Friday, 20 June 2014

Nice filesystem you've got there...

"Nice filesystem you've got there.  Be a shame if anything... happened to it.  Know what I mean?"

It's a stock phrase used by thugs in extortion rackets in countless movies, TV shows, and video games.  It's also exactly the threat that Cryptolocker presents.  Cryptolocker is malware that when activated will encrypt all the files that it can write to, and hold the decryption key hostage.  If you pay the thugs the extortion money before the clock runs out, they give you the key, and you get your files back.  If not, your files are gone for good.

The media love using the countdown timer in Cryptolocker as a background, all the while talking about this new threat, and how the government should be doing something about it.  Except of course that it isn't really new.  It's just the latest way that criminals have found to monetise malware now that the fake-antivirus market is drying up.  And it won't be the last.

Don't get me wrong, it really is a serious problem both for individuals and for business, but it is relatively easy to avoid, and even possible to recover from without paying the criminals, but only if you plan ahead.  Here's the plan:

1.  Patch everything.
Most malware uses known vulnerabilities in operating systems and software applications to take over your computer.  If they are patched, they block the initial attack.

2.  Run current and up to date antivirus on all computers.
If the criminals can't use an unpatched vulnerability, they will try to install the malware by tricking you into clicking on a bad link, or opening a bad attachment.  If you are running a current antivirus solution from any reputable vendor, then the vast majority of this sort of malware will be blocked before it can be run.

3.  Make regular backups and ensure the backups are offline.
Even in the worst case where the malware has encrypted all of your files, the criminals aren't the only place to recover them from if you have a recent backup.  While it's very convenient to keep a USB backup drive connected to keep the copies, if you can write to that drive, then so can the malware.  After you've made a backup, disconnect the backup drive.

4.  Restrict user access to read-only everywhere except where required.
Cryptolocker will encrypt every file on every network fileshare it can write to.  In a business most users should not have full write access to all the corporate data repositories.  Restrict access either at the share level or the filesystem level.

5.  Have a response plan.
When the worst does eventually happen, and all the protective controls fail, having a plan means that you won't make the situation even worse by panicking.

Remember the threat over the next few weeks is no different from the threat over the last few weeks, or months, or years!  The media just has a new bone to chew on, but the defences are exactly the same as they have always been.  Just don't pay the criminals.

Friday, 9 May 2014

Privacy Awareness Week Day 5: Managing a Breach or Complaint

Business standpoint:

The OAIC has not yet enforced the requirement for businesses to disclose a breach, however they do provide considerable support if you do fall victim to a breach that compromises personal information. You can find further information in this Guide to handling personal information security breaches.

Reporting a breach does not preclude the OAIC from receiving complaints and conducting an investigation of the incident (whether in response to a complaint or on the Commissioner's 'own motion').

Make sure that your incident response procedures identify the actions you will need to take if a breach to personal information were to occur.  Consider: 
  • Who you should contact, When, How?
  • What information will you need to disclose?
  • What immediate actions can you take to minimise the impact of the breach?
  • Your communications strategy, will you need to contact those affected by the breach? When will you do this? How will you do this?
  • How will you manage complains from individuals affected?

Who else can help?

How do I know I can trust a consultancy such as CQR?
  • CREST Australia, assess and certify companies and staff for their proved technical ability 
  • Looking for companies that are ISO/IEC 27001 certified, ensures the company is compliant to security standards.
  • You can check companies for their certifications through Jas Anz

Personal standpoint:
If you are not happy with the manner in which your personal information is being handled by an organisation you do have some rights that ensure that the organisation reviews your concerns or complaint.

Ensure you write a formal letter detailing what your concerns are directly to the organisation and they will be obliged to manage your concerns in a timely manner.

If you do not get a satisfactory result the OAIC is there to help you.  It is free to lodge a complaint with the OAIC.  You do not need to be represented by a lawyer to make a complaint about your privacy. However, if you do decide to hire a lawyer, you must pay for the lawyer yourself.


