STE WILLIAMS

Leaving your admin interface’s TLS cert and private key in your router firmware in 2020? Just Netgear things

Netgear left in its router firmware key ingredients needed to intercept and tamper with secure connections to its equipment’s web-based admin interfaces.

Specifically, valid, CA-signed TLS certificates and their corresponding private keys were embedded in the firmware, which anyone could download for free from Netgear and which also ships on Netgear devices. Whoever holds the private key can present the routers' own browser-trusted HTTPS certificate from a machine they control, and so mount miscreant-in-the-middle attacks to eavesdrop on and alter supposedly encrypted connections to the routers' built-in web-based control panel.

In other words, the data can be used to potentially hijack people’s routers. It’s partly an embarrassing leak, and partly indicative of manufacturers trading off security, user friendliness, cost, and effort.

Security mavens Nick Starke and Tom Pohl found the materials on January 14, and publicly disclosed their findings five days later, over the weekend.

The blunder is a result of Netgear's approach to security and user convenience. When configuring their kit, owners of Netgear equipment are expected to visit https://routerlogin.net or https://routerlogin.com. The router, which typically acts as the LAN's DNS server, tries to ensure those domain names resolve to its own IP address on the local network. So, rather than have people type 192.168.1.1 or similar, they can use a memorable domain name.

To establish an HTTPS connection without browser complaints about insecure HTTP or untrusted certs, the router has to present a certificate for routerlogin.net or routerlogin.com that chains to a CA browsers trust. To prove during the TLS handshake that it legitimately holds that certificate, the router must use the certificate's private key. That key is stored unprotected in the firmware, so anyone who downloads the image can extract and abuse it. And because the same certificate and key ship in every copy of the firmware, extracting them once is enough to impersonate every router running it.

Netgear presumably doesn't want to offer an HTTP-only admin interface, both to avoid browser warnings about insecure connections and to thwart eavesdroppers on the local network. But if it uses HTTPS, the built-in web server has to prove it legitimately holds the certificate, and so needs the private key. Netgear's options are therefore to issue per-device key pairs and certificates, to keep the key in a secure hardware element on the router so it cannot be lifted from a firmware download, to fall back to plain HTTP, or to find some other solution; each gives up some of the convenience the shared certificate bought. You can follow that debate here.

“These certificates are trusted by browsers on all platforms, but will surely be added to revocation lists shortly,” noted Starke and Pohl.

“The firmware images that contained these certificates along with their private keys were publicly available for download through Netgear’s support website, without authentication; thus anyone in the world could have retrieved these keys.”
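As an illustration of the check the researchers' finding implies, the following Python script (added here; it is not code from Starke and Pohl, Netgear or The Register) scans a firmware image for PEM blocks, pulls the RSA modulus out of each private key and each X.509 certificate with a minimal DER walker, and reports whether a certificate's private key sits in the same image. The sample image it builds is constructed for the demonstration: its modulus is an arbitrary placeholder number and the signature is zeros, so it is not a real key pair and would not validate anywhere; only the ASN.1 layout is faithful, and the same walker runs unchanged over a real unpacked image.

```python
"""Find PEM private keys and certificates embedded in a firmware blob and pair them by RSA modulus."""
import base64
import hashlib
import re
import sys

# PEM may begin mid-line inside binary; the backreference forces matching BEGIN/END labels.
PEM_RE = re.compile(rb"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption

def der_children(buf):
    """Split a DER SEQUENCE/SET body into (tag, value) pairs; single-byte tags, as X.509 uses."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:  # long form: low 7 bits give the number of length bytes that follow
            n = ln & 0x7F
            ln, i = int.from_bytes(buf[i:i + n], "big"), i + n
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out

def unwrap(buf):
    (tlv,) = der_children(buf)  # exactly one TLV expected; ValueError otherwise
    return tlv

def modulus_from_private_key(data):
    """RSA modulus from PKCS#1 RSAPrivateKey or PKCS#8 PrivateKeyInfo DER; ValueError if not RSA."""
    kids = der_children(unwrap(data)[1])
    if kids[1][0] == 0x30:  # PKCS#8: version, AlgorithmIdentifier, OCTET STRING(RSAPrivateKey)
        if der_children(kids[1][1])[0][1] != RSA_OID:
            raise ValueError("not an RSA key")
        kids = der_children(unwrap(kids[2][1])[1])
    return int.from_bytes(kids[1][1], "big")  # RSAPrivateKey: version, modulus, publicExponent, ...

def modulus_from_certificate(data):
    """RSA modulus from an X.509 Certificate DER; ValueError if the subject public key is not RSA."""
    tbs = der_children(der_children(unwrap(data)[1])[0][1])
    if tbs[0][0] == 0xA0:  # EXPLICIT [0] version, present in v3 certificates
        tbs = tbs[1:]
    alg, bits = der_children(tbs[5][1])  # serial, sigAlg, issuer, validity, subject, SPKI
    if der_children(alg[1])[0][1] != RSA_OID:
        raise ValueError("not an RSA certificate")
    pub = der_children(unwrap(bits[1][1:])[1])  # BIT STRING: drop unused-bits byte -> RSAPublicKey
    return int.from_bytes(pub[0][1], "big")

def find_pem_blocks(blob):
    """[(label, der_bytes)] for every decodable PEM block anywhere in the blob."""
    found = []
    for m in PEM_RE.finditer(blob):
        b64 = re.sub(rb"[^A-Za-z0-9+/=]", b"", m.group(2))
        try:
            found.append((m.group(1).decode(), base64.b64decode(b64, validate=True)))
        except ValueError:  # truncated or corrupt block: nothing usable to report
            pass
    return found

def audit(blob):
    """Map each embedded cert's SHA-256 fingerprint to whether its RSA private key is also embedded."""
    key_moduli, certs = set(), {}
    for label, data in find_pem_blocks(blob):
        try:
            if label in ("RSA PRIVATE KEY", "PRIVATE KEY"):
                key_moduli.add(modulus_from_private_key(data))
            elif label == "CERTIFICATE":
                certs[hashlib.sha256(data).hexdigest()] = modulus_from_certificate(data)
        except (ValueError, IndexError):  # non-RSA or malformed DER: skip it, don't abort the scan
            continue
    return {fp: n in key_moduli for fp, n in certs.items()}

def enc(tag, content):  # ---- constructed sample input below; nothing above depends on it ----
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content
def enc_int(v):
    return enc(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))  # leading 0x00 keeps it positive
def pem(label, data):
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (label.encode(), base64.encodebytes(data), label.encode())

def build_sample_firmware():
    """Toy image: binary padding around a PKCS#1 key and an X.509 cert sharing one hypothetical modulus."""
    n, e = (1 << 2047) | 0x5EC0DE, 65537  # placeholder, NOT a real key pair; signature below is zeros
    priv = enc(0x30, enc_int(0) + enc_int(n) + enc_int(e) + b"".join(enc_int(i) for i in range(1, 7)))
    alg_rsa = enc(0x30, enc(0x06, RSA_OID) + enc(0x05, b""))
    alg_sig = enc(0x30, enc(0x06, bytes.fromhex("2a864886f70d01010b")) + enc(0x05, b""))  # sha256WithRSA
    spki = enc(0x30, alg_rsa + enc(0x03, b"\x00" + enc(0x30, enc_int(n) + enc_int(e))))
    name = enc(0x30, enc(0x31, enc(0x30, enc(0x06, bytes.fromhex("550403")) + enc(0x0C, b"routerlogin.net"))))
    validity = enc(0x30, enc(0x17, b"200101000000Z") + enc(0x17, b"300101000000Z"))
    tbs = enc(0x30, enc(0xA0, enc_int(2)) + enc_int(1) + alg_sig + name + validity + name + spki)
    cert = enc(0x30, tbs + alg_sig + enc(0x03, b"\x00" * 257))
    return (b"\x7fELF" + bytes(range(256)) * 4 + pem("RSA PRIVATE KEY", priv)
            + b"\xff" * 512 + pem("CERTIFICATE", cert) + bytes(range(256)))

if __name__ == "__main__":  # pass an unpacked firmware file, or run with no args for the sample
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_firmware()
    for fp, matched in audit(blob).items():
        print(f"cert sha256:{fp}  private key embedded: {matched}")
```

Run it over a real image after unpacking the filesystem (binwalk or unsquashfs first, since compressed PEM will not match the regex). A `True` result is exactly the condition described above: anyone holding the firmware download holds the key behind a browser-trusted name. Pairing by modulus rather than by filename also catches a key that was stored under an unrelated name or inside a PKCS#8 wrapper, and the fingerprint it prints is what you would feed to a revocation check.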

Netgear did not respond to a request for comment on the report.

We note that while there is a certificate and private key for the routerlogin interface, there is another set for mini-app.funjsq.com, which appears to be a method for playing games online in China.

In addition to exposing the vulnerability in Netgear equipment, the infosec bods also took issue with the way the networking giant deals with security flaws. In particular, its policy of keeping bug reports quiet.


“We are aware that Netgear has public bug bounty programs. However, at current date those programs do not allow public disclosure under any circumstances,” the duo explained.

“We as researchers felt that the public should know about these certificate leaks in order to adequately protect themselves and that the certificates in question should be revoked so that major browsers do not trust them any longer. We could not guarantee either if we had used the existing bug bounty programs.”

The decision brings up a debate that has plagued developers and security researchers alike for years: how best to handle disclosure.

On one side, there is the argument that keeping bugs under wraps minimizes the chances they will fall into the wrong hands. On the other side, there is the belief that getting issues into the open increases awareness and allows everyone to work on fixing and patching a bug.

In this case, Starke and Pohl went with the latter approach, informing the company last Tuesday and going public after hearing nothing useful back from either the router maker or the organizer of its bug bounty. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/20/netgear_exposed_certificates/

Are We Secure Yet? How to Build a ‘Post-Breach’ Culture

There are many ways to improve your organization’s cybersecurity practices, but the most important principle is to start from the top.

Are we secure yet? I was asked this question in a board meeting many years ago. The way it was phrased implied that getting secure is a task to be completed. Managing cybersecurity is actually more like doing the laundry, in that it's never finished. So, are we secure yet? The answer is an emphatic "No!" And we collectively never will be secure. However, we can and must apply rigorous risk management processes, innovative control technologies, and talented teams to our cybersecurity challenges.

The subject of this discussion is your organization's cybersecurity culture. It is one of the most critical elements of a successful cybersecurity program and yet one of the most difficult to define, measure, and improve. Over the past decade, we have witnessed a constant cadence of major cyberattacks. The majority of these were cases in which the victims were required to disclose the event by statute or regulation. Others were disclosed as a result of highly visible business disruptions caused by the attack. Many of these were data breaches involving over 100 million records (for example, Target, eBay, Equifax, Capital One, Marriott, etc.) while others were ransomware attacks resulting in major disruption to their victims' businesses (such as Maersk and the city government of Atlanta).

These attacks were costly and traumatic for the victim organizations but also had at least one positive result: They transformed the organization’s cybersecurity culture. The change in attitudes about cybersecurity in these cases can be dramatic. One CIO shared that a security investment decision that once would have taken weeks or even months to make now, after the company’s recent breach, required only a short call or quick meeting.

The value of a strong “post-breach” cybersecurity culture is material. According to the “2018 Cost of Data Breach Study: Impact of Business Continuity Management” from the Ponemon Institute, “The larger the data breach, the less likely the organization will have another breach in the next 24 months.” In fact, organizations that experience a breach of 100,000 or more records reduce their probability of experiencing another data breach in that time frame from 0.279 to 0.015! With the cost of a major breach or attack being measured in the hundreds of millions of dollars, achieving a post-breach cybersecurity culture without experiencing the trauma and impacts of a breach can be a huge benefit for the enterprise.

Measuring Security Culture
How we measure and improve an enterprise’s security culture starts with a discussion of the degree to which leaders, employees, users, vendors, and even customers are aware of and regularly follow effective cybersecurity best practices in seven key areas.

1. Board Expertise and Structure
Boards can play a key role in setting priorities for cybersecurity risk management and ensuring those priorities are being addressed. Having board members who are familiar with cybersecurity issues or have managed cyber-risk in their careers is certainly a plus. Committee structure can also play a key role. Boards generally have agendas packed with mandatory governance topics, so establishing a risk committee or, better yet, a cybersecurity committee to focus on cyber issues can be a useful approach for getting the limited number of board members with cyber expertise to focus on the cybersecurity program. Board interest in cyber drives the priorities and intensity of activity throughout the organization and sends a clear message to business leaders that effective management of cybersecurity risks is a key priority.

2. CEO Engagement and Leadership
One criticism of CEOs at victim organizations is that they often lack the expertise and focus to effectively drive cybersecurity programs. Establishing a CEO-chaired cybersecurity management review on a regular basis (at least quarterly) is a powerful statement to senior leadership that cyber-risks are top of mind and high enough in the CEO's priorities to allocate significant time to understand and drive the topic. Regular communication from the CEO highlighting the critical role that effective security practices play in the performance and long-term growth of the business is extremely valuable in driving a strong cybersecurity culture.

3. Senior Executive Engagement and Leadership
In most enterprises, the technology organization, led by the CIO, oversees cybersecurity and plays a key role in implementation of effective controls. From networks to client devices to data centers, the technology organization is often the arms and legs of the cybersecurity team to ensure holistic coverage and efficacy of those controls. The CIO sets the tone for how important these controls are relative to other technology priorities such as enabling business innovation and ensuring application reliability. Having regular reviews of the cybersecurity program with the full technology leadership team, designating cybersecurity as a strategic imperative, and devoting significant airtime to cybersecurity topics at employee meetings are a good start.

4. Ecosystem vs. the Enterprise
Few enterprises function independently of suppliers, customers, dealers or retailers, third party service providers, and others who are not employees but nonetheless interact with the enterprise’s technology resources. Policies, communication initiatives, contractual provisions, and cybersecurity assessments are a few of the mechanisms that can be used to expand cybersecurity best practices throughout the ecosystem.

5. Awareness Training
Ensuring everyone in the ecosystem understands how to apply cybersecurity best practices when using technology is essential. Annual training for all users is the minimum, but that training needs to be continuously refreshed to stay current with the rapidly changing cybersecurity threat landscape and use senior leadership messaging to underscore its importance to the organization. Tailored training for special groups such as software developers, network administrators, and infrastructure managers is also valuable to communicate best practices or technical details applicable to those roles. An additional awareness mechanism I’ve used in the past is pushing a daily cyber intelligence synopsis out to senior leadership. This type of messaging includes three or four major cybersecurity news items each day in terms that the business can understand and that offer context about how the items relate to the organization.

6. Post-Mortems with Other Attack Victims
Engaging companies that have suffered a major attack is yet another great tactic to gain insights into new threats and organizational controls. Often, these discussions may be under a nondisclosure agreement but the corrective actions or confirmation that your controls coverage is already adequate are well worth the effort.

7. Closing the Loop
Every user who fails to follow cyber best practices when using the organization’s cyber assets poses a risk to the enterprise. Holding individuals and organizations accountable for their cyber behaviors puts the organization on notice that cybersecurity behavior gaps will be transparent to leadership. Periodic penetration testing is an essential tool to provide a reality check and validate cybersecurity controls coverage and efficacy. Presenting the results of these tests up through leadership to the board of directors ensures the entire management chain is informed and can help drive any required remediation activity.

Organizations that behave like a victim of a major cyberattack can help themselves avoid actually becoming a victim of one. Implement a post-breach culture now. Don’t wait for the threat actors to do it for you.


Rich Armour is a senior CISO and technology executive with deep experience in cybersecurity and information technology leadership and transformation across large global enterprises. Rich has successfully led large scale global information technology transformation …

Article source: https://www.darkreading.com/risk/are-we-secure-yet-how-to-build-a-post-breach-culture/a/d-id/1336813?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Teen entered ‘dark rabbit hole of suicidal content’ online

You’re fat. You’re worthless. You don’t deserve to be alive.

Those are the kind of comments left on social media posts as innocent as a picture of a flower, as Sarah Lechmere – who has struggled with eating disorders – told the BBC. Social media posts also pointed her to pro-anorexia sites that gave her “tips” on how to self-harm, she said.

This is precisely why UK psychiatrists want to see social media companies forced to hand over their data – and to be taxed into paying – for research into the harms and benefits of social media use. The report, published by the Royal College of Psychiatrists, contains a foreword written by Ian Russell, the father of Molly Russell, a 14-year-old who died by suicide in 2017 after entering what her father called the "dark rabbit hole of suicidal content" online.

Ian Russell describes how social media’s “pushy algorithms” trapped Molly, sequestering her in a community that encourages suffering people not only to self-harm but to also avoid seeking help:

I have no doubt that social media helped kill my daughter. Having viewed some of the posts Molly had seen, it is clear they would have normalized, encouraged and escalated her depression; persuaded Molly not to ask for help and instead keep it all to herself; and convinced her it was irreversible and that she had no hope.

… Online, Molly found a world that grew in importance to her and its escalating dominance isolated her from the real world. The pushy algorithms of social media helped ensure Molly increasingly connected to her digital life while encouraging her to hide her problems from those of us around her, those who could help Molly find the professional care she needed.

Ian Russell backs the report’s findings – particularly its calls for government and social media companies to do more to protect users from harmful content, not only by sharing content but also by funding research with a “turnover tax” that will also provide training for clinicians, teachers and others working with children, to help them identify children struggling with their mental health and to understand how social media might be affecting them.

A new regulator and a 2% tax on big tech companies

Last year, the UK government announced plans to set up an online safety regulator to improve internet safety. The College is calling for that regulator to be empowered to compel social media companies to hand over their data.

As far as funding for research and self-harm prevention training goes, the UK has passed the Digital Services Tax. Scheduled to go into effect in April 2020, it will impose a 2% levy on the revenues of search engines, social media platforms and online marketplaces that “derive value from UK users.” That 2% will be assessed on digital companies’ global turnover.

Dr. Bernadka Dubicka, chair of the child and adolescent faculty at the Royal College of Psychiatrists and co-author of the report, said that she’s seeing more and more children self-harming and attempting suicide as a result of their social media use and online discussions. Whatever social media companies are doing to protect their most vulnerable users, it’s not enough, she said:

Self-regulation is not working. It is time for government to step up and take decisive action to hold social media companies to account for escalating harmful content to vulnerable children and young people.

In November 2019, Facebook included Instagram in its transparency report for the first time. Facebook is getting better at finding self-harm content before it spreads: it said that since May, it’s removed about 845,000 pieces of suicide-related content, 79% of which it was able to proactively find before users reported it.

Privacy implications

The College said that the data to be collected from tech companies would be anonymous and would include the nature of content viewed, as well as the amount of time users are spending on social media platforms.

The civil rights group Big Brother Watch told the BBC that it agrees with the importance of research into the impact of social media, but that users must be “empowered to choose what data they give away, who to and for what purposes”.

The campaign group’s director, Silkie Carlo, said young people should have “autonomy” on social media “without being made to feel like lab rats”. She noted that in the wake of the 2014 Cambridge Analytica scandal, data and privacy rights are facing “significant threats” online, and that user trust is low. That’s why user control should be treated as a priority, she said.

Being online is bad for kids

While the psychiatrists say there’s need for more research, there’s already a growing body of research that’s demonstrated that excessive use of digital devices and social media is harmful to children and teens. Back in January 2018, after Facebook had rolled out Facebook Messenger for Kids, children’s health advocates said that the app was likely to “undermine children’s healthy development” and urged Facebook to ban it.

Some of the findings cited by the Campaign for a Commercial-Free Childhood (CCFC):

  • Eighth graders who are heavy users of social media have a 27% higher risk of depression, while those who exceed the average time spent playing sports, hanging out with friends in person, or doing homework have a significantly lower risk.
  • US teenagers who spend three hours a day or more on electronic devices are 35% more likely, and those who spend five hours or more are 71% more likely, to have a risk factor for suicide than those who spend less than one hour.
  • Teens who spend five or more hours a day (versus less than one hour) on electronic devices are 51% more likely to get less than seven hours of sleep (the recommended amount is nine hours). Sleep deprivation is linked to long-term issues like weight gain and high blood pressure.
  • A study by UCLA researchers showed that after five days at a device-free outdoor camp, children performed far better on tests for empathy than a control group.

Parents, you can check out the BBC’s article for a list of the College’s advice on how to negotiate your children’s online use.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/Yj7ryqZZEUA/

FBI to inform election officials about hacking attempts

File this in the “What? They didn’t do this already?” pile: The FBI has announced that it will tell local election officials when hackers try to infiltrate their systems. Now, when state actors rattle the doors on election systems around the country, the people responsible for operating them will get to hear about it.

This year is shaping up to be the most challenging yet when it comes to election security. In 2020, cyberattacks against the US election will be more sophisticated than they were in the run-up to the 2016 vote. So said Shelby Pierson, the election security threats executive for the Office of the Director of National Intelligence, speaking at an Election Assistance Commission event earlier this month.

It’s probably a good idea, then, for the FBI to warn local and state election officials of hacking attempts, and last week, it announced just that.

For those of you wondering why the FBI wasn’t doing this already, the problem thus far has been the fragmented nature of the US election system. Each state has a chief official in charge of elections, but local governments and officials own and operate election systems on the ground.

Rolling out a new policy for communicating election cyber incidents, the FBI said:

The FBI’s interactions regarding election security matters must respect both state and local authorities. Thus, the FBI’s new policy mandates the notification of a chief state election official and local election officials of cyber threats to local election infrastructure.

The FBI’s announcement follows political pressure to be more forthcoming about election-related cyber threats. In July 2019, US Reps. Stephanie Murphy (D-Fla.) and Michael Waltz (R-Fla.) announced the bipartisan Achieving Lasting Electoral Reforms on Transparency and Security (ALERTS Act) to force the Department of Homeland Security to notify both state and local officials, along with members of Congress and possibly voters, of election system breaches.

The bill was a response to the hacking of computing networks of two Florida counties before the 2016 election. The news surfaced in the Mueller report about Russian election interference, but the Representatives weren't briefed on it until they requested a briefing from the FBI after seeing the report. Waltz called the FBI's policy "inadequate and unacceptable" when launching the legislation.

The Florida hacks weren’t the only ones that Russia pulled off prior to the 2016 election. A Senate Intelligence Committee report released in July 2019 highlighted attempts in all 50 states, with intrusions in at least 21.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/YDB2zgAZ1YM/

FBI seizes credentials-for-sale site WeLeakInfo.com

The FBI has seized the domain for WeLeakInfo.com, a site that sold breached data records, after a multinational effort by law enforcement.

Authorities have arrested two 22-year-old men alleged to have operated the site. Based in Fintona, Northern Ireland, and Arnhem in the Netherlands, they are believed to have made over £200,000 (about $260,000) between them from the site.

The Internet Archive’s Wayback Machine first shows WeLeakInfo.com surfacing in April 2017, advertising itself as “the Most Extensive Private Database Search Engine”.

The FBI and the US Attorney's Office for the District of Columbia explained that the site had harvested over 12 billion records from over 10,000 data breaches, including names, email addresses, usernames, phone numbers, and passwords. The site disclosed records relating to data breaches of sites including Chegg.com, StockX, Dubsmash, and MyFitnessPal.

Customers could subscribe to WeLeakInfo.com for as little as a day, paying a minimum of $2 in return for unlimited searches. UK authorities also found links between the site and sales of remote access trojans (RATs) and cryptors (tools that obfuscate malware code to avoid detection). The site was reachable both on the open web and via the Tor anonymity network.

The FBI and the US Attorney's Office for the District of Columbia worked with the UK's National Crime Agency and the Netherlands National Police Corps on the site seizure, along with the German Bundeskriminalamt (the Federal Criminal Police Office of Germany) and the Police Service of Northern Ireland.

In an announcement about the arrests, UK NCA said that it had started investigating WeLeakInfo.com in August 2019. It had spotted people using credentials from the site in cyberattacks in the UK, Germany, and the US. The Agency passed its information to the Bundeskriminalamt and the FBI, and they co-ordinated the seizure of WeLeakInfo.com at 11:30pm UK time on Wednesday 15 January, the same day that the men were arrested.

WeLeakInfo's operators ran it like a business. It had its own Twitter account, where they updated customers about new database acquisitions and justified the site as a public service, and they even ran special offers and promos. They also used third-party text storage sites to list new sets of stolen credentials.

The URL for the credential sales service now displays a notice from the FBI explaining that it has seized the domain.

WeLeakInfo isn’t the only site to have sold breached data. LeakedSource shut down in 2017, as did LeakBase.



Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/XbN7y20SIRI/

LastPass stores passwords so securely, not even its users can access them

Updated Password manager LastPass appears to have had a big night out on Friday, to the point where the service needed a lengthy lie down over the weekend. In fact, for some users it is still horizontal.

Social media is awash with customers unable to connect to the service either via the company’s website or through its various apps. For some, the problem has been going on for days.

While the company’s status page insists that everything is hunky-dory, the volume of wailing indicates that something has gone awry. Customers have been asked to clear caches, reinstall apps, everything bar the immortal “turn it off and turn it on again” to no avail. Some have indulged in a bit of amateur sleuthing to identify a pattern in the affected accounts.

I’m sorry Dave, I’m afraid I can’t do that

Fanning the flames is the company’s attitude, which seems akin to the “works alright on my PC, guv” so beloved by techies and users alike.

Still, at least whoever is running the LastPass Status Twitter account said the company was looking into the wave of wailing, before once again insisting that “no service issues have been identified.”

It’s not us, it’s you.

Password managers are tremendously useful tools in a world where every website seems to require a login with ever more convoluted passwords. Such is the level of slickness with which the tools integrate both within browsers and the iOS and Android platforms that users frequently never know what password has been used.

Naturally, some users have been quick to trumpet the names of competing managers to which they intend to jump. We, however, remain rather taken by the Terence Conran leatherbound “Logins Passwords” book.

Maybe the current outage is a sign that a return to a more analogue world is due.**

The Register contacted LastPass to find out what in blue blazes is going on and will update if an explanation is forthcoming.

* Total Inability To Serve User Passwords

** Please don’t do this

Updated to add

LastPass issued this statement to The Register following publication of the article:

“We are aware and actively investigating reports from a few LastPass customers from over the weekend who may be experiencing issues and receiving errors when attempting to log in. At this time we believe this is an isolated issue with limited impact and our engineers are working to resolve the issue.”

LastPass has made contact again to say:

“After a thorough investigation, we have determined it was the result of a bug in a recent release and was limited to a very small set of users (a fraction of a percent of our user base). This has been resolved and all services are now functional. There is no user action needed. As always, delivering a reliable and secure service for our users is top priority, and we will continue to respond and fix reports as quickly as possible.” ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/20/lastpass_outage/

Ubisoft sues handful of gamers for DDoSing Rainbow Six: Siege

Game developer Ubisoft has lodged a claim against the owners of a website that allegedly sells DDoS attacks against the servers of its best-selling game, Tom Clancy’s Rainbow Six: Siege (R6S).

The lawsuit, filed in the US District Court for the Central District of California on Thursday, holds the owners of the SNG.ONE website – who hail from Germany, Nigeria, and the Netherlands – responsible for DDoS attacks that have disrupted its multiplayer game servers, causing lag and crashes.

The website sells $30 monthly subscriptions to services purportedly designed to help clients “test” their own website security. But screenshots taken by Ubisoft claim to show the website listing specific game servers, such as Fortnite, FIFA20, and Call of Duty: Modern Warfare 4, as potential targets.

Ubisoft alleges the defendants are “well aware of the harm” their services have caused to its business. In court documents seen by The Register, the company said the defendants “have gone out of their way to taunt and attempt to embarrass Ubisoft for the damage [their] services have caused”.

“By this lawsuit, Ubisoft seeks to stop an unscrupulous commercial group of hackers and profiteers dedicated to harming Ubisoft’s games and destroying the R6S player experience for their own personal financial benefit.”

The gaming company also alleges the defendants "falsely claimed" Microsoft and Ubisoft had taken over their website. According to the court filing, the defendants admitted to fabricating the seizure notice.

Ubisoft has long wrestled with DDoS attacks on its R6S servers. In September, the company announced plans to prevent further attacks, which included banning certain players and reducing the workload of its servers. Ubisoft says the number of attacks has dropped by 93 per cent since the announcement.

Ubisoft has asked the court to shut down the websites and is suing for damages and its legal costs.

The Register has asked SNG.ONE to comment. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/20/ubisoft_sues_gamers_rainbow_six_ddos_claim/

Boards can play a key role in setting priorities for cybersecurity risk management and ensuring those priorities are being addressed. Having board members who are familiar with cybersecurity issues or have managed cyber-risk in their careers is certainly a plus. Committee structure can also play a key role. Boards generally have agendas packed with mandatory governance topics so establishing a risk committee or, better yet, a cybersecurity committee to focus on cyber issues can be a useful approach for getting the limited number of board members with cyber expertise to focus on the cybersecurity program. Board interest in cyber drives the priorities and intensity of activity throughout the organization and sends a clear message to business leaders that effective management of cybersecurity risks is a key priority.

2. CEO Engagement and Leadership
One criticism of CEOs at victim organizations is that they often lack the expertise and focus to effectively drive cybersecurity programs. Establishing a CEO-chaired cybersecurity management review on a regular basis (at least quarterly) is a powerful statement to senior leadership that cyber-risks are top of mind and high enough in the CEO’s priorities to allocate significant time to understand and drive the topic. Regular communication from the CEO highlighting the critical role that effective security practices play in the performance and long-term growth of the business is extremely valuable in driving a strong cybersecurity culture.

3. Senior Executive Engagement and Leadership
In most enterprises, the technology organization, led by the CIO, oversees cybersecurity and plays a key role in implementation of effective controls. From networks to client devices to data centers, the technology organization is often the arms and legs of the cybersecurity team to ensure holistic coverage and efficacy of those controls. The CIO sets the tone for how important these controls are relative to other technology priorities such as enabling business innovation and ensuring application reliability. Having regular reviews of the cybersecurity program with the full technology leadership team, designating cybersecurity as a strategic imperative, and devoting significant airtime to cybersecurity topics at employee meetings, is a good start.

4. Ecosystem vs. the Enterprise
Few enterprises function independently of suppliers, customers, dealers or retailers, third-party service providers, and others who are not employees but nonetheless interact with the enterprise’s technology resources. Policies, communication initiatives, contractual provisions, and cybersecurity assessments are a few of the mechanisms that can be used to expand cybersecurity best practices throughout the ecosystem.

5. Awareness Training
Ensuring everyone in the ecosystem understands how to apply cybersecurity best practices when using technology is essential. Annual training for all users is the minimum, but that training needs to be continuously refreshed to stay current with the rapidly changing cybersecurity threat landscape and use senior leadership messaging to underscore its importance to the organization. Tailored training for special groups such as software developers, network administrators, and infrastructure managers is also valuable to communicate best practices or technical details applicable to those roles. An additional awareness mechanism I’ve used in the past is pushing a daily cyber intelligence synopsis out to senior leadership. This type of messaging includes three or four major cybersecurity news items each day in terms that the business can understand and that offer context about how the items relate to the organization.

6. Post-Mortems with Other Attack Victims
Engaging companies that have suffered a major attack is yet another great tactic to gain insights into new threats and organizational controls. Often, these discussions take place under a nondisclosure agreement, but the corrective actions, or confirmation that your controls coverage is already adequate, are well worth the effort.

7. Closing the Loop
Every user who fails to follow cyber best practices when using the organization’s cyber assets poses a risk to the enterprise. Holding individuals and organizations accountable for their cyber behaviors puts the organization on notice that cybersecurity behavior gaps will be transparent to leadership. Periodic penetration testing is an essential tool to provide a reality check and validate cybersecurity controls coverage and efficacy. Presenting the results of these tests up through leadership to the board of directors ensures the entire management chain is informed and can help drive any required remediation activity.

Organizations that behave like a victim of a major cyberattack can help themselves avoid actually becoming a victim of one. Implement a post-breach culture now. Don’t wait for the threat actors to do it for you.


Rich Armour is a senior CISO and technology executive with deep experience in cybersecurity and information technology leadership and transformation across large global enterprises. Rich has successfully led large scale global information technology transformation …

Article source: https://www.darkreading.com/risk/are-we-secure-yet-how-to-build-a--post-breach--culture/a/d-id/1336813?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook and Instagram ban alleged ‘brainwashing’ service

Have you ever tried to persuade a friend or family member to do something they don’t really want to?

Not easy – the person being persuaded knows you’re trying to persuade them, which makes them more likely to question your motives and resist.

Now imagine there was a way to persuade that individual to agree with your wishes by feeding them advertising on your behalf without them being aware that’s happening.

It’s the principle on which a lot of internet advertising is based, which presumably is where the idea for a startup service called the Spinner came from.

Just as conventional advertising tries to target groups of people, so the Spinner personalises “subconscious influencing” for a specific person and no one else.

Cease and desist

Facebook and Instagram have just banned the service from their platform.

According to the BBC, Facebook is so hostile to the Spinner that it’s even sent the company a formal cease and desist.

The problem? Facebook’s letter accuses the Spinner of targeting its users via fake accounts and fake pages, activities which violate the company’s ad policies. A Facebook spokesperson told the BBC:

We have no tolerance for bad actors that try to circumvent our policies and create bad experiences for people on Facebook.

Manchurian candidates

The Spinner currently offers 23 different persuasion campaigns that cost $49 or $79 depending on the topic, although it’s also possible to define your own.

Some of the pre-defined campaigns sound inoffensive enough – reminding a young person to drive carefully, getting someone to lose weight, or to stop smoking.

Others are decidedly more sinister, for instance trying to influence someone to have sex or not to seek a divorce.

Once selected, the user is sent a shortened URL which they forward to the individual they’re targeting via SMS or email.

Assuming the target clicks this link, a cookie bound to that individual link is dropped on their smartphone, identifying them to websites which then serve special content to them.

The promise is that over a three-month period, on 180 occasions the target will be served a selection of 10 different articles from legitimate websites pushing the chosen subject.

While internet ad targeting and surveillance is already contentious, covertly targeting individuals with content in this way pushes things a stage further.

The Spinner’s founder, Elliot Shefler, once described the service as a kind of “brainwashing”, which probably didn’t help the company’s cause.

Unhappy Facebook

Shefler claimed to the BBC that his company had used Facebook for some of its advertising for a year without its content being deemed a problem.

The Spinner’s website claims the service is legal and given the sort of surveillance on which the web economy is based, that it is probably correct.

However, the idea that its platform might be used by individuals to target other individuals in a potentially manipulative or even distressing way without consent probably didn’t strike the social media giant as something it wanted to be associated with.

Arguably, the real problem with the Spinner isn’t the content it pushes or the targeted surveillance on which it is based but its inability to regulate how it is used and to what end.

The irony is that Facebook’s action is probably the best thing that’s ever happened to the service. It’s not clear how popular it is – nor whether its crude concept of persuasion even works as advertised – but Facebook’s ban might inadvertently give the service the precious oxygen of notoriety.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/mqrBZgA8Jh0/

Hospital hacker spared prison after plod find almost 9,000 cardiac images at his home

A Stoke-on-Trent hospital administrator has avoided prison after hacking his NHS trust and helping himself to almost 9,000 heart scan images.

Daniel Moonie, a 27-year-old of Waterlily Close, Etruria, Stoke-on-Trent, was cautioned by police in 2017 after he was caught remotely accessing the internal network of the Royal Stoke hospital, something he wasn’t authorised to do.

Moonie, who was employed by the hospital’s heart and lung department as an administrator, was sacked. As part of the police caution he agreed not to access any IT system within the hospital, not to enter the hospital unless he was ill or visiting a patient, and not to contact hospital staff unless asked to by the HR department.

He later unsuccessfully appealed against the caution. Crown prosecutor Paul Spratt told Stoke-on-Trent Crown court: “He made an error in March 2017 and was cautioned for accessing the hospital computer by a home computer. He had, in truth, not obtained any material of a sensitive nature at that time.”

Nursing a grievance over his treatment, and believing he wasn’t the only one remotely accessing the hospital network, Moonie changed the password for an admin account in order to maintain his illicit access.

In December 2017, the Royal Stoke’s head of cybersecurity discovered that changed password, as related in a report of Moonie’s sentencing by the Daily Mail.

Police were called in and they searched Moonie’s home, discovering 14 files relating to his sacking – as well as 600 staff-related documents, “about 150 documents related to management matters”, and photos of patients’ medical procedures across two disk drives.

Crown prosecutor Spratt told the court: “There were 8,895 images of cardiac tests but they were unattributed. He used the computer to reveal information to him that he had no right to. He was misguided and motivated out of a desire that he was not carrying the can for another.”

Another unnamed person, who was allowed to resign, was also said to have been involved with Moonie’s illicit access.

His Honour Judge David Fletcher told Moonie: “You are not lacking in intelligence. You clearly know your way around computers. You need now to concentrate very hard on utilising the skills you have in going forward in a positive manner and not resort to this behaviour which could result in something that causes a massive blow to public confidence.”

Moonie admitted one offence under section 1(1) of the Computer Misuse Act 1990 between 1 August 2016 and 31 December 2017.

He was handed a 12-month community order including 160 hours’ unpaid work and must pay £2,000 in prosecution costs.

Mark Bostock, director of Information Management and Technology at University Hospitals of North Midlands NHS Trust, said in a canned statement: “Concerns about Daniel Moonie’s activity were raised by a colleague and immediate action was taken to launch an internal investigation, involve the police and notify the Information Commissioner’s Office.”

Bostock added: “The full extent of Mr Moonie’s activity has only come to light during the police investigation and now that the trial has concluded we will be working with the Police and the ICO to establish what, if any, action should now be taken in terms of notifying individual members of the public or staff about their data. We would like to reassure patients that there is no evidence of harm or risk to their care as a result.”

Moonie’s case has some similarities with that of Jet2 hacker Scott Burns, who was also sacked, held a grudge and was later caught logging back into his former employer’s network. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/01/20/stoke_on_trent_hospital_hacker_9000_cardiac_images/