NPD Massive Data Breach, Pentagon's CMMC Rules, Apple Opens NFC, and Ransomware Surge

A massive data breach at National Public Data (NPD), a data aggregator, exposed potentially billions of records and raised concerns about the risks of data aggregation. The breach, believed to involve a third-party hacker, leaked names, Social Security numbers and other personal information; NPD has not disclosed how many individuals are affected and is advising people to monitor their credit reports for suspicious activity.

The second topic covers vulnerabilities, identified by Tenable Research and since patched, in Microsoft Azure's AI Health Bot service that could have allowed privilege escalation and access to cross-tenant resources. This highlights the importance of secure development practices in AI, especially in sectors like healthcare that are prime targets for cybercriminals. Additionally, the Hunters International ransomware group is targeting IT workers with a new malware called SharpRhino, a C# remote access trojan distributed through a typosquatting site, posing significant risks to organizations.

The Pentagon has proposed rules incorporating Cybersecurity Maturity Model Certification (CMMC) requirements into the contracting process, with a three-year phased rollout. Contractors will need to self-assess or obtain third-party certification based on data sensitivity, with compliance required at the time of contract award; the comment period on the proposed rule ends October 14, 2024. ConnectWise has committed to assisting providers in achieving CMMC Level 2 compliance by 2025, but compliance remains the provider's own responsibility and must be handled in coordination with its vendors rather than inherited from them.

Lastly, Apple has opened NFC access to third-party developers in iOS 18.1, allowing them to utilize the iPhone's secure element for various applications like payments, transit fares, and IDs. This decision follows a legal agreement with European commissioners to comply with EU regulations. By expanding NFC technology on its devices, Apple is creating new opportunities for developers to deliver solutions to customers, enhancing the device's functionality and potential use cases.

Three things to know today

00:00 Massive Data Breach at National Public Data Exposes Billions of Records, Highlights Risks of Data Aggregation

04:32 Pentagon Proposes CMMC Rules for Contractors; ConnectWise Supports MSPs in Achieving Compliance

06:20 Apple Complies with EU Regulations, Grants NFC Secure Element Access to Developers in iOS 18.1

Supported by: https://trinitycyber.com/msp4/

💼 All Our Sponsors

Support the vendors who support the show:

👉 https://businessof.tech/sponsors/

🚀 Join Business of Tech Plus

Get exclusive access to investigative reports, vendor analysis, leadership briefings, and more.

👉 https://businessof.tech/plus

🎧 Subscribe to the Business of Tech

Want the show on your favorite podcast app or prefer the written versions of each story?

📲 https://www.businessof.tech/subscribe

📰 Story Links & Sources

Looking for the links from today’s stories?

Every episode script — with full source links — is posted at:

🌐 https://www.businessof.tech

🎙 Want to Be a Guest?

Pitch your story or appear on Business of Tech: Daily 10-Minute IT Services Insights:

💬 https://www.podmatch.com/hostdetailpreview/businessoftech

🔗 Follow Business of Tech

LinkedIn: https://www.linkedin.com/company/28908079

YouTube: https://youtube.com/mspradio

Bluesky: https://bsky.app/profile/businessof.tech

Instagram: https://www.instagram.com/mspradio

TikTok: https://www.tiktok.com/@businessoftech

Facebook: https://www.facebook.com/mspradionews



[00:00:01] [SPEAKER_02]: It's Tuesday, August 20, 2024, and I'm Dave Sobel. Three things to know today. A massive

[00:00:08] [SPEAKER_02]: data breach at National Public Data exposes billions of records, highlighting the risks

[00:00:12] [SPEAKER_02]: of data aggregation. The Pentagon proposes CMMC rules for contractors, ConnectWise supports

[00:00:18] [SPEAKER_02]: MSPs in achieving compliance, and Apple complies with EU regulations, granting NFC secure

[00:00:26] [SPEAKER_02]: element access to developers in iOS 18.1. This is the Business of Tech.

[00:00:34] [SPEAKER_02]: National Public Data confirmed a significant data breach that leaked names, Social Security

[00:00:39] [SPEAKER_02]: numbers and other personal information affecting potentially billions of records. The breach

[00:00:45] [SPEAKER_02]: is believed to have involved a third-party hacker with data leaks occurring from late

[00:00:50] [SPEAKER_02]: 2023 through summer 2024. NPD has cooperated with law enforcement but has not disclosed the

[00:00:57] [SPEAKER_02]: number of affected individuals or offered compensation, advising people to monitor their credit reports.

