Category Archives: InfoSec

Podcast Two Year Anniversary – The Top 10 Episodes

Two years ago on June 9th, 2017 I released the first episode of Security In Five. Here we are two years later, 500+ episodes recorded and no signs of slowing down. The podcast’s longevity and the energy to keep up the daily episode schedule is all because of the listeners and feedback I have received. […]

The post Podcast Two Year Anniversary – The Top 10 Episodes appeared first on Security In Five.

Cyber News Rundown: Medical Testing Service Data Breach

Reading Time: ~ 2 min.

Quest Diagnostics Customers Affected by Third-Party Breach

The medical testing organization Quest Diagnostics has fallen victim to a third-party data breach that could affect nearly 12 million of its patients. AMCA, a collections agency that works with Quest Diagnostics, discovered unauthorized access to its systems over an eight-month period, from August of last year through March 2019. Most of the data targeted was Social Security Numbers and other financial information rather than patients’ health records; the criminal market pays a premium for such data.

Adware Installed by Millions of Android Users

Until recently, there were over 230 apps on the Google Play store that had been compromised by a malicious advertising plugin that forced out-of-app advertisements on unsuspecting victims. Globally, over 440 million individuals have installed at least one of these compromised applications and have been subjected to overly aggressive advertisements. While the SDK behind the plugin had been used legitimately for nearly a year, at some point during 2018 it began behaving increasingly maliciously, until other developers caught on and updated their own applications to remove it.

Chinese Database Exposes Millions of Records

A database belonging to FMC Consulting, a headhunting firm based in China, was recently found by researchers to be publicly accessible. Among the records are resumes and personally identifiable information for millions of individuals, as well as company data including thousands of recorded messages and emails. Unfortunately for anyone whose information is contained in this database, in the two weeks since being notified FMC has yet to acknowledge the exposure or take steps to secure it.

Restaurant Payment Systems Infected

Customers who’ve patronized either Checkers or Rally’s restaurants in recent months are being urged to monitor their credit cards after the chain announced that it discovered card-stealing malware on its point-of-sale systems. While not all restaurant locations were affected, the company is still working to determine the extent of the compromised payment card systems and has offered credit monitoring services to customers.

University of Chicago Medicine Server Found Online

A researcher has found a server belonging to University of Chicago Medicine holding personal information on more than 1.6 million current and past donors. The data includes names, addresses, and even marital and financial information for each donor. Fortunately, the researcher was quick to inform the university of the unsecured ElasticSearch server and it was taken down within 48 hours.

The post Cyber News Rundown: Medical Testing Service Data Breach appeared first on Webroot Blog.

Cyber News Rundown: Popular News Site Breached

Reading Time: ~ 2 min.

News Site Suffers Data Breach

Flipboard, a news aggregation site, recently revealed that it has been the victim of a data breach that could affect many of its more than 100 million active users. Digital tokens used to link accounts to third-party services were among the compromised data; these could have given the attackers access to those linked accounts, though Flipboard promptly revoked or replaced them. At least two separate intrusions have been reported by Flipboard, one occurring in the middle of 2018 and the other in April of this year. Both gave the attackers nearly unlimited access to databases containing a wealth of user data.

Keylogger Targets Multiple Industries

At least two separate campaigns have been found sending malicious emails to industry-leading companies in several different sectors. Hidden within these emails are two variants of the HawkEye keylogger that perform various malicious activities beyond simply stealing keystrokes from the infected device. By acting as a loader, HawkEye can install additional malware, and it also contains a script to relaunch itself after a system reboot.

Australian Teen Hacks Apple

A teen from Australia was recently in court to plead guilty to two separate intrusions into Apple’s systems, which he carried out in hopes of gaining a job with the company. While Apple has since confirmed that no internal or customer data was compromised, the court chose leniency after his lawyer argued that the perpetrator was remorseful and had not understood the full impact of his actions.

Fake Crypto-wallets Appear on Google Play

Two fake cryptocurrency wallets have made their way into the Google Play store following the latest rise in the value of Bitcoin. Both wallets use a form of address scam: the user transfers currency into what appears to be a newly generated wallet address, which is actually controlled by the attacker and siphons off anything transferred to it. The second of the two wallets posed as the “mobile” version of a well-known crypto-wallet and was quickly identified as fake because of an inconsistent icon image. Both fake wallets were tied to the same domain and have since been removed from the store.

Ransomware Focuses on MySQL Servers

While the threat of GandCrab is not new, researchers found that it has been refocused on attacking MySQL servers. By specifically targeting the port used to connect to MySQL, port 3306, the attackers have had some success, since many admins open port 3306 through their firewalls to ensure connectivity. As GandCrab continues to narrow its attack scope, its remaining viable vectors are likely to be even more lucrative given that most organizations are not able to secure everything.

The post Cyber News Rundown: Popular News Site Breached appeared first on Webroot Blog.

Ransomware remains a risk, but here’s how you can avoid infection

It’s been a case of good news/bad news when it comes to ransomware recently. New figures from Microsoft suggest that Ireland had one of the lowest rates of infection in the world in 2018. But in early May, a sophisticated strain of ransomware called MegaCortex began spiking across Ireland, the US, Canada, Argentina, France, Indonesia and elsewhere.

Data from Microsoft’s products found that malware and ransomware attacks declined by 60 per cent in Ireland between March and December 2018. Ireland’s so-called ‘encounter rate’ was just 1.26 per cent, the lowest in the world.

Hoorays on hold

Don’t break out the bunting just yet, though. As BH Consulting’s CEO Brian Honan told the Daily Swig, the risk for businesses hasn’t disappeared in the way the figures might suggest. One explanation for the reduced infection rates is that 2017 happened to be a banner year for ransomware: the global WannaCry and NotPetya outbreaks that year skewed the figures, and by that reasoning the ‘fall’ in 2018 is more likely just a regression to the mean.

Security company Sophos analysed MegaCortex and found it uses a formula “designed to spread the infection to more victims, more quickly.” The ransomware has manual components similar to Ryuk and BitPaymer but the adversaries behind MegaCortex use more automated tools to carry out the ransomware attack, which is “unique”, said Sophos.

History lesson

The risk of ransomware is still very much alive for many organisations, so we’ve combed through our blog archives to uncover some key developments. The content also includes tips and advice to help you stay secure.

In truth, ransomware isn’t a new threat, as a look back through our blog shows. New strains keep appearing, but it’s clear from earlier posts that some broad trends have stayed the same. As Brian recalled in 2014, many victims chose to pay because they couldn’t afford to lose their data. He pointed out that not everyone who parts with their cash gets their data back, which is still true today. “In some cases they not only lose their data but also the ransom money too as the criminals have not given them the code to decrypt it,” he said.

The same dynamic held true in subsequent years. In 2015, Lee Munson wrote that 31 per cent of security professionals would pay if it meant getting data back. It was a similar story one year later. A survey found that 44 per cent of British ransomware victims would pay to access their files again. Lee said this tendency to pay explains ransomware’s popularity among criminals. It’s literally easy money. For victims, however, it’s a hard lesson in how to secure their computer.

Here’s a quick recap of those lessons for individuals and businesses:

  • Keep software patched and up to date
  • Employ reputable antivirus software and keep it up to date
  • Back up your data regularly and, most importantly, verify that the backups have worked and that you can retrieve your data
  • Make staff and those who use your computers aware of the risks and how to work securely online

Preventative measures

By taking those preventative steps, victims of a ransomware infection are in a better position to not pay the ransom. As Brian said in the post: “It doesn’t guarantee that they will get their data back in 100 per cent of cases, and payment only encourages criminals. We have also seen that once victims pay to have their data decrypted, they’re often targeted repeatedly because criminals see them as a soft touch.”

Fortunately, as 2016 wore on, there was some encouraging news. Law enforcement and industry collaborated on the No More Ransom initiative, combining the resources of the Dutch National Police, Europol, Intel Security and Kaspersky Lab. Later that year, BH Consulting was one of 20 organisations accepted on to the programme which expanded to combat the rising tide of infections.

The main No More Ransom website, which remains active today, has information about how the malware works and advice on ransomware protection. It also has free ransomware decryptor tools to help victims unlock their infected devices. Keys are available for some of the most common ransomware variants.

Steps to keeping out ransomware

By 2017, ransomware was showing no signs of stopping. Some variants like WannaCry caused havoc across the healthcare sector and beyond. In May of that year, as a wave of incidents showed no signs of letting up, BH Consulting published a free vendor-neutral guide to preventing ransomware. This nine-page document was aimed at a technical audience and included a series of detailed recommendations such as:

  • Implement geo-blocking for suspicious domains and regions
  • Review backup processes
  • Conduct regular testing of restore process from backup tapes
  • Review your incident response process
  • Implement a robust cybersecurity training programme
  • Implement network segmentation
  • Monitor DNS logs for unusual activity.

The guide goes into more detail on each bullet point, and is available to download from this link.
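As an added illustration of the final bullet above (this is example code written for this page, not part of the BH Consulting guide), the script below runs over a handful of constructed BIND-style query-log lines and flags a client that resolves many unique, random-looking names under one domain, the pattern that DNS tunnelling and domain-generation malware leave behind. The log format, the thresholds and the two-label rule for the registrable domain are assumptions; a production version would use a public-suffix list and tune the thresholds against a baseline of your own resolver traffic.

```python
import hashlib
import math
import re
from collections import defaultdict

# Constructed sample in BIND9 query-log style; none of these hosts or domains
# are real. Client 10.0.0.5 is ordinary traffic; client 10.0.0.7 pushes data
# out in the leftmost label of many unique TXT lookups under one parent
# domain, which is the shape DNS tunnelling leaves in resolver logs.
NORMAL_LINES = [
    "01-Jun-2019 09:00:01.123 client 10.0.0.5#53211: query: www.example.com IN A + (10.0.0.2)",
    "01-Jun-2019 09:00:02.004 client 10.0.0.5#53212: query: mail.example.com IN MX + (10.0.0.2)",
    "01-Jun-2019 09:00:03.550 client 10.0.0.5#53213: query: cdn.example.com IN AAAA + (10.0.0.2)",
]
TUNNEL_LINES = [
    "01-Jun-2019 09:00:%02d.000 client 10.0.0.7#40001: query: %s.t1.badtunnel.net IN TXT + (10.0.0.2)"
    % (i, hashlib.sha1(b"chunk%d" % i).hexdigest()[:20])   # 20 hex chars of "payload"
    for i in range(25)
]
SAMPLE_LOG = "\n".join(NORMAL_LINES + TUNNEL_LINES)

LINE_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def shannon_entropy(label):
    """Bits per character of one DNS label; encoded or generated labels score high."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels are the registrable domain (no public-suffix list)."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_queries(log_text):
    """Yield (client, qname, qtype) for every line that matches the assumed format."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname"), m.group("qtype")


def find_suspicious(log_text, min_unique=20, min_entropy=3.0):
    """Flag (client, domain) pairs with many unique, high-entropy names."""
    names = defaultdict(set)
    txt = defaultdict(int)
    for client, qname, qtype in parse_queries(log_text):
        key = (client, registered_domain(qname))
        names[key].add(qname)
        if qtype == "TXT":
            txt[key] += 1
    findings = []
    for key, qnames in names.items():
        if len(qnames) < min_unique:
            continue
        mean_entropy = sum(shannon_entropy(q.split(".")[0]) for q in qnames) / len(qnames)
        if mean_entropy >= min_entropy:
            findings.append({
                "client": key[0], "domain": key[1],
                "unique_names": len(qnames), "txt_queries": txt[key],
                "mean_entropy": round(mean_entropy, 2),
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Run against a real query log by replacing SAMPLE_LOG with the file contents; a high TXT count alongside the unique-name and entropy signals is the strongest indicator, since legitimate clients rarely issue dozens of TXT lookups under one domain.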

Infection investigation

Later that year, we also blogged about a digital forensics investigation into a ransomware infection. It was a fascinating in-depth look at the methodical detective work needed to trace the source, identify the specific malware type and figure out what had triggered the infection. (Spoiler: it was a malicious advert.)

Although ransomware is indiscriminate by nature, looking back over three years’ worth of blogs shows some clear patterns. As we noted in a blog published in October 2017, local government agencies and public bodies seem to be especially at risk. Inadequate security practices make it hard to recover from an incident – and increase the chances of needing to pay the criminals.

Obviously, that’s an outcome no-one wants. That’s why all of these blogs share our aim of giving practical advice to avoid becoming another victim. Many of the steps involve simple security hygiene such as keeping anti-malware tools updated, and performing regular scans and backups. In other words, basic good practice will usually be enough to keep out avoidable infections. Otherwise, as Brian is fond of quoting, “those who cannot remember the past are condemned to repeat it”.

The post Ransomware remains a risk, but here’s how you can avoid infection appeared first on BH Consulting.

Cyber News Rundown: Banking Trojan Closes Ohio Schools

Reading Time: ~2 min.

Banking Trojan Shuts Down Ohio School District

After the discovery of the banking Trojan known as Trickbot, an Ohio school district was forced to cancel classes because it was unable to fully disinfect its networks before school resumed the following Monday. Preliminary reports have concluded that no students were responsible for the attack, as it appears to have started its data-gathering on a computer belonging to the district treasurer’s office. In order for classes to resume normally, the district’s IT staff had to reformat nearly 1,000 affected computers.

GetCrypt Spreading Through RIG Exploit Kits

Another ransomware variant, GetCrypt, has been spotted in the wild. It is delivered by redirecting visitors of a compromised website to a separate page hosting the RIG exploit kit. After checking that the system language is not one of several Eastern European languages, the ransomware begins encrypting all files on the system and displays a standard ransom note. In addition to deleting all available shadow copies from the computer, GetCrypt appends to every encrypted file a randomized four-character extension derived from the CPUID of the device itself.

Google Assistant Logs All Online Purchases

It was recently discovered that Google’s Assistant keeps a log of all online purchases for which a receipt was sent to the user’s Gmail account. The “Payments” page on a user’s Google account shows transactions, flight and hotel reservations, and other purchases made up to several years prior, including the cost, date, and time of each purchase.

Forbes Joins List of Magecart Victims

It was revealed late last week that Forbes had fallen victim to a Magecart attack, possibly affecting anyone who made a purchase on the site while the skimmer was active. Fortunately, the researcher who discovered the attack quickly notified both Forbes and the domain owner, resulting in a swift removal of the malicious payment card skimmer from the highly-trafficked site. It’s likely that Forbes became a victim after another vendor in its supply chain was compromised.

Australian IT Contractor Arrested for Cryptomining

An IT contractor working in Australia was arrested after being caught running cryptomining software on government-owned computers, which netted him over $9,000 in cryptocurrency. The charges cover misuse of government systems by modifying critical functions and security measures for personal gain while in a position of trust. By making these changes, the contractor could have exposed a much larger portion of the network to malicious actors who take advantage of misconfigured settings to access government data.

The post Cyber News Rundown: Banking Trojan Closes Ohio Schools appeared first on Webroot Blog.

Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware

Reading Time: ~2 min.

WhatsApp Exploited to Install Spyware through Calls

A serious flaw has been discovered in the messaging app WhatsApp that would allow an attacker to install spyware on a victim’s device by manipulating the packets sent during a voice call. Further disguising the attack, the malicious software could be installed without the victim answering the call, and with access to the device the attacker could also delete the call log. Fortunately, the Facebook-owned app was quick to respond and released an update for affected versions.

SIM Swapping Group Officially Charged

Nine men in their teens and 20s have been arrested and charged for a SIM-swapping operation that netted the group over $2 million in stolen cryptocurrency. The group operated by illicitly taking over phone accounts, having the victim’s phone number moved to a SIM card under their control. They would then fraudulently access cryptocurrency accounts by bypassing SMS-based two-factor authentication, since the login codes were now sent to devices they controlled. Three of the group were former telecom employees with access to the systems needed to execute the scam.

Web Trust Seal Injected with Keylogger

A recent announcement revealed that the scripts behind the “Trust Seals” that Best of the Web provides to highly-rated websites were compromised and modified to capture keystrokes from site visitors. While Best of the Web was quick to resolve the issue, at least 100 sites are still loading the compromised seal scripts. This type of supply chain attack has risen in popularity recently: attackers have been injecting payment-stealing malware into several large online retailers’ websites since the beginning of the year.

Fast Retailing Data Breach

The clothing retailer Fast Retailing is currently investigating a data breach that gave attackers full access to nearly half a million customer accounts for two of the group’s online stores. The attack took place within the last three weeks and targeted payment information along with names and addresses for customers of UNIQLO Japan and GU Japan. Fast Retailing has since forced a password reset for all online customers and emailed further information to those affected by the attack.

Data Leak in Linksys Routers

Last week researchers discovered a flaw in over 25,000 Linksys routers that could give attackers access not only to the device’s MAC address, but also to device names and other settings that could compromise the security of anyone using the router. Additionally, by identifying the device’s IP address, attackers could use geolocation to gauge the approximate location of the affected device, all without authentication.

The post Cyber News Rundown: WhatsApp Vulnerability Could Install Spyware appeared first on Webroot Blog.

That’s classified! Our top secret guide to helping people protect information

As information security professionals, we often face a challenge when trying to explain what we mean by ‘data classification’. So here’s my suggestion: let’s start by not calling it that. In my experience, the minute you call it that, people switch off.

Our role should be to try to engage an audience, not scare them away. Classification sounds like a military term, and if the reaction that greets you is an eye-roll that says: ‘you’re talking security again’, then they’ve zoned out before you’ve even got to the second sentence. I try and change the language, because otherwise, what we have here is a failure to communicate.

In reality, it’s very simple if you explain what you mean by classification. If we strip away any jargon or names, what we’re doing is asking an organisation to decide what information is most important to it. Then, it’s about asking the organisation’s people to apply appropriate layers of protection to that information based on its level of importance.

De do do do, de da da da

Who needs to use data classification? These days, it’s everyone. Why is it important? Why make people do this work? Data is a precious commodity. Think of it like water in many parts of the world: there’s a lot of it about, it’s too easily leaked if you don’t protect it, it’s extremely valuable if you control the source, and you can combine it with other things to increase its worth. Well, it’s a similar story with data. Data is just a bunch of numbers, but context turns it into information. You could have 14 seemingly random numbers, and that’s data. Now, split them into two groups, one of eight digits and another of six digits with some dashes in between. Suddenly those numbers become a bank account number and sort code. Then it’s information.

Message in a bottle

The first step for security professionals to win people over to the concept is to make it real for their audience. If your message is personal, people can relate it to what they have to do in their work.

We handle types of information in different ways and make decisions all the time on who should have access to it. Think of it this way: do you file paperwork – utility bills, appointment letters, bank statements – at home? Would you leave your payslip lying around the home for your kids to read?

In a work context, a CEO might want their executive assistant to access their calendar for meetings, but they don’t necessarily want to share their bank account details to see how much money they make or what they spend it on.

Naturally, the type of information that’s most valuable will vary by industry, so you have to adapt any message to suit. In healthcare, it might be sensitive medical records about someone’s health. For someone working in food and drinks industry, maybe IP (intellectual property) like the recipe to the secret sauce or the package design are the most valuable items to protect. In pharmaceuticals, it might be the blueprints or ingredients in a new drug.

You don’t have to put on the red light

So now we’ve established that information may have different values, how do we group it? Deciding on the value of information may require the employee to apply good judgement. I like using the traffic light idea of three tiers of information (red, amber and green) rather than the binary option of just public or private. Those three levels then become public (green), confidential (amber), and restricted or private (red). It allows for an extra level of data management, and therefore protection, where needed, but is still simple enough to grasp.


This approach is easy to picture. People can very quickly understand what category information falls into, and what to do with it. Using the traffic light approach, public material (green) might be a brochure about a new product, or it could be the menu in the staff canteen. That’s the material that you want many people to see. The company contact directory or minutes from a meeting would be confidential (amber). Items that aren’t for general distribution outside board level (such as merger discussions) are extremely sensitive or privileged (red).

Once we know what we’re protecting, we get to the how.

  • If we’re dealing with physical paper documents, we can mark the sensitive information with a red sticker or red mark on the corner. The rule might be: never leave a red file unattended unless an authorised person is actively reading it and doing something with it. You know it shouldn’t leave the building unless it’s extremely well protected.
  • If the mark or sticker is amber, the person holding it must lock it away overnight.
  • Any document with a green mark doesn’t have to be locked away.

Every breath you take

You can extend that system beyond individual files to folders and to filing cabinets if necessary. You can apply this very easily by adding the appropriate colour to each document, folder, filing cabinet or even rooms in the building. Leave marker pens, stickers or anything that clearly shows the classification available for people to use.

It’s relatively easy to get people to apply the exact same marking system to electronic data. So you mark the Word file or Excel sheet with the same colour scheme, and folders, and so on. Once you’ve put the colours on it, the application of it is easy. If you use templates or forms of any kind it’s easy to start applying rules automatically, and you can then tie the classification in to your data loss prevention (DLP) tools, blocking the most sensitive information from leaving the organisation, or at least flagging it for attention. It’s possible to put markers in the metadata of document templates, so amber or red documents could prompt the user that they need to encrypt before sending.
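One way to act on the metadata marker just described, as an added example that is not BH Consulting’s tooling: the script assumes the document template writes the traffic-light level into the standard Office core property cp:category inside docProps/core.xml, reads it back out of the .docx zip with only the Python standard library, and applies a hypothetical mail-gateway rule (block red leaving the organisation, flag amber or red that is not encrypted, flag anything unmarked). The property name, the rule set and the sample document built by make_docx are assumptions constructed for the example.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Hypothetical marker scheme: the document template writes the traffic-light
# level ("green", "amber", "red") into the standard Office core property
# <cp:category>, which every .docx carries in docProps/core.xml.
LEVELS = ("green", "amber", "red")
CORE_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
NS = {"cp": CORE_NS}


def classification_of(docx_bytes):
    """Return 'green', 'amber' or 'red' from docProps/core.xml, or None if unmarked."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as archive:
        if "docProps/core.xml" not in archive.namelist():
            return None
        core = archive.read("docProps/core.xml")
    category = ET.fromstring(core).find("cp:category", NS)
    if category is None or not category.text:
        return None
    level = category.text.strip().lower()
    return level if level in LEVELS else None


def outbound_decision(docx_bytes, sender_domain, recipient_domain, encrypted):
    """Hypothetical gateway rule for a .docx attachment: (action, reason)."""
    level = classification_of(docx_bytes)
    external = recipient_domain.lower() != sender_domain.lower()
    if level is None:
        return ("flag", "unclassified document: ask the sender to mark it")
    if level == "red" and external:
        return ("block", "red documents must not leave the organisation")
    if level != "green" and not encrypted:
        return ("flag", "amber/red document: encrypt before sending")
    return ("allow", level)


def make_docx(category):
    """Build a minimal .docx-shaped zip carrying the given category (constructed sample)."""
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{CORE_NS}" xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:title>Board minutes</dc:title><cp:category>{category}</cp:category>"
        "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("docProps/core.xml", core)
        archive.writestr("word/document.xml", "<document/>")   # body is irrelevant here
    return buf.getvalue()


if __name__ == "__main__":
    for level in ("red", "amber", "green", ""):
        print(level or "(unmarked)",
              outbound_decision(make_docx(level), "example.com", "partner.example", encrypted=False))
```

The same classification_of check works on real files saved from a template whose Category field is preset, since Word and LibreOffice both persist that field in core.xml; the gateway rule is where you encode the red/amber/green handling rules your organisation actually agrees on.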

Ultimately, we’re in the business of changing behaviour, and the net result should be that people become more aware of information and data protection because it’s a relatable concept that they’re applying in their daily work, almost without realising.

So if not classification, what do we call it? The importance of information? Data management? It’s still not very snappy, so any suggestions or answers on a postcard please.

Oh, and as a footnote, if you have any information you want everyone in the company to read, just put it in an unsealed envelope marked “CONFIDENTIAL” and leave it near the printer/photocopier/coffee area. I guarantee everyone passing will take a look.

The post That’s classified! Our top secret guide to helping people protect information appeared first on BH Consulting.

Cyber News Rundown: FBI Phishing Scam

Reading Time: ~2 min.

“FBI Director” Phishing Campaign

A new email phishing campaign has been making its way around the web that claims to be from “FBI Director Christopher Wray,” who would love to assist with a massive wire transfer to the victim’s bank account. Unfortunately for anyone hoping for a quick payday, the $10 million check from Bank of America won’t be arriving anytime soon, unless they are willing to enter more personal information and send it to a Special FBI agent using a Yahoo email address. While most phishing campaigns use scare tactics to scam victims, taking the opposite approach of offering a large payout seems less likely to get results.

Magecart Skimming Script Works on Dozens of Sites

Following the many Magecart attacks of recent years, a new payment skimming script has been found that allows attackers to compromise almost any online checkout page without customising it for the specific site. The script currently works against 57 different payment card gateways from around the world, and injects both its loader and its exfiltration script whenever the keyword “checkout” appears in the page’s URL.

Scammers Target Google Search Ads

Scammers are now turning to Google Ads to post fake phone numbers, posing as customer support for popular websites such as eBay and Amazon. These phone scammers will often tell those who call that there is something wrong with their account and ask for a Google Play gift card code before they can help. The ads look legitimate, which confuses those who call the phony numbers listed.

Citycomp Data Dumped After Blackmail Attempt

Shortly after discovering that their systems had been breached, Citycomp announced they would not be paying a ransom for a large chunk of stolen client data. Unfortunately for Citycomp, the hackers decided to make the data publicly available after not receiving their requested $5,000. Amongst the stolen data is financial and personal information for dozens of companies for which Citycomp provides infrastructure services, though it may only be an initial dump and not the entire collection.

Email Scam Robs Catholic Church of Over $1.7 Million

The Saint Ambrose Catholic Parish in Ohio recently fell victim to email scammers who took nearly $2 million from the church currently undergoing a major renovation. The scammers targeted monthly transactions made between the church and the construction company by providing “updated” bank information for the payments and sending appropriate confirmations for each transfer. The church was only made aware of the breach after the construction company called to inquire about two months of missing payments.

The post Cyber News Rundown: FBI Phishing Scam appeared first on Webroot Blog.

Password-less future moves closer as Google takes FIDO2 for a walk

For years, many organisations – and their users – have struggled with the challenge of password management. The technology industry has toiled on this problem by trying to remove the need to remember passwords at all. Recent developments suggest we might finally be reaching a (finger) tipping point.

At Mobile World Congress this year, Google and the FIDO Alliance announced that most devices running Android 7.0 or later can provide password-less logins in their browsers. To clarify, the FIDO2 authentication standard is sometimes called password-less web authentication. Strictly speaking, that’s a slightly misleading name because people still need to authenticate to their devices with a PIN or a biometric identifier like a fingerprint. It’s more accurate to say FIDO2 authentication, but not surprisingly, the term ‘password-less’ seems to have caught the imagination.

Wired reported that web developers can now make their sites work with FIDO2, which would mean people can log in to their online accounts on their phones without a password. This feature will be available to an estimated one billion Android devices, so it’s potentially a significant milestone on the road to a password-less future. Last November, Microsoft announced password-less sign-in for its account users, using the same FIDO2 standard. One caveat: Microsoft’s option requires the Edge browser on Windows 10 version 1809. So the true number of users is likely to be far lower than the 800 million Microsoft had been promising. But this is just the latest place where Microsoft has inserted FIDO technology into its products.

It’s not what you know

I spoke to Neha Thethi, BH Consulting’s senior information security analyst, who gave her reaction to this development. “Through this standard, FIDO and Google pave the way for users to authenticate primarily using ‘something they have’ (the phone) rather than ‘something they know’ (the password). While a fingerprint or PIN would typically be required to unlock the device itself, no shared secret or private key is transferred over the network or stored with the website, as it is in the case of a password. Only a public key is exchanged between the user and the website.”

From the perspective of improving security, Google’s adoption of FIDO2 is a welcome development, Neha added. “Most of the account compromises that we’ve seen in the past few years are because of leaked passwords, on the likes of Pastebin or through phishing, exploited by attackers. The HaveIBeenPwned website gives a sense of the scale of this problem. By that measure, going password-less for logging in to online accounts will definitely decrease the attack surface significantly,” she said.

“The technology that enables this ease of authentication is public key cryptography, and it has been around since the 1970s. The industry has recognised this problem of shared secrets for a long time now. Personally, I welcome this solution to quickly and securely log in to online accounts. It might not be bulletproof, but it takes an onerous task of remembering passwords away from individuals,” she said.
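The exchange Neha describes, as an added example that is not code from Google, FIDO or BH Consulting: an authenticator (the phone) keeps a private key per site and signs a fresh server challenge bound to the site’s identifier; the site stores only the public key and verifies. Textbook RSA with short keys and no padding, written here with the standard library, stands in for the ECDSA/EdDSA signatures real FIDO2 authenticators use, and the class and method names are assumptions; the rest (challenge consumed once, credential scoped to the relying-party identifier so a look-alike domain gets no signature, a server database holding nothing an attacker can replay) is the shape of the real protocol. Requires Python 3.8 or later for pow(e, -1, phi).

```python
import hashlib
import random
import secrets


# --- toy signature scheme (textbook RSA, NOT for production) -----------------
def _probable_prime(n, rounds=24):
    """Miller-Rabin after trial division by the first few primes."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(candidate):
            return candidate


def generate_keypair(bits=512):
    """Return ((n, e), (n, d)); 512-bit n keeps the example fast, nothing more."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(private_key, data):
    n, d = private_key
    return pow(_digest(data), d, n)


def verify(public_key, data, signature):
    n, e = public_key
    return pow(signature, e, n) == _digest(data)


# --- the FIDO2-style exchange --------------------------------------------------
class Authenticator:
    """The phone: one key pair per site, and the private half never leaves it."""
    def __init__(self):
        self._keys = {}

    def register(self, rp_id):
        public, private = generate_keypair()
        cred_id = secrets.token_hex(8)
        self._keys[(rp_id, cred_id)] = private
        return cred_id, public            # only public data goes to the site

    def sign_challenge(self, rp_id, cred_id, challenge):
        private = self._keys.get((rp_id, cred_id))
        if private is None:               # a look-alike domain has no credential
            raise KeyError("no credential for %s" % rp_id)
        return sign(private, rp_id.encode() + challenge)


class RelyingParty:
    """The website: stores public keys only; a leaked table gives nothing to replay."""
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self._credentials = {}
        self._pending = {}

    def register(self, username, cred_id, public_key):
        self._credentials[username] = (cred_id, public_key)

    def begin_login(self, username):
        cred_id, _ = self._credentials[username]
        challenge = secrets.token_bytes(32)   # fresh per attempt
        self._pending[username] = challenge
        return cred_id, challenge

    def finish_login(self, username, signature):
        challenge = self._pending.pop(username, None)   # consumed once: no replay
        if challenge is None:
            return False
        _, public_key = self._credentials[username]
        return verify(public_key, self.rp_id.encode() + challenge, signature)


if __name__ == "__main__":
    phone, site = Authenticator(), RelyingParty("example.com")
    cred, pub = phone.register(site.rp_id)
    site.register("alice", cred, pub)
    cred, challenge = site.begin_login("alice")
    print("login ok:", site.finish_login("alice", phone.sign_challenge(site.rp_id, cred, challenge)))
```

Two properties the passwords it replaces lack fall straight out of the code: the signature is over the relying-party identifier as well as the challenge, so a phishing page at a look-alike domain cannot obtain a usable signature at all, and a dump of the site’s credential table contains only public keys, so the “leaked password list” failure mode Neha mentions has nothing to leak.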

Don’t try to cache me

Organisations have been using passwords for a long time to log into systems that store their confidential or sensitive information. However, even today, many of these organisations don’t have a systematic way of managing passwords for their staff. If an organisation or business wants to become certified to the ISO 27001 security standard, for example, they will need to put in place measures in the form of education, process and technology, to ensure secure storage and use of passwords. Otherwise, you tend to see less than ideal user behaviour like storing passwords on a sticky note or in the web browser cache. “I discourage clients from storing passwords in the browser cache because if their machine gets hacked, the attacker will have access to all that information,” said Neha. 

That’s not to criticise users, she emphasised. “If an organisation is not facilitating staff with a password management tool, they will find the means. They try the best they can, but ultimately they want to get on with their work.”

The credential conundrum

The security industry has struggled with the problem of access and authentication for years. It hasn’t helped itself by shifting the burden onto the people least qualified to do something about it. Most people aren’t security experts, and it’s unfair to expect them to be. Many of us struggle to remember our own phone numbers, let alone a complex password. Yet some companies force their employees to change their passwords regularly. What happens next is the law of unintended consequences in action: people choose a really simple password, or one that barely changes from the one they’d been using before.

For years, many security professionals followed the advice of the US National Institute of Standards and Technology (NIST) for secure passwords. NIST recommended using a minimum of seven characters, and to include numbers, capital letters or special characters. By that measure, a password like ‘Password1’ would meet the recommendations even if no-one would think it was secure.

Poor password advice

Bill Burr, the man who literally wrote the book on passwords for NIST, has since walked back his own advice. In 2017, he told the Wall Street Journal, “much of what I did I now regret”. He added: “In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree”. NIST has since updated its password advice in Special Publication 800-63B, which drops composition rules and forced periodic changes in favour of length and checks against lists of known-breached passwords; you can find the revised recommendations here.

As well as fending off cybercrime risks, another good reason for implementing good access control is GDPR compliance. Although the General Data Protection Regulation doesn’t specifically refer to passwords, it requires organisations to process personal data in a secure manner. The UK’s Information Commissioner’s Office has published useful free guidance about good password practices with GDPR in mind.

Until your organisation implements password-less login, protect your current login details. Neha recommends using a pass phrase instead of a password, along with two-factor authentication where possible. People should also use a different pass phrase for each website or online service they use, because reusing the same phrase puts them at risk if attackers compromise any one of those sites. Once attackers get one set of login credentials, they try them on other popular websites to see if they work (credential stuffing). She also recommends using a good password manager or password keeper in place of having to remember multiple pass phrases or passwords. Just remember to think of a strong master password to protect all of those other login details!
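The two policies the post contrasts, the old composition-rule check that lets ‘Password1’ through and the revised NIST SP 800-63B approach (length, a breached-password blocklist, no composition rules, no forced rotation), side by side as an added example that is not from the original post. The blocklist here is a tiny constructed sample standing in for a real corpus such as the Have I Been Pwned password list, and the function and variable names are the example’s own.

```python
"""Composition-rule password policy (the advice the post describes) beside a
NIST SP 800-63B-style policy. Added illustration, not from the original post;
BREACHED_SAMPLE is a constructed stand-in for a real breached-password corpus."""
import re
import unicodedata

# Constructed sample. A real deployment checks a corpus such as the Have I
# Been Pwned password list; the stem entries catch "Summer2019!" via "summer".
BREACHED_SAMPLE = {"password", "password1", "123456", "qwerty", "letmein",
                   "welcome1", "summer", "summer2018"}

def legacy_policy(password):
    """Seven-plus characters and at least one digit, capital or punctuation
    character. 'Password1' passes; a long lower-case pass phrase fails."""
    return len(password) >= 7 and bool(re.search(r"[0-9A-Z]|[^\w\s]", password))

def _canonical(password):
    # NFKC normalisation as 800-63B asks for, then lower-case, so that
    # 'PASSWORD1' and 'Password1' map to the same blocklist entry.
    return unicodedata.normalize("NFKC", password).lower()

def _stem(password):
    # Drop digits, punctuation and spaces: the part people keep when they
    # "rotate" Summer2018! to Summer2019!
    return re.sub(r"[^a-z]", "", _canonical(password))

def is_trivial_variant(old, new):
    """True when the new secret is the old one with only digits, case or
    punctuation changed, which is what forced rotation tends to produce."""
    return _stem(old) == _stem(new)

def modern_policy(password, blocklist=BREACHED_SAMPLE, previous=None):
    """SP 800-63B style: length is the control, no composition rules, no
    periodic expiry, reject breached/common values. Returns (accepted, reason)."""
    if len(password) < 8:
        return False, "shorter than 8 characters"
    if len(password) > 64:
        return False, "longer than 64 characters"
    if _canonical(password) in blocklist:
        return False, "exact match on breached/common password list"
    if _stem(password) in blocklist:
        return False, "trivial variant of a breached/common password"
    if previous is not None and is_trivial_variant(previous, password):
        return False, "trivial variant of the previous password"
    return True, "ok"
```

Run the two policies over ‘Password1’ and a four-word pass phrase and the verdicts invert: the legacy rule accepts the former and rejects the latter, the 800-63B-style rule does the opposite. The `previous` argument shows how a rotation-gaming check works if you still have to live with an expiry policy; it compares stems, so ‘Winter2018!’ to ‘Winter2019!’ is refused.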

The post Password-less future moves closer as Google takes FIDO2 for a walk appeared first on BH Consulting.

Security roundup: March 2019

We round up interesting research and reporting about security and privacy from around the web. This month: ransomware repercussions, reporting cybercrime, vulnerability volume, everyone’s noticing privacy, and feeling GDPR’s impact.

Ransom vs ruin

Hypothetical question: how long would your business hold out before paying to make a ransomware infection go away? For Apex Human Capital Management, a US payroll software company with hundreds of customers, it was less than three days. Apex confirmed the incident, but didn’t say how much it paid or reveal which strain of ransomware was involved.

Interestingly, the story suggests that the decision to pay was a consensus between the company and two external security firms. This could be because the ransomware also encrypted data at Apex’s newly minted external disaster recovery site. Most security experts strongly advise against paying extortionists to remove ransomware. With that in mind, here’s our guide to preventing ransomware. We also recommend visiting NoMoreRansom.org, which has information about infections and free decryption tools.

A bonus salutary security lesson: while we’re on the subject of backup failure, a “catastrophic” attack wiped the primary and backup systems of the secure email provider VFEmail. Effectively, the lack of an offline backup put the company out of business. As Brian Honan noted in the SANS newsletter, this case shows the impact of badly designed disaster recovery procedures.

Ready to report

If you’ve had a genuine security incident – neat segue alert! – you’ll probably need to report it to someone. That might be your local CERT (computer emergency response team), a regulator, or even law enforcement. (It’s called cybercrime for a reason, after all.) Security researcher Bart Blaze has developed a template for reporting a cybercrime incident which you might find useful. It’s free to download at Peerlyst (sign-in required).

By definition, a security incident will involve someone deliberately or accidentally taking advantage of a gap in an organisation’s defences. Help Net Security recently carried an op-ed arguing that it’s worth accepting that your network will be infiltrated or compromised. The key to recovering faster involves a shift in mindset and strategy from focusing on prevention to resilience. You can read the piece here. At BH Consulting, we’re big believers in the concept of resilience in security. We’ve blogged about it several times over the past year, including posts like this.

In incident response and in many aspects of security, communication will play a key role. So another helpful resource is this primer on communicating security subjects with non-experts, courtesy of SANS’ Lenny Zeltser. It takes a “plain English” approach to the subject and includes other links to help security professionals improve their messaging. Similarly, this post from Raconteur looks at language as the key to improving collaboration between a CISO and the board.

Old flaws in not-so-new bottles

More than 80 per cent of enterprise IT systems have at least one flaw listed on the Common Vulnerabilities and Exposures (CVE) list, and one in five systems has more than ten such unpatched vulnerabilities. Those are some of the headline findings in the 2019 Vulnerability Statistics Report from Irish security company Edgescan.

Edgescan puts the average window of exposure (the time a known vulnerability stays unpatched) for critical web application vulnerabilities at 69 days; the equivalent figure for critical vulnerabilities in the infrastructure layer is 65 days. High-risk and medium-risk vulnerabilities in enterprise applications take up to 83 and 74 days respectively to patch.

SC Magazine’s take was that many of the problems in the report come from companies lacking full visibility of all their IT assets. The full Edgescan report has even more data and conclusions and is free to download here.

From a shrug to a shun

Privacy practitioners take note: consumer attitudes to security breaches appear to be shifting at last. PCI Pal, a payment security company, found that 62 per cent of Americans and 44 per cent of Britons claim they will stop spending with a brand for several months following a hack or breach. The reputational hit from a security incident could be greater than the cost of repair. In a related story, security journalist Zack Whittaker has taken issue with the hollow promise of websites everywhere. You know the one: “We take your privacy seriously.”

If you notice this notice…

Notifications of data breaches have increased since GDPR came into force. The European Commission has revealed that companies made more than 41,000 data breach notifications in the six-month period since May 25. Individuals or organisations made more than 95,000 complaints, mostly relating to telemarketing, promotional emails and video surveillance. Help Net Security has a good writeup of the findings here.

It was a similar story in Ireland, where the Data Protection Commission saw a 70 per cent increase in reported valid data security breaches, and a 56 per cent increase in public complaints compared to 2017. The summary data is here and the full 104-page report is free to download.

Meanwhile, Brave, the privacy-focused browser developer, argues that GDPR doesn’t make doing business harder for a small company. “In fact, if purpose limitation is enforced, GDPR levels the playing field versus large digital players,” said chief policy officer Johnny Ryan.

Interesting footnote: a US insurance company, Coalition, has begun offering GDPR-specific coverage. Dark Reading quotes a lawyer who said insurance might be effective for risk transference but it’s untested. Much will depend on the policy’s wording, the lawyer said.

Things we liked

Lisa Forte’s excellent post draws parallels between online radicalisation and cybercrime.

Want to do some malware analysis? Here’s how to set up a Windows VM for it.

You give apps personal information. Then they tell Facebook (paywall).

Ever wondered how cybercriminals turn their digital gains into cold, hard cash?

This 190-second video explains cybercrime to a layperson without using computers.

Blaming the user for security failings is a dereliction of responsibility, argues Ira Winkler.

Tips for improving cyber risk management.

Here’s what happens when you set up an IoT camera as a honeypot.

The post Security roundup: March 2019 appeared first on BH Consulting.

Information Security no longer the Department of “NO”

The information security function within business has gained the rather unfortunate reputation of being the department of “no”, often viewed as a blocker to IT innovation and business transformation: a department seen as out of touch with genuine business needs and with the demands of an evolving workforce demographic made up of increasing numbers of Millennials and Centennials. However, new research by IDC and Capgemini reveals that attitudes are changing, and business leaders are increasingly relying on their Chief Information Security Officers (CISOs) to create meaningful business impact.


The study bears out a shift in executive perceptions: information security is indeed important to the business, with the modern CISO evolving from responder to driver of change, helping to build businesses that are secure by design. The survey found CISOs are now involved in 90% of significant business decisions, and 25% of business executives perceive CISOs as proactively enabling digital transformation, which is a key goal for 89% of organisations surveyed by IDC.

Key findings from the research include: 

  • Information security is a business differentiator – Business executives think the number one reason for information security is competitive advantage and differentiation, followed by business efficiency. Just 15% of business executives think information security is a blocker of innovation, indicating that information security is no longer the ‘department of no’.
  • CISOs are now boardroom players – 80% of business executives and CISOs think their personal influence has improved in the last three years. CISOs are now involved in 90% of medium or high influence boardroom decisions.
  • CISOs must lead digital transformation efforts – At present, less than 25% of business executives think CISOs proactively enable digital transformation. To stay relevant, CISOs must become business enablers. They need to adopt business mindsets and push digital transformation forward, not react to it. CISOs that fail to adopt a business mindset will be replaced by more forward-thinking players.

From NO to GO

CISOs have made great leaps forward:
  • Focused on making security operations effective and efficient
  • Engaged with the rest of the business
  • Seen as key SMEs to the board
  • Responding to business requests and enabling change

CISOs now need to pivot to become business leaders:
  • Be part of the business change ecosystem
  • Be seen as drivers rather than responders
  • Act as entrepreneur and innovator

Cyber Security Conferences to Attend in 2019

A list of cyber and information security conferences to consider attending in 2019. Conferences are not only great places to learn about the evolving cyber threat landscape and proven security good practices, but also to network with industry-leading security professionals and like-minded enthusiasts, to share ideas, expand your own knowledge, and even to make good friends.

JANUARY 2019

SANS Cyber Threat Intelligence Summit
Monday 21st & Tuesday 22nd January 2019
Renaissance Arlington Capital View Hotel, VA, USA
https://www.sans.org/event/cyber-threat-intelligence-summit-2018


AppSec California 2019 (OWASP)
Tuesday 22nd & Wednesday 23rd January 2019
Annenberg Community Beach House, Santa Monica, USA
https://2019.appseccalifornia.org/


PCI London
Thursday 24th January 2019
Park Plaza Victoria Hotel, London, UK
https://akjassociates.com/event/pcilondon

The Future of Cyber Security Manchester
Thursday 24th January 2019
Bridgewater Hall, Manchester, UK
https://cybermanchester.events/

BSides Leeds
Friday 25th January 2019
Cloth Hall Court, Leeds, UK

FEBRUARY 2019

Cyber Security for Industrial Control Systems
Thursday 7th & Friday 8th February 2019
Savoy Place, London, UK
https://events.theiet.org/cyber-ics/index.cfm

NOORD InfoSec Dialogue UK
Tuesday 26th & Wednesday 27th February 2019
The Bull-Gerrards Cross, Buckinghamshire, UK

MARCH 2019

BSidesSF
Sunday 3rd and Monday 4th March 2019
City View at Metreon, San Francisco, USA
https://bsidessf.org/

RSA Conference
Monday 4th to Friday 8th March 2019
Moscone Center, San Francisco, USA
https://www.rsaconference.com/events/us19

17th Annual e-Crime & Cybersecurity Congress
Tuesday 5th & Wednesday 6th March 2019
Park Plaza Victoria Hotel, London, UK

Security & Counter Terror Expo
Tuesday 5th & Wednesday 6th March 2019
Olympia, London, UK
https://www.counterterrorexpo.com/

ISF UK Spring Conference
Wednesday 6th & Thursday 7th March 2019
Regent Park, London, UK
https://www.securityforum.org/events/chapter-meetings/uk-spring-conference-london/

Cloud and Cyber Security Expo
Tuesday 12th to Wednesday 13th March 2019
ExCeL, London, UK
https://www.cloudsecurityexpo.com/

APRIL 2019

Cyber Security Manchester
Wednesday 3rd & Thursday 4th April 2019
Manchester Central, Manchester, UK
https://cybermanchester.events/

(ISC)2 Secure Summit EMEA
Monday 15th & Tuesday 16th April 2019
World Forum, The Hague, Netherlands
https://web.cvent.com/event/df893e22-97be-4b33-8d9e-63dadf28e58c/summary

BSides Scotland 2019
Tuesday 23rd April 2019
Royal College of Physicians, Edinburgh, UK
https://www.contextis.com/en/events/bsides-scotland-2019

CyberUK 2019
Wednesday 24th & Thursday 25th April 2019
Scottish Event Campus, Glasgow, UK
https://www.ncsc.gov.uk/information/cyberuk-2019

Cyber Security & Cloud Expo Global 2019
Thursday 25th and Friday 26th April 2019
Olympia, London, UK
https://www.cybersecuritycloudexpo.com/global/


JUNE 2019

Infosecurity Europe 2019
Tuesday 4th to Thursday 6th June 2019
Olympia, London, UK
https://www.infosecurityeurope.com/

BSides London
Thursday 6th June 2019
ILEC Conference Centre, London, UK
https://www.securitybsides.org.uk/

Blockchain International Show
Thursday 6th and Friday 7th June 2019
ExCeL Exhibition & Conference Centre, London, UK
https://bisshow.com/

Hack in Paris 2019
Sunday 16th to Friday 20th June 2019
Maison de la Chimie, Paris, France
https://hackinparis.com/

Gartner Security and Risk Management Summit
Monday 17th to Thursday 20th June 2019
National Harbor, MD, USA
https://www.gartner.com/en/conferences/na/security-risk-management-us

UK CISO Executive Summit
Wednesday 19th June 2019
Hilton Park Lane, London, UK
https://www.evanta.com/ciso/summits/uk#overview

Cyber Security & Cloud Expo Europe 2019
Thursday 19th and Friday 20th June 2019
RAI, Amsterdam, Netherlands
https://cybersecuritycloudexpo.com/europe/

European Maritime Cyber Risk Management Summit
Tuesday 25th June 2019
Norton Rose Fulbright, London, UK


AUGUST 2019
Black Hat USA
Saturday 3rd to Thursday 8th August 2019
Mandalay Bay, Las Vegas, NV, USA
https://www.blackhat.com/upcoming.html

DEF CON 27
Thursday 8th to Sunday 11th August 2019
Paris, Ballys & Planet Hollywood, Las Vegas, NV, USA
https://www.defcon.org/


SEPTEMBER 2019
44Con
Wednesday 11th to Friday 13th September 2019
ILEC Conference Centre, London, UK
https://44con.com/

2019 PCI SSC North America Community Meeting
Tuesday 17th to Thursday 19th September 2019
Vancouver, BC, Canada
https://www.pcisecuritystandards.org/about_us/events

OCTOBER 2019

Hacker Halted
Thursday 10th & Friday 11th October 2019
Atlanta, Georgia, USA
https://www.hackerhalted.com/

BruCON
Thursday 10th & Friday 11th October 2019
Aula, Ghent, Belgium
https://www.brucon.org/2019/

EuroCACS/CSX (ISACA) 2019
Wednesday 16th to Friday 18th October 2019
Palexpo Convention Centre, Geneva, Switzerland
https://conferences.isaca.org/euro-cacs-csx-2019

2019 PCI SSC Europe Community Meeting
Tuesday 22nd to Thursday 24th October 2019
Dublin, Ireland
https://www.pcisecuritystandards.org/about_us/events

ISF 30th Annual World Congress
Saturday 26th to Tuesday 29th October 2019
Convention Centre Dublin, Dublin, Ireland

6th Annual Industrial Control Cyber Security Europe Conference
Tuesday 29th and Wednesday 30th October 2019
Copthorne Tara, Kensington, London, UK
https://www.cybersenate.com/new-events/2018/11/13/6th-annual-industrial-control-cyber-security-europe-conference



NOVEMBER 2019
Cyber Security & Cloud Expo North America 2019
Wednesday 13th and Thursday 14th November 2019
Santa Clara Convention Centre, Silicon Valley, USA
https://www.cybersecuritycloudexpo.com/northamerica/

DevSecCon London 
Thursday 14th & Friday 15th November 2019
CodeNode, London, UK


Cyber Security Summit 2019
Wednesday 20th November 2019
QEII Centre, London, UK
https://cybersecuritysummit.co.uk/

2019 PCI SSC Asia-Pacific Community Meeting
Wednesday 20th and Thursday 21st November 2019
Melbourne, Australia
https://www.pcisecuritystandards.org/about_us/events

DeepSec
Thursday 20th to Saturday 30th November 2019
The Imperial Riding School Vienna, Austria
https://deepsec.net/

Post in the comments about any cyber & information security themed conferences or events you recommend.