learn more
<https://castlehalldiligence.com>
shutterstock_490960141-1

Industry News: ESG5

      Know Your Breach: University of Colorado Boulder

      The target: CU Boulder, a U.S based University.

      The take: Exposure of support and procedural documents, configuration files, and personally identifiable information of 30,000 students including: names, student IDs, addresses, dates of birth, phone number, and gender.

      The attack vector: The breach occurred to a known configuration vulnerability in a third-party software that the University employs. While a patch was released by the third party some months prior, it had not been implemented and this let an attacker gain access to the data. 

      This data leak highlights the importance of patching and testing software in a timely manner. Complying with industry standard practices of software management is essential to ensure every point of access to data is secure, up-to-date, and protected against known gaps in third-party applications.

      Read more...

      Microsoft Announces Plan to Cut Cybersecurity Workforce Shortage In Half by 2025

      2021-10-28

      CNBC: Microsoft will partner with community colleges across the U.S. and provide free resources in an attempt to help end a shortage of cybersecurity workers, the company announced.

      Read more...

      Cybersecurity Firm Dragos Worth $2 Billion in New Funding Round

      2021-10-28

      BNN Bloomberg: Cybersecurity startup Dragos Inc. has raised a $200 million funding round co-led by a BlackRock Inc. fund and Koch Industries Inc., an investment that gives the cybersecurity startup a $2 billion valuation.

      Read more...

      Quebec Tables Bill to Create Cybersecurity Ministry As Government Plans for Digital IDs

      2021-10-28

      CTV: Quebec tabled a bill Thursday to create a new cybersecurity ministry that, if passed, would be the first of its kind in North America, officials say.

      Read more...

      FINRA Sees Overlapping Risks in AML, Cybersecurity

      2021-10-27

      Traders Magazine: In its latest podcast, “Encore | Overlapping Risks: Anti-Money Laundering and Cybersecurity”, the first of a two-part series, FINRA was looking at the intersection of a firm’s AML and cybersecurity risks.

      Read more...

      Deloitte: 14% of U.S. Orgs Remain Defenseless As Cybersecurity Threats Loom

      2021-10-26

      Venture Beat: Even as cybersecurity threats rise, a few American organizations still continue to operate without a defense plan or strategy, Deloitte reported.

      Read more...

      Congress May Ban Ransomware Payments, Senate Homeland Security Chairman Says

      2021-10-26

      Market Watch: Lawmakers have not ruled out legislation that could ban private companies from making ransomware payments, Sen. Gary Peters of Michigan, chairman of the Senate Homeland Security Committee.

      Read more...

      Over 3 Million CoinMarketCap Email Addresses Leaked to Dark Web: Report

      2021-10-24

      Coin Desk: Millions of email addresses associated with the crypto market data website CoinMarketCap (CMC) have reportedly been compromised.

      Read more...

      Know Your Breach: Premier Patient Healthcare

      The target: Premier Patient Healthcare, a Texas based accountable care organization.

      The take: Exposure of 38,000 records of Personally Identifiable Information including: name, age, sex, race, county, state of residence, zip code, and Medicare beneficiary information.

      The attack vector: The data was illegally accessed by a former terminated employee of the firm, who used their still active access to view, download and steal the files from a third-party vendor that had a contract with Premier Patient.

      This breach highlights two important lessons for firms. Access control around terminated employees is paramount to maintaining a secure environment for sensitive data. Furthermore, while Patient Data may have followed these steps for their own systems, the attack took place on a third-party vendor, showing that access control must also be applied across all platforms to be fully effective.

      Read more...

      From Zero to $9 Billion: Inside the Growth of U.S.-Listed Cyber ETFs

      2021-10-22

      Traders Magazine: Cyber ETFs are just one of a growing group of increasingly popular “thematic ETFs.” Thematic ETFs give investors quick access to a diversified basket of stocks with exposure to a specific investment or economic theme.

      Read more...

      Drawbridge Wins ‘Best Cyber Security Provider’ At the 2021 Private Equity Wire US Awards

      2021-10-22

      Private Equity Wire: Drawbridge, a provider of cybersecurity software and solutions to the alternative investment industry, has been named ‘Best Cyber Security Provider’ at the 2021 Private Equity Wire US Awards.

      Read more...

      What Are Your SEC Reporting Requirements for Cybersecurity Incidents?

      2021-10-21

      IT Governance: The odds of an organization experiencing a cyber security breach are about 30% in any two-year period.

      Read more...

      Governments Turn Tables On Ransomware Gang REvil By Pushing It Offline

      2021-10-21

      Financial Post: The ransomware group REvil was itself hacked and forced offline this week by a multi-country operation, according to three private sector cyber experts working with the United States and one former official.

      Read more...

      Supply Chain Attacks Are the Hacker's New Favourite Weapon. And the Threat Is Getting Bigger

      2021-10-20

      ZDNet: Compromising a business supply chain is a key goal for cyber attackers, because by gaining access to a company that provides software or services to many other companies, it's possible to find a potential way into thousands of targets at once.

      Read more...

