I haven’t updated this as frequently as I had hoped, but I’m going to attempt to get back to it. Here is some of what happened this week.
The big news this week is obviously the Equifax breach. Potentially 143 million people (including some from Canada and the U.K.) have had their personal information stolen, including Social Security numbers, driver’s licenses, and credit card numbers. The hack was allegedly done via a vulnerability in their website, though no details have come out yet as to what that vulnerability was. There is still lots of speculation, but if you run web applications you need to make sure that continuous vulnerability scanning and thorough testing are part of your SDLC.
“What you need to know” – https://nakedsecurity.sophos.com/2017/09/08/equifax-data-breach-what-you-need-to-know/
Significant Critical Infrastructure Breach
An item that has received less press this week, but is probably more significant from a safety perspective, is the release of information about the “DragonFly” attacks on U.S. electrical infrastructure. A Symantec report released this week outlines how attackers have managed to gain access, at the operational level, to some power generation facilities. While no damage has been done, it is known that the attackers were able to gather reconnaissance information, including screenshots of HMIs. This has led to speculation that the attackers chose not to do damage rather than being unable to.
Wired magazine story – https://www.wired.com/story/hackers-gain-switch-flipping-access-to-us-power-systems/
Symantec Report – https://www.symantec.com/connect/blogs/dragonfly-western-energy-sector-targeted-sophisticated-attack-group
Canadian Federal Government Finally Working on Breach Notification Regulation
Alberta has had a breach notification law on the books for a few years now (one of only two in Canada I think), but the Federal government is finally getting into the act. Released last week is the first official draft of the proposed legislation. It looks like it’s pretty similar to Alberta’s, so there won’t be huge changes for Albertans, but there will be for companies operating in other provinces.
IAPP Analysis – https://iapp.org/news/a/canada-stays-close-to-home-in-new-data-breach-regulations/
Something for Travel Security Awareness
Don’t forget about travel security when conducting awareness campaigns. Here’s a good article on the risks of exposing the information (specifically the barcode) printed on boarding passes. Surprisingly (or not, unfortunately), a lot of people like to share pictures of their boarding passes on social media to show where they’re traveling.