Welcome to this week’s edition of the teiss magazine.
The numerous attacks on pharmaceutical companies developing vaccines for covid-19 has brought the value of scientific and medical research into the limelight. This week we have two more stories on this for you including an article on exosomes (no, we didn’t know what they are either). We also have articles on governance and some suggestions about security strategy. As well as stories about this week’s major leaks.
Celebs have been targeted recently as eight Brits used a SIM swapping attacks to steal over $100m from internet influencers, sports stars and musicians in the US. These attacks are relatively easy technically but take a good deal of intelligence.
That’s why most of us suffer from simpler phishing attacks with Microsoft, Facebook and PayPal named as the favourite brands of the criminals. And, as we all know, remote working is making it harder for organisations to defend against phishers and other cyber criminals. With the technology always evolving, it’s time to get ahead of the next cyber breach.
Bitcoin has been soaring upwards in value recently so we thought a couple of stories might be of interest. We uncover the Biggest Myths About Bitcoin. And we give you the essentials for any novice trading bitcoin. Watch this space for stories about criminals getting in on the act.
Email is still a problem for organisations and stemming the tide of accidental email data leaks is critical. The teiss elves are all for people sending them fewer emails, especially those unnecessary emails where we are copied in for no apparent reason.
Another problem is carelessness – or more charitably, people who are simply unaware of the importance of privacy. One place we have found this is in the medical profession where sensitive medical images are often left in the open. As well as extortion, criminals can use these to steal your identity. And a problem that is not going away anytime soon is ransomware which we think is an existential threat in the new normal.
France is in the headlights this week with two stories of corporate failures. Hackers working for Russia's GRU have targeted IT monitoring software to infect a large number of IT companies and web hosting providers. And French insurance company MNH has been hit by a major ransomware attack.
UK’s cyber security industry: We are hoping that the UK’s new Cyber Security Council will be effective at boosting the industry, helping people to get jobs in this much needed sector and protecting industry and infrastructure along the way.
Florida residents: Mercifully we don’t see too many “Internet of Things” attacks but a water treatment plant in Florida was recently targeted by a hacker who tried to poison the water by remotely changing chemical levels. We can’t overemphasise how scary this is and how it is essential for basic infrastructure to be protected from this type of attack.
Eight cyber criminals were arrested in the UK and two more in Malta and Belgium last week for targeting famous internet influencers, sport stars, musicians, and their families in the United States with sim swapping attacks.
The criminal network targeted high-profile victims with sim swapping attacks throughout 2020, including well-known sports stars, musicians and influencers. According to the National Crime Agency, these hackers illegally gained access to victims' phones and stole more than $100 million either from their bank accounts or in cryptocurrencies.
Sim swapping attacks involve hackers targeting phones and deactivating the SIM and activating the number on a different blank SIM that’s controlled by hackers. This allows them to receive reset codes to change passwords of desired applications and blocking the victim from accessing their mobile phone or any installed applications.
Last Thursday, the National Crime Agency arrested eight suspects in England and Scotland, all aged between 18 and 26. These arrests were a result of a ‘year-long investigation jointly conducted by law enforcement authorities from the United Kingdom, United States, Belgium, Malta and Canada, with international activity coordinated by Europol.’
“Sim swapping requires significant organisation by a network of cyber criminals, who each commit various types of criminality to achieve the desired outcome. This network targeted a large number of victims in the US and regularly attacked those they believed would be lucrative targets, such as famous sports stars and musicians,” said Paul Creffield, head of operations in the NCA’s National Cyber Crime Unit.
“In this case, those arrested face prosecution for offences under the Computer Misuse Act, as well as fraud and money laundering as well as extradition to the USA for prosecution. As well as causing a lot of distress and disruption, we know they stole large sums from their victims, from either their bank accounts or bitcoin wallets.
“Cyber criminality is not restricted by borders and our efforts to tackle it reflect that. This investigation is the result of successful collaboration with international partners in the US and Europol, as well as our law enforcement colleagues here in the UK,” he added.
The sim swapping attacks were first detected in Spring 2020, following which law enforcement authorities from the United Kingdom, United States, Belgium, Malta and Canada came together to investigate the scam and catch the culprits behind the crime. According to Europol, the cyber crime ring targeted thousands of people in the US, including celebrities, but did not divulge the names of any of the victims.
Commenting on the discovery of the lucrative sim swapping scam perpetrated by cyber criminals, Mark Crichton, OneSpan’s Senior Director of Product Management, said that SIM swap attacks continue to raise serious questions about the security of SMS for use in multi-factor authentication that, in some cases, passes on the problem of securing online accounts to mobile network operators.
“Users should be wary about using SMS as their primary form of two-factor authentication. Many financial institutions have already started to make the switch to Mobile PUSH notifications, which are inherently more secure than SMS.
“Mobile PUSH notifications have the added benefit of being protected with application shielding technology, while providing banks with a stronger interface for a frictionless user experience that meets customer's demands in this increasingly digital age,” he added.
Javvad Malik, security awareness advocate at KnowBe4, told Teiss last year that it's not just SIM swap that opens the door for attackers. We've seen growing instances of where attackers will use SMS as an attack vector themselves (SMishing), or phone up a victim and ask for the SMS code as proof of identity (which they go on to use to log onto the victims account).
“Over time, we will likely see the frequency and sophistication of attacks against SMS-based authentication increase. From a user perspective, the first step they should consider is to use a more secure, or genuine 2FA mechanism to sign onto their account. Where that is not possible, they should be educated on the risks around SMS attacks, and report any suspicious SMS's or phone calls to their IT teams.
“Similarly, organisations should look to deploy more robust 2FA options to their staff and customers, provide education and awareness of threats, and consider additional monitoring controls that can quickly detect where an account may be compromised,” he added.
Episode: Measuring up: how to evaluate your infosec posture
Originally Aired: Thursday 18th February 2021, 10:00 (GMT)
This episode is now available to view on-demand
Main take-aways:
Is it possible to have a single set of metrics that will enable you to manage security?
The CFO doesn’t have a single set of measures when they are managing a business. And neither should the CISO. We seem to be obsessed by converging all elements of security into a single view which tells us whether we are winning or not. An admirable ambition perhaps, but impractical.
Key measures should include how the team is doing. If the whole team is happy and healthy you can be less worried because things are probably being done properly. But if you need to check particular metrics every morning it is probable that something not working.
Outside incident mode, where everything is urgent and time critical, metrics about what is happening today are far less relevant – monthly or quarterly trends will be far more important to the organisation.
How do you manage the issues of human failure?
Errors will occur – that is the way that humans are. But it is dangerous to get fixated on particular incidents, unless they are very significant. It is more important to uncover systemic issues that suggest processes are consistently failing – in a certain region or area of the organisation. There are techniques you can employ to understand the detail but you need to focus on the trends rather than individual incidents.
How do you deal with data overload?
There is potentially so much data available. Security leaders need to cling tightly to the questions they want answers to and not be distracted by interesting things you don’t need to know.
The Board will know what questions they want to ask but may struggle to articulate them. And if this happens you can be talking about the same things but from different angles. This leads to lowered engagement. So work with the Board to enable them to ask the right questions and you can then decide how you want to answer them.
Risk measurement and appetite are difficult issues and people from different parts of the organisation will have different approaches. So expressing whether you are withing the accepted appetite for risk can be difficult As a result we default to charts and metrics rather than describing how things are working and how people are feeling. Inevitably there will be compromises. There is no silver bullet here.
Another problem is that everyone records information in different ways. Departments aren’t neat and tidy so when you are in the centre you need to think about what isn’t being shown as well as the precise meaning of what is being showed. Precise definitions of things such as “what is a cyber-attack” (spam isn’t the same as a nation-state cyber-attack!) need to be agreed and shared.
What is the relationship between government and private sector cyber security data?
There is a big potential for government to be involved I collecting cyber data. Obviously there are agencies like NCSC that are set up for helping private organisations that can use cyber security data that is shared with them by private companies. Unfortunately might be a fear that government will use data to name and shame individual organisations.
Another problem is that when you ask the private sector about what metrics they would like to see you often get a very unfocussed answer with a desire for interesting rather than useful data. We need to find the metrics that are important to the country and that will help the country thrive.
Would it be useful to have a dashboard with key metrics that you can check every day?
There are things you might want to check. But the CISO role is very varied and your focus is always changing. So the dashboard would always be changing. CISOs need to have confidence in their teams who should be digging into and sifting the data and asking for help when it is needed. Dashboards might be interesting to talk about but they are not going to help you manage a business.
Risk is by definition about the future. And predicting the future is almost impossible although strong probabilities can be identified. Instead it is helpful to look at what other companies are doing and what risks they are prioritising. From that you can make a judgement about what the Board needs to know and what you, as a CISO, need to be doing.
