Archives for August 2015

Exploring the Cybersphere: August

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

Many takeaways this month from articles that further our understanding of cybersecurity concerns and issues starting with:

Who’s afraid of the Dark (Web)?

Applying Threat Intelligence and What is the Dark Web?
CSO Online
… With regard to the Dark Web, we learn how it came about with the help of US intelligence agencies, the difference between the Dark Web and the Deep Web, the initial roles to support dissidents, how the dark side developed, legitimate uses, and how threat intelligence can infiltrate the Dark Web to improve intelligence programs. The discussion of threat intelligence includes the application of threat intelligence in a corporate environment …

And excuse me, but is your hat white or black? —

At what point do white hat hackers cross the ethical line?
CSO
In recent months the news of Chris Roberts’ alleged hacking of an in-flight entertainment system and possibly other parts of the Boeing 737 have sparked a wave of controversy. Public opinion was originally on Roberts’ side, but the recent publication of the FBI affidavit changed that drastically. According to the affidavit, Roberts admitted to doing a live “pen-test” of a plane network in mid-air…

Speaking of being in the dark

Business Resilience Lacking in Most Firms, Finds Accenture
Computer Weekly
Most firms are failing to build business resilience in the face of an increasing onslaught of cyber attacks, a survey by IT services firm Accenture has revealed. Nearly two-thirds of C-suite executives polled said cyber attacks occur daily or weekly, yet only a quarter said…

You, and You, and You, Could be the Weakest Link
#CyberTuesday
In the world of cybersecurity, there is a technique called social engineering which aims to find the weakest link in a company’s defense. The basic premise is that it’s easier to exploit weaknesses in people than technology, although, as we’ve seen, both are eminently doable. Social engineering commonly is referred to as hacking humans–relying on human propensity to trust other people.

A crack in the foundation lets in some light

Criminal Charges Filed in Massive Alleged Cyber Insider Trading Ring
Forbes
Federal authorities announced criminal charges against a massive alleged insider trading ring that reaped tens of millions of dollars in illicit profits by gaining unauthorized access to – and subsequently trading on – news releases announcing various mergers and acquisitions in numerous industries. The case, which is thought to be the largest of its kind brought to date, may herald a previously-unseen era of hackers seeking to profit off their efforts by coordinating with unscrupulous traders.

And the wattage grows

Companies hope cybersecurity experts in the boardroom can counter hacks
Los Angeles Times
The board of directors at construction and engineering company Parsons Corp. needed to fill a seat two years ago. Naturally, they wanted someone with communication and leadership skills. They also needed someone new: an expert to help them battle computer hackers, cyberthieves, electronic spies, digital vandals and anybody else out to wreak havoc in a connected world.

US allies pledge to fight ISIS in cyberspace
The Hill
Pledging to fight criminals and terrorists in cyberspace with the U.S., two American allies are strengthening their own ties. India and the United Arab Emirates (UAE) this week issued a joint statement vowing to cooperate on bolstering their cyber skills in a region under a growing threat of terrorism from the Islamic State in Iraq and Syria (ISIS)…

The government had its hands full this month

Chinese Spies Targeting Personal Emails of Top Obama Admin Officials: NSA Leak
Washington Times
The personal email accounts of several high-ranking White House officials have been directly targeted by Chinese cyberspies — and some are still actively under attack, according to U.S. intelligence reports. NBC News obtained a classified document from an internal National Security Agency presentation given…

IRS Says Breach of Taxpayer Data Far More Widespread Than It First Thought: 610,000 Taxpayers at Risk
The Washington Post
An attack by hackers who stole sensitive personal information from thousands of taxpayers was far more widespread than the Internal Revenue Service first disclosed, officials said Monday as they released new estimates that 610,000 Americans were affected. The revelation more than doubles the number of estimated victims…

15,000 government emails revealed in Ashley Madison leak
The Hill
Thousands of clients using the affair-oriented Ashley Madison website listed email addresses registered to the White House, top federal agencies and military branches, a data dump by hackers revealed. The detailed data, released Tuesday, will likely put Washington, D.C., on edge. The nation’s capital reportedly has the highest rate of membership for the site of any city…

But couldn’t come to a decision on countermeasures —

Senate Punts Cyber Bill after Reaching Deal on Amendments
The Hill
Senators are punting a major cybersecurity bill to at least September after reaching an agreement Wednesday afternoon lining up the initial amendments to be offered. The Cybersecurity Information Sharing Act (CISA), which facilitates the exchange of cyber threat information between companies and the government…

Presidential candidates offered a lot of opinions on cybersecurity

In GOP Debate, Cyber Security is the New National Security
Wired
Defense is a perennial topic in any presidential election season. But during the first Republican debate in Cleveland tonight, the candidates fought not about increasing the number of troops and tanks on the ground, but about how to enhance the country’s cyber security…

That drew some opinion on their opinions —

Let’s School the Presidential hopefuls on Cybersecurity
Wired
In the build up to the 2016 US election, both Democratic and Republican presidential hopefuls are talking about cybersecurity—and specifically state-sponsored hacks. Cybersecurity is the hot-button national security issue on the campaign trail…

And federal contractors got a whiff of what may lie ahead

OMB Weighs In on Cybersecurity: Office of Management and Budget
National Law Review
In the wake of data breaches in the private sector of Target and Sony and the colossal data breaches in the Office of Personnel and Management resulting in the theft of personnel records of more than 21.5 million federal employees and contractors, the Office of Management and Budget (OMB) issued draft guidance on Tuesday to strengthen cybersecurity protections in federal acquisitions…

“The Diplomat” played a card on the China syndrome —

Cyber Attacks: Why Retaliating Against China Is the Wrong Reaction
The Diplomat
The Office of Personnel Management breach – the worst in U.S. history – is a graphic testament to the White House’s ongoing inability to identify and secure its most critical data. In this case, it lost control of incredibly sensitive and detailed information on federal employees in a breach for which China is the “leading suspect,” according to CIA chief James Clapper…

And executives shout out

6 Observations About Cybersecurity Based on Two New Surveys
Forbes.com
Cybersecurity incidents and attacks have become almost daily news, and two new surveys give voice to the executives and cybersecurity professionals struggling to defend their organizations.

Get shouted at —

Consumers May Be the Big Losers When Companies Hide Cybersecurity Problems
The Washington Post
A group of security researchers were prepping for a major reveal in 2013: They planned to disclose at a D.C. cybersecurity conference how a security flaw in luxury vehicles could let bad guys break in without keys and start the cars. But Volkswagen stopped them, winning an injunction in a British court after arguing that publishing a paper…

And hear there’s comfort in numbers

Sisense CEO on Improving Cybersecurity by Applying Big Data Analytics
Forbes
Cybersecurity and big data analytics are two sets of technologies that are frequently mentioned by CEOs and CIOs as top investment priorities. But what about marrying the two? Many organizations are not yet there. For example, a recent survey of government cybersecurity professionals found that 86 percent of respondents believe big data analytics could help improve cybersecurity, but only 28 percent are currently fully leveraging big data for security purposes…

____________________

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

You can view previous blog posts on cyber risk management here.

August 25, 2015


Cybersecurity…Fight Index?

In our never ending search for good news on the cybersecurity front we ran across this report from the Index of Cybersecurity, which surveys the sentiments of security professionals about the current state of cybersecurity. It comes as no surprise that the report suggests perceptions about security issues are “worsening across the board.”

One of the more interesting findings was that survey respondents identified media and public perception as the fastest growing risk. In all likelihood, that reflects both the unending stream of stories recounting the latest cyber attack as well as the very high profile attack on OPM which dominated headlines and reinforced the belief that China is aggressively attacking the United States and is doing so with a sense of relative impunity. Phishing and social engineering trailed closely behind in the sense of rising threats category, and those threats are also part of the fabric of much of the reporting on the OPM breach and other recent attacks.

It appears there is mounting frustration over the sense that much of the US economy is being treated as a cyber piñata, continually being whacked until its data treasures are spilled. There is a growing chorus of voices urging the United States to act in a way which demonstrates that it is unwilling to accept attacks by foreign governments of a certain magnitude, and will retaliate forcefully. We can expect this consideration to become a more dominant part of American political discourse when Congress returns, and to spill over into the presidential campaign messaging. Stay tuned.

____________________

By Tom Davis, SDI Cyber Risk Practice


August 18, 2015

Rising Cyber Tide Soaks All Boats

Although there are suggestions the idiom “we are all in the same boat” is a reference to the sinking of the Titanic in 1912, it actually was first used by the ancient Greeks when speaking about the risks that passengers in a small boat at sea had to share. The phrase certainly has stood the test of time, and aptly and accurately captures the cyber plagued world of today. For example, the Chinese, widely viewed in this country as a leading cyber provocateur, are working hard to shore up their cyber defenses. As recently reported in the Wall Street Journal, “The Chinese have gotten increasingly worried that they do not have the right kind of regulations, protections and responses in place,” said Adam Segal, a China and cybersecurity scholar at the Council on Foreign Relations in New York. “There is a real sense that there needed to be some type of regulatory response to potential attacks.”

