HLS.Today – Today, the U.S. Department of Homeland Security (DHS) announced that the Cyber Safety Review Board (CSRB) will review the recent attacks associated with Lapsus$, a global extortion-focused hacker group. Lapsus$ has reportedly employed techniques to bypass a range of commonly-used security controls and has successfully infiltrated a number of companies across industries and geographic areas. The CSRB will develop actionable recommendations for how organizations can protect themselves, their customers, and their employees in the face of these types of attacks. Once concluded, the report will be transmitted to President Biden through Secretary of Homeland Security Alejandro N. Mayorkas and CISA Director Jen Easterly.
“The Cyber Safety Review Board has quickly established itself as an innovative and enduring institution in the cybersecurity ecosystem,” said Secretary Alejandro N. Mayorkas. “With its review into Lapsus$, the Board will build on the lessons learned from its first review and share actionable recommendations to help the private and public sectors strengthen their cyber resilience.”
The CSRB is an unprecedented public-private initiative that brings together government and industry leaders to conduct authoritative fact-finding and to issue recommendations in the wake of significant cybersecurity incidents. The CSRB’s first review focused on vulnerabilities discovered in late 2021 in the widely used Log4j open-source software library. In July 2022, the CSRB concluded that review and published its report, which included 19 actionable recommendations for government and industry. The CSRB does not have regulatory powers and is not an enforcement authority. Its purpose is to identify relevant lessons learned to inform future improvements and better protect our communities.
“Lapsus$ has targeted some of the most sophisticated companies on the planet,” said CSRB Chair and DHS Under Secretary for Policy Robert Silvers. “In the wake of major incidents, the Cyber Safety Review Board conducts authoritative fact-finding and issues recommendations that can have immediate impact on the security of the ecosystem. As a unified effort between government and industry, we will advise on how to repel and respond to these types of cyber-enabled extortion attacks.”
“As cyber threats continue to evolve it is imperative that all organizations recognize that they are not invincible,” said CSRB Deputy Chair Heather Adkins. “The CSRB will review the cyber activity of Lapsus$ in order to analyze their tactics and help organizations of all sizes protect themselves.”
“Lapsus$ actors have perpetrated damaging intrusions against multiple critical infrastructure sectors, including healthcare, government facilities, and critical manufacturing,” said CISA Director Jen Easterly. “The range of victims and diversity of tactics used demand that we understand how Lapsus$ actors executed their malicious cyber activities so we can mitigate risk to potential future victims. We applaud the CSRB for taking on this review to help advance our collective cyber defense.”
The CSRB was established as a mandate in the President’s Executive Order, Improving the Nation’s Cybersecurity, to drive a thoughtful approach to learn from cyber incidents. For more information, visit CISA.gov/CSRB.
Cyber Safety Review Board Releases Unprecedented Report of its Review into Log4j Vulnerabilities and Response
Release Date: July 14, 2022
Report Includes 19 Specific Recommendations for Government and Industry
WASHINGTON – Today, the U.S. Department of Homeland Security (DHS) released the Cyber Safety Review Board’s (CSRB) first report, which includes 19 actionable recommendations for government and industry. The recommendations from the CSRB – an unprecedented public-private initiative that brings together government and industry leaders to review and assess significant cybersecurity events to better protect our nation’s networks and infrastructure – address the continued risk posed by vulnerabilities discovered in late 2021 in the widely used Log4j open-source software library. These are among the most serious vulnerabilities discovered in recent years. The CSRB’s recommendations focus on driving better security in software products and enhancing public and private sector organizations’ ability to respond to severe vulnerabilities. This report was delivered to President Biden through Secretary of Homeland Security Alejandro N. Mayorkas.
“At this critical juncture in our nation’s cybersecurity, when our ability to handle risk is not keeping pace with advances in the digital space, the Cyber Safety Review Board is a new and transformational institution that will advance our cyber resilience in unprecedented ways,” said Secretary Mayorkas. “The CSRB’s first-of-its-kind review has provided us – government and industry alike – with clear, actionable recommendations that DHS will help implement to strengthen our cyber resilience and advance the public-private partnership that is so vital to our collective security.”
