A major security breach at Equifax has taken place over a two month period

It is thought to have affected 143 million customers in the US, as well as an undisclosed number of Britons and Canadians.

The perpetrators exploited a vulnerability in a US website application to gain access to confidential information – including names, social security numbers, birth dates, addresses and driver’s license numbers, as well as around 209,000 credit card numbers – over a two month period from May 2017.

It also found unauthorised access to “limited personal information” of a number of British and Canadian customers, and will work with regulators in both countries to determine an appropriate path forward. It added that it had found “no evidence” of any unauthorised activity on its core consumer or enterprise credit reporting databases.

Since halting the intrusion on 29 July, Equifax has been working closely with law enforcement and brought in a cyber security partner to conduct a thorough forensic review of its systems. This investigation is mostly complete, but more detailed information is expected to emerge in the coming days and weeks.

Equifax has confirmed that the massive data breach was result of missed patch and appear to have failed to roll out a patch that might have stopped the massive breach of its systems.

From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy.

In a brief update statement, Equifax said it had been “intensely investigating” the scope of the intrusion with the help of an undisclosed cyber security firm – thought to be Mandiant – to find out exactly what information was accessed and whom it belongs to.

“We know that criminals exploited a US website application vulnerability. The vulnerability was Apache Struts CVE-2017-5638,” it said. “We continue to work with law enforcement as part of our criminal investigation, and have shared indicators of compromise with law enforcement.”

Apache Struts is an open-source model-view controller (MVC) framework for building Java web applications, and is well used across the financial services sector. The vulnerability causes it to mishandle file upload, which enables malicious actors to execute arbitrary commands via a command string in a crafted content-type HTTP header.

This was first highlighted in March 2017, and patches were subsequently released for it.

However, the Equifax breach began in May, which would seem to suggest the organisation did not bother to apply the updates to its systems.

Since news of the breach emerged, it has also emerged that the incident may have resulted in many more Britons than at first suspected having their data compromised – around 44 million by some estimates.

This is because even if people do not directly purchase Equifax’s consumer services themselves, some of their sensitive personal data is almost certainly held by enterprises, which use its corporate services to check credit scores for loans, for example.

Experts criticised the Equifax breach response as insufficient given the size and scope of the data loss, and said the company was likely not prepared for such an incident.

While doing preparation work for GDPR, organisations should look at the Equifax breach and understand they would have to notify customers of a problem much sooner.

“We will be advising Equifax to alert affected UK customers at the earliest opportunity. In cyber attack cases that cross borders the ICO is committed to working with relevant overseas authorities on behalf of UK citizens.”

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Emails are becoming increasingly dangerous for cyber security risks.

About 200 billion emails are sent every day, but because of its importance email is constantly exploited by attackers – yet is often overlooked in cyber security strategies

From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy.

The General Data Protection Regulation (GDPR), set to come into force in May 2018, is designed to protect European Union (EU) citizensí data, and organisations that want to operate within the EU will be expected to comply with it.

Section 2 of the GDPR states that organisations must ìprotect personal data against accidental or unlawful destruction or accidental loss and to prevent any unlawful forms of processing, in particular any unauthorised disclosure, dissemination or access, or alteration of personal dataî.

The European Commission defines personal data as ìany information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computerís IP addressî.

This regulation of greater email protection arrives shortly after the WannaCry and Petya cyber attacks. Despite emails being used regularly, they remain vulnerable to attack, both as a target and as an attack vector.

Several malware families, such as Emotet and Trickbot, have recently added functionality that enables them to spread via email. Emotet, for example, now has the capability to steal email credentials from infected computers and use these to send out emails to spread itself further.

The dangers that organisations can expose themselves to through unsecured email accounts are often more than just compromised emails. Financial account information can be leaked, ransomware and viruses can infect networks, and reputational damage can occur from hacks being disclosed. This disclosure will become mandatory under the GDPR.

Developing a security policy for email can be relatively simple, and a natural first step for bringing organisations into alignment with GDPRís requirements. However, a companyís email security protocols are only as strong as the employees who use them.

Email cyber security risks

Anti-virus filtering should be used on all email traffic.

