Podcast: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 77: DNC Fallout Continues, LastPass Exploit Discovered and Bitcoin is Not Real Money:

The fallout from the breach at the Democratic National Committee continued as WikiLeaks published more information and Julian Assange vowed that there was more to come. UK Telecom O2 became the latest company to be victimized by batches of previously exposed credentials. Shapeways, Kimpton Hotels, and Korean online store Interpark all made headlines for data breaches. Cybercrime advisories included researcher Tavis Ormandy warning of flaws in password manager LastPass, NIST advising organizations to move beyond SMS-based two-factor authentication, a flaw in Amazon’s Silk web browser, the KeySniffer flaw affecting wireless keyboards, and news of the Chthonic banking Trojan. On the legal front a Miami judge ruled that bitcoin is not real money, Target shareholders’ derivative lawsuit was dismissed, the University of Mississippi Medical Center was hit with a $2.7 million HIPAA settlement, a breach led to a Minnesota county paying a $1 million settlement, and a former Citibank employee was sentenced to prison. Finally, one internet star asked his followers to hand over their passwords, and they did.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Supply Chains and Third Parties Continue to Cause Data Breaches

When putting together our recent Mid-Year 2016 Cyber Risk Report, the SurfWatch Labs team began by trying to answer one crucial question: with numerous cybercrime events across thousands of organizations this year, is there a central theme that emerges from all of that data?

In 2014, the data was dominated by a seemingly endless string of point-of-sale breaches. In 2015, the data highlighted a shift towards stolen personal information and more effective ways for cybercriminals to monetize that information. In 2016, the data so far showcases how cybercrime effects often spread beyond the walls of the victim organization.

“The diversity of cyber threats can seem overwhelming when viewed in isolation,” the report noted. “Collectively, they paint a picture of an increasingly connected cybercrime world. Malicious actors excel at taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. The stories so far in 2016 clearly demonstrate this approach, with numerous cyber incidents tied to previous data breaches.”

In fact, the number of cybercrime targets tied to “third-party” tags spiked the month before we published our report. As we noted in our previous blog, many of these incidents were connected to previous data breaches and the tactic of “credential stuffing” — where automated tools are used to exploit large batches of known user credentials to discover new accounts to take over.

SurfWatch Labs collected data on more industry targets tied to “third-party” data breaches in June than any other month so far in 2016.

On Tuesday another company was added to the growing list of third-party victims after its customer data was discovered being sold on the dark web. This time it was UK telecommunications company O2. Once again, the incident was attributed to credential stuffing.

“We have not suffered a data breach,” O2 said in a statement. “Credential stuffing is a challenge for businesses and can result in many [companies’] customer data being sold on the dark net. We have reported all the details passed to us about the seller to law enforcement and we continue to help with their investigations.”

As the BBC noted, “The data was almost certainly obtained by using usernames and passwords first stolen from gaming website XSplit three years ago.”

Although the company wasn’t directly breached, UK Telecom O2 had customer information for sale on the dark web due to data breaches at other organizations and “credential stuffing.”

That XSplit breach occurred in November 2013 and affected 2,983,472 accounts, according to Have I Been Pwned? The breach led to names, email addresses, usernames and hashed passwords being compromised.

That batch of three-year-old credentials appears to be the cause of the current breach of O2 accounts — as malicious actors leveraged that old information in order to gain even more personal information on the victims. In addition to names, email addresses and passwords, the O2 accounts for sale on the dark web include users’ phone numbers and dates of birth.

This is a similar scenario to what happened at LinkedIn, the most discussed company related to cybercrime so far this year. A 2012 data breach exposed more than 100 million user credentials. Over the past few months we’ve seen a variety of companies force password resets or otherwise report data theft due to those four-year-old credentials still being reused by customers or employees.

In short, old data breaches are leading to a surge of fresh attacks. However, credential reuse isn’t the only concrete example of the ripple effect of cybercrime, although it certainly is a major issue. This year has also seen more traditional incidents of supply chain cybercrime — where one partner or vendor is exploited to compromise another organization. In fact, SurfWatch Labs has collected data on “third-party” cybercrime impacting dozens of different industry groups so far in 2016.
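The credential stuffing described above has a recognizable shape in a web application’s own login logs: one source walks through many different accounts in a short span, and most of the attempts fail because the replayed passwords are stale. The following is an added example written for this post, not SurfWatch Labs’ code or tooling; it assumes a simplified log format (timestamp, source IP, username, result) and uses constructed sample lines.

```python
"""Flag credential-stuffing activity in web login logs.

Added example, not SurfWatch Labs' code. Assumes a simplified log format
(timestamp, source IP, username, result) constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log lines (not real data): one source cycles through
# many different accounts with a low success rate, the signature of a
# replayed breach dump; two ordinary logins follow.
SAMPLE_LOG = """\
2016-07-26T10:00:01Z 203.0.113.7 alice@example.com FAIL
2016-07-26T10:00:02Z 203.0.113.7 bob@example.com FAIL
2016-07-26T10:00:02Z 203.0.113.7 carol@example.com SUCCESS
2016-07-26T10:00:03Z 203.0.113.7 dave@example.com FAIL
2016-07-26T10:00:03Z 203.0.113.7 erin@example.com FAIL
2016-07-26T10:00:04Z 203.0.113.7 frank@example.com FAIL
2016-07-26T10:00:04Z 203.0.113.7 grace@example.com SUCCESS
2016-07-26T10:00:05Z 203.0.113.7 heidi@example.com FAIL
2016-07-26T10:00:05Z 203.0.113.7 ivan@example.com FAIL
2016-07-26T10:00:06Z 203.0.113.7 judy@example.com FAIL
2016-07-26T10:00:30Z 198.51.100.20 alice@example.com FAIL
2016-07-26T10:00:45Z 198.51.100.20 alice@example.com SUCCESS
2016-07-26T10:01:10Z 198.51.100.21 bob@example.com SUCCESS
"""


@dataclass
class LoginEvent:
    ts: datetime
    src: str
    user: str
    ok: bool


def parse_log(text: str) -> list:
    """Parse the constructed log format into LoginEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = line.split()
        events.append(LoginEvent(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                                 src, user, result == "SUCCESS"))
    return events


def find_stuffing_sources(events, window=timedelta(minutes=5),
                          min_users=8, max_success_rate=0.5):
    """Return {source_ip: summary} for sources that, inside some `window`,
    attempted at least `min_users` distinct accounts with a success rate at
    or below `max_success_rate`.  A person mistyping one password never trips
    this; a tool replaying a breach dump does, because it cycles through
    accounts and most of the stolen passwords no longer work.  The largest
    qualifying window per source is reported."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        best = None
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until the span fits in `window`
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            if len(users) < min_users:
                continue
            rate = sum(e.ok for e in win) / len(win)
            if rate <= max_success_rate and (best is None or len(win) > best["attempts"]):
                best = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    "success_rate": round(rate, 2),
                    # accounts that succeeded from a flagged source are the
                    # ones that need a forced password reset
                    "compromised": sorted(e.user for e in win if e.ok),
                }
        if best:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

The thresholds are assumptions to tune per site; the useful output is the `compromised` list, since those are the reused passwords that actually worked and are the accounts to reset and notify, which is the same response O2 and LinkedIn-affected companies ended up taking.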

While many industry groups have been impacted by “third-parties” this year, Software and IT Services and Consulting are the top trending groups in SurfWatch Labs’ data.

For example, in June we wrote about several healthcare organizations that were victimized by an actor going by the name “TheDarkOverlord,” who was attempting to sell data stolen from healthcare databases on the dark web. This week two of those healthcare organizations publicly confirmed they were victims. As databreaches.net noted, both cited third parties as a source of the compromise in their respective statements.

  • Midwest Orthopedics Group: “… To date, our investigation has determined that on May 4, 2016, a hacker, or hackers, likely gained access into our secured database system through a third party contractor and may have obtained some personal information of our patients …”
  • Athens Orthopedic Clinic: “Athens Orthopedic Clinic recently experienced a data breach due to an external cyber-attack on our electronic medical records using the credentials of a third-party vendor. …”

Various agencies and government groups are taking notice of the trend. The Federal Energy Regulatory Commission recently proposed revisions to the critical infrastructure protection (CIP) Reliability Standards, writing in a press release that “recent malware campaigns targeting supply chain vendors highlight a gap in protection under the [current] CIP.” In addition, the new guidelines from the automotive industry’s ISAC call for more transparent supply chains and increased involvement with third-party researchers. Lastly, Air Force chief information officer Lt. Gen. William Bender noted at a recent forum that the supply chain remains a concern that can span across many different companies.

“It’s not just primary vendors, it’s secondary, tertiary and even further down,” he said.

Having threat intelligence on those various partners, vendors and others who may indirectly affect an organization’s cybersecurity is more important than ever. As SurfWatch Labs’ Mid-Year Risk Report concluded, “The effects of cybercrime continue to ripple outwards – affecting those in the supply chain and beyond.” 

Cyber-Insurance, Threat Intelligence and the Wendy’s Breach: Interview with Larry Bowman

Data breaches and other cyber threats have plagued businesses over the past decade, often resulting in a long and expensive recovery process. Luckily for businesses, cyber-insurance can help alleviate some of the financial burden of these cyber-attacks.

“If you were to Google top ten losses due to data breaches in 2015 you would start off with a low of about $46 million for the Home Depot, move into the hundreds of millions with Anthem and Target, and as you get closer to Epsilon you get into the hundred to a billion mark,” said Larry Bowman, Director at Kane Russell Coleman and Logan PC. “The Veteran’s Administration hack was valued at about $500 million. These totals are for notification costs, response, cleaning up the computer system, implementing changes to increase encryption and security protection in the system. But, this does not take into account the loss of business and revenue.”

We had a chance to speak with Bowman about cyber-insurance: what is it, what it covers, and how threat intelligence fits into the equation. Bowman also provides some insight on the current Wendy’s point-of-sale data breach. Our conversation follows.

To kick things off, can you explain what cyber-insurance is and what exactly it covers?

To explain cyber-insurance, it’s helpful to first start with a brief explanation of traditional insurance and then explain the difference between it and cyber-insurance. Traditionally, insurance is for tangible property – such as if you own a home, business, or rent space. You insure property against the risk of loss, and that property is typically tangible property. So, you’ll see language in first-party property insurance – which is insurance industry lingo for like your homeowner’s policy – that is set up to protect you from that. The core insuring agreement – in exchange for premium money – insures the risk of loss which is usually defined in terms as direct physical loss to tangible property.

Secondly, there is a form of insurance called liability insurance. The industry acronym for it is CGL – commercial general liability insurance. And once again, if you act negligently – you being the insured – and you cause damage to some third party’s tangible property, your liability insurance will indemnify you for your legal obligation, which will then indemnify the people you hurt for the damage that you caused to their property.

Along comes hacking and cybercrime and data breaches. The people who are victimized by these third-party attacks make claims to their property insurance coverage. In most instances, whether it is a claim submitted under a traditional property or liability insurance policy, the courts look at these policies’ language and say there is no coverage because there is no loss to direct tangible property. This doesn’t exist in the virtual world of data and data breaches. There have been some cases where damage has been done to a computer system that looks like it is physical damage. Stuxnet is a great example of how a computer program can damage tangible property. In those cases, traditional policies may cover an insured’s losses. The bottom line is though, with the outlying cases aside, most cases say for there to be property or liability insurance coverage you have to have physical damage to tangible property, and that doesn’t exist when the insured has lost electronic data.

The losses from companies who suffer a data breach and the lack of insurance from the traditional market created a market for cyber-insurance. What has happened over the last few years has been the development of specialty insurance products designed to insure against the losses companies face when their computer systems or data is breached or hacked. These policies operate like traditional property or liability policies. But, there is no longer a requirement to have direct physical loss to tangible property. Cyber-insurance policies cover things like the cost of notifications to people affected by a data breach, the cost of hiring security professionals and lawyers to deal with the situation, and the cost of government compliance. It may or may not cover lost revenues or profits. Of course, the scope of coverage is specific to the policy itself.

What are some of the problems with the cyber-insurance industry?

There are a couple problems the insurance industry currently faces. First, the industry only has about a decade of experience in covering cyber losses – which isn’t a lot of time in the historical knowledge-base of the insurance industry – that makes pricing policies difficult. However, that is a problem in the process of being solved because the quantifiers are coming up with increasingly better models and formulas to allow an insurance company to set up a policy and price it accordingly. The insurance companies like certainty; they like probability. As time goes by and as data improves, this will be easier and easier to do – within reason.

The second problem is the lack of a consensus standard of care for data protection; although there are numerous proposed standards and guidelines for data protection – such as NIST’s cybersecurity framework. What I am talking about here is that it is nice to know what the rules are. The SEC, FDIC, and FTC have all pronounced in the last couple of years that they think cybersecurity is a board of directors-level issue that requires hands-on knowledge and attention and an effective remedy at the board of high management level. When you fill in the blanks, there are conflicting messages about what a board should do to enable reasonable cyber protections.

At SurfWatch Labs, we believe that robust security features such as firewalls and antivirus software are paramount to a well-rounded cybersecurity strategy. Perhaps just as important, we believe cyber threat intelligence – knowing what threats are out there and knowing how to proceed with security – is just as important. Some of the problems you mentioned with cyber-insurance is a lack of understanding around reasonable cyber protections. Do you believe cyber threat intelligence is a logical step in solving that issue?

As part of the initial application for cyber-insurance a lot of insurance companies will require the company applying for insurance to fill out a detailed form describing what its current cybersecurity policies are. I don’t know if those forms require cyber threat intelligence, but that would be a source of beneficial information. And it may be something that insurance companies should require from insurance applicants.

Are companies utilizing cyber-insurance to protect their assets in case of a data breach?

If you were to Google the amounts spent on cyber-insurance it started out small, but it really started to get off the ground with these well-publicized data breaches. In a few years, this is going to be a multi-billion dollar market. As a matter of fact, I believe it is already up to the billion-dollar mark already, and it is expected to get to about $5 billion by 2020. As the consensus standard gets better defined, using due diligence to protect your company’s assets and customer’s assets is certainly going to be a part of liability cyber-insurance coverage.

I would love to get your take on the current events tied to the Wendy’s data breach. It seems like the number of restaurants affected by point-of-sale malware increases every week.

The loss to Wendy’s is similar to the Target loss. The bad guys have gotten control of point-of-sale information, which means they have people’s credit card information. So what is the exposure to Wendy’s? Wendy’s gets sued by multiple customers who are saying they failed to implement reasonable measures and allowed our payment card information to be obtained by these hackers.

Now, their insurance policy will define what out-of-pocket costs are covered. That’s part of the fun right now is defining what those costs are. Some of those costs are driven by state and federal laws – like notification. If you are a retail company in possession of thousands of credit cards and those cards are obtained by a third-party, you have to notify all of those people about the event.

It’s not just notification costs; it’s everything that is done to investigate the data breach. They might have to pay experts, lawyers, and pay for forensic measures to make sure a breach doesn’t happen again. There may be costs with complying with regulatory action or government investigations. Those are just some of the out-of-pocket costs from the breach. Who knows, maybe people won’t trust Wendy’s anymore with their credit card information and consumers may simply avoid the restaurant.

Podcast: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 76: Pokemon Go Tops Cybercrime Targets, GOP Unveils Cyber Platform and Other Risk Trends:

The popular Pokemon Go was this week’s top trending cybercrime target following several incidents including DDoS attacks that disrupted service. DDoS attacks against the U.S. Congress, Philippines Government and WikiLeaks also made news. Data breach announcements include more than 130 stores being impacted by Cici’s Pizza’s point-of-sale breach, Asiana Airlines having 47,000 documents containing customer information stolen, and 2 million users being impacted by a hack at Ubuntu Forums. On the advisory front, SurfWatch Labs released its Mid-Year 2016 Cyber Trends report, Adobe Flash is back in the news, a Stagefright-like vulnerability is affecting Apple devices, and legitimate remote administration software is being used to spread banking malware. The GOP led the way on the legal side of cybercrime as the party unveiled its official platform, including cyber. Oregon Health & Science University was fined $2.7 million. The Department of Commerce will soon begin accepting self-certifications for the EU-U.S. Privacy Shield. The St. Louis Cardinals hacking case wrapped up with a 46-month prison sentence. The alleged operator of Kickass Torrents was also arrested this week. Lastly, Pokemon Go is leading many people to get hurt in strange ways.

Download the Mid-Year 2016 Cyber Trends report from SurfWatch Labs: info.surfwatchlabs.com/cyber-threat-…eport-1h-2016

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

DDoS Attacks Trending Over the Last 30 Days

DDoS attacks are growing in size and sophistication, says a new report from Arbor Networks, and those attacks have continued to impact a variety of organizations over the past few weeks.

According to Arbor Networks, a current average-sized DDoS attack of about 1 Gbps is capable of taking down almost any organization’s server. The average attack size in the first half of 2016 was 986 Mbps, a 30% increase over 2015. It is projected that the average size of a DDoS attack will reach 1.15 Gbps by the end of 2016.

Some highlights from the report include:

  • An average of 124,000 DDoS events per week over the last 18 months.
  • A 73% increase in peak attack size over 2015, to 579 Gbps.
  • 274 attacks over 100 Gbps monitored in the first half of 2016 compared to 223 throughout all of 2015.
  • 46 attacks over 200 Gbps monitored in the first half of 2016 compared to 16 throughout all of 2015.
  • The U.S., France and Great Britain are the top targets for attacks over 10 Gbps.

Lastly, reflection amplification attacks have continued to grow in popularity. The majority of larger DDoS attacks utilize this technique, using attack vectors such as DNS servers. Because of this, DNS was the most used protocol in 2016, taking over from NTP and SSDP in 2015, according to the report. The highest recorded reflection amplification attack size during the first half of 2016 was 480 Gbps.
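From the target’s side, a reflection amplification attack shows up as a flood of large UDP “responses” from DNS, NTP or SSDP service ports, sent by hosts the target never queried (the attacker spoofs the target’s address in the queries, so the reflectors answer the target). The following added example, not from the Arbor Networks report or SurfWatch Labs, shows that check over constructed flow records; the tuple format, the protected address and the thresholds are assumptions for the example.

```python
"""Spot reflection/amplification DDoS traffic in edge flow records.

Added example, not from the Arbor Networks report or SurfWatch Labs.
Works on simplified UDP flow tuples constructed for illustration.
"""
from collections import defaultdict

# Service ports commonly abused as reflectors (DNS, NTP and SSDP are the
# protocols the report names). The mapping is an assumption for the example.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 1900: "SSDP"}

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, bytes).
# 192.0.2.10 is the protected server.  The first pair is a legitimate DNS
# lookup and its answer; the rest are unsolicited 'answers' from hosts the
# server never queried, with the oversized payloads amplification produces.
SAMPLE_FLOWS = [
    ("192.0.2.10", 51000, "198.51.100.53", 53, 70),
    ("198.51.100.53", 53, "192.0.2.10", 51000, 190),
    ("203.0.113.1", 53, "192.0.2.10", 80, 3800),
    ("203.0.113.2", 53, "192.0.2.10", 80, 3900),
    ("203.0.113.3", 53, "192.0.2.10", 80, 4000),
    ("203.0.113.4", 53, "192.0.2.10", 80, 3700),
    ("203.0.113.5", 123, "192.0.2.10", 80, 4400),
    ("203.0.113.6", 1900, "192.0.2.10", 80, 2900),
    ("203.0.113.7", 53, "192.0.2.10", 80, 3950),
    ("203.0.113.8", 53, "192.0.2.10", 80, 4100),
]


def amplification_report(flows, victim, min_reflectors=5, min_ratio=10.0):
    """Per reflector protocol, compare bytes arriving from the service port
    with bytes the victim itself sent to that port.  A reflection attack
    shows up as many peers answering queries the victim never made, and as a
    response-to-query byte ratio far above what real lookups produce."""
    sent = defaultdict(int)      # (peer_ip, service_port) -> bytes victim sent
    received = defaultdict(int)  # (peer_ip, service_port) -> bytes victim got
    for src, sport, dst, dport, nbytes in flows:
        if src == victim and dport in REFLECTOR_PORTS:
            sent[(dst, dport)] += nbytes
        elif dst == victim and sport in REFLECTOR_PORTS:
            received[(src, sport)] += nbytes

    report = {}
    for port, name in REFLECTOR_PORTS.items():
        peers = [k for k in received if k[1] == port]
        # a peer is 'unsolicited' if the victim never sent it a query
        unsolicited = [k for k in peers if sent.get(k, 0) == 0]
        bytes_in = sum(received[k] for k in peers)
        bytes_out = sum(v for k, v in sent.items() if k[1] == port)
        ratio = round(bytes_in / bytes_out, 1) if bytes_out else None
        report[name] = {
            "reflectors": len(peers),
            "unsolicited": len(unsolicited),
            "bytes_in": bytes_in,
            "bytes_out": bytes_out,
            "ratio": ratio,
            "suspicious": len(unsolicited) >= min_reflectors
                          or (ratio is not None and ratio >= min_ratio),
        }
    return report


if __name__ == "__main__":
    for name, row in amplification_report(SAMPLE_FLOWS, "192.0.2.10").items():
        print(name, row)
```

Because the queries carry a spoofed source, the addresses the victim sees are the open reflectors, not the attacker; the practical use of the report is to hand the affected service ports and byte volumes to the upstream provider for filtering or rate limiting, and to confirm the organization’s own resolvers and NTP servers are not answering the world.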

DDoS attacks have been conducted for monetary gain, notoriety, retaliation, and even for personal pleasure.

Trending DDoS Attacks

Over the last couple of weeks, many organizations have been targeted with DDoS attacks. The most talked about DDoS attack over the last 30 days is tied to the controversial and very popular Pokemon GO. A group called PoodleCorp claimed credit for the attack, with a motivation very similar to another infamous hacking group called Lizard Squad — they did it for the LULZ.

Not all the recent DDoS attacks were done for the LULZ, as many appear to be out of retaliation for past events. Here is a breakdown of some of the top trending DDoS attacks over the past 30 days.

Pokemon GO Server
On Saturday, July 16 a DDoS attack took down all Pokemon GO servers, which left many players unable to hunt for their Pokemon. The group behind the attack is a newer hacktivist group known as PoodleCorp. The servers were down for several hours before reestablishing a connection for players.

On July 18, the Pokemon servers were hit with another DDoS attack, this time from the group known as OurMine. The group said that “no one will be able to play this game till Pokemon Go contact us on our website to teach them how to protect it!”

On July 20, PoodleCorp announced plans for an upcoming attack against the Pokemon servers that is scheduled for August 1.

MIT
Security researchers have discovered more than 35 DDoS attacks targeting the Massachusetts Institute of Technology (MIT) so far in 2016. The attack vectors used in these campaigns involved devices vulnerable to reflection and amplification attacks and spoofed IP addresses. It appears the bulk of attacks were carried out using booter or stresser services. Stresser services are a concern for organizations and a driver of the proliferation of DDoS attacks, as the cost to utilize these services is often extremely low.

Philippines Government Websites
The Filipino government announced this week that 68 separate websites tied to the Philippines government were hit with DDoS attacks. The attacks started July 12 and carried over to the next few days.

It is believed that China is responsible for the attacks, as they coincided with a ruling by the Permanent Court of Arbitration in The Hague, Netherlands, that unanimously favored the Philippines over China. The ruling concerned newly created islands in the West Philippine Sea that China claimed even though those islands lie within the Philippines’ maritime territory.

Some of the government websites affected by the DDoS attacks were also defaced, signed with the words “Chinese Government.” There is no actual evidence at this time that China was behind the attacks, but it appears this is likely the case due to the extremely tense international relationship between the two countries.

Steemit
The social network Steemit announced on July 14 that an unknown attacker was able to hack into user accounts and steal the crypto-currency known as Steem Power and Steem Dollars. More than 260 users were affected by the attack, and about $85,000 of the crypto-currency was obtained.

In response to the attacks, Steemit fixed the issue and restored all stolen funds to the users. As soon as the company made this announcement, it was targeted with a DDoS attack. The attack did little to affect the social network, as the company used the attack as an opportunity to take down its servers for maintenance and other upgrades.

WikiLeaks
WikiLeaks servers suffered a DDoS attack last Monday that lasted through Wednesday. The DDoS attack appears to be in response to WikiLeaks’ announcement of an upcoming data dump belonging to Turkey’s biggest political party — AKP (Justice and Development Party).

The cache of data contained 300,000 emails and 500,000 documents that belonged to the party. The announcement came three days after the failed military coup in Turkey which saw the deaths of 208 people.

The DDoS attack prevented WikiLeaks from posting the information. As of July 20, WikiLeaks servers were back online and the data was released.

U.S. Congress Websites
The U.S. Congress website along with two related websites — the U.S. Library of Congress and the U.S. Copyright Office — were the victims of a DDoS attack that lasted for three days. The attack started with the Library of Congress website on the evening of July 17 and slowly enveloped the other websites over the next couple of days.

As of Wednesday the websites are up and running normally. It is not known who is behind the attack or what the motivation for the attack was.

Brazil
A Rio court in Brazil was the target of a DDoS attack perpetrated by Anonymous. The attack took place on Tuesday and only lasted a few hours. Anonymous attacked the Rio court for its decision to block the controversial WhatsApp throughout Brazil. The decision told ISPs to block the app, and Brazil’s five major ISP operators — Claro, Nextel, Oi, TIM, and Vivo — all complied with the order.

The tensions between WhatsApp and Brazil go back to February 2015, when WhatsApp was unable to help Brazilian law enforcement by decrypting messages sent over the service. Brazilian courts have fined and temporarily banned WhatsApp, arrested a Vice President of Facebook Latin America for being linked with the service, and now a permanent ban was put in place. However, following the Anonymous DDoS attack the Brazil court lifted the ban on WhatsApp.

Cybercrime is Increasingly Interconnected, Says New SurfWatch Labs Report

The first half of 2016 is over, and SurfWatch Labs analysts have spent the past few weeks sifting through the huge amount of cybercrime data we collected — totaling tens of thousands of CyberFacts across more than 3,400 industry targets — in order to identify threat intelligence trends to include in our mid-year 2016 report.

“If anything,” the report notes, “the stories behind these breaches seem to contradict the increasingly familiar spin that follows most incidents: ‘We were the victim of a sophisticated attack. The incident has been contained.’”

Download the full Mid-Year 2016 Cyber Trends Report

To the contrary, the data behind the year’s many incidents indicates many cyber-attacks are neither sophisticated nor isolated.

For example, this year’s top trending cybercrime target was LinkedIn. In May 2016 LinkedIn announced that a 2012 breach, which was believed to have been contained four years ago by resetting passwords on impacted accounts, was much larger than originally thought. An additional 100 million members were affected. Since that announcement, reports continue to surface of secondary organizations having their data stolen due to a combination of those now exposed LinkedIn passwords, widespread password reuse among employees, and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer.

To make matters worse, LinkedIn was just one of several massive credential dumps to make headlines — not to mention the numerous high-profile breaches affecting personal information or other sensitive data.

Trending Industry Targets Tied to Cybercrime in 1H 2016

SurfWatch Labs collected data on 3,488 industry targets tied to cybercrime in the first half of 2016. Of those, 1,934 industry targets were observed being discussed on the traditional web and 1,775 were observed on the dark web.

Malicious actors excel at taking one piece of information and leveraging it to perform further attacks, gain more information, and widen their reach. As we noted in May, this has led to many companies making headlines for data breaches — even though a breach may not have occurred. For example:

  • Music service Spotify had a list of user credentials posted to Pastebin that were collected from other data breaches. This led to a series of articles about the company “denying” a data breach.
  • China’s online shopping site Taobao had hackers use a database of previously stolen usernames and passwords to try to access over 20 million active accounts.
  • GitHub, Carbonite, Twitter, and more have all forced password resets for users after large-scale targeting of user accounts or lists of user credentials appeared on the dark web.
  • Other unnamed companies have confirmed to media outlets that sensitive information has been stolen recently due to password reuse attacks.

SurfWatch Labs’ data paints a picture of an increasingly connected cybercrime world where malicious actors leverage past successes to create new victims. The pool of compromised information widens; the effects of cybercrime ripple outwards.

However, those effects are largely dependent on industry sector and the types of information or resources that are attractive to different individuals, hacktivists, cybercriminal groups, and other malicious actors. SurfWatch Labs’ data so far this year reflects that fact.

Infected/exploited assets, service interruption and data stolen/leaked were the top trending effect categories overall in the first half of 2016, based on the percentage of CyberFacts that contained those tags.

For example, SurfWatch Labs’ report identifies infected/exploited assets as the top effect category overall, although it appeared in only 14% of entertainment and government-related CyberFacts. In those sectors, the majority of discussion was around account hijacks (37%) and service interruption (33%), respectively, as actors targeted social media accounts with large followings or hacktivists utilized defacement and DDoS attacks to spread their messages.

Similarly, the healthcare sector saw increased chatter around the financial loss and data altered/destroyed categories due to several high-profile ransomware attacks and warnings from various bodies about potential extortion attacks.

Other interesting data points and trends from the report include:

  • IT, global government, and consumer goods were the most targeted industries. Of all the CyberFacts analyzed, the information technology industry was hit the hardest in the first half of 2016. Microsoft was second behind LinkedIn as the top target. After IT, the government sector had the highest number of publicly discussed cybercrime targets, led by a breach at the Commission on Elections in the Philippines. The consumer goods sector made up the largest share of industry targets with information bought, sold, or otherwise discussed on the dark web.
  • Employee data is being targeted more often. Some organizations reported falling victim to scams targeting data such as W-2 information even though they were able to successfully identify and avoid other more traditional wire fraud scams. Malicious actors may be trying to take advantage of these “softer” targets in the human resources, bookkeeping, or auditing departments by performing attacks that are not as easily recognizable as large-dollar wire fraud attempts.
  • Point-of-sale chatter remains relatively low. Point-of-sale breaches are not making as many headlines, but breaches so far this year have proven that for many organizations the associated costs are as high or higher than they have ever been.
  • Ransomware and extortion threats continue to grow. The first half of 2016 saw a spike in ransomware and extortion-related tags as researchers, organizations, and government officials tried to deal with the growing and costly problem of data or services being held hostage for ransom.

For more threat intelligence trends, download the full Mid-Year 2016 Cyber Trends Report from SurfWatch Labs.

Costs of Data Breaches Rising, But It’s Not All Bad News

It should come as no surprise, but data breaches are costly for organizations. Each stolen record containing sensitive or confidential information costs an organization an average of $158, according to the 2016 Ponemon Cost of Data Breach Study released last month. That price more than doubles to $355 when looking at a highly regulated industry such as healthcare.

Those costs add up. The final tally for an average breach is now a whopping $4 million. That’s up from $3.79 million last year and a 29 percent increase in total costs since 2013.

Clearly, data breaches have a significant impact on business. In fact, the biggest financial consequence often comes in the form of lost customers, according to Ponemon. The findings confirm what other surveys have recently reported: consumers are increasingly unforgiving when it comes to data breaches, particularly younger generations.

A FICO survey found that 29 percent of millennials will close all accounts with a bank after a fraud incident. Not only will they take away their own business, a significant percentage will actively campaign against others using the bank. A quarter will turn to social media with negative posts, and more than a fifth will actively discourage their friends and families from using the services.

Can the C-Suite Make a Difference?

It’s not all bad news when it comes to cybercrime-related research though. In fact, The Economist Intelligence Unit recently found that certain types of organizations are having at least some success when it comes to fighting against the tidal wave of cyber-attacks. Making cybersecurity a priority at the top of an organization can have a significant impact on cyber risk.

According to the survey:

  • A proactive strategy backed by an engaged C-suite and board of directors reduced the growth of cyber-attacks and breaches by 53% over comparable firms.
  • This includes a 60% slower growth in hacking, a 47% slower growth in ransomware, and a 40% slower growth in malware attacks than their less successful counterparts.
  • Successful firms were also 56% more likely to maintain a standing board committee on cybersecurity.

Unfortunately, many organizations are either overwhelmed with low-level data and tasks, or they are unable to clearly articulate relevant threats to those executives. This leaves them more vulnerable to the various cyber threats facing their organizations — and the potential costs and other fallout associated with those incidents.

That’s why it’s crucial that those in the C-suite and on the board of directors have strategic threat intelligence — including dark web data on the cybercriminals themselves — provided in a clear, concise and ongoing manner. It is possible to stem the tide of cyber-attacks with a combination of the proper leadership, expertise and tools, but all too often those organizations are operating without a crucial piece of the puzzle — the high-level threat intelligence to help guide those decisions.

Taking Action with Threat Intelligence

Much has been written about the cybersecurity knowledge gap in the C-suite; however, that issue runs both ways. Earlier this year, ISACA released its State of Cybersecurity: Implications for 2016 report, and they found that respondents “overwhelmingly reported that the largest [skills] gap exists in cybersecurity and information security practitioners’ ability to understand the business.”

This is a crucial problem as security experts continue to hammer home the point that cybersecurity is no longer an IT problem, but a business one. Cybersecurity employees understanding business concerns and business executives understanding cybersecurity concerns isn’t just an aspiration, it’s a necessity for properly managing cyber risk.

That collaboration and understanding is at the heart of effective cyber threat intelligence.

Effective threat intelligence empowers those in the C-suite and board of directors with relevant and easy-to-comprehend information about the most important cyber threats impacting their business, their competitors and their supply chain. Effective threat intelligence also serves as a guidepost for those in IT to ensure that tactical defenses and resources are aligned with the most pressing business concerns.

In short, threat intelligence is a key component in getting away from the never-ending game of whack-a-mole that results from blindly chasing down the latest headline-grabbing cyber threats and instead operating with a more thoughtful, harmonious and strategic approach. It's applying the same combination of technical analysis and business insight that is commonplace in other key areas of the organization in order to achieve the biggest return on your cybersecurity investment.

It's no wonder then that organizations taking this approach are seeing the best results when it comes to reducing their overall cyber risk.

More Financial Institutions Fall Victim to SWIFT Attacks

In late June, reports surfaced of an unnamed Ukrainian bank having $10 million stolen, adding to the growing list of cyber-attacks leveraging SWIFT, the messaging system used by financial institutions around the world.

“At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars,” said the Information Systems Audit and Control Association (ISACA).

These SWIFT-related attacks often require significant time investment from cybercriminals, but the payouts can be substantial, including an $81 million theft from Bangladesh's central bank in February.

According to the Kyiv Post:

[ISACA] said that such hacks usually take months to complete. After breaking into a financial institution’s internal networks, hackers will take time to study the bank’s internal processes and controls. Then, using the knowledge and access they have gathered, the hackers will begin to submit fraudulent money orders to webs of offshore companies, allowing them to siphon off millions of dollars.

“The SWIFT case — it’s actually more in line with what’s happening right now, which we call multi-dimensional attacks because it involves many areas,” said ThetaRay CEO Mark Gazit, who was a guest on this week’s Cyber Chat podcast.

The attacks shed light on the trend of some cybercriminal groups moving beyond personal information and credit card theft. Instead, they are focusing on the institutions themselves and the potentially massive payouts that come along with a successful attack.

These groups are becoming smarter and often know the inner workings of banks, Gazit said.

“If you go to the dark web you can find the set of rules for banks in the United States, and some of the banks will have more than 10,000 rules. They’re all published.”

Growing Problem for Financial Organizations

Customers have an expectation of certain convenience features, and banks have to keep pace with those expectations in order to not lose business. The growing digital footprint makes those financial institutions much more susceptible to cybercrime, which is increasingly automated, Gazit said.

This means that cyber-attacks have more impact throughout organizations.

“It becomes a board issue, a CEO issue, a risk issue. Suddenly, it’s not just an issue that IT guys should deal with somewhere in back office rooms. It’s actually becoming something that relates the very core part of the business.”

On Monday, SWIFT announced that they were engaging with several security companies to assist the community by providing forensic investigations related to SWIFT products as well as providing anonymized intelligence data to help prevent future fraud.

Part of the problem around cybersecurity is that teams may be hampered by their past successes and failures, Gazit said.

“Existing organizations such as financial institutions, utility companies, they still have very good people that have extensive knowledge that is derived from the past, and sometimes past knowledge can be a curse when you try to prepare yourself against new attacks.”

He added, “I think that we’ll see more surprises, more attacks that nobody expected, more crime that people will be very much surprised how it happened or how it could happen.”

For more, listen to the full conversation with ThetaRay’s Mark Gazit about how financial sector attacks are evolving and what needs to be done to stay ahead of cybercriminals.


Startup Companies Claiming To Be “Non-Hackable”: Interview With Angel Investor Michael Barbera

While cyber-attacks continue to grow and evolve, some companies are claiming to be “non-hackable” – and they're often startups. The problem with this logic is that it is simply incorrect; all companies are potentially vulnerable to being hacked.

“Every organization can be hacked by a clever person with patience. I personally avoid all companies who say they are non-hackable.”

We had the opportunity to speak with Barbera about angel investing, how serious startup companies are taking cybersecurity, and what he is looking for a startup company to have in place in terms of cybersecurity before he invests.

Our edited conversation follows.

As an angel investor, when a startup company tells you that they are “non-hackable,” what is your initial reaction?

So, a cloud storage company comes up and says you can store your files with them. Those files are encrypted, and once it is on their server if it were to ever get hacked, the hacker would receive an encrypted file and it looks like a bunch of junk. That means nothing to me. If the US Army can get hacked, if the CIA can get hacked, so can your little company. Nothing is foolproof, so why are you going around and saying it is? I don’t think they can practice what they preach.

Do you think these startup companies are simply saying what you would want to hear, or are they ignorant and truly believe they are “non-hackable?”

I think there is a lot of ignorance, and I think these companies really believe that they have a product or service that is foolproof. I also think some say it as a marketing technique for non-tech savvy people. If you had a baby boomer generation target market, they don’t know much about IT, or the Internet and how it works. They can barely operate a Facebook account. So when they hear a service is “non-hackable,” they are more likely to use that service. So it might be a marketing technique for some companies.

Years ago, LifeLock had an actor or spokesman put their social security number on a commercial. He got hacked.

[Laughs] Well of course he did.

What is your overall view on how cybersecurity is evolving when you learn about these new companies?

It really changes based on each company’s business model and strategy. So when you have a startup dependent on their budget and their goals, IT and security may or may not be a big part of it. It all depends on what they are doing.

Say you have a small mom-and-pop shop that is selling goods from their brick-and-mortar store that is also selling on their website, their minimal requirement is to be PCI compliant. Their biggest concern is being hacked. In the larger scheme of things, hackers probably won't look at a smaller target like a mom-and-pop store. It might not be beneficial to them.

Other companies who do more stuff on the Internet have more of a liability to protect that information, so they need to take it more seriously.

Focusing on cybersecurity, when you are looking to invest in a company, what are you hoping to hear from them when making a decision to invest or not?

If it was anything more than being PCI compliant, I would want them to have an in-house IT specialist that could provide the services needed. If it is a smaller company needing to be PCI compliant, we can outsource that. It really goes toward the organizational services that they are working with. If they are working with people’s finances, then we are going to have to implement advanced security systems. If they are working with names, addresses, and they are PCI compliant, that is a different story. There are different levels, and it really goes back to business models.

What you have to understand is a lot of people – like small business owners – their everyday life is making a sale. On top of that, while they are sweeping they are supposed to do their books, their IT, and their taxes. A lot of people don’t think about [cybersecurity] until it is too late, and that is unfortunate.

Cybersecurity Rant – Security Marketers Misusing Terms

Let me start off by saying that I am a marketer. I’ve been in the cybersecurity space for roughly 10 years with multiple companies focusing on different aspects that can be bucketed under the following segments of the market: endpoint security, network security and threat intelligence. In every segment there are buzzwords that seem to take on a life of their own.

In threat intelligence there are a few that really do us a disservice. The two that I want to pick on are “real-time” and “actionable.” Let’s dissect these:

“Real-time” Threat Intelligence

When I see this, to me it's like nails on a chalkboard because “real-time” and “threat intelligence” cannot possibly go hand in hand. Threat intelligence requires analysis … by humans who have the expertise to do so. This does not and cannot happen in “real-time.” You can certainly get real-time information, but information and intelligence are not one and the same.

As my colleague Adam Meyer wrote in an article titled “Setting the Record Straight on Cyber Threat Intelligence,” information is unfiltered and unevaluated, available from many sources, and can be accurate/false, misleading and/or incomplete. Additionally, it may or may not be relevant to your business. The beauty of cyber threat intelligence is transforming all of that information into meaningful insights that drive better decision-making. That transformation process can be discussed in its own blog or collection of blogs, but the point I’m trying to make is that none of this is in “real-time.” I’m comfortable with near real-time because timeliness is an important attribute of intel … along with accuracy and relevancy.

“Actionable” Threat Intelligence

The word actionable isn’t bad, it’s just that we’ve overused it to the point it no longer means anything. Too many vendors equate information with actionable threat intelligence, but again, these are very different. A lot of information for you to research certainly creates lots of action, but is it actionable? To me, “actionable” means a decision can be made without requiring much, if any, additional research and analysis. If it is refined, final, actionable threat intelligence, all that prep work has been done and now you can make a sound risk management decision.

When I first joined SurfWatch Labs I had a friend who worked for an e-commerce business take me through a “day in the life” of how his company used threat intelligence. They took in a feed of low-level, tactical data and fed that into their SIEM, which spit out hundreds of alerts per day. The company had a team of analysts that would research each alert (which I was told could take as little as 20 minutes and sometimes up to a full day) and try to understand if they needed to worry about it and if so, how to deal with it. Every day this team of analysts had a lot of actions to take regarding their threat-related data. Just a few types of questions they needed to be able to answer:

  • What was the actual threat?
  • Was it relevant to their business and infrastructure?
  • What was the potential impact? Did it impact sensitive information/systems?
  • If it was relevant and important, then what steps and tools were necessary to mitigate this risk before it was too late?

Again, the information they received required lots of actions, but I would argue it wasn’t actionable intelligence at that point. Actionable intelligence takes that information and then runs analysis and correlation against the business profile where at the end there is a decision point and a method for addressing the risk. If you look at all the companies throwing around the term “actionable” I bet the majority provide an aspect of intelligence or a step in the direction of intelligence, but do not actually provide “actionable” intelligence.
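To make the distinction concrete, here is an added illustration in Python; it is not code from the original post or from SurfWatch Labs. It models the “day in the life” pipeline described above: a raw indicator feed (information) is correlated against a business profile (sector, deployed products, sensitive systems, and what the SIEM has already matched in local logs) so that each surviving item carries a priority, a relevance score and a decision a risk owner can act on, while stale and irrelevant items are dropped instead of becoming alerts. The feed entries, the profile, the indicator identifiers (such as `ADV-0001`) and the scoring weights are all constructed for the example and are not real data.

```python
"""Added example, not from the original post: turning a raw indicator feed into
decision-ready items by correlating it against a constructed business profile."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Indicator:
    ioc: str                                    # indicator value as shipped by the feed
    kind: str                                   # "ip", "domain", "advisory", "hash"
    confidence: int                             # 0-100, as reported by the feed
    sectors: set = field(default_factory=set)   # sectors the report says are targeted
    products: set = field(default_factory=set)  # software the report names
    first_seen: datetime = None                 # None when the feed gives no date


@dataclass
class BusinessProfile:
    sector: str
    tech_stack: set       # products actually deployed in this organization
    crown_jewels: dict    # product -> set of sensitive systems running it
    seen_internally: set  # IOCs the SIEM has already matched in local logs


def assess(ind, profile, now, max_age_days=30):
    """Correlate one indicator with the business. Returns None when it is noise."""
    # Timeliness: an indicator older than the window is not worth an analyst's time.
    if ind.first_seen is not None and now - ind.first_seen > timedelta(days=max_age_days):
        return None
    relevance = 0
    if profile.sector in ind.sectors:
        relevance += 1                          # our sector is being targeted
    deployed = ind.products & profile.tech_stack
    if deployed:
        relevance += 2                          # we run the affected software
    seen = ind.ioc in profile.seen_internally
    if seen:
        relevance += 3                          # it is already on our network
    if relevance == 0:
        return None                             # not relevant: drop, do not alert
    # Impact: does the exposure touch a sensitive system?
    exposed = set()
    for product in deployed:
        exposed |= profile.crown_jewels.get(product, set())
    # Decision point: the output is an action, not a pile of raw data to research.
    if seen:
        priority, decision = 1, "contain: isolate matching hosts and open an incident"
    elif exposed:
        priority, decision = 2, "patch or mitigate on the listed sensitive systems within SLA"
    elif deployed:
        priority, decision = 3, "patch in the normal cycle and add a detection rule"
    else:
        priority, decision = 4, "watch: load into the SIEM, no immediate action"
    return {
        "ioc": ind.ioc,
        "priority": priority,
        "score": round(relevance * ind.confidence / 100, 2),
        "exposed_systems": sorted(exposed),
        "decision": decision,
    }


def triage(feed, profile, now=None):
    """Return the decision-ready items, highest priority and score first."""
    now = now or datetime.now(timezone.utc)
    kept = [a for a in (assess(i, profile, now) for i in feed) if a is not None]
    kept.sort(key=lambda a: (a["priority"], -a["score"]))
    return kept


# Constructed sample data (not real indicators; 203.0.113.0/24 is a documentation range).
NOW = datetime(2016, 8, 1, tzinfo=timezone.utc)


def sample_feed():
    return [
        Indicator("203.0.113.7", "ip", 80, sectors={"retail"}, first_seen=NOW - timedelta(days=2)),
        Indicator("ADV-0001", "advisory", 90, sectors={"retail"}, products={"web-store"},
                  first_seen=NOW - timedelta(days=5)),
        Indicator("example.net", "domain", 95, sectors={"healthcare"}, first_seen=NOW),
        Indicator("sample-hash-0001", "hash", 40, sectors={"retail"}, first_seen=NOW - timedelta(days=1)),
        Indicator("198.51.100.9", "ip", 99, sectors={"retail"}, first_seen=NOW - timedelta(days=90)),
    ]


def sample_profile():
    return BusinessProfile(
        sector="retail",
        tech_stack={"web-store", "mail-gateway"},
        crown_jewels={"web-store": {"checkout-db"}},
        seen_internally={"203.0.113.7"},
    )


if __name__ == "__main__":
    for item in triage(sample_feed(), sample_profile(), NOW):
        print(item)
```

Of the five constructed feed entries, only three survive: the IP already seen internally becomes a priority-1 containment decision, the advisory against deployed software that fronts the checkout database becomes a priority-2 patching decision, and the sector-only hash is merely watched. The healthcare-targeted domain and the 90-day-old IP are dropped before anyone spends twenty minutes researching them, which is the difference the post draws between data that generates actions and intelligence that is actionable.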

OK, so why am I ranting about this? The above are just two of the more obvious examples where vendors are actively confusing the market and doing a disservice to customers trying to understand what threat intelligence is, what type of intelligence is right for them, and how to use it. Threat intelligence is not tangible like a firewall or some whiz-bang appliance, but if properly understood it can be extremely valuable to directing a cybersecurity program and reducing an organization's overall risk footprint.