Weekly CyberTip: be careful disposing of your old hardware
The rapid pace of technology change means that equipment gets replaced frequently. When upgrading, take care to dispose of the old gear securely: decommissioned hard drives, USB sticks, phones, and even printers (which often keep copies of scanned and printed documents on internal storage) can hold sensitive data, and simply deleting files or reformatting does not remove it. Securely wipe or physically destroy these assets before recycling or donating them. The Canadian Centre for Cyber Security (CCCS) publishes a comprehensive handbook on best practices for sanitizing e-waste.
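As an added illustration of what "securely wipe" means in practice (this script is not from ISA Cybersecurity or the CCCS handbook), the POSIX shell below overwrites a magnetic drive with zeros and then verifies the overwrite by comparing the whole device against /dev/zero, which is the step most people skip. It runs here against a constructed file-backed image so it is safe to execute without root; the device path, the size helper and the sample data are assumptions of the example, and the caveats in the comments about SSDs and flash are general guidance rather than page content.

```shell
#!/bin/sh
# Added example, not from ISA Cybersecurity or the CCCS handbook: overwrite a
# magnetic disk with zeros, then VERIFY the overwrite by comparing the whole
# device against /dev/zero.
#
# Caveats (assumptions of this example, not page content):
#  * Overwriting is only meaningful for spinning disks. SSDs, USB flash and
#    phones remap blocks behind the controller, so use the device's own
#    sanitize command instead, e.g. "hdparm --security-erase" for SATA or
#    "nvme format -s 1" for NVMe, or crypto-erase by destroying the disk
#    encryption key.
#  * The demo works on a constructed file-backed image so it runs without root
#    and without touching a real disk. Point it at a device path such as
#    /dev/sdX only after triple-checking that it is the right drive.

# Size of a file or block device in bytes (wc reads the whole device; on
# Linux "blockdev --getsize64" is faster for real disks).
size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# Overwrite every byte of $1 with zeros. One pass is sufficient for modern
# magnetic drives (NIST SP 800-88 "clear"); multiple passes add nothing.
wipe_device() {
    dev=$1
    bytes=$(size_bytes "$dev")
    head -c "$bytes" /dev/zero | dd of="$dev" bs=1048576 conv=notrunc 2>/dev/null
    sync
}

# Print "clean" if $1 contains nothing but zero bytes, otherwise "dirty".
verify_zeroed() {
    bytes=$(size_bytes "$1")
    if head -c "$bytes" /dev/zero | cmp -s - "$1"; then
        echo clean
    else
        echo dirty
    fi
}

# Demo on a constructed 4 MiB image filled with random data (a stand-in for a
# drive full of old files). Prints the verification result before and after.
demo() {
    img=$(mktemp)
    head -c 4194304 /dev/urandom > "$img"
    before=$(verify_zeroed "$img")
    wipe_device "$img"
    after=$(verify_zeroed "$img")
    rm -f "$img"
    echo "$before $after"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run with `sh wipe.sh --demo` to see `dirty clean`; the "dirty" result before wiping is the point: a drive that has merely been reformatted still compares unequal to zeros, and only the post-wipe "clean" result is evidence worth recording in a disposal log.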
ISA Cybersecurity Announcements
ISA Cybersecurity, celebrating its 30th year in operation, had three notable announcements last week:
1. Named one of Canada’s Top Small & Medium Employers for 2022.
2. Named a “Major Player” for the second time in a row in the IDC MarketScape: Canadian Security Services 2022 Vendor Assessment.
3. Enza Alexander, Executive Vice-President, was featured in The Trailblazer: Women Leaders 2022 edition of Aspioneer Magazine.
MailChimp customers phished after social engineering hack
On April 3, email marketing firm MailChimp disclosed that it had been the victim of a social engineering attack. The attackers reportedly viewed 319 Mailchimp accounts in total and exported the customer mailing lists of more than 100 of them. Armed with this information, they appear to have pivoted to phishing campaigns against MailChimp customers and, in turn, those customers' own subscribers.
A statement from MailChimp on the website provides details: “On March 26, our Security team became aware of a bad actor accessing one of our internal tools used by customer-facing teams for customer support and account administration. The incident was propagated by a bad actor who conducted a successful social engineering attack on Mailchimp employees, resulting in employee credentials being compromised.”
The first reports of downstream attacks came from owners of Trezor hardware cryptocurrency wallets, who received bogus notifications prompting them to reset their hardware wallet PINs because of a data breach. The link in the email led to a malicious download designed to steal the cryptocurrency held in their wallets. Because the targets were taken from a legitimate vendor mailing list, the messages reached exactly the audience that expected email from Trezor; a hardware wallet vendor will never ask for a recovery seed by email. Virtual world Decentraland also reported phishing attacks against its users as a result of the MailChimp breach.
Acquired by Intuit in November 2021, MailChimp is one of the largest email marketing firms in the world with an estimated 70% market share.
U.S. Department of State announces launch of Bureau of Cyberspace and Digital Policy
On April 4, The Office of the Spokesperson of the U.S. Department of State issued a media note announcing that the new Bureau of Cyberspace and Digital Policy (CDP) has started operations. The CDP was developed to address “national security challenges, economic opportunities, and implications for U.S. values associated with cyberspace, digital technologies, and digital policy.”
In a press briefing the same day, State Department spokesperson Ned Price elaborated: “Within this department, the CDP Bureau will lead and coordinate U.S. cyber and digital diplomacy to encourage responsible state behavior in cyberspace, protect the integrity and security of the internet, promote a competitive digital economy, and uphold democratic values.”
The CDP comprises three policy units: International Cyberspace Security, International Information and Communications Policy, and Digital Freedom. It is seen as one of the five key pillars of revamping the State Department, as outlined by Antony Blinken, U.S. Secretary of State, in his October 27, 2021 speech detailing his modernization agenda.
PCI Version 4.0 published, takes effect March 2024
The PCI Security Standards Council has released version 4.0 of the PCI DSS (Payment Card Industry Data Security Standard). Version 4.0 is a significant revision: it adds about 60 new requirements, a handful of which apply immediately to any assessment against 4.0, while the majority are treated as “best practices” until they become mandatory on March 31, 2025. Version 4.0 is optional until the current version, 3.2.1, is retired on March 31, 2024; assessments performed after that date must be conducted against 4.0.
Most of the future-dated requirements represent the biggest security gains (and potentially the largest implementation effort). Examples include a maintained inventory of bespoke and custom software and the third-party components it uses, documented management of user and application privileges, broader mandatory multi-factor authentication for access to the cardholder data environment, and a stronger emphasis on encryption and key management. Additional requirements apply to service providers, and the new version reframes PCI DSS as a continuous process rather than an annual checklist item.
PCI SSC has issued an at-a-glance reference document and a summary of changes, but stresses that these delta documents are for broad reference only: organizations that must comply should work from the full 4.0 standard and schedule complete reviews to assess the new requirements. The impact on processes and operations could be significant, so organizations are encouraged to begin their gap analysis soon to leave enough time to prepare and implement changes.
The end of Patch Tuesdays? Microsoft announces Windows Autopatch service
On April 5, Microsoft announced that Windows Autopatch will launch in July 2022 as a feature included with Windows Enterprise E3 or higher. The service is designed to take the patch-deployment workload off IT administrators: it rolls updates out in rings, so a small test ring of users receives each update before it reaches the rest of the enterprise, checks the environment before deployment, and can halt or roll back a change if problems are detected.
Microsoft has published a blog post with FAQs about the new service.
Snap-on Tools suffers cyber incident
Tool and equipment manufacturer Snap-on has disclosed a cyber incident involving access to staff and franchisee data. According to a bulletin on their home page: “In early March, Snap-on detected unusual activity in some areas of its information technology environment. We quickly took down our network connections as part of our defense protocols, particularly appropriate given heightened warnings from various agencies. We launched a comprehensive analysis assisted by a leading external forensics firm, identified the event as a security incident, and notified law enforcement of the incursion.”
According to a Snap-on breach notification template dated April 7, the investigation so far indicates that “the incident involved associate and franchisee data including information such as: names, Social Security Numbers, dates of birth, and employee identification numbers.” Fortunately, “there is no evidence that there has been any use or attempted use of the information exposed in this incident,” according to Snap-on's notification page on the IDX breach response platform.