In this issue:
- AI and Phishing: The New Threats
- Savvy Cybersecurity quick links
- Cybersecurity shorts
- Software updates
Welcome to your August Savvy Cybersecurity newsletter. Read on to learn more about:
- The new SEC cybersecurity rule
- Software you should update immediately
- And much more
AI and Phishing: The New Threats
Phishing messages have been one of the top cybersecurity threats in the last decade. Phishing is when a hacker creates a fake message that appears to come from a legitimate company or real person. The message typically asks the recipient to click a link or provide personal information, which either downloads malware or provides the hacker with information.
Through educational outreach, many have learned the telltale signs of a phishing email or text message. Some of the most noticeable characteristics of phishing messages include spelling mistakes or poor grammar. However, new AI tools can allow hackers to craft well-written phishing messages in seconds. Without these glaring spelling and grammar errors, more people may click on malicious links. AI tools can also make these messages more personal, using the recipient's name or referencing personal information. With this development, it is important to remember our phishing defense.
The acronym for our phishing defense is EMAIL: Examine Message and Inspect Link. While new AI technology means that the message itself may not stand out as a threat, the links in the email will tell a different story. Before clicking on any link in a message, hover your mouse over the link to reveal the true destination. If it does not look right, don't click.
And we can still examine the message in light of AI tools. Phishers rely on a sense of urgency. Read the message carefully to ensure it makes sense. If the message was unprompted, think twice. You can always call the company directly to confirm the message.
How AI can help
AI technology can also help us spot phishing emails. Cybersecurity tools that use AI can be taught to identify new phishing messages and mark them as spam. AI tools can also allow for real-time monitoring of email messages and malware.
Humans still need to be in control of our cybersecurity. Understanding the major threats and knowing what to look for in messages will help you avoid falling victim to phishing messages.
Cybersecurity shorts
White House announces plans to help fund cybersecurity resources for K-12 schools. This month, the White House announced plans to provide millions in funding and additional federal resources to K-12 schools. The plan outlines a $200 million pilot project under the Universal Service Fund to boost cybersecurity in K-12 schools and libraries, a Government Coordinating Council set up by the Department of Education to coordinate policies, action, and communication between federal, state, local, tribal, and territorial leaders, and more.
Microsoft is called out for its poor cybersecurity practices. Last month, Microsoft disclosed a major breach that targeted its Azure platform. That breach was traced to a Chinese hacking group known as Storm-0558. The breach affected roughly 25 different organizations and resulted in the theft of sensitive emails from US government officials. As a result, Microsoft is facing ginormous amounts of criticism and is being called out for 'blatantly negligent' cybersecurity practices. You can read more about the backlash Microsoft is facing here.
A breach of the UK admin agency exposed information of millions of voters. Earlier this month, it was announced that hackers had accessed servers within the United Kingdom's top election administration agency and lurked inside them for at least a year. The attackers first hacked the servers in August 2021, the breach was identified in October 2022, and it was publicly revealed this month. The attackers had access to servers related to the agency's email, control systems, and copies of electoral registers.
New York debuts its cybersecurity strategy. This month, New York State debuted its first cybersecurity strategy, which includes plans to modernize government networks, provide digital defenses at the county level, and regulate critical infrastructure. This strategy comes after the state's Division of Homeland Security and Emergency Services responded to 57 cyberattacks in 2022 that resulted in a month-long shutdown of municipal systems in one county and numerous attacks on schools and health care systems. You can read more about New York's cybersecurity strategy here.
SEC finalizes cybersecurity incident reporting rules. Late last month, the SEC finalized new rules that require public companies to disclose material cybersecurity incidents and provide annual updates on their strategy, governance, and cybersecurity risk management. Additionally, these final rules greatly expand prior guidance on the specificity of required disclosures, and more.
Software updates
Adobe: Adobe released security updates for Acrobat and Reader addressing over 30 vulnerabilities. These updates are listed as critical and users should update as soon as possible. You can read more about the update here.
Microsoft: Over 70 security holes are closed in this month's Microsoft update. A handful of these issues are classified as critical and are currently being exploited by hackers. Your devices should prompt you to update automatically. Learn more about the security issues and updates here.