Hackers Raise Cyber Risk Awareness in 2017

Hackers

Hackers raise Cyber Risk awareness in 2017….. this is the one upside where Hackers have again grabbed the headlines with many high profile cyber attacks taking place resulting in cyber crime and data breaches. These are proving to shape the world of cyberspace and how cyber risk will be managed in the future.

What have been the high profile cyber security breaches this year ? 

Ransomware feature highly as the main attack vector utilized by hackers and proved to be the most effective in terms of impact and the disruption that was caused to businesses.

WannaCry

This was one of the main strains of ransomware that hit over 150 businesses throughout the world in May this year. This compromised the NHS and car manufacturing plants  such as Nissan  and Renault in the UK and the global corporations of  Telefonica and FedEX.

Not-Petya

This was the second significant ransomware attack within the space of two months and should have heighten businesses concerns that cyber risk was now a boardroom issue after the WannaCry attack.  Not-Petya took place in late June again reaching out to hit high profile global corporations that included Merck, WPP and AP Moller-Maersk having longer lasting consequences on their trading ability and reputations.

Equifax

The US credit reporting agency revealed in September that they suffered a data breach which compromised the accounts of 143 million US customers, it is believed that a certain percentage of these were also UK citizens.

Uber

It was announced by Uber last month that they were hit by a data breach which affected 57 million users by an attack that occurred 12 months earlier. A ransom of $100,000 was also paid to the hackers.

Morrisons

Whilst this breach was not new it does have potential far reaching consequences for the directors of a business. It was found by the High Court that those affected by a data breach which was caused by an employee, were allowed to claim compensation for the ” upset and distress” caused.

What happened in the UK ?

Whilst hackers infiltrated many businesses worldwide, in the UK we also saw businesses and organisations being hit demonstrating that cyber attacks are closer to home that many people may believe, here are a few examples :-

Sports Direct revealed in February that they had been hit by a data breach where a hacker had gained access to their 30,000 employees personal details which included names , addresses and e-mail details.

Wonga announced in April that 245,000 of its customers in the UK had been affected by a data breach, personal details this time included bank account details.

RingGo, the parking payment app was subject to a data breach in April whereby 2,000 customers were affected

Hotpoint UK had their website compromised in May when malware was discovered on their computer system luckily no data was taken on this ocassion.

Cardiff City Centre suffered the embarassment of their computer system being compromised in August with a Swastika being posted on a shopping billboard.

The Scottish Parliament suffered a brute force attack in August where hackers targeted the e-mail accounts of MP’s in an attempt to obtain passwords

Lessons to be learned …..

Cyber crime and data breaches will not go away and will continue to be a prominent threat to busineesss

This is a major issue for businesses so much that it is now on boardroom agendas

Cyber risk needs to be managed at all levels of a business

Cyber attacks can happen to any business , SME’s are faced with the same vulnerabilties as larger organzations

Cyber risk needs to be embedded into a business’s risk management procedures and processes.

Inadequate cyber risk management will impact of the reputation of a business.

2018 will be a testing time for many business sectors with the volatility of the economy, unstable governments and Brexit to name a few but cyber risk should also sit alongside these challenges as the impact of failure to address this is likely to be just as influential.

Image : Shutterstock

The Good,The Bad and the Dark Web

The Dark Web

So what is the Dark Web?

We have all heard of the dark web but it is unlikely that we actually know what it is…..

The Dark Web is part of the world wide web and requires specific software in order for it to be accessed, once this is in place its websites and other services can be readily accessed. Not all sites are visible and can be hidden because they have not been indexed by a search engine and can only be accessed if the precise address of the website is known.

The dark web sits below the “Surface Web” i.e.Google and Yahoo and the “Deep Web” which includes scientific and government reports and subscription-only information.

Certain markets operate within the dark web and are known as “darkest markets”which tend to sell illegal goods such as drugs and firearms, the currency of which is bitcoin where it is difficult to trace the source of the recepient.

Individuals and groups can seek total anonymity as these are generally groups who wish to stay hidden on line from the police and governments.

Let’s go Dark….

This is possible by downloading software such as Tor known as the “Onion Router” where users can be idenitified by the domain name “onion” and focus in providing anonymous access for users. Whilst 12P  the “Invisible Internet Project” permits the anonymous hosting of websites. It is not possible to identify the IP address and track dark net users due to the layered encryption systems that are in place. Intermediate servers are also used which helps in making identification impossible.

The Dark Side 

Hackers exist here to sell their services offering services such as :-

  • Tools for DDoS attacks
  • Fraud services
  • Phishing of websites
  • Scams
  • The recruitment of hackers

The Impact on Cyber Insurance 

The insurance industry focuses on loss prevention and it is important therefore that they are alive to new and developing threats which can in the first instance be discovered on the dark web.

Stolen data can appear in the dark web which can include for example names , addresses, credit card and bank account details rails  and medical records, these will be for sale from various sources.

