We’re all becoming used to our smartphones recognising a face when we take a selfie. Snapchat, for example, can view your face and add effects to it in real time. The new Samsung S8 and iPhone X can both now unlock with a simple scan of the users’ face, as opposed to the previous pin code or fingerprint.

A year or so ago, Mark Zuckerberg was caught with his MacBook covered in tape to avoid both facial recognition and audio. If the most powerful entrepreneur in the world hides his camera, should we be concerned? The answer is yes, we should be.

The reason for being aware of this and being concerned circulates around one golden theme: cyberthreat.

Would-be hackers now have another gateway to your personal details. A good example of how extreme facial recognition has become takes us to the Chinese province of Xinjiang where the township has become a sort of surveillance, Big Brother laboratory.

The basic premises of this ‘experiment’ is for the government to be alerted when individuals venture 300 metres beyond designated ‘safe areas’. These areas make up routes to workplaces, homes, and shopping facilities. However, an invisible zone has been set focusing its attention on the wandering citizens that live there.

“‘Papers, please’ was the symbol of living under tyranny in the past. Now, government officials don’t need to ask,” said Jim Harper, executive vice president of the libertarian Competitive Enterprise Institute.

It seems now that a system of this magnitude is simply an up to date way of controlling people.

It’s unlikely that demographics in New Zealand and Australia are likely to have such extreme measures put in place, however, it doesn’t mean we’re exempt from the technology itself. Far from it.

In London City and Westminster, it is reported that no less than three cameras are watching you at any given time. There is simply no alleyway, Tube station, park, or shop without CCTV and thus creating the worlds largest ecosystem of digital eyes. The point here though is not to be worried unless you’re giving someone else a reason to be worried. These amounts of cameras can actually work in your favour during a serious incident. You should also remember that there is a current population of 8.7 million people in London and it’s unlikely you’re important enough to be the focus…sorry.

Since the attacks in France, Manchester and the Sydney Lindt Café incident, security and police have never been so on edge or operating in such large numbers. Going off the events of the last 24 months, they have a fair reason to be as well. We’re therefore likely to continue to see updates in technology in our own streets. New, extreme and intrusive measures to watch everything that is going on.

Shopping in Westfield this weekend?

A perfect case to be ‘followed’ by someone other than the kids is Westfield shopping malls. If you enter a mall and decide to jump on their free WiFi system, you are prompted to accept the T&Cs, like always. You’ll likely hit accept before you even consider reading the 9,000-word document. That document, however, explains the following:

When you sign up to become a member of the Site, you will provide us with certain personal information. Your personal information may be used for providing you with news, offers and information about the Site, the Scentre Group shopping centres and promotions run by the Scentre Group, as well as for the purposes set out in section 13 of these Terms & Conditions.

In section 13, it reads:

…we may transfer your personal information to others in countries outside Australia.
… Scentre may collect your personal information through your use of the Site or through your contact with Scentre. Any personal data and other information provided by you will be treated by Scentre in accordance with the Online Privacy Policy.

When entering Westfield shopping centres and car parks, customers’ personal information, car licence plate details and images may be collected by Scentre, and Scentre may also collect customers’ personal information and images from third parties

To save you time reading another 8,500 words on the Online Privacy T&Cs, we’ve narrowed down what they’re saying here by digging deeper.

Westfield collects user information on their location in the mall, the shops they enter, time spent within that section, any pages the user open through a browser relevant to that retail outlet and sells this information to both search engines and the outlet itself.

It’s targeted marketing on steroids.

If you’ve ever wondered how and why an unbelievably relevant product you’ve just spoken to your partner about appears on your Facebook feed, it’s because of the above reason, and it’s as simple as that. Westfield has been doing it and your device does it as well.

China is leading by example

There is a reason Xinjiang has become a testing station for such specific, large-scale surveillance centres around where it lies; the region boarders Pakistan and Afghanistan.

As reported in Bloomberg Businessweek, “The country is on track to represent 46 percent of the $17.3 billion global video surveillance market by year-end, and three-quarters of all deep learning-enabled servers for analysing the data, according to Jon Cropley, a senior principal analyst at IHS Markit.”

Similar technology was used during the French attacks of 2015 where gunman and suicide bombers terrified the city. While on lockdown, the authorities used registered images of the offenders (or who they thought to be the offenders) and scanned millions of faces within seconds. The days of watching hours of tape to find a blurry face have long gone and have been replaced by auto-recognition. The exact same technology on the Samsung S8 and the iPhone X.

Due to continued aggressive attacks in the province, last year, Xinjiang called on law enforcement officials to “actively use modern scientific and technological measures” and “safeguard national security and social stability,” the official People’s Daily newspaper reported.

Bloomberg reported ‘the alert project links security cameras to a database of people who have attracted the attention of authorities and tracks their movements within a particular area, their contact said. Police can follow up by intercepting individuals or visiting their homes and questioning their friends and families’.

Despite pushback from America and Europe, China is truly leading the way on mass surveillance with this new technology with their reasons being control of unsecure sections and security.

Freedom vs Safety

The ultimate pushback from a community around facial recognition, extreme CCTV adoption and control over movements is universal; I want my freedom.

So, the question is, do we allow being watched so closely and on a large scale and thus allow opportunities to catch criminals and in extreme cases, terrorists? Or, do we get rid of the technology now and go back to the old days of asking witnesses, looking for a “man in a grey shirt”?

When you swing it that way, it’s obvious which choice to use – so it’s more the concern around security than around the use of personal information. There are literally hundreds of thousands of ways for someone to find your information. As Westfield points out, they can’t guarantee that security, but you accept the risk by joining.

Therefore, we need to be aware of it, understand it and learn how this technology can help us. We then need to understand how to remain resilient in our own daily lives. Making sure that you know ways of losing your personal information.

And if you’ve got a webcam on your laptop, perhaps a bit of tape wouldn’t go amiss?

Contact Us today to learn more

Last week, RiskLogic brought you the news on the GDPR Regulation that will affect any business or persons who hold European data. This new regulation, although positive for its subjects in question, could be a damaging change for businesses who have not implemented effective cybersecurity and data breach procedures.

It’s being predicted that the EU could collect as much as $6 billion in the first year due to many organisations not taking these changes seriously.

An Overview of the Regulation

The regulation will affect anyone holding European data who fails to report a breach within 72 hours, in a detailed report. This may affect:

• A New Zealand or Australian business with an office in the EU.
• An ANZ business whose website targets EU customers, for example by enabling them to order goods or services in a European language (other than English) or enabling payment in Euros.
• An ANZ business whose website mentions customers or users in the EU.
• An ANZ business that tracks individuals in the EU on the internet and uses data processing techniques to profile individuals in order to analyse and predict personal preferences, behaviours and attitudes (largely used for marketing).

The fine for failure to report on a breach could be up to 2% of the business’ annual revenue, or 10,000,000 Euros (whichever is larger).

Using our own Cyber Security Incident Management Procedures program, we’ve compiled our top five steps you should be considering by May 2018. When the regulation becomes law, every organisation will have a responsibility to maintain a higher level of resilience. Above all, you will no longer be subject to just reputational, operational, legal or regulatory impacts, but now also financial.

Tip 1) Acquire a detailed Cyber Security Incident Management Procedure & Plan

RiskLogic’s detailed program on effective cyberattack recovery spans four key steps: Identify, Contain, Eradicate & Recover.

This program will enable you to:

• Provide IT personnel with general and specific procedures for dealing with cyber incidents.
• Provide an escalation path to Executive Management for major cyber incidents that have potential to cause human, financial, legal, reputational and/or strategic impacts.
• Provide IT personnel with preparation lists in order to better prepare them for cyber incidents.
• Provide IT personnel with a process to deal with cyber incidents where a defined process for a specific threat is not included.

The document provides a protocol for dealing with cyber incidents specific to your organisation. It includes assessment tools, key cyber roles and responsibilities, processes for specific threats, mitigation strategies (in general) and for specific key threat areas.

With the likelihood of a data breach stronger than ever, it’s useful to reach out to these documents to follow effective processes unique to your people and the structure of your organisation.

72 hours isn’t a long time to report a large breach to a European Council, it’s worth understanding now if you have the steps in place to do this.

Tip 2) IT Personnel to have Access to General & Specific Cyber Procedures

Your most important asset during a breach is your IT Personnel. For them to do their job to the highest and most effective standard after an attack, your procedures should be used to manage the containment eradication of the attack, and to manage the recovery from the attack. Identify and assess the processes in the Incident Management Plan to make this happen.

