Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
Global Cyber Attacks Could Be as Costly as Major Hurricanes
Hurricanes Katrina and Sandy are two of the costliest hurricanes of the past three decades. The total damage is estimated at $156 billion from Katrina and $69 billion from Sandy. Lloyd's of London estimates that economic losses from global cyber attacks have the potential to be as big as those caused by major hurricanes.
2 Potential Cyber Attack Scenarios
Lloyd’s report, “Counting the cost: Cyber exposure decoded”, described two global cyber attack scenarios and their potential economic impact:
1. Cloud Service Provider Hack
According to Lloyd’s, the average losses in the cloud service disruption scenario could be $53.1 billion for an extreme event and could go as high as $121.4 billion.
2. Cyber Attacks on Mass Software
For the mass software vulnerability scenario, according to Lloyd’s, the losses could range from $9.7 billion for a large event to US$28.7 billion for an extreme event.
“This report gives a real sense of the scale of damage a cyber-attack could cause the global economy,” said Inga Beale, CEO of Lloyd’s. “Just like some of the worst natural catastrophes, cyber events can cause a severe impact on businesses and economies ….”
Vulnerability of Cloud Service
“The Cloud” is the process of accessing data, computer resources and software over the web. It’s used as a substitute for accessing data from a local computer. Although cloud, also known as network-based computing, dates back to the 1960s, it was only in the early 2000s that its popularity soared as small and medium-sized businesses adopted this new method of accessing data.
In the second quarter of 2016, Synergy Research Group found that Amazon cornered 31% of the cloud infrastructure services market, followed by Microsoft (11%), IBM (7%), Google (5%), Next 20 including Alibaba and Oracle (26%) and others (20%).
More than 90% of the over 2,000 cyber security professionals surveyed in McAfee’s “Building Trust in a Cloudy Sky” report stated that they were using some type of cloud service in their organization.
In February this year, Amazon’s cloud services suffered a costly outage. According to Amazon, a typo caused the outage. Amazon said in a statement: “The Amazon Simple Storage Service (S3) team was debugging an issue causing the S3 billing system to progress more slowly than expected. At 9:37AM PST, an authorized S3 team member using an established playbook executed a command which was intended to remove a small number of servers for one of the S3 subsystems that is used by the S3 billing process. Unfortunately, one of the inputs to the command was entered incorrectly and a larger set of servers was removed than intended.” Amazon’s February 2017 outage cost companies in the S&P 500 index $150 million according to Cyence.
According to Lloyd’s, cloud infrastructure services like Amazon, Microsoft, IBM and Google rely upon a common cloud infrastructure. If a major security flaw were found in this common cloud infrastructure, cloud customers of these cloud services could suffer from a breach, Lloyd’s said.
Vulnerability of Mass Software
In April 2017, the hacker group known as ShadowBrokers published on the internet a compilation of hacking tools that was believed to be used by the National Security Agency (NSA). These publicly released hacking tools could give anyone with technical knowledge the capability to exploit certain computers running Microsoft Windows.
In March 2017, a month before the alleged NSA hacking tools were released to the wild, Microsoft released a free patch or security update for Windows 10. Microsoft, however, didn’t release free security updates for Windows XP, Windows 8 and Windows Server 2003. The company only released free patches for these old Windows operating systems at the height of WannaCry – a ransomware that affected more than 300,000 computers in 150 countries in May this year.
6 Trends that Contribute to Cyber Vulnerability
Lloyd’s report identified these 6 trends that cause further cyber vulnerability:
1. Old Software
Old software refers to software that’s abandoned by its maker. It also refers to software that’s patched by its maker but that end users fail to update. Failing to install a security update leaves a computer user vulnerable to hacks. This happened with WannaCry. Users of Windows 10 succumbed to the ransomware attack after failing to install Microsoft’s March 2017 free patch. Users of Microsoft’s older operating systems (Windows XP, Windows 8, and Windows Server 2003) also fell victim to WannaCry as Microsoft only released the free patch for these older Windows operating systems after WannaCry spread around the world last May 12th.
