Monday, 15 July 2019

How to Prevent Insider Data Breaches at your Business

Guest article by Dan Baker of SecureTeam

Majority of security systems are installed to try and forestall any external threats to a business’ network, but what about the security threats that are inside your organisation and your network?

Data breaches have the potential to expose a large amount of sensitive, private or confidential information that might be on your network. Insider threats are a significant threat to your business and are increasingly being seen as an issue that needs dealing with.

SecureTeam are experts in cybersecurity and provide a variety of cybersecurity consultation solutions to a range of businesses. They have used their extensive knowledge of internal network security to write this handy guide to help businesses protect themselves from insider data breaches.

Who is considered an Insider Threat?

Insider threats can come from a variety of different sources and can pose a risk to your business that you might not have considered.

Malicious Insider 
This is when an employee who might have legitimate access to your network has malicious intentions and uses that access to intentionally leak confidential data. Employees who intentionally provide access to the network to an external attacker are also included in this threat.

Accidental Insider
This is when an employee makes an honest mistake that could result in a data breach. Something as simple as opening a malicious link in an email or sending sensitive information to the wrong recipient are all considered data breaches. The main cause of accidental insider data breaches is poor employee education around security and data protection and can be avoided by practising good security practices.

Third Party
There is a data protection risk that arises when third-party contractors or consultants are provided with permission to access certain areas of the network. They could, intentionally or unintentionally, use their permission to access private information and potentially cause a data breach. Past employees who haven’t had their security access revoked could also access confidential information they are no longer entitled too and could be seen as a threat.

Social Engineers
Although this threat is technically external a social engineers aim is to exploit employees by interacting with them and then attempting to manipulate them into providing access to the network or revealing sensitive information.

Data breaches from internal threats have the potential to cause the loss of sensitive or confidential information that can damage your business’ reputation and cost you a significant amount of money. There are some ways you can attempt to prevent insider data breaches, however. 

How to prevent Data Breaches

There are a few simple ways you can try to prevent an internal data breach, including:

Identify your Sensitive Data
The first step to securing your data is to identify and list all of the private information that you have stored in your network and taking note of who in your organisation has access to it. By gathering all of this information you are able to secure it properly and create a data protection policy which will help keep your sensitive data secure.

Create a Data Protection Policy
A data protection policy should outline the guidelines regarding the handling of sensitive data, privacy and security to your employees. By explaining to your staff what they are expected to do when handling confidential information you reduce the risk of an accidental insider data breach.

Create a Culture of Accountability
Both employees and managers should be aware of and understand their responsibilities and the responsibilities of their team when it comes to the handling of sensitive information. By making your team aware of their responsibilities and the consequences of mistakes and negative behaviour you can create a culture of accountability. This also has the more positive effect of highlighting any issues that exist before they develop into full problems which can then be dealt with training or increased monitoring.

Utilise Strong Credentials & Access Control
By making use of stronger credentials, restricting logins to an onsite location and preventing concurrent logins you can make your network stronger and remove the risk of stolen credentials being used to access the network from an external location.

Review Accounts and Privileged Access
It is important that you regularly review your user's privileges and account logins to ensure that any dormant accounts no longer have access to private information and that users don’t have unnecessary access to data. This helps to reduce the risks of both accidental and malicious insider data breaches.

Conclusion
The threat of an insider data breach continues to be an issue to businesses throughout a range of sectors. However, by putting a plan in place for these insider security threats it improves the speed and effectiveness of your response to any potential issues that arise.

It is sensible to assume that most, if not all, businesses will come under attack eventually and by taking the threat seriously and adhering to the best security practices then you can help to prevent an attack turning into a full-blown data breach.

Monday, 1 July 2019

Cyber Security Roundup for June 2019

Keep Patching!
June 2019 was another very busy month for security update releases. Microsoft released updates to patch 22 critical rated vulnerabilities, Intel released 11 fixes, and there were also several critical security updates for Apple Airport, Adobe Flash Player, Cisco devices, Cisco Data Centre Network ManagerDell SupportAssistGoogle Chrome, Firefox and Apache.  One further standout vulnerability was the "SACK Panic" TCP Linux and FreeBSD kernel vulnerability, uncovered by Netflix researchers, however, Microsoft released a security advisory in regards to TCP SACK Panic by the end of the month.

