23 August 2019

News round-up 23 August 2019

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up:

Cyber attackers are a heterogeneous group. In this month’s roundup, we learn state-sponsored actors may be acting on motivations not normally associated with them. Cyber security also marches up the organisational hierarchy as a conversation topic, with a couple of stories reveal how executive decisions have implications for security risks. And a series of data recent breaches again draws attention to key privacy issues.

Key articles: 

Meet APT41, The Chinese hackers moonlighting for  personal gain

Summary: State-sponsored Chinese hackers are using their skills not only for espionage, but also for financially-motivated attacks targeting the gaming industry – and with personal profit in mind.

Key risk takeaway: Studying the range of motivations of attacker groups can provide an organisation with insight into the reasons it may be targeted. While state-sponsored attackers typically engage in cyber-attacks for espionage and other geo-political reasons, this story reveals financial motivations are also a factor, meaning any business could potentially be targeted. This theme is amplified by another report this month that reveals North Korea stole US $2b via cyber-attacks on financial institutions and cryptocurrency exchanges in order to fund its military programs. At the same time, recent research reveals that cybercrime groups (more commonly driven by the profit motive) are also getting more sophisticated. Exercises such as threat modelling can help an organisation identify its most critical assets and the threat actors targeting those assets, and frameworks like MITRE’s ATT&CK can shed light on attackers’ tactics.

Tags: #threatmodelling

HealthEngine App faces multi-million dollar fine due to data breach

 Summary: Australia’s largest medical appointment booking app HealthEngine is facing fines for selling patients data, while sensitive medical information of thousands of Australians has been exposed in a data breach of a company that paid them to participate in a clinical trial.

Key risk takeaway: These stories reflect both inadequate privacy (how data may be handled) and security (how data is protected) protections in some parts of the health sector – a regrettable situation given that all personal information captured in providing a health service to an individual is considered sensitive information. Focus on the health sector by regulators may intensify in the wake of incidents such as these, and in light of the health sector being the leading source of data breaches in the first 12 months of the Notifiable Data Breaches Scheme (NDBS). Authorities are notably playing closer attention to how individual industry sectors are managing the risks associated with holding sensitive information. The Australian Prudential Regulation Authority’s new CPS 234 standard has increased cyber security requirements on financial institutions, while in the US the education sector has come into the frame in recent weeks as lawmakers – recognising the ever larger amounts of personal information being collected in the sector – sought strong assurances around data privacy.

Tags: #privacy #security

Customers could face long term privacy issues after Air New Zealand data breach

Key risk takeaway: The data breach affecting customers of Air New Zealand’s loyalty program provides yet another reminder about one of the most successful cyber “threat vectors” – phishing. Various reports and analyses reflect that more than 90% of data breaches start with phishing – in which users receive emails that attempt to trick them into giving out sensitive information (such as their login details) or to download a malicious file. Educating users to detect and report phishing emails, as part of broader security and privacy training, remains one of the key ways to mitigate this threat. Air New Zealand faced criticism for the time taken to inform customers of the breach, having first notified its privacy commissioner. This reflects growing public expectations of breached companies to take steps to minimise potential harm. In related data breach news, the NSW Government is considering making data breach reporting mandatory for state agencies and councils, while the Office of the Victorian Information Commissioner (OVIC) published a report criticising Victoria’s public transport authority for releasing a dataset that exposed commuters’ travel histories. The latter case highlights the need to manage re-identification risk in datasets, especially those with linked transactional data.

Tags: #securityawareness #privacy #databreach

Departmental shake-ups a cyber risk declares ACSC

Summary: Attackers may target government agencies and departments undergoing structural changes because the disruption opens up potential holes and weaknesses, says the Australian Cyber Security Centre (ACSC).

Key risk takeaway: This story illuminates the extent to which security is now intertwined with business strategies and operations, and the need for security and privacy considerations to form a core part of any high-level business decisions (including acquisitions). In this case, the ACSC warns that mergers and acquisitions could negatively influence an organisation’s security “posture”, including through leading to inaccurate assumptions about the completeness of security controls and the introduction of new processes and relationships that can be exploited through social engineering. Reinforcing the link between security outcomes and business strategy, the head of Australia’s Foreign Investment Review Board has also urged that protecting personal data should be a consideration in proposed foreign takeovers of local companies. Last month’s major breach of US financial services company Capital One was also partially attributed to the aggressiveness of its digital strategy.

Tags: #businessstrategy #executiveawareness #securityassessments

Apple offers record ‘bounty’ to researchers who find iPhone security flaws

Summary: Apple is offering security researchers up to $1m to detect security flaws in iPhones.

Key risk takeaway: Bug bounties – in which companies offer rewards to security researchers that find and report security flaws in their products – are increasingly seen as a sign of a mature approach to security. In theory, these programs allow companies to strengthen their products by better understanding its flaws, but they also incentivise hackers to first report bugs to the company rather than sell them on the black market – where there is a lucrative trade in security vulnerabilities. Government bodies such as the European Union and Singapore Government have also announced bug bounties this year.

Tags: #bugbounty #securityposture

Cloud computing’s no PICNIC

Summary: A new report finds that concerns over the security of cloud services relate more to how customers use and configure the services, versus issues that fall into the responsibility of the providers of cloud services.

Key risk takeaway: In these news roundups we regularly present (and here’s another for good measure) reports of exposure or unauthorised access to companies’ data that is held in the cloud. While this may give the impression that these cloud services are inherently insecure, this report outlines that management and user decisions can play a more prominent role. Common causes of cloud-related data exposures include poor configuration (eg. setting folders or “buckets” to be publicly accessible when they shouldn’t be) and inadequate account security (eg. sharing passwords on public respositories, or failing to enable multi-factor authentication).

Tags: #cloudsecurity


Click here to see past editions of the elevenM News Roundup