Businesses are instituting widespread remote work policies and procedures to facilitate social distancing and “flatten the curve.” Enterprises simultaneously need to be mindful of increased data privacy and security risks. The risks can range from pandemic-related phishing emails to increased pressure on network architecture to well-intentioned employee shortcuts. Hackers will try to take advantage of … Continue Reading
As this recent article illustrates, many ransomware operators are now collecting information from victims before encrypting their data, and then threatening to release what they’ve collected – or actually releasing some of it – to increase the chance they’ll get paid. There have been many cases already where at least a portion of data has … Continue Reading
According to Crowdstrike’s most recent Global Threat Report, in 2019 they observed that malware-free attacks – attacks where malicious files are not written to disk – outpaced malware attacks by 51% to 49%. In Malware-free attacks, the attackers leverage Tactics, Techniques and Procedures (TTPs) that are less likely to be detected by traditional anti-malware solutions. … Continue Reading
In a recent Cybercrime Tactics and Techniques Report focusing on the health care industry, cybersecurity company Malwarebytes discovered a significant 82% spike in Trojan malware attacks on health care organizations in Q3 2019. Emotet and TrickBot, two especially sophisticated and dangerous forms of malware, were mostly responsible for this surge. Used primarily as ’banking Trojans” … Continue Reading
For Cybersecurity and Privacy, “What Are the Industry Standards? Are We Meeting Them?” These are questions the FTC Chairman, Joseph Simons, strongly suggested a CEO must ask before a data breach occurs to avoid the prospect of personal liability. These questions and statements by other commissioners emphasizing the FTC’s role – to bring about a … Continue Reading
Stoel Rives LLP is pleased to announce that information privacy & data security attorney Dustin Berger has been recognized as an (ISC)2 Certified Information Systems Security Professional (CISSP). This certification demonstrates an individual’s understanding of cybersecurity strategy and its hands-on implementation. It also confirms that the holder has the advanced knowledge and technical skills to … Continue Reading
Until recently, hackers have had limited success stealing Two-Factor Authentication (2FA) PIN and token information. Unfortunately, a tool has been released that will now make it much easier for practically any bad actor to bypass many implementations of 2FA: https://www.zdnet.com/article/new-tool-automates-phishing-attacks-that-bypass-2fa/ This does not mean we should stop using Two-Factor Authentication (2FA). We should still use … Continue Reading
The Office of Civil Rights (OCR) announced in a press release this week that Anthem, Inc. (Anthem), one of the nation’s largest health benefit companies, has agreed to pay $16 million and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. This settlement … Continue Reading
A presentation at Black Hat recently revealed that the creators of the “SamSam” ransomware have netted over $6M to date, attacking mostly medium-to-large public and private sector organizations. And they’re showing no signs of slowing down. In the most recent SamSam attacks, the attackers concentrated their efforts on brute-force hacking of weak passwords on devices accessible … Continue Reading
Health care providers and suppliers should be wary of the “Orangeworm” threat, an implementation of malware out in the wild that’s gathering information off of compromised medical equipment, especially old systems where file shares and Windows XP are still in use: https://www.zdnet.com/article/mysterious-cyber-worm-targets-medical-systems-found-on-x-ray-machines-and-mri-scanners/ While this group seems to be limiting their actions to reconnaissance and compromising … Continue Reading
While we have yet to see much in the way of major changes (or punishment) following the massive Equifax data breach last year, there are many changes being introduced at the state level with regard to breach notification, penalties, whether or not credit reporting agencies can charge you for freezing your credit, and consumer rights … Continue Reading
Some notable stats showed up in the recently-released 2017 Veracode State of Software Security report: while “nearly a third (29 percent) of survey respondents indicated that they are actively pursuing digital transformation projects [and] … a further 29 percent stated that they are either planning for or considering digital transformation projects for the future,” there … Continue Reading
As a firm with a large real estate practice, we are keenly aware of the risks of wire transfer fraud in real estate transactions – which has exploded from a reported $19 Million in 2016 to almost $1 Billion in 2017. Often this fraud is the result of the hacker compromising a legitimate email account … Continue Reading
Per the Freedom of Information Act, US citizens have the right to access information from the federal government. We can visit Data.gov to search the more than 197,000 current datasets currently indexed on the site. While the intent is to leverage that data for the public good, there’s also an enormous amount of information available … Continue Reading
The United States Computer Emergency Readiness team (US-CERT) operates within the U.S. Department of Homeland Security’s National Cybersecurity and Communications Integration Center (NCCIC), protecting America by responding to major incidents, analyzing threats, and exchanging critical cyber security information with trusted partners around the world. You may have already signed up for the popular email alert … Continue Reading
WPA2 is the “secure” implementation option used by the vast majority of enterprise WiFi systems – other protocols have their own security issues, which is why everyone moved to WPA2. Unfortunately, researches have found a way to break that security. The good news is, for most attacks the attacker has to be on the same access … Continue Reading
A good lesson for technology providers: if security researchers reach out to you, acknowledge them as quickly as possible, especially when they’ve discovered a critical vulnerability. If you work with them to remediate the issue, you may be able to get a patch out before they feel the need to publish the vulnerability for the … Continue Reading
