Encryption, Hardware Security, Configuration management, Attack simulation, Patch Management, Email security, Social engineering

Tesla, Crypto AG, Shark Tank, COVID-19 – SWN #15

March 4, 2020


Tesla files leaked, Shark Tank Judge gets back scam cash, Spotify accounts hacked?, and the Swiss Government is fed up and filing charges in the Crypto AG situation. Jason Wood covers Cyberattacks a Top Concern for Gov Workers.

Visit https://www.securityweekly.com/swn for all the latest episodes!

Full Episode Show Notes

To learn more about our sponsors visit: The Security Weekly Sponsor's Page

Tesla, Crypto AG, Shark Tank, COVID-19

Security Weekly News -- Week of 1 March 2020

  1. Tesla and SpaceX parts manufacturer suffers a data breach due to DoppelPaymer ransomware.
  2. Maryland court rules that digital assets damaged during a ransomware attack are covered by insurance.
  3. National Ink and Stitch, LLC v. State Auto Insurance Companies.
  4. U.S. government sanctions two Chinese nationals in connection with Lazarus Group money laundering.
  5. The two were also named in a $250 million hack of an unnamed exchange.
  6. Swiss government files criminal complaint over the CIA/BND Crypto AG operation.
  7. Cruise line hack exposes personal and financial data.
  8. How the Princess cruise ship will be cleaned of coronavirus.
  9. Shark Tank judge almost loses $400k in a spearphishing email scam.
  10. Spotify hacking: how has someone taken over my music?
  11. COVID-19, CDC site.
  12. Plague, Inc. removed from China's App Store.

Expert Commentary:

Cyberattacks a Top Concern for Gov Workers

Doug opened up this episode of Security Weekly News by talking about ransomware. It seems like we talk about ransomware every week. There's a good reason for that. It's because we do. And let's face it, it's in the news every week. Someone got hit with it and they are locked out of their data. They may pay the ransom, they may not, or they may go out of business. It's in everyone's awareness. IBM had a poll conducted on the cybersecurity concerns and awareness of state and local government employees. The poll was conducted from January 16 to February 3, 2020, which plays into one of the findings a bit.

One of the interesting findings is that overall these employees have a higher level of concern about cyberattacks than they do about natural disasters, environmental disasters, terrorist attacks, disease outbreaks, and economic decline. At this point, I suspect the poll was taken prior to the current level of concern about the coronavirus. I'd be interested in seeing how much these numbers have changed. One thing that I noticed about this high-level finding is that the level of concern in these categories varies depending on the role an employee has in the organization. IT staff were far and away more concerned about security incidents than anything else. Conversely, while emergency personnel were concerned about these types of events, their highest concerns were natural disasters and terrorist attacks.

IBM cites ransomware being in the news and local governments being targeted with ransomware as reasons for this higher level of concern. As I was reading up on topics for this week, I ran into articles on state governments being locked up with more ransomware. No surprise there, but I imagine these employees are feeling a bit targeted.

I also thought it was interesting that, with this level of concern, 44% of employees said they have not received basic security training and 70% have not received what they feel is adequate training to respond to security attacks. Contrast that with the 66% of people polled who said their employer is prepared for security incidents and the 74% who were confident in their ability to not fall prey to an attack. I'm assuming that would mean some kind of social engineering or phishing attack. My experience makes me feel that some folks are a bit overconfident in their judgement. These attacks are too widespread and successful to buy into that self-assessment. And I've conducted attacks that worked very well in organizations of all types.

One of the thoughts I had as I read this last bit on training was that a good phish is going to create a sense of urgency, fear, or worry. That level of stress weakens our judgment and makes us more likely to make mistakes. In times of stress, people fall back on their previous experiences and training. Good training would make it more likely that someone would recognize the attack because they have the ability to fall back on that knowledge and experience on how to respond.

I suspect most of our organizations would have similar findings if this poll was taken against them. Sure, this was a poll that will be used by IBM for marketing, but there's still some useful information here. The catch is that we will need to be able to craft training that is actually realistic and useful. For example, I've seen phish training that is set up to not look too realistic or be too good. The organizations fear it could impede the legitimate flow of information. It's good to be aware of this issue, but instead of weakening the training in a massive way, it would probably be better to figure out how to adjust the training to take that into account. Provide a way to get good feedback to the employee on where the signs were that a phish was a fake, and don't make them fear for their employment for failing to recognize them immediately.

If you would like to take a look at the poll results, I have them linked in the show notes for you. In the meantime, think about the security training your organization does and whether it could be improved and where those improvements should be made.


https://www.ibm.com/downloads/cas/74JKYWZQ

Hosts

Doug White - Professor
Jason Wood - Founder; Primary Consultant

Announcements

  • Our first-ever virtual training is happening on March 19th at 11:00am ET with Adam Kehler & Rob Harvey from the Online Business Systems Risk, Security & Privacy Team. In this training you will learn how to generate a complex SHA-256 hashed password and then use password cracking tools to break it. Register for our upcoming webcasts & trainings by visiting securityweekly.com, selecting the webcast/training drop down from the top menu bar and clicking registration.
  • Join us at InfoSecWorld 2020 - March 30 - April 1, 2020 at the Disney Contemporary Resort! Security Weekly listeners save 15% off the InfoSec World Main Conference or World Pass! Visit securityweekly.com/ISW2020, click the register button to register with our discount code or the schedule button to sponsor a micro-interview!
  • OSHEAN and the Pell Center are partnering together to present Cybersecurity Exchange Day on Wednesday, March 18th from 9am-3pm at Salve Regina University in the beautiful Newport, RI! Visit securityweekly.com/OSHEAN2020 to register for free and come join in the fun!
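The virtual training above covers generating a SHA-256 hashed password and then cracking it. As an added illustration (this is not the trainers' material or code), the block below hashes a password with plain SHA-256, runs a dictionary attack against the digest with a small constructed wordlist, and then repeats the attack against a salted, iterated PBKDF2-HMAC-SHA256 hash to show where the extra cost lands. The wordlist, the target passwords, the fixed salt and the 200,000 iteration count are all assumptions chosen for the example.

```python
"""Added example: unsalted SHA-256 vs. salted PBKDF2 under a dictionary attack."""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional, Tuple

# Constructed wordlist for the example (not from the page). In practice this
# would be a real leaked-password list with millions of entries.
WORDLIST = ["password", "letmein", "Winter2020", "P@ssw0rd!", "correcthorse"]

# Illustrative PBKDF2 work factor (assumption; tune to ~100 ms per hash in production).
PBKDF2_ITERATIONS = 200_000


def sha256_hex(password: str) -> str:
    """Unsalted, single-round SHA-256 of a password: the weak scheme being cracked."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_sha256(target_hex: str, wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Dictionary attack against an unsalted SHA-256 digest.

    Returns (matching candidate or None, number of hashes computed). Every guess
    costs one cheap hash, and the same digest table works against every user
    because nothing per-user (a salt) went into the hash.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hmac.compare_digest(sha256_hex(candidate), target_hex):
            return candidate, attempts
    return None, attempts


def pbkdf2_hash(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated hash: each guess now costs `iterations` HMAC-SHA256 calls."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def crack_pbkdf2(target: bytes, salt: bytes, iterations: int,
                 wordlist: Iterable[str]) -> Tuple[Optional[str], int]:
    """Same dictionary attack, but each candidate must be re-derived with the
    victim's salt, so precomputed tables do not apply and each guess is slow."""
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if hmac.compare_digest(pbkdf2_hash(candidate, salt, iterations), target):
            return candidate, attempts
    return None, attempts


def time_attack(fn, *args) -> Tuple[Tuple[Optional[str], int], float]:
    """Run an attack function and return its result plus wall-clock seconds."""
    start = time.perf_counter()
    result = fn(*args)
    return result, time.perf_counter() - start


if __name__ == "__main__":
    victim_password = "P@ssw0rd!"      # assumed victim password, present in the wordlist
    salt = os.urandom(16)              # per-user random salt for the PBKDF2 variant

    weak_digest = sha256_hex(victim_password)
    (found, tries), secs = time_attack(crack_sha256, weak_digest, WORDLIST)
    print(f"SHA-256 : cracked={found!r} after {tries} guesses in {secs * 1000:.2f} ms")

    strong_digest = pbkdf2_hash(victim_password, salt)
    (found, tries), secs = time_attack(
        crack_pbkdf2, strong_digest, salt, PBKDF2_ITERATIONS, WORDLIST)
    print(f"PBKDF2  : cracked={found!r} after {tries} guesses in {secs * 1000:.2f} ms")
    print("Same number of guesses either way; the slow, salted scheme multiplies the "
          "attacker's cost per guess and defeats shared precomputed tables.")
```

Running it shows both schemes fall to the same five-word list when the password is in it; the difference is that each PBKDF2 guess costs on the order of a hundred milliseconds instead of a microsecond, and the salt forces the attacker to redo that work for every user. The real defence is still a password that is not on any wordlist.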

Audio: http://traffic.libsyn.com/sw-all/SWN_15_-_March_3_2020-0_converted.mp3