Auditor finds WA Police accessed SafeWA data 3 times and the app was flawed at launch

The Auditor-General of Western Australia has handed down her report into the state’s COVID-19 check-in app, SafeWA, revealing that not only did police access its data, but the app had a number of flaws when it was released.

WA Health delivered the SafeWA app in November 2020 to carry out COVID contact tracing.

In its report [PDF], the Office of the Auditor-General (OAG) said it was concerned about the use of personal information collected through SafeWA for purposes other than COVID contact tracing. In mid-June, the WA government introduced legislation to keep SafeWA information away from law enforcement authorities after it was revealed the police force used it to investigate “two serious crimes”. The public messaging around the app was that it would be used only for COVID contact tracing purposes.

“In March 2021, in response to our audit questioning around data access and usage, WA Health revealed it had received requests and policing orders under the Criminal Investigation Act 2006 to produce SafeWA data to the WA Police Force,” the report said. The WA Police Force ordered access to the data on six occasions and requested access on one occasion. The orders were issued by Justices of the Peace after application by the WA Police Force.

The WA Police Force was granted orders to access SafeWA data for matters under investigation, including an assault that resulted in a laceration to the lip, a stabbing, a murder investigation, and a potential quarantine breach.

The OAG said WA Health ultimately provided access in response to three of the orders before the passage of the legislation. Applications made to WA Health on December 14, December 24, and March 10 were provided to the cops; applications on February 24, April 1, May 7, and May 27 were not.

The SafeWA Privacy Policy, which users are required to agree to prior to use, details that WA Health collects, processes, holds, discloses, and uses personal information of people who access and use the SafeWA mobile application. The OAG said it also states that information on individuals may be disclosed to other entities such as law enforcement, courts, tribunals, or other relevant entities.

The information that SafeWA captures includes sensitive personal information such as name, email address, phone number, venue or event visited, time and date, and information about the device used to check in. As of 31 May 2021, over 1.9 million individuals and 98,569 venues were registered in the SafeWA application. The total number of check-in scans between December 2020 and May 2021 exceeded 217 million.

In addition to police accessing contact tracing data, shortly after the initial release of SafeWA, the app suffered a system outage due to poor management of changes, with the OAG saying this put the availability of SafeWA at risk.

“WA Health has addressed this risk and continues to manage the vendor contract which has required changes as the state’s strategy on the use of SafeWA has evolved,” the report said.

The app was delivered by GenVis and is hosted in the Amazon Web Services (AWS) cloud. The total contract value was initially AU$3 million, but it has since risen to AU$6.1 million over three years.

GenVis said it has processes in place to delete check-in data 28 days after collection. Should a member of the public test positive for COVID-19 or qualify as a close contact, WA Health may store a subset of the data relevant to that case indefinitely. The OAG said this is contrary to WA Health’s logging and monitoring standard, which requires retention for at least seven years and, where possible, for the lifecycle of the system.

Of further concern to the OAG was that WA Health does not monitor SafeWA access logs to identify unauthorised or inappropriate access to SafeWA information.

The OAG also raised issues with WA Health and GenVis’ ability to only request, not enforce, that AWS not transfer, store, or process data outside Australia.

WA Health uses provider-managed encryption keys for SafeWA, which are stored in the AWS database, instead of self-managed keys where the cloud provider has no visibility or access to them. “WA Health advised us that the current solution is required so that AWS can access keys through software to perform platform maintenance and support the vendor with technical issues,” the report said. “Although the likelihood is low, the cloud provider could be required to disclose SafeWA information to overseas authorities as it is subject to those laws.”

Prior to going live, WA Health identified that SafeWA registration could be completed with an incorrect number or someone else’s phone number, the OAG added. “This was because SafeWA did not fully verify a user’s phone number during the registration process,” it said. “Due to the timing of SafeWA development and WA Health’s need to balance risk with implementation, this issue was only partially resolved prior to going live. The remaining weaknesses could be exploited to register fake accounts and check-ins.”

The issue was resolved in February.

It was not just the cops that may have accessed contact tracing data, however, with the OAG noting it was also concerned about the limited communication around WA Health’s use of personal information collected by other government entities, including Transperth SmartRider, Police G2G border crossing pass data, and CCTV footage, in its contact tracing efforts.

During the audit, the OAG also identified that WA Health’s Mothership and Salesforce-based Public Health COVID Unified System (PHOCUS) access SafeWA data. “When WA Health receives confirmation of a positive COVID-19 case from a pathology clinic, it uses PHOCUS to collate data relevant to the case from several sources,” the report said. “WA Health has not provided enough information to the community about other personal information it accesses to assist its contact tracing efforts.”

The Mothership contact tracing application, the OAG said, has security weaknesses, including a weak password policy and inconsistent use of multi-factor authentication. The OAG is preparing a separate report focused on the Mothership and PHOCUS.

Regulations against ransomware payment not ideal solution

With ransomware attacks increasing, legislation has been mooted as a way to bar companies from paying up and further fuelling such activities. In this second piece of a two-part feature on ransomware, ZDNet looks at how such policies can be difficult to enforce and may result in more dire consequences.

Regulations that compelled victims not to pay up could put these businesses in a precarious position, said Steve Turner, a New York-based Forrester analyst who focuses on security and risk. For one, any debate over whether to pay up would be muted when physical lives were at stake. Turner pointed to ransomware attacks that brought down critical infrastructure systems such as power and healthcare, impacting the likes of US Colonial Pipeline, Ireland’s Health Service Executive, and Germany’s Duesseldorf University Hospital.

The US pipeline operator paid almost $5 million in ransom, the bulk of which was later recovered by authorities, while the Irish healthcare operator refused to pay and spent weeks struggling to recover from the attack, affecting hundreds of patients. The Duesseldorf hospital’s inability to function also indirectly caused the death of a patient whose treatment was delayed because she had to be rerouted to a hospital further away.

Capgemini’s Southeast Asia head of cybersecurity Hamza Siddique noted that threat actor groups now had such great success in inflicting critical impact on their victims that it left these organisations with few viable options other than to pay up. “Paying the ransom may be the less expensive option for a cash-strapped company than engaging in the painstaking [task of] rebuilding company systems and databases,” Siddique said in an email interview. “Other entities may choose to pay the threat actor in hopes of avoiding the public release of sensitive information, which may lead to bankruptcy or legal issues.”

He advised victims to make “informed decisions” on whether to fork out the ransom or embark on the more difficult path of building from scratch. Paying the ransom not only encouraged threat actors to engage in future ransomware attacks, but also provided funds for these groups to act against nations, governments, and foreign policy interests, he noted.

On whether penalties should be imposed on companies that chose to pay the ransom, he said this decision should be made in line with the country’s IT policy and cost-benefit analysis. Foremost, emphasis should be on not paying, Siddique said, adding that this should be the case if the impact on the business was low. However, if the impact could lead to bankruptcy or major legal issues, organisations should be allowed to decide if they wanted to pay the ransom, he said.

Acronis’ CISO Kevin Reed noted that in the short term, regulations that outlawed ransom payment could have significant adverse effects, but in the long term might have an overall positive impact. He said in a video interview that cybercriminals were interested mainly in financial gains and if they faced increasing obstacles in their efforts to extract money, they would stop doing it. However, he cautioned, criminals tended to be creative in how they extorted money, moving from one plan to another until they succeeded in their goal.

Regulations on cryptocurrency also not fool-proof

CYFIRMA CEO and Chairman Kumar Ritesh suggested that regulations should instead focus on virtual currencies, since these were used to orchestrate ransom payments. Cryptocurrency exchanges or trading firms could be mandated to provide information to the relevant authorities so transactions or accounts with the targeted unique identifiers could be blocked or frozen, Ritesh said in a video interview. Without a trading platform on which to complete the transaction, cybercriminals would find it more difficult to convert their virtual currencies into fiat money.

Turner noted that there already were regulations governing legitimate cryptocurrency trading platforms such as Coinbase, which included intricate identification processes before transactions were processed. Such policies that identified movements across these cryptocurrency hubs could help cut down illicit activities conducted by regular scammers who were not very tech-savvy. However, threat actor groups behind the recent massive ransomware attacks were not run-of-the-mill criminals, the Forrester analyst said in a video interview.

For one, they would not be trading cryptocurrencies through common digital wallets. They typically had the skillsets to quickly move and launder these currencies, much like any organised crime operation, so these could be “clean” for use in the real world, he said.

Furthermore, Turner added that cybercriminals would simply use alternative payment modes should more regulations be introduced to monitor cryptocurrency transactions or bar companies from paying ransoms. “Attackers will just find another payment mechanism that hasn’t been outlawed,” he said. “It could be something as [innocuous] as Walmart gift cards, as long as it doesn’t enable hackers to be traced and allows companies to pay the ransom. Outlawing [the use of] cryptocurrency will only put ransomware victims in a bad position.”

Turner noted, though, that some form of regulation could raise the collective security posture of companies across the board, since there would be stronger motivation to avoid being put in a position where they would be held to ransom.

Policies needed to ensure vendors continue critical support

Regulations also may be necessary to ensure businesses remain protected when vendors cease support for IT products and systems. For example, Western Digital in June advised users of its My Book Live and My Book Live Duo to unplug their devices from the internet following a series of remote attacks that triggered a factory reset, wiping out all data on the device. The breach was due to a vulnerability that was introduced in April 2011 through a coding oversight. Launched in 2010, the portable storage devices were issued their final firmware update in 2015, after which Western Digital discontinued support for the products. The storage vendor later provided data recovery services for customers who lost data as a result of the attacks.

Siddique noted that organisations today were mostly digital in nature and highly dependent on vendors and suppliers to provide support as well as reliable products over a longer period of time, and even after these systems were discontinued. “It’s imperative that there should be policies in place for a vendor to provide minimum support for discontinued product lines, considering the client may not be in a position to upgrade their software or may have certain dependency on the old version of the products,” he said.

There should be clearly defined policies for such support to be provided for a specific minimum number of years after a product’s market release, he suggested. Vendors also should be expected to provide information on upcoming product releases and ease migration to new products. He said changes could be made in the SLA (service level agreement) and, if it was not viable for vendors to maintain a support team for discontinued products, there should be a minimum requirement for such provisions based on the severity of security vulnerabilities.

At the very least, Turner noted, vendors that chose to continue to support online services linked to their products should then also continue to offer support for the actual products. Otherwise, these online services should be disabled, he said, noting that Western Digital should have disabled the remote access or online services for the My Book models when it cut support for the products in 2015. “If there are no eyes on it, someone is going to exploit it,” the analyst said. He added that the optics would not look good for a manufacturer of data storage products to suffer a breach of this scale.

Any potential regulation here could look at requiring vendors to support a product as long as they supported the services that required the product to connect to the internet, he said. However, Reed suggested that such policies, if introduced, should apply only to critical systems such as medical and industrial control systems. He noted that some hospitals today operated MRI (magnetic resonance imaging) machines that ran on old versions of Windows that were no longer supported by Microsoft, and these machines could impact actual lives, he said. While he agreed that software vendors should take more responsibility for their products, he said legislation was not necessary for all sectors.

Constant review of third-party security critical as ransomware threat climbs

Lulled into complacency, businesses face risks of supply chain attacks even after they have done their due diligence in assessing their third-party suppliers’ security posture before establishing a partnership. In this first piece of a two-part feature on ransomware, ZDNet discusses the need for continuous review of all touchpoints across the supply chain, especially those involving critical systems and data.

Enterprises typically would give their third-party suppliers “the keys to their castle” after carrying out the usual checks on the vendor’s track record and systems, according to Steve Turner, a New York-based Forrester analyst who focuses on security and risk. They believed they had done their due diligence before establishing a relationship with the supplier, Turner said, but they failed to understand that they should be conducting reviews on a regular basis, especially with their critical systems suppliers.

“Anyone who has the keys to the castle, we should know them in and out and have ongoing reviews,” he said in a video interview with ZDNet. “These are folks that are helping you generate revenue and, operationally, should be held accountable [to be] on the same level as your internal security posture.”

Third-party suppliers should have the ability to deal with irregular activities in their systems and the appropriate security architecture in place to prevent any downstream effects, he added.

Capgemini’s Southeast Asia head of cybersecurity Hamza Siddique noted that technical controls and policies established by third-party or supply chain partners did not always match up to their clients’ capabilities. This created another attack surface or easy target on the client’s network and could lead to risks related to operations, compliance, and brand reputation, Siddique said in an email interview.

To better mitigate such risks, he said Capgemini recommends a third-party risk management strategy that pulls best practices from NIST and ISO standards. It encompasses, amongst others, the need to perform regular audits, plan for third-party incident response, and implement restricted and limited access mechanisms. The consulting firm’s service portfolio includes helping its clients build a strategy around detection and analysis as well as containment and recovery.

Turner urged regular reassessments of third-party systems or, if this could not be carried out, for organisations to have in place tools and processes to safeguard themselves against any downstream attacks. “There needs to be inherent security controls so if something goes off baseline, these can react to ensure [any potential breach] doesn’t spread. A zero trust architecture delivers on that,” he said. “Suppliers have an inherent trust relationship [with enterprises] and this needs to stop.”

Steve Ledzian, FireEye Mandiant’s CTO and Asia-Pacific vice president, acknowledged that it was challenging to prevent supply chain attacks because these looked to abuse an existing level of trust between organisations and their third-party vendors. However, he said there still were opportunities to detect and mitigate such threats since hackers would need to carry out other activities before launching a full attack. For instance, after successfully breaching a network via a third-party vendor, they would need to map out the targeted organisation’s network, identify the systems that held critical data, and figure out the privileged credentials they needed to steal to gain access, before they could move laterally within the network.

“Once the hacker is in your network, and you’re in detection mode, you have the opportunity to identify and stop them before they are able to breach your data,” Ledzian said in a video interview, stressing the importance of tools and services that enabled enterprises to quickly detect and respond to potential threats. Their defence strategy against ransomware attacks also should look beyond simply purchasing products and into how systems were configured and architected. The main objective here was to bolster the organisation’s resilience and ability to contain such attacks, he added.

Acronis’ CISO Kevin Reed also noted that the majority of attacks today still were neither highly sophisticated nor zero-day attacks. Attackers typically needed time and effort after identifying a vulnerability to develop an exploit for it and to make it work successfully. Reed said in a video interview that hackers usually would take several days to develop a workable exploit and this task was increasingly more difficult with modern software architectures. “So it takes time to weaponise a vulnerability,” he said, adding that even highly skilled hackers would take 72 hours to do so. This meant organisations should act quickly to plug any vulnerabilities or deploy patches before exploits were available.

He advocated the need for organisations to assess their suppliers’ security posture, validating and cross-verifying that these third-party vendors had the right processes and systems in place. This might be more challenging for small and midsize businesses (SMBs) that did not have the resources or expertise to do so, he noted. Reed added that these companies typically depended on their managed service providers to fulfil the responsibility. Here, he underscored the need for managed service providers to step up, especially in the wake of the Kaseya attack.

Increased partnership between hackers a worrying trend

Ransomware attacks, though, may be primed to get more sophisticated and deployed more quickly in future, as they are no longer developed by a single hacker. According to Ledzian, cyberattacks increasingly are broken down into different parts and delivered by different threat actors specialised in each piece of the attack. One might be tasked to build the malware, while other affiliates focused on reconnaissance and breaching a network and developing the exploit. “When you have specialised skillsets, then each component is more competent,” he cautioned.


Sherif El-Nabawi, CrowdStrike’s Asia-Pacific Japan vice president of engineering, also highlighted the rise in teamwork amongst cybercriminals and the emergence of ransomware-as-a-service. Describing this as an alarming trend, El-Nabawi noted that five or six separate groups specialised in all aspects of a ransomware chain could band together, so a single group no longer needed to develop everything on its own. Such partnerships could entice more threat actor groups to come into play and fuel the entire industry, he said.

Ledzian added that ransomware attacks also had evolved into multi-faceted exploitation, with cybercriminals realising data theft would have a more severe impact on businesses than a service disruption. Having data backups would no longer be sufficient in such instances, as attackers gained greater leverage over businesses concerned about threats to make confidential data public, he said.

According to CYFIRMA CEO and Chairman Kumar Ritesh, cybercriminals were moving their targets towards young companies and large startups with access to large volumes of personal data, such as developers of “super apps” and mobile apps. He further pointed to increasing focus on OT (operational technology) systems, such as oil and gas and automotive, as well as process manufacturing industries. In particular, Ritesh told ZDNet that there was growing interest in autonomous and connected vehicles, whose dashboards enabled users to access their smart home and Internet of Things (IoT) systems. Some of these systems, he noted, lacked basic security features, with communication links between car and home systems left unsecured and at risk of being exploited.

Cybercriminals also were shifting focus towards individuals and high-level influencers, such as employees working in their organisation’s product research team or who had privileged credentials that gave them access to critical data and systems, he said. With remote work now the norm amidst the global pandemic, he added that such risks were exacerbated as personal devices that were not adequately secured could be easily breached to give hackers access to a company’s network and its intellectual property.

COVID-19 vaccine portal for Italy's Lazio region hit with cyberattack

The government of Lazio, Italy took to Facebook this weekend to notify residents of a cyberattack that hit the region’s portal for COVID-19 vaccinations and other IT systems. In a translation of the message posted to the official Lazio government Facebook page, officials said a “powerful” attack had hit the region’s databases on Sunday and that all systems were disabled, including the Salute Lazio portal and the system that managed the COVID-19 vaccine bookings.

They added that vaccination operations may experience delays because of the attack. Government officials did not say if it was a ransomware attack.

Nicola Zingaretti, president of the Lazio Region, also took to Facebook to let residents know that they still had not identified the people behind the attack, but he noted that the attack was “of criminal origin.” Zingaretti explained that the initial attack took place on Saturday night into Sunday morning and that it “blocked almost all of the files in the data center.”

“At the moment the system is shut down to allow internal verification and to prevent the spread of the virus introduced with the attack. LazioCrea informs us that health data is safe, as well as financial and budget data,” Zingaretti said. “We are migrating essential services to external clouds to make them operational as soon as possible. 112, 118, Emergency Department, Transfusion Center and Civil Protection are safe and are providing services regularly. The situation is serious and we immediately alerted the Postal Police and the highest levels of the State, which we thank.”

He later told a press conference that the region was facing an attack “of a terrorist nature” and called it a criminal offensive that is “the most serious that has ever occurred” on Italian territory. “The attacks are still taking place. The situation is very serious,” he said, according to ANSA.

A source told the news outlet that the cyberattackers gained access to the system using the profile of an administrator. Through the stolen profile, they were able to activate a “crypto-locker” malware that “encrypted the data on the system,” the source said. CNN reported that local officials have received a ransom demand.

Lazio Region president Nicola Zingaretti visits a local hospital after the cyberattack. (Screenshot of Nicola Zingaretti’s Facebook page)

In subsequent messages, Zingaretti praised officials in Lazio who continued the COVID-19 vaccination drive in spite of the attack. He announced that the region had reached a milestone of having 70% of the adult population vaccinated. Lazio region’s health manager Alessio D’Amato told Reuters that the attack was “very serious” and that “everything is out.” A state news agency said prosecutors in Rome and other law enforcement bodies are looking into the attack.

The local government used Facebook to update residents about the COVID-19 situation in the region and said that due to the IT systems being down, they were only able to share data about new COVID-19 positive cases, deaths and hospitalizations. Even though most IT systems were offline, some had been restored, including emergency networks, time-dependent networks, and hospital systems. The local government reiterated that the vaccination drives would continue in spite of the attack.

“The vaccination campaign won’t stop! Yesterday, 50,000 vaccines were administered, despite the biggest cyberattack suffered. Until August 13th, there are over 500,000 citizens who have their reservation and can go to the administration centers on the date and time indicated above,” government officials wrote on Facebook. “Technicians are working to safely reactivate new bookings as well and no data has been stolen. We’re in constant contact with the commissioner’s structure to ensure vaccination users have a green pass as usual.”

In another message, Lazio officials reiterated that the hacker failed to stop the Lazio vaccination campaign. “We will not stop in the face of this attack,” the officials wrote.

Throughout the COVID-19 pandemic, cybercriminals routinely attacked hospitals and healthcare facilities with ransomware, knowing they would be more likely to pay ransoms due to the need for lifesaving medical technology. Multiple countries, like Ireland and New Zealand, are still in the process of recovering from devastating ransomware attacks that crippled their hospital IT systems for weeks.

CDW acquires cybersecurity company Focal Point Data Risk

Technology giant CDW announced the acquisition of cybersecurity company Focal Point Data Risk for an undisclosed amount. Christine Leahy, CEO of CDW, said adding Focal Point’s “array of security consulting, customer workforce skills development and professional services capabilities” would help expand the company’s portfolio and enhance its ability to “address risks posed by malicious cyber threats and cyber workforce shortages, while helping customers successfully navigate shifting data protection laws.”

“Helping our customers leverage technology to protect their most critical data is core to our mission,” Leahy said.

In a statement, Focal Point said it has a variety of customers across “highly regulated and complex” industries such as government, financial services and healthcare. The company prioritizes identity and access management as well as cloud security and DevSecOps.

Focal Point CEO Brian Marlier said the two companies are “well-aligned with shared values and a reputation for exceeding customer expectations.”

“For our customers and coworkers, joining CDW creates a meaningful opportunity to build a world that is secure by design and protected by default,” Marlier said. “More than ever, our customers need us to mitigate risk as they progress their digital journey.”

Another CDW executive, senior vice president Andy Eccles, added that the company was increasingly focused on a cloud-first approach with customers, making it essential that it offer identity management and data protection services which support the full technology lifecycle.

“With the Focal Point team joining forces with CDW, our intent is clear – to deliver the industry’s best customer experience as we use our unparalleled expertise to protect our customers today and in the future,” Eccles said.

  • in

    Windows 11 is the COVID-19 vaccine for your PC

    We all know that one person who means well and has good intentions but doesn’t have the best communication skills. Perhaps, it’s a politician or a world leader that you know. They’ll tell you to do something because it’s for your own good and that if you don’t do it voluntarily, there’s an imminent danger that bad things will happen. 

    ZDNet Recommends

    For example, if you do not get your COVID-19 vaccine, and you do not wear a mask in public places, with this new Delta variant, you stand a very good chance of becoming infected, possibly very ill with long-standing effects, and maybe become hospitalized and even die.  Also: Windows 11 FAQ And at the very least, even if you don’t become ill, even if you are asymptomatic, you can become an active spreader of something that can potentially harm many other people, possibly those who are close to you. Getting your COVID-19 vaccine is called being proactive. Wearing your mask is acting responsibly. We don’t always like listening to people of authority, especially when we are asked to do something that doesn’t have immediately visible, tangible benefits. Doing things proactively, such as getting a COVID-19 vaccine and wearing a mask, requires having faith in someone being supplied with superior knowledge and expertise, such as a world leader or public health expert. However, as we know, not everyone in a position of authority and possessing subject matter expertise is so polished they can package a message like this and make it palatable to every end-user. 

    With its Windows 11 rollout, Microsoft is not entirely different from that unpolished world leader or politician. Its communication skills have left room for improvement related to this significant and critical Windows upgrade. That’s something I think everyone covering this industry can agree on. We know it means well, we know it has the expertise, but people will still challenge it and get all huffy when they are being told that Windows 11 is an essential upgrade related to securing the PC platform from advanced malware threats.  But to take advantage of the new security capabilities that shield you from these threats, your PC hardware needs to be able to support it. And that is not a message people want to hear. Unfortunately, many legacy PCs, regardless of what antivirus solutions they may run and regardless of how functional and how fast they still run their application workloads, are highly vulnerable to these threats. And as they are not eligible for the Windows 11 upgrade, they are effectively immunocompromised. Just like getting a COVID-19 vaccine and wearing a mask is proactive, so are the architectural changes required to upgrade to Windows 11. And in some cases, implementing those is going to need investment in new PC hardware. It will also require investing in further training and, potentially, some new deployment tools. It’s going to cost some money. But as we know, implementing security changes in your large organization, small business, and consumer space is also not easy to sell. Anything that helps ensure business continuity and strengthen security resiliency from a threat that isn’t immediately visible will fall on deaf ears to all but the most cautious and conservative IT organizations, let alone end-users. 

    How many companies or individuals have we encountered as professionals who run their environments with no or untested backups, haven’t run a complete continuity and DR test in years, and then get burned for it? I mean, how many people did we know who ran with no antivirus or firewall for years before it was built into the foundational IT infrastructure, because they didn’t want to pay for it or just felt it was a nuisance? I have dozens of stories to tell about this from my 30-year career as a former IT architect and consultant. It’s tough to sell hardened security or any form of protection as the defining feature to the entire user population. So Windows 11 is also being released with an exciting new user interface to entice them to upgrade, whether by opting in on hardware that can already accommodate the new OS or by upgrading to new PCs. Is this going to cost money for most organizations? Yes. Are a lot of end-user PCs going to need upgrades, costing people money? Yes. Spending money is painful, especially if we are talking about an upgrade to something strictly preventative in nature. But do you know what is even more painful? A compromise — one which results in reputation loss, such as a publicly visible one that gets your organization on the news, such as a ransomware attack that holds all your IT assets hostage and stops your business cold for days. Such an attack makes you and your company look stupid for not remediating it when it could have been prevented. Best case scenario in this situation? Your customers think you’re a bunch of incompetent idiots. Worst case? A business-ending event. The good news is that, like the Pfizer and Moderna COVID-19 vaccines, you can get the first “shot” now. If your hardware supports Secure Boot, virtualization-based security (VBS), and Hypervisor-protected Code Integrity (HVCI, shown as Memory Integrity under Core Isolation), you can turn them on in Windows 10 today. And when Windows 11 arrives in October or November, get that second shot. And if any of your systems aren’t eligible, replace them. Immediately. Because that’s the proactive and responsible thing to do.
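Before taking that first “shot”, a practitioner wants to know which of these protections a given PC already has on and which it can support. The following PowerShell check is an added example, not code from the column or from Microsoft; it only reads state through the stock `Confirm-SecureBootUEFI` cmdlet and the documented `Win32_Tpm` and `Win32_DeviceGuard` WMI classes, and changes nothing on the machine. The function name `Get-PlatformSecurityState` and the `FirstShotComplete` verdict are my own choices. Run it in an elevated PowerShell session on Windows 10 or later.

```powershell
# Added example (not from the column or from Microsoft): a read-only readiness
# check for Secure Boot, TPM 2.0, VBS and HVCI (Memory Integrity) on one PC.
# Requires an elevated session; Confirm-SecureBootUEFI refuses to run otherwise.

function Get-PlatformSecurityState {
    $state = [ordered]@{}

    # Secure Boot. Confirm-SecureBootUEFI throws on legacy BIOS machines, so an
    # exception is reported as "not enabled" rather than as a script failure.
    try {
        $state.SecureBootEnabled = [bool](Confirm-SecureBootUEFI)
    } catch {
        $state.SecureBootEnabled = $false
    }

    # TPM presence and spec version. Windows 11 requires TPM 2.0. SpecVersion is a
    # string such as "2.0, 0, 1.16"; the first field is the one that matters.
    $tpm = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $state.TpmPresent     = [bool]$tpm
    $state.TpmSpecVersion = if ($tpm) { ($tpm.SpecVersion -split ',')[0].Trim() } else { 'none' }

    # VBS and HVCI state from the Device Guard WMI class.
    #   VirtualizationBasedSecurityStatus: 0 = off, 1 = enabled but not running, 2 = running
    #   SecurityServicesRunning:           1 = Credential Guard, 2 = HVCI (Memory Integrity)
    #   AvailableSecurityProperties:       1 = hypervisor support present (base VBS requirement)
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $state.VbsHardwareCapable = [bool]($dg -and ($dg.AvailableSecurityProperties -contains 1))
    $state.VbsRunning         = [bool]($dg -and ($dg.VirtualizationBasedSecurityStatus -eq 2))
    $state.HvciRunning        = [bool]($dg -and ($dg.SecurityServicesRunning -contains 2))

    # One verdict for fleet reporting: Secure Boot on, TPM 2.0 present, VBS and HVCI running.
    $state.FirstShotComplete = (
        $state.SecureBootEnabled -and
        ($state.TpmSpecVersion -like '2.*') -and
        $state.VbsRunning -and
        $state.HvciRunning
    )

    [pscustomobject]$state
}

Get-PlatformSecurityState | Format-List
```

A machine that reports `VbsHardwareCapable` true but `HvciRunning` false is the “can get the shot today” case: Memory Integrity can be switched on from Windows Security under Device security > Core isolation, after which the function should report `HvciRunning` true following a reboot. A machine where `SecureBootEnabled` is false or `TpmSpecVersion` is not `2.x` is the one the column says to put on the replacement list.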


    Stop ignoring this iPhone warning

    Have you seen the prompt on your iPhone to update to iOS 14.7.1, but you’ve been putting it off? After all, it doesn’t seem like there’s much to it.

    It’s just a bug fix, right? No, this is no ordinary bug fix. I find Apple a bit strange in that it downplays security vulnerabilities. Apple will tell you that an update is important, but in Apple-land, all updates are important. Take the release notes for iOS 14.7.1 as an example: “iOS 14.7.1 fixes an issue where iPhone models with Touch ID cannot unlock a paired Apple Watch using the Unlock with iPhone feature. This update also provides important security updates and is recommended for all users.” The update is “important” and “recommended.”

    But some are more important and recommended than others. And this is one example. Switch over to Apple’s support page that details security fixes, which paints a more serious picture. Few click through to this page, but it’s worth a visit. This is what it says about iOS 14.7.1 (and iPadOS 14.7.1):

    IOMobileFrameBuffer
    Available for: iPhone 6s and later, iPad Pro (all models), iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch (7th generation)
    Impact: An application may be able to execute arbitrary code with kernel privileges. Apple is aware of a report that this issue may have been actively exploited.
    Description: A memory corruption issue was addressed with improved memory handling.
    CVE-2021-30807: an anonymous researcher

    Let me highlight the key bit for you: “Apple is aware of a report that this issue may have been actively exploited.” In case you don’t know, that’s serious. But it gets better. Security researcher Saar Amar, who discovered this vulnerability several months ago, has detailed this bug and how bad guys can exploit it. You can read the gory details here. The bottom line is that not all bugs are the same, and not all updates are created equal, and while iOS 14.7.1 seems on the face of it to be a small update, it’s incredibly important. So, if your iPhone or iPad is still reminding you to install this update, do it now. Right now. To install the update, go to Settings > General > Software Update and download it from there.


    The cybersecurity jobs crisis is getting worse, and companies are making basic mistakes with hiring

    A lack of business investment means cybersecurity teams are struggling to keep enterprise networks secure at a time when the rise in remote working is providing additional security challenges — and it’s having an impact on their well-being.

    A global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) warns that this lack of investment, combined with the challenge of additional workloads, is resulting in a skills shortage that’s leading to unfilled jobs and high burnout among information security staff. According to the study, which surveyed over 500 cybersecurity professionals, 57 percent say a shortage of cybersecurity skills has impacted the organisation they work for, while just over ten percent report a significant impact. The effect is an increased workload for information security staff, according to 62 percent of respondents. That’s had a knock-on effect on the mental health of information security staff, 38 percent of whom say they’ve experienced burnout as a result of extra work pressures during what was already a difficult year. “The impact, especially this past year of the pandemic, has been significant. Teams are expected to do even more as a result of businesses moving to the remote operating model,” says Candy Alexander, board president of ISSA International. “The risk landscape has shifted dramatically to a more exposed environment and a cyber-war is in full swing with ransomware attacks becoming devastating to many businesses. Cybersecurity professionals are now challenged with keeping up with the latest and greatest threats,” Alexander adds. One reason many cybersecurity staff have struggled is the sudden rise of remote working as a result of the global pandemic: 50 percent of respondents say this has led to an increase in stress.

    Greater prevalence of remote working has made some aspects of enterprise network security more difficult, as cybersecurity staff have needed to help employees — many of whom may not have worked from home before — stay safe. More remote working means greater usage of cloud applications, which has led to increased demand for cybersecurity professionals with skills in cloud computing security. A significant number of organisations are struggling to find the people to fill these gaps. Almost four in ten (39%) cybersecurity professionals say their organisation is struggling to fill cloud computing security roles. Meanwhile, 30 percent are finding it difficult to fill vacancies in application security, and there’s a similar story when it comes to security analysis and investigation.

    Basic mistakes

    The ISSA/ESG report found that many organisations are making basic mistakes in hiring and recruiting cybersecurity professionals. More than three-quarters said it was extremely or somewhat difficult to recruit and hire security professionals, but 38% said their organisation doesn’t offer competitive compensation, while 29% said their HR department doesn’t understand the skills needed for cybersecurity and 25% said that job postings at their organisation tended to be unrealistic. Three-quarters of security professionals said that they were approached by recruiters every month. Part of the issue, the report suggests, is that many boardrooms view cybersecurity as a cost — something that needs money spent on it but doesn’t help the bottom line of the business — especially when organisations think about finances in the short term. It’s likely these boardrooms still see cybersecurity as a technology issue rather than a business issue, which is naïve when high-profile data breaches and ransomware attacks have demonstrated that if cybersecurity isn’t managed correctly, it can have huge consequences for the whole business, not just the IT and cybersecurity teams.
    “Cybersecurity is seen as a cost centre to the business — something you have to do, but only to a minimal degree, like paying the light bill. We need to shift the conversation to aligning our security programs with the business,” says Alexander. “Businesses have a tendency to invest in things they see value in. We need to ensure they see the value in our cybersecurity programs — including people, training and technology,” she added. People and training are a key issue here: technology changes fast and the methods cyber criminals use to break into networks are constantly evolving, so it’s important for organisations not only to hire the right people, but also to invest in training them so they can keep up with the latest threats and deal with new forms of technology. But that doesn’t start with employers: in order to ensure there are enough people to fill cybersecurity jobs going forward, education and training pathways are needed. “At a societal level, we have to do more to educate school age children about cybersecurity and career opportunities,” says Jon Oltsik, Senior Principal Analyst and ESG Fellow. “We need more funding for cybersecurity scholarships. We need more internship and mentoring programs. All of these things are works in progress and there are some worthwhile efforts, but supply is not keeping up with demand and it won’t anytime soon.” In the meantime, it’s recommended that CISOs stay in communication with the board in order to ensure that it is aware of the needs of cybersecurity and that these are getting an appropriate amount of attention and investment. And while issues around the available cybersecurity workforce might continue to be a problem for CISOs for now, there are tools and technologies that can help ease staff workloads, helping to improve both their wellbeing and the organisation’s cyber defences. “CISOs must make all decisions assuming the impact of the cybersecurity skills shortage. This requires a greater commitment to working with service providers, process automation, and advanced analytics technologies,” says Oltsik.
