Dark Web Markets, Equifax Breach Raise Authentication Concerns

The recent Equifax breach once again has the whole nation talking about cybercrime — and the widespread fraud and identity theft likely to follow in the wake of 143 million compromised consumers. Identity theft is a major concern for individuals, but as SurfWatch Labs chief security strategist Adam Meyer noted, malicious actors spring boarding off of breached information to authenticate as legitimate users is perhaps a more significant concern when it comes to organizations.

Meyer’s thoughts echo the findings of SurfWatch Labs’ recent whitepaper, which found that malicious actors tend to be focused on authentication when it comes to fraud on dark web markets and cybercriminal forums.

Downloaded the full whitepaper, “Fraud and the Dark Web”

The most observed type of dark web fraud in 2017 is account fraud, which has accounted for more than a quarter (25.2%) of all the fraud-related activity observed on the dark web this year. That includes a wide variety of different accounts that can be accessed with stolen customer credentials, including:

  • online accounts for banking and financial services;
  • online store accounts, as both buyers and sellers;
  • accounts tied to monthly subscriptions or other recurring services;
  • accounts related to the growing number of digital cryptocurrencies;
  • and more.

By comparison, credit card fraud, which is what many consumers may associate with the dark web, has only accounted for 16.7% of the activity so far this year.

The focus on this more indirect fraud — the buying, selling, and trading of access to accounts connected to payment information or services — is driven by both the huge growth in the number of online accounts and the weak authentication that so often accompanies those accounts.

The Equifax breach has simply exacerbated those authentication concerns to the point where outlets like Wired and The Verge are writing that we may need a “fundamental reassessment in how, and why, we identify ourselves” and that it may be “time to burn it all down and start over.” SurfWatch Labs analysts, along with many other researchers, have been warning for years that the pool of forever-compromised information is continuing to grow deeper and cause more issues for business unprepared to deal with that reality.

What can organizations do to protect themselves? Unfortunately, that is not a one-size-fits-all answer.

“Collectively, organizations lose billions of dollars to fraud-related cybercrime every year,” the whitepaper noted. “Individually, how each organization should address the problem of fraud can vary greatly depending their unique risk footprints.”

However, there are some general best practices that all businesses should keep in mind when it comes to combating fraud, such as:

  • Continuous monitoring of malicious actors: Dark web markets, paste sites, social media, and other communication channels are often used to leak stolen data and discuss cyber threats. Organizations should have a way to monitor any leaks or threats that may directly affect their customers, employees, or supply chain. In addition, organizations should stay abreast of any changes in the cybercriminal tactics, techniques, and procedures being used by malicious actors so that they can adapt their cyber defenses.
  • Discourage the the use of weak or already compromised passwords: Consumers have a growing number of accounts that are either tied to financial information or able to be easily monetized by cybercriminals, and consumers’ poor password habits are frequently exploited by malicious actors. NIST recommends advising users against passwords that have been previously breached, and in August 2017 security researcher Troy Hunt provided a list of 320 million compromised passwords that organizations can implement to encourage the use of more secure passwords as they see fit.
  • Encourage two-factor authentication: With so much fraud centered on compromised accounts, having an additional layer of authentication can greatly reduce the chances of those accounts being compromised. Organizations may be reluctant to create additional steps in the login process, but there is an expanding number of secondary authentication options available with varying levels of security and usability.
  • Prioritize and take action against the most impactful threats: In 2014, FICO reported that the average duration of a physically compromised ATM or POS device was 36 days. In 2016, that dropped to just 11 days – and the average number of payment cards affected by a single compromise was cut in half. Implementing training and systems to consistently address the most common and impactful threats facing your organization can have a significant impact in reducing fraud.

In addition to our whitepaper on Fraud and the Dark Web, SurfWatch Labs will also be hosting a webinar on Wednesday, September 20 from 1-2 PM ET.

Cyber Fraud: How it Happens and What You Can Do

The webinar will feature a discussion around cyber fraud, including an in-depth examination of the “Anatomy of Fraud,” what intel can be gathered from Dark Web markets and forums, and recommended courses of action to proactively mitigate the risk of fraud as well as how to effectively respond if fraud occurs.

Greater Interconnectivity Means a Greater Level of Presence and in Turn More Risk

Technology advances continue to push boundaries — remember when a phone was just a phone?! More “smart” devices, more interconnectivity between businesses and customers, businesses and suppliers, businesses and partners … all of this speeds transactions and the way business is conducted. Information is shared, items are purchased — all with the click of a button these days.

