This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.
“Try to remember the kind of September
When life was slow and oh so mellow”
– (from the musical comedy The Fantasticks)
“E.T. Phone home (but use a landline, it’s safer)”
Mobile device infections rose 96 percent in the first half of 2016
Help Net Security
After examining general trends and statistics for malware infections in devices connected through mobile and fixed networks, Nokia found a sharp rise in the occurrence of smartphone malware infections in the first half of the year. Smartphone infections nearly doubled between January and July compared to the latter half of 2015, with smartphones accounting for 78 percent of all mobile network infections. The malware infection rate hit an all-time high in April, with infections striking 1.06 percent of all mobile devices tracked. Devices running Android were the most targeted mobile platform by far, representing 74 percent of all mobile malware infections. “Today attackers are targeting a broader range of applications and platforms, including popular mobile games and new IoT devices, and developing more sophisticated and destructive forms of malware. Nokia’s network-based security solution is the best approach to address this growing threat to all types of devices. It detects and prevents malware activity that device-based solutions may miss,” said Kevin McNamee, head of the Nokia Threat Intelligence Lab.
New Malware Targets Android Banking Apps, Cybersecurity Group Says
Wall Street Journal
Cybersecurity researchers said they have discovered a new type of malicious software that circumvents security features on version 6 of the Android mobile-phone operating system, allowing criminals to infiltrate banking apps and steal credit-card details.
Your Biggest Cybersecurity Weakness Is Your Phone
Harvard Business Review
Executives are wrestling with managing a proliferation of devices, protecting data, securing networks, and training employees to take security seriously. In our Tech Pro Research survey of chief information officers, technology executives, and IT employees, 45% of respondents saw mobile devices as the weak spot in their company’s defenses. (Employee data was cited by 37%, followed by wireless access of networks at 34% and bring-your-own-device efforts at 29%.) Meanwhile, the potential for mobile attacks continues to expand. In JulycomScore reported that half of all digital time was spent on smartphone apps, and 68% percent of time was spent on a mobile device. If mobile security isn’t a problem for your company yet, it will be.
Consider the following recent events:
- A flaw called “Quadrooter” left more than 900 million Android devices vulnerable to attacks. The code was published online. Google has since patched Android.
- Pokémon Go became a global phenomenon, but people in regions without the game downloaded it from unauthorized marketplaces, exposing their devices to malicious attacks.
- Researchers at Binghamton University found that wearable devices and smartwatches can give away PINs and passwords through an algorithm that has 80% accuracy on the first try and 90% after three attempts.
Securing mobile devices is tricky. Android is a fragmented mobile operating system. Security researchers are anticipating more attacks on Apple’s iOS. Employees lose their devices and can be lax with security compliance. Toss in people bringing their own unsupported devices to work and you can see why security executives are stressed.
“Darn those pesky employees…”
The Biggest Cybersecurity Threats Are Inside Your Company
Harvard Business Review
When security breaches make headlines, they tend to be about nefarious actors in another country or the catastrophic failure of technology. These kinds of stories are exciting to read and easier for the hacked company to admit to. But the reality is that no matter the size or the scope of a breach, usually it’s caused by an action, or failure, of someone inside the company. The role that insiders play in the vulnerability of all sizes of corporations is massive and growing. In the 2016 Cyber Security Intelligence Index, IBM found that 60% of all attacks were carried out by insiders. Of these attacks, three-quarters involved malicious intent, and one-quarter involved inadvertent actors. IBM Security research also found that health care, manufacturing, and financial services are the top three industries under attack, due to their personal data, intellectual property and physical inventory, and massive financial assets, respectively. However, while industries and sectors differ substantially in the value and volume of their assets and in the technology infrastructures they have to manage and defend, what all businesses have in common is people — all of whom have the potential to be an insider threat.
