The Dispatch highlights cybersecurity news you can use. I share what I think is informative, relevant, interesting, and actionable. Look for //My take: for context and actionable information.
SMB Security Weaknesses
ISACA posted about the weaknesses that are common to SMBs.
Lack of a high-level strategy. Many businesses, especially new and small ones, simply lack a high-level strategy for their cybersecurity needs. They don’t have any security infrastructure in place, either because they don’t take the topic seriously or because they deem it a comparatively low priority. However, this high-level strategy that sets the course for your main security priorities and your general approach to preventing and mitigating attacks is vital for success.
I found this article via Chris Wright’s newsletter, who stated,
"The best thing a small business can do to "be secure" is to develop a high level strategy. This will then guide your program and inform all your cybersecurity spending and resource allocation decisions going forward. This almost always starts with a Security Policy that is derived from a solid set of industry standards."
//My Take: I 100% agree. I heard recently, "We aren’t Walmart, we only have x employees." To which I say: you are absolutely correct, but that doesn’t mean you get to ignore cybersecurity. It does mean your program needs to be sized to your risk and your resources. Policy forms the foundation of that program, and there are plenty of SMB cybersecurity resources out there to build it from.
FBI Warning – BEC & Email Forwarding
The FBI issued a notification about cyber criminals creating email forwarding rules in compromised mailboxes to quietly copy mail out and maintain access after the initial compromise is cleaned up. This fits with what I’ve seen; it’s pretty common. The interesting element is their note that rules created through the webmail interface often don’t sync to the desktop client, so neither the user nor endpoint-focused monitoring ever sees them.
//My Take: You should strongly consider disabling all automatic email forwarding to any external domain. It’s too risky for a variety of reasons. Microsoft 365 just made that its default as well. Disable the IMAP and POP3 protocols, and please, please, please enforce MFA for everyone.
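As an added example, not code from the FBI notification or this newsletter, here is an Exchange Online PowerShell audit that surfaces both kinds of external forwarding the FBI describes (mailbox-level forwarding and inbox rules, including rules created in the web UI) and then applies the tenant-wide controls recommended above. It assumes the ExchangeOnlineManagement module, an Exchange administrator account, and that every domain returned by Get-AcceptedDomain is "internal"; the $Remediate switch and Test-ExternalRecipient helper are my own naming.

```powershell
# Added example, not code from the FBI notification or this newsletter.
# Audits an Exchange Online tenant for external auto-forwarding (mailbox-level
# and inbox rules), then applies the tenant-wide controls discussed above.
# Assumes the ExchangeOnlineManagement module and an Exchange administrator account.
Connect-ExchangeOnline

# Every domain this tenant owns; anything else counts as external.
$internalDomains = (Get-AcceptedDomain).DomainName | ForEach-Object { "$_".ToLower() }
$Remediate = $false   # flip to $true to actually clear forwards and disable rules

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Rule recipients render as "Display Name [SMTP:user@domain]";
    # ForwardingSmtpAddress renders as "smtp:user@domain".
    if ($Recipient -match '(?i)(?:smtp:)?([^\s\[\]:"]+@([^\s\[\]>"]+))') {
        return ($internalDomains -notcontains $Matches[2].ToLower())
    }
    return $false
}

$mailboxes = Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
foreach ($mbx in $mailboxes) {
    $upn = $mbx.UserPrincipalName

    # 1. Mailbox-level forwarding set through the admin center or Set-Mailbox.
    #    It is not an inbox rule, so a rule-only review misses it.
    if ($mbx.ForwardingSmtpAddress -and (Test-ExternalRecipient $mbx.ForwardingSmtpAddress)) {
        Write-Warning "${upn}: mailbox forwards to $($mbx.ForwardingSmtpAddress)"
        if ($Remediate) {
            Set-Mailbox -Identity $upn -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
        }
    }

    # 2. Server-side inbox rules. Get-InboxRule returns rules no matter which
    #    client created them, including ones made in the web UI that never
    #    sync to Outlook on the desktop, which is the FBI's point.
    foreach ($rule in (Get-InboxRule -Mailbox $upn)) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = $targets | Where-Object { $_ -and (Test-ExternalRecipient "$_") }
        if ($external) {
            Write-Warning "${upn}: rule '$($rule.Name)' -> $($external -join ', ')"
            if ($Remediate) {
                Disable-InboxRule -Mailbox $upn -Identity $rule.Identity -Confirm:$false
            }
        }
    }
}

# 3. Tenant-wide: turn off automatic forwarding in the outbound spam policy
#    (the setting Microsoft 365 now defaults to Off), refuse auto-forwards to
#    the default remote domain, and disable POP/IMAP so a stolen password
#    cannot be used through a legacy protocol that skips modern-auth controls.
#    MFA itself is enforced in Azure AD (Conditional Access / Security
#    Defaults), not in Exchange Online.
if ($Remediate) {
    Set-HostedOutboundSpamFilterPolicy -Identity Default -AutoForwardingMode Off
    Set-RemoteDomain -Identity Default -AutoForwardEnabled $false
    Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -PopEnabled $false -ImapEnabled $false
}
```

Run it once with $Remediate left at $false and read the warnings: legitimate forwards (a departed employee’s mail going to a manager, a shared mailbox feeding a ticketing system) should be converted to internal delivery or documented exceptions before you flip the switch. Get-InboxRule is called once per mailbox, so on a large tenant expect the audit loop to take a while; the tenant-wide settings in step 3 apply immediately and are where the real risk reduction comes from.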
Coveware Q3 Ransomware Report
Coveware has published its Q3 Ransomware report. Some notable takeaways:
- Median Ransom Payment $110,532, Q3 2020
- Most victims of a ransomware attack (70%+) have less than 1,000 employees.
- Almost 50% of ransomware cases included the threat to release exfiltrated data along with encrypted data.
They also note,
"The biggest change over the past 6 quarters is threat actors now realize that their tactics scale to much larger enterprises without much of an increase in their own operating costs."
//My Take: Take a look at this report and see the attack vectors broken down by company size. For companies with 1,000-10,000 employees, phishing and exposed RDP are nearly equal in prevalence. Again, RDP is too risky to expose to the public internet. Put it behind a VPN with MFA.
Cyber Insurance Warning
One of the most concerning updates comes from RiskyBiz,
"Standard and Poor’s predicts cyber security insurance premiums will need to rise by 20-30% a year from 2021 (compared to a growth of 11% from 2018 to 2019) if these costs keep escalating. S&P has already observed a growing number of cyber insurance policies that exclude ransomware and business email compromise events."
A 20-30% increase per year? Ugh. It makes sense, though. I’ve already seen premiums rise in late 2020; expect more. The second part is even worse: cyber policies that exclude ransomware and BEC, which are the two most likely claims you’ll ever file, are effectively gutted.
//My Take: Cyber insurance is critical. It can be the difference between responding appropriately (and legally) and trying to downplay an incident while hoping for the best. Have a cyber specialist or broker review your policy and read the exclusions closely; I’ve found some interesting ones of late. Reshop your cyber policy every year. Remember there is no standard cyber policy form, so there are big differences in what providers offer.
Impressive iPhone Exploit
A scarily impressive iPhone exploit. It has been patched and there is no evidence it was used in the wild. Just an astounding reminder of how much we depend on vulnerability researchers.
Apple Privacy Cards
Developers must disclose their use of contact information, health and financial data, location data, user content, browsing history, search history, identifiers, usage data, diagnostics, and more. If a software maker collects user data to display first- or third-party ads, that has to be disclosed too.
These disclosures then get translated to a card-style interface displayed on the app store.
Policy / Law / Culture
FCC Chair Announces Departure
From Ars – Adios Ajit. Perhaps we can regain some ground on Net Neutrality.
One Clear Message From Voters This Election? More Privacy
Strengthening privacy is one of the few reliably bipartisan endeavors in modern politics, but the two measures scrambled traditional alliances on privacy: The ACLU opposed the California proposition, while police chiefs supported the Michigan measure. If those politics are any indication, privacy in the post-2020 landscape will be odd, iterative, surprisingly bipartisan, and very complicated.
Fun / Cool / Nifty
Hallmark Holiday Backgrounds