learn more
<https://castlehalldiligence.com>
shutterstock_490960141-1

Industry News: ESG5

Know Your Breach: MCA Wizard

The target: MCA Wizard, a now defunct mobile app for loaning money to small business owners developed jointly by Advantage Capital Funding and Argus Capital Funding in 2018.

The take: 425GB of data comprising over 500,000 documents, including credit reports, bank statements, contracts, legal paperwork, driver’s licenses, purchase orders & receipts, tax returns, social security information and more.

The attack vector: Even though the app itself was pulled from both Google Play and the App Store, the data behind it remained online, stored in an unsecured AWS S3 bucket which was accessible without a password. Security researchers noted that while the app was no longer available, new documents were being added to the database right up until its removal, suggesting that another application or service could have been using the same bucket.

While this is yet another example of a misconfigured storage bucket, it also raises the issue of security controls and management of the lifecycle of data. If an app or service reaches its end of life, there is absolutely an onus on the responsible firm to manage any sensitive data collected or processed by that app through to secure deletion.

Read more...

Developed APAC States Most Exposed to Cyber Risks

2020-03-26

Computer Weekly: Developed countries in Asia-Pacific (APAC) with more established digital economies may be most vulnerable to cyber attacks, but they are also among the most prepared in the region to deal with cyber threats, a new study has found.

Read more...

This Attack is the Most Common Threat You Will Face

2020-03-26

ZDNet: Almost half of businesses have experienced a cyberattack or data breach in the past year – and almost all of the organisations that know they've been on the receiving end of attacks have reported being targeted by phishing and other fraudulent emails as the volume of these attacks continues to rise.

Read more...

U.S. Cybersecurity Experts See Recent Spike in Chinese Digital Espionage

2020-03-25

Reuters: A U.S. cybersecurity firm said Wednesday it has detected a surge in new cyberspying by a suspected Chinese group dating back to late January, when coronavirus was starting to spread outside China.

Read more...

10 Ways Hackers are Using Automation to Boost Their Attacks

2020-03-25

ZDNet: Automation is something businesses in almost every sector are familiar with, as part of their efforts to make systems more efficient. It's something that the cybersecurity industry is increasingly using, with automated data collection and processing playing an ever-growing role in protecting against data breaches and cyberattacks.

Read more...

Banks, Regulators Move to Protect Customers from Wave of Coronavirus Scams in UK, U.S.

2020-03-24

Reuters: UK banks are stepping up fraud prevention measures to protect customers from scammers eager to exploit the coronavirus pandemic with a whole range of new tricks, including fake sales of medical supplies and bogus government relief schemes.

Read more...

Cybersecurity and Fraud Risks for Fund Managers in the Wake of Coronavirus

2020-03-24

JDSUPRA: COVID-19 has created many new concerns for private fund managers; however, managers should be particularly mindful of heightened cybersecurity and fraud risks. With increased numbers of employees teleworking, there are increased vulnerabilities for cybercriminal intrusions creating privacy-related risks for fund portfolio information, LP confidential data, and other sensitive electronically-stored materials.

Read more...

Exclusive: Elite Hackers Target WHO as Coronavirus Cyberattacks Spike

2020-03-23

Reuters: Elite hackers tried to break into the World Health Organization earlier this month, sources told Reuters, part of what a senior agency official said was a more than two-fold increase in cyberattacks.

Read more...

Know Your Breach: Virgin Media

The target: Virgin Media, a British telephone, television and internet provider

The take: ‘Limited contact information’ of 900,000 customers, including names, home and e-mail addresses, and phone numbers along with some birth dates and technical and product information.

The attack vector: A misconfigured marketing database left the information exposed for nearly a year, and was confirmed to have been accessed ‘on at least one occasion’ by an outside party.

This incident highlights the need to ensure regimented security controls are established and verified anywhere that an organization stores personally protected information. Security controls must always be commensurate to the type of data being stored, and they must travel with that data to protect the firm and it’s clients from a data breach.

Read more...

Financial Companies Leak 425GB in Company, Client Data Through Open Database

2020-03-19

ZDNet: vpnMentor researchers led by Noam Rotem said the database appears to be connected to MCA Wizard, a now-defunct app that appears to have been developed by Advantage Capital Funding and Argus Capital Funding. 

Read more...

