Don’t Buy A Breach: Ten Cybersecurity Red Flags to Look For During M&A Due Diligence*:

  • Missing, Weak, Or Poorly Documented Security Practices
    • Start with adherence to (and procedures based on) the latest NIST Cybersecurity FrameworkISO 27001, and SOC 2, and if you’re publicly-traded, Sarbanes-Oxley(SOX).
    • That compliance reporting should include documented, readily-accessible and easily-understood policies and procedures.
    • No documentation can signal poor information asset protection.
  • No Audit History
    • Can the company claim SOX compliance? When was the last SOX review? Does the company practice cadenced cybersecurity audits?
    • Absent audit trails can suggest an undisciplined approach to information management and could even introduce legal vulnerabilities in the case of a subsequent breach.
  • Poor Inventory-Tracking
    • How well does the company track its assets, both tangible and intangible? 
    • It’s difficult to flag theft if you don’t know what’s at risk of being stolen in the first place. 
    • Request a hardware asset inventory, application inventory and data-asset inventory (with classification levels).
  • Poor Application Tracking
    • It’s any-time-of-the-day-o’clock. Do you know where your users are? What apps are they using? Do they bypass firewall proxies to connect directly to them?
    • At a bare minimum, your target IT department should have comprehensive visibility to user app access.
  • No Defined Security Boundary
    • Traditional hub-and-spoke networks are difficult enough to secure in the first place — even when you have a defined perimeter.
    • It should go without saying that an undefined or uncontrolled network boundary is often as secure as no boundary at all.
    • Instead, there should be a readily-accessible, well-articulated network architecture design document that clearly defines identifiable security ingress and egress points with clearly-defined boundaries.
  • Reliance On Remote Local Admin
    • An organization with users with remote local administrative privileges isn’t less secure at face value.
    • But couple that with a lack of centralized privileged account management and you have a recipe for both complex resource management and even exploitation.
    • You’re also vulnerable to the hit-by-a-bus scenario: When privileged users leave the company, you could lose access to remote assets.
    • I recommend looking for a stated policy directive blocking remote-admin access to local email and internet-browsing, as well as enabled multifactor authentication (MFA) for local admin privileges.
  • No Multi-Factor Authentication
    • In my opinion, there’s little to debate here: MFA is more than a must.
    • It’s a bare minimum for a secure threat posture.
    • Any company without it is less secure than one employing at least a dual-evidence authentication mechanism.
  • Underfunded Or Undefined Security Budget
    • It’s hard for some of us in the CISO community to believe, but this question must be asked: What’s your cybersecurity line item?
    • Companies without a defined, detailed cybersecurity budget (or low investment in cybersecurity) may unintentionally obscure more than poor accounting.
  • Lack Of Architectural Discipline
    • How well-defined is the company’s security architecture? Can you trust that scanned diagram on the Powerpoint slide? Has the company integrated its own acquisition infrastructure, or is it running duplicate systems?
    • Poor discipline in managing security architecture — including change-management tracking — can suggest poor oversight and hint at potential vulnerabilities with legacy systems.
    • Signs of good discipline include having an easily understandable, detailed network architectural design document outlining the company’s network infrastructure, security stack, data-system integrations (with classification) and a well-defined technical reference model.
  • Poor Integration With Business Processes
    • How siloed is the company? Is cybersecurity tailored to the way employees actually work? How well do policies address remote, cloud, and mobile access?
    • If end users “go rogue” and bypass corporate security, it may be because network security models don’t support the way those users prefer to work: direct connection via Starbucks Wi-Fi instead of via a slow, VPNed, backhauled journey through a distant corporate firewall gateway.

*Source: Forbes, February 12, 2019

 

Home Loan Details Of 100,000 Customers Hacked In Major Data Breach*:

  • The nation’s biggest banks are scrambling to contact up to 100,000 customers who may have been caught up in a major data breach at property valuation firm, LandMark White.
  • The breach, which LandMark White first revealed late on Friday, could include property valuations and personal contact information of home owners, residents, and property agents, including first and last names, residential addresses and contact numbers.
  • LandMark White is one of the biggest valuation firms used by banks and other lenders across the country for services such as assessing mortgage applications.
  • On Tuesday night Commonwealth Bank of Australia and ANZ Bank revealed they had suspended LandMark White from their panels of valuers while National Australia Bank said it was still assessing the impact on its customers.
  • A well placed source said CBA was contacting more than 20,000 customers in the wake of the breach.
  • The CBA statement said no bank account information was disclosed in the breach and apologised to customers for the incident.
  • LandMark White has set up a website for its customers and said there was no evidence of misuse of any information although that position remained “under close review”.
  • ANZ chief data officer Emma Gray said the bank was still working out how its customers were affected.
  • She said ANZ had suspended the use of LandMark White and had no reason to believe other valuers were involved in the breach.
  • A NAB spokesperson said it was also identifying and contacting customers.

