Archives for July 2016

Exploring the Cybersphere – July 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

As sizzling summer temperatures scorch much of the North American continent I hear the faint echoes of Martha and the Vandellas’ 1963 hit “Heat Wave.” So, for those of you who’ve been “Tossin’ and Turnin’,” here’s a reminder of “What’s Going On.”

How To Use Threat Intelligence Intelligently
Dark Reading

Sometimes the best threat intelligence strategy is to not bother adopting it at all. “You probably should not be using threat intelligence unless you can act on it,” Jason Trost, vice president of threat research at threat intel firm Anomali, said this week. “If you can’t act on it, it’s probably not worth consuming that data.” Trost, who was a panelist on the Collecting and Using Threat Intelligence Data panel in this week’s Dark Reading Virtual Event, was making a point about one of the biggest problems with the way organizations approach threat intelligence: they often sign up for feeds and services without the resources or mechanisms in place to actually use the resulting information they receive.

It’s Time To Think Of Cybersecurity As A Business Enabler

Last year, CIO, CSO and PricewaterhouseCoopers released a new Global State of Information Security survey, which polled more than 10,000 executives from 127 countries about IT security. The results were a mixed bag, with security incidents up 38% over 2014 but corresponding budgets rising only 24%. The survey reflected broad thinking about how companies are trying to defend themselves from hackers as well as employees, the most often cited sources of security compromises. But despite the continued growth in hacks and other security incidents, there were some important signs that security threats aren’t being taken seriously enough at the executive level. For one, the poll found that only 45% of boards participate in overall security strategy.

Why Old IT Assets Create New Security Problems
CIO Insight

If the daily drumbeat of hacks and cyber-attacks accomplishes one thing, it’s raising everyone’s anxiety level about cyber-criminals. Although outside risk is a major cause for concern, much of the potential danger resides within an organization—and this extends beyond insiders who wittingly or unwittingly breach protocols and systems. The culprit? Out-of-date and non-compliant software and hardware assets. This leaves the enterprise door wide open for outside and insider breaches, which take advantage of known flaws in software and assets. The root of the problem? Because legacy software and hardware are no longer supported by a vendor, patches and fixes aren’t available—or aren’t easily fixed.

“It’s All in the Game”
6,000-man North Korean hacker army collects $866 million per year
The Stack

Experts in South Korea estimate that North Korea’s hacker army numbers more than 6,000 people and earns $866 million US per year through online gambling websites and cyber espionage. Officials at a South Korean information security conference yesterday warned that North Korean cyber attacks have progressed from humble origins, and are becoming bigger and more daring. Yu Dong-yeol, the Director of the Korea Institute for Liberal Democracy in Seoul, estimated that the hacker army in North Korea is currently made up of 6,800 trained specialists, 1,700 of whom are categorized as ‘mission personnel’, employed at Bureau 121, the cyberwarfare division of the country’s General Bureau of Reconnaissance. The hackers run online gambling operations in addition to other businesses, including the acquisition of encrypted files which are then sold in cyber-espionage schemes. These cyber schemes earn the North Korean government a combined total close to $1 billion per year.

How Bad is the North Korean Cyber Threat?
Hack Read

A few months ago, United States General Vincent Brooks warned the Senate about the growing threat from North Korean cyber-attacks, saying, “While I would not characterize them as the best in the world, they are among the best in the world, and the best organized.” In the past, the hermit kingdom has been called one of the “least network-ready and most isolated societies on the planet,” but now, it may actually be one of the biggest threats to international cyber security. The country of 25 million people is still technically fighting the civil war that started more than 60 years ago. The regime has been imposed with heavy sanctions, and they do not provide an economy that allows most citizens to obtain the basic necessities to live. Reports say that electricity is sparse, and only lasts a few hours a day… Even the few privileged citizens who can afford consistent electricity and a computer, are forbidden from accessing the Internet. Only tourists and citizens with permission can access the internet, everyone else needs to use the “Kwangmyong” Intranet, which is completely controlled and monitored by the state.

“Another One Bites the Dust”
China hacked the FDIC – and US officials covered it up, report says
CNN Money

China’s spies hacked into computers at the Federal Deposit Insurance Corporation from 2010 until 2013 — and American government officials tried to cover it up, according to a Congressional report. The House of Representative’s Science, Space and Technology Committee released its investigative report on Wednesday. It presents the FDIC’s bank regulators as technologically inept — and deceitful. According to congressional investigators, the Chinese government hacked into 12 computers and 10 backroom servers at the FDIC, including the incredibly sensitive personal computers of the agency’s top officials: the FDIC chairman, his chief of staff, and the general counsel. When congressional investigators tried to review the FDIC’s cybersecurity policy, the agency hid the hack, according to the report.

It Don’t Mean a Thing (If It Ain’t Got That Swing)
The first big Internet of Things security breach is just around the corner
ZD Net

There was a time when the only device you had connected to your network was a PC. Then laptops with a wireless connection came along — then after that, smartphones and tablets.

But the connected revolution hasn’t ended there. Gartner estimates that currently 5.5 million new ‘things’ — devices from toasters and kettles to cars and hospital equipment — are being connected to the internet every single day, and they will total 6.4 billion by the end of the year. That figure is up from 3.8 billion in 2014, and 5 billion in 2015 and is expected to rise to over 20 billion Internet of Things (IoT) devices being connected to the web in 2020.

IOT Insecurity: Pinpointing the Problems
Threat Post

It’s a coin toss whether or not that Internet of Things device you depend on is secure. Those unacceptable 50/50 odds come from a survey by IOActive where technology professionals were asked about the security of connected devices, from thermostats and security cameras to alarm systems. Those numbers may be hard to swallow, but recent headlines concerning connected devices, sensors and controls – ranging from SCADA, IoT and M2M – suggest that what might seem like chicken-little opinions about IoT security may not be too far from the reality. A study by HP’s security unit Fortify found that 70 percent of popular consumer IoT devices are easily hackable. When Kaspersky Lab examined industrial control systems exposed to the Shodan search engine it found seven percent of 172,982 ICS components vulnerable to attack had “critical” issues. “On the IoT continuum we are about 15 percent in,” said Chris Poulin, research strategist, IBM X-Force Security. “A common refrain from the business is ‘I don’t know what I don’t know’ when it comes to IoT security. The industry is evolving. To some extent we are just trying to figure out what’s a real threat and what is fear, uncertainty, and doubt.”

By Tom Davis, SDI Cyber Risk Practice

July 26, 2016

What the Heck is BEC?

British Emporium Consultancy? Nope. Business Enterprise Controls? Closer, but no. BEC is the acronym for business email compromise. One of the contributions the era of cyber theft is making is the enrichment of the language. Phishing begot whaling, and on it goes.

A week ago my daughter casually mentioned that her boyfriend, who works as an independent contractor for a technology firm, had his IRS Form W-9 compromised. (The US Internal Revenue Service produces this form so that businesses can get information from vendors hired as independent contractors, including their social security number or taxpayer identification number). How did the compromise happen? The company’s HR director got an email from the company president, who was on vacation, stating he needed all the W-9’s immediately. The HR director promptly sent them. One might ask, as you undoubtedly are asking, why would the president want these forms? That would be the right question, one that, in this instance, did not get asked. This would be a good example of a business email compromise (BEC), a scam in which an attacker pretends to be an executive and sends a realistic-looking email to a colleague requesting a large wire transfer or sensitive company information like intellectual property or HR/payroll information.

Writing in JD Supra Business Advisor, Kathleen Porter set forth how BEC typically works. “BEC hackers and scammers involved are sophisticated—they monitor and study their victims for extended periods. They first identify the individuals at a business in finance, accounting or treasury functions who may send wire transfers. Then, they study the habits of these businesses and the individuals on LinkedIn, Facebook and other social media and wait for the right moment. Familiar BEC scams include emails from (i) a foreign supplier of a business with “new” wire transfer instructions for the next invoice payment, (ii) a traveling executive to a finance employee of the business to request an “urgent” and/or “confidential” wire transfer, (iii) the fraudster using a spoofed email to pose as a legitimate employee, customer or supplier of the business, or (iv) the fraudster posing as the attorney for the business requesting wire transfers relating to transactions or deals that are soon closing.”

BEC schemes are exploding. According to the FBI’s Internet Crime Complaint Center (IC3), $3.1 billion has been lost globally to BEC fraud. The IC3 said it has seen a 1,300 percent increase in losses from BEC attacks since January 2015. Moreover, there are recent cases suggesting that BEC approaches are now being used to deliver malware payloads as well, ratcheting up the threat level.

As it happens, even the newest of fraud schemes can be addressed by age-old advice. It may be difficult to challenge an email from a senior corporate executive, but the prudent course remains…trust, but verify.
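The BEC patterns Porter lists (an executive writing from outside the company, a mismatched Reply-To, a look-alike domain, an urgent request for wire transfers or payroll/tax paperwork) can be turned into a simple screening check a mail gateway or help desk could run. The code below is an added example, not from the original post; the company domain, executive names and sample messages are constructed.

```python
"""Screen an e-mail for the BEC indicators described in the post (constructed example)."""
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                 # assumed: the defended organisation
EXECUTIVES = {"pat president", "chris cfo"}    # assumed: names a fraudster would impersonate
URGENCY = re.compile(r"\b(urgent|immediately|confidential|asap)\b", re.I)
REQUESTS = re.compile(r"\b(wire transfer|new (bank|wire) (details|instructions)|w-9s?|payroll)\b", re.I)


def bec_indicators(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (empty list = nothing suspicious)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    text = msg.get("Subject", "") + "\n" + ("" if msg.is_multipart() else msg.get_payload())

    found = []
    # (ii)/(iii): an executive's display name on a message that did not come from the company domain
    if from_name.lower() in EXECUTIVES and from_domain != COMPANY_DOMAIN:
        found.append("executive display name on external sender domain")
    # Replies are steered to a domain other than the one the message claims to come from
    if reply_domain and reply_domain != from_domain:
        found.append("Reply-To domain differs from From domain")
    # Look-alike domain (e.g. a digit swapped for a letter), measured by string similarity
    if from_domain != COMPANY_DOMAIN and difflib.SequenceMatcher(None, from_domain, COMPANY_DOMAIN).ratio() >= 0.8:
        found.append("look-alike sender domain")
    # (i)/(ii)/(iv): the message asks for money movement or payroll/tax data, possibly under time pressure
    if REQUESTS.search(text):
        found.append("requests wire transfer or payroll/tax data")
        if URGENCY.search(text):
            found.append("urgency or secrecy pressure")
    return found


# Constructed sample messages: one modelled on the W-9 incident above, one benign
SPOOFED_MESSAGE = """From: Pat President <pat.president@examp1e.com>
Reply-To: pat.president@mail-example.net
To: hr@example.com
Subject: Urgent: W-9s

I am travelling and need all contractor W-9s immediately. Keep this confidential.
"""

BENIGN_MESSAGE = """From: Alex Admin <alex.admin@example.com>
To: hr@example.com
Subject: Lunch menu for Friday

The cafeteria menu for Friday is attached.
"""

if __name__ == "__main__":
    print(bec_indicators(SPOOFED_MESSAGE))  # five indicators
    print(bec_indicators(BENIGN_MESSAGE))   # []
```

A hit on any indicator is a reason to verify the request out of band (a phone call to the executive on a known number), which is the “trust, but verify” step the post recommends.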

By Tom Davis, SDI Cyber Risk Practice

July 19, 2016

We Can Rule Out the Hamburglar

Some stories are hard to swallow. Take for instance, fast food restaurant chain Wendy’s, which announced in January of this year that it had suffered a breach of unknown magnitude. Wendy’s hired an investigative firm, and in May indicated that about 300 of its 5,800 locations had been affected. Two months later, it appears that statement was a bit off the mark. Now Wendy’s says that 1,025 of its restaurants were affected.

Wendy’s is on record saying the breach began in the fall of 2015, when malware was installed on a point-of-sale system used in a number of its locations, apparently through the use of compromised third-party vendor credentials. Customers who ate at the compromised locations soon found the actual costs for their meals supersized. The perpetrators used the pilfered information to begin draining debit accounts. The president of the National Association of Federal Credit Unions said the Wendy’s breach was hitting credit unions harder than they were hit during the breaches of Home Depot and Target.

The credit unions criticized Wendy’s for responding too slowly to the initial breach, which Wendy’s indicated may have occurred in October 2015. First Choice Federal Credit Union sued Wendy’s in a Federal Court in Pittsburgh, Pennsylvania, claiming the fast-food chain “refused to take steps to adequately protect its computer systems from intrusion.” The suit said that Wendy’s took nearly five months to stop the data breach and that “Wendy’s systematically failed to comply with industry standards and protect payment card and customer data.” The complaint continues…“As a result of Wendy’s data breach, plaintiff and class members have been forced to cancel and reissue payment cards, change or close accounts, notify customers that their cards were compromised, investigate claims of fraudulent activity, refund fraudulent charges, increase fraudulent monitoring on potentially impacted accounts, and take other steps to protect themselves and their customers.” In addition, a class action suit was filed in Florida, claiming in part that “many retailers, banks and card companies responded to recent breaches by adopting technology that helps make transactions more secure, (but) Wendy’s has acknowledged that it did not do so.”

The Credit Union National Association joined the Pennsylvania lawsuit, raising the stakes for Wendy’s even further. It will take a while for the litigation to play out, but it’s a fair assumption that the costs for Wendy’s associated with this breach will be substantial. If the judge agrees that Wendy’s should have both prepared and responded better, we will continue to move from “buyer beware” to buyer and seller beware in cyber jurisprudence.

By Tom Davis, SDI Cyber Risk Practice

July 12, 2016

The Copernicus Effect

Nearly 500 years ago Nicolaus Copernicus published a theory that turned the world on its head. He proposed that the sun was at the center of the universe, and that the earth was a planet revolving around the sun. His heliocentric theory met with abundant skepticism, for it flew in the face of accepted scientific and religious beliefs. Copernicus was not the first to advance the theory that the sun was at the center of the universe, but his rigorous modeling made refutation more difficult, and ultimately changed the way we view the universe.

Those who cause us to look at the universe differently provide a great service, even if they do not offer the contribution of a Copernicus. In that vein I give you William H. Saito, Special Advisor to the Cabinet Office for the Government of Japan, and Vice Chairman for Palo Alto Networks Japan. Writing in Forbes, Mr. Saito suggests that far too many corporate executives and boards of directors tend to view cybersecurity as costly, complex, inefficient, and a damper on productivity. Instead, he advocates seeing cybersecurity as a profit center, in which holistic cyber solutions are used to reduce costs and increase efficiencies.

One point Mr. Saito makes is particularly salient. He notes that cybersecurity cannot be viewed simply as an IT issue. “It’s another form of risk that happens to cut across every organization. It’s also a board issue and a critical priority for management as well as shareholders. That’s an important point to make when it’s shareholder meeting season, as it is now here in Japan. Investors should be asking their companies what their cybersecurity policy is in terms of its defensive position, breach response protocols, resilience and governance and business continuity. They should also be asking how their company is using cybersecurity as an opportunity to enhance resilience, increase productivity and efficiency and what related products or services they are rolling out.”

Looking at cybersecurity as a profit center is an interesting concept. While it may not have the lasting impact of the heliocentric theory, it does offer a useful reminder that examining our beliefs can lead to progress. There is some evidence that a growing number of corporate executives are seeing cybersecurity as a way to gain competitive advantage, a claim that could turn the world of cyber risk management on its head.

By Tom Davis, SDI Cyber Risk Practice

July 5, 2016