29 November 2018

IRM Weekly Cyber Security Roundup: Cyber-ratings, new spying technique and more

‘Cyber-ratings’ a future game-changer

The Cyber Risk Group at Moody’s will start rating organisations’ cyber-attack risk from ‘AAA’ to ‘C’ as part of defining their creditworthiness for investors.

They will target sectors that are highly vulnerable to cyber-attack, such as the financial and health care sectors. Assessments will focus on reputational hazard to enable investors to make savvy decisions. It will also allow organisations to quantify cybersecurity incidents into something meaningful. Other organisations such as Fair Isaac already provide cyber risk scores, but Moody’s wants to become the “clear leader”.

You can read more here.

Clever code even snoops on Tor browsing

A new spying technique has been outlined by researchers in the “Robust Website Fingerprinting Through the Cache Occupancy Channel” paper.

In a test, the researchers were able to work out 70-90% of the website pages their targets were visiting thanks to a malicious JavaScript which allows the hacker to spy on open tabs. The researchers claim that the method even works on the Tor browser.

This technique is a “side-channel attack”: rather than reading the victim’s traffic directly, it infers which pages are open from indirect signals (here, the processor cache), so the hacker can gather useful information on the victim over time to determine things such as political opinions, shopping habits and health conditions. This knowledge could help facilitate a future phishing attack.

You can read more here.

Does your 2-factor authentication meet the PSD2 standard?

The revised Payment Services Directive (PSD2) is a piece of EU legislation improving the original 2009 PSD. The directive aims to increase the efficiency of the European payments market, make payments safe, protect consumers and level the playing field for payment service providers.

The UK’s Financial Conduct Authority (FCA) requires Financial Institutions (FIs) to comply with PSD2 from 14th September 2019.

The biggest concern for most FIs is that SMS is not a secure way to deliver a one-time password (OTP) and that it needs replacing by a more appropriate method. This could hamper the many organisations who rely on this method of authentication with their customers.

You can read more here.

Wise words on board-level cyber-awareness

AMP, an Australian and New Zealand financial services provider, has spoken of the importance of organisation board members being cyber-aware. They encourage a boardroom to “ask questions and more questions if the answers don’t make sense”.

With the complex nature of cybersecurity, boards are struggling to ensure they understand the risks and can mitigate those risks. Rather than trying to defog obscure dashboards, asking basic questions understood by those with basic cyber knowledge will minimise any confusion.

When breaches are reported in the news, boards should ask “could this happen to us and if so, how could it be fixed?” This proactive approach will create a culture of understanding and ultimately improve the management of cyber risk.

Read more here.

Quick fire updates

NCSC announces it doesn’t always tell firms about discovered vulnerabilities – The National Cyber Security Centre has published the official UK process on what it does when it finds technical vulnerabilities. In short, the NCSC will usually choose to tell the vendor about the vulnerability to get it fixed. However, in some situations, it will keep the vulnerability a secret and develop intelligence capabilities with it to keep the UK security risk to a minimum. You can read more here.

Can you ever rely on IT? – On the 23rd November, the Treasury Committee launched an inquiry into the IT failures in the financial services sector. A Specialist Advisor will analyse whether institutions, such as banks, have the capability to avoid and mitigate service disruptions. Read more here.

NIST – Framework, guidance or the law? After an update to the US NIST framework alongside the Trump Administration’s recent executive order on strengthening cybersecurity, many organisations are questioning whether the latest NIST framework is mandatory. The NIST update includes a new section on self-assessment and improved supply-chain risk management advice. Only 30% of US organisations were using the framework in 2015; this figure is expected to rise to 50% within two years. Read more here.

SamSam ransomware criminals charged – Two Iranian hackers have been charged with collecting an alleged $6 million from 200 victims. Their malicious ransomware targeted cities including Georgia and New Jersey in 2015 with an aim to harm critical infrastructure. They were successful in many ways, including restricting the ability for people to pay water bills. You can read more here.

World Economic Forum’s first cybersecurity Annual Gathering – took place this week in Geneva. The Centre for Cybersecurity members and 140 industry experts addressed challenges including the lack of trust and cooperation which act as barriers to sharing threat intelligence, and the universal cyber-skills gap. You can read more here.

To receive this blog direct to your inbox every week, sign up to our newsletter.

If this week’s news has got you thinking about your organisation’s cybersecurity strategy and you want some guidance or support, get in touch with IRM.