Monitoring Your Digital Risk Footprint: Q&A with a Former CISO

The digital footprints of many organizations are expanding, and with that expansion comes more avenues of attack for cybercriminals to exploit. The past few years have seen organizations having to manage more devices, more social media channels, and more customer service features — in addition to the increased interconnection and sharing of data with partners, vendors, and various as-a-service tools.

That expanding level of presence is increasing the cyber risk facing organizations, said SurfWatch Labs chief security strategist Adam Meyer. Data breaches and service interruptions now often originate outside of an organization’s walls; nevertheless, it’s the connected organizations that tend to pay the biggest price.

“At the end of the day, if a third-party is supporting a major customer-centric business process, and they have a breach and your customers need to be notified — nine times out of ten it’s not that provider’s brand that’s going to get hammered,” Meyer said on the latest Cyber Chat Podcast. “It’s going to be your brand that has to deliver the bad news.”

That’s why organizations need to ensure that proper due diligence is in place around their whole digital risk footprint, Meyer said. In today’s environment that means having intelligence around events that may occur one or several steps down the digital supply chain — as well having a plan of action in place to respond to those threats as they arise.

On the Cyber Chat Podcast, Meyer discusses a variety of topics related to digital risk management, including:

  • How the digital footprints of organizations have changed over the past couple years.
  • Why IoT devices often bypass proper security management and what actions organizations should take in regards to those devices.
  • The problem of growing supply chains and how one breach can quickly spread to impact dozens of connected organizations.
  • How organizations should respond to the shifting landscape so that they can better manage their cyber risk.

Listen to the full Cyber Chat podcast below:

Weekly Cyber Risk Roundup: More W-2 Breaches and Upcoming GDPR Challenges Organizations

Stolen W-2 information was back in the news this week due to reports of another W-2 breach as well as new data from IRS officials on the threat. The latest breach involves TALX, an Equifax subsidiary that provides online payroll, HR and tax services. KrebsOnSecurity reported that an undisclosed number of customers were affected when malicious actors were able to gain access to employee accounts containing sensitive data.

2017-05-26_ITT.PNG

“TALX believes that the unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees’ pins (the password to the online account portal),” wrote an attorney in one breach notification letter. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected.”

The extent of the fraud perpetrated with the help of hacked TALX accounts is unclear, but that at least five organizations have received letters from Equifax about a series of incidents over the past year, Krebs reported. Those included defense contractor giant Northrop Grumman, staffing firm Allegis Group, Saint-Gobain Corp., Erickson Living, and the University of Louisville. In addition to those companies, an IRS official said that 870 organizations reported receiving a W-2 phishing email over the first four months of 2017, and about 200 of those companies lost data as a result. That was a significant rise from 2016’s numbers, which included about 100 reports and 50 confirmed breaches. The official said that the increase was driven by progress made against identity theft, which has pushed cybercriminals to need more personal data to able to impersonate taxpayers. As a result, there has been a shift towards targeting those in the payroll industry.

2017-05-26_ITTGroup

Other trending cybercrime events from the week include:

