18 November 2018

News round-up 18 November 2018

Helping your business stay abreast of, and make sense of, the critical stories in digital risk, cyber security and privacy.

The round-up:

0days, patch management and global approaches to cyber threats lead the news this week. APRA is taking a more aggressive approach to cyber risk, with increased funding and a new mandate. And there is a new turn in the data breach story of the moment, Cathay Pacific, with EU regulators now more likely to become involved.

Key articles: 

Microsoft closes an actively exploited 0day vulnerability in Windows 

Summary: Network administrators and Windows users have been urged to apply the November 2018 round of security patches urgently. Among the vulnerabilities closed is one that is currently under active exploitation (CVE-2018-8589, an elevation-of-privilege flaw in the Win32k kernel component).

Key risk takeaway: The rate at which security researchers find new vulnerabilities in commonly used software continues to increase. It is increasingly clear that organisations need a formal and effective patch management capability. Whilst this is not the most exciting part of cyber security, patch management is arguably the most important: most successful intrusions exploit flaws for which a fix was already available.

Things to ask of your organisation: 

  • Is there an established vulnerability management process in place? 
  • Is it effective? What metric do we use to determine effectiveness (for example, time from disclosure to remediation against an agreed SLA per severity)? 
  • What is the relationship between our incident response team and technology operations? Can we move quickly when we need to, such as pushing an out-of-band patch for an actively exploited flaw? 
  • Do we periodically test this relationship through threat simulations? 
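As an added illustration of the second question (this is example code written for this round-up, not from the article, Microsoft or any vendor), the script below computes patch-SLA compliance, median and worst-case time to remediate, and a list of overdue open findings from a vulnerability inventory. The inventory, host names, advisory identifiers and the SLA thresholds are all constructed for the example; the one modelling choice worth copying is that an actively exploited flaw is put on the shortest clock regardless of the vendor's severity rating.

```python
"""Patch-SLA compliance metrics over a constructed vulnerability inventory.

Added example for this news round-up; not code from the original page or from
Microsoft/APRA. All hosts, advisory names, dates and SLA values are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import median
from typing import List, Optional

# Assumed remediation SLAs by severity, in days from public disclosure.
# Illustrative values, not a standard; take them from your own policy.
SLA_DAYS = {"critical": 7, "high": 14, "medium": 30, "low": 90}


@dataclass(frozen=True)
class Finding:
    host: str
    advisory: str
    severity: str
    disclosed: date
    exploited_in_wild: bool
    remediated: Optional[date]  # None = still open


def deadline(f: Finding) -> date:
    # Actively exploited flaws get the 'critical' clock regardless of vendor rating.
    sev = "critical" if f.exploited_in_wild else f.severity
    return f.disclosed + timedelta(days=SLA_DAYS[sev])


def within_sla(f: Finding, as_of: date) -> bool:
    # A remediated finding is compliant if it was fixed by its deadline;
    # an open finding is compliant only while its deadline has not passed.
    end = f.remediated if f.remediated is not None else as_of
    return end <= deadline(f)


def patch_metrics(findings: List[Finding], as_of: date) -> dict:
    closed = [f for f in findings if f.remediated is not None]
    open_ = [f for f in findings if f.remediated is None]
    compliant = sum(1 for f in findings if within_sla(f, as_of))
    ttr = [(f.remediated - f.disclosed).days for f in closed]
    # Open findings past their deadline, worst first is the usual report order;
    # here sorted ascending by days overdue so the tuple order is deterministic.
    overdue_open = sorted(
        ((as_of - deadline(f)).days, f.host, f.advisory)
        for f in open_ if as_of > deadline(f)
    )
    return {
        "total": len(findings),
        "open": len(open_),
        "sla_compliance_pct": round(100.0 * compliant / len(findings), 1) if findings else 100.0,
        "median_days_to_remediate": median(ttr) if ttr else None,
        "max_days_to_remediate": max(ttr) if ttr else None,
        "overdue_open": overdue_open,
    }


# Constructed sample inventory (hosts, advisories and dates are invented).
PATCH_TUESDAY = date(2018, 11, 13)
SAMPLE_FINDINGS = [
    Finding("dc01", "ADV-A", "critical", PATCH_TUESDAY, True, date(2018, 11, 15)),
    Finding("file01", "ADV-A", "critical", PATCH_TUESDAY, True, date(2018, 11, 22)),  # 9 days: misses the 7-day SLA
    Finding("ws-042", "ADV-A", "critical", PATCH_TUESDAY, True, None),  # still open, overdue
    Finding("web01", "ADV-B", "high", date(2018, 10, 9), False, date(2018, 10, 20)),
    Finding("web02", "ADV-B", "high", date(2018, 10, 9), False, None),  # open, overdue
    Finding("print01", "ADV-C", "low", date(2018, 9, 11), False, None),  # open, still within 90 days
]
REPORT_DATE = date(2018, 11, 30)

if __name__ == "__main__":
    for key, value in patch_metrics(SAMPLE_FINDINGS, REPORT_DATE).items():
        print(f"{key}: {value}")
```

Run as-is to see the report for the constructed data; in practice the inventory would come from your vulnerability scanner or CMDB export. Reporting the overdue list alongside the headline percentage matters: a 50% compliance figure hides which hosts are exposed, and the open, actively exploited finding is the one the board should hear about.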

Tags: #0day #vulnerabilitymanagement #threatsimulations 

Pentagon starts outing 0days 

Summary: The United States Cyber National Mission Force (CNMF) has, as of this month, started to upload malware samples it finds that are not already detected by anti-virus products to the public VirusTotal scanning service, in a new effort to share security information. 

Key risk takeaway: Advanced threat actors sometimes hold software vulnerabilities, and the malware that exploits them, that no one else has seen. These are used to attack high-value assets and then withdraw without detection. Occasionally the malware is caught, and that allows defenders to build detections for future attacks. 

This is where it gets interesting. If a country detects another country's malware, should it publish that malware, and so tell the threat actor they have been spotted, or keep quiet and continue to monitor in order to gather intelligence? The US is choosing the first option. What CNMF uploads is the malware sample itself, not the underlying vulnerability: once a sample is on VirusTotal, anti-virus vendors can add signatures for it and the security operations team at your organisation can sweep for its hashes and other indicators. The vulnerability the sample exploits, where there is one, still has to be identified and patched separately (see above), so this sharing complements patch management rather than replacing it. 
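To make the "sweep for its hashes" step concrete, the script below is an added example written for this round-up (not CNMF, VirusTotal or the article's code). It parses an indicator list in the shape VirusTotal entries are usually copied into (one MD5, SHA-1 or SHA-256 per line with an optional label), works out which digest algorithms it actually needs, and reports every file whose digest matches. The indicator list and the "files" are constructed in memory so the example runs offline; `sweep_directory` shows the same check over a real directory tree.

```python
"""Sweep files against a list of malware hashes (as copied from VirusTotal).

Added example for this news round-up; not CNMF or VirusTotal code. The IOC list
and the sample 'files' below are constructed in memory so the example runs offline.
"""
import hashlib
import os
import re
from typing import Dict, Iterable, List, Tuple

HEX = re.compile(r"^[0-9a-f]+$")
# Hash algorithm inferred from the digest length in hex characters.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_ioc_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'hash[,label]' lines into {lowercase hash: (algorithm, label)}.

    Blank lines and '#' comments are skipped; anything that is not a valid
    MD5/SHA-1/SHA-256 hex digest raises, so a typo in the list is caught early.
    """
    iocs: Dict[str, Tuple[str, str]] = {}
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        h, _, label = (part.strip() for part in line.partition(","))
        h = h.lower()
        algo = ALGO_BY_LEN.get(len(h))
        if algo is None or not HEX.match(h):
            raise ValueError(f"line {n}: not an MD5/SHA-1/SHA-256 hex digest: {h!r}")
        iocs[h] = (algo, label or "unlabelled")
    return iocs


def digests(data: bytes, algos: Iterable[str]) -> Dict[str, str]:
    # Only compute the algorithms the IOC list actually uses.
    return {a: hashlib.new(a, data).hexdigest() for a in set(algos)}


def sweep(samples: Dict[str, bytes], iocs: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (path, label, matching_hash) for every sample whose digest is an IOC."""
    needed = {algo for algo, _ in iocs.values()}
    hits = []
    for path, data in sorted(samples.items()):
        for algo, d in digests(data, needed).items():
            if d in iocs and iocs[d][0] == algo:
                hits.append((path, iocs[d][1], d))
    return hits


def sweep_directory(root: str, iocs: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Same check over real files under `root` (files read whole; fine for small trees)."""
    samples = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            with open(p, "rb") as fh:
                samples[p] = fh.read()
    return sweep(samples, iocs)


# --- constructed data (not real malware, not real CNMF indicators) ----------
BENIGN = b"just a config file\n"
IMPLANT = b"MZ\x90\x00constructed fake implant bytes"
SAMPLE_FILES = {"/tmp/app/settings.ini": BENIGN, "/tmp/app/svc.exe": IMPLANT}

IOC_TEXT = f"""
# hash, label   (constructed; the SHA-256 is of IMPLANT above, the MD5 matches nothing)
{hashlib.sha256(IMPLANT).hexdigest()}, CNMF-sample-constructed
{hashlib.md5(b'some other sample').hexdigest()}, unrelated-md5
"""

if __name__ == "__main__":
    for hit in sweep(SAMPLE_FILES, parse_ioc_list(IOC_TEXT)):
        print("HIT", *hit)
```

A hash sweep only finds the exact bytes that were uploaded; a recompiled or repacked variant will not match, which is why the sharing is most useful as a starting point for behavioural detections and for the anti-virus signatures vendors derive from the sample.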

Tags: #0day #vulnerabilitymanagement  

APRA gets funding to monitor cyber risk 

Summary: Australia's banking regulator will receive an extra $58.7 million and have its chairman's tenure extended, amid a period of sustained criticism of the organisation. 

Key risk takeaway: APRA's new information security standard, CPS 234, comes into effect on 1 July 2019. As with most new regulations, how closely it would be monitored and enforced at launch was unclear. This article signals a clear enforcement intent from the Government, in the form of $58.7 million of new funding. 

Whilst many of you may not be in scope for CPS 234, the principles it sets out are well thought out and are likely to influence the approach of other regulators: identify the information assets that matter to you and classify them by criticality and sensitivity, test and monitor your ability to defend those assets, and seek assurance from the third parties who help you protect them, since the obligation does not end where outsourcing begins. 

Tags: #APRA #CPS234 #informationsecurity 

With Cathay Pacific bosses set for grilling on massive data breach, is carrier heading for hefty EU fine? 

Summary: Cathay Pacific has been forced to admit to Hong Kong lawmakers that the cyber attack on its systems, first detected in March this year and resulting in the loss of over 9 million customer records, continued for longer than previously admitted. If the attack continued beyond 25 May 2018, the date from which the EU General Data Protection Regulation (GDPR) applies, Cathay could face a fine of up to $680 million AUD for failing to notify regulators and affected individuals of the breach. 

Key risk takeaway: Cathay's months-long delay in notifying affected individuals and regulators has potentially exposed it to significant regulatory risk, and its failure to be proactive and take control of the narrative continues to damage its brand. Mandatory data breach notification requirements are being adopted in an increasing number of jurisdictions (under the GDPR, the supervisory authority must be notified within 72 hours of the organisation becoming aware of a breach, where feasible). It is critical for organisations to understand their obligations if a data breach occurs, and to be able to meet them, including the notification deadlines. Regulators expect organisations not only to have documented response plans and be prepared to manage a data breach, but to prioritise the wellbeing of their customers and end users. Attempts to cover up or obfuscate will be met with harsher regulatory responses and a loss of public trust. 

Tags: #cathaypacific #databreach #GDPR