Here you will find Shearwater’s latest security advisories, security updates and expert insights.

December 2018 Security Report | Shearwater Solutions


Featured this month: Exposed Remote Desktop connections create a soft target for attackers, email distribution platforms are increasingly being hijacked to facilitate mass phishing campaigns, several Self Encrypting Drives have multiple vulnerabilities, a VirtualBox Zero Day vulnerability, breaches that caused inconvenience for Dell, created danger and disruption for an Ohio hospital and exposed over 500,000 guests’ data in a breach dating back to 2014 for the Marriott hotel chain. In other news, a Windows 10 (1703 and newer) update allows Windows Defender to operate in a sandboxed environment and Google’s Quic protocol will replace TCP, to offer both compression and encryption, in the next revision of the HTTP protocol.

Current Threats and Exploits


  • Exposed Remote Desktop connections create soft target for attackers:
    Remote Desktop provides a convenient tool for remote administration and for users to access internal resources. It’s also commonly scanned for, and targeted by, attackers attempting to gain unauthorized access to internal networks. Typically (via brute forcing of accounts or through the use of known credentials harvested via phishing or breach data) an attacker will look to gain access to the remote desktop host before launching subsequent attacks internal to the network (e.g. ransomware, cryptomining or data exfiltration).
    In order to avoid falling victim, it’s important that exposed Remote Desktop Protocol (RDP), and other services are appropriately hardened. Simple steps such as geoblocking, good password practices and monitoring of external facing hosts can significantly increase the difficulty of entry for attackers trying to take over your RDP host this holiday season.
  • Marketing email campaign hijacking leads to mass distribution of phishing:
    Shearwater has identified a number of incidents where a company’s marketing or email distribution platforms have been compromised in order to facilitate mass phishing campaigns. Through the use of Business Email Compromise (BEC attack), attackers are frequently looking to gain access to platforms such as MailChimp, that are prepopulated with recipient lists. This provides an easy opportunity to further phish unsuspecting victims.
    If you are unsure of the source of an email, a simple phone call to the sender or your IT security team can help validate the contents in a timely fashion. And if you identify a phishing campaign of this nature, contacting the mail platform and sender to alert them to the incident is also recommended.
  • Self-Encrypting Drives have multiple vulnerabilities:
    There are multiple vulnerabilities in implementations of ATA Security or TCG Opal Standards in Self-Encrypting Disks (SEDs), which can allow an attacker to decrypt contents of an encrypted drive. There is no cryptographic relation between the password provided by the end user and the key used for the encryption of user data. This allows an attacker to access the key without knowing the password provided by the end user, allowing the attacker to decrypt information encrypted with that key. According to the National Cyber Security Centre – The Netherlands (NCSC-NL), the following products are affected by CVE-2018-12037:

    • Crucial (Micron) MX100, MX200 and MX300 drives
    • Samsung T3 and T5 portable drives
    • Samsung 840 EVO and 850 EVO drives (In ATA high mode these devices are vulnerable, in TCG or ATA max mode these devices are not vulnerable.)

The vendors have issued patches to address the vulnerabilities. We recommend that you update to the latest patches as soon as possible.

  • VirtualBox Zero Day vulnerability:
    A new vulnerability has been discovered in VirtualBox’s Intel E1000 NIC driver code when it is operating in NAT mode. The vulnerability, which affects all versions of VirtualBox up to and including 5.2.20, allows malicious code running in a guest VM to gain application level control over the host. To make matters worse, the vulnerable code is shared between a number of different guest operating systems, meaning that it can be exploited from almost any guest. The vulnerability was not responsibly disclosed, and therefore there is currently no patch available.
    We recommended that users of VirtualBox change the type of virtual network adapter to something other than the Intel E1000 or place it into a mode other than NAT. (1)

Recent Breaches



A data breach at Marriott hotel chain has exposed personal details of up to 500,000 guests.

  • Dell resets all customer passwords after cyberattack:
    Dell suffered a security breach on November 9, 2018. Hackers succeeded in breaching the company’s network but were detected and stopped. Investigators found no evidence that the hackers succeeded, but they have not ruled out the possibility that some data was stolen. Analysis of the attack concluded the attackers were seeking customer names, email addresses and scrambled passwords.
    We recommend that Dell customers are vigilant for suspicious emails or account activity. (2)
  • Ransomware attack forced Ohio hospital system to divert ER patients:
    A malware infection and ransomware attack that hit computer systems at the East Ohio Regional Hospital and Ohio Valley Medical Centre over the Thanksgiving weekend reportedly disrupted the hospitals’ emergency rooms causing ambulances to be diverted to other area hospital emergency rooms. The attack hit on the evening of Friday, Nov. 23, leaving the hospitals temporarily unable to accept ER patients via emergency responders.
    A spokesperson for the hospitals said that there has been no patient information breach. (3)
  • Marriott’s massive data breach:
    The Marriott hotel chain has reported a massive data breach that was discovered to be related to a cyberattack dating back to 2014. The breach affected personal details of up to 500,000 guests of its Starwood branch, such as Westin, Sheraton, Le Meridien, St Gegis and W Hotels. It’s believed that personal information for around 327,000 reservations was exposed, including name, address, phone number, passport number, details of the stays, etc. Credit card numbers and expiry dates of some guests may also have been taken. (4)

Other News


  • Windows Defender sandboxed:
    Current versions of Windows 10 (1703 and newer) have received an update which will allow Windows Defender to operate in a sandboxed environment. As anti-malware software requires complete visibility over the whole system to provide effective protection, they need to run with very high privileges. As a result of these high privileges, they have become a common target for malware and malicious actors, as a successful compromise could give them control over the system. To reduce the risk, Microsoft have isolated Windows Defender in a sandboxed environment, making it harder for a compromise in Windows Defender to take over the system.
    Sandboxing is not currently enabled by default in Windows. However, if users wish to enable it on their system, they can issue the following command from an administrator command prompt and restart their system “setx /M MP_FORCE_USE_SANDBOX 1”. (5)
  • HTTP 3 using UDP:
    The Internet Engineering Task Force (IETF) has stated that the next revision of the HTTP protocol will not use Transmission Control Protocol (TCP) for its transport layer connections, but Google’s QUIC (Quick UDP Internet Connections) protocol instead. QUIC, which itself operates using UDP, was originally designed by Google and provides both compression and encryption.
    When the new protocol becomes more widely used, firewall rules will need to be permitted to allow UDP 443 connections. (6)

References

  1. Zero-Day Exploit Published for VM Escape Flaw in VirtualBox
  2. Dell.com resets all customer passwords after cyber attack: statement
  3. Ransomware Attack Forced Ohio Hospital System to Divert ER Patients
  4. Massive data breach at Marriott’s hotels exposes private data of 500,000 guests
  5. Windows Defender Antivirus can now run in a sandbox
  6. HTTP-over-QUIC to be renamed HTTP/3

 


This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

WebEx, LibSSH Authentication & D-Link Router Vulnerabilities | Shearwater InfoSec Report


The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Featured this month: A WebEx vulnerability that allows a remote attacker to execute code on the machine, a LibSSH authentication vulnerability that allows a remote attacker to authenticate without valid credentials, 3 vulnerabilities in a number of D-Link routers which combine to allow a remote attacker to take over a device, a number of new Drupal code execution vulnerabilities and a Windows zero-day vulnerability. Recent breaches include Cathay Pacific and iNet and in security news, the Californian government has passed a bill to mandate manufacturers improve passwords on IoT devices.

Current Threats and Exploits


  • WebEx Remote Code Execution Vulnerability:
    A vulnerability with Cisco Software’s Web meeting/presentation client, WebEx Client, has been discovered that would allow a remote attacker to execute code remotely on the machine.
    We recommend that users patch their WebEx Client Software to version 33.6.0 to prevent the usage of this vulnerability. (1)
  • LibSSH Authentication Vulnerability:
    A new vulnerability has been discovered in the LibSSH package, which is used to add support for SSH to devices. The vulnerability, assigned CVE 2018-10933, allows a remote attacker to present the server with a successful authentication message (SSH2_MSG_USERAUTH_SUCCESS) upon connecting and the server will accept the message. As a result, the attacker can easily become authenticated to the device without needing to present valid credentials. The vulnerability is reported to exist in all versions of LibSSH after 0.6.
    Users of LibSSH are advised to upgrade to the latest versions, 0.8.4 and 0.7.6, which have been fixed to remove the authentication flaw.(2)
  • D-Link Routers Vulnerable External Control:
    Security researchers have identified three vulnerabilities in a number of D-Link routers which, when combined, allow a remote attacker to take control of the device. The first vulnerability allows an unauthenticated attacker to browse the file system of the router to obtain the password file. The second vulnerability results in the password file they obtain being stored in cleartext, giving them access to the raw passwords. Finally, the authenticated attacker can execute arbitrary code on the device, through the Web interface. As an attacker can obtain the raw passwords using the first two vulnerabilities, they can take over the device. D-Link was informed of the vulnerability back in May this year, however they have failed to release any patches.
    It is strongly advised that anyone using D-Link routers ensures they are not configured to allow access to their Web interface from the Internet. (3)
  • More Drupal Code Execution Vulnerabilities:
    A number of new remote code execution vulnerabilities have been discovered in the Drupal content management system. One of the most critical vulnerabilities exists in the default mail backend, which does not check for shell arguments when processing emails, allowing them to be executed on the server.
    Users should ensure that Drupal 7 is updated to version 7.60, Drupal 8.5 is updated to version 8.5.2 and Drupal 8.6 is updated to version 8.6.2. Additionally, any versions of Drupal 8 before version 8.5 are no longer supported and, therefore, will not receive the security updates. (4)
  • Windows 10/Server 2016/Server 2019 Microsoft Data Sharing Zero-day Vulnerability:
    A security researcher has disclosed a Windows zero-day vulnerability on Twitter for the second time in the span of two months. Proof of Concept (PoC) code for this vulnerability was also published on GitHub, which can be used to delete crucial Windows files and cause the operation system to crash. The vulnerability affects the local Microsoft Data Sharing service (dssvc.dll), present in recent versions of Windows OS, such as Windows 10 (all versions patched with latest October 2018 update), Windows Server 2016 and Windows Server 2019. An attacker, who already has access to the system, can exploit this vulnerability to elevate their privileges allowing them to delete files that normally can only be deleted by admins and take further actions with appropriate modification on the PoC.
    Microsoft is currently working on a fix for this vulnerability. In the meantime, we recommend following best practice security practices and to be vigilant for anomalous activity. (5)

Recent Breaches



A data breach at Cathay Pacific Airways has prompted calls to review Hong Kong’s breach disclosure rules.

  • Cathay Pacific Major Data Breach:
    The Hong Kong flight carrier Cathay Pacific has suffered a major data breach, in which cybercriminals had accessed the personal data of over 9.4 million passengers. The breach exposed private details, including passenger names, nationalities, dates of birth, phone numbers and email addresses. Cybercriminals have also compromised 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).
    Hong Kong’s Privacy Commissioner, Stephen Wong Kai-yi, has pledged legal help for affected customers. Cathay Pacific and IT experts have recommended that passengers are vigilant for suspicious emails or account activity, as they anticipate phishing activities following the leak. (6)
  • Leaky Amazon S3 Bucket causes Washington ISP Customer data to be Exposed:
    Washington Internet Service Provider Pocket iNet has had over 73GB’s of data publicly exposed due to a misconfigured Amazon S3 Bucket. The exposed data includes plaintext passwords and AWS secret keys for Pocket iNet employees, internal diagrams of their infrastructure, details of configuration, inventory lists and photographs of their equipment. It also exposed priority customer details using the service.
    This type of breach can be mitigated by setting up a policy to check Amazon S3 Bucket configurations, as well as making sure buckets aren’t public facing. (7)

Other News


  • California passes Bill on IoT Device Security:
    The Californian government has passed legislation that bans the use of default weak passwords on IoT devices. Device manufacturers must ensure that IoT devices have a unique default password or a password that changes on the first authentication attempt.
    This should assist in device security, preventing these devices from being compromised by the use of hardcoded and default credentials. (8)

References

What you need to know about Business Email Compromise (BEC) attacks


Business Email Compromise (BEC) attacks are increasing at an alarming rate and look set to continue as a favoured method of cyberattack in the future. In this blog article, Shearwater’s social engineering and phishing expert, Damian Grace, provides guidance on what you can do TODAY to reduce your organisation’s risk.

In a concerning trend, Australia ranked second in the world (at 27.4%) for reports of attempted BEC attacks in the first half of 2017, (1) and reports to the ACSC’s, Australian Cybercrime Online Reporting Network (ACORN) during 2016-17, attributed losses of A$20 million to BEC attacks. This increase of 230% from the $8.6 million during 2015-16 “likely represents only a small percentage of total activity, as both misreporting and underreporting occurs.” say the ACSC in their 2017 Threat Report (2)

What draws cybercriminals to target Australian organisations in this way? Australia’s large number of online transactions, early adoption of emerging technologies and use of software favoured for exploitation by cybercriminals has a role to play, but it is mainly due to the fact that BEC attacks offer a great ROI for cybercriminals; providing high returns – with attacks originating from overseas currently having a low chance of prosecution.

What is a BEC attack?

A Business Email Compromise (BEC) is a form of spear (targeted) phishing that aims to trick employees (generally in finance or HR) into transferring funds into a ‘new’ business bank account (belonging to the cybercriminal) or sharing sensitive information at the request of a cybercriminal impersonating a senior executive.

Cybercriminals use social engineering and/or hacking techniques to compromise legitimate email accounts or spoof (create fake) emails to make them appear to be from a high-level employee, co-worker or supplier. The most commonly spoofed positions are the CEO and managing director, targeting the CFO and finance director (3)

The five common types of BEC attack are:

CEO Fraud

A scammer impersonates the CEO (or high ranking executives) then sends scam emails trying to get an employee to transfer funds or confidential information.

Attorney Impersonation

A scammer impersonates a law firm, or someone from a law firm, usually requesting that funds be transferred into an account to settle an ‘overdue bill’.

Fake Billing

A scammer hacks into the email account of a business that has a relationship with a supplier. They then impersonate the supplier and request that ‘unpaid bills’ be paid to a ‘new’ account.

Accont Compromise

A scammer hacks into the email account of an employee (usually Finance) and contacts customers on the contact list stating a problem with a payment and requesting that payments are made to a ‘new’ account.

Data Theft

A scammer impersonates targeted employees (usually HR) and then sends out requests to employees and executives requesting personal information verification or updates.

Cybercriminals use both a low quality (basic research), high quantity approach, bombarding an organisation with multiple spear phishing emails in the hope that a link will be clicked, and also a high quality (highly researched), low quantity approach, where it is much harder for employees to spot the difference between real and counterfeit emails and the more likely the email will pass spam filters and whitelisting.

A cybercriminal researches their targets using company websites, LinkedIn and social media to learn the names, work titles, email addresses and interests of their targets. Once they’ve compromised their target employee’s email account “they’ll generally wait and observe email communications for at least a month before initiating the attack,” say Shearwater’s Incident Response Team, based on their findings when providing post-attack security hardening services. They’ll look for upcoming travel and events, suppliers and regular financial transactions, the arrival of new starters and key decision makers taking leave in their target department.

BEC & Social Media
Cybercriminals research their targets using social media, in preparation for a BEC attack..

BEC attacks are dangerously effective because they are socially engineered – designed to leverage human nature. They will be addressed from a senior colleague or a supplier, may appear to cc other employees or be a forwarded email, will request actions within the target employee’s normal range of duties and will often display knowledge of confidential company information – all designed to reduce suspicion. Attacks are usually initiated when key decision makers are away from the office, at an inconvenient or busy time and the request is always ‘urgent’ and ‘important’.

There are 2 mechanisms for the delivery of a BEC attack.

Email spoofing

A range of tactics are used to make an email appear to be from a trusted source or colleague:

  • Using the email header – to make the message appear to have originated from a trusted source
  • Using an email address that is almost identical to the address they are impersonating
  • Using an almost identical domain name (that the cybercriminal has purchased and configured to look like the company domain.)

A spoofed email may contain a link that will install malware, leading to account compromise.

Account compromise

The attacker’s aim is to gain access to their target employee’s email account. This is commonly achieved using a phishing email which includes a link to install malware, phone-based vishing, or USB drop to trick victims into divulging login credentials or installing malware or keyloggers into their computers or devices. Once compromised, the attacker will monitor the account for opportunities for exploitation; using the account for further research and to send emails to target employees, taking steps to ensure that the legitimate owner of the account is unaware.

What you can do TODAY to protect your organisation


An effective defence from BEC attacks requires a proactive, three-pronged approach, focusing on:

  1. Employee training
  2. Updating business policies and procedures
  3. Selecting and configuring technology

1. Employee training

Ensure that ALL employees within your organisation receive the latest phishing prevention training. For a fast and effective solution, offering an excellent ROI, seek a third-party provider that can deliver a proven, scalable, cloud-based solution that incorporates engaging cybersecurity training and phishing simulations and reporting to benchmark and provide ongoing risk reduction. As BEC attacks generally target CEO, CFO, HR and finance roles, it is imperative that training is prioritised for these roles.

In the interim, advise employees of the tell-tale-signs of a basic BEC attack email. Look out for a combination of:

  • A request to change bank account details, make a money transfer or provide confidential information
  • A request that is urgent and requests secrecy.
  • An email signature that is missing, incomplete or incorrect
  • Poor grammar or spelling

If employees receive an email with these characteristics, they should:

  • Check the address in the ‘from’ field (is it really from who they think)
  • Check with the sender either face-to-face or by phone (using the company directory, NOT the contact details within the email)
  • Not open any attachments or click on any links
  • Notify their IT department.

Phriendly Phishing Training
Ensure that ALL employees receive the latest phishing prevention training.

2. Update policies and procedures

The following updates to your organisation’s policies and procedures will help to reduce your BEC attack risk and help you to correctly manage phishing emails that reach employee inboxes.

  • You may choose to make it mandatory that requests for transferring funds, payment changes or providing confidential information:

    • Are not made via email, and/or
    • Require a 2-step, or more, verification process, with written approval for large amounts and confirmation face-to-face or via telephone (using an internal phone book, NOT a number in the email)
  • Create/update policies and procedures for the safe handling of suspicious emails.
  • Create/update policies and procedures for communicating with suppliers.
  • Promote file sharing on your organisation’s internal networks to reduce the need to email files.

Ensure that ALL employees are made aware of these changes.

3. Select and configure technology

The following technology solutions will help to reduce your BEC attack risk by blocking or quarantining suspicious emails before they reach employee email inboxes and flagging higher risk emails or content to alert users.

Multi-factor authentication

  • Implement multi-factor authentication for both employee workstations and remote access, to make it harder for cybercriminals to compromise employee email inboxes.

Domains

  • Ensure your organisation publishes SenderID/SPF records for their domain and that checks are conducted on emails claiming to be sent from this domain. Request that your suppliers do the same.
  • Register domains that vary slightly from your organisation’s actual domain to prevent cybercriminals from being able to do this.
  • Implement/correctly configure Domain-based Message Authentication, Reporting and Conformance (DMARC) to enhance Sender Policy Framework (SPF) and/or Domain Keys Identified Mail (DKIM) to enable 2 email authentication technologies on all emails, to identify the sender of a message and:

    • Block SPF hard fails (emails verified as not originating from the domain they claim to originate from)
    • Block DKIM verification fails – log and investigate and inform the spoofed organisation
    • Quarantine and flag to users any SenderID/SPF soft fails

Flags and alerts

  • Flag external emails e.g. add [EXT] to the start of the subject
  • Set alerts on the creation of mail forwarding rules, or unusually high outbound email volumes.
  • Flag emails with extensions that are similar to your corporate email

Software and logging

  • Ensure that antivirus software is up-to-date and correctly configured.
  • Keep blacklisting and whitelisting up-to-date
  • Provide users with the ability to report suspicious emails to IT (e.g. with free outlook add-ins like S.C.A.M. Reporter)
  • Ensure that logging is switched on for the email content filter and email servers and that logs are regularly audited. If your organisation is the victim of a successful cyberattack, these logs will enable faster detection and remediation work.

Environments

  • Provide a safe environment for the IT security team to investigate suspicious emails.
  • Provide the ability for file sharing on your organisation’s internal networks to reduce the need to email documents.

