Cyber Security

Is BYOD an acceptable Cyber Risk?

by
BYOD

BYOD know as Bring Your Own Device is a practice whereby businesses permit the use of employees own laptops, notebooks or smartphones in the working environment.

The cyber risk associated with this philosophy is very real and it is vitally important that this is managed within the businesss.

A survey carried out by Information Security last year reported that 1 in 5 businesses around the world suffered a mobile security breach. The survey also identified that the main concern of usage of BYOD’s was data leakage or loss.

Did you know that 35% of employees store their work password on their smartphone (Source : SecureEdge Networks)

BYOD Policy

It is crucial that the business has a clear and robust BYOD policy which should include the following:

1.An acceptable use policy that reflects appropriate guidance and accountability with input from other stakeholders of the business.

2.Management of Social Media as it is likely that there will an an increased use of this.

3.The type of personal data that can be processed on the device.

4. Ensure that a back up plan is in place as mobile devices can fail or be compromised.

5.Reporting of incidents in a prompt fashion in order to comply with company policy and to meet any legal obligations.

The Information Comissoners Office provides guidance notes on BYOD which are a good reference point for businesses.

https://ico.org.uk/media/for-organisations/documents/1563/ico_bring_your_own_device_byod_guidance.pdf

What are the risks?

The main feature of BYOD is that the user owns, maintains and supports the device. As a result of this the data controller will not have as much control as they would should the device be provided by the business.The main concern is the security of the data and this is monitored over a number of devices.

With the focus on data the business should be aware of the following:-

The type of data held on the device

What application data will be held on

How the data will be transferred and asssessment of any possible leakage.

The type of security that is operated under the device.

The line between personal use and business use.

Can Cyber Insurance help?

It is possible for a cyber insurance to provide coverage for cyber risks arising from BYOD devices within a business. Insurers will ask certain risk management questions in order to assess the risk and if acceptable will include this aspect of coverage under the policy.

Image : Shutterstock

What is a Denial of Service Attack?

by
Denial of Service

What is a Denial of Service attack?

A denial of service attacks is a form of cyber attack where a hacker aims to make a computer or network unavailable to its user.

It’s full description is described as a Distributed Denial of Service (DDoS) attack and is carried out by disrupting the services of a host that are connected to the internet by flooding the target with bogus requests which will overload the computer making it inaccessible by the users.

The UK is only second behind the US as being the most targeted country for DDoS attacks. The UK is subject to just under 10%of the world’s DDoS attacks, whereas the US boasts 50.30% of the total of attacks.

Over the last year DDoS attacks have increased by 211% as reported by cyber security consultants Imperva. The main source of the attacks is South Korea over taking China .

In recent months the size of attacks have started to become much larger. An average attack is around 200 Gigabits per second but attacks of between 600Gbps and 1 Terrabit per second are now evident. An attack of this magnitude would cause serious disruption to a businesses computer systems.

Consequences of a DDoS Attack

Business Interruption

A business could be severely disputed for a period of  time which prevents the business from trading normally.On-line retailers for example could loose a high volume of sales.

Reputational Harm

The business may suffer reputational issues following a DDoS attack and the perception by it customers that its cyber security procedures are not of a sufficiently robust standard

Common Types of DDoS Attacks

UDP Flood

User Datagram Protocol is where random ports are attacked on a computer system by packets which cause it to listen for applications on those ports and signal back with a ICMP packet.

Ping of Death

This is known as a “POD” that manipulates IP protocol by sending packets larger than the maximum byte allowance. As a result this causes the computer servers to crash.

Peer to Peer

This is where a peer to peer server is compromised to route traffic to a target website. Users are resultantly sent to the target website where it is eventually overwhelmed and is taken off line.

https://www.rivalhost.com/12-types-of-ddos-attacks-used-by-hackers

Dyn – The Largest DDoS Attack – Case Study 

This DDOS attack heralded a new dawn of what these forms of cyber attacks can achieve as it bought down a huge chunk of the US internet.

It was called the Mirai bonnet and targeted the servers of Dyn which is a company that controls a large proportion of the the DNS infrastructure.This occurred in October last year and took place for almost a day. In its wake it bought down household names such as Twitter, the Guardian and Netflix in Europe and the US.

A network of computers were infected with malware know as a “botnet” and coordinates into bombarding a sever with traffic until it gives way under the weight of the traffic that it is being hit with.

