Search

Brian Pennington

A blog about Cyber Security & Compliance

Tag

Malware

Breaches caused by either hacking or malware nearly doubled in relative frequency

Beazley, a leading provider of data breach response insurance, today released its Beazley Breach Insights 2016 findings based on its response to over 2,000 breaches in the past two years. The specialized Beazley Breach Response (BBR) Services unit responded to 60% more data breaches in 2015 compared to 2014, with a concentration of incidents in the healthcare, financial services and higher education sectors.

Key data:

  • Breaches caused by either hacking or malware nearly doubled in relative frequency over the past year. In 2015, 32% of all incidents were caused by hacking or malware vs. 18% in 2014.
  • Unintended disclosure of records – such as a misdirected email – accounted for 24% of all breaches in 2015, which is down from 32% in 2014.
  • The loss of non-electronic physical records accounted for 16% of all breaches in 2015, which is unchanged from 2014.
  • The proportion of breaches involving third party vendors more than tripled over the same period, rising from 6% of breaches in 2014 to 18% of breaches in 2015.

Beazley’s data breach statistics are based on 777 incidents in 2014 and 1,249 in 2015.

We saw a significant rise in incidents caused by hacking or malware in the past year,” said Katherine Keefe, global head of BBR Services. This was especially noticeable in healthcare where the percentage of data breaches caused by hacking or malware more than doubled

Ransomware on the rise in healthcare

Hackers are increasingly employing ransomware to lock up an organization’s data, holding it until a ransom is paid in nearly untraceable Bitcoin. Hollywood Presbyterian Hospital in Los Angeles reported suffering a ransomware attack in February 2016 and ultimately paid the hackers $17,000 in Bitcoin. A year earlier, the FBI had issued an alert warning that ransomware attacks were on the rise.

This trend is borne out by Beazley’s data. Breaches involving ransomware among Beazley clients more than doubled to 43 in 2015 and the trend appears to be accelerating in 2016. Based on figures for the first two months of the year, ransomware attacks are projected to increase by 250% in 2016.

Clearly, new malware programs, including ransomware, are having a big impact, said Paul Nikhinson, privacy breach response services manager for BBR Services. Hacking or malware was the leading cause of data breaches in the healthcare industry in 2015, representing 27% of all breaches, more than physical loss at 20%

Healthcare is a big target for hackers because of the richness of medical records for identity theft and other crimes. In fact, a medical record is worth over 16 times more than a credit card record.”

Higher Education

Higher education also experienced an increase in breaches due to hacking or malware with these accounting for 35% of incidents in 2015, up from 26% in 2015.

Colleges and universities are reporting increased “spear phishing” incidents in which hackers send personalized, legitimate-looking emails with harmful links or attachments. The relatively open nature of campus IT systems, widespread use of social media by students and a lack of the restrictive controls common in many corporate settings make higher education institutions particularly vulnerable to data breaches.

Financial Services

In the financial services sector, hacking or malware was up modestly to 27% of industry data breaches in 2015 versus 23% in 2014. Trojan programs continued to be a popular hacking device.

Advertisements

Are British Businesses over confident about the threat of data breaches?

Ilex International have launched their Breach Confidence Index. The Index is a benchmark survey created to monitor the level of confidence that British businesses have when it comes to security breaches. The Index shows high confidence levels

  • 24% of IT decision makers surveyed very confident
  • 59% fairly confident that their business is protected against a data security breach

The Breach Confidence Index raises major concerns for British businesses. Businesses are not currently required to report security breaches and in many cases, may not even know that they have experienced one. The survey found that 49% said their business has not experienced a security breach. In comparison to actual statistics shared at the 2015 Cyber Symposium, there is a major gap between the perception and reality of security breaches among businesses.

According to the survey the most common weaknesses resulting in a Data Breach were
22% MALWARE VULNERABILITIES
21% EMAIL SECURITY
15% EMPLOYEE EDUCATION
12% CLOUD APPLICATIONS
12% INSIDER THREATS
8% ACCESS CONTROL
8% BYOD OR MOBILE ACCESS
6% NON-COMPLIANCE TO CURRENT REGULATIONS

Weaknesses relating to identity and access management considerably increase as organisations expand their workforce. Some of the most common issues highlighted by large businesses include:

  • 44% insider threats
  • 42% employee education
  • 26% access control
  • 24% BYOD or mobile access

All figures in the Ilex International Breach Confidence Index, unless otherwise stated, are from YouGov Plc. Total sample size was 530 IT Decision Makers. Fieldwork was undertaken between 6th – 12th August 2015. The survey was carried out online.

Payment Card Industry issues new guidance to help organizations respond to data breaches

For any organization connected to the internet, it is not a question of if but when their business will be under attack, according to a recent cybersecurity report from Symantec, which found Canada ranked No. 4 worldwide in terms of ransomware and social media attacks last year. These increasing attacks put customer information, and especially payment data at risk for compromise.

When breaches do occur, response time continues to be a challenge. In more than one quarter of all breaches investigated worldwide in 2014 by Verizon, it took victim organization weeks, or even months, to contain the breaches. It is against this backdrop that global cybersecurity, payment technology and data forensics experts are gathering in Vancouver for the annual PCI North America Community Meeting to address the ongoing challenge of protecting consumer payment information from criminals, and new best practices on how organizations can best prepare for responding to a data breach. 

A data breach now costs organizations an average total of $3.8 million. However, research shows that having an incident response team in place can create significant savings. Developed in collaboration with the Payment Card Industry (PCI) Forensic Investigators (PFI) community, Responding to a Data Breach: A How-to Guide for Incident Management provides merchants and service providers with key recommendations for being prepared to react quickly if a breach is suspected, and specifically what to do contain damage, and facilitate an effective investigation. 

The silver lining to high profile breaches that have occurred is that there is a new sense of urgency that is translating into security vigilance from the top down, forcing businesses to prioritize and make data security business-as-usual,” said PCI SSC General Manager Stephen W. Orfei. “Prevention, detection and response are always going to be the three legs of data protection. Better detection will certainly improve response time and the ability to mitigate attacks, but managing the impact and damage of compromise comes down to preparation, having a plan in place and the right investments in technology, training and partnerships to support it

This guidance is especially important given that in over 95% of breaches it is an external party that informs the compromised organization of the breach,” added PCI SSC International Director Jeremy King. “Knowing what to do, who to contact and how to manage the early stages of the breach is critical

At its annual North America Community Meeting in Vancouver this week, the PCI Security Standards Council will discuss these best practices in the context of today’s threat and breach landscape, along with other standards and resources the industry is developing to help businesses protect their customer payment data. Keynote speaker cybersecurity blogger Brian Krebs will provide insights into the latest attacks and breaches, while PCI Forensic Investigators and authors of the Verizon Data Breach Investigation Report and PCI Compliance Report, will present key findings from their work with breached entities globally. Canadian organizations including City of Calgary, Interac and Rogers will share regional perspectives on implementing payment security technologies and best practices. 

Download a copy of Responding to a Data Breach: A How-to Guide for Incident Management here 

The original PCI SSC press release can be found here.

Cost of Phishing and Value of Employee Training

The Ponemon Institute has presented the results of it’s study the Cost of Phishing and Value of Employee Training sponsored by Wombat Security. The purpose of this research is to understand how training can reduce the financial consequences of phishing in the workplace.

Phishing

The research reveals the majority of costs caused by successful phishing attacks are the result of the loss of employee productivity. Based on the analysis described later in this report, Ponemon extrapolate an average improvement of 64% from six proof of concept training projects. This improvement represents the change in employees who fell prey to phishing scams in the workplace before and after training.

As a result of effective training provided by Wombat, Ponemon estimate a cost savings of $1.8 million or $188.4 per employee/user. If companies paid Wombat’s standard fee of $3.69 per user for a program for up to 10,000 users, Ponemon determine a very substantial net benefit of $184.7 per user, for a remarkable one-year rate of return at 50X.

To determine the cost structure of phishing, Ponemon  surveyed 377 IT and IT security practitioners in organizations in the United States. 39% of respondents are from organizations with 1,000 or more employees who have access to corporate email systems.

The topics covered in this research include the following:

  • The financial consequences of phishing scams
  • The financial impact of phishing on employee productivity
  • The cost to contain malware
  • The cost of malware not contained & the likelihood it will cause a material data breach
  • The cost of business disruption due to phishing
  • The cost to contain credential compromises
  • Potential cost savings from employee training

Phishing scams are costly. Often overlooked is the potential cost to organizations when employees are victimized by phishing scams. Ponemon’s cost analysis includes the cost to contain malware, the cost not contained, loss of productivity, the cost to contain credential compromises and the cost of credential compromises not contained. Based on these costs, the extrapolated total annual cost of phishing for the average-sized organization in Ponemon’s sample totals $3.77 million.

Summarized calculus on the cost of phishing. Estimated cost.
Part 1. The cost to contain malware $208,174
Part 2. The cost of malware not contained $338,098
Part 3. Productivity losses from phishing $1,819,923
Part 4. The cost to contain credential compromises $381,920
Part 5. The cost of credential compromises not contained $1,020,705
Total extrapolated cost $3,768,820

The average total cost to contain malware annually is $1.9 million. The first step in understanding the overall cost is to analyze the six tasks to contain malware infections. Drawing from the empirical findings of an earlier study, Ponemon  were able to derive cost estimates relating to six discrete tasks conducted by companies to contain malware infections in networks, enterprise systems and endpoints. The table below summarizes the annual hours incurred for six tasks by the average-sized organization on an annual basis. The largest tasks incurred to contain malware involve the cleaning and fixing of infected systems and conducting forensic investigations.

Documentation and planning represents the smallest tasks in terms of hours spent each year.

Six tasks to contain malware infections. Estimated hours per annum.

Planning 910
Capturing intelligence 3,806
Evaluating intelligence 2,844
Investigating 10,338
Cleaning & fixing 11,955
Documenting 671
Total hours 30,524

The annual cost to contain malware is based on the hours to resolve the incident. These cost estimates are based on a fully loaded average hourly labor rate for US-based IT security practitioners of $62. As can be seen, the extrapolated total cost to contain malware is $1.89 million.

The adjusted cost of malware containment resulting from phishing scams is $208,174 per annum. The final step in determining the cost of malware containment attributable to phishing is to calculate the percentage of malware incidents unleashed by successful phishing scams.

Response to the survey question, “What percent of all malware infections is caused by successful phishing scams?” The percentage rate of malware infections caused by phishing scams was based on Ponemon’s  independent survey of IT security practitioners. As can be seen, the estimated range is less than 1% to more than 50%. The extrapolated average rate is 11%.

Drawing from the above analysis, Ponemon estimate the cost of malware containment as 11% of the previously calculated total cost of $1.9 million.

Cost of malware not contained

In this section, Ponemon estimate the cost of malware not contained at the device level to be $105.9 million. In other words, this cost occurs because malware evaded traditional defenses such as firewalls, anti-malware software and intrusion prevention systems. In this state Ponemon  assume the malware becomes weaponized for attack.

Following are two attacks caused by weaponized malware:

  1. Data exfiltration (a.k.a. material data breach)
  2. Business disruptions

Ponemon determine a most likely cost using an expected cost framework, which is defined as:

Expected cost = Probable maximum loss (PML) x Likelihood of occurrence [over a 12-month period].

Respondents in Ponemon’s  survey were asked to estimate the probable maximum loss (PML) resulting from a material data breach (i.e., exfiltration) caused by weaponized malware. Ponemon’s research shows the distribution of maximum losses ranging from less than $10 million to more than $500 million.

The extrapolated average PML resulting from data exfiltration is $105.9 million.

What is the likelihood of weaponized malware causing a material data breach? In the context of this research, a material data breach involves the loss or theft of more than 1,000 records. Respondents were asked to estimate the likelihood of this occurring. According to the research the probability distribution ranges from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.9 percent over a 12-month period.

The cost of business disruption due to phishing is $66.9 million. Respondents were asked to estimate the PML resulting from business disruptions caused by weaponized malware. Business disruptions include denial of services, damage to IT infrastructure and revenue losses. The research shows the distribution of maximum losses ranging from less than $10 million to $500 million. The extrapolated average PML resulting from data exfiltration is $66.9 million.

How likely are business disruptions due to weaponized malware? Respondents were asked to estimate the likelihood of material business disruptions caused by weaponized malware. The research shows the probability distribution ranging from less than .1% to more than 5%. The extrapolated average likelihood of occurrence is 1.6% over a 12-month period.

