WannaCry ransomware attack goes global


News on Friday 12th May that NHS England had suffered a major ransomware cyber attack has since been extended to a much wider victim base. We now know that the attack has affected around 150 countries, with major hits on the UK and Russia, and it is estimated to have affected over 200,000 users to date. In the UK, 48 NHS trusts have reported problems at hospitals, GP surgeries and pharmacies, along with 13 NHS bodies in Scotland, and no doubt the early part of this week will bring more problems as staff come into work and switch their PCs back on.

The malware, which targeted Windows machines, was miraculously stopped in its tracks from spreading further by a young security expert (known as @MalwareTechBlog) who accidentally hit its kill switch: he registered the domain name that its creator had hard-coded into the malware.

SAFEGUARDS:

There are some urgent checks that all companies and organisations should be making in the next 24 hours:

  1. Ensure you are up to date on patching your environment. A lot of organisations were caught out because they were not, even though Microsoft released a patch for the vulnerability exploited by WannaCry in March 2017.
  2. Check that your antivirus is up to date (and preferably use a cloud-based service, e.g. Webroot).
  3. Ensure you back up all your essential data in line with your business's Recovery Time Objective (RTO) and Recovery Point Objective (RPO), so that you cannot be held to ransom or left fearing operational losses.
  4. Communicate with your staff to alert them to avoid clicking on any suspicious emails, and make sure that your operating system software is up to date (it was a rare move for Microsoft to release security updates for unsupported software such as XP as a direct result of this event).

Companies that want advice on data security can contact Amicus ITS in confidence on 02380 429429.


Taking ownership of cyber – it involves us all


New research by BAE Systems, surveying 984 IT managers and 221 executives from Fortune 500 companies across the world, has found that there is still a damaging gulf in the perception of who should take charge of managing the aftermath of a cyber-attack in an organisation.

• The survey suggested that 50% of IT staff believed boardroom executives should take the lead when it comes to deciding how a company should respond and repair after it has been penetrated by hackers.
• In contrast, more than 30% of Chief Executives said that IT staff should be the ones cleaning up, fixing problems and hardening defences.

This, according to Dr Adrian Nish, head of the cyber-threat intelligence unit at BAE Systems, could lead to organisations not being prepared for oncoming attacks.

Cost of attack
There was also a mismatch when it came to the perceived cost of a breach: technology bosses believed that, on average, a breach could cost a company about $19m (£15m), an estimate that included fines, legal fees, remediation expenses and compensation for customers. By contrast, boardroom members put an average price tag of $11.6m (£9.2m) on breaches.

Prevention much better than cure
Ultimately, whatever the price of a cyber-attack, unless organisations have taken the necessary preventative steps, they remain highly vulnerable to not only the cost of breach, but the enormous impact of reputational damage and loss of trust.

Oliver Parry, head of corporate governance at the Institute of Directors, commented: “As with other principle risks to a business, responsibility of outlining this strategy should fall with the board. Lasting cybersecurity only comes from embedding good practice throughout the culture of an organisation, starting from the top. No system or person alone can prevent indefinitely the threat of a cyber-attack.”

This ties in with one of the main recurring themes for Amicus ITS’ Director of Technology, Security & Governance, JP Norman, who has stated many times over recent years that good education and awareness among staff (the “squidgy bits”) around data security remains central to any good defence against a successful attack. Commenting recently, he said:

“At Amicus ITS we carry out a 3 stage review on a monthly basis with data being collated via our support functions, reviewed at a formal Information Security Committee meeting and further reviewed at every Board Meeting. This enables us to ensure strategy, training and new developments flow in both directions across our company.” JP Norman, Director of Technology, Security & Governance.

Disaster for Three Mobile as huge data hack is disclosed


News has emerged today that one of Britain’s biggest mobile phone companies has suffered a huge breach of its systems, exposing an estimated six million user account details to compromise. This represents two thirds of the company’s customer base.

The breach is believed to have been carried out using an authorised employee login, which gave the hackers access to the customer upgrade database.

A spokesman for Three said, “Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.  We’ve been working closely with the Police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity”.

Three added that the data accessed included names, phone numbers, addresses and dates of birth, but did not include financial information. Customers whose data has been affected have not yet been informed. The speed of the response, however, is shown by the National Crime Agency’s revelation that it is investigating the breach and that three people have already been arrested, two for computer misuse and one for perverting the course of justice.

The Chancellor, Philip Hammond, used a speech at the beginning of November to call on companies to do more to protect their customers against cyber crime after the series of high-profile breaches of the last few years. With GDPR on the horizon, the commercial imperative for businesses to put stronger security measures in place means that the need for diligence in compliance is greater than ever.

As part of its ongoing efforts to keep its customers and regional businesses best informed, Amicus ITS has been conducting a series of cyber security roadshow events to help inform and educate businesses in the region. The next one is on Thursday 24th November 2016 at its headquarters in Totton.

UK will be implementing the EU General Data Protection Regulations in May 2018


Elizabeth Denham, the UK Information Commissioner, confirmed on 31st October 2016 that the UK would be implementing the EU General Data Protection Regulations.

She reported that the Secretary of State, Karen Bradley MP, had announced the decision at the Culture, Media & Sport Committee meeting on 24th October 2016, confirming the following: “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public.”

Elizabeth Denham confirmed: “I see this as good news for the UK. One of the key drivers for data protection change is the importance and continuing evolution of the digital economy in the UK and around the world. That is why both the ICO and UK government have pushed for reform of the EU law for several years. The digital economy is primarily built upon the collection and exchange of data, including large amounts of personal data – much of it sensitive. Growth in the digital economy requires public confidence in the protection of this information.

Citizens want the benefits of these digital services but they want privacy rights and strong protections too. Having sound, well-formulated and properly enforced data protection safeguards helps mitigate risks and inspire public trust and confidence in how their information is handled by business, third sector organisations, the state and public service.

The major shift with the implementation of the GDPR will be in giving people greater control over their data. This has to be a good thing. Today’s consumers understand that they need to share some of their personal data with organisations to get the best service. But they’re right to expect organisations to then keep that information safe, be transparent about its use and for organisations to demonstrate their accountability for their compliance.”

As Amicus ITS reported in our blog on 14th October 2016, the Information Commissioner’s Office is committed to helping UK businesses and public bodies prepare to meet the requirements of GDPR ahead of May 2018 and beyond. Its 12-point plan for business is published, and all organisations are urged to review it against their current data protection measures.

Elizabeth Denham added: “I acknowledge that there may still be questions about how the GDPR would work on the UK leaving the EU but this should not distract from the important task of compliance with GDPR by 2018. We’ll be working with government to stay at the centre of these conversations about the long term future of UK data protection law and to provide our advice and counsel where appropriate.”

The ICO advises that it will be publishing guidance on different areas over the next six months. Amicus ITS will share these with you as they arise so you can best prepare your organisation for the tighter regulations, responsibilities and accountability.

Defend, deter, develop – strategy to counter being in a widely connected world


The Chancellor, Philip Hammond, announced on 1st November 2016 the UK Government’s plans for a new £1.9 billion strategy to defend the nation against cyber attack over the next five years, as well as outlining a more offensive stance in going after those who would seek to do the nation harm.

“If we do not have the ability to respond in cyberspace to an attack which takes down our power network – leaving us in darkness or hits our air traffic control system grounding our planes – we would be left with the impossible choice of turning the other cheek, ignoring the devastating consequences, or resorting to a military response,” Philip Hammond said as he described the National Cyber Security Strategy in London. “That is a choice we do not want to face and a choice we do not want to leave as a legacy to our successors.” He went on to say, “Trust in the internet and the infrastructure on which it relies is fundamental to our economic future.”

The Government announcement follows the recent speech from the National Cyber Security Centre’s Director General, Andrew Parker, and warnings from the head of MI5 about increasingly aggressive behaviour in cyberspace from nation state threats such as Russia. Russia is suspected of trying to influence the US elections by creating distrust in the electoral process, on top of the usual espionage, subversion and cyber attacks. All in all, the stakes continue to escalate in both volume and severity at a national scale. Unsurprisingly, the Kremlin has dismissed the allegation.

In addition, the recent targeting of Wi-Fi-enabled domestic appliances to mount a DDoS attack via the Internet of Things (IoT) and disable specific websites has started to create uncertainty in the minds of the public as to what technology they can trust. The situation is not helped by a lack of education around the need to change default factory passwords as soon as a device is received, since those defaults can easily be abused. Neither is the situation helped when manufacturers ship a factory-set password that cannot be changed at all.

Web founder Tim Berners-Lee, attending the Open Data Institute’s forum on the same day, commented in a Radio 4 interview: “The United Kingdom needs to have a strong but responsible and accountable police force, and [cyber-intelligence agency] GCHQ needs to have the tools to be able to defend us and defend the open internet.”

The £1.9 billion is expected to fund specialist police units to tackle organised online gangs, some money towards education, and the training of 50 cyber security specialists at the National Cyber Security Centre.

Where historically it was the Americans who sought to confront Russia, the UK’s desire to take a visibly active stance should be welcomed by UK business, although much will depend on whether we get enough ‘boots on the ground’ or ‘hands on the keyboards’ to counter the high volume of lower-end cyber attacks, which has been identified as a real need.


Wake up call on cost estimate to UK business from EU GDPR


The EU General Data Protection Regulations (GDPR), which are already in force, formally apply from 25th May 2018. Many businesses have not yet started to review their data protection measures.

Recent analysis published by the Payment Card Industry Security Standards Council (PCI SSC), using survey figures from the Office for National Statistics, suggested that there were 2.46 million ‘cyber incidents’ in 2015. If the Information Commissioner’s Office (ICO) were notified of every breach and imposed the maximum penalty, this would result in large organisations facing fines totalling £533m and SMEs having to pay £908m under the existing data protection laws.

Under the new GDPR law this would result in a truly massive hike in financial penalties for the same offences – triggering fines of £70bn for major organisations and £52bn on SMEs.

These estimates assume that the maximum fine is levied for every breach from day one under the new rules; in practice, each national information commissioner is likely to be more lenient in the early stages of EU GDPR implementation. Added to this, following Brexit, the UK data protection legal landscape and its penalties have yet to be defined. However, businesses operating internationally nonetheless have to work within the GDPR framework, and many are now starting to appoint data protection officers.

The message is clear: businesses cannot afford to dally. Whatever their size, all organisations need to start their preparations now. Companies should conduct reviews to understand and map their data, and put in place robust standards and procedures around the management of that data to counter any cyber security threat. Only by taking these steps can organisations hope to avoid the increasingly overwhelming fines that could legitimately be imposed.

United Airlines hit in further power outage for airline industry


The world’s third largest airline, United Airlines, has been dealt a serious blow today as a reported ‘systems issue’ delayed flights worldwide this morning.

At 8.15am London time, United said: “As of 3 am ET [Eastern Time], the system issue has been resolved. Any delayed flights are resuming”.

As we reported in our blog of 6 September, the previous month Delta, the world’s largest carrier, experienced a worldwide ‘systems failure’, and in September BA passengers suffered long delays after what was described as ‘a problem with our check-in system’.

So what was to blame? Cyber security experts remain sceptical about the airlines’ public attribution of these incidents to causes other than cyber attack; however, with airlines heavily dependent on their computer systems for almost every aspect of their operations, a number of possibilities remain. Yes, a cyber attack by a malicious actor could be one, but it could equally have been a patching issue, a lack of immediate failover to a backup system, or a third party in the supply chain. Yet Delta is huge, and an organisation of its size is going to have pretty substantial IT systems and robust security measures in place to protect its infrastructure and passenger safety.

Ultimately, we may have suspicions but will have to wait and see if any further details come to light about these incidents. In the end it is unlikely that the airlines themselves will choose to disclose the root cause for fear of giving anyone any insight into any potential system vulnerabilities.

ICO fine on TalkTalk revealed


The ICO has revealed this week that it has fined communications company TalkTalk £400,000 (out of a maximum £500,000) for its poor web security following the theft of nearly 157,000 customer account details in October 2015. As we reported in our blog of 13th May 2016, the company’s profits were also hit hard as a direct result of the attack, and the firm lost 101,000 subscribers in the first quarter after the attack.

The report by the ICO was scathing, with Information Commissioner Elizabeth Denham commenting: “Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations. TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”

In nearly 16,000 cases, the attacker was able to steal bank account details. Additionally, legacy software dating back to when TalkTalk took over rival Tiscali was found to be out of date, leaving vulnerable web pages open to attack using SQL injection. TalkTalk had been unaware of the problem, which could have been readily fixed had its security measures been kept up to date.

The ICO explained that TalkTalk had been very lax in enforcing proper security on its own website. Ms Denham added: “In spite of its expertise and resources, when it came to the basic principles of cyber-security, TalkTalk was found wanting. Today’s record fine acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue.” These comments completely echo the advice Amicus ITS has consistently given to its customers and shared with the wider business community at its regional thought leadership cyber security roadshows.

The next Amicus ITS cyber security event will be held on 24th November 2016. Further details will be posted on the main Amicus ITS events page.

Bad Vibrations at ING Bank Lead to Damaging Outage

Dutch multinational banking and financial services organisation ING reported recently that a fire extinguisher test in one of its Romanian branches had set off an unprecedented and disastrous chain of events, resulting in cash machines, online banking and its website going down for over ten hours on Saturday 10th September 2016.

The bank, which has over 48 million individual and institutional clients in over 40 countries, could not explain the situation to its customers as the outage had affected the bank’s main communication systems as well.

Ironically, it was not the fire extinguisher’s gases that caused the problem; rather, it was the loud sound emitted as the inert gases were released, at over 130 decibels, which destroyed dozens of hard drives, according to tech magazine Motherboard.

A Siemens report in 2015 warned of the risk of fatal damage to hard drives through sound wave vibrations, and concluded:

• above 110dB, most hard disks would deliver degraded performance
• above 130dB, most disks would stop delivering data
• above 140dB, most disks would suffer permanent damage, and there could also be other unpredictable faults

Whilst it may have been unprecedented for ING, it is not unknown. In 2013, French media reported that accountancy software used by the French Government became temporarily ‘unavailable’ after a fire protection system was accidentally triggered at a data centre, issuing a loud noise and causing an outage there. Closer to home, in Glasgow in December 2015, a fire suppression system triggered by an air conditioning unit was blamed for bringing Glasgow City Council to its knees for several days, affecting council tax and benefits systems and disabling MS Outlook email services and the Cisco telephone switchboard system.

For any organisation, therefore, there are some easy precautions to check and apply:
1. Review the physical security of your server systems and their environment.
2. Protect the full integrity of your data by scrutinising all your equipment.
3. Ensure you have failover availability, with full backup and replication systems in place to keep your business up and running.

‘Defence and protect’ marketing gets displayed in new smartphone technologies


With the news of the Yahoo cyber attack on 23rd September 2016, it is worth taking a look back at new technology developments and launches in 2016, which put privacy and security at the forefront of their marketing spiel.

Solarin smartphone at a sky high price

In May 2016 Sirin Labs launched a new military-grade encrypted smartphone, the ‘Solarin’ (retailing at an eye-watering £11,400 per device). It offers encrypted calls using 256-bit AES. However, the screen is 2K, not 4K; it runs on Android Lollipop, not Marshmallow; and its Qualcomm processor is 2015’s model.

Whilst clearly targeting wealthy professionals for whom privacy and security are a driver to purchase, this ‘hostage’ price will be way beyond the pocket of most. However, businesses and consumers shouldn’t be alarmed, as putting up-to-date antivirus and anti-malware software on smartphone devices goes a long way to protecting the user, at less than a tenth of the price of such top-end devices.

You won’t find me – Snowden’s iPhone introspection machine

Meanwhile, a smartphone sleeve (currently only for the iPhone 6) that tells its owner when their phone is being hacked is being designed by US whistleblower Edward Snowden in conjunction with hardware hacker Andrew ‘Bunnie’ Huang, and was revealed at a closed MIT Media Lab launch in July. The iPhone was selected as it is generally regarded as being hard to hack.

Whilst Snowden’s motivation to thwart digital surveillance may be political, seeking to protect activists from location detection by law enforcement agencies, the dual edge of their pitch highlights the trend for cyber criminals to install malware on smartphone devices while the user is on the move, all unbeknownst to the user. The case aims to track whether or not the phone’s radios are transmitting, as trusting that the phone is in airplane mode, or putting it in a ‘Faraday bag’ to block radio signals, has proven insufficient. With the prevalence of clever malware that can make a smartphone appear to be off, it is daunting for users to know how well protected they and their data are from harm. Again, it comes down to a mixture of best-practice vigilance, cyber security software and good information security management.