So you’ve been breached: how to avoid the same security mistakes

Suffering a data breach has almost become a rite of passage for many organisations. With such a complex and dynamic array of threats across the digital landscape, it has become nearly impossible to prevent 100 per cent of security incidents and data breaches from occurring. 

For those organisations who have suffered a data breach, the first question is normally: how did this happen? Finding the answer to that question helps to answer an even more important one: how do we prevent this from happening again? 

Unfortunately, the sheer variety of security threats means that protection from one doesn’t necessarily mean protection from another. There are some steps, however, that can help you emerge from a security incident with a more robust and mature security posture. 

Step 1 – Finding out what happened 

Beyond helping you to prevent a similar data breach, your organisation is likely required to report the details of a data breach to regulators. For organisations that hold data on EU citizens, the EU’s General Data Protection Regulation (GDPR) requires a breached entity to provide full details of the breach within 72 hours. While New Zealand currently has voluntary notification, the government is pushing forward with legislation that resembles Australia’s Notifiable Data Breaches scheme.

Of course, this is easier said than done when Ponemon research reveals that it takes an average of 197 days to discover a data breach in the first place. In the event of a data breach, your incident response team should set out to understand:

  • Which datasets were breached? 
  • Who is affected? 
  • Who has access to those datasets? 
  • What protection is in place currently? 

Step 2 – Measuring your current security posture 

Before you can begin implementing new security measures, you need to understand exactly what needs protection. By conducting thorough data discovery and classification processes, you can establish exactly where and how your most sensitive data is being stored. 

From this point, you can begin assessing your current security tools in relation to the level of risk that each data set carries. Some lower risk data won’t require the same level of protection as sensitive customer data for example. 

Step 3 – Create an incident response team

Your ability to recover and respond to a data breach or security incident is almost as important as your ability to prevent a breach. Creating an incident response team will allow you to assign roles and establish a careful process for limiting the damage of future breaches. 

Part of this will involve assessing the skill sets of your current team and identifying skill gaps, either for recruitment or for engaging a managed security services provider. Once assembled, your incident response team can routinely test your incident response plans against a variety of scenarios, enabling you to greatly reduce the fallout from a breach or attack.

Step 4 – Adopt a zero-trust security posture 

If a breach is inevitable, a zero-trust security posture allows you to assume that no one with data access is 100% trustworthy. Although it may sound draconian, this approach ensures you have security solutions that segment and monitor user access and protect the data itself.

Part of a zero-trust security approach is the need to focus on endpoint security so that every device connecting to your network and applications is protected. While user awareness training is vital for limiting social engineering attacks such as phishing, having inbuilt security features on each device is the only way to stay completely secure. 

For organisations who want to ensure their end users are always secure, particularly with a large remote workforce, HP EliteBooks, powered by Intel® processors, are equipped with the most advanced device security on the market.  

  • HP Sure Sense – Harnesses the power of deep-learning AI to identify and quarantine never-before-seen attacks.
  • HP Sure Click – Protects against websites and attachments carrying malware, using hardware-enforced isolation.
  • HP Sure Start Gen5 – Firmware attacks can completely devastate your PC; this self-healing BIOS keeps you protected.

To understand the full cost of a data breach, download our infographic which is designed to quickly and easily guide you through the key facts and figures around the implications of a breach.

The 5 w’s of phishing

It’s known as one of the oldest and still one of the most prevalent forms of cyberattack. This is because phishing largely relies on a vulnerability we can never completely get rid of: human error.

It deploys the same basic tactic that scammers have been using for decades – faking the identity of an individual or business to get victims to divulge sensitive information, or to send money. Phishing has evolved since the early days of the internet and is now a catch-all term for a variety of attacks.

For you to understand these attacks in all their forms, here is the ‘who, what, where, why and when’ of phishing to help you protect your business.

Who is usually targeted in a phishing attack?

The targets of phishing attacks vary, but the traditional model was to spam as many people with the same scam email and see who took the bait. This has become less effective over the years as we’ve all grown accustomed to spotting scam emails when they appear.

