Month: April 2017

The GDPR Impact on Business Practices is Considerable

The GDPR impact on business practices is considerable, as is the cost of GDP compliance. A recent survey conducted by PwC revealed that 77% of large companies are expecting GDPR compliance to cost in excess of $1 million. Due to the considerable GDPR impact on business practices, many companies are already rethinking whether or not to continue doing business in Europe.

Many large multinational companies are well aware of the GDPR impact on business practices and the amount of work GDPR compliance will involve. That is not the case for SMEs, many of which are only just realizing they must comply with GDPR.

GDPR does not just apply to social media sites and global retailers. All businesses, regardless of their size, will be required to comply with the General Data Protection Regulation if they collect or process the personal information of EU citizens.

The definition of personal information is broad and includes online identifiers such as IP addresses. Even online retailers that allow EU citizens to access their websites are required to comply with GDPR.

All businesses will be required to perform a risk analysis to identify potential vulnerabilities to the confidentiality and integrity of stored data. Many large companies already have a swathe of cybersecurity protections to keep sensitive data secure, but most smaller organizations will discover they must implement more robust cybersecurity protections in order to comply with GDPR.

Companies will need to review their policies on data collection. When GDPR comes into effect, companies will need to have a valid reason for collecting personal information. Any data collected must also be limited to the minimum necessary information to perform the purpose for which data are collected.

Doing business in Europe will require privacy protections to be enhanced, new data security measures to be implemented, data collection practices to be changed, and policies and procedures to be updated. Legal teams must then assess GDPR compliance.

The GDPR impact on business practices is likely to be considerable for many companies. The time taken to perform risk analyses, assess policies and procedures, find and implement security solutions and update privacy policies will be considerable. Leaving GDPR compliance to the last minute is likely to see the deadline missed. That could prove to be very costly or even catastrophic for many businesses. Failure to comply with GDPR regulations can result in a fine of €20 million or 4% of global revenue, whichever is the greater. Non-compliance simply isn’t an option.

Software Exploit Attacks Rose by 25% in 2016 with Businesses the Worst Affected

Kaspersky Lab has released new figures showing software exploit attacks increased by almost a quarter in 2016. In total, more than 702 million attempted software exploit attacks were performed; a rise of 24.54% year on year. Corporate users were the worst affected, registering 690,000 attacks in 2016; a rise of 28.35% year on year.

According to the report, 69.8% of software exploit attacks took advantage of flaws in web browsers, Microsoft Windows, Microsoft Office or the Android platform. Software exploit attacks involve malware leveraging flaws in software to run malicious code or install other malware. Last year, the most common exploit took advantage of the Stuxnet vulnerability on unpatched systems.

Software exploits are difficult to identify because they occur silently without alerting the user. Unlike email-based attacks, software exploits require no user interaction. A user must only be convinced to visit a website hosting an exploit kit. A hyperlink can be sent via email or users can be redirected to malicious sites using malvertising. Attacks can occur through general web browsing. Hackers often take advantage of flaws to hijack websites and install exploit kits.

While attacks on companies have increased, attacks on private users fell by around 20% to 4.3 million attacks. This has been attributed to two major exploit kits – Neutrino and Angler – being shut down. Without those exploit kits, criminal groups have lost the ability to spread malware and have had to resort to different tactic to spread malware, with spam email the delivery mechanism of choice.

Exploit kits are expensive to develop and require considerable work, and since software developers are reacting faster and patching vulnerabilities, exploit kits are no longer as profitable for cybercriminals. However, exploits are still being used by sophisticated criminal gangs in targeted attacks aimed at stealing highly sensitive data.

This year has seen an increase in exploit activity using the Rig exploit kit, while last month Checkpoint noted a major rise in software exploit attacks.

Exploit kits may not pose as big a threat as in late 2015, but they are still a significant threat for businesses. Organizations can improve their defenses against software exploits by installing patches promptly and ensuring anti-virus and anti-malware solutions are kept up to date. A web filtering solution should also form part of organizations’ defenses. Web filters prevent end users from visiting, or being redirected to, websites known to host exploit kits.

GDPR Compliance: Is your Organization Prepared?

On May 25, 2018, the General Data Protection Regulation (GDPR) comes into force and GDPR compliance will be mandatory. Now is the time to get prepared. GDPR compliance is likely to require considerable effort and resources. If your organization is not prepared, you may miss the GDPR compliance deadline.

GDPR is a new regulation that will apply to all organizations based in EU member states, as well as those based in non-member states that capture, hold or process the data of EU citizens. GDPR is a replacement of the 1995 EU Data Protection Directive and will address web-based technology that was not widely available in 1995. Use of the cloud for instance.

The new regulation will help to ensure the personal data of EU citizens is protected and the risk of sensitive data being exposed is minimized. The new regulation will also allow EU citizens to have much greater control over the personal data that is collected and stored by organizations, and how those data are used.

How Will GDPR Protect Consumers?

One of the main elements of GDPR is improving the rights of EU citizens with regards to the personal data that is collected, stored and used by organizations. GDPR requires organizations to obtain informed consent from consumers prior to collecting and using their data.  Consumers must be told the reason why data are being collected, how data will be used, and consumers must be told that they can withdraw their consent at any time. A mechanism must be put in place that will allow an organization to delete data when it is no longer required or when consent is withdrawn.

GDPR gives consumers the right to:

  • Find out how their data will be used
  • Discover how data were obtained if informed consent was not provided
  • Access personal data
  • Find out how long data will be stored
  • Correct errors in stored data
  • Move data to a different processor
  • Restrict or prohibit the processing of data
  • Find out with whom data have been or will be shared
  • Have data permanently erased
  • Avoid being evaluated on the basis of automated processing

Organizations must also limit the data collected to the minimum necessary amount for the purpose that has been described to consumers to be performed.

While organizations that have an online presence and actively collect data will have to comply with GDPR – Amazon for example – GDPR will apply to a much broader range of companies. In fact, many companies that do not have an online presence will need to comply with GDPR. GDPR will apply to any company that collects the types of data covered by the GDPR definition of personal information. That includes organizations that store ‘personal data’ of employees in an electronic database.

What Data are Covered by GDPR?

Under GDPR, personal information includes an individual’s name and a host of other identifiers, including online identifiers such as location data, IP addresses, cookies and other “pseudonymous data”. Information such as race and ethnic origin, religious or philosophical beliefs, political opinions, sexual orientation, details of sex life, criminal convictions, trade union membership, health data, biometric data, and genetic data are all covered.

Data Security Standards Necessary for GDPR Compliance

GDPR also covers the protections that must be put in place by organizations to ensure the confidentiality, integrity, and availability of data. That includes stored data and all data that flows through systems or applications.

GDPR compliance requires organizations to conduct a risk/gap analysis to assess potential vulnerabilities in their current systems and processes.

Companies must “implement appropriate technical and organizational measures” to ensure the confidentiality, integrity and availability of data. Those measures should “ensure a level of security appropriate to the risk.”

Companies must adopt a privacy and security-by-design approach, and ensure that controls are implemented during the planning stages, development, implementation, and use of applications and systems. Regular testing and security assessments must also be performed.

Systems must also be implemented that allow data to be recovered and restored in the event of a security incident or technical problem being experienced.

Data Breach Notification Requirements of GDPR

Any organization that experiences a breach of data covered by GDPR must inform their Data Protection Authorities (DPAs) within 72 hours of the breach being discovered. Individuals impacted by a data breach must also be notified, if such a breach has potential to result in identity theft or fraud, discrimination, financial loss, reputation damage, or other significant economic or social disadvantage. Notifications will not be required if stored data are encrypted or are otherwise undecipherable and unusable.

Preparing for GDPR

Many organizations currently lack the necessary systems to ensure GDPR compliance. For instance, many do not have systems that allow them to easily identify consumer data, retrieve it, and delete it as necessary.

Privacy policies will need to be drafted and published to incorporate the new regulation and ensure GDPR compliance. Forms explaining consent to use data will need to be developed and published. Staff will need to be trained on the new rights of individuals. Policies must also be developed – or updated – covering data breach notifications in case personal information is exposed, accessed, or stolen. Additional security solutions will need to be implemented. GDPR compliance will involve considerable cost and resources and ensuring GDPR compliance will take time.

