Cybersecurity Today: December 11, 2024 Episode Summary Hosted by Jim Love
In this episode of Cybersecurity Today, host Jim Love delves into the complexities surrounding the SEC's cybersecurity disclosure rules, examines recent allegations against Deloitte involving the BrainCypher ransomware group, and highlights critical security patches released by Microsoft and SAP. This comprehensive overview provides valuable insights for businesses aiming to navigate the evolving cybersecurity landscape.
1. SEC Cyber Disclosure Rules: Struggles and Implications
One year after the Securities and Exchange Commission (SEC) implemented stricter cybersecurity disclosure regulations, many public companies continue to grapple with compliance, resulting in limited transparency for investors.
Jim Love opens the discussion by highlighting the ongoing confusion among companies attempting to adhere to the new rules:
"One year after the Securities and Exchange Commission (the SEC) introduced stricter disclosure rules for cybersecurity incidents, many companies are still struggling to comply, leaving investors in the dark about critical details." [00:03]
A recent report by Breach Rx underscores the minimal compliance rates:
"Only 16.9% of public companies filing 8K reports on cyber incidents have provided specific details on the material impact of those incidents in their business." [00:45]
The report further reveals that over half of these filings rely on generic language with scant information on organizational responses:
"52% of these filings relied on generic boilerplate language, with just under half offering any information on how the organization was responding to the issue." [01:10]
Andy Lunsford, CEO of Breach Rx, criticizes the industry's approach:
"The SEC was very clear they wanted more transparency... and it's pretty clear that's not what the industry has done." [02:30]
Corporate legal teams appear to be a significant barrier, as they often discourage detailed disclosures to mitigate litigation risks. This has led to widespread minimal reporting practices, though leaders like Microsoft are setting higher standards:
"Notable exceptions, like Microsoft, have filed more comprehensive disclosures, setting a potential standard for the industry looking ahead." [03:15]
The uncertainty around SEC enforcement, especially with a potential leadership change from Gary Gensler to Paul Atkins, casts doubt on the long-term effectiveness of these disclosure rules:
"The SEC's enforcement of these rules remains uncertain, especially with a change in leadership on the horizon." [04:00]
2. Deloitte Denies BrainCypher Ransomware Allegations
The episode transitions to recent cybersecurity claims involving Deloitte and the notorious BrainCypher ransomware group. Deloitte faces allegations of a significant data breach, which the company firmly denies.
Jim Love reports:
"Deloitte has denied allegations from the BrainCypher ransomware group, claiming the theft of over one terabyte of data." [04:30]
BrainCypher has publicly claimed to have exfiltrated a substantial amount of compressed data from Deloitte UK, threatening to release it unless a ransom is paid within five days:
"The group added Deloitte UK to its Tor leak site, alleging they had exfiltrated a trove of compressed data." [05:00]
In response, Deloitte asserts that the allegations concern a single client system that sits outside its own network:
"Our investigation indicated that the allegations relate to a single client system that sits outside of the Deloitte network. No Deloitte systems have been impacted." [05:30]
Historically, Deloitte has faced similar accusations. In September 2024, the IntelBroker threat actor claimed a data theft, which Deloitte also refuted. This pattern of allegations raises concerns about the robustness of Deloitte's cybersecurity measures:
"The ongoing BrainCypher allegations place Deloitte's cybersecurity measures under scrutiny once again." [06:15]
Despite the denial, the situation echoes Deloitte's 2017 breach, where unauthorized access to admin credentials led to the exposure of confidential client information, severely damaging the firm's reputation:
"In 2017, the company did suffer a significant breach where a hacker got access to admin credentials, which exposed confidential client emails and other sensitive information, leading to a severe reputational hit." [07:00]
3. Critical Vulnerabilities and Security Patches from Microsoft and SAP
The episode concludes with an update on significant security vulnerabilities addressed by Microsoft and SAP, emphasizing the importance of timely patch application to safeguard systems.
Jim Love details Microsoft's latest Patch Tuesday:
"Microsoft's December 2024 Patch Tuesday addressed 71 security vulnerabilities, including one actively exploited zero-day, CVE-2024-49138." [07:30]
Notably, sixteen critical flaws involve remote code execution, presenting substantial risks:
"Among the fixes, 16 critical flaws involve remote code execution, posing significant risks to affected systems." [08:00]
A zero-day vulnerability discovered by CrowdStrike allows attackers to gain system privileges on Windows devices. While exploitation details are scarce, Microsoft has released a fix to mitigate the threat:
"Microsoft has released a fix to mitigate the risk." [08:45]
SAP is also active in addressing security threats, releasing patches for sixteen vulnerabilities, including a critical server-side request forgery flaw in NetWeaver's Adobe Document Services (ADS):
"The vulnerability, tracked as CVE-2024-47578, with a CVSS score of 9.1, could allow attackers with administrative privileges to exploit the system by sending crafted requests through a vulnerable web application." [09:30]
SAP’s response includes patches for related vulnerabilities and cross-site scripting issues, urging organizations to apply these updates promptly:
"Organizations using affected systems are strongly advised to apply the patches promptly to mitigate those potential risks." [10:15]
Jim emphasizes the severity of these vulnerabilities, urging immediate action from users and organizations to protect against potential exploits:
"Given the severity of these flaws, users and organizations are urged to apply the patches immediately to protect against potential exploits." [10:45]
Conclusion
Jim Love wraps up the episode by underscoring the dynamic and challenging nature of the current cybersecurity environment:
"There's a lot going on and that's our show for today." [11:00]
Listeners are directed to the show notes for additional resources and encouraged to engage with comments and feedback:
"You can find links to reports and other details in our show notes at technewsday.com. We welcome comments, tips, and the occasional bit of constructive criticism at editorial@technewsday.ca." [11:30]
This episode of Cybersecurity Today provides a critical examination of the SEC’s cybersecurity disclosure rules, ongoing ransomware allegations against a major firm, and essential updates on software vulnerabilities, offering listeners a thorough understanding of the current cybersecurity challenges and responses.
