Category Archives: Incidents

What’s new in Windows Defender ATP

Across Windows Defender Advanced Threat Protection (Windows Defender ATP) engineering and research teams, innovation drives our mission to protect devices in the modern workplace. Our goal is to equip security teams with the tools and insights to protect, detect, investigate, and automatically respond to attacks. We continue to be inspired by feedback from customers and partners, who share with us the day-to-day realities of security operations teams constantly keeping up with the onslaught of threats.

Today Im excited to share with you some of the latest significant enhancements to Windows Defender ATP. We added new capabilities to each of the pillars of Windows Defender ATPs unified endpoint protection platform: improved attack surface reduction, better-than-ever next-gen protection, more powerful post-breach detection and response, enhanced automation capabilities, more security insights, and expanded threat hunting. These enhancements boost Windows Defender ATP and accrue to the broader Microsoft Threat Protection, an integrated solution for securing identities, endpoints, cloud apps, and infrastructure.

Lets look now at some of the new enhancements to Windows Defender ATP:

New attack surface reduction rules

Attack surface reduction forms the backbone of our answer to a host intrusion and prevention system (HIPS). Attack surface reduction protects devices directly, by controlling and limiting the ways in which threats can operate on a device. Today we are announcing two new rules:

  • Block Office communication applications from creating child processes
  • Block Adobe Reader from creating child processes

These new rules allow enterprises to prevent child processes from being created from Office communication apps (including Outlook) and from Adobe Reader, right at the workstation level. These help eliminate many types of attacks, especially those using macro and vulnerability exploits. We have also added improved customization for exclusions and allow lists, which can work for folders and even individual files.

Emergency security intelligence updates

Emergency security intelligence updates are new, super-fast delivery method for protection knowledge. In the event of an outbreak, Windows Defender ATP research team can now issue an emergency request to all cloud-connected enterprise devices to immediately pull dedicated intelligence updates directly from the Windows Defender ATP cloud. This reduces the need for security admins to take action or wait for internal client update infrastructure to catch up, which often takes hours or even longer, depending on configuration. Theres no special configuration for this other than ensuring cloud-delivered protection is enabled on devices.

Top scores in independent industry tests

Machine learning and artificial intelligence drive our Windows Defender ATP solution to block 5 billion threats every month and to consistently achieve top scores in independent industry tests: perfect scores in protection, usability, and performance test modules in the latest evaluation by AV-TEST; 99.8% protection rate in the latest real-world test by AV-Comparatives; and AAA accuracy rating in the latest SE Labs test.

We have added dedicated detections for cryptocurrency mining malware (coin miners) which have increasingly become a problem, even for enterprises. We have also increased our focus on detecting and disrupting tech support scams while they are happening.

Protecting our security subsystems using sandboxing

Weve also continued to invest in hardening our platform to make it harder for malicious actors to exploit vulnerabilities and bypass the operating systems built-in security features. Weve done this by putting Windows Defender ATPs antivirus in a dedicated sandbox. Sandboxing makes it significantly more difficult for an attacker to tamper with and exploit the antivirus solution as a means to compromise the device itself.

Evolving from individual alerts to Incidents

We are introducing Incidents, an aggregated view that helps security analysts to understand the bigger context of a complex security event. As attacks become more sophisticated, security analysts face the challenge of reconstructing the story of an attack. This includes identifying all related alerts and artifacts across all impacted machines and then correlating all of these across the entire timeline of an attack.

With Incidents, related alerts are grouped together, along with machines involved and the corresponding automated investigations, presenting all collected evidences and showing the end-to-end breadth and scope of an attack. By transforming the queue from hundreds of individual alerts to a more manageable number of meaningful aggregations, Incidents eliminate the need to review alerts sequentially and to manually correlated malicious events across the organization, saving up to 80% of analyst time.

The Incident graph view shows you the relations between the entities, with additional details in the side pane when click on an item.

Automating response for fileless attacks

We expanded automation in Windows Defender ATP to automatically investigate and remediate memory-based attacks, also known as fileless threats. We see more and more of these memory-based threats, and while weve had the optics to detect them, security analysts needed special investigation skills to solve them. Windows Defender ATP can now leverage automated memory forensics to incriminate memory regions and perform required in-memory remediation actions.

With this new unique capability, we are shifting from simply alerting to a fully automated investigation and resolution flow for memory-based attacks. This increases the range of threats addressable by automation and further reduces the load on security teams.

Process injection automatically investigated and remediated

Threat analytics

Threat analytics is a set of interactive threat intelligence reports published by our research team as soon as emerging threats and outbreaks are identified. The Threat analytics dashboard provides technical description and data about a threat, and answer the key question, Does WDATP detect this threat?. It also provides recommended actions to contain and prevent specific threats, as well as increase organizational resilience.

But we dont stop there. We also provide an assessment of the impact of threats on your environment (Am I hit?), as well as show a view of how many machines were protected (Were you able to stop this?) and how may are exposed to the threat because they are not up-to-date or are misconfigured (Am I exposed?).

Threat analytics dashboard

Custom detection rules

With Advanced hunting, security analysts love the power they now have to hunt for possible threats across their organization using flexible queries. A growing community of security researchers share their queries with others using the GitHub community repository. These queries can now also be used as custom detection rules, which means that these queries will automatically create and raise an alert when a scheduled query returns a result.

Creating custom detection rules from advance hunting queries

Integration with Microsoft Information Protection

Windows Defender ATP now provides built-in capabilities for discovery and protection of sensitive data on enterprise endpoints. We have integrated with Azure Information Protection (AIP) Data Discovery, providing visibility to labeled files stored on endpoints. AIP dashboard and log analytics will include files discovered on Windows devices alongside device risk info from Windows Defender ATP, allowing customers to discover sensitive data at risk on Windows endpoints.

Windows Defender ATP can also automatically protect sensitive files based on their label. Through Office Security and Compliance (SCC) policy, Windows Defender ATP automatically enables Windows Information Protection (WIP) for files with labels that correspond to Office SCC policy.

Integration with Microsoft Cloud App Security

Windows Defender ATP uniquely integrates with Microsoft Cloud App Security to enhance the discovery of shadow IT in an organization as seen from enterprise endpoints. Windows Defender ATP provides a simplified rollout of Cloud App Security discovery as it feeds Cloud App Security with endpoints signals, reducing the need for collecting signals via corporate proxies and allowing seamless collection of signals even when endpoints are outside of the corporate network.

Through this integration, Microsoft Cloud App Security leverages Windows Defender ATP to collect traffic information about client-based and browser-based cloud apps and services being accessed from IT-managed Windows 10 devices. This seamless integration does not require any additional deployment and gives admins a more complete view of the usage of cloud apps and services in their organization.

Innovations that work for you today and the future

These new features in Windows Defender Advanced Threat Protection unified security platform combine the world-class expertise inside Microsoft and the insightful feedback from you, our customers, who we built these solutions for. We ask that you continue to engage and partner with us as we continue to evolve Windows Defender ATP.

You can test all new and existing features by signing up to a free 60-day fully featured Windows Defender ATP trial. You can also test drive attack surface reduction and next-gen protection capabilities using the Windows Defender demo page or run DIY simulations for features like Incidents, automated investigation and response, and others directly from the Windows Defender security center portal to see how these capabilities help your organization in real-world scenarios.

Meanwhile, the work to stay ahead of threats doesnt stop. You can count on the Windows Defender ATP team to continue innovating, learning from our own experiences, and partnering with you to empower you to confidently protect, detect, and respond to advanced attacks.

 

 

Moti Gindi
General Manager, Windows Cyber Defense

 

 

 


Talk to us

Questions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security Intelligence.

Follow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.

The post What’s new in Windows Defender ATP appeared first on Microsoft Secure.

NBlog Nov 13 – what to ask in a security gap assessment (reprise)

Today on the ISO27k Forum, a newly-appointed Information Security Officer asked us for "a suitable set of questions ... to conduct security reviews internally to departments".

