WannaCry ransomware attack goes global

 

The news on Friday 12th May that NHS England had suffered a major ransomware attack has since widened to a much larger victim base. We now know that the attack has affected around 150 countries, with the UK and Russia among the hardest hit, and it is estimated to have affected over 200,000 machines to date. In the UK, 48 NHS trusts have reported problems at hospitals, GP surgeries and pharmacies, along with 13 NHS bodies in Scotland, and no doubt the early part of this week will bring more problems as staff come into work and switch their PCs back on.

The malware, which targeted Windows machines, was stopped from spreading further by a young security researcher (known online as @MalwareTechBlog) who unwittingly triggered its kill switch: the malware's creator had hard-coded a domain name into it, and the researcher registered that domain. Once the domain resolved, new copies of the worm stopped propagating. Note that the kill switch only halts the spread; files on machines that had already been encrypted are not recovered by it, and variants without the domain check can follow.

SAFEGUARDS:

There are some urgent checks that all companies and organisations should be making in the next 24 hours:

  1. Ensure you are up to date on patching your environment: a lot of organisations were caught out because they were not. Microsoft released the fix for the SMBv1 vulnerability that WannaCry's worm component exploits (security bulletin MS17-010) in March 2017, two months before the outbreak.
  2. Check your anti-virus is up to date (and preferably use a cloud-based service, e.g. Webroot).
  3. Ensure you back up all your essential data in line with your business's Recovery Time Objective (RTO) and Recovery Point Objective (RPO), and keep at least one copy offline or otherwise unreachable from the network, so that the same infection cannot encrypt the backups and you cannot be held to ransom or left fearing operational losses.
  4. Communicate with your staff: alert them to avoid opening suspicious emails or attachments, and make sure their operating system software is up to date (in a rare move, Microsoft released security updates for unsupported software such as Windows XP as a direct result of this event).
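A quick way to check the patch and SMBv1 exposure behind item 1 on a single Windows host, as an added example that is not part of the original post or of any vendor tooling: the script below looks for the MS17-010 update and reports whether the SMBv1 server is still enabled. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or newer (Get-SmbServerConfiguration is not available on Windows 7); the KB ids are those published in Microsoft's MS17-010 bulletin and should be confirmed against the bulletin for the exact build in question.

```powershell
# Added example (not from the original post): one-host WannaCry exposure check.
# Assumes an elevated session on Windows 8.1 / Server 2012 R2 or newer.
# The KB ids below are those listed in Microsoft's MS17-010 bulletin (March 2017);
# confirm the entries for your exact OS build before relying on them.

$Ms17010Kbs = @(
    'KB4012598',                            # Windows XP, Server 2003, Vista, Server 2008
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (security-only, monthly rollup)
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010Patched {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix reports installed updates by KB id. Any MS17-010 id present means
    # the SMBv1 fix is on the box. A later cumulative update may supersede these ids
    # without listing them, so 'False' is a prompt to check update history, not proof
    # of exposure.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $hits = @($KbIds | Where-Object { $installed -contains $_ })
    return ($hits.Count -gt 0)
}

function Test-Smb1Enabled {
    # The WannaCry worm spreads over SMBv1 (TCP/445). With the SMBv1 server
    # disabled the exploit has nothing to talk to, patched or not.
    return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
}

$patched = Test-Ms17010Patched
$smb1    = Test-Smb1Enabled

Write-Output ("MS17-010 update present : {0}" -f $patched)
Write-Output ("SMBv1 server enabled    : {0}" -f $smb1)

if (-not $patched) {
    Write-Warning "No MS17-010 KB found. Install the March 2017 update (or a later cumulative update) now."
}
if ($smb1) {
    Write-Warning "SMBv1 is enabled. Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
    # On Windows 7 / Server 2008 R2 set the registry value
    # HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\SMB1 to 0 and reboot instead.
}
```

Run it on a sample of machines rather than trusting a central patch report alone; the hosts that matter most in an outbreak are the ones that were switched off, off-site or outside the patch cycle, and those are exactly the ones the report will not have seen.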

Companies that want advice on data security, can contact Amicus ITS in confidence on 02380 429429.

 

Taking ownership of cyber – it involves us all

 


New research by BAE Systems, surveying 984 IT managers and 221 executives from Fortune 500 companies across the world, has found that there is still a damaging gulf in perceptions of who should take charge of managing the aftermath of a cyber attack on an organisation.

• The survey suggested that 50% of IT staff believed boardroom executives should take the lead when it comes to deciding how a company should respond and repair after it has been penetrated by hackers.
• In contrast, more than 30% of Chief Executives said that IT staff should be the ones cleaning up, fixing problems and hardening defences.

This, according to Dr Adrian Nish, head of the cyber-threat intelligence unit at BAE Systems, could lead to organisations not being prepared for oncoming attacks.

Cost of attack
There was also a mismatch when it came to the perceived cost of a breach:  technology bosses believed that, on average, a breach could cost a company about $19m (£15m).  This estimate included fines, legal fees, remediation expenses and compensation for customers.  By contrast, boardroom members put an average price tag of $11.6m (£9.2m) on breaches.

Prevention much better than cure
Ultimately, whatever the price of a cyber-attack, unless organisations have taken the necessary preventative steps, they remain highly vulnerable to not only the cost of breach, but the enormous impact of reputational damage and loss of trust.

Oliver Parry, head of corporate governance at the Institute of Directors, commented: “As with other principal risks to a business, responsibility for outlining this strategy should fall with the board. Lasting cybersecurity only comes from embedding good practice throughout the culture of an organisation, starting from the top. No system or person alone can prevent indefinitely the threat of a cyber-attack.”

This ties in with one of the recurring themes of Amicus ITS’ Director of Technology, Security & Governance, JP Norman, who has said many times over recent years that good education and awareness among staff (the “squidgy bits”) around data security remains central to thwarting a successful attack. Commenting recently, he said:

“At Amicus ITS we carry out a 3 stage review on a monthly basis with data being collated via our support functions, reviewed at a formal Information Security Committee meeting and further reviewed at every Board Meeting. This enables us to ensure strategy, training and new developments flow in both directions across our company.” JP Norman, Director of Technology, Security & Governance.

Disaster for Three Mobile as huge data hack is disclosed


News has emerged today that one of Britain’s biggest mobile phone companies has suffered a huge breach of its systems, exposing an estimated six million customer account records to compromise. This represents two thirds of the company’s customer base.

The attackers are believed to have used a legitimate, authorised employee login to gain access to the customer upgrade database.

A spokesman for Three said, “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.  We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity”.

Three added that the data accessed included names, phone numbers, addresses and dates of birth, but not financial information. Customers whose data has been affected have not yet been informed. The speed of the response is shown by the National Crime Agency’s revelation that it is investigating the breach and that three people have already been arrested: two for computer misuse offences and one for perverting the course of justice.

With the Chancellor, Philip Hammond, having called at the beginning of November for companies to do more to protect their customers against cyber crime after the series of high-profile breaches of recent years, and with the GDPR on the horizon, the commercial imperative for businesses to put stronger security measures in place is clear: the need for diligence in compliance is greater than ever.

As part of its ongoing efforts to keep its customers and regional businesses best informed, Amicus ITS has been running a series of cyber security roadshow events to help inform and educate businesses in the region. The next one is on Thursday 24th November 2016 at its headquarters in Totton.

UK will be implementing the EU General Data Protection Regulations in May 2018


Elizabeth Denham, the UK Information Commissioner, confirmed on 31st October 2016 that the UK would be implementing the EU General Data Protection Regulation (GDPR).

She reported that the Secretary of State, Karen Bradley MP, had announced the decision at the Culture, Media & Sport Committee meeting on 24th October 2016, confirming the following: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Elizabeth Denham confirmed, “I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years.  The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.
 
Citizens want the benefits of these digital services but they want privacy rights and strong protections too.  Having sound, well-formulated and properly enforced data protection safeguards help mitigate risks and inspire public trust and confidence in how their information is handled by business, third sector organisations, the state and public service.
 
The major shift with the implementation of the GDPR will be in giving people greater control over their data. This has to be a good thing. Today’s consumers understand that they need to share some of their personal data with organisations to get the best service. But they’re right to expect organisations to then keep that information safe, be transparent about its use and for organisations to demonstrate their accountability for their compliance”.

As Amicus ITS reported in our blog on 14th October 2016, the Information Commissioner’s Office is committed to helping UK businesses and public bodies prepare to meet the requirements of the GDPR ahead of May 2018 and beyond. Its 12-point plan for business is published, and all organisations are urged to review it against their current data protection measures.

Elizabeth Denham added:  “I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018.  We’ll be working with government to stay at the centre of these conversations about the long term future of UK data protection law and to provide our advice and counsel where appropriate”.

The ICO advise they will be publishing guidance on different areas over the next six months.  Amicus ITS will ensure that we share these with you as they arise so you can best prepare your organisation for the tighter regulations, responsibilities and accountability.

Defend, deter, develop – strategy to counter being in a widely connected world


The Chancellor, Philip Hammond, announced on 1st November 2016 the UK Government’s new £1.9 billion strategy to defend the nation against cyber attack over the next five years, and outlined a more offensive stance in going after those who seek to do the nation harm.

Describing the National Cyber Security Strategy in London, Hammond said: “If we do not have the ability to respond in cyberspace to an attack which takes down our power network – leaving us in darkness or hits our air traffic control system grounding our planes – we would be left with the impossible choice of turning the other cheek, ignoring the devastating consequences, or resorting to a military response. That is a choice we do not want to face and a choice we do not want to leave as a legacy to our successors.” He went on: “Trust in the internet and the infrastructure on which it relies is fundamental to our economic future.”

The Government announcement follows a recent speech by Andrew Parker, Director General of MI5, warning of increasingly aggressive behaviour in cyberspace by nation states such as Russia, which is suspected of trying to influence the US elections by creating distrust in the electoral process, on top of the usual espionage, subversion and cyber attacks. All in all, the volume and severity of attacks on a national scale continue to escalate. Unsurprisingly, the Kremlin has dismissed the allegation.

In addition, the recent hijacking of internet-connected domestic devices (cameras, routers and video recorders) into a botnet used for DDoS attacks aimed at taking specific websites offline, via the so-called Internet of Things (IoT), has started to create uncertainty in the public’s mind about what technology they can trust. The situation is not helped by a lack of awareness that default factory passwords must be changed as soon as a device is set up, since attackers simply try the published defaults. Nor is it helped when a manufacturer hard-codes a factory password that cannot be changed at all; such a device can only be protected by a firmware update, by isolating it from the internet, or by replacing it.

Web founder Tim Berners-Lee attending the Open Data Institute’s forum on the same day commented in a Radio 4 interview:  “The United Kingdom needs to have a strong but responsible and accountable police force, and [cyber-intelligence agency] GCHQ needs to have the tools to be able to defend us and defend the open internet.”

What the £1.9 billion is expected to translate into is specialist police units to tackle organised online gangs, some money for education, and the training of 50 cyber security specialists at the National Cyber Security Centre.

Historically it was the Americans who sought to confront Russia; the UK’s desire for a visibly active stance should be welcomed by UK business, although much will depend on whether there are enough ‘boots on the ground’, or rather ‘hands on keyboards’, to counter the high volume of lower-end cyber attacks, which has been identified as a real need.


Wake up call on cost estimate to UK business from EU GDPR


The EU General Data Protection Regulation (GDPR) entered into force in May 2016 and applies in full from 25th May 2018. Many businesses have not yet started to review their data protection arrangements.

Recent analysis published by the Payment Card Industry Security Standards Council (PCI SSC), using survey figures from the Office for National Statistics, suggested that there were 2.46 million ‘cyber incidents’ in 2015. If the Information Commissioner’s Office (ICO) were notified of every breach and imposed the maximum penalty, this would result in large organisations facing fines totalling £533m and SMEs having to pay £908m under the existing data protection laws.

Under the new GDPR law this would result in a truly massive hike in financial penalties for the same offences – triggering fines of £70bn for major organisations and £52bn on SMEs.

These estimates assume the maximum fine being levied from day one under the new rules (for the GDPR, up to €20m or 4% of global annual turnover, whichever is higher), and each national supervisory authority is likely to be more lenient in the early stages of implementation. Added to this, following Brexit, the UK’s data protection legal landscape and penalties have yet to be defined. Businesses operating internationally nonetheless have to work within the GDPR framework, and many are now starting to appoint data protection officers.

The message is clear – businesses cannot afford to dally.  Whatever the size, all organisations need to start their preparations now.  Companies should conduct reviews to understand and map their data and put in place robust standards and procedures around the management of data to counter any cyber security threat.  Only by taking these steps can organisations seek to avoid the increasingly overwhelming size of fines that could legitimately be imposed.

United Airlines hit in further IT outage for airline industry


The world’s third largest airline, United Airlines, was dealt a serious blow today as a reported ‘systems issue’ delayed flights worldwide this morning.

At 8.15am London time, United said: “As of 3 am ET [Eastern Time], the system issue has been resolved. Any delayed flights are resuming”.

As we reported in our blog of 6 September, Delta, the world’s largest carrier, suffered a worldwide ‘systems failure’ the previous month, and in September BA passengers suffered long delays after what was described as ‘a problem with our check-in system’.

So what was to blame? Cyber security experts remain sceptical of the airlines’ public attribution to causes other than cyber attack, but with airlines heavily dependent on their computer systems for almost every aspect of their operations, a number of possibilities remain. Yes, an attack by a malicious actor is one, but it could equally have been a failed patch, a lack of immediate failover to a backup system, or a third party somewhere in the chain. Yet Delta is huge, and an organisation of its size will have substantial IT systems and robust security measures in place to protect its infrastructure and passenger safety.

Ultimately we may have suspicions, but we will have to wait and see whether any further details come to light about these incidents. In the end it is unlikely that the airlines themselves will choose to disclose the root cause, for fear of giving anyone insight into potential weaknesses in their systems.