What was unusual with the Mirai botnet which normally consists of a number of computers but this consisted of Internet of Things devices that included digital camera and DVR players.

Due to the fact that so many devices connected to the internet this enabled the attack to be so much larger than any other previous DDoS attack. The attack was thought to be the strength of 1.2 Tbps and twice as powerful of  the next most powerful attack.

It is good business for hackers ….

Kaspersky Labs have carried out studies on Denial of Service attacks exploring the business model and its popularity. A DDos attack can costs as little as $7 an hour with the average rice being $25 an hour . The profit margin can be as much as 95%.

https://www.thecsuite.co.uk/cio/security-cio/ddos-attacks-the-hackers-profit-margin/

Cyber Insurance 

Cyber Insurance can provide assistance in the event of DDos attack by providing the following policy coverage :-

Business Interruption

Cyber Extortion

Incident Response Services

Businesees need to be prepared for the threat that a DDos attack can bring and it important that their cyber security risk management procedures are effective to combat attacks of this nature which are being bought about with increasing severity by hackers.

Image : Shutterstock

The Human Factor in Cyber Risk

by
Deep Fake

The Human Factor in Cyber Risk is the biggest cyber threat that businesses face today……

Businesses recognize the cyber risk created by the outside threat of a hacker but the human factor or insider threat is the greater threat . By virtue of human nature, people are susceptible to making mistakes and it is this unpredictability that offers most businesses most concern and the ability in which to manage this.

The Facts

  • The Kroll Annual Global Fraud and Risk Report identified that 56% of businesses advised that insiders were the key perpetrators of cyber security incidents , with former employees being a high percentage of these at 23%.

http://www.kroll.com/en-us/intelligence-center/press-releases/building-resilience-in-a-volatile-world

  • The Mimecast study last year showed that 45% of businesses felt that they were not prepared against insider attacks.

https://www.mimecast.com/resources/press-releases/Dates/2016/8/malicious-insiders/

A PWc report prepared last year also found that current employees are the top insider cyber risk to UK businesses, so what are the main forms of cyber risk that are bought about by human factors…..

1.Malicious 

Motivated by a user wishing to cause a businesses harm, possibly for revenge or spite due to frustration at work, reward by an outside organisation or competitor.

As an insider they do not need to get around firewalls and can avoid detection and are normally in a position of trust where their actions are not questioned.

The attacks consist of deliberate acts such as :-

Infection of Computer Systems with Malware  

An employee could deliberately inject a malicious software in the businesses computer system which would cause disruption.

Selling of Passwords

This could lead to corporate data being being stolen and passed to a competitor

Abuse of Internal Logins

The Ponemon Institutes’study on the Insecurity of Privileged users last year identified that 21% of the respondents felt that privileged access was not actually necessary. The report highlighted that users with access to the most sensitive information are the most likely to be an insider risk.

https://www.ponemon.org/

2. Accidental

These are caused by carelessness and lack of awareness perhaps during a busy period at work, at a certain time during the day after lunch or a Friday afternoon when thoughts could be on the weekend.

Negligence 

An inadvertent transmission of a virus via an e-mail that could corrupt a third parties computer system

The leaving of a laptop   on a train or in shop

Uploading of sensitive information that may be sent out into the public domain.

Social Engineering

An employee may open an innocent looking attachment to an e-mail which contains a virus that compromises the business computer systems. This is known as a phishing attack and could lead to the system being locked down from a ransomware virus attack.

Phishing attacks can be targeted i.e Spear Phishing or ciculated non discrimently.

Poor Password Housekeeping

An employee may keep their password by writing it on a postit note on their computer screen or have this written on their desk note pad, this provides an opportunity for another employee to access their computer profile.

Examples of Insider Attacks in the UK 

Tesco

40,000 customer accounts of Tesco bank out of a total of 136,000 were subject to suspicious transactions, 9,000 of these had money stolen from their accounts. The sums taken were relatively small varying up to amounts of £600 but eventually totaled £2,500,000. It is suspected that the compromise of the customer accounts were as a result of an insider.

Sage

The accounting and HR software firm suffered a data breach, which appeared to be an insider attack. Employee data of 280 UK customers was accessed and possibly compromised. It is understood that an internal login was used to gain unauthorized access to the data.

Morrisons

An insider published details of the entire Morrison 100,000 employee database which appeared to be motivated as a revenge attack. The employee was likely to have taken advantage of his privileged rights. A number of employees have now launched legal action against Morrison’s

Ten ways to help manage the Human Factor  

1.Ensure that cyber security policies and procedures are in place

2.Introduce staff awareness of current cyber security threats

3.Robust training of staff on all aspects of cyber security

4.Employee conduct review prior to joining company

5.Monitoring of employees that are leaving the company in terms of their on-line activity

6.Monitoring of internal network activity and review of unusual activity

7.Assessment of large amounts of data being accessed or moved

8.Sharing of best practices

9.Restriction of  administrator login

10.Purchase of cyber insurance to help mitigate losses

The Human Factor can also be one of the best defences against cyber attacks if employees are appropriately trained and aware of the changing threat landscape that businesses face.

Image : Shutterstock

Rio 2016 – The Cyber Threats

by
Rio 2016

Rio 2016 is here …..expectations are high for another GB medal haul,  but this major sporting event is inevitably going to be a target for cyber attacks

Some facts that will make Rio 2016 a draw for hackers  …

  • Brazil is already recognized as hub for cybercrime ranking 10th in the Symantec 2015 Internet Security Threat Report
  • London 2012 experienced 165 million attempts to breach cyber security , at Rio 2016 it is anticipated that this could be 4 times this….
  • 5th August to 21st August presents a significant window for hackers to exploit
  • 37 Venues
  • 306 Events
  • 10,500 Athletes
  • 206 Countries participating
  • 7.50M Tickets available for the events
  • 500,000 overseas travelers expected in Rio de Janeiro

Why The Olympics?

Major sporting events grab the attention of the entire world but unfortunately this also attracts elements of the population who perceive this as an opportunity to be exploited  ….. the world of cyber crime.

The threat that cyber crime poses to an event such as this is similar to that which exists for any other business but on a much larger scale and with more dramatic consequences due its high profile and the many threat vectors that exist.

The Cyber Threat Landscape

Some of the targets for cyber criminals are likely to be the following :-

1.The Official Rio 2016 Website

Distributed denial of service (DDoS) attacks preventing access to website by fans.

The accessing of the website by hackers, altering the data such as falsifying the results and interfering with medal tables.

Defacement of the website by a hacktivist.

Spectators and visitors will no doubt access the website via Wi-Fi and vulnerability will exist if they inadvertently log in through a rogue Wi-Fi connection which could lead to the stealing of their personal data.

2.Event Tickets

Ticket fraud with the setting up of bogus websites taking fans money and issuing counterfeit tickets.

Website scamming offering last minute match day tickets for the big events with no ticket actually being produced.

3.The Venues

Technology will be pivotal in all aspects of the running of the 37 venues being used in Rio 2016. Entry to the venues, ticketing processing, management of lighting and associated infrastructure would all be impacted in the event of a cyber attack.

4. Competitors Data 

The event will involve a huge amount of data ranging from credit card data of spectators, athletes confidential information or the database of the organizers which is likely to be targeted by hackers. This could occur through phishing attacks in order to steal personal private information (PPI)and then lead to possible bank fraud of individuals. Brazil does have an established reputation for on-line banking fraud.

5.E-mail Transmission

E-mail scamming could be caused by bogus e-mails set up to obtain athletes and officials personal information that could be disseminated over the internet. The endless sending and exchanging of e-mails also presents an opportunity or spamming.

6.Media Coverage

World wide coverage will be provided to this event by television companies who will be reliant on technology and the service could be interrupted or even blacked out by a hacker wishing to cause transmission downtime. For example a video re-run of the 200 m final could be disrupted by a ransomware attack.

7. Computer Network 

The spreading of a malware attack within the internal computer network and third party providers could cause enormous interruption to the running of the numerous events taking place. The reliance on technology reaches far and wide ranging from the transportation network to close circuit TV surveillance systems.

8. Mobile Applications 

Fake mobile apps devised by developers to give the impression of the official Olympics app. Smartphones area also at risk if stolen and personal data is sourced.

9.Cyber Terrorism

Cyber terrorism could occur in a number of forms. A ransomware attack would limit or entirely restrict the use of computer systems affecting the running of Rio 2016.

There may be political motivation from countries that want to disrupt the Olympics. This could be to make a political stand on an issue or perhaps a country that failed to win an event or perhaps a competitor that was disqualified and the country that was represented takes retaliation.

The threat of remotely controlled drones by cyber terrorist entering an event causing disruption and delay to matches.

10.Social Media

Infiltration of social media websites by hackers of the tournament and personal accounts pose a threat to fans , players and officials privacy.

Cyber Risk Management Program

The International Olympic Committee will no doubt have in place a comprehensive cyber risk management program to manage the programs of events which is likely to be broken down into the following :-

  • Identification of cyber risk vectors
  • The mitigation of cyber risk within the tournament
  • The transfer of residual cyber risks that they are unwilling or unable to manage.

Cyber Insurance

Cyber Insurance can assist with the transfer of cyber risks associated with sporting events by providing the following insurance modules :-

  • Network Security Liability
  • Data Privacy Liability
  • Multimedia Liability
  • Network Business Interruption
  • Data Asset Protection
  • Cyber Extortion
  • Crisis Management

A cyber insurance policy also provides post breach vendor assistance helping with data breach notification , forensic investigation and public relations.

Rio 2016 is global event that is reliant on technology which does make it especially vulnerable to cyber security threats, it is therefore important that these are recognized and measures are put in place to mitigate the potentially severe consequences that could impact on the games.

Image Credit: rvlsoft / Shutterstock.com

EU-US Privacy Shield – En Garde !

by
EU-US Privacy Shield

EU-US Privacy Shield will come into force on the 1st August and this now replaces the defunct Safe Harbour.

What has caused the delay?

Finally getting this over the line has been frustrating as it has met the resistance of the European Commission whose fault finding Article 29 Working Parties Opinion on this was delaying the final agreement.

This has now been given approval by the Article 31 Committee on 8th July and on 12th July the European Commission issued an “implementing decision” which ratifies that the Privacy Shield will be adopted.

Despite criticism from certain quarters during the negotiation phase this does now provide some certainty on how businesses can legally transfer personal data between the EU and US.

The Background

In February we covered the announcement of the  hotly awaited replacement to the Safe Harbour in our post

EU-US Privacy Shield – Is data safe again?

The main obligations imposed on firms handling Europeans personal data are as follows:-

  • Individual Notification

Businesses must inform individuals of their rights under the US-EU Privacy Shield and what rights they have including specific reference to how their particular data is processed

  • Opt Out

Individuals can object to the disclosure of their personal data to third parties or for specific purposes.

  • Responsibility for movement of personal data

This should be limited and made clear for what purpose this is going to be utilised. The level of protection of the data in this process must be no lesser to that set out under the Privacy Shield.

  • Security Measures

These must be in place commensurate with the type and sensitivity of the data and how this will be processed.

  • Access to Data

This must be possible and if amendments are required to the data then this must be carried out promptly.

  • ƒData Integrity

Data must be set out in accordance to its’ relevance and end use, this must be up to date and accurate in all respects.

  • Consequences of non adherence

Processes to be put in place to ensure that compliance is achieved and a system of redress with options for legal remedies.

A copy of the Framework Principles as issued by the US Department of Commerce is available at the link below

EU-US Privacy Shield Framework Principles

What will the impact of Brexit?

This is going to be one of the many issues that will need to be negotiated with the U.K. leaving the EU. The protection of personal data is a foremost consideration all around the world today and this geographical location is no exception.

Would the UK now need to negotiate a separate Privacy Shield with the US – will we therefore see a US-UK Privacy Shield?

How does this interact with the General Data Protection Regulations that come info force on 25th May 2017? The UK will need to implement similar data protection regulations when dealing with the EU and the personal data of individuals within these European States. Data from the EU may also circulate via the UK to the US which is a further dilemma that will need to be addressed.

Can Cyber Insurance Help?

This form of policy provides protection for loss of personal data for such scenarios as a result of a hacker attack , the inadvertent loss of data by an employee or the destruction of data by a malicious act. The post breach response vendors provided by insurers also provides a significant benefit to businesses.

Cyber Insurance can therefore play a role in mitigating the impact of a data loss irrespective of the changing legal landscape that is evolving.

The underlying message to the business environment is that they must have heighten awareness and be very much ” En Garde” as to the dynamic changes on how data is processed and protected and the pitfalls of non-compliance.