  • Men plead guilty to trade secret theft: A Chinese national has pleaded guilty to economic espionage and theft of a trade secret in relation to the theft of proprietary source code from his former employer, an unnamed U.S. company. As a developer, the man had access to a clustered file system developed and marketed by his employer as well as its underlying source code, the DOJ wrote. The man attempted to use the stolen source code to start a large-data storage technology company, according to communication he had with undercover officers. An engineer at a defense contractor has pleaded guilty to selling sensitive satellite information stolen from his employer to a person he believed to be an agent of a Russian intelligence service. In a series of meetings between February and July of 2016, the man sought and received thousands of dollars in cash payments for the trade secrets.
  • New data breaches announced: Williamson County Schools in Tennessee said that approximately 33,000 current and former WCS students had their usernames, encrypted passwords, and email addresses compromised due to a breach at third-party vendor Edmodo, a free classroom tool that allows students and teachers to share files and assignments. A data breach at the Florida Department of Agriculture and Consumer Services has exposed the names of 16,190 concealed weapon licensees as well as the Social Security numbers of 469 individuals. Approximately 3,000 individuals had their information compromised due to unauthorized access to a city computer in Stillwater, Oklahoma. UW Health said that 2,036 patients had their personal information compromised due to an unauthorized individual gaining access to an employee’s email account. The Canada Revenue Agency has fired an employee for improperly accessing the accounts of 1,302 taxpayers. A breach at Blackburn High School led to the theft of personal information of families, and that information was then used to send phishing emails to parents asking them to provide their payment card details.
  • Russia targeted Pentagon employees’ Twitter accounts: Russia sent more than 10,000 phishing messages to Defense Department officials with the goal of getting the officials to click a malicious link and, ultimately, gain control of their devices and Twitter accounts. The efforts took place after the 2016 presidential election and were disclosed in in a March report to U.S. counterintelligence officials investigating Russian interference efforts. The compromised accounts could have been used to spread false information, as has been done in the past by Russian hacking groups.
  • Hacking groups arrested: Twenty members of the Russian hacking group behind the Android Trojan “Cron” have been arrested. The group managed to infect over one million mobile devices and stole approximately $800,000 from Russian banks. Twenty-seven individuals tied to a series of ATM “Black Box” attacks across Europe have been arrested. A “Black Box” attack is a method of ATM jackpotting where criminals gain access to the ATM Top Box usually by drilling holes or melting in order to physically connect an unauthorized device that sends commands directly to the ATM cash dispenser in order to “cash-out” the ATM. Sixteen individuals have been arrested related to the theft of a copy of Baahubali 2 and subsequent ransom attempt from the movie’s producers, Arka Mediaworks Entertainment Ltd.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-05-26_ITTNew

Cyber Risk Trends From the Past Week

2017-05-26_RiskScoresIt is now less than one year until the EU General Data Protection Regulation (GDPR) goes into effect, yet some organizations are either unaware of the upcoming privacy changes or believe they will have issues meeting next year’s deadline, according to recent research.

The GDPR was approved by the EU parliament in April 2016, and the new regulation will be fully enforceable on May 25, 2018. Among the most talked about changes from the upcoming regulation is the increase in potential fines for data breaches. Breached organizations can be fined as much as 4% of their annual global turnover or €20 million, whichever is greater, when it comes to serious violations. Lesser violations are subject to half the maximum penalty — up to €10 million or 2% of turnover. As the NCC Group noted, those new numbers mean that last year’s ICO fines could have been 79 times higher: £69m rather than £880,500 in total.

“TalkTalk’s 2016 fine of £400,000 for security failings that allowed hackers to access customer data would rocket to £59m under GDPR,” The Register noted last month. “Fines given to small and medium-sized enterprises could have been catastrophic. For example, Pharmacy2U’s fine of £130,000 would balloon to £4.4m – a significant proportion of its revenues and potentially enough to put it out of business.”

It is important to note that the new regulations generally apply to any organization that offer of goods or services to individuals in the EU, so the GDPR has global implications. However, a recent study of 500 organizations in the UK, Germany, France, and the U.S. found that 75% of organizations indicated they will struggle to be ready for next year’s deadline. According to the Varonis survey, the top three challenges facing organizations around GDPR include:

  • Article 17 (“Right to be forgotten”), where they must discover and target specific data and automate removal when requested by the consumer
  • Article 30 (Records of processing activities), including identifying personal information on their systems, understanding who has access to it and who is accessing it, and knowing when this data can and should be deleted
  • Article 32 (Security of processing), which means ensuring least privilege access, implementing accountability via data owners, and providing reports that policies and processes

For organizations looking to learn more about preparing for GDPR, ICO has a 12-step guide available.

Weekly Cyber Risk Roundup: WannaCry Updates and Sensitive Leaks Continue

WannaCry remained as the week’s top trending cybercrime target as organizations continued to deal with the fallout from being infected and researchers uncovered more information on the ransomware. On Friday, a Kaspersky Lab researcher tweeted that machines running Windows 7 were the most impacted by WannaCry, accounting for more than 97 percent of total infections observed by the firm. Other firms observed Windows 7 infection rates as low as 67 percent; however, both numbers contradict the initial focus on outdated systems such as Windows XP, which Kaspersky dismissed as having an “insignificant” number of infections.

2017-05-19_ITT.PNG

As Reuters reported, computers running older versions such as Windows XP were individually vulnerable to attack, but they appear incapable of spreading infections and played a far smaller role in last week’s attack.

In addition, the past week saw a variety of manufacturers issue warnings about WannaCry potentially impacting their products. Siemens warned customers that some of its Healthineers products may be affected by the vulnerabilities exploited by WannaCry, and the Health Information Trust Alliance said that medical devices manufactured by Bayer were also vulnerable. Medical device manufacturer Becton, Dickinson and Company as well as Swiss robotics and automation firm Rockwell Automation and ABB also issued more general WannaCry advisories to their customers.

