CCOE Logo
 

Breach Guide

Learn the steps to take in the event of a data breach and stay current on the cyber threat landscape with the FTC’s Data Breach Resources, FBI’s Daily Digest Library and San Diego’s Cyber Incident Response Guide.

Federal Trade Commission (FTC) Data Breach Resources

Find out the steps to take as a business or consumer if you experience a data breach.

ftc-gov

FBI Cyber Daily Digest Library

Stay current on the global threat landscape with the FBI’s daily circulation of published data breaches and articles.

  • White House warns companies to step up cybersecurity: 'We can't do it alone'

    • The White House warned corporate executives and business leaders on Thursday to step up security measures to protect against ransomware attacks after intrusions disrupted operations at a major meatpacking company and the biggest U.S. fuel pipeline.
    • The recent cyberattacks have forced companies to see ransomware as a threat to core business operations and not just data theft, as ransomware attacks have shifted from stealing to disrupting operations.
    • Best practices such as multifactor authentication, endpoint detection and response, encryption and a skilled security team. Companies should back up data and regularly test systems, as well as update and patch systems promptly.
    • There has been a significant hike in the frequency and size of ransomware attacks, Anne Neuberger, cybersecurity adviser at the National Security Council, said in a letter.
    • Neuberger advised that companies test incident response plans and use a third party to test the security team's work.
    - Doina Chiacu | June 3, 2021

  • REvil, A Notorious Ransomware Gang, Was Behind JBS Cyberattack, The FBI Says

    • The world's largest meat processing company has resumed most production after a weekend cyberattack, but experts say the vulnerabilities exposed by this attack and others are far from resolved.
    • In a statement late Wednesday, the FBI attributed the attack on Brazil-based meat processor JBS SA to REvil, a Russian-speaking gang that has made some of the largest ransomware demands on record in recent months.
    • REvil has not posted anything related to the hack on its dark web site. But that's not unusual. Ransomware syndicates as a rule don't post about attacks when they are in initial negotiations with victims — or if the victims have paid a ransom.
    • JBS said late Wednesday said that it expects to resume production at all its plants on Thursday and be running at "close to full capacity" across its global operations.
    • President Joe Biden intends to confront Russia's leader, Vladimir Putin, about his nation's harboring of ransomware criminals when the two meet in Europe in two weeks.
    • JBS is the second-largest producer of beef, pork and chicken in the U.S. If it were to shut down for even one day, the U.S. would lose almost a quarter of its beef-processing capacity, or the equivalent of 20,000 beef cows, according to Trey Malone, an assistant professor of agriculture at Michigan State University.
    • The plant closures reflect the reality that modern meat processing is heavily automated, for both food- and worker-safety reasons. Computers collect data at multiple stages of the production process; orders, billing, shipping and other functions are all electronic.
    | June 3, 2021

  • Scripps Health notifies patients of data breach after ransomware attack

    • Nonprofit healthcare provider, Scripps Health in San Diego, has disclosed a data breach exposing patient information after suffering a ransomware attack last month.
    • The attack caused the healthcare provider to suspend their IT systems, including public-facing portals, including MyScripps and scripps.org.
    • "The investigation is ongoing, but we determined that an unauthorized person did gain access to our network, deployed malware, and, on April 29, 2021, acquired copies of some of the documents on our systems," said an updated Scripps Health security incident notice.
    • When ransomware operations breach an organization, they will first silently spread throughout the network while stealing files and data. Once they gain access to a Windows admin account and the domain controller, they deploy the ransomware to encrypt devices.
    • "Importantly, this incident did not result in unauthorized access to Scripps’ electronic medical record application, Epic. However, health information and personal financial information was acquired through other documents stored on our network."
    • For those patients whose data was exposed, Scripps Health has begun mailing notification letters on June 1st, 2021.
    - Lawrence Abrams | June 3, 2021

