
Protection of Information Assets

Temple University

MIS 5206.701 ■ Fall 2024 ■ David Lanter

Unit #6 – In The News

September 25, 2024 by David Lanter 14 Comments

Filed Under: Unit 06: Physical and Environmental Security

Comments

  1. Neel Patel says

    September 26, 2024 at 11:55 am

    Article: Data centers facing opposition over environmental concerns

    The increasing demand for cloud computing and AI is driving the global expansion of data centers. However, there are concerns about environmental damage, increased CO2 emissions, excessive energy and water usage, and local disruptions (noise and traffic). In response, developers are trying to mitigate these impacts by choosing less sensitive sites and converting industrial developments. The regulatory changes by new EU requirements and UK government support aim to ease the development process while promoting more sustainable practices.
    I chose this since it reminded me of the question relating to where to place a data center. Being sure to locate it in a region that is avoiding natural disasters is imperative.

    Link: https://cybernews.com/editorial/data-centers-opposition-environmental-concerns/

  2. Christopher Williams says

    September 28, 2024 at 8:06 pm

    Why insider attacks are indicative of a need for security convergence

    I came across an article that ties in well with this week’s lessons about merging physical and cyber security to create a stronger defense against various threats, particularly insider attacks.
    A major issue is that only 20% of businesses have fully integrated both physical and cyber security, despite the increasing number of breaches. Many companies focus on one type of security without considering how the two can complement each other. This lack of integration is risky, especially as insider attacks are on the rise.

    Some key points about insider threats:
    – 34% of businesses experience an insider attack annually, and these attacks have increased by 47% over the last two years. This shows that insider threats are evolving faster than current security measures can handle.
    – 74% of organizations feel vulnerable to insider attacks but still lack the necessary security systems to effectively address the risk.
    – 56% of insider attacks come from employees or partners, with 32% of these being intentional. This highlights the need for businesses to create security systems that can handle both accidental and deliberate threats.

    The main takeaway is that insider threats are increasing rapidly, and businesses can’t rely on just one form of security. By integrating both physical and cyber security, they can cover more areas of vulnerability and keep their data more secure. If one system has a weakness, the other can help fill the gap.

    https://www.securitymagazine.com/articles/100891-why-insider-attacks-are-indicative-of-a-need-for-security-convergence

  3. Jocque Sims says

    September 29, 2024 at 1:04 am

    In the News – What Is The Most Overlooked Factor When Installing Physical Security

    Brief Summary: The article emphasizes often overlooked considerations when implementing physical security systems. It stresses the importance of planning for future expansions as a cost-saving strategy, fostering close collaboration between security and IT stakeholders to deliver significant value to both security and business operations, ensuring strategic camera placement and quality, and establishing a follow-up process after installation to ensure ongoing effectiveness.

    Planning for future expansion can enhance the value of existing technology by automating operations and simplifying the management of separate solutions. Collaborative efforts between security and IT stakeholders, along with maintaining an inventory of resources and implementing adequate lifecycle management, are recognized for maximizing a company’s investment and ensuring optimal system performance.

    Cameras play a critical role in maximizing the system’s cross-departmental value. They enhance the effectiveness of supporting technologies such as metadata extraction and face/license plate recognition. Neglecting proactive, ongoing maintenance, as well as failing to regularly update and test security risks, can lead to exploitable vulnerabilities.
    Works Cited

    Anderson, L. (2024, August 21). What Is The Most Overlooked Factor When Installing Physical Security? Retrieved from Security Informed: https://www.securityinformed.com/insights/overlooked-factor-installing-physical-security-co-227-ga-co-723-ga-co-2566-ga-co-4022-ga-co-4559-ga-co-8173-ga-co-9887-ga-co-1552977087-ga-co-1579177526-ga-co-1582238342-ga-co-1584600779-ga-co-1639390230-ga-off.17

  4. Andrea Baum says

    September 29, 2024 at 7:01 pm

    Timeshare Owner? The Mexican Drug Cartels Want You

    https://krebsonsecurity.com/2024/09/timeshare-owner-the-mexican-drug-cartels-want-you/#more-68943

    The FBI is warning timeshare owners about a telemarketing scam linked to a Mexican drug cartel that preys on victims by offering to buy their timeshares. A retired Canadian couple, the Dimitruks, fell victim to this scam, losing over $50,000 after receiving a call in late 2022 from a supposed buyer in Mexico. Over the course of nearly a year, they were asked to wire money for various “fees” and taxes while dealing with a fake escrow company. Despite their suspicions, the scammers reassured them repeatedly, even claiming to have fired “bad employees.” The FBI later revealed that the scam is linked to the Jalisco New Generation Cartel, which operates call centers targeting timeshare owners. The Dimitruks have not yet reported the scam to the authorities, though filing a report could help prevent similar incidents. The FBI urges victims of such scams to report to the Internet Crime Complaint Center (IC3).

  5. Brittany Pomish says

    September 29, 2024 at 8:40 pm

    Title: Millions of Kia Cars Were Vulnerable to Remote Hacking

    Security researchers discovered vulnerabilities in a website for Kia vehicle owners that could allow attackers to remotely control key vehicle functions using just the car’s license plate within 30 seconds.

