{"id":26836,"date":"2022-08-12T15:18:07","date_gmt":"2022-08-12T19:18:07","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=497731"},"modified":"2022-08-16T11:24:02","modified_gmt":"2022-08-16T15:24:02","slug":"cyber-security-today-week-in-review-for-august-12-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-august-12-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for August 12, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, August 12th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p data-ar-index=\"1\"><iframe style=\"border: none;\" title=\"Libsyn Player\" src=\"https:\/\/html5-player.libsyn.com\/embed\/episode\/id\/24028605\/height\/90\/theme\/custom\/thumbnail\/yes\/direction\/forward\/render-playlist\/no\/custom-color\/000000\/\" width=\"100%\" height=\"90\" scrolling=\"no\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<table style=\"width: 100%;\">\n<tbody>\n<tr>\n<td><a href=\"https:\/\/www.amazon.com\/ITWC-Cyber-Security-Today\/dp\/B07BRNG89P\/ref=sr_1_1?s=digital-skills&amp;ie=UTF8&amp;qid=1522688435\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"aligncenter wp-image-396718 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2017\/09\/sub-alexa-200.png\" alt=\"Cyber Security Today on Amazon Alexa\" width=\"200\" height=\"74\" border=\"none\" \/><\/a><\/td>\n<td><a href=\"https:\/\/www.google.com\/podcasts?feed=aHR0cDovL2N5YmVyc2VjdXJpdHl0b2RheS5saWJzeW4uY29tL3Jzcw%3D%3D\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"thumbnail aligncenter wp-image-408712 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2018\/09\/sub-gp-200.png\" alt=\"Cyber Security Today on Google Podcasts\" width=\"200\" height=\"74\" \/><\/a><\/td>\n<td><a 
href=\"https:\/\/itunes.apple.com\/ca\/podcast\/cyber-security-today\/id1363182054\" rel=\"noopener noreferrer\"><img decoding=\"async\" class=\"aligncenter wp-image-396720 size-full\" src=\"https:\/\/i.itworldcanada.com\/wp-content\/uploads\/2017\/09\/sub-itunes-200.png\" alt=\"Subscribe to Cyber Security Today on Apple Podcasts\" width=\"200\" height=\"74\" border=\"none\" \/><\/a><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p data-ar-index=\"3\">This week\u2019s guest commentator is IT World Canada CIO Jim Love. We\u2019ll talk about some of the cybersecurity news of the week. But first a quick review of some of the headlines:<\/p>\n<p data-ar-index=\"4\"><strong>Cisco Systems admitted<\/strong> that in May <a href=\"https:\/\/www.itworldcanada.com\/article\/cisco-report-on-mfa-hack-backs-up-black-hat-conference-presentation\/497585\" rel=\"noopener\">an employee fell for a text-based phishing scam<\/a> that compromised the staffer\u2019s multifactor authentication protection. The attacker copied data held in an employee\u2019s cloud storage account. Jim and I will discuss this incident.<\/p>\n<p data-ar-index=\"5\"><strong>We\u2019ll also look<\/strong> into a report that <a href=\"https:\/\/www.itworldcanada.com\/article\/twilio-employees-fell-for-phishing-texts-claiming-to-be-from-it-department\/496952\" rel=\"noopener\">employees at Twilio and Cloudflare fell for a different text-based phishing scam<\/a> last week, as well as news that some American and U.K. employees are so proud of their top secret security clearance they list it on their LinkedIn biographies \u2014 which would make it less than secret \u2026<\/p>\n<p data-ar-index=\"6\"><strong>Canadian recreational vehicle maker BRP<\/strong> <a href=\"https:\/\/www.itworldcanada.com\/article\/canadian-recreational-vehicle-maker-brp-ontario-cannabis-store-dealing-with-cyber-attacks\/497252\" rel=\"noopener\">is still dealing with the effects<\/a> of a cyber attack. 
