This week’s essential cybersecurity and privacy news for the cyber-aware and the cyber-concerned. Designed to educate, support, and advocate.
Stan’s Top of the News
In major news this week, the Securities and Exchange Commission (SEC) has thrown the information security profession into turmoil by suing SolarWinds and its Chief Information Security Officer (CISO), Tim Brown, for misleading investors about SolarWinds’ security weaknesses. At issue is the role of the CISO: is it to report risk to the Board, or does it extend to the Board’s actions and its communications to shareholders?
Given that it appears SolarWinds was hacked by an arm of the Russian Government, the suit raises the question of whether any non-government organization can adequately protect itself against a nation-state attack; in other words, (i) was SolarWinds doing a “reasonable” job protecting itself given the nature of its risk, and (ii) was it being transparent about this to its investors?
The professional concern over the suit is intense. The challenges of being a Chief Information Security Officer are immense. We have to fight off the enemy at our gates with too little staff, too few resources, users who continually click on phishing emails, and too often management that neither understands its cyber risk nor provides necessary cybersecurity leadership. Now sue us personally because the Board failed to disclose the obvious – we are unable to stop a persistent targeted attack from a nation state – and you have just disincentivized an entire profession that is required for the cybersecurity of every organization in America, and you have done so at a time when 1 of every 4 cybersecurity positions is vacant.
- SEC: SolarWinds failed to disclose cybersecurity woes before historic breach: In a civil action, the Securities and Exchange Commission charged the company with failing to disclose its problems ahead of a breach by suspected Russian hackers that is considered one of the largest ever
- What to know about the SEC’s case against SolarWinds. More from WaPo about what happened and what it means.
- Cyber Chiefs Worry About Personal Liability as SEC Sues SolarWinds, Executive: Tim Brown, the company’s top security executive, is named in SEC suit. … The SEC sued SolarWinds and its head of security on Monday, alleging they misled shareholders about cyber vulnerabilities. … As the Securities and Exchange Commission gets more aggressive in enforcing cybersecurity regulations, corporate cyber chiefs want to insulate themselves from potential liability.
- Cybersecurity Leaders Spooked by SEC Lawsuit Against SolarWinds CISO: The SEC’s lawsuit against the CISO of SolarWinds is leaving CISOs across the industry spooked and reevaluating their roles.
Small and Midsize Organizations. Take your security to the next level. As part of our LA Cybersecure initiative, SecureTheVillage has launched a Pilot Program to enable 50 small to midsize organizations to measurably improve their cybersecurity readiness. The LA Cybersecure Pilot Program is funded by a grant from the Center for Internet Security (CIS) Alan Paller Laureate Program. Find out more and register now.
Family Protection Newsletter: Did you know we created the Family Protection Newsletter for non-cyber experts? For your parents, friends, those who need to protect themselves in a digital world. Sign up or share with a friend! Click here to learn more and quickly add to your free subscription!
How Hackable Are You? Take our test. Find out how hackable you are and download our free updated 13-step guide.
- How Hackable Are You? Think your defenses are strong? Find out as SecureTheVillage tests you on five basics. Please take our short test; your answers will help you and guide us to improve community safety.
Upcoming events. Please join us.
- Los Angeles Cybersecurity Workforce Coalition: The monthly meeting of the workforce coalition, Tue, December 5, 1:00 pm – 2:00 pm PT.
- Eighth Annual Los Angeles Cyber Security Summit. Join SecureTheVillage on November 30 at the Beverly Hilton Hotel for the Cyber Security Summit, ranked as one of the “Top 50 Must-Attend Conferences” by DigitalGuardian. Keynote speakers are friends of SecureTheVillage: LA County CISO Jeffrey Aguilar and FBI Supervisory Special Agent Michael Sohn. I’m moderating “Panel 3 Cloud Security – Leveraging Its Strengths and Overcoming Its Vulnerabilities”. Register free with code STV23. Come say hello at the SecureTheVillage booth.
Cybersecurity Nonprofit of the Week … National Cybersecurity Alliance
Kudos this week to the National Cybersecurity Alliance, a non-profit organization on a mission to create a more secure, interconnected world. The Alliance is an advocate for the safe use of technology, educating everyone on how we can protect ourselves, our families, and our organizations from cybercrime. They create strong partnerships between governments and corporations to amplify their message and to foster a greater “digital” good, encouraging everyone to do their part to prevent digital wrongdoing of any kind. As they say, the real solution to cybercrime isn’t technology, it’s all of us doing our part. Like SecureTheVillage, the National Cybersecurity Alliance is a member of Nonprofit Cyber, a coalition of implementation-focused cybersecurity nonprofits.
