
Industry News: ESG5

Know Your Breach: Adobe

The target: Adobe, an American computer software company.

The take: 7.5 million customer accounts which contained email addresses, account creation dates, subscription status, country and payment details.

The attack vector: A misconfigured Elasticsearch cloud database was left online without any password protection. This information could easily be used to launch sophisticated, targeted phishing attacks to trick users into giving further sensitive details.

When provisioning new systems or types of systems, care must be taken to ensure that appropriate and proportionate security measures are implemented, either by automated scanning or by manual review. Applying (and validating) robust controls to the technological tools employed is critical to secure operations.

Read more...

Financial Services Must Ensure Sufficient Cybersecurity to Cope with the Growing Speed of Change

2019-11-29

Yahoo Finance: At a time when trust has become central to the customer experience, KPMG cyber security practice leaders have told a roundtable that they believe financial services firms are demonstrating a commitment to trust through their cyber agendas. They said that amidst accelerating technological disruption, actively managing customer trust is presenting new revenue opportunities and challenges for financial institutions.

Read more...

Crypto-Related Fraud and Theft Resulted in $4.4B Loss in 2019

2019-11-27

Cointelegraph: In its “Cryptocurrency Anti-Money Laundering Report, 2019 Q3,” security research firm CipherTrace delved into the 120 most popular cryptocurrency exchanges’ compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements and analyzed patterns in crypto-related crimes.

Read more...

Cybersecurity Firm Buguroo Raises $11M to Build on Its Success in Europe and Latin America, Now Sets Its Sights on Global Expansion

2019-11-26

Cision: Madrid-based cybersecurity firm buguroo has secured $11 million in Series A funding to bring its Deep Learning based online fraud detection and prevention technology, combining behavioral biometrics, malware detection and device assessment, to more financial services customers.

Read more...

Cyberattack Potential Puts Pressure on Record Keepers

2019-11-25

Pensions & Investments: Record keepers are under pressure from retirement plan trustees and regulators to protect participant data in the U.K. after several companies such as Tesco PLC and British Airways PLC became targets of cyberattacks.

Read more...

Dell to Explore Sale of RSA Cybersecurity Unit

2019-11-25

Bloomberg: Dell Technologies Inc. is exploring a sale of RSA Security, a cybersecurity business it hopes could fetch at least $1 billion, including debt, according to people familiar with the matter.

Read more...

Renewed Calls for Dedicated Australian Cyber Minister and Cyber Leadership

2019-11-25

ZDNet: The Australian government should reinstate the position of Minister for Cybersecurity, according to multiple public submissions to the review of the nation's Cyber Security Strategy 2020.

Read more...

Asia-Pacific Cyber Security Market to Touch $48 Bn by 2025, Says Expert

2019-11-24

The Hindu: An industry-oriented workshop on ‘Cyber security technologies and applications’ organised at the Indian Institute of Information Technology (IIIT Sri City) gave a fresh outlook on the emerging opportunities in the sector as well as future global applications.

Read more...

Know Your Breach: Macy’s

The target: Macy’s, an American department store chain.

The take: First and last names, physical addresses, ZIP codes, email addresses, payment card numbers, card security codes and expiration dates.

The attack vector: The attackers used card skimming code, colloquially known as Magecart, to inject a malicious script into two pages on Macy’s website: the wallet page and the checkout page. Tampering with the scripts on the retailer’s website allowed attackers to ‘skim’ sensitive information as it was entered by customers and forward it to their own systems.

Any webpage where sensitive information is entered by the user is a prime target for hackers. Ensuring robust standards around critical nodes such as these is key to strong security practices.

Read more...

US Cybersecurity Firm Posts £1m Loss for Belfast Operation After Surge in Wage Bill

2019-11-21

The Irish News: The Northern Ireland division of US cybersecurity firm Proofpoint lost £1million last year on the back of a significant increase in salary costs, a new report produced by the company has shown.

Read more...

Financial Advisors Need to Put Cybersecurity Plans to the Test

2019-11-20

CNBC: Scott Van Den Berg, president of Century Management Financial Advisors, has added cybersecurity to the firm’s insurance coverage.

