Cloud Security Roundup: China’s Data Protection Law, Microsoft Teams Security Threats, and More
Each month, we bring you some of the most compelling cloud and Salesforce security-related stories from the last four weeks. In this post, we discuss zero trust, risky employee behaviors, hackers’ new target for data theft, and more.
Security researchers recently discovered a phishing scheme that’s compromising the login credentials of thousands of Microsoft users. Victims are targeted via a phishing email indicating they’ve missed activity in the Microsoft Teams instant messaging platform. After clicking a link in the email, unsuspecting users are directed to a fake login page where hackers harvest their login credentials.
“The email is sent from the display name, ‘There’s new activity in Teams’, making it appear like an automated notification from Microsoft Teams,” said researchers. “Because Microsoft Teams is an instant messaging service, recipients of this notification might be more apt to click on it so that they can respond quickly to whatever message they think they may have missed based on the notification.”
New research shows that hackers are now targeting customer loyalty programs for sensitive, personal information. Using credential stuffing attacks – where large lists of stolen login information are used to access protected databases – hackers steal customer data from retail, travel, and hospitality organizations and cash in by selling the stolen data, holding it for ransom, or using it for identity theft.
The research revealed that more than 100 billion credential stuffing attacks occurred between July 2018 and June 2020, with 41% of the attacks focused on the retail, travel, and hospitality industries.
To reduce the impact of credential stuffing attacks, experts recommend using multi-factor authentication and establishing the principle of least privilege, where users can only access the data necessary to complete their work and no more.
“Criminals are not picky — anything that can be accessed can be used in some way. This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”
– Steve Ragan, Security Researcher, Akamai
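The detection side of the credential stuffing story above, as an added example that is not from the original post: one source address cycling through many distinct accounts with a high failure rate is the pattern to alert on, which is a different signal from a single user mistyping their own password. The log format, the field names, and the thresholds are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not from the original post).
# 203.0.113.5 tries six different accounts in a few seconds and gets one
# hit; 198.51.100.7 is one user retrying their own password.
SAMPLE_LOG = """\
2020-06-01T12:00:01Z src=203.0.113.5 user=alice result=FAIL
2020-06-01T12:00:02Z src=203.0.113.5 user=bob result=FAIL
2020-06-01T12:00:02Z src=203.0.113.5 user=carol result=FAIL
2020-06-01T12:00:03Z src=203.0.113.5 user=dave result=OK
2020-06-01T12:00:03Z src=203.0.113.5 user=erin result=FAIL
2020-06-01T12:00:04Z src=203.0.113.5 user=frank result=FAIL
2020-06-01T12:00:09Z src=198.51.100.7 user=grace result=FAIL
2020-06-01T12:00:15Z src=198.51.100.7 user=grace result=FAIL
2020-06-01T12:00:20Z src=198.51.100.7 user=grace result=OK
"""

# Assumed log line layout; adapt the pattern to your own auth logs.
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def detect_credential_stuffing(log_text, min_distinct_users=5, min_fail_ratio=0.8):
    """Return {src_ip: stats} for sources whose logins look like credential
    stuffing: many *different* usernames from one address with a high
    failure ratio. Thresholds are illustrative assumptions, not tuned values."""
    per_src = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "hits": []})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip unparseable lines instead of aborting the whole scan
        s = per_src[m["src"]]
        s["attempts"] += 1
        s["users"].add(m["user"])
        if m["result"] == "OK":
            s["hits"].append(m["user"])  # accounts the stuffing run actually opened
        else:
            s["failures"] += 1
    flagged = {}
    for src, s in per_src.items():
        fail_ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged[src] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(fail_ratio, 2),
                "compromised_accounts": sorted(s["hits"]),  # candidates for forced reset
            }
    return flagged
```

The `compromised_accounts` list is the actionable output: those are the accounts where a stolen credential worked and a password reset plus MFA enrolment, as the experts above recommend, limits the damage.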
China recently unveiled a draft law on personal data protection. The draft law marks significant progress toward stronger data privacy in the country with the most online users. In addition to data protection principles such as transparency, fairness, and data minimization, the draft sets out provisions for how the government handles personal information and the duties of personal information handlers. The draft's definition of sensitive personal data includes race, ethnicity, religion, biometric data, medical and financial data, and personal trajectory. Violators could face fines of 50 million yuan ($7.4 million) or five percent of the past year's turnover.
Similar to how GDPR and CCPA protect EU and California citizens, China’s law would apply to individuals or entities that process personal information of Chinese citizens, regardless of the location of processing. Legal experts and observers hope that the law will remediate the long-standing disruption some organizations have caused by illegally collecting, using, and trading personal information for profit.
A new research report highlights the threat risky employee behaviors pose to an organization, particularly when using company-issued devices. Despite 96% of respondents knowing that email and online links can potentially cause harm and 64% receiving cybersecurity awareness training, almost half (45%) of employees admitted to opening emails that they felt were suspicious. Even more concerning, another 45% didn’t report suspicious emails to IT or security for review.
“Security professionals need to ensure their organization isn’t growing more exposed as threats evolve to better target the unsuspecting. With everyone’s home becoming their new office, classroom and place of residence, it’s not really a surprise that employees are using their company-issued devices for personal use. However, this is also a big opportunity for threat actors to target victims in new ways. We’ve seen attacks become more aggressive and the attack surface has expanded due to the new ‘WFH’ or hybrid work environments.”
– Josh Douglas, VP of Threat Intelligence, Mimecast
In its new report, security research firm Forrester predicts a rise in insider threats in 2021. Specifically, the report highlights an expected increase in data breaches caused, whether accidentally or intentionally, by privileged insiders with access to protected data.
Forrester suggests that three factors will contribute to the wave of internal threats:
- The rapid shift to remote work due to COVID-19
- Employees’ job insecurity
- Increased ease of moving stolen company data
The report surmises that confirmed insider incidents will increase as organizations become better at identifying and attributing security and privacy incidents to the actual perpetrators – insiders. Forrester advises readers to keep the human element in mind when working to mitigate these threats.
“Leading CISOs will put a greater focus on insider threat defense while emphasizing improved employee experience — not treating users like machines — to avoid turning employees into malicious insiders. Considerations for employees’ privacy, company culture, and local standards for lawful, fair, and acceptable labor practices are key to the success of your insider threat program.”
– Forrester Research, Predictions 2021
The COVID-19 pandemic has dispersed teams across many networks and locations, leading to skyrocketing numbers of security vulnerabilities. In response to the heightened threats, a survey shows that 60% of technology professionals at organizations worldwide are doubling down on zero trust projects. In a nutshell, zero trust boils down to “trust nothing, verify everything.” Regardless of whether they’re inside or outside a network, until a user or application verifies their identity, zero trust does not permit them to access data.
The survey also found that 45% of zero trust projects are interdisciplinary, involving both security and networking teams. Nearly half (48%) of these teams collaborate by coordinating access security controls across different systems, while 41% assess access security control requirements, and 40% define access requirements according to the user, role, data, and application.