Secure the Village
Grant of $3 Million Will Help L.A. Cyber Lab Expand. Congratulations to Mayor Garcetti and our friends at Cyber Lab LA. SecureTheVillage is proud to be a part of this vital public-private initiative: The capabilities of the Los Angeles Cyber Lab will be expanded now that the Department of Homeland Security has awarded the project a $3 million grant, Mayor Eric Garcetti said Wednesday. NBC LA, October 4, 2018
Individuals at Risk
Cyber Awareness
Asking the public about cybercrime and cybersecurity. Public support for efforts to reduce negative incidents in cyberspace is critical to society’s efforts to preserve the benefits of digital technologies: Cybersecurity involves protecting the digital technologies upon which we depend against criminals who seek to abuse them for their own ends. Public support for efforts to reduce cybercrime is critical to society’s efforts to preserve the benefits of digital technologies. That is why I am so interested in what the public thinks about cybercrime and cybersecurity, and why I have been researching the topic by means of surveys, several of which I have summarized below. Later this month I will be publishing, here on WeLiveSecurity.com, the results of our most recent survey. This article serves as background and context for those cybercrime statistics. welivesecurity, October 4, 2018
We’re All in This Together – Why You Should Champion National Cyber Security Awareness Month: With data breaches on the rise and personal information ending up in the hands of cyber criminals, we are no longer questioning whether a breach will occur, but when the breach will occur, and how it will affect us. ITSP, October 1, 2018
October is National Cybersecurity Awareness Month. Cybersecurity is everyone’s responsibility, and this month serves as a reminder that each of us has a part to play in making the Internet safer and more secure: Connected devices are essential to our professional and personal lives, and criminals have gravitated to these platforms as well. Many common crimes—like theft, fraud, harassment, and abuse—are now carried out online, using new technologies and tactics. Others, like cyber intrusions and attacks on critical infrastructure, have emerged as our dependence on connected systems revealed new vulnerabilities. FBI, October 1, 2018
Cyber Defense
The Inconvenient Truth About Your Eight-Character Password: October is National Cyber Security Awareness Month (NCSAM), which means it’s time to talk about passwords for the umpteenth time. Why beat this dead horse again? Because just about everyone still uses passwords, and even the most recent password security recommendations do not make them any stronger. SecurityIntelligence, October 4, 2018
The one serious MacBook Pro security flaw that nobody is talking about. Every MacBook since 2015 and every MacBook Pro since 2016 is at risk. Here’s how you can keep your machines safe: One of Han Solo’s trademark lines was “I’ve got a bad feeling about this.” Ever since I started thinking about getting the 2018 i9-based, 32GB MacBook Pro, I’ve been having a bad feeling, but I couldn’t put my finger on what it was. ZDNet, October 3, 2018
Cyber Warning
Signing Up for Benefits? Beware of Phishing Attacks: In addition to being National Cyber Security Awareness Month (NCSAM) in the US, October also marks the beginning of a lucrative two-month phishing season. Over the next two months, the vast majority of companies will have employees review and enroll in benefits, with many organizations also beginning their holiday party and charity campaign planning. These activities provide a window of opportunity for threat actors to strike with phishing attacks that appear legitimate. SecurityIntelligence, October 5, 2018
Security analysis of mobile apps finds 85% violate security standards. The majority of apps contain cybersecurity flaws in data storage, communication, or authentication practices, according to a WhiteHat report: Cybercriminals are increasingly targeting mobile apps for attacks, due in part to lax security standards, according to a Thursday report from WhiteHat Security. The majority of mobile apps—85%—violate one or more of the Open Web Application Security Project (OWASP) Mobile Top 10, meaning they contain at least one common security vulnerability that can be exploited, the report found. TechRepublic, October 4, 2018
Voice Phishing Scams Are Getting More Clever: Most of us have been trained to be wary of clicking on links and attachments that arrive in emails unexpected, but it’s easy to forget scam artists are constantly dreaming up innovations that put a new shine on old-fashioned telephone-based phishing scams. Think you’re too smart to fall for one? Think again: Even technology experts are getting taken in by some of the more recent schemes (or very nearly). KrebsOnSecurity, October 1, 2018
Know Your Enemy
For $14.71, You Can Buy A Passport Scan on the Dark Web. That’s the average price of a digital passport scan, and it goes up with proof of identification, a new study finds: A digital passport scan costs an average of $14.71 on the Dark Web, but a scan is all you’ll get for that price. Cybercriminals up the cost for scans accompanied by identity verification documents, and you’ll pay more than $13,000 for a legitimate physical passport. DarkReading, October 4, 2018
