A new year means new developments in the world of information security news. We’ve already started to see some of Evan’s 2018 Information Security Predictions come true. The NSA is dealing with a shrinking talent pool as many employees jump to the private sector. Ransomware was one of the fastest-growing forms of cyberattacks from 2016 to 2017 and that trend shows no sign of slowing down. Equifax was in the news again. The 2018 Winter Olympics are fast approaching and as the anticipation grows, so do concerns over the Olympics’ potential as a target for hackers. All of that, and more, in our Information Security News Roundup for the month of January.
Evan’s 2018 Information Security Predictions Are Coming True
- The high-profile downfalls of executives at Equifax and Uber have opened the eyes of executives to the dangers that data breaches pose to their own job security. In response to the highly public nature of recent data breaches, many companies are trying to improve their own information security departments. Corporate leaders now see cybersecurity threats and the stiff competition for top-tier cybersecurity talent as one of the most pressing issues in 2018. Great news if you’re looking for a job in cybersecurity, not so good if you’re looking to hire one of us.
- Reflection: Exhibiting Due Care is expected if you’re in a leadership role, especially so if part of your responsibilities includes managing your organization’s information security program. Negligence in this area can leave the door wide open for litigation in the event something bad happens. FRSecure’s information security risk assessment, Penetration Testing, and vCISO offerings are great ways to comprehensively assess your organization’s security program and establish an effective baseline that considers modern threats.
- One industry that has increased its emphasis on cybersecurity is electricity and other utilities. Xcel Energy now employs more than 100 security analysts. That is a huge jump from the relatively low numbers just a few years ago. Cyber attacks on energy grids in countries such as Ukraine have caused a revelation in the thinking of energy companies. As cyberattacks evolve, so too must the cyber defenses of utilities. That means employing top talent to foil top-level hackers.
- As companies in the private sector ramp up their search for top talent, public entities like the National Security Agency have had to deal with their top talent jumping ship. Some of the most highly skilled employees of the NSA have become less confident in the spy organization’s leadership and more attracted to the flexible nature and higher pay of private-sector jobs. Relatively junior cyber professionals can make up to $200,000 or more per year in the private sector. That’s more than top officials at the NSA. It’s hard to pass that kind of pay raise up. Even if it means you don’t get to tell people you’re a spy anymore.
- Reflection: Organizations need to emphasize training. Many CTOs and IT Directors have great technical responsibilities but zero technical skill set, and this creates a huge risk to your organization. FRSecure’s training workshops are a great way to upgrade your team’s skills and knowledge in security without breaking the bank!
- The number of ransomware attacks on healthcare institutions increased by 89% from 2016 to 2017. The top six hacks against healthcare organizations were all attributed to ransomware in 2017. As organizations have gotten better at defending themselves from ransomware, hackers have advanced their ransomware tools in lockstep. Expect more nasty and complex ransomware in 2018.
- Reflection: Vulnerability scanning and architecture reviews are excellent ways to establish better security controls that will help your organization be more resilient, especially to automated attacks like ransomware. If you already have a solid foundation, Penetration Testing will test it, and help you take your security infrastructure to the next level.
- Inga Beale, chief executive of Lloyd’s of London, acknowledged that there are many cyber risks that are not covered by insurance. The insurance industry is rapidly trying to come up with contingency measures for cyber attacks. Beale added that covering cyberattacks should be one of the insurance industry’s top priorities.
- Reflection: Most organizations are unprepared for a computer security incident because they lack the planning and technical skills to handle it. This ends up costing them dearly in their public reputation, associated liability, and costs incurred by responding to an incident. FRSecure’s experts can help you establish an Incident Response program that will efficiently detect, contain, and remediate incidents by better preparing your organization, testing your plan annually, and keeping your staff trained on modern investigation techniques.
Equifax returns to our Information Security News Roundup
- Consumers across the country filed the most complaints to the Consumer Financial Protection Bureau about Equifax. The heavily covered data breach at Equifax in 2017 affected millions of Americans. The massive disclosure of private information likely inspired the thousands of complaints that the CFPB received regarding the reporting agency.
- While Equifax took a beating from Americans in 2018, Equifax Canada assured its account holders that their info hadn’t been linked to any fraud. Chief privacy officer John Russo said “sorry” to all affected Canadians before pointing out that no signs of identity theft had been reported since the breach. A good sign for a company trying to regain public trust.
- Many people predicted that the massive nature of the Equifax breach would inspire the sweeping reform of data security laws. Many people were wrong. Congress prioritized other issues such as tax reform and preventing a government shutdown. We here at FRSecure know a bill will soon be written that empowers U.S. citizens to protect their identities. Our very own security expert, Brad Nigh, is writing one.
- In our November Information Security News Roundup, we mentioned the rising popularity of “cryptojacking.” “Cryptojacking” is the process of hijacking devices and forcing them to mine for digital currencies. You might not even know your devices have been jacked until you see your electricity bill skyrocket. Hijacked smart home devices will use substantially more energy than normal. Mining for digital currency requires a lot of processing power and that means lots of energy. Some affected homes have seen their electricity bills triple in size.
- One of Japan’s largest cryptocurrency exchanges, Coincheck, revealed it lost nearly $400 million in a security breach. The exchange suspended most trading and withdrawals and will compensate those who were affected. As cryptocurrencies become more popular, cryptocurrency exchanges are becoming a juicier target for hackers.
The Winter Olympics (of hacking)
- Hackers of all skill levels are preparing for the Winter Games in Pyeongchang, South Korea. The Olympics will run from February 9th to the 25th but already hacking schemes are being discovered. Ticket scammers and digital disrupters alike will target the Olympics. Many are looking for the notoriety and respect from dark websites that would come with pulling off a successful high-profile attack at an event such as the Olympics.
- Internet-connected devices and digital displays are prime targets, warns the Center for Long-Term Cybersecurity at the University of Berkeley. Fancy Bear, a Russian cyber group, has already released stolen emails from the IOC. This could have been some sort of retaliation for the Russian Federation receiving a ban from these Winter Olympics.
Information Security in Government
- Following the penetration of the Democratic National Committee, Russian hacking groups have shifted their efforts to the U.S. Senate’s email system. Feike Hacquebord, a researcher at Trend Micro, told the AP that these groups are still very active. They are looking to “influence public opinion once again”, possibly in order to influence the 2018 midterm elections.
- The state of Delaware announced the formation of a new cybersecurity training partnership that aims to provide young women with the opportunity to discover or nurture a passion for careers in cybersecurity. The aptly named “Girls Go CyberStart” program teaches young women cybersecurity skills through a no-cost online discovery game. Top performers will have a chance to win a trip to the 2018 Women in CyberSecurity Conference.
- The Colorado Senate is considering a bill that aims to utilize blockchain technology to improve the state’s cybersecurity. The bill hopes to eliminate inefficiencies in Colorado’s existing practices by using blockchain technology to evaluate and quantify risk and enhance the protection of personal information, among other things.
- Hundreds of government and military personnel flocked to Augusta, Georgia in January. The reason was not to play a few rounds at Augusta National, but to participate in the inaugural Cyber Education, Research and Training Symposium. They aim to come up with better ways to improve America’s cyber defenses as well as training methods to educate the next generation of cyber defenders.
That is all for the Information Security News Roundup for the month of January. Want to get more information security news or share news that you’ve found with us? Check out FRSecure’s Twitter or LinkedIn feeds for updates on what’s going on in the world of information security.