Spring seems to be all around us. But the feeling of optimism and happiness that spring generally produces hasn’t rubbed off on the cyber-criminal brotherhood (yes, most of them are men). We are still seeing ransomware causing enormous damage and the pandemic adding its own level of difficulty to manage. If only there were cyber vaccines we could employ!
We report on news that the Universal Health Services lost $67m to a Ryuk ransomware attack last year. Separately, experts have analysed the PrismHR outage and believe that it too was caused by a ransomware attack.
Understanding how disease works is important for combatting the pandemic of course. But it has other benefits too. Understanding how the human immune system works has inspired a new approach to cyber-security.
This week, it’s been reported that hackers exploited flaws in Accellion FTA to steal data from Qualys. And the SITA data breach is said to have compromised data associated with multiple international airlines.
Industrial IoT: Security companies are getting far better at detecting pre-existing threats inside industrial control systems. Given the attack on the Florida water treatment plant we have reported on previously, that has to be good news.
Malaysia Airlines: A massive 9 year long data breach has impacted the frequent flyer programme of Malaysia Airlines. While credit card data wasn’t affected, the theft of birthdate and frequent flyer level could easily be used for a nasty birthday treat scam.
Originally Aired: Tuesday 2nd March 2021, 16:00
This episode is now available to view on-demand.
An instant move towards zero trust wasn’t so difficult to manage. It was the very rapid increase in the requirements for home working infrastructure such as VPNs that caused problems. Some organisations were forced to rely on home office solutions, some companies had to rely on insecure communications networks, and there were plenty of cases of employees going home on the bus clutching their work computers! And other organisations had very few problems at al. It was a case of who was prepared and who wasn’t.
Risk management doesn’t mean eliminating risk. Sometimes it means making sure you have controls so you can detect and manage incidents as they happen. It’s like physical health: eating a peck of dirt will protect you for life. You can’t protect people from the world. And with cyber security you need to take risks. This helps you learn.
It isn’t surprising that the majority of large organisations have been attacked – and perhaps those that haven’t simply failed to detect the attacks! Even small cyber attacks can be damaging, especially if there are a lot of them: you can be pecked to death by chickens, especially if you don’t notice they are there.
If you don’t have the ability to detect problems and the ability to proactively sweep for them, there is a real risk that you will miss major attacks as well as minor ones. There needs to be an acceptance that there is a risk and a need to manage it.
Of course measuring risk isn’t easy. And there is no standard of level that is acceptable. But once you have established what you risk appetite is, you need to be proactive about monitoring the effectiveness of your risk controls.
Actionable intelligence is essential. In areas like actuary and insurance, there is a direct link between risk and money. If you understand the money side you can decide whether to take a risk. And you do need to be able to take risks as otherwise you will reduce the opportunities open to you.
Every organisation wants to improve over time, and risk management is no exception. But with technology moving so rapidly it’s hard to measure how risks are changing. The CISO’s role is to speak in business and risk terms. Technology is part of how you manage risk but using technology to reduce risk isn’t the key goal of many businesses! It’s just an enabler.
Everyone in an organisation has a role to play in security. You can’t define that role with a few posters and a bit of training every years. There is a need for a constant campaign to support people to act cyber safely.
It isn’t a black art. You don’t need to understand how the technology works in order to act safely. You just need to act safely.
Even the CISO shouldn’t be focussed on technology. They should be driving their team forward to maintain secure operations; they should be working with IT to ensure that systems are secure; they need to help managers to develop secure processes; and they need to empower other employees to be secure. In some way their role is to translate the technological risk into something that the business can understand and decide on the resources that are needed to meet it.
You need to look at the universe of bad things that surround you and then identify the bad things that turned into incidents. And you also need to look at the number and type of crises that go beyond the remit of CISOs to manage. By illustrating this, you can explain that all the universe of bad things could turn into incidents, and that would have a major impact on the business.
As a CISO you need to get senior allies. You need to relate your processes with the processes that senior managers are responsible for. This can even be a way of getting more budget – an allied senior manager who wants to run a new project can sometimes be persuaded to invest in a security tool in order to achieve success with that project. CISOs are working for the organisation and those senior managers are their customers: they need to be selling security in the way that marketing and sale sell products.
Ultimately CISOs always need to understand the business requirements. Money is hard to come by for any business. If it is going to be spent on security then it needs to be justified. We didn’t get attacked” isn’t a justification. But saying “We stopped this attack which would have wrecked this contract” might.
The European Banking Authority has confirmed that hackers recently compromised its email servers and possibly accessed personal details of users after exploiting security flaws in Microsoft Exchange.
Last Tuesday, Microsoft's Threat Intelligence Center released a report on Hafnium, a China-based hacker group which is in the business of targeting U.S.-based organisations across all industries using leased virtual private servers (VPS) in the U.S. Its list of victims include infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.
Recently, Hafnium exploited previously-unknown vulnerabilities in Microsoft's on-premises Exchange server software and also used stolen credentials to infiltrate Exchange servers owned by a number of organisations worldwide. According to Microsoft, after infiltrating an Exchange server, Hafnium would create a webshell to control the compromised server remotely, and then use the remote access to steal data from the network.
Microsoft has released security updates to help organisations defend against such attacks launched by Hafnium, but the move seems to have come a little too late. According to security researcher Brian Krebs, the Chinese hacker group successfully hacked at least 30,000 organisations across the U.S., and is moving quickly to target as many organisations worldwide as possible before the vulnerable Exchange servers are patched by their owners.
Two cyber security experts also told Krebs that Hafnium has taken control over hundreds of thousands of Microsoft Exchange servers worldwide. The numbers indicate that this hacking attack is several times worse compared to the successful exploitation of a vulnerability in Solarwinds' Orion software by Russian hackers which affected 18,000 organisations worldwide.
Last Sunday, the European Banking Authority, the Paris-based regulatory agency of the European Union which regulates European banks on standards like transparency and strong capital structures, said a cyber attack compromised its Microsoft Exchange servers and enabled hackers to gain access to personal data in emails that were stored in the targeted servers. To mitigate the breach, EBA quickly took the servers offline and launched an investigation into the incident.
In another notification it released this Monday, EBA said it successfully secured its email infrastructure and could confirm that hackers did not exfiltrate any data from the affected servers and that the breach was only limited to its email servers. The agency released another notification today to advise users that its email communications services have been restored.
"The European Banking Authority (EBA) has established that the scope of the event caused by the recently widely notified vulnerabilities was limited and that the confidentiality of the EBA systems and data has not been compromised. Thanks to the precautionary measures taken, the EBA has managed to remove the existing threat and its email communication services have, therefore, been restored.
"Since it became aware of the vulnerabilities, the EBA has taken a proactive approach and carried out a thorough assessment to appropriately and effectively detect any network intrusion that could compromise the confidentiality, integrity and availability of its systems and data.
"The analysis was carried out by the EBA in close collaboration with the Computer Emergency Response Team (CERT-EU) for the EU institutions, agencies and bodies, the EBA’s ICT providers, a team of forensic experts and other relevant entities. Besides re-securing its email system, the EBA remains in heightened security alert and will continue monitoring the situation," it said.
Commenting on the widespread hacking of vulnerable Microsoft Exchange servers worldwide, Mark Bower, SVP at Comforte AG, told TEISS that the recent threat to Microsoft Exchange servers has the potential to go far beyond just email itself. CISA’s recent guidance indicates the potential for server and downstream system compromise which is extremely concerning for leaders of affected organisations.
"The capacity for attackers to extract sensitive data from emails, spreadsheets in mailboxes, insecure credentials in messages, as well as attached servers presents an advanced and persistent threat with multiple dimensions. This is yet again a reminder to take steps to discover sensitive data exposure, protect it, and ensure the security isn’t limited to infrastructure and perimeter controls that were no barrier to this extensive and damaging attack. I predict affected entities and their supply chain partners will see persistent secondary impact as a result over the a long period of time," he added.
Originally Aired: Thursday 4th March 2021
This episode is now available to view on-demand.
The pandemic has caused a major increase in work load for security teams as businesses pivot. Not all businesses can work form home. Lots of businesses need physical premises like warehouses and factories and these still need to be protected. And while office workers can be sent home, a rapid increase in the extent of home working can also cause problems. So security teams are having to look after physical premises and virtual premises – a hybrid workplace.
An important thing is to maintain a sense of fairness, related to where, when and how people work; part of that is making sure that people’s wellness is supported. And it’s also important to trust people, to accept that they will work conscientiously in a new environment such as home working.
The biggest challenge wasn’t protecting high spec devices. It was getting hold of the more basic equipment, the lower end laptops, that were needed to support home working.
All that covid did was to exacerbate existing business risks, and the top of one those faced by businesses for 2021 is cyber security. However there are still things that had to be done during the pandemic.
Some things like building new devices from scratch and installing security software had to be done in a physical environment. And this had to be a covid-secure environment. Then there is the need to ensure that moving large numbers of people to working from home 5 days a week is managed efficiently: there are issues around VPNs, and the need for larger devices to handle more remote working. In addition sometimes you need to enable people to connect from their own devices rather than corporate devices.
It is about protecting data from loss or corruption. And it’s about protecting corporate infrastructure from threats. So there is a need to enable people to work from home without letting them transfer data to their machines. And there is a need to prevent them uploading files that might contain malware to our systems. Doing this enables you to maintain key systems even if the user experience isn’t quite as good as it would be if they were working in the office.
Helping people keep safe, for instance by offering family orientated cyber safety courses, including information aimed at various age ranges is also important. Education needs to change too. For instance you may need to emphasise the need to look after physical information assets like business reports if people don’t have access to secure waste disposal at home.
You can argue that conducting security exercises during a crisis is not a particularly good idea. A crisis will generate a new set of phishing scams using the crisis as a lure and the coronavirus was no exception. Many organisations have continued with their usual processes for educating people about phishing. However, trust is important and so using the crisis as a lure in an organisational phishing exercise is not necessarily a good idea as it may destroy trust. There is no right answer though and largely this will depend on the organisation’s culture.
Mostly things have stayed the same. But some advice needs upweighting. For instance it may be important to upweight the amount of advice relating to downloading apps from trusted sources, given the increase in covid apps available. And there may be a need for more advice about smart speakers at home which could record and share confidential information if they are not switched off during a business call.
This can happen in any organisation. Politics can be a problem until trust between people or teams is established. And some teams, perhaps in particular countries, may be far less aware of security issues or far more aware of privacy requirements. There can be a lack of trust about security processes where people feel they may cause privacy problems or indeed make everyday business processes less effective.
Where organisations are used to remote working this will be less of a problem of course, although an organisation’s business partners can be unused to remote working and this can be a source of concern for security professionals.
The website of West Ham United football club was recently found leaking the personal details of account holders to other users, reminding us of a similar incident involving the club that took place in 2018.
The data leak affecting the West Ham United website came to light shortly after the club announced its financial results for the year ending 31 May 2020. In the period, the club suffered losses to the tune of £65.3m due to the onset of the coronavirus pandemic which also resulted in the loss of £44.9m in broadcast income.
According to Forbes, the club's website started displaying several error messages this morning and sometime later, began displaying the profile information of supporters to other users who logged in to their accounts. These details included fans' names, phone numbers, dates of birth, addresses, and email addresses.
The online login was associated with the club's online ticketing service but it is unlikely that many people logged in to their accounts as ticket sales are presently suspended due to the ongoing pandemic. The issue, however, did not last long as West Ham United rectified the leak soon after it learned about the incident.
"We are aware there was a technical issue when signing into online accounts this morning. We worked with our third-party service provider and they have already resolved this issue," a club spokesperson told Forbes. However, the leak had already attracted a lot of attention from supporters before it was fixed. Here are some comments made by the club's fans on its official fans' forum:
"I’ve tried logging into the West Ham ticket website this morning to update my details and it seems to take me to different accounts. Three times it took me to accounts that weren’t mine, although I’ve only tried this on my iPad and phone, no idea what my computer will do, but it seemed fine yesterday. I’ve emailed the ticket office."
"I've just tried it on desktop and I get the same.... My user ID took me to two different accounts from two login attempts..... they have some serious IT issues…"
"I've just logged in and there's some completely random bloke's details under my account. I've got his name, address, DOB, phone number and email address."
"Same, I logged in and got a Stewart Knight's details. Surely a massive GDPR breach."
Commenting on the leak of West Ham United fans' personal details to others, David Kennefick, Product Architect at Edgescan, told TEISS that this may just have been a few small isolated incidents, that impacted a minority of users. However, in case the breach affected a larger pool of users the club will presumably follow the usual protocols, and if there is a personal data breach the Information Commissioner’s Office (ICO) will be informed.
"The West Ham data leak will put club supporters at real risk of being targeted by the bad actors of the world with phishing attempts via email, text, and phone calls. Supporters will need to beware of any communications that appear to come from the club, as hackers will seek to extract more information (such as financial information) from the victims of the leak," said Chris Hauk, consumer privacy champion at Pixel Privacy.
This incident reminds us of a similar leak that impacted the club's reputation in 2018. In August that year, the email addresses of hundreds of the club's supporters were exposed when it sent out a bulk email to fans who had secured tickets for the Carabao Cup match against AFC Wimbledon. The leak occurred as the club pasted its fans' email addresses in the "To" field instead of in the "bcc" field.
"You may have received an email that included a segment of email addresses of those who were also successful in the ballot. The Club apologises that this information was inadvertently included and has reported this matter to the Information Commissioner's Office.
"The email was recalled where possible and we ask that if you did receive this email to please disregard it immediately. Beyond your email address, no other information has been shared. The Club will take the necessary steps to review and amend the process with the view to prevent this from happening again," West Ham United said in an email addressed to affected fans.
Air Date: Thursday 11th March 2021, 10:00 (GMT)
Cristian Cucu - Chief Information Officer, Societatea Nationala Nuclearelectrica
Russell Favell - Head of Security Operations, Close Brothers
Ste Watts - Head of Security Operations, Aldermore Bank PLC
David Petty - Cyber Specialist, OpenText
Air Date: Tuesday 16th March 2021, 16:00 (BST)
Paul Raines - Chief Information Security Officer, United Nations Development Programme
Bernard Swierczyna - Executive Director & Chief Information Security Officer, First Ireland Risk Management
Max Heinemeyer - Director of Threat Hunting, Darktrace
Air Date: Thursday 18th March 2021, 10:00 (GMT)
Adrian Searle - Head of Security Risk, Royal Bank of Scotland
Mike Seeney - Head of Supply Chain Information Risk, Pinsent Masons
Jean Carlos - Group Head of Information Security, Nomad Foods
Andrew Rose - Resident CISO (EMEA), Proofpoint
Air Date: Tuesday 23rd March 2021, 16:00 (GMT)
Dr Dave Chatterjee - Associate Professor, The University of Georgia
Garry Scobie - Deputy Chief Information Security Officer, The University of Edinburgh
Enis Sahin - Head of Information Security, Federated Hermes – International