Author Archives: Security Experts

Ukraine Blocks Major VPNFilter Attack Against Chemical Plant

The Security Service of Ukraine (SBU) said today it stopped a cyber-attack using the VPNFilter malware against a chlorine distillation plant in the village of Aulska, in the Dnipropetrovsk region.
Commenting on the news are the following security professionals:

Craig Young, Security Researcher at Tripwire:

Consumer routers show up in very unexpected places at times but critical infrastructure is certainly the last place I’d expect to find them. Due to the lack of details provided by the Ukrainian Secret Service, it is not possible to know which devices may have been compromised with VPNFilter malware and what they were being used for in this plant. It is possible that the infected systems were routers in the homes of employees who remotely access the facility or that the plant may have had some affected network storage devices.

Another big question is when this attack took place and whether this means that VPNFilter has already evolved since the recent FBI shutdown of the botnet’s command and control system. It is possible that VPNFilter has been revived with a more robust operation targeting a wider range of devices including more enterprise-centric devices.

Tim Erlin, VP of Product Management & Strategy at Tripwire:

If your business has an industrial control system footprint, now is the time to evaluate how you’re securing that environment. Industrial companies have accepted the reality that digital threats can have tangible consequences. This perception is perhaps heightened by recent attacks that were specifically designed to affect physical operations and have proven capable of doing so. It is vital that organizations properly secure their critical infrastructure by investing in robust cybersecurity strategies that involve proper foundations of critical security controls and layers of defense. Failure to do so will result in a major breach that will cause catastrophic failure, which is a significant concern among security professionals as a critical disaster could result in significant loss of life.

The ISBuzz Post: This Post Ukraine Blocks Major VPNFilter Attack Against Chemical Plant appeared first on Information Security Buzz.

Telefonica Data Breach

In response to the news that Telefonica has suffered a data breach which exposed the details of millions of Spanish users, IT security experts commented below.

Rob Shapland, Principal Cyber Security Consultant at Falanx Group:

“Telefonica will need to assess the scope of the breach in order to understand how it impacts GDPR. Has the breach been exploited and the information stolen by hackers? If so, they will certainly need to inform the GDPR supervisory authority, and very likely each of the affected customers. They could then be liable to fines of up to €20 million or 4% of their global turnover (their turnover is $53 billion, so potentially over €2 billion in fines though that is highly unlikely).

Flaws like this are quite common in websites. It does imply that the website has not been tested against industry best practice as the flaw that was exploited should be easily discovered during penetration testing. It could also be that Telefonica made changes to the system without running additional checks, which then introduced the vulnerability.

Customers who have been affected should update their password on Telefonica’s systems (and any other websites that same password was used), just in case passwords were exposed, though there is no evidence of this at this stage. It would also be prudent for customers to update their security questions on any key websites such as online banking, in case the personal info that was stolen could be used to answer these questions.”

Ryan Wilk, Vice President at NuData Security:

“This sort of data exposure is why so many organisations who transact with customers online – from the banking and finance sector to eCom and major retailers – are layering in advanced security solutions, such as passive biometrics and behavioural analytics. In doing so, they’re shifting from “let’s make our company a bunker for everyone” to “let’s leave the bunker for risky users only.”  They do so by using technology that doesn’t rely on data that could have been exposed in a breach, thus preventing post-breach damage.

“For years now, many top merchants and financial institutions have incorporated passive and active biometrics and behavioural analytics to verify customer identities online. By analysing hundreds of indicators derived from the user’s online behaviour, companies don’t have to rely on passwords, payment data, and other leaked information to make an authentication decision. Removing the organisation’s reliance on ‘things users know’, companies are far less vulnerable to the data exposed by leaks and breaches.

“Passive biometric technology cannot be mimicked by hackers, and helps break the chain of perpetual fraud that grows whenever customer data is breached and stolen.”


IBM Reveals High Cost Of Data Breaches

IBM and the Ponemon Institute have released a new study, “Hidden Costs of Data Breaches Increase Expenses for Businesses – Study for First Time Calculates the Full Cost of ‘Mega Breaches,’ as High as $350 Million.” Among the key findings:

  • The average cost of a data breach of 1 million compromised records is nearly $40 million
  • At 50 million records, the estimated total cost of a breach is $350 million
  • The vast majority of these mega breaches (10 out of 11) stemmed from malicious and criminal attacks (as opposed to system glitches or human error)
  • The average time to detect and contain a mega breach was 365 days, almost 100 days longer than for a smaller-scale breach (266 days)

In response, IT security experts commented below.

Christian Vezina, CISO at OneSpan:

“Why is it that in spite of ever-increasing spending in cybersecurity, organizations worldwide are still hit with major data breaches? The security perimeter has dissolved and as a result the attack surface has increased way beyond what organizations want to realize. With the prevalence of IoT, increased mobility and cloud usage, the use of complex supply chains, and the increased speed of business, organizations can’t get a complete grasp over their attack surface. Organizations will need to re-think their cybersecurity investments and prioritize their initiatives carefully. If what you do doesn’t work, you may want to change your approach. As you cannot possibly protect from everything, you will probably be better off shifting your cybersecurity investments and approach from ‘prevention only’ (which seems to be failing) to a ‘detect and respond’ approach.”

Jonathan Sander, CMO at STEALTHbits Technologies:

“One thing we see is that what turns a run-of-the-mill breach into a mega-breach is the attacker getting insider access. Sometimes that happens because it’s an insider threat and they had it all along. Most of the time an attacker captures insider access through weak configurations and exploitation of busy users. With insider-level access, the bad guys can strike at less well secured but still information-rich targets like documents, scanned information, and other file data. If you look at all the largest breaches that have hit the headlines, they all included attackers running off with saved emails, scanned contracts, and simple files filled with passwords. That stuff is truly toxic and is only available once the bad guys make that leap to insider status and turn these incidents into mega-breaches.”

Pravin Kothari, Founder and CEO at CipherCloud:

“From any perspective the cost of a data breach is painfully high: in the short term for remediation expense and lost business, in the longer term as a result of damage to the brand, and then the ongoing impact to revenue and customers. IBM’s study brings sharp focus to the numbers and clearly highlights the high cost of failure for executives and their board of directors. The lesson to learn? Data breaches are inevitable for any large enterprise. Attackers will get into your networks. This rising tide of cyberattacks represents an expensive and almost existential threat to your business. Given the current set of breaches being announced almost daily, it’s both prudent and necessary to move aggressively to update your security strategy and then add the best-of-breed security technologies necessary to support it.

Some very basic technologies, implemented correctly, can make a significant impact on the potential risk to your organization. For example, by our estimate, the use of end-to-end encryption would likely have reduced the list of successful breaches in IBM’s study by over 75%. Why? Encrypted data is unintelligible to the cyber attackers and hence the breach of this data is inconsequential. Other important technologies, such as 2-factor authentication, would also have made a very significant impact in reducing the number of successful data breaches.”

Andy Norton, Director of Threat Intelligence at Lastline:

“The fact that the cost of breaches has risen so starkly shouldn’t come as a surprise to many. These mega breaches have increased sharply in recent years, and show no signs of slowing. Cybercrime has become increasingly more organised and easy to access, with ransomware-as-a-service and phishing-as-a-service packages readily available on the dark web. These breaches also work as something of a self-fulfilling prophecy, as the stolen data provides a pipeline for future cyberattacks. GDPR will also help the impact of breaches to be felt more financially, as the fines associated with poor data protection have rocketed. Although these breaches may not be a direct result of human error, a general lack of security awareness outside of IT or security departments is undoubtedly a contributing factor. A combination of educational initiatives and appropriate spending on cyber defences is the best approach to stemming the flow of data breaches.”
