Several members of the Data Connectors community, including companies like Security Scorecard, Rapid7 and Cybereason, are teaming up with industry leaders across government, academia, non-profit organizations and other private-sector organizations to form a Ransomware Task Force.

This group was organized by the Institute for Security and Technology (IST), who plans to convene the task force and begin work in January 2021. At that point, the organization will launch a website highlighting the leadership roles and complete list of members.

IST convened this group with the understanding that one organization or industry can’t face the ever-growing threat of ransomware attacks happening throughout the world. Such a task requires collaboration between public and private sectors, plus legal and academic scholars, insurance professionals and international organizations. 

“Ransomware incidents have been growing unchecked, and this economically destructive cybercrime has increasingly led to dangerous, physical consequences. Hospitals, school districts, city governments, and others have found their networks held hostage by malicious actors seeking payouts,” IST wrote in its blog, which announced the task force. “This crime transcends sectors and requires bringing all affected stakeholders to the table to synthesize a clear framework of actionable solutions, which is why IST and our coalition of partners are launching this Task Force for a two-to-three month sprint.”

The Institute cited its list of founding members to include the following:

Aspen Digital
Citrix
The Cyber Threat Alliance
Cybereason
The CyberPeace Institute
The Cybersecurity Coalition
The Global Cyber Alliance
McAfee
Microsoft
Rapid7
Resilience
SecurityScorecard
Shadowserver Foundation
Stratigos Security
Team Cymru
Third Way
UT Austin Strauss Center

Concerns surrounding ransomware are nothing new, but the threat has grown in the last year. The incidence and prevalence of ransomware attacks prompted the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) to publish a new set of guidelines in September 2020. 

You can meet with any of our ransomware subject matter experts during one of the 2021 virtual summits. Click on the button below to join us for an upcoming summit.

Data Connectors Partners Join Multi-Sector …

Hot Topics in Cybersecurity Posted by Jen Greco on Jan 1, 2021

Regardless of your political take on those $600 stimulus checks (that may already be in some people’s accounts, per Treasury Secretary Steve Mnuchin), there’s one thing everyone can agree on: hackers will stop at nothing to get their hands on that cash.

Fraud-finding firm Bolster issued a report back in spring that found nearly 61,000 fake banking websites popped up following the promise of stimulus checks. Pair that with the 145,000 newly registered domains carrying some version of the phrase “stimulus check,” and you have an extremely unfortunate number of people getting drained of a much-needed lifeline. 

Check Point Software Technologies, a vital member of the Data Connectors community, also did some research on the topic. They published some examples of the phishing scams that were tricking unsuspecting people our of their stimulus and relief checks, and to grab their bank account information via phishing.

The research team with Check Point highlighted in their April 20th blog post on the topic:

These scam websites use the news of the coronavirus (Covid-19) financial incentives, and fears about Coronavirus to try and trick people into using the websites or clicking on links.  Users that visit these malicious domains instead of the official Government websites risk having their personal information stolen and exposed, or payment theft and fraud.

They found that there were 3.5 times more domains registered after Congress announced the first stimulus. So, how can you keep yourself safe from these scams?

One important thing to note is that the Treasury Department has made it clear that any communication about this pay-out will call it an Economic Impact Payment — the term “stimulus” or anything like it would not be used in any official capacity. 

Another tip: the IRS will never (ever, ever, ever) email, call or text you. Your check will be issued via direct deposit, or by the U.S. Post Office. That said, if you do get a random check in the mail with a suspicious amount (as well as instructions to call a number to get the money), don’t fall for it. Per the current bill, the checks include $600 payments for each individual that was claimed on your most recent tax return. Certain income brackets will receive different payments, but it’s very unlikely that these checks will contain cents.

What are some of the craziest scams you’ve heard of regarding the economic relief payments? Let us know in the comments below.

Hackers Want Your Stimulus Check. Here̵ …

Hot Topics in Cybersecurity Posted by Jen Greco on Dec 30, 2020

Finally — 2020 is almost over. But before you breathe that sigh of relief, ask yourself: Am I prepared for the impending changes to privacy compliance laws? Whether you’re a PI-pro, or wishing we were talking pie instead — stick around. Our team has a huge pile of resources for you to ring in the New Year with a stress-free compliance plan.

Let’s take a quick dive into the world of the complex world of California consumer protection laws.

Basics, Please. What are these acronyms?

CCPA is the California Consumer Privacy Act. CPRA is the California Privacy Rights Act.

Good start. What is CCPA?
CPRA was adopted in 2018, and chances are, you’re already compliant within your organization (particularly if you do a lot of business in California). But for the uninitiated, and per the Golden State’s Department of Justice, CCPA includes:

• The right to know about the personal information a business collects about them and how it is used and shared;
• The right to delete personal information collected from them (with some exceptions);
• The right to opt-out of the sale of their personal information; and
• The right to non-discrimination for exercising their CCPA rights.

Fair enough. So what’s the deal with CPRA?
The citizens of California voted for CPRA via a ballot measure on Nov. 3, 2020. It takes CCPA and, basically, bolsters it quite a bit. For you, this means taking a look at your current compliance in terms of protecting your clients’ privacy. CPRA is way more specific. 

Does CPRA replace CCPA?
Nope. It serves more to augment the initial law, rather than replace it. What’s the best way to break down the differences? Attend our upcoming Web Briefing — here’s a sneak preview of this session. Hear a conversation between Data Connectors Chief Strategy Officer Michael Hiskey and Spirion’s Scott Giordano from the Atlanta Virtual Cybersecurity Summit in the video below:

There are 49 other states aside from California, and I’m in one of them. Does this apply to me?

You have to meet one of three standards to fall under the law. 

1. Your business pulls at least half of your annual revenue from sharing or selling the personal information of California customers.
2. Your business has a gross revenue greater than $25 million
3. Your business buys/sells/shares the personal information of greater than 100,000 California customers or households. 

Remember — all you need is ONE of those three. That makes this legislation fairly far-reaching, much like many of the state’s consumer protection laws. 

For instance, anyone who has ever manufactured and sold a product to anyone in the U.S. knows that California laws strong-arm the entire industry into posting CA Prop. 65 warnings on, well, basically everything (we’re talking aloe vera, parking garages, and coffee). That means that even if you roast your coffee beans in Oregon, but sell it over state lines, you need to carry a Prop. 65 warning on your packaging. 

So, if you meet the criteria, welcome to the wild West Coast. You’re expected to comply with CPRA as well as its predecessor, CCPA. And, if your goal is customer happiness and good business practice, then it makes sense to adhere to these guidelines — even if you have a very small number of customers or clients from California.

The challenge is in preparing your business for CPRA compliance — and, in a hurry. The measure that passed in November is going into law on January 1, 2021. 

This is bigger than me. How do I learn more?
Fortunately, you don’t need a degree from a prestigious California law school to navigate these laws, because Spirion’s Scott Giordano already did that for you. Hop onto our Web Briefing on Dec. 17th at 2PM ET, and hear from Scott and a full panel of CISOs on how to help your business handle these changes and protect your customers’ data.

CCPA and CPRA 2.0: Navigate the California …

Hot Topics in Cybersecurity Posted by Jen Greco on Dec 8, 2020

Since COVID19 took over the national conversation in March, the world has changed in unprecedented ways. But what does life look like after the pandemic is behind us? What are our current and future threats? We talked to Cybersecurity expert EJ Hilbert and got his thoughts on the future of our country, as well as our industry.

For Hilbert, who has been a staple on the Data Connectors’ virtual summit circuit, the threats that exist stem from our lack of a “common enemy” — combined with a general lack of trust in the data presented by media and the government.

“Common enemies allow governments to join together and point in one direction while hiding the things they are doing that might equal criticism and impact their livelihood,” Hilbert said.

You might be saying to yourself, “What about the pandemic? What about global warming?” It’s not fair to describe those as a common enemy — they’re intangibles. We can’t put COVID-19 on trial, we can’t attribute any human qualities to global warming. It’s possible that our most recent global common enemy was Al Qaeda — collectively hated by the United States, Russia, China, and all their respective enemies. 

What happens when we don’t have a common enemy? Per Hilbert, it forces our social consciousness to look inward and look at ourselves. This brings forward the bevy of social justice issues — whether real or perceived — that have been cropping up across the country, he said. 

This civil unrest has likely been goaded by outside forces. His example is that of Russian and Chinese actors running the largest sets of bots and fake accounts that are searching and publicizing social issues in the United States — essentially forcing the national government to focus on the domestic crisis and is thus unable to focus externally.

“This is all done through data manipulation. Parties collect data on people, communities, et cetera, and profile them and pander their manipulation of data to those groups to sway opinions,” he said. “They do this by appearing as legit media outlets or government agencies to make people believe them. Mainstream media picks it up with limited background, and now it must be true.”

And unfortunately, the media retractions are often buried or lost in the news cycle. This leaves a few paths for the news consumer — accept the media’s narrative, or lose trust and turn to seek like-minded people and develop a cult mentality.

“This is the threat against the US. We can’t trust because everything is being manipulated.  We have nowhere to turn for the truth because the news is now about grabbing eyeballs via click bait headlines rather than reporting facts,” Hilbert said. 

He likened the follow up of the recent shooting of Jacob Blake. While the police were called for a domestic violence incident, along with a perpetrator trying to steal a car with children inside, there was a group looking to sow discontent in the United States by leaving out the crime — simply publishing “Police Shoot Black Man in the Back” — intentionally leaving out context. 

“If you can control beliefs, you can get people to fight each other and that can all be done through data, not guns or bombs,” Hilbert said. “It is a cyber-enabled attack, meaning it is a real world attack that can be expanded via the Internet.”

This isn’t a crazy conspiracy or anything like that, either — the idea of Psy-Ops has been used in limited capacity, like Radio-Free Europe (and mentioned in a previous post in this very blog). 

“Data manipulation based attacks have been red-teamed by multiple groups in multiple nations,” Hilbert said. “If you use it on an adversary there is nothing stopping them from using it on you.  It’s almost a mutually assured destruction type scenario. The US is using it on its foes and they are using it on us in return.”

Want to hear more from EJ? Check out his brand new podcast, “My Junk,” and come hear him give our Day 1 Keynote at the Data Connectors SoCal Virtual Cybersecurity Summit on Oct. 14.

Interview: EJ Hilbert on the Post-Pandemic …

Hot Topics in Cybersecurity Posted by Jen Greco on Sep 30, 2020