Category Archives: Cyber Security

Third parties leave your network open to attacks

Posted on August 28, 2017 | Leave a comment

With the Target example as the high-water mark, enterprises need to worry about the lack of security on the part of third-party providers that have access to internal systems.

Most businesses hire third-party providers to fill in when they lack in-house resources. It is often necessary to allow third-party vendors access to their network. But after Target’s network was breached a few years ago because of an HVAC vendor’s lack of security, the focus continues to be on how to allow third parties access to the network without creating a security hole.

The use of third-party providers is widespread, as are breaches associated with them. Identity risk and lifestyle solution provider SecZetta claims that on average, 40 percent of the workforce make up third parties. A recent survey done by Soha Systems notes that 63 percent of all data breaches can be attributed to a third party. “The increased reliance on third-party employees, coupled with the growing sophistication of hackers, has led to the current identity and access management crisis that most businesses are faced with today — whether they realize it or not,” a SecZetta blog post stated.

Rick Caccia, CMO at Exabeam, explained that the Target breach shined a light on the risks that come with trusted partners. On one hand, they often have access to the most sensitive data and systems within a firm’s environment. On the other, the firm has little insight into the partner’s own security processes and doesn’t really know the partner’s employees or their routines.

David Baker, vice president of operations at Bugcrowd, said “The rule of thumb most CSOs live by is that you only use a third party if they do something better than you. So whether that’s delivering a package or managing your data center, if an outsourced third party does it better, it makes sense to use them. This extends to security.”

For example, a large number of organizations have outsourced their data centers to Amazon Web Services (AWS) not only because the functionality of building the technology on AWS is better than what organizations can achieve on their own, but also because the security offered is better than what companies can build themselves, he said.

“If you use a third party and want to avoid something like what happened with Target, you need to have a process by which you select those third parties, and a big part of that criteria should be security. Security has to be something you can measure that they do better than you,” Baker said.

Markus Jakobsson, chief scientist at Agari, said the one big disadvantage to working with third-party vendors is the loss of control over security. “Not only does each vendor create a new entry point into an organization’s network for cyber criminals to exploit, but it also means every employee for that vendor is now a potential target to breach your brand. Unfortunately, the only way to ensure your company is not exposed to greater risks is by keeping everything in-house. But in today’s digital world, this isn’t a reality.”

Mike McKee, CEO of ObserveIT, said the lack of visibility into what users at third-party providers are doing – accidentally or intentionally – is a huge security risk.

“Every organization must ensure it has identified the outside parties with access to systems and data and have secure procedures in place, strict policies for these users to follow, and effective technology in place to monitor and detect if the third parties are putting their organization at risk,” he said.

It is the cost of doing business that leaves your network vulnerable to third parties, said Yitzhak (Itzik) Vager, vice president of cyber product management and business development at Verint Systems. Manufacturers connect directly to suppliers to manage just-in-time production. Accounting departments connect to external invoicing and receipt systems, and the marketing team has given all types of automated solutions access to the network infrastructure.

“Organizations need to assume that they have been already breached by a third-party leaving a hole in your network, and therefore they need to move to detection and response area solutions that consider the big picture, delivering complete visibility by detecting across the entire network, endpoints and payloads.”

Richard Henderson, Global Security Strategist at Absolute, agrees. ​”In the majority of cases, companies will have no way to learn if those partners have a breach or fall prey to atta​ck. Add to this that regulators (and customers) really don’t care if someone else was responsibl​e and it seems like an unwinnable battle. After the damage is done, organizations are left picking up the pieces and will be the ones called to task and held accountable.”

Carl Herberger, vice president of security solutions at Radware, said that business units are under a lot of pressure to leverage new solutions to speed time-to-market and reduce costs. Typically, security is a secondary consideration.

“Most of these business teams don’t have the skills or knowledge to assess security requirements and can result in partnering with a vendor who may leave the company’s networks open to attack,” Herberger said.

If an enterprise lets a third party onto their network, regardless of the reason, that third party then becomes an integral part of their security perimeter, notes Amir Jerbi, CTO of container security company Aqua Security. “Organizations should therefore vet third parties for their security measures and practices and ensure they are aligned with their own, and furthermore, periodically check and test those practices to verify they are still in compliance. These checks may (and should) cover systems, process and people.”

Alertsec’s CEO Ebba Blitz advises to make sure everyone plays by your rules. If full disk encryption is mandated for your own staff, make sure that your third parties do the same. “All too many third parties log into your network from unknown devices – devices that you don’t manage and can’t control, unless they are enrolled in your network. Make sure data only flows to encrypted devices, whether they are enrolled in your IT infrastructure or not.”

Third-party risk management

The market has pushed forward with third-party risk management programs to answer this dilemma. A program such as this would tell if a third party was located offshore or onshore, use a corporate issued device or a personal device, have had a background check performed, and whether they will be performing a critical function for the organization.

“When it comes to the cyber world, vendors must demonstrate that they understand security and have a mature security program in place, including policies and employee training,” noted Asher DeMetz, manager- security consulting at Sungard Availability Services. Any third-party systems connected to the company’s network would need to have a proper business function and owner, and align to the company’s own security program (secure, monitored, controlled).

“The software or hardware would need to be validated with the correct security controls and attestation of security testing, and possibly compliance. If the third party is making configuration changes, these would have to go through proper change-management channels to ensure that they align to the security program and don’t introduce risk into the environment,” DeMetz added.

Risk management involving external actors can be a very challenging activity for a variety of reasons, said Bluelock Director of Engineering Derek Brost. “There are two major factors for consideration. First, is sufficiently involving legal counsel to ensure contractual designation of responsibility, diligence and due care. As a backstop, this should also permit enforcement or litigation related to reclaiming loss or damage if things go awry. Second, is allocating continuous resources for proper control and oversight of external activities in the form of authentication management, timely activity analysis, and especially audit review.”

Unfortunately, businesses commonly involve third parties for cost reduction or “quick fixes,” so an adequate level of investment may not be considered in the budget or overall cost for administering external actors, said Brost. However, like all risk management activities, these costs need to be considered up-front as part of the overall tolerance and loss potential.

Kennet Westby, president and co-founder of Coalfire, said every organization should have a robust third-party vendor management program that is built to support the validation that critical vendors are delivering on their committed services. Part of that vendor management process should be to validate that your vendor has internal security controls. If your vendor management program requires these third parties to operate at an even greater standard than your internal controls, you can actually reduce risk more than if internally managed.

That brings us to identity access management. As SecZetta explained in a blog post, no person or department is in charge of managing non-employee identities (people data) and their relationships at most companies. IT might provide access, but the initial access and managing of non-employee changes is charged to HR or procurement.

This is a challenge, especially in cases where non-employees have greater access to sensitive information than internal employees. If a non-employee is granted access to these sensitive systems for a nine-month period but finishes the job early after six months, there are three months in which the non-employee may still have access to sensitive systems. These are exactly the types of accounts that hackers look for when trying to penetrate systems and steal data, according to SecZetta.

Ryan Stolte, co-founder and CTO at Bay Dynamics, said keeping track of who is doing what is a daunting task. “Instead of trying to boil the ocean, keeping tabs on every user for every vendor, security teams must hone in on those that access the company’s most valued applications and systems.”

Instead of trying to boil the ocean, keeping tabs on every user for every vendor, security teams must hone in on those that access the company’s most valued applications and systems.
Ryan Stolte, co-founder and CTO at Bay Dynamics

Effective vendor risk management begins with identifying your crown jewels and the impact to your organization if those crown jewels were compromised, he said. Then, look at which vendors have access to those crown jewels and continuously monitor not just the vendor users’ activity, but also their team members and fellow users in the larger group. If your security tools flag an unusual behavior coming from a vendor user, it’s important to engage the application owner who governs the application at risk, asking the owner to qualify if the behavior is unusual or business justified. If the behavior is unusual, that threat alert should go to the top of the investigation pile.

“It’s important to consider that often third-party vendors are non-malicious threats. Oftentimes, vendor employees are less conscious than full-time employees of good cyber security hygiene and therefore unintentionally expose your company to risk,” he said.

Viewpost’s CSO Chris Pierson said that having a well-developed vendor assurance program is necessary to oversee, quantify, communicate and mitigate risks. This program should consider the company mission, goals and objectives for the vendor, and provide a review process that looks at all types of risk – cybersecurity, privacy, regulatory/legal, financial, operational and reputational.

All vendor risks should then be scored, owned by the business line executive responsible for the product/service, and depending on level of harm, socialized and even approved by a governance risk committee. “By rating your vendors based on the criticality of the product/service they provide and the risks, the company can more adequately manage these risks, request mitigating controls, or off-board the vendor,” said Pierson.

Rod Murchison, vice president of product management at CrowdStrike, said when it comes to security, being knowledgeable after an event happens is insufficient. “Real-time visibility into the security posture of your network is something every organization should strive to achieve and maintain going forward,” he said.

To mitigate these types of threats, the most sophisticated endpoint security solutions can sense and analyze enough data in real-time to ensure that breaches and intrusions are observed in real-time, he added. “These new solutions leverage advancements in machine learning, artificial intelligence and analytics so organizations can quickly observe and fill unintentional, and sometimes intentional, holes left by third-party organizations.”

With the growing landscape of global privacy regulations, such as the General Data Protection Regulation (GDPR), the ability to control the uses of data throughout its life cycle will be critical. Strong access management controls can help, but often data masking and anonymization need to be implemented to manage access to key data fields, said Focal Point Data Risk’s Data Privacy Practice Leader Eric Dieterich.

What’s the solution?

Third-party access requires a layered security approach with dynamic contextual access control applied throughout, said Gerry Gebel, vice president of business development at Axiomatics. For example, one layer of security is to dynamically control who can access your network. Another layer would be to control access to APIs, data and other assets once these third parties are on the network.

Caccia advises that third-party access to assets is a perfect scenario for behavioral analytics, where the system baselines normal behavior of users on the network, even with limited knowledge of who those users actually are. “User behavior analytics (UBA) should be table stakes for any firm that works with partners extensively; it’s the best – perhaps only – way to understand and control what once-removed users are doing on your network and with your data,” he said.

Henderson recommended that companies make sure governance policies around vendor management are bolstered and reinforced. This should include policies around regular and random audits of those vendors. Those audits should have the ability to return quantifiable and definable metrics.

Also when it comes to creating and drafting contracts with these vendors, it’s critical that the appropriate sections clearly define the security and privacy obligations expected of the vendor are included.

“I like the idea of inserting data canaries into the record sets that are shared with third parties and then watching for those canaries to pop up in dumps online. You would be amazed at how often data leaks onto the web and shows up in places like pastebin,” Henderson said. “Other things that make me nervous about this problem are quite simply the fact that all the staff, resources, tools and technologies can often be defeated by nothing more than some middle manager somewhere dumping a huge amount of customer data into a spreadsheet then sending it off via email to some previously unknown third party contracted by a business unit to run a bulk email campaign.”

For other enterprises an important lesson is to ensure that third parties have no way to reach those portions of the network, he advised. “Microsegmentation of your environment, as well as many other tools designed to keep traffic from co-mingling, can stop or at the very least, slow down an attacker, giving your security teams valuable time to detect and respond to an incident,” he said.

While it’s not possible to avoid third parties, Javvad Malik, security advocate at AlienVault, said there are many fundamental security practices that can help mitigate the risks. Examples of such would include:

  • Knowing your assets – by understanding your assets, particularly critical ones, it can be easier to determine effectively what systems third parties should have access to and restricting it to those.
  • Monitoring controls – having in place effective monitoring to determine whether third parties are only accessing systems they should and in a manner they should. Behavioral monitoring can help in this regard by highlighting where activity falls outside of normal parameters.
  • Segregation – by segregating networks and assets, one can contain any breaches to one specific area.
  • Assurance – proactively seek out regular assurance that the security controls implemented are working as intended.

Jeremy Koppen, FireEye principal consultant, said there are four security controls that should be discussed regarding third-party access:

  • Assign a unique user account to each vendor user to better monitor each account and identify abnormal activity.
  • Require two-factor authentication for access to applications and resources that could provide direct or indirect access to the internal network. This protects an organization in case the vendor’s user credentials are compromised.
  • Restrict all third-party accounts to only allow access to systems and networks required.
  • Disable all accounts within the environment upon termination of third-party relationship.

In the enterprise application development world, Jerbi sees many companies being caught off guard by third-party use of emerging technologies such as virtual containers. If a company is using containerized applications from a third party, that application should be vetted for container-specific security risks such as vulnerabilities in container images, hard–coded secrets and configuration flaws.

Baker said there are plenty of best practices to look for when choosing a vendor: how transparent is their security? Do they have third-party security testing? Do they share the results of that testing? “In the end, choosing a secure vendor alone won’t necessarily prevent another Target, but it will prevent the third-party firms you work with from being the weak link,” he said.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Public Cloud, Security

Tagged ,

PlayStation suffers social media hack, possible data breach

Posted on August 23, 2017 | Leave a comment

PlayStation’s official social media accounts have been temporarily exposed, with the gaming company’s Twitter account showing messages from a hacking group who claim responsibility.

Screenshots of the tweets, posted on the morning of Monday 21 August, suggest that PlayStation Network databases were leaked, but this has neither been confirmed or denied by Sony.

The tweets have now been deleted by PlayStation, which quickly took back control of its social media. The messages, which allegedly came from a hacking group known as OurMine, directed readers to the group’s contact web page and called for PlayStation employees to get in touch.

The group pledges not to share the leaks, stating that it is a security organization.

OurMine is a security hacker group based in Saudi Arabia. According to its website, it is a White Hat group that looks to help companies protect their security by exposing vulnerabilities.

Its website states that the group can ‘help you secure your network, show you all available vulnerabilities, and fix them all.’ It also notes that it has the capability to crack anything from a social media account to an entire network.

While the only confirmed security breach so far has been on PlayStation’s social media accounts, the tweeted threat that database information has also been leaked is likely to worry Sony and its customer base.

It is not the first time that Playstation has suffered a breach. The gaming giant suffered a leak in 2011, in which personal details from 77 million accounts were compromised and caused Sony to turn off the Playstation Network for 23 days.

Following the breach, Sony faced criticism over the way it handled the leak and was slow to warn users.

