Week of June 14th, 2024

Welcome to Your Cybersecurity Recap: a bite-sized weekly newsletter by cybersecurity enthusiasts, for cybersecurity enthusiasts.

Here are this week’s top takeaways:

Recently-Issued Security Alert: Critical Microsoft Outlook Zero-Click RCE Flaw Executes as Email is Opened

A critical zero-click remote code execution (RCE) vulnerability has been discovered in popular personal information management system Microsoft Outlook.

This vulnerability, designated as CVE-2024-30103, enables attackers to run arbitrary code by sending a specially designed email. When the recipient opens the email, the exploit is triggered.

The vulnerability, CVE-2024-30103, is particularly alarming due to its zero-click nature. Unlike traditional phishing attacks that require user interaction, this flaw can be exploited without any action from the user.

Opening the malicious email alone is enough to compromise the system, making it a powerful weapon for cybercriminals and greatly reducing the barriers to successful exploitation.

A recent report from IBM states that in 2024, the most common cyberattack methods are compromised credentials (19%) and phishing attempts (16%). This highlights the need for individuals to remain vigilant with their online security.

On average, phishing inflicted the most significant damage at US$ 4.91 million, followed by business email compromise at US$ 4.89 million. All these facts indicate that enterprises must alert employees about phishing attacks and invest in periodic, in-depth Employee Awareness Training to keep abreast of both current and emerging security threats such as CVE-2024-30103.

The Importance of Education Sector Cybersecurity – Toronto District School Board Hit By Cyberattack?

This past week, threat actors attempted to attack a technology testing environment used by the Toronto District School Board (TDSB) with ransomware, officials said Wednesday.

In a statement to parents on Wednesday, the school board stated that it recently became aware of unauthorized activity within a system the technology department uses to test programs before they run live on official systems. The statement also confirmed that the test environment is separate from the board’s official networks.

Colleen Russell-Rawlins, the director of education, and Associate Director Stacey Zucker explained that the board’s cybersecurity team took “immediate steps to secure and preserve data while safeguarding critical systems.”

“TDSB systems are operational and have not been impacted. We have notified the Toronto Police Service and are working with third-party experts to assess the incident,” they said in the joint statement. “We are conducting a thorough investigation to understand the nature of the incident, any impact on our network, and if any personal information may have been affected by the incident. Out of an abundance of caution, we have notified the Information and Privacy Commissioner of Ontario.”

With the TDSB being the largest school board in Canada, managing 582 schools with about 235,000 students, this incident is an example of why proactive penetration testing is no longer optional in 2024; it is a critical, non-negotiable component of any cybersecurity roadmap.

Out of 17 reported-on industries, the education sector ranked as the least secure (with financial and healthcare ranking closely behind). This ranking was determined by the education sector having, on average:

  • The most vulnerabilities present in application security
  • The weakest endpoint security
  • The lowest likelihood of keeping software updated

What is the reason for this? While much of it is attributed to human error, device standardization is rarely enforced in education. Standardization is a challenge across all industries, but it is significantly harder to achieve in an educational setting because of the large number of part-time, remote, and intern workers. As a result, device management policies and authentication protocols for connected devices are a weak link in the sector.

Another primary reason why education sector cybersecurity faces security concerns is that employee awareness training is seldom carried out: with human risk accounting for 82% of security breaches in 2024, organizations that lack robust, periodic awareness training leave themselves open to threat actors.

By understanding the trends and emerging threats that education sector cybersecurity statistics point to, staff and IT decision makers can better advocate for proactive cybersecurity measures.

In 2024 and beyond, proactive cybersecurity measures for the education sector include, but are not limited to, the following:

  • Building Funding Narratives: Funding narratives for the education sector demonstrate the potential threats of not investing in (or cutting the budget for) cybersecurity. By providing research-backed statistics, decision makers can influence the prioritization of funding to high-risk security areas, which can be the difference between a safeguarded institution and losing up to billions in reputational and financial damages
  • Being Eligible for Cyber Insurance: In 2024, more institutions than ever before are being denied cyber insurance. Cyber insurance is a type of insurance product that an entity or business purchases as a contract to help minimize the financial risks associated with online businesses or businesses that leverage technology. The policyholder pays a monthly or quarterly fee while transferring the risk to the insurer. It is also important to note that cyber insurance is a new and emerging industry that grew from US$ 9.73 billion in 2021 to approximately US$ 11.75 billion in 2022 alone. Partially due to this influx, cyber insurance companies are reluctant to pay out claims or accept insurance proposals from companies for a myriad of reasons, including not having proactively invested in anti-cybercrime measures before a breach occurred
  • Employee Awareness Training: By periodically providing cybersecurity training to employees, organizations can lessen the likelihood of human error resulting in data breaches; this is especially effective as a way to counteract social engineering, which uses psychology to run successful phishing campaigns against unsuspecting staff and students alike
  • Continuous Penetration Testing: Hailed as one of the best ways to safeguard institutions, Continuous Penetration Testing replicates ongoing attacks on your web applications and IT infrastructure. Threat actors regularly target enterprises to uncover and exploit new vulnerabilities. With Continuous Penetration Testing, vulnerabilities can be detected and remedied more proactively than with point-in-time security assessments, and by leveraging education sector cybersecurity statistics, the importance of periodic pentesting can be emphasized to decision-makers

What are your initial thoughts on this attempted breach?