According to a newly released survey conducted at Black Hat 2018, 50 percent of hackers said that Windows 8 and Windows 10 have been the easiest attack vectors to exploit this year.
Thycotic surveyed more than 300 hackers – nearly 70 percent of whom identified as white hats – to understand the hacker perspective with regard to vulnerabilities and attack vectors.
In the 2018 Black Hat Hacker Report, Thycotic reveals that hackers often leverage the reality that operating systems are only as secure as the people using them.
“The 2018 Black Hat Hacker Report indicates that our operating systems and endpoints remain woefully vulnerable to hackers and threats from cyber-criminals,” said Joseph Carson, chief security scientist at Thycotic, in today’s press release.
While the two Windows operating systems provided easy access, the survey found that 26 percent of hackers infiltrated Windows 10 most often, while 22 percent hacked Windows 8 the most. Linux lagged behind in popularity, with hackers exploiting vulnerabilities in the OS only 18 percent of the time. Less than 5 percent of respondents said that Mac was their easiest or most often-used attack vector.
To take control of privileged accounts, 56 percent of hackers said that social engineering is the fastest account seizing technique. Most often hackers are able to elevate privilege by either using default vendor passwords or exploiting application and OS vulnerabilities, the survey stated.
In addition, survey participants reported that nearly two-thirds (74 percent) of companies are lagging when it comes to implementing the principle of least privilege. In an email interview, Carson said, “Most companies are failing at applying the principle of least privilege as they are trying to solve this challenge with a technology-only approach, which tends to focus more on security without considering employee usability.”
The problem with such an approach is that the focus is most often on security rather than employee usability. “This typically creates a conflict between employee productivity and the need for better cybersecurity, resulting in a poor security experience and employees look for ways around it.”
Because lagging behind in privileged access policies could result in more data breaches, Carson said a failure to implement least privilege will mean a higher cost for companies when they experience a data breach.
Thycotic recommends using a combination approach between people and technology, as it provides the chance to create an experience in which productivity and security work together. “Least privilege can only be successful when employee productivity is not impacted, allowing them to continue doing their job without the need to call the IT help desk continuously,” he said.
A leading think tank has called for urgent regulatory and oversight mechanisms to be introduced to govern the use of machine learning technology by UK law enforcers.
The Royal United Services Institute for Defence and Security Studies (RUSI) is the world’s oldest independent defense and security think tank. Its latest report, Machine Learning Algorithms and Police Decision-Making: Legal, Ethical and Regulatory Challenges, was published with the Centre for Information Rights, University of Winchester.
It argued that although machine learning is currently being used in limited scenarios such as supporting custody decisions, there’s potential for a much wider expansion of its role in policing, with forces currently trialing its use in a variety of decision-making processes.
It described the lack of a regulatory and governance framework for its use as “concerning.”
“A new regulatory framework is needed, one which establishes minimum standards around issues such as transparency and intelligibility, the potential effects of the incorporation of an algorithm into a decision-making process, and relative ethical issues,” it continued. “A formalized system of scrutiny and oversight, including an inspection role for Her Majesty’s Inspectorate of Constabulary and Fire and Rescue Services is necessary to ensure adherence to this new framework.”
The report also warned that machine learning algorithms require “constant attention and vigilance” to make sure any predictions they provide are as unbiased and accurate as possible. To help in this, RUSI recommended the setting up of local ethics boards to assess each new implementation for police.
The use of emerging technologies in policing has been controversial over the years, as regulatory oversight often struggles to catch up with day-to-day operations.
In May this year, rights groups called on the police to stop using facial recognition technology, claiming that FOI responses from forces proved it was “dangerous and inaccurate.”
False positives at the Metropolitan Police stood at 98%.
A popular platform for making payments to US government entities leaked over 14 million customer records through a website error before being notified, it has emerged.
The online receipts it issued on payment were apparently sequentially numbered, and by typing new digits into the address bar individuals could view other records, according to journalist Brian Krebs.
The site was notified on Friday that it had been exposing over 14m records in this way dating back to 2012.
It moved relatively quickly to address the issue over the weekend, admitting in a statement that it “did not adequately restrict access only to authorized recipients.”
“The company has no indication that any improperly accessed information was used to harm any customer, and receipts do not contain information that can be used to initiate a financial transaction,” it continued.
In fact, the exposed data included names, addresses, phone numbers and the last four digits of card numbers: more than enough to theoretically use in realistic-looking follow-on phishing attacks.
The firm continued to play down the potential impact of the security snafu.
“Additionally, most information in the receipts is a matter of public record that may be accessed through other means,” it claimed. “Nonetheless, out of an abundance of caution and to maximize security for users, GovPayNet has updated this system to ensure that only authorized users will be able to view their individual receipts. We will continue to evaluate security and access to all systems and customer records.”
Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, said the leak was relatively minor but that extra care should be taken by businesses interacting with the government.
“Online payment providers … should take special care to protect their customers’ receipts by using HTTPS and checking that the user is logged in and has permissions to view them,” he added. “To avoid information disclosure and directory traversal issues, I also recommend denying anonymous web visitors the ability to read permissions for any sensitive data files and removing any unnecessary files from web-accessible directories.”
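The flaw Krebs describes and the check Bilogorskiy recommends, as an added example (not GovPayNet's or Juniper's code): a receipt lookup keyed on a sequential number, beside a hardened lookup that requires a logged-in user and an ownership check, plus opaque tokens so leaked links cannot be turned into neighbouring records. All receipt data and account names are constructed for illustration.

```python
"""Added example: sequential-ID receipt exposure and its hardened form.
Records, account names and card digits below are constructed, not real."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import secrets


@dataclass(frozen=True)
class Receipt:
    receipt_id: int   # sequential number, as in the leaked system
    owner: str        # account that made the payment
    name: str
    last4: str        # last four card digits only, never the full PAN


# Constructed sample records. Because the IDs are consecutive, one valid
# link lets a visitor reach every neighbour by editing the URL.
RECEIPTS: Dict[int, Receipt] = {
    1001: Receipt(1001, "alice", "Alice Example", "1234"),
    1002: Receipt(1002, "bob", "Bob Example", "5678"),
    1003: Receipt(1003, "carol", "Carol Example", "9012"),
}


class AccessDenied(Exception):
    """Raised instead of returning a record the caller may not see."""


def get_receipt_vulnerable(receipt_id: int) -> Optional[Receipt]:
    """Looks up a receipt by number only: no session, no ownership check.
    This is the behaviour the article describes, kept here for contrast."""
    return RECEIPTS.get(receipt_id)


def get_receipt_hardened(session_user: Optional[str], receipt_id: int) -> Receipt:
    """Requires a logged-in user who owns the record. Unknown and foreign
    IDs raise the same error so the response does not confirm whether a
    given receipt number exists."""
    if session_user is None:
        raise AccessDenied("login required")
    receipt = RECEIPTS.get(receipt_id)
    if receipt is None or receipt.owner != session_user:
        raise AccessDenied("receipt not available to this account")
    return receipt


# Opaque, unguessable link tokens mapped back to receipt numbers, so a
# leaked link still only ever identifies one record and still needs login.
TOKENS: Dict[str, int] = {}


def issue_receipt_token(receipt_id: int) -> str:
    token = secrets.token_urlsafe(16)
    TOKENS[token] = receipt_id
    return token


def get_receipt_by_token(session_user: Optional[str], token: str) -> Receipt:
    receipt_id = TOKENS.get(token)
    if receipt_id is None:
        raise AccessDenied("unknown token")
    return get_receipt_hardened(session_user, receipt_id)


def audit_exposure(start: int, count: int) -> List[int]:
    """Defender-side check against the vulnerable endpoint: which IDs in a
    range an anonymous caller would receive a record for."""
    return [i for i in range(start, start + count)
            if get_receipt_vulnerable(i) is not None]
```

The hardened lookup applies the same server-side check whether the record is addressed by number or by token; the token only removes guessability, it does not replace authorization.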
The parent company of GovPayNet, Securus, is no stranger to security incidents, having been successfully hacked in 2015, exposing the records of 70m prisoner phone calls. Another of its services was misused by law enforcers to track real-time location of suspects through their phones.
The FBI has warned US parents that school use of educational technology could be putting their children at risk from identity theft, cyber bullying and more.
Edtech platforms are an increasingly popular way to improve student collaboration and personalize learning experiences, but they also harvest highly sensitive data on students, according to the Feds.
This includes PII, biometrics, medical information, geolocation and classroom activities.
“In late 2017, cyber actors exploited school information technology (IT) systems by hacking into multiple school district servers across the United States. They accessed student contact information, education plans, homework assignments, medical records, and counselor reports, and then used that information to contact, extort, and threaten students with physical violence and release of their personal information,” noted the FBI alert.
“The actors sent text messages to parents and local law enforcement, publicized students’ private information, posted student PII on social media, and stated how the release of such information could help child predators identify new targets.”
Edtech companies themselves can also be targeted: one vendor last year was found to have exposed internal data on a publicly accessible server, while another was breached, with student data ending up for sale on the dark web, according to the FBI.
The Bureau also warned of hackers targeting mobile devices used alongside edtech to get at sensitive data or monitor students via cameras and mics.
The public service announcement encouraged parents and families to discuss with local districts how edtech is used in their schools, consider identity theft monitoring for their kids, research previous school breaches for more contextual information, and more.
In a letter addressed to its shareholders, Altaba Inc. (formerly Yahoo!) announced that it has sold the remaining shares of Yahoo Japan and that it has reached a settlement agreement in the class action lawsuit related to the 2014 Yahoo data breach.
In March of this year, as a result of the massive breaches that occurred between 2013 and 2016 at Yahoo, US District Judge Lucy Koh in San Jose, California, denied Verizon's attempts to dismiss claims of Yahoo's negligence and breach of contract, according to Reuters.
The legal woes resulting from the class action suit have today come to a close. “We are also pleased to announce today that we have reached an agreement in principle (subject to court approval) to settle the consumer class action litigation related to the Yahoo data breach,” Thomas J. McInerney, CEO at Altaba Inc., wrote.
“We have also received final court approval of the securities class action settlement, and we have negotiated an agreement to settle the shareholder derivative litigation (subject to court approval). We estimate that the Company will incur an incremental net $47 million in litigation settlement expenses to resolve all three cases. Together, these developments mark a significant milestone in cleaning up our contingent liabilities related to the Yahoo data breach.”
The settlement announcement comes 10 days after the plaintiffs and defendants engaged in a second day of mediation with Honorable Daniel Weinstein. As part of the agreement, the court has 45 days to approve the terms of the settlement.
“In the meantime, the parties to this action jointly and respectfully request the Court stay this litigation in its entirety to allow the parties to focus their efforts entirely on finalizing the settlement and to avoid any unnecessary waste of judicial resources,” John Yanchunis of Morgan & Morgan, lead counsel for the plaintiffs, and Ann Marie Mortimer of Hunton Andrews Kurth, LLP, attorney for the defendants wrote in a September 14 filing.
Shareholders were also informed that company proceeds will be used to repurchase stock, according to McInerney. He wrote, “Today we are announcing a new share repurchase authorization of $5.75 billion.”
A bill to standardize the data security and breach notification process for financial institutions has been approved by the House Financial Services Committee, despite pleas not to undermine the power of state regulators.
On September 13, 2018, the committee voted 32-20 to approve the amended Gramm-Leach-Bliley Act (GLBA), now the Consumer Information Notification Requirement Act (H.R. 6743). The existing breach notification standards have been systematically amended to require that all financial institutions notify consumers of a data breach, according to Big Law Business.
The vote to approve comes on the heels of members of the committee receiving a letter from the American Bankers Association, Consumer Bankers Association, Credit Union National Association, Independent Community Bankers of America and the National Association of Federally-Insured Credit Unions.
Writing on behalf of their members, the collective group advocated for Congress to move forward with enacting data breach notification legislation, specifically supporting “a flexible, scalable data protection standard equivalent to what is already in place for financial institutions under the GLBA.”
“Our existing payments system serves hundreds of millions of consumers, retailers, financial institutions and the economy well. Protecting this system is a shared responsibility of all parties involved and we must work together and invest the necessary resources to combat never-ending threats to the payments system,” the letter said.
Yet state regulators oppose the bill. “This bill would preempt state data breach notification laws and undermine state authority, limiting states’ ability to protect its residents and oversee state-chartered and state-licensed financial services providers,” wrote the Conference of State Bank Supervisors (CSBS).
While organizations may disagree over who should have the authority to legislate data breach notifications, the financial sector continues to be the target of cyber-attacks. According to a recent report from ThreatMetrix, 81 million cybercrime attacks occurred across financial institutions during the first half of 2018. The Digital Identity Network study found that of those attacks, 27 million were targeting the mobile channel in light of mobile banking adoption.
According to a September 12 press release from ThreatMetrix, “Financial services mobile transactions are growing globally, with China, South East Asia and India showing the strongest regional growth. Overall, the biggest threat in financial services comes from device spoofing, as fraudsters attempt to trick banks into thinking multiple fraudulent log-in attempts are coming from new customer devices, perhaps by repeatedly wiping cookies or using virtual machines.”
While the fall might seem like a peculiar time to receive emails from the Internal Revenue Service (IRS), researchers at Fortinet have discovered a phishing campaign claiming to be from the IRS but reportedly sent from a server originating in Italy.
The campaign appears to be targeting nonresident aliens, as the fraudulent email is titled “2018 UPDATE: NON RESIDENT ALIEN TAX WITHHOLDING.” The FortiGuard SE team suspects that the intended targets are those who requested a six-month extension on filing their income taxes back in April.
Below is an image of the highly sophisticated and convincing email from the phisher.
“The formal language and basic template (full of lengthy descriptives, no graphics, and no links) mimics a document issued by a government agency, and the form labeled 'W-8BEN Form.PDF' masquerades as an official W-8BEN document from the IRS, which according to Wikipedia is a document used by foreign persons (including corporations) to certify their non-U.S. status,” researchers wrote.
While at first glance, the email seems legitimate, there are grammatical issues and spelling errors that should give readers pause. Unfortunately, because the targets of this campaign are nonresident aliens, English may not be their native tongue, making the less-obvious errors in this message – such as the incorrect name of the agency, Department of the Treasury – difficult to spot, even for U.S. citizens.
Researchers did find that the attached PDF file is free of any embedded executables but noted that the IRS has never sent any official documents via email. Because the attached form contains random spaces and miscellaneous punctuation marks, researchers believe that the PDF was scanned and manipulated.
“While this document states that its last revision was February 2018, the look and feel is not that of a digital document (specifically those found on IRS.gov). Finally, the fonts are mismatched on the form, especially the “FAX TO: 1 877 917 3730” direction at the bottom, which is colored in blue and is in a different font style and size. This is another dead giveaway for this poorly crafted campaign,” researchers wrote.
North Korea has hit back at a landmark US indictment of an alleged cyber operative earlier this month, branding it a “smear campaign” and the individual concerned a “non-entity.”
In a typically bellicose response to the US charges, a statement from Pyongyang’s foreign ministry on Friday claimed they amounted to little more than “vicious slander.”
“The act of cyber-crimes mentioned by the Justice Department has nothing to do with us. The US should seriously ponder over the negative consequences of circulating falsehoods and inciting antagonism against the DPRK that may affect the implementation of the joint statement adopted at the DPRK-US summit,” it reportedly noted.
“The US is totally mistaken if it seeks to gain anything from us through preposterous falsehoods and high-handedness.”
US investigators believe that Park Jin Hyok is a member of the infamous state-backed Lazarus Group responsible for WannaCry, and devastating attacks on Sony Pictures Entertainment, Bangladesh Bank and many more.
The indictment, filed on June 8 and made public at the start of the month, alleges he worked for a government front company known as Chosun Expo Joint Venture, or Korea Expo Joint Venture (KEJV), which operated out of Dalian, China.
The DoJ claimed Park and unnamed co-conspirators were given away via social media and email accounts used to send spear-phishing emails, their online aliases, accounts used to store stolen credentials, malware code libraries, proxy services and IP addresses linked to the attacks.
Park is charged with two counts of conspiracy to commit computer and wire fraud, but according to Pyongyang he is a “non-entity” — which could be interpreted to mean he doesn’t exist, or that he is a person of no importance.
A similar line was used by the Russian government in response to overwhelmingly incriminating UK intelligence and CCTV evidence of two men alleged to be responsible for attempting to assassinate a former Kremlin military man in Salisbury. The two men involved were paraded on Russian TV last week as innocent tourists.
Normal service was finally resumed at Bristol airport yesterday after two days of ransomware-related outages caused a blackout of flight information screens.
Staff were forced to hand-write regular updates on whiteboards to provide passengers with crucial information on flight arrival and departure details, while additional airport staff were deployed to help answer questions from anxious travelers.
A post on the airport’s official Twitter feed on Friday had the following:
“We are currently experiencing technical problems with our flight information screens. Flights are unaffected and details of check-in desks, boarding gates, and arrival/departure times will be made over the public address system. Additional staff are on hand to assist passengers.”
It urged passengers to arrive early “and allow extra time for check-in and boarding processes.”
Flight information was finally restored in arrivals and departures on Sunday.
Airport spokesman, James Gore, told the BBC that it had been hit by a “speculative” ransomware attack.
“We believe there was an online attempt to target part of our administrative systems and that required us to take a number of applications offline as a precautionary measure, including the one that provides our data for flight information screens,” he said.
"That was done to contain the problem and avoid any further impact on more critical systems.”
The airport had not paid the ransom, Gore added.
The incident is another reminder of the continuing threat posed to organizations by ransomware, even at a time when the general trend appears to be of cyber-criminals favoring easier and more lucrative ways to make money, like crypto-jacking and BEC attacks.
A midyear report from Trend Micro recently claimed that ransomware detections grew just 3% from the second half of 2017 to the first six months of 2018, while the number of new ransomware families detected dropped 25%.
In contrast, the number of cryptocurrency mining detections jumped 141% over the same period.
The UK’s universities and colleges are facing a growing threat from DDoS attacks, with reports suggesting that students may be to blame for many of them.
Figures from Jisc reveal that while 64 higher education partners were targeted by 276 DDoS attacks in 2016/17, 82 members were hit by 386 attacks in 2017/18. The figure for further education (colleges) jumped from 75 members and 302 attacks to 107 members and 475 attacks over the same time period.
“DDoS attacks are designed to disrupt or bring down a network. If connectivity to the network is lost for any length of time, it can be catastrophic for any organization, both financially and reputationally,” a Jisc statement noted.
“Students might, through no fault of their own, miss the deadline for handing in assignments online, and teaching would resort to ‘chalk and talk.’ Fortunately, attacks that cause this much damage are rare, and we encourage our members to be robust in their approach to cybersecurity.”
Last week, Edinburgh university became the latest big name to fall victim to a DDoS outage after its main website was down for over a day.
The head of Jisc’s security operations centre, John Chapman, told the BBC that many of the attacks may be the result of student activity, rather than cybercrime groups.
He noted how one four-day attack was traced back to a hall of residence — the result of one gamer trying to take another out of action.
Attacks are also concentrated during working hours in term time and tail off significantly during the holidays, although any DDoS-ers would probably focus their efforts when they're most likely to affect the victim organization.
"There is evidence... to suggest that students and staff may well be responsible for many of the DDoS attacks we see," Chapman reportedly claimed.
A new survey by Jisc found that universities and colleges rank lack of awareness and accidental breaches as their number one cybersecurity risk followed by ransomware/malware, and then phishing and social engineering, external attacks and DDoS in fifth place.
Microsoft Office documents accounted for the delivery of nearly half of all malicious macros in August 2018, according to Cofense.
A recent blog post found that the macro remains the email attachment of choice for delivering malicious payloads. Of all the mechanisms analyzed, 45% of attackers used these documents to deliver malicious macros, including Geodo, Chanitor, AZORult and GandCrab.
According to researchers, the macro is a top choice because it either is enabled on a machine or only requires a single mouse click to be enabled. “This makes it almost trivial to launch the first stage of an infection chain,” Cofense wrote.
It is often the case that the Microsoft Office macro feature is enabled by default, leaving users completely unaware that there were any problems with opening the document. Yet researchers noted that even with appropriate protections in place, users only see a warning that can be dismissed with one click.
“Abuse of this feature can be easily mitigated by disabling macros enterprise-wide. However, macros do have legitimate and valuable usage, upon which many businesses rely. To help reduce the attack surface introduced by this feature, businesses have some options,” Cofense wrote. While a blanket policy of blocking documents at the gateway is the most effective solution, these strict policies can hinder user productivity.
Defending against phishing attacks is further complicated by social engineering tactics. Additional findings from a FireEye study revealed that one in every one hundred emails represents a phishing or malicious email. Of those attempted email attacks, 90% are malware-less. The goal with malware-less attacks is to trick the user into sharing information about the company by impersonating a trusted source.
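One of the middle-ground options between blocking every document at the gateway and allowing all of them, as an added example (not Cofense's code): a content-based check that tells macro-bearing Office attachments from plain ones so only the former are quarantined. It relies on the OOXML markers that exist only when VBA is embedded (a `vbaProject.bin` part and the `vbaProject` / `macroEnabled` content types) and flags legacy OLE2 binaries for a separate parser; the sample packages are constructed in memory and are not real Word files.

```python
"""Added example: gateway classification of Office attachments by content.
Extensions are ignored on purpose; only the package contents decide."""
import io
import zipfile

# OOXML parts and content types present only when VBA is embedded.
VBA_PART_SUFFIX = "vbaProject.bin"
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"
MACRO_ENABLED_MARKER = "macroEnabled"
# Legacy binary (.doc/.xls/.ppt) container signature.
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify_attachment(data: bytes) -> str:
    """Return 'macro', 'document', 'legacy-binary' or 'other'."""
    if data.startswith(OLE2_MAGIC):
        # Legacy binaries can carry VBA too, but need an OLE parser
        # (e.g. the olefile library) to inspect; route them separately.
        return "legacy-binary"
    if not data.startswith(b"PK"):
        return "other"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if "[Content_Types].xml" not in names:
                return "other"          # a zip, but not an OOXML package
            if any(n.endswith(VBA_PART_SUFFIX) for n in names):
                return "macro"
            types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            if VBA_CONTENT_TYPE in types or MACRO_ENABLED_MARKER in types:
                return "macro"
            return "document"
    except zipfile.BadZipFile:
        return "other"


def gateway_decision(data: bytes, block_legacy: bool = True) -> str:
    """Policy: quarantine macro-bearing packages, optionally quarantine
    legacy binaries that cannot be vetted cheaply, deliver plain documents."""
    kind = classify_attachment(data)
    if kind == "macro" or (kind == "legacy-binary" and block_legacy):
        return "quarantine"
    return "deliver"


def build_docx(with_vba: bool) -> bytes:
    """Constructed minimal OOXML package for testing, not a real Word file."""
    plain_main = ("application/vnd.openxmlformats-officedocument."
                  "wordprocessingml.document.main+xml")
    macro_main = "application/vnd.ms-word.document.macroEnabled.main+xml"
    main_type = macro_main if with_vba else plain_main
    ct = ('<?xml version="1.0"?>'
          '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
          f'<Override PartName="/word/document.xml" ContentType="{main_type}"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if with_vba:
            ct += (f'<Override PartName="/word/vbaProject.bin" '
                   f'ContentType="{VBA_CONTENT_TYPE}"/>')
            zf.writestr("word/vbaProject.bin", b"\x00constructed placeholder\x00")
        ct += "</Types>"
        zf.writestr("[Content_Types].xml", ct)
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Because the check reads the package rather than the filename, a macro-enabled file renamed to `.docx` is still classified as `macro`.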
“Phishing has been around since the mid-to-late ’90s, and yet it’s still a significant problem as a direct effect of how successful it remains, even decades later. People are, and always will be, the weakest link,” said Thomas Pore, director of IT and services for Plixer.
“Social engineering will succeed, which means your organization is vulnerable. You must constantly monitor network traffic and digital communication to look for behavior anomalies. Operating the SOC under the assumption that you’ve already been infected puts you in a state of mind to stay diligent when network traffic behavior anomalies rise up. A combination of regular staff training, critical-asset tagging, patching and behavior anomaly detection is the foundation of a strong and successful security program.”
In response to reports that the US State Department is lagging in its implementation of basic cybersecurity standards, a group of bipartisan senators have written a letter to Secretary of State Mike Pompeo urging him to augment security mechanisms and improve compliance.
The senators point out that the password-only approach is not reliable protection, particularly with the increased number of phishing attacks. Additionally, they referenced the 2018 General Service Administration assessment, which evidenced that across the Department of State only 11% of agency devices had enhanced security controls deployed.
“The US government, through NIST [National Institute of Standards and Technology], has done a great job of providing best-practice guidance to enterprise via the Cybersecurity Framework and other documents,” said Anupam Sahai, vice president of product management at Cavirin.
“However, it is sad that they are not as widely adopted across the different agencies. Is this any different from Congress being unable to come to agreement on securing voting machines in advance of the November elections, knowing the published risks?”
Senators Ron Wyden, Ed Markey, Jeanne Shaheen, Cory Gardner and Rand Paul wrote, “We are sure you will agree on the need to protect American diplomacy from cyber attacks, which is why we have such a hard time understanding why the Department of State has not followed the lead of many other agencies and complied with federal law requiring agency use of MFA [multifactor authentication].”
“You would expect anyone handling sensitive data today to have enabled multifactor authentication as one of their basic security protocols,” said Steve Durbin, managing director of the Information Security Forum.
“It’s imperative that all types of organizations ensure they have strong standard security measures in place. This requires more diligence and organization-wide discipline than throwing money at the latest hyped-up software solution.”
The letter requested that Secretary Pompeo respond with details to three questions by October 12, 2018. Among other things, lawmakers want to know what actions the Department of State has taken to implement MFA, specifically for accounts with elevated privileges. In addition, they have requested statistics with details on the number of attempted and successful attacks on the Department of State systems located abroad for each of the past three years.
Twistlock issued its first biannual state of cloud native security report, in which researchers analyzed deployments of common cloud-native applications and ran honeypots to collect data on risk factors and attack patterns against cloud native services.
Researchers focused on two main sampling methods, which involved scanning the internet internally and discovering openly accessible servers using public scanning services. From that list of commonly used applications, they then scanned the banners to identify different versions and vulnerabilities.
The second sampling method used honeypots to mimic the behaviors of popular cloud-native applications to detect patterns of attacks on open servers. “The team found a disturbing number of out-of-date applications, with many open to known vulnerabilities (with CVEs). Some of these were vulnerabilities that were disclosed years ago. Additionally, the team found a great number of active bots/attackers that search for these applications in an attempt to exploit them,” the report said.
What researchers discovered was that 60% of cloud-native services are not automatically patched to the latest version. Additionally, over 90% of attacks are automatically executed against outdated code and known CVEs.
In their survey of the top cloud-native applications, researchers discovered that 25% were running with CVEs where a known exploit existed. The application most likely to be outdated was MySQL, with more than 80% of deployments at least one version behind. More than 60% of these cloud-native application attacks originated from Chinese IPs.
“Adoption of cloud-native technologies gives organizations a chance to build and deploy software faster and scale and manage deployments with ease. But this speed and agility is often coming at the expense of foundational security practices,” said Dima Stopel, Twistlock co-founder and VP of research and development, in a press release.
“Organizations need to build automatic enforcement of security into their application pipelines...to prevent vulnerable code from reaching production but also to quickly triage and patch new risks in production.”
Let’s change the way we talk about security, as global news and incidents are creating new threats.
Speaking at 44CON exploring how “Bad analogies make bad realities,” Charl van der Walt, strategic director at SensePost, said that “while we were talking about hacking sex toys, Russian hackers changed the world quite substantially” and began “a new era in our industry.”
He said that this changed the cybersecurity industry significantly, and as attackers upped their game “our world is different to what we knew before, a threat is emerging that has potential to change the world.”
He told the audience that as the world is “going to change in significant ways, then you’re a part of that battle and at the front of a war that shapes our world in a substantial way,” and we can shape it in the decisions we make, and it is “up to us to determine how to change.”
Using a series of analogies including the 2008 financial crisis and the Doomsday clock, van der Walt argued that it was time to develop the “why” of security and “why it matters” if it is done right, and how we need to explain why security is important in a way others can understand.
“Metaphors matter, and changes the way we think,” he said. “Compare severity and likelihood, and express where the Doomsday Clock is in terms of the security concept. The problem is risk is thumb sucking; estimating concepts with no way to quantify them.”
Speaking on debt management, van der Walt recommended creating and maintaining a debt register, and deciding who is best positioned to determine the right thing to do, and think at the right level of security.
“Every time a security trade-off is made, get the recommended cost and what the actual cost is and deduct one from the other and get the debt. Dial it up or down depending on the severity of issue, and once you have the register you communicate it to the board for them to consider.”
He concluded by saying that we see breaches all of the time, and it is easy to look at each in isolation, but collectively these can be a problem for everyone. “We are facing real threats and that is where the fundamentals of the world can be changed,” he said. “If we address the ways we talk and analogies we use.”
News has emerged of yet another Magecart victim following a major breach affecting British Airways: this time a push notification service provider known as Feedify has been repeatedly targeted.
However, RiskIQ threat researcher, Yonathan Klijnsma, explained that Feedify had actually been “affected” by Magecart since August 17. Despite the firm remediating the issue, it appeared that the hackers re-inserted it soon after.
Security researcher Kevin Beaumont warned e-commerce firms to remove Feedify.
Feedify is the latest in a long line of Magecart victims. However, contrary to previous reports, Klijnsma explained that the attacks aren’t tied to a specific group but a number of separate entities all using the same code.
This explains why some attacks go for a supply chain provider, such as Feedify or Ticketmaster partner Inbenta Technologies, while others have targeted the e-commerce site directly, like the sophisticated BA attack.
Another victim of the group over recent weeks is fashion and home décor provider Groopdealz, according to Klijnsma. He revealed this week that the firm’s site was infected with the Magecart skimmer on August 5.
Magecart has been tracked since 2016: it is code that runs on a website and behaves much like a physical card skimmer, detecting payment card data as it is entered into an e-commerce checkout form and stealing it. Unlike most traditional breaches, where the attackers go after stored card databases, this skimming technique can also capture CVV numbers as they are typed, making the stolen data more easily monetizable.
The ICO has received 500 calls each week to its breach reporting helpline since the GDPR came into force in May, but around a third of these don’t meet the minimum threshold, according to the deputy commissioner of operations.
James Dipple-Johnstone told the CBI Cyber Conference in London this week that the UK privacy watchdog had been inundated as anxious firms over-report.
In the privacy watchdog’s first update since the new data protection regime came into force, he also revealed that many organizations are “struggling with the concept” of 72-hour breach notifications, interpreting it incorrectly as 72 “working hours.”
Dipple-Johnstone urged organizations to get their incident response plans in place and ensure senior employees are ready to provide as much detail as possible from the start, adding that some breach reports are incomplete.
“It is not very helpful to be told there is a breach affecting lots of customers but the reporter isn’t authorized by the general counsel to tell us more than that,” he argued. “If you don’t assign adequate resources to managing the breach we may ask you why not.”
He urged organizations to check the ICO’s reporting guidelines, and to ensure they have multi-layered security in place, including elements such as two-factor authentication, email filters and anti-spoofing controls, and enhanced staff training and awareness.
Lillian Tsang, senior data protection and privacy consultant at the Falanx Group, argued companies are over-reporting to be on the safe side.
“It is the assessment, ‘whether a breach poses a fundamental risk to people’s rights and freedoms’ which makes a breach reportable — this part is the difficult/uncertain element that a company faces,” she explained.
“A company would have to come down to a decision and it would be their decision alone, so it can become a matter of subjectivity: a case of ‘do we or don’t we?’ Companies don’t want to play a guessing game because they would rather report a breach, to avoid fines of non-reporting than potentially face the financial and reputational consequences.”
To mitigate these challenges, companies need a clear breach reporting procedure outlining which types of incident are worth reporting and which aren’t, she advised.
“This will help them make a decision within the allotted 72-hour time period. It is also important that these criteria are shared and adopted throughout the whole organization by training staff and creating greater awareness,” said Tsang.
“Understanding the products and services where potential risks of a fundamental breach might occur is also vital by using tools, such as privacy by design and data protection impact assessments, continuously throughout the whole product life cycle. Finally, companies need to look at and understand guidance from the regulator and the European Commission.”
Board members need to improve their understanding of cybersecurity to better manage business risk, the head of the National Cyber Security Centre (NCSC) has argued.
Speaking at the CBI Cyber Conference in London this week, Ciaran Martin claimed that senior business leaders are laboring under three dangerous misapprehensions about cybersecurity: that it is too complex, so they won’t understand it; too sophisticated, so they can’t do anything to stop it; and targeted, so they’re not at risk.
Yet board members can’t manage risk they don’t understand, so they must become more cyber-literate, he said.
“No-one in government is asking you to make cybersecurity your top priority. Your core business is your top priority,” said Martin.
“We do expect you, however, to be good enough at cybersecurity to take care of the things you care about. And that means you have to understand what they are, and what you can do to protect yourselves. This means you need to be – at least a little bit – cyber-literate.”
Martin admitted that the government’s strategy on providing businesses with cybersecurity advice and best practice hasn’t worked out as expected, with organizations focusing on good governance and simply outsourcing expertise.
“If you look at some of the previous guidance it simply says — cybersecurity should be discussed at board level. It doesn’t say how, and that a plan should be in place. That’s what we are moving on from today,” said Martin.
“So, over the past few months, we have been talking to businesses to work out where the gaps in their cybersecurity knowledge lie. And over the next few months we will be rolling out a suite of guidance on cybersecurity for large corporate organizations.”
During the speech, Martin posed five basic questions board members should be asking of their technical teams.
These cover: how the organization deals with phishing, privileged IT accounts, software and device patching, supply chain security and authentication.
“Crucially, we are also telling you what to look for in the response,” he added.
“If the answer is: ‘We have hired X and bought Y to address the problem,’ ask the question again. You need to understand what is actually happening — not what activity has been bought.”
Speaking at the Spotlight18 conference in Las Vegas today, Deloitte experts weighed in on how to build an insider threat program during a round table discussion. Participating in the keynote discussion were Linda Walsh, managing director, Cyber Risk Services; Peter Hodge, senior manager, Cyber Risk Services; and Naj Adib, senior manager, cybersecurity advisor.
The success of Deloitte’s user and entity behavior analytics (UEBA) projects stems directly from the fact that they are built within the framework of an overarching risk-program approach, and the Deloitte team said the three key pillars of a successful insider threat program are people, process and technology.
“Scaring people doesn’t work well,” said Walsh, who spent 21 years working on insider threats for the FBI. A common problem that Walsh has seen throughout her career is with system admins who leave access open to be able to perform tasks or with admins who have turned into disgruntled employees and maliciously leave access open in order to steal user credentials. “That type of problem, that lateral movement is a hard thing to solve for,” she said.
Developing an insider threat program requires that organizations first define who and what insider threats actually are. “There are not a lot of organizations that have not defined what insider threat means to them. Insiders can be current employees, privileged IT users/admins, contractors/service providers, customers/clients, and their behaviors can be malevolent or unintentional,” said Adib. "Defining insiders and understanding the motivational factors of their behaviors is foundational to building your program."
Because all organizations are different, insider threat programs will vary from company to company, but regardless of size or risk, every organization should develop an insider threat working group. A working group is the first step and a key answer to the often-asked question of how to get mobilized.
Running simulation attacks, such as a Phishme (now Cofense) campaign, can be enlightening. “Now they get it,” said Walsh, “and it oftentimes works so well that they are not opening things they should. That’s the type of awareness you can start. Those are your quick wins.”
The key guiding principles of building a successful insider threat program are that it must be holistic, coordinated, proactive and risk based. “It’s about setting the right policies and standards so that users understand the expectations. We don’t want to go out and have policies and standards that are shelf-ware. Security awareness training within organizations is out there, so add in concepts of what constitutes an insider. Train people to become your frontline,” Adib said.
The goal is to reduce the number of false positives, which comes back to the insider threat working group, said Walsh. "Once you've found all the meaningful data and you can correlate it – which is a challenge that takes a lot of work – you can start prioritizing to reduce false positives to come out with some meaningful, actionable data. A lot of people are hesitant to start turning out that data because there is so much noise, but ignorance is not a security strategy anymore."
Though Bomgar was itself acquired by Francisco Partners earlier this year, the company announced today that it will acquire Phoenix, Arizona-based BeyondTrust, a privilege-centric security company. The combined company will operate under the BeyondTrust name but will be headquartered in Bomgar’s Atlanta office.
No specific terms of the acquisition were disclosed, but the deal is expected to close in October. “I’m confident that the additional investment and scale resulting from this combination will drive innovation for our customers and new opportunities for our partners as we expand our leadership position in the fast-moving Privileged Access Management market,” said Kevin Hickey, president and CEO of BeyondTrust, in today’s press release.
To advance its mission of helping customers better defend against cyber-attacks, Bomgar has signed the agreement securing BeyondTrust’s extensive privileged access management (PAM) platform.
“We are extremely excited to build upon BeyondTrust’s Privileged Access Management leadership and the significant benefits it will bring to our joint customers, partners and people,” said Matt Dircks, CEO of Bomgar, who will lead the merged company as CEO.
“Both organizations bring talented employees who are passionate about protecting organizations from attacks related to privileged access. The greater scale and resources of the combined company will allow us to accelerate innovation and deliver technology that protects our customers from constantly evolving threats.”
As threats continue to evolve across endpoint, server, internet of things, cloud and network device environments, the marriage of Bomgar’s security offerings and the BeyondTrust PAM portfolio – currently used by more than 19,000 customers worldwide – will strengthen protection of privileged credentials, remote access sessions and endpoints.
“Both Bomgar and BeyondTrust have a long history of driving innovation and efficiency and delivering solutions, services and support that customers love,” said Francisco Partners’ co-founder and CEO Dipanjan “DJ” Deb.
“Privileged Access Management is one of the top priorities for today’s security leaders, and we see incredible opportunity with the combination of Bomgar’s and BeyondTrust’s technology and talent,” said Brian Decker, partner and head of security investing at Francisco Partners.
“The joint team is focused on developing integrated and usable products, building an even stronger channel and continuing to deliver the highest levels of customer service and support.”
A key part of the UK’s mass surveillance regime has been ruled illegal by a European court.
The European Court of Human Rights ruled that bulk interception of communications data and the obtaining of data from comms service providers violated Article 8 of the European Convention on Human Rights: the right to respect for private and family life/communications.
They also contravened Article 10 in that there were “insufficient safeguards in respect of confidential journalistic material.”
However, there are some rather large caveats to the judgement.
The court found that bulk interception doesn’t “in and of itself” violate human rights, just that the government didn’t have enough independent oversight in place to monitor “interception and the filtering, search and selection of intercepted communications for examination, and the safeguards governing the selection of ‘related communications data’.”
The court also found that sharing intelligence with foreign governments — as GCHQ has done with the NSA for years — did not violate the law.
Finally, this judgement only applies to the previous regime and not the new Investigatory Powers Act — although the latter is seen by many as even more controversial.
Also known as the ‘Snoopers’ Charter’, this surveillance legislation has already suffered a major setback: in April the High Court told ministers to redraft the section requiring communications providers to retain, for a year, phone records, location data, internet browsing history and information on everyone a user emails and texts.
Although the judges again said that the bulk collection in itself wasn’t illegal, they ruled that the fact police, regulators and other bodies can then access this info without independent authorization and for reasons unrelated to investigating terrorism or serious crime, most definitely is.
The latest European court case was brought by Big Brother Watch, Amnesty and other human rights groups after revelations by Edward Snowden in 2013 on the mass collection of data on citizens, even if they are not suspected of a crime.