Once your plan has been signed off by Senior Executives and your IT team has been trained, they should be able to easily answer:

• What data was lost or breached and who is the immediate contact to notify?
• How are they notified of the breach of data?
• What personal information does the breach involve?
• What was the cause of the breach?
• What is the extent of the breach?
• How can the breach be contained?

Tip 3) Document Escalation Paths for Major Events

When an event has progressed from an attempted breach to a serious event, your Senior Executives will need to know the details as they occur. Keeping a procedure in place for this will ensure the correct decisions are made from the information coming in.

Tip 4) Identify the Risk Classification

In our programs, we separate risks into five key classifications:

1. A data breach through unauthorized access to customer or sensitive data (including medical information and member level monetary transactions) that may result in information being stolen or disclosed in an unauthorized manner. This would lead to reputational, legal, regulatory, and financial impacts to the organisation.
2. A denial-of-service attack or network interruption from an attacker (e.g. Hacktivist) against either you or a third-party provider that may result in reputational, operational, legal or regulatory impacts to the organisation.
3. Phishing, pharming and drive-by attacks against your employees or third-party providers that may result in financial or reputational impacts to the organisation.
4. Malware or ransomware from an attacker that may result in significant financial, legal or regulatory impacts for the organisation.
5. Corruption or conflict of interest within your organisation by employees or a third party may result in unauthorised payments being performed. This may lead to financial, legal, reputational or regulatory impacts to the organisation.

Once the classification has been determined, it’s time to assess likelihood factors. Your organisation should understand the cause and damage that has occurred. Understand quickly the threat source, motivations and the further capabilities of the hacker.

Summarising the threat source quickly will then help you implement the correct procedures to deal with it. For example, did it come from:

• Employees
• Lone individuals
• Competitors
• Third party providers, contractors, or other inside entities
• Hacktivist
• Organised crime
• State/s sponsored activity
• Employers

Unauthorised access can occur from poor password security from users, password sharing, or accounts being used inappropriately throughout the organisation.

One of the top four key risks in the world today is IT Administrator passwords being used/accessed to create havoc. Gaining access to an administrator password is the fastest route for hackers/criminals. This can have devastating effects on the organisation and can lead from a small incident to a snowballing one affecting the whole organisation.

Tip 5) Know what Your Reporting Channels Are

The internal reporting, communication and structure of your crisis team should be well documented, checked and acted upon during an event. The same should be implemented in your external reporting, especially with the new legislation.

A good starting point is to understand where New Zealand sits right now with regards to processes for reporting breaches. The Privacy Commissioner has a handful of ways to report breaches, and these can be found here: https://privacy.org.nz/news-and-publications/guidance-resources/privacy-breach-guidelines-2/

CERT Australia recommends that businesses report Cyber Incidents. This can be done by:

• Calling the Hotline 1300 172 499 or
• Emailing info@cert.gov.au
• Online via the Australian Cybercrime Online Reporting Network (ACORN) https://www.acorn.gov.au/

Conclusion

These changes come into effect on May 25^th, 2018. This gives organisations only a small timeframe to ensure that their processes are in place. Whether you are directly affected by these changes or not, this is a good excuse to review the processes your IT team has in place.

To put the seriousness of cyber threats in 2018 into perspective, IBM ran a detailed report on the impacts stating that a minor event can last 19.7 minutes with a financial impact of $53,210 per minute. The chances of these smaller events happening are 69% over 24 months.

We’ll be reporting on these numbers and findings from IBM and McAfee in next week’s article.

Contact Us today to learn more

Where were you on the evening of December 31^st, 1999?

I was with my family, in a large, cubicle-soaked office block in the dark, wet corners of Reading, United Kingdom. I was nine-years-old and didn’t question any of it solely for the fact I was contempt with the huge office chair I’d perched myself on, the computer games I could play, and the amount of space available for me to burn all the remaining energy I had for that century.

My father, however, was locked in the data centre of British Telecom (also known as BT). No windows, empty chairs to his left and right, large square monitors draping the walls and an intimidating phone in the middle of the desk. His orders; wait and see.

My mother waited near the coffee and wine hoping two things: that the world didn’t end, and that the world didn’t end so we could go skiing with the invoice my father was just about to submit for this once-in-a-lifetime 2-hours piece of work.

I regularly think about that evening. As a young child, I had no idea of the extreme concepts being fed through the media all because of the clocks. Nowadays, the idea that computers would simply stop because of time is like me showing a floppy-disk to a 13-year-old; “that’s the save symbol” they said to me. But, curiously to me, my father was part of that, he was the resource to try fix it if the world was going to end. Him and a few hundred other IT pro’s spread across the globe.

Last week, I sat down with him to ask him about that night.

“What even is Y2K?”

“Ironically, I ended up on a desk, running my own business as a consultant and it was a completely different life to what I was used to while in the Army. A culture-shock actually”.

Although the internet had been around for five years, many people were still not using it. Only larger enterprises were adopting it for internal communications and sharing capabilities. The idea of cyberthreat was unknown at the time.

“The threats are always changing. The more stuff we introduce to this world, the more threats we introduce. The word Cyber wasn’t even in the dictionary back then, as far as I was aware”, but Y2K was.

Y2K, also known as the Year 2000 Problem, Y2K problem, the Millennium bug and the Y2K bug, was a class of computer bugs related to the formatting and storage of calendar data for dates beginning in the year 2000. Alien to the world we know now, the issue was not caused by a hacker or cyberattack, but simply an oversight on production of technology.

“The basic idea on Y2K was that for convenience, most computers only used two numbers for the date. Why use four numbers when you only need two for the date [the last two digits of the year]. Then they realised, what date is the computer going to think it is when we get to 2000?” said James B. Meigs of Popular Mechanics.

The problem that the majority of computer systems made in the 90’s were unable to adjust to a new millennium, caused major concerns across the globe. What would the effects be? Would planes fall out of the sky? Would digital banking crash?

“That was my biggest payday ever as a consultant. I had a couple of systems that had been built back in the 80’s, the date format was not capable of switching over to 2000. It was as simple as someone had not projected that possibility. So, when the clock changed over, it went back to zero and everything would simply stop working”. The system clock would either go back in time to 1900, or continue by adding a 1, making it 11999 – which, as you know, isn’t the correct date to add to invoices and receipts.

“People were saying planes would drop out the sky and all the rest of it, there were huge concerns. So, I had the job at half-passed-eleven, on the 31^st of December to sit in the comms room and wait for the clocks to tick over. I basically stared at the screen…and waited to see what happened. It was probably me and few other thousand IT specialists doing the same thing that night, waiting, seeing what would happen, and uh…nothing happened!”

Fortunately, the unknown turned out to be nothing more than an over-exaggerated possibility of events. Media attention around something alien to our world for the turn of our new millennium. What was definite though, was the concern of our times. Thousands of organisations were only able to employ people to “see what happens”. No plans or steps were put in place for the worst-case scenario. The seriousness of Business Continuity had taken a major U-Turn to organisations around the world.

 Lesson learnt

“I had two feelings: one I was really, really disappointed because I wanted all the lights to go out at least, but two, also really happy because I’d made a lot of money for not really doing anything”.

When events like this occur, no matter their credibility or media hype, lessons can always be learnt. We can still go back eighteen years to that night and revisit the revolutionary changes organisation knew they had to make.

“Future proof is the keyword. Really, people who are technically savvy enough to understand the coding still need to be prepared. That planning & preparation. Looking back, I can’t remember what I was actually going to do if the lights did go out”.

“It’s really about us accepting that if the lights are going to go out, what are we going to do about it? And that’s what Business Continuity is all about, that’s what we try to preach; yeah, probably nothing will happen now, but if it does – what are we going to do? Having a plan and knowing it, saying this stuff happens and making sure you don’t ignore it means you’ll be ready to deal with it”.

“At the stroke of midnight of 2000, elevators may stop. Credit cards and ATMs may cease to function. Aeroplanes and trains may come to a halt” Leonard Nimoy dramatically stated during a National Geographic documentary.

With tensions growing across the United States, people were literally arming themselves for the worst. President Clinton appoints a crisis management expert to prevent a national meltdown.

John Koskinen, chair to the President’s Council on Y2K ’98 – ’00 said “10% of the population was fairly confident there was going to be an apocalypse. The president called me one night and said ‘here’s an office, an assistant, don’t let the world stop…’”

Of course, now, those outcomes seem almost comical. How could the change of two digits cause such havoc and devastation? Regardless of the nature of this scenario, there was still a threat to people and organisations, it was just that no one knew exactly what that was.

“On the night of 21^st December 1999, I was pretty much stood there with a fire extinguisher waiting for the fire to start. Beyond putting the fire out, we didn’t really have a plan! No one really knew what would happen, but we didn’t really plan for the worst-case scenario. Remember, always plan for the worst and hope for the best!”

The lack of action from most organisation caused years of re-planning and rescoping business continuity for many organisations. If this were to happen again, what would we do to ensure we had the most effective processes in place to fix it?

“The cost to fix the Y2K across the world has been estimated to be around 300 billion [1]. That was the technical aspect of it” says Quora user Shashank Chidambara. “A few known incidents because of the bug affected a hospital in Sheffield, UK [where their] automated mailing system sent wrong medical reports to mothers about the fetus status. Telecommunication companies worldwide had erroneous billing results on Jan 1^st”.

In all, the enormous hype around the event turned out to be nothing more than just that, however, with so many organisations hoping for the best-case scenario, it was a huge risk.

We can learn from this event from eighteen years ago even today. Don’t allow possibilities to control the situation, be in control and plan a strategy you know will work. At the very least, make sure you’ve got someone like my father on board, sitting in that dark comms room with his family outside, who are waiting to go skiing.

Contact Us today to learn more

Understanding Cyberattacks

According to the World Economic Report, the global risk landscape puts extreme weather events as most likely to occur, finally knocking cyber-attacks of the top spot.

However, you would be forgiven for thinking that cyber is still at the top, it seems to be in the news daily; weather events aren’t common to all countries.

Cyber is still a new concept to most of professionals and organisations as in general, many haven’t been personally affected. It is likely that you’ve got a connection with someone who has though, and it’s that that seems to capture people’s attention.

Regardless if it’s in 4^th or 10^th place on the report, you should never become complacent that it will never happen to you. No matter how great your IT security measures or your IT team are, it all becomes out of date very quickly in this fast-paced world we live in. Humans have been able to create technology that can put up defences against natural harm a million times quicker than natural evolution can provide us.

The idea of a Cyber-attack is a global phenomenon and younger than most people’s children. There’s always a hacker somewhere in the world looking to be the next great thing, looking to beat your defences. This is what makes them so dangerous to all organisations, including the Defence Forces.

Cyber hackers are usually part of an anonymous network where users are provided rewards (whether financial or of a title) to hack certain, challenging environments. There is nothing more powerful behind an attack than someone trying to prove a point.

Resource on this: Cyber: Not just an IT Issue.

Planning for the unexpected and accepting that it might just happen to you is critical. You must know what your next challenge could be.

A Structured Cyber response

A cyber attack can cause disruption to business operations just like any other IT related outage. Loss of power, cut fibre, water leak in the room above your data centre (it still happens) the list goes on. The difference with cyber is it all too often becomes public and the impacts to business reputation increase exponentially. This is often outside the responsibility of the IT team and a strategic response is necessary. Your response team needs to act fast through the following 4 phases:

• Identify: Is this really a hack, or a system or human error?
• Contain: stop further damage, isolate the threat.
• Eradicate: Clean up the problem, backup restores.
• Recovery: get back to business as usual, repair the reputational damage.

If you haven’t already got one, we would recommend developing a Cyber Security Incident Management Procedure, which should be used by your Cyber Incident Response Team (CIRT) to response to a cyber event. As a minimum we would recommend that your CIRT is made up of the following roles:

• CIRT Manager
• IT Security Technical Lead
• Communications
• IT Response & Recovery Coordinator (Infrastructure)
• IT Response & Recovery Coordinator (Applications & Related data)
• External:
  • Forensic Analyst
  • Forensic Investigator

A clear escalation policy should be established in your procedure to provide early warning to your Strategic level response to prepare for likely reputational, financial and legal impacts for a severer cyber-attack.

The evidence is there, organisations must prepare for a cyber attack and accept that it is now  “not just an IT issue.

Till next time, Plan, Do, Check and Act….

Contact Us today to learn more