As directed by President Biden through Executive Order 14028 Improving the Nation’s Cybersecurity, Secretary Mayorkas established the CSRB in February 2022 to review and assess significant cybersecurity events so that government, industry, and the broader security community can better protect our nation’s networks and infrastructure. The CSRB provides a unique forum for leading senior experts from government and industry to deliver strategic recommendations designed to elevate our nation’s cybersecurity. During its inaugural review, the CSRB engaged with nearly 80 organizations and individuals to gather insights into the Log4j event, inform findings, and develop actionable recommendations to prevent and respond more effectively to future incidents. As the release of this report demonstrates, DHS and the CSRB are committed to transparency and will, whenever possible, release public versions of CSRB reports, consistent with applicable law and the need to protect sensitive information from disclosure.
“The Cyber Safety Review Board has established itself as a new, innovative, and enduring institution in the cybersecurity ecosystem,” said CSRB Chair and DHS Under Secretary for Policy Robert Silvers. “Never before have industry and government cyber leaders come together in this way to review serious incidents, identify what happened, and advise the entire community on how we can do better in the future. Our review of Log4j produced recommendations that we are confident can drive change and improve cybersecurity.”
“Cybersecurity is a shared responsibility, which is why it is so critical that the CSRB is a private-public partnership,” said CSRB Deputy Chair Heather Adkins. “We hope that the independent fact-finding, analysis, and conclusions reached, as well as the recommendations, are taken in earnest as lessons-learned and instructive actions for both the near and long-term.”
“The CSRB is a remarkable public-private initiative that has produced an important blueprint for CISA – our nation’s civilian cyber defense agency – to meaningfully increase cybersecurity resilience and preparedness across our country,” said CISA Director Jen Easterly. “I look forward to implementing the CSRB’s impactful recommendations and thank the members for their time and thoughtful counsel.”
The CSRB conducted its review in the public interest and recommended the release of its full report to the public. In keeping with his commitment to improving transparency, Secretary Mayorkas followed that recommendation to enable both public and private partners to fully benefit from the CSRB’s review.
The CSRB is composed of highly esteemed cybersecurity leaders from the federal government and the private sector. The CSRB does not have regulatory powers and is not an enforcement authority. Instead, its purpose is to identify and share lessons learned to enable advances in national cybersecurity. Robert Silvers, DHS Under Secretary for Policy, serves as Chair and Heather Adkins, Google’s Vice President for Security Engineering, serves as Deputy Chair.
The CSRB is composed of 15 highly esteemed cybersecurity leaders from the federal government and the private sector that make up the inaugural board membership:
Robert Silvers, Under Secretary for Policy, Department of Homeland Security (Chair)
Heather Adkins, Vice President, Security Engineering, Google (Deputy Chair)
Dmitri Alperovitch, Co-Founder and Chairman, Silverado Policy Accelerator and Co-Founder and former CTO of CrowdStrike, Inc.
Chris DeRusha, Federal Chief Information Security Officer, Office of Management and Budget
Chris Inglis, National Cyber Director, Office of the National Cyber Director
Rob Joyce, Director of Cybersecurity, National Security Agency
Katie Moussouris, Founder and CEO, Luta Security
David Mussington, Executive Assistant Director for Infrastructure Security, Cybersecurity and Infrastructure Security Agency
Chris Novak, Co-Founder and Managing Director, Verizon Threat Research Advisory Center
Tony Sager, Senior Vice President and Chief Evangelist, Center for Internet Security
John Sherman, Chief Information Officer, Department of Defense
Bryan Vorndran, Assistant Director, Cyber Division, Federal Bureau of Investigation
Kemba Walden, Assistant General Counsel, Digital Crimes Unit, Microsoft
Wendi Whitmore, Senior Vice President, Unit 42, Palo Alto Networks
HLS.Today 42 Cyber Attack Statistics in past 10 years - InfoSec