Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Free tools help in the fightback against ransomware
Ransomware has been everywhere this year, so organisations need to use any and all means to guard against it. Fresh help comes from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). Its Ransomware Readiness Assessment (RRA) is a desktop software tool that uses a step-by-step process to evaluate current security practices. It’s suitable for use on IT networks and industrial control system networks. It’s also available on GitHub.
In Europe, the NoMoreRansom initiative celebrated its fifth anniversary recently. The partnership between law enforcement and private industry has a portal with 121 tools to combat over 150 ransomware strains. Since 2016, Europol said it saved close to €1 billion in ransom payments, and helped millions of victims to recover their data. (BH Consulting has been a partner from year one.) Meanwhile, a Stanford University student has launched ‘Ransomwhere’, a crowdsourcing project to track Bitcoin payments associated with known ransomware gangs, in a bid to increase transparency around ransomware’s impact. Research from Coveware found that average ransomware payments fell by 38% in Q2 over Q1 this year. But what seems like good news might have a sting in the tail. The decrease may be due to increased activity by ‘ransomware-as-a-service’ affiliates, Coveware said.
Safer account access means sweet 2FA to most people
Discouraging news for anyone hoping that two-factor authentication (2FA) would help more people to stop relying on passwords. Figures from Twitter show that just 2.3 per cent of all its users had enabled 2FA on their accounts last year. For context, Twitter had 192 million active users in the fourth quarter of 2020, so that’s a large sample size. In its Transparency Report, Twitter said 2FA “is one of our strongest protections against account compromise”. That remains the case even where someone has reused their Twitter password on another service, it said.
Bleeping Computer’s writeup noted that the low rate of 2FA adoption “is an industry-wide issue, with users being discouraged by the overly complicated and non-intuitive procedure they need to go through to enable it”. In other login-related news, a survey of 1,000 workers found that one in four still have access to accounts from previous jobs.
DPC: report recommends regulatory reforms
A hard-hitting Government report has called for a wide-ranging review of the Data Protection Commission. In a 92-page document, the Joint Oireachtas Committee on Justice made 17 recommendations about how the regulator goes about its work. These include urgently adopting a culture of enforcement over “emphasising guidance”, and a tougher approach to cases. The DPC needs to use its sanctioning powers more, together with “dissuasive fines” to discourage “systematic infringers”. The Committee also recommended the appointment of two additional commissioners, along with a review of staffing levels and resource allocation.
Arguably the headline finding was the Committee’s statement that it “fears that citizens’ fundamental rights [to privacy] are in peril”. The recommendations followed hearings in April with the Commissioner and staff, along with prominent privacy campaigners.
Links we liked
UCD’s Jan Carroll lists affordable or free cybersecurity training courses in Ireland. MORE
The top 30 vulnerabilities routinely exploited by malicious actors in 2020. MORE
Why the Kaseya hack was one of the year’s most important security events. MORE
Here’s a good roundup covering the Pegasus spyware scandal. MORE
Behind the scenes on the hunt to discover the origin of the Kaseya ransomware. MORE
Is it possible to access a company network with a stolen laptop? (SPOILER: yes.) MORE
Red Hat’s State of Kubernetes Security Report 2021. MORE
The risk of remote management tools when they fall into the wrong hands. MORE
How the Covid-19 vaccine supply chain stayed secure from hackers. MORE
A controversial search engine lists vulnerabilities in thousands of public websites. MORE
Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe. Sign up here