UK Youngsters seeking to Win the European Cyber Security Challenge

This October, ten of the UK’s sharpest young cybersecurity minds will head to Bucharest in Romania to compete against teams from 20 countries across Europe in this year’s European Cyber Security Challenge (ECSC). Managed by Cyber Security Challenge UK and led by Team Captain Sophia McCall, the team has spent the summer training with NCC Group and honing their skills using Immersive Labs. Now, they’re ready to bring home gold.

Sophia Mcall, UK Team Captain

Established in 2009, 'Cyber Security Challenge UK' is a non-profit organisation backed by some of the UK’s leading public, private and academic bodies with a longstanding mission to encourage more cybersecurity talent into the pipeline. 

Cyber Security Challenge UK selects, nurtures and mentors young talent to build the UK team, and strives to include individuals with diverse backgrounds and experiences. The team, from across the UK, has a strong mix of different cyber skills and brings a broad range of experiences to the competition. 

Cyber Security Challenge UK - helping to encourage new talent

In a sector facing an acute shortage of fresh talent, competitions like the ECSC are crucial as they allow competitors to meet industry leaders, network with peers from across the continent and get a taste for working in cybersecurity. By taking part, the team set themselves apart as outstanding individuals, equipped with the skills they need to pursue a career in the industry.

Run by ENISA, the European agency responsible for cybersecurity for the European Union, the ECSC is a three-day competition that challenges competitors to complete a series of security-related tasks from domains such as web and mobile security, reverse engineering and forensics. This year, the competition will be held in Bucharest, Romania from 9th to 11th October 2019.

Team Captain Sophia McCall: “I have the Cyber Security Challenge and my lecturers in college to thank for the fact I’m pursuing a cybersecurity degree. I had no exposure to cybersecurity when I was younger, so without them I may never have ended up in the industry. It’s now my passion to get other young girls and people from all backgrounds involved, and competitions like the ECSC are an incredible way to explore opportunities in the industry and find out if it’s the right career for you.”

Dr Robert Nowill, Chairman, Cyber Security Challenge UK: “Our mission is to be as inclusive as we can in order to increase the number of people entering the cybersecurity industry, and competitions like the ECSC are an integral part of our efforts to broaden the reach of cyber. We have always looked to encourage participation by those who may not otherwise have considered career pathways into cyber, and this year’s team represents an incredible mix of ages, genders and backgrounds. We’re already extremely proud of the team! They’ve been training hard all summer, and we can’t wait to see how they fare in Bucharest.”

Colin Gillingham, Director of Professional Services at NCC Group: “Our long-standing training partnership with the Cyber Security Challenge is part of our mission to increase diversity in cybersecurity. Our aim is to make society safer and more secure, but this will only be achieved when the industry is as diverse and representative as the society that we are working to protect. This year’s Team Captain, Sophia McCall, has just completed a placement year at NCC Group, and we’re delighted to have supported her as she blazes a trail for the female cyber professionals of the future.”

James Hadley, Founder and CEO at Immersive Labs said: “We believe strongly that challenge-based training exercises are by far the best way for cybersecurity experts to keep themselves ahead of the latest threats. We’re delighted to be supporting the UK team with access to our on-demand and gamified cyber skills content. Their points haul from our CTFs and Malware Analysis labs have been particularly impressive. We wish the team every success not just as they head to Bucharest but in their bright futures as professional cyber defenders.”

Cyber Security Roundup for September 2019

Anyone over the age of 40 in the UK will remember patiently browsing for holidays bargains on their TV via Teletext. While the TV version of Teletext Holidays died out years ago due to the creation of the world-wide-web, Teletext Holidays, a trading name of Truly Travel, continued as an online and telephone travel agent business. Verdict Media discovered an unsecured Amazon Web Services Service (Cloud Server) used by Teletext Holidays and was able to access 212,000 call centre audio recordings with their UK customers. The audio recordings were taken between 10th April and 10th August 2016 and were found in a data repository called 'speechanalytics'. Businesses neglecting to properly secure their cloud services is an evermore common culprit behind mass data breaches of late. Utilising cloud-based IT systems does not absolve businesses of their IT security responsibilities at their cloud service provider. 

Booking Holidays on Ceefax in the 1980s

Within the Teletext Holidays call recordings, customers can be heard arranging holiday bookings, providing call-centre agents partial payment card details, their full names and dates of birth of accompanying passengers. In some call recordings, Verdict Media advised customers private conversations were recorded while they were put on hold. Teletext Holidays said they have reported the data breach to the ICO.

Separately, another poorly secured cloud server was discovered with thousands of CVs originating from the Monster.com job-hunting website.  Monster.com reported the compromise of CVs was between 2014 and 2017 and was due to a 'third-party' it no longer worked with.

Wikipedia was the subject to a major DDoS attack, which impacted the availability of the online encyclopaedia website in the UK and parts of Europe. While the culprit(s) behind the DDoS attack remains unknown, Wikipedia was quick to condemn it, it said was not just about taking Wikipedia offline, "Takedown attacks threaten everyone’s fundamental rights to freely access and share information. We in the Wikimedia movement and Foundation are committed to protecting these rights for everyone."

CEO Fraud

The BBC News website published an article highlighting the all too common issue of CEO Fraud, namely company email spoofing and fraud which is costing business billions.  

Criminals are increasingly targeting UK business executives and finance staff with ‘CEO Fraud’, commonly referred to as ‘whaling’ or Business Email Compromise (BEC) by cybersecurity professionals. CEO fraud involves the impersonation of a senior company executive or a supplier, to social engineer fraudulent payments. CEO fraud phishing emails are difficult for cybersecurity defence technologies to prevent, as such emails are specifically crafted (i.e. spear phishing) for individual recipients, do not contain malware-infected attachments or malicious weblinks for cyber defences to detect and block.

Criminals do their research, gaining a thorough understanding of business executives, clients, suppliers, and even staff role and responsibilities through websites and social media sites such as LinkedIn, Facebook, and Twitter.  Once they determine who they need to target for maximum likelihood of a financial reward return, they customise a social engineering communication to an individual, typically through email, but sometimes through text messages (i.e. smishing), or over the phone, and even by postal letters to support their scam. They often create a tremendous sense of urgency, demanding an immediate action to complete a payment, impersonating someone in the business with high authority, such as the MD or CEO. The criminal’s ultimate goal is to pressurise and rush their targetted staff member into authorising and making a payment transaction to them. Such attacks are relatively simple to arrange, require little effort, and can have high financial rewards for criminals. Such attacks require little technical expertise, as email spoofing tools and instructions are freely available on the open and dark web. And thanks to the internet, fraudsters globally can effortless target UK businesses with CEO fraud scams.

UK Universities are being targetted by Iranian hackers in an attempt to steal secrets, according to the UK National Cyber Security Centre and the UK Foreign Office. The warning came after the US deputy attorney general Rod Rosenstein said: “Iranian nationals allegedly stole more than 31 terabytes of documents and data from more than 140 American universities, 30 American companies, five American government agencies, and also more than 176 universities in 21 foreign countries."

Security Updates

'Patch Tuesday' saw Microsoft release security updates for 78 security vulnerabilities, including 17 which are 'Critical' rated in Windows RDP, Azure DevOps, SharePoint and Chakra Core.  

On 23rd September 2019, Microsoft released an ‘emergency update’ (Out-of-Band) for Internet Explorer (versions 9, 10 & 11), which addresses a serious vulnerability (CVE-2019-1367) discovered by a Google researcher and is said to be known to be actively exploited.  The flaw allows an attacker to execute arbitrary code on a victim's computer through a specially crafted website, enabling an attacker to gain the same user rights as the user and to infect the computer with malware. It is a particularly dangerous exploit if the user has local administrator rights, in such instances an attacker gain full control over a user's computer remotely. This vulnerability is rated as 'Critical' by Microsoft and has a CVSS score of 7.6. Microsoft recommends that customers apply Critical updates immediately.

Ransomware

Research by AT&T Cybersecurity found 58% of IT security professionals would refuse to pay following a ransomware attack, while 31% said they would only pay as a last resort. A further 11% stated paying was, in their opinion, the easiest way to get their data back. While 40% of IT Security Pros Would Outlaw Ransomware Payments. It is clear from the latest threat intelligence reports, that the paying of ransomware ransoms is fuelling further ransomware attacks, including targetted attacks UK businesses.

BLOG

• Growing Cyber Threat Facing the UK Legal Sector
• Cyber Security Roundup for August 2019

NEWS

• Teletext Holidays Data Breach Exposes 212,000 Customer Call Recordings
• Monster.com job applicants info Exposed on Unprotected Server
• FS-ISAC and Europol Partner to Combat Cross-Border Cybercrime
• Millions of YouTube accounts hijacked through phishing and compromised 2FA
• Twitter CEO’s account was hacked via a SIM-swapping scheme
• 419 million Facebook Users Personal Information exposed, phone numbers and unique IDs
• Wikipedia took offline in Europe by a DDoS Attack
• DoorDash Breach Exposes Data of 4.9 Million Customers

VULNERABILITIES AND SECURITY UPDATES

• Microsoft Patches 78 Vulnerabilities, including 17 Critical for Windows RDP, Azure DevOps, SharePoint & ChakraCore
• Internet Explorer Emergency Patch for CVE-2019-1367
• Mozilla released Updates for Firefox 69
• Samba developers issued an update for CVE-2019-10197
• PHP Update Fixes Arbitrary Code Execution Flaw
• Apple Updates Software, Fixes Flaw affecting Third-Party Keyboard Apps
• Chrome Security issues Addressed with Stable Channel update
• Adobe Patches Two Critical Issues with Cold Fusion
• Cisco addresses Multiple Bugs in Network Operating Systems
• Cisco issued Advisories for Vulnerabilities in 7 products, including WebEx Teams

HUAWEI NEWS AND THREAT INTELLIGENCE

• Huawei accuses the U.S. of cyberattacks, pressing employees to spy

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• Spoofing Emails: The Trickery Costing Businesses Billions
• Ryuk-like Malware targeting Law, Military and Finance Groups
• Magecart Skimming Attack Targets Mobile Users of Hotel Chain Booking Websites
• Notorious GandCrab Hacker Group 'returns from retirement’
• UK Universities targeted by Iranian Hackers, NCSC and Foreign Office says
• China’s APT3 Pilfers Cyberweapons from the NSA
• AT&T Cybersecurity Survey:: 40% of IT Security Pros Would Outlaw Ransomware Payments
• Enterprise Ransomware Report: Shines spotlight on Poor Patch Management
• Metasploit Project publishes exploit for Bluekeep bug

Growing Cyber Threat Facing the UK Legal Sector

Guest Article by Andy Pearch, Head of IA Services at CORVID

Andy Pearch outlines one of the biggest cyber threats facing the legal sector, and steps that can be taken to save law firms from the devastating consequences.

Cyber crime is a growing concern for all businesses across every industry, and even more so for those who operate in vulnerable sectors, such as law firms. A threat report from the NCSC highlighted that 60% of law firms reported an information security incident in 2018, an increase of 20% from 2017.

Law firms, as with all modern day working practices, are heavily reliant on technology – the sheer amount of expected connectivity makes everyone vulnerable. Research enforces the scale of the problem: in 2017, 60% of law firms reported an incident, but that’s only those who identified an issue. There has also been a significant 42% increase in reported incidents in the last five years. This could mean that either businesses are more aware so are reporting cases, or cyber crime is on the rise. It's most likely a combination of both.

Facing Vulnerabilities
The legal sector is particularly vulnerable to cyber attacks due to the volume of data, sensitive information, financial responsibility and authority it holds. If a law firm specialises in corporate or property law, they are at greater risk, as the potential for financial gain is unprecedented. Although the main reason law firms are targeted is for financial gain, there is also a growth in cyber adversaries seeking political, economic or ideological goals.

Law firms are perceived to be an easy target – particularly smaller firms, as they don’t have the same resources as larger practices, but still hold significant funds. Also, they most likely have a small team managing their entire business infrastructure, with limited IT security resources available. It is often misconstrued that cyber security is the sole responsibility of the IT department, but the reality is that every department is accountable. Cyber security is part of the bigger information risk management picture, and requires emphasis from business leaders.

Not only do law firms and their clients have to consider the financial impact of a cyber attack, but reputational damage for their practice can be irreversible. Therefore, to ensure law firms are protected, they need to be aware of the consequences of a phishing attack.

Acknowledging Threats
Email is the main route in for cyber criminals. Phishing attacks can take the form of impersonation, intercepted emails and/or malicious attachments. The aim of threat actors responsible for these attacks is to coerce users into making a mistake, such as disclosing sensitive information, providing users’ credentials or downloading malware.

Unfortunately, not a single law firm – or any organisation, for that matter – is exempt from being the next victim of a cyber attack. Law firms need to take action and be prepared. When it comes to mitigating email compromise, law firms cannot expect employees to bear the burden of identifying threats, but instead must utilise the technology available to spot incoming threats as they arise.

The use of multiple detection engines and threat intelligence sources transforms email security and threat protection. Real-time fraud detection and content checking automatically highlight phishing and social engineering techniques, removing the burden from users and bringing a level of sophistication to current cyber strategies that is needed to keep today’s threats at bay. By automatically flagging potentially concerning emails – such as those attempting to mislead, harvest credentials or spread malicious elements – individuals can make fast, informed and confident decisions regarding their legitimacy.

Without doubt, impersonation attacks, payment diversion fraud and business email compromise attacks are on the rise, but there are robust solutions in place to mitigate the associated risks. There is no need for – and indeed no excuse for – passing the buck to the user community. There is an abundance of resources available to help law firms adopt a proactive cyber security mindset – notably, the threat report from the NCSC raises awareness and highlights specific safeguards that can be put in place.

It is time for the legal sector to take cyber security seriously. Failing to do so will only lead to devastating repercussions in the not-so-distant future. For a sector that is so protective of its reputation, every precaution should be put in place to keep it safe.

Cyber Security Roundup for August 2019

Twitter boss, Jack Doresy, had his Twitter account was hacked at the end of August, with hackers using his account to send a stream of offensive messages to his 4.2 million followers. It appears Jack was using his mobile phone to provide multi-factor authentication access to his Twitter account, a good solid security practice to adopt, however, it appears his Twitter account password and his mobile phone SMS service were both compromised, the latter probably due to either sim card swap fraud social engineering by the hacker, or by an insider at his mobile network service provider.

