Get the latest cybersecurity, privacy, and surveillance news for information security professionals

IT Security News Blast – 7-30-2020

CMMC board faces ‘passionate’ internal turmoil over new contract with DOD

The fissures and political infighting put the program at its highest risk yet and come at a critical time when contractors are waiting for regulatory guidance from the Office of Management and Budget, Eric Crusius, a partner with Holland and Knight, told FedScoop. [...] “It’s a good idea, but the management of it seems ham-handed,” Mike Hamilton, founder of CI Security, told FedScoop.

https://www.fedscoop.com/cybersecurity-maturity-model-certification-cmmc-issues-ab/


Business ID Theft Soars Amid COVID Closures

Most consumers are likely aware of the threat from identity theft, which occurs when crooks apply for new lines of credit in your name. But the same crime can be far more costly and damaging when thieves target small businesses. Unfortunately, far too many entrepreneurs are simply unaware of the threat or don’t know how to be watchful for it. What’s more, with so many small enterprises going out of business or sitting dormant during the COVID-19 pandemic, organized fraud rings have an unusually rich pool of targets to choose from.

https://krebsonsecurity.com/2020/07/business-id-theft-soars-amid-covid-closures/


Average cost of healthcare data breach rises to $7.1M, according to IBM report

That's up more than 10% from last year, when the average data breach cost healthcare organizations $6.45 million, according to IBM Security’s 2020 data breach cost report. Healthcare organizations continue to have the highest costs associated with data breaches, according to the report, which looked at more than 500 data breaches that occurred last year across 17 industries. Across all industries, data breaches cost companies $3.86 million per breach on average, or $1.49 per record.

https://www.fiercehealthcare.com/tech/average-cost-healthcare-data-breach-rises-to-7-1m-according-to-ibm-report


Proposed COVID-19 Relief Bills Include Privacy, Security Funding

The Senate Committee on Appropriations unveiled COVID-19 relief legislation this week, which would allocate $53 million in funds to the Department of Homeland Security Cybersecurity and Infrastructure Security Agency to protect coronavirus research data and related data. [...] The additional emergency appropriations' legislation for the coronavirus health response and agency operations [...] would include a total of $306 billion in overall funds with carve-outs for DHS CISA.

https://healthitsecurity.com/news/proposed-covid-19-relief-bills-include-privacy-security-funding


Cyber-Enabled Financial Crime and Money Laundering

And finally, as an industry, we need to convince regulators to reward actionable intelligence. A poor quality Suspicious Activity Report, or SAR, is an expensive waste of everyone’s time. Better to have not written it at all. But institutions are not being rewarded for the quality of their SAR narratives, so the end result is a satisficing exercise. The quantity and quality of SAR filings is driven solely by what will satisfy the regulators. Rarely is anyone rewarded for going above and beyond.

https://www.jdsupra.com/legalnews/cyber-enabled-financial-crime-and-money-96899/


Garmin experiences 9% sales decrease in Q2 as it recovers from cyber attack

Garmin's president and CEO, Cliff Pemble, addressed the issue briefly during his opening remarks on the earnings call. He said there was no indication that any customer data — including payment information — was accessed, lost, or stolen. He added critical business systems have been restored and expects remaining systems restored in the next few days.

https://www.bicycleretailer.com/industry-news/2020/07/29/garmin-experiences-9-sales-decrease-q2#.XyIKuZ5Kg2w


Exclusive: More than 30 UK charities affected by Blackbaud cyber attack

The regulator said it had received 33 serious incident reports in relation to the attack after data was stolen when hackers targeted the US-based software provider. Blackbaud is one of the largest providers of fundraising, financial management, and supporter management software to the UK charity sector. So far, national homelessness charity Crisis, and mental health charity YoungMinds have acknowledged they were caught up in the incident.

https://www.thirdsector.co.uk/exclusive-30-uk-charities-affected-blackbaud-cyber-attack/finance/article/1690620


Twilio Security Incident Shows Danger of Misconfigured S3 Buckets

Attackers were able to change the library's code due to a misconfiguration in the S3 bucket that hosted the library. They injected code that made the browser load an extra URL that had been linked to Magecart attacks. Twilio doesn't believe this was targeted at the company. Rather, it seems to be an opportunistic attack related to a campaign to exploit open S3 buckets for financial gain.

https://www.darkreading.com/cloud/twilio-security-incident-shows-danger-of-misconfigured-s3-buckets/d/d-id/1338447


Lauded admiral says U.S. needs a military cyber force to fight espionage

One of America’s greatest modern military minds told an online Steamboat Springs audience Monday that the U.S. needs to develop a cyber force as another military branch. The heavily decorated, retired 4-star Admiral Jim Stavridis served as the 16th Supreme Allied Commander of NATO — Gen. Dwight D. Eisenhower was the first — and led the Navy’s premier operational think tank, Deep Blue, immediately after the 9/11 attacks. “I assure you Russia has a cyber force — and China, Iran and North Korea … It’s time for us to create a cyber force,” Stavridis said.

https://www.steamboatpilot.com/news/lauded-admiral-says-u-s-needs-a-military-cyber-force-to-fight-espionage/


Disinformation and the Case for a Well-Regulated Cyber Militia

They are real patriots, citizens who do more than stand at a ball game while the flag is raised, hands over hearts. The group Estonia has formed to defend itself against Russian cyber aggression is comprised of Estonian citizens taking civic action on behalf of their country, assisted and orchestrated by a website called Propastop.org. Think of it. A country a fraction of the size of the United States, with a fraction of our resources, is successfully and unambiguously standing up to the threat of Russian cyber aggression. Sound inspiring? To all Americans, regardless of political bent, it certainly should. Why can’t we do the same?

