July 19, 2022
Good morning, everyone!
Patch All the Things!
Think Before You Click
You’ve heard me say this before! Here's another good example in the news: Last week Microsoft revealed details of a phishing campaign that targeted over 10,000 organizations in the past year, which actually bypassed the protections of 2FA:
Once the authentication was completed, the threat actor stole the session cookie the legitimate site sent, so the user doesn't need to be reauthenticated at every new page visited.
In the days following the cookie theft, the threat actors accessed employee email accounts and looked for messages to use in business email compromise scams, which tricked targets into wiring large sums of money to accounts they believed belonged to co-workers or business partners. The attackers used those email threads and the hacked employee's forged identity to convince the other party to make a payment.
So, now we know that while 2FA is still the single most important thing you can do to protect online accounts, we have been reminded that you have to protect those accounts from YOU also! Think before you click.
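The attack described above works because the stolen session cookie is accepted by the site no matter who presents it. One thing a defender can do on the server side is watch for a session that completed 2FA from one client and is then used from a different one. The script below is an added example, not from Microsoft's report or this newsletter: the log format, field names (sid, ip, ua), the mfa_ok event and the sample lines are all constructed for illustration. It flags any session used from a different IP address or browser than the one that finished 2FA within a seven-day window, which matches the "days following the cookie theft" pattern above.

```python
"""Flag session cookies reused from a client other than the one that
completed 2FA.  Added example with a constructed log format."""
from datetime import datetime, timedelta

# Constructed sample access log: timestamp, event, user, then key=value
# fields.  'mfa_ok' marks the moment 2FA succeeded and the session cookie
# (sid) was issued; 'page' is an ordinary authenticated request.
SAMPLE_LOG = """\
2022-07-12T08:01:10Z mfa_ok alice sid=9f3c ip=203.0.113.10 ua=Firefox/102
2022-07-12T08:02:41Z page alice sid=9f3c ip=203.0.113.10 ua=Firefox/102
2022-07-14T11:09:05Z page alice sid=9f3c ip=198.51.100.77 ua=Chrome/103
2022-07-14T11:10:30Z page alice sid=9f3c ip=198.51.100.77 ua=Chrome/103
2022-07-12T09:00:00Z mfa_ok bob sid=41aa ip=192.0.2.5 ua=Safari/15
2022-07-12T09:05:00Z page bob sid=41aa ip=192.0.2.5 ua=Safari/15
"""


def parse_line(line):
    """Turn one constructed log line into a dict of its fields."""
    ts, event, user, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "event": event,
        "user": user,
        **fields,
    }


def find_hijacked_sessions(log_text, window=timedelta(days=7)):
    """Return one alert per (session, new client) where a session issued
    at 2FA completion is later presented by a different IP/user agent
    within `window` of the 2FA event."""
    origin = {}      # sid -> (mfa timestamp, ip, ua) that completed 2FA
    seen = set()     # (sid, ip, ua) already alerted, to avoid duplicates
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        sid = rec["sid"]
        if rec["event"] == "mfa_ok":
            origin[sid] = (rec["ts"], rec["ip"], rec["ua"])
            continue
        if sid not in origin:
            continue            # session predates the log window; skip
        mfa_ts, mfa_ip, mfa_ua = origin[sid]
        client = (rec["ip"], rec["ua"])
        if client == (mfa_ip, mfa_ua):
            continue            # same client that passed 2FA
        if rec["ts"] - mfa_ts > window:
            continue            # outside the window we care about
        key = (sid, *client)
        if key in seen:
            continue
        seen.add(key)
        alerts.append({
            "user": rec["user"],
            "sid": sid,
            "mfa_ip": mfa_ip,
            "new_ip": rec["ip"],
            "new_ua": rec["ua"],
            "hours_after_mfa": round((rec["ts"] - mfa_ts).total_seconds() / 3600, 1),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_hijacked_sessions(SAMPLE_LOG):
        print("possible session hijack:", alert)
```

In the sample, alice's session is issued to a Firefox client on one address and then reused two days later from a Chrome client on another, which produces a single alert; bob's session stays with its original client and produces none. A real deployment would enrich the comparison with ASN or geolocation rather than raw IP, since mobile users change addresses legitimately, and would feed the alert into a step that invalidates the session and forces fresh 2FA rather than just logging it.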
Ransomware is expensive
I think you all know this by now, eh? But it bears repeating, especially if you are leaning on your cyber liability insurance to cover you.
Maastricht University in the Netherlands recently recovered bitcoin it paid in ransom in 2019. The value when they paid was approximately $200,000 and now it’s worth upwards of $500,000 because of the rise in bitcoin values. But guess what?
The university noted that even the gain of $300,000 was not enough to offset the total cost of recovering from the attack.
Get that? Even after recovering double the ransom it paid, the university still found the attack more expensive than the recovered amount. Remember: be as secure as you can be, as compliant as you can afford to be, and then buy insurance to help transfer risk.
Amazon admits to giving away Ring data without user consent
You know how Amazon has said over and over again that they won’t give out your Ring doorbell data without your consent? Well, that’s not true:
The Amazon company responded to an inquiry from US Senator Ed Markey (D-Mass.), confirming that there have been 11 cases in 2022 where Ring complied with police "emergency" requests. In each case, Ring handed over private recordings, including video and audio, without letting users know that police had access to—and potentially downloaded—their data.
Just be aware, if you have one of these devices, that audio and video are being recorded and may be accessed by third parties without your knowledge or consent.
Be safe this week! (and always 😉)
Talk to you again soon!
Security Awareness Training Available Here, There, Everywhere!
Thanks to COVID-19, lots of things went virtual, including my employee Security Awareness Training. Live training made a comeback a few months ago, but many organizations are retreating. No worries. Wherever you and your employees may be, I can deliver an interesting and informative training session in whatever format you prefer.
Contact me to schedule your employee training sessions. They're fun! ☺