Have We Normalized Theft?

When did cyberattacks truly begin to concern us?  Was it the Morris worm of 1988?  One would have wished it was, but clearly this is not the case.  How about the 2008 cyberattack on USCENTCOM?  That worm, likely injected into the DoD system through a single USB key, took about 14 months to clean up by some estimates.  Fast forward nine years, Equifax.  145 million records stolen.  Have we learned yet?  I wish I could say “okay, this time we will do something about it!” but I am not too optimistic.


Because I feel we have slipped into a dangerous area: we have allowed the normalization of data theft.  And today, data theft means anything from personally identifiable information to R&D/intellectual property to good old fashioned money.  My feeling is that because we don’t “feel” data the same way we would, oh a stack of $20s, we don’t really appreciate what is being lost.

Let’s try to put this into perspective.  If in fact 145 million records were stolen from Equifax, what would that look like in a “smash-and-grab” operation?  For simplicity, let’s assume one record is one page.  The average thickness of paper is 0.1 mm (0.0039 inches).  How high would the paper stack in this case?  Well, those 565,500,000 inches equate to about the distance from New York to Manila (over the Pacific), give or take a few hundred miles.*

To think that somebody could perform a break-and-enter like this (and get away with it) sounds so preposterous, this idea wouldn’t even make into a B-movie script.  But when all these “pieces of information” are digitized into a bunch of zeros and ones, well, you can fit all that information into the palm of your hands.

And that’s what gives me heartburn because we are doing such a poor job understanding what is being stolen.  We spend billions of dollars innovating, labor for years, and all these valuable resources could be gone, poof, like that because somebody missed patching a system or left a terminal unprotected or clicked a link they shouldn’t have.  This is asymmetry of galactic proportions.

So back to my point about normalizing theft: I think because we can’t “feel” the pain, we don’t give this issue the attention it deserves.  If I was a nefarious actor and I was able to siphon $5 a month from your bank account, would you care?  Before you answer … would you notice?  What if I was able to make this siphoning as some sort of “fee” or common every day purchase?  You may not give it that much thought and let it slide.  Now let me do that to a million people.  And let me do that to a different million people every week.  How does $260 million a year sound to you?

Does this sound like a tenable business model for an economy to survive?  Nope.  But that’s what we are dealing with when we normalize theft.

Sure, some may say “but we have services to protect us.”  Okay, but those services cost money, $10 a month, let’s say.  That’s $120 a year per individual.  To protect the 52 million people that would have gotten ripped off in the earlier scenario, that’s a hit of $6.24 billion dollars annually.  That’s $6.24 billion dollars that could have gone into paying rent, buying a meal, helping a local foundation, or go towards tuition or medication.

Lost in so much of the cybersecurity conversation is that protection rarely offers a return on investment.  Protection is a tax on business and a tax on individuals.  So unless we start “feeling” this theft on a more personal level and take the steps to properly educate ourselves of the human dimension, we are going to run out of money to invest in protection real fast.  People are generally not good at understanding risk and we often have farmed out that risk to somebody else (insurers, public officials, you name it).  But even this model is becoming too expensive.  So it’s time we take a closer look at ourselves and see if we are part of the problem by having allowed data theft to be normalized.  We shouldn’t be so passive about it.  We should be outraged, because this is a slow strategic bleed of national strength and stability.

By George Platsis, SDI Cyber Risk Practice

October 3, 2017

* Correction: “I’m tempted to say what’s a few extra zero’s among friends, but am forced to heed my own counsel…when you make a mistake, own it: it’s actually 565,500 inches, which is closer to 9 miles, more like New York to Hoboken and back…but that’s still a lot!”

A New Shakespearean Tragedy?

Once more unto the breach, dear friends, once more;
Or close the wall up with our English dead.


In Shakespeare’s retelling of the life of King Henry V, he has the king urging his brave soldiers forward once more, hurling themselves against the French army in the early stages of what became the decisive battle of Agincourt.  The line has survived to become a common exhortation for giving something another try. One notes that King Henry did offer the alternative of dying in the gap of the wall, but the essential idea is to flow through the breach to victory.

Today we are dealing with a breach in which the flow is outbound, and there is no victory in sight.  The massive data breach suffered by Equifax has exposed the personal identifying information of over 143 million people. The attackers took people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000.  The breach is rightly seen as a monumental failing on the part of Equifax, and the repercussions are mounting rapidly.

Writing on the Gartner Blog Network, John Wheeler calls the breach a game changer for cybersecurity.   Among his predictions, Equifax will cease to exist. “In the last 4 business days since the company disclosed the data breach Equifax has suffered a $5.3 billion loss in market capitalization which represents almost a third of the company’s total value. When considering an estimate of the potential costs associated with the data breach (based on the 2017 IBM/Ponemon Institute Cost of Data Breach Study), Equifax faces a potential loss of $20.2 billion which currently exceeds their total market value by $8.3 billion. Also, the company currently faces more than 23 class actions lawsuits with at least one seeking more than $70 billion in damages. The death spiral will soon take on greater momentum when executives are required to testify before Congress and criminally investigated for potential insider trading related to the delayed disclosure of the data breach. Equifax will ultimately be acquired out of bankruptcy by one of the remaining two credit reporting companies – TransUnion or Experian.”

The “delayed disclosure” noted by Wheeler is extremely problematic. Equifax said it first detected suspicious behavior on July 29. It appears the breach dates back to May of this year, and some reports suggest it may have happened even earlier. Even if one accepts the July 29 date as the first instance in which Equifax became aware of the breach, several weeks went by before customers were made aware. The delay triggered outrage, and credit reporting companies have few friends, so the fury goes on unabated.

The fallout continues. Equifax’s Chief Information Officer and Chief Security Officer “retired,” and its CEO stepped down. More heads will likely roll. Forty states are investigating how Equifax handled the breach. Other regulatory agencies are launching investigations, and there is a real possibility that this breach will lead to significant change in law and regulation.

Once more, out through the breach.

By Tom Davis, SDI Cyber Risk Practice

September 26, 2017

Do You Trust Your Network?


The question seems simple enough, doesn’t it? But have you asked the question? My feeling is that not enough people actually do. Of course, a natural response may be: isn’t that a question for my IT department to answer?

Yes and no (more on that in a moment). And I promise I am not trying to play word games, but words and their meanings matter, and I am therefore placing particular focus on the word trust. Trust is different than confidence. Trust is different than transparency. Trust has a much more “personal” element than the others. And so much of what we do in the world today is based on trust.

There are times where confidence may be appropriate. For example, “I am confident in Joe’s abilities, but I do not trust he will finish the job.” And there are times where transparency may be appropriate, such as, “blockchain technologies offer transparency, but I do not trust them to serve as the backbone for a currency.”

Notice where I am going? These terms are not interchangeable. Somebody can be “transparent” with you but it is quite possible you do not trust them at all. Conversely, somebody who is not wholly transparent with you may earn your trust.

And trust is a funny thing because it guides so many of our actions. Simple example:

“Would you do business with Bob?”
“No. I know he has a solid track record, but something about him I just don’t trust.”

“Would you do business with Sally?”
“Yes. I know she doesn’t have the track record of Bob, but something about her that just makes me feel she’s the right person to do business with.”

In other words, we are dealing with emotion and rational action may be taking a back seat.

So let’s get back to the IT department. I am not asking: do you trust your IT department? Rather, I am asking: do you trust your network? There is a difference. It’s huge. And if you don’t see it as being huge, your cybersecurity nightmares may only be in their opening act.

If you have 20 minutes, there is a 2010 podcast worth listening to by Brian Snow, who was the technical director of information assurance at the National Security Agency. It can be found here and special thanks to my fellow #CyberAvenger Chris Veltsos for pointing out this podcast. At around the 16 minute mark, Brian Snow talks about the “trust bubble” and that while “trust” is “widely used” it is also complicated and poorly understood.

Our world operates with so much going on in the background that we seldom give thought to how complicated things can be. Therefore, the only way we can operate and conduct business is when we have levels of transparency, confidence, and trust. For example, I am confident my ISP will provide reliable service so I can get my professional work done, but I do not trust my ISP when they say they are “best service provider” or “the fastest network” or that they will “have 99.9999% uptime” or whatever else you can think of (nor do I think they make their billing particularly transparent but that is unrelated to network reliability). In other words, I’m keeping my expectations in check.

In fact, I try to keep my expectations so “in check” that I expect my services to go down from time to time because that’s just life! Bad connection, server times out, bandwidth issues, and yes, even potential DDoS attacks and hacks! I expect all of these to happen because my trust in network capabilities can only go so far. Sure, I can invest more capital and overhead, but I do not have a printing press for money, so this solution is untenable over time. You need to use your resources wisely and because my trust in network capabilities can only go so far, I do things like: regularly patch, update, have offline backups, back up devices, have alternate connectivity means, and – get ready for it – even plan for total shutdown (and sometimes the plan is “no way to do work today, find something else to do”).

In summary, I simply do not trust network reliability to be as reliable as the sun coming up from the east every morning. And keep your expectations in check: there are very very few operations that can justify the need (and cost) for 100% uptime (and even those are susceptible to the freak event that shuts them down).

As for social engineering attacks, shame on me if I get suckered into them. I don’t have the expectation that my network should protect me from them. Remember, a social engineering attack is going after YOU FIRST before the actors execute their following intent.

Side commentary: WOW! Some of these social engineering attacks are getting really sophisticated and I am impressed. One of the best I have seen in the last few months is the attacker faking that you are the initiator of the conversation and the attacker is “replying” to your original query. Be careful before you click “reply” because sometimes all the attacker wants you to do is just that, click reply, and scoop up an e-mail address, a device ID, an OS version, message headers, or the basic information on your signature line. All these information leaks can come back to haunt you.

But back to my original question: do you trust your network? If your trust in network reliability is rooted in the trust you have for your IT department, I have a car I want to sell you. I do not say this as a knock against your IT department, but if we can be perfectly candid for a moment, if your IT department has full trust in your network reliability, you should be concerned. Granted, the IT department can be confident about the network, but usually when you are confident, it means that you have done some sort of honest and thorough assessment of the situation.

Therefore, if your IT department says to you, “we’re confident we do not have any malware on our network” ask how they came to that conclusion. If instead they say, “we do not have any malware on our network, honest, trust us!” then raise an eyebrow and get your hands dirty, because you have work to do.

By George Platsis, SDI Cyber Risk Practice
September 12, 2017



Cybersecurity Valuation and Your Organization

Cybersecurity is everywhere. Everybody is talking about it. Everybody is worried about it. And everybody thinks they need to do something about it.

The problem is that everywhere we look, we get this general feeling that we are failing. One report suggests that only 1 in 5 organizations are “very mature” in adoption of the NIST Cybersecurity Framework. GDPR is around the corner (May 2018) but some estimates show only 25% of EU countries are ready for it. Good luck to the rest when those astronomically heavy fines kick in.  And how long until so many non-New York State entities are forced to follow the NY Department of Financial Services new cybersecurity regulations, just so they can keep doing business in NY? The transitional period for covered entities ends on August 28th, 2017, so you better be ready!

So fine, we get that there are regulations and statutes and frameworks, all of which need to be followed or adhered to. But there is a much more basic question that does not necessarily get asked: do you, as an organization, value cybersecurity? I am quite certain most will say “yes” but, do you value cybersecurity in the sense that it is a “nice to have” type thing or do you value it as “I need this or my life will be over” type thing?

I believe one of the greatest challenges we face when trying to address our cybersecurity issues is that we have done a poor job valuing our assets. Normally, we would hire an appraiser or an insurance company to assist with this task, in the traditional brick-and-mortar sense.  If a sale were more complex, such as the valuation of goodwill, we would bring in a legal or financial firm that specializes in mergers and acquisitions. Could these firms help you when performing valuations? Perhaps they could, but these firms are still trying to get their own heads wrapped around the entire cybersecurity problem.

Ultimately, you should be able to “put a price” on your organization. In the brick-and-mortar model, it is pretty easy.  I have building X, market value is Y, and replacement value is Z if something goes wrong in case of flood, fire, or whatever other “tangible” crisis you could face. Not only could you put a price on these issues, you could estimate recovery times, and possibly even have a rolodex of contractors or service providers that could help you out. And perhaps most importantly, you could budget for this tangible crisis. All this is pretty straightforward stuff.  Have insurance, keep an operating line of credit handy, make sure you keep your debt leverage levels in check, have some cash on hand (also known as the “rainy day” fund for most of us).

Do we do any of these things for cybersecurity related issues?

My feeling is that we do not because we have not valuated our assets from a cybersecurity perspective. We do not know what the true cost of a damaging social media campaign could be. We do not know what the true cost of massive intellectual property theft is. And we do not know what the true cost of network downtime is.


I have a couple of theories why, in no particular order:

1) This is hard to do and when things are hard to do, we like to avoid them.

2) We do not know where to start.  How many of us actually can put a dollar figure on the goodwill value of our firm?

3) We still think cybersecurity is a technical issue, so leave it to IT to figure out.  (This would be a big mistake by the way.)

4) We do not have a true appreciation of how much we really rely on technology.

I could go on, but I think this is a good enough list to start with.  Your question now could be: okay, stop telling me problems and start giving me solutions!

Here is my first and perhaps most important solution: put a number on what you value even if that number has to be arbitrary, especially those intangible things, like client records, intellectual property, goodwill, and brand.


Because it gives you a starting point. If I think the goodwill value of my business is worth $100,000, I will not spend $100,001 on cybersecurity measures. But if I think the goodwill value of my business is worth $10,000,000 then perhaps spending $500,000 on cybersecurity measures seems like a good idea, whatever these measures are (technical fixes, employee training, system upgrades, crisis communication plans, social media response teams, you name it).  

If you think your client rolodex (which is all digitized now) is worth gold because it took your firm 30 years to build up that network, treat that rolodex as though it belongs in Fort Knox. If the reason you are able to charge a significant premium above your competitors is because you have brand value built over years of interpersonal relationships with your stakeholders, protect the brand like it is the most important thing in the world to you.

But put a number on it! The value of “the number” is that you can at least start to budget what you are willing to spend, especially when you are not sure where to start.

Like I noted, this isn’t easy, but it’s necessary. And it will be an important first step to help you with your own cybersecurity challenges.

By George Platsis, SDI Cyber Risk Practice

August 22, 2017

Collateral Damage in Cyber Warfare

Hot on the heels of the infamous WannaCry ransomware attack came the less heralded and seemingly less consequential Petya cyberattack. WannaCry was big and bold, and obviously well named. Petya didn’t seem to measure up, and researchers noted that less than $10,000 was paid in ransom. However, it soon became apparent that Petya was not a ransomware attack, but actually aimed at destroying data. Given that much of the damage associated with Petya focused on Ukraine, suspicion quickly turned to Russia, the assumption being the attack was part of Russia’s ongoing efforts to destabilize Ukraine. Whether the attack actually was carried out by individuals acting on behalf of Russia remains unproven, but what is clear is that, as is the case in all conflicts, there are ancillary casualties.

Take, for example, FedEx, which acquired Dutch shipping company TNT Express for $4.8 billion last year to compete with United Parcel Service Inc. and Deutsche Post AG’s DHL. What seemed like a good aggressive business move now has become a major headache. TNT operations were completely disrupted by the Petya attack, and FedEx now says it has not been able to recover some systems, and may never be able to recover some critical business data.

FedEx just filed its Securities and Exchange Commission (SEC) 10k, and it forecasts material losses. The list of reasons why those losses are mounting is instructive:

⋄ loss of revenue resulting from the operational disruption immediately following the cyber-attack;
⋄ loss of revenue or increased bad debt expense due to the inability to invoice properly;
⋄ loss of revenue due to permanent customer loss;
⋄ remediation costs to restore systems;
⋄ increased operational costs due to contingency plans that remain in place;
⋄ investments in enhanced systems in order to prevent future attacks;
⋄ cost of incentives offered to customers to restore confidence and maintain business relationships;
⋄ reputational damage resulting in the failure to retain or attract customers;
⋄ costs associated with potential litigation or governmental investigations;
⋄ costs associated with any data breach or data loss to third parties that is discovered;
⋄ costs associated with the potential loss of critical business data;
⋄ longer and more costly integration (due to increased expenses and capital spending requirements) of TNT Express and FedEx Express; and
⋄ other consequences of which we are not currently aware but will discover through the remediation process.

Oh, and FedEx also noted it did not have insurance against these losses. Going forward, FedEx may become the poster child for why cyber insurance makes sense.

By Tom Davis, SDI Cyber Risk Practice

July 25, 2017

Cybersecurity Starts With Basics

One undeniable fact: the 2016 elections brought the word “cybersecurity” into the mainstream.  The problem that stemmed from that fact: nobody is actually sure what “cybersecurity” is.  And as a result, we spin our wheels or head off into differing directions.

For all the tech talk, commentary, and promise of some incredible “save you from all cyber threats” solution, lost in the conversation are the cybersecurity basics.  It is a disservice to all when pundits use words, such as hack and leak, interchangeably.  Those who have a more informed understanding of the issue know that these terms have incredibly different meanings.  The same can be said for words such as stolen and copied.  They are not the same and are often confused, even misused.  And how about this one: the difference between authorized access by an unauthorized user and unauthorized access.  The fine nuance between the two can entirely re-characterize the nature of an attack.

I have not conducted a formal study to know how many people know the differences or can spot the nuances, but from informal observation of my own experiences, about 95% of people cannot tell the difference and of the 5% that do, almost all of them have some form of security-type training or professional work experience.  Another informal observation: even those who have the training still cannot always spot the difference.

Why is all of this important?  Because if we cannot get the basics right, chances are everything that follows will be wrong, insufficient, or inadequate.

I start from this premise: we have finite resources.  I do not think anybody serious would disagree with me on this premise.  Therefore, let us be smart about how we use these resources.  And part of being smart is asking the right questions and knowing the basics.

In the middle of serious cybersecurity policy debate, does it make a difference if a Senator asks a witness whether data was stolen or copied?  Yes, it does.  In trying to determine how an attack happened, does it make a difference when the Board asks its IT manager if the source of the attack came from authorized access by an unauthorized user or by unauthorized access?  Yes, it does.

The human brain can only process so much information and the more complex we make the cybersecurity discussion, the increased likelihood of us mucking it up.  Add into the mix a disregard or misunderstanding of the basics and the muck up is almost certain.

What are the basics?  A few are here, from my last #CyberTuesday blog.  Successful cybersecurity relies on personal ownership.  Somebody else does not make you fit; you make yourself fit.  And we are quite poor at personal ownership, with multiple studies showing that human action/error is responsible for 90+% of successful attacks or breaches.

Some more basics include the understanding of terminology and the state of affairs.  We know the difference between somebody kicking down the front door of my house and somebody stealing my house keys and walking in the front door.  If somebody kicked down your front door, chances are you need a stronger door or you may consider putting a gated fence around your house to make it more difficult for a perpetrator to get to your front door.  If somebody stole your house keys, you would do a better job of protecting your keys.

It is worth asking: would you erect a 30 foot high six foot thick steel perimeter around your property if you lost your front door keys?  No, as that would be resource overkill.  Instead, you would likely change the locks on your doors.  And if your problem is your keys getting stolen, what good exactly does this mega-fortress bring you?  Unless you plan to seal yourself off from the entire world, the mega-fortress will need an access point, say, like a door with a lock.  What happens when you lose your keys again?  Build a mega-mega-fortress that will protect the mega-fortress?

If this is sounding a bit ridiculous, welcome to the world of cybersecurity.  Because so many of the basics are misunderstood, or even outright ignored, many of us are seeing mega-mega-fortresses being erected all over the place.  But we are not exactly sure if they are making anybody more secure.  Part of what we do at SDICyber is to help you understand these basics.  The basics can work miracles, as I point out here with some fellow patriots.

There is no harm in saying that you are unsure of the basics.  Nor should you be embarrassed to ask that question.  That very admission may be the most crucial step to getting you cyber secure.

By George Platsis, SDI Cyber Risk Practice

July 11, 2017

A Phishing Hole

One of the more interesting English language colloquialisms is the phrase “fish or cut bait,” generally used to suggest a decision must be made. It derives from a time in which catching fish with bait often meant dividing responsibilities, with someone fishing while another was cutting bait up to be used to catch the fish. In an odd way this catchy little phrase now applies to one of the most persistent cybersecurity threats in use—spear phishing.

In the face of determined efforts to educate the population about the use of spear phishing, the number of phishing attacks continues to rise dramatically. Why? Quite simply—they work really, really well.  Leading cybersecurity firm FireEye recently reported that “84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015. The average impact of a successful spear-phishing attack: $1.6 million. Victims saw their stock prices drop 15%.”

English cyber firm Sophos just released a white paper titled, “Don’t Take The Bait,” that takes a look at why phishing attacks are on the rise. They suggest that more people are successfully “phishing” because a cottage industry has grown around the cyber equivalent of cutting bait.  The paper notes that it is ever easier for cyber criminals to acquire sophisticated fishing tools. “An interesting facet of the phishing ecosystem is that there are a large number of actors committing attacks, but only a small number of phishers that are sophisticated enough to write a phishing kit from scratch. Because of this, phishing kits are now widely available for download from dark web forums and marketplaces, and give attackers all the tools they need to create profitable phishing attacks: emails, web page code images, and more.”

The white paper goes on to report that “In fact, attackers don’t even need to know how to create malware or send emails anymore. As-a-service and pay-as-you go solutions permeate most online service technologies, and phishing is no different….”  Among those services, an enterprising person who wishes to phish can use a ransomware service provider who will take a cut of each ransom paid, or a phishing service provider who will guarantee that the user will only be billed for emails actually delivered. The Postal Service should be so efficient.

It is increasingly important that businesses respond to the emphasis on phishing attacks with a countervailing emphasis on education and training, and employ rigorous internal standards to diminish the prospect that an employee might inadvertently send information or money to a cyber criminal. Don’t think more about whether to do so, it’s time to fish or cut bait.

By Tom Davis, SDI Cyber Risk Practice

June 20, 2017

Personal Cyber Health and Hygiene: More Expensive Shoes Don’t Make You Run Faster

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.

It’s January 2nd and you have just finished your latest culinary blowout from the holiday season.  You look down towards your toes and you see something obstructing your view that wasn’t there just three weeks ago.  And of course, you fear walking towards the scale because you already know it’s going to be bad news.

So what do you do?

Sign up for an expensive gym membership and spend $300 on new training gear of course!

Unfortunately, neither of those will make a difference unless you put your best foot forward and start working your own butt off.  Worse, if you do not put that expensive membership and new gear to good use, you are only a few months (weeks?) away from saying, “I wish I didn’t spend all that money for nothing!”

I fear I am about to upset a few people by stating the following: good cyber health and hygiene is a lot like personal health and weight management.  It takes time, effort, and dedication to keep in top form and it is also very easy to go off the rails if you do not watch what you’re doing.  Furthermore, each time you go off the rails it becomes harder and harder to get back to the good form.  And the only real difference between your health and cyberspace is that you can at least upgrade your device or operating system, whereas when it comes to our personal health, we are stuck with the same body and brain for our entire lives.

Wasting your time and money on the latest fad exercise machine or diet will be just that, a waste of time and money, especially if you are not ready to put yourself through the daily grind.  Same goes for cyber tools that promise you a path to the mythical place known as CybersecureLand, a place where you can click on any link without any fear because the magical Fairy Cybermother will protect you and whisk any malicious code back to the depths of Maldorware.

This is uncharacteristic of me, but I will delve into the personal to illustrate my point.  There was a time in my life where I had a slightly different “shape” (okay, more than slightly).  This shape was unhealthy and thankfully I realized that if I were to keep this shape for any prolonged period of time, I would be down the road to a full network malfunction where even a full system reboot would do little for me.  So what did I do?  I said, “George, clean yourself up.”

How did I do this?

1) Cut unnecessary calories (don’t go to bad websites unless you want to feel blah later).

2) Simple rule when it comes to calories and working out: Input/Output (keep an eye on your inbound and outbound traffic, both in type and volume, because variances should worry you).

3) Just get into a routine and stick to it no matter what (this is called automatic updates and patching your system regularly people…it’s boring, it’s mundane, but if you don’t do it, you’re asking for trouble).

4) Don’t go overboard off the top because you’ll overwhelm yourself and walk away (you do not need to be an expert on how to build a cryptographic key; you need to know how to use one).

5) Play the long game (if you expect to go from a sieve to J.J. Watt overnight you are going to find out you are not J.J. Watt…it takes time to get game ready, but that should not stop you from building up to a goal and each little progression does actually make you better).

6) Resist the temptation (easier said than done, but the risks are much higher in cyberspace…one night of fried chicken during a month-long stretch of good behavior will not give you a heart attack, but one wrong click may do just that).

7) If you plan to cheat, be prepared to go double-time during your next workout (you really want to go to that website you know you shouldn’t?…fine, but if your data isn’t backed up and you don’t have a clean system and application image to install on your system if things go wrong, you will feel pain).

8) Train, train, train and push your limits so you can build muscle memory (remember that time it was hard to jog for 20 minutes and now you run for 60 minutes like it’s nothing?…that’s how passwords work too…your brain is just a muscle that needs training, meaning that if you work hard, it’s possible for anybody to go from qwerty1234 to H@Uxs$#8218!!47vwq).

9) Trainers are only useful for specialized things, like intense weight training or self-defense (there are certain things you need to be taught, so go to an expert and know your limits…like writing your own cryptographic key).

10) Train your entire body (having a 24 inch bicep, a 46 inch waist, and a 12 inch calf is probably not balanced health management…updating your anti-virus but not installing critical patches is not balanced cyber health).

11) There is no magical exercise machine that does everything (for every technological convenience, like single sign-on services, there is an undetermined, and potentially explosive, cost).

12) It takes time for your metabolism to reset (for most, it is financially unfeasible to uproot your entire network and replace it…this means you are working on legacy systems that take time to upgrade and get up to speed).

13) You are dealing with a system, not a silo (the body is a fascinating and complex machine, meaning that your food intake, exercise output, sleep patterns, mental health, water balance, muscle-to-fat ratio, pH levels, and so on are intertwined, where one impacts the other…network, information, and data systems are, in many ways, the same, meaning that if one is out of whack, the others will almost certainly suffer).

14) You need to be your own best motivator (ultimately, it’s all on you and your own decision will decide your fate).
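Item 2 above says to watch inbound and outbound traffic in both type and volume because variances should worry you. The script below is an added illustration of what that check looks like in practice; it is not code from the original post. The hourly flow summaries, the host name, the protocol labels and the alert thresholds (three standard deviations, or double the baseline mean, whichever is larger) are all constructed assumptions for the example.

```python
"""Baseline-and-variance check on per-host traffic volume and type.

Added illustration for item 2 of the list above (not code from the original
post).  The flow records, host name and thresholds are constructed sample
data and assumptions for the example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed daily flow summaries: (day, host, direction, protocol, bytes)
FLOWS = [
    # seven quiet days of outbound traffic for ws-01 (the baseline)
    *[(d, "ws-01", "out", "https", 40_000 + 500 * d) for d in range(1, 8)],
    # seven quiet days of inbound traffic for ws-01
    *[(d, "ws-01", "in", "https", 200_000 + 1_000 * d) for d in range(1, 8)],
    # day 8: outbound volume jumps tenfold and a never-seen protocol appears
    (8, "ws-01", "out", "https", 450_000),
    (8, "ws-01", "out", "ftp", 12_000),
    (8, "ws-01", "in", "https", 205_000),
]


def build_baseline(flows, baseline_days):
    """Per (host, direction): mean and stddev of daily bytes, plus the set of
    protocols observed during the baseline window."""
    volumes = defaultdict(list)
    protocols = defaultdict(set)
    for day, host, direction, proto, nbytes in flows:
        if day in baseline_days:
            volumes[(host, direction)].append(nbytes)
            protocols[(host, direction)].add(proto)
    return {
        key: {"mean": mean(v), "std": pstdev(v), "protocols": protocols[key]}
        for key, v in volumes.items()
    }


def find_variances(flows, baseline, day, sigma=3.0, min_ratio=2.0):
    """Flag records on `day` whose volume (bytes) or type (protocol) departs
    from the baseline.  Returns (host, direction, protocol, reason) tuples."""
    alerts = []
    for d, host, direction, proto, nbytes in flows:
        if d != day:
            continue
        base = baseline.get((host, direction))
        if base is None:
            alerts.append((host, direction, proto, "no baseline for this host/direction"))
            continue
        # Type check: a protocol this host never used before is itself a variance.
        if proto not in base["protocols"]:
            alerts.append((host, direction, proto, "protocol never seen in baseline"))
        # Volume check: sigma guards against a tiny stddev on a very flat
        # baseline; min_ratio guards against a noisy one.
        threshold = max(base["mean"] + sigma * base["std"], min_ratio * base["mean"])
        if nbytes > threshold:
            alerts.append(
                (host, direction, proto, f"volume {nbytes} exceeds threshold {threshold:.0f}")
            )
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(FLOWS, set(range(1, 8)))
    for alert in find_variances(FLOWS, baseline, day=8):
        print(alert)
```

On the constructed data the check raises exactly two alerts for day 8: the tenfold outbound HTTPS volume and the FTP flow from a host that never spoke FTP during the baseline week. The slightly elevated inbound volume stays below threshold, which is the point of keeping a per-host, per-direction baseline instead of a single global number.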

Sometimes you need that super fancy exercise machine, or that aerodynamic gear, or those shoes that weigh only three ounces to reach your goal (which also means you’re probably training for a marathon or the Olympics).  But if you’re not doing that (or defending the nation’s secrets) some basic exercises and practices make a world of difference.

For example, it’s amazing what simple things, like push-ups, sit-ups, crunches, and running, along with a balanced diet can do for your health.  Using encryption, patching your system, turning on regular updates, and backing up your data, along with knowing how to identify phishing and spear-phishing attempts go a long way in your overall cyber health and hygiene.

Ultimately, good health and weight management is a lifestyle change that you need to stick to.  Cyber health and hygiene is no different.  When it came to my own weight loss, it was sober realization and honest assessment that made me say, “George, fix this or you’re going to be in real trouble.”  That was the only motivation I needed.  It wasn’t easy.  In fact, it sucked and was hard, especially at the beginning.  But long-term health trumped the short-term pain.  And that’s the only motivation you should need when it comes to your own cyber health and hygiene.

June 6, 2017

Exploring the Cybersphere – May 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

As May prepares to give way to the promise of the month of June, it’s time to look back at some of the cyber stories that dominated the headlines during the month. The month begins with May Day, a tradition handed down from ancient times, when children dance around maypoles, festooned with flower crowns. The ancient rites celebrated the end of winter, and the dawn of a new season, a time to have hope. Locals could brag about who had the biggest maypole, perhaps the beginning of another practice that lasts to this day. As it happens, May Day is an apt characterization of the month’s cyber events, particularly if said three times in rapid succession.

The Beat Goes On

Cyberattacks involving extortion are on the up, Verizon says

Cyberattacks involving ransomware — in which criminals use malicious software to encrypt a user’s data and then extort money to unencrypt it — increased 50 percent in 2016, according to a report from Verizon Communications Inc. And criminals increasingly shifted from going after individual consumers to attacking vulnerable organizations and businesses, the report said. Government organizations were the most frequent target of these ransomware attacks, followed by health-care businesses and financial services, according to data from security company McAfee Inc., which partnered with Verizon on the report published Thursday. Instances of ransomware attacks have grown along with the market for bitcoin, the digital currency that is most commonly how cybercriminals demand ransoms be paid because of its anonymity. While overall most malware was delivered through infected websites, increasingly criminals were turning to phishing — using fraudulent emails designed to get a user to download attachments or click on links to websites that are infected with malware — to carry out attacks. A fifth of all malware raids began with a phishing email in 2016, while fewer than 1 in 10 did the year before, according to the report.

Cybercriminals breached over a billion accounts last year

Cybercriminals had a very good year in 2016 — and we all paid the price. These digital bandits became more ambitious and more creative and that resulted in a year marked by “extraordinary attacks,” according to the 2017 Internet Security Threat Report from Symantec. “Cyber crime hit the big time in 2016, with higher-profile victims and bigger-than-ever financial rewards,” the report concluded.

And The Beat Goes On

World reels from massive cyberattack that hit nearly 100 countries

Organizations around the world were digging out Saturday from what experts are calling one of the biggest cyberattacks ever. Hospitals, major companies and government offices were hit by a virus that seeks to seize control of computers until the victims pay a ransom. Experts said that even as the spread of the attacks apparently has been stymied, its full ramifications are not yet known because the virus may be lurking still on computers around the world. Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries on Friday, making it one of the broadest and most damaging cyberattacks in history. Avast said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like Fedex (FDX) also reported they had come under assault. Security experts said the spread of the ransomware had been inadvertently stopped late Friday. The ransomware was designed to repeatedly contact an unregistered domain in its code. A 22-year-old security researcher in the U.K., who goes by MalwareTech, registered that domain to analyze the attack, but it turned out the ransomware needed it to remain unregistered to keep spreading. “Thus by registering it we inadvertently stopped any subsequent infections,” he told CNNTech. However, a hacker could change the code to remove the domain and try the ransomware attack again.

Global cyberattack “highly likely” linked to North Korea group

A top cybersecurity firm says it’s “highly likely” that the biggest cyberattack the world has ever seen is linked to a hacking group affiliated with North Korea. The global ransomware attack known as WannaCry targeted hundreds of thousands of computers in around 150 countries, hitting hospitals, businesses and other organizations. In a blog post late Monday, security researchers at Symantec said the “tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus,” a hacking group that has previously been tied to North Korea. “We have high probability that these two are absolutely connected,” said Vikram Thakur, Symantec’s security response technical director. Lazarus has been linked to the hack on Sony Pictures, for which the U.S. government blamed North Korea, and a wave of attacks on banks around the world, including a major theft from Bangladesh’s central bank.

Drums Keep Pounding A Rhythm To The Brain

Why cyber attacks will continue until prevention becomes a priority

Organizations must rethink their security measures. Focus on training, getting rid of old tech, and overcoming apathy. Some learn best through observation, others only after making a costly mistake. Unfortunately, many businesses have failed to heed the cybersecurity lessons learned from the litany of major attacks over the past few years. Modern cybersecurity threats have evolved far beyond the days where keyloggers and suspicious emails were considered sophisticated threats. They’ve grown to incorporate new attack vectors such as connected devices, as used in the 2016 Dyn distributed denial-of-service attack that disrupted many popular websites. Businesses must also contend with leaked exploits discovered by government intelligence agencies, such as the Vault 7 Wikileaks revelations around security flaws in virtually every major operating system and application. It’s time for organizations to rethink their approach to security. Keeping your organization safe must be a full-time commitment, not simply a passing concern following the latest report of a data breach.

AI is the future of cybersecurity, for better and for worse

In the near future, as artificial intelligence (AI) systems become more capable, we will begin to see more automated and increasingly sophisticated social engineering attacks. The rise of AI-enabled cyberattacks is expected to cause an explosion of network penetrations, personal data thefts, and an epidemic-level spread of intelligent computer viruses. Ironically, our best hope to defend against AI-enabled hacking is by using AI. But this is very likely to lead to an AI arms race, the consequences of which may be very troubling in the long term, especially as big government actors join the cyber wars. My research is at the intersection of AI and cybersecurity. In particular, I am researching how we can protect AI systems from bad actors, as well as how we can protect people from failed or malevolent AI. This work falls into a larger framework of AI safety, attempts to create AI that is exceedingly capable but also safe and beneficial. A lot has been written about problems that might arise with the arrival of “true AI,” either as a direct impact of such inventions or because of a programmer’s error. However, intentional malice in design and AI hacking have not been addressed to a sufficient degree in the scientific literature. It’s fair to say that when it comes to dangers from a purposefully unethical intelligence, anything is possible.

Why Is Cybersecurity So Hard?

Harvard Business Review

After nearly 20 years of trying and billions of dollars in investment, why are organizations still struggling with cybersecurity? In fact, the problem seems to be getting worse, not better. Answering this question requires moving beyond a purely technical examination of cybersecurity. It’s true that the technical challenges are very real; we don’t know how to write bug-free code, for example. But if you look at the challenge more broadly, even if we resolved the technical issues, cybersecurity would remain a hard problem for three reasons: it’s not just a technical problem; the rules of cyberspace are different from the physical world’s; cybersecurity law, policy, and practice are not yet fully developed. The first reason — that cybersecurity is more than just a technical problem, incorporating aspects of economics, human psychology, and other disciplines — has been explored in other articles in this cybersecurity series. However, the other two reasons also contribute strongly to making cybersecurity difficult, and our approaches must take them into account.

La de da de de, la de da de da

By Tom Davis, SDI Cyber Risk Practice

May 30, 2017

When it Comes to Cyber Deterrence, One Size Fits…One

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.

Protecting yourself in cyberspace requires multiple solutions working all together

Be cautious of the cybersecurity vendor that promises you a technical solution that will solve all of your cybersecurity problems. Life, unfortunately, is not that simple and a one-size-fits-all approach is bound to get you in trouble given today’s cyber complexities. Similarly, simply adopting a solution may not be enough. How you implement that solution could be the difference between operating a safer network or, inadvertently, making your network more vulnerable. One such solution is encryption.

In two articles posted on Tripwire, I make the case with Paul Ferrillo of Weil, Gotshal & Manges LLP that encryption and tokenization are good solutions (that are under-utilized from our experience) but that poor implementation of them can be the perfect recipe for your worst nightmares.

Why do such useful technologies come with this big caveat? The reason is that a “big picture” approach to cybersecurity has not really taken hold yet. As I have mentioned in a previous post, I view cybersecurity in the following manner: network security + information security = data security. The most basic questions, particularly at the board level, may not be getting asked, such as “what are our crown jewels?” or “where do we house our data?”

These are governance issues at their core, not technological ones, meaning that whatever technological steps you take to protect your data, you still may be overlooking the big picture (which will result in a loss of resources and open you up to liability). And because they are governance issues, there is a heavy dose of “human element” challenges associated with them.

If you accept the notion that you cannot achieve 100% security, your strategy should be to make your life as difficult as possible for your adversary. Let them seek out low hanging fruit as opposed to your own crown jewels. The only way to do this is by identifying what matters to you (the governance/human side of this problem), then employing technological solutions (like encryption and tokenization) in the right places and implementing them correctly, and still accepting that there are a series of human vulnerability challenges that need to be worked on.

All the encryption in the world does little for you if you have an employee who is a victim of a spear-phishing attack, all of which are getting better and better. Gmail users have been the latest targets with very real looking Google Docs emails coming from trusted sources.

Ultimately, you want your adversary to go elsewhere. I recognize this may come off as a deflection and some would question it as a strategy, but nefarious actors are humans too and they do have a preference for the path of least resistance as well. If your data is a bunch of meaningless garble to them (encryption and tokenization are good steps to make this happen), that is a big win for you and a big frustration for them. These types of actors will probably spend little time trying to attack you if you have taken these sensible steps.
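The post says tokenization and encryption make stolen data “meaningless garble” only when implemented correctly. The script below is an added example of what “implemented correctly” means for tokenization specifically; it is not code from this post or from the Tripwire articles it references. It places a weak scheme (a deterministic, unkeyed hash standing in for a token) beside a vault-backed one (random tokens whose only link to the original value lives in a separately guarded mapping). The record layout, field names, sample account numbers and the `TokenVault` class are all constructed for illustration.

```python
"""Tokenization done two ways: a weak deterministic scheme beside a vault-backed one.

Added example for the encryption/tokenization discussion above; not code from
the post or from the Tripwire articles.  Record layout, field names, sample
values and the TokenVault class are constructed for illustration.
"""
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample records; the account numbers are test values, not real.
RECORDS = [
    {"customer": "alice", "account": "4111111111111111"},
    {"customer": "bob", "account": "4000123412341234"},
]


def weak_token(value: str) -> str:
    """Unkeyed, deterministic "token".  Anyone who can guess the input can
    recompute this from the plaintext alone, so for low-entropy fields such as
    account numbers it protects nothing: the stolen store is still readable."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


@dataclass
class TokenVault:
    """Holds the only mapping between tokens and original values.

    The vault is now the crown jewel: it must live apart from the tokenized
    data store, with its own access controls and audit trail, or the
    tokenization buys nothing (stealing both stores is the same as stealing
    the original data)."""

    _forward: dict = field(default_factory=dict)  # value -> token
    _reverse: dict = field(default_factory=dict)  # token -> value

    def tokenize(self, value: str) -> str:
        # Reuse the token for a repeated value so the field stays joinable
        # inside the application, but never derive it from the value itself.
        if value in self._forward:
            return self._forward[value]
        token = "tok_" + secrets.token_hex(8)  # random: no relation to the value
        self._forward[value] = token
        self._reverse[token] = value
        return token

    def detokenize(self, token: str) -> str:
        """Only code with vault access can ever get the original back."""
        return self._reverse[token]


def tokenize_records(records, vault, fields=("account",)):
    """Return copies of the records with the sensitive fields replaced by tokens.
    The returned list is what the application database stores."""
    out = []
    for rec in records:
        copy = dict(rec)
        for name in fields:
            copy[name] = vault.tokenize(copy[name])
        out.append(copy)
    return out


def token_is_reproducible_without_secret(value: str, token: str) -> bool:
    """True when the token can be recomputed from the plaintext with no key
    and no vault, i.e. when the 'tokenization' is really just hashing."""
    return weak_token(value) == token


if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_records(RECORDS, vault)
    print("application store:", stored)
    print("weak token for alice:", weak_token(RECORDS[0]["account"]))
```

The separation is the whole point: a breach of the application store yields records whose `account` field is random and cannot be related back to anything without the vault, whereas the weak scheme leaks the same information to anyone who can enumerate plausible inputs. Where the vault itself sits, who can call `detokenize`, and how that is logged are the governance questions the post is asking the board to answer.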

It is the actors that are determined and want your crown jewels that should be keeping you up at night. These actors will undoubtedly focus more on social engineering attacks and good ole fashioned tradecraft to try to get what they want, reinforcing the point that the cybersecurity challenge cannot be looked at through a solely technological lens. Curiosity, fear, and urgency are what these actors use to prey on their targets, so in addition to technological steps, make sure your employees and leadership are trained to spot things that look off.

All these solutions, working in tandem, are what will keep you safest in cyberspace.

May 23, 2017

See George’s previous post: How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?