  • Here’s What Universities Need to Know About Cyber-Attacks

    • Universities have learnt to operate entirely remotely and now that learning may resume in person, a hybrid education model will likely continue. The transition from physical to online models happened so quickly that it left many IT networks exposed to serious harm from outside forces.
    • Universities operate large corporate-sized networks, but without the budgets to match. Add to that, teachers and students aren’t given training to use and connect their technology in a safe way.
    • Three lessons universities need to quickly take on board:
      • Your Research is Valuable to Cyber-Criminals
        • There is a hefty price tag on some of the research conducted by universities, which makes it particularly attractive to cyber-criminals.
      • Personal Information of Students and Staff Can Easily Fall into the Wrong Hands
        • Attackers use phishing to break into university networks and sneak around, undetected, in search of data they believe has the highest value – both to the victim and to other cyber-criminals who might pay good money for it. Quite often, this information is sold or published on the dark web, which can lead to staff and students becoming victims of further crimes, such as identity theft.
      • A Cyber-attack Can Knock Everything Offline
        • With some students still studying remotely, an attack could see students left sitting at home, unable to access course materials, online tools and any of the other resources they need to get on with their work. For university students paying £9,000 a year and facing some of the most important exams of their lives, the implications of a cyber-attack are enormous on both a financial and personal level.
    - Jonathan Lee | June 1, 2021

  • Ransomware Is Everywhere — Here’s What You Need To Consider

    • There have been more than 4,000 ransomware attacks every day since 2016, according to an interagency U.S. government report.
    • If you pay the ransom, you’re sending out a dangerous message to criminals that you will play ball. The inevitable consequence is that they’re far more likely to target your sector or attack your organization again in the future.
    • An issue that’s often missed in this scenario is that paying the ransom usually means you’ll receive a functioning decryption tool. This doesn’t instantly return things to normal, and you will have to allocate more resources to recover properly. Apart from the risk that the tool doesn’t work, you may face a logistically tricky task in simply entering all the keys on your various devices. Once this is done, there’s still the pressing concern of tracing and mitigating the original breach that led to ransomware gaining a foothold in your network.
    • There are several preventive measures and precautions you can take to reduce the risk of a ransomware attack:
      • Maintain a proper backup
      • Patch continuously
      • Maintain an up-to-date asset list
      • Plan and rehearse recovery
      • Consider cyber insurance
    - Steve Durbin | June 1, 2021

  • SolarWinds Hackers Return, Launch Phishing Campaign Using Compromised Account of US Foreign Aid Agency

    • The SolarWinds hackers are back again, this time leveraging the stolen email account of a United States federal agency to run a phishing campaign against 150 government entities in 24 countries. The attack is particularly high risk as the credentials could have allowed the phishing emails to sail straight into the inboxes of thousands of recipients with sensitive job titles.
    • A blog post from Microsoft refers to the phishing campaign as resulting in “limited damage” without “any significant number of compromised organizations.”
    • The group wasted little time in distributing authentic-looking phishing emails to contacts associated with a  Constant Contact marketing email account belonging to the United States Agency for International Development (USAID), a federal government agency responsible for about half the foreign aid that the US distributes around the world.
    • It was packed with a disguised link leading to an attack site that installed the NativeZone malware. NativeZone allows for surreptitious remote control of infected systems and can be used to quietly exfiltrate sensitive data.
    • The SolarWinds hackers made attempts on some 3,000 email accounts belonging to about 150 organizations. The campaign ran through May, changing targeting and delivering techniques several times in an attempt to foil detection.
    • WHAT WE KNOW - the SolarWinds hackers have a focus on first compromising trusted sources (software updates, email accounts) and then using them to phish high-value government targets.
    • Wired is now reporting that the SolarWinds hackers are members of the SVR foreign intelligence agency, a claim that the head of the agency has denied.
    • While this relatively blunt approach was the main technique used in the phishing campaign, the hackers did alter their strategy for certain recipients with iPhones or iPads. These recipients were targeted with a zero-day vulnerability that Apple patched back in late March.
    - Scott Ikeda | May 31, 2021

