You can now find our blog at www.cqr.com/blog so please pop on over and keep up to date with Information Security News from around the globe.
Monday, 15 September 2014
Thursday, 28 August 2014
To click or not to click…
We recently assisted one of our clients during an information security incident. A server monitoring system had picked up unusual file access activity on one of their network file stores; on further investigation they discovered that a piece of malware was encrypting files on a user's network share.
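The kind of check that monitoring system would have been making, shown as an added example rather than anything from the client's tooling: a short Python detector over constructed file-server audit records (the log format, user names and paths are assumptions) that counts, per user, how many distinct files were written or renamed in the last sixty seconds and raises an alert when that count crosses a threshold. A person editing documents touches a handful of files a minute; ransomware touches hundreds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit-log format (not any vendor's): one record per line,
# "<ISO timestamp> <user> <action> <path>", as a file server's object-access
# auditing might be exported.
WINDOW = timedelta(seconds=60)
THRESHOLD = 50   # distinct files written or renamed per user per window; tune to the share


def build_sample_log():
    """Constructed records: 'ahall' saving a report every ten seconds (normal),
    and 'jsmith' rewriting and renaming one invoice per second (an encryption burst)."""
    start = datetime(2014, 8, 28, 9, 15, 0)
    lines = []
    for i in range(120):
        t = start + timedelta(seconds=i)
        if i % 10 == 0 and i < 60:
            lines.append(f"{t.isoformat()} ahall WRITE /finance/reports/q3_{i // 10}.docx")
        lines.append(f"{t.isoformat()} jsmith WRITE /finance/invoices/inv_{i:04d}.xlsx")
        lines.append(f"{t.isoformat()} jsmith RENAME /finance/invoices/inv_{i:04d}.xlsx.encrypted")
    return lines


def parse_line(line):
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window count of distinct files each user has written or renamed.
    Returns one (user, time, distinct_files) alert per user, raised the first
    time that user's count inside the window reaches the threshold."""
    recent = defaultdict(deque)     # user -> deque of (timestamp, path) still inside the window
    alerted = set()
    alerts = []
    for ts, user, action, path in map(parse_line, lines):
        if action not in ("WRITE", "RENAME"):
            continue
        q = recent[user]
        q.append((ts, path))
        while q and ts - q[0][0] > window:      # expire records older than the window
            q.popleft()
        distinct = len({p for _, p in q})
        if distinct >= threshold and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, distinct))
    return alerts


if __name__ == "__main__":
    for user, ts, n in detect_bursts(build_sample_log()):
        print(f"ALERT {ts.isoformat()} {user}: {n} distinct files touched within {WINDOW.seconds}s")
```

On the constructed log the alert fires twenty-five seconds into the burst, which is the point: the response that matters (dropping the share, disabling the account) has to be triggered in minutes, not at the next scheduled scan.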
By the time we arrived onsite they had already started to contain the outbreak: taking the infected network drives offline, identifying the user whose network drive was being encrypted, removing that user's PC from the network and disabling their network account.
They were in the process of rolling out new anti-malware definitions across the network at the time, so they immediately commenced a full network scan with the latest definition files, concentrating on the offline network shares.
Investigation of the user's machine indicated they had browsed to an external URL minutes before the unusual activity was logged.
The user had received an email purporting to come from a reputable postal service, saying the organisation had a parcel awaiting payment and delivery. Being a member of the accounts payable team, the user clicked the link, which opened a copy of the postal service's website. Unbeknown to the user, malicious files were downloaded in the background, initiating an infection with the Win32/Crowti ransomware family (also known as CryptoWall), which then began encrypting every file the user could write to.
The email itself was very well crafted, with good English and the postal service's corporate branding. Only on closer inspection, hovering over the unsubscribe link, did we notice that the link misspelt the word "unsubscribe" as "unsubscrube". Checking the email headers revealed the originating IP address, and a registration lookup confirmed that the domain was registered in Russia.
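The two checks described above, pulling the originating IP address out of the Received: headers and looking at where the links really point, can be scripted. This is an added example, not part of the original post; the message, addresses, hosts and IP addresses are constructed for illustration, and the "registrable domain" helper is a deliberate simplification (last two labels, no public suffix list).

```python
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not the incident's email): a parcel-payment lure that
# brands itself as example-postal.com but links elsewhere.  Header lines are
# folded with tabs the way a real MTA writes them.
SAMPLE_EMAIL = b"""\
Received: from relay.parcel-track.example.net (relay.parcel-track.example.net [203.0.113.10])
\tby mx.client.example (Postfix) with ESMTP id 4ABC123
\tfor <accounts@client.example>; Thu, 28 Aug 2014 09:12:01 +1000
Received: from sender-pc (unknown [198.51.100.77])
\tby relay.parcel-track.example.net with ESMTPA
\tfor <accounts@client.example>; Thu, 28 Aug 2014 09:11:55 +1000
From: Parcel Services <notifications@example-postal.com>
To: accounts@client.example
Subject: Parcel awaiting payment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A parcel addressed to your organisation is awaiting payment before delivery.</p>
<p><a href="http://example-postal.com.parcel-track.example.net/pay">Pay and arrange delivery</a></p>
<p><a href="http://example-postal.com/help">Help</a></p>
<p><a href="http://unsubscrube.example.net/u">unsubscribe</a></p>
</body></html>
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse(raw):
    """Parse a raw message with the modern policy, which unfolds header lines."""
    return email.message_from_bytes(raw, policy=policy.default)


def received_ips(msg):
    """IPs from the Received: trail, earliest hop first.  Each relay prepends
    its own Received: line, so the bottom-most header is the first hop."""
    ips = []
    for header in reversed(msg.get_all("Received", [])):
        found = IP_IN_BRACKETS.findall(str(header))
        if found:
            ips.append(found[0])
    return ips


def originating_ip(msg):
    ips = received_ips(msg)
    return ips[0] if ips else None


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'brand' domain: the last two labels.  Real tooling should use the
    public suffix list so that co.uk and friends are handled correctly."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def suspicious_links(msg):
    """Flag every link whose host is not under the domain the From: header
    claims to send from.  The lookalike host below begins with
    example-postal.com but is really under example.net."""
    sender_domain = msg["From"].addresses[0].domain
    collector = LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html",)).get_content())
    flagged = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable_domain(host) != registrable_domain(sender_domain):
            flagged.append((href, text, f"host {host} is not under {sender_domain}"))
    return flagged


if __name__ == "__main__":
    message = parse(SAMPLE_EMAIL)
    print("originating IP:", originating_ip(message))
    for href, text, reason in suspicious_links(message):
        print(f"SUSPICIOUS '{text}' -> {href} ({reason})")
```

Only the Received: lines added by your own mail servers can be trusted; everything below them was written by the sender's infrastructure and can be forged, so treat the originating IP as a lead rather than proof.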
While the incident was being triaged the client asked what they could have done to stop this kind of attack. We recommended blocking the IP address at their firewall and the domain on their SMTP relay, but once the criminals move to a different IP address or domain those blocks are useless; enabling the SmartScreen Filter on their browsers through Group Policy would give them an extra layer of protection against known malicious URLs.
In hindsight, all of these enterprise and perimeter security controls are valuable, but the user still clicked the link in the email, not maliciously but in the normal course of their duties. Users are the last line of defence... right?
Correct, they are the last line of defence, but far too often organisations treat users as just that, last in the line, with security awareness training as just another tick in the box to satisfy some form of compliance.
Organisations can have best-of-breed technical controls at the perimeter, but these are only as good as the speed at which the vendor releases signature or definition files and the IT department's diligence in deploying them. During this incident the infected PC and the affected network drives were disconnected from the network within ten minutes, and in that time approximately 50,000 files were encrypted.
The user, however, is the one constant that is always present, and the one the cyber-criminal is relying on to perform the action that gives them the way in they need.
Is annual security refresher training enough, when compared with how fast the threat landscape changes? In our view, no. Too many organisations treat it as a tick-box exercise. The cyber-criminal is relying on the end user; that is the mechanism that lets them avoid brute-forcing the front door, spending hundreds of hours reconnoitring a target company and then trying to push an exploit through it.
How many times have you done something you were told not to do? "Don't walk on the grass!" "Don't bite your nails!" Humans have individuality and curiosity; these are some of the traits that make society the great place it is, so why would we curtail them? You cannot simply tell someone not to do something; their very inquisitiveness will ask "well, what will happen if I...". Rather, demonstrate through past experience, constantly building security awareness into their daily habits, so that they become accustomed to questioning the norm.
Large organisations have layers of security to protect their important information. With the abundance of social media and online interaction, the general public does not have those controls to protect them. With the internet all around us, we need to make all of its users aware of the inherent dangers of using it. We already do many natural, day-to-day things to protect our homes, cars, handbags and wallets; if we applied the same common-sense approach to the internet we would make the cyber-criminal's job that much harder.
Neil Bray
Senior Security Specialist
www.cqr.com
Labels:
CQR,
incident management,
Information Security,
malware,
network
Wednesday, 6 August 2014
What is Privacy? The OAIC is showing us the way.
When looking for a new home we like to see photos of what the house looks like, but for a tenant or home owner are there any rules that govern what photos the real estate agent takes, and is there anything you can do if you are unhappy about the photos they have taken?
The OAIC's fifth video in their Privacy series tells us: 'Is my real estate agent allowed to take photos in my house?'
________________________________________________________________________________
If your neighbour has a security camera and you are concerned about your privacy, the OAIC's latest video gives you some advice on what you can do to address the situation.
The OAIC's fourth video in their Privacy series tells us: 'What can I do about my neighbour's security cameras?'
________________________________________________________________________________
We all have personal information held by organisations, but how do you access that information? Are you able to just ask for it, or might you have to pay or wait for an extended period of time, and if it is incorrect are you able to have it corrected?
The OAIC's third video in their Privacy series tells us: 'How do I access my personal information?'
________________________________________________________________________________
If you know that personal information about you has been mishandled, what should you do, and how do you go about making a complaint?
The OAIC's second video in their Privacy series tells us: 'How do I make a privacy complaint?'
_________________________________________________________________________________
Following on from Privacy Awareness Week in May 2014, when CQR were partners of the OAIC (the Office of the Australian Information Commissioner), the OAIC have released the first of a series of five videos designed to help individuals learn more about privacy and the common concerns they may have.
All of the videos are to be released over the next two weeks and we will be here to support the OAIC in spreading the word on privacy.
The first in the series is 'What is Privacy?'
Further information on the changes to the Privacy Act can be found on the OAIC website.
Sarah Taylor
www.cqr.com
Friday, 20 June 2014
Nice filesystem you've got there...
"Nice filesystem you've got there. Be a shame if anything... happened to it. Know what I mean?"
It's a stock phrase used by thugs in extortion rackets in countless movies, TV shows, and video games.
It's also exactly the threat that Cryptolocker presents. Cryptolocker is malware that, when activated, encrypts every file it can write to and holds the decryption key hostage. If you pay the thugs the extortion money before the clock runs out, they give you the key and you get your files back. If not, your files are gone for good.
The media love using the countdown timer in Cryptolocker as a backdrop, all the while talking about this new threat and how the government should be doing something about it.
Except of course that it isn't really new. It's just the latest way that criminals have found to monetise malware now that the fake-antivirus market is drying up. And it won't be the last.
Don't get me wrong, it really is a serious problem both for individuals and for business, but it is relatively easy to avoid, and even possible to recover from without paying the criminals, but only if you plan ahead. Here's the plan:
1. Patch
everything.
Most malware uses known vulnerabilities in operating systems and software applications to take over your computer. If those vulnerabilities are patched, the initial attack is blocked.
2. Run current and
up to date antivirus on all computers.
If the criminals can't use an unpatched vulnerability,
they will try to install the malware by tricking you into clicking on a bad
link, or opening a bad attachment. If
you are running a current antivirus solution from any reputable vendor, then
the vast majority of this sort of malware will be blocked before it can be run.
3. Make regular
backups and ensure the backups are offline.
Even in the worst case, where the malware has encrypted all of your files, the criminals aren't the only place to recover them from if you have a recent backup. It's very convenient to keep a USB backup drive permanently connected, but if you can write to that drive, then so can the malware. After you've made a backup, disconnect the backup drive.
4. Restrict user
access to read-only everywhere except where required.
Cryptolocker will encrypt every file on every network
fileshare it can write to. In a business
most users should not have full write access to all the corporate data
repositories. Restrict access either at
the share level or the filesystem level.
5. Have a response
plan.
When the worst does eventually happen, and all the protective
controls fail, having a plan means that you won't make the situation even worse
by panicking.
Remember the threat over the next few weeks is no
different from the threat over the last few weeks, or months, or years! The media just has a new bone to chew on, but
the defences are exactly the same as they have always been. Just don't pay the criminals.
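Step 3 only pays off if you can tell which files to pull back from the offline copy. As an added example (not from the original post), the Python below records a SHA-256 manifest of a directory at backup time, then classifies the live tree against it after a simulated Cryptolocker pass: files that have vanished or been replaced by high-entropy content are the ones to restore, while a low-entropy change is most likely a genuine edit. The temporary directory, file names and the 7.5-bits-per-byte entropy threshold are assumptions made for the example.

```python
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.5   # bits per byte; encrypted or compressed data sits near 8, text near 4-5


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root) to its SHA-256: the record of
    what the offline backup contains."""
    root = Path(root)
    return {str(p.relative_to(root)): sha256_file(p) for p in root.rglob("*") if p.is_file()}


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty or uniform input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path, threshold=ENTROPY_THRESHOLD):
    return shannon_entropy(Path(path).read_bytes()[:4096]) >= threshold


def compare_to_manifest(manifest, root):
    """Classify the live tree against the backup manifest.  Missing files and
    files replaced by high-entropy content are restored from the offline copy;
    a low-entropy modification is most likely a real edit worth keeping."""
    root = Path(root)
    live = build_manifest(root)
    result = {"restore_from_backup": [], "encrypted_new_files": [], "edited_in_place": [], "unchanged": []}
    for rel, digest in manifest.items():
        if rel not in live:
            result["restore_from_backup"].append(rel)
        elif live[rel] != digest:
            key = "restore_from_backup" if looks_encrypted(root / rel) else "edited_in_place"
            result[key].append(rel)
        else:
            result["unchanged"].append(rel)
    for rel in live:
        if rel not in manifest and looks_encrypted(root / rel):
            result["encrypted_new_files"].append(rel)
    return {k: sorted(v) for k, v in result.items()}


def demo():
    """Constructed scenario: five text files are backed up (manifest taken), then
    a simulated Cryptolocker overwrites three with random bytes and renames them,
    while a user legitimately edits a fourth."""
    root = Path(tempfile.mkdtemp())
    try:
        for i in range(5):
            (root / f"doc{i}.txt").write_text(f"Quarterly notes {i}: payments due on the 30th.\n" * 20)
        manifest = build_manifest(root)            # the state the offline backup holds
        for i in range(3):                         # simulated encryption: new content, new name
            p = root / f"doc{i}.txt"
            p.write_bytes(os.urandom(2048))
            p.rename(root / f"doc{i}.txt.encrypted")
        with (root / "doc3.txt").open("a") as f:   # genuine edit by a user
            f.write("Reviewed by finance.\n")
        return compare_to_manifest(manifest, root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for category, files in demo().items():
        print(f"{category}: {files}")
```

The manifest has to live with the offline backup, not on the share; if the malware can write to it, it can delete it.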
Labels:
CQR,
cryptolocker,
decryption key,
filesystem,
malware
Friday, 9 May 2014
Privacy Awareness Week Day 5: Managing a Breach or Complaint
Business standpoint:
The OAIC does not yet require businesses to disclose a breach, but it does provide considerable support if you fall victim to a breach that compromises personal information. You can find further information in its Guide to handling personal information security breaches.
Reporting a breach does not preclude the OAIC from
receiving complaints and conducting an investigation of the incident (whether
in response to a complaint or on the Commissioner's 'own motion').
Make sure that your incident response procedures identify the actions you will need to take if a breach of personal information were to occur. Consider:
- Who you should contact, when and how?
- What information will you need to disclose?
- What immediate actions can you take to minimise the impact of the breach?
- Your communications strategy: will you need to contact those affected by the breach? When and how will you do this?
- How will you manage complaints from individuals affected?
Who else can help?
- AUSCERT www.auscert.org.au
- CERT Australia www.cert.gov.au
- Specialist consultants (such as CQR!)
How do I know I can trust a consultancy such as CQR?
- CREST Australia assesses and certifies companies and their staff for proven technical ability.
- Look for companies that are ISO/IEC 27001 certified; certification means an accredited auditor has verified that the company's information security management system meets the standard.
- You can check a company's certifications through JAS-ANZ (the Joint Accreditation System of Australia and New Zealand).
Personal standpoint:
If you are not happy with the manner in which your personal
information is being handled by an organisation you do have some rights that
ensure that the organisation reviews your concerns or complaint.
Ensure you write a formal letter detailing what your
concerns are directly to the organisation and they will be obliged to manage
your concerns in a timely manner.
If you do not get a satisfactory result the OAIC is there to
help you. It is free to lodge a
complaint with the OAIC. You do not need
to be represented by a lawyer to make a complaint about your privacy. However,
if you do decide to hire a lawyer, you must pay for the lawyer yourself.
The website contains more information about your rights as
an individual at: www.oaic.gov.au/privacy/making-a-privacy-complaint
Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Act
Privacy Awareness Week Day 2: Protect your privacy online
Privacy Awareness Week Day 3: What you can do to protect your privacy when using mobile phones
Privacy Awareness Week Day 4: Business Obligations: What should I be doing to protect personal information?
Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com
Thursday, 8 May 2014
Privacy Awareness Week Day 4: Business Obligations: What should I be doing to protect personal information?
Before we can talk about protecting personal information, the first question you must ask is "What personal information do we process throughout the organisation?"
Do you understand:
a) How you collect personal information, and when?
b) Why you collect personal information?
c) What sort of information you collect?
d) Who handles it?
e) Where it goes?
Once you have an understanding of the basics you can begin to define how to control and manage it securely.
The 'WHAT' question is an important one: from it you can determine whether your existing security practices are appropriate. E.g. an application processing only names and addresses would need far less protection than one that records credit card or medical data.
Steps to securing personal data:
1 – Identify the information processed
2 – Classify the information (e.g. is it public,
confidential or medical)
3 – Value the information in terms of impact of loss.
What impact would it have to an individual or to the organisation if:
a) it was subject to unauthorised access?
b) you could not rely on the information processed?
c) the information was no longer available?
4 – Conduct a risk assessment considering:
a) How you collect the information;
b) How it is processed;
c) The involvement of third party entities;
d) How the information is shared.
5 – Determine the required security controls to help protect
personal information. This will include controls such as:
a) Training and awareness of staff – so they
understand what is expected when handling personal information;
b) Documented policies and procedures;
c) Access controls – ensure that technical controls
are applied so that only authorised personnel can access the information;
d) Data sharing agreements and contracts with third
parties;
e) Data Backup arrangements and recovery plans;
f) Incident management – how will you respond to a breach of personal information?
6 – Conduct a gap analysis. Identify what security
controls you already have in place.
a) Do they help manage the identified risks?
b) What are the gaps?
c) What can be improved?
Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Act
Privacy Awareness Week Day 2: Protect your privacy online
Privacy Awareness Week Day 3: What you can do to protect your privacy when using mobile phones
Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com
Tuesday, 6 May 2014
Privacy Awareness Week Day 2: Protect your privacy online
According to the OAIC 74% of Australians are more
concerned about their online privacy than they were five years ago. So what can
you do about it?
How often do you check your privacy settings?
Social media sites frequently update their settings, and this may happen without your knowledge. Changes can affect the look and feel of the site, how it interacts with you, or how it manages your privacy and security settings. So it is important to periodically check your own settings and ensure that only those you wish to see your information can.
Do you have to provide everything to everyone online!?
For example, consider whether you are happy for personal information such as your birth date to be made publicly available. When signing up for websites or newsletters, do they really need your real birth date, or can you give a fake one? Remember who you are protecting.
Releasing your personal information is your choice!
8 simple steps for staying safe online
- When asked for personal
information, ask what it will be used for.
- You don’t need to share everything
about yourself on Social Media.
- Think about the information
you want to share.
- Before you hand over your
email address read the website privacy policy and find out how they will
use the email address you provide.
- Check for encryption and use secure payment methods when shopping online. Look for https: connections (and the browser's padlock) when transferring confidential information; banks use these, for example, when you log in. This shows that the connection to the site is encrypted, although not that the site itself is trustworthy.
- Tick the ‘opt out’ box on forms if
you don’t want to receive marketing communications.
- Set strong passwords, especially
for important online accounts such as banking and avoid using the same
password for all accounts.
- Know your privacy rights, visit www.oaic.gov.au
You can find more information on your privacy rights and Privacy Awareness Week from the OAIC website.
Or for more hints and tips go to www.staysmartonline.gov.au
Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Act
Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com
Monday, 5 May 2014
Privacy Awareness Week, Day 1: What is privacy and changes to the Act
So what is Privacy?
Privacy is about the protection of an individual's personal information. We are all responsible for protecting our own identity and that of others. Think about it: we expose our own personal information on a daily basis. When we use social media, contact our utility companies and shop online we hand over a large amount of our own personal data. You may assume that the person or website you are sharing your information with will take care of it, keep it secure and not share it with anyone else.
This is true to a degree, and most companies will have a privacy policy in place to demonstrate a level of commitment to protecting your personal information, but this isn't a foolproof solution.
The person who is actually responsible for your personal
data at the end of the day is you! What is the best way to safeguard
yourself and look after your own identity? Have you ever taken the time
to think about it?
To help you understand, Australia has an independent Government agency responsible for the privacy functions conferred by the Privacy Act 1988 (Privacy Act): the Office of the Australian Information Commissioner (OAIC). The OAIC provides advice and guidance to the public, businesses and Government agencies on how they are to handle personal information.
The changes to the Privacy Act on 12 March 2014 brought heightened awareness of the message that we should be protecting our own privacy, and together with PAW, CQR has put together a program of blogs covering:
- How you can protect your privacy online;
- What you can do to protect your privacy when using mobile apps;
- Business obligations to privacy; and
- How to manage breaches of personal information.
We hope that you will keep a keen eye out on blogs, get
engaged in conversation and most importantly retweet the messages to colleagues,
family and friends to share the importance of Privacy.
You can find more information on your privacy rights and Privacy Awareness Week from the OAIC website.
Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com
Thursday, 17 April 2014
CQR is now an approved member of CREST Australia
Within the Information Security world the word Risk is key.
Understanding and managing that word can make the greatest of difference to an
organisation.
CQR are proud to practise what they preach: their own risks are checked, managed and improved at every opportunity. To reinforce the work they do and the expertise they hold, they have now officially become a member of CREST Australia.
CREST is the Council of Registered Ethical Security Testers. To become one of its CREST Approved companies each applicant is audited, and CQR are happy to have passed this process and to now be on the list of CREST Approved companies.
To complete the process, three of CQR's security specialists have passed CREST's demanding CRT (CREST Registered Tester) examination and become certified security testers. The CRT exam tests the applicant's own skills and experience; there is no way to prepare for it except to rely on your own knowledge. One of CQR's specialists achieved the highest score ever seen in the exam, and CQR are very proud of all of their specialists who took part and passed.
All those who pass the examination must be employed by a
CREST approved company to be part of CREST Australia.
In achieving approval from CREST this shows that CQR and its
security specialists work to the highest of standards and are dedicated to
providing the very best of service to their clients.
Sarah Taylor
www.cqr.com
Labels:
approved company,
CQR,
CREST,
Security Specialist
Monday, 14 April 2014
The Heartbleed Bug, gone in a heartbeat.
There is a hole in the heart of Internet security with the potential to expose countless encrypted transactions. It has been named the Heartbleed Bug (CVE-2014-0160). The bug was accidentally introduced into OpenSSL at the end of 2011 and shipped in OpenSSL 1.0.1 in March 2012. OpenSSL is an open source library that many software developers use to implement SSL/TLS encryption, providing security and privacy for communications over the Internet.
So how does it work?
When you connect to a secure Internet site to access your email, social media account or Internet banking, the connection is protected by SSL/TLS. TLS has an optional 'heartbeat' extension (RFC 6520): a keep-alive that lets either end check that the other is still there without tearing down and rebuilding the encrypted connection. One side sends a small heartbeat request carrying an arbitrary payload together with a length field saying how big that payload is, and the other side echoes the payload back. It has nothing to do with whether you are logged in to the website; it is a property of the encrypted connection underneath.
The bug is that vulnerable versions of OpenSSL copied back as many bytes as the length field claimed, without checking that the request actually contained that many. An attacker who sends a one-byte payload with a claimed length of 65,535 gets back up to 64 KB of whatever happened to sit next to that payload in the server's memory, and can repeat the request as often as they like. That memory may contain sensitive information useful to an attacker: usernames and passwords from other users' requests, session cookies or keys, or even the web server's private key.
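To make that missing length check concrete, the Python model below (an added example, not OpenSSL's code, which is C) builds RFC 6520 heartbeat records and shows a toy server answering them two ways: trusting the peer's length field, as OpenSSL 1.0.1 through 1.0.1f did, and applying the bounds check from the 1.0.1g fix. ToyServer, SECRETS and the record helpers are constructed for the example; the "neighbouring memory" is a made-up string standing in for whatever sat after the record in the real process.

```python
import struct

HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE = 1, 2
PADDING = 16                      # RFC 6520: a heartbeat carries at least 16 bytes of padding

# Constructed "neighbouring memory": what happened to sit after the heartbeat
# record in the server process.  Not real credentials and not a real key.
SECRETS = (b"Cookie: session=deadbeefcafef00d; user=alice\r\n"
           b"-----BEGIN RSA PRIVATE KEY-----\nMIIEowIBAAKCAQEAexample...\n")


def build_heartbeat(payload, claimed_length=None):
    """type(1) | payload_length(2) | payload | padding.  An honest peer sets the
    length field to len(payload); the attack sets it far larger."""
    length = len(payload) if claimed_length is None else claimed_length
    return bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", length) + payload + b"\x00" * PADDING


def _response(payload):
    return bytes([HEARTBEAT_RESPONSE]) + struct.pack("!H", len(payload)) + payload + b"\x00" * PADDING


def response_payload(response):
    """Payload echoed back in a heartbeat response (what the attacker reads)."""
    (length,) = struct.unpack("!H", response[1:3])
    return response[3:3 + length]


class ToyServer:
    """Models the record buffer as the received bytes followed by whatever else
    the process had in memory, so an over-read walks into the secrets."""

    def __init__(self, neighbouring_memory):
        self.neighbouring_memory = neighbouring_memory

    def respond_vulnerable(self, record):
        memory = bytes(record) + self.neighbouring_memory
        (payload_len,) = struct.unpack("!H", memory[1:3])
        # The bug: trust the peer's length field and copy that many bytes from
        # the start of the payload, reading far past the end of the record.
        return _response(memory[3:3 + payload_len])

    def respond_fixed(self, record):
        memory = bytes(record) + self.neighbouring_memory
        (payload_len,) = struct.unpack("!H", memory[1:3])
        # The 1.0.1g check: header, claimed payload and minimum padding must all
        # fit inside the record actually received; otherwise discard silently.
        if 1 + 2 + payload_len + PADDING > len(record):
            return None
        return _response(memory[3:3 + payload_len])


def demo():
    """Send a two-byte payload that claims to be 400 bytes long to both handlers.
    Returns (bytes leaked by the vulnerable handler, reply from the fixed one)."""
    server = ToyServer(SECRETS)
    attack = build_heartbeat(b"hi", claimed_length=400)
    leaked = response_payload(server.respond_vulnerable(attack))
    return leaked, server.respond_fixed(attack)


if __name__ == "__main__":
    leaked, fixed = demo()
    print("vulnerable handler leaked:", leaked)
    print("fixed handler replied:", fixed)
```

In the real library the over-read is a memcpy into the response buffer, and the attacker can claim up to 65,535 bytes per request; the model truncates at the end of the constructed memory, which is the only difference that matters here.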
So am I affected and what should I do?
This is a hard question to answer. Only OpenSSL 1.0.1 through 1.0.1f has the bug; a site running an older branch (0.9.8 or 1.0.0) or a different TLS library is not directly affected. Even where a site ran a vulnerable version, an attacker would generally have needed to be exploiting the bug while your credentials or session were sitting in the server's memory in order to grab them. The exception is the server's private key: once stolen, it lets an attacker impersonate the site and decrypt any recorded traffic that was not protected by forward secrecy, whenever it was captured. The best we can say is that it is possible you have been directly or indirectly affected. Unfortunately a heartbeat request leaves no trace in normal web server logs, so a site operator cannot tell whether the bug was used against them.
The best thing for us all to do is change our passwords once a provider tells us it was affected and has been patched; changing a password on a site that is still vulnerable only exposes the new one. It might even be a good idea just to change all those old passwords that you've been using for years, just in case. Here are some tips for creating a secure password:
· Be a minimum of 8 characters long; longer is better
· Use upper and lower case letters
· Substitute numbers or symbols for letters
· Do not use simple personal information (e.g. birthdays, kids' names, pet names)
· If you keep a written copy of your passwords, use an encrypted method of storing them (a password manager), not a note in your wallet
· An easy thing to remember is a phrase: try abbreviating the phrase and using the first letter of each word as your password. Adding numbers makes it harder to guess.
The OpenSSL team have released a fix (OpenSSL 1.0.1g) and it is being rolled out across the Internet to correct the bug.
How can I find out if my website is affected?
A useful tool to check a site's SSL/TLS configuration, including whether it is vulnerable to Heartbleed, is the Qualys SSL Labs test: https://www.ssllabs.com/ssltest/
I would like more information on Heartbleed and its effects.
Here are some places to look for more information:
A site providing detailed information on Heartbleed and a detailed Q&A
The Heartbleed Hit List: The Passwords You Need to Change Right Now
How Heartbleed Works: The Code Behind the Internet's Security Nightmare
Sarah Taylor
www.cqr.com
Tuesday, 1 April 2014
3 new certified QSAs reporting for duty.
In March, three of our Australia-based employees became certified as Qualified Security Assessors (QSAs), which doubles the number of QSAs working for CQR across Australia and New Zealand.
CQR have been a QSA company for a number of years and prides itself on having available QSA resources in each of their Australian offices.
Being certified as a QSA means that the PCI Security
Standards Council has assessed each candidate to meet the requirements to
perform a PCI data security assessment, and are able to validate a client’s adherence
to the PCI DSS.
Why comply with PCI DSS?
For merchants and service providers that store, process or transmit cardholder data, the PCI Data Security Standard (PCI DSS) provides an actionable framework for building a robust payment card security process, covering prevention, detection and appropriate reaction to security incidents.
Undertaking PCI DSS compliance can seem like a lot of effort, especially for smaller organisations, but the benefits outweigh those doubts. In an environment where data is valuable, demonstrating PCI DSS compliance lets customers know that you protect their sensitive payment card information and can be trusted with it. Confident customers are happy doing business with you and are more likely to become repeat customers or recommend you to others.
For other organisations doing business with you, it shows that you are conscious of security and active in looking after your data and that of others. Compliance is an everyday process, and ensuring that you stay up to date with the standard's requirements is just as important as the initial assessment. Being compliant can also help with other regulations.
Being compliant not only gives your customers and business partners confidence and peace of mind, it also helps your company avoid the consequences of a data compromise: lost sales and relationships, insurance claims, cancelled merchant accounts, and card-brand and government fines, none of which any organisation wishes to encounter. A robust PCI DSS programme benefits every organisation that handles cardholder information.
CQR have proven success in supporting businesses through the stages of their PCI journey, and having additional PCI QSAs ensures that the extra skills are available to achieve this.
Labels:
Australia,
certified,
compliance,
CQR,
New Zealand,
PCI DSS,
QSA
Wednesday, 12 March 2014
Privacy and your organisation, do you understand the rules?
The Australian Privacy Amendment Act 2012
will come in to force on 12th
March 2014 and will introduce significant amendments to the Privacy Act
1998.
The Privacy Act changes will give the Information Commissioner the ability to:
- Resolve complaints, use external dispute resolution services, conduct investigations and promote compliance;
- Investigate serious breaches (including the right to impose penalties of up to 1.7 million on businesses);
- Assess the privacy performance of businesses.
The Privacy Act protects personal information handled by businesses with an annual turnover of more than $3 million and health service providers of any size.
The Act may also apply to a small business if it poses a higher risk to privacy, for example small businesses that hold health information and provide health services, or those that:
- trade in personal information;
- provide services under a Commonwealth contract;
- run a residential tenancy database;
- are related to a larger business;
- are a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act.
Other small business operators may choose to opt in to the regime or may be brought into the regime by regulation.
If you’re not sure whether the Privacy Act applies to your business, try the 9 Step Privacy Checklist for Small Business on the Office of the Australian Information Commissioner (OAIC) website: http://www.oaic.gov.au
How will the changes affect you?
The changes will affect how businesses can:
- Handle and process personal information;
- Use personal information for direct marketing;
- Disclose personal information to people overseas.
A point to note
Each State has its own privacy legislation, so you must understand the legislative restrictions on processing personal data not only within the State where you reside, but in every State you interact with.
NSW, for example, has the Privacy and Personal Information Protection Act 1998 (NSW) together with the Health Records and Information Privacy Act 2002.
Private sector companies should be aware of these requirements if they provide services to a NSW government agency.
Private sector health service providers of any size in NSW will have to comply with the Health Records and Information Privacy Act 2002 as well as the Commonwealth Privacy Act 1988.
How confident are you in your Privacy practices?
For example, APP11 requires an organisation to take reasonable steps to ensure personal information is protected from “interference, unauthorised access, modification and disclosure”.
- How do you provide this assurance?
- Are you able to demonstrate that ‘reasonable’ steps have been taken to protect personal data?
So how well do you know your information processes? What personal information do you collect, and do you understand its lifecycle within your organisation? Are you able to answer the following:
- What personal information is collected, where, when, why and by whom?
- What controls do you have at the collection point?
- Do you collect consent?
- How do you record consent?
- Do you understand the purpose(s) for which information is collected?
- How is it kept relevant?
- Where does the information go?
- How is it stored?
- How is it kept up to date?
- In what format is the data stored, and for how long?
- What happens at ‘end of life’?
CQR Services
CQR is able to help organisations through the following services:

| Service | Overview |
| --- | --- |
| Privacy Compliance Jumpstart | We will conduct a Privacy Impact Assessment (PIA), provide an implementation roadmap and draft a Privacy Policy. |
| Privacy Impact Assessment (PIA) | We will conduct a series of interviews to understand how you currently use and protect personal information, and provide recommendations on how you can improve your processes to ensure the personal information is: processed fairly; kept accurate, complete and up to date; kept secure; made available to data subjects. |
| Update to Privacy Policy | We will review and update your Privacy Policy to ensure it captures the requirements of the Australian Privacy Amendment Act 2012. |
| Third Party Audit | We will conduct an audit on how you manage third party relationships. |
| Information Security Gap Analysis | We will conduct a series of interviews to understand how you currently protect personal information, using the ISO 27001 information security standard as the benchmark for compliance. |
| Privacy Audit | We will conduct an audit of your privacy practices covering: consent management; subject access requests; how you use and protect personal data; defined roles and responsibilities; review of privacy policies, procedures and guidelines; risk management. |