This blog monitors and reports on broadband policy and marketplace developments in the UK, Europe and worldwide that are likely to be of interest to the Janet community. Posts here may also reference my Broadband Policy Watch blog and you can also find me on Twitter.

Cyber security news roundup August 2017

Friday, September 1, 2017 - 11:21

Policy developments:

  • The Government launched a new consultation on the implementation of the Network and Information Systems (NIS) Directive in the UK from May 2018. The NIS Directive provides legal measures to boost network and information system security in the European Union. The consultation includes proposals for fining organisations which fail to implement effective cyber security measures up to £17 million or 4% of global turnover. The consultation closes on 30th September 2017. Also see commentary from Out-Law.
  • The Government announced a new statement of intent in relation to updating and strengthening data protection laws through a new Data Protection Bill, which will bring the European Union’s General Data Protection Regulation (GDPR) into UK law.
  • The Government also published proposals for a shared approach on data protection to ensure that personal data can continue to move back and forth between the UK and the EU in the future in a safe, properly regulated way.

Research & analysis:

  • The Government announced findings from its Cyber Governance Health Check 2017 and new research with UK registered charities exploring awareness, attitudes and experiences around cyber security. The Cyber Governance Health Check assesses and reports levels of cyber security awareness and preparedness in FTSE 350 companies (the UK’s 350 largest firms). It found that more than two thirds of boards had not received training to deal with a cyber incident (68%) despite more than half saying cyber threats were a top risk to their business (54%). The research into charities found them to be just as susceptible to cyber attacks as businesses, with many staff not well informed about the topic and awareness and knowledge varying considerably across different charities.
  • A new report by Lockton, a global independent insurance broker, based on a survey of 200 financial, risk and legal executives at top UK companies, found that many UK businesses underestimate the potential length and severity of a cyber security breach. Only 50% of UK businesses’ boards participate in planning for a cyber attack, with only 26% taking a leading role in planning. Only 26% of firms surveyed said their head of PR or communications was involved in cyber security planning. Only 2% of those surveyed thought a cyber security breach would affect business for more than 10 days.
  • Corero Network Security, a provider of real-time DDoS defence solutions, published findings from a Freedom of Information (FoI) request to UK critical infrastructure organisations revealing that over a third of national critical infrastructure organisations in the UK (39%) have not completed the Government’s 10 Steps to Cyber Security programme.
  • Akamai’s Q2 2017 State Of The Internet / Security Report found that distributed denial of service (DDoS) and web application attacks are on the rise; the number of DDoS attacks in Q2 increased by 28% quarter over quarter following three quarters of decline. Akamai suggests that “Mirai, like many other botnets, is now contributing to the commoditization of DDoS”.
  • Check Point’s Cyber Attack Trends: Mid-Year Report found that so far in 2017 cyber attacks are occurring at a higher frequency than previous years. It also notes that many prominent attacks use known malware variants that could have been blocked had the proper security measures been deployed.
  • Fraud prevention service Cifas released new figures showing that identity fraud has continued to rise at record levels in the first six months of 2017. A record 89,000 identity frauds were recorded, up 5% from last year. Representing over half of all fraud recorded by the UK’s not-for-profit fraud data sharing organisation, 83% of identity frauds were perpetrated online.
  • The University of Bradford officially opened its Cyber Security Interdisciplinary Centre to carry out focused research projects into cyber security issues, the first of which was a joint radicalisation project with West Yorkshire Police.

Attacks & threats:

  • PublicTechnology and Out-Law reported on an unsuccessful brute-force cyber attack on the Scottish Parliament involving multiple login attempts. No accounts were compromised and all Holyrood members and employees were urged to make sure their logins were sufficiently secure. The attack was similar to the attack on the Houses of Parliament last month.
  • NHS Lanarkshire hospitals and GPs were hit with a ransomware attack forcing operations to be cancelled; see coverage from BBC News.
  • Second-hand electronics and video games retailer Cex announced it had been subject to an online security breach affecting up to two million of its registered website customers; also see coverage from BBC News and the Telegraph. The stolen data includes some personal information such as first name, surname, addresses, email address and phone number if this was supplied. In a small number of instances, it may include encrypted data from expired credit and debit cards up to 2009.
  • BBC News reported on a flaw in Instagram’s systems which revealed the phone numbers and email addresses of a number of high profile stars to cyber-attackers. Instagram advised that passwords had not been stolen but warned users to watch for suspicious activity on their accounts. The flaw has now been fixed.
  • Malwarebytes reported two new variants of the Locky ransomware observed in a malicious spam campaign. Locky, like numerous other ransomware variants, is usually distributed with the help of spam emails containing a malicious Microsoft Office file or a ZIP attachment containing a malicious script.
  • BBC News reported that more than $140,000 (£105,000) worth of bitcoins paid by victims of the WannaCry ransomware outbreak have been removed from their online wallets.
  • Forbes and Insurance Business Canada published overviews of the cyber security threats facing higher education institutions, the IT environments of which combine a large amount of high-value information with a wide attack surface.
  • MacEwan University in Canada announced it had been the victim of a phishing attack: a series of fraudulent emails convinced university staff to change electronic banking information for one of the university’s major vendors. The fraud resulted in the transfer of $11.8 million to a bank account that staff believed belonged to the vendor. Immediately after discovering the fraud, the university began to pursue criminal and civil actions to trace and recover the funds. Also see coverage from BBC News.

Advice & guidance:

  • The National Cyber Security Centre (NCSC) published new guidance on virtual private networks (VPNs), offering advice for enterprise administrators and risk owners on configuration options and available products.
  • The US Department of Justice (DOJ) Criminal Division Cybersecurity Unit has developed a framework to assist organizations interested in creating a formal vulnerability disclosure program.
  • Network World published a seven step plan for protecting against ransomware attacks.
  • The government published eight principles for those involved in the manufacturing supply chain for autonomous vehicles, with the intention of cutting down on hacking and data theft. Also see commentary from Out-Law.
  • Cyberwatching.eu, the European observatory of research and innovation in the field of cybersecurity and privacy, launched its Catalogue of Services, which collects together cybersecurity research and innovation (R&I) activities across the EU.
  • BBC News reported that Bill Burr, the author of an influential guide to computer passwords, now regrets several of the tips he gave, such as regularly changing passwords and substituting numbers and symbols for letters in passwords. Enforcing regular password changes can lead users to select easily deducible replacements, and random combinations of words are harder to crack than single words with substitutions. Also see related advice from the National Cyber Security Centre (NCSC).
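To put numbers on the last point above, here is an added example (not from the original post or from NCSC) that compares the guess space an attacker's mangling rules must cover for a dictionary word with letter substitutions against a passphrase of randomly chosen words. It assumes a constructed cracking dictionary of 100,000 words, the usual six-letter substitution map, and a 7,776-word list for the passphrase.

```python
import itertools
import math

# Constructed assumptions (not from the post): size of a cracking dictionary and
# the substitution map that "p@$$w0rd"-style advice produces.
DICTIONARY_SIZE = 100_000
LEET_MAP = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}
SYMBOL_CHOICES = 32  # printable ASCII symbols an appended "!" could be drawn from


def mangled_variants(word: str) -> set[str]:
    """Every variant of `word` reachable by optionally swapping each mappable
    letter. The set is tiny, which is why cracking tools enumerate it cheaply."""
    options = [(c, LEET_MAP[c]) if c in LEET_MAP else (c,) for c in word.lower()]
    return {"".join(combo) for combo in itertools.product(*options)}


def substitution_guess_space(word: str, trailing_digits: int = 1,
                             trailing_symbol: bool = True) -> int:
    """Guesses needed to exhaust 'dictionary word + substitutions + suffix'.
    Each substitutable letter doubles the variants; each trailing digit adds a
    factor of 10 and a trailing symbol a factor of SYMBOL_CHOICES."""
    space = DICTIONARY_SIZE * len(mangled_variants(word)) * 10 ** trailing_digits
    if trailing_symbol:
        space *= SYMBOL_CHOICES
    return space


def passphrase_guess_space(word_count: int, wordlist_size: int = 7776) -> int:
    """Guesses for `word_count` words chosen uniformly at random from a public
    list of `wordlist_size` words (7776 is the classic diceware list size).
    The list being public does not help the attacker: every word is a fresh choice."""
    return wordlist_size ** word_count


def bits(space: int) -> float:
    """Guess space expressed as bits of entropy, for easy comparison."""
    return math.log2(space)


if __name__ == "__main__":
    single = substitution_guess_space("password")   # e.g. "p@$$w0rd1!"
    phrase = passphrase_guess_space(4)              # four random words
    print(f"substituted word: {bits(single):.1f} bits")   # ~28.9
    print(f"four random words: {bits(phrase):.1f} bits")  # ~51.7
```

The substituted single word falls under 30 bits even with a digit and symbol appended, while four random words from a public list exceed 50 bits.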