PC PORTAL

Incident Response

April 13, 2018 By PC Portal

Security newsround: April 2018

We round up reporting and research from across the web about the latest security news. This month: privacy palaver at Facebook, a cyberattack with explosive intent, securing the IoT, sportswear maker uncovers data breach, and authorities arrest an alleged cybercrime mastermind.

Facebook shook by reverberations and revelations

The worlds of privacy and security collided last month after revelations that the political consulting firm Cambridge Analytica had obtained records of up to 87 million Facebook users, and had used the data to target voters with pro-Trump messages during the 2016 US presidential election campaign. A researcher working on personality profiling had built a free quiz app which, when a user installed it via Facebook, harvested not only that user’s profile but the profile data of their friends. That data was then handed to Cambridge Analytica. The New York Times reported that the idea for building the app came via Palantir, the data analysis company that works with intelligence agencies.

Facebook initially argued that it didn’t consider this a breach, because anyone using the app had consented to its terms of service. Such semantic gymnastics didn’t cut much ice with commentators, who considered it a ‘breach of trust’ – or worse. The scandal grew ever more complex as more details emerged. At one point, more than $50 billion was wiped off Facebook’s market value. When CEO Mark Zuckerberg eventually broke his silence days later, his response was “evasive and disingenuous”, wrote Karlin Lillington. Facebook has since suspended another data analytics firm, CubeYou, whose tactics were similar to those of Cambridge Analytica.

Sarah Clarke has written a nuanced perspective on the original story and its privacy implications on her Infospectives blog. Meanwhile, SANS published a guide for infosec professionals on communicating to staff about protecting privacy and deactivating social media profiles.

Life’s a breach

Staying with breaches of a different kind, Verizon has just published its 2018 Data Breach Investigations Report. Now in its 11th year, the DBIR is one of the most widely respected and authoritative sources of security research. Here are some of the key findings: financial gain was the motivation behind 76 per cent of breaches. Outsiders were behind 73 per cent of them, and most of those outsiders were organised criminal groups. Ransomware’s rise continues: it was the most common malware type last year, found in 39 per cent of malware-related incidents. The report analyses nine industry sectors and looks at the specific security risks facing each one. The full report and an executive summary are both available from Verizon. The 2018 edition draws on more than 53,000 real-world incidents and 2,216 confirmed data breaches. Ireland’s IRISS-CERT was among the 67 organisations contributing data to the research.

Cyber crossover

Security experts have long warned that, sooner or later, an attack that began in the digital world would have physical consequences. Now there’s an example. News emerged that a petrochemical plant in Saudi Arabia suffered a malware intrusion designed to cause an explosion. The only thing that prevented it was a mistake in the attackers’ own code, the New York Times reported. The attackers reportedly compromised Triconex safety controllers made by Schneider Electric, which are used in about 18,000 plants around the world. Safety controllers are the last line of defence that shuts a process down when it drifts into a dangerous state, which is why tampering with them is so serious. The NYT quoted an expert who said a technique that worked against Schneider controllers in Saudi Arabia could also be used in the United States. In separate but related news, the US Department of Homeland Security and the FBI accused Russian state hackers of attacking energy companies (alert TA18-074A). The attackers reportedly used spear-phishing to compromise networks in small organisations that form part of US critical infrastructure, then used those footholds to reach their real targets.

Embedded devices to get embedded security

The UK Government has published a proposed code of practice aimed at improving security for the Internet of Things. The ‘Secure by Design’ report aims to encourage manufacturers and service providers to embed security at the earliest stages of developing IoT products and services. Recommendations include not shipping devices with universal default passwords, storing credentials and other sensitive data securely, keeping software updated, and making it easier for consumers to configure and delete data from their devices. The average UK household owns at least 10 connected devices. This blog from the Information Commissioner’s Office covers the main points. James Lyne, head of R&D at SANS Institute, described the development as “positive and much needed”. The issue also came into focus after a fatal collision in Arizona last month involving a self-driving car. After all, what is an autonomous car but a very large connected device? The Electronic Frontier Foundation called for sharing data as a way to improve both safety and security.

