In this episode of Inside the CISO’s Office, the hosts discuss the biggest cybersecurity highlights of 2023, including ransomware attacks on organizations like MGM Resorts, the MOVEit vulnerability that led to lawsuits, and the use of generative AI in phishing attacks. They emphasize the importance of security awareness, network segmentation and trust—but verify practices and discuss following FTC safeguard rules and training to combat advanced phishing threats.
Trends and statistics from the 2023 cyber threat landscape
As the cyber threat landscape evolves, humans remain the top target of threat actors and are targeted more aggressively than in previous years. The two most significant ransomware attacks of the year (to date)—the MGM Resorts and the MOVEit hacks—highlight hacking techniques that don’t use new AI-generated phishing e-mail or deepfake voice technology, but rather plain old-fashioned trickery. The depth and breadth of the MOVEit breach is impressive. The number of companies and the size of the organizations impacted are significant. Major organizations—including the Department of Education and TIAA-CREF—have been hit to the tune of millions of disclosed records.
While MOVEit didn’t sway the SEC to update its cyber rules for 2023, the SEC did add regulation regarding how many days an organization had before reporting material breaches. Publicly traded companies only have four business days to notify the SEC when they have a material breach.
The most popular attack vector is still e-mail. An estimated 90% of cyberattacks begin with a phishing e-mail. The chance of a successful breach increases dramatically when paired with a “vishing” attack (voice phishing). IBM found that vishing attacks were three times more likely to succeed than phishing alone.
This companion post to the above Tech Talk reviews these recent breaches and the implications of the updated FTC and SEC cyber rules. Additionally, we’ll summarize some basic steps to avoid being the victim of a ransomware attack.
Exploring the MGM and MOVEit breaches
On September 11, 2023, MGM Resorts reported a cybersecurity issue. For the next ten days, the resort company lost access to and control of various devices in their IT environment—from slot machines to room keys. Cashiers even had to issue handwritten receipts. By September 20, MGM reported that operations had been restored with “intermittent” issues. In early October, they notified guests that criminals had gained access to sensitive data, including some social security numbers. So far, it’s estimated that MGM lost over $100 million in the attack.
A sophisticated social engineering attack to reset a password with vishing caused the devastating breach. The cybercriminal called tech support and impersonated a high-level employee to gain access to their credentials. The criminals did their research and were able to impersonate the employee well enough that the tech support team believed the attacker.
The MGM hack comes on the heels of the MOVEit breach earlier this year, the implications of which are still being revealed. MOVEit is a file transfer service used by organizations worldwide. The latest estimates say that over 1,000 companies had systems exposed due to this zero-day vulnerability. Initial reports of the issue came in May of this year, and the vendor had a patch ready days later. The exposed organizations include government branches, public universities, the New York Public School system, and the BBC. Additionally, over 60 million user records were exposed, and countless lawsuits are underway.
Navigating the new SEC cyber rules and FTC Safeguards update
The MOVEit event and other large-scale attacks prompted the SEC to change its cybersecurity breach disclosure rules. Now, organizations must report material breaches—namely those incurring significant financial damages or risks to customer data—within four business days to the SEC. There are exceptions, but only as they pertain to national security. These cyber rules and regulations take full effect by the end of this year, but companies should ensure they are ready to comply, as the SEC is beginning to dole out punishments for non-compliant CISOs. We will closely watch this precedent-setting development unfolding in 2024 and beyond.
Additionally, the FTC safeguard rules went into effect this year. These rules require companies with long term financial relationships with customers to have a real cybersecurity program in place—one that manages data compliance programs for organizations such as colleges, payday lenders, car dealerships, etc. The revised regulations update the 20-year-old Gramm-Leach-Bliley Safeguards Rule—designed to “develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The changes expand on the original act pertaining to breaches affecting 500 or more people within the non-banking finance space.
Also read: Data protection and managed backup for secure cloud organizations
Emerging threats to the cybersecurity landscape
Generative AI and deepfake technology are improving the sophistication of cybercriminals.
Generative AI helps create more believable, error-free phishing e-mails. This complicates the threat landscape because, previously, grammar mistakes were often an indicator of phishing attempts and a key component of anti-phishing training. Call ID spoofing allows bad actors to imitate reputable organizations or people. And now, high-quality voice and even video call imitations could soon bring a new level of plausibility and danger to the threat landscape for a very low price—think a $5 monthly fee—to launch a high-quality voice vishing campaign.
Also read: Seven security pitfalls of legacy applications and environments
CISO strategies for responding to emerging threats and vulnerabilities
ked Chris how he would mitigate the risks involved in these recent breaches. His answer included:
- Utilize a zero trust framework to enhance segmentation and understand network risk.
- Implement an engaging, memorable, and continuous cybersecurity training program.
- Remain diligent at all times.
- Align your cybersecurity program to a well-known security framework, like NIST CSF or CIS Controls.
Ryan emphasized one of the core tenets of zero trust, which is “always verify.” John recommends deploying the “standard blocking and tackling of cyber defense”:
- Encrypt sensitive data at rest and motion.
- Dynamic, tested backups and disaster recovery systems in place.
- Develop an instant response plan that is not overly complicated but informed by security standards.
- Continuous, evolving training that implements penetration testing as well as phishing and vishing testing.
All three experts recommend gentleness and providing additional training for employees who fail simulated phishing and vishing attempts.
Ryan expanded, “A lot of companies stop at just sending the phishing e-mail and saying, ‘Hey, you got phished.’ Instead, follow up with additional training for those individuals, whether video-based or computer-based assessments. Nobody wants to be the point of an intrusion; be that person who let that access happen. But having followed that up with additional training sources is key to that whole awareness process—not just doing the phishing connection.”
Read more: Top five cybersecurity actions to take right now
Cybersecurity solutions from CBTS
As we have seen, 2023 has already proven a momentous year for cybersecurity with the constant evolution of cyber-attacks and the new SEC rules and regulations. CBTS cybersecurity experts can help future-proof your defense posture and avoid devastating breaches like the MGM Resorts and MOVEit Breach. Get in touch to schedule a vulnerability assessment.