Plain English Cyber in 3 articles, 2 numbers and 1 action.
This week: 58% of cyber incidents start with a phishing email. Plus: North Face, LastPass, and Uber: 3 breaches; many lessons.
This week’s action: On the internet, we’re all Capricorns.
If you’d prefer to listen to Cyber 3-2-1: This week’s episode is accessible from https://www.codeinmotion.ie/podcast or wherever you get your podcasts.
1: North Face website breach reveals the birthdates of 200,000 customers
What? Teiss recently reported on a breach of the website of North Face, a clothing brand, which resulted in the details of 200,000 customers being accessed by the bad guys. It appears the breach occurred when the bad guys ran a credential stuffing attack against the website. As Teiss explains, a credential stuffing attack is “a cybersecurity attack where the attacker uses account authentication credentials, like email addresses/usernames and passwords, to gain unauthorized access to accounts. These credentials are frequently obtained from another source, like a breach at another company.”
So what? Such attacks are very common and there are a few questions that could be asked of North Face. For example, the attack seems to have continued for about 3 weeks (from July 26 until August 19). Was there anything they could have done to block it, or at least to spot it sooner? But what really caught my attention was the personal data that North Face stored on the site. Included in the data was each customer’s date of birth. This is where cybersecurity moves into the broader area of data protection, and the requirement for data minimisation. Why would North Face need a customer’s date of birth? And did they consider whether the benefit of storing this information was worth the risk of it being exposed to an attacker?
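On the “could they have spotted it sooner?” question: credential stuffing looks different from a plain brute-force attack in your login logs, and the difference is easy to test for. A brute-force attack hammers one account with many passwords; credential stuffing tries one leaked password per account across many accounts, so the tell-tale signal is one source trying lots of different usernames and mostly failing. The example below is added here to illustrate that check. It is not code from the article, from Teiss or from North Face; the log lines, the log format (timestamp, source IP, username, outcome) and the thresholds are all made up for the example.

```python
from collections import defaultdict

# Constructed sample login events, one per line: "timestamp source_ip username outcome".
# These are made-up records for illustration, not logs from the North Face incident.
SAMPLE_LOG = """\
2022-07-26T10:00:01 203.0.113.7 alice@example.com FAIL
2022-07-26T10:00:02 203.0.113.7 bob@example.com FAIL
2022-07-26T10:00:03 203.0.113.7 carol@example.com OK
2022-07-26T10:00:04 203.0.113.7 dave@example.com FAIL
2022-07-26T10:00:05 203.0.113.7 erin@example.com FAIL
2022-07-26T10:00:06 203.0.113.7 frank@example.com FAIL
2022-07-26T10:01:00 198.51.100.4 alice@example.com FAIL
2022-07-26T10:01:30 198.51.100.4 alice@example.com OK
2022-07-27T09:15:00 192.0.2.9 grace@example.com OK
"""


def parse_events(text):
    """Turn the raw log text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "OK"})
    return events


def find_stuffing_sources(events, min_distinct_users=5, min_fail_ratio=0.5):
    """Flag source IPs that try many *different* usernames and mostly fail.

    The thresholds are assumptions for this example; tune them to your own
    traffic (a shared office NAT address will legitimately show many users).
    """
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set()})
    for e in events:
        s = stats[e["ip"]]
        s["attempts"] += 1
        s["failures"] += 0 if e["ok"] else 1
        s["users"].add(e["user"])

    flagged = []
    for ip, s in sorted(stats.items()):
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged.append({
                "source_ip": ip,
                "attempts": s["attempts"],
                "failures": s["failures"],
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
            })
    return flagged


def successful_logins_from(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source.

    These are the customers whose reused password worked for the attacker,
    so they are the ones that need a forced password reset and a notification.
    """
    return sorted({e["user"] for e in events if e["ok"] and e["ip"] in flagged_ips})


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    hits = find_stuffing_sources(events)
    for h in hits:
        print(f"{h['source_ip']}: {h['distinct_users']} usernames tried, "
              f"{h['failures']}/{h['attempts']} failed")
    print("accounts to reset:", successful_logins_from(events, {h["source_ip"] for h in hits}))
```

Two practical caveats. A campaign that runs for three weeks will usually rotate source addresses and keep the rate per address low, so run this over a long window and group by ASN or user-agent as well as by IP. And the simplest signal of all needs no per-source logic: an overall rise in login failures per hour compared with your normal baseline is what a three-week campaign looks like from a distance.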
2: LastPass breach – Still nothing to see here
What? Following on from last week’s news of a breach at LastPass, Naked Security recently discussed the data breach report issued by the company. The conclusion sums it up: “We think it’s reasonable to say that our early assumptions were correct, and that although this is an embarrassing incident for LastPass, and might reveal trade secrets that the company considered part of its shareholder value, this hack can be thought of as LastPass’s own problem to deal with, because no customer passwords were reached, let alone cracked, in this attack”.
So what? To maintain our sanity and to ensure we aren’t chasing our tails, we sometimes need to make reasonable assumptions about emerging events so we don’t get distracted from addressing the more important and known security gaps in our defences. Don’t let news headlines about the unknown distract you from fixing the known.
3: Uber breach – Lots to see here
What? The Washington Post recently reported on a cyber attack on Uber. It appears that this global behemoth was breached by an 18-year-old who says he broke in for fun. The attacker shared screenshots of the system access that they were able to obtain after fooling a staff member into revealing their login credentials. “Security experts said the screenshots included proof that the hacker had access to highly privileged security accounts, which would provide wide authority inside the company [..] They also said that the company appeared to have blundered by including passwords in programs used for accessing [systems], such as Amazon Web Services, so the hacker did not need to break into more exclusive internal accounts or try to guess”. Uber would only state that “We have no evidence that the incident involved access to sensitive user data (like trip history)”.
So what? A couple of interesting elements to this one. It is common for the victim of a cyber attack to state that there is no evidence that customer data was accessed. Absence of evidence is not evidence of absence. Just because they can’t find evidence that data was accessed does not necessarily mean it was not accessed. This is very different from stating categorically that no data was accessed or could have been accessed, as we saw in the LastPass statement last week. Keep this in mind when you hear similar statements in future. The other interesting element is how one account enabled the hacker to gain access to multiple systems within Uber. We all probably have certain accounts that could be used to gain access to multiple systems – For example, your email account, as it could be used to complete ‘Password Reset’ requests for many other systems. It’s important to identify your critical accounts and to make sure it’s not easy for an attacker to gain access to them. For example, multi-factor authentication (MFA) makes it far more difficult for an attacker to use a stolen password.
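The detail in the quote above about “including passwords in programs used for accessing [systems], such as Amazon Web Services” is worth acting on, because it is something you can check for in your own scripts and file shares. The example below is added here to show that check; it is not code from the article, from The Washington Post or from Uber, and the sample files, the two detection rules and the redaction format are my own assumptions for the example (the AWS key in it is the placeholder key AWS uses in its documentation, not a live credential).

```python
import re

# Constructed sample files, made up for this example (not Uber's scripts).
SAMPLE_FILES = {
    "deploy.sh": (
        'export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n'
        'export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"\n'
        'aws s3 sync ./build s3://example-bucket/\n'
    ),
    "db_backup.py": (
        'DB_PASSWORD = "Summer2022!"\n'
        'conn = connect(host="db.internal", password=DB_PASSWORD)\n'
    ),
    # Hardened form: the secret is read from the environment at run time
    # (or from a secrets manager), so nothing sensitive sits in the file.
    "config.py": 'DB_PASSWORD = os.environ["DB_PASSWORD"]\n',
}

# Rule 1: AWS access key IDs have a fixed shape ("AKIA" + 16 upper-case alphanumerics).
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a secret-looking variable name assigned a quoted literal of 6+ characters.
# A value read from os.environ or another variable is not quoted, so it is not flagged.
LITERAL_SECRET_RE = re.compile(
    r"\b(\w*(?:password|passwd|secret|token|api_key)\w*)\s*[:=]\s*[\"']([^\"'\s]{6,})[\"']",
    re.IGNORECASE,
)


def redact(value):
    """Show enough to locate the secret without echoing the whole thing into a report."""
    return f"{value[:4]}...({len(value)} chars)"


def scan_text(filename, text):
    """Return a list of findings for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append({"file": filename, "line": lineno,
                             "rule": "aws-access-key-id", "value": redact(m.group(0))})
        for m in LITERAL_SECRET_RE.finditer(line):
            findings.append({"file": filename, "line": lineno, "rule": "literal-secret",
                             "name": m.group(1), "value": redact(m.group(2))})
    return findings


def scan_files(files):
    """Scan a mapping of filename -> contents; in practice you would walk a repo or share."""
    findings = []
    for name in sorted(files):
        findings.extend(scan_text(name, files[name]))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} [{f['rule']}] {f.get('name', '')} {f['value']}")
```

Two rules is enough to show the idea, but a real sweep should use a maintained scanner with a full pattern set (gitleaks and trufflehog are two widely used open-source options) and run it in your source control pipeline as well as over network shares. Anything it finds has to be treated as already exposed: rotate the credential, don’t just delete the line.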
1: 58%
What? The percentage of cyber incidents that start with a phishing email, according to Coalition (a US cyber insurance provider) and reported recently by Help Net Security (via NCSC).
So what? According to this insurance provider, over half of all cyber incidents succeed because of a phishing email. You must ensure you are investing sufficient time and money to reduce the number of these emails that land in your staff members’ inboxes, and to reduce the likelihood that a staff member could be fooled by one that gets through.
What? This is the average size of the insurance claim when a small business gets hit by a cyber attack, according to the same report by Coalition. This is an increase of 58% compared to the same period in 2021. According to the Head of Claims at Coalition, this is no surprise as “Small businesses are especially vulnerable because they often lack resources”.
So what? When you think about the cost of a cyber attack, it is common to focus on the size of the ransomware demand or the value of the fake invoice that a staff member was fooled into paying. However, there are many other tangible costs – e.g. the business disruption while systems are restored; the cost of legal and PR advice; the internal staff time diverted to handle the incident (time that should have been used for more valuable business activities). There are also the intangible costs that are not included in the insurance claim but cause the most damage – e.g. the longer term reputational damage to the business and to the professional reputations of each member of the management team. You also should not underestimate the stress experienced by everyone during an incident, which persists for some time after the incident is over. It takes time for everyone to recover.
1: On the internet, we’re all Capricorns.
What? As I mentioned earlier about the North Face attack, many websites ask us for an excessive amount of personal data. Date of birth seems to be a favourite, apparently so ‘we can send you a special something to celebrate your big day’. That special something usually turns out to be an email begging you to come back and spend some money.
So what? Just because you are asked for personal information does not mean you have to provide it. Ask yourself what the value of revealing this information is, and whether it’s worth the risk of revealing it. For example, if you have to use a site that requires you to enter your date of birth for no valuable reason, I recommend that you use a fake one. That way, a data breach does not make it easier for the attacker to gather important personal information about you. How do you remember your fake date of birth? Pick one and stick to it. January 1st is the obvious one, but I believe there are over 300 to choose from.