Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

HWL Ebsworth Breach Affects 65 Australian Government Agencies

Back in May, we reported on the ALPHV/BlackCat breach of law firm HWL Ebsworth, which saw approximately 4 TB (estimates vary) of data exfiltrated - a mix of financial data, employee records and client documentation. In June, the ransomware gang posted 1.45 TB of data to the dark web in an attempt to force the lawyers into paying their extortion demand - a move which saw the firm double down and issue legal threats, including a non-publication order in the NSW Supreme Court to prevent dissemination of any of the data.

At the AFR Cyber Summit yesterday, Australian cybersecurity coordinator Air Marshal Darren Goldie revealed that 65 government agencies were affected:

One of the affected agencies was the National Disability Insurance Agency, and Goldie confirmed that some of its clients' PII, likely including health information, was stolen in the attack, since HWL Ebsworth had represented the agency in appeals cases. However, the affected individuals were contacted directly by the firm before this aspect of the breach was revealed this week.

Taylor, Josh, HWL Ebsworth hack: 65 Australian government agencies affected by cyber-attack, The Guardian, 18 September 2023. Available online at https://www.theguardian.com/australia-news/2023/sep/18/hwl-ebsworth-hack-65-australian-government-agencies-affected-by-cyber-attack.

ASIC Tightens Cybersecurity Governance Demands on Directors

Also speaking at the AFR Summit were the chairman of the Australian Securities and Investment Commission, Joe Longo, and the chairman of the Commonwealth Government's cybersecurity strategy review, Andy Penn.

Penn laid out four key priorities for directors, stating that he hoped government would make these explicit in guidance. Boards should:

• know what data they hold - in other words, have a registry of information assets
• have an inventory of their IT systems
• have a plan to upgrade these systems
• have a response plan to remediate systems and manage fallout in the event of a breach

These are very basic requirements which most large companies can easily meet - the first two from their GRC platforms and risk management processes, the third from proactive patch management and asset lifecycle management, and the last from their incident response and management policies - and the key requirement is to provide this information to boards and provide assurance of their management.

Longo warned that ASIC would take legal action against directors of hacked companies if they were held to to have taken insufficient steps to protect information and critical infrastructure. However, a survey conducted by law firm Herbert Smith Freehills, of 122 senior Australian lawyers, found that two-thirds of respondents said their boards had not given management formal guidance on how to handle cyber extortion demands. And according to ASIC's unreleased research, half of their respondents said they had not identified business critical systems.

Attendees also focused on the tension between demands by regulators to share incident and breach information promptly - both with the regulator and others in the same industry - and the need to withhold information which could be used against them in regulatory action or class actions.

There is also an obvious need for directors to better understand cybersecurity - fortunately, we are already doing our part here, with short courses on cybersecurity governance and information risk management for boards and senior managers.

Bonyhady, Nick, The tougher regime for cyber threats that directors must heed, Australian Financial Review, 18 September 2023. Available online at https://www.afr.com/technology/four-steps-businesses-must-take-to-avoid-cyber-lawsuits-penn-20230918-p5e5j2.

Microsoft's AI Research Team Exposes 38 TB of Private Data

In an embarrassing blunder, Microsoft's AI research team accidentally exposed 38 terabytes of private data, including disk backups of two employees' workstations - revealing secrets, private keys, passwords and over 30,000 internal Teams messages. The blunder occurred while publishing a bucket of open-source training data on GitHub, using an Azure feature called SAS tokens, which allows shareing from Azure Storage accounts. While the access level can be limited to specific files only, in this case the link was configured to share the entire storage account, including that 38TB of private files.

The leak was discovered by researchers at Wiz Research, who work on accidental exposure of cloud-hosted data, scanning the Internet for misconfigured storage containers. Their report provides a full analysis, including the risks of using SAS tokens, and a number of suggested mitigations.

Ben-Sasson, Hillai and Ronny Greenberg, 38TB of data accidentally exposed by Microsoft AI researchers, blog post, 18 September 2023. Available online at https://www.wiz.io/blog/38-terabytes-of-private-data-accidentally-exposed-by-microsoft-ai-researchers.

Upcoming Courses

• SE221 CISSP Fast Track Review, Virtual/Online, 13 - 17 November 2023
• SE221 CISSP Fast Track Review, Sydney, 4 - 8 December 2023

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.