A New Attack Category is Born: You Now Need to Also Worry About Evasive Spear Phishing

Spear phishing has long been a serious concern for organizations battling the constant onslaught of social engineering attacks aimed at their users. This post from the team at KnowBe4 sheds some light on a new form of spear phishing that often focuses on technology firms and other high-value targets. The depth and level of sophistication associated with these attacks should raise red flags. The more accurate and relevant the phishing content, the higher the likelihood the end user will fall into the trap and click the link.

Please be diligent in your awareness training and notifications to end users. These threats are very real!


Web scraping doesn’t violate anti-hacking law, appeals court rules

This is an intriguing legal development that may have far-reaching implications on the intellectual property and privacy fronts. The fact that current legal standards cannot appropriately address web scraping means that our US laws are woefully outdated and unable to tackle the challenges of a highly technical and quickly evolving society. Agility should be an important component of all future legislative processes.


Wikipedia, World of Warcraft Downed By Weekend DDoS Attacks

This article discusses yet another series of DDoS attacks targeting well-known websites. Based on the article, these DDoS attacks are an example of a hacking group trying to validate its skills and work toward larger attacks, which will in turn inspire other attacks against new targets by other new hacking groups. This is a systemic problem that will continue to grow and plague businesses and organizations worldwide.

It is important to consider the potential damage that can be caused by a DDoS attack and how your organization would remediate or mitigate such an attack.


Louisiana governor declares state emergency after local ransomware outbreak

At first blush, many of us would see this article and immediately file it away in the back of our minds as yet another example of the pervasiveness and destructive nature of ransomware. To be honest, we would not be wrong to reach that conclusion, but I want to challenge you to read a little closer this morning. There is a small ray of hope in this article that can be easily overlooked. The governor of Louisiana is declaring a state of emergency because of these ransomware attacks, but he is doing so because the state of Louisiana has a plan!

The state of Louisiana has a Cybersecurity Commission and a well-defined, properly tested and well-funded incident response plan. They are prepared to respond to and address these ransomware outbreaks. Resources from state police, the Governor’s office of Homeland Security and the Louisiana National Guard are being coordinated and rallied to the cause of mitigating these attacks. That fact is both noteworthy and exciting. Preparation and proper incident response are absolutely vital components of any cybersecurity program. Far too often, organizations find themselves shocked, flat-footed and lost when ransomware strikes. But not in the Bayou State. Kudos to Louisiana for having a plan!


Communication – The Forgotten Security Tool

This article provides tremendous advice concerning a vital component of IT security that is often overlooked and ignored. To simply state the obvious: communication is key. Yet, in the world of IT security, we very quickly get lost in a sea of technical jargon and alphabet-soup acronyms. Technical speakers often get their audiences lost in the weeds of “how” and “why” a security control is needed or a risk is imminent, yet those same speakers never realize anyone is lost because they alone hold the map and never look back.

We as IT professionals need to understand our audiences and their capacity for understanding and reason. Technical controls and imminent risks should be translated into real-world examples and practical analogies. We need to be succinct, clear, and timely in our comments. We need to choose our conversational battles and not find ourselves perpetually holding an umbrella while ranting as the sky falls around us.

And above and beyond all of these things, we need to shut up from time to time and truly listen. We need to hear what management teams and end users have to say. We need to ask for, and receive with a decent modicum of humility, constructive criticism about what is working in the security practice and what might be a significant hindrance to business success. There is always more than one way to tackle a problem, and though many of us have our favorite ways of doing things, those favorite approaches do not hold exclusivity when it comes to what is right for any given business environment.