CiSP – Cyber Security at your fingertips

CiSP stands for the Cyber-security Information Sharing Partnership, a joint industry and government initiative that sits within CERT-UK.

What is CiSP?

It is an online social networking tool, established in 2013, which allows members to exchange information on threats and vulnerabilities as they take place. CERT-UK is the national computer emergency response team, with a number of responsibilities that stem from the UK Cyber-Security Strategy. CiSP is used by many businesses across industry and provides reports that help its members to improve their awareness of cyber security threats.

www.cert.gov.uk/cisp

The South West Regional Group launch of CiSP took place recently; this was the 12th and final launch carried out in the UK. It was jointly sponsored by the SW Regional Cyber Crime Unit (RCCU), CERT-UK and J.P. Morgan (Regional Champion). The profile of the sponsors demonstrates the importance attached to CiSP and the impact it is perceived it can make in developing the cyber security programs of businesses.

Why should you become a member of CiSP?

  • Early warning of cyber threats that may affect businesses
  • Collaboration between businesses and government in a secure environment
  • Ability to help businesses protect their livelihood from cyber threats
  • Businesses can learn from the experiences of others, both the mistakes and the successes
  • Availability of specific sector content on cyber threats and incidents that have taken place
  • Businesses that have a small or non-existent cyber security budget can avail themselves of the information
  • Any business can join and benefit from the scheme
  • It costs nothing to become a member and can help a business prepare for a cyber attack

CiSP Membership Link

How can CiSP help a business?

  • Alerts and advisory papers on cyber security
  • Reports on threat trends
  • Malware and phishing e-mail analysis
  • Guidance and best practice on common areas on both a national and global basis

One of the key features is the Fusion Cell that consists of a team of analysts taken from government and industry who provide source analysis of cyber threats and vulnerability updates.

The scheme is aimed at SMEs, who are considered one of the most vulnerable business sectors, with varying degrees of cyber maturity. It is therefore important that they understand how to protect themselves from cyber attacks and the resulting cyber crime that can occur.

Industry Endorsement

The British Insurance Brokers Association (BIBA) is going to sponsor its members to join the scheme in order to help improve awareness of the cyber risks that exist.

This will no doubt become a common theme within other industries in the future.

Insurance has a role to play 

Cyber insurers and specialist insurance brokers can also contribute to CiSP by providing current data and information of cyber security attacks and data breaches that they have been involved with and managed.

 

Cyber breaches hit UK businesses

Cyber breaches are hitting UK businesses, according to a recently released report commissioned by the UK Government.

Two thirds of large UK businesses hit by cyber attack in past year

Following the high profile targeting of TalkTalk, Vodafone and Wetherspoons, it is no surprise that large businesses are still the focus of cyber breaches. The underlying message to these businesses is that they need to improve their cyber security programs in order to combat these threats.

Main Report Findings

  1. 1 in 4 large businesses encountered a breach once a month
  2. Only one-third of all firms had a written security policy
  3. Only 10% of all businesses had an incident response plan in place should a cyber attack occur
  4. 13% of all businesses set cyber security minimum standards for their suppliers
  5. Only 20% of firms validate the providers of cloud computing services.
  6. 7 out of 10 of the attacks involved compromises by viruses, spyware or malware

Why has this happened?

The report also highlighted the fact that many firms do not have cyber security programs in place that are in accordance with government guidance such as the Cyber Essentials Scheme and the “10 Steps Guide to Cyber Security”. This must be a major concern to the Government, as these two measures alone would establish a good level of cyber security.

Cyber Essentials is generally more difficult to achieve for larger businesses, as their systems tend to involve the use of bespoke software and its management. The certification is geared more to standardized systems, which are more akin to those of SMEs. There is therefore a question here as to whether Cyber Essentials needs to be adapted to larger businesses.

Cyber Insurance

The report also makes reference to 37% of firms having in place some form of cyber insurance, either in the form of extensions to professional indemnity insurance policies or stand-alone, specific cyber insurance policies.

A concern raised by the report is that there is a lack of knowledge about what is covered under a cyber insurance policy, and the insurance industry therefore has a role to play in helping businesses understand this form of insurance.

