Paris Calling… Should We Answer? (Faut-il répondre?)

This week, Canada announced that, along with Microsoft and the Alliance for Securing Democracy, it will be leading an initiative to counter election interference as outlined in the Paris Call for Trust and Security in Cyberspace. The Paris Call is an international agreement outlining steps to establish universal norms for cybersecurity and privacy. The agreement has now been signed by over 550 entities, including 95 countries and hundreds of nonprofits, universities, and corporations. Nations such as Russia, China, and Israel did not sign the agreement, but one country’s absence is particularly notable—the U.S.

While the Paris Call is largely symbolic, with no legally binding standards, it does outline 9 principles that signatories commit to uphold and promote. Among these principles are the protection of individuals and infrastructure from cyber attack, the defense of intellectual property, and the defense of elections from interference.

Non-Government Entities are Governing Cybersecurity Norms

Despite the U.S.’s absence from the agreement, many of the United States’ largest tech companies signed it, including IBM, Facebook, and Google. In addition, Microsoft says it worked especially closely with the French government to write the Paris Call. The inclusion of private organizations in the agreement is a sign of the increasing importance of non-governmental entities in shaping and enforcing cybersecurity practices. The fact that Microsoft—and not the U.S.—is taking a lead on the agreement’s principle to counter election interference is a particularly strong example of how private companies are shaping the relationship between technology and democracy.

A Flawed Step, But a Step Nonetheless

Some organizations that signed the agreement, however, remain wary of private influence and how it might affect some of the principles of the Paris Call. Access Now, a non-profit dedicated to a free and open internet, raised concerns about how the agreement might give too much authority to private companies. One of the agreement’s principles, for example, encourages stakeholders to cooperate to address cyber criminality, which Access Now worries could be interpreted as a relaxing of judicial standards that would allow for an “informal exchange of data” between companies and government agencies. The non-profit also worries the principle concerning the protection of intellectual property could lead to a “heavy-handed approach,” by both private and public entities, “that could limit the flow of information online and risk freedom of expression and the right to privacy.”

On the opposite side, others have argued that the principles are more fluff than substance, fairy tales without specificity and accountability.

That being said, the Paris Call is at the very least an acknowledgment that, similar to climate change, our global reliance on technology requires policy coordination on a global scale, involving not only nations but also the technology companies that are helping define our future. After all, it’s hard to imagine solving any global issue without coordinated technology supporting us. The Paris Call may not be the right answer, but we probably should pick up and be part of the conversation.

Hacks Against Healthcare Industry on the Rise

Hackers are continuing to use the coronavirus crisis for personal profit. We recently wrote about the increase in malicious sites and phishing campaigns impersonating the World Health Organization and other healthcare companies. But now hackers appear to be turning their sights to the healthcare sector itself. Here are two notable cases from the past few weeks.

WHO Malware Attempt

Earlier this week, the World Health Organization confirmed hackers attempted to steal credentials from its employees. On March 13th a group of hackers launched a malicious site imitating the WHO’s internal email system. Luckily, the attempted attack was caught early and did not succeed in gaining access to the WHO’s systems. However, this is just one of many attempts being made to hack into the WHO. The organization’s chief information security officer, Flavio Aggio, told Reuters that hacking attempts and impersonations have doubled since the coronavirus outbreak.

Similar attempted hacks against other healthcare organizations are popping up every day. Costin Raiu, head of global research and analysis at Kaspersky, told Reuters that “any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country.”

Ransomware Attack Against HMR

Unlike the attack on the WHO, a recent ransomware attack was successful in stealing information from a UK-based medical company, Hammersmith Medicines Research (HMR). The company, which performs clinical trials of tests and vaccines, discovered an attack in progress on March 14th. While HMR succeeded in restoring its systems, a ransomware group called Maze took responsibility. On March 21st, Maze dumped the medical information of thousands of previous patients and threatened to release more documents unless HMR paid a ransom. HMR has not disclosed how the attack occurred, but has stated that it will not pay the ransom.

Four days after the initial attack, Maze released a statement saying they would not target medical organizations during the coronavirus pandemic. Yet this did not stop them from publicizing the stolen medical information a week later. After the attack gained publicity, Maze changed their tune. The group removed all of the stolen files from their website, but blamed the healthcare industry for its lack of security procedures: “We want to show that the system is unreliable. The cyber security is weak. The people who should care about the security of information are unreliable. We want to show that nobody cares about the users,” Maze said.

Conclusion

Times of crisis and confusion are a hacker’s delight. The staggering increase in hacks against the healthcare industry only helps prove that. The key to mitigating these threats is to ensure that security configurations are set to industry best practices, continuously scan your networks, lock down or close open ports, secure or (preferably) remove Remote Desktop Protocol, and require multi-factor authentication for any remote access. And certainly, make sure you are testing your incident response plan.

Cyber Resiliency is the New Cyber Security

Here is the bottom line: when it comes to cyber threats, we should of course take steps to protect ourselves and our businesses from attacks. However, we also need to prepare ourselves for the very real possibility that, at some point, someone will get into our systems. That’s why many cyber experts are beginning to use the new term “cyber resiliency.”

The concept of cyber resiliency stems from an understanding that the cyber threat landscape is so diverse that it’s important to make sure you can withstand and not simply prevent attacks. The overall goal of a cyber resilient system is therefore to maintain essential operating functions even when it is under attack. 

The Basics of Cyber Resiliency 

In the fall, the National Institute of Standards and Technology (NIST) released a cyber resiliency engineering framework that provides detailed steps organizations can take to minimize the impact of attacks. However, the overall framework can be broken down into four basic goals:

1. Anticipate 

According to the NIST framework, the first goal of cyber resiliency includes preventative measures often included in cyber security policies. However, anticipating a cyber threat goes beyond prevention by also focusing on preparing for an attack. This includes having an incident response plan in place, as well as changing your system often in order to preempt attacks.

2. Withstand  

Withstanding a cyber attack should involve steps taken to limit the overall damage an attack does, even if you haven’t detected the attack yet. In general, this involves deflecting the attack to areas that can take the most damage without disrupting day-to-day activities. You should also be prepared to entirely remove and replace systems that are badly damaged.

3. Recover 

Before an attack even happens, you should know exactly how you plan to recover if one ever does. This should primarily involve being prepared to revert your systems to the state they were in before the attack. Recovery strategies will therefore depend heavily on having good backups of your system that you test regularly.
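A backup you have never restored is not yet a recovery strategy. The following is an added example, not code from the original post or from NIST: a small restore drill in Python that records a SHA-256 manifest of a source tree and then checks a restored copy against it, so "test your backups regularly" produces a pass/fail result instead of a hopeful guess. All files, directory names and the deliberately damaged second restore are constructed in a temporary directory; nothing here refers to a real system.

```python
"""
Added example (not from the original post): a backup-restore drill.
Builds a SHA-256 manifest of a source tree, restores it, and verifies the
restored copy file by file. Sample files below are constructed.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX-style) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a restored tree to the manifest taken before backup.

    Returns {"missing": [...], "corrupt": [...], "extra": [...]}; all three
    empty means the restore drill passed.
    """
    restored = build_manifest(restored_root)
    missing = sorted(k for k in manifest if k not in restored)
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    extra = sorted(k for k in restored if k not in manifest)
    return {"missing": missing, "corrupt": corrupt, "extra": extra}


def run_drill() -> dict:
    """Constructed drill: snapshot a tree, restore it twice (once faithfully,
    once with one file truncated and one dropped) and return both verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "live"
        (src / "db").mkdir(parents=True)
        (src / "db" / "patients.csv").write_text("id,name\n1,example\n")
        (src / "config.ini").write_text("[app]\nmode=prod\n")

        manifest = build_manifest(src)  # taken at backup time, stored separately

        # Faithful restore: should verify cleanly.
        restore_ok = Path(tmp) / "restore_ok"
        shutil.copytree(src, restore_ok)
        clean = verify_restore(manifest, restore_ok)

        # Damaged restore: silent truncation plus a missing file, the kind of
        # failure that only a real drill (not a green backup job) reveals.
        restore_bad = Path(tmp) / "restore_bad"
        shutil.copytree(src, restore_bad)
        (restore_bad / "db" / "patients.csv").write_text("id,name\n")
        (restore_bad / "config.ini").unlink()
        damaged = verify_restore(manifest, restore_bad)

    return {"clean": clean, "damaged": damaged}


if __name__ == "__main__":
    for label, result in run_drill().items():
        print(label, result)
```

Keep the manifest somewhere the backup itself cannot overwrite it (for example, a separate write-once store); if an attacker who encrypts or alters the backup can also alter the manifest, verification proves nothing.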

4. Adapt 

At bottom, adaptation means understanding that as the threat landscape continues to change, so must your security policies and systems. You should constantly be looking for new vulnerabilities within your system as well as new forms of cyber threats. If an attack does happen, you should also be willing to take a hard look at how it happened and make changes accordingly.

Leaders are best equipped to drive cyber resiliency efforts 

It is important to understand that these four cyber resiliency goals were designed to encourage communication between leadership-level business risk management strategies and the rest of the organization. We’ve written before about the importance of proper governance and business leadership when it comes to cyber security, and the same goes for cyber resiliency.

Because many executives don’t come from a background in cyber security, it may seem to make the most sense to leave the responsibility to the IT department or someone trained in security. However, cyber resiliency is as much a function of culture as anything: how we govern, organize, and communicate about cyber threats are all necessary considerations for putting cyber resilient policies into action.

That’s why Accenture Security’s 2019 State of Cyber Resiliency Report emphasizes the three skills business leaders have that make them essential to any cyber resiliency policy:  

Scaling

The report found that leaders who scaled technologies and security systems across all levels of the organization were far more effective at both preventing attacks and discovering attacks already in place.  

Training

Offering comprehensive security training across all levels of the organization also proved to be an effective method for protecting and maintaining systems during cyber attacks. Business leaders are therefore key to investing in and maintaining robust training programs.

Collaborating

Perhaps the most important skill a business leader brings to cyber resiliency is the ability to collaborate. Putting in place a cyber resiliency policy requires cooperation and communication between all levels and aspects of the business. By bringing different groups together and keeping everyone on the same page, organizations can be confident their policies and practices are as effective as possible.

The Take Away

At its root, cyber resiliency involves preparing all aspects of an organization so that any potential cyber threat has a minimal impact on business operations. This involves well-informed risk management strategies, effective communication and training for employees, updated intrusion detection systems, and a strong incident response plan that is tested and revised regularly. Cyber resiliency takes a village but depends first and foremost on a leadership team that takes the task seriously.

Cyber Awareness 4 mins at a time

Last week we announced our new Behavior-Designed Cyber Awareness Program. One part of that program will be structured phish simulation campaigns; another part of the program is a series of courses on a broad range of topics related to digital awareness, appropriate security practices, and behavioral biases which impact susceptibility to phishing emails and other forms of social engineering. Each course contains a number of micro-lessons designed to take only a few minutes — typically around 4 minutes — to complete. The intent of each course, in addition to the phish simulations that will run concurrently, is to give participants the tools they need to recognize and modify their online behavior in order to maintain a safer and healthier digital presence.

Soon we will be rolling out the entire program, but for now we want to offer a sneak peek of what’s to come. Right now we are offering a free preview of a course on phishing attacks and how to spot them. If you want to try it out, click here and enroll now for free.

And, if you haven’t already, you can check out a review of our new program published as a part of the Stanford Peace Tech Lab. 

GDPR — Large Fines — Larger Confusion?

This May marked the one-year anniversary of the EU’s General Data Protection Regulation (GDPR), perhaps the strictest set of privacy laws to date. The regulation includes landmark consumer rights when it comes to data privacy, including the right of access, broadened consent requirements, and the right to be forgotten. Since going into effect, the GDPR has caused a huge debate among business and cybersecurity experts. Where some herald it as a new dawn for consumer privacy, others consider it too big a burden for businesses.

So, one year in, how have things played out so far?  

Breach Notification 

Before the GDPR, the EU had no overarching laws requiring companies to report data breaches. Instead, it was up to individual member states to enact such laws. Since the GDPR, however, things have changed. According to the DLA Piper GDPR Data Breach Survey, nearly 60,000 breaches were reported between May 2018 and February 2019. These breaches ranged from minor, such as emails sent to the wrong person, to massive data dumps affecting millions of people.

Fines Imposed

The DLA Piper report also shows that 91 fines were imposed under the GDPR. According to the European Data Protection Board, combined fines totaled £55,955,871. However, this number can be misleading. Included in that total is the £50 million fine imposed on Google this January.

Since those reports, however, there have been a number of even larger fines levied against companies. Just this month, the UK’s ICO proposed a £183.39m fine against British Airways and a £99.2m fine against Marriott International for past data breaches.

Business Still Confused

At the same time, businesses (primarily mid-size companies) who want to comply but don’t have the resources of the large firms are having a difficult time keeping up with the regulations and mapping out the right procedures to stay compliant. Just today, MSN published an article about a researcher who convinced one in four companies to give him data on his fiancée (with her permission) to show that GDPR compliance attempts can actually lead to breaches in and of themselves.

Takeaway

This year has shown that, when it comes to consumer privacy, the GDPR is taking its role seriously and businesses are uneven in their ability to comply. But it’s still early days. French regulator Mathias Moulin emphasized in February that this “should be considered a transition year,” as lawmakers continue to nail down certain details of the new law and tie up loose ends.   

While it seems the number of breaches reported and fines imposed will continue to increase, one of the big questions in the coming years will be exactly how effective these fines are in changing the culture around data privacy. Time will tell.

A Pineapple Walks into a Coffee Shop: Cyber Protection on the Road

Vacations are a time to kick back and forget about the worries of everyday life. But that doesn’t mean you should forget about what cybersecurity risks you’re exposed to. In fact, traveling can present unique cybersecurity risks. Whether you’re at the beach or even just at your local coffee shop, carrying sensitive information on the go can open you up to additional vulnerabilities.  

Here are some tips to keep in mind when traveling:

Backup data and update your software before you go

Packing shouldn’t be the only thing you do when preparing to travel. Before you go, be sure to back up your data and update the software on your devices.  

There is a lot to keep track of when you travel, and sometimes things get lost. Creating a backup of important information will ensure you can recover anything important on that iPad you left in the seat pocket of the airplane.  

Checking for any software updates on your devices is also essential. Keeping your systems and apps up to date will ensure you have the latest security patches and help defend against malware attacks.

Be careful about using public wi-fi

Whether at the airport, hotel, or coffee shop, public Wi-Fi might not be as secure as your connection at home or in the office. These can be good spots for hackers with “pineapples” — Wi-Fi devices which intercept traffic and can perform “man-in-the-middle” attacks, where you connect to the pineapple thinking you are connecting to the public Wi-Fi and the pineapple logs all your traffic (keystrokes, websites visited, login info, etc.).

If you have to use a vulnerable connection, avoid accessing sensitive accounts or anything containing personal information. Only use sites that begin with “https://” when online shopping or banking. Using your mobile network connection is generally more secure than using a public wireless network. However, your best bet on any public Wi-Fi is to use a Virtual Private Network (VPN). VPNs will hide your IP address and reroute your connection through a private server.

Disable auto-connect

Often, your devices will automatically scan for and connect to available networks or other devices. This could lead you to unintentionally connect to an unsecured network, which bad guys with pineapples can use to gain access to your devices. Make sure to turn this feature off on all devices, and always double-check that you’re only connected to devices and networks you trust.
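The "double-check what you're connected to" advice above can be made concrete. What follows is an added example, not code from the original post or from any Wi-Fi vendor: a small Python check that compares a network scan against the networks you have knowingly joined before and refuses to auto-join anything that merely shares a name with one of them. A rogue access point that copies only the network name will show a different access-point identifier (BSSID) or a different security type, which is exactly the mismatch flagged here. The trusted list and the scan are constructed sample data; the field names are assumptions, not the output format of any real tool.

```python
"""
Added example (not from the original post): refuse to auto-join Wi-Fi that only
looks familiar. Compares a scan to a saved list of trusted networks and flags
same-name networks whose access point or security type differ.
Sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    ssid: str       # the network name shown to the user
    bssid: str      # access-point hardware address seen in the scan
    security: str   # "open", "wpa2", "wpa3"


# Constructed: networks the user has knowingly joined before.
TRUSTED = {
    "HomeNet":     {"bssids": {"aa:bb:cc:00:00:01"}, "security": "wpa2"},
    "OfficeGuest": {"bssids": {"aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}, "security": "wpa2"},
}

# Constructed scan taken at a coffee shop.
SCAN = [
    Network("CoffeeShop_Free", "de:ad:be:ef:00:10", "open"),
    Network("HomeNet",         "de:ad:be:ef:00:11", "open"),   # familiar name, unknown AP, no encryption
    Network("OfficeGuest",     "aa:bb:cc:00:00:02", "wpa2"),   # genuinely known AP
    Network("OfficeGuest",     "de:ad:be:ef:00:12", "wpa2"),   # familiar name, unknown AP
]


def classify(net: Network, trusted: dict = TRUSTED) -> str:
    """Return "trusted", "impostor-suspect" or "unknown" for one scan entry."""
    entry = trusted.get(net.ssid)
    if entry is None:
        return "unknown"
    if net.bssid in entry["bssids"] and net.security == entry["security"]:
        return "trusted"
    # A name we know, but not the access point or security type we saved:
    # the pattern a rogue access point impersonating that network produces.
    return "impostor-suspect"


def should_auto_connect(net: Network, trusted: dict = TRUSTED) -> bool:
    """Auto-join only exact matches; anything else needs a deliberate human decision."""
    return classify(net, trusted) == "trusted"


def review_scan(scan=SCAN, trusted=TRUSTED) -> dict:
    """Group a scan by verdict so the user can see what would have been joined."""
    out = {"trusted": [], "impostor-suspect": [], "unknown": []}
    for net in scan:
        out[classify(net, trusted)].append(f"{net.ssid} ({net.bssid}, {net.security})")
    return out


if __name__ == "__main__":
    for verdict, nets in review_scan().items():
        print(f"{verdict}: {nets}")
```

A matching BSSID is evidence, not proof: hardware addresses can be copied, so treat "trusted" as "safe to auto-join" and still prefer a VPN on any network you do not control. The useful property is the other direction: a same-name network with a different access point or weaker security is never joined silently.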

Don’t use public computers

Using public computers at a hotel business center or an internet café can pose some serious risks. You can’t be sure the computers are up to date and have proper security software installed. There have been a number of cases where public computers contained malware that logs your keystrokes. This can be used to steal passwords, card numbers, and any other sensitive data you might enter into the computer.

Lock and guard devices

We often think about information getting stolen by someone who remotely hacks into our device. But it’s also possible for this to happen if someone steals the device itself. Along with keeping a close eye on your belongings, make sure you use password protection, fingerprint authentication, or other types of locks for all your devices. This will help prevent someone from accessing sensitive information in the event your device gets stolen.

Scan for malware when you get home

Even if you follow all these tips, you can’t always be 100% certain that you weren’t exposed to some sort of attack. After you get home, use an anti-virus software to run a full scan of your device to ensure there isn’t anything fishy lurking anywhere.