Glos Police warn cyber crime is more dangerous than streets at midnight

By Cyber SecurityNo Comments

Gloucestershire Police said in Dec 2016 that within our county 54 % of all reported crime was cyber related.

Glos Police warns cyber crime is more dangerous than streets at midnight.In other words, you have a much higher chance of being mugged online in your home or work place than you do wandering around any of our high streets at midnight at the weekend.

According to the latest report by the Office of National Statistics (ONS), there were 5.8 million incidents of cyber crime and fraud in the 12 months up to March 2016, affecting one in 10 people in England and Wales.

The Federation of Small Businesses (FSB) found last month that small firms are unfairly carrying the cost of cyber crime in an increasingly vulnerable digital economy being collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion.

Despite the vast majority of small firms (93%) taking steps to protect their business from digital threats, two thirds (66%) have been a victim of cyber crime in the last two years. Over that period, those affected have been victims on four occasions on average, costing each business almost £3000 in total.

The types of cyber crime most commonly affecting small businesses are phishing emails (49%), spear phishing emails (37%), and malware attacks (29%).

Small firms are also concerned about hacking and fraud when the card is not present, with the average information breach setting them back 2.2 days.

However just a quarter of smaller businesses (24%) have a strict password policy, but only four per cent have a written plan of what to do if attacked online, and just two per cent have a recognised security standard such as ISO27001 or the Government’s Cyber Essentials scheme.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email safe@cyber139.com or complete the form on our contact page NOWContact Cyber 139

GDPR data protection fines

By Cyber SecurityNo Comments

GDPR- the General Data Protection Regulations and fines are less than 17 months away warns Cyber139. Happy New Year!

GDPR- the General Data Protection Regulations are less than 17 months away warns Cyber139

A two tiered system of fines will apply. Breaches of some provisions by businesses, which law makers have deemed to be most important for data protection, could lead to fines of up to €20 million or 4% of global annual turnover for the preceding financial year, whichever is the greater, being levied by data watchdogs.

For other breaches, the authorities could impose fines on companies of up to €10 million or 2% of global annual turnover, whichever is greater.

Hoping that BREXIT might help you? Wrong- speaking in parliament in the week before Christmas, UK digital minister Matt Hancock again confirmed that the GDPR “will become directly applicable in UK law on 25 May 2018”.

Data controllers could face more severe regulatory fines than data processors for failing to keep personal data appropriately secure under the new General Data Protection Regulation

One of the many changes that the new Regulation will deliver when it comes into force on 25 May 2018 is a new statutory obligation on data security that data processors must observe above and beyond contractual duties agreed with data controller customers.

Under current EU data protection rules service providers that process personal data on behalf of other businesses cannot be held directly liable to individuals for a breach of data security. If data processors are at fault for data breaches then it is the data controller who contracted with them whose neck is on the block for any non compliance with data protection laws, although the data processor could be liable to the data controller under their contract.

The Regulation addresses this anomaly but makes a distinction between the maximum fine data protection authorities will be able to levy against data controllers compared to data processors for failings on data security.

The relevant provisions on data security are contained under Articles 5 and 32 of the Regulation.

Article 5 sets out basic rules on personal data processing which only apply to data controllers, considered to be fundamental to data protection. One of those rules requires data controllers to ensure that personal data is “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures”.

According to the Article 83 provisions of the Regulation on administrative fines, where data controllers breach that Article 5 requirement they can be served with the highest possible fine that data protection authorities will be able to issue under the reformed framework.

In contrast if data processors breach their statutory data security obligations, set out under Article 32, which requires them to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” of their personal data processing, then the most they could be fined is up to €10m or 2% of global annual turnover.

Data controllers are also subject to the Article 32 obligations. It therefore appears open to national data protection authorities to fine data controllers for any data security failings under Article 5 or Article 32. Their choice in those circumstances would impact on the severity of the fines they could issue.

Whether security measures are appropriate in each instance will depend on “the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons”, according to the Regulation.

Beyond the imposition of administrative fines for data security breaches, the Regulation will also introduce an updated right for data subjects to claim compensation for damages they suffer from such incidents.

A data controller or data processor could be sued for compensation as well as being exposed to the administrative fines – being fined will not shield it from compensation claims, and vice versa.

The revised right will allow data subjects to pursue either data controllers or data processors for all of the compensation owed to them for the damage they have suffered from a data breach, although a processor will only be liable for damage caused by processing where it has not complied with any part of the Regulation that applies to them or if it has “acted outside or contrary to lawful instructions of the controller”.

