Newsletter #22 - August 13, 2024
SecureMyInsights

CyberSecurity 101
How's everyone doing? 👋
Heads up!
In August 2024, several significant regulatory updates and compliance challenges are shaping the landscape, particularly in data privacy and cybersecurity.
So we decided to feature them in this week's newsletter to keep everyone updated and in the know, and to discuss some of the challenges that come with the changes.
🧑‍🏭 Jobs & Internships
VAPT Penetration Tester at SecureMyOrg (Remote, 2+ years exp) - Focus on web, Android, and iOS security projects.
CyberMSI offers a paid cybersecurity internship with hands-on Microsoft cloud security training and potential full-time employment.
HBK seeks an Information Security Compliance Officer to manage ISMS and compliance programs, ensuring global security standards.
Sophos is hiring a Security Operations Manager to oversee their MDR team, manage incident response, and lead threat analysts.
🔏 Last Week in Cyber Security
Join our Discord to get more news in the Security Domain. 🛡️
Invisible PDF Hack: AI Manipulation for Resumes
A new tool allows users to inject invisible text into PDFs, tricking AI systems into ranking resumes higher or summarizing content inaccurately. This method exposes security flaws in AI-driven screening processes and highlights the potential risks of AI manipulation.
Critical RCE Found in Chatbot Platform
Google has announced plans to block certificates issued by Entrust in Chrome due to security concerns. This decision follows the discovery of issues with how Entrust handled its certificate issuance processes, aiming to enhance browser security and protect users from potential vulnerabilities associated with these certificates.
WebSocket Hijacking Vulnerability Discovered in Chatbot
A pentest revealed a Cross-Site WebSocket Hijacking (CSWSH) vulnerability in a chatbot's WebSocket communications. This flaw allows attackers to hijack WebSocket connections and exfiltrate sensitive data. Key mitigation strategies include validating the "Origin" header, setting appropriate SameSite attributes, and enforcing strict validation on session identifiers.
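The three mitigations above, as an added defender-side example that is not code from the newsletter or from the chatbot that was tested: a handshake check for a WebSocket server that rejects unexpected Origins, validates the shape of the session identifier before looking it up, and issues the session cookie with SameSite=Strict. The application origin `https://chat.example.com`, the cookie name `sid`, and the session-token format are assumptions made for this example.

```javascript
// Added example (not from the newsletter): accept/reject logic for a WebSocket
// upgrade request, to mitigate Cross-Site WebSocket Hijacking (CSWSH).
// Assumptions: the app is served from https://chat.example.com and the session
// is carried in a cookie named "sid" (both constructed for this example).
const ALLOWED_ORIGINS = new Set(["https://chat.example.com"]);
const SESSION_ID_RE = /^[A-Za-z0-9_-]{32,128}$/; // shape our session tokens take

// Parse a Cookie header into a name -> value map; tolerates a missing header.
function parseCookies(cookieHeader) {
  const out = {};
  for (const part of (cookieHeader || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) out[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return out;
}

// headers: lower-cased header map of the HTTP upgrade request.
// knownSessions: Map of valid session id -> session record.
// Returns { ok: true, session } or { ok: false, reason }.
function checkUpgrade(headers, knownSessions) {
  const origin = headers["origin"];
  // Browsers always send Origin on a WebSocket handshake; a missing or
  // unexpected value means the handshake was not started by our own page.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin not allowed" };
  }
  const sid = parseCookies(headers["cookie"])["sid"];
  // Strict validation of the identifier before it touches the session store.
  if (!sid || !SESSION_ID_RE.test(sid)) {
    return { ok: false, reason: "malformed session id" };
  }
  if (!knownSessions.has(sid)) {
    return { ok: false, reason: "unknown session" };
  }
  return { ok: true, session: knownSessions.get(sid) };
}

// Set-Cookie value for the session. SameSite=Strict stops the browser from
// attaching the cookie to a handshake initiated from another site at all.
function sessionCookie(sid) {
  return `sid=${sid}; Path=/; Secure; HttpOnly; SameSite=Strict`;
}

// Constructed sample data: one valid session and two handshakes.
const sessions = new Map([["a".repeat(40), { user: "alice" }]]);
const legitHandshake = { origin: "https://chat.example.com", cookie: `sid=${"a".repeat(40)}` };
const crossSiteHandshake = { origin: "https://attacker.example", cookie: `sid=${"a".repeat(40)}` };
```

The cross-site handshake carries the very same valid cookie, which is exactly the CSWSH scenario; it is refused on the Origin check alone.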
📣 Recent Regulatory Updates in August:
New State Privacy Laws: Multiple U.S. states have enacted new data privacy laws. For example, the Texas Data Privacy and Security Act (TDPSA) and the Oregon Consumer Privacy Act (OCPA) took effect in July 2024. These laws impose stricter requirements on businesses, such as data minimization, obtaining consumer consent, and implementing robust data security measures. Additionally, the Florida Digital Bill of Rights and Montana Consumer Data Privacy Act (MCDPA) have set new standards for data privacy, although they differ in enforcement mechanisms and sectoral exemptions.
SEC Cybersecurity Rules: The U.S. Securities and Exchange Commission (SEC) has introduced new regulations that require public companies to enhance their cybersecurity governance and transparency. These rules mandate more detailed disclosures on cybersecurity risks and incidents, emphasizing the role of corporate governance in mitigating these risks.
EU GDPR Reforms: The European Union has also proposed reforms to the General Data Protection Regulation (GDPR), which include procedural changes aimed at harmonizing enforcement across member states and improving cross-border data handling practices.
❌ Challenges Leading to Data Breaches and Cybersecurity Mishaps:
Increased Complexity of Compliance: As regulations proliferate, businesses are struggling to keep up with varying requirements across different jurisdictions. This complexity often leads to gaps in compliance, increasing the risk of data breaches. For example, failure to implement proper data minimization and consumer consent mechanisms, as required by the new state laws, can expose businesses to legal penalties and security vulnerabilities.
❗️ WHAT TO DO: Implement centralized compliance management and automated tools to handle regulatory complexities.
Supply Chain Vulnerabilities: The interconnectedness of global supply chains poses significant cybersecurity risks. Weaknesses in third-party vendors’ security practices can lead to breaches, as attackers exploit these vulnerabilities to gain access to sensitive data.
❗️ WHAT TO DO: Strengthen supply chain security through rigorous third-party risk management and continuous monitoring.
Inadequate Incident Response: Despite the regulatory emphasis on incident disclosure and response, many organizations still lack robust protocols to manage and mitigate cyber incidents effectively. This deficiency not only heightens the impact of breaches but also complicates compliance with mandatory reporting requirements.
❗️ WHAT TO DO: Enhance incident response by developing a tested plan, automating detection, and ensuring transparent reporting.
💡 Did you know? 💡

In October 2016, a massive Distributed Denial of Service (DDoS) attack was launched on the DNS provider Dyn, temporarily disrupting access to major websites like Twitter, Netflix, and Reddit. The attack was executed by a botnet comprising millions of Internet of Things (IoT) devices.
The Mirai malware was responsible for that 2016 attack, and it's estimated that such an attack could be orchestrated for as little as $100, highlighting how low-cost cyberattacks can have significant impacts on billion-dollar companies.
Staying informed through official government publications and reputable news sources is crucial for understanding and complying with new regulatory changes.
These are only some of the updates out there, and some of them may already have been changed or updated by the time this newsletter is released, so be sure to always stay in the know.
Till next issue! 👋😃