Jun 12 2019

Critical Bug in Infusion System Allows Changing Drug Dose in Medical Pumps

Category: hipaa, Security Breach | DISC @ 1:52 pm

Researchers discovered two vulnerabilities in Alaris Gateway Workstations, which are used with infusion pumps to deliver fluid medication. One of them is critical, and an attacker could leverage it to take full control of the medical devices connected to the workstation.

Source: Critical Bug in Infusion System Allows Changing Drug Dose in Medical Pumps



Healthcare privacy and security



Tags: Healthcare privacy and security, medical device breaches, medical device threats, medical device vulnerabilities


Jun 09 2019

From phish to network compromise in two hours: How Carbanak operates

Category: Hacking, Phishing, Security Breach | DISC @ 2:21 pm

Cybercriminal group Carbanak has stolen hundreds of millions of dollars from financial institutions. Here’s a detailed analysis by Bitdefender of an attack on one bank.

Source: From phish to network compromise in two hours: How Carbanak operates




May 29 2019

Flipboard says hackers stole user details | ZDNet

Category: Cyber Attack, Hacking, Security Breach | DISC @ 12:16 pm

The extent of the hack is unknown, but Flipboard said hackers had access to its systems for almost nine months.

Source: Flipboard says hackers stole user details | ZDNet

Flipboard confirms database hack, resets all user passwords



    May 24 2019

    Maker of US border’s license-plate scanning tech ransacked by hacker, blueprints and files dumped online

    Category: Information Privacy, Security Breach | DISC @ 7:08 pm

    Perceptics confirms intrusion and theft, stays quiet on details

    Source: Maker of US border’s license-plate scanning tech ransacked by hacker, blueprints and files dumped online

    Digital License Plates: Convenience or Privacy Risk?



    Tags: digital privacy, license-plate security


    May 20 2019

    Millions of Instagram influencers had their private contact data scraped and exposed

    Category: data security, Security Breach | DISC @ 4:04 pm


    A massive database containing contact information of millions of Instagram influencers, celebrities and brand accounts has been found online. The database, hosted by Amazon Web Services, was left exposed and without a password allowing anyone to look inside. At the time of writing, the database had over 49 million records — but was growing by […]

    Source: Millions of Instagram influencers had their private contact data scraped and exposed – TechCrunch




    May 09 2019

    Hackers exploit Jenkins flaw CVE-2018-1000861 to Kerberods malware

    Category: Security Breach | DISC @ 11:30 am


    Threat actors are exploiting a Jenkins vulnerability (CVE-2018-1000861) disclosed in 2018 to deliver a cryptocurrency miner using the Kerberods dropper


    Source: Hackers exploit Jenkins flaw CVE-2018-1000861 to Kerberods malware





    Tags: Jenkin flaw, Security vulnerability


    May 06 2019

    Unsecured SkyMed Database Exposed PII Data Of 137K Individuals

    Category: data security, GDPR, Security Breach | DISC @ 9:29 pm


    Reportedly, the unsecured SkyMed database exposed a large number of records containing medical and personal information of US citizens online.

    Source: Unsecured SkyMed Database Exposed PII Data Of 137K Individuals



    ISO/IEC 27018:2014, 1st Edition: Information technology – Security techniques – Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors



    NIST Special Publication 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)



    Jan 31 2019

    The biggest ever data dump just hit a colossal 2.2 billion accounts

    Category: data security, Security Breach | DISC @ 11:12 am

    Thought Collection #1 was big? Collection #2-5 just dwarfed it

    Source: The biggest ever data dump just hit a colossal 2.2 billion accounts


    Tags: Data dump, data privacy, data security


    Jan 28 2019

    Attackers used a LinkedIn job ad and Skype call to breach bank’s defences

    Category: Security Breach | DISC @ 8:41 am

    A Chilean Senator has taken to Twitter with alarming news – the company running the country’s ATM network suffered a serious cyberattack.

    Source: Attackers used a LinkedIn job ad and Skype call to breach bank’s defences



    Jan 22 2019

    Did you win at online casinos? Your data might have had exposed online

    Category: Security Breach | DISC @ 1:47 pm

    Data belonging to online casinos was found exposed online on an unprotected Elasticsearch instance; it includes information on 108 million bets as well as user details.

    Source: Did you win at online casinos? Your data might have had exposed online
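The Instagram, SkyMed and online-casino posts above share one failure mode: a data store bound to a network-facing interface with no authentication in front of it. The following is an added example, not code from any of the linked articles, that audits a constructed elasticsearch.yml for exactly that pattern. It assumes a 6.x/7.x-era node where the security module is optional, and it only parses the flat `key: value` form the file normally uses; the two sample configs are made up for the demonstration.

```python
"""Audit an elasticsearch.yml for the exposure pattern behind the breaches above:
a node reachable from the network whose HTTP API answers without credentials.
Added example; not code from any of the linked articles."""
from typing import Dict, List

# Constructed sample configs (assumption: a 6.x/7.x node where the security
# module is off unless explicitly enabled).
WEAK_CONFIG = """
cluster.name: bets-archive
network.host: 0.0.0.0          # listen on every interface
http.port: 9200
xpack.security.enabled: false  # no authentication on the REST API
"""

HARDENED_CONFIG = """
cluster.name: bets-archive
network.host: 10.0.3.15        # private interface only
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

# Bind values that make the node listen on addresses reachable from outside the host.
PUBLIC_BINDS = {"0.0.0.0", "::", "_global_"}


def parse_flat_yaml(text: str) -> Dict[str, str]:
    """Parse dotted 'key: value' lines as elasticsearch.yml normally uses them.
    Comments and blank lines are skipped; nested YAML blocks are not handled."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        key, _, value = line.partition(":")
        settings[key.strip()] = value.strip().strip("\"'")
    return settings


def assess_exposure(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means neither exposure
    condition (public bind, no authentication) is present."""
    s = parse_flat_yaml(config_text)
    findings: List[str] = []

    # Elasticsearch binds the loopback interface only when network.host is unset.
    bind = s.get("network.bind_host", s.get("network.host", "_local_"))
    port = s.get("http.port", "9200")
    public = bind in PUBLIC_BINDS
    if public:
        findings.append(f"HTTP API bound to {bind}:{port}, reachable from any network")

    # On these versions security is off unless explicitly enabled.
    auth_on = s.get("xpack.security.enabled", "false").lower() == "true"
    if not auth_on:
        findings.append("xpack.security.enabled is not true: REST API needs no credentials")
    elif s.get("xpack.security.http.ssl.enabled", "false").lower() != "true":
        findings.append("authentication enabled but HTTP TLS off: credentials travel in clear")

    if public and not auth_on:
        findings.append("CRITICAL: anyone who can reach the port can read and delete every index")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess_exposure(cfg) or ["no findings"])
```

The check is deliberately on the configuration rather than on a live probe: a `GET /` that returns cluster metadata without a 401 is the attacker's view, but the configuration is what the owner can fix before the data is indexed by a search engine. A hardened node also needs a host firewall or security group on the port, which this audit cannot see.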

    Sep 20 2018

    Equifax fined by ICO over data breach that hit Britons

    Category: Cyber Insurance, data security, GDPR, Security Breach | DISC @ 10:02 am


    Credit rating agency Equifax is to be fined £500,000 by the Information Commissioner’s Office (ICO) after it failed to protect the personal data of 15 million Britons.

    A 2017 cyber-attack exposed information belonging to 146 million people around the world, mostly in the US.

    The compromised systems were also US-based.

    But the ICO ruled Equifax’s UK branch had “failed to take appropriate steps” to protect UK citizens’ data.

    It added that “multiple failures” meant personal information had been kept longer than necessary and left vulnerable.

    Originally, Equifax reported that fewer than 400,000 Britons had had sensitive data exposed in the breach – but it later revealed that the number was nearly 700,000.

    A further 14.5 million British records exposed would not have put people at risk, the company added last October.

    The ICO, which joined forces with the Financial Conduct Authority to investigate the breach, found that it affected three distinct groups in the following ways:

    • 19,993 UK data subjects had names, dates of birth, telephone numbers and driving licence numbers exposed
    • 637,430 UK data subjects had names, dates of birth and telephone numbers exposed
    • Up to 15 million UK data subjects had names and dates of birth exposed

     

    Guard let down

    Equifax had also been warned about a critical vulnerability in its systems by the US Department of Homeland Security in March 2017, the ICO revealed.

    And appropriate steps to fix the vulnerability were not taken, according to the ICO.

    Because the breach happened before the launch of the EU’s General Data Protection Regulation (GDPR) in May this year, the investigation took place under the UK’s Data Protection Act 1998 instead.

    And the fine of £500,000 is the highest possible under that law.

    “The loss of personal information, particularly where there is the potential for financial fraud, is not only upsetting to customers, it undermines consumer trust in digital commerce,” said information commissioner Elizabeth Denham.

    “This is compounded when the company is a global firm whose business relies on personal data.”

    An Equifax spokesperson said the firm was “disappointed in the findings and the penalty”.

    “As the ICO makes clear in its report, Equifax has successfully implemented a broad range of measures to prevent the recurrence of such criminal incidents and it acknowledges the strengthened procedures which are now in effect.

    “The criminal cyber-attack against our US parent company last year was a pivotal moment for our company. We apologise again to any consumers who were put at risk.”

    By BBC.com



    Mar 30 2014

    The Protection of Personal Information Act (POPI) in South Africa – Benefits and Challenges


    by Ilenia Vidili

    In South Africa the Protection of Personal Information Act (POPI) aims to regulate how companies secure the integrity and confidentiality of their data assets by taking technical and organisational measures to prevent the loss of, and damage and unauthorised access to, personal information. POPI was signed into law on 26th November 2013 but the commencement date is yet to be announced; companies have been given a year to achieve compliance with the Act. Penalties for failing to comply with the Act include prosecution, with possible prison terms of up to 12 months, and fines of up to R10 million. I believe that POPI will make life easier for IT organisations in South Africa.

    Why is it so important for organizations to keep personal information safe?

    Data breaches, and the resultant loss of information assets, can lead to huge financial losses for companies as well as reputational damage and a loss of customer trust. The lack of a robust Information Security Management System (ISMS) can leave organisations of any size and sector open to data breaches. POPI’s objective is to regulate the way personal information is collected and stored by organizations, which will in turn increase customer confidence in those organizations. The Act will apply to all organizations, regardless of size or sector, whether public or private, including the Government. As a reminder of the importance of data security, the City of Johannesburg suffered a massive data breach in August 2013 which allowed anyone to read citizens’ personal billing information on the Council’s website, including full names, account numbers, addresses, and contact details. Anything could have happened to that information, including targeted phishing attacks, and the production of fake ID books and proof of residence, which could have been used for terrorist purposes.

    POPI’s challenges

    The major challenge of POPI is that companies will have to change the way they collect and store customer information as soon as possible: organizations have been given only a year to be compliant before the Act is enforced. Given the extent of changing business processes and employees’ attitudes it will be a serious challenge to reach compliance in only a year.

    PwC’s “journey of implementation” report found that the majority of organizations in South Africa believe it will take several years to achieve compliance with POPI.

    Source: PwC “The journey to implementation” (chart not reproduced)

    One way for South African organizations to make compliance with POPI easier would be to implement the international information security standard ISO27001, which sets out the requirements against which an organization’s information security management system can be independently audited and certified. Implementing the standard will help South African businesses fulfil the compliance requirements of any related legislation (including the Protection of Personal Information Act). Moreover, by implementing ISO27001, businesses ensure that they have effective controls in place to manage risk and protect personal information.

    How to prepare for POPI

    IT Governance SA has developed a wide range of ISO27001 books, training and tools to help organisations with a weak information security management system, and recommends that companies look at the useful information about ISO27001 available on the company’s website.

    Tags: Information Security Management System, isms, POPI, Protection of Personal Information Act, South Africa


    Mar 26 2014

    Most common type of data breaches

    Category: data security, Security Breach | DISC @ 9:24 pm


    Cyber attacks have become a regular occurrence in the last few years; in fact, you can’t turn the news on without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

    According to a report by Veracode, the top 5 types of information that are stolen are:

    Payment Data

    No surprises here of course. Card payment data is a very attractive form of information for cyber criminals to steal. Card data provides quick access to money in multiple ways, such as siphoning the victim’s account, using their card for purchases or selling it on the black market.

    Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

    Authentication Details

    Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

    Unfortunately, humans are subject to bad habits such as using the same password for several online accounts. So if cyber criminals manage to get hold of your Facebook password, they will most likely be able to log in to any of your accounts.

    Copyrighted Material

    Why would a cyber criminal pay for software when they could just steal it? With many websites vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

    Medical Records

    Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

    Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

    Classified Information

    Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

    Protecting this information

    There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

    Data Security Breaches: Notification Law

    Tags: Computer security, data breach, data stolen, data theft, Identity Theft


    Jul 21 2011

    Information Security Breaches: Avoidance and Treatment based on ISO27001

    Category: ISO 27k, Security Breach | DISC @ 2:47 pm

    Information Security Breaches: Avoidance and Treatment based on ISO27001
    If you are running a business, you learn to expect the unexpected. Even if you have taken all the right precautions, your company might still find itself confronted with an information security breach. How would your business cope then?

    There are lots of books that will tell you what to do to prevent an information security breach. This book is different. It tells you what you have to do if a security breach occurs.

    Security breaches sometimes occur because computers containing sensitive information are not returned to their owners. NATO laptops have been spotted in flea markets, and US government computers were put up for sale on Ebay. Security breaches may also be the result of data theft. A bad apple in your company may be tempted to sell your confidential data to a rival firm.

    If something happens, your company needs to be ready to take prompt and decisive action to resolve the issue. This book tells you the plans and procedures you need to put in place to tackle an information security breach should it occur. In particular, the book gives you clear guidance on how to treat an information security breach in accordance with ISO27001.

    If a breach occurs, the evidence needs to be secured professionally. You need to know the rules on evidence gathering, and you need to be capable of isolating the suspect laptops right from the start. If you want your company to respond rapidly to an information security breach, you need to make sure that the responsibilities and roles in your company are clearly defined.

    Benefits to business include:

    Recover faster
    An information security breach can have crippling consequences. However, with the right emergency measures in place, you will be able to recover quickly from the incident and resume normal operations.
    Preserve customer confidence
    An information security breach can result in loss of records and disruption to service. This can do serious damage to your relationship with your customers. It is vital for you to be prepared for an information security breach, so that if it ever happens you can preserve customer confidence.
    Assist the investigation
    Uncovering the root causes of an information security breach requires detective work. If an information security breach occurs, the investigators will need to be able to identify the problem. You can help them to do that by keeping proper records.
    Catch the criminals
    In the event of data theft, you will want to be in a position to act promptly and decisively. So you should set up an incident management system. This will mean that in the event of data theft, the police will have a greater chance of getting hold of the incriminating evidence they need to secure a conviction.

    As Michael Krausz warns, “It is the prudence of management that decides on a company’s fate once a serious incident occurs, not only the size.”

    What others are saying about this book …

    ‘…I recommend this pocket guide to anyone implementing ISO27001, and indeed to anyone who is concerned about the risks of security breaches, and who wants to know how best to prepare their organization for the unpleasant events that are bound to happen from time to time…’

    Willi Kraml, Global Information Security Officer

    ‘…The author thankfully narrows down some important vocabulary to a practical usage in real life situations. The book gives what it advertises: a quick pocket guide to avoidance and treatment of security breaches with references to ISO27001…’

    Sascha-A Beyer, Senior Manager

    ‘…Michael Krausz has created a valuable tool for both professional as well as less knowledgeable persons in respect to the ISO27001 Standard… Written in plain English, this handbook is easy to follow even by a novice in the Information Technology Field. Therefore “Information Security Breaches” is a must within the ‘tool box’ of anyone who deals with IT issues on an every-day basis…’

    Werner Preining, Interpool Security Ltd

    ‘Michael Krausz did a good job. His pocket guide is small enough to be read in only a few minutes, yet is packed full of valuable information presented in a structured way. The case studies especially help to understand the topic. As former CIO of a large company I can recommend it.’
    Christian H Leeb, Holistic Business Development

    About the author: Michael Krausz is an IT expert and experienced professional investigator. He has investigated over a hundred cases of information security breaches. Many of these cases have concerned forms of white-collar crime. Michael Krausz studied physics, computer science and law at the University of Technology in Vienna, and at Vienna and Webster universities. He has delivered over 5000 hours of professional and academic training and has provided services in eleven countries to date.

    Don’t let your organisation fall victim to a security incident … download your copy today!
    Information Security Breaches: Avoidance and Treatment based on ISO27001

    Tags: information security breaches, iso 27001, Michael Krausz, NATO laptops, Security Breach


    Jun 15 2011

    LULZ Security Hacks CIA Website!

    Category: cyber security, Security Breach | DISC @ 9:57 pm

    “Tango down – cia.gov – for the lulz,” the group, which had earlier claimed responsibility for hacking into the websites of the U.S. Senate, Sony, Nintendo and Fox News, wrote on its Twitter feed.

    “While some people think this is a fun game that can also help point out corporate security weaknesses, the truth is that companies and innocent customers are – in the worst cases – having their personal data exposed,” Sophos senior technology consultant Graham Cluley said.

    “There are responsible ways to inform a business that its website is insecure, or it has not properly protected its data – you don’t have to put innocent people at risk. What’s disturbing is that so many internet users appear to support LulzSec as it continues to recklessly break the law.”

    http://www.youtube.com/watch?v=AozrqppyEf0

    Cyber War: The Next Threat to National Security and What to Do About It


    Jun 14 2011

    Hacker Group Attacks US Senate Website

    Category: cyber security, Security Breach | DISC @ 11:04 pm

    US Senate Hacked! “We Don’t Like The U.S. Government Very Much” LULZ Security

    The video gives some of the reasons for the significant rise in attacks by Lulz Security on US information assets, including critical assets such as the US Senate, which is a growing threat to national security.

    Leon Panetta warned in last week’s hearing that the next Pearl Harbor might very well be a cyber attack, one that could affect the power grid, the financial system or government systems.

    “The computer systems of executive branch agencies and the Congress were probed or attacked on an average of 1.8 billion times per month last year,” said Sen. Susan Collins (R-ME).

    http://www.youtube.com/watch?v=aFD3W6LhO04

    Cyber War: The Next Threat to National Security and What to Do About It

    Tags: Bethesda Softworks, Federal government of the United States, National security, Pearl Harbor, Sony, Susan Collins, United States, United States Senate


    Jun 09 2011

    Citi credit card security breach discovered

    Category: Security Breach | DISC @ 10:42 am

    “Citigroup says it has discovered a security breach in which a hacker accessed personal information from hundreds of thousands of accounts.

    Citigroup said the breach occurred last month and affected about 200,000 customers.”

    “During routine monitoring, we recently discovered unauthorized access to Citi’s account online,” said Citigroup, in a prepared statement. “A limited number — roughly 1 percent – of Citi bankcard customers’ accounting information (such as name, account number and contact information including email address) was viewed.”

    According to its annual report, Citigroup has about 21 million credit card accounts in North America, where the breach occurred.

    The statement went on to say that the customers’ Social Security numbers, dates of birth, card expiration dates and card security codes “were not compromised.”

    Routine monitoring discovered the Citigroup incident, which shows that the intrusion was not detected while it was in progress but only after it had happened.
    The cost of a cyber intrusion increases the later the incident is detected. Organizations should move their corporate strategy to a more proactive approach in which they maintain, monitor and improve security controls based on the current value of the information asset.

    If you’re a Citibank customer, we suggest you take a look at your account and immediately report any irregularities.

    Stopping Identity Theft: 10 Easy Steps to Security

    http://www.youtube.com/watch?v=KH0zno_6d9M

    Tags: Citigroup, Credit card, Customer, Financial Times, Online service provider, PlayStation Network, Security, Social Security number


    Jun 05 2011

    Hackers breach FBI partner’s site

    Category: Cybercrime, Security Breach | DISC @ 10:45 pm

    LONDON — Nearly 180 passwords belonging to members of an Atlanta-based FBI partner organization have been stolen and leaked to the Internet, the group confirmed yesterday.

    The logins belonged to the local chapter of InfraGard, a public-private partnership devoted to sharing information about threats to US physical and Internet infrastructure, the chapter’s president said.

    “Someone did compromise the website,’’ Paul Farley, president of the InfraGard Atlanta Members Alliance, said in an e-mail exchange. “We do not at this time know how the attack occurred or the method used to reveal the passwords.’’

    Copies of the passwords — which appear to include users from the US Army, cybersecurity organizations, and major communications companies — were posted to the Internet by online hacking collective Lulz Security, which has claimed credit for a string of attacks in the past week.

    In a statement, Lulz Security also claimed to have used one of the passwords to steal nearly 1,000 work and personal e-mails from the chief executive of Wilmington, Del.,-based Unveillance. Lulz Security claimed it was acting in response to a recent report that the Pentagon was considering whether to classify some cyberattacks as acts of war.

    The FBI said yesterday steps were being taken to mitigate the damage.

    Kingpin: How One Hacker Took Over the Billion-Dollar Cybercrime Underground


    May 27 2011

    Hackers breach US defense contractors network

    Category: Cybercrime, Security Breach | DISC @ 10:18 pm

    LONDON: Unknown hackers have broken into the security networks of Lockheed Martin Corp (LMT.N) and several other US military contractors, a source with direct knowledge of the attacks told this news agency.

    They breached security systems designed to keep out intruders by creating duplicates of “SecurID” electronic keys from EMC Corp’s (EMC.N) RSA security division, said the person, who was not authorized to publicly discuss the matter.

    It was not immediately clear what kind of data, if any, was stolen by the hackers. But the networks of Lockheed and other military contractors contain sensitive data on future weapons systems as well as military technology currently used in battles in Iraq and Afghanistan.

    Weapons makers are the latest companies to be breached through sophisticated attacks that have pierced the defenses of huge corporations including Sony (SNE.N), Google Inc (GOOG.O) and EMC Corp (EMC.N). Security experts say that it is virtually impossible for any company or government agency to build a security network that hackers will be unable to penetrate.

    The Pentagon, which has about 85,000 military personnel and civilians working on cyber security issues worldwide, said it also uses a limited number of the RSA electronic security keys, but declined to say how many for security reasons.

    The hackers learned how to copy the security keys with data stolen from RSA during a sophisticated attack that EMC disclosed in March, according to the source.

    EMC declined to comment on the matter, as did executives at major defense contractors.

    Lockheed, which employs 126,000 people worldwide and had $45.8 billion in revenue last year, said it does not discuss specific threats or responses as a matter of principle, but regularly took actions to counter threats and ensure security. (Reuters)
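The Reuters report says the attackers copied SecurID tokens using data stolen from RSA. SecurID’s own algorithm is proprietary, so the following added example (not code from the article, from RSA or from Lockheed) shows the same property with the open RFC 6238 TOTP algorithm instead: whoever holds a copy of a token’s seed computes exactly the code the server will accept, so the seed database is the credential. The seed is the public RFC 6238 test vector, and the timestamp is fixed so the run is reproducible; both are assumptions made for the demonstration.

```python
"""Why copying an OTP seed clones the token, shown with RFC 6238 TOTP.
Added example; SecurID uses a different, proprietary algorithm, but the
dependency on a shared per-token secret is the same."""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 8) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def server_verify(secret: bytes, code: str, unix_time: int,
                  step: int = 30, window: int = 1) -> bool:
    """What the authentication server does: recompute the code for the current
    step and `window` neighbouring steps (clock drift), compare in constant time."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


# Public test seed from RFC 6238 Appendix B (ASCII "12345678901234567890"). It
# stands in for the per-token seed a vendor keeps in its seed database.
SERVER_SEED = b"12345678901234567890"


def cloned_token_accepted(stolen_seed: bytes, unix_time: int) -> bool:
    """An attacker holding `stolen_seed` computes a code without ever touching the
    physical token. Returns True when the server accepts it, i.e. when the stolen
    material really is the token's seed."""
    attacker_code = totp(stolen_seed, unix_time)
    return server_verify(SERVER_SEED, attacker_code, unix_time)


if __name__ == "__main__":
    now = 1234567890  # fixed timestamp so the run is reproducible
    print("clone with real seed accepted:", cloned_token_accepted(SERVER_SEED, now))
    print("guess with wrong seed accepted:", cloned_token_accepted(b"not-the-seed", now))
```

The server learns nothing from a submitted code that it could not compute itself, which is the whole design; the consequence is that seed material must be protected like a password database (encryption at rest, HSM or equivalent, tight access), and that re-issuing tokens, not rotating passwords, is the only remediation once the seed store is known to be compromised.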

    Managing Information Security Breaches

    Pentagon: Hack attacks can be act of war


    May 27 2011

    How to Manage Information Security Breaches Effectively

    Category: ISO 27k, Security Breach | DISC @ 9:45 am

    A complete solution to manage an information security incident

    Managing Information Security Breaches

    Even when organisations take precautions, they may still be at risk of a data breach. Information security incidents do not just affect small businesses; major companies and government departments suffer from them as well.

    A strategic framework
    Managing Information Security Breaches sets out a strategic framework for handling this kind of emergency. It focuses on the treatment of severe breaches and on how to re-establish safety and security once the breach has occurred. These recommendations support the controls for the treatment of breaches specified under ISO27001:2005.

    Top priorities
    The actions you take in response to a data breach can have a significant impact on your company’s future. Michael Krausz explains what your top priorities should be the moment you realise a breach has occurred. This book is essential reading for security officers, IT managers and company directors.

    Read this guide and learn how to …

  • Avoid information security breaches: the author uses cases he has investigated to illustrate the various causes of a breach, ranging from the chance theft of a laptop at an airport to more systematic forms of data theft by criminal networks. By analysing situations companies have experienced in real life, the case studies can give you a unique insight into the best way for your organisation to avoid a data breach.

  • Plan your response: if something did go wrong, how would you handle it? Even if you have done everything possible to prevent a data breach, you still need to know what to do should one occur. This book offers advice on the strategies and tactics to apply in order to identify the source of the leak, keep the damage to a minimum, and recover as swiftly as possible.

  • Preserve the trust of your customers: if your company ever experiences an information security incident, the way your customers see you will depend on how you react. This book tells you the key steps you need to take to hold on to the goodwill of your customers if a data breach occurs. The book also offers advice on what to do if you discover defamatory material about your business on YouTube or on forum sites.

  • Improve management processes: information security breaches are often committed by ambitious or embittered employees. This book looks at ways to reduce the risk of staff selling product designs or customer data to your competitors for personal gain.

    “Information security is a key Board responsibility. In today’s information economy, the confidentiality, availability and integrity of corporate information assets and intellectual property are more important for the long-term success of organisations than traditional, physical, tangible assets. This book is essential reading for security officers, IT managers and company directors to ensure they are prepared for, and can effectively manage, an information security breach, should it occur”.

