A Review of the Best News of the Week on Cybersecurity Management & Strategy

Security and Privacy Implications of Zoom (Schneier on Security, Apr 03 2020)
In general, Zoom’s problems fall into three broad buckets: (1) bad privacy practices, (2) bad security practices, and (3) bad user configurations.

New federal guidelines could ban internet in voting machines (POLITICO, Mar 30 2020)
The new rules would represent a landmark development in voting technology oversight.

Coalition of nonprofits push to secure remote workforce (SC Media, Mar 31 2020)
While work from home (WFH) ostensibly keeps workers safe from COVID-19, it has exposed them and their companies to a bevy of cybersecurity risks – now a coalition of 13 nonprofit organizations is offering, if not a cure, then a treatment, through a “Work From Home. Secure Your Business.” campaign.


Filter Out the Noise
Since I started this curated newsletter in June 2017, I’ve clipped ~13,000 articles and narrowed them down into the best 20 per day & best 15 per week. This is my favorite way to cut through all the security marketing and hype. If you’re enjoying it, tell a friend. If you hate it, tell an enemy.
Thanks! – Lucas Samaras


Source code of Dharma ransomware pops up for sale on hacking forums (ZDNet, Mar 30 2020)
The source code of one of today’s most profitable and advanced ransomware strains is up for sale on two Russian-language hacking forums.

Benchmarking the State of the CISO in 2020 (Infosec Island, Mar 27 2020)
For its 2020 CISO Benchmark Report, Cisco surveyed some 2,800 CISOs and other IT decision-makers from 13 countries about how they cope, and came up with a number of interesting findings.

Clarifying the Computer Fraud and Abuse Act (Schneier on Security, Mar 31 2020)
A federal court has ruled that violating a website’s terms of service is not “hacking” under the Computer Fraud and Abuse Act.

Securing Your Remote Workforce: A Coronavirus Guide for Businesses (Dark Reading, Mar 30 2020)
Often the hardest part in creating an effective awareness program is deciding what NOT to teach.

Patching Poses Security Problems with Move to More Remote Work (Dark Reading, Mar 31 2020)
Security teams were not ready for the wholesale move to remote work and the sudden expansion of the attack surface area, experts say.

Security tips every teacher and professor needs to know about Zoom, right now (Ars Technica, Apr 02 2020)
With Zoom-bombing a cultural phenomenon, here’s how to protect your meetings.

Zoom Patches Three New Bugs in Scramble to Support Remote Workers (Infosecurity Magazine, Apr 03 2020)
CEO Eric Yuan admits platform has been overwhelmed by new users

Keys Used to Encrypt Zoom Meetings Sent to China: Researchers (SecurityWeek, Apr 03 2020)
“A scan shows a total of five servers in China and 68 in the United States that apparently run the same Zoom server software as the Beijing server. We suspect that keys may be distributed through these servers. A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China,” Citizen Lab explained in a report published on Friday.

FBI turns to insurers to grasp the full reach of ransomware (CyberScoop, Mar 31 2020)
The FBI is turning to insurers to get data on ransomware attacks since victims are still not reaching out to the bureau when their systems are attacked.

21% of SMBs do not have a data backup or disaster recovery solution in place (Help Net Security, Mar 31 2020)
58% of C-level executives at small and medium businesses (SMBs) said their biggest data storage challenge is security vulnerability, according to Infrascale. The research, conducted in March 2020, is based on a survey of more than 500 C-level executives. CEOs represented 87% of the group.

While nearly 90% of companies are backing up data, only 41% do it daily (Help Net Security, Apr 03 2020)
42% of companies experienced a data loss event that resulted in downtime last year, according to Acronis. That high number is likely caused by the fact that while nearly 90% are backing up the IT components they’re responsible for protecting, only 41% back up daily – leaving many businesses with gaps in the valuable data available for recovery.

Debunking vulnerability management myths for a safer enterprise (Help Net Security, Mar 30 2020)
Cybersecurity is one of the most daunting challenges enterprises will face in 2020. According to IBM’s 2019 Cost of a Data Breach report, the average cost of a data breach in the U.S. is $8.19 million, with companies averaging 206 days to identify breaches before even attempting to address them (a task that averages another 38 days).

NATO Report Warns of New Authoritarian Chinese Splinternet (Infosecurity Magazine, Mar 31 2020)
China’s plans to replace TCP/IP being pushed through at ITU level

OIG Lacks Confidence in FBI’s Adherence to Woods Procedures (Infosecurity Magazine, Mar 31 2020)
Auditor reports missing or non-existent facts in FBI Foreign Intelligence Surveillance Act applications

Dark Web Hosting Provider Hacked (Schneier on Security, Apr 01 2020)
Daniel’s Hosting, which hosts about 7,600 dark web portals for free, has been hacked and is down. It’s unclear when, or if, it will be back up.

Ransomware Payments on the Rise (Infosecurity Magazine, Apr 01 2020)
New research finds more ransomware victims are paying their cyber-attackers

Class Action Lawsuit Filed Against Marriott Over New Data Breach (SecurityWeek, Apr 02 2020)
Law firm Morgan & Morgan announced on Thursday that it has filed a class action lawsuit against Marriott over the recently disclosed data breach that has impacted as many as 5.2 million individuals.