Cyber Security Expert: The consequences of the Superdrug data breach

With the recent news that Superdrug has been hacked, exposing 200,000 customers’ details, Dr Guy Bunker, SVP of Products at data security company, Clearswift, looks into the statement made by the health and beauty retailer.

Dr Guy Bunker, SVP of Products at Clearswift:

“The first thing to consider as a consequence of this breach is GDPR. Only time will tell but we may see Superdrug fined because of the hack.

“The second is whether the proposed method of the attack – with the attackers finding other ways of obtaining usernames and passwords from somewhere else and then using those to brute force an attack on the Superdrug site – was actually used. Now, Superdrug is claiming that this approach may well be what has been used, in which case it wasn’t them who lost the information, and so implying they are not to blame in any way and, therefore, shouldn’t be fined under GDPR or any other compliance case.

“If the latter is true, brute force based on found credentials, then this type of attack will become increasingly commonplace, and the onus goes back on customers to look after their credentials and not to use the same passwords for multiple sites.

“In this case, by going public Superdrug evidently isn’t paying those who are trying to blackmail them and, by bringing to light the method by which the customer data was obtained, is also showing how it will be difficult for legislators to prove where data might have come from in case of a GDPR claim.”


Bank of England late on the Fourth Industrial Revolution challenge

The Bank of England’s (BoE) chief economist, Andy Haldane warned that the UK will need a “skills revolution” in order to face the disruption of what is called the Fourth Industrial Revolution. Mr. Haldane underlined the need to reskill as artificial intelligence is making an increasing number of jobs obsolete.

Big Data LDN questioned data experts last year about the impact of the Fourth Industrial Revolution on skills, and UK businesses have not been as unprepared as Mr. Haldane thinks, even if there is still a long way to go.

The report’s key findings included:

  • Skills gap saved by self-sufficiency – When asked how they will obtain the skill sets needed for the Fourth Industrial Revolution, 60% will identify and redeploy staff with transferable skills, and only 2% of UK businesses surveyed will outsource.
  • Short-termist ambitions for UK organisations – Four times as many UK organisations (58%) use data to analyse existing customer engagement and loyalty as to develop new products (13%).
  • Somewhat prepared – Almost all UK enterprises have a data strategy for the Fourth Industrial Revolution. However, the majority of organisations (48%) have only been recently delivering against it for the last 12 months.
  • Strategic technology on the shopping list for UK businesses – Data Leaders indicated Enterprise Information Management (29%), Self-service data preparation (27%) and Cloud (25%) platforms are the technologies needed to deliver value and business growth in the new revolution.

MP Alan Mak, Chair of the All-Party group on the Fourth Industrial Revolution welcomed the report saying:

“Data will be as important to the British economy in this century as oil was in the previous one, so it is vital that as we prepare for Brexit we invest wisely in the skills and new technologies needed to harness the opportunities of the 4IR.”

Big Data LDN will publish a second Fourth Industrial Revolution report ahead of the event. Big Data LDN 2018 will take place on 13th November at Olympia.


Access the latest cyber security tools and techniques at the ASEAN Cybersecurity Summit 2018

ASEAN Cybersecurity Summit 2018, organized by EC-Council, is a very focused initiative which will bring together 150+ pre-qualified CISOs, CIOs, CTOs, senior information security, risk, forensics, compliance, cyber law and law enforcement professionals from all over the ASEAN region. The summit will focus on “Building a Resilient and Innovative ASEAN”, as well as how to develop a holistic and strategic approach.

The summit will showcase solutions in AR/VR, AI, cloud, cyber-security, data & analytics, IoT, blockchain, robotics and digital payments, exploring the role these technologies play in connecting cities, businesses, citizens and machines. You will have an opportunity to meet representatives from Darktrace (Platinum Partner), Cyberbit (Diamond Partner), Google Cloud (Gold Partner), Ivanti, F-Secure, Security Weaver, Rapid7 and BitSight Technologies (Silver Partners), I-Sprint Innovations (Bronze Partner) and Horangi (Startup Partner).

You will also witness a wide array of speakers from Malaysia, Vietnam, Indonesia, Hong Kong, Cambodia, Thailand, Singapore and Philippines.

The summit will bridge the gap between the leading security solution providers and security professionals by bringing them on the same pedestal. All this, with one objective and that is to make ASEAN resilient to cyber-attacks and become the ‘next gen cyber-fortress’.

Event website url: https://ciso.eccouncil.org/portfolio/asean-cyber-security-summit/

Where: Singapore Marriott Tang Plaza Hotel, Singapore

When: 17th August 2018

 

For Media inquiries contact,

Mr. Rakesh Acharya

Marketing Manager- Global Events

Email: rakesh.acharya@eccouncil.org

Hand phone: +91 7977828905


Counter-Fraud Standards and Profession

Protecting public services and fighting economic crime.

Original Source: https://www.gov.uk/government/groups/counter-fraud-standards-and-profession

About the Government Counter Fraud Profession

The GCFP is a structure for counter fraud specialists working in central government. It aims to bring the counter fraud community together under a common set of standards and develop that community as they protect public services and fight economic crime. As part of this new and active community, members will not only gain recognition and credibility for their specialist skill set, but also have access to the standards, guidance and products to help members develop their own career – not just with a focus on investigation, but now with a move towards new areas of risk assessment, prevention and the use of data analytics.

By helping organisations across the public sector see what skills, knowledge and experience are needed to effectively prevent and tackle fraud, the GCFP puts HM Government in a much stronger position to deal with the challenges presented by fraud, bribery and corruption, and enhances the UK’s reputation as a global leader in this field.

What does the GCFP do?

The GCFP is transforming the public sector counter fraud activity, making the UK public sector better at identifying, preventing and recovering losses from fraud and other economic crime. Its impact will reach across the public sector, benefiting individuals and the organisations they work for.

Across the Civil Service

Raises the profile of counter fraud activity and the complex, evolving skill sets required to do it.

Across all central government organisations

Sets consistent counter fraud standards across the government.

For each organisation

Provides the transparency needed to identify skilled staff and tackle fraud effectively.

For individuals

Empowers a new community of counter fraud specialists; giving them recognition and credibility.

What do I do now?

If you work in counter fraud, this is your Profession. We don’t want you to sit there in silence; get involved.

If you’re already or soon to be a member, find out how you can get involved in developing the community, through its events, tools and communications.

If there is no current route into the Profession for your discipline, get in touch, and help to develop one. We want you to shape this Profession.

I’m a civil servant, but I don’t work in counter fraud

Take another look at the counter fraud training for all staff, and for managers, available on Civil Service Learning.

If you’re thinking about developing a career in counter fraud

If you want to register your interest in the GCFP, you will be able to complete a registration form (see useful information) and submit it to our inbox (see contact details). This is currently under development and will be available soon.


RED AND BLUE TEAM FUNCTIONALITY – DOES OUTSOURCING DIGITAL FORENSICS MAKE SENSE?

FADI ABU ZUHRI

INTRODUCTION
Red Teams are external units that evaluate the effectiveness of a security program. This is achieved by simulating the behavior and methods of possible attackers in the most convincing manner. Blue Teams are integrated security groups that protect the organization from real attackers and the Red Teams. Since many security teams are not constantly attacked, most Blue Teams should be separated from established standard security groups (Miessler, 2016).

Red Team and Blue Team exercises were named after similar military exercises. The concept is that one group of security experts (the Red Team) attacks an object, and the other group (the Blue Team) protects it. Initially, the exercises were run by the army for military training. They have also been utilized to assess the physical security of high-value assets, such as nuclear facilities.

According to Hargreaves and Chamberlain (2018), Red Teams have been hired to replicate the behavior and methods of the attackers in the most realistic possible way. For instance, this group may attempt to enter a commercial building by acting as a distribution controller in order to configure the device to facilitate public access. On the other hand, the Blue Team is responsible for defending against these attacks, and functions as the internal security team. The Red Team is generally security goal oriented and tries to secretly verify the company’s own defense. The team involves well-trained and technically competent security experts, whose goal is to ascertain and take advantage of security vulnerabilities in the system (CybeRisk, 2018).

Miessler (2016) argues that, excluding complex threats in the real world, the exercise will be very realistic. The Red Team is not limited to IT tools and advanced technology to penetrate systems and buildings. Its work can include writing custom malware and developing new methods, just as malicious hackers do. Everything is allowed, including social engineering and psychological manipulation, to achieve its goals. If team members need to mask their entry by posing as a courier in order to connect a USB device to a computer, so be it. The Blue Team is usually the company’s Director of Security at the Security Operations Center (SOC). The SOC is made up of highly qualified analysts who protect and improve the security of the organization 24×7.

Drinkwater and Zurkus (2017) point out that the Blue Team must determine, defend and weaken the Red Team. The attack simulation is intended to improve their capabilities by organizing them for dangerous attacks in the real world. Blue Team will identify and defuse the most demanding attacks and carefully monitor contemporary and evolving threats to the active protection of the company.

SHOULD DIGITAL FORENSICS BE OUTSOURCED WITHIN GOVERNMENTS AND/OR FEDERAL INSTITUTIONS?
Digital Forensics operates as part of the Blue Team, since it works as part of the SOC or the Computer Security Incident Response Team (CSIRT). Generally, not everything is included, but it has the background of the Security Operations Center. Digital Forensics requires tools to check deleted files in hard disks, memory, browser caches and Windows registry (Paganini, 2016).

There are two sides to the argument: one says outsource all you can for whatever resources and competences are needed. The other says do not outsource critical functions, which would compromise your most valuable assets.

ARGUMENTS FOR OUTSOURCING
Evans (2016) points out that computer forensic reviews are generally performed inadequately in many medium and large institutions. Even though the current trend includes computer forensics as an integral discipline of an extensive information security program, there are several institutions with limited capability for computer forensics.

Devlin (2018) argues that if the institution has conflicting legal requirements or cannot provide a permanent source of support for this resource, it is reasonable to transfer it to a third party. Outsourcing solutions must be based on the required IT skills and, of course, on cost analysis. The organization must also determine the scope and possibility of the possible outsourcing contract, as well as the internal resources needed to attain the required capacity level.

Devlin (2018) indicates that there are four main reasons for this inconvenience: computer forensic examinations and their assistance activities are very costly and technically complex, with possible legal consequences; new tools and methods with constant updates are usually required to adapt to new technologies and threat models; it may be hard to validate the establishment and maintenance of a legal laboratory that will continue the process of collecting all the notches and is based on the burden of proof; and the protection of this capacity requires the development and formation of a large number of people.

The lack of specialists, such as digital forensic investigators, is a real problem. The analysis of any digital data is tedious and time-consuming, even with the aid of specialized software. Digital forensics requires the analysis of multiple digital devices and the numbers can run into tens and hundreds, but there are not sufficient investigators to perform the necessary analysis. Digital forensic experts also have to deal with situations where they are limited in the number of hours that can be spent examining each hard drive. For each machine, it may take several days for proper legal work, requiring compliance with various standards and regulations, when dealing with a continuous flow of data entering the lab. Thus, their research work suffers (CYFOR, 2018).

ARGUMENTS AGAINST OUTSOURCING

There are a number of instances in which an organization would be compelled to seek the services of forensic experts in-house (Digital Discovery, 2011). While there are advantages of seeking the services of forensic experts in-house, there may be valid reasons that could limit federal institutions and government organizations from seeking these services. These situations include circumstances such as when the organizations are involved in lawsuits, where the organizations deal with classified materials, and even circumstances where the organizations experience frequent intrusions (Obbayi, 2018). Chain of custody can be compromised where the transfer of digital evidence is not documented, something that is more likely when digital forensics is outsourced. According to Devlin (2018), the one key advantage of seeking forensic experts in-house is the fact that it will go a long way in saving money. But saving cost is not a good enough reason to outsource your most critical functions.

Federal and government bodies have massive amounts of sensitive data that need to be kept secret at any cost (Comtact, 2017). Devlin (2018) points out that choosing an in-house cyber security expert to secure critical data is a natural option. Many times it is difficult to ensure that the outsourced party is really as good as they claim to be. Furthermore, forensic experts in-house could play a continuing role in assisting to detect and investigate cases of fraud, asset misappropriation, abuse and misuse of the system, and other forms of non-compliance.

CONCLUSION
The Red Team is under the organization’s radar, while it targets its objectives without any limitation of time or resource. The Blue Team, on the other hand, needs to operate within organizational boundaries while being ever ready to defend against any attack. While they may be saving the organization against numerous attacks, one incident of security breach is enough to tarnish their image.

In the World Cup, the game is not about how many balls the goalkeeper has saved, and no one will remember this; it is about how many balls the goalkeeper missed, and this is what everyone will remember.

On another note, people will always remember the doctor whose negligence cost someone’s life, but conveniently forget the thousand lives the doctor saved in his or her lifetime. This just highlights the tremendous pressure the Blue Team works under, every day of the year and especially the role that forensic experts in-house could play.

The courts place immense value on the integrity of digital evidence. Therefore, one cannot overstate the importance of documenting the collection, examination, storage and transfer of digital evidence by competent people. Organizations need to assess the risk of outsourcing digital forensics against these requirements.

The oft-quoted reason for outsourcing digital forensics is the lack of internal expertise, or to simply save money. Imagine if the hospital you visit does not have its own doctors, and shares all your medical information with an external consultant who prescribes your treatment. Would you go to such a hospital to save a few hundred dollars?

REFERENCES
1. Comtact. (2017). Pros and cons of outsourcing your Cyber Security – In-house, MSSP, or Virtual SOC? Retrieved July 13, 2018, from http://www.comtact.co.uk/blog/pros-andcons-of-outsourcing-your-cyber-security-in-house-mssp-or-virtual-soc

2. CybeRisk. (2018). The Red, Blue and Purple team and what’s between them. Retrieved July 13, 2018, from https://www.cyberisk.biz/red-blue-purple-team/

3. CYFOR. (2018). Police should be outsourcing to digital evidence specialists. Retrieved July 12, 2018, from https://cyfor.co.uk/police-should-be-outsourcing-to-digital-evidencespecialists/

4. Devlin, H. (2018). Police outsource digital forensic work to unaccredited labs. Retrieved July 15, 2018, from https://www.theguardian.com/uk-news/2018/feb/12/policeoutsource-digital-forensic-work-to-unaccredited-labs

5. Digital Discovery. (2011). Why Out-Source Computer Forensics? Retrieved July 13, 2018, from http://www.digitaldiscoveryesi.com/Blog/Why%20Out-Source%20Computer%20Forensics?/

6. Drinkwater, D., & Zurkus, K. (2017). Red team versus blue team: How to run an effective simulation. Retrieved July 13, 2018, from https://www.csoonline.com/article/2122440/disaster-recovery/emergency-preparednessred-team-versus-blue-team-how-to-run-an-effective-simulation.html

7. Evans, B. (2016, January 29). Should you outsource computer forensic? Retrieved July 14, 2018, from https://www.healthdatamanagement.com/opinion/should-you-outsourceyour-computer-forensic-investigations

8. Hargreaves, A., & Chamberlain, J. (2018). The roles of Red, Blue and Purple teams. Retrieved July 12, 2018, from https://www.itlab.com/blog/understanding-the-roles-ofred-blue-and-purple-security-teams

9. Miessler, D. (2016). The Difference between Red, Blue, and Purple Teams. Retrieved July 14, 2018, from https://danielmiessler.com/study/red-blue-purpleteams/

10. Obbayi, L. (2018). Computer Forensics: Chain of Custody. Retrieved July 13, 2018, from InfoSec Institute: https://resources.infosecinstitute.com/category/computerforensics/introduction/areas-ofstudy/legal-and-ethical-principles/chain-of-custody-in-computer-forensics/

11. Paganini, P. (2016). Cyber security: Red team, Blue team and Purple team. Retrieved July 13, 2018, from https://securityaffairs.co/wordpress/49624/hacking/cyber-red-teamblue-team.html

12. Stackpole, B. (2016). Why (and when) outsourcing security makes sense. Retrieved July 13, 2018, from https://www.cio.com/article/3120650/security/why-and-whenoutsourcing-security-makes-sense.html


The Need for Effective Third-Party Risk Management in Financial Services

Written by Tom Turner, CEO, BitSight

In the last few years we have seen the frequency and severity of third-party cyberattacks against global financial institutions continue to increase. One of the biggest reported attacks against financial organisations occurred in early 2016, when $81 million was taken from accounts at Bangladesh Bank. Unknown hackers used SWIFT credentials of Bangladesh Central Bank employees to send more than three dozen fraudulent money transfer requests to the Federal Reserve Bank of New York asking the bank to transfer millions of the Bangladesh Bank’s funds to bank accounts in the Philippines, Sri Lanka and other parts of Asia. The Bangladesh Bank managed to halt $850 million in other transactions, and a typo made by the hackers raised suspicions that prevented them from stealing the full $1 billion they were after.

Landscape

The Financial Conduct Authority (FCA) reported 69 attacks in 2017 compared to 38 reported in 2016, a rise of more than 80% in the last year. We saw two main trends last year. First, there was a continuation of cyberattacks targeting systems running SWIFT — a fundamental part of the world’s financial ecosystem. Because SWIFT software is unified and used by almost all the major players in the financial market, attackers were able to use malware to manipulate applications responsible for cross-border transactions, making it possible to withdraw money from any financial organisation in the world. Victims of these attacks included several banks in more than 10 countries around the world. Second, we saw the range of financial organisations that cybercriminals have been trying to penetrate expand significantly. Different cybercriminal groups attacked bank infrastructure, e-money systems, cryptocurrency exchanges and capital management funds. Their main goal was to withdraw very large sums of money.
With the evolving risk landscape and the challenges of new potential risks including third party risks, companies within financial services need a set of management procedures and a framework for identifying, assessing and mitigating the risks these challenges present. Effective risk management offers sound judgement in making decisions about what is the appropriate resource allocation to minimise and mitigate risk exposure.

Risk management lifecycle

The basic principle of a risk management lifecycle is to mitigate risk, transfer risk and accept/monitor risk. This involves identification, assessment, treatment, monitoring and reporting.
In order to mitigate risk, an organisation must measure cyber risk performance and incentivise critical third-party vendors to address security issues through vendor collaboration.
In terms of identification, you can’t manage your risks if you don’t know what they are, or if they exist. The first step is to uncover the risks and define them in a detailed, structured format. You need to identify the potential events that would most influence your ability to achieve your objectives, then define them and assign ownership.
Once the risks are identified they need to be examined in terms of likelihood and impact, also known as assessment. It is important to assess the probability of a risk, and its consequences. This will help identify which risks are priorities and require the most attention. You need to have some way of comparing risks relative to each other and deciding which are acceptable and which require further management. In this way you establish your organisation’s risk appetite.
To transfer risk, an organisation is advised to influence vendors to purchase cyber insurance to transfer risk in the event of a cyber event.
Once the risk has been assessed, an approach for treatment of each risk must now be defined. After assessment, some risks may require no action, to only be continuously monitored, but those that are seen as not acceptable will require an action or mitigation plan to prevent, reduce, or transfer that risk.
To accept and monitor risk, the organisation must understand potential security gaps and may need to accept certain risks due to business drivers or resource scarcity.
Once the risk is identified, assessed and a treatment process defined, it must be continuously monitored. Risk is evolutionary and can always change. The review process is essential for proactive risk management.
Reporting at each stage is a core part of driving decision-making in effective risk management. Therefore, the reporting framework should be defined at an early point in the risk management process, by focusing on report content, format and frequency of production.

Managing with risk transfer

Risk transfer is a strategy that enterprises are considering more and more. It mitigates potential risks and complies with cyber security standards. As cybercrime rises, an insurer’s view of cybersecurity has changed from being a pure IT risk to one that requires board-level attention. Insurance is now viewed as fundamental in offsetting the effects of a cyberattack on a financial institution. However, insurers will want to know that appropriate and audited measures are in place to prevent an attack in the first place and respond correctly when cybersecurity does fail. An organisation’s risk management responsibility now extends down the supply chain and insurers will want to know the organisation’s strategies to monitor and mitigate third party vendor risk.
Simplifying risk management and the transfer of risk can also be accomplished by measuring your organisation’s security rating. This is a similar approach to credit ratings for calculating risk. Ratings provide insight into the security posture of third parties as well as your own organisation. The measurement of ratings offers cost saving, transparency, validation and governance to organisations willing to undertake this model.
The benefits of security ratings will be as critical as credit ratings and other factors considered in business partnership decisions in the very near future. The ratings model within risk management can help organisations collaborate and have productive data-driven conversations with regards to risk and security, where they may not have been able to previously.

Long term potential

This year we will see a continuation of third-party cyberattacks targeting systems running SWIFT, allowing attackers to use malware in financial institutions to manipulate applications responsible for cross-border transactions across the world. Banks generally have more robust cyber defences than other sectors, because of the sensitive nature of their industry and to meet regulatory requirements. However, once breached, financial services organisations’ greatest fear is copycat attacks. This is where an effective risk management strategy can enable better cost management and risk visibility related to business operational activities. This leads to better management of market place, competitive and economic conditions, and increases leverage and consolidation of different risk management functions.


Cyber Security Incidents: Insider Threat falls in UK (to 65%) and Germany (to 75%) post GDPR, but US risk increases (to 80%)

New research by data security company Clearswift has shown that, year on year, cyber security incidents from those within the organisation, as a percentage of all incidents, have fallen in the UK and Germany, two countries now subject to GDPR. However, in the United States, a country outside of the direct jurisdiction, threats are on the rise.

The research surveyed 400 senior IT decision makers in organisations of more than 1,000 employees across the UK, Germany, and the US. The data has revealed that when looking at the true insider threat, which takes into account inadvertent and malicious threats from the extended enterprise – employees, customers, suppliers, and ex-employees – this number sits at 65% in the UK, down from 73% in 2017. Similarly, senior IT decision makers in Germany also saw a drop to 75%, down from 80% the previous year. US respondents actually saw a rise in the insider threat up to 80%, a number rising from 72% in 2017.

Direct threats from an employee within the business – inadvertent or malicious – now make up 38% of incidents. This has halted the rising threat evident in 2017 and 2015, which showed 42% and 39% respectively. Threats from ex-employees account for 13% of all cyber security incidents, highlighting a clear need for better processes when employees part ways.

“Although there’s a slight decrease in numbers in the EMEA region, the results once again highlight the insider threat as being the chief source of cyber security incidents. Three quarters of incidents are still coming from within the business and its extended enterprise, far greater than the threat from external hackers. Businesses need to shift the focus inwards”, said Dr Guy Bunker, SVP Products at Clearswift.

“I think at the very least what GDPR has done is ensure firms have a better view of where critical data sits within their business and highlighted to employees that data security is an issue that is now of critical importance, which may be why we’ve seen a drop in the insider threat across EU countries. If a firm understands where the critical information within the business is held and how it is flowing in and out of the network, then it is best placed to manage and protect it from the multitude of threat vectors we’re seeing today.”

Although internal threats pose the biggest threat to most organisations, employers believe that the majority (62%) of incidents are accidental or inadvertent rather than deliberate in intent; a number that is slightly down on 2017 (65%).

The insider threat was slightly less for companies with over 3,000 employees (36%), as opposed to those with between 1,000 – 3,000 employees. This is a possible indication of more robust internal processes and checkpoints at larger businesses.

Bunker added, “Organisations need to have a process for tracking the flow of information in the business and have a clear view on who is accessing it and when. Businesses need to also ensure that employees ‘buy into’ the idea that data security is now a critical issue for the business. Educating them on the value of data, on different forms of data, what is shareable and what’s not, is crucial to a successful cyber security strategy.

“Having said that, mistakes can still happen and technology can act as both the first and last line of defence. In particular, Adaptive Data Loss Prevention solutions can automatically remove sensitive data and malicious content as it passes through a company network.”
