No final fix for cyber security

There really is no final fix solution endgame when it comes to cyber security.

There really is no final fix solution endgame when it comes to cyber security, according to security industry veteran and chief research officer at F-Secure Mikko Hypponen.The claim was made by security industry veteran and chief research officer at F-Secure Mikko Hypponen and two of the most valuable lessons in cyber security are to know your enemy and not to rely on users to be secure.

“We will always have cyber security problems because we will always have bad people, which means job security in security is likely to continue for ever,” he told the Wired Security conference in London.

Cyber attackers are continually evolving their techniques and capabilities to steal and monetise data in new ways, which means the goalposts are continually moving.

“If we were still fighting the enemy of 10 years ago, we would be in great shape,” he said, alluding to the security tools that have been developed since then, as well as the security improvements in software.

“Attackers will always have the upper hand because they have the luxury of time to study our defences, while defenders do not have that luxury, so it is an unfair contest – a never-ending race.”

Reflecting on lessons learned over his 25 year career in information security, Hypponen said the most important thing is to understand the adversary.

However, he said the days of being able to do that easily are long gone, with most organisations finding themselves faced with a whole range of attackers.

They are all looking to gain something, said Hypponen, whether they are hacktivists supporting a cause, nation state actors or criminals.

“But for most organisations, criminals are the most likely to be attacking them,” he said, noting that of the 350,000 to 450,000 new malware samples that F-Secure sees on a daily basis, 95% comes from organised cyber crime groups.

“It is different when you get targeted by foreign intelligence agencies, because they are really bad, but most organisations are not targeted by foreign spies because most organisations are of no interest to them,” he said.

Although these cyber criminals like to portray themselves as Mafiosi, Hypponen said most are just “geeks” looking to make money from selling things such as hacked PayPal accounts and credit card details along with step-by-step guides on how to use them to make money.

Ransomware most popular form of cyber crime

Ransomware that encrypts victims’ data and demands payment in return for restoring it is fast becoming the most popular way for cyber criminals to make money.

“This is a simple business model based on the principle of selling data to the highest bidder, which is often the person or organisation that owns the data in the first place,” said Hypponen.

F-Security is currently tracking more than 110 different ransomware groups operating around the world and competing for market share.

“Ransomware has become very competitive, with the result of some groups seeking to expand into new markets by translating ransomware campaigns into 26 different languages,” said Hypponen.

Another evolution of ransomware attacks is the shift away from consumers to target enterprises.

“As soon as an infected computer is connected to the corporate network, the attackers enumerate and mount all the file shares the user can access and dynamically set the ransom based on how many files they manage to encrypt on the network,” said Hypponen.

The biggest concern about ransomware for enterprises is that it will stop business operations. With continuity in mind, some enterprises are even setting up bitcoin wallets to be able to pay ransoms quickly and minimise the impact on business continuity.

“This idea of continuity is really backwards, because it does not address the problem,” said Hypponen. “The more enterprises pay these ransoms, the greater and more entrenched this problem will become.”

EDPR and customers data protection

We follow on from our Cyber Security Force’s post yesterday about 96% of firms being unprepared for tougher data protection laws.

We follow on from our Cyber Security Force's post yesterday about 96% of firms being unprepared for tougher data protection.While businesses grapple to become compliant, they remain out of touch with consumer expectations when it comes to data privacy and security.

Nearly three quarters of businesses do not think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with, despite customers asking about data security in more than a third of transactions.

Equally concerning, the report said, is the finding that 35% of respondents do not believe their organisation takes an ethical approach to securing and protecting data.

These results show there is a significant disconnect with consumer priorities, the report said, with 88% of European consumers regarding data security as the most important factor when choosing a company with which to do business. In fact, 86% consider it more important than product quality.

Unsurprisingly, the study found that 55% of businesses are not confident they completely meet customers’ data security expectations.

The study also found many businesses have not started working out the necessary organisational and cultural changes they need to make ahead of May 2018.

Some 9% of businesses admitted that all employees are able to access customers’ personal information, while 6% admitted that all staff can access customers’ payment details. Only 14% believe everyone in the organisation has a responsibility to ensure data is protected.

With such wide reaching access to people’s personal information, businesses are underestimating the challenges they will face in managing this in line with the GDPR, the report said.

Under half of those surveyed said managing data ethically is a top priority for their organisation, and less than half again said they would be increasing security training. Only 27% of businesses polled said they are planning to overhaul their approach to security in response to the GDPR.
Technical readiness

The majority of respondents (91%) have concerns about the ability of their organisation to comply with the GDPR, due to factors such as the complexity of processing data correctly in time and costs involved.

