The Ivanti Threat Thursday Update for September 7, 2017: Equifax Breached, Locky Returns, China Regulates

Greetings. This week, credit reporting giant Equifax gets breached, Locky ransomware attacks resurface, plus new and forthcoming international regulations and their potential effects on your cybersecurity efforts. As always, feel free to share any opinions, reactions, suggestions, or tips. Thanks in advance.

Equifax Breached – Personal Information at Risk for More Than 140 Million People

On September 7, credit reporting company Equifax announced “a cybersecurity incident potentially impacting approximately 143 million U.S. consumers.”

  • “The information accessed primarily includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. In addition, credit card numbers for approximately 209,000 U.S. consumers, and certain dispute documents with personal identifying information for approximately 182,000 U.S. consumers, were accessed.”
  • The company “also identified unauthorized access to limited personal information for certain UK and Canadian residents,” but has so far “found no evidence that personal information of consumers in any other country has been impacted.”
  • The “unauthorized access,” discovered on July 29, “occurred from mid-May through July 2017,” via “a U.S. website application vulnerability.” “The company has found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”

What We Say: Personally, you and everyone you know should immediately visit https://www.equifaxsecurity2017.com/, to find out if you were likely affected and to enroll in Equifax’s credit monitoring service at no cost. Professionally, you and your team should use this incident to remind your executives that if it can happen to Equifax, it can happen to your enterprise. You must then pursue or accelerate your pursuit of a cybersecurity strategy that enables your enterprise to discover, prevent, detect, and take action to combat and remediate threats and attacks of all types, from anywhere. (See “Infected by Ransomware—Now What?”)

Locky: It’s Baa-ack – Although It Never Really Left

Locky, perhaps the most prolific ransomware seen in 2016, had been relatively rare this year. That changed days ago, when, as ZDNet reported, more than “23 million messages containing Locky were sent in just 24 hours on 28 August, with the attacks spiking in time to hit US workers as they arrived at their desks on Monday morning.”

  • “Millions of emails were sent with subjects such as ‘please print’, ‘documents’ and ‘scans’ in an effort to spread Locky ransomware.”
  • Those who click on the link in the phishing emails download a copy of Lukitus, the latest Locky variant, which then encrypts all their files and presents “a ransom note demanding 0.5 bitcoin ($2,300/£1800) in order to pay for ‘special software’ in the form of a ‘Locky decryptor’ in order to get their files back.”
  • This latest attack was discovered by researchers at email and web security company AppRiver. They describe it as “one of the largest malware campaigns…seen in the latter half of 2017.”
  • A wave of Locky-infected phishing emails has also crested in India. As The Economic Times reported, the Indian Computer Emergency Response Team (iCERT) advised all users to avoid emails with suspicious attachments, and all companies to “deploy anti-spam solutions and update spam block lists.”

What We Say: Malefactors will continue to use cybersecurity attack methods as long as they work. And they will continue to work as long as legitimate users can be duped into clicking on malicious links. To maximize protection at your enterprise, you need to combine comprehensive, multi-layered defenses, rapid, comprehensive remediation, and engaging, frequent user education. (See “Your Threats Are Evolving. Are Your Defenses?” and “User Education for Cybersecurity: Yes, It’s Worth It.”)

Survey: The GDPR is Coming — and the C-Suite is Not Ready…

Cybersecurity solutions vendor Trend Micro announced the results of an online survey of more than 1,100 IT decision makers from businesses in 11 countries, conducted by Opinium Research. Based on the results of that survey, the imminent advent of the United Kingdom’s General Data Protection Regulation (GDPR), scheduled to take effect on May 25, 2018, looms largely unaddressed at many enterprises.

