PC PORTAL

Experienced. Trusted. Solutions.

Cyber Crime

By

Plan for potential incidents and breach scenarios, cybersecurity conference hears

Businesses should prepare an incident plan for security breaches in advance to know what resources they’ll need to deal with it. Speaking at the Technology Ireland ICT Skillnet Cybercrime Conference earlier today, Brian Honan said that running different scenarios can help businesses identify whether they’ll need assistance from IT, legal, HR or public relations.

Research from the Institute of Directors in Ireland has found that 69 per cent of SMBs claim they’re prepared for a data breach. Brian flipped that statistic to point out that this means almost one third of business owners have no such plan.

Never mind cyber; it’s crime

He also encouraged companies to report incidents like ransomware, CEO fraud or a website infection. “Don’t forget you’re the victim of a crime. In most cases, a cybersecurity incident is treated as an IT problem, not even a business issue or a crime. It’s a mindset change. It’s not separate to your business, it’s integral to it.” To help make that change, he suggested: “we should drop the name ‘cyber’.”

When businesses have to disclose an incident, Brian called on them not to use the phrase ‘we suffered a sophisticated breach’ – because most times, it’s not true. In many cases, incidents are due human error, or to bad practices like poor passwords. “If you’re using cloud email, enable two-factor authentication and educate people in using secure passwords. Encourage them not to click on suspicious links,” he said.

Other attacks exploit platforms like WordPress and Joomla. Businesses using those tools to run their websites need to continuously manage and update them, Brian said. “Many web vulnerabilities and threats like attack types like SQL injection are known about for over 10 years,” he said.

Steps to better security

Companies can take several steps to improve their security, such as establishing policies. “They’re very important – they set the strategy for the business and help everybody to meet it,” said Brian. Having systems to monitor and respond to suspicious activity is also essential. “Look at the physical world: you can’t guarantee your business won’t be burgled. It’s the same in online world, but we need to be able to detect when it happens,” he said.

The best security investment a business can make is in awareness training for employees, Brian added. These programmes educate staff about how to identify potential attacks, and how to handle information in a secure way.

He also encouraged businesses to disclose when they have suffered an incident, to help improve overall security. “Everybody will have a breach, there’s no shame in that, so let’s get over that and share information to help each other,” he said.

Tackling the cybersecurity skills gap

Research shows a high proportion of security breaches take months to recover from, which is partly due to an industry skills shortage. “The biggest problem we have is a lack of skilled staff in cybersecurity,” Brian said. The conference saw the launch of a new programme to train 5,000 people in cybersecurity over the next three years. The Cybersecurity Skills Initiative aims to address the shortage in skilled security personnel.

It’s worth asking whether the industry is open to candidates without formal degrees in cybersecurity or computer science. Brian said some companies may need to relax restrictive HR policies such as requiring formal degrees in security or computer science to attract the right people into security roles. Otherwise, they could be missing out on enthusiastic, experienced and skilled people.

 

 

The post Plan for potential incidents and breach scenarios, cybersecurity conference hears appeared first on BH Consulting.

By

BH Consulting marks EU Cyber Security Month with daily tips on staying secure

October is EU Cyber Security Month and to mark the occasion, BH Consulting will be sharing advice about digital security and privacy. Every working day during October, we’ll post useful information on our Twitter feed and on our LinkedIn page.

These short tips will draw attention to common security risks and threats that many of us face. We’ll be using various hashtags as appropriate, including #CyberSecMonth, #Cybersecuritymonth2018 #cyberaware, #cyberhygiene and #saferinternet4EU. (We also recommend you visit the official website for the EU-wide awareness campaign, at www.cybersecuritymonth.eu.)

Staying secure at work and in the home

The themes we plan to cover include staying secure in the workplace by preventing CEO fraud, ransomware, phishing and spam. As the month goes on, we’ll also give advice you can pass on to family members about protecting personal information and using digital technology securely.

Many of our posts will link to blogs we have written or to other open source security awareness material. At the end of each week, we’ll round up those tips into a post which we’ll publish here on our blog. This will be a ‘living’ post about EU Cyber Security Month that we’ll keep adding to as each week passes during October.

Please like and share widely to help us spread the word and improve security awareness for everyone. And a quick reminder: we also publish a monthly newsletter for information security professionals and people working in related roles. You can sign up for the newsletter

The post BH Consulting marks EU Cyber Security Month with daily tips on staying secure appeared first on BH Consulting.

By

Security newsround: September 2018

We round up interesting research and reporting about security developments from around the web. This month: the devastation from NotPetya, a sound idea for authentication, help with NIST and cutting-edge security analysis.

The shipping news

If the truly wise learn from the experiences of others, then there are lessons galore from Maersk’s ransomware infection. You know, the one that cost the world’s largest shipping company $300 million. Thanks to an eye-watering account in Wired, you can vicariously experience the eye of a storm during a crippling ransomware outbreak.

The story details Maersk’s troubles during the NotPetya outbreak in 2017, aka “the most devastating cyberattack in history”. Weighing in at more than 6,000 words, it’s a meaty read. The excellent in-the-trenches reporting from Andy Greenberg offers plenty of ‘what-if’ scenarios that security and risk professionals can use for developing response plans.

Listen to this: a wearable solution to 2FA trouble?

Build a better mousetrap and the world will beat a path to your door. In this case, the trap in question is authentication. Researchers at the University of Alabama have developed a wearable device that uses two-factor authentication to foil attackers that are remote or in close proximity. It requires minimal effort on the part of users, who don’t even need to install browser plugins. CSO reports that “the browser would play back a short random code encoded into human speech when a user attempts to login”.

The University’s own summary describes it as “a complete re-design of the sound-based TFA systems to thwart both remote and proximity attacks”, while still being easy to use. Sophos notes that usability has been a sticking point when it comes to 2FA adoption. It cited one 2016 study showing that 28 per cent of users don’t use 2FA, and 60 per cent of those that do only do it because someone makes them.” The original research paper is here.

Plotting a secure path through the NIST

This year, the National Institute of Standards and Technology updated its 2014 framework for improving the security of critical infrastructure. (Here’s the framework as a free PDF.) Now, Mukul Kumar and Anupam Sahai of Cavirin Systems have written a guide to help security professionals turn the framework theory into security reality for their needs. They outline five high-level steps for following the NIST advice, with detailed explanations for each step.

Researchers look to security’s future at Usenix 2018

The 27th Usenix security symposium took place in August, and it often hosts interesting sessions giving a glimpse of where security might be heading. This year was no exception, with the largest event in the conference’s history. Researchers from around the world presented at the three-day event. As part of their commitment to open access to research, the organisers publish links to all 100 papers at Usenix’s publications page.

There’s no shortage of tantalising titles to choose from. Among our favourites are: You can run, but can you hide? (analysing privacy protection in fitness trackers), The Battle for New York: (a case study of enterprise-level digital threat modelling), and O Single Sign-Off, Where Art Thou? (which analyses single sign-on account hijacking).

Possibly the best is Harvard professor James Mickens’ 50-minute keynote called “Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models”.

Things we liked

Europol warns that GDPR fears could lead breached companies to do deals with cybercriminals to avoid regulatory fines. MORE

The world is changing. Time to change how security professionals and CISOs approach their roles, argues Joseph DiBiase. MORE

Is two-factor authentication the security panacea some claim it is? Stuart Schechter argues caution before making the leap: “All security measures have trade-offs”, he warns. MORE

Patch, and patch often. This piece asks why does it take so long to install security updates? MORE

As the UK data protection regulator imposes a £500,000 fine on Equifax, the Register describes the company’s security failings as “the gift that keeps on giving”. MORE

 

The post Security newsround: September 2018 appeared first on BH Consulting.

By

CEO fraud: call it what you want, but I call it messing with the quids

A ruse by any other name, invoice redirection scams are a huge and growing business problem. They’re also known as fake boss scams, impersonation fraud, CEO fraud, or business email compromise, and they’ve risen by 58 per cent in the past year. That’s according to Lloyds Bank which estimates that UK SMEs lose £27,000 on average to such scams. The bank says this type of fraud affects up to half a million businesses.