Spear phishing involves targeting individuals with specific content related to them, such as an unrequested ‘forgotten password’ email from their favourite online retailer. Attackers may work for weeks in advance to learn as much as they can about their targets before then sending personalised scam emails to trick the individual into revealing confidential information. The most famous spear phishing attack was the targeting of Hillary Clinton’s campaign officials during the 2016 US presidential election.

Whaling takes the fishing puns to their logical conclusion. The ‘whales’ in a phishing context are senior executives and even CEOs. However, the difference here is that the scam emails appear to come from the CEO. This is an effective form of social engineering, as employees are incredibly unlikely to deny a request for information from their boss.

What do attackers want?

In the majority of cases, attackers are after financial gain, either directly or indirectly. They may head straight for credit card details, or they might use access to servers and mail to gather information that can be sold. According to Verizon’s 2019 Data Breach Investigations Report, 88 per cent of phishing attacks are financially motivated and 10 per cent are espionage efforts.

Where do phishing attacks come from?

This is difficult to say definitively. In the early days of phishing emails, they were easy to spot due to their relatively poor use of grammar. Phishing attacks these days are much more sophisticated, and when we consider the enormous budgets behind state-based espionage, an attack can come from literally anywhere in the world. The introduction of phishing kits has also lowered the skill barrier for attackers to spoof website domains for capturing credentials.

Why are phishing attacks still so effective?

Phishing attacks are the most common form of what are broadly known as social engineering attacks. All of these attacks use our own psychology against us, as is the case with baiting, which involves tempting us to click on malware infected media, or scareware, which bombards users with fake threats and alerts until they hand over their credentials. Each scenario is difficult to prevent because people aren’t robots and we’ll always respond to stimuli in very human ways.

When will we ever learn to spot phishing attacks?

The good news is that our awareness is far better than it was in the early days of the internet, when mysterious foreign princes could fool us into handing over our life savings for a lucrative diamond investment opportunity. But there is still a long way to go, particularly when we consider phishing attacks are still the first-choice method of cyber attackers.

All of this demonstrates that cybersecurity awareness training is more essential than ever if we want to keep our organisation’s sensitive data secure, especially our customer data. If our employees don’t have the knowledge or awareness on how to prevent phishing attacks, then no amount of money spent on enterprise security software will change how vulnerable businesses remain.

Datacom can partner with you to help you avoid the potentially catastrophic costs of a phishing attack. Our experienced team is here to help you evolve your people and processes through both targeted and organisation-wide cybersecurity awareness training modules. Speak to us today to discuss how we can help you become more resilient against a growing array of threats.

The A to Z of cybersecurity

New Zealand businesses recorded over four thousand cybersecurity incidents last year, including 53 per cent more scams and fraud reports compared to 2018. This resulted in businesses losing NZ$16.7m.

Cybersecurity is more important than ever. With new forms of attacks appearing every year, and so many security solutions on the market, it can be difficult to keep up with all of the different terms in play.

If you need to know your malware from your ransomware, we’ve put together a glossary of essential terms you need to understand in order to protect your organisation.

Antivirus – A good introduction to both our glossary and the world of cybersecurity. Antivirus software is designed to prevent, detect and remove malware. If your computers aren’t running reputable antivirus software already, then you’ve got real problems.

Botnet – A group of computers or internet-connected devices that are collectively compromised and used to perpetuate DDoS attacks (see below), or to steal data and generally wreak havoc.

Cybersecurity awareness – These are vital training modules that ensure your employees are aware of the many cyber threats to your business, including phishing (see below) and other social engineering attacks.

DDoS (Distributed Denial of Service) – In a DDoS attack, a botnet inundates an application, system, or website with internet traffic, making it impossible to stop the attack simply by blocking a single source. These devastating attacks can bring down even the most well-protected banking and government services.

Encryption key – A string of letters, numbers and symbols generated by an algorithm and used to scramble (encrypt) and unscramble (decrypt) data. Each key is random and unique.

Firewall – A firewall acts as a defence for your device. Depending on your security settings, a firewall manages and assesses what information your device receives, and filters and blocks suspicious attempts by other users or apps to access your device.

Hacktivist – These are attackers who hack or force their way into computers and networks, often for political or disruptive reasons. ‘Anonymous’ is the most well-known hacktivist group for their DDoS attacks on governments and other large organisations.

Insider threats – Whether your employees intend to be or not, from the CEO all the way down, each member of staff can be considered an insider threat to your organisation’s security. Cybersecurity awareness and user monitoring are essential to maintain your company’s safety.

Keylogger – A malicious tool that records what is typed (a keystroke) on a keyboard. Keyloggers are used to capture passwords, secret question responses, and any other sensitive information.

Logic bomb – A nasty piece of code in a virus or other malware that triggers a malicious function, such as deleting important files, when certain conditions are met.

Malware – A catch-all term for any type of code that has been designed specifically to cause harm in a system. This includes viruses, spyware, trojan horses, logic bombs and ransomware, among many others.

NIST framework – A cybersecurity framework published by the US Government’s National Institute of Standards and Technology. The NIST framework is considered cybersecurity best practice, including its model promoting the need to ‘identify, detect, protect, respond and recover’.

Phishing – One of the oldest tricks in the cybersecurity handbook. Phishing involves fraudulently claiming to be an individual or business in order to gain sensitive information or financial gain. These attacks are a common form of social engineering and are usually carried out via phishing emails.

Quarantine – A function of your antivirus software that involves storing files that may contain malware in isolation for either further examination or deletion.

Ransomware – An increasingly popular form of malware that holds data or applications hostage on computers through advanced encryption. A demand for payment is then sent before attackers will release control of the captured data.

SIEM (Security Information and Event Management) – A group of systems, software and managed services that provide real-time analysis of security alerts generated by applications and network hardware, while automatically identifying systems that are out of compliance with security policies.

Trojan horse – A common form of malware where a malicious payload is embedded inside a seemingly normal file. When this file is opened, the malicious threat is automatically unleashed into the system.

UEBA – User and entity behaviour analytics is a growing field of software that monitors user activity data and analyses it against threat intelligence to identify behaviours that could be malicious. These applications are implemented to lower the risk of insider threats.

Virus – A well-known form of malware that attaches itself to a host file as a parasite. When this file is accessed, the virus is activated and begins to infect other objects. The majority are engineered to infect the Windows operating system (OS), and some viruses are also designed to ensure they are impossible to detect.

Worm – Similar to viruses in that they are a form of malware focused on replication and distribution, but worms differ in that they are self-contained malicious programs. While not necessarily malicious themselves, a worm can be designed to spread other types of malware.

Zero-day vulnerability – These are previously unknown bugs or flaws in software that provide a potential backdoor entrance for attackers. By targeting these flaws, attackers can release devastating malware before the flaw can be patched.

With so much to learn about cybersecurity, you need a partner to help you stay one step ahead of the threats your organisation faces. Datacom can help you create a robust cybersecurity strategy that includes security management (via SIEM), phishing solutions, cybersecurity awareness training, and vulnerability assessments. Contact us today to learn how we can help you evolve your people, processes and technology to become more resilient.

5 tips to staying safe and secure when video conferencing from home

As the New Zealand Herald reported, Zoom has some serious security issues in its Windows client that can be “used for limited remote code execution and, worse.”

And for many of us this means about the same as E=MC2. What does this mean for us non-cybersecurity folks working from home during the COVID-19 lockdown? And how can you explain that to your mum, eh?

Here are our top five tips about working from home, video conferencing and staying safe.

1. Don’t talk to strangers

Businesses tend to use video conferencing solutions that allow anyone with a valid company email to join freely. If this sounds like your place of work, then stick to that. It means anyone from outside the company can’t join your discussions.

Some video conferencing solutions allow you to dial in from a mobile phone number as an alternative way in – if you see an unknown number pop up on your call, challenge it to make sure there aren’t any lurkers.

But for the rest of us, make sure the platform you’re using has an option to set an entry password that you can share separately with all attendees. That way you won’t have a random stranger suddenly pop up in the middle of a shared lunch. Take advantage of the waiting room feature if it exists: you can vet and approve unexpected attendees before they have a chance to wreak havoc.

Of course, there are those platforms that actively encourage people to drop in – Houseparty is one good example where you can issue an open invitation to anyone in your address book. If you are using these services, be aware that people you might not want on the call can join in. While that is unlikely to be problematic for your children’s schooling, Aunty Jean might think she’s joining a family dinner and a boozy flat game of virtual Truth or Dare might not be her cup of tea.

2. Do you even know what a .bz2 file is?

It’s simple. If you don’t know what a file is and if you don’t know how or what to use to view it, do not click on it, do not open it, and do not share it. If someone sends you a weird link over a video conference session, double-check that it is a real thing they’ve actually sent to you and not something that will hijack your computer. If you think dealing with tech support is hard work in the office, when you’re working remotely it’s doubly difficult. If the person is known to you, but there are attachments, check with them first – and not by email! Their account might have been hacked.

And of course, if you do need to share a file with your colleagues, then use file encryption, encrypted email, or whatever your company uses for secure file sharing. Emailing databases about the place is not considered smart, and certainly is not good practice.

3. Big brother may not be watching, but your housemate might be listening

Chances are your partner or flatmates find your work calls boring but you might not realise that your voice carries to the neighbours. Always consider who else is around when you’re on that conference call, especially if you’re working with sensitive information. Someone might be recording the call without your knowledge or just interested to find out about that big company deal you’re helping put together.

The lesson here is watch what you say. Check the participant list. Consider alternative communication channels for highly confidential conversations. The same applies for screensharing. Close your documents and shut down any irrelevant applications. And in the interests of not driving your family and flatmates nuts with your calls, get a good quality headset rather than shouting at your laptop. Trust me on that one.

4. You know what they say about repetition…

It might be boring, but it pays off. And so does accessing any system or application with more than one type of login.

Hopefully, your company has already introduced multi-factor authentication (MFA), which will require you to check your phone for a code before logging in to any vital system. But in case they haven’t, many platforms allow you to enable MFA yourself. This reduces the chances of someone using your stolen credentials to hack your account and again, wreak havoc. Again, if you think having to change all your credit card details and passwords is a pain when you’re able to move about the city, it’s doubly difficult when we’re all in lockdown, so avoid giving the bad guys access to your details.

5. If it smells funny, don’t sniff

Just because we are talking about video conferencing, doesn’t mean emails suddenly aren’t relevant. If you receive any unexpected emails or an expected email that seems ever so slightly off, don’t click on any links or open any files. Notify your IT team and delete the email. Always check before following those important orders you received from ‘YourCEO@gmail.com’, or similar that arrived in the dead of night, and need you to urgently pay an invoice or similar. It might be from your boss, but equally it might not.

Most importantly, remember to strike a balance between risk and benefit. Good cybersecurity is not about stopping business activity, but about using appropriate tools for appropriate tasks. Houseparty is a great tool for remote classrooms, but not for executive communications. And finally, find a way to incorporate the norm into the new norm. Have fun with your calls, be kind to your colleagues, and screenshot the awkwardly frozen faces. Most certainly report back to your entire team when a colleague spontaneously decides to flash during your team catch-up call. When we all get back to the office, it’ll be good to have a little something up your sleeve for your next performance review.

Follow David Eaton, Associate Director, Cybersecurity at Datacom, on LinkedIn.

Tackling Cyber Safety in Your School 1:1 Program

Cyber security is a crucial component of a school 1:1 or technology program. Yet many schools aren’t equipped to tackle this area in a way that incorporates the needs and concerns of parents, teachers, kids and other stakeholders. We spoke with Peter Geale, CMO of Netbox Blue, a provider of advanced security protection for schools’ networks and data, on new cyber security threats, cyber bullying and how to continually educate all of your school’s populations on appropriate online use.

