As part of Cognosec’s half-year review of 2017, we speak to Neira Jones and question whether organizations have changed their approach to cybersecurity procedures following high profile ransomware attacks. Neira also provides her industry predictions for the next six months.
What are your standout industry news stories for the first half of 2017?
Well, so much to think about! We were all still reeling from the massive Mirai IoT DDoS attack in Q4 2016, but January 2017 didn’t disappoint... We first saw what was dubbed The Big Asian Leak, where hackers were selling 1 billion user accounts (some in plain text, some with only MD5 hashes...) stolen from Chinese internet giants, and in the same month, Lloyds Bank suffered a massive DDoS attack that crippled its systems for two days, the Washington DC police closed-circuit camera network was hit by hackers in yet another IoT attack, the Hello Kitty database was leaked to the web, affecting 3.3 million fans, the New York Times Twitter account was hijacked by hackers announcing an imminent Russian missile attack, three Indian banks were the latest victims of fake trades through SWIFT access hacks and a London NHS hospital trust was hit by a cyber-attack through a phishing scam (perhaps a precursor of things to come...). And as if this wasn’t enough, the Zeus malware resurfaced as Zbot/Terdot, integrating with legitimate apps, Satan emerged as a new ransomware-as-a-service, and the new ransomware Ponzi scheme PopCornTime got victims to collaborate by infecting new users in exchange for their files... On the market side of things, Yahoo were still in the throes of their massive data breach fallout, with a shareholder lawsuit, Marissa Mayer resigning, and Yahoo rebranding to Altaba; Ashley Madison settled $1.6M FTC & state charges resulting from their 2015 data breach that exposed 36M users; in the UK, Royal Sun Alliance was fined £150K for a breach of the Data Protection Act affecting 60K customers through a stolen device.
But it wasn’t all bad news: still in January, HTTPS adoption reached a tipping point, signalling mass adoption; the Mirai author was named as Paras Jha, operator of DDoS protection service @ProTrafSol.
February and March were no less colourful, where, apart from winter clouds, we also saw bleeding ones, with the CloudFlare misconfiguration error that caused leakage of CloudFlare customers’ HTTPS sessions (Uber, OK Cupid, Fitbit and many others) for months. We also had the usual downpour of high profile security events, with the Xbox 360 & PlayStation Portable ISO forums hack where 2.5 million gamers’ accounts were leaked, the GitLab meltdown, the Intercontinental Hotel Group massive card data breach affecting 12 US hotels; an Anonymous group took down a fifth of the dark web (oh, the irony!), there were yet more problems with WordPress, Yahoo issued a new breach warning related to “forged cookies” and Verizon shaved $300M off its offer, the Funimation Entertainment data breach leaked 2.5 million account details for the 2nd time in two years, 7.5M US voter records were put at risk in Georgia, and Home Depot paid another $24 million for their 2014 data breach...
And cybercriminals didn’t keep still: the Locky ransomware and Kovter click-fraud trojan were spotted spreading in the same campaigns and the Crypt0L0cker ransomware was back with campaigns targeting Europe, the AKBuilder exploit kit emerged targeting Word documents to spread malware, Mirai got a Windows version (Ouch!), and, in a first, researchers identified malicious macros in Word documents that execute malware on Mac computers instead of Windows-based machines, and it was revealed that identity theft soared in the UK between 2015 and 2016.
Again, we still had some good news in February 2017; Google decided to come down hard on the side of HTTPS with Chrome; SWIFT came down hard on those of its members with less than optimal security practices; NIST released its new Digital Identity Guidelines; the UK government announced that UK data protection legislation will mirror the GDPR and that the NIS Directive will still be implemented (despite Brexit) and launched extra-curricular cyber clubs to inspire & identify tomorrow’s cyber security professionals as well as successfully deploying DMARC; many security firms released decryption tools to fight ransomware; and The Queen officially opened the National Cyber Security Centre.
In April and May 2017, we continued on trend, with the usual smattering of security (or lack thereof) events, a few retail, healthcare and hospitality data breaches, IoT scare stories and insider threat mishaps, but the news was of course dominated by the global WannaCry ransomware attack, especially with the massive impact on the NHS. Verizon reiterated, in their Data Breach Investigations Report, that sloppiness still causes most data breaches.
But we also had the comforting news in April of the No More Ransom initiative getting even more members and decryption tools, which is a good thing, and of the accidental hero who found the WannaCry kill switch. And of course, regulations of all kinds also made a regular appearance, with the GDPR but also the 2nd Payment Services Directive (PSD2) and the lack of preparedness that businesses seem to exhibit.
Finally, in June, we saw the OneLogin password manager data breach (quis custodiet ipsos custodes), the personal details of nearly 200 million US citizens exposed, and Anthem paying $115M in the largest data breach settlement in history. And as if this wasn’t enough, whilst still dealing with the effects of WannaCry, we had the double whammy of Fireball and, more importantly, our second massive ransomware attack of the year with Petya (or NotPetya?), and to add insult to injury, we learned that Britain’s newest warship, HMS Queen Elizabeth, is currently running Windows XP...
So all in all, the first half of 2017 was a sad state of affairs...
With various cyber security news stories hitting the headlines over the last few months, do you think organizations have changed their approach to their cyber security procedures?
With all the scary headlines, it is undeniable that cyber security is getting more attention at Board level, and that is compounded by the regulatory and compliance risks we all face in 2018. Are organisations more prepared? Industry statistics state otherwise, and panic will set in at the end of this year, that is, if a major healthcare or IoT attack doesn’t injure people or claim lives first...
What are your industry predictions for the remainder of 2017?
Given the success of the massive attacks we have experienced in H1 2017, I wouldn’t be surprised to see more attacks on that scale.
Could you provide 5 cyber security tips that an organization should implement / act on in the next six months?
I would say that first of all, organisations need to know themselves and understand what is at risk. We live in the information age, and information is money, which is attractive to criminals. Protecting information assets is crucial, and understanding what information an organisation holds is the first step in establishing an information security strategy. Next will be to conduct a risk assessment in view of establishing a risk posture, taking into account all aspects of people, process and technology. Next, automation and partnerships will be key in addressing security and compliance requirements.
How can Cognosec’s services help organizations achieve cyber resilience?
With their thorough understanding of business operations, risk management and extensive partner network, Cognosec can help organisations address these challenges.
More than 20 years in financial services and technology made Neira believe in change through innovation & partnerships. She is regularly invited to advise organisations of all sizes on payments, fintech, regtech, cybercrime, information security, regulations (e.g. PSD2, GDPR, AML) and digital innovation. She always strives to demystify the hype surrounding current issues and also enjoys her work as an expert witness. She likes engaging on social media and regularly addresses global audiences as a keynote speaker or chairperson.
She is a Non-Executive Director for Nasdaq-listed cyber security firm Cognosec and Chairman for payments innovator Comcarde. She also chairs the Advisory Board for mobile innovator Ensygnia and is a partner for the international Global Cyber Alliance. She is an Advisor and Ambassador for the Emerging Payments Association and is on the Thomson Reuters UK top 30 social influencers in risk, compliance and regtech #TRRiskUK30 2017, the Jax Finance Top 20 Social Influencers in Fintech 2017, the Richtopia Top 100 Blockchain Insiders List and the Innotribe Femtech Leaders List. Tripwire nominated her “Top Influencer in Security To Follow on Twitter” in January 2015, CEOWorld Magazine nominated her Top Chief Security Officer to Follow on Twitter in April 2014, she is the Merchant Payments Ecosystem Acquiring Personality of the Year 2013 and the SC Magazine Information Security Person of the Year 2012, and has been an InfoSecurity Europe Hall of Fame alumna since 2011, as well as being voted to the Top 10 Most Influential People in Information Security by SC Magazine & ISC2 in 2010. She has previously served on the PCI SSC Board of Advisors for four years, is a Fellow of the British Computer Society and worked for Barclaycard, Santander, Abbey National, Oracle Corp. and Unisys.