Archives for May 2016

Exploring the Cybersphere – May 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

The race is not always to the swift, but there’s definitely a race to SWIFT
What the Bangladesh SWIFT hack attack teaches about the future of cybersecurity and cyberwar

Cybersecurity headlines this week have been filled with emerging details of the February 2016 cyber theft of 81 million dollars from the Bangladesh central bank’s holdings in the New York Federal Reserve Bank. In a nutshell, highly skilled attackers crafted an intricately customized assortment of malware that ran on the bank’s own computers and issued what appeared to be legitimate SWIFT monetary transfer orders. The software went to great lengths to hide the transactions from bank personnel, from deleting database entries to altering hardcopy paper printouts. What can we learn from this attack about the future of cybersecurity and cyberwarfare?

Why is cybersecurity important to the fintech sector?

Cybersecurity presents a fundamental asymmetry for those on the defence side. While attackers need only find one exploitable weakness, banks, companies, governments and other organizations need to make sure that their entire online platform is guarded against attack. This difference in scale makes cybersecurity a difficult problem for any company. However, the cost of this challenge is felt most acutely by small- to mid-sized organizations. While big banks like Bank of America (NYSE:BAC) and Goldman Sachs (NYSE:GS) have the resources to invest millions of dollars in making sure that all of their angles are covered, smaller institutions just don’t have that option. And so, even if they do invest part of their budget in improving cybersecurity measures, there’s always a risk of leaving an unidentified weakness undefended. However, what seems like a problem for small banks is actually a problem for everyone in the financial services sector, because today’s banking system is a closely integrated one in which almost everybody is connected. For example, CNN Money reports that, back in February of this year, hackers moved $101 million out of Bangladesh’s central bank account (about $81 million of it was never recovered). This was disastrous on its own, but what was even more concerning to the international banking community was that the attackers did it by compromising the bank’s own access to the worldwide interbank messaging network SWIFT, using valid credentials and malware on the bank’s systems rather than breaking SWIFT’s core network itself. A similar attack on a commercial bank in Vietnam was disclosed in May. Therefore, although the problem of cybersecurity is felt most acutely by the small banks on the fringes of the international banking community, the repercussions of such breaches can be felt throughout the world.

Victims, victims, everywhere
Nearly three-quarters of firms globally hit by cyber attacks last year

Information security remains one of the most important concerns for data managers, and for very good reason. A new international study reveals that nearly three-quarters of organizations were the victims of a security incident in the past year alone. The International Trends in Cybersecurity report from CompTIA, the nonprofit association for the technology industry, finds that nearly three out of four organizations globally have been plagued by at least one security breach or incident in the past year, with about 60 percent of breaches categorized as serious. The report also reveals that organizations are altering security practices and policies due to greater reliance on cloud computing and mobile technology solutions. More than 1,500 business and technology executives in 12 countries were surveyed. The report includes data from Australia, Brazil, Canada, Germany, India, Japan, Malaysia, Mexico, South Africa, Thailand, the United Arab Emirates (UAE) and the United Kingdom (UK).

Top 2016 cybersecurity reports out from AT&T, Cisco, Dell, Google, IBM, McAfee, Symantec and …

The biggest players in cyber have published their annual security reports for 2016. Each one brings its unique view on cybercrime and cyber defense strategies. AT&T looked inside its giant global communications network and came out with its inaugural Cybersecurity Insights Report towards the end of last year. The report is aimed at helping businesses secure their own data. “Every company either has been breached or will be breached,” said Ralph de la Vega, president and CEO, AT&T Mobile and Business Solutions, in the report. Takeaway: a 458% increase in the number of times attackers scanned Internet of Things connections for vulnerabilities.

117M hacked LinkedIn logins for sale on dark web

A hacker is attempting to sell the account information of 117 million LinkedIn users stolen as part of a 2012 breach that appears much worse than originally thought. “Yesterday, we became aware of an additional set of data that had just been released,” the company said in a statement Wednesday. “We have no indication that this is as a result of a new security breach.” Around 6.5 million password hashes were posted online when the breach occurred in 2012, although LinkedIn never confirmed the scope of the breach. The company rolled out a mandatory password reset for all accounts it believed were compromised. Now, the information for an additional 100 million accounts is for sale on an illegal dark web marketplace for 5 bitcoin, or about $2,200, according to Motherboard. Security researchers who have reviewed the data say it is likely legitimate. A LinkedIn spokesman confirmed to Motherboard that the 6.5 million hashes originally released were not necessarily all of the stolen data. “We don’t know how much was taken,” Hani Durzy told the publication.

FDIC cyberattacks included hit on former chairwoman’s computer

The Federal Deposit Insurance Corp. is an independent agency created by Congress to maintain “public confidence in the nation’s financial system.” So says its mission statement. Millions of Americans demonstrate their trust in the agency every time they make a deposit in a U.S. bank where the funds are guaranteed by the FDIC. Yet, while the public’s trust in FDIC is strong, a series of incidents threaten to undermine confidence in the agency’s cybersecurity system. The personal information of American taxpayers has been jeopardized

Cybersecurity in healthcare is in an unhealthy condition
Cybersecurity special report: Ransomware will get worse, hackers targeting whales, medical devices and IoT trigger new vulnerabilities

Cybercriminals have set their sights on healthcare. Ransomware is the new normal. And many providers are approaching security all wrong. CIOs, CISOs, ethical hackers and other experts point the way forward. When it comes to digital security, healthcare provider organizations have the wrong mission and are using outdated approaches, generally failing at securing their organizations from today’s increasingly sophisticated cybercriminals. That’s according to “Hacking Hospitals,” a two-year study by Independent Security Evaluators of 12 healthcare facilities, two healthcare data facilities, two healthcare technology platforms and two medical devices. The study concluded healthcare has two major problems when it comes to digital security: a near-exclusive focus on defending patient records, and measures that target unsophisticated adversaries and blanket attacks. “One of the biggest things we took away from our Anonymous attack was that in the past, I had always thought about cybersecurity related to health IT as safeguarding data ― but our experience made us understand it is more than that,” said Daniel Nigrin, MD, CIO at Boston Children’s Hospital, which was attacked by the hacker group Anonymous in 2014. “These cyberattacks can be disruptive to the routine daily operations of a hospital. One can argue these kinds of attacks are even more significant than the breach of data because at the end of the day we are taking care of patients who are sick, and that has to be Priority No. 1.”

Cyber attacks and negligence lead to rise in medical data breaches

America’s healthcare organizations are being attacked by data thieves, but the industry is not doing nearly enough to deal with the growing threat, according to a new study by the Ponemon Institute.
These breaches are “increasingly costly and frequent, and continue to put patient data at risk,” the report concluded. Key findings: Nearly 90 percent of the healthcare organizations surveyed had a data breach in the past two years; nearly half (45 percent) had more than five breaches in that time period; the annual cost of dealing with these breaches is estimated to be $6.2 billion. “The industry has not made very much progress since we started looking at this issue six years ago,” said Dr. Larry Ponemon, founder of the Ponemon Institute. “Many organizations don’t have the resources or the staffing to get the job done right. My prediction is that things are going to get worse before they get better, but they will get better.”

More on how cyber crime pays
HPE report lays bare inner workings of cyber criminal economy

(A Hewlett Packard Enterprise (HPE) report shows businesses how cyber criminals operate and how to disrupt them at each step of their criminal value chain.) The value chain driving cyber crime provides insights into improving enterprise cyber defences, according to a report from Hewlett Packard Enterprise (HPE). The Business of Hacking report explores hacking as a business, assesses the underlying economy driving cyber crime and analyses the motivations behind attacks. The report – based on data and observations from HPE security teams, open source intelligence and other industry reports – analyses the value chain illegal organisations have established to expand their reach and maximise profits. Based on this insight, the report provides actionable recommendations for enterprises to mitigate risk by disrupting cyber criminal groups. Cyber criminals are increasingly using sophisticated management principles in creating and expanding their operations to increase their impact and financial profit, researchers found. Impact and profit are the core motivations for nearly all attack groups today, the report said, noting that enterprises can use this knowledge to disrupt criminal organisational structures and mitigate risks.

In search of enlightenment
Why CEOs are failing cybersecurity, and how to help them get passing grades

The buzz at yesterday’s inaugural Cyber Investing Summit – held on Wall Street at the New York Stock Exchange – was that most CEOs and board members don’t get cybersecurity. Cybercrime is on the rise — to the tune of $2.1 trillion by 2019, according to Juniper Research. The Verizon 2016 Data Breach Investigations Report (DBIR) states that no location, industry or organization is immune from attack. A DBIR executive summary — described as the C-level guide to what they need to know — is chock full of information that most CEOs will struggle to understand. For instance, ‘the median traffic of a DoS attack is 1.89 million packets per second — that’s like over 113 million people trying to access your server every minute.’ Huh? Make no mistake, Verizon’s report is an invaluable resource and recommended reading for business leaders. A skim through is certain to heighten awareness around cyber risks — even if it leaves a CEO scratching her head trying to figure out what all the technical terms mean — including patching, change monitoring, SLAs for DoS mitigation, CMS plugins, two-factor authentication, tamper evident controls, and all the rest. If CEOs don’t get cybersecurity because it’s too complicated to understand, then what can be done about it?


By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

May 31, 2016


Internet of Things – Risk and Opportunity

It’s difficult to work in business today without coming across the terms “Big data” and “Internet of Things.” Five years ago McKinsey & Company called big data the next frontier for innovation. The next year, the New York Times upped the ante by declaring this the Age of Big Data. Indeed, we interact today in a system of commerce that is increasingly shaped by big data, and while the rise in this data can be attributed to many sources, perhaps the most profound of these is what has become known as the Internet of Things.

For the uninitiated, big data describes large, complex data sets that are collected from the multitude of technologies we use every day. Typically, the rise in big data is traced to the overall increase in internet usage through computers or smart phones. Every time we visit a website, make an online order, or send an email, that activity is recorded and organized into these large data sets. In recent years the number of internet-connected devices has diversified. Now, everything from household appliances to televisions to our vehicles is network connected through what has broadly been called, an Internet of Things, or IOT.

If big data once primarily originated through our interactions with intangible websites, it’s now increasingly coming from our interactions with tangible objects. For consumers, this data can be packaged and presented in a multitude of ways that profess to add value. For example, pacemakers that wirelessly connect to online monitoring systems can reduce doctor’s visits and provide faster feedback when problems arise. Egg trays that send a text when you’re running low on eggs add efficiencies to grocery shopping. The span of industries producing these “smart devices” is vast.

For businesses, the IOT is game-changing. Just as big data helps consumers make more educated decisions, it can also give producers a better understanding of trends in usage. The days of focus groups telling producers what consumers want are passé. Now, companies can uncover that on their own through this 24/7 system of feedback. Industries aren’t just working more efficiently with the IOT, they are completely transforming.

Take the car insurance industry, which has long used indirect measurements such as general trends within the population to create a risk profile and corresponding policy price for customers. The system is inherently inefficient as these are, at best, educated guesses as to how a person drives. The advent of insurance telematics, which allows insurers to personalize a rate based on the direct measurement of big data that is taken from a customer’s car, promises to change that. Not only would this benefit good drivers who have been paying too much, but it would make the whole industry more efficient.

Just as the IOT has presented businesses with the opportunity to understand consumers in new ways, it also gives communications firms the opportunity to more precisely tailor their messages to consumers.

This big data revolution in communications is occurring in several ways. One is the increase in sophistication of Customer Relationship Management (CRM) systems. When these systems are coupled with programs trained to mine through the mounds of big data that companies are able to compile, companies can approximate individualized messages. Just as insurers no longer have to guess about how to price their rates, communications professionals working with big data no longer have to guess about which message will resonate the most with a general audience because they are capable of giving each consumer their own message.

The technology behind the IOT continues to develop at breakneck speeds, and it’s crucial that communications professionals understand this growing trend. IOT-connected products are already a big industry, with the world’s largest businesses investing heavily in developing them, and consumers increasingly expecting the added features of these smart devices. It’s crucial that clients know and understand this opportunity. As their products and services develop around this trend, communications professionals must also tailor messages that will resonate with the hungry investors and expectant consumers alike.

Of course, along with new opportunities come new concerns. In this case, those concerns center around privacy. Big data gives companies and communications professionals unparalleled access to consumers’ lives. Naturally, consumers will be leery of such access, and legislation and industry standards will continue to evolve to address their privacy issues. Businesses would do well to develop and consistently revise privacy policies cognizant of these standards. Savvy communications professionals will prioritize privacy concerns in their messages to consumers. The fallout from high-profile cyber attacks against Target, LinkedIn, and Yahoo, among others, shows that consumers take internet privacy extremely seriously. Any developments in IOT will by necessity be taken with an abundance of caution.

These concerns aside, the development of the IOT most certainly signals a wealth of opportunities for the communications industry. If harnessed correctly and responsibly, it can be used as a powerful tool to connect businesses and consumers in ways never before imagined.

By Jake Thornburgh, SDI Intern 
December 20, 2016

Did the Founding Fathers Anticipate Cyber Attacks?


The nine most terrifying words in the English language are: “I’m from the government and I’m here to help.”
President Ronald Reagan

One of the many shopworn bromides President Reagan was fond of uttering was the classic put-down that captured the essence of concern about the intrusiveness and effectiveness of big government: “I’m from the government and I’m here to help.” Pause, ba-dum-ch. The line played off a longstanding joke about the government, and it worked because, like most good stories, it was rooted in a commonly shared belief about government. In fact, the United States was founded on the premise that the federal government must be subservient to the people. The founders had a shared experience with tyranny, and wanted to be sure the Constitution they wrote limited the federal government’s ability to recreate that experience. Notably, a line commonly attributed to Patrick Henry warns: “The Constitution is not an instrument for the government to restrain the people, it is an instrument for the people to restrain the government…” Now that premise is being tested in the cybersecurity arena.

An article in the Wall Street Journal teed up the issue by posing the question: “Should Companies Be Required to Share Information About Cyberattacks?”  Those who favor making disclosure mandatory argue that sharing information about cyber attacks will help protect others from being attacked.  But it can also complicate the process of trying to keep systems secure, and injure the companies’ reputations in the meantime. Conversely, allowing breached companies to work on solutions in secret may fix problems quickly and prevent reputational harm. But keeping attacks secret may also increase the danger for others. At the moment there exists a hodgepodge of state requirements for disclosure, and a murky federal approach that includes SEC requirements for disclosure of material risks and intrusions to investors, as well as encouragement of voluntary sharing of cyber attack information.

Denise Zheng, deputy director and senior fellow in the Strategic Technologies Program at the Center for Strategic and International Studies is a proponent of mandatory sharing.  She argues that “the benefits to society by requiring reporting would outweigh the costs to the individual companies. Requiring not only cyber incidents to be reported but the tactics and techniques used by hackers would create greater transparency, allowing businesses, policy makers and consumers to make more informed decisions about how to manage cyberrisk. It would enable decision makers in companies and government to assess risk as well as progress.”

Taking the opposing view, Andrea Castillo, program manager in the Technology Policy Program at George Mason University’s Mercatus Center, says, “There is much that can be done to improve U.S. cybersecurity without requiring companies to report cyberattacks. The government should first focus on correcting policy missteps from the past. It should promote the use of strong encryption and reform counterproductive laws like the Computer Fraud and Abuse Act that chill security research. Requiring organizations to share information with hack-prone federal agencies under threat of penalty will only add to the current contradictory mess of policies.”

It seems clear to me that disclosure of attacks of some magnitude has to be encouraged and even required. The data clearly has value, and we really are collectively locked into a struggle whose broad implications transcend the concerns of individual companies and impose consequences for the economy, public safety, and national security. The trick is to ensure that we find a way to do so while ensuring the government is both necessarily aided and legitimately constrained.

By Tom Davis, SDI Cyber Risk Practice

May 24, 2016

Naked on Top of the World


I stood high upon a mountaintop

Naked to the world

In front of

Every kind of girl


From Spill the Wine

Eric Burdon


My favorite Eric Burdon song is “The House of the Rising Sun,” done when The Animals were a leading part of the British Invasion headlined by The Beatles, and featuring the Rolling Stones, the Dave Clark Five, the Kinks, and the Who, among other notable British bands. When The Animals broke up, Burdon joined War, and “Spill the Wine” was their first big hit. While the song lacks the power and emotion of “The House of the Rising Sun,” the lyrics offer vivid imagery. Imagine standing high on a mountaintop, naked to the world. Now set your sights a little lower. You might not be on a mountaintop, but you could, increasingly, be naked to the world.

Sean Owen, director of data science at Cloudera, recently contributed a piece to CrunchNetwork that explores just how much we may be inadvertently revealing of ourselves as our personally identifiable information (PII) is accessed and used. Owen poses the question: “What sharing (of PII) is permitted and who decides where to draw the line on our behalf?”  He then points out “There is a new threat to our ability to control the answer to this question, with which data scientists must now also contend. Surprisingly, this emerging villain is also the hero of the big data age: machine learning.”

Machine learning gives computers the ability to learn without being specifically programmed. It uses algorithms to identify insights in data that are not readily apparent at first blush. It has enormous application to guiding decision-making in an age characterized by an exploding volume of data. However, every upside has a downside.

As Owen notes, even enterprises that carefully share PII may be sharing more than they realize. He cites, as an example, Netflix sharing its viewing data as part of a contest. Owen writes “The data contained no explicit personal information… However, it was quickly cross-referenced with other public data to reliably discover the identity of many people in the data set. Certainly, more was shared than was obvious to anyone, and, in this case, it resulted in a lawsuit.”
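What Owen describes is a linkage attack: the release dropped the names but kept movie, rating and date, and those three fields together are enough to line up a record with one posted under a real name somewhere else. The Python below is an added illustration, not code from the original post or from Owen’s article. It runs a simplified form of the technique on constructed data (user ids, movie titles, names and dates are all made up), scoring each candidate identity by how many anonymized records it explains and only declaring a match when the best candidate stands out from the rest. The tolerances and the eccentricity threshold are assumptions chosen for the toy data; the published Netflix Prize de-anonymization used the same idea with additional weighting for rarely rated titles.

```python
"""Linkage (re-identification) attack against a 'de-identified' ratings release.

The release replaced names with random ids but kept movie, rating and date.
An attacker holding a small set of ratings posted under real names on a
public site can still match the two sets record by record.
All sample data below is constructed for the example.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import pstdev

DATE_TOLERANCE = timedelta(days=14)   # the same film is rated on different days per site
RATING_TOLERANCE = 1                  # people rate slightly differently per site
ECCENTRICITY_THRESHOLD = 1.5          # how far the best candidate must stand out (assumed)

# "De-identified" release: (anonymous id, movie, rating, date)
ANONYMIZED = [
    ("u1", "Movie A", 5, date(2005, 3, 2)),
    ("u1", "Movie B", 1, date(2005, 3, 9)),
    ("u1", "Movie C", 4, date(2005, 6, 1)),
    ("u2", "Movie A", 5, date(2005, 3, 4)),
    ("u2", "Movie D", 3, date(2005, 4, 10)),
    ("u3", "Movie B", 2, date(2005, 3, 8)),
    ("u3", "Movie E", 5, date(2005, 7, 1)),
    ("u3", "Movie F", 3, date(2005, 8, 15)),
]
# Public auxiliary data the attacker scraped: (real name, movie, rating, date)
PUBLIC = [
    ("alice", "Movie A", 5, date(2005, 3, 5)),
    ("alice", "Movie B", 1, date(2005, 3, 10)),
    ("alice", "Movie C", 4, date(2005, 6, 3)),
    ("bob", "Movie A", 5, date(2005, 3, 5)),
    ("bob", "Movie D", 3, date(2005, 4, 12)),
    ("carol", "Movie B", 2, date(2005, 3, 9)),
    ("carol", "Movie E", 5, date(2005, 7, 3)),
    ("carol", "Movie F", 3, date(2005, 8, 16)),
    ("dave", "Movie A", 4, date(2005, 9, 1)),
]


def group_by_key(records):
    """Group (key, movie, rating, date) rows into {key: [(movie, rating, date), ...]}."""
    grouped = defaultdict(list)
    for key, movie, rating, when in records:
        grouped[key].append((movie, rating, when))
    return grouped


def record_matches(anon_record, public_record):
    """Two ratings 'match' when the title agrees and rating and date are close."""
    movie_a, rating_a, date_a = anon_record
    movie_p, rating_p, date_p = public_record
    return (movie_a == movie_p
            and abs(rating_a - rating_p) <= RATING_TOLERANCE
            and abs(date_a - date_p) <= DATE_TOLERANCE)


def similarity(anon_records, public_records):
    """Number of anonymized records that at least one public record explains."""
    return sum(1 for a in anon_records if any(record_matches(a, p) for p in public_records))


def best_match(anon_records, public_by_name):
    """Return (name, eccentricity); name is None when no candidate stands out.

    Eccentricity is the gap between the best and second-best score measured in
    standard deviations of all scores, so a lone high scorer is a confident match
    while a near tie (or all-zero scores) is reported as ambiguous.
    """
    scores = {name: similarity(anon_records, recs) for name, recs in public_by_name.items()}
    ranked = sorted(scores.items(), key=lambda kv: kv[1], reverse=True)
    spread = pstdev(list(scores.values()))
    if spread == 0 or len(ranked) < 2:
        return None, 0.0
    (top_name, top), (_, runner_up) = ranked[0], ranked[1]
    eccentricity = (top - runner_up) / spread
    if eccentricity < ECCENTRICITY_THRESHOLD:
        return None, eccentricity
    return top_name, eccentricity


def deanonymize(anonymized=ANONYMIZED, public=PUBLIC):
    """Map every anonymous id to a real name, or None where the data is too thin."""
    anon_by_id = group_by_key(anonymized)
    public_by_name = group_by_key(public)
    return {uid: best_match(recs, public_by_name)[0] for uid, recs in anon_by_id.items()}


if __name__ == "__main__":
    for uid, name in deanonymize().items():
        print(uid, "->", name or "no confident match")
```

On this data u1 resolves to alice and u3 to carol, while u2, who rated only two titles that bob and alice both rated, stays ambiguous: the attack needs only a handful of (title, date) pairs, and the more unusual the titles, the fewer it needs. Note that nothing in the released columns looked like personal information; the identifying power came from the combination of fields, which is why "no explicit personal information" is not the same as de-identified.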

There are abundant examples of how much the data mining process can infer. A favorite is the story about how Target managed to break the news to a father that his teenaged daughter was pregnant by looking at her purchases. How does that happen? Writing in the New York Times Magazine, Charles Duhigg reveals that Target assigns a unique code, called a “Guest ID,” to each customer to track everything they buy. And then, “Also linked to your Guest ID is demographic information like your age, whether you are married and have kids, which part of town you live in, how long it takes you to drive to the store, your estimated salary, whether you’ve moved recently, what credit cards you carry in your wallet and what Web sites you visit. Target can buy data about your ethnicity, job history, the magazines you read, if you’ve ever declared bankruptcy or got divorced, the year you bought (or lost) your house, where you went to college, what kinds of topics you talk about online, whether you prefer certain brands of coffee, paper towels, cereal or applesauce, your political leanings, reading habits, charitable giving and the number of cars you own.” Target’s research revealed the buying habits of women in their second trimester, and when the teenaged daughter met the profile, Target sent her coupons for baby clothes and cribs. Surprise, Dad.

At the moment there is relatively little a consumer can do to affect the burgeoning PII exchange. But it is useful to at least be aware that it exists. The knowledge gives us a fig leaf of control.

By Tom Davis, SDI Cyber Risk Practice

May 17, 2016

This Means War! (or does it?)


“About four p.m., the enemy’s artillery in front of us ceased firing all of a sudden, and we saw large masses of cavalry advance: not a man present who survived could have forgotten in after life the awful grandeur of that charge. You discovered at a distance what appeared to be an overwhelming, long moving line, which, ever advancing, glittered like a stormy wave of the sea when it catches the sunlight. On they came until they got near enough, whilst the very earth seemed to vibrate beneath the thundering tramp of the mounted host.”

Captain Rees Howell Gronow, Foot Guards

On June 18, 1815, Napoleon Bonaparte led his French army of some 72,000 troops against a 68,000-man allied army commanded by Arthur Wellesley, Duke of Wellington. Wellesley’s forces included Belgian, Dutch and German troops, soon, decisively, to be joined by 50,000 Prussian troops. The battle took place just south of Brussels, near a little village named Waterloo. When the day came to a close Napoleon had suffered a defeat of staggering dimension.  His army was in tatters, having taken roughly 33,000 casualties.

For all the troops engaged in battle that fateful day the savage exchanges in close quarters were, unmistakably, acts of war. Few things are so obviously an act of war as armed warriors in conflict, and we’ve had countless opportunities to further our understanding of what constitutes an act of war. Thus, it’s interesting that some 200 years after Napoleon met his Waterloo, nations are wrestling with how to define whether and how an attack in cyberspace should be seen as an act of war.

U.S. Senator Mike Rounds just introduced the Cyber Act of War Act of 2016, which would require the administration to develop a policy to determine whether a cyber-attack constitutes an act of war. Senator Rounds argues that defining what sorts of cyber attacks constitute an act of war will both deter attacks and allow the Department of Defense to more effectively respond if a particular act meets agreed upon criteria.

In 2011, the Pentagon announced that computer sabotage coming from another country can constitute an act of war, opening the door for the U.S. to respond using traditional military force. But the precise definition of what sort of “sabotage” would be seen as an act of war was left unaddressed. The Obama administration seemingly favors ambiguity on the issue, having learned that drawing a red line in the sand can have a serious downside. The issue has also come before the North Atlantic Treaty Organization, a military alliance that includes the United States. NATO has tried to define what constitutes an act of cyberwarfare but views remain split. Some members argue a cyber act of war must demonstrate a “use of force.”

It will be interesting to observe the debate if Senator Rounds’ bill moves ahead. Can a cyber attack be an act of war? I would argue the answer clearly is yes. When is it an act of war? That answer is a little more elusive. But it cannot be ignored. The world is very different from the one that existed when Napoleon rose to prominence. But a Waterloo moment in cyberspace would resonate much the way Napoleon’s defeat did two centuries ago.

By Tom Davis, SDI Cyber Risk Practice

May 10, 2016

The Board Whisperer?

English writer Nicholas Evans authored the best seller “The Horse Whisperer” in 1995. The book became a movie directed by Robert Redford, who also starred in it along with British actress Kristin Scott Thomas and Scarlett Johansson. As I recall, the movie lasted longer than some Hollywood marriages. But it had its moments. As the name suggests, the story revolves around the ability of Redford’s character to speak to horses. His modus operandi involved learning how horses think and what they need. A similar approach would serve CIOs and CISOs well as they communicate with chief executives and corporate boards.

Writing in SC magazine, Feris Rifai, CEO and co-founder of Bay Dynamics, a provider of cybersecurity risk analytics, provocatively suggests that IT and security executives need to learn to “Speak the board’s language or get fired.”  Rifai asserts that many CISOs engage in a relatively pro forma exercise when reporting data, perhaps unintentionally assuring that the board does not really understand the company’s cyber risk posture. He suggests CISOs provide data with context. “For example, if they spotted a vulnerability with an associated threat to a treasured asset and therefore elevated the company’s level of risk, they should be able to show where the data came from, when it was collected, who was informed at the time, what steps were put in place to remediate it and what the company should do as a whole to prevent it in the future.”

So, how should one whisper to a corporate board? Commenting on a recent survey of corporate boards conducted by Veracode and the New York Stock Exchange, Chris Wysopal, CTO and CISO at Veracode recently said, “Boards want the CISO to give them risk metrics and peer benchmarking. They want to know how they’re doing related to like companies. Those are all good things that are going to help boards understand the true risk of cybersecurity.”

Additional advice was offered by Microsoft CISO Bret Arsenault at the annual RSA Conference in San Francisco. “Be prepared for things the board wants to talk about, including: do you have everything you need? And the answer better be ‘yes,’ or ‘I do, but here are the things I see coming,’ just to make them aware….” Other likely questions include describing the overall security plan and how it will be exercised. More enlightened boards will also want to know about staff security education, and ask about the security culture.

It really doesn’t take extraordinary skills to become an effective board whisperer. It does require understanding both what your audience wants, and what they need. You have to respond to the want, and be sure they understand the “need.”

By Tom Davis, SDI Cyber Risk Practice

May 3, 2016