Cybersecurity News of the Week, August 23, 2020

SecureTheVillage Calendar

Technology & Security Management HappyHour: LA Cyber Lab with Policy Director for Cybersecurity Chris Covino. August 25 @ 4:30 pm – 5:30 pm PDT

CyberFreedom Webinar: Taming The Tiger: How to Detect, Deter, & Defeat Disinformation with Marc Ambinder. September 8 @ 10:00 am – 11:00 am PDT

Information Security Management Webinar: The Great Reboot: Succeeding in a World of Catastrophic Risk and Opportunity with Bob Zukis & Others. September 10 @ 10:00 am – 11:00 am PDT

Insurance Brokers Cybersecurity Roundtable: Cybersecurity Essentials for Small & Medium Businesses with Deron T. McElroy, CISA. September 15 @ 2:00 pm – 3:00 pm PDT

Financial Services Cybersecurity Roundtable: Top Cybersecurity Threats of 2020 with Sherri Davidoff of LMG Security. September 25 @ 8:00 am – 10:00 am PDT

Information Security Management Webinar: Conversation on the Cyber Risk Landscape with Deron T. McElroy, CISA. November 12 @ 10:00 am – 11:00 am PST

Individuals at Risk

Cyber Warning

Over a Billion Android Phones Turned Into Perfect Spying Tools by Security Flaws: Over a billion smartphones are affected by a set of 400 security flaws, turning them into perfect spying tools, Check Point has revealed. The recently discovered vulnerability affects over 40% of Android phones around the world — 90% of them are currently in the US market. CPO, August 20, 2020

Cyber Defense

10 cybersecurity myths you need to stop believing: On the Dark Web, you can purchase cybercrime “how-to kits” that gather lists of breached names, account numbers, passwords, and even telephone support lines for the victims to call. It’s not difficult to get on the Dark Web. Tap or click here for my short guide that tells you how to access the Dark Web. USA Today, August 20, 2020

Information Security Management for the Organization

Information Security Management

When Your Heartbeat Becomes Data: Benefits and Risk of Biometrics: Knowing who your users are today is more important than ever. This explains, in part, why integrating biometric usage into identity and access management (IAM) appears appealing. Throw in some artificial intelligence (AI) to help manage all these data points, and the future of biometrics looks pretty wild. SecurityIntelligence, August 21, 2020

The Blackbaud Breach – Focus on Vendors: In July of this year, Blackbaud, a U.S. based cloud computing provider and one of the world’s largest providers of administration, fundraising, and financial management software, notified its clients that it had discovered and stopped a ransomware attack. Robert Braun, JMBM Cybersecurity Lawyer Forum, August 21, 2020

Digital Transformation: Breaking Down Silos for Better Data Security: Today, enterprises are under pressure to improve the power and reduce the cost of running mission-critical business applications by migrating to modern software architectures. By breaking down the silos between adjacent teams and the tools they use, security teams can do this at the same time as they take steps toward zero trust and true security unification. SecurityIntelligence, August 20, 2020

Vendor security in the cross-hairs as Instacart discloses security incident caused by two contractors … Instacart says two employees at a third-party support vendor accessed “more shopper profiles than was necessary.”: Grocery delivery and pick-up service Instacart disclosed a security incident caused by two employees working for a company providing tech support services for Instacart shoppers. ZDNet, August 20, 2020

How the shift to remote working has impacted cybersecurity … Cybercriminals have adapted by exploiting improperly secured VPNs, cloud-based services, and business email, says Malwarebytes: Triggered by the coronavirus lockdown, the abrupt transition to a work from home (WFH) venue forced organizations to scramble to support a larger remote workforce. Such a quick shift means that certain security measures and requirements inevitably fell by the wayside. At the same time, cybercriminals found a new opportunity for attack with remote workers and improperly secured connections and technologies. Together, these trends have created a more vulnerable environment affecting the cybersecurity defenses of many organizations. TechRepublic, August 20, 2020

How to think about cybersecurity in the era of COVID-19: Cyber incidents are consistently ranked at the top of business concerns, and it’s easy to see why: According to one estimate, the global cost of cybercrime will rise to $6 trillion a year by the end of 2021. MIT, August 20, 2020

Cybersecurity in the C-Suite & Board

Former Uber Security Chief Charged With Concealing Hack: Joe Sullivan, who led Uber’s security team through the company’s most tumultuous period, was fired by the company’s newly installed chief executive in 2017. New York Times, August 20, 2020

Cyber Warning

FBI, CISA Echo Warnings on ‘Vishing’ Threat: The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued a joint alert to warn about the growing threat from voice phishing or “vishing” attacks targeting companies. The advisory came less than 24 hours after KrebsOnSecurity published an in-depth look at a crime group offering a service that people can hire to steal VPN credentials and other sensitive data from employees working remotely during the Coronavirus pandemic. KrebsOnSecurity, August 21, 2020

Voice Phishers Targeting Corporate VPNs: The COVID-19 epidemic has brought a wave of email phishing attacks that try to trick work-at-home employees into giving away credentials needed to remotely access their employers’ networks. But one increasingly brazen group of crooks is taking your standard phishing attack to the next level, marketing a voice phishing service that uses a combination of one-on-one phone calls and custom phishing sites to steal VPN credentials from employees. KrebsOnSecurity, August 19, 2020

