This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Top of the News
For every 1,000 cybersecurity jobs across, 300 are unstaffed. With a total of more than 600,000 cybersecurity job openings, we are at a distinct disadvantage in cybercrime. It’s like fighting a forest fire with too little water, too few helicopters, and too few firefighters. These unfilled cybersecurity jobs also make perfect careers for people in under-served communities, both in our cities and in rural America. This makes filling these positions a win-win-win-win for America. To address these challenges, the Biden – Harris administration this week rolled out its National Cyber Workforce and Education Strategy (NCWES), a first-of-its-kind comprehensive approach aimed at addressing both immediate and long-term cyber workforce needs.
- FACT SHEET: Biden-Harris Administration Announces National Cyber Workforce and Education Strategy, Unleashing America’s Cyber Talent: Today, the Biden-Harris Administration unveiled the National Cyber Workforce and Education Strategy (NCWES), a first-of-its-kind comprehensive approach aimed at addressing both immediate and long-term cyber workforce needs. Filling the hundreds of thousands of cyber job vacancies across our nation is a national security imperative and the Administration is making generational investments to prepare our country to lead in the digital economy. The NCWES is positioned to empower every American seeking to participate in our digital ecosystem and underscores the critical need to fill a vast number of vacant cyber jobs.
The workforce strategy is important but its implementation will take time. This makes it imperative for our smaller organizations and our village residents to remain personally vigilant. So let’s give kudos to the Administration while staying focused and alert to attacks.
New. Family Protection Newsletter: Did you know we created the Family Protection Newsletter, for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription!
How Hackable Are You? Take our test. Find out how hackable you are and download our free 8-step guide.
- How Hackable Are You? Think your defenses are strong. Find out as SecureTheVillage tests you on five basics. Please take our short quiz as your answers will help you and guide us to improve community safety.
Upcoming events. Please join us.
- Cybersecurity Threat Briefing – Meeting Today’s Cyber Crime Challenges, with Special Guest Speaker SSA Michael Sohn, FBI. Co-hosted with Department Financial Protection & Innovation. Friday, August 18, 8:30 am – 10:00 am PT
- Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, September 5, 1:00 pm – 2:00 pm PT.
Cyber Humor
Cybersecurity Nonprofit of the Week … National Cybersecurity Alliance,
Kudos this week to the National Cybersecurity Alliance, a non-profit organization on a mission to create a more secure, interconnected world. The Alliance is an advocate for the safe use of technology, educating everyone on how we can protect ourselves, our families, and our organizations from cybercrime. They create strong partnerships between governments and corporations to amplify their message and to foster a greater “digital” good, encouraging everyone to do their part to prevent digital wrongdoing of any kind. As they say, the real solution to cybercrime isn’t technology, it’s all of us doing our part. Like SecureTheVillage, the National Cybersecurity Alliance is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform
IBM’s Cost of a Data Breach Report – Penny Wise & Pound Foolish: (Video) (Podcast): IBM’s eye-opening Annual Cost of a Data Breach Report reveals a disturbing trend. Companies often choose to burden their customers with the financial fallout of cybercrime, rather than bolstering their cybersecurity. As #cybercriminals leverage #AI to heighten their attacks and laws increasingly mandate #cybersecurity controls, the risk of ignoring these digital defenses is spiraling.
In this episode of Live on Cyber with Stan Stahl, PhD and Julie Michelle Morris, we’re shedding light on this appalling strategy, Number 1 in our list of the Top 3 Egregious Findings in IBM’s annual report. As always, Stan and Julie provide actionable tips and thoughtful wisdom in a fun conversation on the complexities of cybersecurity and privacy.
Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
Cyber scams targeted at unsophisticated baby-boomers are out of control. Please warn the people you know to be careful out there.
- Crypto scheme bilks Eden Prairie couple out of $9 million in unprecedented Minnesota fraud case: Police say the 21 transactions the man believed would yield big returns went from routinely topping $100,000 to $2.1 million in a single transaction.
Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.
Congratulations to the Electronic Frony=tier Foundation and the many others who created and managed the transition to embed basic privacy onto the Internet’s core.
- Celebrating Ten Years of Encrypting the Web with Let’s Encrypt: Ten years ago, the web was a very different place. Most websites didn’t use HTTPS to protect your data. As a result, snoops could read emails or even take over accounts by stealing cookies. But a group of determined researchers and technologists from EFF and the University of Michigan were dreaming of a better world: one where every web page you visited was protected from spying and interference. Meanwhile, another group at Mozilla was working on the same dream. Those dreams led to the creation of Let’s Encrypt and tools like EFF’s Certbot, which simplify protecting websites and make browsing the web safer for everyone.