It is also worth noting that a small portion of WannaCry infections have been successfully decrypted. A French security researcher discovered a flaw in the WannaCry ransomware that allowed him to successfully decrypt several Windows XP computers using a tool called “WannaKey,” and a separate pair of French researchers then adapted the decryption tool to work for Windows 7 computers with a tool called “WannaKiwi.” If users left their computer untouched after the infection and did not reboot, they may be able to access parts of the memory and regenerate a key; however, the researcher warned it won’t work every time even in that situation.

2017-05-19_ITTGroup

Other trending cybercrime events from the week include:

  • Another large point-of-sale breach: A POS breach at Brooks Brothers locations lasted for more than a year and affected more than 300 locations, the company announced. Customers who made purchases at approximately 320 different Brooks Brothers and Brooks Brothers Outlet retail locations in the U.S. and Puerto Rico between April 4, 2016 and March 1, 2017, may have had their payment card data stolen. An unauthorized individual was able to gain access to and install POS malware on the stores’ POS systems, the company said. Online purchases were not impacted.
  • Hollywood targeted by extortionists: The upcoming Pirates of the Caribbean movie has been stolen by hackers who demanded “an enormous” amount of money in ransom to not release the movie. The Hollywood Reporter reported that talent agencies UTA, ICM, and WME have been targeted by hackers attempting to steal sensitive information, and the attacks are so common that their frequency has overwhelmed the FBI’s Los Angeles field office. At least one unnamed Hollywood company has paid a ransom. In addition, TheDarkOverlord said that more of the group’s previously stolen shows from Larson Studios will be released soon since “none of the affected parties has paid the ransom.”
  • Third-party breach leads to source code theft: The app maker Panic said the source code for several of its apps was stolen due to downloading a malware-infested version of HandBrake during a three-day window when that company was compromised and serving up a Trojanized update to its users. The attacker then sent an email demanding a large bitcoin ransom to prevent the release of the source code, but Panic did not pay that ransom. The company is warning its users to beware of any unofficial versions of their apps, as they will likely be versions using the company’s old code but with malware added.
  • Other notable cybercrime news: Zomato announced that 17 million user records were compromised by a grey-hat hacker. The font sharing website DaFont was hacked and the usernames, email addresses, and hashed passwords of 699,464 user accounts were stolen. Bell Canada said that a hacker managed to access the email addresses of approximately 1.9 million customers, and 1,700 customers also had their names and phone numbers accessed. The University of New Mexico Foundation is notifying approximately 23,000 donors, annuitants, foundation employees, and vendors that their personal and financial information may have been compromised. The Clinton County Board of Developmental Disabilities and Walnut Place announced they were the victims of ransomware attacks. The National University of Singapore and the Nanyang Technological University in Singapore were targeted by sophisticated hackers who broke into the school’s IT systems in an attempt to steal sensitive government and research data. A former employee of Carolina Neurosurgery & Spine Associates has been charged with selling the information of more than 150 patients to an identity thief for $10 each. United Airlines said that information regarding its flight deck access security procedures “may have been compromised” and that “some cockpit door access information may have been made public.” However, the possible public release of the security procedures was not due to a hack or data breach, CBS News reported.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-05-19_ITTNew

Cyber Risk Trends From the Past Week

2017-05-19_RiskScoresAs WannaCry continues to dominate cybercrime news, the past week saw even more leaks of government-created malware and promises of additional leaks to come in the future. WikiLeaks has continued to dump files allegedly stolen from the CIA, and TheShadowBrokers group has announced a new monthly service providing various data dumps and exploits to its customers.

WikiLeaks has dumped stolen CIA documents every Friday for the past eight weeks, and the two most recent dumps include:

  • AfterMidnight, which is a malware framework that “allows operators to dynamically load and execute malware payloads on a target machine” and “disguises as a self-persisting Windows Service DLL.”
  • Assassin, which is a malware framework similar to AfterMidnight that “is an automated implant that provides a simple collection platform on remote computers running the Microsoft Windows operating system.”
  • Athena, which “provides remote beacon and loader capabilities on target computers running the Microsoft Windows operating system (from Windows XP to Windows 10).”