Live on Cyber with Dr. Stan Stahl – Live on LinkedIn and Your Favorite Podcast Platform
The Hardest Thing Is Taking That First Step: (Video) (Podcast): If you’re starting your journey to secure your business, you’re in the right place! Learn the Top 4 security steps every small business needs from the Cyber Readiness Institute’s Starter Kit! Small and micro-businesses, build a strong foundation to prevent loss with these Four Core Cyber Policies: ✅ Super strong passwords that guard your personal and client data. ✅ Backups that catch you if you fall. ✅ Training to keep tricks and scams at bay. ✅ A secure place for all your important info. … If you’re ready to get started: 1️⃣ Appoint a leader. 2️⃣ Implement the four policies. 3️⃣ Train your staff. 4️⃣ Prepare for a cybersecurity incident. … Make sure your business is safe online, without taking up all your time. … If you’re ready to level up, and you’re a #smallbusiness, #nonprofit, or #ITMSP in Los Angeles, applications are open now for #LACybersecure, a pilot program with coaching and guidance that costs less than a daily cup of coffee. https://lnkd.in/g45nQ4_j. … Subscribe to Live on Cyber with Stan Stahl, PhD and Julie Michelle Morris, your weekly 15-min update on the latest in privacy and information security affecting your business and community!
Section 2 – Let’s Be Careful Out There. And Let’s Help Others Who Aren’t Yet Cyber-Aware.
The online safety of our children is the subject of two in-depth stories, one from The Wall Street Journal and the other from The Atlantic. Together they paint a bleak picture of the damage we’re doing to our children and why it’s so hard to do anything about it. It’s past time for Washington to find a win-win-win-win solution that protects our kids and protects the First Amendment. Just do it!!
- His Job Was to Make Instagram Safe for Teens. His 14-Year-Old Showed Him What the App Was Really Like.: When a Meta security expert told Mark Zuckerberg that Instagram’s approach to protecting teens wasn’t working, the CEO didn’t reply. Now the former insider is set to tell Congress about the predatory behavior. … In the fall of 2021 a consultant named Arturo Bejar sent Meta Platforms Chief Executive Mark Zuckerberg an unusual note. … “I wanted to bring to your attention what I believe is a critical gap in how we as a company approach harm, and how the people we serve experience it,” he began. Though Meta regularly issued public reports suggesting that it was largely on top of safety issues on its platforms, he wrote, the company was deluding itself. … The experience of young users on Meta’s Instagram—where Bejar had spent the previous two years working as a consultant—was especially acute. In a subsequent email to Instagram head Adam Mosseri, one statistic stood out: One in eight users under the age of 16 said they had experienced unwanted sexual advances on the platform over the previous seven days.
- Why Congress Keeps Failing to Protect Kids Online: Americans are broadly united in support of laws to make the internet safer for kids. So why doesn’t Congress act? … Roughly a decade has passed since experts began to appreciate that social media may be truly hazardous for children, and especially for teenagers. As with teenage smoking, the evidence has accumulated slowly, but leads in clear directions. The heightened rates of depression, anxiety, and suicide among young people are measurable and disheartening. When I worked for the White House on technology policy, I would hear from the parents of children who had suffered exploitation or who died by suicide after terrible experiences online. They were asking us to do something.
Another sign that it continues to get more dangerous in cyberspace. Let’s be careful.
- Report Links ChatGPT to 1265% Rise in Phishing Emails: The SlashNext State of Phishing Report 2023 has unveiled a concerning trend in the cybersecurity landscape, revealing a 1265% surge in malicious phishing emails since Q4 2022. … The annual report, compiled by SlashNext Threat Labs, encompasses an analysis of threats observed across email, mobile and browser channels over 12 months, from Q4 2022 to Q3 2023. The report also emphasized a noteworthy 967% increase in credential phishing attacks.
Section 3 – Cybersecurity and Privacy News for the Cyber-Concerned.
The United States and the G7 both made news this week on managing the ongoing challenges of AI.
- With Executive Order, White House Tries to Balance A.I.’s Potential and Peril: President Biden announced regulations on Monday that seemed to have a little bit for everyone. … How do you regulate something that has the potential to both help and harm people, that touches every sector of the economy and that is changing so quickly even the experts can’t keep up? … That has been the main challenge for governments when it comes to artificial intelligence.
- Exclusive: G7 to agree AI code of conduct for companies: BRUSSELS, Oct 29 (Reuters) – The Group of Seven industrial countries will on Monday agree a code of conduct for companies developing advanced artificial intelligence systems, a G7 document showed, as governments seek to mitigate the risks and potential misuse of the technology. … The voluntary code of conduct will set a landmark for how major countries govern AI, amid privacy concerns and security risks, the document seen by Reuters showed.
In another sign of the Biden-Harris Administration’s work to counter cybercrime, the White House hosted its third annual Counter Ransomware Initiative summit, where several nations pledged not to pay ransoms.
