The purpose of this newsletter is to update readers on what might be happening in various areas of business related to IT, the provision of some commentary on known cyber security, data breaches and IT and business issues, and some advice on better securing your information assets.
In this Issue:
- Overview
- Topic
- Recent Attacks and Threats
- Alerts
- Snippets
- Recent Changes to Website
Overview:
Topic:
The move to “Passwordless” access
We all use passwords; most of us use many passwords. Left to our own devices, we have difficulty inventing new passwords that satisfy the application’s requirements.
Many people (including me) use a password manager like 1Password or LastPass to help us.
However, it is still a burden to remember and use them.
As we all know, the role of a password is to protect you and your clients/suppliers, and the information you share and store.
In the world of hacking, it is no surprise that interrogating our systems for passwords (and especially lazily developed ones) is a fruitful pastime for the intruders.
It has been recognised for some time that humans are quite bad at developing and using passwords (walk around your office and see how many passwords you find under mouse mats, on yellow stickies on the computer screen!).
A few years ago, one of my sons (he has his own MSP business) asked me to help him at night to replace docking stations at one of his client’s premises. After completing a number of them, I said to my son: “the users’ passwords are on most of the desks. Do you tell them about their security?” He responded, “yes, all the time, they just don’t listen!”. During one of my own consulting assignments, I asked the IT guys for a list of network devices and the topology of the network. Surprisingly, the list they gave me included the passwords for all the devices; each device had the same password, “1234”. Convenient for the network guys but not in the best interest of the organisation.
Inside or outside IT, the problem is the same!!
Well, here is the nut of the problem. Humans can’t be trusted to do the right thing, and in any case, the whole notion of inventing random strings of letters, numbers and symbols is boring!!
The use of passwords (in practice) has been studied for some years, and the conclusion is that passwords are next to useless as a means of protecting your assets from intruders.
Clearly, authentication is still required to protect oneself, and the information we use.
Since we are now a society where our phones are welded to our beings, it makes some sense to use our phones and other portable devices to authenticate access to information or use a device.
So, our devices are trusted more than we are!!
This method of authentication might use a few methods including:
- Biometric data
- The use of fingerprints and facial recognition is fairly common these days as a means of authenticating your access to a device. I must say, I am a little nervous about the use of biometric data as it really is unique to every individual. While I use this technology, I have to trust the security chips embedded in the device and the supplier’s promise that it is well and truly encrypted and cannot leave the device. One day….
- Authenticator on device (a form of multi factor authentication)
- There are a number of these in use. When you are accessing an application, you will be asked to input a code generated in an app on your mobile device. The common ones are provided by Google and Microsoft and are in fairly wide use. This method depends on you having the device with you when you need access.
- SMS response
- Like the authenticator app, an SMS message may provide a code which you then enter into the application to which you are seeking access.
- Email response
- This method is used to verify email accounts when you join a new website or request a service from it, e.g., a newsletter.
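As an added illustration (not from this newsletter, nor from Google or Microsoft), here is how the codes in an authenticator app are generated and how a service should check them. The Google and Microsoft apps implement the time-based one-time password algorithm of RFC 6238 (TOTP, built on RFC 4226 HOTP), which is what the code below does. The secret is the RFC’s own published test key (a constructed example, not a real account); the small drift window and the replay guard in the verifier are my assumptions about what a sensible checking service does, not a description of any particular product.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret: the RFC 6238 test key "12345678901234567890" in base32,
# which is the form an authenticator app receives it in (usually via a QR code at enrolment).
EXAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks 4 bytes
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros, e.g. "07081804"


def totp(secret_b32: str, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = Unix time // step. This is the number the app displays."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    t = int(time.time()) if at_time is None else at_time
    return hotp(secret, t // step, digits)


class TotpVerifier:
    """Service-side check (assumed design, not any vendor's code): accept the current
    30-second step and one step either side to absorb clock drift between phone and
    server, and never accept a step at or below the last one used, so a code that was
    seen once cannot be replayed within its lifetime."""

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6, window: int = 1):
        self.secret_b32 = secret_b32
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted_step: Optional[int] = None

    def verify(self, submitted: str, at_time: Optional[int] = None) -> bool:
        t = int(time.time()) if at_time is None else at_time
        current = t // self.step
        for candidate_step in range(current - self.window, current + self.window + 1):
            if self.last_accepted_step is not None and candidate_step <= self.last_accepted_step:
                continue  # that step (or an older one) has already been used: treat as replay
            expected = totp(self.secret_b32, candidate_step * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, submitted):  # constant-time comparison
                self.last_accepted_step = candidate_step
                return True
        return False


if __name__ == "__main__":
    # What the app would show right now for the example secret; the verifier accepts it once.
    code_now = totp(EXAMPLE_SECRET_B32)
    verifier = TotpVerifier(EXAMPLE_SECRET_B32)
    print("code:", code_now, "accepted:", verifier.verify(code_now), "replayed:", verifier.verify(code_now))
```

The point for a user is the one the newsletter makes: nothing in this exchange is a secret you have to remember. The shared key lives on the phone and on the service, and the six digits you type are derived from that key and the clock, which is why the phone has to be with you and why its clock has to be roughly right.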
So, wherever you can use a passwordless means of authentication, you should consider using it. Where you can’t, consider using a password manager and password generator which will guarantee you have a password that in all your dreams you won’t make up (and remember!).
This brings me to another cyber hygiene matter associated with this move to device dependent authentication.
Three points come readily to mind:
- Do you know where your device is backed up and how to restore a device from there? This is essential if any of your portable devices are stolen, and you need to restore your apps and data to a new device.
- Do you know how to locate a lost device using the tools on your portable device? I admit having to use such tools on occasions when accidentally leaving my device somewhere (shopping centre, train station etc).
- Do you know how to remotely wipe a stolen or lost device so the information does not fall into the wrong hands?
These should be part of your personal cyber practice.
Reports and Statistics:
Publicly available reports worthy of summation are mentioned here with their source URL. Some of these are quite lengthy and will be summarised in the body of the website.
At the end of the year 2021, and the start of 2022, many reports are published summarising one year and anticipating the next. The three mentioned below are in my eyes significant, and I will be commenting on them soon.
- Global Cybersecurity Outlook 2022 – World Economic Forum
- This is another excellent report which also looks at the relationship between IT and the Business units in an organisation (an issue I am passionate about!). Look for a summary on the website soon.
- https://www.weforum.org/reports/global-cybersecurity-outlook-2022
- The Global Risks Report 2022 – World Economic Forum
- This should be essential reading and consideration for all Directors and Senior Managers. It is, however, over 100 pages long, and I have presented a summary of it to a group of directors. Look for a summary on the website soon.
- https://www3.weforum.org/docs/WEF_The_Global_Risks_Report_2022.pdf
- 2021 State of Industrial Cybersecurity – Ponemon Institute for Dragos
- This report looks at the cultural differences and accountability issues between IT and IOT/OT responsibilities. No wonder the misalignment is creating many opportunities for intruders and subsequent business impacts. Look for a summary on the website soon.
- https://www.dragos.com/resource/2021-state-of-industrial-cybersecurity-ponemon/
Attacks and Threats:
Significant cyberattacks or IT outages will be written up here. Sometimes they might also be written up in Lessons of Life.
- Transport of NSW
- ITNews has reported that an ongoing investigation following a cybersecurity intrusion in December 2020 and January 2021 has found that more data was disclosed than previously reported. The additional individuals (the number was not disclosed) were being notified. This breach also impacted organisations such as “NSW Health, ASIC, SBS and the legal firm Allens”, says ITNews. This report is a reminder of the complexity of understanding a breach, and also the time and effort involved.
- It is also a reminder of the matters which need to be considered in breach insurance contracts, including the lengthy investigation time. Data breaches are not resolved overnight.
- https://www.itnews.com.au/news/tfnsw-finds-more-customers-employees-impacted-by-accellion-breach-574626
- NSW Government – data breach
- According to Channel 9, location data collected by the NSW Covid-19 registration system has been publicly revealed. A notice on the NSW data website dated October 12, 2021, says: “The COVID Safe Businesses and Organisations dataset has been discontinued. We have identified issues with integrity of the data”.
- https://www.9news.com.au/national/nsw-news-data-leak-shouldnt-have-happened-premier-dominic-perrottet-says/
Alerts:
- 19th Jan, 2022 From ACSC – Alert status Medium – Direct Quote
- “The Australian government will NEVER phone you to request access to your computer or request you to purchase cryptocurrencies or gift cards. If you receive a suspicious phone call, take the caller’s details, hang up and contact the company they claim to represent via official communication channels listed on their website. Never call a number provided by the scammer.”
- https://www.cyber.gov.au/acsc/view-all-content/alerts/phone-and-email-scammers-impersonating-acsc
- 19th Jan, 2022 From ACSC – Alert status High – Direct Quote
- A vulnerability (CVE-2021-20038) has been identified in SonicWall SMA 100 series appliances. Exploitation of this vulnerability could allow an unauthenticated malicious cyber actor to perform remote code execution. Affected Australian organisations should apply the available patch.
- SonicWall is a cyber security company.
- https://www.cyber.gov.au/acsc/view-all-content/alerts/remote-code-execution-vulnerability-present-sonicwall-sma-100-series-appliances
Government Initiatives:
Governments worldwide are initiating major legislation and programs to support the fight against cyberattacks. Initially, this website will be focused on Australia but, resources willing, will expand over time to include other countries.
- The UK and Australia signed an agreement in Sydney on 20th Jan, 2022 to collaborate on a range of technology and cyber security issues: to assist in fighting cybercrime, to encourage the safe uptake of technology between the countries, to build resilience in the technology supply chains, and to advance the “Women in Cyber” agenda.
- https://www.foreignminister.gov.au/minister/marise-payne/media-release/statement-uk-australia-cyber-and-critical-technology-partnership
Snippets:
- South Australian Government
- ITNews has reported that the SA Government has issued a breach of contract notice after details of 80,000 government employees were disclosed.
- https://www.itnews.com.au/news/south-australian-gov-issues-breach-notice-to-hacked-payroll-provider-574782
- The Federal Security Service of the Russian Federation (FSB) has announced it has taken down a major cyber-criminal gang responsible for the recent REvil cyber activities.
- From information provided by “competent US authorities”, the FSB has managed to arrest 14 members of the gang.
- Assets were seized at 25 addresses at the places of residence of 14 members of the organised criminal community: over 426 million rubles (A$7.7M), including cryptocurrency, 600 thousand US dollars, 500 thousand euros, as well as computer equipment, crypto wallets used to commit crimes, and 20 premium cars purchased with money obtained from crime.
- Responsible for attacks on Kaseya and Colonial Pipeline, the REvil organisation has been ruthlessly pursued by US authorities over the last year, who have inflicted damage on the REvil infrastructure.
- https://wwwfsbru.translate.goog/fsb/press/message/single.htm!id=10439388@fsbMessage.html
- According to Reuters, cryptocurrency money laundering increased 30% to US$8.6B in the last year.
- Microsoft has announced that it has detected a “large scale multi-phase campaign” targeting accounts and users that do not use MFA (Multi Factor Authentication).
- “The first campaign phase involved stealing credentials in target organizations located predominantly in Australia, Singapore, Indonesia, and Thailand. Stolen credentials were then leveraged in the second phase, in which attackers used compromised accounts to expand their foothold within the organization via lateral phishing as well as beyond the network via outbound spam.”
- https://www.microsoft.com/security/blog/2022/01/26/evolved-phishing-device-registration-trick-adds-to-phishers-toolbox-for-victims-without-mfa/