learn more
<https://castlehalldiligence.com>
shutterstock_490960141-1

Industry News: ESG5

      Know Your Breach: GM

      The Target: General Motors, a U.S based automobile company.

      The Take: Exposure of Personally Identifiable Information including: first and last names, email address, physical address, username, phone numbers, profile picture, and usable reward point balance. 

      The Vector: Through a credential stuffing attack, the threat actors leveraged customer’s unsecure passwords already exposed through other means and were able to access user’s GM customer accounts. While banking information was not exposed, customer reward-card balances were freely able to be accessed and were used by the attackers to fraudulently redeem rewards. 

      This breach is a stark reminder that credential hygiene is an important piece in an overall robust cybersecurity posture. Enforcing multi-factor authentication, reasonably regular forced password resets, and password length and complexity rules are all effective strategies to mitigate these kinds of breaches to protect a firm’s customer base.

      Read more...

      MAS Slaps Additional S$330m Capital Requirement on OCBC Over its Response to SMS Scams

      2022-05-26

      The Business Times: THE Monetary Authority of Singapore (MAS) has imposed an additional capital requirement of about S$330 million on OCBC Bank for its deficiencies in responding to a wave of spoofed SMS phishing scams in December 2021.

      Read more...

      How Private Equity Firms Can Prepare For The SEC's Proposed Cybersecurity Rules

      2022-05-25

      Mondaq: On February 9, 2022, the SEC released proposed rules relating to cybersecurity risk management, incident reporting, and disclosure for registered investment advisers ("RIAs") and funds that would impose sweeping new cybersecurity obligations for RIAs to private equity funds. 

      Read more...

      Cybersecurity Firm Semperis Raises Over $200 Million in KKR-Led Round

      2022-05-24

      U.S. News: U.S. cybersecurity software firm Semperis said it has raised over $200 million in a funding round led by private equity firm KKR & Co Inc at a valuation substantially higher than in its previous round.

      Read more...

      New Hedge Fund Cybersecurity Report Reveals Changes Firms are Making in a Post-Pandemic World

      2022-05-24

      Cision: Agio, a leading cybersecurity and managed IT provider for financial services firms, published its inaugural 2022 Hedge Fund Cybersecurity Trends Report today. The survey was conducted in Q1 and captured the opinions and perceptions of recent, current, and future cybersecurity programs, readiness, and initiatives from 100 hedge fund practitioners across the technology, operations, cybersecurity, and compliance fields.

      Read more...

      Cloudflare CEO Explains Why the Cybersecurity Firm is Still Operating in Russia

      2022-05-24

      Yahoo News: Cloudflare CEO Matthew Prince is standing by the secure networking company's decision to keep operating in Russia even as most Western companies have pulled out of the country for its war on Ukraine.

      Read more...

      US Senate: Govt’s Ransomware Fight Hindered by Limited Reporting

      2022-05-24

      Bleeping Computer: A report published today by U.S. Senator Gary Peters, Chairman of the Senate Homeland Security and Governmental Affairs Committee, says law enforcement and regulatory agencies lack insight into ransomware attacks to fight against them effectively.

      Read more...

      SolarWinds: Here's How We're Building Everything Around This New Cybersecurity Strategy

      2022-05-24

      ZDNet: It was one of the largest cyber-espionage attacks of recent times: hackers compromised several United States government federal agencies as well as big tech companies, and were inside networks for months before anyone spotted them. 

      Read more...

      Know Your Breach: TDI

      The Target: Texas Department of Insurance. 

      The Take: 2 million records of Personally Identifiable Information affecting 1.8 million individuals were exposed, including: social security numbers, addresses, dates of birth, phone numbers, and worker injury information. 

      The Vector: A configuration error with an online web portal which manages worker’s compensation information was not properly secured, allowing members of the public to freely access pages of the site containing sensitive information.

      This breach is a stark reminder of the importance of access control around public-facing web applications and the configuration of settings that control them. Sensitive information must be protected and ensuring proper authentication and credential management is being used is a key core of maintaining a robust cybersecurity posture.

      Read more...