Only 28% of IT and business decision makers realise the right to be forgotten is part of GDPR, while 90% of businesses say customers requesting their data be deleted will be a challenge for their organisation.

Only 9% of respondents have already received requests to be forgotten, but 81% believe their customers would exercise their right for data to be deleted, and 60% of businesses do not currently have a system in place that enables them to respond to these requests.

With less than two years before the EU data protection rules come into force, there are 10 key areas businesses need to focus on to ensure they will be compliant.

The European Parliament’s official publication of the General Data Protection Regulation means it will become enforceable on 25 May 2018.

Companies that fail to start planning to deal with the EU’s data protection requirements are in for a real shock, warns the International Association of Information Technology Asset Managers.
The GDPR is about enabling organisations to realise the benefits of the digital era, but it is serious about enforcement for those that do not play in the rules, says UK information commissioner.

Nearly all European businesses unprepared for new data protection laws

96% of companies still do not fully understand the European General Data Protection Regulation (GDPR), a survey has revealed.

96% of companies still do not fully understand the European General Data Protection Regulation (GDPR), a survey has revealed.

Lack of consumer and regulatory understanding, combined with low technical and cultural preparedness, represents a major threat to revenue and brand value, according to a Symantec state of privacy report

As a result, 91% of 900 businesses and IT decision makers polled in the UK, France and Germany have concerns about their ability to become compliant by the time the GDPR comes into force on 25 May 2018, according to Symantec’s State of Privacy Report.

The report coincides with a call by the Payment Card Industry Security Standards Council (PCI SSC) for firms to act now to avoid exponentially increased penalties under new European Union (EU) data protection regulations.

UK businesses could face up to £122 billion in penalties for data breaches when new EU legislation comes into effect, the PCI SSC has warned.

The Symantec study also revealed only 22% of businesses consider compliance a top priority in the next two years, despite only 26% of respondents believing their organisation is fully prepared for the GDPR.

Nearly a quarter of those polled said their organisation will not be compliant at all, or will be only partly compliant, by 2018.

Of this group, only a fifth believe it is even possible to become fully compliant with the GDPR, with nearly half believing that while some company departments will be able to comply, but others will not.

This stark lack of confidence in meeting the May 2018 deadline leaves businesses at risk of incurring significant fines, the report said.

These findings show businesses are not only underprepared for the GDPR, they are under preparing,” said Kevin Isaac, senior vice-president, Symantec.

“There is a significant disconnect between how important privacy and security is for consumers, and its priority for businesses. The good news is there’s still time to remedy the situation, but only if firms take immediate action,” he said.

National Cyber Security Centre (NCSC) launched today

The National Cyber Security Centre (NCSC) is officially launched and open for business today 4 October 2016.

The National Cyber Security Centre (NCSC) is officially launched and open for business today 4 October 2016.The government outlined what the NCSC would do, how it would work and who it would work for in May this year, but had not given a precise date for the official opening of the centre until now.

The NCSC will be led by CEO Ciaran Martin, formerly director general of government and industry cyber security at intelligence agency GCHQ, and the technical director will be Ian Levy, formerly technical director of cyber security at GCHQ.

The NCSC will be run from new offices in London as well as from offices near Cheltenham, Gloucestershire.

The primary goal of the NCSC is to simplify the complicated cyber security picture across government that made it difficult for organisations to know who to talk to.

It brings together all the key organisations under a single organisational umbrella to provide better support and bridge the gaps between government, industry and critical national infrastructure.

There were four main goals for the NCSC, which began preparatory work and conducted trials and pilot studies over the summer:

  • These are to reduce cyber security risk to the UK;
  • To respond effectively to cyber incidents and reduce the harm they cause to the UK;
  • To understand the cyber security environment, share knowledge and address systemic vulnerabilities and;
  • To build the UK’s cyber security capability, providing leadership on key national cyber security issues.

The NCSC has five areas of focus: engagement, strategy and communications, incident management, operations, and technical research and innovation.

In the next six months, the NCSC will test its strategic plan and refine it further based on feedback received.

Yahoo hack effects Sky and BT emails as well

The world’s largest hacking of Yahoo also effects BT and Sky email users.

The world's largest hacking of Yahoo also effects BT and Sky email users.Yahoo wasn’t the tech giant in Silicon Valley that it used to be, but the news that half a billion user details were stolen from it over two years ago in 2014 should still concern everyone.

It now transpires that both BT and Sky used Yahoo’s email system and labelled it as their own.  Which is particularly ironic given that Sky’s parent company Fox has had to pay out hundreds of millions to people it had itself hacked it’s customers.

What is even more worrying is customer inertia- that’s because stubborn user behavior and the economics of darknet markets mean the chances of a serious breach at another major internet service increase dramatically with each hack.

The user behavior part is that people like to reuse their passwords—a lot.

One estimate, from Cambridge University’s Security Group, puts password reuse as high as 49%.

That is, we use the same password for every two accounts that require a log-in.

When a big cache of hacked passwords ends up traded on darknet markets, it often gets added to password databases. These databases can be used by corporations to ensure their users don’t use previously published, insecure passwords—or more maliciously by hackers, who will try to find passwords reused on other services.

It’s the equivalent of trying millions of different keys on a particular door, except it’s all automated and can be done in days, as the password cracker Jeremi Gosney has detailed for Ars Technica.

Password reuse and marketplaces for stolen data mean that password databases grow larger and more robust with each major breach. For example, LinkedIn was hacked in 2012 for more than 100 million user accounts. Parts of those stolen credentials wound up in darknet data dumps.

One of those log-ins belonged to a Dropbox employee, who apparently reused a password, allowing a hacker to enter the file-sharing platform’s corporate network. This led to the theft of 70 million Dropbox user passwords, which the company confirmed in August. One massive hack leads to another, forming a daisy-chain of insecurity.

The Yahoo breach is five times the size of the LinkedIn theft. That’s a lot more data to add to password-cracking lists.

The only thing we internet users have going for us now is to hope the “state-sponsored actor” that Yahoo says is behind the hack doesn’t dump the data in public, or sell it for profit. When that happens, we’re due for a password reset.

You can check if your email has been hacked and touted online at: https://haveibeenpwned.com/

UK organisations not taking ransomware seriously

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low cost, low risk cyber extortion.

UK organisations are still not taking ransomware seriously enough and continue to fall prey to low cost, low risk cyber extortion.Cyber criminals simply have to infect computer systems with malware designed to lock up critical data by encrypting it and demand ransom in return for the encryption keys.

The occurrence of ransomware attacks nearly doubled, up by 172%, in the first half of 2016 compared with the whole of 2015, according to a recent report by security firm Trend Micro.

Ransomware, the report said, is now a prevalent and pervasive threat, with variants designed to attack all levels of the network.

Ransomware is typically distributed through phishing emails designed to trick recipients into downloading the malware, or through app downloads and compromised websites.

The business model is proving extremely successful for cyber criminals, as many organisations are not prepared for it, and paying the ransom is often the best or only option open to them.

Two separate studies have revealed that universities and NHS trusts in England have been hit hard by ransomware in the past year.

A freedom of information request by security firm SentinelOne revealed that 23 of 58 UK universities polled were targeted by ransomware in the past year, but all claim not to have paid any ransom.

In a similar study by security firm NCC Group, 47% of NHS Trusts in England admitted they had been targeted, while one single trust said it had never been targeted, and the rest refused to comment on the grounds of patient confidentiality. Only one trust said it had contacted the police.

While ransomware writers were sometimes careless in the past so there was often a way to retrieve files,  that is seldom the case now, making preparation even more important.

Security firm Sophos has developed a whitepaper advising businesses on how to stay protected against ransomware.

Here are a list of best practices that businesses and public sector organisations should apply immediately to prevent falling victim to ransomware:

  • Backup regularly and keep a recent backup copy off-site
  • Do not enable macros in document attachments received via email
  • Be cautious about unsolicited attachments
  • Do not give users more login power than they need
  • Consider installing Microsoft Office viewers to see what documents look like without opening them in Word or Excel
  • Patch early, patch often because ransomware often relies on security bugs in popular applications
  • Keep informed about new security features added to your business applications
  • Open .JS files with Notepad by default to protect against JavaScript borne malware
  • Show files with their extensions because malware authors increasingly try to disguise the actual file extension to trick you into opening them

UK data well protected after Brexit says new ICO head

UK data is well protected after the Brexit vote according to the new Information Commissioner.

UK data is well protected after the Brexit vote according to the new Information Commissioner.Elizabeth Denham made the observation in the first newsletter to be published by the Information Commissioner’s Office (ICO) since she took up the role on 18 July 2016.

“The result of the EU referendum and its impact on data protection reforms will undoubtedly create uncertainty, as any period of flux does,” she said. “It’s clear to me, though, that the UK is well equipped to navigate the changes ahead successfully.”

Indicating that she means to continue her predecessor Christopher Graham’s policy of engagement with stakeholders, Denham said data protection was a “team sport”.

“Effective regulation requires engagement with the public sector, with industry, with civil society and with the public at large,” she said. “We all have an important role to play in this.”

Although Graham left the ICO on 28 June 2016 after seven years, there was a delay in Denham taking over because of a failure by government to obtain the Queen’s consent for the appointment in time.

Graham’s deputy, Simon Entwistle, was acting information commissioner until Denham was able to take over the leadership of the ICO, which regulates the UK’s Data Protection Act, Freedom of Information Act and the rules around marketing calls and texts.

Denham was shortlisted in April 2016, and was approved for the post of information commissioner by the Parliamentary Committee for the Department of Culture, Media and Sport on 27 April.

She was appointed for a five year term as information commissioner after holding senior positions in privacy regulation in Canada for the past 12 years.

Since 2010, Denham has been the commissioner at the Office of the Information and Privacy Commissioner for British Columbia, Canada.

“Over more than a dozen years in this sector, I’ve seen the pace of the privacy regulator job quicken, and the scope of the work grows wider every day,” Denham wrote in the newsletter.

“Access to information and privacy touch nearly all aspects of public and commercial life and our work is at the centre of some of the most compelling issues of our time.”
ICO makes a difference

Denham noted that the ICO’s work makes a difference to citizens and consumers, employees and other rights holders.

In addition to helping navigate the changes necessitated by the Brexit vote, Denham is the first UK information commissioner since the European Union General Data Protection Regulation (GDPR), Network Information Security (NIS) Directive and EU-US Privacy Shield framework were approved.

Referring to these challenges, Denham said there was “a lot happening this side of the pond” but that the coming weeks would enable her to become more familiar with the work of the ICO and “get to grips” with the challenges ahead.

Denham, who has a track record of taking a proactive approach to enforcing data protection law and tackling government on privacy issues, will also have to deal with implications for UK business of the controversial Investigatory Powers Bill, which is well on its way to becoming law.

Cyber crime included in official statistics

Cyber Security Force welcomes the inclusion of cyber crime in the latest crime survey for England and Wales by the Office for National Statistics (ONS).

Cyber Security Force welcomes the inclusion of cyber crime in the latest crime survey for England and Wales by the Office for National Statistics (ONS).

According to the latest report, there were 5.8 million incidents of cyber crime and fraud in the 12 months up to March 2016, affecting one in 10 people in England and Wales.

Just over half of the fraud incidents were cyber related, with 28% of these being non-investment fraud relating to online shopping or computer service calls. Some 68% of computer misuse crimes were related to malware and 32% were from unauthorised access to personal information including hacking.

However, the ONS cyber crime and fraud figures are an estimate, as specific questions relating to cyber crime were only added to the survey in October 2015 following a field trial.

“Headline estimates will include these offences for the first time in January 2017 once the questions have been asked for a full 12 months,” the report said.

According to the report, there were 4.5 million crimes reported in the period, excluding the 3.8 million cyber-related fraud incidents and 2 million compute misuse offences.

But the ONS said it would be incorrect to assume that once the figures are combined in the next report that the overall crime figure will double.

“This is the first time we have published official estimates of fraud and computer misuse from our victimisation survey, and ONS is leading the world in doing this. Together, these offences are similar in magnitude to the existing headline figures covering all other crime survey offences,” the ONS said.

“However, it would be wrong to conclude that actual crime levels have doubled, since the survey previously did not cover these offences. These improvements to the crime survey will help to measure the scale of the threat from these crimes, and help shape the response.”
Security should be top of board’s agenda

According to the ONS, cyber crime now makes up 40% of all recorded criminal incidents.

The technical capabilities of cyber criminals continue to outpace the UK’s ability to deal with cyber threats.

For the majority of organisations, the main two lessons to take from these statistics are the rapid evolution of cyber crime, and the number of threats that any individual or organisation will face.

As a result investment tends to flow into areas where it will be most productive, and crime is no different.

While there are government initiatives underway to tackle fraud, it is largely down to organisations to take care of themselves and the people they service.  The basics still apply:

  • Using strong passwords,
  • applying caution when using public Wi-Fi networks,
  • not revealing too much information about ourselves online and
  • regularly backing up personal data.

Experian’s Annual Fraud Indicator 2016 said fraud could be costing the UK economy up to £193 billion a year, with phishing attacks up by 21% in 2015 and were estimated to cost the UK more than £280 million.

Information security professionals not too worried by Brexit

The UK’s decision to leave the European Union (EU) has raised concerns in the information security world, but most professional organisations are urging calm and pragmatism.

The UK’s decision to leave the European Union (EU) has raised concerns in the information security world, but most professional organisations are urging calm and pragmatism.According to The Security Institute, the Brexit decision may have significant implications for the security profession and will inevitably present fresh challenges.

However, the organisation’s vice-president Alison Wakefield said security professionals pride themselves on being able to take the objective view, to put aside emotion and to focus instead on the hard facts of a situation.

“One thing we categorically disagree with is Michael Gove’s assertion that people in this country have had enough of experts,” she said.

“As an organisation that numbers a great many security experts in its membership, we believe the changes Brexit will bring mean that we, as a nation, will more than ever rely on these experts.”

Whatever cyber security challenges lie ahead as a result of Brexit, Wakefield said they will be met and overcome by the application of expertise and the diligent efforts of experts.

“The Security Institute’s raison d’être is to promote the professionalisation of security. Now that our country has chosen to go through a period of economic and political turbulence, let’s collectively – as experts in our field – do our utmost to re-emphasise professionalism, and redouble our efforts to help nurture security practitioners who can carry the ‘expert’ label with justification, pride and the external recognition they are due,” she said.

Adrian Davis, European managing director at security certification body (ISC)2, said information security is well-recognised as an international concern that has motivated levels of co-operation that already transcend national boundaries and politics.

“There is no reason to believe that this will come to an end or even be significantly interrupted by the Brexit vote,” he said, despite concerns by some information security professionals the cyber threat intelligence sharing may be impeded.

According to Davis, information security professionals in the UK and across Europe have at least two years to understand the practicalities that will affect their day-to-day job, and there is a good chance that quite a lot of what is anticipated over this time will not change.

The need in the UK to comply with the EU’s General Data Protection Regulation (GDPR) for example, will remain the same, he said, as UK businesses will continue handling EU citizens’ data.

“The march of technical innovation reflects global trends and will continue to shape the challenges we face on the front lines, and we all understand that threats and attacks are international. The work we do as a profession already ensures that the standards and practices required to face them account for differences in markets and regulatory expectations. I’m confident that, as a profession, information security professionals right across Europe will continue to work together,” said Davis.

UK consumers want fines for firms that lose personal data

Most UK consumers want the government to fine companies who don’t protect personal information.

Most UK consumers want the government to fine companies who don't protect personal information.A majority of UK consumers would like to see government fines for companies that fail to provide sufficient safeguards for personal information, a survey has revealed.

Some 86% of more than 1,000 UK consumers polled by the Institute of Customer Service (ICS) think the government should review data protection laws, while 77% feel it should do more to protect data from cyber attacks.

The findings of the survey are in line with the recommendations by the Department of Culture, Media and Sport (DCMS) Committee’s inquiry into the October 2015 data breach at TalkTalk, which saw the personal information of 155,000 people compromised.

The committee has published a set of recommendations in its inquiry report for improving data security in the UK, including the introduction of escalating fines for delays in reporting breaches of personal data.

The report also recommends that the government initiates a public awareness-raising campaign about online scams and allocate more resources to the Information Commissioner’s Office (ICO), the UK’s data protection authority.

Although most UK consumers would like to see more government action on data protection, 62% also believe businesses should do more to safeguard personal information, according to the ICS survey, which was included in a written submission to the DCMS committee’s inquiry.

The ICS survey shows only 13% of respondents are confident that their personal information is protected and only 15% trust organisations do everything possible to prevent security breaches.

“Businesses need to accept responsibility, rather than offer excuses, if customer data is exposed in a cyber security breach” said Jo Causon, chief executive of the ICS.

“Almost one in four consumers say nothing can restore their trust after a data breach, so if cyber security attacks continue at the current pace, business performance will suffer as concerned customers swap loyalty for personal data safety,” she said.

The ICS survey shows that 22% of respondents no longer trust companies that have suffered a breach, while 28% said they avoid organisations that have suffered a breach. In the event of a breach, 41% seek immediate notification, 23% want compensation and 10% look for an apology.

To reassure customers, the ICS outlines a series of actions businesses can take in its response to the DCMS Committee inquiry.

These include ensuring staff have the appropriate skills to communicate how data is protected and what is happening in the event of a cyber-attack; setting out the approach taken to protect customers’ data so consumers are fully informed and able to make a decision about what to share; and following a consistent set of standards across an organisation so that customer data is continuously protected no matter where it is held or analysed.