Cyber Risk News
The former CEO of the UK government’s National Cyber Security Centre (NCSC) has joined Paladin Capital Group as a managing director.
The appointment of Ciaran Martin by the global cyber and deep tech investor, headquartered in Washington, DC, was announced today.
Previously, Martin was hired as director of security and intelligence at the Cabinet Office in 2008, later accepting the position of constitution director there in 2011. In 2014, he became head of cybersecurity at Government Communications Headquarters (GCHQ) before starting up the NCSC in 2016 and serving as its first CEO.
“Ciaran Martin is an exceptional talent in the cyber sphere and we’re profoundly pleased to have him join the Paladin team," said Michael Steed, founder and managing partner.
"His understanding of the ever-evolving threat landscape and knowledge of the technologies required to meet those challenges will help us assess potential investments and support our portfolio companies in their growth."
Paladin is a venture capital investor in early stage companies that develop products and services that defend, monitor, and secure our shared critical digital infrastructure. The company invests in businesses based in EMEA, North America, and Asia.
Martin will be based in Paladin’s European headquarters in the UK, where he will assist with the development of Paladin’s presence in the growing European cybersecurity early-stage market.
Paladin's newest managing director will also be part of the company's global Strategic Advisory Board, advising the company on threats, trends, risks, and opportunities in cybersecurity for businesses and governments.
This role is in addition to Martin’s position as Professor of Practice at the Blavatnik School of Government at the University of Oxford.
“I am delighted to be working with the Paladin team," commented Martin. "I learned in Government that whether it’s in the UK, Europe, the US or globally, the common cyber threats we face can only be solved if there is a strong, innovative private sector taking care of huge swathes of the problem.
"That presents enormous economic opportunities for talented technologists and entrepreneurs, and I’m looking forward to being part of a venture capital team helping them to succeed."
The cybercrime gang Netwalker claims to have exfiltrated data from the College of the Nurses of Ontario in a ransomware attack.
A screenshot of data allegedly swiped from the college was posted on Netwalker's website, where the college's name has been added to a growing list of the gang's victims.
In a sparsely detailed statement issued yesterday, the college acknowledged that it had been impacted by a cybersecurity incident but didn't specify what had occurred.
The statement read: "The College of the Nurses of Ontario (CNO) is in the process of resuming normal operations following a cyber security incident. Upon discovery of the incident on September 8, CNO took immediate steps to contain the incident and engaged a leading cyber-security firm that is assisting with remediation and conducting a comprehensive forensic investigation."
As a result of the incident, a number of services offered by CNO are temporarily unavailable, including the public register Find a Nurse, the nurse renewal portal Maintain Your Membership, and the portal for applicants.
CNO said that investigators are still trying to find out whether any personal information was compromised as a result of the incident.
As the governing body for nurses in Ontario, the CNO could have personal information on all the province's 121,488 registered nurses, 59,967 registered practical nurses, and 3,864 nurse practitioners.
CNO data that Netwalker claims to have stolen apparently pertains to the college's human resources department.
Ontario Nurses Association (ONA) president Vicki McKenna told CBC News of her disappointment that the registered nurses her association represents hadn't been directly informed of the incident.
“I’m outraged that I didn’t know as a member of the college that this had happened,” said McKenna.
Michael Hurley, the regional vice president for the Canadian Union of Public Employees, said nurses could be placed in physical danger if their address data was stolen.
"I’m concerned about who will have access to private information about these nurses, some of whom have restraining orders against their partners, or have partners who have expressed an intent to be violent," said Hurley.
In July, the FBI issued a flash alert warning that Netwalker ransomware attacks were on the rise, targeting US and foreign health agencies, education entities, private companies, and governments.
Cybersecurity firm OneSpan has announced the appointment of Ajay Keni as its new chief technology officer (CTO).
Keni replaces Benoit Grangé, who will take up a new position as chief technology evangelist, in which he will “focus on sharing OneSpan’s technology vision and deep industry insights with customers, partners and the broader financial services market.”
As CTO, Keni will be tasked with guiding the expansion of OneSpan’s anti-fraud offerings to secure remote banking transactions, in particular the development and delivery of future product innovations. He has more than 20 years of experience in leading technology and product teams, and was formerly head of product, engineering, quality and DevOps for Oracle’s software-delivered and SaaS-delivered Identity and Access Management products.
He also played a major part in developing Oracle Cloud’s identity strategy, as well as leading its identity cloud service and key management cloud service.
The move is part of OneSpan’s vision to further transform the global financial services market through secure transaction solutions. Current offerings include identity verification, risk analysis, mobile application security, multi-factor authentication, e-signatures and agreement automation.
Keni commented: “OneSpan has an exciting future ahead in identity and anti-fraud technologies. There is clear market demand for OneSpan’s solutions, a strong worldwide banking customer base and a global team executing on this important and essential work in a digital world.”