    The flaws also allowed attackers to harvest personal information such as name, address, email, and phone number, and create a second user on the vehicle without the owner’s knowledge or alter the primary user information. The newly acquired access allowed the researchers to retrieve the personal information of a user, then replace the user’s email address and add themselves as the primary account holders, which then allowed them to send arbitrary commands to the vehicle.

    Kia acknowledged the issues in June 2024 and implemented a fix by mid-August. The vulnerabilities could affect nearly any Kia vehicle made after 2013.

    https://www.securityweek.com/millions-of-kia-cars-were-vulnerable-to-remote-hacking-researchers/

  6. Aisha Ings says

    October 1, 2024 at 5:59 pm

    Title: T-Mobile to Pay Millions to Settle with FCC Over Data Breaches

    T-Mobile has reached an agreement with the FCC regarding four data breaches that exposed the details of many customers over the years between 2021 and 2023. The breaches exposed sensitive and personal information including names, addresses, Social Security numbers, and customer proprietary network data (CPNI). The company’s largest breach took place in August 2021 and affected a total of 76 million people.

    The FCC’s investigation found that T-Mobile did not adequately safeguard customer data and permitted third-party entry to CPNI while neglecting to follow adequate security practices. As a part of the settlement, T-Mobile will pay $15.75 million in fines and also invest another $15.75 million towards enhancing its cybersecurity over the next two years. The company must also implement a security program that includes zero trust architecture, network segmentation, and multi-factor authentication while regularly updating stakeholders on its progress.

    T-Mobile claims it has voluntarily enhanced its security measures since 2021, engaging internal and external experts to improve controls and processes.

    The fact that T-Mobile has had a data breach every year since 2021 makes me wonder about the effectiveness of its security controls, the strength of its security infrastructure and how frequently it undergoes audits, if at all.

    https://www.securityweek.com/t-mobile-to-pay-millions-to-settle-with-fcc-over-data-breaches/

  7. Vincenzo Macolino says

    October 1, 2024 at 6:47 pm

    Article: Drought Stricken Communities Push Back Against Data Centers

    This article came about after an $800 million data center was approved to be built in Arizona. At the time (2021), Arizona was facing the largest drought that it had seen in 126 years, and the article states that the state was on “Red Alert” in terms of how dry the state was. The issue with this specific data center is that it required over a million gallons of water a day to keep the computers inside the data center cool. This issue is not just in Arizona, but also in other states such as South Carolina, where they face extreme heat and dryness. The article mentions that across the country more data centers are being approved because as a country we are using more data. However, the issue is that many companies are building data centers in dry states because they are less vulnerable to natural disasters, and are also closer to solid infrastructure. These data centers require a large amount of water to cool the computers, and now the cities in which these data centers are being built are facing the consequences of lacking water. My response to the article is questioning what state is the best for a data center. States with a lot of moisture are too hot and face threats like hurricanes, and the states that are dry need water for the people living there. It seems this issue is only going to continue.

    https://www.nbcnews.com/tech/internet/drought-stricken-communities-push-back-against-data-centers-n1271344

  8. Dawn Foreman says

    October 1, 2024 at 7:47 pm

    Hackers may have stolen your Social Security number in a massive breach. Here’s what to know.
    https://www.cbsnews.com/news/social-security-number-leak-npd-breach-what-to-know/

    It appears that millions of individuals in the United States had their Social Security numbers leaked from nationalpublicdata.com (NPD is a background check company). There was a lawsuit filed in August by a California resident alleging his identity theft protection service alerted him that his personal information had been leaked to the dark web by the “nationalpublicdata.com” breach.
    The breach allegedly occurred around April 2024, with a hacker group called USDoD who leaked a version of the stolen NPD data for free on a hacking forum. That hacker claimed the stolen files include 2.7 billion records, with each listing a person’s full name, address, date of birth, Social Security number and phone number.
    McAfee, an information security company, reported that it hasn’t found any filings with state attorneys general. Potential victims of the breach were also not notified. NPD posted an alert about the breach on its website, stating that it believes the information breached includes names, email addresses, phone numbers, Social Security numbers and mailing addresses. The issue with this is, if you did not know NPD had your information, how would you know to check? Additionally, victims should be notified individually.

    According to USA Today, a cyber security firm is offering a free tool to check if your Social Security number or personal information was breached.
    https://www.usatoday.com/story/tech/2024/08/17/social-security-hack-national-public-data-confirms/74843810007/

  9. Ericberto Mariscal says

    October 1, 2024 at 8:08 pm

    Article: Researcher Finds Over 60 Vulnerabilities in Physical Security Systems

    A researcher has discovered more than 60 vulnerabilities across 20 physical security products, including critical flaws that can be exploited remotely to take complete control of a device. The researcher used a timeboxed approach and manual testing to identify vulnerabilities in 28 video management systems and 13 access control systems. He was able to identify 23 remote code execution vulnerabilities, 16 injection issues (SQL, XAML and command injection), 14 arbitrary file upload/download flaws, and 12 instances of hardcoded passwords and private keys. Some vulnerabilities could be exploited using common free tools, while other small custom exploits were needed such as C#, PowerShell or Python. These vulnerabilities can be exploited by a remote attacker, directly from the internet and without authentication, to take complete control of the targeted machine. I think this article is important as even though physical security such as security cameras are implemented, it invites more vulnerabilities that can be exploited.

