Cybersecurity News of the Week, October 11, 2020

SecureTheVillage Calendar

InfraGard Webinar: Malign Foreign Influence and Election Security Threat Briefing October 15 @ 8:15 am – 12:00 pm PDT

Financial Services Cybersecurity Roundtable: Managing 3rd Party Service Providers in Financial Services with John Coleman. October 16 @ 8:00 am – 10:00 am PDT

Insurance Brokers Cybersecurity Roundtable: Navigating the Strange World of Cyber Risk, Cyber Exposures, & Cyber-Gotchas with Jason Meshekow October 20 @ 2:00 pm – 3:00 pm PDT

Technology & Security Management HappyHour: Talking to the CSuite: Open Fair Standard. October 27 @ 4:30 pm – 5:30 pm PDT

Cybersecure 2020: A A Reasonable Guide to Reasonable Security. October 28 @ 1:00 pm – 5:00 pm PDT

LMG Security Virtual Class: Cyber First Responders. November 5 @ 9:00 am – 6:00 pm PST

Information Security Management Webinar: Conversation on the Cyber Risk Landscape with Deron T. McElroy, CISA. November 12 @ 10:00 am – 11:00 am PST

Insurance Brokers Cybersecurity Roundtable: Case Study of a Breach: Helping Your Clients Prepare for the Inevitable. November 17 @ 2:00 pm – 3:00 pm PST

Financial Services Cybersecurity Roundtable: November 2020. November 20 @ 8:00 am – 10:00 am PST

Individuals at Risk

Information Security Management

A Cybersecurity Checklist For The New Norm: Covid-19 has caused a seismic shift in how businesses operate. Offices have shut down, and workers have gone remote. Employees returning to offices are putting additional stress on limited resources that have shifted to some extent to supporting the work-from-home option. On one hand, IT infrastructure is struggling to cope with an increase in demand while on the other, attackers are seeking to exploit vulnerabilities in this newly expanded remote work environment. Forbes, October 8, 2020

Secure The Human

It’s never too early to teach your kids about cybersecurity: Technology is here to stay, and it continues to advance and grow all the time. Because of its prominent place in the world, it can seem like today’s generation is practically born with an iPhone in hand. In fact, as of 2015, 61% of children ages 3-18 had access to the internet at home. That number has undoubtedly increased today, as it’s become more of a necessity thanks to everything from remote learning to teens looking for careers in cybersecurity. The Next Web, October 8, 2020

Cybersecurity Awareness Month: How to protect your kids from identity theft: Freezing your child’s credit is one way to stop cybercriminals from stealing their identity. But you have to be careful to keep the key to thaw it later. TechRepublic, October 7, 2020

Cyber Warning

How Cybersecurity and Cyberbullying are Intertwined in K-12 Schools: Cybersecurity and cyberbullying are uniquely related in K-12 online learning systems. SecurityBoulevard, October 8, 2020

Microsoft warns of Android ransomware that activates when you press the Home button: New MalLocker.B ransomware is currently spreading via online forums and third-party websites. ZDNet, October 8, 2020

Amazon Prime Day Spurs Spike in Phishing, Fraud Attacks: A spike in phishing and malicious websites aimed at defrauding customers aim to make Prime Day a field day for hackers. ThreatPost, October 8, 2020

Don’t Get Suckered by Phishing Scams About Trump’s Health: A new phishing scam is duping unsuspecting victims with enticing links promising access to President Trump’s alleged health records and top-secret COVID-19 treatment information. In reality, these misleading links are triggering downloads that sneak a new, dangerous form of malware onto the PCs of unsuspecting truth-seekers. LifeHacker, October 8, 2020


Information Security Management for the Organization

Cybersecurity in the C-Suite & Board

Boards Increase Investment in Cybersecurity in Face of Threats and Regulatory Fines: Board decisions on cybersecurity spending are slowly improving following the impact of regulatory fines and COVID-19. InfoSecurity, October 8, 2020

Making Cybersecurity a Priority in the Boardroom: Cyber risks are ever-increasing in the Covid-19 era. On one hand, businesses are going through a radical transformation while on the other, the attack surface is rapidly expanding due to more people working from home. There is increased pressure on executive teams to step-up and get a better handle on cybersecurity. InfoSecurity, September 28, 2020