In addition to the continuing leaks of sensitive CIA material from WikiLeaks, TheShadowBrokers is using the attention around WannaCry to promote a monthly exploit service that it is launching in June. TheShadowBrokers have previously dumped stolen exploits allegedly developed by the NSA, including the EternalBlue exploit recently leveraged by WannaCry.  “TheShadowBrokers Data Dump of the Month” service provides subscribers with various cybercrime tools and data for a monthly fee. According to TheShadowBrokers rambling blog post, these monthly dumps could include:

  • web browser, router, and handset exploits and tools
  • select items from newer Ops Disks, including newer exploits for Windows 10
  • compromised network data from more SWIFT providers and central banks
  • compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs

The group said that more details will be announced in June. It’s unclear if the group has more sensitive data and exploits they’re willing to publish, or if they are using their fifteen minutes of WannaCry fame in an attempt to generate some income. Either way, WannaCry serves as a reminder that organizations need to monitor the leak of government tools as they can cause serious damage when they fall into the wrong hands.

As WannaCry Spreads, Law Firm Reveals Separate Ransomware Cost Them $700,000

Businesses across the world are still recovering from last Friday’s outbreak of the WannaCry ransomware. On Monday, White House homeland security adviser Tom Bossert said that the ransomware had hit more than 300,000 computers, and security researchers have since detected several new versions of the malware — at least one of which doesn’t have the widely reported “kill switch” built in that has been used to slow the malware’s spread.

Much has been written about the effects of the ransomware on patients at NHS facilities, on downtime at factories, and on disrupted services at numerous other organizations. Various groups have estimated that the potential costs from the WannaCry outbreak may total between several hundred million and $4 billion.

The attention on WannaCry is deserved; however, there is a much smaller piece of ransomware news that emerged last month that highlights the devastating impact ransomware can have on a single organization. In a complaint filed in April against its insurer, the law firm Moses Afonso Ryan Ltd. (MAR) claims that a ransomware infection took more than three months to resolve, costing the firm more than $700,000 in lost billings.

“During the three months that the documents and information of MAR was held captive by the perpetrators of the ransomware attack, the attorneys of the firm were unproductive and unable to work at a reasonable efficiency,” the firm wrote in its complaint. “Year to year billing comparisons reveal a reduction of over $700,000 of billings for the three months of interruption.”

Dispute Over Insurance Policy Coverage

MAR is suing its insurer, Sentinel Insurance Company, claiming that the policy it purchased “is designed to protect MAR against precisely the type of loss it has now incurred as a result of the ransomware attack and interruption of its business.”  

Sentinel countered that it did, in fact, pay $20,000 in damages, but it denied the additional claim for the alleged lost “business income” as it exceeded what Sentinel believes are the limits of the policy.

Like the other insurance-related lawsuits — such as the Fourth Circuit ruling against Travelers Insurance in August 2016 — the dispute appears to revolve around the language of the policy and what specifically the policy covers when it comes to cybercrime.

“Sentinel admits that it has not paid for all of the losses MAR has claimed resulted from the ransomware attack it suffered, as certain of the losses claimed are not covered by the policy,” Sentinel argued in court documents. “The only coverage under the policy for loss or damage caused by a computer virus is under the Computers and Media Endorsement [section], which changes the policy to provide additional coverage [up to $20,000] for certain computer-related losses.”

Three Months to Resolve the Ransomware?

The lawsuit is yet another reminder that organizations need to ensure they know what their insurance policies cover in regards to cyber-attacks, but that is not the only cyber risk management lesson worth noting from the lawsuit. The court documents also revealed that it took several months for MAR to recover from the single ransomware incident — far more than the average of 42 hours that Ponemon found most ransomware victims spend.

2017-05-17_LawFirmRansomware.PNG
The process to recover encrypted documents and recreate lost ones took more than three months, MAR said.

The long recovery time was due to a variety of reasons, which the law firm outlined in its complaint:

  • In May 2016, a ransomware infection led to all of the documents and information stored on the MAR computer network being disabled and the computer network losing all functionality. MAR then hired security experts to fix the problem, but those experts were unable to gain access to the files.
  • In June 2016, the firm made contact with the attacker and negotiated a 13 bitcoin ransom. It took several days to purchase the bitcoins and pay the extortionist because the firm said they were unaware that new account holders could only purchase 2 bitcoins per day.
  • In July 2016, the firm had to re-establish communication with the attacker after discovering the decryption keys and tools it purchased did not work. A second bitcoin ransom was then negotiated and paid.
  • In August 2016, MAR had to recreate documents after discovering that it could not recover documents saved on a temporary server during the three months of business interruption.

All of this resulted due to a combination of events: an attorney at MAR clicking on an email attachment from an unknown source, a lack of proper backups and incident response plan to address a well-known security issue, and a malicious actor that took advantage of the situation by demanding multiple ransom payments.

MAR is just one example of a business that was unprepared for a ransomware attack, and numerous other organizations are likely experiencing similar issues this week. As Elliptic noted, WannaCry has generated over $80,000 in ransom payments since Friday.

2017-05-17_wannacry

However, organizations that decided to pay the WannaCry ransom were lucky that it only required a $300 or $600 payment depending on how quickly they acted. In addition, multiple researchers have reported that organizations were able to successfully restore their files after payment, even as law enforcement agencies have advised there are no guarantees when dealing with cybercriminals.

This is not the case for many ransomware victims. Some recent ransomware campaigns have been observed charging a full two bitcoin in ransom (around $3,700) for any infections, and some organizations have received targeted ransom demands totaling tens of thousands of dollars — and, in cases like MAR, the decryption keys purchased at those inflated prices may not even work.

Hopefully, WannaCry will help push organizations towards better understanding, preparation, and incident response around ransomware since the problem is not going away any time soon.

Weekly Cyber Risk Roundup: WannaCrypt Spreads and Trump Signs Executive Order

The week’s top cybercrime event was the spread of WannaCrypt ransomware, which managed to infect tens of thousands of computers on Friday. The attack affected NHS hospitals and facilities in England and Scotland, Telefonica and Gas Natural in Spain, FedEx in the U.S., and numerous other organizations — largely across Asia and Europe.

2017-05-12_ITT.PNGBy Saturday researchers reported more than 126,000 detections of the ransomware across 104 countries. The number of infections may have been worse, but the security researcher MalwareTech managed to halt the spread of the malware by purchasing a domain name, which essentially triggered a “kill switch.” MalwareTech explained why the ransomware had this design:

“I believe [the attackers] were trying to query an intentionally unregistered domain which would appear registered in certain sandbox environments, then once they see the domain responding, they know they’re in a sandbox [and] the malware exits to prevent further analysis. This technique isn’t unprecedented and is actually used by the Necurs trojan … however, because WannaCrypt used a single hardcoded domain, my [registration] of it caused all infections globally to believe they were inside a sandbox and exit.”

WannaCrypt leverages an allegedly NSA-derived exploit called “EternalBlue” that was made public by TheShadowBrokers last month. Microsoft has patched the flaw (MS17-010), but Friday’s events made it clear that many organizations have yet to apply that patch. Microsoft also announced that it is taking “the highly unusual step” of providing a security update for Windows XP, Windows 8, and Windows Server 2003 to help protect its customers from the threat. Organizations should patch immediately. As MalwareTech noted on Sunday, the last version of WannaCrypt was stoppable, but the next version will likely remove that flaw.

2017-05-12_ITTGroups

Other trending cybercrime events from the week include:

  • Third-party providers lead to breaches: Hackers managed to gain access to the stem files of Lady Gaga last December by sending spear phishing messages to executives at September Management, a music management business, and Cherrytree Music Company, a management and record company. Debenhams Flowers said that 26,000 website customers had their data compromised due to malware stealing their payment details from Ecomnova, a third-party e-commerce company. The email addresses and usernames of individuals who used the dating website Guardian Soulmates were exposed by a third-party service provider, resulting in members of the site receiving explicit spam emails.
  • Malicious actors sell and leak stolen data: A dark web vendor using the handle “nclay” claims to have 77 million records stolen from social learning platform Edmodo and is attempting to sell them on the dark web for just over $1000. The data allegedly includes usernames, email addresses, and passwords that are hashed with bcrypt and salted. Malicious actors leaked 9GB of internal documents from the campaign staff of France’s President-elect Emmanuel Macron in the days prior to the country’s election. A group known as “TuftsLeaks” published financial information belonging to Tufts University, including department budgets, the salaries of thousands of staff and faculty, and the ID numbers of student employees.
  • Healthcare organizations expose data: Patients of Bronx-Lebanon Hospital Center had their sensitive health and personal information exposed to the internet due to a misconfigured rsync backup managed by IHealth Innovations. The records and files from a number of departments were publicly accessible and viewable, including cardiology, surgery, pulmonology, psychiatry, and neurosurgery. A flaw in the website of True Health Diagnostics allowed users to view the medical records of other patients by modifying a single digit in the PDF link to their own records. Diamond Institute for Infertility and Menopause in New Jersey said that 14,633 patients had their data exposed due to an unknown individual gaining access to the third-party server in February 2017.
  • Other notable cybercrime news: An internet-connected backup drive used by New York University’s Institute for Mathematics and Advanced Supercomputing contained hundreds of pages of documents detailing an advanced code-breaking machine that had never before been described in public. The project was a joint supercomputing initiative administered by NYU, the Department of Defense, and IBM. A California court has found a former private security officer guilty of hacking into the servers of Security Specialists, his former employer, to steal data on customers; delete information such as archived emails, server files, and databases; deface the company website; steal proprietary software; and set up a rival business that used the stolen software. The incident occurred after the employee was fired in 2014 for logging into the payroll database with administrative credentials in order to pad his hours. Confluence Charter Schools is warning parents and staff that a hack of network servers has impacted email, phones, SISFIN, its financial system, and its student information system Infinite Campus and that the “breach has caused some files to be unrecoverable.”

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-05-12_ITTNew

Cyber Risk Trends From the Past Week

2017-05-12_RiskScoresOn Thursday, President Donald Trump issued an executive order on strengthening the cybersecurity of federal networks and critical infrastructure. The order includes a variety of mostly reporting requirements designed to protect federal networks, update outdated systems, and direct agency heads to work together “so that we view our federal I.T. as one enterprise network,” said Trump’s homeland security advisor Tom Bossert.

The order also requires  the heads of federal agencies to use The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST) to assess and manage their agency’s cyber risk. Each agency must submit a risk management report to the Secretary of Homeland Security and the Director of the Office of Management and Budget (OMB) within 90 days that outlines their plan to implement the framework. The director of OMB and other supporting officials will then have 60 days to review the reports and pass along information to the president regarding a plan to align budgetary needs, policies, guidelines, and standards with the NIST framework. The Obama administration had previously encouraged the private sector to adopt the NIST framework, but government agencies were never required to follow it — until now.

“It is something that we have asked the private sector to implement, and not forced upon ourselves,” Bossert said at the daily White House press briefing on Thursday. “From this point forward, departments and agencies shall practice what we preach and implement that same NIST framework for risk management and risk reduction.”

The order also includes reporting regarding critical infrastructure, which builds upon the order issued by Obama in 2013, and reporting on “strategic options for deterring adversaries and better protecting the American people from cyber threats.”

As many media outlets have reported, the executive order has received a mostly positive response from the cybersecurity community; however, it is largely a continuation of the cybersecurity policy under previous administrations and has received some criticism for being more focused on reporting than actions.

Preparedness & Cyber Risk Reduction Part One: Introduction to the Preparedness Cycle

Bad things happen. Whether we’re dealing with our personal or professional business, life seems to always have a variety of bumps and obstacles that pop up in our path. We should anticipate that these disruptions will arise and prepare ourselves to move through them as successfully and efficiently as possible while minimizing the impacts the disruptions cause. In dealing with the wide spectrum of threats that can cause operational disruptions to our organizations – regardless of whether they are health or natural catastrophes, terrorists or cybercrime – a key part of successfully overcoming the impacts of incidents is taking the time to properly prepare. Preparedness can be defined as a continuous cycle of planning, organizing, training, equipping, exercising, evaluating, and taking corrective actions to support effective incident response.

In today’s cyber threat environment, it seems many organizations are struggling to determine how to mitigate the array of cyber threats and associated risks they are facing. In a fast paced, frequently changing environment, one could be overwhelmed trying to determine how to prepare for and respond to the attacks and incidents that could arise. But alas! There is hope! While the Preparedness Cycle is often thought of in relation to “traditional” threats – hurricanes, explosives and earthquakes, for example – it is just as valid an approach to take in confronting cyber threats and works just as well to reduce the associated risks and impacts of such events.

But let’s back up. Threats, risks – what are we talking about? Malware, ransomware, cyberattacks, phishing, whaling (did you say whaling?), espionage, insider threats, denial of service, social media… what am I going to do with all these threats?! Or are they risks?

