The Biden administration is taking new actions to make it more difficult to profit from ransomware attacks, and one of those actions is sanctions. The first of these are against a Russian-based cryptocurrency exchange involved in ransomware. The Treasury Department is expected to issue new guidance on the risks of facilitating ransomware payments, including fines and other penalties. There will be new anti-money laundering and terror finance rules too, designed to limit the use of cryptocurrency for ransomware payments.
It also appears both branches of Congress are working to make CISA more powerful – there is legislation to fund the agency from both chambers.
Some insight into multi-party data breaches – they are 26 times more damaging than the worst single-party breach. The researchers found that financial and business support organizations dominate the top two slots, both as the "ripple-generating" victims and as the recipients of downstream loss events.
HackerOne is expanding the Internet Bug Bounty program to help open source, taking over its management. Google, too, is funding open source – it has now named the eight projects it is supporting, and it is supporting the Open Source Technology Improvement Fund.
And here's one I didn't think of – ever tried to guess your boss's password? Beyond Identity says that about 19.9% of those surveyed had, and 21.7% had tried for a co-worker. On the personal side, it's 51.6% for romantic partners and 40.2% for parents.
Finally, I want to direct listeners to a resource. Daniel Miessler has written a piece on Vendor Security 2.0, focusing on assuming vendor compromise and on how to leverage Risk Visibility, Reduction, and Communication approaches. It's an internal risk analysis approach rather than a set of external security checks.
Why do we care?
If nothing else, my hope is that these discussions are causing a change in approaches. I shake my fist a lot, and the point is changing your own perspective. Miessler’s methodology is worth a read for exactly this reason.
Which leads to bug bounties. I have more to come on this – look for a bonus episode soon. The approach laid out in Vendor Security 2.0 includes understanding the risk of the vendor, and their approach to bug bounties is part of that. Most IT service providers are managing vendors more than doing the work themselves, particularly with increasing cloud reliance. In an all-SaaS future state for most SMBs, the responsibility is disproportionately in this space. And so, flex those muscles now and get into fighting shape.