
  • Data breach impacts over 20M TruthFinder, Instant Checkmate … – SC Media



    Credential-stuffing attack compromises fast food chain Chick-fil-A customers’ loyalty accounts.

    Government Technology reports that Southeastern Louisiana University had its network shut down following a possible cyberattack on Feb. 23, resulting in difficulties in coursework completion and the need for remote classes.
    Copyright © 2023 CyberRisk Alliance, LLC All Rights Reserved. This material may not be published, broadcast, rewritten or redistributed in any form without prior authorization.

    source

  • Bridging the Gap Between Vacant Cybersecurity Jobs and … – CSO Online

    CISOs today face an expanding attack surface, increasing threats, and a cybersecurity skills gap. An integrated and automated approach to security is needed to protect across the infrastructure.
    According to the global Fortinet 2022 Cybersecurity Skills Gap Report organizations surveyed say that the cybersecurity skills gap has contributed to 80% of their documented breaches. Clearly, the cyber talent shortage is severely hampering business productivity and progress. The survey of organizations highlighted in the Fortinet report also reveals that globally 64% of organizations have experienced breaches that resulted in loss of revenue, recovery costs, and/or fines.
    It’s no wonder that the lack of qualified cybersecurity professionals has become a major concern for leaders everywhere. The lack of cyber skills across the workforce is having many negative effects on organizations, including damage to their reputations and financial losses.
    More Stats to Contend With
    The cybersecurity workforce needs to expand by 65% to adequately defend organizations, according to the (ISC)2 2021 Cyber Workforce Report. While the number of unfilled cybersecurity jobs fell by around 400,000 in 2021, there are still 2.72 million unfilled positions that need individuals with the appropriate cybersecurity skills. This is still a significant void in skills that leaves organizations around the world ill-prepared against cybercrime threats. Something must be done to address this shortage of qualified cybersecurity personnel or the working world will face the future shorthanded and very vulnerable to attacks from aggressive and evolving cybercriminals.
    The global 2022 Cybersecurity Skills Gap Report also found that 60% of executives surveyed confessed that their organizations are struggling to recruit qualified individuals as well as hang on to current cybersecurity staff. The competition for the cybersecurity talent to fill critical roles ranging from cloud security specialists to SOC analysts is so fierce that more than half (52%) of the same surveyed executives say they are having significant trouble retaining their valuable employees.
    What the Numbers Tell Us
    The Fortinet skills gap research also indicates that globally 70% of leaders see the recruitment of women as a hurdle, 71% find recruiting new graduates as challenging and 61% say hiring minorities is difficult. All organizations should be focused on developing better ways to recruit women, new graduates, and minorities.
    Growing the candidate pool for filling cybersecurity openings by proactively pursuing those in under-represented communities is an excellent method for bridging the gap. The report provides evidence that organizations are doing more than just providing lip service to building more diverse teams:
    In addition to proactively recruiting individuals from under-represented communities, providing training and certifications is another method for expanding the cybersecurity candidate pool. The report also reveals that offering employees continuing education and rewarding them for their efforts are effective ways for organizations to counteract the skills gap. The report says that:
    Something Must Be Done
    Fortinet is committed to addressing the problems outlined in the skills gap report. The Fortinet Training Advancement Agenda (TAA) and Training Institute programs are initiatives focused on educating anyone who is exploring a career change and helping current cybersecurity professionals, who want to expand their knowledge base, achieve certifications. As part of this commitment, we have pledged to train one million professionals by 2026 in cyber skills and awareness. Key to achieving this goal is recruiting more women into the cybersecurity industry.
    Fortinet is preparing the cybersecurity workforce of tomorrow through our various Fortinet Training Institute programs, including the award-winning NSE Certification program. The Fortinet Training Institute relies on public and private partnerships to help address the skills gap by increasing the access and reach of its cybersecurity certifications and training. For example, we work with organizations like the World Economic Forum on the most pressing cybersecurity issues. Other partnerships include leaders in industry, academia, government, and nonprofits to reach as many interested parties as possible and help remove the issues that create the cybersecurity skills gap.
    Learn more about the Fortinet free cybersecurity training initiative and Fortinet’s Training Institute, including the NSE Certification program, Academic Partner program, and Education Outreach program, which includes a focus on Veterans.
    Copyright © 2022 IDG Communications, Inc.

    source

  • Cybercrime Top 10 Rankings: China is No. 1 While U.S. Records … – MSSP Alert

    by D. Howard Kass • Dec 23, 2022
    The U.S. is ranked 10th in a listing of countries with the highest rates of cybercrimes, according to Bscholarly, an academic and legal blog.
    Crime categories range from stealing and fraud to identity theft, money laundering, intellectual property heists, kidnapping, sex trafficking, espionage and more.
    Here’s Bscholarly’s full list of countries and their unique security issues:

    source

  • Cybercrime (and Security) Predictions for 2023 – The Hacker News

    Threat actors continue to adapt to the latest technologies, practices, and even data privacy laws—and it’s up to organizations to stay one step ahead by implementing strong cybersecurity measures and programs.
    Here’s a look at how cybercrime will evolve in 2023 and what you can do to secure and protect your organization in the year ahead.
    With the rapid modernization and digitization of supply chains come new security risks. Gartner predicts that by 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains—this is a three-fold increase from 2021. Previously, these types of attacks weren’t even likely to happen because supply chains weren’t connected to the internet. But now that they are, supply chains need to be secured properly.
    The introduction of new technology around software supply chains means there are likely security holes that have yet to be identified, but are essential to uncover in order to protect your organization in 2023.
    If you’ve introduced new software supply chains to your technology stack, or plan to do so sometime in the next year, then you must integrate updated cybersecurity configurations. Employ people and processes that have experience with digital supply chains to ensure that security measures are implemented correctly.
    It should come as no surprise that with the increased use of smartphones in the workplace, mobile devices are becoming a greater target for cyber-attack. In fact, cyber-crimes involving mobile devices have increased by 22% in the last year, according to the Verizon Mobile Security Index (MSI) 2022 with no signs of slowing down in advance of the new year.
    As hackers home in on mobile devices, SMS-based authentication has inevitably become less secure. Even the seemingly most secure companies can be vulnerable to mobile device hacks. Case in point: several major companies, including Uber and Okta, were impacted by security breaches involving one-time passcodes in the past year alone.
    This calls for moving away from SMS-based authentication to more secure forms of multifactor authentication (MFA). This could include an authenticator app that uses time-sensitive tokens, or more direct authenticators that are hardware- or device-based.
    Organizations need to take extra precautions to prevent attacks that begin with the frontline by implementing software that helps verify user identity. According to the World Economic Forum’s 2022 Global Risks Report, 95% of cybersecurity incidents are due to human error. This fact alone emphasizes the need for a software procedure that decreases the chance of human error when it comes to verification. Implementing a tool like Specops’ Secure Service Desk helps reduce vulnerabilities from socially engineered attacks that are targeting the help desk, enabling a secure user verification at the service desk without the risk of human error.
    As more companies opt for cloud-based activities, cloud security—any technology, policy, or service that protects information stored in the cloud—should be a top priority in 2023 and beyond. Cyber criminals become more sophisticated and evolve their tactics as technologies evolve, which means cloud security is essential as you rely on it more frequently in your organization.
    The most reliable safeguard against cloud-based cybercrime is a zero trust philosophy. The main principle behind zero trust is to automatically verify everything—and essentially not trust anyone without some type of authorization or inspection. This security measure is critical when it comes to protecting data and infrastructure stored in the cloud from threats.
    Ransomware attacks continue to increase at an alarming rate. Data from Verizon discovered a 13% increase in ransomware breaches year-over-year. Ransomware attacks have also become increasingly targeted — sectors such as healthcare and food and agriculture are just the latest industries to be victims, according to the FBI.
    With the rise in ransomware threats comes the increased use of Ransomware-as-a-Service (RaaS). This growing phenomenon is when ransomware criminals lease out their infrastructure to other cybercriminals or groups. RaaS kits make it even easier for threat actors to deploy their attacks quickly and affordably, which is a dangerous combination to combat for anyone leading the cybersecurity protocols and procedures. To increase protection against threat actors who use RaaS, enlist the help of your end-users.
    End-users are your organization’s frontline against ransomware attacks, but they need the proper training to ensure they’re protected. Make sure your cybersecurity procedures are clearly documented and regularly practiced so users can stay aware and vigilant against security breaches. Employing backup measures like password policy software, MFA whenever possible, and email-security tools in your organization can also reduce the burden placed on end-users.
    We can’t talk about cybersecurity in 2023 without mentioning data privacy laws. With new data privacy laws set to go into effect in several states over the next year, now is the time to assess your current procedures and systems to make sure they comply. These new state-specific laws are just the beginning; companies would be wise to review their compliance as more states are likely to develop new privacy laws in the years to come.
    Data privacy laws often require changes to how companies store and process data, and implementing these changes might open you up to additional risk if they are not implemented carefully. Ensure your organization adheres to proper cyber security protocols, including zero trust, as mentioned above.

    source

  • How Covid-19 impacted cyber security challenges, focus and spends | Cyber Security Hub – Cyber Security Hub

    The results in this report are from the Cyber Security Hub survey, which we fielded to subscribers in May and June 2020 to benchmark actual results from H1 2020 against expectations for H2 2020. Reflecting a balanced representation of the enterprise cyber security mindset, the largest segment of survey respondents (41 percent) describes their job function as cyber security. The next largest segment is IT (27 percent), followed by corporate management (9 percent).

    Qualified respondents were truly cross industry coming from automotive, education, financial services, government, healthcare/life science, manufacturing, media/telecommunications, retail/consumer packaged goods (CPG), technology, travel/hospitality and utilities/oil and gas/energy.
    Also read: CISO Strategies for proactive threat prevention
    There were potentially alarming responses to our global pandemic related questions in this mid-year survey. When asked “Has your approach to security changed as a result of the global pandemic and an increasingly remote workforce?” 40 percent said no.

    Roughly two in five cyber security organizations have not changed their approach to security as a result of the global pandemic. Such a large percentage of the CISO community not having changed their approach to cyber security as a result of a global pandemic that has hurled us all into a new workforce infrastructure is truly concerning.
    How the cyber security landscape has changed due to the pandemic:
    Why did 40 percent of the cyber security community not change their approach?
    In addition to an inert mindset change from a significant portion of the community, the reduction in staff due to financial pressures on companies during the pandemic was similarly concerning. A past potential insider threat now had the potential to become a nefarious external threat.

    As reported on Cyber Security Hub in Why Is Top Cyber Security Talent Suddenly In Flight, when asked about the 19 percent unemployed DevOps/DevSecOps community, Parag Deodhar, director of information security, Asia Pacific for VF Corporation, noted: “when people do not have access to enough money, food or resources, there will be more actors coming up”. Deodhar also explained that the pandemic has expanded the threat landscape, meaning that “not only were folks pushed [towards cyber crime], but also, the landscape open[ed] up for folks as well.”
    Jamal Hartenstein, who has worked with the Department of Defense on military bases as a part of joint task forces and has experience with every branch of service, notes that there was an industry realization that organizations needed to be more proactive and focus better on detection, and that the global pandemic has accelerated that focus.
    When asked about his perception, he explains that, “if you do not increase your security measures, you have exponentially just multiplied in magnitudes the risk based on all the threat and vulnerability and risk.”
    In 2021, 40 percent of the cyber security community said they had not changed their mindset in the face of the global pandemic, while 20 percent of top cyber security talent was made redundant. With this in mind, it was unsurprising that 67 percent of the cyber security community reported their budgets were decreasing or staying the same.

    While over two thirds of cyber security professionals noted their budget was staying the same or decreasing in July 2020, just one year earlier 59 percent reported an increase in budget in the Mid-Year Market Report 2019. This means the pandemic had a significant impact on cyber security spend.
    In the wake of the global pandemic with attacks on the rise, it would be expected that cyber security budgets would increase to combat this. Those in the cyber security community, however, disagree with 62 percent expecting budgets will decrease or stay the same.


    Taking a step back shows that the industry feels that things are positive and getting better. When asked “Do you feel as though the overall state of cyber security, meaning resiliency, compliance, awareness, etc., is improving?” 84 percent said ‘yes’.



    The top three areas of focus for respondents during the pandemic were security awareness, detection and incident response, and access controls, in keeping with the results of the last three Cyber Security Hub surveys. Just outside of that group is elevating cyber security with top-level management, a topic that was similarly highlighted over the previous two surveys.

    As a majority of cyber security budgets had not yet shifted in the face of a momentous societal occurrence, how money is spent became all the more important. Endpoint security went from the fifth highest to the second highest spend from November 2019 to June 2020, most likely as a response to employees working from home, which increases the chance of an endpoint being used as a vector for attack.

    While compliance priority decreased 17 percent from 2019 to 2020, this may be because those in cyber security had finished making the initial major changes needed to comply with GDPR. The 9 percent increase in SIEM focus showed that the community was looking to further adopt automation tools, potentially due to the decrease in workforce and the need to streamline cyber security.
    Whether it is cloud or devices perimeter, there is a level to which a human element can make them fail but it is rare. Generally, people who play with firewalls tend to be security savvy. So, if they make a mistake, for example opening up a hole for a vendor or for an audit and then not shutting it down, that is generally when they are overworked.
    Corporate email and personal email relies on common security awareness and intelligence, and the lowest common denominator usually wins. Malicious actors can go and find the CFO administrative assistant’s Facebook page, find out who their kids are and what school they go to, then easily craft an email that will make the CFO think, “Hey, my secretary just asked me to contribute to her son’s scholarship fund on GoFundMe.”
    People naturally want to trust and playing on that trust is so easy to do and to make it look good. Especially in this Covid-19 world while most of us are working from home, you drop your guard a little bit because you are in unfamiliar surroundings. You are in that home setting rather than that work setting. That is what scares the tar out of me about email.
    If you have got a great team, each member usually does one thing well. Even if you have already got the technology in place, can one person take care of firewall, compliance, intrusion detection, threat intelligence? Can they execute on multiple things? Each of these takes time, and if each member has to take care of three of them, how are they actually going to get each done well?
    Our biggest customer was bringing in three new technologies simultaneously. Each technology takes six months to get right. They tried to go it alone with vendor products and failed. When they came to us they said, “We missed a breach,” because either their SIEM or SOAR were not tuned properly, or they never got our endpoint fully deployed.
    I am not sure how much of a shameless plug this should be, but a different way to deal with the staffing issue depending upon where you are is to rely on third parties who may have more people. One of our key selling advantages is that because we deal with thousands of customers, I can take that really good smart security person, and maybe she can look at a bank in the morning and hotel chain in the afternoon and a web front the next day. So, we provide variety. We provide something always challenging to our talent. Complacency hopefully never sets in and I have got the staffing capabilities to have a person work on a project three months to avoid burnout. That is really difficult to do unless you are a Fortune 100 company.
    “You drop your guard a little bit because you’re in unfamiliar surroundings.”
    Sam McLane
    Head of Security Engineering, Arctic Wolf
    There are two main issues that faced the cyber security community in building teams during the pandemic – a perceived shortage of talent and insufficient budget.


    As nearly half of the community perceived a shortage of talent, it is important to consider what companies were doing to acquire talent during the pandemic. More than one in five respondents reported implementing mentor programs. Another 20 percent saw interns as the answer, with nearly 10 percent reporting that they engaged with universities to procure employees.
    It was not all change, however, as just under two in five noted that they were simply going to maintain current behaviors and activities to move forward.
    Also read: Automating enterprise cyber security report
    There was a marked shift in industry thinking from November 2019 to June 2020 around the concept of defense in depth: a 10 percent composite swing from the concept of industry consolidation to defense in depth.

    The industry craves standardization, as indicated by the continued increased use of industry frameworks.
    In 2020, the state actor hacker space was becoming ever more crowded. Unemployed cyber security talent was a new and looming threat. Dovetailing with cyber-criminal sophistication and collaboration was a brand-new wide-open threat landscape. This all put increased pressure on cyber security professionals.

    Read the PDF report here
    Cyber Security Hub, a division of IQPC

    source

  • Customer details compromised in LastPass data breaches | Cyber Security Hub – Cyber Security Hub

    The data breaches LastPass suffered in August and November 2022 resulted in confidential customer information being compromised.
    In a statement, LastPass explained that the August breach saw a malicious actor steal source code and technical information from LastPass’ development environment that was then used to target an employee. This allowed the hacker to gain access to credentials and keys, which they then used to access LastPass’ third-party cloud storage service in November 2022. Using the keys, the malicious party was able to decrypt some storage volumes within the storage service.
    After the information was decrypted, the hacker accessed and copied information stored on a backup stored on the cloud that included “basic customer account information and related metadata” including “company names, end-user names, billing addresses, email addresses, telephone numbers and the IP addresses from which customers were accessing the LastPass service”. The number of customers affected has not yet been shared.
    LastPass explained that the hacker was also able to “copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs”, as well as “fully-encrypted sensitive fields such as website usernames and passwords, secure notes and form-filled data”.
    The password management company reassured its customers about the safety of their encrypted data, noting that all encrypted files remain “secured with 256-bit AES encryption”, meaning that decrypting them requires a unique encryption key derived from each user’s master password. As LastPass does not know, store or maintain user master passwords, this reduces the chance of compromise.
    LastPass warned its customers to be wary of social engineering or phishing attacks in the wake of the attack. It also noted that while the company uses hashing and encryption methods to protect customer data, the malicious actors may use “brute force” in an attempt to guess customers’ master passwords and decrypt the copies of the vault data they stole.
    The company noted that if customers follow its default settings and best practices for master passwords, it would “take millions of years to guess [a] master password using generally-available password-cracking technology”. It recommended that those who do not follow these best practices change passwords for the websites they currently have stored in their LastPass account.
    LastPass told customers that “sensitive vault data, such as usernames and passwords, secure notes, attachments and form-fill fields, remain safely encrypted based on LastPass’ Zero Knowledge architecture”, adding that there were no recommended further actions for its customers to take.
    Learn more about the breach here

    source

  • Uber Data Breach Results in Corporate Cooperation and Executive … – Sidley Austin LLP

    On October 5, 2022, a federal jury in the Northern District of California convicted former Uber Chief Security Officer Joseph Sullivan of obstructing a federal proceeding and misprision of a felony for his role in deceiving management and the federal government to cover up a 2016 data breach that exposed personally identifiable information (“PII”) of approximately 57 million users, including approximately 600,000 drivers’ license numbers, of the ride-hailing service. Sullivan, a former federal prosecutor, appears to be the first corporate executive criminally prosecuted—let alone convicted—for his response to a data security incident perpetrated by criminals. Sullivan faces a maximum of five years in prison for the obstruction charge, and a maximum three years in prison for the misprision charge.
    Uber hired Sullivan as its first Chief Security Officer (“CSO”) following a data breach in September 2014 related to the unauthorized access of approximately 50,000 consumers’ personal information, including their names and drivers’ license numbers. In the wake of the 2014 breach, the Federal Trade Commission (“FTC”) initiated an investigation into Uber’s data security program and practices. As CSO, Sullivan oversaw Uber’s response to federal regulators and provided testimony regarding Uber’s data security practices. During this testimony, Sullivan made specific representations about steps he claimed Uber had taken to keep customer data secure. However, in November 2016—mere days after testifying before the FTC in its ongoing investigation of the 2014 breach—hackers contacted Sullivan to inform him of a vulnerability they had discovered that permitted the extraction of a large volume of Uber’s data. The Company did not disclose the 2016 incident to FTC investigators, and entered into a consent decree with the FTC in August 2016.
    According to the Complaint, while conducting an investigation into the incident two years later, Uber’s outside lawyers discovered Sullivan’s misconduct. In response, Uber disclosed the breach publicly, and to the FTC, in November 2017.
    The failure to disclose the incident to the FTC during the FTC’s investigation was a critical fact, but perhaps not the most important fact, leading to the prosecution in this case. As properly stated in the jury instruction used in this case for the misprision offense: the “[m]ere failure to report a federal felony is not a crime. The defendant must also commit some affirmative act designed to conceal the fact that a federal felony has been committed. Such an act does not need to be made directly to an authority.” In a Complaint filed in August 2020, federal prosecutors alleged that instead of initiating steps to notify the affected users and relevant authorities as may be required by certain state data breach notification laws, and as Uber had done in 2014 when similar data had been impacted, Sullivan “instructed his team to keep knowledge of the 2016 Data Breach tightly controlled” while he quietly engaged in weeks-long backchanneling with the hackers responsible for it. The negotiations enabled Sullivan to secure nondisclosure agreements from the hackers—including a promise to destroy the data and attestations that they “did not take or store any data” in the first place—in exchange for $100,000. But, as prosecutors alleged, those attestations were false. The government charged that Sullivan improperly made the payment to hackers under a “bug bounty” program intended to incent white-hat hackers to identify security vulnerabilities proactively and in good faith, not to repay those who had in fact accessed and obtained large volumes of personal data in an attempt at extortion. Moreover, the government charged that Sullivan concealed certain details about the incident resulting in affirmative misrepresentations and misleading omissions when Sullivan briefed the new CEO about the incident. 
    Not only did Sullivan’s actions conceal the data breach, the affirmative steps to cover up the crime by the hackers contributed to the ability of the hackers to potentially commit other hacks.
    Sullivan’s prosecution and trial are notable given that the government put on evidence from one of the very hackers who initially had breached Uber’s systems along with testimony from Uber executives. Prosecutors from the U.S. Attorney’s Office for the Northern District of California charged two individuals, Vasile Mereacre and Brandon Glover, with conspiring to commit extortion involving computers. Both pled guilty in 2019, and Mereacre testified at trial, confirming that he and Glover had downloaded data including the names, email addresses, and phone numbers of 57 million users of the Uber application, along with 600,000 drivers’ license numbers.
    In July 2022, the government also entered into a non-prosecution agreement with Uber for a term tied to entry of a final judgment in the prosecution against Sullivan, citing several factors weighing against corporate prosecution:
    As noted in the DOJ’s press release, Uber’s full cooperation played an important role in this decision. According to Deputy Attorney General Lisa Monaco’s September 2022 revision to DOJ’s Corporate Enforcement Policy, a company is eligible to receive “full cooperation credit” from the DOJ when it has not only “promptly notified prosecutors of particularly relevant information once it was discovered,” but also “prioritized” the production of that information deemed “most relevant for assessing individual culpability.” The Monaco Memo emphasizes that a company may lose its “eligibility for cooperation credit”—in whole or in part—if it “delays its disclosure” of significant facts once it identifies them. 
    The failure to disclose the 2016 incident amid the FTC’s investigation of Uber’s privacy and cybersecurity practices for a similar incident also led to a revision of the FTC’s consent order requiring Uber to notify the FTC of certain future incidents involving unauthorized access to consumer information. The revision also exposes the company to civil penalties if it fails to notify the FTC of such incidents in accordance with the terms of the settlement.
    This case serves as a cautionary tale for any corporation that runs a bug bounty program, and provides critical lessons for data breach response and cybersecurity governance. For example, companies may want to review their bug bounty programs to ensure that proper governance and controls are in place, including clear eligibility rules and approval steps, so that a payment to someone who has already accessed and retained data is recognized as an extortion demand and handled as an incident rather than as a bounty. Companies should also consider their data breach notification obligations following any bug bounty report or cyber incident.
    Senior managing associate Alexander J. Kellermann and associate Connor G. Boehm contributed to this Sidley Update.
    Sidley Austin LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from professional advisers.
    Attorney Advertising—Sidley Austin LLP, One South Dearborn, Chicago, IL 60603. +1 312 853 7000. Sidley and Sidley Austin refer to Sidley Austin LLP and affiliated partnerships, as explained at www.sidley.com/disclaimer.
    © Sidley Austin LLP

    source

  • What cyber security authentication is, and what it is not – TechDay News

    First, what is Cyber Security authentication?

    Authentication is the process of verifying the claimed identity of a user or device that seeks to access a system, network, or application. It is a foundational cyber security control: it ensures that only recognized people and devices can reach sensitive resources and data, and every later access decision depends on it having been done correctly.
    Cyber security is largely about closing gaps, and the access points where identities are asserted are the natural place to start. Authentication is performed at many layers (device, network, application, cloud service), with the strength of the method matched to the sensitivity of what it protects.
    Let us look at what authentication is and what it is not, so you can judge how well secured your organization is and where its cyber security is lagging behind.

    Authentication vs. Authorization

    Authentication is the process of validating a person’s or device’s identity. Authorization is the process of deciding whether a previously authenticated person or device is permitted to execute a certain activity or access a specific resource; it is typically determined by the user’s role, permissions, or privileges in the system. A user, for example, may be authenticated to a system but permitted only to view specific data or perform specific activities inside it.
    The two are not the same, and the order matters: an authorization decision is only as trustworthy as the authentication that precedes it. They work together to secure organizations, identities, devices, and networks, and are used in tandem to guarantee that only authorized people and devices reach sensitive resources and data.
    Privileged Access Management (PAM) is one prominent system on the authorization side: it governs how privileged users obtain and use administrative access, rather than merely verifying who they are.
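The distinction above is easiest to see in code. The following is an added example, not code from the TechDay article: a request handler that first authenticates the caller from an HMAC-signed session token and only then authorizes the requested action against a role table. The signing key, the users, roles and permission names are all constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Server-side signing key for session tokens (constructed for this example;
# a real deployment loads it from a secret store and rotates it).
SIGNING_KEY = b"example-signing-key-not-for-production"

# Role-based access control tables (constructed for this example).
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "analyst": {"report:read", "report:export"},
    "admin": {"report:read", "report:export", "user:manage"},
}
USER_ROLES = {"alice": "admin", "bob": "viewer"}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user: str, ttl_seconds: int = 3600, now: Optional[float] = None) -> str:
    """Mint an HMAC-signed bearer token once the user has proven who they are."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "exp": int(now) + ttl_seconds}).encode()
    tag = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def authenticate(token: str, now: Optional[float] = None) -> Optional[str]:
    """Authentication: establish WHO is calling.
    Returns the user, or None if the token is forged, malformed or expired."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
        claims = json.loads(payload)
    except ValueError:  # bad split, bad base64 (binascii.Error is a ValueError), bad JSON
        return None
    if not isinstance(claims, dict):
        return None
    expected = hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def authorize(user: str, permission: str) -> bool:
    """Authorization: decide WHAT an already-authenticated user may do."""
    role = USER_ROLES.get(user)
    return permission in ROLE_PERMISSIONS.get(role, set())


def handle_request(token: str, permission: str, now: Optional[float] = None) -> Tuple[int, str]:
    """Identity first, then permission. Distinct status codes keep the two failures apart:
    401 means 'I do not know who you are', 403 means 'I know who you are and the answer is no'."""
    user = authenticate(token, now)
    if user is None:
        return 401, "authentication failed"
    if not authorize(user, permission):
        return 403, f"{user} is authenticated but not permitted to {permission}"
    return 200, f"{user} performed {permission}"
```

Note that `bob` can authenticate perfectly well and still receive a 403 for `report:export`: passing authentication says nothing about what a principal may do, and an authorization check that trusts an unverified `sub` claim would be bypassed by anyone who can edit the token, which is why the tag is checked before the claims are read.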

    5 types of cyber security authentication

      1. Password-Based Authentication

    This is the most common type of authentication, which involves users entering a username and password to access a system or application. Password-based authentication is easy to implement, but it can be vulnerable to password theft, social engineering attacks, and brute force attacks.
    When it comes to protecting passwords, this method cannot be discussed without mentioning password vaults.
    A password vault, also known as a password manager, is software that securely stores and manages passwords and other confidential data, such as credit card numbers and personal identification numbers (PINs). A vault lets users generate and store a long, unique, random password for every account and website, removing the need to remember them and preventing one stolen password from being replayed against other services.
    Password vaults work by encrypting the stored passwords and other private data with a key derived from a single master password (and, in better implementations, a second factor) and keeping the encrypted database locally or in the vendor’s cloud. The master password is therefore the one credential that must be both strong and never reused: if it is weak or phished, everything in the vault is exposed at once, so the vault itself should be protected with MFA where supported.
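The two weaknesses the text names for this method, password theft and brute force, are addressed on the server side by how the password is stored and by how many guesses are allowed. The block below is an added example written for this page, not code from the article: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, compared in constant time, and an account is locked after a fixed number of failures. The iteration count, lockout parameters and user data are constructed for the illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Work factor and lockout policy (constructed for this example; 600,000 iterations
# is the OWASP recommendation for PBKDF2-HMAC-SHA256 at the time of writing).
ITERATIONS = 600_000
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. A fresh random salt per call means two users with the
    same password get different records, and precomputed tables are useless."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))  # constant-time compare


# Verified against for unknown usernames so response time does not reveal which accounts exist.
_DUMMY_RECORD = hash_password("dummy")


def create_user(store: dict, username: str, password: str, iterations: int = ITERATIONS) -> None:
    store[username] = {"hash": hash_password(password, iterations), "failures": 0, "locked_until": 0.0}


def login(store: dict, username: str, password: str, now: Optional[float] = None) -> str:
    """Returns 'ok', 'invalid' or 'locked'. The lockout caps online guessing at
    MAX_FAILURES attempts per LOCKOUT_SECONDS instead of letting an attacker run a wordlist."""
    now = time.time() if now is None else now
    record = store.get(username)
    if record is None:
        verify_password(password, _DUMMY_RECORD)  # burn the same work as a real check
        return "invalid"
    if record["locked_until"] > now:
        return "locked"
    if verify_password(password, record["hash"]):
        record["failures"] = 0
        return "ok"
    record["failures"] += 1
    if record["failures"] >= MAX_FAILURES:
        record["failures"] = 0
        record["locked_until"] = now + LOCKOUT_SECONDS
        return "locked"
    return "invalid"
```

The stored string carries its own algorithm and iteration count so the work factor can be raised later without invalidating existing records: verify the old hash, then rehash with the new parameters on the next successful login. A per-account lockout alone does not stop password spraying (one guess across many accounts), which needs rate limiting by source address as well.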

      2. Multi-Factor Authentication (MFA)

    Multi-factor authentication (MFA) requires users to present two or more independent forms of evidence before being granted access to a system or application: something the user knows (such as a password), something the user has (such as a security token, smart card, or authenticator app), or something the user is (such as biometric data). MFA is more secure than password-based authentication because an attacker must compromise more than one factor to gain access. The factors must be of different kinds, however: a password plus a security question is still two of “something you know”, and one-time codes delivered by SMS or typed into a phishing page can be relayed by an attacker in real time, which is why phishing-resistant factors such as hardware keys and certificates are preferred for high-value accounts.

      3. Certificate-Based Authentication

    Certificate-based authentication uses digital certificates to authenticate users and devices. A certificate binds an identity to a public key and is issued by a trusted certificate authority; the holder proves its identity by demonstrating possession of the corresponding private key, for example by signing a challenge during a TLS handshake. It is more secure than password-based authentication because nothing reusable crosses the wire and there is no shared secret to guess or phish. The certificate itself is public and gains an attacker nothing on its own; what must be protected is the private key, ideally held in a smart card, TPM, or hardware security module, and certificates must be revoked promptly when a key is compromised or a device is retired.

      4. Biometric Authentication

    Biometric authentication uses physical characteristics, such as fingerprints, facial features, or iris patterns, to verify the identity of users. It is convenient, removes the burden of remembering secrets, and a biometric is harder to share or guess than a password. It has its own failure modes, however: it can be vulnerable to spoofing attacks, where attackers present fake fingerprints or facial images, so liveness detection matters; matching is probabilistic, so every system has a false-accept and a false-reject rate that must be tuned; and a biometric cannot be changed if the stored template leaks, so templates must be protected, for example by keeping them in a secure enclave on the device rather than in a central database.
    There are many biometric modalities, and the appropriate one depends on the level of security required and the environment: on-premises, network, cloud, and device access each present a different attack surface and may call for a different method. A high-security on-premises laboratory, for instance, may require fingerprint or iris authentication at the door, while a phone may rely on face recognition. Voice recognition is a further modality used to verify the identity of a user.

      5. Behavioral Authentication

    This method analyzes the behavior of users, such as keystroke dynamics, mouse movements, or device usage patterns, to verify their identity, often continuously in the background rather than once at login. Behavioral authentication adds security beyond a password because an attacker who holds the password must still replicate the legitimate user’s habits. However, it is vulnerable to false rejections (often loosely called false positives), where legitimate users are denied or challenged because their behavior has changed: a new keyboard, an injury, or simply typing in a hurry. For that reason it is usually deployed as a risk signal that triggers step-up authentication rather than as a hard gate.
    A more recent variant of this approach is known as behavior-driven governance (BDG).
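To make the false-rejection problem concrete, here is an added example, not code from the article, of the simplest form of keystroke-dynamics verification: enrol a user from several typings of a fixed passphrase, then score a new attempt by how far each inter-key latency sits from the enrolled mean. It also shows one common remedy, comparing relative rhythm instead of absolute timings. All timing data below is constructed for the illustration; real deployments use far more samples and richer features.

```python
import statistics

FLOOR_MS = 5.0         # minimum spread for absolute latencies (ms), avoids division by ~0
FLOOR_FRACTION = 0.01  # minimum spread for rhythm fractions


def intervals(key_down_times_ms):
    """Key-down timestamps for one typing of the passphrase -> digraph latencies in ms."""
    return [b - a for a, b in zip(key_down_times_ms, key_down_times_ms[1:])]


def rhythm(latencies):
    """Express each latency as a fraction of the total so overall typing speed cancels out."""
    total = sum(latencies)
    return [x / total for x in latencies]


def enroll(samples, normalize=False):
    """Profile = per-digraph mean and spread over several enrolment typings."""
    floor = FLOOR_FRACTION if normalize else FLOOR_MS
    rows = [rhythm(s) if normalize else list(s) for s in samples]
    columns = list(zip(*rows))
    means = [statistics.fmean(c) for c in columns]
    spreads = [max(statistics.stdev(c), floor) for c in columns]
    return {"means": means, "spreads": spreads, "normalize": normalize}


def score(profile, latencies):
    """Mean absolute z-score of an attempt against the profile; lower means more similar."""
    if len(latencies) != len(profile["means"]):
        return float("inf")  # wrong passphrase length: cannot be the enrolled pattern
    obs = rhythm(latencies) if profile["normalize"] else latencies
    return statistics.fmean(abs(x - m) / s for x, m, s in zip(obs, profile["means"], profile["spreads"]))


def verify(profile, latencies, threshold=2.0):
    """Accept when the attempt is, on average, within `threshold` spreads of the enrolled profile."""
    return score(profile, latencies) < threshold


# Constructed enrolment data: five typings of the same passphrase, six digraph latencies each.
ENROLMENT = [
    [120, 200, 90, 250, 130, 180],
    [128, 192, 96, 258, 124, 186],
    [114, 208, 86, 244, 136, 174],
    [122, 196, 92, 254, 128, 182],
    [116, 204, 86, 244, 132, 178],
]
GENUINE = [123, 203, 88, 247, 133, 177]   # same user, usual pace
HURRIED = [84, 140, 63, 175, 91, 126]     # same user 30% faster: same rhythm, shorter latencies
IMPOSTOR = [200, 120, 160, 110, 220, 90]  # different person typing the stolen passphrase
```

Against the absolute-timing profile the impostor is rejected, but so is the legitimate user typing in a hurry: that is the false rejection the text warns about. Normalizing to rhythm (`enroll(ENROLMENT, normalize=True)`) accepts the hurried typing while still rejecting the impostor, at the cost of ignoring speed as a signal. Whatever the features, the threshold is a direct trade between false rejections and false acceptances, which is why this factor is best used to decide when to demand another one rather than as the sole gate.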

    source