Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.
This week: a risk and compliance firm suffers a cyber attack due to stolen credentials, resistance is futile when it comes to ISO 27001, and you need to talk to your teenager about the Facts of (online) Life.
This week’s action: Stop relying on passwords to protect your money, data and identity
- A firm that helps companies to identify security risks suffered a security breach due to stolen credentials
According to TechCrunch, LogicGate, a RegTech SaaS platform that helps companies to identify and manage their risk and compliance with data protection and security standards, itself suffered a security breach in February. As detailed by TechCrunch, it arose when “an unauthorized third party obtained credentials to its [..] cloud storage servers storing customer backup files for its flagship platform Risk Cloud”. In response to TechCrunch’s queries about the incident, LogicGate appears to have declined to comment, stating “we believe it’s best to communicate developments directly to our customers”. There is no mention of any breach on their blog or News pages, or on their Twitter feed. I don’t know much about the firm, but on their blog they talk about going through a SOC 2 compliance audit as recently as December 2020. So, I assume they have a reasonable approach to security in general. If this breach arose due to stolen credentials, this was either a blind spot in their controls (long-lived access keys for cloud storage that are not protected by MFA and not rotated are a common one) or a truly sophisticated attack. Their approach to crisis PR also suggests a blind spot in their incident response planning. But it’s easy to say these things when I’m not in the middle of the storm.
Read more: https://techcrunch.com/2021/04/13/logicgate-risk-cloud-data-breach/
- It’s time to talk to your teenager about the Facts of (Online) Life
Our children are being targeted online with offers of “easy money”. They may not realise it, but the “easy money” is payment to become a money mule, resulting in criminals using their bank account to launder the proceeds of crime. The first they know about their role in the criminal enterprise is when the police call to their door with an arrest warrant. They need to be aware that offers being made to them on social media or messaging apps are being sent out by serious organised crime gangs. This isn’t a victimless crime. Apart from the original victim of the crime, the money mule may also suffer serious consequences – “Money mules face prison, being on a terrorism watchlist and having their credit rating ruined to the extent that securing a loan or even a phone contract would become impossible. Their involvement would also show up on any Garda vetting conducted on them, and securing visas to go abroad or securing employment would be impacted.”
Read more: https://www.irishtimes.com/news/crime-and-law/gangs-targeting-young-people-and-their-accounts-to-move-money-garda%C3%AD-warn-1.4508629
- ISO 27001: Resistance is futile
It is inevitable that services firms selling to regulated financial services firms will need to be ISO 27001-certified within the next two-to-three years. This sounds like a pretty black-and-white statement, but I’m not the first to say it. This week alone, ISO 27001 has come up in conversations that I’ve had with a professional services firm, an IT MSP, a RegTech, and two large regulated FS firms. One services firm told me that without ISO certification, they will not get through the procurement process of global financial firms anymore. And I can see why: for a regulated firm, dealing with suppliers who are certified saves a lot of legwork when assessing their third-party risk (a growing concern within the industry). When I describe cybersecurity as a ladder, I still tell many firms that they may not need to reach the top of the ladder, at least in the short term; getting the basics right is the first priority. From there, aligning to something like Cyber Essentials or moving up the implementation tiers of the NIST Cybersecurity Framework may be sufficient. But depending on who you sell to, ISO 27001 may be unavoidable. Make no mistake, ISO 27001 certification takes effort. It is not just about managing cybersecurity risk. It’s about managing all information security risk, even the risk of a staff member leaving a printed document on a bus. If a firm has not formalised its risk management or information security management approach yet, attaining ISO 27001 certification can be quite a stretch. But it will pay off eventually. Not just in terms of a reduction in information security risk, but also as a potential market differentiator. After all, who wouldn’t like to say “We take security far more seriously than our competitors. And we can prove it”. Get in touch if you want to talk more about ISO 27001.
Read more: If you’re not sure what ISO 27001 actually is, here is a good starting point: https://www.iso.org/isoiec-27001-information-security.html
- 99.9%: Microsoft frequently reminds us that 99.9% of attacks on our online accounts can be prevented by using multi-factor authentication (MFA). If the only thing between a bad guy and your account is a password, you are (..deep breath..) not doing enough to protect yourself. Storing important data in an account that is accessible from the internet but does not have MFA is like driving a car without any brakes: it is going to end badly. With MFA, someone who finds out your password (e.g. by fooling you with a phishing email) still cannot simply log in as you. One caveat: a code sent by SMS or generated by an authenticator app can itself be phished if you are tricked into typing it into a fake login page, so where an account offers it, a hardware security key or passkey is the strongest option. Any MFA is still vastly better than a password alone. Here’s a checklist of the Top 10 accounts to check (in no particular order): Work email account / Personal email account / Dropbox / OneDrive / Online Banking / PayPal / Evernote / OneNote / CRM system / accounting system.
(Read more: https://www.microsoft.com/security/blog/2019/08/20/one-simple-action-you-can-take-to-prevent-99-9-percent-of-account-attacks/, with commentary at https://www.zdnet.com/article/multi-factor-authentication-use-it-for-all-the-people-that-access-your-network-all-the-time/ )
- 700: The number of young people in Ireland whom Gardaí have identified as money mules in the last 12 months. According to Gardaí, it is like shooting fish in a barrel, as money mules are “very easy to find once Gardaí begin investigating”.
ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.
- Two-Factor Authentication: This is not the first time I’ve mentioned this, and it won’t be the last time. If you have an account that is accessible from the internet and could be valuable to someone else (e.g. to take your money; to view and copy your valuable data; to assume your identity), you MUST protect it with more than a password. You are driving without brakes; you are leaving the front door of your home open; you are walking down a dark alley flashing the cash. Choose whatever analogy you want, but take action. See P number 4 in my guide to the basics.