If your organisation is high risk, the ACSC recommends the following to reduce the likelihood of a user clicking on a malicious link or opening a spoofed attachment(4):

  • Convert attachments to PDF (and quarantine originals)
  • Whitelist attachments based on file typing to identify and block spoofed attachments
  • Block encrypted attachments
  • Disable macros and JavaScript content and quarantine originals
  • Replace active web addresses in an email’s body with non-active versions. The user must then copy and paste the URL and will have the opportunity to detect a difference between the displayed and actual URL.
  • You may also wish to block any non-authorised third-party email services.

The three-pronged approach above provides general recommendations for reducing your organisation’s risk in relation to BEC attacks. For a more tailored approach, contact your cybersecurity partner to enquire about cybersecurity and information security risk assessment services.

Resources

Download a free poster to assist your employees to identify 5 Common Types of Business Email Compromise (BEC) Attack

References

  1. Micro 2017 Midyear Security Roundup: The Cost of Compromise
  2. Australian Cyber Security Centre 2017 Threat Report
  3. Trend Micro 2017 Midyear Security Roundup: The Cost of Compromise
  4. Malicious Email Mitigation Strategies

PhriendlyPhishing by Shearwater Solutions

Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

IRAP Frequently Asked Questions


What is IRAP?


The Information Security Registered Assessors Program (IRAP) is an initiative of the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC) to ensure the standard of cybersecurity and information security assessments for Information and Communications Technology (ICT) systems that process or store government information. A certified IRAP Assessor’s role is to conduct independent assessments of any system, network or gateway, for compliance with the Australian Government Information Security Manual (ISM), the Protective Security Policy Framework (PSPF) and other Australian Government guidance, to ensure the safety of government information. An assessment is the first stage in the process towards achieving Australian Government security accreditation for suitability to process, store or communicate government or sensitive information.

 

Why conduct an IRAP Assessment?


Cybersecurity and information security are a top national security priority for government, to prevent cyberintrusions on government systems, critical infrastructure and other information networks that could threaten Australia’s national security and national interests.

An Information Security Registered Assessors Program (IRAP) assessment is the first stage in the process towards achieving accreditation for suitability to process, store or communicate government or sensitive information. Government agencies and commercial Information and Communications Technology (ICT) systems, Cloud providers, Networks and Gateways that process or store government information (or wish to do so) are required to achieve and maintain Australian Government security accreditation by demonstrating compliance with the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF) and other Australian Government guidance.

 

Who is responsible for IRAP?


The Information Security Registered Assessors Program (IRAP) is an initiative of the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC).

 

Who are IRAP Assessors?


Information Security Registered Assessors Program (IRAP) Assessors are Australian Signals Directorate (ASD)-certified Information and Communications Technology (ICT) professionals from across Australia who have:

  • the necessary experience and qualifications in ICT, security assessment and risk management, and
  • a detailed knowledge of Australian Government information security compliance requirements.*

Becoming a certified IRAP assessor requires extensive, prerequisite qualifications and experience and the completion of IRAP training and examinations. Thereafter, IRAP assessors are required to maintain these prerequisite qualifications and complete annual training.

Shearwater has several Security Consultants who are certified IRAP Assessors.

* ACSC, Who are IRAP Assessors?, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/who_assessors.htm>.

 

What can an IRAP Assessor assess?


Assessments of up to SECRET classified systems can be undertaken by agency Information Technology Security Managers (ITSMs) and Information Security Registered Assessors Program (IRAP) Assessors. Assessments of TOP SECRET systems can only be undertaken by the Australian Signals Directorate (ASD) and IRAP Assessors with appropriate clearance.

IRAP Assessors may provide assessment for:

  • Cloud services
  • Gateways
  • Information systems
  • Gatekeeper
  • FedLink

 

What is the Australian Government security accreditation process?


The accreditation process is as follows:

  1. Assessment
    • Audit stage 1 –Assessor provides a Findings Report to the system owner
    • System owner implements controls
    • Audit stage 2 – When controls have been met, an Audit Report is sent to the Certification Authority
  2. Certification Authority Assessment of Audit Report and residual risk. If successful;
  3. Certification awarded. Certification Report is then sent to the Accreditation Authority.
  4. Assessment of Certification Report, residual risk and other factors. If successful;
  5. Accreditation awarded.*

In most cases, reaccreditation is generally required every 2-3 years. For Australian Signals Directorate (ASD) Certified Cloud Services, ASD recertification is required every 2 years for UNCLASSIFIED DLM services and every 1 year for PROTECTED services.

* Abbreviation of process described by ACSC, Accreditation, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/accreditation_framework.htm>.

 

What is the IRAP Assessment process?


An Information Security Registered Assessors Program (IRAP) assessment has two stages:

  • Audit Stage 1 – Security deficiencies are identified and a Findings Report is provided to the System Owner.
  • Audit Stage 2 – Remediated security deficiencies are audited and an Audit Report is sent to the Certification Authority.

During Audit Stage 1, the IRAP Assessor:

  • defines the statement of applicability in consultation with the system owner
  • gains an understanding of the system
  • reviews the system architecture and the suite of system security documentation, including:
  • seeks evidence of compliance with Australian Government Information and Communications Technology (ICT) requirements and recommendations, and
  • highlights effectiveness of ICT controls and recommends actions to address or mitigate non-compliance.

The outcome of a Stage 1 Security Assessment is a Findings Report, given to the System Owner.

During Audit Stage 2, the IRAP Assessor looks deeper into the system’s operation, focusing on seeking evidence of compliance with, and the effectiveness of, security controls. The IRAP Assessor will conduct a site visit where they will:

  • conduct interviews with key personnel
  • investigate the implementation and effectiveness of security controls in reference to the security documentation suite, and
  • sight all physical security and information system certifications and any related waivers.

The outcome of a Stage 2 Security Assessment is an Audit Report, given to the Certification Authority that:

  • describes areas of compliance and non-compliance
  • suggests remediation actions, and
  • makes a certification recommendation.

The Certification Authority uses the report to:

  • assess the residual risk relating to the operation of the system
  • assess any remediation activities the system owner has undertaken, and
  • make a decision on whether to grant certification.

* ACSC, What is an IRAP Assessment?, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/irap_assessments.htm>.

 

Who is the Certifying Authority and what is their role?


The certification authority for government systems is generally the owning agency’s Information Technology Security Advisor (ITSA). The Australian Signals Directorate (ASD) is the certification authority for all TOP SECRET systems and for gateways and cloud services hosting multiple government agencies. The certifying authority is responsible for reviewing the Audit Report provided by the Information Security Registered Assessors Program (IRAP) Assessor. Certification will be awarded if the Certification Authority is satisfied that:

  • The system has been appropriately audited, and
  • Associated security controls have been implemented and are operating effectively.

The Certification Authority will then make a recommendation to the Accreditation Authority based on any identified non-compliance and mitigation strategies.*

* ACSC, Accreditation, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/accreditation_framework.htm>.

 

Who is the Accreditation Authority and what is their role?


The Accreditation Authority is typically the agency head or a senior executive who has an appropriate level of understanding of the risks they are accepting on behalf of the agency. The Accreditation Authority:

  • Accepts any residual risks that were identified during the audit and certification process, and
  • Awards accreditation.

