This week we saw vulnerabilities of varying severity disclosed to vendors along with efforts to patch them; with data breaches now so frequent, insurance companies are finding loopholes to avoid covering breach costs; and President Trump extended Executive Order 13694, signed by President Obama, which authorizes sanctions against individuals behind cyber attacks and cybercrime.


Highlighting the cyber-security news from the past week in a 120-second read. Starting now.





Vulnerability Disclosure

Disclosing vulnerabilities to vendors has always been a sensitive subject. The typical deadline a researcher gives a vendor to ship a patch before details are published is 90 days (the policy Google's Project Zero popularized). Below are three vulnerabilities from this week.


Why is this significant?

  •  enSilo’s Omer Medan found a macOS vulnerability that “allowed an attacker to change file system permissions on arbitrary files. The vulnerability affected all Apple products that rely on macOS.” Apple shipped the fix in the macOS update released alongside iOS 10.3 (macOS Sierra 10.12.4).
  •  Tavis Ormandy of Google’s Project Zero found numerous vulnerabilities in the LastPass password manager. Just last week, LastPass engineers were already patching other flaws Ormandy had reported to them.
  •  Signalling System No. 7 (SS7) is the global signalling protocol carriers use to route phone calls and SMS between networks, and its well-known weaknesses allow calls and messages to be intercepted or redirected. Two lawmakers asked the FCC to disclose cybersecurity vulnerability warnings to customers.


Read the full stories in The Register, SD Times and Bloomberg BNA



Data Breach Cost

American Express, Mastercard and Visa fined Rosen Hotels $2.4M over a data breach, and Rosen Hotels' insurance company is refusing to pay.


Why is this significant?

  •  In March 2016, Rosen Hotels warned customers that their credit/debit card data may have been exposed in a point-of-sale (PoS) malware attack that had begun roughly a year and a half earlier.
  •  Rosen Hotels sought coverage under its commercial general liability policy for the costs it incurred after the breach, but St. Paul Fire & Marine Insurance Company stated that the policy did not cover the card brands' fines.
  •  The cost of data breaches keeps rising. Some companies still argue that security spending costs more than a breach would. Companies such as Target may once have relied on insurance to cover the majority of their breach costs, but times have changed: an IBM-sponsored report in 2016 put the average cost of a breach at $4M.

Read the full story in the Orlando Sentinel


U.S. Policy

Executive Order 13694, signed by President Obama in 2015, was set to expire this weekend and has now been extended by one year by President Trump.


Why is this significant?

  •  The executive order allows the U.S. government to issue sanctions against individuals and organizations behind significant cyberattacks and cybercrime targeting the U.S.
  •  It gave the U.S. new powers to retaliate for hacking of critical infrastructure, major denial-of-service attacks, or large-scale economic hacking.
  •  This is President Trump’s first action that publicly addresses cybersecurity. Last month there was talk of a dedicated cybersecurity executive order, but it has not surfaced since.

Read the full story in CSO Online