Newsletter

open source and cybersecurity news

October 17, 2023

It's 5:05, October 16, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Marcel Brown:  October 17, 1990. Colin Needham, an English movie fan, launches the “rec.arts.movies movie database,” which would later be known as the Internet Movie Database, or IMDb. An engineer working for HP at the time, by 1996, Needham quit his job to work on IMDb full-time.

Edwin Kwan: Equifax has been fined £11 million by Britain’s financial watchdog for the 2017 cybersecurity breach. The British Financial Conduct Authority, or FCA, said that the cyber attack and unauthorized access to UK consumer data was entirely preventable.

Mark Miller:  The Broken Access Control Vulnerability in the Confluence Data Center and Server has been getting a lot of attention. This is a Level 10 vulnerability, the highest warning available. There is evidence that this is a nation-state attack, actively exploiting the vulnerability.

Ian Garrett:  Everyone hates hidden costs, and it’s only worse when you’re already on a shoestring budget. As CISOs navigate a landscape of complex pricing structures, overlapping services, and other traps, there are more than enough hidden costs that constrain precious cybersecurity budgets.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
Equifax Ltd fined £11 million for Preventable Cybersecurity Breach

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

Equifax has been fined £11 million by Britain’s financial watchdog for the 2017 cybersecurity breach.

This is Edwin Kwan from Sydney, Australia.

Equifax suffered one of the largest cybersecurity breaches in 2017, which affected 147.9 million US customers. The UK arm of the credit reporting firm, Equifax Limited, had 13.8 million UK consumers that were also impacted, as their data was outsourced to the parent US company for processing.

Hackers had stolen names, dates of birth, phone numbers, partially exposed credit card details, and residential addresses of the UK consumers. The British Financial Conduct Authority, or FCA, said that the cyber attack and unauthorized access to UK consumer data was entirely preventable. It said that Equifax did not treat its relationship with its parent company as outsourcing, and as a result, did not provide sufficient oversight on how the data it was sending was managed and protected. There were known weaknesses in the parent company’s data security systems, and the company did not take appropriate action in response to protect its UK customer data.

As a result, the FCA fined Equifax Limited for failing to manage and monitor the security of UK consumer data that it outsourced to its US-based parent company. The fine amount was discounted by 30 percent as Equifax had agreed to resolve the matter and cooperate to a high level with the financial watchdog.

Resources
– FCA: https://www.fca.org.uk/news/press-releases/equifax-ltd-fine-cyber-security-breach
– The Record: https://therecord.media/uk-fines-equifax-millions-for-2017-data-breach
– IT News: https://www.itnews.com.au/news/uk-watchdog-fines-equifax-for-role-in-cyber-breach-601233


Mark Miller
Follow Up to Atlassian Confluence Level 10 Vulnerability Alert

Mark Miller, Executive Producer, It's 5:05

This is a follow up to the Atlassian Confluence CVSS Level 10 vulnerability announcement.

I’m Mark Miller, Executive Producer of It’s 5:05.

The Broken Access Control Vulnerability in the Confluence Data Center and Server has been getting a lot of attention from CISA, the FBI, and MS-ISAC, as I mentioned in yesterday’s report. There is evidence that this is a nation-state attack, actively exploiting the vulnerability.

It’s a zero-day vulnerability. A successful attack enables malicious cyber threat actors to obtain initial access to Confluence instances by creating unauthorized Confluence administration accounts. Due to the ease of exploitation of the vulnerability, the joint report expects more attacks to occur.

Again, this is a Level 10 vulnerability, the highest warning available. The recommendation is to immediately apply the upgrades provided by Atlassian. There is a complete list of affected product versions and the IOCs within the Atlassian security advisory. There is also a comprehensive FAQ that covers the most pertinent questions about steps for mitigation.

This isn’t something to be messed with if you’re running Confluence. Links to the joint advisory, the FAQ, and Atlassian updates are available at 505updates.com.

Resources
– Atlassian: https://confluence.atlassian.com/security/cve-2023-22515-privilege-escalation-vulnerability-in-confluence-data-center-and-server-1295682276.html
– Atlassian FAQ: https://confluence.atlassian.com/kb/faq-for-cve-2023-22515-1295682188.html
– CISA: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-289a


Ian Garrett
10 Hidden Costs Draining CISO Security Budgets (Part 1)

Ian Garrett, Contributing Journalist, It's 5:05 Podcast

Everyone hates hidden costs, and it’s only worse when you’re already on a shoestring budget. As CISOs navigate a landscape of complex pricing structures, overlapping services, and other traps, there are more than enough hidden costs that constrain precious cybersecurity budgets. Over my next two segments, we’ll dive into a number of pitfalls to avoid while optimizing security spending.

Hey folks, this is Ian Garrett in Arlington, Virginia.

Let’s dig into some of these hidden expenses.

Trap 1: Complex Pricing Structures. Many CISOs face a challenge with the complex charging structures that some security vendors use for their products. Initial purchases might seem affordable, but advanced features that CISOs require can come with additional costs. This can be common with solutions like SIEM and SOC, where charges can quickly escalate as data volume and monitoring requirements increase.

Trap 2: Review Third-Party Costs. Before investing in a cybersecurity service or engaging with a third party, CISOs should inquire about all the potential additional costs associated with its use. Negotiation can lead to more reasonable prices, especially for new products. When negotiating for services, consider the value of professional services to implement a product effectively.

Trap 3: Internal Running Costs. Hidden costs aren’t limited to product and service pricing. Consider the internal costs of running these solutions. For example, SIEMs and DLPs can require significant data management, training, maintenance, and dealing with false positives, all contributing to hidden expenses.

Trap 4: Hidden Costs in Penetration Testing and Open-Source Solutions. Even when using penetration testing, the time, resources, and potential downtime caused by security measures must be considered. Open-source solutions often seem cost effective, but can require investments in implementation, management, and external expertise, offsetting initial savings.

Trap 5: Beware of Overlapping Services. Overlapping services that duplicate functions can needlessly strain budgets. Paying for duplicate security functions is not only inefficient, but can lead to integration complexities, creating interoperability challenges.

Check back on Thursday for the second set of five traps that constrain security budgets.

Resources
– CSO Online: https://www.csoonline.com/article/655295/beware-the-cost-traps-that-can-strain-precious-cybersecurity-budgets.html


Marcel Brown
This Day, October 17, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown with some technology history for October 17th.

October 17th, 1907. Guglielmo Marconi officially opens the first commercial transatlantic wireless telegraph service, which runs between Nova Scotia and Ireland. This opened up additional options to the existing submarine cable operators that had a monopoly on international telegraph service at the time.

October 17, 1990. Colin Needham, an English movie fan, launches the “rec.arts.movies movie database,” which would later be known as the Internet Movie Database, or IMDb. An engineer working for HP at the time, by 1996, Needham quit his job to work on IMDb full-time. The IMDb is one of the most visited sites on the internet, and was acquired by Amazon in 1998. Needham is still the general manager of the IMDb to this day.

That’s your tech history for today. For more, tune in tomorrow and visit my website, thisdayintechhistory.com.

Resources
https://thisdayintechhistory.com/10/17
