Category Archives: Supply Chain Security

The SEC’s New Cyber Rules


What Every Public Company CISO Must Know:

The role of a Chief Information Security Officer (CISO) in public companies has never been more pivotal. With cyber threats escalating in scale and sophistication, the Securities and Exchange Commission (SEC) has rolled out new cyber regulations aimed at safeguarding investors, stakeholders, and the broader market. Given that the amendments took effect on September 5, 2023, it’s crucial for your organization to be informed. While the final rules are quite lengthy, I’ll offer a condensed and digestible version in this blog post to help you understand the key points – so make sure to read on!

The Backdrop:

Back in March 2022, the Commission took the bold step of introducing a suite of regulations. The intent was clear: fortify public company disclosures concerning cybersecurity. This encompassed key areas such as cyber threats, strategic countermeasures, governance structures, and insights into major cyber incidents.

At the time, several major trends led the Commission to take this action. The digital evolution and massive work-from-home shifts, intertwined with the allure of cybercrime monetization and an overarching reliance on third-party tech services like cloud platforms, have stretched cyber risk boundaries. The financial fallout from cyber incidents has also skyrocketed. Given all of this, the Commission’s move to ensure transparency isn’t just timely—it’s imperative.

Though the Commission offered guidance in 2011 and 2018, the standards remained inconsistent. The 2022 regulations were introduced to bring consistency and offer investors clearer insights.

Key Mandates To Be Aware Of:

Skip ahead to 2023, and the SEC’s proposed rules have officially transformed into finalized rules. Here are the essential highlights you should be aware of…

  1. Form 8-K Item 1.05: A pivotal element in the new regulations. Public companies now have the duty to report significant cyber incidents. Reports must “describe the material aspects of the nature, scope, and timing of the incident, as well as the material impact or reasonably likely material impact of the incident on the registrant, including its financial condition and results of operations.”

  2. Disclosure Timeline: After a cyber event, companies need to swiftly gauge its significance. If it is found to be material, a Form 8-K needs to be filed within four business days. However, exceptions do exist. Should the U.S. Attorney General deem a quick disclosure a threat to national security or public safety, the disclosure may be delayed.

  3. Regulation S-K Item 106: This regulation delves deep. It mandates firms to shed light on their cyber threat assessment, detection, and management strategies. Past incidents that have or might have considerable ramifications also need to be outlined. Plus, it casts the spotlight on how involved the board is in overseeing cyber risks and the prowess of the management in mitigating them.

  4. International Disclosures: The SEC is highlighting that global transparency is crucial. Modifications to Form 6-K and Form 20-F ensure that foreign private entities aren’t left out. Significant cyber events disclosed overseas or required by foreign issuers need to be detailed.

What Lies Ahead:

The new regulations will be operational a month after their Federal Register appearance. For companies, the compliance timelines are split based on the form:

  • Regulation S-K Item 106 & Form 20-F: Disclosure starts with annual statements for fiscal years ending on or after December 15, 2023.

  • Form 8-K Item 1.05 & Form 6-K: Compliance starts 90 days after Federal Register publication or by December 18, 2023, except for smaller firms, which have until June 15, 2024.

  • Finally, when it comes to structured data mandates, the spotlight is on Inline XBRL. The final rules require the cybersecurity disclosures to be presented in Inline eXtensible Business Reporting Language. Entities must tag their disclosures using this format, a year after the kick-off of initial disclosure duties. To simplify what this filing format is for those who may not be aware, it’s a special language for computers that makes it possible to create a single document that’s human and machine readable. So, instead of making two different documents (one for people to read and one for computers to understand), you just make one using Inline XBRL.

Every day we are reminded how crucial cyber resilience is. For CISOs in public companies, aligning with the SEC’s updated cyber regulations is not just about compliance—it’s a commitment to transparency, investor protection, and long-term business sustainability.



August Data Breach And Security Round Up


August may be known for summer vacations and relaxing by the beach, but in the world of hackers, it was a month of action-packed cyber escapades. As the digital realm grows, so does the audacity of those who breach the walls of data security. In this blog post, I will take you through the breaches that unfolded in the hot days of August. From electric cars to language learning apps, we’ve got it all covered. Let’s dive in.

Tesla:

Tesla recently attributed a data breach affecting over 75,000 of its employees to insider misconduct, according to an official statement. The electric vehicle manufacturer, headed by Elon Musk, stated in a data breach report submitted to Maine’s Attorney General that a thorough investigation determined two former employees had disclosed personal information belonging to more than 75,000 individuals to a foreign media organization.

Tesla’s data privacy officer, Steven Elentukh, stated in the report that “the investigation uncovered that two former Tesla employees wrongfully obtained and shared this information, contravening Tesla’s IT security and data protection protocols by providing it to the media outlet.”

The sensitive data included personally identifiable details such as names, addresses, contact numbers, employment records, and Social Security numbers of 75,735 past and current Tesla employees. The report also revealed that the two ex-employees had transmitted this data to the German newspaper Handelsblatt, which assured Tesla it would refrain from publishing the information and adhere to legal restrictions concerning its use.

In May, Handelsblatt had previously reported a significant breach at Tesla, disclosing various internal documents, known as the “Tesla Files,” totaling 100 gigabytes of confidential information. These documents included employee personal data, customer banking information, proprietary production details, and customer grievances regarding Tesla’s Full Self-Driving (FSD) functionalities. Remarkably, the leak even contained Elon Musk’s Social Security number.

Tesla responded by initiating legal action against the individuals believed to be responsible for the data breach, leading to the confiscation of their electronic devices. Additionally, the company obtained court orders to prevent these former employees from further accessing, sharing, or using the data, with potential criminal consequences for violations.

This incident follows a previous report in April by Reuters, which revealed that Tesla employees had shared sensitive images recorded by customer vehicles, including invasive pictures and videos captured by car cameras, over the period from 2019 to 2022.

Duolingo:

In January 2023, a data breach of Duolingo resulted in the exposure of 2.6 million users’ data on a hacking forum. This has created an opportunity for malicious actors to execute targeted phishing campaigns using the compromised information. The dataset consists of public login and real names, along with confidential details, such as email addresses and internal data related to the Duolingo platform, which can be exploited in cyberattacks.

The data was acquired by exploiting a publicly available application programming interface (API), which had been openly shared since at least March 2023. Researchers had been posting on social media and public platforms about the ease of using this API, which ultimately led to the data breach. The API permits anyone to input a username and receive JSON output containing the user’s publicly accessible profile data. Importantly, it also facilitates the input of an email address into the API to confirm its association with a valid Duolingo account.

The presence of email addresses in the dataset raises significant concerns as it can be exploited in phishing campaigns, which can have detrimental effects on individuals and organizations. It is vital to note that while the inclusion of real names and login names is part of a user’s Duolingo profile, the presence of email addresses is not considered public information.
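To show the difference between a profile endpoint that doubles as an e-mail existence oracle and one that does not, here is an added Python example; it is not Duolingo’s code, and the user records, field names, `RateLimiter` and `handle_profile_request` handler are constructed stand-ins for illustration:

```python
from collections import defaultdict, deque
from typing import Optional

# Constructed user records standing in for a language-app profile store.
# The field names are hypothetical, not Duolingo's real schema.
USERS = {
    "wordnerd": {"display_name": "Word Nerd", "email": "wn@example.com", "streak": 42},
    "polyglot": {"display_name": "Polly Glot", "email": "pg@example.com", "streak": 7},
}
# Fields a user has agreed to show publicly; e-mail is deliberately absent.
PUBLIC_FIELDS = ("display_name", "streak")


def profile_leaky(query: str) -> Optional[dict]:
    """Weak design: matches on username OR e-mail and returns the whole record.

    Any caller can feed in an e-mail address and learn (a) whether it belongs
    to an account and (b) that account's username and private fields.
    """
    for name, rec in USERS.items():
        if query in (name, rec["email"]):
            return {"username": name, **rec}
    return None


def profile_hardened(username: str) -> dict:
    """Hardened design: usernames only, public fields only.

    An e-mail address passed as the username simply fails to match, and the
    response shape is identical for known and unknown names, so the endpoint
    no longer answers the question "is this e-mail registered?".
    """
    rec = USERS.get(username)
    fields = {k: rec[k] for k in PUBLIC_FIELDS} if rec else {}
    return {"username": username, "profile": fields}


class RateLimiter:
    """Sliding-window limiter: at most `limit` lookups per client per `window_s` seconds.

    Bulk enumeration of millions of profiles depends on cheap, unthrottled
    lookups; a per-client budget slows a scrape to a rate that stands out in
    logs and can be investigated.
    """

    def __init__(self, limit: int, window_s: float) -> None:
        self.limit = limit
        self.window_s = window_s
        self._hits = defaultdict(deque)  # client id -> timestamps of recent lookups

    def allow(self, client: str, now: float) -> bool:
        q = self._hits[client]
        while q and now - q[0] >= self.window_s:  # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def handle_profile_request(limiter: RateLimiter, client: str, username: str, now: float) -> tuple:
    """Hypothetical request handler returning (HTTP status, JSON-style body)."""
    if not limiter.allow(client, now):
        return 429, {"error": "too many requests"}
    return 200, profile_hardened(username)
```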

Companies often downplay the significance of scraped data, as much of it is already publicly accessible, even if its compilation is not straightforward. However, when public data is combined with private information, such as phone numbers and email addresses, it amplifies the risk associated with the exposed data and may potentially breach data protection regulations. Facebook encountered a significant breach in 2021 when an “Add Friend” API flaw was exploited to link phone numbers to Facebook accounts for 533 million users. Subsequently, the Irish Data Protection Commission (DPC) imposed a fine on Facebook for this mishandling of scraped data.

I will say, it is also pretty concerning that the API, which led to the Duolingo data breach, is still openly accessible on the internet, even after reports of its misuse were forwarded to Duolingo in January. This puts Duolingo users at risk and highlights the need for companies to take data protection seriously. While companies may downplay the significance of scraped data, the potential for harm is significant, and it is crucial to address these issues proactively to ensure that personal information remains secure.

Discord.io:

On August 14, 2023, an unofficial platform known for providing redirect and invitation links to Discord servers, Discord.io, suffered a significant data breach. The hacker “Akhirah” exposed the breach, which has compromised the personal information of more than 760,000 users.

The stolen data from the breach includes usernames, Discord IDs, email addresses, and passwords that have been salted and hashed. While salting and hashing offer a degree of protection, the potential for the hashes to be cracked remains a looming threat, underscoring the immediate need for users to bolster their security. Discord.io urges users to change their passwords to mitigate the impact of the breach.

Discord.io has taken the unprecedented step of indefinitely suspending its operations in response to the breach. Visitors to the Discord.io website now encounter a message detailing the seriousness of the breach. The company is being transparent about the compromised data fields, aiming to provide affected users with clarity regarding the information exposed and what remains secure in the wake of this incident.

“We have canceled existing premium subscriptions, and we will be reaching out to affected users individually. As of now, we have not been contacted by those responsible for the breach, nor have we initiated contact with them. To our knowledge, the database has not been made public at this time.” – Discord.io

In an interview with the hacker Akhirah, he expressed a desire for Discord.io to eliminate malicious content from their platform and communicate with him to resolve these issues, without seeking retribution or a reward.

This data breach follows a similar trend in the cybersecurity landscape. Just recently, the LetMeSpy Android Spyware Service also announced its permanent shutdown following a successful breach by a hacker who gained access to user data.

SEIKO: 

SEIKO NPC Corporation, a long-established Japanese semiconductor manufacturer founded in 1975 with approximately 12,000 employees, has officially recognized the possibility of a data breach.

On August 10th, the company posted a data breach notification on its website. However, cybersecurity experts only recently became aware of the breach after the ransomware group BlackCat featured SEIKO on its data leak platform.

SEIKO did not provide specific details but referred to the cybersecurity incident as a “potential” data breach.

According to SEIKO, “On July 28th of this year, the company experienced a potential data breach. It appears that unauthorized individuals or parties gained access to at least one of our servers.”

ALPHV/BlackCat Ransomware, now taking credit for the breach, shared several files on their data leak platform as evidence. Among these files was what appeared to be a copy of the passport of Yoshikatsu Kawada, a director at SEIKO’s well-known Watch Corporation subsidiary.

After an external cybersecurity expert examined the incident, SEIKO determined that a breach occurred, and some of the company’s information may have been compromised.

“At present, we are in the process of confirming the precise nature of the information stored on the affected servers. Once our ongoing investigation yields more specific results, we will promptly provide an update,” the company stated. However, no further updates regarding the breach have been made available thus far.

About ALPHV/BlackCat Ransomware:

ALPHV/BlackCat ransomware first emerged in 2021. Similar to other entities in the cybercriminal realm, this group operates a ransomware-as-a-service (RaaS) enterprise, selling malware subscriptions to criminal actors. Notably, the gang’s malware is written in the Rust programming language.

According to an analysis by Microsoft, threat actors associated with this ransomware were known to collaborate with other prominent ransomware families such as Conti, LockBit, and REvil.

The FBI has suggested that money launderers affiliated with the ALPHV/BlackCat cartel have ties to Darkside and Blackmatter ransomware cartels, indicating a well-established network of operatives within the RaaS sector.

Recently, ALPHV/BlackCat has been notably active among ransomware groups. According to cybersecurity analyst ANOZR WAY, the group was responsible for approximately 12% of all attacks in 2022.

This gang appears to have recently focused its efforts on professional service providers. In mid-May, it claimed responsibility for breaching Mazars Group, an international firm specializing in auditing, accounting, and consulting services.

Forever 21:

Clothing and accessories retailer, Forever 21, is in the process of sending data breach notifications to over half a million individuals whose personal information was exposed to unauthorized intruders. The company operates a global network of 540 outlets and has a workforce of approximately 43,000 employees.

A portion of the data breach notification, shared with the Office of the Maine Attorney General, reveals that the company detected a cyberattack on multiple systems on March 20. The investigation unveiled that hackers had sporadic access to Forever 21 systems between January and March of this year and utilized this access to pilfer data.

“The investigation determined that an unauthorized third party accessed specific Forever 21 systems at different intervals between January 5, 2023, and March 21, 2023,” states the notice. “Results from the investigation indicate that the unauthorized third party acquired specific files from certain Forever 21 systems during this timeframe” – Forever 21.

The data breach notice, dispatched on August 29 to 539,207 affected individuals, lists the following potentially exposed data types:

  • Full names

  • Social Security Numbers (SSN)

  • Dates of Birth

  • Bank Account Numbers

  • Forever 21 Health Plan information

BleepingComputer reached out to Forever 21 to ascertain if the security incident impacted both customers and employees. A spokesperson from the company issued the following statement: “The incident was limited to current and former Forever 21 employees and did NOT affect personal data pertaining to Forever 21 customers.”

In the notice, Forever 21 reports that they have taken steps to ensure that the hackers have deleted the stolen data, implying that the company may have engaged in communication with the attacker. Such actions often occur following ransomware attacks, where the victim negotiates with the hackers to reach a reasonable ransom. However, it is important to note that a ransomware attack on Forever 21 has not been confirmed.

In November 2017, Forever 21 informed its customers of another data breach affecting its payment system, resulting in the compromise of card data from transactions made between March and October 2017.

Italian Banks Temporarily Disabled by Distributed Denial of Service (DDoS) Attacks:

Several banks in Italy recently experienced temporary outages due to targeted Distributed Denial of Service (DDoS) attacks.

On August 1st, the Agenzia per la Cybersicurezza Nazionale (ACN) announced that it had identified cyberattacks against at least five banks in the country, resulting in a temporary disruption of their services.

The affected banks included BPER Banca (EMII.MI), Intesa Sanpaolo (ISP.MI), FinecoBank (FBK.MI), Popolare di Sondrio (BPSI.MI), and Monte dei Paschi di Siena (BMPS.MI).

According to the ACN, it “detected the resurgence of distributed denial of service (DDoS) attack campaigns carried out by pro-Russian… groups targeting national institutional entities.” The ACN attributed the attacks to the Russian hacking group known as “NoName.”

An employee from one of the affected banks informed Reuters that the bank’s website was taken offline due to a substantial surge in traffic. However, the bank’s mobile app continued to function normally during the attack, and the website was restored after a brief period.

The ACN stated that it provided assistance to all those affected by the DDoS attacks launched by NoName.

What Are DDoS Attacks?

Distributed Denial of Service (DDoS) attacks involve malicious actors attempting to disrupt a website by overwhelming its infrastructure with a significant volume of internet traffic. As DDoS attacks saturate a site’s bandwidth, users are unable to access it.

DDoS attacks can be motivated by various factors, but their primary objective is to cause disruption by temporarily taking websites offline. Due to their disruptive nature, DDoS attacks are employed by malicious entities as a means of directly targeting specific individuals or organizations.

Moving Forward:

Data breaches can have severe consequences for both companies and individuals, including financial loss, reputational damage, and identity theft. As the frequency and sophistication of cyberattacks continue to increase, it is crucial for companies to prioritize data protection and implement robust security measures. By staying vigilant and proactive in their approach to cybersecurity, organizations can minimize the risk of a data breach and protect their customers’ trust.


The Top 10 Things Every CISO Should Know


What Every CISO Should Know in 2023 to Protect Their Business


In our rapidly evolving digital age, the role of a Chief Information Security Officer (CISO) has never been more crucial. As a CISO, your role stretches far beyond traditional IT security measures. You are the protector of your organization’s most valuable assets, from intellectual property to customer data. The following insights delve deeper into what every CISO should know in 2023 to ensure they’re at the forefront of safeguarding their business.


1. Grasping the Business

Understanding your business inside out is paramount. The best CISOs fully comprehend the company’s goals, mission, and operational mechanics. Why is this so vital? Because only with this understanding can you adequately prioritize and champion security initiatives. Furthermore, by aligning security measures with business goals, you ensure that security is not viewed as a roadblock but rather an enabler of growth and success.


2. Emphasizing Effective Risk Management

Risk management isn’t just a box to tick; it’s a continual process. This involves constant vigilance—identifying emerging threats, assessing their potential impact, and implementing controls to counteract them. Today’s cyber threats are dynamic, with cybercriminals using sophisticated techniques that change by the minute. Hence, regular risk assessments and updates are non-negotiable. But, just as crucial is the art of communication. The ability to articulate these risks, along with their potential implications to the board and executives, can make the difference between proactive action and reactive damage control.


3. Moving Beyond Compliance

While regulatory compliance is essential, in 2023, it’s merely a starting point. With the ever-evolving threat landscape, relying solely on regulations and standards can render a business vulnerable. It’s like only installing a front door lock while leaving all the windows open. Instead, a proactive approach, involving continuous assessment and adaptation of security measures to the unique needs and threats faced by your organization, is pivotal.


4. Championing Security Awareness

The human factor can often be the weakest link in any security chain. As such, empowering every single employee with the knowledge and tools to act as the first line of defense is vital. This means ongoing training, regular reminders, and cultivating a culture where security is everyone’s business. Remember, from the receptionist to the CEO, everyone can either be an asset or a vulnerability.


5. Harnessing the Power of Effective Communication

Clear, concise, and compelling communication can be one of the most potent tools in a CISO’s arsenal. It’s essential to translate the often complex world of security into language that everyone—from the tech newbie to the seasoned board member—can grasp. Regularly updating stakeholders about security postures, potential risks, and ongoing initiatives not only fosters trust but also reinforces the importance of collective vigilance.


Expanding the CISO’s Toolkit in 2023:

But let’s push the envelope further. In addition to the critical pointers above, CISOs in 2023 should be aware of:


6. Embracing the Cloud and Zero Trust: 

As businesses transition to cloud infrastructures, understanding cloud security best practices becomes paramount. Moreover, adopting a Zero Trust approach—where every access request is fully authenticated, authorized, and encrypted before granting access—ensures layered defense in a distributed work environment.


7. Machine Learning and AI:

Cybercriminals are leveraging AI; so should you. Incorporating machine learning can help with anomaly detection, identifying potential threats faster than any human could, and enhancing predictive analytics. Findings not only automates assessments and the auditing process for all of your company’s vendors, but also offers real-time updates on your risk posture, powered by RiskRecon and Anomali.


8. Regular Penetration Testing:

Gone are the days when an annual penetration test sufficed. Regularly challenging your systems can expose vulnerabilities before cybercriminals exploit them.


9. Incident Response Preparedness:

It’s not about if, but when a breach might occur. Having a well-rehearsed incident response plan ensures rapid containment, minimizing potential damage.


10. Collaborative Security:

Partnering with other businesses, industry groups, and governmental bodies can provide invaluable intelligence and resources. Cybersecurity is a collective endeavor.


In conclusion, being a CISO in 2023 means juggling many balls—compliance, risk management, employee training, effective communication, technological advancements, and more. The threat landscape might be challenging, but with the right approach, tools, and mindset, CISOs can ensure their organizations are robustly defended and primed for growth.



Data Breaches and Cyber Attacks Round Up: June 2023

Findings.co data breaches and cyber attacks in review june 2023

In a world where technology reigns supreme and cyber crime lurks around every digital corner, organizations find themselves locked in a never-ending battle to protect their precious data. From the MOVEit vulnerability that left organizations trembling, to the turbulence in the airline industry caused by data breaches, and even a ransomware attack on a tech titan, June had it all. Buckle up and get ready to explore these hair-raising incidents that prove cybersecurity is no joke in the fast-paced digital age. It’s time to dive into the data breaches and cyber attacks that organizations faced in June 2023.



MOVEit:


Recently, a significant incident involving the MOVEit vulnerability and data extortion has had a global impact on numerous organizations. Exploiting a vulnerability in Progress Software’s widely-used MOVEit file transfer application, criminals targeted organizations, particularly those within supply chains utilizing the app, resulting in data breaches and the theft of customer and/or employee data.


In more detail, Progress Software Corporation, a company specializing in software and services for user interface development, DevOps, and file management, issued a warning to its customers regarding a critical vulnerability, CVE-2023-34362. The vulnerability affects the MOVEit Transfer and MOVEit Cloud products, which provide a secure and convenient way to store and share files within teams, departments, companies, and supply chains. MOVEit Transfer’s web-based front end, designed to simplify file sharing and management through a web browser, was found to have a SQL injection vulnerability. This class of vulnerability occurs when input from an HTTP request is incorporated into a database query without proper handling, leaving the server open to manipulation: attackers can inject SQL commands through URLs, potentially leading to data loss or unauthorized access.

Progress Software released patches for the affected versions of MOVEit, but unauthorized commands may have been injected before the patch was applied, resulting in data compromise. To mitigate the risk, Progress recommends ensuring that all instances of MOVEit software are patched, disabling the web-based interfaces if patching is not immediately possible, monitoring logs for suspicious activity, and adopting secure programming practices such as input sanitization and parameterized queries to prevent SQL injection attacks.



Additional Victims of the MOVEit Hack:


The total number of impacted organizations has come to over 130, affecting over 16 million individuals. Brett Callow, a threat analyst at cybersecurity firm Emsisoft, has so far identified around 138 organizations that have fallen victim to the campaign, resulting in the compromise of personal information for over 15 million people. It is expected that these numbers will rise as more victims come forward. The cybercrime group, believed to have ties to Russia and known for their use of the Cl0p ransomware, has claimed responsibility for the attack. They boast being the sole threat actor aware of the MOVEit zero-day exploit before it was patched. Recently, they have started naming organizations that have refused to pay their ransom demands or engage in negotiations. 


Their list includes notable entities such as Shell, Siemens Energy, Schneider Electric, UCLA, Sony, EY, PwC, Cognizant, AbbVie, Kirkland & Ellis, and K&L Gates. Siemens Energy and Schneider Electric have confirmed being targeted. UCLA acknowledged the exploitation of the vulnerability but clarified that it does not classify the incident as a ransomware attack, likely because no file-encrypting malware was employed and there is no evidence of other system compromises on campus. Government organizations, including the US Department of Energy and the Health Department, have also been affected. The New York City Department of Education, the Oregon DMV, the National Student Clearinghouse, and associated schools have reported being victims as well. The cybercriminals, however, claimed on their website that they have deleted data from over 30 government-related organizations because their focus is purely financial and they are not interested in such entities. Gen Digital, the parent company of renowned cybersecurity brands including Avast, Avira, AVG, Norton, and LifeLock, has also officially acknowledged that the personal information of its employees was compromised during the recent MOVEit ransomware attack.


As you can tell, this recent MOVEit data breach has had a domino effect. The personal information of approximately 769,000 retired members of CalPERS, the California Public Employees’ Retirement System, was exposed. The breach also affected 415,000 members and beneficiaries of CalSTRS, the California State Teachers’ Retirement System. The breach was reported by CalPERS after their third-party vendor, PBI Research Services, discovered a vulnerability in their MOVEit Transfer Application. The vulnerability allowed unauthorized access to sensitive data such as names, dates of birth, Social Security numbers, and even the names of family members of the affected members. CalPERS is the largest public pension fund in the United States, serving over 2 million members in its retirement system and more than 1.5 million in its health program. CalSTRS, on the other hand, is the second-largest public pension fund in the country and the largest retirement system for teachers, serving more than 947,000 members.


American Airlines:


American Airlines and Southwest Airlines, two major global airlines, have recently reported data breaches resulting from a security incident involving Pilot Credentials, a third-party vendor responsible for managing pilot applications and recruitment portals for multiple airlines. Both airlines were notified about the incident on May 3, clarifying that the breach was limited to the systems of the third-party vendor and did not impact their own networks or systems. The unauthorized individual behind the breach gained access to Pilot Credentials’ systems on April 30 and stole documents containing information submitted by certain applicants during the pilot and cadet hiring process.


American Airlines stated that the breach affected 5,745 pilots and applicants, while Southwest reported a total of 3,009 affected individuals. The compromised data included personal information such as names, Social Security numbers, driver’s license numbers, passport numbers, dates of birth, Airman Certificate numbers, and other government-issued identification numbers. It’s worth noting that American Airlines has experienced previous data breaches, including one in September 2022 resulting from a phishing attack and another in March 2021 due to a breach in SITA’s Passenger Service System, which affected multiple airlines globally.



Taiwan Semiconductor Manufacturing Company (TSMC):


Taiwan Semiconductor Manufacturing Company (TSMC), the world’s largest contract chipmaker and a major semiconductor supplier for Apple, has confirmed a data breach after being targeted by the LockBit ransomware gang. The gang, linked to Russia, listed TSMC as a victim and demanded a $70 million ransom. TSMC confirmed the security incident but refrained from disclosing the specific data accessed or held for ransom by LockBit actors, and stated that the breach did not impact its business operations or compromise customer information. The incident originated from a cybersecurity breach at one of TSMC’s IT hardware suppliers, Kinmax Technology, a Hsinchu-based systems integrator known to collaborate with various technology companies. TSMC terminated its data exchange with Kinmax and assured that customer information remains secure. Kinmax apologized for the incident and indicated that other customers may have been affected, though it remains uncertain whether they were. The breach follows recent arrests related to LockBit ransomware attacks.


The National Hazard Agency, a subgroup of LockBit, set a deadline of August 6 for TSMC to pay the ransom, threatening to publicly release the stolen data. The threat actors also claimed to possess “points of entry” to TSMC’s network, along with login credentials, which are valuable to cyberattackers. TSMC reported robust financial figures for 2022, making it an enticing target. Following the incident report, TSMC conducted a thorough review of its hardware components and security configurations, discontinuing data exchange with Kinmax and reinforcing security measures. The company emphasized its commitment to raising security awareness among suppliers and ensuring compliance with its security requirements.


Kinmax, the implicated IT supplier, downplayed the breach, stating that the intruder accessed system installation preparation information in the engineering test environment, which was unrelated to customers’ actual applications. Kinmax expressed regret and extended apologies to affected customers, mentioning enhanced security measures implemented to prevent future incidents.


TSMC’s breach highlights the growing trend of third-party compromises leading to data breaches in various organizations. It coincides with reports of organizations falling victim to the Cl0p ransomware gang due to a vulnerability in the widely used MOVEit Transfer app by Progress Software. The Biden administration’s cybersecurity executive order in May 2021 has underscored the significance of securing IT supply chains.


Microsoft:


In early June 2023, Microsoft encountered a surge in traffic that affected the availability of some services. To address this issue, Microsoft promptly launched an investigation and began monitoring ongoing Distributed Denial-of-Service (DDoS) activity conducted by a threat actor known as Storm-1359. These attacks seem to rely on the utilization of multiple virtual private servers (VPS), rented cloud infrastructure, open proxies, and DDoS tools. No evidence suggests that customer data has been accessed or compromised during these recent DDoS attacks. The focus of these DDoS attacks was primarily on layer 7 rather than layer 3 or 4. To enhance customer protection against similar DDoS attacks, Microsoft has fortified its layer 7 defenses by optimizing the Azure Web Application Firewall (WAF). While these measures have proven effective in mitigating most disruptions, Microsoft consistently evaluates the performance of its defenses and incorporates lessons learned to further refine and enhance their effectiveness.


Customers are advised to review the technical details and recommended actions provided in this blog to bolster the resilience of their environments and mitigate the impact of comparable attacks.


Technical Details:

Microsoft’s assessment reveals that Storm-1359 possesses a collection of botnets and tools that enable the threat actor to launch DDoS attacks from various cloud services and open proxy infrastructures. Storm-1359 appears to be primarily focused on causing disruption and gaining publicity.


Storm-1359 has been observed employing different types of layer 7 DDoS attack traffic, including:


HTTP(S) flood attack: This attack exhausts system resources by inundating them with a high volume of SSL/TLS handshakes and HTTP(S) requests. The attacker distributes a large number of HTTP(S) requests from different source IPs across the globe, overwhelming the application’s backend and depleting compute resources (CPU and memory).


Cache bypass: This attack attempts to bypass the Content Delivery Network (CDN) layer, potentially overwhelming the origin servers. The attacker sends a series of queries against generated URLs, causing the frontend layer to forward all requests to the origin instead of serving cached content.


Slowloris: In this attack, the client establishes a connection with a web server and requests a resource (e.g., an image), but intentionally fails to acknowledge the download or accepts it very slowly. This forces the web server to keep the connection open and retain the requested resource in memory.


Recommendations – Layer 7 DDoS Protection Tips:


To mitigate the impact of layer 7 DDoS attacks, Microsoft recommends that customers consider the following measures:


Utilize layer 7 protection services like Azure Web Application Firewall (WAF) (available with Azure Front Door, Azure Application Gateway) to safeguard web applications.


When using Azure WAF:


Employ the bot protection managed rule set, which provides defense against known malicious bots. For more information, refer to the configuration instructions for bot protection.

Block IP addresses and ranges that you identify as malicious. Examples of how to create and use custom rules can be found in the provided resources.

Consider blocking, rate limiting, or redirecting traffic from outside or within defined geographic regions to a static webpage. Refer to the examples in the provided resources for more information on creating and using custom rules.

Create custom WAF rules that automatically block and rate limit HTTP or HTTPS attacks with known signatures.
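The three layer 7 patterns above leave different traces in a web server’s access log, and two of them can be flagged from the log alone before any WAF rule is written. This added example (not Microsoft’s or Findings’ code) parses constructed log lines in an assumed format and flags sources whose request rate looks like an HTTP(S) flood, or whose requests are almost all cache misses with freshly generated query strings, the cache-bypass pattern; the log format, thresholds and sample addresses are assumptions, and the comments note why Slowloris needs connection-level telemetry instead.

```python
"""Flag layer 7 DDoS patterns (HTTP flood, cache bypass) in web access logs.

Added example, not code from Microsoft or the blog. The log format, the
thresholds and the sample traffic are assumptions constructed for illustration.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed log format: <client-ip> <epoch-seconds> <method> <path> <status> <cache-status>
LOG_RE = re.compile(r"^(\S+) (\d+) ([A-Z]+) (\S+) (\d{3}) (HIT|MISS|BYPASS)$")

WINDOW_SECONDS = 10        # assumed: sliding window used for the rate check
FLOOD_REQUESTS = 50        # assumed: more than this per window from one source = flood
MIN_MISSES = 20            # assumed: minimum origin misses before judging cache bypass
UNIQUE_QUERY_RATIO = 0.9   # assumed: share of misses carrying a never-seen query string


@dataclass
class SourceStats:
    timestamps: list = field(default_factory=list)
    misses: int = 0
    unique_queries: set = field(default_factory=set)


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ip, ts, method, path, status, cache = m.groups()
    return {"ip": ip, "ts": int(ts), "method": method, "path": path,
            "status": int(status), "cache": cache}


def peak_rate(timestamps, window=WINDOW_SECONDS):
    """Largest number of requests falling inside any `window`-second span."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(ts):
        while t - ts[lo] >= window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify(lines):
    """Map each client IP to the list of patterns it matches (empty list = nothing seen).

    HTTP(S) flood: request rate from one source exceeds FLOOD_REQUESTS per window.
    Cache bypass: nearly every origin miss from a source carries a query string that
    source has not used before (generated URLs defeating the CDN cache).
    Slowloris is not detectable here: a half-open request never produces a completed
    access-log entry, so it needs connection-level telemetry (age of open connections).
    """
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.timestamps.append(rec["ts"])
        if rec["cache"] != "HIT":
            s.misses += 1
            s.unique_queries.add(urlsplit(rec["path"]).query)
    verdicts = {}
    for ip, s in stats.items():
        flags = []
        if peak_rate(s.timestamps) > FLOOD_REQUESTS:
            flags.append("http_flood")
        if s.misses >= MIN_MISSES and len(s.unique_queries) / s.misses >= UNIQUE_QUERY_RATIO:
            flags.append("cache_bypass")
        verdicts[ip] = flags
    return verdicts


def build_sample_log():
    """Constructed sample traffic using RFC 5737 documentation addresses (not real data)."""
    lines = []
    # Ordinary visitor: a handful of cache hits.
    for i in range(5):
        lines.append(f"198.51.100.4 {1000 + i * 7} GET /index.html 200 HIT")
    # Legitimate dynamic traffic: many misses, but the same query string every time.
    for i in range(30):
        lines.append(f"192.0.2.10 {1000 + i * 10} GET /search?q=shoes 200 MISS")
    # Flood plus cache bypass: 30 requests/second, each with a fresh cache-busting parameter.
    for i in range(120):
        lines.append(f"203.0.113.7 {1000 + i // 30} GET /assets/logo.png?cb={i} 200 MISS")
    # Low-rate cache bypass: slow enough to dodge a rate limit, but every request hits origin.
    for i in range(25):
        lines.append(f"203.0.113.9 {1000 + i * 4} GET /api/items?nocache={i} 200 MISS")
    return lines


if __name__ == "__main__":
    for ip, flags in sorted(classify(build_sample_log()).items()):
        print(f"{ip:15} {', '.join(flags) or 'clean'}")
```

The low-rate source shows why a rate limit alone is not enough: it never trips the flood threshold, yet every one of its requests reaches the origin.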


DMPS:


Des Moines Public Schools is currently contacting approximately 6,700 individuals to inform them about a data security event that occurred earlier this year. This incident, which occurred in January, involved a cyberattack on the school district and may have led to the potential exposure of personal information belonging to those affected. 


The cyberattack on DMPS also involved a ransom demand. However, in accordance with the advice of cybersecurity experts and considering the best interests of the school district and community, no ransom has been or will be paid in response to this attack.


And speaking of schools, the University of Manchester also recently disclosed a breach. In the week starting on June 6th, the University received news of a cyber incident in which unauthorized individuals gained access to certain systems and likely copied data. According to the University, its dedicated team of experts, both internal and external, is working day and night to address the incident and determine the extent of the data accessed; its main focus is to swiftly resolve the situation and promptly inform those affected, and it is allocating all possible resources towards achieving these objectives.



Cybersecurity is Essential:


The incidents surrounding MOVEit, American Airlines, TSMC and Microsoft serve as stark reminders of the importance of cybersecurity in our fast-paced digital age. These incidents underscore the serious and ongoing nature of cybersecurity threats, reminding organizations to remain vigilant, strengthen their defenses, and prioritize the safeguarding of valuable data in the digital landscape. 








Top Cyber Attacks and Data Breaches: May 2023 Round Up


In an era dominated by digital connectivity, the frequency and impact of data breaches continue to escalate, leaving individuals and organizations vulnerable to devastating consequences. From state-sponsored hacking campaigns to opportunistic cybercriminals, the realm of data security is constantly under siege. Recent events have once again thrust data breaches into the spotlight, as major corporations and industry giants grapple with the aftermath of malicious intrusions. In this blog post, I will delve into a series of alarming incidents that have unfolded in May 2023, shedding light on the tactics employed, the extent of compromised information, and the potential ramifications for affected individuals and businesses. Brace yourself for an eye-opening exploration of the evolving threat landscape as we navigate the treacherous waters of data breaches and their far-reaching impact.


  1. On May 24, 2023, Microsoft reported that it found targeted malicious activity by Volt Typhoon, a state-sponsored group from China, aiming to gain unauthorized access to credentials and explore critical infrastructure networks in the US. This campaign supposedly intends to disrupt communication infrastructure between the US and Asia during future crises. Volt Typhoon has been active since mid-2021, primarily targeting critical infrastructure organizations in Guam and other US regions across various sectors. They employ stealth techniques, living-off-the-land methods, and manipulate systems using command line instructions. The threat actor maintains persistent access and attempts to conceal their activities by routing network traffic through compromised SOHO network equipment.


  2. Sysco, a major U.S. multinational food distribution corporation, recently revealed that approximately 126,243 current and former employees may have had their sensitive data accessed and acquired in a cyberattack that took place in January. According to notification letters sent to affected individuals, Sysco’s systems were initially breached on January 14, but the intrusion was only discovered nearly two months later. The company assured that its operational systems, business functions, and customer services remained unaffected by the breach. While specific details about the data accessed for each individual are yet to be confirmed, Sysco stated that the compromised information may include personal data provided for payroll purposes, such as names, Social Security numbers, account numbers, or similar information.


  3. On May 26, 2023, Managed Care of North America (MCNA) Dental published a data breach notification on its website, informing approximately 9 million patients that their personal data was compromised. MCNA Dental is one of the largest government-sponsored (Medicaid and CHIP) dental care and oral health insurance providers in the U.S. On March 6, 2023, the insurance provider discovered unauthorized activity in their computer system. They took immediate action to halt the activity and initiated an investigation with the assistance of a specialized team. It was determined that an unauthorized user was able to access and make copies of certain information between February 26, 2023, and March 7, 2023. The potentially compromised information includes contact details such as first and last name, address, date of birth, phone number, and email address. Social Security numbers, driver’s license numbers or other government-issued ID numbers were also accessed. Additionally, health insurance information such as plan details, insurance company information, member numbers, and Medicaid-Medicare ID numbers may have been involved. Specific information related to dental care, including visits, dentist and doctor names, past treatments, x-rays/photos, prescribed medicines, and treatment details, as well as bills and insurance claims, were also potentially exposed.


  4. NextGen Healthcare, a vendor of cloud-based electronic health records, has been informing over 1 million individuals about a data compromise that involves the unauthorized acquisition of login credentials. This incident marks at least the second alleged data security breach that the company has probed since January. The company explained that an unknown third party gained unauthorized access to a limited set of personal data between March 29, 2023, and April 14, 2023. The accessed information includes names, dates of birth, addresses, and Social Security numbers. Out of the 198 significant breaches of health data that have been reported on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website in 2023, impacting a total of 17.4 million individuals, it has been disclosed that at least 75 of these incidents, affecting 9.8 million individuals, were reported to involve business associates. Approximately 38% of the major health data breaches reported on the HIPAA Breach Reporting Tool website in 2023 involved vendors and other business associates. Interestingly, despite accounting for a smaller proportion of breaches, these incidents were responsible for impacting 56% of the individuals affected by breaches in the healthcare sector.


  5. Luxottica, the world’s largest eyewear company known for brands like Ray-Ban, Oakley, and Chanel, has officially confirmed, via BleepingComputer, a data breach that occurred in 2021. The breach exposed the personal information of approximately 70 million customers when a database was recently made available for free on hacking forums. Luxottica revealed that one of its partners experienced the breach, involving a security incident that affected a third-party contractor responsible for holding customer data. The exposed data includes sensitive details such as full customer names, email addresses, phone numbers, residential addresses, and dates of birth. Luxottica emphasized that financial information, Social Security numbers, login credentials, and other critical data that could endanger customer safety were not compromised. The FBI has made an arrest in connection with the incident, resulting in the shutdown of the website where the data was published.


  6. On May 11, 2023, Brightly informed present and past SchoolDude users that a security incident occurred. SchoolDude is an online platform used by educational institutions for placing and tracking maintenance work orders. Information such as name, email address, account password, phone number, and school district name were potentially breached.


  7. On May 8, 2023, Dragos, a company specializing in industrial cybersecurity, experienced a failed extortion scheme by a cybercriminal group. The group gained unauthorized access by compromising the personal email of a new sales employee, allowing them to impersonate a Dragos employee and access resources in SharePoint and the contract management system. Although they accessed a report with customer IP addresses, Dragos’ security controls prevented the threat actor from deploying ransomware or making further infrastructure changes. The cybercriminals resorted to extortion attempts, escalating their messages and contacting Dragos executives and known contacts. However, Dragos chose not to engage with the criminals and promptly activated their incident response retainer and involved their third-party MDR provider. The investigation is ongoing, but Dragos has implemented additional verification steps for their onboarding process and emphasizes identity and access management, multi-factor authentication, continuous monitoring, and incident response preparedness.


In other news, in May, it was discovered that Apple banned its employees from using generative AI tools like OpenAI’s ChatGPT and GitHub’s Copilot due to concerns about potential data leaks and disclosure of sensitive information. Apple’s decision is based on the fact that OpenAI stores all user interactions by default, including conversations with ChatGPT, which are used for training and subject to moderation. While OpenAI introduced an option to disable chat history, conversations are retained for 30 days for abuse review before permanent deletion. Apple worries that employees may unintentionally reveal confidential project information within ChatGPT, which could be accessed by OpenAI moderators. Similar restrictions have been implemented by other companies like JP Morgan, Verizon, and Amazon. Despite the ban, OpenAI recently launched an iOS app for ChatGPT, making Apple’s decision notable, considering the app’s availability and future expansion plans. 


As data breaches continue to make headlines, it becomes abundantly clear that the protection of sensitive information is of paramount importance. The incidents highlighted in this blog post serve as a stark reminder that no individual or organization is immune to the persistent and ever-evolving threats posed by cybercriminals. As we move forward, it is imperative for individuals and businesses alike to prioritize robust security measures, including stringent access controls, advanced encryption protocols, and employee education programs. By staying vigilant, proactive, and informed, companies can fortify their defenses and mitigate the risks associated with data breaches. 





Automated Security Assessments: Expectations and Preparation


Automated security assessments are one of the most talked-about features in the supply chain management industry. Organizations have turned to automated solutions to enhance their risk management and supply chain compliance after recognizing the need to eliminate the burdensome and time-consuming task of manually auditing and tracking numerous vendors. It makes sense, after all. Who wants to spend hours on end doing manual work to audit and chase hundreds of thousands of vendors?


The answer is: no one. 


Findings’ comprehensive platform has gone above and beyond to automate risk management and supply chain compliance, saving organizations of all sizes extensive manual work and reducing friction. 


Now, let’s break down some things you should expect to see when using the platform that will ultimately help you prepare. 


  1. Assessment Logic


When managing assessments in the Findings platform, you can create an assessment from scratch with branching logic, or upload pre-existing assessments and tweak them to suit your needs. When you create an assessment from scratch, you can create a question with various answer choices. If the answer choices are branching types such as radio button, multi-select, or dropdown, you can create a follow-up question based on a particular response chosen.


When it comes to uploading assessments from pre-existing documents, you can edit the subjects and alter the logic to suit the vendor’s needs via our assessment wizard. Once the assessment has been uploaded, you can clone, edit and tailor it with various app integrations for the associated vendors.


  2. Findings and Remediation:


Imagine the ability to pre-create remediation plans and suggestions. Essentially, rather than sending out an assessment to a vendor and then having to review it and write out compliance corrections and suggestions manually, this is pre-prepared before the vendor even begins the assessment. For any answer choice that is not in compliance, you can create a suggested remediation plan for that answer and change the risk level, which will affect the vendor’s overall score. When the vendor completes the assessment, they already have a remediation plan ready for them, so that they can bridge the gaps without all the time-consuming back and forth.


  3. Response Repository (NLP):


Our response repository is based on neuro-linguistic programming and is one of the biggest assets our users hold. When a vendor or customer completes an assessment, our system scans the answers and stores them in a repository, to be matched against similar written questions the next time an assessment is completed. The next time a user completes an assessment, our automated suggested answers pop up and the user can insert the answers based on the relevant match. This saves the numerous hours of manual work that completing assessments from scratch would require. Within seconds, your assessment can be completed and you can focus on other essential tasks.


Automated security assessments provided by Findings are perfect for organizations seeking efficient risk management and streamlined supply chain compliance. By automating the assessment process, organizations of all sizes can save valuable time and resources that would otherwise be spent on manual audits and vendor follow-ups. By utilizing the features we offer, organizations can complete assessments quickly and focus on other essential tasks, ultimately improving their overall security posture and supply chain management.







Benefits of Automating Security Assessments for Your Organization


It is indeed true that companies that fail to leverage automated tools are overlooking significant opportunities. This holds particularly true when it comes to security and compliance. Companies are finding it increasingly challenging to proactively identify, address, and mitigate security issues, since, well – there are more threats than ever. Conducting regular security assessments is essential to detect vulnerabilities and reduce the risk of future breaches. However, relying on manual methods and outdated procedures can be unreliable and diminish the effectiveness of risk mitigation strategies. To ensure secure and robust networks, as a business leader you must prioritize the implementation of automated security assessments. They not only minimize risk exposure, but they can also shorten the sales cycle, save a company money, and strengthen cybersecurity defenses, making them a crucial investment for your company.

(Source: CISA – Continuous Diagnostics and Mitigation Learning Program: Benefits of Automating Security Control Assessments)

Automation Speeds Up Reaction and Activity:

Automation plays a vital role in streamlining processes and driving transformation in modern industries. By automating the risk assessment process and management, organizations can make informed financial decisions, streamline risk and compliance procedures, and enhance their overall risk profile. This automation eliminates human error, enables faster response times, and promotes growth. Real-time threat information and risk reports empower security teams to handle threats more effectively and improve response and action times. Automated risk management strategies can efficiently compile, classify, upload, and organize incoming data, which allows for the identification of similar incidents and the implementation of prepared actions or responses.

Enhanced Cybersecurity Risk Management:

Automated assessments provide organizations the ability to manage cybersecurity risks more comprehensively and effectively. These assessments offer security teams up-to-date and detailed data about ALL their vendors that can be shared with senior management and executives. By eliminating manual tasks and enabling real-time monitoring, automation allows risk managers to focus on risk avoidance and mitigation. Furthermore, automation expedites the entire risk management process by instantly uploading fresh data and promptly reporting any issues. Through continuous monitoring and real-time visibility, organizations can identify gaps in their cybersecurity posture and take the necessary security measures to rectify them.

Standardizing Data and Improving Collaboration:

In many organizations, different departments rely on separate and potentially incompatible data to analyze and assess cyber risks. With so much data floating around in different hands, conflicting reports create confusion among managers. Automated security assessments provide a centralized platform for data collection, ensuring consistent and standardized data across the organization. This eliminates discrepancies and enables effective collaboration among departments. Executives and managers can access accurate and comprehensive information, leading to better-informed decision-making and improved cyber risk management strategies.

Scaling Security Risk Assessment:

Automation significantly simplifies the scalability of security risk assessment processes within a company. Automated assessment platforms like Findings are designed to handle both small and large-scale tasks, allowing organizations to adapt to changing demands without the need for hiring and training new personnel. Predictability is another advantage of automation, as most response actions can be anticipated, making it easier to manage various system interactions securely. Additionally, automation provides better tracking capabilities, allowing organizations to monitor progress, identify completed assessment components, and address pending tasks more efficiently.

Measuring ROI of Automation:

Calculating the return on investment (ROI) for automated security risk assessment involves considering the time and resources saved by automating time-consuming tasks and preventing adverse outcomes. While evaluating the ROI for automated security risk assessment may differ from other business operations, the goal is to demonstrate to IT management that the investment was worthwhile, considering the resources and time allocated.

Out With the Old, in With the New:

In today’s digital landscape, where cyberattacks are a constant threat, automating security assessments is not just beneficial but imperative for organizations aiming to protect their assets, maintain customer trust, and ensure business continuity. It is an investment that pays off in terms of enhanced security, streamlined processes, and improved risk management.

Collaborating with companies like Findings, which specialize in security risk assessment automation, can help organizations identify weaknesses and risks more effectively. Automated security risk assessments provide a proactive approach to maintaining the security of organizational systems, preventing potential breaches, and ensuring a safe operating environment. By leveraging automation, organizations can improve response times, standardize data, enhance collaboration, and scale security risk assessment processes. It is crucial for businesses to embrace automation.



How Hackers Are Utilizing Lateral Movements


A Hacker’s Playground


In the world of cybersecurity, lateral movement is one of the most commonly used and destructive tactics employed by hackers. It is a technique in which an attacker who has gained access to a compromised device within a network then uses that access to move across the network, compromising other devices and systems. According to a study by VMware Contexa, 44% of intrusions include lateral movement, making it a significant threat to organizations of all sizes.


What is Lateral Movement?


Lateral movement is a technique used by hackers to gain access to additional devices and systems within a network. Once a hacker has successfully breached one device, they can use the access they have gained to move laterally across the network, potentially accessing valuable data, exfiltrating data, or deploying ransomware.


Lateral movement can take many forms, but one of the most common is the use of stolen credentials. Hackers often use phishing or other social engineering tactics to obtain user credentials, such as usernames and passwords, which they can then use to access other devices within the network. Once inside the network, the hacker can use various techniques to evade detection, such as using encryption, tunneling, or other forms of obfuscation to hide their activity.


Another common form of lateral movement is the exploitation of unpatched vulnerabilities. Hackers can use known vulnerabilities in software or systems to gain access to a device, and then use that access to move laterally across the network. In some cases, hackers may even create new vulnerabilities in the software or systems they compromise to make lateral movement easier.


Why is Lateral Movement so Dangerous?


Lateral movement is dangerous because it allows hackers to access multiple devices and systems within a network, potentially compromising valuable data and systems. This can lead to data theft, financial losses, and even system shutdowns. Lateral movement also allows hackers to “island hop” across networks, gaining access to systems in other organizations that are connected to the compromised network.


Once hackers have gained access to a network, they can use lateral movement to maintain persistence, meaning that they can continue to access the network even if some of their access points are detected and removed. This makes it more difficult for organizations to detect and remove the hackers from their networks, increasing the potential damage that can be done.


How Can Organizations Protect Themselves?


Organizations can protect themselves from lateral movement by implementing several cybersecurity best practices. One important step is to implement multi-factor authentication, an extra level of security, which requires users to provide additional forms of identification beyond just a username and password. While it isn’t completely foolproof, it can help prevent hackers from using stolen credentials to access additional devices within the network.


Another important step is to regularly patch software and systems to address known vulnerabilities. When companies stay on top of it, they can prevent hackers from using vulnerabilities to gain access to the network and move laterally across devices. Additionally, organizations should use network segmentation to limit the lateral movement of hackers. In an explanation provided by the Cybersecurity and Infrastructure Security Agency (CISA) they explain that it is “a physical or virtual architectural approach dividing a network into multiple segments, each acting as its own subnetwork providing additional security and control. Creating boundaries between the operational technology (OT) and information technology (IT) networks reduces many risks associated with the IT network, such as threats caused by phishing attacks. Segmentation limits access to devices, data, and applications and restricts communications between networks.” This can help contain the spread of a potential attack and limit the damage that can be done.


Organizations should also regularly monitor their networks for suspicious activity, such as unusual login attempts or data exfiltration. This can help identify potential breaches early on and allow organizations to take action before the damage is done.


Finally, it is important for organizations to provide regular cybersecurity training to their employees. This can help employees recognize and avoid common phishing and social engineering tactics, which are often used by hackers to obtain credentials and gain access to networks.


Key Takeaways:


It’s extremely important for organizations to take lateral movement seriously and take steps to protect themselves against this type of attack. By implementing best practices and staying vigilant, organizations can reduce the risk of a successful lateral movement attack and protect their valuable data and systems. Continuous monitoring is a cybersecurity practice that involves constantly monitoring an organization’s networks and systems for suspicious activity or threats. By implementing continuous monitoring, organizations can detect potential lateral movement attacks early on and take action before any significant damage is done.


Continuous monitoring involves the use of automated tools that can detect and alert security teams of any unusual activity on the network. This can include unexpected login attempts, unauthorized access to sensitive data, and attempts to exploit vulnerabilities in software and systems.


In addition to automated tools, continuous monitoring also involves regular human oversight and analysis. Security teams can review alerts and data logs to identify potential threats and investigate any suspicious activity. This can help identify and stop lateral movement attacks early on, before they can cause significant damage.


Overall, continuous monitoring can be a valuable tool in the fight against lateral movement attacks and other cybersecurity threats. By implementing this practice, organizations can improve their security posture and reduce the risk of a successful attack.
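The unusual-logon monitoring described above can be made concrete with a small detector. This added example, not Findings’ code, runs two checks over constructed authentication events: an account reaching an unusually large number of distinct hosts within a short window (the fan-out that credential-based lateral movement produces), and an account authenticating from a workstation it has never been seen on; the event fields, thresholds and host and account names are assumptions.

```python
"""Flag lateral-movement indicators in authentication logs.

Added example, not from the blog post. Event shape, thresholds and the
host/user names are assumptions; the sample events are constructed inline.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class LogonEvent:
    ts: int           # epoch seconds
    user: str
    src_host: str     # workstation the logon came from
    dst_host: str     # server that accepted (or rejected) it
    logon_type: int   # 3 = network logon, in Windows Event ID 4624 terms
    success: bool


FANOUT_WINDOW = 600   # assumed: 10 minutes
FANOUT_HOSTS = 5      # assumed: distinct hosts inside the window that trips the alert


def detect_fanout(events, window=FANOUT_WINDOW, threshold=FANOUT_HOSTS):
    """Return {user: peak distinct hosts} for accounts whose successful network
    logons reach `threshold` distinct destination hosts inside any `window` seconds.

    A human reaches two or three servers in ten minutes; a stolen credential being
    walked across the estate reaches many. Failed attempts are ignored here (a
    password spray is a different signal) and only logon type 3 is counted.
    """
    per_user = {}
    for e in sorted(events, key=lambda e: e.ts):
        if e.success and e.logon_type == 3:
            per_user.setdefault(e.user, []).append(e)
    flagged = {}
    for user, evs in per_user.items():
        in_window = Counter()   # destination host -> logons currently inside the window
        lo, peak = 0, 0
        for e in evs:
            in_window[e.dst_host] += 1
            while e.ts - evs[lo].ts >= window:   # slide the window forward
                old = evs[lo].dst_host
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            flagged[user] = peak
    return flagged


def detect_new_sources(events, baseline):
    """Return (user, src_host) pairs for successful network logons from a workstation
    the account has never been seen on; `baseline` is the set of known pairs.
    Each new pair is reported once even if it recurs in the batch."""
    seen = set(baseline)
    new_pairs = []
    for e in sorted(events, key=lambda e: e.ts):
        pair = (e.user, e.src_host)
        if e.success and e.logon_type == 3 and pair not in seen:
            new_pairs.append(pair)
            seen.add(pair)
    return new_pairs


def build_sample_events():
    """Constructed events (not real data)."""
    base = 1_700_000_000
    events = []
    # Routine: alice reaches a file server and the mail server from her own workstation.
    for i, host in enumerate(["FS01", "MAIL01", "FS01"]):
        events.append(LogonEvent(base + i * 1800, "alice", "WS-ALICE", host, 3, True))
    # Suspicious: a service account appears on alice's workstation and reaches eight
    # different servers in under three minutes; one further attempt fails.
    targets = ["FS01", "FS02", "SQL01", "SQL02", "APP01", "APP02", "DC01", "BACKUP01"]
    for i, host in enumerate(targets):
        events.append(LogonEvent(base + 7200 + i * 20, "svc_backup", "WS-ALICE", host, 3, True))
    events.append(LogonEvent(base + 7200 + 170, "svc_backup", "WS-ALICE", "DC02", 3, False))
    return events


# Constructed baseline of (account, workstation) pairs seen during normal operation.
BASELINE = {("alice", "WS-ALICE"), ("svc_backup", "BACKUP01")}


if __name__ == "__main__":
    evs = build_sample_events()
    print("fan-out:", detect_fanout(evs))
    print("new source pairs:", detect_new_sources(evs, BASELINE))
```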





Don’t Let Hackers In: Your Company Needs to Enforce 2FA ASAP


There’s no denying it – 2FA is a game-changer. Two-factor authentication (2FA) is a security process that requires a user to provide two different factors to verify their identity. It adds an extra layer of security beyond passwords and is an important tool for companies to use to protect their sensitive information and prevent unauthorized access. In this blog post, we will explore the benefits of 2FA and look at some real-world examples of cyberattacks that could have been prevented or mitigated if 2FA had been used.


What is Two-Factor Authentication (2FA)?


2FA is a security process that requires a user to provide two different factors to verify their identity. These factors typically include something the user knows, such as a password or PIN, and something the user has, such as a security token or mobile device. By requiring two different factors, 2FA ensures that only authorized users can access systems and data, helping to prevent unauthorized access and protect against phishing attacks.


Benefits of Two-Factor Authentication (2FA):


The importance of 2FA cannot be overstated. In today’s digital landscape, cyberattacks are becoming increasingly sophisticated, and it’s becoming more difficult to protect against them. However, by implementing 2FA, companies can significantly reduce the risk of a breach occurring.


There are many benefits to using 2FA to protect sensitive information and prevent unauthorized access. Some of the key benefits include:


Increased Security:

  • 2FA adds an extra layer of security beyond passwords, making it more difficult for attackers to gain access to systems and data. By requiring two different authentication factors, 2FA ensures that only authorized users can access sensitive information, helping to prevent data breaches and other security incidents.

Protection Against Phishing Attacks: 

  • Phishing attacks are a common tactic used by cybercriminals to trick users into revealing their login credentials. 2FA can help protect against phishing attacks by requiring users to provide a second factor of authentication, making it more difficult for attackers to gain access to sensitive information.

Compliance Requirements: 

  • Many regulatory frameworks require the use of 2FA to protect sensitive information. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires merchants who accept credit card payments to use multi-factor authentication for remote access to the cardholder data environment.
  • In addition, some states have passed laws that require companies to implement 2FA in certain situations. For example, the New York State Department of Financial Services (NYDFS) Cybersecurity Regulation requires covered entities to implement multi-factor authentication for access to sensitive data and systems.
  • Internationally, the European Union’s General Data Protection Regulation (GDPR) does not explicitly require companies to implement 2FA, but it does require companies to implement appropriate technical and organizational measures to ensure the security of personal data. The GDPR also requires companies to notify data subjects in the event of a data breach, and 2FA can be an effective means of preventing unauthorized access to personal data.
  • Overall, while there is no universal requirement for companies to implement 2FA, many industries and regulatory bodies recognize its importance in improving security and protecting sensitive data. By implementing 2FA, companies can ensure that they are in compliance with these requirements, helping to avoid potential fines and other penalties.

Trust:

  • Enforcing 2FA builds trust with customers, who will appreciate the additional security measures in place to protect their data. 


Why 2FA isn’t enough sometimes:


The effectiveness of 2FA lies in its deployment, rather than the security measure itself. If any component of the 2FA process is compromised, it can result in a security breach. Traditional methods like phishing and social engineering are now being used to bypass 2FA more and more. As written by Steven J. Vaughan-Nichols, “In short, 2FA can’t stop human stupidity.” 


We all know that cybersecurity is no joke. That’s why 2FA is a must-have tool in any company’s arsenal to safeguard their sensitive information and prevent unwanted visitors from sneaking in. By requiring not just one, but two authentication factors, companies can ensure that only those with the key to the kingdom are granted access to their systems and data. This helps keep everything locked up tight, safe from the prying eyes of cybercriminals. Time and time again, it’s proven to be the hero we need to foil malicious attacks and protect our valuable data.



How Security Assessments Help Prevent Breaches

Findings.co explores how security assessments can help prevent data breaches

Data breaches can cause significant damage to a business, both in terms of financial losses and damage to reputation. In recent years, the number of data breaches reported has increased dramatically, with cybercriminals using increasingly sophisticated methods to gain access to sensitive data. One of the most effective ways to prevent data breaches is by conducting regular security assessments.

A security assessment is a comprehensive evaluation of an organization’s security posture. It involves reviewing all aspects of the organization’s security, including policies, procedures, infrastructure, and personnel. The goal of a security assessment is to identify vulnerabilities and weaknesses that could be exploited by an attacker. There are many types of security assessments, including vulnerability assessments, penetration testing, and risk assessments. Each of these assessments has its own unique methodology, but they all aim to achieve the same goal: to identify vulnerabilities and weaknesses in an organization’s security.

By conducting a security assessment, organizations can identify vulnerabilities before they are exploited by attackers. This allows the organization to take proactive steps to mitigate the risk of a data breach. For example, if a security assessment identifies that the organization’s password policies are weak, the organization can implement stronger policies to prevent unauthorized access.

Another benefit of conducting a security assessment is that it can help organizations comply with industry and regulatory requirements. Many industries have specific regulations that organizations must follow to protect sensitive data. By conducting a security assessment, organizations can ensure that they are meeting these requirements and avoid costly fines and legal action.

Additionally, conducting a security assessment can help organizations identify areas where they need to invest in additional security measures. For example, if a security assessment reveals that the organization’s network infrastructure is outdated, the organization can allocate resources to upgrade the infrastructure to better protect against attacks.

It’s important to note that conducting a security assessment is not a one-time event. Security threats and vulnerabilities are constantly evolving, and organizations must regularly review and update their security measures to stay ahead of attackers.

Why are Security Assessments Important?

Security assessments are essential for preventing data breaches because they help organizations identify vulnerabilities before they are exploited by attackers. By conducting a security assessment, organizations can take proactive steps to mitigate the risk of a data breach.

For example, a vulnerability assessment can identify vulnerabilities in an organization’s software or hardware systems. These vulnerabilities could be used by an attacker to gain unauthorized access to sensitive data. By identifying these vulnerabilities, organizations can take steps to patch or fix them before an attacker can exploit them.

Similarly, a penetration test can simulate an attack on an organization’s systems to identify weaknesses that could be exploited by an attacker. By conducting a penetration test, organizations can identify vulnerabilities and weaknesses in their systems and take steps to improve their security.

Security assessments are also important for helping organizations comply with industry and regulatory requirements. Many industries have specific regulations that organizations must follow to protect sensitive data. By conducting a security assessment, organizations can ensure that they are meeting these requirements and avoid costly fines and legal action.

Examples of Security Assessments in Action:

Now that we’ve explored why security assessments are important, let’s take a look at some examples of how they’ve helped organizations prevent data breaches.

Example 1: Target Data Breach

In 2013, retail giant Target suffered a massive data breach that compromised the personal and financial information of millions of customers. The breach was caused by a vulnerability in Target’s payment system that was exploited by attackers.

Following the breach, Target conducted a security assessment to identify the root cause of the attack and prevent future breaches. The assessment identified a number of vulnerabilities in Target’s systems, including weaknesses in the company’s password policies and network segmentation.

Based on the findings of the assessment, Target implemented a number of security measures, including two-factor authentication for remote access, improved password policies, and increased network segmentation. These measures helped to prevent future data breaches at Target.

Example 2: Equifax Data Breach

In 2017, credit reporting agency Equifax suffered a data breach that exposed the personal and financial information of over 140 million customers. The breach was caused by a vulnerability in Equifax’s web application software that was exploited by attackers.

Following the breach, Equifax conducted a security assessment to identify the root cause of the attack and prevent future breaches. The assessment identified a number of vulnerabilities in Equifax’s systems, including weaknesses in the company’s patch management processes and web application security.

Based on the findings of the assessment, Equifax implemented a number of security measures, including improved patch management processes, enhanced web application security, and increased employee training on cybersecurity best practices. These measures helped to prevent future data breaches at Equifax.

Example 3: University of Virginia Data Breach

In 2014, the University of Virginia suffered a data breach that exposed the personal and financial information of over 18,000 current and former employees. The breach was caused by a vulnerability in the university’s payroll system that was exploited by attackers.

Following the breach, the university conducted a security assessment to identify the root cause of the attack and prevent future breaches. The assessment identified a number of vulnerabilities in the university’s systems, including weaknesses in its patch management processes, access controls, and network security.

Based on the findings of the assessment, the university implemented a number of security measures, including improved patch management processes, enhanced access controls, and increased network security. The university also provided additional cybersecurity training to its employees to help prevent future data breaches.

As we’ve seen in these examples, security assessments can be a powerful tool for preventing data breaches. By identifying vulnerabilities and weaknesses in an organization’s security posture, organizations can take proactive steps to mitigate the risk of a data breach. This can include implementing security measures such as two-factor authentication, improved password policies, enhanced patch management processes, and increased employee training on cybersecurity best practices.

In addition to preventing data breaches, security assessments can also help organizations comply with industry and regulatory requirements. By conducting a security assessment, organizations can ensure that they are meeting these requirements and avoid costly fines and legal action.

Ultimately, conducting regular security assessments is essential for any organization that wants to protect its sensitive data from cybercriminals. By taking proactive steps to identify and address vulnerabilities, organizations can help prevent data breaches and protect the privacy and security of their customers and employees.


