Videocasts
VIDEO: Law enforcement’s view of cyber criminals — and what it takes to stop them

By Alan Zeichick

Law enforcement officials play a vital role tracking down and neutralizing cyber criminals. Theirs is a complex, often thankless, mission. Here are some insights shared by two current, and one former, high-level officials from U.S. law enforcement, who spoke at the NetEvents Global Press & Analyst Summit, in San Jose, Calif., in late September.

Based in San Francisco, M.K. Palmore is a senior manager for the Federal Bureau of Investigation’s Cyber Branch. As an FBI Security Risk Management Executive, Palmore leads teams that help identify threat actors, define attribution and carry out arrests.

Related article: Ransomware requires effective risk-management

Palmore says financially-motivated threat actors account for much of the current level of malicious cyber activity. Nation-state sponsored hackers, ideologically-motivated hacktivists, and insider intruders also are causing significant damage and disruption.

“We’re talking about a global landscape, and the barrier to entry for most financially-motivated cyber-threat actors is extremely low,” Palmore says. “In terms of who is on the other end of the keyboard, we’re typically talking about mostly male threat actors, between the ages of, say, 14 and 32 years

Dr. Ronald Layton is Deputy Assistant Director of the U.S. Secret Service. Layton observes that the technological sophistication and capabilities of threat actors has increased. “The toolsets that you see today that are widely available would have been highly classified 20 years ago,” Layton says. “Sophistication has gone up exponentially.”

The rapid escalation of ransomware is a telling marker, Layton says; ransomware rose from the 22nd most popular crime-ware application in 2014, to number five in 2017.

Says Layton: “In 2014, the bad guys would say, ‘I’m going to encrypt your file unless you pay me X amount of dollars in Bitcoin.’ End-users got smarter, and just said, ‘Well, I’m going to back my systems up.’ Now ransomware concentrates on partial or full hard-disk encryption, so backup doesn’t help as much. Sophistication by the threat actors has gone up, … more

VIDEO: How phishers are coming after you — and what you should do about it

By Byron V. Acohido

The current cybersecurity climate makes it hard not to be cautious of phishing attacks. Forget reclaiming lost family fortunes or assisting Nigerian princes, today’s phishing scams are targeted, complex and incredibly prevalent.

It feels like a new, high-profile phishing attack is getting reported every other month. In May, Google Docs users were being targeted with malicious invitations to edit fictional documents. Before that, DocuSign users were sent bogus emails encouraging them to download a Microsoft Word document that installed malware.

Related infographics: Phishers focus on smaller financial institutions

Despite increased awareness for these attacks and “I’d never fall for that” attitudes, Verizon’s 2017 Data Breach Investigations Report showed that 1 in 14 users fell for a phishing scam by clicking on an unidentified link or downloading a suspicious attachment.

I recently sat down with Edric Wyatt, a security analyst with CyberScout, to discuss the evolution of phishing attacks, what attackers are trying to achieve, and how organizations can effectively defend themselves. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are the key takeaways from our discussion:

Attacks have evolved. Attacks have become far more advanced in recent years. Rather than posing as Nigerian princes, attackers are creating hyper-targeted, hyper-relevant emails that leverage social engineering to encourage users to click. Attackers are spending longer researching organizations to try to get as much information as possible before sending out targeted emails. They know your name, your role and your title and tailor each attack to reflect this. So when you receive 1,000 emails a day, you won’t think twice about clicking one that “seems” normal.

Attacks are just one of many. If you are targeted with a phishing email, you might not be the primary focus. Attackers are targeting multiple individuals within an organization as part of a more advanced attack. The information that you provide by falling for the phishing email might not be the end goal. But anything you provide is … more

VIDEO: Why the NIST framework is so fundamental to network security

By Byron V. Acohido

Put aside the cyber threats, which continue to worsen. All any company decision-maker needs to do is pay heed to the intensifying regulatory environment to understand that network security has become a mission-critical operational issue.

Consider that the Colorado Division of Securities is implementing 90 pages of new rules to clarify what financial “broker-dealers” and investment advisers must do in order to protect information stored electronically.

That’s on top of the New York State Department of Financial Services enforcing new cybersecurity rules for financial services firms that wish to do business in the Empire State. And, of course, Europe is rolling out new privacy rules known as the General Data Protection Regulation, which will affect more than 4,000 U.S. companies doing business in Europe, including many small and midsize businesses.

And let’s not overlook looming compliance standards covering data privacy and security, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA).

I recently sat down with Edric Wyatt, security analyst at CyberScout to discuss the first step any organization—of any size and in any sector—can take to become more security mature: Get cozy with the National Institute of Standards and Technology’s risk management framework set forth in its NIST 800 series of documents. (Full disclosure: CyberScout underwrites ThirdCertainty.) Here are a few takeaways from our discussion:

NIST is foundational. NIST 800 is composed of Uncle Sam’s own computer security policies, procedures and guidelines, which have been widely implemented in the Department of Homeland Security, the Department of Defense and most big federal agencies. New York state’s new rules for financial firms incorporate the NIST framework, and the U.S. Food and Drug Administration, likewise, refers to the NIST framework in guidance for medical device manufacturers.

NIST is proactive. Derived from extensive public and private research, NIST 800 exists as a public service. It lays out cost-effective, proactive steps … more

VIDEO: Why the rising use of biometric authentication is driving states to regulate privacy

By Byron V. Acohido

Using biometrics to verify one’s identity is no longer something you’d expect to see only in a Hollywood depiction of a dystopian future. Biometric identification has been in practical use for a while now, and the technology is getting more sophisticated every day.

As you might expect, privacy concerns have arisen along the way. And now the legal ramifications are getting more complicated.

Washington state last month passed House Bill 1493: pioneering legislation forbidding businesses from obtaining or selling biometric information without the consent of the individual. Gov. Jay Inslee is expected any day to sign the new law, which is directed at concerns about the use of biometric identifiers to commit identity fraud.

I recently sat down with Robert Capps, vice president of business development at NuData, to discuss these developments. Based in Vancouver, British Columbia, NuData supplies systems that help ecommerce companies and banks detect and prevent online identity fraud. It does this by studying nuances of how an individual interacts with his or her computing device, such as how he or she types on, touches and even holds his or her computing device. Here are a few takeaways from our conversation:

Biometric identifiers defined. These are unique physical or behavioral characteristics of individuals, including fingerprints, retinal scans, voiceprints, facial recognition, and even the distinctive way a person walks and moves. Heartbeats can even be used to authenticate users for access not just to secure locations but also in a wide variety of digital services.

Usage becoming commonplace. It’s no longer that unusual for online services to request data referring to your physical traits in lieu of just a username and password. And government agencies are increasingly using biometric identifying technologies to keep places, like airports, secure.

“They’ll use facial recognition, gait analysis—how you walk,” Capps says. “These data points are also used in places like casinos looking for cheats and criminals walking into those facilities. … more

VIDEO: How CIA cyberweapons are increasingly being used to hack banks, credit unions

By Byron V. Acohido

When WikiLeaks released details about the CIA’s arsenal of hacking tools last month, it was like Christmas arrived early for hackers who specialize in cracking into the business networks of financial services companies.

Mandiant, the forensics division of malware detection vendor FireEye, affirmed as much in its M-Trends 2017 report, issued shortly thereafter. The Mandiant report disclosed how cyber criminals have quickly embraced CIA-type tools to juice up their banking system attacks.

I spoke to Bob Thibodeaux, chief information security officer, at Seattle-based DefenseStorm, about this. DefenseStorm provides a security service for community banks and credit unions that monitors network traffic—specifically event log data—for malicious activities.

“What we are seeing with the leak of the CIA’s attack tools are that cyber criminal elements are actually taking advantage of the knowledge of those tools for their attacks,” Thibodeaux told me. “We are seeing them actually using the kinds of tactics that the government actors are using to exploit financial firms, specifically.”

