Attack or Mistake? Avoiding the Self-Own

4–24–2023 (Monday)

Hello and welcome to Cyber Risk at Deal Speed, your weekly video update on the one big thing in cybersecurity for private equity investors and the management teams of their portfolio companies.

I’m your host, Shay Colson, Managing Partner for Cyber Diligence at Coastal Cyber Risk Advisors, and you can find us online at coastalcyber.io

Today is Monday April 24th, and most of the cybersecurity world is focused on the RSA conference in San Francisco. Instead, we’re going to talk a little bit about things that look like security issues or cyber attacks, but are really much more mundane - and common. Let’s dig in. 

Beware The Self-Own

There have been a couple of news stories in the past few weeks that looked a lot like cyber attacks but, it turns out, were simple mistakes made by the enterprise that threat actors took advantage of.

The first of these comes out of Washington DC, with a breach involving DC Health Link - the health insurance exchange used by members of Congress here in the United States.

The breach, which was discovered in early March, included “date of birth, Social Security numbers and contact information” for “56,415 current and past customers including members of Congress, their families, and staff.”

As you might imagine, this resulted in some congressional hearings, and we now see that this was less an attack than a simple misconfiguration.

While this data did end up shared in a forum, the FBI Cybersecurity Task Force characterized this as the following:

“a particular computer server that was misconfigured to allow access to the reports on the server without proper authentication. Based on our investigation to-date, we believe the misconfiguration was not intentional but human mistake.”

At the same time, we saw another article out of Washington DC detailing the “unauthorized transfer of records containing personal information on approximately 256,000 customers at one institution, as well as confidential supervisory information on 45 institutions” - all overseen by the Consumer Financial Protection Bureau. 

The source of the incident? In this case, it was an employee forwarding information to a personal email account.

The details are a bit light - including why this employee was forwarding so much data - but these human errors should serve as a good reminder that as scary as the threat landscape of China, Russia, Iran, and North Korea can seem, we need to make sure that we are at least doing enough with our internal controls to identify, prevent, and detect these human errors.

Things like Data Loss Prevention systems and Penetration Testing may seem routine, but a simple version of each of these would’ve likely prevented both of these issues.

Beyond just these tools, businesses have an obligation to do everything they can to support the value and efficiency that technology can bring in a secure manner.

This might mean deploying cloud-based collaboration tools like Microsoft 365, Teams or Slack to prevent employees from emailing data home.

It also means ensuring that internet facing systems are properly architected and implemented, as well as supporting robust development and testing activities during your Software Development Lifecycle (SDLC). 

There are enough threats out there to try to defend against. Don’t start this exercise by putting an own goal up on the board.

Fundraising

A slightly more subdued round of fundraising last week - totaling just over $8.3B, but worth noting a wide range of funds, including both venture capital and private equity, and a range of sizes and focuses.

We’re seeing funds for climate, music, digital health, credit, transportation, and even non-traditional industries like sex-tech and psychedelics all putting up new funding rounds.

We’ll continue to look for exits in both the public and private markets as indicators that the bottom of this funnel is starting to move, but it’s good to see that the top is still getting fed in a diverse way.

You can find all the links to the stories we covered below, find back issues of these videos and the written transcripts at cyberriskatdealspeed.com, and we’ll see you next Monday for another edition of Cyber Risk at Deal Speed.

Links

https://apnews.com/article/congress-dc-data-breach-cyber-security-7505d83dfa5ddb06765e6ff4de9abfcc

https://www.wsj.com/articles/in-major-incident-cfpb-says-staffer-sent-250-000-consumers-data-to-personal-account-fdc0a540
