British Council Students’ Data Exposed in Major Breach

Read Time:2 Minute, 10 Second

British Council Students’ Data Exposed in Major Breach

Hundreds of thousands of British Council students had their personal and login details exposed in a worrying data breach, according to an investigation by Clario researchers.

The team discovered an open Microsoft Azure blob repository indexed by a public search engine that held 144K+ of xmal, json and xls/xlsx files, with no authentication in place. These contained sensitive information about hundreds of thousands of students that had enrolled on British Council courses across the world. This included students’ full names, email addresses, student IDs, notes, student status, enrollment dates and study duration. It is not known how long this information was available online in public.

The breach was discovered on December 5 2021, and Clario informed the British Council as soon as they had confirmed their findings. However, they received no response. After 48 hours, contact was made via Twitter, and Clario engaged in regular communication with the organization via direct messages on the platform.

Two weeks later, on December 21, the British Council issued the following statement: “The British Council takes its responsibilities under the Data Protection Act 2018 and General Data Protection Regulations (GDPR) very seriously. The privacy and security of personal information is paramount.

“Upon becoming aware of this incident, where the data was held by a third-party supplier, the records in question were immediately secured, and we continue to look into the incident in order to ensure that all necessary measures are and remain in place.

“We have reported the incident to the appropriate regulatory authorities and will fully cooperate with any investigation or further actions required.”

Clario stated: “Although they were not responsible for the data breach, errors made by the data provider they decided to work with have exposed these student details. This suggests that they need to be more rigorous in terms of how they select and work with third parties.”

British Council students have been warned that the breach may put them at risk of various scams, such as phishing and identity theft.

The British Council is a non-departmental public organization that aims to connect people in the UK and other countries through culture, education and the English language. In 2019-20, it connected with 80 million people directly and 791 million overall, including online and through broadcasts and publications.

At the end of last year, official data obtained from a Freedom of Information request revealed that the council had fallen victim to two successful ransomware attacks over the past five years, suffering a total of 12 days of downtime as a result.

Read More

What Is IaC and Why Does It Matter to the CISO?

Read Time:6 Minute, 44 Second

Many vendors and security companies are buying or building Infrastructure as Code (IaC) security into their portfolios, and this trend is only expected to continue. Here’s what you need to know.

Infrastructure as code (IaC) is a relatively new phenomenon that is revolutionizing the way organizations manage their infrastructure.

IaC offers many benefits to security leaders, including speed, consistency, accountability, scalability, reduced costs and more, which is why it is emerging as such an integral part of building on the modern cloud.

It’s important for CISOs and DevOps teams to see IaC as the connected link between cloud computing and DevOps success, as it enables businesses to innovate with confidence and strengthens infrastructure management processes.

Understanding how IaC works, its best practices and benefits are all crucial to leveling up your security programs and boosting agile software development. By leveraging IaC as both a strategy and a solution, CISOs and DevOps teams can align security with business goals.

Investing in an IaC strategy boosts the overall productivity of a business while maintaining security posture. This prevents misconfigurations, non-compliance policy violations and other cloud security risks, giving development teams more time to develop, deploy and scale with greater speed, visibility and flexibility. As a vital DevOps practice, IaC is still emerging and evolving within the cloud security realm.

What is Infrastructure as Code (IaC)?

According to Tech Target, infrastructure as code is “an IT practice that codifies and manages underlying IT infrastructure.”

Infrastructure as code emerged as a strategic approach for development teams looking to manage and maintain their infrastructure without the hassle of manually provisioning.

How does IaC work and what problems does it solve?

Managing IT infrastructure is an arduous process. It requires people to physically put the servers in place, configure them and then deploy the application. This time-consuming manual process often results in numerous discrepancies, impedes agility and, ultimately, proves costly for businesses. Corporations are forced to spend a fortune annually on building and maintaining huge data centers and hiring a plethora of engineers and other employees to manually provision the infrastructure.

To combat this, cloud computing was introduced, providing enterprises with a new approach that offered flexibility and scalability. Today, cloud computing is a booming industry, helping organizations accelerate innovation and scale at large.

Given the shift to remote work in light of the COVID-19 pandemic, more and more businesses have chosen to adopt the cloud. Currently, more than 90% of businesses use cloud computing. As a critical solution, it has rapidly changed the way people do business. Infrastructures can now be managed over networks, offering more flexibility and faster deployment for businesses. Additionally, with cloud systems, development teams can improve security, speed and software testing, increase productivity and efficiency, reduce costs and improve delivery.

