Cybersecurity News of the Week, July 21, 2024

This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.

Stan’s Corner

As if to ironically underscore my discussion about the Crowdstrike outage below, my Internet was out all day and my backup – my iPhone’s Personal Hotspot – didn’t work either. That’s why this is nearly 7 hours late. As I write below, “bad things will happen.”

It hit like a 7.2 earthquake. Flights cancelled. ATMs not working. TV stations knocked off the air. A 7.2 cyber-quake caused by a flawed software update from cybersecurity firm Crowdstrike plunged the world into chaos.

Two truths emerge even before we get the systems back up and running.

The first truth is that in today’s hyper-connected world, bad things will happen. They’re as inevitable as tornados and hurricanes. If disruptions are going to happen, then prudence dictates that we be prepared to minimize the disruption, eradicate the problem, and quickly return to “business as usual.”

This truth is not just for big-picture 7.2 cyber-quakes. It’s a lesson as well for the small businesses and nonprofits that are at risk from the thousands of smaller cyber-quakes that roil the cyber-world every day. Ransomware. Online bank fraud. Malware. Data breaches. With fewer resources and often living month-to-month, smaller organizations too need to learn to manage disruptions.

Our big national and international systems … the algorithms that run our airlines, our banks, communications, energy, media etc … are so big and so complex that risk has become what engineers call systemic. Imagine a structure made of Legos that’s so fragile that the whole structure falls down if you remove any one piece. Whether it’s a “small Lego” running a small business or a “global Lego” used by companies all over the world, it’s fragile. And when it breaks, whatever we were doing is disrupted. This is the situation we find ourselves in.

And this gets us to the second truth. We need a top-to-bottom attitude change in the way we develop and deploy our algorithms. A little event – engineers who released a flawed software update – caused a world-wide 7.2 cyber-quake. We can do better. And we must. This is the essence of “Secure by Design” and “Privacy by default,” two initiatives of the Biden-Harris Administration.

We’ve known how to do better for more than 40 years. Working in the aerospace industry in the 1980s I was part of a software engineering team responsible for making sure there were no critical mistakes in the algorithms the President would use if he needed to launch our nuclear missiles. The fact that we’ve never had a nuclear missile go off by accident is a testament to the quality of our work.

There are two challenges to building this level of quality into our algorithms. The first is money: 20% of the cost to be 100% sure that those nuclear missile algorithms were safe went into the work my team was doing. As we saw in the recent ProPublica stories about Microsoft’s decision not to fix a hyper-critical security defect, companies are loath to spend money on security because security isn’t the path to profits … just like automobile companies before the 1960s were loath to spend money on safety. It’s hard to imagine that, in the absence of regulations, companies are going to willingly forego profits to provide improved security and reliability. Maybe when pigs fly.

The second challenge to building this level of quality into our algorithms is attitude. Only to the extent that quality is embedded into the culture can we have an expectation that i’s are dotted and t’s crossed. As the Boeing quality scandal demonstrates, quality regulations mean nothing if quality isn’t baked into the DNA of the organization. Paraphrasing the great management leader Peter Drucker: “Culture eats regulations for breakfast.”

This weekend is the 55th anniversary of the Moon landing. We’re past due for a cybersecurity and reliability moon-shot: a regulatory and cultural shift towards doing much better at preventing disruptions and minimizing their effects when they inevitably occur. At some point a tipping point may come and the national mood and political energy will coalesce. The question is the cost in toil and treasure before we take action.

Smaller businesses and nonprofits don’t have to wait for the national mood to change. They can launch their own moonshot. It’s more about leadership and culture than dollars and cents. SecureTheVillage is here to help.

From SecureTheVillage

  • Smaller business? Nonprofit? Take your security to the next level. Apply Now! If you’re a small business or nonprofit in the greater Los Angeles area, apply NOW for LA Cybersecure. Protect your organization with our innovative team-based learn-by-doing program with coaching and guidance that costs less than two cups of coffee a week.
  • IT Service Provider / MSP? Take your client’s security to the next level. Apply Now!  If you’re an IT service provider in the greater Los Angeles area, apply NOW for LA Cybersecure. With our innovative team-based learn-by-doing program, you’ll have both that “seat at the table” and the peace of mind that you’re providing your clients with the IT security management they need.
  • The LA Cybersecure Program is funded in part by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program.
  • Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription! 
  • How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basic controls and download our free updated 13-step guide.
  • Please Support SecureTheVillage: We need your help if we’re to build a world of CyberGuardians™. Please donate to SecureTheVillage. Thank you. It takes a village to secure the village.™

Cybersecurity Nonprofit of the Week … Sightline Security

Our kudos this week to Sightline Security, a nonprofit that helps nonprofits secure and protect their critical information. Sightline’s mission is to equip, empower, and support nonprofits to navigate and embed cybersecurity into their organizations with confidence. Kudos to Sightline Security for their cyber support to the vital under-served nonprofit community. Sightline Security is playing a major role in our LA Cybersecurity Program. Like SecureTheVillage, Sightline Security is a fellow-member of Nonprofit Cyber.

Cyber Humor

Section 2: Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.

Always be suspicious. Always be vigilant.

  • This Airline Scam Is All Over Google Right Now. Here’s How to Protect Yourself: A cancelled or delayed flight can create chaos, leading travelers to frantically try and get a hold of their airline to update their flight. But what happens if the airline representative you think you’re talking to is a scammer?
  • Change Healthcare cyberhack fallout ripples to consumers: The Change Healthcare cyberattack shook U.S. health care to its core for months and exposed major cyber vulnerabilities. But the likely ripple effects on individuals are only now becoming apparent. … Why it matters: As many as 1 in 3 Americans may have had personal information compromised, some of which is purportedly being trafficked on the dark web — and is expected to enable identity theft, as well as tax, insurance and mortgage fraud. … And experts say the people with the most at stake aren’t aware they’re at risk.

Let’s remind people to freeze their credit.

Section 3: Cybersecurity and Privacy News for the Cyber-Concerned.

Here are the latest chapters in ongoing stories we’ve been covering.

  • Change Healthcare Ransomware Attack Cost Predicted to Rise to at Least $2.3B in 2024: UnitedHealth Group (UHG) has provided an update on the cost of its response to the February 2024 ransomware attack on Change Healthcare. The total cost of the response is now predicted to be between $2.3 billion and $2.45 billion this year, more than $1 billion more than previously reported. UHG has already paid almost $2 billion dealing with the response to the ransomware attack, which caused massive disruption to providers across the country due to prolonged outages.
  • SolarWinds Defeats Part of SEC’s Fraud Case Over Hack: Federal judge dismisses some claims against software company relating to breach disclosures. … A federal judge on Thursday dismissed part of a landmark government lawsuit against SolarWinds and its top cybersecurity executive over how the software company dealt with a breach disclosed in 2020 that affected customers, including U.S. government agencies. 

This week in cybercrime.

Section 4: Managing Information Security and Privacy in the Organization.

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge