Key lessons from Petya cyber security ransomware attack

The recent Petya cyber security attack does not follow other recent attacks.

The recent Petya cyber security attack does not follow other recent attacks.

Security researchers are struggling to reach consensus on whether the ransomware responsible for the latest global attacks is a new version of Petya or not, and even whether it was true ransomware, but what they have learned so far could help guide security strategies.

Those in support of retaining the Petya name point out that it essentially behaves in exactly the same way because it is designed to:

Encrypt files on disk without changing the file extension.
Forcibly reboot the machine upon infection.
Encrypt the Master Boot Record on affected machines.
Present a fake CHKDSK screen as a cover for the encryption process.
Present a near-identical ransom demand screen after completing its activities.

According to the latest update on the malware, Kaspersky Lab says code analysis has revealed it is technically impossible to decrypt victims’ disks.

To decrypt a victim’s disk threat actors need the installation ID, and in previous versions of “similar” ransomware like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery, researchers at the security firm said.

However, they found the new malware – which they have dubbed ExPetr – does not have any such recovery mechanism, which means the threat actor could not extract the necessary information needed for decryption.

In short, victims could not recover their data even if they paid the ransom, the researchers said, which again calls into question the motive behind the malware.

This discovery not only further endorses the security community’s earlier advice not to pay the ransom, but also raises further questions about the true purpose of the malware and is likely to fuel further speculation that it may have been intended purely as a means to cause disruption on to mask some other malicious activity.

This view is supported by the latest statement from the UK National Cyber Security Centre (NCSC) that while managing the impact to the UK of the incident, the NCSC’s experts have found evidence that questions initial judgements that the intention was to collect a ransom. “We are investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain,” the NCSC said.

Whatever the true purpose, analysis of the malware has confirmed some of the lessons learned from WannaCry and added others which organisations should consider in order to improve their cyber defence capabilities against future threats.

The key lessons from the cyber security attack that have emerged so far are:

1. Having the latest versions of software and ensuring they are patched up to date will go a long way in reducing organisations’ vulnerability to cyber attack.

2. Malware is increasingly using legitimate tools for malicious activity to go undetected. In the case of ExPetr, two common Windows administrative tools, Windows Management Instrumentation Command-line (WMIC) and PsExec were used.

3. Malware is hijacking software updating mechanisms to spread malware, and is likely to use this technique increasingly in future.

4. An appropriate and well-tested backup and recovery plan for critical systems and data will go a long way to mitigating the effects of ransomware and other malware attacks, regardless of its particular characteristics.

5. Malware is abusing security tools to discover usernames and passwords, which means organisations should ensure they have appropriate systems and procedures in place to prevent credential abuse.

ExPetr uses the publically available Mimikatz tool to obtain credentials of all Windows users in plaintext, including local administrators and domain users to spread itself on local networks. You can find more details at: https://github.com/gentilkiwi/mimikatz

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Victims of latest global ransomware attack urged not to pay

Victims of the latest global ransomware attack are urged not to pay, while some researchers claim to have found a local kill switch or vaccine.

Victims of the latest global ransomware attack are urged not to pay, while some researchers claim to have found a local kill switch or vaccine

The new ransomware, dubbed ExPetr by Kaspersky Lab, has been linked to Petya, because, like that family of ransomware, it also attempts to encrypt the hard drive’s master boot record (MBR), locking victims out of their computer – not just files.

Security researchers have also highlighted that for propagation the ExPetr is not relying only on the EternaBlue exploit that targets a known vulnerability in the server message block protocol in Microsoft Windows.

ExPetr is also being spread using the EternalRomance exploit targeting Windows XP to 2008 systems over TCP port 445 and through abuse of legitimate command line tools PsExec and Windows Management Instrumentation Command-line (WMIC).

The ransomware also uses the publically available Mimikatz tool to obtain credentials of all Windows users in plaintext, including local administrators and domain users.

This means computers may still be vulnerable even if Microsoft patches issued by have been applied for the EternalBlue and EternalRomance expoits that are believed to have been developed by the NSA and subsequently stolen and leaked by the ShadowBrokers hacking group.

However, the immediate application of the Microsoft patches is still advised for any unpatched machines.