Accreditation of a system ensures that either sufficient security issue remediation has been achieved or that deficiencies have been accepted by an appropriate authority.*

*ACSC, Accreditation, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/accreditation_framework.htm>.

 

What is the Protective Security Policy Framework (PSPF)


The Protective Security Policy Framework (PSPF) is the responsibility of the Attorney-General’s Department. Its purpose is to provide policy, guidance and best practice advice for security governance, personnel security, physical security and information security for government agencies or commercial Information and Communications Technology (ICT) systems, Cloud providers, Networks and Gateways that process or store government information.*

*Australian Government Attorney-General’s Department, The Protective Security Policy Framework, accessed 9 October 2018, <https://www.protectivesecurity.gov.au/Pages/default.aspx>

 

What is the Australian Government Information Security Manual (ISM)?


The Australian Government Information Security Manual (ISM) is the responsibility of the Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC). It is the standard which governs the security of government Information and Communications Technology (ICT) systems. All government agencies and commercial ICT systems, Cloud providers, Networks and Gateways that process or store government information are required to comply with the ISM.

 

How often is reaccreditation required?


In most cases, reaccreditation is generally required every 2-3 years. For Australian Signals Directorate (ASD) Certified Cloud Services, ASD recertification is required every 2 years for UNCLASSIFIED DLM services and every 1 year for PROTECTED services.

 

How long does an IRAP Assessment take?


The length of time for an Information Security Registered Assessors Program (IRAP) Assessment can vary depending on the complexity of the system being assessed. Typically, this could range from 1-3 months.

 

What is an organisation expected to do during an IRAP Assessment?


Your organisation will be expected to participate in several activities throughout the Information Security Registered Assessors Program (IRAP) assessment, including:

  • Scheduling and participating in interviews with key stakeholders
  • Organising the IRAP assessors’ access to all system documentation
  • With the guidance of the IRAP Assessor, schedule meetings with system administrators, engineers, and/or security operations personnel to validate the implementation of security controls
  • Outline and demonstrate any additional security controls implemented.

 

Useful Links

The 5 most important things to consider during a data breach

Notifiable Data Breach


Learning that you have experienced a data breach is an uncomfortable moment in any person’s life. Especially if you are a cyber security professional charged with keeping information safe and secure. More so if a third party tells you that you have seemingly lost information. Unfortunately, any day involving a data breach will be a bad day. How bad a day, will depend on a number of factors, and your level of readiness. The five important things to consider during a data breach presented here aim to help make a bad day, just a little bit easier.

Please keep in mind that managing a data breach is complex. There is no substitute for experience and knowledge, as no two data breaches are identical. The caveat I need to provide with this advice, is that the five most important things to consider during a data breach is not exhaustive advice and there are nuances that you need to consider. Please treat the following as general good practice advice.

Before we dive into a Top 5

There is a propensity to look for blame and jump to conclusions. Keep in mind, if you take your security obligations seriously, respect the role you have as a custodian of sensitive information, invest appropriately in security and manage your risk appropriately, you need to accept the fact that you are not alone. You are not incompetent or even special, breaches happen, and are a part of the world we live in. You are not the first person or organisation to experience a breach and unfortunately, you won’t be the last. Having said that, if you are guilty of consistently ignoring your security obligations, underinvesting in people, process and technology, overlooking your obligations to protect sensitive information, and trusting to providence that everything will be fine, those feelings of regret, remorse and discomfort are entirely appropriate.

At this stage you haven’t even confirmed whether it really is a security incident, you’ve just received (or uncovered) some information that indicates there might be a breach. So, before we panic, we really just need to work through the steps and work the facts.

Incident response is a process typically consisting of six main steps:

1.  Preparation

2.  Identification

3.  Containment

4.  Eradication

5.  Recovery

6.  Lessons Learned

Now if you haven’t actually done step number 1. Preparation, then a little bit of panic is probably appropriate at this stage, but all is not lost.

 

#1 – Confirm the breach, work the data.

Before we get carried away let’s establish whether there, in fact, has been a breach. This is part of the identification stage in the incident response process. You need to look at what has been reported and how. Was it third-party notification? i.e. someone outside the organisation told you a customer perhaps or business partner. Was it an internal staff member that reported something weird, or clicked a link? Was it your bank letting you know that there have been fraudulent transactions on credit cards and the common factor is your organisation. Was there data on Pastebin or similar services that looked like it may have come from your databases? Was there an alert from an IDS/IPS, SIEM event or other systems that indicated there may be a breach? Are files on the network suddenly encrypted?

These notifications all need to be validated and confirmed. It wouldn’t be the first time an incident turned out to be a new feature on a website, a new system or a misconfiguration (which can be a breach as well BTW).

How do you confirm the breach? Simple, assume the information received is correct and form a hypothesis of how it could have occurred. We’re doing a privacy blog here so let us use the loss of Personally Identifiable Information (PII) as an example. Let’s say data has been identified on Pastebin and it looks like your client records. Some key questions you will need to ask are:

  • Where does this information exist in our organisation?
  • How can it be accessed, is it internal only or internet facing? Perhaps it is stored by a third party?

Asking these two questions will help you establish whether it is indeed your data and perhaps give a clue as to which controls may have failed. These questions will provide guidance as to where you need to look next. Are we looking through web and application logs, or are we digging through internal access logs in Active directory, proxy logs, email logs, etc? By just following up on these two questions, the Shearwater team have in the past confirmed incidents where hackers had gained access to systems and were actively retrieving data, but we’ve also identified incidents where a staff member inadvertently mailed out the bulk of a confidential database. In one case, the breach was actually at a third party where the data was stored for other purposes.

Now that you have validated it is indeed a breach or a suspected breach we can move on to containment. If you haven’t already done so to help identify the issues this is a good time to get the incident response team together. It might be a good time to let management know there is a potential breach that needs to be dealt with and give the privacy officer a heads up to let them know that there may be a notifiable data breach requirement. But this is all in your incident response plan…. right ?

Manage Data Breach
Having a structured approach to a security incident will help make a bad day, just a little bit easier.

 

#2 – Contain the pain

Containment of the incident is the next step in the process. It is possible that the damage has been done, true, but you still need to deal with the fact that an attacker may still be in your network and may still have access to the data. There is an argument to allow the breach to continue as it may provide you with valuable information that may allow you to better prosecute the perpetrator. To be honest, to me this is like saying “let the bank robbers get away with the money because I want to see how they make their getaway”. If you are losing PII the best response is generally to shut them out. Remember the attacker doesn’t necessarily know why they lost access. They will often assume they did something wrong.

In the identification stage you would have looked at the various logs and established how the deed occurred, or at least you’ll have a good idea. If the web logs indicate an SQL injection, perhaps remove the application, or configure a WAF to drop those requests. Maybe shut the service down whilst you identify the root cause and eradicate the issue (the next step). If it was a mail-out by a staff member, have a chat to the culprit and explain the result of their actions. So to contain the issue you may be:

  • Resetting passwords and disabling compromised credentials
  • Addressing known vulnerabilities and bugs via patching
  • Blocking network access
  • Quarantining compromised hosts or applications or shutting down systems.
  • Having some stern discussions on following processes.

