How do you know when a cybersecurity breach is over?*:

 

  • People often ask, “When does the pain of a security breach finally end?”
  • The answer is often a surprise.
  • It isn’t over when you’ve removed a hacker or insider threat from your network environment, just as it doesn’t begin with the discovery of patient zero of a cyber attack.
  • It ends when your organizational attitudes toward cybersecurity revert to what they were before the breach.
  • The question is: “Is the return to ‘business as usual’ a good thing?”
  • Usually not, especially when you think about how the breach began.
  • Most organizations assume a data breach begins when a hacker penetrates your network.
  • But it actually starts long before — with the sum of bad security habits, mismanaged mergers and acquisitions, budget decisions that scrimp on security and bad choices like relying on outdated equipment or not deploying security patches.
  • In this way, a breach can be a good thing because it wakes everyone up — it serves as the greatest security awareness exercise possible.
  • When a breach occurs, everyone is interested in information security for a brief duration — from the incident response and mitigation teams to public relations.
  • In this disaster-movie atmosphere, there’s a need to be rescued.
  • The organization often enlists a team of cybersecurity experts to build attack timelines for the complete incident response.
  • Then there’s the expectation that the infection and adversary will be ejected from the environment and that the crisis has passed.
  • In reality, a breach is never really over.
  • Years after, many companies still invest their time in mitigating the lasting effects, including:
    • Legal defence efforts and litigation
    • Suffering sales departments
    • Client management challenges
    • Increased regulatory audits and compliance
    • Additional meetings and new processes
    • Difficulties obtaining cyber insurance
  • Organizations may also be confronted with the consequences of the breach, such as brand damage and slower sales.
  • Now, security teams must spend their time on status updates and deploying new technology.
  • And underfunded teams may be asked to perform a three-year security plan in six months — which isn’t usually possible.
  • Not long after the fires are out, the board and C-suite may believe the breach is over.
  • This stems from the notion that security is transactional — that security is something you bolt on, such as a door lock.
  • If you invest in it once, you’re protected, right?
  • Effective cybersecurity is rooted in an organizational culture that values consistent and dedicated security practices and response capabilities — and understands what it takes to have cybersecurity strategies and programs that work.
  • During the heat of the initial breach response, internal turf wars temporarily stop, and there is unity and clarity.
  • The company becomes laser-focused on data protection, and budget for security also generally becomes available.
  • But following this period of heightened security awareness, problems may emerge, and old ways return.
  • There is a limit to how much security can be absorbed into the environment.
  • You might encounter a “gold rush mentality” where the funds allocated for security attract those seeking your business.
  • And for the C-suite, there’s danger in putting a cinematic “The End” on a breach.
  • By becoming complacent and returning to old habits and poor choices, it’s not the end but another potential beginning.
  • The breach didn’t begin when hackers charged through the door.
  • It started when security wasn’t a priority, or when the company publicly talked about it as an important priority but real support and cooperation weren’t there.
  • It began with the oversights, the lack of funding, and the prioritization of resources for everything other than security and privacy.
  • It may have stemmed from focusing too much attention on compliance — even when those actions actually harmed security by focusing resources on ideas instead of actual capabilities that can assist the defenders.
  • How do you prevent another security incident? A first step is to build awareness that you can’t have world-class information security without world-class IT.
  • And you can’t protect your organization without decisive decision making, coupled with conviction on how to manage risks (like visibility gaps, mergers and acquisitions, and observations about incidents).
  • No one cares about protecting your data as much as your own people.
  • While it’s great to have saviours on call during a breach, what you really need is security experience as an integral part of your organization’s DNA for effective incident detection, analysis, and response.
  • And they should be trained and retained.
  • Make security a habit and a state of mind across the organization — from the C-suite to every level of the organization.
  • By returning to the status quo, you may be leaving the doors and windows open to your IT environment or a risky cloud migration, where cyber threats could appear again.
  • Finally, roll all of this up into a three-year security plan, even if you don’t have the budget today.
  • Include strategies that can best detect, disrupt, and respond to a cyber attack — all ideally based on your real observations, not auditors’ workbooks.
  • And include effective plans for coordinated incident response to mitigate damage, along with cross-functional teams for critical steps such as your public response.
  • When it comes to protecting your brand, sales, and customers’ loyalty, you’ll be judged more on your response than on the breach itself.

