This Month in Cybersecurity - January Edition

WordPress Plugin Containing Vulnerabilities Found in over 300,000 Websites

According to security researchers, there were two flaws found inside of a Mailer Plugin associated with WordPress hosted websites discovered in the month of December. The researchers stated that the flaws affected over 300,000 websites and were discovered within a few weeks of each other. One flaw allowed for the hijacking of the password reset function through the plugin’s authentication API and the other allowed for threat agents to insert dangerous or malicious code into the webpages.

Read More

Navigating the Challenges of SSPR: A Balanced View on the DFS Industry Letter

Discover practical insights in our latest blog post on navigating the complexities of Self-Service Password Reset (SSPR) systems for small businesses. As we delve into the New York State Department of Financial Services (DFS)'s recent guidelines, we uncover the unique challenges faced by smaller entities in implementing these security measures. Learn about the real-world implications of the DFS's recommendations and explore viable, resource-conscious compensating controls. This post is a must-read for small business owners and information security professionals seeking practical solutions in a landscape dominated by stringent security demands. Stay ahead in information security with our expert analysis and tailored advice.

Read More

Don't Get Breached: How the DFS Part 500 Amendment Strengthens Insurance & Finance Resilience

In a sea of shifting regulatory landscapes, the New York Department of Financial Services (NYDFS) has dropped a new anchor: the Part 500 amendment. This critical update significantly strengthens cybersecurity mandates for insurance and finance players, placing business continuity and disaster recovery (BCDR) plans at the helm of resilience.

But are these companies truly prepared for the data breach tsunami this amendment anticipates?

This comprehensive blog dives deep into the revised requirements, unpacking key changes like:

  • Deeper risk assessments: Forget surface-level skimming! The amendment demands deep dives into vulnerabilities and specific data breach scenarios.

  • Beyond the basics: Dust off those outdated "power outage" plans. Robust data breach response, containment,and recovery protocols are now center stage.

  • Boardroom buy-in: Cybersecurity isn't just an IT issue anymore. Senior management and boards are now crucial players in building a secure future.

Don't get swept away by the tide of cyber threats! Whether you're a seasoned insurance giant or a nimble fintech startup, this blog equips you with actionable steps to navigate the new landscape and build a fortress against data breaches.

Discover:

  • Expert tips for crafting a watertight BCDR plan

  • Common pitfalls to avoid in your data breach response

  • Why proactive preparedness is your strongest defense

Ready to weather the storm of cyberattacks with confidence? Then chart your course!

Read More

This Month in Cybersecurity - December Edition

Final Patch Tuesday of 2023 - Microsoft and Adobe

Both Adobe and Microsoft have released the notes for the final patches to occur this year for both companies as 2023 closes out. Microsoft disclosed vulnerabilities for Office and Components, Win32k, Windows Kernel, the Microsoft Bluetooth Driver, among other things. The tech giant has fixed several flaws within their software that allowed for Denial of Service (DoS) exploits, spoofing, Elevation of Privelege (EoP), information disclosure, and remote code execution. Of these flaws, Microsoft has confirmed that there are 4 critical level vulnerabilities among the 38 they found and corrected within the patch.

Adobe experienced a slightly larger vulnerability load, disclosing that the company has found and patched 212 vulnerabilities, of which 13 were labeled as critical severity amongst their software suites. Adobe Experience Manager was the recipient of the lion’s share of these vulnerabilities, logging 185 of the 212 patched vulnerabilities.

None of these vulnerabilities were known to be exploited in the wild, but as always, we suggest that you update to the latest security build on any device/software/network to stay as secure as possible.

SEC Clarifies New Incident Disclosure Rules Coming into Effect

In July, the SEC announced that it would be adopting and implementing new rules surrounding the disclosure of a cybersecurity incident for public companies. These new rules would require companies to disclose any material breach within four business days of discovering the incident, if it had a material impact. Companies would also be required to submit annual reports regarding the information on their cybersecurity risk management, strategy, and governance. These rules, according to the SEC, are to provide investors with “timely, consistent, and comparable information”.

There was some concern raised by industry professionals pointing to the fact that the information the SEC is forcing victims to provide could be very useful to threat agents, providing insight to help set ransom demands. Erik Gerding, director of the SEC’s Division of Corporation Finance, has clarified that the final versions of the rules will require less information than initially outlined, even allowing for delayed response, or exemption if the company can verify that releasing that information will cause more harm or prove a substantial risk to public safety or national security.

The FBI has allowed delayed responses on behalf of the Justice Department in regards to cybersecurity incidents, providing some guidelines for how this process may work. The SEC has promised to assist companies regarding these new rules and promises to create a formal definition of what is “material” to an organization.

Guidance on Incorporating SBOMS Issued by NSA

Guidance on how organizations can incorporate software bill of materials (SBOMs) and mitigate supply chain risks has been published by the National Security Agency (NSA). In May 2021, an executive order concerning cybersecurity mandated the use of SBOMs to create transparency for users and to allow an understanding of related software components.

In the guidance, the NSA states that consumers should be leveraging available government resources to ensure that the software they acquire is secure. The agency also suggests software suppliers to mature their SBOM exchange practices, putting responsibility on the software providers to ensure that their software is secure by design.

 

Defensible Strategies

Learn from those who have been attacked

7 Million Exposed in Customer Data Breach at Delta Dental

Delta Dental, a large dental insurance company in California, has sent out notification letters to impacted individuals that their personal information was compromised. The company disclosed that on the 27th of November, they were able to determine that personal information of clients were included in the breach that occurred in late May. The breach was a result of the MOVEit Incident, a zero day exploit of the software’s file transfer tool.

The incident has affected more than 2600 organizations, including many Upstate New York entities, including healthcare organizations, SUNY schools, private colleges and universities, and many other organizations alongside Delta Dental. Reports are showing that more than 6.9 million individuals are involved in the Delta Dental breach and upwards of 62 million total individuals across the rest of the breach.

Instances such as the MOVEit breach are glaring examples of why companies should prioritize third-party risk management. If you and your organization have any questions, or would like to take a deeper look into your risk management plans, please feel free to reach out to Cyber Defense!

Hospitality Industry Targeted by Resurfacing Malware, Qakbot

The hospitality industry is being targeted by a phishing campaign that is seeing a new version of a previously dismantled malware. Qakbot, also known a Qbot or Pinkslipbot, was once the target of a coordinated effort, known as Operation Duck Hunt, where authorities managed to gain access to its infrastructure and enabled infected PCs to uninstall the malware and render ineffective.

The campaign, that is ongoing, was first discovered by Microsoft who noticed a wave of phishing emails from users claiming to be an IRS employee starting on December 11th of 2023. The tech giant has said that it is a low volume campaign, utilizing a URL within a PDF to download a Windows Installer onto the target’s computer. Once the installer has run, Qakbot is capable of of harvesting sensitive information, as well as delivering additional malware, and even ransomware.

While phishing campaigns are not new, it is imperative that we continue to teach and learn about attempts to infiltrate through phishing lures and spam emails. If you would like help learning more about how to prevent breaches like these, please reach out to us for Phishing and Internet Security Training!

NOTICE

New York has implemented an amendment to the DFS Regulation that may significantly impact your operations. Many of these changes were original proposed in the regulation proposal stage.

For a comprehensive overview of these changes, we have prepared a detailed web page where Jim has outlined the amendments section-by-section. You can access this valuable resource at the following link: https://cyberd.us/dfs-reg-500-2nd-amendment

Cyber Defense is happy to assist with navigating these changes and getting your company, so please do not hesitate to contact us as soon as possible!