Various business decisions should inform all of the above approaches, and should weigh up the harm occurring due to the compromise/breach versus the harm that could occur from shutting down systems. The decision to shut down systems that effectively shut off business operations should not be taken lightly, but may be necessary to help prevent a greater harm. Don’t forget if your systems are being used to attack others, you may be in deeper water than you first realised. Also don’t forget to communicate to management what has been happening and where things are at.

 

#3 – Fumigate, eradicate, exterminate

Once the containment has been accomplished, there is huge pressure to remove the badness immediately. However, you need to identify the root cause of the issue. During identification you had the first clues, during containment you shut them out and hopefully gained more insight. Now it is time to do some navel gazing and identify exactly the how, what and why of the issue. There really is no substitute for a thorough investigation. This is no time to take shortcuts. If you do not have the skills, consider getting some in. Getting this wrong will result in a system that is compromised over and over and over. We see this quite often when organisations miss this step or get the next step (recovery) wrong.

Identifying the root cause of the issue is paramount. Analysis should be undertaken and the path to compromise understood in intimate detail. If you can’t explain the breach in excruciating detail and don’t have a complete timeline of events (within the realms of what is possible), then the investigation is not complete. You will be under pressure to undertake the investigation quickly but resist the urge to finalise the investigation until you understand the breach and can have sufficient input for recovery. Make sure you have your facts and are as certain as you can be. Remember number 1, the issue has been contained, you are no longer hemorrhaging data.

When looking for the root cause make sure you manage your evidence, establish your timelines and identify the how and why. Was it missing patches, misconfiguration of a system, a missing firewall rule, a bad piece of code in an application, a WAF that was switched off. Creating a timeline is by far the best approach to get clarity on the events that have resulted in the breach.

Go through all the elements. On servers perhaps take a forensically sound image or snapshot. Safeguard log files. All of these can be used as evidence and help identify the how. Use the tools you have to identify the vulnerability that was exploited. It could be technical, it could be procedural. Consider deploying an incident response tool to help identify the compromised systems or malware if present.

Once you have established the how you can now devise strategies to eradicate the issue.

In the case where you have lost PII your privacy officer or committee should now have the relevant information that they need to complete their analysis on whether the breach needs to be reported or not. You will have information on:

1.  the timeframe (when did the breach start?)

2.  what systems and information has been disclosed, accessed modified or lost

3.  who has been impacted. Is the impact likely to cause serious harm

4.  are third parties involved or impacted

You may have some of the information already from the previous stages, but until the investigation has concluded you may not have certainty.

Manage Data Breach
Post-breach clean-up is vital to prevent recurrence.

 

#4 – FIX IT, once, correctly.

This is the recovery stage of the incident response process. Rebuilding systems, recovering data, patching systems, fixing the configuration to make sure the same issue does not reoccur. This step is informed and guided by the output of the previous eradication steps. Post-breach clean-up is vital to prevent recurrence. We have instances where a breach occurred in 2011, every two or three days the attackers return to test and see if the system is vulnerable again. That is a long-term game. We have seen instances where the system was brought back online prematurely and the attackers took control before all security measures could be implemented. We’ve seen organisations recover corrupted data from backups, only to be breached again because the application was not fixed.

Build it from scratch, patch it, test it, scan it, patch it again, test it again, make sure that you apply all the additional controls you identified that would have helped prevent the issues. Test it again. After all that is complete, that is the stage where the system can be put back online.

Keep in mind that during recovery, your support and administration staff are likely to remain overworked and under pressure. Implement and enforce fatigue management processes to manage workloads to ensure silly mistakes don’t creep in at this stage.

Then watch it as they will be back, remember they do not know why the system went away or they lost access to the system.

 

#5 – Notify and Prevent

The lessons learned at preparation stage is key. Once the incident is over sit down and debrief. See what should have gone better. Review the information from the root cause analysis and determine what is to become BAU and what is part of incident response. Update documentation, perhaps write a rough post-incident report and go to sleep. As soon as you are able to, complete the Post Incident Report (PIR). It provides great lessons learned, enables objective review of current processes, and provides opportunities for improvement.

From a NDB notification perspective there is still some work left to do. The NDB scheme provides clear guidelines on how to notify individuals and the OIAC (please see my earlier posts). You should follow their recommendations to the letter and meet all scheme compliance requirements.

If I put myself in the position of an individual affected by a breach. I will evaluate the breach to see if the breached organisation has made every effort to secure my personal information and sensitive data prior to the breach. I am probably going to be understanding to a point. What will matter most to me from the point of being notified, is how the organisation manages the breach, and recovery. If the recovery and management are exemplary, I am more likely to provide the disclosing firm with a degree of understanding and give them the benefit of the doubt. If the breach management is poor or slipshod, I’m taking my data and my business elsewhere.

Hopefully, you have found this post helpful and the series of blog posts on the data breach topic illuminating. If you have any follow up questions, or would like some further information on related topics, please don’t hesitate to get in contact.

 

5 things to help you prepare for the Notifiable Data Breach scheme


Following on from my last post that covered the 5 things you need to know about the Notifiable Data Breach (NDB) scheme, this post is focused on the 5 things you really must do, in order to be prepared for the Notifiable Data Breach scheme. As you will remember the NDB impacts a significant number of organisations and requires specific actions to be followed in the event of a breach. So here is a top 5:

  1. Find out whether you need to comply with the provisions of the NDB.
  2. Determine what sensitive personal information you hold, and make a determination of what the following terms mean to you and your organisation:
    a. likely to ‘occur’
    b. ‘serious harm’.
  3. Prepare a step by step process of what you need to do in the event of a breach.
  4. Educate your stakeholders.
  5. Run a practice drill.

1.  Find out whether you need to comply with the provision of the NDB Scheme

This task should be the simplest of the 5 things you need to do. A good starting point is provided in my previous blog post, but if you are in any doubt, please refer to the Office of the Australian Information Commissioners website.

If you are covered by the scheme and need to comply, and haven’t already started on your NDB compliance journey, I’d suggest you need to initiate some internal conversations. If necessary engage some external expertise.

Even if you don’t need to comply, the investment you make in preparing a breach process will not be wasted.

2.  Determine what sensitive personal information you hold

This task may actually sound a little easier than it is for a large number of organisations. Unfortunately, many organisations have a very poor understanding of their information assets, what is important to them, and what information they need in order to run their business. If sensitive information is not understood, you may be capturing, storing or processing more sensitive information than you need to.

You should also consider, where that sensitive information is stored. Long gone are the days when you could safely say that all my data is on my big file server in my data centre under lock and key. When you really look into where sensitive personal data is stored, you are likely to find that it is located on multiple servers and applications, SAN devices, laptops, iphones, USB sticks, on your backups media, on SharePoint, OneNote, DropBox, and in a myriad of other cloud and/or shadow IT environments.

The next consideration needs to be who has access to the sensitive personal information you possess. Questions to consider include: Do you outsource functions, systems or operational tasks. Are you storing data entirely within Australia, or are you working offshore and around the Globe. Do your partners know that you have an NDB obligation. What is the state of your information supply chain, and where are you exposed. In fact, the legislation does recognise that organisations can jointly hold personal information, and has made provisions to avoid duplicate obligations.

Only once you have a full appreciation of what information you hold custodial responsibility over, where it is, and who else has access to it, can you make a determination and a judgement on what is ‘likely to result in serious harm’.

As with most approaches to information security and privacy matters, a solid understanding of risk management in terms of likelihood and consequence should be leveraged to inform the conversation around the serious harm question. The implementation of the NDB scheme effectively raises the bar on expectations from a risk management perspective.

 

Security News and Alerts

Get updates and exclusive content from our security experts
  • This field is for validation purposes and should be left unchanged.

 

3. Prepare step by step process of what you need to do in the event of a breach

After you have undertaken an information asset inventory and understood what sensitive personal information you have, where it is and who has access to it, you need to prepare for a breach by developing a breach response framework. The framework should include:

  • A process that provides:
    • Identification, investigation, validation and containment rules
    • Clear authority to initiate an investigation and declare a breach
    • High-level resolution guidelines and plans
    • Permitted timeframes for each phase of the breach
    • Communications protocols internally including a clear RACI model
    • Key contacts both within your organisation and with specialist external parties to assist with investigation and resolution where required
    • Plugs in to your work health and safety policy to help manage fatigue
  • Notification protocol for individuals affected. There are proforma’s available and these can be leveraged rather than invented. The information provided that relates to the breach should include:

    • the date, or date range, of the unauthorised access or disclosure
    • the date the data breach was detected
    • the circumstances and or known causes of the data breach
    • who has obtained or is likely to have obtained access to the information
    • the steps undertaken to contain or remediate the breach
  • Options for notifying individuals include:

    • Notify all individuals impacted
    • Notify only individuals who are at likely risk of serious harm
    • Publish your notification, and publicise it to bring it to the attention of individuals at likely risk of serious harm
  • Notification protocol for the OAIC. Again, proforma’s exist that can be used. Items required to be provided in the notification to the OAIC include:
    • Contact details for your organisation
    • A description of the data breach
    • The kind of information involved in data breach
    • The steps you recommend for impacted individuals in response to the breach

4. Educate your stakeholders

Without appropriate education and guidance, responsibility for everything during a breach may fall on you – the reader of this blog! Each stakeholder must know their roles and responsibilities and must be able to operate autonomously and as part of a team when it comes to managing a breach. An internal education activity is definitely something that you should undertake as a priority after your preparation activities. But don’t forget step 5. Knowledge helps, but nothing makes that knowledge stick like having stepped through the protocol at least once.

5. Running a practice drill

As the old saying goes, practice makes perfect. Running a breach practice drill doesn’t have to be onerous or take massive amounts of time to prepare. Although the more you plan and the more often you can practice, the better off you will be. As a first step, prepare some meaningful scenarios, book a meeting with relevant stakeholders, establish some ground rules and run through your established breach process for each of the practice scenarios. Appoint a note taker who will observe and record variations to the process flow. Initially, stick to the process that you have designed, but annotate any issues. Then roll those lessons learned into a second iteration of your NDB process.

Then keep practicing. Perhaps utilise your regular business continuity and disaster recovery drills as a vehicle to test your NDB processes.

The 5 things you need to know about the Notifiable Data Breach scheme


Mandatory Data Breach Disclosure and the Notifiable Data Breach (NDB) scheme are both really hot topics at the moment. There is a number of experts from the legal, cyber security and business community all providing their advice, many providing guidance in forensic detail on what should be done to prepare an organisation for this change.

I’m not planning to cover NDB in detail, the aim of this blog post is to quickly and succinctly outline the 5 most important things you need to know about NDB scheme within Australia.

Essentially, the why, what, when, who, and which of NDB. I’ll follow with a number of additional posts designed to provide practical guidance for organiations on this topic.

Why NDB?

With the prevalence and increased impact of data breaches on the news and in our lives, there is a greater need than ever for a consistent treatment mechanism. The absence of any industry consensus on data breach notification meant that it was only a matter of time before the Government put in place a scheme to protect the interests of consumers, and individuals.

After extensive industry and professional consultation, the Notifiable Data Breaches (NDB) scheme was passed under Part IIIC of the Privacy Act 1988 (Privacy Act).

What is the NDB?

The Notifiable Data Breaches (NDB) scheme establishes a framework governing how data breaches are assessed and responded to, and the obligations of organisations in reporting breaches.

Specifically, the NDB introduces obligations for organisations who experience a data breach that exposes personal information and meets the criteria specified as likely to cause ‘serious harm’. More on what constitutes ‘serious harm’ in a moment.

Any breach notification must include recommendations for impacted individuals on the steps that they should take as a result of the breach.

The NDB also specifies that the Australian Information Commissioner must be notified of eligible data breaches.

When does NDB come into effect?

The NDB comes into effect on the 22nd of February 2018.

Who does the NDB impact?

Unless you live entirely off the grid and share no personal information, ultimately, the NDB affects us all.

Whilst not an exhaustive list, with some exceptions, a good summary of the organisations that are impacted by the NDB include:

  • Australian Government agencies
  • Businesses and not-for-profit organisations with an annual turnover of $3 million or more
  • Credit reporting bodies
  • Credit providers:
    • banks, building societies, credit unions, finance companies
    • retailers who issue credit card
    • organisations where payment is deferred for at least 7 days – telco’s, energy and water utilities
    • organisations that provide credit for hiring, leasing or renting goods
  • Health service providers
  • TFN recipients, which likely impacts State Government entities if they use TFN’s

An important thing to note is NDB applies to overseas organisations that have been incorporated or formed in Australia.

Which breaches are covered by the NDB?

In broad terms a data breach is defined as either: unauthorised access; unauthorised disclosure; or loss of personal information. The type of personal information covered includes:

  • An individual’s health information or other ‘sensitive’ information
  • information used as a precursor to identity fraud (Medicare card, driver licence, and passport details)
  • financial information
  • a combination of types of personal information.

As with all legislation, the devil is in the detail. This information does not seek to be exhaustive, and the usual legal disclaimers around seeking professional legal advice do apply.

The Office of the Australian Information Commissioner (OIAC) states:

The NDB scheme only applies to data breaches involving personal information that are likely to result in serious harm to any individual affected. These are referred to as ‘eligible data breaches’. There are a few exceptions which may mean notification is not required for certain eligible data breaches.

What does all this mean? The terms ‘likely’ and ‘serious harm’ are key.

