UK firms hit by attacks every 50 seconds

The business ISP analyzed traffic for its customers during the period and found them to be on the receiving end of 146,491 attempted attacks each, on average. That’s 179% higher than the same period in 2018, when firms faced down 52,596 attacks on average.

IoT devices and file sharing services were most frequently targeted, hit by 17,737 and 10,192 attacks respectively during the quarter.

This chimes somewhat with a FireEye report from last month which revealed a dramatic increase in attacks exploiting file-sharing services to deliver malware via email. From hardly being used in any attacks in Q4 2018, OneDrive was seen in over 60% by Q1, it claimed.

Read entire post UK firms hit by attacks every 50 seconds | Phil Muncaster | InfoSecurity

Lawmakers propose cyber training for congress

A bipartisan bill proposed last week by New York representatives Kathleen Rice (D) and John Katko (R) would require members of Congress to receive annual cybersecurity and IT training. The Congressional Cybersecurity Training Resolution of 2019 extends the existing requirement that House employees receive annual training by mandating that House members themselves also receive cybersecurity and IT training, according to The Hill.

“The chief administrative officer shall carry out an annual information security training program for members (including the delegates and resident commissioner), officers, and employees of the House,” the act states.

“We strongly encourage support for the Congressional Cybersecurity Training Resolution,” said Jack Koziol, CEO and founder at Infosec. “Cyber-criminals are responsible for hundreds of billions of dollars’ worth of damage to the global economy and undermine democracy around the world.”

Read entire post Lawmakers propose cyber training for congress | Kacy Zurkus | InfoSecurity

Cyber resilience vs business resilience

This article is divided in two parts. First, it guides you into thinking about cyber-resilience: What is it about? What are its characteristics and its differences with the more traditional cases of unavailability of information technologies? The second part proposes an exploration of responses through the development of a “Cyber Resilience Plan” integrated with the other plans of the Business Continuity Management System.

The question is no longer when you will be impacted, but how you will react when faced with three major risks:

    • Your data is destroyed or corrupted
    • Your activities suddenly stop
    • Communication is no longer possible

Read entire post Cyber-resilience vs business resilience | PECBInsights

Israel responds to cyber-attack with air strike

The Israel Defense Forces (IDF) claim to have thwarted a cyber-attack by Hamas by striking the building where Hamas cyber operatives work.

After the alleged cyber-attack, IDF responded with a physical attack in what Forbes contributor Kate O’Flaherty called “a world first.”

According to the commander of the IDF’s cyber division, identified only by his rank and the first Hebrew letter of his name, Brigadier General Dalet, this was also the first time that Israel’s cyber forces had to fend off an attack while they were themselves under fire, which required both Israeli technology soldiers and the Israeli Air Force, according to The Times of Israel.

Read entire post Israel responds to cyber-attack with air strike | Kacy Zurkus | InfoSecurity

Fake malware tricks radiologists diagnosing cancer

With the use of deep learning, researchers Yisroel Mirsky, Tom Mahler, Ilan Shelef and Yuval Elovici at Cyber Security Labs at Ben-Gurion University demonstrated in a video proof of concept (PoC) that an attacker could fool three expert radiologists by falsifying CT scans, inserting or removing lung cancer, the Washington Post reported.

“In 2018, clinics and hospitals were hit with numerous cyber attacks leading to significant data breaches and interruptions in medical services,” the researchers wrote. “Attackers can alter 3D medical scans to remove existing, or inject non-existing medical conditions. An attacker may do this to remove a political candidate/leader, sabotage/falsify research, perform murder/terrorism, or hold data ransom for money.”

Using a test dummy to highlight the vulnerabilities in picture archiving and communication systems (PACS), the researchers demonstrated that 98% of the time they injected or removed solid pulmonary nodules, they were able to fool both radiologists and state-of-the-art artificial intelligence (AI).

Read entire post Fake malware tricks radiologists diagnosing cancer | Kacy Zurkus | InfoSecurity

Study: Over 80% of firms suffer security skills shortages

The majority of security professionals believe it’s getting harder to recruit talent into the industry, according to a new study from Tripwire.

The firm commissioned Dimensional Research to poll over 300 industry professionals back in February, in order to compile its Tripwire 2019 Skills Gap Survey.

Some 85% claimed their IT security department is already understaffed, and just 1% said they can manage all of their organization’s cybersecurity needs with a shortfall in skills. Almost all of those polled (96%) said they’re either currently facing problems recruiting or can see it coming.

Read entire post Over 80% of firms suffer security skills shortages | Phil Muncaster | InfoSecurity

A hacker in a restaurant

This article was originally published by Alexander Sverdlov on LinkedIn.

Day 1

A hacker comes into a restaurant and discovers that the salt shaker on the table can be unscrewed and one can pour anything into it. The hacker goes home and writes an angry letter to the manager of the restaurant: “I, meG@Duc, found a vulnerability in the salt shakers at your restaurant. An attacker can open them and pour poison inside! Take action immediately!”

Day 2

The manager, among other business letters, requests for food deliveries and courier receipts, finds the notification letter and shrugs: “Who could even come up with this nonsense?”

Day 5

The hacker comes into the restaurant and pours poison into all the salt shakers. Three hundred people die, and the manager is dragged through the courts for three months to prove the absence of a crime. The hacker writes a letter in the style of “Well, I told you!”.

Day 96

The manager orders his staff to buy specially designed salt shakers with a combination lock. Visitors of the restaurant feel like they are missing something very important in the meaning of life.

Day 97

The hacker discovers that the holes in the salt shakers pass salt in both directions. And not only salt, anything! He writes an angry letter to the manager after pissing in all the salt shakers. Three hundred people stop visiting the restaurant forever, thirty get admitted to the hospital with food poisoning.

The hacker sends an SMS to the restaurant manager: “How are you doing?” The manager is dragged through courts for three months and is released on probation.

Day 188

The manager vows to no longer work in any kind of food establishment, and to peacefully cut timber in Siberia. Engineers are working on a new one-way valve for a salt shaker. Waitresses in the meantime withdraw all the old salt shakers and distribute the salt by hand.

Day 190

The hacker steals a salt shaker from the restaurant and carefully studies the device at home. He writes an angry letter to the manager: “I, meG@Duc, stole the salt shaker and I find this fact outrageous! Anyone can steal your salt shakers!” The previously fully sober manager goes home and drinks a bottle of vodka.

Day 193

The hacker discovers that all the salt shakers in the restaurant are chained and nailed to the table. He arrives at a hacker conference and reports on his progress, getting a well-deserved reward for the protection of the interests of society and consumers.

Fortunately, the manager never hears anything about it and will not die of alcohol poisoning, for now.

Day 194

As part of a diabolical, genius, elaborate operation, BLACKHAT hackers break into the restaurant and pour all the salt from the salt shakers into their pockets. The hacker meG@Duc writes an indignant letter to the manager, alluding to the fact that there is no concern for the visitors of the restaurant, as any criminal can deprive honest people of salt in an instant. A salt dispenser with one-time authorisation is simply necessary!

Engineers sweat over a new salt shaker, while waitresses hand out salt manually, again. The manager goes on vacation to the Seychelles and has dinner only in his room, avoiding any canteens, restaurants and bars.

Day 200

Visitors of the restaurant find, in horror, that in order to pour salt they must go to the waitress, show their passport and get a special 8-digit one-time code for the shaker. For pepper they must repeat the procedure.

Montreal-based UN aviation agency tried to cover up 2016 cyberattack

In November 2016, the Montreal-based International Civil Aviation Organization (ICAO) was hit by the most serious cyberattack in its history, and internal documents obtained by CBC suggest key members of the team that should have prevented the attack tried to cover up how badly it was mishandled.

As the United Nations body that sets standards for civil aviation around the world, ICAO is the gateway to everyone in the aviation industry, so an uncontained cyberattack left not just ICAO vulnerable, but made sitting ducks of its partners worldwide.

The documents obtained by CBC suggest the hacker was most likely a member of Emissary Panda, a sophisticated and stealthy espionage group with ties to the Chinese government.

Read entire post Montreal-based UN aviation agency tried to cover up 2016 cyberattack | Debra Arbec | CBC

Three predictions for the future of ISO 37001

This article was originally published by the FCPA blog on 13 February 2019

2018 was an eventful year in ISO 37001’s adoption journey. The Anti-Bribery standard’s flexibility was demonstrated through a variety of first-time (for ISO 37001) public and private sector uses.

Examples include the Brazilian and Danish prosecutors’ use of ISO 37001 in bribery settlement agreements, and the Korean Pharmaceutical and Bio-Pharma Manufacturers Association’s assistance to its 194 members with a phased ISO 37001 adoption approach.

Brazil, Italy and Peru lead in terms of the number of certified ISO 37001 organisations. The United States, as is normal with ISO standard adoption, has been slower to appreciate ISO 37001’s value.

What to expect concerning ISO 37001 adoption and evolution in 2019?

This question was posed to senior executives within the community that best knows the world of standard certifications (some have been in the field for over a hundred years) – the accredited certifying bodies (CBs) that are performing ISO 37001 Anti-Bribery Management Systems audits on a global basis.

The CBs’ predictions and themes for this year?

Organisations will better understand the symbiotic relationship between ISO 27001 (Information Security Management Systems) and ISO 37001

Bruno Samuel, Executive Director, Sales & Marketing, North America for DNV-GL highlights ISO 37001’s particular value for organisations that have adopted other ISO management system standards. “ISO 37001 uses the same structure for implementation as certain other ISO standards, such as Information Security Management Systems – ISO 27001 or ISO 9001 – Quality Management Systems. This feature allows organisations to easily leverage the work done in other areas and implement an Anti-Bribery Management System which can encompass the entire organisation and integrates with other management systems.”

Observation: As with 2018, many U.S. corporate boards in 2019 will apply priority oversight to two organisational risk management areas: anti-bribery and cybersecurity. Demand for ISO 27001 certification has increased dramatically in recent years, particularly in the government contracting, manufacturing, IT and professional services sectors, as one indicator of cyber preparedness.

Boards (and management teams) of companies that are ISO 27001, ISO 14001 (Environmental Management Systems) or 9001-certified can use the same familiar ISO management system structural “lens” to review and manage anti-bribery activities by adopting ISO 37001.

ISO 37001 will become recognised as a tool for stabilising partner ecosystems

Scott Lane, President at ETHIC Intelligence notes: “If organisations can push down certification requirements to their partners, they can pass the costs (and time) associated with screening third parties to the third parties themselves. This will make third parties responsible for representing their commitment to anti-bribery, as a pre-requisite for working with reputable organisations.”

David Muil, VP of Global Business Development, Business Assurance at Intertek adds: “Given the nature of what is happening in the industry and things that are coming to light with risk mitigation and brand protection, you are going to see this become a contractual requirement of doing business from organisations. The industry is already seeing it now with governments in some parts of the world who have mandated on their RFQs that you must be compliant to the intent of ISO 37001.”

Observation: For cost and general bribery risk management reasons, expect this “shifting” trend to continue in 2019. For companies, this practice is particularly attractive to those with global operations and a large supplier base.

In the public sector, this activity may offer advantages to governmental organisations within countries farther down the Transparency International Corruption Perceptions Index (CPI), such as lesser-developed countries with abundant natural resource holdings, by making relative improvements to a project’s anti-bribery environment through enlisting commercial partners’ commitment to ISO 37001.

The public sector will continue to creatively influence the standard’s adoption

The global public sector creatively embraced ISO 37001 in 2018. “Soft” forms of adoption were used in Indonesia, Malaysia, Singapore and Peru; governmental entities in those countries officially recognised the standard and encouraged its adoption. Brazil, Denmark and Singapore used “hard” forms: ISO 37001 certification was required by prosecutors as a condition of bribery allegation settlement.

For governmental entities that are within countries or regions with historically high bribery risk, using ISO 37001 provides distinct advantages. It allows them to project the power of ISO (the globally-respected standards body) and its bribery management system, incorporating both applicable law and leading global anti-bribery practices and procedures.

And as noted by the General Counsel of ISO 37001-certified Alstom, Pierrick Le Goff in ICC Netherlands’ Integrity publication, “[i]n a globalised economy, the ISO 37001 certification can provide a standardised tool for public bodies to assess the quality of the anti-bribery programs of their bidders“.

Observation: For classic “standardisation advantage” reasons (e.g. efficiency, quality, cost-savings, certainty) and building on the momentum from 2018, the public sector will continue to play a significant, if not driving, role in ISO 37001’s evolution in 2019 and beyond. Over time, certain public sector “suggestions” in some locales and/or sectors may evolve into “recommendations” before finally becoming “requirements”.

OkCupid users victims of credential stuffing

Love is in the air this week, but cyber-criminals are reportedly targeting user accounts on dating sites like OkCupid ahead of Valentine’s Day. Multiple news outlets have reported that OkCupid users say their accounts have been hacked, which the company says is likely the result of credential stuffing.

“There has been no security breach at OkCupid. All websites constantly experience account takeover attempts and there haven’t been any increases in account takeovers on OkCupid. There’s no story here,” a spokesperson shared in a statement.

According to the website’s Help page, “Account takeovers… happen because people have accessed your login information. That can happen in a few ways. The simplest, of course, is using a password that’s easy to guess. Another option is because of a breach on another site. If you use the same password on several different sites or services, then your accounts on all of them have the potential to be taken over if one site has a security breach.”

Read entire article OkCupid Users Victims of Credential Stuffing | Kacy Zurkus | InfoSecurity
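Credential stuffing, as the Help page describes it, replays username/password pairs leaked from other sites, so on the defender's side it has a recognisable shape: one source tries many different usernames, roughly once each, and most attempts fail. The following is an added example, not code from OkCupid or from the article, showing how a defender can separate that pattern from a single-account password-guessing attack and from an ordinary user who mistyped a password. The log line format, IP addresses, usernames and thresholds are all constructed for illustration; a real deployment would parse the identity provider's or WAF's own log format and tune the thresholds to its traffic.

```python
"""Flag credential-stuffing sources in an authentication log (illustrative example).

A stuffing source tries many *distinct* usernames, about once each, with a
high failure rate, because each leaked pair is only worth one attempt. A
brute-force attack on one account or a legitimate user with a typo looks
different: few usernames, so the distinct-user count is what separates them.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical log format for this example; adapt the regex to real logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters accumulated over the log window."""
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)            # distinct usernames tried
    succeeded_users: set = field(default_factory=set)  # accounts that logged in from this IP


def parse_line(line: str):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def aggregate(lines):
    """Group attempts by source IP, skipping lines in an unexpected format."""
    stats = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["ip"]]
        s.attempts += 1
        s.users.add(rec["user"])
        if rec["result"] == "FAIL":
            s.failures += 1
        else:
            s.succeeded_users.add(rec["user"])
    return dict(stats)


def classify(stats, min_attempts=8, min_distinct_users=8, min_fail_ratio=0.7):
    """Return {ip: (label, [accounts that succeeded from that ip])} for suspicious sources.

    Accounts that succeeded from a stuffing source are the ones whose owners
    reused a password leaked elsewhere; those are the takeovers to act on.
    """
    findings = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts or s.failures / s.attempts < min_fail_ratio:
            continue
        if len(s.users) >= min_distinct_users:
            findings[ip] = ("credential_stuffing", sorted(s.succeeded_users))
        elif len(s.users) <= 2:
            findings[ip] = ("brute_force", sorted(s.succeeded_users))
    return findings


# Constructed sample log (not real traffic): one legitimate user, one brute-force
# source guessing a single account, and one stuffing source replaying twelve
# leaked pairs, of which only "dave" reused his password here.
_STUFFED_USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
                  "grace", "heidi", "ivan", "judy", "mallory", "oscar"]
SAMPLE_LOG = (
    ["2019-02-12T10:00:01Z ip=192.0.2.10 user=alice result=FAIL",
     "2019-02-12T10:00:05Z ip=192.0.2.10 user=alice result=OK"]
    + [f"2019-02-12T10:02:{i:02d}Z ip=198.51.100.7 user=bob result=FAIL"
       for i in range(10)]
    + [f"2019-02-12T10:05:{i:02d}Z ip=203.0.113.5 user={u} "
       f"result={'OK' if u == 'dave' else 'FAIL'}"
       for i, u in enumerate(_STUFFED_USERS)]
)

if __name__ == "__main__":
    for ip, (label, taken_over) in classify(aggregate(SAMPLE_LOG)).items():
        print(f"{ip}: {label}; accounts to reset: {taken_over or 'none'}")
```

The distinct-username threshold is what makes this a stuffing detector rather than a generic failed-login alarm: the brute-force source in the sample has the same failure ratio but is reported separately, and the legitimate user never reaches the attempt threshold. Stuffing tools usually rotate through proxies, so in practice the same counters are also worth keeping per username (many source IPs for one account) and per user-agent, not only per IP.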

New ISO guidance to reduce the risks of cyber-attacks on machinery

Cyber-attacks or IT malfunctions in manufacturing can pose risks to the safety measures in place, thus having an impact on production and people. New international guidance to identify and address such risks has just been published.

“Smart” manufacturing, or that which takes advantage of Internet and digital technology, allows for seamless production and integration across the entire value chain. It also allows for parameters – such as speed, force and temperature – to be controlled remotely. The benefits are many, including being able to track performance and usage and improved efficiencies, but it also exacerbates the risk of IT security threats.

ISO/TR 22100-4, Safety of machinery – Relationship with ISO 12100 – Part 4: Guidance to machinery manufacturers for consideration of related IT-security (cyber security) aspects, is designed to help machinery manufacturers identify and address IT security threats that can impact on the safety of their product. It complements ISO’s flagship standard for machine safety, ISO 12100, Safety of machinery – General principles for design – Risk assessment and risk reduction, which lays down the fundamentals for risk assessment, hazard analysis and documentational requirements.

Read entire post Smart manufacturing: new ISO guidance to reduce the risks of cyber-attacks on machinery | Clare Naden

Americans feel fated to fall prey to cybercrime

Only a few days after the Senate Committee on Aging released a new report in which it found that seniors lose an estimated $2.9 billion each year to financial scams, the insolvency services of Nyman Lisbon Paul and the UK’s Driver and Vehicle Licensing Agency (DVLA) have issued scam alerts warning consumers to beware of cyber scams.

Two weeks ago, Infosecurity reported that 60% of consumers in the UK were leaving themselves vulnerable to scams, and today, Nyman Lisbon Paul tweeted a warning that “pension scam victims lost an average of £91,000 to criminals in 2018, Financial Conduct Authority (FCA) research recently revealed. Criminals often use cold-calls and offers of free pension reviews to convince their victims to comply.”

As scams become more commonplace, government agencies, organizations and concerned citizens are taking to social media to caution consumers about the myriad scams to which they could fall victim.

Read entire post Americans Feel Fated to Fall Prey to Cybercrime | Kacy Zurkus | InfoSecurity