Archives for February 2017

Exploring the Cybersphere – February 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

For many, February is a month whose primary virtue is that in most years it lasts only 28 days. I suspect, if put to a vote, the overwhelming majority of people in the Northern hemisphere would rather tack the extra day bequeathed to February every four years onto another month, say June, for instance. But February does have some peculiar attractions. For example, on the last Saturday of the month it hosts Open That Bottle Night, started by a husband and wife team of wine critics who wrote an excellent column titled “Tastings” for the Wall Street Journal. A good bottle of wine is useful in putting February in a far better light. Let’s add some music as we look at the stories that made news in the cyber world during the month of February 2017.

Rain Drops Keep Fallin’ On My Head

Shipping industry vulnerable to cyber attacks and GPS jamming


The shipping industry is increasingly at risk from cybersecurity attacks and a gap in insurance policies is leaving them vulnerable, industry experts …

Another One Bites The Dust

TalkTalk boss Dido Harding quits 18 months after huge cyber attack

Evening Standard

The boss of TalkTalk is leaving less than 18 months after the broadband giant was hit by one of the most devastating cyberattacks in British corporate …

Whole Lot Of Shakin’ Goin’ On

Attention to cyber-security is becoming daily routine in the C-suite

SC Magazine

“Attackers aren’t bound by borders or country,” he says adding that the key point in fostering better cooperation on cyber-security is this: How do you …

Firms split on who handles aftermath of cyber-attacks

Large companies are confused about who should be in charge of dealing with the aftermath of cyber-attacks, according to new research. The study by BAE Systems suggests senior managers expect IT staff to deal with data breaches, but technology bosses feel it should be board members. The confusion could make firms more vulnerable to attacks, said BAE. Both camps also had widely different estimates of how much a breach could cost, according to the research. “Both sides seem to think that it’s the other’s responsibility when it comes to a successful breach and that reflects a gap in understanding,” said Dr Adrian Nish, head of the cyber-threat intelligence unit at BAE Systems. The research had responses from 984 IT managers and 221 executives from Fortune 500 companies across the world.

It’s All In The Game

Experts at RSA offer up their best cybersecurity advice

Come to the RSA show, and you’ll find plenty of cybersecurity technology. The top vendors from across the industry are here, showing products for fighting ransomware, preventing data breaches and more. But even the best security software is useless if users and businesses aren’t taking the right steps to protect themselves. So we asked experts at the show for their best cybersecurity tips.

Winners and Losers at RSA’s Cyber-Security Extravaganza


Five go-go days and nights at the RSA conference in San Francisco showed why cyber-security is the biggest story in tech right now as businesses …

By Tom Davis, SDI Cyber Risk Practice

February 28, 2017


Readers Digest The Assault of the Secret Squirrel

Ah, the dwindling days of February, when life begins to stir anew across the northern climes. Days grow longer, birds sing stronger, and spring hints at its arrival. Baseball fans revel in the thought of pitchers and catchers reporting, golfers sneak in the odd round and begin to think of the Masters, basketball fans turn their thoughts to season-ending tournaments and the upcoming madness of March, and cybersecurity fans eagerly pore over the latest edition of Verizon’s Data Breach Digest.

Within the pages of Verizon’s Data Breach Digest we can devour the story of “The Hot Tamale,” chew on the details of the “Fetid Cheez,” chill on the story of “The Polar Vortex,” and surrender to the tale of “The Golden Fleece.” As one might surmise from the names of the schemes disclosed in Verizon’s report, the authors had some fun in creatively describing actual scenarios drawn from incident investigations conducted by Verizon. Basically, Verizon extrapolates from its data to create a series of scenarios that demonstrate the kinds of incidents organizations must guard against. Verizon’s premise is that there are predictable combinations of cyber attack characteristics, and that by preparing for the kinds of incidents it portrays, organizations can most effectively use their resources.

This year’s report offers four scenario groupings. They are “The Human Element,” focusing on human-related threat actors or victims, “Conduit Devices,” looking at device misuse or tampering, “Configuration Exploitation,” covering reconfigured or mis-configured settings, and “Malicious Software,” whose name pretty much gives away the threat category.

Here’s a snippet from what the report terms an “Internet of Things (IoT) Calamity, The Panda Monium,” involving an incident at a university campus. “The name servers, responsible for Domain Name System (DNS) lookups, were producing high-volume alerts and showed an abnormal number of subdomains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped, preventing access to the majority of the internet. While this explained the ‘slow network’ issues, it raised much more concerning questions. From where were these unusual DNS lookups coming? And why were there so many of them? Were students suddenly interested in seafood dinners? Unlikely….

Within hours, I had more feedback than I could handle and began the review process. The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. With a massive campus to monitor, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies. While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet.”

The preceding describes a threat of growing magnitude. In fact, the totality of Verizon’s Data Breach Digest offers a useful and interesting look at the cyber threats we face, and is well worth reading. As you read, do be wary of “The Assault of the Secret Squirrel.”
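The investigation quoted above boils down to a detection a network defender can automate: bucket outbound DNS queries per source host into 15-minute windows, flag hosts whose volume or subdomain count is abnormal, and check whether those hosts live on the IoT segment and are using a resolver outside it. The block below is an added example, not Verizon’s code; the log format, the IoT subnet, the threshold and the sample log lines are all constructed assumptions.

```python
from collections import defaultdict
import ipaddress

# Added example, not Verizon's code. Log lines are a constructed simplification:
#   <epoch_seconds> <src_ip> <resolver_ip> <queried_name>
IOT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")  # assumed IoT segment
WINDOW = 15 * 60                                      # the report's 15-minute bucket
THRESHOLD = 100                                       # lookups per window per host

# Constructed sample: two IoT devices each making 150 lookups for seafood-themed
# subdomains in one window, plus one ordinary workstation making two lookups.
SAMPLE_LOG = "\n".join(
    [f"{1000 + i} 10.50.1.{7 + i % 2} 10.10.0.53 sub{i}.seafood.example"
     for i in range(300)]
    + ["1000 10.20.3.4 10.20.0.53 www.example.edu",
       "1500 10.20.3.4 10.20.0.53 mail.example.edu"]
)

def parse(log_text):
    """Yield (timestamp, src, resolver, name); malformed lines are skipped."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            ts, src, dst, name = parts
            yield int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), name

def find_noisy_hosts(log_text, threshold=THRESHOLD):
    """Return {src_ip: finding} for hosts exceeding `threshold` lookups in any
    15-minute window: peak count, distinct names (the report's 'abnormal number
    of subdomains' signal), IoT-segment membership, and whether the host uses a
    resolver outside that segment, the isolation failure the report describes."""
    counts = defaultdict(int)      # (src, window_start) -> lookups
    names = defaultdict(set)       # src -> distinct names queried
    resolvers = defaultdict(set)   # src -> resolvers contacted
    for ts, src, dst, name in parse(log_text):
        counts[(src, ts - ts % WINDOW)] += 1
        names[src].add(name)
        resolvers[src].add(dst)
    findings = {}
    for (src, _), n in counts.items():
        if n < threshold:
            continue
        key = str(src)
        findings[key] = {
            "peak_lookups": max(n, findings.get(key, {}).get("peak_lookups", 0)),
            "distinct_names": len(names[src]),
            "iot_segment": src in IOT_SEGMENT,
            "resolver_outside_segment": src in IOT_SEGMENT
            and any(r not in IOT_SEGMENT for r in resolvers[src]),
        }
    return findings
```

Run against the sample, the two IoT devices are flagged with 150 lookups each and the workstation is not; in production the same shape of query runs over firewall or resolver logs, and the `resolver_outside_segment` flag is the configuration error to chase.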

By Tom Davis, SDI Cyber Risk Practice

February 21, 2017


Here’s Whose Valentine You Don’t Want to Be

On Valentine’s Day in 1929, several members of Al Capone’s gang dressed as police officers stopped by archrival Bugs Moran’s headquarters on North Clark Street in Chicago, and delivered a Chicago gangster’s version of a valentine. They lined up seven of Moran’s men against a wall, and shot them. The moment became memorialized as the St. Valentine’s Day Massacre. The savage event was huge news, and people devoured stories about the massacre, at a distance, and safely.

Fast forward to this Valentine’s Day, and the news of the moment is the resignation of National Security Advisor Michael T. Flynn. Huge news, people are devouring stories, but perhaps not so safely. For example, the New York Times and Newsmax Media have been victimized by quoting tweets from a fake Twitter account purporting to be Flynn’s and discussing his resignation. Why is this a cybersecurity problem? Read on.

Amidst non-stop use of the term “fake news” comes this story from Tech Republic: “Extra, extra! That fake news story might come with malware.” As the story notes, we have a tendency to avidly follow significant news stories, and cyber criminals use that tendency to great advantage, by incorporating either a real-news article or a fake-news article based on breaking news as an email attachment, or placing a banner bordering an article calling attention to it in a way intended to lure potential victims. Once they get your attention they either work to get you to exchange sensitive information or create an opportunity for an attacker to download malware to your system.

James Scott, Senior Fellow at the Institute for Critical Infrastructure Technology, offers an essay that points out “…news was the most common social engineering lure in 2014. Cyber-adversaries capitalized on high-profile natural disasters, global events, celebrity gossip, and buzz-worthy headlines. The Sochi Olympics, the World Cup, the death of Robin Williams, the leak of celebrities’ private photos from the iCloud, and other stories were used by APTs and cybercriminals to spread malware to victim systems via email, watering-hole sites, and malicious advertisements.” Rest assured, news remains a key tool for cyber criminals.

Scott’s essay goes into some detail about what is known about several foreign adversaries who are making great use of fake news, and is well worth reading. Today’s attacks are infinitely more subtle than Al Capone’s, but potentially every bit as deadly.

By Tom Davis, SDI Cyber Risk Practice
February 14, 2017

Gone In .029 Seconds

Some years ago Nicolas Cage starred in a movie titled “Gone in Sixty Seconds.” Cage played Memphis Raines, a retired master car thief who is forced to return to the car theft business. The title offers some insight into how long it takes Memphis Raines to boost a car. Memphis was a master at stealing cars, but he’d have to improve his time to get into the password hacking business.

SplashData just produced its annual list of worst passwords, and not surprisingly, the two most commonly used passwords are “password” and the ever popular “123456.” I say not surprisingly, because the same passwords have been at the top of the list of worst passwords year in and year out. Apparently, some significant numbers of people believe they are impervious to attack, or are unlikely to be victimized and are willing to accept the risk, or, for some reason, the possibility of being compromised never even occurs to them.

Of course, there are people who see the folly of simply using password, or 123456, so they go the extra inch. SplashData’s sixth annual Worst Passwords report, which is compiled from more than five million passwords leaked during the year, indicates there are three variations of “password” regularly used by people, including “passw0rd” and “password1.” People also throw off would-be attackers by throwing in additional digits, so they use “123456,” or “1234567.” Shockingly, those sophisticated upgrades do not always work.

According to Morgan Slain, CEO of SplashData, Inc., “Making minor modifications to an easily guessable password does not make it secure, and hackers will take advantage of these tendencies. Our hope is that by researching and putting out this list each year, people will realize how risky it is to use these common logins, and they will take steps to strengthen their passwords and use different passwords for different websites.”

Even the best of passwords may not withstand a determined attack. But simpler passwords take no time at all to crack. If you are curious, there are several sites that allow a person to check the relative strength of a password. One interesting exercise is to go to Random ize and try out a password. The site calculates the time it would take to crack your password assuming the hacker is using a brute force attack method, which is simply trying every possible combination there could be. Note this is not the fastest method of cracking a password, but it is, well, brutally effective.
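The arithmetic behind those calculators, and the reason Morgan Slain’s warning about “minor modifications” matters, is shown in the added example below (not SplashData’s or Random ize’s code). It computes the brute-force keyspace from the character classes a password uses, divides by an assumed guess rate, and, separately, treats anything on a small constructed list of common passwords, or a digit-padded or 0-for-o variant of one, as effectively instant, because those fall to a dictionary long before brute force is needed.

```python
import string

# Added example, not SplashData's or Random ize's code. The guess rate and the
# common-password list are constructed assumptions for illustration.
GUESSES_PER_SECOND = 1e10   # assumed offline brute-force rate; tune to your threat model

# Constructed list in the spirit of SplashData's report: the entries the post
# names plus digit-padded variants. A real check uses a large breached corpus.
COMMON_PASSWORDS = {"password", "123456", "passw0rd", "password1", "1234567", "12345678"}

CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation]

def keyspace(password):
    """Alphabet size (sum of the character classes present) raised to the length."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    return alphabet ** len(password)

def brute_force_seconds(password, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust the keyspace, the figure a brute-force calculator shows."""
    return keyspace(password) / rate

def estimate(password, rate=GUESSES_PER_SECOND):
    """Return (seconds, reason). A common password, or one differing from a common
    password only by trailing digits or a 0-for-o swap, is rated instant: a dictionary
    run finds it, and the brute-force figure alone badly overstates its strength."""
    base = password.lower().rstrip(string.digits)
    candidates = {password.lower(), base, base.replace("0", "o")}
    if candidates & COMMON_PASSWORDS:
        return 0.0, "common password or trivial variant: dictionary, not brute force"
    return brute_force_seconds(password, rate), "brute-force estimate"

def humanize(seconds):
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.3g} seconds"

if __name__ == "__main__":
    for pw in ("password1", "passw0rd", "1234567", "Gv7#kLp2$qW"):
        secs, why = estimate(pw)
        print(f"{pw:12} {humanize(secs):>14}  ({why})")
```

The 11-character mixed-class sample password is the only one that earns a brute-force estimate measured in years; every variant the post lists is rated instant regardless of the guess rate, which is the point Slain makes.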

For those of you who put the time and effort into developing and using a variety of sophisticated passwords, it’s an imperfect solution but far superior to the baseline alternative. For the rest of us, two words—multi-factor authentication.

By Tom Davis, SDI Cyber Risk Practice

February 7, 2017