      Aussie Cyber Spies to Control Critical Infrastructure During Ransomware Attacks

      2021-10-20

      Coin Telegraph: Australia’s top cyber spies are set to gain greater powers in the event of ransomware or other cyber attacks on critical infrastructure.

      Read more...

      Allocators and Managers Remain Vulnerable to Cybersecurity Threats

      2021-10-20

      Institutional Investor: Traditional asset managers, hedge funds, and private equity firms are spending billions to protect against hackers and cybersecurity attacks. But public pension plans, which are often understaffed and underfunded, are among the most vulnerable. Still, no matter how much is spent to protect vulnerable systems, the breaches often involve simple ruses. 

      Read more...

      Know Your Breach: Portpass

      The target: Portpass, a private proof-of-vaccination mobile application.

      The take: Exposure of potentially 650,000 records of personally identifiable information including: email addresses, names, blood types, phone numbers, birthdays, and driver's licences

      The attack vector: Portpass stored user profiles on their website, accessible to the public, which exposed the above information to anyone visiting the site. This data not encrypted and was stored as plain text.

      Use of industry standard authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ robust practices of credential management, user authentication and validation, around all points of access, especially public facing ones, in a firm’s IT network. This breach also highlights the important of encryption as a method to improve the security of stored data, which can still protect the exposed information.

      Read more...

      How Hedge Funds Solve Cyber Security Issues with Software

      2021-10-13

      Legal Reader: The institutions offering financial services are 300 times more exposed to the threat of cyber criminals. According to the latest survey of KPMG Business Instincts, many C-suites are always at the risk of some form of cyber-attack due to low technology investment. If the companies continue overlooking the pressing and rising concern surrounding cyber security, they are at risk of losing everything.

      Read more...

      Apple Warns of Cybercrime Risks if EU Forces It to Allow Others' Software

      2021-10-13

      O' Canada: Apple Inc ramped up its criticism of EU draft rules that would force it to allow users to install software from outside its App Store, saying that would boost the risk of cybercriminals and malware.

      Read more...

      Russia Excluded from 30-country Meeting to Fight Ransomware and Cyber Crime

      2021-10-13

      CTV News: Russia was not invited to attend a 30-country virtual meeting led by the United States that is aimed at combating the growing threat of ransomware and other cyber crime, a senior administration official said.

      Read more...

      Stronger Cyber Controls Are Needed to Counter Ransomware Pandemic, According to New Allianz Risk Report

      2021-10-13

      Business Wire: During the Covid-19 crisis, another outbreak took place in the cyber space: a digital pandemic driven by ransomware. In a new report, cyber insurer Allianz Global Corporate & Specialty (AGCS) analyzes the latest risk developments around ransomware and outlines how companies can strengthen their defenses with good cyber hygiene and IT security practices.

      Read more...

      The Next Big Cyberthreat Isn't Ransomware. It's Killware. And It's Just As Bad As It Sounds.

      2021-10-12

      Yahoo: As most Americans are still learning about the hacking-for-cash crime of ransomware, the nation’s top homeland security official is worried about an even more dire digital danger: killware, or cyberattacks that can literally end lives.

      Read more...

      Gov’t Moves to Fortify ‘Ring of Steel’ Against Cyber Attacks

      2021-10-12

      Cayman Compass: With Cayman’s economic stability now heavily vested in financial services, as tourism remains closed, keeping assets ‘cyber secure’ within that industry and within government is not just a reputational concern, but crucial to the country’s very survival.

      Read more...

      New Cyber Offences for Targeting Key Infrastructure, Reporting of Ransomware Attacks Made Mandatory

      2021-10-12

      ABC News: Businesses hit by cyber attacks will be required to report the incidents to federal authorities, as new specific offences for criminals operating online are announced by the Federal Government.

      Read more...

      Know Your Breach: Twitch

      The target: Twitch.tv, a U.S based video game streaming service.

      The take: Exposure of 125GB of information including source code and commit history dating back to the company’s founding, creator payout revenue from 2019 to 2021, their internal cybersecurity tool NOC tool, and which AWS services they use.

      The attack vector: A misconfiguration error left one of its servers exposed, allowing the attacker to gain access to the server and exfiltrate the data of some 6000 repositories of firm storage. 

      It is critical to employ robust practices of credential management, user authentication and validation around all points of access. An unprotected point of entry on a key piece of equipment like a server can lead to a breach with a cascading effect on data exposure.

      Read more...

      European Investment Advisory Hub and European Cyber Security Organisation Announce First Step Towards A New Pan-European Cybersecurity Investment Instrument

      2021-10-07

      EIB: The European Cyber Security Organisation (ECSO) and the European Investment Advisory Hub, a joint advisory initiative of the European Investment Bank (EIB) Group and the European Commission, announced their participation in a feasibility study on the design and set-up of a European Cybersecurity Investment Platform (ECIP).

      Read more...

      Cybersecurity Best Practices Lagging, Despite People Being Aware of the Risks

      2021-10-07

      Help Net Security: The National Cybersecurity Alliance and CybSafe announced the release of a report which polled 2,000 individuals across the U.S. and UK. The report examined key cybersecurity trends, attitudes, and behaviors ahead of Cybersecurity Awareness Month this month.

