Cyber attacks and data breaches are a matter of when, not if.

No single measure is 100% foolproof. A determined attacker will always be able to find their way around your defences, given enough time and resources.

Furthermore, as Vanessa Horton, our cyber incident responder, pointed out in an interview about anti-forensics:

The cyber world is changing all the time, which means we’re playing a bit of a cat-and-mouse game. Basically, as one side improves, so does the other.

In this interview, I pick her brain on cyber incident response more generally, gaining her expert insight into the ‘what’, ‘how’ and ‘why’, along with practical, real-life examples.

About Vanessa Horton

Vanessa holds a degree in computer forensics, as well as a number of cyber security and forensics qualifications.

She’s worked for the police as a digital forensics officer, where she was involved in complex crime cases. Vanessa was also awarded a Diamond Award and an Excellence in Service Delivery Award.

Now, she’s part of our cyber incident response team, helping clients with their cyber security requirements.

In this interview

• Misconceptions
• Protection
• Detection
• Threat types
• Planning
• Training
• Common errors
• Digital forensics
• Incident response process

Cyber incident response misconceptions

What common misconceptions do you see around cyber incident response? Or in your line of work generally?

The big one is the [misplaced] belief that ‘it’s not going to happen to us’. Many organisations believe they won’t suffer a cyber incident, even if other organisations might.

That’s a poor mindset to have because, for one, it’s wrong – everyone will suffer an incident at some point.

But more importantly, this mindset leaves organisations unprepared for when they do suffer that breach, and haven’t got an incident responder on hand to keep the damage to a minimum.

The fact that some big names have ‘been done’ recently shows how nobody’s safe. Not even big cyber threat actors! For example, not so long ago, LockBit [an infamous ransomware gang] got taken down. And various other ransomware groups, including Ragnar Locker and Black Basta, suffered the same fate.

It just goes to show that no one’s above being successfully attacked. That’s just the unfortunate reality.

But if threat actors are being brought down, doesn’t that improve the cyber landscape?

Oh, law enforcement doing its job is definitely a good thing.

However, when you bring one website or gang down, what always happens is that the remaining gang members form a new group.

Law enforcement never catches every single member of the gang when it takes one down. So, the ones who remain are going to take their skills and form new groups.

They might then change their objectives and go after new targets – because they’ll want to establish themselves as that new group.

What do you mean by ‘changing their objectives’?

So, for example, LockBit originally said it wasn’t going to go after hospitals for ethical reasons – perhaps ironic for a criminal gang, but there you go.

Anyway, LockBit changed, and is now going after hospitals.

This adds to my earlier point: you simply don’t know who’s going to be targeted next. And just because one group said it won’t target your industry, doesn’t mean other groups will offer the same courtesy. Plus, you have no way of knowing what any group’s next move will be.

This, by the way, is the type of conversation I often have with clients. It’s how I convince them that they really need that cyber incident response plan, to do tabletop exercises, to train their staff, and so on.

By being open and honest about these things, I can more easily show clients that taking these actions is in their own best interests.

Every organisation should prepare for an incident. They must actively take steps to protect themselves. Because if they don’t, well… We’re all human, and when faced with an unexpected situation like a security incident, you’re going to panic, no matter what.

But by being prepared, you can recover quicker, which makes the company financially better off, as you’ll suffer less disruption. You can also quickly stop the attacker from accessing any further data in your systems, so things don’t get any worse.

Plus, by handling an incident well, stakeholders and the public at large are generally more forgiving, which will obviously serve your reputation well.

Interviewer note: If you did everything you could, people are forgiving about breaches

Louise Brooks, head of consultancy at our sister company DQM GRC, made a similar observation in a recent interview about practical GDPR [General Data Protection Regulation] compliance:

“Organisations must remember that real, living people are behind the vast quantities of information they’re gathering and processing. Those people will be affected if anything goes wrong due to mismanagement of their data.

“However, people are generally open to forgiving organisations when things go wrong if the organisation can demonstrate they treated personal data with the respect that it deserves, and they did the best they can.”

Protection – first steps, simple measures

What are the first steps for organisations to protect themselves?

Before you do anything else, you need to know what you’re defending:

• What are your key assets among your:
  • Data?
  • Systems?
  • Processes?
• Where are those assets?
• What are the risks to them?
• What controls do you already have in place?

Risk assessment and management are critical starting points, as you need to know what you’re working with before you do anything else. But, as my colleague Andrew Pattison likes to say, it’s important to keep these simple.

The key is to identify your biggest risks, then implement appropriate controls to mitigate them.

What are some simple measures every organisation needs?

Very basic controls can get you a long way:

• Strong passwords and MFA [multifactor authentication]
• Anti-malware software
• Secure configuration
• Regular patching
• Firewalls

Not doing these types of things just makes you a more likely target. I don’t like using the word ‘easy’, but that’s what you’re making yourself if you don’t patch or you use passwords like ‘Password123’: an easy target. You’re leaving the door wide open to threat actors.

This also underlines the importance of prevention and detection. Cyber incident response planning doesn’t start with the response – any response is only triggered if you detect abnormalities.

Detection – security monitoring and what is ‘normal’?

How do you detect an anomaly or a suspicious event?

You need to understand your baseline: what’s normal? Because if you can’t answer that, how will you know what is suspicious?

Is it normal if someone logs in from a Russian IP address, for example? And at 1:00 am?

But you don’t need to have someone sit there and monitor all event logs all the time – a security monitoring solution can do that for you, like:

• An IPS [intrusion prevention system];
• An IDS [intrusion detection system]; and/or
• An EDR solution [endpoint detection and response].

You also want systems that log system activity and forward them to a centralised SIEM solution or SOC [security information and event management, security operations centre].

These types of technological solutions are essential to process huge amounts of information [security events like access logs]. But the human aspect is a vital part of detection, too.

For one, a person will have to ‘teach’ your technological solution what constitutes abnormal behaviour. And two, when your tool detects something suspicious, it must alert a human to follow up on it.

Interviewer note: Automating log analysis with AI

Earlier this year, I spoke to information security manager Adam Seamons about network security. Automated security monitoring tools cropped up, as did the role of AI and machine learning in security:

“AI and machine learning have both been used in detecting anomalies and suspicious patterns for some time, and will only continue to be used more. I expect SOCs to become increasingly reliant on AI.

“Getting more specific, log analysis is a key area for AI to automate. An AI tool could do the heavy lifting, sifting through tons of logs and data to detect and then respond to threats far faster than a human could.”

You gave a 1:00 am login as an example. Does a situation like that require an immediate follow-up?

Good question. Many organisations incorrectly believe that they don’t need 24-hour cover – or at least, don’t need to make someone responsible for responding to an out-of-hours alert from an automated tool.

But things are going to happen overnight. Look at it from the threat actor’s point of view. A smart attacker is going to attempt to breach your systems when they’re at their most vulnerable – i.e. when nobody’s looking.

Organisations are prone to forgetting about out-of-hours protection, but that’s precisely when you most need protection. That’s when you’re more likely to get attacked. Threat actors know that’s when defences tend to be down, and monitoring is slack.

What exactly should organisations be monitoring?

Security events. These are just everyday events on your systems or networks – logins, incoming emails, files received, and so on.

So, for example, if you suddenly get someone logging in from Russia, and they weren’t on a business trip there or something, you need to investigate. This means you’re not just tracking the logins themselves, but also certain information about them – locations and IP addresses, login times, files or services accessed, and so on.

Again, you have to know your baseline. What is expected activity? And if it’s unexpected, someone must quickly investigate. If a threat actor did gain access to a user’s account, you want to prevent them from accessing anything else.

Equally, if it’s just someone who’s on holiday in Russia and decided to log in, you can dismiss the security event. But you must establish that in your initial follow-up; you can’t just assume it’s not a security incident.

[The difference between a security event and a security incident is that an event is an everyday occurrence – like users logging in. But some events also signify a security incident: a breach of confidentiality, integrity and/or availability, also known as the ‘CIA triad’.]

To what extent does seasonality play a role in security monitoring? Like weekdays vs weekends, for example, or Black Friday?

Oh, seasonality plays a role, for sure. Black Friday is the perfect example.

If you’re a retailer, you’re going to see way more web traffic than usual. You must be able to handle that. By having more people on call, for example. By double-checking things. You need to plan ahead and assess the risks.

Again, a smart threat actor will target your weakest link, and when you’re at your most vulnerable. So, if they wanted to take your website down, for example, with a DoS attack [denial of service], a day like Black Friday is a prime time to target, when traffic is up anyway, and it’ll take fewer additional requests to flood your servers.

Black Friday is also a great time [from the attacker’s perspective] to cause most harm. If your website isn’t operating that day, you’ll take a massive financial hit in terms of lost sales.

Threat types and risk assessment

DoS attacks aside, what other cyber threats or attack types must organisations consider?

Take your pick:

• DoS
• Phishing
• Ransomware
• DNS poisoning
• Backdoor attacks

Ultimately, a lot of them involve malware, but threat actors can deliver it in many different ways. The more important thing to think about is where and when you’re most vulnerable. Black Friday is one example. The end of your financial year is another, when you’re dealing with tons of confidential information.

You’re not just looking at who might target you and how, but also when you’d suffer the biggest blow. When would the impact of a security incident be at its worst? [I.e. business impact analysis.]

And OK, not every attacker will think that way. But this question is one every organisation should consider, because you want to be operational during your most critical times. Even if the cause of a disruption wasn’t malicious, you don’t want it to happen – and especially not at a time when disruption would be costly.

How can organisations balance the cost of such assessments and measures against the risk of an incident or a disruption?

That’s always the challenge, especially for smaller organisations. Everyone needs to find that balance and make those difficult choices.

To help make them, ask questions like:

• What are your assets and processes?
• What security controls do you already have in place?
• Are you training your staff? Both specialist training and general staff awareness?

I think of this as a gap assessment, which can be against a standard like ISO 27001 or NIST SP 800-53. I’ve found that many organisations particularly like the NIST incident response guidance because it’s so accessible.

Interviewer note: The core principles behind cyber resilience and defence in depth

Vanessa covered the core ideas behind the three broad layers of cyber defence in depth:

1. Prevention
2. Detection
3. Response

The core idea behind prevention is risk assessment. Identify your threats and weaknesses, and where and when your business would most suffer from a cyber incident, then implement measures to mitigate the risks as best you can. Concentrate on the more basic, cost-effective measures – like firewalls and patching – that prevent most common attacks.

The core idea behind detection is that preventive measures can fail. As Vanessa said to me: “They can only do so much.” You can think of the cyber security world as a ‘cat-and-mouse game’ in which the ‘cat’ (attacker) has the upper hand. Besides, there’ll always be zero-day exploits.

So, you want to become aware – as quickly as possible – of when your prevention failed. The key here is to know what ‘normal’ looks like, so you can identify abnormal behaviour, potentially indicating a cyber security incident.

Let’s get deeper into response: the follow-up to when your tools flag up an anomaly.

Cyber incident response plan

What’s the first step in planning your response?

Your cyber incident response plan. No doubt about it.

Incident response planning is such a vital part of having an effective response overall. As I said earlier, we’re human – panic is natural in unexpected situations. Even if you are prepared!

But preparing and documenting a solid response plan – an incident action plan, if you like – ensures that even when under pressure, people do the right things. They make all the right decisions, because they were made ahead of time, outside the heat of the moment.

A good security incident plan should also ensure that your approach is consistent, even if a key person is unavailable.

How can organisations further improve their cyber incident response plan?

Your incident response plan should include a different incident response playbook for different threats. Dealing with malware on your systems requires a different response than, for example, a DoS attack.

Also, test your plan. Tabletop exercises are important – they tell you whether your plans are working as intended. Plus, they make for valuable training for staff! It’s always much easier to do something if it feels familiar.

[Note: Vanessa gave an example of this below.]

Training – specialist skills and when to outsource

What training do staff with incident response roles or responsibilities need?

That depends on the individual’s role in the team.

Cyber incident response isn’t an IT issue, but a business issue requiring input from a wide range of stakeholders.

At a minimum, training should include:

• What constitutes an incident;
• Responsibilities during an incident response;
• Activities for ensuring compliance with legal requirements;
• How, when and to whom an incident should be escalated; and
• How to handle, store and process evidence in a forensically sound manner.

Is that a common issue? Not recognising something as a potential incident?

We do often see that. Different people in an organisation have different opinions on the definition of an incident.

In many situations, differing views are great. But in the context of incident response in cyber security, the organisation needs to ensure a consistent definition and approach, so staff training can cover it clearly.

You need to teach people how to recognise the abnormal stuff. And to put in a security incident report to someone adequately trained. Whoever triages must know both what to look for and how to handle it securely, to ensure the organisation is taking the right actions from the start.

When is it better to have or develop that technical expertise internally, and when is it better to outsource?

It depends on:

• Your organisational size;
• The complexity of your systems; and
• Your internal capabilities.

If you’re a smaller organisation, it’s unlikely you have the internal capability. More complex organisations would probably also benefit from outsourcing all or some of the capabilities – digital forensics, for example.

Using external expertise also means relying on people for whom responding to an incident is an everyday occurrence. They’ll know exactly what actions to take, and won’t allow their skills to become rusty. In fact, they make a point of keeping up with industry news and trends.

That’s completely different from an internal capacity, whose day to day likely involves other tasks. That makes them less comfortable dealing with an exceptional situation like a security breach.

What skills are specific for incident response? That an internal person is unlikely to use day to day?

Again, keeping up with, and having a deep understanding of, the latest threats. That gives them the ability to quickly detect and respond to these threats.

More specialist capabilities include:

• Digital forensics [discussed below];
• Malware analysis; and
• Threat hunting.

These often require expensive training and significant effort to keep up, as the latest approaches keep evolving.

In fact, due to cost, these are often – unfortunately – not conducted in cyber incident response.

This is a mistake. If you don’t understand what happened, how it happened and when it happened, it makes the incident response procedure much more challenging. It’s not enough to just get your business up and running again.

Do you have a real-world example?

We had a client that had been compromised with ransomware. They decided not to pay – which I think is best in most cases – and restored all their services without investigating the root cause.

They got done a second time just two weeks later, by the same threat actor, wiping everything out again. After which they contacted us.

Anyway, it makes the point: you must understand and remediate the initial vulnerabilities before declaring the incident response complete:

• Investigate how the attackers got into the environment.
• Check for back doors and persistence mechanisms, such as scheduled tasks, new users, new processes, and so on.

Ensure you’ve closed your vulnerabilities, or you’ll get done again. Possibly by the same attacker.

Ending up back where you started is hugely disruptive. Not only that – the financial and reputational impacts are massive, too. Journalists love writing about the ones attacked twice in a short period. Akumin at the end of last year is a good example.

Can you share any other real-world examples?

We had a client that kept getting phishing emails, with staff repeatedly falling for them, clicking the links and typing in their credentials. This suggested a fault with their staff training, and that their email filters weren’t robust enough.

In a scenario like that, you want to stop the threat actor gaining further access to anything, but also prevent this from happening over and over again.

It means figuring out the root cause. Getting an answer to why this keeps happening. Which means asking:

1. Why are so many phishing emails coming through? Why aren’t they stopped?
2. Why do staff keep falling for them?

Without addressing these, you’re going to keep suffering the same incident. That’s clearly bad for business – financially, operationally and reputationally.

So, a part of incident response resources should go towards resolving this incident, and part towards future prevention. But, of course, had this organisation invested in better training and filters to begin with, they wouldn’t have had to spend all that money after the fact.

Want to get future interviews – and other blogs – like this straight to your inbox? Subscribe to our free weekly newsletter: the Security Spotlight.

Common incident response errors

What’s the first step when responding to a cyber security incident?

Step one is always to confirm whether the incident is real, and if so, to determine the scope and potential impact.

It’s fine if you can’t answer all questions to start with – that’s normal. But as the investigation progresses, you must keep reevaluating your situation and risks.

You may also have to report the incident, often within just 72 hours, under legal obligations like:

• The GDPR [General Data Protection Regulation];
• The PCI DSS [Payment Card Industry Data Security Standard];
• The NIS Regulations [Network and Information Systems Regulations]; and/or
• DORA [Digital Operational Resilience Act].

What else should organisations do during the first stage of their response?

Isolate the compromised device and/or network segment from the rest of the environment to prevent further damage.

Also, if the device is already on, do not power it off.

I remember an exchange during a tabletop exercise that focused on digital forensics:

• Someone said: “I’ll just power off the machine.”
• I exclaimed: “No, no, no! Stop!”
• Everyone just stared at me. Someone asked, completely puzzled: “Why?”
• I explained that I couldn’t reveal the rest of the scenario to them at that stage, but did say that if they turned off that machine, they’d lose vital evidence.

They were about to lose critical evidence only stored in the RAM [the device’s memory]. Once you power off your machine, you permanently wipe that memory.

You see, some malware only runs in the memory, with very few artifacts stored on the hard drive. That limits what we can discover during any forensic investigation. Sometimes, the memory also stores ransomware decryption keys.

[However, if your device is already powered off, don’t switch it on. That makes changes to the system that could overwrite logs or other evidence.]

A lot of people think they’re doing the right thing by turning off their infected machine, when they should only disconnect it from the network. This comes back to training.

You’ve got to train people, particularly on those stages that happen before an external specialist would come on the scene. A key part of that is to not lose evidence. That’s something staff must be trained to do.

Turning off your machine is very instinctive. It’s the classic IT solution: rebooting your PC solves a lot of problems. But doing the right thing in this scenario isn’t difficult – you just have to know what the ‘right’ thing is. What are some other common errors that are easy to correct with basic awareness?

A common one is people simply deleting phishing emails. They just assume that IT already knows about it, or that someone else will report it.

But no: we all have a part to play in security, and clicking that ‘Report Message’ button in Outlook takes seconds – everyone’s got time to do that. And it may just save your organisation a lot of money.

Another thing is to keep your list of contacts and plans up to date. And to keep copies independent of your connected systems.

This might sound too obvious, but I’ve seen it so many times: people suffer an incident, they can’t get to their files, and then realise that they don’t know who to call, and haven’t got a way of easily finding out.

In short, keep a printed copy of your computer incident response plan, or save the contacts on your phone or something – and keep these copies up to date – so you can get in touch with the right people quickly, should you suffer an ICT disruption.

Digital forensics

Let’s come back to digital forensics. What does that involve?

A digital forensics investigation aims to answer questions like:

• How and when did the threat actors gain access?
• What did the threat actors do once they got into the IT environment?

Any digital forensic investigation should be conducted by someone who is trained to do so, because of the evidence aspect again. Any evidence an investigator uncovers might be used in future prosecutions.

The output of this investigation may also lead to follow-up actions such as malware analysis or threat hunting. That’s proactively looking for undetected threats in the network.

Incident response process

Walk me through the next incident response steps. What happens after you isolate the device and conduct a forensic investigation?

I should point out that device isolation isn’t the only thing you might need to do to contain the incident.

Maybe you need to isolate a critical service while the investigation is ongoing. Or you need to engage with third-party providers, such as Cloud service providers, which could give you access to vital logs or isolate the service for you – things like that.

Those initial stages, like the forensic analysis, will inform how you contain the situation and what the next steps should be.

What’s the next step in the incident response process, after containment?

Eradication and recovery. That can involve replacing or rebuilding compromised systems, which takes time and may impact legacy applications.

That process may include, but definitely isn’t limited to:

• Restoring and securing base systems;
• Restoring data from backups [following verification of integrity]; and
• Scanning for known vulnerabilities.

Also, we test any recovered systems for functionality and security before reintroducing them into the IT environment.

Once reintroduced, we monitor them for a period – ideally, at least a week – to make sure the threat actors haven’t returned.

The indicators of compromise discovered during the investigation help inform us what suspicious activity we’re monitoring for. For example:

• Specific network connections from suspicious IP addresses or domains;
• Running applications and related services; and
• Compromised user accounts.

What’s the next step in the incident response life cycle, after recovery?

Once you’re satisfied that you’ve fully remedied the situation, do a post-incident review:

• What happened?
• How did it happen?
• What was the impact?
• What went well in the response?
• What could have gone smoother?
• How can we improve for next time?

In short, establish and implement the lessons learned. This will only improve your ability to protect against, detect and respond to future cyber security incidents.

Should that sort of information also be shared externally?

Yes! Again, we all have a part to play when it comes to cyber security – not just within an organisation, but also in the wider community.

So, it’s important to contribute to threat intelligence. For example, take the ransomware attack on the British Library last year. It released a report to the public afterwards, which talks about what happened, how it happened and what the Library learned from it.

I love this sort of thing, because it shows so clearly that you’re taking cyber security [and cyber security incident response] seriously. You’re holding yourself accountable and being transparent.

Also, by publishing something like this, you’re helping other people. It shows that you’ve done your best.

Most people find it far easier to trust an organisation being open about what happened and what they’ve done about it, than an organisation trying to cover things up.

Don’t be like 23andMe, only admitting to things when forced to and blaming the victims to boot. It just makes you wonder what’s really going on, and question the company’s respect for its customers. PR is a big part of security incident management, too!

Find out how we can help

We take a pragmatic approach to assessing and managing your incident response needs. We align standards and best practices with your operational and business requirements.

Talk to us today to see how we can help you.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert within GRC International Group.

In the meantime, why not check out our previous interview with Vanessa on anti-forensics?

If you’d like to get our latest interviews and resources straight to your inbox, subscribe to our free Security Spotlight newsletter. Alternatively, explore our full index of interviews here.

The post A Practical Guide to Cyber Incident Response appeared first on IT Governance UK Blog.

Here are all our Q&As to date, grouped by broad topic:

To get new expert insights straight to your inbox, sign up to our weekly newsletter, the Security Spotlight.

Last updated: 24 May 2024. Interviews added: Camden Woollven on privacy and ethical concerns around AI (AI); Kirsten Craig on the APRA (data privacy); Vanessa Horton on cyber incident response (incident response); and Matthew Peers on ISO 27001 and physical security (ISO 27001). 

AI

Camden Woollven on privacy and ethical concerns around AI 

22 May 2024 

Head of AI Camden talks us through the ethical principles for guiding AI development, how those principles relate to data privacy, high-risk domains (such as healthcare), and why AI ethics requires a team effort in this interview. 

Mark James on AI and data protection 

11 April 2024

Privacy consultant Mark talks about the data protection risks of AI, the GDPR’s (General Data Protection Regulation) restrictions around automated decision-making, legal bases for processing personal data via AI systems, and how to address the risks from that type of processing in this interview.

Mark James on voice cloning

23 February 2024

What is voice cloning, what are the associated risks, and what can organisations do to protect themselves? Privacy consultant Mark answers all these questions and more in this interview.

Cyber attacks and data breaches

Leon Teale on the mother of all breaches

24 January 2024

Senior penetration tester Leon talks us through the implications of a historic 26-billion-records leak. Learn why even old credentials can cause a lot of damage, and how you can protect yourself in this interview.

Cyber Essentials

Ashley Brett on Cyber Essentials and ISO 27001

10 May 2024

Cyber security advisor and product evangelist Ashley talks us through some common Cyber Essentials misconceptions, key differences between Cyber Essentials and ISO 27001, the benefits of each, and things to consider if you’re implementing both in this interview.

Ashley Brett on Cyber Essentials solutions

21 February 2024

Cyber security advisor and product evangelist Ashley provides a simple overview of the Cyber Essentials scheme. He also talks us through various Cyber Essentials solutions to help you choose the right one in this interview.

Cyber resilience

Adam Seamons on cyber defence in depth

19 April 2024

What is defence in depth, why is it important and how does it work? Information security manager Adam answers all these questions and more, giving practical, expert insight into defending against malware in multiple layers, with details on the purpose of each, in this interview.

Alan Calder on cyber resilience

24 November 2023

Group CEO Alan gives us a quick overview of his award-winning book: Cyber Resilience – Defence-in-depth principles. He also explains why defence in depth is so important in this interview.

Cyber security

Leon Teale on zero-day exploits

24 April 2024

What are zero-day exploits and who is most at risk? How can we detect zero-day vulnerabilities and attacks, and protect ourselves from them? Plus, how much of an outlier was the MOVEit Transfer breach? We put all these questions and more to senior penetration tester Leon in this interview.

Adam Seamons on zero-trust architecture

5 January 2024

Information security manager Adam gives us a short history lesson about how networks have evolved, and the security consequences of that evolution. In particular, he highlights the risks of Cloud infrastructure and the merits of zero-trust architecture in this interview.

Vanessa Horton on ransomware trends

20 November 2023

Cyber incident responder Vanessa shares recent ransomware trends, why they’re worrying, and what organisations can do about them in this interview.

Leon Teale on secure remote working and VPNs

23 October 2023

Senior penetration tester Leon gives us his top 10 tips for secure remote working. He also talks us through different VPN (virtual private network) technologies in this interview.

Data privacy

Kirsten Craig on the APRA 

17 May 2024 

In the US, expectations are – cautiously – rising that we could see a landmark single federal privacy standard enacted into law: the APRA (American Privacy Rights Act). Data privacy lawyer Kirsten takes us through what it is, its requirements, its interplay with state-specific laws, its scope, and the next steps in this interview.  

Ryan Peeney on records of processing activities

9 May 2024

Records of processing activities, also known as ‘ROPAs’, are an explicit legal requirement in Article 30 of both the UK and EU GDPR. But what exactly are they? Why are they important, and what are their benefits? And how can you create and maintain them? We put all these questions and more to DPO (data protection officer) consultant Ryan in this interview. 

Louise Brooks on practical GDPR compliance

25 April 2024

Numerous misunderstandings surround complying with the GDPR. As a principles- and risk-based law, there aren’t prescribed dos and don’ts – the Regulation simply provides a framework for compliance. Furthermore, compliance can be a business enabler, not a ‘necessary evil’. Head of consultancy at DQM GRC Louise explains further in this interview.

Ola Irukwu on biometric data

11 April 2024

DPO consultant Ola talks us through biometric data – what is it, and how do the GDPR’s principles and requirements apply to it? She also explains the importance of DPIAs (data protection impact assessments) and data protection by design in this interview.

Mark James on data seeding

22 March 2024

Privacy consultant Mark explains what data seeding is, why it’s such an unintrusive measure, and when and how to use it in this interview.

Louise Brooks on staff monitoring

4 March 2024

How much and what type(s) of staff monitoring is too much? How can organisations monitor staff while remaining compliant with privacy laws? Head of consultancy at DQM GRC Louise gives us the answers in this interview.

Alan Calder on maintaining GDPR compliance

16 February 2024

Group CEO Alan takes us through what data privacy and GDPR compliance trends he foresees in 2024. He also gives us his 5 top tips for remaining compliant in this interview.

Andrew Snow on a landmark GDPR ruling

12 January 2024

The ECJ (European Court of Justice) issued a landmark GDPR ruling in December 2023. Data privacy and cyber security trainer Andrew takes us through the details, and explains why this ruling is so important in this interview.

Andrew Snow on the UK–US data bridge

6 November 2023

The UK and US received an adequacy decision enforced in October 2023. Data privacy and cyber security trainer Andrew talks us through the practical implications, how organisations can take advantage, and alternative mechanisms for UK–US data transfers in this interview.

DORA

Andrew Pattison on DORA, how it compares to NIS 2, and how it’ll be regulated

3 May 2024

What is DORA (Digital Operational Resilience Act)? How does it differ – or overlap – with NIS 2 (Network and Information Security Systems Directive)? What are the DORA pillars? How will DORA be regulated? And will non-EU organisations have to comply with it? We put these questions to Andrew, head of GRC (governance, risk and compliance) consultancy at IT Governance Europe, in this interview. 

Andrew Pattison on simplifying DORA compliance with ISO 27001

26 January 2024

ISO 27001 can be used to simplify compliance with DORA. Head of GRC consultancy at IT Governance Europe Andrew explains how in this interview.

Cliff Martin on streamlining DORA compliance

18 December 2023

DORA’s requirements aren’t too dissimilar to that of other legislation and standards. Head of cyber incident response Cliff explains how to streamline DORA compliance in this interview.

Alan Calder on DORA supply chain security

11 December 2023

Group CEO Alan explains why supply chain security – a key DORA pillar – is so important, and how organisations can secure their supply chain in this interview.

Cliff Martin on DORA incident response

28 November 2023

Head of cyber incident response Cliff takes us through DORA’s incident response requirements – another pillar of the Regulation – in this interview.

Andrew Pattison on DORA risk management

13 November 2023

Head of GRC consultancy at IT Governance Europe Andrew explains the most important DORA pillar: ICT risk management. He talks us through the Regulation’s requirements and how organisations can meet them in this interview.

Europrivacy

Alice Turley on the Europrivacy scheme and certification

26 April 2024

What is Europrivacy^/®, who can apply for certification, and what are the benefits? How do the scheme and certification work? And what must applicants consider when choosing a consulting company? Senior privacy and GRC consultant and trainer Alice answers all these questions in this interview.

Incident response

Vanessa Horton on cyber incident response 

24 May 2024 

Cyber incident responder Vanessa gives us a complete, practical overview of cyber incident response. She talks us through common misconceptions and errors, threat types, protection, detection, cyber incident response plans, training, digital forensics and the incident response process. She also covers real-life examples in this interview. 

Vanessa Horton on anti-forensics

2 February 2024

Criminals use anti-forensics techniques to try to remain undetected and/or mask their actions. Cyber incident responder Vanessa explains further, and provides examples of anti-forensics techniques as well as advice for how organisations can protect themselves, in this interview.

ISO 27001

Matthew Peers on ISO 27001 and physical security 

15 May 2024 

When we hear ‘information security’ or ‘ISO 27001’, we usually think ‘cyber security’. However, physical security is also an important aspect of information security. In fact, in ISO 27001:2022, ‘physical’ is one of just four control themes. GRC consultant Matthew explains why, and talks us through physical access control, physical security monitoring, CCTV, and more in this interview. 

Alan Calder on transitioning to ISO 27001:2022 

10 April 2024

Group CEO Alan explains why ISO 27001 and ISO 27002 were updated in 2022. He also talks us through key changes and transition dates, and how to approach your transition project in this interview.

Alan Calder on ISO 27001 and defence in depth

20 March 2024

Group CEO Alan explains how ISO 27001 and defence in depth intersect, and the importance of each. He also talks us through the ISO 27000 family of standards, and how ISO 27001 can help organisations meet their regulatory requirements in this interview.

Alan Calder on the ISO 27001:2022 addendum and ISO 27006 update

15 March 2024

ISO 27006 was recently updated. An ISO 27001:2022 addendum was also recently released. Group CEO Alan gives us the highlights of both updates, as well as an overview of the business benefits and regulatory value of ISO 27001, in this interview.

Andrew Pattison on pragmatic ISO 27001 risk assessments

8 March 2024

ISO 27001 fundamentally takes a risk-based approach. Head of GRC consultancy at IT Governance Europe Andrew gives us his tips on how to keep your risk assessments simple and manageable in this interview.

Alan Calder and a quick overview of ISO 27001

6 March 2024

Group CEO and ISO 27001 pioneer Alan gives us a quick overview of the business benefits of ISO 27001. He also talks us through how the Standard can aid regulatory compliance, and offers tips on risk assessment and continual improvement in this interview.

PCI DSS

Stephen Hancock on PCI DSS SAQ SPoC

30 October 2023

QSA (Qualified Security Assessor) consultant Stephen gives us an overview of the latest PCI DSS SAQ (Payment Card Industry Data Security Standard self-assessment questionnaire): SAQ SPoC (software-based PIN entry on COTS). He explains which organisations qualify and how SPoC solutions work in this interview.

PECR

Louise Brooks on cookie compliance

19 January 2024

Head of consultancy at DQM GRC Louise shares how organisations can improve their cookie banners without hampering their business objectives, and common mistakes around obtaining valid consent, in this interview.

Louise Brooks on the ICO’s ultimatum on cookies

4 December 2023

The ICO (Information Commissioner’s Office) gave the UK’s top websites an ultimatum: get your cookies compliant, or risk enforcement action. Head of consultancy at DQM GRC Louise gives her insights into this ICO statement and ICO enforcement more generally, and advice on how organisations can best meet their cookie requirements, in this interview.

Security testing

Leon Teale on the CVSS

9 February 2024

The CVSS (Common Vulnerability Scoring System) is now at v4.0. Senior penetration tester Leon explains what the CVSS is, how it works, when to use it, its limitations, and the key changes introduced in CVSS v4.0 in this interview.

Supply chains

Andrew Pattison on simplifying supply chain risk management

5 April 2024

Head of GRC consultancy at IT Governance Europe Andrew explains the importance of keeping risk assessments and supply chain risk management simple, and how DORA might change how organisations manage risk. He also talks us through considerations around risk when outsourcing, e.g. to a Cloud provider, in this interview.

Training

Soji Ogunjobi on CISM®

4 April 2024

Cyber security specialist and instructor Soji gives us a complete overview of CISM (Certified Information Security Manager), talking us through its topics, intended audience, career opportunities, alternatives, and more in this interview.

Damian Garcia on ransomware elearning

7 February 2024

Head of GRC consultancy at IT Governance Damian recently updated our Ransomware Staff Awareness E-learning Course. He explains why this course is so important, the key topics covered, its top take-aways, and more in this interview.

Miscellaneous

Nicola Day on book formats

22 March 2024

Softcover, PDF eBook or ePub? Publications manager Nicola explains the difference between each to help you choose the right written book format for you in this interview.

Sophie Sayer on the IT Governance partner programme

14 February 2024

Head of channel Sophie talks us through the IT Governance partner programme, and the benefits of partnering with us, in this interview.

Andreas Chrysostomou on audiobooks

10 January 2024

Publishing relations manager Andreas explains the audiobook format – including its pros and cons, how audiobooks are developed, and more – in this interview.

Sam McNicholls-Novoa on CyberComply

20 December 2023

CyberComply is a Cloud-based, end-to-end solution that simplifies compliance with a range of cyber security and data privacy standards and laws. Product marketing manager Sam talks us through some of the software’s benefits and features in this interview.

Get the latest expert insights straight to your inbox

If you like our weekly interviews, you’ll love our free weekly newsletter, the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

• Interviews with our experts, sharing their insights and expertise;
• Industry news, including the latest publicly disclosed data breaches and cyber attacks;
• Our latest research and statistics;
• Free useful resources; and
• Upcoming webinars.

The post Free Expert Insights: Index of Interviews appeared first on IT Governance UK Blog.

When we hear the term ‘information security’ – or, for that matter, ‘ISO 27001’ – our thoughts usually turn straight to cyber security.

However, physical security is also an important aspect of information and data security. In fact, in the 2022 versions of ISO 27001 and ISO 27002, ‘physical’ is one of just four control themes.

As such, the Standards also list explicit physical security controls, which organisations must either implement or justify why they don’t need to in their SoA (Statement of Applicability) to certify against ISO 27001.

Matthew Peers, one of our GRC (governance, risk and compliance) consultants, helps organisations implement the Standard and prepare for ISO 27001 certification.

Before joining IT Governance, Matthew served in the British Army Intelligence Corps for 12 years, providing intelligence and security advice to personnel and their families in the UK and abroad. This included conducting physical security surveys of British Army bases in the south of England.

Just the man to talk to about ISO 27001 and physical security!

In this interview

• Why ‘physical’ is a separate control theme
• Physical (and logical) access controls and visitor policies
• Why physical security monitoring needed a new Annex A control
• The benefits and drawbacks of CCTV as a preventive and detective measure
• Key considerations around building security – even if you’re a small organisation
• How to remotely audit physical security
• Remote-working tips

One of the big changes in the 2022 editions of ISO 27001 and ISO 27002 are the four themes, one of which is physical. Is this an acknowledgement that physical security can be overlooked?

I’d say that the separate category just filters out those controls better.

Since COVID, many organisations operate remotely. So, for the purposes of control selection, many physical security controls can be justifiably excluded if all staff work from home.

Having a separate category for those controls makes this more practical to do.

For the organisations that still have a physical location, what physical security measures must they consider?

They should look at their overall physical security system[s]. That said, one big thing clients often talk me through is their visitor policy: how do they process visitors? How do they make sure visitors only go to the designated areas? And so on.

This fits into a wider conversation around physical access control. Just because someone is an employee, doesn’t mean they should be allowed to go everywhere.

For example, if you have a room that stores sensitive information or equipment, only those who have a need to see or use it should be able to access that room.

Similar principles apply to logical access: organisations must restrict this on a need-to-know basis and by the principle of least privilege [PoLP].

What access controls should organisations implement?

Common logical [cyber/digital] access controls include passwords and MFA [multifactor authentication], firewalls, and network segmentation and segregation. Ideally, you’d apply these in a zero-trust architecture.

For physical security, you can use:

• The simple but effective key and lock;
• A combination lock or PIN pad; or
• Card readers.

You could also use biometric access control, but using biometric data is subject to stricter legal requirements around privacy [under the UK GDPR – General Data Protection Regulation].

What about physical security monitoring?

That’s the only new control introduced in the 2022 Standards for the ‘physical’ theme. Control 7.4: “Premises should be continuously monitored for unauthorized physical access.”

This could be something like CCTV, or a human element – a security guard, whether physically near the door or at the other end of a switchboard.

Alarms are good, too, but they raise questions like who’s going to come in to investigate when it goes off at, say, 4:00 am on a Saturday.

Why was a new, separate control for physical security monitoring needed?

It gives you enhanced peace of mind.

Suppose you own a lot of sensitive equipment and are in an area with a high crime rate [an aspect of environmental security]. You’d want that peace of mind that you’ll become aware of anyone interfering with your equipment.

In this respect, CCTV and other security monitoring act as both preventive measures – i.e. a deterrent – and detective measures. They’ll help detect suspicious activity, but also deter burglars. CCTV won’t stop everyone, but it’ll make at least a few people think twice, knowing their actions will be caught on camera.

In fact, CCTV can work well as a forensic measure, too. If someone does break in, CCTV can help identify the culprit. At the very least, it can inform the police where to dust for fingerprints, as the cameras show which surfaces the burglar has touched.

What are the risks or drawbacks around CCTV?

Cameras aren’t infallible – they can be covered up or out of order, for example.

Then there’s the footage itself – recordings might be overwritten, and you’re only going to keep them for a certain period anyway, if only for the sake of cost.

In addition, you need to be aware of your privacy obligations. Ensure that people know they’re being recorded – e.g. via a clearly visible CCTV notice – and why you’re collecting that data.

[This guide to the GDPR and CCTV in the workplace discusses this in more detail.]

So, control 7.4 in ISO 27001 isn’t accounting for a new phenomenon, but filling in a gap in the old Standard?

Yes, it just brings ISO 27001 up to date. Plus, ISO 27002 provides guidance beyond just installing video monitoring systems and intruder alarms – it also raises points like preventing them from being disabled remotely.

By formalising this as a control, organisations can get clearer guidance on its various aspects. They’ll also be less prone to overlooking things.

[Note: ISO 27002 provides generic guidance on how to implement each control in Annex A of ISO 27001.]

The ‘physical’ theme in ISO 27001:2022 and ISO 27002:2022 contains relatively few controls. Which are the most important?

The controls around building access:

• How will you control access to your physical premises?
• How will you identify who is and isn’t permitted to enter?
• How will you keep unauthorised staff and other people out of restricted areas?

It’s about not overlooking anything. You may, for example, have your HR team in one part of the building to keep sensitive personal information about staff separate from, say, the sales team.

For similar reasons, you’d want to separate finance, too – very few people need access to financial information, so make sure you restrict it on a need-to-know basis.

What you don’t want to do is mix teams. When all finance staff sit together, it doesn’t matter whether one person looks at another’s screen and sees confidential financial data. But you can’t police casual glances from, say, a sales employee sitting next to finance staff.

Again, even vetted staff shouldn’t be seeing information not relevant to their job – particularly where that information is sensitive.

What if you’re a small organisation, with very few staff?

Even when you have different functions sitting in the same small room, you can designate a quiet space for sensitive work.

Or you can position screens in such a way that you can’t see what the person is working on if, for example, you walked into the managing director’s office. If you’re then invited to look at their screen, the director can make sure you can only see what you need to.

What, if any, aspect of physical security do you believe is overlooked?

Actually, organisations do quite a good job at this. Many are very switched on and alert about the physical side – the cyber side is where more problems emerge. That may be due to a lack of experience – we’ve had to think about physical security long before the Internet emerged.

Situations like having multiple organisations within the same tall building are so common. It’s very normal to have, say, a tenth-floor office, with staff given a key card that only gives them access to that floor and the front door of the building.

Or if you have a visitor, they’d call at the front-desk reception, who then sends them to the correct floor and lets you know to buzz them in, or whatever.

Can you remotely audit physical security?

With cameras! An auditee will use something like a camera phone or laptop, then walk and talk the auditor through the process.

So, they’d say something like: ‘I’m standing outside the building. I’m now going to get my key card out and swipe into the building. If I was a guest, I’d call into reception here. I’d press that button, then tell the receptionist who I am and who I’ve come to see.

‘The receptionist then gives me a visitor lanyard, and phones the office. Someone from the office then comes down to show me upstairs.’

Admittedly, you get a better feel for the physical security when you’re there. Not least because you’re the visitor in that scenario.

But the remote camera makes for a good substitute in, say, a lockdown situation. Or when the organisation spans multiple premises. This is a particularly good option for internal audits, rather than certification audits, where the auditor would need a higher level of assurance.

Speaking of remote, even when all staff are home-based, work still involves a physical element, such as their home offices. What can organisations do to address those risks?

A remote working policy is a good place to start. This should cover things like physically securing company equipment. For example:

• Avoid working in public
• Only use secured Wi-Fi networks
• Never leave your equipment unattended in public
• When travelling by car, put the equipment in the car boot
• When travelling by plane, put laptops, etc. in your carry-on luggage

Also, don’t let unauthorised people use the device!

Last November, a Scottish minister let his children use his tablet, running up a massive bill. He’d initially charged the taxpayer for that, but that aside, unauthorised users – family included – mustn’t gain access to company equipment under any circumstances.

What are some other remote-working tips?

Remote working typically involves putting stuff in the Cloud – old-school server and communications rooms are dying off.

Involving a Cloud service provider means you’re sharing the risk. Your data might be managed and secured by the provider, but you remain responsible for that data, legally speaking.

So, ask questions like:

• What assurances can the provider give around security?
• How will I make sure I can retrieve the data in the Cloud at any time?
• What third-party suppliers does your provider use, where are they based, and how do you know you can trust them?

Under ISO 27001:2022, supply chain management stretches across multiple controls:

• 5.19: Information security in supplier relationships
• 5.20: Addressing information security within supplier agreements
• 5.21: Managing information security in the ICT supply chain
• 5.22: Monitoring, review and change management of supplier services
• 5.23: Information security for use of Cloud services [another new control]

That signals its importance to overall information security. If your supply chain isn’t secure, nor are you.

Note: To learn more about how to simplify supply chain risk management, check out this interview with Andrew Pattison, head of GRC consultancy at IT Governance Europe.

Looking to improve staff awareness around physical security?

Our 45-minute Physical Security Staff Awareness E-learning Course may be just the thing.

This engaging course teaches staff what physical security is, and how they can contribute to keeping their workplace and your assets secure. It also addresses the threats posed by remote working.

More interested in general information security awareness training for staff? Check out our Information Security Staff Awareness Elearning Suite.

We hope you enjoyed this edition of our ‘Expert Insight’ series. We’ll be back soon, chatting to another expert with GRC International Group.

In the meantime, why not check out our interview with Group CEO Alan Calder about transitioning to ISO 27001:2022?

Alternatively, explore our full index of interviews here.

The post ISO 27001 and Physical Security appeared first on IT Governance UK Blog.

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

Publicly disclosed data breaches and cyber attacks: in the spotlight

More than 6 million accounts compromised from streaming service MovieBoxPro

MovieBoxPro, a streaming service of “questionable legality”, suffered a data scraping incident on 15 April 2024, according to Have I Been Pwned.

Data scraping is a typically automated process that extracts information from websites, allowing criminals to compile data sets containing personal information.

The data breached included usernames and email addresses.

Reportedly, the vulnerability has now been mitigated.

Data breached: 6,009,014 accounts.

A further 381,000 New York City public school students affected by 2022 data breach

In January 2022, personal data from around 820,000 New York City public school students, both current and former, was breached.

It emerged this week, according to the New York City Department of Education, that data from a further 381,000 students was also compromised in this incident.

Data breached: 1,201,000 people’s data.

At least 191 Australian organisations affected by ZircoDATA ransomware attack

The ransomware group BlackBasta listed Australia-based ZircoDATA as a victim in February, allegedly exfiltrating 395 GB of data.

This week, it turns out at least 191 further Australian organisations, including government entities, were affected by this breach, highlighting the risks of supply chain attacks. Apparently, the data belongs to tens of thousands of Australians.

Data breached: 395 GB.

Publicly disclosed data breaches and cyber attacks: full list

This week, we found 9,038,475 records known to be compromised, and 258 organisations suffering a newly disclosed incident. 253 of them are known to have had data exfiltrated, exposed or otherwise breached. None definitely haven’t had data breached.

We also found 11 organisations providing a significant update on a previously disclosed incident.

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.

AI

noyb files complaint against OpenAI for not correcting inaccurate information

The non-profit noyb filed a complaint against OpenAI with the Austrian data watchdog for failing to meet a key GDPR requirement: that personal data is accurate, and that data subjects have full access to that data along with source information.

noyb says: “OpenAI openly admits that it is unable to correct incorrect information on ChatGPT. Furthermore, the company cannot say where the data comes from or what data ChatGPT stores about individual people. The company is well aware of this problem, but doesn’t seem to care.”

Also this week, a group of US newspapers sued OpenAI and Microsoft for misusing their reporters’ writing to train their AI systems.

ICO publishes its response to regulating AI consultation

With the ICO (Information Commissioner’s Office) consultation on “Regulating AI: the ICO’s strategic approach – a response to the DSIT Secretary of State” now closed, the UK regulator has published its response.

New publications by DHS and NIST to help ensure safety and security of AI systems, as instructed by EO 14110

The US Department of Homeland Security has developed safety and security guidelines for critical infrastructure operators, as tasked by Executive Order 14110: “Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence”.

Also this week, NIST released four draft publications “intended to help improve the safety, security and trustworthiness of [AI] systems”.

Enforcement

New UK laws for IoT device security

The UK government has published new laws, mandating Internet-connected smart devices to meet a minimum security standard. Most notably, it’s banning bad default passwords on IoT (Internet of Things) devices, becoming the first country to do so.

Group CEO Alan Calder commented:

It’ll certainly improve the long-term robustness of the UK’s cyber security infrastructure – but that’ll only be gradual, because it only applies to new devices.

The laws don’t apply retrospectively to the millions of inadequately protected smart devices already in service – and which are replaced over decades rather than months.

So, there won’t be any immediate benefit in terms of reduction in data breaches – progress on that front will continue to depend on better-educated consumers!

FCC fines four wireless carriers $196 million

The US Federal Communications Commission has fined four large US wireless carriers – AT&T, Sprint, T-Mobile and Verizon – $196 million for illegally sharing access to customers’ location data.

Unrelated, AT&T also recently suffered a large data breach, affecting more than 51 million customers’ data.

Three new GDPR fines

The ICO issued a £7,500 fine under the UK GDPR to Central Young Men’s Christian Association for failing to use Bcc, thereby revealing HIV status.

Under the EU GDPR, the Czech supervisory authority issued a €13.9 million fine for violating Articles 6 and 13. Meanwhile, the Greek authority issued the Hellenic Post a fine of 1% of the most recent global annual turnover for violating Articles 5(1)(f) and 32.

Other news

Security research team finds nearly 3 million Docker Hub repositories host malicious content

JFrog and Docker partnered for security research, finding that nearly 3 million Docker Hub repositories – almost 20% of all public repositories – host malicious content.

ICO and Ofcom publish statement on collaboration on regulating online services

Two UK regulators, the ICO and Ofcom (the UK’s communications regulator) have published a joint statement on “the regulation of online services where online safety and data protection intersect” to ensure “a coherent approach to regulation”.

New guidance

New NCSC guidance: AMS (Advanced Mobile Solutions)

The UK NCSC (National Cyber Security Centre) has published new guidance, called ‘AMS’ or ‘Advanced Mobile Solutions’. This risk model, along with “a set of architecture patterns and associated technologies” allows “high-threat organisations to stay connected ‘on the go’.”

Recently published reports

• Bitsight: A Global View of the CISA KEV Catalog: Prevalence and Remediation
• Cloudflare: Q1 2024 Internet disruption summary
• Corvus: Q1 Ransomware Report
• Cyber Threat Alliance: 2024 Cyber Threats to NGOs
• Sophos: The State of Ransomware 2024
• Verizon: 2024 Data Breach Investigations Report
• VulnCheck: State of Exploitation – A Peek into the Last Decade of Vulnerability Exploitation
• World Economic Forum: Cyber Readiness in Latin American Public Sectors: Lessons from the Frontline

That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

• Industry news, including this weekly round-up;
• Our latest research and statistics;
• Interviews with our experts, sharing their insights and expertise;
• Free useful resources; and
• Upcoming webinars.

The post 6,009,014 MovieBoxPro Accounts Breached in Another Data Scraping Incident appeared first on IT Governance UK Blog.

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

Publicly disclosed data breaches and cyber attacks: in the spotlight

Criminal hackers threaten to leak World-Check screening database

A criminal group known as GhostR claims to have stolen 5.3 million records from World-Check, a database used to screen potential customers for links to illegal activity and government sanctions.

Compromised data includes names, passport numbers, Social Security numbers, online crypto account identifiers and bank account numbers.

A spokesman for the London Stock Exchange Group, which maintains the database, confirmed the data was illegally obtained from a third party and didn’t dispute the amount of data stolen. GhostR says it obtained the records from a Singapore-based company with access to the database.

Data breached: 5,300,000 records.

Almost 1.5 million accounts compromised in Le Slip Français data breach

The French underwear manufacturer Le Slip Français has suffered a data breach. The alleged perpetrator, who goes by the name ShopifyGUY, claims to have obtained more than 1.5 million emails, including 690,000 sets of customer details comprising email addresses, names, postal addresses, phone numbers and purchase data.

ShopifyGUY is the same person who posted the Giant Tiger data last week. According to Troy Hunt of the data breach notification service HIBP (Have I Been Pwned), “it looks like they’re finding @Shopify keys somewhere then just dumping all the data. I’m told the JSON format these breaches all appear in is consistent with that, so it stands to reason that’s the common vector for all these breaches”.

Hunt has added 1,495,127 Le Slip Français accounts to the HIBP database.

Data breached: 1,495,127 accounts.

Mobile Guardian app hacked, compromising Singaporean parent and teacher data

The names and email addresses of parents and teachers from 5 primary and 122 secondary schools in Singapore have been compromised after a mobile app was hacked. Mobile Guardian, which is used to help parents manage their children’s device usage, was hacked on 19 April, according to the Singaporean Ministry of Education.

Mobile Guardian, which is based in the UK, said that its investigations detected unauthorised access to its systems via an administrative account on its management portal. Account records from the US were also accessed.

Data breached: unknown.

Publicly disclosed data breaches and cyber attacks: full list

This week, we found 16,482,365 records known to be compromised, and 241 organisations suffering a newly disclosed incident. 227 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 6 definitely haven’t had data breached.

We also found 8 organisations providing a significant update on a previously disclosed incident.

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.

AI

NSA published guidance on strengthening the security of AI systems

The US National Security Agency has published a cyber security information sheet entitled Deploying AI Systems Securely: Best Practices for Deploying Secure and Resilient AI Systems. The guidance was designed for national security purposes, but can be applied by anyone bringing AI capabilities into a managed environment.

Protect AI releases April 2024 vulnerability report

Protect AI has published its latest monthly report into security vulnerabilities affecting AI systems. This month contains 48 vulnerabilities, up 220% from the 15 it identified in November 2023.

Enforcement

Proposed FTC order will fine Cerebral, Inc. $7 million and restrict its use of sensitive data

Cerebral, Inc. has agreed to an FTC order that will prohibit it from using or disclosing sensitive consumer data for advertising purposes. Under the proposed order, the company will be required to pay more than $7 million for violating its customers’ privacy rights.

International law enforcement operation disrupts LabHost phishing-as-a-service platform

A law enforcement operation involving 19 countries has disrupted LabHost, one of the world’s largest phishing-as-a-service platforms. 37 suspects have been arrested and the LabHost platform has been shut down.

Other news

ENISA will not create vulnerability database

Hans de Vries, the new chief cybersecurity and operational officer of ENISA, the EU Agency for Cybersecurity, has confirmed that his agency will not create a database of security vulnerabilities, as proposed by the EU Cyber Resilience Act.

NCSC CAF (Cyber Assessment Framework) 3.2 published

The National Cyber Security Centre has published version 3.2 of its Cyber Assessment Framework. Significant changes have been made to sections covering remote access, privileged operations, user access levels and the use of multifactor authentication.

CREST launches new cyber threat intelligence guide

CREST has published a new guide: What is Cyber Threat Intelligence and How is it Used? It provides accessible advice on the theory and practice of CTI products and services, outlining key concepts and principles underpinning CTI, along with the ways organisations can use CTI to predict, prevent, detect and respond to potential cyber security threats and reduce cyber risk.

NATO to launch new cyber centre

Acknowledging that “cyberspace is contested at all times”, NATO will create a new cyber centre at its military headquarters in Mons, Belgium. James Appathurai, NATO’s deputy assistant secretary general for innovation, hybrid and cyber, said the new centre would be modelled on the UK’s NCSC.

HHS patches security after cyber attack

Following a cyber attack on the US Department of Health and Human Services last year, in which criminals stole $7.5 million, the Department is removing HHS Login from its grantee payment system.

EDPB sets out priorities for 2024–2027

The EDPB (European Data Protection Board) has adopted its strategy for 2024–2027, which is based around four pillars:

1. Enhancing harmonisation and promoting compliance.
2. Reinforcing a common enforcement culture and effective cooperation.
3. Safeguarding data protection in the developing digital and cross-regulatory landscape.
4. Contributing to the global dialogue on data protection.

The Board’s chair, Anu Talus, said: “The new strategy takes the existing vision in a new direction in order to respond to the data protection needs of today, and the ever evolving digital landscape. The strategy is the result of a collaborative effort, involving all EU data protection authorities (DPAs) and sets out common priorities for the years to come.”

EDPB publishes opinion on Meta’s ‘pay or OK’ model

The EDPB has published its opinion on Meta’s proposed ‘pay or consent’ model, which aims to charge users a monthly fee to use its platforms without targeted advertising. Louise Brooks, from IT Governance’s sister company DQM GRC, observes:

“The opinion finds that Meta’s proposed ‘pay or consent’ model isn’t compliant with the EU GDPR, but it doesn’t go so far as to rule it out as an option completely. It’s important at this stage to understand that EDPB opinions are not legally binding.

“However, the opinion was requested by supervisory authorities for the purpose of active cases under consideration for enforcement action, so the outcome of those cases will add context and detail to the interpretation of, and potential future reliance upon, the opinion.

“From a UK perspective, we know the ICO is actively monitoring the European debate on this issue as it confirmed the same at the DMA’s recent annual conference, so it remains to be seen how the EDPB’s opinion might be used or interpreted here.

“The debate certainly isn’t over, and we probably need to wait for case law to proceed before we can really start seeing the wood for the trees and understand the ramifications.

“Nevertheless, any sensible large online platforms would do well to model alternatives and consider the impact any precedents set by enforcement actions that don’t support their business models might have.”

ICO publishes guidance to improve transparency in health and social care

The ICO (Information Commissioner’s Office) has published new guidance to provide regulatory certainty on how health and social care organisations should handle sensitive information while keeping people properly informed.

Recently published reports

• ANY.RUN: Malware Trends Report: Q1, 2024
• Check Point: Microsoft and Google Top the List in Q1 2024 Phishing Attacks: Check Point Research Highlights a Surge in Cyber Threats
• Cloudflare: DDoS threat report for 2024 Q1
• CyberEdge: Cyberthreat Defense Report
• CYE: Inadequacies in Breach Insurance Coverage: A Data-Driven Gap Analysis
• Dr. Web: Doctor Web’s review of virus activity on mobile devices in 2023
• Food and Ag-ISAC: Farm-To-Table Ransomware Realities
• GuidePoint: Q1 2024 Ransomware Report
• Imperva: 2024 Imperva Bad Bot Report
• Kroll: The State of Cyber Defense: Diagnosing Cyber Threats in Healthcare
• Pentera: The State of Pentesting 2024
• Red Canary: Intelligence Insights: April 2024
• The Record: Ransomware Tracker

Key dates

29 April 2024 – UK Product Security and Telecommunications Infrastructure Act 2022 comes into effect

The UK’s consumer connectable product security regime comes into effect on 29 April 2024. Businesses in the supply chains of these products need to be compliant with the legislation from that date.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.

That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

• Industry news, including this weekly round-up;
• Our latest research and statistics;
• Interviews with our experts, sharing their insights and expertise;
• Free useful resources; and
• Upcoming webinars.

The post The Week in Cyber Security and Data Privacy: 15 – 21 April 2024 appeared first on IT Governance UK Blog.

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

Update on last week’s story about the alleged US EPA (Environmental Protection Agency) breach: it appears the data was already publicly available. We’ve therefore removed this entry from our incident log.

Publicly disclosed data breaches and cyber attacks: in the spotlight

AT&T confirms more than 50 million customers affected by March data breach

On 17 March, a threat actor known as Major Nelson listed more than 70 million data records on a dark web forum, claiming it to be data originally exfiltrated from AT&T by a threat actor known as ShinyHunters in 2021. AT&T said the data did not come from its systems.

Now, the company has confirmed that more than 50 million people’s data was in fact included in the 17 March data leak. Compromised data included full names, email addresses, postal addresses, phone numbers, Social Security numbers, dates of birth, AT&T account numbers and AT&T passcodes. According to AT&T’s investigation, the data appears to be from June 2019 or earlier.

Data breached: 51,226,382 people’s data.

Giant Tiger confirms data breach via third party

The Canadian retail chain Giant Tiger has reported that one of its vendors has suffered a cyber attack, affecting nearly 3 million Giant Tiger customer data records. Compromised data included customers’ names, postal addresses, email addresses, phone numbers and purchase data, all of which was leaked online.

The data breach notification website Have I Been Pwned added the data to its database on 12 April, confirming that 46% of the records were already in its database.

Data breached: 2,842,669 records.

Cyber attack causes Traverse City Area Public Schools to cancel classes

TCAPS (Traverse City Area Public Schools) in Michigan cancelled classes on 1 and 2 April because of what it described as “network disruption that impacted the functionality and access of certain systems”.

On 14 April, a threat actor known as Medusa claimed to have stolen 1.2 TB of data from TCAPS, demanding a ransom of $500,000.

Data breached: 1.2 TB.

Publicly disclosed data breaches and cyber attacks: full list

This week, we found 7,531,492 records known to be compromised, and 124 organisations suffering a newly disclosed incident. 105 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 3 definitely haven’t had data breached.

We also found 24 organisations providing a significant update on a previously disclosed incident.

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all. To learn more about our research methodology, click here.

AI

AI-written PowerShell script used in malicious email campaigns

Bleeping Computer reports that a threat actor is using a PowerShell script “likely” created with ChatGPT or a similar AI model to spread the Rhadamanthys information stealer via email. The security company Proofpoint attributed the attack to a threat actor tracked as TA547, also known as Scully Spider.

ICO seeks views on generative AI models’ accuracy         

The ICO (Information Commissioner’s Office) has launched a consultation on how data protection law applies to generative AI, particularly in relation to its accuracy. The Information Commissioner, John Edwards, commented: “In a world where misinformation is growing, we cannot allow misuse of generative AI to erode trust in the truth. Organisations developing and deploying generative AI must comply with data protection law – including our expectations on accuracy of personal information.” The consultation is open until 5 pm on 10 May 2024.

Enforcement

European Parliament votes to enhance EU GDPR enforcement

MEPs have voted in favour of amendments to the EU GDPR (General Data Protection Regulation) that strengthen the Regulation’s enforcement. The amendments change the role of the supervisory authorities and remove some of their obligations to share the findings of their investigations.

Police investigating LockBit ransomware gang seek 200 suspected criminals

Police have matched some 200 LockBit affiliates’ pseudonyms to their real identities. A police spokesperson, who asked to remain anonymous, told Bloomberg that they “now have a clear idea of LockBit’s hierarchy and its most influential members, who they plan to pursue”.

Other news

Hunters International demands $10 million ransom from Hoya Corporation

Last week, we listed a security incident affecting several of Hoya Corporation’s divisions. It now transpires that the cyber attack was carried out by the Hunters International ransomware group, which has demanded a $10 million ransom from the Japanese optical instrument manufacturer. Hunters claims to have stolen 2 TB of data from the company, which it is threatening to release if its demands are not met.

NIST releases online courses for SP 800-53, SP 800-53A and SP 800-53B

NIST (National Institute of Standards and Technology) has released self-guided online courses on three of its standards: SP (Special Publication) 800-53, SP 800-53A and SP 800-53B.

All three courses are introductory, offering a “high-level overview of foundational security and privacy risk management concepts” based on these standards.

91,000 LG smart TVs vulnerable to attack

Bitdefender has discovered four security vulnerabilities affecting multiple versions of LG Electronics WebOS – the operating system used in its smart TVs. According to Bleeping Computer, the vulnerabilities “enable varying degrees of unauthorized access and control over affected models, including authorization bypasses, privilege escalation, and command injection”.

USDoD attempting to sell 2.9 billion data records from UK, US and Canada

A threat actor known as USDoD has listed a 4 TB database apparently containing 2.9 billion rows of data on a dark web forum. Given the scale of the database, we await verification before adding it to our listings.

Recently published reports

• Adyen: Index global fraud
• Bruce et al: World Cybercrime Index
• Check Point: Shifting Attack Landscapes and Sectors in Q1 2024 with a 28% increase in cyber attacks globally
• Cyberint: Q1 2024 Ransomware Report
• D3 Security: In The Wild 2024
• DTEX Systems: 2024 Insider Risk Investigations Report
• EDPS (European Data Protection Supervisor): Annual Report 2023: adaptability in a changing world
• IDTC (Identity Theft Resource Center): Q1 Data Breach Analysis
• IMF (International Monetary Fund): April 2024 Global Financial Stability Report
• NORMA Cyber: Annual Threat Assessment 2024
• Pinpoint Search Group: Cyber Security Vendor Funding Report – Q4, 2023
• Recorded Future: 2023 Annual Report

Key date

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.

That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

• Industry news, including this weekly round-up;
• Our latest research and statistics;
• Interviews with our experts, sharing their insights and expertise;
• Free useful resources; and
• Upcoming webinars.

The post The Week in Cyber Security and Data Privacy: 8 – 14 April 2024 appeared first on IT Governance UK Blog.

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

Publicly disclosed data breaches and cyber attacks: in the spotlight

Misconfigured Google Firebase instances expose almost 125 million user records

On 10 January, a security researcher known as ‘MrBruh’ reported on vulnerabilities in the AI hiring system Chattr.ai, which is used by many US fast food chains.

According to MrBruh, attackers could register profiles with full privileges by exploiting misconfigurations in Google Firebase – a Cloud-based mobile application platform.

This gave them access to names, phone numbers, emails, plaintext passwords, branch locations, confidential messages and shift information for Chattr employees, franchisee managers and job applicants.

MrBruh, alongside two other researchers who go by the names ‘Logykk’ and ‘xyzeva’/’Eva’, then scanned more than 5 million domains for personally identifiable information exposed via other misconfigured Firebase instances.

They discovered 916 misconfigured websites, exposing 124,605,664 million users’ records, including names, emails, phone numbers, passwords and financial data.

The researchers then alerted all affected organisations, sending 842 emails over 13 days. Only 24% of site owners fixed the misconfiguration.

Data breached: 124,605,664 records.

Multiple Indian brands affected by Gamooga misconfiguration

A misconfigured Apache Kafka broker belonging to the Indian marketing analytics company Gamooga exposed sensitive data relating to numerous organisations in India for over a year, “including banking service providers, insurance agencies, e-commerce stores, entertainment apps, and educational institutions”.

At least 1 million customers of well-known brands, including Swiggy, Redbus, Nykaa, BigBasket, TataMotors, ICICIPruLife and Axis Direct, are known to be affected, but the actual scale of the breach is potentially vast: Gamooga claims to track more than 1 billion users – two thirds of India’s population, or one eighth of the world’s.

Publicly accessible information included names, dates of birth, phone numbers, email addresses, IP addresses, purchase history, insurance information, payment information, and more.

Data breached: at least 1 million people’s data.

Chinese APT group compromises 70 organisations, including 48 government agencies

The Chinese advanced persistent threat group Earth Krahang is known to have targeted at least 116 organisations in 45 countries, and has successfully breached 70 organisations in 23 countries. These include 48 government agencies, 10 of which are foreign affairs ministries.

According to Trend Micro, which has been tracking the group since early 2022, the group “exploits public-facing servers and sends spear phishing emails to deliver previously unseen backdoors”.

It then uses “its malicious access to government infrastructure to attack other government entities, abusing the infrastructure to host malicious payloads, proxy attack traffic, and send spear-phishing emails to government-related targets using compromised government email accounts”.

Data breached: unknown.

Publicly disclosed data breaches and cyber attacks: full list

This week, we found 134,503,937 records known to be compromised, and 1,091 organisations suffering a newly disclosed incident. 916 of those incidents are linked to Google Firebase misconfigurations, as explained above.

This week, 1,076 organisations are known to have had data exfiltrated, exposed or otherwise breached. Only 5 definitely haven’t had data breached.

We also found 6 organisations providing a significant update on a previously disclosed incident.

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.

AI

Microsoft research finds 87% of UK organisations vulnerable to cyber attacks in the age of AI

A new report by Microsoft, in collaboration with Dr Chris Brauer of Goldsmiths, University of London classed 87% of UK organisations as vulnerable to cyber attacks. Mission Critical: Unlocking the UK AI Opportunity Through Cybersecurity states that the UK must cement its position as a “cybersecurity superpower” in order to realise its ambition of becoming a global “AI superpower”.

Google VLOGGER generates video from photos, raising security concerns

Google researchers have unveiled VLOGGER, an AI model that can generate photorealistic videos of people from photographs and audio samples. However, security professionals have expressed concern about the technology’s potential misuse to create deepfakes that could be used for social engineering attacks.

Enforcement

Nemesis Market darknet marketplace shut down

The Office of the Public Prosecutor General in Frankfurt am Main – Central Office for Combating Cybercrime – and the German Federal Criminal Police Office have seized the server infrastructure of the darknet marketplace Nemesis Market, along with €94,000 in cryptocurrency.

US House of Representatives passes bill to block sale of US data to foreign adversaries

The House of Representatives has unanimously voted in favour of a bill to block data brokers from selling US citizens’ data to foreign adversaries.

“Today’s overwhelming vote sends a clear message that we will not allow our adversaries to undermine American national security and individual privacy by purchasing people’s personally identifiable sensitive information from data brokers,” said House Energy and Commerce Committee leaders Cathy McMorris Rodgers and Frank Pallone in a joint statement. 

Other news

UK accuses China of two malicious cyber campaigns

The UK’s deputy prime minister, Oliver Dowden, has officially blamed the 2021–22 attacks on the UK’s Electoral Commission and parliamentarians on “China state-affiliated actors”.

ICO publishes new fining guidance

The UK’s data protection authority, the ICO (Information Commissioner’s Office), has published new data protection fining guidance, setting out how it calculates fines.

The ICO’s director of legal service, Tim Capel, said: “We believe the guidance will provide certainty and clarity for organisations. It shows how we reach one of our most important decisions as a regulator by explaining when, how and why we would issue a fine for a breach of the UK General Data Protection Regulation or Data Protection Act 2018.”

ISACA® qualification chosen by NCSC as part of GovAssure

ISACA’s® CISA (Certified Information Security Auditor) qualification has been chosen by the NCSC as an industry-leading standard and qualifying criterion for companies licensed to conduct assurance reviews of government organisations, as part of its new cyber assurance regime for government systems, GovAssure.

Recently published reports

• Akamai: Lurking in the Shadows: Attack Trends Shine Light on API Threats
• Cado Security: H2 2023 Cloud Threat Findings Report
• Horizon3.ai: 2023 Year in Review
• Imprivata/Ponemon Institute: Unlocking the cost of chaos: The state of enterprise mobility in life- and mission-critical industries
• Kaspersky ICS CERT: Threat landscape for industrial automation systems: H2 2023
• KELA Research: A deep dive into Akira and Black Basta negotiations
• Proofpoint: The 2024 Data Loss Landscape
• Recorded Future: 2023 Annual Report

Key dates

21 March 2024 – Old EU Standard Contractual Clauses expired

If you transfer data using old EU standard contractual clauses issued under the Data Protection Directive 1995, the deadline to replace them was 21 March 2024. The ICO website provides further information.

31 March 2024 – PCI DSS v4.0 transitioning deadline

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.

That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week Tuesday with the biggest and most interesting news stories, all rounded up in one place. Until then, have a good Easter.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

• Industry news, including this weekly round-up;
• Our latest research and statistics;
• Interviews with our experts, sharing their insights and expertise;
• Free useful resources; and
• Upcoming webinars.

The post The Week in Cyber Security and Data Privacy: 18 – 24 March 2024 appeared first on IT Governance UK Blog.

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

Publicly disclosed data breaches and cyber attacks: in the spotlight

73,481,539 records from alleged AT&T breach offered for sale

A threat actor known as MajorNelson has listed more than 70 million data records on a dark web forum, claiming it to be data originally exfiltrated from AT&T by a threat actor known as ShinyHunters in 2021.

The data includes names, addresses and mobile phone numbers, as well as encrypted birth dates and Social Security numbers.

AT&T has denied the breach since 2021. However, numerous researchers, including Dark Web Informer and vx-underground, have confirmed that the data does indeed relate to AT&T customers.

Data breached: 73,481,539 records.

France Travail and Cap Emploi breach affects 43 million

The French data protection authority, the CNIL, reports that the unemployment agencies France Travail (formerly Pôle emploi) and Cap Emploi have suffered a cyber attack that led to the exposure of 43 million people’s data.

According to France Travail, the breached data includes names, dates of birth, email and postal addresses, telephone numbers, social security numbers and France Travail identifiers. Passwords and bank details were not affected.

Last August, Pôle emploi suffered a data breach affecting 10 million people. At the time, the security firm Emsisoft attributed it to May 2023’s MOVEit Transfer breach, but removed the agency from its list of MOVEit victims the following month. It’s not known whether this breach relates to the MOVEit one.

Data breached: 43 million people’s data.

HIBP adds almost 3.3 million ClickASnap records to its database

In October 2022, ClickASnap announced that it had suffered a data breach on 24 September of that year, in which user emails were stolen from a database.

Have I Been Pwned has now added 3,262,980 records to its database, including email addresses, names, passwords, physical addresses, purchases, social media profiles and usernames.

Data breached: 3,262,980 records.

Publicly disclosed data breaches and cyber attacks: full list

This week, we found 65,583,602 records known to be compromised, and 127 organisations suffering a newly disclosed incident. 79 of them are known to have had data exfiltrated, exposed or otherwise breached. Only 37 definitely haven’t had data breached.

We also found 11 organisations providing a significant update on a previously disclosed incident.

Note 1: ‘New’/‘Update’ in the first column refers to whether this breach was first publicly disclosed this week, or whether a significant update was released this week. The updated data point is italicised in the table.

Note 2: For incidents where we only know the file size of the data breached, we use the formula 1 MB = 1 record. Given that we can’t know the exact numbers, as it depends on the types of records included (e.g. pictures and medical histories are considerably larger files than just names and addresses), we err on the side of caution by using this formula. We believe that this underestimates the records breached in most cases, but it is more accurate than not providing a number at all.

AI

MEPs adopt Artificial Intelligence Act

The European Parliament has endorsed the EU Artificial Intelligence Act, with 523 MEPs voting in favour and 46 against the Act. There were 49 abstentions.

The Act “aims to protect fundamental rights, democracy, the rule of law and environmental sustainability from high-risk AI, while boosting innovation and establishing Europe as a leader in the field”. It also “establishes obligations for AI based on its potential risks and level of impact”.

Garante launches investigation info Open AI’s Sora

Italy’s data protection authority, the Garante per la Protezione dei Dati Personali, has announced that it is investigating Open AI following the launch of a new AI model called Sora, which is capable of creating videos from short textual instructions. The Garante is considering the possible implications Sora could have on the processing of EU residents’ personal data.

Enforcement

European Commission’s use of Microsoft 365 infringes data protection law

The EDPS (European Data Protection Supervisor) has announced that it has found the European Commission’s use of Microsoft 365 infringed several data protection provisions that apply to EUIs (EU institutions, bodies, offices and agencies), including ensuring that personal data transferred outside the EEA is subject to appropriate safeguards.

LockBit associate pleads guilty to cyber extortion

Mikhail Vasiliev, a hacker awaiting extradition from Canada to the US on cyber crime charges, has pleaded guilty to eight counts of cyber extortion, mischief and weapons charges. Vasiliev was arrested over a year ago for committing crimes in connection with the LockBit ransomware group.

Justice officials say Vasiliev took tens of millions of dollars in ransom payments from at least 1,000 ransomware attacks.

Meanwhile, LockBit’s purported leader has vowed to continue its ransomware attacks, despite the massive law enforcement operation that disrupted the group earlier this year.

Polish supervisory authority issues two €24,000 fines for data breach notification failures

Poland’s data protection authority, the UODO (Urząd Ochrony Danych Osobowych), fined two organisations last year for failing to notify it of personal data breaches.

According to the EDPB (European Data Protection Board), the UODO fined an insurance company €24,000 in October 2023 after an unauthorised recipient received an email that was sent in error. The email’s attachment contained personal data belonging to an insurance claimant.

The UODO also fined the District Court in Krakow the same amount in December 2023 after it sent a package containing personal data to the Minister of Foreign Affairs, which arrived damaged and incomplete. The Court, which was the data controller in this instance, failed to notify the supervisory authority of the breach.

Other news

noyb complains that Swedish data broker uses legal loophole to evade GDPR

The privacy rights campaign group noyb has filed a complaint against one of Sweden’s largest data brokers, MrKoll. Noyb argues that MrKroll’s use of a media licence unfairly exempts it from its obligations under the GDPR (General Data Protection Regulation), depriving “people of their fundamental right to privacy and [exposing] their most intimate data to the internet”.

ICO publishes view on DPDI Bill

The ICO (Information Commissioner’s Office) has published its view on the government’s DPDI (Data Protection and Digital Information Bill) as it reaches the Lords committee stage. The Bill aims to reform data protection law in the UK.

Browsers add extra protection to help secure users

Google has announced that Chrome will now use real-time Safe Browsing protections to show warnings when users visit potentially unsafe websites.

And Microsoft has announced that new security protections in Edge and other Chromium-based browsers will prevent criminal hackers from using an exploit in a Renderer Process to escape the Renderer sandbox. This will prevent “attackers from using an exploit to enable the Mojo JavaScript bindings (MojoJS) for their site context within the Renderer”.

Key dates

31 March 2024 – PCI DSS v4.0 transitioning deadline 

Version 3.2.1 of the PCI DSS (Payment Card Industry Data Security Standard) is being retired on 31 March, to be replaced by version 4.0 of the Standard. There are more than 50 new requirements in PCI DSS v4.0. You can find out more about them on the PCI Security Standards Council’s website.

30 April 2024 – ISO/IEC 27001:2013 certification unavailable

Certification bodies must stop offering (re)certification to ISO 27001:2013 by 30 April. The new iteration of the Standard, ISO 27001:2022, isn’t significantly different from ISO 27001:2013, but there are some notable changes. Learn more about complying with ISO 27001:2022.

That’s it for this week’s round-up. We hope you found it useful.

We’ll be back next week with the biggest and most interesting news stories, all rounded up in one place.

In the meantime, if you missed it, check out last week’s round-up. Alternatively, you can view our full archive.

Security Spotlight

To get news of the latest data breaches and cyber attacks straight to your inbox, subscribe to our weekly newsletter: the Security Spotlight.

Every Wednesday, you’ll get a 4-minute email with:

• Industry news, including this weekly round-up;
• Our latest research and statistics;
• Interviews with our experts, sharing their insights and expertise;
• Free useful resources; and
• Upcoming webinars.

The post The Week in Cyber Security and Data Privacy: 11 – 17 March 2024 appeared first on IT Governance UK Blog.

Welcome to this week’s global round-up of the biggest and most interesting news stories.

At the end of each month, these incidents – and any others that we find – will be used to inform our monthly analysis of data breaches and cyber attacks.

Publicly disclosed data breaches and cyber attacks: in the spotlight

loanDepot reports an extra 324,071 victims

In January, the mortgage lender loanDepot announced in an SEC filing that an unauthorised third party had gained access to the sensitive personal information of about 16.6 million individuals in its systems.

In a new breach notification to the Maine Attorney General this week, it reported that an extra 324,071 individuals were affected. The breached data includes names, addresses, emails, phone numbers, dates of birth, and financial account and Social Security numbers.

Data breached: 16,924,071 individuals’ data.

The Colorado Department of Health Care Policy & Financing reports a further 473,936 victims

Last October, the Colorado Department of Health Care Policy & Financing notified the Maine Attorney General of a breach affecting 4,187,732 people. The incident was caused by the MOVEit Transfer vulnerability.

This week, the Department informed the Maine regulator that an additional 474,936 individuals were impacted. The breached data may include names, Social Security numbers and health insurance information.

Data breached: 4,662,668 individuals’ data.

2,350,236 individuals’ health data compromised in American Vision Partners breach

Medical Management Resource Group, L.L.C. (doing business as American Vision Partners), an eye care practitioner with more than 100 eye care centres across the US, reported a data breach affecting 2,350,236 people.

For all individuals, the breached data included names, contact details, dates of birth and medical information. For some victims, the stolen data also included Social Security numbers and health insurance information.

Data breached: 2,350,236 individuals’ data.

Publicly disclosed data breaches and cyber attacks: full list

This week, we found 18,267,244 records known to be compromised, and 94 organisations suffering a newly disclosed incident. 86 of them are known to have had data exfiltrated, exposed or otherwise breached. None definitely haven’t had data breached.

We also found 4 organisations providing a significant update on a previously disclosed incident.