Cybersecurity News of the Week, November 29, 2020

SecureTheVillage Calendar

Information Security Management Webinar: PCI DSS 4.0 with Scott Pierangelo. December 10 @ 10:00 am – 11:00 am PST

Invitational Cybersecurity Workforce Workshop — Linking Supply & Demand December 15 @ 10:00 am – 12:00 pm PST

Insurance Brokers Cybersecurity Roundtable: What Your Clients Need to Know About Information Security Management with Dr. Stan Stahl, PHD. December 15 @ 2:00 pm – 3:00 pm PST

Financial Services Cybersecurity Roundtable: December 2020 December 18 @ 8:00 am – 10:00 am PST 

Dr. Steve Krantz Webinar: Personal Cybersecurity January 12, 2021 @ 1:00 pm – 3:00 pm PST

Dr. Steve Krantz Webinar: Become A CyberGuardian January 14, 2021 @ 12:30 pm – 2:00 pm PST

Individuals at Risk

Cyber Privacy

Sophos notifies customers of data exposure after database misconfiguration: Exclusive: Company says that only a small subset of customers were impacted. ZDNet, November 26, 2020

Cyber Warning

L.A. City Attorney warns of ‘Letter from Santa scam’ and social media gift exchange scheme ahead of holidays: The Los Angeles City Attorney is warning residents about a social media gift exchange scheme and a “Letter from Santa” scam that bilks people out of money with the promise of a handwritten letter from the jolly old man. KTLA, November 27, 2020

Online Holiday Shopping Scams: CISA warns consumers to be especially cautious of fraudulent sites spoofing reputable businesses, unsolicited emails purporting to be from charities, and unencrypted financial transactions. CISA, November 24, 2020

Cyber Humor

Information Security Management for the Organization

Information Security Management

Orca Security Research: Top Virtual Appliance Vendors Neglect the Security of their Products: Orca scanned 2,218 virtual appliance images from 540 vendors for known vulnerabilities and found a total of 401,571 vulnerabilities. CPO, November 27, 2020

Researcher Identifies Millions of Vulnerable Systems Unpatched for Severe Bugs: Approximately 25% of systems still running vulnerable Windows RDP service, more than 18 months since Microsoft issued an update. CPO, November 26, 2020

5 Lessons We Learned From Our Ransomware Attack: It’s well documented that ransomware attacks are on the rise, and they can have serious consequences that impact all parts of a business including customers, operations, brand, and even boards of directors. HBR, November 25, 2020

How Ransomware Defense Is Evolving With Ransomware Attacks: As data exfiltration threats and bigger ransom requests become the norm, security professionals are advancing from the basic “keep good backups” advice. DarkReading, November 24, 2020

Cyber Talent

There’s no ‘hacker house’ geared toward undergraduate women, so they created one of their own: Hacker houses are making a comeback for entrepreneurs as remote work drags on. While founders are adapting to quarantine in style, a group of college women in their 20s aren’t waiting until they are done with undergraduate work to plunge into the lifestyle themselves. TechCrunch, November 27, 2020

How a Cybersecurity Training Program Can Recruit From Inside Your Business: The cybersecurity industry is facing a shortage of trained and experienced professionals. Schools, universities and organizations are doing amazing things to encourage the next generation to pursue a cybersecurity career. However, there is still a huge cybersecurity talent shortage. With the right training, this can change. SecurityIntelligence, November, 24 2020

My Expert Advice On Becoming A Cybersecurity Professional: The cybersecurity industry has so many opportunities but is in dire need of new talent. According to ISC2, there were approximately 2.8 million professionals in the cybersecurity workforce as of last November. We needed to grow the industry to at least an additional 4 million skilled professionals to close the skill gap. Cyber has been trendy and sexy since the early 2000s. We are still a relatively young profession. Nobody who is a leader in our field today started their career as a cybersecurity professional. Everyone has their own unique story. Forbes, November 24, 2020

Cyber Law

The Hidden Dangers Of Privacy Laws Like The GDPR And CCPA: In the past few years, two landmark privacy laws have changed how U.S. companies handle personal information. The first is the European Union’s General Data Protection Regulation, or GDPR, which applies to companies that do business in Europe. The second is the California Consumer Privacy Act, or CCPA, which applies to companies of a certain size that do business in California. Forbes, November 25, 2020

Hanna Andersson agrees to pay $400K in CCPA-related breach lawsuit: What is believed to be the first monetary settlement for a lawsuit related to the California Consumer Privacy Act (CCPA) has been filed in a federal court in California. ComplianceWeek, November 23, 2020

