The US National Security Agency (NSA) issued an advisory to stop using outdated SSL/TLS protocols, which include SSL 2.0, SSL 3.0, TLS 1.0, and TLS 1.1. Organizations that use these older protocols might have a false sense of security that their data in transit is secure; however, that is not the case, due to the weak encryption algorithms being used, such as RC4, DES, and 3DES. Additionally, vulnerabilities in these protocols allow attackers to perform man-in-the-middle attacks to intercept and modify data between a website and its users. Now the NSA recommends using TLS 1.2 or TLS 1.3. It is important to note that the recommended protocols can still support the older and weak encryption algorithms, but the NSA warns against using them.
I thought this article was interesting because it’s relevant to an infrastructure upgrade project I am working on during my day job.
https://www.zdnet.com/article/nsa-urges-system-administrators-to-replace-obsolete-tls-protocols/
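As an added illustration of the caveat in the post above (a TLS 1.2 endpoint still negotiates whatever cipher suites it is configured to allow), here is a Python check that is not from the article: it builds a hardened client context and audits any context for a too-low minimum version or legacy suites. The marker list and the cipher string are my own choices, not values from the advisory.

```python
import ssl

# Name fragments that identify the legacy algorithms the advisory warns about,
# plus NULL/EXPORT/MD5 suites, which offer no real protection either.
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5")

# OpenSSL cipher string for the TLS 1.2 suites we still allow: forward-secret
# key exchange with AEAD bulk encryption only. TLS 1.3 suites are selected by
# OpenSSL separately and are all AEAD already.
MODERN_TLS12_CIPHERS = (
    "ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:DHE+CHACHA20:!aNULL:!MD5:!RC4:!3DES"
)


def weak_cipher_names(names):
    """Return the suite names that use a legacy algorithm."""
    return [n for n in names if any(m in n.upper() for m in WEAK_CIPHER_MARKERS)]


def audit_context(ctx: ssl.SSLContext):
    """List the ways a context falls short of the guidance (empty list = OK)."""
    issues = []
    # MINIMUM_SUPPORTED means "whatever the OpenSSL build allows", which on
    # older builds includes TLS 1.0 and 1.1; TLSv1 and TLSv1_1 are flagged too.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        issues.append(
            f"minimum protocol version is {ctx.minimum_version.name}, "
            "need TLSv1_2 or newer"
        )
    # get_ciphers() lists every suite this context would offer, TLS 1.3 included.
    for name in weak_cipher_names(c["name"] for c in ctx.get_ciphers()):
        issues.append(f"weak cipher suite enabled: {name}")
    return issues


def hardened_client_context() -> ssl.SSLContext:
    """Client context restricted to TLS 1.2+ and modern suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(MODERN_TLS12_CIPHERS)
    return ctx


def legacy_client_context() -> ssl.SSLContext:
    """A context that leaves the protocol floor to OpenSSL, as retired
    configurations often do; the audit should reject it."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


if __name__ == "__main__":
    for label, ctx in (("hardened", hardened_client_context()),
                       ("legacy", legacy_client_context())):
        print(label, audit_context(ctx) or "OK")
```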
Former home security technician Telesforo Aviles, from the renowned security company ADT, admitted to habitually hacking into customers’ home surveillance cameras to spy on them without consent. For four and a half years, he accessed around 200 customers’ surveillance feeds, more than 9,600 times, for sexual gratification. During the installation process, he noted which women he found attractive and proceeded to log into their feeds repeatedly. He went against company policy and added his personal email accounts to their “ADT Pulse” accounts to give himself real-time access to their feeds. He would add them under the pretense that he was “testing the system”, or just add them without their knowledge.
Incidents like these further instill the idea of “who watches the watchers?” Employees of these companies are the people meant to uphold their company standards, but they can also be people with their own agendas. This widens the scope of what the threat environment is, who is considered a threat source, and how we can weigh the benefits vs. the risk of having surveillance.
https://www.infosecurity-magazine.com/news/technician-admits-spying-on/
This week I came across a white paper in Information Week that highlighted the end-to-end exposure of data from leaks due to vulnerabilities in DICOM protocols and PACS servers.
DICOM allows modalities (x-ray machines and other medical devices) to “send and receive data to and from workstations”. These DICOM-formatted images include extensive PII. During their 6-month investigation, CybelAngel analysts were able to access 44 of 50 randomly chosen devices, and found that the data is unencrypted and is being transmitted via unregistered ports.
PACS workstations were also examined, and without any hacking tools the analysts were able to find 300 open portals; while the documentation for the web-based software used to view DICOM images does “indicate steps to secure the portal using encryption and password-restricted access”, this was not mandatory or enforced. They were able to view, create, edit or delete patient data.
It was an interesting read, considering one of our topics last week was that medical data is the most valuable and most wanted type of data for hackers.
https://www.informationweek.com/whitepaper/cybersecurity/risk-management-security/full-body-exposure-cybelangel-analysis-of-medical-data-leaks/423713?gset=yes&_mc=NL_DR_EDT_DR_daily_20210123&cid=NL_DR_EDT_DR_daily_20210123&elq_mid=101738&elq_cid=34768184&download=true
Within the last 10 days, there was a report which stated, “in September 2020, the U.S. Department of Defense (DoD) announced an interim Defense Federal Acquisition Regulation Supplement (DFARS) rule to enhance existing DFARS regulations.” This interim rule states all organizations which work with classified uniform information (CUI) must be compliant with the NIST SP800-171 requirements.
There are three levels of assessment: basic, medium and high. The basic assessment allows the organization to perform self-assessments. They must maintain their SPP as part of the assessment. The medium assessment allows the DoD to perform their own review of the organization. The high requirement allows the DoD to perform an on-site analysis of the SPP and how it’s implemented within the organization. All of this is to help ensure the CUI is protected and has good integrity.
https://securityboulevard.com/2021/01/dfars-interim-rule-drives-need-for-assessment-prep-cybersecurity-management/
SonicWall Breached Via Zero-Day Flaw In Remote Access Tool
SonicWall is a private company headquartered in Silicon Valley. SonicWall sells a range of Internet appliances primarily directed at content control and network security. On January 21st, 2021, sophisticated hackers compromised SonicWall’s NetExtender VPN client and SMB-oriented Secure Mobile Access 100 series product, which are used to provide employees and users with remote access to internal resources.
To help keep its own customers’ networks safe, the vendor has included a series of mitigations in its knowledge base article, such as deploying a firewall to limit who can interact with SMA devices or disabling access via the NetExtender VPN client to its firewalls. Multi-factor authentication must be enabled on all SonicWall SMA, firewall and MySonicWall accounts as well.
https://thehackernews.com/2021/01/exclusive-sonicwall-hacked-using-0-day.html
Why Companies Need to Understand and Create a Protocol for Insider Threats
Over the last two years, the number of insider incidents has increased by 47%. Employees are perhaps the biggest security risks of any company. Deliberately or inadvertently, they can cause a serious breach of company data.
Insider Threat Protocols, Secure Web Gateway. Above all, every employee should be encouraged to take cybersecurity personally. This can be achieved by including them in establishing your insider threat protocol. Everyone should know the roles they are to play in preventing, detecting, and managing insider threats. This eliminates confusion. Insider threats are menacing and unforgiving. Combating them requires a measured and smart approach.
https://www.infosecurity-magazine.com/next-gen-infosec/create-protocol-insider-threats/
Apple announced that the iPhone 12 and MagSafe charging accessories can affect implantable cardioverter-defibrillators and make them stop operating. Also, Apple warned that customers who have an implantable cardioverter-defibrillator should keep it at least 6 inches away from the iPhone 12, and more than 12 inches away if it is wirelessly charging. Because the iPhone 12 and MagSafe include cases built to give a wireless charger a better connection, they have components and radios that emit electromagnetic fields, and these components can make the implantable cardioverter-defibrillator stop running. Apple suggests that users contact the supplier of their medical device to find out what impact the new iPhone or accessories might have. So far, Apple has not promised that customers can return the products, nor has it recalled the products.
https://techxplore.com/news/2021-01-apple-iphone-magsafe-accessories-safe.html
The Australian Securities and Investments Commission (ASIC) on Monday disclosed a security incident that involved Accellion software.
The newly disclosed incident, ASIC says, was identified on January 15, 2021, and resulted in unauthorized access to one of its servers, on which documents related to recent Australian credit license applications were stored.
“This incident is related to Accellion software used by ASIC to transfer files and attachments,” the Australian regulator says.
The watchdog says that there’s no evidence that license application forms or attachments were accessed or downloaded, but notes that “there is some risk that some limited information may have been viewed by the threat actor.”
Access to the affected server has been disabled, to contain the incident, and an investigation into the matter has been launched. Furthermore, ASIC and Accellion are working on notifying the impacted parties, the Commission says.
https://www.securityweek.com/australian-corporate-regulator-discloses-breach-involving-accellion-software
Mastercard Introduces Quantum-Resistant Specs to Enhance Contactless Security
Credit card firm Mastercard has unveiled new quantum-resistant standards that are designed to enhance the security and privacy of contactless payments.
The Enhanced Contactless (Ecos) specifications have been introduced following a surge in contactless payments over the past year, fuelled by the desire for more hygienic payment methods in-store as a result of the COVID-19 pandemic. Ecos will enable the utilization of new quantum-resistant technology in order to deliver advances in algorithms and cryptography. Convenience will be maintained, as contactless interactions will remain under half a second.
https://www.infosecurity-magazine.com/news/mastercard-quantum-resistant/
Cyber criminals use deceased staff accounts to spread Nemty ransomware
This was an interesting article that highlighted certain overlooked “Best Practices” for information security such as disabling accounts of users who are no longer with the company.
An organization was infected with a ransomware called Nemty. The organization reached out to the Sophos incident response team, Rapid Response, for further investigation. Nemty was first detected in 2019 and was a Ransomware-as-a-Service (RaaS) that could be purchased on the black market. It was later taken off the market so the code could be modified to suit the needs of future buyers. Sophos narrowed down the RCA of the attack to a network intrusion via a high-level administrator account. Over the course of a month, the attackers exfiltrated hundreds of gigabytes’ worth of data. It is important to note that in a ransomware investigation, the deployment of the ransomware is the final step in the attack. Many victims do not realize that generally, the attackers have already been in the system for some time performing malicious acts. The cybersecurity team asked who the high-privilege administrator account belonged to. The victim company said the account belonged to a former member of staff who passed away approximately three months before the cyber intrusion. Instead of revoking access and closing down the ‘ghost’ account, the firm chose to keep it active and open “because there were services that it was used for.” Sophos suggests that any ghost account allowed to stay connected to corporate resources once the user has no need of it should have interactive logins disabled, or, if the account is really needed, a service account should be created in its stead.
https://www.zdnet.com/article/cybercriminals-use-deceased-staff-accounts-to-spread-nemty-ransomware/#ftag=RSSbaffb68
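An added example of the detection side of that advice (not from the Sophos write-up or the article): a Python script that flags successful logons by offboarded accounts after their last day, rating interactive and RDP logons higher than the network logons a replacement service account would legitimately make. The log line format, the leaver register and the event lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime

# Windows Security log logon types that indicate a person at a keyboard or an
# RDP session; 3 (network), 4 (batch) and 5 (service) are what a replacement
# service account would use, so they are rated lower.
INTERACTIVE_LOGON_TYPES = {2, 7, 10, 11}

# Simplified, constructed line format (not a real Windows export):
#   <UTC timestamp> event=<id> user=<account> logon_type=<n> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) event=(?P<event>\d+) "
    r"user=(?P<user>\S+) logon_type=(?P<lt>\d+) src=(?P<src>\S+)$"
)

# Constructed offboarding register: account name -> last day of employment.
LEAVERS = {"jdoe": date(2020, 10, 1)}

# Constructed log sample: a successful logon is event 4624, a failure is 4625.
SAMPLE_LOG = """\
2020-09-28T08:05:10Z event=4624 user=jdoe logon_type=2 src=10.0.0.14
2021-01-05T03:12:44Z event=4624 user=JDOE logon_type=10 src=203.0.113.7
2021-01-05T03:15:02Z event=4624 user=asmith logon_type=10 src=10.0.0.21
2021-01-06T22:40:00Z event=4624 user=jdoe logon_type=3 src=10.0.0.50
2021-01-07T01:00:00Z event=4625 user=jdoe logon_type=10 src=203.0.113.7
this line is corrupt and should be skipped
""".splitlines()


@dataclass(frozen=True)
class Finding:
    user: str
    when: datetime
    logon_type: int
    src: str
    severity: str


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "event": int(m["event"]),
        "user": m["user"].lower(),  # account names are case-insensitive
        "logon_type": int(m["lt"]),
        "src": m["src"],
    }


def ghost_account_logons(lines, leavers):
    """Return findings for successful logons by leavers after their last day."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["event"] != 4624:
            continue
        last_day = leavers.get(ev["user"])
        if last_day is None or ev["ts"].date() <= last_day:
            continue
        # A person-style session on a ghost account is the Nemty scenario;
        # a network logon means the account is still wired into a service.
        severity = "high" if ev["logon_type"] in INTERACTIVE_LOGON_TYPES else "medium"
        findings.append(Finding(ev["user"], ev["ts"], ev["logon_type"], ev["src"], severity))
    return findings


if __name__ == "__main__":
    for f in ghost_account_logons(SAMPLE_LOG, LEAVERS):
        print(f"{f.severity.upper():6} {f.when:%Y-%m-%d %H:%M} {f.user} "
              f"logon_type={f.logon_type} from {f.src}")
```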
https://threatpost.com/tiktok-flaw-phishing-attacks/163322/
A vulnerability in TikTok’s platform may have allowed attackers to easily compile phone numbers, unique user IDs and other data that can be leveraged in phishing attacks. It came from the linking of a user’s contacts to their TikTok account. It made it possible to connect profile details with phone numbers. Attackers could leverage this feature in order to query the app’s database, which opens the potential for privacy violations. Because this app grew at an incredible pace in its short life span, it is more vulnerable, as with things moving so fast there are bound to be holes here and there. The issue was patched before it was disclosed publicly.
The easy In the News this week is the SolarWinds attack. Forbes had a nice summary of the attack, how it was accomplished by including malware in an update for the network monitoring tool, and what potential liabilities the company may have. The first liability is around how the malware compromised the digital signature process, which is the establishment of a trust relationship between various pieces of software. Compromising the signature process is the first liability concern. The second liability is around SolarWinds’ software development life cycle and software versioning. How malware ended up in a software update brings into question whether security controls were being executed as part of their SDLC, and then that the malware’s dynamic link library remained in SolarWinds’ downloader for at least a year after the bug was identified.
Link to article
https://www.forbes.com/sites/jodywestby/2020/12/16/solarwinds-cyber-attacks-raise-questions-about-the-companys-security-practices-and-liability/?sh=784bcdfe711d
Hacker leaks data of 2.28 million dating site users
A well-known hacker who goes by the name ShinyHunters leaked the details of more than 2.28 million users registered on MeetMindful.com. The sensitive information that was hacked included names, email addresses, addresses, birth dates, IP addresses, Facebook user IDs, Facebook authentication tokens, marital status, etc. The data from the dating website has been shared as a free download on a publicly accessible hacking forum known for its trade in hacked databases, and has been viewed and downloaded more than 1,500 times. Even though not all leaked accounts have full details included, the provided data can be used to trace their dating profiles back to their real-world identities. The leak of this highly sensitive data is definitely a looming issue, and MeetMindful needs to inform the account holders of this data breach and what information was leaked. I think they should also provide the account holders with some account protection/mitigation and remove the personal information of account holders. The most important step is to understand the root of the issue as to how this data breach happened, so that it doesn’t happen in the future and they can therefore better protect their systems.
https://www.zdnet.com/article/hacker-leaks-data-of-2-28-million-dating-site-users/
The SolarWinds cyber attack is probably the top news this past week. According to SecurityWeek, more companies have been affected by this breach, including Mimecast and Qualys. In Mimecast’s scenario, this breach was pulled off by obtaining a certificate used to prompt users to log in to their Microsoft 365 online account. With this information, the perpetrators were able to access “LDAP, Azure Active Directory, Exchange Web Services, POP3 journaling, and SMTP-authenticated delivery routes”. It seems that this attack is still an ongoing matter, and more and more organizations are getting affected.
https://www.securityweek.com/more-cybersecurity-firms-confirm-being-hit-solarwinds-hack
Cybersecurity investments will increase up to 10% in 2021
A Canalys forecast predicts cybersecurity investments will increase 10% worldwide in the best-case scenario in 2021. Information security will remain a high priority this year, as the range of threats broadens and new vulnerabilities emerge, while the frequency of attacks is unlikely to subside.
The overall cybersecurity market value is expected to reach US$60.2 billion in 2021, covering shipments of endpoint security, network security, web and email security, data security, vulnerability and security analytics, and identity access management.
Despite the continued growth in cybersecurity investment, the number of data breaches and records being compromised, as well as ransomware attacks, reached an all-time high last year.
Over 12 billion records, containing a range of personally identifiable information, were reportedly compromised in 2020, while the number of known ransomware attacks increased by nearly 60%. Misconfigurations of cloud-based databases and phishing campaigns targeting the vulnerabilities of unsecured and poorly trained remote workers were key factors.
https://www.helpnetsecurity.com/2021/01/26/cybersecurity-investments-2021/?web_view=true
RealSense ID is mainly aimed at corporate customers and users involved in embedded systems, allowing individuals to prove their identity based entirely on their facial features. There are two variants of the original hardware: modules that can be embedded in larger projects, and complete peripherals that can be used directly. As attacks against traditional password-based authentication continue to increase, multiple factors and stronger forms of authentication are essential. It is encouraging that people are working on better authentication mechanisms. However, like many security controls, one of the biggest challenges is the adoption and security of the system itself.
https://www.theregister.com/2021/01/07/intel_realsense_id/
Late last year, in a planned expansion of the number of organizations managing vulnerability information, the Cybersecurity and Infrastructure Security Agency (CISA), a branch within the U.S. Department of Homeland Security, joined MITRE in assigning Common Vulnerability Enumeration identifiers. The CVE assignment was dedicated to software vulnerabilities in the medical and industrial control systems industries.
Both entities maintain root-level CVE Number Authority and report to the board managing the CVE program. The entry of CISA in assigning CVE Identifiers assists MITRE in efforts to decongest the process and avoid delays as experienced between 2014 and 2016. This addition is expected to result in more coverage of software in the respective industries (Medical and ICS) and as a result, more vulnerabilities will be named and addressed appropriately.
https://www.darkreading.com/vulnerabilities—threats/vulnerability-management/cisa-joins-mitre-to-issue-vulnerability-identifiers/d/d-id/1338930?&web_view=true