Daily News Digest

Stay current on the global cyber threat landscape and industry developments with CCOE’s daily digest and library of cybersecurity news and articles.

  • Cyber Attack Taps Operations at Molson Coors

    • When a breach impacts critical infrastructure or a food and beverage manufacturer, it seems to take the seriousness to another level. After all, in either instance, the impact could result in serious injuries or even fatalities.
    • This is what made the recent attack on a small Florida city’s water treatment facility so alarming. It is also what makes the “cyber incident” recently acknowledged by Molson Coors a scary occurrence.
    • “Given the round-the-clock nature of operations in food and beverage companies, much of the IT equipment in manufacturing plants can’t be patched frequently, making these assets a prime target for attacks such as ransomware...” - Grant Geyer, CPO, Claroty
    • While the adult beverage manufacturer has yet to provide many details, a regulatory filing Thursday noted that the event has taken key systems offline and impacted portions of its production and distribution operations.
    - Peter Fretty | March 11, 2021
  • Tax Time Guide: Make protecting tax and financial information a habit

    • The Internal Revenue Service today urged people to continue practicing proper cybersecurity habits by securing computers, phones and other devices.
    • As a reminder, the IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. Generally, the IRS first mails a paper bill to a person who owes taxes.
    • A few tips to help minimize exposure to fraud and identity theft:
      • Protect personal information. Treat personal information like cash – don't hand it out to just anyone.
      • Set password and encryption protections for wireless networks.
      • Never download "security" software from a pop-up ad.
      • Use security software. An anti-virus program should provide protection from viruses, Trojans, spyware and adware. The IRS urges people, especially tax professionals, to use an anti-virus program and always keep it up to date.
      • Set security software to update automatically so it can be updated as threats emerge.
      • Back up files. No system is completely secure. Copy important files, including federal and state tax returns, onto removable discs or back-up drives and cloud storage.
    | March 11, 2021
  • Verkada breach exposed live feeds of 150,000 surveillance cameras inside schools, hospitals and more

    • A group of hackers have breached a database containing security camera feeds collected by Verkada Inc., a Silicon Valley startup. The database includes live feeds of 150,000 surveillance cameras inside hospitals, organizations, police departments, prisons and schools. 
    • Tesla Inc. and software provider Cloudflare Inc. were exposed in the breach.
    • The breach was carried out by a hacker with the goal of demonstrating the "pervasiveness of video surveillance and the ease with which systems could be broken into." One of the hackers claiming credit for this breach is Tillie Kottmann, who has reportedly hacked Intel Corp. and Nissan Motor Co.
    • A Verkada spokesperson said they had disabled all internal administrator accounts to prevent any further unauthorized access.
    • This latest breach should be a reminder that a compromised privileged account can lead to access to extremely sensitive devices when it is not protected with privileged access best practices, notes Joseph Carson, Chief Security Scientist at Thycotic. "Questions should be raised on whether a single user account should have that much privileged access to so many security cameras. When I was a System Administrator, we practiced separation of duties meaning that my accounts had limited access and for me to gain access to other systems I had to go through a security control before that would be permitted. This latest security breach is a stark reminder on the importance of the Principle of Least Privilege and why a single privileged account should be controlled with more verifications and requirements."
    - Maria Enriquez | March 11, 2021
  • The SolarWinds Cyber-Attack – The Devastation and Wreckage

    • In a recent 10-K disclosure, SolarWinds announced that it is the subject of ongoing investigations conducted by the Department of Justice, the Securities and Exchange Commission, and various state attorneys general focused on the cyberattack on its software.
    • Given the high-profile nature of the cyber-attack, DOJ and state enforcement actions are likely to seek relatively large settlements. The E.U. will follow suit to underscore the importance of proactive security strategies.
    • SolarWinds’ 10-K filing reflects the devastating impact a cyber-attack can have on a business.
    • By the end of 2020, SolarWinds had incurred over $3 million in expenses. These costs are likely to increase substantially as SolarWinds completes its investigation and remedies deficiencies in its cyber protection solutions. Further, SolarWinds will incur legal and consulting expenses as it navigates the government enforcement and private litigation costs.
    JDSupra - Michael Volkov | March 10, 2021
  • There’s No Margin for Error in Port Cyber Security

    • With the global shipping industry already under pressure, and the UK facing new challenges in 2021 as the Brexit transition period has ended, addressing the risk to port infrastructure from cyber-attack has never been more critical.
    • Due to the critical nature of ports, and the publicity and knock-on effects of disruption, ports are an attractive target, and may be viewed as being more likely to pay up.
    • By getting access to data and systems within the port, attackers can get information on goods movements, or attempt to amend records to evade taxes and excise duties.
    • Information held by ports such as passenger movements, goods flows or operational techniques can be hugely revealing to help build a better picture of activity in a country or region.
    • Ports are especially exposed as they typically have to interact with a large number of stakeholders on a daily basis, which can give attackers a wide range of opportunities to attempt to impersonate legitimate entities.
    - Joel Snape | March 9, 2021
  • Careful where you selfie: Hackers are using WFH photos to steal your info

