And the Answer Is…

The solution to the unending challenge of marshalling sufficient cybersecurity defense measures in any organization lies in (pick one)

  1. Artificial intelligence
  2. Cyber intelligence
  3. Employee education
  4. Endpoint security

The astute reader will disregard the “pick one” instruction and argue that each of these measures is helpful, assuming this reader is familiar with what each category entails. The first three categories are at least somewhat self-explanatory; the last, perhaps a bit less so. Endpoint security is rapidly gaining favor as a method of protecting networks from access through remote devices such as laptops, smartphones or other mobile devices. Each of those devices is considered an endpoint, and is a potential entry point for a cyber threat. As work habits have changed and organizations have permitted employees to use personal devices to connect to enterprise networks, the threat has grown.

CNBC just reported on a UK-based firm using artificial intelligence to swiftly respond to cyber attacks. In the story, they note “Australian cybersecurity company Nuix put out a report where they surveyed about 70 professional hackers and penetration testers at last year’s Defcon — the global hacking and security conference — to understand their perspective on cybersecurity. In the report, about 88 percent of the respondents said they could break through cybersecurity defenses and into the systems they target within 12 hours, while another 81 percent said they could identify and take valuable data within the same time frame even when the breach may not be detected for nearly 100 days on average.

The respondents said traditional countermeasures such as firewalls and antiviruses very rarely slowed them down, but having endpoint security technologies were more effective in stopping the attacks.”

Employee education, creating a culture of security sensitivity and best practices, arguably offers the best bang for the buck. Cyber intelligence, the committed act of learning about the actual threat universe surrounding an organization, can offer an excellent return on investment. But if you accept the word of professional hackers and pen testers, endpoint security is well worth a look.

By Tom Davis, SDI Cyber Risk Practice

April 18, 2017

My House Is My Castle, and It’s About to Get Stormed

Does cybersecurity begin at home? It appears the answer is yes, at least for high-net-worth individuals, as seen by insurance giant AIG. AIG just announced that it is offering cyber insurance to its high-net-worth personal lines insurance clients. The insurance product will be offered to policyholders of AIG’s Private Client Group who are victims of threats including cyber extortion and cyber bullying.

What will AIG’s clients get under this insurance? Well, according to an article in Insurance Journal, the insurance will cover expenses related to data restoration, and crisis and reputation management, among other claims. In addition, “AIG’s Private Client Group clients receive supplemental risk mitigation services, including a holistic assessment of devices, home networks, wireless access points and secure online accounts; training services for family members; online monitoring that assesses and tracks the availability of personal information; and a set of cyber assistance tools and resources including assistance from experienced fraud experts, provided by the identity and data defense specialist, CyberScout.”

It would seem that effectively evaluating risk posed to high-net-worth individuals would be a bit daunting, but other insurance providers, including Chubb and HSB, are already in the home market, and we can expect that market to grow as smart, connected homes become ever more prevalent. We are introducing risk and becoming both more attractive and potentially vulnerable with each new device we add.

So, should you be looking at cyber insurance for your home? Here are some suggestions courtesy of the Wall Street Journal.

Does a service offer protection beyond what I’m already getting? Individuals who keep most of their money in bank checking or savings accounts and use credit cards generally are at less risk…because banks and credit-card issuers typically offer protection against liability for fraud. People with investment accounts should ask advisers and brokerages whether they offer written guarantees that clients will be made whole after a breach. Just 15% of broker-dealers and 9% of advisers have such written policies, a Securities and Exchange Commission survey found.

How much do I have to lose? For people with several million dollars’ worth of liquid and investible assets, the cost of extra security would be negligible…. But even for those with less money, any loss might feel painful, so people should make sure their funds are protected either by the Federal Deposit Insurance Corp., which protects deposits in checking, savings and money-market accounts, or a written policy from the investment firm.

Do I handle valuable financial data or intellectual property? A company executive or the founder of a startup who accesses financial or other sensitive information on a personal device or home computer may be a target. The concern is that hackers may target these types of individuals for their intellectual property or company details, and then make away with personal information while worming through their networks.

Not unlike insurance offerings aimed at the business market, in the end the best value of the home market offerings might lie in the way they offer the ability to strengthen home security defenses and educate people about cybersecurity realities and best practices. Risk reduction is the name of the game.

By Tom Davis, SDI Cyber Risk Practice

April 11, 2017

Dangerous Things?

