Exploring the Cybersphere – May 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

The race is not always to the swift, but there’s definitely a race to SWIFT
What the Bangladesh SWIFT hack attack teaches about the future of cybersecurity and cyberwar

Cybersecurity headlines this week have been filled with emerging details of the February 2016 cyber theft of 81 million dollars from the Bangladesh central bank’s holdings in the New York Federal Reserve Bank. In a nutshell, highly skilled attackers crafted an intricately customized assortment of malware that ran on the bank’s own computers and issued what appeared to be legitimate SWIFT monetary transfer orders. The software went to great lengths to hide the transactions from bank personnel, from deleting database entries to altering hardcopy paper printouts. What can we learn from this attack about the future of cybersecurity and cyberwarfare?

Why is cybersecurity important to the fintech sector?

Cybersecurity presents a fundamental problem for those on the defence side. While hackers need only identify one point of vulnerability in an organization, banks, companies, governments, and other organizations need to make sure that their entire online platform is guarded against attack. This difference in scale makes cybersecurity a difficult problem for any company. However, the cost of this challenge is felt most acutely by small- to mid-sized organizations. While big banks, like Bank of America (NYSE:BAC) and Goldman Sachs (NYSE:GS), have the resources to invest millions of dollars into making sure that all of their angles are covered, smaller institutions just don’t have that option. And so, even if they do invest part of their budget in improving cybersecurity measures, there’s always a risk of leaving an unidentified backdoor undefended. However, what seems like a problem for small banks is actually a problem for everyone in the financial services sector. That’s because today’s banking system is a closely integrated system where almost everybody is connected. For example, CNN Money reports that, back in February of this year, hackers stole $101 million from Bangladesh’s central bank. This was disastrous on its own, but what was even more concerning to the international banking community was the fact that the hackers also gained access to the worldwide interbank communication network SWIFT. A similar hack occurred in May, when hackers targeted a commercial bank in Vietnam. Therefore, although the problem of cybersecurity is felt most acutely by the small banks on the fringes of the international banking community, the repercussions of such breaches can be felt throughout the world.

Victims, victims, everywhere
Nearly three-quarters of firms globally hit by cyber attacks last year

Information security remains one of the most important concerns for data managers, and for very good reason. A new international study reveals that nearly three-quarters of organizations were the victims of a security incident in the past year alone. The International Trends in Cybersecurity report from CompTIA, the nonprofit association for the technology industry, finds that nearly three out of four organizations globally have been plagued by at least one security breach or incident in the past year, with about 60 percent of breaches categorized as serious. The report also reveals that organizations are altering security practices and policies due to greater reliance on cloud computing and mobile technology solutions. More than 1,500 business and technology executives in 12 countries were surveyed. The report includes data from Australia, Brazil, Canada, Germany, India, Japan, Malaysia, Mexico, South Africa, Thailand, the United Arab Emirates (UAE) and the United Kingdom (UK).

Top 2016 cybersecurity reports out from AT&T, Cisco, Dell, Google, IBM, McAfee, Symantec and …

The biggest players in cyber have published their annual security reports for 2016. Each one brings its unique view on cybercrime and cyber defense strategies. Data security: AT&T looked inside its giant global communications network and came out with its inaugural Cybersecurity Insights Report towards the end of last year. The report is aimed at helping businesses to secure their own data. “Every company either has been breached or will be breached,” said Ralph de la Vega, president and CEO, AT&T Mobile and Business Solutions, in the report. Takeaway: a 458% increase in the number of times hackers searched Internet of Things connections for vulnerabilities.

117M hacked LinkedIn logins for sale on dark web

A hacker is attempting to sell the account information of 117 million LinkedIn users stolen as part of a 2012 breach that appears much worse than originally thought. “Yesterday, we became aware of an additional set of data that had just been released,” the company said in a statement Wednesday. “We have no indication that this is as a result of a new security breach.” Around 6.5 million passwords were posted online when the breach occurred in 2012, although LinkedIn never confirmed the scope of the breach. The company rolled out a mandatory password reset for all accounts it believed were compromised. Now, the information for an additional 100 million accounts is for sale on an illegal dark web marketplace for 5 bitcoin, or $2,200, according to Motherboard. Security researchers who have reviewed the data say it is likely legitimate. A LinkedIn spokesman confirmed to Motherboard that the 6.5 million passwords originally released were not necessarily all of the stolen data. “We don’t know how much was taken,” Hani Durzy told the publication.