Inherent in all this productivity goodness is that your digital presence is expanding across many channels that are outside the traditional company boundaries. With this expanding presence comes greater risk. It’s become much harder to have visibility of the level of risk your organization faces across the many digital channels. You of course have physical risks that have been around in the past, but now can be tied into cyber activity. You have cybercriminals (and potentially other types of adversaries) looking to exploit weaknesses for financial or competitive gains.  Social media. Your supply chain. Insider risks (whether malicious or negligent). On and on …

The more connections you have, the more presence you have, the more opportunity that exists for malicious actors. This isn’t to say close your business off from the world. That’s obviously not realistic and not a good way to do business. But there two essential things you can do to minimize this issue:

  1. Get an understanding of your level of presence and the level of risk associated to different areas. Having this intel sets the stage for how to stay on top of your risk and proactively address it.
  2. Identify people, processes and technology to help continuously monitor and manage these risks — so they don’t become larger issues for your business.

Some questions to pose to your organization as a starting point:

  • Who in the organization has accountability for digital risk? Corporate security? Info security? Risk management? Legal? Compliance? Executive suite and/or board level? Brand officer?
  • What about “smart” building devices? Who owns these?
  • What about “smart” devices brought in by your employees? How are these managed? And by whom?
  • How does digital risk play into the organization’s overall risk management process?
  • What processes are in place to limit the risk?
  • What processes are in place to address a threat?

This list isn’t exhaustive, but you get the idea of how you need to think about this issue.

We recently announced a strategic partnership with PlanetRisk to deliver comprehensive cybersecurity and enterprise risk analytics and visualization for Fortune 1000 and government customers. Together we’re hosting a live webinar discussion on How to Mitigate Risk from Your Expanding Digital Presence.

I look forward to seeing you on the webinar. For more information and to sign up for the webinar, visit: http://info.surfwatchlabs.com/Webcast/How-to-Mitigate-Risk-from-Your-Expanding-Digital-Presence/05102017

Do You Know Your Adversary?

Threat intelligence means a lot of different things to different people. Oftentimes organizations think of tactical information that helps defenders in their on-the-network battles with the bad guys. But, as Forrester Research recently noted in their report Achieve Early Success In Threat Intelligence With The Right Collection Strategy:

“Don’t fall into the trap of subscribing to tactical indicator feeds that you can just pump into your security information management and forget about.”

Tactical intel has it’s role and importance, but starting there can lead you down a rathole. To start off, you need to understand the big picture and then from there you need to understand your adversary, specifically:

  • Who is the actor, what is their motivation and intent, capability, and opportunity?
  • What is the threat campaign they are deploying? What is it targeting? How is it being carried out?
  • What are the associated events and supporting evidence that can be used to provide a level of confidence around the seriousness and impact of this threat to your business?
  • How can you reduce the adversary’s opportunity? What are the processes and/or tools to minimize this exposure?

On Wednesday, April 26 at 1pm ET, please join us for a threat intelligence discussion and see a live demonstration of SurfWatch Threat Analyst, which recently received 5 out of 5 stars from SC Magazine. Adam Meyer, our Chief Security Strategist and head of the SurfWatch analyst team (and formerly a CISO with the 2nd largest transportation system in the US) will lead this discussion and demonstration.

Register now at: http://info.surfwatchlabs.com/Webcast/Threat-Intel-Live-Demo/Apr-2017

Webinar: IoT Devices Expanding Digital Footprints, Security Issues

We’ve seen a lot of discussion about the collective threat of the Internet-of-Things, ever since malicious actors proved in October 2016 that they could disrupt whole chunks of the Internet by stringing to together thousands of compromised smart devices and pointing them all at a single target.

The distributed denial-of-service (DDoS) attack against DNS provider Dyn led to a number of popular websites being unavailable throughout the U.S. and elsewhere, including Twitter, Netflix, Reddit, CNN, The New York Times, and many more. There have been other IoT-powered DDoS attacks, both before and after the Dyn attack, but that incident served as a the tipping point in many ways. For years security researchers had been warning of the poor security around insecure Internet-connected devices — from baby monitors to televisions to thermostats to vehicles — and the Dyn attack was the culmination of so many small insecurities being leveraged by malicious actors in a big way.

As I’ve written before, the core pillars of cyber threats are capability, intent, and opportunity. The billions of IoT devices making their way into homes and businesses provide an ample amount of opportunity for attackers, and it was only a matter of time before they exploited that opportunity.

Register for SurfWatch Labs’ webinar:
IoT Devices Expanding Your Level or Presence (and Your Digitital Risk Footprint)
Tuesday, March 28  
1:00 – 2:00 PM (ET)

IoT devices have potentially become the largest digital footprint NOT under proper security management. In addition, many reports have projected the number of Internet-connected devices to double or even triple within the next four years. It’s a concern for businesses, particularly since the devices often lack even basic cybersecurity features, but the issues stemming from IoT devices are not new or unique.

