US Ransomware Bill | Decreasing Gap Between Vulnerability Disclosures and Exploits | Average Data Breach Cost Rising
Article by Christopher Lauder, Delegate Relationship Executive, Rela8 Group
US Ransomware Bill
To begin, we will hop over the pond to the United States, where a bill that is designed to increase visibility of foreign ransomware attackers has passed through the House of Representatives.
In its shortened form, it is known as the Ransomware Act. To give it its full name, it is called the Reporting Attacks From Nations Selected For Oversight And Monitoring Web Attacks And Ransomware From Enemies Act. The aim of this is to make it easier for the United States to respond to any ransomware attacks from foreign adversaries.
This would amend the 2006 US Safe Web Act by mandating reporting of cross-border complaints that relate to ransomware and other attacks. The Act focuses mainly on Russia, China, Iran, and North Korea, to specifically identify these countries when referring to alleged perpetrators of ransomware attacks.
Under this new law, the Federal Trade Commission (FTC) would send a report to the House Committee of Energy and Commerce, and the Senate Committee on Commerce, Science, and Transportation every two years. It would outline cross-border complaints received by the FTC and be broken down by the alleged perpetrator.
This would include the number of complaints involving ransomware, along with a list of those that the FTC had acted, and not acted upon. This must now pass through the Senate before it can reach the desk of the President.
More information on this can be found in the links below.
Source - Ransomware Bill Passes House - InfoSec Magazine
Source - Ransomware Bill Passes House - Fintech Global
Source - Ransomware Bill Passes House - SecurityWeek
Decreasing Gap Between Vulnerability Disclosures and Exploits
Next, Palo Alto’s annual Unit 42 incident response report has been released and it is warning of a gap between vulnerability disclosures that is ever decreasing, combined with an increase in cybercrime.
The report – The 2022 Attack Surface Management Threat Report, found that attackers start scanning for vulnerabilities within 15 minutes of a CVE (Common Vulnerabilities and Exposures) being announced. Around 36% of the 600 incident response cases that were studied in the report were ransomware, while 34% of the attacks were business email compromises.
In line with our recent news briefings, most of the intrusions and breaches were as a result of phishing, making up 37% of the means of initial access. Also used was the exploitation of known vulnerabilities and brute force credential attacks. Interestingly, 20% was a result of previously compromised credentials, insider threats, social engineering, and abuse of trusted tools.
As for what businesses can do, the recommendation is the usual training of users in spotting phishing attacks that have made it past the filters and disabling any direct external RDP access in favour of something funnelled through an enterprise-grade MFA-VPN. MFA should be implemented regardless, and anything exposed to the internet requires patching as quickly as testing permits.
In an article by The Register, they remark how Unit 42 consulting director Dan O'Day puts it in the report, "Remember to protect yourself against the hackers – not just the auditors."
Source - Time From Vulnerability Disclosures To Exploits Is Shrinking - The Register
Source - 2022 ASM Threat Report - Palo Alto
Source - Unit 42 Report
Average Data Breach Cost Rising
Finally, in a new article by DARKReading, they examine how the average cost of a data breach has been rising in 2022, and how the cost of these breaches is being passed on to consumers in what could be called a “cyber tax”.
They write that these costs that are usually passed on to consumers, and not investors, as compromised businesses have been found to raise the price for their goods and services.
Interestingly, 60% of data breaches have resulted in companies being able to recoup the cost of any fines, clean-ups, and technological improvements, by increasing prices. Essentially, making consumers pay for breaches and a companies lack of preparedness. This is according to the annual ‘Cost of Data Breach Report 2022’.
In the report, executives and security professionals in 550 companies were surveyed. They found that the average cost of a data breach continued to rise this year and has reached an average of $4.4 million globally, is an increase of 13% since 2020. In the United States, this cost has reached $9.4 million.
Furthermore, other results of note are how they found that companies need an average of 277 days to identify and contain data breaches. This has fallen from 287 days in 2021. Lastly, how 83% of companies had suffered more than one data breach.
Discussing the findings, John Hendley, Head of Strategy for IBM Security’s X-Force Research Team said:
"It is clear that cyberattacks are evolving into market stressors that are triggering chain reactions, [and] we see that these breaches are contributing to those inflationary pressures. We have to think about cyber events as factors that are capable of straining the economy, similar to COVID, the war in Ukraine, gas prices, all of that."
The full report can be read below.
Source - Average Costs of Data Breach Soar - DarkReading
Source - Data Breach Costs Reach All Time High - IBM