What to do first when hit by a cyber attack
The chances are growing that, at some point, your business will have to deal with a cyber security incident.
But when you are under pressure and your team is stressed, people make mistakes.
Crisis patterns over the past decade have changed dramatically. Ten years ago, factors such as civil war and oil prices were the top global risks to take into account. Now water crises and extreme weather events are what keep us up at night.
Delaying too long in making critical response decisions may exacerbate the impact of the incident but, conversely, making knee-jerk decisions can cause further damage to the business or hinder a complete response.
There are many ways you may suspect that a security incident has happened, from detecting unusual activity through proactive monitoring of critical systems or during audits, to outside notification from law enforcement and compromised data located in the wild.
However, indicators such as unusual CPU (central processing unit) and network usage on a server may have multiple potential causes, many of which are not information security incidents. So it is vital to investigate further before jumping to conclusions.
Do you have any corroborating evidence? For example, if the IDS (intrusion detection system) detects a brute force attack against the website, do web logs support this having occurred? Or, if a user reports a suspected phishing attack, has this email been received by other users and did the user click on links or open documents?
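One way to check whether web logs support an IDS brute-force alert, as an added example that is not part of the original article. It assumes Common/Combined Log Format access logs, a login endpoint at `/login` that answers 401 on failure and 302 on success, and a threshold of 10 failures; these names and values, and the sample log, are illustrative.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def parse_line(line):
    """Parse one Common/Combined Log Format line; return None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m["ts"], TS_FMT)
    except ValueError:
        return None
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"].split("?", 1)[0], "status": int(m["status"])}

def corroborate(log_lines, alert_ip, alert_time, login_path="/login",
                window=timedelta(minutes=5), threshold=10,
                fail_codes=(401, 403), success_codes=(302,)):
    """Summarise login failures around an IDS alert.

    Assumes log_lines are in chronological order (as access logs are) and
    that the application signals login failure/success with the given codes.
    """
    start, end = alert_time - window, alert_time + window
    failures = Counter()
    success_after_failures = set()
    skipped = 0
    for line in log_lines:
        entry = parse_line(line)
        if entry is None:
            skipped += 1          # keep count: gaps in evidence matter in triage
            continue
        if not (start <= entry["ts"] <= end):
            continue
        if entry["method"] != "POST" or entry["path"] != login_path:
            continue
        ip = entry["ip"]
        if entry["status"] in fail_codes:
            failures[ip] += 1
        elif entry["status"] in success_codes and failures[ip] >= threshold:
            # A success following many failures suggests a guessed credential.
            success_after_failures.add(ip)
    return {
        "alert_ip_failures": failures[alert_ip],
        "corroborated": failures[alert_ip] >= threshold,
        "possible_compromise": alert_ip in success_after_failures,
        "other_noisy_sources": sorted(
            ip for ip, n in failures.items() if n >= threshold and ip != alert_ip),
        "unparsed_lines": skipped,
    }

def build_sample():
    """Constructed sample log using documentation IP ranges; not real traffic."""
    base = datetime(2017, 3, 12, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

    lines = [line("198.51.100.20", 0, "GET", "/", 200),
             line("198.51.100.20", 5, "POST", "/login", 401),   # one typo
             line("198.51.100.20", 9, "POST", "/login", 302)]   # then success
    lines += [line("203.0.113.7", 20 + 2 * i, "POST", "/login", 401)
              for i in range(25)]                               # rapid failures
    lines.append(line("203.0.113.7", 80, "POST", "/login", 302))
    lines.append("truncated garbage line")
    return lines, base + timedelta(seconds=30)  # second value: IDS alert time

if __name__ == "__main__":
    sample, alert_time = build_sample()
    for key, value in corroborate(sample, "203.0.113.7", alert_time).items():
        print(f"{key}: {value}")
```

A `possible_compromise` result moves the event from "attempted attack" towards "confirmed incident" and is worth checking against the account's subsequent activity.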
You also need to think about answering questions about the nature of the incident. Is it a generic malware infection, or an active system hack? Is there an intentional denial of service (DoS) attack in progress, and is this an instance of deliberate insider action?
Once you have confirmed an incident has occurred, you need to take time out from initial response activities to prioritise your actions and decide, definitively, what the business objectives are for the response operation. Incident triage generally consists of classifying the incident in terms of impact and urgency and how it should be handled. The incident response team can then use the impact, urgency and priority evaluation to define the objectives for the incident response operation and assign actions or further investigation, as required.
Impact classifications defined by the National Cyber Security Centre’s (NCSC) GovCertUK and adopted by Crest, the body that represents the technical security industry, may provide a useful point of reference for initial classification based on the perceived or established impact.
Many minor types of incident can be capably handled by internal IT support and security. All events should be reported back to the information security team who will track occurrences of similar events. This will improve understanding of the IT security challenges and may raise awareness of new attacks.
It is not necessary to report on incidents with little or no impact or those affecting only a few users, such as isolated spam or antivirus alerts, minor computer hardware failure and loss of network connectivity to a peripheral device, such as a printer.
The urgency of an incident should also be assessed along with the impact. Some incidents are unlikely to worsen over time, such as the discovery of a historical compromise by a former employee. But in other cases, such as a ransomware outbreak, it may be absolutely critical to respond rapidly to isolate the infection.
Mobilising full emergency incident response capabilities may not be applicable or appropriate in every situation. You need to understand as much about what you are dealing with as you can. For example, who is the attacker? How was the attack introduced? When did the attack occur? What data or systems have been compromised? Is the attack ongoing? Why were we the target of the attack?
The goal of triage is to understand the methodology and the extent of the attack as fully as possible, in the shortest possible time.
Information about the incident, the impact, urgency and business impact analysis for the affected data or systems will guide the incident response operation. If possible, the business priorities should be pre-determined and documented in incident response plans.
Objectives for the incident response team could include:
- Resumption of service as quickly as possible, where the affected system is critical in terms of availability for the business.
- Rapid ring-fencing and protection of confidential information, where the affected system or network is critical in terms of confidentiality for the business.
- Integrity checking of the affected systems, where integrity of data is critical for the business.
- Preservation of evidential integrity, where criminal activity is suspected and prosecution is likely to be an outcome of the incident, or where culpability must be established definitively.
- Identification of the origin of the threat and gathering intelligence about the activities being conducted during the incident.
For organisations with known advanced threat actors, continued covert observation of an attacker to determine their goals and modus operandi may be an objective of the incident response operation for intelligence-gathering purposes, even if the urgency for containment is high. Experienced internal or external incident handlers should be used to inform these decisions.
Once the priority of the incident and the objectives of the response have been defined, it is time to act and allocate activities to the incident response teams.
So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW
Average DDoS attacks fatal to most businesses, report reveals
Criminal activity is top motivation for DDoS attacks as average attacks become strong enough to down most businesses.
There were also reports of attacks of 450Gbps, 425Gbps and 337Gbps, but these are fairly rare, said Gary Sockrider, principal security technologist at Arbor Networks.
Another significant change, he said, is that for the first time in several years criminal activity has replaced hacktivism and vandalism as the top motive for DDoS attacks.
Response to attacks improving
Nearly 30pc SME staff lack cyber threat training
Some 27% of small to medium sized enterprises (SMEs) are failing to educate staff on the threat of a cyber attack.
According to research by cyber insurance provider CFC, this is despite the fact that nearly forty per cent of CFC’s claims in 2016 were caused by phishing attacks that could have been avoided with better education and training.
According to CFC, the main reason given for this is that SMEs are “not sure where to start”, which could be a result of not understanding their cyber risk profile, with 20% of SMEs never assessing the business exposure to cyber risk.
In September 2016, a Juniper Research report revealed that 74% of UK SMEs think they are safe from cyber attack, despite half of them admitting having suffered a data breach.
There is still naivety about the significance of a data breach, according to the report, which showed that although 69% of respondents would contact someone immediately if they discovered a cyber breach, 18% would wait until the next working day if they did not consider it a big problem.
CFC reported a 78% rise in cyber claims from 2015 to 2016, with 90% of claims by volume coming from businesses with less than £50 million in revenue, highlighting just how vulnerable SMEs are to relatively unsophisticated cyber attacks.
When SMEs were asked what poses the biggest threat to their business, cyber crime came in second, topped only by Brexit.
Some 31% of IT companies report cyber crime as the main threat, followed by 25% in the manufacturing sector. By comparison, just 8% overall are concerned about traditional crime. Despite these worries, 80% of SMEs still do not buy cyber insurance.
At CFC’s recent Cyber Symposium, Inga Beale, CEO of Lloyd’s, said: “It’s one of the most high profile risks businesses are facing at the moment, and yet CEOs seem to be in denial about its impacts and their ability to deal with it.
“Businesses are either not looking for solutions, or if they are, they don’t know where to find them or understand the value of them. Insurers need to explain the benefits cyber insurance can bring.”
Graeme Newman, chief innovation officer at CFC, said it was worrying to see that 56% of SMEs do not have an incident response plan in place that outlines roles and responsibilities in the event of a cyber attack.
“SMEs must take a two-pronged approach to guarding against an attack – implementing good security and risk management practices along with a strong cyber insurance policy,” he said.
“For SMEs that are time-poor and cash-strapped, cyber insurance policies exist not only to pay for financial losses should their systems be compromised, but also to help them handle and resolve incidents quickly and effectively.”
However, Newman predicted that although only 9% of SMEs are worried about regulatory fines as a result of a cyber attack, that figure is likely to increase once companies are required to comply with the EU’s General Data Protection Regulation (GDPR) from 25 May 2018.
Whereas the UK’s privacy watchdog, the Information Commissioner’s Office, is currently able to issue penalties of up to £500,000, the GDPR will introduce fines of up to €20 million or 4% of an organisation’s annual global turnover, whichever is greater.
This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90 fold increase, from £1.4 billion in 2015 to £122 billion, the Payment Card Industry Security Standards Council (PCI SSC) has calculated, based on the maximum fine of 4% of global turnover.
For UK SMEs, this could see regulatory fines for data breaches rise to £52 billion, a 57 fold increase, averaging £13,000 per SME.
Only 5% of FT 100 cos have cyber board member expertise
Only 5% of FT 100 company boards have a board director with specialist technology or cyber security experience, according to research by Deloitte.
This is despite cyber risk being identified as a principal risk by the vast majority of them. Of the type of cyber attacks disclosed as a threat, unauthorised access to systems ranked most common (19%), followed by hacking (13%) and malware (13%). Distributed denial of service (DDoS) attacks were only mentioned by five companies, despite Deloitte predictions that we could see ten million DDoS incidents in 2017.
More than half of companies mentioned cyber contingency, crisis management or disaster recovery plans in their annual report. Of these, however, only 58% disclosed that these plans had been simulated in test scenarios over the year.
The most commonly disclosed potential impacts of cyber breaches were business disruption (68%), reputational damage (58%), and data loss (45%).
Clearly, the more frequently and stringently mitigation plans are tested, the more resilient and responsive the company. Interestingly, very few reports identified employee action as one of their cyber security threats. Company employees are, knowingly or unintentionally, the most common cause of a cyber breach.
Deloitte’s analysis proposes seven principles to improve cyber disclosure when finalising reporting:
- Every sector, although not every company, identifies cyber as a principal risk – think carefully if you have not done so.
- The value destruction capability of cyber risk is very high, ranging from remediation demands to huge reputational damage. Detailed disclosure is therefore worthwhile to highlight the risks to shareholders and let them know you are taking it seriously.
- The better disclosures are company specific, year specific and provide sufficient detail to give meaningful information to investors and other stakeholders.
- Boards and board committees are increasingly educating themselves about the cyber threat and challenging management on how they are dealing with the risk.
- Companies should take credit for what they are doing, including describing who has executive responsibility, board level responsibilities, the policy framework, internal controls, and disaster recovery plans.
- Boards should think about what could be missing from their disclosures, for example a clear indication of the main threats facing the company, who poses those threats, the likelihood, possible impact and detail about what the company – and the board – is doing to manage or mitigate those particular risks.
- Finally, if your disclosure does not look strong enough after taking credit for what the company is doing already, it is time to ask whether you are actually doing enough to manage cyber risk.
The report can be found at: https://www2.deloitte.com/uk/en/pages/press-releases/articles/just-5-of-ftse-100-companies-disclose.html
So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email safe@cyber139.com or complete the form on our contact page NOW
Cost of Yahoo hack shows executive cyber security responsibilities
Yahoo’s recent hacks reinforce the responsibilities of board executives for cyber security, as the data losses have cost its top lawyer his job, CEO Marissa Mayer millions in bonuses, and $350 million off its sale price.
The Yahoo board has decided to withhold CEO Marissa Mayer’s 2016 annual bonus in connection with a series of data breaches and accepted her offer to forego her 2017 stock award.
The SEC filing also revealed that general counsel Ronald Bell has resigned without severance pay after an independent committee brought in to investigate the breaches concluded that the Yahoo management team failed to respond effectively to the breach discovered in 2014.
The investigation report said that although Yahoo’s security team had uncovered evidence that a hacker backed by an unnamed foreign government had breached user accounts in 2014, executives “failed to act sufficiently” and that the incident “was not properly investigated and analysed at the time.”
The investigation revealed that at the time the breach was discovered, Yahoo notified only 26 people that their accounts had been breached.
“The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters,” according to the SEC filing.
Yahoo did not disclose the 2014 breach until September 2016, when it began notifying holders of 500 million accounts that associated email addresses, birth dates, security question answers, and other personal information may have been stolen.
Don’t forget that this hack also affected BT and Sky email users, as they use the Yahoo email system as the backbone for their own white label systems.
Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about one billion accounts.
However, the SEC filing revealed that 32 million user accounts have also been accessed over the past two years by state-sponsored hackers using forged cookies. Evidence of the intrusions was discovered by an external forensic team investigating the previously disclosed breaches.
According to some security commentators, the news of the 32 million compromised accounts indicates that Yahoo is probably still struggling to understand the true scope of the breaches.
After months of speculation, Verizon announced in February 2017 a revised deal for acquiring Yahoo’s core business that was $350 million less than the original due to revelations of two major data breaches that were made after the deal was signed in July 2016.
The business cost of poor cyber security has been further underlined by the fact that more than 40 lawsuits have been filed seeking damages for the breaches, and Yahoo is facing an SEC probe into whether it appropriately disclosed information about the data breach.
The impact of the breaches shows that a cyber attack could also have a significant impact for companies in merger and acquisition discussions.
While the damage to reputation and brand has always been a primary reason for concern for organisations that were not seen to be implementing sufficient housekeeping and security controls, the real damage to Yahoo’s valuation will ensure that cyber security related issues become an even higher priority.
The National Cyber Security Centre officially opens for business
The Queen yesterday officially opened the National Cyber Security Centre (NCSC), the single, central body for cyber security at a national level.
The NCSC is core to the government’s National Cyber Security Strategy, which was unveiled on 1 October 2016.
Staff in Victoria, central London, will be joined by experts from GCHQ and the private sector to help identify threats.
At the time, Chancellor of the Exchequer Philip Hammond said: “The new National Cyber Security Centre will provide a hub of world-class, user-friendly expertise for businesses and individuals, as well as rapid response to major incidents.”
Hammond said the government’s 2015 Strategic Defence and Security Review classified cyber as a Tier One threat to the UK, and outlined the actions the government needed to take to secure the country.
According to the National Cyber Security 2016-2021 report, NCSC’s role will be to manage national cyber incidents, provide an authoritative voice and centre of expertise on cyber security, and deliver tailored support and advice to government departments, the devolved administrations, regulators and businesses.
“The NCSC will analyse, detect and understand cyber threats, and will also provide its cyber security expertise to support the government’s efforts to foster innovation, support a thriving cyber security industry, and stimulate the development of cyber security skills,” the report said.
There were 188 cyber attacks classed by the NCSC as Category Two or Three during the last three months.
And even though the UK has not experienced a Category One attack – the highest level, an example of which would have been the theft of confidential details of millions of Americans from the Office of Personnel Management – there is no air of complacency at the NCSC’s new headquarters.
Ciaran Martin, the centre’s chief executive, said “We have had significant losses of personal data, significant intrusions by hostile state actors, significant reconnaissance against critical national infrastructure – and our job is to make sure we deal with it in the most effective way possible.”
As well as protecting against and responding to high-end attacks on government and business, the NCSC also aims to protect the economy and wider society.
The UK is one of the most digitally dependent economies, with the digital sector estimated to be worth over £118 billion per year – which means the country has much to lose.
It is not just a crippling cyber-attack on infrastructure that could turn out the lights which worries officials, but also a loss of confidence in the digital economy from consumers and businesses, as a result of criminals exploiting online vulnerabilities.
A sustained effort was required by government and private sector working together to make the UK the hardest possible target, officials say.
Russia has been the focus of recent concern, following claims it used cyber-attacks to interfere with the recent US presidential election.
“I think there has been a significant change in the Russian approach to cyber-attacks and the willingness to carry it out, and clearly that’s something we need to be prepared to deal with,” Mr Martin said.
Krebs’s Immutable Truths About Data Breaches
Cyber 139 have been following Brian Krebs’s writings for a while and his Dilbert-style post below caught our imagination:
I’ve had several requests for a fresh blog post: A list of immutable truths about data breaches, cybersecurity and the consequences of inaction.
“There are some fairly simple, immutable truths that each of us should keep in mind, truths that apply equally to political parties, organizations and corporations alike:
- If you connect it to the Internet, someone will try to hack it.
- If what you put on the Internet has value, someone will invest time and effort to steal it.
- Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it.
- The price he secures for it will almost certainly be a tiny slice of its true worth to the victim.
- Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”
They may not be complete, but as a set of truisms these tenets probably will age pretty well. After all, taken as a whole they are practically a model Cybercriminal Code of Ethics, or a cybercrook’s social contract.
Nevertheless, these tenets might be even more powerful if uttered in the voice of the crook himself. That may be more in keeping with the theme of this blog overall, which seeks to explain cybersecurity and cybercrime concepts through the lens of the malicious attacker (often this is a purely economic perspective).
So let’s rifle through this ne’er-do-well’s bag of tricks, tools and tells. Let us borrow from his literary perspective. I imagine a Cybercriminal Code of Ethics might go something like this (again, in the voice of a seasoned crook):
- If you hook it up to the Internet, we’re gonna hack at it.
- If what you put on the Internet is worth anything, one of us is gonna try to steal it.
- Even if we can’t use what we stole, it’s no big deal. There’s no hurry to sell it. Also, we know people.
- We can’t promise to get top dollar for what we took from you, but hey — it’s a buyer’s market. Be glad we didn’t just publish it all online.
- If you can’t or won’t invest a fraction of what your stuff is worth to protect it from the likes of us, don’t worry: You’re our favorite type of customer!
From: https://krebsonsecurity.com/2017/01/krebss-immutable-truths-about-data-breaches/
Glos Police warn cyber crime is more dangerous than streets at midnight
Gloucestershire Police said in December 2016 that 54% of all reported crime within our county was cyber related.
In other words, you have a much higher chance of being mugged online in your home or work place than you do wandering around any of our high streets at midnight at the weekend.
According to the latest report by the Office of National Statistics (ONS), there were 5.8 million incidents of cyber crime and fraud in the 12 months up to March 2016, affecting one in 10 people in England and Wales.
The Federation of Small Businesses (FSB) found last month that small firms are unfairly carrying the cost of cyber crime in an increasingly vulnerable digital economy, being collectively attacked seven million times per year at an estimated cost to the UK economy of £5.26 billion.
Despite the vast majority of small firms (93%) taking steps to protect their business from digital threats, two thirds (66%) have been a victim of cyber crime in the last two years. Over that period, those affected have been victims on four occasions on average, costing each business almost £3000 in total.
The types of cyber crime most commonly affecting small businesses are phishing emails (49%), spear phishing emails (37%), and malware attacks (29%).
Small firms are also concerned about hacking and fraud when the card is not present, with the average information breach setting them back 2.2 days.
However, just a quarter of smaller businesses (24%) have a strict password policy, only four per cent have a written plan of what to do if attacked online, and just two per cent have a recognised security standard such as ISO27001 or the Government’s Cyber Essentials scheme.
GDPR data protection fines
The General Data Protection Regulation (GDPR) and its fines are less than 17 months away, warns Cyber139. Happy New Year!
A two tiered system of fines will apply. Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs.
For other breaches, the authorities could impose fines on companies of up to €10 million or 2% of global annual turnover, whichever is greater.
Hoping that Brexit might help you? Wrong: speaking in parliament in the week before Christmas, UK digital minister Matt Hancock again confirmed that the GDPR “will become directly applicable in UK law on 25 May 2018”.
Data controllers could face more severe regulatory fines than data processors for failing to keep personal data appropriately secure under the new General Data Protection Regulation
One of the many changes that the new Regulation will deliver when it comes into force on 25 May 2018 is a new statutory obligation on data security that data processors must observe above and beyond contractual duties agreed with data controller customers.
Under current EU data protection rules service providers that process personal data on behalf of other businesses cannot be held directly liable to individuals for a breach of data security. If data processors are at fault for data breaches then it is the data controller who contracted with them whose neck is on the block for any non compliance with data protection laws, although the data processor could be liable to the data controller under their contract.
The Regulation addresses this anomaly but makes a distinction between the maximum fine data protection authorities will be able to levy against data controllers compared to data processors for failings on data security.
The relevant provisions on data security are contained under Articles 5 and 32 of the Regulation.
Article 5 sets out basic rules on personal data processing which only apply to data controllers, considered to be fundamental to data protection. One of those rules requires data controllers to ensure that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.
According to the Article 83 provisions of the Regulation on administrative fines, where data controllers breach that Article 5 requirement they can be served with the highest possible fine that data protection authorities will be able to issue under the reformed framework.
In contrast if data processors breach their statutory data security obligations, set out under Article 32, which requires them to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” of their personal data processing, then the most they could be fined is up to €10m or 2% of global annual turnover.
Data controllers are also subject to the Article 32 obligations. It therefore appears open to national data protection authorities to fine data controllers for any data security failings under Article 5 or Article 32. Their choice in those circumstances would impact on the severity of the fines they could issue.
Whether security measures are appropriate in each instance will depend on “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”, according to the Regulation.
Beyond the imposition of administrative fines for data security breaches, the Regulation will also introduce an updated right for data subjects to claim compensation for damages they suffer from such incidents.
A data controller or data processor could be sued for compensation as well as being exposed to the administrative fines – being fined will not shield it from compensation claims, and vice versa.
The revised right will allow data subjects to pursue either data controllers or data processors for all of the compensation owed to them for the damage they have suffered from a data breach, although a processor will only be liable for damage caused by processing where it has not complied with any part of the Regulation that applies to them or if it has “acted outside or contrary to lawful instructions of the controller”.
Data controllers pursued for damages will be able to claim back all or some of the money they pay out from their data processor if the data processor was in fact responsible, wholly or in part, for the breach.
Equally, data processors will have the same right to claim back money from data controllers, or indeed other data processors involved, whose fault caused or contributed to the damage, if the data subject pursues the data processor for the full compensation pay-out.