This week, we discuss new cyber crime statistics released to mark Get Safe Online Day, a handful of zero-day vulnerabilities affecting Windows machines, and the arrest in Prague of a Russian man in connection with a number of high-profile cyber attacks – including the 2012 LinkedIn hack.
Hello and welcome to the slightly delayed IT Governance podcast for Friday, 21 October. Here are this week’s stories.
Tuesday, 18 October was Get Safe Online Day – an initiative run by the public/private advocacy group Get Safe Online. According to National Fraud Intelligence Bureau statistics, fraud including cybercrime cost the UK economy £10.9 billion in 2015/16 – approximately £210 per adult. However, Get Safe Online’s own research, released to mark Get Safe Online Day, found the actual figure to be much greater: an average of £523 per person who reported a crime.
Tony Neate, Get Safe Online’s chief executive, said: “The fact that the UK is losing nearly £11 billion to cyber criminals is frightening and highlights the need for each and every one of us to make sure we are taking our online safety seriously.”
Commander Chris Greany, the Police National Coordinator for Economic Crime, said: “The huge financial loss to cybercrime hides the often harrowing human stories that destroy lives and blight every community in the UK. All of us need to ask ourselves: are we doing everything we can to protect ourselves from online criminals? Unfortunately, people still click on links in unsolicited emails and fail to update their security software.”
Cyber security isn’t as difficult – or as expensive – as many organisations think. Around 80% of cyber security incidents actually arise from basic failings such as poor perimeter defences, inadequate access controls and poorly managed administrative privileges, unpatched or end-of-life systems, outdated anti-malware and antivirus software, or a lack of security awareness within an organisation. All of these can be addressed at a cost of hundreds rather than thousands of pounds. The government’s own Cyber Essentials scheme has been designed specifically to help small and medium-sized businesses achieve a basic level of cyber security. If that sounds like something your organisation could do with, you can download a free guide to the scheme from IT Governance.
As part of its October security bulletins, Microsoft has patched a handful of zero-day vulnerabilities. (Zero-days, in case you don’t know, are security flaws that are actively being exploited by cyber criminals at the time of their discovery by the affected vendors, who have, as the name implies, zero days to patch them.)
Kaspersky, who alerted Microsoft to one remote code execution vulnerability (CVE-2016-3393 if you want to look it up), said in a blog post this week that it was being exploited by the advanced persistent threat (APT) group ‘FruityArmor’ to elevate privileges on victims’ machines. Microsoft explained that an attacker who successfully exploited it could “take control of the affected system [to] install programs; view, change, or delete data; or create new accounts with full user rights” by tricking a user into visiting a malicious website via a link in an email or Instant Messenger message, or opening a specially crafted document.
If your Windows machines haven’t installed the latest batch of patches automatically, we suggest you give them a nudge – and maybe revise your patch management procedures at the same time. It’s also well worth your while providing your staff with a phishing awareness course to mitigate the risk of their clicking on malicious links.
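One practical way to “give them a nudge” is to first find out which machines are behind. The PowerShell script below is an added example written for this post, not code from the podcast or from Microsoft; it reports, for each named host, when the most recent update was installed and whether a particular KB is present. It assumes the account running it can query WMI/CIM on the listed hosts, and the KB number it defaults to is a deliberate placeholder (the podcast does not name one), so substitute the KB from the October 2016 bulletin that matters to you.

```powershell
# Added example (not from the podcast): flag Windows hosts whose most recent
# installed update is older than a threshold, and check for a specific KB.
# Assumes: the running account can query WMI/CIM on each host named below.
# 'KB0000000' is a PLACEHOLDER, not a real identifier; pass the KB you need.

param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [int]$MaxAgeDays = 30,
    [string]$RequiredKB = 'KB0000000'   # placeholder value, replace before use
)

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

foreach ($computer in $ComputerName) {
    try {
        # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn can be empty
        # for some entries, so those are excluded from the "latest patch" calculation.
        $hotfixes = Get-HotFix -ComputerName $computer -ErrorAction Stop
    } catch {
        # Unreachable hosts are reported rather than silently skipped: a machine
        # you cannot query is also a machine you cannot confirm is patched.
        [PSCustomObject]@{
            Computer      = $computer
            Status        = 'UNREACHABLE'
            LastPatch     = $null
            HasRequiredKB = $null
        }
        continue
    }

    $dated = $hotfixes | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending
    $last  = if ($dated) { $dated[0].InstalledOn } else { $null }
    $hasKB = [bool]($hotfixes | Where-Object { $_.HotFixID -eq $RequiredKB })

    # STALE: nothing installed within the window; MISSING_KB: recent patches
    # exist but the specific update is absent; OK: both conditions satisfied.
    $status = if (-not $last -or $last -lt $cutoff) { 'STALE' }
              elseif (-not $hasKB)                  { 'MISSING_KB' }
              else                                  { 'OK' }

    [PSCustomObject]@{
        Computer      = $computer
        Status        = $status
        LastPatch     = $last
        HasRequiredKB = $hasKB
    }
}

# Example invocation (host names are constructed for illustration):
#   .\Check-PatchAge.ps1 -ComputerName ws01, ws02, srv01 -MaxAgeDays 14 -RequiredKB KB0000000
```

Pipe the output to `Format-Table` or `Export-Csv` to turn it into a quick compliance list for the machines that need attention. One caveat worth knowing: `Get-HotFix` only shows what Windows records as hotfixes, so it can miss some cumulative or feature updates; treat your WSUS, SCCM or equivalent management console as the authoritative record and use a script like this as a spot check, not a replacement.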
Czech police, in conjunction with the FBI, have arrested a Russian citizen – identified only as Yevgeniy N – over his involvement in a number of high-profile cyber attacks, including the 2012 LinkedIn hack that compromised 117 million users’ accounts. The United States is believed to be seeking the man’s extradition, but no date has been set for a hearing yet.
A spokesman for Russia’s Prague embassy, Alexey Kolmakov, said: “Russia repudiates Washington’s policy of imposing its extraterritorial jurisdiction on all countries. We insist that the detainee is handed over to Russia.”
The Associated Press reported that the arrest took place on 5 October, but that police delayed releasing information about it for “tactical” reasons. “Police spokesman Jozef Bocan said the suspect was arrested in a Prague hotel. After the arrest the suspect collapsed, received first aid treatment and was hospitalized”.
LinkedIn commented: “Following the 2012 breach of LinkedIn member information, we have remained actively involved with the FBI’s case to pursue those responsible. We are thankful for the hard work and dedication of the FBI in its efforts to locate and capture the parties believed to be responsible for this criminal activity.”
As I discussed in a podcast last month, hundreds of millions of account details for LinkedIn, Dropbox, Myspace and Tumblr were all listed for sale on the dark web by the same criminal hacker, who went by the moniker ‘Peace’.
It’s still US National Cyber Security Awareness Month. Week 4’s topic is “Our continuously connected lives: What’s your ‘apptitude’?”
“We are quickly advancing into a world where there is an app for everything. These rapid technological advances – like the Internet of Things – can yield tremendous benefits. Cybersecurity is fundamental to realizing the promise of new and expanded technologies.”
As technologies and threats continue to develop, show your customers and stakeholders that you take cyber security seriously by gaining ISO 27001 certification. There have been over 600 certifications to ISO 27001 in the US, and 24,000 globally – and that number is growing year-on-year. If you want to compete in the international marketplace, get an advantage over your competitors, and use internationally recognised cyber security best practice, then you need ISO 27001 certification.
And don’t forget to check out our book of the month, Insider Threat: A Guide to Understanding, Detecting, and Defending Against the Enemy from Within by Dr Julie Mehan. Every type of organisation is vulnerable to insider abuse, errors or malicious attacks. This book shows how a security culture based on international best practice can help mitigate them.
Head over to our webshop to find out more.
Well, that’s it for this week. Until next time, remember that you can keep up to date with the latest information security news on our blog.
Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.