This week’s Cyber Security Headlines – Week in Review is hosted by Rich Stroffolino with guest Dmitriy Sokolovskiy, senior vice president, information security, Semrush
Missed the live show? Watch it on YouTube
Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com
Four cyber companies fined for SolarWinds disclosure failures
On Tuesday, the Securities and Exchange Commission (SEC) announced fines totaling roughly $6 million against Check Point, Avaya, Unisys and Mimecast for their lackluster disclosures related to the 2020 SolarWinds Orion software compromise. The SEC said the companies made “materially misleading” disclosures related to the incident that further victimized shareholders and the investment community. The fines are the result of a years-long investigation into public companies potentially impacted by the SolarWinds compromise.
(The Record and TechCrunch)
Microsoft warns it lost some customers’ security logs for a month
This warning comes as a result of a bug that prevented critical logs for some enterprise customers from being consistently collected during the first three weeks of September. This data is used to detect suspicious traffic, behavior, and login attempts on a network, so its absence increases the chances of attacks going undetected. For some clients, the problem continued until October 3. Even though the fix was rolled out using safe deployment practices, the company failed to identify the new problem, and it took a few days to detect it. Researcher Kevin Beaumont says he knows of at least two companies that did not receive a notification about the issue. A list of the Microsoft services impacted is available in the show notes to this episode.
Egress shows how spammers are getting around phishing defenses
In the cat-and-mouse game of spam delivery, attackers and defenders alike are using natural language processing (NLP) to write more convincing emails or to detect spam patterns, respectively. Egress’s threat intelligence unit is now showing how email services that use NLP to score whether an email is safe are being manipulated through the increased use of random text, legitimate links, or whitespace. The premise is that if enough “safe” elements are detected in an email, the email security tool will deliver it to the victim despite the possible presence of malicious attachments. According to Egress’s report, this is due in part to time pressure: “for some email security tools, if an email takes too long to scan, it will be released before the scan is complete.”
Cloud auth keys found in popular mobile apps
Symantec has reported that multiple popular mobile applications for iOS and Android come with hardcoded, unencrypted credentials for cloud services like Amazon Web Services (AWS) and Microsoft Azure Blob Storage. Symantec says these keys are present in the apps’ codebases because of errors and bad practices during the development phase. Exposing these types of credentials can easily lead to unauthorized access to storage buckets and databases with sensitive user data. The exposed creds were found in at least thirteen apps including Pic Stitch, Meru Cabs, and Crumbl, which have registered more than 4 million downloads each.
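The defensive counterpart to this finding is secret scanning of app source and build artifacts before release. The following is an added example, not Symantec’s tooling or code from any of the named apps: regex heuristics for AWS access key IDs, AWS secret keys and Azure Storage account keys, run over a constructed snippet that resembles a decompiled Android config class. The AWS values are the placeholder keys from AWS documentation and the Azure key is made up.

```python
import re
from dataclasses import dataclass

# Heuristic patterns for the credential types the report names. The AWS access key ID
# format (AKIA/ASIA + 16 uppercase alphanumerics) is stable; the secret key and Azure
# storage key patterns need surrounding context to keep false positives down.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws\w*secret\w*\s*[=:]\s*[\"']?([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
    ),
    "azure_storage_account_key": re.compile(r"AccountKey=([A-Za-z0-9+/]{40,}={0,2})"),
}

@dataclass
class Finding:
    kind: str
    line_no: int
    redacted: str  # never log the full secret, even from a scanner

def redact(secret: str) -> str:
    """Keep just enough of the value to triage (prefix/suffix) and hide the rest."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 8 else "****"

def scan_text(text: str) -> list[Finding]:
    """Scan decompiled source, resource XML or a strings dump line by line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                secret = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(kind, line_no, redact(secret)))
    return findings

# Constructed sample resembling a decompiled Android config class (not from any real app).
# The AWS values are the documentation placeholders from AWS; the Azure key is invented.
SAMPLE_SOURCE = """\
public final class CloudConfig {
    static final String AWS_KEY = "AKIAIOSFODNN7EXAMPLE";
    static final String AWS_SECRET = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";
    static final String BLOB = "DefaultEndpointsProtocol=https;AccountName=examplestore;"
        + "AccountKey=QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVowMTIzNDU2Nzg5QUJDREVGR0g=;";
    static final String API_BASE = "https://api.example.com/v1";
}
"""

if __name__ == "__main__":
    for f in scan_text(SAMPLE_SOURCE):
        print(f"{f.kind:28} line {f.line_no}: {f.redacted}")
```

In a real pipeline the same function would be pointed at the output of an APK or IPA decompiler and wired into CI so a hit fails the build.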
CISA proposes new security requirements for personal data
As part of an implementation of an Executive Order issued in February, the Cybersecurity & Infrastructure Security Agency proposed new rules for companies that transact with bulk amounts of sensitive personal or government-related data that could be exposed to “countries of concern.” The proposal calls for maintaining an updated monthly data asset inventory, specific vulnerability remediation windows for critical or actively exploited vulnerabilities, enforcing MFA, collecting access and event logs, and not storing encryption keys with the data they cover. These proposed rules are now open for public comment.
UK report on Cyber Essentials certification
In 2014, the UK government launched its Cyber Essentials certification, a self-assessment program based around five technical controls. To mark the 10th anniversary, the UK government released an independent impact evaluation. The evaluation found that 86% of respondents said Cyber Essentials directly strengthened senior management’s understanding of cyber attack risks, with 76% taking additional preventative security measures beyond Cyber Essentials requirements. The UK’s National Cyber Security Centre also claimed that insurance data showed that organizations in Cyber Essentials “are 92% less likely to make a claim on their insurance than those without it.” Adoption of Cyber Essentials still has a long way to go, with 31,000 organizations certified, less than 1% of those eligible in the UK. Cybersecurity minister Feryal Clark said the government’s next priority will be promoting Cyber Essentials certification down through an organization’s supply chain.
(The Record, Gov.UK)
Penn State fined for failing to meet cyber requirements in federal contracts
The university has been fined $1.25 million for “failing to comply with cybersecurity requirements laid out in its contracts with federal agencies.” The issue involves 15 contracts between the school and the Department of Defense and NASA, in which the school was accused of “failing to implement cybersecurity controls between 2018 and 2023, and after acknowledging the issues it allegedly subsequently failed to develop or implement any plans to correct the issues.” The DOJ added that Penn State “admitted its cybersecurity failings in assessment filings and pledged to fix them but misrepresented the dates by which it would implement them and did not pursue plans of action to do so.”
67% of organizations say employees lack basic security awareness, says Fortinet
According to Fortinet’s 2024 Security Awareness and Training Global Research Report, two thirds of organizations are concerned that their employees lack fundamental security awareness. This is an increase from last year when the number was 56%. Amit Zimerman, Co-Founder and Chief Product Officer at Oasis Security, suggests that in addition to improving employee security awareness training, “IT security teams must implement strong identity and access management (IAM) frameworks with compensating controls like multi-factor authentication (MFA) to mitigate phishing attempts.”