Tag: Cybersecurity

They say that numbers don’t lie, but they can be manipulated to tell a prettier version of the truth. When looking at the cost of a data breach, most organizations want to see low numbers. The reality is that the total cost of a data breach is both quantifiable and difficult to gauge.

Whether analyzing the numbers on a per stolen record basis or by the average total cost of a data breach, the numbers are lofty according to the 2017 Cost of Data Breach Study: Global Overview released in June by the Ponemon Institute.

Though down from 2016, the average total cost of a data breach of the more than 400 companies that participated in the study is $3.62 million.

Kaspersky Lab widened the net in its survey of the cost of a cyberattack and found that from the 5,000 participants, the total impact of a breach for a North American enterprise comes it at only $1.3 million—about a a third what the Ponemon study reported.

That’s quite a gap that on the surface has North American enterprises benefiting from geography, but they reported have suffered the most breaches with the highest loss of records. Overall, each breach is not only growing larger but more costly as well.

Piecing the price together

Understanding the bigger picture of the overall cost of a breach involves more than numbers. Here are a few additional pieces to consider when piecing together the bigger puzzle of the total cost of a breach:

  • A data breach results in broken trust. Customer loyalty is at the heart of most organizations. Without customers, there really is no business. When the customer’s trust is broken, the business suffers a loss in both profits and shares. It’s one that might be difficult to quantify immediately, but the overall impact can be quite significant.
  • Size does matter. When most people think about the recent Equifax breach, it’s the sheer number of stolen records that sounds most alarming. To say we’ve been breached is an unfortunate result of doing business in today’s digital world. Having to confess that more than 143 million records were stolen might be hard to come back from.
  • Time is money. By the time most breaches are detected, the malicious actors have been in the network for some time—anywhere from 30 days to more than a year. The longer they are able to linger undetected, the greater the damage.
  • More than a penny for your thoughts. No one likes to be the bearer of bad news, but in the aftermath of a breach, victims need to be notified. Often times, the costs of responding to a breach include the price of counsel, law enforcement, identity protection services for victims and other customer service communications. Add to that the public relations investment needed to sustain the court of public opinion.
  • What you can’t put a price on. Tied into the overall cost—or loss—in the aftermath of a breach is the reality that people will lose their jobs. There’s no real ‘cost’ in an employee resigning, but there are expenses incurred by the enterprise like the $4 million in pension benefits that the former Equifax CEO will collect.
  • Why things start to add up. The greatest cost to companies that have been breached result from having to either pay internal staff more money for the time it will take to respond to the attack or to hire outside help, like forensic investigators.

Self driving cars have effectively transitioned from an incredible-but-far-off-possibility to a changing market with world wide growth. Still, connected cars are vulnerable to attack.

Charlie Miller and Chris Valasek have been pushing the automotive industry to  make security a top priority for years. In 2015, the researchers hacked in a Jeep, and in 2017, there is now a growing automotive cybersecurity market.

Growing at over 9% of CAGR, the automotive cybersecurity market has extended across the globe to include Europe, North America, Asia, and the Middle East and Africa. As the industry grows, so too will new legislation impact the trajectory of the markets, according to the 2017 Global Automotive Cyber Security Market Report.

Continue reading

The collision of the USS John McCain (naval destroyer) and an oil tanker near Singapore is the recent incident in a series of four naval mishaps in 2017 alone that have plagued the U.S. Navy.  Ten U.S. sailors were initially lost at sea, some whose bodies have since been recovered.

USS_John_S._McCain_(DDG-56) after the collision

 

Are all incidents connected?

There has been much speculation as the cause of the latest accident, with some believing more than “human error” to be the root of the issue.  The other three incidents included the USS Antietam (guided missile cruiser) running aground of the coast of Japan in January, the collision of the USS Champlain (cruiser) and a South Korean fishing vessel, and the crash between the USS Fitzgerald (destroyer) and a container ship in June.  All of the vessels are part of the U.S. Pacific Fleet, and three of them are part of the U.S. 7th Fleet, the largest of the U.S. Navy’s forward-deployed fleets.  Cruisers and destroyers carry theater ballistic missile interceptors, long-range Tomahawk land attack missiles, and anti-aircraft missiles.

Could Cyber be the cause?

While the cause remains unknown at this time, there is strong speculation that cyber malfeasance may have been the catalyst.  One top U.S. Navy admiral tweeted that the Navy will conduct a thorough investigation, including a review into the possibility of “cyber intrusion or sabotage.”  Indeed in the USS Fitzgerald incident, there is strong suspicion that hostile cyber attack may have prevented the radars and systems in place from identifying the other ship.  As one news source pointed out, under standard protocol, the Fitzgerald’s captain should have been awakened and summoned to the bridge to assure a safe passage long before the ships could come near each other.