Q: Beyond the typical online threats and cyber safety issues affecting schools, such as bullying and inappropriate images and web sites, is there anything new or unique you are seeing?

A: There are, and often they revolve around specific web sites. For instance, there’s Ask.fm, which by its nature is rather insidious in that it encourages anonymous questions. People can post hurtful things: ‘Why are you so ugly?’ ‘Why would anyone ever be your friend?’ In the past, kids would create a fake account and harass people that way. Thankfully, the number of phantom Facebook profiles has dropped dramatically over the last few years.

Security experts will tell you that the biggest risks come from people from within — in other words, people you know. Kids won’t often pick on people they don’t know.

Q: In your opinion, do schools perceive that they have a duty of care to protect students from cyber bullying just as they do for in-person bullying?

A: There’s no question, they certainly do perceive that they have a duty of care. What happens on Facebook on the weekend comes to school on Monday. Teachers know they are dealing with issues. Teachers recognise the impact this is having on educational outcomes. That’s why they are getting involved, not because they want to spy on or control kids’ lives but because it’s affecting day-to-day life. School laptop or 1:1 programs legally require the school to consider online activity that impacts learning as part of their duty of care.

Q: How do you recommend schools come up with a security strategy around 1:1 device use and behaviour online both inside and outside of school?

A: It’s actually not that difficult. The key thing is they don’t try to do it by themselves. Learn from other schools. Most schools are part of a wider group, such as an independent schools association. Even if they are not, most schools post policies on the Internet that you can refer to. Look around and see what’s available publicly.

Early on, absolutely engage all the stakeholders. Not just the school employees, but parents, kids and the organisation the school belongs to. What’s happened in the past is that the IT manager has put together policies and they are not necessarily the right person as they might look at issues from a purely technical perspective and not the holistic approach necessary for a comprehensive use policy. Once the policy is out there, make sure it’s well-taught and make sure it’s monitored.

Q: How do we make sure children have a broad range of ongoing support, education and encouragement in order to make sound decisions online?

A: Broadly, one of the things schools try to do is create a community full stop. The good news is that some types of activities they are doing include engaging with parents — providing info to parents. These are the trends we see happening. For instance, the school shares a message saying, ‘A recent publication in education shows 75 per cent of all issues in respect to social media are on Facebook. Here are some of the areas we think might cause issues down the track.’ Then schools pass this on to parents. This happens a lot in primary school. It happens less in high schools. It needs to happen more in the high school because kids are getting more access to technology.

Q: Some peers and even adults might not be setting a great example for kids in terms of acceptable online use. How do you talk to kids and parents about this, about where kids can find a role model?

A: Earlier in 2013, Professor Donna Cross from Edith Cowan University came out with a statement that said today schools need to be involved and actually using and modelling good Facebook behaviour — if we’re not doing it, it’s like teaching kids how to swim in the classroom versus in a swimming pool. They are only going to get ordinary learning, they are not going to know how to swim. Parents also need to demonstrate positive use of the technology.

Q: What is your advice for engaging parents on issues of cyber safety?

A: There are lots of good opinions on this. For instance, making sure computers are used in public places, no computers in the bedroom and, if they are, only for a limited period of time. It should be viewed in a similar way that parents set boundaries — the same boundaries that exist offline. Kids are going to places online that parents don’t know about, to online playgrounds you don’t know, and they are going to do this in their room or on their mobile phone. Just as these boundaries exist in the physical world, they should be in the online world.

Schools can make sure parents are reminded about technology on an ongoing basis in a newsletter and online forums. Give the parents more understanding and, if they do know nothing, teach them. Make sure the parents are at least informed and know what the boundaries are and support their boundaries at home.

Additional resources to use include:

  • The Easy Guide to Socialising Online
  • Who’s chatting to your kids?
  • ThinkUKnow Australia
  • Cyber Bullying in Australian Schools: The Question of Negligence and Liability