Cybersecurity News of the Week, April 30, 2023

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Top of the News

Our lead stories this week both concern the Administration’s National Cybersecurity Strategy. First up is a piece by CISA (the Cybersecurity and Infrastructure Security Agency) on basic principles for building security into our technology. We take brakes, seatbelts, and other safety measures for granted when we get in our cars; we need to build this kind of basic security into our technology. The second article reminds us that simply building in security will not be sufficient unless the person behind the wheel does their part.

  • Secure by Design, Secure by Default: It’s time to build cybersecurity into the design and manufacture of technology products. Find out here what it means to be secure by design and secure by default. … As America’s Cyber Defense Agency, CISA is charged with defending our nation against ever-evolving cyber threats and to understand, manage, and reduce risk to the cyber and physical infrastructure that Americans rely on every hour of every day. But, as we introduce more unsafe technology to our lives, this has become increasingly difficult.
  • There’s No Silver Bullet for Cybersecurity: Governments are incapable of fixing the insecurity of the internet by themselves, and businesses are unlikely to do it until the economic pain of ignoring the insecurity of the internet becomes greater than the profits it can earn from it. There are no silver bullets. … Government officials in the U.S. and the UK recently took victory laps after reporting a 15% reduction in ransomware attacks. Ironically, as both governments issued press releases and touted their accomplishments, a global ransomware blitz by a presumed group of Russian and Chinese hackers was underway. The attacks infected an estimated 5,000 victims in Europe and the U.S. with ransomware, demonstrating the two-steps-forward, one-step-back nature of fighting the war on cyber terror.

How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.

  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short quiz; your answers will help you and guide us in improving community safety.

New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? It is for your parents, friends, and all those who need to protect themselves in a digital world. Edition 1 features info on how to freeze your credit and what ‘marriage scams’ are. Sign up or share with a friend!

Upcoming events. Please join us.

Cyber Humor

Cybersecurity Nonprofit of the Week … Cybercrime Support Network

Kudos this week to the Cybercrime Support Network, a nonprofit that helps individuals and small businesses impacted by cybercrime. As a leading voice for cybercrime victims, the Cybercrime Support Network is dedicated to serving those affected by the ever-growing impact of cybercrime before, during, and after an incident. Founded in 2017, Cybercrime Support Network (CSN) connects victims to resources, increases cybercrime and online fraud reporting, and decreases revictimization. Since November 2018, CSN has provided help to over 1,000,000 individuals and small businesses. Like SecureTheVillage, the Cybercrime Support Network is a fellow member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits.

Live on Cyber with Dr. Stan – Live on LinkedIn and Your Favorite Podcast Platform

Waiting for security: (Video) (Podcast): This week Stan and Julie riff on a key component of the National Cybersecurity Strategy: Secure by design. Secure by default. How it’s a long-term strategy. How we don’t have time to wait. … Someday security will be built into our computers and applications the way safety is built into cars. But not now. Not yet. Now we’re back in the 1930s without seatbelts, without collapsible steering wheels, without padded dashboards. Even without safety glass. … The lack of built-in security in our digital lives pushes security responsibility onto us, the end users. CISA head Jen Easterly describes it this way: “As a nation, we have allowed a system where the cybersecurity burden is placed disproportionately on the shoulders of consumers and small organizations and away from the producers of the technology and those developing the products that increasingly run our digital lives.” … As always, Stan and Julie provide actionable tips and thoughtful wisdom about the steps we can take to protect our cybersecurity and privacy while we wait for our cybersecurity Nirvana.

Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

This is a follow-up to earlier identity theft stories from the Wall Street Journal and the Los Angeles Times. Be careful out there!!!

Our next story illustrates the theme of this week’s podcast. Yes, it’s my decision if I want to pay extra for leather seats. But MFA isn’t leather seats. It’s Meta and Twitter charging extra for seatbelts and brakes. I’m not a fan of regulations, but this story demonstrates that we need them. Our applications need to be secure by default. As we pointed out in our Top of the News, it’s not a silver bullet, but it’s a start.

  • Are Meta and Twitter Making Cybersecurity Less Accessible?: Customers pay for additional features along with their purchases all the time. You can upgrade a car’s seats from fabric to leather, or pay for more analytics on a marketing automation platform. But the new upcharges for security features on social media accounts have experts concerned about the overall impact on cybersecurity.

Section 3 – Cybersecurity News for the Cyber-Concerned.

Several national cybersecurity stories made the news this week, commencing with a story we began covering several weeks ago.

