Welcome back to the TCE Strategy monthly technology and cybersecurity newsletter! The mission of this publication is to cut through the clutter of cybersecurity news stories and provide you with the most important, relevant and actionable cybersecurity information.
If this newsletter adds value, fantastic! That is the goal. Please forward it on to friends/colleagues. If not, no hard feelings. Please look to the bottom for an easy to click "unsubscribe" button.
In this issue:
This Month's News in Review
Upcoming Speaking Events
TCE Strategy in the News
Must Read Articles This Month
Cybersecurity Tip of the Month
This Month's News in Review
BWW vs 23andMe, an exercise in irony.
Welcome back to the latest TCE Strategy newsletter! Last month, we covered the 23andMe breach involving millions of user records. The cybercriminals do not seem to be financially motivated, but instead are claiming to use the data to target Ashkenazi Jews and other ethnic groups. The motivation for hate groups is hard to understand…
The 23andMe breach was a credential-stuffing attack. Multi-Factor Authentication (MFA) and NOT reusing the same password for all sites are very effective defenses against credential-stuffing attacks. If 23andMe had mandated that users set up MFA before this attack occurred, the damage done would have been a small fraction of what it was. As of November 6th, 23andMe has stated that they are going to make MFA mandatory. If they had done this a year ago, their credential-stuffing breach likely never would have made the news, as it would have affected only those who somehow gave up their MFA code.
In what may be the biggest case of cybersecurity irony since the CNA Financial ransomware attack*, I received an email from Buffalo Wild Wings (BWW) this month (the sports-bar restaurant known for their chicken wings) stating that they are going to start requiring MFA on their customers’ “Blazin’ Rewards” accounts. While I’m a fan of this idea and want all online accounts to be protected with MFA, I’m having a hard time with the fact that 23andMe waited until after a major incident to enforce MFA to protect their customers’ genetic data, yet Buffalo Wild Wings is doing it proactively to protect their customers’ “Blazin’ Rewards” accounts. Kudos to Buffalo Wild Wings. Maybe points toward free chicken wings are somehow more important to protect against cybercrime than genetic code?
My only advice about the incidents above is as follows: Enable MFA everywhere you can. Support companies that embrace MFA and think twice about employing the services of companies that seem to view cybersecurity best practices as an afterthought.
In other news of irony (or perhaps just a wild case of chutzpah), BlackCat (AKA Alphv), a ransomware gang that TCE Strategy has battled in the past, claims to have infiltrated a company called MeridianLink. When MeridianLink refused to make contact with the cybercriminals behind BlackCat, the criminals contacted the SEC to file a complaint that MeridianLink had not disclosed the breach in a timely fashion. I don’t know… Is this a case of adding insult to injury? Is it calling out the importance of timely disclosure of cybersecurity incidents? Whatever it is, BlackCat is a stunning example of how low the moral bar is among cybercriminals. These are the same people who disclosed breast cancer patients’ clinical photographs to try to coerce a company to pay a ransom.
Finally, TCE Strategy works with many companies on their software patching programs. Any software on your computer could have vulnerabilities, and a patching program is the means by which fixes to those vulnerabilities are applied. Often, the burden of patching all applications feels overwhelming. For individuals, I recommend that you set everything in your cyberworld to auto-patch itself, and that you reboot your computer, smartphone, tablet, etc. at least once a week to let those patches apply themselves. For companies, it is important to prioritize which vulnerabilities to address first. Here is a list of guidelines on which patches matter most to take care of in a timely manner:
If the vulnerability is in a very well-known and widely-distributed piece of software, and that software can be exploited with a malicious email. Common examples are Adobe Acrobat (Reader and Pro), the Microsoft Office suite, 7-Zip and WinRAR.
Everything not on the list above.
There is a lot of variability for this list, as some things that are critical for certain companies (such as a denial-of-service attack against a web-based e-commerce company) are not anywhere near as important for many other industries. It is important that your company have coaching to understand which cybersecurity issues matter most to you.
Until next month, stay safe!
* CNA Financial is a large insurance company that sells cybersecurity liability policies, and in 2021 they paid the largest ransom in history ($40 million) because they themselves were ransomwared.
Upcoming Speaking Events
Here is a list of the cities that I will be in over the next few months. Please reach out if you have an event in mind!
November 27-30, Key West, FL
December 4-6, Indianapolis, IN
December 28-30, Rockford, IL
February 27-29, 2024, Clearwater, FL
March 7-10, 2024, Albuquerque, AZ
April 8-9, 2024, Des Moines, IA
"In 2024, cybersecurity is a strategic priority that can no longer be siloed in the IT department. Gartner has predicted that by 2026, 70 percent of boards will include at least one member with expertise in the field. This enables organizations to move beyond reactive defense, meaning that they can act on new business opportunities that come with being prepared."
These are some of the most awesome videos I've seen in YEARS around banking best practices. Definitely worth watching. Banks Never Ask That!!!
Wow! "...the court ruled that it didn't matter if keyword warrants are determined to be illegal, Denver police qualified for a 'good-faith exception' for executing the warrant. Hood said that the cops seemingly had no reason to believe the warrant could trample constitutional rights because 'no court had established that individuals have a constitutionally protected privacy interest in their Google search history.'"
I have multiple clients being actively hit with QR code phishing emails. It is important to incorporate this into your cybersecurity awareness training program.
Cybersecurity Tip of the Month
The holiday season brings a million things that demand our attention—events, activities, shopping, and much more. It’s enough to make anyone’s head spin!
So for this month’s tip, make sure you have the cybersecurity basics in place: secure your passwords, use multi-factor authentication wherever possible, and set your devices to auto-patch.
And then, maybe for a time, give yourself permission to log off and be a little more present with the people and the world around you.