Information Security Management in the Organization
Information Security Management and Governance
The Importance of Information Security Plans: In the first installation of our weekly series during National Cybersecurity Awareness Month, we examine information security plans (ISP) as part of an overall cybersecurity strategy. Regardless of the size or function of an organization, having an ISP is a critical planning and risk management tool and, depending on the business, it may be required by law. An ISP details the categories of data collected, the ways that data is processed or used, and the measures in place to protect it. An ISP should address different categories of data maintained by the organization, including employee data and customer data as well as sensitive business information like trade secrets. National Law Review, October 5, 2018
Cyber Warning
Business email compromise made easy for cyber criminals by poor security practices and hacking services, research reveals. Time to check your cybersecurity controls: Around 12.5 million company email boxes and 33,000 finance department credentials are openly accessible on the web, research from digital risk management and threat intelligence firm Digital Shadows has found. ComputerWeekly, October 4, 2018
Cyber Talent
Building Cybersecure Culture through an Age-Old Technique: Apprenticeships: Earlier this year, the CompTIA Cybersecurity Advisory Board released a white paper, “Building a Culture of Cybersecurity” [note: link opens a PDF], that highlights cybersecurity threats, issues and considerations – especially in terms of concerns that are most important to corporate executives and boards of directors. ITSP, October 3, 2018
Cyber Compliance
New NASAA president Michael Pieciak puts cybersecurity at top of agenda. Investment advisors will be required to adopt policies & procedures to safeguard information and to inform clients about their privacy policies annually: It’s often the smallest investment advisory firms that are the most vulnerable to online threats, and that’s why it’s natural for rule-making to start at the state level, according to a top state regulator. Investment News, October 5, 2018
Insurance Companies Are Facing Cybersecurity Compliance Deadlines. South Carolina recently became the first state to adopt the National Association of Insurance Commissioners’ Insurance Data Security Model Law: South Carolina recently became the first state to adopt the National Association of Insurance Commissioners’ Insurance Data Security Model Law. The NAIC is a standard-setting and regulatory support organization consisting of the top insurance regulators from the 50 states, D.C. and five U.S. territories. Law.com, October 4, 2018
Cybersecurity in Society
Cyber Crime
North Korean Hackers Tied to $100 Million in SWIFT banking Fraud. FireEye Traces APT38 Attacks; US-CERT Issues ATM Cash-Out Malware Attack Alert: A gang of North Korean government hackers, known as APT38, has been waging a sophisticated hacking campaign against banks in Asia and Africa, resulting in the theft of more than $100 million via fraudulent transfers through SWIFT, the global money-transfer network, says U.S. cybersecurity firm FireEye. BankInfoSecurity, October 4, 2018
Cyber Breach
Facebook Could Face Up to $1.63 Billion Fine for Latest Hack Under the GDPR: Facebook’s stunning disclosure of a massive hack on Friday in which attackers gained access tokens to at least 50 million accounts—bypassing security measures and potentially giving them full control of both profiles and linked apps—has already stirred the threat of a $1.63 billion dollar fine in the European Union, according to the Wall Street Journal. Gizmodo, September 30, 2018
Cyber Attack
DHS aware of ongoing APT attacks on cloud service providers. Attacks most likely linked to APT10, a Chinese cyber-espionage group, also known as Red Apollo, Stone Panda, POTASSIUM, or MenuPass: The US Department of Homeland Security has issued an alert today about “ongoing” cyber-attacks against managed service providers – a term used to describe online cloud-based services. ZDNet, October 3, 2018
Why us? 6 months after ransomware attack Atlanta has no answers as costs to rebuild systems exceed $3M: A cyberattack is as unapologetic as it is invasive. In Atlanta’s case, a March ransomware attack also included a level of irony in that file names on city computers were altered to include “weapologize” and “imsorry.” CIO Dive, October 4, 2018
National Cybersecurity