Another high-profile entertainment breach was under the spotlight recently which saw HBO suffer an attack and the loss of 1.5 terabytes of data, including a script for hit show Game of Thrones.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Hackers are aggressively targeting law firms’ data

Posted on August 3, 2017 | Leave a comment

Behind every splashy headline is a legal industry that’s duking it out – helping to support entrepreneurs and big corporations in a power struggle to dominate their industry. From patent disputes to employment contracts, law firms have a lot of exposure to sensitive information.  Because of their involvement, confidential information is stored on the enterprise systems that law firms use.

This makes them a juicy target for hackers that want to steal consumer information and corporate intelligence.

For an example of this, look no further than the Panama Papers – “…an unprecedented leak of 11.5m files from the database of the world’s fourth biggest offshore law firm, Mossack Fonseca.”

This was devastating, but it is only one example among many. Just a few weeks ago news broke that a ransomware attack was successfully executed against yet another multinational firm – DLA Piper. This ransomware attack left the firm, with estimated revenues of $2.5 billion, completely without access to its own data.

“Law firms are the subject of targeted attacks for one simple reason,” says John Sweeney, President of LogicForce. “Their servers hold incredibly valuable information. That includes businesses’ IP, medical records, bank information, even government secrets. For hackers looking for information they can monetize, there is no better place to start.”

These headlines, buried among the others, make it clear that the legal industry is facing an unprecedented cyber-security challenge. And solving this problem starts with helping firms realize they’ve been victims.

40% of firms did not know they were breached in 2016

The Law Firm Cybersecurity Scorecard includes an array of assessments – from cyber defenses, crisis management procedures, and post-hack responses. The report comes to a chilling conclusion: “…40% of surveyed law firms had experienced a data breach in 2016 and did not know about it.”

Part of the challenge is the skyrocketing cost of cybersecurity. Hiring an in-house team simply isn’t feasible for most firms. Instead they rely on consumer-grade technology that is ill-equipped for the threats they are facing.

The solution, as we’ve seen in many industries, is to outsource cybersecurity to trusted firms that can offer heavy-hitting, managed solutions at an affordable rate. SaaS (Software as a Service) is long overdue in this space, and thankfully it’s becoming more and more available.

An evolving threat matrix

Real-time industry expertise is an important part of the solution – something software alone can’t handle.

Today’s hackers hold a strategic advantage because of the growing numbers of devices and associated vulnerabilities. Every access point is a potential breach. A knowledgeable, sophisticated team can create security solutions specially crafted to meet the challenges that law firms face.

One of the greatest challenges in modern security is the Internet of Things (IoT). Everything from the appliances in the breakroom to the smartphones in the pockets of employees create dynamic networks – communicating information in a way that opens up opportunities to hackers.

The threat goes beyond teams. An individual attorney uses a plethora of electronic devices, all networked together to provide a more streamlined work environment. And human intelligence, served up to hackers through social media, only makes targeted cyber-attacks easier.

Preparing for data breaches

There are things attorneys and other legal professionals can do to start upping their defenses.

  1. The American Bar Association has published a comprehensive guide for law firms – including both methods for preventing and responding to cyber-attacks.
  2. Firm managers need to create a data security plan that speaks to every member of their team. Educate employees on strategies for identifying phishing attacks and other dangerous threats aimed at fooling people into compromising networks.
  3. Engage outside IT security experts and have risk assessments completed on a regular basis. If you can identify vulnerabilities, you can put a plan in place to minimize or eliminate them.
  4. Communicate and enforce a password policy that limits access and requires authorized users to regularly change their credentials.
  5. Conduct a weekly check for patches or other updates to computer security software.
  6. Develop a comprehensive breach response plan. After you’ve been hacked, it will be too late to develop a competent response that protects the Firm’s reputation.

It’s my hope that companies will wake up to the realities of cyberthreats.  I’ve witnessed the horrible pain and anguish that comes from the breach of an unprepared company. If you understand the threat, and then use honest assessment to develop improvements and response plans, you will find that operating in the digital age doesn’t have to be a nightmare.

 

 

Leave a comment

Posted in Cyber Security, Data Breach, Forensic, Hacking, Security

Tagged , , ,

HBO Says It Was Hacked, Some Programming Stolen

Posted on August 1, 2017 | Leave a comment

Hackers claim to have stolen information related to HBO’s Game of Thrones, allegedly including written material from an upcoming episode. HBO has confirmed a hack occurred, but not what information was acquired. Here, Samwell Tarly (John Bradley) sits with some written material of his own. Helen Sloan/courtesy of HBO

HBO says it has been hacked, and that the perpetrators have acquired some programming.

The premium cable channel won’t confirm what materials were acquired in the cyber breach. But the alleged perpetrators claim to have acquired text related to the popular — and famously spoiler-plagued — Game of Thrones.

