Monday 22 June 2015

Hackers Ground 1,400 Airline Passengers

Polish state-owned airline LOT suffers hacking assault on ground systems that causes 10 national and international flights to be cancelled

Around 1,400 passengers of the Polish airline LOT have been grounded at Warsaw Chopin airport after hackers attacked the airline ground computer systems used to issue flight plans, the company said.
The computer system was hacked on Sunday afternoon and fixed after about five hours, during which 10 of the state-owned carrier’s national and international flights were cancelled and about a dozen more delayed, spokesman Adrian Kubicki said.
LOT was taking care of the passengers on Sunday evening and some were already able to board flights. The airline said it was providing hotels for those who needed to stay overnight.
At no point was the safety of ongoing flights compromised, Kubicki said, and flights destined for Warsaw were able to land safely. No other airports were affected, he added.
“We’re using state-of-the-art computer systems, so this could potentially be a threat to others in the industry,” Kubicki said. The attack is now being investigated by the authorities.
The airport itself was not affected, its spokesman said.

Thursday 18 June 2015

UK Firms Failing to Assess Insider Cyber Threats

A recent study by Marsh has revealed that many UK firms are failing to adequately assess customers and trading partners for cyber risk. 
Marsh found nearly 70% of respondents do not assess the suppliers and/or customers they trade with for cyber risk. 50% of respondents also stated their organisations have not been asked to demonstrate a competent standard of their IT security practices to their bank and/or customers to do business with them. 
Stephen Wares, Marsh’s cyber risk practice leader in Europe, said more work needs to be done to consider cyber security as a business issue, as opposed to a technical problem.
“This is especially true for larger organisations, which attract highly motivated and sophisticated hackers that might identify smaller business partners that are typically less well protected as the ‘back door’ into their IT systems,” he said.  
Organisations should include supply chain security as part of their strategy to reduce the risk of data breaches, an expert panel told attendees of Infosecurity Europe 2015 in London.
Information security weaknesses at suppliers have been responsible for several high-profile breaches in recent years, including malware-laced phishing emails sent via an air-conditioning supplier to US retailer Target in 2013.
Cited and more on this story at Computer Weekly 

How do you assess the security risk that your third party providers bring to your front door?
This ties in quite nicely with a recently published post, Supply chain Risk: Defending Business Continuity & Improving Cyber Security.

We had a webinar a few weeks ago on this subject; recording in link below:

Led by ZeroDayLab’s Managing Director, Kevin Roberts, and Pre-Sales Manager, Stuart Peck, the webinar was hot on the heels of the latest supplier breach suffered by TalkTalk, and looked at supply chains, breaches and how you can get better visibility and management over your risk.

Friday 12 June 2015

Kaspersky Lab - Cyber Security Firm is Hacked

One of the leading anti-virus software providers has revealed that its own systems were recently compromised by hackers.
Kaspersky Lab said it believed the attack was designed to spy on its newest technologies.
It said the intrusion involved up to three previously unknown techniques. The Russian firm added that it was continuing to carry out checks, but believed it had detected the intrusion at an early stage.
Although it acknowledged that the attackers had managed to access some of its files, it said that the data it had seen was "in no way critical to the operation" of its products.
"Spying on cybersecurity companies is a very dangerous tendency," said the company's chief executive Eugene Kaspersky.
"The only way to protect the world is to have law enforcement agencies and security companies fighting such attacks openly.
"We will always report attacks regardless of their origin."

Kaspersky Lab said that it had detected the breach in the "early spring", and described it as "one of the most sophisticated campaigns ever seen".

The malware does not write any files to disk, but instead resides in affected computers' memory, making it relatively hard to detect.
Cited BBC News

What attacks have you combated recently?

How are you armed to deal with such attacks?

Tuesday 2 June 2015

The Human Error Risk in Cyber Security

Is The Future Cyborg?  Waking Up to the Human Error Risk in Cyber Security

By Stuart Peck, Pre-Sales Manager, ZeroDayLab

Human achievement is incredible (just look at digital technology and the internet), but people can also make mistakes.  When APTs are increasing and targeting weaknesses in staff and suppliers to overcome improved technical defences, can organisations control the risk of human fallibility, or is the only answer to employ cyborgs?

Since 2012 there has been a 51% increase in security budgets, yet incidents are up 25% and financial costs of a breach are up 18% (The Global State of Information Security Survey 2014, PWC).  The importance of implementing improved security technologies is irrefutable, and this is exactly why exploiting human weakness has become the lucrative path for cyber criminals, from poor configuration and password management to social engineering and spear phishing.

IBM’s 2014 Cyber Security Intelligence Index cites human error as a contributing factor in 95% of incidents.  What we regularly see in businesses is an improved top-level approach employing technology, technical controls and automation but the technology is in reality just the safety net.  What is lacking is an understanding throughout organisations of the individual’s contribution to security both on and offline.  To achieve this, a top-down cyber strategy is required involving a combined focus on people, process and technology.

People as the First Line of Defence

When human error can happen even within IT teams who know best (we regularly come across admin accounts with passwords set as ‘admin’) how do you motivate your privileged insiders, staff and third party suppliers to be the first line of defence?

Current office culture creates a belief that it is IT’s role to protect the organisation, not staff members or third party suppliers.  Simple things such as easy-to-guess passwords, carrying data on USBs, leaving desktops unlocked, or opening attachments may not be something people are aware of.

Organisations winning the fight with human error have shifted their focus to processes and training in four areas:

1) People
Regular education programmes are key, highlighting the individual’s role in security, the latest threats and how they target people (both on and offline), policies, procedures and, just as importantly, the consequences of human error; namely fines, reputation/brand damage and loss of business.  Tailor it to departments and roles and aim to refresh training at a minimum of every 6 months.

2) Processes
Tighten processes and procedural controls from application implementation and administrator controls, to privileged access, data handling and also physical office security.

3) Test & Review 
Some organisations test their internal controls by sending phishing attacks to their own staff.  That way, they can identify who would benefit from further security awareness training.  Similarly physical security processes should be audited on a regular basis.

4) Technology testing
Applications and websites develop and change and weaknesses can appear in code and privileges.  Ensure you have a regular and frequent penetration testing plan to ensure all controls are properly in place and are keeping pace with changes in the external threat environment.

Do we need cyborgs?  While they might be the ultimate hybrid of the human and technology, we can mitigate the risk of human error with the right strategy.  To err is human; people, process and technology is the divine.

We ask this question of you: how do you motivate your users (and other binding parties) to be the first line of defence/IT Security conscious?