Will the Data Protection and Digital Information Bill actually cut red tape?Posted: June 2, 2023 Filed under: cybersecurity | Tags: compliance, data protection, DPDI, GDPR, uk government Leave a comment
The government’s much-vaunted successor to the GDPR is still working its way through parliament. The Tories are hoping for obvious reasons that it shows how nimble the UK can be in post-Brexit regulation. But will the Data Protection and Digital Information Bill (DPDI) actually achieve the operational compliance benefits for UK PLC that the government is claiming?
Legal experts I spoke to for a new feature are sceptical.
To cut or not to cut?
Cutting red tape is one of the government’s biggest claims for the legislation, which it says will end up saving UK organisations billions over the coming decade. The government claims it will reduce “pointless paperwork” without impacting data adequacy with the EU, which is essential to seamless cross-border data flows.
Antonis Patrikios, global co-chair of global privacy and cybersecurity at Dentons, argues that it could make life easier for some firms.
“It could do so by significantly reducing the instances in which documented assessments or records of processing are required or replacing the requirement for the statutory role of the Data Protection Officer (DPO) with a requirement to appoint a Senior Responsible Individual, a member of senior management,” he tells me.
However, Edward Machin, a senior lawyer in Ropes & Gray’s data, privacy & cybersecurity practice, says that these benefits will only be felt by organisations that are subject solely to the UK GDPR. In other words, those with operations in the EU must either choose to maintain two separate compliance regimes, or else make life easier by sticking to the EU GDPR regime—which they’re allowed to under the new DPDI. If they do the latter, they’ll miss out on those much-touted red tape-cutting benefits.
“Businesses that have an existing compliance programme in place which meets the requirements of the EU GDPR may choose to maintain the status quo in certain respects even where not legally required (e.g., DPOs), given the benefits that doing so could have both for their internal processes and the external trust which will be gained by maintaining what are seen to be higher data protection standards,” Machin tells me.
“But UK companies that are also subject to the EU GDPR—or vice versa—will still have to comply with the more restrictive EU standard. Given that most of these organisations are unlikely to operate dual compliance programmes, particularly where they have spent significant time and money building an EU GDPR compliance framework, the benefits of being subject to a lighter-touch UK regime will probably be limited.”
What’s more, the new bill couldn’t come at a worse time for compliance teams already facing new GDPR-like legislation in several US states. The good news is that there will be some crossover, according to Machin.
“Compliance teams tend to be overwhelmed at the best of times, and the flurry of new data laws in the UK, EU and US isn’t going to lessen their workloads. That said, the good(ish) news is that many of these laws are underpinned by the same, or very similar, core principles and obligations—particularly those around transparency, accountability, security and individual rights,” he concludes.
“This means that existing compliance programmes can be tweaked to meet the new or differing requirements of these laws, rather than starting from scratch each time.”
End-to-end encryption: What happens next?Posted: May 3, 2023 Filed under: Uncategorized | Tags: encryption, end to end encryption, government, privacy Leave a comment
The Online Safety Bill (OSB) is still winding its way through parliament. But while much of the analysis so far has been on its provisions to force social media companies to remove “harmful” content, there’s an elephant lurking in the corner of the room. Clause 110 compels not only social media firms but also messaging app providers to identify and take down child sexual exploitation and abuse (CSEA) content.
There’s one big problem here. End-to-end encryption (E2EE), which makes message content impenetrable to providers like WhatsApp. It appears as if the government might be looking at client-side scanning as a solution. Experts I spoke to for an upcoming feature are unconvinced.
What’s client-side scanning?
Put simply, this “accredited technology” would require individuals to download software to their devices. It would run locally, scanning potentially for suspicious keywords and image content that matches a CSEA database, before a message is encrypted and sent. On paper, this preserves E2EE while allowing the authorities to police child abusers. In reality, it will fail on both counts for several reasons.
- Researchers have already worked out it could generate too many false positives to be useful, and could be hacked in other ways
- If client-side scanning were targeted by foreign governments or cyber-criminals, it would put private data potentially at risk
- The bosses of several big-name messaging apps say they’d rather exit the UK than comply with the OSB, which would also make UK firms and consumers less secure
- If client-side encryption comes into force, child abusers will simply gravitate to unpoliced apps, as criminals have in the past with services like EncroChat
- There’s a concern that the technology could be used in the future to police other content types – government mission creep
Matthew Hodgson, CEO of secure messaging app Element, argued that the new provisions directly contradict the GDPR in undermining encryption.
“It undermines privacy and security for everyone because every secure communication app which happens to have abusive users could be obligated to incorporate a third-party scanning solution, which then means every single user is at risk of that scanning solution being exploited by an attacker to break their privacy,” he told me.
“Any business depending on E2EE for privacy may find themselves at a loss, given encryption vendors would be forced to stop providing their services in the UK, as it is literally impossible to preserve privacy whilst also adding a mechanism to let third parties exfiltrate user data.”
Corelight cyber security specialist, Matt Ellison, cautioned against government putting its faith in a “magic technical solution” that doesn’t exist – adding that Apple abandoned similar plans for client-side scanning after a privacy uproar.
