Archives for January 2017

Exploring the Cybersphere – January 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

Who among us recalls Nellie Bly’s best seller, “Around the World in Seventy-Two Days?” I’d guess the answer would be few indeed. We do, however, have context, for the book followed Jules Verne’s masterful “Around the World in Eighty Days.” In honor of the great escapade of Verne’s hero, Phileas Fogg, today we will go around the world in roughly 80 seconds.

First, to China, where entrepreneurship is on the rise

The SEC charges three Chinese nationals with insider trading related to information that was hacked from two New York law firms

On December 27, 2016, the Securities and Exchange Commission (“SEC”) filed a complaint against three Chinese nationals, alleging that they hacked two New York-based law firms, stole material nonpublic information relating to upcoming mergers and acquisitions, and traded on that stolen information, earning approximately $3 million in illegal profits.

On To Russia, busy as ever…

Report: More cases of Russian cyberattacks come to light

CBS NEWS – U.S. government officials have been notified of new cases of attempted or potentially successful cyber intrusions, CBS News has learned. Officials would not go into specifics or reveal the number of new cases. But the revelation raises concerns that Russian cyberattacks have been more extensive than originally thought. Since the U.S. released a report on election-related cyberattacks on Thursday, a government official said more cases have come to light, CBS News’ Justice and Homeland Security correspondent Jeff Pegues reports. The intelligence information made public last week revealed some of the tools and infrastructure allegedly used by Russian hacking units. Those signatures were flagged over the weekend after officials connected with Vermont’s electric grid confirmed that malware code used in operation “Grizzly Steppe” was found on a Burlington Electric Department laptop.

Then to Italy, where the Pope seems to have faith in his cybersecurity…

People are praising Pope Francis for taking cybersecurity very seriously

He has 10.2 million followers on Twitter, opened an Instagram account last year, has met with tech executives, sold his old iPad for a good price, and addressed mankind’s pervasive use of gadgets in his teachings. You can now add cybersecurity awareness to the range of tech issues Pope Francis has addressed, even if he only inadvertently triggered online chatter about one of the most basic privacy protection techniques in the Internet age. As The Washington Post reports, a photo of Pope Francis taken in 2015, in which he was signing up for the Catholic Church’s 2016 World Youth Day event on an iPad, appears to show a sticker taped over the tablet’s camera. The Post said it has verified the photo as real.

Back in time to revisit lessons drawn from ancient Greece

The cybersecurity dilemma: Where Thucydides meets cyberspace

The great Greek historian Thucydides wrote of the Peloponnesian War, “It was the rise of Athens, and the fear this inspired in Sparta, that caused war to be inevitable.” This statement hints at a broad pattern. As nations rise, and especially as they secure themselves, they in the process threaten other nations who have no choice but to take the threat very seriously. Often, this threatening behavior is unintentional. In the time since the ancient Greeks, international relations scholars have named this idea the “security dilemma” and found it occurring time and again, both in strategic matters and at the operational level of conflict. What about in cybersecurity?

And finally, some advice for executive travelers (courtesy of a former Secret Service officer)…

A secret service agent’s guide to protecting the C-suite from hackers

Cybersecurity is on the minds of most businesses today, but there’s one area where companies often screw up: failing to protect their key executives when they’re on the move. In today’s environment, there are an abundance of well-funded and sophisticated hacking groups out there, many with nation-state or organized crime affiliations and interests, who are looking for any way possible to defraud or steal information from American business interests. Like any other criminal, hackers look for weaknesses in the security perimeter before they attack — and often, that sweet spot is to be found in the personal security of key company figures. One example is “Darkhotel,” the Korean-speaking hacking group that targeted countless business executives via hotel Wi-Fi from 2010 to 2015.

By Tom Davis, SDI Cyber Risk Practice

January 31, 2017


SEC Playing for Keeps?

The United States Senate convened for the first time on March 4, 1789, which means that on March 4 of 2017 it will celebrate its 228th birthday. Since its inception, more than 1800 people have served as senators, some remembered as political giants, many lost in the shrouds of history. But even those not destined to be remembered as giants of the Senate may have taken actions that ultimately had profound consequences for many Americans.

Note, for example, a letter sent by Virginia Senator Mark Warner asking the Securities and Exchange Commission to investigate whether Yahoo’s senior executives improperly failed to disclose its initial 500-million-customer breach in timely fashion. The issue warranted attention because the SEC, in 2011, issued a “guidance” to companies mandating that they notify the agency if a breach occurred that could have a “material adverse effect on the business.” But the SEC subsequently had failed to act against a single company for non-disclosure of a cyber incident, apparently rendering the guidance meaningless, until now.

Against all odds it appears Senator Warner’s letter was taken to heart and the SEC may have Yahoo in its sights. It is widely thought that the SEC has been looking for the right case to make clear what the guidance it issued really means. A recent Wall Street Journal article points out, “Former SEC lawyers said the Yahoo scenario appears to provide a clearer set of circumstances than past scenarios provided. If the SEC brought a case, it could make clearer to other companies what type of disclosures it views as potentially violating the law in this area. Experts also say such a case could help clarify rules over timing because the guidance doesn’t lay out detailed requirements.”

The legal problems for Yahoo extend well beyond the SEC. In its November 2016 SEC filing, Yahoo said it was cooperating with the SEC, the Federal Trade Commission and other federal, state, and foreign governmental officials and agencies, including “a number of State Attorneys General, and the U.S. Attorney’s office for the Southern District of New York.” With its pending sale to Verizon in limbo, and facing multiple investigations and adverse publicity, Yahoo’s senior management is not enjoying a good moment. But it could get far worse if the SEC does bring an action against Yahoo, for that likely would give rise to additional litigation. Stay tuned.

By Tom Davis, SDI Cyber Risk Practice

January 24, 2017


Seen This Before?

Who among us has not experienced déjà vu, the eerie feeling of being in a situation where you have already been there and done that, or, literally, of having already seen something? It is generally agreed that somewhere between two-thirds and all of humanity have had such an experience. If you haven’t, you can refer to the Denzel Washington movie Déjà Vu to get a rough idea of the concept. I point this out because I just went back through the Ponemon Institute’s Fourth Annual Study: Is Your Company Ready for a Big Data Breach? What is striking about the findings is the sense that we’ve seen this before. To wit:

Companies are not confident dealing with the most serious consequences of a data breach.

Only 41 percent of respondents say their company is able to respond to a data breach involving business confidential information and intellectual property.

Only 27 percent of respondents say they are confident in their ability to minimize the financial and reputational consequences of a material data breach.

To be effective, data breach response plans need senior level involvement.

Most boards of directors, chairmen and CEOs are not actively engaged, and avoid responsibility, in data breach preparedness. Since 2014, participants in this annual research have increasingly asked for more participation and oversight from senior executives, but it does not seem to be happening.

Fifty-seven percent of respondents say their company’s board of directors, chairman and CEO are not informed and involved in plans to deal with a possible data breach.

Only 40 percent of respondents say they want to know ASAP if a material data breach occurs.

About one-third (34 percent of respondents) say the board does understand the specific security threats facing their organization.

Only 26 percent of respondents believe the board is willing to assume responsibility for the successful execution of the incident response plan.

Updating a data breach response plan is a crucial but often missed step.

Most companies have a data breach response plan but it is not regularly reviewed. While 86 percent of respondents say their organizations have a data breach notification plan in place, only 24 percent of respondents say they have a procedure for updating their plan on a yearly basis.

As part of data breach preparedness, employee privacy and data protection awareness programs are critical to reducing the risk of employee negligence.

While more companies are offering these programs, they are often only offered during employee orientation. In 2013, 44 percent of respondents said their organizations had such awareness programs for employees and other stakeholders who have access to sensitive or confidential personal information. In 2016, this increased to 61 percent of respondents.

So where does this leave us? Possibly, that we’re not confident we can deal with the most serious consequences of a data breach, in part because senior management is not taking sufficient responsibility for planning and preparation, incident response plans are not being kept up to date, and we are not doing enough to address the area of greatest vulnerability—our employees. I’m fairly confident this is not a trick of the memory. We can look at Ponemon’s earlier studies and see the same areas called out. No wonder so many people are forecasting 2017 to be a very bad year for cybersecurity.

By Tom Davis, SDI Cyber Risk Practice

January 17, 2017

The Umpire Strikes Back

As we know, in a world staggering under a steady stream of rules and regulations, and despite well-founded concern about the growing magnitude of the cyber threat, the United States Congress has yet to adopt broad federal legislation to address it. Stepping into this breach, 47 states and the District of Columbia have created a mishmash of laws and regulations that at least tell the world someone actually cares. As others have refused to step up, one federal agency, the Federal Trade Commission (FTC), has leapt into the saddle and volunteered to lead the posse in catching some criminals and making the cyber streets safe for the good citizens of this great land.

The FTC has taken the lead in policing corporate cybersecurity practices. It has brought over 60 cases against companies for unfair or deceptive practices that endanger the personal data of consumers. Its actions have not been without controversy. When we last looked in on the FTC we noted that a U.S. Court of Appeals ruled the FTC did have the authority to regulate cybersecurity practices. Plaintiff Wyndham Worldwide subsequently settled with the FTC and agreed to upgrade its cybersecurity practices. In the aftermath of the court decision it was apparent the FTC would be even more aggressive in pursuing companies that had lax cybersecurity practices.

Last week we got another glimpse of how the FTC sees its authority and mandate. The Commission filed a lawsuit against D-Link Corp, accusing the Taiwan-based manufacturer of failing to take reasonable steps to protect its routers and internet-linked security cameras from hackers. That’s right, the FTC is now going after the Internet of Things (IoT). This suit appears to be a step toward a larger effort to improve the security of internet-connected devices, including routers, webcams, digital video recorders, and other widely used consumer electronics devices.

The lawsuit alleges “thousands of Defendants’ routers and cameras have been vulnerable to attacks that subject consumers’ sensitive personal information and local networks to a significant risk of unauthorized access. In fact, the press has reported that Defendants’ routers and cameras have been vulnerable to a range of such attacks and have been compromised by attackers, including by being made part of large scale networks of computers infected by malicious software, known as ‘botnets.’”

In a cyber land filled with lots of bad guys, someone has to be the good guy. It looks like the FTC aims to fill that role. It has brought other enforcement actions against IoT providers, and likely will bring more. But it’s also taking a more unusual approach. It just invited the public to create a solution that will protect consumers and their homes from IoT security vulnerabilities, and is offering a $25,000 cash reward to whoever comes up with the best solution.

It will pay to continue to keep an eye on the FTC. It appears they intend to use their powers to make a real difference in cybersecurity, which is an interesting and welcome development.

By Tom Davis, SDI Cyber Risk Practice

January 10, 2017

2017, A Dangerous Prediction

Astrologer and physician Michel de Nostradame was born in the south of France in December of 1503. A precocious youth, who demonstrated the benefits of home schooling, he entered the University of Avignon to study medicine at the age of 14. When he got his license to practice, he followed custom and adopted the Latin version of his name…and became Nostradamus. In middle age he turned to the occult, and became famous for his prophecies, which he published in 1555 in a book titled The Prophecies. He is known to have gotten at least one prediction right, accurately forecasting on the night he died that he would not live to see the morning, but he is also credited with predicting such events as the rise of Hitler, both world wars of the last century, and the 9/11 attack on the World Trade Center. As 2017 debuts, we will start with a prediction of our own. In the cyber world, things will get worse before they get better. Here’s one possibility.

Ransomware will rule

The use of ransomware is rapidly rising. Hackers get access to a business’s or individual’s servers and encrypt the data. The hackers then demand a ransom. Once infected, the victim is faced with a bit of a Hobson’s choice: either pay the ransom or lose the files forever. Attacks mushroomed in 2016, with ransomware variants proliferating. The FBI estimated cybercriminals earned over a billion dollars from ransomware during 2016. But that number may rise dramatically this year.

CSO online says cyber experts predict the next level of ransomware will be far worse. It quotes Corey Nachreiner, CTO at WatchGuard Technologies, who sees a worm about to turn. “Nachreiner expects cybercriminals will mix ransomware with a network worm. Years ago, network worms like CodeRed, SQL Slammer, and more recently, Conficker were pretty common. Hackers exploited network vulnerabilities and tricks to make malware automatically spread itself over networks.” Per Nachreiner, “Now, imagine ransomware attached to a network worm. After infecting one victim, it would tirelessly copy itself to every computer on your local network it could reach….Whether or not you want to imagine such a scenario, I guarantee that cyber criminals are already thinking about it.”

Cyber criminals will find diabolical ways to use ransomware in 2017. For example, a recently discovered piece of ransomware called Popcorn Time offers victims an alternative to paying up, rewarding them if they become accomplices by successfully infecting two other devices with the ransomware. Pass it on. 2017 will be a year of living dangerously.

By Tom Davis, SDI Cyber Risk Practice

January 3, 2017