<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:g-custom="http://base.google.com/cns/1.0" xmlns:media="http://search.yahoo.com/mrss/" version="2.0">
  <channel>
    <title>phillipdavis</title>
    <link>https://www.thesecurityconsultancy.net</link>
    <description />
    <atom:link href="https://www.thesecurityconsultancy.net/feed/rss2" type="application/rss+xml" rel="self" />
    <item>
      <title>Importance of Supply Chain security</title>
      <link>https://www.thesecurityconsultancy.net/importance-of-supply-chain-security</link>
      <description />
      <content:encoded>&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h3&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Responding to Supply Chain threats
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h3&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;strong&gt;&#xD;
      
           Another reminder as we start 2025 as to the importance of supply chain security
          &#xD;
    &lt;/strong&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
            . The Cyber Security Government Strategy (current to 2030) reminds us of the growing risk and the importance of keeping close to our supply chain partners.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
    &lt;a href="https://www.ncsc.gov.uk/collection/supply-chain" target="_blank"&gt;&#xD;
      
           https://www.ncsc.gov.uk/collection/supply-chain
          &#xD;
    &lt;/a&gt;&#xD;
    &lt;span&gt;&#xD;
      
           . We continue to work with businesses, helping to integrate their supply chain relationships and risk with their Incident Response Plans. When hackers and others suggest there is a risk, it remains critical to investigate and assess quickly and to reassure investors and boards.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           As yet unverified. TalkTalk disclosed this week that their Security team was engaged with an investigation within their supply chain. The data may have been stolen from Ascendon rather than directly from TalkTalk. Colorado-based CSG Ascendon have not confirmed a breach has taken place.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
            A number of websites and forums have posted details where a hacker named ‘b0nd’ claimed on Thursday 23
          &#xD;
    &lt;/span&gt;&#xD;
    &lt;sup&gt;&#xD;
      
           rd
          &#xD;
    &lt;/sup&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
            January 2025 to have access to nearly 19 million customer records, including TalkTalk customers. ‘b0nd’ posted on the Breach Forums community, a hacker forum.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div&gt;&#xD;
  &lt;img src="https://irp.cdn-website.com/99f44a4c/dms3rep/multi/b0nd-forum.png" alt=""/&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           TalkTalk have suggested the posts are somewhat exaggerated and have suggested the data does not include financial data, but may be limited to IP addresses, names and addresses. This may well be the case as TalkTalk is the UK’s 5
          &#xD;
    &lt;/span&gt;&#xD;
    &lt;sup&gt;&#xD;
      
           th
          &#xD;
    &lt;/sup&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
            largest ISP and Telco with somewhere between 3.6-4m customers. TalkTalk continue to investigate, presumably with the support of the National Cyber Security Centre.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;</content:encoded>
      <enclosure url="https://images.pexels.com/photos/574071/pexels-photo-574071.jpeg?auto=compress&amp;cs=tinysrgb&amp;fit=crop&amp;h=627&amp;w=1200" length="54514" type="image/jpeg" />
      <pubDate>Sun, 26 Jan 2025 19:51:32 GMT</pubDate>
      <author>joshua.g.davies@outlook.com (Joshua Davies)</author>
      <guid>https://www.thesecurityconsultancy.net/importance-of-supply-chain-security</guid>
      <g-custom:tags type="string" />
      <media:content medium="image" url="https://images.pexels.com/photos/574071/pexels-photo-574071.jpeg?auto=compress&amp;cs=tinysrgb&amp;fit=crop&amp;h=627&amp;w=1200">
        <media:description>thumbnail</media:description>
      </media:content>
      <media:content medium="image" url="https://images.pexels.com/photos/574071/pexels-photo-574071.jpeg?auto=compress&amp;cs=tinysrgb&amp;fit=crop&amp;h=627&amp;w=1200">
        <media:description>main image</media:description>
      </media:content>
    </item>
    <item>
      <title>Microsoft issued a new warning this week</title>
      <link>https://www.thesecurityconsultancy.net/mswarning</link>
      <description />
      <content:encoded>&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Microsoft issued a new warning this week on a variant of the 'Masslogger' Trojan being used to target Discord, NordVPN, Microsoft Outlook, Google Chrome, and messenger service credentials.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           With numerous studies out there over the last decade on passwords, it's clear they remain a huge risk, with many people re-using their passwords over and over across multiple platforms. We are seeing billions of credentials for sale regularly, including in January, the 3bn 'COMB collection' (Compilation Of Many Breaches) posted on the RaidForums site. These downloads systematically follow breaches over time.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           For those determined to keep passwords or phrases in their Identity and Access Management journey, it's helpful to consider how to help users manage this so they don't go insane with the sheer volume of unique and complex passwords they have to manage and change regularly. Do we want them to write these down and, if so, where? Do we want them to use online password managers, and are these safe? With over 90% of breaches down to 'something we know', perhaps now is the time to change up our security and use intelligent multi-factor authentication? Why not take the user out of the equation? If they don't know their password then it becomes more difficult for the fraudster. One of the more rewarding areas for us is helping organisations step up, make that positive change, and reduce their risk by opting out of this reliance on a memory test.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           BREACHES AND ENFORCEMENT
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           This week in the U.S. District Court in Los Angeles, the United States Justice Department 
          &#xD;
    &lt;/span&gt;&#xD;
    &lt;a href="https://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-andhttps://www.justice.gov/opa/pr/three-north-korean-military-hackers-indicted-wide-ranging-scheme-commit-cyberattacks-and" target="_blank"&gt;&#xD;
      
           lodged charges
          &#xD;
    &lt;/a&gt;&#xD;
    &lt;span&gt;&#xD;
      
            against three members of units of the Reconnaissance General Bureau (RGB), a military intelligence agency of the Democratic People’s Republic of Korea (DPRK). Those indicted were Jon Chang Hyok (전창혁), 31; Kim Il (김일), 27; and Park Jin Hyok (박진혁), 36.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           The charges extend the earlier 2018 indictments following the cyber attack on Sony and the WannaCry ransomware variants that affected, amongst others, the UK's National Health Service and a number of global banks. 
          &#xD;
    &lt;/span&gt;&#xD;
    &lt;a href="https://www.idagent.com/blog/10-2020-ransomware-statistics-that-you-need-to-see/" target="_blank"&gt;&#xD;
      
           Ransomware attacks grew by 150% last year
          &#xD;
    &lt;/a&gt;&#xD;
    &lt;span&gt;&#xD;
      
           , and in Q3 by nearly 50%. Costs are likely to exceed $20 billion this year, with new ransomware attacks every 11 seconds. 
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Kia and Hyundai, the South Korean car manufacturers, denied they were hit this week with a ransomware attack. Kia described the incident as an “extended systems outage”. Sources are claiming that the DoppelPaymer gang have hit Kia with a ransomware demand totalling $20 million for decryption and for not leaking stolen data. DoppelPaymer is interesting as it appears to be one of the first ransomware groups that telephone victims to 'encourage' them to make payment.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           In Brazil, São Paulo's consumer rights agency, Procon, this week determined that Experian's cyber attack, which saw 220m personal data records breached, may have occurred as a result of company weaknesses rather than an external attack. Procon noted that Serasa Experian did not explain how its Data Protection Policy had been technically implemented.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) disclosed this week that the Sandworm group, who are Russian military hackers, were behind a three-year attack extensively breaching a number of French organisations running the Centreon IT monitoring software. The ANSSI discovered the first victims had been compromised as early as 2017.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           ANSSI said the attackers targeted Centreon systems that remained connected to the internet, and can't say yet whether the attacks exploited a Centreon software vulnerability or whether access was gained through admin passwords.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Previously alleged members of the Sandworm Group, otherwise known as Unit 74455, are currently wanted by the US FBI; all are thought to be active members of the Russian Intelligence GRU Directorate.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Jamaican-based Amber Group has spoken out following last year's exposure of up to 400k records, including travellers' personal data, processed by the Jamaican COVID app and website they built. They have still to comment on allegations that data was retained longer than needed and therefore not destroyed. It's thought many of the victims were US nationals registering proof of negative tests before flying. It has been reported that cloud storage may have been unprotected.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Hackers were reportedly close to compromising the supervisory control and data acquisition (SCADA) system of the City of Florida's water treatment plant last week. The FBI is investigating along with regulators across US states following an attempt to exploit desktop sharing software, TeamViewer, and a reliance on shared passwords on Windows 7. The attack was thwarted by an alert employee, according to Pinellas County Sheriff Bob Gualtieri and a Massachusetts government alert; though the hackers gained access to the water facility's control systems, the attack was quickly discovered.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;</content:encoded>
      <enclosure url="https://irp.cdn-website.com/md/pexels/dms3rep/multi/pexels-photo-5496464.jpeg" length="305005" type="image/jpeg" />
      <pubDate>Wed, 02 Feb 2022 22:44:46 GMT</pubDate>
      <author>studio@pistondesign.co.uk (Barry Parker)</author>
      <guid>https://www.thesecurityconsultancy.net/mswarning</guid>
      <g-custom:tags type="string" />
      <media:content medium="image" url="https://irp.cdn-website.com/md/pexels/dms3rep/multi/pexels-photo-5496464.jpeg">
        <media:description>thumbnail</media:description>
      </media:content>
      <media:content medium="image" url="https://irp.cdn-website.com/md/pexels/dms3rep/multi/pexels-photo-5496464.jpeg">
