Threat Matrix Consolidation........
Updated: Oct 26, 2018
Australia's Cyber Security Agencies are consolidating to match the threat matrix
This week you'll hear how a supply chain attack could snatch your credit card information right from underneath you, how specialist Surgical Practices are not immune and how the Australian Government is restructuring to counter the cyber security threat…… .
Total Compromises: 974
Top Source Hits: ID Theft Forum (501)
Top PIIs compromised: Domains (973)
Clear Text Passwords (498)
Top Company Size: 11-50
Top Industry: High-Tech & IT
In Other News:
The Australian Cyber Security Centre (ACSC) is the Australian Government’s lead agency on national cyber security. It brings together cyber security capabilities from across the Australian Government to improve the cyber resilience of the Australian community and support the economic and social prosperity of Australia in the digital age.
In July 2018 the ACSC became part of the Australian Signals Directorate which became a statutory agency. Australian Government cyber security expertise from CERT Australia and the Digital Transformation Agency moved into the ACSC.
These changes are part of the government's national security reform package to enhance the cyber security support and services the government provides to industry, government and the community.
BIG STICK FOR GDPR
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union (EU). GDPR came into effect across the EU on May 25, 2018.
Arguably the biggest change to the regulatory landscape of data privacy comes with the extended jurisdiction of the GDPR, as it applies to all companies processing the personal data of data subjects residing in the European Union, regardless of the company’s main facility location.
Previously, territorial applicability of the directive was ambiguous and referred to data process ‘in context of an establishment’. This topic has arisen in a number of high profile court cases. GDPR makes its applicability very clear – it applies to the processing of personal data by controllers and processors in the EU, regardless of whether the processing takes place in the EU or not.
The GDPR also applies to the processing of personal data of subjects in the EU by a controller or processor not established in the EU, where the activities relate to: offering goods or services to EU citizens (irrespective of whether payment is required) and the monitoring of behaviour that takes place within the EU. Non-EU businesses processing the data of EU citizens also have to appoint a representative in the EU.
Organisations in breach of GDPR can be fined up to 4% of annual global turnover or €20 Million (AU$ 32,250,700 - whichever is greater). This is the maximum fine that can be imposed for the most serious infringements e.g. not having sufficient customer consent to process data or violating the core of Privacy by Design concepts.
There is a tiered approach to fines e.g. a company can be fined 2% for not having their records in order (article 28), not notifying the supervising authority and data subject about a breach or not conducting impact assessment. It is important to note that these rules apply to both controllers and processors – meaning ‘clouds’ are not exempt from GDPR enforcement.
HEATHROW AIRPORT SLAMMED
The U.K.'s largest airport has been slammed by the country's privacy watchdog for a series of missteps that led to a USB memory drive containing highly sensitive information being lost in a London street where it was found by a passer by.
The Information Commissioner's Office announced that it was fining Heathrow Airport Limited £120,000 (AU$ 220,433) under the Data Protection Act 1998, which was in effect at the time of the breach.
"Data protection should have been high on Heathrow's agenda. But our investigation found a catalog of shortcomings in corporate standards, training and vision that indicated otherwise," says Steve Eckersley, the ICO's director of investigations. "Data protection is a boardroom issue, and it is imperative that businesses have the policies, procedures and training in place to minimize any vulnerabilities of the personal information that has been entrusted to them."
HACKERS TARGETING EDUCATIONAL INSTITUTIONS - FireEye Report
Education institutions will likely continue to face cyber threats due to the valuable information stored on school networks and the ability for cyber criminals threat to use network infrastructure to launch operations against other targets.
University networks in particular are difficult for administrators to effectively secure, given the network’s size and number of users, as well as the need for internal and external users to access and share information.
We anticipate that the following factors will also influence threat activity towards the sector:
•Involvement in research programs that may have a potentially high economic payoff or support sensitive government research contracts would probably lead to increased targeting from groups in search of related intelligence to benefit their sponsoring government or associated state-owned companies.
• Association with high profile or influential academics or dissidents would likely also result in greater threat activity from groups seeking to gather information that would allow their sponsoring government to monitor that individual’s activity, and gain insight into policy discussions.