2. The Number of Software Developers
The number of people developing software has grown substantially over the past 30 years. Each software programmer could potentially add vulnerability to the system, whether unintentionally through human error or intentionally. Proprietary software, for instance, is developed by different teams and outsourced contractors who are spread across the globe. The Linux kernel – an open source software project which started in August 1991 – has over 13,500 developers as of August 2016.
3. Volume of Software
More programmers mean more code is being developed each day. “More code means the potential for more errors and therefore greater vulnerability,” Lloyd’s said. A typical new car, for instance, has about 100 million lines of code.
4. Open Source Software
While the open source movement has resulted in unprecedented digital innovations, it has opened new digital vulnerabilities. Lloyd’s said, “Any errors in the primary code could then be copied unwittingly into subsequent iterations.” Most open source software doesn’t go through the same level of security scrutiny as custom-developed software.
5. Multi-layered Software
In multi-layered software, new code is written over existing code. Most programmers today work on maintaining existing code, rather than creating new code. Multi-layered software, Lloyd’s said, “makes software testing and correction very difficult and resource intensive.”
6. “Generated” Software
In generated software, the code is written by a computer program, instead of being written by human programmers. Lloyd’s said, “Code can be produced through automated processes that can be modified for malicious intent.”
Not understanding your technology vulnerabilities is no longer an option. Assess them today to gain valuable insight, and take immediate action to address the gaps. Connect with us today and speak with our vulnerability assessment and management experts.
7/7/2017
Why Lack of Qualified Cyber Security Workforce is a Critical Vulnerability for Many Businesses
There’s WannaCry. There’s Petya. There’s NotPetya. These cyber threats have hogged the headlines in the past few days. There’s one cyber threat that remains a critical vulnerability for many businesses: the lack of a qualified cyber security workforce.
Cyber Attacks Outpace Cyber Defense
According to Symantec, 430 million new unique pieces of malware were discovered in 2015. At the close of 2015, Symantec added, 191 million records were exposed as a result of cyber attacks.
“Attacks outpace defense, and one reason for this is the lack of an adequate cyber security workforce,” said the Center for Strategic and International Studies in its study called “Hacking the Skills Shortage: A study of the international shortage in cyber security skills”.
A report from Frost & Sullivan and ISC² found that by 2020, more than 1.5 million global cyber security positions will be unfilled. Frost & Sullivan and ISC² revealed that 45 percent of hiring managers reported that they’re struggling to fill additional information security positions despite the increase of security spending across the board for technology, rising average annual salaries and high rates of job satisfaction.
Five years ago, cyber threat wasn’t part of the top 10 risks (it only ranked 12th) prioritized by corporate boards according to Lloyd’s 2011 annual risk survey. Corporate attitude towards cyber security has drastically changed in recent years.
A Forbes report found that four financial institutions – J.P. Morgan Chase & Co., Bank of America, Citigroup, and Wells Fargo – spent more than $1.5 billion on cyber security in 2015. In a live interview on Bloomberg in 2015, Bank of America CEO Brian Moynihan said that cyber security is the bank’s only business unit with no budget limit.
In 2017, PwC’s global CEO survey found that cyber threat is among the top five risks on CEOs’ minds, behind only availability of key skills, volatile energy costs and changing consumer behavior.
Delay of Hiring Cyber Security Workforce Leaves Businesses Vulnerable to Cyber Attacks
The 2017 state of cyber security survey by ISACA (Information Systems Audit and Control Association) found it takes six months or longer to fill priority cyber security and information security positions in more than 1 in 4 companies around the globe.
“When positions go unfilled, organizations have a higher exposure to potential cyber attacks. It’s a race against the clock,” said Christos Dimitriadis, ISACA board chair.
For its part, the Center for Strategic and International Studies said, “The continued skills shortage creates tangible risks to organizations.” In the study conducted by the center, 1 in 4 respondents said their organizations have lost proprietary data as a result of their inability to maintain adequate cyber security staff.
Lack of Qualified Applicants
The ISACA report showed that compared to other corporate job openings, which garner 60 to 250 applicants, cyber security openings receive fewer applicants.
Fifty-nine percent of the organizations surveyed by ISACA reported that for each cyber security opening, they only receive at least 5 applicants, and only 13 percent receive 20 or more applicants. Sixteen percent of North American respondents in the ISACA survey indicated that a cyber security opening receives at least 20 applicants.
Compounding the problem of the lack of applicants for cyber security openings is the problem of qualified applicants. The ISACA board chair said, “As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job.”
Sixty-four percent of the respondents of the ISACA survey said half or less of their applicants for cyber security positions are qualified, while 35 percent of the survey respondents said that less than 25 percent of applicants are qualified.
When asked to identify the most important attributes of a qualified applicant, respondents of the ISACA survey ranked practical verification or hands-on experience as the most important; reference/personal endorsement is ranked second; certifications are ranked third; formal education is ranked fourth; and specific training is ranked fifth.
Security Fatigue
Making things worse is the “security fatigue” of non-cyber security personnel. The National Institute of Standards and Technology (NIST) defined security fatigue as a “weariness or reluctance to deal with computer security”.
A NIST study found that a majority of computer users experienced security fatigue that often results in risky computing behavior in the workplace and in their personal lives.
“The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” cognitive psychologist and co-author of the NIST study Brian Stanton said.
“Years ago, you had one password to keep up with at work,” computer scientist and co-author of the NIST study Mary Theofanos said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cyber security expanding and what it has done to people.”
The NIST study found that security fatigue results in feelings of resignation and loss of control. This weariness or reluctance to deal with computer security, the NIST study found, can lead to choosing the easiest option among alternatives, behaving impulsively, and failing to follow security rules.
How to Remedy the Cyber Security Workforce Shortfall
Here are three recommendations on how to remedy the cyber security workforce shortfall:
1. Accept Non-Traditional Sources of Education
The Center for Strategic and International Studies study suggested that hiring managers should put less emphasis on degree requirements especially for entry-level cyber security positions, and instead place greater emphasis on hands-on experience and professional certifications.
2. Diversify the Cyber Security Workforce
A number of studies have shown that women and minorities are underrepresented in the field of cyber security. Opening this field to women and minorities will diversify the cyber security workforce and will also expand the talent pool.
3. Automate
The Center for Strategic and International Studies study revealed that organizations are looking to automate cyber security functions to offset the skills shortage. Cyber security automation generates efficiencies. Efficient processes allow cyber security personnel to focus their talent and time on cyber threats that need human intervention.
How to improve healthcare cyber security
Scope of Hacking Health Care Records
The hackings of health care records at the NHS and HPMC aren’t isolated cases. Prior to the widely published WannaCry ransomware attack, other cyber attacks had already wreaked havoc in the health care industry. Protenus reported that in 2016, the U.S. health care industry suffered one breach per day, affecting more than 27 million patient records.
For the month of April 2017 alone, the U.S. Department of Health and Human Services, Office for Civil Rights reported 12 hacking incidents on hospitals and medical doctors’ offices, affecting 171,564 patient records.
The biggest hacking incident last month that was reported to the U.S. Department of Health and Human Services happened at Harrisburg Gastroenterology Health Care Center, affecting 93,323 patient records. The patient information potentially accessed at Harrisburg Gastroenterology includes names of patients, demographic information, social security numbers, health insurance information, diagnostic information and clinical information.
Last May 18th, Neeley-Nemeth Barton Oaks Dental Group reported to the U.S. Department of Health and Human Services that its computer system was hacked, affecting 17,090 patient records.
Symantec's Global Ransomware and Business Special Report showed that from January 2015 to April 2016, Canada ranked third (16%) in terms of ransomware infections, next only to the United States (23%) and "Other Regions" (19%).
Verizon’s 2017 Data Breach Investigations Report showed that breaches in healthcare organizations came second (15%), next to data breaches in financial organizations (24%). In 2017, ransomware was ranked by Verizon as the number five most commonly used crimeware. “For the attacker, holding files for ransom is fast, low risk and easily monetizable – especially with Bitcoin to collect anonymous payment,” the Verizon report said.
5 Reasons Why Hacking of Health Care Records is Skyrocketing
Hospitals and medical doctors’ offices have become targets for ransomware attacks due to the following reasons:
1. Medical Records are Irreplaceable
Medical doctors’ offices and hospitals have irreplaceable digital documents that increase every hour, from appointments with patients to viewing imaging.
2. Willingness to Pay
Compared to other sectors, the medical sector appears to be more than willing to pay ransom for the fast recovery of their data.