While a student at Yale, Cole Porter wrote over 300 songs, including the famous Yale fight song Bulldog! Bulldog!, which Yalies young and old bark out whenever the Yale football team scores. Legend has it Cole Porter wrote the song to commemorate Handsome Dan, the first Yale bulldog mascot. It is the world’s good fortune that Porter’s musical contributions did not peak with Bulldog! Bulldog!. During his illustrious career he authored such hit songs as Night and Day, Anything Goes, I Get a Kick Out of You, In the Still of the Night, and, of course, I’ve Got You Under My Skin.

I’m reminded of this last song by an article I just read (Cyborgs at work: Employees getting implanted with microchips) that looks at a Swedish company that offers to implant its workers with microchips the size of grains of rice that “function as swipe cards to open doors, operate printers, or buy smoothies with a wave of the hand.” How does it work?  The microchips use Near Field Communication (NFC) technology, the same technology used in contactless credit cards or mobile payments. When activated by a reader a few inches away, a small amount of data flows between the two devices via electromagnetic waves, opening the door (literally as well as figuratively) to a number of possibilities.

It turns out these microchip implants have been around for a couple of decades, and for the moment, serve modest purposes. The way most people have come into contact with the concept is through the microchips that have been implanted in pets. But the spillover to humans is gathering steam. A company called Dangerous Things sells the microchips and an injection kit. As if to help support the company’s brand concept, the chips are not injected in doctors’ offices, but rather in tattoo parlors and piercing shops.

Early adopters of the insertable microchip see the risks as minimal, particularly because of the limited transmission range, and many think the future of the technology is rife with possibility. Of course, those possibilities could include privacy loss and identity theft, and perhaps far more nefarious cyber crimes. This generation of microchips will yield to the next gen, and where the process stops, well, as Porter lyricized, “I’ve got you deep in the heart of me. So deep in my heart that you’re really a part of me.”

By Tom Davis, SDI Cyber Risk Practice

April 4, 2017

Exploring the Cybersphere – March 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

March 28 is historically noteworthy for many reasons. One that stands out: In 1979, the worst accident in the history of the U.S. nuclear power industry began to unfold on March 28th when a pressure valve in the Unit-2 reactor at Three Mile Island failed to close. People living around Harrisburg, Pennsylvania fled, as did people living in the nation’s capital. If the accident didn’t cause full-out panic, it certainly induced a general uneasiness (and set the nuclear power industry back for generations). Although no one’s leaving for the exits yet, today a less drastic yet verifiable sense of uneasiness exists in another power industry… the cybersphere.

Around the cyber world we go…

Exposure of CIA hacking tools renews debate over Americans’ cybersecurity vs. national security

Washington Post

WikiLeaks’ release on Tuesday of a massive cache of data describing CIA hacking tools has renewed a debate over how well the U.S. government balances the protection of Americans’ cybersecurity against the need to protect national security. Some of the tools, the anti-secrecy group said, are based on “zero-day” flaws — or previously unknown software bugs — for targeting iPhone and Android devices. “At a time of increasingly damaging hacking by cybercriminals and governments, it’s essential that U.S. agencies not undermine the security of our digital systems,” said Ben Wizner, director of the American Civil Liberties Union’s Speech, Privacy and Technology Project. “These documents, which appear to be authentic, show that the intelligence community has deliberately maintained vulnerabilities in the most common devices used by hundreds of millions of people.” He added, “Patching security holes immediately, not stockpiling them, is the best way to make everyone’s digital life safer.”

Why America’s current approach to cybersecurity is so dangerous  

It’s almost impossible these days to avoid media coverage of Russia’s role in hacking the 2016 election. So it was in 2015, when news broke that Chinese hackers had breached the U.S. Office of Personnel Management. Likewise for big cyberattacks in 2014 (Sony Pictures, Home Depot) and the year before that (Target). For the public, it’s usually these kinds of incidents that come to mind when they hear the term “cybersecurity.” They are complex and costly, and cast doubt on the trustworthiness of our major institutions—from government to banks to the electric grid. Yet multiple surveys show that Americans tend to ignore even the most basic security measures with their own digital devices. How to account for our public interest but our personal … well … meh? We should be concerned that, as a society, our minds go mushy when it comes to “digital literacy,” “information security,” “online safety,” or whichever name we choose. In fact, that mushiness is a major reason why America’s current approach to cybersecurity is so dangerous. We’re ignoring the behaviors of the overwhelming majority of actual users, and therefore leaving the largest attack surface undefended.