        <media:description>main image</media:description>
      </media:content>
    </item>
    <item>
      <title>Are we there yet? Passwords Revealed</title>
      <link>https://www.thesecurityconsultancy.net/passwords</link>
      <description />
      <content:encoded>&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Alison Coleman, Senior Consultant for Ireland and UK firm The Security Consultancy and pan-European firm Security Knights, spoke again this week about the importance of moving away from passwords:
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           "The average person has well over a hundred different online accounts or logins. It's difficult for people to keep track of these. In our experience the overwhelming majority of security incidents, including breaches can be attributed to an archaic over reliance on passwords in people's security journey. We should expect more from security than our ability to remember something different, complex and non sequential for each of the hundred or so accounts we all have to remember. We've had passwords for centuries. We think their time is up and it's time for security to be brought up to date and into this century. More than nine in ten breaches are down to passwords. Many of our clients are making 2021 their year to upgrade."
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Later in the same week, Microsoft announced at its annual Ignite conference that business customers will soon be able to use biometrics with their Azure Active Directory cloud authentication. Microsoft acknowledge that passwords are a huge and unnecessary risk for organisations and will be encouraging organisations to have users sign into their accounts using facial recognition software like Windows Hello for Business, fingerprint scanners, the Microsoft Authenticator app, or a FIDO2 (Fast Identity Online) option such as a physical USB key. We think this is excellent news and look forward to the significant reduction in weekly breach reports.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           In the news this week.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
            February 25
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
    &lt;span&gt;&#xD;
      
           - Irish Data Protection Commission (DPC) published their Annual Report for 2020, with reprimands and temporary prohibitions on data processing issued against both Waterford and Kerry Councils, and reprimands issued to the Child Protection Agency and to Ryanair.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           The DPC fines included four separate fines of €75k, €40k, €50k and €35k against the Child and Family Agency, €65k against the Health Executive, €75k against University College Dublin, and €450k against Twitter. Nearly 90% of breaches involved unauthorised disclosures with a rise of nearly 400 reported breaches on 2019, at over 6,500 across 2019.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
            March 2
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
    &lt;span&gt;&#xD;
      
           - North Carolina, US: law enforcement are investigating a ransomware attack that led to a significant outage at medical firm Allergy Partners. It's not clear as yet whether the $1.75m ransom was in fact paid. The clinic posted a message apologising for the outage, explaining it was due to a cyber attack.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           March 4
          &#xD;
    &lt;/span&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
            - Industry report from Chinese internet security firm Qihoo 360. The report alleges 40 high-level overseas hacker groups, including several with suggested associations with Western Intelligence agencies, including the US Central Intelligence Agency, have been targeting Chinese business and public sector.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Qihoo 360, whose founder, Zhou Hongyi, is a leading member of the National Committee of the Chinese People's Political Consultative Conference, alleged that China had suffered more than 2,700 advanced cyber attacks since 2019.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
            March 6
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
    &lt;span&gt;&#xD;
      
           - Brazilian analysis of February's breach of 3.2bn passwords established that over 10m Brazilian Internet users' passwords were affected, including nearly 70,000 belonging to Government agencies including the National Congress and the Supreme Court.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           March 7
          &#xD;
    &lt;/span&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;span&gt;&#xD;
        