The company, which makes Ski-Doos and Sea-Doos, hasn\u2019t detailed what kind of attack it was hit with at the beginning of the week. But it said manufacturing at its Quebec plant won\u2019t start again until this coming Monday, after a seven-day shutdown. Even then, other operations remain suspended.<\/p>\n<p data-ar-index=\"7\"><strong>A cyber attack<\/strong> on a major distribution and logistics company has had one impact in Canada: Distribution of marijuana in the province of Ontario has been temporarily disrupted.<\/p>\n<p data-ar-index=\"8\"><strong>The number of cyber incidents<\/strong> involving simultaneous attacks from more than one threat actor seems to be increasing, <a href=\"https:\/\/www.itworldcanada.com\/article\/beware-of-simultaneous-cyber-attacks-warns-sophos\/496960\" rel=\"noopener\">say researchers at Sophos<\/a>. In one incident, three ransomware gangs consecutively attacked the same organization within a short period of time. Some of the victim firm\u2019s files were triple encrypted.<\/p>\n<p data-ar-index=\"9\"><strong>Some application developers are fuming<\/strong> about GitHub\u2019s intention to place tracking cookies on some of its subdomains. GitHub calls them \u201cnon-essential cookies.\u201d They would be put on GitHub\u2019s marketing web pages. The change would start September 1st and let GitHub personalize content and ads for enterprise users. <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/githubs-new-privacy-policy-sparks-backlash-over-tracking-cookies\/\" rel=\"noopener\">But the Bleeping Computer news site reports<\/a> that a lot of users aren\u2019t happy. 
You have until the end of this month to register a complaint.<\/p>\n<p data-ar-index=\"10\"><strong>A former Twitter employee<\/strong> <a href=\"https:\/\/www.bloomberg.com\/news\/articles\/2022-08-09\/former-twitter-employee-is-convicted-of-spying-for-saudi-arabia\" rel=\"noopener\">was convicted this week<\/a> by a jury in San Francisco for giving personal information of users of the platform to the government of Saudi Arabia. Prosecutors argued the goal was to help silence critics of the Crown prince. A second Twitter employee allegedly involved in the activity got out of the U.S. before being arrested.<\/p>\n<p data-ar-index=\"11\"><strong>Finally,<\/strong> IT administrators using the Device42 asset management platform have been warned to update to the latest version. This comes after <a href=\"https:\/\/www.bitdefender.com\/blog\/labs\/a-red-team-perspective-on-the-device42-asset-management-appliance\/\" rel=\"noopener\">researchers at Bitdefender discovered<\/a> several severe vulnerabilities that could allow a hacker to compromise the platform and get into IT systems.<\/p>\n<p data-ar-index=\"12\"><em>(The following transcript has been edited for clarity)<\/em><\/p>\n<p data-ar-index=\"13\"><strong>Howard:<\/strong> There\u2019s a theme to the three stories that we\u2019re looking at today, and that\u2019s that employees are still one of the weak points in security by clicking on malicious links, creating easily guessable passwords or using the same password on multiple sites. And through preying on the gullibility of people \u2014 also known as social engineering \u2014 a lot of employees fall for scams. Example one: In May an employee at Cisco Systems gave in to pestering by a hacker pretending to be from a trusted organization and approved a multifactor authentication push notification on their smartphone that led to Cisco being hacked. Cisco says no data was stolen directly from its systems. 
But the hacker did get corporate data held by an employee in the personal cloud storage service called Box. For those who don\u2019t know, what\u2019s a push notification?<\/p>\n<p data-ar-index=\"14\"><strong>Jim Love:<\/strong> This should make things more secure. It\u2019s the idea that you not only register with a website, but a notification is also sent to another device [you have] and you use that to validate access. The classic example is if I try to go into Google it\u2019ll send me a notification [on my smartphone] saying \u2018click here to authorize.\u2019 So you\u2019ve got multifactor authentication. It doesn\u2019t seem to always work exactly the way people want it to, though. People don\u2019t always treat these notifications the way they should, and some of them aren\u2019t designed exactly the way I think they should be. And I think many security professionals would agree.<\/p>\n<p data-ar-index=\"15\"><strong>Howard:<\/strong> What did you think when you read about this Cisco incident?<\/p>\n<p data-ar-index=\"16\"><strong>Jim:<\/strong> One little mistake from an employee can undo a whole lot of work to build a corporate reputation. That\u2019s the one thing that always goes through my mind. When are we going to get this [security] right? This is entirely preventable. And as much as multifactor authentication is a good thing, it\u2019s done poorly. We have to start to work through this in a way that makes more sense.<\/p>\n<p data-ar-index=\"17\"><strong>Howard:<\/strong> One problem is that threat actors may fire repeated push notifications to a target\u2019s smartphone at night when they\u2019re trying to sleep, with the attacker hoping that they\u2019ll approve the notification to stop their phone from buzzing.<\/p>\n<p data-ar-index=\"18\"><strong>Howard:<\/strong> It\u2019s a clever strategy, but it\u2019s one that just shouldn\u2019t work. 
