Individuals at Risk
Cyber Privacy – Facebook
In Class-Action Lawsuit Over Cambridge Analytica, Facebook Lawyer Says You Don’t Have Any Privacy on the Site. The Next Day, Zuckerberg Tells Shareholders He Wants to Build a “privacy-focused social platform.”: Just one day before Facebook CEO Mark Zuckerberg said at a shareholder meeting that he wants to build a “privacy-focused social platform,” the company’s lawyer argued that privacy doesn’t actually exist on Facebook. Digital Trends, May 30, 2019
Cyber Danger
Why You Shouldn’t Use The Wi-Fi In Your Airbnb, According To A Hacker: Most Airbnb users book stays with no major issues. But staying in a stranger’s house means you inevitably make yourself vulnerable to some risks, some of which have included scams, hidden cameras and discrimination. It can be hard to let your guard down while renting an Airbnb ― and you shouldn’t, even if everything seems to check out. Huffpost, May 29, 2019
Cyber Defense
Lock Down Your Login. What is Two-Factor … also called Multi-Factor … Authentication (MFA) and Why You Need to Use it. SANS Security Awareness Newsletter. [Oldie but Goodie]: The process of authentication, or proving who you are, is key to protecting your information, such as your email, social media, or online banking accounts. You may not realize it, but there are three different ways to prove who you are: what you know, such as a password, what you have, such as your driver’s license, and some part of you, such as your fingerprint. Each one of these methods has advantages and disadvantages. The most common authentication method is passwords, which are something you know. Unfortunately, using passwords just by themselves is proving to be more and more insecure. In this newsletter, we teach you how to protect yourself and lock down your login with something far better than just passwords. It’s called two-factor authentication. SANS, December 2017
Cyber Warning
Phishing Emails Pretend to be Office 365 ‘File Deletion’ Alerts: A new phishing campaign is underway that pretends to be from the “Office 365 Team,” warning recipients that there has been an unusual amount of file deletions occurring on their account. BleepingComputer, May 28, 2019
Cyber Humor
Information Security Management in the Organization
Information Security Management and Governance
Ransomware Succeeds Because Targets Don’t Learn From History: It was writer, poet, and philosopher George Santayana, who said in 1905 that, “Those who cannot remember the past are condemned to repeat it.” British Prime Minister Winston Churchill reportedly updated it a bit in 1948 with, “Those who fail to learn from history are condemned to repeat it.” Forbes, May 30, 2019
Cybersecurity in the C-Suite
New Centrify Report Confirms What We Already Know: Most businesses ‘overconfident’ in their ability to stop cybersecurity breaches: Some 93% of organizations said they feel prepared against cyberthreats, though they lack common cyber best practices, according to a Centrify report. TechRepublic, May 30, 2019
Cyber Update
IT Depts. MSPs. Microsoft issues second security warning over BlueKeep, a recently discovered critical vulnerability in Remote Desktop Protocol service that can be exploited worm-like in old operating systems to take over unpatched devices: Microsoft has issued a second security warning over BlueKeep, a recently discovered vulnerability in its Remote Desktop Protocol service that could enable attackers to use a worm-like exploit to take over devices running unpatched older Windows operating systems. BankInfoSecurity, May 31, 2019
Cyber Defense
4 tips for getting the most from threat intelligence: It’s easy to gather data on potential threats, but you have to know what to do with that intelligence if you want to improve your security stance. CSO, May 30, 2019
Five tips for protecting your organization’s online data from inadvertent exposure as new study says number of files exposed on misconfigured servers, storage and cloud services has risen to 2.3 billion in last year: Organizations rely on various storage tools and technologies to provide online access to certain data. SMB, FTP, rsync, Amazon S3, and NAS drives are all used to make necessary files available to the people who need them. But the improper use of these technologies is exposing sensitive information and leaving those files vulnerable to attackers, according to a report released Thursday by Digital Shadows. TechRepublic, May 30, 2019
Secure The Human