Read more...

Buyout Groups Behind on Cybersecurity Assessment – Report

2019-11-19

Private Equity News: Private equity firms know the importance of cybersecurity. But their awareness has not translated into widespread implementation, leaving many vulnerable to data breaches that have the potential to slash the value of their investments.

Read more...

Exclusive: UK's Labour Sticks to 'Basic' $20 Cyber defense After Attacks, Emails Show

2019-11-19

Reuters: Britain’s opposition Labour Party was using a $20-a-month “basic security” service to protect its website when hackers attempted to force it offline and temporarily slowed down online campaigning, according to internal emails seen by Reuters.

Read more...

The Countries That are Going to Emerge as Major Threats in the 2020s

2019-11-19

ZDNet: Cyber espionage has been going on pretty much since the dawn of the web, with Russia, China, Iran and North Korea generally seen as the countries most likely to be engaging in cyber-espionage campaigns against Western targets.

Read more...

Vista Equity Partners Acquires Majority Interest in Sonatype

2019-11-18

Private Equity Wire: The partnership with Vista will allow Sonatype to further fast-track growth and enhance its Nexus product portfolio. Several of Sonatype’s existing investors will retain a stake in the company.

Read more...

U.S. Investors Focus on Cybersecurity as Data Concerns Deepen

2019-11-15

WSJ: How good a company is at cybersecurity is joining factors such as greenhouse-gas emissions and directors’ pay when it comes to investors evaluating whether or not to buy in.

Read more...

Know Your Breach: InfoTrax

The target: InfoTrax, a Utah-based provider of IT systems for the Direct Sales industry.

The take: 1 million user records including Social Security Numbers, payment card information, bank account information, user names and passwords.

The attack vector: A vulnerability in InfoTrax’s public-facing website allowed the attacker to upload malicious code, which allowed remote control of the company’s website and servers. Inadequate security monitoring practices gave the attacker unrestricted and undetected access to 17 different systems over a period of two years. InfoTrax was only alerted when one of its servers ran out of storage space.

Robust monitoring standards are critical to detect not only intrusions, but any and all unusual activity that can indicate if IT systems have been compromised.

Read more...

Global Collaboration Stressed to Stave Off Cyber-attacks

2019-11-14

Tribune: Security experts have cautioned nations that major cyber-attacks may happen around the globe in the near future, which may force governments and private sector to seek international help in an effort to take back control of their systems from hackers.

Read more...

Why Cyber-Risk Is a C-Suite Issue

2019-11-12

DARKReading: In a global study of more than 2,200 organizations across 22 different countries, NTT Security's 2019 Risk:Value research found that cyberattacks (43%), data loss or theft (37%), and attacks on critical infrastructure (35%) — aimed particularly at telecoms and energy networks — concern respondents the most.

Read more...

Bank of Canada Unveils Tool to Help Sound Financial Institutions Endure Liquidity Shocks

2019-11-12

Reuters: Under the Standing Term Liquidity Facility (STLF), eligible provincially and federally regulated members of Payments Canada challenged by idiosyncratic shocks like natural disasters, system failures, and cyber attacks would be given access to central bank liquidity for a 30-day term, renewable at the Bank of Canada’s discretion.

Read more...

Notorious Hackers Claim Responsibility for Labour Cyber Attacks and Threaten to Target Corbyn's Family

2019-11-12

Independent: Lizard Squad, which has previously targeted singer Taylor Swift and video game companies, said that it used a distributed denial of service (DDoS) tool in an attempt to knock the party's digital platforms offline.

Read more...

The Global Cybersecurity Market was Valued at USD 118.78 Billion in 2018, and is Expected to Reach USD 267.73 Billion by 2024

2019-11-11

Cision: The global cybersecurity market was valued at USD 118.78 billion in 2018, and is expected to reach USD 267.73 billion by 2024, registering a CAGR of 14.5%, during the period of 2019-2024. The rise in trend for IoT, BYOD, AI and machine learning in cybersecurity is increasing. For instance, machine learning provides advantages in outlier detection, much to the benefit of cybersecurity. Machines can handle billions of security events in a single day, providing clarity around a system's activity and flagging anything unusual for human review. 