Under Armour doesn’t run for cover after breach

Under Armour disclosed that its MyFitnessPal app and website were hacked, exposing personal information from almost 150 million accounts. The incident occurred in late February and affected usernames, email addresses and passwords, but not payment data. Under Armour said most of the passwords were hashed with bcrypt, a deliberately slow function that makes offline cracking expensive; a minority were protected only with SHA-1, which is not suitable for passwords, so those users should treat their passwords as exposed. This story is notable less as a finger-pointing exercise at a data breach victim and more as a testament to Under Armour’s transparency. The company notified affected users within days of discovering the breach, and was on the front foot when dealing with media questions. Security experts praised its proactive handling of the fallout: it had a plan and executed against it. Financial markets weren’t so forgiving, though. Shares in Under Armour fell 3.8 per cent after the company disclosed the breach.

A win for the good guys as Carbanak chief cuffed

Let’s wrap up this roundup with a good news story for a change. Law enforcement agencies arrested the alleged ringleader behind the Carbanak and Cobalt attacks. The arrest was a complex operation conducted by Spain’s National Police, supported by Europol, the FBI, and authorities in Romania, Moldova, Belarus and Taiwan, along with private cybersecurity companies. Since 2013, the gang had targeted banks worldwide with a combination of spear phishing and malware such as Carbanak and Cobalt. The phishing emails carried a malicious attachment which, once opened, gave the criminals remote control of the infected machine. Europol said this gave the gang access to the bank’s internal network, from where it infected the servers controlling ATMs and instructed them to dispense cash on demand. As the agency’s infographic shows, the group’s ill-gotten gains amounted to more than $1 billion.


The post Security newsround: April 2018 appeared first on BH Consulting.

Filed Under: Breach Disclosure, Cyber Crime, Data Protection and Privacy, Incident Response, Information Security News, IT Security, Security newsround Tagged With: syndicated, Uncategorized

April 3, 2018 By PC Portal

Ransomware reminders force focus on prevention and planning

Ransomware reared its ugly head again recently, with some stark reminders that it’s still a serious business risk. A household name suffered what seemed a major infection, while it emerged that many victims never get their data back.

Last week, Boeing narrowly avoided a tailspin after a senior engineer alerted colleagues to a WannaCry infection. It initially appeared to threaten vital aircraft production systems, though after an investigation Boeing described it as a “limited intrusion” confined to a few machines.

Financial impact of ransomware

Boeing’s experience shows that companies face a financial impact beyond any ransom if criminals encrypt their data. Ransomware infections also cause huge disruption as IT teams scramble to find the source and prevent further spread. At the time of writing, the city of Atlanta, Georgia was still restoring systems 10 days after an attack by the SamSam ransomware. The incident reportedly affected at least five municipal departments, disabling some city services and forcing others to revert to paper records.

According to SANS, in the past six months at least three other US companies suffered work stoppages due to WannaCry infections. Last year, more than 80 organisations in the UK National Health Service shut down their computers. All told, WannaCry led to 20,000 cancelled appointments, 600 GP surgeries using pen and paper, and five hospitals diverting ambulances.

Criminals don’t give money-back guarantees

Facing similar scenarios, many organisations might choose to pay up rather than risk prolonged disruption, lost revenue or angry customers. But recent surveys might cause them to pause before parting with their cash. A report from CyberEdge found that 51 per cent of ransomware victims who paid the ransom never got their files back. A separate study from SentinelOne had similarly depressing news. It found that 45 per cent of US companies infected last year paid at least one ransom, but only 26 per cent of them had their files unlocked afterwards.

BH Consulting advises victims not to pay the ransom. As the surveys above show, payment is no guarantee of recovering files. “Criminals prove to be untrustworthy” was The Register’s snarky but accurate take on the story. Paying also signals to criminals that a business is an easy mark. TechRepublic noted that 73 per cent of organisations that paid a ransom were targeted and attacked again.

Take preventative steps

The key with ransomware is to prevent it before it spreads. Last year, BH Consulting published a guide to preventing ransomware infections just as some of the biggest outbreaks took hold. The document includes technical and business-process steps to avoid further infection. Given the latest developments, now seems like a good time to revisit those recommendations. They include:

  • Review and regularly test backup processes – still the most effective way to recover. A backup that has never been restored is not a backup, and backups reachable from the network can be encrypted along with everything else
  • Establish a baseline of normal network behaviour – unusual activity, such as one workstation suddenly contacting dozens of hosts, will be easier to spot
  • Segment your network – this limits the ability of worms like WannaCry to spread from one compromised machine to the rest
  • Implement ad blocking – to stop compromised adverts (malvertising) from delivering malware
  • Review security of mobile devices – because ransomware is migrating to mobiles

You can download the free guide here. Another useful resource is the No More Ransom initiative, a partnership between law enforcement and industry. It provides free tools to decrypt many common types of ransomware, so check it before assuming your only options are paying or restoring from backup. BH Consulting is among its partners from across the private and public sectors.

Let’s wrap up with some encouraging news. The CyberEdge report found that just 13 per cent of companies that refused to pay lost their files. In other words, 87 per cent subsequently recovered their data. It bears repeating: prevention, not payment, is a better way to keep ransomware out of your business.

The post Ransomware reminders force focus on prevention and planning appeared first on BH Consulting.

Filed Under: Computer Viruses, Incident Response, IT Security, Risk Management Tagged With: ransomware, Security, syndicated

February 13, 2018 By PC Portal

Prepare for breach: 10 steps to better incident response planning

Developing an incident response plan – and testing various scenarios against it – is now a must. Let’s all remember the Central Bank of Ireland’s stark warning back in 2016. “Firms should assume they will be subject to a successful cyber-attack or business interruption.”

Having a structured and formalised response plan ensures organisations can deal with security incidents quickly, efficiently and effectively. (GDPR provides another good reason to get your response planning in order. Enforcement is mere months away, and its terms include mandatory reporting of personal data breaches to the appropriate data protection authority within 72 hours of becoming aware of them.)

Here at BH Consulting, we offer incident response planning as a service for our customers. We have developed these 10 steps which can guide your efforts:

  • Involve the appropriate people and processes. The incident response team should represent functions such as IT security, IT operations, physical security, HR, legal and PR
  • Look outside the organisation if necessary to augment the internal team’s skills and knowledge
  • Ensure the team has full backing of senior management
  • Establish the appropriate levels of response to an incident: these might be for example no response, or automated response, or involving team members or management
  • Integrate your incident response plans with business continuity planning
  • Ensure necessary levels of authorisation and autonomy (for example, there’s no need to involve senior management for an issue with minimal business impact)
  • Train all incident response personnel in their responsibilities
  • Keep an incident response log for an accurate record of all actions and outcomes
  • Test and review all policies and procedures regularly to ensure effectiveness and applicability
  • Finally, implement a review process to learn from any incidents that required a response, and to uncover where to make process improvements.

Useful resources

Here are some other useful resources to help you devise an effective response plan. The UK Information Commissioner’s Office has a GDPR-focused checklist for handling data breaches. ENISA has developed a tool for completing and submitting a personal data breach notification, suitable for all business sectors and public agencies. The US National Institute of Standards and Technology (NIST) publishes a free computer security incident handling guide (Special Publication 800-61). The UK Government has advice about handling media attention and crisis communications. Last year’s IRISSCON conference in Dublin had two excellent talks on incident response, from Dr Ciaran McMahon and David Stubley (videos).

Incident response in context

We now live in a world where more organisations feel comfortable disclosing when they’ve had an attempted breach. Last year, both the ESB and Musgrave Group publicly said that attackers had tried – unsuccessfully – to break into their systems. Last month, the CEO of AP Møller-Maersk told an audience at Davos that the shipping company rebuilt its IT infrastructure in 10 days after last summer’s NotPetya outbreak (malware that presented as ransomware but, in practice, destroyed data rather than holding it for ransom). As Lee Neely noted in the recent SANS newsletter, such a rapid timeframe is only possible with a working and tested business continuity plan.

Now that it’s accepted that a security incident could happen to anyone, the focus has turned towards how organisations respond. Unlike the examples above, think of the criticism heaped on Equifax and Uber after their respective breaches. That’s the kind of negative publicity nobody wants.

Beyond public shaming, there’s also a financial impact from badly handled breaches. The UK Information Commissioner’s Office recently fined Carphone Warehouse £400,000 over its 2015 data breach.

If you’re interested in developing or updating your incident response planning, you can contact us to find out more.


The post Prepare for breach: 10 steps to better incident response planning appeared first on BH Consulting.

Filed Under: Incident Response, IT Security Tagged With: Breaches, syndicated

Copyright © 2021 · PC PORTAL