Should Failing Phish Tests Be a Fireable Offense?: Would your average Internet user be any more vigilant against phishing scams if he or she faced the real possibility of losing their job after falling for one too many of these emails? Recently, I met someone at a conference who said his employer had in fact terminated employees for such repeated infractions. As this was the first time I’d ever heard of an organization actually doing this, I asked some phishing experts what they thought (spoiler alert: they’re not fans of this particular teaching approach). KrebsOnSecurity, May 29, 2019
Cybersecurity in Society
Cyber Privacy
How a quantum computer could break 2048-bit RSA encryption in 8 hours … And new analysis shows it’s going to happen a lot sooner than anyone ever thought: Many people worry that quantum computers will be able to crack certain codes used to send secure messages. The codes in question encrypt data using “trapdoor” mathematical functions that work easily in one direction but not in the other. That makes encrypting data easy but decoding it hugely difficult without the help of a special key. MIT Technology Review, May 30, 2019
Cyber Breach
One of New York’s largest nonprofits suffers data breach. People Inc. says an employee email account was the source. Another sad illustration of the importance of multi-factor authentication (MFA): People Inc., one of western New York’s largest non-profit agencies, has revealed a data breach which has exposed sensitive medical information belonging to current and former clients. ZDNet, May 31, 2019
Cyber Attack
Tax delays and canceled home sales: The costly ripple effects of today’s cyber-attacks: On May 7, accounting software company Wolters Kluwer faced a devastating malware attack, shutting off service and panicking many accountants who were racing to file their clients’ tax returns by a May 15 deadline. CNBC, May 26, 2019
Know Your Enemy
It only takes three seconds … An account of why the cyber criminals are winning. Hint: It’s basic hygiene, not rocket science: On Monday, May 6, accountants around the United States woke up to start their workweek only to discover that their CCH products — a suite of tax and other solutions offered by Wolters Kluwer Tax & Accounting — were down. Confusion turned to panic, which then turned to anger pretty soon after customers were informed the company had been the victim of a cyberattack. accountingToday, May 29, 2019
National Cybersecurity
NSA Deflects Blame for Baltimore Ransomware Attack: An agency’s policy advisor says city officials had more than two years to patch computers against the attack. Defense One, May 31, 2019
Cyber Command appoints new No. 2 amid growing battle with foreign hackers: The head of U.S. Cyber Command has tapped the organization’s chief of staff to be his new deputy, filling a critical vacancy as the command looks to bolster operations to defend the 2020 elections from foreign interference. Politico, May 30, 2019
In Baltimore and Beyond, a Stolen N.S.A. Tool Wreaks Havoc: For nearly three weeks, Baltimore has struggled with a cyberattack by digital extortionists that has frozen thousands of computers, shut down email and disrupted real estate sales, water bills, health alerts and many other services. The New York Times, May 25, 2019
Cyber Freedom
Political Parties Get Poor Cybersecurity Report Card: Political parties in both the US and Europe could try harder when it comes to cybersecurity, warned a report from SecurityScorecard in May. InfoSecurity, May 31, 2019
GAO says Cybersecurity, IT Systems Risks Still Loom High Over 2020 Census: With less than a year until Census Day left, the Government Accountability Office (GAO) said that the Census Bureau’s critical census IT systems and cybersecurity mitigation and contingency plans are high-concern areas among the 360 active risks for the 2020 Census that GAO identified in a report today. MeriTalk, May 31, 2019
Mueller remarks put renewed focus on election security bills: Legislation aimed at securing U.S. elections got an unexpected shot in the arm this week when Robert Mueller devoted a fair share of his first remarks on the Russia probe to the threat posed by foreign actors seeking to undermine democracy at the ballot box. The Hill, May 30, 2019
Perhaps Mueller’s most consequential comment was his blunt counterintelligence assessment: “Russian intelligence officers, who are part of the Russian military, launched a concerted attack on our political system.”: One of the least discussed but perhaps most consequential comments by special counsel Robert S. Mueller III during his appearance before reporters this week was his blunt counterintelligence assessment: “Russian intelligence officers, who are part of the Russian military, launched a concerted attack on our political system.” The Washington Post, May 30, 2019
Forget Mueller: Our pants are still down on election security, and Facebook can’t save us: Special counsel Robert Mueller’s press conference Wednesday, which briefly described his team’s thinking about how they approached obstruction allegations against the president, buried one largely buried story about the entire affair: Then and now, we as a country still collectively have our pants down on cybersecurity. CNBC, May 29, 2019
US Officials Say Foreign Election Hacking Is Inevitable. We Must Become Cyber-Resilient and Able to Withstand a Breach. Take a Licking and Keep On Ticking!!: WASHINGTON — The hacking of U.S. election systems, including by foreign adversaries, is inevitable, and the real challenge is ensuring the country is resilient enough to withstand catastrophic problems from cyber breaches, government officials said Wednesday. The New York Times, May 22, 2019
Cyber Regulation
A New Standard Modeled After New York’s Department of Financial Services (NYDFS) 23 NYCRR 500 Is Emerging In Cybersecurity Regulations: In response to worries over data security, New York’s Department of Financial Services (NYDFS) enacted a set of cybersecurity regulations that is quickly becoming the standard for data security in the financial industry. The regulation, officially known as 23 NYCRR 500, went into effect in March 2017. Since then, the NYDFS regulations have grown in popularity and are now popping up in a number of other agency regulations. Forbes, May 31, 2019
NY Investigates Exposure of 885 Million Mortgage Documents: New York regulators are investigating a weakness that exposed 885 million mortgage records at First American Financial Corp. [NYSE:FAF] as the first test of the state’s strict new cybersecurity regulation. That measure, which went into effect in March 2019 and is considered among the toughest in the nation, requires financial companies to regularly audit and report on how they protect sensitive data, and provides for fines in cases where violations were reckless or willful. KrebsOnSecurity, May 31, 2019
How Much Will Be Enough? Third-Party Diligence Under the NYDFS Cybersecurity Requirements: Recent enforcement actions by other regulatory bodies in response to data breaches attributable to third parties may shed some light on what Covered Entities should do and what level of due diligence DFS may expect when it comes to third parties. New York Law Journal, May 31, 2019
Canada Uses Civil Anti-Spam Law in Bid to Fine Malware Purveyors: Canadian government regulators are using the country’s powerful new anti-spam law to pursue hefty fines of up to a million dollars against Canadian citizens suspected of helping to spread malicious software. KrebsOnSecurity, May 30, 2019
New York “On Brink” of Passing Law to Set GDPR-Like Information Security and Privacy Management Standards for All Companies Holding Information of New York Residents: New York’s lawmakers are on the brink of passing a data security law that will give New Yorkers more information about how their data is being used and when it has been compromised. DUO, May 30, 2019
California Assembly Approves Amendments to Exclude Employees from CCPA, Protect Loyalty Programs: On Tuesday and Wednesday of this week, the California Assembly voted to approve four bills to amend the California Consumer Privacy Act (CCPA). The legislation now moves to the California Senate. AD Law Access, May 30, 2019
Complying with the California Consumer Privacy Act in 5 (more or less) Not So Easy Steps: Part 3 – The Privacy Policy: This is the third in a series of articles on complying with the California Consumer Privacy Act (CCPA). The CCPA is estimated to directly impact more than 500,000 businesses, many of them smaller and mid-size businesses; even more companies that are not specifically subject to the CCPA will need to comply to do business with those that are. Robert Braun, Esq., SecureTheVillage Leadership Council, JMBM Cybersecurity Lawyer Forum, May 28, 2019
Cyber Miscellany
The AI gig economy is coming for you: The artificial-intelligence industry runs on the invisible labor of humans working in isolated and often terrible conditions—and the model is spreading to more and more businesses. MIT Technology Review, May 31, 2019
SecureTheVillage Calendar
Webinar: SecureTheVillage June Webinar
CCPA, Part 3: Minimum Reasonable Security Practices
June 6 @ 10:00 am – 11:00 am
Financial Services Cybersecurity Roundtable – June 2019
Raising Cybersecurity Awareness – Essential Training Information for Bank Employees, Officers, and Customers
Kimberly Pease, Vice President and Co-founder, Citadel Information Group
June 14 @ 8:00 am – 10:00 am
Webinar: SecureTheVillage July Webinar
July 4 @ 10:00 am – 11:00 am
Webinar: SecureTheVillage August Webinar
August 1 @ 10:00 am – 11:00 am