Cyber Talent

The cybersecurity skills shortage is getting worse: New research from ESG and ISSA illustrates a lack of advancement in bridging the cybersecurity skill shortage gap. CSO, August 21, 2020

Your Newest Cybersecurity Professional Is Already in Your Company: The cybersecurity talent gap is real. The 2019/2020 Official Annual Cybersecurity Jobs Report predicts that there will be 3.5 million security jobs left unfilled globally by 2021. The cybersecurity profession hit a 0% unemployment rate and the pay is good. So, why are security leaders struggling to fill positions? It could be because they are looking for the perfect candidate that doesn’t exist. Meanwhile, their newest security team member may already be working in their company. SecurityIntelligence, August 20, 2020

Cybersecurity in Society

Cyber Privacy

Consumer Privacy Concerns Vary With Location, Social Circumstances; Expectations of Privacy Do Not Necessarily Mirror Offline Models: A new study of privacy concerns from the University of Notre Dame upends the notion that traditional “reasonable expectation of privacy” models also apply to digital tracking and data collection. Respondents had nuanced views of how location data collection and data privacy should work in public spaces, views that run counter to traditional notions that privacy is very limited when in a public area. CPO, August 21, 2020

Cyber Crime

Ransomware Attacks on Travel Companies Spread, Sparking Complacency Fears: A spate of ransomware attacks on travel companies worries some security professionals, who believe the criminals are upping their games. Some criminal groups may be plowing part of the payouts they get from shakedowns into launching more sophisticated attacks. Skift, August 21, 2020

University of Utah pays $457,000 to ransomware gang … University officials restored from backups, but they had to pay the ransomware gang to prevent them from leaking student data: The University of Utah revealed today that it paid a ransomware gang $457,059 in order to avoid having hackers leak student information online. ZDNet, August 21, 2020

Ransomware Payday: Average Payments Jump to $178,000: Ransomware gangs continue to see bigger payoffs from their ransom-paying victims. BankInfoSecurity, August 20, 2020

Did Jack Daniels Thwart a Ransomware Attack or Not?: Jack Daniels says it successfully fended off the attack, but the REvil ransomware gang has put stolen data up for auction on the darknet. CoinTelegraph, August 20, 2020

Ransomware Attack on Carnival May Have Been Its Second Compromise This Year: Security vendor Prevailion says it observed signs of malicious activity on the cruise operator’s network between at least February and June. DarkReading, August 18, 2020

Cyber Defense

SEC issues proposals to bolster CAT cybersecurity … The SEC proposed amendments to the national market system plan governing the comprehensive database, in an effort to boost data security: In an effort to improve data security related to the consolidated audit trail, the SEC on Friday proposed amendments to the national market system plan governing the comprehensive database. Pensions&Investments, August 22, 2020

Google fixes major Gmail bug seven hours after exploit details go public … Attackers could have sent spoofed emails mimicking any Gmail or G Suite customer: Google patched on Wednesday a major security bug impacting the Gmail and G Suite email servers. August 20, 2020

Microsoft Put Off Fixing Zero Day for 2 Years: A security flaw in the way Microsoft Windows guards users against malicious files was actively exploited in malware attacks for two years before last week, when Microsoft finally issued a software update to correct the problem. KrebsOnSecurity, August 17, 2020

Know the Enemy

Honor Among Thieves: Dark Web Marketplaces Rise and Fall on Unspoken Digital “Pirate’s Code”: Even as they deal in stolen credit card numbers and illegal drugs, the patrons of dark web marketplaces expect these underground retail outlets to abide by certain general terms of fair play. New research from threat intelligence firm Digital Shadows indicates that these markets endure based largely on perceptions of honest dealing that are comparable to the standards expected from legitimate retail sites. CPO, August 20, 2020

Cyber Danger

NSA and FBI Expose Russian Previously Undisclosed Malware “Drovorub” in Cybersecurity Advisory: The National Security Agency (NSA) and the Federal Bureau of Investigation (FBI) released a new Cybersecurity Advisory about previously undisclosed Russian malware. NSA, August 13, 2020

Cyber Freedom

74 Days From the Presidential Election, Security Worries Mount: With pandemic measures continuing and political divisions deepening, security experts express concern about the security and integrity of the November election. DarkReading, August 21, 2020

Election Security: A Progress Report From CISA’s Krebs … Sizing Up Efforts at the State and Local Level to Enhance Protections: State and local governments are better equipped to ensure election security than they were four years ago, says Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency, who calls on election officials to serve as “risk managers.” BankInfoSecurity, August 18, 2020

Senate Final Report on 2016 Russian Election Hacking Details … Russian President Vladimir Putin ordered hack of Democratic National Committee’s computer networks to hurt Clinton, help Trump, and undermine the election process: The Senate Intelligence Committee Tuesday released its fifth and final report on Russia’s attempts to influence the 2016 election, providing more details on how Russian hackers resided on Democratic National Committee servers for months and citing shortcomings in the FBI’s investigation. GovInfoSecurity, August 18, 2018

US Intelligence Adds More Details on Election Interference: Russia, China, Iran Look to Influence 2020 Presidential Election. GovInfoSecurity, August 8, 2020
