LinkedIn Data Breach, Ransomware Payment Legislation, US Payment Processing Data Security, Google Compute Engine Vulnerability, NIST Critical Software
1. 700 million LinkedIn Users Impacted By a Data Breach
- The corporate social network, LinkedIn, experienced a significant data breach that affected 92% of its user base. This incident was announced by the malicious actors, who successfully accessed sensitive user data by misusing API functionalities to conduct unauthorized data scraping activities.
- According to security researchers, this data breach affected over 700 million users. As a result, their personally identifiable information (PII), such as names, email addresses, passwords, telephone numbers, physical addresses, and profile images, has been compromised and is likely being auctioned off on suspicious online forums.
- Although LinkedIn claims that data scraping is not a “data breach,” their user base is worried about potential data security threats that could disrupt the business and professional landscape.
Expert Commentary: Social media platforms are massive treasure troves for threat actors looking to leverage the PII records of users to deploy large-scale malicious activities. This data leak unequivocally poses significant security risks for the 700 million LinkedIn users who were affected. LinkedIn users should expect to be victims of targeted social engineering attacks, such as spear-phishing attempts, identity theft, impersonation scams, and other nefarious activities. While the threat actors responsible for this incident auction off stolen data, organizations must be on high alert for potential business email compromise (BEC) attempts.
2. Four States Propose Legislation to Ban Ransomware Payments
- To reduce and eliminate financial incentives associated with ransomware attacks, state lawmakers in Texas, North Carolina, Pennsylvania, and New York support the FBI’s advice against paying ransomware demands. As a result, state lawmakers are considering legislation that will make it illegal to pay ransomware attackers.
- Most states are concerned about using taxpayer monies to pay ransomware attackers. For example, in New York, Senate Bill S6806A will ban government and healthcare entities from paying a ransom associated with cybersecurity incidents.
- While the ransomware threat remains prevalent, no sitting U.S. Congress member has introduced federal legislation against the payment of ransomware demands.
Expert Commentary: It is excellent that lawmakers are becoming attentive to cybersecurity threats; however, legislation is likely not the most effective tool to combat ransomware threats. No matter how well-intentioned these bills appear, in high-risk industries such as healthcare, paying a ransom is the most logical thing to do – it might save lives. Also, many organizations prefer to pay a ransom to prevent large-scale operational damages. Although ransomware payments may carry steep prices for a poor security posture, it is far more expensive to lose access to critical data assets that maintain business continuity. Therefore, corporate stakeholders are more likely to decide on ransomware payments based on their organization’s business goals and security posture.
3. New Data Security Rules Shape U.S. Payment Processing Systems
- The National Automated Clearinghouse Association (NACHA) announced new data security rules to further protect customer financial records by dictating how monetary transactions occur in digital settings. The NACHA now requires that digital money processors make deposit transactions unreadable in electronic storage systems. This rule can be implemented using data encryption, truncation, tokenization, or even data destruction to meet compliance.
- For example, suppose an individual used their account number for an Automated Clearing House (ACH) payment. In that case, U.S. payment processors must implement encryption-at-rest controls on the system infrastructure that collects, processes, transfers, and stores that account number.
- The new data security rules also apply to physical documents containing ACH account numbers that are often scanned and transferred into digital storage.
Expert Commentary: Trillions of dollars are processed by ACH networks quarterly. Therefore, the financial services industry will always be a significant target for threat actors. Hence, the U.S. Department of Homeland Security (DHS) designated financial services as critical infrastructure for the U.S. government. Although encryption-at-rest is one of the most fundamental data security best practices, security awareness training measures must also be implemented as a proactive control against human-based security loopholes.
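As an added illustration (not NACHA's or any payment processor's code), two of the approaches the rule permits, truncation and keyed tokenization, applied to a constructed ACH entry so that the record written to storage never carries the readable account number; the vault key, field names and sample values are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed vault key. In production this lives in a KMS or HSM and is
# never stored beside the records it protects.
VAULT_KEY = secrets.token_bytes(32)


def truncate_account(account: str, keep: int = 4) -> str:
    """Truncation: keep only the last `keep` digits for display and reconciliation."""
    digits = "".join(ch for ch in account if ch.isdigit())
    return "*" * (len(digits) - keep) + digits[-keep:]


def tokenize_account(account: str, key: bytes = VAULT_KEY) -> str:
    """Tokenization: a keyed, deterministic surrogate usable as a join key.

    HMAC rather than a plain hash, so that without the key an attacker who
    copies the store cannot reverse tokens by hashing the small space of
    possible account numbers."""
    return hmac.new(key, account.encode(), hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class StoredAchEntry:
    token: str          # surrogate used to link transactions to an account
    display: str        # truncated form shown to operators
    amount_cents: int


def store_ach_entry(account: str, amount_cents: int) -> StoredAchEntry:
    """Build the record that is persisted; the raw account number is not a field."""
    return StoredAchEntry(
        token=tokenize_account(account),
        display=truncate_account(account),
        amount_cents=amount_cents,
    )


def record_is_unreadable(entry: StoredAchEntry, account: str) -> bool:
    """Compliance check: the full account number must not appear in any stored field."""
    digits = "".join(ch for ch in account if ch.isdigit())
    return digits not in entry.token and digits not in entry.display
```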
4. An Unpatched Virtual Machine Vulnerability Threatens the Google Compute Engine (GCE) Platform
- Security experts discovered that threat actors possess the capabilities to impersonate the metadata from unpatched virtual machines (VMs) that power Google Compute Engine (GCE) services.
- This exploit, when successfully deployed, also allows an attacker to gain access to public-key authentication parameters, thus granting direct access to the root user’s login.
- Allowing an unpatched VM to remain on a corporate network not only jeopardizes GCE services but also begins to weaken other critical components, including the Dynamic Host Configuration Protocol (DHCP) framework that governs network management.
Expert Commentary: Given that metadata infrastructures are used to manage public-key authentication, such as SSH keys, allowing rogue connections to VMs connected to live networks is lethal. With such access, an attacker can unequivocally initiate remote processes with God-like privileges over an entire network. Therefore, companies must take the security risks associated with unpatched systems very seriously to minimize the threats to critical business operations.
5. NIST Redefines ‘Critical Software’ For U.S. Federal Government Supply Chain
- To begin implementing specific requirements in President Biden’s cybersecurity executive order, the National Institute of Standards and Technology (NIST) released its standard definition for what ‘critical software’ should mean for the U.S. government. Federal agencies shall use these definitions to reevaluate software tools deployed within critical computing environments.
- According to NIST, it is critical for the U.S. federal government supply chain to have a standardized framework for assessing emerging software attributes, including zero trust mechanisms, multi-factor authentication, encryption, and other essential security controls.
- Using NIST’s new definition as a baseline, the U.S. Cybersecurity and Infrastructure Agency (CISA) will release a list of software tools that fall under the new definition, allowing CISA to develop new security rules to govern how government entities purchase and deploy critical software within critical U.S. government networks.
Expert Commentary: Following the SolarWinds hack, the security posture of critical software that performs essential functions gained the attention of private and government stakeholders. Most significantly, the software supply chain connecting government infrastructures to vendors came under heavy scrutiny. As NIST ensures a standardized method of assessing the security and integrity of critical software, its definition of critical software is comprehensive because it accounts for modern software architectures that power elevated privileges, trust boundaries, networking resources, and other critical data access technologies. This effort from NIST is a positive sign that the federal government’s pledge to protect U.S. critical infrastructure is paying off.