Whether it’s new policies or the latest security breach, several cybersecurity events are driving discussion and decisions across organizations worldwide.
Security leaders are hit with a barrage of threats and an ever-changing environment. As leading outlets cover the latest developments, SecurityScorecard is delivering perspective and insight on the most pressing issues of our time:
Politico – “Changes afoot for U.S. spy catchers” (22 Sept. 2022)
In the latest edition of Politico’s Pro Newsletter Sue Gordon, a former spy who was the second-highest ranking U.S. intelligence official, argues that ransomware attacks have forced more companies to examine their cybersecurity posture. Gordon recommends that the government “be more prescriptive” toward the private sector, and she stressed the importance of KPIs in the fight against cybercrime: “…if you don’t know what is important to you, you don’t know what to measure. And if you don’t measure, then you’re not going to be able to do something about it.”
This week, Gordon joined SecurityScorecard’s board of directors.
Dark Reading – “Quantify Risk, Calculate ROI” (21 Sept. 2022)
At a time of economic uncertainty and increased cybercrime activity, organizations need to know the ROI of their cybersecurity investments. SecurityScorecard recently released its ROI calculator, which provides a high-level estimate of the Total Economic Impact of the SecurityScorecard platform.
The tool was developed based on the Forrester Consulting Study, “Total Economic Impact of SecurityScorecard.” Dark Reading shared exciting details on how the calculator can help justify spend, and get executive buy-in.
AP News – “Serious breach at Uber spotlights hacker social deception” (17 Sept. 2022)
Social engineering is one attack vector that’s hard to protect against. In a recent breach, a lone hacker posed as an Uber employee, tricking an actual employee into revealing their credentials. Although Uber denied the severity of the breach, screenshots the hacker shared with security researchers show that he gained full access to Uber’s cloud platform, where sensitive user and financial data is stored.
Per SecurityScorecard’s SVP, Threat Research & Intelligence, Ryan Sherstobitoff, “attackers are getting better at by-passing or hi-jacking MFA (multi-factor authentication).” In this case, the hacker spammed the Uber employee with requests to confirm their identity. After the employee didn’t respond, the hacker sent a WhatsApp message posing as a co-worker from the IT department. The employee fell for it and confirmed the login request.
Bleeping Computer – “The Week in Ransomware – September 16th 2022 – Iranian Sanctions” (16 Sept. 2022)
In its weekly edition of ransomware highlights, Bleeping Computer included mention of a detailed analysis of the Quantum ransomware, which is known for encrypting data on victim computers. Read SecurityScorecard’s Senior Malware Analyst Vlad Pasca’s full, detailed analysis of the Quantum Ransomware here.
The Register – “Lloyd’s to exclude certain nation-state attacks from cyber insurance policies” (24 Aug. 2022)
Lloyd’s of London, an insurance market comprising 76 syndicates, announced that it would limit coverage of cyber attacks. Namely, the market will try to protect itself from certain nation-state actors and attacks that happen during wars. The market has found these attacks particularly costly, making it hard for syndicates to cover. Lloyd’s will remain active in the cyber insurance business but will include clauses in all cyber attack policies that exclude “liability for losses arising from any state-backed cyberattack.”
SecurityScorecard’s international director for insurance solutions, Peter Hawley, told the Register that the language surrounding “state-backed” is open for interpretation, which leaves insurers at risk of paying for an unsanctioned event or going to court for declining a claim. Read everything he had to say on the issue here.
Axios – “Twitter’s security alarm” (24 Aug. 2022)
Pieter Zatko, Twitter’s former head of security turned whistleblower, exposed several security vulnerabilities with Twitter in an 84-page Federal complaint that was made public in August. Zatko testified, “The company’s cybersecurity failures make it vulnerable to exploitation, causing real harm to real people.” Among the cybersecurity failures Zatko highlights are:
A large portion of employee computers and data servers running on outdated software
Over half of employees have access to Twitter’s live code and data
As a result of these failures, Twitter “dealt with more than 50 incidents in the past year.”
According to SecurityScorecard, however, Twitter’s security approach is average, rather than “vulnerable to exploitation,” as Zatko claims.
Historically, Twitter has held a rather high 80 (out of 100) cybersecurity rating with SecurityScorecard’s ratings platform. It’s worth noting that the rating relies on publicly available information, which is less than what Zatko had access to.
About SecurityScorecard
SecurityScorecard is the global leader in cybersecurity ratings and the only service with millions of organizations continuously rated. Thousands of organizations leverage our patented rating technology for self-monitoring, third-party risk management, board reporting, and cyber insurance underwriting. But we don’t stop there. Through a customer-centric, solution-based commitment to our partners, we are transforming the digital landscape building a path toward resilience.