The sleepy rustbelt town of Steubenville, Ohio, was once best known for high school sports and as the birthplace of Dean Martin. But when a teen sexual assault committed by two members of the football team surfaced, the shadowy hacker group Anonymous caught wind of the story and decided to intervene. After publishing videos and social media from the night of the assault to their millions of online followers, they sparked viral outrage and demands for #JusticeforJaneDoe. They unleashed a passionate mob and their actions divided the small town, but in the process gave strength to generations of women forced to hide abuse. This film asks, when it seems like nothing will change, when is it OK for outsiders to intervene?
In the last two years alone, there have been a number of high-profile breaches that have given organizations pause, prompting them to consider whether the same kind of event could happen to them. After all, a cybersecurity breach could seriously damage or even level your business if you're not prepared and do not have the appropriate security programs in place. We've seen the implementation of the NYDFS Cybersecurity Regulation, and recent breaches have led to serious fines, potentially in the billions, for violating GDPR.
Most recently, we saw the Ohio Senate Bill 220 (S.B. 220) signed into law and go into effect as of Nov. 2, 2018. S.B. 220, known as the Data Protection Act, serves as an incentive to businesses to ensure that they achieve and maintain a higher level of security by maintaining industry-standard cybersecurity programs.
Recent research has shown that the average cost of a data breach globally is $3.86 million – an increase of 6.4 percent from 2017. As data breaches grow in prevalence and the cost to organizations continues to rise, S.B. 220 serves as a legal "safe harbor" for firms operating in Ohio if they are sued for negligently failing to implement reasonable information security controls, resulting in a data breach. The organization can use its compliance with the cybersecurity program as an affirmative defense, provided that program conforms to one of eight industry frameworks:
- NIST SP 800-171
- NIST SP 800-53 and 800-53A
- The Federal Risk and Authorization Management Program (FedRAMP)
- Center for Internet Security (CIS) Critical Security Controls
- The ISO 27000 Family
- The HIPAA Security Rule
- Gramm-Leach-Bliley Act
- The Federal Information Security Modernization Act (FISMA)
It is important to note that the Data Protection Act "does not, and is not intended to, create a minimum cybersecurity standard that must be achieved," and it is not to "be read to impose liability upon businesses that do not obtain or maintain" a cybersecurity program that is compliant with one of the eight recognized frameworks listed above. In fact, the bill highlights that there is no silver-bullet approach to cybersecurity: in order for an organization to call upon the "safe harbor," it needs to have a program with a scope and scale appropriate to factors such as the size and nature of the business and the amount of personally identifiable information it collects and holds.
In the end, it pays for companies to implement proper cybersecurity programs, because doing so reduces the risk of a breach and mitigates legal risk if a breach occurs. At the same time, cybersecurity protections are still evolving, and organizations are starting to understand that when they focus solely on network security, web application firewalls, or data leakage prevention tools, they leave a key attack surface exposed: their web applications.
The past few years have seen a marked increase in the number and severity of successful attacks aimed at the application layer, and our State of Software Security report has shown that 85 percent of applications have at least one vulnerability on initial scan. To begin implementing an AppSec program that scales to the size and needs of your organization – and reduces the risk associated with building, buying, and borrowing software – download our Ultimate Guide to Getting Started with Application Security.
Banking Trojan Shuts Down Ohio School District
After the discovery of the banking Trojan known as Trickbot, an Ohio school district was forced to cancel school since they were unable to fully disinfect the networks before classes resumed the following Monday. Preliminary reports have concluded that no students were responsible for the attack, as it appears to have started its data-gathering on a computer belonging to the district treasurer’s office. In order for classes to resume normally, the IT staff for the district had to re-format nearly 1,000 affected computers.
GetCrypt Spreading Through RIG Exploit Kits
Another ransomware variant, GetCrypt, has been spotted in the wild. It spreads by redirecting visitors of a compromised website to a separate page hosting an exploit kit. After checking for several Eastern European languages, the ransomware begins encrypting all files on the system and displays a standard ransom note. In addition to removing all available shadow copies from the computer, GetCrypt appends to every encrypted file a randomized, four-character extension derived from the device's own CPUID.
Google Assistant Logs All Online Purchases
It was recently discovered that Google’s Assistant, released last year, keeps a log of all online purchases for which a receipt was sent to the user’s Gmail account. The “Payments” page on a user’s Google account shows transactions, flight and hotel reservations, and other purchases made up to several years prior, even showing the cost, date, and time of the purchase.
Forbes Joins List of Magecart Victims
It was revealed late last week that Forbes had fallen victim to a Magecart attack possibly affecting anyone who made a purchase on the site during that time. Fortunately, the researcher who discovered the attack quickly notified both Forbes and the domain owner, resulting in a swift removal of the malicious payment card skimmer from the highly-trafficked site. It’s likely that Forbes became a victim after another vendor in their supply chain was compromised.
Australian IT Contractor Arrested for Cryptomining
An IT contractor working in Australia was arrested after being caught running cryptomining software on government-owned computers, which netted him over $9,000 in cryptocurrency. The charges encompass misuse of government systems by making modifications to critical functions and security measures for personal gain while in a position of trust. By making these changes, the contractor could have exposed a much larger portion of the network to malicious actors who take advantage of misconfigured settings to access company data.
The post Cyber News Rundown: Banking Trojan Closes Ohio Schools appeared first on Webroot Blog.