You shouldn\u2019t be clicking on things on your phone when you don\u2019t know the impact of them. But again, that\u2019s a training piece.<\/p>\n<p data-ar-index=\"19\"><strong>Jim:<\/strong> You know, even when you have a technical breach where somebody finds a zero-day [vulnerability] in the code or something like that, it normally takes a person taking an action or failing to take an action to make the thing [the vulnerability] work, and this is a classic example. Why should you be able to get multiple requests from something? And why would you just go clicking on them? First of all, that\u2019s bad. That\u2019s a training problem. If you\u2019re trying to design a security application you see a number of these things coming time after time after time. Shouldn\u2019t you do what my phone does and say, \u2018Warning, this looks like fraud\u2019?<\/p>\n<p data-ar-index=\"20\"><strong>Howard:<\/strong> IT administrators should note what happened after the attacker got into the Cisco network: They didn\u2019t immediately just root around the system. They first added their own mobile phone numbers to an employee\u2019s account or accounts to allow authentication to Cisco\u2019s VPN. That way the attacker had more than one account for network access.<\/p>\n<p data-ar-index=\"21\"><strong>Jim:<\/strong> You should be able to restrict the access [to user accounts]. There\u2019s a lot of things that went wrong in this. It\u2019s easy to be a Monday morning quarterback, but this should be a warning to people to take a look at their systems and remember that multifactor authentication is great but there\u2019s this thing called MFA fatigue. We covered this in an edition of This Week in Ransomware that I did. Forty-eight per cent of office workers said security was a hindrance. And 31 per cent of those aged 18 to 24 said they tried to circumvent security. 
We\u2019ve got to train people well and we have to design the systems so that they don\u2019t make people want to subvert them.<\/p>\n<p data-ar-index=\"22\"><strong>Howard:<\/strong> Well, you can have an IT system where your employee has an account with their username and password, and for multifactor authentication there\u2019s a phone number, and the employee can only have one phone number for sending the second-factor code. You need an administrator\u2019s approval in order to add more than one phone number. Of course that also means that you have to make sure administrator accounts are thoroughly protected, because one of the first things that an attacker tries to do is elevate privileges so they can get administrator accounts. But my point is that there\u2019s a way that IT can choke this kind of an attack off by making sure that extra phone numbers aren\u2019t added on without good authorization.<\/p>\n<p data-ar-index=\"23\"><strong>Jim:<\/strong> It takes good design, but the more layers you put on the more difficult you make work for people as well. I had a problem with my bank this week: I thought one of my credit cards was compromised. So I phoned the bank to cancel my card, and they asked me to identify myself. They asked me a number of questions that I didn\u2019t know the answer to because I was in the middle of nowhere and didn\u2019t have my credit card statement with me. So I have a potentially stolen credit card I can\u2019t report because I can\u2019t identify myself. That\u2019s when you get these rigid policies that stop making sense. You\u2019re right that at one point or another, if there\u2019s movement in privileged accounts or a change in things that\u2019s suspicious, people need to look into them. I don\u2019t know how well you can do that at scale, though. 
It may just be one of those things where we really have to go back and look again at the design of security itself and ask, \u2018Are we doing it right?\u2019 \u2026 A phone message is so easy to fake, so if you\u2019re sending a push notification over your phone it\u2019s pretty easy to mess with. So how do you do this? I don\u2019t think having a physical authentication key on a smartphone would be good. Biometrics are a way that we might get past part of this. We really do have to go back and look again at this stuff that we think is protecting us.<\/p>\n<p data-ar-index=\"24\">\u2026<\/p>\n<p data-ar-index=\"25\"><strong>Howard:<\/strong> Coincidentally, the Cisco hack proved the point of a presentation that I covered online on Wednesday from the Black Hat cybersecurity conference in Las Vegas. The point was IT and security managers have to choose phish-resistant multifactor authentication solutions, not just any MFA solution. The presenter was Roger Grimes of KnowBe4 and he said he\u2019s got many tricks to lure people into doing things and hack them when he does penetration tests. For example, if he can find out their smartphone number and the county they live in, he\u2019ll send a text message to them pretending to be from the county with a warning that there\u2019s a water leak and they shouldn\u2019t drink the water. Would the person like to be sent a push notification when the water is safe? And if they click yes, Grimes can download malware. That\u2019s a perfect example of a social engineering attack.<\/p>\n<p data-ar-index=\"26\"><strong>Jim:<\/strong> I don\u2019t even know how you\u2019d get past that one. I\u2019ll now be more cautious. I get notifications from Hydro and from all kinds of places asking if I\u2019d like a push notification when my power comes back on. Yeah, I would. If you hadn\u2019t alerted me to that one I think I might have fallen for that. 