“Ultimately the government is proposing to significantly weaken the security of almost the entire nation, for the ability to perform a lawful intercept of an individual suspected of a crime,” he told me.
“Should all vehicles be fitted with a remote kill switch, in case you are deemed to be committing a crime in your vehicle? Should all houses have the same door key type, with authorities maintaining a master key that could get into everyone’s house to gather evidence without you knowing, again, if you are under suspicion?”
Ellison argued that smartphones are much more than just a technically advanced mobile phone.
“The reality is that they are an intimate and highly integrated aspect of our lives and mass surveillance approaches such as this are a gross invasion of privacy and civil liberties.”
What should happen?
According to Hodgson, there are plenty of ways law enforcers could hunt down child abusers.
“These include investigation/infiltration of forums where abusers recruit or advertise, or by analysing communication metadata, or by educating users within apps, and in general, to be mindful of abuse,” he added.
“Blanket surveillance which undermines the privacy of everybody is not the answer.”
Ross Anderson, who wrote a paper on this challenging the conclusions of the NCSC technical director Ian levy, agreed that old-fashioned policing techniques are the answer, rather than technology solutions which promise much but deliver little. The debate between law enforcement/government on one side and encryption specialists/tech vendors on the other has been raging for years. Throughout, the former have argued that tech wizards simply need to apply themselves more diligently to the task in order to find an answer. The latter retort that E2EE can’t be broken without undermining security for everyone.
So where does that leave us? With Labour backing the bill, it will undoubtedly become law. But what of Clause 110? If it remains unchanged, it’s unlikely the government will enforce it. The best privacy and security advocates can hope for is that its most controversial provisions are never enforced. That’s what happened with the Investigatory Powers Act – which incidentally already gives the British government theoretical powers to force tech firms to break encryption. It will probably happen again.
Are we paying enough attention to API security?Posted: April 5, 2023 Filed under: Uncategorized Leave a comment
Is API security on the radar of most IT teams? It’s arguably still not as high on the priority list as it should be. Consider this: an Imperva/Marsh McLennan study from 2022 claimed that vulnerable and unsecured APIs cause up to 7.5% of global “cyber events and losses”, and cost businesses an estimated $75bn annually.
The experts I spoke to for an upcoming feature highlighteed complexity, visibility gaps and skills shortages as key barriers to enhanced API security. As digital transformation initiatives push on across the globe, the need to fill these gaps will only increase.
Out of control
APIs are essential to digital projects, connecting as they do applications to backend databases. But by the same token, if compromised, they could be used to provide a neat pathway to exfiltrate corporate and customer data.
“APIs that aren’t closely monitored can easily fall victim to high-volume attacks such as brute force login attempts and enumeration techniques. They are also often easily identified, are web accessible, and each of their methods documented,” Bridewell Consulting senior pen tester, Andy Tyler, told me.
“Once an attacker knows how to interact with your API they can quickly hunt for vulnerabilities; from authentication issues, to injection attacks, or access control misconfigurations. All of these can lead to sudden data theft on a large scale.”
In fact, that happened to T-Mobile USA last year. Although full details of the incident are yet to be released, the firm admitted in January that an attacker took data on 37 million customers via an API.
For Forrester analyst, Sandy Carielli, security teams and tools have been slow to catch up, even as the number of APIs has exploded.
“A lot of the traditional web app security tools didn’t support APIs, leaving holes in the protection – even as API security has evolved and more solutions are available, organisations struggle to understand what combination of tools and processes are needed,” she told me.
“The tools and processes exist to counter this threat, but many organizations struggle due to the newness of the technology and the number of APIs in their organization. It’s not uncommon for enterprises to have tens of thousands or even hundreds of thousands of customer and partner facing APIs – and they may not have a good grasp of what those APIs are and what they do.”
Bridewell’s Tyler agrees, but thinks things are improving.
“The tools and testing techniques needed for assessing APIs have only more recently reached maturity. Automated scanners in particular are still very poor at identifying API security issues, which can lead to false negative results for those organisations running their own checks,” he said.
“Many of us in this industry are working to demystify many of the API-specific issues for the organisations we work with and we have seen great improvements in their overall API security approaches.”
Out of the loop
As is so often the case, API risk seems to have been allowed to snowball because security isn’t brought in early enough in the software development lifecycle.
“Unfortunately, many organisations have little to no oversight over their APIs given the pace of application development and the lack of visibility security teams have into development practices,” Imperva director of technology, Peter Klimek, told me.
“For example, APIs are often released into production before security teams can review and catalogue them. Such inadequate security practices lead to both ‘shadow’ APIs – an API that isn’t cataloged and is therefore invisible to the security team – and “zombie” APIs, which haven’t been properly disabled and are still accessible. Both of these can be a potential breeding ground for cyber-criminal activity.”
There’s no silver bullet to the challenge of escalating, API-driven cyber risk. But shifting security left, and protecting right through layered measures including encryption, API gateways, web app firewalls and zero trust approaches would seem like a good place to start.
How scammers are capitalising on the SVB collapsePosted: April 4, 2023 Filed under: cybersecurity, Uncategorized | Tags: dailyprompt, dailyprompt-1897 Leave a comment
This piece was first published on ESET’s We Live Security site.
