Here you will find Shearwater’s latest security advisories, security updates and expert insights.

April 2019 Security Report | Shearwater Solutions


Featured this security report: ASUS release a critical software update to combat “ShadowHammer” Trojan Malware, CISCO’s RV320 and RV325 small business routers are vulnerable to attack, Zero-day vulnerabilities found in Google Chrome and Microsoft Windows are being exploited simultaneously, the recent WinRaR vulnerability is being abused en-masse by threat actors, Adobe patches Cold Fusion to alleviate vulnerability and Apple also patches up a number of serious vulnerabilities in its iOS platform. The latest data breach news includes; between 6TB and 10TB of data extracted from Citrix’s internal network and a second Toyota data breach has leaked up to 3.1 million pieces of customer data. In other news, Windows 7 and Windows Server 2008 R2 support will cease in January 2020.

Current Threats and Exploits


  • ASUS malware software update:
    A critical software update has been released from ASUS to combat a known Trojan malware attack called “ShadowHammer,” the attack itself was disguised as a “critical” software update. Although ASUS stated that “only a small number of a specific user group was found to be targeted,” Kaspersky Labs predicts that the attack could have been distributed to nearly 1 million machines and installed on hundreds of thousands. Along with the software patch, ASUS also introduced a “Live Security” program that users can use to scan their device to see if it has been involved in any known malware attacks. (1)
  • CISCO vulnerability patching:
    Cisco Systems issued 24 patches tied to vulnerabilities in its IOS XE operating system and warned customers that two small business routers (RV320 and RV325) are vulnerable to attack and that no patches are available for either. A total of 19 of the bugs were rated as “high severity” by Cisco, with the others rated as medium. The two router vulnerabilities are rated as “high severity” and are part of Cisco’s Dual Gigabit WAN VPN RV320 and RV325 line of small business routers. Both router flaws were first patched in January, however Cisco said that both patches were “incomplete” and that both routers were still vulnerable to attack. Firmware updates that address these vulnerabilities are not currently available. Cisco also says that there are no workarounds that address either vulnerability. (2)
  • Google Chrome Zero Day Exploit:
    Google has reportedly patched two previously publicly-unknown vulnerabilities – one affecting Google Chrome and another in Microsoft Windows, both were being exploited together. Google released an update for all Chrome platforms that was delivered through the auto-update feature. This vulnerability leverages a memory mismanagement bug that could allow an attacker Remote Code Execution, allowing unauthorized users to inject malicious code. Google has encouraged all Chrome users to verify that Chrome auto-update has applied the 72.0.3626.121 update. (3)
  • WinRaR ACE file extension:
    WinRAR is a file archival tool that is widely used. Users should update to the latest version of WinRAR, or remove it from their computer, as there is no automatic update feature in the software. Shearwater recommends checking if WinRAR is installed on devices in the network. If WinRAR is discovered and it’s verified that it is required, it is critical that the latest version is installed. If WinRAR Is not required, the software should be removed. (4)
  • Adobe Cold Fusion Exploits:
    Adobe’s “Cold Fusion” website development platform has released a patch to remove a vulnerability that could allow a remote attacker to execute arbitrary code. The vulnerability allows a malicious attacker to upload a file of their own choosing and then cause any code within the file to be executed by issuing a HTTP request. All previous versions of Cold Fusion are reported to be vulnerable to the attack and it is recommended that anyone using Cold Fusion updates to the latest version as soon as possible. Additionally, it has also been observed that attacks against the vulnerability are already being conducted. (5)
  • Apple Patches a Number of Serious Vulnerabilities in iOS
    Apple recently released a patch to fix a number of serious vulnerabilities that were discovered in its WebKit framework, which is used by browsers on the iOS platform. The vulnerabilities range in severity, however at their worst they allow for a specially crafted web page to execute arbitrary code. It is recommended that all users of iOS devices update to the latest version of iOS as soon as possible. (6)


It is important that all users install the latest updates to stay protected from security threats.

Recent Breaches


  • Major Citrix Data Breach:
    Citrix recently released information indicating that they had undergone a major data breach where malicious actors were able to gain access to their internal network. After forensic analysis, the breach was determined to have been performed by a sophisticated attacker and it is thought they were able to extract between 6TB and 10TB of data from the internal Citrix network. Furthermore, this data included business documents with details of several of Citrix’s clients. It was also revealed that the attackers likely gained access into the environment by brute force, several employee’s accounts secured with weak passwords were compromised. This breach, like a number of other recent breaches, re-enforces the need to ensure all users have strong passwords and two factor authentication enabled on their accounts. (7)
  • Second Toyota Data Breach:
    Toyota has apologized to customers after a large data breach at its Tokyo area sales network was discovered on 21st March. Toyota said unauthorized network access to a server used by sales subsidiaries may have leaked up to 3.1 million pieces of customer data outside the company. Toyota is still investigating the extent of the data breach, and whether or not the information was exfiltrated. In late February this year, Toyota Australia suffered a cyber-attack that took out its email service and other systems. Toyota has not attributed either of these hacks to any particular actor or group, or advised whether the two are connected. (8)

Other News


  • End of Windows 7 and Windows Server 2008 R2 support:
    Starting on 18th April 2019, users running Windows 7 will start seeing pop-ups reminding them that support for the aging operating system will end in mid-January 2020. Reasons users may have for not upgrading to Windows 10 include concerns about applications not working and computers that cannot run Windows 10. Users with an enterprise license can arrange continued support for some business Windows 7 installations, and users with embedded Windows 7 may have different life cycle dates. (9)

References

  1. Asus software updates were used to spread malware, security group says
  2. Cisco Releases Flood of Patches for IOS XE, But Leaves Some Routers Open to Attack
  3. Disclosing vulnerabilities to protect users across platforms
  4. ‘100 unique exploits and counting’ for latest WinRAR security bug
  5. Security updates available for ColdFusion | APSB19-14
  6. Latest iOS 12.2 Update Patches Some Serious Security Vulnerabilities
  7. Citrix discloses security breach of internal network
  8. Millions of customers’ data accessed in second Toyota hack
  9. Windows 7 Update Support Ends One Year From Today

This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

What is the difference between vulnerability assessment and penetration testing?


There is often confusion around the role of a vulnerability assessment versus a penetration test. This is compounded by unscrupulous security vendors presenting (and pricing) a vulnerability assessment as a penetration test. Aside from poor ROI, this can give an organisation a false sense of security, when in fact they have only received a basic level service. In the following blog article, we explain the difference, and how regular vulnerability assessments and penetration testing should work together to enhance an organisation’s security posture.

What is a Vulnerability Assessment?

A vulnerability assessment is the process of identifying if an organisation’s systems/applications have potential known security vulnerabilities. It is an automated scan(s) followed by the generation of a report containing a prioritised list of the vulnerabilities found, the severity and generic remediation advice. This is a useful auditing tool for the security team to remediate any errors that could allow a cybercriminal to gain access to the organisation’s systems and sensitive data. The quality of the results is dependent on the quality/recency of the vulnerability scanning software and the ability of the security professional interpreting the results.

How is it different from Penetration Testing?

Penetration testing has much greater potential breadth of scope (e.g. social engineering) and depth than a vulnerability assessment. It should only be conducted by certified cybersecurity professionals who use their experience and technical abilities to mimic multiple types of attack used by cybercriminals, targeting both known and unknown vulnerabilities. Vulnerability assessments are often used to scope a penetration test or as a research tool during the reconnaissance phase of a penetration test. Unlike a vulnerability scan, where identified vulnerabilities are not exploited, in a penetration test, the tester will modify their approach until they can provide proof of vulnerability through exploitation and gain access to the secure systems or stored sensitive information that a malicious attack could compromise.

A penetration test report is customised to the organisation and the scope of the engagement and provides the data that is critical to secure an organisation’s systems and stored sensitive information. It supplies the management team with a fast and proven benchmark of the organisation’s level of risk, at a given moment in time, and prioritises the vulnerabilities found, in order of severity, with detailed and customised advice to expediate remediation. This then provides the IT security team with the information they require to fast-track remediation work, demonstrates the ROI of existing security tools and facilitates the management team’s confident approval of security expenditure.


A penetration testing report supplies the management team with a fast and proven benchmark of the organisation’s level of risk, at a given moment in time, and prioritises the vulnerabilities found.

The Difference Between Vulnerability Assessment and Penetration Testing

The key characteristics of a vulnerability assessment and penetration test are compared in the table below.

Vulnerability Assessment

Penetration Test

Purpose

To scan systems to identify potential ‘known’ vulnerabilities and provide generic remediation advice to improve the security of scanned target(s).

Purpose

To identify and demonstrate proof of exploit and provide customised remediation advice to improve the security of the scoped target(s).

Characteristics

  • Automated process

  • Scanning software scans the entire target(s).

  • Scanning software includes networks, web applications, source code and ASV for PCI DSS

  • Scanning software has signatures to identify unpatched or out-of-date software updates, incomplete deployment of security software, bugs and open ports.

  • Scanning software is limited to identify only vulnerabilities it has signatures for. It cannot find vulnerabilities that are unknown.

  • Results may include false positives and negatives. Results identify potential vulnerabilities.

Characteristics

  • Largely a manual process – using a mix of penetration testing software and custom written exploits

  • The tester may use a vulnerability assessment in the reconnaissance phase of a penetration test and then go on to exploit chosen prioritised vulnerabilities.

  • Demonstrates actual risk by emulating a cybercriminal

  • Types of penetration testing include: networks (external, internal, mobile, wireless), applications (mobile, Web, Web service/API), physical security, social engineering and phishing, secure code reviews and red teaming.

  • Able to exploit known and unknown vulnerabilities

  • Testing is rarely exhaustive – tester focuses attention within the scope of the engagement

Results

An automated report with a prioritised list of the vulnerabilities found, the severity and generic remediation advice.

Results

A hand-written report listing the vulnerabilities and exploits, categorised according to risk level and recommendations for remediation based on key insights into the cyberthreat landscape.

Recommended frequency

Outside of meeting a specific compliance requirement, vulnerability scans should be performed externally to the network and from within at least quarterly, or more frequently for organisations with a high-risk profile.

Recommended frequency

Outside of meeting a specific compliance requirement, penetration tests should be performed at least annually, or more frequently for organisations with a high-risk profile.

 

Together, vulnerability assessments and penetration testing enhance an organisation’s security posture. Both are essential components for achieving a strong cybersecurity and information security program – and a requirement for achieving and maintaining compliance.

We hope you’ve found this blog article useful. For more information about penetration testing, download A Guide for First-time Penetration Testing Buyers here >>  In this free guide we answer the questions commonly asked by first-time penetration testing buyers and provide guidance to help you achieve a successful penetration testing experience.

Penetration Testing Complete Guide


Questions & More Information 

Do you have a question about penetration testing? Contact Us today to speak to one of Shearwater’s certified Ethical Hackers. They have extensive experience in providing penetration testing services and assisting clients to achieve and maintain accreditation. 

Demonstrating the ROI of Security Penetration Testing to Management


How do you demonstrate the ROI of Security Penetration testing ? From the management team’s point of view, making the decision to commit to an ongoing cybersecurity budget may be seen as adding yet another expense, with little visibility of a return on investment (ROI). This is particularly true for organisations who are not involved in the riskier areas of application development or ecommerce – perhaps they are a mid-sized manufacturing, transport or construction business – and think they’re not an attractive enough target for a cybercriminal. Think again!

High profile cybersecurity breaches regularly make national and even international news, and are often the result of a targeted attack. What is less well publicised are the more pervasive, lower profile breaches which are more opportunistic in nature and increasingly impact small and medium-sized organisations. This trend can be linked to the sophisticated way in which cyberattacks can now be automated and the introduction of new vulnerabilities resulting from the adoption of new technology and working practices (remote working and BYOD, such as laptops, tablets and phones).


Lower profile breaches which are more opportunistic in nature can impact small and medium-sized organisations.

In a rapidly changing technological landscape, organisations must not only keep pace with the speed of innovation, but also the resulting risks to information security.

Increasingly, organisations are incorporating cybersecurity into their overall risk management policy and business objectives into their security programs, with cybersecurity and information security management fast becoming the domain of management teams, not just the internal IT team. These organisations recognise that cybersecurity and information security are, ultimately, just like any other risk that they face in their business and therefore need to be managed like all those other risks, be they legal, operational, financial etc. They understand not only that they can’t afford a ‘head in the sand’ approach, but that good security practices (and compliance) is a competitive advantage.

For the organisations (predominantly SMEs), who are yet to adopt a more proactive approach to cybersecurity, complacency can be disastrous. With the increase in automated cyberattacks, you can no longer hope that cybercriminals won’t take an interest in your business.

From February 2018, the amended Australian privacy act made the disclosure of cyber breaches to regulators and shareholders mandatory. The penalty for not doing so can be up to $1.8 million for organisations and, with the inclusion of additional fines of up to $360,000 for each board member, the message is clear; take cybersecurity seriously.

Read how specialist web solutions provider The Reach Agency uses regular penetration testing to increase their competitive advantage >>

So what value does a penetration test provide?


A penetration test provides your management team with an extremely fast and proven benchmark of the organisation’s level of risk, at a given moment in time, and prioritises the vulnerabilities found, in order of severity, with advice to expedite remediation. This then provides your IT security team with the information they require to fast-track remediation work, demonstrates the ROI of existing security tools and facilitates the management team’s confident approval of security expenditure.

Explain to management that you can acquire this data in one of two ways, either proactively or via incident post-mortem and, put simply, investing in penetration testing is preferable to responding to a breach from a malicious hacker. The decision of whether to invest in penetration testing is as simple as asking: “Do you want to choose your hacker?”

The difference between an Ethical Hacker and Malicious Hacker


The below is a simple comparison between controlled expenditure on security penetration testing and the uncontrolled chaos that results from having your systems compromised by a malicious hacker. Download this infographic in PDF format here>>

 

Ethical Hacker

Malicious Hacker

 Intention is to help your organisation to succeed

Intention is to extort money or damage your organisation

 Known, proven, highly trained IT professional has access to your IT infrastructure in partnership with your IT department

 Unknown hacker has access to your IT infrastructure

 Careful with your IT infrastructure

 Careless with your IT infrastructure

  You control:

  • Cost (average cost of a pen test $7,000+)

  • Scope and methodology – non-disruptive

  • Timing – convenient

They control:

  • Cost (average cost of a breach US$3.86 million)

  • Scope and methodology – disruptive 

  • Timing – inconvenient

  At the conclusion of testing you are provided with:

  • A comprehensive report listing the vulnerabilities and exploits categorised according to risk level (or at time of discovery for critical/high risk vulnerabilities) and recommendations for remediation to improve your organisation’s IT security.

  • Debriefing for Executives and IT team.

Any data obtained during the test will be treated as confidential and will be returned or destroyed at the conclusion.

 At the conclusion of a malicious breach you could face:

  • A potential ransom

  • Exploited intellectual property

  • Exploited customer data

  • Potential fines and legal ramifications

  • Damaged IT infrastructure and code that takes time/money to investigate and remediate

The whereabouts of any data obtained during the breach is unknown.

Outcome:

Proactive and empowering experience, Improved IT security/compliance is achieved, maintain customer confidence and brand loyalty, security stakeholders have peace of mind.

Outcome: 

Reactive and disempowering experience, damaged IT systems, lost customer confidence, damage to brand loyalty, loss of revenue, loss of share value, security stakeholders have sleepless nights/potential job losses. May bankrupt SMEs.

 

 

When compared in this way, the benefits of investing in penetration testing are self-evident.

We hope you’ve found this blog article useful. For more information about penetration testing, download A Guide for First-time Penetration Testing Buyers here >>  In this free guide we answer the questions commonly asked by first-time penetration buyers and provide guidance to help you achieve a successful penetration testing experience.

Penetration Testing Complete Guide


Questions & More Information 

Do you have a question about penetration testing? Contact Us today to speak to Shearwater’s certified Ethical Hacking Team. They have extensive experience in providing penetration testing services and assisting clients to achieve and maintain accreditation.

December 2018 Security Report | Shearwater Solutions


Featured this month: Exposed Remote Desktop connections create a soft target for attackers, email distribution platforms are increasingly being hijacked to facilitate mass phishing campaigns, several Self Encrypting Drives have multiple vulnerabilities, a VirtualBox Zero Day vulnerability, breaches that caused inconvenience for Dell, created danger and disruption for an Ohio hospital and exposed over 500,000 guests’ data in a breach dating back to 2014 for the Marriott hotel chain. In other news, a Windows 10 (1703 and newer) update allows Windows Defender to operate in a sandboxed environment and Google’s Quic protocol will replace TCP, to offer both compression and encryption, in the next revision of the HTTP protocol.

Current Threats and Exploits


  • Exposed Remote Desktop connections create soft target for attackers:
    Remote Desktop provides a convenient tool for remote administration and for users to access internal resources. It’s also commonly scanned for, and targeted by, attackers attempting to gain unauthorized access to internal networks. Typically (via brute forcing of accounts or through the use of known credentials harvested via phishing or breach data) an attacker will look to gain access to the remote desktop host before launching subsequent attacks internal to the network (e.g. ransomware, cryptomining or data exfiltration).
    In order to avoid falling victim, it’s important that exposed Remote Desktop Protocol (RDP), and other services are appropriately hardened. Simple steps such as geoblocking, good password practices and monitoring of external facing hosts can significantly increase the difficulty of entry for attackers trying to take over your RDP host this holiday season.
  • Marketing email campaign hijacking leads to mass distribution of phishing:
    Shearwater has identified a number of incidents where a company’s marketing or email distribution platforms have been compromised in order to facilitate mass phishing campaigns. Through the use of Business Email Compromise (BEC attack), attackers are frequently looking to gain access to platforms such as MailChimp, that are prepopulated with recipient lists. This provides an easy opportunity to further phish unsuspecting victims.
    If you are unsure of the source of an email, a simple phone call to the sender or your IT security team can help validate the contents in a timely fashion. And if you identify a phishing campaign of this nature, contacting the mail platform and sender to alert them to the incident is also recommended.
  • Self-Encrypting Drives have multiple vulnerabilities:
    There are multiple vulnerabilities in implementations of ATA Security or TCG Opal Standards in Self-Encrypting Disks (SEDs), which can allow an attacker to decrypt contents of an encrypted drive. There is no cryptographic relation between the password provided by the end user and the key used for the encryption of user data. This allows an attacker to access the key without knowing the password provided by the end user, allowing the attacker to decrypt information encrypted with that key. According to the National Cyber Security Centre – The Netherlands (NCSC-NL), the following products are affected by CVE-2018-12037:

    • Crucial (Micron) MX100, MX200 and MX300 drives
    • Samsung T3 and T5 portable drives
    • Samsung 840 EVO and 850 EVO drives (In ATA high mode these devices are vulnerable, in TCG or ATA max mode these devices are not vulnerable.)

The vendors have issued patches to address the vulnerabilities. We recommend that you update to the latest patches as soon as possible.

  • VirtualBox Zero Day vulnerability:
    A new vulnerability has been discovered in VirtualBox’s Intel E1000 NIC driver code when it is operating in NAT mode. The vulnerability, which affects all versions of VirtualBox up to and including 5.2.20, allows malicious code running in a guest VM to gain application level control over the host. To make matters worse, the vulnerable code is shared between a number of different guest operating systems, meaning that it can be exploited from almost any guest. The vulnerability was not responsibly disclosed, and therefore there is currently no patch available.
    We recommended that users of VirtualBox change the type of virtual network adapter to something other than the Intel E1000 or place it into a mode other than NAT. (1)

Recent Breaches



A data breach at Marriott hotel chain has exposed personal details of up to 500,000 guests.

  • Dell resets all customer passwords after cyberattack:
    Dell suffered a security breach on November 9, 2018. Hackers succeeded in breaching the company’s network but were detected and stopped. Investigators found no evidence that the hackers succeeded, but they have not ruled out the possibility that some data was stolen. Analysis of the attack concluded the attackers were seeking customer names, email addresses and scrambled passwords.
    We recommend that Dell customers are vigilant for suspicious emails or account activity. (2)
  • Ransomware attack forced Ohio hospital system to divert ER patients:
    A malware infection and ransomware attack that hit computer systems at the East Ohio Regional Hospital and Ohio Valley Medical Centre over the Thanksgiving weekend reportedly disrupted the hospitals’ emergency rooms causing ambulances to be diverted to other area hospital emergency rooms. The attack hit on the evening of Friday, Nov. 23, leaving the hospitals temporarily unable to accept ER patients via emergency responders.
    A spokesperson for the hospitals said that there has been no patient information breach. (3)
  • Marriott’s massive data breach:
    The Marriott hotel chain has reported a massive data breach that was discovered to be related to a cyberattack dating back to 2014. The breach affected personal details of up to 500,000 guests of its Starwood branch, such as Westin, Sheraton, Le Meridien, St Gegis and W Hotels. It’s believed that personal information for around 327,000 reservations was exposed, including name, address, phone number, passport number, details of the stays, etc. Credit card numbers and expiry dates of some guests may also have been taken. (4)

