Another day, another data breach

Make no mistake: the Equifax data breach of about 143 million records (approx. 44% of the US population) is one of the largest and ‘will be’ the most expensive data breach in history. Equifax is one of the four largest American credit agencies, alongside Experian, TransUnion and Innovis.

The data breach notification by Equifax should remind us that data breaches are inevitable and these breaches will continue to happen and make headlines.

However, the key message of this breach is that the reporting firm took over 5 weeks to publicly disclose the data breach, which means that the personal information of 143 million people was exposed for over 2 months before those people were made aware of the compromise. (Please note: the breach occurred sometime in May and was not even detected until late July 2017.)

And, to no surprise, the stock market didn’t react well! As of Monday 11/09, the company had lost about $2 billion in market cap on Friday, tumbling nearly 14%. (This figure will surely go up.)

A proposed class action seeking as much as USD$70 billion in damages nationally, representing 143 million consumers, alleges that Equifax didn’t spend enough on protecting data. (Or should we say Equifax did not take reasonable steps to protect information?)

With this treasure trove in hand what is the most likely move of the hackers?

  1. They would already be selling this information on the dark web or negotiating with Equifax for a ransom; or
  2. Data mining to see if they can use this data for identity theft. Imagine hackers creating countless new identities out of thin air. You’re not the only one who thinks this is a terrifying scenario!

Whatever the reason for this breach or the attack vector was, organisations that hold more personal data than they need always carry more risk for themselves and their consumers.

In 2016, Microsoft framed digital growth with its estimate that by 2020 four billion people will be online, twice the number online at the time. It predicted that 50 billion devices will be connected to the Internet by 2020, that data volumes online will be 50 times greater than today, and that cybercrime damage costs will hit $6 trillion annually by 2021.

This is the real impact if the corporations and individuals in charge of cybersecurity do not understand the fundamentals of cybersecurity and the difference between IT security and information security.

The lessons from this breach are simple: a breach in cybersecurity can cost a company both financially and in reputational damage, so it’s imperative that you invest in cybersecurity proportionate to the classification of the data you hold.

A good starting point is to identify how information/data is handled across its entire life cycle: In-Transit, In-Use, At-Rest and Disposal.

If you need any help with how to protect your data, have a chat to us today and find out how Kloud/Telstra can help you overcome your specific data security requirements.

170 Days to Go…

Notifiable Data Breach Scheme starts on 22nd February 2018 — How well are you prepared?

Background

The focus on cyber security is rapidly increasing, partly due to recent high-profile security breaches within major organisations and businesses. The evolving sophistication, stealth and reach of organised cyber-attacks require more attention than ever before. Coupled with the threats organisations face internally, cyber security now sits high on many corporate risk registers as a top concern for executives and business owners.

In response to the increase in cyber threats and activities, organisations require greater visibility into, and understanding of, their current level of maturity. This in turn leads to a process of strengthening the organisation’s controls to a more mature state that lends itself to cyber risk reduction.

In February 2017, the Commonwealth government passed the Privacy Amendment (Notifiable Data Breaches) Act 2017, which amended the Privacy Act 1988, making it mandatory for companies and organisations (Government/ Non-Government) to report “eligible data breaches” to the ‘Office of the Australian Information Commissioner’ (OAIC) and any affected, ‘at-risk’ individuals.

The Privacy Act 1988 has been amended to encourage entities to uplift their current security posture, ensuring personally identifiable information is protected across its entire ‘data life cycle’ and securely deleted when no longer required.

Overview

The ‘Notifiable Data Breach’ (NDB) scheme applies to most Australian and Norfolk Island Government agencies, all private sector and not-for-profit organisations with an annual turnover of more than $3 million, all private health service providers and some small businesses (collectively called ‘APP entities’). To see whether it applies to your organisation, please refer to the Privacy Act 1988.

The above entities must take reasonable steps to protect the personally identifiable information they hold. This includes, but is not limited to, protection against malicious actions such as theft or ‘hacking’, as well as against internal errors or failures to follow information handling policies that cause accidental loss or disclosure.

In general, if there is a real risk of serious harm as a result of a data breach, the affected individuals and the OAIC should be notified. Some of the key facts from the ‘2017 Cost of Data Breach Study from Ponemon Institute’ and ‘Mandiant’ indicate:

  • It took businesses an average of 191 days to identify the data breach and an average of 66 days to contain the breach [1];
  • Data breaches cost companies an average of $139 per compromised record [2]; and
  • Only 31% of organisations globally discovered IT security compromises through their own resources last year, according to Mandiant.

[1], [2] Ponemon Institute © 2017 Cost of Data Breach Study – Australia

High profile security breaches in Australia

When it comes to data security breaches, last year saw 1,792 data breaches, which led to almost 1.4 billion data records being lost or stolen from organisations globally, according to the Gemalto Breach Level Index.

In Australia, a combined total of 15,899 cyber security incidents were reported according to the Australian Cyber Security Centre (ACSC) Threat Report 2016, which included:

  • Threats to Government – Between 1 January 2015 and 30 June 2016, ASD, as part of the ACSC, responded to 1095 cyber security incidents on government systems, which were considered serious enough to warrant operational responses; and
  • Threats to Private Sector – Between July 2015 and June 2016, CERT Australia responded to 14,804 cyber security incidents affecting Australian businesses, 418 of which involved systems of national interest (SNI) and critical infrastructure (CI).

Some of the known ‘publicised’ high profile security incidents in Australia include:

  • Red Cross – 1.28 million blood donor records dating from 2010 were published to a publicly facing website in Oct 2016;
  • Menulog – 1.1 million customer records were compromised in 2016, including names, phone numbers, addresses and order histories;
  • NAB – 60,000 customer records were sent to the wrong website last December;
  • Big W – Personal details of Big W customers were leaked online in Nov 2016;
  • David Jones & Kmart – An inherent vulnerability within the online portals of David Jones and Kmart was used to compromise customer records in late 2015; and
  • Telstra – Pacnet, an Asian subsidiary of Telstra, was compromised in 2015 in an attack affecting thousands of customers, including federal government departments and agencies.

For more information on how prepared Australian organisations (Government/ Private) are to meet the ever-growing cyber security threat, please look at the ACSC Cyber Security Survey 2016.

Does this apply to you & what is personal information?

This scheme applies to entities that have an obligation under the Australian Privacy Principles (APP 11) of the Privacy Act to protect the Personally Identifiable Information (PII) they hold.

[(s 26W(1) (a)) – ‘Personal information’ (PII) is defined in s 6(1) of the Privacy Act to include information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not, and whether the information or opinion is recorded in a material form or not].

The term ‘personal information’ encompasses a broad range of information. A number of different types of information are explicitly recognised as constituting personal information under the Privacy Act. The following are all types of personal information:

  • ‘Sensitive information’; (includes information or opinion about an individual’s racial or ethnic origin, political opinion, religious beliefs, sexual orientation or criminal record, provided the information or opinion otherwise meets the definition of personal information)
  • ‘Health information’; (which is also ‘sensitive information’)
  • ‘Credit information’; financial information
  • ‘Employee record’ information; (subject to exemptions) and
  • ‘Tax file number information’.

Information that is not explicitly recognised as personal information under the Privacy Act may still be explicitly recognised as personal information under other legislation.

Further, the definition of personal information is not limited to information about an individual’s private or family life, but extends to any information or opinion that is about the individual, from which they are reasonably identifiable. This can include information about an individual’s business or work activities.

  • Example 1: A customer’s name, phone number and email address are collected by a business or government agency to create a customer contact file. The customer contact file constitutes personal information, as the customer is the subject of the record.
  • Example 2: Information that a person was born with foetal alcohol syndrome reveals that their biological mother consumed alcohol during her pregnancy. This information may therefore be personal information about the person’s mother as well as about the person themselves.

For detailed information on what constitutes personal information, please click here.

Entities covered by the NDB scheme

Australian Government agencies (and the Norfolk Island administration) and all businesses and not-for-profit organisations with an annual turnover of more than $3 million have responsibilities under the Privacy Act, subject to some exceptions.

Some small business operators (organisations with a turnover of $3 million or less) are also covered by the Privacy Act, including:

  • Private sector health service providers. Organisations providing a health service include:
    • Traditional health service providers, such as private hospitals, day surgeries, medical practitioners, pharmacists and allied health professionals;
    • Complementary therapists, such as naturopaths and chiropractors; and
    • Gyms and weight loss clinics.
  • Childcare centres, private schools and private tertiary educational institutions;
  • Businesses that sell or purchase personal information; and
  • Credit reporting bodies.

For more information about your responsibilities under the Privacy Act, click here.

Steps Entities Can Take

The reasonable steps entities should take to ensure the security of personal information will depend on their circumstances, including the following:

  • The nature of the entity holding the personal information;
  • The amount and sensitivity of the personal information held;
  • The possible adverse consequences for an individual;
  • The information handling practices of the entity holding the information;
  • The practicability of implementing the security measure, including the time and cost involved; and
  • Whether a security measure is itself privacy invasive.

The circumstances outlined above will influence the reasonable steps that an organisation should take to destroy, de-identify or classify personal information.

It is important that entities take reasonable steps to protect the information they hold, as a data breach could have a very significant impact on their reputation and ongoing business operations.

The OAIC provides guidance on reasonable steps organisations can undertake here.

Where to begin

A good starting point is to look at the Privacy Management Framework (the Framework), which sets out the steps the OAIC expects you to take to meet your ongoing compliance obligations under APP 1.2.

Below are some of the steps entities can take to increase their security posture and comply with the Australian Privacy Principles (APP 11).

  • Step 1: Entities can embed a culture of privacy and compliance by:
    • Treating personal information as valuable (the first step is to classify unstructured data);
    • Assigning accountability to an individual to manage privacy;
    • Adopting Privacy by Design principles in all projects and decisions;
    • Developing and implementing privacy management plans that align with business objectives and privacy obligations; and
    • Implementing a reporting structure and capturing non-compliance incidents.
  • Step 2: Entities can establish robust and effective privacy practices, procedures and systems by:
    • Keeping information up to date irrespective of its physical location or of third parties holding it;
    • Developing and maintaining a clearly articulated and up-to-date privacy policy which aligns with your privacy obligations (this includes all information security policies: most of them are interlinked, so it is very important to have an up-to-date set);
    • Developing and maintaining processes to ensure you are handling personal information in accordance with your privacy obligations (this includes how information is handled across its entire life cycle: In-Transit, In-Use and At-Rest);
    • Performing a risk assessment to identify, assess and manage privacy risks across the business;
    • Undertaking Privacy Impact Assessments (PIA) to make sure you are compliant with the privacy laws; and
    • Developing a data breach response process or a Security Incident Response Plan (SIRP) which will guide you in responding effectively in case of a data breach.
  • Step 3: Evaluate your privacy practices, procedures and systems (assurance)
    As security is a continuous improvement process, it is important to ensure all your practices, procedures, processes and systems are working effectively. Assurance activities should include:
    • Monitoring, review and measurement of all your privacy and compliance obligations against your privacy management framework; and
    • Risk assessments of third-party service providers and contractors.
  • Step 4: Enhance your response to privacy issues and concerns
    • Use the results from Step 3 to update, enhance and uplift your security and privacy risk profile, which includes your people, process and technology areas; and
    • Monitor and address new security risks and threats by implementing good system hygiene. A good starting point is to implement the recommendations from the Australian Signals Directorate, the Australian Cyber Security Centre and CERT Australia, which provide mitigation strategies to help organisations mitigate cyber security incidents.

The introduction of the new legislation is a good opportunity to evaluate and measure your organisation’s compliance with the Privacy Act provisions. It is also a good starting point for all organisations to continually assess their known state of risk from the ever-changing cyber threat landscape by developing a maturity model, which can aid in further cyber risk reduction.

If you need any help with the above recommendations, have a chat to us today and find out how Kloud/Telstra can help you overcome your specific NDB security/privacy obligations.

Another global ransomware attack is fast spreading !!!

With the events that have escalated since last night, here is a quick summary and initial response from Kloud on how organisations can take proactive steps to mitigate the current situation. Please feel free to distribute it internally as you see fit.

Background

A new wave of powerful cyber-attack (Petya) hit Europe on Tuesday in a possible reprise of a widespread ransomware assault in May that affected 150 countries. As reported, this ransomware is targeting government and key infrastructure systems all over the world.

Those behind the attack appear to have exploited the same type of hacking tool used in the WannaCry ransomware attack that infected hundreds of thousands of computers in May 2017 before a British researcher found a ‘kill-switch’. This is a different variant from the old WannaCry ransomware; however, this nasty piece of ransomware works very differently from any other known variant for the following reasons:

  • Petya uses the NSA EternalBlue exploit but also spreads within internal networks using WMIC and PSEXEC. In some cases fully patched systems can also be hit through this lateral movement;
  • Unlike other traditional ransomware, Petya does not encrypt files on a targeted system one by one;
  • Instead, Petya reboots victims’ computers and encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes and locations on the physical disk; and
  • Petya ransomware replaces the computer’s MBR with its own malicious code that displays the ransom note and leaves computers unable to boot.

The priority is to apply emergency patches and ensure you are up to date.

Make sure users across the business do not click on links and attachments from people or email addresses they do not recognise.

How is it spreading?

Like WannaCry, ‘Petya’ ransomware exploits the SMBv1 EternalBlue vulnerability, taking advantage of unpatched Windows machines.

Petya ransomware is successful in spreading because it combines a client-side attack (CVE-2017-0199) with a network-based threat (MS17-010).

EternalBlue is a Windows SMB exploit leaked by the infamous hacking group Shadow Brokers in its April 2017 data dump, who claimed to have stolen it from the US intelligence agency NSA, along with other Windows exploits.

What assets are at risk?

All unpatched computer systems and all users who do not practice safe online behaviour.

What is the impact?

The nature of the attack itself is not new. Ransomware spread by emails with malicious links or attachments has been increasing in recent years.

This ransomware attack follows a relatively typical formula:

  • Locks all the data on a computer system;
  • Provides instructions on what to do next, which include a ransom demand (typically US$300 in bitcoin);
  • The demand requires the ransom to be paid within a defined period of time, otherwise the demand increases, leading to complete destruction of data; and
  • Uses RSA-2048 bit encryption, which makes decryption of the data extremely difficult (next to impossible in most cases).

Typically, these types of attacks do not involve the theft of information, but rather focus on generating cash by preventing critical business operations until the ransom is paid, or the system is rebuilt from unaffected backups.

This attack, involving ransomware known as ‘NotPetya’ and also referred to as ‘Petya’ or ‘Petwrap’, spreads rapidly by exploiting a weakness in unpatched versions of Microsoft Windows (the Windows SMBv1 vulnerability).

Immediate Steps if compromised…

Petya ransomware encrypts systems after rebooting the computer. So if your system is infected with Petya ransomware and it tries to restart, do not power it back on.

“If machine reboots and you see a message to restart, power off immediately! This is the encryption process. If you do not power on, files are fine.” <Use a LiveCD or external machine to recover files>

Steps to mitigate the risk…

We need to act fast. Organisations need to ensure staff are made aware of the risk and reiterate additional precautionary measures, whilst simultaneously ensuring that IT systems are protected, including by the following:

  • Prioritise patching systems immediately, starting with those performing critical business functions or holding critical data;
  • Immediately patch Windows machines in the environment (after proper testing). The patch for the weakness identified was released in March 2017 as part of MS17-010 / CVE-2017-01;
  • Disable the insecure, 30-year-old SMBv1 file-sharing protocol on your Windows systems and servers;
  • Since Petya ransomware is also taking advantage of the WMIC and PSEXEC tools to infect fully-patched Windows computers, you are also advised to disable WMIC (Windows Management Instrumentation Command-line);
  • Companies should forward a cyber security alert and communications to their employees (education is the key), requesting them to be vigilant at this time of heightened risk and reminding them to:
    • Not open emails from unknown sources;
    • Be wary of unsolicited emails that demand immediate action;
    • Not click on links or download email attachments sent from unknown users or which seem suspicious; and
    • Follow the clearly defined actions for reporting incidents.
  • Antivirus vendors have been working to release signatures in order to protect systems. Organisations should ensure that all systems are running current AV DAT signatures; the focus should be on maintaining currency;
  • Maintain up-to-date backups of files and regularly verify that the backups can be restored. Priority should be on ensuring that systems performing critical business functions or holding critical data are verified first;
  • Monitor your network, systems, media and logs for any malicious software, possible exfiltration of data, abnormal behaviour or unauthorised network connections;
  • Practise safe online behaviour; and
  • Report all incidents to your (IT) helpdesk or Security Operations team immediately.
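As an added example (not code from this post or from Kloud/Telstra), the PowerShell script below audits two of the host-level mitigations listed above on a Windows host: whether SMBv1 is still enabled and whether an MS17-010 update is installed, and switches SMBv1 off server-side when run with -Remediate. It assumes an elevated session on Windows 8.1 / Server 2012 R2 or later (where the Get/Set-SmbServerConfiguration cmdlets exist), and the KB list is a placeholder because the MS17-010 KB numbers differ per OS build and are not given in the post.

```powershell
<#
 Added example, not code from the original post or from Kloud/Telstra.
 Audits the SMBv1 state and the presence of an MS17-010 update on this host
 and, with -Remediate, disables SMBv1 in the SMB server.
 Assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later.
 $Ms17010Kbs is a placeholder: fill it with the KB ids for this OS build from
 the MS17-010 bulletin; the post does not list them.
#>
[CmdletBinding()]
param(
    [switch]$Remediate,
    [string[]]$Ms17010Kbs = @('KBnnnnnnn')   # placeholder KB id, replace before use
)

function Get-Smb1State {
    # Server side: does the SMB server still accept SMBv1 sessions?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Client/optional-feature side: on client SKUs the SMB1Protocol feature
    # exists; on other builds the lookup throws, so report 'Unknown' instead.
    try {
        $feature = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction Stop).State
    } catch {
        $feature = 'Unknown'
    }
    [pscustomobject]@{
        Smb1ServerEnabled = [bool]$server
        Smb1FeatureState  = "$feature"
    }
}

function Test-Ms17010Installed {
    param([string[]]$Kbs)
    # Get-HotFix lists installed updates by KB id; any match means the fix is present.
    $installed = Get-HotFix | Where-Object { $_.HotFixID -in $Kbs }
    return [bool]$installed
}

function Disable-Smb1Server {
    # Turns SMBv1 off in the SMB server; takes effect immediately, no reboot needed.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

$state   = Get-Smb1State
$patched = Test-Ms17010Installed -Kbs $Ms17010Kbs

Write-Host ("SMBv1 server enabled : {0}" -f $state.Smb1ServerEnabled)
Write-Host ("SMB1Protocol feature : {0}" -f $state.Smb1FeatureState)
Write-Host ("MS17-010 installed   : {0}" -f $patched)

if ($state.Smb1ServerEnabled -and $Remediate) {
    Disable-Smb1Server
    Write-Host "SMBv1 server support disabled."
} elseif ($state.Smb1ServerEnabled) {
    Write-Warning "SMBv1 is enabled; re-run with -Remediate to disable it (test first)."
}
if (-not $patched) {
    Write-Warning "No MS17-010 KB from the list is installed; patch this host as a priority."
}
```

Run it first without -Remediate to audit, then with -Remediate once the change has been tested; the client-side SMBv1 feature is reported but not removed here because that removal requires a reboot.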

These attacks happen quickly and unexpectedly. You also need to act swiftly to close any vulnerabilities in your systems.

What to do if you believe you have been attacked by “Petya” and need assistance?

Under the new mandatory breach reporting laws, organisations may have obligations to report this breach to the Privacy Commissioner (section 26WA).

If you or anyone in the business would like to discuss the impact of this attack or other security related matters, we are here to help.

Please do not hesitate to contact us for any assistance.