Cybersecurity News of the Week, November 15, 2020

SecureTheVillage Calendar

Insurance Brokers Cybersecurity Roundtable: Case Study of a Breach: Helping Your Clients Prepare for the Inevitable. November 17 @ 2:00 pm – 3:00 pm PST

Financial Services Cybersecurity Roundtable: Identity Problems in Financial Services with Liam McCarty. November 20 @ 8:30 am – 10:00 am PST

Information Security Management Webinar: PCI DSS 4.0 with Scott Pierangelo. December 10 @ 10:00 am – 11:00 am PST

Insurance Brokers Cybersecurity Roundtable: What Your Clients Need to Know About Information Security Management with Dr. Stan Stahl, PHD. December 15 @ 2:00 pm – 3:00 pm PST

Individuals at Risk

Cyber Update

Patch Tuesday, November 2020 Edition: Adobe and Microsoft each issued a bevy of updates today to plug critical security holes in their software. Microsoft’s release includes fixes for 112 separate flaws, including one zero-day vulnerability that is already being exploited to attack Windows users. Microsoft also is taking flak for changing its security advisories and limiting the amount of information disclosed about each bug. KrebsOnSecurity, November 10, 2020

Cyber Humor

Information Security Management for the Organization

Information Security Management

Implement Cloud Security Best Practices With This Guide: As more employees opt for remote work, organizations rely on cloud computing options for easy access to corporate data and applications. This dependence on the cloud also puts a new emphasis on cloud security. SecurityIntelligence, November 12, 2020

Five tips for chief information security officers to increase their strategic value to the CEO and board of directors: The role of the chief information security officer – or CISO for short – is to understand a corporation’s cyber threat landscape and know where vulnerabilities lie. And given the relentless increase in sophisticated hacking, their clout and importance to the CEO and Board is increasing exponentially. Given COVID-19, as millions of American white-collar workers have moved from the office to their home to work remotely and stay in touch with colleagues solely online, it has been CISOs who have been charged with making sure this eruption of new endpoints isn’t compromising corporate network security. Security Magazine, November 12, 2020

5 cybersecurity trends we spotted in 2020: One thing’s for sure — it’s not been an easy year for cybersecurity professionals. TechHQ, November 12, 2020

How to recover from your next data breach: There is an ebb and flow to cybersecurity. Black Hats find a vulnerability, White Hats find a patch, and businesses are left in the middle in a constant state of risk. Ara Aslanian, CEO reevert, SecureTheVillage Leadership Council, SecurityMagazine, November 10, 2020

Cyber Warning

‘Pay2Key’ Could Become Next Big Ransomware Threat: Researchers from Check Point say an Iranian-based threat actor that has successfully attacked multiple Israeli companies could soon go global. DarkReading, November 13, 2020

Manufacturing is becoming a major target for ransomware attacks … A combination of the critical nature of manufacturing plants & security vulnerabilities mean hackers are eyeing up easy pay days – & attacks are on the rise: Ransomware has become a major threat to the manufacturing industry as cyber-criminal groups increasingly take an interest in targeting the industrial control systems (ICS) that manage operations. ZDNet, November 13, 2020

Data-Exfiltrating Ransomware Gangs Pedal False Promises … Thieves Not Honoring ‘Pay Us to Delete Stolen Data’ Guarantees, Investigators Warn: Victims of crypto-locking malware who pay a ransom to their attackers are paying, on average, more than ever before. But ransomware incident response firm Coveware reports that when victims pay for a guarantee that data stolen during an attack – before systems got encrypted – will get deleted, they’re often paying for false promises. BankInfoSecurity, November 6, 2020

Cyber Law

Cyber Consulting Firms Get Tied Up in Post-Breach Lawsuits: Cybersecurity consultants could be on the hook for data breaches at companies they contract with after two recent court rulings in consumer class actions. BloombergLaw, November 10, 2020

Cybersecurity in Society

Cyber Crime

Cybercrime To Cost The World $10.5 Trillion Annually By 2025 … Cybersecurity Ventures predicts global cybercrime costs will grow by 15 percent per year over the next five years: This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, is exponentially larger than the damage inflicted from natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined. PR Newswire, November 13, 2020

Italian drinks maker Campari hit by Ragnar Locker ransomware attack: Operations at Italian drinks maker Davide Campari-Milano S.p.A., best known simply as Campari, were knocked offline last week following a ransomware attack. SiliconAngle, November 8, 2020

Cyber Privacy

Interactive Advertising Bureau (IAB) CCPA Benchmark Survey: The California Consumer Privacy Act (the “CCPA”) is a complicated law, prompting multiple interpretations that have evolved over time. This holds especially true for the digital advertising industry, where the combination of complex data flows and numerous participants has understandably resulted in differing legal views and approaches to CCPA compliance since the law’s effective date. IAB, November 12,

CCPA 2.0? California Adopts Sweeping New Data Privacy Protections: On November 3, 2020, California voters approved California Proposition 24, also known as the California Privacy Rights Act of 2020, or CPRA. The CPRA expands protections afforded to personal information, building off of the California Consumer Privacy Act (CCPA), which took effect in January of this year. While some of the CPRA changes will take effect immediately, most will not become enforceable until July 1, 2023, and apply only to personal information collected after January 1, 2022. Crowell Moring, November 9, 2020

