Cybersecurity News: Ransomware Summit, SEC Regulations for Public Companies, Apple Zero-Day, Google Ad Phishing Warning
Trending headlines in cybersecurity from the week:
The second annual global Ransomware Summit
Changes to SEC disclosures for publicly-held companies
The latest Apple zero-day threat
Cautions on Google ads
Workplace security and employee training
Watch this episode of GRXcerpts:
Government and Regulatory Updates
The second annual Ransomware Summit was held last week, hosted by the US with leaders from 36 countries and the European Union participating. The two-day event opened with a threat briefing, which outlined the current state of the problem and detailed 4,000 ransomware attacks, broken down by sector. Globally, the ransomware challenge continues to grow, with attacks commonly targeting school districts, hospitals, and critical services around the world. Summit discussions focused on how to strengthen resilience against ransomware attacks and stop the cybercriminals behind them. Additionally, the participants worked together to develop a shared statement to put pressure on countries harboring cybercriminals. Russia, of course, is one of the harboring countries, and was not invited to the Summit.
And in regulatory news, the Securities and Exchange Commission (SEC) is pushing for tighter rules to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and cybersecurity incident reporting by public companies. Specifically, the SEC is proposing amendments to require reporting about material cybersecurity incidents, disclosures about procedures to identify and manage cybersecurity risks, and management's role in implementing cybersecurity policies. The tighter requirements are designed to ensure that resources and investments are applied to the cyber risks with the greatest material, financial, business, and operational impact, and they send a message that enterprise risk management isn't just for the CIO or CISO, but should be a senior management and board discussion, too.
Zero-Day and Phishing Warnings
Apple recently released a new update to fix its ninth zero-day vulnerability since the beginning of this year. The bug is an out-of-bounds write: data written past the end of a buffer corrupts adjacent memory, which can produce undefined or unexpected results (memory corruption) such as data corruption, application crashes, or code execution. If successfully exploited, the vulnerability could allow an attacker to execute arbitrary code with kernel privileges.
The list of impacted devices includes iPhone 8 and later, all models of iPad Pro, iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later.
And a warning for employees searching and clicking on Google ads. A new Google ad for GIMP.org led clickers to a cleverly disguised malware site. The advertisement appeared legitimate for GIMP, short for the GNU Image Manipulation Program, as it stated GIMP.org as the destination domain. However, visitors were taken to a lookalike phishing website that served them a 700 megabyte executable, which was malware. Google allows publishers to create ads with two different URLs: a display URL shown in the ad, and a landing URL where the user is actually taken. The two need not be identical, but there are strict policies around what is permitted for display URLs, including that they must use the same domain as the landing URL. Users are puzzled as to why Google would show GIMP.org as the destination domain; Google has not commented on the topic, although there is speculation that this could be related to a bug in Google Ad Manager that allowed malvertising. The bottom line: be extra careful about what you click on, as it may not be what it appears.
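As an added example (not from the article, and not Google's own code), here is a small Python check of the policy just described: an ad's display URL must share its registrable domain with the landing URL the user is actually taken to. The sample ads and the short suffix list are constructed for illustration; a real ad platform would use the full public suffix list.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list: two-label suffixes
# under which the registrable domain is the third label from the right.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}


def registrable_domain(url: str) -> str:
    """Return the registrable domain (eTLD+1) of a URL or bare host.

    Display URLs are often shown without a scheme (e.g. "GIMP.org"), so a
    missing scheme is tolerated. The host is lowercased and IDNA-encoded so
    that a Unicode lookalike label compares by its punycode form rather than
    by how it looks on screen.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname  # lowercased, port stripped
    if not host:
        raise ValueError(f"no host in URL: {url!r}")
    host = host.encode("idna").decode("ascii").rstrip(".")
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def display_matches_landing(display_url: str, landing_url: str) -> bool:
    """True when the display and landing URLs share a registrable domain."""
    return registrable_domain(display_url) == registrable_domain(landing_url)


def audit_ads(ads):
    """Return the (display, landing) pairs that violate the same-domain rule."""
    return [(d, l) for d, l in ads if not display_matches_landing(d, l)]


# Constructed sample ads: one compliant, one pointing at an unrelated host,
# one using a Cyrillic lookalike of the display domain.
SAMPLE_ADS = [
    ("GIMP.org", "https://www.gimp.org/downloads/"),
    ("GIMP.org", "https://gimp-download.example/get.exe"),
    ("gimp.org", "https://g\u0456mp.org/"),
]

if __name__ == "__main__":
    for display, landing in audit_ads(SAMPLE_ADS):
        print(f"MISMATCH: shows {display!r} but lands on {landing!r}")
```

Running the block reports the second and third sample ads as mismatches; the lookalike case is caught only because the host is compared in its IDNA form.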
The new EY CEO Outlook Pulse Survey conducted in October finds that 1 out of 3 CEOs believe that cyber risk is the greatest threat to their businesses. And while technology is an important component of a cybersecurity plan, CEOs also recognize that employees are important to their line of defense, and proper employee training can reduce exposure to cyber losses.
As a result of the pandemic, 64% of employees work from home. To ensure security in the new hybrid workplace culture, businesses are expected to invest in training their staff about cybersecurity, enhance their awareness, and help them understand their roles and responsibilities in protecting the organization. Effective workplace security goes beyond routine phishing simulations and annual training sessions. Rather, executives need to bake good cybersecurity habits into the culture of the organization.
All information is current as of November 1, 2022. Subscribe to receive future episodes as they are released.