Thursday, 8 May 2014

Privacy Awareness Week Day 4: Business Obligations: What should I be doing to protect personal information?

Before we can talk about protecting personal information, the first question you must ask is “What personal information do we process throughout the organisation?
Do you understand:
a) How you collate personal information and when?
b) Why you collect personal information?
c) What sort of information do you collect?
d) Who handles it?
e) Where does it go?
Once you have an understanding of the basics you can begin to define how to control and manage it securely.

The ‘WHAT’ question is an important one, from this you can determine whether your existing security practices are appropriate.  E.g. an application processing simply names and addresses would need far less security than an application that records credit card data or medical data.

Steps to securing personal data:
1 – Identify the information processed

2 – Classify the information (e.g. is it public, confidential or medical)

3 – Value the information in terms of impact of loss.  What impact would it have to an individual or to the organisation if:
a) it was subject to unauthorised access?
b) you could not rely on the information processed?
c) the information was no longer available?

4 – Conduct a risk assessment considering:
a) How you collect the information;
b) How it is processed;
c) The involvement of third party entities;
d) How the information is shared.

5 – Determine the required security controls to help protect personal information.  This will include controls such as:
a) Training and awareness of staff – so they understand what is expected when handling personal information;
b) Documented policies and procedures;
c) Access controls – ensure that technical controls are applied so that only authorised personnel can access the information;
d) Data sharing agreements and contracts with third parties;
e) Data Backup arrangements and recovery plans;
f) Incident management – how will you respond to a breach to personal information?

6 – Conduct a gap analysis.  Identify what security controls you already have in place.
a) Do they help manage the identified risks? 
b) What are the gaps?
c) What can be improved?

7 – Implement change.  Improve the security controls you already have in place and implement the new controls.

Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Ac
Privacy Awareness Week Day 2: Protect your privacy online
Privacy Awareness Week Day 3: What you can do to protect your privacy when using mobile phones

Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com

Wednesday, 7 May 2014

Privacy Awareness Week Day 3: What you can do to protect your privacy when using mobile phones

We have to remember that mobiles aren't just phones anymore! They store a significant amount of data to make life easier for us, but we must ensure that we don’t make it an easy target for thieves or hackers! 
So…what can we do to protect our personal information on our ‘smart’ phones?

1 - Familiarise yourself with the settings of your phone, understand the key features and enable the security features including setting a password or PIN so that no one else can access your information if your phone is lost or stolen.

2 - Turn off the Bluetooth function when not in use so that your device is only visible when you specifically need other people or devices to see it.  This means that potential hackers cannot connect to it unless they already have your Bluetooth address.

3 - When connecting to the internet, try to use an encrypted network that requires a password.

4 - Check for updates regularly, install as soon as they become available as these often contain important changes that will make your phone more secure.

5 – Keep your phone safe and on your person at all times.

6 – Back up your data regularly.

According to the OAIC 62% of Australians have chosen to not use a mobile app due to privacy concerns.

What can we do to ensure we are kept safe when downloading and using apps?

1 – Download apps from reputable websites and mobile phone apps.
2 – Follow the set up properly and consider the need for an app to access your contacts list or location details.  If in doubt don’t use it!


Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Ac
Privacy Awareness Week Day 2: Protect your privacy online

Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com

Tuesday, 6 May 2014

Privacy Awareness Week Day 2: Protect your privacy online

web banner with border

According to the OAIC 74% of Australians are more concerned about their online privacy than they were five years ago. So what can you do about it?

How often do you check your privacy settings?
Social media sites frequently update their settings and this may occur without your knowledge.  These changes will include changes to the look and feel of their website or how they interact with you or how they manage the security settings.  So it is important to periodically check your own settings and ensure only those you wish to see your information can.

Do you have to provide everything to everyone online!?
For example, consider whether you are happy for personal information such as your birth date to be made publically available.  When signing up for websites or newsletters do they really need your real birthdate or can you give a fake one? Remember who you are protecting.

Releasing your personal information is your choice!

