Earlier this month, Banner Health announced a data breach affecting approximately 3.7 million people. Since then, a series of class action lawsuits have been filed against the healthcare provider.
The breach involved two separate attacks, Banner Health said. The first targeted payment cards used at food and beverage outlets across some Banner Health locations. The second targeted patient, insurance, and provider information.
The sensitive healthcare information that was stolen is what sets this case apart from other recent data breach lawsuits, said Michella Kras, of counsel, Hagens Berman Sobol Shapiro. Kras is one of the attorneys working on the Banner data breach case filed by the firm, which she discussed on this week’s Cyber Chat podcast.
Hagens Berman Sobol Shapiro filed the class action lawsuit on behalf of Howard Chen, an Arizona doctor whose information was stolen in the breach.
“Dr. Chen’s personal information was compromised in three different ways: as an employee, insurance customer, and health provider,” the lawsuit states. “Dr. Chen is concerned that as a result of Banner’s conduct, his personal information, provider information, and health information is vulnerable to use by third parties.”
Banner Health has offered one-year of free credit monitoring to those affected by the breach, but that’s not enough, said Kras, who estimated Banner Health may pay $6 per person for the service.
“That’s not much of an incentive for them to change their practices because that’s such a small amount to a company that big,” Kras said. “It needs to be something greater than that to spur them to make changes.”
Listen to the podcast for more on Banner Health, class action lawsuits in general, and what companies can do to limit their liability.
Data breaches and other cyber threats have plagued business over the past decade often resulting in a long and expensive recovery process. Luckily for businesses, cyber-insurance can help alleviate some of the financial burden of these cyber-attacks.
“If you were to Google top ten losses due to data breaches in 2015 you would start off with a low of about $46 million for the Home Depot, move into the hundreds of millions with Anthem and Target, and as you get closer to Epsilon you get into the hundred to a billion mark,” said Larry Bowman, Director at Kane Russell Coleman and Logan PC. “The Veteran’s Administration hack was valued at about $500 million. These totals are for notification costs, response, cleaning up the computer system, implementing changes to increase encryption and security protection in the system. But, this does not take into account the loss of business and revenue.”
We had a chance to speak with Bowman about cyber-insurance: what is it, what it covers, and how threat intelligence fits into the equation. Bowman also provides some insight on the current Wendy’s point-of-sale data breach. Our conversation follows.
To kick things off, can you explain what cyber-insurance is and what exactly it covers?
To explain cyber-insurance, it’s helpful to first start with a brief explanation of traditional insurance and then explain the difference between it and cyber-insurance. Traditionally, insurance is for tangible property – such as if you own a home, business, or rent space. You insure property against the risk of loss, and that property is typically tangible property. So, you’ll see language in first-party property insurance – which is insurance industry lingo for like your homeowner’s policy – that is set up to protect you from that. The core insuring agreement – in exchange for premium money – insures the risk of loss which is usually defined in terms as direct physical loss to tangible property.
Secondly, there is a form of insurance called liability insurance. The industry acronym for it is CGL – commercial general liability insurance. And once again, if you act negligently – you being the insured – and you cause damage to some third party’s tangible property, your liability insurance will indemnify you for your legal obligation, which will then indemnify the people you hurt for the damage that you caused to their property.
Along comes hacking and cybercrime and data breaches. The people who are victimized by these third-party attacks make claims to their property insurance coverage. In most instances, whether it is a claim submitted under a traditional property or liability insurance policy , the courts look at these policies’ language and say there is no coverage because there is no loss to direct tangible property. This doesn’t exist in the virtual world of data and data breaches. There have been some cases where damage has been done to a computer system that looks like it is physical damage. Stuxnet is a great example of how a computer program can damage tangible property. In those cases, traditional policies may cover an insured’s losses. The bottom line is though, with the outlying cases aside, most cases say for there to be property or liability insurance coverage you have to have physical damage to tangible property, and that doesn’t exist when the insured has lost electronic data.
The losses from companies who suffer a data breach and the lack of insurance from the traditional market created a market for cyber-insurance. What has happened over the last few years has been the development of specialty insurance products designed to insure against the losses companies face when their computer systems or data is breached or hacked. These policies operate like traditional property or liability policies. But, there is no longer a requirement to have direct physical loss to tangible property. Cyber-insurance policies cover things like the cost of notifications to people affected by a data breach, the cost of hiring security professionals and lawyers to deal with the situation, and the cost of government compliance. It may or may not cover lost revenues or profits. Of course, the scope of coverage is specific to the policy itself.
