For a Good Scam, Call: The Rise of Callback Phishing Emails.
Cybersecurity professionals are meant to be the last line of defense against malicious actors, but what happens when those actors impersonate the very companies trying to stop them? An article published by Bleeping Computer reports on the rise of “callback” phishing emails that copy the branding and wording of established cybersecurity vendors. The goal is to convince targets to unwittingly install remote access software that can be used to compromise their corporate networks. These callback scams rely on social engineering (manipulating people rather than exploiting a technical flaw): instead of a malicious link or attachment, the email asks the employee to phone a number, and the operator on the line then talks the employee through installing the malware under the guise of a security check or a subscription renewal. CrowdStrike, one of the companies the attackers have chosen to mimic, has said that these intrusions frequently lead to ransomware, and has tied the campaign to the Quantum ransomware gang. By pretending to be the companies that protect against cyber threats, these actors have found a new avenue into corporate networks.
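The telltale shape of a callback lure (a trusted brand name, a phone number as the only call to action, a billing or security pretext) is something a mail filter can score. The following Python is an added example written for this page, not code from Bleeping Computer, CrowdStrike or the article; the brand/domain table, the weights, the threshold and the three sample emails are all constructed assumptions for illustration.

```python
"""Heuristic scorer for callback-phishing lures (added example, not from the article)."""
import re
from dataclasses import dataclass, field

# ASSUMPTION: brands a callback lure is likely to impersonate, mapped to the
# domain the genuine vendor would send from. Placeholder table; populate it
# from your own vendor inventory.
IMPERSONATED_BRANDS = {
    "crowdstrike": "crowdstrike.com",
    "examplesec": "examplesec.example",   # fictional vendor
}

# North-American style phone numbers, e.g. (800) 555-0147 or 416-555-0199.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://|www\.", re.IGNORECASE)
# Pretexts that create urgency: a charge to dispute, a breach to act on.
PRETEXT_WORDS = ("subscription", "renewal", "invoice", "charged", "assessment",
                 "breach", "compromised", "suspicious activity", "refund")
CALL_WORDS = ("call", "phone", "dial", "reach us", "contact us")
SUSPICIOUS_THRESHOLD = 4  # ASSUMPTION: tuned on the constructed samples below


@dataclass
class LureVerdict:
    score: int = 0
    signals: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= SUSPICIOUS_THRESHOLD


def score_callback_lure(sender: str, subject: str, body: str) -> LureVerdict:
    """Score one message; higher means more callback-lure traits present."""
    text = f"{subject}\n{body}".lower()
    sender_domain = sender.rsplit("@", 1)[-1].lower().strip("> ")
    verdict = LureVerdict()

    # 1. A vendor is named, but the mail did not come from that vendor's domain.
    for brand, domain in IMPERSONATED_BRANDS.items():
        if brand in text and not sender_domain.endswith(domain):
            verdict.score += 2
            verdict.signals.append(f"brand '{brand}' sent from {sender_domain}")
            break

    # 2. The call to action is a phone number rather than a link.
    phones = PHONE_RE.findall(text)
    if phones and any(word in text for word in CALL_WORDS):
        verdict.score += 2
        verdict.signals.append(f"phone call-to-action: {phones[0].strip()}")

    # 3. No URL at all: the phone number is the only channel offered
    #    (ASSUMPTION about lure style, drawn from the phone-only scam described).
    if phones and not URL_RE.search(text):
        verdict.score += 1
        verdict.signals.append("no URL; phone number is the only channel")

    # 4. A billing or security pretext that pressures the reader to act now.
    hits = [word for word in PRETEXT_WORDS if word in text]
    if hits:
        verdict.score += 1
        verdict.signals.append("pretext: " + ", ".join(hits))

    return verdict


# Constructed sample messages (sender, subject, body); none are real emails.
SAMPLES = {
    "lure": (
        "Billing <billing@support-desk.example>",
        "Your CrowdStrike subscription has renewed",
        "We have charged your card $499.99 for the annual renewal. "
        "To cancel or dispute this charge, call our billing team at "
        "(800) 555-0147 within 24 hours.",
    ),
    "vendor_receipt": (
        "noreply@crowdstrike.com",
        "Your CrowdStrike subscription has renewed",
        "Your renewal is complete. Your invoice is available in the customer "
        "portal at https://portal.example/invoices",
    ),
    "internal_memo": (
        "hr@corp.example",
        "Office closure on Friday",
        "Facilities can be reached at 416-555-0199 with questions about "
        "access badges.",
    ),
}


def triage(samples: dict = SAMPLES) -> dict:
    """Return {label: LureVerdict} for a batch of messages."""
    return {label: score_callback_lure(*msg) for label, msg in samples.items()}


if __name__ == "__main__":
    for label, verdict in triage().items():
        flag = "SUSPICIOUS" if verdict.suspicious else "ok"
        print(f"{label:15} score={verdict.score} {flag} {verdict.signals}")
```

The scorer is deliberately additive: a real vendor receipt also says "subscription" and "invoice", so no single signal is damning, but a brand name from a stranger's domain plus a phone-only call to action is exactly the combination a human should look at before anyone picks up the phone.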
No Shoes No Security No Service: The Cybersecurity Implications of the Rogers Outage
For many Canadians on the morning of July 8th, it felt as if the sky was falling. A nationwide Rogers outage severely limited communication across Canada: phone and Internet access went down, and everything from emergency call lines to payment card processing was taken offline with it. The event, which lasted over 12 hours, was caused by a “maintenance update” according to a statement from Rogers CEO Tony Staffieri, but as a Yahoo! News article outlines, the blunder has enormous implications for Canada’s cybersecurity. Because Rogers holds such a large share of the Canadian communications market, a single company’s error became a national crisis, and it raises the question of whether the Canadian government should mandate a minimum level of resiliency for Rogers’s critical infrastructure if Rogers is to remain such a large player in Canadian telecommunications. Cybersecurity would undoubtedly be a sizable part of any such mandate: if a benign mistake was able to take Rogers down nationwide for most of a day, a deliberate attack, however remote the possibility, could cause a far-reaching disaster. Having a plan for such an event is critical to ensuring that what occurred this past Friday remains a regrettable and costly anomaly.
Insurance and Endurance: Problems in Critical Infrastructure with Regards to Cyber Insurance
With the Russia-Ukraine conflict heightening international concern about cybercrime, mitigating the cost of serious attacks has become almost as important as preventing them. Breaches need not be treated as inevitable, but cyber insurance offers an added layer of protection when a serious attack does succeed. However, as a CyberScoop article details, the cyber insurance market is far from settled, and insurers are still struggling with how to adequately cover critical infrastructure.
Cyber insurance was introduced two decades ago to cover the regulatory and legal fines that followed a security incident, but it has since evolved to address the far-reaching and complex threats that are now commonplace. That changing threat landscape makes the predictive risk assessment any functional insurance market depends on a murky proposition for cybersecurity. With threats such as ransomware on the rise, and with governments and private companies reporting incidents inconsistently, insurers cannot accurately quantify the risk they are underwriting, a problem that becomes especially serious when the asset being assessed and insured is critical infrastructure.
CyberScoop suggests that governments may have a role in remedying this. The article proposes that having the US government clearly define what constitutes critical infrastructure and formalize cyber insurance standards could be vital to recognizing, evaluating, and insuring that infrastructure. Coupled with reports that CISA and the Treasury’s Federal Insurance Office (FIO) have been pushed to work with Congress on a funding mechanism that would act as a backstop for the cyber insurance industry, this makes government intervention a plausible remedy for a complex problem. Whether the solution is found in the public or the private sector, standardized evaluations and procedures will be integral to mitigating these threats.