Archives for May 2017

Exploring the Cybersphere – May 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

As May prepares to give way to the promise of the month of June, it’s time to look back at some of the cyber stories that dominated the headlines during the month. The month begins with May Day, a tradition handed down from ancient times, when children dance around maypoles, festooned with flower crowns. The ancient rites celebrated the end of winter, and the dawn of a new season, a time to have hope. Locals could brag about who had the biggest maypole, perhaps the beginning of another practice that lasts to this day. As it happens, May Day is an apt characterization of the month’s cyber events, particularly if said three times in rapid succession.

The Beat Goes On

Cyberattacks involving extortion are on the up, Verizon says

Cyberattacks involving ransomware — in which criminals use malicious software to encrypt a user’s data and then extort money to decrypt it — increased 50 percent in 2016, according to a report from Verizon Communications Inc. And criminals increasingly shifted from going after individual consumers to attacking vulnerable organizations and businesses, the report said. Government organizations were the most frequent target of these ransomware attacks, followed by health-care businesses and financial services, according to data from security company McAfee Inc., which partnered with Verizon on the report published Thursday. Ransomware attacks have grown along with the market for bitcoin, the digital currency in which cybercriminals most commonly demand that ransoms be paid because of its anonymity. While overall most malware was delivered through infected websites, criminals increasingly turned to phishing — fraudulent emails designed to get a user to download attachments or click on links to websites infected with malware — to carry out attacks. A fifth of all malware raids began with a phishing email in 2016, while fewer than 1 in 10 did the year before, according to the report.

Cybercriminals breached over a billion accounts last year

Cybercriminals had a very good year in 2016 — and we all paid the price. These digital bandits became more ambitious and more creative and that resulted in a year marked by “extraordinary attacks,” according to the 2017 Internet Security Threat Report from Symantec. “Cyber crime hit the big time in 2016, with higher-profile victims and bigger-than-ever financial rewards,” the report concluded.

And The Beat Goes On

World reels from massive cyberattack that hit nearly 100 countries

Organizations around the world were digging out Saturday from what experts are calling one of the biggest cyberattacks ever. Hospitals, major companies and government offices were hit by a virus that seeks to seize control of computers until the victims pay a ransom. Experts said that even as the spread of the attacks apparently has been stymied, the attack’s full ramifications are not yet known because the virus may still be lurking on computers around the world. Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries on Friday, making it one of the broadest and most damaging cyberattacks in history. Avast said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like FedEx (FDX) also reported they had come under assault. Security experts said the spread of the ransomware had been inadvertently stopped late Friday. The ransomware was designed to repeatedly contact an unregistered domain in its code. A 22-year-old security researcher in the U.K., who goes by MalwareTech, registered that domain to analyze the attack, but it turned out the ransomware needed it to remain unregistered to keep spreading. “Thus by registering it we inadvertently stopped any subsequent infections,” he told CNNTech. However, a hacker could change the code to remove the domain and try the ransomware attack again.
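The kill-switch lookup described above is also a useful detection signal for defenders: a machine that queried the domain has already run the sample. The following is an added example, not code from the original post or from any of the sources it cites; it scans constructed DNS query-log lines and lists the querying hosts. The domain name is a placeholder (the post does not name the real one), and the log format is an assumed BIND-style query log.

```python
"""Find hosts that looked up a ransomware kill-switch domain in DNS query logs.

Added example; not part of the original post. Domain and log lines are
placeholders/constructed. A hit means the host executed the sample and is a
candidate for isolation; the lookup itself must keep resolving, because the
sample only halts when the domain answers (blocking it would re-enable spread).
"""
import re
from collections import defaultdict

# Placeholder: substitute the kill-switch domain from your threat-intel feed.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Constructed sample log in an assumed BIND-style query-log format.
SAMPLE_LOG = """\
2017-05-12 09:14:01 client 10.0.3.17#51322: query: www.example.org IN A
2017-05-12 09:14:03 client 10.0.3.17#51323: query: killswitch-placeholder.example IN A
2017-05-12 09:14:05 client 10.0.5.4#40211: query: killswitch-placeholder.example IN A
this line is malformed and should be skipped
2017-05-12 09:14:07 client 10.0.3.17#51324: query: KILLSWITCH-PLACEHOLDER.EXAMPLE. IN A
2017-05-12 09:14:09 client 10.0.9.80#49001: query: updates.example.net IN AAAA
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[\d.]+)#\d+: query: "
    r"(?P<name>\S+) IN (?P<type>\w+)$"
)


def parse_line(line):
    """Parse one query-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Normalise the queried name: strip the trailing dot and ignore case,
    # so "KILLSWITCH-PLACEHOLDER.EXAMPLE." matches the configured domain.
    return {
        "ts": m["ts"],
        "ip": m["ip"],
        "name": m["name"].rstrip(".").lower(),
        "type": m["type"],
    }


def find_killswitch_queries(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: [timestamps]} for every client that queried `domain`."""
    hits = defaultdict(list)
    wanted = domain.rstrip(".").lower()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["name"] == wanted:
            hits[rec["ip"]].append(rec["ts"])
    return dict(hits)


def first_seen(hits):
    """Order hosts by their earliest lookup: a starting point for tracing spread."""
    return sorted((ts[0], ip) for ip, ts in hits.items())


if __name__ == "__main__":
    found = find_killswitch_queries(SAMPLE_LOG)
    for ts, ip in first_seen(found):
        print(f"{ts}  {ip}  ({len(found[ip])} lookups) -> isolate and image host")
```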

Global cyberattack “highly likely” linked to North Korea group

A top cybersecurity firm says it’s “highly likely” that the biggest cyberattack the world has ever seen is linked to a hacking group affiliated with North Korea. The global ransomware attack known as WannaCry targeted hundreds of thousands of computers in around 150 countries, hitting hospitals, businesses and other organizations. In a blog post late Monday, security researchers at Symantec said the “tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus,” a hacking group that has previously been tied to North Korea. “We have high probability that these two are absolutely connected,” said Vikram Thakur, Symantec’s security response technical director. Lazarus has been linked to the hack on Sony Pictures, for which the U.S. government blamed North Korea, and a wave of attacks on banks around the world, including a major theft from Bangladesh’s central bank.

Drums Keep Pounding A Rhythm To The Brain

Why cyber attacks will continue until prevention becomes a priority

Organizations must rethink their security measures. Focus on training, getting rid of old tech, and overcoming apathy. Some learn best through observation, others only after making a costly mistake. Unfortunately, many businesses have failed to heed the cybersecurity lessons learned from the litany of major attacks over the past few years. Modern cybersecurity threats have evolved far beyond the days when keyloggers and suspicious emails were considered sophisticated threats. They’ve grown to incorporate new attack vectors such as connected devices, as used in the 2016 Dyn distributed denial-of-service attack that disrupted many popular websites. Businesses must also contend with leaked exploits discovered by government intelligence agencies, such as the Vault 7 WikiLeaks revelations around security flaws in virtually every major operating system and application. It’s time for organizations to rethink their approach to security. Keeping your organization safe must be a full-time commitment, not simply a passing concern following the latest report of a data breach.

AI is the future of cybersecurity, for better and for worse

In the near future, as artificial intelligence (AI) systems become more capable, we will begin to see more automated and increasingly sophisticated social engineering attacks. The rise of AI-enabled cyberattacks is expected to cause an explosion of network penetrations, personal data thefts, and an epidemic-level spread of intelligent computer viruses. Ironically, our best hope to defend against AI-enabled hacking is by using AI. But this is very likely to lead to an AI arms race, the consequences of which may be very troubling in the long term, especially as big government actors join the cyber wars. My research is at the intersection of AI and cybersecurity. In particular, I am researching how we can protect AI systems from bad actors, as well as how we can protect people from failed or malevolent AI. This work falls into a larger framework of AI safety, attempts to create AI that is exceedingly capable but also safe and beneficial. A lot has been written about problems that might arise with the arrival of “true AI,” either as a direct impact of such inventions or because of a programmer’s error. However, intentional malice in design and AI hacking have not been addressed to a sufficient degree in the scientific literature. It’s fair to say that when it comes to dangers from a purposefully unethical intelligence, anything is possible.

Why Is Cybersecurity So Hard?

Harvard Business Review

After nearly 20 years of trying and billions of dollars in investment, why are organizations still struggling with cybersecurity? In fact, the problem seems to be getting worse, not better. Answering this question requires moving beyond a purely technical examination of cybersecurity. It’s true that the technical challenges are very real; we don’t know how to write bug-free code, for example. But if you look at the challenge more broadly, even if we resolved the technical issues, cybersecurity would remain a hard problem for three reasons: it’s not just a technical problem; the rules of cyberspace are different from the physical world’s; and cybersecurity law, policy, and practice are not yet fully developed. The first reason — that cybersecurity is more than just a technical problem, incorporating aspects of economics, human psychology, and other disciplines — has been explored in other articles in this cybersecurity series. However, the other two reasons also contribute strongly to making cybersecurity difficult, and our approaches must take them into account.

La de da de de, la de da de da

By Tom Davis, SDI Cyber Risk Practice

May 30, 2017

On the 29th, We Remember the 36th

Their story must be remembered, their legacy passed along.

The 36th Infantry Division was organized at Camp Bowie, Texas, on July 18, 1917. Formed from units of the Texas and Oklahoma National Guard, it began its storied history in the Meuse-Argonne Offensive, which led to the ending of World War I. The attack was the largest in military history, involving 1.2 million American soldiers. The battle became the bloodiest operation of World War I for the American Expeditionary Force. 28,000 German soldiers died during the battle, and over 26,000 American soldiers lost their lives. It was a crucial part of The Hundred Day Offensive that led directly to the signing of the Armistice on November 11, 1918, and indirectly to the creation of Armistice Day. The division suffered 2,584 casualties, including 466 killed in action. It was a remarkable first chapter in the story to be written by the 36th Infantry Division.

Inactivated in June of 1919, the division was again called to duty on November 25, 1940. It began its combat tour by landing in French North Africa in 1943, but its real baptism by fire came when it spearheaded the allied assault on Salerno, Italy, during Operation Avalanche. The 36th repulsed several German counterattacks, suffering over 4,000 casualties during the fight. It went on to attack the Bernhard line, enduring six weeks of intense combat. At one point, while attacking across the Gari River, in 48 hours the 36th sustained 1,681 casualties, including 143 killed, 663 wounded, and 875 missing, out of almost 6,000 men who took part. The devastation wrought by this attack created great controversy and led to a Congressional investigation after the war ended. But the 36th was not finished.

Members of the 36th Infantry Division cross the Moselle River during WWII.

The division participated in the assault on the Anzio beachhead on May 22, then drove north and finally entered Rome on June 5, 1944. The celebration was short-lived. By August the 36th found itself in France. It steadily advanced in the face of stiff German opposition, suffering substantial casualties. By December of 1944, the division had moved into Germany, advancing north along the Rhine River. As the war wound down, it helped secure parts of the infamous Dachau concentration camp. In a quirky bit of history, members of the 36th fought alongside German soldiers to defend against a Waffen SS attack, the only time German and American forces fought side by side during World War II.

After 400 days of combat, and nearly 20,000 battle casualties, the 36th came back to the United States in 1945. It was returned to the Texas National Guard in December 1945, bringing to a close another chapter in its history. A half century later it would be born again, to participate in Operation Iraqi Freedom. The Fighting 36th lives on.

The 36th Infantry Division, born at the site named for one of the nation’s most tragic war heroes, exemplifies generations of Americans who have given much in defense of this nation. Their story must be remembered, their legacy passed along. On this Memorial Day, we pay tribute to all those who have given their lives while serving in our armed forces. As the haunting notes of Taps echo across cemeteries throughout the nation, take a moment to reflect.

By Tom Davis, Vice President, SDI

May 29, 2017

When it Comes to Cyber Deterrence, One Size Fits…One

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human-factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.

Protecting yourself in cyberspace requires multiple solutions working all together

Be cautious of the cybersecurity vendor that promises you a technical solution that will solve all of your cybersecurity problems. Life, unfortunately, is not that simple and a one-size-fits-all approach is bound to get you in trouble given today’s cyber complexities. Similarly, simply adopting a solution may not be enough. How you implement that solution could be the difference between operating a safer network or, inadvertently, making your network more vulnerable. One such solution is encryption.

In two articles posted on Tripwire, I make the case with Paul Ferrillo of Weil, Gotshal & Manges LLP that encryption and tokenization are good solutions (that are under-utilized from our experience) but that poor implementation of them can be the perfect recipe for your worst nightmares.

Why do such useful technologies come with this big caveat? The reason is that a “big picture” approach to cybersecurity has not really taken hold yet. As I have mentioned in a previous post, I view cybersecurity in the following manner: network security + information security = data security. The most basic questions, particularly at the board level, may not be getting asked, such as “what are our crown jewels?” or “where do we house our data?”

These are governance issues at their core, not technological ones, meaning that whatever technological steps you take to protect your data, you still may be overlooking the big picture (which will result in a loss of resources and open you up to liability). And because they are governance issues, there is a heavy dose of “human element” challenges associated with them.

If you accept the notion that you cannot achieve 100% security, your strategy should be to make life as difficult as possible for your adversary. Let them seek out low-hanging fruit as opposed to your own crown jewels. The only way to do this is by identifying what matters to you (the governance/human side of this problem), then employing technological solutions (like encryption and tokenization) in the right places and implementing them correctly, and still accepting that there are a series of human vulnerability challenges that need to be worked on.

All the encryption in the world does little for you if you have an employee who falls victim to a spear-phishing attack, and such attacks are getting better and better. Gmail users have been the latest targets, with very real-looking Google Docs emails coming from trusted sources.

Ultimately, you want your adversary to go elsewhere. I recognize this may come off as a deflection and some would question it as a strategy, but nefarious actors are humans too and they do have a preference for the path of least resistance as well. If your data is a bunch of meaningless garble to them (encryption and tokenization are good steps to make this happen), that is a big win for you and a big frustration for them. These types of actors will probably spend little time trying to attack you if you have taken these sensible steps.

It is the actors that are determined and want your crown jewels that should be keeping you up at night. These actors will undoubtedly focus more on social engineering attacks and good old-fashioned tradecraft to try to get what they want, reinforcing the point that the cybersecurity challenge cannot be looked at through a solely technological lens. Curiosity, fear, and urgency are what these actors use to prey on their targets, so in addition to technological steps, make sure your employees and leadership are trained to spot things that look off.

All these solutions, working in tandem, are what will keep you safest in cyberspace.

May 23, 2017

See George’s previous post: How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?

North Korea Again? WannaCry?

“Round up the usual suspects,” a phrase memorably used by Captain Louis Renault, the French prefect of police, to exonerate Rick Blaine of the killing of Nazi Major Strasser in the classic film Casablanca, has been culturally accepted as a way of saying “let’s start with those who most can agree are likely to have been involved in x.” Thus it should come as little surprise that a number of cybersecurity experts are now suggesting that hackers connected to North Korea unleashed the “WannaCry” malware virus that crippled computers around the world over the past weekend.

Of late, North Korea has been most in the news for its penchant for firing off missiles with varying degrees of success, while threatening to do very bad things to whatever country is near or at the top of its current enemies list. But just a couple years ago, U.S. intelligence officials alleged North Korea was behind the cyber attack on Sony Pictures. Admittedly, the fact that the hackers demanded Sony not release a comedy that centered on the assassination of North Korean leader Kim Jong-Un raised suspicions about North Korean involvement, but the more substantial evidence included the use of tools and techniques known to have been used by North Korean hackers in previous attacks on South Korea.

The WannaCry virus locked up over 200,000 computers and spread to more than 150 countries. The estimated losses to those affected run into the billions, largely due to the disruption. Companies in Europe, Russia, and China were particularly affected. Interestingly, at last count the “ransomware” had yielded a relatively paltry $50,000 to the perpetrators, which taken at face value suggests not many people paid the ransom.

The New York Times has a fascinating story about why China seems to have been disproportionately affected by the virus.

China has long been known as a haven for pirated software, and the fact that major Chinese companies, government agencies and universities were disrupted speaks volumes about how widespread the use of pirated software is there. It might also call into question just how carefully planned the unleashing of the WannaCry virus was. Although the relationship between China and North Korea seems to be a bit testy at the moment, one wonders whether North Korea really would like to be seen as behind an attack doing serious injury to Chinese interests. We’ll need a little more time to determine whether, in rounding up the usual suspects, we’ve gotten to the bottom of the planning behind the WannaCry virus.

By Tom Davis, SDI Cyber Risk Practice

May 16, 2017

It’s a Guy Thing

Hey guys! This is a normal salutation, with a most unusual history. It turns out that American usage of the term “guy” traces back to the ill-fated Guido Fawkes. Guido was none other than Guy Fawkes, who now is best remembered as the face that adorns the masks worn by generations of anarchists and dissidents, including, of course, the noteworthy hacktivist group, Anonymous.

Guy Fawkes made his mark about 400 years ago when he participated in a plot to murder King James I. The basic idea was to blow the King to smithereens by touching off barrels of gunpowder stored beneath the House of Lords. Unfortunately for Mr. Fawkes, both he and the gunpowder were discovered in the early hours of November 5, 1605. In relatively short order, after a bit of torture to get at the truth, Guy Fawkes and seven of his co-conspirators were given a taste of English justice. Having been found guilty of attempting to assassinate the King, the following was prescribed: “each of the condemned would be drawn backwards to his death, by a horse, his head near the ground. They were to be ‘put to death halfway between heaven and earth as unworthy of both.’ Their genitals would be cut off and burnt before their eyes, and their bowels and hearts removed. They would then be decapitated, and the dismembered parts of their bodies displayed so that they might become ‘prey for the fowls of the air.’”

That rather ignominious end might have been the last we heard of Guy Fawkes were it not for the fact that an Act of Parliament proclaimed each succeeding November 5th as a day of thanksgiving for the deliverance of the King, and the English chose to celebrate “Guy Fawkes night” by lighting bonfires and tossing effigies of Guy Fawkes into them. In the strange way the world works, the English began referring to the effigies, and other strangely dressed folks, as “guys,” and Americans adopted the term and use it far more generally. The use of the bonfires offers another twist of irony, for English wits have long toasted Guy Fawkes as “the last man to enter parliament with honest intentions.”

Our Guy Fawkes mask-wearing friends at Anonymous have just released a video warning us to prepare for World War III. Anonymous has a pretty good track record in predicting the impact of DDoS attacks it carries out, but its ability to accurately predict the apocalypse is open to question. However, their allegiance to the wearing of the Guy Fawkes masks is testament to the truth of at least part of their traditional sign-off: “prepare for what comes next. We are Anonymous. We are legion. We do not forgive. We do not forget.”

By Tom Davis, SDI Cyber Risk Practice

May 9, 2017

The Shadow May Have Got it Wrong

In 1937, an American radio series named “The Shadow” made its debut. Its dramatic opening line—“Who knows what evil lurks in the hearts of men? The Shadow knows!”—captured the imagination of the nation and lives on to this day. Lost in the shrouds of time is the line uttered at the close of each episode—“The weed of crime bears bitter fruit. Crime does not pay…The Shadow knows!” It turns out The Shadow was not particularly prescient when it comes to today’s cyber criminals. It’s a fair bet The Shadow would see the world differently after running into the Shadow Brokers, a group which announced its presence with a series of messages like…

“!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT+ LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

If you are following this at home, the Equation Group is allegedly tied to the National Security Agency, and is considered highly sophisticated in its hacking capabilities, presumed responsible for, among other things, the Stuxnet virus that crippled Iran’s nuclear program. So, the Shadow Brokers, acting on information from Kaspersky, itself accused of ties to Russian intelligence, offered to sell tools pilfered from an entity believed to have ties to American intelligence. This would make a grand movie plot, but the outcome here has significant real life implications.

The tools being sold and released by the Shadow Brokers are opening up vast new opportunities for cyber criminals. After the latest release by the group, security expert Matthew Hickey said “It is by far the most powerful cache of exploits ever released. It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it.”

Forbes just ran a piece that looked at how the Shadow Brokers’ leaks have led to real world attacks, and what may be in the offing. The article closed with a timely reminder from security guru Bruce Schneier: “Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.”

Who knows what evil lurks in the hearts of men? We are, once again, about to find out.

By Tom Davis, SDI Cyber Risk Practice

May 2, 2017