October is the month of Halloween. Many appreciate the ability to hide their identity and get enjoyment from being temporarily frightened. But scare tactics are something we actively avoid at FRSecure. We don’t share information security news stories like this as a way to scare you into working with us to bolster your security programs. We legitimately care about fixing this broken industry—including its scare tactics. So, here are some of the information security news articles from October that stood out. Hopefully you can use these to recognize what’s out there so you can avoid letting attackers catch you off guard.
- The most targeted entities for cybercriminals are cities, but alarmingly, schools and hospitals are not far behind. A recent study shows 621 ransomware attacks this year, including incidents that closed public schools and delayed surgeries. The costs of these attacks are estimated to total $186M, but more importantly, our children’s well-being and our health are at stake.
- Of those 621 (and counting), three Alabama hospitals closed doors early in the month as they dealt with a ransomware attack. The attack caused massive disruptions within the DCH Health System’s hospitals, forcing them to turn patients away for a week and a half.
- The United States isn’t alone, either. 27 procedures with 30 patients were cancelled at an Australian hospital in October due to a ransomware attack. While the hospital denied that patient information was accessed, any disruption in surgery scheduling could be lethal.
- Canada, too. Several Canadian municipalities have also recently found their systems infected with ransomware, and a Toronto dental clinic was targeted for a $165k ransom.
- A study came out this month stating that 66 percent of small businesses worldwide have faced cyberattacks in the past year. While companies are becoming increasingly aware of high-impact ransomware attacks on businesses and governments, many of the people surveyed are not confident in their ability to respond properly.
Fixing the Broken Industry
- We’ve seen an increasing effort from attackers to target the aviation industry. Manufacturers, airlines, and airports are all under increasing duress. Thankfully, the government is working to fix the vulnerabilities that make them easy targets. While the Department of Homeland Security and the Department of Transportation haven’t revealed much about the revived program, the goal is to improve “cyber resilience” of aircraft.
- Paying a ransomware demand is inexcusable for a number of reasons. Now the FBI has made an official statement agreeing with that sentiment. In the public service announcement, the FBI says that “the FBI does not advocate paying a ransom,” and it urges victims to report ransomware to authorities whether the ransom is paid or not.
- Education is an incredibly important component of information security. There’s a job shortage in the industry, and anything we can do to bolster the talent pool (and the visibility of the industry) is a step in the right direction. Target’s cybersecurity department is taking a big step in helping, donating $250,000 to the University of Minnesota to provide opportunities to students in information security programs.
- In a unique way of fixing the industry, the DoD hired ethical hackers to find vulnerabilities in their critical systems through a “bug bounty.” In total, the hackers found 31 vulnerabilities—including a critical one. “With each new initiative, the Department of Defense further bolsters its cyber defenses against rogue enemy actors thanks to white hat hackers from across the globe.”
Social engineering and fraud
- Phishing attacks have always been a problem in information security. These kinds of scams continue to be effective, so they’ll continue to happen. Recently, Amazon, PayPal, and Google users were targeted in a highly sophisticated attack attempting to steal PayPal-stored credit card information.
- Multi-factor authentication has long been one of the most successful methods for deterring cyber criminals. It’s meant to be a second line of defense in the event that someone gets into your account using your credentials. The FBI is now warning that cyber criminals are finding ways to bypass multi-factor authentication—and a lot of the time, they use social engineering tactics to do so.
- 60 universities worldwide were hit by a phishing attack in mid-October. The culprit is an Iranian group whose main focus is to steal research and intellectual property through the use of phishing and fake logins.
- Many financial institutions, social media platforms, and other sites rely on your phone number to verify identity. Now, attackers are able to mimic your number in a SIM-swap attack. Effectively, this leaves your security up to the phone companies instead of you.
- It’s not uncommon to see data breaches anymore. We preach all the time that you can’t stop all bad things from happening, so it’s important to have a plan for when they do. It is a bit strange to hear it from a company disclosing their breach, though. Zynga, a mobile gaming development company that makes popular games like Words with Friends, announced a breach in early October by sharing that, “cyberattacks are one of the unfortunate realities of doing business today.”
- Twitter is in some hot water this month after admitting that they were profiting from sharing millions of UK users’ data with advertisers. The email addresses and phone numbers originally added to accounts as two-factor security measures have since been used to target personalized advertisements.
- If you’re one of the millions of people globally who are smartening their homes, here’s another issue to look out for. Older Amazon Echo and Kindle devices were discovered to contain WPA/WPA2 protocol vulnerabilities that could allow attackers to decipher your keychain.
- Despite a 2012 class action lawsuit filed against Zappos (which is close to reaching a settlement), the shoe company denies doing anything wrong. They’re now proposing to compensate all victims by giving them a 10 percent discount on a future online purchase.
Following information security news and trends is important. It gives you an idea of what’s going on in the industry so you can continue to protect yourself and your business. Follow FRSecure on Twitter and LinkedIn for consistent updates on information security news like this, and visit our site to learn how your organization can continue to make improvements to its security measures.