UK needs urgent response to online fraud, says NAO

Online fraud is the most common crime in England and Wales and needs an urgent response, according to Parliament’s public spending watchdog.

While tackling online fraud is complex, the Home Office’s response is not proportionate to the threat, according to the National Audit Office (NAO).

Although the City of London Police is the national lead force for online fraud and runs the Action Fraud national centre for reporting fraud, police and crime commissioners and chief constables are responsible for policing in their local areas.

Although the face of crime is changing, the NAO’s report said police forces take different approaches to tackling online fraud and for some it is not a priority. Only 27 out of 41 police and crime commissioners refer to online fraud in their most recent annual police and crime plans.

“For too long, as a low value but high volume crime, online fraud has been overlooked by government, law enforcement and industry,” said Amyas Morse, head of the National Audit Office.

“It is now the most commonly experienced crime in England and Wales and demands an urgent response. While the Home Office is not solely responsible for reducing and preventing online fraud, it is the only body that can oversee the system and lead change.

“The launch of the Joint Fraud Taskforce in February 2016 was a positive step, but there is still much work to be done. At this stage, it is hard to judge that the response to online fraud is proportionate, efficient or effective,” he said.

In the year ending 30 September 2016, the Office for National Statistics (ONS) estimated that there were 1.9 million incidents of cyber-related fraud in England and Wales, or 16% of all estimated crime incidents.

Online fraud includes criminals accessing citizens’ and businesses’ bank accounts, using their plastic card details, or tricking them into transferring money.

“Hidden” crimes require new and different responses, yet despite the level of economic crime, statistics suggest police forces remain more focused on traditional crimes, the report said. It highlighted that in 2016 one in six police officers had neighbourhood policing as their main function, while only one in 150 had economic crime as theirs.

According to the NAO, the Joint Fraud Taskforce set up by the Home Office to raise awareness of online fraud, reduce card-not-present fraud and return money to fraud victims is a positive step. But the report said the Home Office faces a challenge in influencing other partners such as banks and law enforcement bodies to take on responsibility for preventing and reducing fraud. The report said £130m is held in banks that cannot accurately be traced back and returned to fraud victims.

In addition, without accurate data, the report said the Home Office does not know whether its response is sufficient or adequate.

Measuring the impact of campaigns and the contribution government makes to improving online behaviours is challenging, according to the NAO.

According to the NAO, the growing scale of online fraud suggests that many people are still not aware of the risks and that there is much to do to change behaviour. In addition, the report said that different organisations running campaigns, with slightly different messages, can confuse the public and reduce the campaigns’ impact.

While educating consumers is sensible, the NAO said government and industry still have a responsibility to protect citizens and businesses. The report said the protection banks provide varies, with some investing more than others in educating customers and improving their anti-fraud technology. The ways banks work together in responding to scams also needs to improve.

Although there are examples of good practice in protecting people against online fraud, such as Sussex Police’s initiative to help bodies such as banks and charities identify potential victims, the NAO said there is no clear mechanism for identifying, developing and sharing good practice to prevent people becoming victims.

The government wants the police and judiciary to make greater use of existing laws, but the NAO found that stakeholders had mixed views on the adequacy of current legislation. The international and hidden nature of online fraud makes it difficult to pursue and prosecute criminals because of the need for international co-operation and an ability to take action across borders, the report said.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident, please ring us now on 01242 521967 or email assist@cyber139.com or complete the form on our contact page NOW. Contact Cyber 139

Key lessons from Petya cyber security ransomware attack

The recent Petya cyber security attack does not follow other recent attacks.

Security researchers are struggling to reach consensus on whether the ransomware responsible for the latest global attacks is a new version of Petya or not, and even whether it was true ransomware, but what they have learned so far could help guide security strategies.

Those in support of retaining the Petya name point out that it essentially behaves in exactly the same way because it is designed to:

Encrypt files on disk without changing the file extension.
Forcibly reboot the machine upon infection.
Encrypt the Master Boot Record on affected machines.
Present a fake CHKDSK screen as a cover for the encryption process.
Present a near-identical ransom demand screen after completing its activities.

According to the latest update on the malware, Kaspersky Lab says code analysis has revealed it is technically impossible to decrypt victims’ disks.

To decrypt a victim’s disk threat actors need the installation ID, and in previous versions of “similar” ransomware like Petya/Mischa/GoldenEye, this installation ID contained the information necessary for key recovery, researchers at the security firm said.

However, they found the new malware – which they have dubbed ExPetr – does not have any such recovery mechanism, which means the threat actor could not extract the necessary information needed for decryption.

In short, victims could not recover their data even if they paid the ransom, the researchers said, which again calls into question the motive behind the malware.

This discovery not only endorses the security community’s earlier advice not to pay the ransom, but also raises further questions about the true purpose of the malware and is likely to fuel speculation that it was intended purely to cause disruption, or to mask some other malicious activity.

This view is supported by the latest statement from the UK National Cyber Security Centre (NCSC), which said that while managing the impact of the incident on the UK, its experts had found evidence that questions the initial judgement that the intention was to collect a ransom. “We are investigating with the NCA and industry whether the intent was to disrupt rather than for any financial gain,” the NCSC said.

Whatever the true purpose, analysis of the malware has confirmed some of the lessons learned from WannaCry and added others which organisations should consider in order to improve their cyber defence capabilities against future threats.

The key lessons from the cyber security attack that have emerged so far are:

1. Having the latest versions of software and ensuring they are patched up to date will go a long way in reducing organisations’ vulnerability to cyber attack.

2. Malware is increasingly using legitimate tools for malicious activity to go undetected. In the case of ExPetr, two common Windows administrative tools, Windows Management Instrumentation Command-line (WMIC) and PsExec were used.

3. Malware is hijacking software updating mechanisms to spread malware, and is likely to use this technique increasingly in future.

4. An appropriate and well-tested backup and recovery plan for critical systems and data will go a long way to mitigating the effects of ransomware and other malware attacks, regardless of its particular characteristics.

5. Malware is abusing security tools to discover usernames and passwords, which means organisations should ensure they have appropriate systems and procedures in place to prevent credential abuse.

ExPetr uses the publicly available Mimikatz tool to obtain, in plaintext, the credentials of Windows users logged on to the infected machine, including local administrators and domain users, and uses them to spread itself across local networks. You can find more details at: https://github.com/gentilkiwi/mimikatz

Victims of latest global ransomware attack urged not to pay

Victims of the latest global ransomware attack are urged not to pay, while some researchers claim to have found a local kill switch or vaccine.

The new ransomware, dubbed ExPetr by Kaspersky Lab, has been linked to Petya, because, like that family of ransomware, it also attempts to encrypt the hard drive’s master boot record (MBR), locking victims out of their computer – not just files.

Security researchers have also highlighted that ExPetr does not rely only on the EternalBlue exploit, which targets a known vulnerability in the server message block (SMB) protocol in Microsoft Windows, for propagation.

ExPetr also spreads using the EternalRomance exploit, which targets Windows XP to Windows Server 2008 systems over TCP port 445, and through abuse of the legitimate command line tools PsExec and Windows Management Instrumentation Command-line (WMIC).

The ransomware also uses the publicly available Mimikatz tool to obtain, in plaintext, the credentials of Windows users logged on to the infected machine, including local administrators and domain users.

This means computers may still be vulnerable even if the Microsoft patches for the EternalBlue and EternalRomance exploits have been applied, because the credential-based spreading needs no exploit at all. The two exploits are believed to have been developed by the NSA and subsequently stolen and leaked by the Shadow Brokers group.

However, the immediate application of the Microsoft patches is still advised for any unpatched machines.

In light of the fact that the attackers’ email account for accepting ransom payments has been shut down, victims are also advised not to pay the $300 ransom as it is unlikely they will receive a key for decrypting affected files.

Security researchers monitoring the bitcoin wallet associated with the ransomware report that a few hours after the attack began, the wallet began receiving funds, indicating some victims were willing to pay almost immediately. However, only about 26 victims are believed to have paid on the first day.

To prevent the ransomware from spreading in the network, it is recommended to turn off computers that have not yet been infected, disconnect infected hosts from the network, and make disk images of compromised systems.

This approach could be useful for restoring data, the firm said, if researchers find a way to decrypt the files. In addition, these images can be used to analyse the ransomware.

Researchers at the firm also claim to have found a kill switch to disable the ransomware locally.

The researchers found that the ransomware checks whether a file named perfc is present in the C:\Windows\ folder before executing. They suggest that creating a file with that name in the folder prevents the MBR from being overwritten and stops further encryption. Similarly, other researchers have suggested that blocking C:\Windows\perfc.dat from being written or executed could halt the ransomware.

Anti-ransomware recommendation for businesses

Use the Windows AppLocker feature to block execution of any file named “perfc.dat”, as well as the PsExec utility from the Sysinternals Suite.
Isolate infected endpoints as soon as possible.
Use the indicators of compromise to update security systems.
Develop a system of regular training courses for employees to increase their awareness of information security issues by demonstrating practical examples of potential attacks on the company’s infrastructure.
Install antimalware software with self-protection that requires a special password for disabling or changing its settings.
Ensure regular updates of software and operating systems on all hosts of the corporate infrastructure, as well as an effective process of managing vulnerabilities and updates.
Conduct regular information security audits and penetration tests, which allow timely detection of existing deficiencies in protection and of vulnerabilities.
Monitor the corporate network perimeter to control network service interfaces accessible from the internet and correct the configuration of firewalls in a timely manner.
Monitor the internal network to detect and eliminate an attack that has already occurred.

To apply this local kill switch or vaccine, administrators need to locate the C:\Windows\ folder and create a file named perfc, with no extension name.
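As an added example (not code from the page or from the researchers who published the check), the following creates the vaccine files read-only, so the “block writing or executing” variant mentioned above is covered as well. The Windows folder is a parameter so the code can be exercised against a scratch directory; on a real host you would run vaccinate(r"C:\Windows") from an elevated prompt. The file names are the ones the page cites; the self_test helper is the example’s own.

```python
import stat
import tempfile
from pathlib import Path

# File names the reports say the malware looks for in C:\Windows before running.
VACCINE_NAMES = ("perfc", "perfc.dat")


def vaccinate(windows_dir):
    """Create zero-length, read-only files with the vaccine names in windows_dir.
    Returns the names created; files that already exist are left untouched."""
    created = []
    for name in VACCINE_NAMES:
        target = Path(windows_dir) / name
        if target.exists():
            continue
        target.touch()
        # Read-only for everyone: also blocks the malware writing its payload here.
        target.chmod(stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH)
        created.append(name)
    return created


def vaccine_status(windows_dir):
    """Per vaccine name: True when the file exists and has no owner-write bit."""
    status = {}
    for name in VACCINE_NAMES:
        target = Path(windows_dir) / name
        status[name] = target.exists() and not (target.stat().st_mode & stat.S_IWUSR)
    return status


def self_test():
    """Exercise vaccinate() on a scratch directory (example helper, not part of
    the documented procedure). Returns (first run, status, second run)."""
    with tempfile.TemporaryDirectory() as scratch:
        first = vaccinate(scratch)
        status = vaccine_status(scratch)
        second = vaccinate(scratch)
        for name in VACCINE_NAMES:  # restore the write bit so cleanup works on Windows
            (Path(scratch) / name).chmod(stat.S_IREAD | stat.S_IWRITE)
    return first, status, second


if __name__ == "__main__":
    print(self_test())
    # On a real host, as an administrator: print(vaccinate(r"C:\Windows"))
```

The vaccine only defeats this build’s local check; it does nothing to stop the SMB exploits or the stolen credentials reaching the host, so patching and the isolation steps above still apply.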

According to Kaspersky Lab, around 2,000 machines had been hit by the ransomware by the end of the first day of attacks, which appears to indicate ExPetr is spreading much more slowly than WannaCry.

Code analysis showed that the new ransomware does not attempt to spread itself beyond the network it is placed on, leading several experts to predict the attack will not spread significantly further than it did on the first day unless it is modified.

Known victims of the ransomware include Ukraine’s central bank, Ukrainian electricity supplier Ukrenergo, the Chernobyl nuclear power plant, airport and metro services throughout Ukraine, UK advertising firm WPP, US-based pharmaceutical company Merck, multinational law firm DLA Piper, Danish shipping company A.P. Moller-Maersk, Russian oil company Rosneft, Pennsylvania hospital operator Heritage Valley Health System, Netherlands-based shipping company TNT and French construction materials company Saint-Gobain.

UK’s Parliament suffered cyber security attack over the weekend.

Both Houses of Parliament sustained a determined cyber security attack on their networks.

Remote access to the accounts of parliamentary network users was suspended on Saturday 24 June after unauthorised access attempts were detected.

This meant MPs and other staff were unable to access their accounts remotely, but IT services within the parliamentary estate continued to function normally.

Parliament said in a statement on Sunday that the parliamentary network and systems had been protected from the attack to ensure the Houses’ business could continue.

Although investigations are ongoing, the statement said that “significantly fewer” than 90 of the 9,000 accounts on the parliamentary network had been compromised as a result of the use of weak passwords that did not conform to guidance issued by the Parliamentary Digital Service.

“As they are identified, the individuals whose accounts have been compromised have been contacted and investigations to determine whether any data has been lost are under way,” the statement said, adding that Parliament was putting plans in place to resume its wider IT services.

In an email to parliamentary network account holders late on Friday, Rob Greig, director of the Parliamentary Digital Service, said unusual activity and evidence of an attempted cyber attack had been discovered earlier in the day.

“Closer investigation by our team confirmed that hackers were carrying out a sustained and determined attack on all parliamentary user accounts in an attempt to identify weak passwords,” he said. “These attempts were specifically trying to gain access to users’ emails.”

Although the Parliamentary Digital Service was able to detect the unusual activity indicating that an attempted cyber attack was under way and took swift action to limit the potential impact by temporarily shutting down remote access to the network, it is unclear why password guidance was not enforced properly.

The statement issued by Parliament appears to blame account holders for not following official password guidelines, but it also reveals that there was no mechanism for enforcing the password policy: guidance that is not technically enforced will always leave some weak passwords for an attacker to guess.

UK security services reportedly believe the attack is more likely to have been state sponsored than the work of a criminal hacking group; an unnamed security source was cited as saying it was a brute force attack that appeared to be state sponsored.

The incident comes just days after it emerged that the passwords and email addresses of MPs, parliamentary staff, diplomats and senior police officers had been sold, bartered and then made available for free on Russian-speaking hacking forums.

The Guardian reported that the Russian government was the top suspect in the parliamentary attack, but the paper’s source also said it was “notoriously difficult” to attribute an incident to a specific actor, and security commentators have said it is too early to say who was responsible.

“Such an attack is very simple and cheap to organise, and virtually any teenager could be behind it,” said Ilia Kolochenko, CEO of web security company High-Tech Bridge.

“I would abstain from blaming any state-sponsored hacking groups because with such an unacceptably low level of security, they have likely already been reading all emails for many years without leaving a trace.”

Kolochenko said this incident highlighted once again that cyber security fundamentals were being ignored even by the governments of leading countries.

“Today, two-factor authentication, advanced IP filtering and anomalies detection systems are a must-have for critical systems accessible from the internet,” he said.

“Strict password policies and regular audits for weak and non-compliant passwords are also vital for corporate security. However, apparently, none of these simple but efficient security controls were properly implemented.”
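The activity described in this incident (failed logins across every account, looking for weak passwords) and the anomaly detection Kolochenko calls for are both visible in authentication logs. The block below is an added example, not code from the page or from the Parliamentary Digital Service. Over constructed log lines (the format, usernames and addresses are assumptions) it raises an alert when one source fails against many distinct accounts inside a time window (a password spray), when it fails repeatedly against a single account (classic brute force), and when a flagged source then logs in successfully, which is the account to reset first.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed authentication log lines (format, names and addresses are assumptions).
SAMPLE_LOG = """\
2017-06-23T14:00:01Z src=203.0.113.5 user=a.smith result=FAIL
2017-06-23T14:00:02Z src=203.0.113.5 user=b.jones result=FAIL
2017-06-23T14:00:03Z src=203.0.113.5 user=c.brown result=FAIL
2017-06-23T14:00:04Z src=203.0.113.5 user=d.white result=FAIL
2017-06-23T14:00:05Z src=203.0.113.5 user=e.green result=FAIL
2017-06-23T14:00:06Z src=203.0.113.5 user=f.black result=SUCCESS
2017-06-23T14:00:07Z src=198.51.100.9 user=a.smith result=FAIL
2017-06-23T14:00:09Z src=198.51.100.9 user=a.smith result=FAIL
2017-06-23T14:00:12Z src=198.51.100.9 user=a.smith result=FAIL
2017-06-23T14:00:14Z src=198.51.100.9 user=a.smith result=FAIL
2017-06-23T14:00:15Z src=198.51.100.9 user=a.smith result=FAIL
2017-06-23T14:00:16Z src=198.51.100.9 user=a.smith result=FAIL
2017-06-23T14:30:00Z src=192.0.2.20 user=g.grey result=FAIL
2017-06-23T14:30:05Z src=192.0.2.20 user=g.grey result=SUCCESS
"""


def parse(text):
    """Parse 'timestamp key=value ...' lines into dicts carrying a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Return alerts in time order.
    password_spray: one source fails against >= spray_users distinct accounts inside window.
    brute_force:    one source fails >= brute_attempts times against one account inside window.
    success_after_attack: a source already flagged then authenticates successfully."""
    alerts = []
    fails_by_src = defaultdict(deque)    # src -> (ts, user) failures still inside window
    fails_by_pair = defaultdict(deque)   # (src, user) -> ts failures still inside window
    flagged_src, seen = set(), set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        src, user, ts = ev["src"], ev["user"], ev["ts"]
        if ev["result"] == "FAIL":
            q = fails_by_src[src]
            q.append((ts, user))
            while ts - q[0][0] > window:          # slide the window forward
                q.popleft()
            distinct = {u for _, u in q}
            if len(distinct) >= spray_users and ("spray", src) not in seen:
                seen.add(("spray", src))
                flagged_src.add(src)
                alerts.append({"type": "password_spray", "src": src, "accounts": len(distinct)})
            p = fails_by_pair[(src, user)]
            p.append(ts)
            while ts - p[0] > window:
                p.popleft()
            if len(p) >= brute_attempts and ("brute", src, user) not in seen:
                seen.add(("brute", src, user))
                flagged_src.add(src)
                alerts.append({"type": "brute_force", "src": src, "user": user, "attempts": len(p)})
        elif ev["result"] == "SUCCESS" and src in flagged_src:
            alerts.append({"type": "success_after_attack", "src": src, "user": user})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The thresholds are deliberately low for the sample; in production they are tuned per portal, and a spray alert should trigger a temporary lockout of the source rather than of the targeted accounts, since locking accounts is exactly the denial of service a sprayer can cause for free.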

Queen’s Speech praised for certainty on data protection

The Queen’s Speech has been praised for removing any doubt about the UK’s commitment to data protection.

The government has promised a new data protection law aimed at incorporating the EU General Data Protection Regulation (GDPR) into UK law.

This is a significant move that will provide businesses with certainty on the UK’s intention to meet the obligations of the GDPR.

The UK has long been a world leader in data protection. We have one of the strongest regulatory frameworks in the world and our system is highly respected. We can now build on these foundations to ensure the country continues to be a real destination for data-driven business post-Brexit.

Although the GDPR has been finalised and will come into effect in May 2018, it gives EU member states some leeway to introduce their own optional exceptions in areas such as crime prevention, and also to add their own provisions in areas such as staff data processing.

Countries such as Germany have already started this process, so it is in the UK’s interests that the government follows suit and gives businesses some certainty as soon as possible, given the high fines which will apply in this area in less than 12 months’ time.

While the GDPR will be incorporated into UK law post-Brexit, the proposed bill adds further safeguards, including an overhaul of the powers of law enforcement and of the information commissioner.

If the government is serious about making the UK the safest country in the world to be an online user, this legislation is another step towards that goal.

Establishing a world class data protection regime

Peter Carlisle, vice-president for Europe at Thales e-Security, said it was encouraging to see that the UK government will be placing a greater emphasis on establishing a world-class data protection regime.

“The greater the volumes of data accessible online, the greater the potential for exposure and the increased chance of hackers taking advantage of systems that some have thought impregnable,” he said. “Ensuring that both individuals and businesses have as much control as possible over where and how their data is used is critical to the UK’s broader cyber security strategy.”

Beaming, a specialist business internet service provider also welcomed the government’s commitment to improving cyber security.

“Cyber security breaches cost businesses almost £30 billion last year, and small firms in particular are accelerating investment in security technologies to protect themselves and their customers from threats online,” said Sonia Blizzard, managing director of Beaming.

“Making the UK the best place to start and run a digital business requires far more than a commitment to boosting security,” she said. “As customer expectations and data usage grow, factors such as speed and service resilience become ever more important, so it is vital that the Conservatives keep their manifesto pledge to accelerate rollout of the full-fibre technology that will improve service across the country and establish the clear path to national fibre coverage they’ve promised over the next decade.”

Research conducted for Beaming earlier this year found that UK businesses were subjected to almost 230,000 cyber attacks each, on average, during 2016; that 52% of UK businesses fell victim to some form of cyber crime in 2016, at a cost of £29.1bn; that viruses and phishing attacks were the most common corporate cyber threats, affecting 23% of the businesses surveyed; and that just under a fifth of firms suffered some form of hack or data breach in 2016.

How to prevent cyber security attacks and protect your organisation

Taking action in 10 key areas can prevent cyber security attacks and protect your organisation against the risk of breaches.

Attacker tradecraft is changing. A classic example is that attackers are relying less on malware and instead using administrative tools built into operating systems such as Microsoft Windows, which are already present, already trusted and rarely alerted on.

Similarly, fewer attackers are using round the clock communications with their command and control servers to avoid detection by security tools that monitor for such communications.

Attackers are also developing anti-forensics techniques: they work out which artefacts forensic tools rely on, then either avoid creating them or wipe them as part of the attack.

Increasingly common ways of getting into organisations include phishing sent from the compromised email accounts of the target’s friends, partners, clients and colleagues, and through subscribed mailing lists, which recipients tend to trust.

We are also seeing the use of publicly available information from a variety of sources to reset account passwords and take control of accounts, or to create subdomains of legitimate organisations to trick people into sharing their usernames and passwords.

Cyber defenders should also be aware that attackers are increasingly breaching branch or overseas office networks, then using various techniques to hop across to the main network, and exploiting undisclosed vulnerabilities in publicly available portals, such as password reset portals.

We are seeing attackers using a webshell on web servers to issue commands, using tools such as Mimikatz and Mimikittenz to extract passwords from computer memory, using task scheduler to execute commands, using tunnelling tools such as Tunna Webshell on a compromised webserver to hop around networks, and using signed binaries to run malicious code in dynamic link libraries (DLLs).
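The tradecraft in the paragraph above, and the WMIC and PsExec spread described in the Petya lessons earlier on this page, are what a detection rule set has to catch when there is no malware signature to match. The following is an added example, not code from the original page or from any vendor: it classifies constructed process-creation records (the field names and every hostname, user and path are assumptions) for remote process creation via WMIC, a PsExec service install, remote scheduled-task creation, rundll32 loading a DLL from a user-writable path, a shell spawned by a web server process, and Mimikatz command-line modules.

```python
import ntpath
import re

# Constructed process-creation records. Field names are an assumption for this
# example, not real Sysmon or Windows 4688 output.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\alice", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": r'wmic /node:ws02 /user:CORP\admin process call create "rundll32 C:\Windows\perfc.dat,#1"'},
    {"host": "ws02", "user": "NT AUTHORITY\\SYSTEM", "parent": "services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "ws03", "user": r"CORP\bob", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks /create /s ws04 /tn updater /tr C:\temp\x.bat /sc once /st 00:00"},
    {"host": "web01", "user": r"IIS APPPOOL\DefaultAppPool", "parent": "w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "ws05", "user": r"CORP\carol", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\carol\AppData\Local\Temp\a.dll,Start"},
    {"host": "ws07", "user": r"CORP\admin", "parent": "cmd.exe",
     "image": r"C:\Users\Public\mk.exe",
     "cmdline": 'mk.exe "privilege::debug" "sekurlsa::logonpasswords"'},
    {"host": "ws06", "user": r"CORP\dave", "parent": "explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": "WINWORD.EXE"},
]

WEB_SERVERS = {"w3wp.exe", "httpd.exe", "nginx.exe", "tomcat.exe", "php-cgi.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Paths an ordinary user can write to; signed system binaries loading code from here is suspicious.
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|temp|windows\\temp)\\", re.I)


def _base(path):
    return ntpath.basename(path).lower()


def classify(ev):
    """Return the technique labels matched by one process-creation event."""
    image, parent = _base(ev["image"]), _base(ev["parent"])
    cmd = ev["cmdline"].lower()
    hits = []
    if image == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        hits.append("remote process creation via WMIC")
    if image == "psexesvc.exe" or (parent == "services.exe" and "psexesvc" in image):
        hits.append("PsExec service installed")
    if image == "schtasks.exe" and "/create" in cmd and re.search(r"\s/s\s", cmd):
        hits.append("remote scheduled task creation")
    if image == "rundll32.exe" and USER_WRITABLE.search(cmd):
        hits.append("rundll32 loading DLL from user-writable path")
    if parent in WEB_SERVERS and image in SHELLS:
        hits.append("shell spawned by web server (possible webshell)")
    if "sekurlsa::" in cmd or "mimikatz" in cmd:
        hits.append("Mimikatz command line")
    return hits


def detect(events):
    """Run classify() over every event and return one finding per matched technique."""
    findings = []
    for ev in events:
        for label in classify(ev):
            findings.append({"host": ev["host"], "user": ev["user"],
                             "technique": label, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f['host']:6} {f['technique']:48} {f['cmdline']}")
```

Each rule keys on a parent-child relationship or a command-line shape rather than a file hash, which is the point of the paragraph: the binaries are legitimate, so the behaviour is what has to be monitored, and the same process-creation telemetry (Sysmon event 1 or Windows 4688 with command-line logging enabled) feeds all six rules.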

Steps to improve your cyber security protection

1) There needs to be a mindset shift. Organisations need to understand that if they have any data of value, attackers will come after them. Having a protection plan of highest risk assets is one thing, but organisations need to ask if they can detect unauthorised access to the assets.
2) Know where there is a security risk. We often hear that organisations are unaware of the existence of a server or that it contained sensitive data.
3) Organisations need to understand that it is not enough to secure the data on servers because there is a lot of sensitive data on endpoints. Organisations often overlook data in emails, spreadsheets, browser password and session cookies.
4) Avoid single factor authentication, not just for the main VPN access, but whatever other public portals an organisation has, such as Outlook Web Access (OWA).
5) Consider advanced threat detection systems to get more context on threats. Remember, real attacks start when attackers get inside the environment and pose like insiders.
6) Avoid burn out for cyber security administrators. When you hire top talent for security innovations, don’t give them the day to day stuff that consumes most of their time as continuity in a security team is a good thing as it ensures defenders know as much or more than attackers about their IT environment, instead of the other way around.
7) Pay attention to systems that have propagation capabilities. This includes security tools like antivirus servers, Microsoft SCCM and file integrity management servers because attackers like to use a victim’s security tools against them.
8) Whitelisting security systems are not enough. Defenders need to understand what built-in Windows applications could cause them harm. Monitor logs like you mean it, not just for compliance. Network metadata should be retained for monitoring and investigations.
9) Invest in a threat hunting programme to scan proactively for attackers’ techniques, tactics and procedures. The goal should be to stop attackers before they complete the full attack.

UK firms buying bitcoins for ransomware attacks

Large UK firms are prepared to pay out more than £136,000 on average to cyber criminals who launch ransomware attacks.

The amount firms with 250 employees or more are willing to pay ransomware attackers is up nearly four times compared with a year ago, according to a survey of 500 IT decision makers by OnePoll.

The survey, commissioned by secure connectivity firm Citrix, also shows that more than two-fifths are stockpiling bitcoins in case of a ransomware attack, compared with a third a year ago.

On average, UK firms are stockpiling bitcoin cryptocurrency worth around £46,000, while a third have bitcoins worth more than £50,000 on standby.

The survey also shows that smaller companies are more likely to keep a supply of cryptocurrency such as bitcoin on hand than larger businesses.

Half of the businesses with 250-500 employees polled said they were stockpiling digital currency, up from 36% of this group a year ago. In comparison, just a quarter of businesses with 1,000 or more employees are accumulating cryptocurrency, which is unchanged from 2016.

The decision to stockpile digital currency reflects a widespread attitude that paying a ransom may be necessary. Only 22% of businesses polled said they would be unwilling to pay anything if struck by a ransomware attack, down from 25% a year ago.

UK firms unprepared for ransomware cyber security attack

The 2016 research revealed that one-fifth (20%) of companies with 250-500 employees did not have any contingency measures in place in case of a ransomware attack, but this has fallen to just 7% in 2017.

While many businesses are preparing to block ransomware attacks or pay out if hit, others are missing out on simple cyber hygiene procedures which can limit the impact of a ransomware attack. For instance, over half of large UK firms (55%) still do not back up their data at least once a day.

“Cyber criminals are resorting to ransomware to exploit the vulnerabilities that exist within UK organisations,” said Chris Mayers, chief security architect at Citrix.

“This is no secret, with global attacks hitting the headlines, yet many businesses are still being caught out. Organisations must ensure they’re prepared for the reality of this threat and take action to safeguard the IT network for an attack and protect mission-critical data,” he warned.

Stockpiling a potential ransom may alleviate concerns about ensuring constant access to data, but Mayers said there was no guarantee that data would be returned once a ransom had been paid.

“Instead, committing to robust cyber security techniques and ensuring specific contingency measures are in place to deal with an attack can reduce the chances of falling prey to ransomware in the first place.”

“While more companies are preparing to pay out, many still fail to back data up each day. Organisations should look at dedicated techniques, from encryption to virtualisation, to keep data and apps safe across all devices and desktops – and out of reach of today’s persistent cyber attackers,” he said.

GCHQ-developed phone security open to surveillance

A security researcher has said software developed by the UK intelligence agency GCHQ contains weaknesses making it possible to eavesdrop on phone calls.

The security protocol is used to encrypt Voice over Internet Protocol (VoIP) calls.

In a blog post, University College London researcher Steven Murdoch said the encryption process was vulnerable.

GCHQ said it was “totally wrong” to suggest there was a “backdoor” into conversations.

Dr Murdoch did not say that the vulnerability would give direct access to conversations, but that it would make it possible to undermine the system’s security.

The network operator could listen in to calls, or authorise someone else to, and anyone who hacked the system would be able to eavesdrop, he said.

One of Dr Murdoch’s chief concerns was that the security standard has “key escrow” by design – meaning, for example, that a third party has access to data sent between two people in a conversation.

This, he said, is an example of a backdoor. In this case, it could allow an intelligence agency, or the organisation using the standard, to intercept phone calls.

“I think this comes from a conflict of interest within GCHQ in that they are there to prevent spying but they are also there to spy – so they facilitate spying,” he said.

Dr Murdoch added that he was aware of two products that use the standard, both of which are government certified. “They could be in use inside government,” he said.

The protocol in question is known as MIKEY-SAKKE (Multimedia Internet KEYing with Sakai-Kasahara Key Encryption).

It works by generating encryption keys that are used to encrypt and decrypt voice conversations. Although it is technically possible to create these keys on two separate computers and only share part of those keys publicly, the Mikey-Sakke protocol does not do this.
Instead, keys are distributed by a third party to the conversation participants – the process known as key escrow – meaning that they are much more vulnerable to interception.
It was up to GCHQ, he said, to make the scope of the protocol clear.
“If you don’t explain how you’re going to use it, what systems it’s going to be used in, what the scope and limit of the escrow facility is, then you’re going to get bad publicity,” he said.
A spokesman for GCHQ said: “We do not recognise the claims made in this paper.
“The Mikey-Sakke protocol enables development of secure, scalable, enterprise grade products.”
In a statement, GCHQ added: “Organisations using Mikey-Sakke do not share a common Key Management Server, so it is totally wrong to suggest there is a secret master key or ‘backdoor’ that would allow GCHQ or any other third party to access real time or historic conversations.”
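To make the distinction drawn above concrete, here is an added example (not from the article, and not code from any MIKEY-SAKKE implementation) contrasting a two-party key agreement, where each side publishes only part of its key material, with an escrow pattern where a key management server mints the session key and hands it to both parties. The server's retained copy is precisely what lets it, or anyone who compromises it, decrypt the call. The group parameters are toy-sized and constructed for illustration only.

```python
import hashlib
import secrets

# Toy Diffie-Hellman parameters, constructed for illustration only:
# 2**127 - 1 is a Mersenne prime, but this group is far too small for real use.
P = 2**127 - 1
G = 5


def derive_key(shared_secret: int) -> bytes:
    """Turn a shared integer into a 256-bit session key."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def dh_exchange():
    """Two-party agreement: each side keeps a private exponent and publishes
    only g^x mod p. Returns (alice_key, bob_key, wire_view), where wire_view
    is the pair of public values an observer on the network sees."""
    a = secrets.randbelow(P - 2) + 1
    b = secrets.randbelow(P - 2) + 1
    A = pow(G, a, P)
    B = pow(G, b, P)
    alice_key = derive_key(pow(B, a, P))
    bob_key = derive_key(pow(A, b, P))
    return alice_key, bob_key, (A, B)


def escrow_exchange():
    """Key-escrow pattern: a key management server (KMS) mints the session
    key and distributes it. Returns (alice_key, bob_key, kms_copy)."""
    session_key = secrets.token_bytes(32)
    kms_copy = session_key  # the server necessarily retains what it issued
    return session_key, session_key, kms_copy


def third_party_can_decrypt(party_key: bytes, third_party_material) -> bool:
    """True when what the third party holds is the session key itself.
    For the DH case the material is only the public values, which are not
    the key; for the escrow case it is the key."""
    if isinstance(third_party_material, bytes):
        return third_party_material == party_key
    return any(derive_key(v) == party_key for v in third_party_material)


if __name__ == "__main__":
    ak, bk, view = dh_exchange()
    print("DH: parties agree:", ak == bk, "| observer has key:", third_party_can_decrypt(ak, view))
    ek, _, kms = escrow_exchange()
    print("Escrow: parties agree: True | KMS has key:", third_party_can_decrypt(ek, kms))
```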

Only 5% of FT 100 cos have cyber board member expertise

Only 5% of FT 100 company boards have a board director with specialist technology or cyber security experience, according to research by Deloitte.

This is despite cyber risk being identified as a principal risk by the vast majority of them. Of the type of cyber attacks disclosed as a threat, unauthorised access to systems ranked most common (19%), followed by hacking (13%) and malware (13%). Distributed denial of service (DDoS) attacks were only mentioned by five companies, despite Deloitte predictions that we could see ten million DDoS incidents in 2017.

More than half of companies mentioned cyber contingency, crisis management or disaster recovery plans in their annual report. Of these, however, only 58% disclosed that these plans had been simulated in test scenarios over the year.

The most commonly disclosed potential impacts of cyber breaches were business disruption (68%), reputational damage (58%), and data loss (45%).

Clearly, the more frequently and stringently mitigation plans are tested, the more resilient and responsive the company. Interestingly, very few reports identified employee action as one of their cyber security threats. Company employees are, knowingly or unintentionally, the most common cause of a cyber breach.

Deloitte’s analysis proposes seven principles to improve cyber disclosure when finalising reporting:

  • Every sector, although not every company, identifies cyber as a principal risk – think carefully if you have not done so.
  • The value destruction capability of cyber risk is very high, ranging from remediation demands to huge reputational damage. Detailed disclosure is therefore worthwhile to highlight the risks to shareholders and let them know you are taking it seriously.
  • The better disclosures are company specific, year specific and provide sufficient detail to give meaningful information to investors and other stakeholders.
  • Boards and board committees are increasingly educating themselves about the cyber threat and challenging management on how they are dealing with the risk.
  • Companies should take credit for what they are doing, including describing who has executive responsibility, board level responsibilities, the policy framework, internal controls, and disaster recovery plans.
  • Boards should think about what could be missing from their disclosures, for example a clear indication of the main threats facing the company, who poses those threats, the likelihood, possible impact and detail about what the company – and the board – is doing to manage or mitigate those particular risks.
  • Finally, if your disclosure does not look strong enough after taking credit for what the company is doing already, it is time to ask whether you are actually doing enough to manage cyber risk.

The report can be found at: https://www2.deloitte.com/uk/en/pages/press-releases/articles/just-5-of-ftse-100-companies-disclose.html


Cost of Yahoo hack shows executive cyber security responsibilities

Yahoo’s recent hacks reinforce the responsibilities of board executives for cyber security, as the data losses have cost its top lawyer his job, CEO Marissa Mayer millions in bonuses, and $350 million off its sale price.

The Yahoo board has decided to withhold CEO Marissa Mayer’s 2016 annual bonus in connection with a series of data breaches and accepted her offer to forego her 2017 stock award.

The SEC filing also revealed that general counsel Ronald Bell has resigned without severance pay after an independent committee brought in to investigate the breaches concluded that the Yahoo management team failed to respond effectively to the breach discovered in 2014.

The investigation report said that although Yahoo’s security team had uncovered evidence that a hacker backed by an unnamed foreign government had breached user accounts in 2014, executives “failed to act sufficiently” and that the incident “was not properly investigated and analysed at the time.”

The investigation revealed that at the time the breach was discovered, Yahoo notified only 26 people that their accounts had been breached.

“The Independent Committee found that failures in communication, management, inquiry and internal reporting contributed to the lack of proper comprehension and handling of the 2014 Security Incident. The Independent Committee also found that the Audit and Finance Committee and the full board were not adequately informed of the full severity, risks, and potential impacts of the 2014 Security Incident and related matters,” according to the SEC filing.

Yahoo did not disclose the 2014 breach until September 2016, when it began notifying holders of 500 million accounts that associated email addresses, birth dates, security question answers, and other personal information may have been stolen.

Don’t forget that this hack also affected BT and Sky email users, as they use the Yahoo email system as the backbone for their own white label systems.

Three months later, Yahoo revealed it had uncovered a separate hack in 2013 affecting about one billion accounts.

However, the SEC filing revealed that 32 million user accounts have also been accessed over the past two years by state-sponsored hackers using forged cookies. Evidence of the intrusions was discovered by an external forensic team investigating the previously disclosed breaches.

According to some security commentators, the news of the 32 million compromised accounts indicates that Yahoo is probably still struggling to understand the true scope of the breaches.

After months of speculation, Verizon announced in February 2017 a revised deal for acquiring Yahoo’s core business that was $350 million less than the original due to revelations of two major data breaches that were made after the deal was signed in July 2016.

The business cost of poor cyber security has been further underlined by the fact that more than 40 lawsuits have been filed seeking damages for the breaches, and Yahoo is facing an SEC probe into whether it appropriately disclosed information about the data breach.

The impact of the breaches shows that a cyber attack can also have a significant effect on companies in merger and acquisition discussions.

While the damage to reputation and brand has always been a primary reason for concern for organisations that were not seen to be implementing sufficient housekeeping and security controls, the real damage to Yahoo’s valuation will ensure that cyber security related issues become an even higher priority.