Scott Clements, CEO of OneSpan, added: “OneSpan’s trusted identity strategy envisions a cloud-centric technology stack that can be deployed in private, public and hybrid environments; one that will see the company further transition toward a cloud-first offering. Ajay is a proven leader who brings experience in product innovation and in implementing open cloud technologies that can be easily integrated and deployed at scale.”
Cybersecurity leaders need to prepare for the long-term picture as well as deal with current day-to-day issues, according to Toby Bussa, VP analyst at Gartner, speaking during the Gartner Security and Risk Virtual Summit.
As we emerge from a decade of substantial change in the cybersecurity landscape, Bussa expects to see a similar evolution occur in the years up to 2030. “The last 10 years have been interesting, and we anticipate the next 10 years to be even more so,” he stated.
Bussa began by outlining how the cybersecurity landscape has been radically reshaped during the past 10 years. These include advances in IT, such as the explosion in cloud services and Internet of Things (IoT) devices that have expanded the attack surface; privacy and data protection emerging as a much more prominent issue; the rise in cyber-attacks conducted by nation states; and ransomware becoming more sophisticated and targeting large organizations.
With this in mind, anticipating further changes over the coming decade will be critical in preventing disruption to business performance and staying ahead of cyber-criminals.
The first expected trend outlined by Bussa is the increasing “balkanization” of the digital world in which enterprises operate. This is born out of the competing interests of digital nationalists and digital globalists: those who want tight controls over the use of the internet and those much more comfortable with sharing data across boundaries.
For example, online filtering is heavily practised in certain digital boundaries, leading to scenarios where “consumers in one part of the world may be unable to access information in other parts of the world because of regulatory concerns.” Bussa added: “What the future of the internet looks like is an important backdrop for what cybersecurity leaders may need to contend with in the future.”
He also stated that technology itself may become balkanized: both in general IT and cybersecurity. This is a result of nation states increasingly developing their own technologies that are used only within certain geopolitical areas. Bussa said this phenomenon is already beginning to take effect and it “is certainly going to be a consideration for cybersecurity leaders, both to contend with the IT that’s being employed by their enterprises but also in the security technologies that they would employ.”
Another area cybersecurity leaders must consider for the coming decade is the likelihood of more regulation and regulatory complexity. Businesses are becoming increasingly digitalized, a trend further accelerated by the COVID-19 pandemic. Bussa noted that “regulators are going to continue to respond and try to understand the impact of these technology innovations on how businesses are moving forward, and this will likely be expressed as laws.”
Anticipating and preparing for these types of trends is therefore crucial to gaining an advantage over cyber-actors. In particular, he cited the need for the concept of “cyber-safety” to come to the fore, with a broader focus on the “life, kinetic and high risk events that can harm an organization or its customers,” rather than just traditional IT security.
Organizational resiliency should be another focus for cybersecurity leaders, in light of the greater range of potential disrupters and threats, ranging from geopolitical issues to natural disasters and new regulations, according to Bussa. An example of this has been seen with the huge shift to remote working during the COVID-19 pandemic, which cyber-criminals have quickly sought to take advantage of.
Bussa concluded by stating that while many events cannot be predicted, cybersecurity leaders can take steps now to ready their organizations for future trends. However, this requires a fundamental shift in the role CISOs play. “Think about how you shift your role as a cybersecurity leader away from someone who’s going to be viewed as the scapegoat when things go wrong towards being a trusted advisor and guide to the organization by embracing a longer-term view and better understanding of what the future may hold,” he said.
The CEO of a cyber-fraud prevention company has been arrested and charged with fraud.
Adam Rogas is accused of using fraudulent financial data to obtain over $123m in financing for Las Vegas–based tech company NS8 and pocketing $17.5m of the cash for himself.
The 43-year-old Las Vegas resident was arrested yesterday in the District of Nevada, where he is expected to appear before a judge today.
The accused is a co-founder of NS8 and served as its CEO, CFO, and a member of its board of directors. Rogas also had primary responsibility for the company’s fundraising activities.
In a statement released yesterday, FBI Assistant Director William F. Sweeney Jr. said: “It seems ironic that the co-founder of a company designed to prevent online fraud would engage in fraudulent activity himself, but today that’s exactly what we allege Adam Rogas did."
A complaint unsealed today in Manhattan federal court alleges that Rogas provided NS8's finance department with bank statements that had been altered to show tens of millions of dollars in both customer revenue and bank balances that did not exist.
"In the period from January 2019 through February 2020, between at least approximately 40% and 95% of the purported total assets on NS8’s balance sheet were fictitious," stated the United States Department of Justice yesterday. "In that same period, the bank statements that Rogas altered reflected over $40 million in fictitious revenue."
In the fall of 2019 and the spring of 2020, Rogas allegedly used this fictitious revenue in fundraising rounds through which NS8 issued Series A Preferred Shares and obtained approximately $123m in investor funds.
NS8 conducted a tender offer with the funds raised from investors. Rogas received $17.5m in proceeds from that offer, personally and through a company he controlled.