Organizations must therefore start preparing for the introduction of the new regulation. It may be a year before GDPR compliance is necessary, but given the necessary changes, organizations should start planning now. From May next year, GDPR compliance will be mandatory and there will be severe penalties for non-compliance.

What are The Penalties for Non-Compliance with GDPR?

Any organization that fails to comply with GDPR can be fined by their DPAs. DPAs will be given more powers to investigate data breaches and non-compliance. The potential fines for non-compliance with GDPR are considerable.

If an organization does not comply with the GDPR security standards, a fine of up to €10 million can be issued or 2% of global annual turnover, whichever is the greater. The failure to comply with GDPR privacy standards can attract a fine of up to €20 million or 4% of global annual turnover, whichever is the greater.

Fines will be dictated by the extent of the violation or data breach, the number of individuals impacted, and the extent to which the organization has implemented controls and standards to ensure GDPR compliance.

Individuals also have the right to seek compensation if their personal information is misused or stolen, if they have suffered harm as a result. Criminal sanctions may also be applied, such as if data is collected without consent.

Organizations are likely to suffer reputational damage in the event of a data breach, as the EU will be naming and shaming organizations that fail to implement appropriate measures to protect data and prevent data breaches. Details of organizations that have not complied with GDPR will be published and made available to the public.

How Can TitanHQ Help with GDPR Compliance?

TitanHQ offers a range of data security solutions that offer real-time protection against viruses, malware, ransomware and spyware to help organizations effectively manage risk, prevent data breaches, and ensure GDPR compliance.

TitanHQ offers award-winning security solutions to prevent web-based and email-based cyberattacks, in addition to helping organizations protect themselves from insider breaches.

SpamTitan is an advanced email security solution that protects organizations from email-based attacks such as phishing, blocking the most common method of malware and ransomware delivery. SpamTitan detects and blocks 99.97% of spam email, with a range of deployment options to suit the needs of all businesses.

WebTitan offers industry-leading protection against a wide range of web-based threats such as exploit kits, malvertising, phishing websites and drive-by malware downloads.  The solution allows data protection officers to limit the types of websites that can be accessed by employees to minimize risk.

ArcTitan is an easy to use email archiving system that copies all inbound and outbound messages and stores them in an encrypted email archive, preventing loss of data and ensuring emails can be recovered and audited. The solution satisfies GDPR compliance requirements for identifying, retrieving, and deleting individuals’ personal data, when its purpose has been served or consent is withdrawn.

For more information on TitanHQ’s cybersecurity solutions and how they can help with GDPR compliance, contact the TitanHQ team today.

Chipotle Mexican Grill Security Breach: Customers’ Credit Card Numbers Potentially Stolen

A recent Chipotle Mexican Grill security breach has potentially resulted in customers’ credit card details being accessed by unauthorized individuals.

A statement released by the fast casual restaurant chain confirms that unauthorized individuals gained access to its network hosting its payment processing system. The initial findings of its investigation suggest access was first gained on March 24, 2017. Customers who visited its restaurants between March 24 and April 18, have potentially been affected. The investigation into the Chipotle Mexican Grill security breach is continuing to determine how many of the chain’s 2,000+ restaurants have been affected.

Few details about the Chipotle Mexican Grill security breach have been released as the investigation is ongoing, although the threat is now believed to have been blocked.

Chipotle Mexican Grill called in external cybersecurity experts to investigate a potential breach after unusual activity was detected on the network hosting its payment processing system. Law enforcement was alerted, as was its payment processor. Additional security protections have already been installed to bolster cybersecurity defenses in response to the suspected attack. Efforts are continuing to confirm the exact dates of the attack and the restaurants that have been affected.

The Chipotle Mexican Grill security breach is one of many incidents reported by restaurant chains this year. Restaurants are being targeted by cybercriminals due to the high number of credit cards that are processed. If attackers can gain access to restaurant payment processing systems, many thousands of credit card numbers can be stolen.

There are many methods used by cybercriminals to gain a foothold in a network and gain access to payment processing systems.

Typically attacks occur as a result of an employee opening an infected email attachment or visiting a hyperlink in an email that allows malware to be downloaded. Phishing emails are also sent, which aim to get employees to reveal their login credentials. Restaurants can improve their resilience against email-borne attacks by implementing an advanced spam filtering solution.

