
GUEST ESSAY: Why the next round of cyber attacks could put many SMBs out of business

By Steve Akridge

In the last year, the news media has been full of stories about vicious cyber breaches on municipal governments.  From Atlanta to Baltimore to school districts in Louisiana, cyber criminals have launched a wave of ransomware attacks on governments across the country.

Related: SMBs struggle to mitigate cyber attacks

As city governments struggle to recover access to their data, hackers are already turning their sights on their next targets: small and medium-sized businesses (SMBs).

A 2018 study by the Ponemon Institute showed that 67 percent of SMBs experienced a cyber attack. Even worse, according to Ponemon, 47 percent of SMBs said they have no understanding of how to protect their companies from cyberattacks.

Most small and medium-sized organizations are highly vulnerable to cyberattacks because they usually don’t have a sufficiently strong information technology infrastructure, have limited internal staff, or can’t afford external consultants to handle data security.

When you realize that 54 percent of organizations that suffer an attack spend about $500,000 to restore their systems and 62 percent of SMBs close their doors after an attack, the damage to the economy becomes very apparent.

New SMB security solution

Unfortunately, most cybersecurity firms focus their attention on large organizations and corporations that can afford to pay their fees – leaving SMBs even more vulnerable to potential cyber criminals. While large corporations can get cyber security insurance and engage legions of consultants, the question is: …more

ROUNDTABLE: Huge Capital One breach shows too little is being done to preserve data privacy

By Byron V. Acohido

Company officials at Capital One Financial Corp ought to have a crystal clear idea of what to expect next — after admitting to having allowed a gargantuan data breach.

Capital One’s mea culpa coincided with the FBI’s early morning raid of a Seattle residence to arrest Paige Thompson. Authorities charged the 33-year-old former Amazon software engineer with masterminding the hack.

Related: Hackers direct botnets to manipulate business logic

Thompson is accused of pilfering sensitive data for 100 million US and 6 million Canadian bank patrons. That includes social security and social insurance numbers, bank account numbers, phone numbers, birth dates, email addresses and self-reported income; in short, just about everything on an identity thief’s wish list.

Just a few days before Capital One’s disclosure,  Equifax rather quietly agreed to pay up to $700 million to settle consumer claims and federal and state investigations into its 2017 data breach that compromised sensitive information of more than 145 million American consumers. Also very recently,  the Federal Trade Commission slammed Facebook with a record $5 billion fine for losing control over massive troves of personal data and mishandling its communications with users.

Sure enough, it didn’t take long (less than 24 hours) for Keven Zosiak, a Stamford, Connecticut resident and Capital One credit card holder, to file a lawsuit  against Capital One for its failure to protect sensitive customer data. Many more lawsuits, as well as federal probes and Congressional hearings, are sure to follow.

Oh, and let’s not forget how Equifax summarily canned five top execs, including Equifax CEO Richard Smith, in the aftermath of its big breach. Not even doing this YouTube video apology was enough to save Smith his job.  It’s going to be interesting to see who Capital One’s board of directors designates to throw under the bus on this one.

Larger lessons

Arguably the most fascinating twist to the Capital One caper is the FBI’s rather quick arrest of Paige Thompson. Arrests in network breaches are rare, indeed. For instance, we know a lot of details about the Equifax breach, thanks to a GAO investigation and report. But no suspects have ever been publicly named.

What’s more, the usual suspects in high-profile breaches – i.e. professional Russian, Eastern European, Chinese and North Korean hacking collectives – appear to be out of the loop with respect to this particular caper. The Capital One breach, it seems to me, vividly highlights the depth and breadth of the Internet underground. Anyone with technical aptitude, diligence and a lack of scruples, such as an out-of-work IT staffer, can engage in criminal activity at a fairly high level. …more

MY TAKE: How state-backed cyber ops have placed the world in a constant-state ‘Cyber Pearl Harbor’

By Byron V. Acohido

Cyber espionage turned a corner this spring when Israeli fighter jets eradicated a building in the Gaza Strip believed to house Hamas cyber operatives carrying out attacks on Israel’s digital systems.

Related: The Golden Age of cyber spying is upon us.

That May 10th  air strike by the Israel Defense Force marked the first use of military force in direct retaliation for cyber spying. This development underscores that we’re in the midst of a new age of cyber espionage.

This comes as no surprise to anyone in the military or intelligence communities. State-sponsored cyber operations have been an integral part of global affairs for decades. And, in fact, cyber ops tradecraft has advanced in sophistication in lock step with our deepening reliance on the commercial Internet.

Here are a few things everyone should know about the current state of government-backed cyber ops.

Russia’s tradecraft

A lot of dots have been connected recently with respect to Russia’s cyber spying, initially thanks to Barack Obama’s leveling of sanctions on Russia for interfering in the 2016 U.S. presidential elections. Among more than two dozen Russians named as co-conspirators by the Obama sanctions were a pair of notorious cyber robbers, Evgeniy Bogachev of Russia and Alexsey Belan of Latvia.

