Category Archives: Expert Comments

State Department Data Breach

Rich Campagna, CMO at Bitglass:

“All organizations have a responsibility to keep their employee data safe – there is no room for error. This is particularly true of governmental groups that are supposed to be serving citizens and protecting their personal information. Unfortunately, despite the amount and type of data that these organizations handle, many are unprepared when it comes to cybersecurity. The State Department’s recent authentication debacle serves as an example of this.

These kinds of breaches can have lasting consequences for all parties involved. Institutions that expose data lose the trust of employees and consumers, while individuals who have their information stolen may be forced to grapple with the long-term effects of identity theft. As such, governmental organizations must adopt modern security technologies. Dynamic identity management solutions, for instance, can verify users’ identities, detect potential intrusions, and enforce multi-factor authentication in a real-time, step-up fashion.”

Ruchika Mishra, Director of Products and Solutions at Balbix:

“It has become increasingly difficult for large organizations to watch over the ever-growing volume of end-users, devices and applications, which has accelerated with the proliferation of IoT and Industrial Control Systems (ICS) in the workplace.

Further challenges appear as organizations commonly allow employees to access their work from their own devices (BYOD), whether it is managed by their IT department or not. Government organizations, in particular, need to have full visibility into all of their IT assets and the devices accessing their network.

A proactive approach to breach avoidance starts with putting the right tools in place. While only a small percentage of State Department employees were impacted and the breach did not appear to put classified information at risk, it is clear that a number of government departments must do more to identify potential breach risk scenarios and proactively take the necessary steps to avoid future breaches.”

The ISBuzz Post: This Post State Department Data Breach appeared first on Information Security Buzz.

Credential Stuffing Attacks Target Financial Services

A new report from Akamai reveals that the financial services industry has become a prime target for credential stuffing botnets. The report highlights two attacks on financial services sites. One botnet attack caused a major financial company’s login attempts to spike from an average of approximately 50,000 an hour to over 350,000 in one afternoon. The other saw a credit union attacked by three botnets at the same time, the most dangerous not being the biggest, but the one which kept up a sustained lower level attack over a longer period so as not to arouse suspicion.

Ryan Wilk, Vice President at NuData Security:

“Based on what we’ve seen at NuData, 90% of attacks start with some sort of automation, credential stuffing being a prominent one. The software for credential stuffing is now so affordable that this type of attack is becoming accessible for almost anyone. What this means is that adversaries can automatically cycle through username and password pairs against login portals. This technique, known as credential stuffing, is a type of brute force attack whereby large sets of credentials are automatically inserted into login pages until a match with an existing account is found.

Having customers change their passwords is a temporary fix, a band-aid that doesn’t get to the root of the problem. One effective way to stop this type of attack is to implement security solutions that detect this sophisticated automated activity at login and other placements. By using technologies that include behavioural biometrics, automated activity is flagged at login before it can even test any credentials in the company’s environment. At the same time, companies should stay alert for any leaked credentials of their employees or customers along with mentions of the company and brand names across cracking forums to stay on top of this trend.”
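The two traffic shapes described above (a burst that multiplies the hourly login rate, and a botnet that deliberately stays at a low, sustained rate) can both be picked out of login logs. The following Python is an added example, not code from Akamai, NuData or the original post; it runs over a constructed log (hypothetical addresses and usernames) and shows why a per-hour volume threshold on its own misses the patient attacker:

```python
"""Flagging credential-stuffing traffic in login logs.

Two signals from the report are modelled: a volume spike (an hour far above
the usual rate) and a 'low and slow' source that stays under the volume radar
but cycles through many distinct usernames with almost no successes.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median


def build_sample_log():
    """Constructed login log, not data from any real system.
    One line per attempt: '<ISO-8601 timestamp> <src_ip> <username> <OK|FAIL>'."""
    lines = []
    start = datetime(2018, 9, 20, 0, 0, 0)
    # Hours 0-11: ten ordinary attempts per hour, one in five fails (typos).
    for h in range(12):
        for i in range(10):
            ts = start + timedelta(hours=h, minutes=i * 5)
            result = "OK" if i % 5 else "FAIL"
            lines.append(f"{ts.isoformat()} 198.51.100.{i + 1} user{i} {result}")
    # Hour 12: a botnet burst, 60 attempts from 60 addresses against 20 accounts.
    for i in range(60):
        ts = start + timedelta(hours=12, seconds=i * 30)
        lines.append(f"{ts.isoformat()} 203.0.113.{i + 1} victim{i % 20} FAIL")
    # Hours 2-9: one patient source, three fresh usernames per hour, all failing.
    for h in range(2, 10):
        for i in range(3):
            ts = start + timedelta(hours=h, minutes=7 + i * 17)
            lines.append(f"{ts.isoformat()} 10.0.0.9 acct{h * 3 + i} FAIL")
    return lines


def parse_line(line):
    ts, ip, user, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "ip": ip,
            "user": user, "ok": result == "OK"}


def hour_of(ts):
    return ts.replace(minute=0, second=0, microsecond=0)


def volume_spikes(events, ratio=3.0):
    """Hours whose attempt count exceeds `ratio` times the median of all the
    other hours. The median, not the mean, is the baseline so that one huge
    hour does not drag the baseline up and hide itself."""
    counts = defaultdict(int)
    for e in events:
        counts[hour_of(e["ts"])] += 1
    flagged = []
    for hour, n in sorted(counts.items()):
        others = [c for h, c in counts.items() if h != hour]
        if others and n > ratio * median(others):
            flagged.append((hour, n, median(others)))
    return flagged


def low_and_slow_sources(events, min_distinct_users=10, min_hours=4,
                         max_success_ratio=0.1):
    """Sources that spread attempts over many hours, try many *different*
    usernames and almost never succeed: the profile of a stuffing bot that
    throttles itself below any per-hour volume threshold."""
    per_ip = defaultdict(lambda: {"users": set(), "hours": set(), "n": 0, "ok": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["hours"].add(hour_of(e["ts"]))
        s["n"] += 1
        s["ok"] += int(e["ok"])
    return [(ip, len(s["users"]), len(s["hours"]), s["n"])
            for ip, s in per_ip.items()
            if len(s["users"]) >= min_distinct_users
            and len(s["hours"]) >= min_hours
            and s["ok"] / s["n"] <= max_success_ratio]


def analyze(lines):
    events = [parse_line(line) for line in lines]
    return {"spikes": volume_spikes(events),
            "low_and_slow": low_and_slow_sources(events)}


if __name__ == "__main__":
    report = analyze(build_sample_log())
    for hour, n, base in report["spikes"]:
        print(f"volume spike at {hour:%H}:00: {n} attempts vs baseline {base:.0f}")
    for ip, users, hours, n in report["low_and_slow"]:
        print(f"low-and-slow source {ip}: {users} usernames over {hours} hours ({n} attempts)")
```

The low-and-slow rule keys on the number of distinct usernames and active hours per source together with a near-zero success rate, a combination ordinary clients (one or two usernames each) never match. In production the same counters would be kept per source over a sliding window rather than recomputed from a whole file, and the source key would usually be broadened beyond a single IP address.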


Nonprofit Nursing Agency Hit

Details are emerging about a recent ransomware attack against VON Canada, the nation’s only nonprofit home and community care organization. Reports state that the organization discovered the problem on September 1 but as of now it hasn’t fully resumed normal operations.

They haven’t found evidence to indicate any employee, client or volunteer information has been compromised but they were forced to resort to manual operations for scheduling care and client information, compromising care for thousands of customers.

At this point, leading cyber-security experts are looking into the problem.

Caroline Seymour, Director, Product Marketing at Zerto:

“The news that VON Canada – Canada’s only national nonprofit home and community care organization – has been the target of a ransomware incident this month is concerning for the organization and the vulnerable clientele it serves. A recent analyst study determined that 50% of surveyed organizations have suffered an unrecoverable data event in the last three years. For most companies, customer loyalty, company brand and reputation are at risk. But in the health services industry, so much more is at stake: the health and survival of patients. Regrettably, prevention of these attacks is not always possible, but diminishing the threat is. For an industry that literally holds the care of thousands in its hands, it’s critical to take a more dynamic, modern approach to business continuity and disaster recovery (DR). Solutions utilizing Continuous Data Protection and hybrid cloud DR can help organizations like VON Canada better manage their IT infrastructures and achieve IT Resilience – so that downtime of more than mere seconds becomes a thing of the past.”


Mirai Authors Avoid Prison

In response to the news that the authors of the Mirai botnet have avoided prison sentences after cooperating with the FBI and providing substantial assistance in other complex cybercrime investigations, IT security experts commented below.

Nadav Avital, Threat Analytics Manager at Imperva:

“Assuming that the justice system in cases of cybercrime works in the same way as in other types of crime, it is common practice to cut a deal with the state to get a reduced sentence.

I trust that the justice system carefully weighed the consequences in this case and can only guess that the benefits from the defendants’ assistance were substantial.

The silver lining here, in my opinion, is that the Mirai authors were brought to justice. Unfortunately, the attribution problem, in the cybercrime world, is very difficult and consequently not enough criminals are apprehended.”

Jake Moore, Security Specialist at ESET:

“The idea of the FBI employing convicted criminal hackers sounds like a perfect tagline for a movie yet it’s not too farfetched when it comes as a way of injecting young hacker knowledge and enthusiasm into an arguably behind the times law enforcement body. Putting hackers inside the government seems at first a wildly unorthodox idea but when it is broken down, it could be argued as a far cheaper option on public money. Although law enforcement lacks money and young blood, it does need updating with ethical hacking techniques that could be time consuming to train the older generations, not to mention it is a far more inviting and romanticized option than jail time for the criminals.

There is always a threat that fresh-faced hackers would desire being placed on the payroll after an attack, but this can’t be the majority. Being vetted to work in highly confidential areas of law enforcement is a serious procedure and can be highly intrusive. My previous role investigating highly confidential computer forensics for the police even put me and my loved ones in interviews to talk about aspects such as finances, for fear of corruption. So when hiring potential unknowns purely on their skills, there will always be a risk attached – but like anything in cyber security, it’s about weighing up that risk.”

Sean Newman, Director Product Management at Corero Network Security:

“It’s interesting to hear reports of the Mirai botnet authors now helping law enforcement agencies.  However, with their original code in the public domain for almost two years now, and so many derivative botnets created since, it’s hard to see that this is going to make too much of an impact on the level of IoT device abuse that is now occurring and, hence, result in any reduction in the damaging DDoS attacks they have been the source of.”


Ben Herzberg, Director of Threat Research at Imperva:

“By being involved in Mirai and such activities, these people may have been exposed to more details of other criminal cyber activity. If by cutting a deal with them, the law enforcement agencies got concrete evidence about more severe criminals, they got my ‘like’.”


State Department Email Breach

Last night, it was reported that the State Department has suffered a data breach. According to reports, some employees had their personal information exposed by a breach of an unclassified email system. Other reports noted that a report published earlier this year by the Government Accountability Office, the congressional watchdog, found that the State Department had rolled out some form of two-factor authentication to only 11 percent of required agency devices, despite a legal requirement to secure all accounts with higher privileges.

Please see below for commentary from cybersecurity experts.

Sam Curry, Chief Security Officer at Cybereason:

“In the past, the State Department has turned down help from other agencies to help them identify problems and improve. There are a lot of reasons for this such as they don’t want national security agencies snooping through their networks, can’t afford any down time, etc. However, considering the immense target that the Department represents, it is not a very compelling case. One of the other challenges they face is the government procurement process. It is very difficult for State to buy new technology and continually improve the way the Global 1000 companies do and fundamentally this is likely a hack that led to a breach and not some type of insider issue. It’s no more or no less, and how it is handled, the context of it as an incident, the PII exposed, the response and the future readiness by the State Department and other agencies is what matters.”

Gary McGraw, Vice President of Security Technology at Synopsys:

“Sadly, many important departments in the US government continue to lag when it comes to computer security.  If the State Department has trouble rolling out two factor authentication to protect the majority of its users (something that many corporations have had in place for years), how can we expect other aspects of its operations to be secure?  This breach provides more evidence that leadership in computer security can more likely be found in the private sector than in the public sector.”

Ryan Wilk, VP of Customer Success at NuData Security:

“Governments and companies that provide services online must secure all the links in their security chain. Bad actors look for the weakest point to access information, so companies have to be extra diligent in keeping their security up to date on all placements. Additionally, companies that identify users online need to devalue the data that bad actors steal and use to misrepresent legitimate users – as they do in account takeover attacks. By creating a new authentication framework that identifies customers by their online behavior instead of relying on credentials, personally identifiable information such as names and passwords becomes valueless to cybercriminals. New authentication technologies which incorporate passive biometrics and behavioral analytics can identify consumers by thousands of online authenticators. This way, if credentials or devices are stolen, entities can still recognize the person behind the device or block transactions altogether when fraud is detected.”


Independence Blue Cross Data Breach

Philadelphia-based insurer Independence Blue Cross confirmed about 17,000 people have been affected by a data breach when an employee uploaded member information including names, birth dates and diagnosis codes to a public website.

Zohar Alon, Co-founder and CEO at Dome9 Security:

“The Independence Blue Cross data breach represents yet another example of an exposure of sensitive information at the hands of an employee. This underscores the critical importance of properly training all employees in an organization on cybersecurity best practices, and providing continuous educational opportunities as threats evolve. Additionally, because humans are prone to error, companies need to be looking to automate processes as much as possible, minimizing the need for human handling of data and reducing the risk of errors that can lead to data exposure.”


Cold Boot Attacks A Threat To All Modern Computers

After researchers recently demonstrated a cold boot attack, a way to physically hack into PCs, Tyler Reese, Product Manager at One Identity, explains how organisations can protect systems from these attacks and what users can do to protect their data.

Tyler Reese, Product Manager at One Identity:

“Physical security is just as important as cyber security. Organizations should make sure their systems are physically secured. Techniques such as physical locks, educating employees not to let suspicious people into the building, locking IT equipment to your desk, and employees physically securing IT equipment while traveling, such as keeping laptops in hotel safes when away from your room, are all ways that organizations can help protect against physical attacks.

Encrypting your hard drive with TPM/BitLocker, continuing to keep your operating system and applications patched, and applying new firmware/microcode updates as they become available are all important. Many computers also have tamper notification if someone has opened the case of a computer, letting the user or admin know that someone has been tampering with the internals of the system.

Users should only keep the data they need on their machines. If you have sensitive files that you don’t need access to, archive them off the machine. Cloud file services such as OneDrive have the ability to disable local caching of files so they are downloaded when needed.”


US Government Payment Service Leaks

It’s been reported this morning that a payment website – Government Payment Service Inc. – used to process US government payments for traffic citations, court-ordered fines, bail payments and more has leaked more than 14 million customer records. The leak included names, addresses, phone numbers and sections of the credit card number used. IT security experts commented below.

Andy Norton, Director of Threat Intelligence at Lastline:

“Another day, another breach. An abundance of caution has become the default cyber notification philosophy, or cyber risk culture, advocated by legal counsel following a data breach. Unfortunately we need organisations to be abundantly cautious before, not after, a data breach occurs. We need organisations to adopt AI and behavioural intelligence to reduce the risk from malicious encounters. Every organisation has a responsibility to protect our sciences, culture and freedoms. We have unpredictable opponents with obscured intentions whose constant changes suppress our awareness of the actual dangers we face. Notifications out of an abundance of caution are really just admissions of “too little, too late”. This is because we have not created a culture that addresses the asynchronous nature of cyber conflict, of unprepared defenders constantly underestimating and failing to resist the intentions of a more sophisticated attacker.”

James Hadley, CEO & Founder at Immersive Labs:

“While the article highlighted that the fix for these types of breaches is simple and incidents are preventable, these organisations should already know better and hold the security of their data to higher standards. With the ever-increasing cyber skills shortage, getting the right people to ensure these errors aren’t overlooked has proven to be increasingly difficult. One solution would be to provide better all-round cyber training on a continuous cycle to ensure cyber teams are kept up with the latest best practice. This could ensure that even non-cyber security professionals learn to be more security conscious and provide a bigger barrier when it comes to cyber criminals carrying out these easily preventable attacks.”

Lillian Tsang, Senior Data Protection and Consultant at Falanx Group:

“If we put it into context alongside the GDPR (albeit this news is US driven), the breach has resulted in a high risk to the rights and freedoms of individuals. There is the potential for identity theft and fraud, even cloning, depending on the full scale of the type of information leaked. The mastery held by hackers and the “trades” in personal information in the murky underworld are limitless.

Although the data has been leaked – this in itself is somewhere in the murky lands of it being potentially exchanged, manipulated and cloned. This part cannot be controlled. However, what can be controlled is the frequency of periodic reviews of systems and controls. GovPayNet acknowledges it “did not adequately restrict access to authorised recipients”. This could have been picked up during a Data Protection by Design and Default approach or the use of DPIAs, particularly for projects such as an online portal, as in this instance, where the velocity and volume of personal data is incredibly high. Even where Data Protection by Design and Default has not been mandated in a country, its equivalent or the standard risk assessments used in industry or specific sectors would be a good start for product and service development that processes personal data.

Whether or not there has been a leak of login details, customers should naturally be advised to change their login and password, with advice on the strength of passwords. “Cat” as a password may not cut it; “Cat2Twinkles6Liberty$” may. Reciprocal approach – entities serve customers, and customers get informed as well. Banks and relevant institutions ought to be notified. Several communication channels should be used, as opposed to a single contact channel, and not as part of a by-line with marketing material and general newsletters. Direct emails and SMS are good examples. Banners on the corporate website and advertisements in print media may also be avenues to explore.”


Nearly Half Of All Cyber Attacks Reported To ICO Are Phishing

In light of the news that nearly half of the cybersecurity incidents reported to the ICO are phishing attacks, please see a comment from David Emm, principal security researcher at Kaspersky Lab, addressing how enterprises can defend from cyber attacks.

David Emm, Principal Security Researcher at Kaspersky Lab UK:

“The fact that phishing scams account for nearly half of the cyber incidents reported to the ICO clearly shows that it remains a tactic favoured by cybercriminals, and highlights that more needs to be done to tackle this within organisations. One particular strategy which cybercriminals are utilising in order to steal money and gain access to corporate data is that of BEC (Business E-mail Compromise) – a form of phishing specifically targeted at business, especially SMBs. With this new method, cybercriminals gain access to a corporate email account and mimic the owner’s identity to trick employees, customers or partners into approving money transfers to illegal accounts.

“There are some tell-tale signs that indicate that something is a phishing message (for example, banks and other organisations never send e-mails asking for confidential data) so if employers receive such an e-mail, they should assume that it’s phishing. Remember, if it looks important, and you’re not sure, you should always call to check. Phishing relies on social engineering, i.e. manipulating human psychology. There are always new ways to try and trick people, and just like road safety, it’s best to adopt a security culture that will keep you safe in any situation – not just some that you’ve practised. For example, it’s best never to click on links in e-mails; if you adopt this rule, you never need to rely on being able to distinguish a real from a phishing link.”


Companies Are Over Reporting Data Breaches Post GDPR

The Information Commissioner’s Office revealed it has been receiving 500 reports by telephone per week since GDPR came into force, a third of which are considered to be unnecessary or fail to meet the threshold for a data incident. ICO deputy commissioner James Dipple-Johnstone revealed that misconceptions are still commonplace among organisations more than three months after GDPR came into force, leading to a large number of needless calls to the regulator.

Andy Norton, Director of Threat Intelligence at Lastline:

“In the first 32 days of GDPR coming into existence, there were 4,009 complaints lodged across the various European data protection offices. Unfortunately many of the stipulations in GDPR are currently open to subjective interpretation. For example, how does someone accurately assess the likelihood of harm coming to an affected data subject following a leak or theft of data? So, we are witnessing organisations being abundantly cautious and notifying the data regulators at any breach which has the potential for harm, in an attempt to avoid heavy fines.”


Altaba To Settle Lawsuits Relating To Yahoo Data Breach For $47 Million – Victory For Yahoo Legal Team

Following the news that Altaba will settle lawsuits relating to the Yahoo data breach for $47 million, Ilia Kolochenko, CEO of web security company High-Tech Bridge, commented below.

Ilia Kolochenko, CEO at High-Tech Bridge:

“Class actions are known to provide their members with very modest compensation compared to individual lawsuits. The settlement (subject to approval by court) makes slightly above $10 per breached account – a scanty amount in the GDPR era. Should a similar data breach happen today with the same disclosure timeline and similar circumstances, the amount of settlement could be significantly higher. Therefore, I think this is a considerable legal victory for Yahoo’s legal team.”


Post-Copyright Directive, Bright Future For Britain

Could this be one last positive from Brexit? The European Commission has scrapped 300,000 UK resident-owned .eu domain names. The EU is pushing through its anti-meme (and more importantly, data) Copyright Directive. Increasingly-frequent disruptions raise the serious question of the future of European business with such uncertainty.

The UK government is making no changes to online copyright, domains and data. This strongly signals Britain cares about its data industry and is still a place of stability for them in an otherwise ever-changing landscape. As such, the UK is well-placed to receive a boost from data industry businesses moving somewhere they are valued.

Big data expert and founder of Big Data London, the largest data event in the UK, Bill Hammond has this to say about the future of the UK in light of these changes.

Bill Hammond, Big data expert and founder at Big Data London:

“The UK’s thriving data industry is well-positioned to answer this new compliance challenge. Depending on how it is implemented this could lead to either shackles limiting the freedom of the internet, or it could be another step toward a more data-ethical society.

The new EU copyright directive voted on this Wednesday has numerous caveats and still presents a lot of uncertain ramifications. However, the amended text sets the direction for conversation on the issue, and we now know what questions to ask.

This new directive poses some thorny challenges to UK data experts that will have to be more vigilant than ever in order to be compliant to this demanding regulation.

The EU copyright directive will have consequences beyond consumers not being able to post memes online, or regulating tech giants like Google or YouTube. It will also affect SMEs and the tech start-up scene. The good news is that the directive is not one-size-fits-all, as the burden will be appropriate to the size of the company, indicating the main targets are Silicon Valley giants.

It’s up to UK data experts to inform, communicate and partner with the government in order to best implement this directive. Data experts will also have to dialogue internally and with all stakeholders to make sure they won’t get fined. Data industry should discuss best practices, the right tools and engage in the right discussions.”


GovPayNow Data Leak

It has been reported by Krebs that Government Payment Service Inc. — a company used by thousands of U.S. state and local governments to accept online payments for everything from traffic citations and licensing fees to bail payments and court-ordered fines — has leaked more than 14 million customer records dating back at least six years, including names, addresses, phone numbers and the last four digits of the payer’s credit card. IT security experts commented below.

Pravin Kothari, CEO at CipherCloud:

“Recently acquired by Securus Technologies, a Carrollton, Texas-based company, GovPayNet is a major provider of credit and debit card payments to government agencies. They process millions of payments annually to over 2,600 agencies across the United States. This past month their website GovPayNow.com exposed what has been described as at least 14 million customer receipts dating back to 2012. Securus has had other issues with cybersecurity over the past few years including the misuse of a service that tracked convicted felons’ cellphones, hackers penetrating this same system and subsequently stealing logins and legitimate credentials, and finally another flaw in May that allowed unauthorized access to accounts by guessing answers to the security questions.”

“All in all, many of these flaws are simple to find and fix. That’s not the issue. The issue is that there will always be open vulnerabilities, misconfigurations, and missing updates that attackers can exploit. You cannot fix them all. With increasing numbers and an escalating volume of persistent attacks, at some point attackers will get into your network. It is really unavoidable. Best practices today position safekeeping of your data, at all times, in a pseudonymized form. This might be achieved using technologies such as encryption and tokenization. If end-to-end encryption is used then the data would be well protected all of the time – in use, at rest (in the database), and in transit (middleware, network, API, etc.). This makes it an order of magnitude harder for the attackers to acquire useful information which they can exploit from within your on-premise networks or your cloud services.”
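As an added example (not CipherCloud’s product or code from the original post), the following Python applies the pseudonymised-storage pattern described above to a receipt record: sensitive fields are replaced by keyed tokens, the token-to-value mapping is held in a separate vault behind a role check, and a dictionary attack demonstrates why the token must be keyed rather than a plain hash. The key, field names, role name and receipt data are all hypothetical.

```python
"""Keyed tokenisation of receipt fields so that a leaked receipt table carries
pseudonyms rather than the customer's name, phone number and card digits.

Why keyed: a short field such as the last four card digits has only 10,000
possible values, so an unkeyed hash is reversed by trying them all. An HMAC
under a secret key cannot be reversed that way without the key.
"""
import hashlib
import hmac

# Demo key only (hypothetical). In production the key lives in a KMS/HSM,
# never in the same store as the data it protects.
DEMO_KEY = bytes.fromhex("2c5e7a1f9b0d4e6a8c1f3b5d7e9a0c2e4f6a8b0c2d4e6f8a1b3c5d7e9f0a1b2c")

SENSITIVE_FIELDS = ("name", "phone", "card_last4")


class TokenVault:
    """Holds the token -> raw value mapping behind its own access control.
    The application database stores tokens only."""

    def __init__(self, key):
        self._key = key
        self._store = {}

    def tokenize(self, field, value):
        # Deterministic per (field, value): the same phone number always maps
        # to the same token, so records can still be joined on it.
        tag = hmac.new(self._key, f"{field}:{value}".encode(), hashlib.sha256).hexdigest()[:16]
        token = f"tok_{field}_{tag}"
        self._store[token] = value
        return token

    def detokenize(self, token, caller_role):
        # Only an explicitly authorised role (hypothetical name) may turn a
        # token back into data; everything else works on tokens.
        if caller_role != "payments-ops":
            raise PermissionError("detokenisation not permitted for this role")
        return self._store[token]


def pseudonymize_receipt(vault, receipt):
    """Return a copy of the receipt with sensitive fields replaced by tokens."""
    out = dict(receipt)
    for field in SENSITIVE_FIELDS:
        out[field] = vault.tokenize(field, receipt[field])
    return out


def unkeyed_digest(last4):
    """What a naive 'just hash it' design would store for the card's last four."""
    return hashlib.sha256(last4.encode()).hexdigest()[:16]


def recover_last4(tag):
    """Dictionary attack: try every 4-digit string against a 16-hex-char tag.
    Succeeds against an unkeyed hash; fails against a keyed token because the
    attacker cannot compute the candidates' tags without the key."""
    for n in range(10_000):
        cand = f"{n:04d}"
        if unkeyed_digest(cand) == tag:
            return cand
    return None


if __name__ == "__main__":
    vault = TokenVault(DEMO_KEY)
    receipt = {"id": 1001, "name": "A. Example", "phone": "555-0100",
               "card_last4": "4242", "amount": "120.00"}   # constructed record
    stored = pseudonymize_receipt(vault, receipt)
    print("stored row:", stored)
    print("unkeyed hash recovered:", recover_last4(unkeyed_digest("4242")))
    print("keyed token recovered:", recover_last4(stored["card_last4"].split("_")[-1]))
    print("authorised detokenise:", vault.detokenize(stored["card_last4"], "payments-ops"))
```

The receipt table that a web application serves now holds only `tok_…` values, so a disclosure of that table (or of the receipts themselves) exposes nothing the attacker can use directly; recovering the real values requires both the vault and a role permitted to call it.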

Nick Bilogorskiy, Cybersecurity Strategist at Juniper Networks:

“Compared to other breaches this year, this one is fairly minor considering that no passwords were compromised and only partial credit card numbers were disclosed.

“Online payment providers, especially those doing business with the government, should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them. To avoid information disclosure and directory traversal issues, I also recommend denying anonymous web visitors the ability to read permissions for any sensitive data files and removing any unnecessary files from web-accessible directories.”

Javvad Malik, Security Advocate at AlienVault:

“The type of vulnerability where attackers can sequentially change the URL to see other customers’ data is a trivial vulnerability that should be picked up during the application testing phase, or via third-party penetration testing. It also appears as if the company didn’t have monitoring and threat detection controls in place that could have picked up that many accounts were being sequentially accessed.”
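The two comments above describe both halves of the fix: an ownership check on the receipt endpoint, and monitoring that notices sequential access. The following Python is an added example, not GovPayNet’s code or code from the original post, built on constructed receipt data, addresses and access-log lines; it puts the vulnerable lookup beside the hardened one and flags a client walking consecutive IDs:

```python
"""Receipt lookup by numeric ID: the unauthenticated 'before', the hardened
'after' with a login and ownership check, and a detector for the sequential
ID walk that such an endpoint invites."""
from collections import defaultdict
from datetime import datetime

# Constructed receipt store (hypothetical data): id -> (owner, card last 4, amount)
RECEIPTS = {
    1001: ("alice", "4242", "120.00"),
    1002: ("bob", "1881", "45.50"),
    1003: ("carol", "0005", "300.00"),
}


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def get_receipt_vulnerable(receipt_id, session_user=None):
    """'Before': the URL parameter alone selects the record. Anyone who can
    count can read every customer's receipt."""
    return RECEIPTS.get(receipt_id)


def get_receipt_hardened(receipt_id, session_user):
    """'After': require a logged-in session and that the receipt belongs to it.
    A missing receipt and somebody else's receipt get the same answer, so the
    response does not confirm which IDs exist."""
    if session_user is None:
        raise Unauthenticated()
    rec = RECEIPTS.get(receipt_id)
    if rec is None or rec[0] != session_user:
        raise Forbidden()
    return rec


def access_outcome(receipt_id, session_user):
    """Outcome of the hardened lookup as a string (handy for logging and tests)."""
    try:
        get_receipt_hardened(receipt_id, session_user)
        return "ok"
    except Unauthenticated:
        return "unauthenticated"
    except Forbidden:
        return "forbidden"


def longest_sequential_run(ids):
    """Length of the longest run in which each ID is the previous one plus one."""
    if not ids:
        return 0
    best = run = 1
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def enumeration_sources(access_lines, min_run=5):
    """Flag (ip, user) pairs whose receipt requests, in time order, walk
    consecutive IDs for at least `min_run` steps. Line format (constructed):
    '<ISO-8601 timestamp> <src_ip> <user|-> GET /receipt/<id> <status>'."""
    by_src = defaultdict(list)
    for line in access_lines:
        ts, ip, user, _method, path, _status = line.split()
        by_src[(ip, user)].append((datetime.fromisoformat(ts), int(path.rsplit("/", 1)[1])))
    flagged = []
    for (ip, user), reqs in by_src.items():
        ids = [rid for _, rid in sorted(reqs)]
        run = longest_sequential_run(ids)
        if run >= min_run:
            flagged.append((ip, user, run, len(set(ids))))
    return flagged


def sample_access_log():
    """Constructed access log: two legitimate users plus one anonymous client
    walking IDs 1000..1011 (hypothetical addresses)."""
    lines = ["2018-09-17T10:00:00 198.51.100.5 alice GET /receipt/1001 200",
             "2018-09-17T10:02:00 198.51.100.6 bob GET /receipt/1002 200",
             "2018-09-17T10:03:00 198.51.100.5 alice GET /receipt/1001 200"]
    for i in range(12):
        lines.append(f"2018-09-17T11:00:{i:02d} 203.0.113.7 - GET /receipt/{1000 + i} 200")
    return lines


if __name__ == "__main__":
    print("vulnerable, no session:", get_receipt_vulnerable(1002))
    print("hardened, wrong user:", access_outcome(1002, "alice"))
    for ip, user, run, distinct in enumeration_sources(sample_access_log()):
        print(f"enumeration from {ip} (user {user}): {run} consecutive IDs, {distinct} distinct")
```

Serving receipts only over HTTPS, as the earlier comment recommends, is a separate control; it stops eavesdroppers, not a client that is legitimately talking to the server and simply asking for the wrong record, which is why the ownership check is needed as well.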


Students Blamed For University And College Cyber-Attacks

A security analysis of cyber-attacks against universities and colleges in the UK has found that staff or students, rather than organised crime or hacking groups, could often be responsible. Jisc, a government-funded agency that provides cyber-security, examined the timing of 850 attacks in 2017-18 and found a “clear pattern” of attacks concentrated during term time and the working day; when the holidays begin, “the number of attacks decreases dramatically”. Dave Aitel, Chief Technology Officer, Security at Cyxtera, commented below.

Dave Aitel, Chief Technology Officer, Security at Cyxtera:

“Generally, a single indicator, like timing of attacks, shouldn’t be the primary attribution method. For example, it’s possible that attacks decrease when students are on vacation because attackers know they won’t be as responsive, so phishing attempts will be less successful.”


Why University Breach Is Likely Caused By Staff And Students

A recent security analysis of cyber-attacks against universities and colleges in the UK has found that staff or students could be responsible. Dr Guy Bunker, SVP of Products at data security company Clearswift, commented below, revealing why the insider is a major threat to organisations and what universities and similar bodies can do to mitigate the risk, including promoting cybersecurity as a career choice.

Dr Guy Bunker, SVP of Products at Clearswift:

 Guy Bunker“It’s very easy in this day and age to immediately jump to the conclusion that external cybercriminals are responsible for cyber-attacks and breaches, despite research indicating that most attacks come from inside the organisation. In this instance, this appears to be the case, with the pattern of attacks being linked to term time and during the day (no doubt students have better things to do in the evenings!) Add to this, that students see the educational network they are on as a ‘safe’ place to carry out their early forays into cyber-attacks, ‘I wonder if we can…’ being a common attitude. As with any cyber-attack, organisations need to be prepared, monitoring networks for anomalous behaviour and then tracking down the source. The monitoring needs to happen on the gateways to the Internet as well as internal networks, as this will cover both eventualities of an external attack as well as an internal one.

“There are a number of alternative scenarios to be considered here too. It could be that an external cyber-criminal has gained access to legitimate credentials – such as usernames or passwords – in order to launch an attack inside. In this case, monitoring then needs to extend to the time/day of logins as well. Going about an attack in this way, there is a considerable amount of information that can be gathered, which then creates the resource issue for the university of correlating and then analysing data to figure out what to do next. It could also be that student devices, laptops, smart phones, tablets, can become infected with malware because of IoT and cause issues when connecting to the network. This reiterates why a segregated network for ‘uncontrolled’ devices is essential. It also becomes even more important to put strong defences around research which could be targeted by external cyber-criminals.

“We are short of cyber security experts in the UK (and across Europe and the world), so it would be ideal if the internal students who are doing these things could be encouraged to put their skills to better use and potentially a career in cybersecurity. There are a number of great national initiatives, such as the Cyber Security Challenge, but it is also possible for universities to arrange local events, hackathons, etc to encourage participation. Educating people on how to cyber-attack an academic network is a bad idea – but encouraging people with the skills to become ‘white hats’ is a way to start to close the skills gap. For those who are truly being malicious, there is a need to find them and take appropriate actions, but this isn’t easy. Putting in place appropriate monitoring will help, but perhaps an amnesty with a constructive programme of education and training might work better in this instance for the majority.”
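The two points above, Jisc's term-time/working-day pattern and the suggestion that login monitoring should extend to time and day, can be turned into a simple triage pass over an authentication log. The following is an added example written for this page, not code from Jisc, Clearswift or the article; the term dates, user names and log lines are constructed sample data, and a real deployment would load them from the institution's own calendar and log source.

```python
"""Bucket campus authentication events by term time and working hours.

Added example (constructed data, not from the article): labels each login as
term/working-hours, term/out-of-hours or holiday, then lists successful logins
outside term-time working hours together with whether the source address was
ever used by that account in-hours. That is the 'legitimate credentials used
by an outsider' case the comment says monitoring should cover.
"""
from collections import Counter, defaultdict
from datetime import date, datetime, time

# Constructed term dates for one academic year (inclusive).
TERMS = [
    (date(2017, 9, 25), date(2017, 12, 15)),
    (date(2018, 1, 8), date(2018, 3, 23)),
    (date(2018, 4, 16), date(2018, 6, 15)),
]
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed working day

# Constructed log lines: ISO timestamp, user, source IP, result.
SAMPLE_LOG = """\
2018-03-06T09:12:04 alice 10.20.1.15 success
2018-03-06T11:40:19 bob 10.20.4.8 success
2018-03-06T14:03:55 alice 10.20.1.15 success
2018-03-07T10:02:41 bob 10.20.4.8 success
2018-03-07T22:47:13 bob 10.20.4.8 failure
2018-03-08T03:15:28 alice 203.0.113.77 success
2018-03-31T13:30:02 bob 10.20.4.8 success
2018-04-02T02:58:46 bob 198.51.100.9 success
"""


def parse_line(line):
    ts, user, src, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src, "result": result}


def in_term(d):
    return any(start <= d <= end for start, end in TERMS)


def bucket(ts):
    """Term/holiday and working-hours label for one timestamp."""
    if not in_term(ts.date()):
        return "holiday"
    if ts.weekday() >= 5 or not (WORK_START <= ts.time() < WORK_END):
        return "term/out-of-hours"
    return "term/working-hours"


def bucket_counts(log_text):
    """Counts per bucket: the Jisc-style view of when activity happens."""
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    return Counter(bucket(e["ts"]) for e in events)


def off_hours_successes(log_text):
    """Successful logins outside term-time working hours, in log order.

    new_source is True when the address was never used by that account for an
    in-hours login, so a 3am success from an unfamiliar address ranks first.
    """
    events = [parse_line(ln) for ln in log_text.splitlines() if ln.strip()]
    usual_src = defaultdict(set)
    for e in events:
        if e["result"] == "success" and bucket(e["ts"]) == "term/working-hours":
            usual_src[e["user"]].add(e["src"])
    findings = []
    for e in events:
        if e["result"] != "success" or bucket(e["ts"]) == "term/working-hours":
            continue
        findings.append({"user": e["user"], "ts": e["ts"].isoformat(), "src": e["src"],
                         "bucket": bucket(e["ts"]),
                         "new_source": e["src"] not in usual_src[e["user"]]})
    return findings
```

On the sample data this yields four working-hours, two out-of-hours and two holiday events, and three off-hours successes, of which the two from addresses never seen in-hours are the ones worth correlating with gateway logs.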

Amazon Investigation

Amazon is investigating allegations that some employees may have sold customer data to third-party companies that Amazon did business with particularly in China. IT security experts commented below.

Niles Rowland, Director of Product Development at The Media Trust:

“Most threats are internal and they can cause the most significant damage. These threats include those related to third parties with whom organizations have become increasingly dependent. And, when you transplant operations to geographies where legal infrastructures are weaker, these threats can escalate. The growing number of consumer data protection laws like GDPR that are sweeping across the world will require companies to be more vigilant about how they and their third parties collect, process, share, and store personally identifiable information. These laws should be a top management and board issue because they can have an impact on how businesses perform and are evaluated. Lack of preparation for these laws can result not only in penalties tied to infringement of such laws, but also shareholder lawsuits if the lack of preparedness impacts shareholder value.”

Matt West, CRO at Feefo: 

“Deleting negative reviews is counter-intuitive. Not only does it falsely distort the image of the product or services a company like Amazon is selling, but it also causes doubt in the consumers’ minds that the reviews are even real in the first place; a wholly positive picture is too good to be true,” said Matt West, CRO at Feefo.

“It’s rare to buy something online without seeing some negative sentiment, and in most cases it’s not even about the product but poor delivery, for example. Businesses need to realise that consumers value trust and transparency above all else; our research indicates that 89% of UK consumers agree with this.

“This demonstrates the need for retailers to become more transparent. Retailers must ensure their customers are basing decisions on real opinions of other customers rather than cherry-picked, positive reviews that suit the retailer, in order for customers to trust them. A direct result will be customers sticking with that brand for the long term.”

Getting Hooked On Phishing

One in every one hundred emails is a phishing or malicious email, according to a study by FireEye.

Thomas Pore, Director of IT and Services at Plixer:

“Phishing has been around since the mid-to-late 90’s, and yet it’s still a significant problem as a direct effect of how successful it remains, even decades later. People are, and always will be, the weakest link. Social engineering will succeed, which means your organization is vulnerable. You must constantly monitor network traffic and digital communication to look for behavior anomalies. Operating the SOC under the assumption that you’ve already been infected puts you in a state of mind to stay diligent when network traffic behavior anomalies rise up. A combination of regular staff training, critical asset tagging, patching and behavior anomaly detection is the foundation of a strong and successful security program.”

ICO Inundated With False Data Breach Reports Since GDPR Came Into Force

Following the Information Commissioner’s Office (ICO) report that reveals it has been receiving 500 reports by telephone per week since GDPR came into force, a third of which are considered to be unnecessary or fail to meet the threshold for a data incident, Lillian Tsang, Senior Data Protection and Privacy Consultant at Falanx Group, explains why this over-reporting is happening, what organisations can do to reduce it, and how it may affect the ICO and its ability to deal with genuine data breach reports.

Lillian Tsang, Senior Data Protection and Privacy Consultant at Falanx Group:

“The over-reporting is due to companies wanting to do the “right” thing and wanting to report breaches as and when they occur. It is difficult for a company to decide what is a reportable breach and what is not, even though the legislation is clear. It is the assessment, “whether a breach poses a fundamental risk to people’s rights and freedoms”, which makes a breach reportable – this part is the difficult/uncertain element that a company faces. A company would have to come down to a decision and it would be their decision alone, so it can become a matter of subjectivity: a case of “do we or don’t we”. Companies don’t want to play a guessing game because they would rather report a breach, to avoid fines for non-reporting (10 million euros / 2% of global annual turnover), than potentially face the financial and reputational consequences. A breach where sensitive data is leaked relating to individuals is reportable, but an outage where individuals cannot access their personal data is not going to cause too much distress in most cases. However, such outages are commonly reported because companies would “rather be safe than sorry”.

Companies should have a clear breach reporting procedure. They should outline which types of “incident” are worth reporting and those that are not. This will help them make a decision within the allotted 72-hour time period, which isn’t a great deal of time to make an assessment. This is probably another reason why breaches get reported so quickly, in keeping with the “more safe than sorry” approach. It is also important that these criteria are shared and adopted throughout the whole organisation by training staff and creating greater awareness. Understanding the products and services where potential risks of a fundamental breach might occur is also vital, using tools such as privacy by design and data protection impact assessments continuously throughout the whole product life cycle. Finally, companies need to look at and understand guidance from the regulator (UK – ICO) and the European Commission.

I think the ICO are inundated enough, not only in the breach reporting division. Given the ICO has first-hand knowledge of the types of breaches coming forward, they might want to expand on their guidance over time and provide explicit examples, given they know what they are rejecting and upholding.”

Benefits Of Biometrics

The latest report from Goode Intelligence lays out the business benefits of biometrics for companies to help authenticate customers. The report shows that once a customer is established, customer satisfaction goes up due to less transactional friction.

Ryan Wilk, VP of Customer Success at NuData Security:

“Physical biometrics is helping companies verify users without creating cumbersome authentication processes. Many businesses are also including passive biometrics in their arsenal to transparently verify users and only ask for a physical biometrics step up to those who show high-risk signals. Passive and physical biometrics can work in conjunction so that customers can be identified beyond their credentials as the correct person behind the device. With behavioral identifiers, online companies can make an informed decision on each transaction without the need for step ups. The benefits for customers are an enhanced user experience that is easy and convenient while online companies can cut cybercriminals out of the equation. This type of approach helps companies even during high-traffic seasons, where cybercriminals try to blend in with holiday shoppers.”

Two-Thirds Of German Manufacturers Hit By Cyber Attacks, Costing $50 Billion

Research has found that two thirds of Germany’s manufacturers have been hit by cyber-crime attacks, costing industry in Europe’s largest economy some 43 billion euros ($50 billion). Industry association Bitkom surveyed 503 top managers and security chiefs from across Germany’s manufacturing sector, and found the small and medium-sized companies that are the economy’s backbone were particularly vulnerable to attacks.

James Hadley, CEO and Founder at Immersive Labs:

“Many cyber authorities from across Europe have recently delivered warnings to industry, advising them that cyber security is no longer a strategy to be created and then forgotten about. Instead, as echoed by Bitkom, a cyber security strategy should be taken seriously as a constantly developing process that starts with the CEO and carried throughout the business.”

GCHQ Found To Be In Breach Of Privacy Rules

Randhir Shinde, CEO at Galaxkey:

“The government is far too complacent about data privacy – it does not understand data, nor its intimacy, and would rather give its intelligence agencies free rein to violate our digital privacy.

“This access helps fight external threats, such as terrorism and hostile state activity, but there comes a point when our individual rights need to come first. Otherwise we erode the rights and standards we seek to protect. It could only take one crisis for this power to be abused, for evermore invasive surveillance to become the norm.

“If these invasions of privacy go unchecked, we risk setting the path for a tomorrow that apes China, a country where the government is using cyber-surveillance to remove all privacy from an individual’s life.”

Freshmenu Fails To Inform Users Of Data Breach

It’s been reported that cloud kitchen platform Freshmenu has come under severe attack over allegations that it chose to keep under wraps a data breach two years ago that exposed the personal information of over 110,000 users. The incident from July 2016 was brought to light this week by data breach-tracker HaveIBeenPwned.com. As per HIBP, a breach in the systems of Freshmenu exposed personal data including names, email addresses, phone numbers, home addresses, and order histories.

Tim Mackey, Senior Technical Evangelist at Synopsys:

“With India’s Freshmenu withholding disclosure of a data breach for over two years, we’re reminded why the EU enacted GDPR and why India is in the process of enacting its own personal information law – currently known in draft form as Personal Data Protection Bill 2018. Customers place their trust in organisations for a variety of reasons, but given modern business involves the collection and processing of personal data, all organisations have a responsibility to safeguard their customer data. Part of the data safeguard process involves ensuring users are aware of when an event which compromises their data has occurred.

Historically, organisations experiencing data breaches attempted to protect their brand reputation by failing to disclose any breach. In doing so, these organisations permitted successful malicious activity to continue because other organisations were effectively prevented from learning the techniques used by successful attacks. Lack of disclosure further prevented their users from being an active participant in protecting their personal data from future attacks.

With GDPR, as described in Article 33(1), a 72-hour window was defined wherein the breached organisation is required to notify the appropriate regulatory body. The current draft of India’s Data Protection Bill lacks such a window, preferring instead for disclosures to the Data Protection Authority of India to occur when, as described in section 32(1), the breached organisation determines “such breach is likely to cause harm to any data principal”. Put another way, upon identifying that a breach has occurred, it is the breached entity’s responsibility to determine whether harm to a user or customer could occur, and only then would disclosure to regulators be required.

Such requirements are in direct conflict with the stated purpose of the Bill: “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy”. It is my hope that India’s regulators will reconcile this disconnect and mandate disclosures to the Data Protection Authority upon any data breach. Doing so would not only increase customer and user confidence, but also improve overall data security through sharing of learned experiences.”

Latest Report From Threatmetric Re: Mobile Fraud

Sam Bakken from OneSpan comments on new research that shows a sharp rise in mobile transactions and mobile attacks.

Sam Bakken at OneSpan:

“This proves yet again that criminals are opportunistic–they follow the money. So it comes as no surprise that with more consumers transacting via mobile apps, the mobile channel becomes a juicier target and worth malicious actors’ time researching, developing and executing attacks.

Businesses have a challenge. They absolutely must offer differentiated mobile services or they risk losing customers to other providers that do. At the same time, a number of reports on fraud in the first half of the year show the threat increasing, so what is a business to do? Contextual data from mobile devices helps provide stronger authentication, which helps mitigate some of the risk. Yet the fact remains that mobile devices are still untrusted environments.

Financial institutions in particular must ensure the integrity of the device and the mobile app that resides upon it, and this goes beyond secure coding. The app’s runtime itself needs to be protected. For example, free tools make it easier and easier for individuals with a certain level of skill to inject code into an app at runtime to bypass authentication controls. So, real-time monitoring of these sorts of external threats becomes all the more important as attackers invest more and more resources in attempting to defraud organizations via the mobile channel.

Even if a security-conscious app maker follows mobile app security best practices throughout their software development lifecycle, other vulnerable apps or malware on their users’ Android devices can put them at risk. Depending on the importance of the app to their customer experience and revenue generating activities, it makes vulnerable apps a serious issue that should be included in their threat models. For example, a number of Trojans have made it onto the Google Play store itself. If a user downloads a Trojan to their device, the Trojan probably targets financial services apps and may launch an attack on a developer’s app. App makers need to protect their apps’ runtime against external threats over which they don’t have control such as malware or other benign but vulnerable apps.

Consumers also need to be careful because developers don’t always have their customers’ best interests in mind when it comes to mobile app security. It’s all too common that getting new features out the door will take priority over security. And these days we’re carrying mobile devices with us everywhere and sharing untold amounts of personal data with apps on those devices (knowingly or unknowingly). If those devices and apps aren’t secured, consumers are at risk. It’s not always possible, but whenever it is, consumers should research the security practices of the developers of apps they use and only download apps from official sources wherever possible (though malicious apps still make it into those marketplaces).”

UK Business Leaders Warned About Cybersecurity

British business leaders need to extend their cyber security defences beyond the threat posed by Russia to other states and criminal syndicates, one of the UK’s leading spymasters has warned.

In an interview with the Financial Times, Ciaran Martin, chief executive of the UK’s National Cyber Security Centre, which is part of the communications intelligence agency GCHQ, said that while Russia remained a serious threat to businesses, Iran and North Korea, as well as international cyber criminals, presented equal if not greater risks. IT security experts commented below.

Andy Norton, Director of Threat Intelligence at Lastline:

“Unfortunately the advice given is not actionable. How can businesses protect themselves from Russian national interests, when in actual fact they don’t know how to protect themselves from Russian inspired cyber attacks in the first place?

The UK needs a “cyber home front” initiative. It is in an Asynchronous Warfare situation, and the attackers constantly obscure their real intentions with a mosaic of apparently unstructured intrusions against any and all economic and political targets. This serves to dull our awareness to the overarching strategic goal of reducing western economic power, constricting political alliances and isolating individual nations.

The question that needs to be asked is “in a state of cyber warfare, what should we do differently?” and the answer to that question needs to be delivered to business leaders. Then, we might stop the death of a thousand cuts.”

Tim Helming, Director of Product Management at DomainTools:

“While it’s a sad fact that these measures are needed in the current geopolitical climate, it is a fact nonetheless. Threat actors from a number of hostile states are engaging in campaigns of cyber disruption and warfare in order to destabilise and damage political process in the West and further their own political aims: this is evident on both sides of the Atlantic. Detailed threat intelligence on the context and sources of these campaigns is necessary, but increasingly difficult to carry out in the current legislative climate. Much has been said of the dangers of cyber threats to physical infrastructure, but the threats to our political infrastructure can affect something even more critical: our democracies.”

Josef Williamson, Threat Intelligence Analyst at EclecticIQ:

“Today’s five-question guide for boards by the NCSC is a welcome initiative in light of recent incidents like the British Airways breach. It’s vital that cyber strategy is discussed at board level and that organisations begin to take a more proactive approach to their cyber defences, considering their responses to the key questions outlined this morning. Providing organisations with best practice in a formal toolkit later this year will ensure UK businesses have the best chance of defending against any potential threats.

“The next step from there is that businesses become more open in their intelligence sharing, putting collaboration at the centre of the fight against the evolving threat landscape. Standards are maturing, technology is maturing, and there is a big push from government to set up collaborative initiatives to ensure the public and private sectors are sharing insight on threats. Transparency is vital to success in business, and embracing a stance of openness can not only improve a business’s view of cyber threats, but can also fuel a wider cyber intelligence revolution.”

Companies Should Gear Up To Handle Data Privacy Laws

Freshmenu, a cloud kitchen platform, is garnering criticism for not informing customers of a breach two years ago that exposed the personal information of 110,000 users. It is incidents like these that are propelling countries to institute strict data protection laws.

Niles Rowland, Director of Product Development at The Media Trust:

“Few companies will escape the growing number of consumer data privacy laws sweeping across geographies. In India, the government is considering a bill that requires companies to, among other things, appoint a data privacy officer, have annual third-party audits of data collection processes, and notify regulators and individuals of a breach. Penalties for infringing the proposed bill can amount to as much as 2% of the previous year’s turnover. Companies should therefore start gearing up for new laws that will impact how they operate and how their performance is evaluated. A breach in today’s post-GDPR world could lead to a perfect storm of issues, not the least of which are shareholder lawsuits.”