  • ‘Likely to occur’ means more probable than not/possible
  • ‘Serious harm’ may include serious physical, psychological, emotional, financial, or reputational harm to an individual

These terms are subjective and require some assessment against the so called ‘reasonable person’ test. Harm can include: loss of business or employment opportunity, damage to a person’s reputation, relationships; humiliation; identity theft; significant financial loss; threats to physical safety; and workplace or social bullying or marginalisation. The circumstances of the breach is also an important factor.

The stated exceptions are interesting, because if an organisation acts quickly to remediate a data breach, and as a result of their quick response the impact of the data breach reduces the breach to something less than what is termed serious harm, then there is no requirement to notify any individuals or the Commissioner.

Hopefully you have found this blog useful to set the scene for NDB. I’ll be following up with an additional series of posts on how to prepare for NDB, what is important during a breach and how your organisation can be prepared.

Information Security Report – December 2017


Over the past month, we have seen a number of threats, vulnerabilities, and spear phishing attacks affecting organisations worldwide. Read on for a summary of these events to help you assess their implication on your environment.

Threats and Exploits


Mailsploit

Mailsploit Allows Spoofed Mails to Fool DMARC. Mailsploit is a collection of vulnerabilities in various email clients which allow an attacker to perform code injection attacks, spoof senders and bypass email protection mechanisms such as DMARC(DKIM/SPF). The security researcher who developed Mailsploit described how Mailsploit allows an attacker to send emails from any address they choose by taking advantage of how servers validate the DKIM signature of the original domain and not the spoofed one. It has been reported that this technique does not currently get detected or blocked by the majority of mail client vendors.

All major email clients and web mail vendors were notified about Mailsploit prior to its public release, however a large number of popular clients still remain vulnerable.

The list of impacted mail clients can be found here >>

It is recommended that users should update their email client whenever there’s a software update available, use end-to-end encrypted messages for personal conversations and at work and/or use PGP/GPG to verify the identities and encrypt email contents.

You can read more on Mailsploit on info security magazine and mailsploit.com

Spear Phishing

Huge Increase in Email Impersonation Attacks: According to Email Security Risk Assessment (ESRA) report, a report released byMimecast Data Security, it was discovered that although organisations continue to face an ongoing threat from malware, the fastest growing threat is impersonation attacks. An organisation is seven times more likely to be hit by an impersonation attack than by email-borne malware. These attacks are also known as whaling or spear phishing where attackers trick recipients into wiring money transfers to the fraudster. These scams are highly targeted and often done after a cybercriminal has gathered enough information to send the right person the right message. These attacks continue to grow faster than malware due to the fact that it’s very hard for traditional defenses like email filters to detect them.

Good user training will give an edge in avoiding most of these payment and impersonation scams. A few other tips for security teams to help combat the social engineering threat include:

  • Conducting internal phishing by phishing your own employees and sharing the results of the testing with them so that they can learn what to look out for. This should be combines with good training on how the users can detect the phishing emails.
  • Impersonation attacks often try to mimic emails from C-level executives. Implement a company policy that closes scam avenues for would-be spear phishers (e.g., never request the sharing of sensitive documents via email).
  • Disable links inside email bodies to force users to manually navigate to the site mentioned in the email. It adds extra steps, but it can prevent a user from clicking on a phishing link by accident.

Read more on info security magazine and TechRepublic

 

Security News and Alerts

Get updates and exclusive content from our security experts
  • This field is for validation purposes and should be left unchanged.

 

Breaches


Virtual Keyboard App Data Breach

Massive Breach Exposes Keyboard App that Collects Personal Data on its 31 Million Users. A team of security researchers have discovered a huge trove of personal data of the users of the virtual keyboard app ‘AI.type’ that was accidentally leaked online for any one to download. This app is a customization for on-screen keyboards on mobile phones and tablets with more than 40 million users worldwide. It is reported that the app requests for ‘full access’ to all user data stored on the phone and appears to collect everything from contacts to keystrokes. The leaked data includes full names, phone numbers, email addresses, device information including device name, screen resolution, model details, android version, mobile network name, country of residence, GPS location and even links and information associated with social media profiles.

Events such as this raise the question about what permissions mobile applications have on our devices (and just how much access these applications NEED). In order to best protect yourself against this form of application privilege abuse, it is recommended to always read and be cautious of what access is granted to applications.

Read more on The Hacker News

Uber Technologies Data Breach

Personal data of 57 million customers and drivers was stolen last year from ride-sharing company Uber with the breach revealed to have been concealed by the company for more than a year. It is suggested that the company paid $100,000 to the attackers. The company however advised that no social security numbers, credit card information, trip location details or other data were taken. Uber is being condemned for how it chose to deal with the issue after discovery of the attack and has also been sued for negligence over the breach by a customer.

It is reported that two attackers were able to retrieve login credentials from a private GitHub coding site which they used to access Uber data from an Amazon Web Services account where they discovered customer and driver related information. Although there are state and federal laws in the United States that require companies to alert people and government agencies when sensitive data breaches occur, Uber failed to comply.

Read more on Bloomberg.com

Breach at PayPal Subsidiary Affects 1.6 Million Customers. Paypal disclosed on 1st December 2017 a data breach on its recently acquired company TIO Networks. Personal information for 1.6 million individuals may have been compromised. TIO is based in Canada and serves some of the largest telecom and utility network operator in North America. Paypal pointed out that the Paypal platform has not been impacted as the TIO systems have not been integrated into its own platform. Paypal advised that affected companies and individuals would be contacted via mail and email, and offered free credit monitoring services via Experian. The data breach was discovered as part of ongoing investigations for identifying vulnerabilities in the processing platform.

Read more on SecurityWeek.com

Other News


Simulated Attacks Uncover Real-World Problems in IT Security. A research report by SafeBreach, a cybersecurity company that has developed a platform that simulates hacker breach methods, reveals that virtual hackers “have a 60% success rate of using malware to infiltrate networks. And once in, the malware could move laterally almost 70% of the time. In half the cases, they could exit networks with data.” The research found that it was not hard to get past the perimeter and once in, it was easy for attackers to move around and exfiltrate data. This is because most organisations overlook concerns over lateral movement as they mostly focus on the perimeter.

According to the report, malware infiltration methods like nesting or “packing” malware executables were effective in bypassing security controls 50% of the time. The success rate of infiltrating a network using packed executables was found to be 55%-61% using JavaScript, VBScript (VBS) using HTTP and using HTML file format (CHM) extension. It is recommended that network security controls should be VBScript (VBS) using HTTP and using HTML file format (CHM) extension. It is recommended that network controls should be configured to scan for malicious files and block them before they make their way to the endpoints/hosts for installation to disk. The report
further outlines how cybercriminals exfiltrate data using the easiest methods which are often through traditional clear or encrypted Web traffic. Ports having the highest exfiltration success rate include Port 443 (HTTPS) and Port 123 (NTP).

It is recommended that in order to better protect resources, organisations should optimize their current security solutions, constantly update the configurations as needed, and then test the changes they make.

Read more on DARKReading.com