WannaCry ransomware cripples major Taiwan chip maker, a malicious botnet found on Twitter, and are you doing enough security awareness training?
Welcome to Cyber Security Today. It’s Wednesday August 8th.
Just over a year ago the WannaCry ransomware struck companies around the world. By now you’d think every company in the world has patched their Windows machines to prevent another attack. Nope. This week Taiwan Semiconductor Manufacturing, a huge chip maker for many companies including Apple, admitted the computer virus that brought its production to a halt for two days was a variant of WannaCry. The infection was caused when employees failed to do a virus scan of new software being installed. The malware then spread to other computers. “This is purely our negligence so I don’t think there is any hacking behavior,” the CEO was quoted as saying. The lesson here is anything downloaded from the Internet is a potential source of infection. Scan everything before installation. And – I hate being repetitious – keep patching your devices.
Botnets are usually large groups of separate devices like Internet routers or surveillance cameras that have been joined by malware to create a huge robot for distributing more malware. But other things, like web sites, can be used to create a botnet. According to a report issued this week by Duo Security, so can automated accounts on Twitter. Yes, sometimes there are multiple Twitter accounts firing off the same tweet simultaneously. Sometimes they just want to boost followers. Sometimes they spread spam. In late May, Duo discovered what appeared to be thousands of automated accounts spoofing otherwise legitimate cryptocurrency Twitter accounts to spread a “giveaway” scam. To spread the spam, the bot would reply to a real tweet posted by the legitimate account. This reply would contain a link inviting the victim to take part in a cryptocurrency giveaway. The link, of course, leads to the installation of malware. Twitter is now actively looking for and removing suspicious accounts. You can make sure your Twitter account is safe by using a secure password and not clicking on links in Twitter messages unless you’re sure of the sender.
Finally, regular security awareness training in any organization is essential. It’s also usually boring. It doesn’t have to be, but that’s one of the side-effects of repetition. But a recent survey by Finn Partners Research suggests there isn’t enough training. It’s a small sample – only 500 respondents in the U.S. – but only 29 per cent said they receive quarterly training, which most experts I talk to say is the minimum needed. True, 25 per cent receive training once a month, which is great. But 42 per cent said they only get security awareness training either once or twice a year. That’s just not good enough. A good awareness training program has sessions with staff once a quarter, plus regular small reminders – like in company Tweets, email, calendars or wall posters. If your organization needs inspiration for security awareness training, the Internet is full of ideas. I’ve written a few articles on IT World Canada.
That’s it for Cyber Security Today. Subscribe on Apple Podcasts, Google Play, or add us to your Alexa Flash Briefing. Thanks for listening. I’m Howard Solomon.