Managing Threats & Attacks – Page 17

Boards Push Insurers to Quantify Cyber Risks

Nov 02 2016

By Cameron Abbott and Rebecca Murray

US risk management firm Advisen recently held the Cyber Risk Insights Conference where insurers, brokers, corporate risk managers and CSOs came together to discuss the importance of company CFOs quantifying cybersecurity risks. Panelists included the risk managers of Merck and Time, who both classified cybersecurity risk exposure as a top danger faced by corporations. Time’s risk management department, for example, is working to quantify the company’s exposure to cyber attacks so that it can transfer some of the risks to insurers. However, Time’s director of risk management says culling all cyber-risk-management information together in a meaningfully predictive way is a challenging task.

Furthermore, gaining assistance from insurers about how to quantitatively define cybersecurity risk is also problematic as the insurance industry is only getting started on truly understanding how to forecast cyber losses. Cyber security practice leader for insurance broker Lockton Cos, Ben Beeson has revealed that insurers have only really become aware of the vast extent of loss that can eventuate when handling personal data this year. Keeping up with incredibly evolving and dynamic cybersecurity threats is sure to be an immense challenge for insurers. Read more here.

Data breach penalties could cost U.K. companies £122B in 2018

Oct 18 2016

By Cameron Abbott and Rebecca Murray

U.K. businesses could face up to £122 billion in penalties for data breaches when EU legislation comes into effect in 2018, according the Payment Card Industry Security Standards Council (PCI SSC). The EU’s General Data Protection Regulation (GDPR) will introduce fines for groups of companies of to €20 million or 4% of annual worldwide turnover, significantly higher than the current maximum of £500,000. This means that if data breaches remain at 2015 levels, the fines paid to the European regulator could see a near 90-fold increase, from £1.4 billion in 2015 to £122 billion, the PCI SSC calculated. For large U.K. organisations, this could see regulatory fines for data breaches soar to £70 billion, more than a 130-fold increase, rising to an average of £11 million per organisation. Regulatory fines for SMEs could see a 57-fold increase, rising to £52 billion, averaging £13,000 per SME. Read more at ComputerWeekly.com by clicking here.

Threat from hackers against Internet of Things grows

Oct 17 2016

By Cameron Abbott and Rebecca Murray

New research by Akamai Technologies has revealed that cyber criminals have cracked into as many as two million Internet-of-Things (IoT) devices at homes and businesses. IoT devices are products that connect to the internet, which now include refrigerators, sound systems, televisions and home security systems. In the report, researchers state that “Once malicious users access the web administration console of these device they can then compromise the device’s data and in some cases, take over the machine.” This report sheds much needed light on one of the most under-focused on areas of cyber security. Read the report here.

Australian organisations hit by thousands of significant cyber incidents

Oct 17 2016

By Cameron Abbott and Rebecca Murray

The Australian Cyber Security Centre’s (ACSC) 2016 Threat Report has revealed that Australian businesses and government have been subject to more than 15,000 significant incidents that they know of. Read the report here. They were the first to admit that given reporting is optional they cannot really determine the full impact.

Due to the current reporting regime, the ACSC has had to rely on data from callouts to CERT Australia (the national first responder to cyber incidents) to assess the extent of the problem in the private sector. CERT Australia responded to 14,804 incidents from the private sector from June 2015 to June 2016. Of those callouts, 418 involved systems of national interest and critical infrastructure. The banking, finance, energy and communications sectors were the most heavily targeted.

While the Government has introduced a bill to mandate serious data breach notification that is set to be passed in the near future (find out more about the bill here), until then, we will continue to go mostly unaware of damaging malicious cyber activity launched against Australian organisations because the private sector largely refuses report these incidents.

UK telecoms company handed record fine for data breach

Oct 10 2016

By Cameron Abbott and Rebecca Murray

Major UK telecoms company, TalkTalk has been fined £400,000 for failing to adequately safeguard personal data when they were hacked in October 2015. The Information Commissioner’s Office’s (ICO) investigation revealed that hackers obtained the details of 156,959 customers, including names, addresses, birthdates, phone numbers and email addresses. In over 15,000 cases, hackers even gained access to bank account details and sort codes. The cyber-attack triggered the launch of a committee inquiry into protection of personal data online. You can read the inquiry report here.

After in depth investigation, the ICO found that TalkTalk’s failure to implement even the most basic cyber security measures allowed hackers to easily penetrate its systems causing substantial damage and distress to its customers. See how the investigation unfolded here and read the ICO’s penalty notice here. The ICO identified TalkTalk’s principal errors as failing to actively monitor its own activities and allowing vulnerabilities to go unnoticed, failing to update its database to protect from bugs, failing to respond to two previous attacks on the same webpages and failing to fix a bug in the software for which a fix was readily available.

It would seem regulators are losing patience with organizations that don’t take their security obligations seriously.