The National Security Agency (NSA) backed up UK National Cyber Security Centre (NCSC) and Microsoft’s continuing strong recommendations for everyone to apply the latest security updates to all versions of Microsoft Windows, including the unsupported XP, Vista and Windows 2003 Server, to protect against the supercritical CVE-2019-0708 “BlueKeep” vulnerability.

More Major Ransomware Attacks coming to the UK?
We all know the United States government famously takes a stand of no negotiation with terrorists and kidnappers, with the specific policy of never paying ransom demands. There is a good reason for this policy, as paying ransoms just serves to encourage further kidnapping and ransom demands. So it was interesting to learn this month, that US local government does not adhere to the same policy when dealing with ransomware demands. Rivera Beach (Florida) paid a whopping $600,000 ransom to hackers after its computers systems were taken over by ransomware after an employee clicked on a link within a phishing email. Phishing emails are the typical starting ingress of most mass ransomware outbreaks which cripple organisations.  The Lake City (Florida) government officials said they had also paid a $460,000 ransom to cybercrooks following a ransomware attack on their municipality on 10th June.  Meanwhile, Baltimore officials approved $10 million to cover ongoing expenses related to its ransomware attack.

Paying ransomware demands will fuel further ransomware attacks, so I expect ransomware attacks to further escalate. So the big question is, can we expect UK further local government authorities and large organisations to be hard hit by mass ransomware outbreaks? The answer to that will come down to how well their patch management is, and whether lessons have been truly learnt from the destructive 2017 WannaCry ransomware outbreaks, which took down a number of NHS services. Given the recent BlueKeep Microsoft Windows critical vulnerability is expected to spark new strains of ransomware in the coming months, ransomware very much like WannaCry with the devasting capability of rapidly infecting and propagating via unpatched Microsoft Windows systems connected to flat networks, we shall soon find out.

Data Breaches
No major UK data breaches were reported in June 2019, but on the other side of the pond, a misconfigured AWS S3 bucket managed by a data integration company led to confidential data from Netflix, TD Bank, Ford and other companies being exposed. And a misconfigured MongoDB database resulted in 5 million personal records left open to the public via a website. Data breaches caused by misconfigured cloud services operated by third parties is becoming a bit of regular theme.

APT10 Cloud Hopper Campaign further Exposed
An interesting article by Reuters revealed eight of the world’s biggest technology service providers were successfully hacked by APT10 aka 'StonePanda'. APT10, linked to China hackers, operated a sustained campaign over a number of years dubbed “Cloud Hopper”, which Reuters revealed affected Hewlett Packard Enterprise (HPE), IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology. The ATP10 attackers searched for access points into networks an IT systems, when found, extracted confidential information and potential trade secrets. These reported hacks may well be the tip of the iceberg. The Register stated, having gained access to the major service providers, the APT10 group may have gained access to many of their customers. Those customers run into the millions, “dramatically increasing the pool of valuable industrial and aerospace data stolen.”

BLOG
NEWS

VULNERABILITIES AND SECURITY UPDATES

HUAWEI NEWS AND THREAT INTELLIGENCE
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
REPORTS

Monday, 24 June 2019

How can UK Financial Services Organisations Combat the Cyber Threat?

Guest article by Genevra Champion, Sector Marketing Manager at IT Governance

The financial services industry is naturally a lucrative target for cyber criminals. Financial organisations trade and control vast amounts of money, as well as collect and store customers’ personal information so clearly, a data breach could be disastrous for an industry that is built on trust with its customers.

The financial services industry is second only to retail in terms of the industries most affected by cyber crime – the number of breaches reported by UK financial services firms to the FCA increased 480 per cent in 2018, compared to the previous year. While financial services organisations are heavily regulated and cybersecurity is becoming more of a business priority, there is still much more to be accomplished when it comes to businesses understanding what measures must be taken – from the C-suite down – to effectively protect organisations against inevitable breaches.

So how can financial services firms proactively equip themselves to respond to increased regulatory scrutiny and mitigate the impact from the growing number of threats they will face?

Mitigating the Cyber Threat Financial institutions were able to defend against two-thirds of unauthorised fraud attempts in 2018, but the scale of attacks significantly increased. Significant market players including Tesco Bank, Metro Bank and HSBC all reported breaches in the last year. Clearly, the banks’ cybersecurity defences have not developed at a fast enough pace. Cyber criminals can and will dramatically outspend their targets with increasingly sophisticated attack methods. In addition, many of the traditional banks struggle with large, cumbersome legacy systems, which pose significant reliability issues, as well as flaws in security.

Last year’s IT banking disaster led to thousands of TSB customers being locked out of their accounts, leading to fraudsters exploiting the situation by posing as bank staff on calls to customers in order to steal significant sums of money from customers. The breach occurred while the company was conducting an upgrade on its IT systems to migrate customer data to a new platform. This wasn’t just bad luck for TSB, but a failure to adequately plan and assess the risks that come with such a huge project. The bank has since pledged to refund all customers that are victims of fraud, a move which will likely see other banks reviewing their approach to the rise of this particular type of cybercrime.

The industry must understand that security incidents are an ever-present risk. However, organisations can be prepared - scoping a defence strategy specific to the firm, with processes for implementation, will mean an attack can be quickly identified, isolated and resolved, minimising business impact.

Appropriate Defence Strategy
The FCA has set out various cybersecurity insights that show how cybersecurity practices of UK financial services firms are under the regulatory microscope, as the cyber threat continues to grow. The approach from the FCA includes practices for organisations to put into action such as those that promote governance and put cyber risk on the board agenda. The advice also covers areas such as identifying and protecting information assets, being alert to emerging threats and being ready to respond, as well as testing and refining defences. With cybercrime tools and techniques advancing at a rapid pace, and increasing regulations, it’s no wonder that many organisations struggle to keep up to ensure their defences stay ahead of the game.

In order for in-house security teams to keep up to date with current and evolving threats and data protection issues, firms must invest in regular training. Specialist skills are required to mitigate cyber risk, which for some could be cost-prohibitive. As an alternative, an insourced model allows you to leverage a dedicated and skilled team on an ‘as you need’ basis to deliver an appropriate strategy. With a Cyber Security as a Service (CSaaS) model in place, organisations can rapidly access a dedicated team with the knowledge and skills to deliver a relevant and risk appropriate cyber security strategy.

Crucially, in addition to completing a gap analysis and a multi-layered defence strategy, the model will also apply to people and processes. Attackers will generally aim at the weakest point of an organisation – often it’s staff. Human nature means passwords are forgotten, malware isn’t noticed, or phishing emails are opened, for example. Therefore, a blended approach of technology, processes and shared behaviour is required that promotes the need for staff awareness and education of the risks, in order to effectively combat the threat.

Conclusion
With increased regulatory attention across security and privacy, firms must take steps to improve their defences, or risk severe financial and reputational damage. The issue of cybersecurity risk must become as embedded within business thinking as operational risk. Anyone within an organisation can be a weak link, so the importance of cybersecurity defences must be promoted at all levels – from the board all the way through to the admin departments. It’s everyone’s responsibility to keep the organisation protected against threats.

While the threat of cyber attack is real, financial services firms do not have to take on the battle alone. With a CSaaS model in place, organisations can start to take back control of their cybersecurity strategy and embed it as a trusted, cost-effective and workable core part of the business’ process.

Friday, 21 June 2019

How organisations can effectively manage, detect and respond to a data breach?

Guest article by Andy Pearch, Head of IA Services at CORVID

78% of businesses cite cyber security as a high priority for their organisation’s senior management. Whilst it is encouraging that this figure has risen year on year, generating awareness of cyber security is only one part of the issue. The next step for organisations to take is not only understanding, but intelligently acting on the risks presented. Despite the heightened awareness, many organisations are still focusing on mitigating assumed risks, rather than real risks, without a robust security strategy in place.

Whilst perimeter security is a key part of any organisation’s security posture, the fact is that it cannot work in isolation. Data breaches are now commonplace and largely regarded as inevitable, and the rise of new technologies means that today’s threats have increased in sophistication. As Andy Pearch, Head of IA Services at CORVID, explains, safeguarding data integrity, confidentiality and availability should be fundamental to all cyber security strategies. After all, it is the speed with which a breach is detected and the effectiveness with which it is remediated that will provide the most value – this can be achieved with a strategic Managed Detection and Response solution.

Unidentified attacks The Government’s Cyber Security Breaches Survey 2019 revealed that in the last 12 months alone, almost one third of UK businesses identified cyber security breaches or attacks. What’s more, the research also showed that just under half of these companies identified at least one breach or attack per month. While these figures should be enough to make a business refocus its strategic security thinking, it is the use of the word ‘identified’ that is significant: many more attacks could have occurred, but not yet been discovered.