But that\u2019s why we need people to improve design.<\/p>\n<p data-ar-index=\"27\"><strong>Howard:<\/strong> Examples of phish-resistant multifactor solutions come from the FIDO Alliance, which is the Fast Identity group of vendors who have put together solutions that are very hard to compromise. One of them, for example, is a physical security key that a user has to plug into their USB port in order to access sensitive websites and applications like email. That\u2019s probably an ideal thing for people who are IT administrators, network administrators and even senior executives.<\/p>\n<p data-ar-index=\"28\"><strong>Jim:<\/strong> But what do you do about phones? There\u2019s no USB on phones. FIDO does do a neat thing. They share the public [soft encryption] key when they\u2019re exchanging information to approve you, but they keep the private key and the information on your phone. Which means you can be challenged on your phone for that private key. It\u2019s not shared outwardly so there\u2019s a layer of protection. It\u2019s really quite well thought out. But we should be thinking through the scenarios and saying, \u2018Maybe there\u2019s just stuff you shouldn\u2019t be able to do on your phone \u2013 particularly administrator accounts. Maybe you should have to carry a laptop around with you if that\u2019s your job.\u2019<\/p>\n<p data-ar-index=\"29\"><strong>Howard:<\/strong> You mentioned biometrics a little earlier. One of the things that Roger Grimes said is you can\u2019t rely only on biometrics for secure login. You need to have a biometric \u2014 facial recognition or a fingerprint \u2014 plus the user has to enter a PIN or a password. That\u2019s what makes it multifactor authentication.<\/p>\n<p data-ar-index=\"30\"><strong>Jim:<\/strong> That\u2019s why we don\u2019t talk about one-factor authentication. Multifactor is in there. It just makes it exponentially harder if I\u2019m going to take a biometric signal and ask you for another identification point. 
But again, you\u2019ve got that careful balance of not getting in the way of people doing their job. I have an authenticator app that I use for some things, and I do that because I don\u2019t trust push notifications. But if I lost my phone \u2026<\/p>\n<p data-ar-index=\"31\">Nothing\u2019s perfect, and I think that\u2019s the other piece of this. But you want to make it as hard as possible [for the attacker].<\/p>\n<p data-ar-index=\"32\"><strong>Howard:<\/strong> Roger Grimes told this scary story in his presentation. He was involved in a case where a company lost $20 million to a ransomware attacker. Why? The CISO approved a push notification eighty times even though the message clearly indicated that the sender was based in Russia. And this was a company that was obviously not based in Russia. And when they asked him why he kept saying yes to this multifactor push notification, he said, \u2018Well, that\u2019s what I was told to do.\u2019 Grimes says no, that wasn\u2019t what he was told, although it\u2019s possible that he misunderstood something that IT told him. But his point was there was an indication on this notification that it wasn\u2019t coming from inside his company and he ignored it.<\/p>\n<p data-ar-index=\"33\"><strong>Jim:<\/strong> I always say to people if you\u2019re going to do things that stupid, print your resume up in advance, because they\u2019re going to take your computer when they fire you. No CSO in the world should have ever done that. But that\u2019s an extreme case. But you found one [the county water warning trick] that might have fooled me. We\u2019re all going to be fooled, and that\u2019s why I want employees to ask questions. 
