The ICO changes reporting on cyber incidents
The Information Commissioners Office (ICO) has recently changed the way that it is reporting on cyber incidents to provide a more useful insight in to the different types of issue they are seeing.
The ICO is reporting that between the months of April and June 2016 there were 50 cyber incidents, however these are only those that have been reported. As the new General Data Protection Regulations (GDPR)come into force requiring all incidents involving the loss of personal data to be reported, these figures are set to rise significantly, and so are the fines.
The top three types of cyber incidents:
- Access controls, not applying the correct/or using inadequate security settings resulting in unauthorised personnel being able to view or even extract personal information.
- Unauthorised data transfer (exfiltration)from a data controllers system to another location which was controlled by a hacker.
- Phishing emails which have tricked people into revealing personal information such as user names and passwords. This could be via attachments or website links which often appear authentic, but that either direct you to a hoax website where you are encouraged to enter personal information, or infect your systems and devices with malicious software. The ICO reports that CERT highlighted phishing emails in its annual report:
“… the UK National Computer Emergency Response Team (CERT-UK) report that phishing emails were the number one root cause of cyber incidents during 2015/16. In their predictions for the 2016/17 financial year, they warn about the potential for phishing campaigns to affect corporate networks.”
Vulnerability in code
The ICO has highlighted that vulnerabilities often occur in organisations who have written their own code. This legacy code, as it grows older, and the organisation larger, is not reviewed for vulnerabilities and in this case lead to several website attacks.
“In one case we investigated, an attacker utilised a Cross-Site Scripting (XSS) vulnerability in the code of the organisation’s website in order to ultimately obtain login credentials which allowed them access to members’ details… appropriate measures were not taken to check for vulnerabilities in the code, even as the code grew older and the organisation grew larger…”
The ICO advice is that there is no one single measure that will provide sufficient protection, but by employing several different measures you will create a better defence.
- Writing code using industry standard secure coding practices (e.g. OWASP guidance),
- Carry out regular code reviews,
- Regular security testing such as vulnerability scanning and / or penetration testing
- Maintenance – routine patches and updates
The ICO has issued a guide Protecting personal data in online services: learning from the mistakes of others, For organisations
Distributed Denial of Service (DDoS) attacks
The ICO reported fie incidents of DDoS between April and June 2016. These involved a large amount of traffic being driven to website which overloads it so that it ceases to work. This is often used as a distraction technique to facilitate other attacks in the background.
DDoS is increasingly being used as an extortion technique and can also be used as a distraction tactic in order to execute other attacks. CERT-UK advise that DDoS attacks are a particular problem for the financial sector, and predicts that 2016/17 will see the biggest DDoS attack ever.
Secure encryption for websites
Finally three incidents were reported by the ICO for failing to secure websites used for collection and transfer of personal data with HTTPS secure encryption.
It will be interesting to look at the recommendations from the ICO, especially in light of GDPR, as more and more incidents are reported and whether in the future they will consider using the government backed Cyber Essentials scheme as a base line security measure for all organisations registered with the ICO.
CERT UK annual report highlights that may of the attacks seen last year in the UK could have been prevented
“Crucially, the majority of cyber-attacks in the UK could have been prevented by taking simple steps; following the 10 Steps to Cyber-Security, attaining accreditation with the Cyber Essentials scheme and taking other preventative measures such as patching regularly and educating staff to the dangers.”
Read more from the ICO Data Security incident trends