A database holding over a million fingerprints and personal data was exposed on the net by Suprema, a biometric security company. Researchers at VPNMentor didn't disclose how they were able to find and access the 'Biostar 2' database, nor how long the data was accessible online. Biostar 2 is used by 5,700 organisations, including governments, banks and the UK Metropolitan Police. In a similar fashion, an independent researcher found a 40Gb Honda Motor Company database exposed online.

TfL took their Oyster system offline to 'protect customers' after a credential stuffing attack led to the compromise of 1,200 Oyster customer accounts. A TfL spokesman said 'We will contact those customers who we have identified as being affected and we encourage all customers not to use the same password for multiple sites.' I was also directly made aware that restaurant chain TGI Friday was also hit were a credential stuffing attack(s) after it urgently warned its UK customers on the importance of using strong unique passwords for its reward scheme.

It was another bumper 'Patch Tuesday', with Microsoft releasing security updates for 93 security vulnerabilities, including 31 which are 'critical' rated in Windows, Server 2019, IE, Office, SharePoint and Chakra Core. 

Amongst the Microsoft patch release were patches for two serious 'bluekeep' or 'WannaCry' wormable vulnerabilities in Windows Remote Desktop Services, CVE-2019-1181 and CVE-2019-1182.  A Microsoft Security Response Center (MSRC) blog post said Microsoft had found the vulnerabilities as part of a project to make Remote Desktop Services more secure, and stated 'future malware that exploits these could propagate from vulnerable computer to vulnerable computer without user interaction.” The fixes for these are available for download in the Microsoft Security Update Guide.

A United Nations report concluded North Korea funded its weapons programme to the tune of $2 billion from profits from cyber attacks. 'Democratic People’s Republic of Korea cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for its WMD (weapons of mass destruction) programmes, with total proceeds to date estimated at up to two billion US dollars,' the UN report said. The report referred at least 35 instances of North Korean-sponsored cryptomining activity or attacks on financial companies and cryptocurrency exchanges. The attacks spanned a total of 17 countries and were designed to generate funds the would be hard to trace and elude regulatory oversight.

NEWS

• Cybersecurity Firm Imperva Discloses Breach
• Eurofins Scientific Cyber-attack leads to a backlog of 20,000 UK Forensic Samples
• Serious Cyber Attack could trigger full NATO response, says Jens Stoltenberg 
• TfL takes the Oyster system offline after Customer Accounts accessed
• TGI Fridays frantically warn customers to urgently change app passwords
• French ‘Cybercops' dismantle Pirate Computer Network
• Twitter boss Jack Dorsey’s account hacked sending out a stream of offensive messages
• BioStar 2 Database Leaked One Million Fingerprints and Facial Recognition Data 
• Capital One accused 'breached 30 other organisations’
• A Researcher uses GDPR’s Right of Access to steal others’ personal information
• 700,000 Choice Hotels Customer Records Compromised 
• Honda Motors Company databases leaked 40GB of employee data 
• North Korea took $2 billion in Cyberattacks to fund weapons program according to a U.N. report
• Pearson Data Breach Impacts thousands of University Accounts
• Google finds 'indiscriminate iPhone attack lasting years'

VULNERABILITIES AND SECURITY UPDATES

• Microsoft Patches 93 Vulnerabilities, including 31 Critical for Windows, Server2019, IE, Office, SharePoint & ChakraCore
• BlueKeep-like RCE flaws in RDP among 93 Vulnerabilities Patched by Microsoft 
• Adobe Releases Fixes at least 76 ‘important’ Vulnerabilities in Acrobat and Acrobat Reader
• Intel Rolls Out Security Updates for Seven Products lines, three rated as High
• Critical Patches released for Adobe Photoshop
• Cisco issues multiple product updates, fixes critical flaws in small business switches 

HUAWEI NEWS AND THREAT INTELLIGENCE

• U.S. renews temporary license allowing companies to sell to Huawei, adds 45 to blacklist
• Huawei confident UK will resist 'politically motivated' pressure from US over 5G 

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• MegaCortex variant redesigned a self-executing, incorporates features of the previous version
• Record Future Research: Hacktivism activity and chatter has markedly dropped since 2016
• Exabeam Survey: Red/Blue team exercises show defensive Shortfalls
• Risk-Based Security 2019 MidYear QuickView Data Breach Report: 4 Billion Records Exposed
• Cloud Atlas Threat Group Updates Weaponry with Polymorphic Malware
• New Saefko Trojan focuses on Stealing Credit Card details and Crypto wallets
• LokiBot Malware now hides its source code in Image Files