Other News


  • Windows Defender sandboxed:
    Current versions of Windows 10 (1703 and newer) have received an update which will allow Windows Defender to operate in a sandboxed environment. As anti-malware software requires complete visibility over the whole system to provide effective protection, they need to run with very high privileges. As a result of these high privileges, they have become a common target for malware and malicious actors, as a successful compromise could give them control over the system. To reduce the risk, Microsoft have isolated Windows Defender in a sandboxed environment, making it harder for a compromise in Windows Defender to take over the system.
    Sandboxing is not currently enabled by default in Windows. However, if users wish to enable it on their system, they can issue the following command from an administrator command prompt and restart their system “setx /M MP_FORCE_USE_SANDBOX 1”. (5)
  • HTTP 3 using UDP:
    The Internet Engineering Task Force (IETF) has stated that the next revision of the HTTP protocol will not use Transmission Control Protocol (TCP) for its transport layer connections, but Google’s QUIC (Quick UDP Internet Connections) protocol instead. QUIC, which itself operates using UDP, was originally designed by Google and provides both compression and encryption.
    When the new protocol becomes more widely used, firewall rules will need to be permitted to allow UDP 443 connections. (6)

References

  1. Zero-Day Exploit Published for VM Escape Flaw in VirtualBox
  2. Dell.com resets all customer passwords after cyber attack: statement
  3. Ransomware Attack Forced Ohio Hospital System to Divert ER Patients
  4. Massive data breach at Marriott’s hotels exposes private data of 500,000 guests
  5. Windows Defender Antivirus can now run in a sandbox
  6. HTTP-over-QUIC to be renamed HTTP/3

 


This Information Security Report is brought to you by Shearwater Solutions

The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Whatever your Information Security challenge, we’re here to help you find the right solution.

WebEx, LibSSH Authentication & D-Link Router Vulnerabilities | Shearwater InfoSec Report


The Information Security Report is a monthly summary, compiled by Shearwater’s experienced cybersecurity professionals, to highlight the vulnerabilities and new attack vectors in some of the latest active threats, exploits and breaches and share recommendations to help you protect your data and stay a step ahead.

Featured this month: A WebEx vulnerability that allows a remote attacker to execute code on the machine, a LibSSH authentication vulnerability that allows a remote attacker to authenticate without valid credentials, 3 vulnerabilities in a number of D-Link routers which combine to allow a remote attacker to take over a device, a number of new Drupal code execution vulnerabilities and a Windows zero-day vulnerability. Recent breaches include Cathay Pacific and iNet and in security news, the Californian government has passed a bill to mandate manufacturers improve passwords on IoT devices.

Current Threats and Exploits


  • WebEx Remote Code Execution Vulnerability:
    A vulnerability with Cisco Software’s Web meeting/presentation client, WebEx Client, has been discovered that would allow a remote attacker to execute code remotely on the machine.
    We recommend that users patch their WebEx Client Software to version 33.6.0 to prevent the usage of this vulnerability. (1)
  • LibSSH Authentication Vulnerability:
    A new vulnerability has been discovered in the LibSSH package, which is used to add support for SSH to devices. The vulnerability, assigned CVE 2018-10933, allows a remote attacker to present the server with a successful authentication message (SSH2_MSG_USERAUTH_SUCCESS) upon connecting and the server will accept the message. As a result, the attacker can easily become authenticated to the device without needing to present valid credentials. The vulnerability is reported to exist in all versions of LibSSH after 0.6.
    Users of LibSSH are advised to upgrade to the latest versions, 0.8.4 and 0.7.6, which have been fixed to remove the authentication flaw.(2)
  • D-Link Routers Vulnerable External Control:
    Security researchers have identified three vulnerabilities in a number of D-Link routers which, when combined, allow a remote attacker to take control of the device. The first vulnerability allows an unauthenticated attacker to browse the file system of the router to obtain the password file. The second vulnerability results in the password file they obtain being stored in cleartext, giving them access to the raw passwords. Finally, the authenticated attacker can execute arbitrary code on the device, through the Web interface. As an attacker can obtain the raw passwords using the first two vulnerabilities, they can take over the device. D-Link was informed of the vulnerability back in May this year, however they have failed to release any patches.
    It is strongly advised that anyone using D-Link routers ensures they are not configured to allow access to their Web interface from the Internet. (3)
  • More Drupal Code Execution Vulnerabilities:
    A number of new remote code execution vulnerabilities have been discovered in the Drupal content management system. One of the most critical vulnerabilities exists in the default mail backend, which does not check for shell arguments when processing emails, allowing them to be executed on the server.
    Users should ensure that Drupal 7 is updated to version 7.60, Drupal 8.5 is updated to version 8.5.2 and Drupal 8.6 is updated to version 8.6.2. Additionally, any versions of Drupal 8 before version 8.5 are no longer supported and, therefore, will not receive the security updates. (4)
  • Windows 10/Server 2016/Server 2019 Microsoft Data Sharing Zero-day Vulnerability:
    A security researcher has disclosed a Windows zero-day vulnerability on Twitter for the second time in the span of two months. Proof of Concept (PoC) code for this vulnerability was also published on GitHub, which can be used to delete crucial Windows files and cause the operation system to crash. The vulnerability affects the local Microsoft Data Sharing service (dssvc.dll), present in recent versions of Windows OS, such as Windows 10 (all versions patched with latest October 2018 update), Windows Server 2016 and Windows Server 2019. An attacker, who already has access to the system, can exploit this vulnerability to elevate their privileges allowing them to delete files that normally can only be deleted by admins and take further actions with appropriate modification on the PoC.
    Microsoft is currently working on a fix for this vulnerability. In the meantime, we recommend following best practice security practices and to be vigilant for anomalous activity. (5)

Recent Breaches



A data breach at Cathay Pacific Airways has prompted calls to review Hong Kong’s breach disclosure rules.

  • Cathay Pacific Major Data Breach:
    The Hong Kong flight carrier Cathay Pacific has suffered a major data breach, in which cybercriminals had accessed the personal data of over 9.4 million passengers. The breach exposed private details, including passenger names, nationalities, dates of birth, phone numbers and email addresses. Cybercriminals have also compromised 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV).
    Hong Kong’s Privacy Commissioner, Stephen Wong Kai-yi, has pledged legal help for affected customers. Cathay Pacific and IT experts have recommended that passengers are vigilant for suspicious emails or account activity, as they anticipate phishing activities following the leak. (6)
  • Leaky Amazon S3 Bucket causes Washington ISP Customer data to be Exposed:
    Washington Internet Service Provider Pocket iNet has had over 73GB’s of data publicly exposed due to a misconfigured Amazon S3 Bucket. The exposed data includes plaintext passwords and AWS secret keys for Pocket iNet employees, internal diagrams of their infrastructure, details of configuration, inventory lists and photographs of their equipment. It also exposed priority customer details using the service.
    This type of breach can be mitigated by setting up a policy to check Amazon S3 Bucket configurations, as well as making sure buckets aren’t public facing. (7)

Other News


  • California passes Bill on IoT Device Security:
    The Californian government has passed legislation that bans the use of default weak passwords on IoT devices. Device manufacturers must ensure that IoT devices have a unique default password or a password that changes on the first authentication attempt.
    This should assist in device security, preventing these devices from being compromised by the use of hardcoded and default credentials. (8)

References

What you need to know about Business Email Compromise (BEC) attacks


Business Email Compromise (BEC) attacks are increasing at an alarming rate and look set to continue as a favoured method of cyberattack in the future. In this blog article, Shearwater’s social engineering and phishing expert, Damian Grace, provides guidance on what you can do TODAY to reduce your organisation’s risk.

