Author Archives: Gordon Smith

Security roundup: July 2019

Every month, we dig through cybersecurity research, trends, advice and news for our readers. This month: T&Cs, stronger security in Europe, and a birthday with bitter memories.

Policing policies to protect privacy

One of the greatest lies on the internet is “I have read the terms and conditions”. But maybe most people aren’t to blame when those same policies read like “an incomprehensible disaster”. That’s what a New York Times investigation found after reviewing 150 privacy policies. The European Commission came to a similar conclusion after surveying 27,000 citizens on their attitudes to data protection. Commissioner Věra Jourová noted that 60 per cent of Europeans read their privacy statements, but only 13 per cent read them fully. “This is because the statements are too long or too difficult to understand,” she said.

But not reading T&Cs could have unwitting consequences; like turning your phone into a spying tool. Spain’s Liga app activated a user’s smartphone audio function when it knew they were in a bar. Spain’s football administrators said the app’s terms made it clear this was to identify places that were streaming matches illegally. The Spanish data protection authority took a different view and slapped the league with a €250,000 fine.

In other privacy news, the UK Information Commissioner’s Office has published guidance providing clarity and certainty on correct cookie use. Cookie rules technically fall under the Privacy and Electronic Communications Regulations, but some of that regulation’s concepts derive from GDPR. As well as a reader-friendly myth-busting blog, there’s also more comprehensive guidance in a longer document.

Strengthening security across Europe

The EU Cybersecurity Act came into force on 26 June. For the first time, it introduces EU-wide cybersecurity certification rules for digital products, services and processes. It also strengthens the mandate for ENISA. The Union’s cybersecurity agency will set up the certification framework and it now has a remit to help Member States to handle cyber incidents.

BH Consulting is a contributor to ENISA and our CEO Brian Honan recently gave a presentation on threat intelligence at an ENISA industry event. The meeting also covered cybersecurity, internet regulation and Europe’s position in the race to a competitive ICT global industry. Brian also spoke to the Irish Times for a feature article about steps under way to improve security. Meanwhile Ireland’s second national cyber security strategy is expected in the coming weeks, as the Irish Examiner reports.

Déjà vu all over again

If working in information security can sometimes feel like Groundhog Day, then you might want to pause before reading further. Consider the following sentences, then guess when they were written (no peeking). “Paradoxically, the drive for business efficiency and globalism serves only to increase the potential damage which computer viruses and other malicious programs can cause… the more streamlined and interconnected computers become, the greater will be the penalties resulting from carelessness, recklessness and vandalism… no-one knows when or where a computer virus will strike. They attack indiscriminately. Virus writers, whether or not they have targeted specific companies or individuals, must know their programs, once unleashed, soon become uncontrollable.”

So how old is that text? Five years? Ten? Fifteen, at a push? Actually, it’s double that number. Edward Wilding penned them in the summer of ’89, for the very first edition of Virus Bulletin (PDF). Brain, the world’s first computer virus, appeared just three years before then.

It says a lot that Wilding could write these words and, without knowing, still have them resonate three decades later. The same issues he identified then have not gone away. (Side note: the same is true of attacks like SQL injection. Even today, they account for two-thirds of all web app attacks, according to new findings from Akamai.) The industry’s progress, or lack of it, is a point to ponder while security professionals (hopefully) enjoy some deserved downtime this summer.

Links we liked

NIST guidance on understanding and managing security risks with IoT devices. MORE

Demand for cybersecurity jobs in Ireland is growing, but supply can’t keep up. MORE

Controversial: you should think about paying to get data back from ransomware. MORE

An open letter to the security profession, from a privacy practitioner. MORE

You know that ‘padlock’ icon in your web browser? It could be a fake. MORE

How a data request can quickly turn into a data breach. MORE and MORE

The Irish privacy champion on a mission to clean up dirty adtech. MORE

A sceptical take on Facebook’s planned move into cryptocurrency. MORE

When BGP goes wrong, the whole internet feels it. MORE

How a trivial cell phone hack is ruining lives. MORE

 

The post Security roundup: July 2019 appeared first on BH Consulting.