8 simple steps for staying safe online
  1. When asked for personal information, ask what it will be used for.
  2. You don’t need to share everything about yourself on Social Media.
  3. Think about the information you want to share.
  4. Before you hand over your email address read the website privacy policy and find out how they will use the email address you provide.
  5. Check for encryption and use secure payment methods when shopping online. Look for https: connections when transferring confidential information (Banks use these secure communications for example when you log in).  This demonstrates that you have a secure connection with the website.
  6. Tick the ‘opt out’ box on forms if you don’t want to receive marketing communications.
  7. Set strong passwords, especially for important online accounts such as banking and avoid using the same password for all accounts.
  8. Know your privacy rights, visit www.oaic.gov.au

You can find more information on your privacy rights and Privacy Awareness Week from the OAICwebsite
Or for more hints and tips go to www.staysmartonline.gov.au

Other posts from Privacy Awareness Week
Privacy Awareness Week, Day 1: What is privacy and changes to the Ac

Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com

Monday, 5 May 2014

Privacy Awareness Week, Day 1: What is privacy and changes to the Act

web banner with border

 This week (5th -10th May) is Privacy Awareness Week (PAW) and CQR has partnered with the Office of the Australian Information Commissioner (OAIC) to help promote Privacy Awareness amongst the community.

So what is Privacy?
Privacy is about the protection of an individual’s personal information.  We are all responsible for protecting our own identity and that of others.  Think about it:  We expose or own personal information on a daily basis.  When we use social media, contact our utility companies and shop online we provide a large amount of our own personal data.  You may make the assumption that the person or website you are sharing your information with will take care of it, ensure it is secure and not share it with anyone else.
This to a degree is true and most companies will have a privacy policy in place to demonstrate a level of commitment to protecting your personal information, but this isn't a fool proof solution.

The person who is actually responsible for your personal data at the end of the day is you!  What is the best way to safeguard yourself and look after your own identity?  Have you ever taken the time to think about it?

To help you understand, Australia an independent Government agency responsible for privacy functions that are conferred by the Privacy Act 1988 (Privacy Act) called the Office of the Australian Information Commissioner (OAIC).  The OAIC provides advice and guidance to the public, Businesses and Government agencies on how they are to handle personal information. 

The changes to the Privacy Act on 12th march 2014 brought about a heightened awareness of the message that we should be protecting our own privacy and together with PAW CQR has put together a program of Blogs covering:
-          How you can protect your privacy online;
-          What you can do to protect your privacy when using mobile apps;
-          Business obligations to privacy; and
-          How to manage breaches to personal information.

We hope that you will keep a keen eye out on blogs, get engaged in conversation and most importantly retweet the messages to colleagues, family and friends to share the importance of Privacy.


You can find more information on your privacy rights and Privacy Awareness Week from the OAICwebsite

Yvonne Sears
Senior Security Specialist
@yvonnesearsCQR
www.cqr.com

Thursday, 17 April 2014

CQR is now an approved member of CREST Australia

Within the Information Security world the word Risk is key. Understanding and managing that word can make the greatest of difference to an organisation.

CQR are proud in the fact that they practice what they preach and their risks are checked, managed and improved at every opportunity. And to reinforce the work that they do and the value and the expertise that they have they have now officially become a member of CREST Australia.

Crest is the Council of Registered Ethical Security Testers and in order to become one of their CREST Approved companies each is subjected to auditing and CQR are happy to have passed this process and are now on the list of CREST Approved companies.

To complete the process 3 of CQR’s best security specialists have completed CREST’s demanding CRT examination process and have become certified information security testers. CREST’s CRT exam is based on the applicant’s skills and experience, there is no way to prepare for it except to rely on your own knowledge. One of CQR’s specialists achieved the highest score that has ever seen in the exam, and CQR are very proud of all of their specialists who took part and passed.

All those who pass the examination must be employed by a CREST approved company to be part of CREST Australia.

In achieving approval from CREST this shows that CQR and its security specialists work to the highest of standards and are dedicated to providing the very best of service to their clients.

Sarah Taylor
www.cqr.com