{"id":29185,"date":"2022-09-30T16:00:59","date_gmt":"2022-09-30T20:00:59","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=505685"},"modified":"2022-10-03T09:18:34","modified_gmt":"2022-10-03T13:18:34","slug":"cyber-security-today-week-in-review-for-friday-september-30-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-september-30-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday, September 30, 2022"},"content":{"rendered":"<p data-ar-index=\"0\">Welcome to Cyber Security Today. This is the Week in Review edition of the podcast for the week ending Friday September 30th, 2022. From Toronto, I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p data-ar-index=\"2\">In a few minutes I\u2019ll be joined by Terry Cutler, head of Montreal\u2019s <a href=\"https:\/\/www.cyologylabs.com\/?r_done=1\" rel=\"noopener\">Cyology Labs<\/a>, to discuss what\u2019s been happening \u2014 or about to happen \u2014 in cybersecurity. Most of our discussion will focus on Cybersecurity Awareness Month, which begins tomorrow.<\/p>\n<p data-ar-index=\"3\">But first a look back at some of the headlines from the past seven days:<\/p>\n<p data-ar-index=\"4\"><strong>A hacker managed<\/strong> to break into the content management system of the news site Fast Company and alter stories with obscene and racist remarks. The publication had to temporarily take the site offline to fix the problem. <a href=\"https:\/\/thedesk.net\/2022\/09\/fast-company-apple-news-push-alert-thrax-vandalism\/\" rel=\"noopener\">The hacker claims they were able to figure out a password used by a number of employees that had a shared element.<\/a> Terry and I will discuss this incident.<\/p>\n<p data-ar-index=\"5\"><strong>Last week<\/strong> I told you that the encryptor code for the LockBit ransomware has been stolen and leaked. It hasn\u2019t taken long for another hacking group to take advantage. 
<a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/leaked-lockbit-30-builder-used-by-bl00dy-ransomware-gang-in-attacks\/\" rel=\"noopener\">There are multiple reports<\/a> that the Bl00dy ransomware gang has already adopted this code for an attack on a victim in Ukraine.<\/p>\n<p data-ar-index=\"6\"><strong>Crooks continue to target<\/strong> medical offices and healthcare service providers in the U.S. <a href=\"https:\/\/www.scmagazine.com\/analysis\/breach\/health-data-theft-at-physicians-business-office-impacts-197k-patients\" rel=\"noopener\">According to SC Media<\/a>, some of the latest victims include Physicians Business Office, which provides practice management services for doctors. Just under 200,000 patients are being notified their personal and health data was likely stolen in a hack last April. A Tennessee walk-in doctor\u2019s office is notifying just over 58,000 patients that their data was stolen after a hack that started in July. A Texas hospital said it has nearly finished recovering its IT systems after a ransomware attack earlier this month. And a medical provider has acknowledged that a security configuration error at a third-party provider in May led to the theft of data of over 22,000 patients.<\/p>\n<p data-ar-index=\"7\"><strong>A criminal gang <\/strong>has made tens of millions of dollars since 2019 by using stolen credit card information on some 200 fake dating and adult websites they created, researchers at ReasonLabs revealed.<\/p>\n<p data-ar-index=\"8\"><strong>Finally<\/strong>, Australia\u2019s attorney-general is <a href=\"https:\/\/www.securityweek.com\/australia-flags-tough-new-data-protection-laws-year\" rel=\"noopener\">pondering changes to the Privacy Act following the huge data breach at the country\u2019s second-largest wireless carrier<\/a>, Optus, a subsidiary of Singapore Telecommunications, earlier this month. 