An innovative step by CFC Underwriting Limited has been launched with RepKnight whereby they offer a dark web monitoring tool called BreachAltert for its policyholders that provides alerts in real time should their data become exposed on the dark web. This can be configured for e-mail domains server IP addresses, employee login credentials and lists of clients and employees. This will enable policyholders to be the first to know if their information has been leaked.

https://www.repknight.com/cfc-underwriting-cyber-policyholders-set-to-benefit-from-free-dark-web-monitoring-in-industry-first/

Image : Shutterstock

Equifax …The Anatomy of a Data Breach

Data Breach

Equifax , one of the largest US credit reporting agencies last week suffered a massive data breach, early indications are that it has affected as many as 143 mllion US customers whilst also impacting on individuals in the UK and Canada. This attack has been further compounded by a subsequent attack in Argentina which again targeted the US.

http://cyberbrokers.co.uk/cyber-news-2/

The Facts

The incident occurred between May and July this year involving the compromise of social security numbers , birth dates , addresses and driving licence details. In addition to this it is understood that the hackers managed to access 209,000 credit card numbers and other documents disclosing personal identifiable information relating to a further 182,000 customers of Equifax.

The credit reporting agency looks after the data of 44 million British customers for British Gas , BT and Capital One and it is understood that up to 400,000  may have had their details compromised during the breach.

https://krebsonsecurity.com/2017/09/the-equifax-breach-what-you-should-know/

The Breach Response 

Forensic Investigation

Cyber security consultants have been appointed in order to carry out a forensic investigation to try and ascertain the scope of the hackers intrusion into their systems and exactly what data has been compromised. Action Fraud in the UK have also posted guidance on their website in the event of possible fraudulent activity on UK citizens accounts following this data breach.

Credit Monitoring

All customers affected have been offered credit monitoring and identity theft protection free of charge.

Data Notification

In the US the average per person cost of a data breach is believed to be $225 , with possibly 143 million individuals affected the financial implications of this are extremely high

Cyber Insurance

It is understood that Equifax did take out cyber insurance and this will go some way to mitigate the financial costs associated with such as breach. Other insurance policies may also be able to respond in relation to this loss.

Notification to Regulatory Bodies

This cyber attack has also been reported to the relevant US law enforcement agencies, in addition to this the ICO in the UK has been alerted to assess the implications for UK citizens.

The Consequences of the Breach

Impact on Share Price

It is too early to assess the ramifications of the data breach on Equifax , however the shares of Equifax dropped nearly 9% equivalent to $3.50 billion of their share value.

Executives depart

A few days after the incident it has been announced that the Chief Information Officer and Chief Security Officer would be departing from the business.

What went wrong ?

It is unclear how the initial breach was caused but it is believed that the hackers exploited a vulnerability in a piece of software that could be used with Apache web server program. A patch had been issued to update the software but it appears that this may not have been updated. The more recent incident is believed, according to various reports to have resulted from an online employee tool that enabled “admin” to be utilized for both login and password which then made it possible to gain access to customers data.

The Equifax Factor

The Equifax data breach should be a warning to UK businesses that that need to have the appropriate procedures in order to manage the data that they hold ahead of the implementation of the GDPR on  25th May 2018 . Should such a data breach occur once the GDPR is in force UK citizens would be able to avail themselves of protection under this forthcoming piece of legislation.

 

The Cyber Threat to Critical Infrastructure

Cyber Threat

The operation of Critical Infrastructure in the UK is pivotable in the safety and economic prosperity of the country…. but what protection is being provided to mitigate the cyber threat posed by hackers ?

We are seeing increasing threats to key infrastructure such as airports and power stations with the cyber threat now emerging as a very real risk. This concern is also now at the forefront of governments on both sides of the Atlantic with initiatives being put in place to protect our critical infrastructure.

Europe – The Network and Information Systems (NIS) Directive 

The European Commission agreed to implement the Network and Information Services Directive in late 2015 as reported in our post http://cyberbrokers.co.uk/cyber-security/   

This Directive needs to be complied with by May 2018 however according to a report by Corero Network Security suggests that it may prove difficult for certain sectors of the UK’s critical infrastructure to achieve this. The report found that 39% of the critical infrastructure in the UK did not reach basic cyber security standards. Key sectors were the NHS and the police.

https://www.corero.com/company/newsroom/press-releases/uks-critical-infrastructure-skipping-basic-cyber-security-checks-and-ignoring-ddos-threats-/

The main reason for the Directive is to increase the security of Network and Information Systems within the European Union with the aim to bring the following:-

  •  Minimum standards of cybersecurity for banks, energy, transport , health and water utilities.
  •  EU-wide rules on cybersecurity.
  •  Cooperation between EU companies on cyber security
  •  The sharing of information of breaches
  •  Best practices in cyber security
  •  Mutual help in securing a country’s critical infrastructure

In addition to critical infrastructure these regulations will apply to certain technology firms and it is possible that this will also be applicable to major online marketplaces, such as eBay and Amazon, and search engines such as Google.

Last month the Government launched a consultation paper which sets out the proposed implementation in the UK which will also reflect the UK departure from the EU. The consultation will ascertain the views from industry, regulators and other relevant parties

The consultation will cover the following :-

  • The essential services the directive needs to cover
  • The possible penalties that could be applied
  • The authorities that will regulate and audit specific sectors
  • The security measures that will be imposed
  • Appropriate timelines for incident reporting
  • Assessment of the impact on Digital Services Providers

https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive

USA – Homeland Security – The Presidential Policy Directive /PPD-21

The main purpose of this directive is to provide the provision of strategic guidance and to promote the security and resilience of the US’s critical infrastructure.

Within this directive Homeland Security will support the following:-

  • Identify and prioritize critical infrastructure, considering physical and cyber threats and vulnerabilities.
  • Maintenance  of national critical infrastructure centers in order to provide a situational awareness capabilities  about emerging trends and imminent threats
  • The coordination of appropriate bodies and Federal departments to provide analysis, expertise, and other technical assistance to critical infrastructure businesses
  • Facilitate the exchange of information and intelligence necessary
  • Work to improve the resilience of critical infrastructure against cyber threats
  • Annual review of the protection required by statute to protect national critical infrastructure.

The critical infrastructure of a country’s is a prime target for hackers and it is therefore essential that appropriate cyber security standards are in place and that this continues to keep place with the changing cyber threat landscape.

Image : Shutterstock

Are You Prepared For A Data Breach?

Data Breach

Are you prepared for a Data Breach ?

Every business should be prepared for a data breach …… hackers act indiscriminately and any business could be a legitimate target.

An incident response plan is essential part of the jigsaw in managing cyber risks and does play a very important role in being prepared for a data breach.

The plan should be constantly updated on at least an annual basis with consideration given to the following:-

  • Breach experience of a businesses peer group
  • Independent third party review of the incident response plan
  • Tabletop exercises to ensure effective implementation of the plan
  • Appropriate employee training
  • Crisis management scenarios played out in order to address changing cyber risk landscape
  • Ensure that effective communication is practiced at all levels of the business in the event that the plan becomes operative.

What makes a good Incident Response Plan?

1.Buy in of implementation of plan by all relevant stakeholders to include the legal team , IT , risk management , HR    Public relations and facilities management.

2.Board level support lead by CISCO.

3. An on-going synopsis of cyber threats to the business so the plan can be adapted or revised

4. Assessment of any third parties cyber exposures that may impact on the businesses with checks carried out on their own cyber risk posture.

5. Minimum security standards implemented with third party providers

6. The purchase of cyber insurance to support the business and avail assistance of insurers incident response team of professionals.

The Experian Data Response Guide is an annual report that provides plans and processes to implement when a data breach occurs within a business.

The most recent report shows that the awareness is now at a much higher profile that it ever has been with senior management more involved with being data breach prepared. There is still however a lack of confidence in actually being able to manage a data breach. The report also showed that incident response plans were not regularly updated with 35% of businesses not updating this since the plan was first instigated. It was also discovered that very few businesses have a “dry run” to see how the plan would work in practice.

http://www.experian.com/assets/data-breach/white-papers/2016-2017-experian-data-breach-response-guide.pdf

The stakeholders of the incident response plan need to be at all levels from senior board members, finance and HR directors and employees representing different sectors of the business.

General Data Protection Regulations (GDPR)

The GDPR comes into force on 25th May 2018 and with this brings an obligation to protect personal data of individuals with the onus to report any data breach that may impact on such individuals.

It is important therefore that businesses have robust systems in place to manage the appropriate handing of data but also how cope with a data breach should this occur.

This includes who to report the breach to and what to report and make reference to such matters as the nature of the breach, the consequences of the breach and measures taken to address the breach. Systems therefore need to be in place so that this information can be provide to the ICO or other relevant regulatory body.

Experian Data Breach Resolution and Ponemom Institute released an industry study on 27th June this year which revealed that whilst most businesses are aware of global and data security regulations they have not yet have addresses the necessary organizational changes in order to achieve compliance.

The study carried out on 550 IT security and compliance officers entitled “Data Protection & Regulations in the Global Economy” ascertained that only 32% of the respondents still didn’t have an incident response plan in place. Furthermore only 9% of business stated that they were ready to comply with the GDPR next year with 59% stating that they did not know how to comply……

https://www.experianplc.com/media/news/2017/experian-data-breach-resolution-and-ponemon-institute/

Cyber Insurance

Cyber insurance can help with managing and mitigating a data breach, the following services are included when a cyber insurance policy is purchased :-

  • Legal assistance in notifying data subjects that may have lost data
  • Forensic Investigation is provided to help ascertain how the breach was caused and if the hacker is still able to infiltrate the computers systems.
  • Public Relations to help manage the impact that this might have on the public’s perception of the breach.
  • Credit Monitoring services to monitor individuals bank accounts should their date be used to carry out fraudulent transactions.

The appointment of such specialists on an individual basis can be very expensive and it is worth considering this form of insurance for this reason alone.

To sum up an incident response plan is a key piece of armoury to help protect a business from the consequences of a data breach and should be an integral part of the overall cyber risk management procedures and practices.

 

Image : Shutterstock