Thought leadership. Threat analysis. Cybersecurity news and alerts.
Top 7 Cyber Security Tools for Your Business
With so much of our information online, everyone is vulnerable to hackers and cyber-thieves. When it comes to business, a cyber invasion is a constant threat.
Short term loss could be financial, intellectual property theft, data loss, or worse.
The real threat is the long term loss of trust and reputation damage that could take years to repair. If your clients' information is exposed, it will be hard for them to consider it safe to give you their business again.
Protect your business with these 7 cyber security tools.
7 Cyber Security Tools Your Business Must Be Using
In order to protect your business' digital information, you need a variety of cyber security tools in place.
For complete peace of mind, you'll want to work with a trusted cyber security partner. In the mean time, these tools are a great place to start.
1. Malware Scanners
Malware is short for malicious software. It is designed by hackers to gain access to a computer without the owner's knowledge.
You must have specific anti-malware cyber security tools in place to detect any hacker invasion.
There are a variety of malware scanners out there, many even available for free (with limited features).
Protect your business with automatic malware scanners in place.
2. Routine Patching
Patching is the process of installing a piece of software that repairs any security flaws. Updating an app is an example of patching.
Picture your business's digital infrastructure as a house. Each time you add a new application, piece of software, etc. it's like adding a new room to the house.
Software, apps, and the like are built by humans, meaning that there is room for human error. Human error is like an unlocked door or unfinished window in one of the new rooms.
This can leave a welcome mat out to cyber attackers. That's why your security plan needs to include routine assessments and patching.
3. Two-Factor Authentication
Use two-factor authentication to add a difficult-to-hack layer of security to your log in systems.
Examples include a verification code sent to a linked phone number or a piece of information only the user would know.
4. Restrictive Administrative Access
Add an additional security level for your most sensitive information and infrastructure by restricting who can access it.
Click here for more information on how to implement restrictive admin mode.
5. Network Segmentation
Divide your computer network into sub networks to improve security and performance.
This allows you to isolate the most sensitive data to a specific network to limit access and decrease congestion.
6. Vulnerability Scanning
There's no better way to access your security levels than a vulnerability scan.
Try our free vulnerability assessment to find weaknesses in your code and how to remedy them.
7. 24/7 Security Monitoring
Cyber security protection doesn't come in the form of a quick fix.
Continually protect your business' data with a 24/7 security monitoring system in place to catch attacks the minute they happen.
Protect Your Business for Peace of Mind
Cyber security tools are of the utmost importance for businesses and individuals alike.
Questions? Let us know if there is anything we can help you with. Our emergency response team is available 24/7 if you're currently dealing with a cyber attack. Contact us today.
Whole Foods Becomes the Latest Victim of a Cyber Attack
Whole Foods, the supermarket chain recently acquired by Amazon, becomes the latest victim of a cyber attack.
The supermarket chain officially acknowledged that the cyber attack potentially compromised its customers’ credit card details. The data breach, according to Whole Foods, affected only the point of sale system used in taprooms (bars) and restaurants located within some of the Whole Foods stores. As of November 2016, The Mercury News reported that 180 of Whole Foods’ 464 stores had bars and restaurants.
In its official statement, Whole Foods stressed that Whole Foods’ bars and restaurants use a different point of sale system from the company’s supermarket point of sale system. The company said that payment cards used at the supermarket point of sale system were not affected. It added that the Amazon systems, which acquired the supermarket chain last month, don’t connect to the Whole Foods’ bars and restaurants system. As such, transactions on Amazon.com haven’t been affected.
Whole Foods’ public statement didn’t reveal how many customers may have been affected, how many bars and restaurants may have been involved or when the data breach was discovered.
The Whole Foods data breach came just heels after the Sonic Drive-in cyber security breach. The American drive-in fast-food restaurant chain, with over 3,500 restaurants in 45 US states, confirmed that there's been some “unusual activity” on credit cards used at some of its restaurants. Similar to Whole Foods, the company didn’t disclose how many credit cards were potentially affected or when the data breach took place.
Krebs on Security reported that Sonic Drive-In cyber security breach may have impacted millions of credit and debit cards.
“The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic,” Krebs on Security wrote.
About 5 million credit and debit card details recently put up for sale on the underground online site Joker’s Stash has been tied to a breach at Sonic Drive-In, according to Krebs on Security.
“I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs on Security said. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.”
Cyber criminals typically steal credit card details from merchants that accept cards by hacking into their point of sale systems.
What is Point of Sale
Point of sale, also known as POS, is a system used by merchants where customers pay for goods or services. The POS system consists of hardware and software. The POS hardware refers to the device used to swipe a credit or debit card and the computer or mobile device attached to it. The POS software refers to the computer program that instructs the hardware what to do with the data it captures.
Through the years, there have been a number of vulnerabilities identified in the POS system. The vulnerability of the POS system was highlighted with the arrest and conviction of Albert Gonzalez, leader of the group that stole more than 90 million card records from retailers.
The Gonzalez group took advantage of the lack of point to point encryption of POS system. If you pay using your credit card at a POS terminal, your credit card data housed in the card’s magnetic stripe is read, passed through a series of systems and networks before reaching the store’s payment processor.
In 2005, credit card details transmitted over a public network from a POS device are required to be encrypted using network-level encryption, for example, the Secure Sockets Layer (SSL). Within the internal network of the store, however, credit card details weren’t required to be encrypted except when stored.
The Gonzalez group took advantage of this lack of point to point encryption at the internal network level by installing network-sniffing tools that allowed him and his group to steal over 90 million card details. As a result of the Gonzalez group’s criminal activities, many stores today use POS system with encryption even at the internal network level.
Through the years though, POS attackers have honed their skills and a number of POS attack methods have been developed. Big companies like Target Corporation succumbed to POS attackers. In May of this year, 47 US states and the District of Columbia have reached a $18.5 million settlement with Target that resolves the states' investigation into the company's 2013 data breach, which affected more than 41 million customer payment card accounts.
How to Prevent POS Attacks?
Customers’ credit card data in the POS system passes through the following:
In each of these stages, customers’ credit card data becomes vulnerable to POS attackers. On the terminal level, attackers can insert hardware like skimmers or firmware to steal credit card details. As data passes from terminal to cash register or cash register to central payment processing server, the data may be stolen using network traffic sniffing tools like the one used by the Gonzales group. From the terminal to the internet exchange, there can be exposure of the encryption key. Credit card details may also be stolen via RAM scrapping malware from the cash register level or at the central payment processing server level.
From terminal to internet exchange, mitigation strategy includes a firewall. At the cash register level or central payment processing server level, mitigating strategy includes endpoint security software. From cash register to central payment processing server, mitigating strategies include data encryption and the use of SSL. From terminal to internet exchange, mitigating strategy includes security information and event management (SIEM).
Network segmentation is also one of the mitigating strategies to counter POS attacks. The network segmentation of the Whole Foods’ bars and restaurants from Whole Foods supermarket and Amazon.com has prevented attacks on the other two Amazon assets. Target, meanwhile, in the 2013 data breach didn’t implement network segmentation.
When you need help protecting your missing critical applications and infrastructure, give us a call to speak with one of our cyber security and compliance experts.
Wall Street’s Top Regulator Discloses Own Data Breach
The US Securities and Exchange Commission (SEC) – Wall Street’s top regulator – is the latest entity that publicly acknowledged that it was a victim of a cyber attack.
SEC Chairman Jay Clayton, who took office in May of this year, admitted that in August 2017, the Commission learned that a hacking incident detected way back in 2016 “may have provided the basis for illicit gain through trading”.
“Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” said Chairman Clayton. “We must be vigilant. We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.”
This recent cyber attack disclosure came just two weeks after the massive data breach at credit monitoring company Equifax, affecting 143 million Americans – almost all of the adults in the US, and affecting 100,000 Canadians and 400,000 UK residents.
This recent SEC hacking incident puts the Commission in an uneasy position given that it’s the government body that’s responsible for enforcing securities laws, issuing rules and regulations and ensuring that securities markets are fair, honest and provide protection for investors. The Commission, in particular, has the power to fine private entities for failing to safeguard customer information.
In June 2016, Morgan Stanley Smith Barney LLC paid a $1 million SEC fine over stolen customer data. The Morgan Stanley case originated from the act of then-employee who accessed and transferred the data of nearly 730,000 accounts to his personal server, which was then eventually hacked by third parties.
The Commission found Morgan Stanley violated Regulation S-P, a regulation that requires registered investment companies, broker-dealers and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." Morgan Stanley agreed to settle the charges without denying or admitting the SEC findings.
In September 2015, a St. Louis-based investment adviser firm paid a $75,000 SEC fine for failing to establish the needed cyber security policies and procedures, resulting in a data breach that compromised the personally identifiable information (PII) of nearly 100,000 individuals, including thousands of the clients of the firm. SEC, in its decision, said the firm “failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.”
Patch, Patch, Patch
According to SEC Chairman Clayton, hackers exploited the software vulnerability of the Commission’s corporate filing system known as “EDGAR”, short for electronic data gathering, analysis and retrieval. The software vulnerability was patched after discovery, the SEC Chairman said.
The Commission’s EDGAR system, performs automated collection, validation, indexing, acceptance and forwarding of data submitted by companies and others required to file certain information with the Commission. The system, in particular, receives, stores and transmits nonpublic information, including data which relates to the operations of credit rating agencies, issuers, investment advisers, broker-dealers, clearing agencies, investment companies, municipal advisors, self-regulatory organizations ("SROs") and alternative trading systems ("ATSs").
What is a Patch
A patch is a piece of code that’s added into a software program to fix a defect also known as software bug, including a security vulnerability. Patches are created and released by software creators after defects or security vulnerabilities are discovered. If a patch isn’t applied in a timely manner or if a software creator no longer offers a patch, cyber criminals can exploit a known vulnerability.
The Common Vulnerabilities and Exposures (CVE), an international industry standard, lists and assigns names to all known cyber security vulnerabilities. The United States Computer Emergency Readiness Team (US-CERT) provides an up-to-date list of known vulnerabilities and patches.
“Federal agencies consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available,” Gregory Wilshusen, Director for Information Security Issues, said in a written statement before the Subcommittee on Research and Technology, Committee on Science, Space, and Technology, House of Representatives in February 2017. “We also consistently identify instances where agencies use software that is no longer supported by their vendors. These shortcomings often place agency systems and information at significant risk of compromise, since many successful cyberattacks exploit known vulnerabilities associated with software products. Using vendor-supported and patched software will help to reduce this risk.”
The 2 major cyber attacks in 2017 – WannaCry and Equifax data breach – exploited known vulnerabilities in computers that were unpatched.
WannaCry ransomware, which affected thousands of computers worldwide in May of this year, exploited the vulnerability in Microsoft Windows. This particular vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
Microsoft, for its part, released a patch or security update for this known vulnerability in March 2017 – two months before WannaCry was released into the wild.
For the Equifax data breach, the identified cause was the vulnerability in the Apache Struts in the US online dispute portal web application of Equifax. According to Equifax, the data breach happened from May 13, 2017 to July 30, 2017.
The Apache Software Foundation, a not-for-profit corporation that manages and provides patches for Apache Struts, released 4 patches for 4 known vulnerabilities from March 2017 to July 2017.
Even as cyber vulnerabilities are made public and patches are released, many organizations still fall victim to cyber attacks for failing to simply apply the available patches. According to the Apache Software Foundation, majority of the breaches that came to its attention are “caused by failure to update software components that are known to be vulnerable for months or even years.”
Days after the patch for CVE-2017-5638 – a critical vulnerability in Apache Struts that allows attackers to take almost complete control of web servers used by banks and government agencies – was made available to the public, security researchers still noticed a spike of attacks exploiting this vulnerability.
Patching known vulnerabilities in a timely manner is important as cyber criminals are quick to make use of newly published cyber security vulnerabilities, using them to launch cyber attacks within days.
Monitoring and managing vulnerabilities and threats is only effective when done regularly. Identifying security vulnerabilities is an onerous task generally assigned to your company's IT department. We can save you time and money by proactively scanning your infrastructure and networks, helping you prevent a data breach. Connect with us today to learn more and protect your business.
New Bluetooth Malware Puts Billions of Devices at Risk
A new malicious software dubbed as “BlueBorne” puts billions of Bluetooth-enabled devices at risk.
Dr. Jaap Haartsen invented the Bluetooth while working at Ericsson in the 1990s. Bluetooth was named after the 10th-century king of Denmark King Harald Blåtand (blue-tooth in English), who famously united Scandinavia. Just as King Bluetooth united Scandinavia, Dr. Haartsen’s invention unites or connects devices.
Bluetooth is currently the most widely-used protocol for short-range communications. It's used in a wide range of devices, from personal computers to smart phones, consumer electronics devices (smart TVs, printers), medical and health devices, home automation and autonomous cars.
Bluetooth is now licensed, managed and maintained by the Bluetooth Special Interests Group (SIG). Tech giants Google, Microsoft, Apple, Intel and IBM are some of the group members.
How BlueBorne Works
1. BlueBorne attacks devices via Bluetooth.
The security research firm Armis first identified the BlueBorne malware. Researchers at the research firm found that BlueBorne malware specifically exploits the security flaw in Bluetooth-enabled devices running on Windows, Android, pre-version 10 of iOS and Linux operating systems, regardless of the Bluetooth version in use.
This means that every single computer, mobile device or IoT device running on one of the above-mentioned operating systems is at risk. There are currently 2 billion Android users, 500 million Windows 10 users, 1 billion Apple users, and 8 billion IoT users.
Affected devices include all Android phones, tablets and wearables (except those using only Bluetooth Low Energy), all Windows computers since Windows Vista and all Linux devices like Samsung Gear S3, Samsung Smart TVs and Samsung Family Hub.
2. BlueBorne spreads through the air.
BlueBorne is alarming as it operates through the air. Unlike traditional cyber attacks, no action is required from the victim to enable the BlueBorne attack – no need to download a malicious file or click on a link.
Once the malware detects the Bluetooth is active on a device that runs on Windows, Android, pre-version 10 of iOS or Linux operating system, it attacks it despite the fact that the targeted device isn’t paired with the attacker’s device or set on discoverable mode.
“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” Armis said.
To initiate BlueBorne, the attacker must be near the targeted user and the Bluetooth feature of the target user's device must be turned on. Billions of devices are at risk as Bluetooth is turned on by default on many devices. Many users also prefer to turn on Bluetooth most of the time to conveniently connect it to keyboards, headphones and other various IoT devices.
The airborne operation of BlueBorne is problematic in the following ways:
a) Highly Infectious
Spreading from one device to another through the air makes BlueBorne highly infectious since the Bluetooth process enjoys high privileges on all operating systems. Exploiting Bluetooth gives hackers full control over the device.
b) Bypasses Traditional Cyber Security Measures
As BlueBorne is spread through the air, it bypasses traditional cyber security measures. Typical security measures are defenseless against airborne attacks. BlueBorne attackers can bypass secure internal “air-gapped” networks – a security measure that isolates a computer or network and prevents it from establishing an external connection.
"These silent attacks are invisible to traditional security controls and procedures. Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," Yevgeny Dibrov, CEO of Armis, said in a statement. "The research illustrates the types of threats facing us in this new connected age."
3 Ways BlueBorne Attackers Could Exploit Your Device
1. Take Full Control of Your Device for Criminal Activities
BlueBorne attackers could remotely execute code on your vulnerable device, allowing the attackers to take full control over your device, access corporate networks, systems and data. With full access to your device, hackers could perform criminal activities, including ransomware and data theft.
2. Create Large Botnets Similar to the Mirai Botnet
Mirai botnet uses compromised IoT devices to carry out crippling Distributed Denial of Service attacks (DDoS) attacks. In 2016, crippling DDoS attacks were waged against the website of cyber security blogger Brian Krebs and a French web hosting company. BlueBorne attackers, for instance, could use your compromised device, together with other compromised devices, to execute DDoS against a particular website.
3. Perform Man-in-The-Middle Attack
BlueBorne attackers could perform a man-in-the-middle attack on your device.
Man-in-the-middle attack happens when attackers redirect the communication between two users to the attackers’ computer without the knowledge of the original two users.
“An attacker who successfully exploited this vulnerability could perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer,” Microsoft said in its September 12, 2017 security bulletin. “The attacker can then monitor and read the traffic before sending it on to the intended recipient.”
Microsoft calls this Bluetooth vulnerability as "Microsoft Bluetooth Driver Spoofing Vulnerability".
How to Prevent BlueBorne Attacks
1. Turn Bluetooth Off
The safest way to prevent a BlueBorne attack is by turning off the Bluetooth feature on your device. This malware can access your device only when it’s in the active mode. If it’s turned off, the malware can’t successfully infiltrate your device.
2. Update Your Operating System
It’s advisable to keep your operating system up-to-date. Not all operating systems though have patched or issued a security update that fixes BlueBorne vulnerability.
According to Armis, it informed Google about the BlueBorne issue on April 19, 2017. Google released a public security update and security bulletin on September 4th, 2017.
Microsoft was informed by Armis about the BlueBorne issue on April 19, 2017. Microsoft released security updates on July 11, 2017.
Apple was informed about BlueBorne on August 9, 2017. Apple corrected this vulnerability with its latest iOS and tvOS.
Linux was informed by Armis on August 15 and 17, 2017 and on September 5, 2017. As of September 12, 2017, Armis said, Linux hasn't yet issued a public security update to patch the BlueBorne malware.
6 Barriers to Improving Cyber Security for Nonprofits and Charities
Charities and nonprofit organizations aren’t immune to cyber attacks.
In the NetDiligence 2016 Cyber Claims Study (PDF) – a study that provides comprehensive analysis of insurers’ claims on losses sustained from data breaches and other kinds of cyber events – showed that out of the 176 cyber claims submitted for the study, 11% of the claims were from the nonprofit sector.
“Breaches are not just for the Fortune 500 companies anymore," NetDiligence said. "The majority (87%) of claims submitted for this study are for organizations with revenues less than $2B."
The recent "Cyber security among charities" study commissioned by the UK Department for Digital, Culture, Media and Sport and carried out by Ipsos MORI revealed that charitable organizations aren’t considered as off-limits by cyber criminals. Charities interviewed in the study shared that they experienced a wide range of cyber breaches or attacks.
In one case, a charitable organization reported substantial financial loss after the CEO's email was hacked and the malicious hacker sent out a fraudulent message to the charity’s financial manager with the instruction of releasing funds to pay for new equipment.
Another case involved the taking down of the website of a mid-sized organization on numerous occasions. The first attempt to bring the site back took the hosting company 10 days.
In another case, one charity found that its website was injected with a malicious code. Although the organization eliminated the malicious code two years ago, the organization felt the incident had a negative impact on its online reputation as a warning about its website saying it could have been hacked shows up in the Google search results.
The Ipsos MORI study revealed that cyber breach isn’t enough to motivate some charities to enhance cyber security. When breaches such as websites being taken down or staff emails being hacked made no impact on their operations, charities continue “without any changes – highlighting that charities were not necessarily learning from these attacks,” according to the Ipsos MORI study.
Here are the 6 barriers to improving cyber security for nonprofits and charities:
1. Cyber Security Viewed as an Unaffordable Luxury
The study found that some charities consider cyber security as an unaffordable luxury. Some stated that if their budgets increased, they would rather spend the money on other areas such as core service provision and fundraising.
“We need to make sure we are taking the right precautions to safeguard our information … but we have other priorities – difficulties with cash coming in, and a restructure last month,” a £500,000+ annual income, international aid charity said.
2. Cost-Cutting Culture
Many of today’s charities, according to the study, have a strong cultural emphasis on cost-cutting, which makes it difficult or challenging to justify cyber security cost. This emphasis on cost-cutting led some charities to value cost than quality, for instance choosing the cheapest cyber security provider at the expense of sacrificing quality service.
This cost-cutting culture is also evident in charities’ reluctance to upgrade to the latest software or hardware. When the WannaCry ransomware was released to the wild by cyber criminals last May, many nonprofit and charitable organizations fell victims to this malicious software.
A number of UK’s National Health Service (NHS) Trusts – nonprofit organizations that are part of the NHS but have more freedom in how they run their hospital – were affected by WannaCry ransomware for using outdated or unsupported desktop operating systems.
3. Deprioritizing of Some Cyber Risks
The study showed that charities consider loss of funds and loss of personal data (for example donors’ list) to be a major risk as they’re viewed as an existential threat. On the other hand, loss of non-personal data files (for instance data lost to ransom attack especially when the data is backed up) and loss of business (for example a website take down) aren't considered as major cyber risks as they aren’t viewed as an existential threat.
4. Cyber Security Viewed as a Common Sense Issue
The study found that some charities view cyber security as a common sense issue and, therefore, shouldn’t need much thought or investment. Instead of taking pre-emptive action, these charities would simply ask their staff to be sensible and to take a common sense approach.
5. Lack of a Central Office
Some small and mid-sized charities have no central office. This is an offshoot of the cost-cutting culture of nonprofit and charitable organizations. Organizations with no central office allow their staff to use personal devices – opening up susceptibility to breaches via personal devices. These organizations also change their board of trustees every year, resulting in regular change of the base of the organization.
6. Lack of IT Awareness and Skills
The study found that most charities don’t have an internal specialist who has the technical skills to cover cyber security. Hiring an internal IT specialist is seen as unaffordable and unnecessary as the organization views itself not as a target of cyber attacks. Most of these organizations leave the cyber security responsibility to individuals who have existing duties and responsibilities in the organizations, such as fundraising, finances, communications or general operations.
Many of the smaller and long-time running charities are also often run by older trustees, who might lack IT awareness and knowledge. This may limit the organization’s engagement with cyber security professionals or to find people inside the organization who could advocate for the organization’s better cyber security.
In Canada, the implementation of the Digital Privacy Act may spur cyber security awareness among nonprofit and charitable organizations. The law requires “organizations to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner.”
An organization that knowingly violates the breach notification requirements may face fines of up to $100,000 per violation. The implementation of the Digital Privacy Act – passed into law on June 18, 2015 – is seen as the country’s first step of bringing its data protection law in line with the rest of the world.
Top 5 Cloud Computing Security Concerns
A Birmingham, Alabama-based healthcare company publicly acknowledged that it was a victim of a recent security breach.
According to the healthcare company, its cloud hosting and server management provider suffered a security breach at its facility. Information which may have been accessed as a result of the security breach at the cloud provider’s facility includes patient's name, address, telephone number, email address, Social Security number, medical record number, patient ID, physician name and health plan/insurance number.
This recent security breach at a cloud provider’s facility shows the vulnerability of some cloud providers.
According to Gartner, Inc., the worldwide cloud services market is projected to grow by 18% in 2017 to total $246.8 billion, from $209.2 billion in 2016.
"While some organizations are still figuring out where cloud actually fits in their overall IT strategy, an effort to cost optimize and bring forth the path to transformation holds strong promise and results for IT outsourcing (ITO) buyers,” Sid Nag, research director at Gartner, said. Nag added that cloud adoption strategies will influence more than 50% of IT outsourcing deals through 2020.
The 2016 Global Cloud Data Security Study conducted by the Ponemon Institute found that 73% of IT professionals said cloud computing applications and platform solutions are important or very important to business operations today. The IT professionals surveyed by Ponemon Institute estimated that 36% of their organizations’ total IT and data processing needs are met by cloud resources.
According to Cloud Security Alliance (PDF), beyond the handful large cloud providers, the reality is that there are tens of thousands of unique cloud providers. Cloud Security Alliance (CSA) is a nonprofit organization that promotes best practices for securing cloud computing.
A January 2016 CSA survey found that only 65% of the survey respondents were confident that the cloud had greater or equal security than internal IT systems. “Cloud provider security is uneven overall, with some providers having excellent security programs and others leaving much to be desired,” the CSA said in its 2016 state of cloud security report.
Here are the top 5 security concerns for cloud-based services:
1. Data Security Breach
The recent data breach at the cloud hosting and server management provider’s facility and the resulting unauthorized access of sensitive data of the Birmingham, Alabama-based healthcare company shows the security vulnerability of cloud providers.
Based on the Ponemon Institute study, the data that organizations move to the cloud is also the information that’s most at risk. Sixty percent of the Ponemon Institute’s 2016 global cloud data security study said it’s more difficult to protect confidential or sensitive information in the cloud.
2. Cloud Account Hijacking
Cloud hijacking refers to the breaking or taking over of a cloud account of an individual or organization. In 2010, Amazon encountered a cross-site scripting bug that allowed attackers to steal user login credentials. In 2014, the cloud hijacking threat called “Man in the Cloud” (PDF) enables an attacker to access synchronization services (such as GoogleDrive and Dropbox) account without compromising the victim’s user name or password.
3. Insider Threat
A malicious insider is defined by the CERT Insider Threat Center as a “current or former employee, contractor, or other business partner who has or had authorized access to an organizations network, system or data and intentionally exceeded or misused that access in a manner that negatively affected the confidentiality, integrity, or availability of the organizations information or information systems”.
In the study "Insider Threats to Cloud Computing: Directions for New Research Challenges", Carnegie Mellon University researchers named 3 types of cloud-related insider threats:
A. Cloud Insider as a Rogue Administrator
According to the Carnegie Mellon University researchers, the threat of rogue administrators is layered differently for a cloud platform compared to a standard enterprise environment, with at least four levels of administrators to consider in the cloud, including hosting company administrators, virtual image administrators, system administrators and application administrators.
B. Insider Who Exploits a Cloud-Related Vulnerability to Steal Information from a Cloud System
According to the Carnegie Mellon University researchers, this second type of cloud-related insider threat refers to an insider within the organization who exploits, whether malicious or accidental, vulnerabilities exposed by the use of cloud services to gain unauthorized access to organization systems or data. An example of this second type of cloud-related insider threat is when an employee of the victim organization is tricked by a malicious outsider into opening a document infected with malicious software.
C. Insider Who Uses Cloud Systems to Carry Out an Attack on an Employer’s Local Resources
This third type of cloud-related insider, according to the Carnegie Mellon University researchers, is different from the previous type of insider as this “third type of insider uses the cloud as the tool to carry out the attack on systems or data targeted that are not necessarily associated with cloud-based systems”. An example of this third type of insider is when an insider who plans to leave the company leverages cloud storage to steal sensitive information to take to a new job with a competitor.
4. Denial of Service Attacks
Another attack path that has been used to adversely affect cloud services is the distributed denial of service (DDoS) attack. A DNS amplification attack is an example of DDoS tactic in which the attacker delivers traffic to a victim and reflects it off to a third party to conceal the origin of the attack.
According to Microsoft, even a small DDoS attack – the size of 30 Mbps – if left unchecked could affect the availability of the cloud service. “Even if the service itself remains available for users, the bandwidth users rely on to get to the service can be starved, resulting in slow, intermittent, or unreliable service, or rendering the service unreachable,” Microsoft said.
5. Malware Injection
In the study “Security Threats on Cloud Computing Vulnerabilities”, East Carolina University researchers found that an attacker can create malicious software and inject it to target cloud service models. “Once the injection is completed, the malicious module is executed as one of the valid instances running in the cloud; then, the hacker can do whatever s/he desires such as eavesdropping, data manipulation, and data theft,” the East Carolina University researchers said.
How Bad Internet Bots Can Hurt Your Business
Over 50% of website visitors aren’t humans. According to Imperva Incapsula, 51.8% of the website traffic in 2016 came from bots, also known as web robots, internet bots or botnets.
What is a Bot
A bot is a computer program that performs automated and repetitive tasks over the internet. Using a bot over the internet enables one to do things fast and on a grand scale.
Imperva Incapsula’s “Bot Traffic Report 2016” examined over 16.7 billion visits to 100,000 randomly-selected websites on the Incapsula network. The report showed that 48.2% of the online traffic in 2016 came from humans, while the 51.8% came from bots. Of the 51.8% bots traffic, 22.9% came from good bots and 28.9% came from bad bots.
The Good Bots
Good bots are software programs that do positive things for your site. Four types of good bots dominate the internet today. These include feed fetchers, search engines, commercial crawlers and monitoring bots.
Feed fetchers are good bots that allow website content to be shown on mobile and web applications. They comprised 12.2% of the bots that crawl the internet today.
Search engine bots refer to good bots that regularly collect information from millions of websites and index the data collected into search result pages. Examples of these search engine bots are those bots from Google, Bing and Baidu. They comprised 6.6% of the bots that crawl the internet today.
Commercial crawlers are good bots that are used for authorized data extractions – typically meant as a digital marketing tool. They comprised 2.9% of the bots that crawl the internet today.
Monitoring bots refer to good bots that monitor the availability of the website and the proper functioning of the different website features. They comprised 1.2% of the bots that crawl the internet today.
The Bad Bots
Bad bots are malicious software programs that can do damage to your site. The four types of bad bots that dominate the internet today are the impersonators, scrapers, spammers and hacker tools.
Impersonators are bad bots that assume false identities to bypass security systems. They are frequently used for Distributed Denial of Service (DDoS) attacks. They comprised 24.3% of the bots that crawl the internet today.
DDoS assaults are carried out by a botnet, referring to a group of hijacked computers – in many cases, Internet of Things (IoT) like CCTV cameras. By taking advantage of the security vulnerabilities of these internet-connected devices, cyber attackers remotely control these hijacked devices (unknown to the owners) and send huge volume of data to a victim website. In September 2016, the website of security blogger Brian Krebs was targeted by a massive DDoS attack, exceeding 620 gigabits per second (Gbps).
If your website is a victim of a DDoS attack, your legitimate human visitors won’t be able to access your website. When your legitimate visitor types your website address into a browser, he or she sends a request to the website's server to view the site. Your site’s server can only process a certain number of requests at once. So, when the DDoS attackers overload your site’s server with huge volume of requests, it can't process the massive requests, resulting in “denial of service” of your legitimate visitors.
When no one can access your website as a result of a DDoS assault, this can result in the following:
1. Revenue Loss
The average cost of downtime is $5,600 per minute, this according to an industry survey.
2. Productivity Loss
If your company is highly dependent on your web presence, a few minutes, hours or days of downtime can mean work stoppage for some of your staff.
DDoS attackers are getting sophisticated. Some DDoS assaults are used as “smokescreen” to hide the real intention, which could be to steal funds, steal customer data or steal intellectual property.
4. Reputation Damage
If your customer can’t access your website or if the DDoS attack resulted to breach of data of your customers, this can hurt your company’s brand.
Hacker tools are malicious bots that look for vulnerable websites that can be exploited for data theft and malware injection. They comprised 2.6% of the bots that crawl the internet today. An example of these hacker tools is the SQL injection.
According to the Open Web Application Security Project, “SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.”
Scrapers are malicious bots used for unauthorized data extraction. These bots collect the entire database of your website, including original content and prices of the products you’re selling. They comprised 1.7% of the bots that crawl the internet today. When attackers scrape your entire website, this can result in a drop of your site’s competitive edge.
Spammers are malicious bots that inject spam links into your website, specifically into forums and comment sections. They comprised 0.3% of the bots that crawl the internet today. This type of malicious bots can cause long-term SEO damage to your website. According to Google, “If a site has been affected by a spam action, it may no longer show up in results on Google.com or on any of Google's partner sites.”
Based on Imperva Incapsula’s Bot Traffic Report 2016, every third website visitor for the last five years was an attack or malicious bot.
“Often, these assaults are the result of cybercriminals casting a wide net with automated attacks targeting thousands of domains at a time,” Imperva Incapsula said. “While these indiscriminate assaults are not nearly as dangerous as targeted attacks, they still have the potential to compromise numerous unprotected websites. Ironically, the owners of these websites tend to ignore the danger of bots the most, wrongfully thinking that their website is too ‘small’ to be attacked.”
Counting the Cost of a Cyber Attack: Litigation Cost
In the last 12 months, Canada has seen high-profile data breach class action lawsuit settlements. These data breach lawsuit settlements highlight the added cost of a cyber attack: cost of defense and a judgment or settlement.
Case #1: Lozanski v. The Home Depot
The Lozanski v. The Home Depot case rose from the data breach at Home Depot of Canada between the period of April 11, 2014 and September 13, 2014. Between this period, Home Depot’s payment card system was hacked by criminal intruders using custom-built malicious software.
After detecting the data breach on September 9, 2014, Home Depot notified the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner of British Columbia and the Commission d'accès à l'information du Québec about the data breach.
On September 16, 2014, Home Depot published notices of the data breach in The Globe and Mail and in La Presse. In the newspaper notices, the company confirmed the data breach. In the said newspaper notices, the company announced that it eliminated the malicious software that was responsible for the data breach. It also announced in the same newspaper notices that customers affected by the data breach will get free credit monitoring and identity theft insurance.
On September 21, 2014, Home Depot emailed its more than 500,000 Canadian customers, notifying them that payment card information of some customers might have been compromised. On November 6, 2014, the company also emailed 58,605 Canadian customers, advising them that their email addresses may have been stolen in the data breach.
A class action was filed against Home Depot as a result of the data breach. On April 25, 2016, the parties signed a settlement agreement. The agreement specifies two major points: 1) Home Depot denies any wrongdoing; and 2) The class action members will release their claims against Home Depot.
On August 29, 2016, Justice Perell of the Ontario Superior Court of Justice approved the Home Depot settlement agreement, awarding the data breach victims the total amount of $400,000 and approving the counsel fee of $120,000 despite the following findings:
“The case for Home Depot being culpable was speculative at the outset and ultimately the case was proven to be very weak. The real villains in the piece were the computer hackers, who stole the data. After the data breach was discovered, there was no cover up, and Home Depot responded as a good corporate citizen to remedy the data breach. There is no reason to think that it needed or was deserving of behavior modification.”
Case #2: Drew v. Walmart Canada
Ms. Drew in the Drew v. Walmart Canada case was a client of Walmart’s online photo center website. She provided Walmart’s photo center website her name, address, telephone number and credit card information.
On July 15, 2015 and October 30, 2015, Walmart informed Ms. Drew via email that “third parties” were able to access Walmart’s customers’ personal and financial information. As a result of the data breach, Ms. Drew initiated a class action against Walmart.
While Walmart made no admission of liability, in a settlement agreement, it agreed to the following:
Justice Perell of the Ontario Superior Court of Justice in the decision dated May 30, 2017 approved the above-mentioned costs that Walmart agreed to shoulder in the settlement agreement.
Landmark Case: Jones v. Tsige
While the Jones v. Tsige can’t be categorized as a high profile case, the ruling of this case may have sparked other litigation cases as a result of invasions of privacy. The Jones v. Tsige case, decided by the Ontario Court of Appeal in 2012, resulted in “a number of awards have been made in other cases based on common law and statutory tort claims for invasions of privacy, including situations where there was no economic harm,” lawyer Alex Cameron said in the article "Cybersecurity in Canada: Trends and Legal Risks 2017” published on the Ontario Bar Association website.
In the Jones v. Tsige case, the defendant used her workplace computer to access at least 174 times the private banking records of her spouse's ex-wife. The Ontario Court of Appeal ruled that even if the dependent didn’t publish, distribute or record the private banking records, she’s still liable for “moral” damages amounting to $10,000.
“The defendant committed the tort of intrusion upon seclusion when she repeatedly examined the plaintiff's private bank records,” Ontario Court of Appeal said. “Proof of harm to a recognized economic interest is not an element of the cause of action.”
Imran Ahmad, partner at Miller Thomson LLP, in the paper “Cybersecurity in Canada: What to Expect in 2017” (PDF) wrote, “At common law, Canadian courts, recognizing the rapid pace at which technology is evolving, have been receptive to recognizing new torts advanced resulting in cybersecurity and privacy breaches (e.g., intrusion upon seclusion, disclosure of private facts, etc.) that are being advanced by plaintiffs’ counsel.” Imran added, “We anticipate this trend to continue and to see the existing torts being further tested by the courts.”
Cases under Canada’s Digital Privacy Act
According to privacy lawyers David Fraser and David Wallace, violations under the Digital Privacy Act “once they take effect, can lead to quasi-criminal liability (it’s not a criminal offence but it’s subject to a penalty that’s similar to a criminal offence, although the court procedures are less complicated) for both organizations and for directors personally.”
The Digital Privacy Act amends Canada’s Personal Information and Protection of Electronic Documents Act (PIPEDA). Under the Digital Privacy Act, Canadian organizations are required to notify individuals and organizations of all breaches of security safeguards that create a “real risk of significant harm” and to report the incident to the Office of the Privacy Commissioner of Canada.
UK Organizations Could Face Huge Fines for Poor Cyber Security
Organizations offering essential services in the energy, transport, water, health and digital infrastructure sector play a vital role in our society. Loss of service as a result of an essential organization’s failure to implement effective cyber security measures affects not only the organization itself but the society as a whole.
For this reason, the UK Government proposes that an essential organization that fails to implement effective cyber security measures could be fined as much as £17 million or 4% of its annual global turnover, whichever is higher. The UK Government also proposes similar penalties for loss of data as a result of failure to implement effective cyber security measures.
Under the UK Government’s proposal, organizations are required to do the following:
UK Minister for Digital Matt Hancock said in a statement that the fines would be applied as a last resort. Hancock said that fines won’t apply to organizations that have taken appropriate cyber security measures but still suffered an attack.
“We want the UK to be the safest place in the world to live and be online, with our essential services and infrastructure prepared for the increasing risk of cyber attack and more resilient against other threats such as power failures and environmental hazards,” UK Minister for Digital said.
EU Cyber Laws
The proposal of the UK Government to subject organizations with huge fines for loss of service and loss of data is in line with 2 of EU’s cyber security laws: 1) Security of Network and Information Systems (NIS) Directive; and 2) General Data Protection Regulations (GDPR).
The NIS Directive was adopted by the European Parliament on 6 July 2016. EU’s member states have until 9 May 2018 to adopt the directive into domestic legislation. A few days after the directive was passed by the European Parliament – specifically on 23 June 2016 – the people in the UK voted to leave the European Union.
“Until exit negotiations are concluded, the UK remains a full member of the European Union and all the rights and obligations of EU membership remain in force,” the UK Government said in the document called “NIS Directive: pre-consultation impact assessment” (PDF). “It is the UK Government’s intention that on exit from the European Union this legislation [NIS Directive] will continue to apply in the UK.”
The NIS Directive specifically requires operators of essential services (energy, transport, banking, financial market infrastructures, health, water and digital infrastructure), whether private or public entities, to take the following appropriate cyber security measures:
General Data Protection Regulations (GDPR)
The GDPR was adopted by the European Parliament a few months before the adoption of the NIS Directive in April 2016. Unlike the NIS Directive, the GDPR doesn’t need an enabling legislation from EU member states. This means that this particular EU law will take effect after a two-year transition period, specifically it’ll be in force in May 2018 in all of EU member states.
When the GDPR takes effect in May 2018, organizations in all of EU member states can be fined a maximum €20 million or 4% of annual global turnover, whichever is bigger, for data breach.
The difference between the NIS Directive and the GDPR, according to UK Minister for Digital Matt Hancock, is that the NIS Directive relates to loss of service, while loss of data falls under the GDPR.
According to the “NIS Directive: pre-consultation impact assessment” document, the UK Government said that the GDPR will replace UK’s existing Data Protection Act in May 2018. “It is expected that the GDPR will bring about an improvement to organisations security measures to protect personal data due to the significant fines that can be given for data breaches, and also because guidance will be provided on the level of security required to comply with the regulation,” the UK Government said.
Companies Penalized under UK’s Data Protection Act for Poor Cyber Security
On 5 October 2016, UK’s Information Commissioner’s Office (ICO) issued telecom company TalkTalk a £400,000 fine for cyber security failings that allowed a cyber attacker to access the company’s customer data “with ease”.
The data breach on TalkTalk, which happened between 15 and 21 October 2015 accessed the personal data of 156,959 customers including their names, dates of birth, addresses, phone numbers and email addresses. The TalkTalk attacker was also able to access 15,656 bank account details and sort codes.
The ICO – UK government body that has the power under the Data Protection Act to impose a monetary penalty of up to £500,000 on a UK company for data breach – found that the TalkTalk attacker used a common technique known as SQL injection to access the data. “SQL injection is well understood, defences exist and TalkTalk ought to have known it posed a risk to its data,” the ICO investigation found.
“Yes hacking is wrong, but that is not an excuse for companies to abdicate their security obligations,” ICO Commissioner Elizabeth Denham said. “TalkTalk should and could have done more to safeguard its customer information. It did not and we have taken action.”
On 27 June 2017, Berkshire-based Boomerang Video Ltd was fined £60,000 by the ICO for failing to take basic steps to stop its website from being attacked. The video game rental firm’s website was attacked in 2014 in which 26,331 customer details could be accessed. Similar to the TalkTalk attack, the attacker used the SQL injection to access the data.
Learn more and let us help you become compliant using proven, practical approach.
Small and Medium-Sized Businesses Not Investing in Cyber Security
The rise of global cyber attacks in recent years might have led many to believe that small and medium-sized businesses (SMBs) are investing in cyber security. But the reality is that majority of SMBs aren’t investing in cyber security.
In the study “Canadian Business Speaks Up: An Analysis of the Adoption of Internet-based Technology”, the Canadian Chamber of Commerce found that cyber security threats are underestimated by 64% of Canadian businesses, indicating they’ve no intention of investing in cyber security measures at this time. Eighty-one percent of the respondents of the Canadian Chamber of Commerce study classify themselves as small businesses and 7% classify themselves as medium. The study was conducted between December 2016 and January 2017.
In another paper “Cyber Security in Canada: Practical Solutions to a Growing Problem”, the Canadian Chamber of Commerce said that a “data breach costing $6 million would break many small businesses”.
In the UK, meanwhile, despite the recent global cyber attacks, insurance company Zurich revealed that close to half (49%) of SMEs in this part of the world only intend to spend less than £1,000 on cyber security in the next 12 months, while 22% of SMEs don’t know how much they will spend.
“While recent cyber-attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it’s important to remember that small and medium sized businesses need to protect themselves too,” said Paul Tombs, head of SME Proposition at Zurich. “The results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses."
Extent of Cyber Attacks on Small and Medium-Sized Businesses
Symantec’s 2016 global internet security threat report (PDF) showed that cyber criminals are more and more turning their attention to hacking small businesses. The Symantec report showed that spear-phishing attackers gradually targeted small businesses – defined by Symantec as enterprises composed of 1 to 250 employees – from 18% in 2011 to 31% in 2012; 30% in 2013; 34% in 2014 and 43% in 2015.
In the UK, results from the latest Zurich SME Risk Index showed that 875,000 or nearly 16% of SMEs have fallen victim to a cyber attack, costing 21% of the victims over £10,000.
In Canada, 23% of Canadian small business owners were certain they were the victim of a cyber attack in 2016, while another 32% suspected that they might have been breached according to an Ipsos survey (PDF).
Canada’s Digital Privacy Act
"There are a significant number of breaches that never get reported because there's no obligation to report them," Imran Ahmad, a partner at the law firm Miller Thomson – a firm that specializes in cyber security, told CBC News.
This practice of sweeping cyber attacks under the rug will start to change with the upcoming implementation of the Digital Privacy Act (PDF), a Canadian law that was passed in June 2015. The Digital Privacy Act requires organizations “to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner”. Failure to report a data breach under this law could result in a fine of up to $100,000.
Matthew Braga of CBC News, in the article "Here's why reports of data breaches will skyrocket this year" wrote, "The hope is that more transparency will lead to better protections and fewer breaches in the long term.”
6 Reasons Why Cyber Criminals Attack Small and Medium-Sized Businesses
Here are 6 reasons why cyber criminals are attracted to small businesses:
1. Less Capable to Handle Cyber Attacks
SMBs are less equipped to manage a cyber attack due to lack of resources.
2. Less Likely to Guard Important Data
SMBs are less likely to protect their important data – intellectual property, personally identifiable information and credit card credentials.
3. Susceptible to Attack Due to Partnership with Large Businesses
The partnership between large businesses and SMBs provides hackers back-channel access to their true target: large businesses.
4. Less Likely to Have Key Security Defenses
According to Cisco, in its 2017 midyear cyber security report, as a result in lesser budget and expertise, SMBs have less key security defenses in place. For instance, only 34% of SMBs reported using email security compared with 45% of large businesses and only 40% use data loss prevention defenses compared with 52% of large businesses.
5. Less Likely to Have Written, Formal Cyber Security Strategies
Large businesses are more likely to have written, formal strategies in place compared to SMBs (66% versus 59%), Cisco reported.
6. Less Likely to Require Vendors to Have ISO Certifications
Large organizations, CISCO noted, are more likely than SMBs to require their vendors to have ISO 27018 certifications (36% versus 30%). ISO 27018 refers to the “commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.”
Ripple Effect of Cyber Attacks on SMBs to Canada’s Economy
In the 2016 Canadian Chamber of Commerce's "Top 10 Barriers to Competitiveness for 2016", the business organization ranked Canada’s vulnerability to cyber crime as the country’s number 2 barrier to global competitiveness. The country’s chamber of commerce said that digital security breaches and cyber theft hinder Canada’s global competitiveness.
Without taking into consideration the value of the data itself, the Canadian Chamber of Commerce said that the country’s internet economy accounted for 3.6% of its $1.83 trillion GDP.
Protecting small businesses, in particular, from cyber attacks is as important as protecting large enterprises, considering that the economy of Canada mostly comprised of small businesses. According to the Canadian Chamber of Commerce, out of the 1.2 million businesses in Canada, 98% have fewer than 100 employees, 55% have fewer than 4 and 75% have fewer than 10 employees. These over a million small enterprises in the country employ 60-80% of all jobs created in Canada and companies with fewer than 100 employees contribute about 51% to Canada’s GDP.
We invite you to connect with us to speak with one of our cyber security experts, and protect your small or medium business today.
Steve E. Driz, I.S.P., ITCP