Information Security Management

Why MSPs Are Hacker Targets, and What To Do About It … Managed service providers are increasingly becoming the launching pad of choice for ransomware and other online malfeasance: It’s commonly understood that smaller businesses have smaller IT budgets, which often does not leave much room for IT security. Even in 2020, many of these companies have never heard of NIST, ISO 27001, or other security frameworks, let alone implemented them. And with more than 30 million businesses falling in the category of fewer than 1,000 employees, small businesses represent a significant part of the American economy. For an attacker, this is a gold mine of potential opportunity, but the key to that financial reward means operational scalability, putting the target squarely on managed service providers (MSPs). DarkReading, October 9, 2020

Companies opting out of DHS threat-sharing platform call for better data: Since its inception in 2016, the Department of Homeland Security’s threat-sharing platform has been plagued by a lack of participation from public and private organizations alike. DHS is now vowing to make improvements, as the security community calls for better quality of data and more tangible payback for opting in. SCMedia, October 8, 2020

Amid Growing Ransomware Attacks, OFAC Pushes Private Sector, FBI Cooperation: While a recent advisory from OFAC is hoping to push companies impacted by ransomware into the arms of the FBI and other law enforcement agencies, businesses that are fearful of losing control over the subsequent investigation may be reluctant to comply., October 8, 2020

Only 27.9% of organizations able to maintain compliance with the PCI DSS: Global organizations continue to put their customers’ cardholder data at risk due to a lack of long term payment security strategy and execution, flags the Verizon report. HelpNetSecurity, October 8, 2020

Cybersecurity Awareness: 6 Myths And How To Combat Them: National Cybersecurity Awareness month is upon us. And, so is the opportunity to look at what common C-suite misconceptions could be handcuffing security awareness efforts. SecurityIntelligence, October 7, 2020

Using PCI Scope to Lower Risks and Cost … By leveraging newer technology and risk transfer, organizations can in some cases reduce questions almost tenfold. This article discusses leveraging technology identified in PCI Self-Assessment Questionnaires A and P2PE to reduce the risks and costs to an organization when processing credit cards, which also subjects the organization to fewer and less onerous compliance requirements. By leveraging newer technology and risk transfer, organizations can in some cases reduce questions almost tenfold. By R. Scott Pierangelo and David Lam, Members SecureTheVillage Leadership Council, ISSA, October 2020

Privacy Management

New CCPA Amendment Extends Exemptions for Employment, B2B Data: A new amendment to the California Consumer Privacy Act allows California employers and businesses that collect personal information of business partners to take some comfort from the fact they may continue to rely on two important CCPA exemptions. Morgan, Lewis & Bockius LLP partner Reece Hirsch explains the impact and predicts more enforcement from state regulators. Bloomberg, October 8, 2020

Cyber Warning

FBI Issues Warning of Using Hotel WiFi if Teleworking from Hotel: The Federal Bureau of Investigation is issuing this announcement to encourage Americans to exercise caution when using hotel wireless networks (Wi-Fi) for telework. FBI has observed a trend where individuals who were previously teleworking from home are beginning to telework from hotels. US hotels, predominantly in major cities, have begun to advertise daytime room reservations for guests seeking a quiet, distraction-free work environment. While this option may be appealing, accessing sensitive information from hotel Wi-Fi poses an increased security risk over home Wi-Fi networks. Malicious actors can exploit inconsistent or lax hotel Wi-Fi security and guests’ security complacency to compromise the work and personal data of hotel guests. Following good cyber security practices can minimize some of the risks associated with using hotel Wi-Fi for telework. FBI, October 6, 2020

Cyber Talent

The cybersecurity skills gap: California educates the workforce of the future: California is a beacon for global innovation, home of Silicon Valley and a center for space tech. Its economy outpaces many nations, beating both the Russian Federation and Italy for gross domestic product. Big name enterprise players, the U.S. military, and government all vie for top talent; and there isn’t enough to go around. SiliconAngle, October 8, 2020

Secure The Human

More scoring, less boring: How companies can gamify security training: Video games, quiz show competitions and undercover “mole” operations are among the more inventive ways companies are trying to spice up their security awareness training. SCMedia, October 8, 2020

