This is the March news and product review from Cyberday. Our next live admin webinar will take place in May 2024. You can register for it on our Webinars page closer to the date.
Most important cyber security news 3/2024
Traficom recognises cooperation for preventing scam calls and messages with the "Infosec frontrunner" award
Traficom and Huoltovarmuuskeskus organised the Tietoturva 24 seminar in Helsinki on 13.3.2024. At the seminar, the annual "infosec frontrunner" award is presented to recognise outstanding cooperation and innovation in the field of cyber security. This year, the award went to organisations that worked together to develop and implement measures to prevent internationally spoofed calls and messages.
An important part of the implementation is technical filtering, where legitimate Finnish calls are allowed through and other traffic is blocked. In addition, Traficom's regulations, which obliged all operators to implement the same filtering, played an essential role in achieving a consistent implementation with no loopholes for cybercriminals.
Between 2020 and 2021, Finns lost €7.1 million on technical support scam calls alone. The prevention methods launched in 2022 have significantly reduced the number of scam calls, and the criminal benefit has dropped to €600. Initially, as many as 200,000 scam call attempts were blocked per day. The problem of scam calls and messages is a global one, so Finland's results are of interest at the international level.
Thanks to cooperation between telecoms operators and the authorities, spoof calls using fake Finnish numbers have practically stopped.
Awarded to: DNA Oyj, Elisa Oyj, KRP, Traficom, Länsilinkki Oy, Setera Communications Oy, Suomen Numerot NUMPAC Oy, Telia Finland Oyj and Ålands Telekommunikation Ab
$12.5 billion lost to cybercrime in US
The FBI's annual Internet Crime Complaint Center (IC3) report has been released, and it shows that cybercrime losses rose by a record 22% in 2023. The figures in the report only include incidents reported to IC3, so the true figure is likely higher.
The most common attack types:
- Ransomware (+18%)
- Investment scams (+33%)
- Technical support scams
- Government impersonation scams
Everyone interested is encouraged to read the report!
Stormous ransomware gang takes credit for attack on Belgian brewer Duvel
In March 2024, the Belgian brewery Duvel was hit by a ransomware attack. Duvel's IT department detected the attack and shut down the company's production lines and servers. As a result, production was disrupted and stalled for days at factories in both Belgium and the US. However, Duvel assured its customers that there would be no availability problems, thanks to existing stock.
On Thursday 7 March, Duvel was listed on the leak site of the Stormous ransomware gang. The Stormous site claims that 88 GB of data was stolen from Duvel, including order information, contact details and addresses. The company was given until 25 March to pay up.
Stormous has announced in recent months that it has joined an alliance that includes ThreatSec, GhostSec, Blackforums and SiegedSec. Members of the alliance work together on attacks, as well as developing their own offerings (e.g. Ransomware-as-a-Service (RaaS) offerings for lower-skilled cybercriminals).
IAPP publishes "EU AI Act: 101"
The European Union has developed the world's first comprehensive AI law, the EU AI Act, which sets requirements for the development and deployment of AI systems according to their level of risk. The aim is to safeguard human rights while encouraging innovation.
On Wednesday 13 March 2024, the European Parliament voted in favour of the draft EU AI Act, and the final text is now available. The AI Act is expected to be published as soon as possible, once the final procedural and language checks have been completed.
IAPP (International Association of Privacy Professionals) has published an easy-to-read summary of the content of the AI Act. The essence of the law is a risk-based approach consisting of four levels of risk:
- Unacceptable risk: AI systems that are considered a threat to human rights, security or livelihoods are banned.
- High-risk AI systems: AI technology that may endanger human safety, rights or livelihoods. These are subject to strict obligations before they can enter the market.
- Low-risk AI systems: AI technologies that pose low risk.
- General purpose AI models: General AI models that can be integrated into different production chains or applications.
Most of the AI Act will become applicable two years after its final text is published, so now is a good time to find out whether you are using or providing any of these AI systems in your operations.
NIST Releases Version 2.0 of Cybersecurity Framework
NIST (National Institute of Standards and Technology) has published version 2.0 of its Cybersecurity Framework. The original NIST CSF was published in 2014, and the v1.1 update was released in 2018.
The NIST CSF was originally intended for critical infrastructure organizations to manage and mitigate cybersecurity risks based on existing standards, guidelines and practices. Even in draft form, the new version of the CSF received extensive feedback, which has been used to expand and build on the current model in 2.0.
The new CSF 2.0 is designed to serve a wider audience, regardless of their current level of security, from small schools and organisations to the largest corporations. The NIST CSF 2.0 updates key guidelines and develops a range of tools to help organizations achieve their security goals, with an emphasis on governance and supply chain aspects. The framework also provides more supporting material for digital security work.
Massive Data Breach Exposes Info of 43 Million French Workers
In February-March 2024, France suffered a massive data breach at its employment agencies, with the data of 43 million French workers leaked. The data included names, IDs and contact details, among other things. The leak may have affected jobseekers from the last 20 years, around two-thirds of the French population. The data breach affected two French employment agencies, France Travail and Cap Emploi.
The data breach was only discovered after the fact, when people reported the suspicious activity to the French data protection authority (CNIL). The employment agency itself only reported the breach about a month after it began.
Following the data breach, one of the employment agencies, France Travail, has been heavily criticised for security lapses, slow response, and the hoarding of customer data. France Travail had also been contacted by an external ethical hacking firm about its inadequate security measures. CNIL has launched a GDPR investigation to assess whether the company is complying with the required security measures. CNIL also advises potential victims of the data breach to remain vigilant against scams and phishing.
Main things from Cyberday development
Visual mode on documentation cards
See how the different documented objects are connected! We have developed a visual view of the documentation cards that lets you see the connections between the different objects more clearly.
On the documentation card, the visual view can be accessed using the slide button at the top. Edits to the documentation are still made from the current card view.
Risk management improvements
We have made improvements to Cyberday's security risk management dashboard and internal risk workflow. A clearer concept for the use of the Security Risk Table has been developed.
At the same time, a possible use for asset-specific risk identification has been introduced. This allows the organisation to direct the owners of important assets (e.g. information system, data warehouse, vendor, branch) to perform a risk assessment that goes through the most relevant associated threats.
New upcoming frameworks: C2M2 & Katakri 2020
Cyberday is about to get two new frameworks: Cybersecurity Capability Maturity Model (C2M2) and Katakri 2020. You can activate and modify frameworks in Cyberday from the Organization dashboard.
Also coming soon in Cyberday: The Digital Operational Resilience Act (DORA).
Under research: ISO 9001
Check out the available and upcoming frameworks in the Cyberday app or on the Frameworks page.
Coming soon: New Cyber security metrics page
In response to our customers' requests, we are adding a Security Metrics page to Cyberday to provide a more visual overview of the process. Information about the process and other developments to Cyberday will be added to our development website.
Do you have other questions?
Please feel free to reach out to our team in case we have not answered your questions here. You can use the chat box or contact team@cyberday.ai.