SME’s poor security practices targeted by ransomware

SME’s poor security knowledge and practices are being targeted by ransomware.

It is important not to underestimate the scale of ransomware attacks or to believe that you are safe if you are not a Microsoft user, as the first attacks on Android devices were identified in 2011.

According to one industry report, the number of cyber ransomware attacks increased in 2014 by more than 4,000%, with small to medium sized enterprises (SMEs) being the main target due to poor security practices.

On the technical side, we can have spam, malware and bad URL detection engines or services that can be installed in networks – generally as part of an internet security appliance or firewall – rather than individual boxes installed in front of email servers.

The reason we would want such protection as part of the general internet connection is to provide protection for email, browsing and other internet related operations such as file transfer and remote access.

There are also a number of very good commercial cloud based email spam, malware and URL detection services available. These are well worth a look for smaller enterprises that must consider costs of ownership, support and overall effectiveness.

Even with the best spam, malware and URL detection services, some emails that could form the start of a ransomware attack may get through. These emails contain a URL link that, when clicked, will take the user’s web browser to a website that will attempt to download the ransomware.

These emails could not have been detected as malicious for a number of reasons, such as the URL being too new to have been identified as malicious; the patching or updating of an onsite box being out of date; or the URL pointing to a perfectly legitimate website that has been compromised in preparation for a watering hole attack.

The rise in legitimate websites being compromised for the purposes of executing watering hole attacks as a way of delivering malware – including ransomware – means enterprises need to add malware detection to web browsing activities.

Protecting against a ransomware attack

Having got the technical side sorted according to an enterprise’s risk appetite and budget, what else can be done to help protect against a successful ransomware attack?

Staff awareness training and regular follow up initiatives are key. It is important to make staff aware that unexpected emails – even from known sources – are suspicious, particularly those that require a URL link to be activated.

If all else fails and a ransomware attack is successful, then having access to good, well-tested backups, with at least one copy held off-network, will be vital to service restoration. Note that the off-network backup itself should not be used as is, but copied. The copy should then be used to bring the network back, which protects the good backup from being compromised.
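The restore-from-a-copy rule above, as an added shell example that is not part of the original article: the off-network archive is verified against a SHA-256 manifest, copied to a staging area, the copy is verified again, and only the copy is ever unpacked. It assumes `sha256sum`, `tar` and `awk` are available; the sample backup it builds is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the article): restore from a COPY of the off-network
# backup, never from the original. The golden archive is verified against its
# SHA-256 manifest, copied to a staging area, the copy is verified again, and
# only the copy is unpacked. Assumes sha256sum, tar and awk are available.
set -eu

# verify_archive ARCHIVE MANIFEST: compare ARCHIVE's SHA-256 with the hash
# recorded in MANIFEST (sha256sum format). Returns 0 on match, 1 otherwise.
verify_archive() {
    expected=$(awk 'NR==1 {print $1}' "$2")
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$expected" = "$actual" ]
}

# restore_from_copy GOLDEN MANIFEST STAGING TARGET
# GOLDEN is only ever read. Nothing is unpacked unless both the golden
# archive and the staged copy verify, so a tampered archive never reaches
# the target directory. Returns 0 on success, 1 on any verification failure.
restore_from_copy() {
    golden="$1"; manifest="$2"; staging="$3"; target="$4"
    if ! verify_archive "$golden" "$manifest"; then
        echo "golden backup failed verification; keep it isolated" >&2
        return 1
    fi
    mkdir -p "$staging"
    cp "$golden" "$staging/backup.tar"
    if ! verify_archive "$staging/backup.tar" "$manifest"; then
        echo "staged copy failed verification; aborting restore" >&2
        return 1
    fi
    mkdir -p "$target"
    tar -xf "$staging/backup.tar" -C "$target"
}

# build_golden WORKDIR: constructed sample backup (stands in for the
# off-network copy) plus its sha256sum manifest, written into WORKDIR.
build_golden() {
    mkdir -p "$1/src"
    printf 'hello\n' > "$1/src/data.txt"
    tar -cf "$1/golden.tar" -C "$1/src" data.txt
    sha256sum "$1/golden.tar" > "$1/golden.tar.sha256"
}

# Demo run on the constructed sample: the golden archive is left untouched,
# the restore happens from the staged copy.
demo() {
    work=$(mktemp -d)
    build_golden "$work"
    restore_from_copy "$work/golden.tar" "$work/golden.tar.sha256" \
        "$work/staging" "$work/restored"
    echo "restored: $(cat "$work/restored/data.txt")"
}

demo
```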

TalkTalk lost 100,000 customers after cyber attack

TalkTalk has admitted that it has lost 101,000 customers since the cyber attack that saw the personal information of 155,000 people compromised.

The breach shut down TalkTalk’s sales operation for some time and substantially affected its ability to bring on board new customers and upsell mobile, broadband and TV services, it said.

These sales channels took longer than expected to come back online, with full functionality not being restored to its mobile services sales operation until January 2016.

The inability to sell anything meant that TalkTalk saw fewer net customer adds, which, in addition to the high customer churn, had an impact on the headline figure, it said.

The communications service provider (CSP) disclosed the figures in its latest quarterly trading update, in which CEO Dido Harding said it was encouraging to see the business getting back to normal after a period dominated by the breach.

“Our customers have responded well, with almost half a million choosing to take up our unconditional offer of a free upgrade,” said Harding.

“Both churn and new connections recovered during December and January and independent external research has revealed that customers believe we acted in their best interest.

“In fact, trust in the TalkTalk brand has improved since just after the attack and consideration is higher now than it was before the incident.”

TalkTalk estimated the trading impact of the breach at £15m, and said it now looked like the incident would incur exceptional costs of £40-45m, substantially more than it had previously forecast.

These costs include restoring its online capability with fit-for-purpose security measures in place, associated IT costs, incident response and consultancy costs, and free upgrades.

TalkTalk reiterated its confidence in its long-term outlook, and said it saw regulatory opportunities ahead that could support growth in its fixed line and mobile business.
Losing confidence

It is possible that the true number of customers lost was higher than TalkTalk claimed, because it was counting net additions in its figures; as such, the total loss could be as high as 250,000.

Businesses warned to take action on Data Protection Day

This year Data Protection Day is warning businesses to do more to protect personal data.

Data Protection Day is an international holiday that occurs every January 28. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. It is currently observed in the United States, Canada, and 47 European countries.

Global businesses are re-evaluating their data privacy programmes this year as new privacy regulations targeted at businesses start to gather.

The European General Data Protection Regulation (GDPR), which is expected to come into force in 2018, provides for fines of up to 4% of annual global revenue or €20 million, whichever is greater, for failing to safeguard the data of EU citizens and residents.

However, despite the introduction of this legislation, many enterprises are still not doing enough to protect consumer data, according to security and privacy industry experts.

“Data privacy day is a great opportunity for organisations to re-evaluate their privacy programme,” said Tim Erlin, director of IT risk and security strategy for security firm Tripwire. “Privacy is often treated as part of larger security initiatives. While this approach addresses some key privacy issues, others may not get the attention they deserve.”

According to Erlin, the top five data privacy mistakes businesses make are:

  • Failure to keep only essential consumer data
  • Failure to encrypt customer data
  • Failure to secure access to data at all times
  • Failure to patch known vulnerabilities
  • Failure to monitor and control simple misconfigurations

Many organisations keep a lot of customer data in case they need it, he said, but it can easily become a major target for cyber attackers, and may not receive the same level of protection as business critical data.

The EU’s data protection rules will impact every entity that holds or uses European personal data both inside and outside of Europe.

More than two thirds of global companies expect EU data protection laws to dramatically increase costs of doing business in Europe.

Erlin said companies need to establish internal processes to keep data encrypted. “Leaving customer data unencrypted makes it much easier for attackers to grab.”

And while encrypting customer data is important, it must be decrypted for use in an application at some point, with attackers trying to compromise those applications so they can get to that data, Erlin warned.

Successful attacks are more likely to exploit vulnerabilities that are several years old if that gets them access to high value data. Patching systems isn’t glamorous but it’s essential to protecting data.

More than one of the security breaches that have been in the headlines recently has been the result of a misconfigured database or server, said Erlin. “If you’re not monitoring server configurations for change, you have a blind spot in your security that attackers can exploit.”

The UK’s Information Commissioner’s Office (ICO) has also highlighted the potentially devastating effect of reputational damage as a result of a personal data breach.

And it is not only the new privacy legislation in Europe and the US that is a factor. Lawrence Munro, European director at security firm Trustwave for Europe and Asia-Pacific, said the mounting number of breaches involving consumers’ financial and private data means that people are increasingly aware that their information is at risk, and much less willing to forgive businesses that betray their trust.

Munro said security professionals see “Password1” as the most common password year after year. “Such abysmal security presents an open door to hackers. Likewise, phishing scams over email and phone continue to trick droves of workers,” he said.

According to Munro, security in many organisations continues to be seen as a “box to be ticked” as cheaply as possible rather than an essential operation necessary for survival.

“Practices such as regular intensive network testing using real experts rather than occasional automated scans are crucial if businesses are to avoid the reputational and financial fallout of a breach this year,” he said.

Phishing cyber fraud up 21% reports police fraud unit

Cyber fraud linked to social engineering phishing attacks has increased by 21% in a year according to the City of London Police’s National Fraud Intelligence Bureau (NFIB).

Social engineering phishing is a non-technical method of intrusion used by cyber criminals that relies heavily on human interaction and often involves tricking people into breaking normal security procedures.

Typically, the aim is to trick people into opening malware-laden email attachments or to divulge sensitive information that can be used to steal information and credentials to commit fraud.

The harvesting of account and login information is known as phishing and can happen through fake emails, phone calls, texts or social media posts.

Phishing attacks frequently involve piecing together information from various sources, such as social media and intercepted correspondence, to appear convincing and trustworthy.

The most common themes for contacting potential victims are an update to BT account details, an iTunes invoice and a tax refund.

Other themes include Tesco vouchers, Apple ID, accident injury claims, invoices, suspended bank and credit card accounts, and Sky services upgrades.

According to the government backed GetSafeOnline campaign, cyber criminals have become increasingly sophisticated in their attacks, with more than 95,500 phishing scams reported in the 12 months up to October 2015.

Research by GetSafeOnline reveals that 26% of victims of online crime have been scammed by these types of social engineering emails or phone calls.

According to the research, 29% of reported phishing emails contained a potentially malicious link that could infect a victim’s computer with malware, 17% requested a reply and 15% requested personal information.

The research notes that although the number of emails with malicious links is decreasing, requests for money transfers are on the rise.

In response to these findings, GetSafeOnline has launched an advertising campaign to warn of the dangers of social engineering, in partnership with Barclays, NatWest, Royal Bank of Scotland, Lloyds, Halifax, Bank of Scotland, City of London Police, anti-fraud organisation Cifas and Financial Fraud Action UK (FFAUK).

Phishing attacks are the most popular causes of data breaches in the enterprise. Phishing attacks on mobile devices are increasing as adoption of internet connected mobile devices and services grows.

Tony Neate, chief executive of GetSafeOnline, said social engineering is becoming ever more targeted and personal.

“What is worrying, however, is the complex nature of these scams and how they tap perfectly into feelings that make us panic,” he said. “If you get an email purporting to come from someone we trust, such as our bank, about something that is emotive to us all, like money, and then demand that we act urgently, it’s almost like the perfect storm.”

The newly launched advertising campaign aims to encourage people to think twice before they act and not to let panic override common sense.

The campaign highlights the importance of having strong passwords or pass codes to secure devices, and ensuring that all software and apps are up to date.

Research shows that email is the most popular channel for phishing, accounting for 77% of all reported incidents, followed by phone calls, making up 12% of incidents.

Cybercrime and cyber security tops business worries for 2016

Cybercrime and cyber security tops business worries for 2016.

This year, cybersecurity will be the main issue worrying global business, firms say, and it will become more critically important as the internet of things takes off and our world becomes ever more mobile and connected.

Lawyers, accountants, digital agencies, research analysts, telecoms and tech firms all gave the BBC’s Technology of Business their views on what the key tech trends were likely to be in 2016.

Here’s a summary of the Top 10 tech trends affecting business in 2016 that emerged:

  1. Cybercrime and a renewed emphasis on cybersecurity
  2. The internet of things and the development of the hyper connected world
  3. Real time data analytics, not intuition, driving business decisions
  4. New data protection laws forcing firms to rethink compliance strategies
  5. Artificial intelligence and robotics replacing repetitive tasks
  6. Smartphones becoming the primary tool for almost everything
  7. More business applications for virtual and augmented reality tech
  8. Increased personalised and in-store location-based marketing
  9. Drones to be allowed to make deliveries and perform other public tasks
  10. Established businesses to face increased competition from start-ups

Allowing customers’ data to be stolen by hackers is not good for business, firms are finally realising. It damages corporate reputations and erodes the public’s “comfort with sharing their data”, says Rashmi Knowles of cybersecurity company RSA.

But the worrying news is that breaches are inevitable, warns Geoff Smith of Experis, while a shortage of skilled cybersecurity professionals is likely to push up the costs of beefing up defences and dealing with attacks.

On top of this, new European data protection laws coming into effect in 2018 will see a “dramatic increase in fines” for data breaches, says James Mullock of law firm Bird and Bird, forcing firms to reassess their compliance procedures this year. Dedicated Data Protection Officers reporting to the board would be “a sensible measure”, he says.

Ransomware is opening up new income for cybercriminals.

Several security experts are forecasting an increase in ransomware attacks, whereby criminals hack into your system, encrypt your data and then demand a ransom before they decrypt it.

“The ransomware arms race will come to the fore in 2016,” says Hitesh Sheth, chief executive of Vectra Networks. “The threat will take on a new, larger role by concentrating attacks on enterprises, holding critical assets hostage in return for even bigger money.”

Other experts warn that the growth of mobile payments systems will offer new opportunities for hackers, while others think criminals will increasingly target employees, suppliers and contractors as a way of infiltrating corporate systems.

Gadgets and objects wirelessly transmitting sensor data to each other and central computers will accelerate in 2016, many believe, leading to a host of new applications – and a host of new cybersecurity threats.

Internet of Things (IOT) cybersecurity concerns will also loom large in 2016.

This new world of “connected everything”, says Tudor Aw, head of technology sector at consultancy KPMG, “should finally see real momentum in 2016”, from connected cars recording driver behaviour data for insurance purposes, to smart watches and other wearables delivering health data and even initial diagnoses.

And all the data that these connected things generate will be stored, analysed and translated into practical insights using real-time analytics, enabling companies to “move beyond just quickly responding to changing customer needs, to actually anticipating those changes,” says Andy Lawson, managing director at Salesforce UK.

But many warn that greater connectivity means more points of entry for hackers constantly on the look out for weak points in any network.

Security of UK ISPs failing users

The security of the UK’s biggest ISPs needs “major improvement”, according to one expert.

Security consultant Paul Moore examined the publicly available information of the UK’s six biggest ISPs. He said he found plenty of bugs that could be exploited by hackers.

But he said most ISPs had been in contact with him and had worked to tighten security once told of the issues.

The audit of TalkTalk, Sky, BT, Plusnet, EE and Virgin Media was kicked off in the wake of the TalkTalk hack, which saw the personal details of 157,000 of its customers exposed and more than 15,600 bank account numbers and sort codes stolen.

Similar problems to those encountered by TalkTalk could have been experienced by any of the major ISPs, Mr Moore believes.

The audit found a variety of problems, including passwords stored in plain text, exposed code that would allow hackers to inject their own code on to ISPs’ websites and, potentially load malware on to them, and issues with encryption certificates that meant Mr Moore could apply for them from the certificate authority and pose as the webmaster for a set of ISP-owned websites.

Mr Moore said he was impressed by most of the ISPs’ responses when he raised the issues with them.

“Ordinarily they would not be so open and honest with me but, after what happened at TalkTalk, they have been stepping in quickly,” said Mr Moore.

“On one occasion I notified BT and PlusNet about a bug at 14:00 and they kept people back until 22:00 to fix it.”

But, he added, TalkTalk was yet to contact him. TalkTalk did supply a statement saying it had “integrated Paul Moore’s comments into an ongoing programme of work”.

“We constantly run vulnerability checks using industry-standard third party tools. The vulnerability exploited by the hackers was not picked up by this testing, and if it had been, we would clearly have acted on that information straightaway to secure our system,” it added.

Prof Alan Woodward, a security expert at Surrey University, said he was shocked by the findings.

“TalkTalk still has problems and others have not dissimilar ones,” he said. “I find it very surprising that after the TalkTalk hack, the six ISPs still appear not to be attending to the basics.”

He added: “ISPs are the single biggest handlers of our personal data and I would expect them to get this right.”

Web spying proposals may be costly

MPs are investigating what it will cost ISPs to meet government proposals to log online Britons.

The House of Commons Science and Technology committee is looking at whether gathering data on online citizens is even financially feasible.

It also wants to look into the potential impact that logging browsing will have on how people use the web.

The consultation comes as questions mount over the money the government will set aside to support monitoring.

The draft Investigatory Powers Bill (IP Bill) was unveiled as it attempts to update the way the state, police and spies gather data to fight crime, terrorism and other threats.

One of the most contentious aspects of the IP Bill obliges ISPs to record information about the services, websites and data every UK citizen uses. These “Internet Connection Records” would hold a year’s worth of data.

The Science and Technology committee has said it wants to look more deeply into this and its potential cost.

In a notice announcing the inquiry, the Committee said it wanted to find out if it was possible for ISPs to meet the IP Bill’s requirements. The text of the Bill asks ISPs to log where people go but not what they do when on a site or using a service.

MPs also want to find out how easy it is for ISPs to separate data about a visit to a site from what happens once people log in, because more stringent rules govern who can discover what people do on a site as opposed to the sites they use.

The Committee will also look at how much it might cost the providers to do this.

The government has said it will provide £175 million to ISPs over 10 years to pay for data to be gathered and stored.

Adrian Kennard, head of UK ISP Andrews and Arnold, said it was not clear whether that was enough because the government had not specified what exactly it wanted recorded.

Added to this will be the “big issue” of how to meet the need to separate data about the sites people visit from what they do, he said.

ISPs watch the flows of data across their networks to help manage traffic, he said, but they typically only sample these streams because they deal with such massive quantities of information every day.

Added to this, he said, was the question of how to log which device was being used for which visit.

Microsoft builds UK cloud data centres

Microsoft is building two cloud data centres in the UK next year.

The move will allow the company to bid for cloud computing contracts involving sensitive government data, which it was restricted from providing before.

Consumers should also benefit from faster running apps.

The announcement, made by Microsoft chief executive Satya Nadella in London, follows a similar declaration by Amazon last week.

The two companies vie to provide online storage and data crunching tools via their respective platforms Microsoft Azure and Amazon Web Services.

The companies’ latest efforts should address highly regulated organisations’ privacy concerns.

In a related development, the firm has also announced plans to offer its Azure and Office 365 cloud services from two German data centres controlled by a third-party, a subsidiary of Deutsche Telekom.

“Microsoft will not be able to access this data without the permission of customers or the data trustee, and if permission is granted by the data trustee, will only do so under its supervision,” it said.

The move will make it even harder for overseas authorities to gain access to the files.

Microsoft is currently engaged in a legal battle with the US Department of Justice, which is trying to make it hand over emails stored on a server in Ireland – the tech firm says the government is trying to exceed its authority.

Mr Nadella announced the plan to open a data centre near London and another elsewhere in the UK – whose location has yet to be named – in 2016.

They will bring the company’s tally of regional data centres to 26.

He added Microsoft had also just completed the expansion of existing facilities in Ireland and the Netherlands.

“It really marks a huge milestone and a commitment on our part to make sure that we build the most hyperscale public cloud that operates around the world with more regions than anyone else,” he told the Future Decoded conference.

Scott Guthrie, Microsoft’s cloud enterprise group chief, added that the move would address privacy watchdogs’ concerns about “data sovereignty”.

Amazon has also committed itself to multiple UK data centres, but has not said how many at this stage. It will make the UK its 15th regional base.

Although that is fewer than Microsoft’s, the company is currently the global leader in this field in terms of market share.

Announcing its move, Amazon said an added benefit of having a local data centre was that the public would experience less lag when using net-based services.

Amazon’s other EU-based data centres are in Ireland and Germany.

Although outsourcing computing work to one of the big tech companies offers the potential for savings – as they do not have to build and maintain their own equipment – there are also risks involved.

A fault with Azure knocked many third-party websites offline last year, and Amazon has experienced glitches of its own. However, major faults taking clients’ services offline are a relatively rare occurrence.

New EU data laws threaten huge fines

Companies could face fines of up to 4% of their global annual turnover under new European rules on data protection.

The European Union has approved significant changes to data laws, aimed at putting individuals back in charge of their information.

It is the biggest shake up to privacy regulation for 20 years, according to experts. The changes would make privacy “a board-level issue”, one lawyer said.

Peter Church, a technology lawyer at Linklaters, said it would make businesses “start taking these issues a lot more seriously”.

US technology companies already have problems with European regulators, with both Google and Facebook facing big fines – Facebook over its use of cookies and Google over its privacy policy.

Although this new law will not come into force until 2018, the changes meant the tech giants would have to “pay more attention to what regulators are saying”, said Mr Church.

The new draft policy, in discussion since 2012, will need to be ratified by the European Parliament next year.

Other changes include:

  • Firms will have to report serious data breaches to regulators within 72 hours
  • Consumers’ right to be forgotten will be extended beyond search engines to all aspects of their web history – so, for example, a user could request to have his or her Facebook profile removed
  • Consumers have the right to transfer their data from one company to another – so, for example, a user could request all data relating to shopping purchases be sent to them so they can transfer their preferences to a rival supermarket
  • Companies that handle significant amounts of data will have to employ a data protection officer

Jan Philipp Albrecht, chief negotiator, said of the deal: “This would be a major step forward for consumer protection and competition and ensure Europe has data protection rules that are fit for purpose in the digital age.”

“The scale and breadth of the EU’s changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU.”

“Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years – it is not much time for the magnitude of the internal changes that will be required.”