Category: Cyber Resilience

  • What We Can Learn From Y2K

    What We Can Learn From Y2K

    Where were you on the evening of December 31st, 1999?

I was with my family, in a large, cubicle-soaked office block in the dark, wet corners of Reading, United Kingdom. I was nine years old and didn’t question any of it, solely because I was content with the huge office chair I’d perched myself on, the computer games I could play, and the amount of space available for me to burn all the remaining energy I had for that century.

My father, however, was locked in the data centre of British Telecom (also known as BT). No windows, empty chairs to his left and right, large square monitors draping the walls and an intimidating phone in the middle of the desk. His orders: wait and see.

My mother waited near the coffee and wine hoping for two things: that the world didn’t end, and that the world didn’t end so we could go skiing on the invoice my father was just about to submit for this once-in-a-lifetime two-hour piece of work.

I regularly think about that evening. As a young child, I had no idea of the extreme concepts being fed through the media, all because of the clocks. Nowadays, the idea that computers would simply stop because of time is like me showing a floppy disk to a 13-year-old; “that’s the save symbol”, they said to me. But, curiously to me, my father was part of that: he was the resource to try to fix it if the world was going to end. He, and a few hundred other IT pros spread across the globe.

    Last week, I sat down with him to ask him about that night.

    “What even is Y2K?”

    “Ironically, I ended up on a desk, running my own business as a consultant and it was a completely different life to what I was used to while in the Army. A culture-shock actually”.

Although the internet had been around for five years, many people were still not using it. Only larger enterprises were adopting it for internal communications and sharing capabilities. The idea of a cyber threat was unknown at the time.

    “The threats are always changing. The more stuff we introduce to this world, the more threats we introduce. The word Cyber wasn’t even in the dictionary back then, as far as I was aware”, but Y2K was.

Y2K, also known as the Year 2000 Problem, Y2K problem, the Millennium bug and the Y2K bug, was a class of computer bugs related to the formatting and storage of calendar data for dates beginning in the year 2000. Alien to the world we know now, the issue was not caused by a hacker or cyberattack, but simply by an oversight in the production of technology.

    “The basic idea on Y2K was that for convenience, most computers only used two numbers for the date. Why use four numbers when you only need two for the date [the last two digits of the year]. Then they realised, what date is the computer going to think it is when we get to 2000?” said James B. Meigs of Popular Mechanics.

The problem, that the majority of computer systems made in the 90s were unable to adjust to a new millennium, caused major concerns across the globe. What would the effects be? Would planes fall out of the sky? Would digital banking crash?

    “That was my biggest payday ever as a consultant. I had a couple of systems that had been built back in the 80’s, the date format was not capable of switching over to 2000. It was as simple as someone had not projected that possibility. So, when the clock changed over, it went back to zero and everything would simply stop working”. The system clock would either go back in time to 1900, or continue by adding a 1, making it 11999 – which, as you know, isn’t the correct date to add to invoices and receipts.
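The two-digit year rollover described above, as an added example that is not part of the original post: a legacy six-digit YYMMDD invoice record parsed the naive way (every year is 19xx) beside the “date windowing” fix many Y2K remediation projects applied. The record layout, the invoice data and the pivot year of 50 are all constructed assumptions for this illustration.

```python
"""Two-digit year storage (the Y2K defect) and the date-windowing fix.

Constructed example: the YYMMDD layout and the invoice records below are
assumptions, not data from any real system.
"""
from datetime import date

# Constructed legacy records: (invoice id, issued YYMMDD, paid YYMMDD).
INVOICES = [
    ("INV-001", "991215", "000114"),  # issued 15 Dec 1999, paid 14 Jan 2000
    ("INV-002", "990301", "990331"),  # issued and paid within 1999
]


def split_yymmdd(text: str) -> tuple[int, int, int]:
    """Split a six-digit YYMMDD field into its numeric parts."""
    if len(text) != 6 or not text.isdigit():
        raise ValueError(f"not a YYMMDD field: {text!r}")
    return int(text[0:2]), int(text[2:4]), int(text[4:6])


def parse_yymmdd_naive(text: str) -> date:
    """The Y2K defect: the century is never stored, so every year becomes 19xx.
    "00" therefore reads as 1900, exactly the 'went back to zero' behaviour."""
    yy, mm, dd = split_yymmdd(text)
    return date(1900 + yy, mm, dd)


def parse_yymmdd_windowed(text: str, pivot: int = 50) -> date:
    """Date windowing: two-digit years below the pivot belong to 20xx, the rest
    to 19xx. The pivot of 50 is an assumption; real projects chose it per data set."""
    yy, mm, dd = split_yymmdd(text)
    century = 2000 if yy < pivot else 1900
    return date(century + yy, mm, dd)


def days_to_payment(issued: str, paid: str, parser) -> int:
    """Days between issue and payment according to the given parser."""
    return (parser(paid) - parser(issued)).days


def audit(parser) -> dict[str, int]:
    """Return {invoice id: days to payment}. A negative value means the parser
    placed the payment almost a century before the invoice was issued."""
    return {inv: days_to_payment(issued, paid, parser) for inv, issued, paid in INVOICES}


if __name__ == "__main__":
    print("naive:   ", audit(parse_yymmdd_naive))      # INV-001 comes out as -36494 days
    print("windowed:", audit(parse_yymmdd_windowed))   # INV-001 comes out as 30 days
```

Records dated entirely within 1999 look identical under both parsers, which is why the defect stayed invisible until the clock ticked over.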

“People were saying planes would drop out of the sky and all the rest of it, there were huge concerns. So, I had the job at half-past-eleven, on the 31st of December, to sit in the comms room and wait for the clocks to tick over. I basically stared at the screen…and waited to see what happened. It was probably me and a few thousand other IT specialists doing the same thing that night, waiting, seeing what would happen, and uh…nothing happened!”

Fortunately, the unknown turned out to be nothing more than an over-exaggerated possibility of events: media attention around something alien to our world at the turn of the new millennium. What was definite, though, was the concern of the times. Thousands of organisations were only able to employ people to “see what happens”. No plans or steps were put in place for the worst-case scenario. Attitudes to Business Continuity had taken a major U-turn in organisations around the world.

Lesson learnt

    “I had two feelings: one I was really, really disappointed because I wanted all the lights to go out at least, but two, also really happy because I’d made a lot of money for not really doing anything”.

When events like this occur, no matter their credibility or media hype, lessons can always be learnt. We can still go back eighteen years to that night and revisit the revolutionary changes organisations knew they had to make.

    “Future proof is the keyword. Really, people who are technically savvy enough to understand the coding still need to be prepared. That planning & preparation. Looking back, I can’t remember what I was actually going to do if the lights did go out”.

    “It’s really about us accepting that if the lights are going to go out, what are we going to do about it? And that’s what Business Continuity is all about, that’s what we try to preach; yeah, probably nothing will happen now, but if it does – what are we going to do? Having a plan and knowing it, saying this stuff happens and making sure you don’t ignore it means you’ll be ready to deal with it”.

    “At the stroke of midnight of 2000, elevators may stop. Credit cards and ATMs may cease to function. Aeroplanes and trains may come to a halt” Leonard Nimoy dramatically stated during a National Geographic documentary.

With tensions growing across the United States, people were literally arming themselves for the worst. President Clinton appointed a crisis management expert to prevent a national meltdown.

John Koskinen, chair of the President’s Council on Y2K from ’98 to ’00, said: “10% of the population was fairly confident there was going to be an apocalypse. The president called me one night and said ‘here’s an office, an assistant, don’t let the world stop…’”

    Of course, now, those outcomes seem almost comical. How could the change of two digits cause such havoc and devastation? Regardless of the nature of this scenario, there was still a threat to people and organisations, it was just that no one knew exactly what that was.

    “On the night of 21st December 1999, I was pretty much stood there with a fire extinguisher waiting for the fire to start. Beyond putting the fire out, we didn’t really have a plan! No one really knew what would happen, but we didn’t really plan for the worst-case scenario. Remember, always plan for the worst and hope for the best!”

The lack of action from most organisations caused years of re-planning and rescoping of business continuity. If this were to happen again, what would we do to ensure we had the most effective processes in place to fix it?

    “The cost to fix the Y2K across the world has been estimated to be around 300 billion [1]. That was the technical aspect of it” says Quora user Shashank Chidambara. “A few known incidents because of the bug affected a hospital in Sheffield, UK [where their] automated mailing system sent wrong medical reports to mothers about the fetus status. Telecommunication companies worldwide had erroneous billing results on Jan 1st”.

In all, the enormous hype around the event turned out to be nothing more than just that; however, with so many organisations hoping for the best-case scenario, it was a huge risk.

    We can learn from this event from eighteen years ago even today. Don’t allow possibilities to control the situation, be in control and plan a strategy you know will work. At the very least, make sure you’ve got someone like my father on board, sitting in that dark comms room with his family outside, who are waiting to go skiing.


  • Cyber Response Plans

    Cyber Response Plans

    Understanding Cyberattacks

According to the World Economic Report, the global risk landscape puts extreme weather events as most likely to occur, finally knocking cyber-attacks off the top spot.

However, you would be forgiven for thinking that cyber is still at the top: it seems to be in the news daily, while weather events aren’t common to all countries.

Cyber is still a new concept to most professionals and organisations, as in general many haven’t been personally affected. It is likely that you have a connection with someone who has, though, and that is what seems to capture people’s attention.

Regardless of whether it’s in 4th or 10th place on the report, you should never become complacent and assume it will never happen to you. No matter how great your IT security measures or your IT team are, it all becomes out of date very quickly in this fast-paced world we live in. Humans have been able to create technology that can put up defences against natural harm a million times quicker than natural evolution can provide them.

    The idea of a Cyber-attack is a global phenomenon and younger than most people’s children. There’s always a hacker somewhere in the world looking to be the next great thing, looking to beat your defences. This is what makes them so dangerous to all organisations, including the Defence Forces.

    Cyber hackers are usually part of an anonymous network where users are provided rewards (whether financial or of a title) to hack certain, challenging environments. There is nothing more powerful behind an attack than someone trying to prove a point.

    Resource on this: Cyber: Not just an IT Issue.

    Planning for the unexpected and accepting that it might just happen to you is critical. You must know what your next challenge could be.


A Structured Cyber Response

A cyber attack can cause disruption to business operations just like any other IT-related outage: loss of power, cut fibre, a water leak in the room above your data centre (it still happens), the list goes on. The difference with cyber is that it all too often becomes public, and the impacts to business reputation increase exponentially. This is often outside the responsibility of the IT team, and a strategic response is necessary. Your response team needs to act fast through the following four phases:

• Identify: Is this really a hack, or a system or human error?
• Contain: Stop further damage, isolate the threat.
• Eradicate: Clean up the problem, restore from backups.
• Recovery: Get back to business as usual, repair the reputational damage.

If you haven’t already got one, we would recommend developing a Cyber Security Incident Management Procedure, which should be used by your Cyber Incident Response Team (CIRT) to respond to a cyber event. As a minimum, we would recommend that your CIRT is made up of the following roles:

    • CIRT Manager
    • IT Security Technical Lead
    • Communications
    • IT Response & Recovery Coordinator (Infrastructure)
    • IT Response & Recovery Coordinator (Applications & Related data)
    • External:
      • Forensic Analyst
      • Forensic Investigator

A clear escalation policy should be established in your procedure to provide early warning to your strategic-level response team, so it can prepare for the likely reputational, financial and legal impacts of a severe cyber-attack.

The evidence is there: organisations must prepare for a cyber attack and accept that it is now “not just an IT issue”.

Till next time: Plan, Do, Check and Act…


  • Cybersecurity: Not Just an IT Issue

    Cybersecurity: Not Just an IT Issue

    It seems nowadays that just about everyone has technology making their lives easier (or worse). You can paint a masterpiece with your finger via an app on your phone, and then tag the astronauts on the ISS from your lounge or even become an overnight sensation just by wearing a Star Wars mask. So when do we stop to think (and seriously consider) how vulnerable we are to technology?

In 1999, New Jersey resident David L. Smith gave a show-girl in Florida the ultimate gift: a computer virus that bore her name. Using a stolen America Online account, Smith posted a Word document infected with “Melissa” to a discussion group on America Online, purporting it to be a list of usable log-in information for pornography sites. Smith’s virus spread via email, forwarding itself to fifty email accounts in Microsoft Outlook on every infected computer, which, over time, overloaded email servers and forced companies such as Microsoft, Intel, Lockheed Martin, and Lucent Technologies to shut down their email networks. In the end, Melissa performed viral dances on upwards of one million infected PCs and caused $80 million in damage.

A year later, in February 2000, Michael Calce, aka “Mafiaboy”, singlehandedly took down Yahoo, CNN, eBay, Dell, and Amazon. The first major distributed denial of service (DDoS) attack, responsible for crippling some of the internet’s most popular websites, was executed by the hands of a Canadian citizen not old enough to drive. Mafiaboy, a 15-year-old, set out to make a name for himself in February 2000 when he launched “Project Rivolta,” which took down the website of the #1 search engine at the time—and second-most popular website—Yahoo. Thinking it may have been a fluke, he went on to attack the servers of CNN, eBay, Dell, and Amazon in a wave of highly publicised attacks that were the first to show the world how easily one kid could knock out major websites.

Now think about it: if you were Jerry Yang of Yahoo or Satya Nadella, and you’ve just been told by your IT team that someone has posted millions of viruses to all customers and personal details are now missing. You ask them, “OK, what can we do about this? Can we get the details back? Can we find out who they are?” The answer, as in so many cases, is a resounding no.

Within an hour, only 10% of Yahoo’s customer base has realised they’ve been hacked; however, they’ve now involved the media. Before the executive has even made their first morning coffee and fed the dog, they’re standing in front of the world press to explain how the company they run, one of the biggest and most profitable in the world, has just been hacked by a kid not even old enough to intern for them.

OK, yes, you’re probably not running Microsoft right now, but that doesn’t matter. You have a responsibility beyond your IT security. Are you ready to act on this when it’s time?

A cyber attack isn’t an ‘if’ situation, it’s a ‘when’. Over the last two years, 70% of crisis events have been IT related. That means 7 out of 10 negative impacts on your business are technology/IT based.

    Further to my post around convincing a CEO to revisit their business continuity, it’s important to look into more specific issues that the leadership team is going to have to deal with. What plans could you set in place that will be effective? What will you do to maintain trust and a high level of service to your customers?

Technology doesn’t attack organisations, people do. It’s silly mistakes by people that leave business operations exposed within seconds.

Brad Law, NZ Country Manager, has given these talks hundreds of times. Dealing with some of the world’s most important sectors, the message is always the same: “the biggest attack vector by a large margin is people and people being careless”.

    “I think the most important thing to impress upon [your staff] when it comes to IT security is that most of the time technology isn’t the issue”

    An attack as serious as the WannaCry cyberattack was a prime example of organisations showing their resilience but also showing that they’d prepared in advance for such an event.

You can Google the names of the companies affected. This is not a good look for any organisation and could have easily been avoided. The companies’ computers didn’t infect the organisation; the people who ran them did.

For all organisations, it’s imperative that you ensure you’re staying as up to date as possible. Understand the threats, and get to events and seminars on what the possible vulnerabilities may be within your organisation.

When was the last time you validated and checked your anti-malware protection? If it wasn’t within the last 90 days, it’s overdue!

  • The Rise of Virtual Kidnapping

    The Rise of Virtual Kidnapping

    While our feeds have been flooded with news and developments on COVID-19, other disruptive events have subtly moved their way into people’s lives like an unexpected storm.

    It seems like only yesterday celebrities, news outlets and hashtags around the world directed their reach on the Australian bush fires that would cost the country up to $101 billion in property damage and economic loss. 46 million acres of land was burnt, killing at least 34 people, hundreds of millions of wildlife, and billions of vertebrate species. This historical destruction all seems like a bad bonfire now that focus shifts to COVID-19.

    This is not news, and blame should not be put on the general population’s attention span. But professionals, organisations and those in the public space need to strongly consider the extent of other events occurring alongside COVID, because they are!

This year alone, RiskLogic has supported dozens of clients dealing with major cyber-attacks, loss of key staff, natural disasters, supply-chain disruptions, ransomware attacks and disruptive large gatherings and protests, to name a few.

As we round up the year, we will dissect other events in a mini-series dedicated to parallel crisis events. In this series we will cover:

    • The variety of scams that have appeared and increased during the pandemic
    • An overview of other incidents happening during COVID
    • A discussion on incidents that you would seldom anticipate (like virtual kidnapping)

    At the very least, we hope this provides a break from the bombardment of COVID related updates.

    Virtual kidnapping is happening right now

    Virtual kidnapping is an extortion scam that has historically targeted Chinese international students in Australia.

The scam targets individuals with threats of deportation, before forcing them to contact their families for significant sums of money. The NSW Police reported 8 cases in the 2018-2019 period, but they believe the real numbers are in the hundreds (with families generally too nervous or ashamed to reach out to foreign authorities). Millions of dollars have been confirmed to have been paid to the culprits: $3.2 million AUD since September 2019.

The restriction of travel has left many international students somewhat stranded in foreign locations, and it is believed this has contributed to a spike in cases.

    What is virtual kidnapping and how does it work?

    Virtual kidnapping is an extortion scheme that tricks victims into paying a ransom for a loved one who they believe is being threatened with violence or death.

    The scam commences with a phone call from someone pretending to be from the Chinese Embassy, asking for personal details – usually pertaining to passports or visa status. The call then escalates to threats, with the victim being accused of participating in criminal activity before being threatened with warrants from a fake international criminal police organisation.

    They are then told the only way to save themselves and their loved ones is to hand over bank account details or significant sums of money.

    The scheme gained traction in 2015 when it spread from Taiwan to Western countries and has rapidly evolved with the spread of technology.

    Recently, we have seen virtual kidnapping attacks occur at several Australian Universities including UNSW and unconfirmed Victorian universities, which have both reported dozens of instances of the scam occurring.

    For Australia, the scam appears to be largely targeting students in NSW and Victoria, with police in both states confirming that victims often do not contact the police after they have been scammed as they often feel ashamed.

    As such, police are unable to confirm accurate numbers of virtual kidnapping victims.

    The kidnappers are purposely targeting Chinese International students and are communicating in Mandarin – making investigators believe that the bulk of attacks are coming from a crime syndicate located on Kinmen Island, off the coast of Taiwan.

    RiskLogic has additionally seen in Australia a rise in students staging the kidnappings themselves to obtain additional money from their families, although we can’t confirm whether this is related.

    Chinese and Taiwanese International students are being targeted because they are far away from home, making it more difficult for their parents to confirm whether they have been kidnapped or not.

    The AFP (Australian Federal Police) had reported 54 confirmed instances of these kidnappings – however they believe that the actual number could have been in the hundreds in 2020.

    Why should this matter to you?

    The AFP believes that hundreds of instances have occurred throughout Australia, Europe, America and Canada, showing that virtual kidnapping can happen anywhere.

    In pre-COVID Australia, international students made up more than a quarter of enrolments at universities, with the approximate number of international students in the country sitting at around 542,054 in 2019.

    Chinese students made up 31% of this number and accordingly were the largest contributing country to Australia’s international student population.

These international students contributed around $32.2 billion to the Australian economy per year, according to the Australian Bureau of Statistics, with the vast majority being enrolled in universities. The associated fees and living expenses represented Australia’s third largest export (currently behind coal and iron ore), a figure that had increased 22% since 2016.

Whilst COVID has almost halved the number of international students currently residing in Australia, the economic impacts of the virus have also seen a significant increase in the rate of scams. The AFP also reports that the financial demands made through the scam have increased significantly.

Despite most virtual kidnapping attacks originating from Taiwan, the reputational damage the attacks cause is targeted directly at Australian universities and their perceived inability to ensure the safety of Chinese international students.

The inability of a university to adequately or appropriately manage the virtual kidnapping of one of its students could therefore result in reputational damage to the institution, leading to significant financial impacts if this reputational damage translates into Chinese students no longer deeming the university safe, and therefore opting for alternative universities.

    For those not in the education space, it is perhaps only a matter of time until these types of threats reach a wider variety of organisations. For more public facing entities, this could be a real risk.

    Furthermore, this incident (that few could have anticipated) should be evidence that the threat landscape is forever changing.

    What is most likely to happen during a kidnapping?

    The AFP reports that the average amount of money handed to kidnappers is $38,000, with a total estimated handover of $10 million occurring in 2018.

    Already in 2020, the NSW Police have confirmed that millions of dollars have been sent. Cases report sums between $20,000 and $500,000 being sent, and even one reaching $2 million.

    This amount of money is significantly higher than the average amount obtained through other types of scams.

    Serious emotional and psychological impacts to the victims and potential reputational damage to the universities can occur.

What should you do if this occurs to you?

    The AFP suggests that Chinese students in Australia protect themselves by doing the following:

    • If you get cold called by someone making threats about arrest or deportation, it is a scam. Do not send them any money. Instead, hang up the phone immediately and report it to your local police.
    • Never give your personal, credit card or online account details over the phone unless you made the call, and the phone number came from a trusted source.
      – Banks or financial institution will never ask you for your card details, even when you’ve called them. These institutions have access to your personal details once you provide a security check and do not need to ask.
• If you think you have provided your bank account details to a scammer, contact your bank or financial institution immediately and give them as much detail as possible.
  – Top tip: research your bank’s fraud and security phone number and email now. Put this in your phone in case you need immediate access (these are often found on the back of your bank cards too).
• When dealing with uninvited contacts from people or businesses, whether it’s over the phone, by mail, fax, email, in person or on a social networking site, always consider the possibility that the approach may be a scam.
• You can contact IDCARE (a national identity and cyber support service) for support if you have concerns about your identity being compromised. Contact them via the online form or phone: 1300 432 273.

    The Scamwatch website has information about scams in Chinese languages.

    Further resources and instances in the news

• Families have lost millions of dollars in a virtual kidnapping scam targeting Chinese students in Australia

A 2020 update on the instances of virtual kidnapping scams as they increase in frequency and seriousness.

• Australian university students preyed on by terrifying kidnapping scam

An article looking at the impact that virtual kidnapping can have on the parents of victims, and concentrating on the history of the scam and its origin in Taiwan. The article goes on to confirm that the advantage for these scammers in targeting victims in Australia is that the distance between the victim and their family increases the difficulty of confirming that the victim is actually safe and well, and that no charges have been laid against them by the Chinese Government.

• Student loses $500,000 in phone scam that’s still active

A report on one Chinese student in Australia who transferred $500,000 to virtual kidnapping scammers. The victim was eventually found by the Australian Federal Police 10 days after she was first contacted by the scammers.

• AFP Scam Warning for Virtual Kidnapping


• Sensitive Data: The true cost of WhatsApp

Sensitive Data: The true cost of WhatsApp

    With over 1.5 billion users, Facebook-owned WhatsApp is the world’s most popular messaging app. WhatsApp, which uses the internet to instantly transmit text, videos, images and even documents as attachments, is free, easy and convenient. Users can communicate with individuals and groups using any kind of mobile device to chat, set up meetings or appointments, manage orders and deliveries, and transmit product and marketing messages.

    But is WhatsApp an asset or a liability in the workplace? Multi-national companies like Continental, Deutsche Bank and Goldman Sachs are so concerned about the risks, they have actually banned employees from using free messaging systems like WhatsApp and Snapchat.

    End-to-end encryption and the illusion of safety

WhatsApp’s end-to-end encryption protocol is a key attraction for many users. End-to-end encryption means data and information is converted to code (encrypted) throughout the entire transmission, so that only the communicating users can read the messages. Not even telecom and internet providers, or WhatsApp itself, can access the messages.

    ‘This encryption protocol can give users a false sense of security and privacy,’ says Daniel Muchow, RiskLogic’s Head of Cyber Consulting. ‘Even though the encrypted information is deleted at that point from the WhatsApp server, the information or data may remain on the recipient’s device indefinitely.’

    Penetrating the impenetrable

    With so much emphasis on end-to-end encryption, it’s easy to overlook the fact that not all information WhatsApp collects is inaccessible or private. ‘WhatsApp stores contact details and address books which may contain confidential corporate and customer data,’ confirms Mr Muchow. ‘For organisations, this raises serious privacy concerns.’ WhatsApp may also retain data about who has communicated with whom and when this communication took place.

    While the end-to-end encryption process offered by WhatsApp might sound watertight, attackers and scammers can and do intercept and manipulate messages to create and spread misinformation from what appear to be trusted sources. On investigating the app, Check Point Research found several vulnerabilities including the ability for an attacker to use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group. They can also alter the text of someone else’s reply, or send a private message to another group participant disguised as a public message for all, so when the targeted individual responds, it’s visible to everyone in the conversation.

    Handing the control of corporate information to employees

    There is another immediate challenge for organisations. Employers have obligations to their clients about storing information and need to be able to monitor, manage and archive transmitted information appropriately. This level of organisational visibility and communication management is not possible with messaging apps like WhatsApp.

Unlike corporate email, which is transmitted via the employer’s server, there is no way for employers to track communications, or remotely access or delete messages transmitted by WhatsApp. ‘This lack of transparency gives employees enormous control of company information,’ says Mr Muchow. ‘If the device is lost or stolen, business data and content may be gone forever or used in a damaging way.’

Inappropriately sharing information can also have serious consequences. For example, a former managing director at the UK investment bank Jefferies was recently fined £40,000 by the Financial Conduct Authority for sharing confidential client information over WhatsApp because he wanted to “impress” recipients.

    When a free service costs more than it’s worth

    If the communication system is down or there are technical issues, organisations need access to immediate support at any time of day or night. This 24-hour support by dedicated personnel is not available with free messaging apps like WhatsApp but may be critical for an organisation to maintain business continuity.

    While WhatsApp and other free messaging services may be attractive to users, there is a serious hidden potential cost to employers. The lack of control and transparency of these free messaging services not only poses financial risk, but may result in a serious privacy breach and reputational damage.

For advice on setting up a secure and resilient messaging service in your organisation and increasing your cyber security response preparedness, contact RiskLogic today.

  • Digital Threat Environment: OAIC Notifiable Data Breaches

    Digital Threat Environment: OAIC Notifiable Data Breaches

    Quarterly Statistics Report – October – December 2018

    The quarterly report released by the Office of the Australian Information Commissioner (OAIC) reports on notifications received by the Federal Government entity under the Notifiable Data Breaches (NDB) scheme. Under this scheme, a notifiable data breach is any breach in which the personal information of an individual that was being held by an organisation is either lost or subjected to unauthorised access or disclosure which results in serious harm to the individual.

    Key Report Takeaways:

    The following key points were outlined in the OAIC Quarterly Statistics Report from October – December 2018:

    • During this period, 262 notifications of breaches were reported to OAIC – the highest number of notifications since the scheme was introduced in February 2018.
    • Of these breaches, 33% were due to human error, 64% were due to malicious or criminal attacks and 3% were due to system faults.
    • 60% of these breaches involved the personal information of 100 individuals or fewer.
    • OAIC reported that the majority of the malicious or criminal attacks were largely the result of exploiting vulnerabilities involving a human factor, such as phishing emails or disclosing passwords.

    How could this impact your organisation?

    Reputational: A data breach of any size would attract strong media coverage and create significant reputational and political damage. A cyber-attack could also damage employees’ confidence in the protection of their personal information and deter prospective employees from wanting to work there.

    Legal: Legally, your organisation has an obligation under legislation such as Australia’s Notifiable Data Breach and the European Union’s General Data Protection Regulation (GDPR) to report any significant data breaches that have impacted customers and their personal information. Following this reporting and dependent on the scale of the breach and any fault that has been found to lie with the organisation, your business may be subjected to a number of legal ramifications including significant fines.

    Financial: Globally, cyber-attacks are believed to have accounted for the loss of approximately $600 billion USD, with the Asia Pacific region alone losing an estimated $171 billion to cyber-crime in 2018. The Australian Government estimates that the average cyber-attack would cost a business approximately $276,323. As such, a breach of this magnitude would be significant for any organisation. Whilst this estimate encompasses the aspects of the actual cyber-attack, it doesn’t factor in the additional longer-term financial repercussions such as loss of business as a result of reputational damage.

    What can you do to safeguard your organisation against these breach attacks?

    Microsoft has reported that from January to December 2018, email phishing attacks increased by 250%. Considering the immense financial, reputational and legal impacts that these breaches may have on an organisation, it is imperative that the appropriate safeguards are in place to mitigate any breach.

    Recent reports indicate 91% of all cyber-attacks are now conducted via email, confirming that human error is one of the key reasons for these attacks. One activity you can undertake to counter potential attacks is to raise employee awareness around cyber attacks, security and the risks that these attacks carry with them. Our article on phishing attacks and how to spot them is a great place for your employees to start this awareness around cyber and its impacts.

    By educating staff about the dangers of phishing emails, social engineering and malicious human-targeted attacks, you will simultaneously improve the confidence of your staff when dealing with possible cyber-attacks and thereby increase the chances of them spotting something so the relevant staff can be alerted. This will greatly reduce the chance of staff being caught by one of these attacks and suffering the ramifications these attacks can carry.

  • Phishing Scams

    Phishing Scams

    Have you ever received a phishing email?

    Odds are you probably have (and might not even know it). These types of cyber attacks are easy to carry out, are increasingly difficult to spot and are very successful – current statistics list 91% of all cyber attacks as starting with an email. That’s why it is important you and your staff know how to spot a potential phishing attack.

    What is a phishing attack?

    Phishing emails are targeted online scams used by cyber criminals to attack an organisation (via their employees) to gain access to information and sensitive data. These attacks are incredibly common, with 83% of organisations recently reporting that they were the victim of an attempted phishing attack.

    These emails may:

    • Contain malware carried in an attachment such as a PDF or file download.
    • Ask you to click on a link, taking you to a questionable website.
    • Be masquerading as a legitimate organisation requesting confirmation of sensitive data or a password change.

    Phishing attacks come in all shapes and sizes – the most common being a mass-scale phishing attack in which the cyber criminals send out mass, non-specific phishing attacks hoping to trick a number of people into revealing sensitive information or data.

    How could this impact your organisation?

    Cyber attacks, phishing and breaches can have extremely detrimental effects on organisations. If you were to suffer one of these attacks, your organisation could expect to face severe reputational, legal and financial effects that impact the organisation both at the time of the attack and for years to come.

    How do you spot one?

    The best thing any organisation can do to prevent a phishing attack from impacting them is to build staff awareness around identifying and stopping phishing emails. Following staff awareness training, nearly 60% of organisations saw an increase in employees’ ability to detect and stop phishing attacks from impacting their company.

    Despite their prevalence, phishing emails can be easy to spot if your staff know what to look for. There are five key red flags that employees should pay attention to when reviewing emails:

    1. Request for personal information – If the email you have received appears to be from a legitimate source but is requesting information that the known organisation wouldn’t typically request, there is a high probability you are being targeted by a phishing attack. For example, your bank requesting that you confirm your account details and pin number via email.
    2. Unknown or questionable senders – If the email you have received is from an unknown sender, or a name you don’t recognise, and they are requesting that you download an attachment, click on a link or submit personal information to them, it could be a phishing attempt. Similarly, if the email is not personalised but instead begins with a phrase such as ‘Dear Customer’ there is a high chance it is a phishing attempt.
    3. Spelling and grammatical errors – If you have received correspondence from a well-known organisation, however their email contains a number of spelling and grammatical errors there is a high chance it is a phishing attack.
    4. Misleading URLs or domain names – When reviewing emails that appear suspicious, one way to confirm if they are a phishing attempt is to confirm that the URL listed aligns with the hyperlink provided. If you hover over a URL without clicking, the embedded hyperlink will appear – if the hyperlink within is different to the shown URL there is a high probability this is a phishing attack.
    5. Demanding or alarming wording – Emails that contain phrases such as ‘Urgent Action Required!’ or ‘Your account has been hacked!’ are phishing attacks designed to elicit an immediate response from the recipient. These attacks capitalise on the recipient’s anxiety upon receiving these messages and the likelihood of them responding and providing personal information.

  • Data Security

    Data Security

    The internet as we know it has evolved dramatically from its inception 28 years ago, from basic text-based pages to image and video filled screens that are incorporated into almost every aspect of people’s day to day lives. With an estimated 56.1% of the population currently having internet access, we’ve seen it become an ever evolving and changing function that is now integrated into our daily lives – altering the way we communicate, shop, conduct business and even find love.

    However, this constantly adapting system has also changed the way people conduct crime. Consequently, we need to ensure that we are doing everything we can to mitigate cyber-crime on our systems when surfing online.

    Australian regulations and schemes

    In their most recent report on Notifiable Data Breaches, the Office of the Australian Information Commissioner reported that the most prevalent form of cyber-crime currently impacting Australians is malicious attacks. These attacks, they confirmed, often target vulnerabilities in relation to human error. With technology now occupying almost every aspect of people’s lives, it is imperative employees know the safe and secure ways in which they should be using the internet. Awareness is critical. Simply clicking a link in an email can open the door for malware, compromising the organisation’s security network and exposing client data.

    Under the Australian Privacy Act 1988, the Notifiable Data Breaches scheme was introduced in February 2018. This scheme includes an obligation for organisations to notify individuals whose personal information is involved in a data breach. The notification must include recommendations on what the steps the individual can take to protect their data. The Australian Information Commissioner must also be notified of these data breaches. Failure to adhere to these obligations could result in hefty fines being imposed on the organisation.

    Further regulations are placed on APRA-regulated entities with the introduction of the APRA Standard CPS 234 – Information Security, which came into effect on 1st July, 2019. In addition to the notification of data breaches, these entities need to ensure they have policy frameworks in place – such as Business Continuity, Crisis Management and Incident Management plans. These plans need to be commensurate with the size of the organisation, exercised and reviewed annually.

    How could this impact your organisation?

    If exposed to a cyber-attack, your organisation could face serious issues impacting almost every aspect of the business:

    Human – A cyber-attack could result in the loss or exposure of significant confidential data and information, some of which may impact your employees. A breach could see employees reluctant to provide confidential information or, in severe cases, could see employees leave the organisation.

    Reputational – A cyber-attack on the organisation could affect ongoing relationships with customers and key stakeholders whose confidential data and intellectual property may have been accessed in a hack. The threat of customer information being lost or stolen due to a perceived fault in your organisation’s cyber security could leave clients and prospects reluctant to continue engaging with you.

    Operational – In many instances, a cyber-attack will target specific systems and programs that are used by an organisation. These attacks can significantly impact the functionality of systems and programs that your organisation relies on, thereby interrupting critical business functions and impacting operations.

    Legal and Financial – organisations are required to report any notifiable data breaches to the OAIC within 30 days of the breach being discovered. Failure to comply with these reporting guidelines could result in a fine of up to $1.8 million. Furthermore, if an investigation is conducted and your organisation is found to have not taken adequate steps to mitigate the risk of a breach, you may face additional fines and penalties.

    What can you do to mitigate cyber attacks?

    Awareness is critical. These six simple steps can ensure that the internet is being accessed safely:

    1. When browsing webpages, ensure that the site has a web address commencing with ‘https’ and that there is a padlock on the left side of the browser address bar.
    2. Make sure the URL is correct if you follow a link from another webpage or email.
    3. Only conduct banking, shopping or payment of bills on a trusted network – like at home, or through your mobile data. Don’t conduct these activities on a public network like in a café or airport.
    4. Don’t post highly personal information on public sites. Also ensure that your social media accounts have appropriate levels of privacy settings. Personal information shared publicly can be used to steal an individual’s identity or give unwanted people access to private accounts.
    5. Remain wary of unreputable sites and possible phishing attempts sent via pop-up advertisements or emails.
    6. Do not click on links in emails from unknown senders.

  • The very public and never ending Baltimore ransomware attack

    The very public and never ending Baltimore ransomware attack

    In May 2019, the US City of Baltimore fell victim (for the second time in 12 months) to a ransomware attack which paralysed part of its computer network. As at 20 June 2019, these systems are still reportedly disabled. The success of this attack is an important reminder about the need to have robust recovery plans and a resilient backup strategy in place.

    Baltimore was just one of the big US cities to be hit with a ransomware attack. Others include Atlanta, Georgia, and San Antonio, Texas. Even smaller cities like Greenville, North Carolina and Allentown, Pennsylvania were targeted.

    Although Baltimore immediately notified the FBI and took systems offline to keep the ransomware from spreading, the malware had already taken down voice mail, email, a parking fines database, and a system used to pay water bills, property taxes and vehicle citations. Hackers had reportedly demanded 3 bitcoins (nearly $24,000 USD) to unlock each system or a total of 13 bitcoins (nearly $102,000 USD) to unlock them all. Despite the costs and months of work that will be required to reverse the damage, Baltimore Mayor Bernard Young has told a news conference “I’m not considering” paying it and is also encouraging other cities “not to pay either”. To date, Baltimore has incurred an estimated $18.2 million in losses as the city tried to restore services and servers.

    How did Baltimore communicate during the crisis?

    In spite of the attack, business had to continue and recovery processes implemented. As government emails were offline, officials turned to Google as an alternative communication channel and created bulk Gmail accounts. Unfortunately, the creation of multiple accounts within a short period of time from the same network triggered a response from Google – the new accounts were consequently flagged as spam and shut down.

    Tim Archer, Head of Communications at RiskLogic, highlights the importance of setting up alternative communication channels well and truly in advance. “Organisations need to consider an independent cloud-based communications tool” and keep an “offline database available so you can still reach out to people when systems are down”, he advises.

    To add fuel to the fire, the hacker has also chosen to communicate with the council very publicly via Twitter, causing significant public pressure and damaging the reputation of the city. Many Baltimore locals and council peers have publicly weighed in on the organisation’s lack of “Cyber hygiene” and stance on the ransom demand.

    Should Baltimore have paid the ransom?

    There is no guarantee that hackers will honour their end of the bargain if the ransom is paid. Even if the hacker unlocks the system, victims may find that they cannot always recover all their data.

    A better response is to be prepared for, and have contingency plans in place to mitigate the negative impacts of such attacks.

    How common are ransomware attacks?

    Ransomware attacks are growing significantly and becoming more sophisticated all around the world. In the first half of 2019, security researchers are already tracking over 1100 ransomware variants preying on unsuspecting web users.

    “Organisations need to shift their mindset to thinking that anything is possible if you’re connected to the internet” says Daniel Muchow – Head of Cyber Consulting at RiskLogic. “A common blind spot is thinking that it can’t or won’t happen to us”, he adds.

    Daniel also states, “The scale and velocity of a cyber crisis cannot be underestimated, and organisations should have cross functional plans that are regularly updated and exercised”. Daniel advises that these plans (i.e. Cyber Incident Response, IT Disaster Recovery, Business Continuity and Communications plans) should be exercised at least twice a year “with your systems offline” and “it is important that exercises and plans consider all possible scenarios, factoring in the potential operational impacts to critical business functions.”

    For advice or to review your cyber hygiene, connect with us today.

  • Deepfake voice generation now being used by cyber scammers

    Deepfake voice generation now being used by cyber scammers

    Remember the scene in Terminator 2 where Arnold Schwarzenegger (playing the good cyborg) mimics John Connor’s voice on the phone to talk to his mum (who was being mimicked by the bad cyborg)?

    Well science fiction appears to have become science fact, with the emergence of a new fraud in Germany involving deepfake voice generation.

    The Wall Street Journal has reported a case where a scammer called the CEO of an energy company and impersonated the CEO of the parent company, duping him into urgently transferring €220,000.

    The case has highlighted how AI can now be used to machine learn from existing audio files to accurately mimic someone’s voice, right down to their accent and tone.

    For CEOs and media spokespeople who are regularly on TV and radio, it is especially disconcerting.

    The company has not been named, but their insurer, Euler Hermes Group SA, has outlined the details.

    As our Head of Cyber Security Daniel Muchow says, “if you don’t expect it, you should suspect it”.

    “We have seen plenty of examples of this via email, where CFOs are targeted by their ‘boss’ to urgently transfer a critical payment, but this takes it to the next level,” he said.

    “There is no end to how far hackers will go to convince you or your staff to hand over company money.”

    “While some of them target the biggest businesses with the deepest pockets, others target businesses that may have less sophisticated checks and balances in place.”

    “The big lesson here is, if a payment is urgent or out of the ordinary, take two minutes to pick up the phone and check it out.”

    If you want to discuss your level of Cyber response preparedness, contact RiskLogic to find out how.