Data controllers pursued for damages will be able to claim back all or some of the money they pay out from their data processor if the data processor was  in fact responsible, wholly or in part, for the breach.

Equally, data processors will have the same right to claim back money from data controllers, or indeed other data processors involved, whose fault caused or contributed to the damage, if the data subject pursues the data processor for the full compensation pay-out.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email safe@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Cyber 139 wishes you a secure and prosperous New Year

By Cyber SecurityNo Comments

Cyber 139 wishes you a secure and prosperous New Year for 2017.

Cheltenham based cyber security and protection firm Cyber 139 wishes you a secure and prosperous New Year for 2017.

Cheltenham based cyber security and protection firm Cyber 139 wishes you a secure and prosperous New Year for 2017.

Overall 24% of ALL businesses surveyed in 2016 had had one or more cyber security breaches in the past 12 months- so please don’t let you be a victim in 2017.

So if you want to save yourself stress, money and a damaged reputation from a cyber incident please ring us now on 01242 521967 or email safe@cyber139.com or complete the form on our contact page NOWContact Cyber 139

Cyber crime costs small businesses the most

By Cyber SecurityNo Comments

New research has found that cyber crime is disproportionately effecting small businesses the most.

New research has found that cyber crime is disproportinately effecting small businesses the most.

The Federation of Small Businesses (FSB) has found that small firms are unfairly carrying the cost of cyber crime in an increasingly vulnerable digital economy.

The report Cyber Crime: How to protect small firms in the digital economy suggests smaller firms are collectively attacked seven million times per year, costing the UK economy an estimated £5.26 billion.

Despite the vast majority of small firms (93%) taking steps to protect their business from digital threats, two thirds (66%) have been a victim of cyber crime in the last two years. Over that period, those affected have been victims on four occasions on average, costing each business almost £3000 in total.

Cyber crime costs small businesses disproportionately more than big businesses when adjusted for organisational size.

Currently the responsibility largely falls on small businesses to protect themselves. FSB is calling for more support to be given to those smaller firms least able to bear the burden of the increasing global cyber threat.

Almost all (99%) of the UK’s 5.4 million small firms rate the internet as being highly important to their business, with two in three (66%) offering, or planning to offer, goods and services online. Without intervention, the growing sophistication of cyber attacks could stifle small business growth and in the worst cases close them down.

Mike Cherry, FSB National Chairman, said: “The digital economy is vital to small businesses – presenting a huge opportunity to reach new markets and customers – but these benefits are matched by the risk of opportunities for criminals to attack businesses.

“Small firms take their cyber security responsibility very seriously but often they are the least able to bear the cost of doing so. Smaller businesses have limited resources, time and expertise to deal with ever-evolving and increasing digital attacks. We’re calling on Government, larger businesses, individuals and providers to take part in a joint effort to tackle cyber crime and improve business resilience.”

The types of cyber crime most commonly affecting small businesses are phishing emails (49%), spear phishing emails (37%), and malware attacks (29%).

Small firms are also concerned about hacking and fraud when the card is not present, with the average information breach setting them back 2.2 days.

To combat this, four in five small firms (80%) use computer securing software, and well over half (53%) perform regular updates of their IT systems.

The FSB report also found room for small firms to improve security.

Currently just a quarter of smaller businesses (24%) have a strict password policy, four per cent have a written plan of what to do if attacked online, and just two per cent have a recognised security standard such as ISO27001 or the Government’s Cyber Essentials scheme.

Mike Cherry added: “Small firms are understandably focussed on building their businesses and creating the jobs which drive economic growth. The vulnerabilities of the digital world affects everyone and the responsibility for improving resilience should not be left to the group with least resource to do something about it.

Yahoo confirms one billion users have had data hacked

By Cyber SecurityNo Comments

Bob Lord, chief information security officer at Yahoo, admits details of the breach in a blog post.

Bob Lord, chief information security officer at Yahoo, admits details of the breach in a blog post.“We believe an unauthorised third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft,” he said.

Speaking to Computer Weekly, Jonathan Care, a research director at market watcher Gartner, said Yahoo’s lack of clarity on this point was troubling.

“The implication is that Yahoo has overly focused on deploying protective technologies, and has not put in place effective analytics, detection and response systems and processes,” he said.

“From what we do know, the attackers made use of cookie masquerading, pass-the-hash and a state-sponsored actor. This gives strength to the importance of a strong detection plan.”

The incident came to light after US law enforcers shared files with the company that a third-party claimed contained Yahoo user data.

“We analysed this data with the assistance of outside forensic experts and found that it appears to be Yahoo user data,” said Lord.

Yahoo admits that staff knew about the data breach two years before it was confirmed publicly, and that the incident could affect the $4.83bn sale deal with Verizon.