Cyber Security Roundup for July 2019

July was a month of mega data privacy fines. The UK Information Commissioners Office (ICO) announced it intended to fine British Airways £183 million for last September's data breach, where half a million BA customer personal records were compromised. The ICO also announced a £100 million fine for US-based Marriot Hotels after the Hotel chain said 339 million guest personal data records had been compromised by hackers. Those fines were dwarfed on the other side of the pond, with Facebook agreeing to pay a US Federal Trade Commission (FTC) fine of $5 billion dollars, to put the Cambridge Analytica privacy scandal to bed. And Equifax paid $700 million to FTC to settle their 2017 data breach, which involved the loss of at least 147 million personal records. Big numbers indeed, we are seeing the big stick of the GDPR kicking in within the UK, and the FTC flexing some serious privacy rights protection punishment muscles in the US. All 'food for thought' when performing cybersecurity risk assessments.

Through a Freedom of Information request, the UK Financial Conduct Authority (FCA) disclosure a sharp rise of over 1000% in cyber-incidents within UK financial sector in 2018. In my view, this rise was fueled by the mandatory data breach reporting requirement of the GDPR, given it came into force in May 2018. I also think the finance sector was reluctant to report security weakness pre-GDPR, over fears of damaging their customer trust. Would you trust and use a bank if you knew its customers were regularly hit by fraud?

Eurofins Scientific, the UK's largest forensic services provider, which was taken down by a mass ransomware attack last month, paid the cybercrooks ransom according to the BBC News. It wasn't disclosed how much Eurofins paid, but it is highly concerning when large ransoms are paid, as it fuels further ransomware attacks.

A man was arrested on suspicion of carrying out a cyberattack against Lancaster University. The UK National Crime Agency said university had been compromised and "a very small number" of student records, phone numbers and ID documents were accessed. In contrast, the FBI arrested a 33 old software engineer from Seattle, she is alleged to have taken advantage of a misconfigured web application firewall to steal a massive 106 million personal records from Capital One. A stark reminder of the danger of misconfiguring and mismanaging IT security components.

The Huawei international political rhetoric and bun fighting has gone into retreat. UK MPs said there were no technological grounds for a complete Huawei ban, while Huawei said they were 'confident' the UK will choose to include it within 5G infrastructure. Even the White House said it would start to relax the United States Huawei ban. It seems something behind the scenes has changed, this reversal in direction is more likely to be financially motivated than security motivated in my rather cynical view.

A typical busy month for security patch releases, Microsoft, Adobe and Cisco all releasing the expected barrage of security updates for their products. There was security updates released by Apple as well, however, Google researchers announced six iPhone vulnerabilities, including one that remains unpatched.

BLOG

• Four Key Questions to ask following a Cyber Attack
• How to Prevent Insider Data Breaches at your Business
• Cyber Security Roundup for June 2019

NEWS

• ICO to fine BritishAirways £183 Million for Data Breach
• ICO to fine Marriot nearly £100 Million for 2018 Data Breach 
• Cyber-Incident Reports from the UK Finance Sector spiked by 1,000% in 2018
• Facebook pay $5 billion fine over the Cambridge Analytica Scandal
• UK Forensic Services firm Eurofins Scientific Paid Ransom after Cyber-Attack
• Capital One Hacker who stole Personal information on 106M individuals Arrested
• Equifax to pay up to $700m to settle Data Breach
• Former Equifax executive sentenced to prison for insider trading prior to Data Breach 
• E.On 'error’ Reveals 498 Customers’ Email Addresses
• Fake Voices 'help cyber-crooks steal cash’
• Internet wobble caused by Cloudflare Glitch 
• Lancaster University cyber-attack Suspect Arrested

VULNERABILITIES AND SECURITY UPDATES

• Microsoft Patches 77 Vulnerabilities, including 16 Critical for Windows, IE, .NET, SQL Server, Visual Studio & Chakra
• Google Researchers Discover Six iPhone Vulnerabilities, One Unpatched
• Cisco Releases Updates for 10 High-Rated Vulnerabilities 
• Mozilla’s latest Firefox releases Fix 21 Bugs
• Adobe’s July Patch Tuesday includes Bridge CC, Experience Manager, Dreamweaver fixes
• Apple Patches Bugs in Four Operating systems and Safari browser 
• Apple Watch bug allowed iPhone Eavesdropping
• Intel releases Updates for Processor Diagnostic tool and SSD DC S4500/S4600 Series
• Cisco releases Updates for ASA DoS Vulnerability
• Cisco releases Updates, One ‘Critical,’ Two ‘High’ Severity ratings

HUAWEI NEWS AND THREAT INTELLIGENCE

• No technological grounds for complete Huawei ban, say MPs
• Huawei 'confident' UK will choose to include it within 5G infrastructure 
• US to start to relax Huawei ban, announces White House

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• Flaws in Visa Contactless Cards allow for bypass of anti-fraud checks, researchers warn
• BlueKeep built into exploitation tool, sparks fear of WannaCry style infections
• APT34 Spread Malware via LinkedIn invites
• APT-hunting group claims China’s Security Ministry is behind APT17
• Ke3chang APT group linked to Okrum Backdoor
• Scams use false alerts to target Office 365 users 
• Cybersecurity Should Be Handled by Law Enforcement and Government, Report

Four Key Questions to ask following a Cyber Attack

Guest Article by Andy Pearch, Head of IA Services at CORVID

Cyber attacks are inevitable, but it’s how an organisation deals with them that can make or break their business. Have they got all the answers, and do they fully understand the implications? Can they be sure the attack won’t happen again?

