Friday Five 8/20
Exposed web cams, mistakes made when hiring cybersecurity roles, and a $1 million breach settlement - catch up on the week's infosec news with the Friday Five!
1. Millions of Web Camera and Baby Monitor Feeds Are Exposed by Lily Hay Newman
Not to sound like a broken record, but in case you haven’t heard it before, many web cameras are insecure by design. That’s just the way it is. We tweeted about this the other day, but in case you missed it, the latest line of susceptible devices includes those that implement a software development kit (SDK) known as ThroughTek Kalay. Wired’s Lily Hay Newman digs into the research, which was publicized by the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency on Tuesday. The vulnerability is pretty serious - it carries a CVSS v3 base score of 9.8, mostly because it's remotely exploitable and an attack isn't complicated to carry out. The kicker is how many devices the SDK is present in: 83 million devices that make over a billion connections to the internet each month.
2. CISA offers ransomware response guidelines to organizations by Alexander Culafi
Just a few weeks after launching its Stop Ransomware website, CISA has provided defenders with more guidance on defending against and responding to ransomware attacks. TechTarget's SearchSecurity recaps the resource, which recommends a lot of steps that organizations have already heard before: keeping robust backups and disabling or blocking Windows Server Message Block (SMB), for example. Not to be overlooked are CISA's recommendations around protecting sensitive data: steps organizations can take to keep data from being accessed in the first place, including taking an inventory of your data, encrypting it, and protecting it behind firewalls and, potentially, network segmentation.
3. Cybersecurity jobs: This is what we're getting wrong when hiring – and here's how to fix it by Danny Palmer
ZDNet this week dug into some of the missteps companies are making when it comes to hiring, missteps that are widening the gap between a content and happy IT team and an understaffed and burnt-out one. Danny Palmer talks to a few experts - Alyssa Miller, Adam Enbar, who runs the Flatiron School, and Christine Izuakor, who runs Cyber Pop-Up - and finds that, on the whole, we're hiring workers for the wrong roles, asking prospective employees to have too many accreditations, and not investing in training them. Izuakor has one of the best quotes, if you’re interested in reading more: "Due to the pace at which technology is evolving, constant development of talent is critical. By implementing a robust training and upskilling program, individuals are given the opportunity to learn and progress in their own careers while organisations can get ahead of the growing competition in the industry by building up internal talent."
4. Wanted: Disgruntled Employees to Deploy Ransomware by Brian Krebs
When the going gets tough, the tough get desperate? Ransomware operators have apparently taken to what's essentially a cold call - emailing employees directly - and asking them to spread ransomware throughout their company in exchange for a percentage of the profits. Krebs breaks down a tale from Abnormal Security's Crane Hassold, who went down the rabbit hole with one scammer who wanted to phish his executives: "According to this actor, he had originally intended to send his targets—all senior-level executives—phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Hassold writes.
5. SEC, education company Pearson settle charges over 2018 security incident for $1 million by Tim Starks
The latest cyber settlement is in the books, and it comes in at $1 million. This one involves the Securities and Exchange Commission and the British educational software company Pearson. The settlement stems from how the company handled a 2018 data breach; Pearson said in July 2019 that a potential data privacy incident could result in a major data privacy or confidentiality breach. In reality, the company had already been breached and had known about it for months. Login data for 13,000 district, school and university customer accounts was stolen as part of the attack. "As the order finds, Pearson opted not to disclose this breach to investors until it was contacted by the media, and even then, Pearson understated the nature and scope of the incident and overstated the company's data protections," Kristina Littman, chief of the SEC Enforcement Division's Cyber Unit, said on Monday.