  • Why Air India Breach is an Eye-Opener for Every CISO

    • The cybersecurity vulnerability within the Indian tech ecosystem is growing wider and more apparent by the day. Three months after air transport data major SITA reported a data breach, Air India said last week that personal data of about 4.5 million passengers had been compromised following the incident at SITA.
    • Air India said that CVV data of credit cards were not held by SITA, as it urged passengers to change passwords “wherever applicable to ensure safety of their personal data.”
    • The struggling airline, which is surviving on taxpayer money, claimed that it had investigated the security incident, secured the compromised servers, engaged with unnamed external specialists, notified the credit card issuers, and had reset passwords of its frequent flyer program.
    • The lesson from such breaches as Sonit Jain, CEO of GajShield Infotech observed, “While organization spend a lot of effort securing their enterprise network, risk assessment of partner networks is rarely done, leaving a big gap open to be compromised. As attackers start mapping supply chain providers of an organization, we will see an increase in the number of such attacks. Lack of visibility and control will leave a blind spot ready to be used.” “Cyber defenses now need to be extended beyond an organization’s network and cover their partner network, processes, and employees too,” he said.
    • When the world went into lockdown in March 2020, the total number of bruteforce attacks against remote desktop protocol (RDP) jumped from 93.1 million worldwide in February 2020 to 277.4 million 2020 in March—a 197 per cent increase.
    • “It obviously becomes essential for enterprises to regularly train their non-IT staff and create an awareness in order to protect their consumer’s data from being exposed in a data breach incident due to threats like phishing, malware and brute force attacks. Regular system updates and proactive disclosure of such incidents also help businesses in creating a stronger strategy to fight against data breaches,” he said.
    - Sohini Bagchi | May 25, 2021

  • How to deal with a data breach at your company

    • With the increasing risks of data breaches, organizations should not only work on mitigating but also develop a plan to deal with such occurrences.
    • While it is important to protect and prevent your business from a data breach, finding a recovery plan following a breach is important.
      • Contain the Breach - begin by isolating the affected systems to prevent them from spreading to your entire network. This includes disconnecting any breached accounts and shutting down targeted departments.
      • Assess Degree of Damage - Identifying how the attack occurred is important to prevent future attacks using the same tactics. You should also thoroughly assess the affected systems to uncover any malware left by the hacker. During the assessment, identify the attack vector, social engineering methods used, and sensitivity of breached data.
      • Inform the Affected - You should notify the relevant authorities, individuals, and third-party organizations affected. Ensure that you craft the data breach notification letter openly and sincerely. Inform both internal and external affected persons about the type of data breach that occurred, records affected, possible losses incurred, plans for mitigating the damage, and how you intend to prevent a recurrence.
      • Conduct a Security Audit - With or without a data breach, regular security audits are important.
      • Improve Your Cybersecurity Systems
        • Using data encryption
        • Multi-factor authentication
        • Training employees
    - Chris Smith | May 25, 2021

  • Ransomware: What To Do If You Don't Have a Plan

    • Nothing vaults ransomware into the IT discussion like a $5 million payout accompanied by a crippling gas shortage and $7-per-gallon gas gouging.
    • Here's a checklist on what to do and plan:
      • Enforce MFA
      • Stop with the common password issue
      • Use authentication...correctly
      • Protect Identities
      • Get a privileged access baseline in place
      • Make a list of mission-critical apps
      • Update/replace out of date OSes
      • Patches/Updates
      • Stop recycling service accounts
      • End user accounts shouldn't be used as admin accounts
      • Server admin account should not have admin rights on workstation
      • Produce a clear line of leadership
      • Create a risk assessment of your recourses
      • Inventory resources and assessments
      • Organize an incident event log
    - Dave Ramel | May 18, 2021

  • National security officials outline hopes for US data breach notification law

    • Top U.S. national security officials on Tuesday explained some ideal elements to a potential national data breach reporting law, describing the idea as one pathway to stopping massive security incidents like the SolarWinds hack.
    • A national data breach reporting law would need to be clear and concise for companies to follow it, and generally not be a huge burden, said Tonya Ugoretz, deputy assistant director of the FBI.
    • It might function as an alternative to government surveillance of private sector networks, a controversial idea previously suggested as a means of detecting cyber-espionage.
    • The irony of the renewed demand for a national law stemming from the SolarWinds hack is that FireEye demonstrated the best-case scenario in voluntarily reporting that it was compromised, alerting the federal government to the broader threat, Hickey said.
    - Tim Sparks | May 18, 2021

San Diego Cyber Incident Response Guide

Learn more about San Diego’s region-wide cyber incident response guide and available local, state and federal resources.

San Diego Cyber Incident Response Guide October 2017