Insider Incidents Cost Companies $4.3 Million Per Year On Average
Careless users and contractors continue to be the biggest source of insider incidents at most organizations. But external attackers posing as legitimate users via stolen credentials can cause far more financial damage, a new survey by the Ponemon Institute shows. Ponemon polled 280 IT and security practitioners from 54 medium- to large organizations between April and July this year. The findings show that nearly four years after Edward Snowden’s famous data leaks, the insider threat remains as intractable as problem as ever for many organizations. The survey, sponsored by security vendor Dtex, reports a total of 874 insider incidents across respondent organizations over the past 12 months. A total of 568 of those incidents were caused by employee or contractor negligence, 191 were tied to malicious employees and criminals, while 85 were caused by outside imposters with stolen credentials.
So much for counter-phishing training: Half of people click anything sent to them
Security experts often talk about the importance of educating people about the risks of “phishing” e-mails containing links to malicious websites. But sometimes, even awareness isn’t enough. A study by researchers at a university in Germany found that about half of the subjects in a recent experiment clicked on links from strangers in e-mails and Facebook messages—even though most of them claimed to be aware of the risks. The researchers at the Friedrich-Alexander University (FAU) of Erlangen-Nuremberg, Germany, led by FAU Computer Science Department Chair Dr. Zinaida Benenson, revealed the initial results of the study at this month’s Black Hat security conference. Simulated “spear phishing” attacks were sent to 1,700 test subjects—university students—from fake accounts…”The overall results surprised us, as 78 percent of participants stated in the questionnaire that they were aware of the risks of unknown links,” Dr. Benenson said in a FAU posting on the research. “And only 20 percent from the first study and 16 percent from the second study said that they had clicked on the link.” But in fact, of those claiming they were security savvy, “we found that 45 and 25 percent respectively had clicked on the links,” Dr. Benenson said.
“Can’t we all just get along?”
The Cold War is over. The Cyber War has begun.
The Washington Post
Contemplating Russian nuclear threats during the Cold War, the strategist Herman Kahn calibrated a macabre ladder of escalation, with 44 rungs ranging from “Ostensible Crisis” to “Spasm or Insensate War.” In the era of cyberwarfare that’s now dawning, the rules of the game haven’t yet been established with such coldblooded precision. That’s why this period of Russian-American relations is so tricky. The strategic framework that could provide stability hasn’t been set. Russian hackers appear to be pushing the limits. In recent weeks, the apparent targets have included the electronic files of the Democratic National Committee, the private emails of former secretary of state Colin Powell, and personal drug-testing information about top U.S. athletes. The Obama administration is considering how to respond. As in most strategic debates, there’s a split between hawks and doves. But there’s a recognition across the U.S. government that the current situation, in which information is stolen electronically and then leaked to damage and destabilize U.S. targets, is unacceptable. “A line has been crossed. The hard part is knowing how to respond effectively,” argues one U.S. official. Retaliating in kind may not be wise for a country that is far more dependent on its digital infrastructure than is Russia. But unless some clear signal is sent, there’s a danger that malicious hacking and disclosure of information could become the norm.
Cybersecurity is threatening America’s military supremacy
The sparsely populated Spratly Islands, a collection of hundreds of islands and reefs spread over roughly 165,000 square miles in the South China Sea, are very quickly becoming the center of one of the most contentious international disputes between world powers since the fall of the Soviet Union. Alarmingly, the use of cyber attacks in this dispute suggests we might already be in the midst of a new Cold War playing out in cyberspace — where America’s advantage is not as clear as it is with conventional armies and navies. The Spratly Islands are of economic and strategic importance. All of the countries in the region — including China, Vietnam and the Philippines — have made competing territorial claims to the region. In recent years, China has become increasingly aggressive in its claim, rapidly building artificial islands while also conducting military operations in the area. Beyond this conventional military buildup, however, are complex and brazen cyber attacks by China that are leaving America and its allies increasingly concerned.
