
New Essential Eight, bug bounties, and REvil down… and more

The Cybersecurity and Infrastructure Agency has a new head – Jen Easterly has been confirmed by the US Senate. This fills a position that had been vacant since November.

The Australian Cyber Security Centre has refreshed its Essential Eight implementation guide, making all eight now essential. The ACSC is specifically focused on “Windows based internet connected networks”, acknowledging that for other environments there may be more appropriate guides.

Trend Micro is reporting that 84% of US organizations have been hit with ransomware or phishing attacks, and 50% rate themselves ineffective at handling them.

Microsoft, meanwhile, has been going door to door in Brazil and Latin America to deal with the Trickbot malware – replacing routers. That said, signs are the group is alive and well, despite last year’s takedown by US Cyber Command. They’re updating their operations and using a new tool.

Interpol is asking for more collaboration between police and industry, acknowledging the problem is “too large of a threat for any entity or sector to address alone; the magnitude of this challenge urgently demands united global action”.

Facebook has added a Payout Time Bonus to its bug bounties – a bonus paid if more than 30 days have passed between Facebook first receiving the bug report and paying out.

Gmail has added support for the BIMI security standard. This allows companies that have implemented standards like DMARC, DKIM and SPF to show authenticated logos inside email clients. The initiative is designed to improve email sender authenticity. At present, Yahoo, AOL, and Fastmail are the other providers who support the standard, and only DigiCert and Entrust can issue the appropriate certificates, although BIMI expects that to grow.
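As an added example (not code from the original post), a small offline checker for the prerequisite BIMI places on DMARC: a domain's DMARC policy must be at enforcement (p=reject, or p=quarantine with pct=100, and no sp=none) before a mailbox provider will consider its BIMI record and logo. The DNS table, domain names and URLs are constructed sample data rather than live lookups.

```python
"""Check whether a domain's DNS records satisfy BIMI's DMARC prerequisite.

Added example, not from the original post. An in-memory DNS table stands in
for live TXT lookups so the check runs offline; the domains and URLs are
constructed sample values.
"""
from typing import Dict, Optional

# Constructed sample TXT records (hypothetical domains and URLs).
DNS_TXT: Dict[str, str] = {
    "_dmarc.good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "default._bimi.good.example":
        "v=BIMI1; l=https://good.example/logo.svg; a=https://good.example/vmc.pem",
    "_dmarc.weak.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "default._bimi.weak.example": "v=BIMI1; l=https://weak.example/logo.svg;",
}

def parse_tags(record: str) -> Dict[str, str]:
    """Split a 'k=v; k=v' TXT record into a dict (tag names lower-cased)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def dmarc_enforcing(domain: str, dns: Dict[str, str] = DNS_TXT) -> bool:
    """True if DMARC is at enforcement: p=reject, or p=quarantine with pct=100.
    A subdomain policy of sp=none also disqualifies the domain for BIMI."""
    rec = dns.get(f"_dmarc.{domain}")
    if rec is None:
        return False
    tags = parse_tags(rec)
    if tags.get("v") != "DMARC1" or tags.get("sp", "").lower() == "none":
        return False
    policy = tags.get("p", "").lower()
    if policy == "quarantine" and tags.get("pct", "100") != "100":
        return False
    return policy in ("reject", "quarantine")

def bimi_status(domain: str, dns: Dict[str, str] = DNS_TXT) -> Dict[str, Optional[str]]:
    """Return the logo (l=) and VMC (a=) URLs plus a verdict on BIMI eligibility."""
    rec = dns.get(f"default._bimi.{domain}")
    tags = parse_tags(rec) if rec else {}
    result: Dict[str, Optional[str]] = {"logo": tags.get("l") or None, "vmc": tags.get("a") or None}
    if tags.get("v") != "BIMI1":
        result["verdict"] = "no BIMI record"
    elif not dmarc_enforcing(domain, dns):
        result["verdict"] = "DMARC not at enforcement (p=reject or quarantine required)"
    elif not result["vmc"]:
        result["verdict"] = "no VMC; providers that require a certificate (Gmail does) will not show the logo"
    else:
        result["verdict"] = "eligible"
    return result
```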

And, it appears REvil is down. As of Tuesday morning, their sites were offline. It’s not clear why. Some experts believe the evidence suggests a planned takedown of their infrastructure… but we may never know the full details. It could be law enforcement, the Russian government, or the group themselves. REvil can be linked to 42% of all recent ransomware attacks.

Why do we care?

There’s so much here!

Flip that Trend Micro stat. Only 50% of organizations can defend themselves. The opportunity and the risk in one stat.

In terms of resources, there is so much to leverage. Grab Australia’s Essential Eight guidance. Learn more about the security standards in email that help with sender authenticity – and help address phishing. Pushing adoption of both is a standard tactic we need.

I mentioned the bug bounty details because of the noise security leaders like Jason Slagle have been making – how bug bounty programs are important and drive part of the solution. I’ve mentioned financial incentives for executives. Bug bounty programs are financial incentives for security researchers.

They’re both linked to disclosure notifications too – two-thirds of researchers polled had found bugs… but not reported them. And the number one reason was the potential for legal backlash.

Having a formal program, and recognizing the incentive, matters. If you’re not a researcher, but instead a customer, add the question “Do you have a bug bounty program?” to your list of critical questions. This is all about financial incentives, after all.