Showing posts with label Information Security.

Thursday, 28 August 2014

To click or not to click…………

We recently assisted one of our clients during an information security incident. A server monitoring system had picked up unusual file access activity on one of their network file stores; upon further investigation they discovered that a piece of malware was encrypting files on a user’s network share.

By the time we arrived onsite they had already started to contain the outbreak: taking the infected network drives offline, identifying the user whose network drive was being encrypted, removing the user’s PC from the network and disabling their network account.
At that time they were in the process of rolling out new anti-malware definitions across the network, so they immediately commenced a full network scan using the latest definition files, concentrating on the offline network shares.

Investigation of the user’s machine indicated they had browsed to an external URL minutes before the unusual activity was logged.  The user had received an email, apparently from a reputable postal service, saying the organisation had a parcel that was awaiting payment and delivery. Being a member of the accounts payable team, the user clicked on the link, which opened a copy of the postal service's website.  Unbeknown to the user, malicious files were being downloaded, initiating the malware infection with the Win32/Crowti ransomware variant, which subsequently started encrypting all of their files.

The email itself was very well crafted, using good English and the corporate branding of the postal services company. Only upon closer inspection, hovering over the unsubscribe link, did we notice that the link misspelt the word “unsubscribe” as “unsubscrube”.  Checking the email headers revealed the sending IP address, and checking its registration confirmed the URL was located in Russia.
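The two checks described above (does each link actually point at the domain the sender claims, and does the link text match its URL closely but not exactly, the “unsubscrube” pattern; plus pulling the originating relay IP out of the Received headers so its registration can be looked up) can be automated for a mail gateway or an analyst's triage script. The following is an added example written for this post, not code from the incident or from CQR; the message it parses is constructed, with placeholder domains and an RFC 5737 test IP rather than the real indicators from the case, and the 0.8 similarity threshold is an assumption you would tune on your own mail.

```python
import difflib
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message modelled on the incident above. The domains,
# addresses and IP (RFC 5737 test range) are placeholders, not the real
# indicators from the case.
SAMPLE_EMAIL = """\
Received: from relay.sender-example.invalid (relay.sender-example.invalid [203.0.113.7])
\tby mx.customer.invalid with ESMTP; Thu, 28 Aug 2014 09:10:00 +0930
From: "Parcel Service" <notify@parcel-service.invalid>
To: accounts@customer.invalid
Subject: Parcel awaiting payment
Content-Type: text/html; charset="utf-8"

<html><body>
<p>A parcel addressed to your organisation is awaiting payment.</p>
<p><a href="http://parcel-service-payments.invalid/pay">Pay and arrange delivery</a></p>
<p><a href="http://parcel-service.invalid/unsubscrube">unsubscribe</a></p>
</body></html>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def originating_ip(msg):
    """IP from the earliest (bottom-most) Received header, i.e. the relay the
    message first arrived from; this is what to look up in WHOIS/RIR data."""
    for hdr in reversed(msg.get_all("Received") or []):
        m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(hdr))
        if m:
            return m.group(1)
    return None


def belongs_to(host, domain):
    """True if host is domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def inspect_message(raw):
    """Parse one raw message and return the claimed sender domain, the
    originating IP and a list of findings (empty list = nothing suspicious)."""
    msg = email.message_from_string(raw, policy=policy.default)
    claimed = msg["From"].addresses[0].addr_spec.rsplit("@", 1)[1].lower()
    part = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(part.get_content() if part is not None else "")
    findings = []
    for href, text in extractor.links:
        parts = urlparse(href)
        host = (parts.hostname or "").lower()
        # Finding 1: a link that leaves the domain the sender claims to be.
        if not belongs_to(host, claimed):
            findings.append(f"link host {host!r} is outside sender domain {claimed!r}")
        # Finding 2: link text that nearly, but not exactly, matches the URL's
        # last path segment ('unsubscribe' vs 'unsubscrube' style typos).
        last = parts.path.rstrip("/").rsplit("/", 1)[-1].lower()
        ratio = difflib.SequenceMatcher(None, last, text.lower()).ratio()
        if last and last != text.lower() and ratio >= 0.8:
            findings.append(f"link text {text!r} nearly matches path {last!r} (similarity {ratio:.2f})")
    return {"sender_domain": claimed, "originating_ip": originating_ip(msg), "findings": findings}


if __name__ == "__main__":
    result = inspect_message(SAMPLE_EMAIL)
    print("sender domain :", result["sender_domain"])
    print("originating IP:", result["originating_ip"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Run against the sample it reports two findings: the payment link points at a host outside the sender's domain, and the unsubscribe link's path is a one-letter typo of its visible text. Neither check depends on a signature, which is the point: they catch the next rebranded copy of the same lure on a different domain, which an IP or domain block would not.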

While the incident was being triaged the client asked what they could have done to stop this kind of attack. We recommended they block the IP address in their firewall and block the domain on their SMTP relay, but once the cyber criminals move to a different IP address or domain these defences would be useless; enabling the SmartScreen Filter via a group policy setting on their browsers could afford them an extra layer of security.

But in hindsight, all of these enterprise and perimeter security controls are great, yet the user still decided to click on the link in the email, not maliciously but in the normal duties of their role.  Users are the last line of defence….right?
Correct, they are the last line of defence, but far too often organisations treat users just as that: last in the line, with security awareness training just another tick in the box to ensure some form of compliance.  Organisations can have the best-of-breed technical security controls in place at the perimeter, but these are only as good as the speed and efficiency of the vendor releasing signature or definition files and the IT department’s diligence in deploying updates.  During this incident the infected PC and network drives were disconnected from the network within ten minutes, during which time approximately 50K files were encrypted.
The user, however, is the one constant that is always present, and the one that the cyber-criminal is relying on to perform an action that provides them with the backdoor they need.
Is annual security refresher training enough, given how fast the security landscape changes? In our view, no!  Too many organisations use this as a tick-box exercise.  A cyber-criminal is relying on the end user: this is the mechanism that lets them avoid brute-forcing the front door, spending hundreds of hours reconnoitring a target company and then trying to push an exploit through it.

How many times have you done something you were told not to do? “Don’t walk on the grass!”

“Don’t bite your nails!” Humans have individuality and intrigue; these are some of the traits that make society the great place it is, so why would we curtail them?  You cannot tell someone not to do something; their very inquisitiveness will ask “well, what will happen if I….”. Rather, demonstrate through past experience, constantly building security awareness into their daily habits, so that they become accustomed to questioning the norm.
Large organisations have layers of security to protect their important information. With the abundance of social media and on-line interactions, “the general public” does not have these controls to protect them. With the internet all around us, we need to make all users of the internet aware of the inherent dangers of its use. If we applied to the internet the same common-sense approach we naturally apply day to day to protecting our homes, cars, handbags and wallets, we would make the cyber criminals' job that much harder.

End users may well be the last line of defence. Providing real-life examples of fake, imposter emails will go a long way to help improve security awareness. Long gone are the days of the badly written Nigerian 419 scam emails; cyber-criminals content-scrape websites to make the HTML content look real. But end users are the one control you can influence and educate daily, providing an important proactive security control that beats any vendor's zero-day response. Ignore them at your peril.

Neil Bray
Senior Security Specialist
www.cqr.com

Friday, 9 May 2014

Privacy Awareness Week Day 5: Managing a Breach or Complaint

Business standpoint:

The OAIC has not yet enforced the requirement for businesses to disclose a breach; however, they do provide considerable support if you do fall victim to a breach that compromises personal information. You can find further information in the OAIC's Guide to handling personal information security breaches.

Reporting a breach does not preclude the OAIC from receiving complaints and conducting an investigation of the incident (whether in response to a complaint or on the Commissioner's 'own motion').

Make sure that your incident response procedures identify the actions you will need to take if a breach of personal information were to occur.  Consider:
  • Who should you contact, when, and how?
  • What information will you need to disclose?
  • What immediate actions can you take to minimise the impact of the breach?
  • Your communications strategy: will you need to contact those affected by the breach? When will you do this? How will you do this?
  • How will you manage complaints from individuals affected?

Who else can help?

How do I know I can trust a consultancy such as CQR?
  • CREST Australia assesses and certifies companies and staff for their proven technical ability.
  • Looking for companies that are ISO/IEC 27001 certified ensures the company is compliant with security standards.
  • You can check companies' certifications through JAS-ANZ.

Personal standpoint:
If you are not happy with the manner in which your personal information is being handled by an organisation you do have some rights that ensure that the organisation reviews your concerns or complaint.

Ensure you write a formal letter detailing what your concerns are directly to the organisation and they will be obliged to manage your concerns in a timely manner.

If you do not get a satisfactory result the OAIC is there to help you.  It is free to lodge a complaint with the OAIC.  You do not need to be represented by a lawyer to make a complaint about your privacy. However, if you do decide to hire a lawyer, you must pay for the lawyer yourself.


Wednesday, 12 March 2014

Privacy and your organisation, do you understand the rules?

The Australian Privacy Amendment Act 2012 will come in to force on 12th March 2014 and will introduce significant amendments to the Privacy Act 1998.

The Privacy Act changes will give the Information Commissioner the ability to: 
  • Resolve complaints, use external dispute resolution services, conduct investigations and promote compliance;
  • Investigate serious breaches (including the right to impose penalties of up to $1.7 million on businesses);
  • Assess the privacy performance of businesses.
Who must comply with the Act?

The Privacy Act protects personal information handled by businesses with an annual turnover of more than $3 million and health service providers of any size.

The Act may also apply to a small business if it poses a higher risk to privacy, for example small businesses that hold health information and provide health services, or those that:
  • trade in personal information
  • provide services under a Commonwealth contract
  • run a residential tenancy database
  • are related to a larger business
  • are a reporting entity under the Anti-Money Laundering and Counter-Terrorism Financing Act.
Other small business operators may choose to opt in to the regime or may be brought into the regime by regulation.

If you’re not sure whether the Privacy Act applies to your business, try the 9 Step Privacy Checklist for Small Business on the Office of the Australian Information Commissioner (OAIC) website: http://www.oaic.gov.au


How will the changes affect you?

The changes will affect how businesses can:
  • Handle and process personal information;
  • Use personal information for direct marketing;
  • Disclose personal information to people overseas.
Although you may already have a requirement to comply with the Privacy Act you need to be particularly aware of the changes as you will need to change your privacy policies and practices significantly in order to comply with requirements of the Australian Privacy Amendment Act 2012.

A point to note

Each State has its own Privacy legislation and therefore you must understand the legislative restrictions on processing personal data, not only within the State you reside, but of the States you interact with!

NSW for example has the Privacy and Personal Information Protection Act 1998 (NSW) together with the Health Records and Information Privacy Act 2002.  

Private sector companies should be aware of the requirements if they provide services to a NSW government agency.

Private sector health services providers of any size in NSW will have to comply with the Health Records and Information Privacy Act 2002 and also the Commonwealth Privacy Act 1988.

How confident are you in your Privacy practices?
For example, APP11 requires an organisation to take reasonable steps to ensure personal information is protected from “Interference, unauthorised access, modification and disclosure”. 

  • How do you provide this assurance?
  • Are you able to demonstrate ‘reasonable’ steps have been taken to protect personal data?
You must take reasonable steps to “implement practices, procedures and systems that ensure compliance with the APPs”.

So how well do you know your information processes?  What personal information do you collect and do you understand its lifecycle within your organisation?  Are you able to answer the following:
  • What personal information is collected, where, when, why and by whom?
  • What controls do you have at the collection point?
  • Do you collect consent?
  • How do you record consent?
  • Do you understand the purpose(s) for which information is collected?
  • How is it kept relevant?
  • Where does the information go?
  • How is it stored?
  • How is it kept up to date?
  • In what format is data stored, and for how long?
  • What happens at ‘end-of life’?
If you’re not confident you can answer these questions, we are here to help!

CQR Services

CQR is able to help organisations through the following services:

Privacy Compliance Jumpstart
  We will conduct a Privacy Impact Assessment (PIA), provide an implementation roadmap and draft a Privacy Policy.

Privacy Impact Assessment (PIA)
  We will conduct a series of interviews to understand how you currently use and protect personal information, and provide recommendations on how you can improve your processes to ensure the personal information is:
  • Processed fairly
  • Kept accurate, complete and up to date
  • Kept secure
  • Made available to data subjects

Update to Privacy Policy
  We will review and update your Privacy Policy to ensure it captures the requirements of the Australian Privacy Amendment Act 2012.

Third Party Audit
  We will conduct an audit on how you manage third party relationships.

Information Security Gap Analysis
  We will conduct a series of interviews to understand how you currently protect personal information, using the ISO 27001 information security standard as the benchmark for compliance.

Privacy Audit
  We will conduct an audit on your privacy practices covering:
  • Consent management
  • Subject access requests
  • How you use and protect personal data
  • Defined roles and responsibilities
  • Review of Privacy Policies, Procedures and Guidelines
  • Risk Management

Friday, 7 March 2014

Social Bronze Age

In October 2013 I wrote a blog entitled Stone Aged Security, where I noted that we've been through the journey of Stone Age to Industrial Age twice before, first for civilisation taking 12,000 years, and then again for IT, but this time 200x faster and only taking 60 years, and that we had started the cycle again for the Social Stone Age.

The Social Stone Age (2000-2013) will be looked back on fondly.  It's the age when we discovered social media.  It's the age when we were encouraged to share.  It's the age when we naively assumed that private actually meant private, and that big brother didn't really exist - or at least if they did, they were only watching the bad guys.  It's the age when we weren't having discussions about metadata.

That age is over.  2014 is the start of the Social Bronze Age.  This age is marked by two distinct phase changes in the way that we communicate on the Internet.

The first phase change is that we are moving from a default unencrypted Internet, where we only encrypt that information that we consider to be sensitive, to a default encrypted Internet, where we encrypt everything all the time.  Facebook and Twitter moved from only encrypting logins, to encrypting everything.  Google started encrypting all searches.  This would have happened eventually, but it has really been forced this year by the realisation that the threat model has fundamentally changed.  We are no longer trying to protect ourselves just from cybercriminals, but also from the security services that are recording everything all the time.

The second phase change is that we have moved to a default "in" position for social media.  It is now assumed that everyone has at least one social media account, and that the only people who don’t have one have consciously chosen not to, and they are just a little odd.  Private mailing lists have almost entirely gone, replaced by social media groups.  Moreover social media is replacing e-mail as the normal way that people communicate with each other.

My calculations show that the Social Age is running 2.5x faster than the IT Age, and 500x faster than civilisation!  It's hardly surprising that we really aren't coping that well.  If this trend continues, then here are my predicted dates for the remainder of the Social Age, and some key expectations.

2018: Social Iron Age.  The end of centrally controlled social media, and the end of companies like Facebook and Twitter.  Social media will be peer-to-peer with all the processing, privacy and communication controlled by the users and happening in an app on their phones.  The Internet of things will be real and it will all be IPv6.

2021: Social Middle Age.  The end of e-mail and text based communication.  Everything will be voice controlled, and keyboards will seem quaint.  Real-time language transcription and translation will be practical for everyday use.  Language will no longer be a barrier to communication.

2023: Social Industrial Age.  Avatars will do most of the work for you.  Expect the first real cyber world war.  What we see as science fiction today, will be practical reality, except that we still won't have artificial intelligence, robots or flying cars.

2024: The next age starts - the Machine Stone Age.

It's going to be an interesting 10 years.

Friday, 28 February 2014

Autumn is coming, are you prepared?

With the Autumn season just a day away we look to changing our wardrobe for some warmer clothing, preparing our home for the relief of rain and looking forward to making it into the garden and seeing what the summer sun has left for you to revive. It’s a chance for us all to take a break from the long and busy summer and nestle down in our homes ready for winter.

But what are the risks involved, initially you might think that there can’t be much, with looking forward to catching up on some of those books on the book shelf you haven’t had time to start, decorating the dining room because the summer was too hot to even think about it or taking up a new hobby if that’s your thing.

The first big downpour of 2014 left my gutters overflowing and my garden turning into a swimming pool, all of which was unexpected. I didn’t know it was going to rain that hard, and we had already cleared out the gutters a few weeks before, but those record-breaking 40 degree temperatures in Adelaide had a big effect on the trees around my house, and when the wind picked up they shed all their dry leaves back on to my roof and into my gutters, hence them overflowing and my husband getting soaked to his socks clearing them out and hoping he cleared them before the water got into the roof.

We hear it all too often on the radio and the news: people like you and I having their information hacked and money stolen from their bank accounts, and when we find out it’s happening we go into defence mode, change our passwords and have a rant to the bank until it's fixed. But what if it’s your workplace, and your office holds the information of others, or your organisation is closed down for the day? What then? It may not be just you who is affected, and it doesn’t take long for someone on a laptop sat in their own home to leave you with a wealth of problems which can’t be fixed with a phone call or a password change. The risk of a cyber-attack isn’t your only threat; losing power to your premises for a long period of time can be just as harmful if you become out of contact or are unable to complete your daily tasks.

Having a disaster recovery plan in place can be a challenging and difficult task but in the event of a breach or natural event it could possibly be your only hope of maintaining service and being able to recover as quickly and efficiently as possible.

So what can I do?

For an organisation that has not taken a great deal of time to consider its disaster recovery, CQR can analyse the business and look at where a disruptive event can have an effect on it through a Business Impact Analysis. This will provide a risk register, business continuity and recovery plans and, most importantly, show whether the business can recover within a desired timeframe.

We can provide an independent review of your IT Service Recovery Plans through an IT Service Recovery Technical Review, ensuring that the information therein is adequate to support the recovery processes and that staff are aware of their roles and responsibilities.

For a Vulnerability Assessment, CQR has specialist consultants who can carry out technical vulnerability scans that will challenge the resiliency of your network architecture. We will provide you with a vulnerability report outlining the risks, with recommendations to manage the identified vulnerabilities.

In addition to these services CQR can also provide Exercise / Test Facilitation, Document Development, Review of Business Continuity Gap Analysis against ISO 22301:2012 Business Continuity Standard and Business Continuity Management System (BCMS) Development. All of these services are done through partnering with the organisation and developing a scope to ensure that what is delivered is exactly what is needed in order to prevent the worst happening. 

So before the winter arrives I have my own plan in place to make sure that my gutters no longer get clogged with leaves and debris and that I reduce the risk of my garden becoming flooded again, and that will involve my husband getting back up onto the roof again, but hopefully this time he will be dryer.

Sarah Taylor

Friday, 21 February 2014

Managing a Data Breach

If you've ever watched a home renovation show on TV, you'll know that one of the biggest problems is the weather.  Rain in particular is a real pain if you don't yet have a roof, as it leaks everywhere, damages everything and stops work completely.  If you are doing the renovation privately, the best thing to do is patch up the damage, redecorate and tell no-one.  However if there is a TV crew around you don't have that option.

With the impending revisions to the privacy laws, this is exactly the place Australian business is about to find itself.  If you have a breach today the best advice is to patch up the damage, redecorate and tell no-one.  Within a couple of months however it will be as if there is a virtual TV crew around all the time, and businesses won't have a choice about having to admit their failure to protect personal information.

Unsurprisingly, vendors are having a field day promoting the new privacy laws, trying to sell umbrellas, wallpaper and camera blinding equipment.  Personally I think businesses should just build a watertight roof and stop the leaks happening in the first place.
 
Phil Kernick @philkernick
 

Friday, 31 January 2014

Bitcoin Mining your Passwords

Many people have invested in high-end GPUs to perform Bitcoin mining.  But even with Bitcoins trading above US$1000, it's no longer cost-effective or plausible to find a new one.  So other than gaming, what can all this GPU power be directed at?  Password cracking is an obvious choice.

Almost exactly a year ago in my blog on Information Security Themes for 2013, I said:

"Passwords suck.  Passphrases are just long passwords, and they also suck.  Every two factor scheme out there really sucks – mostly because I have so many different tokens that I have to carry around depending on what I want access to."

And I was right.  In 2013 we've seen password dumps and cracking that make 2012 look trivial.  This problem is not getting better, and with all the excess GPU capacity, it's getting even easier for anyone and everyone to crack passwords.  There are certainly cryptographic solutions being developed, such as PBKDF2 (if you still trust RSA) to do key stretching, but they can't be retrofitted into existing systems, and the existing systems and all their juicy data will be around for a very long time.
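To make the key-stretching point concrete: the difference between a stored bare hash and a PBKDF2 record is that every guess an offline cracker makes has to pay the full iteration cost, so the GPU advantage is divided by the work factor you chose. Below is an added example written for this post (not the author's code, and not any particular product's scheme) showing a self-describing PBKDF2-HMAC-SHA256 record, constant-time verification, and a rough measurement of how much more each guess costs than a bare SHA-256. The 200,000 iteration count and the record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
import time

# Work factor chosen for illustration; raise it as hardware gets faster.
ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    Storing the iteration count in the record lets you raise it for new
    passwords without breaking verification of old ones."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, record):
    """Recompute the stretched hash from the stored parameters and compare in
    constant time, so a wrong guess leaks nothing through timing."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), dklen=32)
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def cost_ratio(iterations=50_000):
    """Rough ratio of time-per-guess for PBKDF2 versus one bare salted SHA-256
    on this machine: a proxy for how much slower an offline cracker's guesses
    become. (Timing is noisy; the order of magnitude is what matters.)"""
    pw, salt = b"candidate", b"\x00" * 16
    n_plain, n_stretched = 2000, 3
    t0 = time.perf_counter()
    for _ in range(n_plain):
        hashlib.sha256(salt + pw).digest()
    plain = (time.perf_counter() - t0) / n_plain
    t0 = time.perf_counter()
    for _ in range(n_stretched):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    stretched = (time.perf_counter() - t0) / n_stretched
    return stretched / max(plain, 1e-9)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct:", verify_password("correct horse battery staple", record))
    print("verify wrong  :", verify_password("Tr0ub4dor&3", record))
    print(f"one PBKDF2 guess costs roughly {cost_ratio():,.0f}x a bare SHA-256 guess")
```

The retrofit problem the post mentions is visible in the record format: an existing system that stored unsalted hashes has no salt or iteration count to put in such a record, so the stretched scheme can only be applied as users next authenticate and supply the plaintext again.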

So where are we at the beginning of 2014?  Same place we were last year, and my advice hasn't changed.  Instead of trying to authenticate the user, we need to instead authenticate the transaction.  And that is still a hard problem that our backward looking way of thinking makes even more difficult to address.

Thursday, 23 January 2014

CQR Insights: Organisation compliance with New Privacy Laws

From 12 March 2014, the Federal Government’s new privacy laws will introduce a new set of Australian Privacy Principles. The reforms introduce new enforcement powers and remedies for investigations that the Commissioner commences on their own initiative. The Commissioner will be able to make a determination, accept written undertakings that will be enforceable through the courts, or apply for civil penalty orders which can range from $340,000 for individuals and up to $1.7 million for companies.   

Mandatory reporting of data breaches is not part of the new laws (yet) but clearly the new enforcement powers and remedies for investigations is putting everyone on notice as regards the protection of personal information.

How will the new the privacy laws impact your organisation?  Well it is really all about managing risk.

An article by Alec Christie, partner at DLA Piper, in The Australian suggests companies undertake a “mini privacy audit”.


I have put together a list of ten questions to ask yourself:

1. Do you manage a register of risks relating to your critical business systems that store and use personal information?
2. Do you have procedures for staff and contractor access control to these systems: granting, revoking and privilege levels?
3. Do you know where personal data is stored?
4. Do you have a procedure for the removal or de-identification of personal data from databases and archive systems where this information is no longer required?
5. Do you have change control procedures for network, system and application changes which may impact business systems holding personal information?
6. Does your organisation have an information security policy and associated procedures?
7. Does your organisation have a resource who is responsible for information security management?
8. Do you have procedures for managing and applying operating system and application patches and upgrades?
9. As highlighted in the Privacy Commissioner’s recent AAPT breach investigation (link below), do you have service level agreements in place with third party providers regarding responsibilities for protecting personal information and, importantly, a means of monitoring compliance?
10. Do you perform annual vulnerability assessments of internet infrastructure and applications?

If you answered yes to all of these questions then you are probably doing OK.

What help does CQR  offer for  the new privacy laws?

As part of our ISMS/ISO27001 business practice we have a packaged program which runs over a 4-week timeframe where we work with a client to:

1. Identify business systems that are in scope;
2. Perform a gap analysis against existing information security procedures and processes;
3. Highlight risks and maturity of controls in place;
4. Rate the adequacy of existing procedures;
5. Provide a draft implementation plan of activities to effectively manage the risks associated with your information assets.

As part of our technical services CQR can perform vulnerability assessments of your internet facing  infrastructure and services.

See also AAPT’s data breach investigation, which gives some insights into where things can go wrong.


If you would like further information on how CQR can assist with getting in line with the new privacy laws, then contact CQR at www.cqr.com or enquiries@cqr.com
 
Greg Starkey
Business Development Manager, Government & Commercial
www.cqr.com