I pointed him at "What to ask in a gap assessment" ... and made the point that if I were him, I wouldn't actually start with ISO/IEC 27002's security controls as he implied. I'd start two steps back from there:
  1. One step back from the information security controls controls are the information risks. The controls help address the risks by avoiding, reducing or limiting the number and severity of incidents affecting or involving information: but what information needs to be protected, and against what kinds of incident? Without knowing that, I don't see how you can decide which controls are or are not appropriate, nor evaluate the controls in place.
  2. Two steps back takes us to the organizational or business context for information and the associated risks. Contrast, say, a commercial airline company against a government department: some of their information is used for similar purposes (i.e. general business administration and employee comms) but some is quite different (e.g. the airline is heavily reliant on customer and engineering information that few government departments would use if at all). Risks and controls for the latter would obviously differ ... but less obviously there are probably differences even in the former - different business priorities and concerns, different vulnerabilities and threats. The risks, and hence the controls needed, depend on the situation.
I recommend several parallel activities for a new info sec pro, ISO, ISM or CISO – a stack of homework to get started:
  • First, I find it helps to start any new role deliberately and consciously “on receivei.e. actively listening for the first few weeks at least, making contacts with your colleagues and sources and finding out what matters to them.  Try not to comment or criticize or commit to anything much at this stage, although that makes it an interesting challenge to get people to open up!  Keep rough notes as things fall into place.  Mind-mapping may help here.
  • Explore the information risks of most obvious concern to your business. Examples:
    • A manufacturing company typically cares most about its manufacturing/factory production processes, systems and data, plus its critical supplies and customers;
    • A services company typically cares most about customer service, plus privacy;
    • A government department typically cares most about ‘not embarrassing the minister’ i.e. compliance with laws, regs and internal policies & procedures;
    • A healthcare company typically cares most about privacy, integrity and availability of patient/client data;
    • Any company cares about strategy, finance, internal comms, HR, supply chains and so on – general business information – as well as compliance with laws, regs and contracts imposed on it - but which ones, specifically, and to what extent?;
    • Any [sensible!] company in a highly competitive field of business cares intensely about protecting its business information from competitors, and most commercial organizations actively gather, assess and exploit information on or from competitors, suppliers, partners and customers, plus industry regulators, owners and authorities;
    • Not-for-profit organizations care about their core missions, of course, plus finances and people and more (they are business-like, albeit often run on a shoestring);
    • A mature organization is likely to have structured and stable processes and systems (which may or may not be secure!) whereas a new greenfield or immature organization is likely to be more fluid, less regimented (and probably insecure!);
  • Keep an eye out for improvement opportunities - a polite way of saying there are information risks of concern, plus ways to increase efficiency and effectiveness – but don’t just assume that you need to fix all the security issues instantly: it’s more a matter of first figuring out you and your organization’s priorities. Being information risk-aligned suits the structured ISO27k approach. It doesn’t hurt to mention them to the relevant people and chat about them, but be clear that you are ‘just exploring options’ not ‘making plans’ at this stage: watch their reactions and body language closely and think on;
  • Consider the broader historical and organizational context, as well as the specifics. For instance:
    • How did things end up the way they are today? What most influenced or determined things? Are there any stand-out issues or incidents, or current and future challenges, that come up often and resonate with people?
    • Where are things headed? Is there an appetite to ‘sort this mess out’ or conversely a reluctance or intense fear of doing anything that might rock the boat? Are there particular drivers or imperatives or opportunities, such as business changes or compliance obligations? Are there any ongoing initiatives that do, could or should have an infosec element to them?
    • Is the organization generally resilient and strong, or fragile and weak? Look for examples of each, comparing and contrasting. A SWOT or PEST analysis generally works for me. This has a bearing on the safe or reckless acceptance of information and other risks;
    • Is information risk and security an alien concept, something best left to the grunts deep within IT, or a broad business issue? Is it an imposed imperative or a business opportunity, a budget black hole (cost centre) or an investment (profit centre)? Does it support and enable the business, or constrain and prevent it?
    • Notice the power and status of managers, departments and functions. Who are the movers and shakers? Who are the blockers and naysayers? Who are the best-connected, the most influential, the bright stars? Who is getting stuff done, and who isn’t? Why is that?
    • How would you characterize and describe the corporate culture? What are its features, its high and low points? What elements or aspects of that might you exploit to further your objectives? What needs to change, and why? (How will come later!)
  • Dig out and study any available risk, security and audit reports, metrics, reviews, consultancy engagements, post-incident reports, strategies, plans (departmental and projects/initiatives), budget requests, project outlines, corporate and departmental mission statements etc. There are lots of data here and plenty of clues that you should find useful in building up a picture of What Needs To Be Done. Competent business continuity planning, for example, is also business-risk-aligned, hence you can’t go far wrong by emphasizing information risks to the identified critical business activities. At the very least, obtaining and discussing the documentation is an excellent excuse to work your way systematically around the business, meeting knowledgeable and influential people, learning and absorbing info like a dry sponge.
  • Build your team. It may seem like you’re a team of 1 but most organizations have other professionals or people with an interest in information risk and security etc. What about IT, HR, legal/compliance, sales & marketing, production/operations, research & development etc.? Risk Management, Business Continuity Management, Privacy and IT Audit pro’s generally share many of your/our objectives, at least there is substantial overlap (they have other priorities too). Look out for opportunities to help each other (give and take). Watch out also for things, people, departments, phrases or whatever to avoid, at least for now.
  • Meanwhile, depending partly on your background, it may help to read up on the ISO27k and other infosec standards plus your corporate strategies, policies, procedures etc., not just infosec. Consider attending an ISO27k lead implementer and/or lead auditor training course, CISM or similar.  There’s also the ISO27k FAQ, ISO27k Toolkit and other info from ISO27001security.com, plus the ISO27k Forum archive (worth searching for guidance on specific issues, or browsing for general advice).  If you are to become the organization’s centre of excellence for information risk and security matters, it’s important that you are well connected externally, a knowledgeable expert in the field. ISSA, InfraGard, ISACA and other such bodies, plus infosec seminars, conferences and social media groups are all potentially useful resources, or a massive waste of time: your call. 
Yes, I know, I know, that’s a ton of work, and I appreciate that it’s not quite what was asked for i.e. questions to ask departments about their infosec controls. My suggestion, though, is to tackle this at a different level: the security controls in place today are less important than the security controls that the organization needs now and tomorrow. Understanding the information risks is key to figuring out the latter.

As a relative newcomer, doing your homework and building the bigger picture will give you an interesting and potentially valuable insight into the organization, not just on the information risk and security stuff … which helps when it comes to proposing and discussing strategies, projects, changes, budgets etcHowyou go about doing that is just as important as what it is that you are proposing to do. In some organizations, significant changes happen only by verbal discussion and consensus among a core/clique (possibly just one all-powerful person), whereas in some others nothing gets done without the proper paperwork, in triplicate, signed by all the right people in the correct colours of ink! The nature, significance and rapidity of change all vary, as do the mechanisms or methods.

So, in summary, there's rather more to do than assess the security controls against 27002. 



PS  For the more cynical among us, there’s always the classic three envelope approach.

NBlog Oct 13/2 – CERT NZ goes phishing

CERT NZ (apparently) has once again circulated an email warning about phishing, containing a distinctly phishy link to "READ MORE INFORMATION". The hyperlink leads from there to certnz.cmail20.com with a tracker-type URL tail.

Unlike most of the intended audience, I guess, I'm cyber-smart enough to check out the whois record: cmail20.com domain is registered to Campaign Monitor Pty Ltd of New South Wales - presumably a legitimate mass emailer/marketing company whose services are being used by CERT NZ to circulate the warnings - but that's not the point: the fact is that the embedded link target is patently not CERT NZ's own domain.

What's more, the body of the email is a rather vaguely-worded warning, not entirely dissimilar to many a classic phisher. "Nasty stuff is going to happen unless you do something" just about sums it up. It isn't even addressed to me by name, despite me being required to supply my name and email address when I signed up for CERT NZ's "updates". They know who I am.

I've notified CERT NZ about this kind of thing privately before, to no avail, so this time around I'm going public, here on the blog.

CERT NZ, you are perpetuating the problem. Wake up guys! It's simply not good enough. I expect more of you. Your sponsors, partners and taxpayers expect more of you. NZ expects more of you.

Is it really that difficult to either drop the marketing tracking, or at least to route clickers via cert.govt.nz first, with a redirect from there to the tracker?

Is there nobody in CERT NZ with sufficient clue to appreciate and respond to such an obvious concern? 

Am I wasting these bytes? Hello, CERT NZ! Anyone home?

Ironically, CERT NZ has allegedly been promoting the past five days as "Cyber Smart Week 2018", which as far as I can make out appears to consist of a single web page on CERT NZ's website expanding a little on these four simple tips:
  1. Use unique passwords
  2. Turn on 2FA
  3. Update your apps
  4. Check your privacy

Admirably brief ... but there's nothing explicit about phishing or business email compromise, nor social engineering, scams and frauds. No obvious links to further information. 

Ironically, again, the Cyber Smart page ends: 
"Report any cyber security issue you experience to CERT NZ. We’ll help you identify it and let you know what the next steps are to resolve it. We’ll also use the information to create advice and guidance for others who might be experiencing the same issue."
Been there, done that, got precisely nowhere. I despair.

Next time I receive a phishing-like email from CERT NZ, I'll take it up with the news media. Maybe they care as much as me.

NBlog Oct – phishing awareness & training module

It's out: a fully revised (almost completely rewritten!) awareness and training module on phishing.

Phishing is one of many social engineering threats, perhaps the most widespread and most threatening.

Socially-engineering people into opening malicious messages, attachments and links has proven an effective way to bypass many technical security controls.

Phishing is a business enterprise, a highly profitable and successful one making this a growth industry. Typical losses from phishing attacks have been estimated at $1.6m per incident, with some stretching into the tens and perhaps hundreds of millions of dollars.

Just as Advanced Persistent Threat (APT) takes malware to a higher level of risk, so Business Email Compromise (BEC) puts an even more sinister spin on regular phishing. With BEC, the social engineering is custom-designed to coerce employees in powerful, trusted corporate roles to compromise their organizations, for example by making unauthorized and inappropriate wire transfers or online payments from corporate bank accounts to accounts controlled by the fraudsters.

As with ordinary phishing, the fraudsters behind BEC and other novel forms of social engineering have plenty of opportunities to develop variants of existing attacks as well as developing totally novel ones. Therefore, we can expect to see more numerous, sophisticated and costly incidents as a result. Aggressive dark-side innovation is a particular feature of the challenges in this area, making creative approaches to awareness and training (such as NoticeBored!) even more valuable. We hope to prompt managers and professionals especially to think through the ramifications of the specific incidents described, generalize the lessons and consider the broader implications. We’re doing our best to make the organization future-proof. It’s a big ask though! Good luck.

Learning objectives

October’s module is designed to:
  • Introduce and explain phishing and related threats in straightforward terms, illustrated with examples and diagrams;
  • Expand on the associated information risks and controls, from the dual perspectives of individuals and the organization;
  • Encourage individuals to spot and react appropriately to possible phishing attempts targeting them personally;
  • Encourage workers to spot and react appropriately to phishing and BEC attacks targeting the organization, plus other social engineering attacks, frauds and scams;
  • Stimulate people to think - and most of all act - more securely in a general way, for example being more alert for the clues or indicators of trouble ahead, and reporting them.
Consider your organization’s learning objectives in relation to phishing. Are there specific concerns in this area, or just a general interest? Has your organization been used as a phishing lure, maybe, or suffered spear-phishing or BEC incidents? Do you feel particularly vulnerable in some way, perhaps having narrowly avoided disaster (a near-miss)? Are there certain business units, departments, functions, teams or individuals that could really do with a knowledge and motivational boost? Lots to think about this month!

