The federal government wants to strengthen Australia’s cybersecurity regulations and has suggested seven areas for policy reform, including the introduction of mandatory governance standards for larger businesses, a code for how personal information is handled, and a system for regulating smart devices.

In a bid to “further protect the economy from cybersecurity threats”, the government is proposing [PDF] either a voluntary or mandatory set of governance standards for larger businesses that would “describe the responsibilities and provide support to boards”. While the crux of both options is similar, the mandatory code would require the entities covered to achieve compliance within a specific timeframe. A mandatory code would also see enforcement applied. A voluntary option would not require specific technical controls to be implemented and would rather be treated as a suggestion.

The government would prefer the code be voluntary, however, saying “on balance, a mandatory standard may be too costly and onerous given the current state of cybersecurity governance, and in the midst of an economic recovery, compared to the benefits it would provide”.

It also flagged that there was no existing regulator with the relevant skills, expertise, and resources to develop and administer a mandatory standard.

Small businesses, meanwhile, have had a “cyber health check” function suggested. A voluntary cybersecurity health check program would see a small business awarded a trust mark that it could use in marketing. Businesses applying for the health check would self-assess their own compliance, with a basic level of due diligence provided by government or a third party, the paper proposes. The trust mark would also expire after 12 months.
This idea was drawn from the UK government’s Cyber Essentials program.

The paper also proposes the creation of an enforceable code under a federal piece of legislation to increase the adoption of cybersecurity standards. It said the Privacy Act has the greatest potential to set broad cybersecurity standards in relation to personal information.

“Establishing a code under the Privacy Act could drive the adoption of cybersecurity standards across the economy by creating regulatory incentives for uptake,” it said.

This code would specify minimum, rather than best practice, approaches, but the paper said it was unrealistic to mandate the Australian Signals Directorate’s Essential Eight through a cybersecurity code.

A cybersecurity code would have some limitations, however: it would only apply to the protection of personal information, and only to entities that are covered by the Privacy Act.

The government is also considering regulatory approaches to increasing responsible disclosure policies, again posing a voluntary and a mandatory option. The voluntary option would see the government release guidance or toolkits for industry on the process of developing and implementing responsible disclosure policies. The mandatory option, it said, could be incorporated into the potential cybersecurity standard for personal information.

The paper also discusses the introduction of clear legal remedies for consumers after a cybersecurity incident occurs, as currently there are limited legal options for consumers to seek remedies or compensation. It asks respondents what amendments can be made to the Privacy Act 1988 and Australian Consumer Law to sufficiently cover cybersecurity, as well as what other actions the government should consider.

Regulating IoT devices is also proposed.
“We believe that one reason that many smart devices are vulnerable is because competition in the market is primarily based on new features and cost,” the paper says. “Unfortunately, consumers often aren’t able to tell the difference between a secure and insecure device, which limits commercial incentives to compete on cybersecurity and leads consumers to unknowingly adopt cybersecurity risk.”

In a bid to mitigate this, the government last year released the voluntary Code of Practice: Securing the Internet of Things for Consumers, which contains 13 principles, or expectations the government has of manufacturers, about the security of smart products. The discussion paper suggests taking this further and making the code mandatory. The standard would require manufacturers to implement baseline cybersecurity requirements for smart devices.

It also believes consumers do not currently have the tools to easily understand whether smart devices are “cyber secure”, as there is often a lack of clear, accessible information available to them. Potentially remedying this are proposals that would include the introduction of a voluntary star rating label or a mandatory expiry date label.

Details on how the former would take shape are slim, but the discussion paper describes similar schemes underway in the UK and Singapore. The Singapore scheme consists of four cybersecurity levels, with each indicating a higher level of security and/or additional security testing.

The mandatory expiry date label, meanwhile, would display the length of time that security updates will be provided for the smart device. This kind of label would not require independent security testing, and therefore would be a lower-cost approach compared to a star rating label, the government said. In its “pros and cons” table, the government highlights the expiry date option as its preferred way forward.

Submissions on the discussion paper close 27 August 2021.
A sophisticated fraud scheme using compromised emails and advance-payment fraud has been uncovered by authorities. The fraud was run by what Europol describes as a “sophisticated” organised crime group which created fake websites and fake email addresses similar to legitimate ones run by retailers and suppliers. Using these fake accounts, the criminals tricked victims into placing orders for goods and requested payment in advance.

However, there never were any goods, so deliveries never took place – instead the stolen money was laundered through Romanian bank accounts controlled by the criminals before being withdrawn at ATMs.

The 23 suspects have been charged following simultaneous raids by police in the Netherlands, Romania and Ireland. They’re believed to have defrauded companies in at least 20 countries across Europe and Asia out of a total of €1 million. The group is suspected to have been running for several years, offering fictitious items for sale, such as wooden pellets. But last year the group switched how it operated and offered fictional items relating to the COVID-19 pandemic, including protective equipment.

Europol’s European Cybercrime Centre (EC3) aided national investigators in the Netherlands, Romania and Ireland, as well as deploying cyber crime experts to help with raids.
Business Email Compromise attacks are one of the most lucrative forms of cyber crime for internet fraudsters – in 2019, the FBI listed BEC as the cyber crime with the highest amount of reported losses, accounting for $1.77 billion. Overall, it costs businesses much more than ransomware.

To help prevent falling victim to Business Email Compromise attacks, Europol recommends that people should be wary of unsolicited contact from a seemingly senior official, or requests which don’t follow the usual company procedures – especially if the request is supposedly urgent or confidential. Organisations can also create barriers against falling victim to BEC by ensuring that wire transfers are subject to approval from multiple people, which increases the chance of fraud being spotted.
Google’s Threat Analysis Group has detailed a group it has labelled Exotic Lily that breached targets and sold off the access it gained.

The preferred method for reaching targets is spear phishing, with the group sending around 5,000 emails a day and setting up similar domains with different TLDs — such as using example.co for example.com users — in an effort to fool those on the receiving end. It also began with fake personas, but recently started ripping publicly available data from sites like RocketReach and CrunchBase to impersonate real users. The group also used public file-sharing sites including TransferNow, TransferXL, WeTransfer, or OneDrive to pass payloads onto users and make it harder for defenders to detect, since the sites are legitimate.

“Investigating this group’s activity, we determined they are an initial access broker who appear to be working with the Russian cyber crime gang known as Fin12 (Mandiant, FireEye) / Wizard Spider (CrowdStrike),” Google said. “Exotic Lily is a resourceful, financially motivated group whose activities appear to be closely linked with data exfiltration and deployment of human-operated ransomware such as Conti and Diavol.”

The group also appears to maintain a high degree of work-life balance, as Google said the activity it has seen is typical of a 9 to 5 job in eastern or central Europe, with little activity on weekends. Although the group has relationships with ransomware gangs, Google said Exotic Lily is a separate entity that is only interested in access, with other groups carrying out the ransomware operations.

Off the back of its discovery, Google said it would add additional Gmail warnings for emails originating from website contact forms, improve its spoofing identification, and adjust the reputation of email file-sharing notifications.

According to analyst firm IDC, overall security spending is expected to reach nearly $1 billion in Brazil this year, an increase of 10% in relation to 2020.
Of that total, spending on security solutions will reach $860 million, the analyst said, with cloud security becoming a key area of focus for Brazilian IT decision-makers. According to IDC, 2022 will see firms dealing with an increasing number of cyberattacks, a trend that has gathered pace since the start of the COVID-19 pandemic. The research added that managed detection and response (MDR) services will continue to gain ground as the demand for skilled professionals intensifies.

The shortage of information security skills is one of the most significant issues facing Brazilian IT organizations, mentioned by 40% of the businesses polled by IDC. In addition, 57% said they will rely on external help to manage and operate environments with modern cybersecurity solutions due to the shortage of professionals to boost internal teams.

With over 33 million intrusion attempts in 2021, Brazil is only behind the US, Germany and the UK in terms of ransomware attacks, according to a cyber threats report released by SonicWall. In 2020, Brazil ranked ninth in the same ranking, with 3.8 million ransomware attacks.

According to the SonicWall report, Brazil also stands out in terms of malware attacks, which increased over 61% in 2021, with 210 million attacks in 2021 compared to approximately 130 million seen in the prior year.
According to a separate study released in December 2021 by PwC, the vast majority of Brazilian companies plan to boost their cybersecurity budgets in 2022. The study noted the increase in cyberattacks against local organizations was among the key concerns of senior decision-makers. The study suggests that 45% of Brazilian companies estimate an increase of 10% or more in investments in data security, compared to 26% worldwide. Only 14% of Brazilian leaders expressed the same levels of concern in relation to cybersecurity in 2020, against 8% worldwide. In 2021, 50% of the companies polled by PwC claimed to have allocated up to 10% of their technology budget to security-related actions.
Safety is one of the biggest worries surrounding the rapid growth of generative artificial intelligence models. A seven-page complaint filed by whistleblowers and obtained by The Washington Post regarding OpenAI’s safety practices has only heightened these concerns. As a result, OpenAI is now sharing an update on its safety initiatives with the public. […]