Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: A password manager breach, ransomware triple extortion, cybersecurity for startups, and why the gamer in your life may be a risk in your life.
This week’s action: Love your children. But don’t trust them.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: Your Password Manager has been breached. Does it matter?
What? LastPass, one of the world’s biggest password managers, recently announced that it had been breached. According to the company, “an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information [..] [Their] investigation has shown no evidence of any unauthorized access to encrypted vault data.”
So what? It’s never good to hear that a service you entrust with sensitive data, such as your passwords, has been breached. However, assuming you can trust their assertion that their “zero knowledge model ensures that only the customer” can access their passwords, then it should be safe to assume that your passwords are still secure. There are a couple of assumptions here, and perhaps these assumptions may prove to be incorrect. Even if this is the case, if you use Multi-Factor Authentication (MFA), then the bad guys need more than just your passwords to get into your accounts anyway. And, unless you have endless time and endless budget, sometimes you just need to work with such reasonable assumptions and focus on the more serious and real gaps in your security defences.
2: Ransomware gang is planning for triple extortion
What? Bleeping Computer (and NCSC) recently reported on the LockBit ransomware gang’s plans to add to their arsenal of attacks, to increase the likelihood of victims paying their ransom demand. The traditional ransomware attack involves the bad guys encrypting your files so you can no longer access them until you pay the ransom (or restore them from a backup). More recently, the bad guys threaten to publish the stolen data on the internet if you don’t pay the ransom. Now, the LockBit gang plans to attack its victims with Distributed Denial of Service (DDoS) attacks, which prevent access to the computer systems and websites of victims.
So what? The impact of a ransomware attack is increasing. Having a secure, offline backup of your files should provide a solution if your files are encrypted. And that’s why maintaining such a backup remains important. But the additional repercussions of a ransomware attack may be more difficult to defend against or recover from. All the more reason to ensure the attackers find it difficult to break into your organisation. If you don’t know where to start, start with your foundations.
3: For startups, cybersecurity is not just a necessity, it could be a competitive advantage
What? A recent article in CPO Magazine reminds startups that, without a cybersecurity strategy, “your environment becomes vulnerable to malicious actors that pose not only a risk to the acquisition and integrity of your data but also to your business reputation. [..] Most prospective clients/partnerships now require organizations, regardless of size, to prove their security posture via issued Security Assessment Questionnaires (SAQ’s) – a tedious survey of the policies and procedures implemented to protect data”. That’s the bad news, but there is some light at the end of the tunnel. As the author states, “It’s important to note that cybersecurity isn’t just a risk mitigator. It can be leveraged as a strategic competitive differentiator [..] and also grow into new geographies with compliance requirements.”
So what? If your organisation is still in its early growth phase, it’s inevitable that your focus will be on survival and growing revenue. During this phase, you need to consider what could put your survival at risk. A cybersecurity attack is one such risk. Not only could it have a significant immediate impact on your bottom line, your reputation may never recover. But on the plus side, if you can get some relatively simple security measures in place, you can significantly reduce the risk. More importantly, you can talk confidently about your security measures, so your prospects are less likely to see you as a risk and more likely to see you as a solution. Once again, if you don’t know where to start, start with your foundations.
What? The number of gamers that were infected by malware in the 12-month period to June 2022 after downloading what they thought were genuine computer games, game hacks, or in-game currency. This is based on data shared voluntarily by customers of Kaspersky and recently reported by The Register (and Secure The Village).
What? According to the same report, this is the number of these 384k gamers who were infected when they downloaded what they thought was a file related to Minecraft, a game that is particularly popular with kids. After Minecraft, the next most popular game used as bait by the bad guys was Roblox, another game loved by children.
So what? Who doesn’t love ‘free’? So, when a gamer spots something online that promises free access to a game or gaming feature, it can be difficult for them to resist the offer. This may be particularly true for younger members of a household who may not have had the pure joy of attending fantastic cybersecurity awareness training. And this leads me nicely into this week’s action.
1: Love your children. But don’t trust them.
What? The bad guys are always looking for ways to get their malicious software (malware) onto your laptops and phones. The malware could steal your passwords and online banking login details, or run ransomware on the device so all of the files that you can access through Windows Explorer become inaccessible to you unless you pay a ransom. As shown in the Kaspersky report, it looks like there are plenty of gamers being fooled by the bad guys into downloading this malware.
So what? If this gaming device is also the device that you use for sensitive activities (e.g. accessing your online bank account, your personal email account, or your employer’s systems and data), the gamer in your family may be exposing these sensitive activities to the bad guys. This is why I highly recommend that you try to have separate devices, so that high-risk activities and users do not share the device that you use for high-value activities. In other words, would I let my son use my personal laptop? Not a chance in hell. PS: I still love you, kiddo!