Swift and comprehensive incident response is a critical step to ensuring the future security of a business and protecting its reputation. It’s not enough to be aware that an attack is taking (or has taken) place. There are four key questions organisations need to be able to answer following a cyber security breach – if a single answer is missing, the security team won’t have the full picture, leaving the business vulnerable to impending attacks. Not having this level of insight can also damage an organisation’s relationships with suppliers and affect customer confidence, as it means the business itself is not in control of the situation.

Andy Pearch, Head of IA Services at CORVID, outlines four key questions all organisations must be able to answer after a cyber attack.

1. How and where did the Security Breach take place?The first step of an effective incident response strategy is to identify how the attackers got in. Quite simply, if an organisation misses this first crucial step, attackers will exploit the same vulnerability for future cyber attacks. Guesswork won’t cut it – any security professional can hypothesise that “it was probably an email”, but security teams need clear evidence so they can fully analyse all aspects of the problem and devise an appropriate solution.

2. What Information was Accessed?

Understanding specifically what information was accessed by the attacker is paramount to knowing what impact the attack will have on the organisation. Identifying which departments were targeted or what types of information might have been stolen isn’t good enough; organisations need to be able to articulate exactly which files were accessed and when. 

Headlines about attackers stealing information are common, but just as importantly, you need to know the scope of the information they’ve seen, as well as the information they’ve taken. Not only will this inform the next steps that need to be taken, and shed light on which parts of the business will be affected, but it will also enable the organisation to remain compliant with legal obligations, for example, identifying if a data breach needs to be reported under GDPR.

3. How can Systems be Recovered Quickly?

Organisations will understandably want to get their IT estate back to normal as soon as possible to minimise damage to their business, service and reputation. If the compromise method is identified and analysed correctly, IT systems can be remediated in seconds, meaning users and business operations can continue without downtime for recovery.

4. How do you prevent it from happening again?

Knowing the IT estate has been compromised is useless without taking steps to make sure it doesn’t happen again. Managed Detection and Response (MDR) is all about spotting the unusual activity that indicates a potential breach. If a user is accessing files they would never usually touch, sending unexpected emails or reaching out to a new domain, for example, such activity should prompt a review. The problem for most companies, however, is they lack not only the tools to enable such detection, but also the time and skills to undertake thorough analysis to determine whether it is a breach or a false positive.

A managed approach not only takes the burden away from businesses, but also enables every company to benefit from the pool of knowledge built up as a result of detecting and remediating attacks on businesses across the board. With MDR, every incident detected is investigated and, if it’s a breach, managed. That means shutting down the attack’s communication channel to prevent the adversary communicating with the compromised host, and identifying any compromised asset which can then be remediated.

Shifting Security Thinking

Clearly, GDPR has raised awareness that the risks associated with a cyber attack are not only financial, as hackers are actively seeking to access information. Security plans, therefore, must also consider data confidentiality, integrity and availability. But it is also essential to accept the fundamental shift in security thinking – protection is not a viable option given today’s threat landscape. When hackers are using the same tactics and tools as bona fide users, rapid detection and remediation must be the priority.

How to Prevent Insider Data Breaches at your Business

Guest article by Dan Baker of SecureTeam

Majority of security systems are installed to try and forestall any external threats to a business’ network, but what about the security threats that are inside your organisation and your network?

Data breaches have the potential to expose a large amount of sensitive, private or confidential information that might be on your network. Insider threats are a significant threat to your business and are increasingly being seen as an issue that needs dealing with.

SecureTeam are experts in cybersecurity and provide a variety of cybersecurity consultation solutions to a range of businesses. They have used their extensive knowledge of internal network security to write this handy guide to help businesses protect themselves from insider data breaches.

Who is considered an Insider Threat?
Insider threats can come from a variety of different sources and can pose a risk to your business that you might not have considered.

Malicious Insider 

This is when an employee who might have legitimate access to your network has malicious intentions and uses that access to intentionally leak confidential data. Employees who intentionally provide access to the network to an external attacker are also included in this threat.

Accidental Insider

This is when an employee makes an honest mistake that could result in a data breach. Something as simple as opening a malicious link in an email or sending sensitive information to the wrong recipient are all considered data breaches. The main cause of accidental insider data breaches is poor employee education around security and data protection and can be avoided by practising good security practices.

Third Party

There is a data protection risk that arises when third-party contractors or consultants are provided with permission to access certain areas of the network. They could, intentionally or unintentionally, use their permission to access private information and potentially cause a data breach. Past employees who haven’t had their security access revoked could also access confidential information they are no longer entitled too and could be seen as a threat.

Social Engineers

Although this threat is technically external a social engineers aim is to exploit employees by interacting with them and then attempting to manipulate them into providing access to the network or revealing sensitive information.

Data breaches from internal threats have the potential to cause the loss of sensitive or confidential information that can damage your business’ reputation and cost you a significant amount of money. There are some ways you can attempt to prevent insider data breaches, however. 

How to prevent Data Breaches
There are a few simple ways you can try to prevent an internal data breach, including:

Identify your Sensitive Data

The first step to securing your data is to identify and list all of the private information that you have stored in your network and taking note of who in your organisation has access to it. By gathering all of this information you are able to secure it properly and create a data protection policy which will help keep your sensitive data secure.

Create a Data Protection Policy

A data protection policy should outline the guidelines regarding the handling of sensitive data, privacy and security to your employees. By explaining to your staff what they are expected to do when handling confidential information you reduce the risk of an accidental insider data breach.

Create a Culture of Accountability

Both employees and managers should be aware of and understand their responsibilities and the responsibilities of their team when it comes to the handling of sensitive information. By making your team aware of their responsibilities and the consequences of mistakes and negative behaviour you can create a culture of accountability. This also has the more positive effect of highlighting any issues that exist before they develop into full problems which can then be dealt with training or increased monitoring.

Utilise Strong Credentials & Access Control

By making use of stronger credentials, restricting logins to an onsite location and preventing concurrent logins you can make your network stronger and remove the risk of stolen credentials being used to access the network from an external location.

Review Accounts and Privileged Access

It is important that you regularly review your user's privileges and account logins to ensure that any dormant accounts no longer have access to private information and that users don’t have unnecessary access to data. This helps to reduce the risks of both accidental and malicious insider data breaches.

Conclusion
The threat of an insider data breach continues to be an issue to businesses throughout a range of sectors. However, by putting a plan in place for these insider security threats it improves the speed and effectiveness of your response to any potential issues that arise.

It is sensible to assume that most, if not all, businesses will come under attack eventually and by taking the threat seriously and adhering to the best security practices then you can help to prevent an attack turning into a full-blown data breach.

Cyber Security Roundup for June 2019

Keep Patching!
June 2019 was another very busy month for security update releases. Microsoft released updates to patch 22 critical rated vulnerabilities, Intel released 11 fixes, and there were also several critical security updates for Apple Airport, Adobe Flash Player, Cisco devices, Cisco Data Centre Network Manager, Dell SupportAssist, Google Chrome, Firefox and Apache.  One further standout vulnerability was the "SACK Panic" TCP Linux and FreeBSD kernel vulnerability, uncovered by Netflix researchers, however, Microsoft released a security advisory in regards to TCP SACK Panic by the end of the month.

The National Security Agency (NSA) backed up UK National Cyber Security Centre (NCSC) and Microsoft’s continuing strong recommendations for everyone to apply the latest security updates to all versions of Microsoft Windows, including the unsupported XP, Vista and Windows 2003 Server, to protect against the supercritical CVE-2019-0708 “BlueKeep” vulnerability.

More Major Ransomware Attacks coming to the UK?
We all know the United States government famously takes a stand of no negotiation with terrorists and kidnappers, with the specific policy of never paying ransom demands. There is a good reason for this policy, as paying ransoms just serves to encourage further kidnapping and ransom demands. So it was interesting to learn this month, that US local government does not adhere to the same policy when dealing with ransomware demands. Rivera Beach (Florida) paid a whopping $600,000 ransom to hackers after its computers systems were taken over by ransomware after an employee clicked on a link within a phishing email. Phishing emails are the typical starting ingress of most mass ransomware outbreaks which cripple organisations.  The Lake City (Florida) government officials said they had also paid a $460,000 ransom to cybercrooks following a ransomware attack on their municipality on 10th June.  Meanwhile, Baltimore officials approved $10 million to cover ongoing expenses related to its ransomware attack.

Paying ransomware demands will fuel further ransomware attacks, so I expect ransomware attacks to further escalate. So the big question is, can we expect UK further local government authorities and large organisations to be hard hit by mass ransomware outbreaks? The answer to that will come down to how well their patch management is, and whether lessons have been truly learnt from the destructive 2017 WannaCry ransomware outbreaks, which took down a number of NHS services. Given the recent BlueKeep Microsoft Windows critical vulnerability is expected to spark new strains of ransomware in the coming months, ransomware very much like WannaCry with the devasting capability of rapidly infecting and propagating via unpatched Microsoft Windows systems connected to flat networks, we shall soon find out.