After the attack the hacker dumped the data on 10,000 customers \u2014 including Medicare numbers \u2014 on the dark web.<\/p>\n<p data-ar-index=\"9\"><em>(The following transcript has been edited for clarity)<\/em><\/p>\n<p data-ar-index=\"10\"><strong>Howard:<\/strong>\u00a0<em>The Week in Review<\/em> often gets caught out by the calendar for certain events \u2014 Fraud Awareness Month, Password Awareness Day \u2014 which inevitably happen a day early or a week ahead. But not this time. Tomorrow starts the annual October Cybersecurity Awareness Month. Yes, people still need to be shaken from complacency and reminded to be aware of cybersecurity and to follow cybersecurity best practices. This includes individuals at home, employees at work, IT security teams and senior management.<\/p>\n<p data-ar-index=\"11\">Organizations should, of course, be conscious of cybersecurity every day. So how should this year\u2019s Cybersecurity Awareness Month be observed by organizations? Are there things they can or should be doing differently that they do every day, every week, every quarter?<\/p>\n<p data-ar-index=\"12\"><strong>Terry Cutler:<\/strong> Here\u2019s the challenge: We\u2019re seeing attacks are increasing and we\u2019re trying to defend against all attack surfaces. 
There are phishing and spear phishing attacks, ransomware, employees copying out data to cloud storage, websites are being attacked, employees that are losing or getting their devices stolen, they click on links they\u2019re not supposed to, there\u2019s no visibility to know if a hacker is in your environment and you don\u2019t have an incident response plan, there\u2019s outdated software, passwords are stolen, there are IT guys who are not trained in cybersecurity so they\u2019re often giving wrong advice \u2014 and companies think their cyber insurance will take care of things but they\u2019re also having a hard time qualifying for cyber insurance \u2026<\/p>\n<p data-ar-index=\"13\">So my advice to everyone from the CEO down to their IT teams is they need to sit down and ask this question: Can we identify, protect, detect, respond \u2014 and especially recover \u2014 from a cyber attack? Recovery is vital because if gets destroyed how fast can you recover from a backup?<\/p>\n<p data-ar-index=\"14\">There\u2019s a couple of tips to share: The big one is around passwords. Use a password manager [across the organization]. But here\u2019s my take on password managers. They can create really strong passwords that are somewhat unbreakable <a href=\"https:\/\/www.itworldcanada.com\/article\/lastpass-hacked-source-code-stolen\/499622\" rel=\"noopener\">but remember the LastPass hack a month or so ago. <\/a>If your passwords have been corrupted or are made unusable there\u2019s no way you can remember what password that was to this or that account. [<em>Editor: Unless there is a safely protected written or digital backup<\/em>]. Password managers are useful but you\u2019ve got to be careful with them.<\/p>\n<p data-ar-index=\"15\">Second, use multifactor authentication. If an employee\u2019s password is leaked on the dark web and a hacker tries to use it they\u2019ll get an alert. 
However, there are ways to bypass multifactor authentication \u2026<\/p>\n<p data-ar-index=\"16\">You also want to make sure your data is backed up.<\/p>\n<p data-ar-index=\"17\">Employees have to be taught to hover over the links in email before clicking on them.<\/p>\n<p data-ar-index=\"18\">I think one of the most important things senior leadership and IT department should do this year is get a penetration test done. See how strong your defences are \u2014 is IT receiving the proper alerts to know an attack is happening? Pen tests can also test users as well.<\/p>\n<p data-ar-index=\"19\">Another thing companies could be implementing is server message block signing. It\u2019s where workstations and servers have their communications encrypted so no tampering or man-in-the-middle attacks can happen.<\/p>\n<p data-ar-index=\"20\">And get rid of outdated software and operating systems.<\/p>\n<p data-ar-index=\"21\"><strong>Howard:<\/strong> My take on Cybersecurity Awareness Month is that it shouldn\u2019t only be thought of as something that should be aimed at ordinary employees. So I want to talk about three events that suggest organizations and infosec leaders still have a lot to learn. First, <a href=\"https:\/\/www.doj.nh.gov\/consumer\/security-breaches\/documents\/american-envoy-piedmont-20220919.pdf\" rel=\"noopener\">the recent American Airlines hack<\/a>, news of which was only revealed this month. In July customers notified the airline that they received phishing emails that had come from the hacked email accounts of airline employees. So first of all, the airline didn\u2019t know that these employees\u2019 accounts had been hacked.<\/p>\n<p data-ar-index=\"22\"><strong>Terry:<\/strong> The hackers got access via a couple of ways: Either they sent phishing emails to the employees and they clicked on it and gave away their access, or could be passwords that leaked onto the dark web and were reused. 
And either multifactor authentication wasn\u2019t turned on or it was bypassed \u2026 What\u2019s interesting is that the airline didn\u2019t have technology in place to know that there was suspicious activity happening. Maybe they didn\u2019t turn on geo-fencing to know that people who usually log in from Canada are logging in from somewhere in the Middle East or Africa.<\/p>\n<p data-ar-index=\"23\"><strong>Howard:<\/strong> The second thing about this incident was the hacker used an <a href=\"https:\/\/en.wikipedia.org\/wiki\/Internet_Message_Access_Protocol\" rel=\"noopener\">IMAP protocol<\/a> to access the employees\u2019 mailboxes. And then using that protocol the hacker may have been able to synchronize the contents of the mailboxes to another device that was controlled by the hacker. Explain what IMAP is and why organizations shouldn\u2019t be using it today.<\/p>\n<p data-ar-index=\"24\"><strong>Terry:<\/strong> IMAP has been around since the mid-\u201980s. It enables remote users to view and manage their messages that are stored on a server. But IMAP has become very insecure when it comes to enterprises. We\u2019re moving away from IMAP and using webmail. One of the problems with IMAP is that it\u2019s designed to accept plain text login credentials, which could be intercepted. But a lot of companies still have IMAP enabled. It\u2019s very, very challenging to defend. This is a perfect example of how backward compatibility is still enabled. You want to eventually kill off the IMAP service and use webmail. The other problem with IMAP is it doesn\u2019t support strong authentication, so you can\u2019t necessarily enable multifactor authentication. That\u2019s why everybody is moving towards an Office365 or Gmail approach where you can enable all of these stronger functionalities. Also, IMAP uses port 143. 
You want to switch over to port 993, which encrypts email transmissions.<\/p>\n<p data-ar-index=\"25\">The point is move away from IMAP as fast as possible.<\/p>\n<p data-ar-index=\"26\"><strong>Howard:<\/strong> And the third segment of this hack that I want to talk about is the hackers were able to copy a lot of sensitive data of about 1,700 people from the email accounts. Those airline employees\u2019 accounts they hacked into included people\u2019s names, Social Security numbers, driver\u2019s license numbers, passport numbers, employee numbers, dates of birth, mailing addresses, phone numbers. This is all the sort of stuff that an attacker can use to create a phony ID. Aren\u2019t there ways of protecting data held in employees\u2019 inboxes like attachments that hold sensitive data?<\/p>\n<p data-ar-index=\"27\"><strong>Terry:<\/strong> Whenever we travel and we have to deal with our travel agent, they need information to avoid any problems. We typically send copies of our passport and whatever they need to get us up and running as quickly as possible. But once this data leaves our inbox we no longer control it. We\u2019re hoping employees on either side of the airline will actually delete the email afterwards to protect the data. As an airline employee there\u2019s not too much they can do to protect their inbox except for things like paying attention to email phishing attacks, and creating a strong password. But on the IT side they should be implementing things like geozones in order to block access from other countries that are trying to access these inboxes. They also want to make sure they\u2019ve implemented multifactor authentication for all of their users. 