Russian security officers charged in Yahoo hack

The Justice Department announced charges Wednesday against four suspects in the massive 2014 Yahoo data breach, including two Russian security service officers. According to DOJ allegations, the hackers targeted high-profile government and military officials as well as commercial entities such as investment banks. A grand jury indicted the four men “for computer hacking, economic espionage and other criminal offenses in connection with a conspiracy, beginning in January 2014, to access Yahoo’s network and the contents of webmail accounts,” a Justice Department press release says. A DOJ official noted that the activity continued through 2016, but declined to comment on whether the suspects had any relation to the 2013 hack. Officials also noted that they had no reason to believe the hack was connected to the cyber attack on the Democratic National Convention allegedly carried out by Russians.

How China is preparing for cyberwar

The US and China have significant differences on the legitimate uses and preferred shape of cyberspace. The 2011 White House International Strategy for Cyberspace, for example, states that the US will work toward an “open, interoperable, secure, and reliable information and communications infrastructure.” In contrast, Beijing has argued for a norm of cybersovereignty, the idea that states have the right to control their own cyberspace much like they do any other domain or territory. While China has become increasingly more vocal and assertive about how cyberspace should be governed, it has yet to offer any justifications on how and why a state may conduct computer network attacks or espionage. Still, even in the absence of any official Chinese policies, it is possible to identify the motivations of state-backed hackers. Chinese leaders view cyberspace as essential to fostering economic growth, protecting and preserving the rule of the Chinese Communist Party, and maintaining domestic stability and national security.

Which leads to…

Companies increasingly face nation-state cyber attacks

Addressing an exploding number of nation-state cyberattacks is sapping the resources of companies, cybersecurity professionals say. Nation-state attacks on corporate assets used to be infrequent, but now companies sometimes feel like they are on the front lines of a cyberwar, panelists at the Global Cyberspace Cooperation Summit at the University of California, Berkeley said. 

A preview of coming attractions…

Consumer Reports to Grade Products on Cybersecurity

Dark Reading

The non-profit consumer ratings group Consumer Reports plans to evaluate cybersecurity and privacy when ranking products, Reuters says. It is currently working with organizations to create methodologies for doing this. An early draft of standards is available here. This decision was made following a recent increase in cyberattacks on IoT devices, many of which contain vulnerabilities easily exploited by hackers. Researchers believe these attacks are unlikely to cease because manufacturers do not want to spend on securing connected products.

The Insecurity of IoT Devices Presents New and Unique Cybersecurity Challenges 

Security experts point to the growing cybersecurity threats from the proliferation of smart, connected devices known as the Internet of Things. For example, last year’s Dyn attacks, initiated by about 100,000 endpoints using IOT devices, was viewed as the largest DDoS attack to date and interrupted service to a number of large websites. “We must wake up to the cyber risks posed by the billions of IOT devices,” said Thomas K. Billington, Chairman and Founder of Billington CyberSecurity, the host of the conference. “The Internet of Things therefore will be a key topic at our International summit.” “The rate at which these connected devices are proliferating is staggering, eluding attempts to harness or tame them within appropriate security protocols. We’ve long accepted the fact that no institution in the cyber age is any stronger than its weakest connected link, and the number of those weak links just got exponentially greater,” pointed out John McClurg, Vice President and Ambassador-At-Large, Cylance.

And a caveat – protect yourself…

Cybersecurity in seven minutes

Knowing about cybersecurity risks isn’t the same as protecting against them. For instance, a recent survey from the Pew Research Center found that just 12 percent of Americans use a password manager, and only 3 percent use it regularly – even though that’s how security pros recommend everyone keep track of passwords. It takes time and effort to stay on top of best security practices, so all too often, people cut corners. That’s why we’ve put together a short guide to cybersecurity essentials. It will walk you through some of the most common risks, and the specific ways to protect yourself when it comes to three critical areas: Privacy: How someone else can see what you’re doing online or on your device. Security: How someone can intercept data. Control: How someone can take over your smartphone or computer. These scenarios illustrate the kinds of risks to watch out for, and how to protect yourself.

We Scored High on This Cybersecurity Quiz. How About You?

How much do you know about keeping your data and information safe? A new study from Pew Research Center finds that even amid high profile hacks on businesses and institutions that affect millions, many Americans don’t have a comprehensive understanding about what precautions need to be taken to prevent cybersecurity breaches. And perhaps it is unsurprising, but Pew says that “those with higher levels of education and younger internet users are more likely to answer cybersecurity questions correctly.”

By Tom Davis, SDI Cyber Risk Practice

March 28, 2017

Always Ready, Always There… (and there too?)

Here’s a little piece of obscure history: the longest-serving component of the United States armed forces is the Army National Guard. That’s right, the first militia regiments were organized by the General Court of the Massachusetts Bay Colony in 1636. Beginning with the Pequot War in 1637, the Army National Guard has participated in every war or conflict this nation has fought. Now, two members of Congress are advocating a unique Guard role in cyber warfare.

Congressmen Will Hurd, a Texas Republican, and Ruben Gallego, an Arizona Democrat, are suggesting the U.S. create a Cyber National Guard to access talent that might otherwise not participate in national defense. Congressman Hurd explains his idea thusly, “The federal government could forgive the student loan debt of STEM graduates who agreed to work for a specified number of years in the federal government in cybersecurity jobs at places like SSA or Department of Interior. Furthermore, when those individuals moved on to private sector jobs they would commit one weekend a month and two weeks a year to continued federal service. This would help ensure a cross-pollination of experience between the private and public sectors.”

Israel, which has mandatory military service, offers some insight into the approach. Cyber technology is a key part of the Israeli economy, and the nation has become a global leader in cybersecurity, in part by drawing on expertise and experience gleaned from the country’s elite military intelligence forces.  Much of the innovation in cybersecurity in Israel comes from people who complete their mandatory military service and then turn their cyber warfare expertise to the commercial sector.

The two members of Congress presented their ideas at the South by Southwest (SXSW) festival, a rollicking mix of music, film, and interactive media. Not everyone was favorably impressed, but the notion of a cyber national guard has touched off a lively debate. Pros and cons are set forth in this article in csoonline.com.

By Tom Davis, SDI Cyber Risk Practice

March 21, 2017

Hey, Smalls

In 1973, a book by British economist E. F. Schumacher took the world by storm, challenging conventional western economic theory, and championing the notion that appropriate scale was critical to long-term sustainability. The book, “Small Is Beautiful: A Study of Economics as If People Mattered,” was hugely influential, as it mixed philosophy with economics to paint the picture of a far better world where small size could be embraced as a virtue. His message could be summed up in the phrase, “production by the masses, rather than mass production.” It remains the case today that small can be beautiful, but recent guidance from the U.S. House of Representatives Small Business Committee reminds us that in the cyber world, small also can be quite perilous.

The congressional committee posted advice on how small businesses should prepare for cyber breaches and protect data. What was particularly notable was this chilling reminder, “nearly 60 percent of small companies go out of business following a hack and 71 percent of all cyber assaults occur at businesses with under 100 workers.”

The committee’s findings are consistent with information available from the National Cyber Security Alliance, as reported by David Wither of Tech.Co: “In another cyber security survey of 1,000 small business owners, 85 percent admitted that they believed large enterprises were more targeted than they were. This finding explains why small enterprises continue to pay little attention to Cyber Security. In reality, however, cyber criminals do not discriminate and have no priority targets. They attack any weak security system, whether it is a small business or a large one.”

The Small Business Committee’s advice for small businesses can be found here. For additional information, see these U.S. Small Business Administration tips.

To Mr. Schumacher’s estimable phrase, “Small Is Beautiful,” we add the caveat that from a cyber criminal’s perspective, beauty is in the eye of the beholder. One does not wish to be too beautiful a target.

By Tom Davis, SDI Cyber Risk Practice

March 14, 2017

What If “Cyber” Is The Wrong Word?

This week’s post is written by George Platsis, the newest member of SDI’s cyber team. George focuses on human factor vulnerabilities related to cybersecurity, information security, and data security by separating the network and information risk areas.  Here he raises an interesting question.

Often, how you characterize a problem will determine your plan of attack to solve the problem. To illustrate, I often use this example with both clients and friends.

If I were to ask you: “How long can you and your business survive without your computer?” your answer would likely be something along the lines of “I need my computer to do everything!” While I suspect this is most likely true, such a response does very little for your resilience. Should such a case ever arise in your life, you would be left scrambling to find some sort of solution to keep your business operations going.

But what if I were to ask you: “You don’t have your computer for three days, a week, or even two weeks…what do you do?”  By asking the question in this manner, you are undoubtedly forced to look at the problem in a very different way. In fact, you have to look at the problem in a very different way because your survival depends on it.

The word “cyber” means different things to different people. In virtually every training session I put on, one of my first actions is to go around the room and ask people what “cyber” means to them. If I am lucky, perhaps two or three people will have a similar answer, but in most cases, the definitions vary, even when people share similar job titles and roles.

