Latest Cybersecurity News 2022-07-18 Edition

Follow ISA Cybersecurity on LinkedIn for the latest cybersecurity news

Weekly CyberTip: Making a career change? Watch out for fake job postings

The recent news of the social engineering incident at Axie Infinity is a reminder for job seekers to be on the lookout for bogus career postings. Virtual recruiting makes it easier for scammers to create fake jobs to extract personal information from you, or to exploit you as a means of compromising the company you work for. Watch for the following red flags during an online recruitment process: 

• requests for a lot of personal information (e.g., bank account information, social insurance numbers, driver’s license, etc.) early in the process 

• job postings that have spelling mistakes, grammatical errors, or typos 

• a lack of information about the company or the recruiter online 

• a posting that appears on an online job board, but not on the company’s website 

• a job offer that seems too good to be true 

SANS releases annual security awareness report 

SANS has released its seventh annual Security Awareness Report – Managing Human Risk. The 2022 report probes the maturity of corporate security awareness programs, explores the reasons why programs stall, and highlights ways of increasing the maturity of your program. 

The report recognizes that the human element remains the biggest target for cyber attackers, and that effective security awareness programs and personnel are the key to managing that significant risk area. 

Of the more than 1,000 organizations surveyed, about 5% have no awareness program in place at all, and about 30% still treat security awareness training only as a compliance exercise, rather than as a program that helps shape and evolve staff behaviour toward better cybersecurity. 

The report suggests seven key ways to increase the maturity of an awareness program in any organization: 

• focus on risk – not just what your program is, but why you are doing it 

• leverage real-life data to create a sense of urgency among staff and management to support your program 

• communicate the risks and consequences of cyber attack 

• ensure your awareness program team is adequately staffed 

• document your corporate business risks as well as the operational requirements for your program 

• develop internal partnerships to foster support and commitment 

• keep your programs sustainably simple, focusing on employee engagement

LendingTree denies one data breach, confirms another 

LendingTree has formally denied any connection to a trove of over 200,000 loan applications posted on the dark web, allegedly stolen from the U.S.-based online financial services provider and offered for sale by a hacking gang. 

Speculation arose about the veracity of the hackers’ claim about the loan data when LendingTree began sending breach notification letters to customers in late June. However, the company had “determined that this data leak did not originate at LendingTree. In fact, we obtained the full data set and found there to be no match when compared to our consumer database,” said Megan Greuling, Director, PR & Communications at LendingTree in a statement to The Record. 

“The threat actor who was selling the data set on the dark web must have mislabeled the data source accidentally or intentionally mislabeled the data set source for malicious intent, perhaps in an attempt to increase black market value.” 

Greuling confirmed that the notification letters actually referred to an unrelated incident in February 2022, in which the data of over 70,000 customers was exposed due to a “code vulnerability” in LendingTree’s virtual financial platform. 

LendingTree is an online lending marketplace connecting potential borrowers with multiple loan operators to shop for competitive rates and terms across financial products like credit cards, deposit accounts, insurance, loans, etc.

CISA orders agencies to apply new Patch Tuesday fix for Windows vulnerability 

One of the 84 vulnerabilities addressed in July 2022’s “Patch Tuesday” release from Microsoft has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalogue. Once a vulnerability appears on the list, U.S. government agencies are given three weeks to apply the fix to their systems. While CISA’s directive only applies to U.S. federal agencies, all organizations are urged to apply the patches or mitigations for entries on the KEV list, as they pose a clear and demonstrated risk. 

The new issue – tracked as CVE-2022-22047 – is a local privilege escalation vulnerability in the Windows Client/Server Runtime Subsystem (CSRSS). Microsoft has confirmed that the vulnerability has been exploited in the wild, though they offered no information as to the nature of the attacks. The high-severity bug affects all supported Windows workstation and server platforms. The Microsoft Security Update entry for the bug confirms the vulnerability’s low complexity, and high risk of affecting the confidentiality, integrity, and/or availability of affected systems. 