The table below shows the expected cost of malware attacks relating to data exfiltration ($2 million) and disruptions to IT and business processes ($1.1 million). The total amount of $3.1 million is adjusted for the 11% of malware attacks originating from phishing scams, which yields an estimated cost of $338,098 per annum.

Recap for the cost of malware not contained Calculus
Probable maximum loss resulting from data exfiltration $105,900,000
Likelihood of occurrence over the next 12 months 1.90%
Expected value $2,012,100
Probable maximum loss resulting from business disruptions (including denial of services, damage to IT infrastructure and revenue losses) $66,345,000
Likelihood of occurrence over the next 12 months 1.60%
Expected value $1,061,520
Total cost of malware not contained $3,073,620
Percentage rate of malware infections caused by phishing scams 11%
Adjusted total cost attributable to phishing scams $338,098

Employees waste an average of 4.16 hours annually due to phishing scams. As previously discussed, the majority of costs (52%) are due to the decline in employee productivity as a result of being phished. In this section, Ponemon estimate the productivity losses associated with phishing scams experienced by employees during the workday. Drawing upon Ponemon’s  survey research, Ponemon  extrapolated the total hours spent each year by employees/users viewing and possibly responding to phishing emails.

The research shows the distribution of time wasted for the average employee (office worker) due to phishing scams. The range of response is less than 1 hour to more than 25 hours per employee each year.

What is the cost to respond to a credential compromise? In this section, Ponemon estimate the costs incurred by organizations to contain credential compromises that originated from a successful phishing attack, including the theft of cryptographic keys and certificates. Ponemon’s  first step in this analysis is to estimate the total number of compromises expected to occur over the next 12 months. The range of responses includes zero to more than 10 incidents.

How likely will a material data breach occur if the credential compromise is not contained? Respondents were asked to estimate the likelihood of a material data breach caused by credential compromise. Ponemon’s research shows the probability distribution ranging from less than .1% to 5%. The extrapolated average likelihood of occurrence is 4% over a 12-month period.

In this section, Ponemon estimates the potential cost savings that result from employee education that provides actionable advice and raises awareness about phishing and other related topics. As a starting point to this analysis, Ponemon obtained six proof of concept studies completed for six large companies.

These reports provided detailed findings that show the phishing email click rate for employees both before and after training. Ponemon provides the actual improvements experienced by companies, ranging from 26 to 99%, respectively. The average improvement for all six companies is 64%.

As a result of Wombat’s training on phishing that includes mock attacks and follow-up with indepth training, Ponemon estimate a high knowledge retention rate. Based on well-known research, training that focuses on actual practices should result in an average retention rate of approximately 75%. Applying this retention rate against the average improvement shown in the six proof of concept studies, Ponemon  estimate a net long-term improvement in fighting phishing scams of 47.75%.

Proof of concept results Improvement %
Company A 99%
Company B 72%
Company C 54%
Company D 26%
Company E 62%
Company F 69%
Average improvement 64%
Expected diminished learning retention over time (1-75%) 25%
Average net improvement 47.75%

The figures below provides a simple analysis of potential cost savings accruing to organizations that use an effective training approach to mitigating phishing scams. As shown before, Ponemon estimate a total cost of phishing for an average-sized organization at $3.77 million.

Assuming a net improvement of 47.75%, Ponemon estimate a cost savings of $1.80 million or $188.40 per employee/user. At a fee of $3.69 per employee/user, Ponemon determine a very substantial net benefit of $184.71 per user, or a one-year rate of return of 50X.

Calculating net benefit of Wombat training on phishing Calculus
Total cost of phishing $3,768,820
Estimated cost savings assuming net improvement at 47.75% $1,799,612
Extrapolated headcount for the average-sized organization 9,552
Estimated cost savings per employee $188.40
Estimated fee of Wombat training per user $3.69
Estimated net benefit of Wombat training per user $184.71
Estimated one-year rate of return = Net benefit ÷ Fee 50X

Top 5 Strategic Infosec issues in Higher Education

The EDUCAUSE infographic of the Top Five strategic information security issues for Higher Education:-

  1. Developing an effective information security strategy that responds to institutional organization and culture and that elevates information security concerns to institutional leadership.
  2. Ensuring that members of the institutional community (students, faculty, and staff) receive information security education and training.
  3. Developing security policies for mobile, cloud, and digital resources (includes issues of data handling/protection, access control, and end-user awareness).
  4. Using risk-management methodologies to identify and address information security priorities.
  5. Developing, testing, and refining incident response capabilities to respond to information systems/data breaches.

The Infographic is below:-

educause-infographic'

Tor detections jump by more than 1,000%

Vectra Networks announced the results of the second edition of its “Post-Intrusion Report”, a real-world study about threats that evade perimeter defenses and what attackers do once they get inside your network.

Report data was collected over six-months from 40 customer and prospect networks with more than 250,000 hosts, and is compared to results in last year’s report. The new report includes detections of all phases of a cyber attack and exposes trends in malware behavior, attacker communication techniques, internal reconnaissance, lateral movement, and data exfiltration.

According to the report, there was non-linear growth in lateral movement (580%) and reconnaissance (270%) detections that outpaced the 97% increase in overall detections compared to last year. These behaviors are significant as they show signs of targeted attacks that have penetrated the security perimeter.

While command-and-control communication showed the least amount of growth (6%), high-risk Tor and external remote access detections grew significantly. In the new report, Tor detections jumped by more than 1,000% compared to last year and accounted for 14% of all command-and-control traffic, while external remote access shot up by 183% over last year.

The report is the first to study hidden tunnels without decrypting SSL traffic by applying data science to network traffic.

A comparison of hidden tunnels in encrypted traffic vs. clear traffic shows that HTTPS is favored over HTTP for hidden tunnels, indicating an attacker’s preference for encryption to hide their communications.

The increase in lateral movement and reconnaissance detections shows that attempts at pulling off targeted attacks continue to be on the rise,” said Oliver Tavakoli, Vectra Networks CTO. “The attackers’ batting average hasn’t changed much, but more at-bats invariably has translated into more hits

Key findings of the study include:

  • Botnet monetization behavior grew linearly compared to last year’s report. Ad click-fraud was the most commonly observed botnet monetization behavior, representing 85% of all botnet detections.
  • Within the category of lateral movement detections, brute-force attacks accounted for 56%, automated replication accounted for 22% and Kerberos-based attacks accounted for 16%. Although only the third most frequent detection, Kerberos-based attacks grew non-linearly by 400% compared to last year.
  • Of internal reconnaissance detections, port scans represented 53% while darknet scans represented 47%, which is fairly consistent with behavior detected last year.
  • Lateral-movement detections, which track the internal spread of malware and authentication-based attacks such as the use of stolen passwords, led the pack with over 34% of total detections.
  • Command and control detections, which identify a wide range of malicious communication techniques, were close behind with 32% of detections.
  • Botnet monetization detections track the various ways criminals make money from ad click-fraud, spamming behavior, and distributed denial of service (DDoS) attacks. These botnet-related behaviors accounted for 18% of all detections.
  • The reconnaissance category looks for internal reconnaissance performed by an attacker already inside the network and represented 13% of detections.
  • Exfiltration detections look for the actual theft of data. The good news here is that it was by far the least common category of detection at 3%.

The data in the Post-Intrusion Report is based on metadata from Vectra customers and prospects who opted to share detection metrics from their production networks. Vectra identifies active threats by monitoring network traffic on the wire in these environments. Internal host-to-host traffic and traffic to and from the Internet are monitored to ensure visibility and context of all phases of an attack.

The latest report offers a first-hand analysis of active “in situ” network threats that bypass next-generation firewalls, intrusion prevention systems, malware sandboxes, host-based security solutions, and other enterprise defenses. The study includes data from 40 organizations in education, energy, engineering, financial services, government, healthcare, legal, media, retail, services, and technology.

The full report can be found here

Workers Ignoring Known Cyber Risks, Surfing Adult Content and Downloading Unapproved Apps

Blue Coat Systems global survey of 1580 respondents across 11 countries highlights a global trend of employees ignoring cyber risks while at work. Results from the survey found that universally, workers visit inappropriate websites while at work despite typically being fully aware of the risks to their companies.

Blue Coat’s research, conducted by independent research firm Vanson Bourne, found the actions of employees at odds with their awareness of the growing cyber threats facing the workplace. In addition, this risky behaviour can leave both sensitive corporate and personal data open to being stolen and used immediately, stored for future use, or sold into a thriving black market where compromised corporate and personal identities are traded globally.

One source of cyber threats is the practice of phishing. Cyber criminals continuously conduct extensive research on employees’ social profiles to find information that can be used to attack organizations. For example, an attacker may create a seemingly personalized email targeted at an IT administrator for a large enterprise using information found on social media profiles, such as the recipient’s alma mater or favourite sports team. That email may contain malware that is downloaded once the recipient clicks on a link included in the document.

Pornography continues to be one of the most popular methods of hiding malware or malicious content. Even though awareness is high of the threat posed by adult content sites, workers are still visiting these potentially dangerous sites.

The Blue Coat survey found that at 19%, China has the worst record for viewing adult content sites on a work device, with Mexico (10%) and the UK (9%) not far behind. 

Survey Highlights

The majority of global survey participants admitted understanding the obvious cyber threats when downloading email attachments from an unknown sender, or using social media and unapproved apps from corporate networks without permission, but knowing this, did not curb their risk-taking.

Other findings include:

  • 65% of global respondents view using a new application without the IT department’s consent as a serious cyber-security risk to the business, 26% admitted doing so.
  • 37% of respondents in Singapore used new applications without IT’s permission, compared to 33% in the UK and 30% in India and Mexico. On the flip side, Australia and France were the lowest offenders at 14% and 16% respectively; however, any number puts businesses at risk.
  • Obvious behaviours such as opening emails from unverified senders still happen at work. 29% of Chinese employees open email attachments from unverified senders, even though 72% see it as a serious risk. US businesses view the threat even more seriously (80%) and open less unsolicited emails (17%).
  • 41% use social media sites for personal reasons at work, a serious risk to businesses, as cyber criminals hide malware on shortened links and exploit encrypted traffic to deliver payloads.
  • 6% of global respondents still admitted viewing adult content on work devices, China ranked as the worst offender with 19% employees admitting to viewing adult content at work, compared to Australia and Germany, both at 2%

While the majority of employees are aware of cyber security risks, in practice most still take chances,” said Dr. Hugh Thompson, CTO for Blue Coat. “The consumerization of IT and social media carry mixed blessings to enterprises. It is no longer realistic to prevent employees from using them, so businesses need to find ways to support these technology choices while simultaneously mitigating the security risks

The history of mobile threats, 2004 to 2015

Sophos have created this timeline of mobile threats going back to 2004. It’s by no means comprehensive, but it gives you a good idea of how threats have evolved in a short period of time.

sophos-mobile-malware-infographic-700

Mobile Insecurity as an Infographic

IBM Mobile Insecurity

Reducing Cyber Risk; Marine transportation system Cybersecurity standards, liability protection and Cyber Insurance

An article in the Coast Guard Journal of Safety & Security at Sea written by David Dickman, Diz Locaria and Jason Wool Container shipcontains a very interesting article “Reducing Cyber Risk; Marine transportation system cybersecurity standards, liability protection, and cyber insurance”.

An excerpt:

Within our nation’s marine transportation system (MTS), computers, information networks, and telecommunications systems support fundamental port and maritime operations.

While this technology provides great benefits, it also introduces vulnerabilities.

In several recent incidents, bad actors exploited cyber weaknesses within MTS elements with significant repercussions.

Some examples include:

  • Somali pirates have exploited online navigational data to choose which vessel to target for hijack
  • hackers incapacitated a floating oil rig by tilting it and forcing it to shut down
  • malware caused another drilling rig to shut down for 19 days, after bringing systems to a standstill
  • hackers infiltrated computers connected to the Port of Antwerp, located specific containers, made off with
    smuggled drugs, and deleted the records.

The full article can be found in the journal by clicking here.

BlackEnergy malware threat has some cybersecurity experts uneasy

powergridA malicious software dubbed BlackEnergy has intrigued and frightened cybersecurity experts, in part because of its intent and in part because of its origin.

BlackEnergy is designed to target critical energy infrastructure and is believed to have originated with Russian government-sponsored hackers.

