News round-up April 2020 — Privacy and security issues with COVID-19

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.


The round-up

COVID-19 is creating a heady and swirling vortex of news, information and disinformation. In this edition we cut through to the key privacy and security issues of the pandemic, including the Government’s contact tracing app and the new risks and scams that security leaders need to be thinking about. We also check in on how cybercriminals are attending to business-as-usual.

Key articles:

ACSC issues FUD-busting COVID-19 WFH guide

Summary: In light of new and more pronounced cyber security vulnerabilities brought on by the workforce’s wholesale transition to working from home, the Australian Cyber Security Centre issued its own official guidance.

Key risk takeaway: Security leaders in businesses right across the economy are responding to working arrangements and circumstances radically different to those for which they devised their risk mitigation strategies and activities. For the many professionals working from home, the ACSC’s tips include being aware of COVID-19 related cyber threats and scams (see next story), adopting strong passphrases and using multi-factor authentication. Security teams also need to account for the different risk profile that results from a highly distributed workforce working in non-corporate environments. Risks to manage more closely include users adopting unsanctioned video conferencing platforms and connecting to networks insecurely. Other emerging considerations include the need to revisit security provisions in technologies hastily purchased during the pandemic and sharpening governance over “shadow IT”, as workers install and use their own (non-sanctioned) applications to continue to perform their duties in non-standard conditions.

Tags: #securityhygiene #securityawareness #securityriskassessment


Continued widespread reports of COVID-19 malicious scams

Summary: Authorities and businesses around the world are observing a massive surge in internet scams related to the coronavirus pandemic. Says one security professional: “I’ve never seen this volume of phishing. I am literally seeing phishing messages in every language known to man.”

Key risk takeaway: It’s the pandemic edition of the usual refrain – humans are the critical front-line in defending against cyber-attacks. Businesses must take strong steps to make their employees aware of the explosion in COVID-19 themed scams and phishing attacks, which are being deployed to drop malware, steal information and facilitate financial fraud. Thousands of new coronavirus-themed web domains, which are used as phishing sites and to spread malware, are being registered every day. The Australian Signals Directorate is muscling up for the fight, as are US law enforcement authorities and even an army of volunteer cyber defenders.

Tags: #securityawareness


Australia launches COVIDSafe contact tracing app

Summary: The Australian Government launched an app to help health professionals perform contact tracing on individuals who test positive for coronavirus. The app faced intense scrutiny over its handling of privacy and security considerations.

Key risk takeaway: The public’s heightened expectations of privacy and transparency in new technologies and services – particularly those involving sensitive information (such as health status) – are brought to the fore in the public conversation surrounding the COVIDSafe app. The Government’s previous missteps in adequately addressing privacy and security considerations in technology deployments (e.g. Census, My Health Record) have demonstrably impacted this rollout, reflecting the importance of service providers building trust over an extended period. A privacy impact assessment on the app – which made 19 recommendations, the bulk of which were accepted – has helped in part to ameliorate some of the privacy concerns (read elevenM’s Melanie Marks’ view of some of these privacy risks here). An auxiliary consideration for organisations will be how they deal with employee queries about the app, particularly in relation to installing it on work-issued mobile devices.

Tags: #privacy #privacyimpactassessment


Zoom bolsters software security in latest move to reassure users

Summary: Video conferencing platform Zoom has faced intense criticism over poor security and privacy practices, leading to “do not use” edicts from governments and major corporations alike.

Key risk takeaway: When your startup’s moment finally comes, will a complacent attitude to privacy and security be your undoing? Widespread self-isolation has certainly been a godsend for video conferencing platforms like Zoom. But despite a massive surge in users, Zoom’s reputation has taken a thorough battering. As Standard Chartered has done overseas, major Australian organisations we are aware of have issued guidance to staff to refrain from using Zoom, especially for official business. Zoom has had to move fast to issue mea culpas and patch security and privacy holes. For major developers of digital services and budding start-ups alike, a more efficient and less painful strategy is to bake in good practices through approaches such as privacy-by-design and secure coding.

Tags: #privacybydesign #securecoding


IT services behemoth Cognizant suffers attack by Maze ransomware

Summary: While we’re all preoccupied with COVID-19, one group (sadly) is carrying on as though everything is normal: ransomware gangs. In the past month foreign exchange business Travelex, insurer Chubb and technology consultancy Cognizant were all revealed to have been hit with ransomware.

Key risk takeaway: Ransomware might be overshadowed now by that other virus, but by no means has it gone away. We wrote in February of the havoc Maze ransomware gangs were already wreaking in 2020. And the fact that cybercriminals are now offering discounts on their services should remind us all that they’re determined to be a viable force throughout and beyond the pandemic. The Cognizant incident – in addition to reminding us of the importance of endpoint protection and detection tools – highlights a couple of considerations. First, the incident affected Cognizant clients, illuminating the issue of supplier risk. Organisations should consider quickly disabling system access for any infected supplier. Second, the particularly aggressive public extortion strategy used by Maze attackers – in which sensitive data is stolen before being encrypted, and its public release threatened if the victim doesn’t pay the ransom – highlights the need for a clear public communications strategy for cyber incidents.

Tags: #solvingransomware #crisiscommunications

Four principles for contact tracing technology

elevenM Principal Melanie Marks takes a closer look at proposals to use digital technology to support contact tracing, as governments seek better ways to manage the COVID-19 pandemic.


With reports that Australia may follow in Singapore’s footsteps to build a tracking and tracing app which allows governments and citizens to get ahead of the COVID-19 pandemic, we must ensure that innovation and laws are channelled towards the “right” intended outcomes.

The benefits of introducing greater data sharing at a time of crisis are obvious. However, there are also risks, so it’s critical we proceed in a considered way.

For me the key principles are:

  1. Do what you can to save lives.
  2. There shall be no scope creep.
  3. Permissions shall be wound back when the crisis passes.
  4. Post-implementation review is essential (covering law and processes).

We need to build for the short term or at least for a series of stages, featuring “gates” where civil liberties are checked before continuing. And we need guarantees that new architectures being introduced will not be put to secondary purposes. For example, whilst we might consider it okay to trace the movements of a COVID-19 affected patient in order to prevent exposure to others (primary purpose), we should not accept that the tracing can be used to identify how far a person strays from home, in order to hit them with a fine (secondary purpose). This is especially so if we consider that channels of procedural fairness may be harder to access in the circumstances (Robodebt comes to mind).

I had a chance to discuss these ideas recently with Jeremy Kirk, together with Patrick Fair and Susan Bennett, in an article published in DataBreachToday. Click here to read more.