What are some of the problems with the cyber-insurance industry?
There are a couple problems the insurance industry currently faces. First, the industry only has about a decade of experience in covering cyber losses – which isn’t a lot of time in the historical knowledge-base of the insurance industry – that makes pricing policies difficult. However, that is a problem in the process of being solved because the quantifiers are coming up with increasingly better models and formulas to allow an insurance company to set up a policy and price it accordingly. The insurance companies like certainty; they like probability. As time goes by and as data improves, this will be easier and easier to do – within reason.
The second problem is the lack of a consensus standard of care for data protection; although there are numerous proposed standards and guidelines for data protection – such as NIST’s cybersecurity framework. What I am talking about here is that it is nice to know what the rules are. The SEC, FDIC, and FTC have all pronounced in the last couple of years that they think cybersecurity is a board of directors-level issue that requires hands-on knowledge and attention and an effective remedy at the board of high management level. When you fill in the blanks, there are conflicting messages about what a board should do to enable reasonable cyber protections.
At SurfWatch Labs, we believe that robust security features such as firewalls and antivirus software are paramount to a well-rounded cybersecurity strategy. Perhaps just as important, we believe cyber threat intelligence – knowing what threats are out there and knowing how to proceed with security – is just as important. Some of the problems you mentioned with cyber-insurance is a lack of understanding around reasonable cyber protections. Do you believe cyber threat intelligence is a logical step in solving that issue?
As part of the initial application for cyber-insurance a lot of insurance companies will require the company applying for insurance to fill out a detailed form describing what its current cybersecurity policies are. I don’t know if those forms require cyber threat intelligence, but that would be a source of beneficial information. And it may be something that insurance companies should require from insurance applicants.
Are companies utilizing cyber-insurance to protect their assets in case of a data breach?
If you were to Google the amounts spent on cyber-insurance it started out small, but it really started to get off the ground with these well-publicized data breaches. In a few years, this is going to be a multi-billion dollar market. As a matter of fact, I believe it is already up to the billion-dollar mark already, and it is expected to get to about $5 billion by 2020. As the consensus standard gets better defined, using due diligence to protect your company’s assets and customer’s assets is certainly going to be a part of liability cyber-insurance coverage.
I would love to get your take on the current events tied to the Wendy’s data breach. It seems like the number of restaurants affected by point-of-sale malware increases every week.
The loss to Wendy’s is similar to the Target loss. The bad guys have gotten control of point-of-sale information, which means they have people’s credit card information. So what is the exposure to Wendy’s? Wendy’s gets sued by multiple customers who are saying they failed to implement reasonable measures and allowed our payment card information to be obtained by these hackers.
Now, their insurance policy will define what out-of-pocket costs are covered. That’s part of the fun right now is defining what those costs are. Some of those costs are driven by state and federal laws – like notification. If you are a retail company in possession of thousands of credit cards and those cards are obtained by a third-party, you have to notify all of those people about the event.
It’s not just notification costs; it’s everything that is done to investigate the data breach. They might have to pay experts, lawyers, and pay for forensic measures to make sure a breach doesn’t happen again. There may be costs with complying with regulatory action or government investigations. Those are just some of the out-of-pocket costs from the breach. Who knows, maybe people won’t trust Wendy’s anymore with their credit card information and consumers may simply avoid the restaurant.
In late June, reports surfaced of an unnamed Ukrainian bank having $10 million stolen, adding to the growing list of cyber-attacks leveraging SWIFT, the messaging system used by financial institutions around the world.
“At the current moment, dozens of banks (mostly in Ukraine and Russia) have been compromised, from which has been stolen hundreds of millions of dollars,” said the Information Systems Audit and Control Association (ISACA).
These SWIFT-related attacks often require significant time investment from cybercrimnals, but the payouts can be substantial — including an $81 million theft from Bangladesh’s central bank in February.
[ISACA] said that such hacks usually take months to complete. After breaking into a financial institution’s internal networks, hackers will take time to study the bank’s internal processes and controls. Then, using the knowledge and access they have gathered, the hackers will begin to submit fraudulent money orders to webs of offshore companies, allowing them to siphon off millions of dollars.
“The SWIFT case — it’s actually more in line with what’s happening right now, which we call multi-dimensional attacks because it involves many areas,” said ThetaRay CEO Mark Gazit, who was a guest on this week’s Cyber Chat podcast.
