Erskine Payton says
Erskine Payton
In the News Article- Week 4
MIS 5206
Temple University
Retool blames breach on Google Authenticator MFA cloud sync feature
Software company Retool reported last week that 27 cloud customers were compromised following a targeted, multi-stage social engineering attack. Retool is a development platform used by everyone from novice users to titans of the industry. It was revealed that the hacked accounts were all in the cryptocurrency industry, so this was very targeted in scope. The attackers bypassed multiple security controls using SMS phishing and social engineering to compromise an IT employee’s Okta account, utilizing a URL impersonating Retool’s internal identity portal that was launched during a previously announced migration of logins to Okta.
It mentions that most of the users ignored the message, but there is always one. The user clicked a fictitious link, completing the fraudulent MFA form. The hacker then called the help desk, “deep faking” the user’s voice, and the help desk provided them with an MFA code, granting them access. Retool is blaming the hack on a new feature in Google Authenticator that allows users to synchronize their 2FA codes with their Google account. When alerted to the breach, Retool leapt into action. I just think it is unfair to blame Google when your employee was negligent and was deceived by a social engineering attack. With something this embarrassing you need to point fingers at someone, but Retool is pointing at the wrong people.
https://www.bleepingcomputer.com/news/security/retool-blames-breach-on-google-authenticator-mfa-cloud-sync-feature/amp/
Chidi Okafor says
Chidiebere Okafor
Week 4 – In the news
Article – The U.S. Is Less Prepared to Fight Cybercrime Than It Could Be
Summary – Cybercrimes in the United States have caused massive financial losses, endangering public safety and economic security. Victims range from individuals and schools to businesses, utilities, and governments. Ransomware attacks have targeted schools, leading to substantial monetary losses and disruptions in education. Additionally, federal agencies like the U.S. Marshals Service have fallen victim to cyberattacks, compromising sensitive information.
Federal law enforcement agencies are working to combat cybercrimes, but they face challenges due to the complex nature of these crimes. Cybercriminals can operate anonymously, across state and international borders, making tracking and detection difficult. Victims often hesitate to report cybercrimes due to uncertainty about who to contact and concerns about reputation damage. Even when reported, inconsistencies in how federal agencies define cybercrimes hinder information sharing and coordination. Moreover, there is no centralized repository for cybercrime data, limiting law enforcement’s ability to understand the scope and nature of cybercrimes.
In response, Congress mandated the Department of Justice to develop standardized categories for cybercrimes, enabling agencies to better classify and track incidents. The department is working on implementing this requirement and plans to create a cybercrime-specific category for the FBI’s National Incident-Based Reporting System. These efforts aim to provide law enforcement with better tools to collect accurate and comprehensive data on cybercrimes, ultimately improving their ability to combat these threats to American society and individuals.
Link – https://www.gao.gov/blog/u.s.-less-prepared-fight-cybercrime-it-could-be
Ikenna Alajemba says
Three actively exploited zero-day vulnerabilities affecting iOS, iPadOS, macOS, watchOS, and Safari have been fixed by Apple in yet another batch of security updates, bringing the total number of zero-day vulnerabilities found in Apple’s software this year to 16.
The following is a list of security flaws:
A Security framework bug, CVE-2023-41991, which affects certificate validation, could make it possible for malicious software to avoid signature validation.
A vulnerability in the Kernel that can let a local attacker gain elevated privileges is CVE-2023-41992.
During the processing of specially crafted web content, a WebKit issue, CVE-2023-41993, could lead to arbitrary code execution.
The only additional information provided by Apple was a statement saying that the “issue may have been actively exploited against versions of iOS before iOS 16.7.”
https://thehackernews.com/2023/09/apple-rushes-to-patch-3-new-zero-day.html
Alex Ruiz says
Title: Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics
Summary: Researchers have discovered a new sophisticated computer malware called Deadglyph, used by a cyber espionage group known as Stealth Falcon. What sets Deadglyph apart is its complex structure, consisting of two separate parts that communicate with each other, a feature uncommon in malware. This design aims to make it more challenging for cybersecurity experts to analyze and understand the malware’s functionality. Stealth Falcon, a group with a history of targeting individuals critical of the Middle East’s ruling powers, has a track record of using advanced techniques and exploiting software vulnerabilities. Deadglyph is their latest tool, equipped with evasive mechanisms to avoid detection and capable of performing various covert tasks. This discovery underscores the increasing sophistication of cyber espionage activities conducted by the Stealth Falcon group.
Link: https://thehackernews.com/2023/09/deadglyph-new-advanced-backdoor-with.html
Michael Obiukwu says
Air Canada says hackers accessed limited employee records during cyberattack:
In a heart-stopping revelation, Air Canada, the aviation giant, has been struck by an insidious and malevolent cyberattack. Unyielding hackers have managed to breach the fortress of this esteemed company, gaining illicit access to a treasure trove of limited employee records. With trembling hands, Air Canada admits that this audacious intrusion has left them shaken to their very core.
Like unseen phantoms cloaked in shadows, these nefarious hackers were able to embed their poisonous codes into the company’s digital infrastructure, fearlessly infiltrating its impenetrable defenses. For a brief but perilous interlude, they reveled in a clandestine dance of infiltration. And as they vanished into the virtual ether, they brazenly left a haunting silence that resonated with the magnitude of their audacity.
Within the boundaries of their breach, these cyber bandits plundered a limited yet significant cache of employee records, as if laying claim to their victims’ digital souls. The affected records, carefully curated over time, served as an invaluable testament to the lives and identities of Air Canada’s workforce. It is a violation wholly unparalleled, sending shivers down the spines of those who trusted their esteemed employer with the sacred guardianship of their personal information.
Now, as the company grapples with the aftermath of this malicious act, Air Canada must confront the chilling reality that they were mere pawns in a cyber warfare, exploited and blindsided by an unforgiving foe. With an unwavering commitment to protect their employees and restore their trust, Air Canada has pledged to heed the call for increased security measures. For they know that the weight of this treachery can only be lifted by dedicating every fiber of their being to ensuring the safety of their flock.
In this digital battleground, it is not only Air Canada’s honor that is at stake but the very foundation of trust that underpins modern society. It is a stark reminder that even the mighty can fall victim to unseen adversaries lurking in the shadows, waiting for their moment to strike.
https://therecord.media/air-canada-limited-employee-info-accessed
Michael Obiukwu
MS ITACS / Fall 2023
Jeffrey Sullivan says
https://www.securityweek.com/security-awareness-training-isnt-working-how-can-we-improve-it/
Security Awareness Training Isn’t Working – How Can We Improve It? – Security Week
This article was surprising to me when I read the title, so I decided to give it a read. The beginning of the article goes on about how phishing is the most talked-about topic, etc., but what caught me by surprise was how Thomas Kinsella, co-founder and chief customer officer at Tines, states, “Security awareness training does not work. Does it stop 100% of breaches? Obviously not. But the larger problem is that organizations push the sole responsibility for preventing a breach onto employees by mandating training and punishing anyone who fails.” He then says that punishing anyone who fails is a separate issue and that awareness programs and training can have the opposite effect on employees. Now that I have been taking these classes for a few weeks, the one thing that has stood out for me is effective communication and business continuity: getting the buy-in not just from top executives, but from the whole organization. Bec McKeown, founder of psychology at Mind Science, stated, “It is not a user’s job to worry about cybersecurity; that’s the job of the cybersecurity team.” I would like to counter that and ask about places of employment that have bathroom signs saying employees must wash their hands after using the restroom. Like a couple of the students pointed out in their posts this week, cybersecurity is a people problem. We are all in it together, and we need to get on board to combat these issues. The article then points out that security awareness should go together with behavioral training and a layered approach: “Do not stop at awareness; the level you want to get to is ‘behavior change.’” Cybersecurity must become second nature to all employees, whether at work or at home, as Metcalfe states. That is a great point, as it just doesn’t stop at your job: anyone who has a device that connects to the internet has a responsibility to take this seriously.
Ashley A. Jones says
Following! I just stated this in another post, but the connection between this statement, “But the larger problem is that organizations push the sole responsibility for preventing a breach onto employees by mandating training and punishing anyone who fails,” and this statement, “He then says that punishing anyone who fails is a separate issue and that the awareness programs and training can have an opposite effect on employees,” is such an eyesore. There is obviously a greater issue at hand within many of these organizations. Nobody wants to deal with this, but they must deal with it, just like many other pressing problems in this economy that are coming to light.
Jeffrey Sullivan says
Like insurance. No one wants to pay for it until there’s an accident.
Akintunde Akinmusire says
https://thehackernews.com/2023/09/new-variant-of-banking-trojan-bbtok.html
New Variant of Banking Trojan BBTok Targets Over 40 Latin American Banks
According to a new report, there is active banking malware targeting users in Latin America, particularly users in Brazil and Mexico. The malware tricks users into entering their 2FA code or card details by replicating the interfaces of their banks. BBTok is generated by custom server-side PowerShell scripts and distributed through phishing emails that contain various file types. BBTok is Windows-based banking malware that surfaced in 2020. It has the capability to enumerate and kill processes, issue remote commands, manipulate the keyboard, and serve fake login pages for banks operating in the two countries. To avoid detection, attackers use techniques such as living-off-the-land binaries (LOLBins) and geofencing checks to make sure that the targets are only from Brazil or Mexico. The main goal of the attackers is to steal bank users’ credentials in order to take over their accounts.
Kelly Conger says
Kelly Conger
Week 4 In The News
https://www.bleepingcomputer.com/news/security/hotel-hackers-redirect-guests-to-fake-bookingcom-to-steal-cards/
With proper training, this breach could have been avoided. A trained eye for potential phishing emails would have noticed that the website the link was referencing was not booking.com, but a malicious website named guest-approval[.]info. The phishing attack was responsible for multiple credit card numbers being stolen.
Marc Greenberg says
CISA and NFL Collaborate to Secure Super Bowl LVIII
Marc Greenberg in the news. – Week 4
https://www.infosecurity-magazine.com/news/cisa-nfl-secure-super-bowl/
CISA, the NFL, and other partners conducted a cybersecurity exercise. This is to help prepare for cybersecurity responses. The plan is for the parties involved to review their plans and respond to an attack. Point-of-sale systems for purchasing at these events often use stadium Wi-Fi and mobile devices.
These types of activities are a great way for examining plans and procedures when responding to significant cyber incidents, like those depicted in the scenario.
The exercise scenario included hypothetical situations involving phishing, ransomware, a data breach, and potential insider threats.
As in our readings this week, this comes down to plans and education of those involved, knowing what to do and how to help prevent it, identifying, and reporting it.
The NFL and CISA have been doing this for 10 years now and continue to keep those involved aware as the Super Bowl moves to different stadiums and involves different teams.
Alyanna Inocentes says
Latest Cyber Threat: Quishing
https://www.shu.edu/technology/news/protect-yourself-from-quishing-attempts.html
The New Jersey Cybersecurity & Communications Integration Cell (NJCCIC) warns of QR code phishing (Quishing) scams. Scammers create fake QR codes in emails, impersonating IT departments, to trick users into revealing personal information. Additionally, scammers are using fake QR code stickers on top of legitimate ones to redirect people to fraudulent sites for payments. In order to keep ourselves safe, we need to check QR code URLs, ensure secure connections, and watch for red flags on websites.
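Both the booking.com look-alike in Kelly Conger’s post (guest-approval[.]info) and the “check QR code URLs, ensure secure connections, and watch for red flags” advice in this post come down to the same check: where does the link actually go? The script below is an added example written for this discussion, not code from any of the linked articles or from NJCCIC. It takes a URL (typed, pasted from an email, or decoded from a QR code), refangs defanged indicators, and reports red flags against a constructed allow-list `EXPECTED_DOMAINS`. The two-label “registrable domain” rule is a simplification (it does not handle suffixes like co.uk), and every sample link is constructed except guest-approval[.]info, which is the domain the earlier post names.

```python
"""Check whether a link's real destination matches the brand it claims to be.

Added example for this discussion thread (not from any linked article).
Sample links are constructed; guest-approval[.]info is from the earlier post.
"""
from urllib.parse import urlsplit

# Constructed allow-list: brand -> registrable domains it legitimately uses.
EXPECTED_DOMAINS = {
    "booking.com": {"booking.com"},
}


def refang(url: str) -> str:
    """Turn a defanged indicator (hxxps://x[.]y) back into a parseable URL."""
    return url.strip().replace("[.]", ".").replace("hxxp", "http")


def registrable_domain(host: str) -> str:
    """Naive registrable domain: the last two labels of the host.
    Assumption: ignores multi-part public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def destination_host(url: str) -> str:
    """Return the host the browser would really connect to.
    urlsplit().hostname drops userinfo (brand@evil) and the port."""
    parts = urlsplit(refang(url))
    if parts.scheme not in ("http", "https"):
        raise ValueError(f"unexpected scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("URL has no host")
    return parts.hostname


def link_matches_brand(url: str, brand: str) -> bool:
    """True only if the real destination is on the brand's own domain."""
    return registrable_domain(destination_host(url)) in EXPECTED_DOMAINS[brand]


def red_flags(url: str, brand: str) -> list:
    """List the warning signs a trained eye looks for; empty means clean."""
    parts = urlsplit(refang(url))
    host = (parts.hostname or "").lower()
    flags = []
    if parts.scheme != "https":
        flags.append("not https")
    if parts.username is not None:
        flags.append("userinfo before host")          # brand@evil.example trick
    if any(label.startswith("xn--") for label in host.split(".")):
        flags.append("punycode label")                 # possible homograph domain
    if registrable_domain(host) not in EXPECTED_DOMAINS[brand]:
        flags.append(f"destination {host} is not {brand}")
        if brand.split(".")[0] in host:
            flags.append("brand name used as decoy in host")  # booking.com.evil.example
    return flags


# Constructed sample links as they might appear in an email or a QR code.
SAMPLE_LINKS = [
    ("https://www.booking.com/myreservations", "booking.com"),
    ("hxxps://guest-approval[.]info/booking/confirm", "booking.com"),  # from the post
    ("https://booking.com.secure-login.example/verify", "booking.com"),
    ("https://booking.com@secure-login.example/verify", "booking.com"),
    ("http://www.booking.com/pay", "booking.com"),
]


def triage(links=SAMPLE_LINKS) -> list:
    """Return (url, matches_brand, flags) for each link."""
    return [(url, link_matches_brand(url, brand), red_flags(url, brand))
            for url, brand in links]


if __name__ == "__main__":
    for url, ok, flags in triage():
        print(("OK   " if ok else "FLAG "), url, flags)
```

Running the script prints one line per sample link; only the genuine booking.com link over HTTPS comes back clean, while the guest-approval[.]info link, the subdomain decoy, the userinfo trick and the plain-HTTP link each produce at least one flag. The same function applies unchanged to a URL decoded from a QR code, which is where the sticker-over-sticker scam in this post would be caught before any payment page loads.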
Andrew Young says
Article: Xenomorph Android malware now targets U.S. banks and crypto wallets
Security experts are warning of a new campaign by the “Xenomorph” malware to expand its targeting of banks and crypto wallets in the US. Xenomorph first began circulating in 2022 and uses background overlays to steal credentials from targets by monitoring and recording login credentials. While this malware has been in circulation for at least a year, experts are now concerned about a new pattern of bank and crypto targeting. Newer versions of the Xenomorph app have allegedly been using phishing pages to prompt downloads of the software and infect devices. These versions also come with new features that allow the software to better mask itself behind the façade of a genuine program, eliciting further user trust.
Security issues like these are all too common in our modern day, and with evolving threats such as Xenomorph, both IT professionals and users should remain vigilant for any suspicious activity relating to possible malware infections or system compromises.
Link: https://www.bleepingcomputer.com/news/security/xenomorph-android-malware-now-targets-us-banks-and-crypto-wallets/
Ashley A. Jones says
The U.S. Securities and Exchange Commission (SEC) Adopts Rules for Public Disclosure of Cybersecurity Incidents
The SEC has publicized its policy requiring public companies and foreign private issuers to publicly disclose material cybersecurity incidents that occur within their establishment. I find this news interesting since, from my understanding, making breaches publicly available has been a recommendation that has not been formally put into practice. I could be wrong here, but I could not find anything final on companies making breaches publicly available. Also, I find this news fascinating since I have come across many stories of “hacktivists” who will find vulnerabilities within a system and make them public after bringing it to the company’s attention to no avail. It seems those efforts may not have been done in vain. Merchants are owed transparency when a vendor’s protection of their data has been compromised. Unfortunately, there are too many large (and “well-renowned”) companies who still choose not to disclose cybersecurity incidents, due to the depth at which these attacks take place or simply because they do not want to acknowledge their fault in the incident, and now it seems the pressure is on. The articles shared are the SEC press release and a publication from the Dorsey & Whitney law firm.
Press Release: SEC.gov | SEC Adopts Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies – https://www.sec.gov/news/press-release/2023-139
Dorsey publication: New SEC Cybersecurity Rules Require Mandatory Disclosure | News & Resources | Dorsey – https://www.dorsey.com/newsresources/publications/client-alerts/2023/9/new-sec-cybersecurity
Akiyah says
I find this article relevant as it aligns with this week’s unit topic.
October is Security Awareness Month, and many organizations are gearing up to host security awareness events, send out reminders, and conduct security training sessions. They all share a common goal: to educate their clients, customers, and employees. While there are numerous security topics to cover, and each organization has its own list of priorities based on what they consider important or where they’ve experienced the most security incidents, there is one topic that consistently appears on every list: “Phishing.” Phishing schemes are currently at an all-time high, making education on this subject of utmost importance.
https://www.trendmicro.com/en_us/ciso/23/i/cybersecurity-awareness-month-4-actionable-tips.html
https://almanac.upenn.edu/articles/one-step-ahead-penn-celebrates-2023-national-cybersecurity-awareness-month
Unnati Singla says
Remote workers are more aware of cybersecurity risks than in-office employees: new study.
https://theconversation.com/remote-workers-are-more-aware-of-cybersecurity-risks-than-in-office-employees-new-study-207801
In a new peer-reviewed study, it was found that remote workers are more mindful of cybersecurity practices than in-office workers. The study explains that this has to do with the fact that remote workers feel more responsible for their security and equipment, as they are not in an office environment.
When employees work from the office, they expect security measures to already be in place, which makes them complacent about security risks. This might also cause them not to recognize certain risks or follow best practices.