According to Gartner, information security spending in 2018 will exceed $96 billion: companies will be purchasing credential management software, infrastructure and network security equipment, information security services and client data protection software.
As companies learn about new incidents, they agree to spend more. Businesses are mostly focused on protection from external threats. WannaCry alerted people to the dangers of cyberattacks: during the first two days of the ransomware's activity more than 200 thousand users in 150 countries were hit. All the attention is drawn to hackers, zero-day vulnerabilities and ransomware, while incidents caused by just one click or just one decision of an employee may be overlooked.
The South African financial services company Liberty Holdings had its corporate email compromised. The attackers planned to sell the obtained information and threatened to release the data if they were not paid.
There were a few pointers which made everyone question the source of the breach: the leak wasn't reported straight away, the facts confirmed by the Liberty CEO seemed to lack detail, and the server was fully accessible to those who seized the data. When a leak happens, its source should be a company's major concern. Hackers are never as well informed as insiders: only the people who work within a particular network know exactly what can be accessed and where. Although a hack is never good news, companies are encouraged to be vocal about such an incident, while insider leaks are often disclosed only sparingly and half-heartedly.
The human factor can trigger many different situations, and any of them might prove detrimental to an organisation.
Joe Sullivan, former Uber cybersecurity chief, used to have an impeccable track record. He participated in the investigation of high-profile cyberattacks in the USA and worked at Facebook, eBay and PayPal; he has been chasing and catching criminals all his life. An undetected data theft which happened in 2016 affected his professional reputation. Joe decided that the incident should be withheld even if that meant collaborating with his own enemies: he paid the hackers $100 thousand to keep silent. 57 million passengers and drivers had no idea their data had been compromised for more than a year.
Vainglory is what led to another real-life case. In February 2017, a photo of the US President and the Japanese Prime Minister Shinzō Abe at a golf club was taken by a businessman who was sitting next to them and was published by various media. He posted the photo on Facebook, commenting that “…it was fascinating to watch the flurry of activity at dinner when the news came that North Korea had launched a missile in the direction of Japan.”
One of the photos depicts club members gathering around the confidential documents. The other captures the US President talking on the phone, turned away from the Japanese Prime Minister. Here's the human factor at its best. First of all, the heads of state rushed into discussing a secret issue in front of other people. Second, the smartphones used by those standing around could be a direct leakage source.
The human factor is also the main reason why many contractors expose client data.
In 2017 the American telecommunications giant Verizon lost the data of 14 million clients: names, addresses, account data and the PIN codes used for client verification. The data was uploaded to Amazon by a contractor hired to improve the operation of the call center. The specialist forgot to check the security settings, so a URL with the information could be freely accessed by anyone on the Internet.
Amazon became part of many leakage stories: the records of 198 million registered US voters were exposed in the cloud (the archive did not even have password protection; it was uploaded to the cloud by a company which collected data for Donald Trump's election campaign); 2.2 million Dow Jones subscribers got their data compromised; 3 million clients of WWE (an American entertainment company known for managing wrestling events) had their data leaked from the Amazon service; and Time Warner Cable (the second largest cable network in the USA) had 4 million client records exposed.
Amazon could have introduced some extra controls to detect faulty configuration and limit access to sensitive data stored without password protection. In November 2017 the service provider presented a solution: the control panel now features a notification warning users that incorrectly configured storage endangers data security. Amazon also applied full data encryption by default.
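The misconfiguration behind the Verizon and voter-record exposures is a bucket whose ACL or policy grants access to everyone. The following is an added example, not code from the article or from Amazon: it audits the JSON that the S3 ACL and bucket-policy APIs return, so it can be run offline against saved output. The bucket names and the sample ACL/policy documents are constructed for illustration.

```python
"""Audit S3 bucket ACLs and bucket policies for public exposure (added example)."""
import json

# Grantee URIs that S3 uses for "everyone" and "any AWS account holder".
PUBLIC_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "AuthenticatedUsers",
}


def acl_findings(acl):
    """Return findings for grants made to the global S3 groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        label = PUBLIC_GRANTEES.get(grantee.get("URI"))
        if label:
            findings.append(f"ACL grants {grant.get('Permission')} to {label}")
    return findings


def _is_wildcard_principal(principal):
    """True when a policy statement applies to anyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def policy_findings(policy):
    """Return findings for Allow statements whose principal is anyone.

    A Condition block narrows the statement (for example to a source IP range),
    so such statements are reported as 'conditional' rather than dropped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_wildcard_principal(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        scope = "conditional" if stmt.get("Condition") else "unconditional"
        findings.append(f"policy allows {', '.join(actions)} to everyone ({scope})")
    return findings


def audit_bucket(name, acl_json, policy_json=None):
    """Combine ACL and policy findings for one bucket; returns a list of strings."""
    findings = acl_findings(json.loads(acl_json))
    if policy_json:
        findings += policy_findings(json.loads(policy_json))
    return [f"{name}: {f}" for f in findings]


# Constructed sample documents; the shape matches what the S3 API returns.
LEAKY_ACL = json.dumps({
    "Owner": {"ID": "example-owner"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
})
LEAKY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
})
PRIVATE_ACL = json.dumps({
    "Owner": {"ID": "example-owner"},
    "Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "example-owner"}, "Permission": "FULL_CONTROL"}],
})

if __name__ == "__main__":
    for line in audit_bucket("example-bucket", LEAKY_ACL, LEAKY_POLICY):
        print(line)
    print("private-bucket findings:", audit_bucket("private-bucket", PRIVATE_ACL))
```

A real audit would feed the script the output of `aws s3api get-bucket-acl` and `get-bucket-policy` for every bucket in the account.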
Some people tend to profit from their position, one of the biggest temptations which cause incidents.
An information security director of the North American Association of State and Provincial Lotteries cracked a random number generator. The specialist had been working in the organisation for 10 years before he decided to create malware and infect the computers which managed the winning combinations for the lotteries. The “correct” tickets were bought by his brother and a friend. The scheme was started in 2005 and ran for 7 years.
A leak can be accidental: mere fatigue, or automated address selection in the email client. That is what happened to the Pentagon in 2017: Public Affairs included the email address of a Bloomberg correspondent in a mailing list. The journalist informed the Pentagon of the mistake, but the emails kept coming. The correspondence between Department of Defense and Federal Emergency Management Agency employees discussed the way the media covered the scale of Hurricane Maria's destruction. They were sharing instructions on how to make the news seem positive.
The journalist took advantage of the opportunity and used excerpts from the emails he had accidentally received from the Pentagon in an article for Bloomberg Businessweek.
Another unintentional data exposure occurred in Finland. In 2017 a citizen of Oulu received an email revealing messages exchanged by local police officers discussing the security measures to be taken during the visit of Vladimir Putin. The email contained a detailed itinerary of Sauli Niinistö and the precise time of Putin's helicopter arrival.
The Eastern Finland Police Department did not stay silent about the incident: it explained that the confidential email had been sent to a random person and admitted that the human factor was the cause. The email client automatically suggested contacts from the list of those who had been addressed at least once, and the citizen of Oulu who received the secret email and the press officer happened to have similar names.
As digital transformation takes hold, organizations must learn what their cybersecurity risks are – and how best to address them.
Cybersecurity is in the news, but the risks posed by weak and outdated security measures are hardly new. For more than two decades, organizations have struggled to keep pace with rapidly evolving attack technologies.
With the arrival in May of WannaCry, a massive and highly coordinated ransomware attack that left tens of thousands of organizations around the world hoping for the safe restoration of their data, the threat posed by malware creators took an ominous turn. The attack sent an unambiguous wake-up call to organizations worldwide that now is the time to reassess and reinforce existing cybersecurity strategies.
Connectivity Creates Opportunities and Challenges
Emerging technologies, particularly the Internet of Things (IoT), are taking global connectivity to a new level, opening fresh and compelling opportunities for both adopters and, unfortunately, attackers.
Sadik Al-Abdulla, director of security solutions for CDW, says growing connectivity has ushered in a new era of critical security threats. “The same viruses we’ve been fighting for 20 years, now those viruses grow teeth,” he adds, noting that organizations are just beginning to respond to more dangerous cybersecurity adversaries. “Suddenly, just in the last 18 months, with the explosion of ransomware, we’ve seen really substantial support from outside IT to actually start getting these projects done, because there has been real pain experienced.”
IoT poses a significant new challenge, Al-Abdulla observes. “As new devices are connected, they represent both a potential ingress point for an attacker as well as another set of devices that have to be managed,” he says. “Unfortunately, most of the world is trying to achieve the promise provided by IoT projects as rapidly as possible, and they are not including security in the original design, which creates greater weakness that is very, very hard to get back after the fact and correct.”
Al-Abdulla also notes that many organizations are unintentionally raising their security risk by neglecting routine network security tasks. “Every time our assessment team looks at the inside of a network, we find systems that haven’t been patched in 10 years,” he says. “Sometimes, it’s IoT devices.”
Al-Abdulla’s team has observed devices with “a flavor of Linux or Windows embedded” that have not been updated since they left the factory. Security cameras, badge readers, medical devices, thermostats and a variety of other connected technologies all create potential attack gateways.
“All it takes is the wrong guy to click the wrong thing in the wrong part of the network,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group. “You get mass propagation throughout the environment, and then you have a huge problem.”
“It’s a very complicated world that we live in right now, because the attacker and defense problem is highly asymmetrical,” Roesch adds.
The changing nature of networks and the devices located within them, combined with the fact that organizations keep introducing new software and hardware into their IT environments, make it nearly impossible to keep pace with a new generation of skilled attackers. “It becomes very, very difficult to respond and be effective against the kind of threat environment that we face today because the attackers are highly motivated,” he says.
The Danger of Giving in to Ransomware
Ransomware is like a thug with a gun: “Pay up, or your data gets it!”
Facing such a blunt demand, many organizations simply cave in and hand over whatever amount of money (usually in the form of bitcoin) is necessary to regain their data.
Problem solved? Not necessarily, says Michael Viscuso, co-founder and chief technology officer of endpoint security provider Carbon Black, who sees no easy way out of a ransomware attack. “It’s still surprising to me that people who have paid the ransom think that the game is over,” he says. “The reality is that the attacker has access to your system and is encrypting and decrypting your files whenever he wants to – and charging you every time.”
James Lyne, global head of security research at security technology company Sophos, notes that many ransomware attackers hide code within decrypted data, allowing them to reinfect the host at a future date. “Because if you’ll pay once, you’ll pay twice,” he explains.
Lyne also warns about the emerging threat of “shredware,” malware that encrypts data without requesting a ransom, effectively destroying it. “I bring that up because I’ve had a lot of board advisory meetings recently where people have said, ‘Well surely, we’ll just keep a fund, and if our data is encrypted, we will just pay the cybercriminals,’” he says.
Instead, organizations can take steps to defend themselves against ransomware. These steps include:
Effective backups: IT staff can save themselves trouble and money by implementing regular backup practices to an external location such as a backup service. In the event of a ransomware infection, backup data can get organizations back on their feet quickly.
User training: Most infections are the result of users clicking on links or attachments that are connected to malicious payloads. IT teams can avoid these pitfalls by training users to look out for them.
Deployment of security solutions: Measures such as anti-malware, firewalls and email filters can help detect ransomware and prevent infections.
The Human Factor
While following security best practices is essential to network security, many organizations remain unaware of, or pay little attention to, the weakest link in the security chain: people.
It doesn’t make sense to try to solve what is essentially a human problem solely with technical means, says Mike Waters, director of enterprise information security for management consulting firm Booz Allen Hamilton. “We have to create an atmosphere, an environment, where people can tell us what risks they know about, and we can document them and work through it in a deliberative manner,” he adds.
Booz Allen has 25,000 people working for it, Waters says, adding, “I need 25,000 people to defend Booz Allen.” Educating users — and instilling in them just a touch of paranoia, he quips — leads to an alert organization in which users report every suspicious thing they encounter. “Ninety-nine percent of what they report is not bad, but the 1 percent that’s critical can get to us,” he says. “We reinforce that behavior — tell us everything.”
Meet the Evil Entrepreneurs
In much the same way that organizations boost their results through ambition and innovation, cybercriminals also are improving the way they operate. “The bad guys are entrepreneurial,” says Martin Roesch, vice president and chief architect of the Cisco Security Business Group.
Most successful cybercriminals are part of large and well-structured technology organizations. “There’s a team of people setting up infrastructure and hosting facilities; there’s a team of people doing vulnerability research; there’s a team of people doing extraction of data; there’s a team of people building ransomware; there’s a team of people delivering ransomware; there’s a team of people doing vulnerability assessment on the internet; there’s a team of people figuring out how to bypass spam filters,” says Michael Viscuso, co-founder and CTO of Carbon Black.
Roesch says organizations have found it “very difficult to respond and be effective against the kind of threat environment that we face today,” but says security experts within Cisco have specifically targeted cybercrime organizations and achieved some success in shutting them down.
Weighing Risk Against Benefits
Security boils down to measuring risk against anticipated benefits. “One of the fascinating things about risk is that low-level engineers know where the risks are, but they don’t necessarily tell anybody,” Waters says. As an example, he cites Operation Market Garden, a World War II Allied military effort (documented in the book and movie A Bridge Too Far) that was fatally hampered by poor radio communication. “People knew those radios weren’t going to work when they got over there,” Waters says. “They didn’t tell anybody because they didn’t want to rock the boat.”
Once a risk is identified, users and IT professionals must be committed to addressing it, with the support of executives. Across all departments and in all situations, calm person-to-person communication is always a reliable and effective security tool. “If we’re running around with our hair on fire all the time, they don’t want to talk to us,” Waters adds. “We want everybody to be able to talk with us and share their risks, so we know to prioritize and trust them.”
In a perfect world, security professionals would strive to create a risk-free environment. “We want it all down to zero,” Waters says. That’s not possible, however, because some degree of risk is inherent in every action an organization takes. “As challenging as it may seem, there are risks businesses are willing to accept,” Waters adds.
Too much caution blocks or degrades benefits, particularly when security mandates unnecessarily interfere with routine activities. Simply telling people what not to do is rarely effective, particularly if what they’re doing saves time and produces positive results. “We talk about Dropbox and things like that,” Waters says. “If your policies are too restrictive, people will find a way around them.”
But our understanding of how people do respond is limited.
“One thing could be there are just so many incidents of data breach happening … people consider it typical,” Dr. Chen speculated.
“It’s the norm of this digital world.”
These incidents can also feel quite abstract, Dr. Cross added.
Consider the compromising of more than 359 million MySpace accounts or more than 164 million LinkedIn accounts — these are almost unimaginable numbers.
For victims, there’s also a difference of perception between your details being lost or stolen and actual misuse of that information — in the form of identity theft, for example, which is estimated to cost Australia $2.2 billion each year.
“They’re just one small individual within an entire group, and they don’t feel that they are particularly valuable in terms of a target,” she said.
New America’s Peter Singer suggested we won’t see decisive action from the government on these issues until breaches begin to have a dramatic impact in the physical world.
Connected devices, from fridges that can be accessed online to driverless cars, will make this more dangerous — and likely.
You might start caring more when a hacker uses stolen credentials to turn your lights on and off remotely.
“I think … what will inevitably happen is some type of bad outcome,” Mr. Singer added.
A badly handled data breach can also dent a company’s reputation.
Take Uber, which initially tried to cover up the exfiltration of the names, email addresses and mobile phone numbers of 57 million users.
Mr. Hunt also sees companies being judged harshly if a breach exposes their poor security posture, such as storing passwords in plain text without cryptographic protection.
On the flip side, he cited the Red Cross Blood Service’s reaction as “the gold standard” after it lost donor information in 2016.
The group was swift to act and tell the public — and was apologetic throughout.
As data breaches continue, Mr. Hunt hopes people will avoid fatigue and take control: get a password manager, make all passwords unique and turn on two-factor authentication.
“These are really basic things that we can all do, and they fundamentally change the impact of a data breach,” he said.
The hacking of a medical clinic employee's email account during overseas travel demonstrates the risks posed to data when workers travel – and the need to mitigate those risks.
Billings Clinic in Montana – which includes a multispecialty group practice with a 304-bed hospital and a Level II trauma center – says in a breach notification statement it became aware on May 14 of “unusual activity” within one of its employee’s email accounts.
The employee was traveling overseas on a medical mission at the time of the hacking incident, according to the statement.
Billings Clinic says it took immediate action to disable access to the email account, launched an investigation to determine what happened and took action to further secure its email system.
“As a result of the forensic investigation, we learned that an unauthorized individual had access to emails and attachments within that one account, some of which included patient information.”
The types of information on 8,400 individuals included in the affected email account include patient name, date of birth, contact information, the medical record number, internal financial control number, diagnosis and limited information about medical services received, the clinic reports.
“Each patient had different types of information, included in the emails, and no one email contained all of these types of information,” the notification statement says.
As of July 16, the hacking incident was not listed on the Department of Health and Human Services’ HIPAA Breach Reporting Tool website – commonly called the “wall of shame” – which lists breaches affecting 500 or more individuals.
That breach tally, however, lists a different hacking/IT incident reported in April by Billings Clinic that impacted 949 individuals.
In a notification statement posted on Billings Clinic’s website about the earlier incident, the clinic says that on February 26, it also became aware of unusual activity within its email system, and immediately took action to disable the account.
A Billings Clinic spokesman tells Information Security Media Group that the two breaches were separate incidents, but declined to discuss further details, including the steps the clinic is taking to bolster security in the wake of the breaches.
The spokesman also declined to discuss whether the traveling employee in the latest breach was traveling with a Billings Clinic laptop or other mobile computing devices, or whether the employee had been accessing Billings Clinic’s email system while using a personally owned computing device or smartphone.
Data breaches occurring during employee travel are a common but often overlooked problem, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
“It is very common for data and devices to be hacked while traveling and for those who were hacked to not even realize it,” she says. “People are often unaware of what is going on around them when they are traveling. They are using any charger station they can find, they speak loudly and they use free Wi-Fi.”
Cybercriminals routinely scan free Wi-Fi networks and copy unsecured transmissions, including emails, she says.
“Shoulder surfing is also still very common; it’s a decades-old tactic that still works effectively today. And the skimmers on charging stations are increasing in use. Don’t think that if you are in a frequent flyer lounge that these things do not happen there; they happen in those exclusive lounge areas possibly more than in other places,” she warns.
Cybercriminals often target travelers, Herold says, because “it is easy for them to commit their crimes without getting caught because there is usually no digital evidence created.”
Mac McMillan, CEO of security consultancy CynergisTek, offers a similar assessment: “Any time you travel overseas you may be at greater risk, as local cybercriminals will have access to your mobile devices, the locations where you are staying or the ISPs whose networks your traffic is traversing.”
Healthcare entities and other organizations – and their traveling staff members – should review information from the Federal Communications Commission, Department of Homeland Security, and other agencies for tips on securing their computing devices while overseas, McMillan stresses.
“The problem is that most private businesses don’t educate their employees on these risks,” he says. Government agencies “routinely brief employees on foreign travel risks and are always aware that overseas we are potential targets.”
Steps to Take
McMillan advises workers on vacation to “leave the work computer at home. Temporarily suspend access to sensitive apps and work email, and do not permit mail forwarding.”
But if remote access is absolutely required, he says, “employ two-factor authentication on both apps and email, and strong encryption on all devices. Use different passwords or pins when you travel. Do not make online purchases or go to your online banking site. Clear your cache regularly. Turn off auto-join on your Wi-Fi. If traveling for more than a few days, reset your settings. Above all keep your devices with you at all times and shielded from view.”
Keith Fricke, a consultant at tw-Security, notes that some companies issue a laptop specifically for overseas travel that is locked down more than normal and has fewer applications on it.
There have been reports of some private airplane flights having “hidden cameras” in them recording information on the screens of laptops passengers used during the flight, he says. “Stories also exist of hidden cameras in hotels of certain foreign countries or people entering hotel rooms when the occupant left the room for meetings or a meal. The intruder looked for ways to obtain unauthorized access to information,” he notes.
Herold advises organizations to take a number of precautions to reduce the risk of breaches while individuals are traveling.
“Implement policies for employees to not use public Wi-Fi,” she stresses. “Provide secured virtual private network or similar types of solutions for remote access. I carry my own device that I use to establish a private VPN connection. I never use public Wi-Fi, or the Wi-Fi in the hotels or restaurants either.”
Organizations should also require that data be encrypted in transit and in storage, she says. “That way, if someone gets access through a network, the data is not accessible. If they get access to the device, the data is not accessible.”
Herold also advises employers to “provide information security and privacy reminders and awareness communications of other types prior to employee travel so that they have the need to practice safe mobile computing at top of mind.”
The FBI recently noted a decline in ransomware attacks reported to the agency in 2017, at 1,783 compared to 2,673 the previous year. But don’t necessarily read this as good news. The reality is ransomware, like many other cyber-attack types, goes largely under-reported. A Verizon report, based on its analysis of tens of thousands of real-world security incidents, found that ransomware incidents have doubled over the past year.
Ransomware is a class of malware that locks your system and encrypts vital files. Attackers usually demand a cryptocurrency payment to release the files, but there’s no guarantee they will actually do so after receiving payment.
“We used to hear very often it was mostly consumers – but [for those attacks] you’re looking at $75 as a cyber-criminal,” says Theresa Payton, former White House CIO who’s now president and CEO of Fortalice Solutions. “Why do that when you can go from a mom and pop shop all the way up to the Fortune 50?
“And that’s what they’re doing. They’re hitting all businesses, targeting any business connected to the internet – and what business isn’t?”
In 2017 the WannaCry, NotPetya, and BadRabbit strains didn’t just disrupt business processes; they hobbled infrastructure and hurt international brands like FedEx. This took the ransomware threat vector to a “completely new level,” using worms to propagate through systems and impacting 300,000 to 400,000 devices worldwide, says Steven Wilson, head of Europol’s EC3 cyber-crime center.
And the rise of off-the-shelf kits that can be bought online for just dollars puts ransomware tools in the hands of anyone with the will to use them.
The organizational impact can be severe, ranging from downtime to reputational damage. One official British report suggested that the public response to WannaCry had even undermined trust in government.
“Just think: your entire customer records database is gone,” says Wilson. “You don’t know who owes you money, who you owe money to, or who you’re going to sell your product to. That’s the reality if ransomware strikes you. Everything is gone.”
If there is a positive outcome, it’s that WannaCry raised awareness that ransomware is here to stay: an unfortunate case of “if” and not “when”. Fortunately, there are basic cyber hygiene steps you can introduce to avert potential disaster.
Often it’s the unpredictable human element that’s the weakest link in cyber defense, so awareness training can go a long way.
On the technical side, it means making sure your systems are up to date and fully patched, so that the latest versions of your operating systems are running alongside trusted anti-malware solutions with the latest definitions.
And if the worst happens, maintain a recovery plan with a full set of backups.
According to Payton, organizations should also consider network segmentation and introduce kill switches to prevent malware from moving laterally, as WannaCry did.
“Practice for the worst and hope for the best – making sure you’re thinking ahead, practicing that digital disaster, practicing your comms plan,” suggests Payton, adding that organizations should also perform test runs on full restores.
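WannaCry moved laterally by probing TCP/445 on many neighbouring hosts in quick succession, which is exactly the pattern segmentation and a kill switch are meant to stop. The following is an added example, not code from the article or from Payton's firm: it scans constructed firewall flow records for a host fanning out to an unusual number of distinct SMB peers within a short window, and reports which of those peers lie outside the host's own /24, i.e. where a segment boundary did not hold. The log format, the 60-second window and the five-peer threshold are assumptions made for this example.

```python
"""Flag worm-like SMB fan-out in flow logs (added example; format and thresholds assumed)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "timestamp src dst dport".
# 10.1.1.20 sweeps seven hosts on 445 in four seconds, one of them in another segment;
# 10.1.1.50 makes two ordinary SMB connections minutes apart; 10.1.1.60 is HTTPS traffic.
SAMPLE_LOG = """\
2017-05-12T10:00:01 10.1.1.20 10.1.1.30 445
2017-05-12T10:00:02 10.1.1.20 10.1.1.31 445
2017-05-12T10:00:02 10.1.1.20 10.1.1.32 445
2017-05-12T10:00:03 10.1.1.20 10.1.1.33 445
2017-05-12T10:00:03 10.1.1.20 10.1.1.34 445
2017-05-12T10:00:04 10.1.1.20 10.1.1.35 445
2017-05-12T10:00:05 10.1.1.20 10.2.0.9 445
2017-05-12T10:00:10 10.1.1.50 10.1.1.5 445
2017-05-12T10:03:00 10.1.1.50 10.1.1.6 445
2017-05-12T10:00:11 10.1.1.60 10.1.1.7 443
"""


def parse_flows(text):
    """Parse log lines into (time, src, dst, dport) tuples, skipping malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            flows.append((ts, parts[1], parts[2], int(parts[3])))
        except ValueError:
            continue
    return flows


def smb_fanout_alerts(flows, window=timedelta(seconds=60), peer_threshold=5):
    """Return {src: peer_count} for sources that contact at least peer_threshold
    distinct hosts on TCP/445 inside any sliding window of the given length."""
    per_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({dst for _, dst in events[start:end + 1]}))
        if best >= peer_threshold:
            alerts[src] = best
    return alerts


def crossed_segments(flows, src):
    """SMB destinations of src outside its own /24: evidence segmentation was not enforced."""
    prefix = src.rsplit(".", 1)[0]
    return sorted({dst for _, s, dst, p in flows
                   if s == src and p == 445 and dst.rsplit(".", 1)[0] != prefix})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_LOG)
    for src, count in smb_fanout_alerts(flows).items():
        print(f"isolate {src}: {count} distinct SMB peers within 60s; "
              f"cross-segment targets: {crossed_segments(flows, src)}")
```

In practice the alert would drive an automated quarantine of the source host at the switch or firewall, which is the kill switch Payton describes.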
How can the technology community help?
Public and private bodies must work together with vulnerabilities out in the open, collaborating to prevent or mitigate future disasters. NoMoreRansom, for example, pools resources across organizations to provide decryptors for known threats.