    Link: https://www.securityweek.com/researcher-finds-over-60-vulnerabilities-physical-security-systems/

  10. Benjamin Rooks says

    October 1, 2024 at 8:24 pm

    Article: Hurricane Helene damages could hit $35 Billion

    With the latest natural disaster to hit American shores, we need to be more aware than ever about the problems we as data security professionals will face as we move forward. With climate change making these issues worse, we need to make certain that when we have the ability to push for climate-resilient models that we do so. Obviously these damages are not just affecting IT infrastructure, but I wouldn’t be surprised if, at least not now but in the near future, companies’ losses from natural disasters eclipse those from data breaches.

    https://www.axios.com/2024/10/01/hurricane-helene-damages-35-billion

  11. Cyrena Haynes says

    October 1, 2024 at 8:59 pm

    Article: US to ban Chinese tech in cars

    The U.S. plans to ban certain Chinese and Russian hardware and software from vehicles due to security concerns, fearing potential remote manipulation of cars. Although such technology is minimally used in U.S. vehicles, the move is a proactive step to safeguard national security. The software ban will take effect in 2027, with hardware restrictions following three years later to allow for supply chain adjustments as many companies will need to find new suppliers. This article stresses the cybersecurity risks posed by modern vehicles’ connectivity features. It also underscores the importance of keeping physical infrastructure and networks separate to minimize damage from potential hacks. Where separation isn’t possible, legal safeguards should be implemented.

    Source: https://www.bbc.com/news/articles/cwyegl8q80do

  12. Nelson Ezeatuegwu says

    October 1, 2024 at 9:17 pm

    How to ensure security without compromising privacy

    This article talked about how to find the balance between securing an organization and protecting individual privacy. The gold standard for ensuring privacy is a framework developed by the former Privacy and Information Commissioner for Ontario, Dr. Ann Cavoukian. It’s called Privacy by Design and is the basis for the General Data Protection Regulation (GDPR) and other privacy laws.
    The Privacy by Design framework defaults to the highest levels of privacy protection. Security leaders can collect and store only the information needed and limit access to sensitive data. Security leaders can also fine-tune who can access sensitive data, define how long this data is held, and under what circumstances it’s deleted. Having encryption built in is also an example of privacy by design. Captured data is automatically encrypted. Only operators with the correct credentials can view it. Some companies have a “four eyes” principle, requiring two people to provide credentials to access the information. The last is privacy masking. For privacy-related video surveillance applications specifically, consider privacy masking. A privacy mask hides or anonymizes a part of the video. This is done to protect the privacy of individuals or sensitive information within a monitored space.
    https://www.securitymagazine.com/articles/101040-how-to-ensure-security-without-compromising-privacy

  13. Tache Johnson says

    October 1, 2024 at 10:37 pm

    Hurricane Helene, a category 4 storm, caused widespread cellular outages across several Southeastern U.S. states, including Florida, Georgia, and the Carolinas. The hurricane has left more than two million people without power. Major carriers like AT&T, Verizon, and T-Mobile dispatched recovery teams, facing challenges like fiber cuts and extensive damage to cell towers. AT&T received over 100 emergency connectivity requests, while Verizon deployed satellite assets for temporary connection. Additionally, Spectrum reported outages due to damage at its regional data center in South Carolina, affecting customers across multiple states. Some communities turned to Starlink satellite broadband as an alternative, providing free internet access during recovery efforts.

    https://www.datacenterdynamics.com/en/news/hurricane-helene-causes-cellular-outages-across-several-us-states/#:~:text=The%20company%20noted%20that%20network,Tennessee%2C%20Kentucky%2C%20and%20Ohio.

  14. Gbolahan Afolabi says

    October 1, 2024 at 11:02 pm

    New Critical Password Warning—86% Of All Router Users Need To Act Now

    This article revealed that 86% of users have not changed their admin password on their router.
    This is a big security risk for the average consumer because the credentials are similar for most routers across different manufacturers. It is recommended for users to change their generic passwords to strong and complex ones so as to not leave a backdoor open for threat actors to wreak havoc on home networks.

    The article also claims that 89% of users do not update the firmware of their routers. One of the most efficient ways for corporations to close vulnerabilities is by implementing frequent patches or firmware upgrades. Everyday consumers should take the same approach to keeping their network secure by regularly upgrading their router’s firmware versions. It is a way for manufacturers to introduce new capabilities, bug fixes, and close vulnerabilities.

    This article makes known the backdoor vulnerabilities available for exploitation by threat actors and announces that endpoints are not the only vulnerabilities that can compromise an entire network.

    Source: https://www.forbes.com/sites/daveywinder/2024/10/01/new-critical-password-warning-86-of-all-router-users-need-to-act-now/