- White House hosts Counter Ransomware Initiative summit, with a focus on not paying hackers: The third annual White House-led counter ransomware summit convening 48 countries, the European Union and Interpol launches in Washington today, featuring several new elements including a pledge from most member states not to pay ransoms and a project to leverage artificial intelligence to analyze blockchains, according to Deputy National Security Advisor for Cyber and Emerging Technologies Anne Neuberger.
In another move to force companies to implement reasonable defenses against cybercrime, the State of New York has strengthened its already strong cybersecurity rules.
- New York Adds Stiffer Requirements to Cybersecurity Rules: Financial companies must now report ransom payments and strengthen board oversight. … New York’s financial watchdog published significant updates to its cybersecurity regulations Wednesday, adding strict provisions around board oversight and ransom payments that go further than recent federal rules.
This week in cybercrime, including more information about the MOVEit breach:
- Boeing confirms ‘cyber incident’ after ransomware gang claims data theft: Aerospace giant Boeing has confirmed that it is dealing with a “cyber incident,” days after the company was listed on the leak site of the LockBit ransomware gang. … In a statement given to TechCrunch, Boeing spokesperson Jim Proulx confirmed that attackers had targeted “elements of our parts and distribution business.” The spokesperson added: “This issue does not affect flight safety. We are actively investigating the incident and coordinating with law enforcement and regulatory authorities. We are notifying our customers and suppliers.” … This confirmation comes soon after the Russia-linked LockBit ransomware gang claimed responsibility for a cyberattack targeting Boeing. According to a recent U.S. government advisory, LockBit has targeted approximately 1,800 victim systems in the U.S. and worldwide since late 2019.
- American Airlines pilot union hit with ransomware: The American Airlines pilot union is working to restore its systems following a ransomware attack, the latest in a rash of cyber incidents affecting the aviation industry. … The union, which represents more than 15,000 of the airline’s pilots, posted a notice on its website explaining it first discovered the cyberattack on October 30. … The unnamed cybersecurity firm hired to conduct an investigation confirmed that the union was hit with ransomware and said some systems were encrypted.
- Ace Hardware hit with cyber breach: Weekend cybersecurity incident interrupts key systems. … Oak Brook, Illinois-based Ace Hardware is investigating a weekend cybersecurity incident that has disrupted shipments.
- Cyber terror group “Play” says it stole thousands of files from Dallas County: Dallas County employees are bracing for the impact of another reported cyber attack, months after a crippling data theft in May. … The post appeared Saturday on a list of active ransomware attacks committed by a person or group identified as “Play.” … It states “private documents of Dallas County departments” will go up for sale on the dark web unless an unspecified ransom is paid by Friday.
- Major Mexican airport confirms experts are working to address cyberattack: One of the highest-traffic airports in Mexico said it is responding to a cyberattack. … The Querétaro Intercontinental Airport — about three hours from Mexico City — confirmed reports that it had been attacked by hackers, posting a notice on social media sites that it had called in experts to help address the issue.
- Russian Hackers Breached 632,000 DOJ And Pentagon Email Addresses In Massive MOVEit Cyberattack, Report Says: The email addresses of about 632,000 employees from the Justice and Defense departments were accessed in a hack earlier this year, Bloomberg reported Monday, adding to the number of organizations—including airlines, universities and other U.S. agencies—impacted by a series of data breaches largely blamed on a Russian-speaking criminal group.
There continues to be a critical shortage of cybersecurity professionals to keep our organizations safe from cybercrime.
- A record high 4 million cybersecurity professionals are needed worldwide, according to ISC2. The cyber organization’s CEO says that’s still not enough: Millions of companies across the world are at risk of cyberattacks that could debilitate profit and brand reputation overnight. And with an increasingly connected digital world, something as simple as a smart thermostat could help hackers infiltrate systems. … But many companies are not taking these threats seriously, according to Clar Rosso, CEO of ISC2—one of the largest certification organizations as well as member associations for cybersecurity professionals.
Section 4 – Managing Information Security and Privacy in Your Organization.
An excellent article by friend of SecureTheVillage Ric Merrifield that helps break the language barrier between “business speak” and “cybersecurity speak.”
- Why Many Small and Medium Businesses Lag in Managing Cyber Risks: There are countless articles about the enormous financial and business impact of cyber-crimes, and while many organizations with fewer than 1,000 people view this as a big company problem, the reality is 46% of all cyber breaches impact organizations with fewer than 1,000 people and 61% of 2021 cyberattacks targeted these small and medium organizations (often called SMBs). … So, if this is such a big problem, why aren’t these SMBs doing more to protect themselves? Four things make a large part of this issue.
If you use Cisco devices, PATCH now.
- Exploit released for critical Cisco IOS XE flaw, many hosts still hacked: Public exploit code is now available for the critical Cisco IOS XE vulnerability tracked as CVE-2023-20198 that was leveraged as a zero-day to hack tens of thousands of devices. … Cisco released patches for most releases of its IOS XE software but thousands of systems continue to be compromised, internet scans show.