Providing a myriad of benefits for businesses and cloud users alike, cloud computing continues to be an essential pillar of digital transformation. However, it does pose some serious security risks.

Cybercriminals looking to steal sensitive data and other pertinent information could potentially breach the cloud server, wreaking havoc on businesses and their customers. In 2021, more than 40 billion records were exposed, as a result of cloud-based data breaches. Just last year, social media giant Facebook had 533 million records exposed from users in 106 countries, according to Business Insider.

Additionally, infrastructure misconfigurations caused by human error can provide pathways for cybercriminals to launch attacks. Misconfigurations can expose networks and cause configuration drifts.

Therefore, a solution is needed which allows developers to manage their infrastructure through automation, while minimizing potential new security risks. This is where infrastructure as code comes in.

IaC involves using software tools to automate specific tasks through a version control system. This means that your infrastructure can be written and described in code, and this code can be executed to make changes to your infrastructure. In IaC, there are two approaches to writing the code:

Declarative approach. This is often the preferred approach of the two because of the flexibility it offers, this approach involves users only defining the end or “desired” state. Meanwhile, the tool or platform being used takes care of the steps needed to achieve the end result.

Imperative approach. This approach involves users specifying the specific commands needed to achieve the end or “desired” state. In this approach, the platform or tools do not deviate from those specific commands.

By adopting an IaC approach, organizations can accelerate innovation and build products that efficiently meet their customers’ needs in a timely and seamless manner. However, the speed at which development teams are rapidly pushing out new products and features is outpacing security. Therefore, it is critical that the security pace keeps up. More specifically, CISOs, who are responsible for the security of an enterprise, need a security solution that enables DevOps teams to continue production while applying security practices to reduce cyber risks and misconfigurations. And IaC provides the mechanism to do it.

Five benefits of IaC

Leveraging IaC as both a strategy and solution can help you achieve your security goals, as it provides several benefits for your business, including speed, scalability, consistency, accountability and reduced costs.

Speed. The most important benefit of IaC is speed. One of the CISO’s primary responsibilities is to protect the enterprise while simultaneously driving growth. By adopting an IaC security solution, productivity can get a boost, allowing for quick turnarounds, enabling businesses to meet customer’s requests and needs. Instead of spending time manually provisioning and increasing the likelihood of misconfigurations due to human error, development teams can quickly provision and configure infrastructure, speeding up the entire software development lifecycle, all while minimizing security risks by adopting IaC security.
Scalability. When demand for products or services increases, businesses need to be able to scale quickly and efficiently. The same applies to security. As businesses continue to grow and evolve, so, too, must their security processes evolve. New security tools and technologies will be used to accelerate innovation and CISOs are responsible for evaluating and consolidating these tools. By employing IaC tools, development teams can build environments to test new applications and get products or new features to the market faster with security embedded throughout the entire process.
Consistency. Generally, CISOs are responsible for ensuring security policies are being met. Therefore, they must ensure that documentation is up to date as outlined in the policies. By adopting IaC, CISOs can eliminate the documentation process because all the infrastructure is defined as code. IaC increases consistency and significantly reduces errors that often happen because of manual misconfigurations. It minimizes the potential for configuration drift and reduces the risk of cyberattacks that might occur because of manual provisioning.
Accountability. IaC enables CISOs to track any changes that have been made to any source code file. You no longer have to guess which person made a change and when they made that change throughout the software development lifecycle. Thus, making it easier for CISOs and security leaders to hold DevOps teams accountable for changes.
Reduced costs. IaC significantly reduces the cost of infrastructure management. Businesses can save money on hardware and equipment and the costs of hiring people to operate the hardware and equipment and building or renting the physical space to store it. Additionally, by employing cloud computing with IaC, businesses can reduce security risks, which, in turn, can save a fortune on “recovery costs” from a data breach or other form of cyberattack.

Conclusion

At Tenable, we recognize the value of embracing IaC as a way for organizations to innovate in the cloud with confidence. We deliver an integrated, end-to-end security solution to help organizations better protect their cloud environments. It provides a complete picture of cyber risks across the modern attack surface, with unified visibility into code, configurations, assets and workloads. Learn more about Tenable.cs and how our platform enables DevSecOps with integrated controls for development and runtime workflows, focused on IaC.

Learn More

Read the blog: Introducing Tenable.cs: Full Lifecycle, Cloud Native Security

Download the whitepaper: Using Auto Remediation to Achieve DevSecOps

Read More

UK/US data protection claim highlights ambiguity of GDPR’s geographic scope

Read Time:29 Second

A decision by the UK Court of Appeal to allow a claim for contravention of the European Union’s General Data Protection Regulation (GDPR) to be served against US defendants has raised questions over the territorial limits of the regulations. The case emphasizes the broad geographic applicability of both the EU GDPR and the UK GDPR and the interpretations that exist. The UK Court of Appeal suggested that the UK’s independent information rights authority, the Information Commissioner’s Office (ICO), should assist in the case.

To read this article in full, please click here

Read More

Alpha-Omega Project takes a human-centered approach to open-source software security

Read Time:21 Second

The Log4j vulnerability crisis that erupted in late-2021 heightened the security world’s awareness of supply chain risks in free and universally deployed open-source software. Following an intense holiday season push by admins and cybersecurity professionals to track and remediate the Log4j flaw, the White House held a meeting of industry leaders to discuss improving open source software security.

To read this article in full, please click here

Read More

Quantum computing brings new security risks: How to protect yourself

Read Time:6 Minute, 28 Second

This blog was written by an independent guest blogger.

Although commercial quantum computing may still be decades away, government agencies and industry experts agree that now is the time to prepare your cybersecurity landscape for the future. The power of quantum computing brings security complexities that we are only beginning to understand.

Even now, our cybersecurity climate is getting hotter. The average cost of a data breach reached an all-time high in 2021, and the attack vector grows larger by the minute. There has been a significant increase in the number of connected devices used to access business email and intranet since more organizations have transitioned to remote and hybrid work models.

With quantum computing looming in the not-so-distant future, the way that we think about encryption will need to evolve. Most of our current online privacy protocols utilize cryptography to maintain privacy and data integrity. However, the complex math behind creating encryption keys is no match for the power of quantum computers.

Although IBM hopes to make a 1,000-qubit machine by 2023, widespread adoption of quantum computing is still decades away. Take advantage of this time to develop the cybersecurity infrastructure that your organization needs to prepare for the future of quantum computing.

What is quantum computing?

Quantum computing focuses on developing computer technology based on principles that describe how particles and energy react at the atomic and subatomic levels. Today’s computers encode information in 1’s and 0’s. Quantum computing says that information can be encoded simultaneously in more than one place.

While the science is a bit muddy for those who are not quantum theory experts, we can all agree that quantum computing is faster than any other computing technology. In fact, the quantum computer that is in development at Google is 158 million times faster than the world’s fastest computer today.

Digital transformation has already spurred an increase in demand for web designers and developers, and web development is one of the fastest-growing career fields in the United States right now. In the future, quantum computing has the potential to contribute to finance, military intelligence, pharmaceutical development, aerospace engineering, nuclear power, 3D printing, and so much more.

What are the security risks?

The most significant impending security risks associated with switching over to quantum computers are related to cryptographic encryption. The global internet economy relies on cryptography as the foundation for a secure network. The complex algorithms used to create public and private keys to decrypt encrypted data do not hold up in a quantum environment.

The basic idea behind cryptographic encryption is that anyone who wishes to read an encrypted file must have the key, or code, to unlock it. The longer the key, the longer it takes for a computer to crack, and the more secure your files are.

To put this in perspective, it took a group of 300,000 people and four years of work to crack a 64-bit key in 2002. With 128-bit key encryption, it could take trillions of years to find a matching key.

Recently, the NIST raised the industry standard for key length protocol from 128 bits to 256 bits to increase security and prepare users for the future of quantum computing.

But cryptography is only one piece of the puzzle. Even if you implement the most secure encryption and signing practices, it won’t stop someone from opening a malicious file attachment or clicking on a misleading link. Software flaws, misuse of access, and other human-related problems could cost companies an unfathomable fortune in the quantum age.

How to protect yourself

Several technologies such as 5G, machine learning AI, and quantum computing have made huge advancements toward digitization. But, often, new technology rolls out before all of the kinks have been discovered and resolved. You could say that we are experiencing this problem with legacy cybersecurity systems.

Since the theory behind quantum computing will make our current encryption protocols obsolete, organizations should focus on creating a unified cybersecurity ecosystem to monitor the network, discover vulnerabilities, and mitigate security issues.