I want them to say, \u2018This doesn\u2019t seem right.\u2019 And if the CSO can\u2019t lead then they have no right to have that job.<\/p>\n<p data-ar-index=\"34\"><strong>Howard:<\/strong> Example number two of careless employees: Employees just don\u2019t seem to think about what they\u2019re posting on social media. Fortune.com reported this week it found American federal workers and military personnel are listing sensitive things on their LinkedIn accounts, and one of them is that they have top secret clearance. And it wasn\u2019t only Americans who were doing this. Apparently government workers in the U.K. are doing the same thing now. How is it that people don\u2019t realize that threat actors scan LinkedIn for potential targets? They\u2019re looking at what people list on their bios. This kind of information is going to make them stick out.<\/p>\n<p data-ar-index=\"35\"><strong>Jim:<\/strong> Again, it\u2019s a question of policies and training people to not put a target on their back. Hackers are looking for places where it\u2019s easy, where they\u2019re going to get a return [on their time]. You want to give them as little information as possible. That\u2019s a training issue. The crazy thing is, if you\u2019ve got top secret clearance or whatever, aren\u2019t you getting the training that prevents you from doing something like that? What were these people thinking? It just drives me insane that somebody would not have training at that level.<\/p>\n<p data-ar-index=\"36\"><strong>Howard:<\/strong> People don\u2019t think. And I\u2019m sure they\u2019re proud \u2013 \u2018Hey, I\u2019m not just an employee in the X department, I\u2019m important. I\u2019ve got top secret clearance.\u2019<\/p>\n<p data-ar-index=\"37\"><strong>Jim:<\/strong> Until my boss sees this LinkedIn post, in which case it should be taken away. This is a classic case. 
Anybody who\u2019s out there listening should think about it and ask, \u2018Do we make it easy to find the people who may be hackable? Are we giving hackers clues on social media?\u2019 This is the type of conversation we need to have with employees.<\/p>\n<p data-ar-index=\"38\"><strong>Howard:<\/strong> And it can be innocuous information, too. It reminds me of a story a presenter at the RSA conference gave a couple of years ago: An executive of a firm in Texas was really proud of the fact that he coached his daughter\u2019s softball team and an attacker picked that up [on social media], so when he was out of town at a tournament the attacker was able to compromise the executive\u2019s email account and send a message to the executive assistant saying, \u2018Hi Susan, something\u2019s come up and I\u2019d like you to look after this. We have a new supplier and we have to send them a $2 million advance on orders that are to come. Please forward $2 million to this person. Here\u2019s the account number.\u2019 And then he ended the message by saying, \u2018You don\u2019t have to email me back with confirmation that you\u2019ve done this. I trust you.\u2019 And there was $2 million gone.<\/p>\n<p data-ar-index=\"39\"><strong>Jim:<\/strong> That happens all the time, even in a relatively small business when somebody\u2019s on vacation. I\u2019ve heard of things where hackers wait to see somebody get on a plane so that they could actually send a message like that, knowing that the victim couldn\u2019t be reached for four hours. That comes from a posting that says, \u2018I am in the airport getting ready to fly to Vancouver.\u2019 We give away so much information. 
That makes it all the more incumbent on us to have the type of training that says anybody could have this information and could use it \u2026 The best thing to do if you\u2019ve got a question [about an email] is pick up the phone, talk to the person and ask \u2018Did you send this?\u2019<\/p>\n<p data-ar-index=\"40\"><strong>Howard:<\/strong> Example three: Employees at Twilio fell for a text-based phishing scam last week, responding to messages pretending to be from the company\u2019s IT department. The message would say something like their password had expired, so they had to tap on a link to update their password. Or they got a message saying that an event in their calendar had changed so the calendar had to be updated and they had to tap on their phone for the change. And when the victims logged in they logged into a fake website that copied their credentials and that led to the theft of Twilio customer data. This is an old trick. In fact, after Twilio admitted its employees fell for this, Cloudflare acknowledged that some of its staff did as well. It was the same kind of attack, although the Cloudflare attack was stopped. Why? <a href=\"https:\/\/blog.cloudflare.com\/2022-07-sms-phishing-attacks\/\" rel=\"noopener\">Because all Cloudflare employees need to have physical security keys<\/a> [like a <a href=\"https:\/\/www.yubico.com\/\" rel=\"noopener\">YubiKey<\/a> or a <a href=\"https:\/\/cloud.google.com\/titan-security-key\" rel=\"noopener\">Titan key<\/a>] that they plug into their computers for extra authorization in order to log in. [Having an employee\u2019s username and password isn\u2019t enough for a hacker if they don\u2019t have their security key.]<\/p>\n<p data-ar-index=\"41\"><strong>Jim:<\/strong> That works all the time. My favorite for this phishing is a message that appears to come from the human resources department: \u2018We\u2019ve got three new prime parking spots available. 