Cyber breaches will continue to impact on businesses unless they have a formal cyber security program in place to protect them from the increasingly sophisticated cyber attacks that can compromise a business.

Panama: The Cigar is Still Smouldering…

Up until recently Panama was associated with a canal, hats and cigars. It is now known for one of the biggest data breaches ever known: the Panama Papers.

What are the Panama Papers?

These are a leaked set of 11.50 million confidential documents that provide details of approximately 214,000 offshore companies listed by Panamanian law firm Mossack Fonseca. This information contained the identities of shareholders and directors of these companies and showed the wealth of high profile individuals, including assets that were hidden from the public. Individuals included past and current heads of state, government officials and celebrities from over 40 countries. Investigations have now determined that some of the companies may have been utilized for various illegal purposes.

The Panama Papers exceed the previous largest data breach record, held by Wikileaks, by 1500 times.

How did this happen?

An anonymous source known as “John Doe” passed the documents to German newspaper Süddeutsche Zeitung, a process which it is understood commenced at the beginning of 2015. The quantum of data involved was 2.6 terabytes, which is a vast amount of data. In view of this the newspaper recruited the assistance of the International Consortium of Investigative Journalists (ICIJ), which distributed all the documents so that they could be investigated by various journalists and media organizations around the world. The first documents were published on 3rd April. The ICIJ will issue a full list in May of all the companies involved.

What was the cause of this huge data leak?

There are a number of different schools of thought as to whether this was due to an insider or an outsider hacker attack, but one thing that is certain is that Mossack Fonseca did appear to have very poor cyber security procedures in place.

This has been evidenced by some of the following cyber security flaws that have since been discovered:-

  • The Outlook Web Access login had been utilized since 2009 with the client login not being updated since 2013
  • The computer systems included a high risk SQL injection vulnerability that allows anyone to remotely execute arbitrary instructions.
  • The main computer system included a version of WordPress that was three months out of date.
  • Configuration of the website was not recognized as best practice.
  • Mossack Fonseca’s e-mails were not encrypted
  • The systems were vulnerable to external scanning and possible exploitation

With the amount of data involved, it is believed that it took about one year for the data to arrive at its destination. It is a wonder that no one noticed this amount of data leaving the company. Interestingly enough, very few US citizens were listed in the papers, which may be due to the fact that the US has different corporate tax structures which negate the need for offshore tax arrangements.

www.wired.co.uk: The security flaws at the heart of the Panama papers

Why was Mossack Fonseca targeted?

Legal firms hold a great deal of data on their clients, including copies of personal data, confidential documents and legal transactions, which makes them a prominent target for hackers. A high profile legal practice such as Mossack Fonseca, involved in the areas in which it practiced, therefore represents an ideal victim to a hacker.

The poor cyber security procedures in place do perhaps suggest that this data compromise may have come from an insider hacker who knew the computer systems, perhaps an employee with a point to make or an overarching grudge.

Reputational damage, which sometimes causes irreversible damage to a firm, is also a consequence of a breach of this nature and another possible reason for this attack.

What could have prevented this data breach?

In the current climate no one business or individual is 100% secure from a cyber security breach, but certain procedures seemed to be absent from what would be expected to be standard cyber security risk management procedures:-

  • Prioritising of cyber security
  • Regular patching of software
  • Updating of software
  • Regular login updating
  • Encryption of all sensitive documents
  • Website security

How Cyber Insurance could have helped?

A cyber insurance policy can provide the following coverage.

  1. Data breach costs incurred including notification costs to the appropriate regulatory bodies
  2. Regulatory costs and investigations that may arise as a result of the breach
  3. Post breach costs including investigation and forensics costs incurred to monitor and analyse the data breach which would help identify the cause of the incident.

The proposal for cyber insurance also requires certain minimum security measures to be in place at the outset, prior to the policy incepting. The purchase of a cyber insurance policy may therefore have helped Mossack Fonseca focus on certain areas of cyber security that may have prevented the hacker from penetrating their computer systems.

From the wider perspective the insurance market is assessing its exposure by gathering data from insurers and reinsurers in order to ascertain the consequences of this loss to the industry. One thing for sure is that insurance coverage would not respond to any illegal activities.

General Data Protection Regulations

Despite being passed, the GDPR are not yet in force, but what would the ramifications have been for Mossack Fonseca? These rules will apply to entities that carry out business with companies based in the EEC. Whether the complicated legal structures put in place by Mossack Fonseca would have been implicated by this is difficult to tell, but fines of 4% of annual global turnover or €20,000,000, whichever is the less, would apply if this was the case.

Lessons to be learned

  • Robust cyber security measures and procedures are paramount to a business's armoury in protecting its very existence.
  • Law firms will be alerted to this data breach, and with recent attacks in the US this sector is clearly a current target for hackers
  • Cyber Insurance can help improve cyber security and mitigate the effects of a data breach

The biggest data breach ever experienced is still being uncovered, and further revelations will no doubt come to light in the coming months… the cigar is still smouldering.

 

Malvertising… the hidden threat

Last week a number of major news websites saw their advertisements hijacked by a malicious Angler campaign that attempted to install ransomware on users’ computers. The attack, which was initially targeted at US users, hit websites including the BBC, AOL, New York Times and the NFL. The combined volume of traffic for these websites totalled billions of visitors.

http://www.theguardian.com/technology/2016/mar/16/major-sites-new-york-times-bbc-ransomware-malvertising

It is understood that the malware was delivered through multiple ad networks, and used a number of vulnerabilities, which included a recently-patched flaw in Microsoft’s former Flash competitor Silverlight.

The Daily Mail, Skype and the Premier League Fantasy website have all been targeted within the last month with malvertising campaigns.

Malvertising uses advertising networks to spread malicious Flash objects and other pieces of malicious code to other websites. Hackers upload these malicious objects and code to ad networks, paying the network to distribute them as if they were real advertisements.

For example, you could visit a newspaper’s website and an advertising script on the website would download an ad from the ad network. The malicious advertisement would then in turn try to compromise the web browser.

Malvertising takes advantage of flaws in the software that the user is utilizing in order to infect the user on a legitimate website. This removes the need to fool the user into visiting a malicious website.

The most popular times for these attacks are on a Friday, when there is less monitoring being carried out for suspicious activities, and during the weekends, when there is heavy web surfing.

There are a number of methods used for injecting malicious advertisements or programs into webpages, such as:-

  • Pop-up ads
  • Drive by downloads
  • Web widgets
  • Malicious banners on websites
  • Third party advertisements on websites
  • Third party platforms such as forums or help desks

There are a number of ways of protecting websites from malvertising attacks, such as keeping plug-ins and web browsers updated. Risk management also has an important role to play, in particular the management and surveillance of the supply chain.

A cyber insurance policy can provide coverage for an attack of this nature through the disruption it may cause to a business and also the vendor services provided via monitoring and forensic investigation.

Cyber Business Interruption – “Biggest Concern”

Cyber business interruption is considered by 49% of businesses to be their biggest concern in the event of a cyber breach, according to the Institute of Directors’ recent policy report “Cyber Security: underpinning the digital economy”.

Cyber security: underpinning the digital economy

The report, sponsored by Barclays, carried out a survey of 1000 businesses which showed that one in eight members suffered damage as a result of a cyber business interruption attack. Of these, 11% suffered actual financial loss, which demonstrates that cyber crime can impact on the balance sheet of businesses in a significant fashion. Interestingly, only 28% of these incidents were reported to the police.

Some other highlights of the Institute of Directors Policy Voice Survey were as follows:-

  • 57% had a formal cyber/information security strategy in place
  • 49% said they provided cyber awareness training for employees
  • 43% didn’t know where their data was physically stored
  • 72% experienced social engineering scams
  • 20% hold cyber insurance (with 21% unsure if they did have this)
  • 21% are considering the purchase of cyber insurance

The survey demonstrates that cyber security is taking a much higher profile within businesses and that they are now actively improving their cyber security, but there is room for considerable improvement. There were many key moments in 2015, with the high profile breaches of TalkTalk and Ashley Madison making businesses look up and think “could this happen to us?” The answer is of course “yes”, and in fact it could be happening right now, with an average breach taking six months to discover.

Richard Benham, Professor of Cyber Security Management and the author of the report, has identified four key trends that are likely to become increasingly important in the coming years:-

  1. Cyber in the boardroom – cyber risk is now at boardroom level and cyber risk strategies are likely to be formulated there.
  2. Cyber education – the UK government will play an important role through the promotion of Cyber Essentials and the instigation of courses such as The National Awareness Course.
  3. The Cloud – this will rise in prominence but businesses must not ignore the management of their data.
  4. Cyber insurance – this form of insurance has developed in recent years to cover both first and third party exposures of a business. Whilst still an evolving product, it is being considered by more businesses and this is likely to increase.

The Institute commented: “Our report shows that cyber must stop being treated as the domain of the IT department and should be a boardroom priority. Businesses need to develop a cyber security policy, educate their staff, review supplier contracts and think about cyber insurance.”

The report concludes by highlighting that cyber security is an international threat. The suggested key is to have in place a credible plan that can assess the large spectrum of threats and how these can best be managed by a business.

UK businesses can achieve this through robust cyber security management. This should be complemented with cyber insurance, on the basis that coverage is appropriate for the business and that it is not regarded as the “cure for all evils” in the cyber threat landscape that exists today.

A cyber insurance policy can provide coverage for cyber business interruption by way of standard coverage or a bespoke policy endorsement, therefore helping a business to manage this cyber peril.

Cyber Security risks face education sector

Is the education sector facing cyber security risks?

In the US last week a hacker broke into the University of California’s computer system, which contained data on 80,000 students. This apparently occurred in December whilst the university was in the process of patching a security flaw in its financial management system.

University of California

This followed a similar breach earlier this year at the University of Florida, where private information of current and former employees going back to 1980 was accessed. A lawsuit has been issued which is seeking class action status. There was also criticism of how the breach was managed.

On this side of the Atlantic, in December university students were unable to submit work as a result of the academic computer network called “Janet” coming up against a distributed denial of service (DDoS) attack, causing reduced connectivity and disruption. The University of Manchester was one of the universities impacted by the DDoS attack.

Earlier last year the University of London Computer Centre (ULCC) was hit by a cyber attack which again left millions of students unable to access the organisation’s IT services. The centre provides services to over 300 UK institutions and supports over two million higher education and further education students on its open-source learning platform Moodle.

The education sector accounted for nearly 10 per cent of all breaches in the past year, according to cyber security company Symantec.

Symantec Internet Threat Report 2015

Personal Data

Universities and colleges hold an abundance of personal data which makes them attractive to hackers, such as credit card details and medical information of current and former students and employees. This also becomes complicated to manage, as students come from many different parts of the world, bringing with them wide ranging data protection regulations.

Multiple Entry Points

The education sector traditionally provides multiple entry points with a huge spectrum of users having access to its networks. The access is also available 24/7 365 days a year via many devices that may not be secure such as laptops logging in from remote wi-fi locations.

Social Media

Within the education framework social media features prominently, and in the absence of social media policies with specific standards in place this can leave a university vulnerable to the inadvertent sharing of information that may not be meant for the public domain.

Separate Networks

A college or polytechnic may consist of a number of separate networks which may not have a high level of cyber security and therefore present a number of cyber security risks.

Intellectual Property

Certain establishments hold highly sensitive research information in the fields of science, health, defense and aerospace. This could make them a target for hackers and terrorist organisations.

Cyber Security Research

Cyber security research itself could also be a target, with the Global Centre for Cyber Security Capacity Building in Oxford University’s Martin School. A number of universities, such as the Universities of Bristol and Kent, have been awarded the status of Academic Centres for Excellence in Cyber Security Research, which means that they will work more closely with the Government Communications Headquarters (GCHQ).

Cyber liability insurance can play a very important role in supplying an extra layer of comfort in the event of a cyber attack to education establishments, providing coverage for a significant number of the potential cyber security risks that exist in this sector.