Hackers Now Have Incredibly Sophisticated Ways to Breach Banks' Defenses*:
- Global banks need to do more to protect themselves from cyber-attacks after a "significant evolution" in the threat level in the last 18 months, according to a report by SWIFT and BAE Systems.
- Hackers are deploying increasingly sophisticated ways of breaching banks’ cyber defenses to launch finely orchestrated attacks.
- Intruders can spend more than a year reconnoitering targets once they have gained access to their computer systems.
- The number of reported cyber-attacks against Financial Conduct Authority regulated companies alone rose to 89 in 2016 from five in 2014.
- A year ago, Tesco Bank, the lending unit of the U.K.’s biggest grocer, suffered an attack in which money was taken from about 20,000 consumer accounts.
- In February 2016 hackers exploited weaknesses in how banks connect to the SWIFT system to steal a record-breaking $81 million from Bangladesh’s central bank.
- Cyber-attacks are at the top of regulators’ concerns in the U.S. as well; the nominee to head the Federal Reserve said that cybersecurity may be the biggest risk that U.S. banks face.
*Source: Bloomberg, November 29, 2017
Shipping Firm Clarksons Braces for Data Leak After Refusing to Pay Hacker*:
- Shipping company Clarksons is bracing for a tranche of private data to be released, after refusing to pay a ransom to a hacker who staged a “criminal attack” on its computer systems.
- The world’s largest shipbroker said it was working with specialist police and contacting customers who may have been affected after a “cybersecurity incident”.
- Shares in Clarksons fell by more than 2% after the announcement, despite the company’s insistence that the hack would not affect its ability to do business.
- The shipbroker arranges charter ships to transport goods, as well as helping shipping companies raise finance and providing services such as logistics and equipment.
- Clarksons is just the latest company to be hit by a major cyber-attack, joining a list that includes Uber, Deloitte, Yahoo, and Equifax.
- Since being hacked, Clarksons mentioned it has consulted data security experts and is investing “heavily” to shore up its defences, amid a broader cybersecurity review.
*Source: The Guardian, November 29, 2017
35% of IT Professionals See Themselves as the Biggest Security Risk to Their Company*:
- Departments like HR and finance are often the easiest targets for social engineering and phishing attacks.
- Many IT staffers still consider themselves the biggest risk, whether incidents occur accidentally or intentionally.
- This is largely due to the fact that IT staff often possess higher access rights than those in other departments, making them a prime target for cyber criminals.
- The survey included responses from 222 IT executives, security professionals, auditors, CIOs, and CISOs.
- When asked about security analytics, 47% of respondents said the time and location of login was the most important user data for spotting malicious activity; using corporate devices (41%) and biometrics identification (31%) were also considered.
- In terms of security technology plans, nearly one-fifth of security professionals said they plan to use analytics to track privileged user behavior in the next year, regardless of budget.
- Sysadmins were considered the largest threat within the privileged user network by 42% of IT workers surveyed, followed by C-suite executives.
- While executives do not typically possess high-level IT skills, their credentials are worth more to hackers than any other group in an organization.
- Personal employee data was named the most valuable asset for hackers by 56% of respondents, as it can easily be sold, followed by customer data (50%), and financial information (46%).
- As attacks become more sophisticated, it is not enough to just keep the bad guys out; security teams must continuously monitor what their own users are doing with their access rights.
*Source: Tech Republic, November 30, 2017
Hackers Are Targeting Your Mobile Phone - Here Are 15 Ways to Slow Them Down*:
- Mobile phones have become the new prey of choice for hackers and other nefarious individuals; once compromised, our phones offer easy access to our personal and financial information.
- Despite growing threats to our smartphones, most people still don’t take basic security precautions.
- A 2016 report says $34 million is spent annually on mobile app development while only $2 million is spent on app security.
- Many people use their phone for two-factor authentication codes and password resets, but if a hacker takes control of your phone number (for example by having it transferred to a SIM card they control) they can receive those codes and gain access to your online accounts.
- Apps are another way that hackers can infiltrate your phone – malicious code can be inserted into free versions of popular apps.
- Following are 15 steps that will make you a harder target:
- Immediately change factory passwords on your phone, and avoid settings for auto-login or saving passwords.
- Keep your operating system up-to-date, and back up your phone regularly.
- Use a dedicated email address for authentication and PIN resets (this email address should be different from your personal address, which may be widely known).
- Be cautious about installing apps from unknown sources, especially free versions of popular apps.
- Only download apps from official sources (like the App Store or Google Play).
- Do not access sensitive information while using unsecured public Wi-Fi.
- Use a VPN to create a more secure channel between your smartphone and the internet.
- Set your phone’s lock-screen feature to engage quickly when the phone is not in use.
- Set your phone to auto-erase if too many incorrect logins are attempted.
- Turn off your phone’s Bluetooth feature when not in use.
- Enable the “Find my phone” feature so that you can quickly locate it if it’s lost or stolen.
- Consider installing security software on your phone – but only approved and well-known software (which usually is not free).
- Try not to keep personal information on your phone for too long.
- Turn off your devices when not in use, especially when travelling.
- Install privacy screens for your devices.
- For those of us who travel extensively overseas each year, particularly to China and other countries of economic espionage concern, we recommend using “throwaway” phones, which can be destroyed after each trip.
- Protect yourself by recognizing the threats ahead of time and making the efforts to mitigate them.
*Source: Harvard Business Review, November 30, 2017
5 Ways Users Circumvent Security Measures and How to Prevent It*:
- Experts support locking down sensitive data to keep it out of the wrong hands; on the other hand, companies can go overboard with restrictions making it difficult for workers to do their jobs efficiently.
- So employees find workarounds; it’s a scenario that slows productivity and puts the data itself in jeopardy.
- Cybersecurity teams don’t need to overhaul their operations to achieve a better balance of security measures and usability.
- They can instead start by addressing several common areas where workers tend to sacrifice security for productivity:
- Complex passwords: Organizations should be smart with their password policies and limit the complex requirements to more reasonable levels.
- Sharing passwords: Cybersecurity teams should work with the business to identify more accurately which users need access to which files, and then create policies on how to enable that shared access securely.
- Sign-in overload: Some workers circumvent frequent log-in requirements by moving data out of secure applications to a spot where they can work more easily. You have to find the right balance between security and convenience; solutions could include identity management and single sign-on, hardware tokens, and biometrics.
- Data held hostage: Security needs to spend more upfront work on data classification to protect the truly sensitive pieces of information, while removing barriers to the less sensitive information that most workers use for their jobs.
- Cumbersome workflow: Sometimes the design of systems doesn’t easily accommodate the existing day-to-day workflow patterns. Companies need to invest in technologies and system designs that make it easy for workers to follow the rules and, more importantly, automate as much of that as possible.
*Source: CSO Online, November 29, 2017
Apple Fixes Major macOS High Sierra Security Flaw*:
- Apple has released a guide to fix a flaw which allowed anyone to log into macOS High Sierra as root without needing a password.
- The vulnerability allows anyone with access to a macOS 10.13 machine to gain administrator rights, or log in as root, simply by authenticating as root with a blank password and clicking the login box several times.
- The flaw was first disclosed to the world by a developer via Twitter after the company failed to take action when the flaw was discussed earlier on Apple’s developer forums.
- Apple is reportedly working on a software patch now (the fix subsequently shipped as Security Update 2017-001, tracked as CVE-2017-13872).
- To exploit the vulnerability, users simply need to bring up the authentication dialog box, type in ‘root’ as a username, leave the password blank, press Enter, then click ‘unlock’ a couple of times.
- Fortunately, the workaround appears simple: enable the root account and set a strong password for it. Once root has a password, the blank-password login no longer works, but the workaround should be treated as a stopgap until the patch is installed.
*Source: IT Pro Portal, November 29, 2017
E-Privacy Law Stuck as EU Governments Ponder Options, Leaked Paper Shows*:
- The EU’s attempts to update its privacy laws for the digital age are firmly stuck, with a leaked paper showing national governments failing to make headway on almost every aspect.
- The new law, proposed by the European Commission in January, tackles questions such as telecom operators’ responsibility to safeguard private online communications and the rights of companies to harvest the data of people surfing the web to target advertising.
- Estonia, which is chairing the talks on behalf of EU governments as current holder of the EU’s rotating presidency, has acknowledged the poor progress.
- The e-privacy rules, which will apply to all data in transit, need to be consistent with the GDPR in dealing with personal data, where their scopes overlap.
- Governments have also proposed that the e-privacy rules only apply to data in transit, and not how it is dealt with by the applications that send or receive the data.
- Estonian negotiators are wondering whether "regulation is needed at all" concerning online advertising given some of the services emerging on the market that help consumers decide how and when they may be traced.
- Authorities are also wary of "undermining legitimate business models" as a result of overzealous policing of online tracking techniques.
- When it comes to whether communications data can and should be available to law enforcement agencies to help them prevent crime, debate is still wide open.
- Estonian officials also stressed that the note only covers a selection of topics where some progress had been achieved, and that many other areas are also still subject to open discussion.
- The European Parliament has voted to fix its position on the bill, largely endorsing a pro-privacy stance that has angered online advertisers and technology companies, but its mandate is weak because several political groups voted against the proposed text.
*Source: Mlex Market Insight, November 14, 2017