Cybersecurity News of the Week, January 3, 2021

SecureTheVillage Calendar

Dr. Steve Krantz Webinar: Personal Cybersecurity January 12, 2021 @ 1:00 pm – 3:00 pm PST

Caltech/Fullstack Cyber Bootcamp Virtual/Online Hiring Day. January 12, 2021 @ 2:00 pm – 4:30 pm PST

Dr. Steve Krantz Webinar: Become A CyberGuardian January 14, 2021 @ 12:30 pm – 2:00 pm PST

Information Security Management Webinar: Ask the Lawyer: Updates on the Evolving Security and Privacy Legal Landscape with Jordan Fischer. January 14, 2021 @ 10:00 am – 11:00 am PST

Financial Services Cybersecurity Roundtable: Protecting Yourself and Your Business Against the Latest Cyber Threats with Mark Rhodes-Ousley. January 22, 2021 @ 8:30 am – 10:00 am PST

Digital Directors Network: Global Case Studies In Innovation Governance: An Australian And US Perspective January 27, 2021 @ 4:00 pm – 5:15 pm PST

Dr. Steve Krantz Webinar: Doing It … Online. February 9, 2021 @ 2:30 pm PST

Individuals at Risk

Cyber Defense

5 things you need to do to stop yourself getting hacked in 2021: You are your own biggest weakness. Changing just a few of your behaviours can reduce the chances of your online accounts being hacked. Wired, January 2, 2021

Adobe Flash is Dead: Here’s What That Means: Support for Adobe Flash officially ended on December 31, 2020, effectively killing off the platform. The now-discontinued web plugin will be remembered for its golden era of animated internet memes and the endless security problems that eventually led to its demise. HowToGeek, January 1, 2021

Would you take the bait? Take our phishing quiz to find out!: Is the message real or fake? Take our Phishing Derby quiz to find out how much you know about phishing. WeLiveSecurity, December 31, 2020

Cyber Update

Millions of users still haven’t updated from Windows 7: If reports are to be believed, several million Windows 7 users haven’t upgraded their machines to a newer version, even after almost a year since Microsoft retired the decade-old operating system. TechRadar, January 1, 2021

Cyber Warning

New warning issued over COVID‑19 vaccine fraud, cyberattacks: Cybercriminals look to cash in on the vaccine rollout, including by falsely offering to help people jump the line. WeLiveSecurity, December 31, 2020

Does a friend “need money urgently”? Check your facts before paying out…: Last week, we warned of a Facebook Messenger scam that used a bogus video to lure you onto a phoney Facebook login page. NakedSecurity, December 22, 2020

Cyber Humor

Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

It’s A Twister! Will SolarWinds Blow Cybersecurity Governance Reform Into The Boardroom?: The SolarWinds breach is getting uglier — systemically ugly. The breadth and impact of the SolarWinds breach is described as the most severe cyber-attack in history. Forbes, December 19, 2020

Information Security Management

10 Benefits of Running Cybersecurity Exercises: There may be no better way to ascertain your organization’s strengths and weaknesses than by running regular security drills. DarkReading, December 28, 2020

‘Tis the Season for Nonprofit Cybersecurity Risks to Reach New Heights: The period between Christmas and New Year’s Day has long been the time people give to charities the most, making the charities themselves attractive targets for cyber criminals. Because the events of 2020 will likely boost existing trends, nonprofit cybersecurity challenges may be greater than ever this year — even as groups find themselves with fewer resources to devote to cutting down on this risk. SecurityIntelligence, December 26, 2020

Cyber Warning

Ransomware attackers now have their sights set on the biggest prize: The business of ransomware is changing and the next targets are going to be wealthy organisations that will pay to save their reputations. Wired, January 2, 2021

Cybersecurity in Society

Cyber Crime

Ransomware Is Headed Down a Dire Path: 2020 was a great year for ransomware gangs. For hospitals, schools, municipal governments, and everyone else, it’s going to get worse before it gets better. Wired, December 29, 2020

2020 had its share of memorable hacks and breaches. Here are the top 10: The past 12 months teaches us that, yes, attacks do only get better. ars technica, December 28, 2020

“Evil mobile emulator farms” used to steal millions from US and EU banks: Scale of operation is unlike anything researchers had seen before. ars technica, December 17, 2020

Cyber Privacy

BREAKING NEWS: Federal Court Grants Preliminary Approval of First CCPA Settlement: In November the high-end children’s clothing retailer Hanna Andersson agreed to pay $400,000 and implement new security measures as part of a class action settlement arising from litigation brought in the wake of a widespread data breach. The National Law Review, December 30, 2020

