Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.

This week: What is the significant gap in a new security baseline, what happens when crypto and cybersecurity collide (parts 1 and 2), and who launches the vast majority of breaches, and how?

This week’s action: Follow the 80/20 rule and go back to the basics.

>>>>> THREE ARTICLES <<<<<

1: Google and Salesforce create a new cybersecurity baseline for companies checking vendors

“Outsourcing operations to third-party vendors is a double-edged sword.”

To ease the pain, “Google and Salesforce have announced the creation of a vendor-neutral security baseline called the Minimum Viable Security Product (MVSP), which they said was an effort to ‘raise the bar for security while simplifying the vetting process.’”

The MVSP baseline is “designed to eliminate overhead, complexity and confusion during the procurement, RFP and vendor security assessment process by establishing minimum acceptable security baselines.”

I see one significant gap in the MVSP baseline: It requires the use of Single Sign-On (SSO) but does not require the use of multi-factor authentication (MFA).

SSO is “an authentication scheme that allows a user to log in with a single ID and password to any of several systems” (Source: Wikipedia).

In other words, a firm aligning to the MVSP baseline could still have a gaping hole in their security defences that would allow an attacker in possession of a staff member’s username and password to gain immediate access to several systems.

As with all product releases by software companies, I recommend you wait until version 2.0.

Read more: via

2: When Cryptocurrency and Cybersecurity collide (part 1)

“Hackers have stolen an estimated $130 million worth of cryptocurrency assets from Cream Finance, a decentralized finance (DeFi) platform that allows users to loan and speculate on cryptocurrency price variations. [..] there appears to be a small chance the stolen crypto can be tracked down and returned to the platform. [..] Today’s hack marks the third time Cream Finance has been hacked this year [..] users have lost more than $474 million to attacks on DeFi platforms this year.”

Read more: via

3: When Cryptocurrency and Cybersecurity collide (part 2)

An interesting story about a 17-year-old boy in the UK who set up a fake website that fooled customers of a legitimate shopping site into revealing their gift voucher codes and credit card numbers. He then used this information to purchase GBP £200k worth of cryptocurrency.

By the time he was arrested, the value of the cryptocurrency had increased to USD $3m.

But remember, crime does not pay: He got caught in the end.

Read more: via

>>>>> TWO STATISTICS <<<<<

1: 80%

80% of cyber-attacks are being run by criminals seeking financial gain, according to analysis of over 2,000 confirmed data breaches by the authors of the Verizon 2021 Data Breach Investigations Report.

Don’t worry about James Bond. Worry about criminals.

Read more: [Page 12. Figures 15 and 16]

2: 85%

“85% of breaches [incidents that resulted in the confirmed disclosure of data to an unauthorized party] involved a human element”, according to the authors of the Verizon 2021 Data Breach Investigations Report.

Don’t worry about highly sophisticated attacks. Worry about your staff.

Read more: [Page 7. Figure 7.]

>>>>> ONE ACTION <<<<<

1: Go back to basics

80% of attacks are criminals seeking financial gain, and 85% involve a human element. Follow the 80/20 rule and make sure you have the basics in place: Start here with my guide: