Ransomware Victims Have Paid $25 Million in the Span of 2 Years, Google-Led Study Shows
Since 2016, ransomware victims have paid over $25 million to cyber criminals, according to a new Google-led study conducted with input from researchers at the University of California San Diego (UCSD), New York University (NYU) and Chainalysis.
Google researchers – Elie Bursztein, Kylie McRoberts, Luca Invernizzi – in the study called “Tracking desktop ransomware payments end to end” found that over the period of 2 years, ransomware criminals have earned a total of $25,253,505.
"A niche term just two years ago, ransomware has rapidly risen to fame in the last year, infecting hundreds of thousands of users, locking their documents, and demanding hefty ransoms to get them back,” Bursztein, McRoberts and Invernizzi said. “In doing so, it has become one of the largest cybercrime revenue sources, with heavy reliance on Bitcoins and Tor to confound the money trail.”
According to Google, search queries for the keyword “ransomware” have increased by 877% since 2016. The term refers to malware that encrypts a victim’s computer and demands a ransom payment for the key to unlock it.
The top 10 ransomware earners, according to the Google-led study, are Locky (with total earnings of $7.8 million), followed by Cerber ($6.9 million), CryptoLocker ($2 million), CryptXXX ($1.9 million), SamSam ($1.9 million), CryptoWall ($1.2 million), AlNamrood ($1.2 million), TorrentLocker ($1 million), Spora ($0.8 million) and CoinVault ($0.2 million).
According to the study, a ransomware campaign goes through the following process:
Aside from being the top-grossing ransomware since 2016, Locky is also singled out by the Google-led study as notable for being the first ransomware to earn $1 million per month.
The Google-led study said Locky brought “ransoms to the masses”. This ransomware first appeared in February 2016. According to Symantec, cyber criminals aggressively spread this malware by using compromised websites and massive spam campaigns. This malware encrypts files on victims’ computers and demands ransom payment.
Allen Stefanek, president and CEO of Hollywood Presbyterian Medical Center, publicly admitted that, as a result of a Locky ransomware attack, the hospital paid 40 bitcoins, equivalent to nearly $17,000. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. “In the best interest of restoring normal operations, we did this.”
Another ransomware the study singles out is notable for its consistent income of $200,000 per month for over a year. This malware also first appeared in February 2016.
According to Kaspersky Lab, this ransomware, also dubbed a “multipurpose malware”, encrypts files when executed from an email attachment and demands money for their safe return. According to Kaspersky Lab, it also puts infected computers to other uses, such as launching distributed denial of service (DDoS) attacks or sending spam as a spambot.
Wipeware vs. Ransomware
Worth noting is that the Google-led study did not include WannaCry and NotPetya (also known as Petya) in the top 10 highest-grossing ransomware of the past two years. WannaCry ranked only 11th, with total earnings of $0.1 million.
The Google-led study classified WannaCry and NotPetya as ransomware “impostors”. The study found that even when WannaCry and NotPetya victims paid the ransom, they still could not unlock their computers. “Wipeware pretending to be ransomware is on the rise,” the researchers noted.
Matt Suiche of Comae Technologies, who concluded that NotPetya is a wiper rather than ransomware, explained the difference between a wiper and ransomware:
"The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) – a wiper would simply destroy and exclude possibilities of restoration."
WannaCry first appeared last May 12; NotPetya first appeared last June 27. While WannaCry affected hundreds of thousands of computers around the world, NotPetya only affected tens of thousands of computers worldwide. The glaring similarity between WannaCry and NotPetya is how they affected major government institutions and big companies.
WannaCry disrupted the operations of UK’s National Health Service, Renault's assembly plant in Slovenia, U.S. express delivery company FedEx and Spanish telecommunications company Telefonica. NotPetya, meanwhile, disrupted the operations of the Chernobyl nuclear plant, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck, Cadbury and Oreo-maker Mondelez and Russian oil and gas giant Rosneft.
How to Protect Your Organization from Ransomware and Wipeware
Here are 4 tips on how to protect your organization from ransomware and wipeware:
1. Backup Your Data
According to the Google-led study, ransomware criminals were able to inflict significant damage on their victims because only 37% of computer users back up their data.
In today’s digital world, organizations operate effectively only when their data is available. Given the importance of data to your organization, this critical asset should be protected at all costs.
When it comes to data backup, a single backup copy may not be enough to safeguard your organization’s data. The United States Computer Emergency Readiness Team (US-CERT) recommends that organizations follow the “3-2-1 rule”:
2. Keep Your Operating System and Other Software Updated
Microsoft’s Windows 10 update, for instance, can help detect the latest batch of Cerber ransomware.
3. Disable Loading of Macros in Office Programs
“To help prevent malicious files from running macros that might download malware automatically, we recommend you change your settings to disable all except digitally signed macros,” Microsoft said.
4. Think before You Click
Refrain from opening emails from senders you don’t recognize. Don't click or open the following attachments:
Vulnerable IoT Devices Used to Carry out DDoS Attacks
A British man admitted in court this week that he carried out a cyber attack on Deutsche Telekom last year. He claimed that a competitor of the telecom company paid him $10,000 to do the job.
In November last year, Deutsche Telekom publicly acknowledged that internet access for nearly 1 million of its customers was disrupted as a result of a cyber attack. “We saw attacks from the Mirai botnet that targeted customer routers globally,” Thomas Tschersich, head of IT security at Deutsche Telekom, said in a video message posted on Twitter. “The attack led to the devices crashing.”
DDoS, IoT and Botnets Explained
Distributed denial of service (DDoS) attacks are one of the most significant cyber threats to businesses today. In a DDoS attack, a cyber criminal infects hundreds of thousands of computers or Internet of Things (IoT) devices with malicious software and, without the owners’ knowledge, turns them into a “botnet”, also known as a “zombie army”, capable of launching powerful DDoS attacks against a particular website or email service.
The attack is “distributed”, according to the United States Computer Emergency Readiness Team (US-CERT), because the attacker is using multiple computers to launch the denial of service attack.
Vulnerability of IoT Devices
IoT devices, which include webcams, routers, CCTV cameras and smart TVs, are emerging devices that are connected to one another via the internet. “IoT devices are particularly susceptible to malware, so protecting these devices and connected hardware is critical to protect systems and networks,” US-CERT said.
According to Symantec, IoT devices are being targeted due to the following reasons:
1. Poor Security
Many of today’s IoT devices use default usernames and passwords, making it easy for cyber criminals to infect the device with malware. In addition, Universal Plug and Play (UPnP), a feature that opens a port on the router so the device can be reached from the internet, makes such devices easy targets for cyber criminals.
2. Processing Power Limitations
Many IoT devices use basic operating systems. This means that a lot of these devices don’t have advanced security features. Most of these devices are simply plugged in and owners don’t bother to apply security updates.
IoT Botnets: Zombie Armies of Cyber Criminals
Cisco, in its 2017 midyear cyber security report, cited 3 common features of IoT botnets:
1. Fast and Easy Setup
The setup can be completed within an hour.
2. Rapid Distribution
Cyber criminals can have a botnet of more than 100,000 infected IoT devices in just 24 hours. This rapid distribution results in exponential growth in the size of the botnet.
3. Low Detection Rate
It is hard to obtain samples of an IoT botnet because the malicious code resides only in the device’s memory. Once the infected device is restarted, the bot is wiped out.
In late 2016, IoT devices were used by the Mirai botnet to carry out crippling DDoS attacks.
In September 2016, the Mirai botnet was used to carry out a DDoS attack, peaking at 665 Gbps, on the website of cyber security blogger Brian Krebs. In the same month, shortly after the attack on Krebs’ website, Mirai was used to attack the web hosting operation of the French company OVH with an even larger attack of about 1 Tbps. On September 30, 2016, the attacker known as “Anna-senpai” publicly released the source code of Mirai.
In October last year, Mirai waged its biggest attack on DynDNS – a DNS provider that’s used by a number of major websites. The DDoS attack on DynDNS caused an outage on hundreds of popular websites including PayPal, Twitter and Spotify.
"We can confirm, with the help of analysis from Flashpoint and Akamai, that one source of the traffic for the attacks were devices infected by the Mirai botnet,” DynDNS said in a statement. “We observed 10s of millions of discrete IP addresses associated with the Mirai botnet that were part of the attack."
In November last year, Mirai once again tried to infect IoT devices, this time the routers of Deutsche Telekom. The telecom company said that internet access of over 900,000 customers – out of its 20 million customers – was disrupted.
“The attack attempted to infect routers with a malware [Mirai] but failed which caused crashes or restrictions for four to five percent of all routers,” the telecom company said. “This led to a restricted use of Deutsche Telekom services for affected customers.”
According to Cisco, Mirai works by connecting to an IoT device using a list of over 60 factory default usernames and passwords. Once the device is infected, it locks itself against takeover by other botnets. The malware then reports the compromised IP address and credentials to a centralized ScanListen service, after which the infected device helps harvest new bots, producing a self-replicating pattern.
According to Imperva Incapsula, unique IP addresses which hosted Mirai-infected devices were mostly CCTV cameras. Other Mirai-compromised IoT devices included DVRs and routers. Incapsula added that IP addresses of Mirai-infected devices were seen in 164 countries, appearing even in remote locations such as Somalia, Tajikistan and Montenegro.
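As an added illustration (not from Cisco, Incapsula or any other source cited here), the following Python script turns the recruitment behaviour described above into a detection a network defender can run over egress firewall logs: it flags internal hosts that open TCP telnet connections to many distinct destinations within a short window. The log format and the sample lines are constructed, and port 2323 as an alternate telnet port is an assumption.

```python
"""Detect internal hosts that behave like Mirai-infected IoT devices.

A compromised device tries to recruit new bots by opening telnet
connections to many unrelated addresses in a short time. A legitimate
camera or router almost never does that, so a burst of distinct telnet
destinations from a single internal source is a useful detection signal.
"""
import re
from collections import defaultdict
from datetime import datetime

# Telnet ports to watch: 23 is standard, 2323 is an assumed common alternate.
TELNET_PORTS = {23, 2323}

# Constructed sample of egress firewall log lines (assumed format, not real traffic).
SAMPLE_LOG = """\
# egress firewall, constructed sample
2016-11-27T10:00:00 SRC=10.0.0.40 DST=192.0.2.1 PROTO=TCP DPT=23
2016-11-27T10:00:01 SRC=10.0.0.21 DST=198.51.100.1 PROTO=TCP DPT=23
2016-11-27T10:00:02 SRC=10.0.0.21 DST=198.51.100.2 PROTO=TCP DPT=23
2016-11-27T10:00:03 SRC=10.0.0.21 DST=198.51.100.3 PROTO=TCP DPT=23
2016-11-27T10:00:04 SRC=10.0.0.21 DST=198.51.100.4 PROTO=TCP DPT=2323
2016-11-27T10:00:05 SRC=10.0.0.30 DST=203.0.113.5 PROTO=TCP DPT=443
2016-11-27T10:00:05 SRC=10.0.0.21 DST=198.51.100.5 PROTO=TCP DPT=23
2016-11-27T10:00:06 SRC=10.0.0.30 DST=10.0.0.200 PROTO=TCP DPT=23
2016-11-27T10:00:06 SRC=10.0.0.21 DST=198.51.100.6 PROTO=TCP DPT=23
2016-11-27T10:00:07 SRC=10.0.0.21 DST=198.51.100.7 PROTO=TCP DPT=23
2016-11-27T10:00:08 SRC=10.0.0.21 DST=198.51.100.8 PROTO=TCP DPT=23
2016-11-27T10:00:09 SRC=10.0.0.30 DST=10.0.0.200 PROTO=TCP DPT=23
2016-11-27T10:00:10 SRC=10.0.0.30 DST=198.51.100.9 PROTO=UDP DPT=23
2016-11-27T10:02:00 SRC=10.0.0.40 DST=192.0.2.2 PROTO=TCP DPT=23
2016-11-27T10:04:00 SRC=10.0.0.40 DST=192.0.2.3 PROTO=TCP DPT=23
2016-11-27T10:06:00 SRC=10.0.0.40 DST=192.0.2.4 PROTO=TCP DPT=23
2016-11-27T10:08:00 SRC=10.0.0.40 DST=192.0.2.5 PROTO=TCP DPT=23
2016-11-27T10:10:00 SRC=10.0.0.40 DST=192.0.2.6 PROTO=TCP DPT=23
"""

LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) PROTO=(\S+) DPT=(\d+)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, proto, dpt = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "proto": proto, "dpt": int(dpt)}


def find_telnet_scanners(lines, window_seconds=60, min_targets=5):
    """Return {source: peak distinct telnet destinations} for every source that,
    within some window of window_seconds, contacted at least min_targets
    distinct hosts on a telnet port over TCP."""
    attempts = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in lines:
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] in TELNET_PORTS:
            attempts[rec["src"]].append((rec["ts"], rec["dst"]))

    alerts = {}
    for src, events in attempts.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> attempts inside the current window
        lo = 0
        peak = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the window start forward past events older than window_seconds.
            while (ts - events[lo][0]).total_seconds() > window_seconds:
                old_dst = events[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= min_targets:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, count in find_telnet_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {src}: {count} distinct telnet targets within 60s, "
              "possible Mirai-style bot recruitment")
```

In the sample, the camera at 10.0.0.21 is flagged, the workstation at 10.0.0.30 is not (repeated telnet to one internal host, plus a UDP line that is ignored), and the slow host at 10.0.0.40 only trips the detection if the window is widened to cover its ten-minute spread.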
DDoS against Small Businesses
DDoS attacks are not limited to big companies. Sucuri reported on a DDoS attack that went on for days against the website of a small brick-and-mortar company. Similar to Mirai, the attacker used infected CCTV cameras to launch the DDoS attack on the small company’s site. According to Sucuri, the compromised CCTV cameras came from 105 countries.
How to Prevent the Spread of IoT Botnets
“With over a quarter billion CCTV cameras around the world alone, as well as the continued growth of other IoT devices, basic security practices … should become the new norm,” Imperva Incapsula said.
Basic security practices to prevent the spread of IoT botnets include:
Effects of Petya Cyber Attack Still Linger
Even as weeks have passed since the Petya ransomware attack, its negative effects still linger.
Operational and Financial Costs of Petya Cyber Attack
At the height of Petya’s global attack last June 27, Nuance – a company that offers transcription service to doctors – publicly acknowledged that certain systems within its network were affected by the global malware incident.
Bloomberg reported that nearly four weeks after the ransomware attack, many doctors still can’t use Nuance's transcription service. According to Bloomberg, hospital systems, including Beth Israel Deaconess in Boston, still can’t use Nuance’s transcription platform – one that allows doctors to dictate notes from a telephone. This forces doctors to revert to the old ways of making notes using a pen and paper. The company told Reuters that it expects within two weeks to have its transcription platform service restored to substantially all clients.
Nearly 50% of Nuance’s $1.95 billion in revenue in 2016 came from its health-care and transcription business, Bloomberg reported. As a result of the malware attack, Nuance expects an adjusted 3rd quarter revenue of $494 million to $498 million, short of the $509.8 million revenue that analysts expect, Reuters reported.
TNT Express, a small-package ground delivery and freight transportation company acquired by FedEx in May 2016, is another company whose operations remained disrupted weeks after the Petya ransomware attack. FedEx publicly acknowledged last June 28 that TNT’s worldwide operations were significantly affected by the Petya cyber attack. According to FedEx, as of July 17, all TNT hubs, depots and facilities were operational. FedEx, however, said that customers were still experiencing widespread service and invoicing delays, as a significant portion of TNT’s operations and customer service functions had reverted to manual processes.
“We cannot estimate when TNT services will be fully restored,” FedEx said in a statement. The courier company added, “Given the recent timing and magnitude of the attack, in addition to our initial focus on restoring TNT operations and customer service functions, we are still evaluating the financial impact of the attack, but it is likely that it will be material.”
FedEx further said that while the company can’t yet quantify the amounts, it has experienced loss of revenue as a result of decreased volumes at TNT, remediation of affected systems and incremental costs associated with the implementation of contingency plans. FedEx added that it doesn’t have cyber or other insurance in place to cover the cost of the attack.
While FedEx still cannot quantify the cost of the Petya cyber attack, other multinational companies such as Saint-Gobain, Reckitt Benckiser Group and Mondelēz International were able to put a price on the June 27th ransomware attack.
Saint-Gobain, a French multinational corporation that produces a variety of construction and high-performance materials, said that based on its preliminary assessment, Petya’s financial effect on the company’s first half sales is limited to about 1%.
Reckitt Benckiser Group, a British multinational consumer goods company, for its part, said in a statement that Petya’s disruption meant that the company’s revenue growth in the second quarter would be down by 2%. Reckitt’s act of putting a price on cyber attack is a revelation in itself, Bloomberg said, as the company has just spent $18 billion in cash in acquiring baby formula producer Mead Johnson Nutrition Co.
For its part, Mondelēz International, a snacking company with 2016 net revenues of almost $26 billion, in a statement said, “Our preliminary estimate of the revenue impact of this event is a negative 300 basis points on our second quarter growth rate.”
“Any time there is a cyberattack and a company is exposed to that threat, that presents both reputational risk as well as the risk from disruption,” Bloomberg Intelligence analyst Mandeep Singh said. “Since a lot of the deals get signed toward the end of the quarter, the timing of it could have impacted certain deal closures.”
Secondary Effects of Cyber Attacks
Cyber attacks result in a number of potentially significant secondary effects. The following are 4 of the secondary effects of cyber attacks:
1. Property Damage and Loss of Life
A cyber attack may affect life-critical functions or databases: a disrupted remote surgery may result in loss of life, and a compromised SCADA alarm system may lead to property damage.
2. Reputational loss
Companies may acknowledge cyber attacks voluntarily or out of necessity, for example when pressured by customers’ revelations on social media, by third-party disclosures or by the disclosure requirements of certain governments. The practice of sending apology notes to clients may itself have a negative effect on the company’s reputation.
When customers cannot access your company’s site or when your automated processes are disrupted, the company is directly affected. Stock prices are typically volatile after a cyber attack. Nuance shares, according to Bloomberg, have dropped almost 8 percent since June 27, when the Petya ransomware attack began.
3. Litigation Cost
When a cyber attack disrupts your services and this, in turn, disrupts the services of your customers, the result may be costly litigation. In the case of a data breach, affected customers may sue your company over the breach. Ruby Corp., formerly known as Avid Life Media and the parent company of the dating site Ashley Madison, said that it will pay $11.2 million to settle a case brought on behalf of nearly 37 million Ashley Madison users whose personal details were exposed in a July 2015 data breach, CNBC reported.
4. Cost of Additional Security Controls
Another consequence of a cyber attack is the cost of additional security controls. The data breach on Ashley Madison prompted Ruby Corp. to spend millions of dollars to improve user privacy and security, according to CNBC. After a data breach, affected companies typically don’t just patch the specific vulnerability, they implement additional security controls such as:
Cyber risk is becoming more and more of a reality for many businesses in the 21st century. In the World Economic Forum’s Global Risks Report 2016, cyber attack was ranked in 11th position in both likelihood and impact.
Our team can help your business evaluate the cyber risks and recommend cyber defence strategy. Connect with us today and protect your business.
Global Cyber Attacks Could Be as Costly as Major Hurricanes
Hurricanes Katrina and Sandy are two of the costliest hurricanes of the past three decades. The total damage is estimated at $156 billion for Katrina and $69 billion for Sandy. Lloyd’s of London estimates that economic losses from global cyber attacks have the potential to be as large as those caused by major hurricanes.
2 Potential Cyber Attack Scenarios
Lloyd’s report, “Counting the cost: Cyber exposure decoded”, modelled two global cyber attack scenarios and their potential economic impact:
1. Cloud Service Provider Hack
According to Lloyd’s, the average losses in the cloud service disruption scenario could be $53.1 billion for an extreme event and could go as high as $121.4 billion.
2. Cyber Attacks on Mass Software
For the mass software vulnerability scenario, according to Lloyd’s, the losses could range from $9.7 billion for a large event to $28.7 billion for an extreme event.
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy,” said Inga Beale, CEO of Lloyd’s. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies ….”
Vulnerability of Cloud Service
“The cloud” refers to accessing data, computing resources and software over the web instead of from a local computer. Although cloud computing, also known as network-based computing, dates back to the 1960s, its popularity soared only in the early 2000s, as small and medium-sized businesses adopted this new way of accessing data.
In the second quarter of 2016, Synergy Research Group found that Amazon cornered 31% of the cloud infrastructure services market, followed by Microsoft (11%), IBM (7%), Google (5%), Next 20 including Alibaba and Oracle (26%) and others (20%). More than 90% of the over 2,000 cyber security professionals surveyed in McAfee’s “Building Trust in a Cloudy Sky” report stated that they were using some type of cloud service in their organization.
In February this year, Amazon’s cloud services suffered a costly outage. According to Amazon, a typo caused the outage. Amazon said in a statement:
“The Amazon Simple Storage Service (S3) team was debugging an issue causing the S3 billing system to progress more slowly than expected. At 9:37AM PST, an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended.”
Amazon’s February 2017 outage cost companies in the S&P 500 index $150 million, according to Cyence.
According to Lloyd’s, cloud infrastructure services like Amazon, Microsoft, IBM and Google rely upon a common cloud infrastructure. If a major security flaw were found in this common cloud infrastructure, cloud customers of these cloud services could suffer from a breach, Lloyd’s said.
Vulnerability of Mass Software
In April 2017, the hacker group known as ShadowBrokers published on the internet a collection of hacking tools believed to have been used by the National Security Agency (NSA). These publicly released tools could give anyone with technical knowledge the capability to exploit certain computers running Microsoft Windows.
In March 2017, a month before the alleged NSA hacking tools were released to the wild, Microsoft released a free patch or security update for Windows 10. Microsoft, however, didn’t release free security updates for Windows XP, Windows 8 and Windows Server 2003. The company only released free patches for these old Windows operating systems at the height of WannaCry – a ransomware that affected more than 300,000 computers in 150 countries in May this year.
6 Trends that Contribute to Cyber Vulnerability
Lloyd’s report identified these 6 trends that cause further cyber vulnerability:
1. Old Software
Old software refers to software that has been abandoned by its maker. It also refers to software that is patched by its maker but whose end users fail to apply the update. Failing to install a security update leaves a computer user vulnerable to attack. This is what happened with WannaCry. Users of Windows 10 succumbed to the ransomware for failing to install Microsoft’s free March 2017 patch. Users of Microsoft’s older operating systems (Windows XP, Windows 8 and Windows Server 2003) also fell victim to WannaCry, as Microsoft released the free patch for these older Windows operating systems only after WannaCry had spread around the world last May 12th.
2. The Number of Software Developers
The number of people developing software has grown substantially over the past 30 years. Each programmer could potentially add a vulnerability to the system, whether unintentionally through human error or intentionally. Proprietary software, for instance, is developed by different teams and outsourced contractors spread across the globe. The Linux kernel, an open source software project started in August 1991, had over 13,500 developers as of August 2016.
3. Volume of Software
More programmers mean more code is being written each day. “More code means the potential for more errors and therefore greater vulnerability,” Lloyd’s said. A typical new car, for instance, contains about 100 million lines of code.
4. Open Source Software
While the open source movement has resulted in unprecedented digital innovation, it has also opened new digital vulnerabilities. Lloyd’s said, “Any errors in the primary code could then be copied unwittingly into subsequent iterations.” Most open source software does not go through the same level of security scrutiny as custom-developed software.
5. Multi-layered Software
In multi-layered software, new code is written on top of existing code. Most programmers today work on maintaining existing code rather than creating new code. Multi-layered software, Lloyd’s said, “makes software testing and correction very difficult and resource intensive.”
6. “Generated” Software
In generated software, the code is written by a computer program, instead of being written by human programmers. Lloyd’s said, “Code can be produced through automated processes that can be modified for malicious intent.”
Not understanding your technology vulnerabilities is no longer an option. Assess them today to gain valuable insight, and take immediate action to address the gaps. Connect with us today and speak with our vulnerability assessment and management experts.
Insider Data Breach: An Enemy Within
Last week, an international health insurance company publicly acknowledged that one of its employees stole information that affected records of 547,000 customers.
The affected company said that while the stolen records did not include financial or medical data, they did include names, dates of birth, nationalities, and contact and administrative details. The company said that the employee responsible was fired immediately after the breach was discovered and that it is taking appropriate legal action.
DataBreaches.net first reported the data breach at this international health insurance company when a dark web vendor going by the name “MoZeal” claimed to have over 1 million records for sale.
When contacted about the pricing, according to DataBreaches.net, MoZeal allegedly replied:
"Thanks for your inquiry bro, but before i start talking about pricing i would just like to clarify that this medical database is the only unique db if not only one on the entire dark web market with over 1million entries and over 122 countries as a whole not to mention its come straight from one of the world class health insurance companies. so you can imagine the information is very sensitive but also exclusive."
The international health insurance company disputed the 1 million records claim, and said in a statement, “Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed. The disparity in numbers claimed and those taken, relates to duplicate copies of some records.”
This latest data breach incident shows the weakest link in cyber security: insider.
Who is an Insider
An “insider” can be anyone who has physical or remote access to your company’s confidential data. Although “insider” usually refers to an employee, a business partner, client or maintenance contractor who has access to your company’s confidential data can also be considered an insider.
An insider can be either a malicious insider or an inadvertent insider. An inadvertent insider might be an employee who was tricked into downloading a malware-laden document that then gives cyber criminals access to the company’s confidential information. A malicious insider is anyone who snoops on files, steals information or appears to have knowingly violated the law.
Extent of Insider Data Breach
IBM’s global threat intelligence report found that over 200 million financial services records were breached in 2016. Fifty-eight percent of the 2016 data breaches in the financial services sector resulted from insider attacks, while outsider attacks accounted for only 42%. Of the 58% attributed to insiders, 5% were carried out by malicious insiders and 53% by inadvertent insiders.
The IBM report also found that in 2016 the healthcare sector was more affected by insider attacks (71%) than outsider attacks (29%). Of the 71% attributed to insiders, 25% were malicious insider attacks and 46% were inadvertent insider attacks.
For its part, Protenus reported that 43% of the 2016 U.S. health data breaches, a total of 192 incidents, were the handiwork of insiders. Of the 192 insider breaches, 99 incidents resulted from inadvertent insiders, 91 from malicious insiders, and in 2 incidents there was insufficient information to determine whether they should be considered inadvertent or malicious.
Health Data Malicious Insider Breaches Take 607 Days to Discover
According to Protenus, in 2016, the average days for healthcare organizations to discover they had a health data breach was 233 days. The most troubling part of breach discovery, according to Protenus, is in cases of malicious insiders in which the average discovery period was 607 days – more than double the typical data breach discovery period.
Protenus gives two explanations why it takes so long to discover a breach:
1. Limited Budgets and Resources
With limited budgets and resources, not all organizations will be able to detect breaches in an automated and precise manner.
2. Reactive Approach to Data Breach
Many organizations have taken a reactive approach to data breach – only worrying about breaches once they are brought to their attention by the affected party or third party like the media.
“Insiders are a very real risk to the security of patient data,” Protenus said. “The high number of breach incidents, and the fact that these small-scale breaches can often go undetected, make these breaches especially devastating.”
How to Prevent Insider Data Breach
Here are two ways to prevent insider data breach:
1. Educate Employees
According to IBM, the fact that insider attacks on the healthcare and financial services sectors were largely the result of inadvertent insiders may be due to these industries’ greater susceptibility to phishing attacks.
Phishing attack happens when cyber criminals try to trick you into sharing personal or work-related information online. Cyber criminals typically use email, ads, or sites that appear similar to sites you already use as common phishing methods. An email that appears like it’s from your bank requesting that you confirm your bank account number is an example of phishing.
One way to prevent inadvertent insider attacks is by educating employees – through in-person instruction, video, webinars – about phishing and how to avoid becoming a victim.
2. Automation and Preventative Controls
To prevent data breaches by both malicious and inadvertent insiders, it pays to invest in an automated data breach detection tool. If an organization depends on only one or two people to detect a data breach, it will take significant time before the breach is discovered. With automation, the threat can be detected immediately and precisely.
“We predict that 2017 will be the Year of Insider Breach Awareness, with organizations realizing that this constant and significant problem has gone unaddressed for too long, with the focus for the last couple of years being more about catching up on external threats,” Protenus said.
While the great majority of our business partners, employees, clients and contractors pose no threat, it pays to be proactive in detecting data breaches. While it takes only a few minutes to steal data, it can take months and years to recover data and rebuild positive business reputation.
When you need to protect your data against the insider threats, and don't have in-house expertise, please contact us and we will be happy to help.
How Data Breach Can Impact Your Business
Digitalization has changed the business landscape. This new business landscape also creates opportunities for cyber criminals. Cyber security has dominated the headlines in the past two months with an alarming number of high-profile data breaches. What kind of harm does a data breach really do to your business?
What is Data Breach
Data breach is an incident in which company’s confidential data – including customers’ confidential data – is potentially viewed, stolen or used by an unauthorized person. A data breach can be caused by malicious or criminal attack, system glitch or human error. The "2017 Cost of Data Breach Study" by Ponemon Institute found that 47% of the root cause of data breach is malicious or criminal attack, followed by human error (28%) and system glitch (25%).
The business function that’s most likely to be affected by a data breach is the operation. Cisco in its 2017 Annual Cyber Security Report revealed that 45 percent of the cyber outages lasted from 1 to 8 hours; 15 percent lasted 9 to 16 hours, and 11 percent lasted 17 to 24 hours.
Financial Cost of Data Breach
A data breach comes with the following incidental costs:
I. Detection and escalation costs
II. Notification costs
III. Post data breach response costs
According to the Ponemon Institute 2017 Cost of Data Breach Study, the average cost for each lost or stolen record containing sensitive and confidential information is $141. The average total cost of a data breach per incident is $3.62 million, according to Ponemon Institute. The study also found that detection and escalation costs are highest in Canada, while notification and post data breach response costs are highest in the United States.
The faster the data breach is identified and contained, the lower the costs.
The Ponemon Institute study showed that there is a relation between how fast an organization identifies and contains data breach incidents and the financial aftermath. The study showed that security complexity and the deployment of disruptive technologies, such as access to cloud-based applications and the use of mobile devices, including bring your own device (BYOD) and mobile apps, increase the complexity of identifying and containing data breaches.
Massive cloud migration at the time of the data breach increases the cost.
The Ponemon Institute study found that cloud migration – the process of transferring data from onsite computers to the cloud or transferring data from one cloud environment to another – at the time of the data breach was shown to increase the cost by $14 per record, increasing the average cost for each lost or stolen record from $141 to an adjusted average cost of $155.
The more churn, the higher the total cost of data breach.
Churn is the number of customers who discontinue their subscriptions to your business service within a given period. The Ponemon Institute study showed that businesses that experienced less than a one percent loss of existing customers had an average total data breach cost of $2.6 million, while companies that experienced a churn rate greater than four percent had an average cost of $5.1 million.
Reputational Cost of Data Breaches
While it’s easy to pin down the financial cost of data breaches, the reputational cost is difficult to determine. Reputational cost can be measured by churn rate, but it is more than churn rate.
Forbes Insights, in the whitepaper “Fallout: The Reputational Impact of IT Risk”, wrote, “Reputation has always been a thorny thing to value in dollar terms.”
A 2012 IBM study found that reputational damage as a result of a data breach could last for months, while the damage from major breaches could last for years. If your customers can’t access your company website or application today, you don’t only lose one sale; you also risk ruining your company’s reputation.
“You will be held accountable for what you did or didn’t do in the months and years leading up to a crisis,” said Prof. Daniel Diermeier, the IBM Professor of Regulation and Competitive Practice at the Department of Managerial Economics and Decision Sciences at the Kellogg School of Management. “You are only as good as the decisions you made when you put your systems in place.”
“The disruption from human error, system outage or loss of data, even a minor disruption can have a significant impact on your reputation,” said Laurence Guihard-Joly, General Manager of Business Continuity & Resiliency Services at IBM Global Technology Services. “A cost, first, but also a real impact on whether people will choose your service.”
Forty-nine percent of the security professionals surveyed in Cisco’s 2017 Annual Cyber Security Report revealed that their organization has had to manage public scrutiny after a data breach. The days of quietly dealing with data breaches may be long gone, according to Cisco: 49% of those organizations said that they disclosed the data breach voluntarily, and 31% were forced to manage public scrutiny after the data breach was made public by a third party. Cisco said there are simply too many regulators, media and social media users who will expose a data breach.
Data Breaches Drive Cyber Security Improvement
Thirty-eight percent of the security professionals surveyed by Cisco reported that a data breach drove improvements in security threat defense, policies and procedures. In particular:
“Organizations that have not yet suffered a breach of their networks due to attackers may be relieved they’ve escaped. However, this confidence is probably misplaced,” Cisco said. “Given the attackers’ range of ability and tactics, the question isn’t if a security breach will happen, but when.”
Give us a call today, and prevent a data breach.
Why Lack of Qualified Cyber Security Workforce is a Critical Vulnerability for Many Businesses
There’s WannaCry. There’s Petya. There’s NotPetya. These cyber threats have dominated the headlines in the past few days. But one cyber threat remains a critical vulnerability for many businesses: the lack of a qualified cyber security workforce.
Cyber Attacks Outpace Cyber Defense
According to Symantec, 430 million new unique pieces of malware were discovered in 2015. At the close of 2015, Symantec added, 191 million records were exposed as a result of cyber attacks.
“Attacks outpace defense, and one reason for this is the lack of an adequate cyber security workforce,” said the Center for Strategic and International Studies in its study called “Hacking the Skills Shortage: A study of the international shortage in cyber security skills”.
A report from Frost & Sullivan and ISC² found that by 2020, more than 1.5 million cyber security positions worldwide will be unfilled. Frost & Sullivan and ISC² revealed that 45 percent of hiring managers reported that they’re struggling to fill additional information security positions despite increased security spending across the board for technology, rising average annual salaries and high rates of job satisfaction.
Five years ago, cyber threats weren’t among the top 10 risks prioritized by corporate boards (they ranked only 12th), according to Lloyd’s 2011 annual risk survey.
Corporate attitude towards cyber security has drastically changed in recent years. A Forbes report found that four financial institutions – J.P. Morgan Chase & Co., Bank of America, Citigroup, and Wells Fargo – spent more than $1.5 billion on cyber security in 2015. In a live interview on Bloomberg in 2015, Bank of America CEO Brian Moynihan said that cyber security is the bank’s only business unit with no budget limit.
In 2017, PwC’s global CEO survey found that cyber threats are among the top five risks on CEOs’ minds, behind only the availability of key skills, volatile energy costs and changing consumer behavior.
Delays in Hiring Cyber Security Staff Leave Businesses Vulnerable to Cyber Attacks
The 2017 state of cyber security survey by ISACA (Information Systems Audit and Control Association) found it takes six months or longer to fill priority cyber security and information security positions in more than 1 in 4 companies around the globe.
“When positions go unfilled, organizations have a higher exposure to potential cyber attacks. It’s a race against the clock,” said Christos Dimitriadis, ISACA board chair.
For its part, the Center for Strategic and International Studies said, “The continued skills shortage creates tangible risks to organizations.” In the study conducted by the center, 1 in 4 respondents said their organizations have lost proprietary data as a result of their inability to maintain adequate cyber security staff.
Lack of Qualified Applicants
The ISACA report showed that, compared to other corporate job openings, which garner 60 to 250 applicants, a cyber security opening receives far fewer applicants.
Fifty-nine percent of the organizations surveyed by ISACA reported that they receive at least 5 applicants for each cyber security opening, and only 13 percent receive 20 or more applicants. Sixteen percent of North American respondents in the ISACA survey indicated that a cyber security opening receives at least 20 applicants.
Compounding the shortage of applicants for cyber security openings is the shortage of qualified applicants. ISACA’s board chair said, “As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job.”
Sixty-four percent of the respondents to the ISACA survey said half or fewer of their applicants for cyber security positions are qualified, while 35 percent of the survey respondents said that less than 25 percent of applicants are qualified.
When asked to identify the most important attributes of a qualified applicant, respondents to the ISACA survey ranked practical verification or hands-on experience as the most important; reference/personal endorsement is ranked second; certifications are ranked third; formal education is ranked fourth; and specific training is ranked fifth.
Making things worse is the “security fatigue” of non-cyber security personnel. The National Institute of Standards and Technology (NIST) defined security fatigue as a “weariness or reluctance to deal with computer security”.
A NIST study found that a majority of computer users experienced security fatigue that often results in risky computing behavior in the workplace and in their personal lives.
“The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” cognitive psychologist and co-author of the NIST study Brian Stanton said.
“Years ago, you had one password to keep up with at work,” computer scientist and co-author of the NIST study Mary Theofanos said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cyber security expanding and what it has done to people.”
The NIST study found that security fatigue results in feelings of resignation and loss of control. This weariness or reluctance to deal with computer security, the NIST study found, can lead to choosing the easiest option among alternatives, behaving impulsively, and failing to follow security rules.
How to Remedy the Cyber Security Workforce Shortfall
Here are three recommendations on how to remedy the cyber security workforce shortfall:
1. Accept Non-Traditional Sources of Education
The Center for Strategic and International Studies study suggested that hiring managers should put less emphasis on degree requirements especially for entry-level cyber security positions, and instead place greater emphasis on hands-on experience and professional certifications.
2. Diversify the Cyber Security Workforce
A number of studies have shown that women and minorities are underrepresented in the field of cyber security. Opening this field to women and minorities will diversify the cyber security workforce and will also expand the talent pool.
3. Automate Cyber Security Functions
The Center for Strategic and International Studies study revealed that organizations are looking to automate cyber security functions to offset the skills shortage. Cyber security automation generates efficiencies, and efficient processes allow cyber security personnel to focus their talent and time on the cyber threats that need human intervention.
Here is why Petya is not a Typical Ransomware
This week, another ransomware called “Petya” attacked major companies around the globe.
Petya attacked the computers at the Chernobyl nuclear plant, forcing workers to manually monitor the plant’s radiation. The ransomware also attacked the computers of major global companies including Russian oil and gas giant Rosneft, Cadbury and Oreo-maker Mondelez, British advertising giant WPP, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck, real estate subsidiary of French bank BNP Paribas and multinational law firm DLA Piper.
Microsoft, in a blog post, said that more than 70% of the computers attacked by Petya were in Ukraine, while computers in other countries were affected in significantly lower volumes. Microsoft added that the majority of Petya infections were observed on Windows 7 computers.
How Does Petya Spread and Infect Computers
Cyber security firms Kaspersky Lab and Symantec, and even Microsoft, confirmed that the Petya ransomware uses Eternal Blue – an exploit for a Microsoft Windows vulnerability, believed to have been originally developed for the U.S. National Security Agency (NSA). Eternal Blue is the same exploit used by WannaCry – another ransomware that affected hundreds of thousands of computers worldwide less than two months ago.
“Similar to WannaCry, Petya uses the Eternal Blue exploit as one of the means to propagate itself,” Symantec said. “However it also uses classic SMB network spreading techniques, meaning that it can spread within organizations, even if they’ve patched against Eternal Blue.”
In addition to exploiting the Microsoft Windows vulnerability, Symantec said this latest ransomware spreads by acquiring usernames and passwords and using them to spread across network shares. According to Symantec, the Petya ransomware that started propagating last June 27 is a variant of the original Petya – a malware known to have existed since 2016 – which not only encrypts files but also overwrites and encrypts the master boot record (MBR).
Kaspersky Lab, for its part, said that this latest ransomware is significantly different from all earlier known versions of Petya, and as such the cyber security firm calls it “ExPetr” or “NotPetya”.
In the new Petya – the term we use here, as the world media adopted this name – cyber criminals demand that each victim pay $300 in bitcoin to recover their files. The following ransom note is displayed on the victim’s infected computer:
The cyber criminals behind the Petya ransomware attack used an email account at the German email provider Posteo as their means of contacting victims. Upon learning that its email platform was being used by cyber criminals, Posteo blocked the email account used by the Petya perpetrators on the same day the ransomware was released into the wild.
As a result of Posteo’s email blockade, Petya’s victims have no way to contact the people behind the latest ransomware attack. The Posteo email account was supposed to be the channel through which victims would contact the blackmailers, tell them they had sent the bitcoins, and receive their decryption keys.
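The two spreading methods Symantec describes, the Eternal Blue exploit and credential reuse against network shares, leave the same network footprint: one host opening SMB (TCP port 445) sessions to many peers in a short time, whether or not those peers are patched. The following added example (not from the original post or from any vendor cited in it) flags that fan-out in a constructed flow log; the log format, addresses, time window and threshold are all assumptions.

```python
"""Flag SMB fan-out: one internal host opening TCP/445 sessions to many
distinct peers within a short window. Both of the new Petya's propagation
paths (the Eternal Blue exploit and credential reuse against network
shares) produce this pattern, so hosts patched against Eternal Blue are
covered too. Added example; log format, hosts and threshold are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log: timestamp  source  destination  destination-port
SAMPLE_FLOWS = """\
2017-06-27T10:00:01 10.0.1.15 10.0.1.20 445
2017-06-27T10:00:02 10.0.1.15 10.0.1.21 445
2017-06-27T10:00:02 10.0.1.15 10.0.1.22 445
2017-06-27T10:00:03 10.0.1.15 10.0.1.23 445
2017-06-27T10:00:03 10.0.1.15 10.0.1.24 445
2017-06-27T10:00:04 10.0.1.15 10.0.1.25 445
2017-06-27T10:00:05 10.0.1.40 10.0.1.5  445
2017-06-27T10:05:00 10.0.1.40 10.0.1.6  445
2017-06-27T10:00:06 10.0.1.50 10.0.1.9  443
"""

def parse_flows(text):
    """Parse 'ts src dst port' lines into (datetime, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            flows.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return flows

def smb_fanout(flows, window=timedelta(seconds=60), threshold=5):
    """Return {source: peers} for every source that reached at least
    `threshold` distinct destinations on TCP/445 inside one `window`.
    A normal client talks to a handful of file servers; a worm sweeps
    the subnet, so the distinct-peer count spikes within seconds."""
    smb_by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port == 445:
            smb_by_src[src].append((ts, dst))
    alerts = {}
    for src, events in smb_by_src.items():
        events.sort()
        best, start = set(), 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold and len(peers) > len(best):
                best = peers
        if best:
            alerts[src] = best
    return alerts

if __name__ == "__main__":
    for src, peers in smb_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT {src} -> {len(peers)} SMB peers: {sorted(peers)}")
```

In the sample, 10.0.1.15 sweeps six peers in three seconds and is flagged, while 10.0.1.40's two SMB sessions five minutes apart and 10.0.1.50's HTTPS traffic are not.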
A complete technical analysis is available from US-CERT, published on July 1, 2017.
Wiper vs Ransomware
According to Kaspersky Lab, even without the email blockade there is still no way for victims to recover their files, as the ransomware was designed in such a way that recovery is impossible. To decrypt files, the cyber criminals need the installation ID. Kaspersky Lab said that other ransomware, such as the old Petya, Mischa and GoldenEye, have an installation ID that makes file recovery possible.
In the new Petya, even the cyber criminals themselves can’t decrypt the victims’ files. The installation key shown in the new Petya ransom note, Kaspersky Lab said, is just random gibberish, “which means that the threat actor could not extract the necessary information needed for decryption.”
According to Symantec, the encryption performed by Petya is twofold:
“Either it was a sophisticated actor who knew what they were doing – except screwed up horribly on the part where they actually get paid – or it wasn’t about the ransom in the first place,” Nicholas Weaver, a researcher at the International Computer Science Institute and a lecturer at the University of California, Berkeley, told the New York Times.
“They are no longer collecting a ransom [referring to the new Petya ransomware],” Justin Harvey, managing director of global incident response at Accenture Security, told the New York Times. “They are just being destructive.”
If the main motive of the ransomware is money, Harvey said, cyber criminals typically set up multiple avenues to collect funds from their victims. The recent ransomware attack uses a single email address and a single bitcoin wallet for electronic payments.
How to Prevent Ransomware Attacks
Here are some of the ways to prevent ransomware attacks like the new Petya:
1. Use the latest operating system and make sure that most current updates are installed
It’s worth noting that, according to Microsoft, most of the Petya victims use Windows 7. Microsoft said that Windows 10 and its new streamlined operating system, Windows 10 S, block this type of attack by default.
2. Back up your data
Early this month, Nayana, a web hosting company in South Korea, agreed to pay more than $1 million to ransomware criminals to unlock its servers. This is believed to be the biggest ransomware payout on record. Backing up your data either offline or in the cloud protects your business from ransomware attacks. Cyber criminals will have no leverage on your business if you can easily retrieve your data somewhere else.
Businesses must make backups and, most importantly, test those backups by performing test restores. Home users can protect their data by subscribing to one of the many cloud storage and file sharing services.
Since the most important step in protecting your data against ransomware is making sure that the operating system is always up to date, ask your IT department to demonstrate that they have a solid vulnerability and patch management solution in place to keep your information safe.
Connect with us today, and our experts will answer your questions.
Steve E. Driz, I.S.P., ITCP