Maritime cyber security concerns have garnered attention as of late. In June 2016

 

Cyber threats to Global Shipping

Danish shipping giant Maersk was victimized by the global Petya cyberattack outages, which impacted container shipping, port and tug boat operations, oil and gas production, drilling services, and oil tankers.  Damage estimates have ranged from USD $200-$300 million to the company. The Maritime Safety Committee of the International Maritime Organization adopted a resolution that established guidelines for cyber risk management for commercial shipping sector.   In another incident, pirates broke into a shipping firms computer systems, allowing them to see which vessels were transporting the cargo they wanted to seize.

Are military vessels at risk too?

While this issue has mostly focused on civilian vessels, the events plaguing the U.S. Navy demonstrate how military naval assets can potentially be targeted by malfeasant actors, particularly those supporting a nation state’s interests.  Stealthy espionage operations have been traditionally leveraged by these actors seeking to steal information, maintain access, and generally monitor target systems.  However, the 2010 Stuxnet and a series of wiper malware incidents have revealed how suspected state actors can become more destructive in cyberspace if their intent changes from spying to punishing.

 

There is some evidence that some nation-states have been experimenting with the targeting of naval vessels via the digital domain.  According to a June 2017 report from a security company, 20 ships near the Russian Black Sea coast indicated that their Global Positioning System (GPS) location to be inland at Gelendzhyk Airport.  Such GPS anomalies can certainly be interpreted as Russia testing security measures and its capabilities by spoofing GPS that could be leveraged against opposing targets in the event of a military conflict (It should be noted that the U.S. military uses encrypted signals for geolocation of vessels, rather than commercial GPS).

Conclusion

Regardless if these series of incidents were coincidences or the result of purposeful targeting, it potentially demonstrates how valuable military assets can be targeted in the cyber domain.  Effective cyber attacks do not necessarily have to be ones that seek to destroy or even disrupt the function of information systems.  Disinformation and deception are useful tools that when operationalized properly can create specific effects. If surreptitious access can be obtained, manipulating data rather than erasing it can prove more advantageous.  The clandestine nature of such attacks and the timing of their execution not only accomplish intended objectives, but provide a level of obfuscation and plausible deniability for the attackers.

 

A more thorough investigation of the USS John McCain will hopefully yield findings that will determine the cause of the tragedy.  But the fact that maritime vessels – including those of the U.S. Navy – are on hostile actors’ target lists cannot be understated.  With 320,000 active duty personnel and 274 ships (of which more than 20 percent are deployed across the world at one time), ensuring the integrity of systems and logistics is crucial to the success of its mission.  Acknowledging its security situation and where there needs to be improvements is a step in the right direction but there needs to be a comprehensive strategy from the top down to start to address these existing shortcomings before they become a real problem.  If they haven’t already.

 

This is a guest post written by Emilio Iasiello.

 

In late July 2017, hackers referring to themselves as “31337” initiated a campaign that posted sensitive personal data on Pastebin, an online bulletin board where hostile actors have been observed dumping sensitive information for public consumption.  The group released a 32 MB file titled “Mandiant Leak: Op. #LeakTheAnalyst,”claiming that the data was taken from a senior threat intelligence analyst at a well-known computer security vendor.  The company has asserted that none of its internal networks were penetrated by the hackers, although three corporate documents and two customers were exposed via the victim’s personal social media accounts.

Dump posted on Pastebin

The threat analyst’s online credentials had been released into the wild as a result of eight data breaches of third parties that had occurred previously.  Any evidence of corporate compromise, such as screen grabs that purposefully intimated a network breach was manufactured, according to a company statement.  Regardless, according to news reports, company stock felt an immediate impact, dropping 5 percent after the incident was made public.

Private security companies have gained prominence for their efforts in detecting and identifying hostile cyber activity, particularly those perpetuated by suspected nation state or state-affiliated actors.  Notably, another private company – and not the Federal Bureau of Investigation or the Department of Homeland Security – led the mitigation and remediation efforts after the 2016 breach into the Democratic National Committee networks.  Indeed, law enforcement and private sector companies are proving to be a positive collaboration.  Private sector companies have the resources and connections to proactively report criminal activity and support investigations with digital forensics and malware reverse-engineering.  In several instances, both groups have joined forces in an effort to disrupt cybercriminal businesses with ransomware connections.

However, this recent incident is notable as it is one of the first instances where hostile actors have deliberately targeted security and intelligence analysts at private security firms with the intent of revealing their identities for further damage.  In its post advertising the LeakTheAnalyst Op, the group’s motivation is rooted in revenge.

