Cyber Oregon News Roundup: Scariest hacks, tips to manage phishing, extending cybersecurity to vendors

Editor’s Note: This is your cyber news roundup with the latest cybersecurity news and tips from the Cyber Oregon team to help you and your organization stay safe online and protect your digital assets. We examine cybersecurity news and developments from across the Northwest and the Nation that are important to all Oregonians including individuals, businesses, non-profit organizations, government entities, and educational institutions. Sign up to receive ongoing updates here.

What are some of the top hacks and vulnerabilities in 2019? Taking a look back at cybersecurity this year – eek! It has been a banner year for cybersecurity threats and hacks with exploits, backdoor hacks, and data breaches affecting users, companies, and governments around the world. There have been supply-chain attacks, corporate ransomware, and high-profile government hacks, as well as hacks and malware on our devices, in our applications, at our gas station, on our planes. In his ZDNet article, The Scariest Hacks and Vulnerabilities of 2019, reporter Catalin Cimpanu gives a complete rundown of the past 10 months of security disasters that would scare anyone. Cyber threats abound. Here’s a snapshot:

  • Severe vulnerabilities in Apple FaceTime
  • Hackers steal data from South Korea’s Defense Ministry
  • Oklahoma data leak exposes FBI investigation records
  • Iranian hackers suspected in worldwide DNS hijacking campaign
  • Websites can steal browser data via extensions APIs
  • Malware found preinstalled on Android devices
  • New malware can make ATMs spit out cash
  • Hiding malware using the CPU
  • Hackers take tornado sirens offline before major storm
  • Chrome zero-day under active attacks
  • Hacks at French gas stations
  • Smartphone unlocking
  • United Airlines covers up seat cameras
  • Tens of thousands of cars left exposed to thieves
  • The Weather Channel goes off the air for 90 minutes after ransomware infection
  • Facebook admits to storing plaintext passwords for millions of Instagram users
  • Indian government agency left details of millions of pregnant women exposed online
  • Unsecured server exposes data for 85% of all Panama citizens
  • Google replaces faulty Titan security keys
  • London Underground to begin tracking passengers through Wi-Fi hotspots
  • Hackers breached 10 telecom providers
  • NASA hacked because of unauthorized Raspberry Pi connected to its network
  • Hackers put patient data for sale online
  • Vulnerabilities found in GE anesthesia machines
  • Louisiana governor declares state emergency after local ransomware outbreak
  • Employees connect nuclear plant to the internet so they can mine cryptocurrency
  • Moscow’s blockchain voting system cracked a month before election
  • U.S. military purchased $32.8M worth of electronics with known security risks
  • Database leaks data on most of Ecuador’s citizens
  • Massive wave of account hijacks hits YouTube creators
  • Ransomware incident to cost company a whopping $95 million
  • Alexa and Google Home devices leveraged to phish and eavesdrop on users

Phishing attacks on the rise; how to protect your business

One attack method that continues to gain momentum is phishing. Nearly one third of all data breaches involve phishing, according to Verizon’s 2019 Data Breach Investigations Report. And phishing is not just hitting companies. Research indicates that phishing was present in 78% of cyber espionage incidents and the installation and use of backdoors. Lance Whitney explains in his TechRepublic article that cybercriminals who employ phishing as their attack method use various tricks and techniques to lure their victims into divulging private information. He says, “Cybercriminals are leveraging some of the world’s largest tech companies to trap users.” A recent report, Akamai 2019 State of the Internet/Security Phishing: Bating the Hook, states that criminals are exploiting top global brands and their users through highly organized and sophisticated phishing operations, with users of Microsoft, PayPal, DHL, and Dropbox as the biggest targets for phishing attacks. Akamai offers these tips for businesses to protect themselves against phishing attacks:

  1. Awareness training. You can and should train your employees to spot and report basic and generic phishing attacks. Cybercriminals have learned to adapt to basic awareness training models. In fact, targeting the natural workflow of an intended victim is how phishers have been able to launch more business email compromise attacks.
  2. Phishing simulations. A good defense requires a good offense. As such, phishing simulations can help organizations better protect themselves and decrease the odds of a security incident. However, such simulations should be customized to the individual or business unit. For example, a phishing simulation sent to people in human resources could spoof resumes for a recent job posting. A simulation sent to sales employees could spoof lead generation responses following a recent event.
  3. Endpoint protection. Beyond training and simulations, protecting your endpoints is another way for you to stay ahead of the phishing game.

What about your vendors’ cybersecurity practices?

While you have been focused on implement cybersecurity practices within your organization, have you considered your third parties that you do business with? Any organization outside of your company that provides a product or service and has access to your system could put you at risk: cloud providers, professional services, payment processor, payroll, etc. If cybersecurity incidents occur as a result of these third-party relationships, it’s the companies themselves that are on the hook for regulatory fines, penalties, and reputation, according to ZDNet article, Extending cybersecurity awareness of the third-party ecosystem. Alla Valente, an analyst at Forrester, recommends that organizations:

  1. Create and maintain a central repository for third-party relationships.You can’t manage what you can’t measure and won’t be able to thoroughly assess the risk of each relationship if you don’t know how many third-parties you have or who those third-parties are. More than half of all organizations don’t keep an active catalog of third-parties.
  2. Think beyond outdated nomenclature that limits your scope and creates blind spots.Third-parties go by many names: vendor, supplier, IT service provider, affiliate, associate, consultant, etc. Don’t limit cybersecurity assessment to software vendors alone. With digital transformation and IoT, almost every single third-party relationship involves storing, processing, or transmitting sensitive data.  Think of every relationship as a link along the value chain, including your HVAC repair technician.
  3. Take cybersecurity precautions at the end of the relationship.For many organizations, one critical step is missing from their third-party cybersecurity process. Very often, they overlook or forget to terminate the third-parties access to critical systems when a contract is completed. The offboarding process is essential for mitigating downstream risks. Create a process whereby the owner of the third-party relationship notifies the proper channels before announcing contract termination, this way, security can monitor for irregular access – in case the third-party wants to take any souvenirs at your expense — and ensure access has been terminated at the end of the contractual period.

Cyber Oregon partner blog of interest