Are the Chinese right to be worried? In a word, yes. China is generally perceived to be highly vulnerable to a cyber attack. While the recent spate of attacks on US interests that are being laid on China’s doorstep suggest the Chinese government should be apprehensive about an attack orchestrated by the United States to deter further aggression, the truth is China could be attacked by any number of sources. Interestingly, earlier this year China sought to reduce its list of potential adversaries by signing a mutual non-aggression pact with Russia. Under the pact, the two countries agreed not to hack each other, presumably dedicating their efforts elsewhere. Whether that pact will hold water over time is a somewhat dubious proposition.

And what of Russia, another source of continuing cyber attacks around the world? Russia Today recently reported that “A hacking group has sent an open letter to the head of military counterintelligence at the Russia’s Federal Security Service (FSB) to complain about Defense Ministry staff allegedly sidestepping the corporate email system to share top secret information, using public services instead.” The hackers said the stolen data was for sale, and kindly offered to sell it back to Russian military counterintelligence at a deep discount. Russia clearly has formidable capabilities in the cyber world, but it too has significant vulnerabilities.

We could continue the trip around the world, and doing so would reveal that every nation is vulnerable. Iran, another nation seen as a leading practitioner of cyber mischief, was victimized by the stuxnet virus. European nations fret they may be a decade behind in the cyber race to who knows where. There may be small solace in knowing that we are all in a very leaky boat. But that recognition may at least temper some behavior, and serve the greater good.

____________________

By Tom Davis, SDI Cyber Risk Practice


August 11, 2015

You, and You, and You, Could Be the Weakest Link.

“There is no patch for humans.”
– Christopher Hadnagy

In August of 2000 a game show named the Weakest Link debuted on BBC. It went on to inspire similar programs in dozens of countries. One of the key concepts involved participants voting to eliminate the contestant who was the weakest player. The unfortunate person was called in by the host with the memorable phrase, “You are the weakest link,” a modern reference to the old bromide about the weakest link in the chain.

In the world of cybersecurity, there is a technique called social engineering which aims to find the weakest link in a company’s defense. The basic premise is that it’s easier to exploit weaknesses in people than technology, although, as we’ve seen, both are eminently doable. Social engineering commonly is referred to as hacking humans–relying on human propensity to trust other people.

How easy is it to compromise security through social engineering? Allow me to introduce you to The Social Engineering Capture the Flag contest, an event created by Christopher J. Hadnagy in 2009 to demonstrate how social engineering poses a threat to corporate security. The contest takes place at Defcon, an unusual security conference that attracts good guys, including representatives from virtually every federal law enforcement agency, not so good guys, and likely, bad guys there to learn what can be used to expand their arsenal.

Here’s the way the capture the flag contest works: Each contestant team gets a Fortune 500 company as its target, and is given a list of sensitive information that they are to discover during a live phone call. Each piece of information is a flag, hence the name.

Reporting on the contest, Patrick Howell O’Neill discussed a successful attempt to penetrate Home Depot, writing that the hackers:

“… quickly eked out important technical details about how Home Depot’s computer systems work, as well as loads of other security information—when employees go on break, if keys or cards are used to open locked doors, and how often people get paid—that leave Home Depot vulnerable to a wide range of attacks in both cyberspace and the real world. For 10 minutes, they sweet-talked Sharon and used her as a lever to learn more about Home Depot’s security, or in this case, the lack thereof.

The Schmoozers, a team who hadn’t even met prior to competing, were polite but forceful. They never asked if it was OK to take up Sharon’s time, but just did it, projecting an air of authority that carried them very far, very fast.

Sharon gave up a slew of information: the exact computer models Home Depot used, the software run on them, and the fact that the computers have virtually no malware protection.”

The attack demonstrated the validity of Hadnagy’s belief that social engineering is the single biggest threat corporations face. Dealing with that reality requires continuing education and dedication to creating awareness and sensitivity throughout the workforce. For more information about social engineering and methods to combat it, read here and here.

____________________

By Tom Davis, SDI Cyber Risk Practice


August 4, 2015
