6 September 2019

News round-up 9 September 2019

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up: 

The inter-connectedness of the digital economy means the digital risks an organisation faces are likely the product of many factors, and mitigating these risks likely requires the interplay of many parties. This theme comes through strong in our latest roundup, with stories on the security of widely-used industry platforms, the lurking of nasty sites on the web, and how law enforcement and regulators are doing their bit to clean things up.


Key articles: 

Feds call for input on Australia’s next cyber security strategy

Summary: The Federal Government has commenced a consultation phase ahead of the development of Australia’s 2020 cyber security strategy.

Key risk takeaway: While largely a call for submissions, the Federal Government’s discussion paper signals a growing role for government in the management of cyber security risks in the economy. This could potentially take place through greater Government oversight and assessment of the cyber security posture of private businesses. Citing recent cyber security threats as an example, the paper ponders whether “it may be appropriate for Government to proactively identify any vulnerable systems to assess Australia’s exposure and better assist the community”. Given the implications for industry, it’s critical that businesses read the discussion paper and share their views with the Government, both directly and through coordination with counterparts. The sentiments in the paper are also another reminder of the need for businesses to proactively and continuously assess their levels of cyber risk, and instigate programs to address those risks.

Tags: #cybersecuritystrategy

Aussie banks warn customers after fresh PayID data breach

Summary: More than 90,000 Australian bank customers had bank details and personal data exposed after real-time payment service PayID was breached, in the second attack on the New Payments Platform (NPP) in recent months.

Key risk takeaway: While businesses become more aware of digital risks and take steps to secure their own infrastructure, this story illuminates how industry-wide platforms and infrastructure can also introduce risks for participants. Similar concerns were raised last year at the introduction of the My Health Record system across the health sector. The recent concerns over NPP have now led to increased focus on security at participating banks, illuminating the growing importance of proactively assessing security controls. Additionally, where organisations are dependent on industry platforms that potentially pose additional risk, organisations may need to consider introducing compensating security controls, as well as participating in coordinated lobbying for stronger security assessments of those industry platforms.

Tags: #securitycontrolsassurance #NPP

Malicious websites were used to secretly hack into iPhones for years, says Google

Summary: Security researchers say they’ve found a number of malicious websites which, when visited, could hack into a victim’s iPhone by exploiting software flaws.

Key risk takeaway: The potential dangers of malicious content hosted on the web come through strong both in this story and in another report last month that states up to 70 percent of newly registered web domains are malicious or suspicious. Various (commercial and non-commercial) threat intelligence services can provide organisations’ IT teams with lists of known malicious domains, while web and URL filtering tools can help them block access to them. Links to these malicious websites are also often promoted via phishing emails, which is why both domain “whitelisting” and educating users to be wary of links in emails (particularly from parties they don’t recognise) are considered key defensive measures.

Tags: #websecurity #securityawareness

ABS re-examines how long it keeps Census names, addresses

Summary: The Australian Bureau of Statistics (ABS) is reassessing the duration it retains data collected as part of the Census, as part of a process to explore potential privacy issues or risks. 

Key risk takeaway: While the benefits of data analysis and data matching have been made increasingly attractive to businesses and governments in recent years, there’s now also a matching upswell in understanding of the implications of these capabilities and initiatives on user privacy. For the ABS, a privacy impact assessment is cause for reflection on the retention period of Census data, a period it reportedly extended to allow it to match the data against other government databases. In a somewhat related story about the privacy implications of data matching, a feature (or bug?) in messaging app Telegram may have allowed law enforcement to identify Hong Kong protestors. Telegram is largely used because it supports anonymous, encrypted communication. The Australian Competition and Consumer Commission this week also flagged growing privacy concerns with customer loyalty schemes, including that they were being used to build detailed profiles about consumers and often had vague privacy policies. Many of these privacy issues can be uncovered and mitigated via privacy impact assessments and a privacy-by-design approach to new projects. 

Tags: #privacybydesign #privacy

US Justice Department indicts 80 people in international Nigerian email scam

Summary: Nigerian nationals have been charged by the US Justice Department in connection with $46 million in theft and money laundering targeting businesses via a number of scams, including business email compromise (BEC).

Key risk takeaway: In these roundups we speak primarily of what businesses can do to mitigate cyber risks – but cyber security is truly a shared responsibility and it’s important we occasionally highlight the activities of government authorities. And law enforcement has achieved some major wins in recent weeks. This includes the above indictment against 80 people for fraud, most of whom are based in Nigeria. French police also neutralised a botnet – a network of infected private computers that are controlled by cyber attackers – that controlled just under a million computers. Hacktivist groups – cyber actors that are motivated by ideology – have also reduced their activity partly as a result of successful prosecutions, says another report last month. A few good weeks for the good guys.

Tags: #lawenforcement

Microsoft’s lead EU data watchdog is looking into fresh Windows 10 privacy concerns

Summary: The Dutch data protection agency has asked Microsoft’s lead privacy regulator in Europe to investigate ongoing concerns regarding how Windows 10 gathers user data.

Key risk takeaway: The trend of intensifying regulator attention on privacy and security matters continues across the globe. The Dutch data protection authority’s concerns with Windows 10’s data collection and processing will now be investigated by its Irish counterpart under the General Data Protection Regulation, which carries significant fines. Locally, the Australian Securities and Investments Commission also fired a shot across the bow, signalling a much sterner approach to data breaches and online fraud in the banking sector. Meanwhile Australia’s privacy regulator, the Office of the Australian Information Commissioner, has published its latest report on the Notifiable Data Breaches Scheme, which found human factors continue to be at the heart of most data breaches. More than ever, businesses must proactively address privacy and security risks, if for no other reason than to be able to demonstrate appropriate attention to these issues should there be an incident and subsequent regulator inquiry.

Tags: #regulation #privacy #security

BEC overtakes ransomware and data breaches in cyber-insurance claims

Summary: Business email compromise (BEC) has overtaken ransomware and data breaches as the main reason companies filed a cyber insurance claim, according to a major insurer.

Key risk takeaway: Notwithstanding the major arrests highlighted earlier in this news roundup, these statistics – from an analysis of insurance findings in Europe, the Middle East, and Asia – confirm the severe impact of BEC scams on businesses around the globe. Also known as CEO fraud, BEC typically involves a company employee receiving an email request for payment from someone impersonating a senior executive or supplier. These email requests are often not blocked by security technologies (because they often don’t contain malicious links or attachments). Key mitigations include educating staff to be aware of this threat and detect these emails and having policies and procedures (such as checks) to reduce the likelihood of staff executing a large, fraudulent payment.

Tags: #securityawareness
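The takeaway notes that BEC emails slip past link- and attachment-based controls because they contain neither. What a mail gateway or SOC rule can still inspect is the header and wording pattern the article describes: a display name that matches a senior executive while the address does not, a Reply-To that diverts replies elsewhere, a look-alike of the company's own domain, and payment language from an unrecognised sender. The following is an added illustration of that screening logic, not code from elevenM or the insurer cited; the executive directory, internal domain, supplier list, keyword list and all three sample messages are constructed, and the two-edit look-alike threshold is an assumed tuning value.

```python
"""Flag executive- and supplier-impersonation signals typical of BEC in an
inbound message. Added example; all directory data and messages are constructed."""
from email import message_from_string
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example.com.au"                                  # constructed
EXECUTIVES = {"jane citizen": "jane.citizen@example.com.au"}        # constructed
KNOWN_SUPPLIER_DOMAINS = {"supplier.example"}                       # constructed
PAYMENT_WORDS = ("invoice", "wire", "transfer", "bank details", "urgent payment")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(candidate: str, trusted: str, max_edits: int = 2) -> bool:
    """True when candidate differs from trusted by 1..max_edits single-character
    edits (Levenshtein distance), e.g. 'examp1e.com.au' vs 'example.com.au'."""
    prev = list(range(len(trusted) + 1))
    for i, c in enumerate(candidate, 1):
        cur = [i]
        for j, t in enumerate(trusted, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (c != t)))
        prev = cur
    return 0 < prev[-1] <= max_edits


def bec_signals(raw_message: str) -> List[str]:
    """Return the list of impersonation/payment signals found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    from_dom = _domain(from_addr)
    signals: List[str] = []

    # 1. Display name of a known executive on an address that is not theirs.
    name_key = from_name.strip().lower()
    if name_key in EXECUTIVES and from_addr.lower() != EXECUTIVES[name_key]:
        signals.append("display name matches an executive but address does not")
    # 2. Replies silently redirected to a different domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        signals.append("Reply-To domain differs from From domain")
    # 3. Sender domain is a near-miss of our own domain.
    if from_dom and from_dom != INTERNAL_DOMAIN and lookalike(from_dom, INTERNAL_DOMAIN):
        signals.append("sender domain is a look-alike of the internal domain")
    # 4. Payment wording from outside the company and its approved suppliers.
    if any(w in text for w in PAYMENT_WORDS) and from_dom not in KNOWN_SUPPLIER_DOMAINS \
            and from_dom != INTERNAL_DOMAIN:
        signals.append("payment request from an unrecognised domain")
    return signals


# Constructed sample messages.
SAMPLE_BEC = """From: Jane Citizen <jane.citizen@examp1e.com.au>
Reply-To: jane.citizen.ceo@webmail.example
Subject: Urgent payment - supplier invoice
Content-Type: text/plain

Please process the attached invoice by wire transfer today. I am in meetings, reply here only.
"""
SAMPLE_OK = """From: Jane Citizen <jane.citizen@example.com.au>
Subject: Lunch on Friday
Content-Type: text/plain

Are you free on Friday?
"""
SAMPLE_SUPPLIER = """From: Accounts <accounts@supplier.example>
Subject: Invoice 1042 for August
Content-Type: text/plain

Invoice attached as agreed; bank details unchanged.
"""

if __name__ == "__main__":
    for label, sample in (("bec", SAMPLE_BEC), ("ok", SAMPLE_OK), ("supplier", SAMPLE_SUPPLIER)):
        print(label, "->", bec_signals(sample))
```

None of these signals is proof on its own; a legitimate supplier invoice trips the payment-word check only when the sender domain has not been recorded, which is why the supplier list exists. The value is in combining the header signals with the procedural checks the takeaway recommends: a message that scores several signals should route to a payment-verification step (a call-back on a known number) rather than to the person who can approve the transfer.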