The Information Security Forum (ISF) has updated its risk assessment methodology to improve threat profiling and vulnerability assessment, among other things.
The ISF’s Information Risk Assessment Methodology version 2 (IRAM2) is a practical methodology that helps businesses to identify, analyze and treat information risk throughout the organization. In the updated version, “react and prepare” have been incorporated into the supporting information used during the threat profiling phase, including the common threat list (CTL) and the threat event catalogue (TEC).
Also, on the vulnerability front, the previous IRAM2 control library, consisting of 29 controls, has been replaced with a more comprehensive set of 167 controls based on The Standard of Good Practice for Information Security and the Security Healthcheck. The approach for determining control strength also now includes the extent of ‘relevance’ and ‘implementation’ of environmental controls. This enhanced approach is supported with the introduction of control relevance tables (CRT) to provide objectivity and repeatability.
Its supporting tool, the IRAM2 Assistant, was previously a single, Excel-based supporting tool. It has now been split into four integrated modules collectively referred to as the IRAM2 Assistants. Each module supports one or more phases of the methodology. The IRAM2 Assistants automate parts of the methodology that would otherwise require a greater amount of manual effort and offer in-depth analysis to enhance business decision making. They also deliver specific templates that can be applied for enterprise-wide information risk assessments, and use report templates to convey the key risks to stakeholders. Each IRAM2 Assistant is accompanied by a practitioner guide providing step-by-step instructions on how to use the methodology.
“Developing a robust mechanism to assess and treat information risk throughout your organization is essential,” said Steve Durbin, managing director at the ISF. “Risk assessment is all about balance, and IRAM2 allows for teams to assess risk in a realistic manner. IRAM2 focuses on simplicity and practicality, while embedding reliability and steadfastness throughout the assessment process. This enables consistent results and a depth of analysis that improves decision-making.”
IRAM2 provides organizations with the ability to tailor their threat tables to reflect an organization’s overall risk appetite. IRAM2 works by evaluating and assessing a variety of information risk factors that comprise each information risk equation. Once defined at an organizational level, risk appetite can be communicated and presented differently throughout an organization. If an organization does not have a defined risk appetite, the decisions regarding the treatment for each risk will have to be made by the key stakeholders on a risk-by-risk basis. The practitioner should make the key stakeholders aware that the lack of a defined risk appetite could result in inconsistent decisions regarding the amount of risk the organization accepts.
“Managing information risk fundamentally relates to effectively balancing risk against reward,” continued Durbin. “IRAM2 empowers information risk practitioners to engage with key business, risk and technology stakeholders in an organized and enterprise-aware manner. With this foundation, they can work more effectively across the organization to assess appropriate risk profiles and provide input to the business to address – or not.”
Over 90% of the top firms listed in the US, UK and Australia are exposing their customers and partners to phishing and other email-borne threats because they’ve yet to fully adopt the DMARC standard, according to new research.
Security vendor Agari analyzed public DNS records linked to companies on the Fortune 500, FTSE 100 and ASX 100 and found a similar pattern.
Over two-thirds (67%) of Fortune 500 and FTSE 100 firms and nearly three-quarters (73%) of ASX 100 companies have not published any DMARC policy.
Around a quarter in each region have adopted only a minimal DMARC policy that monitors, but doesn’t prevent, domain name spoofing, the report found.
According to the Domain-based Message Authentication, Reporting & Conformance (DMARC) standard, the next step up from this minimal monitoring policy is “quarantine”, where unauthenticated messages are automatically moved into the spam folder.
However, this was even less common among Fortune 500 (3%), FTSE 100 (1%) and ASX 100 (1%) firms.
Just 5% of Fortune 500, 6% of FTSE 100 and 3% of ASX 100 companies went for the strongest policy, which blocks any unauthenticated messages completely, according to Agari.
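As an added illustration (not Agari's own tooling), the following Python classifies published DMARC records into the tiers the study counts: no policy, monitor-only (p=none), quarantine and reject. The sample records and .example domains are constructed; it also goes slightly beyond the article by reporting the pct= tag, since a record with pct below 100 applies its policy to only that share of failing mail.

```python
"""Classify published DMARC policies into the tiers the Agari study counts.

Added example, not Agari's code.  Records are constructed sample TXT values
of the kind published at _dmarc.<domain>; no DNS lookup is performed.
"""

# Constructed sample records, keyed by placeholder domain names.
SAMPLE_RECORDS = {
    "none.example": None,                                      # nothing published
    "monitor.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor.example",
    "quarantine.example": "v=DMARC1; p=quarantine; pct=100",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s",
    "partial.example": "v=DMARC1; p=reject; pct=25",          # only a quarter enforced
    "broken.example": "v=spf1 include:_spf.example -all",      # an SPF record, not DMARC
}


def parse_dmarc(record):
    """Return the tag/value pairs of a DMARC TXT record, or None if it is not one.

    RFC 7489 requires 'v=DMARC1' as the first tag; tags are ';'-separated.
    """
    if record is None:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def classify_policy(record):
    """Map a record to (tier, pct) using the tiers the Agari study counts.

    'none'       -> no valid DMARC policy published
    'monitor'    -> p=none: reports only, spoofed mail is still delivered
    'quarantine' -> unauthenticated mail goes to the spam folder
    'reject'     -> unauthenticated mail is refused outright
    pct is the share of failing mail the policy actually applies to; the
    remainder is effectively only monitored, so anything below 100 is worth
    flagging in a survey like this one.
    """
    tags = parse_dmarc(record)
    if tags is None:
        return ("none", 0)
    policy = tags.get("p", "none").lower()
    if policy not in ("none", "quarantine", "reject"):
        return ("none", 0)  # an invalid p= value gives receivers nothing to enforce
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    pct = max(0, min(100, pct))
    tier = "monitor" if policy == "none" else policy
    return (tier, pct)


def survey(records):
    """Count domains per tier, the way the study tallies each index."""
    counts = {"none": 0, "monitor": 0, "quarantine": 0, "reject": 0}
    for _domain, record in records.items():
        tier, _pct = classify_policy(record)
        counts[tier] += 1
    return counts


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(f"{domain:20} -> {classify_policy(record)}")
    print(survey(SAMPLE_RECORDS))
```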
It’s notable that UK firms with a large customer base of consumers are most likely to adopt DMARC.
For example, adoption in pharmaceuticals and finance is 100%, although many are still in “monitor” mode, Agari claimed.
"DMARC is an essential tool that helps prevent spam, phishing and data loss," said Shehzad Mirza, director of operations at non-profit the Global Cyber Alliance. "GCA urges organizations of all sizes to embrace this technology standard to eliminate direct domain spoofing.”
Despite poor take-up in the private sector, DMARC received a boost last September when the UK government mandated that its “Reject” policy be the default for all government emails from October.
The HMRC is one of the most phished organizations in the UK, as it handles tax returns and other highly sensitive data.
Identity fraud soared 5% from last year to reach record levels in the first six months of the year, with online scams comprising the vast majority, according to new figures from Cifas.
The anti-fraud non-profit said its members recorded 89,000 incidents in the first half of 2017, with online fraud now accounting for 83%.
Identity fraud is now the most common fraud type, comprising over half (56%) of all incidents reported to Cifas, the organization claimed.
Fraud grew particularly in cases involving loan applications (+54%), online retail (+56%), telecoms (+61%) and insurance (+10,250%).
However, scams involving bank accounts (-14.2%) and plastic cards (-12%) fell during the period.
Cifas CEO, Simon Dukes, said SMEs in particular need to educate staff on how to spot social engineering attempts to trick them into divulging sensitive customer information.
“We have seen identity fraud attempts increase year on year, now reaching epidemic levels, with identities being stolen at a rate of almost 500 a day,” he added.
“These frauds are taking place almost exclusively online. The vast amounts of personal data that is available either online or through data breaches is only making it easier for the fraudster.”
Rob Wilkinson, corporate security specialist at Smoothwall, argued that firms also need to look at potential weak points in suppliers and partners to keep customer data secure.
“They need to comply with regulation and build a layered security defense which spans encryption, firewalls, web filtering and ongoing threat monitoring as well as a proactive stance,” he added.
“But the public have a role to play too; they need to be incredibly careful about the information they share online. It can be very easy to pool this information and use it to build a profile which can be used for social engineering. Even something as simple as an email address and password can be all they need to cause financial and reputational damage."
President Trump’s advisers have warned of an impending 9/11-style attack on the nation’s critical infrastructure and called for “direction and leadership to dramatically reduce cyber risks.”
The National Infrastructure Advisory Council (NIAC) was commissioned by the National Security Council (NSC) to review over 140 federal “capabilities and authorities” in order to evaluate what needs to be done to secure infrastructure against targeted attacks.
The resulting report out this week claimed that although both government and private sector have “tremendous” resources to defend critical systems from attack, they’re not properly organized, harnessed or focused.
“The challenges the NIAC identified are well-known and reflected in study after study. There is a narrow and fleeting window of opportunity before a watershed, 9/11-level cyber-attack to organize effectively and take bold action. We call on the Administration to use this moment of foresight to take bold, decisive actions.”
Specifically, these recommendations include establishing separate, secure networks for critical infrastructure (CNI), including “dark fiber” networks for critical control system traffic and reserved spectrum for backup communications during emergencies.
Information sharing is also high on the wish list: the report calls for a pilot of M2M info-sharing technologies, and the rapid declassification and proactive sharing of threat intelligence with CNI operators.
That’s not all. The report recommends best-in-class scanning tools and assessment practices; a public-private expert exchange program to strengthen IT professionals’ skill sets and a streamlining of the security clearance process for CNI owners.
The NIAC also wants “limited time, outcome-based market incentives” to encourage CNI owners to invest in state-of-the-art technologies.
An operational task force is required comprising experts in government alongside electricity, finance and communications sectors to take decisive action, it added.
The White House National Security Adviser should review these recommendations and chart a path forward, it concluded.
Although there have been precious few attacks on US CNI over the years – aside from an alleged Iranian attack on a New York dam – the warning signs are that hostile states increasingly have the capabilities to launch one.
Most experts point to the sophisticated Kremlin-linked attacks on Ukrainian power stations in December 2015 and 2016, which led to widespread outages in the country.
Hackers have compromised the social media accounts of crypto-currency platform Enigma, managing to make off with $500,000 in fraudulent scam gains before the company took back control.
Enigma is prepping for a crypto-token sale on Sept. 11. Scenting an opportunity, enterprising hackers managed to alter the company’s website and sent out targeted spam emails asking interested parties to send funds now for the sale. Instead of buying tokens, of course, the money (in the virtual currency known as Ethereum) went into the criminals’ own wallets.
According to TechCrunch, the spam targeted 9,000 users that were part of an Enigma mailing list. The gambit managed to take in enough of them to net around $500,000, the outlet reported—even though Enigma had previously said it wouldn’t collect funding until next month.
“Cryptocurrencies are one of the more lucrative targets for account hijackers,” Phil Tully, principal data scientist at ZeroFOX, told Infosecurity. “They’re decentralized, making it hard to recover any losses; they’re pseudonymous, making real-world attribution difficult; and they’re irreversible, rendering it impossible to recover losses after attacks like scams and ransomware delivery. For these reasons, among others, cryptocurrencies have blossomed into hackers’ and scammers’ preferred method of payment, especially in the realms of DDoS and ransomware.”
In the case of the Enigma breach, social channels like Slack provided access to a key demographic of digitally-connected people who are most interested in getting into the booming crypto game, but who also lack the specialized expertise necessary to tell a legitimate from an illegitimate offer.
As for how the attackers gained access to Enigma’s accounts in the first place, “attackers compromised accounts through ‘credential stuffing,’ which relies on victims using weak or overlapping passwords among multiple digital accounts,” said Tully. “When attackers discover a password that was dumped as part of a previous third-party breach, they can pivot and try to use the same password or slight variations of it to log into a victim’s other associated digital accounts.”
To mitigate credential stuffing attacks, Tully advised that users should always enable multi-factor authentication on all social and digital accounts, check to see if accounts have ever been compromised in a large-scale data breach by using a service like https://haveibeenpwned.com, be wary of too-good-to-be-true offers, especially when they involve sending cryptocurrency payments, and be vigilant when engaging with the social media accounts of legitimate cryptocurrency brokers or trading platforms, as they are frequently victims of convincing impersonations.
A new email exploit, dubbed Ropemaker, allows a malicious actor to edit the content in an email—after it’s been delivered to the recipient and made it through the necessary filters.
For instance, an attacker could swap a benign URL with a malicious one in an email already delivered to an inbox, or edit any text in the body of an email whenever they want—all without direct access to that inbox.
First uncovered by Mimecast’s research team, a successful exploit could even undermine those that use SMIME or PGP for signing.
“The origin of Ropemaker lies at the intersection of email and Web technologies, more specifically Cascading Style Sheets (CSS) used with HTML,” explained Matthew Gardiner, a spokesperson at Mimecast, in a blog. “While the use of these web technologies has made email more visually attractive and dynamic relative to its purely text-based predecessor, this has also introduced an exploitable attack vector for email.”
He added, “Ropemaker could be leveraged in ways that are limited only by the creativity of the threat actors, which experience tells us, is often unlimited.”
Brian Robison, senior director of security technology at Cylance, said that there are aspects of the threat that are not necessarily new, but should nonetheless be on the radar for any organization.
“This advisory simply highlights the fact that if you receive an email with a URL embedded into that HTML email, an attacker COULD change the actual destination of that URL to be something not intended,” he explained via email. “Modern email applications render HTML as if it were a webpage using CSS to make the email ‘look’ nice. This is currently standard practice within every legitimate marketing organization in the world.”
He added, “Phishing emails have been taking advantage of this for some time, including linking to the original source to make it look more legit. Example: You get an email from your bank; the email pulls the headers and logos directly from the bank’s website; then the button is actually linked to a different site entirely—like badbank dot com, or something where you are tricked into clicking on that link and exposing your credentials on the fake banking site.”
The technique will work on most popular email clients and online email services. Fortunately, Mimecast has yet to see Ropemaker exploited in the wild.
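As an added defensive check (not Mimecast's code), the following Python walks an HTML message and reports every stylesheet or CSS resource the client would fetch from a remote server at render time, which is the precondition for the post-delivery content change described above. The two messages and the mailer.example and bank.example hosts are constructed placeholders.

```python
"""Flag HTML email whose styling is fetched from a remote server at render time.

Added example, not Mimecast's code.  Ropemaker relies on CSS that the mail
client retrieves when the message is displayed, so the defensive question is
simply: does this message pull any stylesheet or CSS resource from a URL?
The sample messages below are constructed; the hostnames are placeholders.
"""
import re
from html.parser import HTMLParser

# CSS constructs that make the client fetch something when the message renders:
# @import of a remote stylesheet, or any url(...) pointing at http(s).
CSS_REMOTE_REF = re.compile(
    r"""@import\s+(?:url\()?\s*['"]?\s*(https?:[^'")\s]+)"""
    r"""|url\(\s*['"]?\s*(https?:[^'")\s]+)""",
    re.IGNORECASE,
)


class RemoteCssFinder(HTMLParser):
    """Collect every remote stylesheet/CSS resource reference in an HTML body."""

    def __init__(self):
        super().__init__()
        self.remote_refs = []   # list of (location, url)
        self._in_style = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)     # HTMLParser lower-cases attribute names
        if tag == "link" and (attrs.get("rel") or "").lower() == "stylesheet":
            href = attrs.get("href") or ""
            if href.lower().startswith(("http:", "https:", "//")):
                self.remote_refs.append(("link", href))
        elif tag == "style":
            self._in_style = True
        if "style" in attrs:    # inline style="..." attributes can use url() too
            self._scan_css(attrs["style"], "style-attr")

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        if self._in_style:      # raw contents of a <style> block
            self._scan_css(data, "style-block")

    def _scan_css(self, css, where):
        for m in CSS_REMOTE_REF.finditer(css):
            self.remote_refs.append((where, m.group(1) or m.group(2)))


def find_remote_css(html):
    """Return the list of (location, url) remote CSS references in an HTML body."""
    finder = RemoteCssFinder()
    finder.feed(html)
    finder.close()
    return finder.remote_refs


def is_render_time_mutable(html):
    """True when displaying the message would fetch styling the sender controls
    and can change after delivery; such messages deserve extra scrutiny."""
    return bool(find_remote_css(html))


# Constructed sample messages with placeholder hosts.
SAFE_MESSAGE = """<html><head><style>a { color: #0055aa; }</style></head>
<body><p>Your statement is ready: <a href="https://bank.example/login">Sign in</a></p>
</body></html>"""

REMOTE_STYLED_MESSAGE = """<html><head>
<link rel="stylesheet" href="https://mailer.example/campaign.css">
<style>@import url("https://mailer.example/theme.css");</style></head>
<body><p style="background: url(https://mailer.example/bg.png)">
<a href="https://bank.example/login">Sign in</a></p></body></html>"""


if __name__ == "__main__":
    for name, body in (("safe", SAFE_MESSAGE), ("remote-styled", REMOTE_STYLED_MESSAGE)):
        print(name, is_render_time_mutable(body), find_remote_css(body))
```

A gateway that applies this check can strip or rewrite the flagged references so the message renders from its delivered content only, or hold such messages for review.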
A hacking team calling themselves the Fancy Bears (and which may or may not be affiliated with a similarly named APT group) has continued the tradition of leaking private documents that detail athletes’ use of potentially performance-enhancing drugs.
In this case, the group has published the records of 25 football players—including ex-Premier League players Carlos Tevez, Dirk Kuyt and Gabriel Heinze—that were awarded therapeutic use exemptions (TUEs) during the 2010 FIFA World Cup in South Africa.
Fancy Bears also said that it has proof that 160 players failed drug testing in 2015, including for cocaine and ecstasy.
To be clear—the 25 players who have been compromised have done nothing wrong. TUEs are exemptions given to athletes to use banned substances in very limited situations: The athlete has to show that he or she would suffer significant health problems without taking it; and that there is no reasonable therapeutic alternative.
As the US Anti-Doping Agency explained, “The TUE application process is thorough and designed to balance the need to provide athletes access to critical medication while protecting the rights of clean athletes to compete on a level playing field.”
Tevez and Heinze, for example, used betamethasone – a corticosteroid used to treat everything from joint inflammation and arthritis to asthma and Crohn’s disease – while Kuyt used dexamethasone to combat tooth pain.
The leak echoes previous releases of stolen documents by the Russian APT group known as Fancy Bear (aka APT28). While it’s unclear if Fancy Bears has any relationship with the singular Fancy Bear, the strategies are similar.
In 2016 Fancy Bear released documents from the World Anti-Doping Agency (WADA), with confidential medical information for US Olympic gymnastics star Simone Biles as well as Serena Williams, among others. The docs suggest Biles has ADHD and takes medication for that, and that Williams was treated with corticosteroids for injuries.
The group—well known for APT activities around the world including the US election-season hacking last year—claimed responsibility for the hack of a WADA database. WADA at the time said the hack was likely in revenge for its decision to recommend that the International Olympics Committee ban all Russian athletes at the Rio Games.
“Previous Fancy Bear dumps were almost always retaliatory and in response to sanctions from various international sports organizations,” said Recorded Future’s research arm Insikt Group, in a statement. “When the Russian athletic team was banned from participating in the World Athletics Championships in London, embarrassing IAAF doping reports about major Western athletes were made public. As international pressure on Russia intensifies, with open calls to strip Russia of the 2018 World Cup and the recent FIFA investigation into suspected prohibited substance abuse by the national soccer team, today's release was almost guaranteed to surface.”
While it is safe to assume the information was released for politically motivated reasons, the fact that such data could be released at all means the attackers could have had access to players' medical records, added Kyle Wilhoit, senior cybersecurity threat researcher at DomainTools, via email: “It is therefore not such a gigantic leap to assume that other private information about these individuals could also be accessed, compromised, and leveraged for more financially sensitive information. Additionally, this attack could be chained with something like spear phishing attacks to further target individuals.”
A new report from Fortinet has revealed that, in Q2 2017, 90% of organizations recorded exploits for vulnerabilities that were three or more years old. Even 10 or more years after a flaw’s disclosure, 60% of companies still experienced related attacks, the firm discovered.
“This is highly concerning,” Richard Absalom, senior analyst at Information Security Forum, told Infosecurity. “Organizations are still not getting to grips with well-known vulnerabilities and taking basic steps (e.g. patching) to reduce them. A number of factors might cause such slow reactions: from infosec departments being under-resourced, to organizations running old systems that would need to be temporarily shut down in order to be patched.”
Fortinet also claimed that poor security hygiene and risky application usage are enabling cyber-criminals to carry out destructive worm-like attacks that take advantage of exploits at record speed, with adversaries spending less time developing ways to break in. Instead they are focusing on leveraging automated and intent-based tools to infiltrate with more impact to business continuity.
In fact, almost 44% of all exploit attempts occurred on either Saturday or Sunday, showing that automated threats do not take weekends or nights off.
“Newer worm-like capabilities spread infections at a rapid pace and can scale more easily across platforms or vectors,” said Phil Quade, chief information security officer, Fortinet. “Intent-based security approaches that leverage the power of automation and integration are critical to combat this new ‘normal’.”
“You don’t need to look very far into the past to see the impact of a worm attack,” added Absalom. “NotPetya caused severe disruption to operations in many organizations, bringing some to almost a complete halt. For a lot of organizations, it took weeks to recover – some are still dealing with the impact, close to two months since the malware was released.”
DDoS attacks rose again in Q2 for the first time in almost a year as the black hats returned to tried-and-tested tools and techniques including PBot, Mirai and Domain Generation Algorithms (DGA), according to Akamai.
The cloud delivery provider crunched data collected from over 230,000 servers in more than 1,600 networks to compile its State of the Internet/Security Report for Q2 2017.
It revealed a 28% increase in the volume of DDoS attacks since Q1, following three straight quarters of decline.
Attackers appear to be more determined than ever, with victim organizations being hit on average 32 times over the period. One gaming firm was hit a whopping 558 times in Q2, the report revealed.
To launch such attacks, DDoS-ers are returning to some old favorites, including PBot malware which allowed them to build a mini-botnet capable of launching a 75Gbps attack, the largest recorded in the quarter.
Domain Generation Algorithms were first introduced back in 2008 with Conficker, but are still commonly used in C&C infrastructure by DDoS-ers today, according to Akamai. This is because the technique allows them to generate an endless number of random domain names, confounding white hat efforts to capture them.
Finally, the report revealed that Mirai is now being used frequently in “pay for play” attacks, as a DDoS service-for-hire.
“Attackers are constantly probing for weaknesses in the defenses of enterprises, and the more common, the more effective a vulnerability is, the more energy and resources hackers will devote to it,” said Martin McKeay, Akamai senior security advocate.
“Events like the Mirai botnet, the exploitation used by WannaCry and Petya, the continued rise of SQLi attacks and the re-emergence of PBot all illustrate how attackers will not only migrate to new tools but also return to old tools that have previously proven highly effective.”
Egypt came out of nowhere to become the biggest source of DDoS attack traffic (32%), with the UK dropping from second place in the past two quarters to a position out of the top five.
However, UK firms were on the receiving end of a huge number of web application attacks during the period: 32.6 million. This is still some way behind the number one target: US firms were hit by over 122 million attacks.
In total, web app attacks increased 5% quarter-on-quarter and 28% year-on-year, with SQLi attacks accounting for more than half (51%).
A group of world-renowned AI and robotics specialists has urged the UN to prevent these technologies being repurposed into autonomous weapons, as new research from IOActive claims current industrial and commercial robots could already be considered a major insider threat.
The open letter includes signatories such as Tesla founder Elon Musk and cautions that “lethal autonomous weapons threaten to become the third revolution in warfare.”
“Once developed, they will permit armed conflict to be fought at a scale greater than ever, and at timescales faster than humans can comprehend. These can be weapons of terror, weapons that despots and terrorists use against innocent populations, and weapons hacked to behave in undesirable ways. We do not have long to act. Once this Pandora’s box is opened, it will be hard to close. We therefore implore the High Contracting Parties to find a way to protect us all from these dangers.”
IOActive principal security consultant, Lucas Apa, told Infosecurity that it’s not just robots in the defense industry that people should be worried about, but the ones in homes and factories.
That’s because the research firm has just released an update to research released earlier this year which discovered around 50 vulnerabilities in six of the biggest robotics manufacturers, including SoftBank Robotics, UBTech and Universal Robots.
These could be exploited to steal sensitive corporate information, spy on users or even launch physical attacks.
Some of the vulnerabilities discovered included data sent unencrypted; no, or easy-to-bypass, authentication; insufficient authorization to protect key functionality; weak cryptography; weak default configurations and weak open source frameworks and libraries.
So-called “cobots” built by Universal Robots could be hacked remotely to bypass in-built safety features, causing potentially fatal harm to their human colleagues on the factory floor.
Those used in the home or in commercial environments like SoftBank’s popular Pepper robot, could be hacked to do the same, said IOActive.
In fact, Pepper, of which tens of thousands of units have been sold worldwide, could also be hacked to capture and leak audio and video. This is what IOActive means when it describes robots as the next potential 'insider threat'.
“Companies, IT teams and end-users should be aware of the possible risks and threats robots can introduce if they are insecure. On top of this knowledge, education on security comes second for everyone in their organization, with training not only for engineers and developers, but also for executives and all others involved in product decisions,” explained Apa.
“Developers, engineers and product managers should learn at least the foundations of security best practices, and adapt them to their development life-cycle. Furthermore, vendors should have a clear communication channel for reporting security issues and handling reports. We expect more security research to be done in the future in this field, so they should get ready.”
Security researchers have spotted the first phishing site hosted on the aptly named .fish domain.
Netcraft web tester Paul Mutton explained in a blog post that parser.fish won the prize for being the first to host malicious credential slurping content directly on its homepage.
“Fraudsters lured unsuspecting suckers to the fishy site, where a cheeky 99-char meta redirect sent them off to a separate phishing site hosted in Vietnam,” he wrote in a pun-laden post. “This then attempted to steal online banking credentials by impersonating the French banking cooperative, BRED.”
The .fish and .fishing generic Top Level Domains (gTLDs) were launched back in 2014, but it seems the internet doesn’t much need a specialized area dedicated to all things piscine: just one of Netcraft's top one million websites is a .fish domain, while .fishing also claims just a single spot on the list.
Although the parser.fish domain played host to a Netflix phishing site a week before this current one was discovered, it’s not clear whether the owner has malicious intent or not, according to Mutton.
“The parser.fish domain has been registered through Tucows, using its Contact Privacy domain privacy service to prevent the registrant's details being displayed publicly; but this could just be a red herring and doesn't necessarily mean it was registered with fraudulent intent,” he explained.
“The fact that the phishing content has also already been removed from its homepage suggests that the site may simply have been compromised rather than having been created specifically for the porpoise of phishing.”
However, joking aside, phishing is proving an increasingly popular tactic for cyber-criminals to grab privileged account log-ins, enabling them to carry out corporate data theft, or consumers’ PII to sell on the black market.
Verizon’s latest Data Breach Investigations Report claimed that one in 14 users were tricked into following a link or opening an attachment last year, and a quarter of those went on to be duped more than once.
The number of attacks on cloud-based accounts has increased by 300%, according to Microsoft’s Security and Intelligence report.
It claimed that consumer and enterprise Microsoft accounts are a tempting target for attackers, and that the frequency and sophistication of attacks on cloud-based accounts are accelerating. “The Identity Security and Protection team has seen a 300% increase in user accounts attacked over the past year,” it said, claiming that a large majority of these compromises are the result of weak, guessable passwords and poor password management, followed by targeted phishing attacks and breaches of third-party services.
Elsewhere, the number of Microsoft account sign-ins attempted from malicious IP addresses increased by 44% from Q1 2016 to Q1 2017. “Security policy based on risk-based conditional access, including comparing the requesting device’s IP address to a set of known ‘trusted IP addresses’ or ‘trusted devices’, may help reduce risk of credential abuse and misuse,” the report advised.
Oliver Pinson-Roxburgh, EMEA director at Alert Logic, said: “There are a number of sophisticated attacks that rely on new detection capabilities most organizations do not have today and they are increasing as organizations get better at security best practices.”
In its recent Cloud Security Report for 2017, Alert Logic claimed that it saw close to 37% more incidents in on-premise data centers, leaving each public cloud deployment to withstand on average just over 400 incidents in the 18-month period covered by the report. “Even lower incident rates do not necessarily translate to lower risk—especially when, as is increasingly more common, businesses rely on the public cloud to handle their highest-value assets,” Pinson-Roxburgh said.
James Clegg, VP EMEA at FireMon, said: “Attacks on cloud providers are the easy way into hybrid cloud enterprises who are struggling with the complexity of controlling security across all domains and security vendors. Just relying on the encryption from your SD-WAN vendor does not assure the journey.”
Many of the UK’s charities lack awareness of and resources to address cyber-threats, despite being as vulnerable to attack as private sector businesses, according to a new government report.
The Cyber security among charities report is based on qualitative research into the UK’s third sector.
Unsurprisingly it revealed that awareness of cyber-threats can be lacking and often left to the outsourced IT provider to deal with.
There’s a perception in the sector that businesses are actually more at risk from attack, despite many charities holding sensitive information on donors.
Part of the issue here is that many such organizations don’t have the resources to fund a permanent IT security expert in-house, with responsibility in some cases handed to CEOs and even finance staff.
Cybersecurity training is rarely given to staff and volunteers as the perception is it’s too expensive and difficult to arrange given the large number of remote workers. Cyber-insurance is also largely eschewed in the industry because of financial pressures, the report claimed.
Although many charities are concerned with the loss of sensitive information associated with donors or service users, the loss of non-personal data apparently causes fewer sleepless nights.
This is despite the fact that the research uncovered several examples of non-personal data loss where the charities involved “incurred a sizeable financial cost” from the breach, although the experience of such an incident is more likely to spur them on to taking action, it claimed.
“There is a need for basic awareness raising among staff and trustees, and upskilling of those responsible for cyber security – so they know the basic technical controls they can put in place. It may also help to disseminate government information and support via the organizations with which charities already have established relationships, such as the Charity Commission. Finally, making use of private sector expertise among trustees may also help individuals within charities to champion the issue.”
The government backed its Cyber Essentials scheme and the National Cyber Security Centre’s 10 Steps to Cyber Security guide as good places to start in helping organizations get a baseline of best practice security in place.
Helen Stephenson, CEO of the Charity Commission for England and Wales, also promoted the organization’s Charities Against Fraud website.
“Charities have lots of competing priorities but the potential damage of a cyber-attack is too serious to ignore,” she added. “It can result in the loss of funds or sensitive data, affect a charity’s ability to help those in need, and damage its precious reputation. Charities need to do more to educate their staff about this threat and ensure they dedicate enough time and resources to improving cybersecurity.”
UK boardrooms are woefully unprepared to cope with cyber-threats, with only 2% of the UK’s largest firms offering comprehensive training to their executives, according to a new government report.
The Cyber Governance Health Check analyzes the state of security in FTSE 350 firms.
It found that although cyber-risk has been elevated to the top of the list in over half (54%) of organizations, much higher than the 2014 figure of 29%, training remained a challenge.
Over two-thirds (68%) of boardrooms polled claimed that they’ve not received any training to deal with a cyber incident, while 10% don’t even have an incident response plan in place.
What’s more, 46% of boards still don’t review or challenge any reports on the security of customer data. Although that figure has fallen by 15% from the previous study, it’s still a worryingly high proportion, given the coming GDPR.
In fact, only 6% of firms said they’re completely prepared for the sweeping new privacy legislation from Brussels, which will come into force in May 2018.
The right to erasure (right to be forgotten) is causing the biggest compliance headaches (45%).
In addition, less than a third (31%) of boards receive comprehensive management information related to cyber-risk, and just over half (57%) said they have a clear understanding of the potential impact of loss of, or disruption to, key info and data assets.
Rob Wilkinson, corporate security specialist at Smoothwall, argued that boardroom education on cyber-risk is vital given that most incidents occur through human error on the part of employees.
“Security is an issue that must be taken seriously by each and every company; whether you’re an SME as part of a wider supply chain, a large telecoms company or even an electricity firm, no company is immune to a hack or breach,” he added.
“In this vein, ensuring a strong security culture is instilled throughout the workforce is crucial to making sure staff are constantly vigilant and aware of the threats. If the top brass don’t pay attention to these threats, it’s not going to set a good example for the rest of the business’ employees.”
Apple has released a new feature for its upcoming iOS 11 platform designed to allow users to disable Touch ID in a hurry, which could help to bolster privacy in the face of increasingly intrusive state demands.
With the new feature, pressing the power/sleep button five times in quick succession brings up a new screen.
This second screen requires users to manually enter a passcode to unlock the device, plus it offers a sliding button to dial the emergency services.
Eagle-eyed Apple fans have spotted the new feature in the beta version of iOS 11 and claim it could help iPhone users protect their privacy in the face of demands to access their phone.
The key here is that, according to legal precedent in the US, police can force users to unlock their devices via a built-in fingerprint reader. However, they can’t demand a passcode or password as this is covered by the Fifth Amendment, which protects individuals from self-incrimination.
In 2014, a Virginia District Court ruled that passcodes but not biometrics are protected by the constitution, and in January a Minnesota court of appeals ruled against a burglar who complained of being forced by the authorities to unlock a seized device with his fingerprint.
However, the law is still not 100% clear on the subject.
A child abuse suspect was jailed in Miami for six months earlier this year after refusing to hand over their passcode to the authorities.
In the UK, meanwhile, police can’t force suspects to unlock their device via fingerprint, but they’ve hit upon a new strategy.
In December last year it was revealed that Scotland Yard staged a street mugging to deprive a suspect of his phone as he was making a call, ensuring it was unlocked at the point of seizure and could be kept that way until forensics teams could search it.
Popular content management system (CMS) Drupal has released several patches to address concerning vulnerabilities, including one in the Drupal 8 Core engine that could allow remote attackers to view, create, update or delete website content.
This critical access bypass vulnerability joins two moderately critical bypass bugs in the patch round. Drupal Core 8.x versions prior to 8.3.7 are vulnerable, according to the Drupal Security Team.
The more severe issue (CVE-2017-6925) only affects entities that “do not use, or do not have, UUIDs (Universal Unique Identifier), and entities that have different access restrictions on different revisions of the same entity,” Drupal said in its warning.
A second access bypass vulnerability in the Core engine allows unauthorized persons to view files (CVE-2017-6923).
“When creating a view, you can optionally use Ajax to update the displayed data via filter parameters,” Drupal noted. “The views subsystem/module did not restrict access to the Ajax endpoint to only views configured to use Ajax.”
The last flaw (CVE-2017-6924) allows users to post comments on webpages, even if they don’t have the permission to do so.
“When using the REST API, users without the correct permission can post comments via REST that are approved even if the user does not have permission to post approved comments,” Drupal explained. “This issue only affects sites that have the RESTful Web Services (rest) module enabled, the comment entity REST resource enabled, and where an attacker can access a user account on the site with permissions to post comments, or where anonymous users can post comments.”
So far, no working exploits have been uncovered. Mitigation for all Drupal 8 CVEs includes updating to the latest version, Drupal 8.3.7; also, administrators should make sure they have enabled access restrictions on the view.
The Faketoken malware is not such an old dog, and now has learned some new tricks for stealing bank card information. It infects Android devices—and, straying from its previous MO of targeting banking applications—can now spoof taxi and ride-share apps, among other things.
According to Kaspersky Lab, in the past year or so since its discovery, Faketoken has worked its way up from primitive bankbot capabilities like intercepting mTAN codes, to being able to encrypt files and eavesdrop on communications. While the modifications continue, its focus is spreading too, to the point where it can overlay about 2,000 financial apps to capture user credentials.
Now, Kaspersky has detected a new variant with a mechanism for attacking apps for booking taxis, hotels and flights, and for paying traffic tickets.
The malware, which likely sneaks onto smartphones through bulk SMS messages with a prompt to download some pictures, begins by monitoring all of the calls and apps the user launches. Upon receiving a call from (or making a call to) a certain phone number, the malware begins to record the conversation and sends it back to command and control. By the same token, when a user launches a targeted application, Faketoken substitutes its UI with a fake (but identical) one, prompting the victim to enter his or her bank card data.
Also, to get around two-factor authentication, the malware can steal incoming SMS messages and forward them to command-and-control servers too.
As for how widespread this is, the good news is that this version could represent a trial only.
“To this day we still have not registered a large number of attacks with the Faketoken sample, and we are inclined to believe that this is one of its test versions,” researchers said in a posting. “According to the list of attacked applications, the Russian UI of the overlays, and the Russian language in the code, Faketoken.q is focused on attacking users from Russia and CIS countries.”
Obviously, users should avoid downloading anything sent by unknown text-message senders, and beware of unofficial app stores.
Worldwide spending on information security products and services will reach $86.4 billion in 2017, an increase of 7% over 2016, with that amount expected to grow to $93 billion in 2018, according to the latest forecast from Gartner.
Security testing, the GDPR and the rise of managed services will all contribute to this.
Within the infrastructure protection segment, Gartner forecasts fast growth in the security testing market (albeit from a small base), due to continued data breaches and growing demands for application security testing as part of DevOps. Spending on emerging application security testing tools, particularly interactive application security testing (IAST), will contribute to the growth of this segment through 2021.
Security services will continue to be the fastest growing segment, especially IT outsourcing, consulting and implementation services. However, the firm said that hardware support services will see growth slowing, due to the adoption of virtual appliances, public cloud and software as a service (SaaS) editions of security solutions, which reduces the need for attached hardware support overall.
“However, improving security is not just about spending on new technologies,” said Sid Deshpande, principal research analyst at Gartner. “As seen in the recent spate of global security incidents, doing the basics right has never been more important. Organizations can improve their security posture significantly just by addressing basic security and risk related hygiene elements like threat centric vulnerability management, centralized log management, internal network segmentation, backups and system hardening.”
The report also found that the EU General Data Protection Regulation (GDPR) has created renewed interest, and will drive 65% of data loss prevention (DLP) buying decisions today through 2018. The GDPR will have a global effect since multinationals will also need to adhere to the new law.
Gartner found that while organizations are working toward strengthening their knowledge of the regulation, those with some form of DLP already implemented are determining what additional capabilities they need to invest in (specifically, integrated DLP such as data classification, data masking and data discovery). In addition, organizations that do not already have strong DLP in place are looking to increase their capabilities.
“Rising awareness among CEOs and boards of directors about the business impact of security incidents and an evolving regulatory landscape have led to continued spending on security products and services,” said Deshpande.
And finally, to deal with the complexity of designing, building and operating a mature security program in a short space of time, Gartner found that many large organizations are looking to security consulting and ITO providers that offer customizable delivery components that are sold with managed security service (MSS). By 2020, 40% of all contracts will be bundled with other MSS security services and broader IT outsourcing (ITO) projects, up from 20% today.
As ITO providers and security consulting firms improve the maturity of the MSS they offer, customers will have a much broader range of bundling and service packaging options through which to consume MSS offerings. The large contract sizes associated with ITO and security outsourcing deals will drive significant growth for the MSS market through 2020.
Hiring more ‘people’ is top of the list of needs to improve security in businesses this year, according to findings from Tripwire.
The firm surveyed 108 pros at Black Hat USA last month and revealed that, of the respondents who said ‘people’, more than two-thirds (70%) consider hiring ‘experienced professionals’ a priority, whilst 30% said that they were willing to hire inexperienced individuals and train them on the job.
Organizations are clearly still struggling to cope with a lack of staff amid the ongoing cyber skills gap, something that looks set to continue over the next few years. It is therefore not a great surprise that companies see bolstering workforces as key to strengthening their security.
“I think this is an acknowledgement that technology will never solve the problems we face,” Adrian Davis, managing director EMEA, (ISC)2, told Infosecurity. “Security is people and is about creating processes, mind-sets and environments where individuals can work to their best in a secure manner (often without realizing it). People are essential to creating these processes, mind-sets and environments and it is these that have a much higher impact than technology.”
Therefore, as Nigel Harrison, acting CEO at Cyber Security Challenge UK explained, it’s encouraging to see that almost a third of companies would consider taking on less-experienced staff and giving them the training they need to succeed.
“In my experience, when looking at job adverts, companies quite often end up over-specifying the qualifications that they expect their security team to have at the outset,” he said. “Indeed, there have been many cases of companies advertising entry-level roles and demanding qualifications which cannot be achieved without a number of years of experience in the industry.
“The key skills that companies should be looking for from those that they hire is aptitude and mind-set; if an individual has these traits then the rest can be taught.”
Davis echoed similar sentiments, stating that only by expanding the talent pool and looking beyond the ‘experienced professional’ will the industry be able to meet the demands placed on it and grow for the future.
“Additionally, this gives us the opportunity to recruit across a wider group of individuals and experience, expanding our knowledge base and bringing in new ways of thinking and tackling problems,” he added.
Privacy watchdog the Information Commissioner’s Office (ICO) has been busy again, this time fining Islington Council for exposing citizens’ personal data via a parking system website.
The London borough was fined £70,000 following issues with its Ticket Viewer system, which allows people accused of parking offences to view the offence via CCTV footage.
A fault in the system’s design meant 89,000 people were at risk of having their personal information accessed by others. In some cases, this included highly sensitive medical details related to appeals, the ICO claimed.
A member of the public first brought the issue to light, informing the council that by changing the URL, anyone could access system folders containing personal data.
An investigation found there had been unauthorized access to 119 documents 235 times from 36 unique IP addresses, affecting 71 people, the ICO revealed.
The watchdog claimed Islington Council should have tested the system thoroughly before it went live and then regularly after that, as per best practice.
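The flaw described above is a textbook insecure direct object reference: the record's identifier in the URL was treated as proof of entitlement. The following is an added illustration, not Islington's Ticket Viewer code, using constructed ticket ids, user ids and log lines; it shows a lookup keyed on the URL alone beside one that checks ownership, and an audit over access logs that produces the same kind of figures the ICO published (documents, requests, unique IPs, people affected).

```python
"""Added example (not the council's system): an ownership check on a
URL-addressable document, and an audit of who fetched what."""

# Constructed sample store: ticket id -> (owning citizen, evidence folder).
DOCUMENTS = {
    "PCN-1001": ("citizen-a", "/evidence/PCN-1001/"),
    "PCN-1002": ("citizen-b", "/evidence/PCN-1002/"),
    "PCN-1003": ("citizen-b", "/evidence/PCN-1003/appeal-medical/"),
}


class Forbidden(Exception):
    """Raised for unknown ids and for other people's ids alike."""


def fetch_vulnerable(ticket_id: str) -> str:
    """Looks up by the id taken from the URL only: anyone who edits the
    URL to another ticket number receives that person's folder."""
    return DOCUMENTS[ticket_id][1]


def can_view(session_user: str, ticket_id: str) -> bool:
    """Authorize the object, not just the request: the logged-in user
    must be the ticket's owner. Unknown ids get the same answer as other
    people's ids so that valid ticket numbers cannot be enumerated."""
    entry = DOCUMENTS.get(ticket_id)
    return entry is not None and entry[0] == session_user


def fetch_hardened(session_user: str, ticket_id: str) -> str:
    if not can_view(session_user, ticket_id):
        raise Forbidden(ticket_id)
    return DOCUMENTS[ticket_id][1]


# Constructed access-log lines: (client ip, session user, ticket requested).
ACCESS_LOG = [
    ("203.0.113.5", "citizen-a", "PCN-1001"),   # own ticket: legitimate
    ("203.0.113.5", "citizen-a", "PCN-1002"),   # edited the URL
    ("203.0.113.5", "citizen-a", "PCN-1003"),   # edited again: medical appeal
    ("198.51.100.9", "citizen-c", "PCN-1002"),  # a second visitor, same trick
    ("198.51.100.9", "citizen-c", "PCN-1002"),
    ("192.0.2.77", "citizen-b", "PCN-1003"),    # own ticket: legitimate
]


def audit(log) -> dict:
    """Size a disclosure from the logs: every request for a ticket the
    session user does not own counts as unauthorized."""
    bad = [(ip, user, tid) for ip, user, tid in log if not can_view(user, tid)]
    return {
        "documents": len({tid for _, _, tid in bad}),
        "requests": len(bad),
        "unique_ips": len({ip for ip, _, _ in bad}),
        "people_affected": len({DOCUMENTS[tid][0] for _, _, tid in bad}),
    }
```

The audit counts against the session user, so it only works when the application already records who was logged in for each request; a system that served folders without any session, as the council's appears to have, would leave only IP addresses to work from.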
“People have a right to expect their personal information is looked after. Islington Council broke the law when it failed to do that,” said ICO enforcement manager, Sally Anne Poole.
“Local authorities handle lots of personal information, much of which is sensitive. If that information isn’t kept secure it can have distressing consequences for all those involved. It’s therefore vital that all council staff take data protection seriously.”
The ICO used the announcement to remind local authorities that much work still lies ahead in preparing for the forthcoming EU General Data Protection Regulation when it comes into force in May 2018.
The new law would have required Islington Council to conduct a comprehensive privacy impact assessment before launching the Ticket Viewer system.
Fines under the new regime could go far higher than the current maximum of £500,000 which the ICO is able to levy: up to 4% of global annual turnover or €20m (£17m), whichever is higher.