      Read more...

      Deputy Attorney General Lisa O. Monaco Announces National Cryptocurrency Enforcement Team

      2021-10-06

      The United States Department of Justice: Deputy Attorney General Lisa O. Monaco announced the creation of a National Cryptocurrency Enforcement Team (NCET), to tackle complex investigations and prosecutions of criminal misuses of cryptocurrency, particularly crimes committed by virtual currency exchanges, mixing and tumbling services, and money laundering infrastructure actors.

      Read more...

      A New US bill Would Force Companies to Disclose Ransomware Payments

      2021-10-06

      Yahoo Finance: The bicameral Ransom Disclosure Act, drafted by Sen. Elizabeth Warren and Rep. Deborah Ross, would mandate companies and organizations — though not individuals — to provide the U.S. Department of Homeland Security data on ransomware payments, including the amount and type of cryptocurrency demanded and the sum that was paid.

      Read more...

      Financial Firms Urged to Take Cyber Security More Seriously

      2021-10-05

      Money Marketing: Financial firms must start taking cyber security more seriously, as it is something the UK regulator is likely to get tough on, Financial Technology Research Centre founder and director Ian McKenna has warned.

      Read more...

      Training and Technology Are Critical to Ensuring Cybersecurity for Private Equity Firms

      2021-10-05

      Private Equity Wire: Over the past 18 months, the shift towards working from home has exposed private equity firms to a far higher threat of cyberattacks, and many have wanted to review their cybersecurity options to ensure good defences against cyber-attack, says George Ralph, Global Managing Director and CRO of business IT consultancy RFA, who specialise in cloud, data, and cybersecurity solutions.

      Read more...

      Bank of England-backed Cyber Security War Game Opens to More Companies

      2021-10-04

      California News Times: A Bank-backed initiative to test cyber defenses in the UK financial sector is open to financial services companies of all types and sizes on Monday with the most extensive exercises of its type.

      Read more...

      Know Your Breach: Portpass

      The target: Portpass, a private proof-of-vaccination mobile application.

      The take: Exposure of potentially 650,000 records of personally identifiable information including: email addresses, names, blood types, phone numbers, birthdays, and driver's licences

      The attack vector: Portpass stored user profiles on their website, accessible to the public, which exposed the above information to anyone visiting the site. This data not encrypted and was stored as plain text.

      Use of industry standard authentication protocols is an integral part of maintaining a rigorous cybersecurity posture, and it is critical to employ robust practices of credential management, user authentication and validation, around all points of access, especially public facing ones, in a firm’s IT network. This breach also highlights the important of encryption as a method to improve the security of stored data, which can still protect the exposed information.

      Read more...

      AdvIntel & KPMG LLP Announce Alliance Around Cyber Threat Detection and Ransomware Response

      2021-09-30

      Cision: AdvIntel, a leading cybersecurity threat prevention and loss avoidance company with a unique and unparalleled ability to detect and disrupt ransomware and KPMG LLP, the global audit, tax and advisory firm, today announced an alliance around AdvIntel's "Andariel" Threat Prevention & Loss Avoidance Platform.

      Read more...

      NSA, CISA Partner for Guide On Safe VPNs Amid Widespread Exploitation By Nation-states

      2021-09-30

      ZDNet: The NSA and CISA have released a detailed guide on how people and organizations should choose virtual private networks (VPN) as both nation-states and cybercriminals ramp up their exploitation of the tools amid a global shift to remote work and schooling.

      Read more...

      Russia Arrests Leading Cybersecurity Exec On Treason Charges

      2021-09-29

      ABC News: Russian authorities have arrested an executive of a top cybersecurity company on the charges of high treason, a move that has sent shock waves through Russia's business community.

      Read more...

      States at Disadvantage In Race to Recruit Cybersecurity Pros

      2021-09-28

      Canadian Security: Austin Moody wanted to apply his cybersecurity skills in his home state of Michigan, teaming up with investigators for the State Police to analyze evidence and track down criminals.

      Read more...

      Google, AWS, IBM, Microsoft and Morgan Stanley Partner for a New Cloud Data Framework

      2021-09-28

      ZDNet: Amazon Web ServicesGoogleIBMMicrosoft and other major tech giants have joined forces with the EDM Council -- a cross-industry trade association for data management and analytics -- to create the Cloud Data Management Capabilities (CDMC) framework.

      Read more...

      CSC Finds Majority of World's Largest Companies Susceptible to Phishing and Brand Abuse Due to Improper Domain Security

      2021-09-28

      Financial Post: CSC, a world leader in business, legal, tax, and domain security, released its annual Domain Security Report: Forbes Global 2000 Companies, which found that despite the shift to modernize business environments and operations among the Global 2000 companies, web domains remain dangerously under protected.

      Read more...

      VCs Continue to Flock to Cyber Insurance As Coalition’s Valuation Doubles In 6 Months

      2021-09-28

      Crunchbase News: San Francisco-based Coalition just closed a $205 million Series E at a $3.5 billion-plus valuation—doubling what it was when it raised its $175 million Series D just six months ago.

      Read more...