Rogas is further accused of supplying falsified bank records to auditors that conducted due diligence on behalf of potential investors.
He is charged with one count of securities fraud, one count of fraud in the offer or sale of securities, and one count of wire fraud. If convicted, he could be sentenced to up to 45 years in prison.
Ensure management adoption and employee engagement in your security awareness program by delivering suitable content in an understandable language.
Speaking at the Gartner Security and Risk Virtual Summit, senior director Brian Reed said that getting investment and support for a security awareness program “depends on persuasive justification, and negotiation skills.”
Asking why gaining support is so important, Reed said that COVID-19 lockdown “provided a unique example of how security can meet the needs of a crisis and an upheaval” and it would be a shame to “waste a crisis” so companies should use this as a security awareness teaching moment.
“The majority of the cost of security awareness is going to come in people and capital; the capital spend requires spending not just on a security awareness tool, but in delivering that content,” he said. “A lot of the organizational negotiation may center around how much training an organization needs, or what the time investment you may need from participants is.” Reed said this is worth considering, as well as what the rewards and consequences are.
“There is also the notion that it is always someone else’s problem and not necessarily mine,” he said, saying charts to determine roles and responsibilities can help resolve these issues from the beginning, as well as highlight skills and competencies that the organization has or is missing. He said typically people fall into one of three types:
- People who will not do the right thing no matter what they are told
- People who will do the right thing provided they are told what the right thing is
- People who will do the right thing instinctively every time
Reed said the vast majority are in the middle section, and will do the right thing provided they are told what the right thing is and if they can be shown and empowered to do the right thing. The third group could also be identified as potential security champions, when other employees do not feel comfortable going to the security or IT teams.
When it comes to organizational buy-in, Reed said this is critical for when you’ve got your users on board, “and you’re accurately setting expectations.” The main ways to get buy-in across the organization include respecting the user’s time and speaking in a language that both security and management understand “as there is often a disconnect with the language being used at a business and technical level.”
Another factor is to utilize active listening techniques to demonstrate that you’ve heard the audience’s concerns, and you’re building the case for security awareness by addressing their concerns and actively pursuing resolutions.
He went on to explain that a program should be tailored for a specific country or culture, and that “seduction is a better tool than imposing security awareness programs out of fear,” as you want people to see that this can be an enabler for your business and not just another compliance training effort.
Reed concluded by saying we should “embrace and celebrate our organization’s history, and we must recognize what progress and transition looks like, and ultimately we should answer the questions of purpose and value and tie them to our security strategy.”
Creating trust on the internet requires the aligning of effective online fraud protection with good customer experience, according to Jonathan Care, senior director analyst at Gartner.
Speaking during the Gartner Security and Risk Virtual Summit, he observed that currently, many e-business fraud prevention teams are overly focused on loss prevention; indeed, 58% of Gartner clients have stated that fraud prevention blocks the goal of having a frictionless customer experience. Yet the two go hand-in-hand. Care said: “Many security failures and omissions can be traced to poorly designed UX.”
Trust often means something different to customers than it does for those in the cybersecurity sector, and if security measures impede user activities, it can prove a source of frustration, potentially leading to the loss of business. “Often this comes from a poorly designed security experience,” noted Care.
This includes upfront demands for sensitive security information and lack of device and channel crossover with regard to security requests. Care stated: “As a consumer, it shouldn’t matter to me if I am transacting via a web portal, a mobile app, or even interacting via the contact center.”
In addition, when online channels are targeted by hackers, this also causes “a reduction in engagement due to the loss of trust. We see a drop in traffic and therefore commerce revenue.”
It is therefore critical that online businesses find a model that combines safety with a seamless customer experience. Care believes there are three pillars to achieving this. Firstly, a commitment to prioritizing trust and safety to ensure the customer experience is slick, including with security measures like authentication.
The second is customizable customer flows, in which the risks associated with individual customers at any point in time are assessed to determine the level of security required. This can be achieved by detecting soft signals, such as through behavioral analytics and device measurement, to see whether additional authentication is needed. Care commented: “When the transaction risk is high and when the trust in the customer is low, then we need to bring in that identity proof.”
The third is the utilization of automated fraud solutions, which use analytics and machine learning to “govern a strongly defined rules base.” For example, this may include the option to redirect a customer to a manual, in-person interaction.
This requires a change in mindset, processes and technologies, according to Care. In terms of the technologies needed to underpin this approach, adoption of fraud detection systems that adapt to the user journey is vital, particularly those that incorporate machine learning methods, such as identity graph evaluation and analytics.
This must be done incrementally, as systems should constantly evolve to meet the changing threat landscape, as well as retain flexibility to meet new customer preferences.
Care concluded: “For consumer-facing e-businesses, trust and safety must govern the user experience and not loss prevention.”
UK business owners have been targeted by a new phishing scam that attempts to gain sensitive information, including payment details, by impersonating Her Majesty’s Revenue and Customs (HMRC), according to an investigation by accountancy firm Lanop Outsourcing.
