Category Archives: Security newsround

Security newsround: January 2019

We round up interesting research and reporting about security and privacy from around the web. This month: the security year in review, resilience on rails, incidents in depth, phishing hooks millennials, Internet of Threats, and CISOs climbing the corporate ladder.

A look back at cybercrime in 2018

It wouldn’t be a new year’s email without a retrospective on major security incidents over the previous 12 months. Credit to CSO Online for assembling a useful overview of some of last year’s most common risks and threats. To beef up this resource, it sourced external research and stats, while adding plenty of links for further reading. Some of the highlights include the massive rise in cryptocurrency mining. “Coin miners not only slow down devices but can overheat batteries and sometimes render a device useless,” it warned.

The article also advises against posting mobile numbers on the internet, because criminals are finding ways to harvest them for various scams. CSO also advises organisations about knowing the value of their data in order to protect it accordingly. Threatpost has a handy at-a-glance guide to some of the big security incidents from the past year. Meanwhile, kudos to Vice Motherboard for its excellent ‘jealousy list’ which rounds up great hacking and security stories from 2018 that first appeared in other media outlets.

Luas security derails tram website

The new year got off to a bad start for Dublin’s tram operator Luas, after an unknown attacker defaced its website in a security incident. On January 2nd, the Luas site had this message: “You are hacked… some time ago i wrote that you have serious security holes… you didn’t reply… the next time someone talks to you, press the reply button… you must pay 1 bitcoin in 5 days… otherwise I will publish all data and send emails to your users.”

The incident exposed 3,226 user records, and Luas said they belonged to customers who had subscribed to its newsletter. News of the incident spread widely, possibly due to Luas’ high profile as a victim, or because of the cryptocurrency angle.

The tram service itself was not affected, nor was the company’s online payments system. While the website was down, Luas used its Twitter feed to communicate travel updates to the public, and warned people not to visit the site. Interviewed by the Irish Times, Brian Honan said the incident showed that many organisations tend to forget website security after launch. As we’ve previously blogged, it’s worth carrying out periodic vulnerability assessments to spot gaps that an attacker could exploit. With the Luas site not fully back six days later, Brian noted on Twitter that it’s important to integrate incident response with business continuity management.

One hacked laptop and two hundred solemn faces

When an employee of a global apparel company clicked on a link in a phishing email while connected to a coffee shop wifi, they unwittingly let a cybercrime gang onto their corporate network. Once in, the attackers installed Framework POS malware on the company’s retail server to steal credit card details. It’s one real-life example from CrowdStrike’s Cyber Intrusion Casebook. The report details various incident response cases from 2018. It also gives recommendations for organisations on steps to take to protect their critical data better. In addition to coverage in online news reports, the document is available as a free PDF on CrowdStrike’s site.

Examples like these show the need for resilience, which we’ve blogged about before. No security is 100 per cent perfect. But it shouldn’t follow that one gap in the defences brings the entire wall crumbling down.

Digitally savvy, yes. Security savvy, not so much

Speaking of phishing, a new survey has found that digital natives are twice as likely to have fallen victim to a phishing scam as their older – sorry, we mean more experienced – colleagues. Some 17 per cent in the 23-41 age group clicked on a phishing link, compared with 6 per cent of those aged 42-53 and 7 per cent of those aged 54 and over. The findings suggest a gap between perception and reality.

Of all the age groups, digital natives were the most confident in their ability to spot a scam. Yet the 14 per cent of digital natives who weren’t as sure of their ability to spot a phish was strikingly close to the percentage in the same age bracket who had fallen for a phishing email. The survey by Censuswide for Datapac found that 14 per cent of Irish office workers – around 185,000 people – have been successfully phished at some stage.

OWASP’s IoT hit list

Is your organisation planning an Internet of Things project in 2019? Then you might want to send the project team in OWASP’s direction first. The group’s IoT project aims to improve understanding of the security issues around embedding sensors in, well, anything. To that end, the group has updated its top 10 list for IoT. The risks include old reliables like weak, guessable passwords, outdated components, insecure data transfer or storage, and lack of physical hardening. The full list is here.