Indeed, global figures reveal that the median dwell time – the time a criminal can be on a company’s network undetected – is over 100 days. And in many cases, the breach is not revealed by the security team itself; it is a call from a supplier, a customer or business partner that brings the problem to light, typically following the receipt of a diversion fraud email requesting, for example, that future payments should be sent to a different bank account.

These breaches not only have the ability to undermine business relationships, but in some cases, can also incur significant financial liability. These frauds usually follow one of two forms: either impersonation, where a criminal masquerades as the business using a very similar domain name and email address, or following a successful compromise, the email comes from the company’s own system. It is the latter case that raises the issue of liability for any financial losses a business partner may have suffered.

Asking the tough questions
Alongside phishing attacks, this approach to cyber attacks completely bypasses the traditional cyber security methods, such as anti-virus (AV) software and firewalls, upon which so many companies still rely. Indeed, while 80% of businesses cite phishing attacks as the cause of breach, 28% confirm the cause was the impersonation of an organisation in emails or online. Only 27% cite viruses, spyware or malware, including ransomware attacks, as the root cause of the breach.

Many companies still depend on perimeter security, and for those that do, it is time to ask some serious questions. Firstly, can you be 100% confident that your business has not been compromised? How would you know if the attacker has not used malware or a virus that would be picked up by the perimeter defences? Secondly, even when a compromise is identified, many companies aren’t sure what the next steps should be. If a supplier makes the call to reveal the business has been compromised, can you confidently identify where that occurred? What part of the business has been affected? What is the primary goal of the attack? Is the attacker only leveraging a compromised email system to defraud customers, or aiming to gain intellectual property or personal data?

The GDPR has demonstrated that the risk associated with a cyber attack is not only financial, as hackers are also actively seeking to access personal information. Security plans, therefore, must also consider data confidentiality, integrity and availability. But it is also essential for organisations to accept that protection is not a viable option given today’s threat landscape: a fundamental shift in security thinking is required. When hackers are using the same tactics and tools as genuine users, preventing these attacks is impossible. Rapid detection and remediation must be the priority.

Removing the burden
Managed Detection and Response (MDR) enables an organisation to spot the unusual activity that indicates a potential breach. For example, if a user is accessing files they would never usually open or view, sending unexpected emails or reaching out to a new domain, such activity should prompt a review. The problem for most companies, however, is they lack not only the tools to detect this activity but also the time and skills to analyse whether it is a breach or actually a false positive.

A managed approach not only takes the burden away from the business, but also enables every company to benefit from the pool of knowledge gathered by detecting and remediating attacks on businesses across the board. With MDR, every incident detected is investigated and, if it’s a breach, managed. That means shutting down the attack’s communication channel to prevent the adversary communicating with the compromised host, and identifying any compromised assets – this can then either be remediated in-house, if preferred, or as part of the MDR service.

Information relating to the mode of attack is also collected. This timely, actionable intelligence is immediately applied to the MDR service, creating either a prevention or detection technique to minimise the chance of this approach succeeding again. Because of this, the speed with which attacks can now be detected is compelling: whilst the average dwell time has continued to decrease in recent years, it is now entirely possible for unknown malware to be detected and nullified within the hour.

Reflect and act
The threat landscape is continuously evolving – it’s important for organisations to recognise this and match security strategies to the true level of risk. What’s more, whilst the increased commitment to security at a Board level is encouraged, organisations cannot equate expenditure with effectiveness.

Organisations must reflect and consider not only the consequences of data loss, but of integrity and availability too. Security strategies can no longer rely on users not making mistakes; when a breach occurs, an organisation must know what happened.

Security strategies cannot afford to stand still. With the rise in phishing and diversion fraud, it is not enough for organisations to simply lock down the perimeter. Companies cannot prevent all attacks, but when a compromise occurs, it is essential to understand how, when and why the attack succeeded so the appropriate response can be determined, and learnings can be applied for the future. It is only with this process in place that organisations can safeguard their business, data and reputation.

Thursday, 20 June 2019

Blocking DDoS Attacks Using Automation

Guest article by Adrian Taylor, Regional Vice President at A10 Networks

DDoS attacks can be catastrophic, but the right knowledge and tactics can drastically improve your chances of successfully mitigating attacks. In this article, we’ll explore the five ways, listed below, that automation can significantly improve response times during a DDoS attack while assessing the means to block such attacks.

