Weekly CyberTip: Check the email recipient address!
Making sure you are sending your email to the right recipient sounds like Security 101. But the headlines this week remind us that verifying the destination before clicking send is still an issue for some people. This comes after news that the British Ministry of Defence (MOD) is investigating a report that government officials accidentally emailed “state secrets” to the West African nation of Mali.
The emails were supposed to go to an American military address – which uses the domain name .mil – but were inadvertently addressed to the government of Mali, whose domain name is .ml.
While the MOD downplayed the report, saying they are “confident there was no breach of operational security or disclosure of technical data,” the incident should cause all of us to reflect on what to share via email, and to always pay close attention to the delivery address – every time.
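One way a mail gateway or send-time plugin could catch the .mil/.ml mistake described above, as an added example that is not part of the original post: flag any recipient domain that is not on an approved list but sits within a small edit distance of one. The approved-domain list and the sample addresses are constructed for illustration.

```python
"""Outbound recipient check: flag addresses whose domain is not approved but
looks like an approved one (e.g. a typo'd TLD such as .ml in place of .mil).
Added example; the approved-domain list and sample addresses are constructed."""

# Constructed allowlist of domains that sensitive mail is expected to go to.
APPROVED_DOMAINS = {"mail.mil", "army.mil", "example.gov"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution / match
        prev = cur
    return prev[-1]


def classify_recipient(address: str, approved=APPROVED_DOMAINS,
                       max_distance: int = 2) -> str:
    """Return 'approved', 'lookalike', 'external' or 'invalid' for one address.

    'lookalike' means the domain is not approved but is within max_distance
    edits of an approved domain, which is the pattern behind mail.mil -> mail.ml."""
    if "@" not in address:
        return "invalid"
    domain = address.rsplit("@", 1)[1].strip().lower().rstrip(".")
    if domain in approved:
        return "approved"
    for good in approved:
        if levenshtein(domain, good) <= max_distance:
            return "lookalike"
    return "external"


def check_outbound(recipients):
    """Return (address, verdict) pairs that should trigger a warning or block
    before the message leaves the organisation."""
    return [(r, v) for r in recipients
            if (v := classify_recipient(r)) != "approved"]


if __name__ == "__main__":
    # Constructed sample: one correct .mil address, one typo'd .ml address,
    # and one ordinary external address.
    sample = ["analyst@mail.mil", "analyst@mail.ml", "colleague@example.org"]
    for addr, verdict in check_outbound(sample):
        print(f"{verdict:10} {addr}")
```

A "lookalike" verdict is the one worth a hard stop or a confirmation prompt; plain "external" recipients are a policy decision for the organisation.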
IBM publishes latest Cost of a Data Breach Report
IBM’s annual Cost of a Data Breach Report 2023 was published on July 24. The 18th annual version of the report reveals that the global average cost of a data breach reached a record $4.45 million (all figures USD) in 2023 – a 15% increase from the 2020 report. The average cost per record involved in a data breach also reached an all-time high at $165.
Detection and escalation costs jumped 42% over the same three-year period, reflecting a shift towards more complex breach investigations in recent years. Cost increases in the healthcare sector were particularly dramatic, with a 53.3% increase in breach costs since 2020. For the 13th year in a row, the healthcare sector reported the highest average cost at $10.93 million.
The report also found that nearly all of the 553 organizations surveyed – 95% – had experienced more than one breach.
Second vulnerability identified in cyber attack on Norwegian government
On July 23, hackers exploited a zero-day vulnerability in Ivanti mobile endpoint management software to compromise a dozen Norwegian government agencies. On July 28, Ivanti announced that they had discovered a second zero-day vulnerability in the software – an issue distinct from the initial bug, tracked as CVE-2023-35078. This second software flaw, tracked as CVE-2023-35081, was also exploited by the hackers as part of the initial attack vector.
“A vulnerability has been discovered in Ivanti Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core. This vulnerability impacts all supported versions – releases 11.10, 11.9 and 11.8. Older versions/releases are also at risk. This vulnerability is different from CVE-2023-35078, released on July 23,” Ivanti explained in the second advisory.
“As of now we are only aware of the same limited number of customers impacted by CVE-2023-35078 as being impacted by CVE-2023-35081.” Nonetheless, Ivanti warned: “It is critical that you immediately take action to ensure you are fully protected.”
The second advisory suggests that the vulnerability could allow a threat actor to take a variety of actions on a victim device and can be used in conjunction with the first bug to bypass administrator authentication. According to CISA, which posted its own advisories on the first and second vulnerabilities, the bug could allow hackers to access mobile users’ personally-identifiable information, including names, phone numbers, and other mobile device details.
SEC adopts new rules on cyber management
On July 26, the U.S. Securities and Exchange Commission (SEC) adopted new rules “requiring registrants to disclose material cybersecurity incidents they experience and to disclose on an annual basis material information regarding their cybersecurity risk management, strategy, and governance. The Commission also adopted rules requiring foreign private issuers to make comparable disclosures.”
The new rules will require registrants to disclose any cybersecurity incident they determine to be material and to describe the material aspects of the incident’s nature, scope, and timing, and “material impact or reasonably likely material impact on the registrant”.
Once the changes are in full effect, registrants will be required to describe their processes “for assessing, identifying, and managing material risks from cybersecurity threats, as well as the material effects or reasonably likely material effects of risks from cybersecurity threats and previous cybersecurity incidents,” as well as describing the roles and expertise of management and the board of directors in overseeing cyber risk.
Most of the new rules take effect in December 2023, or a defined number of days after being published in the Federal Register, whichever comes later.