[00:01:03] [SPEAKER_02]: Troy Hunt has a deep dive into this breach, as it's a data aggregator with several

[00:01:08] [SPEAKER_02]: partial datasets, making it particularly complicated, if you're interested in diving

[00:01:13] [SPEAKER_02]: in further to learn more. Microsoft Azure's AI Health Bot service was found to have

[00:01:18] [SPEAKER_02]: critical vulnerabilities that allowed for privilege escalation and potential access to cross-tenant

[00:01:24] [SPEAKER_02]: resources. These issues, identified by Tenable Research, were quickly patched but highlight

[00:01:29] [SPEAKER_02]: risks associated with chatbot security. Exploitation could have enabled attackers to manage resources

[00:01:35] [SPEAKER_02]: belonging to other Azure customers. The vulnerabilities stemmed from flaws in the service's

[00:01:40] [SPEAKER_02]: architecture, underscoring the need for secure development practices in AI, especially

[00:01:45] [SPEAKER_02]: in the healthcare sector, which is a prime target for cyber criminals.

[00:01:50] [SPEAKER_02]: The Hunters International ransomware group is targeting IT workers with a new malware

[00:01:55] [SPEAKER_02]: called SharpRhino, a C# remote access trojan that facilitates initial infections

[00:02:00] [SPEAKER_02]: and privilege escalation. It spreads through a typosquatting site mimicking a legitimate

[00:02:07] [SPEAKER_02]: tool and has been linked to notable cyberattacks against organizations like Austal

[00:02:12] [SPEAKER_02]: USA and Hoya. The malware modifies system settings for persistence and can execute

[00:02:17] [SPEAKER_02]: PowerShell commands, posing significant risks. Six ransomware gangs accounted for over 50%

[00:02:25] [SPEAKER_02]: of attacks in the first half of the year with LockBit 3.0 leading with 325 victims.

[00:02:31] [SPEAKER_02]: Other notable gangs include Play, 8Base, Akira, Black Basta, and Medusa. Meanwhile,

[00:02:42] [SPEAKER_02]: new strains like Brain Cipher have emerged, indicating a persistent and evolving threat

[00:02:46] [SPEAKER_02]: landscape. And this year, ransomware costs have surged with the largest known payment

[00:02:52] [SPEAKER_02]: reaching $75 million. The median ransom payment has increased dramatically from $200,000 in

[00:02:59] [SPEAKER_02]: early 2023 to $1.5 million in the middle of this year.

[00:03:05] [SPEAKER_02]: Why do we care? Given that NPD is a data aggregator, this breach's impact is

[00:03:10] [SPEAKER_02]: magnified by the aggregation of multiple datasets, making it difficult to assess the full extent

[00:03:15] [SPEAKER_02]: of the damage. The fact that this breach went on for several months before being detected

[00:03:19] [SPEAKER_02]: raises serious concerns about the adequacy of monitoring and security measures in place

[00:03:24] [SPEAKER_02]: at data aggregators. And why should they? What laws and consequences do they face?

[00:03:30] [SPEAKER_02]: And be warned about ransomware groups targeting IT.

[00:03:36] [SPEAKER_02]: Trinity Cyber brings MSPs a revolutionary new capability to grow your business and improve

[00:03:42] [SPEAKER_02]: your margins. Trinity Cyber's world-class threat analysis team works 24/7 to deeply inspect

[00:03:50] [SPEAKER_01]: customer traffic in context. Trinity Cyber stops threats before they even enter your

[00:03:57] [SPEAKER_02]: client's networks, and they do the hunting and event triaging to save you money.

[00:04:02] [SPEAKER_02]: Here's what Wayne Porter, owner of MSP Allegheny Computer Services, has to say.

[00:04:08] [SPEAKER_00]: Trinity Cyber is a true game changer for MSPs. It's more affordable, it provides fewer false

[00:04:15] [SPEAKER_01]: positives, and it costs less. Let their threat intelligence experts work for you around the

[00:04:22] [SPEAKER_02]: clock to reduce your workload. Visit trinitycyber.com/msp4 to learn about their discounted

[00:04:29] [SPEAKER_02]: MSP pricing options.