Although this will not be a complete solution in itself, it will remove much of the background noise – the easy-to-spot threats -allowing security teams to focus on the more sophisticated attacks. Organisations should also consider using a secure anti-malware proxy or next-generation firewalls.

Some organisations may want to consider whitelisting or blacklisting filters for managing their email security. With whitelisting, only known, trusted email sources are allowed through; with blacklisting, all but the known, malicious email sources are blocked.

Whitelisting offers more protection, but it will inevitably block some important emails, which can cause frustration for employees.

Some organisations have gone as far as to block all attachments, which is effective in preventing malicious attachments, but naturally has consequences.

But there is no such thing as 100% security.

Organisations need to educate their employees in how to spot fraudulent emails and raise awareness of the dangers of malicious emails.

To engage the participants, this education should be easy to understand and should not rely on technical jargon. Staff should be positively encouraged to report suspicious emails and given feedback about any emails reported. Not only will this allow the security settings to be updated, but it will also educate staff further.

It is also vital to tailor the message to the particular audience. For example, telling an HR department not to open attachments from external addresses will not work, because they deal with people who are applying for jobs.

Following recent incidents of leaked emails, many organisations are now encrypting emails, installing encryption protocols as add-ons to existing email apps.

Not only do these systems rely on end-to-end encryption to secure their content, but some also ensure compliance with the GDPR. ìThere are hundreds of email security or encryption services, but we have found customers need verifiability, which is in high demand because of GDPR,î says Kurt Kammerer, CEO of Regify.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Cyber security researchers are urging businesses to prepare for ransomware attacks after the discovery of a massive cyber attack campaign

Businesses should ensure employees are aware of the dangers of email attachments in the light of evidence of large scale ransomware distribution campaigns.

On 28 August, more than 23 million email messages were sent in just 24 hours with malicious attachments containing variants of the Locky ransomware, according to researchers at AppRiver.

As a first line of defence, businesses are urged to inform employees of the ransomware risks associated with email attachments.

Businesses are advised to pay particular attention to raising awareness among employees who have access to sensitive data with high business impact.

In the second quarter of 2017, ransomware was the most popular form of malware, with 68% of all malicious email messages bearing some variant of ransomware, according to security firm Proofpoint.

In particular, email recipients should be wary of any attachments to email with the subject such as: please print, documents, photo, images, scans, pictures, and payment.

Some of the latest Locky campaings send emails appearing to be from the targeted organisationís scanner, printer or other legitimate source, warns Comodo Threat Intelligence Lab.

The latest versions of the Locky ransomware are typically downloaded by a Visual Basic Script file in a ZIP file nested in another ZIP file as soon as the attachment is clicked.

Locky then encrypts all files on the system before instructing the victim to install the TOR browser and visit a .onion (Darkweb) site to process payment of .5 Bitcoins worth around $2,150.

Once the ransom payment is made the attackers promise a redirect to the decryption service, but the consensus among law enforcement and security industry representatives is to advise against payment because there is no guarantee the files will be decrypted or that the attackers will not strike again.

As there are currently no publicly shared methods to reverse the latest Locky variants, security researchers say employee awareness is paramount.

As a second line of defence, businesses are advised to ensure they have systems in place that can block spoofed emails and detect new variants of malware such as advanced analysis at the email gateway.

However, with each resurgence of Locky, the ransomware has continued to evolve to evade enterprise security defences, making it notoriously difficult to detect.

In the latest round of Locky ransomware campaigns that started around 9 August 2017, some Locky variants include sandbox evasion capabilities, according to security researchers at Malwarebytes Labs.

Malware authors have used booby trapped Office documents containing macros to retrieve their payloads for some time, but ordinarily, the code executes as soon as the user clicks the ìEnable Contentî button.

Sandboxes will not help the cyber security risks

For analysis purposes, many sandboxes lower the security settings of various applications and enable macros by default, which allows for the automated capture of the malicious payload.

However, Malwarebytes researcher Marcelo Rivero discovered that some of the latest versions of Locky do not simply trigger by running the macro itself, but wait until the fake Word document is closed by the user before it starts to invoke a set of command to download the ransomware and issue the ransom demand.

‘While not a sophisticated technique, it nonetheless illustrates the constant cat and mouse battle between attackers and defenders. We ascertain that in their current form, the malicious documents are likely to exhibit a harmless behavior in many sandboxes while still infecting end users that would logically close the file when they realise there is nothing to be seen,’ Rivero and colleague JÈrÙme Segura wrote in a blog post.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Business digital transformation and cyber security threats have outpaced enterprise security capacity, a survey has revealed

An average of 40% of organisations experienced five or more significant security incidents in the past 12 months, according to the survey report by digital threat management firm RiskIQ.

The most cited external threats included malware, ransomware, phishing, domain and brand abuse, online scams, rogue mobile apps, and social impersonation.

In the face of these threats, 70% of respondents said they had little or no confidence in reducing their digital attack surface, expressing the least confidence in threats against web, brand and ecosystem assessment.

The majority of those surveyed are aware some of their digital security measures are immature or ineffective, with only 31% expressing high confidence in the likelihood their organisations can mitigate or prevent digital threats despite all respondents increasing their near-term digital security spend.

More than half of survey respondents expect their near term digital defence investment to increase between 15% to 25% or more.

Correspondingly, nearly half of respondents view cyber threat intelligence as ‘very important’, and all respondents saw cyber threat intelligence tools as being ‘very important’or ‘somewhat important’- especially in fortifying research and reducing time to respond to external threats.

However, confidence in capacity to address digital threats appears to be higher in the UK, with UK respondents seeing more value than US counterparts in the ability for cyber threat intelligence and digital threat management tools in reducing time to remediate threats.

In terms of industry sectors, the survey shows digital threat management appears more progressive among organisations in financial services, manufacturing and consumer goods in terms of overall expenditure.

Larger companies felt they were better able to update control systems and collaborate across departments perhaps showing the benefits of scale and smaller companies felt best able to inform others about the status of external attacks, perhaps reflecting the benefits of having a smaller base to worry about.

Nearly a quarter of healthcare and pharmaceutical respondents felt little to no confidence in their ability to assess digital risk.

Outsourcing the cyber security risks

In an attempt to mitigate the cyber security risks organisations are outsourcing a third of digital threat management tasks to managed security service providers (MSSPs), and outsourcing looks set to grow by nearly 13% in compound annual growth rate by 2019.

The survey shows the UK is growing faster in its plans to outsource digital threat management tasks to MSSPs, with an expected year-on-year growth rate for the UK of 17% compared with just 11% in US.

‘The independent research provides a useful litmus test for the level of exposure, controls and investment regarding external web, social and mobile threats among global industries,’ said Scott Gordon, chief marketing officer at RiskIQ.

‘The findings validate the need for enterprises to leverage cross-channel intelligence, automation and resource optimisation as they build out digital defences to reduce operational and reputational risk.’

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Whilst it may be simple to claim a complete cyber security solution- the reality is somewhat different.

There are no shortage of companies out there making claims that there is a universal solution to security- after all it makes for a good marketing message, but unfortunately, in practice there is no one complete cyber security solution.

What key things should organisations be doing in terms of cyber defences to ensure they are robust and resilient?

Determining which practices, controls and countermeasures will work best in a given organisation is based on that organisation’s own needs: what works for it culturally, the level of risk that its business is subject to, and so on.

For example, the security techniques and methods that work best for a large hospital might be very different from what would work best for a corner shop retailer ñ and more different still from a government agency or large financial institution. So, answering the question what should organisations do? is a bit more nuanced than it might seem on the surface.

In Cyber 139’s opinion, there are two things every organisation should be doing: risk management and intelligence gathering.

Risk management is the process of figuring out which risks the organisation needs to address, and putting measures in place to find them, track them, mitigate them, and make sure they stay mitigated going forward.

Likewise, intelligence gathering, particularly of the threat environment -what the bad guys might be interested in and how they might attack -informs the risk management process directly.

Both of these areas are systematic processes rather than solutions that can be bought off the shelf, so the good news is that no special equipment is required to accomplish this.

However, doing these things well and comprehensively takes discipline, planning and preparation.

