It is no secret that many people nowadays do not pay much attention when they surf the web at home or at work. New data breaches and exploits appear on a daily basis, and failing to take any precautions can result in catastrophic consequences. Even the biggest corporations are paying millions of dollars to improve their cybersecurity and remain safe. However, if you still believe some of the common cybersecurity myths, you may be putting your own computer, or even your whole organization, at huge risk. We at CyberDB have decided to bust the top 5 cybersecurity myths and make things clear for you.
There has been recent focus on alleged Iranian cyber activity over the past few weeks, spurred on by the publication of a vendor report on Iranian operations. Per the vendor’s findings, not only was Iran likely behind the activity targeting government and private-sector organizations in the Middle East, it was also using National Security Agency exploits that were stolen and dumped into the public domain by the Shadow Brokers group in April 2017. As recently as late August 2018, Iran is suspected of trying to launch influence operations ahead of the midterm elections. The conclusion is that Iran is increasingly using asymmetric attacks, particularly via cyberspace, as part of its toolbox for conducting retaliatory attacks.
The new reporting comes at a time when Russia’s cyber malfeasance has largely dominated the press, due to its influence operations efforts and election shenanigans, not just in the United States but in other countries as well. Prior to the Russia focus, North Korea was the focal point with its suspected cyber activities targeting cryptocurrency, and the SWIFT banking transactions before that. Iran was propelled onto the scene with Operation Ababil
According to 2017 reporting, Major League Baseball believed that the Boston Red Sox, at the time in first place in the American League East, used the Apple Watch to illicitly steal hand signals from opposing teams. Allegedly, the Apple Watch was used not only to “steal” hand signals from opposing catchers during games, with the help of video recording equipment, but also to transmit the information, likely to team trainers. The theft of such information would help determine the type of pitch that was about to be thrown. Recording signals is strictly forbidden by league rules.
When it comes to targeting billion-dollar sports franchises, many would assume that cyber criminals would be the foremost actors behind the scenes. Based on a 2015 report that estimated the professional sports market in North America would be worth $73.5 billion by 2019, it’s easy to see why. Indeed, there have been several incidents where cyber crime operations have focused on professional sports teams. In April 2016, players of the National Basketball Association’s Milwaukee Bucks had their financial documents (player addresses, Social Security Numbers, and compensation) accidentally leaked after a team employee fell victim to an e-mail scam. The employee released the players’ 2015 IRS W-2 documents to an emailer impersonating the team’s president. Also in 2016, a crippling TeslaCrypt ransomware attack hit a NASCAR racing team. An estimated $2 million worth of information was potentially lost, prompting payment of the ransom to the criminals.
Thus far, there have been no confirmed retaliatory cyber strikes conducted by a victimized government against a suspected aggressor state. There has been some speculation that after the Sony Pictures attack, the United States “knocked” North Korea off the Internet for a brief period of time, although this has never been corroborated. Despite being a cyber power, the United States has demonstrated restraint in punishing those transgressor states it believes to have orchestrated cyber attacks against its interests, preferring to level sanctions as a punitive alternative.
The question governments ask is how to deter hostile acts in cyberspace. While that is an important question to raise, perhaps the reality is that there is no viable answer. There is a reason why international efforts continually fail to reach consensus on cyber norms, Internet governance, and the legalities and criteria of hacking back: there is no fundamental desire to actually find a solution. Governments willing to agree to standards and principles on any of these issues are stating their willingness to abide by them, and while that may fit the current situation, the dynamism of cyberspace has proven unpredictable. Being cuffed to an agreement that no longer has relevance while other governments operate without constraints is not an ideal situation. Therefore, without an agreement in place, the status quo remains.
Nowadays cybersecurity is essential for individuals, companies, economies, governments and nations as a whole. The reality is that all of them are trying to keep pace with the latest cyberattacks, but some countries are committing more to cybersecurity than others.
One of the best ways to see where most cyberattacks really come from, in real time, is to use the map created by Norse.
Another great alternative, if you want to find out which countries are best prepared against cyberattacks, is the Global Cybersecurity Index (GCI) created by the International Telecommunication Union (ITU). As the ITU describes it, it is “…a survey that measures the commitment of Member States to cybersecurity in order to raise awareness.” The GCI covers the five pillars of the ITU Global Cybersecurity Agenda (GCA): legal, technical, organizational, capacity building and cooperation.
The U.S. Federal Trade Commission (FTC) is currently investigating whether Facebook, Inc. allowed personal data to be used by an analytics firm associated with the Trump campaign. Specifically, the FTC is trying to determine whether the company violated the terms of an earlier consent decree when 50 million users’ data was transferred to Cambridge Analytica, a data and media consultancy firm. To date, Cambridge Analytica has been accused of misrepresenting the purpose of some of its data mining, which yielded roughly 30 million Facebook profiles it could comb for data. This calls into question how consumer information is shared with other entities, particularly when consent was not provided.
Social Media & GDPR
This revelation has called into question how social media sites harvest personal information from their platforms. As one article pointed out, “Some large-scale data harvesting and social manipulation is okay until the election. Some of it becomes not okay in retrospect.” This is indeed troubling at a time when personal information is constantly used by malicious actors for monetization or in support of other operations (e.g., social engineering, spam, phishing, credential theft, etc.). A recent report by a content marketing agency revealed that Facebook logins can be sold for USD $5.20. Such access gives a criminal the compromised individual’s contact list, which can then be used to target other individuals. According to the same report, an individual’s entire online identity, including personally identifiable information and financial accounts, could be sold for USD $1,200.00. After initially denying the claim, Facebook acknowledged the breach and promised to take action.
