MSSP, Automated penetration testing, Penetration Testing, Governance, Risk and Compliance

Security Update: Top 10 Cyberattacks of 2024

  • Top 10 Cyberattacks of 2024
  • A Hit-and-Miss First Year for SEC’s Cyber-Incident Reporting Rules
  • The Pen Test Trap: Why Most Businesses Get It Wrong

Each week ChannelE2E compiles a list of the top stories we’ve covered about what’s going on in the security services market from our affiliate brand MSSP Alert. Here’s this week’s roundup of news from MSSP Alert.

Top 10 Cyberattacks of 2024

The cyberthreat landscape continued to expand and accelerate in 2024, keeping MSSPs busy, as bad actors expanded their arsenals – in particular, their embrace of generative AI – and tactics, including their growing use of cybercrime-as-a-service, which gave criminals new revenue streams and lesser-skilled hackers easy access to ready-to-use tools for launching increasingly sophisticated attacks.

State-sponsored threat groups from foreign adversaries like China, Russia, North Korea, and Iran put critical infrastructure in the United States and other countries in their crosshairs for espionage and other purposes, including, in North Korea’s case, stealing money to bypass international sanctions and fund its massive weapons operations.

In all, it was another year of escalating and evolving attacks that resulted in massive amounts of personal and sensitive data being exposed and billions of dollars being stolen. Below are 10 of the most significant cyberattacks of 2024.

Read the complete story here.

A Hit-and-Miss First Year for SEC’s Cyber-Incident Reporting Rules

It’s been a year since the U.S. Securities and Exchange Commission (SEC) set in place its controversial cyberattack reporting rules, and the takeaway seems to be that companies need to be more complete when making their filings, that the rule helped accelerate the reporting of cybersecurity incidents, and that there is room for improvement. MSSPs are positioned to help public companies navigate these rules.

Yet it’s also unclear what will happen to the rules when the new presidential administration, which is aggressively anti-regulation, comes into power next month.

“While the rules have made strides in encouraging accountability, they should provide clearer guidelines on reporting ongoing threats – not just incidents after they occur – to give investors a more comprehensive understanding of risk,” Shai Mendel, co-founder and CTO of cybersecurity firm Nagomi Security, told MSSP Alert. “This will improve how organizations disclose the specific nature of cyber threats.”

That said, Andy Lunsford, founder and CEO of incident management and response company BreachRx, doesn’t believe the regulations are doing what the SEC intended.

Read the complete story here.

The Pen Test Trap: Why Most Businesses Get It Wrong

COMMENTARY: Think you need a pen test? Fred Langston says you might be wrong.

In the cybersecurity world, penetration testing—or pen testing—has become the gold standard for evaluating an organization’s defenses. But according to Fred Langston, a pen testing veteran with over 20 years of experience, most businesses asking for a pen test don’t actually need one.

“Pen testing should be a late validation stage activity,” Langston said during a recent webcast hosted by MSSP Alert. “If you’re doing it at the beginning of your security journey, you’re wasting your money.”

Langston is a pen testing expert at Critical Insight, a managed security services provider. He has decades of experience spanning back to his role as one of the authors of the HIPAA security rule.

His statement feels almost heretical in an industry where pen testing is often sold as an essential first step. But Langston’s argument is hard to ignore: The value of pen testing lies in testing the strength of existing defenses—not in identifying basic vulnerabilities.

Read the complete article here.
