SEC Charges Tech Firms Over Misleading SolarWinds Hack Disclosures
Article Link: https://www.infosecurity-magazine.com/news/sec-charges-solarwinds-hack/
- The Securities and Exchange Commission (SEC) has charged four tech companies, Unisys, Avaya, Check Point Software, and Mimecast, with making misleading disclosures about the 2020 SolarWinds hack. Each company is accused of downplaying the impact of the attack in its public statements.
- Unisys faces a $4 million penalty for describing its information security risks as hypothetical, despite experiencing actual breaches. Avaya, Check Point, and Mimecast will pay penalties of $1 million, $995,000, and $990,000 respectively, for similarly misleading disclosures.
- All companies have agreed to financially settle their cases without admitting wrongdoing.
- The SEC emphasized that accurate, transparent disclosure of information security incidents protects investors; describing an actual intrusion as a hypothetical risk, or understating its scope, is what drew the charges.
Major Publishers Sue Perplexity AI for Scraping Without Paying
Article Link: https://www.theregister.com/2024/10/22/publishers_sue_perplexity_ai/
- News giants Dow Jones and NYP Holdings sued AI startup Perplexity for scraping their content without payment, accusing them of multiple counts of copyright infringement and diluting trademarks by using their work to train AI models.
- News Corp is seeking $150,000 per infringement, claiming Perplexity not only scraped content but falsely attributed inaccurate information to their sources, harming their brand and credibility.
- News Corp made a deal with OpenAI for proper compensation, unlike Perplexity, which they accuse of sidestepping payment and misrepresenting original content.
- Moving forward, companies need to prioritize ethical AI usage, paying for content, and accurately citing sources to avoid legal and reputational fallout.
Microsoft Fails to Collect Critical Security Logs, Exposing Customers to Risks
Article Link: https://www.csoonline.com/article/3570263/microsoft-fails-to-collect-critical-security-logs-exposing-customers-to-risks.html
- Microsoft admitted a bug caused critical security logs to go uncollected for nearly a month, from September 2 to October 3, 2024. This issue affected services like Entra, Sentinel, and Azure Monitor, which left customers vulnerable to undetected cyber threats.
- Although Microsoft resolved the issue, it took several weeks to identify the problem, raising concerns about the company's response time and transparency. Some customers reported they were not informed about the log failures, which added to the frustration and raised trust issues. The practical risk is that detections built on those tables (sign-in anomalies, audit events, alerts routed through Sentinel) were silently blind for the whole period.
- To prevent similar risks in the future, industry insiders encourage Microsoft to improve bug detection, speed up incident response, and communicate better with affected customers to maintain trust in its security services.
- Link to Microsoft’s Preliminary Post Incident Review: https://m365admin.handsontek.net/multiple-services-partially-incomplete-log-data-due-to-monitoring-agent-issue/
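The customer-side check a SOC would want for an outage like this is a monitor for log sources that go quiet. The following is an added example, not Microsoft's code or anything from the post-incident review: it groups records by table, flags any silence longer than a threshold, treats an expected table with no records at all as fully missing, and also reports a trailing gap that is still open at "now". The table names, the 24-hour threshold, and the sample records are constructed for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-09-02T01:00:00Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Hypothetical threshold: a source that is silent for longer than this is flagged.
MAX_SILENCE = timedelta(hours=24)

# Constructed sample data (not real tenant data). SigninLogs stops on 2 Sep and
# resumes on 3 Oct, mirroring the shape of the gap described above; AuditLogs
# keeps arriving every 6 hours; DeviceEvents is expected but never arrives.
NOW = _parse("2024-10-04T00:00:00Z")
SAMPLE_RECORDS = [
    ("SigninLogs", _parse("2024-09-01T06:00:00Z")),
    ("SigninLogs", _parse("2024-09-01T18:00:00Z")),
    ("SigninLogs", _parse("2024-09-02T03:00:00Z")),
    ("SigninLogs", _parse("2024-10-03T15:00:00Z")),  # ingestion resumes
    ("SigninLogs", _parse("2024-10-03T23:00:00Z")),
] + [
    ("AuditLogs", _parse("2024-09-01T00:00:00Z") + timedelta(hours=6 * i))
    for i in range(132)  # last record lands at 2024-10-03T18:00:00Z
]
EXPECTED_TABLES = {"SigninLogs", "AuditLogs", "DeviceEvents"}


def find_ingestion_gaps(records, max_silence, now, expected_tables=()):
    """Return {table: [(gap_start, gap_end), ...]} for every silence longer
    than max_silence. gap_end is None for a gap still open at `now`; a table
    in expected_tables with no records at all is reported as [(None, None)]."""
    by_table = defaultdict(list)
    for table, ts in records:
        by_table[table].append(ts)

    gaps = {}
    for table in set(by_table) | set(expected_tables):
        stamps = sorted(by_table.get(table, []))
        if not stamps:
            gaps[table] = [(None, None)]  # never ingested anything
            continue
        found = [
            (prev, cur)
            for prev, cur in zip(stamps, stamps[1:])
            if cur - prev > max_silence
        ]
        if now - stamps[-1] > max_silence:
            found.append((stamps[-1], None))  # silence is ongoing
        if found:
            gaps[table] = found
    return gaps


def describe(gaps, now):
    """Render the gap report as human-readable lines for an alert body."""
    lines = []
    for table, spans in sorted(gaps.items()):
        for start, end in spans:
            if start is None:
                lines.append(f"{table}: no records ingested at all")
            elif end is None:
                lines.append(f"{table}: silent since {start.isoformat()} ({now - start} and counting)")
            else:
                lines.append(f"{table}: silent {start.isoformat()} -> {end.isoformat()} ({end - start})")
    return lines


def run_demo():
    """Run the detector over the constructed sample and return the gap map."""
    return find_ingestion_gaps(SAMPLE_RECORDS, MAX_SILENCE, NOW, EXPECTED_TABLES)


if __name__ == "__main__":
    for line in describe(run_demo(), NOW):
        print(line)
```

In production the record list would come from a scheduled query of per-table ingestion timestamps rather than an in-memory list, and the threshold should be set per table from its normal cadence: a busy sign-in table should alert within an hour, while a low-volume audit table may legitimately be quiet for a day.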
15 NASA, U.S. Defense Contracts Got Sub-Standard Cybersecurity
Article Link: https://www.pcmag.com/news/15-nasa-us-defense-contracts-got-sub-standard-cybersecurity-penn-state
- Penn State has agreed to pay a $1.25 million fine for failing to properly secure data connected to 15 NASA and Department of Defense contracts between 2018 and 2023, after a whistleblower raised concerns about the university’s information security practices.
- The university was found to have used an insecure cloud provider and misrepresented when it would enhance its information security measures, putting sensitive government information at risk.
- Matthew Decker, a former Penn State employee, reported the issue under the False Claims Act and will receive $250,000 as part of the settlement for his role in exposing the university’s shortcomings.
- The settlement underscores the importance of strong information security practices for federal contractors handling sensitive defense information, including the use of cloud providers that actually meet the contract's security requirements rather than ones the contractor merely claims will be brought into compliance later.
Be Aware of These Eight Underrated Phishing Techniques
Article Link: https://www.securityweek.com/be-aware-of-these-eight-underrated-phishing-techniques/
- Attackers are using lesser-known phishing techniques like search engine optimization (SEO) poisoning, paid ads, and social media phishing to lure victims into sharing sensitive information or downloading malware.
- Emerging tactics like “quishing” (QR code phishing), mobile app phishing, and call-back scams are also on the rise, exploiting everyday tech and user habits to compromise data.
- Cybercriminals are increasingly leveraging cloud-based services and content injection attacks to bypass traditional security measures, using platforms like Microsoft Teams and cloud storage to spread malicious content.
- To counter these evolving threats, organizations must focus on continuous security training and awareness programs to help employees recognize and avoid these sophisticated phishing techniques.
Most Women in IT Work Overtime to Advance in Their Careers
Article Link: https://www.helpnetsecurity.com/2024/10/23/women-it-roles-career-development/
- In a 2023 Acronis survey (sample size not published), 71% of female IT professionals reported working extra hours for career advancement, only 32% felt gender equality exists in their field, and 31% believed men are promoted faster.
- Despite women’s presence in teams, 63% noted a lack of female leadership in information security, and 84% agreed that the tech industry would benefit from more women in leadership roles.
- Many women find career development lacking, with 63% pursuing additional training and 51% seeking more mentoring opportunities to advance in their careers.
- Acronis frames hiring women in IT as a strategic advantage that brings different perspectives and drives innovation, and calls for mentorship, pay equity, and diverse hiring to promote gender equality.
- Link to Acronis’ Survey: https://www.acronis.com/en-eu/pr/2024/acronis-external-survey-of-women-in-the-it-workforce-finds-71-of-females-work-longer-hours-to-advance-their-careers/
U.S. Energy Sector Vulnerable to Supply Chain Attacks
Article Link: https://www.infosecurity-magazine.com/news/us-energy-vulnerable-supply-chain/
- SecurityScorecard and KPMG's study of 250 U.S. energy companies found that 45% of sector breaches last year involved third-party vendors, well above the 29% global average. The MOVEit flaw, exploited by Clop, accounted for 39% of these incidents.
- Energy companies face heightened risks due to heavy reliance on third-party IT providers, with 90% of breaches being repeat attacks and further threats from geopolitical and tech challenges.
- Smaller, newer renewable energy firms had the weakest information security, increasing their vulnerability.
- To reduce these risks, firms should strengthen vendor security, improve third-party software protections, and enhance application, DNS, and network security.
- Link to SecurityScorecard's Report: https://securityscorecard.com/wp-content/uploads/2024/10/Third-Party-Breaches-are-the-Top-Threat-for-the-U.S.-Energy-Sector.pdf
Security Priorities Emphasize CISO Role on the Rise
Article Link: https://www.csoonline.com/article/3578736/security-priorities-emphasize-ciso-role-on-the-rise.html
- Foundry/CSO’s 2024 Security Priorities report surveyed 870 global IT security leaders, highlighting CISOs’ expanding roles due to AI adoption and resilience demands.
- With 98% of CISOs seeing benefits in AI-enabled security, nearly half plan to boost AI spending in 2024 to improve threat remediation and workload efficiency.
- Rising cyber complexities and expectations for resilience have placed CISOs in a critical role, especially in high-stakes sectors like healthcare.
- Key 2024 priorities include securing sensitive data, enhancing resilience, and training end-users in cyber awareness, with increased investments in AI-based security tools.
- Link to Foundry’s Study: https://foundryco.com/research/security-priorities/
The Evolution of Cybercrime: How Ransomware Became the Weapon of Choice
Article Link: https://www.techradar.com/pro/the-evolution-of-cybercrime-how-ransomware-became-the-weapon-of-choice
- Cybercrime began with small-scale, low-tech scams and experimentation, primarily by individuals. Computers were isolated, limiting the scope of early attacks.
- As digital systems became essential to daily life, criminals saw new opportunities. Small-time scams evolved, and more organized groups emerged to exploit interconnected networks.
- Ransomware became the preferred attack method because it offers high financial rewards for comparatively little effort: attackers gain initial access through tactics like phishing, encrypt the victim's data, and demand payment in cryptocurrency, which is hard to trace.
- With ransomware now a major threat, organizations are implementing layered defenses, such as isolated and rigorously tested backup systems, employee training on phishing, and augmenting network security to minimize their risks and operational disruptions.
