Preparing for Notifiable Data Breach: A Guide to Not Becoming Australia’s Breach Example

As Australians return to work after the holiday season, IT teams across the country will be pushing to make sure they are prepared for the Notifiable Data Breaches (NDB) scheme, which takes effect on 22 February 2018.

It is important to point out that businesses have had nearly a whole year in which executives and IT teams should have worked together to ensure their networks are secure. The Office of the Australian Information Commissioner (OAIC) has worked hard to give Australian businesses the support they need to understand the legislation and prepare for the changes, so few CEOs and CIOs should be surprised by it.

Given the long lead-in time, it is almost guaranteed that the first organisation found to have violated the legislation will be made an example of to businesses across Australia, on top of the reputational damage and possible financial penalties that follow any breach. To avoid this, companies need to understand who they are defending against, check whether they have already been breached, and know how best to prepare for the changes.

How hackers operate

Understanding how attackers think can make the difference in how an IT team withstands an attack. Generally speaking, an attacker's first objective is to get into the business's network undetected.

Once inside, attackers can lurk for weeks, months or even years, hunting for sensitive data, passwords and credentials. They will typically plant backdoors so that their access survives long after the initial intrusion, and stage malicious software that sits dormant until they are ready to act. Sometimes this shows up as unusual system behaviour, but more often than not it is missed or written off as a "glitch". A business experiencing this could already be compromised without realising it.

Cover Your Past Before Looking to the Future

A common mistake companies make is looking to the future without analysing the past. If a company is going to implement a large, and most likely costly, security system to avoid falling victim to attackers in the future, it first needs to establish that it has not already been compromised.

Cyber security controls need to be built from the ground up for the investment to be worthwhile. Like any other major purchase, they need a strong foundation to be effective. If the network is already compromised, a new security system sits on top of an attacker who is already inside, and the organisation can still be breached down the road.

Cyber security 101: Always plan ahead

To avoid becoming a victim of cyber crime, organisations need to check and re-check for threats. This is especially important in the lead-up to the NDB scheme and before investing in a top-of-the-line security platform.

As mentioned, threats can stay hidden and dormant for months and are often missed by routine security scans. It is not uncommon for IT professionals to find a backdoor into their environment while testing for something else entirely. This is why it is vital to test, re-test and test again to ensure all threats have been found and removed before deploying a new security system.

Falling victim to a breach can be devastating to an organisation's reputation and can lead to financial consequences. With the NDB legislation in effect, the government will be quick to make examples of organisations that fail to comply.

To avoid penalties and the bad press that comes with a breach, businesses need to verify that they have not already been compromised. Only then can IT teams build a security system that protects the business going forward, knowing a strong foundation is in place. Some general best practices include:

  • Ensure the cyber security strategy is scaled across wired, wireless, cloud and mobile networks, where applicable
  • Leverage next-generation firewalls to mitigate advanced cyber threats
  • Layer cyber security controls with cloud sandboxing, such as Capture ATP
  • Deploy email security controls to help identify and block phishing attempts
  • Map network data to understand what’s most valuable

While the legislation will be new to all Australian organisations, it is a step in the right direction for the safety of people's private information.

For more information on common data breaches please visit

Equifax Data Breach: What Can We Learn?

Equifax has just rolled into the history books as the victim of one of the most widespread and dangerous data breaches of all time. The breach began on March 10, 2017, when the attackers exploited CVE-2017-5638, a critical remote code execution vulnerability in Apache Struts 2. This attack highlights the value of an Intrusion Prevention System (IPS) and virtual patching.

SonicWall developed definitions for this vulnerability for its Intrusion Prevention Service and then saw a large jump in IPS hits by the beginning of the third week of March 2017. The first lesson from the data is how quickly attackers rush to exploit a newly disclosed critical vulnerability (see chart below).

Every announcement of this magnitude is like Black Friday for attackers. For scale, in 2016 SonicWall blocked over 2.6 trillion IPS attacks on customer systems.

This means that when a critical patch is released you either install it as soon as possible or have an automated control such as IPS in place to block the related attacks until you can. This is the same lesson everyone should have learned years ago, and certainly since WannaCry: had MS17-010 been patched everywhere after WannaCry, NotPetya would have had far less to work with.
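As an added example (not SonicWall's IPS signature and not code from the original post), here is the shape of a virtual-patch check for CVE-2017-5638 in Python. The vulnerable Jakarta multipart parser evaluated OGNL expressions it found in the Content-Type header, and a legitimate Content-Type value never contains OGNL expression delimiters, so an inline inspector can block such a request before it reaches an unpatched Struts instance. The marker pattern, the header list and the HTTP requests are all constructed for this example; a production signature is broader and also handles the encodings and related headers that a vendor rule covers.

```python
"""Added example: inline 'virtual patch' check for CVE-2017-5638 (Apache Struts 2).

This is illustrative detection logic, not SonicWall's IPS signature and not an
exploit. The marker pattern and the sample requests are constructed for the
example.
"""
import re
from typing import Dict, List

# CVE-2017-5638: the Jakarta multipart parser evaluated OGNL found in the
# Content-Type header. A legitimate Content-Type value never contains OGNL
# expression delimiters, so their presence is a high-confidence indicator.
# (Pattern chosen for this example; real signatures are broader.)
OGNL_MARKER = re.compile(r"[%$]\{|#_memberAccess", re.IGNORECASE)

# Headers the Jakarta parser consumed; the follow-up advisory (S2-046) added
# Content-Disposition, so inspect both. List is an assumption of this example.
INSPECTED_HEADERS = ("content-type", "content-disposition")


def parse_request(raw: str) -> Dict[str, object]:
    """Split a raw HTTP request into its request line and a header map.

    Header names are lower-cased and every occurrence is kept, because a
    duplicate header is a classic way to slip a payload past an inspector
    that only looks at the first value.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # malformed header line; ignore rather than crash
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"request_line": lines[0], "headers": headers}


def inspect_request(raw: str) -> Dict[str, object]:
    """Return a block/allow verdict for one HTTP request."""
    req = parse_request(raw)
    headers = req["headers"]
    for name in INSPECTED_HEADERS:
        for value in headers.get(name, []):
            hit = OGNL_MARKER.search(value)
            if hit:
                return {
                    "request_line": req["request_line"],
                    "block": True,
                    "reason": f"OGNL marker {hit.group(0)!r} in {name} header",
                }
    return {"request_line": req["request_line"], "block": False, "reason": None}


# Constructed sample traffic (not captured data). The second request carries
# an OGNL delimiter in Content-Type, as CVE-2017-5638 exploit traffic did;
# the expression body is a placeholder, not a working payload.
BENIGN_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: multipart/form-data; boundary=----WebKitFormBoundary7MA4\r\n"
    "Content-Length: 0\r\n\r\n"
)
SUSPICIOUS_UPLOAD = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: %{(#_='multipart/form-data').(#probe='constructed-sample')}\r\n"
    "Content-Length: 0\r\n\r\n"
)
DUPLICATE_HEADER = (
    "POST /upload.action HTTP/1.1\r\n"
    "Host: example.test\r\n"
    "Content-Type: multipart/form-data\r\n"
    "Content-Type: ${'constructed-sample'}\r\n\r\n"
)


def scan(requests: List[str]) -> int:
    """Inspect a batch of requests and return how many would be blocked."""
    return sum(1 for r in requests if inspect_request(r)["block"])


if __name__ == "__main__":
    for r in (BENIGN_UPLOAD, SUSPICIOUS_UPLOAD, DUPLICATE_HEADER):
        print(inspect_request(r))
```

The point of keeping every header occurrence rather than the first is that a virtual patch is only as good as its parser: if the inspector and the vulnerable application disagree about which Content-Type value "counts", the attacker gets to choose the one the inspector never sees.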

However, many believe that the conventional wisdom of patch and train is ultimately not working. If manual patching of vulnerable systems worked, why would the number of breaches continue to escalate?

A 2016 survey from Black Hat showed that even people who rate themselves as very knowledgeable about IT security can be tricked into clicking phishing links in emails. So training alone is not the answer either.

We at SonicWall think there is a better way. We believe in automating as much of the protection as possible — on the network, for email, for mobile users, on Wi-Fi and at the endpoint. That is why we built our automated real-time breach prevention and detection platform. It’s why we believe in cloud-based, zero-day protection, and also why we built the Capture Advanced Threat Protection sandbox service into every element of our platform.

So, what can you do to keep yourself safe against these IT weak spots? Here is a list of best practices for staying safe in today’s dynamic, fast-moving threat landscape:

  • Implement automated real-time breach prevention. Deploy SonicWall next-generation firewalls with Gateway Anti-Virus and Intrusion Prevention Services (GAV/IPS) to stop known attacks such as those on the critical Apache Struts 2 vulnerability. SonicWall's Deep Learning Algorithm learns from over 1 million sensors deployed around the globe and can push real-time GAV/IPS updates within minutes.
  • Use cloud-based sandboxing. Leverage SonicWall Capture ATP, our multi-engine cloud sandbox to discover and stop unknown attacks, such as new ransomware attacks.
  • Inspect TLS/SSL traffic. Because more and more malware is delivered over encrypted connections, deploy SonicWall Deep Packet Inspection of TLS/SSL (DPI-SSL) traffic so that the security services can see and block known ransomware inside it. Note that DPI-SSL intercepts TLS, so the firewall's inspection CA must be trusted by managed endpoints, and some traffic (certificate-pinned applications, and categories such as banking or health sites) will need to be excluded from inspection.
  • Defend against phishing attacks. Implement advanced email security, such as SonicWall Email Security, which uses malware signatures to block the email-borne threats that are often used to deliver malware. It is estimated that 65 percent of all ransomware attacks arrive through phishing emails, so this needs to be a major focus of security awareness training.
  • Filter malicious content and sources. Customers should activate SonicWall Content Filtering Service to block communication with malicious URLs and domains, which work similar to the way botnet filtering disrupts C&C communication.
  • Never stop patching. Apply the latest patches on all of your systems. Implement policy to ensure it happens and be consistent in verifying it is being followed.
  • Improve attack awareness. Train your users to report a suspected malware infection immediately and to shut off (or at least disconnect) the computer. Their machine is likely compromised either way, but this practice will help limit the malware from using the endpoint as a launching point into the network. Where an incident response team exists, prefer pulling the network cable to powering off, since a clean shutdown destroys the volatile memory a responder may need.
  • Back up data. It is always a good idea to maintain current backups of all critical data to allow recovery in the event of a ransomware event. For larger organizations, build redundant disaster recovery and business continuity plans to ensure operations are not impacted.

For more information, download 10 Ways to Securely Optimize Your Network.

POS Attacks Persist: Top 5 Defense Strategies to Protect Retail Networks

No one needs reminding that 2014 was one of the most profitable years for cyber-criminals. The timeline graphic below takes us down memory lane to what happened to large retailers such as Target, Home Depot and others. Despite efforts to comply with the Payment Card Industry Data Security Standard (PCI DSS) and other measures for protecting electronic transactions and consumer data, U.S.-based retailers were hit hard by data breaches last year. Stores continued to be soft targets not because they were easy victims per se, but because effective hacking tools and techniques were readily available to the cyber-criminals attacking payment card infrastructure.

Although alarming retail breach headlines have been relatively quiet so far in 2015, the bad news is that POS attacks resumed where they left off in 2014. The SonicWall Security Threat Research team has been busy developing countermeasures for newer forms of POS malware found actively spreading in the wild, a noticeable carry-over from the previous year. Cyber-criminals are clearly investing more in the malware economy and in research and development to create smarter attacks that do greater harm. This is consistent with the Threat Research team's 2015 Annual Threat Report prediction that more sophisticated POS malware variants would appear and that additional attacks would target payment infrastructure throughout 2015, especially smaller regional chains, which are more susceptible.

Debit/credit card payment

SonicWall Security researchers have already developed counter-measures to block several POS bot families including:

  1. Punkey: this Trojan was discovered in April 2015 and has versions for both 32-bit and 64-bit Windows-based POS terminals. Punkey is particularly dangerous not only because it can record payment card data while it is being processed, but also because it installs a keylogger to capture what employees type on the system, including the card verification value (CVV) during a transaction.
  2. NewPosThings.C: this Trojan was also uncovered in April 2015. It adds system files and Windows registry keys so that it persists across reboots, searches the registry for VNC passwords, scans process memory for payment card track data, periodically checks whether data is ready to transfer to its command and control (C&C) server, and sends the card data Base64-encoded. Base64 obscures the data from a casual look but does not encrypt it, so the track data is still recognisable once decoded.
  3. PoSeidon and POS.UCC: these Trojans were detected in March and February 2015 respectively. Both exhibit behaviour similar to that described for NewPosThings.C.
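To see what the memory scraping described above looks like from the defender's side, here is an added Python example (not from the original post and not SonicWall code) that searches a memory buffer or outbound payload for magnetic-stripe Track 1 and Track 2 data in the ISO/IEC 7813 layouts and, because NewPosThings.C sends its haul Base64-encoded, also decodes Base64 runs and rescans them. A Luhn check filters the false positives a bare regex produces. The same matching is what a RAM-scraper uses to harvest cards and what a DLP or egress rule uses to catch them leaving the POS segment. The buffer and the Base64 payload are constructed and use publicly documented test card numbers.

```python
"""Added example: find payment-card track data in a buffer or outbound payload.

Not from the original post and not SonicWall code. Track layouts follow
ISO/IEC 7813; the sample buffer and Base64 payload are constructed and use
publicly documented test card numbers.
"""
import base64
import binascii
import re
from typing import Dict, List

# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(rb"%B(\d{13,19})\^[^^?]{2,26}\^(\d{4})\d{3}[^?]*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{4})\d{3}[^?]*\?")
# Runs of Base64 text long enough to hold a track record (>= 32 chars).
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{32,}={0,2}")


def luhn_ok(pan: str) -> bool:
    """Luhn check-digit test; rejects most digit strings that merely match the regex."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS allows for display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes) -> List[Dict[str, object]]:
    """Return masked hits for every Luhn-valid track record in buf, by offset."""
    hits = []
    for track, rx in ((1, TRACK1), (2, TRACK2)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode("ascii")
            if luhn_ok(pan):
                hits.append({"track": track, "pan": mask_pan(pan),
                             "expiry": m.group(2).decode("ascii"),
                             "offset": m.start(), "encoded": False})
    return sorted(hits, key=lambda h: h["offset"])


def find_track_data_in_base64(buf: bytes) -> List[Dict[str, object]]:
    """Decode Base64 runs (NewPosThings.C-style exfil) and rescan the plaintext."""
    hits = []
    for m in B64_RUN.finditer(buf):
        run = m.group(0)
        run += b"=" * (-len(run) % 4)  # tolerate stripped padding
        try:
            decoded = base64.b64decode(run, validate=True)
        except (binascii.Error, ValueError):
            continue  # not really Base64; skip the run
        for h in find_track_data(decoded):
            h["offset"] = m.start()  # report where the encoded run sat
            h["encoded"] = True
            hits.append(h)
    return hits


# Constructed sample memory buffer: a Luhn-invalid decoy that matches the
# Track 2 shape, then a valid Track 1 and Track 2 record amid junk bytes.
SAMPLE_MEMORY = (
    b"\x00\x10\x7fjunk" + b";1234567890123456=2512101?" + b"\x00\xff"
    + b"%B5555555555554444^DOE/JANE^25121010000000000000?" + b"\x00\x00"
    + b";4111111111111111=25121010000000000000?" + b"\x00tail"
)
# Constructed exfil payload: the valid Track 2 record above, Base64-encoded.
SAMPLE_EXFIL = (
    b"POST /gate.php data="
    + base64.b64encode(b";4111111111111111=25121010000000000000?")
    + b" HTTP/1.1"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_MEMORY) + find_track_data_in_base64(SAMPLE_EXFIL):
        print(hit)
```

Two design points carry over to a real deployment: never log or forward the full PAN from a detector (the masked form is all a responder needs), and scan decoded forms as well as raw bytes, because encoding that "avoids detection" only defeats a scanner that stops at the first layer.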

If you are in retail and still nervous about whether or not you have the proper security measures in place to protect your retail network, SonicWall Security recommends the following five key defense strategies to secure your payment card infrastructure.

  1. Traditional POS applications run on terminals connected to a central computer. Often, the operating system (OS) of this central computer is not kept updated, which can make the POS system as a whole highly vulnerable. It’s important to keep the OS patched and all software updated continually.
  2. Restrict activity on terminals to POS-related functions only (no web browsing). Permit data to flow from the POS system to a trusted payment-processing server on a separate secured network, and nowhere else. To do this, isolate the POS system from the rest of the network: separate groups and zones, and make sure POS systems can only communicate with a defined set of valid IP addresses. Communication between these systems should be controlled and sanctioned only by the firewall via access control lists (ACLs), so that an attacker who has gained a foothold elsewhere on the network cannot reach the POS segment, and a compromised terminal cannot siphon data off to an attacker-controlled server.
  3. Install a capable next-generation firewall with integrated intrusion prevention system (IPS) and SSL decryption between network segments and in the B2B portal to inspect all network traffic including encrypted connections to protect the network from internal and external attacks.
  4. Adopt a security policy that trusts nothing (networks, resources, etc.) and no one (vendors, franchisees, internal personnel, etc.), and then add explicit exceptions.
  5. Make security training a significant part of employee onboarding and ongoing communications. SonicWall’s recent Global Technology Adoption Index (GTAI) showed that employee security training is lacking in all industries, including retail. An astounding 56% of companies admit that not all of their employees are aware of security rules.

Download this exclusive white paper for additional guidelines on how you can protect your retail network.