Friday Five: 10/6 Edition
Happy Friday! Catch up on the latest infosec headlines with our weekly news roundup.
1. Cisco sends its employees fake phishing emails to train them not to click on malicious links by Becky Peterson
Steve Martino, chief information security officer at Cisco, runs security awareness training with employees on a regular basis. Since social engineering and spear-phishing are still the most widely used methods for gaining an initial foothold in an organization, Martino's insights and practices are something every CISO should consider for their own organization. Martino shared some key tips based on his training, including reducing click-through rates on links in employee email, since a click usually leads to a malicious site or other nefarious activity. Martino also advocates identifying and protecting your most sensitive assets and data first, such as intellectual property or customer PII. He also discusses practicing for incident response (IR) and creating a planned disaster recovery (DR) playbook in case your organization is compromised.
2. Yahoo now thinks all 3B accounts were impacted by 2013 breach, not 1B as thought by Ingrid Lunden
Big news this week from Yahoo: after further investigation, Yahoo sent out a notification stating that it believes all 3 billion of its accounts were compromised in the 2013 breach, not just the 1 billion previously reported. This includes all email accounts, Flickr users and Fantasy sports accounts. Yahoo claims it did take steps to notify users during the first wave of compromise, which included “directly notifying impacted users ‘identified at the time,’ requiring password changes and invalidating unencrypted security questions and answers so that they could not be used to access an account.” Therefore, Yahoo is not going to re-issue any notifications, as the company believes users have already been informed on how to protect themselves. For anyone who was impacted by the breach, Yahoo stated that “stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.” Users should update their passwords (and any other accounts where the same password was reused) and monitor their accounts for suspicious activity.
3. Equifax says millions more customers affected in cyberattack than previously reported by Wallace Witkowski
Earlier this week Equifax reported that an additional 2.5 million users were impacted in its breach, based on the forensic analysis that Mandiant conducted during its investigation. In total, the number of impacted users is now up to 145.5 million. Richard Smith, former CEO of Equifax (who retired in September following the report of the breach), apologized in testimony before a House Energy and Commerce subcommittee for not patching a known vulnerability that was exploited by the attackers. According to Mandiant's investigation, the attackers were inside Equifax's systems undetected for four months. Equifax will be informing anyone who was implicated in the breach via postal mail, so check your physical mailbox.
Managing passwords securely is always a challenge in organizations. New research from analyst firm Ovum reports that “78 percent of IT executives lack the ability to control access to the cloud-based applications used by their employees.” This came from research conducted among hundreds of IT professionals. Despite the lack of control and visibility, companies are not doing anything at all to address the situation. The report also had some other interesting findings, with the predominant themes being that employees have too much control over their passwords, and that defenses against password sharing were extremely weak, with very little control or oversight from IT. Organizations should strongly consider implementing password management applications to close this password security gap.
Three quarters of North American utility executives believe there is a moderate chance that the electrical grid will be targeted by a cyberattack within the next five years. This came from a recent study by Accenture among 100 power utility executives from 20 countries. 76% in North America believed power interruptions or outages were possible in the next five years. This is an interesting study, but the vulnerabilities of our critical infrastructure and the likelihood of attacks targeting it have been an ongoing topic for years. This study shows it is still a strong area of concern among utility executives. Hopefully proactive steps will be taken to strengthen the U.S.' critical infrastructure and mitigate any potential attacks.