 

*Source: Forbes, March 22, 2019

Australian Encryption Laws Sent off to Nat Sec Legislation Monitor For Review*:

 

  • A little over a year has been given to the Independent National Security Legislation Monitor (INSLM), Dr James Renwick, to review whether Australia’s encryption laws, waved through Parliament on the last sitting day of 2018 in a Labour capitulation on the legislation, contain “appropriate safeguards” for protecting individual rights, are proportionate to national security threats, and are necessary.
  • The referral was made by the Parliamentary Joint Committee on Intelligence and Security (PJCIS), which is currently conducting its own review into the laws and is due to report on the Act, as well as on Australia’s data retention laws, later in 2020.
  • It is the first time in the committee’s history that it has made a referral to the INSLM.
  • Australia gained its now infamous encryption laws when Labour removed its own amendments, allowing the law to pass through the Senate unamended.
  • The government successfully had its 67 pages of amendments added to the Bill in the lower house.
  • PJCIS is currently reviewing those 67 pages of amendments and is set to report back next week.
  • In February, the Australian Senate passed some of Labour’s dumped amendments, but with the federal budget and an election date due to be called at some point next week, there is unlikely to be time to complete the second reading of Labour’s amendments, let alone have the House of Representatives agree to them.

 

*Source: ZDNet, March 27, 2019

Insurance Companies Collaborate To Offer Cybersecurity Ratings*:

 

  • In a collaborative effort, some of the world’s largest insurers have set out to create a consumer ratings service for the cybersecurity industry.
  • The initiative, launched Tuesday and set to be led by Marsh & McLennan, will attempt to score best products to reduce hacking risks and will create an assessment of the best cybersecurity offerings available to businesses, according to the Wall Street Journal.
  • The firm will collect and combine scores from participating insurers and will ultimately identify and rate products, offerings and services they believe will be effective in reducing cyber risks.
  • The results will be publicly available on the firm’s website.
  • Panorays CEO and co-founder Matan Or-El applauded the new initiative calling it a win-win for all.
  • Enforcing the collaboration between the insurers is mandatory to ensure that this initiative gets off the ground and becomes effective.
  • Traditional and well-established technologies must be evaluated in a similar manner as innovative technologies that address the newer challenges.
  • In addition, the assessment process must scale to accommodate the evaluation of thousands of cybersecurity products.
  • Not all researchers were on board with the initiative. Jonathan Deveaux, head of enterprise data protection at comforte AG, expressed concern, pointing out that research analyst firms already provide some sort of rating system for the cybersecurity industry and that adding another rating system could affect companies.
  • Deveaux added that there are hundreds of products and solutions available which offer various ways to approach cybersecurity, and that some solutions are more effective than others in terms of what the solution does and where it actually secures.
  • For example, under the general category of “data security,” the data protection methods vary when it comes to actually securing the data – security professionals today know about encryption, tokenization, and data masking (both dynamic and static) – all of which provide various ways to protect, de-identify, anonymize, or pseudonymize data.
  • Also under the general category of “data security,” some solutions secure access to the data rather than provide protection mechanisms for the data itself.
  • The rating system also raises the question of what will happen if a company follows the system and still suffers a data incident which fails to meet GDPR requirements.
  • In this case it is unclear what coverage the insurance company provides, or whether a GDPR fine of up to four percent of annual revenue would be covered and paid by the insurance company.
  • At the end of the day, consumers want to know which companies are securing their data, and hopefully the collaborative rating system will lead to a better overall security posture on their end.

 

*Source: SC Magazine, March 29, 2019

Toyota customer information exposed in data breach*:

 

  • Toyota Motor Corp. dealerships in Japan were hit with a cyberattack earlier this month in which information on 3 million of the carmaker’s customers was stolen.
  • The hack hit Toyota Sales Holdings Inc., a subsidiary of Toyota Motor in Japan, and its affiliates.
  • This marks the second attack reported by Toyota in two months – Toyota Australia reported a breach on Feb. 21 that it said didn’t impact user or customer data.
  • A Toyota spokesperson said the latest attack specifically occurred on the carmaker’s systems in Japan.
  • Additionally, three other independent dealers in Japan are possibly involved.
  • Toyota Motor North America (TMNA) is monitoring the situation closely and is currently unaware of any compromise of TMNA systems associated with this incident or evidence that Toyota or Lexus dealers in the United States have been targeted.
  • The Japan Times, meanwhile, said in a report today that data on the Toyota customers was stolen in the recent attack and the stolen data may include names, birth dates, and employment information but not credit card numbers.

