Infosec Monitor: No. 4

No. 4 Friday, November 24th, 2023

Welcome to another edition of the Infosec Monitor. A weekly newsletter covering what's happened, what's happening, and what's coming in cybersecurity.

In this week’s edition of the Infosec Monitor: Idaho National Laboratory hacked, Australia Cyber Security Strategy, free shared services from CISA, and the impact of not paying a ransom.

News

SEC 4-day notification rule hits congressional resistance

The new SEC rule is being challenged due to its conflict with existing regulations and the burden it places on cybersecurity professionals. A joint bill, House Joint Resolution 100 and Senate Joint Resolution 50, aims to void the SEC rule. The bill argues that the Cyber Incident Reporting for Critical Infrastructure Act of 2022 already has sufficient regulations in place for reporting. However, the joint resolutions have made little progress and have a low chance of passing, according to GovTrack.us. SC Magazine

Australia releases 2023-2030 Cyber Security Strategy

The 58-page report outlines the six "shields" that Australia will use to ensure it becomes a cybersecurity leader. The strategy represents a strategic shift in the approach to cybersecurity, moving from an independent per-topic-based approach to a holistic whole-of-nation approach. By fostering deep collaboration, it becomes the responsibility of everyone, including individuals, businesses, and the government, to prioritize cyber security. AU.Gov

CISA offers no-cost shared cybersecurity services to private critical infrastructure entities

CISA is launching a voluntary pilot program that offers cybersecurity services to the critical infrastructure entities most in need. The initial focus will be on healthcare, water, and K-12 education. The program will begin with 100 entities. SecurityWeek CISA

Cyber Security Incidents

Idaho National Laboratory breached by SiegedSec

The national laboratory, which employs over 5,000 people, confirmed on Monday that it had experienced a breach. The attackers stated that they had accessed employee data, including Social Security numbers, home addresses, and more. They did not make any claims regarding the compromise of confidential research. INL confirmed that the breached system was a federally approved HR system. Engadget

Shimano internal data leaked after not paying ransom

Following a ransomware attack in November, Shimano's data, which included employee data (including passport information), financial records, internal confidential documents, and part designs, has been leaked by the LockBit group. Shimano did not pay the ransom demanded by LockBit, the group also responsible for the initial attack. CyclingWeekly

Kronos Research hackers access API to steal $24M in Ethereum

Kronos was forced to shut down their trading API to investigate unauthorized usage of their APIs that resulted in the loss of over 12,800 ETH. CoinTelegraph

Fidelity National Financial cybersecurity incident, ongoing

Fidelity has filed an SEC Form 8-K regarding an ongoing investigation into a breach of their systems. The full impact is not yet known. However, Fidelity has shut down some systems, impacting the closings of some homebuyers. TechCrunch

About

Cybersecurity is at a crossroads, changing more rapidly than we believed was possible just a few years ago. Stay informed on what's going on, what's happened, and what's coming next.

I'm Bryan Smith, the author of the Infosec Monitor. I've spent over a decade pioneering changes in how cybersecurity is managed, from helping create the first cyber risk quantification (CRQ) software to advising how to approach cybersecurity pragmatically and proactively.

Data & Research

During a short Thanksgiving week, no one wants to unveil their research. I hope everyone in the US had a wonderful Thanksgiving.

Cybersecurity M&A

PureHealth acquires PureCS for undisclosed sum. Zawya

Thank you for reading Infosec Monitor. This post is public so feel free to share it.