Personal Cyber Health and Hygiene: More Expensive Shoes Don’t Make You Run Faster

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.

It’s January 2nd and you have just finished your latest culinary blowout from the holiday season.  You look down towards your toes and you see something obstructing your view that wasn’t there just three weeks ago.  And of course, you fear walking towards the scale because you already know it’s going to be bad news.

So what do you do?

Sign up for an expensive gym membership and spend $300 on new training gear of course!

Unfortunately, neither of those will make a difference unless you put your best foot forward and start working your own butt off.  Worse, if you do not put that expensive membership and new gear to good use, you are only a few months (weeks?) away from saying, “I wish I didn’t spend all that money for nothing!”

I fear I am about to upset a few people by stating the following: good cyber health and hygiene is a lot like personal health and weight management.  It takes time, effort, and dedication to keep in top form and it is also very easy to go off the rails if you do not watch what you’re doing.  Furthermore, each time you go off the rails it becomes harder and harder to get back to the good form.  And the only real difference between your health and cyberspace is that you can at least upgrade your device or operating system, whereas when it comes to our personal health, we are stuck with the same body and brain for our entire lives.

Wasting your time and money on the latest fad exercise machine or diet will be just that, a waste of time and money, especially if you are not ready to put yourself through the daily grind.  Same goes for cyber tools that promise you a path to the mythical place known as CybersecureLand, a place where you can click on any link without any fear because the magical Fairy Cybermother will protect you and whisk any malicious code back to the depths of Maldorware.

This is uncharacteristic of me, but I will delve into the personal to illustrate my point.  There was a time in my life where I had a slightly different “shape” (okay, more than slightly).  This shape was unhealthy and thankfully I realized that if I were to keep this shape for any prolonged period of time, I would be down the road to a full network malfunction where even a full system reboot would do little for me.  So what did I do?  I said, “George, clean yourself up.”

How did I do this?

1) Cut unnecessary calories (don’t go to bad websites unless you want to feel blah later).

2) Simple rule when it comes to calories and working out: Input/Output (keep an eye on your inbound and outbound traffic, both in type and volume, because variances should worry you).

3) Just get into a routine and stick to it no matter what (this is called automatic updates and patching your system regularly people…it’s boring, it’s mundane, but if you don’t do it, you’re asking for trouble).

4) Don’t go overboard off the top because you’ll overwhelm yourself and walk away (you do not need to be an expert on how a cryptographic key is generated; you need to know how to use one).

5) Play the long game (if you expect to go from a sieve to J.J. Watt overnight you are going to find out you are not J.J. Watt…it takes time to get game ready, but that should not stop you from building up to a goal and each little progression does actually make you better).

6) Resist the temptation (easier said than done, but the risks are much higher in cyberspace…one night of fried chicken during a month-long stretch of good behavior will not give you a heart attack, but one wrong click may do just that).

7) If you plan to cheat, be prepared to go double-time during your next workout (you really want to go that website you know you shouldn’t?…fine, but if your data isn’t backed up and you don’t have a clean system and application image to install on your system if things go wrong, you will feel pain).

8) Train, train, train and push your limits so you can build muscle memory (remember that time it was hard to jog for 20 minutes and now you run for 60 minutes like it’s nothing?…that’s how passwords work too…your brain is just a muscle that needs training, meaning that if you work hard, it’s possible for anybody to go from qwerty1234 to H@Uxs$#8218!!47vwq).

9) Trainers are only useful for specialized things, like intense weight training or self-defense (there are certain things you need to be taught, so go to an expert and know your limits…rolling your own cryptography is one of them).

10) Train your entire body (having a 24 inch bicep, a 46 inch waist, and a 12 inch calf is probably not balanced health management…updating your anti-virus but not installing critical patches is not balanced cyber health).

11) There is no magical exercise machine that does everything (for every technological convenience, like single sign-on, there is a cost that is easy to overlook and potentially explosive: the one credential that now opens every service is also the one credential an attacker needs).

12) It takes time for your metabolism to reset (for most, it is financially unfeasible to uproot your entire network and replace it…this means you are working on legacy systems that take time to upgrade and get up to speed).

13) You are dealing with a system, not a silo (the body is a fascinating and complex machine, meaning that your food intake, exercise output, sleep patterns, mental health, water balance, muscle-to-fat ratio, pH levels, and so on are intertwined, where one impacts the other…network, information, and data systems, in many ways are the same, meaning that if one is out of whack, the others will almost certainly suffer).

14) You need to be your own best motivator (ultimately, it’s all on you and your own decision will decide your fate).
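Point 2 above, watching inbound and outbound volume for variances, is the one item in the list that turns directly into a check. The Python below is an added example, not code from the original post: it baselines each host’s daily outbound bytes with a median and median absolute deviation (MAD) rather than a mean and standard deviation, so that one earlier spike does not swell the baseline and hide the next one, and it flags hosts whose volume today sits far above their own normal. The host names and byte counts are constructed for the example, and the threshold of 5 robust deviations is an arbitrary starting point to be tuned against real traffic.

```python
"""Spotting variance in outbound traffic volume with a robust per-host baseline.

Added example; not from the original post. The daily byte counts below are
constructed, not real telemetry.
"""
from statistics import median
from typing import List, Sequence, Tuple


def robust_baseline(history: Sequence[float]) -> Tuple[float, float]:
    """Median and median absolute deviation (MAD) of past daily egress volume.

    MAD is used instead of standard deviation so that a single earlier spike
    in the history does not inflate the baseline and mask the next spike.
    """
    med = median(history)
    mad = median([abs(x - med) for x in history])
    return med, mad


def egress_score(today: float, history: Sequence[float]) -> float:
    """How many robust deviations today's volume sits above the host's baseline.

    1.4826 scales MAD so it is comparable to a standard deviation for normally
    distributed data; a flat history (MAD of 0) falls back to a scale of 1.
    """
    med, mad = robust_baseline(history)
    scale = 1.4826 * mad if mad else 1.0
    return (today - med) / scale


def flag_hosts(samples, threshold: float = 5.0) -> List[Tuple[str, float]]:
    """Return (host, score) for every host whose egress today is anomalously high."""
    flagged = []
    for host, history, today in samples:
        score = egress_score(today, history)
        if score > threshold:
            flagged.append((host, round(score, 1)))
    return flagged


# Constructed samples: (host, 14 prior days of MB out, MB out today).
# ws-finance-07: steady ~400 MB/day, then ~10 GB today (looks like exfiltration).
# ws-hr-02: steady, today ordinary.
# srv-backup-01: always ~12 GB/day; high volume is normal *for this host*.
# ws-dev-11: one earlier spike in its history, another today; MAD still flags it,
#            whereas a mean/std-dev baseline would be swollen by the first spike.
SAMPLES = [
    ("ws-finance-07",
     [410, 395, 430, 402, 418, 388, 441, 407, 399, 425, 412, 390, 433, 405], 9800),
    ("ws-hr-02",
     [220, 235, 210, 248, 230, 225, 241, 218, 252, 229, 233, 215, 246, 227], 240),
    ("srv-backup-01",
     [12000, 12150, 11900, 12050, 12200, 11950, 12100, 12000, 12250, 11850,
      12100, 12050, 11900, 12150], 12300),
    ("ws-dev-11",
     [310, 295, 4200, 305, 320, 298, 312, 330, 301, 315, 290, 308, 325, 300], 2900),
]


if __name__ == "__main__":
    for host, score in flag_hosts(SAMPLES):
        print(f"{host}: egress {score} robust deviations above its own baseline")
```

The baseline is per host on purpose: the backup server moves thirty times more data than the finance workstation every day and is not flagged, while the finance workstation is flagged the first day it does something it has never done before.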

Sometimes you need that super fancy exercise machine, or that aerodynamic gear, or those shoes that weigh only three ounces to reach your goal (which also means you’re probably training for a marathon or the Olympics).  But if you’re not doing that (or defending the nation’s secrets) some basic exercises and practices make a world of difference.

For example, it’s amazing what simple things, like push-ups, sit-ups, crunches, and running, along with a balanced diet can do for your health.  Using encryption, patching your system, turning on regular updates, and backing up your data, along with knowing how to identify phishing and spear-phishing attempts go a long way in your overall cyber health and hygiene.

Ultimately, good health and weight management is a lifestyle change that you need to stick to.  Cyber health and hygiene is no different.  When it came to my own weight loss, it was sober realization and honest assessment that made me say, “George, fix this or you’re going to be in real trouble.”  That was the only motivation I needed.  It wasn’t easy.  In fact, it sucked and was hard, especially at the beginning.  But long-term health trumped the short-term pain.  And that’s the only motivation you should need when it comes to your own cyber health and hygiene.

June 6, 2017

Exploring the Cybersphere – May 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

As May prepares to give way to the promise of the month of June, it’s time to look back at some of the cyber stories that dominated the headlines during the month. The month begins with May Day, a tradition handed down from ancient times, when children dance around maypoles, festooned with flower crowns. The ancient rites celebrated the end of winter, and the dawn of a new season, a time to have hope. Locals could brag about who had the biggest maypole, perhaps the beginning of another practice that lasts to this day. As it happens, May Day is an apt characterization of the month’s cyber events, particularly if said three times in rapid succession.

The Beat Goes On

Cyberattacks involving extortion are on the up, Verizon says

Cyberattacks involving ransomware — in which criminals use malicious software to encrypt a user’s data and then extort money to decrypt it — increased 50 percent in 2016, according to a report from Verizon Communications Inc. And criminals increasingly shifted from going after individual consumers to attacking vulnerable organizations and businesses, the report said. Government organizations were the most frequent target of these ransomware attacks, followed by health-care businesses and financial services, according to data from security company McAfee Inc., which partnered with Verizon on the report published Thursday. Instances of ransomware attacks have grown along with the market for bitcoin, the digital currency that is most commonly how cybercriminals demand ransoms be paid because of its anonymity. While overall most malware was delivered through infected websites, increasingly criminals were turning to phishing — using fraudulent emails designed to get a user to download attachments or click on links to websites that are infected with malware — to carry out attacks. A fifth of all malware raids began with a phishing email in 2016, while fewer than 1 in 10 did the year before, according to the report.

Cybercriminals breached over a billion accounts last year

Cybercriminals had a very good year in 2016 — and we all paid the price. These digital bandits became more ambitious and more creative and that resulted in a year marked by “extraordinary attacks,” according to the 2017 Internet Security Threat Report from Symantec. “Cyber crime hit the big time in 2016, with higher-profile victims and bigger-than-ever financial rewards,” the report concluded.

And The Beat Goes On

World reels from massive cyberattack that hit nearly 100 countries


Organizations around the world were digging out Saturday from what experts are calling one of the biggest cyberattacks ever. Hospitals, major companies and government offices were hit by a virus that seeks to seize control of computers until the victims pay a ransom. Experts said that even as the spread of the attacks apparently has been stymied, its full ramifications are not yet known because the virus may be lurking still on computers around the world. Cybersecurity firm Avast said it had identified more than 75,000 ransomware attacks in 99 countries on Friday, making it one of the broadest and most damaging cyberattacks in history. Avast said the majority of the attacks targeted Russia, Ukraine and Taiwan. But U.K. hospitals, Chinese universities and global firms like Fedex (FDX) also reported they had come under assault. Security experts said the spread of the ransomware had been inadvertently stopped late Friday. The ransomware was designed to repeatedly contact an unregistered domain in its code. A 22-year-old security researcher in the U.K., who goes by MalwareTech, registered that domain to analyze the attack, but it turned out the ransomware needed it to remain unregistered to keep spreading. “Thus by registering it we inadvertently stopped any subsequent infections,” he told CNNTech. However, a hacker could change the code to remove the domain and try the ransomware attack again.

Global cyberattack “highly likely” linked to North Korea group

A top cybersecurity firm says it’s “highly likely” that the biggest cyberattack the world has ever seen is linked to a hacking group affiliated with North Korea. The global ransomware attack known as WannaCry targeted hundreds of thousands of computers in around 150 countries, hitting hospitals, businesses and other organizations. In a blog post late Monday, security researchers at Symantec said the “tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus,” a hacking group that has previously been tied to North Korea. “We have high probability that these two are absolutely connected,” said Vikram Thakur, Symantec’s security response technical director. Lazarus has been linked to the hack on Sony Pictures, for which the U.S. government blamed North Korea, and a wave of attacks on banks around the world, including a major theft from Bangladesh’s central bank.

Drums Keep Pounding A Rhythm To The Brain

Why cyber attacks will continue until prevention becomes a priority

Organizations must rethink their security measures. Focus on training, getting rid of old tech, and overcoming apathy. Some learn best through observation, others only after making a costly mistake. Unfortunately, many businesses have failed to heed the cybersecurity lessons learned from the litany of major attacks over the past few years. Modern cybersecurity threats have evolved far beyond the days where keyloggers and suspicious emails were considered sophisticated threats. They’ve grown to incorporate new attack vectors such as connected devices, as used in the 2016 Dyn distributed denial-of-service attack that disrupted many popular websites. Businesses must also contend with leaked exploits discovered by government intelligence agencies, such as the Vault 7 WikiLeaks revelations around security flaws in virtually every major operating system and application. It’s time for organizations to rethink their approach to security. Keeping your organization safe must be a full-time commitment, not simply a passing concern following the latest report of a data breach.

AI is the future of cybersecurity, for better and for worse

In the near future, as artificial intelligence (AI) systems become more capable, we will begin to see more automated and increasingly sophisticated social engineering attacks. The rise of AI-enabled cyberattacks is expected to cause an explosion of network penetrations, personal data thefts, and an epidemic-level spread of intelligent computer viruses. Ironically, our best hope to defend against AI-enabled hacking is by using AI. But this is very likely to lead to an AI arms race, the consequences of which may be very troubling in the long term, especially as big government actors join the cyber wars. My research is at the intersection of AI and cybersecurity. In particular, I am researching how we can protect AI systems from bad actors, as well as how we can protect people from failed or malevolent AI. This work falls into a larger framework of AI safety, attempts to create AI that is exceedingly capable but also safe and beneficial. A lot has been written about problems that might arise with the arrival of “true AI,” either as a direct impact of such inventions or because of a programmer’s error. However, intentional malice in design and AI hacking have not been addressed to a sufficient degree in the scientific literature. It’s fair to say that when it comes to dangers from a purposefully unethical intelligence, anything is possible.

Why Is Cybersecurity So Hard?

Harvard Business Review

After nearly 20 years of trying and billions of dollars in investment, why are organizations still struggling with cybersecurity? In fact, the problem seems to be getting worse, not better. Answering this question requires moving beyond a purely technical examination of cybersecurity. It’s true that the technical challenges are very real; we don’t know how to write bug-free code, for example. But if you look at the challenge more broadly, even if we resolved the technical issues, cybersecurity would remain a hard problem for three reasons: it’s not just a technical problem; the rules of cyberspace are different from the physical world’s; and cybersecurity law, policy, and practice are not yet fully developed. The first reason — that cybersecurity is more than just a technical problem, incorporating aspects of economics, human psychology, and other disciplines — has been explored in other articles in this cybersecurity series. However, the other two reasons also contribute strongly to making cybersecurity difficult, and our approaches must take them into account.

La de da de de, la de da de da

By Tom Davis, SDI Cyber Risk Practice

May 30, 2017


When it Comes to Cyber Deterrence, One Size Fits…One

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.  

Protecting yourself in cyberspace requires multiple solutions working all together

Be cautious of the cybersecurity vendor that promises you a technical solution that will solve all of your cybersecurity problems. Life, unfortunately, is not that simple and a one-size-fits-all approach is bound to get you in trouble given today’s cyber complexities. Similarly, simply adopting a solution may not be enough. How you implement that solution could be the difference between operating a safer network or, inadvertently, making your network more vulnerable. One such solution is encryption.

In two articles posted on Tripwire, I make the case with Paul Ferrillo of Weil, Gotshal & Manges LLP that encryption and tokenization are good solutions (that are under-utilized from our experience) but that poor implementation of them can be the perfect recipe for your worst nightmares.

Why do such useful technologies come with this big caveat? The reason is because a “big picture” approach to cybersecurity has not really taken hold yet. As I have mentioned in a previous post, I view cybersecurity in the following manner: network security + information security = data security. The most basic questions, particularly at the board level, may not be getting asked, such as “what are our crown jewels?” or “where do we house our data?”

These are governance issues at their core, not technological ones, meaning that whatever technological steps you take to protect your data, you still may be overlooking the big picture (which will result in a loss of resources and open you up to liability). And because they are governance issues, there is a heavy dose of “human element” challenges associated with them.

If you accept the notion that you cannot achieve 100% security, your strategy should be to make life as difficult as possible for your adversary. Let them seek out low hanging fruit as opposed to your own crown jewels. The only way to do this is by identifying what matters to you (the governance/human side of this problem), then employing technological solutions (like encryption and tokenization) in the right places and implementing them correctly, while still accepting that there is a series of human vulnerability challenges that need to be worked on.

All the encryption in the world does little for you if you have an employee that is a victim of a spear-phishing attack, all of which are getting better and better. Gmail users have been the latest targets with very real looking Google Docs emails coming from trusted sources.

Ultimately, you want your adversary to go elsewhere. I recognize this may come off as a deflection and some would question it as a strategy, but nefarious actors are humans too and they do have a preference for the path of least resistance as well. If your data is a bunch of meaningless garble to them (encryption and tokenization are good steps to make this happen), that is a big win for you and a big frustration for them. These types of actors will probably spend little time trying to attack you if you have taken these sensible steps.
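As an added example of the implementation caveat above (this is not code from the original post or from the Tripwire articles), the Python below shows tokenization three ways. The naive version replaces a value with its unkeyed hash; for a low-entropy field such as a six-digit member ID, anyone holding the token can invert it by enumerating every possible input, so the “garble” is no garble at all. The keyed version (HMAC under a secret that only the token service holds) and the vault version (a random token whose mapping lives only in the vault) both keep the data meaningless to whoever steals the tokenized copy. The sample member ID and the six-digit format are constructed for the example.

```python
"""Tokenization done three ways, including the naive way that does not work.

Added example; not from the original post. The member ID below is constructed.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional


# --- Naive "tokenization": replace the value with its unkeyed hash. ---------
# Deterministic and secret-free, so for a low-entropy field (IDs, SSNs, phone
# numbers) anyone holding the token can enumerate the input space and invert it.
def weak_token(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


def invert_weak_token(token: str, digits: int) -> Optional[str]:
    """Attacker's view: try every numeric value of the given width."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if hashlib.sha256(candidate.encode()).hexdigest() == token:
            return candidate
    return None


# --- Keyed tokenization: HMAC under a secret held by the token service. ------
# Still deterministic (the same value always maps to the same token, which is
# what lets analysts join records), but without the key the enumeration above
# cannot be run against the stolen tokens.
def keyed_token(value: str, key: bytes) -> str:
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


# --- Vault tokenization: random token, mapping kept only inside the vault. ---
class TokenVault:
    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        # Reuse the token for a value already seen, so joins keep working.
        if value in self._by_value:
            return self._by_value[value]
        token = secrets.token_urlsafe(16)  # 128 bits of randomness, no relation to value
        self._by_token[token] = value
        self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for a token the vault never issued.
        return self._by_token[token]


if __name__ == "__main__":
    member_id = "042317"  # constructed sample value
    stolen = weak_token(member_id)
    print("naive token inverted to:", invert_weak_token(stolen, 6))

    service_key = secrets.token_bytes(32)
    print("keyed token:", keyed_token(member_id, service_key)[:16] + "...")

    vault = TokenVault()
    tok = vault.tokenize(member_id)
    print("vault token:", tok, "->", vault.detokenize(tok))
```

The practical difference is where the secret lives: the naive scheme has none, so the tokenized copy is as sensitive as the original; the keyed and vault schemes move the sensitivity into a key or a mapping that can be kept off the systems that hold the tokens.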

It is the actors that are determined and want your crown jewels that should be keeping you up at night. These actors will undoubtedly focus more on social engineering attacks and good old-fashioned tradecraft to try to get what they want, reinforcing the point that the cybersecurity challenge cannot be looked at through a solely technological lens. Curiosity, fear, and urgency are what these actors use to prey on their targets, so in addition to technological steps, make sure your employees and leadership are trained to spot things that look off.

All these solutions, working in tandem, are what will keep you safest in cyberspace.

May 23, 2017

See George’s previous post: How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?

North Korea Again? WannaCry?

“Round up the usual suspects,” a phrase memorably used by Captain Louis Renault, the French prefect of police, to exonerate Rick Blaine of the killing of Nazi Major Strasser in the classic film Casablanca, has been culturally accepted as a way of saying “let’s start with those who most can agree are likely to have been involved in x.” Thus it should come as little surprise that a number of cybersecurity experts are now suggesting that hackers connected to North Korea unleashed the “WannaCry” malware virus that crippled computers around the world over the past weekend.

Of late, North Korea has been most in the news for its penchant for firing off missiles with varying degrees of success, while threatening to do very bad things to whatever country is near or at the top of its current enemies list. But just a couple years ago, U.S. intelligence officials alleged North Korea was behind the cyber attack on Sony Pictures. Admittedly, the fact that the hackers demanded Sony not release a comedy that centered on the assassination of North Korean leader Kim Jong-Un raised suspicions about North Korean involvement, but the more substantial evidence included the use of tools and techniques known to have been used by North Korean hackers in previous attacks on South Korea.

The WannaCry virus locked up over 200,000 computers and spread to more than 150 countries. The estimated losses to those affected run into the billions, largely due to the disruption. Companies in Europe, Russia, and China were particularly affected. Interestingly, at last count the “ransomware” had yielded a relatively paltry $50,000 to the perpetrators, which taken at face value suggests not many people paid the ransom.

The New York Times has a fascinating story about why China seems to have been disproportionately affected by the virus.

China has long been known as a haven for pirated software, and the fact that major Chinese companies, government agencies and universities were disrupted speaks volumes about how widespread that use is (a pirated copy of Windows is often never updated, and Microsoft’s fix for the flaw WannaCry exploited did nothing for machines that never received it). It might also call into question just how carefully planned was the unleashing of the WannaCry virus. Although the relationship between China and North Korea seems to be a bit testy at the moment, one wonders whether North Korea really would like to be seen as behind an attack doing serious injury to Chinese interests. We’ll need a little more time to determine whether in rounding up the usual suspects we’ve gotten to the bottom of the planning behind the WannaCry virus.

By Tom Davis, SDI Cyber Risk Practice

May 16, 2017

It’s a Guy Thing

Hey guys!  This is a normal salutation, with a most unusual history. It turns out that American usage of the term “guy” traces back to the ill-fated Guido Fawkes. Guido was none other than Guy Fawkes, who now is best remembered as the face that adorns the masks worn by generations of anarchists and dissidents, including, of course, the noteworthy hacktivist group, Anonymous.

Guy Fawkes made his mark about 400 years ago when he participated in a plot to murder King James I. The basic idea was to blow the King to smithereens by touching off barrels of gunpowder stored beneath the House of Lords. Unfortunately for Mr. Fawkes, both he and the gunpowder were discovered in the early hours of November 5, 1605. In relatively short order, after a bit of torture to get at the truth, Guy Fawkes and seven of his co-conspirators were given a taste of English justice. Having been found guilty of attempting to assassinate the King, the following was prescribed: “each of the condemned would be drawn backwards to his death, by a horse, his head near the ground. They were to be “put to death halfway between heaven and earth as unworthy of both.” Their genitals would be cut off and burnt before their eyes, and their bowels and hearts removed. They would then be decapitated, and the dismembered parts of their bodies displayed so that they might become “prey for the fowls of the air.”

That rather ignominious end might have been the last we heard of Guy Fawkes were it not for the fact that an Act of Parliament proclaimed each succeeding November 5th as a day of thanksgiving for the deliverance of the King, and the English chose to celebrate “Guy Fawkes night” by lighting bonfires and tossing effigies of Guy Fawkes into them. In the strange way the world works, the English began referring to the effigies, and other strangely dressed folks, as guy, and Americans adopted the term and use it far more generally. The use of the bonfires offers another twist of irony, for English wits have long toasted Guy Fawkes as “the last man to enter parliament with honest intentions.”

Our Guy Fawkes wearing friends at Anonymous have just released a video warning us to prepare for World War III. Anonymous has a pretty good track record in predicting the impact of DDOS attacks it carries out, but its ability to accurately predict the apocalypse is open to question. However, their allegiance to the wearing of the Guy Fawkes masks is testament to the truth of at least part of their traditional sign off:  “prepare for what comes next. We are Anonymous. We are legion. We do not forgive. We do not forget.”

By Tom Davis, SDI Cyber Risk Practice

May 9, 2017

The Shadow May Have Got it Wrong

In 1937, an American radio series named “The Shadow” made its debut. Its dramatic opening line—“Who knows what evil lurks in the hearts of men? The Shadow knows!”—captured the imagination of the nation and lives on to this day. Lost in the shrouds of time is the line uttered at the close of each episode—“The weed of crime bears bitter fruit. Crime does not pay…The Shadow knows!” It turns out The Shadow was not particularly prescient when it comes to today’s cyber criminals. It’s a fair bet The Shadow would see the world differently after running into the Shadow Brokers, a group which announced its presence with a series of messages like…

“!!! Attention government sponsors of cyber warfare and those who profit from it !!!!

How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT+ LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”

If you are following this at home, the Equation Group is allegedly tied to the National Security Agency, and is considered highly sophisticated in its hacking capabilities, presumed responsible for, among other things, the Stuxnet worm that damaged Iran’s uranium enrichment program. So, the Shadow Brokers, borrowing the name Kaspersky’s researchers coined for the group (Kaspersky itself is accused of ties to Russian intelligence), offered to sell tools pilfered from an entity believed to have ties to American intelligence. This would make a grand movie plot, but the outcome here has significant real life implications.

The tools being sold and released by the Shadow Brokers are opening up vast new opportunities for cyber criminals. After the latest release by the group, security expert Matthew Hickey said “It is by far the most powerful cache of exploits ever released. It is very significant as it effectively puts cyber weapons in the hands of anyone who downloads it.”

Forbes just ran a piece that looked at how the Shadow Brokers’ leaks have led to real world attacks, and what may be in the offing. The article closed with a timely reminder from security guru Bruce Schneier: “Today’s NSA secrets become tomorrow’s PhD theses and the next day’s hacker tools. As long as we’re all using the same computers, phones, social networking platforms, and computer networks, a vulnerability that allows us to spy also allows us to be spied upon.”

Who knows what evil lurks in the hearts of men? We are, once again, about to find out.

By Tom Davis, SDI Cyber Risk Practice

May 2, 2017

Exploring the Cybersphere – April 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

There is an adage, old, like all adages, that goes, “April showers bring May flowers.” One might add that a more particular benefit for those suffering from allergies is they wash the pollen from the air, offering sweet respite for at least short periods. In furtherance of this line of thought, the April cybersecurity news might fall under the heading “Into each life some rain must fall.”

New frontiers in cyber security: locomotives without wheels, moats, deep learning at the edge

Industry analyst Bob Sorensen recently told us something most IT managers already know deep in their apprehensive hearts: cyber security is in a sorry state (see “Be More Afraid,” Enterprise Tech, Nov. 18, 2016). Security at many companies is somewhat marginalized, an unfavored area that lies outside core IT operations and procedures, a focal point at many companies of ineffectuality and denial that can be characterized as: Don’t just do something, sit there! Part of the problem: cyber security is purely defensive in nature. We don’t want it until we need(ed) it. It doesn’t add to the bottom line, it’s a cost center seen as hindering optimal operations. Corporate boards tell senior managers that, yes, of course cyber security is important, but don’t let it interfere with daily business. Yet everyone grasps the bottom line and reputation risks of poor security….Instead of further bemoaning this state of affairs, let’s look at the bright spots, the best-in-class cyber security practices some companies have adopted and the emerging technologies that leverage big data analytics, machine learning and quantum computing.

Cybersecurity remains an elusive business priority

I’ve been remiss by not blogging earlier this year about ESG’s annual IT spending intentions research. The year 2017 continues to follow a pattern: Cybersecurity is a high business and IT priority for most organizations… Allow me to provide a bit of analysis to this data (after all, I am an industry analyst): 1. There is growing demand for cybersecurity technologies, so 2017 should be another banner year for vendor revenue, VC investment, M&A activity and IPOs. 2. Boards are getting more involved in cybersecurity, which is driving more demand for data and metrics. In other words, executives are willing to spend on cybersecurity, but they want to better understand what they get for their money. Executive reporting tools for cybersecurity will grow precipitously….

Why we should let our walls down when it comes to cybersecurity

With digital threats growing more rampant across the country and from around the world, the idea of building “walls” for cyber defense and protection can seem appealing. But even in this age of hackers relentlessly penetrating our networks, in the information technology security industry, we know that walls don’t work. The truth is that surrounding yourself with impenetrable barricades is akin to sticking your head in the sand. Walls by themselves fail to tackle the root cause of threats, meaning any sense of safety created is artificial. Organizations need to have a holistic security posture that spans their internal network and devices. More importantly, they must anticipate malicious external threats. For protection, traditional IT security systems have for a long time relied on perimeter defenses, such as firewalls, intrusion detection systems and intrusion prevention systems. But that paradigm has changed, as cybercriminals have evolved and cyberattacks have increased in volume and sophistication. In 2015, there were 430 million unique pieces of malware, up 36 percent from the prior year. It’s a number only continuing to explode. Singular perimeter defenses are no longer enough.

IT Getting Defensive

Preventing cyber attacks – this time it’s personal

Security professionals are putting pressure on themselves to secure their organization’s systems, according to the findings of a new report. The 2017 Security Pressures Report from managed security specialist Trustwave surveyed over 1,600 security decision makers around the world and finds that while 53 percent of respondents report increased pressure in trying to secure their organization, that pressure is becoming more personal, as 24 percent say they put the most pressure on themselves, up from 13 percent last year. The findings also show that pressure from the boardroom and from C-level executives has decreased significantly as it has shifted to IT professionals themselves. The most feared repercussion of a cyber attack or breach is reputation damage to themselves or their company, ahead of financial damage to the company and termination of employment.

Former White House CIO calls for a cybersecurity reset

The IT community needs a total reset in the way they think about cybersecurity, according to former White House CIO Theresa Payton. “I think back ten years and I realize that we actually haven’t made a single one of your security problems go away, and you need to hold us accountable for that,” Payton said. “Name one. We have reduced risks in the security industry, name a problem we actually made go away for you,” she said. “But I’m really excited because I think we are at a turning point where we’ll have that opportunity.” Payton, who spoke at the Forcepoint Cybersecurity Leadership Forum on Tuesday, described how the government has characterized bringing breach detection times down from over 400 days to a little more than 200 as a win in cybersecurity. “I’ve got to tell you, this does not feel like winning to me,” Payton said.

I’m From the Government and I’m Here to Help

FTC takes over as top cybersecurity enforcer

The Federal Communications Commission’s role as a driver of national cybersecurity policy, promoted by former Chairman Thomas Wheeler, was effectively scrapped last week when Congress passed a measure killing the commission’s 2016 cybersecurity and privacy rules. The move was strongly welcomed by the telecom industry and leaves another alphabet-soup agency — the Federal Trade Commission — as “the cop on the beat” when it comes to cyber. That’s a role the trade commission has long embraced, but it will take a different and perhaps more reactive approach to cybersecurity in comparison with Wheeler’s communications commission. Many telecom industry groups prefer the FTC’s enforcement approach, which is based on guiding principles for cyber best practices, to what they saw as prescriptive rules on cyber spelled out by the recently departed Wheeler team at the FCC.

Congress returns, but the real cybersecurity action is taking place off the Hill

Lawmakers return to Capitol Hill this week with a few cybersecurity items on the agenda for the upcoming legislative work period, while the most significant efforts in the coming months may be taking place at the White House and at the National Institute of Standards and Technology’s campus in suburban Maryland.

By Tom Davis, SDI Cyber Risk Practice

April 25, 2017

And the Answer Is…

The solution to the unending challenge of marshalling sufficient cybersecurity defense measures in any organization lies in (pick one)

  1. Artificial intelligence
  2. Cyber intelligence
  3. Employee education
  4. Endpoint security

The astute reader will disregard the “pick one” instruction and argue that each of these measures is helpful, assuming this reader is familiar with what each category entails. The first three categories are at least somewhat self-explanatory; the last, perhaps a bit less so. Endpoint security is rapidly gaining favor as a method of protecting networks from access through remote devices such as laptops, smartphones, or other mobile devices. Each of those devices is considered an endpoint, and each is a potential entry point for a cyber threat. As work habits have changed and organizations have permitted employees to use personal devices to connect to enterprise networks, the threat has grown.

CNBC just reported on a UK-based firm using artificial intelligence to swiftly respond to cyber attacks. In the story, they note “Australian cybersecurity company Nuix put out a report where they surveyed about 70 professional hackers and penetration testers at last year’s Defcon — the global hacking and security conference — to understand their perspective on cybersecurity. In the report, about 88 percent of the respondents said they could break through cybersecurity defenses and into the systems they target within 12 hours, while another 81 percent said they could identify and take valuable data within the same time frame even when the breach may not be detected for nearly 100 days on average.

The respondents said traditional countermeasures such as firewalls and antiviruses very rarely slowed them down, but having endpoint security technologies were more effective in stopping the attacks.”

Employee education, creating a culture of security sensitivity and best practices, arguably offers the best bang for the buck. Cyber intelligence, the committed act of learning about the actual threat universe surrounding an organization, can offer an excellent return on investment. But if you accept the word of professional hackers and pen testers, endpoint security is well worth a look.

By Tom Davis, SDI Cyber Risk Practice

April 18, 2017

My House Is My Castle, and It’s About to Get Stormed

Does cybersecurity begin at home? It appears the answer is yes, at least for high net wealth individuals, as seen by insurance giant AIG. AIG just announced that it is offering cyber insurance to its high net worth personal lines insurance clients. The insurance product will be offered to policyholders of AIG’s Private Client Group who are victims of threats including cyber extortion and cyber bullying.

What will AIG’s clients get under this insurance? Well, according to an article in Insurance Journal, the insurance will cover expenses related to data restoration, and crisis and reputation management, among other claims. In addition, “AIG’s Private Client Group clients receive supplemental risk mitigation services, including a holistic assessment of devices, home networks, wireless access points and secure online accounts; training services for family members; online monitoring that assesses and tracks the availability of personal information; and a set of cyber assistance tools and resources including assistance from experienced fraud experts, provided by the identity and data defense specialist, CyberScout.”

It would seem that effectively evaluating risk posed to high net wealth individuals would be a bit daunting, but other insurance providers, including Chubb and HSB, are already in the home market, and we can expect that market to grow as smart, connected homes become ever more prevalent. We are introducing risk and becoming both more attractive and potentially vulnerable with each new device we add.

So, should you be looking at cyber insurance for your home? Here are some suggestions courtesy of the Wall Street Journal.

Does a service offer protection beyond what I’m already getting? Individuals who keep most of their money in bank checking or savings accounts and use credit cards generally are at less risk…because banks and credit-card issuers typically offer protection against liability for fraud. People with investment accounts should ask advisers and brokerages whether they offer written guarantees that clients will be made whole after a breach. Just 15% of broker-dealers and 9% of advisers have such written policies, a Securities and Exchange Commission survey found.

How much do I have to lose? For people with several million dollars’ worth of liquid and investible assets, the cost of extra security would be negligible…. But even for those with less money, any loss might feel painful, so people should make sure their funds are protected either by the Federal Deposit Insurance Corp., which protects deposits in checking, savings and money-market accounts, or a written policy from the investment firm.

Do I handle valuable financial data or intellectual property? A company executive or the founder of a startup who accesses financial or other sensitive information on a personal device or home computer may be a target. The concern is that hackers may target these types of individuals for their intellectual property or company details, and then make away with personal information while worming through their networks.

Not unlike insurance offerings aimed at the business market, in the end the best value of the home market offerings might lie in the way they offer the ability to strengthen home security defenses and educate people about cybersecurity realities and best practices. Risk reduction is the name of the game.

By Tom Davis, SDI Cyber Risk Practice

April 11, 2017

Dangerous Things?

While a student at Yale, Cole Porter wrote over 300 songs, including the famous Yale fight song Bulldog! Bulldog!, which Yalies young and old bark out whenever the Yale football team scores. Legend has it Cole Porter wrote the song to commemorate Handsome Dan, the first Yale bulldog mascot. It is the world’s good fortune that Porter’s musical contributions did not peak with Bulldog! Bulldog!. During his illustrious career he authored such hit songs as Night and Day, Anything Goes, I Get a Kick Out of You, In the Still of the Night, and, of course, I’ve Got You Under My Skin.

I’m reminded of this last song by an article I just read (Cyborgs at work: Employees getting implanted with microchips) that looks at a Swedish company that offers to implant its workers with microchips the size of grains of rice that “function as swipe cards to open doors, operate printers, or buy smoothies with a wave of the hand.” How does it work? The microchips use Near Field Communication (NFC) technology, the same technology used in contactless credit cards or mobile payments. When activated by a reader a few inches away, a small amount of data flows between the two devices via electromagnetic waves, opening the door (literally as well as figuratively) to a number of possibilities.

It turns out these microchip implants have been around for a couple of decades, and for the moment, serve modest purposes. The way most people have come into contact with the concept is through the microchips that have been implanted in pets. But the spillover to humans is gathering steam. A company called Dangerous Things sells the microchips and an injection kit. As if to help support the company’s brand concept, the chips are not injected in doctors’ offices, but rather in tattoo parlors and piercing shops.

Early adopters of the insertable microchip see the risks as minimal, particularly because of the limited transmission range, and many think the future of the technology is rife with possibility. Of course, those possibilities could include privacy loss and identity theft, and perhaps far more nefarious cyber crimes. This generation of microchips will yield to the next gen, and where the process stops, well, as Porter lyricized, “I’ve got you deep in the heart of me. So deep in my heart that you’re really a part of me.”

By Tom Davis, SDI Cyber Risk Practice

April 4, 2017