Web-borne attacks are also common. A recent report from Symantec shows web-based attacks have increased in the past year.

If an employee can be convinced to visit a malicious website, or is directed to such a site via a malvertising campaign, malware can be silently downloaded. Exploit kits on malicious websites probe for vulnerabilities in browsers and exploit those vulnerabilities to download malware.

Web-borne attacks can be prevented by ensuring that patches are applied promptly and all vulnerabilities are plugged. However, the number of patches now being released makes it difficult for restaurants to keep up. New zero day vulnerabilities are also constantly being discovered and added to exploit kits.

Many restaurants are improving their defenses against web-based attacks by implementing a web filtering solution. A web filter can be used to carefully control the websites that can be accessed on restaurant computers.

Web filters block all known malicious websites using black lists. As soon as a website is discovered to be hosting an exploit kit, malware, or used for phishing, it is added to blacklists and the site is blocked by the web filter.

A web filter is also an excellent phishing defense. If an employee clicks on a phishing hyperlink in an email, the web filter can block the URL and prevent the user from visiting the site.

There are other important advantages to implementing a web filtering solution for restaurants. The solution can be used to carefully control the websites that customers can access. Restaurants can therefore ensure that customers do not access malicious sites or inappropriate website content such as pornography. Consumers are increasingly seeking restaurants that offer free Wi-Fi, but also those that implement controls to secure their Wi-Fi networks.

If you would like to improve your resilience against cyberattacks and offer your customers secure and safe Internet access, contact the TitanHQ team today and find out more about your options.

New Locky Ransomware Attacks Use Techniques Similar to Dridex Malware Campaigns

Locky is back. The latest Locky ransomware attacks leverage an infection technique used in Dridex malware campaigns.

It has been all quiet on the western front, with Locky ransomware attacks dropping off to a tiny fraction of the number seen in 2016. In the first quarter of 2017, Locky ransomware campaigns all but stopped, with Cerber becoming the biggest ransomware threat.

That could be about to change. Locky has returned, its delivery mechanism has changed, and the crypto ransomware is now even harder to detect.

The latest campaign was detected by Cisco Talos and PhishMe. The Talos team identified a campaign involving around 35,000 spam emails spread over just a few hours. The researchers suggest the emails are being delivered using the Necurs botnet, which has until recently been used to send out stock-related email spam.

New Infection Method Used in Latest Locky Ransomware Attacks

The latest Locky campaign uses a different method of infection. Previous Locky campaigns have used malicious Word macros attached to spam emails. If the email attachment is opened, end users are requested to enable macros to view the content of the document. Enabling macros will allow a script to run that downloads the payload. For the latest campaign, spam emails are used to deliver PDF files.

The change in infection method can be easily explained. Over the past few months, Word macros have been extensively used to infect end users with ransomware. Awareness of the danger of Word macros has been widely reported and companies have been warning their staff about malicious Word documents containing macros.

If an end user is fooled into opening an email attachment that asks them to enable macros, they are now more likely to close the document and raise the alarm. To increase the probability of the end user taking the desired action, the authors have made a change. Macros are still involved, but later in the infection process.

The emails contain little in the way of text, but inform the recipient that the PDF file contains a scanned image or document, a purchase order, or a receipt. PDF files are more trusted and are more likely to be opened. Opening the PDF file will see the user prompted to allow the PDF reader to download an additional file. The second file is a Word document containing a macro that the end user will be prompted to enable.

The rest of the infection process proceeds in a similar fashion to previous Locky ransomware attacks. Enabling the macros will see a Dridex payload downloaded which will then download Locky. Locky will proceed to encrypt a similarly wide range of file types on the infected computer, connected storage devices and mapped network drives.

The ransom payment demanded is 1 Bitcoin – currently around $1,200. This is considerably more that the ransom payments demanded when Locky first arrived on the scene just over a year ago.

One slight change for this campaign is the user is required to install the Tor browser in order to visit the payment site. This change is believed to be due to Tor proxy services being blocked.

Adding the extra step in the infection process is expected to result in more infections. Many users who would not open a Word attachment may be fooled into opening the PDF.

Businesses should raise the alarm and send out warning emails to staff alerting them to the new campaign and advising them to be wary of PDF files in emails.