• Perceived role as a highly visible or symbolic target may lead to threat activity from hacktivists or groups seeking to disrupt website or network operations for political purposes.
• Involvement in controversy may lead to threat activity from hacktivists seeking to protest and embarrass the victim organisation through disrupting website access, defacing webpages, or stealing and exposing the organization’s sensitive information.
DATA STOLEN FROM EDUCATIONAL INSTITUTIONS
• Business Communication • Business Documents • Employee Evaluations • Finance Documents • Grant/Scholarship Documents • Industry Research & News • Invoices • Marketing Materials • Meeting Records • Personally Identifiable Information • Programs & Initiatives • Public Newsletter
Threat Focus: Shopper Approved - USA Exploit: Malicious code. Shopper Approved: Utah-based company that provides a review widget for other companies’ websites, that allows customers to post reviews. Risk to Small Business: 2.111 = Severe: This is another attack conducted by one (or more) of the several groups who operate under a similar style, given the term Magecart as a general identifier. Magecart is also responsible for the hacking of Ticketmaster and British Airways. Individual Risk: 2.428 = Severe: Those affected by this breach should cancel their credit cards and enroll in a credit monitoring service. Customers Impacted: Unclear how many customers were affected by this breach, but only sites with the widget code on their checkout pages had credit card information compromised. The incident only lasted 2 days before being discovered, a much shorter span than many of the other Magecart breaches.
How it could effect a SME business: A breach of this kind can often go unknown for a long period of time while the hackers collect valuable user data and credit card information. Even though it is a third party who was breached, it will be your business that takes the PR damage. Risk Levels: 1 - Extreme Risk 2 - Severe Risk 3 - Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
Threat Focus : Rebound Orthopaedics and Neurosurgery - USA Exploit: Compromised employee credentials. Rebound Orthopedics and Neurosurgery: Vancouver-based orthopedics and neurosurgery practice. Risk to Small Business: 1.555 = Severe: This breach would have a long-lasting effect on customer trust for any business, and in many countries the government will fine an organization heavily for failing to secure health data. Individual Risk: 2.142 = Severe: Health information is valuable data for hackers and useful for identity theft. Those affected by this breach are at a severe risk for insurance fraud and identity theft. Customers Impacted: 2800. How it could effect a SME business: Organizations that store health information are held to a higher standard for securing data due to the sensitive nature of the information and Data Breach Disclosure laws. When an organization fails to keep the data secure, it reflects very poorly on the company and usually results in a fine from the government. Risk Levels: 1 - Extreme Risk 2 - Severe Risk 3 - Moderate Risk *The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.
E-mail….ware New research from our friends at Cofense has revealed that a whopping 90% of all malware is delivered via email. The team also discovered that the average employee will not go 48 hours without seeing a phishing message. In addition, over half of the phishing messages examined used the word “invoice” in the subject line. A little under a quarter (21%) of the flagged emails also had malicious attachments sent with the phishing message.
Watch out for suspicious emails! All it takes is one employee to fall for a phishing email and an entire organization can be compromised.
Consider having staff to complete a Cyber Awareness training program.
Consider this: When you think about Cyber Security think about the ones you care the most about – your family. If you have children or young adults using Smartphones, Tablets or Laptops consider their vulnerability. Do you want to put their digital selves in the hands of pedophiles, scammers and cyber criminals. The purchase of children’s digital credentials (username/password) is big business on the Dark Web. Check out our inexpensive Individual or Family monitoring service – it’s a ‘no brainer’ for your peace of mind. CLICK HERE FOR PRICING
* Disclaimer: Avantia Corporate Services Pty Ltd provides the content in this publication to the reader for general information only and has compiled the content from a number of sources in the USA and up to 56 other countries who provide cyber breach information to us in real time. Given their international focus and experience in the cyberspace arena we believe their data to be accurate and reliable, however, we give no warranty (implied or otherwise), as to the contents accuracy or fitness for use. No validation or investigation has been performed by Avantia Corporate Services or the Author as to its accuracy or reliability. Readers should conduct their own investigation and come to their own conclusions before taking any action.