News round-up Oct 2020 — Update on Service NSW data breach, Twitter upping its security game, and more

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email to subscribe.

The round-up

It’s in the nature of this game that there’ll always be breaches and bungles, so increasingly it matters how you respond. And in our eyes, some recent response actions are worth commending. The NSW Government opened up on how it might have prevented the Service NSW breach, while Twitter laid out how it is upping its internal security game after a hack in July. We also explore whether NAB’s step into the world of bug bounties sets a new bar for security maturity.

Key articles:

Australians want more control over privacy, survey shows

Summary: Privacy is a major concern for 70% of Australians while 87% want more control and choice over the collection and use of their personal information, a new study shows.

Key risk takeaway: As businesses roll out services that are increasingly data-driven, one of the more salient findings of the survey was that privacy is now the leading consideration when individuals choose an app or program to download, ahead of quality, convenience and price. Concerns around collection practices – particularly around the purpose for which data was collected – were another prominent finding. These views reinforce the importance of approaches such as privacy-by-design and practices such as Privacy Impact Assessments (PIAs), which seek to “bake in” good privacy practices early in the development of new projects or initiatives. The Office of the Australian Information Commissioner this month also issued guidance for agencies on how to screen for potentially ‘high privacy risk’ projects to determine whether a PIA is required under the agencies’ privacy code.

Tags: #privacy #communityattitudes #privacyimpactassessments

Service NSW hack could have been prevented with simple security measures

Summary: The personal data of 186,000 customers and staff was leaked after a cyber-attack on Service NSW in April that compromised the email accounts of 47 employees.

Key risk takeaway: We covered the news of this attack in our May roundup – our focus here is on Service NSW’s response. Transparency, responsiveness and empathy for affected customers are core principles of a trust-building response. Service NSW has attracted criticism for taking four months to notify affected customers, illuminating a key challenge in translating these principles into reality. In the wake of a breach, many organisations lack the capabilities to quickly identify and assess the data types involved and, more pertinently, the extent of likely harm to affected customers – resulting in lengthy delays to notification. That appears to have been the case here, with Service NSW describing much of the breached data as being in unstructured form (e.g. emails, handwritten notes, forms and scans). Encouragingly, head of Cyber Security NSW Tony Chapman demonstrated commendable transparency in his responses around root causes, citing the preventative roles that multi-factor authentication and reduced email-based data sharing could have played. Some may argue these concessions are like shutting the gate after the horse has bolted – another perspective is that these disclosures demonstrate an understanding of what is required to prevent recurrence of similar incidents in the future.

Tags: #databreachresponse

Woman dies during a ransomware attack on a German hospital

Summary: In what is being described as the first possible death directly linked to a cyber-attack, a woman has died after a German hospital couldn’t accept emergency patients due to a ransomware attack.

Key risk takeaway: In seeking to illuminate why cyber security matters, we often describe the potential impacts of cyber incidents. Large financial, reputational and operational impacts are serious enough, but for organisations in the health sector, impacts on the wellbeing of individuals (to the point of death) are sadly also very much on the cards. Do incidents like this – where human life is at stake – complicate advice to “never pay ransoms”? It’s hard to say, but it seems fair to observe that there are mixed views in some quarters, with some organisations reserving the right to make a risk-based judgement. In this scenario, even the attackers tweaked the ‘conventional’ rules of extortion – when told they had impacted a hospital treating emergency patients, they withdrew the ransom demand and provided a decryption key. Sadly, it was too late for the impacted woman. This incident follows ransomware attacks on a Thai hospital and on one of Chile’s biggest banks, the latter resulting in the shutdown of all its branches, with disruptions lasting over a week.

Tags: #ransomware

NAB crowdsources cyber security with bug bounty program

Summary: NAB is the first of the Big Four banks to include a bug bounty program in its security strategy.

Key risk takeaway: We’ve previously written that bug bounties are increasingly seen as a sign of a mature approach to security. The foray of a major Australian bank (traditionally more conservative) into the world of “crowdsourced security assurance” is arguably further evidence of the mainstreaming of these approaches, and a step we wager took some hearty advocacy by the security team to get sign-off from legal types and executives. Given the global cyber security skills shortage, bug bounties can offer organisations access to a broader, internationally-based pool of security talent to test and assure key systems. A key consideration is to see bug bounties not as a replacement for, but a complement to, existing capabilities within a layered security strategy.

Tags: #bugbounty #layereddefence

Twitter prepares for US election with new security training, penetration tests

Summary: Ahead of the US election Twitter has been bolstering its internal security and privacy controls, including by requiring staff to complete additional training, deploying hardware security keys to employees, and engaging in penetration tests and privacy impact assessments.

Key risk takeaway: Here’s something of a blueprint for hardening systems in the wake of a phishing-based breach. After suffering such a breach in July, Twitter has stepped up a range of protections – most notably around employees – by increasing training requirements, enhancing checks on employees with access to key systems and rolling out “phishing-resistant security keys”. A mix of baseline security/privacy training for all staff, coupled with more targeted and dynamic learning content for specific role types (as Twitter appears to be pursuing), also reflects the strategies we are increasingly seeing pursued in the local market. Also of note is Twitter’s push to ensure appropriate privacy measures are implemented before projects launch: in the first six months of 2020 Twitter completed more than 300 privacy impact assessments, compared with 100 PIAs in 2018.

Tags: #securityawareness

News round-up February 2020 — Privacy priorities and on-selling data


The round-up

In this edition, a well-known security vendor shuts down a subsidiary business that was on-selling user data, with the CEO admitting the practice wasn’t in line with the company’s “north star” and privacy priorities. Setting up a global privacy office looks to be one way that companies are seeking to avoid going astray on privacy – in this edition we highlight a major Australian bank doing just that. This roundup also examines the attacker tactics that lead to most security incidents.

Key articles:

Avast shuts down marketing analytics subsidiary Jumpshot amid controversy over selling user data

Summary: The seller of anti-virus software has wound down a subsidiary business found to be selling highly sensitive web browsing data.

Key risk takeaway: The financial implications of poor security and privacy practices are laid bare in this story, with Avast not only winding down a US $180m subsidiary company but also seeing its shares fall 11 percent in value in the wake of the revelations. It’s also a reminder that security tools are by design invasive and often require deep access to systems and data. In this case, Avast’s software tracked its users’ clicks and movements across the web, repackaging that data and selling it on to clients that included Google, Yelp, Microsoft and Pepsi. As with any software supplier, organisations should seek assurances that security vendors will use their access to systems and data appropriately and in line with privacy regulations and expectations. Meanwhile, the effectiveness of security software against well-known attacks is to be evaluated by US non-profit MITRE, which produces the respected ATT&CK framework, a knowledge base of attacker tactics and techniques.

Tags: #softwareassurance #privacy

NAB sets up a global privacy office

Summary: National Australia Bank has set up and is expanding a global privacy office under its chief data officer. The remit of the office is to safeguard customer data and champion privacy culture and data ethics.

Key risk takeaway: The establishment of global privacy offices under a chief privacy officer (CPO) continues to gather pace, offering organisations a means to provide greater focus on how they handle growing amounts of customer data. Whilst establishing a privacy office under a CPO is not necessarily a new thing (in some jurisdictions, it may even be required under the regulations), we are seeing an emerging trend to include data ethics as a limb of privacy management, with CPOs assigned accountability for advocating for customers’ data rights. As looks to be the case at NAB, organisations are using the establishment of a global privacy office to go beyond regulatory compliance and drive more ethical uses of data across their business.

Tags: #privacy #dataethics

Known bugs and predictable phishing are behind your average security incident, IBM says

Summary: An IBM analysis of 70 billion security incidents in 130 countries over the past year has determined that attackers typically used known vulnerabilities or stolen credentials to break into victims’ networks.

Key risk takeaway: Too often, the first refrain of a company that has been breached is to lament the “sophistication” of attackers – when the truth (revealed again in this story) is that most incidents are the result of well-known and often preventable tactics. Failure to apply security patches has repeatedly been shown to allow attackers to “waltz” into corporate networks, while employees untrained in phishing risks give away corporate account credentials or help attackers get malware into a company’s environment. Along with an effective security awareness program, applying foundational security controls such as the Australian Government’s Essential Eight strategies can make life significantly more difficult for attackers.

Tags: #securityhygiene #securityawareness #essentialeight

Maze ransomware spree continues amid advisories from French, FBI officials

Summary: Attackers have used a strain of ransomware known as Maze to steal data from and disrupt a number of businesses including law firms, a grocery chain and healthcare facilities. Meanwhile Australian logistics company Toll Group, a US healthcare analytics firm and a US natural gas facility were also affected by ransomware attacks.

Key risk takeaway: Ransomware is already having a devastating impact in 2020, affecting businesses globally and across many industry sectors. We’ve written previously about the common ways organisations can prevent infection by ransomware, most notably educating users against phishing emails (a key delivery mechanism for ransomware), as well as deploying strategies to prevent it spreading. These stories highlight some adjacent considerations. Reporting of the Maze attacks highlights the aggressive, public extortion strategy used by attackers to try to force businesses into paying ransoms. This underscores the need for a proactive public response strategy to ransomware, alongside the deployment of technical measures. The method of attack on the US gas facility also highlights the importance of security detection and monitoring tools. Categorised as a “post-compromise ransomware incident”, in this case the attackers first gained access to the company’s IT environment before deploying the ransomware, allowing them to identify critical systems and disable security tools that might have blocked the ransomware.

Tags: #ransomware #securityawareness

How 4 Chinese Hackers Allegedly Took Down Equifax

Summary: The US Government announced charges against four members of China’s People’s Liberation Army for hacking into credit reporting agency Equifax in 2017 and stealing personal information on 145 million Americans.

Key risk takeaway: The indictment against the Chinese hackers reminds us that the growing volumes of information collected by private companies (especially financial institutions) will attract the attention of some foreign governments, particularly given its value for intelligence gathering. Exercises such as threat modelling help organisations identify their critical assets and data and the threat actors likely to target those assets. While the attack on Equifax is now being pinned on a highly capable nation-state actor, the indictment nevertheless reveals that the attack succeeded largely due to basic security failings on the part of Equifax. These include failing to patch a known security vulnerability and failing to encrypt sensitive data.

Tags: #threatmodelling #securityhygiene

News round-up December 2019 — Ransomware attacks, phishing and online data breaches


The round-up

It’s that time of year when the familiar faces who’ve been with you throughout the year get together to see you off into the holiday season. And so it is with the last news roundup for 2019. Regulars of the roundup – ransomware attacks, phishing and online data breaches – pop their heads up for one last hurrah, while focus sharpens just a little more on privacy and the ethical use of consumer data.