Asia hacking: Cashing in on cyber crime
On a quiet Sunday in May, as dawn was breaking over Tokyo, a 100-strong army of hooded “withdrawal mules” rolled up at convenience stores across Japan and began a bank robbery that the country had never imagined possible. “Heaven”, as Japan is known to this new generation of robber-hackers, had just been ransacked — heralding an era in Asian cyber crime where thieves can turn a hack into cash almost instantly. Exactly three hours, 14,000 ATM cash withdrawals and ¥1.8bn ($18m) of theft later, the gang stopped work and melted away, the only immediate trace being some ill-defined CCTV footage and virtual footprints to credit card data stolen from a bank in South Africa. Cyber security is a growing concern globally but it is creating particular anxiety in Asia after a flurry of attacks affecting Bangladesh, the Philippines, Taiwan, Thailand and Vietnam. Experts say the spike is driven partly by growing political tensions, such as China’s dispute with its neighbors over islands in the South China Sea, but the other key trigger is the attraction of increasingly lucrative, but patchily defended, banks and companies.
Opinion: How the South China Sea fight could go digital
Christian Science Monitor
After The Hague ruled in July against China’s territorial claims in the South China Sea, the world has been watching to see how Beijing will react. While it’s unlikely China will risk starting a war with the US and the West with any kind of physical strike, Beijing may look to its growing capabilities in the virtual realm – cyberspace – as a lower-cost and lower-risk way to achieve its territorial goals, solidifying claims in the East and South China Seas. It’s a strategy that would allow China to operate nonlinearly across physical and virtual domains, taking a page from Russian President Vladimir Putin’s playbook by using measures short of war to establish greater control over nearby states and territories.
Obama warns of cyber ‘arms race’ with Russia
President Barack Obama issued a subtle warning to Russia on Monday, noting that the United States has “more capacity than anybody, both offensively and defensively” when it comes to cyber weapons. The remarks, made to reporters following the G-20 conference in Hangzhou, China, come amid signs of growing Russian interference in the Nov. 8 presidential election. U.S. officials have already pointed fingers at Russia for the recent breach of the Democratic National Committee’s servers, albeit anonymously, and law enforcement and intelligence agencies are reportedly concerned about a broader attempt by the Kremlin to disrupt or undermine the process. The administration has faced pressure to publicly attribute those attacks to Russia, but Obama declined to do so explicitly, citing “specific investigations that are still live and active.”
“If you think the present state of cybersecurity is bleak…”
Quantum computing has the cybersecurity world white-knuckled
As quantum computers inch closer to reality, experts are sweating over their potential to render many of today’s cybersecurity technologies useless. Earlier this year the U.S. National Institute of Standards and Technology issued a call for help on the matter, and this week the Global Risk Institute added its voice to the mix. Because of quantum computing, there’s a one-in-seven chance that fundamental public-key cryptography tools used today will be broken by 2026, warned Michele Mosca, co-founder of the University of Waterloo’s Institute for Quantum Computing and special advisor on cybersecurity to the Global Risk Institute. By 2031, that chance jumps to 50 percent, Mosca wrote in a report published Monday.
Data Manipulation: An Imminent Threat
An approaching cyber storm—one capable of unleashing unprecedented chaos—is looming on the horizon of the United States’ public and private sectors. Although experts warn that attackers are poised to launch sophisticated campaigns designed to manipulate financial, healthcare, and government data beyond recognition, our critical industries remain largely unprepared for these potentially destructive attacks. To date, those capable of conducting malicious cyber operations have been intent upon stealing personal, health, education, and financial information and pilfering the precious intellectual property of leading defense, technology, and manufacturing corporations. Their motive: to spread chaos. At separate events in August, I listened as General Gregory Touhill, just named by the White House as the first federal chief information security officer, and Theresa Payton, a former White House CIO, cautioned that data manipulation attacks are coming. Assuredly, the cyber threat landscape is about to shift dramatically.
“And, finally, who can you trust?”
Is Your Printer About To Launch A Cyber Attack?
Businesses across the UK are beginning to make significant investments in their security efforts following recent high profile data breaches that have hit businesses at a global level. Many businesses are set up with a printer per desk or team, but owners are unaware that having departmental printers sprinkled throughout an office can be an easy source for a data breach. Unbeknownst to many in an office environment, modern printers now contain a wealth of confidential data, in both electronic and hard copy format, making them vulnerable to attack.
By Tom Davis, SDI Cyber Risk Practice
September 27, 2016