Let’s start with lexicon. Terms matter. So, let’s start with some basic definitions. I like references because then I can blame someone else for the typos… in 2010, the Department of Homeland Security’s Risk Steering Committee developed the “DHS Risk Lexicon” providing sound definitions for a number of key terms. Let’s look at the two most fundamental: Threats and Risks.

  • Threat is defined as a “natural or man-made occurrence, individual, entity, or action that has or indicates the potential to harm life, information, operations, the environment, and/or property.”
  • Risk is defined as the “potential for an unwanted outcome resulting from an incident, event, or occurrence, as determined by its likelihood and the associated consequences.”

As we try to understand our cyber threat environment, we have to gain an appreciation for the many occurrences, individuals, and entities that have the potential to cause harm. This can be developed in a number of ways and the means by which we gain a sound understanding of the threat environment and how to conduct a risk assessment could be entire blog series’ of their own. For today, we’ll just assume you’re maintaining threat awareness via great resources like SurfWatch Labs’ and Gate 15’s blogs and Twitter feeds … and that you’ve then assessed those threats in relation to your organizational interests and that you’ve developed a prioritized assessment of your risks.

No organization is able to specifically address every threat and risk, nor to address them all as thoroughly as we’d like. By prioritizing our risks, and recognizing that you only have limited time and resources to work with, you can then find ways to “get the most bang for the buck” in determining how to approach preparedness activities. Some risks, you will choose to simply accept. Some will get addressed via insurance. Others will be addressed by using the Preparedness Cycle and a deliberate process of planning, training, organizing and equipping, exercising and evaluating and improving. In the next few installments of this blog series, we’ll take a look at each one of these parts of the Cycle and ways you can progressively reduce your cyber risk via proper preparedness.

Weekly Cyber Risk Roundup: TheDarkOverlord Returns and Multiple Attacks Circumvent 2FA

TheDarkOverlord was back in the news this week due to leaking data from multiple companies after failed extortion attempts. The most prominent leak involved Netflix, which had the first 10 episodes of the fifth season of its show Orange is the New Black leaked after it refused to cave to the actor’s ransom demands. The group also claims to have unreleased shows from ABC, Fox, National Geographic, and IFC. Media outlets reported that the shows appear to have been stolen from post-production studio Larson Studios in late 2016.

2017-05-05_ITT.PNG

It’s unclear exactly how much TheDarkOverlord demanded from Netflix to not release the episodes, but the actor once again framed its response to the failed extortion attempt by trying to appeal to future victims, essentially arguing that paying up will cost them a lot less money than having their data released.

“It didn’t have to be this way, Netflix,” the actor wrote in a post on April 29. “We figured a pragmatic business such as yourselves would see and understand the benefits of cooperating with a reasonable and merciful entity like ourselves. … And to the [other networks]: there’s still time to save yourselves. Our offer(s) are still on the table — for now.”

TheDarkOverlord has not yet released episodes allegedly stolen from other networks. However, three healthcare providers had data dumped by the actor on May 4. Aesthetic Dentistry in New York City and OC Gastrocare in California were both hacked last year by TheDarkOverlord, databreaches.net reported, and their dumps from last week contained 3,496 patient records and 34,100 patient records, respectively. The third dump was the biggest, containing more than 142,000 patient records allegedly stolen from Tampa Bay Surgery Center.

That large dump appears to be tied to a previously undisclosed breach, and TheDarkOverlord tweeted that the “clinic didn’t do anything wrong except annoy us.” That annoyance likely stemmed from the fact that the center did not cave to the group’s ransom demands, just like numerous other organizations targeted over the past year.

2017-05-05_ITTGroup

Other trending cybercrime events from the week include:

