Archives for March 2016

Exploring the Cybersphere - March 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

There are many takeaways this month from articles that further our understanding of cybersecurity concerns and issues, starting with:

Working on the inside game

The Most Dangerous Insider Cybersecurity Threat – And Five Steps to Conquer It
CSM
If you haven’t dealt with the threat of malicious insiders, you really haven’t figured out how to deal with internal threats to your cybersecurity program. Here’s what I mean. There are three faces of cybersecurity threats from within one’s own organization. Read more: Five steps to develop a successful insider threat program

No Place for TOR in the Secured Workplace
DarkReading
When it comes to corporate security, anonymity does not necessarily ensure protection of one’s private information – nor that of your employer. When does an employee cross the line from taking steps to increase their personal privacy to sacrificing the security of their company and/or their clients? It’s a blurry distinction, but an important one for organizations to be aware of while working to secure their systems. Expectations of privacy vary from person to person, but corporate devices are always under scrutiny. Due to company mandates for mobile software management on corporate laptops and phones, employees have become more creative when it comes to concealing their activities and accessing content that is likely unfit for the workplace. They are increasingly using tools to bypass corporate firewalls to operate anonymously.

This just in…protecting critical infrastructure is, well, critical

Protecting Critical Electric Infrastructure from Today’s Cyber Threats
CSM
A day doesn’t go by without headlines in the press about new cyber threats facing our nation or our allies overseas. It is no secret that the focus of many of these threats is critical infrastructure such as our electric grid, which is essential to the life, health, safety, and economic security of all Americans. The men and women of the electric utility industry take their charge to protect the electric grid from all evolving threats very seriously. Every day they are working to improve the security, reliability, and resiliency of the grid. Yet, the work that is happening behind the scenes is often overlooked. Protecting our critical infrastructure in today’s threat environment is no easy task, since sophisticated cyber threats are constantly adapting and evolving.

DHS: No Evidence of Ukraine Power Grid Hack in US
The Hill
The Department of Homeland Security said the U.S. power grid is not under threat from the historic cyberattack that recently took out a portion of Ukraine’s power grid. The December digital assault, widely believed to be the first example of hackers causing a widespread power outage, put energy companies around the world on edge as U.S. officials flew in to assist with the investigation. The attack “should be, and must be, a wake-up call for those who haven’t already been awakened by this problem and this risk,” Homeland Security Secretary Jeh Johnson said Tuesday at a Senate hearing about his agency’s budget. The DHS concluded the malicious software that downed the grid in Ukraine has not extended to the U.S. for the time being.

Emerging Challenges in Electric Grid Cybersecurity
The Hill
For years, policymakers have been concerned about a catastrophic cyberattack that could disrupt the electric grid, causing widespread power outages and impacting national security, the economy and public safety. As electric utilities and the government grapple with the myriad of cybersecurity challenges affecting critical electric infrastructure, a new challenge has emerged: cyber risk to the thousands of different businesses, vendors and suppliers that make up the electric sector supply chain. Corporations and government agencies alike are increasingly focused on cyber risk to the supply chain because data breaches affecting critical vendors, contractors and other business associates can cause direct harm to the first-party organization. These third-party incidents represent a growing attack trend.

Infrastructure Cyberattacks
The Washington Times
The commander of the U.S. Cyber Command warned last week that he expects a major cyberattack on critical infrastructure in the United States in the future. “It is only a matter of the ‘when,’ not the ‘if’ we’re going to see a nation-state, group or actor engage in destructive behavior against critical infrastructure in the United States,” Adm. Mike Rogers, Cyber Command chief and director of the National Security Agency, warned in a speech March 2. Adm. Rogers’ comments, made during a security conference in San Francisco, came seven weeks after a sophisticated cyberattack on the Ukrainian electrical power grid that disrupted large segments of the country’s power network. The incident was a “very well-crafted attack,” Adm. Rogers noted, and was focused on disrupting electrical power.

Finally, here are some interesting things DOD is doing

After Major Hack, Pentagon Taps Private Sector for Cybersecurity
NBC News
The U.S. Defense Department plans to hire private contractors to develop a $600-million-plus computer system for a new background check agency being set up after a security breach last year exposed the personal data of nearly 22 million people, a top official told Reuters. The Pentagon plans to meet interested companies and request proposals before Sept. 30, the end of fiscal year 2016, after finalizing requirements for a more flexible and adaptive replacement, said Richard Hale, the Pentagon’s deputy chief information officer for cybersecurity. In an interview with Reuters given late last week, he said the Pentagon hoped to build the new system as quickly as possible, but its progress would be measured by testing and events rather than preset dates.

Cyber Experts Invited to ‘Hack the Pentagon’
The Hill
The Defense Department is inviting “vetted hackers” to test its cybersecurity in a new pilot program called “Hack the Pentagon.” “This innovative project is a demonstration of [Secretary of Defense Ash] Carter’s continued commitment to drive the Pentagon to identify new ways to improve the department’s security measures as our interests in cyberspace evolve,” the Pentagon said in a statement Wednesday announcing the initiative. It’s the first “cyber bug bounty program in the history of the federal government,” and is modeled after similar competitions held by the nation’s biggest companies, the Pentagon said. Hackers are required to register and submit to a background check to participate in the program. It’s not clear if the vetted hackers have to be U.S. citizens.

DoD Issues Cybersecurity Discipline Guidance
Federal Times
The Defense Department recently issued a military-wide cybersecurity discipline implementation plan, a document that aims to hold leaders accountable for cybersecurity up and down the chain of command and report progress and setbacks. The plan was originally issued in October but updated in February and made public on the DoD CIO site in early March. It shares some similarities with the Pentagon’s other large-scale cyber assessment tool, the department’s strategic cybersecurity scorecard that reports service-level compliance directly to the Defense secretary. The difference between the two is that the discipline implementation plan targets tactical-level compliance, and each has different reporting mechanisms – the discipline plan routes users to the Defense Readiness Reporting System to report their status with the requirements.

But apparently not everyone is enlisting in DOD’s efforts

US Tech Firms Bypassing Pentagon to Protect Deals with China, Strategist Says
The Guardian
Silicon Valley companies are shying away from selling cyberwarfare services to the Pentagon to avoid jeopardising their relationship with the Chinese market, a leading geopolitical strategist has suggested. Peter Singer, an author and senior fellow at the New America Foundation thinktank, said the United States and China are engaged in a new cold war – being fought partly in cyberspace – that “could turn hot.” Known tactics in this new cold war include Chinese cyber-spies stealing secrets relating to the US military’s F-35 stealth jet to build a clone warplane. Meanwhile, China has complained that the US takes advantage of its power to “unscrupulously monitor other countries” under the pretense of fighting terrorism.

And, here’s something DOD probably won’t do

JOHN McAFEE: The US Should Subcontract its Cybersecurity to China
Business Insider
Steve Rogers, the eloquent and polished FBI spokesman whom I had the pleasure of debating on CNN two weeks ago, has been on national TV again – this time alerting the American public that terrorist events equivalent to what just happened in Brussels are soon coming to America. Let’s put aside, for the moment, the obvious implications regarding new demands for access into all of our lives for “security reasons”, and let’s look realistically at the true tragedy of this statement.

By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

March 29, 2016

Judith Whittlesey Named Chair of Food Research & Action Center’s Board of Directors

Food Research & Action Center

1200 18th Street, NW | Suite 400
Washington, DC 20036
202-986-2200
frac.org

FOR IMMEDIATE RELEASE
Contact: Sara McGovern, 202-640-1089
smcgovern@frac.org

Judith Whittlesey Named Chair of Food Research & Action Center’s Board of Directors

WASHINGTON, March 22, 2016–The Food Research and Action Center (FRAC) announced Judith H. Whittlesey, executive vice president of Susan Davis International (SDI), has been named the new Chair of its Board of Directors. She succeeds former Secretary of Agriculture Dan Glickman, who served three years in the role for the national anti-hunger organization.

“Judy has been an incredibly active and passionate Vice Chair of our Board, and we look forward to her ongoing dedication and leadership in her new role as Chair,” said Jim Weill, president of FRAC. “Her experience and deep knowledge have been – and will continue to be – incredible assets to the Board, to FRAC, and to our network of anti-hunger advocates across the country.”

In her position at SDI, a public relations and public affairs firm, Whittlesey provides expertise in strategic planning, media relations, institutional positioning, public education and major event design to the firm’s diverse clientele.

Whittlesey has a long track record of overseeing successful campaigns for corporations, federal government agencies, and national non-profit organizations. She previously served on the staff of Vice President Walter Mondale, and subsequently on the campaign and transition staffs of several Democratic Presidential and Vice Presidential candidates. She has been inducted into the National Capital Public Relations Society of America Hall of Fame, selected as a PR News’ Top Women in PR and to Leadership Greater Washington. Whittlesey is a graduate of the University of Oklahoma and is an enrolled member of the Choctaw Nation of Oklahoma.

Glickman has a long history in food and nutrition policy. Prior to serving as Secretary of the U.S. Department of Agriculture, he served 18 years in the U.S. House of Representatives. He also was the Chairman and CEO of the Motion Picture Association of America. Currently, Glickman serves as a Senior Fellow at the Bipartisan Policy Center, a bipartisan think tank where he focuses on public health, national security, and economic policy issues, and as Executive Director of the Congressional Program at The Aspen Institute. He will continue to sit on FRAC’s Board, of which he has been a member since 2001.

“We truly appreciate all that has been accomplished under Dan’s leadership and look forward to his continued contributions now that he has passed the gavel to Judy,” said Weill.

To learn more about FRAC’s efforts to end hunger in America, visit www.FRAC.org.

# # #

This Changes Everything

Well, “changes everything” may be a slight exaggeration. But an FBI raid in early March on Tiversa, a Pittsburgh-based security company whose business model involves examining filesharing networks and offering to help companies identify when their data has been stolen or leaked, is forcing a hard look at both the business practice and the Federal Trade Commission.

About a year ago, a former Tiversa employee alleged that the company would make up fake accounts of data breaches and then use them to pressure potential clients into buying their services. His testimony came in a case involving a small cancer testing company in Atlanta, Georgia. As reported by CNN Money, the whistleblower testified that “he tapped into LabMD’s computers and pulled the medical records. The cybersecurity firm then alerted LabMD it had been hacked. Tiversa offered it emergency ‘incident response’ cybersecurity services. After the lab refused the offer, Tiversa threatened to tip off federal regulators about the ‘data breach.’

When LabMD still refused, Tiversa let the Federal Trade Commission know about the ‘hack.’

The FTC went after the lab, giving the company a choice: sign a consent decree (basically a plea deal which means years of audits and a nasty public statement) or fight in court. LabMD CEO Michael Daugherty chose to fight because a plea deal would have tarnished his reputation and killed the business anyway, he said.

Daugherty lost that battle in 2014, having run out of steam. The lawsuit killed LabMD, which was forced to fire its 40 employees last year.”

Tiversa defended itself and its business practices robustly, and filed suit against the original whistleblower as well as a second former employee. However, in the wake of the FBI raid, Tiversa’s CEO has been put on leave and the company dropped a defamation lawsuit against two people who have publicly claimed the company was operating an extortion racket.

As for the FTC, it’s been reported that based on data provided by Tiversa the FTC sent letters to more than 80 companies warning them that customer data had been made public on filesharing networks, and opened investigations into nine companies identified by Tiversa. LabMD got FTC Chief Administrative Law Judge D. Michael Chappell to dismiss the case against it last November. Judge Chappell called the evidence against the medical company “unreliable, not credible, and outweighed by credible contrary testimony from Mr. Wallace” (the whistleblower). The FTC is appealing that decision, but the FBI action certainly suggests the possibility that the FTC has a serious problem.

It will take a bit longer for the dust to settle in this rather bizarre set of circumstances. But if Tiversa was guilty of scamming both prospective clients and the FTC, the reverberations from that bombshell will be felt throughout the cybersecurity industry.

By Tom Davis, SDI Cyber Risk Practice
March 22, 2016

Slick Willie Meets the Dark Shadow


What do the Slick Willie, the Boss Hogg, the Bad Tuna and the Dark Shadow have in common with the Snake Bite, the Rabbit Hole, the Alley Cat and the Catch-22? How does the Flea Flicker work? Can you patch the Leaky Boot? The answers to these questions can be found in the latest Data Breach Digest from Verizon. Each year, Verizon reports on cyber investigations conducted on behalf of hundreds of commercial enterprises and government agencies across the globe. The report offers insights about the threat actors behind the attacks, the methods they use, the data they seek, and the victims they target. It’s an unnerving and compelling read.

The colorfully named Slick Willie and Boss Hogg are two of 18 data breach scenarios Verizon chose to include in the report based on their prevalence and/or lethality. Reading them offers a great illustration of how breaches actually work. For example, take this case study of corporate espionage which Verizon dubbed the Hyper Click. Verizon says a customer contacted them because a primary competitor located on another continent had introduced a new piece of large construction equipment that looked like an exact copy of a model recently developed by the customer. Verizon’s investigation determined that design blueprints had been stolen, and that the likely perpetrators were a Chinese hacking group long suspected of being state funded. Intelligence suggested the attackers had performed similar attacks and provided the stolen intellectual property to Chinese companies that were state owned, operated, or supported.

How, exactly, did the theft happen? From the report: “The threat actors had done their homework, as they identified the one key employee who would likely have access to the data they wanted—the chief design engineer for the project. The threat actors then established contact with the engineer through a LinkedIn profile under the guise of a recruiter with attractive employment positions, and began sending emails containing fictitious employment opportunities. One of those emails contained an attachment that had a malware file embedded in the document.” The engineer was looking for a job, opened that attachment, and the rest is history.

If you have responsibility for contributing to cybersecurity at your firm, I urge you to read the Verizon report. As Verizon points out, a small number of breach scenarios comprise the vast majority of incidents they investigate. Their data suggest that over the past three years, 12 scenarios account for over 60 percent of their investigations. If you don’t want to be victimized by Bad Tuna or caught in a Catch-22, assess your security in light of the 18 scenarios, and adjust as necessary.

By Tom Davis, SDI Cyber Risk Practice
March 15, 2016

Cyber Thieves Checking Out with Your Hotel Check-Ins


Last thing I remember, I was
Running for the door
I had to find the passage back
To the place I was before
“Relax,” said the night man,
“We are programmed to receive.
You can check-out any time you like,
But you can never leave.”

Iconic American rock band The Eagles released “Hotel California” in 1976 and it rocketed to the top of the music charts. Many Eagles fans consider Hotel California to be the band’s single best song. The lyrics describe a strange, disturbing existence in which those who check in to the Hotel California become caught in a web from which they may never escape. Forty years later, it appears The Eagles may have seen the future, in which hotel guests run the risk of being caught in a web spun by cyber thieves.

As noted travel author Peter Greenberg recently wrote, “Cyber thieves love hotels—and not just the front desk. They target hotel spas, parking facilities, and anywhere there’s either WiFi or the opportunity for a credit card transaction.”

Some recent examples of the love cyber thieves have for hotels would include a major attack on Hyatt Hotels last year that targeted about 250 locations worldwide, nearly 100 of those in the United States. Just before Hyatt reported its breach, Starwood, a hotel chain that includes such brands as W Hotels, Sheraton, Westin and Le Meridien, reported 54 of its locations had been hit by malware designed to steal customers’ credit card information. In September 2015, Hilton Worldwide reported a possible breach at several of its properties, including the company’s flagship Hilton locations as well as Embassy Suites, Doubletree, Hampton Inn and Suites, and Waldorf Astoria Hotels & Resorts. In October, the Trump Hotel Collection confirmed a breach that affected customers at Trump SoHo New York, Trump National Doral, Trump International New York, Trump International Chicago, Trump International Waikiki, Trump International Hotel & Tower Las Vegas, and Trump International Toronto. Other victims included the Mandarin Oriental hotels in the U.S. and Europe and hotel management firm White Lodging Properties whose breach affected the Marriott and Starwood brand families.

The obvious question—what is it about hotels that makes them particularly vulnerable—was asked and answered by Mark Bower, HPE Security global director of product management for enterprise data security, in a recent article in Business Travel News. Bower said the type of point-of-sale (POS) systems used at hotels is part of the problem. “These are often integrated POS environments running applications in an environment that is not as secure as modern hardened payment terminals designed to capture payment data and implement encryption independent from the POS itself,” said Bower. Moreover, the same article quotes Shaun Murphy, founder and CEO of SNDR, a message- and file-sharing app, as saying “If you call a hotel to make a reservation, they manually type in your card information and leave your credit card on file…Your personal details are stored in so many different systems, there are so many more ways for malware to have access to them.”

Hotels deal with a high volume of payment card transactions and have significant employee turnover. They are ripe targets for attack, and business travelers would do well to remember that you can check in any time you like, but your data may quickly leave.

By Tom Davis, SDI Cyber Risk Practice
March 8, 2016

Women’s History Month: Celebrating the Achievements of Women in Military

Democratic Leader Nancy Pelosi kicked off Women’s History Month with her annual reception at Statuary Hall in the U.S. Capitol, honoring women veterans for their service, and SDI’s long time friend and client Brigadier General Wilma L. Vaught, U.S. Air Force, Retired, one of the most decorated military women in American history. SDI has been proud to work with General Vaught over the last 20 years to build, dedicate and support the Women’s Memorial. Built at the entrance to Arlington Cemetery, the Women’s Memorial is dedicated to the service of women in the military since the Revolutionary War through today. SDI Chairman Susan Davis and Executive Vice President Judy Whittlesey had the privilege of attending the exceptional Women’s History event, with special guests First Lady Michelle Obama and Dr. Jill Biden. General Vaught’s remarks were a stunning reminder of the challenges and the barriers that women have faced in their quest to serve their country.

Throughout the month on our Facebook and Twitter pages we’re paying tribute to women veterans and those currently serving who have played and continue to play an influential role in military history. These women broke barriers, made a difference, and by their words and examples became a source of inspiration, making it possible for other women to succeed.

Susan Davis International is proud of its decades of experience working with the Defense Department and entire military community, nonprofit organizations that focus on military outreach, and corporations that offer support to the military market segment, and most especially proud of our work supporting the women who are and have served in defense of our freedom.

Knaves Are After a King’s Ransom

There are times in which March really does blow in like a lion. Take, for example, March 1, 1932. On that day, Charles Augustus Lindbergh, Jr., 20-month-old son of famous American aviator Charles Lindbergh, was kidnapped, beginning one of the most infamous criminal cases in American history. During the search of the Lindbergh home a ransom note demanding $50,000 was found. The note was the first of many.

FBI Director J. Edgar Hoover entered the case, announcing the FBI would support the New Jersey State Police in investigating the kidnapping. As a point of interest, the Superintendent of the New Jersey State Police at the time was Colonel H. Norman Schwarzkopf. If the name sounds familiar, it’s because H. Norman was the father of H. Norman Schwarzkopf Jr., perhaps better known as “Stormin’ Norman,” commander of coalition forces during the Persian Gulf War.

Sadly, the Lindbergh kidnapping ended tragically for the child. Some 18 months after the kidnapping an arrest was made, due largely to tracing the $20 gold notes used to pay the ransom.

The practice of ransom goes back countless centuries. According to Plutarch, in 75 BC Julius Caesar was captured by Sicilian pirates. He was said to have told the pirates that the ransom they were demanding was far too small; he was worth much more. Whatever the facts of its origins, it’s clear that we have entered a far more sophisticated era. Now, cyber criminals employ ransomware to extort money from victims around the world. In one recent notorious example, two weeks ago Hollywood Presbyterian Hospital paid $17,000 in ransom to regain control of its network, which had been held captive for 10 days, essentially paralyzing their system and disrupting their ability to do business. Ransomware is a type of malware which disables the functionality of a computer by restricting access to it in some way. Then, it demands a ransom.

Writing in Digital Trends, Chris Stobing described the experience of being victimized by ransomware thusly, “You wake up one day, rub the sleep out of your eyes, and boot up your laptop. Expecting to see a Twitter feed or Facebook profile, instead you’re greeted with a big red image, demanding that if you don’t pay $200 to an unknown party in the next 24-hours, everything you know and love on your computer will be erased, and gone forever.”

The FBI has warned that the use of ransomware is rapidly rising. Similar warnings abound. Last fall the Federal Financial Institutions Examination Council warned financial institutions about the increasing “frequency and severity of cyber attacks involving extortion.” One of the significant challenges associated with ransomware is that the ransom is not paid in traceable $20 gold certificates. Payment generally is made through digital currency Bitcoin or a form of electronic currency transfer.

The best way to guard against being victimized is to have good security software and to follow good security practices. Here’s hoping your March is a breeze.

By Tom Davis, SDI Cyber Risk Practice
March 1, 2016
