January 2023 Newsletter
Feds: Cyber Security Will Not Be Voluntary Anymore
As I discussed last year, the environment around cyber security is changing. More evidence came to light last week as the Biden White House began to reveal its 35-page “National Cybersecurity Strategy,” which presents two significant (and, depending on your perspective, shocking) differences from the status quo:
- The United States will proactively attack cyber criminals. Major hacker groups and state-sponsored attackers will be targeted by the FBI National Cyber Investigations Joint Task Force.
- Cyber security will become mandatory for organizations that operate critical infrastructure.
The second aspect of the Biden Administration plan should be front of mind for every business owner. Although the draft limits regulation to a small number of infrastructure operators, including fuel pipelines and water departments, it signals the most significant shift in decades for cyber policy. The United States government has had enough of disruptive and potentially dangerous cyber attacks. The messaging from officials and analysts is unanimous: the days of voluntary cyber security compliance are over.
This continues a trend I pointed out in 2022. Government regulators have had enough of infrastructure attacks and high-profile hacks, and they are about to place the burden of cybersecurity on every business in the United States that uses the Internet. You’ll find more, including my assessment of what you will be required to do, in this month’s main story, Feds Move Toward Mandatory Cybersecurity.
BREAKING: Ransomware Gang Posts Sensitive Police Files Online
Unredacted police incident reports from the Bay Area Rapid Transit (BART) police landed on the Dark Web following a ransomware attack that targeted multiple BART systems. This attack occurred just weeks after newspaper The Guardian saw personnel files, including passports, for some of its U.K. staff posted online.
In both cases, it appears that hackers were unable to bring down critical systems, but cyber security failed to protect every aspect of the organizations’ infrastructure. Hackers were able to find unencrypted data by probing connections between systems, exposing sensitive information.
Protect Your Clients with Dark Web Monitoring
Hackers now know that they can sell data for big money. From credit card numbers to Social Security numbers to private phone numbers and emails of journalists, politicians and corporate executives, there is a growing market for every scrap of data a hacker can get.
Small businesses are especially vulnerable. How would you know if your data were stolen and for sale on the Dark Web? What would it do to your customer base and reputation if people found out their data were stolen from you, and you didn’t know it?
Affordable Dark Web monitoring from Protect Now is a critical defense against data loss. You provide the parameters, we discover what is already online, and then we alert you immediately when we find new information. This service catches insider threats and cyber attacks that other defenses may miss, offering the highest level of protection to your business, your employees and your clients. Contact us today to see how affordable this critical cyber defense can be.
Stat of the Month
The number of sailing vessels affected by a ransomware attack targeting ShipManager software used to provide live data to ships moving between ports. On January 7, DNV reported a ransomware attack impacting proprietary software that manages shipboard functions, including repairs, crew management and safety systems. The attack initially took ShipManager offline for more than 7,000 vessels, though offline functionality remained.
Specific details on the attack have yet to be revealed, but it shows how hackers target small, seemingly invisible businesses that operate custom software. DNV was uniquely vulnerable as a major provider of transportation infrastructure; the hack offered a way to further snarl supply chains still recovering from the global pandemic.
Time to Turn Off TikTok
The University of Texas banned TikTok from all devices that connect to the school’s networks. This follows a ban issued in December that required TikTok to be removed from all devices issued by the Texas state government.
In response to the ban, a TikTok spokesperson said the move “...will do nothing to advance cybersecurity.” I disagree, for two critical reasons, neither of which involves politics or the fuzzy relationship between TikTok owner ByteDance and the Chinese government.
First, the presence of social media in any work setting is a distraction. Employees checking on or posting to social media are not fully engaged with their work. This can lead to lapses in vigilance that allow a malware or phishing attack to succeed.
Second, social media is itself a vector for cyberattacks. Criminals can reach out directly to employees through social media platforms, in the same way that they use text, email or other social sites to launch phishing attacks. Employees may also unwittingly post information that criminals can use in attacks. As I previously discussed, public information is bait for phishing. Hackers scour the Web and social media for any personal information they can find that might yield passwords, identifying data or details that can be used to impersonate an employee.
Social media apps do not belong on company-issued devices unless social media is part of an employee’s job. It gets trickier to keep social media apps off personal devices that connect to company networks, but this can be achieved by blacklisting sites like TikTok to keep them off company WiFi.
This will not be a popular decision with some employees, but it will add a layer of protection for sensitive data. Remind employees that hackers mine social media to carry out their attacks and that they need to consider the personal role that they play in cyber security.
Cybersecurity Resolutions for 2023 – The Security Guy and the CIA Spy Podcast
Start the New Year with a resolution to join Robert Siciliano and Peter Warmka as they discuss steps everyone should follow for stronger cybersecurity, and ways to stop criminals from “human hacking” their way into your systems. Available as audio on Apple | Spotify | Google | Anchor or as video on YouTube.
Feds Move Toward Mandatory Cybersecurity
I cannot overstate the significance of the Biden Administration’s plan for mandatory cybersecurity. Up to this point, we have had nothing but guidelines and voluntary compliance. Attitudes at the Federal level have clearly changed, and I am confident in predicting three things:
- We will not have workable standards any time soon. This is the nature of regulations. Expect a drawn-out process where government and the private sector argue over what cybersecurity means. Businesses will have to pivot quickly and repeatedly to keep up with regulations.
- Data encryption will be mandatory. Every organization needs to take a hard look at how and where data are stored. You will be required to ensure that data are encrypted at the storage level and whenever they travel across the Internet. Legacy systems and spreadsheets may need to go if they cannot be secured.
- You will be required to use a certified professional to meet mandates. In the same way that you need notaries, lawyers and CPAs, you will need to have a credentialed cybersecurity expert oversee the implementation of security measures and protocols. That will be an added expense and the price will rise as the requirement nears. Smart organizations will contract those services now and build a relationship with security providers to avoid a high-priced compliance scramble down the road.
Stay safe out there,
Robert & the Protect Now Team