How many times have we discussed where companies say, \u2018We\u2019ve implemented MFA already,\u2019 and then you ask the question, \u2018Well for all your users, or just the executives?\u2019 They need to have it on for everybody.<\/p>\n<p data-ar-index=\"28\"><strong>Howard:<\/strong> The second incident I want to bring up to illustrate this point that IT administrators have a lot to answer for is the hack this week of the website of the news site Fast Company. A hacker defaced several news articles, which went out to Apple News subscribers \u2014 who as you may imagine were surprised at the wording in the news stories. Apparently several employees who had administrative access to the website were given, or allowed to have, a similar access password with a variation on the word pizza. So it sounds like one employee had the password \u2018pizza123\u2019 and another had the password \u2018pizza456\u2019 and a third employee may have had the password \u2018pizza789.\u2019 That would be pretty easy to guess if the hacker had figured out one employee\u2019s password. This is a violation of cybersecurity 101.<\/p>\n<p data-ar-index=\"29\"><strong>Terry:<\/strong> This is a perfect example of [doing something for] convenience. They probably set up a default password but expected each user to change it.<\/p>\n<p data-ar-index=\"30\"><strong>Howard<\/strong>: The third incident I want to bring up regarding Cybersecurity Awareness Month and the responsibilities of senior management and IT administrators is the recent Uber hack. The cause of this hack was an employee of a third-party contractor who fell for a trick. They gave into the repeated messages on their smartphone asking for a verification of their multifactor login. These messages were being sent by a hacker who was trying to get around the multifactor authentication protection. The employee got tired of seeing these messages. That\u2019s a matter of bad cybersecurity awareness training. 
But this incident also spawned <a href=\"https:\/\/www.nytimes.com\/2022\/09\/26\/opinion\/uber-hack-data.html?searchResultPosition=1\" rel=\"noopener\">a column in The New York Times by security expert Bruce Schneier,<\/a> who argued that the hack is another example of how companies skimp on security because they have no financial incentive to tighten up. He said only strong government regulations are going to change that attitude. Do you agree that companies are skimping on security because they have no financial incentive to tighten up?<\/p>\n<p data-ar-index=\"31\"><strong>Terry:<\/strong> Absolutely. A common theme I hear is, \u2018Who\u2019s going to want to hack me? I\u2019m small fish.\u2019 But they don\u2019t realize \u2014 especially the small and medium business guys \u2014 that almost 80 per cent of all small businesses are being targeted by cybercriminals because they know that they don\u2019t have the time, money or resources to do cybersecurity. They\u2019re hacking into smaller businesses and using them as a jump point to attack another company \u2026 One study 60 per cent of small businesses that get hit with a cyber attack will go bankrupt within six months. We\u2019ve seen a lot of cases where a firm gets hit with ransomware and if they have to dish out $300,000 or a million dollars to get their data back. That could be a death sentence for a small business.<\/p>\n<p data-ar-index=\"32\">The other challenge is we\u2019re 3,000,000 personnel in the cyber security industry. There\u2019s not enough experts to help protect everybody.<\/p>\n<p data-ar-index=\"33\"><strong>Howard:<\/strong> One of the problems I have is that some cybersecurity pros want to have it both ways: They say no combination of technologies can stop a cyber attack if a threat actor has the time and the money and the determination. They\u2019re going to hack you, and your job is only to lower the risk. 
