Cybersecurity Without Insanity in 3 articles, 2 numbers and 1 thing to think about.

This week: What have traffic lights, JD Sports, and Microsoft OneNote got in common? They all star in this week’s Cyber 3-2-1. Also this week, a reminder as to why regulators are so keen for us to get better at third-party risk management, especially when it comes to our IT service providers.

To listen to Cyber 3-2-1: All episodes are accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.

THREE ARTICLES

1. Watch out for killer traffic lights

Bitdefender recently reported on a software vulnerability that only affects 150,000 devices. Unfortunately, these 150,000 devices are traffic lights.

Why are traffic lights connected to the internet? Well, for convenience, of course – it makes it far easier to manage the devices if you can do so from anywhere in the world.

It also makes it far easier for cyber attackers to gain access and switch any light from red to green.

Or perhaps thousands of lights from red to green.

At the same time.

So, just because of lax security by one company, 150,000 traffic lights pose a significant risk to public safety.


2. Not a great look for JD Sports

JD Sports has notified 10 million customers of a recent data breach.

According to a report in Silicon Republic, the breach “relates to online orders placed between November 2018 and October 2020 for several of the retailer’s brands”, including JD Sports, Size?, Millets, Blacks, and Scotts. The breach means cyber criminals have the names, addresses, phone numbers, email addresses and purchase details of its customers.

If you are one of the 10 million, expect an increase in the number of phishing emails and dodgy phone calls that you receive.


3. It’s time to block most file attachments

Bleeping Computer recently reported that cyber attackers continue to try different types of file attachments to fool your staff. Now that it is harder for the bad guys to use Word / Excel documents to deliver their malicious software, they are switching to other file types.

I’ve mentioned this before, flagging that LNK, HTML, EML, and PST file types are not to be trusted. This week, we’re talking about Microsoft OneNote attachments.

It’s time for us to block or quarantine any emails that include an attachment with a file type that is seldom used for genuine business purposes. In other words, instead of blacklisting specific file types and only blocking these, we need to whitelist specific file types and block all others. (Credit to Secure The Village for sharing this article with me.)
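To show what the allow-list approach looks like at the mail gateway, here is an added example (not code from the newsletter or from any product it mentions). It walks the attachments of an email, judges each one against a short allow-list of business file types, and holds the whole message if anything else (OneNote, LNK, HTML, EML, PST or simply unknown) turns up. The allow-list itself and the sample email are assumptions for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Assumed allow-list: the handful of types staff genuinely need. Everything else
# is held. Archives (.zip etc.) are deliberately absent because they can carry
# any of the types we are trying to keep out.
ALLOWED_EXTENSIONS = {".pdf", ".docx", ".xlsx", ".pptx", ".txt", ".csv", ".png", ".jpg", ".jpeg"}


def classify(filename: str) -> str:
    """Return 'allow' if the attachment's file type is on the allow-list, else 'quarantine'."""
    if not filename:
        # No name means no type to judge, so it does not get through.
        return "quarantine"
    # Only the final suffix decides the type: "invoice.pdf.one" is a .one file,
    # the ".pdf" in the middle is there to fool the reader, not the filter.
    suffix = PurePosixPath(filename.strip()).suffix.lower()
    return "allow" if suffix in ALLOWED_EXTENSIONS else "quarantine"


def attachment_verdicts(raw_message: bytes) -> list:
    """Return a (filename, verdict) pair for every attachment in the raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    return [(part.get_filename() or "", classify(part.get_filename() or ""))
            for part in msg.iter_attachments()]


def quarantine_message(raw_message: bytes) -> bool:
    """True when any attachment fails the allow-list: the whole email is held, not just the file."""
    return any(verdict == "quarantine" for _, verdict in attachment_verdicts(raw_message))


def build_sample() -> bytes:
    """Constructed sample email: one ordinary PDF plus a OneNote attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    msg.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"\x00constructed placeholder", maintype="application",
                       subtype="octet-stream", filename="notes.one")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, verdict in attachment_verdicts(build_sample()):
        print(f"{name or '<unnamed>'}: {verdict}")
    print("hold message:", quarantine_message(build_sample()))
```

Adding a new type to `ALLOWED_EXTENSIONS` is the only way for it to get through, which is the point: the default for anything new the attackers try is "blocked".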


TWO NUMBERS

98%

98% of organisations have a relationship with “at least one third party that has experienced a breach in the last 2 years”, according to research recently published by Security Scorecard.

You may argue that this figure is an over-estimate because it was published by a company that sells monitoring services for third parties, although Security Scorecard states that these figures come from automated systems, which gather information on over 300,000 organisations.

Such a statistic indicates why regulators are so keen for us to get better at Third Party Risk Management (TPRM).


50%

According to the same research, half of all organisations have indirect relationships “with at least 200 fourth parties that have had breaches in the last two years”. The report suggests that most organisations “are no more than 2 steps removed from each of the Top 50 [IT / technology] vendors [..] Even if your organization doesn’t use a certain vendor or technology, there’s a good chance that those you depend upon do.”

This may help us understand why the EU’s DORA (Digital Operational Resilience Act) regulation is going to require financial services firms to get serious about managing IT third-party risk [DORA Article 1(a) and Articles 25-27].

PS: Fourth parties are the third parties of your third parties. For example, if you rely on an IT MSP, and this IT MSP relies on SolarWinds, a popular IT management system used by many IT MSPs, then SolarWinds is one of your fourth parties. Unfortunately, it also means your IT MSP may have been one of the estimated 30,000 organisations breached when SolarWinds was hacked in 2020. And because this software is used by IT MSPs to manage the IT infrastructure of organisations like yours, this SolarWinds breach could also have put you at risk. I wonder how many IT MSPs that use SolarWinds informed their clients of the breach at that time?


ONE THING TO THINK ABOUT

This week, I asked my email subscribers to think about one thing.

If you aren’t a subscriber, you don’t need to think about anything... apart from the successor to ChatGPT…

Introducing CatGPT!