Cybersecurity in Society

Cyber Crime

Canon confirms it was hit by major ransomware attack, customer data stolen: Maze ransomware group is responsible for the cyberattack that occurred back in August. TechRadarPro, November 28, 2020

A hacker is selling access to the email accounts of hundreds of C-level executives: Access is sold for $100 to $1500 per account, depending on the company size and exec role. ZDNet, November 27, 2020

Manchester United email servers remain offline amid what is being called a ‘ransomware’ attack: Players’ managers looking to lift salaries by a couple of million pounds or so better check their email read receipts: a full week after Manchester United was hit by hackers, many of its systems remain offline, with at least one report claiming the club is being shaken down for ransom. The Register, November 27, 2020

Ransomware: IT Services Firm Faces $60 Million Recovery: France’s Sopra Steria Was Hit By Previously Unseen Version of Ryuk Ransomware. BankInfoSecurity, November 26, 2020

US Fertility says patient data was stolen in a ransomware attack: U.S. Fertility, one of the largest networks of fertility clinics in the United States, has confirmed it was hit by a ransomware attack and that data was taken. TechCrunch, November 26, 2020

Baltimore County Schools To Provide Daily Updates On ‘Catastrophic’ Ransomware Cyber Attack: TOWSON, Md. (WJZ) — Baltimore County Schools said Friday that they plan to provide daily updates at 4 p.m. on a “catastrophic” ransomware cyber attack that forced schools to close on Wednesday. CBS Baltimore, November 26, 2020

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services: Fraudsters redirected email and web traffic destined for several cryptocurrency trading platforms over the past week. The attacks were facilitated by scams targeting employees at GoDaddy, the world’s largest domain name registrar, KrebsOnSecurity has learned. KrebsOnSecurity, November 21, 2020

Cyber Attack

Exclusive: Suspected North Korean hackers targeted COVID vaccine maker AstraZeneca: Hackers said to pose as recruiters on networking site LinkedIn & WhatsApp then sent malware-laced email to employees. Reuters, November 27, 2020

Cyber Espionage

85% of Cyber Espionage Is State-Affiliated, Only 4% Tied To Organized Crime: Verizon’s 2020 Cyber Espionage Report, the result of a total of 14 years of research into global data breaches and threat actor activity, has come up with some illuminating observations about long-term patterns of cyber spying. Among the major highlights are that criminal organizations and disgruntled former employees play a trivial role in overall attempts, that the public sector is the preferred target of attackers and that desktops and laptops are far more likely to be breached than phones. CPO, November 27, 2020

Know Your Enemy

Ransomware: This new variant could be the next big malware threat to your business: Egregor is gaining traction after only emerging in September – and researchers warn this ransomware family is only just getting started. ZDNet, November 25, 2020

National Cybersecurity

The emerging cybersecurity headaches awaiting Biden: The incoming administration will face a slew of cybersecurity-related challenges, as Joe Biden takes office under a very different environment than existed when he was last in the White House as vice president. Axios, November 25, 2020

The Cybersecurity 202: China is likely to be Biden’s biggest cybersecurity challenge: China is shaping up to be the Biden administration’s biggest cybersecurity headache. The Washington Post, November 25, 2020

The Cybersecurity 202: Biden’s DHS pick adds cybersecurity chops to the incoming administration: President-elect Joe Biden’s pick to lead the Department of Homeland Security will bring a boatload of cybersecurity experience to the job. The Washington Post, November 25, 2020

Space Cybersecurity in the Age of Defending Forward: On Sept. 4, the Trump administration released a policy directive detailing the United States’s cybersecurity principles for “space systems.” Emphasizing the importance of space systems for communication, science, economic prosperity, and national security, the directive highlights the importance of integrating cybersecurity throughout the development and life cycle of space systems. Specifically, the directive calls for agencies to “foster practices within Government space operations and across the commercial space industry that protect space assets and their supporting infrastructure” and defend against cyber threats. LawFare, November 24, 2020


Undermining Democracy: Last Thursday, Rudy Giuliani, a Trump campaign lawyer, alleged a widespread voting conspiracy involving Venezuela, Cuba, and China. Another lawyer, Sidney Powell, argued that Mr. Trump won in a landslide, the entire election in swing states should be overturned and the legislatures should make sure that the electors are selected for the president. Schneier on Security, November 27, 2020f

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge