Cybersecurity News of the Week, May 19, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Corner

Every organization faces the challenge of deciding how much to invest in information security, and where to invest it. Every dollar a business spends securing information is a dollar that can’t be spent on sales, operations, or any of the other competing demands for resources. And, assuming information security dollars are being spent wisely, every dollar not spent on information security increases the risk that the business will suffer a cybersecurity incident. If the business holds other people’s sensitive information, that not-spent dollar also increases the likelihood those people will be harmed. This is the reasonableness challenge every business and nonprofit faces: given our unique circumstances, what is a reasonable budget for information security, and where should we spend it to best lower our risk?

The reasonableness challenge has legal overtones, as emerging laws and regulations (including California’s CCPA) use phrases like “reasonable practices” without defining them. We’re also seeing growing numbers of lawsuits claiming that defendants’ information security practices are not reasonable.

The Center for Internet Security has made a major contribution to this question with the publication of A Guide to Defining Reasonable Cybersecurity. The Guide provides a detailed and well-thought-out analysis of emerging laws, regulations, and lawsuits. It also makes the case that a company that implements the CIS Critical Security Controls, version 8, using the Center’s Risk Assessment Method (CIS RAM) will meet the legal standard for reasonableness.

SecureTheVillage has been a leader in the Los Angeles community on the subject of reasonable security since our founding in 2015. We will host our 5th Annual Reasonableness Seminar / Webinar this October during National Cybersecurity Awareness Month. We are also strong proponents of the Center for Internet Security’s work: we embedded it in our own 2019 CCPA recommendations on Minimum Reasonable Information Security Practices, and it is integral to our LA Cybersecure Program.

We can all be grateful to the Center for Internet Security for their Guide. Kudos.

From SecureTheVillage

  • Smaller business? Nonprofit? Take your security to the next level. Apply Now! If you’re a small business or nonprofit in the greater Los Angeles area, apply NOW for LA Cybersecure. Protect your organization with our innovative team-based learn-by-doing program with coaching and guidance that costs less than two cups of coffee a week.
  • IT Service Provider / MSP? Take your clients’ security to the next level. Apply Now! If you’re an IT service provider in the greater Los Angeles area, apply NOW for LA Cybersecure. With our innovative team-based learn-by-doing program, you’ll have both that “seat at the table” and the peace of mind that you’re providing your clients with the IT security management they need.
  • The LA Cybersecure Program is funded in part by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
  • Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? It’s for your parents, your friends, and anyone who needs to protect themselves in a digital world. Sign up, or share it with a friend, and add it to your free subscription.
  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basic controls, and download our free updated 13-step guide.
  • Please Support SecureTheVillage: We need your help if we’re to build a world of CyberGuardians™. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.™

Cybersecurity Nonprofit of the Week … National Cybersecurity Alliance

Kudos this week to the National Cybersecurity Alliance, a non-profit organization on a mission to create a more secure, interconnected world. The Alliance is an advocate for the safe use of technology, educating everyone on how we can protect ourselves, our families, and our organizations from cybercrime. They create strong partnerships between governments and corporations to amplify their message and to foster a greater “digital” good, encouraging everyone to do their part to prevent digital wrongdoing of any kind. As they say, the real solution to cybercrime isn’t technology, it’s all of us doing our part. Like SecureTheVillage, the National Cybersecurity Alliance is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits.

Cyber Humor

Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Parents. Teach your children. Please.

Teach your family. Set up code words. Be prepared.

  • Scammers use deepfake voices to demand ransom in fake kidnappings: Amanda Hardesty’s family recently fell victim to a fake kidnapping scam. She said her 19-year-old son got a call from someone claiming to have kidnapped his younger sister. … “But really what put him in a panic was when she got on the phone. And when she got on the phone, it was her voice and she was begging her brother for her life,” said Hardesty. … Hardesty’s daughter had not been kidnapped and was in a high school classroom at the time. Apparently, scammers are using artificial intelligence (AI) to mimic a person’s voice to convince a loved one that they had been kidnapped and their life threatened. … “Technology has brought so much good to the world and it’s brought so much bad,” she said.

If you have a D-Link router, patch it now.

Section 3: Cybersecurity and Privacy News for the Cyber-Concerned.

This is a story we don’t need. Public and private sector cybersecurity defenders alike rely on timely, accurate information about system vulnerabilities. We now have a critical backlog of known vulnerabilities for which basic information, like how dangerous each one is, is lacking. IT and security departments rely on this information. IT service providers and MSPs that manage their clients’ IT infrastructure rely on it. This is no time to let the National Vulnerability Database fall through the cracks. Why wasn’t this resolved months ago, before the chaos?

  • Experts Warn the NVD Backlog Is Reaching a Breaking Point: Federal Database Nears 10,000 Unanalyzed Vulnerabilities Amid Halt in Operations. … The United States’ federal database for tracking security vulnerabilities has virtually ground to a halt. Analysis of newly disclosed vulnerabilities and exposures has become nearly nonexistent as experts warn that the massive backlog and ongoing issues could result in supply chain risks across critical sectors. … One critical question must be resolved to fix NVD’s issues, said Michael Daniel, president and CEO of the Cyber Threat Alliance and a former cybersecurity coordinator on the National Security Council. Who should be responsible for populating the database with information to provide comprehensive and actionable risk information? There’s debate over whether the database, currently managed by the National Institute of Standards and Technology, should migrate to the Cybersecurity and Infrastructure Security Agency or even to the private sector, which handles much of the vulnerability management process.
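The gap described above, a CVE record that exists while NIST’s own severity analysis is missing, is something a defender can check directly in the feed they already pull. The following is an added example, not code from this page, from NIST, or from any vendor: it parses a response in the shape of the NVD API 2.0 CVE feed (assumed schema: each item carries cve.id, cve.vulnStatus and optional cve.metrics.cvssMetricV31 / cvssMetricV30 entries, where NIST’s own score has type "Primary" and a CNA-supplied score has type "Secondary") and separates CVEs that NIST has scored from those where only the CNA has supplied a score or where no score exists at all. The CVE identifiers, sources and values in SAMPLE_NVD_RESPONSE are constructed placeholders, and the triage() and unscored() helpers are this example’s own.

```python
"""Which CVEs in an NVD API 2.0 response still lack a severity rating?

Added example. It parses records in the shape returned by
https://services.nvd.nist.gov/rest/json/cves/2.0 (assumed schema: each item has
cve.id, cve.vulnStatus and optional cve.metrics.cvssMetricV31 / cvssMetricV30,
where NIST's own score has type "Primary" and a CNA-supplied score "Secondary").
"""
import json

# Constructed sample response. The CVE IDs, sources and scores are placeholders,
# not real NVD records.
SAMPLE_NVD_RESPONSE = json.dumps({
    "vulnerabilities": [
        # Fully analyzed by NIST: a Primary score is present.
        {"cve": {"id": "CVE-0000-0001", "vulnStatus": "Analyzed",
                 "metrics": {"cvssMetricV31": [
                     {"source": "nvd@nist.gov", "type": "Primary",
                      "cvssData": {"baseScore": 9.8, "baseSeverity": "CRITICAL",
                                   "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}]}}},
        # NIST has not analyzed this one, but the CNA supplied a score.
        {"cve": {"id": "CVE-0000-0002", "vulnStatus": "Awaiting Analysis",
                 "metrics": {"cvssMetricV31": [
                     {"source": "cna@example.org", "type": "Secondary",
                      "cvssData": {"baseScore": 7.5, "baseSeverity": "HIGH",
                                   "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"}}]}}},
        # Awaiting analysis with no metrics at all: the backlog case.
        {"cve": {"id": "CVE-0000-0003", "vulnStatus": "Awaiting Analysis", "metrics": {}}},
        # Freshly received: no metrics key yet.
        {"cve": {"id": "CVE-0000-0004", "vulnStatus": "Received"}},
    ]
})


def triage(nvd_json):
    """Map each CVE id to its NVD status and the best available CVSS base score.

    score_source is "nvd" for NIST's Primary score, "cna" when only a
    Secondary (CNA-supplied) score exists, and None when there is no score.
    """
    report = {}
    for item in json.loads(nvd_json).get("vulnerabilities", []):
        cve = item["cve"]
        metrics = cve.get("metrics", {})
        scores = metrics.get("cvssMetricV31", []) + metrics.get("cvssMetricV30", [])
        primary = [m for m in scores if m.get("type") == "Primary"]
        secondary = [m for m in scores if m.get("type") == "Secondary"]
        if primary:
            source, score = "nvd", primary[0]["cvssData"]["baseScore"]
        elif secondary:
            source, score = "cna", secondary[0]["cvssData"]["baseScore"]
        else:
            source, score = None, None
        report[cve["id"]] = {
            "status": cve.get("vulnStatus"),
            "score_source": source,
            "base_score": score,
        }
    return report


def unscored(report):
    """CVE ids with no CVSS score from any source: these need manual triage."""
    return sorted(cve_id for cve_id, row in report.items() if row["score_source"] is None)


if __name__ == "__main__":
    result = triage(SAMPLE_NVD_RESPONSE)
    for cve_id, row in result.items():
        print(f"{cve_id}: {row['status']}; score={row['base_score']} from {row['score_source']}")
    print("needs manual triage:", unscored(result))
```

During a backlog the Secondary, CNA-supplied metrics are often the only severity data in the record; treating them as provisional rather than as absent keeps patch prioritization moving, while the unscored() list is the set that still needs a human to read the advisory.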

Security and privacy laws and regulations are in the news this week. I’m rooting for the Vermont Governor to sign the privacy act.

  • Financial institutions have 30 days to disclose breaches under new rules: The Securities and Exchange Commission (SEC) will require some financial institutions to disclose security breaches within 30 days of learning about them. … On Wednesday, the SEC adopted changes to Regulation S-P, which governs the treatment of the personal information of consumers. Under the amendments, institutions must notify individuals whose personal information was compromised “as soon as practicable, but not later than 30 days” after learning of unauthorized network access or use of customer data. The new requirements will be binding on broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.
  • Vermont just passed one of the strongest privacy bills nationwide, Gov. Scott considering a veto: The bill will increase consumer privacy and security by limiting corporate data collection of personal information. … Last week, in the final hours of the legislative session, the Vermont legislature passed H121, a data privacy bill sponsored by Rep. Monique Priestly that would put strict limits on how companies can collect and use data. If signed, it will be one of the strongest privacy laws in the nation, joining Maryland – which enacted its privacy law last week – in raising the bar for privacy protections nationally.

The travails of UniSuper after Google Cloud accidentally deleted its account are a reminder that information security is about managing risk. The only certainties continue to be death and taxes.

This week in cybercrime. An active ransomware campaign by the LockBit gang uses emails with attached ZIP files. Ascension’s ransomware ordeal is only the visible tip of the Black Basta gang’s attacks on critical infrastructure. Wichita, Kansas, continues to use paper and pencil as it digs out from under its ransomware attack. Not even Europol is immune. And we now know the name of the company that suffered a $25 million deepfake fraud last February.

  • Botnet sent millions of emails in LockBit Black ransomware campaign: Since April, millions of phishing emails have been sent through the Phorpiex botnet to conduct a large-scale LockBit Black ransomware campaign. … The attackers use ZIP attachments containing an executable that deploys the LockBit Black payload, which encrypts the recipients’ systems if launched. … These phishing emails with “your document” and “photo of you???” subject lines are being sent using “Jenny Brown” or “Jenny Green” aliases from over 1,500 unique IP addresses worldwide, including Kazakhstan, Uzbekistan, Iran, Russia, and China.
  • Black Basta ransomware group is imperiling critical infrastructure, groups warn: Threat group has targeted 500 organizations. One is currently struggling to cope. … Federal agencies, health care associations, and security researchers are warning that a ransomware group tracked under the name Black Basta is ravaging critical infrastructure sectors in attacks that have targeted more than 500 organizations in the past two years. … One of the latest casualties of the native Russian-speaking group, according to CNN, is Ascension, a St. Louis-based health care system that includes 140 hospitals in 19 states. A network intrusion that struck the nonprofit last week took down many of its automated processes for handling patient care, including its systems for managing electronic health records and ordering tests, procedures, and medications. In the aftermath, Ascension has diverted ambulances from some of its hospitals and relied on manual processes.
  • ‘Hospitals in chaos.’ Ascension hospitals still dealing with problems from cyberattack: A major cyberattack is still affecting health care at Ascension. The ransomware attack that began on Wednesday, May 8, has medical providers reverting to pen and paper, leading to longer wait times at the ER and much more. According to Ascension, they are focused on restoring systems safely and said they are making progress, but it “will take time to return to normal operations.” … Some nurses and patients have described “hospitals in chaos” at Ascension facilities across the country.
  • Law enforcement data stolen in Wichita ransomware attack: The city of Wichita warned its residents on Tuesday that the gang behind a recent ransomware attack likely stole sensitive law enforcement information. … In a data breach notice about the incident, which is still affecting numerous city services, the government said hackers copied files from its network between May 3-4. … “These files contained law enforcement incident and traffic information, which include names, Social Security numbers, driver’s license or state identification card numbers, and payment card information,” city officials said, noting that the hackers got in through a “recently disclosed security vulnerability that affects organizations throughout the world.” Wichita officials said there is still no timetable for when affected systems will be brought back online. Since the incident, police officers have had to keep paper records and all city offices have had to revert to cash payments in lieu of access to credit card systems.
  • Europol Investigating Breach After Hacker Offers to Sell Classified Data: Europol is investigating a data breach, but says no core systems are impacted and no operational data has been compromised.
  • UK engineering firm Arup falls victim to £20m deepfake scam: Hong Kong employee was duped into sending cash to criminals by AI-generated video call. … The British engineering company Arup has confirmed it was the victim of a deepfake fraud after an employee was duped into sending HK$200m (£20m) to criminals by an artificial intelligence-generated video call.
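The Phorpiex lure in the LockBit Black item above is a ZIP attachment carrying an executable that runs if the recipient launches it. The following is an added example, not code from this page or from any vendor or gateway product: a mail-gateway-side check that opens a ZIP in memory and flags members that are executables by extension or by the “MZ” magic bytes of a Windows PE file, including inside a nested ZIP, and that treats encrypted or oversized members as suspicious rather than silently skipping them. It goes a little beyond the campaign as described, since a renamed .exe or a zip-in-zip is caught as well. The attachment built by build_sample_attachment() is constructed for this example, with inert “MZ” stubs in place of any real payload; EXECUTABLE_EXTENSIONS is a starter list, not an exhaustive one, and the function names are this example’s own.

```python
"""Flag ZIP attachments that carry executables (by name or by magic bytes).

Added example. The attachment and payloads below are constructed for this
example: the "executables" are inert 'MZ' headers plus padding, not real code.
"""
import io
import os
import zipfile

# Starter list of extensions Windows will execute; extend for your environment.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".dll", ".msi",
                         ".bat", ".cmd", ".js", ".vbs", ".hta", ".ps1"}
PE_MAGIC = b"MZ"                      # DOS/PE header: a renamed .exe still starts with it
ZIP_MAGIC = b"PK\x03\x04"             # local-file header that begins a ZIP
MAX_NESTING = 2                       # zip-in-zip is common in lures; cap the recursion
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate huge members (zip-bomb guard)


def executable_members(zip_bytes, prefix="", depth=0):
    """Return [(member_path, reason)] for every member that looks executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            path = prefix + info.filename
            if info.flag_bits & 0x1:                  # encrypted member: cannot inspect,
                findings.append((path, "encrypted member"))   # and a classic evasion
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((path, "oversized member"))
                continue
            data = zf.read(info)
            reasons = []
            if os.path.splitext(info.filename)[1].lower() in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            if data.startswith(PE_MAGIC):
                reasons.append("PE magic bytes")
            if reasons:
                findings.append((path, ", ".join(reasons)))
            elif data.startswith(ZIP_MAGIC) and depth < MAX_NESTING:
                findings.extend(executable_members(data, path + "/", depth + 1))
    return findings


def is_suspicious(zip_bytes):
    """True if the attachment should be quarantined for review."""
    try:
        return bool(executable_members(zip_bytes))
    except zipfile.BadZipFile:
        return True                                   # malformed archive: quarantine too


def build_sample_attachment():
    """Constructed lure in the shape the campaign used: a ZIP whose members are PE stubs."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as izf:
        izf.writestr("invoice.scr", PE_MAGIC + b"\x00" * 24)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("your document.pdf.exe", PE_MAGIC + b"\x90" * 64)  # double extension
        zf.writestr("photo of you.jpg", PE_MAGIC + b"\x00" * 64)       # PE under an image name
        zf.writestr("readme.txt", b"plain text, nothing to see")
        zf.writestr("archive.zip", inner.getvalue())                   # nested archive
    return buf.getvalue()


def build_clean_attachment():
    """Constructed benign ZIP for comparison."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes.txt", b"meeting notes")
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in executable_members(build_sample_attachment()):
        print(f"FLAG {path}: {reason}")
    print("clean attachment suspicious?", is_suspicious(build_clean_attachment()))
```

The extension check alone would miss “photo of you.jpg”, and the magic-bytes check alone would miss a script such as a .js or .vbs dropper, which is why both run on every member; quarantining encrypted and malformed archives is deliberate, since a gateway that lets through whatever it cannot inspect is an easy gateway to bypass.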

Section 4: Helping Executives Understand Why and Know How.

A Wall Street Journal survey of compliance professionals continues to show increased concern about managing cybersecurity compliance. According to the Journal, 90% said their cybersecurity compliance program was at least somewhat effective. But “somewhat effective” seems far too low a bar to set. What percentage believe their cybersecurity compliance is “very effective”? And how do they know they’re not succumbing to the Lake Wobegon effect? Given the growth of cybercrime, together with the resulting laws, regulations, and lawsuits, anything less than an ability to demonstrate a “very effective” program would seem not to be reasonable.

  • Cyber Threats Rise Along With Scrutiny of How Companies Handle Hacks: Cybersecurity threats increased for businesses over the past year, according to a Wall Street Journal survey of compliance professionals. … Nine out of 10 companies said cybersecurity risks rose, with nearly half saying the risk shot up substantially. Almost all midsize companies—those with between $50 million and $1 billion in revenue—said they felt cyber threats had increased. … Accompanying the heightened cyber risk is increased uncertainty about their compliance department’s ability to respond to incoming threats. … Nearly half of compliance survey respondents said they had only a basic or novice level of expertise in overseeing cybersecurity-related compliance. Only 8% considered themselves experts. … The need to staff up to handle incoming cyber threats also weighs on the mind of compliance professionals. Nearly seven out of 10 respondents told us they have needed to gain knowledge in this area over the past year. Despite these challenges, 90% said their cybersecurity compliance program was at least somewhat effective. Only 2% called their program “very ineffective.”

Section 5: Securing the Technology.

A warning to IT service providers. Let’s be careful out there.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge