IT Security Updates Issue 5

Western Australia’s Government has found the perfect password management approach, that Air Canada’s hack could impact customers by increasing the risk of ID fraud, Deloitte publish cloud strategies to improve cyber security processes and more …

Western Australian Government’s Internet Security Audit highlights major cyber-security flaw in basic password management approaches

The Auditor General of Western Australia published a damming report into the state of user account security within the public sector. The era of capital letters, 8 characters and some numbers must surely come to an end after this report was made public? The report noted that good practice within password management frameworks was lacking. The myriad of diverse agencies using the Western Australian Government’s systems illustrated the centrality of strong password management systems.

The report stated:

“Over one quarter of the enabled network accounts we looked at had weak passwords at the time of audit. In a number of instances these accounts are used to access critical agency systems and information via remote access without any additional controls. Generally, agencies lacked technical controls to enforce good passwords across networks, applications and databases, and did not have guidance about good practice for password management.”

The report’s conclusion argued that good password management was about trusted engagement between passwords, people and processes – bringing organisations together with a strong focus on collective security. The Auditor General believes strong password management requires (at least) the following:

  1. Uppercase and Lowercase text
  2. Numbers (0 – 9)
  3. Non-alphanumeric characters like !, £, & etc.

By using these standards, the report concluded that businesses and organisations could improve their password management systems dramatically.

Deloitte argues that SMEs need better cloud strategies to improve cloud services control

There is no doubt that the cloud is here – businesses are already embracing the power of the cloud – from MS Office 365 to Amazon Web Services via a myriad of diverse cloud-based applications that have helped enterprise and start-ups alike blossom online. However, Deloitte’s cyber security team have published a report outlining the importance of sound control frameworks when deploying and utilising cloud-based services.

Deloitte provide business leaders with the steps required for a cloud strategy. The services giant argues that the first step is to understand what level of cloud-based service adoption your business requires. Once adoption levels have been agreed, companies are free to explore the diverse service models and the benefits therein available to businesses. Then businesses need to understand the sophistication integrating such cloud-based services within their current technology will require – will there be an initial capital expenditure? Deloitte even outline some key recommendations:

1 – Understand who in the organisation typically initiates the move to the cloud and enlist the support of the executive management and board.

2 – Key decision makers must be clear about the desired benefits of a cloud strategy and considerations must be given to the type of cloud deployment used – public, private or a hybrid of both.

3 – It’s important to select the right cloud service provider (CSP) for the organisation. The service model has to be decided upon. Software-as-a-Service (SaaS), Platform-as-a-Service (PaaS), or Infrastructure-as-a-Service (IaaS).

4 – Understanding and setting the culture in the cloud has to be a priority.

5 – Risk and compliance issues have to be considered. Security in the cloud is generally strong.

Air Canada data breach sees customer passport data leaked

Air Canada, the Canadian flag bearing airline, has suffered a major data breach that could pose a massive ID fraud risk for customers. The breach is down to bad password management approaches, with Air Canada’s own rules and guidelines on password management being named as the main culprit. The lack of a ‘strong’ password framework has allowed a major ID fraud and brand damaging experience to impact the airline.

The company believes the its financial data is secure due to enhanced encryption processes. However, with 1.7 million customers being “locked out” of their accounts, insiders believe a ‘mere’ 20,000 users have been directly impacted. The company has sent a gentle password reminder to all customers.

The breach could see names, email addresses and phone numbers along with passport data accessible in the data breach. The company has released a statement:

‘Air Canada has recommended that its customers “regularly review their financial transactions, be aware of any changes to their credit rating, and contact their financial services provider” if they become aware of unusual activity.’

Zero-Day flaw found in Microsoft Windows Task Scheduler API

According to Threat Post, Windows task scheduler does not check the permission registry when undertaking basic processes. This flaw allows malicious code to alter privileges in a negative way. The flaw was detected within the Advanced Local Procedure Call (ALPC) interface which is a key component of the task scheduler within the 64-bit architecture that supports Windows 10 and Server 2016 respectively. The API within the ALPC does not verify the permission rights which leads to the possibility that malicious actors using rouge code could impact the platform.

Threat Post did point out that the flaw had limitations:

“The flaw does come with limitations – in order to gain elevated privileges, a bad actor would need to be local and exploitation needs prior code execution. Also, the exploit would need modifications to work on OSes other than 64-bit (i.e., 32-bit OS). “Also it hard-codes prnms003 driver, which doesn’t exist on certain versions (e.g. on Windows 7 it can be prnms001).”

Forbes analyses ways organisations can improve employee “buy-in” for cyber security changes

Getting your staff “on-board” can be daunting and challenging. Employees don’t usually like change – especially change that could impact their own workload and their productivity. Therefore, any support that can help navigate this difficult terrain is welcome in the eyes of many small SME owners.

Forbes argues that leaders need to lead by example – which means senior executives and directors need to “own” the training and engagement process. This means that security training needs to accessible and relevant to everyone – at all levels.

After understanding engagement and “owning” this networking stage, leaders need to understand employee resistance and how “buy-in” is predicated on benefit. The adage, “what’s in it for me”, is a relevant start point. Thinking that they’re “just staff that follow orders” misses the point by a country mile. You need to understand resistance in order to create the right narrative to help make change possible.

By giving a heads-up to the change, by owning the training and making the benefits relevant, organisations and their leaders, can successfully gain strong employee “buy-in” by creating a cohesive engaged workforce that puts cyber security front and centre during the working day.

Until next time …