
One Click That’s All – Ep 380 

 November 4, 2022

By  Donna Grindle

Keeping up on ways to protect your business from a cyber attack can feel intimidating, especially because of the continuously changing methods criminals use to social engineer us. The bottom line is it only takes one click at any time by anyone to open the door to the attackers.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT

 Subscribe on Apple Podcast. Share us on Social Media. Rate us wherever you find the opportunity. 

The Privacy and Security Boot Camp

3.5 day In Person Event

Mar 12, 13, 14 and 15, 2023

PriSecBootCamp.com

Great idea! Share Help Me With HIPAA with one person this week!

Learn about offerings from the Kardon Club

and HIPAA for MSPs!

Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com

Like us and leave a review on our Facebook page: www.Facebook.com/HelpMeWithHIPAA

If you see a couple of numbers on the left side you can click that and go directly to that part of the audio. Get the best of both worlds from the show notes to the audio and back!

PriSec Session of the Week

[03:34] Monday will be MURPHY’S LAW DAY. Check out Donna’s and David’s description of what we’ll cover on this topic at the PriSec Boot Camp in Louisville, KY.


One Click That’s All

[13:02] 3 days ago, there was this tweet:

https://twitter.com/ClareONeilMP/status/1583710791672307712

It was wonderful to formally launch the Cyber Security Governance Principles, developed by the Australian Institute of Company Directors and the Cyber Security Cooperative Research Centre.

Today:

Hackers hit cybersecurity conference

Thousands of would-be participants began to get antsy when they tried to log on for a 1pm start and the conference didn’t go live on schedule.

As the comments from the waiting participants began to mount, a fake Eventbrite link – which many unsuspecting users clicked upon – was posted in the LinkedIn chat function asking for credit card details, leading the institute to plead with participants not to try to use any links posted in the chat.

When an official-looking AICD link appeared to the event, some users who hadn’t learned their lesson the first time around tried to follow it, only to complain that it didn’t work and eventually, about 30 minutes into the debacle, the institute bowed to the inevitable and canceled the event.

Any bets on what happened here?

Credential theft by some sort of social engineering is the most likely culprit. The news will be interesting to follow on this one. We know the methods for hacking humans continue to grow and be exploited. We can call it social engineering, hacking the human or insider threats. The bottom line is it only takes one click at any time by anyone to open the door to the attackers.

Biggest Risk

[20:11] The UK Information Commissioner’s Office released a great article explaining what happened and why they fined a company £4.4 million. Interserve is a British construction and support services business that exposed the information of its 133,000 employees. Note they said they considered potential factors for reducing the fine but “no reductions were made to the final fine amount”. Ouch!

‘Biggest cyber risk is complacency, not hackers’ – UK Information Commissioner issues warning as construction company fined £4.4 million | ICO

The ICO investigation found that Interserve failed to act on warnings of suspicious activity, used outdated systems and protocols, and lacked adequate staff training.

Here is what happened (according to the nice explainer video): An Interserve employee forwarded a phishing email to another employee. The other employee opened it and downloaded the attachment (or linked to one) which installed malware. Boom, the door was opened just enough to let the attackers roam far and wide. They compromised 283 systems and 16 accounts before launching a ransomware attack.

But wait, there’s more! The company’s AV quarantined the malware when it was launched and sent an alert, but no one looked into it seriously. No one! There you have it folks! That’s your check-the-box security on full display.
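As an added example, not from the episode or the ICO report, here is the kind of check a SOC could run over its own AV alert log to surface exactly the failure described above: a quarantine alert that nobody acknowledged, followed by later activity on the same host. The log lines, host names, ticket ids and the four-hour acknowledgement window are all constructed for the illustration.

```python
# Added example: find AV quarantine alerts nobody acknowledged, then show
# what happened on those hosts afterwards. All data below is constructed.
from datetime import datetime, timedelta

# Constructed sample log, one event per line: timestamp|host|event|detail
SAMPLE_LOG = """\
2022-05-03 09:12:00|WS-0412|QUARANTINE|Trojan.Generic in invoice.doc.exe
2022-05-03 09:12:01|WS-0412|ALERT_SENT|ticket SOC-1001
2022-05-03 09:40:00|WS-0077|QUARANTINE|Trojan.Generic in payroll.xlsm
2022-05-03 09:40:02|WS-0077|ALERT_SENT|ticket SOC-1002
2022-05-03 10:05:00|WS-0077|ACK|analyst jdoe reviewed SOC-1002
2022-05-04 11:00:00|WS-0412|LOGON|unusual admin logon from WS-0412
"""

# Assumed triage SLA: a quarantine alert must be acknowledged within 4 hours.
ACK_SLA = timedelta(hours=4)


def parse(log):
    """Parse the pipe-separated log into (timestamp, host, event, detail) tuples."""
    events = []
    for line in log.splitlines():
        ts, host, event, detail = line.split("|", 3)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), host, event, detail))
    return events


def unacknowledged_quarantines(events, sla=ACK_SLA):
    """Return (host, detail) for every QUARANTINE with no ACK from that host inside the SLA."""
    acks = [(ts, host) for ts, host, ev, _ in events if ev == "ACK"]
    missed = []
    for ts, host, ev, detail in events:
        if ev != "QUARANTINE":
            continue
        acked = any(h == host and ts <= ats <= ts + sla for ats, h in acks)
        if not acked:
            missed.append((host, detail))
    return missed


def follow_on_activity(events, missed):
    """For each unacknowledged host, list the later non-AV events: the 'door left open' signal."""
    out = {}
    for host, _ in missed:
        first_q = min(ts for ts, h, ev, _ in events if h == host and ev == "QUARANTINE")
        out[host] = [ev for ts, h, ev, _ in events
                     if h == host and ts > first_q and ev not in ("ALERT_SENT", "ACK")]
    return out


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    missed = unacknowledged_quarantines(evs)
    print("Unacknowledged:", missed)
    print("Follow-on activity:", follow_on_activity(evs, missed))
```

Run against a real alert export, the two lists are the audit question the ICO asked: which alerts went uninvestigated, and what did the attacker do on that host while nobody was looking.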

The investigation also found they weren’t doing risk assessments, training staff or patching software. The perfect ingredients for an eventual attack. It was like they were sitting ducks waiting for the hunter to find their pond.

In the press release the Commissioner’s quote included a statement that I think we need to reiterate and keep doing so. There was more to it but here is the part that got the headline and also my attention:

“The biggest cyber risk businesses face is not from hackers outside of their company, but from complacency within their company.”

John Edwards, UK Information Commissioner: https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2022/10/biggest-cyber-risk-is-complacency-not-hackers/

Complacency is exactly what we talk about here in many different ways. The lack of concern, the overconfidence, the failure to take this stuff seriously is how this company was attacked. There were many ways they could have prevented or mitigated the situation but they didn’t make it a priority.

The world we live in continues to evolve as do the methods and reasons these attacks are carried out. Which brings us to another article from CheckPoint Research that is both informative and nerve-racking.

[34:37] The New Era of Hacktivism – State-Mobilized Hacktivism Proliferates to the West and Beyond – CheckPoint Research

They explain what they see happening concerning the rise of hacktivism: no longer the loosely organized groups like Anonymous, but formal state-mobilized groups with deep organizational structure, requirements, and sophisticated tools. They are already expanding their attack targets beyond the Middle East and Eastern Europe, moving west to target US governments and businesses.

Here are the core points about their common characteristics:

  1. Clear and consistent political ideology
  2. Well-designed hierarchy for members and leadership
  3. Formal recruitment process
  4. Tools that the groups provide to their members
  5. Aligned on the targets
  6. Robust public relations operations to publicize and promote their successes, including on major media channels and websites

Even more concerning, in some cases there is organized cooperation between groups, which allows them to amplify their abilities exponentially. To reiterate all the points made here, one very stark paragraph lays out concerns that will keep us awake at night.

“These are coordinated organizations which launch organized large-scale DDOS and disruptive attacks against their targets, with far-reaching public relations. Therefore government agencies and organizations should consider themselves duly warned.”

The New Era of Hacktivism – State-Mobilized Hacktivism Proliferates to the West and Beyond, CheckPoint Research: https://research.checkpoint.com/2022/the-new-era-of-hacktivism/

Nobody ever thinks that they’re going to end up as a target of a hacktivist or other cybercriminal. Until they do.

Complacency is the biggest risk we face and the risk keeps coming and getting more complex. Just training your staff once a year or showing them the same security awareness videos doesn’t work anymore. You have to mix it up, do something different to get people’s attention and keep it to have a fighting chance at not being an easy target.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