The attacks shed light on the trend of some cybercriminal groups moving beyond personal information and credit card theft. Instead, they are focusing on the institutions themselves and the potentially massive payouts that come along with a successful attack.
These groups are becoming smarter and often know the inner working of banks, Gazit said.
“If you go to the dark web you can find the set of rules for banks in the United States, and some of the banks will have more than 10,000 rules. They’re all published.”
Growing Problem for Financial Organizations
Customers have an expectation of certain convenience features, and banks have to keep pace with those expectations in order to not lose business. The growing digital footprint makes those financial institutions much more susceptible to cybercrime, which is increasingly automated, Gazit said.
This means that cyber-attacks have more impact throughout organizations.
“It becomes a board issue, a CEO issue, a risk issue. Suddenly, it’s not just an issue that IT guys should deal with somewhere in back office rooms. It’s actually becoming something that relates the very core part of the business.”
On Monday, SWIFT announced that they were engaging with several security companies to assist the community by providing forensic investigations related to SWIFT products as well as providing anonymized intelligence data to help prevent future fraud.
Part of the problem around cybersecurity is that teams may be hampered by their past successes and failures, Gazit said.
“Existing organizations such as financial institutions, utility companies, they still have very good people that have extensive knowledge that is derived from the past, and sometimes past knowledge can be a curse when you try to prepare yourself against new attacks.”
He added, “I think that we’ll see more surprises, more attacks that nobody expected, more crime that people will be very much surprised how it happened or how it could happen.”
For more, listen to the full conversation with ThetaRay’s Mark Gazit about how financial sector attacks are evolving and what needs to be done to stay ahead of cybercriminals.
While cyber-attacks continue to grow and evolve some companies are claiming to be “non-hackable” – and they’re often startups. The problem with this logic is that it is simply incorrect; all companies are potentially vulnerable to being hacked.
“Every organization can be hacked by a clever person with patience. I personally avoid all companies who say they are non-hackable.”
We had the opportunity to speak with Barbera about angel investing, how serious startup companies are taking cybersecurity, and what he is looking for a startup company to have in place in terms of cybersecurity before he invests.
Our edited conversation follows.
As an angel investor, when a startup company tells you that they are “non-hackable,” what is your initial reaction?
So, a cloud storage company comes up and says you can store your files with them. Those files are encrypted, and once it is on their server if it were to ever get hacked, the hacker would receive an encrypted file and it looks like a bunch of junk. That means nothing to me. If the US Army can get hacked, if the CIA can get hacked, so can your little company. Nothing is foolproof, so why are you going around and saying it is? I don’t think they can practice what they preach.
Do you think these startup companies are simply saying what you would want to hear, or are they ignorant and truly believe they are “non-hackable?”
I think there is a lot of ignorance, and I think these companies really believe that they have a product or service that is foolproof. I also think some say it as a marketing technique for non-tech savvy people. If you had a baby boomer generation target market, they don’t know much about IT, or the Internet and how it works. They can barely operate a Facebook account. So when they hear a service is “non-hackable,” they are more likely to use that service. So it might be a marketing technique for some companies.
Years ago, LifeLock had an actor or spokesman put their social security number on a commercial. He got hacked.
[Laughs] Well of course he did.
What is your overall view on how cybersecurity is evolving when you learn about these new companies?
It really changes based on each company’s business model and strategy. So when you have a startup dependent on their budget and their goals, IT and security may or may not be a big part of it. It all depends on what they are doing.
Say you have a small mom-and-pop shop that is selling goods from their brick-and-mortar store that is also selling on their website, their minimal requirement is to be PCI compliant. Their biggest concern is being hacked. In the larger scheme of things, hackers will probably won’t look at a smaller target like a mom-and-pop store. It might not be beneficial to them.
Other companies who do more stuff on the Internet have more of a liability to protect that information, so they need to take it more seriously.
Focusing on cybersecurity, when you are looking to invest in a company, what are you hoping to hear from them when making a decision to invest or not?
If it was anything more than being PCI compliant, I would want them to have an in-house IT specialist that could provide the services needed. If it is a smaller company needing to be PCI compliant, we can outsource that. It really goes toward the organizational services that they are working with. If they are working with people’s finances, then we are going to have to implement advanced security systems. If they are working with names, addresses, and they are PCI compliant, that is a different story. There are different levels, and it really goes back to business models.
What you have to understand is a lot of people – like small business owners – their everyday life is making a sale. On top of that, while they are sweeping they are supposed to do their books, their IT, and their taxes. A lot of people don’t think about [cybersecurity] until it is too late, and that is unfortunate.
I recently had the pleasure of sitting down with Larry Larsen, Director of Cyber Security at Apple Federal Credit Union, to learn about the cybersecurity challenges they face and how threat intelligence fits into their overall approach to risk mitigation.
Larry explained that his primary objective is two-fold: to protect member information and assets, and to protect Apple FCU’s organizational information. With increasing complexity around cyber, he discussed with me the need for threat intelligence to become more apparent. Beyond just blocking threats, he wants to understand what attackers are trying to do so he can prepare as best as possible. And while there are many sources of open source threat information, intelligence takes it a step further by correlating patterns of behavior that the cybersecurity team at Apple Federal Credit Union uses to guide their efforts and anticipate threats before they occur.
When it came to discussing how they use the intel from SurfWatch Labs, Larry said that it has “led to direct changes in Apple FCU’s infrastructure due to emerging threats we would not have known about as quickly if we did not have that pattern analysis and comprehensive picture.”
In this 5 minute clip, you can learn about how strategic and operational threat intelligence are used throughout the organization – beyond just the cyber team – to prepare for impending threats and reduce risk.
One of the cyber challenges that has long faced organizations is the IT skills gap, and as cybercriminals have widened their focus and moved down the food chain to target more small and medium-sized businesses, that problem has become more pronounced. This is particularly true for what Confer founder and VP of products Paul Morville describes as the “IT middle class.”
“You’ve seen this massive acceleration in terms of people who need to worry about security, people who have to acquire talent in that area,” said Morville, who was a guest on this week’s Cyber Chat podcast. “It’s only getting harder.”
That “democratization” of who is being targeted is the biggest driver behind the often-reported skills gap, Morville said. More businesses than ever are in need of security professionals, and there’s just not enough talent to go around.
The Growing IT Middle Class
The numbers back up those assertions. According to a 2015 analysis of Bureau of Labor Statistics numbers, the demand for IT security professionals is expected grow by 53 percent through 2018, and a 2016 ISACA report found that 62 percent of those surveyed stated their organizations have too few information security professionals.
In addition, the ISACA report noted:
Finding talent can take a long time: More than half of organizations require at least three months to fill open cybersecurity positions, and nine percent could not fill the positions at all.
Most applicants do not have adequate skills: Fifty-nine percent of respondents said that less than half of cybersecurity candidates were considered “qualified upon hire,” up from 50 percent a year prior.
Security confidence is down: Only 75 percent of respondents reported that they were comfortable with their security teams’ ability to detect and respond to incidents, down from 87 percent a year prior.
In many ways the problem of the cybersecurity skills gap is defined by this growing IT middle class, as Morville noted:
Currently, the largest organizations — such as mega-banks and the military — have the resources to excel at IT security. … Just one tier down from this elite group, it’s a different story. … Under these circumstances, security teams are forced to rely on security tools that are outdated, siloed and inefficient. These tools allow too many attacks to get through, are often disruptive to users, and offer no post-incident value.
Organizations at the top of their industries devote a lot of resources and manpower towards security, but that drops off “really fast” when you start moving down market, Morville said.
Addressing the Gap
Finding the right candidate can be challenging because — as others have said — security professionals often have to be a chameleon and wear many different hats.
“When you look at a security person, they’re part engineer, they’re part researcher, they’re part operational in nature, they’re partly a police officer,” Morville said. “You can’t go to a university right now and study that. There’s very few programs that are specialized in this area.”
He added, “I think the more we can do in terms of feeding more people with this skill set into the funnel, the better off we’ll be.”
But finding people to stop the bad guys is only half the equation, Morville said. The other half is doing so in a way that frees up resources. That’s where security tools need to improve to make sure they’re helping organizations become more efficient.
“I put a lot of burden back on the security vendor community in terms trying to create products that, as I said, become more of a force multiplier.”
As SurfWatch Labs chief security strategist Adam Meyer wrote, there is a huge difference between being actionable and being practical, and tools and intelligence need to be more practical. This means security tools should help free employees from low-level tasks so that the employees organizations do have can better utilize their time, Morville said.
“Everybody is just always looking for new security people — people to add to the team. It’s hard to find people, and it’s hard to train people, and it’s hard to retain people.”
For more, listen to the full conversation with Confer’s Paul Morville about the skills gap, how it’s affecting the IT middle class, and what security vendors, businesses and others can do to help address the problem.
Many businesses cannot keep up with the plethora of sensitive data that’s being created and shared by their organization, and as a result they may face increasingly stiffer fines as new regulations and laws are passed to protect that data.
That’s according to John Wethington, VP of Americas for Ground Labs, a security company focused on helping organizations monitor their data.
“Simply put, there’s so much data being generated every single day that these organizations — they literally lose track of it,” said Wethington on SurfWatch Labs latest Cyber Chat podcast.
“The data is constantly being moved and shifted around. It’s being put in a variety of different formats, stored in a variety of different locations,” he said. “I think the average individual doesn’t see behind the scenes and understand all the hands that touch their data for a variety of different reasons.”
Do You Know Where Your Data Is?
That lack of insight is leading to data breaches caused by both mistakes within the organization as well as external actors such as cybercriminals and hacktivists.
Although data storage and data use has shifted over the past few years — more cloud services, more sharing, more tools to extract and analyze information — cybersecurity has often lagged behind that shifting approach.
If an organization isn’t closely monitoring that sensitive information, they may be in for a rude awakening, Wethington said.
“Much like a child, you have to constantly keep an eye on them otherwise they’re going to wander off somewhere you’re not going to expect, and the same thing with the data. It’s going to wander off somewhere, you’re not going to expect it to be there, and then you’re going to find yourself in trouble.”
Evolving Regulatory Landscape
That lost data may lead to larger fines and penalties as new regulations such as the EU’s General Data Protection Regulation (GDPR) come into effect and organizations have to deal with issues such as the right to be forgotten.
The GDPR, which goes into full effect in May 2018, comes with a considerable increase in potential monetary fines for those that don’t keep personal information protected: up to 4% of firms’ total worldwide annual turnover.
The global regulatory environment is “rapidly changing” as governments try to create different ways to compel organizations to maintain data security, Wethington said. As a result, organizations are trying to understand what new regulations such as GDPR will mean for them.
He added, “It’s going to be an interesting couple of years ahead of us.”
Listen to the full conversation with Ground Labs John Wethington below:
About the Podcast Throughout 2016 we’ve seen numerous data breaches related to businesses being unable to properly monitor and protect their data. As Ground Labs VP of Americas John Wethington put it, organizations simply cannot keep track of the growing amount of data they have. However, new regulations such as the EU’s General Data Protection Regulation come with stiff penalties for those organizations that do not protect the sensitive data they collect.
On today’s Cyber Chat we talk with Wethington about why businesses are having trouble monitoring that data, how they can improve, and what the future holds for data security.
Cyber threat intelligence offers an in-depth look at the potential threats and attack vectors facing an organization. Each organization is different, and in these differences there are a variety of ways cybercriminals can exploit a company. Security tools such as firewalls and antivirus software protect against several of these threats, but they cannot protect an organization from everything. This is where cyber threat intelligence plays a crucial role.
Threat intel gives an organization the ability to identify threats, understand where any lapses in security have already occurred, and gives direction on how to proceed concerning these vulnerabilities. This is a lot of information for any organization to handle on their own, especially since the cyber landscape continues to change.
“The field is constantly growing and evolving; there is no shortage of cyber information, which means it can be very easy to get overwhelmed with it,” said Aaron Bay, chief analyst at SurfWatch Labs. “We sometimes forget to take a peek at what is going on with the rest of the world.”
Yesterday we talked with Bay about the role of the cyber threat analyst. Today we finish our conversation, and focus on how threat intelligence can help organizations.
Why does a company need to implement threat intelligence on top of their existing security?
Having security tools such as firewalls and antivirus software is critical; you have to have them. If you don’t have these tools, you are already at a disadvantage. These security tools are paramount, but the information derived from them can be overwhelming. From what I have seen, a lot of time companies will simply buy these tools, plug them in and forget about them. From a threat analyst perspective, what we do when we give companies information about threats affecting their industry is show them the known mitigation of the threat. We can only lead the horse to water; we can’t make it drink. But if we can give organizations enough pertinent information where they are asking, “Does my defense actually protect us against this?” that goes a long way.
A lot of the time companies are putting up boundaries to stop threats from getting in, but they might not necessarily know when information gets out. They may be breached, and their information could have been compromised. They could also be attacked at a point they weren’t protecting such as point-of-sale systems. A bank has credit and debit cards, and the bank itself is usually pretty well protected against direct attacks. All of that can be defeated by a skimmer on an ATM. Knowing these attack vectors and knowing this is another way cybercriminals can get to your customers’ data can really help mitigate risks. If we as threat analysts are looking for these attack vectors and alternative methods, then we can help an organizations be better prepared and protected against threats.