The Department of Homeland Security’s Oct. 29 cyberthreat alert was, unfortunately, business as usual for many of the nation’s companies. However, with the potential attack on water, electricity and other features of the nation’s critical infrastructure linked to Russian cyber criminals, security practices within private companies have become the public’s business.

“It’s really a very serious issue and the fact that sometimes it’s very difficult to detect [this type of malware] and sometimes the places that house industrial control systems may or may not follow very consistent, very rigorous, security practices creates a huge problem,” said James Joshi, a University of Pittsburgh associate professor and lead faculty member of the school’s Information Assurance Program.

DHS announced Oct. 29 that several industrial control systems — vendor-issued programs used by private companies to manage internal systems — had been infected by a variant of a Trojan horse malware program called BlackEnergy.

Infected programs such as GE Cimplicity, Siemens WinCC and Advantech/Broadwin WebAccess have been used by companies responsible for portions of the country’s critical infrastructure, including “water, energy, property management and industrial control systems vendors” according to DHS. BlackEnergy shows enough similarities to a malware called Sandworm — which was used during a 2013 Russian cyber-espionage campaign against NATO, the European Union and overseas telecommunication and energy sectors — that DHS believes they could be “part of a broader campaign by the same threat actor.”

So far, there’s no sign anyone has tried to take control of any critical infrastructure systems through BlackEnergy. However, the malware is described as “highly modular” in the DHS alert and could be lurking inside of yet-to-be discovered files and media.

With control of nuclear facilities and the electrical grid at risk, Mr. Joshi said too much is at stake for the nation to treat this like threats of the past.

“I think we should really seriously consider this. We’re talking about critical infrastructure and I think this kind of malware is very difficult to detect, stays around for a long time and someone who is behind these gets control of the system they can do anything to the system that they compromise,” he said.

Local utilities say they are on alert.

Duquesne Light became aware of the BlackEnergy threat more than three weeks ago, according to spokesman Brian Knavish, and has since performed a “targeted analysis” to determine if it has been impacted. The company concluded it wasn’t.

BlackEnergy is a “credible threat,” Mr. Knavish said, but “there are a lot of these and some of them get more attention than others.”

In recent years, the electric utility that serves 584,000 customers Allegheny and Beaver counties has beefed up its cybersecurity staffing and receives information about threats from many varied sources, including Homeland Security, the Federal Bureau of Investigations, and others in the energy industry.

“Any threat is taken very seriously,” he said. “There’s always viruses out there.”

FirstEnergy Corp., the Ohio-based parent of West Penn Power, which also operates a number of power plants in the region and a transmission line business that serves this area, said it too has been made aware of BlackEnergy and works with industry organizations to monitor the threat.

The flow of electricity in Pennsylvania and 12 surrounding states is managed by PJM Interconnection, a Valley Forge-based grid operator that oversees the largest grid in the U.S. A spokesman for PJM, Paula DuPont-Kidd, said the organization knows about the threat, “however, like all cybersecurity threats, we continually monitor and arm ourselves with the best strategies to protect the grid and our market.”

North Shore-based utility Peoples Natural Gas said it doesn’t use any of the software identified as the target of BlackEnergy and did not detect the malware in its network after it became aware of the threat.

Peoples, which has 14,000 miles of pipeline in its network, operates its assets through a standalone system that’s not connected to the Internet, according to spokesman Barry Kukovich. That’s by design.

“This eliminates over 99 percent of these malicious threats,” Mr. Kukovich said.

Josephine Posti, a spokeswoman for Pennsylvania American Water, said the company, which regularly works with Homeland Security and the Environmental Protection Agency to protect the water supply, is aware of the threat and has not been impacted by it.

“There’s no such thing as 100 percent security,” said Scott Aaronson, senior director of national security policy for the Edison Electric Institute in Washington, D.C. “What we’re doing is not risk elimination, it’s risk management.”

BlackEnergy is one of many threats and vulnerabilities monitored by the trade organization on a regular basis. Some are identified by government agencies, some by companies, and others by researchers, he said.

The Institute, which is central to the information exchange between the groups, has been aware of BlackEnergy for about a month, Mr. Aaronson said.

There has never been a cyberattack in the U.S. that has affected the distribution of power, he said, but there are cyberattacks all the time that successfully target the industry’s business units.

“There are two kinds of companies: those that have been attacked and those that don’t know it yet,” Mr. Aaronson said.

The industry has three lines of defense against such attacks, he said. One is standards — electric utilities and the nuclear industry are the only two sectors with mandatory cybersecurity standards enforceable through hefty fines from the Federal Energy Regulatory Commission. Another is the coordination between government and industry groups. The third is incident response.

“You cannot protect everything from everything,” Mr. Aaronson said. “We may not succeed” in preventing a cyberattack, he said. The question is “how do you recover quickly? How do you make sure that any damage that is done is not catastrophic, but is simply a nuisance?”

Companies operating or managing critical infrastructure generally follow a set of standard practices recommended by the National Institute of Technology, said Mr. Joshi. However he added that individual companies may not follow standards as rigorously as they should, particularly those dealing with industrial control systems. He also said security standards at large might need an across-the-board overhaul in a digital environment that’s more connected than ever before.

The potential link to a nation-state raises the stakes even higher, he continued.

“I think we should be scared and take this very seriously because it could be a nation-state issue. But the fact is, once the tools are there they could just leave it out and anyone could do [the attack.]” he said.

DHS spokesman S.Y. Lee confirmed that the department contacted several entities affected by the malware but declined to say how many. He also said the agency believes there are several entities that do not yet know they have been hacked.

The Oct. 29 threat alert included information to detect the malware and mitigation strategies, including keeping control system devices off the Internet, protecting systems and devices with firewalls and monitoring administrator level accounts used by third party vendors.

By Anya Litvak: alitvak@post-gazette.com and Deborah M. Todd / Pittsburgh Post-Gazette. Originally published here.

THE MANY FACES OF HACKERS: The Personas to Defend Against

Many Faces of a Hacker

Infographic from Narus.

Cyber Attacks on U.S. Companies in 2014

The spate of recent data breaches at big-name companies such as JPMorgan Chase, Home Depot, and Target raises questions about the effectiveness of the private sector’s information security.