Data Breaches

No major UK data breaches were reported in June 2019, but on the other side of the pond, a misconfigured AWS S3 bucket managed by a data integration company led to confidential data from Netflix, TD Bank, Ford and other companies being exposed. And a misconfigured MongoDB database resulted in 5 million personal records left open to the public via a website. Data breaches caused by misconfigured cloud services operated by third parties is becoming a bit of regular theme.

APT10 Cloud Hopper Campaign further Exposed

An interesting article by Reuters revealed eight of the world’s biggest technology service providers were successfully hacked by APT10 aka 'StonePanda'. APT10, linked to China hackers, operated a sustained campaign over a number of years dubbed “Cloud Hopper”, which Reuters revealed affected Hewlett Packard Enterprise (HPE), IBM, Fujitsu, Tata Consultancy Services, NTT Data, Dimension Data, Computer Sciences Corporation, and DXC Technology. The ATP10 attackers searched for access points into networks an IT systems, when found, extracted confidential information and potential trade secrets. These reported hacks may well be the tip of the iceberg. The Register stated, having gained access to the major service providers, the APT10 group may have gained access to many of their customers. Those customers run into the millions, “dramatically increasing the pool of valuable industrial and aerospace data stolen.”

BLOG

• How can UK Financial Services Organisations Combat the Cyber Threat?
• How organisations can effectively manage, detect and respond to a data breach?
• Blocking DDoS Attacks Using Automation
• UK Security BSides, Mark Your Calendar & Don't Miss Out
• Cyber Security Roundup for May 2019

NEWS

• UK Police suspend use of Hacked Police Forensics Eurofins
• Riviera Beach, Florida pays $600,000 Ransomware Payment
• Second Florida City hit by Ransomware
• Baltimore approve $10 for Ransomware relief and expects $18 million in damages
• Six Arrested in European heist that netted £21M in Cryptocurrency
• Raspberry Pi used to Steal Data Nasa's Jet Propulsion Laboratory
• Deliveroo and Just Eat Customers Complain of Fraud
• Data Management Firm Exposed Client Info on Open Amazon S3 buckets
• 5M records exposed by misconfigured MedicareSupplement.com MongoDB
• Silex bricks 2,000 plus IoT devices, the 14-year-old author has bigger plans for botnet

VULNERABILITIES AND SECURITY UPDATES

• Microsoft Patches 91 Vulnerabilities, including 22 Critical for Windows, IE, Chakra and Flash Player
• NSA Urges Admins to Patch the BlueKeep Vulnerability on Legacy Versions of Windows
• Adobe Releases Critical Fix for Flash Player
• Intel Release 11 Security Updates
• Cisco announces 26 new vulnerabilities, three Critical
• Cisco Updates include fixes for ‘high’ rated RCE, DoS flaws
• Excel Vulnerable by default as a new flaw, Microsoft’s familiar refrain ‘Disable macros to avoid malware’
• Google Chrome 75 rolls out with 42 Security Fixes
• Firefox Updates address takeover Vulnerability
• Dell SupportAssist bug leaves millions of PCs Vulnerable
• Apache Advisory Addresses incomplete Tomcat Update
• Cisco release Security Updates for Data Center Network Manager
• Apple releases eight updates for AirPort BaseStation bugs
• Palo Alto’s Unit 42 discovered 10 ‘Important’ Microsoft bugs
• Netflix Patches Linux SACK Vulnerability

HUAWEI NEWS AND THREAT INTELLIGENCE

• Huawei building UK 5G 'like letting a kleptomaniac into your house', US ambassador says
• Huawei's US head of security hints that the company would be open to working with the US government to ease its concerns over cybersecurity
• Facebook stops apps being pre-installed on Huawei phones
• Huawei products riddled with backdoors, zero days and critical vulnerabilities
• The US 'could ease Huawei sanctions' if China trade deal advances
• Huawei: We don't have to cooperate with the Chinese state
• Huawei cancels laptop launch because of US trade blacklist
• Nokia distances itself from boss's warning over Huawei 5G kit

AWARENESS, EDUCATION AND THREAT INTELLIGENCE

• Inside the West’s failed fight against China’s ‘Cloud Hopper’ (APT10) Hackers
• Operation Soft Cell campaign targets cellular telecom providers, points to China’s APT10
• Russian Cyber Spies likely Hijacked Iranian APT34 Turla Group’s Infrastructure to deliver Backdoor
• New ‘BlackSquid’ Malware targets Web Servers and Drives 

REPORTS

• Tripwire 2019 Vulnerability Management Survey: 34% of European organisations breached due to unpatched Vulnerability
• The 2019 NTT Security Global Threat Intelligence Report: UK Cyber preparedness lags behind awareness