Cyber Insurance

Consumers and Business Owners are Underprepared for Evolving Cyberthreats: As COVID-19 drives more Americans to turn to virtual or digital business interactions, cyber criminals have found fertile hunting ground for new opportunities to exploit weaknesses. According to a new Nationwide Agent Authority survey, many American consumers and businesses are dangerously underprepared to defend against common and evolving cyberthreats. CPA Practice Advisor, October 1, 2020

Cybersecurity in Society

Cyber Crime

Senate Democrat raises concerns around Universal Health Services breach: Sen. Mark Warner (D-Va.) on Friday raised concerns around a recent cyberattack on hospital chain Universal Health Services (UHS) that resulted in the data of millions of customers potentially being compromised. The Hill, October 9, 2020

German tech giant Software AG down after ransomware attack: The Clop ransomware gang is demanding more than $20 million from German tech firm Software AG. ZDNet, October 9, 2020

Number of corporate credentials exposed on the dark web increased by 429%: While there has been a year-over-year decrease in publicly disclosed data breaches, an Arctic Wolf report reveals that the number of corporate credentials with plaintext passwords on the dark web has increased by 429 percent since March. HelpNetSecurity, October 8, 2020

Clinical Trials Hit by Ransomware Attack on Health Tech Firm: No patients were affected, but the incident was another reminder of the risks in the increasingly common assaults on computer networks. The New York Times, October 3, 2020

Know Your Enemy

Elusive hacker-for-hire group Bahamut linked to historical attack campaigns: The Bahamut group targets high-value victims and takes meticulous care with its own operational security. CSO, October 9, 2020

Amid an Embarrassment of Riches, Ransom Gangs Increasingly Outsource Their Work: There’s an old adage in information security: “Every company gets penetration tested, whether or not they pay someone for the pleasure.” Many organizations that do hire professionals to test their network security posture unfortunately tend to focus on fixing vulnerabilities hackers could use to break in. But judging from the proliferation of help-wanted ads for offensive pentesters in the cybercrime underground, today’s attackers have exactly zero trouble gaining that initial intrusion: The real challenge seems to be hiring enough people to help everyone profit from the access already gained. KrebsOnSecurity, October 8, 2020

Cyber Freedom

Cyberattacks, Foreign Interference, and Digital Infrastructure: Conducting Secure Elections Amid a Pandemic: The coronavirus pandemic has introduced an additional layer of complexity into the already challenging task of conducting secure, democratic elections. Prior to the pandemic, many democracies were working to secure their elections from foreign adversaries, often with limited budgets. These challenges have only grown more acute because of the pandemic. Since the coronavirus arrived, much attention has, correctly, been focused on how to administer elections in a manner that reduces the likelihood of voters and pollworkers contracting the virus. However, after reviewing many elections held in Europe and the United States, including several during the pandemic, we believe that more can and should be done to secure human, physical, and cyber election assets. Both the pandemic and foreign interference threats show no signs of abating; meanwhile the pandemic creates further windows of opportunity for authoritarian regimes to interfere in elections. Alliance for Securing Democracy, October 8, 2020

Technology a double-edged sword for U.S. election security: Technologies are being weaponized to undermine the 2020 U.S. presidential election, but IT systems will also help identify fraud and verify results in a contested election. SearchSecurity, October 8, 2020

Homeland Security steps up warnings about 2020 U.S. election security: WASHINGTON (Reuters) – The U.S. Department of Homeland Security (DHS) on Tuesday stepped up warnings about foreign threats to U.S. election security, affirming other agencies’ concerns regarding Russian interference in particular. Reuters, October 6, 2020

Election security bolstered in key states for 2020 presidential race. Will they hold?: With the presidency on the ballot in less than a year, fears of another attempt by Russia or other foreign powers to interfere in the election seem to grow with each passing day. The Fulcrum, December 9, 2020


Facebook, Twitter dismantle global array of disinformation networks: LONDON/WASHINGTON (Reuters) – Facebook Inc FB.O and Twitter Inc TWTR.N said on Thursday they had taken down more than a dozen disinformation networks used by political and state-backed groups in multiple countries to deceive users on their platforms. Reuters, October 7, 2020

Become A CyberGuardian

Protect your community: take the CyberGuardian Pledge, join our email list, get invited to events.

Take the Pledge