But at the same time there are complaints that organizations don\u2019t take cybersecurity seriously every time that there is a big hack in the news. Am I wrong to say there\u2019s an inconsistency here?<\/p>\n<p data-ar-index=\"34\"><strong>Terry:<\/strong> That\u2019s a tough question, but the answer is no silver bullet to stop a hacker. You only make it harder for them to get in. So if you have enough defences in place to thwart off a hacker he\u2019s going to move on to somebody else. But like you said earlier, if these guys have the financial means and the expertise they\u2019re going to get you. We\u2019ve seen cases where you could drop in millions of dollars of cybersecurity technology and expertise, but it just takes one mistake \u2026<\/p>\n<p data-ar-index=\"35\"><strong>Howard:<\/strong> I want to emphasize to chief executives and IT security leaders that no organization can be prepared for a cyber attack unless it has a written and implemented cybersecurity strategy for reducing risk. Can you go over what that plan would include?<\/p>\n<p data-ar-index=\"36\"><strong>Terry:<\/strong> First, have a proper inventory of all the hardware and software currently in the environment. What versions do you have, what operating systems do you have [on every device], how old are the machines?<\/p>\n<p data-ar-index=\"37\">Second, how much valuable information do you have on computers? We\u2019ve seen cases where employees have copied sensitive information from the server to their workstations and forgotten about it. Data needs to be prioritized for protection.<\/p>\n<p data-ar-index=\"38\">Third is creating a great patch management system.<\/p>\n<p data-ar-index=\"39\">Fourth is having antivirus, anti-malware and firewall technology \u2014 although I have a problem with that. These are traditional cybersecurity technologies. You also need behavioural analytical technology and other advanced technologies.<\/p>\n<p data-ar-index=\"40\">Fifth is access control. 
Remove all default administrative passwords. General employees shouldn\u2019t have administrative access on their systems, but we often still see that. We also want to make sure employees create strong passwords and have multifactor authentication turned on.<\/p>\n<p data-ar-index=\"41\">Sixth is a user awareness training program that regularly tests the employees \u2014 at least once a month or every three months \u2014 to see how they\u2019re doing.<\/p>\n<p data-ar-index=\"42\">Seventh, you want a policy to take care of data that\u2019s at rest or in transit.<\/p>\n<p data-ar-index=\"43\">Eighth, create a strong backup and recovery plan. This is one of the most important takeaways \u2014 make sure your backups are safe and tested.<\/p>\n<p data-ar-index=\"44\">Ninth, have a proper incident response plan in case of a disaster. My strong suggestion here is to work with a consultant or IT firm that will have fresh eyes on your environment.<\/p>\n<p data-ar-index=\"45\"><strong>Howard:<\/strong> I want to close by saying for organizations that don\u2019t already have a cybersecurity plan there are lots of free resources. The <a href=\"https:\/\/cyber.gc.ca\/en\" rel=\"noopener\">Canadian government\u2019s Canadian Centre for Cybersecurity<\/a> has a set of <a href=\"https:\/\/www.cyber.gc.ca\/en\/guidance\/baseline-cyber-security-controls-small-and-medium-organizations\" rel=\"noopener\">baseline cyber security controls for small and medium-sized organizations<\/a>. The United States <a href=\"https:\/\/www.cisa.gov\/\" rel=\"noopener\">Cybersecurity and Infrastructure Security Agency<\/a> has <a href=\"https:\/\/www.cisa.gov\/publication\/cisa-cybersecurity-awareness-program-small-business-resources\" rel=\"noopener\">similar resources<\/a>. If you are in the United Kingdom the <a href=\"https:\/\/www.ncsc.gov.uk\/\" rel=\"noopener\">UK National Cyber Security Centre<\/a> has free resources. 
The <a href=\"https:\/\/www.cisecurity.org\/\" rel=\"noopener\">Center for Internet Security<\/a> has its <a href=\"https:\/\/www.cisecurity.org\/controls\/v8\" rel=\"noopener\">Critical Security Controls.<\/a><\/p>\n<p data-ar-index=\"46\">Not only that, big IT vendors probably have free resources for their customers.<\/p>\n<p data-ar-index=\"47\">The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-september-30-2022\/505685\">Cyber Security Today, Week in Review for Friday, September 30, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion about what corporate and infosec leaders should be thinking about during Cybersecurity Aware<\/p>\n","protected":false},"author":17,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[360,16],"tags":[389],"class_list":["post-29185","post","type-post","status-publish","format-standard","hentry","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/29185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=29185"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/29185\/revisions"}],"predecessor-version":[{"id":29257,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/29185\/revisions\/29257"}],"wp:at
tachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=29185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=29185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=29185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}