In a concerning trend, Australia ranked second in the world (at 27.4%) for reports of attempted BEC attacks in the first half of 2017, (1) and reports to the ACSC’s, Australian Cybercrime Online Reporting Network (ACORN) during 2016-17, attributed losses of A$20 million to BEC attacks. This increase of 230% from the $8.6 million during 2015-16 “likely represents only a small percentage of total activity, as both misreporting and underreporting occurs.” say the ACSC in their 2017 Threat Report (2)

What draws cybercriminals to target Australian organisations in this way? Australia’s large number of online transactions, early adoption of emerging technologies and use of software favoured for exploitation by cybercriminals has a role to play, but it is mainly due to the fact that BEC attacks offer a great ROI for cybercriminals; providing high returns – with attacks originating from overseas currently having a low chance of prosecution.

What is a BEC attack?

A Business Email Compromise (BEC) is a form of spear (targeted) phishing that aims to trick employees (generally in finance or HR) into transferring funds into a ‘new’ business bank account (belonging to the cybercriminal) or sharing sensitive information at the request of a cybercriminal impersonating a senior executive.

Cybercriminals use social engineering and/or hacking techniques to compromise legitimate email accounts or spoof (create fake) emails to make them appear to be from a high-level employee, co-worker or supplier. The most commonly spoofed positions are the CEO and managing director, targeting the CFO and finance director (3)

The five common types of BEC attack are:

CEO Fraud

A scammer impersonates the CEO (or high ranking executives) then sends scam emails trying to get an employee to transfer funds or confidential information.

Attorney Impersonation

A scammer impersonates a law firm, or someone from a law firm, usually requesting that funds be transferred into an account to settle an ‘overdue bill’.

Fake Billing

A scammer hacks into the email account of a business that has a relationship with a supplier. They then impersonate the supplier and request that ‘unpaid bills’ be paid to a ‘new’ account.

Accont Compromise

A scammer hacks into the email account of an employee (usually Finance) and contacts customers on the contact list stating a problem with a payment and requesting that payments are made to a ‘new’ account.

Data Theft

A scammer impersonates targeted employees (usually HR) and then sends out requests to employees and executives requesting personal information verification or updates.

Cybercriminals use both a low quality (basic research), high quantity approach, bombarding an organisation with multiple spear phishing emails in the hope that a link will be clicked, and also a high quality (highly researched), low quantity approach, where it is much harder for employees to spot the difference between real and counterfeit emails and the more likely the email will pass spam filters and whitelisting.

A cybercriminal researches their targets using company websites, LinkedIn and social media to learn the names, work titles, email addresses and interests of their targets. Once they’ve compromised their target employee’s email account “they’ll generally wait and observe email communications for at least a month before initiating the attack,” say Shearwater’s Incident Response Team, based on their findings when providing post-attack security hardening services. They’ll look for upcoming travel and events, suppliers and regular financial transactions, the arrival of new starters and key decision makers taking leave in their target department.

BEC & Social Media
Cybercriminals research their targets using social media, in preparation for a BEC attack..

BEC attacks are dangerously effective because they are socially engineered – designed to leverage human nature. They will be addressed from a senior colleague or a supplier, may appear to cc other employees or be a forwarded email, will request actions within the target employee’s normal range of duties and will often display knowledge of confidential company information – all designed to reduce suspicion. Attacks are usually initiated when key decision makers are away from the office, at an inconvenient or busy time and the request is always ‘urgent’ and ‘important’.

There are 2 mechanisms for the delivery of a BEC attack.

Email spoofing

A range of tactics are used to make an email appear to be from a trusted source or colleague:

  • Using the email header – to make the message appear to have originated from a trusted source
  • Using an email address that is almost identical to the address they are impersonating
  • Using an almost identical domain name (that the cybercriminal has purchased and configured to look like the company domain.)

A spoofed email may contain a link that will install malware, leading to account compromise.

Account compromise

The attacker’s aim is to gain access to their target employee’s email account. This is commonly achieved using a phishing email which includes a link to install malware, phone-based vishing, or USB drop to trick victims into divulging login credentials or installing malware or keyloggers into their computers or devices. Once compromised, the attacker will monitor the account for opportunities for exploitation; using the account for further research and to send emails to target employees, taking steps to ensure that the legitimate owner of the account is unaware.

What you can do TODAY to protect your organisation


An effective defence from BEC attacks requires a proactive, three-pronged approach, focusing on:

  1. Employee training
  2. Updating business policies and procedures
  3. Selecting and configuring technology

1. Employee training

Ensure that ALL employees within your organisation receive the latest phishing prevention training. For a fast and effective solution, offering an excellent ROI, seek a third-party provider that can deliver a proven, scalable, cloud-based solution that incorporates engaging cybersecurity training and phishing simulations and reporting to benchmark and provide ongoing risk reduction. As BEC attacks generally target CEO, CFO, HR and finance roles, it is imperative that training is prioritised for these roles.

In the interim, advise employees of the tell-tale-signs of a basic BEC attack email. Look out for a combination of:

  • A request to change bank account details, make a money transfer or provide confidential information
  • A request that is urgent and requests secrecy.
  • An email signature that is missing, incomplete or incorrect
  • Poor grammar or spelling

If employees receive an email with these characteristics, they should:

  • Check the address in the ‘from’ field (is it really from who they think)
  • Check with the sender either face-to-face or by phone (using the company directory, NOT the contact details within the email)
  • Not open any attachments or click on any links
  • Notify their IT department.

Phriendly Phishing Training
Ensure that ALL employees receive the latest phishing prevention training.

2. Update policies and procedures

The following updates to your organisation’s policies and procedures will help to reduce your BEC attack risk and help you to correctly manage phishing emails that reach employee inboxes.

  • You may choose to make it mandatory that requests for transferring funds, payment changes or providing confidential information:

    • Are not made via email, and/or
    • Require a 2-step, or more, verification process, with written approval for large amounts and confirmation face-to-face or via telephone (using an internal phone book, NOT a number in the email)
  • Create/update policies and procedures for the safe handling of suspicious emails.
  • Create/update policies and procedures for communicating with suppliers.
  • Promote file sharing on your organisation’s internal networks to reduce the need to email files.

Ensure that ALL employees are made aware of these changes.

3. Select and configure technology

The following technology solutions will help to reduce your BEC attack risk by blocking or quarantining suspicious emails before they reach employee email inboxes and flagging higher risk emails or content to alert users.

Multi-factor authentication

  • Implement multi-factor authentication for both employee workstations and remote access, to make it harder for cybercriminals to compromise employee email inboxes.

Domains

  • Ensure your organisation publishes SenderID/SPF records for their domain and that checks are conducted on emails claiming to be sent from this domain. Request that your suppliers do the same.
  • Register domains that vary slightly from your organisation’s actual domain to prevent cybercriminals from being able to do this.
  • Implement/correctly configure Domain-based Message Authentication, Reporting and Conformance (DMARC) to enhance Sender Policy Framework (SPF) and/or Domain Keys Identified Mail (DKIM) to enable 2 email authentication technologies on all emails, to identify the sender of a message and:

    • Block SPF hard fails (emails verified as not originating from the domain they claim to originate from)
    • Block DKIM verification fails – log and investigate and inform the spoofed organisation
    • Quarantine and flag to users any SenderID/SPF soft fails

Flags and alerts

  • Flag external emails e.g. add [EXT] to the start of the subject
  • Set alerts on the creation of mail forwarding rules, or unusually high outbound email volumes.
  • Flag emails with extensions that are similar to your corporate email

Software and logging

  • Ensure that antivirus software is up-to-date and correctly configured.
  • Keep blacklisting and whitelisting up-to-date
  • Provide users with the ability to report suspicious emails to IT (e.g. with free outlook add-ins like S.C.A.M. Reporter)
  • Ensure that logging is switched on for the email content filter and email servers and that logs are regularly audited. If your organisation is the victim of a successful cyberattack, these logs will enable faster detection and remediation work.

Environments

  • Provide a safe environment for the IT security team to investigate suspicious emails.
  • Provide the ability for file sharing on your organisation’s internal networks to reduce the need to email documents.

If your organisation is high risk, the ACSC recommends the following to reduce the likelihood of a user clicking on a malicious link or opening a spoofed attachment(4):

  • Convert attachments to PDF (and quarantine originals)
  • Whitelist attachments based on file typing to identify and block spoofed attachments
  • Block encrypted attachments
  • Disable macros and JavaScript content and quarantine originals
  • Replace active web addresses in an email’s body with non-active versions. The user must then copy and paste the URL and will have the opportunity to detect a difference between the displayed and actual URL.
  • You may also wish to block any non-authorised third-party email services.

The three-pronged approach above provides general recommendations for reducing your organisation’s risk in relation to BEC attacks. For a more tailored approach, contact your cybersecurity partner to enquire about cybersecurity and information security risk assessment services.

Resources

Download a free poster to assist your employees to identify 5 Common Types of Business Email Compromise (BEC) Attack

References

  1. Micro 2017 Midyear Security Roundup: The Cost of Compromise
  2. Australian Cyber Security Centre 2017 Threat Report
  3. Trend Micro 2017 Midyear Security Roundup: The Cost of Compromise
  4. Malicious Email Mitigation Strategies

PhriendlyPhishing by Shearwater Solutions

Phishing Awareness Training & Simulation Program 

Phishing awareness training is a scaleable, cloud-based phishing awareness and simulation program developed by certified cybersecurity professionals at specialist information security services provider Shearwater Solutions. Phriendly Phishing benchmarks employees’ existing phishing knowledge (before deploying educational modules), tests improvements and supports re-education. This journey-based approach encourages users to reach milestones and includes an option to gain practical experience with simulated phishing campaigns. It is these features that make Phriendly Phishing both engaging and extremely effective, and through ongoing research and practical experience in the field, Phriendly Phishing developers ensure that training remains current with real-world phishing threats and techniques.

IRAP Frequently Asked Questions


What is IRAP?


The Information Security Registered Assessors Program (IRAP) is an initiative of the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC) to ensure the standard of cybersecurity and information security assessments for Information and Communications Technology (ICT) systems that process or store government information. A certified IRAP Assessor’s role is to conduct independent assessments of any system, network or gateway, for compliance with the Australian Government Information Security Manual (ISM), the Protective Security Policy Framework (PSPF) and other Australian Government guidance, to ensure the safety of government information. An assessment is the first stage in the process towards achieving Australian Government security accreditation for suitability to process, store or communicate government or sensitive information.

 

Why conduct an IRAP Assessment?


Cybersecurity and information security are a top national security priority for government, to prevent cyberintrusions on government systems, critical infrastructure and other information networks that could threaten Australia’s national security and national interests.

An Information Security Registered Assessors Program (IRAP) assessment is the first stage in the process towards achieving accreditation for suitability to process, store or communicate government or sensitive information. Government agencies and commercial Information and Communications Technology (ICT) systems, Cloud providers, Networks and Gateways that process or store government information (or wish to do so) are required to achieve and maintain Australian Government security accreditation by demonstrating compliance with the Australian Government Information Security Manual (ISM) and the Protective Security Policy Framework (PSPF) and other Australian Government guidance.

 

Who is responsible for IRAP?


The Information Security Registered Assessors Program (IRAP) is an initiative of the Australian Signals Directorate (ASD) through the Australian Cyber Security Centre (ACSC).

 

Who are IRAP Assessors?


Information Security Registered Assessors Program (IRAP) Assessors are Australian Signals Directorate (ASD)-certified Information and Communications Technology (ICT) professionals from across Australia who have:

  • the necessary experience and qualifications in ICT, security assessment and risk management, and
  • a detailed knowledge of Australian Government information security compliance requirements.*

Becoming a certified IRAP assessor requires extensive, prerequisite qualifications and experience and the completion of IRAP training and examinations. Thereafter, IRAP assessors are required to maintain these prerequisite qualifications and complete annual training.

Shearwater has several Security Consultants who are certified IRAP Assessors.

* ACSC, Who are IRAP Assessors?, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/who_assessors.htm>.

 

What can an IRAP Assessor assess?


Assessments of up to SECRET classified systems can be undertaken by agency Information Technology Security Managers (ITSMs) and Information Security Registered Assessors Program (IRAP) Assessors. Assessments of TOP SECRET systems can only be undertaken by the Australian Signals Directorate (ASD) and IRAP Assessors with appropriate clearance.

IRAP Assessors may provide assessment for:

  • Cloud services
  • Gateways
  • Information systems
  • Gatekeeper
  • FedLink

 

What is the Australian Government security accreditation process?


The accreditation process is as follows:

  1. Assessment
    • Audit stage 1 –Assessor provides a Findings Report to the system owner
    • System owner implements controls
    • Audit stage 2 – When controls have been met, an Audit Report is sent to the Certification Authority
  2. Certification Authority Assessment of Audit Report and residual risk. If successful;
  3. Certification awarded. Certification Report is then sent to the Accreditation Authority.
  4. Assessment of Certification Report, residual risk and other factors. If successful;
  5. Accreditation awarded.*

In most cases, reaccreditation is generally required every 2-3 years. For Australian Signals Directorate (ASD) Certified Cloud Services, ASD recertification is required every 2 years for UNCLASSIFIED DLM services and every 1 year for PROTECTED services.

* Abbreviation of process described by ACSC, Accreditation, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/accreditation_framework.htm>.

 

What is the IRAP Assessment process?


An Information Security Registered Assessors Program (IRAP) assessment has two stages:

  • Audit Stage 1 – Security deficiencies are identified and a Findings Report is provided to the System Owner.
  • Audit Stage 2 – Remediated security deficiencies are audited and an Audit Report is sent to the Certification Authority.

