I might like this kind of law, assuming a company can “create, maintain, and comply with a written cybersecurity program.” Who gets to say they are in compliance?
William Berglund, Robert J. Hanna and Victoria L. Vance of Tucker Ellis write:
Maintaining robust cybersecurity measures that meet government- and industry-recognized standards will provide businesses operating in Ohio with a legal defense to data breach lawsuits, if a bill recently introduced in the Ohio Senate becomes law.
Ohio Senate Bill No. 220 (S.B. 220), known as the Data Protection Act, was introduced to provide businesses with an incentive to achieve a “higher level of cybersecurity” by maintaining a cybersecurity program that substantially complies with one of eight industry-recommended frameworks. See S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.01 to 1354.05.
Compliance Standards To Be Met
Businesses that are in substantial compliance with one of the eight frameworks outlined in S.B. 220 would be entitled to a “legal safe harbor” to be pled as an affirmative defense to tort claims related to a data breach stemming from alleged failures to adopt reasonable cybersecurity measures. S.B. 220, Section 1, proposed Ohio Rev. Code §§ 1354.02(A) and (C), 1354.03; S.B. 220, Section 2(A).
Read more on Tucker Ellis.
This is the kind of article I advise my Computer Security students to share with their employers.
Phishers Are Upping Their Game. So Should You.
Not long ago, phishing attacks were fairly easy for the average Internet user to spot: Full of grammatical and spelling errors, and linking to phony bank or email logins at unencrypted (http:// vs. https://) Web pages. Increasingly, however, phishers are upping their game, polishing their copy and hosting scam pages over https:// connections — complete with the green lock icon in the browser address bar to make the fake sites appear more legitimate.
According to stats released this week by anti-phishing firm Phishlabs, nearly 25 percent of all phishing sites in the third quarter of this year were hosted on HTTPS domains — almost double the percentage seen in the previous quarter.
… Lay traps: When you’ve mastered the basics above, consider setting traps for phishers, scammers and unscrupulous marketers. Some email providers — most notably Gmail — make this especially easy.
(Related).
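One concrete form of the “lay traps” advice above is to hand each vendor its own tagged address (Gmail delivers `user+tag@gmail.com` to `user@gmail.com`), so that a phishing message arriving at a tagged address tells you which vendor’s list leaked. The script below is an added illustration, not code from the quoted article or from any email provider; the tagged-address convention, the constructed sample messages and the `EXPECTED` mapping of tag to legitimate sender domain are all assumptions made for the example.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample messages (not real mail). Each was delivered to a
# tagged trap address of the form jane+<tag>@example.com.
SAMPLE_MESSAGES = [
    "From: Acme Shop <orders@acme-shop.example>\n"
    "To: jane+acme@example.com\nSubject: Your receipt\n\nThanks for your order.\n",
    "From: Security Team <alert@verify-alerts.example>\n"
    "To: jane+acme@example.com\nSubject: Verify your account\n\n"
    "Click https://verify-alerts.example/verify now.\n",
    "From: Security Team <alert@verify-alerts.example>\n"
    "To: jane+newsletter@example.com\nSubject: Verify your account\n\n"
    "Click https://verify-alerts.example/verify now.\n",
    "From: Weekly News <news@newsletter.example>\n"
    "To: jane+newsletter@example.com\nSubject: This week\n\nHello.\n",
]

# Which sender domain legitimately holds each trap address (assumed for the example).
EXPECTED = {"acme": "acme-shop.example", "newsletter": "newsletter.example"}

# local+tag@domain; the tag is everything between the first '+' and the '@'.
TAG_RE = re.compile(r"^(?P<local>[^+@]+)\+(?P<tag>[^@]+)@(?P<domain>.+)$")


def extract_tag(address):
    """Return the +tag of a tagged address, or None when the address has no tag."""
    m = TAG_RE.match(address.strip().lower())
    return m.group("tag") if m else None


def sender_domain(address):
    """Domain part of an email address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower()


def attribute_senders(raw_messages, expected):
    """Map each trap tag to the set of sender domains that used it but are not
    the domain the tag was handed to. A non-empty set means that tagged address
    has been obtained by someone other than the vendor it was given to."""
    leaks = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=policy.default)
        from_addrs = [a for _, a in getaddresses([msg.get("From", "")])]
        to_addrs = [a for _, a in getaddresses(msg.get_all("To", []))]
        for to in to_addrs:
            tag = extract_tag(to)
            if tag is None:
                continue  # untagged address: nothing to attribute
            for frm in from_addrs:
                dom = sender_domain(frm)
                if dom != expected.get(tag):
                    leaks.setdefault(tag, set()).add(dom)
    return leaks


if __name__ == "__main__":
    for tag, domains in sorted(attribute_senders(SAMPLE_MESSAGES, EXPECTED).items()):
        print(f"trap '{tag}' received mail from unexpected sender(s): {sorted(domains)}")
```

Run against the constructed messages, both trap tags report `verify-alerts.example` as an unexpected sender, so the phishing campaign reached two addresses that only the two named vendors should have held. The same parser works unchanged over an exported mailbox, one raw message per entry.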
Oof. I read something like this notification below from Boise Cascade Company in Utah, and I wonder if the employees had been regularly trained in avoiding phishing attacks, or if it was just the case that the phishing was done so damned well that the employees fell for it despite their training. In this case, the intrusion was part of a scheme to alter or redirect employees’ payroll direct deposit accounts.
The Company’s investigation determined that a phishing scheme got into its email system on or about October 31, 2017. Our information technology team caught the scheme within minutes of the first phishing email, blocked the email, and notified employees not to click on the link in it or similar emails. Unfortunately, approximately 300 employees clicked on the link anyway. The investigation further revealed that company-wide, 23 employees’ direct deposit instructions were changed.
I’d love to see what that phishing email looked like if 300 people fell for it.
One of the better Security Week articles.
The Cumulative Effect of Major Breaches: The Collective Risk of Yahoo & Equifax
Until quite recently, people believed that a dizzying one billion accounts were compromised in the 2013 Yahoo! breach… and then it was revealed that the real number is about three billion accounts.
That raises the question: so what? Isn’t all the damage from a four-year-old breach already done?
The answer: not at all. For those who have taken control of the compromised accounts, or who possess confidential information about a billion or more individuals, the Yahoo! breach is the gift that will keep on giving.
First of all, the consequences of the breach are not yet fully realized. Criminals have only recently started using compromised email accounts to spread ransomware and spam. As email service providers increasingly use the age of the sending account as an indicator of risk, the value to criminals of long-established but compromised accounts has started to increase. These accounts become a circumvention strategy for criminals wishing to reliably deliver malicious emails. As the value of an established account goes up, the damage that can be done by using the compromised accounts does, too.
Second, criminals have only recently started to mine the contents of compromised accounts to identify promising opportunities – but that is increasingly happening now, and is becoming another source of value to the Yahoo! attackers (and anybody who has already purchased compromised accounts from them.) To a large extent, we are still in the “manual effort” phase of this type of attack, wherein attackers have not yet understood exactly what they are looking for, and therefore, have not yet written scripts to automate the task. Once their understanding matures and they automate the process, the vast volumes of compromised accounts will turn into new criminal opportunities.
And the automated extraction of meaningful content will dramatically increase the yield of the attacks that the criminals will be able to mount. Think of it like this: if your account was compromised, and a good friend or colleague gets an email from you … or rather, your email account … with a malicious attachment, will they open it? If the email is obvious spam, they probably won’t, but if the message makes sense, they will; and if the attacker knows what you and your contact normally talk about, that isn’t difficult to do.
There is also a multiplier effect as the number of major breaches of consumer data rises.
In the recent Equifax breach, criminals made off with information for more than 145 million Americans, including names, mother’s maiden names, social security numbers, addresses, birthdays, and more. But not email addresses, and not banking affiliations and account numbers. A crafty attacker can easily match the names and birthdays of the Equifax breach to the names and birthdays of the Yahoo! breach, automatically generating very powerful combinations. With this combined intelligence, the attacker can contact banks, posing as banking customers, and gain access to accounts.
“Once we figured out how to get paid all other thoughts stopped!”
Thomas Fox-Brewster reports:
Despite the catastrophic 2015 hack that hit the dating site for adulterous folk, people still use Ashley Madison to hook up with others looking for some extramarital action. For those who’ve stuck around, or joined after the breach, decent cybersecurity is a must. Except, according to security researchers, the site has left photos of a very private nature belonging to a large portion of customers exposed.
The issues arose from the way in which Ashley Madison handled photos designed to be hidden from public view. Whilst users’ public pictures are viewable by anyone who’s signed up, private photos are secured by a “key.” But Ashley Madison automatically shares a user’s key with another person if the latter shares their key first. By doing that, even if a user declines to share their private key, and by extension their pics, it’s still possible to get them without authorization.
Read more on Forbes.
And no, that wasn’t Forbes’ headline for the story.
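The Ashley Madison issue quoted above is an authorization logic flaw rather than a cryptographic one: a key that is supposed to move only on its owner’s explicit decision is also moved implicitly, as a side effect of someone else’s decision. The model below is an added example written for this post, not code from Ashley Madison or from the Forbes article; the class names, the key representation and the hardened variant are assumptions that reproduce the behaviour the article describes and show the minimal change that removes it.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    # Holders of this key may view the user's private photos.
    private_key: str = field(default_factory=lambda: secrets.token_hex(16))
    # Keys this user has received from other users, keyed by owner name.
    received_keys: dict = field(default_factory=dict)
    # Users this user has explicitly chosen to share with (the consent record).
    shared_with: set = field(default_factory=set)


class FlawedPhotoService:
    """Models the behaviour described in the article: when B shares a key with A,
    A's key is automatically handed back to B, whether or not A agreed."""

    def __init__(self, users):
        self.users = {u.name: u for u in users}

    def share_key(self, owner, recipient):
        o, r = self.users[owner], self.users[recipient]
        o.shared_with.add(recipient)
        r.received_keys[owner] = o.private_key
        # Automatic reciprocity: the recipient's key flows back to the owner
        # without the recipient having shared anything.
        o.received_keys[recipient] = r.private_key

    def can_view_private(self, viewer, target):
        """True when the viewer holds the target's current private key."""
        held = self.users[viewer].received_keys.get(target)
        return held is not None and held == self.users[target].private_key


class FixedPhotoService(FlawedPhotoService):
    """Hardened variant (an assumption, not the site's actual fix): a key moves in
    exactly one direction, on an explicit share by its owner. Viewing is also
    re-checked against the consent record, so a key alone is not enough."""

    def share_key(self, owner, recipient):
        o, r = self.users[owner], self.users[recipient]
        o.shared_with.add(recipient)
        r.received_keys[owner] = o.private_key

    def can_view_private(self, viewer, target):
        consented = viewer in self.users[target].shared_with
        return consented and super().can_view_private(viewer, target)


def bob_can_view_alice(service_cls):
    """Bob shares his key with Alice; Alice never shares hers.
    Returns whether Bob can nonetheless view Alice's private photos."""
    svc = service_cls([User("alice"), User("bob")])
    svc.share_key("bob", "alice")
    return svc.can_view_private("bob", "alice")


def alice_can_view_bob(service_cls):
    """Sanity check: the intended share still works in both variants."""
    svc = service_cls([User("alice"), User("bob")])
    svc.share_key("bob", "alice")
    return svc.can_view_private("alice", "bob")


if __name__ == "__main__":
    for cls in (FlawedPhotoService, FixedPhotoService):
        print(f"{cls.__name__}: Bob sees Alice's private photos "
              f"without her consent: {bob_can_view_alice(cls)}")
```

The hardened service also checks the consent record at view time rather than trusting possession of a key, which is the general lesson: an access decision should be made against the owner’s recorded intent, not against an artifact that the system itself may have handed out as a side effect.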