I trust that you see there is a big problem here. “Cyber” is arguably the greatest challenge we face today, yet we cannot come to a consensus as to what “cyber” is.

Let me try to unpack the “cyber” issue a different way, one that I have found to be extremely helpful and have been using recently to help people tackle their challenges. In its current state, I see the “cyber” issue actually being two separate problems, forming one overarching issue.

The first problem is network. I believe “network” as a definition is fairly self-explanatory. I also believe we can all agree that protecting the network is primarily a technical issue that requires specialized skills. Based on industry trends, the argument could also be made that the majority of “cyber solutions” are network-based. But I could also make the case that a network-centric strategy may not be in your best interests.

The second problem is information. I also believe that “information” as a definition is fairly self-explanatory, but I would argue that we do a very poor job protecting information. Protecting information could range from training your staff, to internal policies, to utilizing industry standards, to practices on how to handle sensitive documents, and physical security (though this specific issue can jointly fall into the network category as well).

When you put these two pieces together, I characterize this as a data security issue.

I do not see many “cyber solutions” that properly address the “information side” of this problem. The key to solving any problem is asking the right questions. I am confident that unpacking the problem into two distinct problems, network and information, will lead you to the best solution for your needs.

March 7, 2017

See George’s previous post, How Do We Succeed in the Cyber Security Battle? Episode III – Making the Business Case: Where Does Your Money Go?

Exploring the Cybersphere – February 2017

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

For many, February is a month whose primary virtue is that in most years it lasts only 28 days. I suspect, if put to a vote, the overwhelming majority of people in the Northern hemisphere would rather tack the extra day bequeathed to February every four years onto another month, say June, for instance. But February does have some peculiar attractions. For example, on the last Saturday of the month it hosts Open That Bottle Night, started by a husband and wife team of wine critics who wrote an excellent column titled “Tastings” for the Wall Street Journal. A good bottle of wine is useful in putting February in a far better light. Let’s add some music as we look at the stories that made news in the cyber world during the month of February 2017.

Rain Drops Keep Fallin’ On My Head

Shipping industry vulnerable to cyber attacks and GPS jamming


The shipping industry is increasingly at risk from cybersecurity attacks and a gap in insurance policies is leaving them vulnerable, industry experts …

Another One Bites The Dust

TalkTalk boss Dido Harding quits 18 months after huge cyber attack

Evening Standard

The boss of TalkTalk is leaving less than 18 months after the broadband giant was hit by one of the most devastating cyberattacks in British corporate …

Whole Lot Of Shakin’ Goin’ On

Attention to cyber-security is becoming daily routine in the C-suite

SC Magazine

“Attackers aren’t bound by borders or country,” he says adding that the key point in fostering better cooperation on cyber-security is this: How do you …

Firms split on who handles aftermath of cyber-attacks

Large companies are confused about who should be in charge of dealing with the aftermath of cyber-attacks, according to new research. The study by BAE Systems suggests senior managers expect IT staff to deal with data breaches, but technology bosses feel it should be board members. The confusion could make firms more vulnerable to attacks, said BAE. Both camps also had widely different estimates of how much a breach could cost, according to the research. “Both sides seem to think that it’s the other’s responsibility when it comes to a successful breach and that reflects a gap in understanding,” said Dr Adrian Nish, head of the cyber-threat intelligence unit at BAE Systems. The research had responses from 984 IT managers and 221 executives from Fortune 500 companies across the world.

It’s All In The Game

Experts at RSA offer up their best cybersecurity advice

Come to the RSA show, and you’ll find plenty of cybersecurity technology. The top vendors from across the industry are here, showing products for fighting ransomware, preventing data breaches and more. But even the best security software is useless if users and businesses aren’t taking the right steps to protect themselves. So we asked experts at the show for their best cybersecurity tips.

Winners and Losers at RSA’s Cyber-Security Extravaganza


Five go-go days and nights at the RSA conference in San Francisco showed why cyber-security is the biggest story in tech right now as businesses …

By Tom Davis, SDI Cyber Risk Practice

February 28, 2017


Readers Digest The Assault of the Secret Squirrel

Ah, the dwindling days of February, when life begins to stir anew across the northern climes. Days grow longer, birds sing stronger, and spring hints at its arrival. Baseball fans revel in the thought of pitchers and catchers reporting, golfers sneak in the odd round and begin to think of the Masters, basketball fans turn their thoughts to season-ending tournaments and the upcoming madness of March, and cybersecurity fans eagerly pore over the latest edition of Verizon’s Data Breach Digest.