For ransomware specifically, one very helpful measure is to conduct a pre-planning tabletop exercise to ensure that individuals in the organisation are prepared for a ransomware event.

For example, think through your response and discuss specific decision points ahead of time rather than when the heat is on during an actual incident.

The normative position of law enforcement (and most security practitioners) is not to pay the ransom -it can cause a criminal to ‘retarget’ the organisation down the road, and only sometimes will the attacker actually make good if the ransom is paid.

However, this can be a more difficult stance to take in the heat of an incident: the dollar amount can seem small compared with the impact of the ransomware. Decisions like this are best thought through in advance.

In terms of limiting the impact of cyber attacks in general and recovering quickly, tabletop and planning exercises are again a good idea, as is a systematic risk management process.

Beyond these, helpful practices can include building capabilities to understand and react to the threat environment -in particular, keeping tabs on big ticket events such as ongoing malware or ransomware attacks – as well as testing the organisationís defensive posture through vulnerability assessment, penetration testing and other techniques that allow an organisation to systematically measure its defences.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW

Internet connected cars will have to be better protected from cyber attackers

The Department for Transport (DOT), has issued guidance that includes eight principles for future UK use.

The DOT in conjunction with Centre for the Protection of National Infrastructure (CPNI), wants eight principles for use throughout the automotive sector for connected and autonomous vehicles, intelligent transport systems, and their supply chains.

‘While smart cars and vans offer new services for drivers, it is feared potential hackers could target them to access personal data, steal cars that use keyless entry, or even take control of technology for malicious reasons,’ the guidelines state.

The eight principles set out how vehicle manufacturers can make sure cyber security is properly considered at every level, from designers and engineers, through to suppliers and senior-level executives.

The measures are aimed at ensuring engineers developing smart vehicles toughen up cyber protections and design out cyber security risks.

In announcing the guidelines, the government highlighted the ìbroader programme of workî announced in the Queenís speech in June 2017 under the Autonomous and Electric Vehicles Bill that aims to create a new framework for self-driving vehicle insurance.

The legislation, the government said, will put the UK at the centre of the new technological developments in smart and autonomous vehicles, while ensuring safety and consumer protection remain at the heart of the emerging industry.

The measures to be put before Parliament, the government said, mean that insuring modern vehicles will provide protection for consumers if technologies fail.

The government said measures, alongside the guidelines for manufacturers to make smart cars cyber secure, are aimed at making the UK a world-leading location for research and development for the next generation of vehicles. This forms part of the governmentís drive to ensure the UK harnesses the economic and job-creating potential of new tech industries.

Eight principles of vehicle cyber security

Organisational security is owned, governed and promoted at board level.
Security risks are assessed and managed appropriately and proportionately, including those specific to the supply chain.
Organisations need product aftercare and incident response to ensure systems are secure over their lifetime.
All organisations, including sub-contractors, suppliers and potential third parties, work together to enhance the security of the system.
Systems are designed using a defence-in-depth approach.
The security of all software is managed throughout its lifetime.
The storage and transmission of data is secure and can be controlled.
The system is designed to be resilient to attacks and respond appropriately when its defences or sensors fail.

Transport minister Martin Callanan said it is important that smarter and self-driving technologies are protected against cyber attacks.

‘That’s why it’s essential all parties involved in the manufacturing and supply chain are provided with a consistent set of guidelines that support this global industry. Our key principles give advice on what organisations should do, from the board level down, as well as technical design and development considerations,’ he said.

Mike Hawes, chief executive of the Society of Motor Manufacturers and Traders, welcomed the government initiative: ìWeíre pleased that government is taking action now to ensure a seamless transition to fully connected and autonomous cars in the future and, given this shift will take place globally, that it is championing cyber security and shared best practice at an international level.î

Hawes said autonomous vehicles promise to reduce road accidents dramatically and save thousands of lives. ìA consistent set of guidelines is an important step towards ensuring the UK can be among the first ñ and safest ñ of international markets to grasp the benefits of this exciting new technology,î he said.

In July 2015, the government announced a £20 million fund to research and develop driverless car technology in the UK, launched a joint policy team to co-ordinate cross-departmental work, and established a non-statutory code of practice to help ensure public safety.