      U.S. Narrows Scope of Anti-Hacking Law Long Hated by Critics

      2022-05-19

      Insurance Journal: The Department of Justice is changing its policy around a controversial anti-hacking law, addressing longstanding complaints from cybersecurity researchers that the law could criminalize good-faith efforts to improve technology.

      Read more...

      Ransomware Gangs Rely More on Weaponizing Vulnerabilities

      2022-05-19

      Bleeping Computer: Security researchers are warning that external remote access services continue to be the main vector for ransomware gangs to breach company networks but there's a notable uptick in exploiting vulnerabilities.

      Read more...

      India to Press Ahead with Strict Cybersecurity Rules Despite Industry Concerns

      2022-05-18

      Financial Post: India will not change upcoming cybersecurity rules that force social media, technology companies and cloud service providers to report data breaches swiftly, despite growing industry concerns, the government said.

      Read more...

      Ballistic Ventures Launches $300 Million Cybersecurity Venture Fund

      2022-05-17

      SC Media: The firm, which launched last year, is headed by Ted Schlein, formerly of Kleiner-Perkins, who is also on the board of trustees of the non-profit national security venture capital group In-Q-Tel and the board of the CISA Cybersecurity Advisory Committee.

      Read more...

      Cybersecurity Agencies Reveal Top Initial Access Attack Vectors

      2022-05-17

      Bleeping Computer: The advisory, jointly released by agencies from the United States, Canada, New Zealand, the Netherlands, and the United Kingdom, includes guidance to mitigate these routinely exploited weak security controls, poor security configurations, and bad practices.

      Read more...

      Don’t Delegate Away Cyber Security Risk: ASIC

      2022-05-16

      Money Management: Appearing at FINSIA's ‘The Regulators’ event, ASIC commissioner, Cathie Armour, said the case of RI Advice has brought cybersecurity into the public eye as it was the first of its kind in Australia.

      Read more...

      Researchers Warn of APTs, Data Leaks as Serious Threats Against UK Financial Sector

      2022-05-16

      ZDNet: KELA's security team published a report examining the cybersecurity issues and attacks that surfaced in 2021 and early 2022, specifically focused on the United Kingdom's banks and other financial services.

      Read more...

      Know Your Breach: MM.Finance

      The Target: MM.Finance, the largest decentralized finance platform on the Cronos blockchain.

      The Take: $2 Million

      The Vector: A DNS (domain name service, a server that directs users to the appropriate website upon entering the name of a site) vulnerability allowed attackers to inject a malicious website address into the code on the front-facing website as a redirected destination. When users visited the site to make transactions, they were instead sent to a bad website address where the threat actor was able to steal the funds being transacted.

      This breach is an important reminder of the critical nature of user-facing website security. Any method which allows public access must be secured to the highest standard and regularly audited for potential breaches. Furthermore, monitoring and updating, if necessary, configurations of key infrastructure like DNS servers is part of maintaining a robust cybersecurity posture.

      Read more...

      EU's 'Patchy' Cybersecurity Efforts Creating Risk of Criminal Hacks

      2022-05-12

      Irish Examiner: The European Union’s “fragmented” approach to cybersecurity and the “patchy” capabilities of member states is creating several problems in terms of combating State-level attacks and criminal hacks, according to an international expert.

      Read more...

      US Charges Hacker for Breaching Brokerage Accounts, Securities Fraud

      2022-05-11

      Bleeping Computer: The U.S. Department of Justice (DoJ) has charged Idris Dayo Mustapha for a range of cybercrime activities that took place between 2011 and 2018, resulting in financial losses estimated to over $5,000,000.

      Read more...

      NSA Warns Managed Service Providers Are Now Prime Targets for Cyberattacks

      2022-05-11

      Dark Reading: The National Security Administration (NSA), along with a coalition of international cybersecurity authorities, today issued an advisory warning managed service providers (MSPs) of an escalating threat of attack from both everyday cybercriminals and state-sponsored threat actors. 

      Read more...

      YL Ventures Announces $400 Million Fund to Boost Israeli Cybersecurity Innovation

      2022-05-11

      Help Net Security: The significantly oversubscribed fund is the largest seed stage cybersecurity-focused fund ever raised, bridging Israeli innovation and the US market. The fund will continue the firm’s long-standing strategy of supporting Israeli founders from inception through every critical stage of building a category-leading company and bolstering its position in the global market.