  • 95 percent of respondents know they need to comply with the GDPR, 85 percent have read the GDPR requirements, and 79 percent “are confident their data is secure.”
  • Almost 67 percent of respondents “are unaware of the extent of GDPR fines” for non-compliance. Those fines can be as high as four percent of an enterprise’s annual revenues. Despite this, one in five respondents “claim that a fine ‘wouldn’t bother them.’”
  • 64 percent of respondents “were unaware that a customer’s data of birth constitutes as PII,” the Personally Identifiable Information the GDPR specifically intends to protect. 42 percent wouldn’t classify email marketing databases as PII, 32 percent don’t consider physical addresses and 21 percent don’t see a customer’s email address as PII, either.”
  • “Of those surveyed, 31 percent believe the CEO is responsible for leading GDPR compliance, whereas 27 percent think the CISO and their security team should take the lead. However, only 21 percent of those businesses actually have a senior executive involved in the GDPR process.” 65 percent of respondents have their IT departments leading the charge toward GDPR compliance, “while only 22 percent have a board level or management member involved.”
  • “GDPR mandates that businesses must implement state-of-the-art technologies relative to the risks faced. Despite this, only 34 percent of [respondents] have implemented advanced capabilities to identify intruders, 33 percent have invested in data leak prevention technology and 31 percent have employed encryption technologies.”

What We Say: Your enterprise should view regulations such as the GDPR as floors, not ceilings — minimum requirements, not goals to be achieved. Already modernizing your IT and cybersecurity solutions according to proven guidelines from respected bodies such as the Center for Internet Security (CIS)? Then you have little to fear from the GDPR or any other regulations. If your enterprise is not yet pursuing such a course, consider using the advent of the GDPR and other regulations as motivation and incentive to begin doing so as soon as possible. Modern, proactive, multi-layered protections that enable you to discover, prevent, detect, and take action are the best defenses, against both threats and challenging regulations. (See “Could You Be More GDPR-Ready with Some Course Corrections?” and “Is GDPR More About PR Than Data Protection? Ivanti Chief Technologist EMEA Simon Townsend Responds.”)

Report: China’s New Cybersecurity Law Has Threats of Its Own

While the UK’s GDPR garners increasing attention, another sweeping set of cybersecurity regulations is poised to challenge companies around the world. Threat intelligence solution provider Recorded Future published a post by its Insikt Group research arm. The title of that post? “China’s Cybersecurity Law Gives the Ministry of State Security Unprecedented New Powers Over Foreign Technology.”

According to Insikt Group, China’s new national cybersecurity law gives “broad powers” to the China Information Technology Evaluation Center (CNITSEC), “an office in China’s premier foreign intelligence service, the Ministry of State Security (MSS).” The law empowers CNITSEC and other “network information departments” to conduct “national security reviews” of “technology that foreign companies want to use or sell in the Chinese market.”

The CNITSEC-MSS-Chinese government connection will create two key challenges for companies outside of China, Insikt Group says. It will “possibly allow [the government] to identify vulnerabilities in foreign technologies that China could then exploit in their own intelligence operations.” It will also force non-Chinese companies to choose between “giving their proprietary technology or intellectual property to the MSS and being cut out of the mainland Chinese information technology market, which is projected [by Forrester Research] to reach $242 billion in 2018.”

What We Say: If your company is concerned about protecting “proprietary technology or intellectual property,” your IT, cybersecurity, and legal teams have much work to do. However, whatever business your enterprise pursues, if you want to do business in China, you’ll need the best possible cybersecurity you can manage for full compliance with that country’s new cybersecurity laws. Like the GDPR, China’s law focuses on protection of PII. And as is true about the GDPR, China’s new law provides incentive and motivation for your company to modernize its IT and cybersecurity to maximize its protections of critical, personal, private, and proprietary information. (See “IT Security & Service Management: The Intersection of Safe and Supported.”)

Modernize Your Cybersecurity. Ivanti Can Help.

Your enterprise cannot keep pace with evolving threats or regulations if your cybersecurity can’t deliver defense in depth. Ivanti can help you to control user applications, devices, and admin rights, patch your client and server systems faster and more consistently, combat and remediate malware attacks more effectively, and improve IT reporting and analytics.

Through September, you can get select combinations of Ivanti cybersecurity offerings at discounts of up to 30 percent. Check out the offer details. Get free trials of our patch management solutions. Then, contact Ivanti to begin or accelerate your journey toward more and better cybersecurity. (And let our Patch Tuesday and Threat Thursday updates help you keep pace with those evolving threats, regulations, and technologies.)