December 16, 2019
Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.
It’s that time of year when the familiar faces who’ve been with you throughout the year get together to see you off into the holiday season. And so it is with the last news roundup for 2019. Regulars of the roundup – ransomware attacks, phishing and online data breaches – pop their heads up for one last hurrah, while focus sharpens just a little more on privacy and the ethical use of consumer data.
Summary: Ransomware hits a city in the US state of Florida, while also disrupting more than 100 US dental practices in a separate attack.
Key risk takeaway: Our last news roundup for 2019 begins with a cyber threat that has regrettably not abated throughout the year. Ransomware (a highly disruptive form of malware) has severely impacted governments, businesses and healthcare facilities this year. While ransomware attacks have been making news for a couple of years now, a notable trend this year has been the targeting of service providers, such as IT companies. As these businesses service multiple clients, the attacks have wider disruptive potential which, in turn, appears to embolden attackers to demand significantly higher ransom payments. Basic security hygiene measures remain central to fighting ransomware – these include backing up data, keeping software and operating systems updated, patching critical software, using anti-virus and educating users to recognise phishing emails and not click on them.
Tags: #ransomware #securityawareness
Summary: The Government will examine changes to privacy legislation and new powers and funding for the Australian Competition and Consumer Commission (ACCC) to monitor and report on digital platforms, as part of its response to the consumer watchdog’s digital platforms inquiry earlier this year.
Key risk takeaway: While the ACCC’s report and the Government’s response focus greatly on addressing the power wielded by digital giants such as Facebook and Google, they also pave the way for stronger privacy protections for consumers and increased penalties for businesses that violate privacy regulations. The changes to be considered include an expansion of the definition of personal information to include online information collected by digital platforms, stronger consent and notification requirements, the right for consumers to delete information held about them, and the right to sue on privacy matters. The Government’s response is anticipated to herald a strengthening of Australia’s privacy framework, though there are differing views as to whether it brings Australia in line with privacy regimes internationally quickly enough.
Summary: Australian parliamentarians and staff will be subject to phishing email simulations following the state-sponsored cyber-attack against Parliament House earlier this year.
Key risk takeaway: While not directly attributing the Parliament cyber-attack to phishing, the roll-out of this phishing simulation suggests it was centrally involved in the attack labelled “Australia’s first national cyber crisis”. It comes as Google also reveals data that 90 per cent of state-sponsored attacks against its users between July and September employed phishing emails. Sending simulated phishing emails to staff is widely recognised as one of the more effective ways to build organisational resilience against phishing. This approach involves security teams sending “mock” phishing emails to staff, in order to gauge their susceptibility to the threat and deliver targeted education accordingly. A well-designed phishing simulation program, when combined with an engaging communications strategy, can help drive an organisation-wide conversation about the risks of phishing and foster a proactive security culture. Meanwhile, Google announced it will now warn users of its Chrome browser when they are potentially visiting a phishing page.
Tags: #phishing #securityawareness
Summary: Online companies have been rather leaky lately – applications for copies of birth certificates, GPS coordinates, and companies’ marketing and media data have all recently been exposed by the third parties entrusted to hold them.
Key risk takeaway: Once again, we end the year talking about an issue that is sadly becoming old news – the exposure of company data held in cloud-based accounts because of a failure to apply basic security protections. The most common example of this scenario involves Amazon Web Services (AWS) storage buckets – in the headline story about US birth certificates, the “bucket” wasn’t protected by a password. While cloud service providers like AWS undoubtedly have some responsibility to ensure their services are inherently secure, these data exposures often transpire because the businesses using the AWS service have overlooked the application of security settings – a task that falls within their responsibility as users. Key measures to protect cloud data include preventing folders or “buckets” from being publicly accessible and enforcing basic standards of security on user accounts, for example, the use of strong passwords, preventing password sharing, and turning on multi-factor authentication.
Tags: #cloudsecurity #securityawareness
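The “publicly accessible bucket” problem above usually comes down to one misconfigured policy statement: an Allow statement whose Principal is everyone. The following is an added example (not code from elevenM or from any of the organisations mentioned) that audits an S3 bucket policy document offline and flags such statements; the two policy documents, the bucket name and the account/role ARN are constructed samples, and the hypothetical function names are ours. It runs without AWS credentials because it evaluates the policy JSON directly rather than calling AWS.

```python
"""Flag S3 bucket policy statements that grant access to everyone.

Added example: evaluates a bucket policy document offline, with no AWS
credentials needed. The policy documents, bucket name and ARNs below are
constructed samples, not values from any real account.
"""
import json


def _as_list(value):
    """Principal, Action and Resource may each be a single string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True if the statement's Principal matches anyone, including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def _has_restricting_condition(statement):
    """Any Condition block is treated as narrowing the grant (a fuller audit would inspect the keys)."""
    return bool(statement.get("Condition"))


def find_public_statements(policy_json):
    """Return [(sid, [actions]), ...] for Allow statements open to the public."""
    policy = json.loads(policy_json)
    findings = []
    for statement in _as_list(policy.get("Statement")):
        if statement.get("Effect") != "Allow":
            continue
        if not _is_public_principal(statement.get("Principal")):
            continue
        if _has_restricting_condition(statement):
            continue
        findings.append((statement.get("Sid", "<no Sid>"), _as_list(statement.get("Action"))))
    return findings


def is_public(policy_json):
    """Convenience wrapper: does this policy expose the bucket to everyone?"""
    return bool(find_public_statements(policy_json))


# Constructed sample: the kind of policy that exposes every object in the bucket.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryoneRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-records-bucket",
                     "arn:aws:s3:::example-records-bucket/*"],
    }],
})

# Constructed sample: the same bucket restricted to one IAM role in the owning account.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowAppRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/records-app"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-records-bucket/*",
    }],
})

if __name__ == "__main__":
    for name, doc in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        findings = find_public_statements(doc)
        print(f"{name}: {'PUBLIC' if findings else 'ok'} {findings}")
```

A check like this belongs alongside, not instead of, the account-level S3 Block Public Access setting, which AWS provides to stop a public policy or ACL from taking effect at all; the script is useful for reviewing policies in source control before they are ever applied.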
Summary: Fraudsters have tricked a Chinese venture capital (VC) firm into making a fraudulent US $1 million payment intended as seed money for an Israeli startup.
Key risk takeaway: Email-based fraud – also known as Business Email Compromise – continues to be highly lucrative for cybercriminals, netting US$26 billion in the last three years, according to the FBI. While conceptually simple – business email compromise involves scammers sending fake payment requests and invoices to staff – this story shows the underlying sophistication of the scam. The attackers registered fake but almost identical domains for both the VC firm and the startup, and proceeded to orchestrate extensive correspondence between the two parties, culminating in the fraudulent payment. The evident patience and detailed reconnaissance of the attackers, combined with the use of tools that enable effective email spoofing, make detecting these scams increasingly challenging. Nevertheless, education remains an important countermeasure, along with cultivating a culture where payment requests, especially those that are large and unusual, can be questioned by staff. Technical controls include the use of mail filtering and the implementation of DMARC, or “Domain-based Message Authentication, Reporting & Conformance”, widely considered a strong protection against email spoofing.
Tags: #businessemailcompromise #securityawareness
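DMARC only protects against spoofing of your own domain to the extent its policy is actually enforced; a record published with p=none merely reports. As an added example (not from the original roundup), the following parses a DMARC TXT record and grades its enforcement, flagging the common weak settings. The three records are constructed; in practice the record is fetched from the _dmarc.<domain> TXT entry in DNS, which this offline example does not do.

```python
"""Parse a DMARC TXT record and report weak enforcement settings.

Added example, not from the original roundup. The records below are
constructed; a live check would fetch the _dmarc.<domain> TXT record via DNS.
"""


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (v tag must be DMARC1)")
    if "p" not in tags:
        raise ValueError("missing required p tag")
    return tags


def assess_dmarc(record):
    """Return (policy, issues): the domain policy plus a list of weaknesses found."""
    tags = parse_dmarc(record)
    issues = []
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        raise ValueError(f"unknown policy {policy!r}")
    if policy == "none":
        issues.append("p=none only monitors; spoofed mail is still delivered")
    pct = int(tags.get("pct", "100"))       # default: apply the policy to all mail
    if pct < 100:
        issues.append(f"pct={pct} applies the policy to only part of the mail")
    sp = tags.get("sp", policy).lower()      # subdomain policy defaults to p
    if sp == "none" and policy != "none":
        issues.append("sp=none leaves subdomains unenforced")
    if "rua" not in tags:
        issues.append("no rua address: aggregate reports will not be received")
    return policy, issues


# Constructed records: monitoring only, full enforcement, and partial enforcement.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
PARTIAL_RECORD = "v=DMARC1; p=quarantine; pct=25; sp=none"

if __name__ == "__main__":
    for rec in (WEAK_RECORD, STRONG_RECORD, PARTIAL_RECORD):
        print(rec, "->", assess_dmarc(rec))
```

Note that DMARC covers the domain in the From header only; the lookalike domains used in this story were separately registered, so receiving organisations still need mail filtering and staff who question unusual payment requests, as the takeaway says.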
Summary: The consumer watchdog is pushing to reform the loyalty scheme market over concerns with how these schemes are handling consumer data.
Key risk takeaway: The Australian Competition and Consumer Commission’s report into loyalty schemes reflects growing regulatory focus on transparency and the ethical use of personal information. The ACCC’s concerns about loyalty schemes mirror similar issues raised in its investigation into digital platforms (see the earlier article in this roundup), and signal that privacy is likely to see sustained attention from the competition and consumer regulator. In particular, the ACCC has shone a light on the practice of automatically linking datasets and on the need to give consumers more meaningful control over their data. Ironically, as the ACCC voiced its concerns, the Australian parliament passed a new Medicare data matching scheme despite prevailing privacy concerns. One of Australia’s major health insurers, nib, also spruiked a major data science play this month that would see it performing extensive analysis of the data held on its members (which includes health information). In announcing the venture, nib’s CEO was required to address concerns around privacy and security – likely a reflection of current consumer, government and regulatory sentiment around data-driven initiatives.