Tuesday, 28 February 2017

GDPR and Cloud Services – Prepare for Stormy Weather

Will Lambert, Cyber Security Sales Support, ZeroDayLab

25th May 2018 is a date that many businesses are almost relishing. They see it as a fresh challenge: a new way to do business, an opportunity to use the GDPR to enhance and develop their existing security controls.  These companies get it.  They understand the cyber threat landscape and the dangers of the web, have carried out the crucial Business Impact Assessments (BIA) and have, or are in the process of getting, their house in order; not unlike the American states battening down the hatches when a tornado is forecast.  However, there are businesses that are unwilling to admit, or are still unaware of, the storm of implications the GDPR carries for a post-Brexit Britain, and more specifically the penalties it will deliver to British business. Leaving the EU does not take British business out of its scope.

I should make it clear at this point: I am no lawyer.  Many of you who know me personally are probably thinking, 'thank goodness'! After attending The European Information Security Summit (TEISS) in London in February of this year, I picked up points that I was unaware of myself, and if sharing this information freely helps to strengthen Britain's business, that can only be a good thing. Agreed?

Take a mixing bowl, add 200g of privacy as a declared human right and gently fold in 400g of technological culture, a culture that values Wi-Fi and battery life above basic physiological needs (water, food, shelter... air! Maslow's hierarchy).  Add the cyber skills shortage felt globally, and just a pinch of the fact that cloud services have no regulator dedicated to them; dare I say it's a recipe for disaster?  Too obvious?  Maybe, but it is fair to say that we face quite a challenge to adequately protect Personally Identifiable Information (PII) from attack.

In today's digital age we expect our tech to be always on, available anywhere, dynamic and agile.  These expectations are being boosted by the Internet of Things, which of course is all Secure by Design, because privacy is a basic human right.  It's expected, right?  We place our trust in regulatory bodies to ensure that the products we buy are harmless.  We don't expect our water to be poisoned or our vehicles to be released with faults; why would our smart tech be any different?  That said, we don't have to look far for examples of everyday devices (thermostats, smart watches, fridges and, in future, toasters!) being hacked, which suggests that we trust these devices a little too much.

The issue extends to cloud-based tech too. Who regulates the cloud? The worrying answer, at this moment in time, is no one: no regulatory body has stood up and taken responsibility for cloud-based tech as such.  That is all the more disturbing when you consider that cloud services have been running since 2006, when Amazon released Elastic Compute Cloud (some date the idea to 1996). Cloud Service Providers (CSPs) have been operating on best practice for 10+ years, and that practice has been written down, for example in the Cloud Security Alliance's STAR programme and the Certified Cloud Security Professional (CCSP) certification it developed with (ISC)².  I'm not saying that CSPs are a bunch of cowboys doing what they want; the message I am trying to get across is simply this: if your organisation processes or stores PII in a cloud environment, you remain responsible for data that sits on someone else's machine.

As I understand it (remember, I'm not a lawyer!), Article 32, on security of processing, is where due care and due diligence come in.  Have you done your research?  Are the controls protecting your customers' data as good as they can be? Can you show that through a thorough Cost Benefit Analysis (CBA) of the actions and risks in your own environment?  If yes, great! Now, do you or your suppliers use a CSP to process PII? If yes, more good news: apply the same work to those environments, including verifying where the CSP physically hosts its services. If they tell you 'we host in the UK, so GDPR doesn't apply', don't take it at face value. Whether the Regulation applies turns on who is processing the data and whose data it is, not on the postcode of the data centre; where the data is hosted matters separately, for the rules on transfers outside the EU. Check diligently and keep evidence of the check, because as the controller you remain accountable if the provider turns out to have been 'creative' with the truth.  The process is a long and costly one, but remember, breaches will happen.  That is a disappointing fact of modern life.

I know what you are thinking: breaches are mainly caused by the carbon-based interface, i.e. the users.  I completely agree, and so does the EU, but that is only the eye of the storm: a cool, calm area where all parties agree, almost harmonious.  Moving on! If a breach happens through a user, can you, as an organisation, provide evidence that you have delivered effective threat awareness and education?  How often?  When was the training delivered, and how? You will need evidence of that training; without it you will be without a stitch.  We must also build an effective layered defence to protect our business assets.  We must be able to demonstrate that we have 'done our homework', that we can show due care and due diligence in protecting our customers' PII through effective BIA.  Combined, these elements provide an umbrella against the storm of penalties the supervisory authorities (in the UK, the ICO) have at their disposal.  Don't be left naked in the wind and rain to feel the full force of a penalty of up to €20 million or 4% of global annual turnover, whichever is higher.  I'm not saying you won't get wet, but there's a marked financial difference between slightly soggy and saturated.

The GDPR will become as much a fixture of society as lawyers.  I'm not going into lawyer-bashing mode here; that's too easy (I'm only jealous). Everyone thinks the regulators are just after picking money out of deep pockets and, to a certain extent, it is my personal belief that harvesting the fines will indeed please them.  I know it would me. More importantly, though, I believe they want to improve our digital age.  The Regulation has been brought in to improve our digital landscape so that we are all safe to operate and trade in a secure environment, one where business PII, and indeed our own personal data, can be exchanged with minimal fear of compromise.

"We will pay for security, one way or another."

Monday, 19 December 2016

LinkedIn training arm Lynda.com suffers data breach

Online training company Lynda.com, owned by LinkedIn (which itself is being acquired by Microsoft), has suffered a security incident which saw a user database accessed by unauthorised parties.

The "cryptographically salted and hashed" passwords of some 55,000 accounts were reportedly accessed in the incident; Lynda.com is resetting those passwords.

A further 9.5 million users of the skill-learning site are being warned in an advisory email that other information has been accessed - including contact information and details of viewed courses - although their password data is said not to have been exposed.

In an advisory email, Lynda.com is informing those users of the incident:

We recently became aware that an unauthorized third party breached a database that included some of your Lynda.com learning data, such as contact information and courses viewed. We are informing you of this issue out of an abundance of caution.

Please know that we have no evidence that this data included your password. And while we have no evidence that your specific account was accessed or that any data has been made publicly available, we wanted to notify you as a precautionary measure.

If you have questions, we encourage you to contact us through our Support Center.

The Lynda.com team

The wording of the email is a little odd, and makes me wonder whether this was a traditional "hack" or more a case of a security researcher stumbling across a user database on a server that shouldn't have been publicly accessible, or finding a vulnerability that allowed them to access user information.

Disappointingly, I was unable to find any reference to the data breach on the Lynda.com website. I always think breached sites should post an online notice so users can confirm the incident, rather than blindly trust an email received in their inbox.

Cited by Graham Cluley 

300,000 PayAsUGym user details compromised in hack attack

The company, which sells passes for gyms around the UK, acknowledged that 300,000 email addresses and passwords of its members had been accessed on Thursday.

The website said it did not hold financial or credit card details of its users on its servers.

Customers have been advised to change their passwords and the company has also migrated to new servers.

PayAsUGym alerted its members to the security breach in an email on Friday which said "one of the company's IT servers was accessed by an unauthorised person".

It went on: "Although we do not hold any financial or credit card information, the unauthorised person could have accessed the e-mail address and password of our customers.

"Passwords are encrypted when saved in the database, nevertheless I would encourage you to change your password."

Several customers' email addresses and passwords appear to have been published online.

PayAsUGym said once it was alerted, it "closed down" the breach and contacted the police.

It has also started using new servers after speaking with cybersecurity professionals.

The website uses a "tokenised system" for customer payments which, it says, means card details are stored at the payment gateway - not on its servers.

"This is the highest level of security process for dealing with payments," it said.

PayAsUGym added: "We take the security of customer information very seriously. Unfortunately cyber attacks are becoming more frequent which is why, as a policy, we do not (and will never) hold financial or credit card details and we insist that all passwords are encrypted when stored."
Cited at BBC news
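Two of the items above describe breached password stores in different words: Lynda.com's passwords were "cryptographically salted and hashed", while PayAsUGym's are "encrypted when saved in the database". Those are not the same protection, and the difference decides what an attacker holding the leaked table can do with it. The Python below is an added example, not code from either company or from the original posts. It models three storage schemes on constructed sample users and a constructed wordlist: reversible encryption under a server-side key, an unsalted fast hash, and a per-user salt with a slow key-derivation function. The stream cipher is a toy stand-in (HMAC-derived keystream, no authentication) used only to show reversibility, and the PBKDF2 iteration count is kept low so the demo runs quickly; both are assumptions of the example, not anything the posts state.

```python
"""Added example: what a leaked password table yields under three storage schemes.

Constructed data throughout. Not production code: the reversible cipher is a toy
stand-in, and the iteration count is deliberately low for a quick demo.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Tuple

# --- Scheme 1: reversible "encryption" with a server-side key -------------
# Keystream = HMAC-SHA256(key, nonce || counter), XORed with the plaintext.
# Whoever obtains the key (often from the same compromised server) recovers
# every password; "encrypted" does not mean "safe to leak".

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def encrypt_reversible(password: str, key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct

def decrypt_reversible(blob: bytes, key: bytes) -> str:
    nonce, ct = blob[:16], blob[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode("utf-8")

# --- Scheme 2: unsalted fast hash ------------------------------------------
# Same password, same digest, for every user; one dictionary pass hits them all.

def hash_unsalted(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

# --- Scheme 3: per-user random salt + slow KDF -----------------------------
# Record format (assumed for this example): algo$iterations$salt_hex$dk_hex.

def hash_salted(password: str, iterations: int = 50_000) -> str:
    salt = secrets.token_bytes(16)  # random per user, stored beside the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_salted(password: str, record: str) -> bool:
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False  # malformed record: reject rather than raise
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

# --- The attacker's view of each leaked table ------------------------------

def crack_unsalted(records: Dict[str, str], wordlist: Iterable[str]) -> Dict[str, str]:
    # Hash each word once, then look every user up: cost is independent of
    # the number of users in the dump.
    table = {hash_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in records.items() if h in table}

def crack_salted(records: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    # The salt is public, so guessing still works, but every guess has to be
    # recomputed per user at the full iteration count. Returns the passwords
    # recovered and the number of KDF evaluations spent.
    words = list(wordlist)
    recovered: Dict[str, str] = {}
    kdf_calls = 0
    for user, rec in records.items():
        for w in words:
            kdf_calls += 1
            if verify_salted(w, rec):
                recovered[user] = w
                break
    return recovered, kdf_calls

def demo() -> dict:
    # Constructed sample data: two users share a weak password, one does not.
    users = {"alice": "summer2016", "bob": "summer2016", "carol": "Tr0ub4dor&3"}
    wordlist = ["password", "123456", "summer2016", "letmein"]
    key = secrets.token_bytes(32)

    encrypted = {u: encrypt_reversible(p, key) for u, p in users.items()}
    unsalted = {u: hash_unsalted(p) for u, p in users.items()}
    salted = {u: hash_salted(p) for u, p in users.items()}
    salted_hits, kdf_calls = crack_salted(salted, wordlist)
    return {
        "reversible_recovers_all": {u: decrypt_reversible(b, key) for u, b in encrypted.items()} == users,
        "unsalted_identical_for_same_password": unsalted["alice"] == unsalted["bob"],
        "salted_differ_for_same_password": salted["alice"] != salted["bob"],
        "unsalted_cracked": crack_unsalted(unsalted, wordlist),
        "salted_cracked": salted_hits,
        "salted_kdf_calls": kdf_calls,
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The salted, slow scheme does not rescue the two users who chose a dictionary word; it only makes each guess cost one full KDF evaluation per user instead of one table lookup for the whole dump. That is the reason a "salted and hashed" disclosure still comes with a password reset, and why "encrypted" is the weaker claim of the two: a key that lives on the breached server is part of the breach.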

Friday, 18 November 2016

Three Mobile hit by a Data Breach

'What you need to know' about the Three Mobile Data Breach 

By Tarun Samtani
Group Cyber Security Advisor



Police have arrested three men in connection with a data breach at the Three mobile network.

The company said details, including names and addresses, had been accessed by using a login to its database of customers eligible for a phone upgrade.

It said the breach then allowed upgrade devices to be "unlawfully intercepted".

On Wednesday the National Crime Agency (NCA) said it had arrested two men from Manchester and one man from Kent as part of its inquiries.

A 48-year-old man from Orpington, Kent, and a 39-year old man from Ashton-under-Lyne, Greater Manchester, were arrested on suspicion of computer misuse offences, the NCA said.

The third man, a 35-year old from Moston, Greater Manchester, was arrested on suspicion of attempting to pervert the course of justice. All three have been released on bail pending further enquiries, an NCA spokeswoman said.

Three, which has nine million customers, is investigating how many accounts were accessed, but said the database did not contain payment, card or bank details.

A spokesman for the company said:

"Over the last four weeks Three has seen an increasing level of attempted handset fraud. This has been visible through higher levels of burglaries of retail stores and attempts to unlawfully intercept upgrade devices.

"We've been working closely with the police and relevant authorities. To date, we have confirmed approximately 400 high value handsets have been stolen through burglaries and eight devices have been illegally obtained through the upgrade activity."

The company said it has since strengthened its data controls and is contacting the eight handset fraud victims.

Cited BBC News