“Hackers claimed to have obtained 1.5 terabytes of data from the company. So far, an upcoming episode of Ballers and Room 104 have apparently been put online. There is also written material that’s allegedly from next week’s fourth episode of Game of Thrones. More is promised to be ‘coming soon.’ ”

It’s not clear if the hackers do actually have any Game of Thrones material.

NPR’s Eric Deggans reports:
” HBO is so secretive about spoilers involving its hit series Game of Thrones, journalists weren’t even given advance copies of new episodes before the new season began July 16.

“Now HBO has acknowledged that a ‘cyber incident’ resulted in stolen proprietary information, including some programming. … HBO says it is working with law enforcement and cybersecurity firms to investigate the breach.”

HBO has had material prematurely leaked online — including screeners, clips from overseas distributors and a Game of Thrones trailer.  But none of those incidents involved hacking.

“Hacking Hollywood can have significant repercussions,” The Associated Press notes. “Sony struggled in the aftermath of its huge hack in 2014, which leaked employee emails as well as films.”

 

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Casino hacked through fish tanks private officer

Posted on July 25, 2017 | Leave a comment

Most people know about phishing — but one casino recently learned about the dangers of actual fish tanks.

Hackers attempted to steal data from a North American casino through a fish tank connected to the internet, according to a report from security firm Darktrace.

Despite extra security precautions set up on the fish tank, hackers still managed to compromise the tank to send data to a device in Finland before the threat was discovered and stopped.

“Someone used the fish tank to get into the network, and once they were in the fish tank, they scanned and found other vulnerabilities and moved laterally to other places in the network,” Justin Fier, director for cyber intelligence and analysis at Darktrace, explained to CNN Tech.

As internet-connected gadgets and appliances become more common, there are more ways for bad guys to gain access to networks and take advantage of insecure devices. The fish tank, for instance, was connected to the internet to automatically feed the fish and keep their environment comfortable — but it became a weak link in a the casino’s security.

The unnamed casino’s rogue fish tank is one of nine unusual threats that Darktrace identified on corporate networks published in a report Thursday.

The report cites examples compiled from Darktrace’s threat detection technology. Darktrace makes security technology that sits on a company’s network and monitors the activity taking place. That could be anything from data transferred between computers or actions taken by a connected coffee maker.

When the technology notices an anomaly — like a device that doesn’t belong or data being sent somewhere it shouldn’t — it alerts the company’s security team.

In another example of an unusual attack, smart drawing pads connected to insecure wifi were used to send data to websites around the world in what’s called a “denial of service” attack. A hacker had scanned the internet looking for vulnerable devices, and exploited them to try and flood other websites with too much traffic.

We’ve seen cybercriminals leverage connected devices for destructive purposes before.

Last year, the Mirai botnet took control of smart home devices, like security cameras, all over the world, effectively turning them into zombie machines directing web traffic to take down popular websites like Netflix and Twitter.

Fier, a former U.S. intelligence contractor, says he anticipates threats coming from more unexpected places. Phishing emails will be one way hackers can get onto systems. But things like insecure fish tanks connected to the internet will be another.

“In the current cyber climate with political and corporate espionage, I think you’re going to start to see attackers, whether nationstate or criminal, having to get more creative in their attack vectors,” Fier said.

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged ,

Travel Giant Sabre Confirms Its Reservation System Was Hacked

Posted on July 6, 2017 | Leave a comment

Just two months ago, the Sabre Corporation announced that it had hired security firm Mandiant to investigate a possible hacking incident. Now the company has publicly announced the results of that investigation. An unauthorized third party breached Sabre systems and was able to access customer payment data.

That’s not great news, considering the Texas-based company processes reservations for around 100,000 hotels and more than 70 airlines worldwide to the tune of $120 billion. If there is a silver lining, it’s that Sabre says that only the Sabre Hospitality System — which handles bookings for hotels from both consumers and travel agents — data was compromised. A company spokesperson also confirmed to me that “less than 15 percent of the average daily bookings on the SHS reservation system were viewed” while the attackers had access.

An Intercontinental hotel in New York City.

It’s still a very significant breach, especially since both payment card information and reservation details were accessed. In some cases, that included the customer’s name, email address, phone number, and address.

Like most industries, the travel sector has had to deal with a steady rise in cyber attacks in recent years. In 2016, InterContinental Hotels Group reported that more than 1,000 of its properties had been hit with “malicious software designed to siphon customer debit and credit card data,” according to security expert Brian Krebs. Earlier in the year, HEI Hotels & Resorts reported a similar incident at some of its Hyatt, Marriott, Sheraton, and Westin locations.

On June 6, once Mandiant had concluded its investigation, Sabre began notifying payment card providers, partners, and customers. The company says that it “has enhanced the security around its access credentials and the monitoring of system activity to further detect and prevent unauthorized access.” Sabre has also set up a call center to handle inquiries about the breach.

