We’re at the tail end of another year and, as always, we’ve had plenty to talk about in the realm of cyber security. As a wrap up, we’ve put together a list of some of the cyber security lessons from 2018 that made it into Cyber Bytes, in the hope that we won’t see too many repeats in 2019.
Facebook hack attack
Back in October, reports emerged that up to 50 million Facebook accounts had been compromised due to a weakness in the platform’s code.
This wasn’t the first case of a social media platform suffering a data breach, and it likely won’t be the last, so what can we learn from this?
- Make sure you change your password on Facebook (and change it regularly) – even if you were not contacted by Facebook to change it.
- Use a different password for all your different online accounts.
- Enable two-factor authentication on any platforms that give access to your finances or personal data.
- Decouple any applications and accounts you’ve configured to use your Facebook (or other apps such as Twitter) credentials to login. If a Facebook account is compromised, then the attackers potentially have access to all these other apps.
- Check your privacy settings on Facebook and make sure you’re not sharing more than you need to. You should get into the habit of doing this on a regular basis e.g. at least every three months.
Town dusts off typewriters after cyber-attack
In June this year, staff at a borough in Alaska were forced to dust off old typewriters to continue with their duties after ransomware infected the computer system.
In the current environment, it’s not unusual for a business to have one or two devices infected with ransomware. Typically, those devices are isolated from the network and all other machines are checked to ensure that patching and antivirus signatures are up to date. In this case, the entire network—including servers—was infected and devices had to be rebuilt from scratch, with alternative technology being used in the meantime.
Prevention of ransomware is certainly better than reacting to an infection. Training staff to be vigilant to phishing emails, ensuring your systems are patched with the latest updates and maintaining separate back-ups of important data are all basic steps that every business should take. This example in Alaska provides a timely reminder to find out:
- Does your organisation have an incident response plan and does it include a scenario like this?
- Are your organisation’s patching and antivirus regimes appropriate, and is there any kind of reporting in place to identify gaps?
- Does your organisation have a standard build, and are the build states known?
- How are backups checked and stored?
- What scanning of incoming attachments is carried out?
- What training have staff had in respect of phishing emails and incident response procedures?
World Cup Phone app phishing
The phones of soldiers in the Israel Defence Forces were compromised earlier this year when the Palestinian Islamist group Hamas loaded fake football and dating apps with malware.
Fake apps are becoming increasingly common, especially for major sporting events such as the Olympics and other global competitions. Therefore, users should be increasingly vigilant about where they are downloading additional apps from.
As mentioned above, it is important to make sure that any email, app or software you download is genuine. With most phishing campaigns there are tell-tale signs, including incorrect grammar or strange formatting, but detecting fake apps is much harder for end users. Although technical measures to identify malicious apps are improving, increasing user awareness is key, and anyone downloading new apps should ensure they only do so from official stores such as Google Play and the App Store.
Researchers show how Amazon Echo can be used for eavesdropping
With the use of handy ‘personal assistants’ like Google Home and Amazon’s Alexa increasing significantly in 2018, it is no surprise that their capability as listening—or ‘eavesdropping’—devices is causing concern amongst technology experts and device owners.
Whilst they are undoubtedly innovative and entertaining, the reality is that any device which is connected to the internet is at risk of being compromised. Security concerns have been raised that due to the listening capabilities, a compromised device could be configured to stream conversations without the owner’s knowledge.
Although it is likely to cause a feeling of unease in many, some users may not be concerned if their innocent conversations in their homes are being listened to. However, imagine you’re talking in a meeting room, discussing plans for an upcoming merger or acquisition and your competitors find out what your plans are and how much you’re willing to spend. This has significant implications and could lead to a serious advantage for your competition.
Anyone who is considering purchasing one of these devices should make a personal choice as to whether the benefits outweigh the potential risks of having one. Owners should ensure they change the default password that their new device comes with, that any software updates are applied as soon as possible, and that they exercise caution around what is said within listening range of these devices.
150m MyFitnessPal users hit by data breach
Back in April, health and fitness app MyFitnessPal was hit by one of the biggest data breaches to date, when hackers accessed the personal data of 150 million users.
There have been several fitness app breaches in the past few years, and the severity of a compromise is determined by the immediate mitigating actions of the companies involved. In this case, the owner of MyFitnessPal, Under Armour, handled the breach very well: it contacted the affected users immediately and was using a strong password-hashing function (bcrypt), which should slow any attempt to crack a user’s password from the breached data.
Slowing down an attacker’s chance to retrieve a password from a data ‘dump’ is vital in allowing users a chance to change their password on any other site where they may have re-used the same password as they did with MyFitnessPal.
Did you know? Over 80% of users aged 18 or over reuse the same password across multiple accounts, meaning an account being compromised on one site can impact the same user across multiple sites.
With almost every site online now requiring users to register with an email and password (research has found that the average person may have as many as 90 different accounts requiring passwords), managing them all manually is becoming a virtually impossible task. The use of a password manager can help eliminate password reuse and will also generate complex, high-entropy passwords that would be extremely difficult to crack if compromised.
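The two points above (a slow, salted password hash buys users time after a dump, and a password manager’s random, high-entropy passwords make guessing impractical) can be shown together in a short script. This is an added example, not code from the original post or from MyFitnessPal; PBKDF2-HMAC-SHA256 from the Python standard library stands in for bcrypt (which needs a third-party package), the iteration count and the 1e10 guesses-per-second figure are constructed illustration values, and the guess list is constructed.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
import time
from typing import Optional, Tuple

# Iteration count for the slow KDF. Constructed for illustration; a real
# deployment tunes this to its hardware so one hash takes tens of milliseconds.
PBKDF2_ITERATIONS = 100_000

# Character set a password manager would draw from: 94 printable ASCII symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Tuple[bytes, bytes, int]:
    """Hash with PBKDF2-HMAC-SHA256, a salted, deliberately slow KDF.

    This stands in for bcrypt: both make every guess cost the attacker the
    same work the server pays once per login, and the per-user salt stops
    one computation being reused across accounts.
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest, iterations


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int) -> bool:
    """Recompute the hash and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def fast_hash(password: str) -> bytes:
    """Unsalted single SHA-256: what a leaked table looks like without a slow KDF."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def _time_guesses(hash_func, guesses) -> float:
    start = time.perf_counter()
    for guess in guesses:
        hash_func(guess)
    return time.perf_counter() - start


def crack_cost_ratio(sample: int = 10) -> float:
    """How many times more work per guess the slow KDF costs than plain SHA-256.

    Uses a small constructed list of guesses so the measurement stays quick.
    """
    guesses = [f"password{i}" for i in range(sample)]
    salt = os.urandom(16)
    fast = _time_guesses(fast_hash, guesses)
    slow = _time_guesses(
        lambda g: hashlib.pbkdf2_hmac("sha256", g.encode("utf-8"), salt, PBKDF2_ITERATIONS),
        guesses,
    )
    return slow / fast if fast > 0 else float("inf")


def generate_password(length: int = 20) -> str:
    """Generate a random password the way a password manager would (CSPRNG, full alphabet)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password, assuming half the keyspace is searched."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    salt, digest, iters = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest, iters))
    print("slow KDF costs %.0fx more per guess than SHA-256" % crack_cost_ratio())
    pw = generate_password(20)
    bits = entropy_bits(len(pw))
    # 1e10 guesses/s is a constructed figure for a well-resourced cracking rig.
    print(f"{pw!r}: {bits:.1f} bits, ~{expected_crack_years(bits, 1e10):.2e} years to crack")
```

The ratio printed by `crack_cost_ratio` is the whole point of bcrypt-style hashing: an attacker working through a dump has to pay that multiplier on every guess, for every account, which is what gives users time to change reused passwords elsewhere. The entropy figure shows why a 20-character manager-generated password (about 131 bits) is out of reach regardless of hashing, whereas a short human-chosen password drawn from a small alphabet is not.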
UK firms failing to make financial plans for cyber attacks
A survey by Lloyds Bank in early 2018 showed that only a third of companies have a financial plan in place should a cyber-attack ever occur. Sadly, companies often look at the risks from cyber-attacks with a very narrow viewpoint – failing to consider that it is not just an IT issue. As well as the obvious business availability problems, there is a larger impact when a company is a victim of a cyber-attack – the bottom line.
Calculating the overall cost of a cyber breach is notoriously difficult. After the breach of point-of-sale machines at US retailer Target in 2013, the loss of business, cost of replacing compromised cards, refunds and equipment upgrades are believed to have cost them in excess of $400 million.
The recent NotPetya malware attacks are also estimated to have cost TNT Express around $300 million in the last quarter of 2017, and in this case no data breach actually occurred. Such disruption can cause operational issues, which can lead to reputational damage and significant cash-flow problems. Whilst many large corporations may be able to absorb short-term availability issues and potential share price fluctuations, many small-to-medium-sized businesses can be put out of business within days of such an attack.
While cyber insurance can provide a blanket of comfort and peace of mind for some organisations, prevention should be a key focus, rather than recovery. There are many frameworks, such as ISO 27001, that allow businesses to develop and mature their internal policies so that a good cyber security posture becomes ingrained in the workflow. Regular testing of these implemented controls is vital to ensure that they are working, rather than waiting to discover the presence of security holes when an incident takes place for real.
Don’t fall for fake iTunes and App Store messages
Phishing emails are becoming more and more sophisticated, particularly those claiming to come from brands we trust, like Apple or Amazon. It just takes one click on a link in a fake email for a computer to be infected with malware and, following the recent flurry of online purchasing during the seasonal Black Friday event, criminals will be seeking to exploit this annual opportunity with a deliberate increase in fake purchase messages.
Often, companies do not help themselves or their customers by placing links to their website inside important email communications. If Apple users do receive any messages about an App Store or iTunes purchase, we recommend manually visiting the App Store or iTunes websites to check, rather than risk clicking on a link in an email which might be a trap. This equally applies to any messages from financial institutions where customers may be asked to update personal details via links in email messages.
Never click on these links: banks have pledged not to ask their customers to do so in these situations, so any such request is likely to be a scam.
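The manual check recommended above (does the link really go where it claims, and does the text shown match the address behind it?) is also something a mail gateway or a user-awareness tool can apply automatically. The following is an added example, not code from the original post or from any vendor: it parses the anchors in a constructed fake App Store receipt and flags links whose target host is outside a trusted-domain set, whose visible text names a different domain than the href, or which use plain http. The `TRUSTED_DOMAINS` set and the `example.net` host are constructed assumptions, and `registrable_domain` is a deliberate simplification (a real implementation would use the public suffix list).

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Set, Tuple
from urllib.parse import urlparse

# Constructed sample: a fake "App Store receipt" whose cancel link shows an
# apple.com URL as its visible text but points somewhere else. example.net is a
# reserved example domain, not a real phishing host.
SAMPLE_EMAIL = """
<p>Your receipt from the App Store</p>
<p>Order total: $99.99. If you did not authorise this purchase, click
<a href="http://apple.com-verify-account.example.net/login">https://www.apple.com/account</a>
to cancel within 24 hours.</p>
<p>Manage your subscriptions at <a href="https://apps.apple.com/account/subscriptions">Apple</a>.</p>
"""

# Domains the sender is legitimately expected to link to (assumption for this example).
TRUSTED_DOMAINS = {"apple.com"}

# Finds a domain name written inside the visible link text, with or without a scheme.
_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html: str) -> List[Tuple[str, str]]:
    parser = LinkExtractor()
    parser.feed(html)
    return parser.links


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification for this example: real
    code should use the public suffix list so that e.g. example.co.uk works."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def find_suspicious_links(html: str, trusted: Set[str]) -> List[Dict[str, object]]:
    """Apply the checks a cautious reader would make by hand to every link."""
    findings = []
    for href, text in extract_links(html):
        if not href:
            continue  # anchor without a target cannot take the reader anywhere
        parsed = urlparse(href)
        host = parsed.hostname or ""
        reasons = []
        if registrable_domain(host) not in trusted:
            reasons.append("target host is not a trusted domain")
        shown = _DOMAIN_IN_TEXT.search(text.lower())
        if shown and registrable_domain(shown.group(1)) != registrable_domain(host):
            reasons.append("visible text names a different domain than the target")
        if parsed.scheme == "http":
            reasons.append("link is plain http")
        if reasons:
            findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(finding["href"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run as a script, it reports only the "cancel" link and lists all three reasons, while the genuine `apps.apple.com` link passes. The text-versus-href comparison is the check that catches the common trick of showing a trusted address as the clickable words; the same mismatch is what a user sees by hovering over the link instead of clicking it.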
Police hand out malware-infected USB drives as prizes at cyber-security event
In probably one of the most ironic stories of the year—as part of a celebration of cracking down on cybercrime—police in Taiwan accidentally distributed USB drives containing a malware file. Out of 250 prizes given out to attendees at a cyber security expo, 54 drives were found to be compromised.
This is a clear example of why companies must ensure their supply chain is reliable and trustworthy, both for security and to avoid reputational damage. It is also a reminder of the dangers of a social engineering technique known as USB baiting. This is a tactic used by criminals (and indeed many other malicious threat groups) where they purposely leave USB drives in public spaces in the hope that curious individuals will pick up the infected device and plug it into a workstation.
Back in 2008, the US suffered what was described at the time as ‘the worst ever cyber-attack against the US military’ after abandoned USB sticks were found in the Middle East and plugged into computers inside a US base. It took the Pentagon nearly 14 months to clear up the infection.
Even with improved public awareness, this is still a remarkably successful attack vector and we encourage all users to be suspicious of any unclaimed USB devices found lying around, and especially any that are given out as prizes or free gifts at events.
Here’s to a cyber safe 2019
As they say, the best defence is prevention. These are just a handful of the cyber security issues we saw in 2018 and we hope this blog post will help prevent a few in the future.
However, if your organisation’s IT security needs a review, a boost, or you need to start from scratch, talk to us. We have cyber experts on hand who can work with you to ensure you won’t be the next victim of cyber criminals.