STE WILLIAMS

To hack Australia and learn its secrets, buy second-hand furniture

The Australian government has suffered what must rank as one of the most ridiculously embarrassing security breaches in its history: cabinet records from five successive governments were sent to a second-hand furniture store.

The trove ended up in the hands of the Australian Broadcasting Corporation (ABC), which is in the process of publishing what it judges safe to publish.

It appears that someone decided to sell two filing cabinets intact because they’d lost the key (really); the buyer applied a power drill to the locks, and the rest is history.

And what a history it’s turned out to be for the ABC. The broadcaster says it has “withheld documents if there are national security reasons, if the information is already public, or to protect the privacy of public servants.”

The Department of Prime Minister and Cabinet has already issued a statement saying it will investigate what happened (the incredible idiocy that made this possible, in other words) and won’t comment further for now.

Early NBN negotiating notes among the goodies

Among the documents revealed by the ABC are details of confidential briefings about how the Rudd government intended to fund Australia’s always-controversial National Broadband Network (NBN).

This needs context: in 2009, when it first conceived a universal fibre-to-the-premises build, Australia’s government was dealing with an obstructionist and hostile Telstra, Australia’s dominant telco. Under the “three amigos” led by CEO Sol Trujillo (the other two were Phil Burgess and Bill Stewart, both from Trujillo’s time at US West), Telstra was trying to block the Australian Competition and Consumer Commission’s competitive regulatory interventions (with High Court action), and delaying or white-anting government attempts to encourage high-speed broadband.

The government of the day conceived its NBN in part to unblock the regulatory deadlocks – but it needed to fund the network and didn’t want the cost to be directly attributed to the federal budget.

One of the documents reveals the range of funding options brought to cabinet. As well as the government’s eventual model of investing equity in NBN Co, various bond sales were considered. The bond options included letting retail investors in at an attractive rate; or long-term infrastructure bonds.


The government of the day also had hopes that Telstra would buy into the build, since the NBN’s customer access network would replace its own.

The document entitled “Strategy for negotiating with potential investors in NBN Co” states “there are likely to be many early approaches by a range of possible investors, including Telstra”.

However, the cabinet briefing also stated that nobody would buy in “until the details of the company and the regulatory framework (and, in all likelihood, the legislation) are settled”.

This didn’t bother the government of the day too much, it seems, since its intention was to privatise the network after build: “the Government does not need to rush into negotiations with investors making early offers”, the paper states.

The government had some hope that the existence of NBN Co would make Telstra more co-operative (and, perhaps, offer a chance for a change in strategy).

“The ideal outcome, over time, is the structural separation of Telstra by action of the Board”, the paper states, while noting that an intransigent Telstra might “choose to compete … using platforms such as the HFC network”.

With a fully structurally-separated Telstra, the document shows, the government had no trouble contemplating investment in NBN Co from Telstra Wholesale: before the network was completed, the government would remain its majority shareholder and therefore able to protect retail customers.

Nearly all of those discussions are now moot, since the network that now exists isn’t a particularly saleable asset.

The government was also acutely aware of the kinds of things Telstra would want if it were given a free hand in negotiations. The establishment of NBN Co and its wholesale-only status was non-negotiable from the start; Telstra might want to fold in assets like duct access which would be capped; the carrier would not be given a voice in matters like NBN access, price, rollout timing, and the government clearly expected it to lobby against fibre-to-the-premises.

Detail from NBN negotiating document

The Rudd government knew Telstra was likely to be troublesome. Image: the Australian Broadcasting Corporation

Telstra was expected to lobby the government over regulation, something the government wanted nixed, but it would (as has since happened) be allowed to take part in the rollout.

Vulture South will keep our eyes on the cabinet leaks to look for other snippets of interest to our readers. And for chances to point-and-laugh at the government. ®

Sponsored:
Minds Mastering Machines – Call for papers now open

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/31/australian_cabinet_leaked_a_cabinet/

Car-share biz GoGet became data share biz after 2017 hack attack

Australian car sharing company GoGet today admitted to a June 2017 data breach in which drivers licence details, payment card details and other personal data were accessed, but said it did not disclose the matter until now on the advice of police.

In an email sent to members today (and to The Register, thanks to kind readers), plus a breach notification and FAQ, the company said: “On 27 June 2017, GoGet’s IT team identified suspected unauthorised activity on its system and a full internal investigation was immediately commenced.”

Police from the Australian state of New South Wales were called not long afterwards, and the force says it established “Strike Force Artsy” to probe the matter in July 2017.


“With the assistance of company staff, investigators identified that unauthorised access was gained into the company’s fleet booking system and customer identification information from the database was downloaded,” the NSW Police statement says. “Following extensive inquiries, Strike Force Artsy detectives, assisted by the Public Order and Riot Squad, executed a search warrant at a home at Penrose just after 8am yesterday (Tuesday 30 January 2018).

“A 37-year-old man was arrested at the home and taken to Lake Illawarra Police Station, where he was charged with two counts of unauthorised access, modification, or impairment with intent to commit serious indictable offence; and 33 counts of take and drive conveyance without consent of owner.”

The NSW Police statement says investigators found more than 30 attempts to access GoGet’s database.

GoGet’s statement said the company “is limited in what it can say about the specific methods used by the suspect to gain unauthorised access to GoGet’s systems and vehicles.”

The company added that only “individuals who signed up to our service or updated their payment card details between the dates of 25 May 2017 and 27 July 2017 may have had their payment card details accessed.”

Other data accessed included names, addresses, email addresses, phone numbers, dates of birth, drivers licence details and “other GoGet administrative account details.”

While other members’ payment card details “were not affected by this incident”, the loss of licence data means the potential for identity theft or fraud is high. Happily, GoGet and NSW Police cannot find “evidence of misuse of, or that the suspect has disseminated any of, your personal information.”

“We are sorry that this has happened,” GoGet CEO Tristan Sender signs off in the email. “We take your privacy very seriously and have been working hard to get the best outcome from this police investigation.”

GoGet has offered “a range of steps individuals can take to maximise the ongoing security of their information.” One of those is to consult Equifax, the credit bureau that itself suffered a massive data breach in 2017.

Sigh. It never ends. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/goget_data_breach/

Unsanitary Firefox gets fix for critical HTML-handling hijack flaw

Mozilla has patched a nasty security bug in Firefox, affecting versions 56, 57 and 58, and their point updates.

The CVSS-8.8-rated flaw means that if an attacker can get a user to open a malicious document or link, remote code execution becomes a possibility – allowing spyware, ransomware and other nasties to be installed and run.

An advisory from Cisco explains: “The vulnerability is due to insufficient sanitisation of HTML fragments in chrome-privileged documents by the affected software … A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.”

That’s not chrome as in Google Chrome, by the way. In Mozilla parlance “chrome” is the browser’s own user-interface code (the XUL and HTML documents that make up Firefox itself), which runs with far more privilege than any web page. An XSS bug in such a document is therefore not a same-origin nuisance but a route to running code as the browser, and hence as the user.

Affected versions are: 56 (.0, .0.1, .0.2), 57 (.0, .0.1, .0.2, .0.3, .0.4), and 58 (.0). The bug is not present in Firefox for Android or Firefox 52 ESR. The fix is in Firefox 58.0.1, available from Mozilla.

In Firefox’s bug tracker, programmer Kris Maglione explained that the fix sanitises HTML fragments before they are inserted into chrome-privileged documents, so that markup from an untrusted source can no longer carry executable content into the browser’s own UI.

Maglione noted that the stronger control, blocking inline scripts in chrome documents outright, isn’t yet feasible: “The risk of XSS in chrome documents is much higher than it is in web content. Unfortunately, we currently rely on so much inline JS in our static XUL documents that that’s not really feasible in the short term.”

A follow-up issue has been filed against the future Firefox 60 channel, with developer J Ryan Stinnet explaining: “Once DevTools upgrades to React 16, it should be possible for the Browser component to move away from `innerHTML`. It’s currently used only because React before 16 doesn’t allow non-standard attributes.”

Such changes would inoculate Firefox 60 against a similar bug in future. ®
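The pattern behind this class of bug, and the two ways out of it that the bug-tracker discussion points at, can be shown without any Firefox internals. The JavaScript below is an added example, not Mozilla’s code or the patch itself: a renderer that interpolates an attacker-controlled string into markup destined for `innerHTML`, the same renderer with the value escaped, a tag-aware check used only as a test oracle for whether a fragment carries executable content, and a small source lint that reports `innerHTML`/`outerHTML` assignments and `insertAdjacentHTML` calls whose markup argument is not a plain string literal. The attacker string, the renderers and the sample source lines are all constructed for the demonstration.

```javascript
// Added example, not Mozilla code: why innerHTML fed with untrusted data is an
// XSS sink, the escape-and-build alternative, and a small source lint that
// flags innerHTML-style sinks whose argument is not a plain string literal.
// Runs under Node; no DOM is needed because we only inspect the markup strings.

// Constructed attacker-controlled value, e.g. a display name from a web page.
// In ordinary web content this pops an alert; in a chrome-privileged document
// the same handler runs with the browser's (and so the user's) privileges.
const ATTACKER_NAME = '<img src=x onerror="alert(document.domain)">';

// Vulnerable pattern: untrusted text interpolated into markup that will be
// assigned to element.innerHTML. The browser parses the payload as a tag.
function renderUnsafe(user) {
  return `<li class="user">${user.name}</li>`;
}

// Escape the five HTML metacharacters so the parser sees text, not markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened form: same template, but every untrusted value is escaped. In a
// real page prefer building nodes with createElement/textContent so there is
// no HTML string to get wrong in the first place.
function renderSafe(user) {
  return `<li class="user">${escapeHtml(user.name)}</li>`;
}

// Test oracle only (not a sanitizer): does a fragment contain content that
// would execute when parsed by innerHTML? Looks for script elements, on*
// handler attributes inside a tag, and javascript: URLs inside a tag.
function hasActiveContent(markup) {
  return /<script\b/i.test(markup)
    || /<[a-z][^>]*\son[a-z]+\s*=/i.test(markup)
    || /<[a-z][^>]*\s(?:href|src)\s*=\s*["']?\s*javascript:/i.test(markup);
}

// Source lint in the spirit of moving a code base off innerHTML: report every
// assignment to innerHTML/outerHTML and every insertAdjacentHTML call whose
// markup argument is anything other than a plain quoted string literal.
// Template literals are flagged too, since they may interpolate.
function findUnsanitizedSinks(source) {
  const assign = /\.(innerHTML|outerHTML)\s*=\s*(.+?);?\s*$/;
  const call = /\.insertAdjacentHTML\(\s*["'][^"']*["']\s*,\s*(.+?)\)\s*;?\s*$/;
  const plainLiteral = /^(["'])(?:(?!\1).)*\1$/;
  const findings = [];
  source.split('\n').forEach((line, index) => {
    let sink = null;
    let rhs = null;
    let m = line.match(assign);
    if (m) {
      sink = m[1];
      rhs = m[2];
    } else if ((m = line.match(call))) {
      sink = 'insertAdjacentHTML';
      rhs = m[1];
    }
    if (sink && !plainLiteral.test(rhs.trim())) {
      findings.push({ line: index + 1, sink, rhs: rhs.trim() });
    }
  });
  return findings;
}

// Constructed source snippet to lint: line 1 is a literal and fine, line 4 is
// not an HTML sink; lines 2 and 3 feed untrusted data into an HTML sink.
const SAMPLE_SOURCE = [
  'list.innerHTML = "";',
  'list.innerHTML = users.map(renderUnsafe).join("");',
  'panel.insertAdjacentHTML("beforeend", `<b>${title}</b>`);',
  'label.textContent = user.name;',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(renderUnsafe({ name: ATTACKER_NAME }));
  console.log(renderSafe({ name: ATTACKER_NAME }));
  console.log(findUnsanitizedSinks(SAMPLE_SOURCE));
}
```

The lint is deliberately line-based and will miss sinks split across lines or reached through aliases; it is the shape of the check, not a substitute for a parser-based rule. Mozilla ships an ESLint plugin for exactly this purpose (eslint-plugin-no-unsanitized), which is the tool to reach for in a real code base.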


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/mozilla_patches_critical_firefox_vulnerability/

I’ll torpedo Tor weirdos, US AG storms: Feds have ‘already infiltrated’ darknet drug souks

The US Attorney General has set up a task force of FBI agents and tech nerds to further smoke out online peddlers of illegal opioids.

The team, dubbed the Joint Criminal Opioid Darknet Enforcement, aka J-CODE, will be sent out to a dozen American cities that have hotspots of opioid abuse to work out where the gear is coming from. The force will then try to identify the sources online, and shut them down, as the Trump administration reignites America’s war on drugs.

Announcing the policy in a speech on Monday, Attorney General Jeff Sessions talked tough on crooks lurking within the darknet – the anonymizing networks, such as Tor, that can be used for good but can also be used by drug traffickers to evade the cops and Feds.

The FBI has tricks up its sleeve to potentially unmask some Tor users, and has found other ways to take over darknet websites, usually by seizing servers.

“Criminals think that they are safe on the darknet, but they are in for a rude awakening,” Sessions said.

“We have already infiltrated their networks, and we are determined to bring them to justice. The J-CODE team will help us continue to shut down the online marketplaces that drug traffickers use and ultimately that will help us reduce addiction and overdoses across the nation.”

Crackdown

According to the US National Institute on Drug Abuse, opioids kill more than 90 Americans every day through overdoses, and they have been a significant contributor to the reduction in life expectancy in America (although this humble hack suggests the parlous and extortionate state of healthcare in this country may have something to do with it).

Sessions said the darknet has made it far too easy for people to get illegal opioids and have them delivered direct to their front doors. Such suppliers were often overseas. The J-CODE team will primarily focus on domestic sellers, unless it can get cooperation from other nations.

While cracking down on illegal sales of dodgy painkillers is a good thing, the government is being less than active when it comes to combating ostensibly legal opioids. On Tuesday, the House of Reps’ energy and commerce committee announced that it was sending a stern letter to legal opioid sellers who may be breaking the law.

The committee was reacting to press reports from West Virginia, which has the highest opioid death rate in the US, that revealed two drug distribution companies were making some very odd deliveries.

For example, a pharmacy in the small town of Williamson, population around 2,900, received shipments of 10.2 million hydrocodone pills and 10.6 million oxycodone pills over the last ten years. Over a two year period, the 392-person hamlet of Kermit received almost nine million hydrocodone pills. Surely, you might think, this huge stockpile of a controlled substance can’t possibly be used purely for legit medical reasons.

“These numbers are outrageous, and we will get to the bottom of how this destruction was able to be unleashed across West Virginia,” said committee chairman Greg Walden (R-OR) and ranking member Frank Pallone Jr (D-NJ) in a joint statement. Before you get too impressed, this is the second letter on the topic, the first being sent out in September. But apart from letters, it seems very little action is being taken on the issue by the federal government.

How successful will the J-CODE teams be? It’s unlikely that Tor’s integrity and security have been cracked, so they’ll probably focus on sting operations and tracking postal deliveries. When Sessions says agents have infiltrated networks, he most likely means supply networks. Meanwhile, the death count clicks higher every day. ®


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2018/01/30/jeff_sessions_war_on_tor/

Breach-Proofing Your Data in a GDPR World

Here are six key measures for enterprises to prioritize over the next few months.

The massive data breaches that have hit the headlines in recent years, including Yahoo, Verizon, and particularly Equifax, have taken a toll on breach victims, consumers, and corporations. We’ve seen stocks drop precipitously, class-action lawsuits filed, CEOs shown the door, and executives called before Congress. This year, breaches could be even more costly for companies once the European Union’s General Data Protection Regulation (GDPR) rules are in place come May 25.  

The rules require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states, and also regulate the export of those consumers’ personal data outside the EU. Penalties for the most serious infringements run up to €20 million (roughly $27 million) or 4% of global annual turnover, whichever is greater. For Equifax, which reported $3.14 billion in 2016 revenue, that could mean a fine of up to $125.7 million. The company has already incurred $87.5 million in expenses so far in dealing with the breach and its aftermath. For a company the size of Apple, at $229.2 billion in revenue, the fine could reach as high as $9.17 billion. GDPR will apply to any company that processes the data of EU citizens, regardless of where the company is based. Given the global nature of Internet commerce, its impact will be far reaching.

Organizations are under the gun to get systems in place now to ensure that they are in compliance with the regulations, before it’s too late. Here are six key measures for enterprises to prioritize over the next few months:

  1. Protect data beyond your perimeter. Corporate networks continue to expand with increased use of the cloud. The average enterprise has over 1,000 cloud services in use, 92% of which are not enterprise-ready, according to a report last year from cloud security company Netskope. (Full disclosure: Netskope is among a number of companies that provide cloud security services.) Companies need to expand security practices to cover all the new ways in which users are interacting with technology. Expanding the use of enterprise security controls is crucial, but end-to-end data protection is one of the most potent safeguards.
  2. Make privacy awareness mandatory. By requiring every employee to participate in cybersecurity awareness training and conducting training on an ongoing basis, organizations can foster a culture of security awareness. Security team leads are responsible for identifying risks of noncompliance with GDPR, and managing those risks by implementing controls, policies, and procedures, and then communicating these and other security best practices to their employees. Employees need to hold themselves accountable for doing their part in helping the company comply with the GDPR — just as much as leadership does.
  3. Ensure secure transmission of data in the cloud. As cloud adoption expands and data increasingly crosses physical boundaries, it becomes that much more important to vet and manage cloud providers, and to monitor how data is transmitted to and controlled within them. With email, cloud storage, or collaboration apps like Slack, security teams need to keep a close eye on the many channels being used to communicate and share data. Rather than blocking use of those channels, security leads need to have the right guardrails in place to ensure employees aren’t intentionally or inadvertently exposing the data to the outside world, and in turn exposing the company to fines.
  4. Check the terms and conditions. Nearly 40% of cloud services provide terms and conditions that lack specifics around data ownership. In some cases, the user owns the data, but in others the cloud service provider owns it. Security teams need to increase employee awareness about this and encourage them to steer clear of services that want to own the data.
  5. Know your data well. When I say get to know your data, I mean really know the data — what information is being collected, who’s collecting it, and who’s sharing it throughout the organization. Also, don’t assume that your understanding of protected health information (known as PHI), personally identifiable information (PII), and other data profiles will directly map to the GDPR rules, because the scope of the regulations is different and can include things such as hobbies, political affiliations, and sexual orientation.
  6. Follow your data. You need to know where your data travels — especially if it crosses geopolitical boundaries. In fact, 80.3% of the time, cloud data gets backed up to another geographic area. That is, after all, a deliberate design specification and a strength of the cloud for enabling high availability and disaster recovery. If that data includes regulated data under the GDPR, you’ll need to talk to your cloud service provider about restricting backups to certain geographies. If your cloud service provider can’t do that, look to third-party controls to take necessary precautions.

The GDPR may be a European Union regulation, but its reach covers businesses the world over. It will force companies to strengthen their protections for customer data or face fines. The regulations may not prevent breaches from happening, but they will help minimize the amount and severity of the data that gets exposed, and thus reduce the harm to consumers. Organizations need to hasten their efforts to put measures in place to comply with the new regulations. Doing so won’t just save them money; it’s good for business in general to have strong data protections in place.


Sanjay Beri brings nearly two decades of innovation, experience, and success in networking and security technology, and a unique business sense, to his role as founder and CEO of Netskope. He has held leadership positions at Juniper Networks, Ingrian Networks, McAfee, and …

Article source: https://www.darkreading.com/cloud/breach-proofing-your-data-in-a-gdpr-world/a/d-id/1330917?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Breach-Proofing Your Data in a GDPR World

Here are six key measures for enterprises to prioritize over the next few months.

The massive data breaches that have hit the headlines in recent years, including Yahoo, Verizon, and particularly Equifax, have taken a toll on breach victims, consumers, and corporations. We’ve seen stocks drop precipitously, class-action lawsuits filed, CEOs shown the door, and executives called before Congress. This year, breaches could be even more costly for companies once the European Union’s General Data Protection Regulation (GDPR) rules are in place come May 25.  

The rules require businesses to protect the personal data and privacy of EU citizens for transactions that occur within EU member states, and also regulate the exportation of personal data of those consumers outside the EU. Penalties include fines of more than $27 million, or 4% of revenue, whichever is greater. For Equifax, which reported $3.14 billion in 2016 revenue, that could mean fines of $125.7 million. The company has already incurred $87.5 million in expenses so far in dealing with the breach and its aftermath. For a company the size of Apple, at $229.2 billion in revenue, the fines could reach as high as $9.17 billion. GDPR will apply to any company that processes the data of EU citizens, regardless of where the company is based. Given the global nature of Internet commerce, its impact will be far reaching.   

Organizations are under the gun to get systems in place now to ensure that they are in compliance with the regulations, before it’s too late. Here are six key measures for enterprises to prioritize over the next few months:

  1. Protect data beyond your perimeter. Corporate networks continue to expand with increased use of the cloud. The average enterprise has over 1,000 cloud services on average in use, 92% of which are not enterprise-ready, according to a report last year from cloud security company Netskope. (Full disclosure: Netskope is among a number of companies that provide cloud security services.) Companies need to expand security practices to cover all the new ways in which users are interacting with technology. Expanding use of enterprise security controls is crucial, but end-to-end data protection is one of the most potent safeguards.
  2. Make privacy awareness mandatory. By requiring every employee to participate in cybersecurity awareness training and conducting training on an ongoing basis, organizations can foster a culture of security awareness. Security team leads are responsible for identifying risks of noncompliance with GDPR, and managing those risks by implementing controls, policies, and procedures, and then communicating these and other security best practices to their employees. Employees need to hold themselves accountable for doing their part in helping the company comply with the GDPR — just as much as leadership does.
  3. Ensure secure transmission of data in the cloud. As cloud adoption expands and data increasingly crosses physical boundaries, it becomes that much more important to vet and manage cloud providers so that data transmission and the controls around it are monitored. With email, cloud storage, or collaboration apps like Slack, security teams need to keep a close eye on the many channels being used to communicate and share data. Rather than blocking use of those channels, security leads need to have the right guardrails in place to ensure employees aren’t intentionally or inadvertently exposing the data to the outside world, and in turn exposing the company to fines.
  4. Check the terms and conditions. Nearly 40% of cloud services provide terms and conditions that lack specifics around data ownership. In some cases, the user owns the data, but in others the cloud service provider owns it. Security teams need to increase employee awareness about this and encourage them to steer clear of services that want to own the data.
  5. Know your data well. When I say get to know your data, I mean really know the data — what information is being collected, who’s collecting it, and who’s sharing it throughout the organization. Also, don’t assume that your understanding of protected health information (known as PHI), personally identifiable information (PII), and other data profiles will directly map to the GDPR rules, because the scope of the regulations is different and can include things such as hobbies, political affiliations, and sexual orientation.
  6. Follow your data. You need to know where your data travels — especially if it crosses geopolitical boundaries. In fact, 80.3% of the time, cloud data gets backed up to another geographic area. That is, after all, a deliberate design specification and a strength of the cloud for enabling high availability and disaster recovery. If that data includes regulated data under the GDPR, you’ll need to talk to your cloud service provider about restricting backups to certain geographies. If your cloud service provider can’t do that, look to third-party controls to take necessary precautions.

The GDPR may be a European Union regulation, but its reach covers businesses the world over. It will force companies to strengthen their protections for customer data or face fines. The regulations may not prevent breaches from happening, but they will help minimize the amount and severity of the data that gets exposed, and thus reduce the harm to consumers. Organizations need to hasten their efforts to put measures in place to comply with the new regulations. Doing so won’t just save them money; it’s good for business in general to have strong data protections in place.

Sanjay Beri brings nearly two decades of innovation, experience, and success in networking and security technology, and a unique business sense, to his role as founder and CEO of Netskope. He has held leadership positions at Juniper Networks, Ingrian Networks, McAfee, and …

Article source: https://www.darkreading.com/cloud/breach-proofing-your-data-in-a-gdpr-world/a/d-id/1330917?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Digital Extortion to Expand Beyond Ransomware

In the future of digital extortion, ransomware isn’t the only weapon, and database files and servers won’t be the only targets.

When we think of digital extortion, we typically think of ransomware. But cybercriminals now are looking outside ransomware for new ways to shake down organizations.

Cybercriminals have learned that many businesses will pay if a ransomware attack cripples their day-to-day operations. Ransomware drove the spike in digital extortion in 2017 and remains cybercriminals’ weapon of choice, according to a new Trend Micro study “Digital Extortion: A Forward-Looking View.”

But threat actors are exploring new extortion tactics. “Some of the attacks we’ve seen highlight a shift in the model itself,” says Trend Micro chief cybersecurity officer Ed Cabrera. “As we expand our digital footprint, I think it creates an enormous opportunity for attackers to identify areas where they can have immediate impact.”

The criminal extortion framework has been around in the physical world for a long time, he continues. Now, in the digital world, it’s just getting started. Attackers are learning that their chances of getting paid increase dramatically if they target certain files, systems, or databases. While ransomware will remain popular, other types of threats are starting to appear, according to Trend Micro.

Extortion attacks and critical infrastructure

“Going forward, you would be remiss to just focus on files,” says Cabrera. Cybercriminals will begin to leverage the growth of IoT, specifically industrial IoT, to extort money from victims. Businesses that need to be up and running at all times are especially vulnerable.

“Any organization that has real-time services, real-time operations that are impacted, will be targeted,” he continues. Critical manufacturing and healthcare are prime examples, with attacks that target manufacturing plants and robots as well as sensitive files and documents.

These plants and machines typically run on legacy systems and diverse hardware that would be difficult – if not impossible – to patch or upgrade. For attackers seeking old vulnerabilities, these systems are prime targets. Trend Micro’s report highlights supply chain disruption, in which attackers insert logic bombs or Trojans into specific network locations, as one example. Victims will need to pay to find the bugs’ locations so they can disable them.

Digital files, normally targeted in ransomware attacks, are not as well-protected as critical processes. Threat actors want to “peel the onion,” Cabrera says, and get to core infrastructure data that businesses will pay to save. “They’re going to go deeper and deeper into organizations to find those processes … if those are impacted, you know they’re going to pay.”

Social media extortion is another growing threat. One form is the smear campaign, which spreads fake information and demands that victims pay in order to stop it. These campaigns, once more common against celebrities and politicians, have begun to target brands and executives. Once a business’s reputation has been tarnished online, it is difficult to rebuild.

“We live in a reputation economy,” Cabrera points out. “CEOs and board members, especially in this day and age of social, are heightened to the fact that anything they say, good or bad, is taken and can be immediately seen [online].”

Ransomware isn’t going anywhere

“I’d say ransomware isn’t going away; it’s just going to continue to evolve,” says Cabrera.

Security experts across the industry have noted the spike in ransomware, which hit a 90% detection rate for enterprise victims in 2017. More than 50% of businesses were hit with ransomware last year and on average, they were struck twice, reports Sophos.

Ransomware has proven a reliable moneymaker for cybercriminals and financial drain for victims. The median total cost of a ransomware attack was $133,000, Sophos found. This includes ransom, downtime, manpower, device cost, network cost, and opportunity cost. Five percent of the survey’s 2,700 respondents said total ransomware cost ranged from $1.3 million to $6.6 million.

Over the next year, Trend Micro expects ransomware criminals will add new features to their digital weapons by reusing “the old book” of traditional malware techniques. This may include PE (portable executable) infectors and more aggressive delivery tactics to drive the speed and spread of attacks. Analysts also suggest criminals will create systems to minimize their interaction with victims.

The arrival of GDPR will shift cybercriminals’ extortion strategies, Cabrera says. They understand the upcoming changes, and the penalties companies will have to pay if they’re not compliant. He anticipates they’ll use the new rules as leverage to get victims to pay for data.

“They’re just scratching the surface in understanding what motivates organizations,” he explains. “Not only are they fine-tuning the tools they’re using to go after organizations, they’re understanding all the financial aspects … I absolutely believe GDPR will be utilized as a tool to affect the payment of ransom.”

To pay or not to pay?

The question remains: when you’re hit with an extortion attack, should you pay? If your company is at the point where this is your last option, you have failed, Cabrera says.

“Gone are the days where we had ransomware hitting our personal PCs and it was more of a nuisance than an enterprise risk,” he notes. “You should have a pretty robust plan to deal with digital extortion.”

There are many reasons not to pay, but organizations that fail to plan find themselves weighing the pros and cons of payment.

If, or when, they are attacked, businesses need people, processes, and technology in place to mitigate the risk. There is no guarantee you’ll get your data back when it’s taken. Further, even if you do get it back, there is no guarantee it hasn’t been copied or compromised.

“Even if that data has been slightly altered, that could impact operations for weeks or months to come,” Cabrera says.

Kelly Sheridan is Associate Editor at Dark Reading. She started her career in business tech journalism at Insurance Technology and most recently reported for InformationWeek, where she covered Microsoft and business IT. Sheridan earned her BA at Villanova University.

Article source: https://www.darkreading.com/endpoint/digital-extortion-to-expand-beyond-ransomware/d/d-id/1330940?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple