Podcast: Massive Myspace Hack, Cryptoworm Warnings and Breach Lawsuits Continue

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 72: Massive Myspace Hack, Cryptoworm Warnings and Breach Lawsuits Continue:

This week saw more news about password breaches as 427 million Myspace passwords and 65 million Tumblr passwords were put up for sale on the dark web. Scrum.org announced a potential data breach stemming from a vulnerability in third-party email server software. TeamViewer faced a DDoS attack and what the company claims are false accusations that it suffered a data breach. Australia’s NSW Trainlink halted its online reservation system due to a compromise. Pakistan’s Zameen real estate was hacked and had its entire database allegedly posted online. Trending advisories include warnings of a potential cryptoworm known as ZCrypt, the dormant FrameworkPOS campaign resurfacing, and Kovter malware targeting Fortune 500 companies by escalating from low-level adware to more advanced threats. The FBI also warned of data breach victims being extorted, and there was a vulnerability discovered in the popular WordPress Jetpack plugin. Legal stories include developments in the Anthem, CareFirst and Kroger breach lawsuits as well as warnings from the UK’s IOC and the largest ever arrest of Russian hackers. Finally, one apartment complex found a controversial new way to get Facebook likes.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Vulnerability Management: False Confidence, the Remediation Gap and Other Challenges

Organizations believe their vulnerability management programs are more mature than they really are, and the time it takes to remediate vulnerabilities remains an issue for many businesses, according to several reports.

A SANS whitepaper, What Are Their Vulnerabilities?: A SANS Survey on Continuous Monitoring, concluded that security practitioners are overconfident in their current state of continuous monitoring:

… survey results starkly illustrate that we are approaching a dangerous state in which we believe we have appropriately addressed problems, though we have, in fact, not adequately remediated them—therefore unknowingly leaving a window of opportunity open for attackers.

“Each of the questions taken on their own – there’s nothing really major that’s unsound. But looking at those questions together is very interesting,” said David Hoelzer, SANS Fellow Instructor, author of the paper, and founder and CISO of CyberDefense, the parent company of Enclave Forensics.

“More than half of these [organizations] are saying that they are mature or maturing. They say that, but then when we look at the coverage of assets … no one is even willing to say that they are covering 100% of their publicly exposed systems.”

Hoelzer, who was a guest on our vulnerability management podcast last October, said that gap in perception is a cause of concern.

“I would not define what we’re seeing in that report as anything like mature,” he said. “It seems as though our criteria or the bar we’re trying to reach is not high enough.”

Closing the Remediation Gap

One of the biggest challenges around vulnerability management is the time it takes organizations to remediate those vulnerabilities, or the remediation gap.

According to a 2015 Kenna Security report, The Remediation Gap: Why Companies Are Losing the Battle Against Non-targeted Attacks, even “conservative” estimates found that the window of opportunity for many exploits remains significant:

  • On average, it takes businesses 100-120 days to remediate vulnerabilities.
  • At 40-60 days, the probability of a vulnerability being exploited reaches over 90 percent – indicating that most successfully exploited vulnerabilities are likely to be exploited in the first 60 days.
  • The gap between being likely exploited and closing a vulnerability is around 60 days.

“The gap that we’re looking at is getting much bigger, and I think that is happening because attackers are getting really, really good at automated attacks,” said Kenna Security’s senior data scientist Michael Roytman, who was also featured on the podcast.

Old Vulnerabilities, New Problems

According to Roytman, enterprises often have a huge backlog of vulnerabilities. That “security debt” is one of the primary reasons for the remediation gap. In addition, it can be difficult to know which of those vulnerabilities are actually being exploited.

For example, attackers continue to exploit old vulnerabilities, as pointed out in the report:

  1. CVE-2010-3055 was exploited 121,000 times in 2014. It allows attackers to run arbitrary code in phpmyadmin via a POST request, and phpmyadmin runs millions of sites worldwide. It’s a CVSS 7.5, which means it’s bound to fly under the radar more often than not. But it shouldn’t.
  2. CVE-2002-0649 is an ancient worm that exploits SQL Server 2000 and Microsoft Desktop Engine 2000. Reading the Wikipedia article on the worm makes it seem like it’s a long forgotten problem, but we witnessed 156,000 successful exploitations in 2014. It’s not new, it’s not hip, it’s not current, so no one talks about it – but it’s a significant threat.
  3. CVE-2000-1209 is also not to be forgotten, with 272,000 successful exploitations. It exploits Microsoft SQL Server 2000, SQL Server 7.0, and Data Engine (MSDE) 1.0, including third party packages that use these products such as Tumbleweed Secure Mail (MMS), Compaq Insight Manager, and Visio 2000.

The report concluded: “These vulnerabilities are not new – in fact, they’re extremely old – and yet they perfectly represent the kind of unremediated vulnerabilities that automated attacks attempt to find. They’re the windows that the criminals rattle around and try to pry open.”

“Huge Opportunity” for Threat Intelligence

Integrating threat intelligence into vulnerability management is a recent development, Roytman said, as the data available now wasn’t available five or ten years ago. But threat intel can help provide the biggest bang for the buck in terms of deciding which of the potentially thousands of actions an organization should take first.

“What’s surprising to me is the lack of information about what is being exploited,” Roytman said. “Integrating those data sources, disseminating that knowledge, is something that can really shorten the remediation gap, and it was surprising to me to see how many enterprises don’t have that information integrated.”

He added: “We’re kind of at this crossroads where the data is flowing in, but maybe we’re not integrating it into our vulnerability management practices, and that’s a huge opportunity.”

You can listen to our previous podcast on vulnerability management below for more information:

About the Podcast:
This special episode is all about the challenges and issues around vulnerability management. David Hoelzer – SANS Fellow Instructor, dean of faculty for the SANS Technology Institute, and founder and CISO of CyberDefense, the parent company of Enclave Forensics – discusses the recent SANS survey and whitepaper “What Are Their Vulnerabilities?: A SANS Survey on Continuous Monitoring.” Among the findings is that “we are approaching a dangerous state” where companies believe they are doing better than they are – leaving a window of opportunity for attackers.

Kenna Security’s senior data scientist Michael Roytman also joins the podcast to discuss their recent report, “The Remediation Gap: Why Companies Are Losing the Battle Against Non-targeted Attacks.” The report estimated that most companies take an average of 100-120 days to remediate vulnerabilities. We chat about the state of vulnerability management, the challenges facing organizations, and what businesses can do to improve on that front.

Podcast: Big Names Get Breached, Malware Evolves and Court Questions Data Sharing

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 71: Big Names Get Breached, Malware Evolves and Court Questions Data Sharing:

This week’s trending cybercrime events include breaches at the NBA’s Milwaukee Bucks and the furry site “Fur Affinity,” a two-year cyber-espionage campaign against Swiss military contractor Ruag, payment card skimmers found at Walmart, and DDoS-for-hire services found on the online marketplace Fiverr. Researchers discussed several new types of malware including a stealthy new malware dubbed “Furtim,” a new variant of Cerber ransomware, and changes to DMA Locker – which is being upgraded for a potential “massive” distribution. On the legal front, the transfer of data between the U.S. and the EU continues to be questioned in court, Wells Fargo was ordered to pay a $1.1 million fine related to employee data theft, another W-2-related breach lawsuit was filed, and various individuals were arrested and cybercriminal groups disrupted. Also, people continue to get in trouble by hacking road signs.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

Top Dark Web Markets: AlphaBay and Stolen Credentials

Dark web markets are constantly changing. The last major shakeup to occur was the disappearance of the Nucleus Market, which has been offline for nearly a month and a half. Since then, the site’s users have flocked to other markets in search of an alternative.

Many of those users have transitioned to AlphaBay, the current king of dark web markets. AlphaBay was the most popular marketplace before Nucleus Market disappeared. Since then it has only grown more popular.

[Image: AlphaBay_May2016_2]
A vendor selling hacked bank account logins on AlphaBay.

A similar surge happened in March 2015 after the administrators of the dark web marketplace Evolution shut down and stole users’ bitcoins in an “exit scam.” In the three days following Evolution’s disappearance, AlphaBay received 18,000 new registrations, said alpha02, a well-known carder and founder of the AlphaBay market. A few months later another major dark web market, Agora, announced it was shutting down due to security issues. Once again, AlphaBay membership surged. By October 2015 AlphaBay announced it had hit 200,000 users and become one of the most popular markets on the dark web.

That growth has continued. In early January there were approximately 12,500 fraud-related listings. Today there are close to 20,000.

How Does AlphaBay Work?

As we noted last month, there are a lot of misconceptions about the dark web, and it is not hard for the average person to find these websites and purchase illicit goods and services. However, the markets are also full of law enforcement, researchers conducting threat intelligence (like SurfWatch Labs), and scammers. As a result, those buying and selling items tend to be concerned about two things: anonymity and security.

  1. Anonymity when purchasing: The combination of tools such as Tor, which helps users anonymously access the markets, and the growth of virtual currencies, which helps users anonymously purchase illegal items, has helped dark web markets such as AlphaBay flourish.
  2. Security among thieves: AlphaBay offers multi-signature escrow to help protect buyers from getting scammed. Money is deposited into a wallet with three people having keys: the buyer, the seller and the market. Two of those keys are needed to approve payment. If the buyer is happy, he or she releases the key and the seller is paid. If there is a dispute, the moderator can approve payment and give the second key to the seller — or deny payment and give the key to the buyer.

In addition, in just the past few months AlphaBay has rolled out mandatory two-factor authentication for vendors as well as a detailed privacy policy — the first dark web market ever to do such a thing, it claims.

Many markets try to emulate the customer-friendly features seen on popular e-commerce sites such as Amazon or eBay. In the case of AlphaBay, there is both a “Vendor Level,” which is based on number of sales and amount sold, and a “Trust Level,” which is based on the level of activity within the community as well as feedback from users. In addition, buyers can view feedback in the forms of reviews and star ratings.

[Image: AlphaBayFeedback_edited]
Seller ratings on AlphaBay.

The key takeaway for those unfamiliar with these cybercriminal markets is that it is not that different an experience from buying things via the normal web.

What’s for Sale on AlphaBay?

Being the most popular dark web market, AlphaBay offers nearly every type of item or service for sale. Drugs are the most common type of item — as is true of most markets. SurfWatch Labs doesn’t collect data on every listing, instead focusing mainly on cybercrime-related items. Of those, credentials trade is the top trending practice tag over the past 30 days.

[Image: 2016-05-24_alphabay_practices]
Although all types of items are for sale on AlphaBay, credentials trade is the top trending practice tag over the past month, according to SurfWatch Labs.

Credentials trade includes logins for various services and financial institutions. Those credentials can then be used for fraud, as a stepping stone for further attacks, or simply to use legitimate services such as Netflix or Uber for free. 

Specific items related to credential theft for sale the past few weeks include …

Credentials to access various credit card accounts or the information to answer associated security questions:

[Image: creditcardlogins.jpg]

Credentials that can be bought in bulk such as this list of 10,000 German email addresses and passwords:

[Image: germanemail.jpg]

Credentials for customer accounts at various restaurants and coffee shops, including some that have payment information connected to “auto-reload” the account whenever the balance gets low enough:

[Image: restaurants.jpg]

Credentials for reward accounts from airlines and other retailers that can be redeemed for various goods and services:

[Image: rewardspoints.jpg]

Credentials for hacked websites such as WordPress blogs:

[Image: wordpress.jpg]

Full profiles — which include names, email, passwords, phone numbers, Social Security numbers, dates of birth and more — basically, everything needed to set up an account, apply for credit or perform other fraudulent actions:

[Image: fullz.jpg]

And credentials for many, many more accounts.

Where do all of these stolen credentials come from? They come from data breaches, malware that captures keystrokes, phishing and, as we noted earlier this week, the problem of people continuing to reuse passwords across multiple sites, which allows automated tools to use those giant lists of previously stolen credentials to gain access to other sites.

Of course, AlphaBay offers a plethora of other items for sale unrelated to stolen credentials, and we’ll touch on some of those in the coming weeks as we examine the other dark web markets. Those top markets tend to change due to exit scams, security concerns or law enforcement actions, but for now AlphaBay remains the king of the underground.

Credential Theft and the Problem of Non-Breach ‘Breaches’

Earlier this month, news outlets across the country reported on the latest mammoth list of stolen credentials — 272 million in total.

“It is one of the biggest stashes of stolen credentials to be uncovered since cyber attacks hit major U.S. banks and retailers two years ago,” Reuters reported.

Turns out, the total number of actual accounts affected is much, much less — a representative for Google put the total number of bogus Google accounts at 98% — however, the story does bring a crucial cybersecurity point back to the forefront: stolen credentials and the collateral damage they cause. Companies are continually finding themselves in the news for data breaches that aren’t really breaches at all.

For example, this year we’ve seen:

  • Spotify had a list of user credentials posted to Pastebin, leading to a spate of articles about the company “denying” a data breach. “Spotify has not been hacked and our user records are secure,” the company repeatedly told reporters and bloggers.
  • China’s online shopping site Taobao had hackers use a database of previously stolen usernames and passwords to try to access over 20 million active accounts. “Alibaba’s system was never breached,” a spokesperson noted.
  • Reddit recently had more than 100 subreddits defaced when a hacker went on a spree of taking over moderator accounts. The Register speculated that it was “possible the hacker is testing breached passwords against the accounts to pop weak or reused credentials.”

In nearly every case, along with the negative — and some may argue unfair — breach-related headlines, a spokesperson steps up to say the same thing: we weren’t breached and the theft is likely due to customers reusing credentials that were stolen elsewhere.

Verizon’s recent Data Breach Investigations Report highlighted the issue as well: 63% of confirmed data breaches involved weak, default or stolen passwords. The report authors noted, “The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works.”

As we repeatedly see, the reuse of stolen credentials puts many companies in the unfavorable position of having to deny a data breach happened — even as customer accounts are getting taken over.

Easy-to-Use Tools

Automated tools have made it easy for cybercriminals to take these massive lists of stolen credentials — such as the list of over 100 million LinkedIn credentials — and test those credentials against popular websites until they find cases of password reuse.

How often does that work? It varies depending on who you ask, but Shape Security recently wrote about its experience examining one of the popular tools used in these “credential stuffing” attacks.

“We have found that most combo lists have a 1% to 2% success rate, meaning that if an attacker purchases a list from a breach on site A (or a combination of site breaches) and then uses Sentry MBA (or another credential stuffing tool) with that list to attack site B, 1% to 2% of the usernames and passwords from site A will work on site B,” wrote Shape Security chief security scientist Xinran Wang.

One percent may not seem like much, but as Wang points out, if an attacker has a list of one million credentials, they may be able to hijack 10,000 accounts on any popular website using these readily available tools.

In some cases, this amounts to a massive number of fraudulent logins. According to Shape Security researchers, over a one week period last December, attackers made five million log-in attempts at the website of a Fortune 100 company using the Sentry MBA tool.
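The pattern Shape Security describes is visible on the defending side in login logs: one source trying many different usernames with a success rate in the low single digits, which is unlike a real user retrying their own password. The following is an added example (not code from the post or from Shape Security) that scores constructed sample log lines that way and lists the accounts the stuffing source actually got into, which are the ones that warrant a forced reset; the log format and thresholds are assumptions.

```python
"""Flag credential-stuffing sources in web login logs (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field


def build_sample_log() -> str:
    """Constructed sample: one source sprays 40 distinct usernames from a
    combo list and gets exactly one hit (2.5%); a second source is a
    legitimate user retrying their own password."""
    lines = []
    for i in range(40):
        outcome = "OK" if i == 17 else "FAIL"
        lines.append(f"2015-12-07T10:00:{i % 60:02d}Z 203.0.113.7 "
                     f"user{i:03d}@example.com {outcome}")
    lines += [
        "2015-12-07T10:01:05Z 198.51.100.4 erin@example.com FAIL",
        "2015-12-07T10:01:12Z 198.51.100.4 erin@example.com FAIL",
        "2015-12-07T10:01:30Z 198.51.100.4 erin@example.com OK",
    ]
    return "\n".join(lines)


@dataclass
class SourceStats:
    attempts: int = 0
    successes: int = 0
    users: set = field(default_factory=set)      # every username tried
    hits: set = field(default_factory=set)       # usernames that succeeded


def parse_line(line: str):
    """Assumed log format: '<timestamp> <source ip> <username> <OK|FAIL>'."""
    ts, ip, user, outcome = line.split()
    return ts, ip, user, outcome == "OK"


def collect(log_text: str) -> dict:
    """Aggregate per-source attempt counts, distinct usernames and hits."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, ip, user, ok = parse_line(line)
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes += 1
            s.hits.add(user)
    return stats


def flag_stuffing(stats: dict, min_attempts: int = 10,
                  min_distinct_ratio: float = 0.8,
                  max_success_rate: float = 0.05) -> dict:
    """Return sources whose pattern looks list-driven: enough volume, almost
    every attempt against a different username, and a success rate in the
    1-2% range Shape Security reports rather than a user's own retries."""
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        distinct_ratio = len(s.users) / s.attempts
        success_rate = s.successes / s.attempts
        if distinct_ratio >= min_distinct_ratio and success_rate <= max_success_rate:
            flagged[ip] = {
                "attempts": s.attempts,
                "distinct_users": len(s.users),
                "success_rate": round(success_rate, 4),
                # accounts to force-reset and notify
                "compromised_accounts": sorted(s.hits),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in flag_stuffing(collect(build_sample_log())).items():
        print(ip, info)
```

In production the same aggregation would run per source network or per rotating-proxy fingerprint, since stuffing tools spread attempts across many IPs; the per-IP version here only shows the logic.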

That’s why some of these recent legitimate breaches have been so widely criticized. The companies in question often are not taking into account the potential collateral damage.

Big Breaches and Collateral Damage

Last month security researcher Troy Hunt reported that over seven million user accounts for the Minecraft community “Lifeboat” were compromised. According to Motherboard, Lifeboat didn’t bother telling its users about the potential issue — and how it may affect other accounts with similar credentials.

“When this happened [in] early January we figured the best thing for our players was to quietly force a password reset without letting the hackers know they had limited time to act,” said a Lifeboat representative, not clarifying to Motherboard when pressed why the company never informed its users. “We have not received any reports of anyone being damaged by this.”

But would they know if someone used those stolen credentials to log into someone’s email or social media or bank account?

Likewise, Brian Krebs recently criticized LinkedIn’s handling of its massive breach of user credentials. In 2012, LinkedIn discovered a data breach that it thought affected 6.5 million users. The company contacted those users to force a password reset. However, last week they discovered the breach actually impacted more than 117 million accounts.

“Inexplicably, LinkedIn’s response to the most recent breach is to repeat the mistake it made with the original breach, by once again forcing a password reset for only a subset of its users,” Krebs wrote.

“We did at the time what we thought was in the best interest of our member base as a whole, trying to balance security for those with passwords that were compromised while not disrupting the LinkedIn experience for those who didn’t appear impacted,” LinkedIn spokesman Hani Durzy said in an email to Krebs about the 2012 incident.

But what about the more than 100 million potentially compromised credentials that may have been used for years without users even being aware they may have been stolen?

Looking Forward

There will always be a subset of users that reuse credentials, and those users will always be at increased risk of their accounts being hijacked. Unfortunately for companies, their names are often associated with a data breach or a hack even if it is an event driven largely by a combination of other organizations’ breaches and bad password habits.

Implementing additional layers of security such as two-factor authentication can help protect those customers. Or organizations can follow the lead of proactive companies like Amazon, which recently reset some users’ passwords after finding a list of leaked credentials online.

“While the list was not Amazon-related, we know that many customers reuse their passwords on multiple websites,” Amazon wrote to impacted users. “Since we believe your email addresses and passwords were on the list, we have assigned a temporary password to your Amazon.com account out of an abundance of caution.”

Until organizations get more proactive or force users to implement more layers of security, with so many stolen credentials available to cybercriminals, expect organizations to continue to make negative headlines due to these “non-breach breaches.”

Podcast: Hackers Get Hacked, SWIFT Attacks and a Ruling from the Supreme Court

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 70: Hackers Get Hacked, SWIFT Attacks and a Ruling from the Supreme Court:

The hacker forum Nulled.io was breached and the sensitive information of its members was made publicly available. SWIFT warned of more attacks against banks at the same time the Anonymous OpIcarus campaign hit more financial sector targets. LinkedIn discovered its 2012 breach was much bigger than previously thought. And a couple of researchers upset OkCupid by publishing data on 70,000 of the dating site’s users. This week’s advisories included more developments in the cat-and-mouse game around the CryptXXX ransomware, an alert on an old SAP vulnerability, an Android banking Trojan and click-fraud botnet, and more PayPal phishing scams. This week also saw a highly anticipated Supreme Court ruling on a privacy-related class action lawsuit, the continuation of financial institutions’ lawsuit against Home Depot, and a new lawsuit around a breach of W-2 information at aircraft maintenance company Haeco. A judge also ruled the FBI did not have to disclose a vulnerability in the Firefox browser, and the U.S. saw its first conviction in the hack of newswires that generated $100 million in profit. Also, the LinkedIn breach revealed another round of terrible password habits.

Listen to the podcast via the player below, or learn more about SurfWatch Labs’ podcasts on our podcast page.

What Can We Learn About Social Engineering From Impersonation?

With organizations losing billions of dollars due to business email compromise scams and thousands of employees having their W-2 information sent to criminals each week, it can be easy to think, “How can people be so dumb and keep falling for these same tricks?”

When it comes to socially engineering an employee, most people think of email phishing — and last week we discussed some ways to defend against those threats — but I think the best way to truly understand those cyber threats is to first remove those technology aspects and look at one of the oldest cons around: impersonation.

I love a good impersonation story. Don a disguise. Create a good backstory. Trick some people into doing something they shouldn’t.

It makes for great drama.

Unsurprisingly, when researching how businesses are being compromised by social engineers, nearly all of my favorite examples involved the tactic. Impersonation stories are important because they highlight how simple and effective techniques can be used to lead to a major compromise at an organization.

For example, Christopher Hadnagy, CEO of Social Engineer, Inc., recounted on our social engineering podcast how two ticket-less fans were able to watch the Super Bowl from $25,000 seats by sneaking into the event with a group of first aid workers and then simply acting “super confident.”

Likewise, Chris Blow, a senior advisor at Rook Security, likes to pretend to be an exterminator to test a company’s security. In one instance, he was thwarted by a well-trained receptionist who noticed the con; however, all he had to do was drive around back and find more “helpful” employees — who then let him into sensitive areas where he could access a variety of valuable information.

They Literally Handed Him Their Money

My favorite social engineering story occurred decades before email became popular and everyone learned of the term “phishing.” It was done by conman turned FBI consultant Frank Abagnale, who claims to have duped dozens of individuals into handing him their businesses’ money simply by posing as a security guard.

As the story goes, Abagnale noticed how car rental companies would deposit their money in an airport drop box each night, so he bought a security guard outfit and put a sign over the drop box saying “Out of service, place deposits with security guard on duty.”

According to his autobiography, he stood there amazed as people handed him a total of $62,800.

You may hear that story and wonder why all of those people would trust some random guy with a sign. But is that any different than the cybersecurity pros today who are dumbfounded when a person gives their password to an “IT guy” over the phone? Or when an employee hands over their credentials because an email told them to do so?

Simple, effective scams work, have always worked, and when done in person by a skilled social engineer, can be even more effective.

Defending Against Social Engineering

What can we learn from these impersonators?

For one, social engineering is very effective, which is why the FBI and others are warning of a dramatic increase in business email compromise (BEC) scams. From October 2013 through February 2016, from just this one type of social engineering, there were more than $2.3 billion in losses across 17,600 victims.

Scam artists understand precisely how easy it can be to dupe people, and the same techniques are used in social engineering via phishing and phone. The story above is one of my favorites because Abagnale combines three of those common tactics in one scam: a simple backstory, appearing as though he belongs, and projecting authority.

  1. A Simple Backstory — Whether in person, over the phone or via email, scammers will have all sorts of stories that prey on people’s desire to help. Those handling sensitive information such as W-2 information should always be skeptical about who they are sharing that information with and why, but that is often not enough. Having clear policies for employees to fall back on and procedures for sharing sensitive information can help ensure an employee does not get duped due to their desire to be helpful.
  2. Appearing as Though They Belong — As the FBI noted in a BEC warning, it’s important to know the habits of customers, coworkers and vendors and to beware of any significant changes. A person may appear as though they belong by impersonating those who have legitimate access. In some BEC attacks, the malicious actors compromised email accounts and waited for weeks or months to learn the communication habits before attempting their scam. Employees should be encouraged to report any suspicious activity and be continuously trained so that the front line of defense is armed to look out for the latest and most relevant social engineering threats.
  3. Projecting Authority — The impersonation of authority figures is a large reason for the billions of dollars being lost to these social engineering scams. Even if a call or email appears to come from the CEO or another senior figure, be wary of any request to disclose data or grant access. Authenticating important requests through several channels, such as both email and phone, can help to prevent many social engineering attempts.

People want to be helpful. They tend to trust others. Good social engineers exploit those tendencies. The influx of technology has only expanded the reach of scam artists; the techniques remain the same. If an organization and its employees understand why social engineering works, then it’s much easier to combat some of those common tactics and keep the business safe.

Will Your Internal Sharing of Data Cause a Breach?

On May 4 the United Kingdom’s Information Commissioner’s Office (ICO) announced a £185,000 fine against a health trust for inadvertently publishing the personal details of 6,574 staff members on its website.

Blackpool Teaching Hospitals NHS Foundation Trust is required to post annual equality and diversity metrics. Unfortunately, the published spreadsheets contained “hidden data.” Simply double-clicking on the posted tables revealed the sensitive information behind them. This included employees’ names, pay scales, National Insurance numbers and dates of birth as well as other volunteered information such as ‘disabled’ status, ethnicity, religious belief and sexual orientation.

The incident is just one of many examples of data breaches resulting from the inappropriate sharing of data within an organization. In fact, the ICO recently published a guide about how to safely disclose information due to a string of similar incidents.

One of the drivers behind those breaches is business intelligence moving away from a locked-down, data-silo approach and back towards the freewheeling, self-serving nature of the early 1990s as tools like Tableau empower analysts, said Datawatch chief product officer Jon Pilkington, who was a guest on this week’s Cyber Chat podcast.

In its monetary penalty notice to Blackpool Teaching Hospitals NHS Foundation Trust, the ICO noted that the trust:

  1. Did not have any procedure governing requests for information around electronic staff records
  2. Did not provide the team with training on the functionality of the Excel spreadsheets
  3. Had no guidance in place for the web services team to check those spreadsheets for hidden data before making them public
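The third gap in the ICO’s notice, no check for hidden data before publication, is one a web team can automate. An .xlsx file is a zip of XML parts, so the added example below (not code from the post, the ICO or the trust) uses only the Python standard library to look for the places data hides behind a rendered table: sheets marked hidden or very hidden, hidden rows and columns, pivot caches that store their source records (what double-clicking a pivot table expands), and embedded objects. The workbook it scans is constructed in memory for the demo.

```python
"""Pre-publication scan of an .xlsx for data not visible in the tables."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}
REL_NS = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
WORKBOOK = "xl/workbook.xml"
TRUE_VALUES = ("1", "true")


def build_sample_xlsx() -> bytes:
    """Constructed workbook: a visible summary sheet with one hidden column
    and one hidden row, a hidden sheet of staff records, and a pivot cache
    that keeps its source data inside the file."""
    workbook = (
        f'<workbook xmlns="{NS["m"]}" xmlns:r="{REL_NS}"><sheets>'
        '<sheet name="Equality Summary" sheetId="1" r:id="rId1"/>'
        '<sheet name="Staff Records" sheetId="2" state="hidden" r:id="rId2"/>'
        '</sheets></workbook>')
    summary = (
        f'<worksheet xmlns="{NS["m"]}">'
        '<cols><col min="3" max="3" hidden="1"/></cols><sheetData>'
        '<row r="1"><c r="A1" t="str"><v>Pay band</v></c></row>'
        '<row r="5" hidden="1"><c r="A5" t="str"><v>NI number</v></c></row>'
        '</sheetData></worksheet>')
    staff = f'<worksheet xmlns="{NS["m"]}"><sheetData/></worksheet>'
    cache = f'<pivotCacheDefinition xmlns="{NS["m"]}" saveData="1"/>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(WORKBOOK, workbook)
        z.writestr("xl/worksheets/sheet1.xml", summary)
        z.writestr("xl/worksheets/sheet2.xml", staff)
        z.writestr("xl/pivotCache/pivotCacheDefinition1.xml", cache)
    return buf.getvalue()


def scan_xlsx(data: bytes) -> dict:
    """Return every finding that would carry unseen data into a publication."""
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {},
                "pivot_caches": [], "embeddings": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        wb = ET.fromstring(z.read(WORKBOOK))
        for sheet in wb.findall("m:sheets/m:sheet", NS):
            state = sheet.get("state", "visible")     # visible|hidden|veryHidden
            if state != "visible":
                findings["hidden_sheets"].append((sheet.get("name"), state))
        for name in z.namelist():
            if re.fullmatch(r"xl/worksheets/sheet\d+\.xml", name):
                ws = ET.fromstring(z.read(name))
                rows = [r.get("r") for r in ws.findall("m:sheetData/m:row", NS)
                        if r.get("hidden") in TRUE_VALUES]
                cols = [(c.get("min"), c.get("max"))
                        for c in ws.findall("m:cols/m:col", NS)
                        if c.get("hidden") in TRUE_VALUES]
                if rows:
                    findings["hidden_rows"][name] = rows
                if cols:
                    findings["hidden_cols"][name] = cols
            elif name.startswith("xl/pivotCache/pivotCacheDefinition"):
                pc = ET.fromstring(z.read(name))
                # saveData defaults to true: source records travel with the file
                if pc.get("saveData", "1") != "0":
                    findings["pivot_caches"].append(name)
            elif name.startswith("xl/embeddings/"):
                findings["embeddings"].append(name)
    return findings


def is_safe_to_publish(findings: dict) -> bool:
    """Block publication if any category has a finding."""
    return not any(findings.values())


if __name__ == "__main__":
    result = scan_xlsx(build_sample_xlsx())
    print("safe to publish:", is_safe_to_publish(result))
    for category, items in result.items():
        if items:
            print(f"  {category}: {items}")
```

A clean result is necessary but not sufficient: a summary sheet can still contain identifiers in plain visible cells, so the scan belongs alongside the masking of the source extract rather than instead of it.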

“[Analysts] are offloading data from its originating source for the purposes of getting their job done,” Pilkington said, adding that this approach is revealing potential data governance gaps within organizations.

The Big Concern is a Data Breach

Internally sharing data without the proper precautions may result in a highly publicized exposure, said Dan Potter, chief marketing officer at Datawatch, which helps business users prepare and analyze data from a variety of sources.

“The big concern, the big risk, is around data breach because now you’ve got data being moved from governed systems — like a database or data warehouse that are well-managed and well-governed and controlled — to something that is now living on the desktop of an analyst and therefore being shared with other people in a non-governed way.”

Take the recent breach at retailer Kiddicare. Earlier this month the company notified nearly 800,000 customers that their names, addresses and telephone numbers may have been stolen after a test website using real customer information was compromised.

However, using real data on a test site tends to be a bad practice, noted security blogger Graham Cluley. As a test site, things are expected to go wrong, and in the case of Kiddicare, they did.

“Unfortunately, time and time again it’s seen that companies can be sloppier about the security of their test sites than their official sites — opening opportunities for data thieves and hackers,” Cluley wrote. “For that reason it’s usually much safer to generate fake data for testing purposes – just in case.”

Importance of Data Masking

Redaction and data masking can provide the best of both worlds: analysts across all departments are free to examine the data they want, and the sensitive information is removed or replaced with innocuous data.

This can help ensure you’re staying compliant with both government regulations and corporate policy. For example, if the employees’ names and insurance numbers had been masked in the data behind the trust’s equality and diversity metrics, the mistaken disclosure of that information would have been much less significant.
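As an added illustration of the masking described above (example code, not Datawatch’s or the ICO’s), the script below takes a staff export of the kind an equality and diversity metric is built from, replaces each name with a keyed pseudonym so rows for the same person still line up across exports, removes the insurance number outright, and leaves the metric columns untouched. It also exposes a pre-publication check that a web services team could run to spot identifying columns before a sheet goes online. Column names, the sample rows and the key are all constructed for the example.

```python
"""Mask identifying columns in a CSV export before it is shared.

Added example; the headers, rows and key below are constructed and
are not real staff data. Standard library only.
"""
import csv
import hashlib
import hmac
import io

# Constructed column names for this example; a real HR export would
# carry its own headers. Names get a keyed pseudonym, identifiers are
# removed, everything else (the metric columns) passes through.
PSEUDONYMISE = {"employee_name"}
REDACT = {"ni_number"}
REDACTED = "[REDACTED]"

# Constructed sample export. Not real people.
SAMPLE_CSV = """employee_name,ni_number,department,ethnicity,disability_status
Alice Example,QQ123456A,Radiology,White British,No
Bob Sample,QQ654321B,Pharmacy,Asian British,Yes
Alice Example,QQ123456A,Radiology,White British,No
"""


def pseudonym(value: str, key: bytes) -> str:
    """Keyed hash of a value, truncated to 12 hex characters.

    HMAC rather than a bare hash so that someone holding the masked
    file cannot re-identify a name by hashing a staff list themselves;
    the key stays in the governed system, never with the masked file.
    """
    digest = hmac.new(key, value.strip().lower().encode("utf-8"), hashlib.sha256)
    return "emp_" + digest.hexdigest()[:12]


def find_sensitive_columns(fieldnames) -> list:
    """Pre-publication check: which columns would leak identifying data?"""
    return sorted(c for c in fieldnames if c in PSEUDONYMISE | REDACT)


def mask_row(row: dict, key: bytes) -> dict:
    """Apply the per-column policy to one record."""
    masked = {}
    for col, value in row.items():
        if col in PSEUDONYMISE:
            masked[col] = pseudonym(value, key)
        elif col in REDACT:
            masked[col] = REDACTED
        else:
            masked[col] = value
    return masked


def mask_csv(text: str, key: bytes) -> str:
    """Return a masked copy of a CSV document with the same header."""
    reader = csv.DictReader(io.StringIO(text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(mask_row(row, key))
    return out.getvalue()


def masked_rows(text: str, key: bytes) -> list:
    """Convenience: masked CSV parsed back into dicts."""
    return list(csv.DictReader(io.StringIO(mask_csv(text, key))))


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-this-in-a-secret-store"
    header = SAMPLE_CSV.splitlines()[0].split(",")
    print("columns that must be masked before publication:",
          find_sensitive_columns(header))
    print(mask_csv(SAMPLE_CSV, key))
```

The masked file can still answer “how many staff in Radiology report a disability” and can be joined to a later masked export on the pseudonym, which is the point of keyed pseudonymisation over plain redaction; but because the identifier column is removed rather than hashed, a leaked copy does not reveal which insurance number belongs to which row.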

Potter added, “There’s a whole host of other kinds of data that people need to be very, very careful with in making sure that they’re masking it in some way because as you move to self-service analytics it does create more risk.”

Listen to the full conversation with Datawatch for more about business intelligence and data masking.

About the Podcast

In early May Blackpool Teaching Hospitals NHS Foundation Trust was fined £185,000 by the United Kingdom’s Information Commissioner’s Office for inadvertently publishing the personal details of 6,574 staff on its website. And last week retailer Kiddicare announced that 800,000 customers were impacted after a test site using real customer information was compromised by hackers. The incidents highlight a growing problem. Organizations have more data than ever, and that sensitive data is often being shared with other departments or with third parties for a variety of purposes.

On today’s Cyber Chat we talk with Datawatch chief product officer Jon Pilkington and chief marketing officer Dan Potter about business intelligence, the importance of data masking and how businesses can protect their sensitive information when it’s being shared both inside and outside of the organization.

Podcast: More Bank Attacks, New Malware and Walmart Sues Visa

A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 69: More Bank Attacks, New Malware and Walmart Sues Visa:

This week’s trending cybercrime events included data breaches at Google, Kiddicare, and InvestBank as well as a ransomware infection that led to YahooMail being temporarily banned from the House of Representatives and a series of Anonymous-led DDoS attacks against banks. Researchers discovered several new mobile threats including RuMMS and Viking Horde Botnet malware. Blogger, PerezHilton and CBS-affiliated websites were hit with malvertising. A new credit card scam was uncovered in Kuala Lumpur. Legal news includes Walmart suing Visa over chip-and-signature practices, the FTC and FCC partnering to investigate mobile security updates, and updated information on several stories including the Wendy’s data breach and the signing of the Defend Against Trade Secrets Act of 2016. Lastly, a Lego robot can bypass screen pattern security.

Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.

Social Engineering – Security’s Big Problem and How to Fight Back

Pick any recent data breach. It could be a high-profile one or one of the many that never make national headlines. If we were to follow the string of events back to the beginning of that compromise, what would we find?

Chances are, it’s an employee getting duped by a cybercriminal.

In fact, one could make the case that social engineering is the single biggest issue facing organizations when it comes to cybersecurity. No matter how big of a fortress you build, all it takes is one employee to open the gate and let the bad guys walk into the heart of a business.

One of my favorite cartoons sums up the issue facing businesses:

Source: John Klossner

With all of the recent W-2 breaches in the news this year, I’ve been thinking once again about the issue of social engineering. What can businesses do? It seems every article I read only points out the problem and then makes vague references to “awareness.”

In 2015 SurfWatch Labs interviewed a variety of people to try to get to the heart of that question, and I think it’s a good idea to revisit that conversation eight months later. After all, it is a problem that will never go away.

Essentially, everyone agrees that a three-pronged approach is the key to limiting the success of cybercriminals using social engineering tactics:

  1. Use technology and tools to limit the exposure to social engineering
  2. Train employees so those social engineering attempts that do get through are less successful
  3. Realize that even the best trained organizations aren’t perfect, so have tools and a response plan in place to limit the potential damage

Let’s briefly expand on the first two points about prevention.

Limiting Exposure to Social Engineering

Technology is getting better at limiting users’ exposure. Take email as an example. In 2006 about 30 percent of an average Hotmail user’s inbox was spam — a huge problem. By 2012 that number was down to 3 percent. In July 2015, Google released its latest numbers, and less than 0.1 percent of the average Gmail inbox was spam.

The less malicious activity that gets through an organization, the less potential there is for an employee to make a mistake. There are several ways an organization can go about this goal, as have been outlined by many groups and organizations dedicated to fighting social engineering such as the Anti-Phishing Working Group.

Some best practices specific to phishing include:

  • Filtering and endpoint technologies – Filtering technologies are great at catching high-volume, low-customization spam. Endpoint solutions can also combat things like malicious attachments.
  • Blocking images, links, and attachments – Disabling images and links in emails from untrusted senders can help users identify legitimate emails and prevent employees from clicking malicious links. Disabling Microsoft Office macros from Internet-obtained documents can help block a common attack vector that has led to many recent data breaches.
  • Web traffic filtering – There are many websites that are known to steal user credentials. These phishing websites are often collected into lists by both commercial vendors and free services like PhishTank. Blocking access to these sites can limit the opportunity for users to fall victim to social engineering.
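To make the three practices above concrete, here is an added example (not code from SurfWatch Labs, the APWG or PhishTank) of a small gateway check that combines them: it parses an inbound message, pulls the links out of the plain and HTML bodies, compares each link’s host and parent domains against a block list, and flags attachments in macro-capable Office formats so they can be stripped or the message quarantined. The block-list entries, the sender and recipient addresses and the message text are constructed for the demo; a real deployment would load the list from a feed such as PhishTank and run the check before delivery.

```python
"""Screen an inbound e-mail for blocklisted links and macro-capable attachments.

Added example using only the standard library. The domains, addresses
and message contents are constructed and not taken from any real campaign.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Constructed block list (hypothetical domains). In practice this would
# be refreshed from a phishing feed rather than hard-coded.
BLOCKLIST = {"phish.example", "bad-login.example"}

# Office formats that can carry VBA macros. The legacy binary formats
# (.doc/.xls/.ppt) are included because they can contain macros without
# a distinguishing extension, unlike the .docx/.xlsx family.
MACRO_CAPABLE = {".doc", ".xls", ".ppt", ".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def hostname_blocked(host: str, blocklist: set) -> bool:
    """True if the host itself or any parent domain is on the block list."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def extract_urls(msg: EmailMessage) -> list:
    """Collect URLs from the plain and HTML bodies of a parsed message."""
    urls = []
    for kind in ("plain", "html"):
        body = msg.get_body(preferencelist=(kind,))
        if body is not None:
            urls.extend(u.rstrip(".,;)") for u in URL_RE.findall(body.get_content()))
    return urls


def screen_message(raw: bytes, blocklist: set) -> dict:
    """Return the blocked links, macro-capable attachments and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    blocked = []
    for url in extract_urls(msg):
        host = urlsplit(url).hostname
        if host and hostname_blocked(host, blocklist):
            blocked.append(url)
    macro = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name.lower())[1] in MACRO_CAPABLE:
            macro.append(name)
    verdict = "quarantine" if blocked or macro else "deliver"
    return {"blocked_urls": blocked, "macro_attachments": macro, "verdict": verdict}


def build_sample_message(malicious: bool = True) -> bytes:
    """Constructed test message; the malicious variant mimics a recruitment lure."""
    msg = EmailMessage()
    msg["From"] = "hr-team@example.net"
    msg["To"] = "staff@example.org"
    msg["Subject"] = "2016 Recruitment plan"
    if malicious:
        msg.set_content("Please review the attached plan and confirm your "
                        "access at http://login.phish.example/reset today.")
        # Placeholder bytes standing in for a legacy .xls file (constructed).
        msg.add_attachment(b"\xd0\xcf\x11\xe0placeholder", maintype="application",
                           subtype="vnd.ms-excel", filename="Recruitment plan.xls")
    else:
        msg.set_content("Agenda for Monday: https://intranet.example.org/agenda")
    return bytes(msg)


if __name__ == "__main__":
    for flag in (True, False):
        print(screen_message(build_sample_message(malicious=flag), BLOCKLIST))
```

Matching on parent domains matters because lures are usually hosted on a subdomain of a listed domain; matching on the exact host only would let `login.phish.example` through when the list carries `phish.example`. The attachment check is deliberately blunt: a gateway cannot tell a harmless legacy spreadsheet from one carrying a macro without opening it, so the policy is to quarantine and let a human release it, which is the same trade-off as disabling macros on Internet-obtained documents.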

Some other areas that can be useful in preventing social engineering include:

  • Authentication – Malicious actors will often impersonate others outside of email, so it is important to have strong ways to authenticate users.
  • Physical security – Physical security limits the ability for unauthorized individuals to access areas, eavesdrop on conversations, and use baiting (like dropping a malware-loaded USB stick). The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.

Training Employees and Raising Awareness

Even with security technology in place, employees will still make mistakes. Security company RSA learned this in 2011 when a phishing email targeting four low-level employees was caught by a filter and placed in their junk folders; however, one of the employees, enticed by the title — “2011 Recruitment plan.xls” — retrieved it from the folder and opened the attachment, leading to a compromise that cost the company $66.3 million.

That is why training and awareness are often touted as the most important and cost-effective step in combating social engineering. According to the 2016 Verizon Data Breach Investigations Report, 30% of phishing messages were opened and 12% went on to click the malicious attachment. And in 2016 phishing is on the rise, according to SurfWatch Labs data. Additionally, a recent Ponemon Institute study examining six proof-of-concept studies found that phishing training led to employee click rates being reduced by between 26% and 99%.

This led Ponemon to conclude, “Assuming a net improvement of 47.75%, we estimate a cost savings of $1.80 million or $188.40 per employee [for the average organization].”

Some of the do’s and don’ts of a good security training program include:

Social engineering is one of the biggest cyber threats facing organizations; however, many businesses devote relatively few resources to addressing this problem. Implementing technology and tools to limit the exposure to social engineering and training employees may be the most cost-effective way for many organizations to significantly improve their cyber risk.