Network Security
ISSN 1353-4858, March 2019
www.networksecuritynewsletter.com
Featured in this issue:
Micro-segmentation: securing complex cloud environments
The datacentre as we know it has undergone a radical transformation. Mission-critical data, applications and workloads are constantly moving among the various installations as traffic levels and processing demands dictate. This agility is what makes these dynamic infrastructures attractive to organisations looking for efficiencies and competitive advantage. It is also what makes them scary from a security perspective. Micro-segmentation is an effective way to secure valuable datacentre assets and implement a zero trust model in a hybrid or multi-cloud environment, says Dave Klein of GuardiCore. Full story on page 6…
Is reputational damage worse than a regulator’s fine?
Such is the global nature of today’s regulations that most organisations must adhere to them even if they are not physically in the markets covered. This is exposing them to greater compliance risk than ever before. Data leaks, intentional or unintentional, happen. And when incidents occur, organisations may find themselves having to prove – both to the authorities and their customers – what measures were taken to secure information. This can leave firms struggling to manage the adverse side effects of data leaks, such as damage to customer loyalty, says Jesse Canada of ASG Technologies. Full story on page 11…
Has your wifi left you wide open to cybercrime?
IT security is now a corporate priority and businesses are investing significant funds into sophisticated firewalls intended to make their systems effectively inaccessible from outside. But many of those businesses fail to notice the growing hole in their IT defences that leaves both the business and its workers exposed – their wifi network. Defective wifi practice, along with an insufficient understanding of the obvious signs of cyberthreats, can unwittingly provide cyber criminals with surreptitious access to sensitive information, explains Greig Schofield of Netmetix. Full story on page 13…
Data breaches reach record levels worldwide
There were 12,449 data breaches that compromised user identities in 2018 – a 424% increase compared to the previous year, according to figures just released by identity intelligence firm 4iQ. The US and China between them accounted for nearly half (47%) of these breaches. At the same time, the average number of records compromised during each breach, which stood at 216,884 for 2018, was only about a fifth of the figure for the previous year. This may be explained in part by a shift by cyber criminals towards targeting small companies. The report suggests this may be the result of larger firms improving their security while small and medium size businesses remain vulnerable. Continued on page 2...
Contents

NEWS
Data breaches reach record levels worldwide 1
Firms delay breach reports 2
Huawei battles security concerns 3

FEATURES
Micro-segmentation: securing complex cloud environments 6
The datacentre has undergone a radical transformation. Mission-critical data, applications and workloads are constantly moving among various installations. This agility is what makes these dynamic infrastructures attractive to organisations looking for efficiencies and competitive advantage. It is also what makes them scary from a security perspective. Micro-segmentation is an effective way to secure valuable datacentre assets and implement a zero trust model in a hybrid or multi-cloud environment, says Dave Klein of GuardiCore.

Is reputational damage worse than a regulator’s fine? 11
Companies today are exposed to greater compliance risk than ever before. And when data leaks happen, as they will, organisations may find themselves having to prove – both to the authorities and customers – what measures were taken to secure information. This can leave firms struggling to manage the adverse side effects of data leaks, such as damage to customer loyalty, says Jesse Canada of ASG Technologies.

Has your wifi left you wide open to cybercrime? 13
Businesses are investing significant funds into sophisticated firewalls. But many of them fail to notice the growing hole in their IT defences – their wifi network. Defective wifi practice, along with an insufficient understanding of the obvious signs of cyberthreats, can provide criminals with surreptitious access to valuable information, explains Greig Schofield of Netmetix.

The growth of the Hide and Seek botnet 14
A recently discovered botnet remains live and working even after a device has been reset, making it very persistent and extremely dangerous. Sam Haria of Invinsec takes us through how it works and puts it in the broader context of the threats facing organisations.

How to secure your supply chain 18
With hackers finding their attacks on business processes increasingly foiled, they’re looking further afield. Company perimeters no longer end at the firewall. Today’s interconnected world has created many new opportunities and tools for companies, but also more entry points for criminals to try to gain access, especially via the supply chain, says Rory Duncan of Dimension Data.

REGULARS
ThreatWatch 3
Report Analysis 4
News in brief 5
The Firewall 20
Events 20
ISSN 1353-4858/19 © 2019 Elsevier Ltd. All rights reserved.
This journal and the individual contributions contained in it are protected under copyright by Elsevier Ltd, and the following terms and conditions apply to their use:

Photocopying: Single photocopies of single articles may be made for personal use as allowed by national copyright laws. Permission of the publisher and payment of a fee is required for all other photocopying, including multiple or systematic copying, copying for advertising or promotional purposes, resale, and all forms of document delivery. Special rates are available for educational institutions that wish to make photocopies for non-profit educational classroom use.

Editorial Office: Elsevier Ltd, The Boulevard, Langford Lane, Kidlington, Oxford, OX5 1GB, United Kingdom. Tel: +44 1865 843239. Fax: +44 (0)1865 843973. Web: www.networksecuritynewsletter.com
Publisher: Greg Valero
Publishing Director: Bethan Keall
Editor: Steve Mansfield-Devine
Senior Editor: Sarah Gordon
Columnists: Ian Goslin, Karen Renaud, Dave Spence, Colin Tankard
International Editorial Advisory Board: Dario Forte; Edward Amoroso, AT&T Bell Laboratories; Fred Cohen, Fred Cohen & Associates; Jon David, The Fortress; Bill Hancock, Exodus Communications; Ken Lindup, Consultant at Cylink; Dennis Longley, Queensland University of Technology; Tim Myers, Novell; Tom Mulhall; Padget Petterson, Martin Marietta; Eugene Schultz, Hightower; Eugene Spafford, Purdue University; Winn Schwartau, Inter.Pact
Production Support Manager: Lin Lucas

Subscription Information: An annual subscription to Network Security includes 12 issues and online access for up to 5 users. Subscriptions run for 12 months, from the date payment is received. To subscribe send payment to the address above. Tel: +44 (0)1865 843687. Fax: +44 (0)1865 834971. More information: www.elsevier.com/journals/institutional/network-security/1353-4858 or via www.networksecuritynewsletter.com. Periodicals postage is paid at Rahway, NJ 07065, USA. Postmaster send all USA address corrections to: Network Security, 365 Blair Road, Avenel, NJ 07001, USA.

Permissions may be sought directly from Elsevier Global Rights Department, PO Box 800, Oxford OX5 1DX, UK; phone: +44 1865 843830, fax: +44 1865 853333. You may also contact Global Rights directly through Elsevier’s home page (www.elsevier.com), selecting first ‘Support & contact’, then ‘Copyright & permission’. In the USA, users may clear permissions and make payments through the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, USA; phone: +1 978 750 8400, fax: +1 978 750 4744, and in the UK through the Copyright Licensing Agency Rapid Clearance Service (CLARCS), 90 Tottenham Court Road, London W1P 0LP, UK; tel: +44 (0)20 7631 5555; fax: +44 (0)20 7631 5500. Other countries may have a local reprographic rights agency for payments.

Derivative Works: Subscribers may reproduce tables of contents or prepare lists of articles including abstracts for internal circulation within their institutions. Permission of the Publisher is required for resale or distribution outside the institution. Permission of the Publisher is required for all other derivative works, including compilations and translations.

Electronic Storage or Usage: Permission of the Publisher is required to store or use electronically any material contained in this journal, including any article or part of an article. Except as outlined above, no part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without prior written permission of the Publisher. Address permissions requests to: Elsevier Science Global Rights Department, at the mail, fax and email addresses noted above.

Notice: No responsibility is assumed by the Publisher for any injury and/or damage to persons or property as a matter of products liability, negligence or otherwise, or from any use or operation of any methods, products, instructions or ideas contained in the material herein. Because of rapid advances in the medical sciences, in particular, independent verification of diagnoses and drug dosages should be made. Although all advertising material is expected to conform to ethical (medical) standards, inclusion in this publication does not constitute a guarantee or endorsement of the quality or value of such product or of the claims made of it by its manufacturer.

12987 Digitally produced by Mayfield Press (Oxford) Limited

NEWS
...Continued from front page

4iQ uses automated crawling of Internet-accessible sources – including social media, deep web sites and the dark web – as well as analysis by subject matter experts who authenticate and verify the data. The firm’s analysts saw 3.6 billion new, genuine identity records go into circulation on underground forums and dark web marketplaces in 2018, a 20% higher figure than in 2017. It brings the total number in circulation to 14.9 billion – around double the population of the Earth, suggesting a high level of duplication.

There is a busy trade on underground markets for ‘combo lists’ in which breached data is combined into username and password databases. “These lists with clear text passwords from thousands of breaches are being aggregated and repackaged, creating a snowball effect,” says the report. “The data is used to automate brute-forcing of authentication on websites, taking advantage of the fact that people reuse passwords across many sites. A number of open source tools automate the testing of these username and password combinations for ‘account takeover’, a major problem that persists in cyber security today.”

Worryingly, the sector most heavily affected is government. The number of identities from government sources that were compromised jumped by 291%. “For the first time, we saw underground brokers actively including citizen data, such as voter databases, as part of their data portfolio,” said Julio Casal, 4iQ’s CTO. The report is available here: https://4iq.com/2019-identity-breachreport/.

Meanwhile, the number of records exposed in the US healthcare sector rose to 11.5 million, according to the fifth annual ‘Healthcare Breach Report’ by cloud services firm Bitglass. There was some good news – the actual number of breaches hit a three-year low, at 290. But the quantity of compromised records was more than double compared to the previous year.

Using data from the US Department of Health and Human Services’ ‘Wall of Shame’ database, which holds information on breaches involving protected health information (PHI), Bitglass found that the most common cause of breaches (45.9%) was hacking and incidents resulting from poor IT security. The second-most-common category was unauthorised access and disclosure (35.9%), which often involves insiders. Accidental loss or theft (other than by hacking) makes up most of the rest of the incidents. The report is here: http://bit.ly/2HcGBtV.
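The account-takeover loop that the 4iQ report describes above (combo lists replayed against login forms by automated tools) leaves a recognisable trace in a site’s own authentication logs: one source attempting many distinct usernames in a short window, most of them failing, with the occasional success marking an account whose reused password was in the list. The script below is an added example written for this page, not code from the article, from 4iQ or from any named tool; the log format, the sample log lines and the detection thresholds are constructed assumptions for illustration.

```python
"""Credential-stuffing detection over authentication log lines.

Added example, not from the Network Security article or the 4iQ report.
Assumed (hypothetical) log format, one event per line:
    <ISO timestamp> ip=<addr> user=<name> result=<ok|fail>
Thresholds are illustrative and must be tuned per site.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log: 203.0.113.7 cycles through six different accounts
# in three seconds (the combo-list pattern) and gets into one of them;
# 198.51.100.9 is one user mistyping a password; 192.0.2.44 is a normal login.
SAMPLE_LOG = """\
2019-03-01T10:00:00 ip=203.0.113.7 user=alice result=fail
2019-03-01T10:00:01 ip=203.0.113.7 user=bob result=fail
2019-03-01T10:00:01 ip=203.0.113.7 user=carol result=fail
2019-03-01T10:00:02 ip=203.0.113.7 user=dave result=ok
2019-03-01T10:00:02 ip=203.0.113.7 user=erin result=fail
2019-03-01T10:00:03 ip=203.0.113.7 user=frank result=fail
2019-03-01T10:05:00 ip=198.51.100.9 user=alice result=fail
2019-03-01T10:05:20 ip=198.51.100.9 user=alice result=fail
2019-03-01T10:05:40 ip=198.51.100.9 user=alice result=ok
2019-03-01T10:30:00 ip=192.0.2.44 user=grace result=ok
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_stuffing_sources(events, window=timedelta(minutes=10),
                          min_users=5, min_fail_ratio=0.6):
    """Return {ip: summary} for sources that, within any `window`, tried at
    least `min_users` distinct usernames with a failure ratio of at least
    `min_fail_ratio`.

    Many usernames from one source with mostly failures is the signature of a
    combo list being replayed. A single user fumbling a password touches one
    account; a busy corporate NAT shows many users but a high success ratio.
    Both conditions together separate stuffing from those benign cases.
    """
    by_ip = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        best = None
        start = 0
        for end in range(len(evs)):
            # Slide the window: drop events older than `window` before evs[end].
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            fails = sum(1 for e in span if not e["ok"])
            ratio = fails / len(span)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                if best is None or len(users) > best["distinct_users"]:
                    best = {
                        "distinct_users": len(users),
                        "attempts": len(span),
                        "fail_ratio": round(ratio, 2),
                        # Accounts the attacker actually got into: these need
                        # a forced password reset and session revocation first.
                        "compromised": sorted(e["user"] for e in span if e["ok"]),
                    }
        if best:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the constructed sample this flags only 203.0.113.7 (six usernames, five failures, one successful takeover of the account `dave`) and ignores the mistyping user and the normal login. In production the thresholds need tuning against real traffic, and grouping solely by source IP is a weak key: stuffing tools spread attempts across proxy pools, so the same logic is usually also run per ASN, per client fingerprint, or per targeted username across all sources.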
Firms delay breach reports
Data from the Information Commissioner’s Office (ICO) has revealed that businesses routinely delayed data breach disclosure and failed to provide important details to the ICO in the year prior to the enactment of the General Data Protection Regulation (GDPR).

The information was published following a Freedom of Information (FOI) request by threat detection firm Redscan. On average, businesses waited three weeks after discovery to report a breach to the ICO, while the worst offending organisation waited 142 days. The vast majority (91%) of reports failed to include important information such as the impact of the breach, recovery process and dates.

The FOI also revealed that hackers disproportionately targeted businesses at the weekend, while many reports would be issued to the ICO on a Thursday or Friday – possibly in an attempt to minimise potential media coverage. On average, it took companies 60 days to identify they’d been a victim of a data breach, with one business taking as long as 1,320 days. Less than a quarter of businesses would be compliant with current GDPR requirements.

“Data breaches are now an operational reality, but detection and response continue to pose a massive challenge to businesses,” said Mark Nicholls, Redscan’s director of cyber security. “Most companies don’t have the skills, technology or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the ICO. This was a problem before the GDPR and is an even bigger problem