30 April 2020

News round-up April 2020 — Privacy and security issues with COVID-19

Helping your business stay abreast and make sense of the critical stories in digital risk, cyber security and privacy. Email news@elevenM.com.au to subscribe.

The round-up

COVID-19 is creating a heady and swirling vortex of news, information and disinformation. In this edition we cut through to the key privacy and security issues of the pandemic, including the Government’s contact tracing app and the new risks and scams that security leaders need to be thinking about. We also check in on how cybercriminals are attending to business-as-usual.

Key articles:

ACSC issues FUD-busting COVID-19 WFH guide

Summary: In light of new and more pronounced cyber security vulnerabilities brought on by the workforce’s wholesale transition to working from home, the Australian Cyber Security Centre issued its own official guidance.

Key risk takeaway: Security leaders in businesses right across the economy are responding to working arrangements and circumstances radically different to those for which they devised their risk mitigation strategies and activities. For the many professionals working from home, the ACSC’s tips include being aware of COVID-19 related cyber threats and scams (see next story), adopting strong passphrases and using multi-factor authentication. Security teams also need to account for the different risk profile that results from a highly distributed workforce working in non-corporate environments. Risks to manage more closely include user adoption of unsanctioned video conferencing platforms and ensuring users connect to networks securely. Other emerging considerations include the need to revisit security provisions in technologies hastily purchased during the pandemic and sharpening governance over “shadow IT”, as workers install and use their own (non-sanctioned) applications to continue to perform their duties in non-standard conditions.

Tags: #securityhygiene #securityawareness #securityriskassessment

Continued widespread reports of COVID-19 malicious scams

Summary: Authorities and businesses around the world are observing a massive surge in internet scams related to the coronavirus pandemic. Says one security professional: “I’ve never seen this volume of phishing. I am literally seeing phishing messages in every language known to man.”

Key risk takeaway: It’s the pandemic edition of the usual refrain – humans are the critical front-line in defending against cyber-attacks. Businesses must take strong steps to make their employees aware of the explosion in COVID-19 themed scams and phishing attacks, which are being deployed to drop malware, steal information and facilitate financial fraud. Thousands of new coronavirus-themed web domains, which are used as phishing sites and to spread malware, are being registered every day. The Australian Signals Directorate is muscling up for the fight, as are US law enforcement authorities and even an army of volunteer cyber defenders.

Tags: #securityawareness

Australia launches COVIDSafe contact tracing app

Summary: The Australian Government launched an app to support health professionals performing contact tracing on individuals who test positive to coronavirus. The Government app faced intense scrutiny over its handling of privacy and security considerations.

Key risk takeaway: The public’s heightened expectations of privacy and transparency in new technologies and services – particularly those involving sensitive information (such as health status) – are brought to the fore in the public conversation surrounding the COVIDSafe app. The Government’s previous missteps in adequately addressing privacy and security considerations in technology deployments (e.g. Census, My Health Record) have demonstrably impacted this rollout, reflecting the importance of service providers building trust over an extended period. A privacy impact assessment on the app – which made 19 recommendations, the bulk of which were accepted – has helped in some part to ameliorate some of the privacy concerns (read elevenM’s Melanie Marks’ view of some of these privacy risks here). An auxiliary consideration for organisations will be how they deal with employee queries about the app, particularly in relation to installing it on work-issued mobile devices.

Tags: #privacy #privacyimpactassessment

Zoom bolsters software security in latest move to reassure users

Summary: Video conferencing platform Zoom has faced intense criticism over poor security and privacy practices, leading to “do not use” edicts from everyone from governments to major corporations.

Key risk takeaway: When your startup’s moment finally comes, will a complacent attitude to privacy and security be your undoing? Widespread self-isolation has certainly been a godsend for video conferencing platforms like Zoom. But despite a massive surge in users, Zoom’s reputation has taken a thorough battering. Like Standard Chartered has done overseas, we’re aware of major Australian organisations issuing guidance to staff to refrain from using Zoom, especially for official business. Zoom has had to move fast to issue mea culpas and patch security and privacy holes. For major developers of digital services and budding start-ups alike, a more efficient and less painful strategy is to bake in good practices through approaches such as privacy-by-design and secure coding.

Tags: #privacybydesign #securecoding

IT services behemoth Cognizant suffers attack by Maze ransomware

Summary: While we’re all preoccupied with COVID-19, one group (sadly) is carrying on as though everything is normal: ransomware gangs. In the past month foreign exchange business Travelex, insurer Chubb and technology consultancy Cognizant were all revealed to have been hit with ransomware.

Key risk takeaway: Ransomware might be overshadowed now by that other virus, but by no means has it gone away. We wrote in February of the havoc Maze ransomware gangs were already wreaking in 2020. And the fact that cybercriminals are now offering discounts on their services should remind us all that they’re determined to be a viable force throughout and beyond the pandemic. The Cognizant incident, in addition to reminding us of the importance of endpoint protection and detection tools, highlights a couple of considerations. First, the incident affected Cognizant clients, illuminating the issue of supplier risk. Organisations should consider quickly disabling system access for any infected supplier. Second, the particularly aggressive public extortion strategy used by Maze attackers – in which sensitive data is stolen before being encrypted, and its public release threatened if the victim doesn’t pay the ransom – highlights the need for a clear public communications strategy for cyber incidents.

Tags: #solvingransomware #crisiscommunications