SBN

Monthly cyber security review: November 2019

As we enter December, many organisations slow down as they turn their attention to Christmas.

Office parties, secret Santas and discussions of when it’s acceptable to put the tree up start to take precedence over work, as employees kill time hoping not to start any big projects that could ruin the festive fun.

But it’s important not to let this casual mood affect your organisation’s security practices.

Let’s review three recent incidents to help you understand the threats you should be keeping an eye out for.

1. Labour Party hit by two DDoS attacks

With the UK general election nearing, the Labour Party confirmed last week that it was hit by cyber attacks on consecutive days.

The trouble began on Monday, 11 November, with a spokesperson disclosing a “large-scale and sophisticated” attack.

The party assured the public that no sensitive information was compromised, but did say that security procedures had slowed down some of its campaigning activities.

Subsequent reports suggested that it was a DDoS (distributed denial-of-service) attack. This is a type of cyber attack that’s designed to disrupt an organisation’s ability to operate rather than to steal information.

They occur when criminal hackers use a network of compromised computers, known as a botnet, to inundate a target site with traffic. The site is unable to process such a high volume of requests and crashes.

The party was hit by another DDoS attack the next day, spawning rumours that Labour was being targeted by state-sponsored hackers to influence the election.

These rumours intensified when a Labour source claimed that the attacks came from computers in Russia and Brazil.

Labour leader Jeremy Corbyn said the incident was “suspicious” because it occurred during an election campaign.

“If this is a sign of things to come, I feel very nervous about it,” he said.

However, the BBC said these were low-level attacks and not significant enough to be considered a serious threat.

“It was really very everyday, nothing more than what you would expect to see on a regular basis,” a security official told Reuters.

2. Hurricane Dorian to blame for data breach

Not all security incidents are caused by cyber criminals disrupting an organisation’s system. Some are simply acts of God, as Rand Memorial Hospital in the Bahamas learned this month.

The organisation has Hurricane Dorian to blame for losing large amounts of patient data, with heavy wind and rain damaging the premises and destroying records.

In a press conference, Managing Director of the Public Hospitals Authority Catherine Weech said: “We’ve lost a number of the records as a result of the flooding and while we’ve made all efforts to try to salvage some of them, some of it was just not possible.”

Luckily, the organisation stores many of its records off-site, meaning the damage could have been a lot worse.

It’s hard to say exactly how much information was destroyed, because of the extensive property damage. The hospital was shut down following the flooding, which caused blackwater intrusion and subsequent mould overgrowth.

The hospital doesn’t store data digitally, but Weech said that this incident has demonstrated “the importance of having a digitized system for medical records management”.

Of course, such a setup wouldn’t have solved every problem. For one, even hospitals with digital files still rely on paper records for much of their work.

Additionally, the infrastructural damage may well have destroyed the computers and servers that the information was stored on.

Unfortunately, there isn’t a quick fix for this; if your organisation is in a hurricane path, this is a risk you’re inevitably going to face. The same lesson applies to other kinds of weather phenomenon that might be likely to affect you, such as snowstorms or flash floods.

The only way to combat these risks is to make your data mobile. Cloud storage is a godsend, as it means you’re not relying on the physical integrity of your premises to remain functional.

This should ideally be paired with processes that enable employees to work from home in the event of physical damage. You don’t want staff sat in offices that stink of floodwater, or getting stuck in a snowstorm on their way to work.

3. Aide for Democratic presidential hopeful steals personal data

The long and winding road towards the US presidential election began in earnest this month, but trouble has already struck Democratic hopeful Tom Steyer.

Dwane Sims, the deputy state director of Steyer’s campaign, used login credentials that had previously been granted while working for the South Carolina Democratic Party to download data about a presidential rival.

State officials say Sims – who resigned following an internal investigation – was able to download volunteer data from Kamala Harris’ campaign because he created a separate user account to access the database via his personal email.

This might sound like a malicious scheme to gain an advantage over Harris, but Steyer’s campaign insists that it was an accident.

They believe that Sims’ access to voter file information had been restricted due to a payment issue. Once that was resolved, his access to the data was restored at the level it was when he was working for the party rather than in his current role.

Sims began downloading the information, realising his mistake too late.

The Steyer campaign says it didn’t use the information, no longer possesses it and notified Democratic officials as soon as it learned what happened.

However, both the Democratic National Committee and South Carolina Democratic Party deny that this is the case.

Indeed, it doesn’t hold much water when you consider that Sims created an account to access this information using a personal email address.

It’s possible that there was a legitimate reason for doing this, or that Sims did so without thinking it through, but it doesn’t really matter in the grand scheme of things. It was a data breach, and both Sims and Steyer’s party must face the consequences.

This is a good lesson for organisations: intent rarely matters when it comes to security incidents. Whether an employee steals information, abuses it, loses it or accesses it unintentionally, it’s a data breach all the same.

Staff awareness training is essential for mitigating risks like this, but access controls are just as important. They restrict what information employees can view, ensuring that only authorised accounts have permission to view sensitive company information.

Manage your cyber security threats with Vigilant Software

These incidents show that security threats can come in any number of ways – whether it’s a cyber attack, a natural disaster, an employee or something else, like a power failure or physical theft.

It can be tough to manage them all, but Vigilant Software’s CyberComply platform makes things much easier.

Its combination of Cloud-based software enables you to take control of your cyber risk requirements by helping you:

  • Conduct risk assessments;
  • Track regulatory requirements;
  • Map the flow of data through your organisation; and
  • Conduct DPIAs (data protection impact assessments).

Available on a monthly or annual subscription basis, CyberComply ensures that you stay on top of your cyber security needs in a way that suits you.

Find out more >>

The post Monthly cyber security review: November 2019 appeared first on Vigilant Software – Compliance Software Blog.


*** This is a Security Bloggers Network syndicated blog from Vigilant Software – Compliance Software Blog authored by Luke Irwin. Read the original post at: https://www.vigilantsoftware.co.uk/blog/monthly-cyber-security-review-november-2019