https://www.thecipherbrief.com/disinformation-and-the-case-for-a-well-regulated-cyber-militia


Cyber-enabled disinformation campaign targeted US-Poland alliance

The study revealed a direct connection between Russia’s cyber activities and its effort to counter external circumstances that are perceived to threaten the country’s military security. However, Russia’s responses to such circumstances are not always military. In line with its ‘hybrid warfare’ operational concept, the Kremlin often opts for non-kinetic, informational measures as a means of influencing the social and political environment of its adversaries. This also allows the country to largely avoid any risk of escalation. The Kremlin believes that such non-military measures can also be effective in achieving its regional security goals.

https://neweasterneurope.eu/2020/07/29/disinformation-campaign-targeted-us-poland-alliance/


Russian Intelligence Agencies Push Disinformation on Pandemic

“Russian intelligence agencies are taking a more central role in disinformation efforts that Russia is pushing now [...] The disinformation efforts are a refinement of what Russia tried to do in 2016. The fake social media accounts and bots used by the Internet Research Agency and other Russia-backed groups to amplify false articles have proved relatively easy to stamp out. But it is far more difficult to stop the dissemination of such articles that appear on websites that seem legitimate, according to outside experts.

https://www.nytimes.com/2020/07/28/us/politics/russia-disinformation-coronavirus.html


Nation State Attackers Shift to Credential Theft

He said that financial attacks are still happening, and there are more standard cyber-attacks taking place where the attacker tries “to gain large financial sums in one cyber-attack,” but the “longer game” with credential theft is now common, and from a cyber-criminal perspective, the value in purely financial attacks is diminishing, with more money made from “selling access to desktop machines.”

https://www.infosecurity-magazine.com/news/nation-state-attackers-shift-to/


This Billion Dollar Company Considers Privacy Laws a Threat to Its Business

ZoomInfo, a data broker that collects contact information by harvesting it from peoples' email inboxes, sees increased attention on privacy legislation as a core risk to its billion dollar business, according to public records. A recent filing from ZoomInfo's public offering shows in stark detail how valuable contact data can be, and how companies in the data harvesting space see their business as potentially impacted by changing perceptions around privacy. ZoomInfo went public in June, raising nearly a billion dollars.

https://www.vice.com/en_us/article/y3zqbw/zoominfo-privacy-laws


Are Businesses Unprepared to Fight Bot Attacks?

The survey found a high awareness of how bot attacks could negatively affect a business, with over 70% of businesses acknowledging that they are aware of the most common bot attacks including credential stuffing and card cracking. And, in fact, 76% said they have suffered a bot attack. [...] “With over half of web traffic today generated by bots, this implies that businesses are unaware of a great deal of the bot traffic on their sites,” said the firm in a statement on the research.

https://securityboulevard.com/2020/07/are-businesses-unprepared-to-fight-bot-attacks/


'BootHole' Flaw Allows Installation of Stealthy Malware, Affects Billions of Devices

Billions of Windows and Linux devices are affected by a serious GRUB2 bootloader vulnerability that can be exploited to install persistent and stealthy malware, firmware security company Eclypsium revealed on Wednesday. The vulnerability, tracked as CVE-2020-10713 and dubbed BootHole, has a CVSS score of 8.2 and Eclypsium says it affects all operating systems that use GRUB2 with Secure Boot, a mechanism designed to protect the boot process from attacks. In fact, the company says the flaw impacts machines that use Secure Boot even if they’re not using GRUB2.

https://www.securityweek.com/boothole-flaw-allows-installation-stealthy-malware-affects-billions-devices


OkCupid Security Flaw Threatens Intimate Dater Details

The flaws are fixed, but “our research into OKCupid, which is one of the longest-standing and most popular applications in their sector, has led us to raise some serious questions over the security of dating apps[.] The fundamental questions being: How safe are my intimate details on the application? How easily can someone I don’t know access my most private photos, messages and details? We’ve learned that dating apps can be far from safe.”

https://threatpost.com/okcupid-security-flaw-threatens-intimate-dater-details/157809/


U.S. Government Says It’s Building A ‘Virtually Unhackable’ Quantum Internet

What if there was a quantum internet that came with a promise of being virtually unhackable? That's precisely what the U.S. Department of Energy (DOE) has said is to be built to usher in "a new era of communications" and push the U.S. to the "forefront of the global quantum race." What's more, the DOE announced during a July 23 press conference, a working prototype is expected to be completed within the next ten years. I'll return to the unhackable claim shortly, but first, let's examine just what this quantum internet blueprint involves.

https://www.forbes.com/sites/daveywinder/2020/07/25/us-government-to-build-virtually-unhackable-quantum-internet-within-10-years/#5f1622f12b70

You are receiving this email because you are subscribed to receive the IT Security Daily Blast email from Michael Hamilton, Founder, President, and CISO of CI Security, formerly Critical Informatics.

Archived articles are available at https://ci.security/news/daily-news.

CI Security and the CI Security logo are the trademarks of CI Security, Inc. All other brand names, trademarks, service marks, and copyrights are the property of their respective owners.

© 2020 CI Security. All rights reserved.


CI Security

245 4th St, Suite 405  Bremerton, WA   98337