A New, More Aggressive U.S. Cybersecurity Policy Complements Traditional Methods: In introducing the new National Cyber Strategy, Bolton also confirmed a Wall Street Journal article from August which reported that Trump had rescinded former U.S. President Barack Obama’s guidance on conducting cyber activities, replacing it with a policy that gives more authority to the U.S. Cyber Command. Former National Security Agency contractor Edward Snowden leaked the previous guidance, Presidential Policy Directive 20 of October 2012. He sought to expose how the U.S. government was considering offensive cyber operations, defined as those that could cause physical harm or major property damage. The old guidance made clear that such drastic measures should be taken only as a last resort and with the express permission of the president. Presidential Policy Directive 20 also emphasized that cyber operations should follow the interagency process in order to coordinate the response and ensure a “whole-of-government” approach. Stratfor, October 5, 2018
Spy Bust Exposes Methods of Putin’s GRU Military Hackers: The exposure of Russian espionage operations by Dutch, U.K. and U.S. authorities has opened a window into the sometimes sloppy tradecraft of the Kremlin’s GRU military-intelligence service. Bloomberg, October 4, 2018
Russian hackers behind DNC breach now targeting Europe, South America: The Russian hackers who meddled with the 2016 US presidential elections have been attacking governments in other continents, according to Symantec. CNet, October 4, 2018
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies: The attack by Chinese spies reached almost 30 U.S. companies, including Amazon and Apple, by compromising America’s technology supply chain, according to extensive interviews with government and corporate sources. Bloomberg, October 4, 2018
Senate passes key cyber bill cementing cybersecurity agency at DHS: The Senate on Wednesday passed a key cyber bill that solidifies the Department of Homeland Security’s role as the main federal agency overseeing civilian cybersecurity. The Hill, October 3, 2018
Cyber Fine
Lessons From the Record-Setting Uber Data Breach Settlement: Uber has had a hard time getting data security right. This past week, the ride-sharing company agreed to pay $148 million in a settlement with 50 state attorneys general and the District of Columbia after it intentionally concealed a 2016 data breach. According to the New York Attorney General, it is the largest settlement ever in a multi-state breach case. Uber was found to have breached notification laws by hiding the fact that hackers accessed the information of 57 million users. Uber then paid the hackers $100,000 to destroy the data, without publicly disclosing the loss. Cybersecurity Lawyer Forum, October 1, 2018
Cyber Regulation
The Trump administration is suing California to quash its new net neutrality law: The Trump administration said Sunday it will sue California in an effort to block what some experts have described as the toughest net neutrality law ever enacted in the United States, setting up a high-stakes legal showdown over the future of the Internet. The Washington Post, September 30, 2018
California gov. signs nation’s strictest net neutrality rules into law. US government will sue California—Ajit Pai called state rules “illegal.”: California Governor Jerry Brown today signed net neutrality legislation into law, setting up a legal showdown pitting his state against Internet service providers and the US government. ars technica, September 30, 2018
Cyber Medical
Malware hits medical devices at 18 percent of healthcare orgs in last year. New CHIME-KLAS survey of CIOs, CISOs & other security leaders finds few confident in ability to protect patient safety & prevent disruptions from cybercriminals: Nearly one in five provider organizations (18 percent) polled for a new joint report from CHIME and KLAS have seen malware or ransomware infect or impact medical devices in the past year and a half. HealthCareITNews, October 4, 2018
Cyber Enforcement
Seven Russian hackers charged with hacking anti-doping organizations. Three of the defendants were also indicted as a result of the Mueller probe over the summer: On Thursday morning, the Department of Justice announced a wide array of criminal charges against seven Russian intelligence officers, including computer hacking, wire fraud, money laundering, and identity theft. According to the indictment, the defendants stole and disseminated the personal information of several prominent anti-doping officials and 250 athletes following the 2014 Sochi Olympics. TheVerge, October 4, 2018
Cyber Miscellany
Cybersecurity Risks Should Weigh on Investors’ Minds More Often: Tensions over tariffs and pacts like the North American Free Trade Agreement have dominated recent economic headlines, but Thursday’s triple-whammy of cyber hacking news gives justified prominence to what may be an even bigger threat to global prosperity. The New York Times, October 4, 2018
SecureTheVillage Calendar
Financial Services Cybersecurity Roundtable. October 12 @ 8:00 am – 10:00 am.
Cybersecure LA 2018 … Define! Develop! Deliver! October 25 @ 8:00 am – 3:30 pm. Cybersecure LA 2018 … a joint presentation of SecureTheVillage and Pepperdine Graziadio Business School. Define your Cyber Risks | Develop an Action Plan | Deliver a Stronger Cyber Risk Posture. REGISTER NOW.
Webinar: Getting Cyber-Prepared: Incident Response & Business Continuity. November 1 @ 10:00 am – 11:00 am.
Webinar: Third-Party Security Management. December 6 @ 10:00 am – 11:00 am.
Financial Services Cybersecurity Roundtable. December 14 @ 8:00 am – 10:00 am.