
Malwarebytes crushes malware all the time

About a month ago, The PC Security Channel (TPSC) ran a test to check out the detection capabilities of Malwarebytes. They tested Malwarebytes by executing a repository of 2015 “malicious” files to see how many Malwarebytes would detect.

This YouTube video shows how a script executes the files and Malwarebytes blocks and immediately quarantines the majority of them.

A screenshot of Malwarebytes Premium crushing it

Malwarebytes missed 34 out of those 2015 files, giving us a score of 98.31%. Many vendors would have been proud of that, but being who we are, we wanted to do better. So we asked whether we could have a look at the files we missed, and TPSC was kind enough to offer us that chance.

Two of the missed files were identified as PUPs. PUP is short for Potentially Unwanted Programs. The emphasis here is on Potentially because they live in the grey area of what people might consider to be acceptable. Some PUPs simply don’t meet our detection criteria.

Anyway, back to the review of the malicious files we missed. As you can see in the sheet below, after a full review we were left with four malicious files that we missed and the two PUP-related files.

After circling back to TPSC, they graciously agreed with our assessment of the non-malicious files. That brings Malwarebytes’ score up to 99.8%, which is a lot more like what we are used to scoring in such tests. The four malicious files have all been added to our detections.


We don’t just report on threats—we remove them

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

How ransomware changed in 2023

In 2023, the CL0P ransomware gang broke the scalability barrier and shook the security world with a series of short, automated campaigns, hitting hundreds of unsuspecting targets simultaneously with attacks based on zero-day exploits. The gang’s novel approach challenged a bottleneck that makes it hard to scale ransomware attacks, and other gangs may try to replicate its approach in 2024.

Big game ransomware attacks are devastating but relatively rare compared to other forms of cyberattack. There were about 4,500 known ransomware attacks in 2023, although the true figure is probably twice that. These attacks extorted more than $1 billion in ransoms in 2023, according to blockchain data platform Chainalysis.

The potential riches are enormous and there’s no other form of cybercrime that’s so lucrative, so why aren’t we seeing more attacks? It doesn’t seem to be a lack of targets; in fact, the evidence suggests that the gangs are picky about who they attack. The most likely reason is that each attack takes a lot of work. Broadly speaking, an attack requires a team of people that:

  • breaks into an internet-connected computer,
  • researches the target to see if they’re worth the effort of an attack,
  • explores their network,
  • elevates their privileges until they’re an all-conquering administrator,
  • steals and stores terabytes of data,
  • attacks security software and backups,
  • positions ransomware and runs it, and
  • conducts negotiations.

Doing all of this efficiently requires people, tools, infrastructure, expertise, and experience, and that seems to make it a difficult business model to scale up. The number of known ransomware attacks a year is increasing steadily, by tens of percentage points rather than exploding by thousands. This suggests that most of the people who are drawn to this life of crime are probably already doing it, and there isn’t a vast pool of untapped criminal talent waiting in the wings.

Known ransomware attacks, July 2022-December 2023

Before 2023, cybercrime’s best answer to this scalability problem was Ransomware-as-a-Service (RaaS), which splits the work between vendors that provide the malware and infrastructure, and affiliates that carry out the attacks.

CL0P found another way. It weaponised zero-day vulnerabilities in file transfer software, notably GoAnywhere MFT and MOVEit Transfer, and created automated attacks that plundered data from them. Hundreds of unsuspecting victims were attacked in a pair of short, sharp campaigns lasting a few days, leaving CL0P as the third most active gang of the year, beating ransomware groups that were active in every month of 2023.

It remains to be seen if other gangs can or will follow CL0P’s lead. The repeated use of zero-days signaled a new level of sophistication for a ransomware gang and it may take a while for its rivals to catch up. However, the likes of LockBit—the most prolific group of them all—don’t want for resources so this is probably a matter of time and will, rather than a fundamental barrier.

There is also a question mark about how successful the attacks were. While automation allowed CL0P to increase its reach, it’s reported that a much lower percentage of victims paid a ransom than normal. However, ransomware incident response firm Coveware believes the group managed to compensate by demanding higher ransoms, earning the gang as much as $100 million.

Because of CL0P’s actions, the shape of ransomware in 2024 is in flux and organisations need to be ready. To learn more about how big game ransomware is evolving, the threat of zero-day ransomware, and how to protect against them, read our 2024 State of Malware report.

Update now! Microsoft fixes two zero-days on February Patch Tuesday

Microsoft has issued patches for 73 security vulnerabilities in its February 2024 Patch Tuesday. Among these vulnerabilities are two zero-days that are reportedly being used in the wild.

The two zero-day vulnerabilities have already been added to the Cybersecurity & Infrastructure Security Agency’s catalog of Known Exploited Vulnerabilities, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate these vulnerabilities by March 5, 2024, in order to protect their devices.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The zero-days patched in this round of updates are:

CVE-2024-21351 (CVSS score 7.6 out of 10): a Windows SmartScreen security feature bypass vulnerability. The vulnerability allows a malicious actor to inject code into SmartScreen and potentially gain code execution, which could potentially lead to some data exposure, lack of system availability, or both. An authorized attacker must send the user a malicious file and convince the user to open it.

CVE-2024-21412 (CVSS score 8.1 out of 10): an Internet Shortcut Files security feature bypass vulnerability. An unauthenticated attacker could send the targeted user a specially crafted file that is designed to bypass displayed security checks. However, the attacker would have no way to force a user to view the attacker-controlled content. Instead, the attacker would have to convince them to take action by clicking on the file link.

The bypassed security feature in both cases is the Mark of the Web (MOTW), the technology that ensures Windows shows a warning message when a user tries to open a file downloaded from the Internet. When a file is downloaded, Windows adds a ZoneId to the file in the form of an Alternate Data Stream, and that ZoneId is what triggers the warning message(s).
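To make the mechanism concrete, here is an added Python example (not code from the post or from Microsoft) that parses the Zone.Identifier alternate data stream in which Windows stores the ZoneId, and reports whether the file is marked as coming from an untrusted zone. The stream name, the [ZoneTransfer] section and the zone numbering are Windows conventions; the sample stream content is constructed, and read_motw can only open the stream on a Windows NTFS volume.

```python
"""Inspect the Mark of the Web carried in a file's Zone.Identifier stream (added example)."""
import os

# URL security zone numbers as Windows defines them.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local Intranet",
    2: "Trusted Sites",
    3: "Internet",
    4: "Restricted Sites",
}

# Constructed sample of what a browser writes into <file>:Zone.Identifier after a download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://downloads.example.test/\r\n"
    "HostUrl=https://downloads.example.test/report.docx\r\n"
)


def parse_zone_identifier(text):
    """Parse the INI-style [ZoneTransfer] section into a dict.

    ZoneId is returned as an int (None if it is not numeric); other keys such as
    ReferrerUrl and HostUrl are returned as strings. Returns {} when the section is absent.
    """
    info = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[zonetransfer]"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key.lower() == "zoneid":
            info["ZoneId"] = int(value) if value.isdigit() else None
        else:
            info[key] = value
    return info


def zone_name(zone_id):
    """Human-readable zone name; unknown numbers are reported as such rather than guessed."""
    return ZONE_NAMES.get(zone_id, f"unknown zone {zone_id!r}")


def needs_warning(info):
    """True when the file is marked as coming from the Internet or Restricted Sites zone,
    which is what makes Windows show the download warning described in the post."""
    return info.get("ZoneId") in (3, 4)


def read_motw(path):
    """Read and parse the Zone.Identifier stream of a file.

    Returns None when the stream does not exist (the file never came from the Internet,
    the mark was stripped, or the volume is not NTFS) and when not running on Windows,
    where alternate data streams cannot be opened with the file:stream syntax.
    """
    if os.name != "nt":
        return None
    try:
        with open(f"{path}:Zone.Identifier", "r", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    parsed = parse_zone_identifier(SAMPLE_STREAM)
    print(parsed, zone_name(parsed["ZoneId"]), "warning expected:", needs_warning(parsed))
```

A file that you know was downloaded but for which read_motw returns None, or a ZoneId outside 3 and 4, is the condition the bypass vulnerabilities above aim to produce, so that absence is itself worth logging in a triage script.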

Another vulnerability worth keeping an eye on is CVE-2024-21413 (CVSS score 9.8 out of 10): a Microsoft Outlook remote code execution (RCE) vulnerability. Successful exploitation of this vulnerability would allow an attacker to bypass the Office Protected View and to gain high privileges, which include read, write, and delete functionality. Microsoft notes that the Preview Pane is an attack vector. The update guide for this vulnerability lists a number of required updates before protection is achieved.

Other vendors

Other vendors have synchronized their periodic updates with Microsoft. Here are a few major ones that you may find in your environment.

Adobe has released security updates to address vulnerabilities in several products.

The Android Security Bulletin for February contains details of security vulnerabilities for patch level 2024-02-05 or later.

Ivanti has urged customers to patch yet another critical vulnerability.

SAP has released its February 2024 Patch Day updates.


We don’t just report on vulnerabilities—we identify them, and prioritize action.

Cybersecurity risks should never spread beyond a headline. Keep vulnerabilities in tow by using ThreatDown Vulnerability and Patch Management.

TheTruthSpy stalkerware, still insecure, still leaking data

In 2022, we published an article about how photographs of children taken by a stalkerware-type app were found exposed on the internet because of poor cybersecurity practices by the app vendor.

The stalkerware-type app involved, TheTruthSpy, has shown once again that the way it handles captured data shows no respect for its customers, and even less for the victims it monitors.

TheTruthSpy markets itself as a tool that can be placed in the hands of employers who want to keep tabs on employees in the workplace, or in the hands of parents who want to look after their kids. But it can just as easily be placed in the hands of stalkers, abusive partners, or someone who just wants to get a leg up in their divorce proceedings.

Stalkerware-type applications like TheTruthSpy typically get installed secretly, by a person with access to the victim’s phone. For that reason, by design, the apps stay hidden from the device owner, while giving the attacker complete access.

Boasting “more than 15 spying features,” it can track a target’s location; reveal their browser history; record their calls; read their SMS messages; spy on their WhatsApp, Facebook, SnapChat and Viber messages; log what they type; and record what they say.

That alone is bad enough, but the app seems to have a persistent problem with security. In 2022, tech publication TechCrunch discovered that TheTruthSpy and other spyware apps share a common Insecure Direct Object Reference (IDOR) vulnerability, CVE-2022-0732. The publication described the bug as “extremely easy to exploit, and grants unfettered remote access to all of the data collected from a victim’s Android device.”

The bug was never fixed, and yesterday, stalkerware researcher maia arson crimew revealed that it had been stumbled upon again by two different hacking groups.

When members of the two hacking groups looked into TruthSpy last December while searching for stalkerware to hack, they independently stumbled upon the same IDOR vulnerability.

The good news is that both groups, SiegedSec and ByteMeCrew, said in a Telegram post that they are not publicly releasing the breached data, given its highly sensitive nature. They did provide enough data to enable TechCrunch to verify that it is authentic, by matching IMEI numbers (numbers that uniquely identify phones) and advertising IDs against a list of previously known compromised devices.

Which means that by installing TheTruthSpy—and a whole fleet of clone apps including Copy9, MxSpy, iSpyoo, SecondClone, TheSpyApp, ExactSpy, FoneTracker and GuestSpy—you are not just spying on someone, you are also potentially exposing their data for anyone to find.

The data reportedly shows that TheTruthSpy continues to actively spy on large clusters of victims across Europe, India, Indonesia, the United States, the United Kingdom and elsewhere.

Sadly, this is no surprise. According to 2023 research from Malwarebytes, 62 percent of people in the United States and Canada admitted to monitoring their romantic partners online in one form or another, from looking through a spouse’s or significant other’s text messages, to tracking their location, to rifling through their search history, to even installing monitoring software onto their devices.

Removing stalkerware

If you want to know if your phone is or was infected with TheTruthSpy, you can use the lookup tool provided by TechCrunch, which has been updated to include information about the most recent leak.

Malwarebytes, as one of the founding members of the Coalition Against Stalkerware, makes it a priority to detect and remove stalkerware-type apps from your device. It is good to keep in mind however that by removing the stalkerware-type app you will alert the person spying on you that you know the app is there.

Because the apps install under a different name and hide themselves from the user, it can be hard to find and remove them. That is where Malwarebytes for Android can help you.

  1. Open Malwarebytes for Android.
  2. Open the app’s dashboard.
  3. Tap Scan now.
  4. It may take a few minutes to scan your device.

If malware is detected you can act on it in the following ways:

  • Uninstall. The threat will be deleted from your device.
  • Ignore Always. The file detection will be added to the Allow List and excluded from future scans. Legitimate files are sometimes detected as malware. We recommend reviewing scan results and adding files to Ignore Always that you know are safe and want to keep.
  • Ignore Once. A file has been detected as a threat, but you are not sure whether to add it to your Allow List or delete it. This option will ignore the detection this time only. It will be detected as malware on your next scan.

We don’t just report on phone security—we provide it

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

Patch now! Roundcube mail servers are being actively exploited

The Cybersecurity & Infrastructure Security Agency (CISA) has added a vulnerability in Roundcube Webmail to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. This means that Federal Civilian Executive Branch (FCEB) agencies need to remediate this vulnerability by March 4, 2024, in order to protect their devices against active threats. We urge other Roundcube Webmail users to take this seriously too.

Roundcube is a web-based IMAP email client. Internet Message Access Protocol (IMAP) is used for receiving email. It allows users to access their emails from multiple devices, and it’s why an email you read on your laptop is marked as “read” on your phone too. Reportedly, there are over 132,000 Roundcube servers accessible over the internet, most of them situated in the US and China.

The affected versions are Roundcube versions before 1.4.14, 1.5.x before 1.5.4, and 1.6.x before 1.6.3. An update to patch the vulnerability with version 1.6.3 has been available since September 15, 2023. The current version, 1.6.6 at the time of writing, does not have the vulnerability either.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVE patched in these updates is:

CVE-2023-43770, which is a persistent cross-site scripting (XSS) bug that lets attackers access restricted information.

XSS vulnerabilities occur when input coming into web applications is not validated and/or output to the browser is not properly escaped before being displayed. Persistent, or stored XSS, is a type of vulnerability which occurs when the untrusted or unverified user input is stored on a target server.

This means that a persistent XSS attack is possible when the attacker exploits a vulnerable website or web application to inject malicious code, and this code is stored on a server so it will later automatically be served to other users who visit the web page.

In this case, it appears that attackers can send Roundcube users plain-text emails containing XSS links; the vulnerable Roundcube versions do not sanitize the links and, of course, store the email, creating persistence.
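To show the stored XSS pattern concretely, here is an added Python example that is not Roundcube’s code and not the actual fix. It contrasts an insecure renderer that drops a stored plain-text message into HTML with its URLs wrapped in anchors but nothing escaped, against a hardened renderer that escapes every run of text and only links http(s) URLs. The message body and the tiny Mailbox class are constructed to illustrate that the dangerous moment is rendering, not storage.

```python
"""Stored XSS: why escaping must happen when untrusted text is rendered (added example)."""
import html
import re

# Only http(s) URLs become links; anything else (javascript:, data:, ...) stays plain text.
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed message body of the kind an attacker might put in a plain-text email.
SAMPLE_BODY = 'Invoice: http://mail.example.test/view?id=1"><img src=x onerror=alert(1)> thanks'


def render_plaintext_vulnerable(body):
    """Insecure pattern: the stored text is placed into the page as-is and URLs are
    wrapped in anchors, so any markup in the body becomes live HTML for every reader."""
    linked = URL_RE.sub(lambda m: f'<a href="{m.group(0)}">{m.group(0)}</a>', body)
    return "<pre>" + linked + "</pre>"


def render_plaintext_safe(body):
    """Hardened version: every run of text is HTML-escaped, and only http(s) URLs become
    anchors, with the href escaped and attribute-quoted."""
    parts = []
    pos = 0
    for m in URL_RE.finditer(body):
        parts.append(html.escape(body[pos:m.start()]))
        url = html.escape(m.group(0), quote=True)
        parts.append(f'<a href="{url}" rel="noopener noreferrer">{url}</a>')
        pos = m.end()
    parts.append(html.escape(body[pos:]))
    return "<pre>" + "".join(parts) + "</pre>"


class Mailbox:
    """Minimal stand-in for a webmail store: messages are kept verbatim (the persistence),
    and the renderer chosen at display time decides whether stored markup reaches users."""

    def __init__(self):
        self.messages = []

    def store(self, body):
        self.messages.append(body)

    def render_all(self, safe=True):
        renderer = render_plaintext_safe if safe else render_plaintext_vulnerable
        return [renderer(b) for b in self.messages]


def contains_injected_tag(rendered):
    """Crude check for this demonstration: does any tag other than the <pre> wrapper and
    the renderer's own <a> anchors appear in the output?"""
    tags = re.findall(r"<\s*/?\s*([a-zA-Z]+)", rendered)
    return any(t.lower() not in ("pre", "a") for t in tags)


if __name__ == "__main__":
    box = Mailbox()
    box.store(SAMPLE_BODY)
    for out in box.render_all(safe=False) + box.render_all(safe=True):
        print(contains_injected_tag(out), out)
```

Input validation on receipt is a useful extra layer, but the renderer is the control that must not fail: the message is already on the server, so every reader who opens it gets whatever the renderer emits.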


Remote Monitoring & Management software used in phishing attacks

Remote Monitoring & Management (RMM) software, including popular tools like AnyDesk, Atera, and Splashtop, is invaluable for IT administrators today, streamlining tasks and ensuring network integrity from afar. However, these same tools have caught the eye of cybercriminals, who exploit them to infiltrate company networks and pilfer sensitive data.

The modus operandi of these threat actors involves deceiving employees through sophisticated scams and deceptive online advertisements. Unsuspecting employees, misled by these tactics, may inadvertently invite these criminals into their systems. By convincing employees to download and run these seemingly benign RMM applications under the guise of fixing non-existent issues, these fraudsters gain unfettered access to the company’s network.

In this post, we explore a particular phishing scam targeting corporate users via the AnyDesk remote software and how ThreatDown can prevent the misuse of such programs by cybercriminals.

Phishing site hosts remote software

We believe victims are first targeted and then contacted via phishing emails or text messages (smishing) based on their position in the company.

Attackers could have sent them to a typical phishing page or tricked them into downloading malware. Instead, they are playing the long game, where they can interact with their victims.

Users are directed to newly registered websites that mimic their financial institution. In order to get support, they need to download remote desktop software disguised as a ‘live chat application’.

uk-barclaysliveteam[.]com/corp/AnyDesk.exe
uk-barclaysliveteam[.]com/corp/anydesk.dmg

It’s interesting to note that the downloaded software is not malware. For example, in this instance they are using a legitimate (although outdated) AnyDesk executable which would not be detected as malicious by security products.


Running the program will show a code that you can give to the person trying to assist you. This can allow an attacker to gain control of the machine and perform actions that look like they came directly from the user.


This is one reason why certain banking sites try to detect whether a customer is currently running a remote access program before allowing them to log in. However, not all banks have this feature and there are certain cases where threat actors can evade such detection.

There are a number of RMM tools on the market which scammers and criminals will leverage. Ironically, the more popular and simple ones also tend to be the most abused.

AnyDesk recently got in the news for a security breach that allowed the attackers to compromise their production systems. The vendor has since revoked its code signing certificates and is urging customers to update their software.

RMM vendors are aware of the illicit use of their software and regularly remind users about common safety tips. AnyDesk also partnered with fraud fighters such as ScammerPayback to shut down call centers.
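As an added detection example (not part of the post, and not ThreatDown’s logic), the Python below runs a simple rule over constructed process-creation events: an RMM binary started from a user-writable folder or directly by a browser fits the download-and-run scam described above much better than an IT-deployed copy under Program Files started by the service manager. The pipe-delimited event format, the marker substrings derived from the tools named in the post, and the browser parent list are assumptions to adapt to your own telemetry.

```python
"""Flag RMM tools launched the way the scam above does (added example, constructed data)."""
import re
from dataclasses import dataclass

# Substrings of the tools named in the post; extend with the RMM tools you actually use.
RMM_MARKERS = ("anydesk", "atera", "splashtop")
# Folders a user can write to without admin rights: where a download-and-run would land.
USER_WRITABLE = re.compile(r"\\(Downloads|Desktop|Temp|AppData)\\", re.IGNORECASE)
# Assumption: a browser as direct parent means the binary was just downloaded and run.
BROWSER_PARENTS = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed process-creation events: time|user|image|parent image.
SAMPLE_LOG = [
    r"2024-02-14T10:02:11Z|CORP\jdoe|C:\Users\jdoe\Downloads\AnyDesk.exe|C:\Program Files\Google\Chrome\Application\chrome.exe",
    r"2024-02-14T10:05:40Z|NT AUTHORITY\SYSTEM|C:\Program Files (x86)\AnyDesk\AnyDesk.exe|C:\Windows\System32\services.exe",
    r"2024-02-14T10:06:02Z|CORP\jdoe|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe",
    r"2024-02-14T10:09:55Z|CORP\asmith|C:\Users\asmith\AppData\Local\Temp\splashtop_streamer.exe|C:\Windows\explorer.exe",
]


@dataclass
class Alert:
    when: str
    user: str
    image: str
    parent: str
    severity: str
    reason: str


def basename(path):
    """Last path component, lower-cased, so matching is case-insensitive."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_event(line):
    """Split one pipe-delimited event; malformed lines are skipped rather than crashing the sweep."""
    parts = line.strip().split("|")
    return parts if len(parts) == 4 else None


def classify(when, user, image, parent):
    """Return an Alert for RMM launches, graded by how much the launch resembles the scam."""
    name = basename(image)
    if not any(marker in name for marker in RMM_MARKERS):
        return None
    reasons = []
    if USER_WRITABLE.search(image):
        reasons.append("launched from a user-writable folder")
    if basename(parent) in BROWSER_PARENTS:
        reasons.append("spawned directly by a browser")
    severity = "high" if reasons else "info"
    reason = "; ".join(reasons) or "RMM tool started from an installed location"
    return Alert(when, user, image, parent, severity, reason)


def detect_rmm(lines):
    """Run the rule over a sequence of event lines and collect alerts in order."""
    alerts = []
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            alert = classify(*parsed)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in detect_rmm(SAMPLE_LOG):
        print(f"[{a.severity}] {a.when} {a.user} {a.image}: {a.reason}")
```

The "info" alert for the managed install is deliberate: an allow-list of approved RMM tools and install paths turns the rule into an exception report, which is the same idea the Application Block section below applies at the prevention layer.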

Blocking RMM tools with ThreatDown

Free with every ThreatDown Bundle, Application Block can easily protect organizations against the rising trend of legitimate RMM tools being exploited. Organizations can block RMM tools via Application Block by:

  • Navigating to the ‘Monitor’ section within their Nebula console.
  • Selecting ‘Application Block’.
  • Enabling the ‘Block RMM’ toggle switch provided by ThreatDown or customizing the list to fit their specific needs.
  • Saving the configuration to immediately block these RMM tools network-wide.

Adopt a robust defense stance by blocking all unnecessary applications, and for those you must use, the EDR/MDR layers of our ThreatDown Bundles will provide an additional safety net in the event of an infection.


Try ThreatDown bundles today

For IT teams plagued by the triad of complex deployment, scattered tooling, and excessive alert noise, ThreatDown bundles emerge as a superior solution that caters to the needs of today’s security teams.

Discover the difference with ThreatDown Bundles and elevate your organization’s defense against cyber threats. Get in touch for a free trial and experience the benefits of a simplified, yet robust, security framework.


Warzone RAT infrastructure seized

On February 9, 2024, the Justice Department announced that an international operation had seized internet domains that were selling information-stealing malware. Federal authorities in Boston seized www.warzone.ws and three related domains, which sold the Warzone RAT malware.

The Warzone RAT malware, a sophisticated Remote Access Trojan (RAT), enabled cybercriminals to browse victims’ file systems, take screenshots, record keystrokes, steal victims’ usernames and passwords, and watch victims through their web cameras, all without their knowledge or permission.

On February 7, 2024, two suspects were arrested in Malta and Nigeria, accused of selling the malware and supporting cybercriminals who used it for malicious purposes.

The operation was led by the FBI, and supported by Europol and the Joint Cybercrime Action Taskforce (J-CAT).

Anyone who is a victim of a Warzone RAT computer intrusion is urged to report it to the FBI via its Warzone RAT Victim Reporting Form.

Signs of infection

There are some known Indicators of Compromise (IOCs) for recent versions of the Warzone RAT (aka AveMaria Stealer):

SHA-256 hashes:

  • 0246d4eb99473ba449b98548167d0767b68b075749a8962d0573851f505689b5
  • 19dba570adb979d9063882d8dd6d880d1f37f25e600cc07097646946ebc947a2
  • 7de4fbda4834453be39c6e20697ab0cde46cf417c953a2f1ba3ab63442d49981
  • 94f836d1cd5bfe8a245a0b66076c86506f53b2fae38ed5da7b2f13cfa07b6cac
  • b66c5ebef83e48811156c3499b79c798c178d5655d6448403cb070061aba4f4d
  • dd1fa6cb67aa97468e62afeec6bfa9c1cb52f5acf029ab77a0fdd2e34cd50a21
  • de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488

Warzone RAT is usually spread by emails that use social engineering methods to trick the receiver into downloading and triggering the infection.

General signs that a RAT is active on your system may be:

  • A slow computer and seemingly slow internet connection.
  • Unknown processes in Task Manager.
  • Missing or altered files on your system.
  • Unknown entries in the list of installed programs/software.

Prevention

To keep RATs off your systems, the most general rules of security apply:

  • Keep your software and internet connected devices updated.
  • Only download apps and other software from trusted sources.
  • Be careful about which sites you visit and which emails you open.
  • Never open unsolicited email attachments.
  • Use an up-to-date anti-malware solution.

Malwarebytes and ThreatDown products will detect the Warzone RAT as:

  • Trojan.MalPack.PNG.Generic
  • Trojan.MalPack.MSIL.Generic
  • Generic.Malware.AI.DDS
  • Malware.AI.2990474738
  • Trojan.MalPack

Our business solutions remove all remnants of ransomware and prevent you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

Explained: Privacy washing

Question: Who said the sentence below?

“Privacy is at the heart of everything we do.”

Answer: Sundar Pichai, the CEO of Alphabet and its largest subsidiary Google. And if you look at the recent actions Google has announced, you’d be tempted to take his word for it.

But at the same time, Google is under fire because some of its actions seem half-baked. Allegedly Google’s option to “browse privately” is nothing more than a word play.

Let’s be fair. Google makes lots and lots of money by knowing what we are looking for. And to achieve that goal it needs to gather as much information as possible about us. Maybe not specifically about us as a person, but at least about us as a group.

Data are the most coveted currency of our era, and technology giants like Facebook, Google, and Amazon are considered the behemoths of the data gathering industry. If they don’t already, they want to know everything about each and every one of us.

We’re not all equally valued though. Certain milestones in a person’s life prompt major changes in buying patterns, whether that’s becoming a parent, moving home, getting married, buying a car, or going through a divorce. Some of the most personal and secretive troves of data rank as the most expensive.

In a recent blog, privacy company Proton explained how Google is spending millions lobbying and actively fighting against privacy laws that would protect you from online surveillance.

Proton used the expression “privacy washing,” which compares the disparity between Google’s words and actions to that of the world’s largest environmental polluters who portray themselves as eco-conscious, a practice known as “green washing.”

According to lobbying reports and other records, Alphabet and its subsidiaries have spent more than $125 million on federal lobbying, campaign contributions, and trade associations since 2019.

This is done under the guise that Google wants regulators to let companies decide themselves what’s good for you and for society. But so far, big tech is consistently letting us down in this regard.

A small but telling example was a recent court case where a judge ruled that car manufacturers collecting users’ text messages and call logs did not meet the Washington Privacy Act’s (WPA) standard that a plaintiff must prove that “his or her business, his or her person, or his or her reputation” has been threatened.

In other words they can steal all the data they want as long as you can’t prove that it doesn’t hurt your business, yourself or your reputation. Does that sound fair to you?

Several US states are going through the process of passing new comprehensive consumer privacy laws, in an attempt to give American citizens more control over their personal data. Privacy advisor IAPP reckons that by 2026, 13 state privacy laws will have taken effect, as newly enacted laws in Delaware, Florida, Indiana, Iowa, Montana, Oregon, Tennessee, and Texas will join California, Colorado, Connecticut, Utah, and Virginia.

The European Union (EU) is a pioneer when it comes to privacy laws, so it’s easy to see why Big Tech has spent so much money (about $30 million in 2021) lobbying European lawmakers to protect their data gathering practices. Google has been among the most aggressive to water down or slow down the expansion of consumer protections through additional regulations — in particular the Digital Markets Act, Digital Services Act, and ePrivacy Regulation. Google happily bragged about stalling the ePrivacy Regulation, which would crack down on tracking cookies.

It’s common for industries to lobby lawmakers on issues affecting their business. But there is a massive disparity in the state-by-state battle over privacy legislation between well-funded, well-organized tech lobbyists and their opposition of relatively scattered consumer advocates and privacy-minded politicians, The Markup has found.

So, Sundar Pichai, we would like you to put your money where your mouth is. And make some real changes to improve our privacy, rather than engage in privacy washing.


We don’t just report on threats – we help safeguard your entire digital identity

Cybersecurity risks should never spread beyond a headline. Protect your and your family’s personal information by using Malwarebytes Identity Theft Protection.

Atomic Stealer distributed to Mac users via fake browser updates

Atomic Stealer, also known as AMOS, is a popular stealer for Mac OS. Back in September, we described how malicious ads were tricking victims into downloading this piece of malware under the disguise of a popular application.

In an interesting new development, AMOS is now being delivered to Mac users via a fake browser update chain tracked as ‘ClearFake’. This may very well be the first time we see one of the main social engineering campaigns, previously reserved for Windows, branch out not only in terms of geolocation but also operating system.

With a growing list of compromised sites at their disposal, the threat actors are able to reach a wider audience, stealing credentials and files of interest that can be monetized immediately or repurposed for additional attacks.

Discovery

ClearFake is a newer malware campaign that leverages compromised websites to distribute fake browser updates. It was originally discovered by Randy McEoin in August and has since gone through a number of upgrades, including the use of smart contracts to build its redirect mechanism, making it one of the most prevalent and dangerous social engineering schemes.

On November 17, security researcher Ankit Anubhav observed that ClearFake was distributed to Mac users as well with a corresponding payload:


The Safari template mimics the official Apple website and is available in different languages:


Since Google Chrome is also popular on Macs, there is a template for it which closely resembles the one used for Windows users:


Atomic Stealer

The payload is made for Mac users: a DMG file purporting to be a Safari or Chrome update. Victims are instructed on how to open the file, which immediately runs commands after prompting for the administrative password.


Looking at the strings from the malicious application, we can see those commands which include password and file grabbing capabilities:

find-generic-password -ga 'Chrome' | awk '{print $2}' SecKeychainSearchCopyNext:
/Chromium/Chrome /Chromium/Chrome/Local State FileGrabber tell application "Finder"
set desktopFolder to path to desktop folder
set documentsFolder to path to documents folder
set srcFiles to every file of desktopFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}
set docsFiles to every file of documentsFolder whose name extension is in {"txt", "rtf", "doc", "docx", "xls", "key", "wallet", "jpg", "png", "web3", "dat"}

In the same file, we can also find the address of the malware’s command and control server, to which the stolen data is sent (listed under Indicators of Compromise below).

Macs need protection too

Fake browser updates have been a common theme for Windows users for years, and yet up until now the threat actors didn’t expand onto MacOS in a consistent way. The popularity of stealers such as AMOS makes it quite easy to adapt the payload to different victims, with minor adjustments.

Because ClearFake has become one of the main social engineering campaigns recently, Mac users should pay particular attention to it. We recommend leveraging web protection tools to block the malicious infrastructure associated with this threat actor.


Malwarebytes users are protected against Atomic Stealer.

Indicators of Compromise

Malicious domains

longlakeweb[.]com
chalomannoakhali[.]com
jaminzaidad[.]com
royaltrustrbc[.]com

AMOS stealer

4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464
be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b

AMOS C2

194.169.175[.]117
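As an added example that is not from the post, the Python below turns the indicators listed in the Warzone RAT section and in this Atomic Stealer section into a small sweep: it refangs the defanged domains and C2 address, hashes files incrementally and compares them against the two SHA-256 lists, and matches hostnames (including subdomains) against the domain list. The hashes, domains and C2 address are copied from the page; the file contents and hostnames it checks are constructed.

```python
"""Sweep files and hostnames against the Warzone RAT and AMOS indicators above (added example)."""
import hashlib
import os
import tempfile

# SHA-256 hashes from the Warzone RAT section of the post.
WARZONE_SHA256 = {
    "0246d4eb99473ba449b98548167d0767b68b075749a8962d0573851f505689b5",
    "19dba570adb979d9063882d8dd6d880d1f37f25e600cc07097646946ebc947a2",
    "7de4fbda4834453be39c6e20697ab0cde46cf417c953a2f1ba3ab63442d49981",
    "94f836d1cd5bfe8a245a0b66076c86506f53b2fae38ed5da7b2f13cfa07b6cac",
    "b66c5ebef83e48811156c3499b79c798c178d5655d6448403cb070061aba4f4d",
    "dd1fa6cb67aa97468e62afeec6bfa9c1cb52f5acf029ab77a0fdd2e34cd50a21",
    "de492c6384df2afd8c36f3f8ca910d93a21a2981b3c3a80e8a858d643122d488",
}
# SHA-256 hashes, domains and C2 address from the Atomic Stealer section (defanged as on the page).
AMOS_SHA256 = {
    "4cb531bd83a1ebf4061c98f799cdc2922059aff1a49939d427054a556e89f464",
    "be634e786d5d01b91f46efd63e8d71f79b423bfb2d23459e5060a9532b4dcc7b",
}
AMOS_DOMAINS = ["longlakeweb[.]com", "chalomannoakhali[.]com", "jaminzaidad[.]com", "royaltrustrbc[.]com"]
AMOS_C2 = "194.169.175[.]117"


def refang(ioc):
    """Turn a defanged indicator ('example[.]com') back into a matchable value."""
    return ioc.replace("[.]", ".")


def sha256_of_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path, chunk=1 << 20):
    """Hash a file incrementally so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(paths, known_hashes):
    """Return {path: sha256} for every readable file whose hash is in known_hashes."""
    hits = {}
    for path in paths:
        try:
            digest = sha256_of_file(path)
        except OSError:
            continue  # unreadable or vanished files are skipped, not fatal
        if digest in known_hashes:
            hits[path] = digest
    return hits


def hostname_matches(hostname, defanged_domains):
    """True if hostname equals, or is a subdomain of, any listed domain (case-insensitive)."""
    host = hostname.lower().rstrip(".")
    for d in defanged_domains:
        d = refang(d).lower()
        if host == d or host.endswith("." + d):
            return True
    return False


def self_check():
    """Write a constructed harmless file, confirm it matches none of the real IoCs, then
    confirm the matcher works by scanning the same file against its own hash."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.bin")
        content = b"constructed harmless content, not malware\n"
        with open(path, "wb") as fh:
            fh.write(content)
        real_hits = scan_files([path], WARZONE_SHA256 | AMOS_SHA256)
        own_hits = scan_files([path], {sha256_of_bytes(content)})
    return real_hits == {} and list(own_hits.values()) == [sha256_of_bytes(content)]


if __name__ == "__main__":
    print("self check:", self_check())
    print("cdn.longlakeweb.com listed:", hostname_matches("cdn.longlakeweb.com", AMOS_DOMAINS))
    print("C2 to block:", refang(AMOS_C2))
```

Feed scan_files a walk of download folders and hostname_matches your DNS or proxy logs; the subdomain match matters because hosts seen in the wild rarely equal the bare registered domain.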

Why less is more: 10 steps to secure customer data

In an advisory aimed at the protection of customers’ personal data, the Australian Cyber Security Centre (ACSC) has emphasized that businesses should only collect personal data from customers that they need in order to operate effectively.

While that may seem like kicking in an open door, it’s really not. It’s relatively easy to decide which personal data you need to have for a new customer. It’s a bit harder to stop there. Many small businesses use pre-formatted questionnaires that ask for information they don’t actually need for day-to-day operations, and it’s hard to keep track of data they no longer need.

The advisory, titled Securing Customer Personal Data for Small and Medium Businesses, is written for small and medium businesses, but many larger corporations could benefit from it as well. The guide was written because data breaches against Australian businesses and their customers are increasing in complexity, scale, and impact.

It outlines a few steps businesses can take to organize, minimize, and control the personal data they collect, in order to contain the impact of a data breach. With the growing tendency to do business online, businesses have a responsibility to keep the personal data they collect safe.

The ACSC recommends implementing 10 steps to secure customer personal data:

  • Create a register of personal data. Keep an inventory of the types of data you have collected and where they are stored. For example, a register of databases and data assets.
  • Limit the personal data you collect. Do not collect data “just in case.” You don’t have to worry about what you don’t have stored.
  • Delete unused personal data. Probably the hardest step; it requires policies stipulating how long customers’ personal data should be stored before it is deleted.
  • Consolidate personal data repositories. Consolidating customers’ personal data into centralized locations or databases allows businesses to focus on key data repositories and apply enhanced security practices.
  • Control access to personal data. Employees should only have access to customers’ personal data that they need in order to do their job.
  • Encrypt personal data. Full disk encryption should be applied to devices that access or store customers’ personal data, such as servers, mobile phones and laptops. Customers’ personal data should be protected by encryption when communicated between different devices over the internet. Additionally, businesses may choose to implement file-based encryption to add an extra layer of protection in the event that systems are compromised as part of a cyberattack.
  • Backup personal data. Backups are an essential measure to ensure an organization can recover important business data in case of damage, loss or destruction. Backups are also critical in protecting customers’ personal data from common incidents such as ransomware attacks or physical damage to devices.
  • Log and monitor access to personal data. Implementing logging and monitoring practices can assist businesses in detecting unauthorized access to customers’ personal data.
  • Implement secure Bring Your Own Device (BYOD) practices. Businesses that employ BYOD policies need to have appropriate protections in place to ensure that this is done securely and does not increase the risk of data breaches. It’s important to have a clear policy and rules to enforce it.
  • Report data breaches involving personal data. Make sure you are aware of the existing local reporting obligations in case you are the victim of a data breach involving customers’ personal data.
