Month: August 2019
Sectigo Collaborates with Electronic Frontier Foundation, Sponsors Automated Certificate Renewal in Certbot Open Source Software Tool
Google, Apple, and Mozilla won’t budge on Kazakhstan’s plot to spy on citizens – Expert Comment
The Kazakhstan government has been taking measures to force citizens to trust its own root certificate, enabling the widespread persecution of dissidents, journalists, and human rights advocates. Google, Mozilla and Apple are taking action against the Kazakh government’s effort to run a surveillance operation against its own citizens by blocking the certificate, which allowed it to monitor the encrypted internet activity of any user who installed it.
Commenting on this, Tim Callan, Senior Fellow at Sectigo, says:
“This attempted attack by Kazakhstan against its own citizens was the first of its kind, but had it succeeded we could have expected other governments to employ the same tactic against their people as well. This threat could have been addressed only at the browser level, and it forced browsers into new territory when considering how to manage their trusted root stores. By taking this stand, Google, Apple and Mozilla join major internet services in declaring they are not simply neutral technology providers but instead have a social responsibility for how their technology offerings are used.”
Securing Maritime Assets Demands a New Approach
At this moment, cyber-attacks threaten thousands of vulnerable cargo ships, which carry billions of dollars’ worth of goods. Due to the lack of maritime-specific cybersecurity solutions, vessels are highly susceptible to digitally-led hijackings or even ransomware. This threat can wreak havoc on global shipping, the backbone of modern economics. With Artificial Intelligence functionality, future solutions include autonomous safety mechanisms which recognize that they are the sole line of defense.
Unlike enterprises or fixed-location systems, maritime vessels face unique challenges due to rotating crews and remote positions. A lack of industry-wide cybersecurity practices has robbed the industry of hundreds of millions of dollars. Turning a blind eye to this danger is an open surrender to cyberattacks, leaving countless openings for opportunistic hackers to infiltrate ships’ software systems.
Hijacked ships being held for ransom or run aground on a reef or dock risk catastrophic damage to humans and natural habitats alike. Beyond that, the blow dealt to a company’s reputation may take years to recover from, resulting in a significant loss of revenue and consumer confidence. Notably, Maersk’s 2017 cyberattack had a rapid response, resulting in a minimal loss of only 300 million dollars.
In order to secure investments and ensure security, practical solutions must act on their own, without human intervention.
Unique Challenges
Today’s market has no lack of quality cybersecurity software, but when it comes to the maritime industry and its unique set of challenges, most of the existing solutions do not fit.
Legacy solutions lack viability. No cybersecurity software accounts for protecting a floating mini-city forced into radio silence. Cargo ships, cruise liners, and offshore rigs face greater cybersecurity challenges than the International Space Station. The difference is: astronauts spend two years preparing for a single mission, while deckhands have zero computer expertise.
Modern maritime vessels rely on unstable, low-bandwidth, and choppy communication. With such a massive area and so few people, there is no room for an IT expert. In reality, the inability to secure a vessel with maritime-focused cybersecurity solutions is of greater concern than a poorly screened crew.
These increasingly digitally-managed ships rely on outdated systems, some running Windows XP, without a means to properly encrypt information. If a compromised ship has been given new coordinates, the onboard system has no cloud to rely on and no IT department to ask. Tech support is simply unavailable at sea.
Even if a ship’s captain were to determine that a security breach has occurred, they would have no way to address it. Without regulated protocols to secure all connected devices from ship to port, the frequency of cyber-attacks will continue to climb.
Solutions
Crews and cargo transport all kinds of smart devices, each a potential gateway for hackers. The first step to countering a cyberattack is acknowledging it. Any viable system which is expected to block an attack cannot shut down and wait for instructions. The risk of irreversible damage is too great.
Conclusion
An immobile ship loses money and a compromised ship ruins reputation. With our global economy becoming increasingly accessible, we at Elron expect to see a rise in global shipping and cruising. A secure maritime industry is a secure global economy.
To make this a reality, the ecosystem must develop and implement maritime-specific solutions. Rapid and autonomous response cybersecurity solutions are the only option. Patching together legacy solutions is ineffective and puts the whole ecosystem at risk.
A product that can act quickly and self-correct is an essential piece of technology when it comes to a vessel’s security. Simply encouraging companies to implement a cybersecurity solution by 2021 is not enough. We are investing in securing the industry today.
Demystifying Data Subject Access Requests
One year on from the introduction of the General Data Protection Regulation (GDPR), it is becoming clear that when it comes to Data Subject Access Requests (DSARs), organisations are confused about how to balance the rights of an individual with the needs of an organisation. John Potts (Head of DPO, DSAR and Breach Support) at GRCI Law outlines the essential processes that companies must put in place to avoid falling foul of a DSAR breach.
GDPR Misunderstanding
While subject access requests were in place under the Data Protection Act 1998 (DPA), growing personal data awareness has resulted in a significant spike in DSAR activity, and there is a degree of resentment regarding the way individuals are now using these new data rights. However, whether a business feels the DSAR is justified is in the main irrelevant: it is the law. Companies have a legal requirement to comply with a DSAR within one month or face the wrath of the Information Commissioner’s Office (ICO) and a potential enforcement action. That could mean a fine, and it will always impact on the reputation of the organisation.
This deadline applies for any DSAR, whether it is created internally or externally. Indeed, a significant proportion of the rise in DSARs is in support of employee grievance and tribunals. Many employment lawyers will now typically file a DSAR for the relevant period(s), as part of any case – whether it is an employee fighting dismissal or filing a complaint against a colleague. Companies, therefore, need to recognise that in such cases these individuals know exactly what information the DSAR should include, whether that is an email trail or meeting notes. Don’t fall into the trap of overlooking the DSAR simply because a tribunal is underway: the right process must be in place to respond to every DSAR irrespective of who makes the request or why.
As such, it is essential to put in place a process for immediately recognising a DSAR. Individuals can make requests via any medium, from Twitter to email and letter. Fail to respond within the deadline, for whatever reason, and the individual can raise a complaint with the ICO, which will then investigate. In addition to ensuring DSARs are not overlooked for any reason, a company also needs a smooth escalation process and at least one individual trained to respond to the DSAR.
Exemptions and Third Party Data
While the majority of DSARs are simple, organisations will face some that raise questions. The way third party data is handled, for example, can be a minefield. Many companies believe it is simply a case of going through all the relevant data and redacting any names other than that of the individual that has made the request. That is not the case.
For example, if ten people were in a meeting and one of those makes a DSAR, there is no point redacting the names of the other nine individuals: everyone knows they were in the meeting. However, this approach cannot be applied to CCTV records, for example. An individual may accept the existence of CCTV in a nightclub, but that does not provide implicit agreement that their presence can be shared in a response to someone else’s DSAR. Or take a police custody suite: even if faces are redacted, background conversations could infringe individual rights. When it comes to third party data, DSARs will have to be considered on a case by case basis; there is no blanket response.
Furthermore, there are a number of exemptions that can be applied to DSAR, including Legal Professional Privilege (LPP) for information exchanged between an individual and legal representative, as well as information relating to company finances or national security. The ICO will look at each exemption on a case by case basis and it is therefore essential to ensure each DSAR is annotated with the relevant exemption.
Conclusion
Failure to respond quickly to a DSAR is not going to automatically incur the huge fines associated with data theft. However, it is still a breach of GDPR and the ICO is not going to go easy on organisations that fail to put in place the right processes. DSARs are becoming a fact of life for every organisation; individuals know their rights and, as the rise in employee grievance inspired DSARs reveals, they are actively looking to use the new legislation to support their cause.
For any organisation, process is key: monitor all incoming communication channels for DSARs and escalate quickly, because the clock starts when the company receives the request. Put in place good professional support for any complex cases that may require exemption or redaction. And, critically, think hard about data retention strategies. The whole aim of GDPR is to make companies consider their data resources and move away from storing data for the sake of it. Only retain data that is relevant and that you have a lawful reason to process, and put in place a retention policy with strong methods for recording, extracting and redacting if needed.
Sifting the haystack: what are the must-have datasets for fraud teams?
Written by Josh Lefkowitz, CEO, Flashpoint
It’s hard to overstate the impact of financial fraud. It is pervasive, destructive, and distressing for victims. It erodes trust in business and society, and exposes organisations to high levels of regulatory, reputational, and financial risk. According to UK Finance, in 2018, £1.2 billion was stolen through fraud and scams. That stolen money may be used to fund illegal activity that further damages society.
The problem is large and growing. Payment card-related fraud has seen a huge surge in the UK in the past year. Incidents of card-not-present (CNP) fraud grew 49% between 2017 and 2018, while card ID theft rose by an incredible 119%. This isn’t just a problem for card issuers and banks. Much of the data stolen to carry out this fraud has been taken via breaches of third parties. We’ve seen high-profile examples at retailers, transport, and utility companies.
Fraud teams face a herculean task to identify fraud risk, track incidents, and predict where future risk will emerge. Big data gleaned from internal systems offers a vast hunting ground in which to detect evidence of fraud that has already taken place, but its sheer volume adds to the “needle-in-a-haystack” challenge. It’s tough for teams to know where to direct their efforts. External datasets provide crucial context about where threats are emerging, and help teams understand how these vectors will be used by the criminal community. Let’s look at what we consider to be the must-have external datasets for fraud teams.
Visibility of Card Shop data
Given the huge scale of payment card-related fraud it’s not surprising that there is a sophisticated underground industry fuelling the surge. In fact, in the case of CNP fraud, the illicit economy has matured to a degree that stolen data has become a commodity that can simply be sold and bought in a deep & dark web (DDW) marketplace.
Card shops are platforms where previously stolen card data is offered for sale. One of the most (in)famous is Joker’s Stash, but that’s just one of many underground platforms with links to stolen payment card data providers. This data includes sets of payment card numbers that are often packaged together with the information needed to validate transactions such as CVV codes, expiry dates, cardholder names and addresses. Buying stolen data means the fraudster doesn’t need the skills and risk appetite required to steal it, so the barriers to entry for this type of crime are lowered. Selling the data also means the actor who originally stole it can extract maximum profit from their theft.
Stolen card data is typically listed on card shops by its Bank Identification Number (BIN). This specifies the bank that issued the payment card. Fraudsters use this information to refine their tactics by analysing the security measures in place at that institution and adopting strategies to work around them.
Visibility of the data for sale in card shops can alert bank fraud teams to the compromised cards associated with their institution that are in the wild. However, further intelligence and context is needed to fully understand the threat immediacy and severity.
For example, some card shops are more reputable than others. Some are well-respected among the criminal community, with direct links to data thieves and confident enough in their product to even offer money-back guarantees if it doesn’t do the job. Finding compromised card data here is likely to indicate a recent breach and immediate risk. Less reputable card shops simply copy data from other marketplaces, with no regard to how recent or valid it is – they just want to make a quick buck. Finding data here does not necessarily mean a new breach has occurred. If fraud teams are not aware of this, they could waste time investigating a slew of cards that have already been cancelled.
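One way an issuer’s fraud team could operationalise the BIN and shop-reputation points above, as an added example that is not from the article or from Flashpoint’s tooling: the BIN prefixes, shop names, reputation tiers, cancelled-card list and listings are all constructed placeholders.

```python
"""Triage of card-shop listings against an issuer's own BINs.

Constructed example: keep only listings whose BIN belongs to our
institution, drop cards already cancelled (so analysts do not re-work
dead cards), rank the rest by shop reputation and CVV availability, and
flag BINs where a reputable (tier1) shop is listing many of our cards,
which is the pattern most likely to indicate a fresh breach.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Hypothetical six-digit BINs issued by our institution (constructed).
OUR_BINS = {"412345", "412346", "512345"}

# Analyst-maintained reputation tiers (constructed names and tiers):
# tier1 = direct links to data thieves, money-back guarantees -> fresh data
# tier3 = recycles dumps copied from other shops -> low immediacy
SHOP_TIER = {"shop-alpha": "tier1", "shop-beta": "tier2", "shop-gamma": "tier3"}
TIER_SCORE = {"tier1": 3, "tier2": 2, "tier3": 1}

# How many of our cards at a tier1 shop before we treat a BIN as a breach signal.
NEW_BREACH_THRESHOLD = 3


@dataclass(frozen=True)
class Listing:
    shop: str
    bin: str        # first six digits, as shops list them
    last4: str      # masked reference only; no full PAN is handled here
    exp: str        # MM/YY
    has_cvv: bool   # CVV bundled -> card is CNP-ready, higher immediacy

    def card_ref(self) -> tuple:
        return (self.bin, self.last4, self.exp)


def is_ours(listing: Listing) -> bool:
    return listing.bin in OUR_BINS


def priority(listing: Listing) -> int:
    """Higher = investigate first. Unknown shops are treated as tier3."""
    score = TIER_SCORE[SHOP_TIER.get(listing.shop, "tier3")]
    if listing.has_cvv:
        score += 1
    return score


def triage(listings: Iterable[Listing], cancelled: set) -> list:
    """Return our still-live cards, deduplicated across shops, best first."""
    best = {}
    for item in listings:
        if not is_ours(item) or item.card_ref() in cancelled:
            continue
        ref = item.card_ref()
        # The same card copied to several shops: keep the most credible sighting.
        if ref not in best or priority(item) > priority(best[ref]):
            best[ref] = item
    return sorted(best.values(), key=lambda l: (-priority(l), l.bin, l.last4))


def breach_signals(alerts: Iterable[Listing]) -> dict:
    """BINs with >= threshold of our cards sighted at a tier1 shop."""
    per_bin = Counter(a.bin for a in alerts if SHOP_TIER.get(a.shop) == "tier1")
    return {b: n for b, n in per_bin.items() if n >= NEW_BREACH_THRESHOLD}


def run_sample():
    """Constructed listings: 3 of our cards at a tier1 shop, one recycled copy,
    one cancelled card at a tier3 shop, one at a tier2 shop, one not ours."""
    listings = [
        Listing("shop-alpha", "412345", "1111", "12/21", True),
        Listing("shop-alpha", "412345", "2222", "01/22", True),
        Listing("shop-alpha", "412345", "3333", "03/22", False),
        Listing("shop-gamma", "412345", "1111", "12/21", True),   # copy of the first
        Listing("shop-gamma", "412346", "4444", "06/21", False),  # already cancelled
        Listing("shop-beta", "512345", "5555", "09/22", True),
        Listing("shop-alpha", "999999", "6666", "05/22", True),   # another issuer
    ]
    cancelled = {("412346", "4444", "06/21")}
    alerts = triage(listings, cancelled)
    return alerts, breach_signals(alerts)


if __name__ == "__main__":
    found, signals = run_sample()
    for a in found:
        print(priority(a), a.shop, a.bin, a.last4, a.exp)
    print("possible new breach by BIN:", signals)
```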
Deep and dark web intelligence
While card shops are the go-to source for buying stolen payment card data, they’re not the only source for datasets that should interest fraud teams. DDW forums are also a mine of valuable information – if you know where to look.
These types of illicit forums are where cybercriminals share tips and discuss tactics on how to evade security protocols, as well as rate the various card shops. Analysing the chatter here can allow fraud teams to identify the card shops they need to prioritise, spot new tactics, and adjust their fraud prevention measures accordingly.
Intelligence from DDW forums can also be linked to internal data to uncover chains of activity associated with fraud. For example, in the case of account takeover activity, chatter might indicate that a mass phishing campaign is underway by a particular group. If this can be linked to the discovery of customer addresses for sale on a dark web marketplace, that raises the risk and teams should look for evidence of unusual activity patterns around the accounts related to those email addresses.
Encrypted chat platforms
With the takedown of various Dark Web sites, threat actors are moving illicit activities to other online venues that facilitate cybercrime. One such venue is encrypted chat platforms, like Telegram and Discord, among others. Threat actors are using these platforms to communicate more securely and to share mirrors, which are sites that contain nearly identical information to a DDW site but are hosted on different platforms.
In the case of card shops, DDW forums, and encrypted chat platforms, fraud teams are cautioned against attempting to access them first-hand. Doing this safely requires in-depth experience in navigating cybercrime communities. Many are invite-only and password protected, meaning only an intelligence agent with a trusted persona in the community will be able to gain access. Retrieving compromised data from card shops also usually requires a purchase, meaning the agent must procure cryptocurrency and engage directly with threat actors. This is a high-risk activity that is out of scope for most fraud teams. At this point we recommend that teams seek the guidance and assistance of trusted experts.
Information-sharing communities
Another key resource for fraud teams is cyber threat intelligence information-sharing communities. These are the defensive counterpart of DDW forums. They aim to alter the balance of power, which currently favours cybercriminals, by enabling a safe environment for information exchange on the latest attack types, vectors, and tactics experienced by targeted organisations.
Intelligence sharing communities have taken some time to gain traction, due to companies’ reluctance to admit that they have been attacked and reveal the methods which have highlighted weaknesses. However, realisation of the sheer scale of the threat is leading more businesses to engage with information-sharing communities and they should be a pillar of fraud team activity.
The right datasets deliver
With any intelligence programme, the value of the analysis is only as good as the data from which it is derived. Business risk intelligence (BRI) provides fraud teams across all industry sectors visibility into must-have external datasets that provide essential context around the indicators of compromise that may be uncovered in internal data analysis. While internal data provides visibility into current and past activity, external data derived from card shops, DDW forums, encrypted chat platforms, and information-sharing communities, can shine a spotlight on emerging risks and help teams sift the “haystack” more effectively to proactively identify and prevent fraud.
IET and The Collaborative Alliance to Develop New Cybersecurity Council and Professional Recognition Within the UK’s National Cybersecurity Strategy
The Collaborative Alliance for Cybersecurity today confirmed its participation in the design and delivery of the new UK Cyber Security Council on behalf of the Department for Digital, Culture, Media & Sport (DCMS). The Alliance, with the Institution of Engineering and Technology (IET) nominated as lead organisation, was selected following a competitive grant competition by DCMS.
The Alliance is a consortium of cyber security organisations that represent a substantial part of the cyber security community in the UK. Its members include:
The Council will work in partnership with the National Cyber Security Centre (NCSC), be developed with broad representation and be tasked to support the Government’s National Cyber Security Skills Strategy by providing recognition across the practicing community, while enhancing standards and thought leadership for the future. The aim is to have first programmes operational in 2021, with the development phase of the work serving to align relevant investments that are currently being made by Alliance members, a consortium of 16 cyber security organisations that represent a substantial part of the cyber security community in the UK.
“We welcome the announcement from DCMS to recognise IET as the lead organisation to build the UK Cyber Security Council. The Alliance is committed to delivering the Council for the betterment of the wider industry. This announcement represents a concrete step in advancing the UK’s current leadership position for technology innovation and resilience on the global stage. We are already building on strong foundations that come from the extensive experience available from the stakeholder communities we represent and will continue to catalyse initiative across not just the practicing community, but also business and society as a whole,” said Ian Glover, president of Alliance member CREST.
About the Collaborative Alliance for Cybersecurity
The Collaborative Alliance for Cybersecurity brings stakeholders together in the interest of advancing a healthy cybersecurity workforce for the UK, from the development of professional recognition to collaboration around acknowledged priorities to move this workforce forward. The Alliance was formally established in July 2018 by independent, non-profit organisations, several of whom operate under a Royal Charter granted through the Privy Council, and some of whom are able to grant chartered status within their discipline. The Alliance harnesses a broad perspective on professional priorities drawn from its members’ involvement in academia, advocacy, certification, and professional development.
Spotting email compromise in law firms: Users vs technology
The legal sector presents the perfect playground for cyber attackers, with sensitive data waiting to be exploited and the reputations of law firms waiting to be destroyed. Diversion fraud, spear phishing, phishing and social engineering are all very real threats currently facing law firms. To combat these threats, law firms need to move away from placing the burden of spotting cyber attacks on employees, and instead use sophisticated detection engines and threat intelligence sources to transform their email security and threat protection.
Repeating past mistakes
While no business wants to risk damaging their reputation, it is particularly critical for the legal sector. Law firms only have one chance to protect their reputation before clients lose confidence and take their business elsewhere. From intellectual property to personal data, the value of information held by law firms is high, making them a big target for any cyber criminal. In reality, though well-protected FTSE 100 companies are tempting prey, their legal representatives provide equally rich rewards and are, unfortunately, likely to be easier to breach.
Companies are increasingly aware of cyber threats, but many in the legal sector are still focusing their defence efforts on their employees, which isn’t a good place to start. Commonly heard phrases such as ‘users are the weak link in cyber security’ are prompting rigid user training programmes, in the hope they will give employees the skills they need to spot a potential cyber attack, saving the firm from the resulting repercussions.
With other messages highlighting that over 70% of cyber attacks start with email, it’s easy to see why companies start to believe that user training is the best approach to take – especially when law firms have been scarred by past incidents of email-based diversion fraud, where clients have transferred payments to criminals rather than law firms. That’s a situation no law firm wants to be in.
Realistically, companies cannot risk their business reputation and base their security posture on the assumption that employees will never make a mistake, especially employees who are up against the clock. Fraudulent emails are sophisticated and designed to fool users, so how can a company assume that no user will ever act on a fraudulent email that landed in their inbox?
Risking liability
Relying on users to spot malicious emails is not a strategic approach. Of course, it’s still important for users to be aware of security issues, but they cannot be expected to identify malicious emails without being given sufficient information. This simply sets users up to fail.
On top of this, there are also liability concerns. While the majority of diversion fraud emails have followed the impersonation model, where a criminal masquerades as the law firm to entice a client to send funds to alternative bank details, firms must also consider business email compromise, where the law firm is compromised and the email actually comes from the firm’s own system. In the former case, the client/law firm relationship is strained, to say the least, but the law firm is not liable. For the latter, however, a law firm would be liable and would be likely to incur the associated costs, as well as facing the consequences of reputational damage.
Removing the burden
Phishing, spear phishing, social engineering and diversion fraud cannot be ignored by law firms – these threats are very real and won’t disappear any time soon. Whether it’s hard-pressed solicitors or administrative staff, law firms cannot expect employees to carry the weight of identifying these threats, essentially plugging the gaps in unsuitable cyber security strategies. Having users as the first line of your defence is flawed, and arguably even lazy. Law firms need to treat email as the serious cyber security risk that it is, and put appropriate security measures in place.
Email security and threat protection can be transformed by the use of multiple sophisticated detection engines and threat intelligence sources. Fraud detection and content checking in real time automatically highlight phishing and social engineering techniques; removing the burden from users and leaving technology to do its job. Furthermore, technology enables potentially concerning emails – such as those attempting to harvest credentials, mislead users or spread malicious elements – to be automatically flagged, meaning users can make quick, informed and confident decisions as to whether the email should be trusted.
With such sophisticated technology available and a growing threat landscape that shows no sign of slowing down, there is no need for – and no excuse for – putting the burden on users when it comes to mitigating email compromise. It’s time for law firms to make a change and appropriately protect themselves from incoming cyber attacks.
Andy Pearch, Head of IA Services, CORVID
Banking on security: Keeping data secure in financial services
The protection of sensitive data in line with regulations, both for banks and other financial services organisations, is currently a big challenge. The way these organisations operate has changed dramatically in recent years, due mostly to the fact that financial institutions are not only heavily regulated by data privacy requirements, but they are also under mounting pressure to be open to consumers and businesses about how they are protecting their data from potential breaches.
The increasing expectations of consumers means that banks and financial institutions are trying to achieve a balancing act: how can they protect data privacy, while at the same time remaining transparent about how data is being protected? However, it doesn’t have to be a play-off between meeting these customer expectations and meeting cyber security and compliance requirements: banks and financial services organisations can utilise technology to the fullest extent while still protecting data.
The balancing act
To achieve this balance, banks and financial services organisations need to take control of their security posture and assume the entire network is vulnerable to the possibility of a cyber-attack. Robust encryption and controlled security policies should be a central part of an organisation’s cyber security strategy. Through generating and defining policies, network policy enforcement allows organisations to ensure that only authorised applications and users are communicating with one another, while enabling them to meet their own governance, security and compliance requirements.
Rather than waiting for a cyber-attack to happen, new technology tools are now available to gain a deeper understanding of policy deployment and analyse every application that tries to communicate across the network, all the while monitoring all traffic and limiting the pathways potential threats can travel.
Conclusion
Banks and financial services organisations should not have to worry about keeping data secure and protected. Adopting new ways of thinking about how these organisations can strengthen the protection of data requires well-defined policies, strict key assignments and authorisation of who sends and receives data. But, most importantly, the ability to enforce policies to better monitor and observe applications and suspicious activity on the network will require sophisticated technology and tools that are currently available today.
Simon Hill, Legal & Compliance, Certes Networks
ETSI issues report on IoT devices for emergency communications
Since the Internet has matured, society has become more interconnected, as have the devices used to enhance everyday lives. This has led to the emergence of the so-called “Internet of Things” (IoT), in which autonomous devices as well as people are now interconnected in and across private, public, and industrial spaces. IoT technologies are entering all application domains, including services relevant to emergency situations, with a scope wider than IoT connectivity and communication systems. To address this topic, the ETSI Special Committee EMTEL (emergency communications) has just released a report, ETSI TR 103 582, studying use cases and communications involving IoT devices in emergency situations and providing recommendations on standardization requirements that could enhance the safety of these communications. The report was prepared by a group of experts possessing a mix of both IoT and emergency communications competencies.
ETSI TR 103 582 considers communications involving IoT devices in all types of emergency situations, such as emergency calling, mission critical communications and Public Warning System communications, and adds a new emergency communications domain identified as automated emergency response, where IoT devices can act after receiving a trigger to prevent hazardous situations. A set of eight exemplary use cases illustrates how such communications can be used to provide additional or enhanced information for the communicating parties involved in such situations. For example, they cover the case where a smoke detector in a rubbish container sends an emergency message in the event of a fire, potentially sending a real-time emergency video in parallel. Another case is an IoT device that immediately turns off a gas tap or slows down a high-speed train when it receives an earthquake public warning (automated response).
ETSI TR 103 582 also helps prepare the potential standardization requirements enabling a safe operation of these communications. The use cases are analyzed from the point of view of potential failures putting safety at risk. Potential means to prevent these points of failure are identified, the impact of these use cases on existing or future standards is assessed and recommendations for requirements against EMTEL existing specifications for each domain are provided. Other IoT standardization stakeholders also receive suggestions to revise their specifications in order to support the emergency communications requirements.
“The ETSI Report prepares the requirements for communications involving IoT devices in all types of emergency situations”, says Michelle Wetterwald, an expert from the ETSI EMTEL committee. “It also leverages from benefits of IoT with data gathering without human interaction, objectivity of IoT data, fast and fail-safe information sharing, translation of human languages not required, real-time data transmission and operation in dangerous environments.”