National Cybersecurity – SolarWinds

As Understanding of Russian Hacking Grows, So Does Alarm: Those behind the widespread intrusion into government and corporate networks exploited seams in U.S. defenses and gave away nothing to American monitoring of their systems. The New York Times, January 2, 2021

SolarWinds hackers accessed Microsoft source code, the company says: WASHINGTON (Reuters) - The hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code, Microsoft said on Thursday, something experts said sent a worrying signal about the spies’ ambition. Reuters, December 31, 2020

What we must do to prevent the next SolarWinds hack: While the U.S. government and the private sector determine the breadth and depth of the SolarWinds event, we already can glean important lessons and identify immediate cybersecurity priorities for our nation. Three themes that have emerged are: How do we prepare for unexpected, low-probability, high-risk events? How should the framework for public/private collaboration evolve? And, what type of cyber attack warrants a response? TheHill, December 30, 2020

Russia’s SolarWinds Attack: Recent news articles have all been talking about the massive Russian cyberattack against the United States, but that’s wrong on two accounts. It wasn’t a cyberattack in international relations terms, it was espionage. And the victim wasn’t just the US, it was the entire world. But it was massive, and it is dangerous. Schneier on Security, December 28, 2020

The SolarWinds Wake-Up Call: The recently discovered SolarWinds hack holds obvious lessons for governments around the world, particularly after a year in which cyber attacks on critical infrastructure have surged. International action is urgently needed, not to write new treaties or codes of conduct, but to enforce existing norms. ProjectSyndicate, December 16, 2020

National Cybersecurity

How Can the U.S. Rebuild After Shocking Series of Cyber Breaches: President-Elect Joe Biden’s incoming national security adviser Jake Sullivan told NPR this week that the Defense Department hasn’t granted a meeting to the Biden transition team since Dec. 18. That – Sullivan tells NPR – is complicating the incoming administration’s ability to be read in on the current administration’s response to what experts are describing as one of the most damaging cyberattacks in U.S. history. The Cipher Brief, December 31, 2020

The Russians Have Issued a Wake Up Call: Weeks after a massive cyber breach of U.S. government agencies and private sector companies was publicly announced, there is still not a clear response from the administration on who is responsible and what will be done about it. The Cipher Brief, December 31, 2020

Rethinking Our View of System Security: We have the best cyberdefenders in the world. So let’s give them a world-class “cyber defense” to match. As we watch the latest fallout from the recent SolarWinds attack with Team USA up against Team Nation-State, it occurred to me that we may need to modify our defensive strategy a bit, and more important, give Team USA a full defensive unit for a change. Ron Ross, NIST, LinkedIn, December 28, 2020

The Adversaries Live in the Cracks: Why Systems Security Engineering Matters. … if you really want to know why the cyber-attackers always seem to have the advantage in the current environment of highly complex systems and unbridled connectivity, the answer is staring us right in the face and it is very simple—the bad guys are using systems security engineering to “attack” our systems more than we are using systems security engineering to “protect” our systems. Ron Ross, NIST, LinkedIn, December 19, 2020

Reimagining our Domestic Cyber Defense Posture: OPINION — The SolarWinds breach, targeting several government agencies and private sector entities, was a stunning feat carried out by a nation-state actor purported to be associated with Russia’s SVR intelligence service. We still don’t yet understand the scope of the operation or the extent of the damage wrought by the perpetrators. Some describe this event as a failure of U.S. cyber strategy, and many are calling for change. At this stage of our understanding, most experts agree that it was a highly sophisticated, highly disciplined act of espionage. Such a dangerous and costly operation warrants a strong response now, as well as a fundamental redesign of our domestic cyber defensive posture. In the words of Cipher Brief Expert General Stanley McChrystal, “it takes a network to defeat a network.” The Cipher Brief, December 23, 2020

Four key challenges for cybersecurity leaders: … In business and society today, we are too often focused on bolting on cybersecurity in a hyphenated manner. We want “security-enabled” this, “security-enhanced” that. But cybersecurity cannot be an add-on. Rather it must be built into every product and system from the moment it is conceived. To achieve such integration, we need to address four fundamental leadership challenges. World Economic Forum, January 13, 2020

Cyber Misc

The Cybersecurity Stories We Were Jealous of in 2020: These are the best stories on hacking, information security, privacy, and surveillance from this year that we wish we had reported and written ourselves. Vice, December 21, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.
