This blog monitors and reports on broadband policy and marketplace developments in the UK, Europe and worldwide that are likely to be of interest to the Janet community. Posts here may also reference my Broadband Policy Watch blog and you can also find me on Twitter.

Cyber security news roundup November 2017

Monday, December 4, 2017 - 12:43

Policy developments:

NHS Digital announced a £20m project to boost its ability to support data security across the NHS. The Security Operations Centre will provide enhanced monitoring of national services across health and care and will also enable NHS Digital to offer specific advice and guidance to local NHS organisations. It will enable NHS Digital to improve its current capabilities in ethical hacking, vulnerability testing and the forensic analysis of malicious software, and will improve its ability to anticipate future vulnerabilities while supporting health and care in remediating current known threats. A survey of 100 NHS IT decision makers by Palo Alto Networks found that the vast majority of respondents (90%) believed that prioritising cybersecurity in the NHS would unlock the potential of digitisation to improve patient care. They also agreed that cybersecurity investment could enable substantial savings in the long run (83%), saving £14.8 million nationally each year on average.

The Department for Digital, Culture, Media & Sport launched the £20 million Cyber Discovery programme which invites young people between the ages of 14 and 18 to test their skills in online real-world cyber challenges. The initiative is part of the government’s £1.9 billion investment to transform the UK’s cyber security capability and readiness. The National Cyber Security Centre (NCSC) advised of the application deadline for its CyberFirst £4,000 student bursaries and new degree apprenticeships. The CyberFirst Bursary scheme has run since 2016 to support the best and brightest students taking STEM subjects and, depending on meeting requirements, a chance to work in national security on graduation. The new £18,000 per year Cyber Security Degree Level Apprenticeship will see young people embedded in the NCSC’s parent organisation, GCHQ.

Ciaran Martin, CEO of the NCSC, delivered a speech at the Times Tech Summit addressing the growing threats within cyber space from hostile states and criminal activity, as well as the importance of making sure organisations get cyber security basics right. Minister for Digital Matt Hancock spoke at the Cyber Security: Testing France and the UK’s Digital Defences conference, setting out the UK’s approach to cyber security and the importance of working with international partners.

The Council of the European Union General Affairs Council adopted conclusions calling for the strengthening of European cybersecurity and enhancing cyber resilience across the EU, in line with the tasking from the European Council in October 2017 (further background here). The European Commission announced that €36 million of Horizon 2020 funding is available for 2018 for reducing cyber risks in hospitals. Another €60 million will go to trusted connected care services in 2019.

Research & analysis:

Akamai published its Q3 2017 State Of The Internet / Security Report. Web application attacks continued to rise significantly in both the quarter-over-quarter and year-over-year timeframes, while further evaluation of the Mirai botnet and WireX malware attacks suggests that attackers may leverage Internet of things (IoT) and Android devices to build future botnet armies.

Cyber security analytics platform RedSeal released the results of its second annual Resilience Report, based on a survey of 600 UK and US senior IT decision makers. More than half thought the threat landscape is evolving far faster than their organisation can respond, but only 25 percent of respondents’ organisations test their cybersecurity response to a major incident annually, if at all.

SophosLabs published its 2018 Malware Forecast. While ransomware mostly targets Windows computers, SophosLabs recorded an increased amount of crypto-attacks on different devices and operating systems used by Sophos customers worldwide between April and October 2017. The company predicts this trend will continue into 2018, particularly in relation to Android devices, along with continued growth in ransomware as a service (RaaS). The Telegraph reported Sophos’ warning that ransomware attacks are becoming more frequent and increasingly sophisticated, while Computing reported a similar warning from the National Crime Agency. Research by Computing found that 31 per cent of organisations are between "quite likely" and "very likely" to pay up following a ransomware attack. CSO Online reported that ransomware damage costs are predicted to hit $11.5bn by 2019.

Data privacy and risk management company Egress Software Technologies published research revealing how careless use of email can put companies at risk: a significant number of UK workers have purposefully shared confidential business information outside their organisation (24 per cent), typically to competitors, or new and previous employers. In addition, half of all respondents said they either had or would delete emails from their sent folder if they had sent information somewhere they shouldn’t.

Trend Micro published results from research using Shodan, a publicly available online search engine that catalogues cyber assets, or internet-connected devices. In the UK, London had the highest number of exposed cyber assets, with a little over 2.5 million. Manchester followed with around 320,000 and Glasgow with around 160,000. That a certain device or system is exposed does not automatically imply that the cyber asset is vulnerable or compromised. However, since an exposed device is searchable and visible to the public, attackers can potentially use such devices to mount an attack.

PhishMe published its 2017 Enterprise Phishing Resiliency and Defence Report, analysing phishing simulation trends from over 1,400 PhishMe customers around the world. Susceptibility rates are declining and reporting rates have climbed six percent in three years. Entertainment, social media and reward/recognition have replaced fear, urgency and curiosity as the key drivers behind successful phishing attacks. Phishing attacks increased 65% worldwide from last year.

New attacks, breaches, threats & vulnerabilities:

Ride-sharing company Uber revealed that in October 2016 it became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service. This data breach affected approximately 2.7 million UK user accounts. The National Cyber Security Centre (NCSC) assessed that the stolen information does not pose a direct threat to people or allow direct financial crime, but noted that “companies should always report any cyber attacks to the NCSC immediately. The more information a company shares in a timely manner, the better able we are to support them and prevent others falling victim.” The Information Commissioner’s Office (ICO) announced it is working with the NCSC plus other relevant authorities in the UK and overseas to ensure the data protection interests of UK citizens are upheld. The European Commission is also investigating the breach.

A number of other data breaches were announced this month. Image-sharing website Imgur confirmed that the emails and passwords of 1.7 million users were compromised in 2014. Also see commentaries from BBC News and ZDnet. TEISS and ZDnet reported that Accenture narrowly avoided a massive data breach after it was revealed that the firm stored bundles of sensitive data containing decryption keys and customer information on four cloud servers without protecting them with passwords. Shipbroker Clarkson plc announced it had been “subject to a cybersecurity incident which involved unauthorised access to the Company’s computer systems”, warning that “the person or persons behind the incident may release some data”. BBC News also reported that classified Pentagon data was mistakenly left exposed on an unsecured public cloud server, and that Morrisons has been found liable for the actions of a former member of its staff who stole data, including salary and bank details, of thousands of employees and posted it online.

Which? warned that vulnerabilities in connected toys could pose a child safety risk and is calling for retailers to stop selling toys with proven security issues. Issues identified included insecure Bluetooth connections, meaning that in some instances no password, PIN code or any other authentication was required to gain access to a device. In addition, very little technical know-how was needed to gain access to the toys and start sharing messages with a child. Which?’s warning was welcomed by the NCSC, while the ICO offered advice on the 12 ways that Christmas shoppers can keep children and data safe when buying smart toys and devices.

BBC News reported that a flaw in the most recent version of Apple’s macOS, High Sierra, made it possible to gain entry to the machine without a password, and also to obtain administrator rights. While BBC News later reported that Apple had issued a fix for the problem, Wired reported that installation of further system updates subsequent to the patch could cause the issue to reappear.

Ars Technica reported that a new strain of the Mirai botnet had infected almost 100,000 devices in a matter of days, suggesting that the incident underscores the huge untapped destructive potential of Mirai and other Internet of things (IoT) botnets.

Advice & guidance:

The UK Department of Health published new guidance setting out the steps all health and care organisations will be expected to take in 2017/18 to demonstrate that they are implementing the ten data security standards recommended by the National Data Guardian. Also see commentary from Out-Law.

US-CERT published new advice on securing the Internet of things (IoT) and risks from holiday scams and malware campaigns.

The UK National Cyber Security Centre (NCSC) published a new blog post outlining the guidance it is currently working on, including new guidance on engineering processes, people-centred guidance and new risk management guidance. It also published advice on keeping devices secure in the light of the recent Black Friday sales, and a new advisory on Neuron and Nautilus, two new tools used by the Turla group to target the UK, both designed to operate on Microsoft Windows platforms.

EDUCAUSE and the University Risk Management and Insurance Association (URMIA) published new advice to assist organisations that are considering purchasing cyber liability insurance.