*Source: Sydney Morning Herald, February 12, 2019          

 

Hacker Destroys Email Provider VFEmail’s Entire US Infrastructure, Will ‘Likely not return’*:

  • If you use your email client of choice for particularly important correspondence — perhaps for business or private conversations — you’d probably be pretty shocked to wake up one day only to find that its servers have been completely wiped out.
  • Unfortunately for users of VFEmail, that’s precisely what happened on Monday.
  • As spotted by Ars Technica, VFEmail owner Rick Romero recently found evidence that a hacker was attempting to systematically destroyhis service’s hard drives – backups and redundancies included.
  • Though it sounds like Romero was able to put an end to the attack, it was too little, too late for VFEmail’s users.
  • According to an official notification posted on the email provider’s website, “all data” in their US servers has been completely wiped out, and it’s seemingly beyond recovery.
  • Romero says the person, who used the IP of “[email protected],” was most likely using a virtual machine and multiple means of access to carry out the attack – no one method of protection, such as 2-factor authentication, would have protected VFEmail from the assault.
  • Unfortunately, the attacker’s motivations are unknown.
  • The individual did not ask for a ransom, nor do they seem to be taking any sort of moral stance against VFEmail.

*Source: TechSpot, February 12, 2019

 

2018 Was Second Most Active Year For Data Breaches*:

  • More than 6,500 data breaches were reported in 2018, a new report from Risk Based Security shows.
  • The breaches, both big and small, were reported through Dec. 31, 2018 — marking a 3.2% decline from the 6,728 breaches reported in 2017 and making it the second-most active year for data breaches on record.
  • Some 5 billion records were exposed, or about 36% less than the nearly 8 billion records exposed in breaches in 2017.
  • In addition, more records were compromised last year than in any previous year than 2017 and 2005.
  • As has been the case previously, a handful of mega breaches accounted for a vast proportion of the compromised records.
  • In 2018, the 10 largest breaches accounted for approximately 3.6 billion exposed records — or a startling 70% of the total.
  • In all, 12 breaches in 2018 exposed at least 100 million records. 
  • Organizations that disclosed the largest breaches last year included Facebook, Under Armor, Starwood Hotels, and Quora.
  • For a vast majority of breaches, however, the number of exposed records was 10,000 or less — as has been the case since at least 2012.
  • The medical and education sectors, often denigrated for having poor security, ironically enough exposed far fewer records than other supposedly more secure sectors.
  • Risk Based Security’s analysis shows that financial services companies, technology firms, retailers, restaurants, hotels, and other businesses were responsible for nearly 66% of the reported breaches and a near identical proportion of the records that were exposed last year.
  • In contrast, the medical and education sectors combined exposed less than 10 million records.
  • More than six in 10 of the breaches exposed email addresses, and about 57% involved passwords.
  • The proportion of breaches that exposed Social Security numbers and credit card numbers — the two most valuable pieces of data for criminals — was somewhat smaller in contrast, at 13.9% and 12.3%, respectively.
  • Risk Based Security’s reportshows that hacking by malicious external actors remained the cause for most data breaches (57.1%), but Web breaches, such as those resulting from intrusions and data publicly accessible via search engines, exposed more records (39.3%).
  • Insider breaches — of the accidental, negligent, and malicious variety — accounted for about 14% of all breaches last year.
  • One surprise in the data was the scant progress that organizations appear to be making in closing the gap between breach discovery and breach disclosure, says Inga Goddijn, executive vice president at Risk Based Security.
  • The data shows that government and private institutions took an average of 49.6 days last year to publicly report a breach after its initial discovery.
  • That was actually marginally longer than the 48.6 days it took in 2017, suggesting that organizations are struggling to speed up incident response despite the increased pressure on them to do so in recent years.
  • The general anticipation was that mandates such as the European Union’s General Data Protection Regulation would put pressure on enterprise organizations to improve breach disclosure times.
  • So it was surprising to see little movement on that front last year.
  • The GDPR also has a clear distinction between disclosing a breach to authorities and notifying victims about it, Goddijn says.
  • The mandate requires breach entities to inform data regulators in their jurisdictions about the incident within 72 hours.
  • But it offers some discretion around when and even whether an organization needs to notify those impacted by a breach “So even if an event is swiftly reported to privacy regulators, it is possible the event will be publicly disclosed weeks later, if at all,” Goddijn says.
  • Risk Based Security’s report does not include “dwell time,” or the duration between when an attacker first breaks into a network and when the intrusion is first discovered.
  • But it does show that nearly 70% of organizations that disclosed a data breach in 2018 learned of it from an external source.
  • In fact, only 680 of the more than 6,500 disclosed breaches last year were internally discovered.