Cybercrime Damage Costs May Double Due to Coronavirus (COVID-19) Outbreak

2020-03-19

Cision: According to the report, cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015. This represents the greatest transfer of economic wealth in history, risks the incentives for innovation and investment, and will be more profitable than the global trade of all major illegal drugs combined.

Read more...

Coronavirus Cyberhygiene: Dos and Don'ts for COVID-19 Remote Work

2020-03-18

Katten: In the wake of the coronavirus (COVID-19) pandemic, government officials have urged companies to allow more employees to work from home in an effort to halt the spread of the disease. As businesses shuffle to operationalize remote work policies, bad actors continue to exploit the vulnerabilities associated with remote work and target employees working from home.

Read more...

IFAs Warned Not to Reply to 'Fake' FCA Authorisation Email

2020-03-18

Citywire: A compliance expert has issued a warning after a number of advice firms received a scam email purporting to be from the FCA.The email, seen by several financial planners and passed to New Model Adviser, claims to be from an FCA employee in the ‘claims and firm-authorization' department, and includes a request for a letter to be certified by the recipient, by the end of the working day. The letter is not attached.

Read more...

Private Equity Is a Tantalizing Target for Ransomware Hackers

2020-03-17

Bloomberg: Norm Hullinger was heading into work one day in October when he got a call that his company’s network was acting up. It was no simple glitch. Hackers had started freezing the data of Alphabroder, a sportswear distributor. They wanted more than $3 million to restore it. Grappling with whether to pay, Hullinger, the chief executive officer, embarked on a journey that’s increasingly familiar to law firms, hospitals, and cities that have found themselves on the other end of negotiations with ransomware criminals.

Read more...

Cyber-Attack Hits U.S. Health Agency Amid Covid-19 Outbreak

2020-03-16

Bloomberg: The U.S. Health and Human Services Department suffered a cyber-attack on its computer system, part of what people familiar with the incident called a campaign of disruption and disinformation that was aimed at undermining the response to the coronavirus pandemic and may have been the work of a foreign actor.

Read more...

Hellman & Friedman to Acquire Cybersecurity Leader Checkmarx at a $1.15B Valuation

2020-03-15

Checkmarx: Checkmarx, the global leader in software security solutions for DevOps, today announced that Hellman & Friedman (“H&F”) has entered into a definitive agreement to acquire the Company from Insight Partners, which will continue to own a substantial minority interest. The deal represents the largest acquisition of an application security company to date.

Read more...

Know Your Breach: Angeles Investment Advisors

The target: Angeles Investment Advisors, an asset manager based in Santa Monica, California

The take: The e-mail account of Michael Rosen, Chief Investment Officer, was compromised and used to send a bogus ‘bid for proposal’ link to his contacts.

The attack vector: While details have not been published at this time, it is likely that the initial compromise of Rosen’s account was as a result of a targeted phishing attack. Once attackers had control of his e-mail account, they were able to send a malicious attachment to his contact list, and even responded to individuals who questioned the legitimacy of the e-mail – assuring them that attachment was safe, and that they should open it post-haste.

One of the most insidious risks in an e-mail compromise is that the compromised account will be used as a pivot point, and that the trust in that individual will be exploited for criminal gain. These attacks highlight not only the need to ensure that technical controls are in place to prevent accounts from being compromised in the first place – but also the need to train staff to think critically about the content of messages they receive, and to confirm any suspicious communications or requests via a separate channel of communication.

Read more...

Hackers are Seizing on Coronavirus Fears to Steal Data, Researchers and U.S. Regulators Warn

2020-03-12

The Washington Post: Chinese hackers have used fake documents about the coronavirus to deliver malicious software and steal sensitive user information, according to a report Thursday from researchers documenting a growing wave of cybercrime exploiting fears about the global pandemic.

Read more...

Cybersecurity Expert: ‘An Ounce of Prevention is Worth a Pound of Cure’

2020-03-11

CPA: The average cost of cybercrime surged 29 per cent in the U.S. between 2017 and 2018, reaching US$27.4 million per organization, according to an Accenture Security and Ponemon Institute study, which was based on interviews with more 2,600 senior security professionals at 355 companies in 11 countries (including Canada).

Read more...

Panel Calls for ‘Layered Cyber Deterrence’ to Protect National Security

2020-03-11

The Crime Report: The U.S. government should adopt structural changes not seen since the 2001 terrorist attacks to confront proliferating cyber threats that increasingly endanger national and economic security, a federal commission concluded, reports the Wall Street Journal. 

