cyber crime

How Secure Is Your Supply Chain?

by
Supply Chain

Many businesses are now reliant on third parties in order to function and to provide their goods or services. These third parties are likely to form a supply chain providing such capabilities as IT services, HR outsourcing and hosting services.

The calibre of these services can vary greatly be they a large conglomerate to small local business. Each suppler will have they own cyber security processes and procedures that should be embedded within the business….. but in practice is this the case and what is the impact on a business if they suffer a cyber security breach?

With reliance now placed on a supply chain it is important that due diligence is carried to ensure that this resilience is in place.

What sort of processes can be carried out in order to provide some assurances?

  • Regular cyber security audits of third party vendors
  • Prioritization of vendors for critical services
  • Review of data monitoring standards of third parties
  • Ensure own security procedures remain at a high standard enforcing regular patching and installation of latest firewalls.
  • Managing of privileges provided outside of the business
  • Robust procurement processes for new vendors
  • Management of contractual liability with the vendor in the event of a possible data breach
  • Due diligence of cloud service providers
  • Insurance checklist for professional indemnity and or cyber insurance by the vendor
  • Review interconnected devices to managed The Internet of Things ( IoT) exposures

The supply chain of a business can be their weakest link and managing this should be given the same level of attention as the internal cyber risks that exist.

The National Cyber Security Center publish a list of some of the risks that businesses should look out for :-

https://www.ncsc.gov.uk/content/files/protected_files/guidance_files/Cyber-security-risks-in-the-supply-chain.pdf

The consequences of a third party suffering a compromise of their computer systems could lead to  the following:-

1.Business Interruption

2. Reputational Damage

3.Regulatory Actions and Fines

4.Loss of customers

5.Costs incurred to the business to rectify loss of data or damage to computer systems

6.There have been a number of high profile data breaches where losses have emanated from the supply chain :-

Target

In December 2003 hackers gained access to the heating and ventilation system of the retailer Target. As a result of network credentials being stolen from a mechanical services engineer the hackers were then able to gain access to credit and debit card data of customers. The cost of the breach is thought to be close to $300M with 100 million individuals being affected and the CIO of Target resigning soon after the breach.

Stuxnet

This was a malicious computer worm that targeted automated processes utilized to control machinery on factory assembly lines and systems within the nuclear industry.

It was introduced into a supply network via an infected USB flash drive by individuals that had access to the system It was then possible for the worm to move across the network which scans software that controls machinery and n influence the commands that were given.

NonPetya

Last year NonPetya was a malicious code aimed at software supply chains. The targets were outdated and unpatched Windows systems utilizing the EternalBlue vulnerability which hit many global businesses such as WPP DLAPiper and Maersk.

The hackers initially breached a financial services company in the name of MeDoc which was a third party software service readily utilized by goverments. Once access had been obtained they were able to install malware on their software which was then distributed to end users when the latest update was downloaded.

A report earlier this year by Symantec reported that there had been a 200% increase over the last 12 months in hackers injecting malware implants into the supply chain to gain access to the organizations computer systems.

https://www.symantec.com/content/dam/symantec/docs/reports/istr-23-2018-en.pdf

Perhaps one of the keys to ensuring that a supply chain is secure is to try and enforce the supply chain to have in place similar robust cyber security procedures and practices to the business in order to manage the evolving cyber risk landscape that exists.

 

Image : Shutterstock

The Holiday Cyber Risk Landscape

by
Holiday

The holiday season is now in full swing where people travel to far off destinations to enjoy a well earned break and to spend time with their families. Unfortutely the cyber threat remains with us …… and arguably is increased as people’s guard is somewhat down due to the relaxed environment that being on holiday promotes.

A survey carried out by Keeper Security Inc last year showed that the US posed to the greatest threat to holiday makers from hackers, however more worryingly the UK came in a second place with France, Spain and Italy also featuring in the top ten.

https://www.marieclaire.co.uk/entertainment/technology/cyber-security-holiday-destinations-523668

Some of the cyber threats that exist to indivuals and businesses are as follows :-

Insecure Wi-Fi Networks

A hotel wi-if network may be vulnerable if not secured with the latest security encryption software. This could also be said of restaurants or cafes. Attacks know as “Man in the Middle” where a third party is listening and changing information pretending to both the user and the application can intercept highly sensitive data and use this to compromise a users details.

GCHQ regularly warn travellers of the threats posed by insecure wi-fi networks and the holidayseason is when these threats become more prevalent. It is therefore important to check that the wi-if has the appropriate safety protocols in place in particularly when money is being transacted.

Holiday Scam E-mails 

It is conceivable that an individual could fall foul of a hacker before they leave their house .Holiday scam e-mails may portray a bogus website that offers a holiday deal which is too good to be true and the likelihood is that this could well be the case. Funds could be stolen by an on-line transaction with debit or credit card details also being compromised by a hacker.

Being Aware

Leaving a laptop or smart phone on your beach towel of on a cafe table opens opportunity for a speculative hacker to steal an electronic device and use data themselves or to post on the dark web to be sold at a later date.

Keeping a tight ship

The same principle applies to businesses during the holiday season who may not have their usual numbers in their cyber security team which creates an environment where threats could be missed or not acted upon as quickly as normal. A greater reliance therefore is imposed on everyday users to carry out good cyber hygiene in their everyday work schedule. Watching out for phishing e-mails and dubious website links which could lead for example to an incident of fraud or a ransom ware attack.

Back Home

Once back home it is good housekeeping to to check matters such as bank statements to ensure that no fraudulent transactions have taken place and that you can account for everything spent.

At work looking for any unusual e-mail activity or change in the functionality of your computer in case a virus may have downloaded itself whilst you were away.

Wherever you are on holiday cyber threats exist in many forms , hackers do not go on holiday so it is vitally important that you maintain the same cyber security posture.

The Challenges Facing Cyber Security

by

What are the challenges facing cyber security in 2018?

These will involve the development of existing threat vectors and the emergence of new ones, keeping up with the evolving capabilities of hackers will never be more difficult to repel and prevent.

General Data Protection Regulations (GDPR)

This presents a major challenge to all organisations with time marching towards the 25th May deadline. Many businesses in the SME space are behind the curve in their preparations for this and will do well to meet this deadline. If missed they will face the wrath of the ICO and possible fines for non-compliance.

https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/

Artificial Intelligence (AI) 

AI and machine learning is now available to hackers to conduct cyber attacks providing a challenging new cyber threat landscape that will need to be navigated. Machine learning will also be used for the good as it can assist the cyber security sector in analysing and monitoring new and existing threats.

Internet of Things (IoT)

The IoT theat is likely to develop further with possible focus on critical infrastructures and home devices. With it now being possible to purchase botnet kits on the dark web it is becoming easier to set up DDoS attacks.

State Sponsored Cyber Attacks

These do not look they will be alleviating any time soon and are likely to grow eminating from countries that look to install government instalibility or to carry out cyber espionage.

Ransomware

Ransomware will continue to be a major cyber security threat with new strains being developed by hackers focusing on businesses that have immature cyber risk management.

Mobile Breaches

The threat of mobile breaches is still very much with us and this could be the year that a substantial breach occurs. This could happen via a vulnerability in an app which may itself contain considerable amounts of data that a hacker could gain access to for ill gains.

Bitcoin and Blockchain

Bitcoin, the leading cryptocurrency made the headlines at the end of last year with its value increasing by leaps and bounds before coming back down to a more sensible valuation. Blockchain is not very well understood , but is now recognized as method in which fraud can be prevented and will gain in popularity as it becomes more mainstream.

Trust

Trust is emerging as a side issue in the development of cyber security. Trust that business are safe to trade with and that in the event of a data breach they will act in an honorable fashion and in the best interests of their employees and shareholders. This will impact on future trading and the reputation of a business.

What Will Cyber Criminals focus on?

  • Supply Chain

Cyber threats are being targeted on supply chains as their computer systems do not always have the same standard of cyber security as the main contractor this presenting oportinuties for hackers to exploit inferior systems as a gateway to compromising the main contractors systems. This is likely to continue.

  • The Healthcare Sector

This sector has always been a principal focus for hackers as the stolen data can be used for a number of things.With the standard of cyber security not being considered the most robust this presents this sector as being vulnerable to hackers.

SME businesses

The general immaturity of SME’s computer systems and lack of cyber risk management makes them a prime target for hackers . The mentality of “ it won’t happen to us “ does not hold true and is a dangerous game to play.

Adequate levels of cyber security risk management and the emergence of cyber insurance will play an important part in managing a cyber attack on a businesses’s computer systems. The challenges that lay ahead in the coming year will be huge and defending a business against such a varied threat landscape will be demanding.

Image : Shutterstock

Hackers Raise Cyber Risk Awareness in 2017

by
Mergers and Acquisitions

Hackers raise Cyber Risk awareness in 2017….. this is the one upside where Hackers have again grabbed the headlines with many high profile cyber attacks taking place resulting in cyber crime and data breaches. These are proving to shape the world of cyberspace and how cyber risk will be managed in the future.

What have been the high profile cyber security breaches this year ? 

Ransomware feature highly as the main attack vector utilized by hackers and proved to be the most effective in terms of impact and the disruption that was caused to businesses.

WannaCry

This was one of the main strains of ransomware that hit over 150 businesses throughout the world in May this year. This compromised the NHS and car manufacturing plants  such as Nissan  and Renault in the UK and the global corporations of  Telefonica and FedEX.

