
Industry News: ESG5

    Know Your Breach: UScellular

    The target: UScellular, the fourth largest mobile network operator in the United States.

    The take: Customer records of personally identifiable information including: names, addresses, account names and PIN codes, telephone numbers, information on their phone service plans, and the ability to alter the phone number on accounts which receive two-factor authentication texts.

    The attack vector: The attackers tricked retail employees into downloading malicious software which contained a RAT (remote access tool), allowing the threat actors to access the computer systems remotely. As the employees were already logged into the CRM (customer retail management) software, the hackers were able to move freely within the systems using an employee’s credentials. 

    Social engineering is a widely used tactic by which attackers exploit our innate desire to be helpful quickly, without thinking through the consequences. The employee’s mistake, innocent or not, of clicking on an unverified link granted the attacker the ability to install a Remote Access Tool and navigate through the company’s systems under legitimate credentials. Continuous employee education around suspicious links, and the social engineering tactics they’re paired with, is a critical component of a firm’s robust cybersecurity posture.


    New York Regulator Issues Guidance for Insurers Writing Cyber Policies In the State

    2021-02-04

    Insurance Journal: The New York State Department of Financial Services (DFS) has issued new guidance spelling out best practices for New York-regulated property/casualty insurers that write cyber insurance. This serves as the first guidance the regulator has issued on cyber insurance in particular.


    Hackers Steal StormShield Firewall Source Code In Data Breach

    2021-02-04

    Bleeping Computer: Leading French cybersecurity company StormShield disclosed that their systems were hacked, allowing a threat actor to access the company's support ticket system and steal source code for Stormshield Network Security firewall software.


    It’s Time to Rethink Cybersecurity Training… Again

    2021-02-04

    Security Magazine: Cybersecurity training today is much different than it was 10 years ago. In most organizations, we have developed training that is engaging, interactive, even enjoyable at times. Security leaders of yesterday realized that having a once-a-year, boring, PowerPoint-like training that employees had to undergo to check a box was not working. Everyone dreaded that training and that led to skimming the material and clicking through slides, then brute-forcing their way through the answers on the final exam.


    IT Directors Flag Risk of Employees Building Their Own Software

    2021-02-03

    Funds Europe: According to a survey of IT directors and chief technology officers by consulting firm Sionic, 93% of asset management firms have employees creating and designing their own applications.


    Suspected Chinese Hackers Used SolarWinds Bug to Spy On U.S. Payroll Agency

    2021-02-02

    Reuters: Suspected Chinese hackers exploited a flaw in software made by SolarWinds Corp to help break into U.S. government computers last year, five people familiar with the matter told Reuters, marking a new twist in a sprawling cybersecurity breach that U.S. lawmakers have labeled a national security emergency.


    Board Members Aren’t Taking Cybersecurity As Seriously As They Should

    2021-02-01

    Help Net Security: Trend Micro shared results from a study that reveals systemic challenges with security integration into business processes. The report includes the top ways to drive engagement and agreement around cybersecurity strategies within an organization.


    The Necessity for Better Data Security in 2021

    2021-02-01

    IT Pro Portal: Cybersecurity plays an essential role in protecting us and the digital systems we use on a daily basis. Although technology is rapidly evolving, we are witnessing a vast number of data breaches due to organizations facing minimal charges for poor protection of data and storage.

    Know Your Breach: Bonobos

    The target: Bonobos, a men’s clothing store. 

    The take: 70GB database containing personally identifiable information such as: 7 million order records, account information of 1.8 million customers with phone numbers, shipping and email addresses, 3.5 million partial credit card records, and hashed passwords.

    The attack vector: While Bonobos’ own internal systems show no signs of breach, an externally hosted backup of the database was accessed in a provider’s cloud storage environment.

    Security controls must always be commensurate with the sensitivity of the data being stored, and must travel with that data, both within internal systems and when sensitive data is transferred to backup media or to an external vendor’s or partner’s systems. This attack highlights the importance of auditing and validating security controls at every stage of the data lifecycle.


    WisdomTree Deepens Thematic Offering with Cybersecurity Launch

    2021-01-28

    Investment Week: WisdomTree Cybersecurity UCITS ETF (WCBR) has been developed alongside venture capital firm Team8 and will track the bespoke WisdomTree Team8 Cybersecurity index. It will be available to investors on the London Stock Exchange, Borsa Italiana and Börse Xetra for a total expense ratio of 0.45%.


    About Castle Hall Diligence

    Castle Hall helps investors build comprehensive due diligence programs across hedge fund, private equity and long only portfolios.