At the time, both were well-known to the FBI as profit-motivated cyber thieves of the highest skill level. Bogachev led a band of criminals that used the Gameover Zeus banking Trojan to steal more than $100 million from banks and businesses worldwide. Then somewhere along the way, Bogachev commenced moonlighting as a cyber spy for the Russian government.

The Obama sanctions helped security analysts and the FBI piece together how Bogachev, around 2010, began running unusual searches on well-placed PCs he controlled, via Gameover Zeus infections. Bogachev’s searches explicitly sought out intelligence of direct strategic benefit to Russia – just prior to Russia making adversarial moves in the Republic of Georgia, the Ukraine and Turkey, respectively.

Meanwhile, details of Alexsey Belan’s Russian-backed escapades came to light in March 2017 when the FBI indicted Belan and three co-conspirators in connection with hacking Yahoo to pilfer more than 500 million email addresses and gain deep access to more than 30 million Yahoo accounts.

The Obama sanctions ultimately linked both Bogachev and Belan to the hack of the Democratic National Committee and several other organizations at the center of the 2016 U.S. presidential elections. The pair were not the first private-sector cybercriminals recruited to serve as Russian assets, and very likely won’t be the last, said Bryson Bort, CEO of security company SCYTHE, a supplier of attack simulation systems.

“Russia explicitly recruits folks already engaged in criminal activities, and once recruited, they are contracted and connected to military organizations for direction and oversight,” Bort told me. “Those activities have criminal end-goals of corporate espionage and theft, but to be clear, they are government-directed.”

Both Bogachev and Belan remain on the FBI’s most wanted cybercriminals list: Bogachev with a $3 million bounty and Belan with a $100,000 bounty. The assumption is that they both reside in Russia under the protection of the Russian government.

“We have not effectively deterred Russia, as a nation, from executing these operations,” Bort said. “So we can expect them to continue to recruit criminal hackers, grow their capabilities, and continue to use them.”

China’s tradecraft

It’s fully expected that Russia’s cyber spying will continue to revolve around spreading propaganda and influencing elections, as well as maneuvering for footholds, in critical infrastructure and financial systems, in order to put Russia into an improved position from which to manipulate global politics of the moment.

By contrast, China takes a long view, as explicitly outlined in its Made in China 2025 manifesto. China has been taking methodical steps to transform itself from the source of low-end manufactured goods to the premier supplier of high-end products and services.

…more

NEW TECH: Early adopters find smart ‘Zero Trust’ access improves security without stifling innovation

By Byron V. Acohido

As we approach the close of the second decade of the 21st century, it’s stunning, though perhaps not terribly surprising, that abused logon credentials continue to fuel the never-ending escalation of cyber attacks.

Related: Third-party risks exacerbated by the ‘gig economy’

Dare we anticipate a slowing — and ultimately the reversal – of this trend? Yes, I believe that’s now in order.

I say this because tools that give companies the wherewithal to make granular decisions about any specific access request – and more importantly, to react in just the right measure — are starting to gain notable traction.

For the past four years or so, leading security vendors have been championing the so-called Zero Trust approach to network architectures. All of this evangelizing of a “never trust, always verify” posture has incrementally gained converts among early-adopter enterprises.

PortSys is a US-based supplier of advanced identity and access management (IAM) systems and has been a vocal proponent of Zero Trust.  I recently had the chance to visit with PortSys CEO Michael Oldham, and came away with a better grasp of how Zero Trust is playing out in the marketplace.

He also reinforced a notion espoused by other security vendors I’ve interviewed that Zero Trust is well on its way to being a game changer. Key takeaways from our discussion:

Entrenched challenges

It takes a cascade of logons to interconnect the on-premises and cloud-based systems that enterprises rely on to deliver digital commerce as we’ve come to know and love it. And it remains true that each digital handshake is prone to being maliciously manipulated by a threat actor, be it a criminal in possession of stolen credentials or a disgruntled insider with authorized access.

To be sure, advances have come along in IAM technologies over the past two decades. Yet, high-profile breaches persist. Some 78% of networks were breached in 2018, based on CyberEdge’s poll of IT pros in 17 countries. What’s more, an IBM/Ponemon study pegs the global average cost of a data breach at $3.86 million, and predicts a 28 percent likelihood of a victimized organization sustaining a recurring breach in the next two years.

This has to do with entrenched investments in legacy security systems, such as traditional firewalls and malware detection systems that were originally designed to protect on-premise systems. As remote access, mobile devices and cloud computing …more

GUEST ESSAY: 6 unexpected ways that a cyber attack can negatively impact your business

By Mike James

Cyber crime can be extremely financially damaging to businesses. However, if you believe that money is the only thing that a cyber-attack costs your organization, you would be wrong. In fact, a recent academic analysis identified 57 specific individual negative factors that result from a cyber-attack against a business. Here are six ways, worth considering, that an attack can affect your organization.

SEO rankings

There are a number of issues that will occur in the aftermath of a cyber-attack that can have enormously negative consequences for your search engine optimisation (SEO). Hacked sites, for example, will be flagged in the rankings with a warning sign, which can put off visitors. It is also worth noting that when a site is hacked it can start receiving bad reviews on Google’s review section; both of these can see you dropping in the rankings and losing traffic.

A large number of sites also have their content altered when they suffer a breach, and given the importance of content to the way that your site ranks, this can clearly play a huge role.

Legal and compliance issues

It is not just cyber-criminals that you have to worry about when you are calculating the costs of a cyber-attack. In the modern world of data protection and industry regulators, there are now powers to heavily fine businesses that fail to take adequate steps to protect their customers.

Related: Poll shows SMBs struggle dealing with cyber risks

Under the General Data Protection Regulation (GDPR) for example, regulators now have the power to fine businesses up to €20 million or 4 per cent of annual global turnover (whichever is greater), if they suffer a data breach and have failed to be in compliance with the regulation. This shows you just how expensive the concept is. …more

NEW TECH: A couple of tools that deserve wide use — to preserve the integrity of U.S. elections

By Byron V. Acohido

As the presidential debate season ramps up, the specter of nation-state sponsored hackers wreaking havoc, once more, with U.S. elections, looms all too large.

It’s easy to get discouraged by developments such as Sen. McConnell recently blocking a bi-partisan bill to fund better election security, as well as the disclosure that his wife, Transportation Secretary Elaine Chao, has accepted money from voting machine lobbyists.

Related: Why not train employees as phishing cops?

That’s why I was so encouraged to learn about two new tools that empower individual candidates – and local election officials – to take proactive steps to make election tampering much more difficult to successfully pull off. In the current geo-political environment, every forthright step can make a huge difference.

First, there’s a tool called the Rapid Cyber Risk Scorecard. NormShield, the Vienna, VA-based, cybersecurity firm that supplies this service, recently ran scores for all of the 26 declared presidential candidates —  and found the average cyber risk score to be B+.

What this tells me is that the presidential candidates, at least, actually appear to be heeding lessons learned from the hacking of John Podesta’s email account – and all of the havoc Russia was able to foment in our 2016 elections. NormShield found that all of the 2020 presidential hopefuls, thus far, are making sure their campaigns are current on software patching, as well as Domain Name System (DNS) security; and several are doing much more.

My takeaway: other candidates can use this scorecard, which runs assessments of 10 cyber risk categories, as a starting point to harden their campaigns.

Another such service that can do a ton of good was announced last week by Global Cyber Alliance (GCA), in partnership with Craig Newmark Philanthropies and the Center for Internet Security. It’s a free cybersecurity toolkit for elections that gives local election authorities actionable guidance on how to mitigate the most common risks to trustworthy elections.

…more

MY TAKE: Let’s not lose sight of why Iran is pushing back with military, cyber strikes

By Byron V. Acohido

It is not often that I hear details about the cyber ops capabilities of the USA or UK discussed at the cybersecurity conferences I attend.

Related: We’re in the golden age of cyber spying

Despite the hush-hush nature of Western cyber ops, it is axiomatic in technology and intelligence circles that the USA and UK possess deep hacking and digital spying expertise – capabilities which we regularly deploy to optimize our respective positions in global affairs.

Last week, President Trump took an unheard-of step: he flexed American cyber ops muscle out in the open. An offensive cyber strike by the U.S. reportedly knocked out computing systems controlling Iranian rocket and missile launchers, thus arresting global attention for several news cycles.

“The digital strike against Iran is a great example of using USCYBERCOM as a special ops force, clearly projecting US power by going deep behind enemy lines to knock out the adversary’s intelligence and command-and-control apparatus,” observes Phil Neray, VP of Industrial Cybersecurity for CyberX, a Boston-based supplier of IoT and industrial control system security technologies.

Some context is in order. Trump’s cyber strike against Iran is the latest development in tensions that began in May 2018, when Trump scuttled the 2015 Iran nuclear deal – which was the result of 10 years of negotiation between Iran and the United Nations Security Council. The 2015 Iran accord, agreed to by President Obama, set limits on Iran’s nuclear programs in exchange for the lifting of nuclear-related sanctions.

For his own reasons, Trump declared the 2015 Iran accord the “worst deal ever,” and has spent the past year steadily escalating tensions with Iran, for instance, by unilaterally imposing multiple rounds of fresh sanctions.

Iran pushes back

This, of course, has pushed Iran into a corner, and forced Iran to push back. It’s important to keep in mind that Iran, as well as Europe and the U.S., were meeting the terms of the 2015 nuclear deal, prior to Trump scuttling the deal.  Let’s not forget that a  hard-won stability was in place, prior to Trump choosing to stir the pot.

Today, Iran is scrambling for support from whatever quarter it can get it. Its moves, wise or unwise, are quite clearly calculated to compel European nations to weigh in on its behalf. However, many of Iran’s chess moves have also translated into fodder for Trump to stir animosity against Iran. …more