In light of the fact that the attackers’ email account for accepting ransom payments has been shut down, victims are also advised not to pay the $300 ransom as it is unlikely they will receive a key for decrypting affected files.

Security researchers monitoring the bitcoin wallet associated with the ransomware report that a few hours after the attack began, the wallet began receiving funds, indicating some victims were willing to pay almost immediately. However, only about 26 victims are believed to have paid on the first day.

To prevent the ransomware from spreading in the network, it is recommended to turn off computers that have not been infected, disconnecting the infected hosts from the network, and making images of compromised systems.

This approach could be useful for restoring data, the firm said, if researchers find a way to decrypt the files. In addition, these images can be used to analyse the ransomware.

Researchers at the firm also claim to have found a kill switch to disable the ransomware locally.

The researchers found that the ransomware checks if the perfc file is present in the C:\Windows\ folder before executing. They suggest creating a file with the correct name in this folder can prevent the substitution of the MBR and further encryption. Similarly, other researchers have suggested that blocking C:\Windows\perfc.dat from writing or executing could halt the ransomware.

Anti-ransomware recommendation for businesses

Use the Windows AppLocker feature to disable the execution of any files that carry the name “perfc.dat” as well as the PSExec utility from the Sysinternals Suite.
Isolate infected endpoints as soon as possible.
Use the indicators of compromise to update security systems.
Develop a system of regular training courses for employees to increase their awareness of information security issues by demonstrating practical examples of potential attacks on the company’s infrastructure.
Install antimalware software with self-protection that requires a special password for disabling or changing its settings.
Ensure regular updates of software and operating systems on all hosts of the corporate infrastructure, as well as an effective process of managing vulnerabilities and updates.
Conduct regular information security audits and penetration testing will allow timely detection of existing deficiencies in protection and vulnerabilities.
Monitor the corporate network perimeter to control network service interfaces accessible from the internet and correct the configuration of firewalls in a timely manner.
Monitor the internal network to detect and eliminate an attack that has already occurred.

To apply this local kill switch or vaccine, administrators need to locate the C:\Windows\ folder and create a file named perfc, with no extension name.

According to Kaspesky Lab, around 2,000 machines had been hit by the ransomware by the end of the first day of attacks, which appears to indicate ExPetr is spreading much more slowly than WannaCry.

Code analysis showed that the new ransomware does not attempt to spread itself beyond the network it is placed on, leading several experts to predict the attack will not spread significantly further than it did on the first day unless it is modified.

Known victims of the ransomware include Ukraine’s central bank, Ukraine’s Ukrenego electricity supplier, the Chernobyl nuclear power plant, airport and metro services throughout the Ukraine, UK advertising firm WPP, US-based pharmaceutical company Merck, multinational law firm DLA Piper, Danish shipping company A.P. Moller-Maersk, Russian oil company Rosneft, Pennsylvania hospital operator Heritage Valley Health System, Netherlands-based shipping company TNT and French construction materials company Saint-Gobain.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

UK’s Parliament suffered cyber security attack over the weekend.

Both Houses of Parliament sustained a determined cyber security attack to it’s networks.

Both Houses of Parliament sustained a determined cyber security attack to it's networks.

Remote access to the accounts of parliamentary network users was suspended on Saturday 24 June after unauthorised access attempts were detected.

This meant MPs and other staff were unable to access their accounts remotely, but IT services within the parliament building continued to functional normally.

Parliament said in a statement on Sunday that the parliamentary network and systems had been protected from the attack to ensure the Houses’ business could continue.

Although investigations are ongoing, the statement said that “significantly fewer” than 90 of the 9,000 accounts on the parliamentary network had been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service.

“As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way,” the statement said, adding that Parliament was putting plans in place to resume its wider IT services.

In an email to parliamentary network account holders late on Friday, Rob Greig, director of the Parliamentary Digital Service, said unusual activity and evidence of an attempted cyber attack had been discovered earlier in the day.

“Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in attempt to identify weak passwords,” he said. “These attempts were specifically trying to gain access to users emails.”

Although the Parliamentary Digital Service was able to detect the unusual activity indicating that an attempted cyber attack was under way and took swift action to limit the potential impact by temporarily shutting down remote access to the network, it is unclear why password guidance was not enforced properly.

The statement issued by Parliament appears to blame to account holders for not following official password guidelines, but uncovers that fact that there is no mechanism for enforcing password policy.

UK security services believe the attack is more likely to be state sponsored than carried out by group of hackers, which cited an unnamed security source as saying it was a brute force attack that appeared to be state sponsored.

The incident comes just days after it emerged that the passwords and email addresses of MPs, parliamentary staff, diplomats and senior police officers had been sold, bartered and then made available for free on Russian-speaking hacking forums.

The Guardian reported that the Russian government was the top suspect in the parliamentary attack, but the paper’s source also said it was “notoriously difficult” to attribute an incident to a specific actor, and security commentators have said it is too early to say who was responsible.

“Such an attack is very simple and cheap to organise, and virtually any teenager could be behind it,” said Ilia Kolochenko, CEO of web security company High-Tech Bridge.

“I would abstain from blaming any state-sponsored hacking groups because with such an unacceptably low level of security, they have likely already been reading all emails for many years without leaving a trace.”

Kolochenko said this incident highlighted once again that cyber security fundamentals were being ignored even by the governments of leading countries.

“Today, two-factor authentication, advanced IP filtering and anomalies detection systems are a must-have for critical systems accessible from the internet,” he said.

“Strict password policies and regular audits for weak and non-compliant passwords are also vital for corporate security. However, apparently, none of these simple but efficient security controls were properly implemented.”

 

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Queen’s Speech praised for certainty on data protection

The Queen’s Speech has been praised for removing any doubt about the UK’s commitment to data protection.

The Queen’s Speech has been praised for removing any doubt about the UK’s commitment to data protection

The government has promised a new data protection law aimed at incorporating the EU General Data Protection Regulation (GDPR) into UK law.

This is a significant move that will provide businesses with certainty on the UK’s intention to meet the obligations of the GDPR.

The UK has long been a world leader in data protection. We have one of the strongest regulatory frameworks in the world and our system is highly respected. We can now build on these foundations to ensure the country continues to be a real destination for data-driven business post-Brexit.

Although the GDPR has been finalised and will come into effect in May 2018, it gives EU member states some leeway to introduce their own optional exceptions in areas such as crime prevention, and also to add their own provisions in areas such as staff data processing.

Countries such as Germany have already started this process, so it is in the UK’s interests that the government follows suit and gives businesses some certainty as soon as possible, given the high fines which will apply in this area in less than 12 months’ time.

While GDPR will be included into UK law post-Brexit, the proposed bill adds additional safeguards, including overhauling the powers of law enforcement and the powers of the information commissioner.

If the government is serious about making the UK the safest country in the world to be an online user, this legislation is another step towards that goal.

Establishing a world class data protection regime

Peter Carlisle, vice-president for Europe at Thales e-Security, said it was encouraging to see that the UK government will be placing a greater emphasis on establishing a world-class data protection regime.

“The greater the volumes of data accessible online, the greater the potential for exposure and the increased chance of hackers taking advantage of systems that some have thought impregnable,” he said. “Ensuring that both individuals and businesses have as much control as possible over where and how their data is used is critical to the UK’s broader cyber security strategy.”

Beaming, a specialist business internet service provider also welcomed the government’s commitment to improving cyber security.

“Cyber security breaches cost businesses almost £30 billion last year, and small firms in particular are accelerating investment in security technologies to protect themselves and their customers from threats online,” said Sonia Blizzard, managing director of Beaming.

“Making the UK the best place to start and run a digital business requires far more than a commitment to boosting security,” she said. “As customer expectations and data usage grow, factors such as speed and service resilience become ever more important, so it is vital that the Conservatives keep their manifesto pledge to accelerate rollout of the full-fibre technology that will improve service across the country and establish the clear path to national fibre coverage they’ve promised over the next decade.”

Research conducted for Beaming earlier this year revealed UK businesses were subjected to almost 230,000 cyber attacks each during 2016, on average, that 52% of UK businesses fell victim to some form of cyber crime in 2016 at a cost of £29.1bn, that viruses and phishing attacks were the most common corporate cyber threats faced by businesses impacting 23% of the businesses surveyed, and that just under a fifth of firms suffered some form or hack or data breach in 2016.

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

How to prevent cyber security attacks and protect your organisation

Taking action in 10 key areas can prevent cyber security attacks and protect your organisation against the risk of breaches.

Taking action in 10 key areas can prevent cyber security attacks and protect your organisation against the risk of breaches.

A classic example of this is that attackers are relying less on malware and using administrative tools built into operating systems such as Microsoft Windows instead.

Similarly, fewer attackers are using round the clock communications with their command and control servers to avoid detection by security tools that monitor for such communications.

Attackers are also developing anti-forensics techniques, by determining what artefacts such tools are using and then either avoiding using them or ensuring that they wipe then as part of the attack.

Increasingly common ways of getting into organisations, include carrying out phishing attacks through compromised email accounts of the friend, partners, clients and colleagues of their target person and through subscribed mailing lists that tend to be trusted by recipients.

We are also seeing the use of publicly available information from a variety of sources to be able to reset account passwords to take control or to create subdomains of legitimate organisations to trick people into sharing their usernames and passwords.

Cyber defenders should also be aware that attackers are increasingly breaching branch or overseas office networks so they can use various techniques to hop over to the main network and exploiting undisclosed vulnerabilities in publicly available portals, such as password reset portals.

We are seeing attackers using a webshell on web servers to issue commands, using tools such as Mimikatz and Mimikittenz to extract passwords from computer memory, using task scheduler to execute commands, using tunnelling tools such as Tunna Webshell on a compromised webserver to hop around networks, and using signed binaries to run malicious code in dynamic link libraries (DLLs).

Steps to improve your cyber security protection

1) There needs to be a mindset shift. Organisations need to understand that if they have any data of value, attackers will come after them. Having a protection plan of highest risk assets is one thing, but organisations need to ask if they can detect unauthorised access to the assets.
2) Know where there is a security risk. We often hear that organisations are unaware of the existence of a server or that it contained sensitive data.
3) Organisations need to understand that it is not enough to secure the data on servers because there is a lot of sensitive data on endpoints. Organisations often overlook data in emails, spreadsheets, browser password and session cookies.
4) Avoid single factor authentication, not just for the main VPN access, but whatever other public portals an organisation has, such as Outlook Web Access (OWA).
5) Consider advanced threat detection systems to get more context on threats. Remember, real attacks start when attackers get inside the environment and pose like insiders.
6) Avoid burn out for cyber security administrators. When you hire top talent for security innovations, don’t give them the day to day stuff that consumes most of their time as continuity in a security team is a good thing as it ensures defenders know as much or more than attackers about their IT environment, instead of the other way around.
7) Pay attention to systems that have propagation capabilities. This includes security tools like antivirus servers, Microsoft SCCM and file integrity management servers because attackers like to use a victim’s security tools against them.
8) Whitelisting security systems are not enough. Defenders need to understand what built-in Windows applications could cause them harm. Monitor logs like you mean it, not just for compliance. Network metadata should be retained for monitoring and investigations.
9)Invest in a threat hunting programme to scan proactively for attackers’ techniques, tactics and procedures. The goal should be to stop attackers before they complete the full attack.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

UK firms buying bitcoins for ransomware attacks

Large UK firms are prepared to pay out more than £136,000 on average to cyber criminals who launch ransomware attacks.

Large UK firms are prepared to pay out more than £136,000 on average to cyber criminals who launch ransomware attacks.

The amount firms with 250 employees or more are willing to pay ransomware attackers is up nearly four times compared with a year ago, according to a survey of 500 IT decision makers by One Poll.

The survey, commissioned by secure connectivity firm Citrix, also shows that more than two-fifths are stockpiling bitcoins in case of a ransomware attack, compared with a third a year ago.

On average, UK firms are stockpiling bitcoin cryptocurrency worth around £46,000, while a third have bitcoins worth more than £50,000 on standby.

The survey also shows that smaller companies are more likely to keep a supply of cryptocurrency such as bitcoin on hand than larger businesses.

Half of the businesses with 250-500 employees polled said they were stockpiling digital currency, up from 36% of this group a year ago. In comparison, just a quarter of businesses with 1,000 or more employees are accumulating cryptocurrency, which is unchanged from 2016.

The decision to stockpile digital currency reflects a widespread attitude that paying a ransom may be necessary. Only 22% of businesses polled said they would be unwilling to pay anything if struck by a ransomware attack, down from 25% a year ago.

