It’s happened again. This time the National Lottery was hacked by cybercriminals. The accounts of more than 26,500 lottery players were compromised, according to a recent Infosecurity Magazine article [1].
The company indicated that its core systems had not been affected and, because it does not hold players’ debit card or bank account details in online accounts, that no financial transactions were involved.
Blame it on the Password
However, personal information in the players’ accounts is believed to have been accessed, and that alone is enough to enable fraud. Such information is invaluable to criminals, who use it to build false profiles and commit a variety of financial crimes.
It is also thought that the email addresses and passwords used in the attack were stolen from another website and replayed against the lottery’s login page, an attack known as credential stuffing that works only because people reuse passwords across sites. That is not surprising when 63% of confirmed data breaches involved weak, default or stolen passwords, according to Verizon’s 2016 Data Breach Investigations Report [2].
Brush-Up on Best Practices
It’s time for a quick brush-up on best practices so we can better defend against this prolific form of cybercrime.
Monitoring
The malicious activity at the National Lottery was picked up by Camelot’s security-monitoring program. That is a strong endorsement of monitoring as a defense: the attack was not prevented, but it was detected, and detection is what made a response possible.
An excellent resource on this topic is a report from the SANS Institute [3]. As the report explains, “continuous monitoring, when implemented through a log manager or SIEM for log and event collection and correlation, helps organizations separate real events from nonimpact events, as well as locate and contain events.”
Continuous monitoring does not imply true, real-time, 24x7, nonstop monitoring and reporting. Instead, according to SANS, it means implementing monitoring and oversight processes that provide a clear picture of security state at a given time, while also providing a mirror of control effectiveness over time.
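The following is an added example, not code from Camelot, SANS or this post, of the kind of log correlation the SANS report describes, applied to the attack pattern behind this incident: credentials stolen elsewhere and replayed against many accounts. It parses a constructed authentication log, flags any source IP that tries logins against many different accounts within a short window, and separates the real event (a successful login from such an IP, meaning an account was actually taken over) from non-impact noise (one user mistyping their own password). The log format, IP addresses, usernames, window and threshold are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log, not from Camelot or any real system.
# 203.0.113.7 tries many different accounts in a few seconds (credential stuffing),
# while 198.51.100.4 is one user mistyping her own password, which is noise.
SAMPLE_LOG = """\
2016-11-28T09:00:01Z auth result=fail ip=203.0.113.7 user=alice@example.com
2016-11-28T09:00:02Z auth result=fail ip=203.0.113.7 user=bob@example.com
2016-11-28T09:00:03Z auth result=success ip=203.0.113.7 user=carol@example.com
2016-11-28T09:00:04Z auth result=fail ip=203.0.113.7 user=dave@example.com
2016-11-28T09:00:05Z auth result=fail ip=203.0.113.7 user=erin@example.com
2016-11-28T09:00:06Z auth result=success ip=203.0.113.7 user=frank@example.com
2016-11-28T09:00:10Z auth result=fail ip=198.51.100.4 user=grace@example.com
2016-11-28T09:00:20Z auth result=fail ip=198.51.100.4 user=grace@example.com
2016-11-28T09:00:35Z auth result=success ip=198.51.100.4 user=grace@example.com
"""

# Assumed log line layout for this example; adapt the pattern to your own logs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) ip=(?P<ip>\S+) user=(?P<user>\S+)$"
)


def parse_auth_log(text):
    """Turn each well-formed line into a dict; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_distinct_users=5):
    """Correlate login attempts per source IP over a sliding time window.

    An IP that hits at least `min_distinct_users` different accounts inside one
    window is flagged. Any successful login from such an IP is the real event:
    an account that was actually taken over and needs containment (session
    revocation, forced password reset, notification). Repeated failures by a
    single user from one IP never trip the rule, so ordinary typos stay non-impact.
    Returns {ip: {"distinct_users": n, "compromised": [users]}}.
    """
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # advance the window start until every event in evs[start:end+1] fits in `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]
            users = {e["user"] for e in in_window}
            if len(users) < min_distinct_users:
                continue
            compromised = sorted({e["user"] for e in in_window if e["result"] == "success"})
            # keep the widest spread seen for this IP so the report shows the full extent
            if ip not in findings or len(users) > findings[ip]["distinct_users"]:
                findings[ip] = {"distinct_users": len(users), "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, f in detect_credential_stuffing(parse_auth_log(SAMPLE_LOG)).items():
        print(f"{ip}: {f['distinct_users']} accounts tried, took over {f['compromised']}")
```

On the sample data only 203.0.113.7 is reported, with carol and frank as the accounts to contain; grace’s three attempts from her own address never reach the threshold. In a SIEM the same rule is usually expressed as a correlation search keyed on source IP with a distinct-count of usernames, with the successes routed to a higher-priority queue than the failures.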
Forewarned is Forearmed: Information Sharing
As noted on the White House website: In February, President Obama signed Executive Order 13691 to enhance the ability of organizations to share information about cyber threats with one another.
Sharing information about cyber threats is an essential element of our nation’s approach to cybersecurity. Rapidly sharing threat information allows organizations to take action to discover ongoing cyber-attacks and prevent new incidents. It also enables the entire community to work together to defend against and counter threats. President Obama has encouraged communities of interest, whether based on geography, business sector, or a particular event, to form Information Sharing and Analysis Organizations (ISAO) [4].
New Guidelines for Password Protection
One thing we know for sure: passwords are the Achilles’ heel of cyber security. Password policy can also be simplified, which is why the National Institute of Standards and Technology is revising its guidance. The work is still in progress, but the draft of Special Publication 800-63-3, Digital Authentication Guideline, is open for public comment [5].
DefendEdge’s partner Sophos highlights a few of the changes in its blog post, “NIST’s New Password Rules: What You Need to Know” [6]. Some of them may surprise you. Composition rules demanding particular character classes or combinations are out; so are password hints and scheduled password expiry (a reset should be forced when there is evidence of compromise, as there was here, not on a calendar). In their place the draft asks verifiers to require at least 8 characters, accept long passphrases, and screen every new password against a list of commonly used or previously breached passwords, which is exactly the check that blunts reuse of credentials stolen elsewhere.
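To make the change concrete, here is an added example (not Sophos’s or NIST’s code) that puts a typical legacy composition check beside a check following the draft SP 800-63B memorized-secret rules: a minimum of 8 characters, acceptance of at least 64, any printable character including spaces and Unicode after NFKC normalization, no composition requirements, and rejection of passwords on a blocklist of common or breached passwords or containing the username or service name. The blocklist, usernames and service words are constructed for the example; a real verifier loads a large breached-password list.

```python
import string
import unicodedata

MIN_LEN = 8
# The draft asks verifiers to accept at least 64 characters. Raise this freely,
# but keep some cap so the cost of hashing an attacker-supplied secret is bounded.
MAX_LEN = 64

# Constructed blocklist for the example only. A real verifier loads a large list
# of commonly used and previously breached passwords.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "p@ssw0rd1!", "iloveyou"}


def legacy_check(password):
    """Typical old composition rule: 8+ characters with upper, lower, digit and symbol.
    Shown for contrast only; it happily accepts predictable substitutions like P@ssw0rd1!
    and rejects a long passphrase that has no digit or symbol."""
    return (
        len(password) >= 8
        and any(c.isupper() for c in password)
        and any(c.islower() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def nist_check(password, username="", service_words=()):
    """Return (accepted, reason) under the draft SP 800-63B rules.

    Nothing here stores a hint or computes an expiry date: the draft drops both.
    A change is forced only on evidence of compromise, which is a separate
    incident-response decision, not part of password acceptance.
    """
    # NFKC normalization so visually identical Unicode forms compare equal
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < MIN_LEN:
        return False, "too short"
    if len(pw) > MAX_LEN:
        return False, "too long"
    # No composition rules: spaces and any printable Unicode are fine from here on.
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        return False, "common or breached password"
    # Context-specific words: the username (local part of an email) and the service name.
    # Very short words are skipped so a two-letter username does not reject everything.
    context = [w.lower() for w in (username.split("@")[0], *service_words) if len(w) >= 3]
    if any(w in lowered for w in context):
        return False, "contains username or service name"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "correct horse battery staple", "Lottery2016!"):
        print(f"{pw!r}: legacy={legacy_check(pw)} nist={nist_check(pw, 'alice@example.com', ('lottery',))}")
```

Running the block shows the point of the new guidance: the legacy rule accepts the blocklisted “P@ssw0rd1!” and rejects “correct horse battery staple”, while the draft-style check does the opposite, and it also refuses a password built from the service’s own name. Length and blocklist screening do far more against credential stuffing than any character-class rule.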
Better Protection
The more we follow best practices, the more secure our organizations and customers will be.
[1] Infosecurity Magazine (infosecurity-magazine.com), “National Lottery: Over 26,000 Accounts Compromised,” November 30, 2016
[2] Verizon (verizonenterprise.com), “2016 Data Breach Investigations Report,” 2016
[3] SANS Institute, “Continuous Monitoring: What It Is, Why It Is Needed, and How to Use It,” 2016
[4] The White House (whitehouse.gov), “Promoting Private Sector Cybersecurity Information Sharing,” September 3, 2015
[5] National Institute of Standards and Technology, “Coming Soon! Digital Authentication Guideline: Public Comment,” 2015
[6] Naked Security by Sophos (nakedsecurity.sophos.com), “NIST’s New Password Rules: What You Need to Know,” August 18, 2016