 

“In the #LeakTheAnalyst operation we say ****

the consequence let’s track them on Facebook,

Linked-in, Tweeter, etc. let’s go after everything

they’ve got, let’s go after their countries, let’s

trash their reputation in the field. If during your

stealth operation you pwned an analyst, target

him and leak his personal and professional data,

as a side job of course.”

 

In essence, it may be a harbinger of things to come where hostile cyber actors are seeking to turn the tables on their white hat counterparts.

 

From a larger perspective, companies must consider the negative ramifications of the doxing of their employees and how that potentially affects company branding.  Take for instance the unfortunate events surrounding DigiNotar.  In 2011, DigiNotar’s system was tricked into issuing more than 500 fraudulent digital certificates for top Internet companies. This caused such severe damage to the company’s image and business that confidence was unrecoverable. The company ultimately went bankrupt.

 

While the group intimates that more doxes are to follow, there is some skepticism that the group will or even has the skill set required to conduct more sophisticated attacks to exploit systems and retrieve more sensitive information.  The fact that it appears the group gave off the false impression that it had compromised the company’s networks certainly suggests they may have limited capabilities in this capacity.

 

While the incident demonstrates that even security professionals are subject to targeting and victimization, the greater concern is whether this will be an isolated incident or the beginning of something more serious.  Media attention given to private sector computer security firms in exposing advanced persistent threat (APT) actors or cybercriminals operating in the dark web has certainly gotten the attention of these groups and individuals.  With the recent targeting, it now has placed them in the cross-hairs of at least some of these same entities.

 

It is uncertain if the publicity this incident has generated will entice other more skilled hostile actors – such as APT-affiliated or nationalistic actors – to join in the crusade.  Several suspected APT actors have been “outed” by private security companies, and ongoing coverage has negatively highlighted the activities of patriotic hackers (e.g., the distributed denial-of-service attackers observed against Estonia in 2007, and against U.S. banks during Operation Ababil), and recently, those of Russian Internet trolls during the 2016 U.S. Presidential election.  Where aggrieved unsophisticated hackers pose at most a modest threat, a more motivated and advanced actor set seeking revenge on the very organizations that have established their reputations from their exposure is a different adversary altogether.  Attacking brand image and eroding public confidence puts security company solvency at risk.

 

A bugle has inadvertently been sounded; it remains to be seen if that call is answered.

 

This is a guest post written by Emilio Iasiello.

 

On June 27, 2017, the Cyberspace Administration of China (CAC) released its National Cyber Threat Response Plan to help bolster its cyber security posture.  According to news sources citing a document posted on the CAC website, the Plan includes a four-tier color-coded warning system that ranked the severity of cyber attacks Red (the highest level), Orange, Yellow, or Blue (the lowest level).

Continue reading

On May 11, the U.S. President’s Executive Order (EO) “Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure” was finally signed.  This long awaited EO comes on the heels of leaked earlier versions throughout the first part of 2017.  Each subsequent leaked iteration – a draft was published by the Washington Post in January, a revision was published by the Lawfare Blog in February, and the most comprehensive iteration was leaked in early May and also published by the Lawfare Blog.

Continue reading

3 non-technical positions in high demand in the cybersecurity industry

We keep hearing about the widening skills gap ravaging the Cybersecurity industry. Lack of qualified personnel is slowing its growth and affecting the security level of the customers. But most people outside the industry see these statistics and shrug. The cybersecurity industry is perceived as a very small, elitist segment of the tech market. Even to point of it being a niche industry.

Continue reading

RSAC 2017- more of the same, but some interesting trends emerge

RSAC 2017 is behind us. It has been bigger, noisier and more crowded than any cybersecurity event in history. It’s so big, it’s overwhelming. And if you consider the off-site meetings, mini-conferences, meetups and parties you can forgive an average visitor if he or she feels kind of fuzzy afterward. Vendors don’t have it easy, either. With more than 700 companies and organizations presenting, trying to stand out or simply gauge the competition is extremely difficult.

Continue reading

The Cyber Coordinator: Let the Dog Bite

Former New York Mayor Rudy Giuliani has been tapped to be the President’s new “cyber security czar.”  The appointment has been met with trepidation among those in the information security business who point out Mr. Giuliani’s lack of expertise in anything cyber-related, despite being Chair of the Cybersecurity, Privacy and Crisis Management Practice at a Miami-based law firm and advising companies on information security since 2002.  In fact, critics cite recent reporting revealing that passwords used by Giuliani and 13 other top staff members have been leaked in mass breaches of websites like LinkedIn, MySpace, and others between 2012 and 2016.

Continue reading