Content outline



Get in touch to purchase the phishing module alone, or to subscribe to the NoticeBored service for more like this every month. Phishing is undoubtedly an important topic for awareness and training, but definitely not the only one. Build and sustain your corporate security culture through NoticeBored.

NBlog Sept 28 – phishing awareness module imminent

Things are falling rapidly into place as the delivery deadline for October's NoticeBored awareness module on phishing looms large.

Three cool awareness poster graphics are in from the art department, and three awareness seminars are about done. 

The seminar slides and speaker notes, in turn, form the basis for accompanying awareness briefings for staff, managers and professionals, respectively.  

We also have two 'scam alert' one-pagers, plus the usual set of supporting collateral all coming along nicely - a train-the-trainer guide on how to get the best out of the new batch of materials, an awareness challenge/quiz, an extensive glossary (with a few new phishing-related terms added this month), an updated policy template, Internal Controls Questionnaire (IT audit checklist), board agenda, phishing maturity metric, and newsletter.  Lots on the go and several gaps to be plugged yet.


Today we're ploughing on, full speed ahead thanks to copious fresh coffee and Guy Garvey singing "It's all gonna be magnificent" on the office sound system to encourage us rapidly towards the end of another month's furrow.  So inspirational!  

We've drawn from at least five phishing-related reports and countless Internet sources, stitching together a patchwork of data, analysis and advice in a more coherent form that makes sense to our three audience groups. I rely on a plain text file of notes, mostly quotable paragraphs and URLs for the sources since we always credit our sources. There are so many aspects to phishing that I'd be lost without my notes!  As it is, I have a headfull of stuff on the go so I press ahead with the remaining writing or I'll either lose the plot completely or burst!

For most organizations, security awareness and training is just another thing on a long to-do list with limited resources and many competing priorities, whereas we have the benefit of our well-practiced production methods and team, and the luxury of being able to concentrate on the single topic at hand. We do have other things going on, not least running the business, feeding the animals and blogging. But today is when the next module falls neatly into place, ready to deliver and then pause briefly for breath before the next one. Our lovely customers, meanwhile, are busy running their businesses and rounding-off their awareness and training activities on 'outsider threats', September's topic. As those awareness messages sink in, October's fresh topic and new NoticeBored module will boost energy and take things up another notch, a step closer to the corporate security culture that generates genuine business returns from all this effort.

NBlog Sept 21 – phishing awareness

Today marks the end of a long but successful week. We've been slogging away at the phishing awareness topic for October's NoticeBored module, picking out the key issues, coming up with the awareness messages and figuring out the stories to tell.

Despite technology being such a small part of phishing, it plays an important part that we can't just ignore. Multi-Factor Authentication, for example, is increasingly being used by organizations that care about identification and authentication, so workers are quite likely to have at least heard of it, even if they are not actually using it as yet. Explaining what MFA is would set them up to appreciate what it means when they are offered or required to accept it.

At the same time, MFA is not a universal or ultimate solution. Managers and professionals should appreciate that there are pros and cons to implementing MFA, and lots of choices in exactly what form of MFA the organization might adopt ... but explaining all that in detail would divert or distract attention from  phishing, the main subject. 

Fortunately, we don't need to delve too deep. The rolling monthly sequence of topics means we can pick up on MFA and other aspects another time, without feeling guilty about just skimming over in October.

By the same token, although we haven't delivered an awareness and training module purely on phishing for some time (too long really), we have mentioned/skimmed it repeatedly, several times a year in fact, in the course of covering other topics such as email security, Internet security, malware, social engineering and fraud. 

That's enough for now. Time for a break, re-girding our loins prior to finalizing and polishing October's materials next week.

Which reminds me, why are loins girded anyway? What's that all about, Google?

NBlog Sept 17 – fragility

In preparation for a forthcoming NoticeBored security awareness module, I'm researching business continuity.  Today, by sheer coincidence, I've stumbled into a business discontinuity: specifically, the website for a commercial company advertising/sponsoring a popular multi-week New Zealand radio show promotion is currently unavailable. It seems to have been so fragile that it broke.

This is how the web page looks right now:

Mostly white space. 502 is the standard error message number indicating a 'bad gateway', meaning that the company's website cannot be contacted by some intermediate network system. It appears to be dead. Resting maybe.

The HTML code for the sparse error page is almost as sparse - just these 14 lines, half of which are comments:


DownForEveryoneOrJustMe.com tells me its not just my Internet connection playing up.  The website really is unreachable.

That's the NZ website. The company's Australian website is also unavailable, whereas its US site is up and running. 

nginx is the name of a webserver front-end load-balancer utility/application/system.  Given the radio promotion, it is possible the company is using nginx as a cache to reduce an anticipated heavy load on the webserver, or to balance the load across several webservers, but either way evidently it isn't working out right now.  

Summing up the situation:
  • The company has planned and paid for a radio promotion including links to its website: management must have known this was coming;
  • Management appears (at some point) to have made technical arrangements to cope with a heavy load on the webserver: presumably, it anticipated the risk of the website being overloaded;
  • The technical arrangements appear to have failed: the website is currently unavailable;
  • Either management doesn't know the corporate website is down (due to the lack of effective monitoring) or it knows but hasn't reacted effectively (maybe nginx was the response: it hasn't worked for me, today);
  • The company has fallen off the web, making it hard for potential customers to make contact and do business;
  • That, in turn, has implications for its public image: its brand is becoming somewhat tarnished by this incident. It's not a good look.
This is a classic information security (availability and integrity) incident with business implications. The website evidently wasn't sufficiently resilient, and the incident does not appear to have been handled effectively. 

Of course, we can only guess at some of this in the absence of further information. Perhaps my assumptions are wrong. Maybe the fault lies elsewhere and/or the situation is more complex than it appears. Conceivably, the site might even have been taken down deliberately as a response to some other incident. We just don't know.

But we do have a little case study for the awareness module. I'll continue checking the site to see what happens next - how the situation resolves and perhaps gleaning further information about the incident.

[I haven't named the company because it isn't necessary to do so, and I don't want to make the incident any worse for them than it already is by prompting YOU to go check out their website as well!]

UPDATE: by 9am the following day, both the NZ and Australian websites were back on the air.

NBlog Sept 15 – the business value of infosec

Thanks to a heads-up from Walt Williams, I'm mulling over a report by CompariTech indicating that the announcement of serious "breaches" by commercial organizations leads to a depression in their stock prices relative to the stock market.

I'm using "breach" in quotes because the study focuses on public disclosures by large US commercial corporations of significant incidents involving the unauthorized release of large quantities of personal data, credit card numbers etc. That's just one type of information security incident, or breach of security, and just one type of organization. There are many others.

The situation is clearly complex with a number of factors, some of which act in opposition (e.g. the publicity around a "breach" is still publicity!). There are several constraints and assumptions in the study (e.g. small samples) so personally I'm quite dubious about the conclusions ... but it adds some weight to the not unreasonable claim that "breaches" are generally bad for business. At the very least, it disproves the null hypothesis that "breaches" have no effect on business.

Personally, I'm intrigued to find that "breaches" do not have a more marked effect on stock price. The correlation seems surprisingly weak to me, suggesting that I am biased, over-estimating the importance of infosec - another not unreasonable assumption given that I am an infosec pro! It's the centre of my little world after all!

Aside from the fairly weak "breach" effect, I'd be fascinated to learn more about the approaches towards information risk, security, privacy, governance, incident management, risk & security strategy, compliance etc. that differentiate relatively strong from relatively weak performers on the stock market, using that as an indicator of business performance ... and indeed various other indicators such as turnover, profitability, market share, brand value etc. I'm particularly interested in leading indicators - the things that tend to precede relatively strong or weak performance.

On the flip side, I'd be interested to know whether 'good news' security disclosures/announcements (such as gaining ISO27k or other security certifications, or winning court cases over intellectual property) can be demonstrated to be good for business. Given my inherent personal bias and focus on infosec, I rather suspect the effect (if any) will be weaker than I expect ... but I'm working on it!