*Source: Dark Reading, February 13, 2019

 

Hackers Tried To Steal €13 Million From Malta’s Bank Of Valletta*:

  • Malta’s oldest bank resumed operations today after it shut down all IT systems yesterday when hackers tried to steal roughly €13 million ($14.7 million) from its reserves.
  • Bank of Valletta (BOV) employees discovered the hackers’ intrusion during daily reconciliationoperations of international transfers.
  • Roughly 30 minutes after finding the unauthorized operations, the bank closed all its branches, shut down its ATM and point-of-sale systems, along with its website and e-banking servers.
  • According to local press, the hackers tried to transfer €13 million to different bank accounts in the UK, the US, the Czech Republic, and Hong Kong.
  • In an address to the Maltese Parliament, Prime Minister Joseph Muscat saidBOV officials notified all foreign banks and were working to revert the transactions and regain access of their funds.
  • In a statementon its website, BOV said it was working with local and international police authorities to track down the attackers.
  • The bank’s operations returned to normal today, according to a subsequent statement.
  • Bank of Valletta is Malta’s oldest bank and one of its largest.
  • Maltese government officials paid close attention to the bank’s operations on Wednesday because the hack crippled the small island’s economy, forcing a large number of citizens and tourists to cash transactions only.
  • The government is also one of BOV’s clients, whose services it uses to make social security payments.
  • On the North American continent, CI Banco, a Mexicco-based bank also reported a cyber-attack on Wednesday.
  • The bank shut down all operations after its IT staff detected a virus in the equipment of one of its employees, according to local press, with one report claiming it was ransomware.
  • The bank has resumed operations

*Source: ZDNet , February 14, 2019

 

RBI AnyDesk Warning: This App Can Steal All Money From Your Bank Account, Never Download*:

  • The Reserve Bank of India has a warning for you.
  • If you are suggested to download an app called “AnyDesk” through social media or any other channel then do not do this.
  • After downloading this app, your bank account may become empty within minutes.
  • Reserve Bank of India (RBI) has issued a warning in this regard.
  • “AnyDesk” is a software that can do transactions from your bank account through your mobile or laptop.
  • On February 14, the RBI alerted banks about potential fraudulent transactions on the unified payments interface (UPI) platform.
  • RBI said that the cautionary notice was issued in the wake of rising number of fraud using the UPI platform.
  • In the notice, the central bank informed the commercial lenders that a mobile app named “AnyDesk” was being allegedly used to target the mobile phones of customers. 
  • The alert was issued by the RBI’s cybersecurity and IT examination cell.
  • It said that once the app is downloaded on a mobile phone, it seeks permission to access control of the phone like other applications.
  • However, when the permission is granted by a user, AnyDesk app allegedly steals confidential data on the phone to carry out fraudulent transactions through other payments app available on the phone.
  • Reports say the RBI alert also applies to all other forms of mobile payments, not just the UPI. RBI notice said it had sent a similar advisory last month.
  • Once downloaded, “AnyDesk” generates a 9-digit app code on the user’s device and calls the cybercriminals and asks the user for the code in the name of the bank.
  • Once this code is found, the hacker gets control of the user’s device and can download all the information of his device can do the transaction.

*Source: Zee Biz , February 18, 2019