Collateral Damage in Cyber Warfare

Hot on the heels of the infamous WannaCry ransomware attack came the less heralded and seemingly less consequential Petya cyberattack. WannaCry was big and bold, and obviously well named. Petya didn’t seem to measure up, and researchers noted that less than $10,000 was paid in ransom. However, it soon became apparent that Petya was not a ransomware attack, but actually aimed at destroying data. Given that much of the damage associated with Petya focused on Ukraine, suspicion quickly turned to Russia, the assumption being the attack was part of Russia’s ongoing efforts to destabilize Ukraine. Whether the attack actually was carried out by individuals acting on behalf of Russia remains unproven, but what is clear is that, as is the case in all conflicts, there are ancillary casualties.

Take, for example, FedEx, which acquired Dutch shipping company TNT Express for $4.8 billion last year to compete with United Parcel Service Inc. and Deutsche Post AG’s DHL. What seemed like a good aggressive business move now has become a major headache. TNT operations were completely disrupted by the Petya attack, and FedEx now says it has not been able to recover some systems, and may never be able to recover some critical business data.

FedEx just filed its Securities and Exchange Commission (SEC) Form 10-K, and it forecasts material losses. The list of reasons why those losses are mounting is instructive:

⋄ loss of revenue resulting from the operational disruption immediately following the cyber-attack;
⋄ loss of revenue or increased bad debt expense due to the inability to invoice properly;
⋄ loss of revenue due to permanent customer loss;
⋄ remediation costs to restore systems;
⋄ increased operational costs due to contingency plans that remain in place;
⋄ investments in enhanced systems in order to prevent future attacks;
⋄ cost of incentives offered to customers to restore confidence and maintain business relationships;
⋄ reputational damage resulting in the failure to retain or attract customers;
⋄ costs associated with potential litigation or governmental investigations;
⋄ costs associated with any data breach or data loss to third parties that is discovered;
⋄ costs associated with the potential loss of critical business data;
⋄ longer and more costly integration (due to increased expenses and capital spending requirements) of TNT Express and FedEx Express; and
⋄ other consequences of which we are not currently aware but will discover through the remediation process.

Oh, and FedEx also noted it did not have insurance against these losses. Going forward, FedEx may become the poster child for why cyber insurance makes sense.

By Tom Davis, SDI Cyber Risk Practice

July 25, 2017

Cybersecurity Starts With Basics

One undeniable fact: the 2016 elections brought the word “cybersecurity” into the mainstream.  The problem that stemmed from that fact: nobody is actually sure what “cybersecurity” is.  And as a result, we spin our wheels or head off into differing directions.

For all the tech talk, commentary, and promise of some incredible “save you from all cyber threats” solution, lost in the conversation are the cybersecurity basics.  It is a disservice to all when pundits use words such as hack and leak interchangeably.  Those who have a more informed understanding of the issue know that these terms have very different meanings.  The same can be said for words such as stolen and copied.  They are not the same and are often confused, even misused.  And how about this one: the difference between authorized access by an unauthorized user and unauthorized access.  The fine nuance between the two can entirely re-characterize the nature of an attack.

I have not conducted a formal study to know how many people know the differences or can spot the nuances, but from informal observation of my own experiences, about 95% of people cannot tell the difference and of the 5% that do, almost all of them have some form of security-type training or professional work experience.  Another informal observation: even those who have the training still cannot always spot the difference.

Why is all of this important?  Because if we cannot get the basics right, chances are everything that follows will be wrong, insufficient, or inadequate.

I start from this premise: we have finite resources.  I do not think anybody serious would disagree with me on this premise.  Therefore, let us be smart about how we use these resources.  And part of being smart is asking the right questions and knowing the basics.

In the middle of serious cybersecurity policy debate, does it make a difference if a Senator asks a witness whether data was stolen or copied?  Yes, it does.  In trying to determine how an attack happened, does it make a difference when the Board asks its IT manager if the source of the attack came from authorized access by an unauthorized user or by unauthorized access?  Yes, it does.

The human brain can only process so much information, and the more complex we make the cybersecurity discussion, the greater the likelihood of us mucking it up.  Add into the mix a disregard or misunderstanding of the basics and the muck-up is almost certain.

What are the basics?  A few are here, from my last #CyberTuesday blog.  Successful cybersecurity relies on personal ownership.  Somebody else does not make you fit; you make yourself fit.  And we are quite poor at personal ownership, with multiple studies showing that human action/error is responsible for 90+% of successful attacks or breaches.

Some more basics include the understanding of terminology and the state of affairs.  We know the difference between somebody kicking down the front door of my house and somebody stealing my house keys and walking in the front door.  If somebody kicked down your front door, chances are you need a stronger door, or you may consider putting a gated fence around your house to make it more difficult for a perpetrator to get to your front door.  If somebody stole your house keys, you would do a better job of protecting your keys.

It is worth asking: would you erect a 30-foot-high, six-foot-thick steel perimeter around your property if you lost your front door keys?  No, as that would be resource overkill.  Instead, you would likely change the locks on your doors.  And if your problem is your keys getting stolen, what good exactly does this mega-fortress bring you?  Unless you plan to seal yourself off from the entire world, the mega-fortress will need an access point, say, like a door with a lock.  What happens when you lose your keys again?  Build a mega-mega-fortress that will protect the mega-fortress?

If this is sounding a bit ridiculous, welcome to the world of cybersecurity.  Because so many of the basics are misunderstood, or even outright ignored, many of us are seeing mega-mega-fortresses being erected all over the place.  But we are not exactly sure if they are making anybody more secure.  Part of what we do at SDICyber is to help you understand these basics.  The basics can work miracles, as I point out here with some fellow patriots.

There is no harm in saying that you are unsure of the basics.  Nor should you be embarrassed to ask that question.  That very admission may be the most crucial step to getting you cyber secure.

By George Platsis, SDI Cyber Risk Practice

July 11, 2017

A Phishing Hole

One of the more interesting English language colloquialisms is the phrase “fish or cut bait,” generally used to suggest a decision must be made. It derives from a time in which catching fish with bait often meant dividing responsibilities, with someone fishing while another was cutting bait up to be used to catch the fish. In an odd way this catchy little phrase now applies to one of the most persistent cybersecurity threats in use—spear phishing.

In the face of determined efforts to educate the population about the use of spear phishing, the number of phishing attacks continues to rise dramatically. Why? Quite simply—they work really, really well.  Leading cybersecurity firm FireEye recently reported that “84% of organizations said a spear-phishing attack successfully penetrated their organization in 2015. The average impact of a successful spear-phishing attack: $1.6 million. Victims saw their stock prices drop 15%.”

English cyber firm Sophos just released a white paper titled “Don’t Take The Bait,” which takes a look at why phishing attacks are on the rise. They suggest that more people are successfully “phishing” because a cottage industry has grown around the cyber equivalent of cutting bait.  The paper notes that it is ever easier for cyber criminals to acquire sophisticated fishing tools. “An interesting facet of the phishing ecosystem is that there are a large number of actors committing attacks, but only a small number of phishers that are sophisticated enough to write a phishing kit from scratch. Because of this, phishing kits are now widely available for download from dark web forums and marketplaces, and give attackers all the tools they need to create profitable phishing attacks: emails, web page code, images, and more.”

The white paper goes on to report that “In fact, attackers don’t even need to know how to create malware or send emails anymore. As-a-service and pay-as-you go solutions permeate most online service technologies, and phishing is no different….”  Among those services, an enterprising person who wishes to phish can use a ransomware service provider who will take a cut of each ransom paid, or a phishing service provider who will guarantee that the user will only be billed for emails actually delivered. The Postal Service should be so efficient.

It is increasingly important that businesses respond to the emphasis on phishing attacks with a countervailing emphasis on education and training, and employ rigorous internal standards to diminish the prospect that an employee might inadvertently send information or money to a cyber criminal. Don’t think more about whether to do so, it’s time to fish or cut bait.

By Tom Davis, SDI Cyber Risk Practice

June 20, 2017

Personal Cyber Health and Hygiene: More Expensive Shoes Don’t Make You Run Faster

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.

It’s January 2nd and you have just finished your latest culinary blowout from the holiday season.  You look down towards your toes and you see something obstructing your view that wasn’t there just three weeks ago.  And of course, you fear walking towards the scale because you already know it’s going to be bad news.

So what do you do?

Sign up for an expensive gym membership and spend $300 on new training gear of course!

Unfortunately, neither of those will make a difference unless you put your best foot forward and start working your own butt off.  Worse, if you do not put that expensive membership and new gear to good use, you are only a few months (weeks?) away from saying, “I wish I didn’t spend all that money for nothing!”

I fear I am about to upset a few people by stating the following: good cyber health and hygiene is a lot like personal health and weight management.  It takes time, effort, and dedication to keep in top form and it is also very easy to go off the rails if you do not watch what you’re doing.  Furthermore, each time you go off the rails it becomes harder and harder to get back to the good form.  And the only real difference between your health and cyberspace is that you can at least upgrade your device or operating system, whereas when it comes to our personal health, we are stuck with the same body and brain for our entire lives.

Wasting your time and money on the latest fad exercise machine or diet will be just that, a waste of time and money, especially if you are not ready to put yourself through the daily grind.  Same goes for cyber tools that promise you a path to the mythical place known as CybersecureLand, a place where you can click on any link without any fear because the magical Fairy Cybermother will protect you and whisk any malicious code back to the depths of Maldorware.

This is uncharacteristic of me, but I will delve into the personal to illustrate my point.  There was a time in my life where I had a slightly different “shape” (okay, more than slightly).  This shape was unhealthy and thankfully I realized that if I were to keep this shape for any prolonged period of time, I would be down the road to a full network malfunction where even a full system reboot would do little for me.  So what did I do?  I said, “George, clean yourself up.”

How did I do this?

1) Cut unnecessary calories (don’t go to bad websites unless you want to feel blah later).

2) Simple rule when it comes to calories and working out: Input/Output (keep an eye on your inbound and outbound traffic, both in type and volume, because variances should worry you).

3) Just get into a routine and stick to it no matter what (this is called automatic updates and patching your system regularly, people…it’s boring, it’s mundane, but if you don’t do it, you’re asking for trouble).

4) Don’t go overboard off the top because you’ll overwhelm yourself and walk away (you do not need to be an expert on how to build a cryptographic key; you need to know how to use one).

5) Play the long game (if you expect to go from a sieve to J.J. Watt overnight you are going to find out you are not J.J. Watt…it takes time to get game ready, but that should not stop you from building up to a goal and each little progression does actually make you better).

6) Resist the temptation (easier said than done, but the risks are much higher in cyberspace…one night of fried chicken during a month-long stretch of good behavior will not give you a heart attack, but one wrong click may do just that).

7) If you plan to cheat, be prepared to go double-time during your next workout (you really want to go to that website you know you shouldn’t?…fine, but if your data isn’t backed up and you don’t have a clean system and application image to install on your system if things go wrong, you will feel pain).

8) Train, train, train and push your limits so you can build muscle memory (remember that time it was hard to jog for 20 minutes and now you run for 60 minutes like it’s nothing?…that’s how passwords work too…your brain is just a muscle that needs training, meaning that if you work hard, it’s possible for anybody to go from qwerty1234 to H@Uxs$#8218!!47vwq).

9) Trainers are only useful for specialized things, like intense weight training or self-defense (there are certain things you need to be taught, so go to an expert and know your limits…like writing your own cryptographic key).

10) Train your entire body (having a 24 inch bicep, a 46 inch waist, and a 12 inch calf is probably not balanced health management…updating your anti-virus but not installing critical patches is not balanced cyber health).

11) There is no magical exercise machine that does everything (for every technological convenience, like single sign-on services, there is an undetermined, and potentially explosive, cost).

12) It takes time for your metabolism to reset (for most, it is financially unfeasible to uproot your entire network and replace it…this means you are working on legacy systems that take time to upgrade and get up to speed).

13) You are dealing with a system, not a silo (the body is a fascinating and complex machine, meaning that your food intake, exercise output, sleep patterns, mental health, water balance, muscle-to-fat ratio, pH levels, and so on are intertwined, where one impacts the other…network, information, and data systems, in many ways are the same, meaning that if one is out of whack, the others will almost certainly suffer).

14) You need to be your own best motivator (ultimately, it’s all on you and your own decision will decide your fate).

Sometimes you need that super fancy exercise machine, or that aerodynamic gear, or those shoes that weigh only three ounces to reach your goal (which also means you’re probably training for a marathon or the Olympics).  But if you’re not doing that (or defending the nation’s secrets) some basic exercises and practices make a world of difference.

For example, it’s amazing what simple things, like push-ups, sit-ups, crunches, and running, along with a balanced diet can do for your health.  Using encryption, patching your system, turning on regular updates, and backing up your data, along with knowing how to identify phishing and spear-phishing attempts go a long way in your overall cyber health and hygiene.

Ultimately, good health and weight management is a lifestyle change that you need to stick to.  Cyber health and hygiene is no different.  When it came to my own weight loss, it was sober realization and honest assessment that made me say, “George, fix this or you’re going to be in real trouble.”  That was the only motivation I needed.  It wasn’t easy.  In fact, it sucked and was hard, especially at the beginning.  But long-term health trumped the short-term pain.  And that’s the only motivation you should need when it comes to your own cyber health and hygiene.

June 6, 2017

Exploring the Cybersphere – May 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

As May prepares to give way to the promise of the month of June, it’s time to look back at some of the cyber stories that dominated the headlines during the month. The month begins with May Day, a tradition handed down from ancient times, when children dance around maypoles, festooned with flower crowns. The ancient rites celebrated the end of winter, and the dawn of a new season, a time to have hope. Locals could brag about who had the biggest maypole, perhaps the beginning of another practice that lasts to this day. As it happens, May Day is an apt characterization of the month’s cyber events, particularly if said three times in rapid succession.

The Beat Goes On

Cyberattacks involving extortion are on the up, Verizon says

Cyberattacks involving ransomware — in which criminals use malicious software to encrypt a user’s data and then extort money to unencrypt it — increased 50 percent in 2016, according to a report from Verizon Communications Inc. And criminals increasingly shifted from going after individual consumers to attacking vulnerable organizations and businesses, the report said. Government organizations were the most frequent target of these ransomware attacks, followed by health-care businesses and financial services, according to data from security company McAfee Inc., which partnered with Verizon on the report published Thursday. Instances of ransomware attacks have grown along with the market for bitcoin, the digital currency that is most commonly how cybercriminals demand ransoms be paid because of its anonymity. While overall most malware was delivered through infected websites, increasingly criminals were turning to phishing — using fraudulent emails designed to get a user to download attachments or click on links to websites that are infected with malware — to carry out attacks. A fifth of all malware raids began with a phishing email in 2016, while fewer than 1 in 10 did the year before, according to the report.

Cybercriminals breached over a billion accounts last year

Cybercriminals had a very good year in 2016 — and we all paid the price. These digital bandits became more ambitious and more creative and that resulted in a year marked by “extraordinary attacks,” according to the 2017 Internet Security Threat Report from Symantec. “Cyber crime hit the big time in 2016, with higher-profile victims and bigger-than-ever financial rewards,” the report concluded.

And The Beat Goes On

World reels from massive cyberattack that hit nearly 100 countries
Organizations around the world were digging out Saturday from what experts are calling one of the biggest cyberattacks ever. Hospitals, major companies and government offices were hit by a virus that seeks to seize control of computers until the victims pay a ransom. Experts said that even as the spread of the attacks apparently has been stymied, its full ramifications are not yet known because the virus may be lurking still on computers around the world. Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries on Friday, making it one of the broadest and most damaging cyberattacks in history. Avast said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like Fedex (FDX) also reported they had come under assault. Security experts said the spread of the ransomware had been inadvertently stopped late Friday. The ransomware was designed to repeatedly contact an unregistered domain in its code. A 22-year-old security researcher in the U.K, who goes by MalwareTech, registered that domain to analyze the attack, but it turned out the ransomware needed it to remain unregistered to keep spreading. “Thus by registering it we inadvertently stopped any subsequent infections,” he told CNNTech. However, a hacker could change the code to remove the domain and try the ransomware attack again.

Global cyberattack “highly likely” linked to North Korea group

A top cybersecurity firm say it’s “highly likely” that the biggest cyberattack the world has ever seen is linked to a hacking group affiliated with North Korea. The global ransomware attack known as WannaCry targeted hundreds of thousands of computers in around 150 countries, hitting hospitals, businesses and other organizations. In a blog post late Monday, security researchers at Symantec said the “tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus,” a hacking group that has previously been tied to North Korea. “We have high probability that these two are absolutely connected,” said Vikram Thakur, Symantec’s security response technical director. Lazarus has been linked to the hack on Sony Pictures, for which the U.S. government blamed North Korea, and a wave of attacks on banks around the world, including a major theft from Bangladesh’s central bank.

Drums Keep Pounding A Rhythm To The Brain

Why cyber attacks will continue until prevention becomes a priority

Organizations must rethink their security measures. Focus on training, getting rid of old tech, and overcoming apathy. Some learn best through observation, others only after making a costly mistake. Unfortunately, many businesses have failed to heed the cybersecurity lessons learned from the litany of major attacks over the past few years. Modern cybersecurity threats have evolved far beyond the days where keyloggers and suspicious emails were considered sophisticated threats. They’ve grown to incorporate new attack vectors such as connected devices, as used in the 2016 Dyn distributed denial-of-service attack that disrupted many popular websites. Businesses must also contend with leaked exploits discovered by government intelligence agencies, such as the Vault 7 WikiLeaks revelations around security flaws in virtually every major operating system and application. It’s time for organizations to rethink their approach to security. Keeping your organization safe must be a full-time commitment, not simply a passing concern following the latest report of a data breach.

AI is the future of cybersecurity, for better and for worse

In the near future, as artificial intelligence (AI) systems become more capable, we will begin to see more automated and increasingly sophisticated social engineering attacks. The rise of AI-enabled cyberattacks is expected to cause an explosion of network penetrations, personal data thefts, and an epidemic-level spread of intelligent computer viruses. Ironically, our best hope to defend against AI-enabled hacking is by using AI. But this is very likely to lead to an AI arms race, the consequences of which may be very troubling in the long term, especially as big government actors join the cyber wars. My research is at the intersection of AI and cybersecurity. In particular, I am researching how we can protect AI systems from bad actors, as well as how we can protect people from failed or malevolent AI. This work falls into a larger framework of AI safety, attempts to create AI that is exceedingly capable but also safe and beneficial. A lot has been written about problems that might arise with the arrival of “true AI,” either as a direct impact of such inventions or because of a programmer’s error. However, intentional malice in design and AI hacking have not been addressed to a sufficient degree in the scientific literature. It’s fair to say that when it comes to dangers from a purposefully unethical intelligence, anything is possible.

Why Is Cybersecurity So Hard?

Harvard Business Review

After nearly 20 years of trying and billions of dollars in investment, why are organizations still struggling with cybersecurity? In fact, the problem seems to be getting worse, not better. Answering this question requires moving beyond a purely technical examination of cybersecurity. It’s true that the technical challenges are very real; we don’t know how to write bug-free code, for example. But if you look at the challenge more broadly, even if we resolved the technical issues, cybersecurity would remain a hard problem for three reasons: it’s not just a technical problem; the rules of cyberspace are different from the physical world’s; and cybersecurity law, policy, and practice are not yet fully developed. The first reason — that cybersecurity is more than just a technical problem, incorporating aspects of economics, human psychology, and other disciplines — has been explored in other articles in this cybersecurity series. However, the other two reasons also contribute strongly to making cybersecurity difficult, and our approaches must take them into account.

La de da de de, la de da de da

By Tom Davis, SDI Cyber Risk Practice

May 30, 2017
When it Comes to Cyber Deterrence, One Size Fits…One

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.

Protecting yourself in cyberspace requires multiple solutions working all together

Be cautious of the cybersecurity vendor that promises you a technical solution that will solve all of your cybersecurity problems. Life, unfortunately, is not that simple and a one-size-fits-all approach is bound to get you in trouble given today’s cyber complexities. Similarly, simply adopting a solution may not be enough. How you implement that solution could be the difference between operating a safer network or, inadvertently, making your network more vulnerable. One such solution is encryption.

In two articles posted on Tripwire, I make the case with Paul Ferrillo of Weil, Gotshal & Manges LLP that encryption and tokenization are good solutions (that are under-utilized from our experience) but that poor implementation of them can be the perfect recipe for your worst nightmares.

Why do such useful technologies come with this big caveat? The reason is that a “big picture” approach to cybersecurity has not really taken hold yet. As I have mentioned in a previous post, I view cybersecurity in the following manner: network security + information security = data security. The most basic questions, particularly at the board level, may not be getting asked, such as “what are our crown jewels?” or “where do we house our data?”

These are governance issues at their core, not technological ones, meaning that whatever technological steps you take to protect your data, you still may be overlooking the big picture (which will result in a loss of resources and open you up to liability). And because they are governance issues, there is a heavy dose of “human element” challenges associated to them.

If you accept the notion that you cannot achieve 100% security, your strategy should be to make life as difficult as possible for your adversary. Let them seek out low-hanging fruit as opposed to your own crown jewels. The only way to do this is by identifying what matters to you (the governance/human side of this problem), then employing technological solutions (like encryption and tokenization) in the right places and implementing them correctly, while still accepting that there is a series of human vulnerability challenges that need to be worked on.

All the encryption in the world does little for you if you have an employee that is a victim of a spear-phishing attack, all of which are getting better and better. Gmail users have been the latest targets with very real looking Google Docs emails coming from trusted sources.

Ultimately, you want your adversary to go elsewhere. I recognize this may come off as a deflection and some would question it as a strategy, but nefarious actors are humans too and they do have a preference for the path of least resistance as well. If your data is a bunch of meaningless garble to them (encryption and tokenization are good steps to make this happen), that is a big win for you and a big frustration for them. These types of actors will probably spend little time trying to attack you if you have taken these sensible steps.
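The two preceding paragraphs argue that encryption and tokenization only turn your data into “meaningless garble” for an adversary when they are implemented correctly. The following is an added example, not SDI’s or the author’s code, showing what “implemented correctly” means for tokenization in particular. It contrasts an unkeyed hash (an anti-pattern: anyone who can guess the value can reproduce the token, so a leaked token table is barely better than plaintext), a keyed HMAC (deterministic, so lookups still work, but not reproducible without the key), and a vault of random tokens (the token carries no information about the value at all). The card number, the vault class, and the function names are all constructed for this illustration.

```python
"""Tokenization done poorly versus done well (constructed example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed test value; not a real account number.
SAMPLE_PAN = "4111111111111111"


def weak_tokenize(value: str) -> str:
    """Anti-pattern: an unkeyed hash. Deterministic and reproducible by anyone
    who holds the plaintext, so the token table leaks equality and can be
    matched against guessed values without any secret."""
    return hashlib.sha256(value.encode()).hexdigest()[:16]


def keyed_tokenize(value: str, key: bytes) -> str:
    """Better: HMAC under a secret key. Still deterministic (so joins and
    lookups work), but the token cannot be rebuilt without the key. The key
    must live outside the database that stores the tokens (a KMS or HSM)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


class TokenVault:
    """Best for crown-jewel data: random tokens, with the token-to-value map
    held in a separate vault. The token reveals nothing about the value; only
    the vault can map it back, so the vault is what you protect and audit."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:        # same value -> same token
            return self._value_to_token[value]
        token = secrets.token_hex(8)              # 64 random bits, 16 hex chars
        while token in self._token_to_value:     # vanishingly rare collision
            token = secrets.token_hex(8)
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only callers with vault access can recover the value."""
        return self._token_to_value.get(token)


def reproducible_without_secret(token: str, value: str) -> bool:
    """Defender's check: can this token be rebuilt from the plaintext using
    only the public (unkeyed) construction? If yes, the tokenization adds
    no real protection against anyone who can guess the value."""
    return hmac.compare_digest(weak_tokenize(value), token)


def demo() -> dict:
    """Run all three schemes over the sample value and report the checks."""
    key = secrets.token_bytes(32)   # in production this comes from a KMS/HSM
    vault = TokenVault()
    weak = weak_tokenize(SAMPLE_PAN)
    keyed = keyed_tokenize(SAMPLE_PAN, key)
    random_tok = vault.tokenize(SAMPLE_PAN)
    return {
        "weak_reproducible": reproducible_without_secret(weak, SAMPLE_PAN),
        "keyed_reproducible": reproducible_without_secret(keyed, SAMPLE_PAN),
        "vault_reproducible": reproducible_without_secret(random_tok, SAMPLE_PAN),
        "vault_roundtrip": vault.detokenize(random_tok) == SAMPLE_PAN,
        "vault_stable": vault.tokenize(SAMPLE_PAN) == random_tok,
        "unknown_token": vault.detokenize("0" * 16),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The governance question the post raises decides which scheme is right: a keyed HMAC is enough where analysts only need to match records, while data you would be sued over belongs in a vault whose access is logged. In either case the secret (key or vault) has to be stored and guarded separately from the tokens, or the “meaningless garble” is meaningful again the moment the database leaks.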

It is the actors that are determined and want your crown jewels that should be keeping you up at night. These actors will undoubtedly focus more on social engineering attacks and good old-fashioned tradecraft to try to get what they want, reinforcing the point that the cybersecurity challenge cannot be looked at through a solely technological lens. Curiosity, fear, and urgency are what these actors use to prey on their targets, so in addition to technological steps, make sure your employees and leadership are trained to spot things that look off.

All these solutions, working in tandem, are what will keep you safest in cyberspace.

May 23, 2017

See George’s previous post: How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?

North Korea Again? WannaCry?

“Round up the usual suspects,” a phrase memorably used by Captain Louis Renault, the French prefect of police, to exonerate Rick Blaine of the killing of Nazi Major Strasser in the classic film Casablanca, has been culturally accepted as a way of saying “let’s start with those who most can agree are likely to have been involved in x.” Thus it should come as little surprise that a number of cybersecurity experts are now suggesting that hackers connected to North Korea unleashed the “WannaCry” malware virus that crippled computers around the world over the past weekend.

Of late, North Korea has been most in the news for its penchant for firing off missiles with varying degrees of success, while threatening to do very bad things to whatever country is near or at the top of its current enemies list. But just a couple years ago, U.S. intelligence officials alleged North Korea was behind the cyber attack on Sony Pictures. Admittedly, the fact that the hackers demanded Sony not release a comedy that centered on the assassination of North Korean leader Kim Jong-Un raised suspicions about North Korean involvement, but the more substantial evidence included the use of tools and techniques known to have been used by North Korean hackers in previous attacks on South Korea.

The WannaCry virus locked up over 200,000 computers and spread to more than 150 countries. The estimated losses to those affected run into the billions, largely due to the disruption. Companies in Europe, Russia, and China were particularly affected. Interestingly, at last count the “ransomware” had yielded a relatively paltry $50,000 to the perpetrators, which taken at face value suggests not many people paid the ransom.

The New York Times has a fascinating story about why China seems to have been disproportionately affected by the virus.

Long known as a haven for pirated software, the fact that major Chinese companies, government agencies and universities were disrupted speaks volumes about how widespread the use of pirated software is in China. It might also call into question just how carefully planned was the unleashing of the WannaCry virus. Although the relationship between China and North Korea seems to be a bit testy at the moment, one wonders whether North Korea really would like to be seen as behind an attack doing serious injury to Chinese interests. We’ll need a little more time to determine whether in rounding up the usual suspects we’ve gotten to the bottom of the planning behind the WannaCry virus.

By Tom Davis, SDI Cyber Risk Practice

May 16, 2017

It’s a Guy Thing

Hey guys! This is a normal salutation, with a most unusual history. It turns out that American usage of the term “guy” traces back to the ill-fated Guido Fawkes. Guido was none other than Guy Fawkes, who now is best remembered as the face that adorns the masks worn by generations of anarchists and dissidents, including, of course, the noteworthy hacktivist group, Anonymous.

Guy Fawkes made his mark about 400 years ago when he participated in a plot to murder King James I. The basic idea was to blow the King to smithereens by touching off barrels of gunpowder stored beneath the House of Lords. Unfortunately for Mr. Fawkes, both he and the gunpowder were discovered in the early hours of November 5, 1605. In relatively short order, after a bit of torture to get at the truth, Guy Fawkes and seven of his co-conspirators were given a taste of English justice. Having been found guilty of attempting to assassinate the King, the following was prescribed: “each of the condemned would be drawn backwards to his death, by a horse, his head near the ground. They were to be ‘put to death halfway between heaven and earth as unworthy of both.’ Their genitals would be cut off and burnt before their eyes, and their bowels and hearts removed. They would then be decapitated, and the dismembered parts of their bodies displayed so that they might become ‘prey for the fowls of the air.’”

That rather ignominious end might have been the last we heard of Guy Fawkes were it not for the fact that an Act of Parliament proclaimed each succeeding November 5th as a day of thanksgiving for the deliverance of the King, and the English chose to celebrate “Guy Fawkes night” by lighting bonfires and tossing effigies of Guy Fawkes into them. In the strange way the world works, the English began referring to the effigies, and other strangely dressed folks, as guy, and Americans adopted the term and use it far more generally. The use of the bonfires offers another twist of irony, for English wits have long toasted Guy Fawkes as “the last man to enter parliament with honest intentions.”

Our Guy Fawkes wearing friends at Anonymous have just released a video warning us to prepare for World War III. Anonymous has a pretty good track record in predicting the impact of DDoS attacks it carries out, but its ability to accurately predict the apocalypse is open to question. However, their allegiance to the wearing of the Guy Fawkes masks is testament to the truth of at least part of their traditional sign off: “prepare for what comes next. We are Anonymous. We are legion. We do not forgive. We do not forget.”

By Tom Davis, SDI Cyber Risk Practice

May 9, 2017

The Shadow May Have Got it Wrong

In 1937, an American radio series named “The Shadow” made its debut. Its dramatic opening line—“Who knows what evil lurks in the hearts of men? The Shadow knows!”—captured the imagination of the nation and lives on to this day. Lost in the shrouds of time is the line uttered at the close of each episode—“The weed of crime bears bitter fruit. Crime does not pay…The Shadow knows!” It turns out The Shadow was not particularly prescient when it comes to today’s cyber criminals. It’s a fair bet The Shadow would see the world differently after running into the Shadow Brokers, a group which announced its presence with a series of messages like…

“!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT+ LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

If you are following this at home, the Equation Group is allegedly tied to the National Security Agency, and is considered highly sophisticated in its hacking capabilities, presumed responsible for, among other things, the Stuxnet virus that crippled Iran’s nuclear program. So, the Shadow Brokers, acting on information from Kaspersky, itself accused of ties to Russian intelligence, offered to sell tools pilfered from an entity believed to have ties to American intelligence. This would make a grand movie plot, but the outcome here has significant real life implications.

The tools being sold and released by the Shadow Brokers are opening up vast new opportunities for cyber criminals. After the latest release by the group, security expert Matthew Hickey said “It is by far the most powerful cache of exploits ever released. It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it.”

Forbes just ran a piece that looked at how the Shadow Brokers’ leaks have led to real world attacks, and what may be in the offing. The article closed with a timely reminder from security guru Bruce Schneier: “Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.”

Who knows what evil lurks in the hearts of men? We are, once again, about to find out.

By Tom Davis, SDI Cyber Risk Practice

May 2, 2017

Exploring the Cybersphere – April 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

There is an adage, old, like all adages, that goes, “April showers bring May flowers.” One might add that a more particular benefit for those suffering from allergies is they wash the pollen from the air, offering sweet respite for at least short periods. In furtherance of this line of thought, the April cybersecurity news might fall under the heading “Into each life some rain must fall.”

New frontiers in cyber security: locomotives without wheels, moats, deep learning at the edge

Industry analyst Bob Sorensen recently told us something most IT managers already know deep in their apprehensive hearts: cyber security is in a sorry state (see “Be More Afraid,” Enterprise Tech, Nov. 18, 2016). Security at many companies is somewhat marginalized, an unfavored area that lies outside core IT operations and procedures, a focal point at many companies of ineffectuality and denial that can be characterized as: Don’t just do something, sit there! Part of the problem: cyber security is purely defensive in nature. We don’t want it until we need(ed) it. It doesn’t add to the bottom line, it’s a cost center seen as hindering optimal operations. Corporate boards tell senior managers that, yes, of course cyber security is important, but don’t let it interfere with daily business. Yet everyone grasps the bottom line and reputation risks of poor security….Instead of further bemoaning this state of affairs, let’s look at the bright spots, the best-in-class cyber security practices some companies have adopted and the emerging technologies that leverage big data analytics, machine learning and quantum computing.

Cybersecurity remains an elusive business priority

I’ve been remiss by not blogging earlier this year about ESG’s annual IT spending intentions research. The year 2017 continues to follow a pattern: Cybersecurity is a high business and IT priority for most organizations… Allow me to provide a bit of analysis to this data (after all, I am an industry analyst): 1. There is growing demand for cybersecurity technologies, so 2017 should be another banner year for vendor revenue, VC investment, M&A activity and IPOs. 2. Boards are getting more involved in cybersecurity, which is driving more demand for data and metrics. In other words, executives are willing to spend on cybersecurity, but they want to better understand what they get for their money. Executive reporting tools for cybersecurity will grow precipitously….

Why we should let our walls down when it comes to cybersecurity

With digital threats growing more rampant across the country and from around the world, the idea of building “walls” for cyber defense and protection can seem appealing. But even in this age of hackers relentlessly penetrating our networks, in the information technology security industry, we know that walls don’t work. The truth is that surrounding yourself with impenetrable barricades is akin to sticking your head in the sand. Walls by themselves fail to tackle the root cause of threats, meaning any sense of safety created is artificial. Organizations need to have a holistic security posture that spans their internal network and devices. More importantly, they must anticipate malicious external threats. For protection, traditional IT security systems have for a long time relied on perimeter defenses, such as firewalls, intrusion detection systems and intrusion prevention systems. But that paradigm has changed, as cybercriminals have evolved and cyberattacks have increased in volume and sophistication. In 2015, there were 430 million unique pieces of malware, up 36 percent from the prior year. It’s a number only continuing to explode. Singular perimeter defenses are no longer enough.

IT Getting Defensive

Preventing cyber attacks – this time it’s personal

Security professionals are putting pressure on themselves to secure their organization’s systems according to the findings of a new report. The 2017 Security Pressures Report from managed security specialist Trustwave surveyed over 1,600 security decision makers around the world and finds that while 53 percent of respondents report increased pressure in trying to secure their organization, that pressure is becoming more personal as 24 percent say they put the most pressure on themselves, up from 13 percent last year. The findings also show that pressure from the boardroom and from c-level executives has decreased significantly as it’s shifted to IT professionals themselves. The most feared repercussion of a cyber attack or breach is reputation damage to themselves or their company, ahead of financial damage to the company and termination of employment.

Former White House CIO calls for a cybersecurity reset

The IT community needs a total reset in the way they think about cybersecurity, according to former White House CIO Theresa Payton. “I think back ten years and I realize that we actually haven’t made a single one of your security problems go away, and you need to hold us accountable for that,” Payton said. “Name one. We have reduced risks in the security industry, name a problem we actually made go away for you,” she said. “But I’m really excited because I think we are at a turning point where we’ll have that opportunity.” Payton, who spoke at the Forcepoint Cybersecurity Leadership Forum on Tuesday, described how the government has characterized bringing breach detection times down from over 400 days to a little more than 200 as a win in cybersecurity. “I’ve got to tell you, this does not feel like winning to me,” Payton said.

I’m From the Government and I’m Here to Help

FTC takes over as top cybersecurity enforcer

The Federal Communications Commission’s role as a driver of national cybersecurity policy, promoted by former Chairman Thomas Wheeler, was effectively scrapped last week when Congress passed a measure killing the commission’s 2016 cybersecurity and privacy rules. The move was strongly welcomed by the telecom industry and leaves another alphabet-soup agency — the Federal Trade Commission — as “the cop on the beat” when it comes to cyber. That’s a role the trade commission has long embraced, but it will take a different and perhaps more reactive approach to cybersecurity in comparison with Wheeler’s communications commission. Many telecom industry groups prefer the FTC’s enforcement approach, which is based on guiding principles for cyber best practices, to what they saw as prescriptive rules on cyber spelled out by the recently departed Wheeler team at the FCC.

Congress returns, but the real cybersecurity action is taking place off the Hill

Lawmakers return to Capitol Hill this week with a few cybersecurity items on the agenda for the upcoming legislative work period, while the most significant efforts in the coming months may be taking place at the White House and at the National Institute of Standards and Technology’s campus in suburban Maryland.

By Tom Davis, SDI Cyber Risk Practice

April 25, 2017