So far, 2021 has been fraught with cybersecurity challenges—some of which are the expected aftermath of the SolarWinds attack, but the reality is that crippling cyberattacks are becoming more commonplace. CISA and the FBI released a joint advisory warning that the exploitation of the recent vulnerabilities in Microsoft Exchange on-premise products present major risks to federal agencies and private companies alike.
While risks from the supply chain are certainly nothing new, organizations started waking up to the alarm bells with SolarWinds. Suddenly, everyone is realizing that very few cyberattacks target a single victim. As we’ve seen in the headlines these past several months, even those organizations that presumably build seemingly impenetrable fortresses of defense are vulnerable to attack because of their down-line partners.
In recognition of the many challenges businesses are facing in 2021, IDG Enterprise’s Editor in Chief, Eric Knorr, compiled a collection of articles from CSO, Computerworld, CIO, InfoWorld and Network World offering guidance of best security practices for enterprises. In his article, Knorr points out, “digital integration with partners promises all kinds of new efficiencies – and by definition heightens third-party risk.”
As a result, risk management and how organizations approach risk must be aligned with cybersecurity. A March 10 Tripwire blog post advised, “Risk management should drive all security initiatives within the organization.”
Let’s take a look at what else made industry headlines this week.
Mar. 12: New legislation aimed at enhancing the security of US critical infrastructure include significant funding for hospitals as well as the electrical grid.
Mar. 12: “Beverage giant Molson Coors has released details of what appears to be a ransomware incident,” Infosecurity Magazine reported.
Mar. 11: State-sponsored attackers in China are reported targeting Linux systems with a new malware.
Mar. 11: Security researchers at ESET found more than 10 advanced hacking groups actively exploiting vulnerabilities in Microsoft Exchange, with six of those groups exploiting the security flaws before they were publicly known, Ars Technica reported.
Mar. 11: According to news from Europol, the Spanish National Police successfully dismantled a criminal group that was using a mobile app to distribute illegal video streams.
Mar. 10: CNN reported, “Millions of dollars in funding from the Covid-19 relief bill passed Wednesday will be used to help the federal government improve its cybersecurity efforts in the wake of high-profile breaches that have caused alarm for officials and lawmakers.”
Mar. 10: The FBI issued an alert warning that malicious actors are using deepfakes to influence campaigns, and, “anticipates it will be increasingly used by foreign and criminal cyber actors for spearphishing and social engineering in an evolution of cyber operational tradecraft,” CyberScoop reported.
Mar. 10: In writing about the Defense Department’s growing concerns about interoperability, Washington Technology’s Stephanie Ackman said, “CMMC certification will not be required right away for all defense contractors, although it envisions eventually becoming mandatory for everyone doing business with DOD.”
Mar. 10: K-12 Cybersecurity Resource Center released its 2020 report, The State of K-12 Cybersecurity: 2020 Year in Review, which found, “While policymakers and school leaders have historically demonstrated a reasonable duty of care in protecting members of their school communities from physical security risks… such a commitment has heretofore largely been absent with respect to school-related cybersecurity risk.”
Mar. 9: After releasing seven out-of-band emergency patches for zero-day vulnerabilities, Microsoft released 82 patches as part of its Patch Tuesday program, bringing the total patches for the month to 89.Mar. 8: The Hill reported, “A group of bipartisan House lawmakers on Monday introduced legislation that would allow Americans to hold foreign governments and their employees accountable in court for malicious cyber activity.”