Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.
In this edition, a well-known security vendor shuts down a subsidiary business that was on-selling user data, with the CEO admitting the practice wasn’t in line with the company’s “north star” and privacy priorities. Setting up a global privacy office looks to be one way that companies are seeking to avoid going astray on privacy – in this edition we highlight a major Australian bank doing just that. This roundup also examines the attacker tactics that lead to most security incidents.
Summary: Anti-virus vendor Avast has wound down a subsidiary business found to be selling highly sensitive web browsing data.
Key risk takeaway: The financial implications of poor security and privacy practices are laid bare in this story, with Avast not only winding down a US $180m subsidiary company but also seeing its shares fall 11 percent in value in the wake of the revelations. It’s also a reminder that security tools are by design invasive and often require deep access to systems and data. In this case, Avast’s software tracked its users’ clicks and movements across the web, repackaging that data and selling it on to clients that included Google, Yelp, Microsoft and Pepsi. As with any software supplier, organisations should seek assurances that security vendors will use their access to systems and data appropriately and in line with privacy regulations and expectations. Meanwhile, the effectiveness of security software against well-known attacks is to be evaluated by US non-profit agency MITRE, which produces the respected ATT&CK framework, a knowledge base of attacker tactics and techniques.
Tags: #softwareassurance #privacy
Summary: National Australia Bank has set up and is expanding a global privacy office under its chief data officer. The remit of the office is to safeguard customer data and champion privacy culture and data ethics.
Key risk takeaway: Establishment of global privacy offices under a chief privacy officer (CPO) continues to gather pace, offering organisations a means to provide greater focus on how they handle growing amounts of customer data. Whilst establishing a chief privacy office is not necessarily new (in some jurisdictions it may even be required under the regulations), we are seeing an emerging trend to include data ethics as a limb of privacy management, with CPOs assigned accountability for advocating for customers’ data rights. As looks to be the case at NAB, organisations are using the establishment of a global privacy office to go beyond regulatory compliance and drive more ethical uses of data across their business.
Tags: #privacy #dataethics
Summary: An IBM analysis of 70 billion security incidents in 130 countries over the past year has determined that attackers typically used known vulnerabilities or stolen credentials to break into victims’ networks.
Key risk takeaway: Too often, the first refrain of a company that has been breached is to lament the “sophistication” of attackers – when the truth (revealed again in this story) is that most incidents are the result of well-known and often preventable tactics. Failure to apply security patches has repeatedly been shown to allow attackers to “waltz” into corporate networks, while employees untrained in phishing risks give away corporate account credentials or help attackers get malware into a company’s environment. Along with an effective security awareness program, applying foundational security controls such as the Australian Government’s Essential Eight strategies can make life significantly more difficult for attackers.
Tags: #securityhygiene #securityawareness #essentialeight
Summary: Attackers have used a strain of ransomware known as Maze to steal data from and disrupt a number of businesses including law firms, a grocery chain and healthcare facilities. Meanwhile Australian logistics company Toll Group, a US healthcare analytics firm and a US natural gas facility were also affected by ransomware attacks.
Key risk takeaway: Ransomware is already having a devastating impact in 2020, affecting businesses globally and across many industry sectors. We’ve written previously about the common ways organisations can prevent infection by ransomware, most notably educating users against phishing emails (a key delivery mechanism for ransomware), as well as deploying strategies to prevent it spreading. These stories highlight some adjacent considerations. Reporting of the Maze attacks highlights the aggressive, public extortion strategy used by attackers to try to force businesses into paying ransoms. This underscores the need for a proactive public response strategy to ransomware, alongside the deployment of technical measures. The method of attack on the US gas facility also highlights the importance of security detection and monitoring tools. Categorised as a “post-compromise ransomware incident”, in this case the attackers gained access to the company’s IT environment before deploying the ransomware, allowing them to first identify critical systems and disable security tools that might have blocked it.
Tags: #ransomware #securityawareness
Summary: The US Government announced charges against four members of China’s People’s Liberation Army for hacking into credit reporting agency Equifax in 2017 and stealing personal information on 145 million Americans.
Key risk takeaway: The indictment against the Chinese hackers reminds us that the growing volumes of information collected by private companies (especially financial institutions) will attract the attention of some foreign governments, particularly given its value for intelligence gathering. Exercises such as threat modelling help organisations identify their critical assets and data and the threat actors likely to target those assets. While the attack on Equifax is now being attributed to a highly capable nation state actor, the indictment nevertheless reveals that the attack succeeded largely due to basic security failings on the part of Equifax. These include failing to patch a known security vulnerability and failing to encrypt sensitive data.
Tags: #threatmodelling #securityhygiene