Cybersecurity

CISA Announces Reduce the Risk of Ransomware Campaign

Today the Cybersecurity and Infrastructure Security Agency (CISA) announced the Reduce the Risk of Ransomware Campaign, a focused, coordinated and sustained effort to encourage public and private sector organizations to implement best practices, tools and resources that can help them mitigate this cybersecurity risk and threat. “CISA is committed to working with organizations at all levels to protect their networks from the threat of ransomware,” said CISA Acting Director Brandon Wales.

Security Awareness – Stolen Credentials from Xerox-themed Phishing Campaign Publicly Exposed

If your organization uses Xerox multifunctional devices (and even if it doesn’t) this incident may be of interest. It seems attackers inadvertently exposed more than 1,000 stolen corporate credentials obtained through a Xerox-themed phishing campaign. While 1,000 credentials may not seem significant, this incident represents a typical lure that staff are likely to fall for, especially if your organization uses Xerox devices.

Security Awareness – Do Three Words Pass the Crack?

PenTestPartners (PTP) is known for straightforward posts and practical analysis. This cyber hygiene article respectfully challenges some authoritative guidance (from the National Cyber Security Centre) on whether three-random-word passwords are strong enough. This is another good candidate for security awareness reminders on the importance of creating less crackable passwords.

CISA Capacity Enhancement Guides for Strong Authentication, Secure Web Browsers/Malvertising, and Phishing

The Cybersecurity and Infrastructure Security Agency (CISA) is announcing the issuance of three “Capacity Enhancement Guides.” While these guides are specifically directed at federal agencies, they contain best practices that can be applied more broadly across state, local, tribal, and territorial governments and the private sector. Access the guides at CISA.

The guides include:

NSA Releases Guidance on Encrypted DNS in Enterprise Environments

The National Security Agency (NSA) has released an information sheet with guidance for enterprise network owners and administrators on adopting encrypted Domain Name System (DNS) over Hypertext Transfer Protocol over Transport Layer Security (HTTPS), referred to as DNS over HTTPS (DoH). When configured appropriately, strong enterprise DNS controls can help prevent many initial access, command and control, and exfiltration techniques used by threat actors.

FBI PIN: Cyber Criminals Exploit Network Access and Privilege Escalation

The FBI has published a Private Industry Notification (PIN) observing that cyber criminals are focusing their operations to target employees of companies worldwide who maintain network access and an ability to escalate network privilege. The FBI explains that during COVID-19 shelter-in-place and social distancing orders, many companies had to quickly adapt to changing environments and technologies and may not be fully monitoring network access and privilege escalation.

No Joke – Joker’s Stash Calling it Quits, This Time

Joker’s Stash, one of the oldest, most successful credit card and point-of-sale dump repositories, appears to be closing its doors. According to Flashpoint, between PCI-DSS enhancements, COVID-19, and blockchain domain takedowns, Joker’s Stash may have finally succumbed to death by a thousand cuts. As many utilities accept credit cards for payments, there is always concern about the card processing platform or service becoming compromised and actors absconding with hundreds or thousands of payment card records processed for utility payments.

WaterISAC Spotlighted during Recent Cybersecurity Evangelist Podcast

WaterISAC Cybersecurity Risk Analyst Jen Walker put the spotlight on WaterISAC during a recent “Cybersecurity Evangelist” podcast she hosts for risk management firm Gate 15. Jen spoke with WaterISAC Director of Preparedness and Response Chuck Egli, and together they discussed how WaterISAC operates in support of the security and resilience of the water and wastewater sector. Their conversation included discussions of WaterISAC’s products and services, providing an orientation for new and aspiring members and a refresher for WaterISAC veterans.

CISA Analysis Report: Strengthening Security Configurations to Defend against Attacks Targeting Cloud Services

The Cybersecurity and Infrastructure Security Agency (CISA) has published an analysis report advising that threat actors are using phishing and other vectors to exploit poor cyber hygiene practices within a victim’s cloud services configuration, adding that it is aware of several recent successful attacks. CISA observes these types of attacks frequently occurred when victim organizations’ employees worked remotely and used a mixture of corporate laptops and personal devices to access their respective cloud services.
