There’s no shortage of cyber news making the headlines, but what does it mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
Privacy and Universal Jurisdiction
Australia embraces stronger privacy protections by embracing elements of universal jurisdiction, in line with other global privacy regimes, notably GDPR.
International technology platforms and offshore cloud software providers have been put on notice they must comply with Australian privacy laws, even if they have no local physical presence.
This move comes off the back of a decision by the Australian Privacy Commissioner, Angelene Falk, that Uber failed to protect the personal data of 1.2 million Australian customers due to a cyber breach in 2016. At the time, Uber had no physical presence in Australia and all customer data was handled by Amazon servers located in the United States.
This decision will have implications for any organisation, whether based in Australia or overseas, that uses offshore data facilities. Organisations must still comply with all of Australia’s privacy regulations and failure to do so may result in a range of sanctions by the regulator.
CyberCX offers specialist privacy services. We advise and guide organisations to ensure they achieve and maintain full compliance with all relevant Australian and international privacy regimes. Contact us today to learn more.
Microsoft Warns of New Phishing Campaign
Microsoft is warning Office 365 users and admins to be on the lookout for phishing emails that spoof sender addresses. The malicious campaign targets organisations with convincing emails that use a variety of techniques to bypass phishing detection technologies.
The emails use a combination of legitimate-looking original sender email addresses, spoofed display sender addresses that contain the target usernames and domains, and display names that mimic legitimate services to try and slip through email filters.
Specifically, the latest phishing attempts use Microsoft SharePoint in the display name to entice victims to click the link. The email poses as a “file share” request to access bogus “Staff Reports”, “Bonuses”, “Pricebooks”, and other content hosted in a supposed Excel spreadsheet. It also contains a link that navigates to a phishing page designed to steal user credentials. They also make extensive use of Microsoft branding.
With phishing campaigns becoming increasingly sophisticated and managing to evade detection systems, phishing awareness training has never been more important for your staff. When staff are equipped with the skills to identify potentially malicious email, your organisation will be much better placed to avoid phishing attempts.
Phriendly Phishing, a CyberCX company, offers an extensive range of training solutions covering phishing and a range of other cyber security modules. Contact Phriendly Phishing today for further information.
Director Responsibility for Cyber Security
On 13 July 2021, the Australian Government opened consultation on options for regulatory reforms and voluntary incentives to strengthen the cyber security of Australia’s digital economy.
Among the issues being canvassed are governance standards for large businesses. Feedback is being sought on whether existing frameworks are sufficient, or whether additional measures, either voluntary or mandatory, should be developed.
A voluntary governance standard would describe the responsibilities of large businesses and processes for managing cyber security risk and would support the role of company boards overseeing cyber security risk. Mandatory standards would go further, requiring large businesses to achieve compliance within a specific timeframe.
Among possible future directions, some are suggesting that directors may be held legally responsible for egregious cyber security negligence in their companies, according to Telstra CEO, Andy Penn.
Penn, who is also chair of the Government’s Cyber Security Industry Advisory Committee, says too many Australian organisations remain under-prepared for escalating cyber risks. He backed proposals to strengthen obligations on directors, but said the degree of responsibility should depend on the significance of the company’s products or services.
Importantly, Penn advised that more needs to be done to make corporate leaders aware of cyber security risks in circumstances where malicious cyber criminals were becoming more brazen and sophisticated in targeting governments, businesses and global supply chains.
Many corporate cyber security chiefs struggle to persuade boards of the importance of adequately investing in cyber security. However, it is critical that directors understand the range of cyber security risks their organisation is likely to face, so they can provide appropriate resources to mitigate the risks.
CyberCX offers comprehensive Board and Executive Cyber Literacy training. This suite of courses is designed to enable boards to stay ahead of cyber risks using innovative learning techniques customised to executive leadership. Contact us today to learn more about executive cyber training.
Joint Advisory by AU, US and UK
For the first time, the leading cyber security agencies in Australia, the United States and the United Kingdom issued a joint advisory detailing the major vulnerabilities (CVEs) all affected organisations should immediately patch.
Unsurprisingly, many of the most significant vulnerabilities over the past year involved perimeter-type devices, including unpatched VPNs or cloud-based technologies. With cyber actors looking to exploit publicly known, and often dated software vulnerabilities, keeping up with patching has never been more important.
The multi-national cyber security advisory recommends that organisations apply the available patches for the most widely exploited vulnerabilities and implement a centralised patch management system.
2020 – Most widely exploited vulnerabilities:
| Vendor | CVE |
| Citrix | CVE-2019-19781 |
| Pulse | CVE 2019-11510 |
| Fortinet | CVE 2018-13379 |
| F5 – Big IP | CVE 2020-5902 |
| MobileIron | CVE 2020-15505 |
| Microsoft | CVE-2017-11882 |
| Atlassian | CVE-2019-11580 |
| Drupal | CVE-2018-7600 |
| Telerik | CVE 2019-18935 |
| Microsoft | CVE-2019-0604 |
| Microsoft | CVE-2020-0787 |
| Netlogon | CVE-2020-1472 |
2021 – Most widely exploited vulnerabilities (thus far):
| Vendor | CVE |
| Microsoft Exchange | CVE-2021-26855 |
| Microsoft Exchange | CVE-2021-26857 |
| Microsoft Exchange | CVE-2021-26858 |
| Microsoft Exchange | CVE-2021-27065 |
| Pulse Secure | CVE-2021-22893 |
| Pulse Secure | CVE-2021-22894 |
| Pulse Secure | CVE-2021-22899 |
| Pulse Secure | CVE-2021-22900 |
| Accellion | CVE-2021-27101 |
| Accellion | CVE-2021-27102 |
| Accellion | CVE-2021-27103 |
| Accellion | CVE-2021-27104 |
| VMWare | CVE-2021-21985 |
| Fortinet | CVE-2018-13379 |
| Fortinet | CVE-2020-12812 |
| Fortinet | CVE-2019-5591 |
For a comprehensive explanation of each of these vulnerabilities, along with links to available patches, CLICK HERE.
