Cyber Security Headlines Week in Review: Pentagon papers leak, keeping breaches quiet, Cisco air-gaps Webex

This week’s Cyber Security Headlines – Week in Review, April 10-14, is hosted by Rich Stroffolino with our guest, Dmitriy Sokolovskiy, CISO, Avid

Cyber Security Headlines – Week in Review is live every Friday at 12:30pm PT/3:30pm ET. Join us each week by registering for the open discussion at CISOSeries.com

Tracing leaked Pentagon documents

Aric Toler of Bellingcat traced the leak of US Justice Department and Pentagon documents online, some of which the government designated Top Secret, with some involving the invasion of Ukraine. Toler found evidence these documents were first posted as early as January on a Discord server, but they may have appeared online before that. Toler spoke with some members of the Discord server who said the documents were originally posted on a now-deleted server earlier, but could not confirm this. From there the documents spread to 4Chan. In March they made their way to Telegram channels and Twitter, where the New York Times and other media outlets picked them up.

(Bellingcat)

Over 40% of cybersecurity teams told to keep breaches confidential

A new report from Bitdefender suggests that 42% of the IT/security professionals surveyed said they have been told to keep a breach confidential when they knew it should be reported, and 30% said they have kept a breach confidential. The U.S. had the highest rate, with 71% of IT/security professionals being told to keep quiet, followed by the U.K. at 44%, and Italy, Germany, and Spain in the mid-30 percent range. In addition, 52% of global respondents said they have experienced a data breach or data leak in the last 12 months.

(Security Magazine)

Cisco to air-gap Webex

The networking giant announced plans to offer an air-gapped version of its Webex cloud collaboration system, designed to cater to companies in highly controlled industries, think national security and defense. Cisco will introduce Air-Gapped Trusted Cloud next year. Like other similar services, servers on the service will be air-gapped from public networks, operated in the US, and staffed with properly cleared local staff. The company claims this will meet US security standards across industries without sacrificing user experience. 

(Computer World)

Netherlands to adopt RPKI

The Dutch government plans to transition to Resource Public Key Infrastructure standards by the end of 2024 in an effort to improve the security of its internet routing. This will use digital certificates to secure BGP, protecting against malicious or accidental rerouting of network traffic. The country’s Standardization Forum mandated all communication devices managed by the government must make the transition by the end of next year. 77.9% of Dutch government sites already use RPKI. According to NIST however, global adoption lags behind, with only 41% of verifiable IPv4 prefix-origin pairs complying. For some context, that marks an increase from 33.5% at the start of 2022.  

(Bleeping Computer)
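To make concrete what "verifiable IPv4 prefix-origin pairs complying" means in the RPKI item above, here is an added example (not from the article, NIST, or the Dutch Standardization Forum) of Route Origin Validation as described in RFC 6811: each BGP announcement is checked against a set of Route Origin Authorizations and classified as valid, invalid, or not-found. The ROAs, prefixes, and AS numbers are constructed from documentation ranges and private-use ASNs.

```python
import ipaddress
from collections import Counter
from typing import Iterable, NamedTuple


class ROA(NamedTuple):
    """Route Origin Authorization: the AS allowed to originate a prefix, up to max_length."""
    prefix: str
    max_length: int
    origin_asn: int


def rov_state(announced_prefix: str, origin_asn: int, roas: Iterable[ROA]) -> str:
    """Route Origin Validation as in RFC 6811: 'valid', 'invalid' or 'not-found'."""
    route = ipaddress.ip_network(announced_prefix, strict=False)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix, strict=False)
        # A ROA only covers announcements inside its prefix (same address family).
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True
        # Matching origin AS and a prefix no longer than max_length makes it valid.
        # An AS0 ROA (origin 0) never matches a real origin, so it only invalidates.
        if roa.origin_asn == origin_asn and route.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "not-found"


def summarize(announcements: Iterable[tuple[str, int]], roas: Iterable[ROA]) -> Counter:
    """Count prefix-origin pairs per state, the way adoption statistics are reported."""
    roas = list(roas)
    return Counter(rov_state(p, asn, roas) for p, asn in announcements)


# Constructed sample data: documentation prefixes and private-use ASNs.
SAMPLE_ROAS = [
    ROA("192.0.2.0/24", 24, 64496),
    ROA("2001:db8::/32", 48, 64496),
    ROA("203.0.113.0/24", 24, 0),      # AS0 ROA: nobody may originate this prefix
]
SAMPLE_ANNOUNCEMENTS = [
    ("192.0.2.0/24", 64496),     # legitimate origin -> valid
    ("192.0.2.0/25", 64496),     # more specific than max_length -> invalid
    ("192.0.2.0/24", 64511),     # wrong origin AS (hijack or leak) -> invalid
    ("2001:db8:1::/48", 64496),  # covered by the /32 ROA up to /48 -> valid
    ("203.0.113.0/24", 64500),   # AS0 ROA -> invalid
    ("198.51.100.0/24", 64496),  # no ROA at all -> not-found
]

if __name__ == "__main__":
    for prefix, asn in SAMPLE_ANNOUNCEMENTS:
        print(f"{prefix:18} AS{asn:<6} {rov_state(prefix, asn, SAMPLE_ROAS)}")
```

A router enforcing RPKI would typically drop the invalid announcements; the not-found case is the gap the adoption figures in the article measure, since an announcement with no ROA cannot be verified either way.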

Thanks to today’s episode sponsor, AppOmni

Can you name all the third party apps connected to your major SaaS platforms, like Salesforce,  Microsoft 365, or Google Workspace? What about the data these apps can access? After all, one compromised 3rd party app could put your entire SaaS ecosystem at risk. With AppOmni, you get visibility to all third party apps and SaaS-to-SaaS connections — including which end users have enabled them, and the level of data access they’ve been granted. Visit AppOmni.com today to request a free risk assessment.

EU sets up ChatGPT task force

When Italy dropped the hammer on OpenAI, it remained an open question how other data regulators in the EU would react. Now we have an indication. The European Data Protection Board announced it has set up a ChatGPT task force. This body will “foster cooperation and to exchange information on possible enforcement actions conducted by data protection authorities.” Reuters’ sources say the body will try to align regulators across the bloc on policy positions on generative AI in general, and will not seek to make rules specifically targeting OpenAI. Outside of Italy, regulators in Spain and Germany also announced investigations into OpenAI.

(Reuters)

Hikvision flaw exposes video data

The surveillance company confirmed an “access control issue” in its Hybrid SAN and cluster storage portfolio could allow an attacker with network access to obtain admin access to these devices and reach stored video security data. These devices are often exposed to the internet, opening the door to a large attack surface. In its advisory, the company stated it did not find evidence of active exploitation. Security researchers at Redinent reported the flaw in December, with Hikvision issuing a patch on April 10th.

(Security Week)

Western Digital attackers say they have customer data

Earlier this month, the storage giant Western Digital confirmed it experienced a “network security incident” that saw data exfiltration across its systems. It remains cagey on specifics of what the attackers actually obtained. Well, the attackers aren’t being mum about it. Speaking to TechCrunch, one of their representatives said they obtained roughly 10 terabytes of data in the attack, including customer information. They shared a file they had created and signed with WD’s certificate, and shared executives’ phone numbers. The attackers say they performed the attack for financial gain.

(TechCrunch)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.