Roller coaster
I am reading, watching, listening, learning, trying - failing - trying - succeeding, teaching, sharing and creating for security every day. I want to share my week's highlights via this newsletter, hoping they might trigger an action to create a secure, diverse and inclusive world.
The security journey is never an easy one - every day is a roller coaster ride.
News that caught my eye last week
"Okta said on Wednesday hundreds of its customers may have been affected by a security breach involving hacking group Lapsus$, amid criticism of the digital authentication firm's slow response to the intrusion that knocked its shares down about 11%." - I saved each published communication and the timeline of this breach to use as an example in future training sessions.
"The teenager, who is alleged to have amassed a $14m (£10.6m) fortune from hacking, has been named by rival hackers and researchers. The boy's father told the BBC: 'I had never heard about any of this until recently. He's never talked about any hacking, but he is very good on computers and spends a lot of time on the computer. I always thought he was playing games.'"
"Almost a month after the attack, the disruptions continue. Thousands still remain offline in Europe—around 2,000 wind turbines are still disconnected in Germany—and companies are racing to replace broken modems or fix connections with updates. Multiple intelligence agencies, including those in the US and Europe, are also investigating the attack."
"Cybersecurity researchers at ESET have identified over 40 copycat websites designed to look like those of popular cryptocurrency websites, but which actually trick users into downloading fake versions of the apps containing trojan malware. New cryptocurrency users appear to be targeted in particular. The websites are specifically designed to target mobile users and lure them into downloading the malware. The attackers use online advertising, posted to legitimate cryptocurrency and blockchain-related websites, to direct traffic to the malicious cryptocurrency wallet downloads."
"The founder of DeFiance Capital, a venture capital fund focused on the decentralized finance (DeFi) space, had over $1.7 million worth of non-fungible tokens (NFTs) stolen from his crypto wallet on Tuesday. 'Well, this hit me hard but if I got exploited as a fairly sophisticated 5 years crypto user (DeFi user, password manager, mostly hardware wallet), I'm not sure how I can persuade most normal people to put a substantial part of their net worth on-chain anymore.' The likely root cause for the exploit is a spear-phishing email he received recently."
Let's put our thinking hats on...
"For many, risk can seem an abstract, nebulous topic. How can businesses prioritise or conquer risk when it seems less real than many of the more immediate, concrete and tangible concerns leaders must face?"
"Good cyber strategy is good business strategy. For years, cyber security professionals have understood this. More recently, leading CEOs and independent directors have acknowledged it, and now regulators are proposing new rules to establish it. Given the SEC’s regulatory footprint, this action should be a wake-up call to business leaders around the world. While the proposed rules are not yet in force, the SEC’s views on cyber risk raise important considerations for boards of directors, including management reporting, organization, and even composition."
Standards, frameworks, legislation, regulation and more
"The Guidelines serve both to instruct organizations on how to design their platforms and user interfaces in a GDPR-compliant manner, as well as to educate users on how certain practices they are subject to could run contrary to the GDPR (which could, as a result, lead to an increase in GDPR complaints arising from such practices)."
"CSA and CRI released the Cloud Profile extension for the CRI Profile v1.2. This extension allows financial institutions and CSPs to build cloud security governance and compliance programs that meet their strict sectorial requirements."
"The European Commission (EC) has proposed two new regulations to establish common cyber and information security measures across the bloc, with the aim of bolstering resilience and response capacity against a range of cyber threats. Under the proposed cybersecurity regulation, which was published 22 March 2022, all European Union (EU) institutions, bodies, offices, and agencies will be required to have cyber security frameworks in place for governance, risk management, and control."
"The European Union and the U.S. on Friday announced they had agreed “in principle” to a new framework for cross-border data transfers, providing some much-needed relief for tech giants. For over a year, officials on either side of the Atlantic have been hashing out a deal to replace the so-called Privacy Shield, an arrangement allowing firms to share Europeans’ data with the U.S."
"A new bill introduced on Wednesday seeks to force agencies into modernizing their outdated information technology systems, while requiring officials to write up plans and additional guidance to update and dispose of those legacy systems."
UK Information Commissioner's Office issues a fine for a firm of solicitors after a ransomware attack
"The ICO Monetary Penalty Notice shows that the firm did not use MFA and had unpatched software in place. After gaining access to the network, the attackers were able to install tools and set up an account on the network, before deploying ransomware."
Statistics, reports, surveys, benchmarks and more
"In 2021, IC3 continued to receive a record number of complaints from the American public: 847,376 reported complaints, which was a 7% increase from 2020, with potential losses exceeding $6.9 billion. Among the 2021 complaints received, ransomware, business e-mail compromise (BEC) schemes, and the criminal use of cryptocurrency are among the top incidents reported. In 2021, BEC schemes resulted in 19,954 complaints with an adjusted loss of nearly $2.4 billion."
"The 2022 Unit 42 Ransomware Threat Report published by Palo Alto Networks today claimed the average ransomware payment reached a record $541,010 in 2021, rising 78% year-on-year. Average ransom demands also rose by 144%, reaching an astronomical $2.2m."
"The fastest form of ransomware is LockBit, which took a median time of just 5 minutes and 50 seconds to encrypt 100,000 files. In one of the tests, it only took LockBit 4 minutes and 9 seconds to encrypt the files measuring in at 53.83 GB across different Windows operating systems and hardware specifications."
"2021 posed a challenging year for healthcare cybersecurity with the continuing COVID-19 pandemic at the forefront of everyone’s minds. The paper summarises projections for Operational Technology, Supply Chain, Cybercriminal actions, and Nation-State cyber threats we may see in 2022."
Career, Women in Security, Inclusion & Diversity and more
Are you a woman working in tech who would like to inspire the next generation & change the ratio of #WomenInTech? Share your story of how you got to where you are today & what you love about your role.
The cyber security for toddlers book, written by Dr Elizabeth Quaglia, is one of the CyBOK-funded small projects, and you can now view the PDF version on their website.
"Microsoft announced on Wednesday that it will expand its cyber security skilling initiative to 23 additional countries. The campaign, which began last year in the U.S., is part of the company’s push to help solve the cyber security industry’s growing talent problem, while also helping diversify the industry. Like many industries within tech, cyber security is facing both a workforce shortage and a widening skills gap among workers."
Interesting story of the week
"Based on the group's internal chat logs leaked earlier this month, the average Conti ransomware group member earns a salary of $1,800 per month, a figure you might consider low considering the success of the criminal gang."
"We could download the things that we believe make ourselves so unique," he said. "Now, of course, if you're not in that body anymore, that is definitely going to be a difference, but as far as preserving our memories, our personality, I think we could do that." - I could start listing how this could go wrong in terms of security, but then I might not be able to finish this newsletter for a couple of days.
Upcoming events
Thank you for reading this newsletter
Sources for visuals: Adobe Stock, Unsplash (and yes, you are right, I am deliberately selecting visual material with women. If I cannot find one that includes women at that time, I choose an object/text version instead.)