Thursday, January 17, 2019

In Other News: Hyatt Will Pay Hackers to Find Security Vulnerabilities

In Other News:Hyatt Will Pay Hackers to Find Security Vulnerabilities
Hyatt Hotels recently launched a bug bounty program dubbed HackerOne, enabling ethical hackers to report security flaws for rewards up to $4,000. Considering recent card-skimming attacks against the hospitality chain, the innovative platform is designed to “tap into the vast expertise of the security research community to accelerate identifying and fixing potential vulnerabilities”. Other organizations that are following suit and using the platform include Google, Twitter, the US Department of Defense, GitHub, and Qualcomm.

What We’re Listening To

What We’re Listening ToKnow Tech TalksThe Continuum PodcastSecurity Now
Defensive Security Podcast 
Small Business, Big Marketing – Australia’s #1 Marketing Show!
TubbTalk – The Podcast for IT ConsultantsRisky BusinessFrankly MSPCHANNELe2e

Australia- First National

Exploit: Leak by “third-party” recruitment agency, Sales Inventory Profile.First National: Real estate network. 
correct severe gaugeRisk to Small Business: 2 = Severe: Gareth Llewellyn, a security researcher at Brass Horn Communications, originally discovered how the CVs of job applicants of First National had been “inadvertently published” online. At least 12 company offices were affected, and the breach has been pinned to a third-party vendor, Sales Inventory Profile. Such a breach can negatively impact the brand reputation of the organization, even though the vulnerability came from a recruiting agency. Yet another example of why it is crucial to evaluate third-party vendors and secure data on all fronts.
correct moderate gaugeIndividual Risk: 2.571 = Moderate: Published CV’s included full names, addresses, phone numbers, date of births, and other personal information. Even without payment information, customers should be weary of unusual transactions.
Customers Impacted: 2,000 job applications.How it Could Affect Your Customers’ Business: Small breaches that expose personal details have consequences that are not easily quantified monetarily but can be catastrophic. Promising employees could choose to work elsewhere, whether or not a third-party was liable for the breach. Businesses must increase the importance they place on database and vendor management in order to protect user privacy and safety.ID Agent to the Rescue: See why Peter Verlezza, Managing Director at SMB Networks uses Dark Web ID and SpotLight ID to monitor real-time domain and login credentials: “I’m already helping to protect my customers with real-time domain monitoring provided by Dark Web ID. By protecting the people who work for those customers with the affordable and government-tested personal identity monitoring SpotLight ID delivers, I know my customer’s business is that much safer from potential breach”.
Risk Levels:1 - 1.5 = Extreme Risk1.51 - 2.49 = Severe Risk2.5 - 3 = Moderate Risk
*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

Australia - Early Warning Network

Exploit: Compromise of login details.Early Warning Network (EWN): Emergency weather alert system of Australia.
correct moderate gaugeRisk to Small Business: 2.555 = Moderate:
Interestingly enough, the hack involved an unauthorized individual posting a spam message with a link to some customers stating that "EWN has been hacked. Your personal data is not safe. Trying to fix the security issues." Yet the system did not store personal information and only a small portion of the database received the alert, which means that there should be limited repercussions for EWN. At the same time, investigations are still ongoing with the Australian Cyber Security Center.
correct moderate gaugeIndividual Risk: 3 = Moderate Fortunately, no sensitive data was compromised since the actual data held in the system was “just ‘white pages’ type data”, as indicated by managing director Kerry Plowright. Nevertheless, the responsible party and their motive has not been identified.
Customers Impacted: None.
How it Could Affect Your Customers’ Business: The absence of personal information exposure is encouraging, but it is still alarming that the system was compromised and a message was sent to customers. As cybersecurity awareness continues to rise in Australia, public perceptions are gravitating towards fear and increased vigilance. Small businesses must partner with security solutions and communicate their commitment to avoiding data breaches in order to attract, convert, and retain customers.ID Agent to the Rescue: See why Peter Verlezza, Managing Director at SMB Networks, uses Dark Web ID and SpotLight ID to monitor real-time domain and login credentials: “I’m already helping to protect my customers with real-time domain monitoring provided by Dark Web ID. By protecting the people who work for those customers with the affordable and government-tested personal identity monitoring SpotLight ID delivers, I know my customer’s business is that much safer from potential breach”.
Risk Levels:1 - 1.5 = Extreme Risk1.51 - 2.49 = Severe Risk2.5 - 3 = Moderate Risk*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

Italy- Maire Tecnimont SpA

Exploit: Social engineering and business email compromise (BEC).Maire Tecnimont SpA: Construction engineering company.
correct severe gaugeRisk to Small Business: 2.111 = Severe: This elaborate cyber fraud involved staging a “confidential acquisition” and impersonating the CEO in order to persuade the head of India’s operations to transfer funds amounting to $18.5M. Although it was an isolated incident, such an attack demonstrates the lack of overall awareness surrounding BEC scams and may serve as impetus for other hackers to try infiltrating the company’s networks. Also, it is entirely possible that the hackers were monitoring day-to-day business operations for months in advance to prepare for the sophisticated scheme, which means that there may be other undiscovered breaches at play.
correct moderate gaugeIndividual Risk: = Moderate: No personal information was breached.
Customers Impacted: N/A.How it Could Affect Your Customers’ Business: Increasing awareness of social engineering fraud and BEC is a best practice all organizations should implement. Hackers are growing increasingly sophisticated and convincing in their efforts to fool executives into handing over funds or information, which means that we must counter by incorporating training courses or multi-factor authentication processes to prevent attacks.ID Agent to the Rescue: Backed by ID Agent’s $1 million identity theft restoration policy, SpotLight ID allows MSPs’ clients can proactively protect employees and customers while enhancing their overall cybersecurity awareness. Learn more: https://www.idagent.com/identity-monitoring-programs.
Risk Levels:1 - 1.5 = Extreme Risk1.51 - 2.49 = Severe Risk2.5 - 3 = Moderate Risk*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

Singapore- SingHealth

Exploit: Initial malware infection coupled with a multi-pronged attack.SingHealth: Singapore’s largest group of healthcare institutions.
extreme gaugeRisk to Small Business: 1.444 = ExtremeBesides for the relentless onslaught of articles and news detailing SingHealth’s negligence and lack of “security hygiene”, high-profile members of management were terminated, demoted, and fined. As you can imagine, the long-term implications for employee morale are less than desirable, along with crippling blows to culture, brand, and customer trust.

correct severe gauge                                                   Individual Risk: 2 = Severe: Although the theft initially occurred between a short period of time (June 27, 2018 to July 4, 2018), data stolen included names, NRIC numbers, addresses, gender, race, and dates of birth. Even worse, around 160,000 also had their outpatient prescriptions taken. It is believed that Prime Minister Lee Hsien Loong was a primary target for the hack, but you can expect the data collected to be sold to the highest bidder.
Customers Impacted: 1.5M individuals.How it Could Affect Your Customers’ Business: Aside from the laundry list of penalties for incurring such a breach, an affected organization must continue business as-is while restoring operations. In this case, SingHealth has imposed a “temporary Internet surfing separation” on 28,000 staff’s work computers. With an entirely new set of security processes to manage while avoiding disruptions caused by the breach, customers should begin to see the value in proactively implementing IT protocols and monitoring for stolen credentials.ID Agent to the Rescue: SpotLight ID allows MSPs, Resellers and Channel Partners to deliver comprehensive personal identity protection for clients’ employees and customers, ultimately safeguarding corporate systems. Get started here: https://www.idagent.com/identity-monitoring-programs.
Risk Levels:1 - 1.5 = Extreme Risk1.51 - 2.49 = Severe Risk2.5 - 3 = Moderate Risk*The risk score is calculated using a formula that considers a wide range of factors related to the assessed breach.

Mobile Fraud