 

*Source: Dark Reading, March 29, 2019

 

Researchers find mountains of sensitive data on totalled Teslas in junkyard*:

 

  • Teslas are incredibly data-hungry, storing massive troves of data about their owners, including videos of crashes, location history, contacts and calendar entries from paired phones, photos of the driver and passengers taken with interior cameras, and other data.
  • This data is stored without encryption, and it is not always clear when Teslas are gathering data.
  • The only way to comprehensively switch off data-gathering also de-activates over-the-air software updates for the cars, which have historically shipped with limited or buggy features that needed the over-the-air updates to fix them.
  • Tesla has a history of being secretive about the data its cars collect, fighting customer attempts to recover data from their cars, and selling a special cable needed to access limited car telemetry for $995.
  • Tesla employees told CNBC that the company uses telemetry to secretly identify Tesla owners who tinker with or investigate their cars, and flags them for late software updates.
  • Two pseudonymous security researchers called GreenTheOnly and Theo recovered “hundreds” of wrecked Teslas from scrappers and junkyards and systematically investigated the data left behind on the cars.
  • Much of the data that these junked Teslas store is not unique — other manufacturers’ “smart” car systems store mountains of driver data in the clear (this is especially a problem for rental and fleet cars, which harvest data from many different drivers).
  • But Tesla does store more data than its rivals, and goes further than other manufacturers in disincentivizing independent security research through its alleged blacklisting system.
  • The fact that Tesla also operates a robust bug bounty program reveals a deep ambivalence about independent scrutiny of its products.

 

*Source: Boing Boing, March 30, 2019

 

The latest Dark Web Cyber-Criminal Trend: Selling Children’s Personal Data*:

 

  • Cyber criminals are hacking into sensitive networks to steal the identities of children and are selling them on in underground marketplaces.
  • Personal information is leaked in data breaches all the time, but what makes the data on children so useful to cyber criminals is how they don’t have any credit history – so they offer a free pass for fraudulent purchases, loans and other transactions without the barriers that might be associated with data belonging to adults.
  • On the dark web in this criminal data trade, freshness is the name of the game.
  • Vendors pride themselves on having fresh data that their buyers are able to exploit effectively.
  • Advertisements in cyber-criminal markets offer what the illicit sellers describe as ‘child fullz’ – full identity kits of information about victims, including name, date of birth, address, and social security numbers.
  • Essentially, everything a criminal needs to commit fraud.
  • Demand for this data appears to be growing in dark markets, with a small group of sellers repeatedly emerging to offer data to customers at a cost of just $25 for data about a child.
  • One seller who regularly deals in this information re-emerged in January this year.
  • They claim to have hacked into a paediatrician in the US, offering buyers information on children as young as four years old.
  • Cyber criminals will often take this information and use it to make fraudulent claims for child tax credit – especially if they also have data on the parents and can paint an accurate picture of a whole family.
  • But others go further, exploiting the information to take out large loans or make big purchases – all while nobody is aware that a child’s credit rating is being destroyed.
  • The fraudsters create a synthetic ID around the stolen child’s data, sometimes creating whole new identities, but tied to the identifying social security number.
  • With this and a blank credit history, the criminals can approach banks to apply for loans and other means of finance.
  • In the US, there are only limited checks which are made in order to determine the authenticity of an application and in many cases, a social security number with some personal information – even if it’s a synthetic ID – can be enough.
  • That makes using children’s data highly appealing to criminals, because they’re likely to be the first to exploit it – and the lack of credit history means they don’t have to gamble like they would with the data of an adult victim, who could turn out to already have an actual poor credit history.
  • Now that we know this is an issue, we recognise that there need to be checks in place, not only to keep consumers safe but to protect financial institutions and retailers.
  • But unfortunately, it’s probably going to be too little, too late, and how many children will be harmed in the meantime?
  • The best means of countering that is to know that children might be targeted and to protect their credit, either by freezing it or by conducting regular checks.

*Source: ZDNet, March 27, 2019