Unpatched Vulnerabilities, New Legislation and the FBI Pushing Against a Ransomware Payment Ban

The expanding threat landscape is making ransomware one of the few bipartisan issues in Congress right now.  But an FBI expert’s testimony proves there are still no easy answers.  Here are the top cybersecurity stories for small and midsize business executives in late July.

Software Vulnerabilities Take 6 Months to Patch

A recent study found that software companies are still taking an average of six months to patch vulnerabilities.  That leaves many networks carrying known vulnerabilities that must be carefully managed until a fix is available.

More hackers and security researchers than ever are racing to uncover security holes in software.  When security researchers discover a vulnerability first, they can alert the software developer, who can (eventually) provide a patch to its customers.  When hackers find a vulnerability before a patch is issued, they can use it to gain access to business networks and deploy ransomware or steal sensitive data.

In either case, the software developer has to issue a patch to secure its product.  Unsurprisingly, the more effort that goes into hunting for vulnerabilities, the more are found.  That leaves software developers with more patches to issue, keeping them busy and slowing down patch releases.

Every day a vulnerability remains unpatched is a day it can be exploited to drop ransomware on a network or steal sensitive data.  This is why companies should build layers of defense within a network and not rely only on patches and signature-based antivirus products.  [Learn more at DarkReading]

House Passes Slate of Cybersecurity Bills

Not much is bipartisan in Washington these days, but a collection of cybersecurity bills covering everything from mobile phone equipment to public cybersecurity education passed the US House 319-105 last week.  These bills have yet to pass the Senate (where they stalled previously after House passage) but this year’s bipartisan support is a good sign they have a chance to do so.

While these measures are mostly aimed at protecting federal systems and critical infrastructure, they are a sign of Congress’s focus on the headline-grabbing topic.  The government would need to pass additional legislation to mandate that private companies take many cybersecurity-related actions, something Biden acknowledged this week when issuing an Executive Order focused on cybersecurity upgrades. [Read more at The Hill]

FBI to Congress: Please Don’t Ban Ransomware Payments

The assistant director of the FBI’s Cyber Division told the Senate Judiciary Committee that banning ransomware payments is not (yet) a good idea.  His reasoning illustrates how severe the threat of a ransomware attack is to many businesses.

“If we ban ransom payments now, you’re putting U.S. companies in a position to face yet another extortion, which is being blackmailed for paying the ransom and not sharing that with authorities,” said Bryan Vorndran.

In other words, the damage faced by companies that held out would be so severe that the FBI believes many CEOs would risk breaking the law to make the payment anyway – exposing them to further blackmail.  Companies that did risk making the payment would also be less likely to report the attack to the FBI, since doing so would risk the agency learning of the illegal payment.

“It’s a really complicated conversation, but it’s our position that banning ransom payments is not the road to go down,” Vorndran said. [Read More at Pymnts]

Industrial Controls Still a Lucrative Target

May’s attack on Colonial Pipeline was a traditional ransomware attack targeting computer networks.  But security experts have been warning for years that industrial controls (networks used to monitor or change settings on infrastructure remotely) could become lucrative targets for ransomware gangs or state actors.

Security researchers this week demonstrated two specific vulnerabilities in these systems, both of which the devices’ vendors have recently patched.  A vulnerability in WAGO devices was especially concerning – a cybercriminal could remotely install a program that allowed them to control the device.  This could potentially allow them to interfere with settings such as temperature controls or movement rates.

Industrial control equipment manufacturers and end users will likely be racing in the coming months to catch up to the security practices used on modern-day IT networks in order to avoid attacks like these.  These systems are used extensively in the utility industry, but other industries such as manufacturing, mining and food production also rely on them.  [Read More at Threatpost]