One Of Malta’s Major Banks Suffers Cyber Attack, Shutting Down Operations

The Bank of Valletta, one of Malta’s main banks and the financial institution which accounts for almost half of Malta’s banking transactions, suffered a major cyber attack on Wednesday. The bank said it had closed its branches and ATMs on the small Mediterranean island after realizing hackers were trying to access its systems. Its website was also offline.

Experts Comments below: 

Felix Rosback, Product Manager at comforte AG:

“Banks are naturally the target of many breaches due to the highly sensitive data stored. Payment data is extremely useful for hackers to commit fraud and they can make a lot of money from selling this information on the dark web. The targeting of banks is also popular among hacktivist groups with non-commercial interests.

Banking is all about trust but, with an increasing attack surface, it’s nearly impossible to prevent breaches. The most important thing payment organizations can do is protect customer data and make sure that their accounts are not affected, with their privacy protected whenever a breach happens.”

Javvad Malik, Security Advocate at AlienVault:

“As more companies become largely digital, they need to take into account the risks associated in a holistic manner.

It is no longer enough to implement security simply at one level such as the website or the app. Rather security needs to be baked in all the way across the endpoint, network, to the servers.

Additionally, detection and response controls need to be in place and tested to gain assurance that during an incident core business functions can be maintained.”

The ISBuzz Post: This Post One Of Malta’s Major Banks Suffers Cyber Attack, Shutting Down Operations appeared first on Information Security Buzz.

Equifax Partner Breach

Cybercriminals found a way to penetrate Image-I-Nation Technologies, a North Carolina-based provider of software and hosting services that serves the three largest credit reporting services, including Equifax. The hackers had access to sensitive information including social security numbers.

Experts Comments below:

Tim Mackey, Technical Evangelist at Synopsys:

“This breach disclosure highlights just how little control individuals have over the security and location of their personal data – let alone the purpose the data might be used for. Regardless of media coverage, it is highly unlikely that most people will pay attention to a data breach at Image-I-Nation Technologies considering they likely never directly did business with the company. In essence this is a repeat of the shock consumers experienced with the Equifax breach in 2017 and which spurred in part the enactment of the California Consumer Privacy Act (CCPA). Given the CCPA comes into effect in less than a year, it would be illustrative to look at this breach through that lens.

“Organisations doing business in the state of California which process information on more than 50,000 devices, individuals or households and which derives more than 50% of their revenue processing personal data would be subject to the CCPA. Consumers would be required to receive notification of the nature of collected data and the purpose of collecting the data when providing any data. Upon request, the organisation would be required to disclose in a human consumable format the collected data, the sources for the data, and the business purpose for both processing and sharing that data. In the event of unauthorised access to consumer data, including as a result of a data breach, the CCPA provides a consumers a right to bring suit against the organisation, including class-wide suits, and recover damages in an amount of not less than $100 per consumer per incident. While the number of California consumers impacted by the Image-I-Nation Technologies breach wasn’t disclosed, under CCPA it’s likely the potential civil suit would be substantial.

“Given the number of data protection laws appearing on the global stage, it’s clear that any business collecting or processing personal data needs to look closely at what data elements they collect, the purpose behind collection, the data retention policy and the consent obtained at the time of collection. Data warehouses with personal data are prime targets for malicious attacks. When the connection between consumer consent and the organisation storing the data is unclear, consumers are placed in a position where they can’t effectively manage and monitor their personal data. Only with greater transparency of data collection and processing practices can consumers effectively manage their digital privacy.”

Chris Olson, CEO at The Media Trust:

“If there is anything we’ve learned from the past few years’ breaches, third parties are an organization’s weakest links in the digital supply chain, and bad actors know it. It is therefore no surprise that the GDPR and, to some extent, California’s landmark consumer privacy law recognize the threats that third parties, unknowingly and otherwise, introduce. Since organizations are held at least partly responsible for their vendors’ actions, they should carefully vet the latter’s security and privacy measures and conduct periodic audits to close any security and privacy loopholes. As regulators ramp up their operations, they will no doubt make examples of high-profile violators of data privacy laws and impose penalties commensurate to those violations.”

Matan Or-El, Co-founder and CEO at Panorays:

“The hack into Image-I-Nation Technologies, which is connected to the big three credit reporting companies, is a perfect example of how cybercriminals are infiltrating the supply chain to steal data from large organizations. Hackers were able to target a third party in order to gain access to social security numbers, names and addresses of consumers from three credit reporting companies. This breach illustrates why it’s crucial for organizations to perform comprehensive risk assessments of all their supply chain partners, along with continuous monitoring to spot vulnerabilities.”

Dunkin’ Donuts Accounts Compromised In Second Credential Stuffing Attack In Three Months

Dunkin’ Donuts has announced that it was the victim of a credential stuffing attack during which hackers gained access to customer accounts. This marks the second time in three months that the coffee shop chain has notified users of account breaches following credential stuffing attacks.

Experts Comments below:

Stephen Moore, Chief Security Strategist at Exabeam:

“The most seasoned and well-resourced security teams can be easily overwhelmed by the volume of organisational alerts they receive in a day. That complexity, when combined with the inherent difficulties of detecting credential-based attacks, because the attackers are impersonating legitimate users, creates an environment that lacks control and trust. In this case, the security incident was likely the result of malicious actors using previously collected or breached login data to access accounts.

To protect against these types of attacks, organisations must shift the enterprise security strategy. To remediate incidents involving user credentials and respond to adversaries, the key is to move fast and consider an approach that is closely aligned with monitoring user behaviour – to provide the necessary visibility needed to restore trust, and react in real time, to protect user accounts. This should include the ability to detect, using behavioural characteristics, when events have occurred – especially when it comes to customer–facing incidents.”
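The behavioural signal Moore describes can be made concrete. The following is an added example, not code from Exabeam or from the original post: it scans a small constructed authentication log (the line format is an assumption) and flags a source that tries many distinct usernames in a short window, which is the footprint of credential stuffing rather than of one user mistyping a password. It also lists the accounts that succeeded from a flagged source, since those are the ones a defender would want to reset and notify.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one event per line:
# "<ISO timestamp> <source ip> <username> <outcome>"
# (the format is an assumption for this example, not any product's real log format)
SAMPLE_LOG = """\
2019-02-12T10:00:01 203.0.113.5 alice FAIL
2019-02-12T10:00:02 203.0.113.5 bob FAIL
2019-02-12T10:00:02 203.0.113.5 carol FAIL
2019-02-12T10:00:03 203.0.113.5 dave SUCCESS
2019-02-12T10:00:04 203.0.113.5 erin FAIL
2019-02-12T10:00:05 203.0.113.5 frank FAIL
2019-02-12T10:00:06 203.0.113.5 grace FAIL
2019-02-12T10:00:01 198.51.100.7 alice FAIL
2019-02-12T10:00:09 198.51.100.7 alice FAIL
2019-02-12T10:00:20 198.51.100.7 alice SUCCESS
2019-02-12T10:30:00 203.0.113.5 heidi FAIL
"""


def parse_events(text):
    """Parse log lines into (timestamp, ip, username, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def find_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Return {ip: set(usernames)} for sources that touched at least
    `min_distinct_users` distinct accounts inside any sliding `window`.

    Successes are counted too: stuffing produces valid logins that look
    legitimate individually, so the behaviour of the source, not the
    outcome of one attempt, is what gives it away.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, _outcome in events:
        by_ip[ip].append((ts, user))

    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it fits within `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = flagged.get(ip, set()) | users
    return flagged


def accounts_to_reset(events, flagged):
    """Accounts that were successfully logged into from a flagged source."""
    return {user for _ts, ip, user, outcome in events
            if ip in flagged and outcome == "SUCCESS"}


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    hits = find_credential_stuffing(evts)
    for ip, users in hits.items():
        print(f"{ip}: {len(users)} distinct accounts attempted")
    print("reset:", sorted(accounts_to_reset(evts, hits)))
```

The single-account source 198.51.100.7 is left alone even though it fails twice, and the attempt from 203.0.113.5 half an hour later is not pulled into the earlier window; only the burst across seven accounts trips the rule.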

Tim Bandos, Vice President of Cyber Security at Digital Guardian:

“In situations like this, the practice of good password hygiene becomes critical otherwise you’re putting sensitive accounts and credentials at risk. We know that in addition to credit cards, email addresses and PII, password credentials are highly sought-after by cybercriminals – so use a different password for each of your online accounts. Make sure your passwords are unique and complex to ensure that hackers cannot guess them. If you’re notified that your account has been compromised, change your password immediately. Lastly, where possible, enable multi-factor authentication. Popular websites like Facebook, Gmail and Skype all offer this service.”

Steve Armstrong, Regional Director UK, Ireland & South Africa at Bitglass:

“It’s imperative that users understand the risk of weak authentication. Reusing the same password allows attackers to use credential stuffing attacks across multiple platforms. For the hacker, once they breach one set of accounts, the pay off can be high. In order to mitigate this risk end users and platform providers should implement both a strong password criteria and a second factor authentication to ensure the user is who they say they are. Ultimately, my recommendation to any customer who has experienced a breach is to change all the passwords across all their accounts online. The use of a password manager would make managing this far simpler. The knock-on effect here is not just the loss of this specific account – but the likelihood of credentials being used elsewhere.”

OkCupid Hit By Hackers

It has been reported that hackers have apparently compromised some user accounts of dating service OkCupid. However, the company has denied any such attempt, triggering a debate on how safe online dating portals are. One user contacted TechCrunch to report that a hacker had broken into his account and changed the password. The email address on file was changed as well, leaving the user unable to reset his password.

Experts Comments below: 

Tim Mackey, Technical Evangelist at Synopsys:

“The reported breach at OkCupid highlights a key issue we face with account and identity management – web sites often use an email address as a form of identification but don’t validate that email address at any point during the account lifecycle. From the reported OkCupid responses to enquiries, it appears a user’s email address is their primary form of account identifier. Given that users can change email addresses, that email addresses may no longer be valid (say as the result of a provider shutting down), and that email is an insecure form of communication, the use of email as a primary form of identification is problematic from the outset.

While it’s likely rather difficult for OkCupid to quickly resolve their use of email as an identifier, there are some best practices any organisation seeking to use email within their applications should consider.

Consent is key. Don’t assume that a user correctly entered a valid email address. If they can’t confirm via email that they received a confirmation email, then they likely won’t receive any other messages. Worse, if they can’t confirm, then perhaps the email address doesn’t belong to them and you may have leaked personal information on that user who may have done nothing more serious than typo their email address in a form.
Consent is key – again. When changing an email address, don’t assume the user making the change entered the correct email address. Confirm their address with the new email address, and then only once confirmed change over from the prior one. Also send a confirmation email for this operation to the old address. This way if an account take over were to occur, the legitimate user would have an opportunity to identify the issue.
Take the claim of identity fraud seriously. If someone asserts their account was taken over – assist them in their recovery if they have access to any of the prior communication modes.
Retain a log of prior identification modes used. If someone changes their email address, don’t simply overwrite the old value with a new one. Retain that this action occurred. Identity theft can occur with all web properties and businesses aren’t built with frustrated users.”
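The four practices above describe one flow: confirm the new address before switching to it, notify the old address when the switch happens, and keep the old address on record so a recovery claim can be checked against it. The following is an added example of that flow; it is not OkCupid's code or Synopsys's, and the service, class and method names are hypothetical. The outbox list stands in for a mail transport so the example runs offline.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    user_id: str
    email: str                                  # the currently confirmed address
    email_history: list = field(default_factory=list)  # (old, new) pairs, never overwritten


class EmailChangeService:
    """Hypothetical account service implementing confirm-first email changes."""

    def __init__(self):
        self.accounts = {}   # user_id -> Account
        self.pending = {}    # confirmation token -> (user_id, new_email)
        self.outbox = []     # (recipient, subject); stands in for real mail delivery

    def register(self, user_id, email):
        self.accounts[user_id] = Account(user_id, email)

    def request_email_change(self, user_id, new_email):
        """Record the requested change but do NOT apply it yet.

        A single-use random token goes only to the new address: if nobody
        can read mail there, the change never happens and no other
        notifications are ever sent to an address the user may have mistyped.
        """
        if user_id not in self.accounts:
            raise KeyError("unknown account")
        token = secrets.token_urlsafe(32)
        self.pending[token] = (user_id, new_email)
        self.outbox.append((new_email, f"Confirm your new address: {token}"))
        return token

    def confirm_email_change(self, token):
        """Apply a pending change; returns False for unknown or reused tokens."""
        entry = self.pending.pop(token, None)
        if entry is None:
            return False
        user_id, new_email = entry
        acct = self.accounts[user_id]
        old_email = acct.email
        # Retain the prior identifier instead of overwriting it.
        acct.email_history.append((old_email, new_email))
        acct.email = new_email
        # Tell the OLD address so a legitimate owner can spot a takeover.
        self.outbox.append((old_email,
                            "Your account email was changed; contact support if this was not you"))
        return True

    def prior_emails(self, user_id):
        return [old for old, _new in self.accounts[user_id].email_history]

    def is_known_contact(self, user_id, claimed_email):
        """Support for a takeover claim: is the address the claimant says they
        control either the current one or one previously on record?"""
        acct = self.accounts[user_id]
        return claimed_email == acct.email or claimed_email in self.prior_emails(user_id)


if __name__ == "__main__":
    svc = EmailChangeService()
    svc.register("u1", "owner@example.com")          # constructed sample account
    tok = svc.request_email_change("u1", "changed@example.com")
    print("before confirm:", svc.accounts["u1"].email)
    svc.confirm_email_change(tok)
    print("after confirm:", svc.accounts["u1"].email, "history:", svc.prior_emails("u1"))
```

A real deployment would add a token expiry and rate-limit change requests, but the ordering is the point: nothing about the account changes until the new address has proven it can receive mail, and the old address always learns that a change occurred.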

Juliette Rizkallah, CMO at SailPoint:

“With so many consumer apps available, it is more important than ever for people to be extra diligent about how they manage their personal access to data since consumer-facing breaches can potentially expose the enterprise as well. More hackers are using credential stuffing techniques in which they take advantage of users who are not following password best practices so that they can breach multiple accounts, including business applications, by the same user.

While people can’t go back in time to protect what data may have been compromised, they can use this as an opportunity to get familiar with password management best practices to avoid being targeted by a credential stuffing hack. Some simple measures that people can easily implement right now include using a unique password for every application or account, and making sure the password is long and more complex – the longer and more complex the password, the safer it will be. After all, protecting identity is key to the safety of your own personal data but also to the security of sensitive company data and files, too.”

Sandor Palfy, CTO at LastPass: 

“Reports of hacked OkCupid accounts are a great reminder that even accounts like dating apps can hold information hackers find valuable. Passwords are the first line of defense in keeping your online information safe and protected, yet many people are complacent about password hygiene. Our recent Psychology of Passwords survey found that while 91 percent of people know that using the same password for multiple accounts is a security risk, nearly two-thirds admitted that they continue to do so anyway.

If you use the same password for multiple sites, and one site is breached and your password is cracked, attackers will go after your other accounts, likely even before you learn about the breach. Using unique passwords ensures that a breach at one website doesn’t result in a stolen account at another. The longer the password is, the harder it becomes to crack or brute-force attack, which simply means it takes longer for a computer to correctly guess it. It’s also worth turning on two-factor authentication where possible for an additional layer of protection. Should your password somehow be compromised — perhaps in a phishing attack — the attacker still won’t be able to get into your account without the two-factor authentication information.

While these steps to improve security can seem daunting, using a password manager can help you create long and complex passwords, securely keep track of credentials for each site and recall them automatically the next time you log in to those accounts. This makes life easier for the user, and much more difficult for hackers.”

Terence Jackson, Chief Information Security Officer at Thycotic:

“Passwords are frequently reused across sites and legacy endpoint protection often doesn’t pick up certain malicious tools such as keyloggers. This highlights the need for consumers to practice better cyber hygiene, for example using a password manager, avoiding risky sites and applications and maybe even avoiding services that don’t offer MFA. It’s also likely that some of the OkCupid users were phished and willingly handed over access to their accounts as phishing attacks have gotten more sophisticated and prevalent.”

620 Million Account Details For Sale On Dark Web

Following the news that 620 million stolen account details from 16 hacked sites have been posted for sale on the dark web today, IT experts commented below.

Jake Moore, Cyber Security Specialist at ESET UK:

“This is typical of what happens once there is a large breach of passwords. After we saw “Collection #1-5” released in the wild last month, this news is sadly inevitable. However, the value of this database is massively reduced once all the users’ passwords are changed as the details cannot be used by anyone wishing to purchase the list.

So, if you’ve owned an account with a password over the last 10 years and you haven’t changed the password in the last 12 months, I would suggest you change it and add two factor authentication right now. Then you can relax in thinking that at least those hackers purchasing your data have wasted their money.”

Ed Macnair, CEO at CensorNet:

“It is now uncomfortably commonplace for hackers to be openly selling data they have harvested online. While the details up for sale in this particular collection may not seem to be the most sensitive, there appear to be no bank details included in the sales listings, this does not matter for the types of attack this data is intended for.

“The details available include email addresses and passwords, which are used for credential stuffing: the method of attack where criminals try the same email and password combinations across multiple accounts. With this method, hackers can access sensitive information such as saved card details linked to certain accounts. They may also use it to crack into company networks, which typically contain more valuable information than a personal account. That this data collection has been specifically organised to be used for credential stuffing attacks highlights how popular and lucrative this type of attack is.

“The size of this particular collection of data is worrying. Consumers and businesses alike will be affected, so it is essential that users who think they have been affected change their passwords, and use a unique password for every account. Businesses should instruct all of their employees to update their login details, and implement authentication requirements so that an employee’s identity is guaranteed when they are logging into company resources. As the volume of these databases continues to increase, this is more important than ever.”

Emmanuel Schalit, CEO at Dashlane:

5-10 years ago, consumer cybersecurity was about protecting your device with an anti-virus software or an anti-spam filter. Today your data is not only on your device, it is in the cloud and the last/only line of defense there is likely to be your passwords.

Encrypted passwords are amongst the data that has been leaked here, and even though they must be cracked before they are able to be used, this still presents a big problem. Passwords are to the digital age what seatbelts were to the auto industry. They protect your identity, finances, and other critical personal information – so should they be cracked and used, all this data could be used for nefarious means.

Given the sheer quantity of this data on sale, we would advise all consumers, not just those affected, to change their passwords immediately, across all of their accounts. For those affected, this is even more important. You may not be able to control the security architecture of the digital services you use every day, but you can take measures to make sure you have optimal password hygiene. This is the digital version of the “containment” doctrine. Best practice password hygiene calls for unique and complex passwords for each and every account, which ensures that if one account is breached, then your other accounts will be secure. Some breaches, as we see here, aren’t discovered or disclosed for months or even years, so in addition to this, changing your passwords regularly is crucial, as you never know when your account might have been exposed.

Ilia Kolochenko, CEO at High-Tech Bridge:

“Without further verification, it rather looks like a secondary offering of breached databases on the black market. The first, thus exclusive and the most expensive sale, usually takes place in confidence and without notice to the breached party. Once multiple databases are grouped to be publicly offered, they are likely sold not for the first time.

The biggest risk of targeted individual attacks against the victims, however, is probably already in the past: now the buyers will likely conduct large-scale phishing and malware campaigns without a high degree of sophistication. Nonetheless, the victims may still face password re-use attacks and therefore should be particularly cautious within the next few months.

Those websites that haven’t yet discovered the breaches themselves should immediately initiate a forensics procedure and talk to their legal advisors to coordinate disclosure imposed by the applicable law. Failure to do so may increase the damages sought by the victims and lead to supplementary monetary penalties by the authorities.”

Gavin Millard, VP of Intelligence at Tenable:

“There appears to be a disconcerting trend developing of combining historic data breaches and packaging them up for sale on the dark web, as was evidenced earlier this year with 773 million records known as Collection #1 published. What is notable about this recent set of data is that there are several breaches from within the last year, some of which have already been publicly reported.
“As credential stuffing attacks are becoming increasingly more common, repositories like this will be invaluable. For instance, dating app and website OKCupid [whose parent company is Match Group Inc] has been dealing with reports from users of their accounts being hacked. The company has denied the claim that their website was compromised making it very likely that the account takeovers users are experiencing are the result of credential stuffing attacks.
“Some companies have taken some novel steps to try to thwart credential stuffing attacks against their users by obtaining the breached data themselves and cross referencing it against their own database. They can then warn users of password reuse or issue a password reset to ensure their accounts are protected from credential stuffing. Individuals can also take such precautions by visiting sites, such as ‘https://haveibeenpwned.com/’ to determine if they’ve an account that has been compromised.
“Of course, the best way to avoid credential stuffing attacks is to always create unique email and password combinations for every account. Doing this manually is untenable hence good practice is to always use a password manager that can create and store complex passwords, and even alert users to compromised passwords found in data breaches.”
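The cross-referencing Millard describes is usually done at login or password-set time, when the plaintext is briefly available, by looking the password up in a breached-password corpus without ever sending the full password or its full hash anywhere. The block below is an added example, not Tenable's code or anything from the original post. The corpus is constructed inline, and the range-lookup format (SHA-1, a 5-hex-character prefix sent, `SUFFIX:COUNT` lines returned) is assumed to mirror the k-anonymity scheme used by the haveibeenpwned.com Pwned Passwords service named above.

```python
import hashlib

# Constructed stand-in for a breached-password corpus (plaintext -> times seen).
# An organisation would build this from breach data it has obtained, or query
# a range service instead of holding the corpus itself.
CONSTRUCTED_BREACH_CORPUS = {
    "password": 3_000_000,
    "123456": 20_000_000,
    "letmein": 250_000,
    "Summer2018!": 41,
}


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index every breached hash by its first 5 hex characters.

    Each bucket holds 'SUFFIX:COUNT' lines, the same shape a k-anonymity
    range endpoint returns, so the lookup logic below is identical whether
    the data is local or remote.
    """
    index = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def range_lookup(prefix):
    """Stands in for the range service. It receives only the 5-char prefix,
    so it learns nothing about which specific password is being checked."""
    if len(prefix) != 5:
        raise ValueError("range lookups take exactly 5 hex characters")
    return RANGE_INDEX.get(prefix, [])


def pwned_count(password, lookup=range_lookup):
    """How many times this exact password appears in the breach corpus (0 if never)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def password_decision(password, threshold=1):
    """What a login or password-change handler does with the result:
    accept, or reject and force the user onto a fresh, unbreached password."""
    return "reject_and_require_reset" if pwned_count(password) >= threshold else "accept"


if __name__ == "__main__":
    for candidate in ("password", "Summer2018!", "correct horse battery staple 7Qz"):
        print(f"{candidate!r}: seen {pwned_count(candidate)} times -> {password_decision(candidate)}")
```

Because the comparison happens on the server only at the moment the user presents the password, the organisation never has to store plaintext or reverse its own salted hashes, and the range service never sees enough of the hash to recover the password.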

59K Data Breaches Reported But Only 91 Fines Imposed Since GDPR

In response to the new 2018 breach report from cybersecurity watchdogs at DLA Piper, which found that European companies experienced 60,000 data breaches in the last 8 months, experts commented below.

Experts Commented below:

Byron Rashed, VP of Marketing at Centripetal Networks:

“It’s no surprise the amount of data breaches that are now reported. Before GDPR, it may not have been reputationally feasible to report data breaches. However, with GDPR, it’s mandatory. Whenever a regulation is enacted, it requires a large amount of internal and external resources as well as capital investment to ensure compliance. Many organizations in the EU were not investing in the proper cybersecurity practices.

“In many cases where compliance is a factor, the cost of fines would have to outweigh the capital investment needed to ensure compliance. An organization can spend several hundred thousand Euros to prepare and maintain compliance. If the fine is only 10,000 Euros, it’s actually cost beneficial to take the fine and remediate the breach.

“The bottom line here is that many organizations were not prepared for GDPR and fell short in compliance.”

Ryan Tully, Vice President, Product Strategy at STEALTHbits Technologies:

“These fines and breaches are an excellent indicator of how seriously Europeans take their data privacy, and how seriously the rest of the world should as well. These fines will only be the start – other countries and states are discovering their own regulations to match the basic guidelines laid out by EU’s GDPR. It’s encouraged that all organizations, large and small, take whatever steps they can to comply with GDPR regardless of whether they interface with European Union citizens; not only to comply with best practices user data handling but to also prepare for a future where user and data privacy becomes global.”

Australian Parliament Cyber-Hack Attempt

Australian authorities are investigating an attempt to hack into the national parliament’s computer network, two senior lawmakers said on Friday, but there was no evidence yet that any data had been accessed or stolen.

Experts Comments below:

Dr Darren Williams, CEO and Founder at BlackFog:

“Nobody is safe from cyber-attack, not even governments. Whilst Australian lawmakers have claimed there’s no sign that the hacking attempt aimed to “disrupt or influence electoral or political processes” we are seeing signs of war being waged through coordinated cyber-attacks targeting both citizens and institutions for both political and monetary gain and governments must be prepared.

“Hackers have become increasingly sophisticated and are attacking organisations from all directions. History tells us that cyber criminals will always find a way of getting in so attackers must be stopped from removing or leaking confidential and classified data, before it causes untold damage and potentially brings a company – or in this case a government – down.”

Ilia Kolochenko, CEO at High-Tech Bridge:

“Attribution of such attack can be very expensive and time-consuming, if feasible. The attackers usually have plenty of resources and skills to destroy any technical evidence in an irrecoverable manner.

Moreover, even if some elements will nonetheless permit to charge with the attack one of the alleged suspects, the legal avenues for a viable remedy will be very limited and economically futile.

Perhaps, the budget allocated for the forensics is better spent on network hardening and enhancement of continuous security monitoring to prevent such incidents in the future.”

Alvin Rodrigues, Security Strategist, APAC and Sam Ghebranious, Senior Regional Director, ANZ at Forcepoint:

“Reports emerging today that the Australian Parliament’s computer network has been hacked are deeply concerning – and yet not surprising. The government should be lauded for their efforts to quickly identify the breach and take precautionary steps to avert any leakage of data. While investigations into the attack are still underway, the precaution taken – resetting passwords – suggests that nefarious actors may be looking to steal the digital identities/credentials of approved users, so as to operate within the parliamentary computer network without being identified.

“Internationally, we’re seeing governments and enterprises alike faced with increasingly sophisticated cyber attacks on their infrastructure. We’re learning that traditional security approaches for combatting cybercrimes are no longer effective. To better protect state secrets and intellectual property, nation-state and enterprises need to understand who is internally accessing critical data and why. Organisations (including government) should focus on understanding the normal behaviour of legitimate users, online and offline, who have access to trade secrets. By understanding a normal baseline behaviour, it becomes easier to know when this behaviour changes – signalling a range of behaviours from corporate non-compliance, an attempted breach or a compromised insider.”

Phishers Target Anti-Money Laundering Officers At U.S. Credit Unions

This morning noted security blogger Brian Krebs reported on a highly targeted, malware-laced phishing campaign that landed in the inboxes of multiple credit unions last week. The missives are raising eyebrows because they were sent only to specific anti-money laundering contacts at the CUs.

Experts Comments below:

Colin Bastable, CEO at Lucy Security:

“This phishing campaign is a classic, multi-stage “Golden Keyholder” attack. A Golden Keyholder is a highly trusted employee or associate, with access to and influence over core systems, people and information. In this case, it appears that a spearphishing attack was launched on a Golden Keyholder in a national regulatory body. This attack has yielded a treasure trove of Golden Keyholders throughout the US financial industry – not just credit unions.

By obtaining the names, the employer identities and the email addresses of the nation’s Bank Secrecy Act (BSA) staff, the attackers are leveraging the special roles and credibility of these individuals to drop malicious code into those organizations’ IT infrastructure. BSA staff have a high level of trust with each other, as well as being authority figures within their Financial Institutions. This attack is designed to maximize the impact of the PDF-borne payload.

The initial attack has exposed a weakness of centrally-directed, government-mandated regulation. By mandating that these identities are stored centrally, the USA Patriot Act has made them vulnerable, thus enabling this attack.

Unfortunately, PDFs are wrongly considered to be trustworthy, “inert” attachments. So an email from a trusted peer at another financial institution, containing a PDF attachment, has a high probability of being read, and the PDF opened.

The attackers now know the identities of the nation’s BSA staff, and we can assume that further spoof email attacks will be launched, harnessing the roles and credibility of these people.”

Will LaSala, Director Security Solutions, Security Evangelist at OneSpan:

“Spear phishing attacks are becoming more and more common given the wealth of personal information leaked from the massive amount of new data leaks in 2018. It is important that users stay vigilant and look for the common hallmarks of an attack.

As it’s been reported, it appears this attack contained numerous grammatical and spelling errors throughout the campaign; these should immediately tip off users to stop interacting with the email and to contact their security team or to delete the email immediately. Technologies such as risk analytics play a big part in monitoring for fraud that occurs as a result of successful attacks.

Being able to identify attack patterns across multiple solutions in real-time with machine learning and artificial intelligence will help credit unions and other financial institutions protect their users and themselves from these successful spear phishing attacks.”

Mumsnet Data Leak

Mumsnet has experienced a data leak. Users logging into their accounts were given access to other users’ details, with account information being “switched”. It appears this happened while Mumsnet was migrating services to the cloud.

Experts Comments below: 

Stephen Gailey, Solutions Architect at Exabeam:

“The Mumsnet breach is not that shocking, at least to me. It is not the activity of malicious hackers trying to steal data; instead it seems to be the result of poor programming – again. And this particular problem is also nothing new. Banks and other online organisations have been experiencing just this problem for almost two decades now; I think the first report of synchronous logins revealing the other user’s data that I can recall was in the early 2000s. What this underlines is that the root cause of most security breaches, whether they are malicious or accidental as in this case, tends to be poor software development processes or poor operational processes.

Organisations tend to look outwards to understand the threats they face, but perhaps they should look inwards at how they build and run Internet facing systems. The new rush to digitisation is likely to fill our press with reports like this one. The truth of the matter is the same as it has always been, the limiting factor for any organisation is the quality of the people it can hire and retain.”

Naaman Hart, Managed Services Solutions Engineer at Digital Guardian:

“It’s really pure speculation as to how this incident happened, but it would likely have been caused by a mix up in the intermediary steps of the login process. Typically when logging in you validate yourself and you’re given an identity. That identity has access to your data. In a case where this process has a problem it’s possible that the identity you’re given is someone else’s. This can happen if the service already has an answer in mind, cached/remembered, and it serves up that answer instead of doing the legwork to find the real answer.

Moving to the cloud has nothing to do with this failure. It simply highlights that the company is going through a large IT project where complications can arise. That said, security is different in the cloud but typically it’s purely misconfiguration that leads to problems. There is also a lack of rigour applied to validation processes to ensure that companies truly know where their data is stored once in the cloud and how much control they actually have over it.

Every cloud service that interacts with that data is a potential for a leak and companies need to ensure they’re very well versed in who touches what and where it moves. A prime example comes from the very design of cloud hosted systems. By their very nature they are meant to be resilient. Resilient means they have copies of everything in case of failure. These copies can extend to your data and you can very easily find that your data exists in many places you didn’t think it did. Data sovereignty therefore needs to be taken seriously.

The best practices are to learn the benefits and pitfalls of moving to the cloud. Companies will likely gain some native security benefits from moving to newer technologies but they also gain the headache of learning the intricacies of these platforms. If they do not learn how to work well with them then they can find themselves making small misconfigurations that lead to big problems.”

Steve Armstrong, Regional Director, UK & Ireland at Bitglass:

“Indications are that this issue was fixed with a roll back. This likely suggests an underlying database configuration issue. It’s very unlikely to be a caching issue browser side – so this suggests a server-based issue. This in turn would speak to a misconfiguration either in the database platform or potentially, on the infrastructure the database was hosted on. There are generally security models built into most platforms, but they only solve part of the problem – security in depth is always a better approach.

Moving to the cloud poses some new challenges to any organisation – being able to securely configure platforms requires a robust set of controls and processes to be in place. Outside of the human factor or testing before a release, it is important to have the appropriate technology controls in place. These controls should help reduce risk whilst enabling the business. When moving to the cloud it is important to first assess the risks and map those to the required controls.

If there is a gap in control versus risk an organisation typically has two approaches. The first approach is to update its risk register and accept there is some form of risk. Second, they can implement the controls through the use of technology designed to secure and monitor these environments. In the main these organisations have a risk versus reward balance to maintain – controls should be sufficient enough to mitigate the risk whilst not hindering business agility. The challenge of securing the cloud is ever changing; the pace at which platforms, services and infrastructure in the cloud change makes risk a moving target that can be hard to 100% mitigate.”

Carl Leonard, Principal Security Analyst at Forcepoint:

“Whilst the size of this data breach may seem small in comparison to other recent incidents, the real impact will be on Mumsnet’s reputation and ultimately user trust. Even one user seeing another user’s personal information is a breach of privacy, and it will be interesting to see how the ICO’s response sets the tone going forward.

Users are only becoming more savvy about the value of their personal data and who they’re entrusting to protect it. Mumsnet have suffered similar incidents before and in this case acted quickly to rectify the situation, but more must be done in future to ensure that data remains protected before it’s too late.”

Dan Pitman, Principal Security Architect at Alert Logic:

“Session Management is a key part of the OWASP Top 10 web application vulnerability list. The list says “Broken authentication occurs when the application mismanages session related information such that the user’s identity gets compromised. The information can be in the form of session cookies, passwords, secret keys etc.”

When users log into a website they are given some kind of unique reference on the server and possibly on their local computer that identifies them for the duration of their browsing session on that site. In this case, it is most likely that a bug in bespoke software or a vulnerability from a third party component was introduced that caused people to receive someone else’s session management unique ID and the server proceeded to serve up the other individual’s data based on that.

This issue correlates with moving to the cloud but is most likely not caused by it. Their statement reads “a software change, as part of moving our services to the cloud” – the issue here is an application (software) change, most likely in how they are managing user sessions in the application as above.

Moving to the cloud is often seen as an opportunity for transformation, in the application itself, release management and other areas – doing these things should not be attempted in one go unless absolutely required (e.g. the application will not run in a virtualised environment) – when it is required, there should be awareness that multiple areas of transformation increase the quality assurance by significant factors.

When moving to the cloud, organisations should get specialist advice. If they do not have in-house expertise, they should employ a third party who has experience and do not depend on individuals. Migration from one place to another is always prone to failure in some areas, so minimise changes into phases and make sure that security is a top priority.”
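An added example, not Mumsnet’s code or any commenter’s, modelling the failure mode Naaman Hart (a cached answer served instead of the real one) and Dan Pitman (someone else’s session identity) describe above: a response cache keyed on the request path alone hands the first user’s account page to the next visitor, beside a hardened version that keys on the authenticated identity, re-checks ownership before serving and marks the response non-cacheable. All users, session IDs and paths are constructed sample data.

```python
"""Cross-user session leak model.

Added example (not Mumsnet's code or any commenter's): a response cache keyed
only on the request path hands the first user's account page to the next user
who asks for the same path. The hardened version keys private responses on
the authenticated identity, re-checks ownership before serving, and marks the
response non-cacheable so an intermediary cache introduced during a migration
cannot reintroduce the bug. All data below is constructed sample data.
"""

# Constructed user records and a session store (opaque session ID -> user ID).
USERS = {
    "u1": {"name": "alice", "email": "alice@example.test"},
    "u2": {"name": "bob", "email": "bob@example.test"},
}
SESSIONS = {"sess-aaa": "u1", "sess-bbb": "u2"}


def authenticate(session_id):
    """Resolve a session cookie to a user ID; None means unknown or expired."""
    return SESSIONS.get(session_id)


def render_account(user_id):
    """Build the private account page body for one user."""
    return {"user_id": user_id, **USERS[user_id]}


class BuggyApp:
    """Caches private pages by path only, so whoever populates the entry wins
    and every later visitor to that path receives that user's data."""

    def __init__(self):
        self.cache = {}

    def get(self, path, session_id):
        uid = authenticate(session_id)
        if uid is None:
            return 401, {}, None
        if path not in self.cache:
            self.cache[path] = render_account(uid)
        # Public cacheability on a per-user page: a proxy would repeat the leak.
        return 200, {"Cache-Control": "public, max-age=60"}, self.cache[path]


class FixedApp:
    """Caches private pages per (user, path) and verifies ownership on the way out."""

    def __init__(self):
        self.cache = {}

    def get(self, path, session_id):
        uid = authenticate(session_id)
        if uid is None:
            return 401, {}, None
        key = (uid, path)
        body = self.cache.get(key)
        # Defence in depth: never ship a body that belongs to a different identity.
        if body is None or body["user_id"] != uid:
            body = render_account(uid)
            self.cache[key] = body
        return 200, {"Cache-Control": "private, no-store"}, body


def leak_check(app, path="/account"):
    """Regression test for the reported symptom: two logged-in users request the
    same path back to back and each must see only their own record."""
    for sid, expected_uid in (("sess-aaa", "u1"), ("sess-bbb", "u2")):
        status, _headers, body = app.get(path, sid)
        if status != 200 or body["user_id"] != expected_uid:
            return False
    return True


if __name__ == "__main__":
    print("buggy app passes leak check:", leak_check(BuggyApp()))  # False
    print("fixed app passes leak check:", leak_check(FixedApp()))  # True
```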

Lamar Bailey, Director of Security Research and Development at Tripwire:

“Every change to an organisation’s infrastructure is a delicate process that needs to be planned out and carefully executed. While – depending on the cloud service model – the responsibility of maintaining the security ‘of the cloud’ is entrusted to the cloud service provider, the security of the data ‘in the cloud’ is still the responsibility of the customer, and so is the security and effectiveness of the migration process. It makes sense for a glitch like the one experienced by Mumsnet to have happened as a consequence of a misconfiguration during the migration process, but thankfully, the breach was contained and swiftly reported.”

“The most common reason for a failure in the cloud migration process is poor planning. Organisations need to be able to allocate the necessary resources into the migration process. This could be having increased personnel, training for existing staff and taking experts’ advice on realistic budget and execution time.”

“The best way to prevent these issues happening is to prepare thoroughly for cloud migration, taking into account that the process could potentially take time and resources. Not rushing is paramount to maintaining the security of the enterprise, and sometimes it might be advisable to migrate services one by one, starting with the less critical, to ensure that the process is running smoothly. Organisations should also ensure that they have well trained and skilled personnel on the task.”

“The best way for organisations to maintain security when moving to the cloud is to have in place foundational controls, that monitor file integrity, configuration management, asset discovery, vulnerability management, and log collection. The majority of cloud breaches, however, can be traced back to misconfiguration and mismanagement of cloud-native controls, therefore it is careful planning and preparation that will ultimately protect businesses during the migration to a cloud environment.”

Todd Peterson, IAM Evangelist at One Identity:

“Just like any technology move, most moves to the cloud are driven by the desire to achieve certain functionality, not security. Consequently security is usually an afterthought and retrofitted on the cloud application, and not as a core tenet of the adoption. If you were adding something to the on-prem enterprise, you would go through a thorough review and testing to make sure it met your needs and was secure. Because the cloud is so easy to adopt (you just subscribe and go) the tendency is to avoid the important security review step.

The best practices for maintaining security when moving to the cloud are to treat all of your cloud infrastructure just like you treat your on-prem stuff. Strive to have consistent policies across both. Put as much rigor into your security approach to the cloud as you do to your on-prem stuff. Plan for the worst and act accordingly.”


South African State-Owned Electricity Company Suffers Data Leak

Eskom, South Africa’s state-owned electricity company, left a database containing a swathe of financial data from their customers including name, card type, partial card numbers and CVV codes unsecured without a password. The exact number of customers affected is unknown but Eskom accounts for approximately 5.7 million customers across South Africa, according to 2016 estimates. The company also has a Trojan on one of their networked, corporate devices due to a senior infrastructure advisor downloading a fake SIMS 4 game installer.

Expert Comments below:

Kevin Gosschalk, CEO at Arkose Labs:

“The public exposure of customer data, such as Eskom’s account IDs, is not going away. If anything, there will be more of these in the future as attackers use more sophisticated tools and techniques. Companies not directly involved in this data exposure also need to be aware of the risks because having credentials compromised expands beyond Eskom due to people reusing credentials across multiple sites.

Organizations must be aware of the risk of their users’ accounts being hijacked through the use of automation, and organizations must take steps to prevent it. Attackers will use the spilled account IDs from Eskom with automated scripts to try the top 10 most common passwords and other previously leaked passwords against these account IDs. By doing this at scale, the attackers will gain access to accounts and use that to commit malicious activity elsewhere.

As a next step, consumers should use a password manager to ensure they are not re-using passwords across multiple sites. Have multi-factor authentication enabled where available, and opt to use a token-based (not SMS-based) option if possible.”
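An added example, not Eskom’s, Arkose Labs’ or any commenter’s code, of the detection side of the automation Kevin Gosschalk describes above: a few passwords tried against many spilled account IDs leaves one source with a wide spread of usernames and very few attempts each, which is distinguishable from a brute-force pattern (many attempts, one username). The log format, addresses, usernames and thresholds are all constructed for the example.

```python
"""Credential-stuffing detection over authentication logs.

Added example (not Eskom's, Arkose Labs' or any commenter's code). A stuffing
source shows many distinct usernames with at most a couple of attempts each;
a brute-force source shows one username hammered repeatedly. The detector
separates the two over a sliding time window and lists accounts that logged
in successfully from a stuffing source, which are the ones needing a forced
reset or MFA step-up. Log format, addresses, usernames and thresholds are all
constructed for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format: "<ISO timestamp> src=<ip> user=<login> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) src=(?P<src>\S+) "
    r"user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: one normal user, one stuffing source, one brute-force source.
SAMPLE_LOG = """\
2019-02-12T10:00:01Z src=198.51.100.7 user=alice@example.test result=FAIL
2019-02-12T10:00:09Z src=198.51.100.7 user=alice@example.test result=OK
2019-02-12T10:01:00Z src=203.0.113.5 user=bob@example.test result=FAIL
2019-02-12T10:01:01Z src=203.0.113.5 user=carol@example.test result=FAIL
2019-02-12T10:01:02Z src=203.0.113.5 user=dave@example.test result=FAIL
2019-02-12T10:01:03Z src=203.0.113.5 user=erin@example.test result=FAIL
2019-02-12T10:01:04Z src=203.0.113.5 user=frank@example.test result=FAIL
2019-02-12T10:01:05Z src=203.0.113.5 user=gina@example.test result=OK
2019-02-12T10:01:06Z src=203.0.113.5 user=heidi@example.test result=FAIL
"""
# Twelve failed attempts against one account from a single source.
SAMPLE_LOG += "".join(
    f"2019-02-12T10:02:{i:02d}Z src=192.0.2.9 user=bob@example.test result=FAIL\n"
    for i in range(12)
)


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"], "user": m["user"], "ok": m["result"] == "OK",
        })
    return events


def classify_sources(events, window=timedelta(minutes=10),
                     min_users=5, max_per_user=2, brute_attempts=10):
    """Return {source_ip: 'stuffing' | 'bruteforce' | 'normal'}.

    stuffing   : >= min_users distinct logins, none tried more than max_per_user times
    bruteforce : a single login tried >= brute_attempts times
    Thresholds are constructed; tune them for shared egress (NAT, corporate proxies).
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        verdict = "normal"
        for i, start in enumerate(evs):  # each event opens a candidate window
            per_user = defaultdict(int)
            for e in evs[i:]:
                if e["ts"] - start["ts"] > window:
                    break
                per_user[e["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                verdict = "stuffing"
                break
            if len(per_user) == 1 and sum(per_user.values()) >= brute_attempts:
                verdict = "bruteforce"
                break
        verdicts[src] = verdict
    return verdicts


def accounts_to_reset(events, verdicts):
    """Logins that succeeded from a stuffing source: treat as compromised."""
    return sorted({e["user"] for e in events
                   if e["ok"] and verdicts.get(e["src"]) == "stuffing"})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    v = classify_sources(evs)
    print(v)                          # 203.0.113.5 -> stuffing, 192.0.2.9 -> bruteforce
    print(accounts_to_reset(evs, v))  # ['gina@example.test']
```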

Anna Russell, VP at Comforte AG:

“This example clearly shows just how bad the situation is in a lot of cases when it comes to data security and protecting privacy. Someone getting access to an organisation’s billing software database is about as bad as it can get. At least the credit card number was protected and only showed the last four digits. But all other personal data was available for pretty much anyone to just take it. This is a prime example of a breach that is really going to hurt, mainly because all this personal, sensitive data is without any encryption or tokenization to protect it. Most, if not all, of this data, is probably being sold and exploited for identity theft right now. What do we learn from this? No matter what leads to a breach, the data itself must be protected. Otherwise, you will have to switch off the lights very soon.”


New Google Chrome “Password Checkup” Feature

In light of the news that Google has launched an extension, “Password Checkup”, that will show a warning when it detects a password that has been exposed online, IT security experts commented below.

Jake Moore, Cyber Security Expert at ESET UK:

“This is an excellent way to remind many people about their possibly weak or compromised passwords that need to be updated. It would be an incredible feat to have not had one of your passwords stolen in a data breach in recent years, so hopefully Google’s new tool will be a way of highlighting this and reminding you to change it.

For those who might feel uncomfortable checking their passwords with such a tool, Google has reassured that it has all the necessary security in place. Furthermore, if you don’t feel confident putting your passwords into this new extension, after all the recent new breaches there’s no better time for users to update all their passwords anyway.”

Martin Cannard, VP, Privileged Access Management Product Strategy at STEALTHbits Technologies:

“While I applaud Google for taking steps to keep people aware of breached passwords, this is not an “easy” button to better security. Users have to leverage password managers to ensure strong unique passwords are used for all online sites. Credential stuffing is a more effective hack if you reuse passwords for more than one site. The Password Checkup tool should be used in conjunction with a password management tool to be totally effective.”


Ameya Talwalkar, Co-founder and CPO at Cequence:

“This is a great move from Google because it can strengthen the security posture of millions of Google Chrome users. “Credential Checking” attacks, which exploit stolen credentials available on the dark web, have increased in volume and sophistication. Thousands of enterprises and literally billions of end-users are suffering because of this problem. Efforts by Google and others to warn users about their credentials will help put a spotlight on a big problem the industry faces at the moment.”


Byron Rashed, VP of Marketing at Centripetal Networks:

“Compromised credentials are the basis for a threat actor to perform network infiltration, data exfiltration, spoofing, account takeover, stolen PII, and various other malicious activities that can create huge risks for businesses and individuals. Most Internet users (consumers) do not have even a basic knowledge of what a compromised credential is, or the ramifications of having their credentials stolen.

“Most likely Google is obtaining these credentials from dumps that are readily available and most likely have been for sale or trade in the underground economy. The real challenge of mitigating risk with regard to compromised credentials is to obtain the list from the threat actor before it is available for sale or on dump sites that are public. Most compromised credential sites only deliver those credentials that are already available. However, there is value in that since the credential may not be leveraged by cybercriminals…yet, and the user most likely has no knowledge of this since most are unaware of compromised credentials and where to find them. Google is using Chrome, which is used ubiquitously by their users, to deliver this warning.

“Privacy is an issue, these credentials must be stored somewhere and transmitted to the browser. Any time credentials or PII are stored, it will create a target for cybercriminals that have very complex tools to extract them. The security of these credentials that Google has I’m sure will be tested since it’s “password compromised-based,” not the username, meaning the compromised password for that site is still using the compromised credential.”

John Gunn, CMO at OneSpan:

“If Google really wants to help, they should include a Public Service Message reminding everyone to stop using the decades-old and unsafe practice of user name and password. Biometrics and other methods of authentication are far more secure and much easier for users.”


China Hacks Norwegian Software

Recorded Future, in partnership with Rapid7, published a new report that underscores the vulnerabilities that third parties introduce to organizations. The report details a new sustained cyber-espionage campaign by a Chinese threat actor targeting Visma, a major European managed service provider, an international apparel company, and a U.S. firm that does IP law for the pharmaceutical, tech, biomedical and automotive industries.

By targeting managed service providers, the attackers are exploiting the trust companies place in the security of their technology partners. The campaigns were designed to steal IP and to create launching pads for attacks on third-parties associated with the victims. Below are other highlights, and the full report is attached, also available online here.

· The campaign targeting Visma, a $1B Norwegian MSP with 850,000+ customers throughout Europe, and the retailer and U.S. law firm ran from Nov 2017 to Sep 2018.

· In all three incidents, the attackers gained access to networks through deployments of Citrix and LogMeIn remote-access software using stolen valid user credentials.

· Recorded Future identified a new variant of the Trochilus remote access Trojan malware that was used in the attacks, as well as the storage of stolen data in Dropbox.

Experts Comments below: 

Eoin Miller, Principal MDR Analyst at Rapid7:

“Unfortunately, this is the type of nefarious behavior we witness regularly. But there are steps organizations can take to combat these issues. For example, we recommend implementing two-factor authentication for everything. Additionally, strengthening the reviews of authentication attempts against low cost VPN providers or ‘out of the norm’ networks or countries for an individual user is equally important. Organizations should also consider implementing extremely strict application white-listing on sensitive systems.”


Simon Whitburn, SVP Cyber Security Services at Nominet:

“State hacking campaigns, such as Cloudhopper, that target software supply companies are incredibly dangerous. By breaching one company you can create a backdoor into thousands of others. The information gathered from these types of attacks can then be used for spear phishing attacks on high value individuals which is where serious damage can be done.

“Defending against this type of campaign can be very tough. There is a feeling amongst users that if lots of people trust and use a service then it must be secure. This can result in companies downloading software without checking it themselves first. Cloudhopper demonstrates that this is a dangerous assumption. Whenever a company uses an outside service, even from a reputable source, they need to check that there is nothing malicious lurking in the code. This will add to the deployment time but could help protect organisations against this type of malware spreading. One way of noticing if third party services have been compromised is to measure DNS traffic which could flag if a programme is calling out to a command and control centre.”

Dr. Darren Williams, CEO and Founder at BlackFog:

“With the news that your devices could get hacked just by looking at a photo on your phone, it’s clear that keeping your personal information private is getting harder every day. Even just viewing an innocent-looking image could lead to your data getting leaked without you ever realising. In this day and age, attackers can get in at all angles and they will always be many steps ahead of the average consumer.

“Generally, we can say that about 20% of all data flowing from your phone / device is being sent to China, Russia and the Ukraine on a daily basis (based on internal data collected by BlackFog). This is most often used for data profiling and data coming off the device generally. This can include personal information and files on the device itself. And this is all happening without your knowledge or importantly, your consent. This is why it’s important to take steps to prevent data from leaving your personal devices, such as your laptop or mobile, without your permission. Technology now exists that can stop unwanted data collection and identity profiling by increasingly sophisticated hackers by eliminating content requests that haven’t been requested. Unfortunately, consumers today must resign themselves to the fact that attackers are always going to get in – the key is to prevent them from taking anything out.”

Max Vetter, Chief Cyber Officer at Immersive Labs:

“Software companies are increasingly being dragged unwittingly into the crosshairs of hacking teams with longer term agendas. They are a ripe target because, whilst being relatively low-profile, often the products they build make up the infrastructure for much bigger end-users. It’s a trojan horse approach – if hackers can find a backdoor in the platforms used by numerous businesses, it can be used time and again.”


Booz Allen 2019 Cyber Threat report

Following is new expert commentary on the Booz Allen “2019 Cyber Threat Outlook”, which outlines eight new areas of cyber threats in 2019.

Security Experts Comments:

George Wrenn, CEO at CyberSaint:

“Cyber defense will only evolve, and must evolve, with technology and the increasing risks we see in this heavily digital era. The key risk areas identified in this report- IoT, Social Media, Business Leadership- are evidence that digital risk management isn’t just a cybersecurity issue, and as many of us know, cybersecurity isn’t just a technical issue anymore.

Leadership that understands how to approach risk management on a continual basis, in a way that connects all business units and not simply engages the cybersecurity unit, is key. Even better is implementing technology to help link relevant threats to live controls across business assets, which allows for prioritization, efficiency, effective remediation and therefore more resilience.”

Pravin Kothari, CEO at CipherCloud:

“Booz Allen’s new cyber report highlights key threat areas for 2019. Most interesting is the focus on internet of things (IoT) devices as a high risk area. The Booz Allen report brings focus to the open vulnerabilities in these devices. You may be aware that the recently passed California law SB-327 requires any manufacturer of an IoT device to ship it with a unique password as of January 1, 2020. No more default passwords! As California goes, so goes the United States, so this law will have broad impact. IoT devices are also very difficult to defend as most customers have no real visibility into IoT operations. Assuming malware or an attacker back-door has been detected, it is also almost impossible to clean the devices.

Another area the Booz Allen report highlights is that of information warfare leveraged by the power of social media and malign websites. Increasingly, nation-states and other entities use the power of social media to support information warfare campaigns. Social media can be deployed as a cannon of misinformation to damage corporate reputations, attack government institutions and their policies, attack individual politicians and organizations, and in general obfuscate the truth and confuse the public.”


Hackers Stole Nearly Half Billion Personal Records In 2018

Following the 2018 End-of-Year Data Breach Report from the Identity Theft Resource Center (which notes a 126% uptick in the number of records breached, the continued use and re-use of passwords and usernames, and the vulnerabilities caused by third party vendors), experts with Cequence, CyberSaint and STEALTHbits offer perspective.

Franklyn Jones, CMO at Cequence:

“Unfortunately, for the bad guys these data breaches are gifts that keep on giving, long after the news headlines fade away. Millions of these stolen credentials find their way to the dark web, where they are acquired by other bad actors who then orchestrate automated bot attacks targeting other web sites where those credentials might give them fraudulent access to private accounts. Without proper security safeguards, those automated attacks can be quite successful because people tend to use the same login credentials on multiple sites.”

George Wrenn, CEO at CyberSaint Security:

“Due to the complexity of our day to day lives and the technology, processes, and people involved in them, the question of a cybersecurity incident is no longer a matter of “if”, but “when”. Cyber criminals are picking up on weak spots that organizations have, and are evolving just as we are at the pace of technical innovation, such that the complexities only continue to accumulate.

“This is why cybersecurity management must include measurement. Every business function has metrics- not just the finance unit where financial health is concerned, but the HR unit measures employee turnover, marketing and sales units manage customer adoption… cybersecurity too needs measurement in order to be effective. Without a truly metrics-driven approach when adopting best practices, especially cybersecurity frameworks such as the NIST Cybersecurity Framework, there is no tangible way to communicate program effectiveness. The only way we can continue to keep up- and more importantly get better at keeping up- with the “bad guys” is if we have an efficient cycle of best practice adoption, measurement, analysis, and remediation that is easily communicable and measurable like any other business function.”

Rod Simmons, VP of Product Strategy at STEALTHbits Technologies:

“In situations where a user has a weak password it is an “Aw-shucks” moment for the user, however the administrators of the system shoulder some of the blame as they allowed the users to be so careless. As an attacker, the more frequently you see an email address used as a primary logon method or recovery method, the more apparent it becomes whether that account is critical. If I have access to this email address, I can request password resets.

“Single Sign-on using technologies like Microsoft Account, Google Account, or Facebook are great for users, as it means there’s one less credential to manage poorly. The problem is once that credential is owned, not only can a bad actor assume your identity any place you have used it, they can also use it in new places you are not aware of to assume your identity.”


New ITRC Breach Report – 500 Million Personal Records Stolen In 2018

NBC News is among outlets covering the new 2018 End-of-Year Data Breach Report from the Identity Theft Resource Center, which discusses that hackers stole nearly half a billion personal records in 2018.

Experts Comments below:

Colin Bastable, CEO at Lucy Security:

“Third-parties are significant multipliers in the risks faced by consumers and businesses: the fewer moving parts we have between us and our data, the safer we are.

By making login more convenient for users, for example by using Facebook, Google or another intermediary, organizations are exposing consumers to significant, chronic risk.

By combining different accounts, such as by enabling hotel loyalty programs to access airline rewards accounts, users not only increase their risk profile significantly, they may be blind-sided: you reset your hotel account password, but you did not realize that your airline and car rental accounts may also be compromised. Many business cloud applications use APIs to integrate with corporate email and other systems – each connection multiplies our risks of loss from being hacked.

Using email addresses as usernames is to be avoided whenever possible. Organizations don’t do this to help consumers, but to reduce the support burden and lost business from forgotten usernames. Convenience is a double-edged sword – if it’s easy for you, it’s easier to attack you.

From an organizational perspective, the technologies already exist to protect data. We have encryption, tokenization, MFA, anti-malware software, firewalls and so on, but attacks keep succeeding at increasing rates. Therefore, we can conclude that cybersecurity technology is never going to solve this problem. In February 2020, reports will show that 2019 was another stellar growth year for hackers. Businesses, Consumers, Governments, Militaries, NGOs and Politicians will all be hacked this year as never before: your job is to make sure that you, your family and your organization are not one of them. If you don’t have to hold consumer data – don’t. Train your people relentlessly, and run “what-if?” scenarios for the 20% of them who will click on a phishing link. Test systems and people in a holistic model, and let someone else be the victim.”

Anthony James, Chief Strategy Officer at CipherCloud:

“Inside of your computers and networks, personal information should always be encrypted and protected. This should include all of your on-premise applications, SaaS-based applications, and custom IaaS-based applications. Zero Trust strategies necessarily take this to the boundary, that is to say, that encryption should protect the enterprise on-premise and to the edges of the extended enterprise within all of the clouds that you use.

Recognize that it is more common to find cyberthieves attacking APIs, middleware, and database-only encryption – these are the new skirmish lines for cyberattacks, especially within the cloud where you’re most vulnerable. Tools that automatically implement encryption and protect your data, such as data loss prevention (DLP) and digital rights management (DRM), help secure the extended enterprise. In the event that an important vendor doesn’t have the right data protection, you can wrap their applications with a cloud access security broker (CASB) to provide the necessary cloud security for your data.

Beyond the skirmish over encryption, credential access remains in the midst of a full pitched battle. Attackers will use one of many techniques such as account manipulation, bash history, brute force, credential dumping, registry-based credentials, forced authentication, hooking, input capture, kerberoasting, and keychain attacks and many more. While it’s possible to intercept 2FA logins generally, for most consumers and business, 2FA adds the layer of security that will protect your data. Find vendors that support 2-factor authentication (2FA) and single-sign-on (SSO) technology for both the applications you build and buy.”


Houzz Data Breach

The home improvement site Houzz announced a data breach this week involving third-parties gaining access to a file that contains publicly visible user data as well as private account information. In an email sent to affected users, Houzz stated that an unauthorized third-party gained access to a file containing both publicly available information as well as internal account information such as user IDs, email addresses, one-way encrypted passwords, IP addresses, city and zip codes derived from IP addresses, and Facebook information.

Experts Comments below:

Eoin Keary, CEO and Co-founder at EdgeScan:

“Depending on the type of password storage protection used, Houzz may have dodged a bullet! If they applied “Hashed and Salted” protection using an industry recommended algorithm (bcrypt or PBKDF2 for example) they may be ok. If not, they may have a problem. Unfortunately, many people reuse passwords across multiple websites to avoid having to remember too many log-in credentials. A type of attack that exploits this common habit is called “Credential Stuffing” and can be used by attackers who have obtained email addresses and passwords. Criminals use the passwords and email addresses they “harvested” from one breach to gain access to other websites or services that contain more sensitive information. This is a very simple and effective way to access accounts across different web applications based on the fruits of an initial breach.
In order to mitigate the effects of the attack, Houzz should require users to reset their password and ask them to enable multi-factor authentication. This way, if the password is known by an attacker, a second factor of authentication is required before access is granted. Multi-factor authentication is becoming more mainstream and should be recognised as an essential security practice. Houzz has rightly informed users of the breach and hopefully will monitor access attempts to account data where applicable.
My best advice to users is: don’t reuse passwords across multiple sites. If you are, reset all your passwords now. Use a password manager and choose complex passwords or a passphrase. And if there is the option to activate multi-factor authentication, enable it!”
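The salted, slow hashing Keary refers to, shown as an added example (not Houzz’s code or the commenter’s): PBKDF2-HMAC-SHA256 with a per-record random salt, constant-time verification, and a post-breach triage that picks out accounts whose stored record is too weak to survive a leak. The algorithm parameters, record format and the legacy SHA-1 record are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import os

# Parameters assumed for this example (not stated on the page): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per record and a high iteration count.
ALGO = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
MIN_ITERATIONS = 100_000   # records below this floor are treated as too weak to keep

# Constructed legacy record: an unsalted SHA-1 hex digest, the kind of storage that
# makes a leaked password file directly usable for credential stuffing.
LEGACY_SHA1_RECORD = "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_<algo>$<iterations>$<salt>$<hash>.

    A fresh random salt per record means two users with the same password get
    different records, so cracking one hash says nothing about the other.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGO, password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_{ALGO}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
        if not scheme.startswith("pbkdf2_"):
            return False
        algo = scheme[len("pbkdf2_"):]
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        candidate = hashlib.pbkdf2_hmac(algo, password.encode("utf-8"), salt, int(iterations))
    except ValueError:          # malformed record, bad base64 or unknown hash name
        return False
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record should not survive a breach: a legacy/unsalted
    scheme, or a PBKDF2 record whose iteration count is below the current floor."""
    parts = record.split("$")
    if len(parts) != 4 or not parts[0].startswith("pbkdf2_"):
        return True
    try:
        return int(parts[1]) < MIN_ITERATIONS
    except ValueError:
        return True


def accounts_to_reset(records: dict) -> list:
    """Post-breach triage: usernames whose stored record is weak enough that the
    leaked file exposes their password, so a forced reset is warranted."""
    return sorted(user for user, record in records.items() if needs_rehash(record))
```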

Todd Peterson, IAM Evangelist at One Identity:

“The reality of doing business today is that you often must rely on third parties for key IT activities. This has certain advantages in that it allows an organisation to focus on their core competencies rather than IT activities that are outside of their main scope. However, this practice also opens up additional layers of risk. As with any IT administration activity, simply enabling an individual (or a third party) to do their job requires that they receive elevated permissions on the system they administer, and those permissions often open the doors to sensitive systems and data. This is dangerous enough with internal staff but exponentially riskier when the permissions need to be granted to a third party. Many high-profile breaches are the result of well-intentioned third-party access falling into the wrong hands or being abused by the third party.
There are some basic privileged access management practices that can significantly mitigate the risk:
  • Never share the passwords – set up a system and practice of only issuing privileged credentials on an as-needed basis and only for the duration of time and the specific activities for which they are required. This applies to internal staff as well as third parties.
  • Audit and monitor all activities performed with these credentials – ensure that you know what the people (including third parties) are doing with the elevated permissions they are issued.
  • Follow the principle of least privilege – while natively most systems require the full administrative credential to perform even the most basic task, there are technologies available (for example sudo for Unix/Linux systems) that allow you to delegate just the permissions necessary to do the job. For on-going access where a third party is consistently required to perform specific IT tasks, try to delegate just those permissions, nothing more, nothing less.
  • Use analytics – implement technologies that can detect and notify you of permissions that fall outside the norm for what is required of the third party and that can detect when a third party’s behaviour deviates from established patterns.
  • Use multi-factor authentication – perhaps the simplest way to ensure appropriate access is to shore up authentication by requiring a second factor (beyond the administrative password). Modern multifactor authentication solutions are now easy to implement, painless to use, and provide the extra level of assurance necessary when trusting your crown jewels to outsiders.”


Hackers Targeting UK Banks Through SS7 Attacks

It has been reported that Metro Bank has been targeted by attacks that bypass two-factor authentication using vulnerabilities in the mobile network. Flaws in the SS7 protocol, used by telecoms operators, mean that the codes sent out over SMS can be intercepted.

Experts Comments below:

Michael Downs, Telecoms Cyber Security Director of EMEA at Positive Technologies:

“For years, it has been known that the Signalling System No. 7 (SS7) protocol, widely used by telecoms operators, has major security flaws. Its security weaknesses can not only be used for SMS interception – as is the case here with Metro Bank – but also to steal users’ personal data, track their location through their phones, commit signalling fraud and hijack devices to orchestrate denial of service attacks. SMS interception is just one of the easiest ways to exploit these flaws – our own research on telecoms infrastructure has found that nine out of ten attempted SMS interception attacks are successful.
“What is even more worrying is that, despite the fact that operators have spent billions on upgrading networks, our research shows that the same vulnerabilities exist. The risk of attacks and consequences will only grow as the world moves to be more and more connected, with the Internet of Things as a primary driver. What this attack shows is that a security issue within the telecoms industry isn’t just a problem for the telecoms industry – it affects every company and device that relies on the network – which is pretty much everyone.
“Users need to know that these types of attacks can be mitigated against and this is an opportunity for the operators to do so. This is not the first instance of this type of attack and it will not be the last.”

Jon Bottarini, Hacker and Lead Technical Program Manager at HackerOne:

“Whether criminals use man-in-the-middle Signaling System 7 (SS7) attacks or engage in SIM card swapping, it just goes to show that relying on an SMS-based method of two-factor authentication is not the most secure way to protect your most sensitive accounts. Using an Authenticator App or time-based one-time password (TOTP) for two-factor authentication is the best method to protect against these types of attacks.”


Mega Leak Of 2.2 Billion Records

Hackers are passing around a vast database of 2.2 billion unique names and passwords skimmed from some of the biggest data breaches like Dropbox and LinkedIn. Collection #1 and #2-5 have been uncovered by several security researchers.

Experts Comments below: 

Ryan Wilk, VP of Customer Success at NuData Security:

“This latest dump of names and passwords reveals the enormity of the exposure of personal information worldwide and how cheap or free personal information has become as hackers race to squeeze the last value out of it. New technologies that don’t rely on passwords, like behavioral analytics and passive biometrics, are thwarting fraudsters who are increasingly failing at their account takeover attempts. These new authentication platforms are devaluing this type of personal information, removing stolen credentials from the equation.”

Anthony James, Chief Strategy Officer at CipherCloud:

“The cyberwar over your data privacy has pretty much been declared and we’re taking very heavy fire. There are now over 2.2 billion unique passwords and credentials offered for free on the dark web. This is rumored to be supplemented by another collection of authentication data, which may total 25 billion records. So much has been stolen and breached that the cyberthieves are obviously trading these massive databases among themselves. What can you do? Use a unique password for each account and change them on a regular basis, favor vendors that provide 2-factor authentication (2FA), and to the greatest extent practical, encrypt all of your data.”

Frederik Mennes, Senior Manager Market & Security Strategy at OneSpan:

2.2 billion unique records is a staggering number. We are becoming accustomed to breach notification news, but sad to say, the use of multi-factor authentication is still not utilised whenever and wherever possible. Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance. Technology is evolving, and next-generation authentication, intelligent adaptive authentication, is gaining momentum. This technology utilises AI and machine learning to score vast amounts of data, and based on patterns, analyses the risk of a situation and adapts the security and required authentication accordingly.

Steven Murdoch, Chief Security Architect at OneSpan:

This password leak shows that large quantities of stolen passwords are readily available to anyone, regardless of how low their budget. However, data from recent breaches will be considerably more expensive to obtain.

Companies should recognise the limitations of password authentication and are in the best position to mitigate the weaknesses. They should implement additional measures, such as detection of suspicious behaviour. Two-factor authentication, or even better, FIDO/U2F, should be offered to customers. Customers can also help by not re-using passwords across multiple sites and using a password manager if needed. The website https://twofactorauth.org gives instructions on how to enable two-factor authentication on many popular sites, as enabling 2FA, and preferably FIDO/U2F, will significantly help to improve their security.

Tom Garrubba, Sr. Director at Shared Assessments: 

This is indeed a massive amount of records, and since we don’t know all of the sources of these breached records, the importance of a healthy third party risk management program that includes continuous monitoring and effective threat management over your organization’s data becomes even more crucial than ever. All data connection points need to be understood, reviewed, assessed, and continuously monitored in alignment with the outsourcing organization’s risk posture to ensure that both they as the outsourcer and their full network of service providers and other third parties with whom they share data are all fulfilling the security and privacy expectations laid out in their contracts.

For those individuals who have not yet locked down their credit history and files, it’s worth considering. Basic steps to do this are at:

https://www.consumer.ftc.gov/articles/0497-credit-freeze-faqs#place

Frederik Mennes, Senior Manager Market & Security Strategy at Security Competence Center OneSpan:

2.2 billion records is a staggering number. We are becoming accustomed to breach notification news, but sad to say, the use of multi-factor authentication is still not utilized whenever and wherever possible.

MFA combines at least two out of three of the following technologies: something you know (such as a PIN), something you have (such as an authentication app on the smartphone) or something you are (such as a fingerprint or facial recognition). The passwords that are generated only last for a limited period of time, which makes it useless for hackers to intercept and reuse them.

Technology is evolving. Next-generation authentication, intelligent adaptive authentication, is gaining momentum. This technology ensures the precise level of security for each level of interaction with the best possible experience for the user. Adaptive authentication utilizes AI and machine learning to score vast amounts of data. Based on patterns, it analyses the risk of a situation and adapts the security and required authentication accordingly.

Companies should remember that easy targets will continue to be exploited first, because cybercrime follows the path of least resistance. Applying multi-factor authentication may stop an attacker as the attacker might go after only users that have not enabled stronger authentication.

Oliver Muenchow, Security Evangelist at Lucy Security:

“There are billions of records out there accessible to anyone who looks. We’ve seen the data from collection one…in fact, anyone can put those old records in a zip and give them a label like collection 1, collection 2, or 3.”


Experts Reaction On State Bank Of India Exposes Millions Of Customers’ Data….More Leaks Trading On The Dark Web

Earlier today, TechCrunch reported that the government-owned State Bank of India (SBI), India’s largest bank and the number four company in the Fortune India 500, left a server unprotected, allowing anyone to access the financial information of millions of customers, including partial bank account numbers, phone numbers, balances and recent transactions. The server stored two months of data from SBI Quick, a text message and call-based system used by the bank’s customers to request basic information about their accounts. The exact number of users whose data was compromised is uncertain; however, SBI boasts 500 million customers across the globe and 740 million accounts.

In 2016, major Indian banks were reported to have been breached, but SBI at the time assured customers it was safe.

That did not hold for long:

Experts Comments below:

Stephan Chenette, CTO and Co-founder at AttackIQ: 

“Operating a server without any access security controls, the State Bank of India (SBI) exposed their customer information allowing real-time access to anyone. Malicious actors could use the information to target bank customers known to have high account balances, or their phone numbers to launch social engineering attacks against the bank’s 500 million customers. All organizations are tasked with the responsibility of protecting user data, but Fortune India 500 companies such as SBI must take additional precautions due to the fact that they are prime targets for data theft and other cybercrimes.

This kind of data leak—which is so easily preventable with even basic security practices—directly undermines customer confidence. Exposure of any type of user information is a major concern. All organizations trusted with sensitive consumer data must continuously assess the viability of their security controls to make sure that they are enabled, configured correctly and operating effectively. It shouldn’t take a massive breach such as this to make companies realize they need a more proactive approach to strengthen security.”

Oliver Muenchow, Security Consultant and Evangelist at Lucy Security:

“There are millions of servers out there exposed right now. The State Bank of India got “officially” hacked. It’s not the first time, and it probably won’t be the last time. Not only is the customers’ data exposed, but also the employees’ accounts and passwords are out there floating around. It’s shocking to see that around 86,000 leaks are currently being traded in the Dark Net for the domain sbi.co.in.”


Apple Fixes Group FaceTime ‘Eavesdropping’ Bug

Following the news that Apple has temporarily disabled the group FaceTime functionality while it fixes a bug which let users eavesdrop on those they were calling, security experts commented below.

Jake Moore, Cyber Security Expert at ESET UK:

“Technology bugs occur far more often than the average user may think. Luckily Apple is usually quick to adapt and patch up the flaws. However, we do not know how long this bug has been around for and if it has been taken advantage of by cybercriminals who exploit these vulnerabilities.

Apple is currently fixing the issue, and like any precaution technique it’s always good to be on the safe side, so it is worth disabling FaceTime on your devices until Apple has officially issued the specific software update.”

Marten Mickos, CEO at HackerOne:

Why is it hard for regular people to report bugs? 

“It should not be hard for anyone to report a bug to a company or government agency, but unfortunately it still often is. The US Deputy Attorney General has said that every organisation should have a vulnerability disclosure program, which is exactly a way for people who see something to say something. DOJ, FTC, NIST and other federal agencies have published their recommendations and frameworks on this topic, but they have not yet been universally adopted. The good news is that all of this is changing. Leaders in business and politics agree that the only way to make the internet more secure is to invite the broad public (which includes some very smart whitehat hackers) to report the bugs they find.”

Do they even find many major bugs in your experience?

“Yes, they do. We all instinctively know that the general public are not security experts and will not be able to find and report a bug. But when you invite anyone to report a bug, you are sure to find among them the few absolutely brilliant and passionate security experts who will painstakingly test out a product and figure out even its smallest deficiency. Even if millions of people find nothing to report, and thousands may report something that isn’t really a bug, it still is worth it when just one person finds and can describe the bug. The noise of the crowd is absolutely worth it when you actually WILL find the needle in the haystack. And, interestingly, often the engineers working for the company in question are unable to detect those bugs, just like it is difficult for people to see typos in their own text although they see them in other people’s text. We need the scrutiny of the unbiased people on the outside.”

What are the recommendations for companies like Apple? Should they have an easy form anyone can fill out, a phone number?

“Apple represents a very high level of cybersecurity awareness and discipline. They do have a way to receive bug reports. Take a look at this web page: https://support.apple.com/en-us/HT201220. On that page, it says “To report security or privacy issues that affect Apple products or web servers, please contact product-security@apple.com.” What a company of Apple’s size and presence must be ready for (and they are) is the large volume of incoming bug reports that may actually not be that relevant. With the help of software automation and human beings you can sift through those incoming reports and find the truly valuable ones, or you can turn to a provider like HackerOne to get that work done for your company. Any company receiving bug reports (in practice, any company with digital assets) also needs to have an ability and readiness to fix the most severe bugs. Often, software development teams are asked to produce a lot of new features that customers are waiting for. They also need to carve out dedicated time for fixing the security issues that are reported to them. The average time from when a bug was reported to when it gets fixed is an important metric when assessing the cybersecurity posture of an organisation.”


Discover Card Breach

Cybersecurity executives commented on the early news of a Discover Card customer data breach, including fraud and compliance concerns:

Expert Comments below:

Anthony James, Chief Strategy Officer at CipherCloud:

“Discover’s breach is very typical of the news we hear continually concerning financial firms and credit processors. In today’s environment attackers will get into your networks. That’s a fait accompli. We also expect that it will take months even before a card processor such as Discover is even aware of the intrusion and possible breach. What we don’t expect to hear is that the databases and credit card data are, amazingly, unencrypted.

New legislation, such as the EU’s GDPR, the pending California Data Privacy coming into force in 2020, and the new national bill proposed by Marco Rubio, the American Data Dissemination Act, create a regulatory barrier only met by the end-to-end use of encryption within these financial systems. You must ensure that your data is encrypted, both in the database, and in transit (middleware, API, etc.) and in use. Similarly, your business partners must be held to the new standards you require internally.”

Felix Rosbach, Product Manager at Comforte AG:

“Payment card data is some of the most sensitive data of all. Fraud is easy to commit with stolen card account information. Therefore these kinds of breaches create a lot of stress on both the issuers’ side and on consumers – regardless of whether an issuer was actually the target of a breach or a merchant in the network.

It’s crucial to protect sensitive data over the entire data lifecycle – from the POS device to processing to backup. Implementing data centric security, which means protecting data at the earliest possible point and de-protecting it only when absolutely necessary, is the only way forward.

One very effective way to protect sensitive data is to pseudonymize it. Acquirers, merchants and issuers should only use tokens instead of clear text data to process payments and store sensitive data. If hackers get access to these tokens, the data is useless. This also reduces stress on both sides: for businesses and consumers.”

Colin Bastable, CEO at Lucy Security:

“Third parties are the CISO’s Achilles Heel. It appears to be a classic case of a third party’s failure to protect Discover Card customer data. Discover is not going to feel it, but the buck has stopped somewhere down their food chain.

We should be realistic – the costs for Discover will be a rounding error, and have already been built into their Q4 provisions (up 18% over Q4 2017). The 176 million card-carrying US consumers are generally inured to the consequences of these breaches – between them, they have some 985 million credit and store cards, and the card issuers are very good at shipping out replacement cards.

The real problem is that these thefts are not victimless crimes – real money is involved. Crime rings and governments are stealing from the American consumer and using it to finance more crime.”


Phishing Campaign Targets Australian Netflix Users

Following the news that a phishing campaign has been targeting Netflix users across Australia, with users reporting having been sent an email from an address posing as the legitimate support team for the streaming service asking them to enter their account information and payment details, security experts commented below.

Dean Ferrando, System Engineer Manager (EMEA) at Tripwire:

“This is just the latest in a series of phishing campaigns that have posed as Netflix, which because of its popularity allows criminals to cast a wide net of potential victims. These kinds of attacks exploit customers’ trust in brands they recognise, and are becoming increasingly sophisticated, adding backsplashes and logos to the fake emails to trick victims into clicking on the malicious links.

The best way to avoid falling victim to these scams is to always be on the lookout for suspicious details that may reveal the email as fictitious, such as spelling mistakes, poor grammar or a link that directs to a suspicious URL. Reputable brands also often have a support page that helps customers identify and report fake email campaigns and would never ask for personal information or payment details without a reasonable cause.”

Tim Sadler, Co-founder and CEO at Tessian:

“In this case, scammers are using the very familiar and trusted Netflix brand to dupe loyal customers into revealing personal and financial information. Many users will have an established relationship with Netflix and communicate with the brand via email or other messaging platforms. This kind of interaction can engender trust and complacency on the part of the customer. It is the relationship between user and brand, which phishers are attempting to hijack in order to pharm valuable financial credentials.

Strong-form impersonation methods like this, where the attacker is posing as the legitimate Netflix support team with branding and an email format that closely mimics a typical Netflix communication, can be difficult for a typical user to identify. However, to minimise the risk of falling victim to scams like this, users must be vigilant. They should be suspicious of any email that requests personal and/or financial information. It is also important that they alert the necessary authorities if they spot a phishing email in their inbox.”

Corin Imai, Senior Security Advisor at DomainTools:

“Netflix customers seem to be incredibly popular targets for threat actors engaged in phishing campaigns, for good reason; Netflix is a globally renowned business, with an easily identifiable name and logo which a significant number of consumers will have a relationship with, making them more likely to engage with emails purporting to be from the brand. Netflix phishing scams in the past have been notoriously sophisticated, such as the 2017 campaign which leveraged Netflix content as backing images to the fraudulent emails and web pages, lulling the victim into a false sense of security. Australian Netflix users should treat any email communication from Netflix suspiciously in order to keep their PII safe, particularly one regarding account suspension.”


DailyMotion Credential Stuffing Attack; Intl Data Privacy Day

In response to DailyMotion’s disclosure on Friday that it’s suffered a credential stuffing attack (which it’s reported to France’s Commission nationale de l’informatique et des libertés [CNIL] complying with GDPR requirements), four experts with OneSpan and STEALTHbits offer perspective.

Scott Clements, CEO at OneSpan:

“Passwords and personal identifiable information are almost guaranteed to be exposed in ever increasingly sophisticated and frequent data breaches. It’s more important than ever to secure and protect the entire digital customer journey, and the data captured within, by taking a layered approach to security. This helps capture and analyze multiple complementary authentication factors and correlational data to establish trusted identities, devices and transactions. This is how we help our global banking customers – by making it harder for cybercriminals to capture data and commit fraud.”

Michael Magrath, Director, Global Regulations & Standards at OneSpan:

“Consumers who have not yet upgraded to multifactor authentication (MFA) to log in to websites, more often than not, reuse a few static passwords across multiple websites. Given the vast number of password-related breaches over the past few years, the convenient, yet insecure reuse of static passwords exposes individuals to the credential stuffing attack used in this case. Consumers should always use MFA, where available, to add an additional layer of security to protect their privacy. Many websites support MFA today. The good news is, more and more are supporting frictionless solutions such as intelligent adaptive authentication and behavioral biometrics which balance ease of use with security.”


Rod Simmons, Vice President of Product Strategy, Active Directory at STEALTHbits Technologies: 

“In giving users flexibility to set any desired password we fail to fix stupid. Carbon based life forms cannot trip over creating secure passwords. Our challenge as system owners is to prevent users from doing lazy and stupid things. For example, so I don’t forget my password let me include my logon name in it plus my date of birth. Users will go out of their way, unintentionally, and do the least secure thing possible. As an administrator prevent it.”


Martin Cannard, VP of Privileged Access Management Product Strategy at STEALTHbits Technologies:

“Sharing passwords between sites is a recipe for disaster, especially when the same credentials are used for business. One exposed password along with an exposed username/password is all it takes for attackers to brute force their way into your account. Today there is a plethora of personal password management tools which makes the process of maintaining unique credentials a no-brainer. Keep your passwords strong and unique, and NEVER use the same password for a business as you would for personal sites.”


DailyMotion Credential Stuffing Attack

The popular video platform DailyMotion disclosed a credential stuffing attack on Friday. In response, experts with Cequence and Shared Assessments offer perspective.

Mike Jordan, CISSP, CRISC, CTPRP, Senior Director at The Shared Assessments Program:

“Credential Stuffing is the unfortunate consequence of using the same password on different sites. Just last week, over 772 million passwords were offered for sale in one of the largest public data breaches of this sort. It’s no surprise to see a corresponding breach.

“Hacking passwords on public video sites and forums could be used for troll farming and disinformation campaigns. More troubling are the breached banks and retailers where actual transactions are at risk. And don’t forget the smaller sites that don’t have the resources to detect this kind of attack. Consumers may never hear about these types of attacks, and any site can store more of your information than you may realize.

“I strongly recommend making passwords unique and storing them in a trusted password manager app. Opt into two-step or Multi-Factor sign-in where possible, whereby the website sends you a code or uses an app to log you in along with your password. Email accounts can be used to reset all your other passwords, so prioritize those along with your financial and work passwords.”

Franklyn Jones, CMO at Cequence:

“One of the reasons credential stuffing is so hard to prevent is that the attack vector is a valid username and password combination. No malicious content there, so the attack is often undetectable until it’s too late. So in this case, it’s more effective to focus on the underlying behavior and intent of the request to determine its authenticity.”
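Jones’s point that each stuffing request looks like an ordinary login, so only the behaviour across requests gives it away, shown as an added example (not Cequence’s or DailyMotion’s code): a detector that runs over constructed login-log lines, flags source addresses that spray many distinct usernames with a low success rate inside a sliding window, and lists the accounts those sources actually got into. The log format, thresholds and addresses (RFC 5737 documentation ranges) are assumptions.

```python
from collections import defaultdict
from datetime import datetime


def _build_sample_log() -> str:
    """Constructed sample (not real traffic). Format: '<ISO time> <source ip> <user> <result>'.
    203.0.113.9 tries 25 different usernames in two minutes and gets two hits;
    198.51.100.5 is one person mistyping their own password twice before logging in."""
    lines = []
    for i in range(25):
        secs = i * 5
        result = "OK" if i in (7, 19) else "FAIL"
        lines.append(f"2019-01-25T10:{secs // 60:02d}:{secs % 60:02d}Z 203.0.113.9 user{i:03d} {result}")
    lines += [
        "2019-01-25T10:00:30Z 198.51.100.5 alice FAIL",
        "2019-01-25T10:00:41Z 198.51.100.5 alice FAIL",
        "2019-01-25T10:00:55Z 198.51.100.5 alice OK",
    ]
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text: str) -> list:
    """Turn log lines into (timestamp, ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((when, ip, user, result == "OK"))
    return events


def detect_stuffing(events, window_seconds=300, min_attempts=10,
                    min_distinct_users=5, max_success_ratio=0.3) -> dict:
    """Flag source IPs whose logins inside a sliding window look like credential
    stuffing: many attempts, spread over many distinct usernames, mostly failing.
    Every request carries a plausible username/password pair, so no single request
    is malicious on its own; the pattern across requests is the signal.
    Returns {ip: {"attempts", "distinct_users", "successes"}} for the widest window seen."""
    by_ip = defaultdict(list)
    for when, ip, user, ok in sorted(events):
        by_ip[ip].append((when, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        start = 0
        for end in range(len(attempts)):
            # slide the window start forward until it spans at most window_seconds
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            window = attempts[start:end + 1]
            users = {user for _, user, _ in window}
            successes = sum(1 for _, _, ok in window if ok)
            if (len(window) >= min_attempts and len(users) >= min_distinct_users
                    and successes / len(window) <= max_success_ratio):
                best = flagged.get(ip)
                if best is None or len(window) > best["attempts"]:
                    flagged[ip] = {"attempts": len(window), "distinct_users": len(users),
                                   "successes": successes}
    return flagged


def compromised_accounts(events, flagged: dict) -> list:
    """Accounts that a flagged source logged into successfully: the ones to lock,
    notify and push through a password reset and MFA enrolment."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged})
```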


Data Protection Day

Data Protection Day comments from Imperva, Veritas, KCOM and Tanium.

The comments include:

  • Spencer Young, RVP EMEA at Imperva, explaining where companies are going wrong in getting data protection right, including data that is difficult to find, using the wrong technology and failing to govern data access
  • Jasmit Sagoo, senior director, Northern Europe at Veritas, describing the data power shift we have seen between businesses and consumers post-GDPR, where businesses are going wrong in the cloud, and the need for a culture of compliance
  • David Francis, Information Security Consultant at KCOM, explaining the road to success on Data Protection Day, and the two key questions businesses should ask themselves: do you know when you’ve been attacked, and have you been paying attention to the news around GDPR?

Spencer Young, RVP EMEA at Imperva:

Today marks the 13th annual Data Protection Day, a day aimed at raising awareness and promoting good data privacy practices around the world.

The past year saw vast changes impacting the UK’s data protection landscape, not the least of which is due to the EU’s General Data Protection Regulation (GDPR) officially coming into play. The regulation means that regardless of the industry or location, any business that holds and processes personal data must prioritise data protection.

The fines associated with non-compliance are hefty, to say the least, and the potential damage to the brand’s reputation can be even costlier. Yet, we have seen big brands including the likes of Google tripping up on their data protection journey. Where are companies going wrong in getting data protection right?

1/ Finding the data is not easy

Data protection is complex and involves multiple teams, technologies and systems to work together.

One of the first hurdles IT teams face is in conducting a Data Assessment Report, which requires organisations to locate any personal data they are holding and document how the data is collected and processed. This detailed assessment must be kept current and ready for regulatory inspection or compliance audits.

However, many businesses find it challenging to locate that data. When you are a large enterprise, this can take more than just a call to your IT department and can take weeks – even months – of investment.

2/ Not having the right technologies in place

Perhaps most significantly, regulations require any company that experiences a data breach to publicly acknowledge the breach and notify the local Data Protection Authorities (DPAs) in the member states where the people affected by that breach reside. Businesses must notify the DPAs within 72 hours of identification or confirmation of the breach. They must be able to tell them what data was breached, how many records were taken and provide a member-state specific report around the infringement.

This requirement means all businesses need to be able to understand who accessed the data, what activity they performed and when they performed it. Any organisation without strong technology solutions in place will struggle to provide the requested information within the 72-hour window.

3/ Failure to govern data access

Limiting access to certain information and making sure that access is authorised and reflects any changes within the business is a critical step in data protection that many companies tend to neglect.

It’s important to analyse policies on data collection, handling, test data usage, data retention, and data destruction. At each point, access must be on a need-to-know basis. Users should not be allowed to accumulate access rights as they are promoted or move laterally within an organization. Privileged accounts, including DBAs, Admins and Service accounts should be carefully monitored to ensure they are not used to bypass policies.

Not doing so will inevitably lead to disastrous consequences.

There may be many reasons why an organisation’s data protection strategy is not up to par, but they will reside somewhere within having inadequate or ineffective processes, people, and technology. It is critical to be aware of potential pitfalls and actively work towards more robust data protection practices.

GDPR or not, Data Protection Day should be every day in our data-driven business landscape.

Jasmit Sagoo, Senior Director, Northern Europe at Veritas:

The data power shift

2018 marked a pivotal change for data privacy and protection across the globe. For a long time, personal data has been leaked, shared, tracked and analysed without consumers’ prior knowledge or consent. But the introduction of the General Data Protection Regulation (GDPR) has offered individuals in the EU an olive branch: more control over their data.

For years, organisations have failed to understand the real value of their data, or the repercussions of mishandling it. Our Truth in Cloud research found that most UK businesses (75%) export full responsibility for data protection to their cloud providers, with over half (52%) wrongly assuming their cloud providers are responsible for complying with data privacy regulations.

We also found that 42% of companies’ total data environments are either stale (i.e. have not been modified in the last three years) or ancient (i.e. have not been modified in the last seven years).

However, the change in data privacy regulations has served as a much needed wake-up call for organisations. Beyond the hefty fines for regulatory non-compliance, companies have begun taking notice of the real reputational damage that could result in a lack of responsibility for protecting and managing their data. Our research revealed UK consumers would punish organisations that don’t protect their data by shopping elsewhere or by attacking their brand reputations.

Meanwhile, the potential benefits of investing in effective data protection and management are vast, such as the ability to personalise and improve customer service and create information-centric business models that give way to new revenue streams. In addition, nearly half (46 per cent) of UK consumers say they would spend more money with organisations they trust to look after their data, with over a fifth (21%) willing to spend up to 25% more with businesses that take data protection seriously.

Today, more and more companies are beginning to realise the importance of not only protecting their data, but also understanding exactly what data they hold, where it sits, who has access to it and how quickly they can retrieve it. Businesses must now be able to automatically classify large volumes of digital data, scanning and tagging it in a granular, intelligent manner to ensure that information is managed effectively and can be accessed efficiently and on-demand.

Technology aside, businesses must also instil a culture of digital compliance and responsibility among their employees. And there’s no question about whether this is needed: an overwhelming majority (91%) of organisations admit that they lack a culture of good data governance. With a three-fold approach to managing data which includes technology, processes and people, organisations will be in a strong position to reap the rewards associated with protecting and managing data and building customer confidence in today’s digital economy.

David Francis, Information Security Consultant at KCOM:

Data Protection Day falls on Monday 28th January this year. In previous years, this day has been overlooked. However, in 2019, we’re finally starting to see people and businesses give it the recognition it deserves.

So why is data protection so important in 2019? Last year we saw some immense upsets, from the BA data breach to the Cambridge Analytica scandal. The range of consumer-facing breaches in 2018 have truly proved that cyber security is the last line of defence for personal security. In addition, since the last Data Protection Day, we have seen the introduction of the GDPR.

The first question you should ask yourself today is: Do you know when you’ve been attacked?

It takes companies an average of 206 days to discover a breach, so the answer is ‘probably not.’ And the threat doesn’t just have to be external: you could have sleeper agents placing time bombs in advance. They don’t necessarily need to be onsite at the crucial moment.

It could be a developer with a grudge placing a time bomb in the system to erase crucial intellectual property, or even an outgoing executive quietly deleting things in the background. If done quietly over a period of time, you could lose your backups as well, with no way of tracing the culprit. This is in addition to the huge GDPR fines you would face. Companies need to have measures in place to track data movement to prevent this kind of insider threat.

The next question to ask yourself today is whether you have been paying attention to the news around GDPR.

If 2018 was the year of compliance, 2019 will be the year of retribution for everyone’s favourite data privacy regulation. The period of grace is drawing to a close, and we’re already seeing the ICO taking its first high-profile scalp over treatment of personally identifiable information, with Google being the first to fall in France.

This has set the precedent by which all further cases are judged – letting companies know along the way just how strictly enforced the rules are going to be, and how heavy the fines. Now is the time to check your compliance levels.

If 2019 is anything like 2018, consumers are in the firing line. With these scenarios in mind, on Data Protection Day, it’s time to re-evaluate your security plans and consider: Does this plan put the customer first? Is your security system tracking insider threats? Are you aware of which employees have access to what data? Are you GDPR compliant?

If your organisation can safely answer yes to all these questions, congratulations, you have had a successful Data Protection Day. However, that doesn’t mean it’s time to stop evaluating your systems; in today’s security landscape, you can never be too safe.

Chris Hodson, EMEA CISO at Tanium:

“As we approach the first data privacy day since GDPR has been in force, there is no doubt that analysing the effectiveness of the regulation will dominate. For me, as a CISO, there are many common misconceptions of GDPR. Firstly, we must remember that approximately 80% of GDPR isn’t directly within the CISO’s purview. The whole business, most notably the DPO, must be responsible for driving data privacy across the enterprise. The security function can certainly help with the “how” of data protection and must be responsible for putting the processes in place to ensure that data is safeguarded. However, we are often very little use in ascertaining the “why” of data collection. For a security team or CISO, it’s about ensuring that controllers (and processors) carry out data processing in a transparent fashion. It’s about making sure that information is not left lying around in servers ad infinitum.

“That’s why the best defence is a model for qualification and assurance. That means having real-time visibility of the data stored across your network and where threats and vulnerabilities exist. But it also means taking a role in educating our boards, executives, and fellow employees on their role in protecting data: choosing systems and practices that support GDPR principles and maintaining practices that safeguard customer data in the long-term.”

The ISBuzz Post: This Post Data Protection Day appeared first on Information Security Buzz.

More Than 24 Million Financial And Banking Documents Found Online After A Server Security Lapse

A trove of more than 24 million financial and banking documents, representing tens of thousands of loans and mortgages from some of the biggest banks in the U.S., has been found online after a server security lapse, as reported in Techcrunch.

Experts Comments Below: 

Ilia Kolochenko, CEO at High-Tech Bridge:

“Unprotected cloud storage and passwordless databases exposed online are unfortunately very widespread these days. Large organizations struggle to maintain petabytes of their data under control and inventory.

Numerous suppliers and partners may urgently need their data for various legitimate business purposes, but fail to maintain appropriate internal security controls. Third-party risk management is not a silver bullet either, as quite frequently access to data is time-sensitive and many companies are prone to close their eyes to some of the imperfections of the third-party security mechanisms. A large-scale scan of the Internet will likely produce hundreds, if not thousands, of similar databases with critical, sensitive and privileged data being hosted somewhere without any protection.

From a legal point of view, the companies whose negligence leads to data exposure may be liable for considerable financial penalties and/or face individual and even class action lawsuits. Security researchers who access and process the data should also be careful, as under certain circumstances they may break the criminal law and also expose themselves to other legal ramifications.”

Paul Bischoff, Privacy Advocate at Comparitech:

“If you’ve received a notification from your financial institution saying your details were involved in the breach, then you are at risk of identity theft. Go to annualcreditreport.com and get a free copy of your credit report. Check for any unfamiliar activity and follow up on anything suspicious. You’re allowed one free credit report per year. If you want something a little more vigilant, consider purchasing a subscription for an identity theft protection service. Freeze your credit if you can, but if that’s not an option, at least place a fraud alert on your report. Creditors will be forced to take extra steps to verify your identity when they pull your credit report to check it.

Tax season is coming up, so be ready for tax scams. Tax scams almost always rely on the scammer impersonating an authority figure, like your bank or the IRS. Leaked tax documents such as these allow the scammer to tailor their pitch to the victim and sound more convincing. Remember that the IRS almost always initiates contact over snail mail, not phone calls or email. They’ll let you pay how you want and won’t request payment in cryptocurrency, through money wire services, or in prepaid debit and gift cards. Never give up any payment or personal information before verifying the sender or caller’s identity. If you’re not sure, look up the number for the bank or IRS on Google and give them a call to ask what’s up.”

Javvad Malik, Security Advocate at AlienVault:

“This is a huge breach and comprises two issues. The first being third party security. The data was given to a third party who didn’t secure it properly.

The second issue is that of misconfiguration. Unfortunately it’s a common issue that we see and an easy mistake to make. It’s why it’s important for companies to have assurance controls and checks in place to validate the right controls are consistently applied across the environments.”

Jonathan Deveaux, Head of Enterprise Data Protection at Comforte AG:

“Applied for a loan in the past 10 years? Then your personal data may have been exposed.

What’s unique about this cyber security leak, is that the data may have originated at major banks (Citi, HSBC, and Wells to name a few) but they didn’t expose the data. A company who obtains the data for analytical purposes (think Big Data and ML) is most likely the source. It was reported that their servers were misconfigured and there were no password requirements to access the data.

If the banks are securing personal data when taking the loan application, but handing the data off to another company *unprotected* then this is a major security gap. And even if the data is secured when given to a company for analytical purposes, the next step is to ensure the data stays protected while they analyze it.

One of the data elements exposed in the report was social security numbers. There’s really no useful reason why a SSN is needed for analysis. SSNs could have been masked or tokenized, while other data was used for analytical purposes.

Banks and other Fintech companies need to really understand how other parties will use the personal data they provide them. And maybe it’s time they stop working with companies who don’t do more to secure sensitive data.”

Colin Bastable, CEO at Lucy Security:

“When US lenders offload our mortgages and loans to third parties, they offload the data too, and wash their hands of all responsibility. In its drive for profitability, the US financial industry has outsourced many services to third party service providers, and at the heart of this fragmented industry is consumer data. Our Data.

The relentless drive for greater margins comes at the expense of consumer data protection: our loans and our data are commodities to be traded, whereas consumers are still under the illusion that they have a relationship with their banks.

Dumpster Diving is bad enough – we often read about confidential papers being dumped in the trash when financial offices close.

In this case, the data has been re-digitized from paper records and mismanaged in a now notorious database known for great data analysis but lousy security. That the database admins forgot to secure the data with a password should shock us, but it doesn’t.

US consumers urgently need Congress to give consumers lifetime rights over their data, so that every organization taking or handling consumer data has a lifetime liability in the case of any data breach.”

Ruchika Mishra, Director of Products and Solutions at Balbix:

“Armed with exposed Social Security numbers, names, addresses, credit history, phone numbers, W2 forms and other sensitive information, a malicious actor can level significant damage against individuals affected by this breach. Actions could range from identity theft, filing false tax returns, applying for loans or credit cards in a victim’s name—the list goes on. This exposure is another unfortunate example of a lack of authentication on an Elasticsearch server leading to a massive data leak like AIESEC’s recent breach of 4 million intern applications and last year’s Voxox misconfiguration which led to the exposure of 26 million 2FA codes, password reset links and delivery tracking details.

Misconfigurations like this are, unfortunately, a dime a dozen. Organizations are tasked with the hefty burden of continuously monitoring all assets and more than 200 potential attack vectors to detect vulnerabilities. Through this process, companies are likely to detect thousands of vulnerabilities—far too many to tackle all at once. The key to preventing a breach as devastating as Ascension’s is to leverage security tools that employ artificial intelligence and machine learning that analyze the tens of thousands of data signals to prioritize which vulnerabilities to fix first, based on risk and business criticality. Obviously in this case, a database containing such sensitive information is critical to the business and addressing any vulnerabilities in its security should have been highly prioritized. Organizations must adopt advanced security platforms to proactively manage risk and avoid breaches instead of reacting to a security incident after it occurs.”

George Wrenn, CEO at CyberSaint Security:

“This incident is a reminder that it is critical that we set high expectations for security and data protection when dealing with sensitive information. Organizations need to understand their gaps, and identify areas to build on their security posture at all times. This is especially true in cases where sensitive and personal information could be exposed.”

The ISBuzz Post: This Post More Than 24 Million Financial And Banking Documents Found Online After A Server Security Lapse appeared first on Information Security Buzz.

UK Hit With 30m Cyberattacks In Just Three Months

Almost 30 million cyberattacks were carried out in the United Kingdom in the fourth quarter of last year. This is according to a new report by Kaspersky Lab, based on an analysis of threats between October and December 2018 in the country.

The report says that browser-based attacks were the primary method for spreading malicious programs in the country, with more than 12 million detected threats. Of all Kaspersky users attacked by malicious software, 16 per cent were hit by web-borne threats.

Commenting on the news are the following security professionals:

Todd Peterson, IAM Evangelist at One Identity:

“The reason browser-based attacks are so prevalent is because everything is moving to the web/cloud and a browser is one of the primary ways you access it. So, avoiding those attacks is really just a matter of common-sense and vigilant behavior. Do you trust the source of the thing you are clicking on?

IAM (identity access management) can help to minimise the risk surface once an attack has occurred. For example, if an unsuspecting user in your company clicks on something that they shouldn’t have and opens up their system (on your network) to the hacker, good IAM in the form of business-driven authorisation and – above all – deep and thoughtful privileged access management will limit the damage to only those systems and data that the compromised user has legitimate access to. It will also prevent the attacker from making lateral moves and rights elevation activities to get to the ‘good stuff.’”

Felix Rosbach, Product Manager at Comforte AG:

“We all have to find a balance between security and comfort, between protection and business enablement. With too much security, users are unable to be productive. Too much access opens up organisations to a data breach.

While the chances of being breached are higher than ever before, there is not much you can do about it. Classic defences like firewalls and anti-virus only protect you from known attack methods. To protect what is worth being protected you have to make sure that your identity and access management is under control – and that you render sensitive data unreadable.”

The ISBuzz Post: This Post UK Hit With 30m Cyberattacks In Just Three Months appeared first on Information Security Buzz.

Experts Comments On First GDPR Fine Of $57 Million To Google

CNIL, the French data protection authority, issued its first GDPR fine, of €50 million (about $57 million), to Google, finding that Google failed to meet GDPR’s transparency and consent requirements in the onboarding process that new Android users follow when setting up a phone.

Experts Comments Below:

Anurag Kahol, CTO and Co-founder at Bitglass:

“Google being fined for its noncompliance with GDPR will likely pave the way for penalties for other prolific companies that have not yet met the demands of the new law. Until this point, data protection authorities have been incredibly patient with companies – GDPR has been in full effect for nearly a year now. However, it seems this grace period is more or less passing. While Google may be able to absorb this financial penalty, other companies are likely not large or successful enough to do so. This instance should be a wakeup call for organizations everywhere to begin taking data privacy far more seriously.”

Jonathan Bensen, interim CISO at Balbix:

“CNIL’s decision to fine Google does not seem to be aimed towards solving the issue, but towards making money. Most people should be aware that if they want enhanced digital services, they must pay the price of giving some reasonable amount of privacy away.

If CNIL wanted to take a step in the right direction, they should suggest Google change the language in its Terms of Service versus imposing a fine without offering a solution. While it is possible to run an Android phone without a Google account, it makes it almost unusable. The same argument can be made about iPhones and needing an account with Apple. You can run the phone without one, but it severely limits the capabilities of the device.”

Dr Guy Bunker, SVP of Products at Clearswift:

“The key thing to take from this news is that this is a substantial fine in the name of GDPR. It’s nowhere near the maximum available fine, but it is enough to make organisations sit up and take note. It also shows that no organisation is above the law and the regulators will go after big names.

“For businesses now fearing the risk of substantial fines to their own organisations, the key to compliance centres on three aspects. People, processes and technology are vital areas that organisations need to review to gain visibility and control of critical data in order to comply with the GDPR. The board should be working together with middle management on their organisation’s GDPR compliance to maintain a clear understanding of the state of their organisation’s data security status.”

Ouad Khalil, Vice President of Compliance at SecurityScorecard:

“The new year is upon us as is GDPR enforcement and fines. Companies that have sat back and watched the privacy tidal wave hoping that it will miss them, should reconsider. As with any new regulation, most companies scramble to comply once they realise the ramifications are real!! We are learning that no one is beyond GDPR reach – Google was fined 50 million euros on January 21, 2019 due to people “not sufficiently informed” about how Google collected data to personalise advertising.

This is the first large fine by a GDPR regulator. That it was the French privacy watchdog (CNIL) that issued the fine is no surprise. CNIL is the only regulator that issued any kind of GDPR compliance guidance in an effort to shed light on compliance requirements. Even though Google’s European headquarters is based in Ireland, that did not stop GDPR watchdogs from transitioning the enforcement to France where it is considered to be more effective.

The regulator indicated that Google provided inadequate information to its consumers as well as had invalid consent for personal data use. This confirms how critical an accurate and up-to-date personal data inventory is. Organisations must ensure all data is properly identified, classified, processed, transmitted, consented for use and much more. Furthermore, point-in-time compliance does not cut it as continuous assurance (monitoring and auditing) is a must to ensure ongoing compliance.

In today’s world, managing privacy has become the norm as regulators, auditors and privacy rights groups are keeping a watchful eye. Slapping Google with such a large fine is only possible due to confirmed violations most surely reported by consumers and privacy rights groups. I suspect this will be the first of many to follow in 2019 as GDPR compliance is now in the enforcement phase.”

Matt Lock, Director of Sales Engineering at Varonis:

“The new fine facing Google will quickly dispel any lingering doubts that the EU would go easy on companies found in violation of the GDPR. The news should be hitting companies like a cold shower. It’s not a stretch to say that a proverbial storm is gathering as privacy groups rally to their cause and seek to uphold major global companies as examples of lax privacy controls. The news should serve as an impetus to organisations that have yet to prioritise their GDPR compliance programs and hoped to simply fly under the radar – their luck may be running out soon.”

Javvad Malik, Security Advocate at AlienVault:

“This could be one of the first high profile tests of GDPR and how it pans out in the real world.

The fine can be summed up into a lack of transparency. Companies need to be transparent and clear with their users as to what data they are capturing and for what purposes. In this case, CNIL has decided that Google was neither transparent, nor clear with users – resulting in users making misinformed choices.

Customer data of all sorts, whether that be PII, or even metadata should be considered carefully by companies. Before storing or processing information about customers, companies should ask themselves two questions. First, what purpose the data is being used for and for how long, and secondly, have the users truly given informed consent – if the answer to either is unclear, then they should not go ahead with it.”

Matt Walmsley, EMEA Director at Vectra:

“And so CNIL, the French Supervisory Authority flexes its muscles and Google is the first big scalp for GDPR fines. Others will follow!

User experience and clarity in terms and conditions have been used to remind us that data management and use are just as important as data security within GDPR. I’d expect Google to challenge the ruling, and we may see the conclusion produce an important test in law that will bring clarity around GDPR implementation for others.”

The ISBuzz Post: This Post Experts Comments On First GDPR Fine Of $57 Million To Google appeared first on Information Security Buzz.

108M Records Exposed via Misconfigured ElasticSearch Server

ZDNet reported that a password-less ElasticSearch server belonging to a group of online casinos exposed the details of more than 108 million bets, including customers’ payment card data, full names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information and more. The payment card details indexed in the server were partially redacted, however, so they did not expose each user’s full financial details. The leaky server was found last week, was taken offline today and is no longer accessible.
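An assurance check for exactly this failure mode, added here as an example and not code from ZDNet or from any of the commenters below: an Elasticsearch node with security disabled answers GET / with its cluster name and version to anyone who can reach port 9200, and lists every index through /_cat/indices; a node with authentication enabled answers 401. The fetch function is injectable so the classifier can be exercised offline; the hostnames, the base URL form http://host:9200 and the two fake responses are constructed assumptions.

```python
"""Audit an Elasticsearch endpoint for missing authentication (added example)."""
import json
import urllib.error
import urllib.request

def http_get(url, timeout=5):
    """Real fetcher: returns (status, body_text). Needs network access."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

def classify_root(status, body):
    """Map the response to GET / onto 'open', 'authenticated' or 'not-es'."""
    if status == 401:
        return "authenticated"          # security enabled, credentials required
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            return "not-es"
        # An unauthenticated node hands cluster name and version to anyone.
        if isinstance(doc, dict) and "cluster_name" in doc and "version" in doc:
            return "open"
    return "not-es"

def audit(base_url, fetch=http_get):
    """Return a finding for one base URL such as http://host:9200 (assumed form)."""
    root = base_url.rstrip("/") + "/"
    status, body = fetch(root)
    verdict = classify_root(status, body)
    finding = {"url": base_url, "verdict": verdict, "indices": []}
    if verdict == "open":
        # This is what a crawler harvests from an exposed node: every index
        # name with its document count.
        st, idx_body = fetch(root + "_cat/indices?format=json")
        if st == 200:
            try:
                finding["indices"] = [
                    (i.get("index"), int(i.get("docs.count") or 0))
                    for i in json.loads(idx_body)
                ]
            except (ValueError, TypeError):
                pass
    return finding

# Constructed responses standing in for two hosts, so the audit runs offline.
FAKE_RESPONSES = {
    "http://es-open.example.test:9200/": (200, json.dumps({
        "name": "node-1", "cluster_name": "prod-bets",
        "version": {"number": "6.5.4"}, "tagline": "You Know, for Search"})),
    "http://es-open.example.test:9200/_cat/indices?format=json": (200, json.dumps([
        {"index": "bets-2018", "docs.count": "108000000"},
        {"index": "customers", "docs.count": "1500000"}])),
    "http://es-locked.example.test:9200/": (401, json.dumps({
        "error": {"type": "security_exception",
                  "reason": "missing authentication credentials"}})),
}

def fake_fetch(url, timeout=5):
    """Offline stand-in for http_get using the constructed responses above."""
    return FAKE_RESPONSES.get(url, (404, ""))

if __name__ == "__main__":
    for host in ("http://es-open.example.test:9200",
                 "http://es-locked.example.test:9200"):
        print(audit(host, fetch=fake_fetch))
```

Run it with the real fetcher against your own inventory (only hosts you are authorised to test) and treat any "open" verdict as an incident, not a ticket. The fix on the Elasticsearch side is to enable security (`xpack.security.enabled: true` in elasticsearch.yml and passwords set for the built-in users) and, independently of that, to bind `network.host` to a private interface and firewall port 9200 so the node is never reachable from the Internet in the first place.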

Experts Comments Below:

Mark Weiner, CMO at Balbix:

“This breach is yet another example of a company leaving a server and critical information unsecured without any password protection, an unfortunate trend that has been the cause of many recent leaks such as the VOIPo and Oklahoma Securities Commission’s latest incidents. 108 million bets were exposed by this data leak, including full names, home addresses, phone numbers, email addresses and account balances that could be used by malicious actors as a part of phishing scam to target those who recently won large sums of money. Fortunately, the exposed payment card data was partially redacted, meaning that users did not have their full financial information exposed.

Organizations must understand that proper, organization-wide cybersecurity is no longer a human-scale task, and it is mathematically impossible for people alone to constantly monitor and assess all IT assets and infrastructure to stay ahead of 200+ attack vectors for potential vulnerabilities. Companies must adopt security platforms that leverage artificial intelligence and machine learning to enable security teams to proactively manage risk and avoid breaches.”

Rich Campagna, CMO at Bitglass:

“This breach is yet another example of a company that exposed massive amounts of consumer data due to a simple security mistake. Leaving a server publicly accessible is unacceptable – even smaller companies with limited IT resources must ensure that they are properly securing data. As such, they must turn to flexible, cost-effective solutions that can prevent data leakage; for example, data loss prevention (DLP), user and entity behavior analytics (UEBA), and encryption of data at rest. It is only with these types of capabilities that an enterprise can be certain that its data is truly safe.

Companies that fail to invest in their own cybersecurity readiness must recognize that the fines they could face for noncompliance with data privacy laws are incredibly expensive – not to mention the cost of losing the trust of their customers. In fact, Google was just fined $57 million by CNIL, the French data protection watchdog, for failing to comply with GDPR’s transparency and consent laws.”

Jonathan Deveaux, Head of Enterprise Data Protection at Comforte AG:

“Merry belated Christmas, millennials. By the way, your data was exposed… Of the 4 million intern applications unprotected, a company rep claims only 40 of the records were actually exposed.

No matter what the count is, it just goes to continue to prove a major point… companies all around the world are not all protecting personal data. When writing personally identifiable information on to a database or file, organizations need to do more. Even just following the basics sometimes would help. Even though this company is a Non-profit organization, GDPR fines may still apply. If “Taylor Smith” was tokenized and protected as “FSLIDB ZPMDQ” we wouldn’t be having this issue.”

Carl Wright, CCO at AttackIQ:

“Lately we have seen a proliferation of protection failures resulting in massive data leakages. Almost all of these instances would have been preventable if the affected organizations understood that their security stack was misconfigured.  It is time that enterprises test their respective security posture proactively rather than waiting for cyber attackers to thwart any existing, or lack of, cyber defense.  There is no excuse for deploying security controls that are not properly configured, therefore resulting in protection failures.”


New Magecart Attacks On Ad Supply Chain

A new Magecart attack aimed at the French advertising agency Adverline has been discovered by RiskIQ. This new Magecart attack steals customer credit card details by compromising a content delivery network for ads, so that any website loading the script from the ad agency’s ad tag would also load the digital skimmer at the same time.

Experts Comments below:

Mike Bittner, Digital Security and Operations Manager at The Media Trust:

“This new malware strain is just one more indication of how sophisticated and organized bad actors have become. It has not only affected the French ad agency, but at least two large digital ad technology vendors, who saw a malicious domain pop up in their payment pages, but were able to thwart the infection by continuously monitoring their digital ecosystem for unauthorized code and terminating the malware at its source. Other players along the supply chain should be just as vigilant, especially retail sites at the receiving end of infected ads and whose users will inevitably be affected. If EU consumer information is stolen, affected companies could face GDPR fines.”

Matan Or-El, Co-Founder and CEO at Panorays:

“This new attack underscores the need for enterprises to constantly assess and manage the risk from third parties and the supply chain. A crucial tool for enterprises would be a system that automates this process and shines the light on those vendors and partners who pose the biggest threat to an enterprise’s data.”


MEGA Data Breach

A newly revealed trove of 772,904,991 unique email addresses and more than 21 million unique passwords that have been aggregated from over 2,000 leaked databases was recently discovered by Troy Hunt, the security researcher who maintains HaveIBeenPwned. The records were stored on one of the most popular cloud storage sites, MEGA, until it got taken down, and then on a public hacking site. The credentials were not even for sale; they were just available for anyone to take. In total, 1,160,253,228 unique combinations of email addresses and passwords were exposed.

Experts Comments below:

Ruchika Mishra, Director of Products and Solutions at Balbix:

“In terms of scale, this enormous trove of email addresses and unique passwords is monumental. Hackers could have accessed this data at any point while it was stored on MEGA, or the following hacking forum where it lived after MEGA took it down. This information could be used for credential stuffing attacks which can harm businesses and individual users alike. Most enterprises today do not have the foresight and visibility into the hundreds of attack vectors that could be exploited, such as employees using credentials across personal and business accounts. Weak passwords, default passwords, password reuse, passwords stored incorrectly on disk, or transmitted in the clear on the network are all various flavors of the “Password Misuse Risk” attack vector and according to the Verizon Data Breach Report from 2017, more than 80% of breaches involve password issues at some stage of the breach.

To best combat the chances of further breaches, organizations must implement security solutions that scan and monitor not just the organization-owned and managed assets, but also all third-party systems. Proactively identifying and addressing vulnerabilities that would put them at risk before they become entry points for attackers is the only way to stay ahead of breaches.”

Jacob Serpa, Product Marketing Manager at Bitglass:

“When individuals create user accounts on websites, they should be able to trust that their personal information will be kept safe – obviously, having this data fall into the wrong hands can be incredibly dangerous for those who are affected. This recently uncovered cache of unique email addresses and passwords was aggregated from more than 2,000 hacked databases. This means that the organizations that were originally responsible for this information failed in their responsibility to secure it.

Leaked credentials leave individuals vulnerable to account hijacking across all services where they recycle their usernames and passwords. Unfortunately, this includes the corporate accounts they use for work purposes, meaning that their employers are also put at risk by their careless behavior. As such, organizations must simultaneously defend their data against leakage and authenticate their users to ensure that they are who they say they are. Fortunately, security technologies like data loss prevention (DLP), multi-factor authentication (MFA), user and entity behavior analytics (UEBA), and encryption of data at rest can help ensure that enterprise data is truly safe.”


Less Than Half Of Firms Able To Detect IoT Breaches

New research has revealed that less than half of firms are able to detect IoT breaches. Only 48% of European firms can detect when any of their internet-connected devices have been breached, a survey shows.

In the UK, this figure drops to 42%, the second lowest in Europe after France, where only 36% of companies polled said they can detect if any of their devices making up the internet of things (IoT) suffers a breach, according to the study. It goes on to suggest blockchain as a means of securing the IoT.

Experts Comments below:

Barry Shteiman, VP Research and Innovation at Exabeam on why monitoring IoT devices and understanding their normal behaviour will help get an early indication of when the device has been hijacked:

“One thing is clear: as more devices become “smart” and also internet-enabled, they often are given the ability to send, query, or process information that resides elsewhere in the office, via network or cloud. To do so, these IoT devices often use embedded accounts that are difficult to monitor and may also have hard-coded passwords. The combination of smart devices with credentials to access external systems, via unmonitored, privileged accounts means that IoT represents a risky and unwatched channel for data theft or larger participation in botnet attacks. The best way to illuminate this attack risk is to monitor the behaviour of office IoT devices in much the same way as actual human users. By understanding what normal behaviour for these devices looks like, it’s possible to get an early indication of when a device has been hijacked by hackers and is likely being used to access and steal data. IoT will continue to grow and gain greater access to data; already a simple and lucrative target for attackers.”
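The device-behaviour baselining the comment describes, as an added example that is not part of the original post or of any vendor's product: a training window learns which peers, accounts and transfer sizes are normal for each office device, and later flows outside that profile are flagged. The flow-log format, device names and log lines are constructed for the example.

```python
from collections import defaultdict
# Constructed flow records (not real data): time, device, then key=value fields.
TRAINING_LOG = """\
2019-01-07T09:00:01 printer-3f account=svc_print dst=fileserver.corp port=445 bytes=20480
2019-01-07T09:05:10 printer-3f account=svc_print dst=fileserver.corp port=445 bytes=18200
2019-01-07T09:10:33 printer-3f account=svc_print dst=updates.vendor.example port=443 bytes=900
2019-01-07T09:12:00 cam-lobby account=svc_cam dst=nvr.corp port=554 bytes=5000000
"""
LIVE_LOG = """\
2019-01-09T02:14:07 printer-3f account=svc_print dst=fileserver.corp port=445 bytes=734003200
2019-01-09T02:15:30 printer-3f account=svc_print dst=203.0.113.9 port=22 bytes=1200
2019-01-09T09:01:00 cam-lobby account=svc_cam dst=nvr.corp port=554 bytes=4900000
"""
def parse(line):
    """Turn one flow line into a dict; port and bytes become ints."""
    ts, device, *fields = line.split()
    rec = {"ts": ts, "device": device}
    for item in fields:
        key, value = item.split("=", 1)
        rec[key] = int(value) if key in ("port", "bytes") else value
    return rec

def build_baseline(log):
    """Learn, per device, its peers (dst, port), accounts and largest transfer."""
    base = defaultdict(lambda: {"peers": set(), "accounts": set(), "max_bytes": 0})
    for line in log.splitlines():
        r = parse(line)
        p = base[r["device"]]
        p["peers"].add((r["dst"], r["port"]))
        p["accounts"].add(r["account"])
        p["max_bytes"] = max(p["max_bytes"], r["bytes"])
    return dict(base)

def find_deviations(baseline, log, volume_factor=10):
    """Return (time, device, reason) for each flow outside the device's profile."""
    alerts = []
    for line in log.splitlines():
        r = parse(line)
        p = baseline.get(r["device"])
        if p is None:
            alerts.append((r["ts"], r["device"], "device not in baseline"))
            continue
        if (r["dst"], r["port"]) not in p["peers"]:
            alerts.append((r["ts"], r["device"], f"new peer {r['dst']}:{r['port']}"))
        if r["account"] not in p["accounts"]:
            alerts.append((r["ts"], r["device"], f"new account {r['account']}"))
        if r["bytes"] > volume_factor * p["max_bytes"]:
            alerts.append((r["ts"], r["device"], f"transfer of {r['bytes']} bytes exceeds baseline"))
    return alerts
```

On the constructed logs the printer's overnight bulk pull from the file server and its new SSH peer are flagged, while the camera's usual stream to the recorder is not.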

Todd Kelly, CSO at Cradlepoint, found it surprising that there was such apprehension around IoT technology security concerns:

“Cybersecurity concerns are real but by using expert cloud-based management platforms and software-defined perimeter technologies, they can be effectively addressed. There will always be devices that are compromised and vulnerabilities that are exposed but just as we’ve built these technologies, we’ve also built the safety constructs to protect them. If we commit to tried and true security practices while adopting new approaches that leverage wireless, software-defined and cloud technologies we don’t have to let our concerns unduly impact our progress.”

Jan van Vliet, VP EMEA at Digital Guardian discusses the risk of default credentials and insecure configurations and protocols, making IoT devices easy to compromise:

“The reality is that a huge number of the IoT devices currently in operation are extremely vulnerable to cyber attack. Why? In their rush to surf the crest of the IoT popularity wave over the last few years, manufacturers and vendors were creating and selling millions of IoT devices as fast as they could, with device security seen as little more than an afterthought. As a result, the majority of devices out there today have default credentials, use insecure configurations and protocols, and are notoriously hard to upgrade, making them extremely easy to compromise.

“To make matters worse, the appearance of low-level protocol hacks is providing attackers with new ways to bypass and compromise IoT infrastructure and inject or manipulate data found within devices. This will have serious implications if the devices need to synchronise or receive control messages from a cloud application, with manipulated data potentially sending incorrect settings or actions back to the device.”