    • When you’re proud of your home office setup, it’s tempting to snap a selfie and share it with the world — but think twice before you hit “Post.” Hawk-eyed hackers can take a single detail from your background and pinpoint sensitive data, including corporate secrets.
    • If you post a selfie online, potential cybercriminals can zoom in and see the contents of your computer screen. If you left up an email from your boss, now they know which email address to use to target your team with Business Email Compromise (BEC) attacks.
    • If you still want to upload a photo of your home office setup, blur the background.
    - Serena O'Sullivan | March 9, 2021
  • LinkedIn to Stop Collecting IDFA Data from iOS Devices in respect to Apple’s App Tracking Transparency Feature

    • Apple announced a new App Tracking Transparency feature, which will arrive on iOS devices in the coming spring.
    • Once the feature launches, each app downloaded from the App Store will have to ask for user consent in order to retrieve and share the user's data.
    • LinkedIn announced that it will stop using the IDFA, also called “Identifier for Advertisements.” The IDFA is a mechanism in applications that allows cross-platform and cross-app tracking by collecting user data. If a developer removes it permanently from their applications, they will not have to ask Apple users for consent, because the applications will no longer be able to share that data.
    • This is a great step from LinkedIn. Removing the use of IDFA means users will not have to worry about their privacy, and it saves the company from having to add user consent notifications. Apart from LinkedIn, Google is following the same path, having announced in January that it would remove its use of IDFA data.
    - Arooj Ahmed | March 7, 2021
  • Microsoft Shares Additional Mitigations for Exchange Server Vulnerabilities Under Attack

    • Microsoft on Friday released alternative mitigation measures for organizations that have not been able to immediately apply the emergency out-of-band patches released earlier this week, which address vulnerabilities being exploited to siphon e-mail data from corporate Microsoft Exchange servers.
    • Microsoft also provided an nmap script to help customers discover vulnerable servers within their infrastructure.
    • Analysts say that HAFNIUM, a state-sponsored hacking group operating out of China, has been on an active hacking spree with a massive espionage campaign underway to siphon data from organizations globally.
    • “This is the real deal. If your organization runs an OWA server exposed to the internet, assume compromise between 02/26-03/03,” Ex-CISA Chief Chris Krebs tweeted. “Check for 8 character aspx files in C:\inetpub\wwwroot\aspnet_client\system_web. If you get a hit on that search, you’re now in incident response mode.”
    - Mike Lennon | March 6, 2021
  • BEST PRACTICES – 9 must-do security protocols companies must embrace to stem remote work risks

    • As a remote worker, it is imperative to take measures to protect yourself and your employer online. Start by checking to see what security protocols your company has in place.
    • Here are some cybersecurity best-practice tips that apply more than ever to remote workers carrying out their duties securely:
      • Use strong passwords
      • Use 2FA
      • Use a VPN
      • Set up firewalls
      • Use A/V
      • Secure home router
      • Install regular updates
      • Back up your data
      • Stay alert for phishing emails
    | March 6, 2021
  • HIPAA Security Requirements: What They Really Mean

    • The University of Texas M.D. Anderson Cancer Center was having a hard time protecting patient electronic health information (ePHI).
    • After several security-related incidents, there was no evidence that any of the lost devices were used, or that the ePHI was accessed by anyone, but the state-run cancer center clearly failed to protect the data, and had failed to encrypt these records.
    • The Department of Health and Human Services investigated Anderson for violations of HIPAA and HITECH laws and regulations.
    • HHS imposed a fine of $4,348,000 USD against Anderson, and administrative and court appeals followed. On January 14, 2020, the United States Court of Appeals for the Fifth Circuit (which includes Texas) found that HHS's findings, specifically that the hospital had no “mechanism to encrypt” health records and that it improperly “disclosed” these records, were arbitrary and capricious, and reversed the fines.
    • The federal appeals court distinguished between a failure of encryption and a failure to have a mechanism to encrypt, noting that a company could have a bulletproof encryption procedure, and encrypt thousands of computers and millions of thumb drives, and still inadvertently fail to encrypt a few drives, which would result in a security breach.
    • The court noted that the cancer center’s loss of data was due to “reasonable cause” and not “willful neglect” (42 U.S.C. § 1320d-5(a)(1)(B)).
    • There is an erroneous assumption that every data breach involving ePHI is a HIPAA violation, and that every “loss of control” of data is an improper disclosure of ePHI.
    • HHS needs to have the power to impose fines for true violations. Sometimes, these fines need to be severe and consequential. Mere failures of security – even when they have bad results – should result in orders to compensate the privacy victims, not necessarily pay off HHS. But willful, deliberate and repeated failures to do the basic things – even when no breach occurs – should permit HHS to bring down the hammer.
    - Mark Rasch | March 4, 2021