These cutting-edge attacks are showing up in banking systems in southeast Asia, according to Mandiant. But it may be only a matter of time before use of similar tactics, leveraging the CIA leak, spreads to banks in other regions. “The attackers are using tools that Windows system administrators would use to actually stay on the network, monitor traffic, figure out how the banking process works, and then steal tens to hundreds to millions of dollars,” Thibodeaux says.

Community banks and credit unions in the United States are likely to be targeted because they are less well-defended than the big multinational banks.

It is all too typical for a small bank or credit union to rely on basic network defense systems, even though malicious probes and communications with criminal command-and-control servers are nonstop.

Unfortunately, it’s not going to get any easier for smaller banks and credit unions to play catch-up, much less neutralize cyber attacks over … more

VIDEO: The implications of privacy rules stiffening in Canada, Europe

By Byron V. Acohido

As a partner at the Canadian law firm Borden Ladner Gervais, Éloïse Gratton advises her clients on legal, practical and ethical ways to protect an individual’s privacy while conducting business nationally and internationally. She has testified before Canada’s House of Commons and other federal bodies and conducted training workshops attended by judges and members of Parliament.

LastWatchdog sat down with Gratton just after she appeared on a privacy panel at CyberScout’s Privacy XChange Forum. Here’s the gist of that conversation. The text has been edited for clarity and length.

LastWatchdog: Europe and Canada are oriented toward preserving privacy for the individual; in America, not so much. Can you frame how that plays out in global commerce?

Gratton: I would say in Europe and in Canada, we’ve been a little bit ahead on the data-protection front, so we probably have laws that are a little bit more stringent. Yet we’re a little behind on everything that has to do with security-breach notification. In the States, it has been mandatory for quite some time. In Europe, it will be mandatory with the upcoming General Data Protection Regulation in May 2018.

In Canada, there’s one province where, if the breach triggers significant harm for the affected individuals, it’s mandatory to notify. So in Alberta, that has been a legal requirement since 2009. In coming months, this will also become a federal legal requirement to notify upon a security breach taking place. So we’re following the U.S. on this issue.

LastWatchdog: Cyber threats continue to evolve so rapidly; can regulators keep up?

Gratton: Yes, the threat is evolving, so at the end of the day, organizations need to ensure that they are ready for the new threats. We’ve seen it recently in Canada with the Ashley Madison hack. So you have to have a breach-incidence response plan and make sure employees are trained, so that they’ll know exactly what to do. Upon … more

VIDEO: Why cyber insurance is needed to protect intangible assets, i.e. business data

By Byron V. Acohido

More organizations than ever, especially small and medium-size ones, will seek to account for the fast-rising risk of suffering a cyber attack in 2017 by buying a cyber liability policy.

The general state of security of U.S. business networks remains anemic when compared to the vast and growing capabilities of hackers with malicious intent. Companies are beginning to realize the value of offsetting this risk to an insurance carrier—and insurance companies and underwriters recognize a golden goose when they see one.

The fledgling cyber insurance market topped $3 billion in 2015, and ABI estimates the global cyber insurance market is swelling at a clip that will top $10 billion by 2020.

Related: Cyber insurance increasingly includes value-added security services

ThirdCertainty sat down with Tim Francis, cyber insurance enterprise lead at Travelers Bond & Financial Products, and Graeme Newman, chief innovation officer at CFC Underwriting, shortly after the pair spoke on this topic at IDT911’s Privacy XChange Forum 2016 this fall. Here’s their forecast. (IDT911 sponsors ThirdCertainty. This text has been edited for clarity and length.)

3C: Could you frame the emerging cyber insurance market for us?

Newman: The cyber insurance market has been around for 15 or 16 years now, which in insurance terms, is a short period of time, but it’s growing fast. It’s very much U.S. dominated, and it also falls into some specific industry verticals. You get a lot of buyers in the financial services, within retail and within health care. But that’s starting to change.

Francis: Part of what’s driving this shift into different industries, and also smaller-size companies, is the recognition that cyber is not just a product for companies with large amounts of data. A lot of coverages go beyond that to things like business disruption, which could affect any company virtually. For instance, ransomware has nothing to do with the excavation of data.

3C: What are some of the obstacles?

Newman: The … more