3. Confidential Nature of the Documents
Medical doctors’ offices and hospitals’ records carry with them an abundance of confidential information about patients such as social security details, insurance details, birth dates, addresses, medical history and current medical situation. These confidential data can be sold to other opportunistic individuals or organizations at $10 per patient – an amount 10 times higher than what criminals earn from selling credit card details.
4. Loss of Reputation
Hacking exposes organizations’ weaknesses. As such, many hospitals and medical doctors’ offices would rather pay and keep quiet than face the consequence of loss of reputation.
5. Vulnerable Software
Many medical doctors’ offices and hospitals use proprietary software. Cyber criminals exploit the vulnerabilities of these proprietary software solutions. In the case of the NHS WannaCry ransomware attack, the vulnerability of the operating system Windows XP was exploited. At the height of the WannaCry attack, NHS confirmed that 4.7% of the organizations’ computers still use Windows XP – an operating system released by Microsoft in 2001.
3 Effective Ways to Prevent Cyber Attacks on Medical Doctors’ Offices
Below are 3 preventive measures to stop cyber criminals from getting hold of your patients’ confidential data:
1. Backup data
One of the effective means to prevent cyber attacks, specifically ransomware attacks, is by backing up your data. Ransomware attackers gain an advantage over their victims by encrypting valuable computer files and preventing victims from accessing these files. If you have backup copies, it would be easy to bring back these files. It’s important to make sure that these backup files are properly protected. Storing them offline is one alternative so that cyber criminals can’t access them. Another option is to use cloud services. These cloud services keep previous versions of files, enabling you to roll back to the unencrypted form.
2. Exercise digital hygiene
Preventing cyber attacks on medical doctors’ offices is similar to other disease prevention: hygiene is essential. In the medical office set-up, digital hygiene refers to keeping one’s computer hardware and software solutions as secure as possible. Examples of digital hygiene include updating your hardware systems, installing the latest patches or software security updates, and not clicking unfamiliar links or files in emails. Hundreds of thousands, if not millions, of computers were unharmed by WannaCry ransomware by simply using the latest operating system and installing the latest patch or security update.
3. Contain the infection
Containing malware is much like containing an infectious disease outbreak. In such a case, a rapid response such as isolating the infected computers can make a difference. Many ransomware programs like WannaCry have a worm component that’s capable of spreading itself within computer networks without the need for user interaction. In handling the WannaCry ransomware attack, Spain’s Computer Emergency Response Team CCN-CERT, for instance, recommended isolating from the network or turning off as appropriate computers without support or patch.
Contact us today if you want to protect your hospital or medical office from cyber attacks.
How to Create a Cyber Security Culture
In this world of frequent hacks and attempted hacks, it is more important than ever to foster a cyber security culture in your business. Unfortunately, this is easier said than done. Keep reading to learn more about how to create a cyber security culture among your employees.
Remember the Basics
There are a few basic cyber security measures that every business should be taking, including the following:
Strong Passwords
It seems simple, but a strong password is an important step in protecting against a cyber attack. Make sure that you and all your employees are using long passwords that include a mix of capital and lowercase letters, numbers, and special characters.
Update Your Software Regularly
Most software has some glitches in it, no matter how long it's been on the market. While these glitches often aren't even noticeable, they can sometimes make you more vulnerable. Stay one step ahead of potential attackers and keep your software up to date. This is especially important for programs like antivirus scanners and your firewall.
Limit Access
Not every employee needs access to every part of your computer network. Limiting access to sensitive data to only those who need to work with it is another simple way that you can create a cyber security culture in your workplace. With access limited, everything is not automatically made available to someone who hacks into one employee's account.
Let Your Employees Know Why They Should Protect Themselves
You understand the importance of cyber security, but your employees might not. If your employees think your security policies are excessive or unnecessary, they aren't likely to follow them. Make sure you're teaching your employees the importance of cyber security. There are a few ways you can accomplish this:
Help Them Find Their Motivation
It's important to find what motivates your employees to protect their information. Talk to them about potential security issues and the implications of a security breach. For example, do they want to protect their families and their personal finances? Making things more personal will help motivate employees to follow through with your cyber security measures.
Discuss The Benefits Of Cyber Security
In addition to personal motivation, talk to your employees about how increased cyber security helps the company as a whole. Remind your staff that a lack of cyber security may reflect badly on your company. Your customers or clients want to know that their information is safe. They might take their business elsewhere if they think your employees and the company as a whole do not care about security.
Keep It Simple
It's important not to overload your employees with information. Rather than bombarding them with new programs and policies, start small and figure out which behaviors you want to promote first. Over time, as your employees get comfortable with initial security measures, you can take things a bit further. If they feel overwhelmed or frustrated by a deluge of information, employees are more likely to resist the changes.
How Do You Create A Cyber Security Culture?
What do you think of our list of tips for creating a cyber security culture? What other steps would you take? Let us know in the comments below! You can also contact us today to learn more about how to protect your business.
What to do When Your Company Suffers a Security Breach
Insider and outsider threats are becoming more and more of a problem, as our reliance on technology increases. According to the Verizon data breach report, ransomware cyber attacks increased by 16%. At the same time, 30% of email phishing messages were opened without suspicion. Not to mention, it only took hackers a couple of minutes to infiltrate a system (in 93% of attacks). Within 28 minutes (or less), data exfiltration had been a success in most attacks. As the Target security breach proves, it doesn't matter how large or small your business is. Cyber security attacks don't discriminate. Read on to learn what to do when your company has suffered a security breach. How you react and recover from the breach will determine how extensive the financial and legal repercussions are.
Having a response plan is necessary
An effective response plan minimizes damage. Every employee knows what their task(s) is/are. And, because this plan has been practiced several times, they know what to do. IT starts analyzing the data that's been exfiltrated. PR begins drafting a statement to the media outlets. A designated employee (or employees) contacts the appropriate law enforcement. And the US Computer Emergency Readiness Team (US-CERT) or its equivalent elsewhere is notified. Overall, a formal incident response plan decreases panic and puts your team into action during this stressful time.
What if you don't have a response plan?
So you don't have a response plan in place. Or your response plan isn't as extensive as it should be. However, you have no time. You just suffered a security breach. What do you do? You're not alone. This report indicates that only 25% of respondents have a response plan that's across the entire enterprise. That means 75% of respondents either don't have a response plan or theirs doesn't have extensive coverage. That said, you still have options.
Be as transparent as possible
A security breach puts your business reputation at stake. If the breach isn't handled professionally, you could lose several customers. To prevent this, go public about the situation and what steps you're taking to mitigate the breach. This shows current and potential customers that your business is honest and is doing everything it can to mitigate the damage. If the hackers exfiltrated personal customer information, let your customers know...IMMEDIATELY. That way, they can call their banks and cancel their credit cards if needed, before the fraud is committed.
Talk to a lawyer
There will be a backlash after a breach. Customers may sue you for damages. You and the hacker(s) may go to court to handle damages and get justice for the breach. In any case, contacting a lawyer right away is mandatory. He or she will know more about cyber law than you do, and what steps you need to take to protect your business from lawsuits.
Learn from the security breach
Identify how the hackers gained entry, and work to patch up those vulnerabilities. Conduct penetration testing several times per year to see if those vulnerabilities have been taken care of. Also, put a response plan in place and practice it. For more cybersecurity information, contact us.
The Importance of Cybersecurity Programs
Cybersecurity seems to be a word no one wants to discuss, whether it be an individual or a company. Maybe because no one thinks they are going to get hacked until it happens to them. However, getting "hacked" seems to be becoming more and more common nowadays. It's about time we take control before it's too late. Especially if you own a business, you must put having the right cybersecurity programs in place at the top of your priority list. No matter what type of business you run, you are bound to be working with some sort of sensitive information. And the last thing you want to deal with is getting it stolen and having your customers lose their trust in you. Cybersecurity programs need to be a crucial part of your business. Let's find out why you need to be protected and the importance behind them.
Hackers don't discriminate
The first thing to know is that no matter what the information may be, nothing is safe. So, if you run a doctor's office, personal and health records are at risk, and if you run a boutique agency, your clients' payment and personal records are at risk. Cyber criminals will try to get at anything that makes them money. This could be in the form of a data breach or stolen credit card information. Since we use technology for almost everything these days, everyone's information is out there and hackers know this.
All customer data is at risk
Not having the proper cybersecurity programs in place could affect your business both internally and externally. It could hurt both your business and your customers. Your employees' information could be compromised, but so could your customers', which leads to much bigger problems. Most hackers look for personal information that leads to identity theft, ransomware, data breaches, and malware. Nothing is going to hurt your business more than having precise personal information like this stolen.
Hiring a cybersecurity services firm is the first step
The first step in putting cyber attacks to a halt is hiring a cybersecurity consultant or company depending on how big your company is. This investment is going to pay off in the long run and cybersecurity is only going to become more of an issue as our world continues to run online. Make sure your cybersecurity services company has industry expertise and a proven track record. This entity will set up your cybersecurity strategy unique to your business.
Implement cybersecurity programs into your culture
Once you have a cybersecurity service or consulting team established, it's time to get your employees on board. It's important to sit down with everyone in the company to let them know the cybersecurity programs that are being implemented and how to abide by them. You should also inform them on basic best practices like not sharing passwords or personal information, making your passwords unique for every platform, and not clicking on links or attachments from unknown emails. There are 556 million victims of cyber crime every year and over 1.5 million victims per day. Don't be the individual or business that adds to this statistic. Taking the precautionary steps by investing in cybersecurity programs is crucial to your business and your clients. Don't be naive enough to think cyber criminals won't find you. Are you interested in partnering with a firm that will manage your cybersecurity programs and infrastructure and prevent breaches before they occur? The Driz Group will help you get there.
Are the Biggest Cyber Security Risks Your Employees?
It's true - studies show that within businesses, the biggest cyber security risks come from those employed. What can you do to protect your business? Read on.
We all want to believe that our employees are honest, hardworking people who would do nothing to hurt our company. But the truth is, whether by malice or accident, the biggest cyber security risks are almost always going to be your employees, and it’s getting increasingly difficult to ignore the string of high-profile cyber-attacks that are now a regular occurrence. Here’s what you can do about it.
1. Develop responsive IT structures and teams
One of the most common complaints about IT security and employees is that IT moves too slowly for them to do their jobs effectively. Particularly with millennials and digital natives entering the workforce and their familiarity with cloud-based computing, the temptation is to install and use secure company resources and do work with insecure tools, devices, products, and services.
What’s more, staff members (who, remember, just want to do their job AND are under pressure to do more with less using IT) often feel that the approvals process with the IT staff is just too slow. The result? It becomes impossible for IT to even know where their resources should be spent, let alone the most efficient way to spend them. Fortunately, there’s a solution that can work wonders. A lot of cloud applications are, in fact, secure enough to mitigate any cyber security risks. The only problem is that IT needs to know about them ahead of time. So the best way to help yourself is to make sure that your IT team is fully integrated and extremely responsive to new application requests. If you have more time and resources available, it pays to build your IT infrastructure so that you can support at least some cloud SaaS products, so you can say yes at least some of the time.
2. Explain the cyber security risks associated with common behaviors
Did you know that many workers use the same password for everything? Or write down their passwords and stick them in a notebook, on their computers or (worse) store them in a Word file on their computer? And this sort of behavior that creates cyber security risks isn’t exactly difficult to understand. Workers are busy, and they don’t want to spend time doing stuff like double logins or changing their passwords all the time (or trying to remember what their passwords are!). But if IT teams make an effort to explain why and create awareness about the very real cyber security risks, then people are a lot more likely to comply with more stringent security requirements. Remember: even though you can dictate security policy, it’s a lot more effective if everyone is actually on board rather than just going through the motions.
3. Focus your security energy where it’s needed most
Finally, the best thing you can do for your security and for keeping your network secure from your employees is to focus your energy where it’s most needed.
Building MORE security around set pieces of your network and letting most of the network stay at a more functional level will increase your safety and reduce the friction between the IT teams and employees. This compromise means that you get a high level of security, and they get to do their jobs faster and easier. Getting your team to take cyber security risks seriously doesn’t have to be an uphill battle. By making small changes, you can shift how your employees think about security, and thus make your whole network safer.
Author: Steve E. Driz, I.S.P., ITCP
7/20/2017