FDIC cyberattacks included hit on former chairwoman’s computer

The Federal Deposit Insurance Corp. is an independent agency created by Congress to maintain “public confidence in the nation’s financial system.” So says its mission statement. Millions of Americans demonstrate their trust in the agency every time they make a deposit in a U.S. bank where the funds are guaranteed by the FDIC. Yet, while the public’s trust in FDIC is strong, a series of incidents threaten to undermine confidence in the agency’s cybersecurity system. The personal information of American taxpayers has been jeopardized

Cybersecurity in healthcare is in an unhealthy condition
Cybersecurity special report: Ransomware will get worse, hackers targeting whales, medical devices and IoT trigger new vulnerabilities

Cybercriminals have set their sights on healthcare. Ransomware is the new normal. And many providers are approaching security all wrong. CIOs, CISOs, ethical hackers and other experts point the way forward. When it comes to digital security, healthcare provider organizations have the wrong mission and are using outdated approaches, generally failing at securing their organizations from today’s increasingly sophisticated cybercriminals. That’s according to “Hacking Hospitals,” a two-year study by Independent Security Evaluators of 12 healthcare facilities, two healthcare data facilities, two healthcare technology platforms and two medical devices. The study concluded healthcare has two major problems when it comes to digital security: a near-exclusive focus on defending patient records, and measures that target unsophisticated adversaries and blanket attacks. “One of the biggest things we took away from our Anonymous attack was that in the past, I had always thought about cybersecurity related to health IT as safeguarding data ― but our experience made us understand it is more than that,” said Daniel Nigrin, MD, CIO at Boston Children’s Hospital, which was attacked by the hacker group Anonymous in 2014. “These cyberattacks can be disruptive to the routine daily operations of a hospital. One can argue these kinds of attacks are even more significant than the breach of data because at the end of the day we are taking care of patients who are sick, and that has to be Priority No. 1.”

Cyber attacks and negligence lead to rise in medical data breaches

America’s healthcare organizations are being attacked by data thieves, but the industry is not doing nearly enough to deal with the growing threat, according to a new study by the Ponemon Institute.
These breaches are “increasingly costly and frequent, and continue to put patient data at risk,” the report concluded. Key findings: nearly 90 percent of the healthcare organizations surveyed had a data breach in the past two years; nearly half (45 percent) had more than five breaches in that time period; and the annual cost of dealing with these breaches is estimated to be $6.2 billion. “The industry has not made very much progress since we started looking at this issue six years ago,” said Dr. Larry Ponemon, founder of the Ponemon Institute. “Many organizations don’t have the resources or the staffing to get the job done right. My prediction is that things are going to get worse before they get better, but they will get better.”

More on how cyber crime pays
HPE report lays bare inner workings of cyber criminal economy

(A Hewlett Packard Enterprise (HPE) report shows business how cyber criminals operate and how to disrupt them at each step of their criminal value chain) The value chain driving cyber crime provides insights into improving enterprise cyber defences, according to a report from Hewlett Packard Enterprise (HPE). The Business of Hacking report explores hacking as a business, assesses the underlying economy driving cyber crime and analyses the motivations behind attacks. The report – based on data and observations from HPE security teams, open source intelligence and other industry reports – analyses the value chain illegal organisations have established to expand their reach and maximise profits. Based on this insight, the report provides actionable recommendations for enterprises to mitigate risk through disrupting cyber criminal groups. Cyber criminals are increasingly using sophisticated management principles in creating and expanding their operations to increase their impact and financial profit, researchers found. These are the core motivations for nearly all attack groups today, the report said, noting that enterprises can use this knowledge to disrupt criminal organisational structures and mitigate risks.

In search of enlightenment
Why CEOs are failing cybersecurity, and how to help them get passing grades

The buzz at yesterday’s inaugural Cyber Investing Summit – held on Wall Street at the New York Stock Exchange – was that most CEOs and board members don’t get cybersecurity. Cybercrime is on the rise — to the tune of $2.1 trillion by 2019, according to Juniper Research. The Verizon 2016 Data Breach Investigations Report (DBIR) states that no location, industry or organization is immune from attack. A DBIR executive summary — described as the C-level guide to what they need to know — is chock full of information that most CEOs will struggle to understand. For instance, ‘the median traffic of a DoS attack is 1.89 million packets per second — that’s like over 113 million people trying to access your server every minute.’ Huh? Make no mistake, Verizon’s report is an invaluable resource and recommended reading for business leaders. A skim through is certain to heighten awareness around cyber risks — even if it leaves a CEO scratching her head trying to figure out what all the technical terms mean — including patching, change monitoring, SLAs for DoS mitigation, CMS plugins, two-factor authentication, tamper evident controls, and all the rest. If CEOs don’t get cybersecurity because it’s too complicated to understand, then what can be done about it?
By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

May 31, 2016