3 June 2019

News round-up 3 June 2019

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up:

Data, data everywhere. In our latest roundup, we unfortunately read once more that a number of databases with sensitive information have been left exposed on the web. All the more reason for users to protect their accounts with two-factor authentication (2FA) – and new data from Google shows how effective even the weakest 2FA is. And finally, the blows keep coming for Equifax. Ratings agency Moody’s has downgraded the US consumer reporting agency based on its poor cyber form.

Key articles: 

Chinese database exposes 42.5 million records compiled from multiple dating apps

Summary: Data belonging to Australian users of dating apps is among 42.5 million records found by security researchers on a database left unprotected online.

Key risk takeaway: This story reflects multiple concerning trends for online users – the prevalence of poor database security and the aggregation of sensitive information by potentially disreputable apps and services. We’ve written before about organisations failing to apply configuration settings to protect their cloud-based data stores – this is the case with the exposed “Elastic” database in this story that contained dating users’ information, as well as in separate revelations about an exposed Amazon database containing contact information for Instagram ‘influencers’. Doubly concerning in the story about dating users’ data was the discovery that data in the database had been aggregated from a number of different dating apps, each of which presented as a separate company. Companies should educate employees to consider the reputation of online services to which they hand over sensitive information, and to recognise the potential harm that can result from services that apply loose protections to their data.

Tags: #privacy #cloudsecurity #dataprotection #awareness


Under GDPR, UK Data Breach Reports Quadruple

Summary: New privacy laws are driving an increase in data breach notifications globally, increasing public awareness of organisations’ obligations to protect data.

Key risk takeaway: Now more than a year since data breach reporting schemes have taken effect in Australia and Europe, regulators expect not only that organisations are aware of their breach reporting obligations, but that they will have processes in place to prevent breaches and effectively respond should they occur. This was a key takeout from the Office of the Australian Information Commissioner’s 12-month Insights Report, which looked at the first full year of the Australian data breach reporting scheme. The OAIC’s report also revealed a 712 per cent increase in data breach notifications, which echoes the situation in the UK where there has been a quadrupling of data breach notifications since General Data Protection Regulation (GDPR) went into effect. Developing data breach response plans, and running simulation exercises based on those plans, is critical.

Tags: #privacy #databreachresponse


Paul Fletcher named new comms, cyber safety minister

Summary: Australia has a new federal Communications Minister who will also assume ministerial responsibility for cyber safety. The NSW Government has also announced a new leader for its new whole-of-government cyber office, ‘Cyber Security NSW’.

Key risk takeaway: Visible leadership and accountability for cyber security and privacy is critical in a large organisation. While the specific priorities of new federal “cyber safety” minister Paul Fletcher are not yet clear, the nomination of “cyber safety” as a ministerial portfolio of responsibility provides hope of the focus it will receive in the re-elected Morrison Government. A dedicated cyber safety minister also provides industry – which has a major role to play in cyber safety across the community – with a clear point of contact. Criticisms have been made that a similar dedicated ministerial accountability for cyber security (dealing with protection of the economy and national security) doesn’t exist. Making cyber security responsibility explicit and visible at senior levels of an organisation is a critical ingredient in driving focus, accountability and even the right cultural attitudes towards security and data protection.

Tags: #leadership #security


Google’s own data proves two-factor is the best defense against most account hacks

Summary: Newly released Google data demonstrates that even the weakest forms of two-factor can be effective against attacks.

Key risk takeaway: A recent report by the Australian privacy regulator identified “credential compromise” – where a user’s login details are obtained by attackers – as one of the most prominent factors behind data breaches affecting organisations. As Google’s data shows, this form of attack can be blunted if organisations activate “two-factor authentication”, which requires that users supply a unique code (usually sent to their mobile device) in addition to their username and password in order to access their account. The data revealed that having a text message sent to a person’s phone prevented 100% of automated attacks based on lists of stolen passwords and 96% of phishing-based attacks. While there has been recent coverage of weaknesses in certain forms of two-factor authentication (such as SMS-based codes that can be intercepted), the Google data revealed that implementing some form of two-factor authentication was better than none at all. Adding to the cost or effort of attackers is always a useful guiding principle for preventing security compromises.

Tags: #2fa #securityawareness #credentials


NSA Deflects Blame for Baltimore Ransomware Attack

Summary: The US National Security Agency (NSA) has sought to defend itself after the city of Baltimore was crippled by a ransomware attack that made use of an NSA cyber tool called EternalBlue.

Key risk takeaway: While this story is wrapped in a debate about the appropriateness of government agencies secretly developing offensive cyber tools, for anyone charged with protecting their organisation from cyber-attacks the focus must ultimately be on understanding what measures exist to mitigate the risks posed by the cyber threats that could target their digital assets. In this case, while EternalBlue was an NSA-developed tool, a patch (or fix) for the software vulnerability that the tool exploited had been public for more than two years. But the city of Baltimore had not applied the fix. Rigorous security patching can be resource-intensive – a risk-based approach can help organisations prioritise the most critical patches.

Tags: #securityhygiene #patching #prioritisation


Equifax Becomes First Firm To See Its Outlook Downgraded Due To A Cyber-Attack

Summary: Credit rating agency Moody’s has downgraded its rating on Equifax, for the first time citing cyber security issues as a reason for a downgrade.

Key risk takeaway: The range of financial consequences of having poor data protection measures in place continues to expand. Lost business, legal costs and regulatory fines are by now recognisable impacts of a cyber or privacy-related compromise. The downgrading of Equifax’s credit rating speaks to the lingering effect these breaches, and the cost of remediating them, can have on continued trustworthiness and stability in the eyes of key stakeholders.

Tags: #trust #reputation