From the BH Consulting archives: fake invoicing scams are a constant security risk

Trawling through archives can quickly turn bittersweet when it hits home how little has changed between past and present. Looking back through the posts on BHconsulting.ie, invoice redirect scams have featured regularly since 2015. Fast forward to 2019: An Garda Siochana warned that this fraud cost Irish businesses almost €4.5 million this year. The global costs are even more sobering – but more of that later.

Back in 2015, we reported the Irish Central Bank was fleeced to the tune of €32,000. This fraud was a growing trend even then. Our blog quoted Brian Honan’s Twitter account: “Looks like a fake invoice scam we’ve seen with other clients”. The same post also referred to Ryanair, which was duped around the same time and reportedly lost around €4.5 million.

The impersonation game

Scams like this have many names, like CEO fraud, invoice redirection fraud, or business email compromise. Preventing them from being successful is about knowing how they work and spotting potential red flags. Brian blogged about this in December 2015, detailing scammers’ steps when executing CEO fraud and fake invoicing tricks.

“The premise of the attack is the criminals impersonate the CEO, or other senior manager, in an organisation (note some attacks impersonate a supplier to the targeted company). The criminals may do this by either hijacking the email account of the CEO or setting up fake email accounts to impersonate the CEO.”

Next, criminals send an email seeming to come from the CEO to a staff member with access to the company’s financial systems. The email will request that payment be made to a new supplier into a bank account under the criminals’ control. Alternatively, the email may claim the banking details for an existing supplier have changed and will request payments into a new bank account under the criminals’ control.

Video to beat the scam

In February 2017, we blogged about an educational video that Barclays Bank developed to raise awareness of fake invoicing and similar online scams.

 

Later that same year, we covered the issue again, twice in quick succession. The first of these posts, in August 2017, noted how legitimate email senders do themselves no favours by composing messages that “practically begged to be treated” as fakes. A genuine email from a large insurer was so poorly composed that it would have raised suspicion with anyone who’d been paying attention during security awareness training.

The process problem

Now we’re getting to the heart of the problem. Call it what you want, but this scam is a people and process failure. That was our conclusion from another post in August 2017, after news emerged of yet another victim in Ireland. “The effectiveness of an email scam like CEO fraud relies on one person in the target organisation having the means and the opportunity to make payments. It’s not a security problem that technology alone can fix.”

In the same blog, we noted how the FBI has been tracking this scam since 2013. The agency put collective losses between then and August 2017 at an eye-watering $5 billion. As we blogged then, ways to fix this issue don’t necessarily need to involve technical controls. For example, companies could make it compulsory to have a second signatory whenever they need to make payments over the value of a certain amount.

The risk of these frauds goes beyond just commercial businesses. As we noted in a blog from October 2017, local public sector authorities are also potential victims. The post referred to Meath County Council, which had €4.3 million stolen from it in a dummy invoicefraud.

Staying ahead of the fraudsters

Our August blog included FBI special agent Martin Licciardo’s very practical advice: “The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone. Don’t rely on e-mail alone.”

This brings us neatly back to 2015, where we provided similar advice to avoid falling victim to fake invoice scams. The steps include:

  • Ensure staff use secure and unique passwords for accessing their email
  • Ensure staff regularly change their passwords for their email accounts
  • Where possible, implement two factor authentication to access email accounts, particularly when accessing web-based email accounts
  • Have agreed procedures on how requests for payments can be made and how those requests are authorised. Consider using alternative means of communication, such as a phone call to trusted numbers, to confirm any requests received via email
  • Be suspicious of any emails requesting payments urgently or requiring secrecy
  • Implement technical controls to detect and block email phishing, spam, or spoofed emails
  • Update computers, smartphones, and tablets with the latest software and install up-to-date and effective anti-virus software. Criminals will look to compromise devices with malicious software in order to steal the login credentials for accounts such as email accounts
  • Provide effective security awareness training for staff.

The post From the BH Consulting archives: fake invoicing scams are a constant security risk appeared first on BH Consulting.

BH Consulting in the media: supply chain security still a concern

The Huawei controversy has raised fundamental questions around supply chain security, Brian Honan has told Infosecurity Magazine. In a video interview recorded at Infosecurity Europe 2019 conference in London, BH Consulting’s CEO said the issue of technology containing alleged backdoors to enable spying has led to “interesting conversations” in the security community.

The question boils down to whether it’s possible to build secure systems if there’s no trust in the technology platform they’re built upon, Brian said. “Unless we actually build something ourselves from absolute scratch, we are relying on third parties, and how much trust can we give to those third parties? So the bigger issue becomes: how you secure your supply chain?”

For security professionals, securing their company’s supply chain needs a more rigorous due diligence process than asking vendors whether they have antivirus software on their PCs. It’s about “asking the right questions into the right levels, and digging deep into the technology, depending on what your requirements are,” Brian said.

Huawei to the danger zone

Noting the accusations that Huawei technology has security bugs, Brian said that the same is true of products from many other places including the US, UK or Europe. “There’s no such thing as 100% secure systems. Take the Intel chips that we have in all our servers: they have security bugs in them,” he said.

Emphasising that he wasn’t trying to defend Huawei, Brian said: “A lot of what we’re reading in the press and the media, there’s nothing to substantiate the claims behind it.” The larger question about whether any bugs are accidental, or deliberately placed backdoors that allow Government-level spying, is “outside the remit of our industry,” he said.

The chain

Even if a security professional decided not to use a certain brand of equipment in their network, there’s a question of what happens when their information travels elsewhere within their company’s external supply chain, or through its internet service provider. Instead, infosec professionals should focus on protecting information at rest or in transit, since the early internet engineers designed it to share information, not keep it secret. “We have been trying to build security on top of a very unsafe foundation. We need to look at ways of how we keep our data safe, no matter where it goes or how far it travels,” Brian said.

As for what’s next in security, Brian said regulations will stay at the forefront over the next year. “GDPR isn’t over. GDPR is the evolution of data protection laws that we had already… the regulations are still being enforced. We still have to continue looking after GDPR.”  Some of the earliest court cases relating to GDPR are due to conclude soon, with potentially large fines for offenders. He also said Brexit is “the elephant in the room”, given how it could affect the way that European companies deal with UK businesses, and vice versa.

Toys in the attic

The ePrivacy Regulation (ePR) will have a huge say in how companies embed cookies on their websites and how they communicate and market to customers. Regulations like the EU Cybersecurity Act look set to impose rules on IoT or ‘smart’ devices. Their security – or lack of it – has long been a thorny issue. Brian recently commented on this issue in an article for the Irish Times about smart toys and we’ve also blogged about it before on Security Watch.

Summing up the likely short-term developments in security, Brian said: “A lot of things in the next 12-24 months are going to have a big impact on our industry, and it’s where the regulators are going to play catch-up on the technology. It’s going to be interesting to see how those two worlds collide.” You can watch the 15-minute video here (free, but sign-in required).

Panel discussion at Infosecurity Europe 2019. From left: Peter Brown, Group Manager Technology Policy, UK ICO; Steve Wright, GDPR & CISO Advisor, Bank of England; Titta Tajwe, CISO, News UK; Deborah Haworth, Penguin Random House UK; and panel moderator Brian Honan, CEO of BH Consulting

Regulate

Also during Infosecurity Europe, Brian moderated a debate on dealing with complex regulations while ensuring privacy, security and compliance. It featured with data protection and security practitioners from the Bank of England, Penguin Random House UK, News UK and the UK Information Commissioner’s Office. Bank Info Security has a good writeup of some of the talking points. Its report noted that Brian focused the discussion on the broader regulatory landscape, including the updated EU ePrivacy Directive, while panellists and audience questions kept returning to GDPR.

The article noted how the panelists broadly agreed that regulations, including GDPR, helped to improve their organisation’s security posture. It quoted Titta Tajwe, CISO of News UK, who said: “With the EU GDPR, it really helped for executives to understand what needs to happen to protect the data of your customers. So it did allow the CISOs to get the budget they needed to do the work they’d already been asking for, for a long, long time.”

Photos used with kind permission of Mathew Schwartz.

The post BH Consulting in the media: supply chain security still a concern appeared first on BH Consulting.

Upcoming cybersecurity events featuring BH Consulting

Here, we list upcoming events, conferences, webinars and training featuring members of the BH Consulting team presenting about cybersecurity, risk management, data protection, GDPR, and privacy. 

ISACA Last Tuesday: Dublin, 25 June

BH Consulting COO Valerie Lyons will present a talk on building an emotionally intelligent security team, and the role that leadership plays in influencing team style. It will be an interactive and fun session with several takeaways and directions to free online tools to help analyse team member roles. The evening event will take place at the Carmelite Community Centre on Aungier Street in Dublin 2. Attendance is free; to register, visit this link

Data Protection Officer certification course: Vilnius/Maastricht June/July

BH Consulting contributes to this specialised hands-on training course that provides the knowledge needed to carry out the role of a data protection officer under the GDPR. This course awards the ECPC DPO certification from Maastricht University. Places are still available at the courses scheduled for June and July, and a link to book a place is available here

IAM Annual Conference: Dublin, 28-30 August

Valerie Lyons is scheduled to speak at the 22nd annual Irish Academy of Management Conference, taking place at the National College of Ireland. The event will run across three days, and its theme considers how business and management scholarship can help to solve societal challenges. For more details and to register, visit the IAM conference page

The post Upcoming cybersecurity events featuring BH Consulting appeared first on BH Consulting.

Security roundup: June 2019

Every month, we dig through cybersecurity trends and advice for our readers. This edition: GDPR+1, the cost of cybercrime revealed, and a ransomware racket.

If you notice this notice…

If year one of GDPR has taught us anything, it’s that we can expect more data breach reports, which means more notifications. Most national supervisory authorities saw an increase in queries and complaints compared to 2017, the European Data Protection Board found.

But are companies following through with breach notifications that are effective, and easy to understand? Possibly not. Researchers from the University of Michigan analysed 161 sample notifications using readability guidelines, and found confusing language that doesn’t clarify whether consumers’ private data is at risk.

The researchers had previously found that people often don’t take action after being informed of a data breach. Their new findings suggest a possible connection with poorly worded notifications. That’s why the report recommends three steps for creating more usable and informative breach notifications.

  • Pay more attention to visual attractiveness (headings, lists and text formatting) and visually highlight key information.
  • Make the notice readable and understandable to everyone by using short sentences, common words (and very little jargon), and by not including unnecessary information.
  • Avoid hedge terms and wording claims like “there is no evidence of misuse”, because consumers could misinterpret this as as evidence of absence of risk).

AT&T inadvertently gave an insight into its own communications process after mistakenly publishing a data breach notice recently. Vice Motherboard picked up the story, and pointed out that its actions would have alarmed some users. But it also reckoned AT&T deserves praise for having a placeholder page ready in case of a real breach. Hear, hear. At BH Consulting, we’re big advocates of advance planning for potential incidents.

The cost of cybercrime, updated

Around half of all property crime is now online, when measured by volume and value. That’s the key takeaway from a new academic paper on the cost of cybercrime. A team of nine researchers from Europe and the USA originally published work on this field in 2012 and wanted to evaluate what’s changed. Since then, consumers have moved en masse to smartphones over PCs, but the pattern of cybercrime is much the same.

The body of the report looks at what’s known about the various types of crime and what’s changed since 2012. It covers online card frauds, ransomware and cryptocrime, fake antivirus and tech support scams, business email compromise, telecoms fraud along with other related crimes. Some of these crimes have become more prominent, and there’s also been fallout from cyberweapons like the NotPetya worm. It’s not all bad news: crimes that infringe intellectual property are down since 2012.

Ross Anderson, professor of security engineering at Cambridge University and a contributor to the research, has written a short summary. The full 32-page study is free to download as a PDF here.

Meanwhile, one expert has estimated fraud and cybercrime costs Irish businesses and the State a staggering €3.5bn per year. Dermot Shea, chief of detectives with the NYPD, said the law is often behind criminals. His sentiments match those of the researchers above. They concluded: “The core problem is that many cybercriminals operate with near-complete impunity… we should certainly spend an awful lot more on catching and punishing the perpetrators.” Speaking of which, Europol released an infographic showing how the GozNym criminal network operated, following the arrest of 10 people connected with the gang.