Cyber threat intelligence is a relatively new avenue in cybersecurity. Are companies seeing value in this?
Cyber threat intelligence is still a growing field; it is definitely still evolving — as it should be. Threats are evolving, so this field that focuses on these threats is evolving as well. I think, for the most part, everybody is doing the best job that they can. It’s hard for a business to feel like they are getting a return on their investment from IT security in general. When you get that big win, when you catch something that no one else caught, either protecting some data or helping stop something before it became a big deal, then it is easy to see the value of it. For companies, as long as everything is working, the people who make decisions about IT and their infrastructure don’t necessarily want to know what goes into keeping everything running. They just want it to work. If everything is working, it is easy to not respond and spend money on keeping everything running. In their mind, everything is working. It appears that not much has to be done to keep things running, why would they spend more money on it?
How can companies providing cyber threat intelligence improve?
If there is a way to improve our field it is really just to work together as a community to make sure companies understand the value of cyber threat intelligence. I feel like we are doing a good job, but I feel that the industry isn’t ready for the message. These companies are being attacked left and right, and it feels like all we are doing is showing up and telling them they need to be doing security better. To actually translate everything that is going on, distill it and focus it on the company specifically is really the best approach. I am glad that SurfWatch Labs is going down this road. Showing companies why they need to care about this information that is being presented to them is very valuable.
I also think that internally, for our customers, we sit between business operations and the IT department. We aren’t just supporting IT security or just enabling compliance with the various IT regulations a business must adhere to. A Cyber Threat Intel Analyst should be assisting the translation between business units — and the various IT and cyber risks they face — and helping them understand sometimes how two separate threats are actually part of a larger threat against the company. I believe that is when we can really show our value.
For example, let’s say an attacker breaks into a company and steals credentials to the gaming platform that is hosted by that business. The network defense team should detect that and stop it. If a new attack is being used that has never been detected before and no signatures have been created for it yet, it’s possible the attack may go unnoticed. Soon after this undetected attack, separately, your cyber threat intel analyst discovers that someone dumped some credentials to your game on the dark web or is selling them. If that credential dump is only passed on to a third group such as customer service in order to reset accounts, but the network defense team isn’t made aware, then the source of the leak may not be plugged. Or if the developers are not notified, and the vulnerability came from a bug in the software that the company created, then again the problem will still be there.
What are some of the achievements cyber threat intelligence has accomplished. Is it changing the game?
It is changing the game for sure. Some of the big wins cyber threat intelligence has gotten comes from exposing malicious activity in general. When you can find those hidden gems and expose what is going on those are the big wins. Seeing the new carding efforts and all the things that are going into combating organized crime is very rewarding. The big ones are of course things like uncovering STUXNET, and all of the pieces that went along with that. The Mandiant APT1 report I think spawned a whole new movement with regards to CTI, some good some bad, but it got a lot of people to sit up and take notice, and that’s really what we want.
We talked about how new the field of cyber threat intelligence is, but that is also exciting. Being in a field with all of this different stuff going on makes cyber threat intelligence a very exciting field to be a part of and stay focused on. I look forward to the future.
As cybercrime continues to grow and evolve at a rapid pace, organizations are faced with difficult decisions in finding solutions to this problem. Deploying security tools to combat cybercrime is a crucial part of this dilemma, but this brings with it the herculean task of attempting to process massive amounts of data in order to keep up in the game defending against cyber-attacks.
In order to get the most up-to-date and accurate cyber threat intelligence, SurfWatch Labs employs talented analysts with a focus on threat intelligence. These threat analysts are the backbone to a new and developing field of cyber threat intel, providing valuable information to organizations that go well beyond identifying threats.
“Being a threat analyst often requires being a chameleon or wearing many hats,” said Aaron Bay, chief analyst at SurfWatch Labs. “You need to be able to understand the technical side of security, navigate among the various hacker and cybercrime forums on the dark web, understand business risk, and then distill all of that information into valuable intelligence that can be easily understood by business executives. It’s not an easy role, but it is one that is becoming increasingly important to organizations.”
We spoke with Bay to get some insight about the role of a threat analyst and how cyber threat intelligence can benefit organizations.
Tell us a little bit about being a threat intelligence analyst.
