Category Archives: Internet Security
Connecticut pushes cybersecurity with offers of punitive damage protection – GCN.com
Connecticut Gov. Ned Lamont signed a bill designed to encourage businesses in the state to beef up their cybersecurity.
An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses will protect businesses from punitive damages resulting from a breach of personal data if they have adopted and adhere to industry-standard cybersecurity measures.
The new law requires businesses to secure individuals' names, Social Security numbers, taxpayer ID numbers, driver's license numbers or other government identifiers; financial account numbers and passwords; medical or health insurance information; biometric information; and names or email addresses that are used in combination with a password or security question to access online accounts.
To be exempt from punitive damages, an organization must conform to the current version of a recognized security framework such as the National Institute of Standards and Technology's Framework for Improving Critical Infrastructure Cybersecurity; Special Publications 800-171, 800-53 and 800-53a; the Federal Risk and Authorization Management Program's FedRAMP Security Assessment Framework; the Center for Internet Security's Critical Security Controls for Effective Cyber Defense; or the ISO/IEC 27000 series.
Organizations already regulated by the state or federal government must keep their compliance with the Health Insurance Portability and Accountability Act, the Federal Information Security Modernization Act and the Health Information Technology for Economic and Clinical Health Act in order to avoid paying punitive damages.
Businesses must also comply with the current version of the Payment Card Industry Data Security Standard.
When any of the relied-upon cybersecurity standards are updated, businesses have six months to comply.
The legislation is the latest of Connecticut's efforts to better secure its assets. Earlier this year, Lamont announced the centralization of state IT resources and named Jeff Brown as the state's first chief information security officer.
"Across the globe, cybersecurity risks continue to rise," Brown said. "Connecticut is investing in cybersecurity and technology in new ways to protect our residents and businesses. We are bringing our statewide information technology team together into one, collaborative organization that will help us identify and deter cybersecurity incidents faster, bring everyone onto streamlined platforms, and ultimately protect more private information."
The measure goes into effect on Oct. 1, 2021.
Avast and RiskIQ announce threat intelligence partnership – ChannelLife Australia
Digital security and privacy company Avast, and RiskIQ, an internet security intelligence company, have announced a threat intelligence partnership. Under the agreement, the companies will use their specific areas of expertise to develop combined threat intelligence for their customer bases to enhance security practices.
"At Avast, we recognise that no one provider can see the whole picture," says Avast senior VP, partner business, Nick Viney.
"That's why we partner broadly to improve the threat intelligence available to companies and also to improve our ability to protect our customers. Our global threat intelligence will contribute to RiskIQ's understanding of the worldwide threat landscape.
"Avast will leverage RiskIQ's intelligence to enrich our data and further scale our threat hunting and response capabilities for companies and consumers alike," he adds.
Avast's threat intelligence platform protects hundreds of millions of endpoints from internet threats, powered by threat intelligence from Avast's global network, one of the world's largest and most geographically diverse threat detection networks. Avast says advanced analytics provide insight into thousands of malware families, including how they can be detected before customers are impacted and how those threats evolve as bad actors attempt to evade detection.
RiskIQ aggregates and collects data and intelligence from the whole internet to identify threats and attacker infrastructure, and leverages machine learning to scale threat hunting and incident response. Its Illuminate Internet Intelligence Platform provides content on attackers, including their tools and systems, and indicators of compromise across the global attack surface.
"RiskIQ and Avast share a mission to protect people and businesses on the internet, and as partners, we can both be more effective," says RiskIQ CEO, Lou Manousos.
"Avast helps us enrich our understanding of the global threat landscape, and we welcome them to our Interlock Partner Program. RiskIQ's Interlock Partner Program is a next-generation program supporting deep, bi-directional integrations that meaningfully advance the capabilities and value for customers and both solutions.
"It enables members to rapidly deploy RiskIQ attack surface visibility and internet security intelligence across their enterprise security ecosystem (or infrastructure) for automated and informed threat detection, investigations, and prevention," he says.
Avast has 435 million online users and offers products under the Avast and AVG brands to protect against threats on the internet and the evolving IoT threat landscape. RiskIQ specialises in digital attack surface management, discovery, intelligence, and mitigation of threats associated with an organisation's digital presence. Based in San Francisco, the company is backed by Summit Partners, Battery Ventures, Georgian Partners, NationalGrid Partners, and MassMutual Ventures.
Internet of Things in desperate need of more robust identity and access management – SecurityBrief Asia
The future of identity and access management (IAM) in the Internet of Things will escape the confines of user-focused identity and transition toward a more inclusive model, according to a new research report by ABI Research.
The new multi-faceted approach will include machine and system identity along with IoT device and platform management operations.
"IAM is yet another identity and security framework that poses significant challenges when crossing from the IT realm onto the IoT," says Dimitrios Pavlakis, senior cyber security and IoT analyst at ABI Research.
"Most cloud providers regard IAM as a purely user-focused term while other IoT device management and platform providers make references to IAM in device access control," he says.
"IAM in a traditional IT environment is used to streamline user digital identities and to enhance the security of user-facing front-end operations using a variety of management tools, privilege management software and automated workflows to create a user-focused authorisation framework."
Pavlakis says the explosion of IoT technologies has significantly increased the sheer volume and complexity of interconnected devices, users, systems, and platforms, making traditional IT IAM insufficient, if not problematic in some cases.
"Insufficient access control options, legacy infrastructure and proprietary protocol dependencies, traditionally closed networks, the fervent increase in digitisation, albeit with lackluster security operations, are some of the most prominent challenges for IAM in IoT," he explains.
"Regardless of which IAM terminology is used, these challenges along with the highly complex IoT identity value chain point toward a more competent model of IAM, which touches upon various technologies and security protocols to be considered under the IAM umbrella including: user privilege management and on-prem access control, edge-to-cloud integration, cloud directory-as-a-service, system and machine ID, data security and governance, API management, IoT device identity, authentication and access control."
Pavlakis says the justifiable lack of a unified IoT security standardisation framework, the fact that organisations are always reactive rather than proactive, the emergence of a new cyber-threat horizon and ever-present budget restrictions also force implementers to create an approximation of IAM protocols by examining IoT applications on a case-by-case basis.
"No matter how you slice it, IAM in Industrial IoT obviously ought to be significantly different than IAM protocols in finance settings and further blurs the lines between access control for system, machine and user ID," he says.
Prominent IT IAM vendors include Cisco, IBM, Microsoft, Oracle, RSA, ForgeRock, Giesecke and Devrient, Ping Identity, Idaptive, Micro Focus, Okta and Ubisecure, while new vendor categories under the IoT IAM umbrella can include telcos and IoT device, gateway management or platform providers, including Entrust, Globalsign, Pelion, Sierra Wireless, Cradlepoint, Kerlink, and Advantech.
Serial Swatter Who Caused Death Gets Five Years in Prison – Krebs on Security
An 18-year-old Tennessee man who helped set in motion a fraudulent distress call to police that led to the death of a 60-year-old grandfather in 2020 was sentenced to 60 months in prison today.
60-year-old Mark Herring died of a heart attack after police surrounded his home in response to a swatting attack.
Shane Sonderman, of Lauderdale County, Tenn., admitted to conspiring with a group of criminals that's been swatting and harassing people for months in a bid to coerce targets into giving up their valuable Twitter and Instagram usernames.
At Sonderman's sentencing hearing today, prosecutors told the court the defendant and his co-conspirators would text and call targets and their families, posting their personal information online and sending them pizzas and other deliveries of food as a harassment technique.
Other victims of the group told prosecutors their tormentors further harassed them by making false reports of child abuse to social services local to the target's area, and false reports in the target's name to local suicide prevention hotlines.
Eventually, when subjects of their harassment refused to sell or give up their Twitter and Instagram usernames, Sonderman and others would swat their targets or make a false report to authorities in the target's name with the intention of sending a heavily armed police response to that person's address.
For weeks throughout March and April 2020, 60-year-old Mark Herring of Bethpage, Tenn. was inundated with text messages asking him to give up his @Tennessee Twitter handle. When he ignored the requests, Sonderman and his buddies began having food delivered to Herring's home via cash on delivery.
At one point, Sonderman posted Herring's home address in a Discord chat room used by the group, and a minor in the United Kingdom quickly followed up by directing a swatting attack on Herring's home.
Ann Billings was dating Mr. Herring and was present when the police surrounded his home. She recalled for the Tennessee court today how her friend died shortly thereafter of a heart attack.
Billings said she first learned of the swatting when a neighbor called and asked why the street was lined with police cars. When Mr. Herring stepped out on the back porch to investigate, police told him to put his hands up and to come to the street.
Unable to disengage a lock on his back fence, Herring was instructed to somehow climb over the fence with his hands up.
"He was starting to get more upset," Billings recalled. "He said, 'I'm a 60-year-old fat man and I can't do that.'"
Billings said Mr. Herring then offered to crawl under a gap in the fence, but when he did so and stood up, he collapsed of a heart attack. Herring died at a nearby hospital soon after.
Mary Frances Herring, who was married to Mr. Herring for 28 years, said her late husband was something of a computer whiz in his early years who secured the @Tennessee Twitter handle shortly after Twitter came online. Internet archivist Jason Scott says Herring was the creator of the successful software products Sparkware and QWIKMail; Scott has two hours' worth of interviews with Herring from 20 years ago here.
Perhaps the most poignant testimony today came when Ms. Herring said her husband, who was killed by people who wanted to steal his account, had a habit of registering new Instagram usernames as presents for friends and family members who'd just had children.
"If someone was having a baby, he would ask them, 'What are you naming the baby?'," Ms. Herring said. "And he would get them that Instagram name and give it to them as a gift."
Valerie Dozono also was an early adopter of Instagram, securing the two-letter username VD for her initials. When Dozono ignored multiple unsolicited offers to buy the account, she and many family and friends started getting unrequested pizza deliveries at all hours.
When Dozono continued to ignore her tormentors, Sonderman and others targeted her with a SIM-swapping attack, a scheme in which fraudsters trick or bribe employees at wireless phone companies into redirecting the target's text messages and phone calls to a device they control. From there, the attackers can reset the password for any online account that allows password resets via SMS.
But it wasn't the subsequent bomb threat that Sonderman and friends called in to her home that bothered Dozono most. It was the home invasion that was ordered at her address using strangers on social media.
Dozono said Sonderman created an account on Grindr, the location-based social networking and dating app for gay, bi, trans and queer people, and set up a rendezvous at her address with an unsuspecting Grindr user who was instructed to waltz into her home as if he was invited.
"This gentleman was sent to my home thinking someone was there, and he was given instructions to walk into my home," Dozono said.
The court heard from multiple other victims targeted by Sonderman and friends over a two-year period, including Shane Glass, who started getting harassed in 2019 over his @Shane Instagram handle. Glass told the court that endless pizza deliveries, as well as SIM swapping and swatting attacks, left him paranoid for months that his assailant could be someone stalking him nearby.
Judge Mark Norris said Sonderman's agreement to plead to one count of extortion by threat of serious injury or damage carries with it a recommended sentence of 27 to 33 months in prison. However, the judge said other actions by the defendant warranted up to 60 months (5 years) in prison.
Sonderman might have been eligible to knock a few months off his sentence had he cooperated with investigators and refrained from committing further crimes while out on bond.
But prosecutors said that shortly after his release, Sonderman went right back to doing what he was doing when he got caught. Investigators who subpoenaed his online communications found he'd logged into the Instagram account FreeTheSoldiers, which was known to have been used by the group to harass people for their social media handles.
Sonderman was promptly re-arrested for violating the terms of his release, and prosecutors played for the court today a recording of a phone call Sonderman made from jail in which he brags to a female acquaintance that he wiped his mobile phone two days before investigators served another search warrant on his home.
Sonderman himself read a lengthy statement in which he apologized for his actions, blaming his addiction on several psychiatric conditions including bipolar disorder. While his recitation was initially monotone and practically devoid of emotion, Sonderman eventually broke down in tears that made the rest of his statement difficult to hear over the phone-based conference system the court made available to reporters.
The bipolar diagnosis was confirmed by his mother, who sobbed as she simultaneously begged the court for mercy while saying her son didn't deserve any.
Judge Norris said he was giving Sonderman the maximum sentence allowed by law under the statute, 60 months in prison followed by three years of supervised release, but implied that his sentence would be far harsher if the law permitted.
"Although it may seem inadequate, the law is the law," Norris said. "The harm it caused, the death and destruction... it's almost unspeakable. This is not like cases we frequently have that involve guns and carjacking and drugs. This is a whole different level of insidious criminal behavior here."
Sonderman's sentence pales in comparison to the 20-year prison term handed down in 2019 to serial swatter Tyler Barriss, a California man who admitted making a phony emergency call to police in late 2017 that led to the shooting death of an innocent Kansas resident.
Center For Internet Security Updates CIS Controls With Focus On Cloud, Mobile, And Remote Work – Technology – United States – Mondaq News Alerts
Now is a great time to review your security posture, as you have a new tool to help you. On May 18, 2021, the Center for Internet Security (CIS) released Version 8 of its CIS Controls, formerly known as the CIS Critical Security Controls (and often called the "CIS Top 20").
CIS intends the new version to better address some of the major developments in IT and cybersecurity over the past several years, including the movement to cloud solutions, increased mobility, and normalization of remote work. CIS is also updating the ecosystem of tools that support the Controls, including self-assessment tools and a method for risk assessments that helps to justify security investments.
The Version 8 update is likely to garner a lot of attention from companies looking to address the "reasonable security" requirements referenced in California law (see Cal. Civ. Code 1798.81.5(b), 1798.150(a)(1)), including in the forthcoming California Privacy Rights Act (CPRA), as well as numerous other state laws.
Then-California Attorney General (now Vice President) Kamala Harris concluded in her 2016 data breach report that an organization's failure to implement all applicable CIS Controls "constitutes a lack of reasonable security." Since that report, many companies have used the CIS Controls as a primary way of evaluating their compliance with reasonable security provisions.
At their core, the CIS Controls are a list of security best practices similar to security frameworks such as NIST 800-53 and the ISO 27000-series. Prior to Version 8, the CIS Controls were organized into 20 top-level controls that addressed, for example, access control, vulnerability assessment, audit log maintenance, and other foundational controls that mitigate security risk. Each top-level control includes specific "safeguards" (previously called "sub-controls"), which are actions, tools, or other resources that support the top-level control.
The key difference between the CIS Controls and other frameworks is their organization of the controls into "Implementation Groups" (IGs), which define a set of recommended security controls based on risk. Organizations may choose the IG appropriate to their risk and budget, then implement the controls listed for that IG.
This grouping makes the CIS Controls an attractive option for businesses of varying sizes and risk profiles, including small- and medium-sized businesses focused on basic cyber hygiene and defense.
In addition to creating IGs, Version 8 consolidates several top-level controls, thereby reducing the total number from 20 to 18, renames many of the controls, and reorganizes the relationship between the controls and many of their underlying safeguards. The Version 8 safeguards place much more emphasis on mobile and cloud security than prior versions' sub-controls.
In large part, these changes reflect CIS's goal of focusing more holistically on system and asset security, regardless of where those systems or assets reside (within the corporate network, in the cloud, at an employee's home, etc.) and which IT teams might be responsible for them. For example, Version 7.1 has a control specifically for "Wireless Access Control," which includes a sub-control to "Leverage the Advanced Encryption Standard (AES) to Encrypt Wireless Data" (among others).
In Version 8, there is no control singularly focused on wireless security. Instead, wireless safeguards are dispersed throughout, and encryption of wireless traffic is rolled into a more general safeguard to "Encrypt Sensitive Data in Transit" under the "Data Protection" control. Version 8 notes that "[p]hysical devices, fixed boundaries, and discrete islands of security implementation are less important" in computing now than they were when prior versions were adopted.
New data privacy and security laws are increasing pressure on organizations to adopt "reasonable" security controls for personal data. For instance, the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, which went into effect in March 2020, requires businesses to "implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information."
On the other side of the country, the CPRA will update California law as of January 1, 2023, to require "[a] business that collects a consumer's personal information [to] implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5."
Likewise, the Virginia Consumer Data Protection Act, which also becomes operative on January 1, 2023, requires businesses to "[e]stablish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data."
The White House, too, has joined the fray with its recent Executive Order on Improving the Nation's Cybersecurity (which we previously covered here). Intentionally or not, Version 8's more holistic approach to security and increased emphasis on cloud and mobile technologies echoes many provisions of the Executive Order.
Among other things, the Executive Order directs the government to accelerate its movement to cloud systems and to adopt "zero-trust architecture" (ZTA), a security model that challenges the traditional notion of a security "perimeter" and focuses on the defense of computing assets wherever they reside.[1] Government contractors and suppliers who may need to shift towards cloud-based systems and ZTA-based security might consult the new CIS Controls to evaluate and develop their security programs.
Organizations of all sizes face some degree of information security risk to confidential or personal data. CIS Controls Version 8 makes mitigating those risks even more accessible and provides a great excuse to take account of your security posture.
Footnote
[1] The National Institute of Standards and Technology (NIST) states that ZTA's "focus on protecting resources rather than network segments is a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary."
Originally published 05.24.21
Cloudflare Solves the Internet’s Need for Speed and Security – InvestorPlace
Cloudflare (NYSE:NET) investors had to ride a roller coaster for the first five months of 2021. However, since mid-May, NET stock has been in growth mode, posting gains of over 50% from its low point. On July 9, it closed at $108.97, a new all-time high, though it has since eased back. Still within spitting distance of that record close, will NET stock run out of momentum, or does it still have room for growth?
I would argue that Cloudflare is a company with the right product mix at the right time to continue fueling long-term growth. Online shopping is only continuing to grow in popularity. Other services are moving online, including the transition from cable TV to streaming video services.
Cloudflare provides the critical services that keep online services fast, and keep them safe. It's even a big part of exploding IoT (Internet of Things) growth. This Portfolio Grader B-rated stock is up nearly 500% from its September 2019 public debut. Given the business Cloudflare is in, the stock growth may just be getting started.
One of Cloudflare's primary lines of business is being a CDN, or content delivery network. That may not sound exciting, but it is an increasingly important service and one that was in the spotlight during the pandemic.
Cloudflare uses local servers to host critical website services so that users enjoy the speed they expect. Even if a user is logging in on a PC across the country from a company's main data center, they hit a Cloudflare regional server first, so there is no lag and no overload. That ensures online shopping, video conferencing, and other web-based activities offer a positive experience for all users, regardless of their location.
Now, more than ever, slow-loading websites are simply not acceptable. As Forbes' Jason Hall wrote in 2019:
"If a page loads slowly, many people will give up and go somewhere else. That can mean a loss of traffic to your site and a loss of dollars in your pocket. Your conversion rates may suffer, and your bounce rates (the number of people who leave your site after only visiting one page) may increase.
"In addition, loading speed is also a factor used in search engine page rankings. Slow-loading websites show up lower in search results."
What holds true for websites also holds true for internet-based services. Streaming video, social media and mobile apps often rely on CDNs to keep their services fast and responsive no matter where customers are located.
Being a leading CDN is a big part of the NET stock story. It's going to continue to be a big part of the long-term growth story for Cloudflare stock as well.
Cybercrime is on the rise. Ransomware is a big problem, as seen from attacks like the Colonial Pipeline shutdown. We've also seen an escalation in DDoS (distributed denial of service) attacks, with the volume of attack attempts up 31% in the first quarter. According to stats published by Cybercrime Magazine, damage from these attacks (including destroyed data, theft of money, and disruption to business) cost $3 trillion in 2015. By the time the damages are tallied for 2021, that number is expected to hit $6 trillion.
Boston University's Sharon Goldberg explains that taking security measures is a huge step in protection against ransomware attacks:
"Attackers are not going to go after the organizations that are hard to breach; they're going to go after the ones that are weaker."
Cloudflare security solutions protect companies against cyber attacks. This includes DDoS attacks that slow a website or service, even taking it offline. And we know how people react to slow websites. Cloudflare also protects against ransomware attacks. Security is a big market for the company, and it's only going to continue to grow.
Is now the time to make a move on NET stock? The company is due to report second quarter earnings in three weeks, so you might want to take that into account. The current rally began shortly after Cloudflare delivered solid Q1 earnings that included 51% year-over-year revenue growth, a 70% increase in large customers, and boosted full-year 2021 guidance. If the market reacts in a similar fashion to Q2 earnings, today's price might seem like a bargain by then.
On the date of publication, Louis Navellier had a long position in NET. Louis Navellier did not have (either directly or indirectly) any other positions in the securities mentioned in this article. InvestorPlace Research Staff member primarily responsible for this article did not hold (either directly or indirectly) any positions in the securities mentioned in this article.
If your company is held hostage, should you pay the ransom? Or should you be forced to tell the authorities? – ABC News
If someone broke into your home, and held all of your possessions to ransom, you would call the police. Right?
Or would you quietly pay whatever sum the thieves were demanding, and get your life back as quickly and easily as possible?
It might be a simple enough decision in a real-world scenario, but when it comes to cyber crime and ransomware, it seems to be much more complex.
Big companies can make good targets for cyber criminals who, in some cases, can extort millions of dollars with a pretty simple operation.
Ransomware attacks often see cyber criminals steal and encrypt data, or damage internal networks, and demand money to undo it.
They might even threaten to publish sensitive stolen information, or offer it to competitors.
Sometimes paying the ransom can be easier than asking for help and fighting back.
Policy experts from the Cyber Security Cooperative Research Centre want to make it mandatory for Australian companies to tell authorities when they are being targeted.
And they want more clarity on whether paying ransoms is legal at all.
They warn a "tsunami of cyber crime" has cost the global economy about $1 trillion, and say Australia is a soft target.
In late March, staff at Nine arrived at work on a Sunday morning, ready to put the Today show to air, only to find they had been the victim of a near-crippling cyber attack.
It rocked the company's operations, with many Sydney-based staff forced to work from home or temporarily move to Melbourne, and it took weeks for workflows to be back to normal.
Nine was very upfront about the attack, and sought the help of authorities like the Australian Signals Directorate in managing it.
Knocking out the news is one thing, but only a few months ago a huge slice of the US was left scrambling for petrol after a ransomware attack knocked out Colonial Pipeline's networks.
The company was forced to completely shut down its pipelines, responsible for about half of the US East Coast's fuel supplies, for days.
Colonial later confirmed it paid a $US4.4m ($5.6m) ransom.
Australian logistics giant Toll Holdings was hit in two separate attacks last year.
It too worked with experts from the Australian Signals Directorate, and said at the time it had "no intention of engaging with any ransom demands."
And steaks were on the line when global meat processing company JBS Foods paid a $US11 million ($14.2 million) ransom in bitcoin about a month ago.
Its global operations, including in Australia, were all but brought to a standstill by the attack, and the company said it paid the money to avoid data being stolen.
Some experts warn many Australian companies do not fully appreciate the scale of the threats their companies face.
They compare the amount of money paid for security guards, alarms and sensors to protect a company's physical assets, compared to the relatively little money paid for cyber security.
Rachael Falk from the Cyber Security Cooperative Research Centre said it is more common, and more serious, than many businesses appreciate.
"I think businesses are still woefully under prepared," she said.
"There are examples happening all around the world, and in Australia, almost on a weekly basis."
There are two things Ms Falk is suggesting the federal government could do to help companies better defend themselves.
The first is to use tax incentives to encourage businesses to invest in their cyber security.
The second is to force them to speak up when they suffer an attack, and let authorities and security agencies know, to help protect others in future.
"We're saying be more transparent, because once it's out in the open, it helps everyone," she said.
"I can understand the need to want to protect the company, protect customers, and also the deep need to want to just get on with remediating what's going on, and not have to shout from the rooftops.
"I entirely understand that, but I think being transparent about it is helpful."
Those ideas are being pitched separately to legislation the government is already considering, imposing greater cyber security obligations on operators of critical assets like water, health, energy and transport.
In a new policy paper, Ms Falk also argues the federal government has to clarify the legalities of paying ransoms.
While the official advice is always against paying ransoms, and instead working with authorities to combat ransomware attacks, some companies do take up the option.
It gets complex, because it is against the law to "deal with" money that could end up being used in crime.
It is also illegal to provide funds to terrorist organisations which is another risk, in such a circumstance.
It used to be that a business needed a lock on its door and a CCTV camera to protect against criminals; now experts say they need to invest in security they cannot see.
But duress is a defence, given the companies can reasonably believe a threat will be carried out if they do not pay.
Ms Falk does not suggest explicitly criminalising the payment of ransoms, arguing doing so would only further add to the burden of ransomware victims.
But she said those facing that difficult prospect should know legally where they stand.
"It will provide the victims with at least some certainty," she said.
"If we pay this, because we have to, we at least won't be facing some sort of action down the track from the Commonwealth that accuses our board of paying a ransom when we shouldn't have."
But she said better defences, and preventing an attack in the first place, were much simpler solutions.
"Ransomware is entirely foreseeable, and every business is at risk," she said.
"It's not just big organisations and household names, it's small companies.
"If they run a computer connected to the internet, they're at risk."
Continued here:
If your company is held hostage, should you pay the ransom? Or should you be forced to tell the authorities? - ABC News
Connecticut Becomes Third State to Incentivize Cybersecurity Best Practices for Businesses – PRNewswire
HARTFORD, Conn., July 12, 2021 /PRNewswire/ -- Connecticut Governor Ned Lamont signed HB 6607, "An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses," into law last week. The bill, introduced by Representative Caroline Simmons, prohibits the Superior Court from assessing punitive damages against an organization that implements reasonable cybersecurity controls, including industry-recognized cybersecurity frameworks such as the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF) and the Center for Internet Security (CIS) Critical Security Controls (CIS Controls).
The Connecticut bill states that in the event of a data breach of personal and restricted information, the court may not assess punitive damages if the organization created, maintained, and complied with a written cybersecurity program containing administrative, technical, and physical safeguards for protecting PII and restricted information.
"It is critically important to do a better job of protecting businesses and consumers against cyber-attacks," said Representative Simmons. "In Connecticut, we took a step to accomplish this voluntarily without regulation by incentivizing organizations to adopt cyber best practices, like the NIST framework and the CIS Critical Security Controls."
Connecticut joins Ohio and Utah in legislative efforts to adopt an incentive-based approach for businesses to implement cybersecurity best practices.
"Cybersecurity is largely unregulated today; there is no national statutory minimum standard of information security, making it difficult to improve cybersecurity on a wholesale basis," said CIS Executive Vice President & General Manager, Security Best Practices, Curtis Dukes. "Connecticut's cybersecurity bill introduces a critical interim step: incentivizing the adoption of cyber best practices like the CIS Controls, to improve cybersecurity and protect citizen data."
The CIS Controls are a set of internationally-recognized, prioritized actions that form the foundation of basic cyber hygiene and essential cyber defense. Applying the CIS Controls provides a critical, measurable security value against a wide range of potential attacks. Analysis shows that implementing the CIS Controls mitigates the majority of cyber-attacks when evaluated against attack patterns in the widely referenced ATT&CK framework published by the MITRE Corporation. Specifically, the CIS Controls mitigate:
Further, Implementation Group 1 (IG1), a subset of the Controls that is considered basic cyber hygiene, is effective in mitigating:
Under the bill, organizations have to conform with revisions and amendments to identified industry-recognized cybersecurity frameworks (like the CIS Controls), laws, and regulations within six months after the revised document is published.
The bill becomes law on October 1, 2021.
About CIS: The Center for Internet Security, Inc. (CIS) makes the connected world a safer place for people, businesses, and governments through our core competencies of collaboration and innovation. We are a community-driven nonprofit, responsible for the CIS Controls and CIS Benchmarks, globally recognized best practices for securing IT systems and data. We lead a global community of IT professionals to continuously refine these standards to proactively safeguard against emerging threats. Our CIS Hardened Images provide secure, on-demand, scalable computing environments in the cloud. CIS is home to the Multi-State Information Sharing and Analysis Center (MS-ISAC), the trusted resource for cyber threat prevention, protection, response, and recovery for U.S. State, Local, Tribal, and Territorial (SLTT) government entities, and the Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC), which supports the cybersecurity needs of U.S. elections offices. To learn more, visit CISecurity.org or follow us on Twitter: @CISecurity.
Media Contact: Autum Pylant [emailprotected] 518-266-3495
SOURCE Center for Internet Security
Here is the original post:
Connecticut Becomes Third State to Incentivize Cybersecurity Best Practices for Businesses - PRNewswire
Ericsson to partner with Verizon in $8.3 billion deal to expand 5G coverage – The Dallas Morning News
Ericsson, a Swedish telecom company with its North American headquarters in Plano, will partner with Verizon to expand its U.S. 5G network in a $8.3 billion deal announced Friday.
Under the five-year agreement, Verizon will utilize Ericsson's different technology solutions to expand its ultra-wideband 5G coverage. This includes Massive MIMO, Ericsson Spectrum Sharing and the Ericsson Cloud Radio Access Network.
The deal is the single largest in Ericsson's history, which stretches back to 1876.
"This is a significant strategic partnership for both companies, and what we're most excited about is bringing the benefits of 5G to U.S. consumers, enterprises and the public sector," said Niklas Heuveldop, president and head of Ericsson North America.
Ericsson and Verizon have a long track record of partnering together. In 2020, Verizon became the first communications service provider to receive a commercial 5G base station from the Ericsson smart factory in Lewisville.
Verizon wants to rapidly expand its 5G network as it competes with AT&T and T-Mobile to grant its customers reliable 5G access. The company pledged over $45.5 billion in a C-band auction that closed in February to secure more mid-band spectrum coverage.
"5G is really going to change the future," said Karen Schulz, who works in global network and technology communications for Verizon. "The fundamental capabilities of 5G will usher in applications and innovations that we've never seen before."
5G has the potential to enhance apps and technologies like augmented reality and the Internet of Things, Schulz said.
In Texas, Verizon users are connected to 5G over 12% of the time, while T-Mobile users are connected 40% of the time and AT&T users are connected over 26% of the time, according to the latest 5G User Experience Report by Opensignal. Nationally, Verizon users are connected to 5G over 10% of the time.
As 5G expands in Texas, businesses are most likely to initially see the largest changes in coverage because they can tap into the network's full capabilities, said Ram Dantu, director of the Center for Information and Cyber Security at the University of North Texas.
"Consumers may not be able to see the immediate effects of 5G," Dantu said. "They'll see greater bandwidth, but likely this will be best for enterprise."
Even though 5G is still being rolled out, companies are looking ahead to the next generation of mobile networks. Last week, the University of Texas at Austin announced the launch of the 6G@UT research center in partnership with several industry partners, including AT&T and Samsung.
Ericsson announced its own partnership with the Massachusetts Institute of Technology to research the design of hardware that could power the 6G networks.
Read more from the original source:
Ericsson to partner with Verizon in $8.3 billion deal to expand 5G coverage - The Dallas Morning News
Israeli company is behind malware that affected Windows PCs: Microsoft – WION
Microsoft believes malware used to infect PCs running its Windows operating system was created by an Israeli organisation.
Microsoft is taking a new effort to reduce internet security issues.
The company has also been looking for government-backed hackers, such as the Chinese organisation Hafnium, which it believes is responsible for attacks on its Exchange Server email software.
The problem was only recently rectified by Microsoft, and it took the company a long time to resolve, with several people claiming that the fix was ineffective in their experience.
The threat actors were revealed to be from the private sector, and the company launched an inquiry to learn more about their genuine motives.
Microsoft's investigation into their latest breach and zero-day vulnerability came from an Israeli private sector business called "Sourgum," according to the company's blog post.
The company in question is a PSOA, or private sector offensive actor, which sells "cyberweapons" that its clients then use to hack their targets.
Another group discovered in the investigation is known as "Candiru," and it has been linked to Sourgum in connection with the recent Microsoft attack.
While the motives of Candiru are unknown, it poses a direct threat to Microsoft and would be subject to an inquiry in the hopes of apprehending the perpetrator.
(With inputs from agencies)
Continued here:
Israeli company is behind malware that affected Windows PCs: Microsoft - WION