Big news events and major crises usually trigger an avalanche of follow-on phishing attempts. The COVID-19 pandemic and Russia’s invasion of Ukraine are perhaps the most obvious examples, but the most recent one is the collapse of Silicon Valley Bank (SVB). The mid-sized US lender and a key financer of tech start-ups held tens of billions of dollars’ worth of assets when it went bust last week after succumbing to a bank run.
Although the US government stepped in days later to guarantee customers would be able to access their money, the damage was done – and even if you or your business wasn’t affected by the bank’s meltdown, you could still be at risk of cybercrime that exploits such events for nefarious gains.
Ambulance-chasing phishing and business email compromise (BEC) attempts are already hitting inboxes across the globe. Once you’ve weathered the storm, there’s plenty of takeaways that can be used to build a more resilient security awareness program going forward.
The story so far
There’s nothing new in scammers piggy-backing on news events to improve their success rates. But the SVB case has several ingredients that make it arguably a more attractive lure than the norm. These include:
- The fact that there’s lots of money at stake: SVB had an estimated US$200 billion in assets when it went bust.
- Extreme anxiety from corporate customers worried about how to pay the bills if they can’t access their assets, and of individuals concerned about whether they’d get paid.
- Confusion over exactly how customers can get in touch with the failed lender.
- The fact that the collapse came after the fall of Signature Bank, sparking even more anxiety about the whereabouts of funds and the health of the financial system.
- SVB’s global reach – including a UK arm and various affiliated businesses and offices across Europe. This expands the pool of potential scam victims.
- The BEC angle: as many SVB corporate customers will be informing their partners of bank account changes, it offers the perfect opportunity for fraudsters to step in first with their own details.
When something like this happens, it’s not unusual to see multiple domains registered by firms looking to offer legitimate loans or legal services to the ailing bank’s customers. It can be difficult to discern the authentic from those registered for nefarious ends.
There’s a long list of newly-registered lookalike domains that may try to deceive people in the future.
SVB phishing attempts
As always, phishing attempts focus on classic social engineering techniques such as:
- Using a breaking news story to lure the recipient in
- Spoofing SVB or other brands to gain recipient trust
- Creating a sense of urgency to force recipients to act without thinking – not hard given the circumstances surrounding the collapse
- Including malicious links/attachments to harvest information or steal funds
Some phishing attempts have focused on stealing the details of SVB customers – possibly to either sell on the dark web or to create a phishing list of targets to hit with future scams. Others have embedded more sophisticated methods of stealing cash from victims.
One effort uses a fake reward program from SVB claiming all holders of stablecoin USDC will get their money back if they click through. However, the QR code the victim is taken to will compromise their cryptocurrency wallet account.
A separate lure with the same QR-related crypto-stealing end goal used an announcement by USDC issuer Circle as its starting point. The firm said USDC would be redeemable 1:1 with the dollar, prompting the creation of new phishing sites with a Circle USDC claims page.
SVB BEC threats
As mentioned, this news event is also slightly unusual in providing the perfect conditions for BEC attacks to flourish. Finance teams are going to be legitimately approached by suppliers that previously banked with SVB and that have now switched financial institutions. As a result, they’ll need to update their account details. Attackers could use this confusion to do the same, impersonating suppliers with modified account payee details.
Some of these attacks may be sent from spoofed domains, but others may be more convincing, with emails that have been sent from legitimate but hijacked supplier email accounts. Organizations without sufficient fraud checks in place could end up mistakenly sending money to scammers.
How to avoid SVB and similar scams
Phishing and BEC are increasingly common. The FBI Internet Crime Report 2022 details over 300,000 phishing victims last year, cementing its status as the most popular cybercrime type of all. And BEC made scammers over US$2.7bn in 2022, making it the second highest-grossing category. Consider the following to stay safe from the scammers:
- Be cautious about unsolicited messages received by email, SMS, social media etc. Try to independently verify them with the sender before deciding whether to reply.
- Don’t download anything from an unsolicited message, click on any links or hand over any sensitive personal information.
- Look for grammatical mistakes, typos etc. that can indicate a spoofed message.
- Hover over the email sender’s display name – does it look authentic?
- Switch on two-factor authentication (2FA) for all online accounts.
- Use strong and unique passwords for all accounts, ideally stored in a password manager.
- Regularly patch or switch on automatic updates for all devices.
- Report anything suspicious to the corporate security team.
- Importantly, ensure you have up-to-date security software on all your devices from a reputable provider.
For BEC specifically:
- Check with a colleague before changing account details/approving payments for new accounts
- Double check any requests for account updates with the requesting organization: don’t reply to their email, verify independently from your records
From a corporate IT security perspective:
- Run continuous, regular phishing training exercises for all staff, including simulations of currently trending attacks
- Consider gamification techniques which may help reinforce good behaviors
- Build BEC into staff security awareness training
- Invest in advanced email security solutions that include anti-spam, anti-phishing and host server protection and protect threats from even reaching their targets
- Update payment processes so that large wire transfers must be signed off by multiple employees
We all need to be on the lookout for unexpected emails or calls – mainly those coming from a bank and requiring urgent action. Never click a link and input your banking login credentials nor give them over the phone at any time. To access your banking information, use your bank’s official website.
How to repel cyber-attacks on the COVID-19 vaccine supply chainPosted: December 23, 2020 Filed under: Uncategorized | Tags: covid-19, COVID19, gchq, supply chain cyber attacks, vaccine, vaccine cyber attack Leave a comment
With COVID-19 vaccines finally being rolled out to a relieved world, the focus for cybersecurity experts has evolved from attacks on pharma companies that make the stuff to the companies that distribute it. Already, IBM has observed a major nation state phishing campaign targeting various supply chain organisations.
I recently spoke to a few experts for an upcoming Infosecurity Magazine feature to better understand the threats facing these organisations, and what they can do about the situation.
It’s a sabotage
The main threats they highlighted revolved around potential sabotage of distribution pipelines and/or misinformation campaigns designed to discourage users from getting inoculated. Both could be the result of hostile nations like Russia calculating they could gain an economic and geopolitical advantage by getting back to “business as usual” and economic stability before their rivals. There are also opportunities here for more financially minded cyber-criminals.
“It is clear that cyber-criminals will stop at nothing. Whether the motivation is financial gain, disruption, or because they’re on the payroll of a nation-state; not even a pandemic is beyond cyber exploitation,” Nominet’s government cybersecurity expert, Steve Forbes, told me. “Now as the vaccine moves to the transportation phase, there have been more attacks on the vaccine cold chain, the temperature-controlled environment needed to transport and store the vaccine, and the manufacturers of cold chain equipment.”
Unfortunately, there are many points of weakness in supply chains which could be exploited to devastating effect, according to Lux Research senior research associated, Lewie Roberts.
“Attackers are going to look for the easiest way in to a network, which is typically some kind of human error. People are statistically bound to make mistakes sometimes, especially as you increase the number of targets,” he told me. “Stuff like confidential customer information or trade secrets are the types of items that get more focus in the IT world. But as you get closer to physical industries, you’re protecting different types of things. False data on cold chains can result in tons of spoiled products. Attacks on operational tech can pose real safety threats to workers.”
Two former UK intelligence experts had some interesting things to say about the threat of misinformation.
“The overwhelming majority of activity will be criminal attacks for money. However, we have also seen nation states spreading confusion and undermining confidence, as well as stealing vaccine IP,” former GCHQ boss, Robert Hannigan told me. “Hacktivists and hostile nation states will amplify anti-vax messages for the same reasons: to sow division and polarise societies in the West.”
Former British army electronic warfare operator, Martyn Gill, who is now global managing partner at Wembley Partners, had more.
“Political hacktivists look to spread disinformation and noise through such channels as social media, as per the state-sponsored aim of increasing the lack of confidence in what the broad message may be around the vaccine. In many cases these actors are driven by their ideological and political beliefs, however, there remains a subset of actors who seek to cause disruption primarily as a means of entertainment,” he told me.
“Since the UK announced it was rolling out a COVID-19 vaccine, we have seen an increase in related phishing domains set up looking to target this new opportunity, as the general populace looks to understand what this means for them.”
So what happens next? For Gill, information sharing is crucial.
“Strong communication and agreed intelligence sharing around trusted eco-systems will support a broad range of businesses to help them understand new threats whilst being able to share indicators of ongoing campaigns,” he explained. “Micro, small and medium businesses who don’t have big security budgets or security teams to monitor networks, implement vulnerability management and threat intelligence programs can look open source platforms like IBM X-Force, Alien Vault OTX but also trusted individuals who deliver awesome advice through social media.”
According to Lux Research’s Roberts, the right response should focus on people as much as technology.
“Mapping data flows and endpoints, evaluating vendors, and having plans for breaches are all important and deep topics,” he argued.
“But moving away from the technology and towards the organization side, businesses need to hire experts and give them the influence and resources necessary to do the job. Safety and security aren’t often glamorous, but winning players recognise their importance before a problem arises.”
Asia tech in 2021: this way to the next normalPosted: December 23, 2020 Filed under: Uncategorized | Tags: Ant Group, apac, Asia COVID-19, asia tech, Google Cloud, US China trade war Leave a comment
These are perilous times to be making predictions about the future. The bolt-out-of-the-blue that was COVID-19 rendered many forecasts this time last year almost immediately worthless by March. Governments and businesses in APAC, as in the rest of the world, have spent most of 2020 first in fire-fighting mode, reacting to stem the immediate public health and economic damage from the pandemic. More recently, there’s been a concerted attempt by larger organisations to adapt, and even thrive in the new conditions. This will continue into 2021.
In many ways, APAC is one of the regions best equipped to do so. Many countries such as China, Vietnam and South Korea have seen their public policies pay dividends through declining infection rates and a recovering economy. However, there are two important caveats: Asia Pacific is a huge region with much diversity, making it difficult to draw simple conclusions. There’s also the small matter of US-China relations, which are more than likely to continue in a downward trajectory, even with Joe Biden in the White House.
US-Sino tensions set to continue
There are many officials in both governments who may hope that the Biden era will signify a new thawing of relations with China. After all, as Veep under Barack Obama, Biden pursued a far more conciliatory approach to the Middle Kingdom. However, things have changed a lot since then, with strong bipartisan opposition to China hardening in Congress and among most Americans.
