Weekly podcast: Reports galore and more cryptojacking

This week, we discuss new reports from Cisco, McAfee and the CSIS, and Big Brother Watch, and hear more about malicious Monero mining.

Hello and welcome to the IT Governance podcast for Friday, 23 February 2018. Here are this week’s stories.

Cyber security reports are a bit like the proverbial London omnibus: you seem to wait for ages, then several come along at once.

Among an abundance of new research published this week is Cisco’s Annual Cybersecurity Report for 2018, which confirms what we’ve long suspected: that security breaches are becoming more severe and are costing businesses more than ever.

According to Cisco, 32% of breaches affected more than half of an organisation’s systems in 2017, up from 15% the previous year.

Moreover, 53% of attacks “resulted in financial damages of more than US$500,000, including, but not limited to, lost revenue, customers, opportunities, and out-of-pocket costs”.

In all industries and across all regions, the greatest obstacle to security was found to be a lack of appropriately trained and skilled personnel.

Further analysis of the financial effects of cyber crime can be found in a report released this week by McAfee and the Center for Strategic and International Studies. The Economic Impact of Cybercrime – No Slowing Down estimates that cyber crime now costs the world almost US$600 billion, or 0.8% of global GDP.

“To put [that] statistic in perspective,” it says, “it amounts to more than the income of almost all but a few countries. When you look at the cost of cybercrime in relation to the worldwide internet economy – $4.2 trillion in 2016 – cybercrime can be viewed as a 14% tax on growth”.

In the UK, online fraud and cybercrime account for nearly half of all crimes – more than 5.5 million offences annually.

Staying with the UK, a report released by the civil liberties and privacy campaign group Big Brother Watch this week reveals that UK local authorities experienced more than 98 million cyber attacks in the last five years – at least 37 per minute.

And although one in four councils actually experienced a data breach between 2013 and 2017, the majority are failing to take action to mitigate the threat of phishing attacks and human error, which account for the majority of incidents: 297 local authorities (75% of them) “do not provide mandatory training in cyber security awareness for staff” and 63 of them (16%) don’t provide any cyber security training at all.

Big Brother Watch criticised this “negligence”, saying that it was “indicative of the low priority afforded to cyber security issues”, and urged “local authorities to review their policies with a view to mitigating the risks of cyber security incidents that threaten the security of citizens’ invaluable data”.

The report also revealed that “25 local authorities experienced losses or breaches of data in the past five years as a result of cyber security incidents. Yet, 56% of councils who failed to protect data from cyber security threats did not even report the incidents.”

This lack of reporting will have to be addressed when the General Data Protection Regulation comes into effect on 25 May. Data processors will be required to report breaches of personal data to data controllers, and data controllers will be required to report breaches to the supervisory authority (the Information Commissioner’s Office) within 72 hours of their discovery if there is a risk to data subjects’ rights and freedoms. Data subjects themselves must be notified without undue delay if there is a high risk to their rights and freedoms.

For more information about the GDPR, see our GDPR resource page.

I mentioned last week that, thanks to an infected third-party plug-in, 4,300 websites, many of them belonging to governmental and public bodies, were inadvertently causing their visitors to run the Coinhive script to mine for Monero. I neglected to reveal the sum the criminals managed to mine in the few hours before they were detected.

It was a paltry $24.

And Coinhive has said it isn’t paying out.

Sort of makes you wonder why they bother.

However, others have been more successful at cryptojacking. Check Point has discovered what it says “could potentially become one of the biggest malicious mining operations ever seen”, targeting Jenkins – the popular open-source automation server.

The so-called JenkinsMiner has amassed $3 million worth of Monero (XMR) for its Chinese operators by exploiting a vulnerability in the Jenkins Java deserialization implementation that was patched last April.

According to Check Point, “The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers.”

Jenkins is estimated to have one million users. If you’re one of them, check you’ve updated to the latest version.

As the Cisco report that I talked about at the start of this podcast said: “There was a time when patching known vulnerabilities within 30 days was considered best practice. Now, waiting that long to remediate could increase [your] risk of being targeted for attack because threat actors are moving faster to release and use active exploits of vulnerabilities.”

Well, that’ll do for this week. Until next time, you can keep up with the latest information security news on our blog.

Whatever your information security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk