Archives for June 2016

Exploring the Cybersphere – June 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

We’ve reached the summer solstice, a time marked by great festivals in many countries. In bygone years, it was the moment in which bonfires were lit to protect against evil spirits, which were believed to roam when the sun turned southward. Now it’s more of a party, but we still need to protect against the evil cyber spirits, by…

Following the leaders…
Why CEOs need to lead on cybersecurity
Associationsnow.com

“Just because you’re paranoid doesn’t mean they’re not out to get you,” the old line goes, which seems like a fitting way to talk about cybersecurity and leadership. CEOs have the dilemma of rationally thinking about security threats, while recognizing that those threats are very real. In my feature for the latest issue of Associations Now, I wrote about some of the latest cybersecurity threats at associations—including ransomware and exploiting the internet of things—and explored some of the ways organizations have responded. As with most important issues, a proactive approach that anticipates threats is helpful. And one critical element of that, of course, is making sure that top leaders are part of that discussion. Problem is, the CEO often isn’t. An ISACA/RSA Conference survey earlier this year pointed out that while cybersecurity is a concern for an overwhelming majority of boards, only one in seven security chiefs report directly to the CEO. Moreover, respondents see a problem at the top: Fewer than half (43 percent) said their organization’s executive team follows good security practices themselves.

C-suite leadership can cut cyber-attack growth by 50% says new report
Value Walk

A new report published today (June 2nd 2016) by The Economist Intelligence Unit (EIU) highlights the critical role of the C-suite and board in defending their firms against cyber-crime. Data Security: How a proactive C-Suite can reduce cyber-risks for the enterprise, sponsored by Oracle, includes findings from a global survey of 300 C-suite executives conducted in February-March of 2016. A primary driver of success was the adoption of a proactive cyber-defence strategy. The 28% of firms that prioritized this approach were able to cut the growth of cyber-breaches by more than 50%.

Cyber security executives need to step up their game: Here’s why
Forbes.com

Board members of large enterprise companies once viewed cyber security threats the same way they saw natural disasters: possible, but unlikely. Those days have changed. According to a new report by cyber risk analytics company Bay Dynamics, based on the results of a nationwide survey conducted by Osterman Research, board members are taking cyber security risks seriously. So seriously, in fact, that 26 percent of those surveyed said cyber risks were their highest priority, a larger percentage than those most concerned with financial, legal, regulatory, or competitive risks. The 125 survey respondents consisted of enterprise executives who serve on the boards of directors of enterprise companies and receive reports about companies’ cyber security programs. “Failing to deliver the cyber risk information that board members want, in a way they understand, will not go unnoticed,” said Ryan Stolte, Chief Technology Officer and Co-Founder of Bay Dynamics. And there will be repercussions. 59 percent of board members surveyed said that there is a good chance that one or more IT and security executives who fail to provide useful and actionable information in their reports would lose their jobs.

5 tips for setting up a security advisory board
Dark Reading

Security vendors have had security advisory boards for several years, but ever since the high-profile Target, Sony, and JP Morgan data breaches, other software companies and even mainstream companies are taking a serious look at forming boards of their own. Take data management and data analytics vendor DataGravity, which this week said it has formed a security board mainly as a way to gain expertise across vertical industries such as financial, retail, healthcare, and education, as well as to learn from experts who have done business in Europe.

Into the realm of the CISO…
‘Vendor overload’ adds to CISO burnout
CSO Online

There are multiple reasons for the relatively rapid burnout of Chief Information Security Officers (CISOs). They include a combination of pressure and the unrealistic expectation that the CISO should not just lower the risk of major breaches, but prevent them altogether. The modern CISO is also expected to have skills that go well beyond being a technology geek – to understand and “speak the language of business,” and be a strategic participant in business decisions.

Debate continues over where CISOs sit in the C-suite
CSO Online

Pundits scrutinizing senior executive dynamics have opined for years about to whom the CISO should report. Some say the CISO should report only to the CIO because the top security role is inextricably linked to IT. Others say this is a terrible idea because the CISO must lock down the corporate network while the CIO is challenged to innovate. A CISO panel convened at the MIT Sloan CIO Symposium last month rekindled this longstanding C-suite debate.

The CISO job market in 2016: Time to jump ship?
Security Intelligence

For CISOs that are even remotely considering switching jobs, the sky appears to be the limit. A quick search of job offers for CISOs returns thousands of results, and there should only be more to come as organizations realize the importance of having a security leader firmly ensconced in the enterprise. This demand is partly due to organizations globally realizing that cybersecurity risks are now a business issue, and having the right person in the organization is paramount for managing those risks. Naturally, the unprecedented demand for CISOs is also fueling a rapid rise in salaries.

What CISOs need to tell the board about cyber risk
Dark Reading

There should be little doubt about cybersecurity’s importance in 2016 given the amount of attention the topic has garnered in the past decade. Board directors and top leadership are under pressure from all sides: from federal and state regulators, from business partners seeking to tackle third-party vendor cyber risks, and from shareholders and their class-action lawyers ready to sue the moment a breach is announced. The SEC’s leadership has been crystal clear about the responsibilities of board directors for proper cybersecurity governance. In his 2015 ABSPE speech, SEC Commissioner Luis A. Aguilar put it very clearly: “In the end, boards have a fiduciary responsibility to ensure that they possess the necessary skills, experience, and judgment to be competent stewards of their companies.”

Defense, Defense…
Mobile workforce exposes businesses to security vulnerabilities
Help Net Security

U.S. business leaders are unprepared for the increased threat to information security that comes with flexible office environments. A Shred-it study shows that leaders are not providing the protocols and training needed to ensure information remains secure in a mobile work environment. With the number of mobile workers in the US expected to reach 105 million by 2020, more workers are using the tools of the modern workforce, including laptops, USBs and cloud storage to connect outside the traditional office environment.

Don’t bite! 9 essential steps to prevent cyberattacks
Forbes

Hackers never sleep. They also use tech innovations better than many of us. In recent months, we’ve seen criminals take computer systems hostage at hospitals across the U.S., target banks around the world via the SWIFT system, and steal $12.7 million in a massive ATM heist in Japan. As mobile devices proliferate and everything from TVs to cars gets plugged into the Internet, things will only get worse. Fear is changing online behavior. A survey by the U.S. National Telecommunications and Information Administration recently showed that data security worries in the U.S. have curtailed online activity among 45% of households. We need a sea change in our collective thinking to defend ourselves against this onslaught.

Security threats hiding in plain sight
Information Week

Data breaches have become so common that it’s easy to overlook them. There were 781 known data breaches in 2015, according to the Identity Theft Resource Center, enough to read about mistakes being made twice a day if the media chose to write about every incident. Websites like haveibeenpwned.com list dozens of breaches affecting high-profile websites. The potential threat posed by insiders is well known, even if employees, contractors, and partners don’t represent the most significant threat vector. According to Verizon’s 2016 Data Breach Investigations Report, 172 data breaches around the world last year were attributable to insiders and privilege misuse out of 2,260 breaches analyzed.

5 ways to protect your network from new graduates
Dark Reading

Graduation season is wrapping up and a new generation is entering the workforce. Youth and a fresh perspective is always appreciated in the enterprise, but what about when these new grads pose a security risk to the network? The graduating class of 2016 was born the same year that Google was founded and were nine years old when the first iPhone was released. Smart technology and access to high-speed internet has been a part of their lives from the get-go, making this group incredibly tech savvy. But, their hyperconnected behavior doesn’t come without its drawbacks.

How to prepare for a data breach
Dark Reading

Organizations are battling with sophisticated, conniving cyber adversaries who are constantly evolving their techniques to steal and profit from their valuable and sensitive information. Since no environment can ever be 100 percent secure, a determined, skilled attacker will eventually penetrate even the most well-protected company’s defenses. Ensuring the right people and processes are in place before a security incident occurs can make a significant difference in how a breach impacts the organization’s operations, reputation, and bottom line. After all, when an organization is under attack, or has suffered a potential breach, time is money. The less resilient the organization, and the slower it is to respond, the longer it will take to bounce back, and the more expensive the loss (and recovery) will be.

Do employers give enough security training?
Help Net Security

More than half of UK office workers say their employers have provided no cyber security awareness training, according to ISACA’s 2016 Cyber Security Perceptions study of more than 2,000 UK consumers online. 36% of respondents say they could not confidently define a phishing attack, and 19% have fallen prey to phishing emails. Additionally when asked to prioritise between a fast Internet connection and a secure one, 1 in 3 chose speed. “It is critically important that we create awareness in cybersecurity and in multiple roles within an organisation,” said Christos Dimitriadis, chair of ISACA’s board of directors. “The human factor is critical when creating cybersecurity capability, and education based on practical guidance is key to reducing the related business risks.”

Spearphishing attacks target boards
CSO Online

With great power comes great responsibility — and also a great big target painted on your head. At least, that’s the case lately with corporate boards of directors and cybercriminals launching spearphishing attacks. “Since the beginning of the year we have serviced about 350 different clients that have had spearphishing attacks,” said Michael Bruemmer, vice president for data breach resolution at Experian Information Solutions. “About a third were specifically targeted at board members.” Board members get emails asking them for tax information or requesting bank transfers, which they typically forward to the company employee who is responsible, asking them to take care of it.

The best defense is a good offense?
From hunted to hunter
Raytheon Cyber

All over the world, businesses have crafted detailed plans for dealing with a cyber attack. What many have not done is plan to become the hunter rather than the hunted, and prevent attacks before they begin. “There used to be this old concept of defend, detect and respond,” said Dave Amsler, president and founder of Raytheon Foreground Security. “Now it’s detect, isolate and eradicate. You have to proactively hunt for the skilled attacker in your network.” In numerous organizations, IT leaders duck instead of covering their digital assets ahead of any attack, according to a worldwide survey titled “Don’t Wait: The Evolution of Proactive Threat Hunting.”

The Chinese hackers in the back office
Nytimes.com

BELLEVILLE, Wis. — Drive past the dairy farms, cornfields and horse pastures here and you will eventually arrive at Cate Machine & Welding, a small-town business run by Gene and Lori Cate and their sons. For 46 years, the Cates have welded many things — fertilizer tanks, jet-fighter parts, cheese molds, even a farmer’s broken glasses. And like many small businesses, they have a dusty old computer humming away in the back office. On this one, however, an unusual spy-versus-spy battle is playing out: The machine has been taken over by Chinese hackers. The hackers use it to plan and stage attacks. But unbeknown to them, a Silicon Valley start-up is tracking them here, in real time, watching their every move and, in some cases, blocking their efforts. “When they first told us, we said, ‘No way,’” Mr. Cate said one afternoon recently over pizza and cheese curds, recalling when he first learned the computer server his family used to manage its welding business had been secretly repurposed. “We were totally freaked out,” Ms. Cate said. “We had no idea we could be used as an infiltration unit for Chinese attacks.”

Hunting the hackers: Why threat intelligence isn’t enough
SC Magazine

Threat intelligence: it’s the latest buzzword in the security industry and the shiny new solution coveted by CIOs. The theory goes that by adopting a proactive stance, and monitoring activity not just on the network but externally too, you’ll have advance warning of an attack. Events or triggers can be spotted that indicate, like ripples on a pond, the approach of a predator, robbing the attacker of the element of surprise and giving the organisation time to raise its guns and throw up the defences. The trouble with this scenario is that big business has been doing this type of monitoring for some time and with some expensive tools… yet attacks are continuing unabated. Anti-virus, intrusion prevention systems (IPS), data loss prevention (DLP), and Security Incident and Event Management (SIEM) systems are all being used to automatically collate and log data and events in a bid to crunch sufficient data to stymie an attack.


By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

June 28, 2016

What’s CTI Got to Do with the Price of Cheese?

