Welcome to Cyber Security Today. This is the Week in Review for the week ending Friday, August 11th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes Terry Cutler, head of Montreal’s Cyology Labs will be here to discuss a few of the week’s headlines. But first a look back at some of what happened in the past seven days:
The White House held a summit on how to fight the wave of ransomware attacks hitting American schools. Terry and I will discuss what governments around the world should be doing to help protect the education sector.
More ransomware news we’ll look at: A think tank in the United Kingdom says the government should play a bigger role in encouraging companies to beef up their cybersecurity protection. It also recommends insurance companies require firms to report any data ransom payments to the government.
More organizations are admitting they’ve been victimized directly or through their IT suppliers by hacks of MOVEit file transfer servers.
And Terry will also have thoughts about a report reminding owners of big sports teams that they have a lot of data crooks want to steal.
In other news, the phishing-as-a-service site called 16shop has been shut by a combined group of law enforcement agencies. The alleged operator and a colleague were arrested in Indonesia, and another alleged member was caught in Japan. The platform’s servers were hosted by a company based in the U.S.
Google Messages users are now protected with end-to-end encryption. You know it’s on because there will be a lock symbol throughout a conversation.
The LockBit ransomware gang has listed the California city of El Cerrito as one of its latest victims. The city says its systems are fully operational and isn’t locked out of any devices or data.
New York State now has a cybersecurity strategy. It’s a blueprint for how public and private stakeholders will work together to protect critical infrastructure and the personal data of statewide residents.
And the U.S. National Institute of Standards and Technology has released proposals to improve the NIST Cybersecurity Framework. IT pros use the framework for their cybersecurity strategies. You have until November 4th to file comments. The final version could be published early next year.
(The following is an edited transcript of part of the discussion. To hear the full conversation play the podcast)
Howard: As part of the White House summit it was announced that the Cyber Security and Infrastructure Security Agency is going to step up tailored security assessments for the kindergarten to Grade 12 sector. In addition, technology providers like Amazon Web Services Google and Cloudflare will offer grants and other support for schools. Is that enough?
Terry: I think it’s a very good step in the right direction. Let the vendors handle the cybersecurity so that you don’t have to. You know, vulnerability management services are very important. That’s gonna help you stay up-to-date and current with the latest threats. So as long as they get patched on time. They should be fine.
Howard: In Canada, cyber security for school boards largely falls on the shoulders of the provinces and the territories do you see them being leaders?
Terry: They’re not cyber security experts. However, there are some things the provinces and territories could do as proactive measures in their cybersecurity initiatives. They can do policy development. Certain provinces are currently taking the lead by developing comprehensive cybersecurity policies and guidelines. They also need to make sure they have proper funding. So if they allocate enough funding for resources in cyber security and especially [student] education it’ll help demonstrate their commitment to protecting institutions. Also [they should] work closely with partnerships. There are a lot of experts out there and companies that that the government can team up with to help speed up the adoption of cybersecurity. The government can also provide regulatory frameworks. We’re starting to see more of like Bill 25 here in Quebec. But they also need to team up with research and development groups that are on the cutting edge of technology. And, of course, make sure there’s enough public awareness [about cybersecurity].
Howard: If you’re a budget-constrained IT or security leader at a school board what do you do about fighting ransomware? What do you prioritize?
Terry: If it’s my first day on the job here’s what I would do: First make sure I have my risk assessments all set up. I want to see what systems are most critical and which potentially are most vulnerable. I can use tools like Nmap and OpenVAS and other free tools that will help me get started. I want to make sure to implement a user education program. Start training the staff and the students on the latest cyber threats and what they can do to avoid getting hacked and scammed, which can put the school at risk as well. I would probably get my hands on some open-source patch management solutions which will help me speed up the patching process. I want to make sure to prioritize my backup recovery and have a proper disaster recovery plan. I’m also going to implement network segmentation … so if something does happen a hacker won’t be able to access the entire network from 1 place. And I want to implement multifactor authentication. All that’s going to help thwart some cyberattacks.
I’m also going to make sure I work properly with certain vendors because we’ve seen a lot of third-party suppliers get hacked who have access to my corporate network. I’m also going to be collaborating with other cybersecurity experts either in private forums or public forum meetups. I’m also going to implement [IT network] alerting and monitoring. So at least I can get some basic detection. Lastly, I would definitely put a good CYB document in place a ‘cover your butt’ document that protects me in case of a data breach. That way I can’t be held responsible because I didn’t have the proper budget to lock down the school.