Lots of organisations start from a compliance and auditing perspective, That’s fine but you need to expand from that – security isn’t something that starts and finishes. It is something that needs attention all the time, and the fact that you have ticked a regulatory “box” won’t necessarily be very relevant.
That isn’t to say that those boxes that have been ticked are useless – at the heart of them there is likely to be something very useful. So we should use the box not to say “we are clear” but to ask “are we managing this particular issue as well as we could?” Use them to tie back the actions you are taking to real business issues. They can provide a common and consistent risk based language that the Board will understand and react to, and thus they can be very useful for CISOs. Metrics are liable to change and open to misinterpretation. Risk statements are consistent and far easier to understand.
Metrics though can underpin an understanding of risk. So monitoring them constantly – looking for trends as well as worrying incidents – is important. And there are plenty of tools that enable you to monitor metrics. The important thing is to use these tools to provide numbers that describe the organisation’s position against risk appetite and risk management. And don’t let the metrics you have access to today define the metrics that you use. Instead take care to understand the metrics that you really need and find the tools that will provide these.
Episode: Don’t get board senseless: how to get your message across to the C-suite
Originally Aired: Tuesday 16th February 2021, 16:00 (GMT)
This episode is now available to view on-demand
Main take-aways:
SIM swapping is in the news. Why is it such a problem?
SIM swapping where criminals take over a phone account so that they can use your phone number. It tends to be a relatively targeted crime. But it is also relatively easy to commit. For instance we are often asked key information such as “what is your WhatsApp account?” We give a lot of information away that criminals can use. Two factor authentication is useful. However things like SIM swapping can get around this. Tech is constantly moving on – which is why the security industry continues to exist. The reality is that we need to rely on several security processes. And the infrastructure providers – in this case telcos – need to be better with security and ask better security questions.
Even so we need to take account of people. People can’t remember lots of different passwords. And lots of different types of authenticator can be complex to manage. In some countries where there are national identity schemes it is easier to give people a digital identity – but that is a hard sell in the UK! And we are often using old technology like SMS as the second authentication process. Instead we will need to think of different and new ways of keeping safe such as in-app authentication.
It is possible that celebrities add to the problems of cyber-crime by saying that cyber-crime is “just one of those things”, and there is certainly a lot of fatigue out there as cyber-crime happens so frequently.
Is it really the case that we are still bad at reporting to the Board?
We have got better at this undoubtedly. We can tell the Board that it is “when not if” and help them understand that they need to prepare for it. But it works both way. The Board needs to be prepared to take what the CISO says seriously. There may be a need to massage the communications, to warn Board members up front so that a major problem doesn’t come as a surprise when they are in a meeting with their peers.
Influencing is a key skill security people needs. But so is personal resilience: especially if you don’t give bad news in a good way, if you tell the Board in such a way that they over-react.
We need to change the language. For instance we need to explain why systems that take people time to comply for reasons of security with are important. CISOs must understand business language – and they shouldn’t talk about security. Instead they should talk about the way operations, customers, the bottom line are affected by security – the things that the Board cares about. The Board assume you have security covered – that’s what you are paid for.
Another issue is jargon. We also need to simplify the language – including the way we use language in training. Why do we talk about “phishing” when in fact we are just talking about a scam email.
CISOs will always need to have insight into the make-up and culture of Boards. What sort of people they are, how much knowledge they have, what jeeps them awake at night? If they understand their audience, if they can be empathetic, they will be able to communicate far better.
A failure in communication can be seen when information security comes down to a single line in a risk register: “hacking”. It’s far more complex than that and doesn’t only include hackers but also people stealing or extorting money and employees stealing data for their own advantage.
Simplicity is a great advantage. Pretty dashboards look lovely but are complex and hard to understand. Simplifying things down to a single red/green light and an indication of how much it is costing you to stay green or return to green makes the conversation far simpler to manage.
FUD – fear uncertainty and doubt has not been our friend. If we point out the potential for major problems and these don’t actually happen then all we have done is cry wolf
What are the metrics that you need to communicate?
There are always metrics that you need to communicate. But basically you need to say: these are the risks and these are the defences. And you should do this by telling a story, with the metrics feeding into it.. It should be about the story not the metrics! Don’t just focus on one metric And always remember that metrics aren’t everything. We also need to consider the opportunities that are lost because of security. Ultimately we need to exploit this knowledge so that we can take appropriate positive risks, and so that we can manage the priorities based on the risk appetites we have. In other words, the metrics you use should be those that drive the behavioural change that the business needs.
Air Date: Tuesday 23rd February 2021, 16:00 (GMT)
Guests:
Greg van der Gaast, Head of Information Security, The University of Salford
Bharat Thakrar, Director, Professional Services, Peak Cyber Institute
Nicky Keeley, Head of Cyber Security Oversight, Civil Aviation Authority
Thom Langford, Security Advocate, SentinelOne
Air Date: Thursday 25th February, 10:00 (GMT)
Guests:
Linus Neumann, Hacker and Psychologist
Stephen Spick, Head of Information Security, Cyber Security and Compliance, SHL
Ed Williams, Director, Trustwave SpiderLabs EMEA
Air Date: Tuesday 2nd March 2021, 16:00 (GMT)
Guests:
Allan Alford, CISO/CTO, TrustMAPP
Vicki Gavin, Head of Information Security & Compliance, Kaplan International
Bridget Kenyon, Chief Information Security Officer – EMEA, Thales Digital Identity and Security
Nick Martin, Consulting Director, Iomart
Air Date: Thursday 4th March 2021, 10:00 (GMT)
Guests:
Deborah Haworth, Chief Information Security Officer, Penguin Random House
Nick Thimianis, Chief Information Security Officer, Caresocius
Ian Brown, Group Cyber Security Director, Spectris Plc
Be sure to add these dates to your diary!
Cyber security experts have warned that organised crime groups have developed a new phishing tool by leveraging the NHS brand name to lure victims into handing over their personal and financial data.
Cyber criminals have reportedly started a new COVID-19-related phishing scam that uses the NHS branding in emails sent out to victims. In this campaign the victims are sent emails with a link to a carefully designed website that resemble official government domains. It’s hard to identify as fake as this time there aren’t any grammatical or spelling errors.
The fake website associated with the scam states that the recipients have been selected for a shot of the COVID-19 vaccine based on their family and medical history. Victims need to update their personal information on the fake website in order to receive their shots.
According to experts at Mimecast, personal information like name, date of birth and financial details of Internet users were obtained through this phishing scam only to be either sold at the dark web or commit a fraud. Possibly buoyed by recent successes, fraudsters behind the phishing campaign has ramped up the email volume by 350% to target as many victims as possible.
Phishing scams related to COVID-19 have become more targeted and sophisticated with scammers moving beyond common themes to novel ones like unemployment, welfare benefits, and stimulus packages. Millions of people, even those in economically well-off regions, are now worried about whether they will be able to retain their jobs or find new ones, whether they will receive welfare benefits on time, whether their destroyed businesses will ever recover, or whether they will survive the pandemic.
With COVID-19 related lockdowns restricting people to their homes, people are using the Internet more than ever to connect with their loved ones, to do business, and to search for information about the pandemic and other areas of interest. This very trend has attracted online scammers who are experienced in exploiting people's curiosities and fears to win their trust and rob them of their privacy and money.
A recent study by Computer Disposals revealed that only 5% of the British public can accurately detect a phishing scam and differentiate between a genuine email and a scam email. Such being the case, the success of phishing scams leveraging genuine concerns related to the pandemic is almost guaranteed.
Commenting on the new COVID-19 phishing scam that leverages the NHS brand name, Sam Curry, chief security officer at Cybereason, says that COVID-19 related vaccine cyber scams are occurring at as rapid a pace as the vaccines are now being rolled out, and these phishing scams haven't reached their crescendo by any stretch. Once the vaccines started rolling out, it was only a matter of time before threat actors turned their attention away from the hospitals and researchers and focused on consumers.
“The year-long attacks on companies at the forefront of medical care and research had shown a cold-calculus, and now brazen phishing attacks against people looking to schedule a vaccine appointment are gutless and heartless. For anyone scheduling a vaccination, this isn't the first or last time social engineering will be used to steal proprietary information from you,” he added.
Boris Cipot, senior security engineer at Synopsys, said “Scammers and cyber criminals are good at taking advantage of situations in which people are emotionally and personally involved. Phishing emails and fake webpages are both tactics that have been employed for years to lure people into sharing their personal and financial data. These techniques and a close attention to detail have improved in the past few years, making it harder to identify a scam. One must trust their common sense and question everything that appears suspicious.
“Do not blindly comply with requests for data through email. Do not open email attachments or click on links. Moreover, do not enter any personal information into webpages you do not know. Even if the domain appears legitimate and the information on it seems plausible, you need to question it. Remember, there is no fast lane offered in the vaccination policy and even if there was, the government would not ask you for your financial details. You cannot buy a vaccination or a faster vaccination date,” he added.