This week, we discuss Norton’s new Cyber Security Insights Report, the inevitability of a category one cyber attack on the UK, unofficial PDFs of Fire and Fury spreading malware, and further fallout from the Spectre and Meltdown CPU vulnerabilities
Hello and welcome to the IT Governance podcast for Friday, 26 January 2018. Here are this week’s stories.
The first major cyber security report of the year has landed. The 2017 Norton Cyber Security Insights Report found that, in the 20 markets it surveyed, 978 million people were affected by cybercrime in 2017, losing a total of US$172 billion between them. 17.4 million British consumers accounted for $6 billion of losses – £4.2 billion – and spent an average of 14.8 hours dealing with the aftermath of cyber crime.
One interesting finding was that respondents are still failing to follow basic security practices: a third of consumers store their passwords insecurely and a fifth use the same password for all of their accounts. And 58% of cyber crime victims shared at least one password with others.
As I’ll never tire of saying, proper password management is fundamental to your and your organisation’s security. If you reuse passwords and one of the services you use is compromised, all of your accounts and the information that can be gleaned from them are at risk.
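To make the reuse risk concrete, here is a small password-vault audit written for this edit (it is not from the podcast, Norton, or any password manager). It assumes a vault export as a list of site/user/password records, uses a constructed sample vault rather than real credentials, and shows two defender checks: which sites share a password, and how many other accounts fall if one site is breached.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault export (not real credentials). A real audit would
# take the export of a password manager instead.
SAMPLE_VAULT = [
    {"site": "shop.example", "user": "alice", "password": "Summer2017!"},
    {"site": "mail.example", "user": "alice", "password": "Summer2017!"},
    {"site": "bank.example", "user": "alice", "password": "Summer2017!"},
    {"site": "forum.example", "user": "alice", "password": "correct-horse-battery-staple"},
]


def _fingerprint(password):
    """Hash the password so reports and logs never carry the plaintext."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:16]


def find_reused_passwords(vault):
    """Group entries by password fingerprint; keep only fingerprints used on
    more than one site. Returns {fingerprint: sorted list of sites}."""
    groups = defaultdict(list)
    for entry in vault:
        groups[_fingerprint(entry["password"])].append(entry["site"])
    return {fp: sorted(sites) for fp, sites in groups.items() if len(sites) > 1}


def blast_radius(vault, compromised_site):
    """Other sites whose stored password equals the one used at
    compromised_site, i.e. the accounts exposed by that single breach."""
    target = [e for e in vault if e["site"] == compromised_site]
    if not target:
        return []
    fp = _fingerprint(target[0]["password"])
    return sorted(
        e["site"]
        for e in vault
        if e["site"] != compromised_site and _fingerprint(e["password"]) == fp
    )


if __name__ == "__main__":
    for fp, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"password {fp} reused on: {', '.join(sites)}")
    print("if shop.example is breached, also at risk:",
          blast_radius(SAMPLE_VAULT, "shop.example"))
```

The audit compares fingerprints rather than plaintext so the report itself does not become a second copy of the credentials; a unique password per site makes `blast_radius` return an empty list for every site.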
At the other end of the cyber security scale, the head of the National Cyber Security Centre, Ciaran Martin, told the Guardian that the UK has so far been fortunate to have avoided a major, ‘category one’ cyber attack and that he anticipated such an attack in the next two years.
Speaking ahead of a speech at the Royal United Services Institute on Monday by the chief of the general staff, General Sir Nick Carter, which warned that the UK is lagging behind Russia in terms of its cyber warfare capacity, Martin said: “Some attacks will get through. What you need to do [at that point] is cauterise the damage.”
The worst attack the UK has faced so far is the WannaCry ransomware outbreak last May, but that was classed a category two attack as there was no risk to life. The latest figures show that there were 33 other category two attacks since the NCSC opened, and 762 less severe category three ones.
(If you’re interested in how the NCSC defines its attack categories, I asked its press office for clarification because the information doesn’t appear to be on its website. A category one (C1) attack would be a national emergency, where there is immediate danger to the population; a category two (C2) attack is a significant incident that requires high-level involvement or coordination among government departments and agencies; and a category three (C3) attack is more routine. The risks are low-level, but attacks can be numerous.)
Martin explained that the UK would be taking measures to counteract the growing threat, saying that “Offensive cyber will be an increasing part of the UK’s security toolkit”, but that retaliatory cyber attacks were only part of a range of responses, which included diplomatic pressure – a rather more measured approach than one recently proposed by the US: President Trump’s administration has advocated using nuclear weapons in response to cyber attacks.
Talking of President Trump, pirated PDFs of Michael Wolff’s book Fire and Fury have been found to contain malware. According to The Daily Beast, “Michael Molsner from cybersecurity firm Kaspersky first highlighted the malware on Twitter on Friday. The bundle of files includes the PDF of Fire and Fury, and a Windows executable file”. So, if you do want to read Wolff’s book about the Trump presidency, get yourself a legitimate copy, not a dubious, knock-off one.
Finally, attempts to patch the Spectre and Meltdown CPU vulnerabilities – which affect almost everything with a chip in it – are continuing to cause problems.
One aspect in particular is drawing widespread criticism: how the embargo on information about Meltdown and Spectre – instituted by the chip manufacturers in June 2017 when they discovered them – has affected the patching programmes of other manufacturers and developers, some of which only found out about the vulnerabilities when they were made public on 2 January, a week earlier than the embargo was due to end.
Patches were rushed out, but, as we have seen, were not universally successful – or popular. Indeed, Linux’s creator Linus Torvalds, seldom one to hold back, raged on Sunday that Intel’s approach – making Spectre protection an opt-in feature – was “complete and utter garbage” and ignored a bigger problem: “that the whole hardware interface is literally mis-designed by morons”.
On Wednesday, four members of the US House of Representatives wrote to Apple, Amazon, ARM, Google, Intel and Microsoft, seeking information about the embargo and how the release of information was handled.
They said: “As nearly all modern technology companies are impacted by these vulnerabilities, and less [sic] than ten companies were included in the original June 2017 disclosure, it is reasonable to assume that additional companies have been negatively impacted by the embargo.”
Intel provides a good example of the chaos: having originally said, on 3 January, that performance impacts were “workload-dependent, and, for the average computer user, should not be significant and will be mitigated over time”, Intel was forced to backtrack this week, admitting on 22 January that there were quality issues in their Broadwell and Haswell processors. This prompted the likes of Lenovo, Dell and VMware to withdraw or delay the release of their updates.
Intel’s executive vice president Navin Shenoy apologised “for any disruption this change in guidance may cause”.
Spectre and Meltdown are both yet to be exploited in the wild.
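Because some of the Spectre protection described above was shipped as opt-in, an administrator cannot assume a patched kernel means a mitigated host. The following check is an added example for this edit, not code from the podcast or from any vendor. It reads the per-vulnerability status files that Linux kernels from 4.15 onwards expose under `/sys/devices/system/cpu/vulnerabilities` and classifies each one; the `SAMPLE_STATUS` values are constructed so the logic can be exercised on a machine without that directory.

```python
from pathlib import Path

# Directory the Linux kernel (4.15 and later) exposes with one file per CPU
# vulnerability, each containing a single status line.
SYSFS_VULN_DIR = "/sys/devices/system/cpu/vulnerabilities"

# Constructed sample of what those files may hold on a partially patched host.
SAMPLE_STATUS = {
    "meltdown": "Mitigation: PTI",
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Minimal generic ASM retpoline",
}


def classify(status):
    """Map one status line to 'not_affected', 'mitigated' or 'vulnerable'.
    Anything that is not explicitly 'Not affected' or 'Mitigation: ...' is
    treated as vulnerable, so unknown strings fail closed."""
    s = status.strip()
    if s.startswith("Not affected"):
        return "not_affected"
    if s.startswith("Mitigation"):
        return "mitigated"
    return "vulnerable"


def audit(status_by_name):
    """Classify every vulnerability file; returns {name: classification}."""
    return {name: classify(line) for name, line in status_by_name.items()}


def unmitigated(status_by_name):
    """Names of vulnerabilities the kernel reports as still exploitable."""
    return sorted(n for n, c in audit(status_by_name).items() if c == "vulnerable")


def read_sysfs(path=SYSFS_VULN_DIR):
    """Read the live kernel interface; returns {} when it is absent, e.g. on
    kernels older than 4.15 or on non-Linux systems."""
    d = Path(path)
    if not d.is_dir():
        return {}
    return {f.name: f.read_text() for f in d.iterdir() if f.is_file()}


if __name__ == "__main__":
    live = read_sysfs() or SAMPLE_STATUS  # fall back to the constructed sample
    for name, cls in audit(live).items():
        print(f"{name:12s} {cls:12s} {live[name].strip()}")
    print("unmitigated:", unmitigated(live))
```

Run it on each host after applying a vendor update; a non-empty `unmitigated` list means the patch is installed but the protection it carries is not active, which is exactly the opt-in situation Torvalds objected to.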
Well, that’ll do for this week. Until next time you can keep up with the latest information security news on our blog.
Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.