Signals Quarterly security assessment - Q3 2017 - CommBank

Yuval Illuz
Chief Information Security and Trust Officer, Commonwealth Bank

Signals Quarterly security assessment, Q3 2017

I’m proud to present to our valued clients and partners our ninth edition of Signals.

Signals aims to empower business executives with unique insights into the cyber threat environment and advice on the strategies and controls necessary to ensure a robust defence.

This advisory is an example of our ongoing program of work to raise the bar for cyber security among our clients and the broader digital economy.

In this issue, we outline a range of new threats to feed into your threat models – and also discuss how to feed knowledge of these threats into a model that helps to quantify cyber security risk.

We hope and anticipate our analysis will provide context and confidence for your security strategy.
Contents

3  Editorial: Answering the $x million dollar question

4  Trends And Observations: Key trends observed during the quarter
   • Major cybercrime forums taken down
   • Cybercriminals use renewal notice themes for bait
   • Poor configuration makes for leaky clouds
   • Software supply chains targeted
   • Breaches stem from flaws in web frameworks
   • Expired domains and browser plug-ins hijacked

Deep Dives

6  Secure your cloud email: One in four fraud losses over the past six months involved compromise of a cloud-hosted email account. Don’t let it happen to you.

9  A beginner’s guide to quantifying cyber risk: How do you measure cyber security risk, and what role should directors and executives play in the process?

12 Regulatory And Legal: New laws and legal precedents relevant to security strategy:
   • China, Russia ban anonymity services
   • U.S. Government blocks Kaspersky
   • Legalistic responses to data breaches fall flat

13 Better Practice: The latest advice your technology team should consider when setting security policies

14 Phish Eyes: Phishing lures for your security awareness teams to study

16 Endnotes

Horizon Scan: Upcoming events of interest

10-12 Oct 2017, Sydney: AISA National Conference. The Australian Information Security Association hosts its annual conference for members.

14 Nov 2017 (Sydney), 15 Nov 2017 (Sydney) and 1 Dec 2017 (Brisbane): Malware and Fraud Awareness Workshops. Representatives from Commonwealth Bank and the Australian Federal Police will present a security awareness session for finance executives on the link between malware infection and payment fraud. Email cyber-outreach@cba.com.au if you wish to attend (CBA clients only).

15-17 Nov 2017, Canberra: Honeynet Project Workshop 2017. Learn the art of deception at the Honeynet Project Workshop.
This report contains general advice for educational purposes only. Please consult your cyber security team and legal counsel for advice specific to your organisation.
Editorial Panel

Contributors
Brett Winterford, Senior Manager, Cyber Outreach
Fred Thiele, Executive Manager, Cyber Security Portfolio
Tim Peel, Cyber Intelligence Researcher
Jessica Woodall, Manager, Cyber Outreach

Reviewers
Yuval Illuz, Chief Information Security and Trust Officer
Arjun Ramachandran, Executive Manager, Cyber Outreach
Young Jeong, Senior Incident Responder
Kevin Cleary, Cyber Intelligence Researcher

Thanks To
Kai Ta, Cyber Security Services Manager
Boris Dvojakovski, Cybercrime Researcher

Welcome: The $X million dollar question
Brett Winterford, Senior Manager, Cyber Outreach and Research

A recent ASX and ASIC study found that 40% of ASX100 companies consider cyber security their number one area of risk in 2017, and 80% expect the level of risk to rise over time. [1]

We’ve seen a deluge of interest from the boards and executives of our clients over the past two years who have asked us to help them understand how we measure and mitigate risks to cyber security.

We usually begin these conversations by framing cyber security as an ecosystem issue that impacts the whole economy, and provide a foundation for them to help understand the threat landscape and how we are choosing to respond. That tends to drive the conversation to one key question: What risks does my organisation face, and what level of investment is appropriate to manage it?

I typically warn people to avoid holding up what other organisations are spending on cyber security as a yardstick. Your peers may offer similar services, be of similar size and be subject to the same regulatory constraints, but decades of technology choices – not to mention the maturity or capability you’ve already developed – necessitate fundamentally different approaches.

In this issue of Signals, we provide a primer to conceptualising and measuring cyber security risk. It’s designed to help those of you starting your security journey from scratch. I look forward to sharing more observations with you on this subject in the next issue.

Estimative language

Observations made in Signals are made using the confidence matrix and estimative language used by the US CIA. Our choice of words is very deliberate and based on both data and observations we source from our own telemetry and a measured degree of confidence in external sources.

Certainty: 100%
Almost Certain: 93% (give or take 6%)
Probable: 75% (give or take 12%)
Even: 50% (give or take 10%)
Unlikely or “improbable”: 30% (give or take 10%)
Impossible: 0%

Confidence in our assessments

High Confidence – based on high quality information from which it is possible to derive a solid judgment.
Moderate Confidence – based on information from trusted or reliable sources, without the necessary data or corroboration to warrant a higher level of confidence.
Low Confidence – the information is poorly corroborated, but is otherwise logical and consistent with a source’s motivations.
Cyber Security: Trends and Observations
Key trends observed during the quarter

Major cybercrime forums taken down

A globally coordinated law enforcement effort has dismantled two of the world’s largest dark web markets, Alphabay [viii] and Hansa [ix]. Criminals used these online, anonymous bazaars to advertise and sell illegal goods and services such as drugs and weapons alongside user credentials and credit cards stolen in cybercrime campaigns. While the “takedowns” resulted in arrests of site administrators and some vendors, buyers and sellers appear to have migrated their business to alternative markets, where in many cases, they already had a strong reputation.

CHECKLIST
• Disrupting dark web activity requires meticulous, time-consuming and expensive law enforcement investigations. We assert with high confidence that irrespective of the resounding success of this operation, there will continue to be sufficient incentive for other markets to take their place – as occurred after the widely heralded Silk Road takedown in 2013.
• Dark web markets are a good source of intelligence for cyber security teams to monitor where the wares stolen in credential phishing campaigns or other hacking campaigns are traded.
• It is probable that some cybercriminal groups will revert to forums with higher

Cybercriminals use renewal notice themes for bait

The CBA Cyber Security Centre has observed an increasing number of phishing campaigns that warn users that a service they (might) subscribe to requires renewal or some other form of action to avoid being deactivated. This technique – which relies on appealing to the user’s sense of urgency – is used in a wide range of phishing lures. Over the last few quarters, we have seen lures that threaten revocation of everything from drivers’ licenses to popular cloud services, bank accounts and subscription television services.

CHECKLIST
• Teach your staff the various ‘triggers’ used by cybercriminals to tempt a user to open an attachment or click on a hyperlink.
• Phishing campaigns often rely on an urgent

By the Numbers

96% of China’s 750m internet users connect on smartphones. [ii]
US$300 million: Estimated losses for Maersk (shipping) from [Not]Petya infection. [iii]
US$300 million: Estimated losses for TNT Express from [Not]Petya infection.
21,000 customer records were stolen from UK telco TalkTalk via its outsourcer, Wipro.

Poor configuration makes for leaky clouds

Pushing workloads into public clouds has provided development teams with far greater agility. From a security perspective, public clouds also allow for non-security professionals to tap into security features they might not have otherwise used. But conversely, public cloud dramatically increases an organisation’s attack surface, leaving less room for error. Security researchers and malicious actors routinely find vulnerable assets using simple scans that target configuration errors. In the last quarter alone, a large number of organisations were found to have failed to secure storage volumes (S3 buckets) hosted in Amazon Web Services, including Dow Jones [xii], Groupize [xiii], Time Warner [xiv], Verizon [xv], Viacom [xvi] and an organisation that leaked the details of 9,000 US military

CHECKLIST
• While using public cloud frees developers and third party application service providers from infrastructure constraints, this mode of deployment often bypasses mature internal IT controls that ordinarily would check for configuration errors. Security teams should work with these teams to develop repeatable architecture patterns for deploying systems to the cloud securely. AWS offers reference material for producing architecture patterns [xviii].
• Educate developers and partners on the distinction between configuration settings that allow authenticated users of your service to access a data store, versus those that allow all authenticated users of Amazon Web Services (over a million users) to access it. AWS infrastructure can be readily monitored and free tools are available to check services are configured correctly [xix].
• Consider broadening the scope of your assurance practices. Many organisations now complement tightly-scoped penetration testing with objective-based testing by “red teams”, who are empowered

                                                                                                                                                                                                                                   £100,000
                                     barrier to entry. While this slows the                       call-to-action. Consider working with your                                               to proactively search for data left
                                     pace of campaigns in the short-term,                         marketing teams to help them avoid sending                    veterans . xvii
                                                                                                                                                                                           unsecured online, including by
                                     it creates fresh challenges for law                          communications to your customers that                                                       third parties. Australian Daniel
                                     enforcement and intelligence analysts                        appeal to the same triggers, to ensure                                                      Grzelak has developed free toolsxx   fine was levied on TalkTalk by
                                     when attempting to monitor illegal                           customers can discern between legitimate                                                    for taking a red team approach to    UK regulators.iv
                                     activity.                                                    and illegitimate communications.                                                            services hosted on AWS.

This report contains general advice for educational purposes only. Please consult your cyber security team and legal counsel for advice specific to your organisation.
Cyber Security: Trends and Observations

Software supply chains targeted for mass compromise

Aggressive, well-resourced cyber-attacks continue to target private organisations in contested territories, raising further concern that some nation-state aligned actors view industry as a legitimate target during periods of increased geopolitical instability. The [Not]Petya network worm was initially propagated [xxi] by the compromise of a server [xxii] that distributes software updates to customers of Ukrainian accounting software vendor M.E.Docs. The compromised update resulted in immediate disruption to over 2000 Ukrainian firms and multinationals that do business in the region and ultimately led to billions of dollars’ worth of damage to the global economy. In August 2017, a similar backdoor was detected in a software update distributed by NetSarang, a South Korean provider of remote administration software used [xxiii] at large firms around the globe [xxiv].

CHECKLIST

• Establish a governance program to identify and manage risks posed by your software supply chain. Commonwealth Bank’s Cyber Outreach team is hosting further workshops on this topic in early 2018 – talk to your relationship manager to participate.

• Where practical, evaluate the impact of software updates on test systems, prior to a broader rollout across production systems.

• The US National Institute of Standards and Technology has updated its overarching framework [xxv] to include more advice on managing third party cyber security risk.

• Strive to work with well-resourced suppliers that have demonstrated an ability to respond to cyber security incidents.

Breaches stem from flaws in web frameworks

Most modern web and mobile applications inherit their key features from web application frameworks and the software libraries and protocols they include. They are the scaffolding that enables rapid development and deployment of apps – they are typically freely available, broadly deployed and maintained by a community of users and enthusiasts. They are also a juicy target for attackers looking to achieve scale. Security vulnerabilities found in the Apache Struts framework and numerous JavaScript frameworks [xxvi] have demonstrated broad-scale impacts on hundreds of organisations at a time. As a case in point, attackers stole 143 million sensitive customer records from US credit monitor Equifax after it failed to patch a vulnerability in Apache Struts in a timely manner [xxvii]. The breach forced the early retirement of the company’s CIO, CSO and CEO [xxviii].

CHECKLIST

• Monitor closely for disclosure of vulnerabilities in the web application frameworks used by your organisation. Patch or update expediently.

• Your application security program should ideally be testing and endorsing software libraries, protocols and other components of web application frameworks to provide developers greater confidence over which versions to use.

• Smaller firms might assess a web application framework on how quickly and effectively the community has historically responded to vulnerability disclosures with patches.

Expired domains and browser plug-ins hijacked to host malware

Attackers continue to find creative places to host malware that circumvent detective security controls. In recent months, security researchers have discovered malware hosted on legitimate domains that organisations have neglected to renew, or have observed attackers hijacking abandoned or unsupported web browser extensions, CMS plugins and themes. More audacious attackers have compromised the developers of popular browser extensions in campaigns that impact millions of users, albeit for a shorter time. These domains and extensions are more likely to be trusted (and less likely to be blacklisted) by automated security tools, providing attackers a ready-made number of victims to infect and a longer window of time to do so.

CHECKLIST

• Organisations with low thresholds for risk must decide whether certain types of sites or applications are adequately resourced from a security perspective to remain resilient. Some organisations, for example, choose to block sites built using the WordPress CMS by default - owing to a litany of unsupported plug-ins used in these sites – and only whitelist them on request. Check your logs: what impact would such a decision have on legitimate access of sites using these technologies?

• Equally, software development teams must think carefully about how to manage third party resources that load onto their web sites. What risks might your organisation face if these third party services were compromised? Do the providers of these resources have adequate security capability, or are they at least popular enough that developers have incentive to continue to support and update them?

By the Numbers

$417 million: online (card not present) credit card fraud in Australia (2016) [v].

83% of spam is sent during working hours [vi].

US$7 – price-tag on a new family of credential stealing malware [vii].

71 new ransomware families were released in the first half of 2017 [viii]. Locky was the most common family targeting Australians in September 2017.
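The checklist item on third party resources can be turned into a routine check: inventory every script and stylesheet a page pulls from another host, and see which of them would run unchanged if that host (or a lapsed domain it once used) were compromised. The following is an added example and not code from the CommBank report; it applies Subresource Integrity (SRI), a browser control the report does not name, to a constructed sample page, and the host names in it are placeholders.

```python
"""Inventory third-party scripts and stylesheets a page loads, and flag
those without Subresource Integrity (SRI) protection.

Added example, not from the CommBank report. SRI is not named in the
report; it is the standard browser control for the risk the checklist
describes: a third-party host (or an expired domain it once used) being
compromised and serving altered code. The sample HTML below is constructed.
"""
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed page: one first-party script, three third-party resources,
# only one of which carries an integrity attribute.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example-framework.test/css/app.css">
<script src="/static/site.js"></script>
<script src="https://cdn.example-framework.test/js/app.js"
        integrity="sha384-placeholder" crossorigin="anonymous"></script>
<script src="https://analytics.example-vendor.test/track.js"></script>
</head><body></body></html>
"""


class _ResourceCollector(HTMLParser):
    """Collect <script src> and <link rel=stylesheet href> elements."""

    def __init__(self):
        super().__init__()
        self.found = []  # (tag, url, has_integrity)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # boolean attributes map to None
        if tag == "script" and a.get("src"):
            self.found.append(("script", a["src"], "integrity" in a))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.found.append(("link", a["href"], "integrity" in a))


def third_party_resources(html, own_host):
    """Return third-party (tag, url, has_integrity) tuples, in page order."""
    collector = _ResourceCollector()
    collector.feed(html)
    out = []
    for tag, url, has_sri in collector.found:
        host = urlparse(url).netloc
        if host and host != own_host:  # relative URLs are first-party
            out.append((tag, url, has_sri))
    return out


def unprotected_hosts(html, own_host):
    """Distinct third-party hosts serving at least one resource without SRI."""
    return sorted({urlparse(u).netloc
                   for _, u, sri in third_party_resources(html, own_host)
                   if not sri})


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Compute the integrity attribute value for a known-good copy of a resource.

    The browser recomputes this digest over whatever the third party actually
    serves, so a later substitution of the file is refused rather than executed.
    """
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode()}"


if __name__ == "__main__":
    for tag, url, sri in third_party_resources(SAMPLE_HTML, "www.example.test"):
        print(f"{tag:6} {'SRI' if sri else 'no SRI':6} {url}")
    print("hosts needing attention:", unprotected_hosts(SAMPLE_HTML, "www.example.test"))
    print("example integrity value:", sri_hash(b"console.log('hello');"))
```

Pinning a resource with SRI also means an upstream update will be refused until you re-vet it and publish the new digest, which is the point: the change has to pass through your own review rather than arrive silently.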

Deep Dive: Secure your cloud email
Brett Winterford, Senior Manager, Cyber Outreach and Research

Social engineering – coupled with access to your inbox – presents attackers with many paths to profit.

To a profit-motivated cybercriminal, access to your email inbox can be as valuable as your bank account. That sounds counterintuitive – until you compare the difficulties an attacker faces in trying to personally extract money directly from your bank account, versus convincing you or the people that you interact with to make a payment for them.

Over the last nine months, there has been a steady rise in the number of Australian businesses that have made payments to attackers after a compromise of their email account, or that of an entity they do business with.

Access to a victim’s inbox isn’t the only way an attacker can trick victims into making payments, as discussed in previous guidance on ‘whaling’ [xxxi] and other forms of Email Payment Fraud [xxxii]. Organisations continue to be duped into making payments in response to emails that impersonate a party to the transaction, either via spoofing of a legitimate domain, or registration of similar domains and webmail addresses. Education has slowed the growth of these campaigns, but they are still responsible for a large volume of fraud.

As organisations move their email into cloud-hosted systems for the first time, many neglect to configure appropriate security controls. Cybercriminals have seized on this new opportunity - and the range and sophistication of scams that involve unauthorised access to email accounts has risen dramatically.

Leading indicators

One in four fraud losses tracked by CBA’s cybercrime team over the past six months involved the compromise of a cloud-based email account. The majority were Microsoft Office 365 cloud accounts, or consumer-grade Microsoft email accounts (Hotmail etc.) used by tradesmen and other small businesses. This reflects Microsoft’s dominance in the enterprise market. Well over 100 million active users of Office 365 log in each month, and most of these users work for businesses in the developed world. A further 30 million log in to Microsoft’s consumer-grade email services each month – and a subset of these are small businesses that haven’t migrated to Office 365. Microsoft’s main competitor in cloud-based productivity, Google’s G-Suite, has struggled to attract 10% of the business market.

Microsoft is consequently an ideal brand for attackers to imitate. Over the last four weeks, no single brand was impersonated more often in credential phishing campaigns (fake web sites set up to steal user credentials) than Microsoft. On some of the abuse reporting channels we monitor, twice as many Office365 and Outlook Web Access phishing pages were stood up than those imitating Apple services (iCloud, iTunes etc.), and five times as many as phishing sites that mimic Google services.

Image 1: Generic Microsoft Office365 phishing page

Microsoft has reported a 300 percent increase in attacks on user accounts in the first quarter of 2017 compared to the corresponding quarter in 2016, while the number of account sign-ins attempted from malicious IP addresses increased by 44 percent over the same period.

The scam(s)

There are two primary ways for profit-motivated attackers to access cloud email accounts.

The first is “credential stuffing”, in which the attacker attempts to use credentials (usernames and passwords) stolen in attacks on other online service providers, under the expectation that people often re-use passwords for multiple services.

The second is by acquiring credentials stolen in phishing campaigns. Perpetrators of phishing campaigns create web sites that mimic the branding of legitimate log-in pages (see Image 1), and send spam runs that try to convince legitimate users of those services to enter their credentials. Credentials harvested in phishing runs are often sold to other criminals whose

By the Numbers

Top 3 events that lead to fraud losses:
1. ‘Spoofing’ an email address to request payment
2. Unauthorised access to an email inbox
3. Unauthorised access to accounting software or bank account

One in four losses involved the compromise of a cloud-based email account.

10:9
Scammers continue to imitate suppliers or other payment beneficiaries slightly more often than CFOs and Directors.

intent is to commit fraud. Numerous phishing web sites are set up to imitate Microsoft services – as well as banks and other popular online service providers – on a daily basis. They are typically blacklisted or forced offline within hours, but not before a number of users have given away their credentials.

The criminals that run Business Email Compromise scams typically use these stolen credentials to log in and search an inbox for evidence of invoices, purchase orders or other documents and messages that relate to processing of large value payments.

Who is attacking us?

Research by SecureWorks and Trend Micro notes that Business Email Compromise – in which attackers hack an email system as a precursor to tampering with payments – is a mature industry in West African countries like Nigeria, where employment prospects are otherwise slim. These criminal networks consist largely of graduates from

What payments are at risk?

Any payment arranged over email:
• Invoices between suppliers, especially among tradesmen, engineering and construction firms, manufacturing and distribution.
• Payments to staff (payroll).
• Beneficiaries of property sales (trust accounts) or payment of rent.
• Beneficiaries from the sale of expensive items (vehicles etc.)
• Beneficiaries from settlement of a will.
• Beneficiaries from tax refunds.

The attacker’s aim is (usually) to be the ‘man in the middle’ between buyers and sellers who establish the details of a transaction over email. Attackers will intercept and edit existing invoices to replace the bank account details listed for payment, or email customers from a compromised account advising of new account details for future payments. If the account they hack into belongs to a person with purchasing authority, they might simply demand a subordinate make a payment on their behalf.

Strategies for protecting your cloud email

The most critical defence against business email compromise is multi-factor authentication (MFA).

Multi-factor authentication challenges users to authenticate (prove their identity) in more than one channel before they can access a system. They usually must combine something they know (a username and secret password on a web interface, for example) via one channel, and confirm with something they have (such as a random set of characters sent to their mobile device, for example) in another.

Microsoft and Google both offer multi-factor authentication ‘out-of-the-box’ for business customers. Provisioning to users is straightforward, as is choosing what second factor is most appropriate and when users should be presented with a multi-factor challenge.

Instructions for setting up multi-factor authentication
• For Microsoft Office 365 administrators [xxxiv]
• For Google G-Suite administrators [xxxv]

The typical argument against MFA is that it inconveniences users. Both of the major
  simple social engineering scams. These actors                                                                                                                          cloud email service providers offer ways to reduce this friction. Google G-Suite
  have grown more patient, and are prepared to                                                                                                                           users can check a box to “remember verification for the computer”, which sets up
                                                                          The attackers have proven to be very patient. They
  invest in malware (such as remote access trojans)
  or in buying access to stolen user credentials from                     refer to these scams as the “long con” – and will                                              an authentication cookie between the user’s browser and their G-Suite account.
  phishing campaigns. While perpetrators are by                           monitor an inbox for some time while waiting for                                               The cookie expires (and an MFA challenge is presented to the user) every 30 days.
  no means limited to West Africa – indicators from                       a large payout opportunity. Often the attackers                                                Office 365 users can set up passwords for bypassing the second-factor on mobile
  many of the attacks we’ve seen (even those that                                                                                                                        devices, for example, but keep it in place for log-in over the web.
                                                                          set up mail forwarding rules to automatically send
  originate in Asia) are very similar to practices West
  African cybercriminal groups are renowned for.                          messages to the webmail accounts they log into
                                                                          more regularly.                                                                                A range of other suggested security controls are outlined on the following page.

This report contains general advice for educational purposes only. Please consult your cyber security team and legal counsel for advice specific to your organisation.
Deep Dive: Secure your cloud email

Multi-factor authentication limits attackers from accessing a service using only a stolen username and password.

More information
• Microsoft's security best practice for O365
• Google's security best practices for G-Suite
• Microsoft's guide to detection of an attack
• Microsoft's guide to triage of a compromised O365 account
• Google's guide to detection and triage of a compromised G-Suite account

Strategies for protecting your cloud email

1: Theft of Credentials

Method of attack: Attackers acquire user credentials stolen in phishing campaigns; or 'credential stuffing', where the attacker tries usernames and passwords stolen in other data breaches to log in to your email account.
Essential defence:
  1. Multi-factor authentication limits attackers from accessing a service using only a stolen username and password.
  2. Password wallets/managers help users create unique and complex passwords for every service they use.
  3. Enforce password policies that lock a user out for a period of time after a number of failed attempts. (Lockout alone does not stop 'password spraying', where an attacker tries one common password against many accounts, so treat it as a complement to MFA rather than a substitute.)
Advanced defence: Consider deploying physical security tokens for multi-factor authentication on high-risk workstations.

Method of attack: Attackers infect a user's device with malware to steal credentials.
Essential defence:
  1. Set web browsers to automatically update and keep operating systems patched.
  2. Ensure users operate as the least privileged user (not admin/root).
  3. Filter web traffic (via internet security software/antivirus).
  4. Implement security awareness programs.
Advanced defence: Talk to your relationship manager about whether NetLock is appropriate for your business.

2: Unauthorised access to email account

Method of attack: Attacker is able to log in using stolen credentials on an account that is not protected by multi-factor authentication; or, worse, using stolen credentials of an administrator's account that is not protected by multi-factor authentication.
Essential defence: Use the 'Conditional Access' rules offered by Microsoft Office 365 and Google G-Suite. While their approaches vary, these rules allow an administrator to set conditions of access according to whether the user is inside or outside the enterprise network, whether they are on managed or unmanaged devices, or according to a set of whitelisted IP addresses, for example. For any combination of these scenarios, rules can be set to accept, deny or force a multi-factor challenge for access to the inbox.
Advanced defence: Microsoft offers additional rules-based and machine learning algorithms to detect and block anomalous log-in behaviour as a premium (paid) service. Google builds a range of machine learning-based detection into its standard G-Suite offering. Limit the number of accounts that require 'global' or 'super user' administrative access. Microsoft offers a premium (paid) privileged access management solution.

3: Reconnaissance of the inbox

Method of attack: Attacker sets mail forwarding rules to send mail to their own account.
Essential defence: Consider conditional formatting mechanisms that distinguish (through colours or alerts) when email is being sent to or received from internal versus external domains. If users report any strange behaviour in their inbox, check whether any mail forwarding rules have been applied. While these can usually be seen in the user interface of Office 365, administrators should also check under the hood using PowerShell commands, since a rule can be hidden from the Outlook rules view.
Advanced defence: Microsoft offers additional rules-based and machine learning algorithms to detect and block anomalous mail forwarding behaviour as a premium (paid) service.

4: Fraudulent request for payment

Method of attack: Whaling attack (attacker impersonates staff with purchasing authority and requests a payment); or attacker impersonates a supplier (or other party to a transaction) and requests a change of beneficiary details or submits a new invoice.
Essential defence: Ensure your payments authorisation process "assumes compromise":
  1. Make use of multiple authorisers for payments and enforce strict separation of duties for payments.
  2. Require large payments or changes of beneficiary details to be verified via additional checks in multiple channels. No payment should be authorised on the basis of emails from a single account.
  3. Educate your treasury and accounts teams in how to recognise Email Payment Fraud.

5: Fraudulent payment is made

• Contact the CommBiz helpdesk and your relationship manager immediately.
• Report the matter to the Police.
• Use the following guides to triage of compromised accounts provided by Google [xxxvi] and Microsoft [xxxvii].
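The "under the hood" check that section 3 recommends, written out as an added example for this page (it is not taken from the Signals report or from Microsoft's documentation). It assumes an Exchange Online PowerShell session is already connected as an administrator, that the unified audit log is switched on, and that the domains in $InternalDomains are the organisation's own (an assumed value). The first three parts are read-only: they list inbox rules that forward mail outside the organisation or quietly delete and move messages, list mailbox-level forwarding, and pull the last 30 days of rule changes with the client IP that made them. The last part changes tenant configuration, creating two transport rules: one rejecting automatic forwards to external recipients and one prepending "[EXTERNAL]" to inbound external mail, which is the visual cue section 3 describes. The rule names are assumptions; test them in a pilot before applying tenant-wide.

```powershell
# Added example, not from the report. Assumes a connected Exchange Online
# PowerShell session with an administrative account.

# Assumed value: the organisation's own domains. Anything else is "external".
$InternalDomains = @('example.com.au', 'example.com')

function Test-ExternalRecipient {
    param([string]$Recipient)
    # Exchange Online renders rule recipients as "Name" [SMTP:user@domain] for
    # external addresses and "Name" [EX:/o=...] for directory objects.
    if     ($Recipient -match '\[SMTP:([^\]]+)\]')     { $addr = $Matches[1] }
    elseif ($Recipient -match '<([^>]+)>')             { $addr = $Matches[1] }
    elseif ($Recipient -match '^[^\s@]+@[^\s@]+$')     { $addr = $Recipient }
    else   { return $false }   # directory object: internal
    $domain = ($addr -split '@')[-1].ToLower()
    return ($InternalDomains -notcontains $domain)
}

# 1. Inbox rules that forward outside the organisation, or that delete/move
#    mail matching keywords (used to hide replies from the real account owner).
#    Inbox rules survive a password reset, so they must be found explicitly.
$suspectRules = foreach ($mbx in Get-Mailbox -ResultSize Unlimited) {
    foreach ($rule in Get-InboxRule -Mailbox $mbx.PrimarySmtpAddress) {
        $targets  = @($rule.ForwardTo) + @($rule.ForwardAsAttachmentTo) + @($rule.RedirectTo)
        $external = @($targets | Where-Object { $_ -and (Test-ExternalRecipient "$_") })
        $hides    = ($rule.DeleteMessage -or $rule.MoveToFolder) -and ($rule.SubjectContainsWords -or $rule.BodyContainsWords)
        if ($external.Count -eq 0 -and -not $hides) { continue }
        if ($external.Count -gt 0) { $reason = "forwards to $($external -join '; ')" }
        else                       { $reason = 'deletes or moves mail matching keywords' }
        [pscustomobject]@{
            Mailbox = $mbx.PrimarySmtpAddress
            Rule    = $rule.Name
            Enabled = $rule.Enabled
            Reason  = $reason
        }
    }
}
$suspectRules | Format-Table -AutoSize -Wrap

# 2. Mailbox-level forwarding (set by an admin, or by the attacker via the
#    compromised account's own settings).
Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.ForwardingSmtpAddress -or $_.ForwardingAddress } |
    Select-Object PrimarySmtpAddress, ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-Table -AutoSize

# 3. Who created or changed rules in the last 30 days, and from which IP.
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) `
    -Operations 'New-InboxRule', 'Set-InboxRule', 'Set-Mailbox' -ResultSize 5000 |
    ForEach-Object {
        $d = $_.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            When     = $_.CreationDate
            User     = $_.UserIds
            Action   = $_.Operations
            ClientIP = $d.ClientIP
            Params   = ($d.Parameters | ForEach-Object { "$($_.Name)=$($_.Value)" }) -join ' '
        }
    } | Format-Table -AutoSize -Wrap

# 4. Prevention. Rule names are assumptions.
#    Reject automatic forwards leaving the organisation...
New-TransportRule -Name 'Block automatic forwarding to external recipients' `
    -FromScope InOrganization -SentToScope NotInOrganization `
    -MessageTypeMatches AutoForward `
    -RejectMessageReasonText 'Automatic forwarding to external addresses is not permitted.'
#    (Alternative, tenant-wide: Set-RemoteDomain -Identity Default -AutoForwardEnabled $false)

#    ...and make external senders visible to staff, as section 3 suggests.
New-TransportRule -Name 'Tag mail from external senders' `
    -FromScope NotInOrganization -SentToScope InOrganization `
    -PrependSubject '[EXTERNAL] '
```

Run parts 1 to 3 on a schedule rather than only when a user reports something odd: a forwarding rule created at 03:00 from an unfamiliar IP is the earliest reliable sign of the "long con" described earlier, usually weeks before any fraudulent invoice appears.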

Deep Dive: A beginner's guide to quantifying cyber risk
Establishing the foundations of a cyber security program

Fred Thiele, Executive Manager, Cyber Portfolio, Commonwealth Bank

Historical records of disruptive events like floods or power outages provide the insurance industry with the data required to model the likelihood and impact of future events with such accuracy that they can base a business on it.

Threats to cyber security, by contrast, are relatively new phenomena. In our two decades connected to the internet, the threat landscape has been anything but predictable. As the volume of vulnerabilities in the technologies we use grows, the capability of threat actors evolves and high-profile security incidents mount, uncertainty abounds. The under-resourced CISO measures risk to cyber security with a wet finger in the air.

As boards of Australian organisations grow more engaged on cyber security, CISOs should anticipate demands for a more rigorous approach to quantifying risk.

While there is insufficient public data available to accurately predict low-probability, high-impact events, there are numerous frameworks, models and thought exercises that can help an organisation approximate cyber risk and, over time, refine it into something resembling a science. Directors, CEOs and CFOs can play an important role in the process.

Key concepts
Before we begin, it's best to agree on some high-level concepts. Risk is a measure of potential loss if an event were to occur. 'Cyber risks' are a subset of organisational risks that are caused by a cyber security threat. A cyber security threat is an event with the potential to cause harm to an organisation's information assets by circumventing confidentiality (via unauthorised access and/or disclosure), integrity (via modification of data) or availability (via destruction or denial-of-service).

In cyber security, we usually talk of vulnerability to describe specific weaknesses in systems. But when quantifying risk, we are referring more generally to an organisation's 'susceptibility to a threat'.

Security controls are countermeasures to a threat that attempt to prevent, detect or recover from a cyber security event. When we remediate an identified risk, we're reducing it to near zero, while when we mitigate a risk we're accepting that there will be a residual risk and that the best we can do is to monitor and respond to events to minimise their impact.

How do we get started?
First, you need to understand the threat. Why would various actors – whether malicious or otherwise, inside or outside your network – seek to gain unauthorised access to your data or disrupt your systems? You'll need to get a measure of the threat landscape to understand what threats have targeted or are likely to target your organisation. Signals is a good place to start!

Next, the board and executive need to define and endorse an acceptable level of risk. Most organisations use a risk matrix, with likelihood of an event on one axis (expressed as a probability or %) and impact on the other (expressed on a scale from inconsequential or negligible up to severe or critical).

Determining an acceptable level of risk is often best arrived at by talking about what's unacceptable. For how long would the organisation accept an inability to serve customers online? How much money would the organisation be prepared to lose each year to fraud events? Think about risks to customers, to staff, to brand or reputation. Answering these questions helps to define your 'risk appetite statement' – an expression of where in that matrix you would feel comfortable to sit, knowing that not all risks can be remediated.

A generic risk matrix

  LIKELIHOOD
    5 |  L   M   M   H   S
    4 |  L   L   M   H   S
    3 |  N   L   M   H   S
    2 |  N   L   M   H   S
    1 |  N   N   L   M   H
      +---------------------
         1   2   3   4   5   IMPACT

  N = Negligible, L = Low, M = Medium, H = High, S = Severe

Once you quantify your risks, you'll be able to visualise where you are now and where you need to get to.

An invaluable prerequisite to the exercise is a living register of the organisation's IT and data assets. This might be a hard ask in large and complex organisations, but it's important to at least get a handle on what the 'crown jewels' are. Organisations that do this best tend to have benefited from strong executive support to get everyone on board with how critical this register is.

Deep Dive: A beginner's guide to quantifying cyber risk

Cyber security professionals can rattle off an inexhaustible number of ways an organisation can be attacked, but risk analysis requires structure.

With these in hand, the security team have what they need to start threat modelling.

Modelling cyber risk
There are numerous theories on how best to quantify cyber security risk. Most follow a similar process and are distinguished by the level of mathematical detail required to reach conclusions. (The authors of the most scientifically rigorous model, Factor Analysis of Information Risk (FAIR) [xxxviii], for example, claim the standard for risk metrics originally established by NIST is too loosely defined. But they'd also concede that their work inherits its foundations from it.)

Just about every model attempts to calculate the inherent risk (a measure of risk before compensating controls) for a range of threat scenarios, using something like the following model:

Cyber risk = threat (#) x vulnerability (%) x impact ($)

As the table below demonstrates, for any given threat scenario you need to assess (or predict) how often you should expect to encounter the threat scenario over a given period of time, what percentage of your systems would be vulnerable if the threat were to play out, and the expected loss your organisation would face if the threat were to play out. The product of the three is an expected loss for the period (dollars per year, say), which is what makes scenarios with very different likelihoods comparable in the same units.

Cyber risk per threat scenario

Threat (expressed as a number)
  Question: How often have you, or do you expect to, encounter this threat scenario over a given period of time?
  Example: The organisation has detected x malware campaigns each year that spread via SMBv1 and deliver a ransomware payload.

Vulnerability (expressed as a percentage)
  Question: What percentage of your systems or data would be vulnerable to the threat scenario?
  Example: What percentage of systems are not yet patched against known vulnerabilities in SMBv1?

Impact (expressed as a cost)
  Question: What would be the expected loss your organisation would face if this threat scenario were to play out?
  Example: What is the estimated cost of an infection, taking into account the ability of the network worm to spread through vulnerable systems, the cost of rebuilding systems and potentially the

Data quality
Cyber security professionals can rattle off an inexhaustible number of ways an organisation can be attacked, but risk analysis requires some structure. You can group cyber risks by asset, for example, or by whether the threat scenario would impact the confidentiality, integrity or availability of data. You might also classify by actor group (insider, third party partner, external party). Every risk framework tends to include its own taxonomy to follow, and all aim to consider a broad coverage of threats.

As you think through threat scenarios, you'll undoubtedly stumble onto those for which you don't have the required data to measure. This can be problematic if you are yet to implement an incident response or vulnerability management capability – both of which provide strong metrics to compare with.

So to some degree, the initial assessment in an organisation thinking about cyber security for the first time might need to include desktop research. MITRE's CVE database provides a global view of vulnerability data, the Californian State register of data breaches is the longest

seek to validate data provided by parties that have skin in the game – such as vendors of security software – by correlating with independent, trusted sources.)

The more meticulous you are, the better. But you will have to accept, at some point, that until you stand up some semblance of security capability, your numbers are going to include approximations. Even the authors of the FAIR model, who believe that everything can be measured, concede that the main aim of the exercise is to "reduce management's uncertainty about risk" rather than calculate it with absolute accuracy.

There are other reasons this game of mental gymnastics is valuable. Your initial aim might be to quantify your total exposure to cyber risk. But it's an important baseline for other reasons. In an environment with an unknowable number of emerging threats, quantifying cyber risk can also provide a way of prioritising investment in cyber security programs – a subject that demands its own deep dive.

Tracking your progress
                                                                                                        costs of managing reputational             running register of breach events, and               The exercise we’ve described should spare
                                                                                                        damage or shareholder value if
                                                                                                        the infection were to be known             Verizon’s annual data breach investigations          directors and business leaders from the
                                                                                                        to the public?                                                                                  gory detail of every security threat to the
                                                                                                                                                   report also has a long history. (NB: always

This report contains general advice for educational purposes only. Please consult your cyber security team and legal counsel for advice specific to your organisation.
Deep Dive:
A beginner’s guide to quantifying cyber risk

organisation, but nonetheless deliver a reasonably consistent, “10,000 foot view” of aggregate risk. It may be beneficial to illustrate what you’ve measured – preferably in a way that pinpoints where you’ve started, what your total inherent risk would have looked like without your security programs in place, and a decline in your residual risk as new controls or programs are delivered. This is something you should return to repeatedly, adjusting for changes in scope or shifts in the threat landscape.

You should also assume that the quality of data you’re feeding into your model will improve as you mature your security capability. We’ll dive deeper into this in a future edition of Signals.

Brett Winterford contributed to this report.

Buying down risk
(Chart: RISK RATING – Critical, High, Medium, Low – plotted against TIME, Q1 to Q4 over two years. Series: Inherent Risk (without cyber security program) and Residual Risk (with cyber security program); markers show Completion of milestones.)

Commonwealth Bank clients are invited to attend
Malware & Fraud 101
An executive overview for finance professionals

Representatives from the Australian Federal Police and Commonwealth Bank’s Digital Protection Group will provide a breakfast briefing for CFOs, accounts and treasury staff and other financial professionals on the current cyber threat landscape.

Topics to be explored include:
• The tools and tradecraft of profit-motivated cybercriminals targeting Australian organisations, including:
  〉 Phishing (tricking users into providing credentials to a fake site);
  〉 Credential ‘stuffing’ (trying credentials stolen from a user of one service against their account at another);
  〉 Malware campaigns; and
  〉 Payment fraud.
• How to protect your organisation from these threats.

Best suited to:
Senior business executives and finance professionals

This session is offered exclusively to clients and partners of Commonwealth Bank.
• Sydney – November 14
• Melbourne – November 15
• Brisbane – December 1

Email cyber-outreach@cba.com.au if you wish to attend.
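The arithmetic the threat / vulnerability / impact table implies, and the inherent-versus-residual curve the Buying down risk chart sketches, worked through as an added Python example (this is not the report’s or CommBank’s model). The scenarios, the milestone that takes SMBv1 exposure from 30% to 5%, and the dollar thresholds behind the Critical/High/Medium/Low bands are all constructed for illustration.

```python
# Added example, not CommBank's model: expected loss per threat scenario as
# Threat (frequency per year) x Vulnerability (percentage) x Impact (cost),
# then the inherent vs residual curve as controls ("milestones") land.
# Every figure below is constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Scenario:
    """One threat scenario, expressed the way the table asks for it."""
    name: str
    threat_per_year: float   # Threat: how often you expect to encounter it
    vulnerable_pct: float    # Vulnerability: % of systems/data exposed to it
    impact_cost: float       # Impact: expected loss (dollars) if it plays out

    def expected_loss(self, vulnerable_pct: Optional[float] = None) -> float:
        """Annual expected loss = frequency x vulnerable fraction x impact."""
        pct = self.vulnerable_pct if vulnerable_pct is None else vulnerable_pct
        if not 0.0 <= pct <= 100.0:
            raise ValueError("vulnerable_pct must be a percentage (0-100)")
        return self.threat_per_year * (pct / 100.0) * self.impact_cost


@dataclass(frozen=True)
class Milestone:
    """A delivered control: from `quarter` onward the scenario's exposure drops."""
    scenario: str
    quarter: int                # 1-based position on the chart's TIME axis
    vulnerable_pct_after: float


# Constructed thresholds for the chart's RISK RATING axis (annual expected loss).
RATING_BANDS = [
    (1_000_000.0, "Critical"),
    (250_000.0, "High"),
    (50_000.0, "Medium"),
]


def rating(expected_loss: float) -> str:
    """Map an expected loss to the chart's Critical/High/Medium/Low bands."""
    for floor, label in RATING_BANDS:
        if expected_loss >= floor:
            return label
    return "Low"


def inherent_loss(scenarios: List[Scenario]) -> float:
    """Aggregate exposure with no cyber security program in place."""
    return sum(s.expected_loss() for s in scenarios)


def residual_by_quarter(scenarios: List[Scenario], milestones: List[Milestone],
                        quarters: int = 8) -> List[float]:
    """Residual aggregate loss for each quarter on the TIME axis.

    A milestone lowers its scenario's vulnerable percentage from the quarter it
    is completed onward; the lowest delivered figure wins if several apply.
    """
    by_name = {s.name: s for s in scenarios}
    curve = []
    for q in range(1, quarters + 1):
        exposure = {name: s.vulnerable_pct for name, s in by_name.items()}
        for m in milestones:
            if m.quarter <= q and m.scenario in exposure:
                exposure[m.scenario] = min(exposure[m.scenario], m.vulnerable_pct_after)
        curve.append(sum(s.expected_loss(exposure[n]) for n, s in by_name.items()))
    return curve


# Constructed sample input. The first row mirrors the table's worked example:
# a worm spreading over SMBv1 and dropping ransomware.
SCENARIOS = [
    Scenario("SMBv1 worm delivering ransomware",
             threat_per_year=4, vulnerable_pct=30, impact_cost=500_000),
    Scenario("Credential phishing against staff",
             threat_per_year=12, vulnerable_pct=10, impact_cost=150_000),
]
MILESTONES = [
    # Q3: SMBv1 patching/disablement program leaves 5% of systems exposed.
    Milestone("SMBv1 worm delivering ransomware", quarter=3, vulnerable_pct_after=5),
    # Q5: MFA rollout leaves 2% of accounts exposed to credential phishing.
    Milestone("Credential phishing against staff", quarter=5, vulnerable_pct_after=2),
]

if __name__ == "__main__":
    total = inherent_loss(SCENARIOS)
    print(f"Inherent risk:  ${total:>10,.0f}  ({rating(total)})")
    for q, loss in enumerate(residual_by_quarter(SCENARIOS, MILESTONES), start=1):
        print(f"Q{q} residual:   ${loss:>10,.0f}  ({rating(loss)})")
```

With these constructed figures the inherent exposure is $780,000 (High) and the residual curve steps down to $280,000 after the Q3 milestone and $136,000 (Medium) after Q5, which is the shape the chart describes.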

Regulatory & Legal
New laws and legal precedents relevant to security strategy

A public response to a data breach that prioritises legal considerations above responsibility to affected customers tends to result in poor reputational and regulatory outcomes.

China, Russia ban anonymity services (VPN, TOR)
Legislation seeking to ban Virtual Private Networks (VPNs) successfully passed through both houses of the Russian Federal Assembly in July 2017. The Bill achieved unanimous support following a secret briefing held for the parliamentary members by the head of the FSB intelligence agency, Alexander Bortnikov, and was signed into law by President Vladimir Putin just a week later. The new law prohibits the use of VPNs and anonymizing services such as TOR that circumvent controls instituted by the government to block ‘restricted’ websites. Similar laws were introduced in January 2017 by the Chinese Government, which now requires its mobile telcos to block VPN apps on their networks. Web-based VPN services operating in China must agree to not circumvent the government’s ‘block list’ or face a similar fate.

CHECKLIST
• Executives that use VPN services to protect their communications when travelling to China or Russia should consult with their security teams, as should businesses that currently use VPN services in these countries.
• The Australian Signals Directorate maintains a useful set of general advice for travelling overseas with electronic devices[xxx].

U.S. Government blocks Kaspersky
The Trump administration has banned the use of Kaspersky antivirus products in all US Federal Government departments and agencies, and has given agencies 30 days to remove the software. The Department of Homeland Security (DHS) released an advisory stating: “the risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalise on access provided by Kaspersky products to compromise federal information and information systems directly implicates US national security.” The move follows a Senate hearing in May where US intelligence chiefs voiced concerns over use of the company’s products. The company is headquartered in Moscow and was founded by former Russian military intelligence officer Eugene Kaspersky; accusations of state collusion are not new to it, but to date they were confined to media commentary. Kaspersky, in response, have offered to share their source code with the US Government.

CHECKLIST
• Organisations should consider the level of privilege granted to applications in their environments during threat modelling, including security software. A recent compromise of the popular CCleaner antivirus software[xxxi] – which affected at least 700,000 users – is a good illustration of how these risks might be realised.
• As DHS has not (to date) produced evidence to justify their advisory, US and Western vendors may face reciprocal bans on ‘national security’ grounds by Russian or third-party nations.

Legalistic responses to data breaches fall flat
One of the world’s largest credit reporting companies, Equifax, has withdrawn an attempt to reduce its liability to lawsuits after it fell victim to a large data breach. After disclosing that the personal data of 143 million Americans – including social security numbers, birth dates and home addresses – had been compromised, the company offered free credit monitoring to affected users. Victims signing up for this monitoring were asked to agree to terms and conditions under which they waived their legal rights to take action against Equifax over the breach. This clause was later swatted down by US lawmakers, and withdrawn by Equifax, following widespread uproar. Class action lawsuits have ensued.

CHECKLIST
• A public response to a data breach that prioritises legal considerations above responsibility to customers and affected stakeholders tends to result in poor reputational and regulatory outcomes. In response to a data breach in 2015, TalkTalk initially played down its severity, then publicly claimed it had no legal obligation to encrypt its customers’ data. This resulted in damning media coverage and a £100,000 fine from regulators.
• Organisations that offer online services to US residents should reconsider whether a social security number should constitute a ‘secret’ for the purpose of authenticating a user. It wasn’t appropriate before the Equifax breach, and most certainly isn’t now.
• The UK Government’s National Cyber Security Centre (NCSC) has highlighted the secondary risk posed by scammers who might abuse the details stolen in the Equifax breach to craft convincing phishing emails.

Better Practice:
The latest advice your technology team should consider when setting security policies:

How an organisation deals with vulnerability disclosures is an important signal to the public about security maturity.

Prepare for ransomware
A team at NIST and MITRE has collectively drawn up a comprehensive guide to recovering from ransomware and other destructive malware attacks[xlii]. The top-level advice: segregate your network and remove unnecessary administrative access to systems to prevent an infection spreading, monitor log data (and consider file integrity monitoring) for improved detection and triage, and practice backup and recovery.

The end of Flash
Vulnerabilities discovered in Adobe’s Flash media player – once a de facto standard for multimedia on the web – have been exploited by numerous APT and cybercrime campaigns. Multiple operating systems – starting with Apple’s iOS in 2010 – and more recently web browsers have subsequently stopped supporting Flash content. Adobe has finally conceded that Flash has no future and announced that it will no longer be supported by Adobe by the end of 2020[xliii]. It is highly probable that most use of Flash will be phased out much sooner.

Find the bugs first…
One of the most critical components of a cyber security capability is establishing an assurance program where applications and/or infrastructure are tested by professional “white hat” hackers. The UK National Cyber Security Centre now provides high-level advice on how your organisation can build the foundations of an assurance function – a penetration testing team[xliv].

... Before somebody else does
Even organisations with strong assurance practices can be surprised by vulnerabilities discovered in their internet-facing systems by external researchers. The way in which an organisation deals with these reports is an important signal to the public about your security maturity. One of the world’s best authorities on ‘coordinated vulnerability disclosure’ is the Computer Emergency Response Team (CERT) at Carnegie Mellon University, who have published a very comprehensive guide[xlv] for both security researchers and defensive teams.

Know your adversary
Imagine if there was one wiki where all the known TTPs (tactics, techniques and procedures) could be summarised to make your threat modelling that little bit easier. BAM! The good people at MITRE have published one. It’s called ATT&CK[xlvi] and it looks to be a well-thought-out product.

It’s not too late to be infected with [Not]Petya
The news headlines may have slowed, but we’re still seeing indicators consistent with the [Not]Petya network worm light up every so often. It’s not too late to read US CERT’s revised advice[xlvii] on how to prevent and remediate these infections.

Shape a NICEr security team
What are the typical roles and responsibilities of a cyber security team? Cyber security operations and US tertiary education providers have for the last three years used the NICE cybersecurity workforce framework published by NIST to answer this question. In August 2017, NIST updated the framework[xlviii] to reflect shifts in workforce demand.

Phish Eyes
Recent phishing lures for your security awareness teams. Report hoax emails to hoax@cba.com.au

A large number of phishing campaigns over the last quarter impersonated billing notifications from energy providers, telecommunications companies and other providers of utility services. Very few of the major brands in Australia escaped unscathed.

Origin Energy
Origin Energy was impersonated in multiple malware campaigns between May and late August. Typically the email arrived with variations on the subject line “Your Origin electricity bill”. Most arrived in email inboxes from suspicious-sounding domains that would elicit skepticism from anyone with basic security awareness training. (We did, however, see one crafty campaign from a more creative domain – noreply[at]originofenergy.net.)

These emails lure victims into clicking on a link called ‘View Bill’, which prompts the user to download a .zip archive. Once downloaded, it drops a JavaScript file onto the user machine that downloads the Gozi/Ursnif Trojan, a nasty piece of malware often used to steal online banking credentials.

For well over a year, these phishing sites have been hosted using compromised Microsoft OneDrive accounts (the domains typically end in -my.sharepoint.com).

The folks at Origin Energy have published advice to help customers differentiate between real communications and those that impersonate them.

Energy Australia
In June and September 2017, attackers borrowed from the same playbook, developing campaigns that abused the brand of Energy Australia. Typical subject lines included: “View your EnergyAustralia Electricity Bill” or “Your Energy Australia Gas Bill”.

These campaigns also took advantage of compromised Microsoft OneDrive accounts, also attempted to convince victims to download .zip archives, and also dropped JavaScript files that download the Gozi/Ursnif Trojan onto the victim’s machine.

Energy Australia provides online security advice on its website.

AGL
These tactics are not new to energy company AGL. The AGL brand was abused in a long series of malware campaigns for most of the latter half of 2016, and in a smattering of campaigns in 2017.

These campaigns typically arrived with the subject line “Paperless Bill”, “My Monthly Bill” or “Bill Copy”. In earlier campaigns, victims were prompted to click a button called “Manage Your Bill”, which directed users to legitimate-sounding web sites and asked the user to download a .zip archive that (again) dropped a JavaScript file onto the victim’s machine.

Most of the AGL-themed campaigns infected victims with ransomware – a form of malicious software that encrypts the user’s data and offers a decryption key only if the user pays a large ransom via cryptocurrency. The web address generated from each email was personalised using the victim’s email address. A smaller number of campaigns in 2017 dropped various other forms of malware – but nothing like the scale of the earlier ransomware campaigns.

Even as these campaigns petered out in early 2017, they resulted in a sustained impact on customer trust. AGL customers are now far more likely to mistake legitimate marketing campaigns for scams – we saw a number of false positive reports submitted to scam-watch sites, including the CBA Hoax Mailbox in May 2017.

AGL provides advice on hoax emails on its website.

This report contains general advice for educational purposes only. Please consult your cyber security team and legal counsel for advice specific to your organisation.
Phish Eyes
Telstra
Australia’s largest telecommunications company was also impersonated in numerous campaigns over the last quarter – each using different infrastructure and dropping different forms of malware.

In one July campaign, victims were sent emails with subject lines such as “Your Telstra Bill”, and were presented with a fake Telstra bill. Upon clicking for more details they were asked to download an executable file or .zip archive with a legitimate-sounding name (usually a date range, such as May-June2017.zip), which on execution downloads the TrickBot credential-stealing Trojan. This campaign appears to have spoofed a legitimate Telstra domain – notifications@in.telstra.com.au.

In the same month we detected campaigns that used identical techniques to the Origin Energy and EnergyAustralia campaigns mentioned above. They arrived with the subject line ‘Telstra Bill – Arrival Notification’, directed victims to malware hosted on a compromised Microsoft OneDrive account (-my.sharepoint.com) and dropped the Gozi/Ursnif variant of malware.

Telstra provides advice on email scams on its website.

Don’t fall for it
• Avoid downloading .zip or .doc files from emails that purport to be from your service provider.
• Take note of the email address you usually receive bills from. If bills or requests for payment arrive from a new email address or domain, use your search engine or the community forums provided by your utility to check their authenticity.
• Some service providers will notify you of new bills when you are logged in to their service. If you are unsure about a bill sent over email, don’t click on anything. Instead, log in to your account with the service provider to check whether a new request for payment has been scheduled.

A screenshot of the most recent iteration of Telstra Bill themes, from September 2017. Telcos and other utilities advise customers that they will only send out bills via email that are attached as .pdf files. The malware in this case was contained in an attached Word document.
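The indicators shared by the Telstra, Origin Energy and EnergyAustralia campaigns above (bill-themed subject lines, non-PDF attachments, links to compromised OneDrive accounts on -my.sharepoint.com, and a sender domain that differs from the one bills normally come from) can be expressed as a mail-gateway triage rule. The following is an added example, not CommBank's or any vendor's code; the Message model, the sender allow-list and the sample emails are constructed assumptions.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

@dataclass
class Message:
    """Minimal view of an inbound email as a mail gateway would expose it (assumed model)."""
    sender: str
    subject: str
    attachments: list
    links: list

# Domains the recipient normally receives bills from (constructed allow-list, not a real policy).
EXPECTED_BILL_SENDERS = {"in.telstra.com.au"}
# Bill-themed subject lures of the kind used in the campaigns described above.
BILL_SUBJECT = re.compile(r"\b(telstra|energy ?australia|origin|agl)\b.*\bbill\b", re.I)
# Utilities say bills only arrive as PDF attachments; these types are indicators instead.
RISKY_EXT = (".zip", ".doc", ".docm", ".exe")

def triage(msg: Message) -> list:
    """Return the indicators a bill-themed message hits; an empty list means nothing matched."""
    hits = []
    if not BILL_SUBJECT.search(msg.subject):
        return hits  # only bill lures are in scope for this rule
    # A spoofed From: header passes this check (as in the July Telstra campaign), so it is
    # never sufficient on its own; the attachment and link checks below still apply.
    sender_domain = msg.sender.rsplit("@", 1)[-1].lower()
    if sender_domain not in EXPECTED_BILL_SENDERS:
        hits.append(f"unexpected sender domain: {sender_domain}")
    for name in msg.attachments:
        if name.lower().endswith(RISKY_EXT):
            hits.append(f"non-PDF bill attachment: {name}")
    for url in msg.links:
        host = (urlparse(url).hostname or "").lower()
        if host.endswith("-my.sharepoint.com"):
            hits.append(f"link to personal OneDrive host: {host}")
    return hits

# Constructed samples modelled on the campaigns in the text (not real captured mail).
SAMPLES = {
    "spoofed_zip": Message("notifications@in.telstra.com.au", "Your Telstra Bill",
                           ["May-June2017.zip"], []),
    "onedrive_link": Message("billing@example.invalid", "Telstra Bill - Arrival Notification",
                             [], ["https://contoso-my.sharepoint.com/personal/x/bill.doc"]),
    "legit_pdf": Message("notifications@in.telstra.com.au", "Your Telstra Bill",
                         ["bill.pdf"], []),
}

if __name__ == "__main__":
    print({label: triage(msg) for label, msg in SAMPLES.items()})
```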