[00:04:33] [SPEAKER_02]: The Pentagon has released proposed rules to incorporate cybersecurity maturity model

[00:04:38] [SPEAKER_02]: certification or CMMC requirements into the contracting process, featuring a three-year

[00:04:44] [SPEAKER_02]: phased rollout. Contractors will need to either self-assess or obtain third-party

[00:04:49] [SPEAKER_02]: certification based on data sensitivity with compliance required at the time of contract

[00:04:54] [SPEAKER_02]: award. By the end of the rollout, 35% of contractors handling sensitive data will need a Level 2

[00:05:00] [SPEAKER_02]: certification, while 65% will require a Level 1 self-assessment. The comment period for the proposed

[00:05:07] [SPEAKER_02]: rule ends on October 14th, 2024. And speaking of CMMC, ConnectWise has announced its commitment to

[00:05:15] [SPEAKER_02]: assist providers in achieving CMMC Level 2 compliance by 2025. The company plans a

[00:05:22] [SPEAKER_02]: staged adherence strategy, including achieving compliance in a separate AWS environment,

[00:05:29] [SPEAKER_02]: evaluating Level 3 requirements, and providing hosted CMMC compliant products.

[00:05:35] [SPEAKER_02]: A key quote: "With our hosted solution across the company's solutions, MSPs can easily

[00:05:41] [SPEAKER_02]: access and leverage our CMMC compliant products, empowering them to navigate the complexities

[00:05:46] [SPEAKER_02]: of CMMC 2.0 with confidence." Why do we care? I'm a touch worried about misguided providers

[00:05:56] [SPEAKER_02]: thinking that if their tool providers achieve CMMC compliance, that they too will get this by some

[00:06:01] [SPEAKER_02]: kind of osmosis. This rule's compliance is a primary concern for the providers and should

[00:06:07] [SPEAKER_02]: absolutely be done in coordination with their vendors. So kudos also to ConnectWise for doing

[00:06:11] [SPEAKER_02]: their part. I'm just a bit concerned about this kind of potential positioning.

[00:06:16] [SPEAKER_02]: And if you have comments on the requirements, well now is your time.

[00:06:22] [SPEAKER_02]: Apple is opening NFC access to third party developers in iOS 18.1, allowing them to

[00:06:28] [SPEAKER_02]: implement using the iPhone's secure element. Developers can create apps for various uses,

[00:06:34] [SPEAKER_02]: including payments, transit fares, and IDs, using the secure element for security.

[00:06:39] [SPEAKER_02]: This decision follows a legal agreement with European commissioners to comply with EU regulations.

[00:06:45] [SPEAKER_02]: Developers must enter a commercial agreement with Apple and pay fees to access the NFC functionality,

[00:06:52] [SPEAKER_02]: which will be available in the US, EU and several other countries.

[00:06:56] [SPEAKER_02]: Apple Pay and Apple Wallet will still be available alongside these new systems.

[00:07:01] [SPEAKER_02]: Why do we care? By allowing third party developers to access the iPhone's NFC secure

[00:07:06] [SPEAKER_02]: element, Apple is significantly expanding the potential use cases for NFC technology on its devices.

[00:07:13] [SPEAKER_02]: There's opportunity to deliver solutions to customers who might want larger NFC deployment

[00:07:18] [SPEAKER_02]: using the device that's already in everyone's pocket. This feels like a notable valuable unlock.

[00:07:26] [SPEAKER_02]: Thanks for listening. Today is National Bacon Lovers Day,

[00:07:30] [SPEAKER_02]: not Bacon Day but the day for lovers of bacon. You can end your day by celebrating the

[00:07:35] [SPEAKER_02]: National Chocolate Bacon Pie Day. Have a question you want answered? Take those questions,

[00:07:41] [SPEAKER_02]: send them in to question@mspradio.com. We'll have a lively live show tomorrow, Wednesday,

[00:07:47] [SPEAKER_02]: 3pm Eastern on YouTube and LinkedIn as I'm joined by Ryan Morris and Seth Robinson

[00:07:52] [SPEAKER_02]: for a roundtable discussion. And if you got a comment or a thought on a story,

[00:07:56] [SPEAKER_02]: put it in the comments if you're on YouTube or reach out on LinkedIn if you're listening

[00:08:00] [SPEAKER_02]: to the podcast. Talk to you again tomorrow, twice.

[00:08:30] [SPEAKER_01]: MSP Radio or buy our Why Do We Care merch at businessof.tech. Finally, if you're interested

[00:08:37] [SPEAKER_01]: in advertising on this show, visit mspradio.com/engage. Once again, thanks for listening

[00:08:44] [SPEAKER_01]: to me and I'll talk to you again on our next episode of The Business of Tech.