Being a threat analyst feels a little bit like a cross between a weatherman, an interpreter and someone trying to find a needle in a haystack. It’s not just about knowing the latest attacks and staying up on the latest jargon. There is a lot of translation that has to take place to get that information to the decision makers in such a way that they can actually make a decision based on it. So being able to speak “cyber” but also being able to translate that to someone who is not a cyber person takes some work as well. Powerful Google-fu is also helpful in this position; even though Google is not the only source, knowing how to find data using it and other tools is invaluable.
Describe your typical day.
My typical day is probably a little bit different than most cyber threat intel analysts. Because SurfWatch Labs focuses on the bigger picture, we aren’t typically gathering the latest signatures from the latest malware or putting together snort rules for all the new bad stuff that’s been detected by various sensors or honey pots.
I spend a lot of time reading blogs, Twitter, various forums and general Web searching. To support SurfWatch Labs’ customers, a lot of my focus is on them: what they’ve said is most important to them, things they want to stay aware of, constantly looking for information that may be of interest to them in general, keeping track of that and reporting it to them, and then getting their feedback on what we’ve told them to tailor our internal processes so that we constantly evolve and stay current with their needs, as well as stay current with the threats out there.
Is being a cyber threat intel analyst mostly about IT security?
Firstly, I think the term IT Security is becoming archaic. When it is used, the person who hears it or uses it has a preconceived notion about what IT Security is. Computers and routers and switches and firewalls and all things traditionally associated with IT security come to mind. But our businesses and our personal lives have become so connected and dependent on technology, that just calling it “IT” seems to leave out things that should be included, but aren’t. I have to say that I am not a fan of the term “cyber” or “cybersecurity,” but I can understand the reason for having a new term that’s a little more ambiguous.
Credit cards used to just be numbers printed on plastic read by zip-zap machines until magnetic strips were created and used to save information in a way that could be read by a computer and transmitted via telephone back to your bank. Forty years later, those are being replaced by sophisticated memory cards that keeps your information encrypted. Do you consider your credit card to be IT? You should. Credit card fraud has been around as long as credit cards, and the more IT we throw at the problem, the more it becomes an IT security problem. I know that banks and organizations like Visa consider this an IT security issue, but most people still do not, I would assume. And that’s just one example.
For a Cyber Threat Intel Analyst to do their job correctly, they need to understand that it really is about IT security, but the scope is usually bigger than most people realize. The analyst needs to be aware of that, but they need to help their employer or customer understand that as well.
What is one of the biggest things to understand about cyber risk?
Typically, cyber threats enter an organization by way of something every user touches: browsing the web, reading their email, opening files, etc. Traditional IT security has been tasked with solving that. But that’s not the only way cyber threats can harm an organization. As soon as you do business with another organization, the scope of your risk increases. You have to send and receive information from them, send and receive money from them. This information is at risk if one organization protects it less than the other. If pieces of the business are outsourced, whatever that is, it’s now at risk to however that third party protects its business or its infrastructure.
Some of this even just comes in the form of what software a business chooses to use for its customer portal, where customers can post questions or the business otherwise interacts with its customers. Any vulnerabilities in that software or where that software is hosted translates to risk to the primary organization. Again, none of this is meant as a reason not to function this way, only as a way to say that these risks need to be understood and monitored. As new threats or attacks or vulnerabilities are discovered, an organization needs to be made aware of them so actions can be made to mitigate or remove them.
What are some cybersecurity trends you are seeing as a threat analyst that are concerning?
The biggest trend I am really starting to see is the continuation of cybercriminals using cyber means to make money. They steal credit card numbers, people’s personal identities, and the profits from these crimes and frequency of attacks continues to grow. Ransomware is now growing. It’s not growing because people think it is funny to do. It’s growing because people are making a lot of money off of these attacks. In these attacks, cybercriminals don’t care about obtaining information from our computer. All they care about is getting you into paying them money to get back your information. This is a scary trend, because it is really working.
Denial-of-service is still going on; people will pay to conduct denial-of-service attacks or pay ransoms to have these attacks stopped. It will be interesting to see what attack shows up next in an effort to make money.
To encapsulate that trend, it is becoming a lot more organized. In years past, the traditional “organized crime” groups were the only ones really making money off of cyber attempts. Today, however, all parts of cybercrime are becoming more accessible, and as it becomes easier a lot more people are going to be doing it.
Along that vein, attacks that produce the most results are of course going to trend. Ransomware as I mentioned, but a lot of businesses are getting better at detecting and eliminating threats … but don’t quite understand or monitor threats coming from their third-party suppliers, so attacks will start to come from that angle.
What is your biggest fear as a threat analyst?
My biggest fear is people not taking this information seriously or people not thinking it is useful information. I am fearful that people view this information as no big deal, viewing it as just another report and moving on. I hope that companies feel this information is useful, and it is taken seriously instead of thinking they don’t need the information anymore. Some of that could be that an organization doesn’t quite have a mature enough cybersecurity program so it can’t properly digest and protect against what an analyst may be telling them. The failure of the analyst to correctly translate risks and threats and trends into something meaningful could also contribute to the message being lost.
In the next post, Aaron shares his thoughts about how cyber threat intelligence can help your organization.
On May 4 the United Kingdom’s Information Commissioner’s Office (ICO) announced a £185,000 fine against a health trust for inadvertently publishing the personal details of 6,574 staff members on its website.
Blackpool Teaching Hospitals NHS Foundation Trust is required to post annual equality and diversity metrics. Unfortunately, the published spreadsheets contained “hidden data.” Simply double clicking on the posted tables revealed the sensitive information behind them. This included employees’ names, pay scales, National Insurance numbers and dates of birth as well as other volunteered information such as ‘disabled’ status, ethnicity, religious belief and sexual orientation.
The incident is just one of many examples of data breaches resulting from the inappropriate sharing of data within an organization. In fact, the ICO recently published a guide about how to safely disclose information due to a string of similar incidents.
One of the drivers behind those breaches is business intelligence moving away from a locked-down, data-silo approach and back towards the the freewheeling, self-serving nature of the early 1990s as tools like Tableau empower analysts, said Datawatch chief product officer Jon Pilkington, who was a guest on this week’s Cyber Chat podcast.
In its monetary penalty notice to Blackpool Teaching Hospitals NHS Foundation Trust, the ICO noted that the trust:
Did not have any procedure governing requests for information around electronic staff records
Did not provide the team with training on the functionality of the Excel spreadsheets
Had no guidance in place for the web services team to check those spreadsheets for hidden data before making them public
“[Analysts] are offloading data from its originating source for the purposes of getting their job done,” Pilkington said, adding that this approach is revealing potential data governance gaps within organizations.
The Big Concern is a Data Breach
Internally sharing data without the proper precautions may result in a highly publicized exposure, said Dan Potter, chief marketing officer at Datawatch, which helps businesses users prepare and analyze data from a variety of sources.
“The big concern, the big risk, is around data breach because now you’ve got data being moved from governed systems — like a database or data warehouse that are well-managed and well-governed and controlled — to something that is now living on the desktop of an analyst and therefore being shared with other people in a non-governed way.”
Take the recent breach at retailer Kiddicare. Earlier this month the company notified nearly 800,000 customers that their names, addresses and telephone numbers may have been stolen after a test website using real customer information was compromised.
However, using real data on a test site tends to be a bad practice, noted security blogger Graham Cluley. As a test site, things are expected to go wrong, and in the case of Kiddicare, they did.
“Unfortunately, time and time again it’s seen that companies can be sloppier about the security of their test sites than their official sites — opening opportunities for data thieves and hackers,” Cluley wrote. “For that reason it’s usually much safer to generate fake data for testing purposes – just in case.”
Importance of Data Masking
Redaction and data masking can provide the best of both worlds: analysts across all departments are free to examine the data they want, and the sensitive information is removed or replaced with innocuous data.
This can help ensure you’re staying compliant with both government regulations and corporate policy. For example, if the employees names and insurance numbers had been masked in the data behind the trust’s equality and diversity metrics, the mistaken disclosure of that information would have been much less significant.
Potter added, “There’s a whole host of other kinds of data that people need to be very, very careful with in making sure that they’re masking it in some way because as you move to self-service analytics it does create more risk.”
Listen to the full conversation with Datawatch for more about business intelligence and data masking.
About the Podcast In early May Blackpool Teaching Hospitals NHS Foundation Trust was fined £185,000 by the United Kingdom’s Information Commissioner’s Office for inadvertently publishing the personal details of 6,574 staff on its website. And last week retailer Kiddicare announced that 800,000 customers were impacted after a test site using real customer information was compromised by hackers. The incidents highlight a growing problem. Organizations have more data than ever, and that sensitive data is often being shared with other departments or with third parties for a variety of purposes.
On today’s Cyber Chat we talk with Datawatch chief product officer Jon Pilkington and chief marketing officer Dan Potter about business intelligence, the importance of data masking and how businesses can protect their sensitive information when it’s being shared both inside and outside of the organization.