Welcome to Cyber Security Today. This is the “Week in Review” edition for the week ending Friday, May 26, 2023. My name is Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and, in the U.S., TechNewsday.com.
In a few minutes, Terry Cutler of Cyology Labs in Montreal will be here to comment on some of the latest news. First, let’s take a look at some of the headlines from the last seven days.
Four U.S. states have settled claims against a vision insurance benefits company over a 2020 data breach in which the information of 2.1 million people was stolen. Terry and I will take a look at the case.
We’ll also look at the spread of fake images posted on Twitter of an alleged explosion near the Pentagon, why Cisco Systems won’t patch new vulnerabilities found in older small business switches, why businesses keep unwanted data for so long, and why Canadian data breach victims are fighting tax officials.
In ransomware news, an attack on the Philadelphia Inquirer newspaper has been attributed to the Cuba ransomware gang.
The Snatch ransomware gang has taken credit for an attack on the Canadian Nurses Association.
German auto parts and weapons maker Rheinmetall said it was attacked last month by the Black Basta ransomware group.
The city of Dallas, Texas, which is still dealing with the effects of a ransomware attack more than two weeks ago, had to close its municipal courthouse building on Monday. It is expected to reopen on Tuesday, May 30th.
The BlackCat ransomware gang has added a new tool. According to Trend Micro researchers, it is a digitally signed Windows kernel driver. The driver is used together with a user-mode client executable to control and kill defensive software on computers and servers.
Android users with an app called iRecorder – Screen Recorder have been warned to remove it. This came after researchers at ESET discovered it had been compromised last August to install spyware. The app had been available since September 2021 and had been downloaded 50,000 times.
Samsung smartphone owners are also being asked to install the latest patches following the discovery of four critical vulnerabilities.
(The following is an edited transcript of one of the topics discussed. Play the podcast to hear the full conversation.)
Howard: Let’s start with the US$2.5 million data breach settlement between four U.S. states and a vision insurance benefits company called EyeMed Vision Care. In 2020, hackers used a username and password to gain access to a company email account used by staff. The account contained messages and attachments with personal information on 2.1 million subscribers. The data included names, dates of birth, full or partial Social Security numbers, medical diagnoses, and other information. In addition to copying the data, the attacker used the email access to send 2,000 phishing messages to clients (which appeared to come from the company) in an attempt to obtain their credentials. There were a few things that stood out to me in this attack. First, nine employees broke company rules by sharing the same username and password. Second, while the company was implementing multi-factor authentication, it had not implemented it on its email system prior to the attack. And third, the company had hired a consultant to do a risk assessment, but the email system hadn’t been evaluated.
Terry what do you think about this?
Terry Cutler: There’s a lot to unpack here. The first part is about the nine employees who circumvented company regulations. I still can’t believe they actually shared usernames and passwords. It should be in the employee handbook: sharing your username and password is prohibited because it allows other people to log in as you, and then it’s up to you to prove it wasn’t you. The other thing is that they [the hackers] sent over 2,000 [phishing] emails. This is like living off the land. If you are sending an email from a legitimate company [account], no one would question it. It’s not impersonation; everything looks normal. It lands in your inbox, and people who see it will click on the link, potentially revealing their passwords or even infecting the company, depending on what they clicked on. As for the part where they did an external risk assessment but not of the email server, our own penetration testing confirms this more and more. Clients say, “Oh, we use Office 365, so we don’t need to evaluate it. Microsoft has it covered.” But they don’t realize that Office 365 out of the box isn’t secure. Auditing reveals things like multi-factor authentication not being turned on or being inconsistently enforced, password policies set to never expire, and much more. Can you receive and send malicious email attachments? I’m going to send an email to your inbox to see if it gets there. We also check temporary exception rules, and look for third-party apps like LinkedIn Contacts Sync. Let’s see if [Office 365] contacts can be shared externally and whether personal information in OneDrive for Business may be exposed. Is it being used on an unmanaged device? Is external auto-forwarding of email enabled? These are all features available in Office, but they could be completely misconfigured.
Howard: Let’s take these one at a time. First, security awareness training clearly failed when nine people ignored the password rules.
Terry: Probably because most employees are not tech savvy.
Howard: One more thing — we’ve talked about this a bit, but how can we do a risk assessment without including email?
Terry: Often when we do an assessment, clients want to exclude it because they think it is covered by someone else. It’s not. We always need to educate them as to why it is not covered and should be included in the risk assessment.
Howard: It’s also worth noting that as part of the settlement, the company had to agree to implement a written information security program, regularly record and review network traffic and login attempts, develop an incident response plan, and a few other things. So one of the lessons for me is that you don’t want to be publicly instructed by regulators to do these things after an attack.
Terry: We do a lot of assessments. Some of our audits are called Pathfinder Assessments, which tell you where you are now and where you need to be. And often they don’t have their [incident response] playbook set up. They have no idea about incident response plans: who, when and where to contact? None of that exists. And they often lack proper documentation. So if [the regulator] says, “You need to start implementing logging and make a plan for all this,” that requires expertise. And if you don’t have the budget, you can’t hire professionals, especially if you’re a nonprofit. That’s where outsourcing comes in. But it costs a lot of money. And in many cases, companies won’t feel the need to implement this until it is too late. For example, a company I’m currently working with doesn’t even have a firewall. They just have a normal ISP modem. They don’t think their machines need endpoint protection, and they don’t think about how much sensitive information they have. They believe a cyberattack will never happen to them because they have only seven employees.