Weekly CyberTip: Update your security policies regularly
As we see in today’s news from the U.K., problems can arise when IT policies don’t evolve with the times. Reflect on your own security framework: you should conduct a documented review of your IT policies at least once a year. Consider any new processes, technologies, or regulatory requirements that may have emerged since the previous review. Consider recent or impending organizational changes, new work arrangements, and new third-party arrangements. Consider the changing threat landscape and how it could affect you. Keeping your policies up to date reduces confusion, maintains compliance, and mitigates risk.
LastPass discloses data breach
On August 25, LastPass – a password manager service with over 25 million users worldwide – disclosed that they had suffered a data breach involving source code and proprietary technical information. In a blog post, LastPass CEO Karim Toubba explained that, after detecting unusual network activity in their development environment two weeks earlier, LastPass launched an investigation that confirmed the breach. “[A]n unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account,” advised the notice.
There is no evidence to suggest that user passwords or other sensitive data were disclosed in the incident. “We utilize an industry standard Zero Knowledge architecture that ensures LastPass can never know or gain access to our customers’ Master Password,” LastPass explained in its notice. “In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm… While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.”
LastPass also specifically emphasized that there was no compromise of their production environments. They do not recommend any action by users or administrators as a result of the incident, but reminded customers to follow best practices around the setup and configuration of their password managers.
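The “Zero Knowledge” claim above rests on a design in which the master password is only ever processed on the client: the vault encryption key and the credential sent to the server are both derived locally, so a compromise of server-side data (or of source code) does not yield anything that decrypts a vault. The example below is an added illustration of that general design and is not LastPass’s code or its actual parameters; the iteration counts, the domain-separation labels, and the HMAC-based keystream used in place of a real AEAD cipher are all assumptions made so it runs on the Python standard library alone.

```python
import hashlib
import hmac
import os

# Assumed client-side cost; a real product would tune this per its own guidance.
CLIENT_ITERATIONS = 600_000
SERVER_ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side only. The vault key is derived from the master password with
    the account email as salt and never leaves the user's device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS)


def derive_auth_hash(vault_key: bytes) -> bytes:
    """Client-side. A one-way derivation of the vault key is what gets sent to
    the server for login; the server cannot invert it to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, b"auth-label", 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy counter-mode keystream built from HMAC-SHA256 (stand-in for a real cipher).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys so a tag never leaks keystream material.
    return (hmac.new(vault_key, b"enc", "sha256").digest(),
            hmac.new(vault_key, b"mac", "sha256").digest())


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; the server only ever stores the returned blob."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, "sha256").digest()):
        raise ValueError("vault integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """What the service side holds: a salted hash of the auth hash plus the
    opaque encrypted vault. Nothing here can decrypt the vault."""

    def __init__(self) -> None:
        self.credentials: dict[str, tuple[bytes, bytes]] = {}
        self.vaults: dict[str, bytes] = {}

    def register(self, email: str, auth_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
        self.credentials[email] = (salt, stored)
        self.vaults[email] = blob

    def login(self, email: str, auth_hash: bytes) -> bool:
        salt, stored = self.credentials[email]
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, SERVER_ITERATIONS)
        return hmac.compare_digest(stored, candidate)


def demo(master_password: str = "correct horse battery staple",
         email: str = "user@example.com") -> dict:
    """Walk through registration, login, and what a server-side compromise yields.
    The master password and email are constructed sample values."""
    vault_key = derive_vault_key(master_password, email)
    auth_hash = derive_auth_hash(vault_key)
    blob = encrypt_vault(vault_key, b"site=example.com;user=alice;pw=hunter2")

    server = VaultServer()
    server.register(email, auth_hash, blob)
    salt, stored = server.credentials[email]

    # Anything the server holds, used as a key, fails the integrity check.
    leaked_decrypts = False
    for leaked in (auth_hash, stored, salt):
        try:
            decrypt_vault(leaked, server.vaults[email])
            leaked_decrypts = True
        except ValueError:
            pass

    return {
        "login_ok": server.login(email, auth_hash),
        "wrong_password_rejected": not server.login(
            email, derive_auth_hash(derive_vault_key("wrong", email))),
        "server_never_sees_vault_key": vault_key not in (auth_hash, stored),
        "leaked_material_decrypts": leaked_decrypts,
        "client_roundtrip_ok": decrypt_vault(vault_key, server.vaults[email])
                               == b"site=example.com;user=alice;pw=hunter2",
    }
```

The point to take from `demo()` is the division of knowledge: the server can authenticate the user and store the vault, but the only key that opens the vault exists on the client, which is why a breach confined to server-side material does not by itself expose customer secrets. Real products pair this with a proper AEAD cipher, secret-stretching parameters tuned to the threat model, and second-factor checks on login.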
U.K. cyber community urges updates to Computer Misuse Act
Under the banner “CyberUp”, a group of cybersecurity experts in the U.K. have issued an open letter to the incoming Prime Minister to rewrite a law dating back to the 1990s that they say is hindering their efforts to defend against hackers.
The open letter – posted September 5, shortly before Liz Truss was named PM – features signatories such as the Internet Services Providers’ Association; Ciaran Martin, a former CEO of the UK’s National Cyber Security Centre (NCSC); and representatives from a score of UK-based cybersecurity firms and interests.
Under the current Computer Misuse Act, any individual faces the risk of prosecution if they attempt to access a computer or computer material without authorization. Originally, the act sought to criminalize cyber attacks; however, it now has a chilling effect on “white hat” entities conducting routine scans of the Internet to ethically hunt for vulnerabilities before they are exploited, as well as making it illegal to scan leaked documents on the dark web to provide breach information to potential victims.
The open letter suggests widespread concerns over the lack of protections in the Act for legitimate cyber activity, and points to the current climate of heightened cyber threat as a reason to act quickly by reforming the Computer Misuse Act to include a statutory defense. Quoting statistics from a government survey, the letter points out: “The 2022 DCMS cyber security breaches survey found that 39% of businesses reported a cyber security breach or attack. Extrapolating those figures to the UK’s business population as a whole, last year, 2.3 million businesses were a victim of a computer misuse offence.” The letter also references the “increased cyber threat posed by our adversaries not least following Russia’s invasion of Ukraine,” as a significant concern.
Waterloo Region District School Board continues cyber incident investigation as classes begin
The Waterloo Region District School Board (WRDSB) is continuing its investigation into a cyber attack in July that compromised the information of staff and students in the area.
The board posted the results of their initial findings in an August blog post, but has since provided few details of the investigation and the potential impacts on the school year, attempting to maintain business as usual despite the disruption. The most recent blog post acknowledging the incident conceded that class assignments would not be available for students until the first day of school on September 6, instead of through the board’s School-Day portal.
Reporting by the CBC on September 6 reveals some of the confusion and concern that remains in the community in the wake of the breach. The board is reportedly reviewing its security practices and data retention policies in response to the incident.