Cyber Risk Governance Insights | June 3, 2024
WEEK IN HEADLINES
SOFTWARE - Urgent: Update or Risk Security Breach
Google (NASDAQ: GOOGL) is issuing a 72-hour warning to users of its popular Chrome browser to apply the latest update. Much of the coverage focuses on the impending removal of Manifest V2 extensions, which will break many ad blockers, but the security fixes bundled in the release are the reason to act now rather than later. The US government, via CISA, has also advised federal employees to install the emergency Chrome updates.
MANUFACTURING - Attack Surge on Vulnerable OT Systems
Microsoft warns of a concerning surge in cyber-attacks targeting internet-exposed and poorly secured operational technology (OT) devices since late 2023, conducted by groups like CyberAv3ngers and pro-Russia hacktivists. Successful breaches could enable adversaries to manipulate critical industrial processes, leading to outages with severe consequences. Many vulnerable OT systems lack adequate security and are directly connected to the internet, making them easy targets.
TELECOMM - Mobile Security: A Weekly Reboot
The National Security Agency (NSA) recommends a straightforward yet effective measure in its Mobile Device Best Practices: turn your smartphone off and back on at least once a week. It is not a foolproof solution (it does nothing against malware that has already established persistence), but because many mobile exploit chains and implants live only in memory, a restart evicts them and forces an attacker to re-exploit the device. The NSA's report highlights various threats, including malicious apps, compromised Wi-Fi networks, spyware that monitors conversations, and remote access by attackers to collect calling and texting data.
FINANCIAL SERVICES - Massive Data Breach 30M Records for Sale
A hacker group known as ShinyHunters is reportedly selling a massive trove of Santander Bank (NYSE: SAN) data covering 30 million customers, employees, and bank accounts. The listing appeared two weeks after the bank disclosed a data breach and reportedly includes bank account details, credit card numbers, and human resources information. Santander has declined to confirm the extent of the cyberattack.
HOSPITALITY - User Info Offered for Sale on Dark Web
Live Nation (NYSE: LYV), the parent company of Ticketmaster, revealed in an SEC filing that it detected unauthorized access to a third-party cloud database containing Ticketmaster user data. A threat actor advertised the stolen data for sale on the dark web on May 27th. Live Nation assured it is taking measures to safeguard users, cooperating with law enforcement, and notifying affected individuals. The incident has not significantly impacted Live Nation's operations but raises concerns amid the company's ongoing antitrust lawsuit with the DOJ.
NONPROFIT - Sustained DDoS Attacks Disrupt Access
The nonprofit Internet Archive, home to millions of historical documents and preserved websites, faces a relentless distributed denial-of-service (DDoS) attack. The attack, which has persisted for three days, sends tens of thousands of bogus requests per second and is degrading access to the Wayback Machine. The source of the attack remains unknown.
INSIGHTS & EXPERT PERSPECTIVES
RESILIENCE: NSA Guidance: Boost Your Cyber Resilience with Visibility and Analytics Guidance
Executive Summary: The National Security Agency (NSA) has released new guidance focusing on the visibility and analytics pillar of the zero trust security model. This pillar emphasizes the importance of gaining comprehensive visibility into an organization's assets, users, and activities, as well as leveraging advanced analytics to detect and respond to potential threats effectively. The guidance aims to help organizations enhance their cybersecurity posture by implementing robust monitoring, logging, and analysis capabilities across their networks and systems.
INSIGHTS: We have believed for some time that data visualization with charts and graphs is far more effective at helping executive leadership grasp the organization's cyber resilience maturity than raw logs or spreadsheets. We feel so strongly about this that we have developed a vendor-agnostic open source platform for data visualization: connect your security tools to the platform, retain data sovereignty, and streamline cyber risk governance communications across your organization's management.
Some critics of continuously monitoring organizational devices believe employee privacy is at risk. That concern is manageable if you maintain open communication and transparent policies that set clear guidelines around the use of employee monitoring software. On company-owned devices, the policy position is straightforward; it becomes complicated when you allow employees to use whatever device they choose to access company data. In that case, consider a gateway fronting a virtual desktop environment, so that monitoring is confined to work-related activity on company resources rather than to the employee's personal device.
Discover how our continuous measurement and monitoring approach can enhance your visible resilience. Contact Netswitch for a complimentary consultation.
OPINION - The Failure of Data Security Law
The current data security laws are inadequate in combating the growing data security threats and protecting individuals from the risks of data breaches. This chapter from the book "BREACHED! WHY DATA SECURITY LAW FAILS AND HOW TO IMPROVE IT" by Daniel Solove and Woodrow H. critically analyzes the strengths and weaknesses of existing data security laws.
Broadly, the authors state that there are three types of data security law: breach notification laws, security safeguards laws, and private litigation following a breach.
They argue that despite some small successes, the law is generally failing to combat the data security threats we face.
A "holistic data security" approach, which focuses on mitigating risk in the entire data ecosystem, may be challenging to implement and enforce due to the complexity and dynamic nature of data ecosystems.
Breach notification laws merely require organizations to provide transparency about data breaches; they offer neither prevention nor a cure. Security safeguards laws are often enforced too late, if at all.
Enforcement authorities wait until a data breach occurs, but penalizing organizations after the fact increases the pain of a breach only marginally, not enough to be a game changer.
Private litigation has increased the costs of data breaches but has accomplished little else. Courts have often struggled to understand the harm of data breaches, so data breach cases have frequently been dismissed.
Sharpen Your Cyber Edge with Netswitch
Don't wait. Contact Netswitch today to take control of your cyber risk.
Disclaimer: The information and links provided in this newsletter are for informational purposes only. Netswitch does not warrant the accuracy or completeness of such information and is not liable for any damages arising from its use.