At the weekend, an Australian graphic design company called Canva reported a data breach. At this stage, you’d be forgiven for thinking “so what?” Yet this wasn’t just a typical data breach – it’s one of the largest privacy breaches of user information in history, sitting on the league table just behind Equifax’s breach of 2017. In Canva’s case, the hacker claims to have stolen 139 million Canva users’ details, including names, postal addresses and email addresses, along with 70 million users’ password hashes. So how might this breach affect your business, and is there anything you can do to protect yourself from the fallout?
The reality security teams face every day is that their users reuse the same usernames and passwords all over the Internet. It doesn’t matter how many times you tell them not to use their company credentials outside work: some will use their business account when they sign up to external online services. Rest assured that a fair majority of your users will have signed up to services like Canva with their business email address, and a portion of those will have reused their business password.
Canva is one of the biggest technology companies on the planet, and its meteoric rise to fame and fortune is a good-news story for the Australian start-up scene, showing that perseverance and a great idea can quickly succeed. However, fame rapidly paints a target on your back, and any company operating on this kind of international scale will undoubtedly be in the sights of one or more hackers. As a result, there is a good chance that someone in your business has a Canva account, since it offers free services for anyone wanting to design basic graphics or document templates, such as Facebook banners or profile pictures.
There are two aspects of this breach that every Australian business needs to consider. First, if anyone in the organisation has a Canva account (even a personal one), they should change their Canva password immediately. If they have reused that username and password elsewhere, good practice suggests they should also change those passwords (to something different from the new Canva one).
In response to ZDNet informing Canva about the breach, Canva stated, “We securely store all of our passwords using the highest standards (individually salted and hashed with bcrypt) and have no evidence that any of our users’ credentials have been compromised.” Bcrypt is certainly a respected password hashing algorithm, so there are no issues with it being used here, and that provides some assurance that users’ accounts are safe. As good practice, users are still urged to log in and change their password, since things can quickly change in the world of encryption.
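To make concrete what “individually salted and hashed” buys a defender, here is an added example that is not Canva’s code and not part of the original post. It contrasts a plain, unsalted digest (where every user with the same password produces the same hash, so one cracked entry or precomputed table exposes all of them) with a per-user random salt and a deliberately slow key-derivation function. The standard library has no bcrypt, so PBKDF2-HMAC-SHA256 stands in for it here; the iteration count and encoding format are assumptions chosen for the demonstration, not Canva’s settings.

```python
import hashlib
import hmac
import os
from typing import Optional

# Demonstration parameters (assumed for this example, not Canva's).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """The weak scheme: fast, deterministic, identical for identical passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, slow hash. A fresh random salt is generated per call unless one is supplied
    (supplying one is only for demonstrating determinism with a fixed salt).
    Returns 'pbkdf2_sha256$<iterations>$<salt-hex>$<digest-hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def same_password_collides(password: str) -> bool:
    """True for the unsalted scheme: two users sharing a password share a hash."""
    return unsalted_sha256(password) == unsalted_sha256(password)


def same_password_distinct(password: str) -> bool:
    """True for the salted scheme: two users sharing a password get different hashes."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored:", record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("unsalted collides:", same_password_collides("hunter2"))
    print("salted distinct:", same_password_distinct("hunter2"))
```

The point for the breach discussion: salting stops an attacker from cracking one hash and applying the result to every user who chose the same password, and the slow KDF makes guessing each hash individually expensive. Neither protects a user who reused that same password on another site, which is why the advice above is still to change it.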
More troubling for end users are the private details associated with each account, such as email addresses, postal addresses, names, ages, etc., which are useful attributes for an online identity fraud attack. If the email address the user signed up to Canva with is in your organisation’s external DNS domain, then a fraudster has the potential to use social engineering to dupe your IT team into resetting that person’s business password over the phone. In this case, you should be warning your users, as well as your IT team, of this possibility. Security awareness is often the best course of action.
You might think there is little you can do to protect yourself if a hacker has the account details of someone in your business, yet a Security Information and Event Management (SIEM) platform can help in this case.
The core function of a SIEM is to collect security event logs and look for patterns of attack. Some SIEM systems also use behavioural analytics to learn what normal activity looks like, recording patterns of activity over time. They then alert on anomalies against that baseline.
If a user’s account is stolen or compromised using the aforementioned social engineering technique, any abnormal behaviour will be detected and reported. In this case, the threat we are trying to protect against could be classified as an insider threat, since the account being used is trusted and has the same level of internal access and privilege that other legitimate users have.
This is where user behaviour is important. Huntsman Security’s Next Gen SIEM has built-in behavioural profiling, called Behavioural Anomaly Detection (BAD), which learns what normal looks like (from both a user and a system point of view). If an attacker takes over a user’s account, they will likely not follow the same patterns of usage as the user, because their motivation is different – their intent is to locate private company information, exfiltrate it and sell it to the highest bidder. This means that a normal user account logging into, or trying to access, information it would not normally touch could be an indication that the account is up to no good (and it’s worth investigating).
Security teams can build special detection rules using the SIEM, based on collecting security information from every log source in the enterprise, matching groups of user accounts with targets on your network, and alerting when any user accesses a sensitive system or accesses sensitive company information. For instance, if a user in the commercial team is trying to access IT configuration information, this could be indicative of an attack.
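The two mechanisms just described, a learned per-user baseline and an explicit rule matching groups of users against sensitive targets, can be shown together on sample events. The following is an added example written for this post; it is not Huntsman Security’s BAD implementation and the log format, field names, department-to-sensitive-host mapping and all events are constructed for the demonstration. The baseline records which hosts each user normally touches and at what hours; the evaluation flags events outside that baseline and separately applies the text’s rule that a commercial-team user reaching IT configuration systems is suspicious.

```python
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed training events (assumed log format: ISO timestamp then key=value pairs).
BASELINE_LOG = """\
2019-05-13T09:02:11 user=alice dept=commercial host=crm-01 action=access
2019-05-13T10:15:40 user=alice dept=commercial host=fileshare-sales action=access
2019-05-14T14:20:05 user=alice dept=commercial host=crm-01 action=access
2019-05-13T08:45:00 user=bob dept=it host=it-config-01 action=access
2019-05-14T17:30:12 user=bob dept=it host=ad-dc-01 action=access
"""

# Constructed events to evaluate after the baseline has been learned.
NEW_EVENTS = """\
2019-05-27T09:30:00 user=alice dept=commercial host=crm-01 action=access
2019-05-27T02:13:44 user=alice dept=commercial host=it-config-01 action=access
2019-05-27T17:05:09 user=bob dept=it host=it-config-01 action=access
2019-05-27T11:00:00 user=carol dept=commercial host=crm-01 action=access
"""

# The text's rule: which hosts are sensitive for which department (constructed mapping).
SENSITIVE_BY_DEPT = {"commercial": {"it-config-01", "ad-dc-01"}}


def parse(line: str) -> Dict[str, object]:
    """Split one event line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *pairs = line.split()
    event: Dict[str, object] = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def build_baseline(lines: List[str]) -> Dict[str, Dict[str, set]]:
    """Learn, per user, the set of hosts touched and the hours of day they were active."""
    baseline: Dict[str, Dict[str, set]] = defaultdict(lambda: {"hosts": set(), "hours": set()})
    for ev in map(parse, lines):
        profile = baseline[ev["user"]]
        profile["hosts"].add(ev["host"])
        profile["hours"].add(ev["ts"].hour)
    return baseline


def evaluate(lines: List[str], baseline: Dict[str, Dict[str, set]]) -> List[Tuple[str, str, List[str]]]:
    """Return (user, host, reasons) for every event that deviates from baseline or hits a rule."""
    alerts = []
    for ev in map(parse, lines):
        reasons: List[str] = []
        profile = baseline.get(ev["user"])
        if profile is None:
            reasons.append("no baseline for user")          # never seen before
        else:
            if ev["host"] not in profile["hosts"]:
                reasons.append(f"host {ev['host']} outside baseline")
            if ev["ts"].hour not in profile["hours"]:
                reasons.append(f"hour {ev['ts'].hour:02d} outside baseline")
        # Explicit rule, independent of the learned baseline.
        if ev["host"] in SENSITIVE_BY_DEPT.get(ev["dept"], set()):
            reasons.append(f"{ev['dept']} user on sensitive host {ev['host']}")
        if reasons:
            alerts.append((ev["user"], ev["host"], reasons))
    return alerts


def run() -> List[Tuple[str, str, List[str]]]:
    return evaluate(NEW_EVENTS.splitlines(), build_baseline(BASELINE_LOG.splitlines()))


if __name__ == "__main__":
    for user, host, reasons in run():
        print(f"ALERT {user} -> {host}: {'; '.join(reasons)}")
```

In this constructed data alice’s 02:13 access to it-config-01 trips all three checks at once, which is the shape of the account-takeover scenario the post describes: a trusted account, valid credentials, but a host, a time and a target that do not fit the real user. bob doing the same thing at a normal hour raises nothing, because for an IT user that host is both in baseline and not in the sensitive set. A real deployment would use a longer learning window and weight or score the reasons rather than treat them as equal.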
This attack on Canva is just one of a long line of enormous privacy breaches companies all around the world are coming to terms with. The fact is, almost every active Internet user now has their email address appearing in one of these breaches.
Whether you are a cautious person and have different passwords for every account, or reuse the same one everywhere, you are at risk, since in many cases identity fraud is the interim goal before financial gain. Security awareness training should be the first line of defence, since good operational security helps everyone, both at work and at home.
Organisations need to consider the risk of malicious insiders not always being the real user, as account hijacking via social engineering is on the rise. There are things you can do to mitigate these risks, but without some aspect of behavioural monitoring, even in its most basic form, all bets are off once the attacker has access to a user’s credentials.