Who’s Got Our Customer Data?

Your organisation may collect data from customers or clients. And you may share this data with third parties who can provide services such as marketing, analytics, invoicing etc. However, as you collected the data, it’s still your responsibility to keep it secure.

This means that your organisation should be taking the following steps:

  • Keeping a record of what data has been shared, and the third parties it has been shared with
  • Ensuring that you have an agreement with each third party setting out the information supplied, the way it will be used, what they will deliver back to you, and how they will keep the data safe
  • Performing due diligence on the third parties that hold your most sensitive data. This usually involves an audit of their security – both of the systems used to transfer, store and process your data, and of general IT security (remote access, patching, training etc)

By making the above part of your procedures, you will significantly reduce the risks to your organisation and your clients.

If you’d like any assistance with reviewing and reducing your IT security risks then please get in touch.

Communicating after a data breach

As the recent issues around the pre-release of Budget 2019 details have shown, good communication after a security incident is crucial. Poor communication will make the situation much worse.

Treasury appears to have made a few mistakes:

  • They rushed to explain how the data breach happened. They would have been under pressure, with far more media focus than most organisations who suffer a breach. However, it would have been better to say that they were still investigating how the breach happened, rather than jumping to a conclusion that was proved to be wrong
  • They stated that they had seen 2000 attacks on their website. Unfortunately this made them sound naive. Websites and servers connected to the Internet are under constant attack from automated scripts as well as more targeted attacks. Once again, waiting for clearer details before communicating would have been better. It was in fact 2000 searches via the publicly available search function on their website
  • They stated that they had been hacked, and that they had referred the matter to the police. Once again, this was premature. They had not been hacked, the data breach was caused by misconfiguration of IT systems by Treasury, and the police have confirmed that no crime has been committed and they have closed their investigation
  • They provided inaccurate information to government ministers who then relied on it when communicating to the NZ public

The above are additional to the mistake that caused the breach – a misconfiguration of their website (which indexed the cloned website containing the Budget details).

So how can your organisation avoid making these mistakes?

  • Make sure you have an incident response plan. This sets out how to respond to various security incidents (including a data breach), who to communicate to, when to communicate, and issues to watch out for
  • Test your incident response plan using a table top exercise. This involves running through an example incident with the management team, making decisions on actions and communication. It’s best to get an external party to run this exercise for you. It will highlight any gaps in the plan, and ensure that when a security incident does happen, the organisation has practised its response and will be more likely to minimise the impact
  • Ensure that there is a focus on securing any confidential or personal data that could be accessed via the Internet. This includes development and test versions of websites and systems, that often have a lower level of security than production or “live” systems. Security review and testing should form part of any major changes, rather than being an annual event

If you’d like any help with creating or reviewing an incident response plan, running a table top exercise, or reviewing the security of your organisation’s systems then please get in touch.

What’s the real risk?

It seems that if you follow cyber security news there are new software vulnerabilities announced every day. The media tends to report on these without any context, and can even talk up the dangers. This can give the impression that it is too hard to secure your information and systems. And whilst it’s true that new software vulnerabilities are discovered almost every day (and patches issued to address them), it does not mean that criminals will use those vulnerabilities in attacks.

Criminals will only put in the lowest amount of effort or expense required to achieve their aim – which is usually to make money, either through direct means (blackmail, fraud, ransomware or other scams) or indirect (stealing information which can then be sold or used). They will not use an attack that is expensive in time or effort when a simpler one will achieve similar results. There is no need to hack a company’s IT systems via Wi-Fi when sending a phishing email to one of their staff is far easier, more effective and less risky for the criminal.

This doesn’t mean that we shouldn’t install patches to fix vulnerable software. But we should think about whether the cyber security risks we read about actually apply to us, and whether they are likely to happen.

Here’s a quick list of the areas that you should focus on:

  • Phishing emails are still a very effective way of attacking companies – make sure your staff have training, test their awareness, and turn on any anti-phishing protection you may have (e.g. some firewalls check for malicious websites when staff click on email links)
  • Payment policies – criminals love tricking people into paying money to the wrong account, or paying a fictitious invoice. Make sure you have good payment policies to guard against fraud – especially if you handle money for clients
  • Remote email – criminals will get passwords from users (via phishing emails) and use them to log into email remotely. They’ll then send out phishing emails from this account, or use it to commit fraud. Two factor authentication can stop criminals accessing remote email, even if they have the user’s password
  • Remote access – criminals will log into remote access servers/PCs using passwords they have obtained, or will launch a brute force attack to guess the password. Once they have access, they may install ransomware on the network or launch other attacks. Once again two factor authentication will help, as will scanning the servers for vulnerabilities and addressing them
  • Website / web applications – criminals will try to gain access to websites that hold or process valuable information e.g. credit card details, personal information. They will either sell this information, or use it to launch other attacks (personal information can be used to gain access to accounts or to create better phishing emails). Performing a security review of your website/web application will help.

If you’d like more information on how we can help you review and reduce your risk, then please get in touch – simon@securestrategy.co.nz

Board expectations for cyber security

As we all come back from the Christmas break and gear up for another year of activity, it’s timely for boards to consider the state of cyber security in the organisations they are responsible for. Here is a simple checklist which should help to give some surety that the management team have the right procedures and protective measures in place.

  1. Is there a regular report on cyber security that is presented to the board? Does it contain enough information to allow board members to understand the current risks and to see that progress is being made to reduce them?
  2. Does the organisation undertake annual cyber security reviews? Have the risks raised been evaluated and addressed? Not addressing identified risks can invalidate cyber insurance cover, and may have other negative impacts (as well as the obvious risk of a cyber security incident).
  3. Is there a plan in place to improve overall cyber security? This is often less about addressing specific risks and more about ensuring that there are the right internal policies, procedures and standards in place to minimise the chance of risks and incidents appearing. There are various good practice frameworks that can be used in this area.
  4. Is the organisation compliant with external standards? Various industries will have different standards they need to comply with, and some standards will have an impact on cyber security. For example, complying with AML/CFT means that far more personal data (driving licence, passport details etc) may be stored. This data needs to be secured. And there may be some standards that need to be complied with but have been missed – e.g. PCI DSS if the organisation takes credit/debit card payments.
  5. Has the security of suppliers/partners been considered? Third parties can be given remote access to support systems or data (usually client or staff data) can be passed to them for processing. Has the organisation considered the privacy and security implications, have they set expectations with the third parties, and how are they being monitored?

If you’d like some assistance in this area then please contact simon.thomas@securestrategy.co.nz

Multi-factor authentication made easy

It’s multi-factor not multi-app

Many of you will I hope have implemented multi-factor authentication (MFA) when using remote access. If you haven’t then please see my article here and then get your IT team to set it up. The majority of MFA (or two-factor) implementations will use an app on a smartphone and will ask the user to press approve or to enter a code shown on the screen (but not an SMS). Due to the widespread use of Office 365, you may be using the Microsoft Authenticator app. But if you have tried to set up MFA for cloud based applications such as Xero, WordPress, RealMe and MailChimp you will see that they ask you to use Google Authenticator. So you could end up with two authenticator apps for different web sites or services.

One app to rule them all

But you can in fact use one app. Both the Microsoft and Google Authenticator apps are based on the OTP (one time passcode) standard. So if you see a cloud service asking for Google Authenticator, you can scan the QR code with Microsoft Authenticator and it will work. I have logins for Azure, 365, MailChimp, Xero, RealMe, Buffer and two different WordPress sites set up on my Microsoft Authenticator app.

Using Microsoft sites with Google Authenticator takes a bit more work. When asked what mobile device you would want to install the app on, choose Other. You will then see the QR code that you can scan with Google Authenticator.
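To show why one app can serve every service, here is an added example (not code from the page’s author, Microsoft or Google) that decodes the kind of otpauth:// URI a “Google Authenticator” QR code carries and computes the RFC 6238 time-based code either app would display from it. The enrolment URI, label and issuer are constructed for this example; the secret is the RFC 6238 reference key, so the codes can be checked against the RFC’s published test vectors.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI of the kind a "use Google Authenticator" QR code
# encodes. The secret is the RFC 6238 reference key "12345678901234567890"
# in base32; the label and issuer are made up for this example.
SAMPLE_URI = (
    "otpauth://totp/Example%20Ltd:simon%40example.invalid"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example%20Ltd"
    "&algorithm=SHA1&digits=6&period=30"
)


def parse_otpauth(uri):
    """Decode an otpauth:// URI into the parameters any RFC 6238 app needs.

    Returns the raw secret bytes plus algorithm, digits and period, falling
    back to the defaults (SHA1, 6 digits, 30 s) that both the Microsoft and
    Google apps assume when a parameter is omitted.
    """
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are supported here")
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = params["secret"].strip().replace(" ", "")
    secret += "=" * (-len(secret) % 8)          # restore base32 padding
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": params.get("issuer", ""),
        "secret": base64.b32decode(secret, casefold=True),
        "algorithm": params.get("algorithm", "SHA1").lower(),
        "digits": int(params.get("digits", 6)),
        "period": int(params.get("period", 30)),
    }


def hotp(secret, counter, digits=6, algorithm="sha1"):
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret, at=None, period=30, digits=6, algorithm="sha1"):
    """RFC 6238 TOTP: HOTP with the counter set to the current time step.
    No network is involved, which is why the code works without cell reception."""
    at = time.time() if at is None else at
    return hotp(secret, int(at) // period, digits, algorithm)


def verify_totp(secret, code, at=None, window=1, period=30, digits=6, algorithm="sha1"):
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps to tolerate phone clock drift, comparing in constant time."""
    at = time.time() if at is None else at
    step = int(at) // period
    for delta in range(-window, window + 1):
        candidate = hotp(secret, step + delta, digits, algorithm)
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    enrol = parse_otpauth(SAMPLE_URI)
    print(enrol["label"], "->", totp(enrol["secret"], period=enrol["period"],
                                     digits=enrol["digits"], algorithm=enrol["algorithm"]))
```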

The future

The use of multi-factor authentication is growing, especially as on-premise software such as MYOB becomes cloud-based. And many organisations, especially government departments, are making MFA compulsory for their online services. Using a mobile app as the second form of authentication (in addition to your password) means that you can log in even when you don’t have cellphone reception (the code the app shows you does not depend on a signal). And using one app rather than two makes it even easier.

If you’d like to understand why you should be using MFA to secure your data and operations, and the other cyber security risks you should consider and minimise, then please get in touch.

Cyber Insurance – check the fine print

Why should my business have an Independent Security Review?

When we provide Independent Security Reviews for clients, the first thing we do is sit down with them to understand their business, what type of information they hold, where they store it, what type of financial processes they have, and how they interact with their clients.

We use this information to perform a threat modelling exercise, where we think about how a criminal could attack the business, what effort would be required, and what the return would be.

The result is a list of threats, based on real-world data (what attacks are actually happening to other companies) and on their relevance to the client (do they have information, systems and processes that are vulnerable to this type of attack).

The Threat Model

The threat model determines where we test and probe, and where we ask further questions, both of the client and of their IT company. And we use it when we look at how ready the client is to respond to a successful attack, and whether they could limit the damage caused.

For many clients the only response plan they have in place is a cyber insurance policy.  There is more that a company should do in terms of planning for a cyber security incident, and we provide recommendations in that area.

Issues with policies

We review the cyber insurance policy against the threat model, to see if the client is really getting the protection they think they are. And we find in the majority of instances that they are not, and that their cyber insurance policy excludes a major risk that they think would be covered.

These exclusions include policies that only cover malware specifically written to target the client (unless you are Sony, this is unlikely to happen), and policies that only cover online fraud if the criminal has hacked into the client’s systems and made the bank transfer themselves. In fact, the majority of online fraud happens as a result of criminals persuading staff to pay funds to the wrong bank account.

What should I do next?

If you’d like to understand what your real risks are, how to minimise them, and how to limit the damage of a cyber security incident, then please get in touch.

Privacy Update – May 2018

2018 is going to be an interesting year for privacy, both in NZ and internationally. There are three main reasons.

Australia – Mandatory Reporting of Data Breaches

This came into effect on the 22 February 2018. If you have a business entity in Australia with an annual turnover of over $3m then you will fall under the Privacy Act and the new Notifiable Data Breaches amendment. If you suffer a data breach that “is likely to result in serious harm to any of the individuals to whom the information relates”, then you must notify the Australian Privacy Commissioner and the affected individuals as soon as practicable. The amendment defines a data breach and serious harm, and also sets out what remedial steps a business could take to remove the risk to individuals, which would mean that they no longer had to notify the breach.

Europe – General Data Protection Regulation

This comes into effect on the 25 May 2018. It provides protection for people residing in the EU. Businesses in NZ will fall into the scope of GDPR if they

  • have a business entity in the EU
  • provide services (paid or free) to people residing in the EU
  • market to people residing in the EU (including profiling them using web technologies)

It does not apply if someone from the EU is able to access your website – you have to be targeting your services to them. And it does not apply to EU citizens residing outside of the EU – so no need to ask your clients about their citizenship in order to comply with GDPR. Travel and tourism companies are likely to need to comply, as will Internet startups who market their services to the EU. As the law is new, it will take a while for any ambiguities to be ironed out.

New Zealand – Update to the Privacy Act

After a couple of reviews over the past two decades, our Privacy Act is finally getting an update. Submissions close on the 24 May 2018. Currently included in the draft Bill is mandatory reporting of data breaches, and it’s likely that other requirements will be strengthened to keep our laws close to the level provided by GDPR (though perhaps not as stringent). NZ currently has “adequacy” status with the EU, which means that personal information can be transferred to NZ without businesses having to take additional measures. We will want to maintain this status (only 12 countries have it).

Summary

You’ve probably seen new privacy policies being issued by a lot of organisations. They’ve taken the time to review and update their terms, prompted by GDPR. Even if you’re not doing business in Australia or Europe, it’s worth reviewing the personal data you collect and hold, how you are securing it, and whether your privacy policy reflects this.

If you’d like to discuss this area in more detail, please get in touch.

Protecting your reputation

Email phishing remains a constant problem for businesses. Whilst implementing an email anti-spam/anti-virus solution can cut down on the amount of phishing emails your staff might receive, some will still slip through.

This leaves your staff as the last line of defence. They need to know how to spot phishing emails – by looking at the address it was sent from, the wording etc. Our new online training course can help with this and has a lesson dedicated to email security.

The majority of phishing emails are sent from addresses that are:

  • random (simon@123xx.wsdf.com)
  • throwaway (simon@gmail.com)
  • have one or more letters changed (simon@xer0.com)

Staff can spot these with some training – especially if the wording in the email causes suspicion.

But some emails are sent from an address that looks genuine – simon@xero.com for example.

There are a couple of ways this can happen:

  • criminals gain access to a staff member’s email account
  • criminals spoof the email domain

These phishing emails can be very hard to spot – especially if they have been received from a trusted business partner. I’ve seen a number of phishing emails received by my clients that appear to come from suppliers. They were from people in organisations the clients trusted, and so they clicked the links. When it was discovered that they were phishing emails, it caused some concern about the security measures in place at the business partner, and whether the client’s information was safe with them.

Whilst receiving phishing emails is a constant risk, you certainly don’t want to be in the position of appearing to have sent them (or of actually having sent them because an email account has been hacked). That would certainly damage your reputation.

Thankfully there are ways that you can protect both your business and your clients from these types of emails. Before I go into what you can do, I’ll quickly explain the technologies involved.

  • Two factor authentication – most people should know what this is (I’ve written about it previously). Its main use is to protect remote access to email accounts, remote desktop servers and web applications. Once you enter a correct username and password, you need to enter a code from your mobile phone (or click an app)
  • Sender Policy Framework (SPF) – this lists the email servers that are authorised to send email on your behalf
  • Domain Keys Identified Mail (DKIM) – this adds a digital signature to each email, created with a private key that only your mail system (or a sender you have authorised – MailChimp for example) holds, to prove it came from your business
  • Domain-based Message Authentication, Reporting and Conformance (DMARC) – this tells the receiving email server what to do if an email it receives fails the SPF or DKIM checks – either report it to you (monitor mode), put it in the recipient’s junk folder (quarantine), or block it entirely (reject)

Many organisations use DMARC, DKIM and SPF to authenticate the emails they send – including BNZ, Xero, PayPal, ANZ, Westpac and IRD.

Emails you receive

  • Make sure your email server is set to check and act on DMARC rules for the emails it receives (most email servers do this)
  • Make sure your suppliers / trusted partners have implemented two factor authentication for remote access to their email. This should form part of the security standard you ask them to agree to.
  • Make sure your suppliers / trusted partners have implemented SPF, DKIM and DMARC for the emails they send out. Once again this should form part of the supplier security standard

Emails you send

  • Make sure you have implemented two factor authentication for remote access to your email (do this for any remote desktop servers as well). This is really becoming an essential part of IT security for a business
  • Implement SPF, DKIM and DMARC for the emails you send out. You need to make sure you have thought about all of the parties who send email on your behalf – including marketing programs, scan to email devices etc. You should set DMARC to monitor (report-only) mode for the first month, which will allow you to see if there are any emails that would fail the checks, and why. Once you are happy that genuine email would get through, then set DMARC to reject mode
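As an added example (not the page’s own code, and not any real mail server’s implementation), here is the DMARC decision described above applied to constructed records and messages: a monitor-mode record (p=none) beside a reject record, with SPF and DKIM results checked for alignment against the visible From: domain. The domains (example.invalid and the provider domains) are placeholders, and the organisational-domain check is a simplification of what real receivers do with the Public Suffix List.

```python
# Constructed DMARC records for the two stages described above: monitor
# (p=none, reports only) and enforcement (p=reject). example.invalid is a
# placeholder domain.
MONITOR_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.invalid"
REJECT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.invalid"


def parse_dmarc(txt):
    """Turn the DNS TXT record published at _dmarc.<domain> into a tag -> value dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def organizational_domain(domain):
    """Simplified to the last two labels (an assumption for this example); real
    receivers consult the Public Suffix List so that e.g. co.nz is handled."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ("s") needs an exact match, relaxed ("r")
    needs the same organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def dmarc_disposition(record_txt, message):
    """Return "pass" if SPF or DKIM passes *and* aligns with the From: domain,
    otherwise the policy action from the record (none / quarantine / reject).

    `message` carries the results the receiving server has already computed:
    from_domain, spf_result and spf_domain (MAIL FROM), dkim_result and
    dkim_domain (the d= tag of the signature).
    """
    record = parse_dmarc(record_txt)
    from_domain = message["from_domain"]
    spf_ok = message.get("spf_result") == "pass" and aligned(
        message.get("spf_domain"), from_domain, record["aspf"])
    dkim_ok = message.get("dkim_result") == "pass" and aligned(
        message.get("dkim_domain"), from_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return record["p"]


# Constructed messages. A spoof: the sending server passes SPF for its own
# bounce domain, but the visible From: is ours and there is no DKIM signature.
SPOOFED = {"from_domain": "example.invalid", "spf_result": "pass",
           "spf_domain": "bulk-sender.invalid", "dkim_result": "none",
           "dkim_domain": ""}
# A legitimate send via a marketing provider: SPF passes for the provider's
# bounce domain (not aligned), but the provider signs with our DKIM key.
VIA_PROVIDER = {"from_domain": "example.invalid", "spf_result": "pass",
                "spf_domain": "mail.provider.invalid", "dkim_result": "pass",
                "dkim_domain": "example.invalid"}


if __name__ == "__main__":
    for name, msg in (("spoofed", SPOOFED), ("via provider", VIA_PROVIDER)):
        print(f"{name}: monitor -> {dmarc_disposition(MONITOR_RECORD, msg)}, "
              f"reject -> {dmarc_disposition(REJECT_RECORD, msg)}")
```

In monitor mode the spoofed message still reaches the inbox (disposition "none") and only shows up in the aggregate report, which is why the switch to reject is the step that actually protects your reputation.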

Implementing the above is not hard and significantly reduces both the risk to your business reputation and the risks from your suppliers.

If you’d like to discuss this area in more detail, please get in touch.

Securing Credit Card Payments

Whether you are an online retailer who has taken credit card payments for years, or a business who has started to take credit card payments as a way for clients to pay their bills, there are a few important things you should consider.

Any business taking credit card payments will have signed a merchant agreement with their bank. One of the terms of that merchant agreement is that the business needs to comply with the Payment Card Industry Data Security Standard (PCI DSS). This covers the security measures required to keep credit card information secure.

Here are links to the PCI DSS pages of the major banks:

  • BNZ
  • ANZ
  • Westpac
  • KiwiBank

Many businesses will not realise that they have this contractual obligation. Even if you use a third-party payment gateway, you still need to confirm that the rest of your website is secure. Criminals can compromise your website so that credit card details are stolen whilst clients believe they are being entered into the secure payment gateway.

If criminals do manage to steal the credit card details of your clients, the penalties from your bank can include:

  • Fines of up to USD 500,000
  • A mandatory review of your security (at your cost)
  • Removal of your ability to take credit card payments

And your reputation with your clients will obviously suffer. This can have a far greater impact. You may have implemented security measures in other parts of your business, but the loss of credit card data will make clients question whether you can be trusted with the rest of their information.

To avoid this outcome, businesses need to do the following:

  • Make sure your website is secure
  • Make sure that any other methods of taking credit card payments are secure (for example over the phone or in person)
  • Make sure that credit card information is stored securely (it’s best not to store it at all)
  • Complete an annual Self Assessment Questionnaire (see below) stating that you have taken steps to secure your website
  • Run vulnerability scans of the website each quarter to prove that it is still secure

Our PCI DSS Compliance Service is a cost-effective way for you to meet your obligations and reduce the risk to your clients and your business.

We work with you and your web developer to complete the Self Assessment Questionnaire. If there are areas where you are non-compliant we will provide recommendations to bring you up to the required standard. And we scan your website every month to look for vulnerabilities that could be used by criminals. If the scans show issues we advise you and your web developers and provide recommendations on how to resolve them.

If you’d like to discuss this service in more detail, please get in touch.

What Equifax did wrong

Much has been written about Equifax’s poor response to their data breach. But how did they get breached in the first place, and what would have limited the damage?

On the 6th of March 2017 Apache announced a bug in Struts, a framework used to build web applications. The following day, a proof of concept showing how the bug could be exploited was publicly released on the Internet. Three days later (the 10th), Equifax was hacked via the Struts bug. The hackers then installed code on a number of servers, which they used to transfer data out of the company.

A patch for the bug had been issued within days of its discovery. Equifax patched their vulnerable servers on the 30th of June (including the ones that had been compromised) but did not notice anything wrong.

On the 29th of July Equifax discovered they had been hacked, and on the 30th of July they booted the hackers out of their servers. They did not disclose the breach until the 7th of September, with senior executives selling large quantities of shares in the intervening period (something the SEC is investigating). When they did disclose the breach, they bungled the communication and tried to get affected customers to sign away their rights to sue.

But back to the time of the hack. I’m sure that if you are responsible for IT infrastructure you will know how difficult it can be to patch servers. And four days is not a lot of time to do so. What else would have helped prevent the hack, or limited the damage?

  • Security Information and Event Management (SIEM) – these types of logging and alerting solutions look for suspicious events in log files and raise alerts to the IT team that a server may have been compromised
  • File Integrity Monitoring – often integrated with SIEM solutions, this would have raised an alert if a critical system or web configuration file had been changed
  • Network monitoring – the hackers moved a large amount of data from Equifax systems to the Internet. This would have shown up, either in the firewall logs or in the server logs, if it had been monitored and if an alert had been raised
  • Asset management – some of the information the hackers took came from legacy databases that had not been decommissioned. These should have been identified and removed as part of a regular review
  • Access restrictions – the compromised web servers were sitting in a DMZ. Good access restrictions may have reduced the ability of the hackers to use compromised web servers to take information from internal databases
  • Honeytokens – these can be made to look like files or be implanted in databases. When a hacker opens the file or queries the database, an alert is sent to the IT team

If your organisation has data that it needs to protect, we would suggest that you start by understanding your assets (where they are, how they can be accessed) and your risks (how valuable are they to others, what would be the impact if they were stolen). With this understanding, you can use a framework such as the CIS Controls to ensure that you are putting the right measures in place and that any investment you make, whether in time or money, is creating the most reduction in risk.