In our last ever podcast, we discuss Citrix’s data breach, the GDPR and cookie walls, data breach notification, and Patch Tuesday.
Hello and welcome to the IT Governance podcast for Thursday, 7 March 2019. It’s our last episode, so I suppose I ought to mark the occasion in some way, but, let’s face it, you’re not listening for gimmicky nonsense, so let’s crack on. For the last time, here are this week’s stories.
The software provider Citrix has confirmed that it has suffered a security breach in which “international cyber criminals” gained access to its internal network and “downloaded business documents”.
According to Citrix’s chief security and information officer, Stan Black, the FBI has advised that the attackers used password spraying to gain access – a type of brute-force attack that tries a small set of common passwords against a large number of accounts, relying on the fact that many users choose weak passwords.
The security company Resecurity claims the attack was carried out as part of “a sophisticated cyberespionage campaign” by the Iranian IRIDIUM group, which “has hit more than 200 government agencies, oil and gas companies and technology companies”.
“Based on our recent analysis,” Resecurity says, the group accessed “at least 6 terabytes of sensitive data stored in the Citrix enterprise network, including e-mail correspondence, files in network shares and other services used for project management and procurement”.
Citrix is yet to share detailed information about the incident, but it has expressed regret at the “impact this incident may have on affected customers”. Approximately 400,000 organisations use its services – including 98% of the Fortune 500.
Obviously, I can’t end this podcast without mentioning the EU GDPR again. One of my favourite data protection authorities (and probably one of yours too), the Dutch Autoriteit Persoonsgegevens, has said that websites “that only give visitors access to their site if they agree to place so-called ‘tracking cookies’ or other similar ways of tracking and recording behaviour through software or other digital methods do not comply with the General Data Protection Regulation”. (I should perhaps say I’m relying on Google Translate. I don’t speak Dutch – as my pronunciation of ‘Persoonsgegevens’ must surely indicate.)
According to Aleid Wolfsen, the chairman of the AP, “If a website asks for permission for tracking cookies and if it is refused access to the website or service is not possible, people give up their personal data under pressure and that is unlawful.”
The AP says that it will therefore “intensify its monitoring in the coming period to see whether the standard is being applied correctly in the interest of protecting privacy”.
Whether there will be any enforcement action remains to be seen, so I wouldn’t hold out hope that cookie walls are going to disappear any time soon, but we live in hope.
One of the things mandated by the EU GDPR is data breach notification. As I’m sure you’re aware, data processors are required to report all breaches of personal data to their data controllers, and data controllers are required to report breaches to their supervisory authority (in the UK that’s the Information Commissioner’s Office) within 72 hours of becoming aware of them – if there is a risk to data subjects’ rights and freedoms. Data subjects themselves must be notified without undue delay if there is a high risk to their rights and freedoms.
Now, a Freedom of Information request has shown just how difficult meeting that 72-hour time limit might be.
According to Computer Weekly, data released by the ICO showed that in the year before the GDPR took effect it took UK businesses an average of three weeks to report a breach to the ICO and “less than a quarter of businesses would be compliant with current GDPR requirements”. One company didn’t inform the ICO for 142 days – approximately 47 times longer than the GDPR allows.
Data breach notification is definitely one of the trickier aspects of GDPR compliance – after all, 72 hours really isn’t long when a data breach catches you unawares and you’re also trying to close any security gaps to stop more data being compromised, establishing the cause of the incident and exactly what happened, and preparing to deal with potential negative media coverage. If you’re concerned that you might not be able to provide the ICO with all the information it requires within the 72-hour deadline, you might be interested in our EU GDPR Data Breach Support Service.
And finally, it was Patch Tuesday this week. Let’s end with some CVE numbers, shall we? Everyone loves a CVE number. This month, Microsoft has issued 64 patches, 17 of which are rated critical.
Two are patches for zero-day vulnerabilities that are being actively exploited in the wild: CVE-2019-0797 and CVE-2019-0808. Both are elevation of privilege vulnerabilities in Windows that exist when the Win32k component fails to properly handle objects in memory. They could allow attackers to run arbitrary code in kernel mode, enabling them to install programs; view, change or delete data; or create new accounts with full user rights. You know what to do.
Well, that’ll do for this week, for this year and perhaps forever. To be honest, I didn’t expect it to last for more than a couple of months, let alone nearly four years, but, as George Harrison said, all things must pass. Before we go, enormous thanks must go to our producers Jay and Lewis, as, indeed, they must to everyone else who’s filled in so expertly for me over the years while I’ve been away: Scott, Sophie, Michael, Gemma, Camden, Bryony, Paula and anyone else I might’ve forgotten, and to all the listeners who’ve left comments over the years. Oh, and a special mention to James Hilton, surely our most enthusiastic listener.
Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.