Weekly CyberTip: Check your email before you click “Send”
These days, the pace of work is faster than ever. But rushing to send an email can have serious security consequences. Make sure you always pause to double-check a few key items before clicking “Send”:
- Did you spell the recipients’ names correctly, and get their domains correct? A “.com” can become a “.co” accidentally; a “.ca” could be used instead of a “.com” if you’re in a rush. Consider the consequences of your message falling into the wrong hands.
- Do you need to “reply all”, or are you over-sharing information with a large group when your response is better suited for one individual? Reduce the copy-list on replies to only those who need to know.
- Should you consider bcc instead of cc? Is it appropriate to share everyone’s email addresses with all recipients, particularly on external emails?
- Most importantly: Are you sharing sensitive information? If so, you likely should reconsider sending the email at all – for example, you should never send financial information, passwords, or other confidential data via email.
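The first item in the checklist, catching a recipient domain that is one slip away from the one you meant, is easy to automate as a pre-send check. The script below is an added illustration, not something from ISA Cybersecurity; the allowlist of trusted domains and the sample addresses are constructed for the example.

```python
import re
from typing import Iterable, Optional

# Constructed sample allowlist: domains this team normally corresponds with.
TRUSTED_DOMAINS = {"example.com", "partner-example.ca"}

ADDRESS_RE = re.compile(r"^[^@\s]+@([A-Za-z0-9.-]+\.[A-Za-z]{2,})$")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; inputs are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_recipient(address: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> Optional[str]:
    """Return a warning for a suspicious recipient, or None if the domain looks fine."""
    m = ADDRESS_RE.match(address.strip())
    if not m:
        return f"{address}: not a well-formed address"
    domain = m.group(1).lower()
    if domain in trusted:
        return None
    name, _, tld = domain.rpartition(".")
    for t in trusted:
        t_name, _, t_tld = t.rpartition(".")
        # Same organisation name, different suffix: the ".com" -> ".co" / ".ca" slip.
        if name == t_name and tld != t_tld:
            return f"{address}: suffix .{tld} but the trusted domain is {t}"
        # One keystroke away from a trusted domain: a typo or a lookalike domain.
        if edit_distance(domain, t) == 1:
            return f"{address}: one character off from trusted domain {t}"
    return None


def review_recipients(addresses: Iterable[str]) -> list:
    """Collect every warning so the sender can review them before clicking Send."""
    return [w for w in (check_recipient(a) for a in addresses) if w]


if __name__ == "__main__":
    for warning in review_recipients(["alice@example.com", "bob@example.co", "dave@exampl.com"]):
        print(warning)
```

Domains not in the allowlist and not close to any trusted one are left alone; the check only flags near misses, which is where a rushed sender actually errs.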
Most provinces follow Canadian government lead in banning TikTok
Just days after the Canadian federal government announced that it is banning TikTok from government devices, almost all regional jurisdictions in the country have followed suit. As of March 5, only Ontario, the Northwest Territories, and Nunavut have not announced prohibitions on the popular social media app; Canada’s 10 other jurisdictions have announced bans.
Indeed, many municipalities are also now implementing or considering bans: for example, the City of Calgary has banned the app from staff members’ devices; in Ontario, the cities of Ottawa, Toronto, Guelph, and Kitchener among others are looking at outlawing TikTok as well. ISA Cybersecurity Executive Vice President Enza Alexander spoke to CTV News about speculation of even wider bans affecting private citizens in Canada.
The volume of data collected by TikTok, coupled with the Chinese ownership of the app, has driven concerns about the security of the social media platform. The week of Canadian announcements follows similar moves in other jurisdictions around the world in recent months. In December 2022, the United States passed the No TikTok on Government Devices Act, while the European Union issued a statement on February 23, calling for the removal of TikTok from “its corporate devices and on personal devices enrolled in the Commission mobile device service” in an effort to “strengthen cybersecurity.”
IBM Threat Intelligence team releases new report
IBM’s Threat Intelligence team has released their annual X-Force Threat Intelligence Index report. The 2023 edition is loaded with stats and insights compiled by IBM’s security researchers over the course of the past year.
According to the report, phishing was the top infection vector, identified in 41% of incidents handled by the X-Force team. The next highest category of incident was exploitation of public-facing applications at 26%.
The report explained that a record number of vulnerabilities was discovered in 2022, with 23,964 system flaws identified compared to 21,518 in 2021. The severity profile of those vulnerabilities has worsened as well: in 2018, 58% of vulnerabilities had a CVSS score of “medium”, compared to 36% ranked as “high”. In 2022, 47% of vulnerabilities were categorized as “high” severity, while “medium” threats had dropped to 42%.
The report also identified LockBit as the most commonly used ransomware strain of 2022, appearing in 17% of ransomware incidents in the study.
Proofpoint releases annual State of the Phish report for 2023
Proofpoint has published the new State of the Phish 2023, a report “drawn from a survey of 7,500 working adults and 1,050 IT security professionals across 15 [countries],” sourced from 135 million simulated phishing attacks and analysis of over 18 million suspected phishing emails.
Some of the key findings in the report:
- 67% of security professionals surveyed said that phishing rates went down after a security awareness program was implemented
- 300K-400K telephone-oriented attack delivery attempts were made daily, with a peak of 600K per day in August 2022.
- 98% of organizations had a training program of some sort, but only 56% trained everyone in the organization and only 35% ran phishing simulations to test employee awareness
- 63% of users don’t know that an email link text might not match the website it goes to
- 44% of people think an email is safe when it contains familiar branding; however, over 30 million malicious messages sent in 2022 involved Microsoft branding or products
Hacker allegedly releases stolen City of Oakland data
Nearly a month after a ransomware attack hit the city of Oakland, California, a hacker has allegedly published 10 GB of data stolen in the incident.
According to a March 3 update on the city’s website, Oakland “recently became aware that an unauthorized third party has acquired certain files from our network and intends to release the information publicly”. That threat became a reality on March 4, when a ransomware gang known as “The Play” posted 10 GB of compressed data on its dark web portal, alleging that it came from the city. The leaked data appears to contain confidential documents, full employee information profiles, passports, and IDs.
The initial attack on the city began late on February 8, and was discovered on February 9. The city declared a state of emergency on February 14. Since then, services have slowly been coming back online. However, as of March 5, still-affected systems included “key services such as Oak311, permitting and business tax. Several non-emergency systems including phone lines within the City of Oakland are currently impacted or offline” as well, according to the city website.