Read more...

Coronavirus: Engineer Who Attended Cybersecurity Conference Tests Positive for Bug

2020-03-11

The Straits Times: An engineer who attended the annual RSA cybersecurity conference in San Francisco last month (February 2020) has tested positive for the coronavirus and is seriously ill with respiratory issues.

Read more...

Look Ahead to Cybersecurity and Fintech ETFs as a Future Play

2020-03-10

ETF Trends: Cybersecurity breaches over the years have certainly put the need for preventative measures at the forefront, and that can only intensify as the financial technology (fintech) space continues to advance. For investors looking to park their capital at the current low prices amid the coronavirus outbreak, cybersecurity and fintech ETFs is one area to watch.

Read more...

Stop Saying Employees are the Weakest Link in Cybersecurity

2020-03-10

The Next Web: There are a few things we just won’t stand for in 2020 – but first on the list is the phrase, “employees are the weakest link in cyber security.” It’s a saying that people really should have ditched in 2019.

Read more...

Cybersecurity Arrangements at Asset Management Firms Need to be Improved - Central Bank

2020-03-10

Central Bank: The Central Bank has today published the findings of a Thematic Inspection into the cybersecurity risk management practices in Asset Management firms. The purpose of the Inspection was to determine the adequacy of cybersecurity controls and cybersecurity risk management practices of the inspected firms and to identify good practices.

Read more...

Know Your Breach: UK Rail Passengers

The target: C3UK, a provider of Free WiFi at railway stations across the UK

The take: Personal data of more than 10K rail passengers including dates of birth, email addresses and travel plans

The attack vector: A security researcher discovered that C3UK had left a database backup publicly exposed on an Amazon Web Services storage device with no password protection.

While security controls around production systems and databases are missions critical, care must also be taken when storing and transferring backups and duplicate copies of production data. Security controls must always be commensurate to the level of sensitivity of data being handled, and must travel with that data throughout its lifecycle.

Read more...

FBI Working to 'Burn Down' Cyber Criminals' Infrastructure

2020-03-04

ABC News: To thwart increasingly dangerous cyber criminals, law enforcement agents are working to “burn down their infrastructure” and take out the tools that allow them to carry out their devastating attacks, FBI Director Christopher Wray said.

Read more...

Cathay Pacific Fined £500,000 Over Customer Data Protection Failure

2020-03-04

BBC: The UK watchdog said the airline's computer systems had exposed details of 111,578 UK residents and a further 9.4 million people from other countries. These included names, passport details, dates of birth, phone numbers, addresses and travel history. "Appropriate security" was not in place between October 2014 and May 2018.

Read more...

Regulators and Supervisors Divide Over Third-party Concentration Risk

2020-03-03

Bob's Guide: According to James Kemp, managing director, Association for Financial Markets in Europe (AFME), there is uncertainty over how to regulate concentration risk in a way that does not stifle innovation or eradicate smaller third-party suppliers.

Read more...

Biden May Not Be Savvy About Big Tech, but He Understands Cybersecurity

2020-03-03

Coindesk: The world of blockchain, unsurprisingly, is not exactly Joe Biden’s bailiwick. But don’t let his age fool you. He’s not blind to tech, data privacy or the thorny issues of digital misinformation. For instance, he recently called for the revoking of Section 230 (which protects companies like Facebook from liability for material published on its networks), saying Facebook “is not merely an internet company. It is propagating falsehoods they know to be false.”

Read more...

Optima Partners Selects Drawbridge Partners Connect Platform

2020-03-02

Hedgeweek: DrawbridgeConnect allows customers to aggregate cybersecurity program data to drive analysis and determine program strength, remediation, and create and manage a resilient program to fulfil evolving regulatory and investor demands.

Read more...

Hackers and Cryptocurrencies: Nearly $10B Stolen Since 2017

2020-03-02

Cryptopolitan: As per the report, hackers have stolen at least 9.8 billion dollars in crypto from investors and holders. KPMG, one of the big four accounting firms, stated that it was essential for the crypto industry to improve security before it can truly grow.

Read more...

Hackers Hit $34B Angeles Investment Advisors

2020-02-28

Institutional Investor: Hackers this week took over the email account of Michael Rosen, chief investment officer of consulting and asset management firm Angeles Investment Advisors. 

Read more...