If you want one, click this link and log in.\u2019 [And the hacker steals the credentials.] That one worked big time in a company where I worked. It\u2019s about the training: You should never, ever, follow a link and put in a password if the link comes to you [in an email or text]. Go to the website the regular way you get there. It\u2019s easy to fool people [with a spoofed URL]. \u201cITworldcanada.com\u201d could be \u201cITworldcandas.com\u201d and nobody spots the \u201cs\u201d in there. That\u2019s one of the instructions people have to get. In this case it came back to a good old physical key. There\u2019s a really good lesson in this: Maybe it\u2019s the way to go in a lot of circumstances. We talk about multifactor authentication, not just two-factor authentication. If you have to take a couple of steps then chances are you\u2019re going to make it more difficult for the hacker.<\/p>\n<p data-ar-index=\"42\"><strong>Howard:<\/strong> These three incidents point to the importance of regular security awareness training. What techniques have you found that help make training messages stick?<\/p>\n<p data-ar-index=\"43\"><strong>Jim:<\/strong> One is that security is a continuing conversation. It is not one-time training, and I think you can prove that from the stats people gather. All of these people probably had a bit of security training. But you have to have an ongoing conversation. If you are responsible for security in your organization, take every opportunity that you can to have a conversation and help people understand it. Step two is to teach there are no stupid questions. If someone phones me several times and asks me the same question about security, I am going to be open with them, I\u2019m going to be patient. I\u2019ve told them you can call anybody in our IT department. Three is that we as executives have to hold ourselves to account and demonstrate that even when it\u2019s inconvenient for us we won\u2019t bypass security. 
That\u2019s a way of getting across to the staff that we are as restricted by this as you are; we will not violate the rules ourselves. I\u2019ve seen a lot of cases where executives don\u2019t feel that they\u2019re held accountable for these things. Maybe you have to be held to a higher standard. The fourth thing is, this [security training] doesn\u2019t have to be dull. We\u2019ve done security videos on phishing and on creating safe passwords that are just fun, so people can talk about them.<\/p>\n<p data-ar-index=\"44\">Fifth is to teach that every employee should admit when they\u2019ve made a mistake. I told you this [county water phish] would have fooled me, and that push notification would have fooled me. I know better now. When I talk to my staff I talk about the dumb things I\u2019ve done. You have to let them know that we\u2019re all in this together. And it\u2019s a wonderful thing if somebody on my staff questions something and asks, \u2018Jim, do you really think that\u2019s secure?\u2019<\/p>\n<p data-ar-index=\"45\"><strong>Howard:<\/strong> Before we wrap up we shouldn\u2019t forget the organization\u2019s role. We\u2019ve talked a lot about employees making mistakes, but organizations play a role in creating holes in their defenses by doing things like not enabling multifactor authentication, not making sure that employees use strong passwords and not encrypting data.<\/p>\n<p data-ar-index=\"46\"><strong>Jim:<\/strong> I say that we don\u2019t fail on technology. We fail in our imagination. Some organizations do things because there\u2019s a checklist. I despair of some security training that teaches you to go through a checklist. It should teach you to ask questions and to think about what you\u2019re doing. 
And if that\u2019s done well, then when you\u2019re enabling multifactor authentication you ask, \u2018How could I break it?\u2019 There are lots of people out there who will give you all kinds of examples like we\u2019ve discussed to think about \u2018How would somebody get past that? Is it implemented well?\u2019 Because it\u2019s not that you implement technology, it\u2019s that you implement it well. Those are the basics. We\u2019re still at the level where people aren\u2019t using strong passwords. On your [intranet] website there are rules for employees right now about creating passwords with a special character and a capital letter \u2026 Yet someone got that from a checklist. Everybody knows that the length of a password is more important than complexity, but there are sites today where I can\u2019t put in a more secure password because they won\u2019t let me. Poor design is something we always have to go back and question.<\/p>\n<p data-ar-index=\"47\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-august-12-2022\/497731\">Cyber Security Today, Week in Review for August 12, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The theme of this week&#8217;s discussion is why employees do risky things like click on malicious links that defeat multifactor 
auth<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-26836","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/26836","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=26836"}],"version-history":[{"count":4,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/26836\/revisions"}],"predecessor-version":[{"id":26930,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/26836\/revisions\/26930"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=26836"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=26836"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=26836"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}