Read more...

More Data Breaches: Aussie Banks to Cop New Warning

2019-11-11

Channel News: Australian banks have received a warning from the nation’s peak financial regulator to improve their poor “cyber hygiene”, following revelations that there have been some 36 significant data breaches in just four months.

Read more...

Cybersecurity Firm ForeScout to Explore Potential Sale

2019-11-11

Bloomberg: Cybersecurity company ForeScout Technologies Inc. is exploring strategic options, including a possible sale, after activist investors built a stake, according to people familiar with the matter.

Read more...

Know Your Breach: First American

The target: First American Financial Corp, a Fortune 500 real estate title insurance giant.

The take: 885 million files, including records of wire transactions with bank account numbers, bank statements, mortgage records, tax documents, Social Security numbers and driver’s licenses.

The attack vector: FA’s webserver assigned each sensitive document a unique web link. However, incrementing the ID number in the link returned other, unrelated documents to any user accessing the site via the web, with no authentication necessary.

‘Security by obscurity’ has no place in the 21st century – it is altogether insufficient to rely on the presumed inability of an attacker to locate sensitive resources left exposed to the public web. Any data which is not for public consumption must be protected with a secure authentication system to ensure that it can only be accessed by the intended audience.

Read more...

How Investors Can Better Gauge Corporates’ Cyber Risks

2019-11-07

AsianInvestor: A lack of adequate cyber security can have a huge impact on investment performance, so asset owners should take action to minimise such risks within their portfolio companies, says a new report by two British pension funds, with clear implications for their peers elsewhere.

*Full article will require sign-in registration

Read more...

North Korean Hackers Allegedly Targeted Indian Space Agency

2019-11-07

ITPro: At least five critical Indian government agencies have been reportedly targeted by North Korean hackers in recent months, including its atomic regulatory board and space agency.

Read more...

Drawbridge Partners Expands Cybersecurity Offering

2019-11-07

Hedgeweek: DrawbridgeConnect-R continuously analyses a firm’s vulnerabilities – rather than providing a mere point in time vulnerability assessment – and helps firms identify, prioritise and remediate organizational cybersecurity weaknesses that leave data at risk.

Read more...

Most Organizations Plan to Increase Their Cybersecurity Budgets in 2020

2019-11-06

Help Net Security: With the perpetually shifting threat landscape, most organizations (over 90%) believe that the cyber threat landscape will stay the same or worsen in 2020, according to FireEye.

Read more...

After Brexit, Europe Wants Cybersecurity Pact with UK

2019-11-06

ZDNet: The UK's twice-delayed departure from the European Union is still dependent on an exit deal being agreed by Parliament. Once this is done, the country currently has until the end of 2020 to agree on its future relationship with Europe.

Read more...

Super Fund Merger Mania Could Risk Members’ Data

2019-11-05

InvestorDaily: The white paper, Keeping Our Money Safe: Data and Security of Payments in 2020 and Beyond, from InPayTech has forecast pay-tech vendors catering to the super sector will need to be aware of evolving customer experiences and expectations around data security. 

Read more...

Companies Should Disclose Cybersecurity Risk Management Efforts

2019-11-04

Help Net Security: Research finds that when one company experiences a cybersecurity breach, other companies in the same field also become less attractive to investors. However, companies that are open about their cybersecurity risk management fare significantly better than peers that don’t disclose their cybersecurity efforts.

Read more...

Know Your Breach: SingHealth

The target: SingHealth, Singapore’s largest group of healthcare organizations.

The take: 1.5 million patient records which included: names, prescriptions, medical records, government registration numbers, addresses and dates of birth.

The attack vector: According to early reports, the source of the breach was a phishing campaign; however, security researchers’ leading hypothesis was that the attack originated through SingHealth’s failure to keep its software updated. The company used an open source penetration testing application called Ruler. However, it ignored an available patch for Ruler which addressed a known vulnerability, and this led to the hackers gaining access.

Regular and rigorous attention to security updates must be applied to ensure maximum safety of a company’s IT systems – especially where it pertains to tools used to assess the security of internal systems and the effectiveness of technical controls.

Read more...