Know Your Enemy

Darkside Ransomware Gang Launches Affiliate Program … Darkside is the latest ransomware gang to announce that it’s launched an affiliate program as part of its bid to maximize revenue: Using Affiliates Enables Crowdsourced Profits But Leaves Operators More Exposed. BankInfoSecurity, November 12, 2020

The Evolution Of The Ransomware Economy: The ransomware business is booming. High returns are motivating more cybercriminals to explore this lucrative economy, including testing new approaches that may yield higher or more consistent payouts. Forbes, November 10, 2020

Ransomware Group Turns to Facebook Ads — Krebs on Security … “They’ve also started to call victims. They’re outsourcing to Indian call centers, who call victims asking when they are going to pay or have their data leaked.”: It’s bad enough that many ransomware gangs now have blogs where they publish data stolen from companies that refuse to make an extortion payment. Now, one crime group has started using hacked Facebook accounts to run ads publicly pressuring their ransomware victims into paying up. KrebsOnSecurity, November 10, 2020

Cyber Freedom

Shakeup at Cybersecurity Agency That Denied Trump Election Claims … Breaking w Trump, the Cybersecurity and Infrastructure Security Agency has found no evidence of election fraud. Now, a pair of key officials may have been forced out: Bryan Ware, a top official within the Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security, abruptly resigned today. Decrypt, November 12, 2020

“The November 3rd election was the most secure in American history” says Elections Infrastructure Government Coordinating Council & the Election Infrastructure Sector Coordinating Executive Committee: WASHINGTON – The members of Election Infrastructure Government Coordinating Council (GCC) Executive Committee – Cybersecurity and Infrastructure Security Agency (CISA) Assistant Director Bob Kolasky, U.S. Election Assistance Commission Chair Benjamin Hovland, National Association of Secretaries of State (NASS) President Maggie Toulouse Oliver, National Association of State Election Directors (NASED) President Lori Augino, and Escambia County (Florida) Supervisor of Elections David Stafford – and the members of the Election Infrastructure Sector Coordinating Council (SCC) – Chair Brian Hancock (Unisyn Voting Solutions), Vice Chair Sam Derheimer (Hart InterCivic), Chris Wlaschin (Election Systems & Software), Ericka Haas (Electronic Registration Information Center), and Maria Bianchi (Democracy Works) – released the following statement: CISA, November 12, 2020

Election Security: When to Worry, When to Not, and the Takeaway from Antrim County, Michigan: Everyone wants an election that is secure and reliable. With technology in the mix, making sure that the technology supports this is critical. EFF has long warned against blindly adopting technologies that can be easily manipulated or fail without having systems in place to test, secure, and catch problems, including through risk limiting audits. At the same time, not every problem is worth pulling the fire alarm about—we have to look at the bigger story and context. And we have to stand down when our worst fears turn out to be unfounded. EFF, November 10, 2020

National Cybersecurity

Delayed transition creates IT, cybersecurity risks for Biden team: Transition experts and former homeland security officials are warning of the potential IT risks associated with a delayed presidential transition, including insecure communication channels and increased cybersecurity vulnerabilities. FedScoop, November 13, 2020

Starting Dec. 1, Cybersecurity Is No Longer Optional as DoD begins requiring CMMC certification for contractors: “This is the start of a new day in the Department of Defense where cybersecurity, as we’ve been saying for years is foundational for acquisitions, we’re putting our money where our mouth is. We mean it,” Katie Arrington says. BreakingDefense, November 12, 2020

Biden’s Cybersecurity Mission: Regain Momentum: Experts Say Cybersecurity Will Be a Higher Priority. BankInfoSecurity, November 11, 2020

Cyber Fine

Ticketmaster Scores Hefty Fine Over 2018 Data Breach: The events giant faces a GDPR-related penalty in the U.K., and more could follow. ThreatPost, November 13, 2020


Americans Were Primed To Believe The Current Onslaught Of Disinformation: It started with a drizzle but quickly turned into a downpour: Disinformation about the election, and in particular unfounded claims of election fraud, has flooded the internet over the past week. And Americans were primed to believe it. FiveThirtyEight, November 12, 2020

Tracking Viral Misinformation About the 2020 Election: Every day, Times reporters will chronicle and debunk false and misleading information that is going viral online. The New York Times, November 12, 2020

Cyber Talent

Cybersecurity careers: Which one is right for you?: Looking for vulnerabilities, securing systems or dismantling them, these are all viable career paths in the cybersecurity industry. Could one of them be right for you? WeLiveSecurity, November 13, 2020

(ISC)2 study identifies global workforce gap of around 3.1 million professionals. Employment needs to grow by around 41% in the US & 89% worldwide to fill talent gap. Shortage falls as COVID-19 has resulted in security team downsizing: The huge global shortfall in cybersecurity professionals has dropped for the first time since records began, thanks to more joining the industry and pandemic-related uncertainties on the demand side, according to (ISC)2. InfoSecurity, November 12, 2020

Cybersecurity industry in Detroit is growing and mentors are starting with young people: With Detroit’s cybersecurity industry constantly growing and changing, many are finding the need to teach students about the field while they’re young. Detroit Free Press, November 12, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge