Coinhive attacks and how to prepare for the (almost) inevitable
This week’s report that more than 5,000 websites, including that of the Information Commissioner’s Office (ICO), have been hacked shows that it really can happen to anyone. Other affected websites, where malware took over the processing power of their users’ devices, include the Student Loans Company, the council websites for Manchester City, Camden and Croydon, and the home page of the United States Courts. Although the initial reaction may be one of schadenfreude – pleasure in someone else’s misfortune – a more measured response would be to realise and accept that hackers are now so ingenious and creative that everyone, including those with top-class cyber defences, is likely to be subject to attack at some point.
This latest hack involved a piece of cryptocurrency-mining malware, called Coinhive, which ran in the background of visitors’ browsers while the webpages of the hacked organisations were open. This forced visitors’ computers to run the mining programme, which the attacker can then use to gain small fractions of cryptocurrency from each victim.
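As an added defender-side illustration (not code from SRM or from the original post), the following Python audits a page’s HTML for script tags that could pull in a browser-based miner of the kind described above; the trusted-origin list, the miner keyword list and the sample HTML are constructed assumptions.

```python
# Added example (not SRM's code): flag <script src> tags in a page that could
# load an in-browser cryptominer. The trusted origins, miner hints and sample
# HTML are constructed assumptions for illustration.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_ORIGINS = {"www.example.gov.uk", "cdn.example.gov.uk"}  # constructed
MINER_HINTS = ("coinhive", "cryptonight")  # constructed keyword list

class ScriptCollector(HTMLParser):
    """Collect (src, has_integrity) for every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.external = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.external.append((a["src"], "integrity" in a))

def audit(html):
    """Return (severity, description) findings in document order."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for src, has_sri in parser.external:
        host = urlparse(src).hostname or ""
        if any(hint in src.lower() for hint in MINER_HINTS):
            findings.append(("high", f"script URL names a mining library: {src}"))
        elif host and host not in TRUSTED_ORIGINS:
            note = "" if has_sri else " without Subresource Integrity"
            findings.append(("medium", f"third-party script from {host}{note}"))
        elif host and not has_sri:
            findings.append(("low", f"trusted script {src} is not SRI-pinned"))
    return findings

# Constructed sample: a pinned trusted app.js, an unpinned trusted
# analytics.js, an unpinned third-party widget and a miner library URL.
SAMPLE_HTML = """<html><head>
<script src="https://cdn.example.gov.uk/app.js" integrity="sha384-CONSTRUCTED"></script>
<script src="https://cdn.example.gov.uk/analytics.js"></script>
<script src="https://cdn.widget.example/widget.js"></script>
<script src="https://coinhive.example/lib/miner.min.js"></script>
<script>var cfg = {site: "demo"};</script>
</head><body>Hello</body></html>"""
```

Relative script paths on the site itself carry no hostname and are not flagged, so a check like this complements, rather than replaces, integrity monitoring of the site’s own files.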
So, how can we protect ourselves? The honest answer is that we can’t fully. What we can do, however, is to be prepared for the probability that our systems will be attacked at some point and to reduce the potential impact this will have. Developing a robust Incident Response protocol is an important start and here a Retained Forensic (RF) service will be of immense benefit. With a detailed knowledge of your systems, an RF team is able to mitigate the damage swiftly and effectively.
Damage limitation is crucial but, in the long term, building additional layers of security into your system’s architecture is also key. We need to ensure we are not giving away information without meaning to. We should also consider our defensive architecture but it is important that we balance the need for security with the practical requirement for our systems to be functional and easily navigable.
Achieving this balance is a complex issue. SRM’s VirtualCISO (vCISO™) service can resource and support the incumbent CISO or DPO in managing this task. From providing expert strategic guidance to taking on the full CISO role, our vCISO™ team has many years’ experience in providing robust yet agile defences. We work with our clients across a range of services including Incident Response, Retained PFI, Digital Forensic Investigation and Security Breach, Incident Management and Containment Support.
To find out more, visit our website or contact Mark Nordstrom on 03450 21 21 51 or firstname.lastname@example.org
GDPR: the world will not stand still on 25th May 2018
The 25th May 2018 is not an end date. Far from it. It marks the beginning of a new era in data protection but one that will continue to evolve as our online world continues to develop. So, although organisations will be required to be compliant with the General Data Protection Regulation (GDPR) from that date, it is an ongoing process, not Armageddon.
In the words of the ICO’s Information Commissioner Elizabeth Denham: ‘It’s an evolutionary process for organisations – 25 May is the date the legislation takes effect but no business stands still. You will be expected to continue to identify and address emerging privacy and security risks in the weeks, months and years beyond May 2018.’
For organisations with GDPR firmly on their radar, the primary focus seems to be on reaching a level of compliance by GDPR Day 1, but what about Day 2 and beyond? Those who are fully compliant by 25th May will need to work hard to remain compliant. Those who are not yet completely ready will need to work even harder to reach and maintain compliance or risk substantial fines. The key factor to remember, however, is that it will be nigh on impossible to achieve perfect maintenance of absolute compliance. So, take comfort from the fact that the ICO has stated that those who are able to demonstrate that appropriate systems and thinking are in place will find that the ICO takes this into account when it considers any regulatory action.
So, while absolute compliance may be an intended aim, what organisations really need to focus on is the fact that they can demonstrate the thinking and the steps they have taken to be compliant. That is not to say that anyone will get ‘A’ for effort if no practical steps have been taken.
As Elizabeth Denham explains, there is no excuse when it comes to GDPR: ‘There will be no ‘grace’ period – there has been two years to prepare and we will be regulating from this date…We all know what’s coming. It’s a known known. Much of the GDPR builds on the existing Data Protection Act 1998. There’s also guidance and a lot of help out there…’
SRM’s GDPR team provides a business-focused service to organisations of all types and size, at all ends of the GDPR-readiness spectrum. While we provide unrivalled technical and compliance expertise, we also understand how businesses operate, working with clients in the GDPR compliance process with the focus on delivering robust, efficient and effective on-going compliance, not on selling products.
SRM has operated in this environment for many years. Our GDPR consultants are trained through a GCHQ-approved qualification and are able to advise on the strategic management of GDPR compliance. We can also take on the full Chief Information Security Officer (CISO) or Data Protection Officer (DPO) roles in either traditional part time roles or via our VirtualCISO™.
VirtualCISO™ is proving a popular option for businesses which require broad levels of expertise to complement existing skill sets and roles in a flexible manner.
To find out where you are in terms of GDPR readiness, complete our free online GDPR Self Assessment Questionnaire.
To find out more about what SRM’s GDPR team can do for you, contact Mark Nordstrom (email@example.com) or 03450 21 21 51, or check out our website: https://blog.srm-solutions.com/are-you-ready-for-gdpr/
Or read our blog:
GDPR: a question of confidence
GDPR has been developed to protect us from breaches like Uber
After GDPR what will happen to ICO notification fees?
Shipping news: how to manage a ransomware attack
Disproving the idea that there is no such thing as bad publicity, the shipping company Clarksons is doing its level best to limit the PR damage caused by a recent ransomware attack. They have so far done an admirable job, demonstrating that transparency is key in the early days of a breach.
Firstly, the world’s largest ship broker has admitted that the breach has taken place and that data is soon to be released. Secondly, the company has clearly set out the steps it is taking to minimise the potential damage. It has announced that it has taken immediate steps to manage the incident and is working with specialist police and data security experts. The initial investigation has shown that unauthorised access was gained via a single and isolated user account, which has now been disabled.
At the moment, the exact extent of the data stolen is unknown but, because the company has refused to pay a ransom to the hacker who carried out a criminal attack on its computer systems, a large-scale leak of private data is to be expected.
In the short term, the company has been hit by the announcement. Shares in Clarksons fell by more than 2 per cent, despite the company’s insistence that the hack would not affect its ability to do business. In the longer term, however, their diligent and principled stance should stand them in good stead. Hiding a breach from the media and even more importantly, those who have potentially been affected, is much more damaging in the longer term. Consider Uber’s recent exposure for having tried to cover up a large scale breach.
Issues of cybersecurity are now at the forefront of most board agendas. The imminent enactment of the EU General Data Protection Regulation (GDPR) in May is bringing the issue into even sharper focus. Under the terms of GDPR and the proposed UK Data Protection Bill, fines will be significantly higher if an organisation is considered to have been negligent in the event of a breach. Investment in providing support and resource to Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) is now considered cost-effective.
Yet in today’s digital and commercial landscape even the best-resourced companies will be prey to this type of criminal attack. The most important thing is to recognise this probability and ensure that a proactive approach is taken to both defence and, in the event of an attack, incident response.
A robust defence will include an expert scoping of the system which identifies gaps in compliance and security. This is likely to include advanced penetration testing as well as retained forensics. Having a cyber security specialist involved in the correct mapping and identification of data means that, in the event of an unforeseen attack, they have the knowledge and capability to minimise and mitigate the effect of the incident swiftly. As the Clarksons incident demonstrates, the ability to deploy an immediate response is an important element of damage limitation.
Or see some of our blogs:
What is Red Team engagement?
It’s not a question of if, but when
US statistics warn of new trends in cybercrime: how retained PFI can mitigate the risks
What is the password?
By Gerard Thompson, Information Security Consultant
With over 3,500 MPs, lords and staff, being a computer security administrator in the Houses of Parliament must be a stressful job. They have a lot to think about. There is the possibility of state-sponsored brute force cyberattacks, much like the one that compromised 90 ministerial accounts in June 2016. There are also other, more delicate issues to be negotiated, like the fact that there were 113,208 attempts to access pornographic material within Westminster in 2016 alone. Yet in actual fact one of the most alarming revelations from the Houses of Parliament this month has been the admission by a number of MPs that their passwords are far from secure.
Admittedly, the social media admissions by MPs that they shared login details with staff were posted to help defend Damian Green, who has recently been accused of accessing thousands of pornographic images on his House of Commons computer back in 2008. They wanted to make the point that it might not have been him, given that others might have had his password. Yet, for information security professionals, these admissions were probably more shocking than the news story they were attempting to deflect.
One MP tweeted: ‘My staff log onto my computer on my desk with my login every day. Including interns on exchange programmes. For the officer on @BBCNews just now to claim that the computer on Green’s desk was accessed and therefore it was Green is utterly preposterous!!’
The same MP went further that afternoon: ‘All my staff have my login details. A frequent shout when I manage to sit at my desk myself is, ‘what is the password?’’
Unsurprisingly, cybersecurity professionals on Twitter have been shocked by such admissions, with many pointing out that it demonstrates a severe lack of privacy and security understanding within Westminster. To the consternation of the information security industry, however, other MPs have proceeded to jump in, tweeting their own confessions. One such tweet said: ‘I often forget my password and have to ask my staff what it is.’
Another tweeted: ‘Less login sharing and more that I leave my machine unlocked so they can use it if needs be.’
With these admissions, it might be believed that the House of Commons does not have an Information Security policy. Of course it does. The House of Commons Staff Handbook has a specialised section on Information Security Responsibilities, and the House of Commons Advice for Members and their staff specifically states that MPs should not share passwords. It is therefore more a question of awareness and training than of policy. After all, the majority of breaches occur through user error, so Westminster staff need to be reminded of their responsibilities.
Other government departments are exemplary in their information security procedures, providing best practice examples of how it should be done. With GDPR and the UK Data Protection Bill soon to be enacted, making the responsibilities of data holders even more stringent, the Houses of Parliament should also lead the way in demonstrating a robust stance on data defence.
SRM provides a complete range of information security services, from GDPR compliance to advanced penetration testing; from its Virtual CISO service to full blown Incident Response. To find out more, for a no-obligation discussion contact firstname.lastname@example.org or call 03450 21 21 51.
Law practices are prime targets for criminals
PWC’s 25th Annual Law Firms Survey found that 73 per cent of respondents had suffered a security incident in 2016. These ranged from insider threats to the phishing of login credentials and ransomware. Routinely keeping large amounts of extremely sensitive data on file for long periods of time, law firms need to be particularly vigilant. Yet awareness, training and top-of-the-range technology solutions will only go some way in providing a defence. Given the ingenuity of hackers, they are unlikely to be sufficient in the long term.
The good news is that the solution is not about buying lots of additional products or simply throwing money at the problem. A strategic approach will provide a more robust and more cost-effective solution. The effective scoping of the risks and vulnerabilities to which an individual firm is exposed means that defences are maximised using only precisely-targeted and relevant services.
When the EU General Data Protection Regulation (GDPR) becomes effective in May 2018, the regulatory obligations of any organisation which holds data on EU citizens become even stricter. The new legislation will not just apply to those with European customers. The current UK Data Protection Bill, which is also due to be enacted in May, enshrines the principles of GDPR into UK law. In addition to new reporting requirements, there will be a greater emphasis on mapping data: knowing exactly what information is held and where.
A specialist consultancy has the experience and expertise to ensure that top level security is provided in the most cost-effective way possible. From advanced penetration testing to compliance and regulatory issues; from data mapping to ensuring there are no gaps anywhere in the system; it is important to have an overall strategic and correctly scoped plan.
While Data Protection Officers (DPOs) and Chief Information Security Officers (CISOs) take on the day-to-day responsibility, every member of the board or partnership is also responsible for compliance. To ensure that the ever-changing cyber threat landscape is fully understood, additional support and resource is required. Just as a finance director receives support from accountants, a consultancy which operates at all levels of the cyber security spectrum will be able to provide additional expert guidance to DPOs, CISOs, boards and partners. The reputational and financial consequences of a breach can have devastating effect on the whole firm. Board or partner level support for information security and compliance is therefore essential.
SRM is at the forefront of information security in the UK. As a cyber security supplier to HM Government, we understand large organisations, but our clients also include corporates, charities and SMEs. Our GDPR team provides expert guidance and is also able to scope a client’s system for frailties and vulnerabilities through bespoke penetration testing, assist with accurate data mapping and provide a whole range of additional services developed to support CISOs and DPOs at various levels, from compliance to disaster recovery.
Our eDiscovery team is also on hand to provide technical expertise and resource for all aspects of eDiscovery, from the reduction and redaction of data to the presentation of evidence in a legally acceptable manner. SRM provides a range of highly professional, cost-effective solutions suitable for law firms of all sizes, from the provision of a low-cost ‘E-Discovery Lite’ package to the involvement of Expert Witness Forensic Consultants or the use of a Virtual Chief Information Security Officer (vCISO™).
For a no obligation chat, contact Mark Nordstrom or call 0345 21 21 51
Find out more:
Test and exercise
Read our other blogs:
eDiscovery: the issues facing law firms
Client files on home computers must be encrypted
The technology gap which leaves organisations vulnerable to attack