Not-Petya

This was the second significant ransomware attack within the space of two months and should have heighten businesses concerns that cyber risk was now a boardroom issue after the WannaCry attack.  Not-Petya took place in late June again reaching out to hit high profile global corporations that included Merck, WPP and AP Moller-Maersk having longer lasting consequences on their trading ability and reputations.

Equifax

The US credit reporting agency revealed in September that they suffered a data breach which compromised the accounts of 143 million US customers, it is believed that a certain percentage of these were also UK citizens.

Uber

It was announced by Uber last month that they were hit by a data breach which affected 57 million users by an attack that occurred 12 months earlier. A ransom of $100,000 was also paid to the hackers.

Morrisons

Whilst this breach was not new it does have potential far reaching consequences for the directors of a business. It was found by the High Court that those affected by a data breach which was caused by an employee, were allowed to claim compensation for the ” upset and distress” caused.

What happened in the UK ?

Whilst hackers infiltrated many businesses worldwide, in the UK we also saw businesses and organisations being hit demonstrating that cyber attacks are closer to home that many people may believe, here are a few examples :-

Sports Direct revealed in February that they had been hit by a data breach where a hacker had gained access to their 30,000 employees personal details which included names , addresses and e-mail details.

Wonga announced in April that 245,000 of its customers in the UK had been affected by a data breach, personal details this time included bank account details.

RingGo, the parking payment app was subject to a data breach in April whereby 2,000 customers were affected

Hotpoint UK had their website compromised in May when malware was discovered on their computer system luckily no data was taken on this ocassion.

Cardiff City Centre suffered the embarassment of their computer system being compromised in August with a Swastika being posted on a shopping billboard.

The Scottish Parliament suffered a brute force attack in August where hackers targeted the e-mail accounts of MP’s in an attempt to obtain passwords

Lessons to be learned …..

Cyber crime and data breaches will not go away and will continue to be a prominent threat to busineesss

This is a major issue for businesses so much that it is now on boardroom agendas

Cyber risk needs to be managed at all levels of a business

Cyber attacks can happen to any business , SME’s are faced with the same vulnerabilties as larger organzations

Cyber risk needs to be embedded into a business’s risk management procedures and processes.

Inadequate cyber risk management will impact of the reputation of a business.

2018 will be a testing time for many business sectors with the volatility of the economy, unstable governments and Brexit to name a few but cyber risk should also sit alongside these challenges as the impact of failure to address this is likely to be just as influential.

Image : Shutterstock

The Good,The Bad and the Dark Web

by
The Dark Web

So what is the Dark Web?

We have all heard of the dark web but it is unlikely that we actually know what it is…..

The Dark Web is part of the world wide web and requires specific software in order for it to be accessed, once this is in place its websites and other services can be readily accessed. Not all sites are visible and can be hidden because they have not been indexed by a search engine and can only be accessed if the precise address of the website is known.

The dark web sits below the “Surface Web” i.e.Google and Yahoo and the “Deep Web” which includes scientific and government reports and subscription-only information.

Certain markets operate within the dark web and are known as “darkest markets”which tend to sell illegal goods such as drugs and firearms, the currency of which is bitcoin where it is difficult to trace the source of the recepient.

Individuals and groups can seek total anonymity as these are generally groups who wish to stay hidden on line from the police and governments.

Let’s go Dark….

This is possible by downloading software such as Tor known as the “Onion Router” where users can be idenitified by the domain name “onion” and focus in providing anonymous access for users. Whilst 12P  the “Invisible Internet Project” permits the anonymous hosting of websites. It is not possible to identify the IP address and track dark net users due to the layered encryption systems that are in place. Intermediate servers are also used which helps in making identification impossible.

The Dark Side 

Hackers exist here to sell their services offering services such as :-

  • Tools for DDoS attacks
  • Fraud services
  • Phishing of websites
  • Scams
  • The recruitment of hackers

The Impact on Cyber Insurance 

The insurance industry focuses on loss prevention and it is important therefore that they are alive to new and developing threats which can in the first instance be discovered on the dark web.

Stolen data can appear in the dark web which can include for example names , addresses, credit card and bank account details rails  and medical records, these will be for sale from various sources.

An innovative step by CFC Underwriting Limited has been launched with RepKnight whereby they offer a dark web monitoring tool called BreachAltert for its policyholders that provides alerts in real time should their data become exposed on the dark web. This can be configured for e-mail domains server IP addresses, employee login credentials and lists of clients and employees. This will enable policyholders to be the first to know if their information has been leaked.

https://www.repknight.com/cfc-underwriting-cyber-policyholders-set-to-benefit-from-free-dark-web-monitoring-in-industry-first/

Image : Shutterstock