During Audit Stage 1, the IRAP Assessor:

  • defines the statement of applicability in consultation with the system owner
  • gains an understanding of the system
  • reviews the system architecture and the suite of system security documentation, including:
  • seeks evidence of compliance with Australian Government Information and Communications Technology (ICT) requirements and recommendations, and
  • highlights effectiveness of ICT controls and recommends actions to address or mitigate non-compliance.

The outcome of a Stage 1 Security Assessment is a Findings Report, given to the System Owner.

During Audit Stage 2, the IRAP Assessor looks deeper into the system’s operation, focusing on seeking evidence of compliance with, and the effectiveness of, security controls. The IRAP Assessor will conduct a site visit where they will:

  • conduct interviews with key personnel
  • investigate the implementation and effectiveness of security controls in reference to the security documentation suite, and
  • sight all physical security and information system certifications and any related waivers.

The outcome of a Stage 2 Security Assessment is an Audit Report, given to the Certification Authority that:

  • describes areas of compliance and non-compliance
  • suggests remediation actions, and
  • makes a certification recommendation.

The Certification Authority uses the report to:

  • assess the residual risk relating to the operation of the system
  • assess any remediation activities the system owner has undertaken, and
  • make a decision on whether to grant certification.

* ACSC, What is an IRAP Assessment?, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/irap_assessments.htm>.

 

Who is the Certifying Authority and what is their role?


The certification authority for government systems is generally the owning agency’s Information Technology Security Advisor (ITSA). The Australian Signals Directorate (ASD) is the certification authority for all TOP SECRET systems and for gateways and cloud services hosting multiple government agencies. The certifying authority is responsible for reviewing the Audit Report provided by the Information Security Registered Assessors Program (IRAP) Assessor. Certification will be awarded if the Certification Authority is satisfied that:

  • The system has been appropriately audited, and
  • Associated security controls have been implemented and are operating effectively.

The Certification Authority will then make a recommendation to the Accreditation Authority based on any identified non-compliance and mitigation strategies.*

* ACSC, Accreditation, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/accreditation_framework.htm>.

 

Who is the Accreditation Authority and what is their role?


The Accreditation Authority is typically the agency head or a senior executive who has an appropriate level of understanding of the risks they are accepting on behalf of the agency. The Accreditation Authority:

  • Accepts any residual risks that were identified during the audit and certification process, and
  • Awards accreditation.

Accreditation of a system ensures that either sufficient security issue remediation has been achieved or that deficiencies have been accepted by an appropriate authority.*

*ACSC, Accreditation, accessed 9 October 2018, <https://acsc.gov.au/infosec/irap/accreditation_framework.htm>.

 

What is the Protective Security Policy Framework (PSPF)


The Protective Security Policy Framework (PSPF) is the responsibility of the Attorney-General’s Department. Its purpose is to provide policy, guidance and best practice advice for security governance, personnel security, physical security and information security for government agencies or commercial Information and Communications Technology (ICT) systems, Cloud providers, Networks and Gateways that process or store government information.*

*Australian Government Attorney-General’s Department, The Protective Security Policy Framework, accessed 9 October 2018, <https://www.protectivesecurity.gov.au/Pages/default.aspx>

 

What is the Australian Government Information Security Manual (ISM)?


The Australian Government Information Security Manual (ISM) is the responsibility of the Australian Signals Directorate (ASD), through the Australian Cyber Security Centre (ACSC). It is the standard which governs the security of government Information and Communications Technology (ICT) systems. All government agencies and commercial ICT systems, Cloud providers, Networks and Gateways that process or store government information are required to comply with the ISM.

 

How often is reaccreditation required?


In most cases, reaccreditation is generally required every 2-3 years. For Australian Signals Directorate (ASD) Certified Cloud Services, ASD recertification is required every 2 years for UNCLASSIFIED DLM services and every 1 year for PROTECTED services.

 

How long does an IRAP Assessment take?


The length of time for an Information Security Registered Assessors Program (IRAP) Assessment can vary depending on the complexity of the system being assessed. Typically, this could range from 1-3 months.

 

What is an organisation expected to do during an IRAP Assessment?


Your organisation will be expected to participate in several activities throughout the Information Security Registered Assessors Program (IRAP) assessment, including:

  • Scheduling and participating in interviews with key stakeholders
  • Organising the IRAP assessors’ access to all system documentation
  • With the guidance of the IRAP Assessor, schedule meetings with system administrators, engineers, and/or security operations personnel to validate the implementation of security controls
  • Outline and demonstrate any additional security controls implemented.

 

Useful Links

The 5 most important things to consider during a data breach

Notifiable Data Breach


Learning that you have experienced a data breach is an uncomfortable moment in any person’s life. Especially if you are a cyber security professional charged with keeping information safe and secure. More so if a third party tells you that you have seemingly lost information. Unfortunately, any day involving a data breach will be a bad day. How bad a day, will depend on a number of factors, and your level of readiness. The five important things to consider during a data breach presented here aim to help make a bad day, just a little bit easier.

Please keep in mind that managing a data breach is complex. There is no substitute for experience and knowledge, as no two data breaches are identical. The caveat I need to provide with this advice, is that the five most important things to consider during a data breach is not exhaustive advice and there are nuances that you need to consider. Please treat the following as general good practice advice.

Before we dive into a Top 5

There is a propensity to look for blame and jump to conclusions. Keep in mind, if you take your security obligations seriously, respect the role you have as a custodian of sensitive information, invest appropriately in security and manage your risk appropriately, you need to accept the fact that you are not alone. You are not incompetent or even special, breaches happen, and are a part of the world we live in. You are not the first person or organisation to experience a breach and unfortunately, you won’t be the last. Having said that, if you are guilty of consistently ignoring your security obligations, underinvesting in people, process and technology, overlooking your obligations to protect sensitive information, and trusting to providence that everything will be fine, those feelings of regret, remorse and discomfort are entirely appropriate.

At this stage you haven’t even confirmed whether it really is a security incident, you’ve just received (or uncovered) some information that indicates there might be a breach. So, before we panic, we really just need to work through the steps and work the facts.

Incident response is a process typically consisting of six main steps:

1.  Preparation

2.  Identification

3.  Containment

4.  Eradication

5.  Recovery

6.  Lessons Learned

Now if you haven’t actually done step number 1. Preparation, then a little bit of panic is probably appropriate at this stage, but all is not lost.

 

#1 – Confirm the breach, work the data.

Before we get carried away let’s establish whether there, in fact, has been a breach. This is part of the identification stage in the incident response process. You need to look at what has been reported and how. Was it third-party notification? i.e. someone outside the organisation told you a customer perhaps or business partner. Was it an internal staff member that reported something weird, or clicked a link? Was it your bank letting you know that there have been fraudulent transactions on credit cards and the common factor is your organisation. Was there data on Pastebin or similar services that looked like it may have come from your databases? Was there an alert from an IDS/IPS, SIEM event or other systems that indicated there may be a breach? Are files on the network suddenly encrypted?

These notifications all need to be validated and confirmed. It wouldn’t be the first time an incident turned out to be a new feature on a website, a new system or a misconfiguration (which can be a breach as well BTW).

How do you confirm the breach? Simple, assume the information received is correct and form a hypothesis of how it could have occurred. We’re doing a privacy blog here so let us use the loss of Personally Identifiable Information (PII) as an example. Let’s say data has been identified on Pastebin and it looks like your client records. Some key questions you will need to ask are:

  • Where does this information exist in our organisation?
  • How can it be accessed, is it internal only or internet facing? Perhaps it is stored by a third party?

Asking these two questions will help you establish whether it is indeed your data and perhaps give a clue as to which controls may have failed. These questions will provide guidance as to where you need to look next. Are we looking through web and application logs, or are we digging through internal access logs in Active directory, proxy logs, email logs, etc? By just following up on these two questions, the Shearwater team have in the past confirmed incidents where hackers had gained access to systems and were actively retrieving data, but we’ve also identified incidents where a staff member inadvertently mailed out the bulk of a confidential database. In one case, the breach was actually at a third party where the data was stored for other purposes.

Now that you have validated it is indeed a breach or a suspected breach we can move on to containment. If you haven’t already done so to help identify the issues this is a good time to get the incident response team together. It might be a good time to let management know there is a potential breach that needs to be dealt with and give the privacy officer a heads up to let them know that there may be a notifiable data breach requirement. But this is all in your incident response plan…. right ?

Manage Data Breach
Having a structured approach to a security incident will help make a bad day, just a little bit easier.

 

#2 – Contain the pain

Containment of the incident is the next step in the process. It is possible that the damage has been done, true, but you still need to deal with the fact that an attacker may still be in your network and may still have access to the data. There is an argument to allow the breach to continue as it may provide you with valuable information that may allow you to better prosecute the perpetrator. To be honest, to me this is like saying “let the bank robbers get away with the money because I want to see how they make their getaway”. If you are losing PII the best response is generally to shut them out. Remember the attacker doesn’t necessarily know why they lost access. They will often assume they did something wrong.

In the identification stage you would have looked at the various logs and established how the deed occurred, or at least you’ll have a good idea. If the web logs indicate an SQL injection, perhaps remove the application, or configure a WAF to drop those requests. Maybe shut the service down whilst you identify the root cause and eradicate the issue (the next step). If it was a mail-out by a staff member, have a chat to the culprit and explain the result of their actions. So to contain the issue you may be:

  • Resetting passwords and disabling compromised credentials
  • Addressing known vulnerabilities and bugs via patching
  • Blocking network access
  • Quarantining compromised hosts or applications or shutting down systems.
  • Having some stern discussions on following processes.

Various business decisions should inform all of the above approaches, and should weigh up the harm occurring due to the compromise/breach versus the harm that could occur from shutting down systems. The decision to shut down systems that effectively shut off business operations should not be taken lightly, but may be necessary to help prevent a greater harm. Don’t forget if your systems are being used to attack others, you may be in deeper water than you first realised. Also don’t forget to communicate to management what has been happening and where things are at.

 

#3 – Fumigate, eradicate, exterminate

Once the containment has been accomplished, there is huge pressure to remove the badness immediately. However, you need to identify the root cause of the issue. During identification you had the first clues, during containment you shut them out and hopefully gained more insight. Now it is time to do some navel gazing and identify exactly the how, what and why of the issue. There really is no substitute for a thorough investigation. This is no time to take shortcuts. If you do not have the skills, consider getting some in. Getting this wrong will result in a system that is compromised over and over and over. We see this quite often when organisations miss this step or get the next step (recovery) wrong.

Identifying the root cause of the issue is paramount. Analysis should be undertaken and the path to compromise understood in intimate detail. If you can’t explain the breach in excruciating detail and don’t have a complete timeline of events (within the realms of what is possible), then the investigation is not complete. You will be under pressure to undertake the investigation quickly but resist the urge to finalise the investigation until you understand the breach and can have sufficient input for recovery. Make sure you have your facts and are as certain as you can be. Remember number 1, the issue has been contained, you are no longer hemorrhaging data.

When looking for the root cause make sure you manage your evidence, establish your timelines and identify the how and why. Was it missing patches, misconfiguration of a system, a missing firewall rule, a bad piece of code in an application, a WAF that was switched off. Creating a timeline is by far the best approach to get clarity on the events that have resulted in the breach.

Go through all the elements. On servers perhaps take a forensically sound image or snapshot. Safeguard log files. All of these can be used as evidence and help identify the how. Use the tools you have to identify the vulnerability that was exploited. It could be technical, it could be procedural. Consider deploying an incident response tool to help identify the compromised systems or malware if present.

Once you have established the how you can now devise strategies to eradicate the issue.

In the case where you have lost PII your privacy officer or committee should now have the relevant information that they need to complete their analysis on whether the breach needs to be reported or not. You will have information on:

1.  the timeframe (when did the breach start?)

2.  what systems and information has been disclosed, accessed modified or lost

3.  who has been impacted. Is the impact likely to cause serious harm

4.  are third parties involved or impacted

You may have some of the information already from the previous stages, but until the investigation has concluded you may not have certainty.

Manage Data Breach
Post-breach clean-up is vital to prevent recurrence.

 

#4 – FIX IT, once, correctly.

This is the recovery stage of the incident response process. Rebuilding systems, recovering data, patching systems, fixing the configuration to make sure the same issue does not reoccur. This step is informed and guided by the output of the previous eradication steps. Post-breach clean-up is vital to prevent recurrence. We have instances where a breach occurred in 2011, every two or three days the attackers return to test and see if the system is vulnerable again. That is a long-term game. We have seen instances where the system was brought back online prematurely and the attackers took control before all security measures could be implemented. We’ve seen organisations recover corrupted data from backups, only to be breached again because the application was not fixed.

Build it from scratch, patch it, test it, scan it, patch it again, test it again, make sure that you apply all the additional controls you identified that would have helped prevent the issues. Test it again. After all that is complete, that is the stage where the system can be put back online.

Keep in mind that during recovery, your support and administration staff are likely to remain overworked and under pressure. Implement and enforce fatigue management processes to manage workloads to ensure silly mistakes don’t creep in at this stage.

Then watch it as they will be back, remember they do not know why the system went away or they lost access to the system.

 

#5 – Notify and Prevent

The lessons learned at preparation stage is key. Once the incident is over sit down and debrief. See what should have gone better. Review the information from the root cause analysis and determine what is to become BAU and what is part of incident response. Update documentation, perhaps write a rough post-incident report and go to sleep. As soon as you are able to, complete the Post Incident Report (PIR). It provides great lessons learned, enables objective review of current processes, and provides opportunities for improvement.

From a NDB notification perspective there is still some work left to do. The NDB scheme provides clear guidelines on how to notify individuals and the OIAC (please see my earlier posts). You should follow their recommendations to the letter and meet all scheme compliance requirements.

If I put myself in the position of an individual affected by a breach. I will evaluate the breach to see if the breached organisation has made every effort to secure my personal information and sensitive data prior to the breach. I am probably going to be understanding to a point. What will matter most to me from the point of being notified, is how the organisation manages the breach, and recovery. If the recovery and management are exemplary, I am more likely to provide the disclosing firm with a degree of understanding and give them the benefit of the doubt. If the breach management is poor or slipshod, I’m taking my data and my business elsewhere.

Hopefully, you have found this post helpful and the series of blog posts on the data breach topic illuminating. If you have any follow up questions, or would like some further information on related topics, please don’t hesitate to get in contact.