“For potentially affected accounts, the stolen user account information may have included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5) and, in some cases, encrypted or unencrypted security questions and answers.”

“We are notifying potentially affected users and have taken steps to secure their accounts, including requiring users to change their passwords,” he said. “We have also invalidated unencrypted security questions and answers so that they cannot be used to access an account.”

Which suggests that many personal questions have been hacked as well.

This latest breach comes several months after Yahoo revealed details of another historic attack on its systems, dating back to 2014, which led to the personal details of at least 500 million users becoming exposed.

At the time, the incident was reported to be the largest publicly reported breach of its kind, but the August 2013 one is understood to be considerably bigger.

After news of the 2014 hack broke, Yahoo confirmed some staff knew about it several years before details were publicly disclosed, and acknowledged that it could lead to Verizon withdrawing its $4.83bn bid to acquire the company.

In light of its latest disclosure, questions are now being raised about how the news may affect the deal, given Verizon went on record in October 2016 to say the previous breach could pave the way for it to drop its bid.

“It also emphasises the importance of purchasers understanding the security risks of target businesses and building in contractual mechanisms to adjust the price, or even allow them to walk away from the deal if breaches like these come to light before completion.”

“Clearly, the upshot of this is that we need to realise that it’s no longer a case of ‘if we’re targeted or unlucky’, but that we are all targets.”

Camelot’s National Lottery accounts are hacked

By Cyber SecurityNo Comments

It could be you- as tens of thousands of online lottery Camelot players’ accounts are hacked.

It could be you- as tens of thousands of online lottery Camelot players' accounts are hacked.National Lottery operator Camelot says the login details of thousands of people who do the lottery online have been stolen.

There are 9.5 million national lottery players registered online, but Camelot said only around 26,500 accounts were accessed. It added that fewer than 50 accounts have had suspicious activity, such as personal details being changed, since the breach.

The company said it unearthed “suspicious activity on a very small proportion of our players’ online National Lottery Accounts” during its online security monitoring on 28 November 2016.

It added that there has been no unauthorised access to core systems. “In addition, no money has been deposited or withdrawn from affected player accounts,” said Camelot.

“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”

The company said it is now trying to find out what happened, but it believes that “the email address and password used on the National Lottery website may have been stolen from another website where affected players use the same details”.

The affected accounts have been suspended and Camelot will contact the account holders to re-activate them. Camelot added that it is working with the National Cyber Security Centre on the incident.

Are you an online lottery player?

If so, just crossing your fingers is not enough. To mitigate risks in the short term, account holders should update passwords and avoid using the same password across multiple sites.

Why are businesses ignoring cybercrime and cyber risks?

By Cyber SecurityNo Comments

How can cyber security professionals help businesses to understand the cyber risks?

How can cyber security professionals help businesses to understand the cyber risks?

Business owners don’t like spending money on anything that doesn’t make them more money. Even insurance is a grudge purchase. I’m never fond of paying a high premium, but if there’s a risk that I could lose my livelihood and house if I fail to get the right insurance cover, then I accept that.

Mitigating cyber risk is exactly the same. If companies don’t do it, then they could go out of business.

But there’s definitely over-confidence in the space, and I often hear “well, it will never happen to us, we’ve just installed anti-virus on all of our laptops”.

So exactly how do you give the business that niggling feeling that encourages them to mitigate security risks? The reactive approach definitely isn’t the right way, demanding cash after something has happened to plug a hole.

The sales led approach isn’t the right way, where security suppliers force silver bullets down your throat and you end up buying something to help them meet their sales targets, regardless of how nice it makes your treasured server rack look.

It’s about taking a proactive stance, and dealing with cyber security before something happens; and being prepared to tell security suppliers where to stick their hardware if it doesn’t fit into your security programme.

I’ve never seen a business turn down a carefully prepared cyber security risk mitigation programme that fits the business. Fortunately, creating one is remarkably simple. Define scope. Carry out a security audit on said scope. Conduct a gap analysis, work out three costed options with pros and cons to address each gap, and present to the business.

But that still doesn’t mean the business will buy in. We’re missing that niggling feeling. Much as I dislike scare tactics, now would probably be a good time to think about them, with a short, sharp exercise that demonstrates to the business exactly what could go wrong in their cyber world.

Simulate a phishing email. It’s easy enough. Put an EICAR (European expert group for IT-security) malware test file on your CEO’s laptop. Take your CFO’s laptop away for an hour and simulate critical hardware theft. Leave a suspicious package in the mail room. Simulate a web server hack.

