Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.
From parliament to hospitals and car manufacturers, Australia had a torrid time with cyber-attacks this past week. We dig into these stories and also get a glimpse of what would happen if operational security teams disappeared, thanks to emerging post-mortems from the recent US government shutdown. Oh, and Facebook’s in the frame again for privacy issues.
Summary: A specialist cardiology unit in Melbourne fell victim to an apparent ransomware attack, leaving it unable to access patient files for more than three weeks.
Key risk takeaway: A prominent security report this week showed a fall in the number of ransomware infections – but the experience of this Melbourne healthcare facility and other Australian organisations shows ransomware is a persistent threat with crippling operational impacts for small to medium businesses. The best protections are performing regular backups, installing reputable antivirus and educating users to detect malicious emails. Authorities and security companies are also developing decryption tools for particular strains of ransomware. This could be a preferable path to recovery for many companies, particularly given the ethical quandary around paying ransoms to release encrypted files. In the case of the Melbourne facility, attackers reportedly did not even decrypt all files despite receiving a ransom payment.
Tags: #ransomware #backups #securityawareness
Summary: The Government said a state actor was responsible for the attack targeting Australia’s parliament and major political parties. Speculation has centred on China, though China denies responsibility.
Key risk takeaway: Lessons for businesses to derive from a state-sponsored attack can be vague at best, beyond being a reminder of the capability of determined and well-resourced cyber attackers to successfully compromise systems and networks. Media coverage in the wake of these incidents typically centres on identifying the culprit, as was the case here. Little has been made public about the method of compromise, but the breach of parliamentary and political parties’ networks just months before a federal election is instructive – an organisation can get a better sense of whether and when it might be a target for an attack by understanding the scope of information it holds and the broader economic, commercial or political contexts in which it operates.
Tags: #nationstate #assetinventory
Summary: Australian technology companies are regularly fielding questions from customers about how Australia’s encryption-busting laws might impact the products they have installed and are using.
Key risk takeaway: Businesses increasingly must have a positive story to tell about privacy and security to be commercially attractive to clients. The marketplace’s sensitivity to these topics is neatly captured by the assessment by security company Senetas: “Trust in Australian companies operating in this market has been severely damaged”. While this story relates specifically to concerns about the Assistance and Access Bill, in general growing awareness of supply-chain security risks will place increasing pressure on businesses to provide assurances to clients about the security and privacy of their products and processes.
Tags: #trust #supplychain #assurance
Summary: US government employees are still scrambling to mitigate impacts on federal cyber security defences from the extended shutdown.
Key risk takeaway: You don’t know what you’ve got till it’s gone. In discussions about enterprise security capabilities, routine operational security is often overshadowed by sexier capabilities like penetration testing and threat hunting. The importance of these operational and protective security teams – responsible for so-called security hygiene – is highlighted in this post-mortem of the government shutdown. Expired security certificates (which could mean visitors to websites are issued a security warning) and unanalysed network logs (which mean an attacker’s presence could go undetected) were just two of the consequences of these teams being unavailable or severely constrained by the shutdown. In truth, many large government and private sector organisations struggle to stay on top of these routine security activities even without a shutdown. Having good governance and oversight, effective prioritisation and a clear understanding of how these tasks mitigate risk (see our post on measuring cyber risk) can drive the right outcomes.
Tags: #securityhygiene #operationalsecurity #riskandcontrols
Summary: A British parliamentary committee report delivered a stinging rebuke of Facebook’s approach to privacy, labelling the social network “digital gangsters” and calling for the UK’s privacy watchdog to further investigate Facebook’s use of user data. In the US, the Federal Trade Commission (FTC) is reportedly considering hitting Facebook with a multibillion dollar fine for privacy failures.
Key risk takeaway: Armed with tougher regulations like GDPR and growing public outcry, authorities are signalling their intent to severely punish poor privacy practices. The parliamentary report and proposed FTC fine chronicled here follow the French data protection regulator last month issuing Google a €50 million fine, the largest fine yet under GDPR. As we write in our assessment of the one-year anniversary of Australia’s Notifiable Data Breaches Scheme, a more proactive approach to privacy can help organisations stay ahead of what looks to be an intensifying regulatory landscape.
Tags: #facebook #privacy #privacybydesign
Summary: California, which already has some of the strongest data breach notification laws in the US, has announced a new bill that will expand data breach requirements for companies.
Key risk takeaway: This is another data point supporting the growing importance of businesses proactively adopting privacy-centric practices to stay ahead of a trend of expanding data protection regulations globally. California’s push for stronger data breach laws comes only a year after it introduced laws similar to Europe’s GDPR. Approaches such as ‘privacy by design’ are gaining traction as a key way to enhance consumer trust.
Tags: #regulation #privacy #privacybydesign
Summary: The Democratic National Committee (DNC) has released security guidance to “dramatically reduce the risk” of hackers breaching election candidates’ devices.
Key risk takeaway: Any small to medium business can benefit from reading the straightforward advice released by the DNC. Given the intense scrutiny over election security and the very real threat of foreign interference after the 2016 presidential election, the DNC has invested considerably in improving defences. Key advice in this checklist includes keeping operating systems up to date, using password managers and enabling two-factor authentication. The full list of advice can be found here.
Summary: Security analytics provider Splunk will no longer do business in Russia, as the Russian government increases its scrutiny of foreign companies. The news reflects further balkanisation of the internet and the escalation of what is being described as a “tech cold war”, in which tensions between states are intensifying over the treatment of global technology companies.
Key risk takeaway: Splunk’s decision highlights the importance of global businesses staying abreast of emerging regulations in markets where they operate as well as the extent to which governments in those regions expect to be able to scrutinise key aspects of their operations. Invasive product reviews and source code reviews are possible requirements for organisations seeking to operate in Russia or China.
Tags: #geopolitics #regulation