According to FBI Director James Comey

There are two kinds of big companies in the United States. There are those who’ve been hacked…and those who don’t know they’ve been hacked

A recent survey by the Ponemon Institute showed the average cost of cyber crime for U.S. retail stores more than doubled from 2013 to an annual average of $8.6 million per company in 2014. The annual average cost per company of successful cyber attacks increased to $20.8 million in financial services, $14.5 million in the technology sector, and $12.7 million in communications industries.

This paper lists known cyber attacks on private U.S. companies since the beginning of 2014. (A companion paper discussed cyber breaches in the federal government.) By its very nature, a list of this sort is incomplete. The scope of many attacks is not fully known. For example, in July, the U.S. Computer Emergency Readiness Team issued an advisory that more than 1,000 U.S. businesses have been affected by the Backoff malware, which targets point-of-sale (POS) systems used by most retail industries. These attacks targeted administrative and customer data and, in some cases, financial data.

This list includes only cyber attacks that have been made known to the public. Most companies encounter multiple cyber attacks every day, many unknown to the public and many unknown to the companies themselves.

The data breaches below are listed chronologically by month of public notice.

January

  • Target (retail). In January, Target announced an additional 70 million individuals’ contact information was taken during the December 2013 breach, in which 40 million customer’s credit and debit card information was stolen.
  • Neiman Marcus (retail). Between July and October 2013, the credit card information of 350,000 individuals was stolen, and more than 9,000 of the credit cards have been used fraudulently since the attack. Sophisticated code written by the hackers allowed them to move through company computers, undetected by company employees for months.
  • Michaels (retail). Between May 2013 and January 2014, the payment cards of 2.6 million Michaels customers were affected. Attackers targeted the Michaels POS system to gain access to their systems.
  • Yahoo! Mail (communications). The e-mail service for 273 million users was reportedly hacked in January, although the specific number of accounts affected was not released.

April

  • Aaron Brothers (retail). The credit and debit card information for roughly 400,000 customers of Aaron Brothers, a subsidiary of Michaels, was compromised by the same POS system malware.
  • AT&T (communications). For two weeks AT&T was hacked from the inside by personnel who accessed user information, including social security information.

May

  • eBay (retail). Cyber attacks in late February and early March led to the compromise of eBay employee log-ins, allowing access to the contact and log-in information for 233 million eBay customers. eBay issued a statement asking all users to change their passwords.
  • Five Chinese hackers indicted. Five Chinese nationals were indicted for computer hacking and economic espionage of U.S. companies between 2006 and 2014. The targeted companies included Westinghouse Electric (energy and utilities), U.S. subsidiaries of SolarWorld AG (industrial), United States Steel (industrial), Allegheny Technologies (technology), United Steel Workers Union (services), and Alcoa (industrial).
  • Unnamed public works (energy and utilities). According to the Department of Homeland Security, an unnamed public utility’s control systems were accessed by hackers through a brute-force attack on employee’s log-in passwords.

June

  • Feedly (communications). Feedly’s 15 million users were temporarily affected by three distributed denial-of-service attacks.
  • Evernote (technology). In the same week as the Feedly cyber attack, Evernote and its 100 million users faced a similar denial-of-service attack.
  • P.F. Chang’s China Bistro (restaurant). Between September 2013 and June 2014, credit and debit card information from 33 P.F. Chang’s restaurants was compromised and reportedly sold online.

August

  • U.S. Investigations Services (services). U.S. Investigations Services, a subcontractor for federal employee background checks, suffered a data breach in August, which led to the theft of employee personnel information. Although no specific origin of attack was reported, the company believes the attack was state-sponsored.
  • Community Health Services (health care). At Community Health Service (CHS), the personal data for 4.5 million patients were compromised between April and June. CHS warns that any patient who visited any of its 206 hospital locations over the past five years may have had his or her data compromised. The sophisticated malware used in the attack reportedly originated in China. The FBI warns that other health care firms may also have been attacked.
  • UPS (services). Between January and August, customer information from more than 60 UPS stores was compromised, including financial data, reportedly as a result of the Backoff malware attacks.
  • Defense Industries (defense). Su Bin, a 49-year-old Chinese national, was indicted for hacking defense companies such as Boeing. Between 2009 and 2013, Bin reportedly worked with two other hackers in an attempt to steal manufacturing plans for defense programs, such as the F-35 and F-22 fighter jets.

September

  • Home Depot (retail). Cyber criminals reportedly used malware to compromise the credit card information for roughly 56 million shoppers in Home Depot’s 2,000 U.S. and Canadian outlets.
  • Google (communications). Reportedly, 5 million Gmail usernames and passwords were compromised. About 100,000 were released on a Russian forum site.
  • Apple iCloud (technology). Hackers reportedly used passwords hacked with brute-force tactics and third-party applications to access Apple user’s online data storage, leading to the subsequent posting of celebrities’ private photos online. It is uncertain whether users or Apple were at fault for the attack.
  • Goodwill Industries International (retail). Between February 2013 and August 2014, information for roughly 868,000 credit and debit cards was reportedly stolen from 330 Goodwill stores. Malware infected the chain store through infected third-party vendors.
  • SuperValu (retail). SuperValu was attacked between June and July, and suffered another malware attack between late August and September. The first theft included customer and payment card information from some of its Cub Foods, Farm Fresh, Shop ‘n Save, and Shoppers stores. The second attack reportedly involved only payment card data.
  • Bartell Hotels (hotel). The information for up to 55,000 customers was reportedly stolen between February and May.
  • U.S. Transportation Command contractors (transportation). A Senate report revealed that networks of the U.S. Transportation Command’s contractors were successfully breached 50 times between June 2012 and May 2013. At least 20 of the breaches were attributed to attacks originating from China.

October

  • J.P. Morgan Chase (financial). An attack in June was not noticed until August. The contact information for 76 million households and 7 million small businesses was compromised. The hackers may have originated in Russia and may have ties to the Russian government.
  • Dairy Queen International (restaurant). Credit and debit card information from 395 Dairy Queen and Orange Julius stores was compromised by the Backoff malware.
  • Snapsave (communications). Reportedly, the photos of 200,000 users were hacked from Snapsave, a third-party app for saving photos from Snapchat, an instant photo-sharing app.

