CyberCX Security Report | March 2021
There’s no shortage of cyber news making the headlines, but what does it mean for you?
At CyberCX, we keep a close eye on the news to identify reports of the latest trends, issues and exploits.
Here we present a selection of recent news stories that caught our attention, and the important lessons we can learn to keep secure.
Grow your business by investing in cyber security
Investing in cyber security can facilitate significant growth by enabling you to make the most of emerging business opportunities. By contrast, failing to meet minimum cyber security standards can see your business miss out on lucrative contracts.
That’s a key message of “Working Securely with Defence,” a new guide for SMEs released by the Defence Department and the Australian Industry Group.
Forty per cent of small and medium businesses vying to win defence contracts are being rejected because of lax cyber security practices.
The Defence Department is encouraging all organisations interested in working with it to consider applying for DISP (Defence Industry Security Program) membership and, in some cases, requires membership if you plan to undertake sensitive or classified work.
DISP offers substantial benefits to Defence and industry in streamlining security services and protecting Defence information and assets, as well as industry’s intellectual property.
This new guide aims to assist SMEs in navigating the DISP membership process by:
- Providing the pathway for your business to become eligible for classified and sensitive Defence work through participation in the DISP;
- Providing practical guidance, tools and expert advice to help protect Australian organisations from a range of security threats;
- Helping build the competitiveness and security resilience of the Defence industry sector through good security practices; and
- Assuring international investors and partners of industry’s commitment to Defence security.
Contact us for further advice about enhancing your organisation’s cyber posture so you can align with Australian Government security standards.
InfoSec training is a business enabler
Covid-19 has profoundly accelerated digital transformation for many businesses. Whilst much of the focus is on the adoption of new technologies, organisations are increasingly realising that new efforts are required to upskill their teams.
Bendigo and Adelaide Bank said that in the past half year, more than 400 of its employees have been coached in cloud, machine learning, and information security as part of a technology modernisation program of work. Furthermore, the bank enhanced the delivery of staff training to support modern online learning in an increasingly digital environment.
The bank recognises that in order to continue its growth trajectory, it needs to sustainably step up the level of investment in their people’s capabilities. Such investments will enable the bank to increase scale, boost efficiencies and enhance productivity.
It’s a timely reminder that training is about much more than securing your systems and data. It’s an initiative that can lay the groundwork for expanding your business. CyberCX runs a wide range of training initiatives for all levels of staff, from the boardroom to the basement.
Contact us to learn more about our extensive training offerings and how they can benefit your organisation.
Don’t neglect upgrading legacy systems
When it comes to securing your environment, upgrading legacy systems can be one of the most effective actions you can take. After all, many legacy systems contain vulnerabilities that are well known to malicious actors.
In December 2020, customers of cloud solutions provider Accellion began experiencing breaches due to a zero-day vulnerability in its legacy File Transfer Appliance (FTA). FTA is a 20-year-old product that relies on outdated and less secure technology. Because the application was specifically designed to move large amounts of data, it potentially allowed the threat actor to access a significant amount of information. It was subsequently revealed that compromised data was being used as leverage in extortion attempts.
Although Accellion rolled out a patch to stop the initial breaches, additional vulnerabilities continued to be discovered through January. In total, patches have now been released for four identified zero-days:
- CVE-2021-27101
- CVE-2021-27102
- CVE-2021-27103
- CVE-2021-27104
For three years Accellion had been encouraging clients to replace FTA and adopt its newest platform, Kiteworks. According to the company, Kiteworks is “built on an entirely different code base, using state-of-the-art security architecture, and a segregated, secure development process.”
So, when a third-party supplier in your environment urges you to upgrade to a newer system because of its enhanced security features, our strong recommendation is to heed their advice.
QR codes expose devices to security risks
Since Covid-19 emerged over one year ago, QR codes have become a ubiquitous feature in our lives. Millions of people are now accustomed to scanning the codes every time they enter a café, shop or workplace environment.
However, what many do not realise is that QR codes can be used to deliver malware to unsuspecting individuals. A malicious QR code can direct a user to a fake website, capture personal data or install malicious software on the smartphone.
The risks are reduced when the QR code needs to be scanned by a Government-issued application, such as the one released by Service NSW. However, not all venues across Australia are using QR codes that are integrated with a Government-issued application.
Recently, a popular Android application called Barcode Scanner was removed from Google Play after it was discovered to have installed ad-pushing malware onto millions of users’ phones. Users began noticing that they were being redirected to random advertisements. Following investigations, it was discovered that obfuscated malicious code had been hidden in an update.
This case highlights the potential risks associated with QR codes and the applications that read them. Common attack vectors may include:
- Adding new contacts to the phone as a prelude to spear phishing attacks.
- Initiating phone calls to the attacker, thereby exposing the victim’s phone number.
- Launching smishing attacks by sending malicious text messages to the user’s contacts.
- Accessing the user’s work emails, which may lead to Business Email Compromise attacks.
- Sending mobile payments automatically and capturing the user’s personal financial data.
- Secretly tracking the user’s geolocation as reconnaissance for a Business Email Compromise attack.
- Following the user’s social-media accounts, exposing their personal information and contacts.
- Connecting the device to a compromised Wi-Fi network, exposing it to ongoing breaches.
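Each of the vectors above corresponds to a URI scheme or data format that a scanner app hands to a handset handler (a web link, a tel: or sms: URI, a Wi-Fi join string, a contact card, a payment URI). The screening routine below is an added example, not CyberCX code or part of any scanner app: it classifies the decoded text of a QR code by the action it would trigger and decides whether the user should be asked to confirm first. The trusted-host allow-list and the sample payloads are constructed for illustration.

```python
"""Triage the decoded contents of a QR code before a device acts on it.

Added example (not CyberCX code). Assumptions: TRUSTED_HOSTS is a
hypothetical allow-list maintained by the venue or employer, and the
SAMPLE_PAYLOADS are constructed, not captured from real codes.
"""
import re
from urllib.parse import urlsplit

# Hypothetical allow-list of HTTPS hosts the organisation trusts.
TRUSTED_HOSTS = {"service.nsw.gov.au"}

# URI scheme -> (action the handset would take, baseline risk).
# Risk levels follow the attack vectors listed above.
ACTION_BY_SCHEME = {
    "tel": ("place phone call", "high"),        # exposes the caller's number
    "sms": ("send text message", "high"),       # smishing / premium SMS
    "smsto": ("send text message", "high"),
    "mailto": ("compose email", "medium"),
    "wifi": ("join Wi-Fi network", "high"),     # attacker-controlled network
    "mecard": ("add contact", "medium"),        # prelude to spear phishing
    "bitcoin": ("send payment", "high"),
    "upi": ("send payment", "high"),
}

_SCHEME_RE = re.compile(r"([A-Za-z][A-Za-z0-9+.-]*):")
_IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def _url_risk(url: str) -> tuple[str, str]:
    """Rate a web link: plain http, userinfo tricks and raw IPs are high risk."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "http":
        return "high", "unencrypted link; the destination cannot be authenticated"
    if "@" in parts.netloc or _IPV4_RE.fullmatch(host):
        return "high", "userinfo or raw IP address in link, common in lookalike URLs"
    if host in TRUSTED_HOSTS:
        return "low", f"https link to trusted host {host}"
    return "medium", f"https link to unlisted host {host}; verify before proceeding"


def classify_payload(payload: str) -> dict:
    """Map decoded QR text to the action it triggers and a risk rating."""
    text = payload.strip()
    # vCard contact cards have no URI scheme prefix, so check them first.
    if text.upper().startswith("BEGIN:VCARD"):
        return {"action": "add contact", "risk": "medium",
                "reason": "vCard payload adds a contact to the address book"}
    match = _SCHEME_RE.match(text)
    if not match:
        return {"action": "display text", "risk": "low",
                "reason": "no URI scheme; the scanner only shows the text"}
    scheme = match.group(1).lower()
    if scheme in ("http", "https"):
        risk, reason = _url_risk(text)
        return {"action": "open web page", "risk": risk, "reason": reason}
    # Unknown schemes are treated conservatively: some other app may handle them.
    action, risk = ACTION_BY_SCHEME.get(scheme, ("unknown handler", "high"))
    return {"action": action, "risk": risk,
            "reason": f"'{scheme}:' hands the payload to the '{action}' handler"}


def should_prompt(payload: str) -> bool:
    """True when the user should confirm before the device acts on the code."""
    return classify_payload(payload)["risk"] != "low"


# Constructed sample payloads covering the vectors discussed above.
SAMPLE_PAYLOADS = [
    "https://service.nsw.gov.au/check-in",
    "http://service.nsw.gov.au/check-in",
    "https://menu.example-cafe.com.au/table/12",
    "tel:+61400000000",
    "SMSTO:+61400000000:Please confirm your booking",
    "WIFI:T:WPA;S:FreeCafeWifi;P:hunter2;;",
    "MECARD:N:Accounts Payable;TEL:+61400000000;;",
    "BEGIN:VCARD\nN:Payroll\nEND:VCARD",
    "Table 12",
]

if __name__ == "__main__":
    for payload in SAMPLE_PAYLOADS:
        result = classify_payload(payload)
        flag = "PROMPT" if should_prompt(payload) else "ok"
        print(f"{flag:6} {result['risk']:6} {result['action']:18} {result['reason']}")
```

The design choice is that only an HTTPS link to an allow-listed host passes silently; everything that triggers a side effect (a call, a message, a Wi-Fi join, a contact or payment) is surfaced to the user before the handler runs, which is the control a managed scanner app or an MDM policy would enforce.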
Organisations need to be aware of the risks associated with their teams scanning QR codes. This is particularly the case as many employees now use their own devices for work. These devices may run work-related applications that may be vulnerable.
Mobile device security needs to be a priority for all organisations to protect against phishing attacks, device takeovers, man-in-the-middle exploits and malicious application downloads. Make sure you roll out security measures on every mobile device that accesses business applications and data, including smartphones, laptops and tablets.
Contact us for further assistance securing the mobile devices in use in your environment.