Ransom-go-round

Any ransomware victim will know that their options are limited: restore inaccessible data from backups (assuming they exist), or grudgingly pay the criminals because they need that data badly. The perpetrators often impose time limits to amp up the psychological squeeze, making marks feel like they have no other choice.

Enter third-party companies that claim to recover data on victims’ behalf. Could be a pricey but risk-free option? It turns out, maybe not. If it sounds too good to be true, it probably is. And that’s just what some top-quality sleuthing by ProPublica unearthed. It found two companies that just paid the ransom and pocketed the profit, without telling law enforcement or their customers.

This is important because ransomware is showing no signs of stopping. Fortinet’s latest Q1 2019 global threat report said these types of attacks are becoming targeted. Criminals are customising some variants to go after high-value targets and to gain privileged access to the network. Figures from Microsoft suggest ransomware infection levels in Ireland dropped by 60 per cent. Our own Brian Honan cautioned that last year’s figures might look good just because 2017 was a blockbuster year that featured WannaCry and NotPetya.

Links we liked

Finally, here are some cybersecurity stories, articles, think pieces and research we enjoyed reading over the past month.

If you confuse them, you lose them: a post about clear security communication. MORE

This detailed Wired report suggests Bluetooth’s complexity is making it hard to secure. MORE

Got an idea for a cybersecurity company? ENISA has published expert help for startups. MORE

A cybersecurity apprenticeship aims to provide a talent pipeline for employers. MORE

Remember the Mirai botnet malware for DDoS attacks? There’s a new variant in town. MORE

The hacker and pentester Tinker shares his experience in a revealing interview. MORE

So it turns out most hackers for hire are just scammers. MORE

The cybersecurity landscape and the role of the military. MORE

What are you doing this afternoon? Just deleting my private information from the web. MORE

The post Security roundup: June 2019 appeared first on BH Consulting.

Security awareness training: a constant in a changing world

There are two schools of thought when it comes to users and cybersecurity. Some people working in the industry think of users as the weakest link. We prefer to see them as the first line of defence. Cybersecurity training programmes can address staff shortcomings in knowledge, promote positive behaviour and equip non-experts with enough information to be able to spot potential threats or scams.

In our previous post, we looked back through the BH Consulting blog archives to trace the evolution of ransomware. This time, we’ve gone digging for a less technical threat. Instead, it’s a constant challenge for any infosec professional: security awareness.

Training shortfall

Back in April 2014, we reported on a survey which found that just 44 per cent of employees received cybersecurity training. David Monahan, research director with Enterprise Management Associates, summed up the issue perfectly:

“Without training, people will click on links in email and release sensitive information in any number of ways. In most cases they don’t realise what they are doing is wrong until a third-party makes them aware of it. In reality, organisations that fail to train their people are doing their business, their personnel and, quite frankly, the Internet as a whole a disservice because their employees’ not only make poor security decisions at work but also at home on their personal computing devices as well.”

One year later, little had changed. In a post from April 2015, Lee Munson covered a survey by SpectorSoft of 772 IT security professionals. “Not only do many firms have staff who lack even a basic level of security awareness they often, as the report concludes, have poorly trained staff too, with many of the survey respondents citing a lack of expertise as being a significant problem in terms of defending against insider threats.”

Accidents will happen

At least the post acknowledged that damage can sometimes be the result of accidental actions. Too often, security vendors throw around phrases like ‘insider threat’ that, intentionally or not, tar all user actions as malicious.

But could it be that some people are just naturally more susceptible to spilling the beans? Another post from April 2015 reported on a study from Iowa State University that claimed to spot which people are likely to fall for social engineering tricks that cybercriminals often use. It did this by analysing brainwaves. People with low levels of self control were more likely to reveal confidential information like company secrets, the researcher observed.

That’s not, admittedly, an approach many companies could take in practice, but it couldn’t hurt to ask some targeted questions at interview stage.

In June of that year, a UK Government survey found that the number of breaches had increased year on year. The findings also showed that more businesses large and small were providing ongoing security awareness training to their staff compared to the previous year. Despite that, many of the organisations surveyed also saw an increase in staff-related security breaches during the same period.

Must try harder

As Lee Munson wrote: “While budgets and technical controls obviously come into play and affect an organisation’s ability to protect its digital assets, the human aspect still appears to be the area requiring the most work. Staff training and awareness programmes are known to be effective but many companies do not appear to have leveraged them to their full potential.”

Another post put the need for cybersecurity training and awareness squarely into perspective. Security company Proofpoint showed the extent to which attackers aim for an organisation’s human resources rather than its technical defences. Its report found that people still click on 4 per cent of malicious links they find in emails. BH Consulting’s regular blogger Lee Munson found this to be a surprisingly high figure. “Attackers employ psychology to improve the chances of their attacks succeeding,” he wrote.

And if at first you don’t succeed? A post from early in 2016 suggested a radical approach to poor security behaviour: disciplinary measures. The blog quoted a survey by Nuix which determined that human behaviour was the biggest threat to an organisation’s security. It said corporations would tolerate risky behaviour less, and would likely penalise staff who “invite a data breach”. That’s one way to “encourage” people to show better security behaviour.

Communication breakdown

Lee rightly raised the question of whether companies have sufficiently communicated their security policies and procedures in the first place. “So, if companies (including yours) are going to penalise employees for not being up to date on all of their security policies, who is going to police the writing and dissemination of those documents in the first place?”.

The message is that security policies need to be clear, so that even a non-technical member of staff can:

  • Understand them
  • Act on them
  • Remember them.

Taken as a whole, the blogs show that while cybersecurity training is a valuable exercise, it’s got to be delivered in a way that the intended audience will understand.

The post Security awareness training: a constant in a changing world appeared first on BH Consulting.

Ransomware remains a risk, but here’s how you can avoid infection

It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.

Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Just 1.26 per cent reported so-called ‘encounter rates’, giving Ireland the lowest score in the world.

Hoorays on hold

Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared the way it seems. One explanation for the reduced infection rates could be that 2017 happened to be a banner year for ransomware. In that context, that year’s global WannaCry and NotPetya outbreaks skewed the figures and by that reasoning, the ‘fall’ in 2018 is more likely just a regression to the mean.

Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.

History lesson

The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.

In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.

The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.

Here’s a quick recap of those lessons for individuals and businesses:

  • Keep software patched and up to date
  • Employ reputable antivirus software and keep it up to date
  • Backup your data regularly and most importantly verify that the backups have worked and you can retrieve your data
  • Make staff and those who use your computers aware of the risks and how to work securely online

Preventative measures

By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”

Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.

The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.

Steps to keeping out ransomware

By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:

  • Implement geo-blocking for suspicious domains and regions
  • Review backup processes
  • Conduct regular testing of restore process from backup tapes
  • Review your incident response process
  • Implement a robust cybersecurity training programme
  • Implement network segmentation
  • Monitor DNS logs for unusual activity.

The guide goes into more detail on each bullet point, and is available to download from this link.

Infection investigation

Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)

Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.

Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Much of the steps involve simple security hygiene such as keeping anti malware tools updated, and performing regular virus scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.

The post Ransomware remains a risk, but here’s how you can avoid infection appeared first on BH Consulting.

Security roundup: May 2019

We round up interesting research and reporting about security and privacy from around the web. This month: password practice, GDPR birthday, c-suite risk, and further reading for security pros.

Passwords: a good day to try hard

No self-respecting security pro would use easy passwords, but could they say the same for their colleagues (i.e. everyone else)? The answer is no, according to the UK National Cyber Security Centre. It released a list of the 100,000 most hacked passwords, as found in Troy Hunt’s ‘Have I Been Pwned’ data set of breached accounts. Unsurprisingly, ‘123456’ topped the list. A massive 23 million accounts use this flimsy string as “protection” (in the loosest possible sense of the word). Next on the list of shame was the almost as unimaginative ‘123456789’, ‘qwerty’, ‘password’ and 1111111.

The NCSC released the list for two reasons: firstly to prompt people to choose better passwords. Secondly, to allow sysadmins to set up blacklists to block people in their organisations from choosing any of these terrible passwords for themselves. The list is available as a .txt file here and the agency blogged about the findings to give more context. Help Net Security has a good summary of the study. The NCSC published the research in the buildup to World Password Day on May 2, which Euro Security Watch said should be every day.