Here’s how it works: criminals write an email supposedly from a company CEO or CFO, and send it to an employee requesting an urgent payment. Then the unwitting worker transfers the cash to an unauthorised account belonging to the criminals.

You know my name

Despite the name ‘CEO fraud’, bosses are rarely at risk from these scams. Barracuda Networks recently analysed 3,000 scam messages from its Sentinel system and found just 2 per cent target CEOs. Their names are more likely to appear on the emails that scammers send to other employees. Most of these messages land in the inboxes of staff in sales, accounts, operations or marketing departments. To avoid email filters, 60 per cent of messages don’t include links.

Criminals’ efforts are relentless: Valimail estimates that there are 6.4 billion fake emails in circulation every day. Help Net Security said this shows the scam isn’t just a social engineering problem. Because email has no built-in authentication mechanism, it’s easy for criminals to spoof senders.

Stop making cents

Fortunately, there are resources to help recognise these scams and prevent them from working. This month’s SANS Ouch! Newsletter includes tips on spotting and stopping BEC fraud. Lloyds released an awareness video to go with its survey as part of an awareness raising campaign with Get Safe Online. The short film portrays lookalike CEOs, showing how easy it is to appear to be someone else. We’ve also blogged about CEO fraud before and how to avoid becoming a victim. For example, making payment processes more rigorous can reduce the chances of the scam working.

To end on a positive note: the crime doesn’t always pay. Irish police raided 15 homes around Ireland in September as part of a major fraud investigation. They had been tracking a gang they believed were laundering €14.6 million in proceeds from scams like invoice redirection. The crackdown shows why it’s important for victims to report these crimes to police. “While your individual experience as a victim of cyber-crime may not lead directly to an arrest it is invaluable to law enforcement as a source of intel,” said BH Consulting CEO Brian Honan.

 

The post CEO fraud: call it what you want, but I call it messing with the quids appeared first on BH Consulting.

By

Security newsround: July 2018

We round up reporting and research from across the web about the latest security news and developments. This month: stress test for infosec leaders, cybercrime by the numbers, financial fine for enabling cyber fraud, third party risk leads to Ticketmaster breach, Privacy Shield in jeopardy, and a win for Wi-Fi as security improves.

Under pressure: stress levels rise for security professionals

Tense, nervous headache? You might be working in information security. A global survey of 1,600 infosec leaders has found that the role is under more stress than ever. Rising malware threats, a shortage of skilled people, and budget constraints are producing a perfect storm of pressure on professionals. The findings come from Trustwave’s 2018 Security Pressures Report. It found that the trend of increasing stress has been edging steadily upwards since its first report five years ago.

Some 54 per cent of respondents experienced more pressure to secure their organisation in 2017 compared to the previous year. More than half (55 per cent) also expect 2018 to bring more pressure than 2017 did. Dark Reading quoted Chris Schueler of Trustwave saying the pressure to perform will push security leaders to improve performance or burn out. SecurityIntelligence led with the angle that the biggest obligation facing security professionals is preventing malware. Help Net Security has a thorough summary of the findings.

There was some good news: fewer professionals reported feeling pressure to buy the latest security tech compared to past years. The full report is available to download here.

CEO fraud scam hits companies hard

CEO fraud, AKA business email compromise, was the internet crime most commonly reported to the FBI during 2017. Victims lost a combined amount of more than $676 million last year, up almost 88 per cent compared to 2016. Total cybercrime-related losses totalled $1.42 billion last year. The data comes from the FBI’s 2017 Internet Crime Report, which it compiles from public complaints to the agency. (No vendor surveys or hype here.)

The next most prominent scams were ransomware, tech support fraud, and extortion, the FBI said. Corporate data breaches rose slightly in number year on year (3,785 in 2017, up from 3,403 in 2016) but the financial hit decreased noticeably ($60.9 million in 2017 vs $95.9 million in 2016). There were broadly similar numbers of fake tech support scams between 2017 and 2016, but criminals almost doubled their money. The trends in the report could help security professionals to evaluate potential risks to their own organisation and staff.

