Researchers at ESET have discovered several high-profile espionage attacks aimed at government and diplomatic entities in Eastern Europe.
According to the analysis, the attacks were conducted using a previously unreported cyber-espionage platform, which is notable for its modular architecture, along with two prominent features: the AT protocol used by one of its plugins for GSM fingerprinting, and Tor, which is employed for its network communications. Given these features, ESET researchers have named the platform Attor.
“The attackers who use Attor are focusing on diplomatic missions and governmental institutions,” said Zuzana Hromcová, ESET malware researcher. “These attacks, ongoing since at least 2013, are highly targeted at users of these Russian services, specifically those who are concerned about their privacy.”
ESET explained that Attor consists of a dispatcher and loadable plugins that rely on the dispatcher for implementing basic functionalities. The plugins are delivered to the compromised computer as encrypted DLLs and are only fully recovered in memory. “As a result, without access to the dispatcher, it is difficult to obtain Attor’s plugins and to decrypt them,” added Hromcová.
The platform targets specific processes, including processes associated with Russian social networks and some encryption/digital signature utilities.
Among Attor’s capabilities implemented by its plugins, two stand out for their uncommon features: network communication and the fingerprinting of GSM devices.
Attor’s infrastructure for C&C communications spans four components – the dispatcher providing encryption functions and three plugins implementing the FTP protocol, the Tor functionality and the actual network communication. “This mechanism makes it impossible to analyze Attor’s network communication unless all the pieces of the puzzle have been collected,” explained Hromcová.
“Fingerprinting a device can serve as a base for further data theft. If the attackers learn about the type of connected device, they can craft and deploy a customized plugin that would be able – using AT commands – to steal data from that device and make changes in it, including changing the device’s firmware,” concluded Hromcová.
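The GSM fingerprinting Hromcová describes rests on the standard AT identification commands that any modem answers (3GPP TS 27.007). The following Python is an added illustration of that mechanism, not code from ESET or from Attor itself: it issues the identification commands over a transport, parses the modem's replies (including command echo and "+CME ERROR" responses), and returns a fingerprint an attacker could use to pick a device-specific plugin. The modem here is a constructed stub; on a real system the same exchange would run over a serial port, and the manufacturer, model and IMEI values are made up.

```python
# Added example: GSM modem fingerprinting over AT commands.
# The modem below is a constructed stand-in, not a real device.

# Identification commands from 3GPP TS 27.007. Each is answered with one
# information line (optionally prefixed "+CGMI: " etc.) and a final "OK".
ID_COMMANDS = {
    "manufacturer": "AT+CGMI",
    "model": "AT+CGMM",
    "revision": "AT+CGMR",
    "imei": "AT+CGSN",      # hardware identity
    "imsi": "AT+CIMI",      # subscriber identity, needs a SIM
}


def parse_at_reply(raw: str, command: str):
    """Split a raw AT reply into (information_lines, succeeded).

    Handles: command echo (ATE1 is the default on many modems), the optional
    "+CMD: " prefix on information lines, and the final result codes "OK",
    "ERROR" and "+CME ERROR: <n>" (e.g. 10 = SIM not inserted).
    """
    lines = [ln.strip() for ln in raw.split("\r\n") if ln.strip()]
    if lines and lines[0].upper() == command.upper():
        lines = lines[1:]                      # drop the echoed command
    if not lines:
        return [], False                       # nothing answered at all
    final, info = lines[-1], lines[:-1]
    if final.upper() != "OK":
        return [], False                       # ERROR / +CME ERROR: n
    prefix = command.upper().replace("AT", "", 1) + ": "   # "AT+CGMI" -> "+CGMI: "
    return [ln[len(prefix):] if ln.upper().startswith(prefix) else ln for ln in info], True


def fingerprint(modem) -> dict:
    """Probe the port with a bare "AT"; if something answers, collect the
    identification fields. Fields the device refuses come back as None."""
    if not parse_at_reply(modem.exchange("AT"), "AT")[1]:
        return {}                              # no AT-capable device on this port
    result = {}
    for field, cmd in ID_COMMANDS.items():
        info, ok = parse_at_reply(modem.exchange(cmd), cmd)
        result[field] = info[0] if ok and info else None
    return result


class StubModem:
    """Constructed modem: echoes the command and returns a canned reply.
    All identifiers are invented for the example."""
    REPLIES = {
        "AT": "AT\r\nOK\r\n",
        "AT+CGMI": "AT+CGMI\r\nExampleCorp\r\n\r\nOK\r\n",
        "AT+CGMM": "AT+CGMM\r\n+CGMM: EX-1234\r\n\r\nOK\r\n",
        "AT+CGMR": "AT+CGMR\r\n11.234.56.00.00\r\n\r\nOK\r\n",
        "AT+CGSN": "AT+CGSN\r\n490154203237518\r\n\r\nOK\r\n",
        "AT+CIMI": "AT+CIMI\r\n+CME ERROR: 10\r\n",   # SIM not inserted
    }

    def exchange(self, command: str) -> str:
        return self.REPLIES.get(command, f"{command}\r\nERROR\r\n")


class SilentPort:
    """Constructed serial port with no modem behind it: never answers."""

    def exchange(self, command: str) -> str:
        return ""


if __name__ == "__main__":
    print(fingerprint(StubModem()))
    print(fingerprint(SilentPort()))
```

The parser is deliberately tolerant of the two response styles (bare text versus "+CGMM: " prefixed) because modems differ, and it treats any non-"OK" final code as a missing field rather than aborting, which is exactly the behaviour a fingerprinting plugin needs when a SIM is absent.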
At Digital Transformation EXPO Europe Samy Kamkar, independent security researcher and ‘Samy’ MySpace computer worm creator, reflected upon the current cyber-threat landscape and warned that defenders are being challenged to a far greater degree than ever before.
That’s because of the ever-increasing numbers of internet-connected devices being used across the world, extremely high levels of information being shared online and the extremely sophisticated technology cyber-criminals now adopt in their attacks.
“Security is challenging,” Kamkar said. “It’s very difficult to secure everything and as somebody who is trying to defend, you have maybe 100 holes and maybe you can cover 99 of them. For an attacker it’s much easier, you only need to find one problem, one hole to break in.”
So attacks are now very difficult to stop, he added, and that’s because they are now possible to carry out “with low cost tools – tools that even you and I can purchase, with open source software and hardware that anyone can access.”
Staying secure is therefore not easy, Kamkar warned, but he said there are three fundamental steps that can be taken to make better security more achievable.
The first “is using two-factor authentication wherever you can.”
Next, “do not use SMS two-factor authentication. The SMS network is like your local area network – anyone with access can essentially take over any phone number. Do not use SMS if you have the ability to use something like an authenticator or software on your mobile device.”
Lastly, “please use a password manager. There are pros and cons, and yes you are storing passwords in one place that’s centralized, but do anything [you can] to prevent you from using the same password over and over again, which is how all of the largest attacks I have ever seen occurred,” Kamkar concluded.
According to a new research survey, 68% of IT security stakeholders aren't sure whether they've experienced a Pass the Hash attack, and 4% don't even know what this globally prevalent form of attack is.
One Identity field strategist Dan Conrad told Infosecurity Magazine: "While 4% seems like a small percentage, that means nearly one in every 20 IT security professionals does not even know about a significant cyber-attack method.
"As attacks that have such a large impact on organizations, it’s imperative that the security industry continues to emphasize the importance of understanding PtH attacks and the proper methods to combat them."
In a PtH attack, a threat actor first compromises an end user’s machine. One common route to privileged credentials is then to simulate an IT problem that prompts an administrator to log into the compromised system. Windows caches that administrator’s NTLM password hash in memory (in the LSASS process), where the attacker can extract it with a credential-dumping tool. Because NTLM authentication is keyed on the hash rather than on the password, the attacker can replay the hash, without ever cracking it, to authenticate to additional IT resources across the organization.
This attack technique has been doing the rounds since the 1990s and was first reported by Paul Ashton on Bugtraq in 1997. Back then it consisted of a modified Samba SMB client that accepted user password hashes instead of cleartext passwords.
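Why a stolen hash is as good as the password is easiest to see in the protocol itself. The following Python is an added example, not code from the article, One Identity or Ashton’s 1997 Samba client: it computes the NT hash (MD4 of the UTF-16LE password, implemented here in pure Python because hashlib’s MD4 is missing on many OpenSSL 3 builds) and the NTLMv2 challenge-response as specified in MS-NLMP, then shows that an attacker holding only the hash produces exactly the response the server expects. The user name, domain, password, server challenge and the simplified “temp” blob are all constructed values.

```python
# Added example: NT hash and NTLMv2 response, showing that the hash alone
# authenticates. Constructed inputs; not the article's or any vendor's code.
import hashlib
import hmac
import struct

M = 0xFFFFFFFF


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & M


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    R3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):   # round 1: words in order
            a, b, c, d = d, _rotl((a + F(b, c, d) + X[i]) & M, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):   # round 2: words 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & M, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):   # round 3: fixed permutation
            a, b, c, d = d, _rotl((a + H(b, c, d) + X[R3[i]] + 0x6ED9EBA1) & M, (3, 9, 11, 15)[i % 4]), b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). This is what LSASS caches for a
    logged-on user and what the domain controller stores; it is never salted."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTLMv2 response key (MS-NLMP NTOWFv2): derived from the hash, not the password."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || temp."""
    proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob


def server_verifies(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server side: recompute NTProofStr from the stored hash and compare."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)


def pass_the_hash_demo() -> dict:
    """Constructed scenario: an admin's hash is dumped from a compromised
    workstation and replayed by an attacker who never learns the password."""
    user, domain, password = "admin", "CORP", "Summer2019!"
    stored_on_dc = nt_hash(password)              # what the server holds
    stolen_hash = nt_hash(password)               # what a credential dumper pulls from LSASS
    challenge = bytes.fromhex("0123456789abcdef")   # 8-byte server challenge (constructed)
    blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 132_000_000_000_000_000) + bytes.fromhex("deadbeef") + b"\x00" * 4
    legit = ntlmv2_response(nt_hash(password), user, domain, challenge, blob)
    attacker = ntlmv2_response(stolen_hash, user, domain, challenge, blob)
    return {
        "responses_identical": legit == attacker,
        "attacker_accepted": server_verifies(stored_on_dc, user, domain, challenge, attacker),
        "wrong_hash_rejected": not server_verifies(nt_hash("other"), user, domain, challenge, attacker),
    }


if __name__ == "__main__":
    print(nt_hash("password").hex())
    print(pass_the_hash_demo())
```

Note that nothing in the exchange ever requires the plaintext: the password only matters on the path that produced the hash in the first place. That is why the defences discussed below (tiering, a separate administrative forest, privileged password management) aim to keep high-privilege hashes off low-trust machines rather than to make hashes harder to crack.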
Among the survey’s most noteworthy findings is that 95% of respondents say that PtH attacks have a direct business impact on their organizations, with 70% reporting a direct impact on operational costs.
A large majority (87%) of survey respondents say they are already taking steps to prevent PtH attacks, but only 55% have implemented privileged password management.
Microsoft issued guidance back in 2017 for companies to implement Active Directory Red Forest Design, aka Enhanced Security Administrative Environment (ESAE), to help prevent PtH attacks. (Microsoft has since retired ESAE in favour of its broader privileged access strategy, but the underlying principle of keeping administrative credentials out of lower-trust tiers is unchanged.) The survey found that just a paltry 16% of small organizations and 31% of larger companies have followed this advice.
Perhaps most shockingly, among the respondents that have not taken any steps at all to prevent a PtH attack, 85% have no plans to do so.
Dan Conrad told Infosecurity Magazine: "As attacks that typically begin with a phishing email and could lead to a ransomware attack or sensitive data being accessed and stolen, the impact of a PtH attack can be widespread and severe.
"With data breaches creating a significant time and financial burden on any organization, it’s imperative that businesses take these attacks seriously and put privileged access management strategies and protocols in place to defend themselves."
The McCombs School of Business at the University of Texas at Austin has launched America's first professional cybersecurity certificate program specifically geared toward protecting healthcare providers from cyber-attacks.
The Leadership in Healthcare Privacy and Security Risk Management program has been launched by the school in a bid to help close the 1.8 million person gap that the 2017 Global Information Security Workforce Study predicted will hit the global cybersecurity workforce in 2022.
This unique certification course sprang forth from a collaboration between the school and the cybersecurity industry, healthcare organizations, and governmental agencies. It is endorsed by the Texas Hospital Association, cyber risk management and compliance solution provider Clearwater, and CynergisTek, Inc., a cybersecurity consulting firm dedicated to serving the information assurance needs of the healthcare industry.
"This unique leadership program will rapidly equip individuals with the knowledge, leadership skills, and problem-solving competencies needed to manage risk in healthcare environments," said a statement from the McCombs School of Business.
Cross-sector experts in healthcare privacy and security and experienced healthcare technology educators are being brought in to teach the course, which will run for eight weeks starting in July 2020. Students will learn via practical, case-based simulations and hands-on exposure to current and future healthcare cybersecurity technologies.
The course, which has been developed to meet the needs of healthcare organizations, vendors, and governmental agencies, will be built around multiple thematic modules. Modules confirmed so far include "Processes to Ensure Organizational Safety and Security" and "Policies and Governance in Healthcare Entities."
To ensure that the curriculum keeps up with the ever-evolving cybersecurity threat landscape, the program will be shaped by ongoing feedback from members of the privacy and cybersecurity industries, and in the future by program graduates as well.
With nearly 500 US healthcare organizations having been targeted by ransomware attacks since the start of the year, the need for a training program geared toward their protection is unequivocal.
Founder and executive chairman of Clearwater, Bob Chaput, who described the new certification as a "much-needed program," said: "While there’s a massive shortage of traditional technical cybersecurity talent in all industries, healthcare has been specifically challenged as one of our nation’s last industries to undergo significant digital transformation."
Britain's National Cyber Security Centre has reported a significant increase in the number of young women applying for cybersecurity courses.
Rather appropriately, the surge in female applicants for the free cybersecurity courses was announced on Ada Lovelace Day, an international celebration of women in science, technology, engineering, and math (STEM) held every year on the second Tuesday of October.
According to the figures, nearly 12,000 girls took part in the prestigious CyberFirst Girls Competition 2019. Also, the CyberFirst Defenders course, which introduces teenagers to how to build and protect small networks and personal devices, had 705 female participants.
NCSC's cybersecurity courses, which are held at venues across the UK, have proved to be popular beyond just girls, with the center reporting a 29% rise in overall applications in 2019 compared to the year before.
Participants are given the opportunity to encounter and explore everyday technology so they can build an understanding of how it works. They also attend lectures, learn through hands-on practical projects, and have the chance to hear presentations by guest speakers.
Saskia, who attended the CyberFirst Futures course that took place in Cardiff, said: "I haven't had the opportunity to study computer science at school, but CyberFirst has encouraged me to consider the subject at University—I just wish the course was longer!"
As part of the NCSC's CyberFirst initiative, young people interested in studying cybersecurity at university can apply for an annual bursary of £4,000. They can also put themselves forward for three-year apprenticeships in the cybersecurity industry, which allow them to earn while they complete a recognized degree course.
Chris Ensor, NCSC deputy director for growth, said: "We're delighted to see so many young people interested in finding out more about cybersecurity. The significant rise in female applications is especially pleasing, and something we want to see continue into the future.
"It's never been more important to increase and diversify the cybersecurity workforce and we're committed to nurturing the next generation of skilled experts and addressing the gender imbalance."
At Digital Transformation EXPO Europe Samy Kamkar, independent security researcher infamous for creating the ‘Samy’ Myspace computer worm that gained notoriety when it propagated across the social networking site in 2005, said that hacking exploits are not always malicious in nature, and are often rooted in inquisitiveness and a determination to push boundaries.
“There is something super-intoxicating about being able to use some sort of tool and manipulate a system across the internet without knowing anything else about it,” he explained.
It is that capability that often inspires hackers and researchers to continually evolve and develop different attack methods, and explains why threats are not only constantly changing, but are also constantly harder to defend against, Kamkar argued. “Once there is no challenge, the fun is gone [for hackers].”
Kamkar likened hacking to “solving a puzzle,” adding that “it’s always really fun to solve a puzzle – it feels good to get to the other side.”
He said: “It’s as if somebody designed a maze; in a typical maze you can escape if you find the right path out. With computer hacking, it’s as if somebody designed a maze and then they blocked off all of the exits, but when you’re hacking, you’re still able to get to the other side.”
Twitter has admitted that personal contact information of users may have “inadvertently been used for advertising purposes.”
According to a statement published earlier, it discovered that when users provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have been fed into Twitter’s Tailored Audiences and Partner Audiences advertising system.
“Tailored Audiences is a version of an industry-standard product that allows advertisers to target ads to customers based on the advertiser's own marketing lists (e.g., email addresses or phone numbers they have compiled)” it explained, while Partner Audiences allows advertisers to use the same Tailored Audiences features to target ads to audiences provided by third-party partners.
The statement read: “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize.”
It could not say “with certainty” how many people were impacted by this, but it clarified that no personal data was ever shared externally with partners, or any other third parties.
“As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising.”
In an email to Infosecurity, Javvad Malik, security awareness advocate for KnowBe4, said that many companies have implemented two-step authentication for services via an SMS message to the user’s phone, as this protects accounts against attacks such as credential stuffing, where attackers who already hold a leaked password would otherwise be able to access accounts.
“However, with email address and phone numbers, advertisers are able to profile people more accurately across multiple services and target them with more accuracy,” he said. “It is unfortunate that Twitter allowed this to happen, as these details were only provided for security purposes.
“In light of this, and other similar revelations in the past, as well as the growing number of attacks such as SIM swap, which hijack users’ phone numbers, companies should make the strategic decision to move away from using a phone number as a primary means of authentication, and adopt more secure alternatives for multi-factor authentication.”
Stuart Sharp, VP of solution engineering at OneLogin, said that it would be up to the lawyers to decide whether or not Twitter's misuse of personal contact details broke the letter of the law, but “it certainly broke the spirit of GDPR.”
He said: “This type of activity will likely result in users removing their phone numbers from the site, which will ultimately affect the number of people using additional factors for authentication such as text verification, which is a massive step backwards for all those working hard to push MFA as a method of increasing security online. Ultimately, everyone will lose as Twitter accounts will be more vulnerable to malicious take-over.”
At Digital Transformation EXPO Europe Sir John Sawers, former chief, Secret Intelligence Service (MI6), explored the recent growth of cyber technology and its impact on cyber-threats and cyber-defense.
Reflecting upon his career at MI6, Sawers noted how cyber and technology became an integral part of the secret service’s work during his tenure.
“Even at MI6, a human-intelligence service, I had to increase our spend on technology from about a third of our budget to half of our budget during the five years that I was chief of the service,” he explained. “Technology was such a big driver of everything we did; the power of data analytics in terms of piecing together puzzles about terrorist plots and identifying who was posing a threat was an absolutely vital tool.”
Sawers saw a “lot of life move online,” including the significant rise of extremist websites and chatrooms, and “the role of cyber developed as both an attack tool, and as a crucial part of national defenses.”
This has led to hostile cyber-attacks, particularly nation state attacks, becoming ever more sophisticated, powerful and capable of reaching diverse, widespread targets. He added that, through cyber and tech evolutions, the “skills of offensive cyber are becoming readily available,” and whilst defenses are getting better and better at both a corporate and state level, the “attack tools available to hostile actors are getting more and more powerful.
“That battle, in the cyber-domain, is bound to continue.”
Speaking in the opening keynote session of Digital Transformation EXPO Europe Sir John Sawers, former chief, Secret Intelligence Service (MI6), said that the ongoing dispute between the US and Chinese telecommunications giant Huawei is symbolic of broader problems affecting the global telecoms industry.
“A big thing has been made about the intelligence and security threat posed by having Huawei equipment in the British national system," he said. “I actually tend to play that down a little bit. I think we have a rather good system here in the UK whereby all Chinese equipment that goes into the UK national infrastructure goes through a checking station run by GCHQ, and we’ve not, in the 20 years that we’ve had Huawei equipment in our system, experienced it being used by the Chinese state for espionage purposes.”
However, there is a wider problem in the telecoms industry because there are so few suppliers and manufacturers supplying goods, he explained, and you have no “big American player.”
This is what has led to the US making such an issue around Huawei technology in recent months, Sawers argued, pin-pointing three issues that have had a significant impact.
The first is that there is a potential espionage threat that needs to be managed, and we do all have to be mindful of that.
Secondly, and more importantly, “there’s the industrial policy argument, where the West needs its own telecoms national infrastructure manufacturers, so that we can rely on Western-made, Western-designed kit,” Sawers argued.
Thirdly, Huawei has become a “point of leverage in the wider US-China trade negotiations.”
So, the Huawei issue is “much more complicated than is sometimes presented (as a simple one about national security and intelligence threats) and it’s about a much wider issue of the control of technology,” Sawers pointed out.
“In essence, it’s a microcosm of the challenges the West is going to face during the 2020s. As we move into a world of competition between powers, competition over technology and a time when Western politics is not as healthy or as unified as it has been before, it creates a very complicated backdrop for those who are in the technology business,” he concluded.
Microsoft patched 59 vulnerabilities yesterday, releasing one advisory for Windows 10 Servicing Stack.
Of the 59 vulnerabilities patched, nine are classified as “critical.” There were no vulnerabilities exploited in the wild this month, nor were any publicly disclosed prior to Patch Tuesday.
Jimmy Graham, senior director of product management at Qualys, said that alongside these patches, a Remote Code Execution vulnerability (CVE-2019-1372) exists in Azure App Service on Azure Stack which escapes the sandbox and can execute malicious code as System. “If you have the Azure App Service deployed to your Azure Stack, this patch should be prioritized,” he said.
Satnam Narang, senior research engineer at Tenable, said: “Two more vulnerabilities in Remote Desktop were patched this month. CVE-2019-1333 is a remote code execution vulnerability in Remote Desktop Client which requires an attacker to convince a user to connect to a malicious server using the Remote Desktop Protocol (RDP), or compromise an existing server and host malicious code on it, while waiting for vulnerable clients to connect.
“CVE-2019-1326 is a denial of service flaw in RDP that would allow an attacker to exploit it by connecting to the server and sending specially crafted requests, causing the RDP service on the vulnerable server to stop responding.
"There is also a pair of Win32k elevation of privilege vulnerabilities (CVE-2019-1362, CVE-2019-1364) caused by a failure in how the Windows kernel-mode driver handles objects in memory. These vulnerabilities require an attacker to have previously compromised a system before they can elevate privileges. Both vulnerabilities affect Windows Server 2008 and Windows 7, which will no longer receive security updates after January 14, 2020."
Preparing for data breach response should involve practising with third parties, and repeating the processes.
Whitehead said that reputation is fundamentally based on two things, what you do and what you say, and on how you perform. “If you don’t do everything you can, you’re losing the ability to influence in the first place,” he said. “In terms of how you plan and how you prepare, your role and influence becomes incredibly important and brand and reputation means a lot more than you think it does.”
He recommended having the following steps in place, as “no matter how good you get it, you will never be famous for doing it well, but you will be infamous for doing it badly.” These were:
- Communications – How do you get out ahead of social media, and don’t develop messages on the fly
- Speed – This is of the essence, as if you don’t respond quickly, you will be behind the message and the press
- Capacity and Capability – Your capability is designed and sized to support ‘business as usual,’ so consider how to manage that and support those customers who are affected
- Identity Protection and Repair – Your insurance will cover this, but only 10-20% of customers will take the opportunity up, so consider whether it is an effective means of protecting customers
- Professional Expertise – Whether it is a law firm, crisis communications or a claim team, it is important to have professional entities of people who have been through the process before
Whitehead said breach response preparation was a classic case of “make friends before you need them” in the event of a crisis. Pointing to the Information Commissioner’s Office, he said that EU guidance to supervisory authorities sets out 11 criteria for assessing an organization after a data breach, for deciding whether a fine is relevant and for deciding what the size of the fine should be.
One point states that “any action taken by a controller to mitigate the damage suffered by data subjects” should be considered, and of the 11 criteria, “this is the only one to talk duty of care to data subjects.”
Whitehead said that, if you have exercised duty of care, you may or may not get a fine. “So worry about duty of care and your customers; not just because from a brand and reputation perspective, as if you don’t look after them they will go elsewhere,” he said. “But you should also worry about your duty of care as it is the tipping point for the supervisory authorities to decide on the size of the fine.”
A new report by email and data security company Mimecast has revealed a staggering increase in the number of Business Email Compromise (BEC) cyber-attacks.
The quarterly Email Security Risk Assessment (ESRA) report, released today, found a 269% increase in the number of BEC attacks in quarter two of 2019, compared to the first quarter of the year.
BEC attacks are sophisticated scams that typically target businesses working with foreign suppliers and businesses that regularly perform wire-transfer payments. Formerly known as Man-in-the-Email scams, these schemes compromise official business email accounts to conduct unauthorized funds transfers.
According to the FBI, there are five main types of BEC scams, all of which allow threat actors to commit email-based impersonation fraud using methods that evade many traditional email security systems.
The Bogus Invoice Scheme involves an attacker impersonating a company's supplier and requesting funds transfers to the attacker's bank account in payment of services rendered. An attacker committing CEO Fraud will pose as one of the company's most senior executives and send an email to the finance department requesting that money be transferred to an account they control.
If the attack is an Account Compromise, an executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
A Data Theft BEC attack targets employees in the HR and finance departments to fraudulently obtain personally identifiable information (PII) or tax statements of employees and executives, which can be sold on the dark web or used for future attacks.
Finally, threat actors can launch an Attorney Impersonation BEC attack, in which they pretend to be a lawyer or someone from a law firm in order to access confidential information.
A further finding of the ESRA report is that 28,783,892 spam emails, 28,808 malware attachments, and 28,726 dangerous file types were all missed by incumbent providers and delivered to users’ inboxes.
The sharp rise in BEC attacks identified by the report echoes the findings of the State of Email Security 2019 report, which revealed that 85% of the 1,025 global respondents experienced an impersonation attack in 2018, with 73% of those victims having experienced a direct business impact, like financial, data, or customer loss.
An industry initiative to allow data sharing and interoperability in the cybersecurity sector has won the support of 18 vendors.
The Open Cybersecurity Alliance (OCA), created by international consortium OASIS, will unite end users and organizations in an open cybersecurity ecosystem where products can share information, insights, orchestrated responses, and analytics.
The OCA will strive to increase the cybersecurity value of existing products and discover new security insights by supporting commonly developed code and tooling and encouraging practices for interoperability and sharing data among cybersecurity tools.
A key aim of the OCA will be to make it easier for different cybersecurity technologies to work together across the entire lifecycle of a threat.
In a statement issued earlier today, the OCA wrote: "According to industry analyst firm, Enterprise Strategy Group, organizations use 25 to 49 different security tools from up to 10 vendors on average, each of which generates siloed data.
"Connecting these tools and data requires complex integrations, taking away from time that could be spent hunting and responding to threats. To accelerate and optimize security for enterprise users, the OCA will develop protocols and standards which enable tools to work together and share information across vendors."
The alliance was spearheaded by IBM Security and McAfee and quickly attracted the support of Advanced Cyber Security Corp, Corsa, CrowdStrike, CyberArk, Cybereason, DFLabs, EclecticIQ, Electric Power Research Institute, Fortinet, Indegy, New Context, ReversingLabs, SafeBreach, Syncurity, ThreatQuotient, and Tufin.
At OCA's heart will be two technologies developed by its founding members. The first is McAfee's cybersecurity messaging format OpenDXL Standard Ontology. The second is STIX-Shifter, a search capability for all types of security products based on an IBM open source library. This useful tool can identify information in data repositories that relates to potential threats, pop it into a usable format, and share it with any enabled security tool.
"Attackers maximize damage by sharing data with one another. Our best defense strategy is to share data too," said D.J. Long, vice president of business development at McAfee.
"Organizations will be able to seamlessly exchange data between products and tools from any provider that adopts the OCA project deliverables. We’re looking at the potential for unprecedented real-time security intelligence."
Researchers at the University of Arizona are developing a fresh approach to cybersecurity modeled on the human central nervous system.
The new method, which is being created as part of the Partnership for Proactive Cybersecurity Training project, will aim to detect and neutralize cyber-threats in their earliest stages before they have a chance to do any serious damage.
Inspiration for the project came from human biological responses; for example, how the body's immune system fights a virus and how a person will instinctively pull their fingers away from a burning hot surface before their brain has even received the message that the body is at risk of harm.
"I felt we could learn about how the body protects us by reacting to threats and maybe apply it to cyber by building a 'cyber immune system,'" said Salim Hariri, UA electrical and computer engineering professor and the project's principal investigator.
"We're trying to build these abilities where, when somebody attacks your computer, these measures can detect the attack and act on it before you're even aware something is compromised."
In contrast with security methods that deal with cyber-threats in a reactive way, the new system being constructed is being designed to function proactively. The plan is to use artificial intelligence and machine learning to train machines to recognize cyber-threats on their own, as a doctor might recognize diseases from their symptoms.
To stop the threats before they infect a network or device, researchers will also teach the machines how to recognize threats as they evolve and how to execute a wide range of cures. With an encyclopedia of remedies at their disposal, the machines will be able to search for the one that is most appropriate and automatically apply it to the threat.
"An attacker can reach hundreds of thousands of devices in a fraction of a second, so we need our ability to detect threats and protect a system to work just as quickly," said Hariri.
The National Nuclear Security Administration's Minority Serving Institution Partnership Program has awarded the project a $3 million grant to be paid over a three-year period. Under the terms of the grant, researchers will train students, especially underrepresented minorities, from the University of Arizona, Howard University, and Navajo Technical University as they work to develop new cybersecurity techniques.
Don’t treat cyber-risk any differently to any other risk to your business, as engagement with senior management continues to be a challenge.
Speaking at the ATM & Cybersecurity 2019 conference in London, Nina Paine, global head of cyber partnerships and government strategy, Standard Chartered (UK), discussed the need to keep senior management engaged when creating and maintaining a cybersecurity culture internally.
Paine said that with growing teams there is a “race to keep pace against cyber-criminals and cyber-threat actors” and this means that security teams “cannot do it alone and it is incredibly important that we share knowledge and insights and key learnings with partners across the world.”
Paine said that people ask if a cybersecurity culture can be driven from the “top down or bottom up” and she said that it is probably both as “the tone from the top and senior executive engagement is the key differentiator.” She also said that cyber-leaders are clear on the strategic implications that cyber-risks represent, and this may be about metrics that the business has put in place.
One tone to adopt for senior executives is to stress that “cybersecurity is tremendously important to our customers.” Therefore, cybersecurity has to be treated as a business risk, “as we know the consequences of not doing so are stark.”
Paine also said that cyber-risk should be “normalized as part of enterprise risk management as a whole.”
So how can cybersecurity be part of the wider business discussion? This needs to be done with a trickle down through the business, and not just by having a technical team in a separate room, Paine advised. She said that at Standard Chartered, cybersecurity is treated as a principal risk type, and this means it is subjected to enterprise-wide risk management rules.
She added: “Whether you have got that or not, you have got some principles to think about within each function around challenges and assurance that are absolutely vital to all firms.”
Paine recommended setting up a layered effort to enable better adoption of culture, and one thing firms have done is to set up a senior executives’ safe space “where there are not stupid questions and everybody is a human.” She said that this forum can allow increased understanding of risks, as we “cannot simply rely on small groups of technical experts to keep our organization safe.”
She acknowledged that employee awareness can “sound pink and fluffy,” but you can make it a hard skill set and discipline through automated platforms. She said that as Standard Chartered was automating its awareness, this will enable training and results and learning to be better collected, adding an element of gamification.
To conclude, she pointed out that “what gets measured gets done” and recommended introducing security measurement tools, as well as publishing test scores to divisional heads, as that can drive cultural change in a business.
“I’d like to reiterate that cybersecurity risk and its management is very much a shared responsibility, and everyone from the board to the front line has a critical role to play,” she said. “Whilst an organization’s risk culture does have formal risk policies in it, there is also a really important people side.”
Speaking at the ATM & Cybersecurity 2019 conference in London, detective superintendent Andrew Gould, National Cybercrime Programme Lead, National Police Chiefs’ Council, detailed common attackers, attack tactics and the most common ways to prevent them from happening.
Saying that the main attack groups were “no great surprise,” he highlighted the hostile states as having different motives but having “really invested in their capabilities” which he said was the main challenge, as “if a hostile state comes after you as an organization they are probably going to get you” unless you have significantly invested in your protection. “For most people though, that is probably not going to be a significant concern.”
However, a rising threat is from organized crime, which he said has involved a blurring between a hostile state and organized crime, whether it is being franchised or “tasked out,” while there are organized crime groups who do this as a way to make money.
What has also been a major concern over the last couple of years is “more and more high-level sovereign state tools leaked out.” He explained that these may have been the preserve of American intelligence agencies, but are now in the wild and “available for anyone to download and use as part of criminal enterprise.”
As well as attacks such as DDoS and Business Email Compromise, Gould also said that “the most common type of cyber-dependent crime, where computers are attacking computers” and affecting organizations, is ransomware. While he admitted that detections and infections are down, the trend is towards more targeted ransomware, and he recommended that businesses protect and test backups.
In terms of sophistication, Gould said that attackers are getting better in how they are targeting organizations, as one in five “are successful with spray and pray” techniques. “Actually a lot of criminals are investing time and effort in their targets, and we make it easy for them by putting our personal information online,” he added.
Moving on to the role of the police, he acknowledged that the attitude of the police toward cybercrime has changed over time; “we know there are millions of offences committed in the country each year, but only 25-26,000 of those get reported to Action Fraud.”
However, that has improved, Gould said, “and now we've got teams dealing with cyber-dependent crime like ransomware in every force in England and Wales, when 18 months ago nothing existed.” He continued that every incident is investigated and every victim is advised “to stop them being a victim again.”
He concluded by highlighting the most common mistakes that businesses make in dealing with cyber-incidents, which were:
- No plan, nothing exercised
- Unmapped and poorly understood networks and endpoints
- Business negotiates with blackmailers
- Slow to ask for police help (if at all)
- Only communicate with police through lawyers
- Media messaging does not consider secondary fraud
- Ineffective backups
The firms surveyed more than 3000 IT and IT security practitioners in Australia, Brazil, France, Germany, India, Japan, the UK and the US, discovering that whilst nearly half (48%) of all corporate data is stored in the cloud, only 32% of organizations believe protecting data in the cloud is their own responsibility.
What’s more, the study found that organizations consider cloud service providers to be the ones to bear the most responsibility for securing sensitive data in the cloud (35%), although just 23% of respondents said security was a factor to them when selecting a cloud service provider.
Furthermore, the research found that more than half (51%) of businesses and other organizations still do not use encryption or tokenization to protect sensitive data in the cloud, whilst 54% of respondents stated that cloud storage makes it more difficult to protect sensitive data.
“With businesses increasingly looking to use multiple cloud platforms and providers, it’s vital they understand what data is being stored and where,” said Larry Ponemon, chairman and founder of the Ponemon Institute. “Not knowing this information makes it essentially impossible to protect the most sensitive data – ultimately leaving these organizations at risk. We’d encourage all companies to take responsibility for understanding where their data sits to ensure it’s safe and secure.”
Tina Stewart, vice-president of market strategy for cloud protection and licensing activity at Thales, added: “This study shows that businesses today are taking advantage of the opportunities that new cloud options offer, but aren’t adequately addressing data security. Having pushed the responsibility towards cloud providers, it is surprising to see that security is not a primary factor during the selection process. It does not matter what model or provider you choose, the security of your business’ data in the cloud has to be your responsibility. Your organization’s reputation is on the line when a data breach occurs, so it is critical to ensure in-house teams keep a close eye on your security posture and always retain control of encryption keys.”
A health organization in New Zealand that was targeted in a global cyber-incident in August has uncovered evidence of earlier attacks dating back three years.
Tū Ora Compass Health took its server offline and strengthened its IT security following a cyber-attack on its website in August. On Saturday, the primary health organization (PHO) announced that an investigation by authorities, including the police, Ministry of Health, and the National Cyber Security Centre, has found evidence of multiple earlier attacks dating from 2016 to early 2019.
Martin Hefford, chief executive officer of Tū Ora Compass Health, said: "As stewards of people’s information, data security is of utmost importance to Tū Ora Compass Health. We are devastated that we weren’t able to keep people’s information safe.
"While this was illegal and the work of cybercriminals, it was our responsibility to keep people’s data safe, and we’ve failed to do that."
Tū Ora holds information dating back to 2002 on approximately 1 million individuals from the greater Wellington, Wairarapa, and Manawatu regions. Tū Ora does not hold GP notes, which are held by individual medical centers.
The organization is one of 30 PHOs that collect data from medical centers, then analyze it to ensure patients are screened for diseases like cancer and receive treatment for chronic conditions, including diabetes.
"We don’t know the motive behind the attacks, and we cannot say for certain whether or not these have resulted in any patient information being accessed, but we have laid a formal complaint with police," said Hefford. "Experts say it is likely we will never know. However, we have to assume the worst, and that is why we are informing people."
New Zealand's director-general of health, Dr. Ashley Bloomfield, said: "We have been working with the Government Communications and Security Bureau's National Cyber Security Centre to investigate this intrusion and check if other PHOs and DHBs might be at risk.
"This work is ongoing, and we expect to have an initial assessment in the next two weeks. We are also commissioning further independent reviews of the security of PHO and DHB information systems."
Elad Shapira, head of research at Panorays, commented that the best way for hackers to reach sensitive and confidential information is often through third parties, who can access data but lack the adequate security to guard it.
He said: "For this reason, assessing and continuously monitoring healthcare organizations' third-party security is critical."
The personal information of 92 million Brazilian citizens has been discovered for sale to the highest bidder on an underground forum auction.
According to BleepingComputer, the auction is present on multiple dark web marketplaces that can only be accessed by paying a fee or via an invitation from someone who is already on the inside.
The information is being sold as a 16GB database in SQL format and has a starting price of $15,000 and a step-up bid of $1,000. According to its seller, X4Crow, the records include names, dates of birth, taxpayer IDs, and some address details.
A sample of the database, which was seen and verified as genuine by BleepingComputer, also contained information relating to gender and the names of individuals' mothers.
The origin of the database is unclear, though the inclusion of the taxpayer IDs and the seller's claims that it contains the unique information of 92 million Brazilian citizens could indicate that it's a government database of the approximately 93 million Brazilians who are currently employed.
In addition to offering the data for sale, X4Crow claims that they can retrieve data available in national identification documents, such as ID cards and driving licenses, together with phone numbers, email addresses, previous addresses, professions, education levels, and vehicles. And all they need to do it is the individual's full name, taxpayer ID, or phone number.
Under Article 18 of the Brazilian General Data Protection Law ("Lei Geral de Proteção de Dados" or "LGPD"), consumers have rights relating to their data, and organizations need to ensure personal data is anonymized, redacted, or eliminated. Unfortunately, the law does not go into effect until August 15, 2020, a six-month extension from the previous February 2020 date.
Jonathan Deveaux, head of enterprise data protection with comforte AG, believes that in the future, companies may rely more on methods like tokenization to protect valuable consumer data.
He said: "An emerging best practice among many technology leaders is to adopt a data-centric security approach, which protects personal data with anonymization technology like tokenization.
"Not only does tokenization allow organizations to meet compliance requirements and remain secure, but tokenization also allows organizations to securely embrace modern technology like hybrid or multi-cloud computing, which has been scrutinized as having major data security gaps."
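The data-centric approach Deveaux describes can be illustrated with a vault-based tokenizer. The following is an added example written for this page, not code from comforte AG or any product mentioned here: a taxpayer ID (the 11-digit Brazilian CPF is assumed as the field format) is swapped for a random, format-preserving token before the record leaves the system of record, so downstream analytics and cloud copies never hold the real identifier, while only an authorized caller can map a token back. The `TokenVault` class, the `payments-clearing` role and the sample records are all constructed for the example.

```python
import re
import secrets

# Assumed field format: Brazilian CPF, 11 digits (formatting dots/dash already stripped).
CPF_RE = re.compile(r"^\d{11}$")

# Roles allowed to turn a token back into the real value (constructed for this example).
DETOKENIZE_ROLES = {"payments-clearing"}


class TokenVault:
    """Minimal vault-based tokenizer.

    In a real deployment the vault is an isolated, audited service and its
    mapping table is encrypted at rest; here it is an in-memory dict so the
    example runs stand-alone. Tokens are random, so a token by itself carries
    no information about the original value.
    """

    def __init__(self):
        self._token_by_value = {}  # real CPF -> token
        self._value_by_token = {}  # token -> real CPF

    def tokenize(self, value: str) -> str:
        if not CPF_RE.match(value):
            raise ValueError("expected an 11-digit taxpayer ID")
        # One token per value, so joins and de-duplication still work downstream.
        if value in self._token_by_value:
            return self._token_by_value[value]
        while True:
            # Format-preserving: 11 random decimal digits so legacy schemas accept it.
            token = "".join(str(secrets.randbelow(10)) for _ in range(11))
            if token not in self._value_by_token and token != value:
                break
        self._token_by_value[value] = token
        self._value_by_token[token] = value
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        # Authorization is enforced at the vault, not at the data store holding tokens.
        if caller_role not in DETOKENIZE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._value_by_token[token]


def tokenize_records(vault: TokenVault, records: list[dict]) -> list[dict]:
    """Return copies of the records with the 'cpf' field replaced by its token."""
    out = []
    for rec in records:
        safe = dict(rec)
        safe["cpf"] = vault.tokenize(rec["cpf"])
        out.append(safe)
    return out


# Constructed sample records; the CPF values are made up and are not real identifiers.
SAMPLE_RECORDS = [
    {"name": "Ana", "cpf": "12345678901", "city": "Recife"},
    {"name": "Bruno", "cpf": "98765432100", "city": "Curitiba"},
    {"name": "Ana (duplicate)", "cpf": "12345678901", "city": "Recife"},
]


if __name__ == "__main__":
    vault = TokenVault()
    for rec in tokenize_records(vault, SAMPLE_RECORDS):
        print(rec)
```

Note that the duplicate record receives the same token as the first, so the cloud-side dataset can still be de-duplicated or joined without ever containing the real identifier; a caller outside `DETOKENIZE_ROLES` gets a `PermissionError` rather than the value.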
Leading online gift shop CafePress is the target of a proposed national class-action lawsuit in the United States after allegedly failing to update its security software and taking months to inform customers of a data breach.
The retailer was heavily criticized earlier this year for its poor cybersecurity and incident response after it emerged that 23 million customers had their personal data stolen in a breach that is thought to have occurred in February 2019.
Third-party consumer sites, including weleakinfo.com and haveibeenpwnd.com, were independently warning consumers of the breach as early as July 13, 2019, but the incident was not officially reported by CafePress to their customers until last week.
Data exposed by the breach included email addresses, names, physical addresses, phone numbers, and passwords stored as SHA-1 hashes.
The suit has been filed by consumer-rights law firm FeganScott, which alleges that CafePress failed to employ best practices when alerting customers of the data breach. According to the complaint, CafePress’ first notifications appeared on its website on September 5, but the company did not directly notify its customers until October 2, 2019.
"As galling as it is to know that a national retailer like CafePress failed in its duty to safeguard consumer information, it is reprehensible that they knew—or should have known—about the breach and failed to warn their customers that their credit card information and Social Security numbers could be for sale to the highest bidder on the dark web," said Beth Fegan, a founder of FeganScott.
It is further alleged that CafePress failed to offer adequate protection to its customers by neglecting to update security software that was widely known to be flawed.
"CafePress allegedly relied on Secure Hash Algorithm 1 (SHA-1) as the lynchpin of its data security," said Fegan. "Hackers and security experts know that SHA-1 has been useless in protecting data since about 2005. These days, SHA-1 is the digital equivalent of a picket fence when it comes to keeping the wolves from the sheep."
The suit, filed today in US District Court in Illinois, seeks to represent all US consumers who were impacted by the breach. Consumers who are interested in learning more about this class-action suit can contact firstname.lastname@example.org.