Are Third-Party Services Ready for the GDPR?*:
- Third-party scripts are likely to be a major stumbling block for companies seeking to be in compliance with the EU’s new privacy rules.
- The European Union's General Data Protection Regulation (GDPR) is coming, and companies both inside and outside the EU are scrambling to comply with its many rules.
- Among those rules is a requirement for companies that have access to user data to protect it by any means necessary.
- If companies don’t protect it, they will face hefty fines; the EU imposed a $2.7 billion fine on Google in June over what officials said was Google's misuse of its data power.
- Companies are doing everything they can to comply with the EU's cybersecurity rules.
- But there are data issues beyond the control of any organization in the form of the data collected by third-party scripts, which are processed and stored in databases belonging to the third-party script provider.
- Businesses can’t do without these scripts – they provide services users demand such as social media, ecommerce, comment services, advertising, and much more.
- There’s no way of knowing how secure the scripts are; we know there have been numerous examples of third-party scripts being taken over by cyber-crooks to pull off some spectacular hacks.
- Had GDPR been in effect when these types of exploits were going full blast, the sites would likely have been fined, if not prosecuted.
- One potential work-around is having separation – setting up a sort of sandbox between the third party scripts and organizations.
- With sandbox-type solutions, companies can regain control of their websites while retaining the third-party services their users demand, and sites would be able to protect themselves from the unknown threats presented by third-party scripts, ensuring that user data is protected.
*Source: Dark Reading, August 04, 2017
Australian Red Cross Data Breach Caused by Third-Party Error*:
- An error by a third-party vendor's employee led to the massive data breach that hit the Australian Red Cross last year.
- The investigation into the breach found that a Precedent Communications worker made a backup copy of the Red Cross' Donate Blood website, but instead of saving it to a secure location on their server, placed it in a portion of the server that was publicly accessible.
- The breach, which took place in September 2016, exposed the records of 550,000 prospective blood donors by placing about 1.28 million records on a public facing website.
- Precedent was hired by the Australian Red Cross to handle website development and database management.
- The investigation uncovered the fact that Precedent did not meet two Australian Privacy Principle requirements, but noted the incident was due to human error and was not malicious in nature.
*Source: SC magazine, August 07, 2017
Spoiler Alert: Hackers are Gunning for Hollywood*:
- The entertainment industry remains in a digital growth spurt, and keeping up with and protecting its sprawling supply chain has proven difficult.
- There were 37 publicly reported breaches compromising more than 42 million records last year among media and entertainment companies.
- Not only are entertainment companies tasked with protecting an enterprise with sensitive data of all types, they must secure the high-profile content that’s the lifeblood of the industry.
- Spoilers about a new show or film can be used for extortion, profit or just to give an aspiring hacker credibility on the dark web.
- There are key steps that media and entertainment managers can take to protect their content and information.
- Digital Security Background Checks: Before working with third-party vendors, ensure their approach to security meets your standards.
- Stop, Collaborate and Listen: Digital rights and content-management solutions are a great way to share and control how entertainment companies can collaborate on content without putting it at risk of being compromised.
- Be Aware, Be Very Aware: Security awareness training is key to creating a culture of security. Conduct regular training and implement employee-awareness programs to minimize the human factor.
- Being Prepared Isn’t Just for Boy Scouts: With increasingly sophisticated threats and the cost of data breaches soaring, organizations need to focus on creating swift and efficient responses before incidents occur.
- By adopting a holistic, risk-based approach to secure and enable the business – one that includes partners – companies can cultivate a culture of security, so they’re prepared for an attack.
*Source: Variety, August 04, 2017
HBO Hackers Leak Game of Thrones Stars’ Phone Numbers and Addresses*:
- A recent security breach at HBO has led to the personal phone numbers, home addresses, and email addresses of some Game of Thrones actors leaking online.
- Hackers broke into HBO’s systems and reportedly stole 1.5 terabytes of data, including scripts for upcoming Game of Thrones episodes.
- Hackers have released 3.4GB of data, and reports say that they’re demanding that HBO pay an undisclosed ransom to prevent further leaks.
- A month’s worth of emails from HBO’s vice president for film programming, Leslie Cohen, is also part of the latest leak alongside a large number of confidential documents.
- HBO is reviewing what data has leaked as part of an ongoing forensic investigation.
- It seems unlikely that the HBO hackers have obtained copies of actual Game of Thrones episodes, as only scripts for the TV series have surfaced online so far.
*Source: SHRM, August 08, 2017
New Type of Brute Force Attack on Office 365 Accounts*:
- Recently, 48 Office 365 customers experienced a threat in which an attacker implemented a new strategy to try to access high-level information.
- The brute force login attack was unique in that it was directed against a few key targets across multiple companies instead of casting a wider net against as many users as possible.
- There were 100,000 failed-login attempts originating from 67 IPs and 12 networks over a period of nearly 7 months.
- The first step of the hackers’ plan involved acquiring corporate usernames and passwords from multiple companies that may be tied to multiple cloud services.
- The attackers tried different email variations derived from the employee name to try to gain access to potentially sensitive information.
- The attackers assumed the users used the same password across multiple accounts, and also assumed the accounts lacked basic security provisions, like multi-factor authentication.
- The attackers staggered their login attempts over the course of several months, focusing on one username at a time, and even then each username was targeted for only a few seconds.
- This, along with the use of more than one IP, was intended to avoid triggering any alerts or account lockouts.
- The “slow and low” strategy was carefully crafted and executed, so how was the brute force attack detected?
- Over time and with additional failed login attempts originating from a set of IP addresses, all targeting a handful of Office 365 accounts across multiple organizations, a pattern emerged and elevated the anomalies to actual threats.
- The attack may have been prevented for the most part had the organizations under attack enabled Single Sign-On with Multi-factor Authentication.
- The takeaway here is that it can be very difficult for organizations to fully protect themselves from sophisticated attacks targeting the cloud without having a robust cloud security infrastructure.
*Source: Tripwire, August 09, 2017
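The detection logic described above, as an added example that is not part of the Tripwire article: a per-account lockout rule never fires on attempts spread over months and several IPs, but correlating failures per target account over a long window and counting distinct source IPs does. The log format, account names, IP addresses and thresholds are constructed for the example; the cross-organization correlation the article mentions would require logs from more than one tenant and is not shown.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def constructed_log():
    """Constructed sample sign-in log: '<ISO time> <account> <source IP> <FAIL|SUCCESS>' per line."""
    # Legitimate user mistyping a password three times in one minute from one IP.
    lines = [f"2017-03-01T09:00:{s:02d} alice@example.com 198.51.100.7 FAIL" for s in range(3)]
    lines.append("2017-03-01T09:01:10 alice@example.com 198.51.100.7 SUCCESS")
    # Targeted account: bursts of two guesses every 12 days, rotating through five source IPs.
    ips = [f"203.0.113.{n}" for n in (10, 20, 30, 40, 50)]
    start = datetime(2017, 1, 5, 3, 0, 0)
    for k in range(6):
        for s in range(2):
            ts = start + timedelta(days=12 * k, seconds=s)
            lines.append(f"{ts.isoformat()} cfo@example.com {ips[k % 5]} FAIL")
    return lines

def parse(lines):
    events = []
    for line in lines:
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def failures_by_user(events):
    """Group failed attempts per account as time-sorted (timestamp, source IP) pairs."""
    by_user = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            by_user[user].append((ts, ip))
    for items in by_user.values():
        items.sort()
    return by_user

def lockout_triggered(events, threshold=5, window=timedelta(minutes=10)):
    """Classic per-account lockout: fires only on N failures inside a short window."""
    locked = set()
    for user, items in failures_by_user(events).items():
        for i in range(len(items) - threshold + 1):
            if items[i + threshold - 1][0] - items[i][0] <= window:
                locked.add(user)
                break
    return locked

def slow_and_low(events, window=timedelta(days=180), min_fail=10, min_ips=3):
    """Long-window correlation: many failures from several IPs against one account."""
    flagged = {}
    for user, items in failures_by_user(events).items():
        for i, (start, _) in enumerate(items):
            span = [(t, ip) for t, ip in items[i:] if t - start <= window]
            if len(span) >= min_fail and len({ip for _, ip in span}) >= min_ips:
                flagged[user] = (len(span), len({ip for _, ip in span}))
                break
    return flagged

if __name__ == "__main__":
    ev = parse(constructed_log())
    print("lockout would flag:", lockout_triggered(ev))  # set()
    print("slow-and-low flags:", slow_and_low(ev))       # {'cfo@example.com': (12, 5)}
```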
TalkTalk Gets £100K Fine After Wipro Fraud*:
- TalkTalk has been on the receiving end of another hefty fine; this time the ICO has demanded £100,000 in response to cybersecurity deficiencies which led to the unlawful access of 21,000 customers’ accounts.
- The ISP was made aware of the problems in 2014 when customers contacted it complaining of receiving tech support scam phone calls from people quoting their TalkTalk account numbers and addresses.
- The ICO found the problem lay with a portal used by staff from outsourcer Wipro to access customer info.
- However, ignoring the best practice of “least privilege” access controls, TalkTalk allowed 40 Wipro employees to access data on between 25,000 and 50,000 customers.
- The Wipro staff were able to log in from any internet-enabled device, view 500 records at a time and conduct “wildcard” searches, allowing them to view and export large volumes of data at a time.
- According to the ICO, TalkTalk had a long period of time in which to tighten security – ensuring the portal could only be accessed from authorized devices, and preventing large-scale access and exporting of the data.
- This isn’t the first fine TalkTalk has been handed; it was on the receiving end of a £400,000 penalty following a major data breach in 2015 which exposed the personal details of over 156,000 customers.
- The ISP is lucky that these two incidents happened when they did, given the GDPR will levy fines of up to €20m when it comes into force next May.
*Source: Info Security, August 11, 2017