            - Change up in US Cyber Policy as President Joe Biden announces first summit with Chinese neighbours Australia, India and Japan in an effort to counter Chinese influence in the Indo-Pacific region.
           &#xD;
      &lt;/span&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      &lt;br/&gt;&#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;</content:encoded>
      <enclosure url="https://irp.cdn-website.com/md/pexels/dms3rep/multi/pexels-photo-4467735.jpeg" length="170836" type="image/jpeg" />
      <pubDate>Wed, 02 Feb 2022 22:44:46 GMT</pubDate>
      <author>studio@pistondesign.co.uk (Barry Parker)</author>
      <guid>https://www.thesecurityconsultancy.net/passwords</guid>
      <g-custom:tags type="string" />
      <media:content medium="image" url="https://irp.cdn-website.com/md/pexels/dms3rep/multi/pexels-photo-3987002.jpeg">
        <media:description>thumbnail</media:description>
      </media:content>
      <media:content medium="image" url="https://irp.cdn-website.com/md/pexels/dms3rep/multi/pexels-photo-4467735.jpeg">
        <media:description>main image</media:description>
      </media:content>
    </item>
    <item>
      <title>SC Expands into Eastern Europe</title>
      <link>https://www.thesecurityconsultancy.net/scdragan</link>
      <description />
      <content:encoded>&lt;div data-rss-type="text"&gt;&#xD;
  &lt;h1&gt;&#xD;
    &lt;span&gt;&#xD;
      
           THE SECURITY CONSULTANCY EXPANDS INTO EASTERN EUROPE
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/h1&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div&gt;&#xD;
  &lt;img src="https://irp.cdn-website.com/99f44a4c/import/clib/thesecurityconsultancy_net/dms3rep/multi/Dragan-2-scaled-2560x2377.jpg" alt="" title=""/&gt;&#xD;
&lt;/div&gt;&#xD;
&lt;div data-rss-type="text"&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Managing Director, Phillip Davies, announced this week the arrival of the firm's newest Consulting Partner. Davies said "We are excited that Dragan has joined us. Dragan brings the firm presence and depth in Eastern Europe. He is a real asset to our growing team."
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Dragan Loncarski joins this week as The Security Consultancy Practice lead for Eastern Europe and the Adriatic.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Dragan is a Certified Information Systems Security Professional (CISSP) and an established IT professional with experience leading transformation across both public and private sectors. This partnership brings significant Information Technology know-how, with Dragan's experience both as a Network and Security Architect. He has led many businesses through technical compliance with a wealth of standards including the Payment Card Industry Data Security Standard (PCI DSS).
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Dragan, who has worked extensively across the region, said:
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           "I am pleased to join The Security Consultancy and have already worked on several projects with team members. I look forward to building on our success".
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Dragan and Phillip led an engagement recently supporting a European business with a global footprint. The team worked with the client, reviewing the security architecture and mapping the international data flows, developing a high level architecture map to present to external auditors.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           The team presented clear advice on data classification, developing a policy and plan for the client before supporting the implementation of data labelling and segregation.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;span&gt;&#xD;
      
           Having gained a deep understanding of the business, the data types and flows, the team designed and developed an incident response plan to ensure the business was ready in the event of cyber attacks, including potential data breaches. The team worked with the business ensuring a team to manage incidents was identified, trained and supported.
          &#xD;
    &lt;/span&gt;&#xD;
  &lt;/p&gt;&#xD;
  &lt;p&gt;&#xD;
    &lt;br/&gt;&#xD;
  &lt;/p&gt;&#xD;
&lt;/div&gt;</content:encoded>
      <enclosure url="https://irp.cdn-website.com/md/pexels/dms3rep/multi/pexels-photo-290595.jpeg" length="203927" type="image/jpeg" />
      <pubDate>Wed, 02 Feb 2022 22:44:46 GMT</pubDate>
      <author>studio@pistondesign.co.uk (Barry Parker)</author>
      <guid>https://www.thesecurityconsultancy.net/scdragan</guid>
      <g-custom:tags type="string" />
      <media:content medium="image" url="https://irp.cdn-website.com/99f44a4c/import/clib/thesecurityconsultancy_net/dms3rep/multi/Dragan-scaled-2560x2377.jpg">
        <media:description>thumbnail</media:description>
      </media:content>
      <media:content medium="image" url="https://irp.cdn-website.com/md/pexels/dms3rep/multi/pexels-photo-290595.jpeg">
        <media:description>main image</media:description>
      </media:content>
    </item>
  </channel>
</rss>