The number’s up for CISO promotions

Why do relatively few security professionals ascend to the highest levels of business? That’s the provocative question from Raj Samani, chief scientist with McAfee. In an op-ed for Infosecurity Magazine, Samani argues that security hasn’t yet communicated its value to the business in an identifiable way. The fatigue or indifference over the ever-mounting number of data breaches is evidence of this. Unlike a physical incident like a car accident, where the impact is instantly visible, security incidents don’t have the same obvious cause and effect.

“The inability to determine quantifiable loss means that identifying measures to reduce risk are merely estimated at best. Moreover, if the loss is rarely felt, then the value of taking active steps to protect an asset can simply be overlooked,” Samani writes. “We can either bemoan the status quo or identify an approach that allows us to articulate our business value in a quantifiable way.”

The post Security newsround: January 2019 appeared first on BH Consulting.

Security newsround: November 2018

We round up interesting research and reporting about security developments from around the web. This month: blaming the user (or not), passwords, protecting data and privacy, and security leadership (or the lack of it).

The blame game

Who’s to blame when poor passwords lead to breaches? That was a matter for debate among the respected security professionals Troy Hunt and Javvad Malik recently. Hunt began by blogging that when security incidents come to light, bad password choices are often the root cause. “The account holder is the victim but they must also share the blame,” he said. Javvad Malik responded with a rebuttal, taking security professionals to task for an ‘us vs them’ mentality. There’s also a wider issue of technologists building systems with poor security that pushes responsibility back on people who are least qualified to know what’s best, he said. Both blogs are worth reading in full; in Javvad’s words they are “a natural part of a much-needed dialogue in the security industry”.

GDPR guidance on protecting data with passwords

The UK’s Data Protection Authority, ICO, has published new guidance on passwords as a means of protecting data in light of GDPR. Although the GDPR doesn’t specifically mention passwords, it requires organisations to process personal data securely using appropriate technical and organisational measures, and passwords are a common way of doing this. The guidance includes details of what to consider when designing and implementing password systems. The page includes links to the relevant sections of GDPR, along with password guidance from the UK National Cyber Security Centre. It also suggests that organisations should think about whether there are any better alternatives to using passwords.

GDPR slows the M&A train

Call it the (corporate) law of unintended consequences: could GDPR compliance concerns be causing M&A activity to slow down? That seems to be the key finding in a survey of more than 500 EMEA M&A professionals from Merrill Corporation. More than half said compliance and data protection at a target company was the main reason why deals collapsed. The Times described the regulation as “a significant fetter” on mergers and acquisitions. Two-thirds of those surveyed believe that GDPR will increase potential buyers’ scrutiny of a target company’s data protection policies and processes. This will further complicate the deal-making process, Merrill concluded.

Separately, Irish business leaders say GDPR has been beneficial for society and individuals. In a survey of 73 companies by Mazars and McCann Fitzgerald, respondents said complying with the regulation had been a challenge, but many were confident in their efforts. A massive 88 per cent of the firms believe they have interpreted their obligations correctly.

“Who’s in charge here?” “Ain’t you?”

No single senior executive function is taking responsibility for managing security, a new survey has found. The NTT Security 2018 Risk:Value report found a “narrowing gap” between the roles of CEO, CISO and CIO when it comes to security. The report is based on responses from 1,800 decision makers in non-IT functions. It suggests that this lack of cohesion at the top means that many organisations are struggling to secure their most important digital assets. Just 48 per cent of respondents globally say they have fully secured all of their critical data.

NTT Security’s Azeem Aleem said: “Responsibility for day-to-day security doesn’t seem to fall on any one particular person’s shoulders among our response base. This narrow gap between the roles of CIO, CEO and CISO shows that no one executive function is stepping up to the plate. It could be a sign of unclear separation between the CIO and CISO though, as often they are the same or collaborate closely.”

Worryingly, one-third of respondents also said they would pay a ransom to malicious attackers rather than investing in information security. For those troubling stats and more, the full report is here.

Simple SME security from the US FTC

The US Federal Trade Commission has launched a website with free security resources aimed specifically at small businesses. In a similar vein to the UK NCSC’s excellent site, the American equivalent covers areas like phishing, ransomware, email authentication, physical security, fraud and securing remote access. The site has a clean design that’s easy to navigate. It also has a guide for employers along with links to useful security materials and a series of videos.

The post Security newsround: November 2018 appeared first on BH Consulting.