Cyber Miss Muffet

Sat on a tuffet,

Eating her curds and whey…

Cheese curds are one of the great delicacies known to humankind. The salty little cheese bits are the quintessential Wisconsin snack. Being from Wisconsin, I have an abiding fondness for cheese curds, an affection I apparently share with Gene Cate, who together with his wife Lori and sons owns and operates Cate Welding in Belleville, Wisconsin, a little village nestled just outside the great metropolis of Madison. Another thing I have in common with Mr. Cate is that until recently, neither of us suspected that an old computer server, used in Cate’s case to operate the family business, could be infiltrated by Chinese hackers and deployed to attack targets around the world.

Mr. Cate learned from a Silicon Valley-based threat intelligence provider that his server had been weaponized. I learned about it by reading this article in the New York Times: “The Chinese Hackers in the Back Office.” The article reveals how Area 1, a company run by former NSA analysts, came to Belleville to inform the Cates that their server had been taken over by a group of Chinese hackers known as the Codoso Group. Area 1 identifies and tracks digital attacks against businesses.

The Cates agreed to help Area 1 thwart the Chinese. Area 1 added their server to a network of compromised servers being monitored to gain insights into how the Codoso Group operates that could be shared with Area 1’s clients. Over time the Cates learned that “The Codoso group had used their server to pilfer a law firm’s due diligence on an impending acquisition, a financial services firm’s confidential trading plans, a mobile payment start-up’s proprietary source code, some blueprints and loan applications at a mortgage company.”

What’s interesting about this story is what it tells us about Cyber Threat Intelligence (CTI), an emerging industry in acquiring and selling intelligence about attack groups. Many cyber attacks use similar methods and approaches, with attackers adapting their products in an effort to keep ahead of the antimalware industry and security professionals. It follows that there is an increasing likelihood that some organization or group has encountered the attack before. Cyber Threat Intelligence offers the ability to recognize and act upon known indicators of an attack so that the attacks can be thwarted before they are successful.

Cyber Threat Intelligence is rapidly being adopted in both business and government. Market research company Gartner forecasts the market for threat intelligence will reach $1 billion next year, up from $255 million in 2013. That will buy a lot of cheese curds.


By Tom Davis, SDI Cyber Risk Practice

June 21, 2016

Tax Policy – A Piece of the Cyber Defense Puzzle

In 1974, a 30-year-old Hungarian professor who was living with his mother invented what was to become the world’s most popular puzzle. His name? Erno Rubik. His puzzle? The famous Erno Cube. OK, actually the puzzle bears his last name, the Rubik’s Cube, a puzzle that has been sold to hundreds of millions, and in all likelihood, played by billions. The puzzle could appear to be maddeningly challenging to those for whom mathematics is a painful exercise. It was originally billed as having over three billion combinations and only one solution. But, solving it has become child’s play, thanks, in part, to devotees who have developed algorithms to make the process readily repeatable. The current listed world record for a single time on a 3×3×3 Rubik’s Cube is 4.90 seconds, faster than you can tie your shoes.

Wouldn’t it be wonderful if we could solve our cybersecurity puzzle so readily? Alas, this particular puzzle is a bit more challenging, given that the nature of the threat is evolving constantly. However, Robert Knake just posted an interesting piece on Net Politics that proposes what could be part of a solution. Fetchingly titled “Cash for Clunkers: Cybersecurity Edition,” the post begins with this: “It has long been a half hope-half joke within the cybersecurity community that the United States’ aging information technology (IT) infrastructure might be more secure than modern IT. Our collective image of hackers as young and somewhat lazy, suggests that when confronted with legacy IT systems, hackers might just decide to move on to more familiar IT environments.”

We have ample examples of breaches that make clear just how forlorn that half hope is, and Knake quickly acknowledges that fact. But he moves on to argue that we have a systemic problem with legacy systems, and that the focus on cybersecurity too often results in spending decisions that divert money that should be flowing to IT modernization efforts. He has an idea of how government could help. His solution is to develop a tax policy that incentivizes investment in new, more secure IT systems that support critical national infrastructure.

Revising tax policy won’t solve the cybersecurity puzzle in 4.90 seconds. But it could very well make a significant difference in cyber defense over time. Perhaps a wise candidate for office will pick the idea up and run with it. One can only hope.

By Tom Davis, SDI Cyber Risk Practice

June 7, 2016
