Evalian Information Security News

Information Security News & Resources April 2019

By Georgina Donovan - April 23rd, 2019 Posted in Information Security, News & Resources

Here is our bi-monthly information security news and resources blog, covering some of the news items and interesting resources you may have missed, together with links to third-party sites that provide more information.

Information Security News & Resources

Online Survey reveals most hacked passwords

A survey by the National Cyber Security Centre (NCSC) has led the UK government to highlight the “importance of using strong passwords at home and at work”, amid a “growing global threat from cyber attacks”. Suffice it to say, the report highlights some embarrassingly weak and heavily reused passwords. Remember to use a unique password for each service rather than the same password for every application; a password manager makes this practical rather than a memory test.

Further survey results can be found in this article.

EU Parliament approves Cyber Security Act

On 12 March the European Parliament approved the Cyber Security Act, which gives the European Union Agency for Cybersecurity (ENISA) a permanent mandate and establishes an EU-wide cyber security certification framework. The aim is to strengthen cyber security across the EU and increase consumer trust in the security of digital products and systems.

Over the next decade, dependence on digital and interconnected products and systems (ICT products), including the Internet of Things (IoT), is set to grow rapidly, increasing the scope for cyber-attacks to interfere with everyday activities and raising the risk for SMEs and non-technical end users.

As well as establishing the European cyber security certification framework, the Act aims to improve co-operation, cyber resilience and incident response across borders at member state level, to ensure manufacturers build security into ICT products from the outset (security by design), and to raise awareness of and educate end users in good cyber hygiene.

The Cyber Security Act can be found here.

ASUS users targeted by ‘one of the biggest supply chain attacks ever’

Attackers compromised ASUS's software update infrastructure and delivered malware to customers through what appeared to be legitimate software updates, signed with ASUS's own code-signing certificates. Kaspersky Lab discovered the attack in January 2019, but it is thought to have run between June and November 2018. Although the malicious updates are known to have reached at least 70,000 users so far, the malware was designed to activate only on around 600 specifically targeted machines, identified by the MAC addresses of their network adapters.

Further details can be found here.

Supply chain security is an area of increasing importance. Remember to include supplier risks in your risk assessment and risk management activities. Contracts with key suppliers should ideally include security obligations, and we recommend second-party auditing of any supplier with access to your systems and data.

Magento issues security fix following exposed vulnerability to card skimming attacks

On 26 March Magento advised users of Magento 2 to update to a patched version immediately, following the discovery of an SQL injection vulnerability in its code. It has been reported that up to 300,000 eCommerce sites could have been at risk of card-skimming activity as a result.

Vulnerability management and patching remain critical activities for businesses of all sizes. We advise systematic scanning or review of critical systems (and any system holding personal data), continuous patching, and hardening in line with vendor recommendations.

Find full details here.
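To show what the class of bug above looks like in code, here is an added, constructed illustration using Python and an in-memory SQLite database. It is not Magento's code and does not reproduce the Magento 2 vulnerability; the table names, the `search_vulnerable`/`search_safe` functions and the attacker inputs are all assumptions made for the example. It goes slightly beyond the news item by showing two forms of injection: a value injected into a `LIKE` clause, and an identifier injected into `ORDER BY`, which cannot be fixed with a bound parameter and needs an allow-list instead.

```python
"""
Constructed SQL-injection illustration: a product search that concatenates
user input into SQL, alongside the parameterised and allow-listed fix.
Generic example only; not Magento code and not the Magento 2 bug.
"""
import sqlite3

# Identifiers (column names) cannot be bound as parameters, so the only safe
# way to let a caller choose a sort column is to check it against a fixed list.
SORTABLE_COLUMNS = {"name", "price"}


def build_db() -> sqlite3.Connection:
    """Create a throwaway catalogue plus a table an attacker would want to read (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE product (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE admin_user (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO product (name, price) VALUES ('Blue Mug', 7.5), ('Red Mug', 8.0), ('Kettle', 25.0);
        INSERT INTO admin_user (username, password_hash) VALUES ('admin', '$2y$10$constructedhash');
        """
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str, sort: str = "name"):
    """Vulnerable: both the search term and the sort column reach the SQL text unescaped."""
    sql = f"SELECT name, price FROM product WHERE name LIKE '%{term}%' ORDER BY {sort}"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str, sort: str = "name"):
    """Hardened: bound parameter for the value, allow-listed identifier for ORDER BY."""
    if sort not in SORTABLE_COLUMNS:
        raise ValueError(f"unsupported sort column: {sort!r}")
    sql = f"SELECT name, price FROM product WHERE name LIKE ? ORDER BY {sort}"
    return conn.execute(sql, (f"%{term}%",)).fetchall()


# Constructed attacker input: closes the quoted string, UNIONs in the admin
# table, and comments out the remainder of the original query.
UNION_PAYLOAD = "' UNION SELECT username, password_hash FROM admin_user --"


def probe_vulnerable(conn: sqlite3.Connection, guess: str) -> bool:
    """
    Blind (boolean-based) injection through the ORDER BY identifier.

    No data is returned directly; the attacker learns one bit per request from
    the ORDER in which rows come back. If the guess for the first character of
    the admin password hash is right, rows sort by name (Blue Mug first);
    otherwise they sort by -price (Red Mug first).
    """
    probe = (
        "(CASE WHEN (SELECT substr(password_hash, 1, 1) FROM admin_user) = "
        f"'{guess}' THEN name ELSE -price END)"
    )
    rows = search_vulnerable(conn, "Mug", probe)
    return rows[0][0] == "Blue Mug"


def demo():
    """Return (rows leaked by the vulnerable search, rows from the safe search) for the same input."""
    conn = build_db()
    return search_vulnerable(conn, UNION_PAYLOAD), search_safe(conn, UNION_PAYLOAD)


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable search returned:", leaked)
    print("safe search returned:", safe)
    print("blind probe, first hash char is '$':", probe_vulnerable(build_db(), "$"))
```

The `UNION` payload makes the vulnerable search return the admin credential row among the products, while the hardened version treats the whole payload as a literal pattern and matches nothing. The `ORDER BY` probe is the less obvious case: even a query that only ever returns product names leaks the contents of other tables, one true/false answer at a time, if the sort column is taken from the request unchecked.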

Toyota suffers a second cyber-attack in five weeks

This malicious attack resulted in a data breach affecting up to 3.1 million customers, highlighting failings in both cyber security and data handling.

More details can be found here.

Norsk Hydro still counting the costs after cyber-attack

One of the world’s largest aluminium producers, hit by ransomware that forced it to fall back on manual operations, is the latest victim in a wave of cyber-attacks on manufacturers that also includes Hexion and Momentive.

Full article can be found here.

Employee mistakes pose greatest threat to data security

According to the most recent Global Encryption Trends Study, carried out by nCipher in conjunction with the Ponemon Institute, employee mistakes pose the greatest threat to sensitive data.

Employee error is also the largest cause of the data breaches we see among our data protection clients. Continual awareness training is advised, as well as formal procedures for encrypting, or at least password protecting, sensitive data before it is sent or shared.

The full study can be downloaded here.

Information Security Resources

Recent third-party resources we liked include:

The top five human errors that impact data security by ITproportal.com

Staying with the theme of human error, this article reiterates the need for continual cyber security training. We bang this drum time and again. Start with formal training on induction and annual refresher training and complement with formal and informal ongoing awareness training. Think ‘ABC’ – awareness, behaviour and culture when building your awareness programme. We can help with security awareness training, including full managed training programmes.

You can access the article here.

Cyber-attacks to watch for in 2019 by zdnet.com

This article summarises a newly released report from global consulting firm Booz Allen which highlights eight key threats to look out for. It’s big-picture stuff, but worth a read when you have a few minutes.

You can read the article here.

10 Steps to Cyber Security by the National Cyber Security Centre (NCSC)

We can’t recommend ’10 Steps’ enough. If you’ve passed Cyber Essentials and don’t know where to go next, then 10 Steps is your best bet. Get the fundamentals in place and apply good governance. Remember, governance isn’t red tape – its purpose is to align your security strategy with your business strategy.

10 Steps is a great guide for developing your cyber security framework, and is used by the majority of FTSE 350 companies.

The guide is available here.

Need help or want to chat?

If you need help with Information Security, then we’d love to hear from you and we promise no hard sell. You can contact us here.

Get in touch