Within the pages of Verizon’s Data Breach Digest we can devour the story of “The Hot Tamale,” chew on the details of the “Fetid Cheez,” chill on the story of “The Polar Vortex,” and surrender to the tale of “The Golden Fleece.” As one might surmise from the names of the schemes disclosed in Verizon’s report, the authors had some fun in creatively describing actual scenarios drawn from incident investigations conducted by Verizon. Basically, Verizon extrapolates from its data to create a series of scenarios that demonstrate the kinds of incidents organizations must guard against. Verizon’s premise is that there are predictable combinations of cyber attack characteristics, and that by preparing for the kinds of incidents it portrays, organizations can most effectively use their resources.

This year’s report offers four scenario groupings. They are “The Human Element,” focusing on human-related threat actors or victims, “Conduit Devices,” looking at device misuse or tampering, “Configuration Exploitation,” covering reconfigured or mis-configured settings, and “Malicious Software,” whose name pretty much gives away the threat category.

Here’s a snippet from what the report terms an “Internet of Things (IoT) Calamity, The Panda Monium,” involving an incident at a university campus. “The name servers, responsible for Domain Name System (DNS) lookups, were producing high-volume alerts and showed an abnormal number of subdomains related to seafood. As the servers struggled to keep up, legitimate lookups were being dropped–preventing access to the majority of the internet. While this explained the “slow network” issues, it raised much more concerning questions. From where were these unusual DNS lookups coming? And why were there so many of them? Were students suddenly interested in seafood dinners? Unlikely….

Within hours, I had more feedback than I could handle and began the review process. The firewall analysis identified over 5,000 discrete systems making hundreds of DNS lookups every 15 minutes. Of these, nearly all systems were found to be living on the segment of the network dedicated to our IoT infrastructure. With a massive campus to monitor, everything from light bulbs to vending machines had been connected to the network for ease of management and improved efficiencies. While these IoT systems were supposed to be isolated from the rest of the network, it was clear that they were all configured to use DNS servers in a different subnet.”

The preceding describes a threat of growing magnitude. In fact, the totality of Verizon’s Data Breach Digest offers a useful and interesting look at the cyber threats we face, and is well worth reading. As you read, do be wary of “The Assault of the Secret Squirrel.”

By Tom Davis, SDI Cyber Risk Practice

February 21, 2017


Here’s Whose Valentine You Don’t Want to Be

On Valentine’s Day in 1929, several members of Al Capone’s gang dressed as police officers stopped by archrival Bugs Moran’s headquarters on North Clark Street in Chicago, and delivered a Chicago gangster’s version of a valentine. They lined up seven of Moran’s men against a wall, and shot them. The moment became memorialized as the St. Valentine’s Day Massacre. The savage event was huge news, and people devoured stories about the massacre, at a distance, and safely.

Fast forward to this Valentine’s Day, and the news of the moment is the resignation of National Security Advisor Michael T. Flynn. Huge news, people are devouring stories, but perhaps not so safely. For example, the New York Times and Newsmax Media have been victimized by quoting tweets from a fake Twitter account purporting to be Flynn’s and discussing his resignation. Why is this a cybersecurity problem? Read on.

Amidst non-stop use of the term “fake news” comes this story from Tech Republic: “Extra, extra! That fake news story might come with malware.” As the story notes, we have a tendency to avidly follow significant news stories, and cyber criminals use that tendency to great advantage, by incorporating either a real-news article or a fake-news article based on breaking news as an email attachment, or placing a banner bordering an article calling attention to it in a way intended to lure potential victims. Once they get your attention they either work to get you to exchange sensitive information or create an opportunity for an attacker to download malware to your system.

James Scott, Senior Fellow at the Institute for Critical Infrastructure Technology, offers an essay that points out “…news was the most common social engineering lure in 2014. Cyber-adversaries capitalized on high-profile natural disasters, global events, celebrity gossip, and buzz-worthy headlines. The Sochi Olympics, the World Cup, the death of Robin Williams, the leak of celebrities’ private photos from the iCloud, and other stories were used by APTs and cybercriminals to spread malware to victim systems via email, watering-hole sites, and malicious advertisements.” Rest assured, news remains a key tool for cyber criminals.

Scott’s essay goes into some detail about what is known about several foreign adversaries who are making great use of fake news, and is well worth reading. Today’s attacks are infinitely more subtle than Al Capone’s, but potentially every bit as deadly.

By Tom Davis, SDI Cyber Risk Practice
February 14, 2017