In fact, Biden has already pledged to restrict imports from China deemed a national security threat, and to hit back at any countries that try to undercut US manufacturing using state subsidies, according to The Economist. This would seem to suggest his first term could pick up from where 2020 left off, although with more clarity of messaging and unity of purpose than we’ve seen in the past four years. Expect the US to engage internationally to form a coalition of nations pushing back against Chinese geopolitical bullying, state subsidised tech exports and cyber-espionage.
For those businesses stuck in the middle of the escalating trade war, including many technology firms, this could make for another challenging year ahead. Those with manufacturing plants and suppliers in China may want to continue moving operations out to nearby countries such as Vietnam and Malaysia, that can offer what they’re looking for at the right price. An additional factor is the growing disquiet over China’s treatment of Uyghurs: as Apple found out this year, suppliers may be blacklisted by the US over alleged forced labour abuses.
It’s not just the impact of the trade war, Uyghur oppression and US national security concerns that are forcing the hand of business leaders here, it’s also the lessons learned by COVID-19 and the huge impact it had on supply chains. Diversity of suppliers and geographies will be key to spreading risk in 2021 and beyond.
China goes it alone
In response, China will increasingly look to drive self-sufficiency in tech via massive state subsidies, global espionage and huge R&D spending. It’s unlikely that it will produce a domestic operating system to rival Windows, Android or iOS in 2021, but don’t rule it out happening in the next few years. Other areas China will be looking to reduce its reliance on the US include chip-making, where Huawei’s HiSilicon has already broken into the global top 10, and artificial intelligence. In fact, China is so fixed on becoming the world leader in AI that it recently labelled it a matter of “national economic security”. The missive was intended to signal in no uncertain terms that ByteDance would not be able to sell its prized “recommends” algorithm to a US firm.
As China’s global tech swagger grows it’s also likely to be more brazen in efforts to punish US firms operating in the country, and to institute strict controls over private business. Xi Jinping has already signalled his intent to tighten the Communist Party’s grip over domestic enterprises, which could make it harder for firms like ByteDance and Huawei to claim autonomy from government and geopolitical matters in the face of US hostility. The last minute suspension of fintech giant Ant Group’s $37 billion IPO is a clear signal that no company can be above the Party.
Digital growth will help APAC bounce back
Away from China, the big story in APAC as a whole next year will be increased spending on digital transformation to drive post-pandemic growth. As we revealed earlier in the year, IDC estimates that APAC spending in public cloud will reach $34.5bn in 2020 — up from $26bn in 2019. Forrester reckons it will grow another 35% in 2021 as businesses double down on the computing model that helped to save operations during the darker days of the pandemic. This will be good news for US tech giants AWS and Microsoft Azure, although the analysts predicted Alibaba will take the number three spot revenue-wise globally thanks to its anticipated gains in 2021, pushing Google Cloud out.
However, Google will be making some notable gains in specific geographies like Indonesia, where it beat its US and Chinese rivals by launching a cloud datacentre last year. Expect these investments in various APAC countries to support a new wave of digital disruption as businesses look to meet customer and employee demand for seamless app-driven experiences.
In migrating to these new environments, the region’s businesses must ensure that cybersecurity and data protection are designed into new technologies from the outset. In fact, cybersecurity was highlighted by over half of respondents to 2020 IDG Connect poll as the biggest IT challenge of the pandemic. Local organisations must tackle not only cybercrime attacks but also the increasingly aggressive behaviour of state-backed operatives in China and elsewhere. A recent report revealed yet another Beijing-backed APT has been targeting multiple southeast Asian governments over the past two years.
Ultimately, APAC will thrive in 2021. The World Bank predicts that growth will soar from -0.5% in 2020 to hit 6.9% as economic activity normalises once again. The trends for digital transformation present before the pandemic will gain extra urgency, and budget, over the year ahead, expanding corporate attack surfaces but also driving profits—especially those of Western tech firms. However, deteriorating China-US relations could result in a few surprises along the way: perhaps not the fireworks of previous years, but enough to make boardrooms continue to rethink their options in APAC.
This was my latest for IDG Connect, published here earlier this month.
Covid-19: the delicate balance between security and productivityPosted: May 6, 2020 Filed under: Uncategorized | Tags: business continuity, covid-19, home working, patch, phishing, ransomware, remote working, SoC Leave a comment
As many countries enter their second full month of Covid-19 lockdown, its impact on the threat landscape and enterprise cybersecurity is starting to become clear. I spoke to several experts a few weeks back for an Infosecurity Magazine news feature on the topic.
Some of the key challenges facing organisations are in enabling secure remote working en masse without impacting productivity.
“The fact that employees are transitioning to working from home is the key risk. All these employees are now working in new environments using technology and processes they are not used to, something bad guys will take advantage of,” SANS Institute director of security awareness, Lance Spitzner told me.
“All of this change creates an environment where it is very simple for bad guys to take advantage of and trick people working from home for the first time. They don’t have all the security technology protecting them at home that they normally would at work.”
The SANS guide to secure home working advises users to: be suspicious of any emails trying to create a sense of urgency to click through or enter info; take steps to protect home Wi-Fi (change default passwords and restrict access); create strong passwords on any websites; ensure all devices are running the latest software; and don’t let family and friends use work devices.
Proofpoint’s senior director of threat research and detection, Sherrod DeGrippo, agreed that users are at the frontline when it comes to tackling Covid-19 cyber-threats.
“We recommend that organisations prioritise a people-centric approach to security that protects all parties (their employees, customers, and business partners) against these threats, including layered defences at the network edge, email gateway, in the cloud, and at the endpoint, along with strong user education,” he told me.
“Users should be encouraged to approach all unsolicited emails with caution, especially ones that request the user to act, like downloading/opening an attachment, clicking a link, or entering credentials.”
Restricting users according to least privilege policies is also a must-follow best practice, as hackers go after VPN log-ins to directly access data and applications, DeGrippo added. In fact, there have been widespread reports of cyber-criminals targeting remote access infrastructure; not only via phishing emails and brute forcing but also exploiting unpatched vulnerabilities. Microsoft has warned of APT-like behaviour from many well-known ransomware groups, which are targeting hospitals.
Time to automate?
However, aside from the uptick in Covid-themed phishing, which is delivering crypto-jacking malware, ransomware, info-stealers and more, the pandemic has forced IT security teams to work in different ways. Michael Armistead, co-founder and CEO of Respond Software, argued that SOCs and security departments are faced with both minor and meta challenges.
“Making sure practitioners can perform their jobs remotely with adequate bandwidth and communication platforms, and have the ability to act on security incidents will be a challenging undertaking for many firms,” he told me.
“I believe many of those tools and platforms are in place … but you just never know how well they will work in practice if an organisation is now distributed for the first time. Still, I’d count these very real and very practical issues as minor because they can be solved in relatively short order.”
In fact, research emerging suggests that security teams are struggling. A global poll by industry body ISACA found that only around half (59%) of members feel their cybersecurity team has the right tools and resources at home to perform their job effectively. Tellingly, just 51% are highly confident that these teams are ready and able to detect and respond to rising volumes of threats. A separate study from (ISC)² revealed that nearly half (47%) of global security professionals have been taken off some or all of their typical tasks to support other IT-related jobs, like WFH. A third report, from Barracuda Networks, ominously suggested that 41% of firms have actually cut IT security budgets to save money during the crisis.
In fact, investments in specific technologies could be a smarter way of reducing costs and improving security outcomes during the crisis, according to Armistead.
“The situation screams out for automation to relieve the pressure on people to sift through mountains of data and to act quickly,” he said. “SOCs and IT security teams need to look at their processes and procedures in light of the distributed workforce. Do they make sense and how quickly can issues be resolved?”
The immediate future remains uncertain, but if remote working is to become more widespread as the pandemic recedes, IT and security leaders better adapt to the new reality fast.
Covid-19 and the problem with IT supply chainsPosted: February 25, 2020 Filed under: Uncategorized | Tags: china, coronavirus, covid-19, supply chain, us trade war Leave a comment
Here’s an article I wrote the other week for IDG Connect. The situation is rapidly evolving, but most of the commentary is still bang on:
As the world’s IT manufacturing centre and a huge market in its own right, anything that happens in the China can have a significant impact on the tech industry. So the boardrooms of multi-national IT players everywhere will once again be on high alert as the new coronavirus brings factories to a halt in the Middle Kingdom.
As if the persistent threat posed by Donald Trump’s protectionist trade war wasn’t enough to contend with, the newly named Covid-19 is already having a chilling effect on key supply chains and components. It may further accelerate plans for manufacturers to move facilities out of China and could even impact 5G deployments, according to analysts.
Bigger and badder than SARS
First reported to the World Health Organisation (WHO) on December 31, Covid-19 has now claimed over 1,000 victims and infected nearly 43,000, mainly in China. As such, it’s now more deadly than the SARS epidemic of 2002-3, which had a major impact on the Chinese and global economy at the start of the century.
It’s impact on tech is two-fold: in closing down factories in quarantined areas and preventing workers from travelling to facilities; and in subduing the usual sales bonanza in China around the Lunar New Year holidays at the end of January. In many cases, it appears as if workers have been stranded in their home towns, unable to travel back to the regions in which they usually live and work.
The annual Mobile World Congress (MWC) event in Barcelona has even been cancelled after big-name Asian firms pulled out. This is not insignificant, according to Forrester analyst, Alla Valente.
“For the thousands, if not millions of meetings, conversations and deals that would have taken place, this has long-term implications for vendors, suppliers and customers,” she tells me by email.
Huawei also postponed its annual developer conference in Shenzhen this week. Analysts tell me that tech giants including Dell, HP, Apple, Samsung, Qualcomm, Microsoft, Google, Intel, Sony, LG and even Facebooks’ Oculus brand are in the firing line. But some sectors are more exposed than others.
Where is Covid-19 hitting hardest?
Displays: With five large display factories located in the Covid-19 ground zero of Wuhan, it’s perhaps not surprising that this sector is impacted. According to analyst Omdia, utilisation rates at Chinese display fabs will drop by 20-25% in February with total production/output set to fall by 40-50%. Producers are hit by both component and labour shortages thanks to quarantining efforts by the Chinese government.
LCD polarisers and LCD module printed circuit boards (PCBs) are in particularly short supply due to logistics issues, even as most facilities resume production. This could apparently affect 5G smartphone production as well as other products: China reportedly makes around half the world’s supply of TVs, laptops, and PC monitors.
Smartphones: Along with the problems in LCD displays, many of the world’s biggest producers of smartphones including Apple have major production facilities in China. Two major Foxconn facilities used by the iPhone-maker were reportedly given the green light to reopen this week, but only 10% of workers had so far been able to return. Foxconn shares slumped 11% since markets reopened following the New Year break. Analyst Trendforce reportedly cut its forecast for iPhone production in the first quarter of 2020 by around 10% to 41 million handsets.
It’s not just production of smartphones that’s at stake. Although the giant Chinese market was set to rebound in 2020, this now seems unlikely, in the short term at least. IDC expects China’s smartphone shipments to slump more than 30% year-on-year in Q1 2020, and warned of “uncertainty in product launch plans, the supply chain, and distribution channels, in the mid and long term.”
Servers: According to reports from Taiwan, server shipments grew by over 13% in Q4 2019 but are expected to be affected by Covid-19 in the first three months of 2020. Although demand from large datacentres remains strong, the virus outbreak has impacted the upstream supply chain, which will cause shipments to decline 9.8% from the previous quarter, versus a previous estimate of 1.2% growth.
What happens next?
Although some reports from China claim hopefully that the disease appears to be slowing, it took five months before the SARS outbreak was officially recognised by the WHO as contained. As such, it’s still far from certain when travel restrictions will be relaxed by Beijing so that workers can return to production plants. The longer the current situation continues, the bigger the potential impact on supply chains.
Omdia claims, for example, that while currently global semiconductor supply appears unaffected, this could change if the public health situation worsens. Meanwhile, IDC analysts warned in an emailed note: “Since a large amount of the surface mount technology (SMT) and PCB manufacturing factories for both consumer goods and datacentre products are produced in China, and even in Wuhan in some cases, much of the supply chain is at the mercy of the government closure of critical infrastructure.”
For Forrester’s Valente, Covid-19 has the potential to disrupt not just 5G rollouts but the wider global economy.
“It will delay product launches – if they’re lucky. With so many supply chains adopting the Just-In-Time approach to inventory and manufacturing, some launches may need to be cancelled outright,” she argues.
“As the pandemic impacts more supply chains, what happened when products, parts, resources run out? Will all the business depending on them experience disruption? The long-term impact is greater than the economy of China or the region. We’re living in an interconnected business economy, and Covid-19 could impact the global economy.”
The future: diversify
In the meantime, the best thing organisations can do to mitigate the risks posed by the next Covid-19 is to revise and update business impact analyses (BIAs), according to Forrester. This should include four main steps:
- Classify business processes according to criticality
- Improve supply chain resilience by diversifying with multiple suppliers and geographies
- Identify which customers should receive priority treatment
- Provide extra resources and enhance automation to take the strain off your reduced workforce
The analyst warned that climate change will make pandemics like this more common in the future. As the tech industry picks up the pieces once Covid-19 has blown over, the lasting impact may be an acceleration of a trend already begun thanks to the US trade war. Namely, moving tech production out of China.
How do US cities tackle the ransomware threat in 2020?Posted: January 1, 2020 Filed under: Uncategorized | Tags: cybersecurity, disaster recovery, information security, outages, ransomware, us municipalities, US ransomware Leave a comment
If there’s one cybersecurity story that dominated the headlines more than any other in 2019, it was the surge in high-profile ransomware attacks on the US public sector. Municipalities all over the country were caught out, leading to major disruption of local schools, emergency services, courts and other public services. It was a reminder, if any were needed, of the absolutely critical role IT systems now play in society.
But what can IT security chiefs learn from the travails of the past year to improve resilience as we head into a new decade? I spoke to several experts recently for an upcoming Infosecurity Magazine feature.
Drowning in ransomware
According to estimates from Emisoft, 103 municipalities and 759 healthcare providers, along with 1,224 schools, may have been impacted by ransomware as of December 2019. These include major cities such as Baltimore and New Orleans, as well as countless other smaller local authorities like Pensacola and Riviera Beach.
Why are these organisations suffering in such great numbers? According to the experts I spoke to, it’s a combination of under-investment in cybersecurity, and the propensity of some high-profile targets to pay-up — encouraging copycat attacks.
“Public sector bodies have been very heavily targeted by ransomware lately. This trend has likely been helped by some public sector entities paying substantial sums to ransomware criminals,” said SANS Institute dean of research, Johannes Ullrich. “Access to information is also very important to public sector entities to conduct business, and under-investment in business recovery plans has led to a lack of backups or other fallback mechanisms.”
According to Scott Styles, data orchestration and resiliency lead at Raytheon Intelligence, Information and Services, current security systems are struggling to keep pace with evolving threat techniques.
“Ransomware is designed to avoid detection and exploit the social nature of the network by hiding in files or hyperlinks that businesses need for day-to-day operations. In addition, ransomware only has to be executed once to be successful and it must be detected as well as removed quickly before it can lock or overwrite files. This is unlike other malware that may need to remain in a system for a significant amount of time, or evade detection within a vulnerable system, allowing more time for detection and removal,” he told me.
“While the time-sensitive value of data and services within these organisations makes them prime targets, the main challenges are not much different than other sectors. Vulnerabilities are numerous, people make mistakes and the threat evolves quickly, creating a perfect storm.”
Weathering the storm
The good news is that a defence-in-depth approach utilising key best practice controls can make a big difference, he added. These include AV, up-to-date patching and configuration management, regular backups, and employee security awareness training.
“They should also consider a multi-dimensional approach that integrates hardware, software, network, and behavioural monitoring into a zero-trust resilient solution,” explained Styles. “These solutions typically have the ability to remain operational even if the threat has defeated perimeter defences or is an insider threat.”
For Kevin Lancaster, general manager of security solutions at Kaseya, one of the biggest threats to US public sector bodies is their use of legacy systems. This makes prompt patching more challenging, but also more important than ever.
“The US Department of Homeland Security (DHS) recently issued a new Binding Operational Directive (BOD 19-02) instructing government organisations to patch critical vulnerabilities within 15 days, and high severity vulnerabilities within 30 days,” he told me.
“Patching on time helps reduce the attack surface and ensures vulnerabilities are mitigated quickly. Automating patch management is moving a step ahead. With tight budgets and limited manpower, government agencies can make sure that patches are not missed across the entire network with an automated patch management solution.”
Local governments must get proactive, by developing and testing incident response and business continuity/disaster recovery plans — if necessary, in concert with third-party providers. However, city staff are also a vital asset in helping to mitigate the threat, Lancaster added.
“For government organisations to be fully prepared to tackle cyber threats, IT directors should have a long-term vision which includes up-skilling their employees in areas of cybersecurity,” he concluded. “With budget constraints always at the forefront of concerns, it might not be feasible to routinely train every member of the team. Instead, areas to focus can be prioritised and worked upon to implement effective up-skilling.”
When ethics meets cybersecurity: how should vendor choose who to sell to?Posted: December 18, 2019 Filed under: Uncategorized Leave a comment
When we talk about ethics in cybersecurity, it’s largely a matter of where researchers should draw the line so that their behaviour doesn’t start to resemble the black hats their tracking. But there are also serious choices to be made by the security vendors they work for in terms of who ultimately gets to use their products. After all, in the wrong hands, legitimate tools could make the world a darker place, and expose vendors to potential fines and reputational damage.
I spoke to some experts about this for an upcoming Infosecurity Magazine article.
Complexity is everywhere
Discussions around ethics and cybersecurity came to a head recently when WhatsApp launched legal proceedings against a well-known Israeli ‘cyber intelligence’ firm, NSO Group, alleging it had helped to develop and deploy malware that was subsequently used to spy on civilians in the Middle East and elsewhere.
Firms like these notoriously operate in a grey area, claiming they only sell their wares for legitimate law enforcement and intelligence uses. Yet what about the much larger market of ‘regular’ cybersecurity vendors? What controls have they, or should they have, in place to limit who gets hold of their kit? After all, deep packet inspection tools could be subverted by despotic regimes to monitor legitimate internet traffic, and IP address filtering to enforce rigorous state censorship, for example.
Trade association techUK has developed a lengthy guidance document for organisations not sure of where their legal obligations stand, and how to comply. But even then, programme manager, Dan Paterson, told me that it can be difficult for especially smaller vendors to conduct due diligence effectively, particularly in the tricky area of dual-use technologies.
No cause for concern?
Even if they can’t, there may be no cause for concern, according to Privacy International’s state surveillance program lead, Edin Omanovic. He told me that, in fact, current UK export rules rely too much on “non-binding and unenforced risk assessments”, which makes it easy for unscrupulous vendors to sell to hostile nations.
It’s a point echoed by Luta Security CEO, Katy Moussouris, who is helping the US government negotiate the global control regime known as the Wassenaar Arrangement. She suggested when I spoke to her that export controls in tech aren’t even really there to restrict the flow of goods outwards, but merely to give domestic governments a better understanding of what its companies are producing.
If that’s true, then what’s the harm? Well, there are still major risk calculations that organisations must undertake — and it’s not just about selling to authoritarian regimes, according to Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec).
“As with any other aspect of security, vendors need to consider risk when choosing their customers. Selling to the wrong customer might mean that a vendor has no way to support its product or resolve contractual disputes, resulting in wasted resources. It might mean that the vendor loses its unique IP, and ultimately its market position,” she explained to me.
“It might mean that the vendor loses the trust of many customers, if a new line of business opens those customers up to new threats. Even if there is no direct risk to the vendor itself, dealing with customers seen as unethical can still damage a business’s reputation. The vendor may still feel that going ahead with a sale is the right decision, but it needs to have weighed the risks beforehand.”
As with most things cybersecurity, therefore, it all boils down to risk management. And with CSR increasingly important in what is a crowded marketplace, ensuring you’re seen to be acting ethically is vitally important, even if export controls aren’t.