Cybersecurity highlights of 2023: New SEC cybersecurity rules and the major breaches driving them

December 4, 2023
John Bruggeman
Consulting CISO

In this episode of Inside the CISO’s Office, the hosts discuss the biggest cybersecurity highlights of 2023, including ransomware attacks on organizations like MGM Resorts, the MOVEit vulnerability that led to lawsuits, and the use of generative AI in phishing attacks. They emphasize the importance of security awareness, network segmentation and trust-but-verify practices, and discuss following FTC safeguard rules and training to combat advanced phishing threats.

As the cyber threat landscape evolves, humans remain the top target of threat actors and are targeted more aggressively than in previous years. The two most significant ransomware attacks of the year (to date)—the MGM Resorts and the MOVEit hacks—highlight hacking techniques that don’t use new AI-generated phishing e-mail or deepfake voice technology, but rather plain old-fashioned trickery. The depth and breadth of the MOVEit breach is impressive. The number of companies and the size of the organizations impacted are significant. Major organizations—including the Department of Education and TIAA-CREF—have been hit to the tune of millions of disclosed records.

While MOVEit didn’t sway the SEC to update its cyber rules for 2023, the SEC did add regulation regarding how many days an organization had before reporting material breaches. Publicly traded companies only have four business days to notify the SEC when they have a material breach.

The most popular attack vector is still e-mail. An estimated 90% of cyberattacks begin with a phishing e-mail. The chance of a successful breach increases dramatically when paired with a “vishing” attack (voice phishing). IBM found that vishing attacks were three times more likely to succeed than phishing alone.

This companion post to the above Tech Talk reviews these recent breaches and the implications of the updated FTC and SEC cyber rules. Additionally, we’ll summarize some basic steps to avoid being the victim of a ransomware attack.

Exploring the MGM and MOVEit breaches

On September 11, 2023, MGM Resorts reported a cybersecurity issue. For the next ten days, the resort company lost access to and control of various devices in their IT environment—from slot machines to room keys. Cashiers even had to issue handwritten receipts. By September 20, MGM reported that operations had been restored with “intermittent” issues. In early October, they notified guests that criminals had gained access to sensitive data, including some social security numbers. So far, it’s estimated that MGM lost over $100 million in the attack.

A sophisticated social engineering attack to reset a password with vishing caused the devastating breach. The cybercriminal called tech support and impersonated a high-level employee to gain access to their credentials. The criminals did their research and were able to impersonate the employee well enough that the tech support team believed the attacker.

Ryan explained, “It’s still people. A lot of the breaches that we’re going to talk about today, that we talk about all the time, are still people-based breaches. It’s not necessarily a vulnerability in software. It’s not necessarily an improperly open port. It’s sending a link or making the right phone call to the right person, finding that way in, getting an identity reset, and taking over that identity and leveraging it.”

Ryan Hamrick, Security Consulting Services Manager

The MGM hack comes on the heels of the MOVEit breach earlier this year, the implications of which are still being revealed. MOVEit is a file transfer service used by organizations worldwide. The latest estimates say that over 1,000 companies had systems exposed due to this zero-day vulnerability. Initial reports of the issue came in May of this year, and the vendor had a patch ready days later. The exposed organizations include government branches, public universities, the New York Public School system, and the BBC. Additionally, over 60 million user records were exposed, and countless lawsuits are underway.

Navigating the new SEC cyber rules and FTC Safeguards update

The MOVEit event and other large-scale attacks prompted the SEC to change its cybersecurity breach disclosure rules. Now, organizations must report material breaches—namely those incurring significant financial damages or risks to customer data—within four business days to the SEC. There are exceptions, but only as they pertain to national security. These cyber rules and regulations take full effect by the end of this year, but companies should ensure they are ready to comply, as the SEC is beginning to dole out punishments for non-compliant CISOs. We will closely watch this precedent-setting development unfolding in 2024 and beyond.

Additionally, the FTC safeguard rules went into effect this year. These rules require companies with long-term financial relationships with customers to have a real cybersecurity program in place—one that manages data compliance programs for organizations such as colleges, payday lenders, car dealerships, etc. The revised regulations update the 20-year-old Gramm-Leach-Bliley Safeguards Rule—designed to “develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The changes expand on the original act as it pertains to breaches affecting 500 or more people within the non-banking finance space.


Emerging threats to the cybersecurity landscape

Generative AI and deepfake technology are improving the sophistication of cybercriminals.

John weighed in, “In the generative AI space, I think it will certainly improve the readability of phishing e-mails. And the thing that people need to prepare for is there are tools out there, very, very cheap tools, that you can buy that will imitate my voice. So people could sample my voice from this or other episodes, make a decent-sounding copy of my voice, and do it.”

John Bruggeman, Consulting CISO

Generative AI helps create more believable, error-free phishing e-mails. This complicates the threat landscape because, previously, grammar mistakes were often an indicator of phishing attempts and a key component of anti-phishing training. Caller ID spoofing allows bad actors to imitate reputable organizations or people. And now, high-quality voice and even video call imitations could soon bring a new level of plausibility and danger to the threat landscape at a very low price—think a $5 monthly fee—to launch a high-quality vishing campaign.


CISO strategies for responding to emerging threats and vulnerabilities

Chris was asked how he would mitigate the risks involved in these recent breaches. His answer included:

  • Utilize a zero trust framework to enhance segmentation and understand network risk.
  • Implement an engaging, memorable, and continuous cybersecurity training program.
  • Remain diligent at all times.
  • Align your cybersecurity program to a well-known security framework, like NIST CSF or CIS Controls.

Ryan emphasized one of the core tenets of zero trust, which is “always verify.” John recommends deploying the “standard blocking and tackling of cyber defense”:

  • Encrypt sensitive data at rest and in motion.
  • Keep dynamic, tested backups and disaster recovery systems in place.
  • Develop an incident response plan that is not overly complicated but is informed by security standards.
  • Run continuous, evolving training that includes penetration testing as well as phishing and vishing testing.
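The MGM breach described above succeeded at the help desk, where a convincing phone call was enough to get an identity reset; Ryan's "always verify" tenet is the control that closes that path. The following is an added example, written for this post and not CBTS code or MGM's actual process, showing what "always verify" looks like when a reset request arrives by phone. The employee directory, phone numbers and time stamps are constructed; the gating rules (a callback to the number on file or an MFA push as the only accepted proof, manager sign-off for privileged accounts, and an alert when one account draws repeated unverified reset attempts) are assumptions of the example, not a published standard.

```python
"""Help-desk credential-reset gate: 'always verify' applied to a phone request.

Added example (not CBTS code, not MGM's process). Caller ID and a persuasive
story are treated as informational only; the reset is approved solely on
out-of-band proof tied to the identity on file. Every decision is logged so
the SOC can spot an account that keeps drawing unverified reset attempts.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Dict, List, Optional


class Decision(Enum):
    APPROVE = "approve"
    DENY = "deny"
    ESCALATE = "escalate"   # hold the reset and route it to a second-line analyst


@dataclass(frozen=True)
class Employee:
    user_id: str
    enrolled_phone: str     # taken from the HR record, never from the caller
    privileged: bool        # admin, finance or IT roles need an extra approval


@dataclass
class ResetRequest:
    claimed_user_id: str
    caller_id: str                      # presented caller ID; spoofable, so never proof
    callback_confirmed: bool            # desk hung up and rang the enrolled number
    mfa_push_approved: Optional[bool]   # push to the registered device; None if unavailable
    manager_approved: bool = False
    requested_at: datetime = field(default_factory=datetime.now)


@dataclass
class AuditEntry:
    user_id: str
    decision: Decision
    reason: str
    at: datetime


def evaluate_reset(req: ResetRequest, directory: Dict[str, Employee],
                   audit: List[AuditEntry]) -> Decision:
    """Decide a phone-initiated credential reset and record the outcome."""
    emp = directory.get(req.claimed_user_id)
    if emp is None:
        decision, reason = Decision.DENY, "unknown account"
    elif not (req.callback_confirmed or req.mfa_push_approved):
        # The branch a vishing call is trying to skip: a caller ID that matches
        # the file is not verification, because caller ID can be spoofed.
        decision, reason = Decision.ESCALATE, "no out-of-band verification"
    elif emp.privileged and not req.manager_approved:
        decision, reason = Decision.ESCALATE, "privileged account without manager approval"
    else:
        decision, reason = Decision.APPROVE, "verified out of band"
    audit.append(AuditEntry(req.claimed_user_id, decision, reason, req.requested_at))
    return decision


def repeated_reset_attempts(audit: List[AuditEntry], window: timedelta = timedelta(hours=24),
                            threshold: int = 2) -> List[str]:
    """Detection: accounts with `threshold` or more non-approved reset attempts
    inside `window`. Repeated failed verification on one account is the signal
    worth paging on, because a legitimate user rarely fails a callback twice."""
    by_user: Dict[str, List[datetime]] = {}
    for entry in audit:
        if entry.decision is not Decision.APPROVE:
            by_user.setdefault(entry.user_id, []).append(entry.at)
    flagged = []
    for user, times in by_user.items():
        times.sort()
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                flagged.append(user)
                break
    return flagged


# Constructed directory for the walk-through (not real accounts or numbers).
DIRECTORY = {
    "jdoe": Employee("jdoe", "+1-555-0100", privileged=False),
    "admin.kim": Employee("admin.kim", "+1-555-0199", privileged=True),
}


def run_scenarios() -> dict:
    """Four constructed reset calls, including the MGM-style one, plus the alert."""
    audit: List[AuditEntry] = []
    t0 = datetime(2023, 9, 11, 9, 0)   # constructed time stamp
    # 1. Vishing pattern: caller ID spoofed to match the file, no callback, no push.
    spoofed = evaluate_reset(ResetRequest("admin.kim", "+1-555-0199", False, None,
                                          requested_at=t0), DIRECTORY, audit)
    # 2. Same account again an hour later, still without out-of-band proof.
    again = evaluate_reset(ResetRequest("admin.kim", "+1-555-0199", False, False,
                                        requested_at=t0 + timedelta(hours=1)), DIRECTORY, audit)
    # 3. Legitimate reset: the desk rang the enrolled number and the user answered.
    legit = evaluate_reset(ResetRequest("jdoe", "unknown", True, None,
                                        requested_at=t0), DIRECTORY, audit)
    # 4. Privileged account verified by callback, but no manager sign-off yet.
    priv = evaluate_reset(ResetRequest("admin.kim", "+1-555-0199", True, None,
                                       requested_at=t0 + timedelta(days=2)), DIRECTORY, audit)
    # 5. Account that does not exist in the directory.
    ghost = evaluate_reset(ResetRequest("nobody", "+1-555-0000", True, None,
                                        requested_at=t0), DIRECTORY, audit)
    return {"spoofed": spoofed, "again": again, "legit": legit, "priv": priv,
            "ghost": ghost, "flagged": repeated_reset_attempts(audit)}


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The design point is that the decision never consults `caller_id`: it is carried only so the audit trail records what the caller presented. The two escalation paths are deliberately distinct, so a second-line analyst sees whether the request failed verification entirely or merely lacks the approval a privileged reset needs, and the detector runs over the same audit list the gate writes, so no separate logging pipeline is required to alert on the pattern.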

All three experts recommend gentleness and providing additional training for employees who fail simulated phishing and vishing attempts.

Ryan expanded, “A lot of companies stop at just sending the phishing e-mail and saying, ‘Hey, you got phished.’ Instead, follow up with additional training for those individuals, whether video-based or computer-based assessments. Nobody wants to be the point of an intrusion, to be that person who let that access happen. But having followed that up with additional training sources is key to that whole awareness process—not just doing the phishing connection.”


Cybersecurity solutions from CBTS

As we have seen, 2023 has already proven a momentous year for cybersecurity, with the constant evolution of cyberattacks and the new SEC rules and regulations. CBTS cybersecurity experts can help future-proof your defense posture and avoid devastating breaches like the MGM Resorts and MOVEit breaches. Get in touch to schedule a vulnerability assessment.
