
Cyber Security Headlines – July 29, 2021

Federal agencies directed to develop cyber security standards for infrastructure

President Biden issued this directive to federal agencies, which will establish voluntary cybersecurity goals for critical infrastructure companies. The project will be headed by CISA and NIST, which will coordinate with other agencies. A preliminary baseline security standard will be due by September, with final goals due within a year. The agencies will also have a year to determine “whether additional legal authorities would be beneficial” to safeguard critical infrastructure. This comes after a May executive order to establish cybersecurity baselines for federal agencies themselves, and last week’s cybersecurity requirements for oil pipeline operators issued by the TSA. 


Controversial vulnerability search engine re-released at Defcon

Security researchers Alejandro Caceres and Jason Hopper plan to re-release an upgraded version of PunkSpider at DefCon, a search engine that constantly crawls the web and automatically publishes hackable vulnerabilities in websites, along with a Chrome plugin that scans the sites a user visits. Both will rank sites on a scale of one to five dumpster fires. The search engine will mostly scan for low-hanging fruit, looking for seven kinds of exploitable bugs by repeatedly trying variations of common hacking methods to check whether a site is vulnerable. PunkSpider originally launched in 2013, before lapsing due to lack of funding around 2015. Its initial incarnation scanned websites once a year.


The most exploited vulnerabilities of the year

Joint security advisories from the Australian Cyber Security Centre, the UK National Cyber Security Centre, CISA, and the FBI list the most commonly exploited security vulnerabilities from 2020 and 2021 across the three countries. Most of these vulnerabilities were discovered recently, showing that threat actors are weaponizing security flaws increasingly quickly to exploit systems. Vulnerabilities in Microsoft Exchange, Accellion, VMware and Fortinet topped the 2021 list, while in 2020 the Windows Netlogon privilege escalation, Atlassian remote code execution, and Citrix Netscaler directory traversal flaws were the most popular.

(The Record)

Google shows off Play Store safety listings

Google initially announced back in May that safety listings would be coming to the Play Store, similar to Apple’s App Store nutrition labels. Each label will include information on data collected by the developer, whether the app encrypts data, whether it’s suitable for children, and whether the app’s security has been validated by a third party. A detailed view of the label will show how collected data is used and whether users are able to opt out of this collection. Developers have until April 2022 to declare their privacy information.


Thanks to our episode sponsor,

Varonis will help you get meaningful data security results faster than you thought possible. Protect sensitive data, detect sophisticated threats and streamline privacy and compliance. Visit varonis.com/risk for a demo of Varonis’ leading data security platform.

The cost of enterprise data breaches hits record high

According to IBM Security’s “Cost of a Data Breach” report, the average data breach costs an enterprise $4.24 million, up 10% from last year. The report found that “drastic operational shifts” as a result of the pandemic increased the difficulty of containing security events, resulting in higher costs. This came as 60% of organizations ramped up cloud initiatives without a corresponding increase in security controls. Compromised credentials were the most common vector, and personally identifiable information was stolen roughly 50% of the time a network was compromised. Reaction time also suffered, with organizations taking 287 days on average to detect and contain a data breach, a 7-day increase from the year before.


California cookies could qualify as a sale

According to enforcement letters sent out by the California Attorney General’s office, under the California Consumer Privacy Act, data tracking for advertising and analytics purposes, including the use of cookies, fits the law’s definition of a data “sale.” So far, the letters from the Attorney General’s office have given companies notice and 30 days to make sure they are in compliance with the law. However, experts warn that the law allows sites to be charged for each individual instance of a cookie-related violation.


Organizations hit by hundreds of social engineering attacks a year

A new report from Barracuda looks at the scale of social engineering attacks against organizations. Overall, from May 2020 through June 2021, the report monitored 12 million social engineering attacks impacting 17,000 organizations. The report found that 43% of all phishing attacks were attempting to impersonate Microsoft. WeTransfer, DHL, Google, DocuSign, and Facebook were the other most commonly impersonated brands. CEOs received an average of 57 targeted phishing attacks each year, while IT staff saw 40. Cryptocurrency-related phishing increased 192%, with volume closely tracking crypto prices.


Don’t earn gold in bad password etiquette

Authlogics looked at the most common Olympic sport-based passwords in its cache of password-related data. They found over 1 million passwords using one of the top 15 sports from the games. Baseball and soccer were by far the most popular, accounting for 46.5% of all passwords in the category. Ironically, “sprint” managed to find its way into last place, although at least this means it wasn’t juicing.


Rich Stroffolino
Rich Stroffolino is a podcaster, editor and writer based out of Cleveland, Ohio. He's spent the past five years creating media for technology enthusiasts and IT practitioners. He dreams of someday writing the oral history of Transmeta.
