 

Best Practices

 

ROUNDTABLE: Huge Capital One breach shows too little is being done to preserve data privacy

By Byron V. Acohido

Company officials at Capital One Financial Corp ought to have a crystal clear idea of what to expect next, after admitting to having allowed a gargantuan data breach.

Capital One’s mea culpa coincided with the FBI’s early morning raid of a Seattle residence to arrest Paige Thompson. Authorities charged the 33-year-old former Amazon software engineer with masterminding the hack.

Related: Hackers direct botnets to manipulate business logic

Thompson is accused of pilfering sensitive data for 100 million US and 6 million Canadian bank patrons. That includes Social Security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list.

Just a few days before Capital One’s disclosure, Equifax rather quietly agreed to pay up to $700 million to settle consumer claims and federal and state investigations into its 2017 data breach that compromised sensitive information of more than 145 million American consumers. Also very recently, the Federal Trade Commission slammed Facebook with a record $5 billion fine for losing control over massive troves of personal data and mishandling its communications with users.

Sure enough, it didn’t take long (less than 24 hours) for Keven Zosiak, a Stamford, Connecticut resident and Capital One credit card holder, to file a lawsuit against Capital One for its failure to protect sensitive customer data. Many more lawsuits, as well as federal probes and Congressional hearings, are sure to follow.

Oh, and let’s not forget how Equifax summarily canned five top execs, including Equifax CEO Richard Smith, in the aftermath of its big breach. Not even doing this YouTube video apology was enough to save Smith his job.  It’s going to be interesting to see who Capital One’s board of directors designates to throw under the bus on this one.

Larger lessons

Arguably the most fascinating twist to the Capital One caper is the FBI’s rather quick arrest of Paige Thompson. Arrests in network breaches are rare, indeed. For instance, we know a lot of details about the Equifax breach, thanks to a GAO investigation and report. But no suspects have ever been publicly named.

What’s more, the usual suspects in high-profile breaches – i.e. professional Russian, Eastern European, Chinese and North Korean hacking collectives – appear to be out of the loop with respect to this particular caper. The Capital One breach, it seems to me, vividly highlights the depth and breadth of the Internet underground. Anyone with technical aptitude, diligence and a lack of scruples, such as an out-of-work IT staffer, can engage in criminal activity at a fairly high level. …more

NEW TECH: Early adopters find smart ‘Zero Trust’ access improves security without stifling innovation

By Byron V. Acohido

As we approach the close of the second decade of the 21st century, it’s stunning, though perhaps not terribly surprising, that abused logon credentials continue to fuel the never-ending escalation of cyber attacks.

Related: Third-party risks exacerbated by the ‘gig economy’

Dare we anticipate a slowing — and ultimately the reversal – of this trend? Yes, I believe that’s now in order.

I say this because tools that give companies the wherewithal to make granular decisions about any specific access request – and more importantly, to react in just the right measure — are starting to gain notable traction.

For the past four years or so, leading security vendors have been championing the so-called Zero Trust approach to network architectures. All of this evangelizing of a “never trust, always verify” posture has incrementally gained converts among early-adopter enterprises.

PortSys is a US-based supplier of advanced identity and access management (IAM) systems and has been a vocal proponent of Zero Trust.  I recently had the chance to visit with PortSys CEO Michael Oldham, and came away with a better grasp of how Zero Trust is playing out in the marketplace.

He also reinforced a notion espoused by other security vendors I’ve interviewed that Zero Trust is well on its way to being a game changer. Key takeaways from our discussion:

Entrenched challenges

It takes a cascade of logons to interconnect the on-premises and cloud-based systems that enterprises rely on to deliver digital commerce as we’ve come to know and love it. And it remains true that each digital handshake is prone to being maliciously manipulated by a threat actor, be it a criminal in possession of stolen credentials or a disgruntled insider with authorized access.

To be sure, advances have come along in IAM technologies over the past two decades. Yet, high-profile breaches persist. Some 78% of networks were breached in 2018, based on CyberEdge’s poll of IT pros in 17 countries. What’s more, an IBM/Ponemon study pegs the global average cost of a data breach at $3.86 million, and predicts a 28 percent likelihood of a victimized organization sustaining a recurring breach in the next two years.

This has to do with entrenched investments in legacy security systems, such as traditional firewalls and malware detection systems that were originally designed to protect on-premises systems. As remote access, mobile devices and cloud computing …more

GUEST ESSAY: 6 unexpected ways that a cyber attack can negatively impact your business

By Mike James

Cyber crime can be extremely financially damaging to businesses. However, if you believe that money is the only thing that a cyber-attack costs your organization, you would be wrong. In fact, a recent academic analysis identified 57 specific individual negative factors that result from a cyber-attack against a business. Here are six ways, worth considering, that an attack can affect your organization.

SEO rankings


There are a number of issues that will occur in the aftermath of a cyber-attack that can have enormously negative consequences for your search engine optimisation (SEO). Hacked sites, for example, will be flagged in the rankings with a warning sign, which can put off visitors. It is also worth noting that when a site is hacked it can start receiving bad reviews on Google’s review section; both of these can see you dropping in the rankings and losing traffic.

A large number of sites also have their content altered when they suffer a breach, and given the importance of content to the way that your site ranks, this can clearly play a huge role.

Legal and compliance issues

It is not just cyber-criminals that you have to worry about when you are calculating the costs of a cyber-attack. In the modern world of data protection and industry regulators, there are now powers to heavily fine businesses that fail to take adequate steps to protect their customers.

Related: Poll shows SMBs struggle dealing with cyber risks

Under the General Data Protection Regulation (GDPR), for example, regulators now have the power to fine businesses up to €20 million or 4 per cent of annual global turnover (whichever is greater) if they suffer a data breach and have failed to be in compliance with the regulation. This shows just how expensive non-compliance can be. …more

BEST PRACTICES: Do you know the last time you were socially engineered?

By Byron V. Acohido

This spring marked the 20th anniversary of the Melissa email virus, which spread around the globe, setting the stage for social engineering to become what it is today.

The Melissa malware arrived embedded in a Word doc attached to an email message that enticingly asserted, “Here’s the document you requested . . . don’t show anyone else;-).” Opening the Word doc with macros enabled ran a macro that silently sent a copy of the email, including another infected attachment, to the first 50 people listed as Outlook contacts.
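The Melissa mechanism described above has two parts that a defender can look for in any macro-bearing document: an auto-run entry point (a procedure Word or Excel executes on open or close) and Outlook automation that walks the address book and sends the document onward. The following is an added example, not code from this article; it scans already-extracted VBA source text (in practice obtained with a tool such as oletools’ `olevba`) for those two markers. The two macro snippets are constructed for the example and are not the Melissa code.

```python
import re

# Constructed sample VBA source (NOT the real Melissa macro): an auto-run
# trigger that drives Outlook to mail the document to address-book entries.
SAMPLE_MACRO = """
Private Sub Document_Open()
    Set ol = CreateObject("Outlook.Application")
    Set ns = ol.GetNameSpace("MAPI")
    For Each lst In ns.AddressLists
        Set msg = ol.CreateItem(0)
        For i = 1 To 50
            msg.Recipients.Add lst.AddressEntries(i)
        Next i
        msg.Subject = "Important Message From " & Application.UserName
        msg.Body = "Here is that document you asked for ... don't show anyone else ;-)"
        msg.Attachments.Add ActiveDocument.FullName
        msg.Send
    Next lst
End Sub
"""

# Constructed benign macro: formatting only, no auto-run trigger, no mailer.
BENIGN_MACRO = """
Sub FormatTable()
    Selection.Tables(1).Style = "Table Grid"
End Sub
"""

# Procedure names that Word/Excel run without any explicit user action.
AUTO_EXEC = re.compile(
    r"\bSub\s+(AutoOpen|AutoExec|AutoClose|Document_Open|Document_Close|Workbook_Open)\b",
    re.I,
)

# Indicators of a macro mass-mailing itself: (label, regex) pairs.
INDICATORS = [
    ("outlook_automation", re.compile(r'CreateObject\s*\(\s*"Outlook\.Application"', re.I)),
    ("address_book_walk",  re.compile(r"\bAddressLists\b|\bAddressEntries\b", re.I)),
    ("self_attach",        re.compile(r"Attachments\.Add\s+ActiveDocument", re.I)),
    ("send_mail",          re.compile(r"\.Send\b", re.I)),
]


def scan_vba(source: str) -> dict:
    """Return the auto-exec triggers, matched indicators and a verdict for VBA source text."""
    triggers = [m.group(1) for m in AUTO_EXEC.finditer(source)]
    hits = [label for label, rx in INDICATORS if rx.search(source)]
    # An auto-run trigger combined with Outlook automation and a send call is the
    # worm-style mailer shape; a trigger alone is only suspicious, because
    # legitimate templates also use AutoOpen-style procedures.
    if triggers and {"outlook_automation", "send_mail"} <= set(hits):
        verdict = "mass-mailer"
    elif triggers or hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"triggers": triggers, "indicators": hits, "verdict": verdict}


if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, scan_vba(src))
```

The point of the verdict tiers is that neither marker is damning on its own: document templates legitimately use `AutoOpen`, and mail-merge macros legitimately automate Outlook. It is the combination of an auto-run entry point, an address-book walk and a send call on the document itself that reproduces the Melissa pattern and deserves blocking rather than just a warning.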

What’s happened since Melissa? Unfortunately, despite steady advances in malware detection and intrusion prevention systems – and much effort put into training employees – social engineering, most often in the form of phishing or spear phishing, remains the highly effective go-to trigger for many types of hacks.

Related: Defusing weaponized documents

Irrefutable evidence comes from Microsoft. Over the past 20 years, Microsoft’s flagship products, the Windows operating system and Office productivity suite, have been the prime target of cybercriminals. To its credit, the software giant has poured vast resources into beefing up security. And it has been a model corporate citizen when it comes to gathering and sharing invaluable intelligence about what the bad guys are up to.

Threat actors fully grasp that humans will forever remain the weak link in any digital network. Social engineering gives them a foot in the door, whether it’s to your smart home or the business network of the company that employs you.

Attack themes

A broad, general attack will look much like Melissa. The attacker will blast out waves of email with plausible subject lines, and also craft messages that make them look very much like they’re coming from someone you might have done business with, such as a shipping company, online retailer or even your bank.

Some common ones in regular rotation include: a court notice to appear; an IRS refund notice; a job offer from CareerBuilder; tracking notices from FedEx and UPS; a DropBox link notice; an Apple Store security alert; or a Facebook messaging notice.

…more

BEST PRACTICES: The case for ‘adaptive MFA’ in our perimeter-less digital environment

By Byron V. Acohido

One of the catch phrases I overheard at RSA 2019 that jumped out at me was this: “The internet is the new corporate network.”

Related: ‘Machine identities’ now readily available in the Dark Net

Think about how far we’ve come since 1999, when the Y2K scare alarmed many, until today, with hybrid cloud networks the norm. There’s no question the benefits of accelerating digital transformation are astounding.

Yet the flip side is that legacy security approaches never envisioned perimeter-less computing. The result, not surprisingly, has been a demonstrable lag in transitioning to security systems that strike the right balance between protection and productivity.

Take authentication, for example. Threat actors are taking great advantage of the lag in upgrading authentication. The good news is that innovation to close the gap is taking place. Tel Aviv-based security vendor Silverfort is playing in this space, and has found good success pioneering a new approach for securing authentication in the perimeterless world.

Founded in 2016 by cryptography experts from the Israeli Intelligence Corps’ elite 8200 cyber unit, Silverfort is backed by leading investors in cybersecurity technologies.

I had the chance to catch up with Dana Tamir, Silverfort’s vice president of market strategy, at RSA 2019. For a full drill down of the interview, please listen to the accompanying podcast. Here are the key takeaways:

Eroding effectiveness

Compromised credentials continue to be the cause of many of today’s data breaches. The use of multi-factor authentication, or MFA, can help protect credentials, but even those solutions have lost much of their effectiveness. The problem is that most MFA solutions are designed for specific systems, rather than today’s more dynamic environments. Traditional MFA may have hit its limitations due to dissolving perimeters.

In the past, Tamir explained, you had a solid perimeter around your network, with one entry point and you added the MFA to that single entry for the extra layer of protection. But that single-entry perimeter doesn’t exist today. We don’t even have a real perimeter anymore. …more
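Both the Zero Trust excerpt above (granular decisions about each access request, with a response “in just the right measure”) and the adaptive MFA discussion come down to the same shape: a per-request policy that weighs the resource, the device, the user’s context and recent authentication, and then allows, steps up to a fresh MFA challenge, or denies. The block below is an added example of such a policy engine; it is not PortSys or Silverfort code, and its resource sensitivities, home countries, thresholds and sample requests are all assumed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessRequest:
    user: str
    resource: str                 # e.g. "payroll", "wiki"
    device_managed: bool          # device enrolled and compliant with MDM
    country: str                  # from source-IP geolocation
    mfa_age_min: Optional[int]    # minutes since last successful MFA; None if never
    failed_logins_1h: int         # failed attempts for this user in the last hour


# Assumed (hypothetical) policy data; a real deployment pulls these from the
# identity provider and the asset inventory rather than hard-coding them.
RESOURCE_SENSITIVITY = {"wiki": 1, "crm": 2, "payroll": 3, "admin-console": 3}
USER_HOME_COUNTRY = {"alice": "US", "bob": "CA"}

FRESH_MFA_MINUTES = 15     # MFA older than this no longer counts for sensitive access
STEP_UP_THRESHOLD = 3      # score at or above this requires fresh MFA
DENY_THRESHOLD = 7         # score at or above this is refused outright


def risk_score(req: AccessRequest) -> int:
    """Additive risk score: resource sensitivity plus context penalties."""
    score = RESOURCE_SENSITIVITY.get(req.resource, 2)   # unknown resource: assume medium
    if not req.device_managed:
        score += 2                                      # unmanaged / BYOD device
    home = USER_HOME_COUNTRY.get(req.user)
    if home is not None and home != req.country:
        score += 2                                      # unusual geography for this user
    if req.failed_logins_1h >= 5:
        score += 3                                      # looks like credential stuffing
    return score


def decide(req: AccessRequest) -> str:
    """Return 'allow', 'step_up' (demand a fresh MFA challenge) or 'deny'."""
    score = risk_score(req)
    fresh_mfa = req.mfa_age_min is not None and req.mfa_age_min <= FRESH_MFA_MINUTES
    if score >= DENY_THRESHOLD:
        return "deny"            # too risky even with MFA: likely stolen credentials
    if score >= STEP_UP_THRESHOLD and not fresh_mfa:
        return "step_up"         # the "right measure": challenge, don't block
    return "allow"


def demo() -> dict:
    """Constructed sample requests covering the three outcomes."""
    cases = {
        "alice_wiki_laptop":        AccessRequest("alice", "wiki", True, "US", None, 0),
        "alice_payroll_stale_mfa":  AccessRequest("alice", "payroll", True, "US", 240, 0),
        "alice_payroll_fresh_mfa":  AccessRequest("alice", "payroll", True, "US", 5, 0),
        "bob_crm_abroad_byod":      AccessRequest("bob", "crm", False, "RO", None, 0),
        "bob_payroll_bruteforce":   AccessRequest("bob", "payroll", False, "RO", None, 12),
    }
    return {name: decide(req) for name, req in cases.items()}


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:28s} -> {outcome}")
```

Two design choices matter here. First, the MFA result has a freshness window rather than a session-long “already authenticated” flag, which is what lets the same engine protect a sensitive resource reached hours after login without prompting on every low-value request. Second, the step-up band sits between allow and deny, so a legitimate user on an unfamiliar network is challenged instead of locked out, while a request that stacks several anomalies (unmanaged device, unusual geography, a burst of failed logins) is refused even if the attacker could answer the second factor.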

GUEST ESSAY: How stealth, persistence allowed Wipro attacker to plunder supply chain

By Chris Gerritz

The recent network breach of Wipro, a prominent outsourcing company based in India, serves as a stunning reminder that digital transformation cuts two ways.

Our rising dependence on business systems that leverage cloud services and the gig economy to accomplish high-velocity innovation has led to a rise in productivity. However, the flip side is that we’ve also created fresh attack vectors at a rapid rate – exposures that are not being adequately addressed.

Related: Marriott suffers massive breach

We now know, thanks to reporting from cybersecurity blogger Brian Krebs, that the Wipro hack was a multi-month intrusion and likely the work of a nation-state backed threat actor. What’s more, the attackers reportedly were able to use Wipro as a jumping off point to infiltrate the networks of at least a dozen of Wipro’s customers.

Wipro issued a media statement, carried by the Economic Times, acknowledging “potentially abnormal activity in a few employee accounts on our network due to an advanced phishing campaign . . . Upon learning of the incident, we promptly began an investigation, identified the affected users and took remedial steps to contain and mitigate any potential impact.”

Wipro did not provide many additional details. However, one has to wonder whether, beyond its customers, …more

BEST PRACTICES: Mock phishing attacks prep employees to avoid being socially engineered

By Byron V. Acohido

Defending a company network is a dynamic, multi-faceted challenge that continues to rise in complexity, year after year after year.

Related: Why diversity in training is a good thing.

Yet there is a single point of failure common to just about all network break-ins: humans.

Social engineering, especially phishing, continues to trigger the vast majority of breach attempts. Despite billions of dollars spent on the latest, greatest antivirus suites, firewalls and intrusion detection systems, enterprises continue to suffer breaches that can be traced back to the actions of a single, unsuspecting employee.

In 2015, penetration tester Oliver Münchow was asked by a Swiss bank to come up with a better way to test and educate bank employees so that passwords never left the network perimeter. He came up with a new approach to testing and training the bank’s employees – and the basis for a new company, LucySecurity.

Lucy’s software allows companies to easily set up customizable mock attacks to test employees’ readiness to avoid phishing, ransomware and other attacks with a social engineering component. I had the chance at RSA 2019 to sit down with Lucy CEO Colin Bastable, to discuss the wider context. You can listen to the full interview via the accompanying podcast. Here are key takeaways: …more