Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: Why it’s probably no big deal that Accenture got hit by ransomware, why technology should make you paranoid, why you should never annoy a nerd, and why losing your wallet takes on a different meaning when it comes to cryptcurrency.
This week’s action: Protect your crown jewels.
>>>>> THREE ARTICLES <<<<<
1: Accenture is hit by ransomware. Their response: “So what?”
Accenture was the target of a ransomware attack last week, with the criminal gang threatening to leak terabytes of stolen data unless a ransom of USD $50 million was paid.
Accenture issued a statement about the incident: “Through our security controls and protocols, we identified irregular activity in one of our environments. We immediately contained the matter and isolated the affected servers. We fully restored our affected systems from back up. There was no impact on Accenture’s operations, or on our clients’ systems.”
Given the threat that terabytes of data could be leaked unless they paid a ransom, the statement appears somewhat understated.
But the evidence to-date suggests it is accurate. For example, some of the stolen files were published online and they appeared to be of relatively low value, including “brochures for Accenture products, employee training courses, and various marketing materials. No sensitive information appeared to be included in the leaked files.”
In an ideal world, your organisation will not be the victim of an attack. But we don’t live in an ideal world. Even one of the world’s biggest technology and consulting firms can be breached. So, the next-best-thing is to ensure your crown jewels (e.g. sensitive customer data) are protected from the attackers. The evidence so far suggests Accenture did this.
2: How deepfake technology should make us even more paranoid
If you haven’t seen the video of former President Obama apparently insulting then-President Trump. here’s your chance. It’s a very effective example of what’s coming our way.
Remember, don’t trust emails, SMS messages, phone calls, or video calls. Or anything to do with technology. Simple!
3: Noisy neighbours? You need to become a hacker
At last, proof that nerds will rule the world. Or at least enforce house rules.
An interesting story about the steps a hacker took to deal with a noisy neighbour. If you make phone calls at 2am, you probably deserve this kind of payback.
>>>>> TWO STATISTICS <<<<<
The cybersecurity government agencies in the US (CISA), Australia (ACSC), the UK (NCSC), and the FBI published a joint paper on the software vulnerabilities most regularly exploited by cyber actors during 2020. Of the top 12, 100% of the vulnerabilities can be addressed by installing a software update. While most attacks on most organisations succeed because a staff member is fooled by an email, it is also important to ensure the criminal’s job is made more difficult by ensuring security updates / patches are installed on your systems in a timely manner. This is especially true for systems that are accessible from the internet (e.g. VPN servers; remote access systems).
2: $9.5 million
UK police have seized a USB stick containing $9.5 million worth of cryptocurrency. The cryptocurrency appears to be part of the proceeds of a recent international cryptocurrency scam.
There are probably many genuine crypto investors / gamblers who also store their cryptocurrency on a USB key. Imagine the pain of losing that USB key? I can’t sleep if I forget where my wallet is, even though I haven’t carried cash since early 2020.
For the crypto gamblers who don’t trust an online custodian to protect their crypto wallets, there’s definitely an opportunity for a USB stick manufacturer to build the world’s biggest and most-luminous USB stick. And maybe another opportunity for those who provide secure vaults.
>>>>> ONE ACTION <<<<<
1: Protect your crown jewels
It’s too early to say whether the Accenture ransomware attack that I mentioned earlier will develop into something more damaging, but the evidence to-date suggests their “important stuff” was protected.
Think about your defences, and focus on your “important stuff” – customer data; sensitive financial information – and where it may be stored – e.g. attachments in your email account.
Then check that you have taken reasonable steps (a) to protect these systems and (b) to train the people who have access to these systems so they know how they will be targeted by cyber-attackers.