  • The perilous path to a new cybercrime treaty: A U.N. panel is working on a cybercrime treaty. Here’s what it could look like. SAN FRANCISCO — A U.N. panel recently completed the latest round of negotiations over a new cybercrime treaty. That process is now rapidly hurtling toward its end. The thorny debate over the treaty has been marked by Russia pushing for a treaty that expands the definition of cybercrime in a way that worries the United States, human rights activists and civil liberties groups. The United States and its allies had been comfortable with a preexisting cybercrime treaty known as the Budapest Convention but have nonetheless engaged in the discussions.
  • (ISC)² Urges Countries to Strengthen Collaboration on Cybersecurity Regulation: As cybersecurity policies and regulations evolve rapidly around the world, greater collaboration is necessary to ensure more robust and resilient frameworks to support shared learning and best practices, according to (ISC)². … The international cybersecurity non-profit has led new research in collaboration with the Royal United Services Institute (RUSI), a British think tank, examining cybersecurity legislation and regulation within the UK, the US, Canada, the EU, Japan and Singapore. … The report, titled Global Approaches to Cyber Policy, Legislation and Regulation, was published on April 27, 2023.
  • Chinese cyber threat ‘unparalleled,’ FBI director says: China is the biggest threat to the United States, per Director Christopher Wray. The Chinese cyber threat is “unparalleled” by any other national security challenge seen by the U.S. government, according to FBI Director Christopher Wray.
  • Federal Law Enforcement’s New Focus is on ‘Disruption’ of Cybercrime: Deputy Attorney General Lisa Monaco told attendees at the 2023 RSA Conference that the Department of Justice will be taking a “disruption” approach to cybercrime. Monaco noted that success will be seen with a “bias towards action,” rather than just courtroom victories.

Election security is back in the news with two stories. The first looks back to the 2020 election while the second looks forward to 2024.

The following stories are particularly disturbing because they’re all preventable. Do you take your physical security seriously? Then why not your cybersecurity? These stories are disturbing for what they say about our lack of care and attention.

And the outcome of our failures is shown in the stories on cybercrime and its aftermath.

A few miscellaneous stories to round out the week’s news. The first story from the Columbia Journalism Review is fascinating.

  • The Hacker: Runa Sandvik has made it her life’s work to protect journalists against cyberattacks. Authoritarian regimes are keeping her in business.
  • 5 ways threat actors can use ChatGPT to enhance attacks: New research details how attackers can use AI-driven systems like ChatGPT in different aspects of cyberattacks including reconnaissance, phishing, and developing polymorphic code. The Cloud Security Alliance (CSA) has revealed five ways malicious actors can use ChatGPT to enhance their attack toolset in a new report exploring the cybersecurity implications of large language models (LLMs). The Security Implications of ChatGPT paper details how threat actors can exploit AI-driven systems in different aspects of cyberattacks including enumeration, foothold assistance, reconnaissance, phishing, and the generation of polymorphic code. By examining these topics, the CSA said it aims to raise awareness of the potential threats and emphasize the need for robust security measures and responsible AI development.
  • FDA warns of security vulnerability in Illumina’s DNA sequencing machines: The Food and Drug Administration warned health care providers Thursday that a security vulnerability in DNA sequencers made by Illumina could allow unauthorized users to access or alter potentially important medical data.

Section 4 – Managing Information Security and Privacy in Your Organization.

My long-time friend and colleague, CFO for Rent Gene Siciliano, wrote about a cybersecurity failure in his weekly blog post. Denial is NOT a river in Egypt. Denial can be costly, even deadly. If you’re an executive and your IT Director or IT service provider can’t tell you what your biggest security vulnerability is and what they’re doing to manage it, then they are not managing the security of your information. Thanks to Gene for his eye-opening blog.

  • Cybersecurity is (not) our problem: One of the ways I try to make a difference in the world of business is by serving on boards of directors, both fiduciary and advisory, for privately owned companies and nonprofits. A year or so ago I raised the issue of cybersecurity for one of our larger clients, a large operator of franchised fast food restaurants for whom I have served for several years as a member of their Advisory Board. The executive in charge of IT resisted bringing the discussion to the Board … This week, about a year later and one day before this quarter’s scheduled meeting, the President announced in a short email that they had to cancel the meeting because they have been dealing with a cybersecurity incident. After a week of working the problem they still don’t have access to all their files, and thus were unable to prepare for or participate in the scheduled board meeting.

Minutes count when you’re trying to recover stolen money. This talk at RSA recommends getting to know law enforcement before you need them.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.
