Experts On American Payroll Assn attack; Fed. Acquisition Supply Chain Security Act


by Security Experts | informationsecuritybuzz.com »

The nonprofit American Payroll Association (APA) notified members and customers of a data breach resulting from a web skimmer on its website login and online store checkout pages. The Association and its 121 local chapters organize training seminars and events that are attended by more than 36,000 yearly.

EXPERTS' COMMENTS

Saryu Nayyar, CEO, Gurucul | September 02, 2020

Government acquisition and supply contracts are a complex issue.

“Government acquisition and supply contracts are a complex issue. Every organization needs to balance capability, cost, and security when they’re buying new hardware or software, but buyers in the Federal space have National Security concerns that civilian agencies don’t have to consider. Hopefully, this new guidance from OMB (Office of Management and Budget) will provide a transparent and consistent way to assure resources acquired through the Federal supply chain remain secure.”


Saryu Nayyar, CEO, Gurucul | September 02, 2020

If it was a CMS flaw, it shows that security holes aren’t being patched in a timely fashion.

“The American Payroll Association breach shows a number of places where the industry as a whole still needs to do a better job. Attackers were apparently able to leverage a flaw in APA’s content management system (CMS) or a compromised admin account to place their skimmer. If it was a CMS flaw, it shows that security holes aren’t being patched in a timely fashion. Whether it was because the flaw was undetected, the patch hadn’t been released, or an existing patch hadn’t been applied, the result is the same. APA was able to identify this attack in under 90 days, which is an improvement over previous years in reducing attacker dwell time, but is still much too long. Better analytic tools could have mitigated the situation by recognizing the behaviors associated with an attack, both on the affected servers and in user activity with stolen credentials. Separately, the US Office of Management and Budget today issued the Federal Acquisition Supply Chain Security Act and a request for comments (open through Nov. 2, 2020) designed to control who supplies the US Federal government with technology and technology services. The Act is intended to help curtail procurements from vendors and organizations that may pose a threat to national security.”
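The comment above argues that tooling which notices a change on the affected servers could have shortened the time a skimmer sat on the login and checkout pages. The following script-inventory baseline check is an added example, not code from the original article, from APA, or from Gurucul: it records every external script URL and the SHA-256 of every inline script on a known-good copy of a page, then flags anything on a later fetch that is not in that baseline. The HTML fragments and the `cdn.example.com` URL are constructed for the example; in practice the baseline would be built from a reviewed release and the check run on a schedule against the live pages.

```python
"""Script-inventory baseline check for login/checkout pages (stdlib only)."""
import hashlib
from html.parser import HTMLParser


class ScriptInventory(HTMLParser):
    """Collects external <script src> URLs and SHA-256 digests of inline scripts."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attribute values, in document order
        self.inline = []     # sha256 hex digests of inline script bodies
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self._in_inline = False
            body = "".join(self._buf).strip()
            if body:
                self.inline.append(hashlib.sha256(body.encode("utf-8")).hexdigest())


def inventory(html):
    """Return {'external': [urls], 'inline': [sha256 digests]} for one page."""
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "inline": parser.inline}


def find_unexpected(html, allowed_src, allowed_inline_hashes):
    """Scripts present on the page but absent from the reviewed baseline."""
    inv = inventory(html)
    return {
        "external": [s for s in inv["external"] if s not in allowed_src],
        "inline": [h for h in inv["inline"] if h not in allowed_inline_hashes],
    }


# Constructed sample: the reviewed checkout page used to build the baseline.
BASELINE_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.appConfig = {"currency": "USD"};</script>
</head><body><form id="checkout"></form></body></html>"""

# Constructed sample: the same page with two scripts that are not in the baseline.
TAMPERED_HTML = """<html><head>
<script src="/static/checkout.js"></script>
<script>window.appConfig = {"currency": "USD"};</script>
<script src="https://cdn.example.com/stats.js"></script>
<script>/* constructed stand-in for a script nobody reviewed */ var marker = 1;</script>
</head><body><form id="checkout"></form></body></html>"""

_baseline = inventory(BASELINE_HTML)
ALLOWED_SRC = set(_baseline["external"])
ALLOWED_INLINE = set(_baseline["inline"])


def check_page(html):
    """Convenience wrapper: compare a fetched page against the stored baseline."""
    return find_unexpected(html, ALLOWED_SRC, ALLOWED_INLINE)


if __name__ == "__main__":
    print("baseline page:", check_page(BASELINE_HTML))
    print("tampered page:", check_page(TAMPERED_HTML))
```

Any non-empty result is an alert for whoever owns the page, and the allowlist is only changed through the same review that ships a release; a skimmer dropped in via a CMS flaw or a compromised admin account shows up as a new script URL or a new inline digest on the next run rather than after the card brands call.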


External Link: Experts On American Payroll Assn attack; Fed. Acquisition Supply Chain Security Act