WP Engine recently performed its own analysis of 10 million compromised passwords, including some belonging to prominent (and anonymised) victims. It makes a useful companion piece to the NCSC study by looking at people’s reasons for choosing certain passwords.

Encouraging better security behaviour through knowledge is one part of the job; effective security controls are another. In April, Microsoft said it will stop forcing password resets for Windows 10 and Windows Server because forcing resets doesn’t improve security. CNet’s report of this development noted Microsoft’s unique position of influence, given its software powers almost 80 per cent of the world’s computers. We recently blogged about what the new FIDO2 authentication standard could mean for passwords. Better to use two-factor authentication where possible. Google’s Mark Risher has explained that 2FA offers much more effective protection against risks like phishing.

GDPRversary getting closer

Almost one year on from when the General Data Protection Regulation came into force, we’re still getting to grips with its implications. The European Data Protection Supervisor, Giovanni Buttarelli, has weighed in on the state of GDPR adoption. He covered many areas in an interview with Digiday, including consent, fines, and legitimate interest. One comment we liked was how falling into line with the regulation is an ongoing activity, not a one-time target to hit. “Compliance is a continued working progress for everyone,” he said.

The European Data Protection Board (formerly known as the Article 29 Working Group) recently issued draft guidance on an appropriate legal basis and contractual obligations in the context of providing online services to data subjects. This is a public consultation period that runs until May 24.

The EDPB is also reportedly planning to publish accreditation requirements this summer. As yet, there are no approved GDPR certification schemes or accreditation bodies, but that looks set to change. The UK regulator recently published its own information about certification and codes of conduct.

Meanwhile, Ireland’s Data Protection Commission has started a podcast called Know Your Data. The short episodes have content that mixes information for data controllers and processors, and more general information for data subjects (ie, everyone).

Breaching the c-suite

Senior management are in attackers’ crosshairs as never before, and 12 times more likely to be targeted in social engineering incidents than in years past. That is one of the many highlights from the 2019 Verizon Data Breach Investigations Report. Almost seven out of ten attacks were by outsiders, while just over a third involved internal parties. Just over half of security breaches featured hacking; social engineering was a tactic in 33 per cent of cases. Errors were the cause of 21 per cent of breaches, while 15 per cent were attributed to misuse by authorised users.

Financial intent was behind 12 per cent of all the listed data breaches, and corporate espionage was another motive. As a result, there is a “critical” need for organisations to make all employees aware of the potential threat of cybercrime, Computer Weekly said. ThreatPost reported that executives are six times more likely to be a target of social engineering than a year ago.

Some sites like ZDNet led with another finding: that nation-state attackers are responsible for a rising proportion of breaches (23 per cent, up from 12 per cent a year ago). It also highlighted the role of system admin issues that subsequently led to breaches in cloud storage platforms. Careless mistakes like misconfiguration and publishing errors also left data at risk of access by cybercriminals.

The Verizon DBIR is one of the most authoritative sources of security information. Its content is punchy, backed by a mine of informative stats to help technology professionals and business leaders plan their security strategies. The analysis derives from 41,000 reported cybersecurity incidents and 2,000 data breaches, featuring contributions from 73 public and private organisations across the globe, including Ireland’s Irisscert. The full report and executive summary are free to download here.

Links we liked

Challenge your preconceptions: a new paper argues cybersecurity isn’t important. MORE

An unfortunate trend that needs to change: security pros think users are stupid. MORE

It’s time to panic about privacy, argues the New York Times in this interactive piece. MORE

Want a career in cybersecurity, or know someone who does? Free training material here. MORE

NIST has developed a comprehensive new tool for finding flaws in high-risk software. MORE

NIST also issued guidelines for vetting the security of mobile applications. MORE

Cybersecurity threats: perception versus reality as reported by AT&T Security. MORE

Here’s a technical deep dive into how phishing kits are evolving, courtesy of ZScaler. MORE

A P2P flaw exposes millions of IoT security cameras and other devices to risks. MORE

A new way to improve network security by analysing compressed traffic. MORE

 

The post Security roundup: May 2019 appeared first on BH Consulting.