Securing Information

As cyber attacks on retail, technology, and industrial companies increase so does the importance of cybersecurity. From brute-force attacks on networks to malware compromising credit card information to disgruntled employees sabotaging their companies’ networks from the inside, companies and their customers need to secure their data. To improve the private sector’s ability to defend itself, Congress should:

  • Create a safe legal environment for sharing information. As the leaders of technological growth, private companies are in most ways at the forefront of cyber security. Much like government agencies, companies must share information that concerns cyber threats and attack among themselves and with appropriate private-public organizations. Congress needs to create a safe environment in which companies can voluntarily share information without fear of legal or regulatory backlash.
  • Work with international partners. As with the Backoff malware attacks, attacks can affect hundreds if not thousands of individual networks. These infected networks can then infect companies outside the U.S. and vice versa. U.S. and foreign companies and governments need to work together to increase overall cybersecurity and to enable action against individual cyber criminals and known state-sponsored cyber aggressors.
  • Encourage cyber insurance. Successful cyber attacks are inevitable because no security is perfect. With the number of breaches growing daily, a cybersecurity insurance market is developing to mitigate the cost of breaches. Congress and the Administration should encourage the proper allocation of liability and the establishment of a cyber insurance system to mitigate faulty cyber practices and human error.

Conclusion

The recent increases in the rate and the severity of cyber attacks on U.S. companies indicate a clear threat to businesses and customers. As businesses come to terms with the increasing threat of hackers, instituting the right policies is critical to harnessing the power of the private sector. In a cyber environment with ever-changing risks and threats, the government needs to do more to support the private sector in establishing sound cybersecurity while not creating regulations that hinder businesses more than help them.

Riley Walters is a Research Assistant in the Asian Studies Center, of the Kathryn and Shelby Cullom Davis Institute for National Security and Foreign Policy, at The Heritage Foundation.

The original research article can be found here.

NQ-Mobile-Mobile-Malware

Point of Sale Malware and the 7 stages of an attack.

Point of Sales Malware

Hospitality Industry alerted by the U.S. Secret Service on the threat of Keyloggers

The U.S. Secret Service has issued an advisory to the hospitality industry to be on alert for keyloggers on the computers in the business center. Whether your hotel received this advice or not, this is something that will undoubtedly affect your business in the near future. We’ve put together this brief guide on reacting to the advisory.

What happened?

  • According to the advisory issued by the Department of Homeland Security/Secret Services, (which can be found on osac.gov) Task force agents arrested a group of suspects that had installed keylogger software on computers in various hotel business centers.

The suspects were able to obtain large amounts of information including other guests’ personally identifiable information (PII), log in credentials to banks, retirement, and personal webmail accounts, as well as other sensitive data flowing through the business center’s computers

What is a keylogger?

How to check if a business center has been compromised

  • Physically inspect your keyboards and computers and their connections to ensure no unknown devices are present
  • Investigate active processes on the machine to determine if they are making malicious outbound communications that would be sending out the data collected by the keylogger
  • Perform a hash analysis of all files on the drive to see if they match any known malicious hash values

What to do if you have a compromised business center?

  • Remove or disconnect the computer from the network but leave the computer on and running
  • Engage a security consultant to determine the scope of the potential compromise to determine the best approach to remediate

What should you tell your compromised customers?

  • In accordance with state and industry breach rules, inform them of the facts
  • Let them know the steps you’ve taken to ensure it won’t happen again

How can you protect your business center?

  • Application and process whitelisting
  • Disable unused USB ports
  • Configure firewalls to block outbound connections to known malicious sites

Overall, the impact of this issue can be devastating to a business. Performing some or all of the proactive actions listed here can be critical to identifying these issues in your environment. In a perfect world, these proactive checks will find no evidence of intrusion or compromise. In that case, your business would be able to prove ‘due diligence’ in the face of this advisory, and could quell any customer concerns before they arose.

Written by Dan Fritsche, Practice Director, Coalfire Labs. The original post is here.

Top Concerns for 2014 from Today’s CISOs

According to Cisco’s 2014 Annual Security Report Top Concerns for 2014 from Today’s CISOs

As chief information security officers (CISOs) survey today’s threat landscape, they are faced with growing pressure to protect terabytes of data, meet stiff compliance regulations, and evaluate risks of working with third-party vendors and doing it all with shrinking budgets and lean IT teams. CISOs have more tasks than ever and sophisticated, complex threats to manage.

Principal security strategists for Cisco security services, who advise CISOs on security approaches for their organizations, offer this list of the most pressing concerns and challenges for 2014:-

Managing Compliance

The most pervasive concern among CISOs may be the need to protect data that resides throughout an increasingly porous network, while expending precious resources on compliance. Compliance alone is not equal to being secure it is simply a minimum baseline focusing on the needs of a special regulated environment. Security, meanwhile, is an all-encompassing approach that covers all business activities.

Trusting the Cloud

CISOs must make decisions on how to manage information safely with the finite budgets and time they are allotted. For example, the cloud has become a cost-effective and agile way to manage ever-growing storehouses of data, but it raises more worries for CISOs. Chief executive officers and boards of directors see the cloud as a panacea for eliminating costly hardware. They want the benefits of offloading data to the cloud, and expect the CISO to make it happen securely and quickly.

Trusting Vendors

As with the cloud, organizations tap into vendors to provide specialized solutions. The cost model for going with third parties makes sense. However, these vendors are high value targets for criminals, who know that third-party defences may not be as strong.

Bouncing Back from Security Breaches

All organizations should assume they’ve been hacked, or at least agree that it’s not a question of if they will be targeted for an attack, but when. Recent hacks such as Operation Night Dragon, the RSA breach, and the Shamoon attack against a large oil and gas company in 2012 are on the minds of many CISOs.

The three key findings from the Cisco 2014 Annual Security Report

1. Attacks against infrastructure are targeting significant resources across the Internet.

  • Malicious exploits are gaining access to web hosting servers, name servers, and data centers. This suggests the forming of überbots that seek high-reputation and resource-rich assets.
  • Buffer errors are a leading threat, at 21% of the Common Weakness Enumeration (CWE) threat categories.
  • Malware encounters are shifting toward electronics manufacturing and the agriculture and mining industries at about 6x the average encounter rate across industry verticals.

2. Malicious actors are using trusted applications to exploit gaps in perimeter security.

  • Spam continues its downward trend, although the proportion of maliciously intended spam remains constant.
  • Java comprises 91% of web exploits; 76% of companies using Cisco Web Security services are running Java 6, an end-of-life, unsupported version.
  • “Watering hole” attacks are targeting specific industry-related websites to deliver malware.

