This week, we discuss the password security repercussions of the recent mega breaches and a ransomware attack on the University of Calgary, and give cyber security advice to SMEs.
Hello and welcome to the IT Governance podcast for Friday, 10th June. Here are this week’s stories.
Last week, I discussed a series of years-old data breaches that are beginning to affect hundreds of millions of users of MySpace, LinkedIn and Tumblr as their account details – my own included, I have to admit, courtesy of a Tumblr account I briefly held a few years ago – were put up for sale on the dark web. Now, I’m cautious enough to use a password manager and have unique passwords for my online accounts so I reckon I’m OK, but others might not be. That’s why a lot of companies that haven’t been breached are now resetting their customers’ passwords, as security researcher Brian Krebs reports.
Netflix and Facebook, among others, regularly sift through databases of breached credentials, looking for email and password combinations that match their own customers' accounts. They then, sensibly, reset those customers' passwords as a precaution, before an attacker can try the leaked pairs against their service. However, not all companies have the time or resources to take such precautionary measures.
If you reuse the same credentials to sign into numerous accounts, you're not alone: according to a survey conducted by LastPass earlier this year, 59% of people reuse passwords for multiple logins. The problem is that a single data breach could jeopardise the security of all of them, because attackers routinely replay leaked email and password pairs against every other popular service. In an enterprise context, if your staff are in the habit of reusing passwords, a breach of some unrelated website could hand an attacker a valid login to your network. If you're a manager, train your staff to be aware of the risks, and put proper access management policies in place so that only the people who should be able to access your networks and systems can do so.
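The check that Netflix and Facebook are described as running is straightforward to reproduce. The example below is an added illustration, not code from the podcast or from either company: it takes a constructed breach dump of (email, plaintext password) pairs and a constructed user store that holds only salted PBKDF2 hashes, hashes each leaked password with the matching customer's salt, and returns the accounts whose current password is the leaked one. Sample emails, passwords and the PBKDF2 parameters are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of what a breached-credential dump looks like once
# extracted: (email, plaintext password). None of these are real accounts.
BREACH_DUMP = [
    ("alice@example.com", "Summer2016!"),
    ("BOB@Example.com", "hunter2"),          # mixed case: must still match
    ("carol@example.com", "correct horse battery staple"),
    ("dave@example.com", "password1"),       # not one of our customers
]

PBKDF2_ITERATIONS = 100_000  # assumption; tune to your own hardware budget


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, a sensible way to store passwords at rest."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS)


def normalise_email(email: str) -> str:
    """Dumps and user stores rarely agree on case or whitespace."""
    return email.strip().lower()


def build_user_store(users):
    """Constructed customer database: email -> (salt, hash).

    A real store holds only the salt and hash, never the plaintext; the
    plaintext appears here solely to build the sample.
    """
    store = {}
    for email, password in users:
        salt = os.urandom(16)
        store[normalise_email(email)] = (salt, hash_password(password, salt))
    return store


def find_reused_credentials(user_store, dump):
    """Return the set of our accounts whose current password is in the dump.

    Work is bounded by the number of dump rows that belong to a customer:
    rows for other people's accounts are skipped before any hashing.
    """
    to_reset = set()
    for email, leaked_password in dump:
        key = normalise_email(email)
        record = user_store.get(key)
        if record is None:
            continue  # leaked account is not one of ours
        salt, stored_hash = record
        candidate = hash_password(leaked_password, salt)
        if hmac.compare_digest(candidate, stored_hash):
            to_reset.add(key)
    return to_reset


def demo():
    """Build the constructed store and run the check against the dump."""
    # alice and bob reused their leaked password on our service;
    # carol chose a unique one; dave is not a customer at all.
    store = build_user_store([
        ("alice@example.com", "Summer2016!"),
        ("bob@example.com", "hunter2"),
        ("carol@example.com", "a different, unique passphrase"),
    ])
    return find_reused_credentials(store, BREACH_DUMP)


if __name__ == "__main__":
    for account in sorted(demo()):
        print("force password reset:", account)
```

Because the stored hashes are salted, the comparison has to be done per customer with that customer's salt; you cannot simply intersect two lists of hashes. That is also why the check needs the dump's plaintext (or cracked) passwords: a dump that contains only someone else's unsalted hashes tells you which of your customers appeared in the breach, but not whether they reused the password with you.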
The University of Calgary has become the latest institution to succumb to ransomware – a type of malware that encrypts unsuspecting users’ files until they pay a fee, usually in Bitcoin, for the decryption key. The university’s vice-president of finance and services, Linda Dalgetty, said on Wednesday that the university paid C$20,000 to regain control of critical systems after the 28 May attack affected more than 100 university computers.
Ransomware is a huge problem right now. Infoblox’s DNS Threat Index for Q1 2016 reports a 3,500% increase in ransomware domains in the first quarter of 2016 compared with the last quarter of 2015, “propelling it to account for 60 percent of the entire malware category”, and Nyxbone, a site that analyses ransomware, categorises nearly 130 current ransomware variants.
Ransomware, like many other forms of malware, commonly arrives by two routes: phishing emails carrying malicious attachments or links, and exploit kits hosted on compromised or malicious websites that infect visitors with unpatched browsers and plugins (so-called drive-by downloads). What's particularly worrying for corporations is that a single careless mouse-click by any unsuspecting user is all it takes: the malware encrypts every file that user's account can write to, including shared network drives, so one workstation can take down a department's data. The lesson is that staff awareness training is essential, but it is not enough on its own; prompt patching, least-privilege access to shared folders and tested offline backups are what let you recover without paying. Better still, an information security management system that addresses people, processes and technology will help prevent ransomware infections in the first place.
A couple of weeks ago I asked what you wanted this podcast to cover. Somewhat disappointingly, we’ve had no responses this week.
Fortunately, our regular correspondent Mr Madeupname has emailed us: “Dear Podcast,” he writes, “could you tell me more about the basic measures I need to take to secure my business, Madeup Industries, against cyber attacks?”
Well, Mr Madeupname, I’m glad you asked. Your first port of call should be the government’s Cyber Essentials scheme. This certification scheme sets out five security controls that could prevent around 80% of cyber attacks. Cyber Essentials is exactly that, though: the essentials, the place to start. From here, you can upgrade to a fully functioning information security management system (or ISMS), as set out in the international standard for information security management, ISO 27001. (All of the Cyber Essentials controls are included in ISO 27001 and you’ve probably got others implemented already without realising it.) And once you’ve got this in place, you can consider adding other elements such as business continuity to create a posture of cyber resilience. All ISO management system standards are fully integrable, enabling you to create an integrated management system. Head over to our main site for more information.
Well, that’s it for this week. Don’t forget to comment below, telling us a bit about yourself and what you want to hear more of – otherwise Mr Madeupname will once again be providing suggestions.
Until next time, remember that you can keep up to date with the latest information security news on our blog. And whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.