Category: Managing Threats & Attacks

1
Trending: Security as a service
2
A Different Immune System: TGA provides Insight into Cyber Security for Medical Devices
3
Who have you been giving your name and number to? A cautionary tale
4
The battle against phishing
5
Major privacy and security breaches confirmed this week: Westpac, the ANU and Princess Polly targeted
6
Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia
7
Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents
8
Scammers are becoming more tech-savvy according to the ACCC’s Targeting Scams report
9
REPORT FINDS MORE THAN HALF OF RANSOMWARE VICTIMS WOULD PAY THE RANSOM
10
Ratings agency starting to factor in Cyber risk profile

Trending: Security as a service

By Cameron Abbott and Karla Hodgson

Remember the time when you first heard about cloud computing and it took you a few moments of quiet contemplation before you wrapped your head around the concept of computing being situated “up there”?  Of course today we aren’t surprised to learn that over 80% of enterprise workloads will be in the cloud by next year and that a new wave of cloud-based security as a service (SECaaS) solutions are rolling in to address the forecasted USD $5.2 trillion per year in cybercrime damage that is expected to impact within the next 5 years.

Based on the software as a service (SaaS) model, SECaaS is a cloud-based managed security service that removes the need for businesses to buy and continually upgrade on-premises hardware and software and keep staff upskilled in the ever-shifting world of cybersecurity risk and protection.

Read More

A Different Immune System: TGA provides Insight into Cyber Security for Medical Devices

By Cameron Abbott, Michelle Aggromito and Max Evans

The Australian Therapeutic Goods Administration (TGA) has published its guidance framework dealing with medical device cyber security for manufacturers and sponsors of medical devices, as well as for consumers, health professionals and other users. This is driven by a number of challenges that regulators face to protect users against cyber security risks, including the alteration of device function, loss to privacy and the alteration of personal health data.

The crux of the framework is based on the TGA view that knowledge is power, in that patients using connected medical devices should be informed about the potential cyber security risks those devices have, and take proactive measures to protect their devices and networks.

Read More

Who have you been giving your name and number to? A cautionary tale

By Cameron Abbott and Allison Wallace

Have you inadvertently given the owners of global, searchable databases of phone numbers and associated names access to your entire contact list?

We suspect that you cannot confidently answer “no”.

In yet another tale of why you should read the terms of use and service of apps and other online products you download or sign-up to use, we’ve recently been exposed to the shock of having your name appear on a complete stranger’s phone, after they’re given your number (but not your name) to call you. We asked the question of how this could happen – and found the answer to be quite alarming.

The Samsung Smart Call function, which is powered by Hiya, boasts that it allows you to “deal with spam the easy way”, by letting you know who is calling you, even if their number is not saved in your contact list. In theory, this is a handy tool, and in the context of robocalls or other unsolicited marketing calls, doesn’t create any privacy issues. But when the database which powers the function contains the names and numbers of (we suspect) millions of private citizens, this becomes quite concerning.

So, how do private numbers (and the names of their associated users) come to be listed in databases such as Hiya? Well, for one, anyone who downloads the Hiya app is given the option to share their contacts. If they do, and your number is saved to their phone, your details will become part of the database. We have no doubt that many who download and use the Hiya app didn’t realise what they were signing up for (or what they were signing up their entire contact list for) – because they didn’t read the terms of use. This also begs the question – are companies like Hiya properly satisfying their privacy obligations merely by asking users to “opt in” to share their contacts?

Hiya is of course not the only “caller ID” app on the market – a quick search of the Apple App store reveals numerous other options for download – including Truecaller, Caller-ID, Sync.ME and CallHelp. In 2018, Hiya reached 50 million active users worldwide, while Truecaller’s website says it has over 130 million daily active users. Those figures of course would barely scrape the surface of the number of names and phone numbers held in their collective databases.

In case you’re wondering how much damage could really be done by a third party having access to your name and phone number – think about all of the things your number is linked to. Your Facebook, your Gmail, maybe even your bank account and credit cards. Information is power – and this is the kind of information that could easily allow hackers to wreak a reasonable amount of havoc. So before you sign-up to a new app, take the time to read the terms of service, because your use could not only be exposing your personal information, but that of your entire contact list.

The battle against phishing

By Cameron Abbott, Michelle Aggromito and Jacqueline Patishman

All over the world, organisations and individuals battle phishing. Even in systems with a high degree of security, phishing is still a risk and human failures to spot and deal with phishing can cause the best of security policies and procedures to become undone.

To fight phishing at the source, the UK’s National Cyber Security Centre (NCSC) recently achieved some success in this space through its use of email verification technology to fight phishing attacks. This technology, called ‘Synthetic DMARC’, works by assigning a DMARC record for all domains attempting to pass-off as gov.uk domains, by analysing and vetting non-existing subdomains against DNS records and building on authentication systems of the past.

Read More

Major privacy and security breaches confirmed this week: Westpac, the ANU and Princess Polly targeted

By Cameron Abbott, Allison Wallace and Rebecca Gill

It’s been a chilly start to winter for three Australian organisations, who’ve this week reported major privacy and security breaches.

Up to 100,000 Australians’ personal information has been exposed in a hack affecting Westpac Bank. Westpac confirmed on Monday that details of Australian bank customers (not just those of Westpac) were exposed in a cyberattack on real time payments platform PayID. The banking giant says it noted a high volume of PayID lookups in 2019 on a semi-daily basis, which was a result of attackers trying to guess phone numbers, which, if guessed correctly, would give them the name of the account holder to which the number is linked. Despite the hack, Westpac says that no customer bank account details were compromised as a result of this cyberattack. Nevertheless, experts warn that the details accessed could still be used to commit fraud.

Read More

Privacy Awareness Week (Online Privacy): credential stuffing attacks are on the rise in Australia

By Cameron Abbott, Michelle Aggromito and Rebecca Gill

Today’s topic for Privacy Awareness Week is “online privacy”. It is no surprise that online privacy is a key topic of concern for businesses and consumers alike, given recent high-profile privacy breaches. Of particular significance is the issue of credential stuffing, as Australia is now the fifth highest target for credential stuffing attacks according to Akamai’s Credential Stuffing: Attacks and Economies report of April 2019 (Report).

Credential stuffing is a form of cyberattack where account credentials, usually usernames or email addresses and corresponding passwords, are stolen, typically from a previous security breach. The account credential combinations are then used to try and gain access to accounts at other sites via an automated and large-scale web application directed to multiple logins. It relies on individuals using the same password across multiple sites. K&L Gates has previously blogged on a high-profile credential stuffing attack that can be found here.

Read More

Privacy Awareness Week (Data Breaches): Study finds majority of Australian businesses are ill-equipped to handle cybersecurity incidents

By Cameron Abbott, Rob Pulham and Rebecca Gill

It’s Privacy Awareness Week and today’s topic is “data breaches”. With data breaches and responding to cyber attacks becoming an inevitable part of doing business, it’s a timely reminder about the importance of adequately resourcing your IT security areas, and of having comprehensive and well-tested data breach response plans in place, as illustrated by the Fourth Annual Study on The Cyber Resilient Organization (Study), conducted by the Ponemon Institute on behalf of IBM Resilient.

The Study surveyed 3,655 IT and IT security practitioners in 11 countries and regions, including Australia. The results of the Study indicate that a majority of Australian businesses are vulnerable to cyber-attacks due to a lack of skilled personnel and incident response plans.

Read More

Scammers are becoming more tech-savvy according to the ACCC’s Targeting Scams report

By Cameron Abbott and Rebecca Gill

Australian businesses and consumers were duped into paying scammers with nearly half a billion dollars in 2018 according to the ACCC’s Targeting Scams: Report of the ACCC on scam activity 2018 (Report). The Report also highlights the use of sophisticated technology by scammers.

According to the Report, the most financially harmful scam affecting Australian businesses was the ‘business email compromise’ (BEC) scam. This involved a scammer gaining access to a business’s entire email or IT system. The scammer would then impersonate the business and send emails to suppliers and customers of the business, advising changes to payment details.

Read More

REPORT FINDS MORE THAN HALF OF RANSOMWARE VICTIMS WOULD PAY THE RANSOM

By Cameron Abbott, Rob Pulham and Rebecca Gill

Telstra’s 2019 Security Report has found that majority of the respondents who have been victims of ransomware attacks have paid the attackers to unlock files. Many of these respondents successfully retrieved their data after paying the ransom.

Of the 320 Australian respondents, 51 per cent said that they had paid ransomware attackers to regain access to encrypted files. Further, the Report found that 77 per cent of Australian businesses that had paid a ransom were able to retrieve their data after making the payment. Whilst this was the lowest rate of data retrieval post-payment out of the 13 countries in the survey, 79 per cent of the Australian respondents still said that they would pay the ransom again if they had no back-up files available.

Read More

Ratings agency starting to factor in Cyber risk profile

By Cameron Abbott and Wendy Mansell

A recent report released by Moody’s Investors Services has shed some light on which business sectors are most at risk for cyberattacks.

After assessing 35 broad sectors it was concluded that banks, hospitals, security firms and market infrastructure providers face the highest risk. This was based on levels of vulnerability and the potential impact an attack would have.

The key determinative factor for these sectors is that they all rely strongly on technology and the vital role of confidential information in their operations.

The financial repercussions following a cyberattack in each of these sectors is extremely significant when considering the costs of insurance, penalties, consumer impact, potential litigation costs, R&D and technological impact to name a few.

The financial market is so high risk because of the financial and commercial data it holds and ever increasing fact that its services are being offered digitally, across multiple platforms i.e banking mobile/smart watch apps.

On a similar note because medical records are primarily collected and held in electronic form hospitals are very attractive to hackers given the sensitive nature of the data.

While the industries should not be a shock to the reader, it is important for participants in those industries and for suppliers to those participants to realise the risk profile that attaches to them and have procedures in place reflective of those risk levels.  How one manages these risks in now likely to have indirect cost implications when you see ratings agencies like Moody’s assessing these sorts of areas. 

Copyright © 2019, K&L Gates LLP. All Rights Reserved.