The security community has seen similar developments over the past 15 years, as I noted in my recent Security Week column, including Virtual Machines becoming the go-to technology in the early 2000s and BYOD beginning to be adopted later in the decade. In both cases, the digital footprints of organizations expanded, and security strategies had to evolve to match those risks. A similar effort needs to be taken in the face of IoT threats.

Take a look at this chart our threat analysts put together highlighting some of the top trending targets associated with IoT cyber threats over the past year. SurfWatch Labs has collected data on everything from cameras, routers and wearable devices to numerous “Other” tags such as home security systems, printers, light bulbs, and more.

SurfWatch Labs has collected data on dozens of different types of IoT devices that can be exploited by malicious actors.

And there continues to be more developments on the IoT front. Over just the past few weeks we’ve seen:

  • CIA exploits tied to smart devices, such as WikiLeaks’ claim that Samsung TVs can be placed in a “fake-off” mode and used as a bug to spy on targets.
  • The discovery of Imeij, a new IoT malware that exploits a vulnerability in devices from AVTech, a surveillance technology company,
  • New reported breaches related to IoT devices, such as CloudPets line of Internet-connected toys, on the heels of a study that revealed 84% of companies have already experienced some sort of IoT breach.

This is a problem that is likely going to get worse in the near future as more of these types of threats move from the periphery of the cybercrime conversation into center stage.

For more information on this threat join Kristi Horton, Senior Risk Analyst with Gate 15 & Real Estate ISAC, and myself, Chief Security Strategist with SurfWatch Labs, for an upcoming discussion around IOT device risks, trends, and best practices for pulling these devices under better control.

Register: IoT Devices Expanding Your Level or Presence (and Your Digitital Risk Footprint)

When it Comes to Cybersecurity, Take a Good Look in the Mirror

Recently, we participated on a webinar panel – What You Need to Know about the FFIEC Cybersecurity Assessment Tool – where audience members were asked the following question:

How would you rate your organizations’ cybersecurity maturity level today?

Possible options (taken directly from the FFIEC CAT) for the attendees were:

  1. Baseline – meets the legal minimum; compliance-driven objectives
  2. Evolving – risk-driven objectives in place; cybersecurity formally assigned and broadened beyond protection of customer info
  3. Intermediate – detailed, formal processes with consistent controls; risk management integrated into business strategies
  4. Advanced – formally assigned throughout the business; automation and continuous improvement
  5. Innovative – cutting edge practice potentially extending beyond firm

Interestingly, a majority of attendees put their organizations’ cybersecurity maturity level at “Evolving”.

There are two ways to look at this:

  1. The pessimist would say that organizations have a long way to go still with protecting information (the regular stream of data breach headlines back this up).
  2. A more positive outlook is that through real self-assessment, understanding where we are and where we need to reach is a good thing.

Many folks who aren’t in cybersecurity and/or don’t follow cyber-related news have an enormous false sense of security. People are too trusting and too curious. Cybercriminals know this and use it to their advantage. So it’s good to see that as security professionals many are taking a good hard look in the mirror and recognizing where we are at. Now the question becomes what do you do/where do you go from here?

Clearly doing the same thing over and over again isn’t working. Cybersecurity is not a technical problem, it’s a business problem in a technical venue. Cybersecurity should and can be viewed in the same way other parts of the business are run.

Another important self-assessment to make is knowing you cannot defend everything perfectly. There simply are not enough resources or budget to do so. Shifting from a reactionary mindset to proactive, data-driven intelligence approach can help you focus on your biggest cyber risk areas.

Look at data, analyze it, understand trends and make decisions. This approach is relied upon to run other areas of the business – it’s what business intelligence is all about. And it can be applied to cyber risk mitigation. The business and IT security sides of the house need to work together and look at cyber from a risk perspective. What are your high value targets (what would a “bad guy” go after and why?)? Then what vulnerabilities and threats are out there that apply to your targets?

Looking at your cybersecurity program and your risk posture through this lens can help you unearth big problems that are coming or identify active threats to your sensitive information and brand. An organization’s appetite for risk is fluid – when all is quiet on the cyber front, there is typically less urgency. That urgency level increases significantly if an organization is breached. But waiting for all hell to break loose isn’t usually a good strategy from a risk management perspective.

In spring, we’re told to change our batteries in the smoke detectors as a precaution. I’d suggest we take a step back and take an honest look in the mirror to see where we’re at from a security perspective and how we can use threat intelligence to drive more effective risk mitigation decisions.