More stories


Cybersecurity managers with a direct line to executive boards set the tone for investment: Study

A new report examines how an organization’s approach to cyberattack incident and response strategies can have implications for investment in the broader cybersecurity market. On Thursday, financial services and credit rating provider Moody’s published new research, including a survey of financial services, enterprise firms, infrastructure providers, public sector organizations, and government entities.

Out of roughly 5,000 issuers asked to complete the survey, conducted between April 2020 and April 2021, 1,300 responded. According to the researchers, many organizations involved in the market today, including global debt issuers, are increasing their investments in cybersecurity, but their “preparedness levels and defensive capabilities vary widely.”

It only takes one successful cyberattack to severely damage an organization’s reputation, finances, and share price. One incident alone can open up a company to scrutiny by shareholders and regulators, and lawsuits are also a factor, whether launched by investors or class-action consumers impacted by a breach. Moody’s researchers say that “cybersecurity governance sets the tone for an issuer’s overall cyber strategy.” The report states: “To date, the cost of cyber events has generally been manageable for issuers we rate and has only rarely resulted in lasting financial harm or reputational damage. However, as the cost of these attacks continues to rise, the importance of cyber preparedness grows.”

Out of those surveyed, 93% now have a cybersecurity manager who reports directly to the board. However, their importance in a company varies.

Managers in financial companies were far more likely to report directly to business leaders (71%) than corporates, infrastructure firms, or public entities, at 61%, 57%, and 50%, respectively. “A direct line to the CEO supports more frequent interactions between the cyber manager and the executive team,” Moody’s noted. “This fosters greater awareness and understanding of cyber risk within an organization and typically translates into more support for an enterprise-wide risk management approach.”

In addition, when a breach occurs, disparities in data breach transparency and guidelines “can leave key stakeholders with little information about a matter of growing importance.”

Recent high-profile supply chain attacks, including one experienced by Kaseya, have prompted a focus on addressing vulnerabilities and risk factors associated with these types of security incidents. Moody’s expects “this matter to remain a top priority.”

However, while survey data shows that basic defense practices appear to be rising, the use of more ‘advanced’ and robust solutions is “lagging.”

“Our survey results show a strong correlation between the closeness of the reporting structure between the cyber manager and the executive suite, and the amount of budget and resource allocation to cybersecurity,” Moody’s says. “Survey responses also show that more cyber expertise at the board of directors level correlates well with the adoption of more advanced cyber defense practices.”

Cybersecurity insurance is now becoming a more common investment in today’s businesses. In the US, standalone cybersecurity insurance is held by roughly 57% of issuer organizations, slightly above those in the EMEA region at 54%. Approximately 41% of those surveyed said they held these insurance policies in other regions.


Singapore, US expand bilateral economic cooperation to include AI governance

Singapore and the US have agreed to expand their economic cooperation to include artificial intelligence (AI) governance and cybersecurity initiatives involving other Asean markets. The two nations also will collaborate on sustainable infrastructure projects. The announcements come on the sidelines of Singapore Prime Minister Lee Hsien Loong’s visit to the United States this week, where he met with US President Joe Biden. Both countries signed new Memorandums of Understanding (MOUs) to expand bilateral cooperation outlined in the Singapore-US Partnership for Growth and Innovation, which was first signed last October. The partnership agreement aimed to establish “inclusive growth” for both economies and regions, according to Singapore’s Ministry of Trade and Industry (MTI).

It encompasses collaborative efforts in digital economy and smart cities, energy and environmental technologies, advanced manufacturing and supply chain resilience, as well as healthcare. Under the agreement, both nations aim to develop common technical standards and build more “trustworthy and interoperable” systems.

This week’s MOUs looked at new areas of cooperation, the Singapore ministry said. First, Singapore’s Infocomm Media Development Authority (IMDA) and the US Department of Commerce (DOC) would jointly develop interoperable AI governance frameworks and drive the adoption of ethical AI. The two government agencies would co-organise mapping exercises, workshops, and various events with participation from both Singapore and US organisations. DOC and MTI also would collaborate on cybersecurity best practices, including regional capacity building efforts on smart nations via the Asean-Singapore Cybersecurity Centre of Excellence. In addition, MTI, Enterprise Singapore, and Singapore’s Economic Development Board would support DOC’s advanced manufacturing trade mission efforts in Singapore as well as other Asian markets, such as Indonesia. These US-led trade missions aimed to promote standards to boost manufacturing resiliency and facilitate new partnerships between Singapore and US private sectors.

Minister for Communications and Information and Second Minister for Home Affairs Josephine Teo said: “The digital pillar of the [Singapore-US Partnership for Growth and Innovation] reflects how the bilateral relations between our countries are advancing in emerging areas of cooperation. This will enable inclusive participation by our companies and people in the growing digital economies in our countries and regionally. One practical example of our digital cooperation is on aligning our respective AI governance frameworks. Companies can expect to deploy AI across borders with greater ease, to seize innovation opportunities while managing the risks.”

Since it was inked last October, the bilateral economic agreement had established various plans that included regional development of digital trade standards and participation in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules System, which aimed to facilitate global interoperability between different data privacy regimes.

Both nations earlier this week also renewed and expanded their collaboration on infrastructure development, which now would include green and sustainable infrastructure projects in the region. The partnership also would explore new approaches to “mobilise” participation within the private sector, such as via a clean energy roundtable involving businesses from Singapore, the US, and Asia. Singapore and the US also agreed to deepen their collaboration in new areas that included renewable energy as well as carbon capture, utilisation, and storage (CCUS).


Microsoft: These are the Windows Update policies to use for your PCs (and rollercoasters)

Microsoft has detailed how you should use Windows Update policies to keep your devices updated and secure, from single-user devices right through to kiosks and billboards, and rollercoasters.

The tech giant’s first bit of advice for admins using Windows Group Policy to manage enterprise Windows 10 and Windows 11 devices is: don’t mess too much with the defaults.

Admins shouldn’t try too hard to customize device security patching and feature updates because the defaults are “often the best”, according to Microsoft. This focus on defaults keeps users happy and productive, while ensuring devices are patched and up to date.

Admins can use Group Policy to control the timing of updates for Patch Tuesday, emergency patches, and new feature releases of Windows. The default for Windows Update in the enterprise is much like the experience for consumers on Windows PCs. But there are many other ways Windows and Windows Update are used to keep all manner of devices operational when needed and also patched regularly during downtime. The default Windows Update policy is for devices to scan daily, automatically download and install any applicable updates “at a time optimized to reduce interference with usage, and then automatically try to restart when the end user is away,” according to Microsoft senior program manager Aria Carley. “Leverage the defaults!” Carley said. But there are so many use cases for Windows that the defaults can’t cover every scenario. Besides single-user personal Windows devices, there are: multi-user devices; education devices; kiosks and bank ATMs; factory machines, rollercoasters, and critical infrastructure; and Microsoft Teams Rooms devices.

While the defaults are a good baseline, Carley offers details about how to use Group Policy to tweak the timing of automatic updates for each use case. She’s also compiled a list of 25 Group Policy settings that admins should not use. For use cases where Group Policy can be used, admins can specify “the number of days before an update is forced to install” during active hours, when the user may be present. This is applicable to single-user devices that could be connected to the corporate network or used remotely. Microsoft recommends the use of deadlines because of heightened security risks from ransomware and destructive malware. The US Cybersecurity and Infrastructure Security Agency (CISA) is concerned destructive malware may target US organizations due to US sanctions on Russia over its invasion of Ukraine.

Multi-user devices like HoloLens or a PC in a lab or library setting may have set periods in which they are used, such as a building’s opening hours. Updating these at midnight, when staff are away, could be ideal. For education devices, admins can ensure Windows Update notifications or automatic reboots don’t happen during the school day. To do this while remaining patched, admins can check the new Group Policy box option “Apply only during active hours”. However, this feature is currently only for devices in the Windows Insider Program for Business in the Dev or Beta channels. Microsoft notes: “For those on Windows 10 or Windows 11, version 21H2 devices, we do not recommend configuring this and instead recommend leveraging the default experience.”

Another relevant Group Policy setting is “Turn off auto-restart for updates during active hours”, which overrides Microsoft’s default “intelligent active hours”, a measure that is calculated on the device based on user usage.

For things like kiosks, billboards and ATMs, owners may wish for no notifications or auto reboots, and prefer to reboot during ‘low visibility’ hours. There are four relevant policies for these devices to avoid notifications that would be useless and disruptive to passive users, as well as reboots during typical active hours. Admins have an option to set the update to occur at 3AM daily, the assumed low visibility hour.

There are some devices that you might not think of as needing a Windows Update, but even admins of factory devices, rollercoasters and critical infrastructure also get advice on how to manage automatic update behavior if needed. As Carley notes: “Machines on the factory floor, rollercoasters at amusement parks, and other critical infrastructure can all require updates. Given the criticality of these devices, it is pivotal that they stay secure, stay functional, and are not interrupted in the middle of a task. Often these are some of the devices in the final wave when rolling out an update after everything else has been validated.” Carley adds: “Note: This is one of the only use cases where compliance deadlines are not recommended given automatic updates are never acceptable in this scenario.”
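As an added example (not code from Microsoft’s post), the script below audits a Windows 10/11 device for the Group Policy settings discussed above and reports which use-case profile it actually matches: untouched defaults, compliance deadlines, active-hours restart suppression, or a daily scheduled install such as the 3AM kiosk pattern. The registry paths and value names are those written by the WindowsUpdate.admx policy templates as I know them, not values listed in the article; run it in an elevated PowerShell session.

```powershell
# Added audit script, not from Microsoft's post. Reads the registry values that the
# Windows Update Group Policy settings write and classifies the device's configuration.
# Value names follow WindowsUpdate.admx (assumed from the templates, not from the article).

$WuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$AuPolicy = "$WuPolicy\AU"

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # $null means the value is not set by policy, so the Windows default applies.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-WindowsUpdateProfile {
    $cfg = [ordered]@{
        # "Configure Automatic Updates" (4 = auto download and schedule the install)
        AUOptions               = Get-PolicyValue $AuPolicy 'AUOptions'
        ScheduledInstallDay     = Get-PolicyValue $AuPolicy 'ScheduledInstallDay'   # 0 = every day
        ScheduledInstallTime    = Get-PolicyValue $AuPolicy 'ScheduledInstallTime'  # hour of day, 0-23
        # "Turn off auto-restart for updates during active hours"
        SetActiveHours          = Get-PolicyValue $AuPolicy 'SetActiveHours'
        ActiveHoursStart        = Get-PolicyValue $AuPolicy 'ActiveHoursStart'
        ActiveHoursEnd          = Get-PolicyValue $AuPolicy 'ActiveHoursEnd'
        # "Specify deadlines for automatic updates and restarts"
        SetComplianceDeadline   = Get-PolicyValue $WuPolicy 'SetComplianceDeadline'
        QualityDeadlineDays     = Get-PolicyValue $WuPolicy 'ConfigureDeadlineForQualityUpdates'
        FeatureDeadlineDays     = Get-PolicyValue $WuPolicy 'ConfigureDeadlineForFeatureUpdates'
        GracePeriodDays         = Get-PolicyValue $WuPolicy 'ConfigureDeadlineGracePeriod'
        # "Display options for update notifications" (2 = disable all notifications)
        UpdateNotificationLevel = Get-PolicyValue $WuPolicy 'UpdateNotificationLevel'
    }

    $findings  = New-Object System.Collections.Generic.List[string]
    $configured = @($cfg.Values | Where-Object { $null -ne $_ }).Count

    if ($configured -eq 0) {
        $findings.Add('Default experience: no Windows Update policies set (the baseline Microsoft recommends for single-user devices).')
    }
    if ($cfg.SetComplianceDeadline -eq 1) {
        $findings.Add(('Compliance deadlines: quality updates forced after {0} day(s), feature updates after {1} day(s), grace period {2} day(s).' -f `
            $cfg.QualityDeadlineDays, $cfg.FeatureDeadlineDays, $cfg.GracePeriodDays))
        # The article notes deadlines are not recommended where automatic updates are never acceptable.
        $findings.Add('Check: deadlines are not recommended for factory, rollercoaster or critical-infrastructure devices; confirm this device is not in that class.')
    }
    if ($cfg.SetActiveHours -eq 1) {
        $findings.Add(('Auto-restart suppressed during active hours {0:00}:00-{1:00}:00 (overrides intelligent active hours).' -f `
            [int]$cfg.ActiveHoursStart, [int]$cfg.ActiveHoursEnd))
    }
    if ($cfg.AUOptions -eq 4 -and $cfg.ScheduledInstallDay -eq 0) {
        $findings.Add(('Scheduled install every day at {0:00}:00 (kiosk / ATM / billboard low-visibility pattern).' -f `
            [int]$cfg.ScheduledInstallTime))
    }
    if ($cfg.UpdateNotificationLevel -eq 2) {
        $findings.Add('All update notifications disabled (intended for passive-user devices only).')
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Settings = $cfg
        Findings = $findings
    }
}

$report = Get-WindowsUpdateProfile
$report.Findings | ForEach-Object { Write-Output $_ }
```

Pipe `$report.Settings` to `Format-Table` to see the raw values next to the findings when a device does not match any of the expected profiles.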



Globant admits to data breach after Lapsus$ releases source code

Globant has admitted to a data breach after notorious hacking group Lapsus$ allegedly leaked the firm’s source code.


Globant is an IT and software development giant. Founded in 2003, the company caters to a global customer base and operates Globant X, an innovation incubator. On March 30, Lapsus$ came back from a ‘vacation’ with a new victim pinned in the hacking group’s Telegram chat: Globant. The cybercriminals are alleged to have compromised the tech giant’s system, stealing credentials and intellectual property. Lapsus$ then published a torrent containing approximately 70GB of data, allegedly including source code belonging to their latest victim. In response, Globant said in a statement that a “limited section of our company’s code repository has been subject to unauthorized access.”

“According to our current analysis, the information that was accessed was limited to certain source code and project-related documentation for a very limited number of clients,” Globant says. “To date, we have not found any evidence that other areas of our infrastructure systems or those of our clients were affected.”

Globant added that an investigation is underway and the firm is “taking strict measures to prevent further incidents.”

Other high-profile organizations connected to Lapsus$ attacks are Okta and Sitel. First, Okta was the subject of screenshots circulated online by the hacking group on March 22. Okta pointed the finger at Sitel, a third-party Okta subprocessor, as the source of the security incident, which happened in January. Okta said that up to 366 customers might have been impacted by the security breach, adding that the company “made a mistake” in not informing clients sooner. The FBI has now placed Lapsus$ on its Most Wanted list and seeks information on the group’s members. Earlier this month, UK law enforcement arrested seven teenagers, the youngest being 16 years old, who are suspected of being involved in a criminal hacking group. A 16-year-old from Oxford has also been accused of having ties with Lapsus$, but no formal connection has been made to the operation.


Australia's second tranche of cyber laws passes both Houses

Australia’s second tranche of cyber laws has passed through both houses of Parliament, meaning entities running “systems of national significance” will soon be beholden to enhanced cybersecurity obligations that could force them to install third-party software. Home Affairs Minister Karen Andrews said the laws would boost the security and resilience of Australia’s critical infrastructure.

“Throughout the pandemic, Australia’s critical infrastructure sectors have been regularly targeted by malicious cyber actors seeking to exploit victims for profit, with total disregard for the community and the essential services we all rely on,” Andrews said. “The Bill builds on the Morrison Government’s strong support for our national security agencies announced in Tuesday’s Federal Budget, to make Australia stronger and keep Australians safe in an increasingly uncertain world.”

Australia’s parliamentary body tasked with reviewing cyber laws threw its support behind these laws last week, saying the laws would create a standardised critical infrastructure framework to make it easier for government and industry to approach cyber attacks in a precautionary fashion.

The laws, packaged in the Security Legislation Amendment (Critical Infrastructure Protection) Bill 2022, were initially meant to be part of the initial tranche of cyber laws for critical infrastructure entities that were enshrined last year. They were eventually left out of the first set of laws, however, due to the federal government wanting further consultation from industry on how to co-design a critical infrastructure regulatory framework.

Along with enhanced cybersecurity obligations, the critical infrastructure reforms will require critical infrastructure entities to maintain a risk management program for identifying hazards to critical infrastructure assets and the likelihood of them occurring. In addition, entities will have to submit an annual report about the risk management program and whether any hazards had a significant impact on critical infrastructure assets.

Home Affairs Secretary Mike Pezzullo previously said the costs for running the risk management program, on average, would set entities back a one-off AU$9.7 million payment to set the program up and an annual ongoing cost of AU$3.7 million. In terms of where the critical infrastructure reforms sit in the big picture, the reforms and the ransomware action plan will act as the federal government’s primary regulatory efforts for bolstering Australia’s cybersecurity posture. They sit separately from the Coalition’s newly proposed AU$9.9 billion cybersecurity program that was announced in the federal Budget, which is primarily focused on providing more resources to the Australian Signals Directorate.


Additional Budget funds for AFP to be used for deploying 'hacking' Bill warrants

Australian Federal Police (AFP) Commissioner Reece Kershaw told senators on Thursday morning that additional funding from this year’s Budget would allow his law enforcement agency to start deploying the warrant powers it received in recently passed “hacking” laws shortly. Outlined in the annual federal Budget released on Tuesday night, the Coalition plans to hand over AU$142.2m across four years to the AFP for upping its specialist operational, intelligence, collection, and criminal asset confiscation capabilities, which includes these new warrants. The Surveillance Legislation Amendment (Identify and Disrupt) Bill 2020 was enshrined late last year, giving the AFP the ability to issue three types of warrants. The first of the warrants is a data disruption one, which can be used to prevent “continuation of criminal activity by participants, and be the safest and most expedient option where those participants are in unknown locations or acting under anonymous or false identities”. The second is a network activity warrant that would allow the AFP and ACIC to collect intelligence from devices that are used, or likely to be used, by those subject to the warrant. The last warrant is a hostile account takeover warrant that would allow the agencies to take control of an account for the purposes of locking a person out of the account. Kershaw told senators that the hostile account takeover warrant would primarily be used in child protection in instances where predators refuse to hand over their identity. He added that the funding would hopefully allow the AFP to become better equipped at monitoring how criminals use cryptocurrencies.
“The environment is getting more complex with cryptocurrencies so this will help us with identifying where the money and the flows [are] in the Australian system, at least, where we can work with AUSTRAC, Home Affairs, our other partner agencies, the Australian Criminal and Intelligence Commission, and Australian Border Force on dealing with hitting them where it hurts,” Kershaw said.

The Department of Home Affairs in recent years has steadily pushed for law enforcement agencies, such as the AFP, to receive more powers. Alongside these new warrants, the AFP gained the ability to request or demand assistance from communications providers to access encrypted communications last year. Last week, the AFP also launched a new AU$89 million cybercrime centre. With the increased powers and resources, Kershaw said the AFP has seized, on average, AU$250 million in criminal assets annually over the past two years. By comparison, the AFP previously seized around AU$60 million worth of criminal assets per year. Given these new capabilities, the AFP is now considering a “stretch target” of seizing AU$1 billion of criminal assets per year.

Last night, the AFP also set up a new taskforce specifically for protecting high-office holders and parliamentarians in the upcoming federal election, which is expected to be held in May. Among its numerous responsibilities, the taskforce will monitor online material that targets these key figures.

“Hiding behind a keyboard to issue threats against politicians does not ensure anonymity,” the AFP said. “The AFP has world-leading technology to identify individuals who break the law by harassing, menacing or threatening to kill politicians.” The taskforce, consisting of hundreds of investigators, intelligence officers, and protective security specialists, will conduct its operations in a new “incident coordination centre”.


Viasat: Feb. cyber attack impacted tens of thousands of customers in Ukraine, Europe

Satellite communications giant Viasat on Wednesday shared new information from its investigation into the February cyberattack that took down service for broadband customers in Ukraine and across Europe. The company confirmed the “multifaceted and deliberate” attack impacted “several thousand” customers in Ukraine and tens of thousands of other fixed broadband customers across Europe.


The incident against Viasat’s KA-SAT network took place on Feb. 24, the same day that Russia invaded Ukraine. According to Viasat’s incident summary, a targeted denial of service attack was first detected when high volumes of focused, malicious traffic made it difficult for many modems to remain online. The traffic emanated from several SurfBeam2 and SurfBeam 2+ modems and/or associated customer premises equipment physically located within Ukraine. “We believe the purpose of the attack was to interrupt service,” Viasat said. “There is no evidence that any end-user data was accessed or compromised, nor customer personal equipment (PCs, mobile devices, etc.) was improperly accessed, nor is there any evidence that the KA-SAT satellite itself or its supporting satellite ground infrastructure itself were directly involved, impaired or compromised.”

The attack was localized to a single, consumer-oriented partition of the KA-SAT network operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic. It didn’t impact Viasat’s directly managed mobility or government users on the KA-SAT satellite, nor did it affect users on other Viasat networks.

The investigation and forensic analysis of the event identified a ground-based network intrusion by an attacker who gained remote access to the trusted management segment of the KA-SAT network. The attacker apparently gained that access by exploiting a misconfiguration in a VPN appliance. The attacker then used their network access to execute legitimate, targeted management commands on a large number of residential modems simultaneously.

Viasat said that it’s still working with the wholesale distributors of its services to bring their customers back online. Some customer modems promptly received over-the-air updates, while other customers are getting new modems entirely. Viasat has already shipped tens of thousands of replacement modems to distributors, the company said. The California-based company said it’s working with Eutelsat/Skylogic, as well as the cybersecurity firm Mandiant and law enforcement and government agencies, to continue its investigation into the attack.


Two-factor authentication is a great idea. But not enough people are using it

Hackers can easily use stolen usernames and passwords to conduct cyber attacks because many online accounts still don’t use two-factor authentication controls designed to help keep them safe.

Two-factor authentication (2FA), or multi-factor authentication (MFA) as it’s alternatively known, is one of the key methods which individual users and wider organisations can use to help protect their online accounts from being hacked, even if their login credentials have been leaked or stolen. However, according to the DCMS Cyber Security Breaches Survey 2022, only around a third of organisations have any requirement for two-factor authentication on user accounts: the figure stands at 37% for businesses and 31% for charities. That means that around two thirds of organisations don’t have any rules around two-factor authentication at all, so employees are unlikely to be using it, leaving their user accounts vulnerable to cyber attacks and hacking.

Two-factor authentication creates an additional layer of protection, requiring users to use a text message, app or hardware key to confirm that it’s really them attempting to log in to their account. This can help to stop cyber criminals from logging into online accounts with breached or stolen passwords. But with so few users equipping accounts with two-factor authentication, cyber criminals could directly access accounts if they’ve got the login credentials, whether the username and password are stolen using a phishing email, guessed because they’re weak or taken from a previous data dump. Breached accounts, particularly those accessed using Remote Desktop Protocol (RDP), can be used to steal additional information, or be quietly used to move around the network and lay the foundations for a malware or ransomware attack.

Two-factor authentication is more widely used in some sectors than it is in others. For example, the DCMS data says there are policies in place in around two thirds of businesses in information and communications, while under one in five businesses within the food and hospitality sector have rules around it. Other industries with low uptake of two-factor authentication are utilities, production, and manufacturing, where only 28% of businesses have any policies in place. These critical industries are already a tempting target for cyber criminals, particularly ransomware gangs, and the lack of additional protections on accounts leaves them even more vulnerable.

At a time when the government is urging organisations to be wary of cybersecurity threats, more needs to be done to ensure that two-factor authentication and other cybersecurity measures, like applying security patches in a timely manner, using strong passwords and keeping anti-virus software up to date, are in place. “It is vital that every organisation take cyber security seriously as more and more business is done online and we live in a time of increasing cyber risk,” said Cyber Minister Julia Lopez. “No matter how big or small your organisation is, you need to take steps to improve digital resilience now and follow the free government advice to help keep us all safe online.” The National Cyber Security Centre (NCSC) also offers advice to businesses and individual users on how to keep accounts secure and how to stay safe online.