Response time is critical for every enterprise because, in our hyper-connected world, DDoS attacks cause downtime, and downtime means money lost. The longer your systems are down, the more your profits will sink.

Let’s take a closer look at all the ways that automation can put time on your side during a DDoS attack. But first, let’s clarify just how much time an automated defence system can save.

Automated vs. Manual Response Time
Sure, automated DDoS defence is faster than manual DDoS defence, but by how much?

Founder and CEO of NimbusDDoS Andy Shoemaker recently conducted a study to find out. The results spoke volumes: automated DDoS defence improves attack response time five-fold.

The average response time using automated defence was just six minutes, compared to 35 minutes using manual processes, a staggering 29-minute difference. In some cases, the automated defence was even able to eliminate response time completely.

An automated defence system cuts down on response time in five major ways. Such systems can:

  • Instantly detect incoming attacks: Using the data it has collected during peace time, an automated DDoS defence system can instantly identify suspicious traffic that could easily be missed by human observers.
  • Redirect traffic accordingly: In a reactive deployment, once an attack has been detected, an automated DDoS defence system can redirect the malicious traffic to a shared mitigation scrubbing center – no more manual BGP routing announcements of suspicious traffic.
  • Apply escalation mitigation strategies: During the attack’s onslaught of traffic, an automated DDoS defence system will take action based on your defined policies in an adaptive fashion while minimising collateral damage to legitimate traffic.
  • Identify patterns within attack traffic: By carefully inspecting vast amounts of attack traffic in a short period of time, an automated DDoS defence system can extract patterns in real-time to block zero-day botnet attacks.
  • Apply current DDoS threat intelligence: An automated DDoS defence system can access real-time, research-driven IP blocklists and DDoS weapon databases and apply that intelligence to all network traffic destined for the protected zone.
An intelligent automated DDoS defence system doesn’t stop working after an attack, either. Once the attack has been successfully mitigated, it will generate detailed reports you and your stakeholders can use for forensic analysis and for communicating with other stakeholders.

Although DDoS attackers will never stop innovating and adapting, neither will automated and intelligent DDoS protection systems.

By using an automated system to rapidly identify and mitigate threats with the help of up-to-date threat intelligence, enterprises can defend themselves from DDoS attacks as quickly as bad actors can launch them.

Three key strategies to block DDoS attacks
While it’s crucial to have an automated system in place that can quickly respond to attacks, it’s equally important to implement strategies that help achieve your goal of ensuring service availability to legitimate users.

After all, DDoS attacks are asynchronous in nature: You can’t prevent the attacker from launching an attack, but with three critical strategies in place, you can be resilient to the attack, while protecting your users.

Each of the three methods listed below is known as a source-based DDoS mitigation strategy. Source-based strategies implement cause as a basis for choosing what traffic to block. The alternative of destination-based mitigation relies on traffic shaping to prevent the system from falling over.

While destination traffic shaping is effective in preserving system health from being overwhelmed during an attack, it is equally fraught with indiscriminate collateral damage to legitimate users.

Tracking deviation: A tracking deviation strategy works by observing traffic on an ongoing basis to learn what qualifies as normal and what represents a threat.
  • Specifically, a defence system can analyse data rate or query rate from multiple characteristics (e.g. BPS, PPS, SYN-FIN ratio, session rate, etc.) to determine which traffic is legitimate and which is malicious or may identify bots or spoofed traffic by their inability to answer challenge questions.
Pattern recognition: A pattern recognition strategy uses machine learning to parse unusual patterns of behaviour commonly exhibited by DDoS botnets and reflected amplification attacks in real time.
  • For example, DDoS attacks are initiated by a motivated attacker that leverages an orchestration platform providing the distributed weapons with instructions on how to flood the victim with unwanted traffic. The common command and control (C&C) and distributed attack exhibit patterns that can be leveraged as a causal blocking strategy.
Reputation: To utilise reputation as a source-based blocking strategy, a DDoS defence system will use threat intelligence provided by researchers of DDoS botnet IP addresses, in addition to tens of millions of exposed servers used in reflected amplification attacks.
  • The system will then use that intelligence to block any matching IP addresses during an attack.
Any of these three source-based DDoS mitigation strategies requires more computing capabilities than indiscriminate destination protection.

They do, however, have the significant advantage of being able to prevent legitimate users from being blocked, thereby reducing downtime and preventing unnecessarily lost profits.

Knowing that, it’s safe to say that these three mitigation strategies are all well worth the investment.

Adrian Taylor, Regional Vice President at A10 Networks

Friday, 7 June 2019

UK Security BSides, Mark Your Calendar & Don't Miss Out

BSides conferences are fantastic events for budding cyber and information security novices through to seasoned security professionals to learn, discuss the latest security challenges, network with peers and to make new contacts from across the UK cyber security scene. 
Some BSides conferences are run in tandem with nearby popular mainstream security conferences, but unlike most mainstream security conferences, BSides agendas are more participation driven and are more collaborative focused. Any group of security passionate individuals can organise a BSides event at a city not already covered, under the official Security BSides direction. In recent years, following on from the multi-year success of BSides London, there has been a steady stream of new BSides conferences popping up at the various regions throughout the UK.

Mark Your Calendar & Don't Miss Out
UK BSides events are incredibly popular, they tend to be ticket only events, with tickets often selling out weeks and sometimes months prior to the event. Below lists the current UK Security BSides scene (as of 7th June 2019), so mark your calendar and avoid missing out on these excellent and highly rewarding events.

BSides London
Website:
 https://www.securitybsides.org.uk/
Twitter: @BSidesLondon
Last Event: 5th June 2019
Next Event: TBC (expected June 2020)

Notes: Annually held in since April 2011

BSidesMCR (Manchester)
Website: https://www.bsidesmcr.org.uk/
Twitter: @BSidesMCR
Last Event: 16th Augst 2018
Next Event: 29th August 2019 (tickets on sale soon)
Notes: Annually held in August since 2014

BSides Liverpool
Twitter: @bsideslivrpool
Next Event: Saturday 29th June 2019 (Sold Out)
Past Event: Inaugural event June 2019

BSides Bristol
Twitter: @bsidesbristol
Next Event: 20th June 2019 (Sold Out)
Past Event: Inaugural event June 2019

BSides Cymru (Wales)
Twitter: @BSidesCymru
Next Event: In Cardiff on 28th September 2019
Past Event: Inaugural event September 2019

BSides Scotland
Twitter: @BSidesScot
Next Event: Expected April 2020
Past Event: at Edinburgh on 23rd April 2019
Notes: Annually held since 2017

BSides Belfast
Twitter: @bsidesbelfast
Next Event: TBC
Past Event: 27th September 2018

BSides Leeds
Twitter: @bsidesleeds
Next Event: TBC
Past Event: 25th January 2019 

Sunday, 2 June 2019

Cyber Security Roundup for May 2019

May 2019 was the busiest month of the year for critical security vulnerabilities and patch announcements. The standout was a Microsoft critical security update for Windows, rated with a CVSS score of 9.8 of 10. This vulnerability fixes CVE-2019-0708 aka 'BlueKeep', which if exploited could allow the rapid propagation of malware (i.e. worm) across networked devices, similar to the devastating WannaCry ransomware attacks of 2017.  Such is the concern at Microsoft, they have released BlueKeep patches for their unsupported versions of Windows (i.e. XP, Visa, Server 2003), a very rare occurrence. Researchers at Errata Security said they have found almost one million internet-connected systems which are vulnerable to the BlueKeep bug.

A zero-day Microsoft vulnerability was also reported by an individual called 'SandboxEscaper', which I expect Microsoft will patch as part of their monthly patch cycle in June.  And a past Microsoft vulnerability, CVE-2019-0604, which has a security update available, has been reported as being actively exploited by hackers.

There were also critical security vulnerabilities and patch releases for Adobe, Drupal, Cisco devices, WhatsApp and Intel processorsThe WhatsApp vulnerability (CVE-2019-3568) grabbed the mains stream news headlines. Impacting both iPhone and Android versions of the encrypted mobile messaging app, an Israeli firm called NSO, coded and sold a toolkit which exploited the vulnerability to various government agencies. The NSO toolkit, called Pegasus, granted access a smartphone's call logs, text messages, and could covertly enable and record the camera and microphone. New and fixed versions of WhatsApp are available on AppStore, so update.

Political and UK media controversy surrounding the Huawei security risk went into overdrive in May after Google announced it would be placing restrictions on Chineses telecoms giant accessing its Android operating system. For the further details see my separate post about The UK Government Huawei Dilemma and the Brexit Factor and Huawei section towards the end of this post.

May was a 'fairly quiet' month for data breach disclosures. There were no media reports about UK pub chain 'Greene King', after they emailed customers of their gift card website, to tell them their website had been hacked and that their personal data had been compromised. I covered this breach in a blog post after being contacted by concerned Greene King voucher customers. It seems that TalkTalk did not inform at least 4,500 customers that their personal information was stolen as part of the 2015 TalkTalk data breachBBC consumer show Watchdog investigated and found the personal details of approximately 4,500 customers available online after a Google search. The Equifax data breach recovery has surpassed $1 billion in costs after it lost 148 million customer records in a 2017 security breach.

The UK army is to get a new UK Based Cyber Operations Centre, to help the army conduct offensive cyber operations against 'enemies', following a £22 million investment by the defence secretary Penny Mordaunt. She said "it is time to pay more than lip service to cyber. We know all about the dangers. Whether the attacks come from Russia, China or North Korea. Whether they come from hacktivists, criminals or extremists. Whether its malware or fake news. Cyber can bring down our national infrastructure and undermine our democracy."  The army's cyber operation centre will be up and running next year and should help to plug a 'grey area' between the British security intelligence services and the military.

Action Fraud and the Financial Conduct Authority (FCA) said UK victims lost £27 million to cryptocurrency and foreign exchange investment scams last year, triple the number of the previous year.

The 2019 Verizon Data Breach Investigations Report was released, a key report in understanding what cyber threat actors have been up to and what they are likely to target next. 

BLOG

NEWS
VULNERABILITIES AND SECURITY UPDATES
HUAWEI NEWS AND THREAT INTELLIGENCE
AWARENESS, EDUCATION AND THREAT INTELLIGENCE

Wednesday, 29 May 2019

The Price of Loyalty, almost half of UK Office Workers are willing to sell Company's Information

A new report released by Deep Secure revealed 45% of office workers surveyed would sell their company's corporate information. Just £1,000 would be enough to tempt 25% of employees to give away company information, while 5% would give it away for free.

59% of staff admitted at some point to have taken company information from a corporate network or devices, which matches up to known industry trends. 

Common Staff Data Exfiltration Tactics
  • Digital; email, uploading to cloud services and copying to external storage (11%)
  • Using steganography or encryption tools to hide exfiltration (8%)
  • Printing information (11%)
  • Handwriting copying information (9%)
  • Photographing information (8%)
Type of Information Taken
  • Personal Work (19%)
  • Customer Information i.e. contact details, confidential market information, sales pipeline  (11%)
  • Company Assets i.e. passwords to subscription services, company benefits (7%)
The Motivation for staff taking Information?
  • Value for their future career success in their next role (12%)
  • To keep a record of their work (12%)
  • Benefit their career (10%)
  • Financial, specifically paid to do so by an outside third party (8.5%)
The Insider Threat and DLP
Often businesses have their heads in the sand when comes to managing their insider threat, although some do turn to sophisticated IT Data Loss Prevention (DLP) solutions as a silver bullet for managing this risk. However, DLP solutions would be infective against the final four bulleted 'Staff Data Exfiltration' methods listed above.  Particularly the use of cyber tools to steal company information digitally has been democratised by the availability of toolkits on the dark web. For example, steganography toolkits, which enable cybercriminals to encode information into an image or text, can be downloaded for free and guarantee an undetectable route for getting information out of the company network.

Deep Secure CEO Dan Turner concluded “The cost of employee loyalty is staggeringly low. With nearly half of all office workers admitting that they would sell their company and clients’ most sensitive and valuable information, the business risk is not only undisputable but immense in the age of GDPR and where customers no longer tolerate data breaches. And it appears to be growing, with the 2018 Verizon DBIR showing that insiders were complicit in 28% of breaches in 2017, up from 25% in 2016. Given the prevalent use of digital and cyber tactics to exfiltrate this information, it’s critical that businesses invest in a security posture that will help them both detect and prevent company information from leaving the network,” he continued. 

The Cost of Staff Data Thefts
The theft of corporate information can hurt business competitiveness and future profit margins, and there are significant financial losses which could be incurred should staff take personal data on mass. UK supermarket giant Morrisons lost a landmark data breach court case in December 2017 took a financial hit after a disgruntled Morrisons' employee had stolen and posted the personal records of 100,000 co-workers online, the supermarket chain was held liable for the data breach by the UK High Court. With the GDPR coming into force just over a year ago, the Information Commissioner's Office is now empowered to fine British businesses millions of pounds for mass personal data losses. The Morrisons court case demonstrates UK companies will be brought to book for staff malicious data thefts.