Asset manager’s lax oversight opens door to fraud and a fine

Interesting reading for security and risk professionals in the Central Bank of Ireland’s highly detailed account of a cyber fraud. Governance failings at Appian Asset Management led to it losing €650,000 in client funds to online fraud. Although Appian subsequently replaced the funds in the client’s account, the regulator fined the firm €443,000. A CBI investigation uncovered “significant regulatory breaches and failures” at the firm, which exposed it to the fraud. It’s the first time the Irish regulator has imposed such a sanction for cyber fraud.

The fraud took place over a two-month period, starting in April 2015. The CBI said a fraudster hacked the real client’s webmail account to impersonate them during email correspondence with an Appian employee. The fraudster also used a spoofing technique to mimic that employee’s email address. The criminal intercepted messages from the genuine client and sent replies from the fake employee email to hide traces of the scam.

The press release runs to more than 3,200 words, and also goes into great detail about the gaps in policy and risk management at Appian.

Tales from the script: third-party app flaw leads to Ticketmaster data breach

As growing numbers of websites rely on third-party scripts, it’s vital to check they don’t put sites’ security at risk. That’s one of the lessons from the data breach at Ticketmaster UK. The company discovered malicious code running on its website that was introduced via a customer chat feature. This exposed sensitive data, including payment details, of around 40,000 customers. Anyone who bought a ticket on its site between September 2017 and June 2018 could be at risk, Ticketmaster warned.

On discovering the breach, Ticketmaster disabled the code across all its sites. The company contacted all affected customers, recommending they change their passwords. It published a clearly worded statement to answer consumer questions, and offered free 12-month identity monitoring.

Although this first seemed like good crisis management and proactive breach notification, the story didn’t end there. Inbenta Technologies, which developed the chat feature, weighed in with a statement shifting some blame back towards Ticketmaster. The vulnerability came from a single piece of custom JavaScript code Inbenta had written for Ticketmaster. “Ticketmaster directly applied the script to its payments page, without notifying our team. Had we known that the customised script was being used this way, we would have advised against it, as it incurs greater risk for vulnerability,” Inbenta CEO Jordi Torras said.

Then Monzo, a UK bank, blogged in detail about the steps it took to protect its customers from the fallout. This included the bombshell that Ticketmaster knew about the breach in April, although the news only went public in June. Wired said these developments showed the need to thoroughly investigate potential breaches, and to remember subcontractors when assessing security risks.

Privacy Shield threat puts EU-US data sharing in doubt

US authorities have two months to start complying with Privacy Shield or else MEPs have threatened to suspend it. The EU-US data sharing framework replaced the Safe Harbor framework two years ago. Privacy Shield was supposed to extend the same rights for protecting EU citizens’ data as they have in Europe. In light of the Facebook-Cambridge Analytica scandal (both of which were certified under Privacy Shield), it seems that’s no longer the case.

MEPs consider privacy and data protection as “fundamental rights … that cannot be ‘balanced’ against commercial or political interests”. They voted 303 to 223 in favour of suspending the Privacy Shield agreement unless the US complies with it.

This could have implications for any organisation that uses a cloud service provider in the US. If they are using Privacy Shield as an adequacy decision for that agreement, they may no longer be GDPR-compliant after 1 September. Expect more developments on this over the coming months.

Welcome boost for Wi-Fi security

The Wi-Fi Alliance’s new WPA3 standard promises enhanced security for business and personal wireless networks. It will use a key establishment protocol called Simultaneous Authentication of Equals (SAE) which should prevent offline dictionary-based password cracking attempts. Announcing the standard, the Wi-Fi Alliance said the enterprise version offers “the equivalent of 192-bit cryptographic strength, providing additional protections for networks transmitting sensitive data, such as government or finance”. Hardware manufacturers including Cisco, Aruba, Broadcom and Aerohive all backed the standard.

Tripwire said WPA3 looks set to improve security for open networks, such as guest or customer networks in coffee shops, airports and hotels. The standard should also prevent passive nearby attackers from being able to monitor communication in the air. The Register said security experts have welcomed the upgrade. It quoted Professor Alan Woodward, a computer scientist at the University of Surrey in England. The new form of authentication, combined with extra strength from longer keys, is “a significant step forward”, he said.

 

The post Security newsround: July 2018 appeared first on BH Consulting.