  • Payment card breaches continue: Sabre announced that it is investigating a data breach after discovering “unauthorized access to payment information contained in a subset of hotel reservations processed through our Hospitality Solutions SynXis Central Reservations system.” More than 32,000 properties use Sabre’s SynXis reservations system, which is described as an inventory management Software-as-a-Service application. Sabre told customers that the unauthorized access has been “shut off” and that there are not any additional details to share at this time.
  • Numerous ransomware infections reported: An April 22 ransomware infection at electronic health records vendor Greenway Health disrupted services to 400 client organizations using the vendor’s Intergy cloud-hosted platform, and half of those customers were still waiting to have a full EHR services restored on Monday, May 1. Pekin Community High School’s computer systems were infected with ransomware, and the actor demanded $37,000 in order to restore the encrypted files. Ransomware infected the computer systems of Cambrian College in Ontario and demanded a $54,000 payment. The school’s web portals, grade report, and student learning management systems were disrupted, and final grades and spring semester registration had to be postponed for several days. The law firm Moses Afonso Ryan Ltd was infected with ransomware last year that demanded a $25,000 ransom payment, and after paying a negotiated ransom payment the firm then had to renegotiate an additional payment when the first key purchased to decrypt the documents did not work.
  • Large amounts of data exposed: Around 135 million Aadhaar ID numbers and around 100 million bank account numbers have been leaked from four Indian government portals, according to a report released by The Centre for Internet and Society. The four government portals examined in the report include: National Social Assistance Programme, National Rural Employment Guarantee Act, Daily Online Payment Reports under NREGA, and Chandranna Bima Scheme. Data belonging to Alliance Direct Lending Corporation was found publicly available online and as a result at least 550,000 customers have had their personal information exposed. According to MacKeeper, the leaked data contained 124 files (with five to ten thousands records each) that contained financing records broken down by dealerships as well as 20 audio recordings of customers agreeing to auto loans or refinancing of auto loans.
  • Other notable cybercrime news: Retina-X Studios announced that in February 2017 a malicious actor was able to break into a server that held database tables for its Net Orbit, PhoneSheriff, and TeenShield products, and the actor then wiped “any data that he was able to force access to.” According to the company, the actor was able to find a vulnerability in a decompiled and decrypted version of a now-discontinued product in order to achieve the unauthorized access. Grey Eagle Resort & Casino in Calgary has had an additional 1.7 GB of data dumped, and the hackers behind the dump indicated that the data would be uploaded to torrent sites “soon” and that more data dumps would follow in the coming weeks. The casino initially had data released by hackers in January, and the new dump appears to include more data that was stolen prior to the first leak.

SurfWatch Labs collected data on many different companies tied to cybercrime over the past week. Some of those “newly seen” targets, meaning they either appeared in SurfWatch Labs’ data for the first time or else reappeared after being absent for several weeks, are shown in the chart below.

2017-05-05_ITTNew

Cyber Risk Trends From the Past Week

2017-05-05_RiskScoresSeveral recent cybercrime events have proven that although two-factor authentication is an effective way to prevent fraudulent transactions, malicious actors are focusing their efforts on ways to defeat that increasingly popular layer of security.

German newspaper Süddeutsche Zeitung reported that customers of O2-Telefonica had funds removed from their bank accounts due to malicious actors exploiting a flaw in  Signalling System No. 7 (SS7) — which is used by telecom companies around the world use to ensure their networks interoperate — in order to intercept the text message authentication codes sent to customers and then use those codes to successfully steal funds from customers’ bank accounts. The attack was carried out from the network of an unnamed “foreign provider,” and one expert told the German paper that  insider access could be bought for as little as €1000 in order to carry out similar attacks.

The flaw in SS7 has been known since 2014, and in 2015 60 Minutes aired a segment in which researchers demonstrated how U.S. Representative Ted Lieu’s phone messages and conversations could be intercepted. Lieu said the recent theft is yet another example of the insecurity of text-based, two factor authentication:

“Everyone’s accounts protected by text-based two-factor authentication, such as bank accounts, are potentially at risk until the FCC and telecom industry fix the devastating SS7 security flaw. Both the FCC and telecom industry have been aware that hackers can acquire our text messages and phone conversations just knowing our cell phone number. It is unacceptable the FCC and telecom industry have not acted sooner to protect our privacy and financial security. I urge the Republican-controlled Congress to hold immediate hearings on this issue.”

In addition, the UK’s National Fraud & Cyber Crime Reporting Centre is warning that malicious actors are continuing to use “SIM splitting” attacks to take control of victims’ phone numbers, authenticate transactions, and steal money from bank accounts. Like the SS7-based attacks, malicious actors first gain access to the victim’s bank accounts via phishing, malware, or cybercriminal markets — but in this case the actors then successfully report their phone lost or stolen in order to active the SIM card on a new phone and intercept communications. The fraudsters then transfer money from the victim’s account to a parallel business account they opened, and when the bank calls or texts to verify the transactions, they are in control of the victim’s phone number and can confirm the fraudulent transactions. In both cases, malicious actors have proven that they can successfully circumvent two-factor authentication with a little extra legwork.