News & Noteworthy

We aren’t here to discuss politics; we’re here to look at how cybersecurity factors into this election process and how it affects all of us, regardless of which “side” you fall on.

When it comes to cybercrime, we should all be a united front.


10/19/2020

SAFE VOTING: Foreign hackers are already a cybercrime problem, and the voting process has only increased their interest and their role in the equation. This may show up as false and fraudulent online ads on social media or other websites. Their goal is to influence your decision; they aren't hoping to steal your identity, just to manipulate how you view certain situations.

The voting process itself, where and how you cast your ballot, has a very small likelihood of fraud. Officials from the FBI and the United States Cybersecurity and Infrastructure Security Agency are letting voters know that hackers may try to instill fear that they have affected or changed voting records, but in truth that is unlikely to happen. At the state level, measures are in place that monitor the networks for cyberattacks, with regular check-ins for potential threats and assessments of vulnerabilities.

What about mail-in ballots? In some if not all states your ballot can be tracked, which should put your mind at ease. Fraud is extremely unlikely, and mail-in ballots have been safely submitted for 150 years.

There will always be factors that we didn’t account for, or suspicions that arise without a full explanation, but the bottom line is that the odds are in your favor to vote safely in whichever way you choose. As with so many things in today’s world, the biggest threat to the process is misinformation, which means trusting that what you see or read online is legitimate, safe, and true. Just as you research your candidate or issue before voting, pause and take a moment to research the source of the information you are trusting.

For more information on voting safety and to report suspected election crimes, visit:  

https://www.fbi.gov/scams-and-safety/common-scams-and-crimes/election-crimes-and-security

Help defend the right to vote by reporting any suspected instances of voter suppression—especially those received through a private communication channel like texting—to your local FBI field office or at tips.fbi.gov.


10/3/2020

GDPR: The Second-Largest Fine Has Been Levied Under the European Union General Data Protection Regulation on Swedish Multi-National Fashion Giant H&M for Mishandling Employee Data

The Data Protection Authority of Hamburg (HmbBfDI) announced the fine on Thursday after the company was found to have excessively monitored and kept records on several hundred employees and their families at a service centre in Nuremberg. The watchdog said that since at least 2014, parts of the workforce had been subject to "extensive recording of details about their private lives". The year-long investigation found that the privacy violations at the German subsidiary of Hennes & Mauritz included extensive staff surveys, with details of holidays, medical symptoms and diagnoses for illnesses. "After absences such as vacations and sick leave the supervising team leaders conducted so-called Welcome Back Talks with their employees. After these talks, in many cases not only the employees' concrete vacation experiences were recorded, but also symptoms of illness and diagnoses,” HmbBfDI said. “In addition, some supervisors acquired a broad knowledge of their employees' private lives through personal and floor talks, ranging from rather harmless details to family issues and religious beliefs.”

The investigation was launched in October 2019 after a DATA BREACH caused by a configuration error revealed just how much data H&M was collecting and storing about the private lives of its employees.

After evaluating 60GB of H&M data and reviewing witness evidence and the company's internal procedures, HmbBfDI ruled that “the combination of collecting details about their private lives and the recording of their activities led to a particularly intensive encroachment on employees’ civil rights.”

The fine is the highest GDPR penalty levied in Germany since the legislation came into force in 2018, and the second highest of its kind throughout the continent. Last year, France’s data protection watchdog fined Google €50 million (U.S. $57 million).

The retail giant said it will now review the decision carefully. “The incident revealed practices for processing employees’ personal data that were not in line with H&M’s guidelines and instructions,” the company stated. H&M has apologized to its employees, taken full responsibility, and will compensate "all currently employed at the service centre, and all who have been employed for at least one month since May 2018, when GDPR came into force." H&M also revealed that it had taken "forceful measures" to correct any related shortcomings.

“A comprehensive action plan has been launched to improve the internal auditing practices to ensure data privacy compliance, strengthen leadership knowledge to assure a safe and compliant work environment, and continue to train and educate both staff and leaders in this area,” the company said.


9/26/2020

Is Your Personal Information For Sale on the Dark Web?  Simple Steps Can Help You Keep Your Personal Information, Personal.


It’s no secret that the dark web is full of stolen data that ranges from pilfered credit card information and hijacked payment services accounts to hacked social media accounts. But have you ever wondered how much your personal information goes for on the dark web? Researchers at Privacy Affairs have sifted through the listings in the internet’s seedy underbelly and created an overview of the average price tags attached to your stolen personal data.

Called the Dark Web Price Index 2020, the price breakdown of various kinds of pilfered personal information shows that a cloned American Express card with PIN tops the payment card menu at a mere $35 a pop (other cloned credit cards sell for as little as $10), whereas stolen credentials to your online banking account can be purchased for just $65 on average. As for payment processing services, PayPal accounts are by far the most commonly listed items, with an average price of $320 for stolen account credentials that could net the cyber-criminal a transfer of up to $3,000. Gmail accounts command a relatively high price at an average of $156, which may be because so many people use single sign-on options, making a compromised email account a treasure trove of data and a key to various other services and information.

There's a good chance that the security of your personal information, bank and credit card accounts is worth much more to you than the low-low price it fetches on the black market, and you can help protect it by following a few simple rules to protect your identity and accounts:

For more information on what to do should you find that your personal information has been exposed or compromised in a data breach, visit 

https://www.identitytheft.gov/info-lost-or-stolen


9/17/2020

RedPenSec Announces Commitment to Global Efforts Supporting and Promoting Online Safety and Privacy for Cybersecurity Awareness Month


October is Cybersecurity Awareness Month, a global effort to help everyone stay protected whenever and however you connect. The overarching theme for the month is ‘Do Your Part. #BeCyberSmart.’, and RedPenSec, Powered by Crafted Compliance, Inc., is proud to be a champion and support this online safety and education initiative this October. This year’s initiative highlights the importance of empowering individuals and organizations to better protect their part of cyberspace in an increasingly connected world. The overarching message of this year’s theme, ‘If You Connect It, Protect It,’ dives into the importance of keeping connected devices safe and secure from outside influence. More than ever before, connected devices have been woven into society as an integral part of how people communicate and access services essential to their well-being. Data collected from these devices can detail highly specific information about a person or business, which bad actors can exploit for their personal gain. Cybersecurity Awareness Month aims to shed light on these security vulnerabilities while offering guidance on simple security measures that limit the susceptibility of commonly used devices to threats.


This year, the Cybersecurity Awareness Month’s main weekly focus areas will revolve around:

  • Understanding and following general security hygiene for connected devices and home networks

  • The importance of connected devices security for remote workers

  • How connected devices play a pivotal role in the future of healthcare; and

  • The overall future of connected devices for consumers, professionals, and the public domain


If everyone does their part – implementing stronger security practices, raising community awareness, educating vulnerable audiences or training employees – our interconnected world will be safer and more resilient for everyone.


Now in its 17th year, Cybersecurity Awareness Month continues to build momentum and impact with the ultimate goal of providing everyone with the information they need to stay safer and more secure online. RedPenSec is proud to support this far-reaching online safety awareness and education initiative, which is co-led by the National Cyber Security Alliance (NCSA) and the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security.


“Cybersecurity is important to the success of all businesses and organizations. NCSA is proud to have such a strong and active community helping to encourage proactive behavior and prioritize cybersecurity in their organizations,” said Kelvin Coleman, Executive Director, NCSA.


For more information about Cybersecurity Awareness Month 2020 and how to participate in a wide variety of activities, visit staysafeonline.org/cybersecurity-awareness-month/. You can also follow and use the official hashtag #BeCyberSmart on social media throughout the month.


About Cybersecurity Awareness Month
Cybersecurity Awareness Month is designed to engage and educate public- and private-sector partners through events and initiatives with the goal of raising awareness about cybersecurity to increase the resiliency of the nation in the event of a cyber incident. Since the Presidential proclamation establishing Cybersecurity Awareness Month in 2004, the initiative has been formally recognized by Congress, federal, state and local governments, and leaders from industry and academia. This united effort is necessary to maintain a cyberspace that is safer and more resilient and remains a source of tremendous opportunity and growth for years to come. For more information, visit staysafeonline.org/cybersecurity-awareness-month/ 


About NCSA

NCSA is the Nation’s leading nonprofit, public-private partnership promoting cybersecurity and privacy education and awareness. NCSA works with a broad array of stakeholders in government, industry, and civil society. NCSA’s primary partners are the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and NCSA’s Board of Directors, which includes representatives from ADP; AIG; American Express; Bank of America; Cofense; Comcast Corporation; Eli Lilly and Company; ESET North America; Facebook; Intel Corporation; Lenovo; LogMeIn; Marriott International; Mastercard; MediaPro; Microsoft Corporation; Mimecast; KnowBe4; NortonLifeLock; Proofpoint; Raytheon; Trend Micro, Inc.; Uber; U.S. Bank; Visa and Wells Fargo. NCSA’s core efforts include Cybersecurity Awareness Month (October); Data Privacy Day (Jan. 28); STOP. THINK. CONNECT.™, the global online safety awareness and education campaign co-founded by NCSA and the Anti-Phishing Working Group with federal government leadership from the Department of Homeland Security; and CyberSecure My Business™, which offers webinars, web resources and workshops to help businesses be resistant to and resilient from cyberattacks.


For more information on NCSA, please visit https://staysafeonline.org.


9/2/2020

The Cybersecurity and Infrastructure Security Agency (CISA) Issues Final Vulnerability Disclosure Policy Directive for Federal Agencies


The Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA) division announced a final directive this week that requires all individual federal civilian executive branch (FCEB) agencies to “develop and publish a vulnerability disclosure policy (VDP) for their internet-accessible systems and services and maintain processes to support their VDP.”

Identified as Binding Operational Directive 20-01 (BOD 20-01), this agency-wide initiative is in line with the goal of making 2020 the “year of vulnerability management”, including a focus on making it easier for the public to disclose vulnerabilities.

Now, aside from a whole lot of acronyms, what exactly does this mean?

With this directive the government is not only underlining the importance of cybersecurity, it is saying that the public needs an easy way to contribute to it. Agencies must make it easy for citizens to find and report vulnerabilities, and to do so in a legal manner. The collaboration component is important because it not only opens up the conversation, it removes the fear of being penalized for reporting and provides consistency in how findings are reported.

Yes, It Is THAT Important

The federal government’s decision to not only make this mandatory for its agencies but also to seek public input shows us just how important strong cybersecurity is. This is not a political, religious, or otherwise divisive topic. We must be unified in our efforts to fend off cyber criminals as a nation. That should emphasize to you as MSPs, and to your clients, how important it is to create a strong cybersecurity plan: one that is proactive as well as reactive in the case of a breach. This isn’t a one-and-done scenario. The ways businesses are attacked are ever-changing, and training and learning must be ongoing to keep information current.

As a community, we must work together to fight cybercrime. Otherwise, we could collectively fall to a breach of our information. This will not just affect one person with a stolen identity, but entire businesses may not recover, leading to job loss and a much larger impact. Together we are stronger!

Read the Directive here: https://www.cisa.gov/news/2020/09/02/cisa-issues-final-vulnerability-disclosure-policy-directive-federal-agencies


8/24/2020

Impersonation Nation: Don't be a Victim - Catch the Phish! 

Business Email Compromise (BEC) is not a new term. BEC scams have been growing in popularity for some time now. If you’re not familiar with BEC, it’s when a fraudulent email is sent to a company or individual, and the email appears to be from a legitimate business resource or person, often varying from the legitimate email address by just a letter or two. There may be instructions within the scam email for the recipient to transfer money, purchase gift cards, click on a malicious link, or perform some other activity at the behest of the sender. Unfortunately, BEC scams often put the recipient at a disadvantage because they see the name or title of the sender and react quickly, or are hesitant to question authority.

So, what’s the secret sauce that cybercriminals use across the board when launching their attacks on unsuspecting victims? According to a recent report from Barracuda, it’s surprisingly simple and straightforward: legitimate email accounts.

Let’s elaborate on that. Barracuda found that hackers launched 100,000 BEC attacks on over 6,000 organizations by using 6,170 legitimate email accounts (which of course, were created with malicious intent). We’re talking Gmail, AOL, and other verified email services.

The report further outlines the details of the attacks, identifying that 45% of the BEC attacks since April of 2020 were carried out with these email accounts. It appears that Gmail is the platform of choice with 59% of the accounts originating there. This may be a result of the cost to create an account (it is free), the ease of registration of a new account, and the solid reputation that a company like Google carries – meaning it is much more likely to pass through security filters.

Change in Identity

While the email account remains the same, the cybercriminal updates the sender name from time to time in order to go unnoticed by the recipient. These accounts are not often used for more than a 24-hour period; they then go dormant for a while to lessen suspicion or, if the account has already been flagged, to reduce the likelihood of being detected by another server. That doesn’t mean the account goes away forever. Like your MySpace account, it stays out there in cyberspace waiting to be revisited.

Phishing for…Anything

Again, BEC scams are not new, and they are just a small ‘subdivision’ of the much bigger issue of phishing, the single most used point of entry into a company for breaching the data held within the business infrastructure. With the cost minimal (it is basically free to do) and the return on investment potentially huge, the potential payoff for the attacker far outweighs the risk.
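The two sender-side tells this piece describes, an address that differs from the legitimate one by a letter or two and a familiar display name sitting on a free webmail account whose sender name is changed from time to time, can be turned into a simple inbound mail check. The script below is an added illustration for this page, not code from RedPenSec or from the Barracuda report; the organisation domain, the staff directory and the sample From: headers are all constructed for the example.

```python
import re
from email.utils import parseaddr

# Constructed sample data for this example (not from the article): the organisation's
# own domain and a directory of staff whose names a BEC message is likely to borrow.
ORG_DOMAIN = "example-corp.com"
KNOWN_SENDERS = {
    "jane doe": "jane.doe@example-corp.com",
    "sam patel": "sam.patel@example-corp.com",
}
# Free, reputable webmail providers of the kind the report says the attacks were staged from.
FREE_WEBMAIL = {"gmail.com", "aol.com", "yahoo.com", "outlook.com", "hotmail.com"}
LOOKALIKE_MAX_EDITS = 2  # "just a letter or two" away from the real address


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete or substitute, cost 1 each)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_name(display_name):
    """Lower-case a display name, drop punctuation and collapse spaces before comparing."""
    return " ".join(re.sub(r"[^a-z ]", "", display_name.lower()).split())


def assess_sender(from_header):
    """Return the BEC indicators found in one From: header; an empty list means none."""
    display, address = parseaddr(from_header)
    address = address.lower()
    domain = address.rpartition("@")[2]
    name = normalise_name(display)
    reasons = []

    # 1. Display-name spoofing: a name we know, attached to an address we do not.
    if name in KNOWN_SENDERS and address != KNOWN_SENDERS[name]:
        reasons.append("display name matches %s but address is %s" % (KNOWN_SENDERS[name], address))

    # 2. Lookalike address: within a couple of edits of a real address (local part or
    #    domain), or an unknown mailbox on a domain that is itself a lookalike of ours.
    lookalike = next((real for real in KNOWN_SENDERS.values()
                      if 0 < levenshtein(address, real) <= LOOKALIKE_MAX_EDITS), None)
    if lookalike:
        reasons.append("address is a lookalike of %s" % lookalike)
    elif domain != ORG_DOMAIN and levenshtein(domain, ORG_DOMAIN) <= LOOKALIKE_MAX_EDITS:
        reasons.append("domain %s is a lookalike of %s" % (domain, ORG_DOMAIN))

    # 3. A colleague's name on a free webmail account: the pattern the report found
    #    behind most of the attacks it studied.
    if domain in FREE_WEBMAIL and name in KNOWN_SENDERS:
        reasons.append("known sender name on free webmail domain %s" % domain)

    return reasons


def triage(from_headers):
    """Map each flagged From: header to its indicators; clean headers are omitted."""
    results = {}
    for header in from_headers:
        reasons = assess_sender(header)
        if reasons:
            results[header] = reasons
    return results


# Constructed From: headers exercising each indicator plus two clean messages.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",    # legitimate
    "Jane Doe <jane.doe@examp1e-corp.com>",    # domain one character off
    "Sam Patel <sam.pate1@example-corp.com>",  # local part one character off
    "Jane Doe <jane.doe.ceo@gmail.com>",       # familiar name, free webmail account
    "Accounts <accounts@exarnple-corp.com>",   # lookalike domain, unfamiliar name
    "Vendor News <news@vendor-example.net>",   # no indicator
]

if __name__ == "__main__":
    for header, reasons in triage(SAMPLE_FROM_HEADERS).items():
        print(header)
        for reason in reasons:
            print("  -", reason)
```

The check is deliberately conservative: it only compares against a short list of people whose names are worth impersonating, so a legitimate newsletter from an unrelated domain produces no noise, while a display name that matches the directory but arrives from any other address is always surfaced for a human to look at.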


Ongoing training is one of the best ways to arm employees and clients (as well as your family and friends) with the right tools to catch the phish.

REDPENSEC Powered by Crafted Compliance, Inc.

Copyright © 2021 REDPENSEC, A Crafted Compliance, Inc. Company. All Rights Reserved.