Seyfarth Synopsis: In the past week, the cybersecurity community has seen a dramatic increase in the number of attacks being made on healthcare organizations around the globe. Despite the despicable nature of these attacks by malicious attackers trying to get rich off the suffering of others, there is a force of good that’s arisen from
Seyfarth Synopsis: As individuals and businesses continue to focus on the rising number of confirmed Coronavirus cases throughout the world and what steps they can take to guard against infection, malicious actors are exploiting those very same fears for their own profit. A dramatic increase in the number of employees working from home coupled with overworked business and commercial IT staff has resulted in a higher likelihood that security best practices may be forgotten or disregarded entirely.
A number of recent examples are discussed below:
While the U.S. Treasury has issued a relatively simplistic notice warning of an increase in phishing communications with instruction to simply disregard them, the FCC has provided a number of recordings of phishing attempts related to obtaining a complimentary COVID-19 testing kit and scheduling HVAC cleaning to protect against the spread of COVID-19.
Other phishing attempts seen in recent weeks involve the threat actor posing as members of the Center for Disease Control and Prevention or the World Health Organization in an attempt to legitimize their scams. A common tactic is for these scammers to register malicious domain names (cdc-gov.org and cdcgov.org) that are similar to valid domains (cdc.gov) in order to confuse already worried recipients.…
Continue Reading The Impact of COVID-19 on Cybersecurity
In this unprecedented time, businesses are, more than ever, implementing and rapidly rolling out programs for remote or at-home work by employees. The quick changes in local and state governmental “shelter in place” instructions and Public Heath directives have placed significant strains on remote networks and caused local shortages of laptop computers at office supply and electronic stores across the country.
With this unexpected increase in remote workers, many companies are pushing the limits of their existing remote access technology, or deploying ad hoc technology and access solutions as quickly as possible. Some of those companies are not taking the time to consider potential information security, privacy, and other compliance ramifications for those same remote workers.
It is entirely appropriate and necessary for companies to adapt their technology and work networks are utilized to the greatest degree possible to remain in operation and serve business and customer needs. But as always, data security and privacy should always be part of the equation.
Below are some essential things to know about the security risks posed by remote or at-home worker, and a Technical Checklist for Remote employees to make sure your corporate data is safe, and you do not risk compliance challenges with data privacy law and requirements.…
Continue Reading Cybersecurity, Data Privacy, and Compliance Issues Related to Remote Workers
For Marvel Entertainment fans, this one’s for you: Step aside Nick Fury, New York has a new SHIELD. New York state recently passed a new law extending protections against cyber-attacks for its residents with NY Senate Bill S5575B, also known as the “Stop Hacks and Improve Electronic Data Security Act” or SHIELD Act, for short. This Act expands New York’s data breach notification statute in definition, notice, scope, and compliance requirements of any individual or business handling New York residents’ computerized private information.
The SHIELD Act first redefines “private information” to include username or e-mail address in combination with a password or security question and answer for online accounts as well as biometric information. It also allows for reporting a breach if an account or credit card number alone (i.e. without an account access code or password) is compromised “if circumstances exist wherein such number could be used to access an individual’s financial account without additional identifying information, security code, access code, or password.” Slightly more nuanced, it expands the definition of “breach of security of the system” to include an unauthorized access of private information as well as an unauthorized acquisition. Addition of “access” means the statute will be triggered without an incident having to reach “acquisition,” a term more readily applicable in scenarios impacting control, possession and use of that private information.…
Continue Reading Look Out Marvel, There’s a NEW SHIELD in Town
This month, the Federal Bureau of Investigation published information and guidance for organizations about ransomware attacks, along with some suggested preventative measures. There is a section in the bulletin discussing whether victims should consider paying ransom to attackers. According to the statement, the FBI “does not advocate paying a ransom, in part because it does not guarantee and organization will regain access to its data,” and paying ransoms emboldens criminals to target others.
Several of the suggested “best practices” are somewhat generalized, such as increased employee awareness about how ransomware is delivered, and basic security techniques (we would recommend adding anti-phishing training and tests to the list). However, several others are more specific. All of the measures listed should be considered as parts of a comprehensive standard information security program.
Among the list of the FBI’s “Cyber Defense Best Practices” recommended are:…
Continue Reading FBI Public Service Announcement on Ransomware
The eDiscovery and Information Governance Group has been ranked in Tier Three in the latest Legal 500 ranking. Richard (Rick) Lutkus was also recognized as a Rising Star in Media, Technology & Telecoms – Cyber Law. Rick Lutkus and Kathleen McConnell were also recognized by the editorial as recommended lawyers. Led by Scott Carlson (also…
Every day all over the world, companies fall victim to cybersecurity attacks. It’s nearly a constant these days. Many of these attacks are preventable with the right amount of attention to detail in system setup and hardening. The three common themes in postmortem examination of all of these attacks boil down to 1) human error; 2) configuration error; 3) failing to proactively defend. In this series of six posts, we will dive into each attack’s anatomy, the attack vector, and the ways companies can attempt to avoid being victim to them. In the last post, guest bloggers from G2 Insurance will walk through how insurance companies react to claims, what to watch out for in your policies, and appropriate coverage levels for cyber insurance based on their experience handling claims.
#1 Email Spoofing and Wire Fraud
This attack is essentially a wire instruction interception/redirection or wholly fake request for a transfer. This is an event that comes up daily or at least weekly in any cybersecurity professional’s world. This attack typically plays out with a threat actor masquerading as a legitimate authority within a company, typically someone in the C-suite or Director level. To make it successful, the recipient of the wire transfer request has to believe it’s legitimately originating from one of those authoritative people.
One way attackers do this is using actual stolen credentials. Despite the flood of data security breaches and database hacks, people unfortunately still use weak passwords and also re-use passwords. We have seen dozens of instances of successful credential attacks where the attacker used publicly available database leak information to gain unauthorized access to corporate accounts. The approach goes like this: an attacker harvests information regarding corporate leadership from various data sources about companies (LinkedIn, Dunn & Bradstreet, Bloomberg, Google Finance) and chooses a few people to target. They then cross-reference those names to leaked credential databases, often times hosted on Darkweb sites, IRC chat rooms, or other forums dedicated to hacking. If the attacker is able to find other accounts belonging to their targets that have been compromised and have a password, they can try that password, and tens of thousands of variations of it, to attack the corporate account of their victim.
Prevention, Crisis Management, and Mitigating Personal Liability
Thursday, January 31, 2019
8:00 a.m. – 8:30 a.m. Breakfast & Registration
8:30 a.m. – 10:30 a.m. Program
Seyfarth Shaw LLP New York Office
The New York Times Building
620 Eighth Avenue
New York, NY 10018
November 16, 2018 – President Donald Trump signed the Cybersecurity and Infrastructure Security Agency Act of 2018, which establishes the Cybersecurity and Infrastructure Security Agency (“CISA”) at the Department of Homeland Security (DHS). The law reorganizes DHS’ National Protection and Programs Directorate (NPPD) into an agency that will focus on cybersecurity threats.
With its promotion…
Seyfarth Synopsis: Please join us at our Chicago Willis Tower office on Thursday, December 6th, for breakfast along with a Seyfarth Legal Forum and Continuing Legal Education (CLE): 2018 Highlights and a Look Ahead to 2019.
About the Program
Providing our clients with a multidisciplinary overview of Legal Hot Button issues and Best Practice. …