 

Leave a comment

Posted in Cyber Security, Hacking, Security

Tagged , ,

Network Safety: Experts Weigh In

Posted on July 5, 2017 | 1 comment

If you missed our Cybersecurity Session “Cybersecurity for CEO’s- The Game Has Changed” at The NAA Education Conference, no worries. Our friends at Multi-Housing News have published a great article for you. Special thanks to Sanyu Kyeyune for attending our session and writing the article.

At NAA’s recent conference in Atlanta, panelists shared best practices for keeping vital network information safe from attack.

The panel included Chad Hunt, supervisory special agent with the FBI; Dave McKenna, CEO of ResMan; Frank Santini, cybersecurity attorney of Trenam Law; Jeremy Rasmussen, cybersecurity director of Abacode; and Michael Reese, Chief Information Officer of USA Properties Fund, who moderated the session.

Reese opened the talk by underscoring the commercial real estate industry’s vulnerability to cyber-attacks: “Real estate sits on a goldmine of information, including intellectual property, personally identifiable information—things hackers want to go after.”

Understand Data Value

The cost of stolen information for a single customer can fetch $10-20 on the dark net, but the liability to an organization is $158 or more. This greater figure reflects the cost to recover data, the value of this information to competitors and regulatory fines incurred. Multiply this number by 50,000 customers and the cost amounts to $7.9 million—enough to put some property management firms out of business.

C-suite leaders that understand the total costs of cybersecurity are in better shape to manage a firm’s cyber health. “As a leader, you can’t be afraid to raise the red flag. It’s your responsibility to defend your company and your partners.”

Crafting a risk-based approach helps companies decide on what to defend and how much to spend. This plan should include a guide for CEOs interacting with the media and attorneys working with incident response companies. “There is always a tradeoff between usability and security. That’s why you need to engage with a firm that can bake security into a product from chip to the enterprise level,” Rasmussen warned. “Don’t try to bolt it on at the end.”

Improve Network Visibility

Once the value of data has been quantified, the next step to addressing a company’s cyber health is to ask how secure networks currently are, because on average, noted Rasmussen, by the time a threat has been identified, it has been active for up to 270 days.

A majority of clients lack visibility into their own networks,” Rasmussen explained. “In today’s world, it’s not a matter of if, it’s when. And not only that, but, are they already in?

One of the most common software attacks uses ransomware, which encrypts files—effectively eliminating access to important data—and threatens to delete or publish them until the victim pays an agreed-upon sum. However, organization that already has solid system backups in place can combat ransomware by reverting back to previously stored versions. Along with ransomware, phishing attempts, social engineering, attacks on crucial infrastructure, financial fraud and “zero-day” vulnerability (a hole in security unknown to the vendor, typically identified and exploited by hackers over a short time frame) have emerged as some of the most damaging cybersecurity threats.

For some organizations, the expenses associated with downtime and productivity could be crippling. Therefore, advised McKenna, it is crucial to be proactive ahead of time, rather than after a threat has surfaced, to mitigate the cost of recovering from a cyber-attack. “It still comes down to your people not being victims,” he said. “The technology won’t do it all for you.”

According to Hunt, email is the most common point of entry for a cyber-attacker. Because emailing and phone calls already poke holes into a security system, organizations must be vigilant in managing these activities to avoid a breach. One way to do this is by focusing security training on individuals with elevated privileges, such as system administrators and C-suite users, which are hot targets for hackers.

Know Who to Call

An order of operations might be to call your IT people to stop and contain the threat, contact your attorney to find out what the legal implications are around reporting, call your public relations firm to control the event in the media and then to contact law enforcement,” Rasmussen offered.

Company leadership should also rally IT teams to mandate routine password changes for all users and to require people to upgrade software instead of patching outdated platforms. It is also crucial to keep a list of key personnel to contact when an infiltration occurs. “Locally, the FBI is a good place to start, but you can also call the Secret Service in your area,” Hunt advised. “In either case, develop this personal relationship ahead of time, as local law enforcement has little authority at a corporate level.

He also suggested that if a particular individual within an organization becomes the victim of a cyber-attack, then this person should file a police report to avoid being implicated as a perpetrator. When interacting with local authorities, Hunt added, it is most effective to do so in a controlled, documented manner.

Thirteen years ago, there was much less information-sharing with law enforcement, but now it’s more of a two-way street,” Hunt explained. “The FBI can gather information without necessarily having to open a federal investigation.

Santini encouraged leadership to secure a forensic investigator that will supervise the handling of evidence and assist in documentation—actions that can be helpful in the event of legal repercussions—and to ensure that attorney-client privilege keeps these interactions private.

Rally Vendors

Another important questions that C-suite leaders need to ask themselves is, “What are your partners and their partners doing to ensure cyber safety?