These exercises would take less than an hour of the board’s time and, while they won’t get the cheque book out, they will raise awareness over time. Throw in a few fire drills to keep their minds off cyber for a bit. Simulate a flood. The point being, over time, your business can become cyber-aware; and ultimately this loosens the purse strings and gets you that next hire and support for implementing change.

UK organisations are still not taking ransomware seriously enough

By Cyber SecurityNo Comments

UK organisations are still not taking ransomware seriously enough, and continue to fall prey to this method of low cost, low risk cyber extortion.

UK organisations are still not taking ransomware seriously enough

Businesses still get caught by ransomware, even though straightforward avoidance methods exist.The CryptoLocker ransomware caught many enterprises off guard, but there is a defence strategy that works.

Another factor promoting the popularity of ransomware among attackers, is that unlike many other forms of malware, ransomware does not require any special user rights.

“If your system gets infected by a keylogger, it has to escalate privileges to become an administrator on the system so it can survive a reboot, but all ransomware needs is access to the files the infected user can access,” said chief research officer at F-Secure Mikko Hypponen.

“This makes them a unique problem because you can’t fight ransomware by locking down systems, restricting user access or removing administrator privileges from users.

“I fully support this approach to security. Only give users access to what they need, take away admin privileges, but none of these things will protect against ransomware.”

The most effective way to counter ransomware, said Hypponen, is to backup all critical data, but many organisations are failing in this.

“They may be backing up data, but they are typically not doing it often enough. They are not backing up all the information they really need because files are not being saved to the right folders, and they are not testing their backups regularly. Even if they have backed up the information, they are often unable to restore it to a usable form,” he said.

“In addition to regularly tested backups, organisations should also ensure they would be able to detect and respond to a live ransomware Trojan on their network before it has succeeded in locking up all the data,” said Hypponen.

One way of approaching this is to plant dummy “canary” files throughout the network. These should never be touched by legitimate users and act as alarms. If these files are touched, it points to malicious activity on the network.

Ransomware is also popular, he said, because its developers are able to outsource the risk to partners whose role is infect computers in return for a share in the money extorted from victims.

In addition to ransomware, another new business model for cyber criminals is circumventing the fingerprint locks on iPhones.

“Once fingerprint readers were added to iPhones, users were able to lock and unlock them quickly and easily. This meant that if the phone was stolen, it was useless and could be only sold for spares, which did not yield very much,” said Hypponen.

But researchers are now starting to see criminal organisations that are able to trick victims of mobile phone theft into revealing their iCloud credentials.

“Victims typically receive an email message a few days after their phone is stolen to say it has been located using the ‘track my iPhone’ facility, telling them to click the link embedded in the message,” said Hypponen.

“But the link takes them to a phishing site that asks them to log into their iCloud account, and once they have done that, the criminals have the information to reset the stolen phone and sell it as a fully working device.”

The second lesson learned in 25 years of cyber security, said Hypponen, is that people will never learn, and that user education is a waste of time.

“It doesn’t matter how many times you tell them, they will always double click on every executable. They will always follow every link, they will always type their password and credit card number into any online form that asks for that information, and they will always post their credit card picture and even CVV numbers on Twitter,” he said.

Admitting this may be overly pessimistic, Hypponen said that instead of trying to “patch” people by educating them, the responsibility should be shifted to those better equipped to handle it.

“We should be thinking about where we really want the responsibility to be,” he added. “Do we really want people to be responsible for security when most of them can’t handle it, or should we be thinking about taking the responsibility away from the user and giving it to operating system developers, security companies, and internet service providers and mobile operating firms that provide the connectivity that causes the problems in the first place?”

No final fix for cyber security

By Cyber SecurityNo Comments

There really is no final fix solution endgame when it comes to cyber security.

There really is no final fix solution endgame when it comes to cyber security, according to security industry veteran and chief research officer at F-Secure Mikko Hypponen.The claim was made by security industry veteran and chief research officer at F-Secure Mikko Hypponen and two of the most valuable lessons in cyber security are to know your enemy and not to rely on users to be secure.

“We will always have cyber security problems because we will always have bad people, which means job security in security is likely to continue for ever,” he told the Wired Security conference in London.

Cyber attackers are continually evolving their techniques and capabilities to steal and monetise data in new ways, which means the goalposts are continually moving.

“If we were still fighting the enemy of 10 years ago, we would be in great shape,” he said, alluding to the security tools that have been developed since then, as well as the security improvements in software.

“Attackers will always have the upper hand because they have the luxury of time to study our defences, while defenders do not have that luxury, so it is an unfair contest – a never-ending race.”

Reflecting on lessons learned over his 25 year career in information security, Hypponen said the most important thing is to understand the adversary.

However, he said the days of being able to do that easily are long gone, with most organisations finding themselves faced with a whole range of attackers.

They are all looking to gain something, said Hypponen, whether they are hacktivists supporting a cause, nation state actors or criminals.

“But for most organisations, criminals are the most likely to be attacking them,” he said, noting that of the 350,000 to 450,000 new malware samples that F-Secure sees on a daily basis, 95% comes from organised cyber crime groups.

“It is different when you get targeted by foreign intelligence agencies, because they are really bad, but most organisations are not targeted by foreign spies because most organisations are of no interest to them,” he said.

Although these cyber criminals like to portray themselves as Mafiosi, Hypponen said most are just “geeks” looking to make money from selling things such as hacked PayPal accounts and credit card details along with step-by-step guides on how to use them to make money.

Ransomware most popular form of cyber crime

Ransomware that encrypts victims’ data and demands payment in return for restoring it is fast becoming the most popular way for cyber criminals to make money.

“This is a simple business model based on the principle of selling data to the highest bidder, which is often the person or organisation that owns the data in the first place,” said Hypponen.

F-Security is currently tracking more than 110 different ransomware groups operating around the world and competing for market share.

“Ransomware has become very competitive, with the result of some groups seeking to expand into new markets by translating ransomware campaigns into 26 different languages,” said Hypponen.

Another evolution of ransomware attacks is the shift away from consumers to target enterprises.

“As soon as an infected computer is connected to the corporate network, the attackers enumerate and mount all the file shares the user can access and dynamically set the ransom based on how many files they manage to encrypt on the network,” said Hypponen.

The biggest concern about ransomware for enterprises is that it will stop business operations. With continuity in mind, some enterprises are even setting up bitcoin wallets to be able to pay ransoms quickly and minimise the impact on business continuity.

“This idea of continuity is really backwards, because it does not address the problem,” said Hypponen. “The more enterprises pay these ransoms, the greater and more entrenched this problem will become.”

EDPR and customers data protection

By Cyber SecurityNo Comments

We follow on from our Cyber Security Force’s post yesterday about 96% of firms being unprepared for tougher data protection laws.

We follow on from our Cyber Security Force's post yesterday about 96% of firms being unprepared for tougher data protection.While businesses grapple to become compliant, they remain out of touch with consumer expectations when it comes to data privacy and security.

Nearly three quarters of businesses do not think an organisation’s privacy track record is a top three consideration for customers when choosing who to do business with, despite customers asking about data security in more than a third of transactions.

Equally concerning, the report said, is the finding that 35% of respondents do not believe their organisation takes an ethical approach to securing and protecting data.

These results show there is a significant disconnect with consumer priorities, the report said, with 88% of European consumers regarding data security as the most important factor when choosing a company with which to do business. In fact, 86% consider it more important than product quality.

Unsurprisingly, the study found that 55% of businesses are not confident they completely meet customers’ data security expectations.

The study also found many businesses have not started working out the necessary organisational and cultural changes they need to make ahead of May 2018.

Some 9% of businesses admitted that all employees are able to access customers’ personal information, while 6% admitted that all staff can access customers’ payment details. Only 14% believe everyone in the organisation has a responsibility to ensure data is protected.

With such wide reaching access to people’s personal information, businesses are underestimating the challenges they will face in managing this in line with the GDPR, the report said.

Under half of those surveyed said managing data ethically is a top priority for their organisation, and less than half again said they would be increasing security training. Only 27% of businesses polled said they are planning to overhaul their approach to security in response to the GDPR.
Technical readiness

The majority of respondents (91%) have concerns about the ability of their organisation to comply with the GDPR, due to factors such as the complexity of processing data correctly in time and costs involved.

Only 28% of IT and business decision makers realise the right to be forgotten is part of GDPR, while 90% of businesses say customers requesting their data be deleted will be a challenge for their organisation.

Only 9% of respondents have already received requests to be forgotten, but 81% believe their customers would exercise their right for data to be deleted, and 60% of businesses do not currently have a system in place that enables them to respond to these requests.

With less than two years before the EU data protection rules come into force, there are 10 key areas businesses need to focus on to ensure they will be compliant.

The European Parliament’s official publication of the General Data Protection Regulation means it will become enforceable on 25 May 2018.

Companies that fail to start planning to deal with the EU’s data protection requirements are in for a real shock, warns the International Association of Information Technology Asset Managers.
The GDPR is about enabling organisations to realise the benefits of the digital era, but it is serious about enforcement for those that do not play in the rules, says UK information commissioner.