Tuesday, 28 May 2019

UK Pub Chain 'Greene King' Gift Card Website Hacked

Major UK pub chain, Greene King (Bury St. Edmunds), had its gift card website (https://www.gkgiftcards.co.uk) compromised by hackers. The personal data breach was discovered on 14th May 2019 and confirmed a day later. The pub, restaurant and hotel chain informed their impacted customers by email today (28th May 2019).


Greene King said the hackers were able to access:
  • name
  • email address
  • user ID
  • encrypted password
  • address
  • post code
The pub chain did not disclose any further details on how passwords were "encrypted", only to say within their customer disclosure email "
Whilst your password was encrypted, it may still be compromised". It is a long established good industry coding practice for a website application's password storage to use a one-way 'salted' hash function, as opposed to storing customer plaintext passwords in an encrypted form.

No details were provided on how the hackers were able to compromise the gift card website, but there is a clue within Greene King's email statement, which suggests their website had security vulnerabilities which were fixable, "
we have taken action to prevent any further loss of personal information"

The number of customer records impacted by this data breach has also not disclosed. However, as this was a breach of personal information, Greene King was obligated under the DPA\GDPR to report the breach to the Information Commissioner's Office (ICO) as well as its impacted customers. Both Greene King and ICO are yet to release a press statement about this data breach.

This is not the first data breach reported by Greene King in recent times, in November 2016 2,000 staff bank details were accidentally leaked.

Greene King Personal Data Compromise Email to Customers
Dear Customer,
I am writing to inform you about a cyber-security breach affecting our website gkgiftcards.co.uk.

Suspicious activity was discovered on 14th May and a security breach was confirmed on 15th May. No bank details or payment information were accessed. However, the information you provided to us as part of your gift card registration was accessed. Specifically, the hackers were able to access your name, email address, user ID, encrypted password, address, post code and gift card order number. Whilst your password was encrypted, it may still be compromised. It is very important that you change your password on our website, and also any other websites where this password has been used.

When you next visit our website, using the following link (https://www.gkgiftcards.co.uk/user) you will be prompted to change your password. As a consequence of this incident, you may receive emails or telephone calls from people who have obtained your personal information illegally and who are attempting to obtain more personal information from you, especially financial information.

This type of fraud is known as 'phishing'. If you receive any suspicious emails, don't reply. Get in touch with the organisation claiming to have contacted you immediately, to check this claim. Do not reply to or click any links within a suspicious email and do not dial a suspicious telephone number given to you by someone who called you. Only use publicly listed contact details, such as those published on an organisation's website or in a public telephone directory, to contact the organisation to check this claim. At this stage of our investigation, we have no evidence to suggest anyone affected by this incident has been a victim of fraud but we are continuing to monitor the situation. We have reported the matter to the Information Commissioner's Office (ICO).

As soon as we were made aware of the incident, our immediate priority was to close down any exposure, which has been done, and then confirm which customer accounts have been affected. I recognise that this is not the sort of message you want to receive from an organisation which you have provided your personal information to. I want to apologise for what has happened, and reassure you that we have taken action to prevent any further loss of personal information, and to limit any harm which might otherwise occur as a result of this incident.

Phil Thomas
Chief Commercial Officer of Greene King Plc.

Advice
  • Change your Greene King account password immediately, use a unique and strong password.
  • Ensure you have not used the same Greene King credentials (i.e. your email address with the same password) on any other website or app, especially with your email account, and with banking websites and apps. Consider using a password manager to assist you in creating and using unique strong passwords with every website and application you use.
  • Always use Multi-factor Authentication (MFA) when offered. MFA provides an additional level of account protection, which protects your account from unauthorised access should your password become compromised.
  • Check https://haveibeenpwned.com/ to see if your email and password combination is known to have been compromised in a past data breach.
  • Stay alert for customised messages from scammers, who may use your stolen personal information to attempt to con you, by email (phishing), letter and phone (voice & text). Sometimes criminals will pretend to represent the company breached, or another reputable organisation, using your stolen personal account information to convince you they are legit.
  • Never click on links, open attachments or reply to any suspicious emails.  Remember criminals can fake (spoof) their 'sender' email address and email content to replicate a ligament email.