Wednesday, 28 February 2018
Thursday, 8 February 2018
Company preparations for GDPR compliance are (or should be!) in full swing, with the 25th May enforcement date fast looming on the horizon. With that in mind, I found the following set of recent GDPR articles a decent and interesting read. The list was compiled by Brian Pennington of Coalfire, who has kindly allowed me to repost it.
- ISACA has pulled together a list of some of the main tips that can help any enterprise to tackle GDPR
If you are after further GDPR swotting up, you could always read the actual regulation, the EU General Data Protection Regulation (EU-GDPR), and don't forget to read all the Recitals.
If you have any other GDPR-related articles or blogs of note, please post them in the comments.
Thursday, 1 February 2018
2018 started with a big security alert bang after Google security researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre', these vulnerabilities, when exploited by a hacker or malware, disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors; kudos to them.
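For anyone checking whether the hastily released patches actually landed on their Linux hosts, the patched kernels expose one file per issue under /sys/devices/system/cpu/vulnerabilities/ (meltdown, spectre_v1, spectre_v2), each holding a single line such as "Not affected", "Vulnerable" or "Mitigation: PTI". The script below, an added example rather than anything from the original post, classifies those lines and lists the issues still needing attention; the SAMPLE readings are constructed to show a partially patched host, and the live read falls back to them on kernels that predate the interface.

```python
"""Summarise Meltdown/Spectre mitigation status as exposed by the Linux kernel.

Each file under SYSFS_DIR holds one line: "Not affected", "Vulnerable[: detail]"
or "Mitigation: <detail>". Added example, not code from the original post; the
SAMPLE dictionary below is constructed, not captured from a real host.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(line):
    """Map a raw sysfs line to one of four states."""
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation:"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"  # unrecognised wording: treat as needing a human look


def summarise(readings):
    """{issue_name: raw line} -> {issue_name: (state, stripped raw line)}"""
    return {name: (classify(raw), raw.strip()) for name, raw in readings.items()}


def unmitigated(readings):
    """Sorted list of issues whose state is 'vulnerable' or 'unknown'."""
    return sorted(name for name, (state, _) in summarise(readings).items()
                  if state in ("vulnerable", "unknown"))


def read_sysfs(directory=SYSFS_DIR):
    """Read live values; returns {} when the directory is absent (old kernel)."""
    if not os.path.isdir(directory):
        return {}
    readings = {}
    for name in os.listdir(directory):
        try:
            with open(os.path.join(directory, name)) as fh:
                readings[name] = fh.readline()
        except OSError:
            continue  # unreadable entry: skip rather than abort the audit
    return readings


# Constructed sample: meltdown and spectre_v1 mitigated, spectre_v2 only partly.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Mitigation: __user pointer sanitization\n",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline\n",
}

if __name__ == "__main__":
    live = read_sysfs() or SAMPLE
    for issue, (state, raw) in sorted(summarise(live).items()):
        print(f"{issue:12s} {state:12s} {raw}")
    print("needs attention:", unmitigated(live) or "none")
```

A "Mitigation:" line only says the kernel side is in place; a microcode update from the processor vendor may still be outstanding, which is exactly the lag the paragraph above complains about.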
The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for security inadequacies and fined the company £400K following its 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack"; where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number of Carphone Warehouse security failures, which included the use of software that was six years out of date; a lack of "rigorous controls" over who had login details to systems; no antivirus protection running on the servers holding data; the same root password being used on every individual server, which was known to "some 30-40 members of staff"; and the needless storage of full credit card details. Carphone Warehouse should thank its lucky stars the breach didn't occur after the General Data Protection Regulation comes into force: with such a damning list of security failures, the company may well have been fined considerably more by the ICO, which is granted vastly greater financial sanctions and powers when the GDPR kicks in in May.
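The "same root password on every server" finding is one of the easier ones to audit for, because servers cloned from one image or provisioned from one template carry the identical salted hash in /etc/shadow. The script below, an added example and not code from the original post or from the ICO report, groups the root hash collected from each host and reports any hash shared by more than one of them; the FLEET data is constructed and the hash strings are dummies, not real password hashes.

```python
"""Flag hosts whose root account shares an identical /etc/shadow password hash.

Added example, not code from the original post. FLEET is a constructed set of
shadow-file contents; the hash fields are dummy strings, not real hashes.
"""
from collections import defaultdict


def root_hash(shadow_text):
    """Return the hash field of the root entry in shadow-file text, or None."""
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[0] == "root":
            return fields[1]
    return None


def shared_root_hashes(fleet):
    """fleet: {hostname: shadow text} -> {hash: sorted hostnames} for every hash
    present on more than one host. Locked or empty root entries ('*', '!', '')
    are ignored because they carry no password that could be reused."""
    by_hash = defaultdict(list)
    for host, shadow_text in fleet.items():
        h = root_hash(shadow_text)
        if h and not h.startswith(("*", "!")):
            by_hash[h].append(host)
    return {h: sorted(hosts) for h, hosts in by_hash.items() if len(hosts) > 1}


# Constructed fleet: three web servers cloned from one image, a database server
# built separately, and a bastion whose root account is locked.
FLEET = {
    "web01": "root:$6$CONSTRUCTEDSALT$DUMMYHASHAAAA:17500:0:99999:7:::\n"
             "bin:*:17500:0:99999:7:::\n",
    "web02": "root:$6$CONSTRUCTEDSALT$DUMMYHASHAAAA:17500:0:99999:7:::\n",
    "web03": "root:$6$CONSTRUCTEDSALT$DUMMYHASHAAAA:17500:0:99999:7:::\n",
    "db01": "root:$6$OTHERSALT$DUMMYHASHBBBB:17560:0:99999:7:::\n",
    "bastion": "root:!:17560:0:99999:7:::\n",
}

if __name__ == "__main__":
    findings = shared_root_hashes(FLEET)
    for h, hosts in findings.items():
        print(f"identical root hash on {len(hosts)} hosts: {', '.join(hosts)}")
    if not findings:
        print("no shared root password hashes found")
```

The check compares hashes, never plaintext, so the inventory can be gathered by whatever configuration management already reads /etc/shadow with root privilege. Its limit is worth knowing: the same password set separately on two hosts gets two different salts and two different hashes, so this catches cloned images and shared templates, not every instance of reuse.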
The National Cyber Security Centre warned that the UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when" not "if". There are also claims that the cyberattacks against Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattack capabilities.
At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.
It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet; the hacker then moved the currency into a different wallet platform.
In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.
It was reported that a POS malware infection at Forever 21 and lapses in encryption were responsible for the theft of debit and credit card details from Forever 21 stores late last year. Payment card data continues to be a high-value target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.
Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated that non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed during the course of the year; no surprise there.
The Malwarebytes 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allow them to identify ideal attack points from which to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and that companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.
- Meltdown & Spectre: Critical Intel, AMD and ARM Processor Vulnerabilities
- ICO imposes £400,000 fine on Carphone Warehouse following 2015 Data Breach
- Forever 21 Blames Malware & Lapses in Encryption, for Payment Card Compromise
- Major UK Infrastructure Cyberattack is 'When, not If', says the National Cyber Security Centre
- Hackers steal $400,000 (£290,000) BlackWallet Crypto-Currency after DNS Hack
- NotPetya Attack Totally Destroyed Maersk's Computer Network
- US FTC fines VTech Toy Firm over Data Breach
- Sensitive Medical Records on AWS (Cloud) Bucket found to be Publicly Accessible
- Meltdown & Spectre Vulnerability & Patching Details
- Microsoft releases 16 Security Updates for IE/Edge, .NET, SQL, Office, & Windows
- Apple releases updates for Safari, iOS, watchOS and macOS
- Adobe releases fix for Flash Player
- Cisco warns of a Critical Vulnerability in its SSL VPN solution
- Cisco Security Updates nix high-impact DoS and Privilege Escalation Bugs
AWARENESS, EDUCATION AND THREAT INTELLIGENCE
- CrossRAT: Advanced APT Undetectable Malware Globally Targeting all OS Platforms
- Necurs Botnet launches Massive 47 million emails per day Campaign
- CryptoMix Ransomware variant carries new ‘.tastylock’ Extension
- Satori Creator linked with new Mirai variant Masuta
- Cyber Breach Trends Report: 2017 Cyber-incidents Doubled, 93% preventable
- Carbon Black 2017 Threat Report
- Netscout Annual Worldwide Infrastructure Security Report: DDoS Complexity Rising
- Malwarebytes 2017 State of Malware Report: Spyware increasing
- Cisco 2018 Privacy Maturity Benchmark Study