This Week... The 2021 CWE Most Important Hardware Weaknesses
10 November 2021
SC Media | The CyberSecurity Source
Hackers tried to rob me of $15m. Here’s how I stopped them…
Matthew Day

Ransomware is rife. One of the ways to reduce its global proliferation is to openly share stories – but that means owning up to an attack in all its nakedness. It’s not something many companies do. But here – to his credit – is one CIO’s tale.

The phone call came at 4am 
My name’s Matthew Day. As CIO of Langs Building Supplies in Queensland, Australia, I’d been looking forward to a long holiday after 14 months of Covid-blighted operations. 

But then the phone rang. One of my factory supervisors said they couldn’t get into the system: “We’ve been hacked!” 

I jumped out of bed and rushed to the office. I saw the boot loader screen message: “We’ve encrypted all your data. Pay up… or we’ll publish it on the dark web.” 

The hairs on my neck stood up
I realised this was no small ransomware attack. They had scoped our business: hunted us, waited for us to be asleep, and took the shot with sniper gun precision. Worst of all, through our Rubrik zero trust security solution, I could see they had secured elevated access rights.

They demanded $15 million 
They wanted an enormous Bitcoin sum but I was also conscious that the attack would wipe out factory manhours - which could work out just as expensive.  But I don’t negotiate with terrorists. I was never going to have a conversation with these people. 

What’s the worst day I could ever have?
I knew I had to draw on my pre-prepared strategy of ‘what’s the worst day the business could ever have?’ I’d already made sure all our data was backed up and immutable. I also knew we had a solution that could quickly scan the holes in our system and monitor data packets to see what – and where – was being encrypted. This information was invaluable – it saved us.

It took 24 hours to clean up the mess

The hackers’ attack vector was a legitimate-looking email that came from a kosher email address in the right format. The one slightly off detail was the link in the email. Two weeks later, the hackers had access to Langs’ systems. Our IT analysts spent two days cleaning up the environment, identifying and plugging holes against two waves.

Don’t believe the hackers 
By this stage, I knew I could recover the data. We had a good counter punch. My main concern was ‘is there any exfiltration of the data?’ I could see from our monitoring systems that there wasn’t. I didn’t need to engage with the hackers despite the continuous email threats they were sending.

My staff didn’t sleep for days
When I began the attack response, I enacted processes at the business level. I had to get people out of bed… that’s why it’s so important to have good human capital management. You need people who will hit the trenches with you. Investment in your staff pays off in spades because they do what needs to be done.

Find the right partner
Make sure you have partners who care about you. I always bring it back to the chef Nigella Lawson – you can have great products but the real value is in the mixing of the ingredients. Nigella and I can both make a chocolate cake with the same recipe – but whose cake would you rather eat? You need the right partners with the right skills. And make sure they care about and understand your business.

Education first
We were hacked through social engineering via a trusted supplier. Your employees are your number one protectors. Train your staff to understand that cybersecurity is everybody’s job. In some ways, investing in education is more important than perimeter defenses, like firewalls. 

I don’t live in fear
I have the attitude that it will happen again – that’s the only way you can plan for these things. And it’s not if, it’s when. We made mistakes, learned from them and moved on. I don’t live in fear. We mitigate against threats as best we can, while understanding that they exist.
Securing source code: How to get dev ops on side (without them even noticing)
One of the greatest worries to all of us is code validation – what exactly are developers dumping into corporate ecosystems and what can we do about it? How can you make sure new code isn’t leaving the gates flapping on their hinges, without skewering innovation with inertia?

Join us for our webinar on 9th December, where SC Media UK and a range of experts explore ways to resolve this tension – why eliminating user friction is central to shifting security left, how you can implement this, and how automated code validation is not only a pathway to a constructive relationship but is now also possible.
Have you secured your free place at SC Unlocks: Ransomware?
Join your peers from the likes of The Ministry of Defence, Sky, Microsoft and Willis Towers Watson online at SC Unlocks: Ransomware for FREE on 30th November.
The 2021 threat landscape: minimising risk and working safely wherever you are
A recent SC Media UK survey, hosted in partnership with WatchGuard, reveals 75% of UK businesses think that remote workers pose a greater IT security risk to their business than office workers. A further 83% of respondents feel that cyber attacks on their business will increase over the next 12 months.

Download this free infographic to explore the findings in more detail and help protect your business.
Quote of the week…
"We are bringing the full strength of the federal government to… leverage international cooperation to disrupt the ransomware ecosystem and address safe harbours for ransomware criminals."

US President Joe Biden said, as the Department of Justice announced the indictment of Ukrainian suspect Yaroslav Vasinskyi and the recovery of $6 million in ransomware payments from REvil.
The 2021 CWE Most Important Hardware Weaknesses  
1 CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
2 CWE-1191 On-Chip Debug and Test Interface With Improper Access Control
3 CWE-1231 Improper Prevention of Lock Bit Modification
4 CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
5 CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation
The full 2021 CWE Hardware List aims to drive awareness of common hardware weaknesses through the Common Weakness Enumeration (CWE) and to educate programmers on how to eliminate important mistakes early in the product lifecycle.
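To make entries 3 and 4 of the list concrete, the following is an added example, not code from SC Media or from the CWE project, modelling a security-sensitive configuration register with a lock bit in C. The register layout, the constant names (CFG_LOCK_BIT, TRUSTED_SETTING, UNTRUSTED_SETTING) and the boot scenario are all constructed for illustration. The weak write path shows the CWE-1231 pattern, where the lock bit is an ordinary read/write bit that a later write can clear; the hardened path makes the lock sticky until hardware reset, which is the protection whose absence CWE-1233 describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not from the page) of one security-sensitive
 * configuration register guarded by a lock bit. Bit 31 is LOCK; the
 * remaining bits carry the protected setting (think of a flash
 * write-protect range or a debug-enable control). */
#define CFG_LOCK_BIT  (1u << 31)
#define CFG_DATA_MASK (CFG_LOCK_BIT - 1u)

typedef struct {
    uint32_t cfg;   /* the register; only a reset should clear LOCK */
} reg_file_t;

/* Hardware reset: the only event that may clear the lock. */
void reg_reset(reg_file_t *r)
{
    r->cfg = 0;
}

/* Weak write path (the CWE-1231 pattern): LOCK is a plain read/write bit,
 * so any later write can clear it and replace the protected setting. */
void cfg_write_weak(reg_file_t *r, uint32_t value)
{
    r->cfg = value;
}

/* Hardened write path: once LOCK is set the register ignores every write
 * until reset, so the lock is sticky and the setting is frozen. Returns
 * false when a write was dropped, so firmware can log the attempt. */
bool cfg_write_hardened(reg_file_t *r, uint32_t value)
{
    if (r->cfg & CFG_LOCK_BIT) {
        return false;           /* locked: write-once-until-reset semantics */
    }
    r->cfg = value;             /* may set LOCK; nothing below reset clears it */
    return true;
}

/* Scenario shared by both variants (constructed values): early boot firmware
 * programs the setting and sets LOCK; later, less-trusted code writes the
 * same register. */
#define TRUSTED_SETTING   0x1234u
#define UNTRUSTED_SETTING 0x0BADu

uint32_t scenario_weak(void)
{
    reg_file_t r;
    reg_reset(&r);
    cfg_write_weak(&r, TRUSTED_SETTING | CFG_LOCK_BIT);
    cfg_write_weak(&r, UNTRUSTED_SETTING);   /* clears LOCK and replaces setting */
    return r.cfg;
}

uint32_t scenario_hardened(void)
{
    reg_file_t r;
    reg_reset(&r);
    cfg_write_hardened(&r, TRUSTED_SETTING | CFG_LOCK_BIT);
    (void)cfg_write_hardened(&r, UNTRUSTED_SETTING);   /* dropped */
    return r.cfg;
}

/* Assurance check: true when LOCK survived the later write and the
 * protected bits still equal what trusted firmware programmed. */
bool lock_held(uint32_t cfg)
{
    return (cfg & CFG_LOCK_BIT) != 0 && (cfg & CFG_DATA_MASK) == TRUSTED_SETTING;
}

int main(void)
{
    uint32_t weak = scenario_weak();
    uint32_t hard = scenario_hardened();
    printf("weak:     cfg=0x%08x lock_held=%d\n", (unsigned)weak, lock_held(weak));
    printf("hardened: cfg=0x%08x lock_held=%d\n", (unsigned)hard, lock_held(hard));
    return 0;
}
```

The useful design point is the boolean return from the hardened path: a dropped write is exactly the event a secure boot log or a pre-silicon test bench should record, because it means some later code tried to modify a control that trusted firmware had already frozen.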

Like what you’ve read? Why not forward this newsletter to a friend? They can sign up for smart weekly cyber insights on the homepage.
© 2021 Haymarket Media Group
Bridge House, 69 London Road, Twickenham , TW1 3SP