It’s Friday o’clock! But before that quittin’ whistle screeches, consider taking just a few minutes to take our reader survey, which will get you in the running for a $500 prepaid Amex gift card. That’s enough to cover years of checkmarks on the bird app, or whatever else floats your boat.
In today’s edition:
Hack the halls
Now do SolarWinds
Privacy? Please
—Billy Hurley, Eoin Higgins
Like most people, IT pros need time off during the holidays to go shopping, scour the neighborhood for missing packages, and string up a few Christmas lights. But the end of the year is an especially tough time for the security department. Cyber scams are often executed during periods like the holidays, when IT teams might be understaffed.
Most phishing attacks occur between Black Friday and the end of the year, according to a 2022 analysis from the threat-intel company Cybersixgill, citing both an increase in toolkit purchasing and phishy discourse in underground forums leading up to the big shopping day. Phishing-related products offered for sale on underground markets were highest in the third quarter of 2022, according to the researchers.
When December arrives, an eight-person prime shift may be reduced to two, said Doug Saylors, partner and cybersecurity unit leader at the consultancy ISG. “You have reduced shifts, [but] you have the same, if not higher, number of alerts,” Saylors said.
As IT shops with staff out of office are hit with holiday-themed, malware-laden delivery notifications, businesses increasingly need contingency plans that include automation, rehearsals, and basics like multi-factor authentication.
The season of giving…malware. A December report from security services provider Trustwave found a number of order scams and courier notifications containing malware. In one example, a phisher pretending to be DHL crafted a “delivery failed” email that contained a credential-stealing Trojan.
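The lure Trustwave describes (a courier's "delivery failed" notice carrying a credential stealer) has a handful of recurring tells that a short-staffed team can check mechanically. The script below is an added example, not code from IT Brew, Trustwave, or any vendor quoted here: it scores raw RFC 5322 messages on whether the display name claims a courier the sender domain does not belong to, whether Reply-To is steered elsewhere, urgency wording, executable-style attachments (including double extensions such as .pdf.exe), and tracking links that leave the claimed brand's domain. The courier-domain table, the weights, the thresholds and the three sample messages are all constructed assumptions for the example.

```python
"""Heuristic triage of courier-themed phishing lures (added example, not the page's code)."""
import email
import email.utils
import re
from email import policy
from email.message import EmailMessage
from typing import Dict, List, Optional, Set

# Couriers commonly impersonated in "delivery failed" lures and the domains they really
# send from. Assumption for this example; tune the table to your own mail flow.
COURIER_DOMAINS: Dict[str, Set[str]] = {
    "dhl": {"dhl.com", "dhl.de"}, "fedex": {"fedex.com"},
    "ups": {"ups.com"}, "usps": {"usps.com"},
}
URGENCY = re.compile(r"delivery failed|failed delivery|final notice|within 24 hours"
                     r"|action required|undeliverable", re.I)
DANGEROUS_EXT = (".exe", ".scr", ".js", ".vbs", ".iso", ".img", ".lnk", ".htm", ".html")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")


def registrable(host: str) -> str:
    """Crude eTLD+1 (last two labels); use the Public Suffix List in production."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]


def sender_domain(header_value: str) -> str:
    """Registrable domain of the address in a From/Reply-To header, or '' if none."""
    _, addr = email.utils.parseaddr(header_value)
    return registrable(addr.rsplit("@", 1)[1]) if "@" in addr else ""


def claimed_brand(display_name: str, subject: str) -> Optional[str]:
    """Which courier, if any, the display name or subject claims to be."""
    text = f"{display_name} {subject}".lower()
    return next((b for b in COURIER_DOMAINS if re.search(rf"\b{b}\b", text)), None)


def score_message(raw: bytes) -> Dict[str, object]:
    """Score one message; higher is more lure-like. The From header is taken at face
    value (no SPF/DKIM/DMARC here), so pair this with the gateway's authentication results."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, reasons = 0, []  # type: int, List[str]
    from_hdr = str(msg.get("From", ""))
    display_name, _ = email.utils.parseaddr(from_hdr)
    from_dom = sender_domain(from_hdr)
    subject = str(msg.get("Subject", ""))
    brand = claimed_brand(display_name, subject)
    # 1. Claims a courier, but the sender domain is not that courier's.
    if brand and from_dom not in COURIER_DOMAINS[brand]:
        score += 3
        reasons.append(f"claims {brand.upper()} but sent from {from_dom or 'no domain'}")
    # 2. Replies are steered to a domain other than the visible sender's.
    reply_dom = sender_domain(str(msg.get("Reply-To", "")))
    if reply_dom and reply_dom != from_dom:
        score += 1
        reasons.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # 3. Urgency wording typical of delivery-failure lures.
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if URGENCY.search(f"{subject} {body}"):
        score += 1
        reasons.append("urgency wording")
    # 4. Executable-style attachment; endswith() also catches double extensions.
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(DANGEROUS_EXT):
            score += 3
            reasons.append(f"dangerous attachment {name}")
    # 5. Tracking links that point somewhere other than the claimed courier.
    if brand:
        foreign = sorted({registrable(h) for h in URL_HOST.findall(body)} - COURIER_DOMAINS[brand])
        if foreign:
            score += 2
            reasons.append(f"links to {', '.join(foreign)}")
    verdict = "quarantine" if score >= 5 else "review" if score >= 3 else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def build_sample(from_hdr: str, subject: str, body: str, reply_to: Optional[str] = None,
                 attachment: Optional[str] = None) -> bytes:
    """Build a constructed test message (not a real captured lure)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "jane.doe@corp.example", subject
    if reply_to:
        m["Reply-To"] = reply_to
    m.set_content(body)
    if attachment:  # a few bytes of an MZ header stand in for the "notice"
        m.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                         filename=attachment)
    return m.as_bytes()


# Constructed samples: a DHL lure with a double-extension attachment, a UPS lure that
# spoofs From and relies on Reply-To, and a benign DHL shipment notice.
SAMPLES: Dict[str, bytes] = {
    "dhl_lure": build_sample("DHL Express <notice@dhl-parcel-update.example>",
                             "Delivery failed - action required",
                             "Your parcel could not be delivered. Open the attached notice or visit\n"
                             "http://dhl-parcel-update.example/track within 24 hours.",
                             attachment="DHL_Notice_8823.pdf.exe"),
    "ups_reply_to": build_sample("UPS <billing@ups.com>", "Final notice: package undeliverable",
                                 "Confirm your address at http://ups-secure-login.example/confirm",
                                 reply_to="support@ups-secure-login.example"),
    "dhl_legit": build_sample("DHL Express <noreply@dhl.com>", "Your shipment 1234 is on its way",
                              "Track your shipment at https://www.dhl.com/track?id=1234"),
}
```

Run it with `for k, raw in SAMPLES.items(): print(k, score_message(raw))`: the DHL lure scores 9 and is quarantined, the UPS message lands at 4 ("review", because its From domain looks genuine and only the Reply-To and link give it away), and the benign notice scores 0. The point of the middle verdict is that header-only heuristics cannot tell a forged From from a real one; that is what SPF/DKIM/DMARC results from the gateway are for, and they should feed the same score.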
Holiday seasons are opportune times for cybercriminals, according to Oz Alashe, CEO of the data-analytics provider CybSafe. “Black Friday, people are expecting to get offers and deals with things that are too good to be true,” said Alashe. “Likewise, if you are trying to attack an organization and get access to an organization, you know [that] on a Friday, quite often people have started to think about the weekend.”
Read the rest here.—BH
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @BillyHurls on Twitter.
Boom! You just wrapped up your first round of SOC 2 or ISO 27001 compliance. But in a rapidly growing company, your old approach to maintaining InfoSec compliance frameworks may fall short. The experts at Vanta and LinkSquares can explain how to continue to grow rapidly without sacrificing security.
Join them live on Thursday, December 15 at 10am PST/1pm EST for a webinar on how to scale compliance at hypergrowth companies. Here’s what it’ll cover:
- key elements of a comprehensive compliance program
- when to expand your security team and tech stack
- how to use compliance as a tool for enhanced growth
Learn what it takes to remain compliant and scale as you grow. Register here.
When the federal government's new cybersecurity review board chose Log4j rather than SolarWinds as the subject of its first report, the reaction among some observers was akin to Swifties missing out on Eras Tour tickets.
The Cyber Safety Review Board (CSRB) was created in February 2022 after an executive order in May 2021 on “Improving the Nation’s Cybersecurity.” The board was tasked with investigating hacks and other cybersecurity challenges, and is made up of a mix of public servants and representatives from private companies.
There was an expectation that the board would start its review with one of the biggest cybersecurity breaches in US history, the 2019–2020 SolarWinds hack, believed to be connected to Russia—which led to data being exposed from at least eight federal institutions.
But the CSRB instead focused on the Log4j open-source software vulnerability in its first report, released in July 2022.
Focus featured. That decision has earned the board and the federal government criticism for what detractors describe as an effort on the part of the government to shield private industry from public exposure of security flaws that might prove costly to their bottom line. A month after the report was released, reporters at the Black Hat cybersecurity conference asked DHS under secretary Rob Silvers about the Log4j prioritization.
“We felt together with the White House that the best use of the board when we launched in February was to review Log4j,” Silvers said, according to a report in SC Media. “It was fresh, it was an extremely broad and wide impact, and I think the report bears that out,” he added.
Not everyone agrees. According to SC Media, information security professional Tarah Wheeler argued during a separate presentation that without a “coherent government report” on the SolarWinds hack, it’s hard to figure out the “multiple reasons why there are process failures, and multiple places that you can fix that process failure for the future.”
Read more here.—EH
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @EoinHiggins_ on Twitter.
A lot is made of how data sovereignty applies to managing information from country to country—the back and forth between the US and the EU over the latter’s General Data Protection Regulation (GDPR) shows the intensity of the topic.
Making sure that competing laws are reconciled between countries is a challenge. But as John Wills, field CTO at data management company Alation, recently told IT Brew, in the US it can even vary state to state.
Data privacy has been of growing concern to state and federal lawmakers, leading to the development of varying degrees of regulation depending on location. Sorting that out can be difficult for teams looking to ensure they fulfill all relevant data management needs.
Wills told IT Brew that the landscape is evolving quickly, and that the traditional leader on progressive legislation, California, isn’t the only state driving the conversation. Colorado, Connecticut, Utah, and Virginia all have comprehensive data privacy laws on the books.
This interview has been lightly edited and condensed.
What should IT teams consider when managing data? Should they primarily look at California and the other four states with privacy laws?
The dirty little secret is that there’s already been this massive explosion of laws and regulations. And if you’re an enterprise—and of course the larger you are, and the more that you cross jurisdictions, the more complex it is—you already have an overwhelming tsunami of interrelated and conflicting laws you need to abide by. It’s very, very confusing, and very difficult to handle.
Read more here.—EH
Do you work in IT or have information about your IT department you want to share? Email [email protected] or DM @EoinHiggins_ on Twitter.
The best of both worlds. Pair the perks of public and private cloud computing with hybrid cloud solutions—protecting your data, controlling costs, and minimizing risk. Learn more about Dell Technologies products and solutions, powered by Intel® at delltechnologies.com. For more information, contact a Dell Technologies Advisor.
Today’s top IT reads.
Stat: $2.5 million. That’s how much Sophos said cybercriminals got scammed by fellow scammers on three dark-web forums in the last 12 months. (The Register)
Quote: “We’ve seen these waves of attacks: It’s calm, calm, calm and then there comes a big wave, then again there is quiet, quiet, quiet, then again it comes.”—Gert Auväärt, head of cybersecurity and deputy director of Estonia’s Information Security Authority, on Russian cyberattacks against the Estonian Parliament (Politico)
Read: It turns out the answer to stabilizing a statewide power grid might not be bitcoin mining. (Wired)
Low-code learnin’: Remember buying software off the shelf? Anyone? These days, it’s all about saving time and $$$ with cloud services and low-code dev. OutSystems’ on-demand webinar will show you how to drive transformation with high-performance low-code. Register here.*
*This is sponsored advertising content.
- Dwarf Fortress, the "most cult of…cult-classic video games," has received a triumphant remaster.
- The Pentagon has settled years of complaints and lawsuits by splitting its JWCC (née JEDI) cloud-computing contract between AWS, Google, Microsoft, and Oracle.
- Apple has added an end-to-end encryption option to most of iCloud.
- Twitter's tracking pixel, which tracks over 70,000 sites, has come under cybersecurity scrutiny.