The niner noteworthy stories of 2016 (week 30)

These are the noteworthy stories, in no particular order, that piqued my interest last week.

Cyberangriff legt Luxair-Check-in lahm (Cyberattack cripples Luxair check-in)

It is one of the many attacks happening daily, and the aviation sector is no stranger to them. The interesting note in this article is that airlines are “improving their IT”, which is certainly not the same as also protecting it against cyber security attacks or other forms of information security mishaps. In general the aviation sector may face different challenges than other sectors, most notably because its fleet of planes are flying computers as well, which poses an interesting and unique risk to this sector. (Note: the article is in German and the English translation isn’t that great, though you will get the general idea of what happened.)
source: aeroTELEGRAPH (in German, external link)
translated version by Google Translate (external link)

Techie Held For Hacking Air India Frequent Flyers Accounts

This precisely illustrates why just doing cyber security isn’t good enough. Cyber is usually seen as an internet-based attack, which this in the end indeed is, but the start of this scheme is not cyber at all: it is an insider working for Air India’s IT department. Though the attack itself is certainly cybercrime, preventing it would have had more to do with people management, screening and perhaps access rights or need-to-know principles for specific IT information inside the company. However, with the information this article provides, it is pretty hard to conclude anything definitively.
source: NDTV (external link)

South China Sea: Vietnam airport screens hacked

A prime example of a new form of information warfare which may very well be impossible, or at least extremely difficult, to defend against. The story does underline what can happen to systems that are all interconnected, and with the rise of the internet of things this will become a more and more pervasive situation. It remains to be seen what the next target will be: will planes themselves become part of the interconnected world? And if so, which part of the on-board computer systems will become connected?
source: BBC News, Asia section (external link)
also reported here: the Guardian (external link)

Ex-Citibank IT bloke wiped bank’s core routers, will now spend 21 months in the clink

Performance review sparks deletion, 110 offices knackered

And another case of too many privileges, no checks on what employees are doing and certainly full opportunity for a disgruntled employee to wreak havoc on the core routers of the company. Whilst these types of attacks, certainly in these kinds of positions, can’t completely be stopped or prevented, this does give an interesting insight into what will happen if a network administrator misuses access rights. Unfortunately the article says nothing about how quickly the damage was repaired, because that would have completed the picture of the resilience of Citibank’s IT department.
source: the Register (external link)

LastPass zero-day can lead to account compromise

Software bugs aren’t anything really new, even in security oriented software. There have been earlier stories on cloud-based password managers with security problems specifically related to their application programming interface (API), with malicious websites exploiting them to gain access to the user’s password database.
The main question with these services must always be: who has access to my information other than me, myself and I? Mostly this boils down to the question of who actually holds the keys to encrypt and decrypt the data stored online, which, unfortunately, in a lot of cases is very difficult to answer. Where it is not difficult, the answer usually is the cloud provider, which immediately shows the weakness of such systems. Since the LastPass attack is browser based, that is probably not the case here.
source: Help Net Security (external link)

Hundreds of Flaws Found in Philips Healthcare Product

So can Philips really be blamed for this? Their response certainly is what you would expect of software vendors but so often don’t see happening. The most interesting bit in this article is not the flaws themselves but the apparent fact that a lot of healthcare organisations are still running Windows XP, on which most of the flaws were found. Even two years after the end-of-life of the XP operating system, it is still running on a lot of computers, apparently also ones holding sensitive medical information.
Philips might have been able to fix these flaws in their software earlier, but it is certainly the companies still running the healthcare software on outdated operating systems who are to blame for any security breaches that may have resulted from these software vulnerabilities. Although if you are still running Windows XP, I doubt any security monitoring is in place to detect any breaches whatsoever.
source: (external link)

Three Quarters of US Firms Have Failed to Detect Breach – Report

Interesting facts, specifically the ones on lack of in-house expertise and lack of leadership. Although, most notably, careless employees ranked the highest, in my opinion that is only a consequence of the first two factors taken together. It is easily said that the weakest link is sitting between the chair and the keyboard, but it is mostly the lack of leadership and of an engaging security awareness programme that are the main causes of that weakest link. And no, a yearly e-learning module that hardly changes from year to year won’t do.
source: InfoSecurity Magazine (external link)

24×7 SOCs: The Answer to all Monitoring and Logging Needs?

This is a very good summary of the mistakes most companies will make when setting up or outsourcing a security operations center (SOC), specifically one that must work 24/7/365.
I will add one more, specifically related to the outsourced SOC, which is the simple fact that the SOC needs to be fully aware of your business processes, critical assets and procedures. Often enough those outsourced SOCs work for a large set of diverse clients, each with their own business models and assets. This is directly one of the major weak points of outsourcing the entire SOC, as those people simply don’t know your business well enough to be fully effective in the long run.
source: InfoSecurity Magazine (external link)

When should push come to shove over cybersecurity?

Ah, the old arguments for and against regular password changes, in an interestingly written article. The main take-away here is: be sensible with your password policy and, if possible, use multi-factor authentication systems, which may make it easier to log in as well as more secure. It may also save significantly on your helpdesk budget if you can cut all the forgotten-password tickets, specifically after the holiday season, that you no longer have to deal with thanks to easier and more secure login systems. In the end it falls to monitoring to detect any breaches, but if you can make it easier and more secure for your users to do their job, the monitoring system is there as a second layer of defence in case an earlier one does fail for some reason.
source: CSO Daily Dashboard (external link)