Cybersecurity Tips (cyb3rsecurity.tips)

CISA's Cyber guidance for small businesses and trains stop for 5 hours 🚂 - Newsletter #8

India's GDPR is also taking shape and Discord fined $830k for GDPR "lapses"

Nuno
Dec 15, 2022

First of all, sorry for the delay with the November newsletter. Some people asked (most didn't), but rest assured there is good content coming down the pipe.

Last month was eventful, with relevant news across the field: critical vulnerabilities, GDPR fines, breaches and so on. In the end, nothing we are not used to. On the incident front, the Danish train operator DSB had to stop its trains for several hours after an attack on Supeo, the third-party provider of its enterprise asset management software, forced Supeo to take its systems offline. It is still not clear who was behind the attack.

If supply chain attacks are not yet on your risk register, now would be a good time to add them.

Image: How Dall-E sees "Hackers at the train station"

Also in November, CISA released its "Cyber Guidance for Small Businesses", which includes a number of interesting recommendations. One of the most striking is that CISA tells business owners to move to the cloud for security reasons:

While it's not possible to categorically state that "the cloud is more secure," we have seen repeatedly that organizations of all sizes cannot continuously handle the security and time commitments of running on-prem mail and file storage services. The solution is to migrate those services to secure cloud versions, such as Google Workspace or Microsoft 365 for enterprise email. These services are built and maintained using world-class engineering and security talent at an attractive price point. We urge all businesses with on-prem systems to migrate to secure cloud-based alternatives as soon as possible.

You can read the guide here.

On privacy, two pieces caught my attention. The first is India setting up its own GDPR-style regime, with the following stated objective:

The Bill provides for the processing of digital personal data in a manner that recognizes the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes.

As a reminder, India has 760 million active internet users.

The second is Discord being fined €800,000 by the French data protection authority (CNIL). This is the reasoning:

  • lack of a written data retention policy, violating Article 5(1)(e) of the GDPR;

  • lack of information regarding retention periods provided to data subjects, violating Article 13 of the GDPR;

  • failure to inform users of voice channel connections and transmissions to third parties, or utilise the appropriate technical measures to ensure this was not possible without said information, violating the obligation to guarantee Data Protection by Default under Article 25(2) of the GDPR;

  • accepting a password consisting of six characters, including letters and numbers, violating Article 32 of the GDPR; and

  • determining it was not necessary to carry out a Data Protection Impact Assessment ('DPIA'), violating Article 35 of the GDPR.

More information here.
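The fourth point in the list above (a six-character password with letters and digits being accepted) is the one a developer can act on directly. What follows is an added example, not CNIL's or Discord's code: it encodes that weak acceptance rule next to a stronger one so the difference is visible on concrete inputs. The 12-character minimum, the 60-bit threshold and the short common-password denylist are my own assumptions for the example, not values taken from the decision.

```python
"""Weak vs. stronger password acceptance policy. Added example; thresholds and
the denylist are constructed for illustration, not taken from the CNIL decision."""
import math
import string

# Constructed stand-in for a breached/common-password corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "abc123", "letmein", "discord1"}


def charset_size(pw: str) -> int:
    """Size of the smallest character set that contains every class used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def guess_entropy_bits(pw: str) -> float:
    """Upper bound on the search space in bits, assuming a uniformly random pick
    from the character classes present. Overestimates dictionary-based passwords."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def weak_policy(pw: str) -> bool:
    """The rule the fine describes: at least six characters with letters and numbers."""
    return len(pw) >= 6 and any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)


def strong_policy(pw: str, min_len: int = 12, min_bits: float = 60.0) -> list:
    """Return the reasons for rejection; an empty list means the password is accepted.
    Length, denylist and search-space checks are independent so all failures are reported."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears in breached/common list")
    if guess_entropy_bits(pw) < min_bits:
        reasons.append(f"search space below {min_bits} bits")
    return reasons


if __name__ == "__main__":
    for candidate in ("abc123", "Tr0ub4dor&3", "correct-horse-battery-9"):
        print(candidate, "weak:", weak_policy(candidate), "strong:", strong_policy(candidate) or "ok")
```

The entropy figure is only an upper bound that assumes a random pick from the character classes, so it says nothing about dictionary words and leetspeak; that is why the denylist sits beside it. In a real deployment the denylist would be a breached-password corpus, and both checks would be backed by rate limiting and MFA, which are the other "appropriate technical measures" Article 32 is about.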

Other articles I read last month

  • How we handled a recent phishing incident that targeted Dropbox (Dropbox Tech Blog)

  • UK Government scans all web servers hosted in the UK for vulnerabilities (NCSC)

  • PayPal Allows Bypassing Two-Factor Authentication With a Button Click (blog.devgenius.io)

  • Microsoft is phoning home the content of your PowerPoint slides (rogermexico.bearblog.dev)

  • Indian ISPs: We already give govt full access to web traffic (Entrackr)

  • French Court rules that refusing to disclose a mobile passcode to law enforcement is a criminal offence (Fairtrials.org)

  • Open-source software vs. the proposed Cyber Resilience Act (blog.nlnetlabs.nl)

  • A third of organisations don’t know if they were hacked in the last year (Busycontinent)

  • The FBI alleges TikTok poses national security concerns (NPR)

  • Germany Forces a Microsoft 365 Ban Due to Privacy Concerns (Techgenix)

  • Vulnerability Management at Lyft: Enforcing the Cascade (Lyft Blog)

  • India’s GDPR is taking shape (The Cybersecurity Times)

  • Tax filing websites have been sending users’ financial information to Facebook (The Verge)

On Twitter

Casey Newton @CaseyNewton
According to messages shared in Twitter Slack, Twitter's CISO, chief privacy officer, and chief compliance officer all resigned last night. An employee says it will be up to engineers to "self-certify compliance with FTC requirements and other laws."
3:13 PM ∙ Nov 10, 2022

My bet? It's a matter of time until we see a significant cybersecurity incident coming out of Twitter. Firing security teams + leaving compliance to engineers + rushing features = 🚩🚩🚩🚩

Rafael Shimunov is on Mastodon @rafaelshimunov
Did Twitter Blue tweet just cost Eli Lilly $LLY billions? Yes.
6:20 PM ∙ Nov 11, 2022

This is one of those simple risk assessments. Probability that someone impersonates our brand under a verified badge? It used to be close to zero. Impact? Extreme.

Gwendal Le Coguic @gwendallecoguic
New GitHub search is 🔥🔥🔥
4:06 PM ∙ Nov 28, 2022

Be careful with what you commit.
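GitHub's new code search makes anything ever committed trivially findable, so the useful control sits on the developer's side, before the push. Below is an added example, not code from the tweet's author, from GitHub or from this newsletter, of the kind of check a pre-commit hook runs over a staged diff: a regex rule for a documented credential shape (the AWS access key ID prefix), one for private key blocks, and a generic `key = value` rule with a Shannon-entropy filter so that placeholders such as a run of x's are not reported. The sample diff, the generic patterns and the 3.5-bit threshold are constructed for this example; the AWS key in the sample is the placeholder from AWS's own documentation, not a real credential.

```python
"""Secret scan over a diff before it is pushed. Added example, not from the page's author;
the rules other than the AWS key shape, the threshold and the sample diff are constructed."""
import math
import re
import sys
from collections import Counter

# AKIA/ASIA followed by 16 uppercase alphanumerics is the documented AWS access key ID shape.
# The other two rules are generic heuristics chosen for this example.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|token|passwd|password)\b\s*[:=]\s*['\"]?"
        r"([A-Za-z0-9_\-/+=]{12,})"
    ),
}

# Constructed diff: a documentation placeholder key, a random-looking token, a low-entropy
# placeholder that must not be reported, a key block header, and a harmless line.
SAMPLE_DIFF = """\
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+api_key = "a3f9c12be47d0e8815f6b2c9d4e7a106"
+password = "xxxxxxxxxxxxxxxx"
+-----BEGIN RSA PRIVATE KEY-----
+print("hello")
"""


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's own symbol distribution; 0.0 for one repeated char."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_text(text: str, entropy_threshold: float = 3.5) -> list:
    """Return one finding per rule match per line. Removed (-) lines are scanned too:
    a secret being deleted is already in history and still needs rotating."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, pattern in RULES.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # A captured value with low entropy is a placeholder (xxxx, 0000), not a credential.
                if rule == "generic_assignment" and shannon_entropy(value) < entropy_threshold:
                    continue
                findings.append({"line": lineno, "rule": rule, "match": value})
    return findings


if __name__ == "__main__":
    # Read a diff from stdin when piped (git diff --cached | python scan.py); otherwise demo.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = scan_text(data)
    for h in hits:
        print(f"line {h['line']}: {h['rule']}: {h['match'][:6]}...")
    sys.exit(1 if hits else 0)  # non-zero exit blocks the commit when used as a hook
```

Wired in as a pre-commit hook, `git diff --cached | python scan.py` fails the commit on any hit. Entropy is a weak signal on its own (UUIDs and hashes score high, a short real password scores low), so in practice this sits beside a maintained scanner such as gitleaks or trufflehog; the point of running it locally is that the secret never reaches a remote, because once it has, rotation rather than history rewriting is the only real fix.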

© 2023 Nuno Batista