McKenna emphasized that having a conversation with vendors and suppliers will help reinforce the company priorities, identify the degree of protection already in place and define a plan for handling an intrusion in the future. “You need to know if your vendor will indemnify you for the cost of a breach, if there is a mutual indemnification clause and what level of insurance the vendor requires of its partners,” Santini encouraged. “Make sure you have written agreements with your cloud provider and other suppliers, and negotiate these terms with the help of a lawyer.

Ultimately, it is up to C-level employees to develop vendor relationships, rather than making cybersecurity a grassroots effort led by an IT department. “There needs to be a separation of duties, just like how a company might hire one accounting team for auditing and another for taxes,” said Rasmussen. “Cybersecurity should be handled the same way.

Prioritize Efforts

The panel discussion concluded with a punch list of items to help C-level leaders put a cybersecurity plan into action. Here are some key features:

  • Detection using 24/7 monitoring and incident response to gain immediate feedback on the effect of a network security initiative
  • Implementation of organizational policy/procedures, which requires a cultural shift and buy-in from all members of an organization
  • Add-in of other annual assessments, such as penetration testing, phishing, etc., to improve visibility into a network
  • Engagement of IT teams to support continuous improvement and governance
  • Understanding of “zero-day” threats
  • Encouraging collaboration across all stakeholders

 

 

 

 

 

1 Comment

Posted in Cyber Security, Data Breach, Hacking, Security, Technology

Tagged ,

Latest Ransomware Hackers Didn’t Make WannaCry’s Mistakes: PETYA

Posted on June 28, 2017 | Leave a comment

PETYA RANSOMWARE

The latest sweeping ransomware assault bares some similarity to the WannaCry crisis that struck seven weeks ago. Both spread quickly, and both hit high-profile targets like large multinational companies and critical infrastructure providers. But while WannaCry’s many design flaws caused it to flame out after a few days, this latest ransomware threat doesn’t make the same mistakes.

Originally identified as Petya, a ransomware that first started circulating in 2016, the current attack now appears to be a Petya offshoot, with added refinements such as stronger encryption. Some researchers call this new iteration “NotPetya” or “GoldenEye,” while others still refer to it as Petya. Regardless of the name, it has already hit 2,000 targets, seizing the systems of high-profile victims like Danish shipping giant Maersk, US pharmaceutical company Merck, and multiple private and public institutions in Ukraine.

And while it owes its rapid spread in part to EternalBlue, the same stolen NSA exploit WannaCry leveraged, it lacks several of the traits that made WannaCry—which turned out to be an unfinished North Korean project gone awry—easier to stop.

WannaBreak

“The quality of the code improves from iteration to iteration—this GoldenEye ransomware is pretty solid,” says Bogdan Botezatu, a researcher at the security firm Bitdefender. “We don’t get to catch a break.”

The most important WannaCry pitfall that this current round sidesteps? A kill switch that allowed researchers to neuter the ransomware around the world and drastically reduce the spread. The mechanism was a low-quality, possibly unfinished feature meant to help the ransomware avoid analysis. It backfired spectacularly. So far, GoldenEye shows no signs of containing such a glaring error.

Additionally, WannaCry spread between networks across the internet like a worm, relying almost entirely on EternalBlue to get in and hitting systems that hadn’t yet downloaded Microsoft’s patch for that vulnerability. This new ransomware also targets devices that somehow still aren’t secured against EternalBlue, but can deploy other infection options as well. For example, the attackers seem to be spreading the ransomware through the software update feature of a Ukrainian program called MeDoc, and possibly through Microsoft Word documents laced with malicious macros.

Along with exploiting EternalBlue to gain access when possible, the ransomware can also leverage an additional Shadow Brokers-leaked NSA exploit known as EternalRomance (patched by Microsoft in March) for  remote access. And some researchers have also found unconfirmed evidence that the ransomware may take advantage of yet another tool published by the ShadowBrokers, known as EsteemAudit, that specifically targets computers running Windows XP and Windows Server 2003. Microsoft patched that vulnerability two weeks ago as part of its unprecedented effort to secure its old, unsupported operating systems against leaked NSA exploits.

Once inside the network, the ransomware steals administrative credentials, giving it control over powerful system management tools like Windows PsExec and Windows Management Instrumentation.

“If a system with enough administrative privileges is compromised, it will simply instruct all other PCs it has access to run the malware as well,” says Fabian Wosar, a security researcher at the defense firm Emsisoft, which specializes in malware and ransomware. “That is why a lot of system administrators are freaking out right now.”

Smarts, Not Scale

Because GoldenEye appears to take a more targeted approach to infection, rather than barreling around the internet, it has so far resulted in fewer infections: it has affected 2,000 targets versus the hundreds of thousands that WannaCry hit. But don’t read that as a weakness necessarily. WannaCry’s ability to spread over the internet led to out-of-control infections, and its creators were ill-equipped to handle that volume of potential payments.

In fact, WannaCry hackers proved incapable of tracking payments whatsoever. Attackers had victims send ransoms to one of four set bitcoin addresses, instead of assigning each target a unique address. This made incoming payments difficult to track, and left it to the criminals to figure out which victims (among hundreds of thousands) had paid and should be sent a decryption key.

Payment happens to be GoldenEye’s current weakness as well, though not due to WannaCry-level incompetence. It relies on manual payment validation, meaning that when victims pay the ransom they must email proof of payment to an email address, after which hackers send a decryption key. Not only does a manual system make it harder for attackers to get paid, it can reduce victim faith that paying the ransom will result in decryption.

Also? The hackers’ email provider, Posteo, pulled the plug on their account, making payment confirmation pretty much impossible.

No Easy Fix

This latest round of ransomware appears to be here to stay. The diversity of delivery options means that no single patch can necessarily provide complete protection against it. Still, administrators can take some steps to protect their systems. Analysts agree that while patches don’t solve everything in this situation, they are still crucially important and do offer real defense. “Very, very important to patch,” says MalwareHunter, a researcher with the MalwareHunterTeam analysis group.

Researchers also note that the ransomware runs on boot, meaning that if you can disrupt a system before Windows boots, or if you encounter a “Check Disk” message, you can avoid having your files encrypted by quickly powering down.

Additionally, for the current variant of ransomware, administrators can stop the spread within a network from the Windows Management Instrumentation by blocking the file C:\Windows\perfc.dat from running.

“The problem is, patching is only one method of defense,” says David Kennedy, CEO of threat detection firm Binary Defense. “Credential harvesting and using that for lateral movement was the big impact in this situation.”

All of which provides cold comfort for those already impacted. And based on how many companies ignored the EternalBlue patch, even after the WannaCry threat, it may not end up slowing down the current outbreak at all.

First place to start make sure your systems have the latest patches and updates !!!

Leave a comment

Posted in Cyber Security, Encryption, Hacking, Security

Tagged , ,

CoPilot settles with New York AG for delaying breach notification for over one year

Posted on June 19, 2017 | Leave a comment

This is only the beginning of what will happen in the future.

It took over a year to notify 220,000 individuals of a breach to its website. HHS is determining if it’s a HIPAA-covered business associate.

CoPilot Provider Services has settled with New York for $130,000 in penalties for waiting more than a year to notify its customers of a breach to the company’s website, NY Attorney General Eric Schneiderman announced Thursday.

The attorney general determined the healthcare administrative services and IT provider violated general business law, in its delayed breach notification to its 221,178 customers. CoPilot agreed to the monetary settlement and to reform its notification and legal compliance program.

The breach occurred in October 2015, when an unauthorized individual accessed confidential patient reimbursement data through the administration site. The hacker downloaded data that included names, birthdates, addresses, phone numbers and medical insurance card details.

However, CoPilot waited until January 2017 to begin formally notifying its customers of the breach.

The FBI began investigating the incident in February at CoPilot’s request, focusing on a former employee they believed was responsible.

CoPilot blamed the breach notification delay on the FBI investigation, but law enforcement didn’t say that customer notification would hinder the ongoing investigation and didn’t instruct CoPilot to delay. General business law instructs that companies must provide timely breach notification.

The Department of Health and Human Services is still looking into whether CoPilot is considered a covered business associate under HIPAA.

Thursday’s agreement also states that CoPilot will comply with New York’s consumer protection and data security laws.

“Healthcare services providers have a duty to protect patient records as securely as possible and to provide notice when a breach occurs,” said Schneiderman in a statement. “Waiting over a year to provide notice is unacceptable. My office will continue to hold businesses accountable to their responsibility to protect customers’ private information.”

Leave a comment

Posted in Cyber Security, Data Breach, Hacking, Security

Tagged , ,

Data security – should you care?

Posted on June 15, 2017 | Leave a comment

Daily there are new articles that talk about data breaches, cyber attacks, ransom ware, etc. We all panic when our networks are down for routine maintenance – “I don’t have anything to do!” Imagine a world where everything is driven by data and machines?

Today a data breach can be uncomfortable – personal information is shared with the wrong people. However, in years to come a data breach can mean the difference between life and death. Imagine cruising down the freeway in your autonomous driving car and the system is hacked and your car stops abruptly, but other cars do not. Imagine being on the operating table and having a robot operating on you, the system is breached and instead of taking out your appendix the bad guys makes it remove your spleen or worse – kill you.

In the years to come we all need to get a lot more educated about data security and how to avoid breaches. This applies in both our personal and professional lives. We need to ask questions of organizations we provide data to and consume data from – how well are they performing and how vested are they in keeping us safe.

Data security needs to move into mainstream conversations and be an integral part of any security initiative.

Leave a comment

Posted in Big Data, Cyber Security, Security

Tagged ,