Archives for September 2016

Exploring the Cybersphere – September 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

“Try to remember the kind of September
When life was slow and oh so mellow”

– (from the musical comedy The Fantasticks)

“E.T. Phone home (but use a landline, it’s safer)”

Mobile device infections rose 96 percent in the first half of 2016
Help Net Security

After examining general trends and statistics for malware infections in devices connected through mobile and fixed networks, Nokia found a sharp rise in the occurrence of smartphone malware infections in the first half of the year. Smartphone infections nearly doubled between January and July compared to the latter half of 2015, with smartphones accounting for 78 percent of all mobile network infections. The malware infection rate hit an all-time high in April, with infections striking 1.06 percent of all mobile devices tracked. Devices running Android were the most targeted mobile platform by far, representing 74 percent of all mobile malware infections. “Today attackers are targeting a broader range of applications and platforms, including popular mobile games and new IoT devices, and developing more sophisticated and destructive forms of malware. Nokia’s network-based security solution is the best approach to address this growing threat to all types of devices. It detects and prevents malware activity that device-based solutions may miss,” said Kevin McNamee, head of the Nokia Threat Intelligence Lab.


New Malware Targets Android Banking Apps, Cybersecurity Group Says
Wall Street Journal

Cybersecurity researchers said they have discovered a new type of malicious software that circumvents security features on version 6 of the Android mobile-phone operating system, allowing criminals to infiltrate banking apps and steal credit-card details.

Your Biggest Cybersecurity Weakness Is Your Phone
Harvard Business Review

Executives are wrestling with managing a proliferation of devices, protecting data, securing networks, and training employees to take security seriously. In our Tech Pro Research survey of chief information officers, technology executives, and IT employees, 45% of respondents saw mobile devices as the weak spot in their company’s defenses. (Employee data was cited by 37%, followed by wireless access of networks at 34% and bring-your-own-device efforts at 29%.) Meanwhile, the potential for mobile attacks continues to expand. In July, comScore reported that half of all digital time was spent on smartphone apps, and 68% of time was spent on a mobile device. If mobile security isn’t a problem for your company yet, it will be.

Consider the following recent events:

  • A flaw called “Quadrooter” left more than 900 million Android devices vulnerable to attacks. The code was published online. Google has since patched Android.
  • Pokémon Go became a global phenomenon, but people in regions without the game downloaded it from unauthorized marketplaces, exposing their devices to malicious attacks.
  • Researchers at Binghamton University found that wearable devices and smartwatches can give away PINs and passwords through an algorithm that has 80% accuracy on the first try and 90% after three attempts.

Securing mobile devices is tricky. Android is a fragmented mobile operating system. Security researchers are anticipating more attacks on Apple’s iOS. Employees lose their devices and can be lax with security compliance. Toss in people bringing their own unsupported devices to work and you can see why security executives are stressed.

“Darn those pesky employees…”

The Biggest Cybersecurity Threats Are Inside Your Company
Harvard Business Review

When security breaches make headlines, they tend to be about nefarious actors in another country or the catastrophic failure of technology. These kinds of stories are exciting to read and easier for the hacked company to admit to. But the reality is that no matter the size or the scope of a breach, usually it’s caused by an action, or failure, of someone inside the company. The role that insiders play in the vulnerability of all sizes of corporations is massive and growing. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors. IBM Security research also found that health care, manufacturing, and financial services are the top three industries under attack, due to their personal data, intellectual property and physical inventory, and massive financial assets, respectively. However, while industries and sectors differ substantially in the value and volume of their assets and in the technology infrastructures they have to manage and defend, what all businesses have in common is people — all of whom have the potential to be an insider threat.

Insider Incidents Cost Companies $4.3 Million Per Year On Average
Dark Reading

Careless users and contractors continue to be the biggest source of insider incidents at most organizations. But external attackers posing as legitimate users via stolen credentials can cause far more financial damage, a new survey by the Ponemon Institute shows. Ponemon polled 280 IT and security practitioners from 54 medium-to-large organizations between April and July this year. The findings show that nearly four years after Edward Snowden’s famous data leaks, the insider threat remains as intractable a problem as ever for many organizations. The survey, sponsored by security vendor Dtex, reports a total of 874 insider incidents across respondent organizations over the past 12 months. A total of 568 of those incidents were caused by employee or contractor negligence, 191 were tied to malicious employees and criminals, while 85 were caused by outside imposters with stolen credentials.

So much for counter-phishing training: Half of people click anything sent to them
Ars Technica

Security experts often talk about the importance of educating people about the risks of “phishing” e-mails containing links to malicious websites. But sometimes, even awareness isn’t enough. A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages—even though most of them claimed to be aware of the risks. The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr. Zinaida Benenson, revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1,700 test subjects—university students—from fake accounts… “The overall results surprised us, as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links,” Dr. Benenson said in a FAU posting on the research. “And only 20 percent from the first study and 16 percent from the second study said that they had clicked on the link.” But in fact, of those claiming they were security savvy, “we found that 45 and 25 percent respectively had clicked on the links,” Dr. Benenson said.

“Can’t we all just get along?”

The Cold War is over. The Cyber War has begun.
The Washington Post

Contemplating Russian nuclear threats during the Cold War, the strategist Herman Kahn calibrated a macabre ladder of escalation, with 44 rungs ranging from “Ostensible Crisis” to “Spasm or Insensate War.” In the era of cyberwarfare that’s now dawning, the rules of the game haven’t yet been established with such coldblooded precision. That’s why this period of Russian-American relations is so tricky. The strategic framework that could provide stability hasn’t been set. Russian hackers appear to be pushing the limits. In recent weeks, the apparent targets have included the electronic files of the Democratic National Committee, the private emails of former secretary of state Colin Powell, and personal drug-testing information about top U.S. athletes. The Obama administration is considering how to respond. As in most strategic debates, there’s a split between hawks and doves. But there’s a recognition across the U.S. government that the current situation, in which information is stolen electronically and then leaked to damage and destabilize U.S. targets, is unacceptable. “A line has been crossed. The hard part is knowing how to respond effectively,” argues one U.S. official. Retaliating in kind may not be wise for a country that is far more dependent on its digital infrastructure than is Russia. But unless some clear signal is sent, there’s a danger that malicious hacking and disclosure of information could become the norm.


Cybersecurity is threatening America’s military supremacy
Tech Crunch

The sparsely populated Spratly Islands, a collection of hundreds of islands and reefs spread over roughly 165,000 square miles in the South China Sea, are very quickly becoming the center of one of the most contentious international disputes between world powers since the fall of the Soviet Union. Alarmingly, the use of cyber attacks in this dispute suggests we might already be in the midst of a new Cold War playing out in cyberspace — where America’s advantage is not as clear as it is with conventional armies and navies. The Spratly Islands are of economic and strategic importance. All of the countries in the region — including China, Vietnam and the Philippines — have made competing territorial claims to the region. In recent years, China has become increasingly aggressive in its claim, rapidly building artificial islands while also conducting military operations in the area. Beyond this conventional military buildup, however, are complex and brazen cyber attacks by China that are leaving America and its allies increasingly concerned.

Asia hacking: Cashing in on cyber crime
Financial Times

On a quiet Sunday in May, as dawn was breaking over Tokyo, a 100-strong army of hooded “withdrawal mules” rolled up at convenience stores across Japan and began a bank robbery that the country had never imagined possible. “Heaven”, as Japan is known to this new generation of robber-hackers, had just been ransacked — heralding an era in Asian cyber crime where thieves can turn a hack into cash almost instantly. Exactly three hours, 14,000 ATM cash withdrawals and ¥1.8bn ($18m) of theft later, the gang stopped work and melted away, the only immediate trace being some ill-defined CCTV footage and virtual footprints to credit card data stolen from a bank in South Africa. Cyber security is a growing concern globally but it is creating particular anxiety in Asia after a flurry of attacks affecting Bangladesh, the Philippines, Taiwan, Thailand and Vietnam. Experts say the spike is driven partly by growing political tensions, such as China’s dispute with its neighbors over islands in the South China Sea, but the other key trigger is the attraction of increasingly lucrative, but patchily defended, banks and companies.

Opinion: How the South China Sea fight could go digital
Christian Science Monitor

After The Hague ruled in July against China’s territorial claims in the South China Sea, the world has been watching to see how Beijing will react. While it’s unlikely China will risk starting a war with the US and the West with any kind of physical strike, Beijing may look to its growing capabilities in the virtual realm – cyberspace – as a lower-cost and lower-risk way to achieve its territorial goals, solidifying claims in the East and South China Seas. It’s a strategy that would allow China to operate nonlinearly across physical and virtual domains, taking a page from Russian President Vladimir Putin’s playbook by using measures short of war to establish greater control over nearby states and territories.

Obama warns of cyber ‘arms race’ with Russia

President Barack Obama issued a subtle warning to Russia on Monday, noting that the United States has “more capacity than anybody, both offensively and defensively” when it comes to cyber weapons. The remarks, made to reporters following the G-20 conference in Hangzhou, China, come amid signs of growing Russian interference in the Nov. 8 presidential election. U.S. officials have already pointed fingers at Russia for the recent breach of the Democratic National Committee’s servers, albeit anonymously, and law enforcement and intelligence agencies are reportedly concerned about a broader attempt by the Kremlin to disrupt or undermine the process. The administration has faced pressure to publicly attribute those attacks to Russia, but Obama declined to do so explicitly, citing “specific investigations that are still live and active.”

“If you think the present state of cybersecurity is bleak…”

Quantum computing has the cybersecurity world white-knuckled
Computer World

As quantum computers inch closer to reality, experts are sweating over their potential to render many of today’s cybersecurity technologies useless. Earlier this year the U.S. National Institute of Standards and Technology issued a call for help on the matter, and this week the Global Risk Institute added its voice to the mix. Because of quantum computing, there’s a one-in-seven chance that fundamental public-key cryptography tools used today will be broken by 2026, warned Michele Mosca, co-founder of the University of Waterloo’s Institute for Quantum Computing and special advisor on cybersecurity to the Global Risk Institute. By 2031, that chance jumps to 50 percent, Mosca wrote in a report published Monday.

Data Manipulation: An Imminent Threat
Dark Reading

An approaching cyber storm—one capable of unleashing unprecedented chaos—is looming on the horizon of the United States’ public and private sectors. Although experts warn that attackers are poised to launch sophisticated campaigns designed to manipulate financial, healthcare, and government data beyond recognition, our critical industries remain largely unprepared for these potentially destructive attacks. To date, those capable of conducting malicious cyber operations have been intent upon stealing personal, health, education, and financial information and pilfering the precious intellectual property of leading defense, technology, and manufacturing corporations. Their motive: to spread chaos. At separate events in August, I listened as General Gregory Touhill, just named by the White House as the first federal chief information security officer, and Theresa Payton, a former White House CIO, cautioned that data manipulation attacks are coming. Assuredly, the cyber threat landscape is about to shift dramatically.

“And, finally, who can you trust?”

Is Your Printer About To Launch A Cyber Attack?
Minute Hack

Businesses across the UK are beginning to make significant investments in their security efforts following recent high profile data breaches that have hit businesses at a global level. Many businesses are set up with a printer per desk or team, but owners are unaware that having departmental printers sprinkled throughout an office can be an easy source for a data breach. Unbeknownst to many in an office environment, modern printers now contain a wealth of confidential data, in both electronic and hard copy format, making them vulnerable to attack.


By Tom Davis, SDI Cyber Risk Practice

September 27, 2016

New Cyber Reg May Make Some Senior Execs Uneasy

Uneasy Lies the Head That Wears a Crown
– William Shakespeare
Henry IV. Part II, 1597

Last week, New York Governor Andrew Cuomo issued a proposed cybersecurity regulation for banks and insurers operating in New York. The proposed regulation appears to be the first of its kind in the U.S., but is not likely to be the last. It requires banks, insurance companies, and other financial services institutions regulated by the New York Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure safety within New York’s financial services industry.

The proposal is interesting in many aspects. It allows firms to create and enforce their own programs as long as they meet minimum certification standards. It stipulates several functional requirements, stating “The cybersecurity program shall be designed to perform the following core cybersecurity functions:

(1) identify internal and external cyber risks by, at a minimum, identifying the Nonpublic Information stored on the Covered Entity’s Information Systems, the sensitivity of such Nonpublic Information, and how and by whom such Nonpublic Information may be accessed;

(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

(5) recover from Cybersecurity Events and restore normal operations and services; and

(6) fulfill all regulatory reporting obligations.”

The proposed regulations also require annual risk assessments and penetration testing, hiring a chief information security officer (CISO), encryption of all nonpublic information transmitted to a bank or stored by it, identifying and limiting third-party risks, restricting access to information, and using multi-factor authentication. Significantly, they also require employee training in cybersecurity to prevent human errors, recognizing the enormous vulnerability associated with this issue.

There is one additional requirement that bears watching. The proposed cyber regulations contain a requirement that either the board of directors or a senior officer certify that the company is in compliance with the regulations. That requirement would appear to open these individuals up to liability charges if an incident occurs and the company is found to have failed to meet the regulatory standards. It will be most interesting to see who actually ends up signing the certifications, and just how rigorous compliance efforts become before submissions are due.

By Tom Davis, SDI Cyber Risk Practice
September 20, 2016

Pegasus Wings Its Way Around the World

“But when Perseus had cut off the head of Medousa (Medusa) there sprang from her blood stout-hearted Khrysaor (Chrysaor) and the horse Pegasos so named from the springs (pegai) of Okeanos (Oceanus), where he was born.”
– Hesiod, Theogony 280 ff (trans. Evelyn-White) (Greek epic C8th or C7th B.C.)

The famous winged horse Pegasus, thundering stallion of Zeus, is a transcendent figure in Greek mythology. What may be slightly less known is that Pegasus was commemorated as the constellation of stars bearing the same name. Its rising marks the arrival of spring and, in Greece, of seasonal thunderstorms. Thus, it is ironic that Pegasus is now raining on Apple’s parade.

Apple users have long felt, with some justification, that their Apple products, and particularly their iPhones, were safer than alternative products. But a recent attack has laid bare Apple’s vulnerabilities and jolted the Apple community. According to a report by Lookout, a San Francisco based security company that participated in discovering and addressing the Pegasus exploit, “This Pegasus is professionally developed and highly advanced in its use of zero-day vulnerabilities, code obfuscation, and encryption. It uses sophisticated function hooking to subvert OS- and application-layer security in voice/audio calls and apps including Gmail, Facebook, WhatsApp, Facetime, Viber, WeChat, Telegram, Apple’s built-in messaging and email apps, and others. It steals the victim’s contact list and GPS location, as well as personal, Wi-Fi, and router passwords stored on the device.”

Mike Murray, research lead at Lookout, was quoted in Fortune as saying “This changes mobile. For the first time, iOS is vulnerable—people can no longer rely on ‘Apple will protect me.’” Fortune reports “He added that Pegasus is notable because most of the big security scares involving mobile have until now been theoretical—whenever someone has discovered a major vulnerability, there typically is little evidence the exploit was widely used for nefarious purposes.”

This Apple exploit should serve as a reminder to all of us that the smart phones we carry actually are very powerful computers, and our increasing reliance on them carries with it a risk that requires attention to good practices that will help mitigate that risk. Here’s an interesting look at the issue courtesy of Risk Management magazine.

If there’s a sunny note to end on, it may be this. I’ve seen estimates that around 2 percent of U.S. smartphones may be infected with malware, in sharp contrast to estimates of up to 40 percent of smartphones infected in Russia and China. This is a good race to trail in rather than lead.

By Tom Davis, SDI Cyber Risk Practice
September 13, 2016

Cyber Theft is on a SWIFT Pace

“I returned, and saw under the sun, that the race is not to the swift…”
-Ecclesiastes 9:11
King James Version

With apologies, it appears there is a race to the SWIFT underway, as cybercriminals target the global financial messaging system. Brussels-based SWIFT (Society for Worldwide Interbank Financial Telecommunication), a member-owned cooperative, operates a network used by financial organizations to process transactions. Its messaging platform is used by 11,000 banks and other institutions around the world, processes billions of dollars of transactions daily, and is a critical part of the global financial system.

SWIFT has been beset with security breaches. In a widely publicized sequence, theft of $12 million from Ecuador’s Banco del Austro in 2015 was followed by the theft of $81 million from the Bangladesh Central Bank in February 2016. But that may have been the tip of the iceberg. It appears several other attacks have occurred, and the targeting of SWIFT continues.

Reuters just reported that SWIFT sent a private letter to clients that “disclosed new hacking attacks on its member banks as it pressured them to comply with security procedures instituted after February’s high-profile $81 million heist at Bangladesh Bank.” The letter suggests the attacks were of an advanced nature, targeted to vulnerabilities in obsolete systems at local client premises, and said the attacks are expected to continue. SWIFT imposed a deadline of Nov. 19 for compliance with new security requirements for its members, and, interestingly, threatened to report non-complying firms to regulators if they fail to adopt the required security features.

The biggest concern associated with the attacks on SWIFT is the danger they pose to the stability of the global financial system. SWIFT’s threat to publicly shame firms that do not comply with its enhanced security requirements makes clear how seriously SWIFT takes this problem. It behooves all of us to pay attention to the next chapter in this story.

By Tom Davis, SDI Cyber Risk Practice
September 6, 2016