Plain English cybersecurity advice in 3 articles, 2 numbers and 1 action.
This week: A report explains why the HSE attack was not sophisticated. The UK’s NCSC explains why the most severe computer vulnerability in years may have been identified this week. And I ask why so little of your security budget is invested in improving your defences against more than 80% of attacks.
This week’s action: Security is not just about technology. It’s about humans. Invest in your human defences.
1: HSE ransomware attack: What really happened?
The report on the cyber attack that crippled Ireland’s health service in May 2021 was released last week.
This “simple and unsophisticated” attack will cost €100m+ and potentially exposed a large quantity of our personal data (including sensitive health information) to criminals.
This article from the Irish Independent provides an excellent summary:
“When a health worker returned to their desk and logged in to their computer after the national holiday, they unwittingly opened an email addressed to them. A malicious Microsoft Excel file was attached to the phishing email. The simple and unsophisticated hack [allowed the attackers to] roam through the HSE IT system for another eight weeks. [..] the HSE was easy prey for the criminals [with] a significant number of accounts with high levels of privileges. [The worker’s computer] had not had antivirus signatures updated for over a year. [..] Suspicious activity was spotted [but ignored]. [..] It is unknown what personal data the hackers might still have. [..] The immediate impact of the attack is costing around €100m, and that does not include future investment.”
Three key takeaways:
- A staff member was fooled into opening an Excel file that contained malware. These things happen. The risk is significantly reduced if staff are trained and tested on a frequent basis, but the risk is never eliminated.
- There was a lack of additional security measures to prevent, detect or isolate the attack in the 8 weeks after this error.
- When security measures that were in place sent alerts about suspicious activities, the humans did not respond.
2: Apache Log4j: Why all the concern?
If you follow cybersecurity news (and who doesn’t?), you will have seen a lot of headlines this week about a recently-discovered vulnerability in Apache Log4j. This article from the UK’s National Cyber Security Centre explains why.
“Almost all software will have some form of ability to log (for development, operational and security purposes), and [Apache] Log4j is a very common component used for this. [..] Last week, a vulnerability was found in Log4j [..] If left unfixed, attackers can break into systems, steal passwords and logins, extract data, and infect networks with malicious software. [..] The vulnerability requires very little expertise to exploit.”
This next line explains why this particular vulnerability is getting so much attention: “It may not be immediately clear that your web servers, web applications, network devices and other software and hardware use Log4j.”
It could be very difficult to identify exactly how each piece of software that you use has implemented its logging capability. This is why, in the NCSC’s words, “this makes Log4shell potentially the most severe computer vulnerability in years.”
What to do? Gather a list of the software, services and suppliers that you rely on. Seek evidence (through web, email or phone) that each is not exposed to this vulnerability. And where updates have been released to address the vulnerability, get on with the task of installing them.
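If your IT team wants a starting point for the “gather a list” step on the servers you control, here is an added example (mine, not the NCSC’s or the Log4j project’s) that walks a directory tree, opens every jar/war/ear, and reports each archive that carries log4j-core together with the version recorded in its Maven pom.properties. It assumes the class path and pom.properties layout that log4j-core jars ship with; the sample tree in `demo()` is constructed stand-in data, not real software.

```python
# Added example, not from the newsletter; assumes the class path and pom.properties layout that log4j-core jars ship with.
import io, os, tempfile, zipfile

JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVE_EXTS = (".jar", ".war", ".ear", ".zip")

def inspect_archive(zf, location):
    """Findings for this archive plus any archives bundled inside it (fat jars, wars)."""
    names = set(zf.namelist())
    findings = []
    if POM_PROPS in names or JNDI_CLASS in names:
        props = zf.read(POM_PROPS).decode("utf-8", "replace") if POM_PROPS in names else ""
        version = next((l.split("=", 1)[1].strip() for l in props.splitlines() if l.startswith("version=")), "unknown")
        findings.append({"path": location, "version": version,
                         "jndi_lookup_present": JNDI_CLASS in names})
    for inner in names:  # vendors often bundle log4j-core inside their own archive; recurse
        if inner.lower().endswith(ARCHIVE_EXTS):
            try:
                with zipfile.ZipFile(io.BytesIO(zf.read(inner))) as inner_zf:
                    findings.extend(inspect_archive(inner_zf, location + "!" + inner))
            except zipfile.BadZipFile:
                pass  # archive-looking name but not a real zip; nothing to inspect
    return findings

def scan_for_log4j(root):
    """Walk `root` and return one finding per archive that carries log4j-core, sorted by path."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for path in (os.path.join(dirpath, n) for n in filenames if n.lower().endswith(ARCHIVE_EXTS)):
            try:
                with zipfile.ZipFile(path) as zf:
                    findings.extend(inspect_archive(zf, path))
            except zipfile.BadZipFile:
                pass  # wrong extension or corrupt file; skip it
    return sorted(findings, key=lambda f: f["path"])

def demo():
    """Scan a constructed sample tree (stand-in jars with placeholder bytes, not real software)."""
    root = tempfile.mkdtemp()
    with zipfile.ZipFile(os.path.join(root, "log4j-core-2.14.1.jar"), "w") as z:
        z.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # placeholder class bytes
        z.writestr(POM_PROPS, "version=2.14.1\n")  # constructed version string
    core = io.BytesIO()
    with zipfile.ZipFile(core, "w") as c:
        c.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # core jar with no pom.properties -> "unknown"
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as z:
        z.writestr("WEB-INF/lib/log4j-core.jar", core.getvalue())
    return scan_for_log4j(root)
```

A version of “unknown” means the jar was repackaged without its Maven metadata, so the vendor has to confirm what they shipped; the scan tells you where to ask, not whether you are safe.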
3: Those convenient QR codes could be malicious
“By pointing your smartphone’s camera at a QR code, you can order food at a restaurant, pay for parking, [..] or several other convenient things. Yet [wherever] people, devices, and money meet, hackers are there with a scam ready to go. Enter the QR code scam. By pointing your smartphone’s camera at a bogus QR code and giving it a scan, hackers can lead people to malicious websites and commit other attacks on their phones. [..] There’s really no way to look at a QR code and determine if it’s legitimate or not, such as by spotting clever misspellings, typos, or adaptations of a legitimate URL. [..] Scammers can use them to open payment apps, add contacts, write a text, or make a phone call when you scan a bogus QR code.”
Bonus: Ninjio, a cybersecurity awareness training platform, talks more about this scam in this month’s training video. If you’re not a Ninjio customer, you can still access the video here until the end of 2021.
The average spend per employee on cybersecurity in 2020, according to a Deloitte survey of (large) US firms, and mentioned at this year’s Cyber Ireland National Conference (a recording is available at https://youtu.be/ZeFZoA3ph6E?t=287).
On average, cybersecurity was allocated 10.9% of a firm’s overall IT budget (up from 10.1% in 2019). This equates to about 0.5% of an “average” organisation’s total revenue.
“85% of breaches [incidents that resulted in the confirmed disclosure of data to an unauthorized party] involved a human element”, according to the authors of the Verizon 2021 Data Breach Investigations Report.
Don’t worry about highly sophisticated attacks. Worry about your staff.
Read more: https://verizon.com/dbir [Page 7. Figure 7.]
1: Consider your investment decisions
85% of breaches involve a human element.
How much of your IT security budget is being invested in effectively reducing the risks associated with ‘the human element’?
What is not effective? Asking them to click Next-Next-Done on a PowerPoint slide deck or CBT course once a year. This is security theatre. It’s a good act and it ticks a box. But it does not effectively reduce the risk.
If you really want to be effective, you need to regularly engage and entertain staff on the topic, and regularly test them with phishing test emails that mimic what cyber attackers are using right now. You can do it yourself; there are many online services to help you. I’ve mentioned Ninjio already. Cyber Risk Aware and KnowBe4 are two of the many others. Your IT department or IT service provider may have their own preferred solution.
[Sales pitch: If you have better things to do with your time, I can do it for you as a fully-managed service. You could be up-and-running within a week. And if your staff defences do not improve within 3 months, it won’t cost you a thing.]