      Read more...

      Scammer Posed as Cybersecurity Chief in Phishing Email

      2022-05-10

      ZDNet: A record number of scams have been removed from the internet as part of a scheme to help protect people from fraud and cybercrime. The National Cyber Security Centre (NCSC) says it removed a total of 2.7 million scams, illicit domains and phishing services during 2021, nearly four times more than during 2020.  

      World’s Largest Cybersecurity Benchmarking Study Finds that Top Executives Believe their Organizations are Not Prepared for New Era of Risk

      2022-05-10

      Yahoo Finance: ThoughtLab, a leading global research firm, today announced the findings of its 2022 cybersecurity benchmarking study, Cybersecurity Solutions for a Riskier World.

      Read more...

      UK Govt Releases Free Tool to Check for Email Cybersecurity Risks

      2022-05-10

      Bleeping Computer: The United Kingdom's National Cyber Security Centre (NCSC) has announced a new email security check service to help organizations identify vulnerabilities that could allow attackers to spoof emails or lead to email privacy breaches.

      Read more...

      Know Your Breach: Heroku

      The Target: Heroku, a cloud platform as a service with support for several programming languages.

      The Take: Exposure of customer passwords, file storage, and internal source code.

      The Vector: The threat actor used previously exposed GitHub authorization tokens, general use tokens issued to third-party integration software firms by GitHub to allow them to integrate with their platform, and exploited these to connect to Heroku’s internal systems, allowing the attackers to exfiltrate and download the data from their database of customer accounts. 

      This breach is an important reminder of the danger of pivot attacks. While initially the authorization tokens which were stolen provided access only to customer accounts of Heroku who made use of the tokens, the attackers were able to pivot through these exposed accounts and access Heroku’s internal systems. No matter which level the breach takes place, it’s critical to evaluate all possible avenues of attack and take appropriate precautions.

      Read more...

      Court Finds RI Advice Failed to Adequately Manage Cybersecurity Risks

      2022-05-05

      Money Management: The Federal Court has found Australian Financial Services licensee, RI Advice, breached its license obligations to act efficiently and fairly when it failed to have adequate risk management systems to manage its cybersecurity risks.

      Read more...

      Why Cybersecurity is a Social Investment Concern

      2022-05-04

      ESG Clarity: Cybercrime has become an increasingly harmful threat to businesses over the past few decades, and the frequency and scale of attacks rose significantly during the pandemic. But many people think only of the technological disruption, or economic cost a cyberattack could cause their investments, failing to appreciate wider ESG implications.

      Read more...

      FBI Says Business Email Compromise is a $43 Billion Scam

      2022-05-04

      Bleeping Computer: The Federal Bureau of Investigation (FBI) said today that the amount of money lost to business email compromise (BEC) scams continues to grow each year, with a 65% increase in the identified global exposed losses between July 2019 and December 2021.

      Read more...

      SEC Nearly Doubles Crypto Unit Staff to Crack Down on Abuses in the Booming Market

      2022-05-03

      CNBC: The Securities and Exchange Commission announced that it will almost double its staff responsible for protecting investors in cryptocurrency markets.

      Read more...

      Chinese Hackers Perform 'Rarely Seen' Windows Mechanism Abuse in Three-year Campaign

      2022-05-03

      ZDNet: According to Cybereason, the Chinese advanced persistent threat (APT) group Winnti is behind the campaign, which has gone undetected for years.

      Read more...

      Pentagon Contractors Go Looking for Software Flaws as Foreign Hacking Threats Loom

      2022-05-02

      CNN: A year-long Pentagon pilot program found an array of software vulnerabilities at dozens of defense contractors as Russian and Chinese hackers continue to try to steal sensitive data from the US defense industrial base.

      Read more...

      Cybersecurity Metrics Corporate Boards Want to See

      2022-05-02

      CSO: Cybersecurity pros interested in metrics and measures frequently ponder and pontificate on what measures would be best to show the board of directors.

      Read more...