Here are a few things companies can do to protect themselves from future risks:

Adopt industry security standards

COVID-19 forced the world to find new ways to communicate, work, and conduct business, with most people finding their “new normal” by using digital online tools and connected devices. This influx of new internet users increased digital deployments, and the advent of the remote work movement caused security vulnerabilities for businesses and consumers to rise significantly. 

The NIST’s new industry standards say that the encryption strength of your keys should be at least 128 bits for low-impact data, 192 bits for moderate-impact data, and 256 bits for high-impact information.

In addition, achieving ISO compliance also helps protect your organization by requiring cybersecurity tools for asset discovery, vulnerability assessment, continuous security monitoring, and event reporting.

Implement Zero Trust

Meeting industry security standards, mandated or not, will help you with the technical side of cybersecurity, but implementing zero-trust authentication protocols can help to reduce risks associated with human error.

Scammers are clever, and they tend to use social engineering tactics to build trust with their intended victims so that it is easier to exploit them for their credentials, money, or data. Phishing and spoofing attacks are popular forms of social engineering where an attacker pretends to be a trusted user to infect a network with malware or get their hands on high-level login information.

Phishing and spoofing attacks can be highly covert. In fact, a whopping 30% of phishing emails and SMS messages get opened by targeted users. Another 12% of those users click on the malicious attachment or link.

Zero-trust protocols help reduce the impact of phishing and other social engineering attacks by delegating privileges based on necessity instead of position in a company. This protects crucial data from leaking out in case credentials are breached since no one individual is trusted with “the keys to the kingdom,” so to speak.

Deploy automated tools

Many cybersecurity protection procedures are meant to diffuse the impact that human error can have on an organization. Manually scanning your network, mitigating vulnerabilities, and responding to data breaches opens the door to more mistakes as well as putting a limit on productivity.

That’s why organizations at the cutting edge of security choose to deploy automated tools to help them maintain the integrity of their network. Not only do automated tools work at higher speeds, but they can also analyze data with incredible detail within a timeframe that humans can’t match.

A recent study about cybersecurity adoption reported that 95% of businesses have already automated some cybersecurity processes. The report also highlighted that 98% plan to automate even more of their manual security processes in the upcoming year. This also implies that businesses that don’t automate their security protocols could lag behind.

Implement managed threat detection

Transitioning to a quantum-resistant cybersecurity plan sounds intimidating, which is why it can be helpful to have skilled experts on your side. The best way to ensure that your cybersecurity ecosystem remains intact is to implement managed threat detection through a trusted company. A managed threat detection and response service can help you arm your business with high-quality security tools and provide continuous monitoring and response support when you need it the most.

Wrapping up

Quantum computing will change everything from apps to internet search, web development, cybersecurity, and beyond. It’s wise to stay one step ahead of current technology trends so that when new features are released, your organization is already equipped with the knowledge and tools it needs to weather the dawning of a new age.

Read More

Data Leak Exposes IDs of Airport Security Workers

Read Time:1 Minute, 32 Second

Data Leak Exposes IDs of Airport Security Workers

A cloud misconfiguration at a leading security services multinational has exposed the details of countless airport staff across South America, according to a new report.

A team at AV comparison site Safety Detectives found an Amazon Web Services S3 bucket wide open without any authentication required to view the contents. After notifying the owner, Swedish security giant Securitas, on October 28 2021, the firm secured the database a few days later on November 2.

Inside the 3TB trove, the researchers found personally identifiable information (PII) on Securitas and airport employees dating back to November 2018.

At least four airports across Peru (Aeropuerto Internacional Jorge Chávez) and Colombia (El Dorado International Airport, Alfonso Bonilla Aragón International Airport, and José María Córdova International Airport) are impacted.

Safety Detectives is not sure exactly how many workers are affected, but claimed the S3 bucket contained around 1.5 million files.

These include photos of ID cards featuring full names, occupations and national ID numbers, as well as other miscellaneous photos of employees, planes, luggage and more. The bucket was apparently live and being updated at the time of its discovery.

If found by threat actors, the database could have enabled not only follow-on identity fraud and scams, but far more serious criminal acts, Safety Detectives warned.

“Photos of IDs and employees could allow criminals to impersonate various members of staff – employees that can gain access to restricted areas of the airport, such as luggage-loading areas and even planes,” it said.

“Criminals could even use leaked data to create counterfeit ID cards and badges. A criminal could further strengthen their appearance as a legitimate employee by downloading leaked mobile apps.”

Colombia in particular has a history not only of serious organized crime but also guerrilla warfare groups plotting to destabilize the country.

Read More

FBI: Olympic Athletes Should Leave Devices at Home

Read Time:1 Minute, 42 Second

FBI: Olympic Athletes Should Leave Devices at Home

US law enforcers are urging participants at the Beijing Winter Olympics to leave their devices at home after warning of potential state-backed and cybercrime activity at the event.

An FBI alert issued yesterday claimed it was aware of no specific threat to the games but urged “partners” to remain vigilant.

While strict Communist Party COVID restrictions mean no foreign spectators will be allowed to attend the Olympics or Paralympics, athletes could be targeted, the Feds warned.

“The FBI urges all athletes to keep their personal cell phones at home and use a temporary phone while at the games. The National Olympic Committees in some Western countries are also advising their athletes to leave personal devices at home or use temporary phones due to cybersecurity concerns at the games,” the notice read.

“The use of new digital infrastructure and mobile applications, such as digital wallets or applications that track COVID testing or vaccination status, could also increase the opportunity for cyber actors to steal personal information or install tracking tools, malicious code, or malware. Athletes will be required to use the smartphone app, MY2022, which will be used to track the athletes’ health and travel data.”

Alongside the potential for Chinese agents to spy on participants and other attendees, the FBI warned of the risk of disruption by third parties, who could target broadcasters, hotel networks, transport providers, ticketing services, event security and other Olympic support functions.

It cited the last event in Pyeongchang, South Korea, four years ago where Russian state actors managed to cause significant disruption to the official website and media center.

However, the reality is that few hostile nations will want to spoil China’s party, given the potential geopolitical repercussions, and Beijing will be marshaling all of its resources to keep cybercrime actors at bay.

That said, the FBI has released a set of recommended best practices for organizations and individuals with a presence at the event to mitigate network, remote working, ransomware and social engineering threats.

Read More

CISA Tells Organizations to Patch CVEs Dating Back to 2014

Read Time:2 Minute, 10 Second

CISA Tells Organizations to Patch CVEs Dating Back to 2014

The US government has added eight more vulnerabilities to its growing list of CVEs that must be patched by federal agencies, including some that first appeared eight years ago.

The Cybersecurity and Infrastructure Security Agency (CISA) first launched its Known Exploited Vulnerabilities Catalog in November 2021 as part of a government effort to enhance cyber-resilience.

The Binding Operational Directive (BOD) 22-01 that enabled it applies only to civilian federal agencies, but all organizations are encouraged to monitor the list on an ongoing basis as part of best practice security efforts.

The latest eight additions to the catalog include two that must be patched by February 11: a memory corruption vulnerability in Apple’s IOMobileFrameBuffer (CVE-2022-22587) and a stack-based buffer overflow bug SonicWall SMA 100 appliances (CVE-2021-20038).

Interestingly, while two of the remaining six CVEs were first discovered and published to the National Vulnerability Database (NVD) in 2020, four come from several years earlier.

These include two arbitrary code execution vulnerabilities in the GNU’s Bourne Again Shell (Bash) Unix shell and command language, from 2014 (CVE-2014-7169 and CVE-2014-6271).

Also, from 2014 is an Internet Explorer use-after-free bug (CVE-2014-1776).

The final CVE on the new list is a privilege escalation vulnerability in Intel’s Active Management Technology (AMT), Small Business Technology (SBT), and Standard Manageability offerings. It was first published back in 2017.

Aside from the Apple and SonicWall flaws, all those on the list must be patched by July 28 2022.

Their inclusion in the catalog is proof again that threat actors often favor older CVEs that have been forgotten about rather than spending the time and resource researching zero-days.

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber, argued that IT teams find it increasingly difficult to stay on top of a mounting patch-load, never mind fixing bugs from several years ago.

“We have a couple of options. Either we hire more people to remediate vulnerabilities and mitigate risk. Or we can be more efficient with the people, resources and tools we already have,” he added.

“The only way the cybersecurity industry will be able to reduce an increasingly concerning accumulation of risk and associated cyber-debt will be through a risk-based approach to vulnerability prioritization and a well-orchestrated approach to risk mitigation. It isn’t easy, but it is possible if leaders make cyber-hygiene and risk management a priority.”

CISA now has over 350 vulnerabilities in its “must-patch” catalog.

Read More

News, Advisories and much more

Exit mobile version