These next two stories demonstrate our twin cybersecurity challenges. (1) Guiding users to practice secure behaviors. (2) Securely managing our complex technology infrastructure.
- Why computer security guidelines are so unclear: “When there’s a computer security incident, we shouldn’t blame an employee because they didn’t comply with one of a thousand security rules we expected them to follow,” says Brad Reaves. A new study highlights a key problem with computer security guidelines and outlines ways to improve them.
- Microsoft comes under blistering criticism for “grossly irresponsible” security: Azure looks like a house of cards collapsing under the weight of exploits and vulnerabilities. … Microsoft has once again come under blistering criticism for the security practices of Azure and its other cloud offerings, with the CEO of security firm Tenable saying Microsoft is “grossly irresponsible” and mired in a “culture of toxic obfuscation.” … The comments from Amit Yoran, chairman and CEO of Tenable, come six days after Sen. Ron Wyden (D-Ore.) blasted Microsoft for what he said were “negligent cybersecurity practices” that enabled hackers backed by the Chinese government to steal hundreds of thousands of emails from cloud customers, including officials in the US Departments of State and Commerce. Microsoft has yet to provide key details about the mysterious breach, which involved the hackers obtaining an extraordinarily powerful encryption key granting access to a variety of its other cloud services. The company has taken pains ever since to obscure its infrastructure’s role in the mass breach.
North Korea’s cybercrime program has got the attention of the Senate. This follows our story last week of the unexpected op-ed co-authored by Senators Graham and Warren.
- Crypto Heists Funneling Billions to North Korea’s Nuclear Program Attract Senate Scrutiny: Democratic lawmakers, warning of national security threat, press Biden to disclose efforts to crack down on Pyongyang. … Three Democratic senators are pressing the Biden administration to disclose more information about its efforts to counteract North Korea’s dependence on stolen cryptocurrency to fund its nuclear program, calling Pyongyang’s growing reliance on digital assets to evade sanctions a severe national security threat.
AI continues to make cybercrime easier while a story in The New York Times provide another illustration of how hard it is proving to be to put guardrails on these systems.
- WormGPT, FraudGPT Are Just the ‘Tip of the Iceberg,’ Warn Security Experts: It’s already challenging enough to call ChatGPT, Bard, and other AI chatbots “good,” but to make matters more complicated, they already have their own evil twins. Security researchers shared last month that WormGPT and FraudGPT were beginning to automate cybercrime by allowing bad actors to generate custom scam emails on a whim. While each chatbot presents its own safety implications, experts warn that WormGPT and FraudGPT are just “the tip of the iceberg,” with malicious AI applications rapidly finding a home in the dark web.
- Researchers Poke Holes in Safety Controls of ChatGPT and Other Chatbots: A new report indicates that the guardrails for widely used chatbots can be thwarted, leading to an increasingly unpredictable environment for the technology. … When artificial intelligence companies build online chatbots, like ChatGPT, Claude and Google Bard, they spend months adding guardrails that are supposed to prevent their systems from generating hate speech, disinformation and other toxic material. … Now there is a way to easily poke holes in those safety systems.
The cyber-insurance industry continues to be challenged by lack of actionable data.
- Cyber-Insurance Underwriting Is Still Stuck in the Dark Ages: Insurance underwriters are storied for their analytical and extremely methodical use of data to measure risk and write policies accordingly. This works well in insurance markets such as car or home insurance, for which actuarial tables exist based on risk data that goes back for decades or longer. … But when an insurance company seeks to cover a fast-changing risk environment for which very little long-standing data exists, a lot of that actuarial science becomes more like a guessing game. … This is where we’re at with cyber-insurance underwriting today.
On the privacy front, California to review the collection and use of data from our cars.
- California Opens Privacy Probe Into Who Controls, Shares the Data Your Car Is Collecting Data can be used by insurance companies, city planners or by brokers offering it for sale: California’s new privacy regulator said Monday it is embarking on its first-ever enforcement action: a review of the privacy practices of connected automobiles. … The California Privacy Protection Agency—created under a ballot initiative in 2020 and the only regulator in the nation solely dedicated to privacy issues—will examine the growing amalgamation of data collected by smart vehicles and whether the business practices of the companies collecting that data comply with state law. … Modern vehicles are effectively connected computers on wheels. They’re able to collect a wealth of information via built in apps, sensors, and cameras, which can monitor people both inside and near the vehicle,” Ashkan Soltani, the agency’s executive director, said in a statement. … U.S. regulators’ scrutiny of the data lags behind such efforts in Europe, which has forced automakers to update software to limit the collection and protect the privacy of consumers. … Automobiles represent the latest frontier for regulators, raising fresh questions about who will control the data generated by vehicles as they move through the world. Numerous companies are in a position to access the data—including the automakers themselves, companies that make or run in-car navigation or infotainment systems, satellite radio companies and in-vehicle security and emergency services providers. Insurance companies have also been encouraging consumers to share information about their driving behavior, sometimes in exchange for a discount.
This Week in Cybercrime: Continued fallout from the MOVEit vulnerability.
- Health data of 1.7 million Oregon residents accessed by MOVEit hackers: Hackers behind the mass-exploitation of a vulnerability in the popular corporate file transfer tool MOVEit Transfer have accessed the protected health information of 1.7 million Oregon citizens. … PH Tech said that hackers accessed patients’ personal and protected health information, including names, dates of birth, Social Security numbers, email and postal addresses, member and plan ID numbers. The hackers also accessed sensitive health information, including insurance authorizations, diagnosis and procedure codes, and claims information.
- MOVEit Data Breach Hits US Government Contractor, Exposes Health Data of 8 to 11 Million People: The damage tally from the massive MOVEit data breach continues to go up, as a US government contractor is reporting that 8 to 11 million records of health data have been exposed. … The breach is with a company called Maximus, a contractor that administers aspects of Medicaid and Medicare as well as numerous other government programs. The
- Cyberattack causes multiple hospitals to shut emergency rooms and divert ambulances: Cybercriminals attacked the computer systems of a California-based health care provider causing emergency rooms in multiple states to close and ambulance services to be redirected. … The ransomware attack happened at Prospect Medical Holdings of Los Angeles, which has hospitals and clinics in Connecticut, Pennsylvania, Rhode Island and Texas. Prospect Medical is investigating how the breach happened and is working on resolving the issue, the company said in a statement Friday.
- Marine industry giant Brunswick Corporation lost $85 million in cyberattack, CEO confirms: A June cybersecurity incident will cost the Brunswick Corporation as much as $85 million, the company’s CEO told investors last week.
- Global ransomware attacks at an all-time high and the US is the primary target: More than 43 percent of reported incidents happened in the United States. Global ransomware attacks are on the rise, according to a report issued by Malwarebytes. The study shows a massive surge from July 2022 to June 2023, with the United States bearing the brunt of these attacks. The organization noted that of the 1,900 reported ransomware attacks collected, over 43 percent originate in the U.S, an increase of 75 percent from last year’s findings.
Section 4 – Managing Information Security and Privacy in Your Organization.
Two stories on managing the CISO relationship and a third story on protecting the network. Patch and update now.
- CISOs Need Backing to Take Charge of Security: Unless the CEO and other C-suite executives defer to the CISO’s decisions on cybersecurity, is the CISO really running things? … According to a recent report, only five of the Fortune 100 companies count their heads of security when listing top management. … The CISO role and its relationship to clout and influence have always been a dance with the corporate old guard. Does the CISO truly have the authority to stop a line-of-business executive from doing something risky? And if the CISO tries, will the CISO get backing from the CEO and others? … A recent LinkedIn discussion initiated by Derek Andrews, director of cybersecurity operations and incident response for a large nonprofit who he said he would rather not identify, encapsulated the fears quite well. … “The CISO role isn’t really the chief of anything other than being the person to take the fall when the time is right,” Andrews wrote. “CISOs aren’t in the CEO inner circle. They’re like the fourth ring out. That means that the security sell has to go through three others before it gets real organizational approval and, by that time, it’s watered down to doing more phishing training.” … Andrews then raised a critical question: Why do enterprises allow every business unit to decide on their own if something is overly risky, rather than the CISO?
- How CISOs can engage the C-suite and Board to manage and address cyber risk: The modern Chief Information Security Officer (CISO) has a difficult job. Amidst the myriad of malicious cyber threats attempting to infiltrate their organization, CISOs must also effectively navigate other murky waters: Engaging their C-suite and governing counterparts on matters of cybersecurity. It’s a tall task for which decades of technical training and programmatic cyber expertise alone are insufficient preparation.
- CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vulnerabilities in 2022: In 2022, malicious cyber actors continued exploiting known software vulnerabilities to target unpatched systems and applications, including some vulnerabilities that have been known for more than five years, according to a newly released joint Cybersecurity Advisory (CSA) from U.S. and foreign partner intelligence agencies.