Volkswagen, Israeli experts to establish automotive cybersecurity company

Sep 16 2016

By Cameron Abbott and Rebecca Murray

The increasing connectivity of modern cars has enhanced the modern driving experience beyond what we could imagine only a few decades ago. However, with increasing connectivity comes an increasing risk. Features such as autonomous and intelligent parking and driving systems have increased the number of interfaces in vehicles and therefore the risk of malicious attack. To demonstrate how easily vehicles can be targeted, last year, two hackers developed a tool that can hijack a Jeep remotely over the internet. You can watch the remote hacking of the Jeep featured by WIRED here.

In response to this growing threat, Volkswagen along with three Israeli experts and their team are jointly establishing an automotive cyber security company. The newly founded CYMOTIVE Technologies will develop advanced cyber security for next generation connected cars. CYMOTIVE has announced that it aims to take an innovative and strategic approach to the significant technological challenges that will face the connected car and the development of the autonomous car in the future.

Bitcoin operators exposed to cyber threats

Sep 01 2016

By Cameron Abbott and Rebecca Murray

Reuters has reported that a third of bitcoin trading platforms have been hacked, and nearly half have closed since they entered the scene 6 years ago. This increasing risk for bitcoin holders is compounded by the fact there is no depositor’s insurance to absorb the loss. That approach heightens cybersecurity risks and also exposes the fact that bitcoin investors have little choice but to do business with under-capitalized exchanges.

This issue was evident when Bitfinex was hacked earlier this month and an estimated $70 million in bitcoin was stolen. The virtual bank’s customers were forced to share the losses resulting in a generalized loss percentage of 36.067%. Read our blog post on this hacking here.

Experts say trading venues acting like banks such as Bitfinex will remain vulnerable. These exchanges act as custodial wallets in which they control users’ digital currencies like banks control customer deposits. However, unlike their brick-and-mortar counterparts, when customers’ bitcoin accounts are hacked, there is currently no third party that can step in to deal with the theft. As a result, these underfunded exchanges require nearly perfect security.

Given this it is not surprising that certain governments around the world are exploring the possibility of central bank issued digital currencies using distributed ledger technology which could compete with the private digital currency systems such as bitcoin. Read more on this here.

Ashley Madison data breach joint findings released

Sep 01 2016

By Cameron Abbott and Rebecca Murray

The Australian Privacy Commissioner, Timothy Pilgrim and The Privacy Commissioner of Canada, Daniel Therrien have released a joint report on the data breach of cheating website Ashley Madison which affected approximately 36 million Ashley Madison user accounts last year. Read our post on the breach here.

Controversially, despite the company not having a physical presence in Australia, the Commissioners found that Ashley Madison’s parent company Avid Life Media (ALM) was regulated as an “APP entity” due to the fact that it carried on business and collected personal information in Australia. This finding was based on the fact that ALM conducted marketing in Australia, targeted Australian residents for its services and collected the personal information of Australians.

ALM agreed to a number of enforceable undertakings to the Commissioner. Amongst other things, ALM has undertaken to augment its security framework, provide extensive security training for staff and cease its practice of retaining the information of users with deleted, deactivated or inactive accounts. Consistent with the trend in undertakings it requires independent verification of certain compliance steps. Find the undertakings here.

It also seeks to address the accuracy of the records, which is a challenge for a cheating website. Letting someone sign up using for example Tony Blair’s email address captured the attention of the regulators. They focused on the interests under Privacy laws of those whose email addresses were falsely added to the sign up. A confirming email with an option to opt out was not considered an adequate measure.

Lawyers potential rich targets for hackers

Aug 30 2016

By Cameron Abbott and Rebecca Murray

As the threat of cybercrime and cyber espionage continues to grow globally, the Law Council of Australia has announced that it will launch a national cyber security information campaign for the legal profession this year. Read the Law Council’s media release here.

The Law Council has been working in partnership with the legal profession, cyber security experts, and government to formulate the information initiative since it nominated cyber security as a key priority at the beginning of the year. Launch of the campaign is expected by the end of 2016.

The president of the Law Council, Stuart Clark, says cyber security is a ‘major problem’ for law firms and the government has an important role to play in raising awareness and providing information about the technology involved. We say, we like teasing large global companies about their security failings … as long as it’s not ours!!

Oracle’s Point-of-Sale division targeted by professional hackers

Aug 17 2016

By Cameron Abbott and Rebecca Murray

Oracle confirmed last week that its security was breached by a Russian organized cybercrime group infamous for hacking retailers and banks. Alarmingly, Oracle’s MICROS point-of-sale credit card payment system was one of the systems targeted in the attack. While the impact of the breach is still being investigated, the attack could have had wide impact. MICROS is one of the top three point-of-sale vendors worldwide and sells point-of-sale systems used at more than 330,000 cash registers globally.

It has been reported that Oracle became aware of the breach after its staff discovered malicious code on the MICROS customer support portal and systems. It is thought that the hackers installed malware on the troubleshooting portal in order to capture customers’ credentials as they logged in. Usernames and passwords could then be used to access customer accounts and remotely control MICROS point-of-sales terminals.

The attack has been linked to crime gang, Carbanak Gang, which has been accused of stealing more than $1 Billion from banks and retailers in the past. These guys clearly know what they are doing.

Catagory:Managing Threats & Attacks