3. Investigations of multinational companies show evidence of internal compromise. Suspicious traffic is emanating from their networks and attempting to connect to questionable sites (100% of companies are calling malicious malware hosts).

  • Indicators of compromise suggest network penetrations may be undetected over long periods.
  • Threat alerts grew 14% year over year; new alerts (not updated alerts) are on the rise.
  • 99% of all mobile malware in 2013 targeted Android devices. Android users also have the highest encounter rate (71%) with all forms of web-delivered malware.

Cisco Security can be found here.

Top 10 Tips for Cyber Resilience in businesses

The dramatic increase in both the sophistication and frequency of cyber risks and attacks on businesses has profoundly changed the security threat landscape. Gone are the benign days of the Anna Kournikova virus or the “I Love You” bug. Today cyber risks and threats can lead to breaches of sensitive data, harming consumers, businesses and governments of all sizes. But there is a way to stay ahead of these risks by crafting an effective security strategy, and being cyber resilient.

Cyber resilience is not just about installing point products into your IT environment but rather it is about understanding a broader set of business and technical challenges. These include understanding the risks in an increasingly connected cyber world and in particular the risks facing an organisation with rapidly evolving technologies such as mobile, cloud, virtual, big data, and social; as well as increasing dependence on the Internet to conduct business.

Many businesses currently don’t have holistic IT security practices and technologies in place to deal with all of these new challenges. Breaches can and will happen. How businesses prepare for a breach is just as important as how they respond to one. Organisations should consider the following measures to mitigate the risk of an attack and become cyber resilient:

  1. Make security personal to your business – understand your business and how security can be built into your IT practices
  2. Baseline your security regularly – analyse your state of readiness, so that you can interpret the symptoms that can lead to a security incident
  3. Get executive and board engagement – cyber resilience starts at the top of the organisation
  4. Have a plan – security incidents happen every day. Develop a plan that addresses how businesses identify the important incidents and ensure they remain up and running no matter what
  5. Education – from board to new hire, it’s essential that everyone understands that they are responsible and accountable. All employees need to know what part they play in the bigger picture
  6. Do the basics well – leverage government and industry guidelines. This includes aspects such as patching and good user-level access management
  7. Plan for today and scale for the future – for example, BYOD is here to stay. Don’t just apply quick fixes; align your IT to a longer-term strategy
  8. Start small, but think big – Information protection is a long-term project, but organisations need to start where they will add the most business value and then expand where there is further, long-term value. For example, the supply chain and how an organisation interacts with its wider network of vendors and partners. The key is to think big but have a maturity plan, which must be linked to strategic business value and growth
  9. Be accountable – understand what the regulatory, legislative and peer-to-peer controls are that the business needs to adhere to. Make sure there is a clearly defined owner for each of these and an executive sponsor
  10. Don’t wait for it to happen – test your processes, procedures and people regularly. Make sure the business has clearly defined lifecycles that reflect changes in business strategy, technology use and culture. Make sure the strategy is current and effective for the business and the risks.

For an organisation to be cyber resilient there needs to be in place a strategy that adapts to the ever changing cyber security landscape. This strategy should not only make your organisation cyber resilient but it should be designed to make security your competitive advantage.

Written by Brenton Smith, Managing Director & VP Pacific at Symantec and original posted here.

Zurich Insurance identifies the “Seven cyber risks that threaten systemic shock”

A recent Zurich Cyber Risk Report argues that cyber-risk management professionals need to look beyond their internal information technology safeguards to interconnected risks which can build up relating to:-

  • Counterparties
  • Outsourced suppliers
  • Supply chains
  • Disruptive technologies
  • Upstream infrastructure
  • External shocks

Zurich warns that a build-up in these risks could create a failure on a similar scale to the 2008 financial crisis. Such interconnected risks are compounded when a company outsources the management of its servers, information technology and cyber security to focus on its core activities.

Little information may be known about the third party’s information security or business continuity safeguards and it may also in turn outsource activities to other companies.

The report calls for organisations to incorporate the best ideas from financial governance such as creating a G20+20 Cyber Stability Board to enhance cyber risk management and identifying and improving the governance of G-SIIOs (Global Significantly Important Internet Organisations).

Axel Lehmann, Group Chief Risk Officer and Regional Chairman Europe at Zurich Insurance Group, said: “The internet is the most complex system humanity has ever devised. Although it has been incredibly resilient for the past few decades, the risk is that the complexity which has made cyberspace relatively risk-free can and likely will backfire.

“Organizations are unknowingly exposed to risks outside their organization, having outsourced, interconnected or exposed themselves to an increasingly complex and unknowable web of networks.

“Few people truly understand their own computers or the internet, or the cloud to which they connect, just as few truly understood the financial system as a whole or the parts to which they are most directly exposed

Zurich’s Seven Cyber Risks are:-

Description Examples
Internal IT enterprise Risk associated with the cumulative set of an organization’s (mostly internal) IT Hardware; software; servers; and related people and processes
Counterparties and partners Risk from dependence on, or direct interconnection (usually non-contractual) with an outside organization University research partnerships; relationship between competing/cooperating banks; corporate joint ventures; industry associations
Outsourced and contract Risk usually from a contractual relationship with external suppliers of services, HR, legal or IT and cloud provider IT and cloud providers; HR, legal, accounting, and consultancy; contract manufacturing
Supply chain Both risks to supply chains for the IT sector and cyber risks to traditional supply chains and logistics Exposure to a single country; counterfeit or tampered products; risks of disrupted supply chain
Disruptive technologies Risks from unseen effects of or disruptions either to or from new technologies, either those already existing but poorly understood, or those due soon Internet of things; smart grid; embedded medical devices; driverless cars; the largely automatic digital economy
Upstream infrastructure Risks from disruptions to infrastructure relied on by economies and societies, especially electricity, financial systems, and telecommunications Internet infrastructure like internet exchange points, and submarine cables; some key companies and protocols used to run the internet (BGP and Domain Name System); internet governance
External shocks Risks from incidents outside the system, outside of the control of most organizations and likely to cascade Major international conflicts; malware pandemic

Create a free website or blog at WordPress.com.

Up ↑

%d bloggers like this: