Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday December third. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.

I’ll be joined in a few minutes by Jim Love, IT World Canada’s CIO, to discuss a few security-related incidents from the past seven days. But first a look back at some of the news:

An American company that tests DNA has acknowledged the theft of personal information of over 2 million people earlier this year. The data came from old backups of an unused database. Jim and I will discuss this incident.

We’ll also look into an email campaign targeting employees of furniture maker Ikea. Staff are getting phishing messages from the email addresses of people they know.

A report from Google is a reminder that configuration and employee errors can still lead to data theft in cloud applications and services. Many successful attacks on cloud applications are due to poor cyber hygiene and not implementing basic security controls, Google said.

Consumer electronics giant Panasonic said some data on a file server had been accessed by a third party last month.

Medical clinic Planned Parenthood Los Angeles said the personal information of 400,000 patients was stolen in a ransomware attack in October. Hackers accessed names, dates of birth, addresses, insurance identification numbers, medical data, diagnoses, treatments provided and prescription information.

An American judge sentenced a Russian man to 60 months in prison for being the head of a company that sold what’s called “bulletproof” IT hosting services for cybercriminals. This followed the sentencing of two partners to 48 months and 24 months respectively in prison. A fourth man who pleaded guilty to a charge will be sentenced shortly. Bulletproof hosting companies are used by threat actors to distribute malware, steal data and create botnets.

Also this week the last of six people involved in an international smartphone SIM hijacking group was sent to prison by an American judge. Hijacking SIM cards allows hackers to take over and steal data on the phones, as well as use the phones to access victims’ bank and cryptocurrency accounts and corporate email accounts. Police estimate this gang, which called itself ‘The Community,’ stole tens of millions of dollars of cryptocurrency. Sometimes the gang bribed a wireless phone company employee in their attacks. Other times they called victims posing as a mobile provider employee.

Finally, owners and administrators of HP LaserJet and multifunction printers are urged to check for device security updates after security researchers discovered vulnerabilities affecting 150 devices.

(The following is an edited version of the discussion with Jim Love. To hear the full version, play the podcast.)

Howard: Let’s start with the big theft of data from a lab in Ohio called DNA Diagnostics Center. In August it learned there had been a data breach. On investigation, it found an archived database of personal information of more than 2 million people collected between 2004 and 2012 had been copied between May and July of this year. This database belonged to a national genetic testing organization the company bought in 2012. The database was never used by DDC. According to one news report, the copied data includes people’s names and their credit or debit card numbers, as well as their financial account number and platform account number with the other genetic testing company.

What struck you about this incident?

Jim: A few things: One is we keep talking about ‘know your data, know what data you have and know where it is.’ And that’s really important. By the way, I don’t want to seem to be preaching to these people. This is a really tough one: You buy a company, you absorb it and you’ve got all this data there, and so what’s in there? The fact that people have data that’s not used, that’s not abnormal. The stats tell you that something like 70 per cent of data is dark data, and dark data by nature is stuff that you’re not using for analytics. So maybe it’s not on anybody’s radar. But this is one of those things also where you have a focus problem. This is a medical company and they’re talking about DNA, so maybe those are the crown jewels. But you can’t ignore the other elements of data that you have, so you have to widen your vision and look for data if you bought a company. You’re responsible for it. But this could have happened: They’re focused on the medical data [not the data from the acquisition] and medical data is sexy and everybody wants to be talking about protecting that. And that’s great, but don’t forget the nuts and bolts.
So a few things: When you’re buying a company you have to do a credible inspection of the data. There’s also a lesson about good [cyber] hygiene. I’m of two minds on this: I hate deleting data because I’m an analytics guy and at heart I want all the data that’s there. But you keep data at a cost, so when there’s data that no longer has a use should you really keep it? Take it offline, and air gap it. Know your data, move stuff out that you don’t need. When you need it, move it back in.

Howard: I think that when companies buy other companies they’re probably more concerned about the financial ramifications and making sure that they can start recovering their investment, and they might forget about the other company’s data. They may have bought a company to take out a competitor. They don’t care about the other company’s data.

Jim: But you don’t just buy the company, you buy the company’s assets, and we all say data is an asset. So do due diligence. You have to know all the assets you’re buying. But the second piece is you’re buying their failings, too. It’s a good lesson for all of us. You’re not just buying the strengths of a company, you’re buying their weaknesses too, and you’d better be pretty sharp about that.

Howard: And asset management is knowing your hardware assets and your software assets. That’s one of the fundamentals of cyber hygiene.
Another thing that struck me here is that this data wasn’t encrypted — and I guess because they’d forgotten about it for 10 years it’s not a surprise that it wasn’t encrypted.

Jim: My theory is encrypt whatever you can.

Howard: I guess it could have been worse because it seems they didn’t have medical data in this database. It was largely credit card and debit card data. And it was at least 10 years old and going farther back. Don’t credit card companies these days issue new cards every four years, so wouldn’t a lot of this data be useless to a crook?

Jim: I’m not an expert in monetizing stolen data, but if they got passwords, how many people have changed their passwords [in 10 years]? I still think it’s a danger and people need to be warned.

Howard: The Ikea attack is interesting. Employees are getting phishing emails from employees at partner companies or suppliers. Some of these email messages are being inserted into a chain of messages between people, so that not only is the sender’s email address legitimate, the phishing message looks like it’s a continuation of an email conversation an employee is having with another firm. It isn’t clear whose email system has been hacked here. Ikea has only noted that the internal corporate alert being sent to its employees is about suspicious emails coming from outside the companies. Have you come across this before?

Jim: The event, yes. This is the horror movie for a CISO or CIO, and that’s somebody breaks into the trusted chain. We spend a lot of time trying to teach our employees to do the right thing and watch suspicious emails that come in. But when the trusted chain is broken they [the attackers] are now in the trust level. People don’t look at the third email they get in the string. So even all the training we do gets blown away. There are two issues in this: The supply chain piece has been there. But I think we all live in fear of people who find clever ways to get into the places we trust; there are fewer and fewer of them. But when they do that they get missed.

Howard: So how do you protect employees from this kind of attack?

Jim: There’s software out there that can help [people] evaluate their email. It can help spot anomalous software. Another thing is training. People have to read stuff and ask themselves, ‘Does this really sound right?’ I’ve seen some really good ones [phishing emails] lately, and have I been fooled? Probably. But I’ve caught a lot of them, too, because you look at them and say, ‘Would that person act like that?’ I’ll give you an example of the type of behaviour we want to see: I sent an email to a friend of mine and I asked him his opinion on something, and I sent him a link. I don’t normally send him links. I got a phone call from him asking, ‘Jim, was this you?’ And that’s the behaviour that we need to have in companies. People are our biggest line of defence.

Howard: One thing listeners can do is periodically look in their Outbox and check to see if the messages that are going out from your email are ones you wrote.

Jim: Except it doesn’t always happen in your Outbox. So if you send stuff from your phone you might not see it in your corporate outbox. But that’s good to do. The second thing is there are products that’ll keep you from pinging out to or sending emails out to other sites. Or even accessing the IP addresses of suspicious sites.

Howard: The last news item that we’ll look at is the ransomware attack and theft of the personal information of 400,000 people from Planned Parenthood Los Angeles. It’s a clinic that performs abortions and medical tests and advises people on contraception. A lot of sensitive personal information was captured. We don’t know a lot of detail about this hack, but it strikes me this is another example of the need for encrypting data.

Jim: It is. But I have to tell you my heart goes out to these not-for-profits — and here I’m going to do a little bit of a commercial for CISOs because I do the same thing for CIOs: Find and ‘adopt’ a not-for-profit. Help them because they don’t have big money to spend on cybersecurity. Be a volunteer for a little while and help your local not-for-profit because they have valuable information. This [the Planned Parenthood attack] is an example of the bad guys going, ‘We can attack these not-for-profits because they don’t have the resources …’ Maybe [the stolen data] is about depression or your child’s medical disability. They [non-profits] have to encrypt the data and we have to help them …
We’ve also got to get better at detecting exfiltration of data, particularly at small businesses … They should look at things like Canadian Shield [offered by the Canadian Internet Registration Authority (CIRA)]. There’s a free version.
