As I sit here writing this blog post in my pajamas, I can’t help but notice how fast time has been moving lately. It seems like just yesterday that we were having our first 4th of July with no fireworks, and now we are quickly approaching August and the end of summer. News in the InfoSec community appears to be moving at light speed too, as massive stories from last week are quickly forgotten and replaced with new headlines.
We have a great installment of Byte Sized News for all of you this week. While not as large and groundbreaking as last week, the stories in this installment are just as engaging and interesting. This week's highlights cover a couple of stories relating specifically to women in cybersecurity, a set of critical flaws patched by Adobe, and much more!
As always, this series isn’t intended to provide readers with details on every story and topic, but rather to fill busy professionals in on the most compelling developments in the field.
Without further ado, let’s get to this week’s top news stories!
The first article from this week is a disheartening one from InfoSecurity Magazine. It reports that while women now make up almost a third of the global cybersecurity workforce, a large gender pay gap continues to blight the industry. The findings come from ISC2's new Cybersecurity Workforce Study, which sought to better understand the role women play in the industry. One of the largest takeaways is that women are consistently paid less than men in cybersecurity: the average salary for women in North America was $80,000, compared to $96,500 for men, and in Europe the figures were $40,500 for women and $67,000 for men, which the study reports as a 21% overall gender wage gap. In addition, 22% of women surveyed cited discrimination in the workplace, as opposed to just 13% of men. These statistics show that we still have a lot of work to do in the industry to shrink the gap and create a level playing field for both men and women. It's not all doom and gloom, though. The survey also found that women now make up 30% of the workforce, compared to around 25% last year, that 63% of women plan to stay in cybersecurity for the rest of their careers, and that almost 70% are partially or fully satisfied with their current jobs in the field.
Our next article of the week also comes from InfoSecurity Magazine but is a lot more positive. It details how Responsible Netism has teamed up with the Maharashtra State Commission for Women to develop a cyber-safety training program for young women in India. The program aims to teach around 5000 women aged 16 to 25 how to stay safe on the Internet, and it will be delivered through webinar sessions, instructional videos, PowerPoint presentations, and online workshops. Young women who complete the training will be given the title of "Cyber Sakhee." Topics covered include fake profiles, account hacking, cyber-bullying, gender-based trolling, online harassment, stalking, and more. Real-world case studies will also be used, placing the real danger of cyber-threats in context for participants. We at PlexTrac, as a cybersecurity company, believe that education about safe Internet practices is extremely important for everyone. We applaud India for offering this program to young women in the country.
Our next article of the week comes from Threatpost and discusses a critical flaw in Photoshop that was discovered and quickly patched this past week. In all, Adobe issued out-of-band patches for 12 CVEs in Photoshop, Bridge, and Prelude, just a week after releasing its regularly scheduled July update. Adobe stated that it was not aware of any in-the-wild exploits for the bugs patched in the update, and it gave no further technical details on the Photoshop CVEs. All of the reported vulnerabilities stem from out-of-bounds reads and writes, which access memory past the end of or before the beginning of the intended buffer. An out-of-bounds read can leak sensitive data from adjacent memory, while an out-of-bounds write corrupts it; either can crash the application, and the latter can be leveraged for arbitrary code execution. To close these holes, update Photoshop 2019 to version 20.0.10 and Photoshop 2020 to version 21.2.1.
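To make the out-of-bounds read/write bug class concrete, here is an added example written for this post. It is not Adobe's code and does not reproduce the patched Photoshop flaw; the image_t structure, ROW_BUF_BYTES and the 32-byte sample blob are all invented for illustration. It shows a toy image-row copier that trusts width and offset fields straight from the file header (the unsafe pattern) beside a version that bounds-checks both before copying.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration, not Adobe's code: a row copier that trusts
 * untrusted header fields, beside a version that bounds-checks them. */

#define ROW_BUF_BYTES 16   /* fixed-size destination buffer (hypothetical) */

typedef struct {
    uint32_t width;        /* bytes per row, read from the file header */
    uint32_t row_offset;   /* where the row starts inside the file blob */
    const uint8_t *data;   /* file contents */
    size_t data_len;       /* actual size of the file contents */
} image_t;

/* VULNERABLE pattern: width and row_offset come straight from the file.
 * A width larger than ROW_BUF_BYTES writes past the end of dst
 * (out-of-bounds write); a row_offset near or beyond data_len reads past
 * the end of the blob (out-of-bounds read). Kept only for contrast;
 * never call it with untrusted input. */
int copy_row_unsafe(const image_t *img, uint8_t dst[ROW_BUF_BYTES]) {
    memcpy(dst, img->data + img->row_offset, img->width);
    return (int)img->width;
}

/* HARDENED: validate every header-derived quantity before memcpy. */
int copy_row_checked(const image_t *img, uint8_t dst[ROW_BUF_BYTES]) {
    if (img->width > ROW_BUF_BYTES)
        return -1;                       /* would overflow the destination */
    /* Source check written as a subtraction so a huge row_offset cannot
     * wrap "row_offset + width" (32-bit arithmetic) back into range. */
    if (img->row_offset > img->data_len ||
        img->width > img->data_len - img->row_offset)
        return -2;                       /* would read past the end of the blob */
    memcpy(dst, img->data + img->row_offset, img->width);
    return (int)img->width;
}

/* Builds a constructed 32-byte "file" (byte i holds the value i) with the
 * given header fields and runs the hardened copier. Returns the copier's
 * result, or -3 if the bytes copied do not match the source. */
int check_case(uint32_t width, uint32_t row_offset) {
    uint8_t blob[32];
    uint8_t dst[ROW_BUF_BYTES];
    for (size_t i = 0; i < sizeof blob; i++)
        blob[i] = (uint8_t)i;
    image_t img = { width, row_offset, blob, sizeof blob };
    memset(dst, 0xAA, sizeof dst);       /* poison so a short copy is visible */
    int rc = copy_row_checked(&img, dst);
    if (rc > 0 && memcmp(dst, blob + row_offset, (size_t)rc) != 0)
        return -3;
    return rc;
}

int main(void) {
    printf("valid row (width 8 @ 4):          %d\n", check_case(8, 4));
    printf("width 64 (dst overflow):          %d\n", check_case(64, 0));
    printf("offset 40 (past end of blob):     %d\n", check_case(8, 40));
    printf("offset 0xFFFFFFF0 (wraparound):   %d\n", check_case(16, 0xFFFFFFF0u));
    return 0;
}
```

The two rejected cases are exactly the shapes a malformed file uses to trigger these bugs: a declared size larger than the destination, and an offset that either points past the data or is large enough to wrap a naive `offset + width` comparison. Checking against the destination size and the real input length separately, and writing the second check as a subtraction, covers both.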
Our second-to-last article of the week is the third to come from InfoSecurity Magazine. It reports that the United Kingdom's sporting organizations have been told to greatly improve their cybersecurity, after a GCHQ report found that 70% of them have experienced a breach in the last year, twice the average across UK businesses. To make matters worse, the National Cyber Security Centre (NCSC) also found that 30% of these organizations have experienced more than five incidents in the past year. The attacks are not especially sophisticated either: most involve phishing, credential stuffing, malware, and password spraying, and the most common threat is business email compromise (BEC). Every part of this report is damning for many sporting organizations in the UK. The industry contributes over £37bn to the UK economy, which explains why it is such a popular target for attackers. "I would urge sporting bodies to use this time to look at where they can improve their cybersecurity — doing so now will protect them and millions of fans from the consequences of cybercrime," NCSC director of operations Paul Chichester stated.
I am beginning to sound like a broken record. Our last story of the week also comes from InfoSecurity Magazine, and details a "meow" attacker who wiped over 1500 online databases. These databases were apparently targeted for no other reason than that they were "misconfigured and exposed to the public internet." Researcher Bob Diachenko was the first to call attention to the campaign after noticing an exposed database belonging to the VPN provider UFO. The "cat burglar" later attacked that database, overwriting all of the data with "meow" along with a set of numbers. This was not a ransom attack, however, as no note was left for the victims of the wipe. "After the exposed data had been secured, it resurfaced a second time on July 20th at a different IP address — all of the records destroyed now by a new 'meow' bot attack," Diachenko tweeted. Globally, 1269 Elasticsearch servers and 276 MongoDB instances were hit by the "meow" bot. Boris Cipot, a senior security engineer at Synopsys, described the attacks as a "game changer," hopefully motivating organizations to improve their security practices.