Lloyd's Says Cyber-Attack Could Cost $120bn*:
- Lloyd’s of London, the world’s oldest insurance market, has warned that a serious cyber-attack could cost the global economy more than $120bn – as much as catastrophic natural disasters.
- The report from Lloyd’s says the threat posed by such global attacks has spiralled and poses a huge risk to business and governments over the next decade.
- The most likely scenario is a malicious hack that takes down a cloud service provider with estimated losses of $53bn, though the figure could be as high as $121bn.
- At the upper end, the cost would outstrip the damage wreaked by Hurricane Katrina in 2005, estimated at $108bn.
- Cyber events can cause a severe impact on businesses and economies, trigger multiple claims and dramatically increase insurers’ claim costs.
- The second-most likely threat stems from attacks on computer operating systems run by a large number of businesses around the world, which could cause losses of up to $28bn.
- The majority of these losses are not insured, leaving governments and businesses vulnerable if cyber-attacks happen.
- The global WannaCry ransomware attack in May 2017 showed that attacks of this kind are possible.
- Financial services are most at risk, followed by software and technology, hospitality, retail and healthcare.
*Source: The Guardian, July 17, 2017
US to Create Independent Military Cyber Command*:
- The Trump administration is finalizing plans to revamp the nation's military command for defensive and offensive cyber operations.
- Under the plans, US Cyber Command would eventually be split off from the intelligence-focused National Security Agency.
- Making cyber an independent military command will put the fight in digital space on the same footing as more traditional realms of battle.
- The US has long operated quietly in cyberspace, using it to collect information, disrupt enemy networks and aid conventional military missions, but it is determined to improve its ability to fold cyber operations into everyday warfighting.
- The US has increasingly used cyber as a tactical weapon, which bolsters the argument for separating it from the NSA; the two organizations have shared a single four-star commander since Cyber Command's creation in 2009.
- It's unclear how fast the Cyber Command will break off on its own, and some officials believe the new command isn't battle-ready, given its current reliance on the NSA's expertise, staff and equipment.
- Its proposed budget for next year is $647 million, a 16% increase over this year's budget, to cover the costs of building the cyber force, fighting Islamic State (IS) and becoming an independent command.
*Source: AP News Archive, July 17, 2017
50% of Ex-Employees Still Have Access to Corporate Applications*:
- Nearly half of businesses say former employees are still able to access corporate accounts according to a new study.
- Ex-employees pose a big security risk: twenty percent of businesses have experienced data breaches by former staff.
- Researchers interviewed 500 IT employees who are at least partially responsible for security and who make decisions about hardware, software and cloud-based services.
- Half say ex-employees' accounts remain active for longer than a day after they leave the company, and twenty percent take a month or more to remove access.
- The more ingrained someone is in an organization, the harder it is to 'deprovision' them.
- Half of respondents don't use automated deprovisioning and must remove access to each corporate application by hand, a slow process that increases the chance a former employee can still reach their accounts.
*Source: Dark Reading, July 17, 2017
A Smart Fish Tank Let Hackers into a Casino*:
- Attackers used an internet-connected smart fish tank to gain a foothold inside a casino's network.
- The tank served as the point of entry; from it the intruders moved laterally through the network to other systems, which a properly segmented network with no route from the tank to business systems would have prevented.
- They used the tank's connection to send data to Finland before security firm Darktrace shut them down.
- In a separate incident, someone stored data in a tank's internal memory and then used its connection to move that data outside the building into nefarious hands.
- In both cases the smart tank was being monitored by an external party responsible for its water levels, which is why it was connected to the internet in the first place.
*Source: The Next Web, July 20, 2017
Decades-Old Network Protocol Puts Companies at Risk and Refuses to Die*:
- Twenty-five years is a very long time in the world of technology.
- The Server Message Block version 1 (SMBv1) is a network file-sharing protocol that was created in 1983 at IBM and made its way into Windows in 1992.
- Microsoft later expanded the protocol and renamed its implementation CIFS, short for the Common Internet File System.
- If you’ve ever shared files or printers between two computers on a local network, you’ve likely used one of the three major versions of the SMB protocol.
- Linux users might be more familiar with the name Samba, which is the most widely used implementation on that platform.
- Two aggressive ransomware attacks, WannaCry and NotPetya, disrupted the normal operations of organizations worldwide by exploiting critical vulnerabilities in Microsoft's implementation of SMBv1.
- By the time the malware hit in May and June, Microsoft had already released fixes for these SMBv1 vulnerabilities (security bulletin MS17-010, March 2017), so organizations that were hit were partly at fault for not installing patches in a timely manner.
- Microsoft has been trying to get companies to stop using SMBv1 for years and has even created a list of third-party products, such as printers and software programs that should be avoided because they require the old version of the protocol.
- Compared to SMBv2, introduced in Windows Vista, and SMBv3, added in Windows 8, SMBv1 lacks essential security features (SMBv2 and later use stronger message signing, and SMBv3 adds transport encryption) as well as performance optimizations.
- Recent data suggests that on average over 40% of SMB-enabled computers inside large corporate networks support this old version of the protocol. And for smaller networks, the average ratio can be as high as 70%.
*Source: Forbes, July 21, 2017
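Before switching SMBv1 off on a Windows file server, a practitioner wants to know which clients would break. The following PowerShell script is an added example, not code from the Forbes article or from Microsoft: it reports whether the SMB1 server is enabled, lists the sessions and connections still negotiating a 1.x dialect, turns on SMB1 access auditing, and only then disables the protocol and removes the optional feature. It assumes an elevated session on Windows 8.1/Server 2012 R2 or later for the SmbShare cmdlets; the `-AuditSmb1Access` setting and the `SMB1Protocol` optional feature exist only on Windows 10/Server 2016 and later.

```powershell
# Added example (not from the article). Inventory SMB1 use on a Windows host,
# then disable it once nothing still depends on it. Run elevated.

# 1. Is the SMB1 server still enabled on this host?
$cfg = Get-SmbServerConfiguration
"SMB1 server enabled: $($cfg.EnableSMB1Protocol)"

# 2. Which clients are negotiating a 1.x dialect against this server right now?
#    Disabling SMB1 breaks exactly these sessions, so record them first.
$legacySessions = Get-SmbSession | Where-Object { [version]$_.Dialect -lt [version]'2.0' }
"Active SMB1 client sessions: $(@($legacySessions).Count)"
$legacySessions | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table -AutoSize

# 3. Outbound side: shares this host itself reaches over SMB1 (old printers, NAS boxes).
Get-SmbConnection | Where-Object { [version]$_.Dialect -lt [version]'2.0' } |
    Select-Object ServerName, ShareName, Dialect | Format-Table -AutoSize

# 4. Windows 10 / Server 2016 and later: log every SMB1 access attempt
#    (Microsoft-Windows-SMBServer/Audit, event ID 3000) for a while instead of guessing.
Set-SmbServerConfiguration -AuditSmb1Access $true -Force

# 5. Once the audit log has stayed quiet, disable the SMB1 server...
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# ...and remove the SMB1 optional feature entirely (client and server side).
if (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}
```

Run steps 1 to 4 on their own first and leave the audit enabled for a week or two; a device that only talks SMB1 at month-end (a scanner, a legacy backup job) shows up in the audit log, not in a one-off snapshot of sessions.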
MeitY Seeks Help from Vidhi for Data Shield Law*:
- The ministry of electronics and IT (MeitY) has sought help for the path-breaking legislation from the Vidhi Centre for Legal Policy, the think tank that was instrumental in drafting the Aadhaar Act and the Bankruptcy Code.
- The request comes from the committee responsible for drafting the new data protection legislation.
- The government has not put a time frame to it, but wants to come up with the law as soon as possible; the first draft is expected before the end of the year.
- This is the first time that India has started work on a specific data protection law, which is expected to look at aspects such as data sovereignty, data retention and responsibilities of government, companies as well as individuals while handling third party data.
- Even though the Information Technology Act contains provisions on data protection and handling, experts believe it may be inadequate for current requirements, as it was drafted in 2000.
- There has been a lot of debate recently about the handling of citizen data, especially data linked to sensitive information such as Aadhaar or people's bank accounts.
- A data protection framework also matters because India is one of the largest processors of data originating outside the country, and the European Union has been asking India to enact a data protection law.
*Source: Telecom, July 18, 2017
Half of German Companies Hit by Sabotage, Spying in Last Two Years*:
- More than half of the companies in Germany (53 percent, up from 51 percent in 2015) have been hit by industrial espionage, sabotage or data theft in the last two years, according to a survey by the German IT industry association Bitkom of 1,069 managers and people responsible for security across various sectors.
- Bitkom estimates the damage at around 55 billion euros a year, up 8 percent.
- Several high-profile attacks have occurred recently, such as the WannaCry ransomware attacks and the malware dubbed "NotPetya", which halted production at some companies for more than a week.
- Many big companies and especially those operating critical infrastructure were generally well-prepared for cyber-attacks, but smaller and medium-sized companies did not take the threat seriously enough.
- Some 62 percent of affected companies found those behind the attacks were current or former employees (respondents could name more than one group, so the figures overlap).
- Forty-one percent blamed competitors, customers, suppliers or service providers.
- Twenty-one percent believed hobby hackers were responsible, while 7 percent attributed attacks to organized crime.
*Source: Reuters, July 21, 2017