UK firms unprepared for ransomware cyber security attack

The 2016 research revealed that one-fifth (20%) of companies with 250-500 employees did not have any contingency measures in place in case of a ransomware attack, however this has fallen to just 7% in 2017.

While many businesses are preparing to block ransomware attacks or pay out if hit, others are missing out on simple cyber hygiene procedures which can limit the impact of a ransomware attack. For instance, over half of large UK firms (55%) still do not back up their data at least once a day.

“Cyber criminals are resorting to ransomware to exploit the vulnerabilities that exist within UK organisations,” said Chris Mayers, chief security architect at Citrix.

“This is no secret, with global attacks hitting the headlines, yet many businesses are still being caught out. Organisations must ensure they’re prepared for the reality of this threat and take action to safeguard the IT network for an attack and protect mission-critical data,” he warned.

Stockpiling a potential ransom may alleviate concerns about ensuring constant access to data, but Mayers said there was no guarantee that data would be returned once a ransom had been paid.

“Instead, committing to robust cyber security techniques and ensuring specific contingency measures are in place to deal with an attack can reduce the chances of falling prey to ransomware in the first place.”

“While more companies are preparing to pay out, many still fail to back data up each day. Organisations should look at dedicated techniques, from encryption to virtualisation, to keep data and apps safe across all devices and desktops – and out of reach of today’s persistent cyber attackers,” he said.

 

 

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Europe faces shortage of 350,000 cyber security professionals by 2022

European companies are expected to go on the world’s biggest cyber security hiring spree in the next 12 months, driving demand for cyber talent that will far outstrip supply, a report has revealed

European companies are expected to go on the world’s biggest cyber security hiring spree in the next 12 months, driving demand for cyber talent that will far outstrip supply, a report has revealed

Nearly 40% of European firms want to grow their cyber security teams by at least 15% in the next year, according to the latest report based on the 2017 Global Information Security Workforce Study.

The study, commissioned by information security certification body (ISC)2, is based on a survey of 19,000 cyber security professionals around the world, including nearly 3,700 respondents in Europe.

Although European organisations have the most ambitious hiring targets in the world, two thirds say they currently have too few cyber security professionals.

Europe faces a projected skills gap of 350,000 workers by 2022, according to the report, which calls for employers to do more to embrace newcomers and a changing workforce.

The study revealed that 92% of hiring managers admit they prioritise previous cyber security experience when choosing candidates, and that most recruitment comes from their own professional networks.

Hiring managers also admitted that they are relying on their social and professional networks (48%), followed closely by their organisation’s HR department (47%), as their primary source of recruitment.

Globally, the report shows that strong recruitment targets, a shortage of talent, and disincentives to invest in training are contributing to the skills shortage, with 70% of employers around the world looking to increase the size of their cyber security staff this year.

The demand is set against a broad range of security concerns that continue to develop at pace, the report said, with the threat of data exposure clearly identified as the top security concern among professionals around the world.

Concern over data exposure is linked to new regulations aimed at enhancing data protection around the world, including Europe’s General Data Protection Regulation (GDPR).

The deadline for compliance with the GDPR is 25 May 2018. After that date, organisations found in breach of the regulation faces fines of up to €20m or 4% of global turnover, whichever is greater.

The report describes a revolving door of scarce, highly paid workers with an unemployment rate of just 1% in Europe.

Organisations are struggling to retain their staff, with 21% of the global workforce saying they have left their jobs in the past year, and facing high salary costs, with 33% of the workforce in Europe in particular making more than £78,000 ($100,000) a year.

“The combination of virtually non-existent unemployment, a shortage of workers, the expectation of high salaries, and high staff turnover that only increases among younger generations creates both a disincentive to invest in training and development and a conundrum for prospective employers of how to hire and retain talent in such an environment,” the report says.

The report recommends that organisations adapt their approach to recruitment and draw from a broader pool of talent. This is backed by findings that show workers with non-computing-related backgrounds account for nearly one-fifth of the current workforce in Europe and that they hold positions at every level of practice, with 63% at manager level or above.

The report also highlights a mismatch between the skills recruiters are looking for and workers’ priorities for developing a successful career, suggesting skillsets may not be keeping pace with requirements.

Currently, the top two skills workers are prioritising include cloud computing and security (60%) and risk assessment and management (41%), while employers prioritise looking for communication (66%) and analytical skills (59%). Only 25% and 20% of workers are prioritising communication and analytical skills, respectively.

Other recommendations include:

Looking beyond social and professional networks as the main channel of recruitment to open doors for new, younger and more diverse talent.
Accepting the need to invest in development and training because more talent is needed to stem the high levels of movement on job markets.
Better communication of current employer requirements because workers prioritise different skills for their professional development than what employers look for in the workforce.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Twenty years of online banking has increased financial awareness

Online banking is helping people manage their finances better and reduce their debt as a result

More than two-thirds of consumers can keep on top of their finances because of the arrival and evolution of online banking, and even more control is guaranteed as competition in the banking sector drives investment in technology.
Download this free guide
94.4% of cloud apps are not secure enough for enterprises

Twenty years after Nationwide launched the UK’s first online banking service, the building society has surveyed 2,000 people in the UK to find out how online banking has changed the way they manage their money.

The survey revealed that 22% of people are in less debt because they can keep a closer eye on their finances. Almost 70% of people said online banking helps them keep on top of their finances and 40% said it helps them budget better.

Saving time is another benefit identified for online banking, with 28% of people saving at least an hour a week by not having to carry out traditional banking tasks such as waiting at ATMs and visiting branches.

Although 10% of people still don’t use online banking services, the pace of take-up and use has accelerated in recent years as the fintech revolution leads to more customer acceptance. Nationwide itself has reported a 73% increase in the number of customer logins in 2016 compared with 2015.

James Smith, Nationwide’s director of mobile and digital, said: “People are using the ability to log on any time, anywhere to try to ensure they are staying well in control of their finances and attempting to avoid any unnecessary debt.”

Smith said consumers are increasingly being drawn to new ways of making their money management easier. “Innovation in personal finance is clearly something that intrigues people, as three in five believe we will be paying for everything via our thumbprint by 2037,” he said.

According to the survey, about half (55%) of people think phones or watches will be used to pay for everything by 2037, and 40% think cash will stop being used in the next 25 years.

But despite the undoubted consumer thirst for online banking services, a recent major survey of UK consumers revealed that bank branches are more important than mobile apps.

The report, conducted by PwC and the British Banking Association, surveyed 2,000 consumers in the UK about their banking preferences. It showed that 68% of consumers think a bank branch is essential when opening a new current account, compared with 25% who favour a mobile app.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Top UK firms’ websites violate key GDPR principle

Over one third of all the public web pages of leading UK companies that collect personal information violate a key principle of new European data protection

Over one third of all the public web pages of leading UK companies that collect personal information violate a key principle of new European data protection

With just a year to go before the deadline to comply with the EU General Data Protection Regulation (GDPR), many UK firms’ websites are capturing personal data insecurely, a study shows.

More controls are needed because most data capture forms found on websites fall within the scope of the GDPR, according to new research by digital threat management firm RiskIQ.

h3::
The EU regulation requires that provisions should be in place to ensure that personally identifiable information (PII) is captured and processed securely.

In the UK, the Information Commissioner has provided guidance that, in the case of data loss where encryption software has not been used to protect the data, regulatory action may be pursued.

The study revealed that 34% of web pages of FT30 firms that collect PII are doing so insecurely, 29% are not using encryption, 3.5% are using vulnerable encryptions algorithms, and 1.5% have expired security certificates.

While the insecure collection of PII is a violation of the GDPR, the study said the loss of personal data, profit and reputation resulting from the use of insecure forms is a legitimate concern for consumers and shareholders.

In addition to personal claim liability, Article 83 provides guidance on fines for GDPR faults, which start at €10m or 2% of global annual turnover for the preceding financial year, whichever is greater – or even double, depending on the infraction.

This applies to all companies actively engaging with European citizens, regardless of whether the firms have a physical presence in Europe.

The GDPR also requires companies to state clearly at the point of capture how they will use an individual’s data. Permission to use their data must be explicit and demonstrated through an action such as ticking a box – a significant departure from the “opt out” process most organisations currently have in place.

The challenge for large, global organisations is the sheer volume and complexity of websites and web applications that need to be accounted for, not only for security purposes, but also for regulatory compliance, such as the GDPR.

Information commissioner Elizabeth Denham called on businesses to see the benefits of sound data protection and act now to prepare for what she called “the biggest change to data protection law for a generation”.

However, 24% of companies polled in the UK and US expect to miss the GDPR compliance deadline and 30.6% said they had no timetable for being GDPR compliant, according to security firm Guidance Software.

Almost 18% said they were in the moderate planning stages and 11% said they were only in the initial stages of implementing processes to ensure compliance.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOWContact Cyber 139

People can be strongest link in cyber security, says NCSC

People are often seen as the weakest link when it comes to cyber security, but that must change, says the National Cyber Security Centre (NCSC).

People are often seen as the weakest link when it comes to cyber security, but that must change, says the National Cyber Security Centre (NCSC).

Information security has traditionally been led by technology and, as a result, the role and value of people has been overlooked. That is the view of Emma W, people-centred security team lead at the UK’s National Cyber Security Centre.

From a hacker perspective, many organisations are still leaving the front door open and the windows unlocked. Failure to protect and handle data correctly can also result in punitive actions for companies participating in the digital economy. Wake up and get the knowledge to get protected.

The perception of people as the weakest link is unfair and a natural consequence of a technology-led security culture.

“We have not always had people working in cyber security with a deep understanding of human behaviour or the input of psychologists, social scientists and the like to tell us why people behave the way they do.

“As a result, organisations tend to treat users as people who should do as they are told, but they don’t always, and often the reason is because they can’t.

“However, these reasons are often not recognised, and instead users are seen as either being unco-operative or stupid, but this is not true and is a perception that we have to turn around,” she said.

An example of where end-users are typically blamed for failures is around passwords, but many organisations have unreasonable expectations.

Most people find it challenging to remember multiple passwords, especially when organisations insist on long and complex passwords that must be changed regularly.

Instead of being critical of employees who fail to adhere to unreasonable password policies, organisations need to have a more sophisticated understanding of how humans can be a security asset, she said.

“They need to understand that if humans appear to be poor at security, it is because they are being required to do things that are difficult or impractical to do.”

The NCSC believes this indicates a need to reshape the relationship between the IT security team in an organisation and users of the IT systems.

While some information security professionals understand that their role is to support and enable the business, Emma W said less progress has been made in understanding how to relate to end-users.

Users still commonly see security as policing role, she said, and do not feel confident enough or too afraid to talk to security teams about the challenges they have and where they feel the need to bend or even flout security rules in order to get their jobs done, for fear of being sanctioned in some way.

“This is the relationship we need to reshape, and a critical part of that is enabling two-way communication between security teams and the rest of the organisation, rather than users’ current common perception that security just sits in its own silo and tells everybody else what they need to do,” she said.

“In reality, security professionals don’t have all the answers and users have a contribution to make in supplying some of the answers. Security professionals need to start listening to what users are trying to do and understand that they can be the strongest, not the weakest link in security.”

End-users should be viewed as a positive asset who have information that security professionals do not have about how the business runs and how it needs to run, rather than be seen as a liability that has to be managed, said Emma W.

“Security professionals need to review how they gather information about security, so they can get the right support to discover the real problems facing their business and fix them,” she said.

Security professionals also need to understand that occasional security awareness training and a poster-based awareness campaign are no substitute for meaningful two-way communication that enables them to know what people need from security and how security can help to support the business.

“It is about security teams finding out what is really going on in an organisation, and why people are not doing the things the security team want them to do – and it is probably not because people are weak, stupid or deliberately trying to sabotage security efforts,” said Emma W.

“Mostly people are well-intentioned and know what they are supposed to be doing, but they are trying to get a work task done and the organisation is not giving them the right way to do it,” she said, with the result that the task may be getting done, but not in the most secure manner possible.

Where employees feel they cannot work within the system or that they are running the risk of being punished for things beyond their control, they will look for alternative ways of working and that is what gives rise to shadow IT and real work processes being driven underground, she said.

For this reason, the NCSC is championing the view that people are potentially organisations’ strongest link when it comes to cyber security and are encouraging organisations to move towards generating positive, collaborative solutions that give users a chance to show that they are the greatest assets in security, as much as they are in business.

Users are typically blamed for failings around passwords, but this is mainly because most people find it difficult to follow company policies on passwords.