A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 70: Hackers Get Hacked, SWIFT Attacks and a Ruling from the Supreme Court:
The hacker forum Nulled.io was breached and the sensitive information of its members was made publicly available. SWIFT warned of more attacks against banks at the same time the Anonymous OpIcarus campaign hit more financial sector targets. LinkedIn discovered its 2012 breach was much bigger than previously thought. And a couple of researchers upset OkCupid by publishing data on 70,000 of the dating site’s users. This week’s advisories included more developments in the cat-and-mouse game around the CryptXXX ransomware, an alert on an old SAP vulnerability, an Android banking Trojan and click-fraud botnet, and more PayPal phishing scams. This week also saw a highly anticipated Supreme Court ruling on a privacy-related class action lawsuit, the continuation of the financial institutions’ lawsuit against Home Depot, and a new lawsuit around a breach of W-2 information at aircraft maintenance company Haeco. A judge also ruled the FBI did not have to disclose a vulnerability in the Firefox browser, and the U.S. saw its first conviction in the hack of newswires that generated $100 million in profit. Also, the LinkedIn breach revealed another round of terrible password habits.
Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.
Ransomware is making all the headlines so far in 2016. This threat has become so mainstream it has caused both the FBI and US-CERT to issue ransomware alerts, with the healthcare sector being mentioned in both.
On March 31, 2016, the United States Computer Emergency Readiness Team (US-CERT) issued a ransomware warning concerning the Locky and Samas ransomware variants – both of which have been used to target hospitals and other healthcare targets.
On April 29, 2016, the FBI wrote a post warning of the rise in ransomware threats, saying that ransomware attacks were prevalent in 2015 and will continue to grow in 2016.
“Ransomware attacks are not only proliferating, they’re becoming more sophisticated,” the FBI post read. “Several years ago, ransomware was normally delivered through spam emails, but because email systems got better at filtering out spam, cyber criminals turned to spear phishing emails targeting specific individuals.”
However, when you look at the biggest data breaches in healthcare, are ransomware attacks really deserving of all the headlines?
Despite Ransomware Trend, Healthcare Most Impacted By Data Loss
SurfWatch Labs has collected data on 141 healthcare cybercrime targets so far in 2016, and the ransomware attacks against Hollywood Presbyterian Medical Center and Medstar Health have been the top two most discussed industry targets to date.
Ransomware attacks such as the ones against Hollywood Presbyterian Medical Center and MedStar Health have dominated the discussion around healthcare sector cybercrime in 2016.
Both Hollywood Presbyterian Medical Center and MedStar health made huge headlines this year after being victimized with ransomware. Hollywood Presbyterian paid the ransom demand to get their data back. Medstar Health was able to get their systems operational without paying a ransom.
While infected assets lead the way in terms of chatter around healthcare sector cybercrime effects this year – largely due to the high level of ransomware discussion – stolen or leaked personal information and data lead the way when looking at the total number of distinct healthcare targets impacted by cybercrime so far this year.
Although not receiving the most discussion (CyberFacts), the stolen personal information and stolen data tags are associated with the highest number of healthcare targets impacted by cybercrime in 2016.
Similarly, while malware dominates the chatter around healthcare sector cybercrime practices, unauthorized access is the top trending practice category in terms of the actual number of affected targets.
Malware is leading the way in terms of discussion for the healthcare sector in 2016; however, unauthorized access was the leading practice used in attacks against healthcare by total number of industry targets.
While everyone is talking about malware – more specifically, ransomware – affecting healthcare targets, if we dig deeper into that top practice category it’s clear that the old-fashioned, tried-and-true methods used by cybercriminals are causing the most damage in the healthcare sector in 2016.
Physical theft was the top trending unauthorized access practice tag to date in the healthcare sector.
Criminals Are Still Seeking Healthcare Data
While it is still important for hospitals and healthcare companies to worry about the threat of ransomware, as SurfWatch Labs’ data shows, ransomware attacks are just the tip of the iceberg when it comes to cyber threats facing the healthcare industry.
Several attack vectors are present in the healthcare industry. Phishing and social engineering attempts remain the primary cybersecurity threat to healthcare facilities, and stolen laptops and flash drives continue to be a severe data-protection problem.
W-2 data breaches have made several headlines this year, affecting organizations throughout all sectors – including healthcare. Healthcare companies Main Line Health, York Hospital, E Clinical Works, Endologix, Care.com, CareCentrix, and Magnolia Health Corporation all suffered W-2 data breaches in 2016 that stemmed from a simple phishing email.
The verdict is in: ransomware isn’t going anywhere and will continue to trend throughout 2016. However, we can’t forget about the old-fashioned methods used by hackers since the dawn of the Internet when it comes to protecting organizations from cybercrime. Ransomware has become popular due to its ease of execution and potential to make a quick buck, but the valuable data stored throughout the healthcare sector is still the holy grail for cybercriminals looking for a bigger score.
With organizations losing billions of dollars due to business email compromise scams and thousands of employees having their W-2 information sent to criminals each week, it can be easy to think, “How can people be so dumb and keep falling for these same tricks?”
When it comes to socially engineering an employee, most people think of email phishing — and last week we discussed some ways to defend against those threats — but I think the best way to truly understand those cyber threats is to first remove those technology aspects and look at one of the oldest cons around: impersonation.
I love a good impersonation story. Don a disguise. Create a good backstory. Trick some people into doing something they shouldn’t.
It makes for great drama.
Unsurprisingly, when researching how businesses are being compromised by social engineers, nearly all of my favorite examples involved that tactic. Impersonation stories are important because they highlight how simple and effective techniques can lead to a major compromise at an organization.
For example, Christopher Hadnagy, CEO of Social Engineer, Inc., recounted on our social engineering podcast how two ticket-less fans were able to watch the Super Bowl from $25,000 seats by sneaking into the event with a group of first aid workers and then simply acting “super confident.”
Likewise, Chris Blow, a senior advisor at Rook Security, likes to pretend to be an exterminator to test a company’s security. In one instance, he was thwarted by a well-trained receptionist who noticed the con; however, all he had to do was drive around back and find more “helpful” employees — who then let him into sensitive areas where he could access a variety of valuable information.
They Literally Handed Him Their Money
My favorite social engineering story occurred decades before email became popular and everyone learned of the term “phishing.” It was done by con man turned FBI consultant Frank Abagnale, who claims to have duped dozens of individuals into handing him their businesses’ money simply by posing as a security guard.
As the story goes, Abagnale noticed how car rental companies would deposit their money in an airport drop box each night, so he bought a security guard outfit and put a sign over the drop box saying “Out of service, place deposits with security guard on duty.”
According to his autobiography, he stood there amazed as people handed him a total of $62,800.
You may hear that story and wonder why all of those people would trust some random guy with a sign. But is that any different than the cybersecurity pros today who are dumbfounded when a person gives their password to an “IT guy” over the phone? Or when an employee hands over their credentials because an email told them to do so?
Simple, effective scams work, have always worked, and when done in person by a skilled social engineer, can be even more effective.
Defending Against Social Engineering
What can we learn from these impersonators?
For one, social engineering is very effective, which is why the FBI and others are warning of a dramatic increase in business email compromise (BEC) scams. From October 2013 through February 2016, from just this one type of social engineering, there were more than $2.3 billion in losses across 17,600 victims.
Scam artists understand precisely how easy it can be to dupe people, and the same techniques are used in social engineering via phishing and phone. The story above is one of my favorites because Abagnale combines three of those common tactics in one scam: a simple backstory, appearing as though he belongs, and projecting authority.
A Simple Backstory — Whether in person, over the phone or via email, scammers will have all sorts of stories that prey on people’s desire to help. Those handling sensitive information such as W-2 data should always be skeptical about who they are sharing it with and why, but skepticism alone is often not enough. Clear policies and procedures for sharing sensitive information give employees something to fall back on, so that they are not duped by their own desire to be helpful.
Appearing as Though They Belong — As the FBI noted in a BEC warning, it’s important to know the habits of customers, coworkers and vendors and to beware of any significant changes. A person may appear as though they belong by impersonating those who have legitimate access. In some BEC attacks, the malicious actors compromised email accounts and waited for weeks or months to learn the communication habits before attempting their scam. Employees should be encouraged to report any suspicious activity and be continuously trained so that the front line of defense is armed to look out for the latest and most relevant social engineering threats.
Projecting Authority — The impersonation of authority figures is a large reason for the billions of dollars being lost to these social engineering scams. Even when a call or email appears to come from the CEO or another senior figure, be wary of any request to disclose data or grant access. Verifying important requests out of band, through a second channel such as a phone call to a number already on file rather than a reply to the email or a call to a number the requester supplied, can stop many social engineering attempts.
People want to be helpful. They tend to trust others. Good social engineers exploit those tendencies. The influx of technology has only expanded the reach of scam artists; the techniques remain the same. If an organization and its employees understand why social engineering works, then it’s much easier to combat some of those common tactics and keep the business safe.
On May 4 the United Kingdom’s Information Commissioner’s Office (ICO) announced a £185,000 fine against a health trust for inadvertently publishing the personal details of 6,574 staff members on its website.
Blackpool Teaching Hospitals NHS Foundation Trust is required to post annual equality and diversity metrics. Unfortunately, the published spreadsheets contained “hidden data”: simply double-clicking one of the posted tables revealed the sensitive information behind it. This included employees’ names, pay scales, National Insurance numbers and dates of birth, as well as other volunteered information such as disabled status, ethnicity, religious belief and sexual orientation.
The incident is just one of many examples of data breaches resulting from the inappropriate sharing of data within an organization. In fact, the ICO recently published a guide about how to safely disclose information due to a string of similar incidents.
One of the drivers behind those breaches is business intelligence moving away from a locked-down, data-silo approach and back towards the freewheeling, self-service nature of the early 1990s as tools like Tableau empower analysts, said Datawatch chief product officer Jon Pilkington, who was a guest on this week’s Cyber Chat podcast.
In its monetary penalty notice to Blackpool Teaching Hospitals NHS Foundation Trust, the ICO noted that the trust:
Did not have any procedure governing requests for information around electronic staff records
Did not provide the team with training on the functionality of the Excel spreadsheets
Had no guidance in place for the web services team to check those spreadsheets for hidden data before making them public
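The third finding is the one a web team can actually automate. As an added example (not code from the ICO, the trust or Datawatch), here is the kind of pre-publication check it calls for. An .xlsx file is a zip archive of XML parts, and two common carriers of “hidden data” are worksheets flagged hidden in xl/workbook.xml and the pivot cache (xl/pivotCache/pivotCacheRecords*.xml), which stores a copy of a pivot table’s source rows so that double-clicking a summary cell can drill through to them. The script builds a small constructed workbook containing both and then scans it; the sheet names and the rows are invented.

```python
"""Pre-publication check for data hiding inside an .xlsx workbook.

Added example for this article, not code from the ICO, the trust or Datawatch.
The workbook built below is constructed: sheet names and rows are invented.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

NS = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"


def build_sample_workbook() -> bytes:
    """A minimal .xlsx: one visible sheet, one hidden sheet, and a pivot
    cache carrying two per-person source rows (the visible table is a
    summary, but the rows behind it travel inside the same file)."""
    parts = {
        "[Content_Types].xml": (
            '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
            '<Default Extension="xml" ContentType="application/xml"/></Types>'
        ),
        "xl/workbook.xml": (
            f'<workbook xmlns="{NS}"><sheets>'
            '<sheet name="Equality metrics" sheetId="1"/>'
            '<sheet name="Staff raw" sheetId="2" state="hidden"/>'
            "</sheets></workbook>"
        ),
        "xl/pivotCache/pivotCacheRecords1.xml": (
            f'<pivotCacheRecords xmlns="{NS}" count="2">'
            '<r><s v="A. Example"/><s v="AB123456C"/><n v="1981"/></r>'
            '<r><s v="B. Sample"/><s v="QQ123456A"/><n v="1975"/></r>'
            "</pivotCacheRecords>"
        ),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, xml in parts.items():
            zf.writestr(name, xml)
    return buf.getvalue()


def scan_workbook(data: bytes) -> dict:
    """Report hidden/veryHidden sheets and any pivot cache rows in the file."""
    findings = {"hidden_sheets": [], "pivot_cache_parts": [], "pivot_cache_rows": 0}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        if "xl/workbook.xml" in names:
            wb = ET.fromstring(zf.read("xl/workbook.xml"))
            for sheet in wb.iter(f"{{{NS}}}sheet"):
                # state="hidden" is Excel's Hide; "veryHidden" is only reachable via VBA
                if sheet.get("state") in ("hidden", "veryHidden"):
                    findings["hidden_sheets"].append(sheet.get("name"))
        for name in names:
            if re.fullmatch(r"xl/pivotCache/pivotCacheRecords\d+\.xml", name):
                records = ET.fromstring(zf.read(name))
                findings["pivot_cache_parts"].append(name)
                findings["pivot_cache_rows"] += sum(1 for _ in records.iter(f"{{{NS}}}r"))
    return findings


def safe_to_publish(findings: dict) -> bool:
    """Gate for the web team: refuse the file until nothing hidden remains."""
    return not findings["hidden_sheets"] and findings["pivot_cache_rows"] == 0


if __name__ == "__main__":
    result = scan_workbook(build_sample_workbook())
    print(result)
    print("safe to publish:", safe_to_publish(result))
```

Two caveats. The scanner only looks at the two carriers named above; Excel’s Document Inspector also covers comments, document properties and custom XML, and the safer route for a published report is a values-only export or a PDF rather than the working file. And a pivot cache only carries rows when the pivot table’s “Save source data with file” option is on, so turning that off (or publishing a copy without the pivot table at all) removes the cache from the file.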
“[Analysts] are offloading data from its originating source for the purposes of getting their job done,” Pilkington said, adding that this approach is revealing potential data governance gaps within organizations.
The Big Concern is a Data Breach
Internally sharing data without the proper precautions may result in a highly publicized exposure, said Dan Potter, chief marketing officer at Datawatch, which helps business users prepare and analyze data from a variety of sources.
“The big concern, the big risk, is around data breach because now you’ve got data being moved from governed systems — like a database or data warehouse that are well-managed and well-governed and controlled — to something that is now living on the desktop of an analyst and therefore being shared with other people in a non-governed way.”
Take the recent breach at retailer Kiddicare. Earlier this month the company notified nearly 800,000 customers that their names, addresses and telephone numbers may have been stolen after a test website using real customer information was compromised.
Using real data on a test site is bad practice, noted security blogger Graham Cluley. On a test site, things are expected to go wrong, and in the case of Kiddicare, they did.
“Unfortunately, time and time again it’s seen that companies can be sloppier about the security of their test sites than their official sites — opening opportunities for data thieves and hackers,” Cluley wrote. “For that reason it’s usually much safer to generate fake data for testing purposes – just in case.”
Importance of Data Masking
Redaction and data masking can provide the best of both worlds: analysts across all departments are free to examine the data they want, and the sensitive information is removed or replaced with innocuous data.
This can help ensure you’re staying compliant with both government regulations and corporate policy. For example, if the employees’ names and National Insurance numbers had been masked in the data behind the trust’s equality and diversity metrics, the mistaken disclosure of that information would have been much less significant.
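To make the masking point concrete, here is an added example (not Datawatch’s product or the trust’s process) of masking a staff extract before it is handed to an analyst. Names become a keyed HMAC token, so the same person gets the same token across extracts and counts and joins still work, but nobody without the key can turn a token back into a name; the National Insurance number is checked for shape and then redacted outright; the date of birth is generalised to a decade, which is enough for an age breakdown; the fields an equality report actually needs pass through. The column names, the sample rows and the key are constructed for the example.

```python
"""Mask a staff extract before it leaves the governed system.

Added example for this article, not Datawatch's product or the trust's process.
Column names, sample rows and the key are constructed for illustration.
"""
import csv
import hashlib
import hmac
import io
import re

# Constructed sample extract: the rows below are invented, not real staff data.
SAMPLE_EXTRACT = """\
name,ni_number,date_of_birth,pay_band,ethnicity
Alice Example,AB123456C,1981-04-12,Band 5,White British
Bob Sample,QQ123456A,1975-11-30,Band 7,Asian British
Alice Example,AB123456C,1981-04-12,Band 5,White British
"""

OUTPUT_FIELDS = ["staff_token", "ni_number", "birth_decade", "pay_band", "ethnicity"]

# Shape check only: two letters, six digits, suffix A-D. The real format has
# further rules on which letters may appear; this catches a mislabelled column
# before it slips through unmasked.
NI_SHAPE = re.compile(r"[A-Z]{2}\d{6}[A-D]")


def looks_like_ni(value: str) -> bool:
    return NI_SHAPE.fullmatch(value.strip().upper()) is not None


def pseudonymise(value: str, key: bytes) -> str:
    """Stable keyed token: same input and key give the same token, and without
    the key the token cannot be reversed. A plain hash would not do, because
    hashing every name on a staff list reverses it immediately."""
    normalised = " ".join(value.split()).lower().encode("utf-8")
    digest = hmac.new(key, normalised, hashlib.sha256).hexdigest()
    return "P-" + digest[:16]


def redact_ni(value: str) -> str:
    """Validate the shape, then drop the value: no equality metric needs it."""
    if not looks_like_ni(value):
        raise ValueError(f"ni_number does not look like an NI number: {value!r}")
    return "REDACTED"


def birth_decade(iso_date: str) -> str:
    """Generalise 1981-04-12 to '1980s', enough for an age breakdown."""
    year = int(iso_date[:4])
    return f"{year - year % 10}s"


def mask_row(row: dict, key: bytes) -> dict:
    return {
        "staff_token": pseudonymise(row["name"], key),
        "ni_number": redact_ni(row["ni_number"]),
        "birth_decade": birth_decade(row["date_of_birth"]),
        "pay_band": row["pay_band"],
        "ethnicity": row["ethnicity"],
    }


def mask_extract(csv_text: str, key: bytes) -> list:
    """Masked rows as dicts, for feeding an analysis tool."""
    return [mask_row(r, key) for r in csv.DictReader(io.StringIO(csv_text))]


def mask_extract_csv(csv_text: str, key: bytes) -> str:
    """The same rows serialised as CSV for handing to the analyst."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=OUTPUT_FIELDS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(mask_extract(csv_text, key))
    return out.getvalue()


def leaks_direct_identifiers(original_csv: str, masked_csv: str) -> bool:
    """Last check before release: no original name or NI number may appear
    anywhere in the masked output."""
    for row in csv.DictReader(io.StringIO(original_csv)):
        if row["name"] in masked_csv or row["ni_number"] in masked_csv:
            return True
    return False


if __name__ == "__main__":
    key = b"constructed-demo-key-held-by-data-owner"
    masked = mask_extract_csv(SAMPLE_EXTRACT, key)
    print(masked)
    print("leaks:", leaks_direct_identifiers(SAMPLE_EXTRACT, masked))
```

The key stays with the data owner, not the analyst; if linking the same person across unrelated projects is itself a risk, use a different key per purpose so tokens from one extract cannot be joined to another.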
Potter added, “There’s a whole host of other kinds of data that people need to be very, very careful with in making sure that they’re masking it in some way because as you move to self-service analytics it does create more risk.”
Listen to the full conversation with Datawatch for more about business intelligence and data masking.
About the Podcast
In early May Blackpool Teaching Hospitals NHS Foundation Trust was fined £185,000 by the United Kingdom’s Information Commissioner’s Office for inadvertently publishing the personal details of 6,574 staff on its website. And last week retailer Kiddicare announced that 800,000 customers were impacted after a test site using real customer information was compromised by hackers. The incidents highlight a growing problem. Organizations have more data than ever, and that sensitive data is often being shared with other departments or with third parties for a variety of purposes.
On today’s Cyber Chat we talk with Datawatch chief product officer Jon Pilkington and chief marketing officer Dan Potter about business intelligence, the importance of data masking and how businesses can protect their sensitive information when it’s being shared both inside and outside of the organization.
Over the past year, the number two Dark Web market in terms of activity was Nucleus. As of late 2015, this market had more than 25,000 vendor listings, but on April 13 of this year, Nucleus disappeared.
While it’s not the first time Nucleus has been down, and it’s not uncommon for Dark Web markets to go offline, we are now one month into this “downtime.” As of May 8 there were still more than 5,000 bitcoins in the Nucleus wallet (worth more than $2.25M USD). Here are some possible explanations:
Exit Scam? There is a lot of talk from Nucleus Market buyers and sellers of an “exit scam.” An exit scam occurs when the marketplace operator wants out of the game and closes up shop, but doesn’t tell users and continues to accept payments in Bitcoin. If this is the case, the owner of Nucleus Market may have pulled off quite the heist. However, there is a substantial quantity of bitcoins associated with the Nucleus Market and they continue to build each day. Since the market went offline there have been no withdrawals from the Nucleus wallet; however, there have been continuous deposits. Is the owner planning to grab that money and run? Or not?
Hacked? Another possibility is that Nucleus was hacked and subsequently brought down. Legitimate businesses aren’t the only ones being victimized. There is some speculation that an actor who goes by the handle “theDmaster” exacted revenge on the market after he was kicked out. If this occurred, it’s possible that a) access to the bitcoins has been blocked as part of the attack or b) the owners of Nucleus are in fact trying to get the market back up and running and thus have not run off with the bitcoins.
Busted? It’s also possible the Nucleus market was busted by law enforcement and/or the site’s owners are in hiding. The alleged administrators of Nucleus recently posted a comment about Interpol seizing their servers and said that they were now working with Dream Market (another dark web marketplace), but this could just as easily be a plug from competitor Dream Market in the hopes of winning Nucleus Market customers.
Investigations will of course continue into Nucleus Market but how does what we know now impact dark web trade?
Before its disappearance from the Dark Web, Nucleus market was one of the top places to go for:
Drugs and paraphernalia
Fraud related activity (such as payment card information, stolen accounts)
Guides & tutorials (How to card; Get rich quick schemes; Black Hat SEO; Drug manufacturing)
Services (such as hacking for hire, fraud related services)
Counterfeits (i.e. money, apparel, tickets, etc.)
Digital goods, media piracy
Electronics
Erotica
Jewelry
Lab supplies
Weapons
Nucleus vendors now need to get their wares ready for sale on other markets. There has been significant buyer and vendor chatter about moving to AlphaBay, Dream Market, Hansa, Oasis, Valhalla, Acropolis and new markets such as LEO. If they do, these vendors must re-establish street cred on the markets where they set up shop. It may also take time for buyers to find their preferred vendors.
What does this mean for you?
First, recognize there is no honor among thieves. Second, and more importantly, this highlights the “intelligence challenge” of dark web surveillance as markets and vendors disappear and sometimes reappear. By tracking the commodities being sold on the black markets, organizations can gauge the underground market economy and get an idea of what commodities are being actively sold, what prices they are being sold for, and how much volume they are moving. No different than a legitimate business, you can get a sense of what commodities are the top desired items and therefore gain an understanding of what the future targets may be. Most importantly, you will know if you look similar to those targets.
When markets such as Nucleus cease operations, the actors who were operating there quickly scatter to new locations and start anew. From an intelligence perspective this means historical baselines lose some of their value, and there is a period of churn until the marketplaces settle down again.
While the Nucleus Market going offline is most impactful to the users who lost their money, it does illustrate the need for continuous monitoring of the black markets to understand the potential fraud footprint and how it shifts. For organizations that have to continuously battle a large fraud footprint, it is critical to maintain situational awareness of the ebb and flow of market change.
A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 69: More Bank Attacks, New Malware and Walmart Sues Visa:
This week’s trending cybercrime events included data breaches at Google, Kiddicare, and InvestBank, as well as a ransomware infection that led to Yahoo Mail being temporarily banned from the House of Representatives and a series of Anonymous-led DDoS attacks against banks. Researchers discovered several new mobile threats including the RuMMS and Viking Horde botnet malware. Blogger, PerezHilton and CBS-affiliated websites were hit with malvertising. A new credit card scam was uncovered in Kuala Lumpur. Legal news includes Walmart suing Visa over chip-and-signature practices, the FTC and FCC partnering to investigate mobile security updates, and updated information on several stories including the Wendy’s data breach and the signing of the Defend Trade Secrets Act of 2016. Lastly, a Lego robot can bypass screen pattern security.
Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.
Over the last couple weeks, several critical infrastructure cyber-events made headlines in the Industrials, Energy, and Utilities industries. Some of these targets include the German Gundremmingen nuclear reactor, the Lansing Board of Water and Light (BWL), and the Canadian gold mining firm Goldcorp. While none of these cyber-attacks resulted in chaos, they did demonstrate weaknesses within these companies.
The chart above shows the top trending targets in Critical Infrastructure YTD in 2016. In this chart, “Critical Infrastructure” includes data from the Industrials, Utilities, and Energy Sectors.
W-2 and tax-related data breaches have been trending in 2016 – this trend is also occurring in critical infrastructure. In 2016, many top trending critical infrastructure targets have suffered such a breach, including:
Alpha Payroll Services
Whiting-Turner Contracting Company
ADP
Michels Corporation
Equifax
SWIFT’s messaging software at the Central Bank of Bangladesh was abused in that bank’s cyber heist. As a result, business support services was the top trending industry group affected in critical infrastructure so far in 2016.
The industry group “Business Support Services” is the top trending tag so far in 2016.
The Critical Infrastructure Cyber Threat
Attacks against critical infrastructure have occurred in the U.S.; however, these attacks have never led to the doomsday scenario many of us fear, such as disabling power to cities or truly compromising a nuclear reactor. Most critical infrastructure attacks in the U.S. involve the loss of user data, not a takeover of key operating capabilities.
A critical infrastructure takeover has occurred in another country. In December 2015, a group known as Sandworm Team attacked regional power distribution companies in western Ukraine. After gaining access with the BlackEnergy malware, the attackers cut power to roughly 700,000 people for a matter of hours – the first known power outage caused by a cyber-attack. Sandworm Team had targeted U.S. critical infrastructure before, prompting ICS-CERT to issue an alert in 2014 addressing the threat.
Federal policy, notably the February 2013 executive order on improving critical infrastructure cybersecurity, set out to:
Promote information sharing with U.S. private sector
Clearly define roles of key officials involved with critical infrastructure security
Commit to providing assistance in the event of a data breach
Create a framework to reduce cyber risk to critical infrastructure
Promote innovation, research, and development of enhanced cybersecurity measures
As a result, the Department of Homeland Security (DHS) launched the Critical Infrastructure Cyber Community Voluntary Program. The goal of this program is to help enhance critical infrastructure cybersecurity and to promote the adoption of the National Institute of Standards and Technology’s Cybersecurity Framework.
Our country’s critical infrastructure suffers from the same vulnerabilities as other sectors: valuable information is kept in databases and people are the bridge to that information. While a doomsday attack against our nation’s critical infrastructure remains a serious threat, traditional cybercrime is still driven by profit. Those in charge of critical infrastructure security not only have to be prepared for threats attempting to cause physical harm, they must also prepare for the theft of personal information, which is the current trend.
Pick any recent data breach. It could be a high-profile one or one of the many that never make national headlines. If we were to follow the string of events back to the beginning of that compromise, what would we find?
Chances are, it’s an employee getting duped by a cybercriminal.
In fact, one could make the case that social engineering is the single biggest issue facing organizations when it comes to cybersecurity. No matter how big of a fortress you build, all it takes is one employee to open the gate and let the bad guys walk into the heart of a business.
One of my favorite cartoons sums up the issue facing businesses:
With all of the recent W-2 breaches in the news this year, I’ve been thinking once again about the issue of social engineering. What can businesses do? It seems every article I read only points out the problem and then makes vague references to “awareness.”
In 2015 SurfWatch Labs interviewed a variety of people to try to get to the heart of that question, and I think it’s a good idea to revisit that conversation eight months later. After all, it is a problem that will never go away.
Essentially, everyone agrees that a three-pronged approach is the key to limiting the success of cybercriminals using social engineering tactics:
Use technology and tools to limit the exposure to social engineering
Train employees so those social engineering attempts that do get through are less successful
Realize that even the best trained organizations aren’t perfect, so have tools and a response plan in place to limit the potential damage
Let’s briefly expand on the first two points about prevention.
Limiting Exposure to Social Engineering
Technology is getting better at limiting users’ exposure. Take email as an example. In 2006 about 30 percent of an average Hotmail user’s inbox was spam — a huge problem. By 2012 that number was down to 3 percent. In July 2015, Google released its latest numbers, and less than 0.1 percent of the average Gmail inbox was spam.
The less malicious activity that gets through an organization, the less potential there is for an employee to make a mistake. There are several ways an organization can go about this goal, as have been outlined by many groups and organizations dedicated to fighting social engineering such as the Anti-Phishing Working Group.
Some best practices specific to phishing include:
Filtering and endpoint technologies – Filtering technologies are great at catching high-volume, low-customization spam. Endpoint solutions can also combat things like malicious attachments.
Blocking images, links, and attachments – Disabling images and links in emails from untrusted senders makes it harder to click a malicious link by mistake. Blocking Microsoft Office macros in documents downloaded from the Internet removes a common attack vector that has led to many recent data breaches.
Web traffic filtering – There are many websites that are known to steal user credentials. These phishing websites are often collected into lists by both commercial vendors and free services like PhishTank. Blocking access to these sites can limit the opportunity for users to fall victim to social engineering.
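As an added example of the web-filtering point (not SurfWatch’s or PhishTank’s code), here is a small matcher for a PhishTank-style list. The feed lines are constructed; the real PhishTank CSV has more columns, and the loader here assumes one URL per line. The point it makes is normalisation: the same phishing page is reached as http and https, with and without a trailing slash, with a fragment, or with the host in capitals, so comparing raw strings misses most of it. Matching listed hosts and their subdomains is included as a policy option.

```python
"""Match outbound URLs against a PhishTank-style blocklist.

Added example for this article, not SurfWatch's or PhishTank's code. The feed
below is constructed (the real PhishTank CSV has more columns; this loader
assumes one URL per line). Hostnames use the reserved .test TLD and the
198.51.100.0/24 documentation range.
"""
import ipaddress
from urllib.parse import urlsplit

BLOCKLIST_FEED = """\
# constructed feed, one URL per line
http://paypa1-secure-login.test/signin/
https://accounts.example-bank.test:443/verify?id=1
http://198.51.100.7/~update/office365/
"""


def normalise(url: str) -> tuple:
    """Canonical (host, key) for a URL: scheme dropped, host lower-cased,
    default ports and trailing slash removed, fragment discarded. The query
    string is kept because phishing kits often key the page on it."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-case
    port = parts.port
    port_s = "" if port in (None, 80, 443) else f":{port}"
    path = parts.path or "/"
    if len(path) > 1 and path.endswith("/"):
        path = path[:-1]
    query = f"?{parts.query}" if parts.query else ""
    return host, f"{host}{port_s}{path}{query}"


def is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


class Blocklist:
    def __init__(self, feed: str):
        self.urls = set()
        self.hosts = set()
        for line in feed.splitlines():
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            host, key = normalise(line)
            self.urls.add(key)
            self.hosts.add(host)

    def match(self, url: str):
        """'url' for an exact listed page; 'host' for a listed host or a
        subdomain of one (policy choice: a listed host is treated as hostile
        as a whole); None for no match."""
        host, key = normalise(url)
        if key in self.urls:
            return "url"
        if is_ip(host):
            return "host" if host in self.hosts else None
        labels = host.split(".")
        # walk up: a.b.c.test, b.c.test, c.test; never the bare TLD
        for i in range(len(labels) - 1):
            if ".".join(labels[i:]) in self.hosts:
                return "host"
        return None


if __name__ == "__main__":
    bl = Blocklist(BLOCKLIST_FEED)
    for u in ("https://PAYPA1-secure-login.test/signin",
              "http://www.paypa1-secure-login.test/update",
              "https://example.test/"):
        print(u, "->", bl.match(u))
```

Treat the “host” result as a lower-confidence signal than “url”: many listed phishing pages live on a compromised legitimate site or a shared hosting platform, so blocking the whole host can over-block.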
Some other areas that can be useful in preventing social engineering include:
Authentication – Malicious actors will often impersonate others outside of email, for example by phone, so it is important to have a strong way to verify who you are dealing with, such as calling back on a number already on file rather than one the caller supplies.
Physical security – Physical security limits the ability for unauthorized individuals to access areas, eavesdrop on conversations, and use baiting (like dropping a malware-loaded USB stick). The organization should have effective physical security controls such as visitor logs, escort requirements, and background checks.
Training Employees and Raising Awareness
Even with security technology in place, employees will still make mistakes. Security company RSA learned this in 2011 when a phishing email targeting four low-level employees was caught by a filter and placed in their junk folders; however, one of the employees, enticed by the subject line — “2011 Recruitment plan.xls” — retrieved it from the folder and opened the attachment, leading to a compromise that cost the company $66.3 million.
That is why training and awareness are often touted as the most important and cost effective step in combating social engineering. According to the 2016 Verizon Data Breach Investigations Report, 30% of phishing messages were opened and 12% of recipients went on to click the malicious attachment or link. And in 2016 phishing is on the rise, according to SurfWatch Labs data. Additionally, a recent Ponemon Institute study examining six proof of concept studies found that phishing training reduced employee click rates by between 26% and 99%.
This led Ponemon to conclude, “Assuming a net improvement of 47.75%, we estimate a cost savings of $1.80 million or $188.40 per employee [for the average organization].”
Some of the do’s and don’ts of a good security training program include:
Social engineering is one of the biggest cyber threats facing organizations; however, many businesses devote relatively few resources to addressing this problem. Implementing technology and tools to limit the exposure to social engineering and training employees may be the most cost effective way for many organizations to significantly improve their cyber risk.
As cyber incidents proliferate, security experts continue to stress the importance of cyber risk strategy starting at the top of organizations. However, a recent report surveying more than 1,500 non-executive directors, C-level executives, Chief Information Officers, and Chief Information Security Officers found that some organizations still have a big knowledge gap when it comes to cyber threats.
Only 10% of highly vulnerable respondents agree that they are regularly updated about pertinent cybersecurity threats
More than 90% of highly vulnerable board members say they can’t interpret a cybersecurity report
Only 9% of highly vulnerable board members said their systems were regularly updated in response to new cyberthreats
Many of these organizations are concerned about potential cybercrime. All of them are likely doing something to combat cyber risks. But they’re not getting updated on important threats, they cannot understand the updates that do come through, and as a result they do nothing.
That led me to wonder if we’ve all gotten stuck in the same methods of looking at the same things in the same way day after day without ever taking a breath and a step back and asking, “Wait, why am I doing this?”
The Penny Test
There was a fascinating story on the news a while back about people being wrongfully convicted based on faulty eyewitness testimony.
In fact, according to the Innocence Project, “Eyewitness misidentification is the single greatest cause of wrongful convictions nationwide, playing a role in 72% of convictions overturned through DNA testing.”
However, the point wasn’t that eyewitnesses are being careless or that they are just plain ignorant, it’s that without having the whole picture — the complete context of the situation — it’s natural to make a simple mistake that can cost a person decades of his or her life.
To illustrate, let’s do a variation of the Penny Test using a six person “lineup” to see if you can identify the “real” penny.
Which penny is correct?
If you’re like most people, you’ll eliminate a few possibilities, narrowing it down to a couple of choices. Then, over time — and along with other factors that may reinforce your decision — you grow more certain that, yes, that penny you’ve chosen is definitely the right one.
But here’s the problem with the story I’ve given you: it’s incomplete. I failed to mention the possibility that the correct version of the penny might not be there at all.
That’s one of the problems with the human mind: it wants to pick something. And it’s one of the many problems that can arise from eyewitness identification.
All of the pennies were wrong.
Cybersecurity Blind Spots
That lack of context can also be a real problem when it comes to managing cyber risk. Without having the whole picture, it’s natural to invest in the wrong areas or to make a mistake that leaves an organization vulnerable to cyber-attack.
This is what many of the recent studies and surveys have been reinforcing. IT teams are wasting their time elbow-deep in low-level data and investigating red flags, never having a chance to think about or act on a high-level strategy. Executives don’t even know which aspects of their company are at risk, so they’re fumbling around in the dark and relying on vendors for the answers.
The problem with that? They’re biased.
Just as the cops in the world of traditional crime may lead a subject towards a certain perpetrator (“We thought it may have been number three too.”), a vendor may lead you towards their biases — regardless of the true risk profile and needs of your business.
When you’re assessing cyber risk, remember that one option is always “none of the above.” The answer might be something else entirely.
Understanding Complete Context
Many organizations have these cyber blind spots. For example, most organizations don’t assess the security of third-party partners or their supply chain, yet we’ve seen dozens of data breaches that begin from these very avenues.
If relevant cyber threat information is available, it often doesn’t make its way to those with the ability to actually make changes. And if it does get passed along, those executives may be unable to interpret the technical language of the threats. And if they do know and understand the threats, it may end up that those threats are no longer as relevant; there may be newer, more pressing cyber risks.
That’s why nearly every cybersecurity best practice guide or cyber risk management program begins with the same thing: context. Clear away as many of those blind spots as possible.
Remember the Penny Test. Just because you are doing something doesn’t mean it’s the best use of resources. The real threat might still be out there, and without having complete context around your cyber risks, you may miss it.
A new episode of the SurfWatch Cyber Risk Roundup has been posted, Episode 68: New Attacks, Massive Leaks and Setting Data Breach Records:
Details on more than 7 million user accounts for Minecraft community Lifeboat were compromised. A German nuclear plant discovered malware on its systems. A ransomware attack hit the Lansing Board of Water and Light. Huge amounts of data were leaked from Canadian gold-mining firm Goldcorp and the Kenya Ministry of Defense. Trending advisories include vulnerabilities in Android, increased extortion and ransomware activity, and massive dumps of user credentials being leaked from several sources. On the legal side, the New York Attorney General announced the state is on pace for a record number of data breach notices this year, a new version of PCI DSS was released, and a hacker claims to have accessed Hillary Clinton’s email server. Finally, a 10-year-old boy won a $10,000 bug bounty.
Listen to the podcast via the player below, or learn more about SurfWatch Labs podcasts on our podcast page.