WebProNews

Tag: Cybersecurity

  • National Cyber Strategy Puts Cybersecurity Burden on Big Tech

    The White House unveiled its National Cyber Strategy, shifting the burden of providing security from individuals to Big Tech.

    Cybersecurity has become a major issue for individuals, businesses, and government agencies, with hardly a day going by without disclosure of another data breach. According to CNBC, a key component of the new strategy is putting the burden of protection on Big Tech, the segment best equipped to address security issues.

    “The president’s strategy fundamentally reimagines America’s cyber social contract,” Acting National Cyber Director Kemba Walden said during a press briefing on Wednesday. “It will rebalance the responsibility for managing cyber risk onto those who are most able to bear it.”

    Walden added, “the biggest, most capable and best-positioned actors in our digital ecosystem can and should shoulder a greater share of the burden for managing cyber risk and keeping us all safe.”

    The strategy document emphasizes the importance of the public and private sectors working together:

    The most capable and best-positioned actors in cyberspace must be better stewards of the digital ecosystem. Today, end users bear too great a burden for mitigating cyber risks. Individuals, small businesses, state and local governments, and infrastructure operators have limited resources and competing priorities, yet these actors’ choices can have a significant impact on our national cybersecurity. A single person’s momentary lapse in judgment, use of an outdated password, or errant click on a suspicious link should not have national security consequences. Our collective cyber resilience cannot rely on the constant vigilance of our smallest organizations and individual citizens.

    Instead, across both the public and private sectors, we must ask more of the most capable and best-positioned actors to make our digital ecosystem secure and resilient. In a free and interconnected society, protecting data and assuring the reliability of critical systems must be the responsibility of the owners and operators of the systems that hold our data and make our society function, as well as of the technology providers that build and service these systems. Government’s role is to protect its own systems; to ensure private entities, particularly critical infrastructure, are protecting their systems; and to carry out core governmental functions such as engaging in diplomacy, collecting intelligence, imposing economic costs, enforcing the law, and conducting disruptive actions to counter cyber threats. Together, industry and government must drive effective and equitable collaboration to correct market failures, minimize the harms from cyber incidents to society’s most vulnerable, and defend our shared digital ecosystem.

    The National Cyber Strategy echoes sentiments voiced by Google, in which the company threw its support behind companies being held responsible for cybersecurity. Google also emphasized the need for companies to build systems that are fundamentally more secure — rather than offloading that burden on the average user.

  • Google Cloud May Be Vulnerable to Unnoticed Data Theft

    Google Cloud may be more vulnerable than its competitors to unnoticed data theft, thanks to logs that are not as helpful as they should be.

    Cybersecurity firm Mitiga analyzed Google Cloud’s online storage and found that the platform’s logging mechanism comes up woefully short in terms of providing useful information. This is especially concerning since these logs are used by security professionals and law enforcement to identify the scope of a potential breach.

    According to Mitiga, Google’s current logging system cannot effectively differentiate between a threat actor viewing data versus exfiltrating it:

    Even with the detailed logging constraint applied, Google logs events of reading Metadata of an object in a bucket the same way it logs events of downloading the exact same object. This lack of coverage means that when a threat actor downloads your data or, even worse, exfiltrates it to an external bucket, the only logs you would see will be the same as if the TA just viewed the metadata of the object.

    While this issue doesn’t inherently make Google Cloud any more insecure than the next cloud provider, it does mean that customers impacted by a data breach on Google Cloud may have a much harder time taking the appropriate investigative action.

    Mitiga reached out to Google Cloud and received the following response:

    “The Mitiga blog highlights how Google’s Cloud Storage logging can be improved upon for forensics analysis in an exfiltration scenario with multiple organizations. We appreciate Mitiga’s feedback, and although we don’t consider it a vulnerability, have provided mitigation recommendations.”

  • Hackers Had Access to News Corp’s Systems For Two Years

    News Corp has revealed that a previously acknowledged breach was much worse than originally thought.

    News Corp, which owns The Wall Street Journal, revealed in February 2022 that it had suffered a cybersecurity breach. The company said the breach involved “persistent cyberattack activity” in a third-party cloud service it used.

    Unfortunately, in a breach notification first spotted by Ars Technica, the company has admitted that the breach went on for two years:

    “Based on the investigation, News Corp understands that, between February 2020 and January 2022, an unauthorized party gained access to certain business documents and emails from a limited number of its personnel’s accounts in the affected system, some of which contained personal information,” the letter stated. “Our investigation indicates that this activity does not appear to be focused on exploiting personal information.”

    The company did say that it does not believe any fraud or identity theft has been committed as a result of the breach. Instead, News Corp told Ars that investigators “believe that this was an intelligence collection.”

    That conclusion would certainly be in line with conclusions gathered last year when the breach was first discovered. At the time, News Corp enlisted security firm Mandiant to help it resolve the situation. Mandiant’s conclusion was that the attack was carried out by hackers affiliated with the Chinese government.

  • Google Sides With US in Holding Companies Responsible for Cybersecurity

    Google and the US government may be at odds about many things, but the two are in agreement on one big one: who should be responsible for cyberattacks.

    In a blog post by Kent Walker, President, Global Affairs & Chief Legal Officer, and Royal Hansen, VP of Engineering for Privacy, Safety, and Security, the executives make the case that companies should be responsible for improving cybersecurity:

    “Should companies be responsible for cyberattacks? The U.S. government thinks so – and frankly, we agree.”

    The two execs then quote Jen Easterly and Eric Goldstein of the Cybersecurity and Infrastructure Security Agency at the Department of Homeland Security:

    “The incentives for developing and selling technology have eclipsed customer safety in importance. […] Americans…have unwittingly come to accept that it is normal for new software and devices to be indefensible by design. They accept products that are released to market with dozens, hundreds, or even thousands of defects. They accept that the cybersecurity burden falls disproportionately on consumers and small organizations, which are often least aware of the threat and least capable of protecting themselves.”

    Walker and Hansen go on to lament that cyber threats are growing, taking advantage of “insecure software, indefensible architectures, and inadequate security investment.” The solution is a complete rethinking of how software is designed and deployed.

    “The bottom line: People deserve products that are secure by default and systems that are built to withstand the growing onslaught from attackers,” the executives write. “Safety should be fundamental: built-in, enabled out of the box, and not added on as an afterthought. In other words, we need secure products, not security products. That’s why Google has worked to build security in – often making it invisible – to our users. Many of our most significant security features, including innovations like SafeBrowsing, do their best work behind the scenes for our core consumer products.”

    The executives emphasize the importance of security being smooth and streamlined, not the cumbersome experience that often exists today, and that results in customers choosing insecurity over inconvenience. Walker and Hansen also recognize there is no silver bullet but that significant steps can and should be taken to greatly improve the status quo.

    “Of course, raising the security baseline won’t stop all bad actors, and software will likely always have flaws – but we can start by covering the basics, fixing the most egregious security risks, and coming up with new approaches that eliminate entire classes of threats,” they add. “Google has made investments in the past two decades, but contributing resources is just a piece of the puzzle. It’s work for all of us, but it’s the responsible thing to do: The safety and security of our increasingly digitized world depends on it.”

  • Windows 11 Sends Massive Amounts of Data to Ad Companies

    The PC Security Channel (TPSC) analyzed Windows 11 and found it sends massive amounts of user data to Microsoft, as well as third-party ad companies.

    TPSC is a YouTube channel dedicated to cybersecurity and privacy. The channel took a brand-new laptop that had never been used and used Wireshark to monitor the computer’s traffic, starting from the moment it was booted up.

    Unsurprisingly, the computer immediately connected to a number of Microsoft services, including Bing, MSN, and the Windows Update service. While it’s not surprising a Windows machine would connect to Microsoft, it is surprising that the Bing traffic was happening without the web browser ever being opened or used.

    Even more surprising, Windows 11 also connected to McAfee, Steam, and Comscore’s ScorecardResearch.com, to name just a few. The last one is particularly alarming, as it is an ad-tech company. In fact, when TPSC first tried going to the website to see what ScorecardResearch.com was, the channel’s browser adblocker would not even load the page since it is a known ad and tracking domain.

    To make matters worse, Microsoft connects and sends data to these servers without expressly asking the user’s permission. Instead, the company relies on a vague clause in the Microsoft License Terms to constitute permission.

    Privacy; Consent to Use of Data. Your privacy is important to us. Some of the software features send or receive information when using those features. Many of these features can be switched off in the user interface, or you can choose not to use them. By accepting this agreement and using the software you agree that Microsoft may collect, use, and disclose the information as described in the Microsoft Privacy Statement (aka.ms/privacy), and as may be described in the user interface associated with the software features.

    Tom’s Hardware reached out to Microsoft and was given the following statement:

    “As with any modern operating system, users can expect to see data flowing to help them remain secure, up to date, and keep the system working as anticipated,” a Microsoft spokesperson said. “We are committed to transparency and regularly publish information about the data we collect to empower customers to be more informed about their privacy.”

    A legitimate case can be made for Windows 11 connecting to Microsoft services, but there is absolutely no valid justification for connecting to and sending telemetry to an ad-tech company.

    Interestingly, TPSC ran the same test with Windows XP and found that it only connected to Microsoft update servers, greatly undermining Microsoft’s claim that Windows 11’s connections to third parties were necessary to “remain secure, up to date, and keep the system working as anticipated.”

    As we have stated at WPN many times, there is NO EXCUSE for a company that charges handsomely for a product to then turn around and try to monetize its customers’ data, let alone try to do so without express and explicit permission. And no, a couple of sentences buried in a long, legalese licensing document that few people will ever read does not count as express and explicit permission.

    Microsoft should be ashamed of itself for this behavior, and one can only hope this revelation will put the company in the crosshairs of the EU’s GDPR.

    In the meantime, TPSC’s question, “Has Windows become spyware?” is one that deserves an answer.

  • Google Cloud & Health-ISAC Partner to Bolster Healthcare Cybersecurity

    Google Cloud and Health-ISAC have announced a partnership aimed at helping the healthcare industry bolster cybersecurity.

    Like many industries, healthcare has been hard-hit by cybersecurity threats, with ransomware attacks shutting down hospitals and compromising operations. Google Cloud and Health-ISAC (Health Information Sharing and Analysis Center) are working together to “help Health-ISAC members discover threats more rapidly” and “also assist in evicting malicious actors from their infrastructure.”

    Today, we’re announcing the general availability of our next investment in this community. Working with the Health-ISAC Threat Operations Center, Google Cloud security engineers developed an open sourced integration that connects the Health-ISAC Indicator Threat Sharing (HITS) feed directly with Google Cloud’s Chronicle Security Operations information and event management. HITS allows Health-ISAC members to easily connect and quickly share cyber threat intelligence through machine-to-machine automation.

    “The integration of Health-ISAC’s threat feed with Chronicle Security Operations is exciting to see,” said Errol Weiss, Health-ISAC’s chief security officer. “Our members can now ingest Health-ISAC’s Signature Threat Feed of member-to-member shared threat indicators into Chronicle, and use that information to help automation and threat analyst decisions when protecting critical network infrastructure.”

  • Reddit Was Hacked, but Says User Data Is Safe

    Reddit has informed users that it was hacked Sunday night, but says user accounts and passwords appear to be safe.

    According to the social media company, its employees were targeted by a “sophisticated phishing campaign” that pointed employees to a website that attempted to steal their credentials.

    After successfully obtaining a single employee’s credentials, the attacker gained access to some internal docs, code, as well as some internal dashboards and business systems. We show no indications of breach of our primary production systems (the parts of our stack that run Reddit and store the majority of our data).

    Exposure included limited contact information for (currently hundreds of) company contacts and employees (current and former), as well as limited advertiser information. Based on several days of initial investigation by security, engineering, and data science (and friends!), we have no evidence to suggest that any of your non-public data has been accessed, or that Reddit’s information has been published or distributed online.

    Hopefully the scope of the breach remains limited to Reddit’s initial findings.

  • Privacy and Cybersecurity Challenges in 2023 – Part One

    With a new year comes new privacy and cybersecurity challenges for companies large and small, not the least of which is new regulation. The tech industry is facing new regulations in 2023, some of which will have profound impacts on day-to-day business and carry hefty penalties for non-compliance.

    Here are some of the top regulatory issues companies need to be aware of:

    Voluntary Cooperation Is Out; Regulation Is In

    One of the major changes moving forward in 2023 is an expected change in the US government’s approach to cybersecurity. In the past, the government was largely willing to allow companies to handle cybersecurity issues on a voluntary basis, but those days appear to be over.

    The White House Office of the National Cyber Director is expected to unveil major new initiatives in the first half of 2023, and many of them will be mandatory.

    “We’ve been working for about 23 years on a largely voluntary approach,” said Mark Montgomery, the senior director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies. “The way forward is going to require thinking about regulation.”

    California Consumer Privacy Act of 2018

    One of the biggest regulatory challenges businesses will face is the California Consumer Privacy Act of 2018 (CCPA), including the Proposition 24 amendments that were passed in 2020 and expanded the scope of the CCPA.

    Per the California Attorney General’s office, the CCPA guarantees the following rights:

    • The right to know about the personal information a business collects about them and how it is used and shared;
    • The right to delete personal information collected from them (with some exceptions);
    • The right to opt-out of the sale or sharing of their personal information; and
    • The right to non-discrimination for exercising their CCPA rights.

    In addition, the Proposition 24 amendments add the following:

    • The right to correct inaccurate personal information that a business has about them; and
    • The right to limit the use and disclosure of sensitive personal information collected about them.

    The latter two rights, in particular, are of special note since they went into effect on January 1, 2023.

    Most important, however, is a provision that allows customers to take legal action against companies that fail to properly protect their data and expose such data as a result of a breach. This places a tremendous responsibility on companies to ensure all possible measures are being taken to reduce their possible liability.

    Increased GDPR Enforcement

    Another major hurdle many businesses will face is increased enforcement of the European Union’s GDPR. While the GDPR has been in effect for years, companies on both sides of the Atlantic have largely ignored some of its provisions.

    The EU sent a clear message in 2022, however, that companies will continue to ignore the GDPR at their own peril. For example, in January 2022, the Austrian Data Protection Authority ruled that Google Analytics violated the GDPR and was therefore illegal, impacting countless EU-based companies and websites.

    At the heart of the issue is the protection of EU citizens’ data when it is in the hands of US-based companies. The EU is especially concerned that US intelligence agencies could have unwarranted access to such data. While the US and EU are working to establish a new data-sharing deal that would address such concerns, such a deal is still a ways off, leaving companies to navigate the complicated situation on their own.

    In the meantime, the EU has made it clear it will continue to go after companies that ignore its privacy and cybersecurity regulations.

    “Instead of actually adapting services to be GDPR compliant, US companies have tried to simply add some text to their privacy policies and ignore the Court of Justice,” says Max Schrems, honorary chair of The European Center for Digital Rights. “Many EU companies have followed the lead instead of switching to legal options.”

    General Issues

    In addition to the above specific concerns, there are a number of general concerns companies face. Ransomware attacks have been a growing threat in recent years, especially attacks that target vital infrastructure.

    As a result of the growing threat, cybersecurity has been a major focus of the Biden administration, with multiple executive orders, memorandums, and fact sheets addressing the issue. Some of these include unprecedented requirements, including mandatory measures to improve the overall cybersecurity of US businesses and agencies.

    Dealing With the Challenges

    Understanding the challenges is just the first step in properly preparing for and dealing with them. In Part Two of this series, we’ll look at some specific steps companies and organizations can take.

  • Lessons From the Latest Cyber Incidents

    The LastPass data breach. Ransomware on The Guardian and Royal Mail. Hackers exploiting the platform CircleCI with zero-day malware.

    January is not even over, and major hacking incidents, or the aftermath of last year’s exploits, are already headlining the news.

    Some malicious cyber activity that took place in December has only now been discovered or has not yet been remedied. Other major cases, such as Royal Mail, are still ongoing.

    What can others learn from these major incidents, and how can endpoint security, anti-ransomware solutions, and phishing prevention help companies secure their most valuable assets?

    Royal Mail: Long Road to Recovery After Nightmare Ransomware

    The type of malware that encrypts files to demand ransom (mostly in crypto) in exchange for regaining access to documents is known as ransomware.

    Behind these major cases are malicious ransomware groups such as LockBit, Black Cat, and Hive. Most of them operate from Russia due to a lack of sanctions for this type of criminal activity in the country.

    On January 10, Royal Mail, the major British distribution service, was targeted with ransomware.

    A member of the ransomware gang LockBit has confirmed that they are behind this damaging cyber attack.

    The aftermath of the attack is still ongoing: sending and receiving international parcels has been suspended for a week. The company is working on restoring its services.

    Businesses that rely on shipments via Royal Mail have already said that they are losing ratings and customers, and that the lack of service is already causing major financial losses.

    The Guardian: Phishing Is Not Going Anywhere Anytime Soon

    Social engineering techniques are often the first step for cybercriminals because it’s easier to “hack” people than systems that are protected with all types of security measures and solutions.

    The most common type of social engineering is phishing.

    Hackers use emails, social media, or phone calls to target their victims and pressure them to click a malicious link, download malware hidden in an attachment, or reveal their passwords.

    To prevent it, companies invest in advanced tools that filter emails and phishing awareness training that teaches teams to recognize the most common phishing attempts.

    On December 20, The Guardian Media Group discovered a cyber incident within its network. It was identified as ransomware, and the company said the malware infected its systems following a successful phishing campaign.

    Luckily, workers could continue their work and publish digitally and via the app.

    The bad news was that private information belonging to UK staff had been obtained by the threat actor. The data of readers and subscribers was not accessed.

    However, the company’s IT systems were disrupted (the internal WiFi was taken down), and until that is fully remedied, staff will have to work remotely until February.

    CircleCI: Mind Your Endpoint Security

    With the rise of remote work, the security of all of the devices workers use to connect to the company’s network (AKA endpoint devices) is essential for preventing cyberattacks.

    Employees connect to the company’s network from various home devices and may even bring their own laptops to work. If those devices aren’t protected, companies that rely on distributed teams have a major weakness that can be exploited by attackers.

    Endpoint security is the term that refers to a solution that is designed for protecting data, preventing threats, and identifying advanced zero-day attacks (which are difficult to detect because hackers rely on previously unknown flaws).

    On December 16, the DevOps platform CircleCI was the victim of a zero-day attack.

    The company was notified of the suspicious activity on December 29 and started investigating the issue and securing the platform.

    On January 4, they identified the exact scope and nature of the intrusion. They also notified all customers of the security incident and advised them to rotate all secrets stored in CircleCI and review their internal logs.

    The attackers compromised a device one engineer had been using for work. They managed to infect it with malware that bypassed the antivirus software, and once they had gained unauthorized access, they could impersonate the employee.

    LastPass: How You Handle Data Breaches Matters

    Data breaches affect both the business that has been breached and the individual whose information has been leaked.

    They can result from a successful phishing incident in which someone revealed their credentials, from unauthorized access gained by exploiting a vulnerability, or from other methods.

    On December 22, LastPass, a well-known password manager, made an update on the data breach they experienced on November 30. They revealed that the incident had worse repercussions than they initially claimed.

    Namely, the threat actor managed to access password vaults as well as user data.

    In the week after that update, the company provided its customers with no further information, and security experts have suggested that users switch to another service.

    The lack of transparency has caused many users to change to another service.

    Key Takeaways and Lessons Learned

    Let’s start with Royal Mail. This ransomware case shows how a cyber attack on critical infrastructure affects businesses and prompts consumers to question whether they could have been better protected against hacking threats.

    It takes a lot of time for companies to get back on their feet following an incident. During that time, they lose money on remediation and fall behind on their work.

    Regardless of how prepared your company might be for hacking activity, zero-day attacks can still wreak havoc on systems.

    Cyber incidents are often interlinked – as is evident from The Guardian hacking where the hacker was able to deploy ransomware following a successful phishing attack.

    At the end of the day, there is no ideal security measure because security incidents can occur even within well-protected and managed infrastructures.

    Once the attack or data breach occurs, it’s important how the news is communicated to those that are affected by the incident – that is, to be transparent and not leave worried users in the dark.

  • Microsoft Unveils Microsoft Security Experts Managed Services

    Microsoft is moving further into the realm of cybersecurity, unveiling new managed services to help its customers tackle security challenges.

    Microsoft is already one of the leading companies fighting cybersecurity threats. In fact, Microsoft Security blocked 9.6 billion malware attacks, as well as more than 35.7 billion phishing and malicious emails in 2021 alone. The company is now using that expertise to launch its Microsoft Security Experts managed services to help its customers.

    The company has unveiled three new services. Microsoft Defender Experts for Hunting will help customers “proactively hunt for threats across Microsoft Defender data, including endpoints, Office 365, cloud applications, and identity.”

    Microsoft Defender Experts for XDR is a “managed extended detection and response (XDR) service” for companies that need to expand their own internal security operations.

    Microsoft Security Services for Enterprise is a comprehensive solution for large enterprises that want their entire security service managed by experts.

    Microsoft is also committed to working with “an ecosystem of partners and technologies” in an effort to provide the best possible service.

    “Microsoft is uniquely positioned to help our customers and their partners meet today’s security challenges,” writes Vasu Jakkal, Corporate Vice President, Security, Compliance, Identity, and Management. “We secure devices, identities, apps, and clouds—the fundamental fabric of our customers’ lives—with the full scale of our comprehensive multicloud, multiplatform solutions. Plus, we understand today’s security challenges because we live this fight ourselves every single day.”

  • SolarWinds Is in Trouble With the SEC Over Supply Chain Attack

    SolarWinds is facing monetary and enforcement consequences as a result of its supply chain attack in 2020.

    SolarWinds was the victim of a supply chain attack in which attackers compromised one of SolarWinds’ IT tools that was used by companies and government agencies around the world. As a result, at least 18,000 of SolarWinds’ customers downloaded the compromised software, with many being directly hacked.

    It appears the company is now facing the consequences, both with shareholders and the SEC. In a filing with the SEC, the company says it has agreed to pay shareholders $26 million.

    SolarWinds entered into a binding settlement term sheet with respect to the previously disclosed consolidated putative class action lawsuit…. The settlement, if approved, would require the Company to pay $26 million to fund claims submitted by class members, the legal fees of plaintiffs’ counsel and the costs of administering the settlement.

    In addition, the company also revealed that it had been notified of an SEC Wells notice, which could lead to enforcement action.

    Also on October 28, 2022, the enforcement staff of the U.S. Securities and Exchange Commission (the “SEC”) provided the Company with a “Wells Notice” relating to its investigation into the previously disclosed cyberattack on the Company’s Orion Software Platform and internal systems. The Wells Notice states that the SEC staff has made a preliminary determination to recommend that the SEC file an enforcement action against the Company alleging violations of certain provisions of the U.S. federal securities laws with respect to its cybersecurity disclosures and public statements, as well as its internal controls and disclosure controls and procedures.

    It is not surprising the SEC is taking such action. The SolarWinds attack was one of the most devastating cyberattacks in history and had a profound impact on companies and agencies. The US Judiciary even went so far as to return to paper records in the wake of the attack.

  • Rubrik Zero Labs: Cybersecurity Breaches Often Lead to Leadership Changes

    Rubrik Zero Labs’ “The State of Data Security” report contains eye-opening insights on the real impact of cybersecurity breaches.

    When analyzing the impact of cybersecurity breaches, much of the focus is on how much data is compromised and how much the breach will cost a company. Rubrik Zero Labs’ latest research, however, analyzes the human impact of cybersecurity incidents, shedding light on an under-reported consequence.

    According to the report, “36% of organizations in our study dealt with a leadership change in the last year due to a cyberattack and its follow-on response.” In fact, in a large percentage of cybersecurity incidents, boards and/or executive leadership lacked confidence in the organization’s ability to recover. Only 27% were completely confident, while 40% were ‘usually confident, but with occasional scrutiny,’ and 33% had little to no confidence, no doubt playing a major role in the 36% of companies changing leadership.

    What’s more, a whopping 96% of IT and Security leaders experienced a significant emotional and psychological toll. The effects included worrying about job security, as well as concerns they had lost the trust of their colleagues and organization.

    “We often overlook the psychological dimension of cyberattacks and the chaos that tends to follow after discovering an incident,” said Chris Krebs, Former Director of CISA and Founding Partner of the Krebs Stamos Group. “The bad guys sure have figured it out, though, with criminals and state actors alike trying to generate emotional responses when they attack, as evidenced by the increase in criminal extortion efforts and hack and leak campaigns. In the end, IT and security leaders alike tend to take the blame for these cyberattacks.

    “One of the most effective techniques I’ve seen to prepare for these types of attacks is to accept you’re going to have a bad day at some point, and your job is to ensure that it doesn’t become a ‘worse day.’ This is why we need defenders across the spectrum to come together – sharing best practices, learnings after attacks, simulations, frameworks – so that we’re collectively strengthening our defenses and minimizing the psychological impact brought on by an attack.”

  • Thomson Reuters Data Leak Could Lead to Supply-Chain Attack

    Thomson Reuters Data Leak Could Lead to Supply-Chain Attack

    Thomson Reuters is the latest company to be hit with a data leak, one that exposed more than 3TB of data, including passwords.

    According to the Cybernews research team, Thomson Reuters left three databases exposed to the public. One of them was an Elasticsearch instance holding 3TB of data, including passwords stored in plaintext.

    Cybernews researchers fear the data could ultimately be used in a supply-chain attack:

    The naming of ElasticSearch indices inside the Thomson Reuters server suggests that the open instance was used as a logging server to collect vast amounts of data gathered through user-client interaction. In other words, the company collected and exposed thousands of gigabytes of data that Cybernews researchers believe would be worth millions of dollars on underground criminal forums because of the potential access it could give to other systems.

    The threat is even more severe since the data is current, with some of it logged as recently as October 26.

    “ElasticSearch is a very common and widely used data storage and is prone to misconfigurations, which makes it accessible to anyone. This instance left sensitive data open and was already indexed via popular IoT [internet of things] search engines. This provides a large attack surface for malicious actors to exploit not only internal systems but a way for supply chain attacks to get through. A simple human error can lead to devastating attacks, from data exfiltration to ransomware,” said Mantas Sasnauskas, the Head of Security Research at Cybernews.

    Thomson Reuters addressed the issue immediately, but only time will tell what the long-term ramifications will be.
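    The misconfiguration the Cybernews researchers describe, an Elasticsearch instance reachable from the internet with no authentication, usually comes down to a few lines of elasticsearch.yml. As an added illustration (this is not Thomson Reuters’ actual configuration, which the researchers did not publish), here is the weak combination beside a corrected one. The cluster name, the private interface address and the certificate path are placeholders.

```yaml
# --- Exposed: binds every interface and turns authentication off (weak) ---
cluster.name: logging
network.host: 0.0.0.0           # listens on the public interface as well
http.port: 9200
discovery.type: single-node
xpack.security.enabled: false   # anyone who can reach :9200 can read every index
---
# --- Corrected: private interface, authentication and TLS on (assumed values) ---
cluster.name: logging
network.host: 10.0.12.5         # internal address only; reach it over a VPN or reverse proxy
http.port: 9200
discovery.type: single-node
xpack.security.enabled: true                     # credentials or API keys required
xpack.security.http.ssl.enabled: true            # TLS on the REST API
xpack.security.http.ssl.keystore.path: certs/http.p12
```

    The check a practitioner wants after deploying this: from a host outside the network, `curl -s http://<public-ip>:9200/_cat/indices` should fail to connect or return 401, never an index listing. Because the open instance had already been indexed by internet-wide scanners, searching those services for your own IP ranges is a cheap way to find the next one. Elasticsearch 8.x turns security on by default; 7.x installations had it off unless someone enabled it, and that is where most of these exposures come from. Note also that the configuration fixes the exposure, not the contents: plaintext passwords in a logging index mean credentials are reaching the log pipeline unscrubbed, which is a separate bug to fix upstream.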

  • Small Businesses Need A Cybersecurity Plan, Too. Here’s Where To Start

    Small Businesses Need A Cybersecurity Plan, Too. Here’s Where To Start

    By one widely cited estimate, 43% of all data breaches involve small and medium businesses. Small businesses need a robust cybersecurity plan, because attackers often target them on the assumption that their defenses will be weak.

    So, how can small businesses reinforce their cybersecurity strategy?

    Keep reading for a guide to small business security that will help you build a strategy to meet GDPR requirements and reduce the chance of a data breach.

    Train Your Employees On Data Protection Policies

    Human error is one of the leading causes of data breaches. Experiencing a data breach can put your company’s reputation in the balance and cause significant financial losses. It’s in your best interest to provide employees with adequate training on data protection policies, reducing the risk of human error leading to a data breach. Training lowers that risk; it does not remove it, so the technical controls below still matter.

    Your employees need to know about your data protection policies, and you should teach them about GDPR and the expectations they must meet to ensure compliance.

    When you train your employees on data protection policies, you should also cover the following cybersecurity topics:

    • Password creation – instruct employees to use a unique password for each company account, explain what makes a password strong (length matters more than special characters), and explain why reused or weak passwords open the door to credential-stuffing and brute-force attacks. A password manager makes unique passwords practical, and multi-factor authentication limits the damage when a password does leak.
    • Software updates – train employees to apply updates promptly on every device they use for work. Older versions often contain publicly known vulnerabilities that have been fixed in newer releases, and attackers routinely scan for exactly those unpatched versions. Where possible, turn on automatic updates rather than relying on each person to remember.
    • How to spot phishing scams – phishing and malware are the main ways human error turns into a breach. Train employees to recognize suspicious messages (unexpected attachments, links whose destination does not match the displayed text, urgent requests for credentials or payments) and to report them rather than act on them. Also cover the importance of never sharing sensitive information with an unverified source.

    Install A Firewall

    Firewalls are a basic element of any cybersecurity strategy. Without one, traffic can reach your systems without any checks. A firewall sits at the edge of your network (or on each host) and filters incoming and outgoing traffic against a set of rules, so that only the services you intend to expose are reachable and everything else is blocked by default. Since small businesses are often targeted on the assumption that they are less protected, a firewall is a necessary first layer, but only a first one: it does nothing about a phishing e-mail or a stolen password, which is why the other measures here matter too.

    Encrypt Your Company Data

    In addition to securing your network with a firewall, encrypt your company data. Encryption scrambles data so that it is unreadable to anyone who does not hold the decryption key. If an attacker gets past your firewall and copies data at rest (a stolen laptop, a backup, a database dump), what they have is useless without the key. GDPR recognizes this: when lost data was rendered unintelligible by encryption, the duty to notify affected individuals is relaxed. The caveat is that encryption only helps if the key is kept separate from the data it protects: full-disk encryption protects a lost laptop, but not a running machine an attacker is logged into, and a key stored next to the data it protects is no protection at all.

    Ensure Employees Use A VPN When Working Remotely

    Many small businesses are implementing remote working models to give their employees a better work-life balance while improving productivity. However, with remote work comes the fear of data exposure from compromised employee networks and devices.

    To keep remote work from undermining your data security, require employees to use a VPN when accessing company systems from home. The VPN creates an encrypted tunnel between the employee’s device and your network, so that a home router or public Wi-Fi network cannot read or tamper with the traffic, and it lets you expose internal services only to authenticated VPN users instead of to the whole internet. Note what a VPN does not do: it does not protect a device that is already compromised, which is why it should be combined with prompt updates and the access controls in the next section.

    Implement A Zero-Trust Cyber And Physical Security Strategy

    Zero-trust is a security model, pushed hardest by government agencies but just as applicable to businesses, in which no user, device or network location is trusted by default: every request is authenticated and authorized, and each account gets only the access it needs for its daily tasks (least privilege). Without it, a compromised employee device or account can be used to reach a wide range of company data. With it, a breach of one device or account yields only the limited slice of information that account was allowed to see, and the attacker has to defeat further checks to move anywhere else.

    Zero-trust isn’t just for your cybersecurity policy, either. If a visitor, interviewee, or contractor enters your office building, does this mean they should be able to access your server rooms and rooms housing sensitive data? 

    You need to enforce your cybersecurity policies regarding physical security and ensure that your server rooms are protected from internal and external threats to data security. You can install cloud-based card access control systems on areas housing servers and devices that host sensitive company information, protecting your data from physical and digital threats.

    If you converge your cybersecurity with physical security and also implement cloud security, you are giving your business the best protection from any potential threats.

    Summary

    Small businesses aren’t immune to cybersecurity threats; attackers often target them on the assumption that their defenses will be weak. The measures above won’t make a breach impossible, but they substantially reduce its likelihood and impact, and they cover much of what GDPR expects of a company that handles personal data.

  • DHS Announces $1 Billion State and Local Cybersecurity Grant Program

    DHS Announces $1 Billion State and Local Cybersecurity Grant Program

    The Department of Homeland Security is launching a first-of-its-kind cybersecurity grant program for state, local, and territorial (SLT) governments.

    The State and Local Cybersecurity Grant Program is being funded by President Biden’s Bipartisan Infrastructure Law, providing $1 billion for SLT governments. The grants will help SLT governments to better prepare for and defend against ever-growing cybersecurity threats.

    “Cyberattacks have emerged as one of the most significant threats to our homeland,” said Secretary of Homeland Security Alejandro N. Mayorkas. “In response, we continue to strengthen our nation’s cybersecurity, including by resourcing state and local communities to build and enhance their cyber defenses. The cybersecurity grant process we are starting today is a vital step forward in this critical effort. Our approach is one of partnership, in the service of an all-of-society investment in the security of our homeland.”

    “As we build a better America, we’re ensuring that our infrastructure is more modern and digitally connected. But along the way, we must also take proactive steps to increase our resilience to the increasing threat of cyberattacks,” said White House Infrastructure Coordinator Mitch Landrieu. “Thanks to the President’s Bipartisan Infrastructure Law, we’re making a once-in-a-generation investment of $1 billion in infrastructure cybersecurity, giving our state and local governments the resources they need to guard against debilitating cyber threats. Today’s announcement marks an important step in our commitment to strengthen resilience, protect and improve our nation’s infrastructure, and safeguard our economy.”

  • Patreon Just Let Its Entire Security Team Go [Updated]

    Patreon Just Let Its Entire Security Team Go [Updated]

    Update: Story has been updated with a response from Patreon.

    Patreon may have just put a massive target on its back with the news that it has reportedly laid off its entire security team.

    Patreon is the funding platform that many content creators use to support themselves. The platform gives creators a way to build a community around the content they offer and gives fans the ability to become “patrons” of their favorite creators. Unfortunately, especially for a company that handles so much financial information, Patreon appears to have laid off its security team.

    Emily Metcalfe, Patreon Senior Security Engineer, broke the news in a LinkedIn post:

    So for better or worse, I and the rest of the Patreon Security Team are no longer with the company. As a result I’m looking for a new Security or Privacy Engineering role and would appreciate any connections, advice, or job opportunities from folks in my network.

    Ellen Satterwhite, Patreon’s Interim Head of Communications & US Policy Lead, reached out to WPN to provide some clarity on the company’s decision and reassure users that it will remain a safe and secure platform:

    As a global platform, we will always prioritize the security of our creators’ and customers’ data. As part of a strategic shift of a portion of our security program, we have parted ways with five employees. We also partner with a number of external organizations to continuously develop our security capabilities and conduct regular security assessments to ensure we meet or exceed the highest industry standards. The changes made this week will have no impact on our ability to continue providing a secure and safe platform for our creators and patrons.

    Only time will tell if Patreon’s reliance on “external organizations” will be enough to maintain the security its users rely on. Even with its external partnerships, however, it’s hard to imagine a company of Patreon’s significance letting its own internal security team go.

  • Hyundai Secures Its Vehicle Systems With Sample Encryption Keys

    Hyundai Secures Its Vehicle Systems With Sample Encryption Keys

    In what may be one of the worst examples of cybersecurity practice, Hyundai is being called out for using example encryption keys for its security.

    Encryption keys are critical components of modern cryptography. A cryptosystem’s security rests entirely on its key staying secret: a decryption key that is public protects nothing, and a signing key that is public lets anyone produce “valid” signatures.

    According to The Register, Hyundai’s programmers seemed to have missed the memo and instead used cryptographic keys found in publicly available programming tutorials.

    A developer going by the handle “greenluigi1” discovered he could overwrite the software on Hyundai’s infotainment system with his own, thanks to Hyundai using publicly available cryptographic keys. Once he found the keys, it was a relatively simple matter to package his software so that the system accepted it as a valid update.

    The episode is a case study in bad key management rather than bad cryptography: the algorithms were fine, but a key anyone can look up provides no security at all. The danger to drivers is real, because once a vehicle’s computer system can be made to run attacker-supplied software, key parts of the vehicle’s software can be replaced with malicious ones.

    As manufacturers create vehicles that are increasingly connected to the rest of the world, they’re going to have to do a much better job securing those vehicles — or Hyundai will need to, at the very least.
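    Why a published key makes an update check worthless, and how to catch one before it ships: the following is an added example, not Hyundai’s code or greenluigi1’s tooling. It models the update check as an HMAC over the image (a hypothetical scheme, chosen because it needs only the standard library), shows that an attacker holding the same tutorial key produces an update the unit accepts, and includes a scanner that looks for the raw bytes and hex spellings of well-known example keys (the NIST test vectors listed in the code, which really do appear verbatim in countless tutorials) inside a constructed firmware fragment.

```python
import hashlib
import hmac

# Constructed list of keys that appear verbatim in public standards and tutorials
# (NIST test vectors). These are illustration values, not any vendor's real keys.
KNOWN_PUBLIC_KEYS = {
    "FIPS-197 App. C AES-128 test key": bytes.fromhex("000102030405060708090a0b0c0d0e0f"),
    "SP 800-38A AES-128 test key": bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),
    "all-zero 16-byte key": bytes(16),
}


def tag_update(image: bytes, key: bytes) -> bytes:
    """Hypothetical update 'signature': an HMAC-SHA256 over the image."""
    return hmac.new(key, image, hashlib.sha256).digest()


def accept_update(image: bytes, tag: bytes, key: bytes) -> bool:
    """What the head unit does before flashing: recompute and compare in constant time."""
    return hmac.compare_digest(tag_update(image, key), tag)


def forge_update(image: bytes, leaked_key: bytes) -> tuple:
    """Attacker side: with the same key, any image can be given a 'valid' tag."""
    return image, tag_update(image, leaked_key)


def find_known_keys(blob: bytes) -> list:
    """Scan a firmware image or source tree for well-known example keys, both as
    raw bytes and as their ASCII-hex spelling (how they appear in source code).
    Returns (key name, form, offset) triples."""
    hits = []
    for name, key in KNOWN_PUBLIC_KEYS.items():
        for form, needle in (("raw", key), ("hex", key.hex().encode())):
            start = 0
            while (idx := blob.find(needle, start)) != -1:
                hits.append((name, form, idx))
                start = idx + 1
    return hits


def demo() -> tuple:
    # Constructed firmware fragment: an updater that embeds the SP 800-38A test key
    # as a hex string literal and the FIPS-197 key as raw bytes.
    firmware = (
        b"IVI_UPDATE_LOADER v1.0\n"
        b'aes_key="2b7e151628aed2a6abf7158809cf4f3c"\n'
        + bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    )
    leaks = find_known_keys(firmware)
    leaked_key = KNOWN_PUBLIC_KEYS["SP 800-38A AES-128 test key"]

    vendor_image = b"vendor image v1.1"
    vendor_ok = accept_update(vendor_image, tag_update(vendor_image, leaked_key), leaked_key)

    # The attacker never touched the vendor's build system: the key came from a search result.
    attacker_image, attacker_tag = forge_update(b"attacker image", leaked_key)
    attacker_ok = accept_update(attacker_image, attacker_tag, leaked_key)
    return leaks, vendor_ok, attacker_ok


if __name__ == "__main__":
    leaks, vendor_ok, attacker_ok = demo()
    for name, form, offset in leaks:
        print(f"known public key found: {name} ({form}) at offset {offset}")
    print("vendor image accepted:", vendor_ok)
    print("forged image accepted:", attacker_ok)
```

    Two things follow from the demo. First, the verifier cannot tell the forged image from the real one, because the only secret in the scheme is not secret. Second, a symmetric check like this one is fragile even with a fresh key, since the unit that verifies must hold the same key that signs, and anyone who dumps its firmware gets it; the proper fix is an asymmetric signature, where the vehicle holds only a public key and the private key never leaves the vendor’s signing infrastructure. The scanner is the cheap part: run it over build artifacts in CI, and extend the list with your own test keys so they cannot leak into a release.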

  • PSA: macOS Users Should Update Zoom Immediately

    PSA: macOS Users Should Update Zoom Immediately

    Zoom has released an update to its macOS client that fixes a severe vulnerability in its auto-update mechanism, one that could let a local, low-privileged user gain root access.

    Apple’s macOS is derived from BSD Unix and inherits the Unix root user, which has unrestricted permissions. According to Zoom, a bug in the app’s auto-update process could allow a non-root user to gain root access, a local privilege escalation that represents a major threat to the computer’s security.

    The company has released an update that addresses the issue and all users are advised to update immediately.

    The Zoom Client for Meetings for macOS (Standard and for IT Admin) starting with version 5.7.3 and before 5.11.5 contains a vulnerability in the auto update process. A local low-privileged user could exploit this vulnerability to escalate their privileges to root.

    Users can help keep themselves secure by applying current updates or downloading the latest Zoom software with all current security updates from https://zoom.us/download.
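    Anyone managing more than a handful of Macs will want to know which of them still run an affected build. The version range in Zoom’s bulletin can be turned into an inventory check like the one below, an added example that is not Zoom’s code. The inventory it runs over is constructed; the main thing it guards against is comparing version strings as text, where “5.9.7” sorts after “5.11.5” and a vulnerable install quietly passes.

```python
import re

# Affected range from Zoom's bulletin quoted above: 5.7.3 <= version < 5.11.5
FIRST_AFFECTED = (5, 7, 3)
FIRST_FIXED = (5, 11, 5)

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """'5.11.4 (9542)' -> (5, 11, 4). Build suffixes are ignored and the result
    is padded or truncated to major.minor.patch so tuples compare numerically."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def is_vulnerable(version_text: str) -> bool:
    """True when the installed build falls inside the affected range."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIRST_FIXED


def triage(inventory: dict) -> list:
    """inventory: {hostname: version string} -> hostnames still needing the update."""
    return sorted(host for host, version in inventory.items() if is_vulnerable(version))


if __name__ == "__main__":
    # Constructed inventory, in the shape an MDM export might give it.
    fleet = {
        "mac-001": "5.11.4 (9542)",
        "mac-002": "5.11.5 (9542)",
        "mac-003": "5.7.2",
        "mac-004": "5.9.7",
    }
    print(triage(fleet))
```

    On a single Mac the installed version can be read from the app bundle’s Info.plist, for example with `defaults read /Applications/zoom.us.app/Contents/Info.plist CFBundleShortVersionString` (bundle path assumed), and those strings are what `triage` expects. Zoom shipped a further fix for the same auto-update path shortly after this release, so treat the range above as this bulletin’s range, not as a guarantee about later builds.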

  • CloudBees: 45% of Execs Are Only Halfway Through Securing Supply Chain

    CloudBees: 45% of Execs Are Only Halfway Through Securing Supply Chain

    The latest report from CloudBees is bad news for the software industry, with many companies still not having fully secured their supply chain.

    Supply chain attacks have become increasingly common, with hackers viewing them as a high-reward attack vector. Rather than trying to compromise individual targets, a single, successful attack against a vendor whose software or APIs are used by thousands of companies can yield far greater results.

    Unfortunately, many companies have yet to fully secure their supply chain, according to CloudBees. Of the C-suite executives surveyed, 93% believed they were well-prepared for an attack. A deeper dive, however, showed a different story.

    A whopping 45% of execs say they are only halfway through the process of securing their supply chain, with only 23% nearly done. Even worse, a disturbing 64% say they don’t know who they would turn to first in the wake of an attack.

    “We discovered that as software becomes the primary source of customer experience and value, supply chain security is getting the attention it deserves and at the proper levels in the organization,” writes Prakash Sethuraman, Chief Information Security Officer, CloudBees. “However, this study reveals gaps that indicate supply chain security is not well understood, nor are systems as robust or comprehensive as they should be.

    “Bottom line, the results reinforce the concept that software supply chain security needs to go beyond “shift left” to “shift security everywhere” — with automation. The software you are developing must be as secure as possible, but it doesn’t stop there. The delivery process itself must be protected, and you have to be able to detect and instantly mitigate problems in production to consider your software supply chain as secure.”

  • DDoS Perpetrators Are Clever, But DDoS Mitigation Services Are No Straggler

    DDoS Perpetrators Are Clever, But DDoS Mitigation Services Are No Straggler

    In June 2022 Cloudflare reported mitigating what was then the most powerful HTTPS Distributed Denial-of-Service (DDoS) attack on record. A botnet called Mantis launched a brief but record-setting attack that peaked at 26 million requests per second.

    This recent DDoS incident shows how cybercriminals continue to improve their methods and make their attacks more sophisticated to overcome existing defenses or overwhelm targets with unprecedented volumes of requests. DDoS solution providers, hence, must always be ready to step up in response.

    The Mantis attack

    Mantis is said to be behind the series of attacks that affected almost a thousand customers of the content delivery network firm Cloudflare. It targeted companies in different industries including gaming, finance, telecommunications, and shopping. The attack affected organizations based across the globe including the United States, Canada, the United Kingdom, Germany, France, Ukraine, Poland, and Russia.

    Cloudflare describes Mantis as the next evolution of the Meris botnet, which built its fleet by exploiting a 2018 vulnerability in MikroTik routers and was used against various popular websites. Mantis operates a relatively small fleet of bots, around 5,000, but Cloudflare notes that this fleet is capable of generating massive force, and says Mantis has been “responsible for the largest HTTPS DDoS attacks we have ever observed.”

    The June attack delivered over 212 million HTTPS requests from more than 1,500 networks. It was driven by a botnet that tech journalists characterize as “tiny,” but each node generated approximately 5,200 requests per second, because Mantis runs on hijacked virtual machines and servers and on compromised HTTP proxies rather than on low-powered consumer devices.

    Effective DDoS mitigation

    The surge of malicious web traffic lasted only around 30 seconds, which is still long enough to matter given that users typically abandon a site that fails to load within three to five seconds. It is reassuring, though, that DDoS mitigation solutions are able to fend off new forms of attack and prevent long outages.

    Modern DDoS mitigation services can keep up with the evolving nature of attacks. They now have larger network and processing capacities, shorter latency, and faster time to mitigation. Of course, not all providers are the same, but the top-tier ones are generally enough to prevent serious DDoS consequences.

    Choosing a DDoS mitigation service based on their network and processing capacities can be tricky. Higher is always better but the capacities and costs are directly proportional, so organizations need to weigh their options carefully. DDoS, after all, is not the only cyber threat they have to worry about. They have to allocate resources efficiently and prepare for the unpredictable kinds of attacks they will encounter.

    It is also important to examine the “time to mitigation” for DDoS attacks. Top solutions can respond to attacks within seconds, and this is what organizations should be looking for. The average duration of DDoS attacks in 2021 was 6.1 minutes. This may sound brief or manageable, but a lot can happen within 6.1 minutes. For online businesses, these “few” minutes can already mean several missed sales or opportunities and reputational damage.

    Short-duration attacks are also rarely intended to be harmless. Even the 30-second Mantis attack cited earlier could have been just a part of a bigger cyber-attack. As VentureBeat explains, “organizations should watch out for these types of attacks as they can be a distraction tactic and part of a wider multi-vector attack.”

    Some DDoS mitigation solutions can be configured to ignore brief attacks as insignificant. That is unwise and potentially harmful: a DDoS burst can run in tandem with an intrusion or malware installation carried out while the organization is busy restoring its firewall and other security controls after the disruption.

    Important features

    It is important for DDoS mitigation solutions to have network layer and application layer mitigation. They should also provide secondary asset protection. Additionally, the ability to protect individual IPs is necessary.

    Network layer mitigation is about addressing the volume of an attack, the massive surge of malicious traffic going to a server. Methods to do this include null routing (direction of traffic to a nonexistent IP address), sinkholing (the diversion of traffic away from its target), scrubbing (routing of ingress traffic through a security service), and IP masking (prevention of direct-to-IP DDoS attacks by hiding the origin server’s IP).

    Application layer mitigation entails the profiling of incoming traffic to sort out DDoS bots from legitimate requests. This can be done through multiple inspection methods to detect legitimate traffic including the checking of the IP and Autonomous System Number, examination of behavioral patterns, and cross-inspection of HTTP(S) header content. Application layer mitigation can also be undertaken by posing multiple challenges such as CAPTCHAs to make it difficult for automated requests to move ahead.
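    The per-source profiling just described can be illustrated with a sliding-window request-rate check over ordinary web server logs. This is an added example, not code from any of the providers mentioned; the log lines are constructed (combined log format), and the window and threshold are toy values. A Mantis node at roughly 5,200 requests per second would trip a realistic threshold thousands of times over, while the browsing client in the sample stays under it.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format; lines must be fed in timestamp order.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: one browsing client and one node hammering the login page.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2022:12:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2022:12:00:01 +0000] "GET /app.js HTTP/1.1" 200 90112 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jul/2022:12:00:02 +0000] "POST /login HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.9 - - [10/Jul/2022:12:00:02 +0000] "POST /login HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.9 - - [10/Jul/2022:12:00:02 +0000] "POST /login HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.9 - - [10/Jul/2022:12:00:02 +0000] "POST /login HTTP/1.1" 200 412 "-" "-"',
    'this line is not in the expected format',
    '198.51.100.9 - - [10/Jul/2022:12:00:02 +0000] "POST /login HTTP/1.1" 200 412 "-" "-"',
    '198.51.100.9 - - [10/Jul/2022:12:00:03 +0000] "POST /login HTTP/1.1" 200 412 "-" "-"',
    '203.0.113.7 - - [10/Jul/2022:12:00:03 +0000] "GET /api/items HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jul/2022:12:00:04 +0000] "GET /api/items?page=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def parse_line(line: str):
    """Return (ip, unix_ts, request, user_agent), or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["req"], m["ua"]


def flag_sources(lines, window: float = 2.0, max_requests: int = 5) -> dict:
    """Sliding-window rate check per source IP.
    Returns {ip: timestamp at which it first exceeded max_requests within window}."""
    recent = defaultdict(deque)
    flagged = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line; in production count these and alert on spikes
        ip, ts, _req, _ua = parsed
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop requests that have fallen out of the window
        if len(q) > max_requests and ip not in flagged:
            flagged[ip] = ts
    return flagged


def profile_sources(lines) -> dict:
    """Per-IP profile used alongside the rate check: request count, distinct
    paths and user agents. One path, an empty UA and a high rate is a bot shape."""
    prof = defaultdict(lambda: {"requests": 0, "paths": set(), "user_agents": set()})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, _ts, req, ua = parsed
        path = req.split(" ")[1] if " " in req else req
        prof[ip]["requests"] += 1
        prof[ip]["paths"].add(path)
        prof[ip]["user_agents"].add(ua)
    return dict(prof)


if __name__ == "__main__":
    for ip, ts in flag_sources(SAMPLE_LOG).items():
        print(f"rate-limit {ip}: exceeded threshold at {ts:.0f}")
    for ip, p in profile_sources(SAMPLE_LOG).items():
        print(ip, p["requests"], sorted(p["paths"]), sorted(p["user_agents"]))
```

    The rate check is what catches a small fleet of very fast nodes; the profile is what keeps it from blocking a busy but legitimate client, since a real browser fetches many different paths with a consistent user agent. In production both run at the edge (or in the mitigation provider’s scrubbing layer) rather than on the origin, and the per-IP state is kept in something faster than a Python dictionary, but the logic is the same.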

    As mentioned, DDoS attacks may come with other cyberattacks. These other attacks can target various IT assets including DNS servers, web servers, email servers, FTP servers, as well as ERP and CRM platforms. It is important for a DDoS mitigation solution to likewise provide protection for these assets through features such as DNS name server protection and app protection.

    Moreover, it is crucial to examine the ability of a DDoS defense system to provide individual IP protection. DDoS solutions are traditionally limited to shielding IP ranges, not specific IPs representing specific cloud environments and assets. In modern use cases, the ability to protect individual IPs is essential to enabling immediate DDoS security for specific IPs or IT assets.

    Continuous protection improvement

    This post is not saying that DDoS mitigation services at present are already in their optimum form. As long as threats continue to evolve and threat actors ceaselessly find new ways to get around defenses, mitigation solutions should likewise improve. It is reassuring to know that security firms persistently enhance and advance the technologies or solutions they offer against DDoS.

    Still, the intended users of these solutions should be mindful of the options they pick. Different providers offer varying DDoS protection performance. Not everyone stays abreast with the latest threat methods. Not all security providers are mindful of the attack combinations that use DDoS as a smoke bomb or deception to conceal more sinister cyberattack schemes.

  • T-Mobile Agrees to $350 Million Settlement Over Data Breach

    T-Mobile Agrees to $350 Million Settlement Over Data Breach

    T-Mobile has agreed to a $350 million settlement over a data breach in 2021 that impacted some 76 million US individuals.

    A hacker claimed to have breached T-Mobile’s servers in 2021 and tried to sell a subset of the data. T-Mobile acknowledged the breach, saying the compromised data included “customers’ first and last names, date of birth, SSN, and driver’s license/ID information for a subset of current and former postpay customers and prospective T-Mobile customers.”

    According to CNN, the company has agreed to pay a $350 million settlement to address several class-action suits, as well as spend an additional $150 million to improve cybersecurity through 2023.

    “Customers are first in everything we do and protecting their information is a top priority,” the company said in a statement. “Like every company, we are not immune to these criminal attacks. Our efforts to guard against them continue and over the past year we have doubled down on our extensive cybersecurity program to enhance existing programs.”