They say that numbers don’t lie, but they can be manipulated to tell a prettier version of the truth. When looking at the cost of a data breach, most organizations want to see low numbers. The reality is that the total cost of a data breach is both quantifiable and difficult to gauge.
Whether analyzed on a per-stolen-record basis or by the average total cost of a data breach, the numbers are lofty according to the 2017 Cost of Data Breach Study: Global Overview, released in June by the Ponemon Institute.
Though down from 2016, the average total cost of a data breach for the more than 400 companies that participated in the study is $3.62 million.
The recent breach of Equifax, a global information solutions company that organizes, assimilates and analyzes data on consumers and businesses worldwide, and one of the three major credit reporting agencies, exposed the data of approximately 143 million people in the United States. Between May and July, the breach gave attackers access to names, Social Security numbers, birth dates, and even driver’s licenses, in addition to 209,000 credit card numbers and dispute details for another 182,000 individuals. According to the company, the attackers exploited a U.S. website application vulnerability to gain access to certain files. In addition to being a major credit bureau, Equifax is a partner of the Internal Revenue Service (IRS), the Centers for Medicaid and Medicare, and the Social Security Administration, all major targets of hostile cyber actors.
More alarming than the breach itself is the fact that details of the breach weren’t made public until six weeks after it had occurred, and the company hasn’t said why it waited so long before notifying the public. One possibility is that the company was investigating the causes and extent of the breach, although this is only speculation. To add insult to injury, it was revealed that three of Equifax’s executives sold company stock prior to the disclosure of the breach. While the company maintains that these individuals had not been notified of the breach prior to the sale, once the breach was made public, Equifax’s stock value plunged 18 percent, with some estimates predicting further losses.
Unsurprisingly, this culmination of events has outraged the American public, and that anger has reached the U.S. government, igniting a bipartisan political response to the breach. The U.S. Senate Finance Committee has pressured Equifax to disclose what happened and why. Its 13-question letter covers topics such as the details of the breach’s discovery, the company’s victim notification plan, and the steps taken to mitigate consumer impact. The company has until September 28 to answer the questions outlined in the Committee’s letter.
The Equifax breach comes at a time when some significant organizations have failed to safeguard the sensitive personal information of citizens. Notable breaches have included the 2015 Anthem breach that surrendered 79 million people’s personal information; the 2015 Office of Personnel Management (OPM) breach that compromised more than 4 million personnel records of individuals applying for security clearances; and the 2016 IRS breach that exposed the personal information of more than 700,000 individuals.
It is important to underscore that these millions of individuals did not carelessly protect or handle their own data. Rather, it was the inability of the “responsible” organizations that require the information for their business purposes to properly secure it, which calls into question the extent of their responsibility, accountability, and consequence. Even when offering potential victims a way to check whether their information might have been compromised, Equifax required the last six digits of an individual’s Social Security number, not the last four that are more standard. Providing additional information to the website of an entity that has demonstrated its inability to protect what it already had is certainly not reassuring.
Currently, 48 states have laws requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. However, the “time of notification” varies and, in several instances, is defined in vague terms such as “most expeditious.” This is completely unacceptable in today’s cyber reality, where the criminal element can operate quickly and monetize stolen information immediately, before victims are even aware that they have been compromised. In 2011, the Social Security Administration (SSA) failed to inform thousands of Americans that it had accidentally released their names, dates of birth and Social Security numbers in an electronic database widely used by U.S. business groups. The SSA essentially ignored the established reporting guidelines of the U.S. Privacy Act, which protects the personal information of private citizens. Such actions are not only negligent but border on criminal in their own right.
The U.S. public is tired of seeing massive breaches occur without any accountability or consequence levied against those organizations that were trusted and failed to protect the sensitive information of other people. Fines do not send a serious enough message, and CEO firings and/or forced resignations have not made any significant impact in implementing change in cyber security practices. U.S. Congress, long maligned and unpopular according to one tracking service, has the opportunity to demonstrate bipartisanship and pass strict disclosure mandates, along with an appropriate level of grave consequences.
While much attention has been focused on nation-state cyber capabilities, the frequency and pace of major breaches like the Equifax breach have become white noise that gets a moment’s notice before attention turns to sexier cyber topics. This has got to change. While the crippling of U.S. critical infrastructure as a result of a cyber attack could have far-reaching impacts, it remains a hypothetical scenario. What is actually transpiring is the rampant mass exploitation and misuse of the U.S. public’s personal information, which affects everyone, regardless of political party, economic class, or religious ideology. That seems a call that both sides of the aisle should be able to get behind.
It’s that time of the year when data breaches are just everywhere. And once again, our old friend Yahoo surprises us with another end-of-year hack. Only this time, it’s not several million, but a billion compromised accounts.
Unsurprisingly, the healthcare sector continues to be an attractive target, as stolen data continues to provide value to a diverse set of threat actors. Indeed, criminals and actors associated with traditional cyber espionage have conducted some of the more news-garnering incidents of the past few years. What’s more, depending on the actors’ intent, all types of information have been sought after and stolen by these groups and individuals, including financial and insurance-related information, personally identifiable information, and even the health records of patients. The targeting of these different types of data should demonstrate to the healthcare industry that there is no seemingly benign data when it comes to healthcare, and that strategies must be designed to safeguard any and all types of data relating to patients and their treatment.