In emails purporting to be from HMRC, recipients are told that their VAT deferral application has been rejected. This follows an initiative by the UK government to allow businesses to defer VAT payments due between March and June 2020 until March 31, 2021 in order to help struggling companies during the COVID-19 lockdown. At least 100 business owners have so far reported receiving this scam.
The message, which uses official HMRC branding and graphics, begins by saying “Dear customers, Your request for a deferral of VAT payments due to coronavirus (COVID-19) has been rejected… Summary of reject justification: the claimant is in arrears.”
A fake document is also attached, which the email claims contains “more details and a full report on your application.” The email also shares a one-use password to open the document and suggests the original application has been reshared.
The victim is then redirected to a false website and asked to enter sensitive information such as email, passwords and payment details, which are then harvested by the hacker.
This is the latest in a number of phishing scams associated with financial relief measures introduced by the UK government during the COVID-19 pandemic. Others have included an attempt to steal personal and financial details of self-employed workers using the Self-Employment Income Support Scheme (SEISS) and the harvesting of data of UK workers who are expecting COVID-19 tax relief grants.
Commenting on the story, Steve Peake, UK systems engineer manager at Barracuda Networks, said: “This phishing attack is the latest in a series of HMRC-branded email scams, designed to trick business owners into handing over confidential data. With many companies struggling due to the disruption caused by the COVID-19 outbreak, we have seen a real uptake in the number of COVID-19 related attacks targeting business owners and employees. In fact, we recently observed a 667% spike in coronavirus-related spear-phishing attacks from February compared to March, during the start of the UK’s lockdown. Thus, it was only a matter of time before hackers targeted the government’s VAT deferment scheme as a new route to obtaining the bank details of unsuspecting victims.
“Socially engineered service impersonation attacks using trusted brands is unfortunately a growing practice which can be a very successful method of attack, especially when combined with the current world situation. Attackers frequently rely on this form of attack as it delivers an instant level of trust with the email recipient, with many organizations lacking the layered security approach that modern day email security requires.”
Security and risk leaders need to know where their plans for digital transformation are going.
Speaking in the closing keynote of the Gartner Security and Risk Virtual Summit, distinguished VP analyst Mary Mesaglio said leaders are facing four current crises in health, climate, economic and social issues, and this can lead to “transformation fatigue” as leaders are asked to accelerate digital transformation during volatile times.
“So how do we deal with this notion of fatigue with this notion that we have to double down on acceleration? The first rule is to know what we want to change into. I work with a lot of executive teams and know what they want to transform into, but that is not enough to drive the change,” Mesaglio explained.
She said the issue is that the people who do the changing are led by you, and it is difficult to give them a clear and motivating endgame: “you’ll find the people lower down are not that clear.” Mesaglio highlighted five questions that can be asked to figure out what the transformation is, and why:
- What are you transforming into and why?
- Can you tell me that in under two minutes? This is a test of clarity: are you sure what the destination is and where you’re going?
- Can you do it using no corporate speak? Use real language and not just buzzwords
- Can you do it in a way that would be comprehensible and motivating to the front line – to those doing the changing?
- Would your peers say it too? Not using the same words, but with the same coherence “as you don’t want transformation schizophrenia as it leads to bad things”
She added: “It’s a high bar, but it is necessary for any change you want.” Mesaglio said that, too often, corporate messages use pictures of young, beautiful people and the message doesn’t make sense, “this is why you need a real destination and real language.
“If you are undergoing fatigue and still need to digitally accelerate, the first rule is to know what you want to transform into; this is a non-trivial exercise regardless of if you are a small or a large team,” she concluded. “Make sure you know, that there is no corporate speak as that is not going to save you and once you know that, don’t assume a big problem needs a big solution.”
IT firm Pure Storage has entered into a definitive agreement to acquire Portworx, a Kubernetes data services platform. The deal, which is believed to be worth around $370m, is part of Pure Storage’s plan to expand into the market for multi-cloud data services to support Kubernetes and containers.
There has been substantial growth in the use of the cloud native stack to process data into value and insight in recent years, and currently 95% of new applications are developed in containers. It has also been predicted by Gartner that 85% of global businesses will be running containers in production, which is a huge rise from 35% in 2019. In order to keep up with the scaling up of multi-cloud deployments, organizations are likely to require storage services platforms to address challenges in data resiliency, mobility, security, backup and recovery.
Currently, Portworx is the Kubernetes Data Services Platform most used by Global 2000 companies to provide persistent storage, high availability, data protection, data security and cloud mobility for containers deployed in hybrid cloud architectures. Users include Carrefour, Comcast, GE Digital, Kroger, Lufthansa and T-Mobile.
Pure Storage now aims to combine this with its data-platforms and Pure Service Orchestrator software to provide a more comprehensive offering to customers.
Charles Giancarlo, chairman and CEO at Pure Storage, commented: “As forward-thinking enterprises adopt cloud native strategies to advance their business, we are thrilled to have the Portworx team and their ground breaking technology joining us at Pure to expand our success in delivering multi-cloud data services for Kubernetes. This acquisition marks a significant milestone in expanding our modern data experience to cover traditional and cloud native applications alike.”
Murli Thirumale, CEO at Portworx, added: “The traction and growth we see in our business daily shows that containers and Kubernetes are fundamental to the next-generation application architecture and thus competitiveness. We are excited for the accelerated growth and customer impact we will be able to achieve as a part of Pure.”
The US has indicted two Iranians in connection with the theft of hundreds of terabytes of sensitive data from computers in America, Europe, and the Middle East.
Hooman Heidarian, aged 30, and Mehdi Farhadi, 34, were allegedly involved in a slew of coordinated hacks perpetrated to make money or for political reasons.
Data stolen in the attacks and later allegedly sold on the black market by the defendants included confidential communications pertaining to national security, foreign policy intelligence, non-military nuclear information, aerospace data, human rights activist information, victim financial information and personally identifiable information, and intellectual property, including unpublished scientific research.
The defendants are further accused of politically motivated hacking on behalf of Iran to steal information relating to dissidents, human rights activists, and opposition leaders.
Heidarian, otherwise known as Neo, and Farhadi, also known as Mehdi Mahdavi and Mohammad Mehdi Farhadi Ramin, are both from Hamedan, believed to be one of Iran’s oldest cities.
According to the ten-count indictment, since at least 2013, the defendants have been responsible for a coordinated campaign of cyber-intrusions into computer systems around the world.
Among the campaign's victims are several American and foreign universities, a think tank in Washington, DC, a defense contractor, an aerospace company, a foreign policy organization, non-governmental organizations (NGOs), non-profits, and governments and other entities they identified as rivals or adversaries to Iran.
In addition to the alleged theft of highly sensitive data, the defendants are further accused of vandalizing websites. Using the pseudonym “Sejeal,” the defendants allegedly posted messages appearing to signal the demise of Iran’s internal opposition, foreign adversaries, and countries marked out as rivals to Iran, including Israel and Saudi Arabia.
Tools and tactics allegedly used by the defendants to gain and maintain unauthorized access to victim networks included vulnerability scanning tools, session hijacking, SQL injection, malicious programs installations, and keyloggers.
The pair are further accused of developing a botnet tool, which facilitated the spread of malware, denial of service attacks, and spamming to victim networks.
Each defendant is charged with conspiracy to commit fraud and related activity in connection with computers and access devices; unauthorized access to protected computers; unauthorized damage to protected computers; conspiracy to commit wire fraud; access device fraud; and aggravated identity theft.
A woman in need of urgent medical treatment has died after a hospital under cyber-attack was unable to admit her.
Attackers struck the Düsseldorf University Clinic (DUC) last Thursday, causing IT systems at the major hospital to fail. Because of the attack, a woman seeking emergency treatment at the hospital on Friday night died after she had to be transported to a hospital in another city for treatment.
Treatment of the deceased woman was delayed by an hour as she had to travel an additional 20 miles to a hospital in Wuppertal.
The DUC said that computer forensic experts investigating the incident determined that threat actors had managed to exploit a vulnerability in "widely used commercial add-on software." The software that contained the weakness was not named by the hospital.
Following the attack, systems at the DUC gradually crashed, preventing the hospital from being able to access data. As a result, operations were postponed, and emergency patients were redirected to alternative healthcare providers.
Hospital staff said that they believe data temporarily placed off limits as a result of the cyber-assault has not been irretrievably lost. A week on from the attack, the DUC's IT systems are slowly being restarted.
In what may have been a deadly mistake by the attackers, it seems the real target of this cyber-crime may have been Heinrich Heine University, with which the DUC is affiliated.
News agency DPA reported that 30 servers at the hospital were encrypted last week and an extortion note was left on one of the servers, according to a report from North Rhine-Westphalia state's justice minister.
The note was addressed to the Heinrich Heine University and not the DUC. It asked for the university to make contact but did not mention a specific ransom demand.
Düsseldorf police used the contact details given in the note to reach out to the attackers, informing them that their attack had impacted a hospital. The attackers subsequently provided a digital decryption key and made no attempt to extort money.
Communication with the attackers has since broken down. An investigation has been launched that could see the perpetrators charged with negligent manslaughter.
Google has told app developers to remove from its Play Store stalkerware capable of operating behind the scenes without the user's consent.
The tech giant yesterday issued an update to its Developer Program Policy requiring all apps that track users and send their data to another device to include an "adequate notice or consent" and show a "persistent notification" that the actions of the user are being tracked.
While an exception was made for apps used by parents to track their children, Google said that stalkerware was not to be used to track an adult without their consent.
The update states: "Only policy compliant apps exclusively designed and marketed for parental (including family) monitoring or enterprise management may distribute on the Play Store with tracking and reporting features, provided they fully comply with the requirements described below."
App developers were told that they can no longer present their product as an aid to spying or a secret surveillance solution. Nor can they hide or cloak tracking behavior in an attempt to mislead users about an app's true functionality.
App developers have until October 1 to comply with the directives.
Google has also said that, starting October 21, it will remove any apps "that engage in coordinated activity to mislead users."
Christoph Hebeisen, director of security intelligence research at Lookout, a California provider of mobile phishing solutions, welcomed Google's new approach to the stalkerware permitted in its app store.
“The use of mobile technology for surveillance in abusive relationships is a disturbing trend. Google's move to curb such apps on Play is a step in the right direction," said Hebeisen.
Lookout already considers any app that doesn't make it clear tracking is taking place to be malicious. Users receive alerts when surveillance-ware that is unrelated to an app's stated purpose is found on the device.
Hebeisen said: "We consider such apps malicious if the app doesn't show a persistent notification, hides its icon, masquerades as something other than its true functionality or hides a part of its functionality. We apply this logic no matter if the app has been loaded from an official app store or sideloaded onto the device.”
Security information and event management (SIEM) company Securonix has announced two new C-suite appointments to bolster its growth.
Brett Bowman joins Securonix as chief financial officer and Dilshan Ratnayake as chief people officer.
Bowman brings previous experience in defining and executing growth strategy within tech startups and will lead Securonix’s finance and accounting operations. Ratnayake, with a 25-year background in human resources leadership, will head up the people and talent functions across the company’s global footprint and scale its growth and expansion plans.
Bowman said: “It’s clear from recent company trajectory that Securonix provides a platform solution that is purpose built for today’s enterprise security needs and holds unlimited growth potential, which is why joining Securonix is so exciting.”
Ratnayake added: “Coming from several publicly-traded organizations, I recognize the promise Securonix holds and am fully committed to helping it achieve its goals as one of cybersecurity’s next great companies.”
Securonix also announced that it has added product engineering leadership from companies including Amazon, Microsoft and IBM.
“Securonix has experienced unprecedented market traction by allowing customers to cut the cord on traditional security monitoring and leverage the cloud-based SaaS model of the Securonix Next-Gen SIEM platform,” said Dave Colesante, COO of Securonix. “In order to capitalise on recent success and take the next step in our company lifecycle, we must continue to enhance our offerings with the best people, process and technology.”
Academia has faced fresh warnings of cyber-attacks after a rise was recorded in August when students returned.
According to an alert issued by the National Cyber Security Centre (NCSC), there has been a recent spike in ransomware attacks against UK schools, colleges and universities. The NCSC said that in recent incidents it had observed attackers exploiting remote desktop protocol (RDP) and unpatched software and hardware, as well as using phishing emails to deploy ransomware.
Attackers have also sabotaged backup or auditing devices to make recovery more difficult, encrypted entire virtual servers and used scripting environments (including PowerShell) to deploy tooling or ransomware.
Paul Chichester, director of operations at the NCSC, called the targeting of the education sector “utterly reprehensible” at such a challenging time.
“While these have been isolated incidents, I would strongly urge all academic institutions to take heed of our alert and put in place the steps we suggest, to help ensure young people are able to return to education undisrupted,” he said. “We are absolutely committed to ensuring UK academia is as safe as possible from cyber-threats, and will not hesitate to act when that threat evolves.”
David Corke, director of education and skills policy at the Association of Colleges, said: “As the last six months have shown us, it has never been more important for colleges to have the right digital infrastructure in order to be able to protect their systems and keep learning happening, whatever the circumstance.”
Corke called for a “whole college approach and for a focus wider than just systems” to include supporting leaders, teachers and students to recognize threats, mitigate against them and act decisively when something goes wrong.
The NCSC recommended a number of actions to better disrupt ransomware attacks, such as maintaining effective vulnerability management and patching procedures, securing remote desktop protocol with multi-factor authentication, and enabling anti-virus and phishing protections.
Dr Jamie Collier, intelligence analyst at Mandiant Threat Intelligence, said the influx of attacks against universities at the beginning of term “is indicative of threat actors’ ultimate aim with ransomware attacks – to maximize leverage and increase the chance of being paid.”
Collier said the start of term is a critical time for universities trying to onboard students, and their IT infrastructure being held to ransom will cause major operational issues, especially this year. “The issue for universities is compounded by the fact that they have a large and complicated network – which has to account for many departments, students using their own devices and sophisticated computing systems for research – making it difficult to enforce blanket security controls,” he said.
“The attack surface is large and constantly evolving, which means there are more opportunities for attackers to exploit it. Moreover, the data universities hold, including valuable or sensitive research and intellectual property, as well as thousands of students’ personal information, means that there is a lot at stake.”
He echoed the NCSC’s recommendations on patching and authentication, and also recommended universities use threat intelligence to identify the most likely ransomware attacks they will face to put the correct protection measures in place.
Collier said: “Ransomware groups are increasing and diversifying, which is why we are seeing more attacks. Only by identifying the techniques and methods of the most likely ransomware families for their region or the types of data they hold can universities be better prepared for the attacks they may face.”
There has been a 151% increase in the number of DDoS attacks in the first half of 2020, compared to the same period in 2019.
Reporting on the DDoS attacks it detected, Neustar said the number of attacks sized 100 Gbps and above grew by 275%, and the number of “small attacks,” sized 5 Gbps and below, increased by more than 200%. These small attacks of 5 Gbps and below represented 70% of all attacks mitigated by Neustar between January and June 2020.
Michael Kaczmarek, Neustar vice-president of security products, said: “These shifts put every organization with an internet presence at risk of a DDoS attack – a threat that is particularly critical with global workforces reliant on VPNs for remote login. VPN servers are often left vulnerable, making it simple for cyber-criminals to take an entire workforce offline with a targeted DDoS attack.”
There was also evidence of 52% of mitigated threats leveraging three vectors or more, with the number of attacks featuring a single vector essentially non-existent. Neustar tracked new amplification methods and attacks of higher intensity targeted at critical pieces of web infrastructure. The previous high-water mark of 500 million packets per second (Mpps) was topped this year, with an attack of over 800 Mpps recorded.
In an email to Infosecurity, Rory Duncan, security go-to-market (GtM) leader at NTT Ltd, said: “DDoS attacks are increasing in size partly because it is easier: cyber-criminals are now able to compromise more end points with commercialized DDoS services. In addition, organizations have more capacity than ever before to ‘absorb’ or mitigate DDoS attacks, which means that basic volumetric DDoS attacks need to be bigger to overwhelm defenses. In response, our adversaries are also constantly evolving their techniques – and automation is a tool used on both sides of the battle.”
Duncan recommended utilizing incident response and digital forensics capabilities when hit by a DDoS attack, as “having awareness of whether the organization’s infrastructure is compromised and contributing to the botnets that are launching the DDoS attacks is key.” That forensic investigation will involve reviewing and monitoring what every endpoint is doing.
“DDoS attacks can cripple employee productivity, damage brand reputation and eat into sales and profits,” he said. “DDoS protection is therefore an insurance policy against this worst-case scenario. It can be a significant investment with plenty of variables — so it pays for an organization to plan ahead to find the right option. We recommend a hybrid approach which combines on-premise inline devices, to protect against application layer attacks and signal to the cloud if a volumetric attack is detected, and cloud-based scrubbing solutions which allow sanitized business traffic to pass.”
A ransomware attack need not be tragic for midsized enterprises.
That is according to Paul Furtado, senior director, midsized enterprise security at Gartner, speaking at the Gartner Security and Risk Virtual Summit. He said a midsized enterprise is defined as a company with up to 1001 employees, with revenues of $50m to $1bn. Furtado said these businesses typically have an IT budget of less than $20m, and under three people working in IT with no cybersecurity leader.
Furtado explained that ransomware continues to be a problem as costs go up, and that ransomware can sit dormant on a network for around three days and often executes outside of working hours. In terms of what businesses can do, Furtado said ransomware can be handled in the same way as malware, as it comes into the network in the same way, propagates in the same way, “and we can defend against it in the same way.”
Looking at steps for ransomware response, Furtado recommended the following:
- Isolate the System(s) – Unplug it but do not power it down, as you may need the device; make sure it cannot connect to other devices on the network
- Identify Port of Entry – Identify how it got in, and close that method, so it is not moving around
- Prepare a New Device From Image – Do a restore from a gold standard image; you don’t want to risk something sitting on the system that you may miss
- Scan Backups to Ensure No Infection – Scan backups so ransomware is not part of the backup set
- Restore Files to a Time Prior to Infection
- Investigate all Systems in Contact with the Impacted Resource – Identify what other devices that machine connected to, as the exercise needs to be repeated on all of them
- Conduct a Post-Incident Review – This is not about a pass or fail, but identifying gaps and how you can tackle the problem, and what you can do to further improve your security moving forward
Furtado also recommended keeping third parties close for when this does happen, as you will need guidance from legal counsel and should bring them in early in the discussion. He also recommended bringing in a managed security services provider or a managed detection partner as part of your security team, as they can help contain and minimize the impact.
He also recommended keeping incident response partners, a cyber insurance provider and law enforcement informed too.
“Keep in mind ransomware prevention is both doable, and manageable, yes it is scary, but you can handle it,” he said. “Stick to doing the fundamentals well and it is very important to go back and not over complicate the process, do the basics right.”
Commenting on the debate over whether a ransom should be paid, Furtado said it is up to the company and depends on its ability to recover and the impact on the business: pay and get the decryption key, or try to recover from backups. “When you do pay, there is no guarantee you’re going to get all of your data back,” he warned. “Also, you’ll be a target for future attacks, and keep in mind any cryptocurrency transaction you do is part of public record.”
Former Australian Prime Minister Tony Abbott’s passport details and personal phone number were obtained by a hacker, it has been reported.
Writing on his personal blog, Australian hacker Alex Hope outlined that he was able to gain this sensitive information after Abbott posted a picture of his boarding pass back in March 2020 on the social media site Instagram. Hope said he was able to log in to Abbott’s online booking page with Australia’s national airline carrier Qantas by typing in the reference number displayed on the boarding pass.
He then obtained Abbott’s passport and phone number, as well as staff comments about the former Prime Minister’s seat requests, by inspecting the page’s HTML source.
However, Hope did not reveal these details, and instead took steps to first inform the Australian government of what he had done and then Qantas regarding the flaw on the booking page that enabled these details to be accessed. Following initial correspondence, the airline informed Hope five months later that the bug in question had been fixed.
Hope was eventually also able to contact Abbott’s staff, who informed him that they were aware of the situation and were in the process of getting a new passport for the former PM.
Abbott himself, who has recently been appointed as an official UK trade advisor, then phoned Hope to discuss the incident, requesting more information about how it occurred.
Quoted in The Guardian, a spokesman for Abbott said: “Mr Hope brought this to the attention of relevant bodies earlier this year, and it has since been resolved.”
Commenting on the story, Jake Moore, cybersecurity specialist at ESET, said: “Few people realize the dangers of photographing seemingly innocuous information such as plane tickets and then posting it on social networks. Yet, as we have seen here, the internet can easily carve up personal details after a little trawling. Many airlines now require information such as a username and password to obtain more personal details, but there are still a number of providers where only the ticket reference from the boarding pass is needed to unravel the more private details on anyone who flies with them.
“Many people now live their whole lives through social media and give little thought to the consequences of what might happen should personal data get into the wrong hands. We need to educate those users and remind them to think twice when posting sensitive information. Furthermore, information that seems trivial to them could just be the missing piece in the jigsaw to a cyber-criminal.”
A lawsuit has been filed against Warner Music Group following the disclosure of a data breach that compromised customers' sensitive personal information.
Attackers were able to access personal data entered by customers into the impacted sites between April 25, 2020, and August 5, 2020. Information compromised in the attack included names, email addresses, telephone numbers, billing addresses, shipping addresses, credit card numbers, card expiration dates, and CVC and CVV codes.
Levi Combs of Marysville, Ohio, and Esteban Trujillo of Orlando, Florida, purchased items from websites operated by Warner in July 2020 and May 2020, respectively.
Both men subsequently received Warner's Notice of a Data Breach document at the beginning of September.
Combs and Trujillo allege that Warner failed to "properly secure and safeguard personal identifiable information, including without limitation, unencrypted names, email addresses, telephone numbers, billing addresses, shipping addresses, payment card numbers, payment card CVV security codes, and payment card expiration dates."
The plaintiffs further claim that the company "failed to provide timely, accurate, and adequate notice to plaintiffs and similarly situated WMG customers ('Class Members') that their PII had been stolen by hackers, and precisely what types of information was unencrypted and in the possession of unknown, unauthorized third parties."
In August, the same payment cards that Combs and Trujillo had used to make purchases from Warner's hacked websites were used by an unknown third party or parties to make two unauthorized purchases, one of which was declined by the bank after appearing suspicious.
“These large companies know the risk posed by cyber-criminals and continue to be cavalier with their customers’ personal information," said Morgan & Morgan attorneys John Morgan and Jean Martin in a statement.
"The fact that this breach allegedly went on undetected for more than three months demonstrates the alleged lack of care taken by Warner Media Group to secure its customers’ information."
One of the largest IT staffing companies in America has been hit by a second ransomware attack in nine months.
In the first incident, attackers deployed the ransomware three days after gaining unauthorized access to some of the company's systems. The incident was picked up by the company following reports of suspicious activity on the user account of an Artech employee.
Ransomware gang REvil (Sodinokibi) claimed responsibility for the attack on Artech. After apparently failing to extort a ransom payment from the company, on January 11 the gang leaked what they claimed was 337 MB of data stolen from Artech's servers.
Now it appears that the company has been hit with ransomware for a second time, but from a different source.
The profitable business, which brought in around $810m in annual revenue last year, is among the victims listed on the website of the threat group MAZE.
Along with the announcement of the alleged hack, MAZE has uploaded a zip file of data it claims to have stolen from Artech.
Commenting on the alleged second ransomware attack, Emsisoft threat analyst Brett Callow told Infosecurity Magazine: "It’s not uncommon to see companies hit for a second time, and sometimes by a different ransomware group. In some cases, this will simply be coincidence. In other cases, it’s likely that the network was backdoored during the initial attack and the backdoor was subsequently sold or traded to whichever group carried out the second attack."
Callow added that it was absolutely critical for any company hit by ransomware to take appropriate action to remediate the incident.
"Failing to do so can result in a second attacker's maintaining a foothold in the network, monitoring communications, continuing to exfiltrate data, and encrypting it for a second time," said Callow.
Artech is a privately-held firm that provides government services, workforce and staffing solutions, and program management. It employs over 10,500 staff and consultants across the United States, Canada, China, and India.