STE WILLIAMS

Tupperware-dot-com has a live credit card skimmer on its payment page, warns Malwarebytes

Tupperware, maker of the plastic food containers beloved of the Western middle classes, has an active and ongoing malware infection on its website that steals credit card data and passes it to criminals.

Infosec firm Malwarebytes, which made the discovery, has gone public with its findings today after alleging Tupperware ignored attempts to alert it and to get the malware removed from its payment processing pages.

“On March 20, Malwarebytes identified a targeted cyberattack against household brand Tupperware and its associated websites that is still active today. We attempted to alert Tupperware immediately after our discovery, but none of our calls or emails were answered,” said Malwarebytes in a statement.

The ruse works through a rogue PNG image file having been planted by criminals who found a way into Tupperware’s website. Using steganography techniques to hide malicious code inside the image file to evade detection, the criminals loaded the near-silent exploit on Tupperware-dot-com around 9 March.

Malwarebytes’ Jerome Segura told The Register: “We understand that businesses have been disrupted in light of the coronavirus crisis, and that employees are working remotely, which accounts for delays. Our decision to go public is to ensure that the problem is being looked at in a timely manner to protect online shoppers.” He added that Malwarebytes also alerted mega card payment org Visa in its efforts to get the compromised site cleansed.

Around a million people a month visit Tupperware-dot-com, according to public web traffic data.

According to Malwarebytes, Tupperware.com, the plastic box purveyor’s own website, was compromised by malicious persons who reprogrammed the site to launch a fake payment details iframe.

Tupperware skimmer iframe. Screenshot: Malwarebytes

That iframe pulled its content from deskofhelp[dot]com, which infosec researchers found to be “registered to elbadtoy@yandex[.]ru, an email address with Russian provider Yandex.” They po-facedly noted: “This seems at odds for a payment form on a US-branded website.”

Using the iframe to pay for your boxes of goodness instead puts your payment data through a credit card skimmer, via a cunningly-disguised fake session timeout page that lets the criminals reload the correct payment page. The payment goes through on the second attempt, your data is beamed to the crims, and nobody’s the wiser until your bank account suddenly empties or your credit card slams into its upper limits.

Most disturbing is that the fake payment page passes the usual consumer-level checks: the address bar confirms you really are on tupperware.com, and the little HTTPS padlock shows up next to it.
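Added example (not code from Malwarebytes, Tupperware or The Register): a Python audit of the iframe origins on a checkout page, which is the check the padlock cannot do for you, with the allowlist turned into a Content-Security-Policy frame-src directive that enforces it. All hostnames and the sample markup are constructed.

```python
"""Audit the <iframe> origins embedded in a checkout page.

Added example, not code from Malwarebytes, Tupperware or The Register. The
rogue payment frame above sat on the genuine tupperware.com URL with a valid
padlock, so the address bar says nothing about where frame content comes from.
A defender can instead inventory every iframe origin on the page, compare it
with an allowlist of payment providers, and enforce that allowlist with a
Content-Security-Policy frame-src directive. Hostnames below are constructed.
"""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlsplit


@dataclass
class FrameFinding:
    src: str        # raw src attribute as found in the markup
    host: str       # host the frame loads from ("" for non-network schemes)
    allowed: bool   # True when the host is the page itself or allowlisted
    reason: str     # short explanation for the report


class _IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> (and legacy <frame>)."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "frame"):
            # A frame with no src (srcdoc-only or script-populated) is still listed
            self.srcs.append(dict(attrs).get("src") or "")


def _frame_host(src: str, page_host: str) -> str:
    """Effective host for a frame src; relative and about: URLs are same-origin."""
    if not src or src.startswith("#"):
        return page_host
    parts = urlsplit(src)
    if parts.scheme in ("javascript", "data", "blob"):
        return ""           # not a network origin at all: report separately
    if parts.scheme == "about" or not parts.netloc:
        return page_host    # about:blank inherits the embedder; /path is relative
    return parts.hostname or ""


def audit_iframes(html: str, page_host: str, allowed_hosts) -> list:
    """Return one FrameFinding per frame, flagging hosts outside the allowlist."""
    allowed = {page_host.lower()} | {h.lower() for h in allowed_hosts}
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.srcs:
        host = _frame_host(src, page_host).lower()
        if not host:
            findings.append(FrameFinding(src, host, False,
                            "frame uses a javascript:/data:/blob: URL, not a network origin"))
        elif host in allowed:
            findings.append(FrameFinding(src, host, True, "same-origin or allowlisted host"))
        else:
            findings.append(FrameFinding(src, host, False,
                            "frame loaded from a host that is not in the allowlist"))
    return findings


def build_frame_src_csp(allowed_hosts) -> str:
    """Build the CSP frame-src directive that enforces the same allowlist."""
    sources = ["'self'"] + [f"https://{h}" for h in sorted(set(allowed_hosts))]
    return "frame-src " + " ".join(sources)


# Constructed checkout page: one legitimate payment-provider frame, one
# same-origin frame, and one frame pulled from an unrelated host.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<h1>Checkout</h1>
<iframe src="https://checkout.psp-example.com/hosted-fields" title="card"></iframe>
<iframe src="/account/summary" title="summary"></iframe>
<iframe src="https://rogue-form.example.net/payment.html" style="border:0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    results = audit_iframes(SAMPLE_CHECKOUT_HTML, "www.tupperware.com",
                            ["checkout.psp-example.com"])
    for f in results:
        print("OK  " if f.allowed else "WARN", f.host or "<non-network>",
              "<-", f.src or "<no src>", f"({f.reason})")
    print(build_frame_src_csp(["checkout.psp-example.com"]))
```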

The Register has asked Tupperware for comment. ®


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/25/tupperware_dot_com_credit_card_skimmer_malwarebytes/

Do DevOps Teams Need a Company Attorney on Speed Dial?

In today’s regulatory and legislative environment, companies and individuals are exposed to lawsuits over security breaches, resulting in significant fines and ending careers.

To err is human, and developers writing code err as often as any other humans. The industry average for programmers, in fact, is as many as 70 errors per 1,000 lines of code. Testing looks for errors and tries to catch as many as possible before a product goes to market.

Before releasing their applications, companies will test functionality, as errors in functionality could result in customer dissatisfaction and be embarrassing for the company. This could have a negative effect on sales and the organization’s market position.

However, testing needs to be done on security issues as well. While releasing a functionally poor application could be embarrassing and bad for sales, releasing a vulnerable application can have far greater consequences. In today’s regulatory and legislative environment, companies, as well as individuals, are exposed to lawsuits over security breaches, resulting not only in significant fines but the end of careers.

It seems that almost every data breach becomes fodder for legal action. In one of the biggest cases in recent years, international hotel chain Marriott faces numerous class-action lawsuits (some are still pending) over a data breach in which information from some 500 million guest records ended up in the hands of hackers. Investigators determined that the 2018 leak was likely due to a remote access Trojan ending up on the server that held the records, which allowed hackers to take control of admin accounts.

The trouble began when Marriott acquired hotel chain Starwood and continued using its reservation system. Between the chaos of trying to get a handle on the Starwood data and the continued use of an old, malware-laden system — and the elimination of the jobs of many of the Starwood IT staff — Marriott was charged with negligence in securing its data, leading to the wave of lawsuits. It’s estimated that the breach, including settlements, legal fees, etc., has cost the company around $30 million in direct costs, in addition to a fine of £99 million imposed by the European Union under GDPR statutes. And that doesn’t include the potential lost revenue due to customers shying away from a chain where customer data has been compromised by hackers multiple times.

The Marriott case is one of many. In another recent example, franchisees who own Snap Fitness outlets are suing the mother company for requiring them to purchase club management software, which turned out to be flawed, subjecting them to ransomware attacks. Because of the bad code that they were forced to utilize, “the franchisees lost all their data and the ability to operate their clubs for 13 days, causing all Snap Fitness franchisees to suffer significant losses of revenues, profits, and club members.”

Lawsuits aren’t confined to dissatisfied tech partners. In a twist, company shareholders are suing support firm Zendesk for what they allege is an attempt to cover up a 2016 security breach. News of that breach only came out in October 2019, and it followed a poor showing in second-quarter financial results for the company. By failing to disclose the breach, investors who bought shares in the firm between 2016 and the revelation of the breach were in essence defrauded, the lawsuit contends, because the revelation of the breach is likely to drive down the price of their shares. Zendesk officials took advantage of the cover-up, the plaintiffs say, to “cash in, selling approximately 409,000 of their personally held Zendesk shares, reaping more than $32.7 million in proceeds.”

The lawsuit was filed recently, but it’s likely to discuss not just the fraud aspects of the allegation, but the nature of the breach — which, as Zendesk is a software firm, may include security holes in its software.

Face it, mistakes are going to happen — and in the DevOps environment, it’s crucial to find those mistakes as early in the development cycle as possible.  

However, many of the mistakes that teams are looking for are the ones that affect program functionality. Searching for mistakes that could lead to breaches and hacker attacks, while even more crucial, often does not get the same priority. A button that does the wrong thing may get complaints from customers, along with a good dose of embarrassment on social media, but it’s unlikely to land the company in a courtroom facing tens of millions of dollars in liability. A security vulnerability that goes undetected, on the other hand, could.

When DevOps teams are reviewing the pipeline, they may want to invite someone from the legal department into the discussion, just to make sure everyone knows what’s at stake. There is no time like the present to evaluate your DevSecOps, to make sure every effort has been made to find any issues. That’s the differentiator between a negligence suit and no suit at all, and between a bankrupting-sized fine and a slap on the wrist.


Shahar Sperling is the Chief Architect at HCL AppScan. He has had 23 years of experience in professional software development, spending the last 13 years with the AppScan team, developing various products and technologies.

Article source: https://www.darkreading.com/application-security/do-devops-teams-need-a-company-attorney-on-speed-dial/a/d-id/1337360?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

What Should I Do If Someone Is Impersonating My Company in a Phishing Campaign?

Two security awareness advocates from KnowBe4 provide some solid suggestions.

Question: What should I do if someone is impersonating my company in a phishing campaign?

Erich Kron, security awareness advocate, KnowBe4: The Internet, as we know, was not designed for security. Unfortunately, that has left us with some issues. One major issue is the ability to spoof email addresses rather easily.

If your organization is experiencing issues where people are impersonating it when sending phishing emails, ensure your email services are set up to use Sender Policy Framework (SPF) records or DomainKeys Identified Mail (DKIM) and also to use Domain-based Message Authentication, Reporting and Conformance (DMARC). These authentication technologies are used to validate that emails come from servers that are authorized to send from your email domain. While this won’t stop the bad actors from trying, it will allow victim email systems to better identify and block these fake messages.
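Added example (not code from KnowBe4 or Dark Reading): a Python grader for the SPF and DMARC records the answer above asks you to publish, showing the weak settings beside the corrected ones. The records are constructed samples; DKIM is not graded because that needs the selector and public key, and no DNS lookup is performed.

```python
"""Assess SPF and DMARC TXT records for an organisation's domain.

Added example, not from KnowBe4 or Dark Reading. Publishing a record is not
enough: an SPF record ending in "+all" authorises every sender on the
internet, and a DMARC record with "p=none" only requests reports and blocks
nothing. These functions grade a record the way a receiving mail server would
use it. The records are constructed samples; in practice you would fetch them
with a DNS TXT lookup of the domain and of _dmarc.<domain>.
"""


def parse_tags(record: str) -> dict:
    """Split a 'k=v; k=v' DMARC-style record into a dict (keys lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record: str) -> tuple:
    """Return (grade, explanation); grade is missing, weak, ok or strong."""
    if not record or not record.lower().startswith("v=spf1"):
        return "missing", "no SPF record: receivers cannot tell authorised senders from forgers"
    terms = record.split()[1:]
    # The final 'all' mechanism decides what happens to every sender not listed before it
    tail = terms[-1].lower() if terms else ""
    if tail in ("all", "+all"):
        return "weak", "'+all' authorises any host on the internet to send as this domain"
    if tail == "?all":
        return "weak", "'?all' is neutral: unlisted senders are neither passed nor failed"
    if tail == "~all":
        return "ok", "'~all' soft-fails unlisted senders; DMARC can still act on the result"
    if tail == "-all":
        return "strong", "'-all' hard-fails unlisted senders"
    return "weak", "record does not end in an 'all' mechanism, so unlisted senders are neutral"


def assess_dmarc(record: str) -> tuple:
    """Return (grade, explanation) for a DMARC record."""
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", "no DMARC record: receivers have no policy to apply to failing mail"
    policy = tags.get("p", "").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        return "weak", "p=none only requests reports; spoofed mail is still delivered"
    if policy in ("quarantine", "reject"):
        if pct < 100:
            return "ok", f"p={policy} is applied to only {pct}% of failing mail (pct tag)"
        if policy == "quarantine":
            return "ok", "p=quarantine sends failing mail to spam rather than rejecting it"
        return "strong", "p=reject tells receivers to discard mail that fails alignment"
    return "weak", f"unrecognised or missing policy tag: {policy!r}"


# Constructed records: the weak starting point beside the corrected version.
SAMPLES = {
    "weak SPF":      "v=spf1 include:_spf.mail-example.com +all",
    "fixed SPF":     "v=spf1 include:_spf.mail-example.com -all",
    "weak DMARC":    "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "partial DMARC": "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.com",
    "fixed DMARC":   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, rec in SAMPLES.items():
        grade_fn = assess_spf if rec.lower().startswith("v=spf1") else assess_dmarc
        grade, why = grade_fn(rec)
        print(f"{name:14} {grade:8} {why}")
```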

James McQuiggan, security awareness advocate, KnowBe4: If your organization is being impersonated in a phishing campaign, it’s important to reduce the risk to your employees and customers from being scammed through communication of such potential attacks. Either posted on the website, in emails, or text messages, inform them about the potential threat that could be seen via a phishing scam and explain that the organization will never ask for passwords or other sensitive information via a link in email. Another good practice is to teach people to not click on links in emails or text messages unless they are expecting the link. Advise them to use bookmarked websites or get access through a search engine.

Also, be on the lookout for typosquatting or script spoofing, which is where the criminals purchase various domain names of the organization website with transposed letters or use homographic characters. These characters could be from another language, like Cyrillic or Hebrew, and may be difficult to spot in the URL. One solution is to purchase the websites that would contain the transposed or common Cyrillic-lettered websites and redirect them back to the organization’s main page.
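Added example (not code from KnowBe4 or Dark Reading): a Python checker for the two lookalike tricks named above, transposed letters and non-Latin homographs, written for a defender screening sender domains or new registrations. The brand and candidate domains are constructed, the confusables table is a short illustration rather than Unicode's full list, and the label split assumes a one-part public suffix such as .com.

```python
"""Flag domains that impersonate a brand by typosquatting or homograph tricks.

Added example, not code from KnowBe4. It decodes punycode (xn--) labels,
reports any non-Latin script in the label, folds a small confusables table
back to Latin and measures edit distance (with transpositions) to the brand
label. Brand and candidates are constructed; the confusables table is a
short illustration, not Unicode's full list, and the label split assumes a
one-part public suffix such as .com.
"""
import unicodedata

# Minimal confusables: Cyrillic letters that render like Latin ones.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, ie, o, er
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic es, ha, u, i
    "\u0458": "j", "\u0455": "s", "\u04bb": "h", "\u0501": "d",  # Cyrillic je, dze, shha, de
}


def _normalize(domain: str) -> str:
    """Lower-case, strip the trailing dot and decode punycode labels."""
    host = domain.strip().lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid punycode: keep as typed
    return host


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'examplecorp' from 'www.examplecorp.com'."""
    labels = _normalize(domain).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def foreign_scripts(label: str) -> set:
    """Names of non-Latin scripts used in the label, e.g. {'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            continue
        script = unicodedata.name(ch, "").split(" ")[0]
        if script and script != "LATIN":
            scripts.add(script)
    return scripts


def skeleton(label: str) -> str:
    """Fold confusable characters to their Latin look-alikes."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def damerau_levenshtein(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(candidate: str, brand_domain: str, max_distance: int = 1) -> dict:
    """Label a candidate domain relative to the brand's own domain."""
    host, brand_host = _normalize(candidate), _normalize(brand_domain)
    brand, label = registrable_label(brand_host), registrable_label(host)
    scripts, folded = foreign_scripts(label), skeleton(label)
    dist = damerau_levenshtein(folded, brand)
    if host == brand_host or host.endswith("." + brand_host):
        verdict = "legitimate"       # the brand's own domain or a subdomain of it
    elif scripts and dist <= max_distance:
        verdict = "homograph"        # non-Latin letters standing in for Latin ones
    elif dist == 0:
        verdict = "same-label"       # same name under a different TLD
    elif dist <= max_distance:
        verdict = "typosquat"        # one swap, drop, insert or substitution away
    elif brand in folded:
        verdict = "brand-in-label"   # e.g. examplecorp-login.com
    else:
        verdict = "unrelated"
    return {"candidate": candidate, "label": label, "folded": folded,
            "scripts": sorted(scripts), "distance": dist, "verdict": verdict}


# Constructed samples; the punycode form is derived at runtime from the Cyrillic one.
BRAND = "examplecorp.com"
PUNYCODE_SAMPLE = "\u0435xamplecorp.com".encode("idna").decode("ascii")
SAMPLES = ["mail.examplecorp.com", "exampelcorp.com", "\u0435xamplecorp.com",
           PUNYCODE_SAMPLE, "examplecorp.net", "examplecorp-login.com", "unrelated.org"]

if __name__ == "__main__":
    for c in SAMPLES:
        r = classify(c, BRAND)
        print(f"{r['verdict']:15} {c:32} scripts={r['scripts']} distance={r['distance']}")
```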


The Edge is Dark Reading’s home for features, threat data and in-depth perspectives on cybersecurity.

Article source: https://www.darkreading.com/edge/theedge/what-should-i-do-if-someone-is-impersonating-my-company-in-a-phishing-campaign/b/d-id/1337407?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Tupperware Hit By Card Skimmer Attack

Malicious code was found hidden inside graphics files on the storage container maker’s e-commerce website.

Tupperware famously locks in food’s freshness, but hackers could not be locked out of the company’s e-commerce site. The primary Tupperware site, along with several localized versions, was compromised by a digital credit card skimmer disguised inside an image file.

Researchers at Malwarebytes Labs discovered the malicious code when they noticed an anomaly in an iframe container. While the researchers say they don’t know what the infection vector was, the malicious campaign is ongoing and, at press time, still active.

The researchers note several details in the malicious code that indicate the attackers are less polished in their craft than other well-known criminal gangs.

“This does indeed sound like the work of a new cybergang that has not scaled operations yet,” Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, told Dark Reading. “The domain name they chose to register was not customized to blend into their target victim’s normal website operations, and based on DNS resolution telemetry, it does not seem to have reached any meaningful scale. Nonetheless, this may be the blueprint of future similar attacks on other websites.”


Dark Reading’s Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article.

Article source: https://www.darkreading.com/attacks-breaches/tupperware-hit-by-card-skimmer-attack/d/d-id/1337409?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Battling the global COVID-19 scammers and fake news hawkers

Thousands of COVID-19 scam and malware sites are being pumped out on a daily basis: people going online to put up coronavirus scam sites or to sell counterfeit surgical masks; fake self-testing kits for HIV and glucose monitoring; and/or bogus antiviral meds, chloroquine (that’s fish-tank cleaner to me and you, and regardless of what you might have heard, please don’t take it – at least one man has already died), Vitamin C or other food supplements.

Law enforcement around the globe is fighting the good fight to limit how many people’s brains these burrs hook their barbs into.

Crack-down

On Friday, the pandemic-afflicted state of New York, governed by COVID-19 savvy lawmakers, let it be known to domain registrars that it’s high time they cracked down on this health-threatening trend.

The office of New York Attorney General Letitia James sent letters – here’s one sent to GoDaddy – to six of the internet’s largest domain name registrars, asking them how they plan to protect New Yorkers and others across the country from these scams by making it tougher to register a domain that’s likely to be selling snake oil, inflicting malware or setting up whatever other trap the crooks have been rushing to put into place.

The letter was penned by the AG Office’s Kim A. Berger, Chief of the Bureau of Internet and Technology.

New York has already taken action to shut these guys down, Berger noted. For example, earlier this month, the AG ordered conspiracy theorist Alex Jones to stop peddling fake coronavirus cures.

Berger’s question, also put to Dynadot, Name.com, Namecheap, and others: So what are you doing to stop these scammers?

Berger wants to talk to the registrars about taking these steps to stop bad actors:

  1. The use of automated and human review of domain name registration and traffic patterns to identify fraud.
  2. Human review of complaints from the public and law enforcement about fraudulent or illegal use of coronavirus domains, including creating special channels for such complaints.
  3. Revising terms of service to reserve aggressive enforcement for the illegal use of coronavirus domains.
  4. De-registration of the domains cited in the articles identified above that were registered [with a given registrar], and any holds in place on registering new domains related to coronavirus, or similar blockers that prevent rapid registration of coronavirus-related domains.

ZDNet reached out to six registrars. Namecheap’s CEO, Richard Kirkendall, said in an email that his company has been working with authorities to “proactively prevent, and take down any fraudulent or abusive domains or websites related to COVID19 or the Coronavirus.”

For example, Namecheap is banning scammy terms from its available domain name search tool, to prevent them from being registered. It’s also blocking customers from registering coronavirus scammy-looking domains.

It shouldn’t come as a surprise that Namecheap has been on the forefront of tackling this problem, given that it has the dubious honor of having hosted the first COVID-19 scam site that the US Department of Justice cracked down on.

Europol on Saturday announced that a global operation to target trafficking in counterfeit medicines – named Operation Pangea – has resulted in the seizure of nearly 34,000 counterfeit surgical masks.

Involving 90 countries worldwide, the operation took place between 3 and 10 March and led to the seizure of €13 million (USD $14m, £11.9m) worth of potentially dangerous drugs. Law enforcement officers also coordinated by Interpol took down about 2,500 links to websites, social media, online marketplaces, and ads. Police also arrested 121 COVID-19 scam suspects and took down 37 organized crime groups.

Europol says that the operation, which is ongoing, revealed a “worrying increase” in unauthorized antiviral medications and the antimalarial chloroquine.

Back in February, the World Health Organization (WHO) dubbed the ongoing flood of misinformation and scams an “infodemic.” From its 2 February situation report:

The 2019-nCoV outbreak and response has been accompanied by a massive ‘infodemic’ – an over-abundance of information, some accurate and some not – that makes it hard for people to find trustworthy sources and reliable guidance when they need it.

WHO has been working hard to bust myths. To find out what’s real and what’s garbage, tune in to its channels on Weibo, Twitter, Facebook, Instagram, LinkedIn and Pinterest, and to its website.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ZG2FjgbWDzs/

Hackers target WHO in phishing attack

A cyberattack that targeted the World Health Organization (WHO) is probably just the tip of the iceberg according to experts reacting to the news this week.

Reuters first broke the news that a hacking group had targeted WHO, which is the UN agency responsible for international public health. It has played a central role in the monitoring and mitigation of the COVID-19 pandemic in recent weeks.

WHO reportedly noticed the hacking attempt in mid-March. It involved an email front end hosted on a phishing domain that tried to lure the agency’s employees into handing over their login credentials.

According to Reuters sources, the attack likely came from Darkhotel, a group that according to MITRE has been active since at least 2004. The group, believed to be based in Southeast Asia, got its name by targeting high-value individuals as they travelled around the world by tracking their hotel bookings via compromised hotel web apps.

Experts aren’t surprised that nation-state actors would target WHO. Lance Spitzner, a certified instructor at cybersecurity training company SANS, tried to put the incident in perspective, telling us:

When you read about it, all the bad guy did was set up a phishing website that emulated the World Health Organization’s internal mail server to harvest logins and passwords.

Phishing attacks like this happen early on in the cyber kill chain, and the attackers reportedly failed. However, that doesn’t mean others won’t be more successful, warned Spitzner, who cited WHO as an important target because of the COVID-19 crisis. He said:

Every nation-state out there is going to want to know the latest and greatest on the coronavirus for political reasons, maybe military reasons or economic reasons. So I would be absolutely shocked if there were not about five nation states that are already in its network.

This isn’t the first health organisation that has suffered attacks during the health crisis. Mid-March also saw a DDoS attack on the US Department of Health and Human Services, along with a social media campaign spreading fake news about the health issue.

According to WHO officials talking to Reuters, the number of attempted cyberattacks against the agency has more than doubled recently. Phishing attacks have also targeted the public to distribute viruses and gather passwords. Earlier this month, the agency issued an advisory warning that criminals would try to impersonate it.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/KDfhrh62Bd8/

Your unused computer could help find a COVID-19 cure

Folding@Home, a distributed computing project that’s using its might to battle COVID-19, is now twice as fast as Summit, the world’s fastest supercomputer. In fact, it now has more brawn than the world’s top seven supercomputers – combined.

Folding@home’s director, Dr. Greg Bowman, told Twitter on Friday that the project’s now working with about 470 petaFLOPS in its quest to help scientists better understand how the virus’s proteins fold and bind and to hence be able to find a way to block them from attaching to human cells:

Earlier this month, Oak Ridge National Laboratory (ORNL) announced that IBM’s Summit had joined the coronavirus fight and that it had already found 77 promising small-molecule drug compounds that can be tested for experimental use.

A distributed computing project like Folding@Home works by borrowing PC-owning donors’ idle CPU and GPU cycles. Since February, the community has been working on the computationally heavy work of figuring out how the virus’s proteins bind to cells.

It’s all about blocking those spikes on the outer surface of the virus.

Infection in both COVID-19 (2019-nCoV) and its close cousin, the SARS coronavirus (SARS-CoV), first happens in the lungs when a protein on the surface of the virus binds to a receptor protein on a lung cell.

You’ve seen those little spikes in depictions of the coronavirus: they’re the red prongs that surround the virus, looking like a corona and hence giving the disease its name. They’re called the spike protein, or ACE2. One way to stop the infection is to block the spike protein from binding to the receptor cell. One such therapeutic antibody has already been developed for SARS-CoV, but in order to develop something similar for COVID-19, scientists need to better understand the structure of the virus’s spike protein and how it binds to the human ACE2 receptor to gain viral entry into human cells.

In late February, when the outbreak was picking up steam, the Folding@Home project asked for volunteers to donate their computers’ unused computational power to help accelerate the open science effort to develop new life-saving therapies, as part of an open science collaboration of multiple laboratories around the world.

Folding@Home says there’s been a roughly 1,200% increase in contributors, with 400,000 new members signing up in the past two weeks.

Got a spare computer collecting dust somewhere? It might well be time to dust that soldier off and commission it in the battle. Folding@Home is still looking for help and horsepower, and you can find out how to contribute here.

A disclaimer: this project has, understandably, been swamped by eager participants. Please do bear with them: they’re doing the best they can, the project said, but there might be a bit of downtime as they set up simulations:

These calculations are enormous and every little bit helps! Each simulation you run is like buying a lottery ticket. The more tickets we buy, the better our chances of hitting the jackpot.

Usually, your computer will never be idle, but we’ve had such an enthusiastic response to our COVID-19 work that you will see some intermittent downtime as we sprint to setup more simulations. Please be patient with us! There is a lot of valuable science to be done, and we’re getting it running as quickly as we can.

May you tread a carpet of four-leaf clovers in this lottery, Folding@Home.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/vLOwRxBupMc/

Windows has a zero-day that won’t be patched for weeks

Cybercriminals are exploiting two unpatched zero-day flaws affecting all supported versions of Windows, Microsoft has warned.

The Remote Code Execution (RCE) vulnerabilities affect Adobe Type Manager (ATM) Library, the part of Windows that manages PostScript Type 1 fonts.

For now, there are no CVE identifiers and the only confirmed details are in Microsoft’s warning:

Microsoft is aware of limited targeted attacks that could leverage un-patched vulnerabilities in the Adobe Type Manager Library and is providing the following guidance to help reduce customer risk until the security update is released.

Attackers could exploit the flaw by persuading users to open a malicious document. Importantly, however, the same danger would arise even if users viewed that document using the Windows Explorer file manager preview pane.

The latter is significant because, for now, there’s no software fix, which could be as far away as the next Patch Tuesday update, scheduled for 14 April 2020:

Microsoft is aware of this vulnerability and working on a fix. Updates that address security vulnerabilities in Microsoft software are typically released on Update Tuesday, the second Tuesday of each month.

Until then, the only countermeasure is to use one of the recommended workarounds, which involves disabling Explorer’s preview and details pane.

This can be achieved as follows:

  1. Open Windows Explorer, click Organize, and then click Layout.
  2. Clear both the Details pane and Preview pane menu options.
  3. Click Organize, and then click Folder and search options.
  4. Click the View tab.
  5. Under Advanced settings, check the Always show icons, never thumbnails box.
  6. Close all open instances of Windows Explorer for the change to take effect.

Disabling the WebClient service should also block the most likely attack route, Microsoft said:

  1. Click Start, click Run (or press the Windows Key and R on the keyboard), type Services.msc and then click OK.
  2. Right-click WebClient service and select Properties.
  3. Change the Startup type to Automatic. If the service is not running, click Start.
  4. Click OK and exit the management application.

Renaming atmfd.dll was another mitigation for versions of Windows before Windows 10 1709, with instructions on how to do this for different older versions covered in the advisory.

This workaround might affect OpenType fonts, which, although not part of Windows, are used by some third-party applications.

The affected versions of Windows include 32-bit and 64-bit versions of Windows 10 (1607, 1709, 1803, 1809, 1903, 1909), Windows 8.1, Windows 7, and Windows Server 2008, 2012, 2016 and 2019, including Server Core installations.

Importantly, Windows 7 users whose installations lack an Extended Security Updates (ESU) agreement won’t receive patches for these flaws (Windows 7 reached end of life on 14 January 2020).

Why is Microsoft patching Adobe Type Manager?

The short answer is because this vulnerability has nothing to do with Adobe – despite its name, ATM has long been part of Windows itself, and is maintained by Microsoft under a license agreement that presumably requires it to name-check Adobe.

This is the third time in a matter of weeks Microsoft has faced having to patch a Windows zero day after running into some timing problems over patching.

February’s Patch Tuesday saw a fix for an Internet Explorer flaw (CVE-2020-0674), a zero-day which had been exploited in “limited attacks” dating back to January.

And earlier this month, Microsoft scrambled to patch the ‘SMBGhost’ vulnerability (CVE-2020-0796), news of which leaked accidentally into the public domain.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/L2vSutIYO6Q/

Brit housing association blabs 3,500 folks’ sexual orientation, ethnicity in email blunder

Updated: A UK housing association blurted 3,500 people’s sensitive personal data as part of a bungled “please update your contact details” email exercise, The Register has been told.

Watford Community Housing (WCH) sent the email on the night of 23 March to people it thought were its tenants. The email included a spreadsheet with 3,544 rows that included people’s names, addresses, dates of birth, religion, sexual orientation, ethnic origin and disability status.

Reg reader Alain Williams, who received the data at about 6pm that day, told us that while he wasn’t a WCH tenant himself and was initially confused about why he was on the mailing list at all, he does volunteer with a local group supported by WCH.

In emails seen by The Register, the trust realised its mistake and sent a second email out at 10pm on 23 March apologising and urging recipients to “please delete the email”.

A statement on the association website said:

We are aware that an email was sent out which contained personal information about some of our customers. We will now be urgently contacting those affected in order to ensure that they are protected as far as possible and we are taking advice about what other steps we may need to take in this situation, including engagement with the Information Commissioner’s Office.

We have contacted WCH to ask how this happened and what measures they’re taking to fix the harm caused. We’ll update this article if it responds.

It is not known whether any of WCH’s tenants are subject to witness protection orders in court proceedings or are fleeing abusive domestic partners.

Our reader Alain, a Watford resident, said he’d alerted his local councillor about the data blab last night and was told that Watford’s mayor had been having words with the housing association’s chief exec about the breach.

Legally speaking, disclosing sensitive personal data to third parties without permission or legal justification is a breach of the Data Protection Act 2018 and is punishable by a fine. It appears that WCH has recognised this and is speaking to the ICO, which is the standard thing that data controllers are supposed to do under these circumstances.

While the data disclosure is obviously a very bad thing, so far WCH’s initial response appears to be proceeding along the right lines.

WCH is far from the only organisation to fall victim to such blunders. A couple of years ago West Ham FC emailed every single one of its away season ticket holders in a CC-not-BCC snafu, while no less than the government’s official inquiry into child sexual abuse was fined £200,000 after the ICO ruled that it had emailed 90 people with each other’s details in error – revealing the identities of potential victims of child sexual abuse.

Further afield, extremist terrorist organisation the Afghan Taliban managed to endanger journalists and NGO workers’ lives back in 2012 when one of their spokesmen committed the old CC-not-BCC blunder. ®

Updated at 13:32 on 25 March 2020 to add:

Tina Barnard, chief executive of Watford Community Housing, got in touch to say:

“We apologise unreservedly for this breach and share our customers’ concerns. We take our responsibilities with customer information extremely seriously and this was the result of human error.

“In line with our commitment to being transparent, we have moved quickly to inform the ICO and we will work closely with the Information Commissioner as required. We will also carry out a full review of our processes to ensure this could not happen again.

“We are taking a variety of steps to assess the potential impact on those affected by the breach, including identifying any safeguarding concerns, and we are contacting our customers to provide information, guidance and support. Anyone with concerns should email [email protected] and we will contact them.”


Article source: https://go.theregister.co.uk/feed/www.theregister.co.uk/2020/03/25/watford_community_housing_data_breach/

COVID-19: Getting Ready for the Next Business Continuity Challenge

What comes after you’ve empowered your remote workforce in the wake of the coronavirus pandemic? Dealing with a large portion of that workforce getting sick at the same time.

Business continuity planning (or resiliency) consists of preparing for how to operate if we lose our technology, facilities, or people. During the COVID-19 pandemic, so far, we are mostly dealing with losing our facility and having to have employees work remotely. What could come next? How do we prepare to deal with a large portion of our workforce getting sick at the same time and requiring isolation?

Generally, the solution for the loss of personnel is cross-training and documentation, but many companies function on tribal knowledge and relationships. This can work fine when everything is normal, but when we start to lose key resources (those human routers that know how to connect to critical institutional knowledge), we need documented processes to reference.

Once you identify the folks who are the only ones who know how to keep a key technology or process running, you need to determine whether you can get someone cross-trained and then use that training to document the function. If cross-training will not work, then the individual will have to automate or document everything needed to ensure continuity of operations. I have found this to be one of the hardest challenges, but given the current pandemic I would say now is the time to pull your critical people and technology resources off day-to-day operations to do it, before you are forced to write a crisis management plan instead.

Support phone trees for key functions are vital. It is important to know who the experts are for different key functions. This could include third parties and vendors. While I reference the classic fallback system of phones, today we can also use technology to minimize the impact to an isolated team. To do so, you will need to ensure application access, video teleconferencing capabilities, and collaboration tools with capabilities such as chat or document sharing. However, remember that collaboration tools are only useful if folks know whom to reach out to for support and information.

Map Out Staffing Depth for SLAs
Next, you need to determine your regulatory and contractual service-level agreements (SLAs) and map out the staffing depth you have in order to support them. For areas where you have risk, you need to determine what the criteria are for action. Ask yourself: If we lose 10%, can we still meet our SLAs? What if we lose 50%? What are the impacts, and do we have a plan for acceptable recovery? I will note there are formulas for business impact analysis (BIA) and recovery time objective (RTO) that can be leveraged here. Depending on the ability of the team to support cross-functional capabilities, you may want to develop a prioritized list of functions you will maintain.
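As an added worked example (not from the original article, and built on constructed staff, function and SLA data), the following Python turns the questions above, and the earlier advice to find the people who are the only ones who can run a key function, into a check that can be rerun each time the roster changes. It lists the functions only one person can run, reports how many absences each function can absorb before it drops below its SLA minimum, and searches every possible set of absentees at a given percentage so that the answer is the worst case, not an average. The names, functions and minimums are assumptions for the illustration.

```python
import itertools
import math

# Constructed inventory: which staff can run which key function.
# Names, functions and SLA minimums are assumed for the illustration.
STAFF = {
    "payroll": ["ana", "ben"],
    "backup_restore": ["cara"],
    "payment_gateway": ["ana", "dev", "eli"],
    "customer_support": ["ben", "cara", "dev", "eli", "fay"],
}

# Minimum number of qualified people each function needs to hold its SLA.
MINIMUM = {
    "payroll": 1,
    "backup_restore": 1,
    "payment_gateway": 2,
    "customer_support": 3,
}


def single_points_of_failure(staff):
    """Functions one person (or nobody) can run: cross-train or document first."""
    return sorted(f for f, people in staff.items() if len(people) <= 1)


def staffing_slack(staff, minimum):
    """Absences each function can absorb before it drops below its SLA minimum."""
    return {f: len(people) - minimum[f] for f, people in staff.items()}


def failing_functions(staff, minimum, absent):
    """Functions below their SLA minimum with everyone in `absent` out, and headcount left."""
    absent = set(absent)
    result = {}
    for f, people in staff.items():
        remaining = [p for p in people if p not in absent]
        if len(remaining) < minimum[f]:
            result[f] = len(remaining)
    return result


def worst_case(staff, minimum, fraction):
    """Worst outcome of losing `fraction` of the workforce at once.

    Tries every combination of absentees of that size, so the answer is the
    adversarial case (the wrong people out together), not an average.
    Returns (absentee count, the worst absentee set, failing functions).
    """
    everyone = sorted({p for people in staff.values() for p in people})
    k = math.ceil(fraction * len(everyone))
    worst_absent, worst_failing = (), {}
    for absent in itertools.combinations(everyone, k):
        failing = failing_functions(staff, minimum, absent)
        if len(failing) > len(worst_failing):
            worst_absent, worst_failing = absent, failing
    return k, worst_absent, worst_failing


if __name__ == "__main__":
    print("single points of failure:", single_points_of_failure(STAFF))
    print("slack per function:", staffing_slack(STAFF, MINIMUM))
    for fraction in (0.10, 0.50):
        k, absent, failing = worst_case(STAFF, MINIMUM, fraction)
        print(f"lose {fraction:.0%} ({k} people): worst case {absent} -> {failing}")
```

The exhaustive search is fine for a team of a few dozen; for a larger organisation, run it per department or only over the people who appear in the function inventory, which is what the sample already does. The useful output is not the percentage itself but which combination of absences breaks which SLA, because that is the list of people to cross-train against each other first.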

Another option to consider is determining which of your vendors offer service support and making sure you have agreements in place to use them if needed. Having staffing augmentation available is a key lever to be able to pull if needed to keep systems running. 

Along the same lines, if you have not checked in with your suppliers and asked for their business continuity plans, the time to do so is now! You need to understand how mature their capabilities are and be ready to develop options if they fail.

If you don’t currently have anyone certified in business continuity, it’s a good time to get some of the team trained. Generally, the training covers both business continuity and disaster recovery. A pandemic doesn’t really require disaster recovery, which focuses on returning the core technology or facility to operational capacity. If you follow the ISO 27000 series for security, there is an ISO 22301 certified business continuity manager (CBCM) course that would complement it. If you want more general certifications, there are a number of them run by different training organizations.

The bottom line is that while we are dealing with the challenge of remote workers, now is the time to conduct some exercises on how to fight through the loss of staff. 


Steve Winterfeld is the Advisory CISO at Akamai. Steve is focused on being the voice of the customer for Akamai’s security vision and helping CISOs solve their most pressing issues. He brings experience with Zero Trust Security Architectures, and integrating multiple tools …

Article source: https://www.darkreading.com/risk/covid-19-getting-ready-for-the-next-business-continuity-challenge/a/d-id/1337340?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple