Threat Summary - Week 48, 2019
Reports / Surveys
52% of US companies will miss CCPA compliance deadline
Three months before the California Consumer Privacy Act (CCPA) goes into effect, only 30% of US organizations are compliant with this sweeping privacy law, while another 18% plan to be compliant before the January 1, 2020 deadline, a recent survey by Egress and Osterman Research found. The 52% that will miss the deadline, and could receive major fines as a result, consists of companies that expect to become compliant sometime next year (27%) or from 2021 onward (13%), or that do not intend to pursue compliance at all (12%). Moreover, just 55% of firms have a dedicated CCPA compliance budget, only 15% have a “very mature” data protection program, and senior management in a mere 37% of organizations recognizes the importance of CCPA compliance.
49% of Americans have been targeted by cybercriminals
A recent PCI Pal survey indicates that nearly half (49%) of US adults have been victims of cybercrime, yet many continue to engage in risky behavior online. For example, 47% of respondents reuse passwords across multiple accounts, exposing them to credential stuffing attacks, in which credentials stolen from one site are tried against others. Although public WiFi is a major security risk, 45% of Americans use it to access sensitive data, including bank account information. The continued success of phishing can be explained by the fact that 30% of consumers still click links and download attachments in messages from unknown senders. Furthermore, only 24% of respondents protect all their accounts with two-factor authentication, while 23% have never used it.
Most organizations do not sufficiently monitor third-party user activity
A new One Identity report shows that 94% of organizations grant some form of network access to third-party users, and of those, only 22% know for certain that none of those users tried or succeeded in gaining unauthorized access to data in the past year. Similarly, just 15% of companies feel very confident that third-party users follow their access management policy. 17% of firms have detected unauthorized activity by third-party users, with higher rates in the retail (28%), services (20%) and financial services (20%) sectors. A majority (55%) doubt that unauthorized activity by third-party users occurred, but cannot say so for sure. This lack of visibility into third-party user activity remains a serious security risk.
Companies relying exclusively on CVE/NVD miss 1 in 3 vulnerabilities
Organizations that get their vulnerability information solely from the Common Vulnerabilities and Exposures (CVE) / National Vulnerability Database (NVD) system miss one-third of the vulnerabilities in their environment, according to research by Risk Based Security. The number of known vulnerabilities missing from CVE/NVD exceeds 71,000 and continues to grow. Moreover, every year between 1,500 and 2,000 flaws that do get added remain in “reserved” status for an extended period, meaning CVE/NVD lists the CVE identifier but provides no details about the flaw. Risk Based Security warns that this is a serious problem, especially since just under half (45.5%) of the flaws not entered into CVE/NVD last year were high or critical severity issues, some of them affecting products from tech giants like Microsoft and Google. A scanner or patch process keyed only on CVE identifiers therefore cannot see those flaws, so vulnerability management should also be fed from vendor advisories and other sources.
Data leaks / breaches
1.2B people impacted by monster data leak
In what constitutes one of the biggest data leaks from a single source ever, two security researchers recently found an unsecured database exposing the personal data of 1.2 billion unique individuals. The exposed Elasticsearch server held 4 terabytes of data, including names, email addresses, phone numbers and social media profile information. The researchers believe the data was aggregated from two data enrichment companies by an unknown actor.
Freaky Infosec Fact of the Week
Researchers have found ways to hack the onboard systems of hundreds of airplanes mid-flight, from the ground.
In late 2017, a security researcher exploited vulnerabilities in satellite communications equipment to connect, from the ground, to the onboard systems of hundreds of airplanes while they were in flight. The technique could have allowed threat actors to compromise onboard Wi-Fi networks and spy on passenger devices.
What You Can Do
Since many organizations lack the visibility needed to monitor for unauthorized data access by third-party vendors, they should prioritize closing that gap. Attackers have long targeted Managed Service Providers (MSPs) because they hold the keys to the kingdom: an MSP has extensive access into many client networks, since it manages those environments, so compromising one MSP can open the door to every customer behind it.
Because many organizations do not adequately monitor third-party vendor activity, this leaves a significant gap in security that an attacker can exploit. Although organizations trust third-party vendors and rely on them to enable day-to-day operations, vendor accounts should also be treated as a potential threat and monitored for malicious activity: log their logons, restrict them to the systems and time windows their contract requires, and alert on anything outside that baseline.
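As an added example (not Vonahi code), the following Python script shows one way to turn that advice into a detection: it parses constructed OpenSSH "Accepted" log lines, identifies third-party accounts by a hypothetical svc_ naming convention, and flags logons that fall outside each vendor's agreed source networks, in-scope hosts or UTC maintenance window, as well as vendor-style accounts with no documented policy at all. The policies, account names, hostnames and log lines are all assumptions constructed for the example.

```python
# Flag third-party (vendor/MSP) logons that fall outside an agreed access policy.
# Added example, not Vonahi code. Assumptions (hypothetical): vendor accounts use an
# "svc_" prefix, and each has a policy naming its source networks, in-scope hosts and a
# UTC maintenance window. Log lines are constructed OpenSSH "Accepted" records.
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

VENDOR_PREFIX = "svc_"  # hypothetical naming convention for third-party accounts


@dataclass
class VendorPolicy:
    networks: List[ipaddress.IPv4Network]  # where the vendor may connect from
    hosts: frozenset                        # systems the vendor is contracted to touch
    window_utc: tuple                       # (start_hour, end_hour), end exclusive


# Hypothetical policies agreed with two vendors (example data, not real).
POLICIES: Dict[str, VendorPolicy] = {
    "svc_msp_acme": VendorPolicy(
        [ipaddress.ip_network("203.0.113.0/24")], frozenset({"fw01", "vpn01"}), (8, 18)),
    "svc_hvac_vendor": VendorPolicy(
        [ipaddress.ip_network("198.51.100.0/24")], frozenset({"bms01"}), (9, 17)),
}

# Matches only successful logons; failed attempts belong to a separate detection.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log lines (not real data).
SAMPLE_LOGS = [
    "2019-11-25T10:14:07Z fw01 sshd[1881]: Accepted publickey for svc_msp_acme from 203.0.113.40 port 51122 ssh2",
    "2019-11-25T02:41:52Z fw01 sshd[2042]: Accepted publickey for svc_msp_acme from 203.0.113.40 port 51140 ssh2",
    "2019-11-26T11:03:19Z dc01 sshd[311]: Accepted password for svc_msp_acme from 198.51.100.7 port 40022 ssh2",
    "2019-11-26T13:22:05Z bms01 sshd[77]: Accepted publickey for svc_hvac_vendor from 198.51.100.7 port 43011 ssh2",
    "2019-11-26T13:25:44Z bms01 sshd[78]: Accepted publickey for svc_contoso_backup from 192.0.2.9 port 43020 ssh2",
    "2019-11-26T13:26:00Z bms01 sshd[79]: Failed password for invalid user admin from 192.0.2.9 port 43030 ssh2",
    "2019-11-26T14:00:01Z fw01 sshd[1901]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2",
]


@dataclass
class Logon:
    ts: datetime
    host: str
    user: str
    ip: ipaddress.IPv4Address


@dataclass
class Finding:
    logon: Logon
    reasons: List[str]


def parse_line(line: str) -> Optional[Logon]:
    """Return a Logon for an OpenSSH 'Accepted' line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Logon(ts, m["host"], m["user"], ipaddress.ip_address(m["ip"]))


def is_vendor_account(user: str) -> bool:
    return user in POLICIES or user.startswith(VENDOR_PREFIX)


def check_policy(logon: Logon) -> List[str]:
    """List every policy violation for one vendor logon (empty list means compliant)."""
    policy = POLICIES.get(logon.user)
    if policy is None:
        return ["no_policy"]  # a vendor-style account nobody has documented
    reasons = []
    start, end = policy.window_utc
    if not (start <= logon.ts.hour < end):
        reasons.append("outside_window")
    if not any(logon.ip in net for net in policy.networks):
        reasons.append("source_not_allowed")
    if logon.host not in policy.hosts:
        reasons.append("host_out_of_scope")
    return reasons


def audit(lines: List[str]) -> List[Finding]:
    """Run every successful vendor logon through the policy and keep the violations."""
    findings = []
    for line in lines:
        logon = parse_line(line)
        if logon is None or not is_vendor_account(logon.user):
            continue  # employees and failed attempts are out of scope here
        reasons = check_policy(logon)
        if reasons:
            findings.append(Finding(logon, reasons))
    return findings


def violations_per_account(findings: List[Finding]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.logon.user] = counts.get(f.logon.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in audit(SAMPLE_LOGS):
        print(f"{f.logon.ts:%Y-%m-%d %H:%M}Z {f.logon.user}@{f.logon.host} "
              f"from {f.logon.ip}: {', '.join(f.reasons)}")
```

On the sample data the script reports the 02:41 UTC logon as outside the maintenance window, the logon to dc01 from 198.51.100.7 as both an unapproved source and an out-of-scope host, and svc_contoso_backup as a vendor-style account with no policy; the compliant logons and the employee logon produce nothing. In production the same checks would run against a SIEM feed rather than a list, and the "no_policy" case is often the most valuable finding, because it surfaces third-party access that nobody wrote down.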
About Vonahi Security
Vonahi Security is building the future of offensive cybersecurity consulting services through automation. We provide the world's first and only automated penetration test that replicates full attack simulations with zero configuration. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants has experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit www.vonahi.io