Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
Yet Another Patient Data Breach
The string of highly-publicized breaches of personal health information in Australia has continued, with a pathology lab the latest firm to be hit.
Medlab Pathology has disclosed a breach which compromised the personal information of patients and staff. The breach occurred back in February 2022, and it would be interesting to know whether, and at what point, the Office of the Australian Information Commissioner (OAIC) was notified, as the Privacy Amendment (Notifiable Data Breaches) Act 2017 requires notification as soon as practicable once an entity has reasonable grounds to believe an eligible data breach has occurred.
According to their statement, Medlab engaged external experts, whose investigation "did not reveal any evidence that information stored in our systems had been accessed or downloaded". However, in June Medlab was contacted by the Australian Cyber Security Centre, which had detected the publication of some Medlab data on the dark web, whereupon the firm downloaded the dataset and "spent several months to analyse the data so it could determine what information was included ... and who it belonged to".
The company states, "This process took several months to complete, including locating current contact details for involved individuals ... so that we did not incorrectly notify anyone and cause undue alarm or distress".
That's all well and good, but not disclosing a breach for eight months sounds very much like closing the stable door after the horse has bolted; in particular, the company seems to have tried to avoid making a public disclosure, only to see it forced upon them before they had contacted the affected individuals (which will happen over the coming weeks, according to their statement). There's also an element of wishful thinking: the fact that "external experts" could find no evidence of information exfiltration is emphatically not evidence that no exfiltration occurred. Absence of evidence usually says more about the logging available to the investigators than about what the attacker actually did, and in this case the data turning up on the dark web settled the question.
McGrath, Melinda, Medlab Cyber Incident, public statement, 27 October 2022. Available online at https://medlab.com.au/medlab-cyber-incident.
Medibank Cyber Insurance Comment
While we're on the topic of Australian privacy breaches: media eyes remain focused on Medibank's handling of the other big breach, with more reporting in mainstream media. One comment that caught my eye (no reference for this one, I'm afraid - it was a passing comment in a TV news report): apparently Medibank had not taken out a cyber insurance policy, on the grounds that it was "too expensive".
I'll pass over the fact that an insurance company thinks that cyber insurance does not represent good value. Perhaps it is appropriate for an insurance company to self-insure for this and other risks, provided it has the capital reserves to do this. But it ignores one key benefit provided by many cyber insurance policies: immediate access to incident response, crisis management and crisis communications experts who parachute in to assist or even take charge of incident response.
Fast access to these kinds of resources might well have done a lot to improve Medibank's image over the last few weeks.
GitLab Tightens Supply Chain Security
Source code management company GitLab is taking concerns about supply chain security to heart, announcing several new security and compliance features and enhancements to assist with this. Among the new features are security policy management, compliance management, events auditing and vulnerability management. Also planned is a dependency management feature which will be able to track vulnerabilities in dependencies.
The enhancements will help developers manage risk by providing increased visibility into security findings and user activities, as well as by running proactive vulnerability scans in the CI pipeline, including static analysis, secret detection, container scanning, dependency scanning, infrastructure-as-code scanning and coverage-guided fuzz testing. The GitLab platform will also add access to actionable and relevant secure coding guidance.
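As an added illustration (not part of the original article, nor of GitLab's announcement), the following `.gitlab-ci.yml` fragment shows how the scanners listed above are typically switched on in a project pipeline: each is pulled in from a GitLab-managed template rather than hand-written. The template paths and variable names are from my recollection of the GitLab 15.x documentation and should be checked against the template list in your own instance; the stage names are assumptions.

```yaml
# .gitlab-ci.yml (added illustration; not from the article or GitLab's docs)
# Each include pulls in one of GitLab's managed scanner templates. Template
# paths are as recalled for GitLab 15.x; verify against your instance before use.
stages:
  - build
  - test

include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis
  - template: Security/Secret-Detection.gitlab-ci.yml     # credentials in commits
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # known-vulnerable packages
  - template: Security/Container-Scanning.gitlab-ci.yml   # CVEs in the built image
  - template: Jobs/SAST-IaC.gitlab-ci.yml                 # Terraform/Kubernetes/Dockerfile misconfigurations

variables:
  # Secret detection normally scans only the commits in the current push.
  # Run a full-history scan once, so credentials committed before the
  # scanner was enabled are caught too (then remove this to keep jobs fast).
  SECRET_DETECTION_HISTORIC_SCAN: "true"
  # Container scanning must be told which image to scan; the image built
  # earlier in the same pipeline is the one that matters. CI_REGISTRY_IMAGE
  # and CI_COMMIT_SHA are GitLab predefined variables.
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
```

Coverage-guided fuzzing is not shown because, unlike the scanners above, it needs a project-specific job that builds and runs a fuzz target. Note also that these jobs only report findings into the merge request and the project's vulnerability report; actually blocking a merge on a critical finding is done with a scan result policy, which is one of the policy management features the announcement refers to, not something configured in this file.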
This is a welcome step in the movement to 'shift left' by emphasizing security earlier in the development process. It is increasingly obvious that trying to deal with security in the operations domain is simply too late.
Dark Reading Staff, GitLab Adds Governance, Software Supply Chain Enhancements, Dark Reading, 27 October 2022. Available online at https://www.darkreading.com/dr-tech/gitlab-adds-governance-software-supply-chain-enhancements.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.