Combating the Most Common Cyber Security Risks
Hard as it may be to believe, government agencies have been found to have some of the worst cyber-security systems in the United States.
Federal, state, and local agencies were all ranked below other industries (retail, transportation etc.) in a study on U.S. cyber-security. Even NASA, considered one of the most technologically innovative institutions in the country (if not the world), was flagged for its high vulnerability.
The U.S. Department of State was another weak performer, struggling to protect its systems from outside threats with an unsuitable set-up.
The point? If one of the most powerful governments in the world is failing to keep sensitive data out of criminals’ hands, they are risking the security of countless people on a daily basis. They cannot afford to be so lax.
The same is true of your own business, albeit on a smaller scale: allowing your enterprise to be vulnerable in today’s world is dangerous for your employees and clients alike.
What cyber threats are you most susceptible to, and how can you protect against them?
Malware
What is it?
We’ve all heard of malware, but do we know what it actually is?
The term covers various forms of harmful software that can cause all manner of chaos on your computer, whether delivered as a virus or as ransomware (in which you are ordered to pay in order to regain access to your system).
The malware can actually take over your computer, monitor your activities without your awareness, or even transfer critical information to another user with the utmost discretion.
How can you prevent it?
Make sure you use unique passwords and educate your employees to do the same. Only share sensitive data on a site which is clearly secure, with ‘https’ in its URL.
You should never download any files sent by a sender you don’t trust or recognize, and make sure data is backed up to disconnected hardware on a regular basis. This enables you to restore vital information in the event of a malware attack, without needing to pay or sacrificing critical data.
Phishing
What is it?
You know to never open an attachment in an email from an unknown sender, or to be wary of telltale bad grammar. These are sure signs of a phishing scam, but some cyber-criminals are more advanced.
They may pose as someone else – such as a friend, a bank etc. – and encourage you to follow a link or open an attachment. The email may look legitimate but will contain harmful malware that could pose a serious risk to your entire business.
How can you prevent it?
The most obvious technique: be sure before you click. If there is anything remotely suspicious or odd about the email, don’t follow a link or open an attachment.
If an email from a bank or other trusted organization asks for confidential information, contact them through another channel to confirm this (though they will generally never ask for sensitive data through email anyway).
Anti-phishing toolbars can be installed on your browser, which will notify you if you enter a known phishing website. Use desktop and network firewalls to protect your system from any malicious programs, and pay attention when your browser informs you that a site is ‘not secure’ (lacking the ‘https’ in its URL bar).
SQL Injection Attack
What is it?
SQL (Structured Query Language) is the language used to communicate with databases, and countless servers use it to manage critical data. An SQL injection is an attack aimed at these servers, in which malicious input is crafted so that it is interpreted as part of a query and used to extract data that would otherwise remain private.
If the server under attack carries access information (usernames, passwords), financial details (credit cards etc.), or any other highly-sensitive data, the criminal responsible will be able to access some or all of it.
How can you prevent it?
All sensitive data contained within a database should be encrypted. Passwords, financial records, and anything else which could leave your business vulnerable must be protected.
Also, don’t store such sensitive information if you don’t need it currently, and are unlikely to in the future. Leaving data that carries real value to linger in your databases could lead to problems – all of which can be avoided simply by wiping useless information.
Implement a web application firewall (WAF), which will automatically block and prevent SQL injection attacks.
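The following is an added example, not code from the original article: it shows the database-side fix that sits underneath the WAF and data-minimisation advice above, contrasting a query built by string concatenation with a parameterized one. The table and the inputs are constructed for the demonstration; the pattern applies to any SQL driver that accepts bound parameters.

```python
import sqlite3


def make_db():
    # Constructed sample data: a tiny in-memory users table, not a real system.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password_hash TEXT, card_last4 TEXT)")
    con.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "hash-a", "1111"), ("bob", "hash-b", "2222"), ("carol", "hash-c", "3333")],
    )
    return con


def lookup_vulnerable(con, username):
    # Untrusted input is pasted straight into the SQL text: a quote character in
    # the input ends the string literal and the remainder becomes part of the query.
    sql = "SELECT username, card_last4 FROM users WHERE username = '" + username + "'"
    return con.execute(sql).fetchall()


def lookup_parameterized(con, username):
    # The driver sends the value separately from the statement, so the input is
    # only ever compared as data and can never change the shape of the query.
    sql = "SELECT username, card_last4 FROM users WHERE username = ?"
    return con.execute(sql, (username,)).fetchall()


def demo():
    # Runs both lookups with a normal username and with a constructed input that
    # contains a quote, and returns the rows each version hands back.
    con = make_db()
    normal = "alice"
    tampered = "x' OR '1'='1"  # constructed input containing a quote
    return {
        "vulnerable_normal": lookup_vulnerable(con, normal),
        "vulnerable_tampered": lookup_vulnerable(con, tampered),
        "param_normal": lookup_parameterized(con, normal),
        "param_tampered": lookup_parameterized(con, tampered),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With concatenation the tampered input returns every row in the table; with a bound parameter it matches no user at all, which is the behaviour a WAF is only a second line of defence for.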
Cross-Site Scripting (XSS)
What is it?
During an XSS attack, the cyber-criminal injects malicious code right into your website with an aim to go after your visitors through their browser.
These attacks can cause severe damage to your reputation, as your site would be responsible for endangering visitors’ sensitive data.
This is worsened if they are customers purchasing from you or providing their personal details. As a result, you might not even realize your site is infected until customers start tracing suspicious activity back to their activities on your domain.
How can you prevent it?
While a web application firewall will block XSS attacks, you still need to pay attention to the way in which your site accepts input data, to minimize the malicious code that passes through. This might mean having a number of filters in place, such as a web application firewall, which reduces the risk of an XSS attack significantly.
Another step, though somewhat more complex, is to use an alternative rendering format to raw HTML, so that entries that might be malicious are rejected. Markdown or BBCode are alternatives to raw HTML that may help to protect against XSS attacks.
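An added example (not from the original article) of the two input-handling ideas above: untrusted comment text is HTML-escaped before it reaches the page, and a deliberately tiny BBCode-style renderer escapes everything first and then translates only a whitelist of tags. The sample submissions are constructed; `render_comment_unsafe` is included only to show what the escaping prevents.

```python
import html
import re

# Only these tags are translated into HTML; everything else stays literal text.
BB_TAGS = {"b": "b", "i": "i"}

# Constructed sample submissions, not real data.
SAMPLE_TEXT = "Great product! <script>alert(document.cookie)</script>"
SAMPLE_AUTHOR = 'mallory" onmouseover="alert(1)'


def render_comment_unsafe(author, text):
    # Untrusted strings are concatenated straight into the HTML, so any markup a
    # visitor submits is delivered to every other visitor's browser as live code.
    return '<div class="comment" data-author="' + author + '">' + text + "</div>"


def render_comment_safe(author, text):
    # html.escape(quote=True) neutralises < > & " and ', so the input is shown
    # literally; that covers both text nodes and double-quoted attribute values.
    return (
        '<div class="comment" data-author="' + html.escape(author, quote=True) + '">'
        + html.escape(text, quote=True)
        + "</div>"
    )


def render_bbcode(text):
    # Escape first, then convert only the whitelisted [b]/[i] pairs: a visitor can
    # ask for bold text but cannot smuggle in a tag or an attribute of their own.
    out = html.escape(text, quote=True)
    for tag, html_tag in BB_TAGS.items():
        out = re.sub(
            r"\[%s\](.*?)\[/%s\]" % (tag, tag),
            r"<%s>\1</%s>" % (html_tag, html_tag),
            out,
            flags=re.S,
        )
    return out


def contains_live_markup(rendered):
    # Crude check used only for the demonstration: a raw tag or an attribute
    # breakout must not survive in the rendered output.
    return "<script" in rendered or '" onmouseover=' in rendered


def demo():
    unsafe = render_comment_unsafe(SAMPLE_AUTHOR, SAMPLE_TEXT)
    safe = render_comment_safe(SAMPLE_AUTHOR, SAMPLE_TEXT)
    return {
        "unsafe": unsafe,
        "safe": safe,
        "unsafe_has_markup": contains_live_markup(unsafe),
        "safe_has_markup": contains_live_markup(safe),
        "bbcode": render_bbcode("[b]hi[/b] <script>x</script>"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```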
Cyber-security threats are constantly evolving, as criminals continue to find weaknesses in security protocols and exploit them. By keeping your security systems up to date and staying abreast of the latest risks, you can maximize your business’s resistance to threats.
Never be complacent about your business’s cyber-security precautions: you should always be willing to explore new systems and processes for the good of your entire enterprise.
When you have questions concerning cybersecurity threats, get in touch with our team and we will be happy to help.
Dangers of Cyberattacks as a Result of Source Code Leak
This past week, someone posted source code from Apple’s iPhone operating system, iOS, on GitHub, a site that hosts source code repositories.
There was confusion at first as to whether the code was real or not. Apple indirectly confirmed that the code was real by filing a DMCA legal notice demanding that GitHub remove the source code. The DMCA, the Digital Millennium Copyright Act, is the U.S. law under which owners of copyrighted material who believe their rights under U.S. copyright law have been infringed can issue a takedown request.
The iPhone source code called “iBoot” published on GitHub, Apple said "is responsible for ensuring trusted boot operation of Apple's iOS software." The company added, “The ‘iBoot’ source code is proprietary and it includes Apple's copyright notice. It is not open-source.”
Jonathan Levin, the author of a series of books on iOS and Mac OSX internals, told Lorenzo Franceschi-Bicchierai of Motherboard that the iBoot source code publication is the “biggest leak” in Apple's history.
Source code is the collection of computer instructions that a programmer writes when developing a software program. Software can be either open source or non-open source.
With open source code, anyone can inspect or modify the code. With non-open source code, the source code is hidden from the public and, as such, only the software maker can make changes to it.
Non-Open Source Code Leak
Apple and Microsoft are examples of companies that keep their products’ source code hidden from the public.
While most companies don’t allow outsiders to view and modify their source code, they do allow security researchers, also known as ethical hackers, to review their software, find security vulnerabilities and report them directly to the company in exchange for a monetary reward, also called a bounty.
Apple, through its bounty program, pays a maximum of $200,000 to someone who directly reports bugs or security vulnerabilities to the company.
Despite the takedown of the iPhone source code on GitHub, the source code has already made its way to dark web sites.
Access to non-open source code like iBoot gives hackers a better chance of finding security vulnerabilities that could lead to cyberattacks.
EternalBlue Source Code Leak
On April 15, 2017, a hacker group calling itself the “Shadow Brokers” leaked the source code of a number of hacking tools believed to have been developed by the U.S. National Security Agency (NSA).
The source code of EternalBlue is one of those leaked by the hacker group. EternalBlue could allow remote code execution if a cyberattacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
The EternalBlue source code leak spawned devastating cyberattacks, the most notable of which was the WannaCry cyberattack. In May 2016, hundreds of thousands of computers around the world were infected with WannaCry, a malware that encrypts computer files, prevents users from accessing files and asks for ransom payment in the form of Bitcoin for the release of the decryption key to unlock the affected computer.
Adylkuzz is another malware that uses the EternalBlue source code. The purpose of the Adylkuzz malware is to mine the cryptocurrency Monero. Similar to the cryptocurrency Bitcoin, a Monero coin needs to be mined – a process by which a transaction is verified and added to the public ledger, known as the blockchain, and through which new coins are released.
While cryptocurrency mining of Bitcoin can only be done on powerful computers, mining Monero can be done on regular computers and even on smartphones.
The Adylkuzz malware installs the Monero cryptocurrency miner called “cpuminer” on infected computers. Once cpuminer is installed on a compromised computer, Monero mining is conducted without the knowledge of the user. The mining operation, however, exhausts the computer’s CPU, resulting in slow performance.
Open Source Code Leak
With open source code, anyone can inspect or modify the code. Open source code is also known as collaborative code. There are benefits in allowing other programmers to inspect and modify source code. It’s a known fact that no software has a perfect source code. Allowing programmers to inspect and modify source code can enhance and improve the code in the long run.
Linux is an example of open source software. It’s an operating system similar to Windows and iOS. The difference between Linux and those operating systems is that it’s open source. The Linux source code is free and available to the public to view and, for users with the necessary skills, to contribute to the enhancement of the code.
While the publication of open source code can, on one hand, be beneficial to society, as the positive contribution of Linux shows, the publication of open source code with malicious intent can be detrimental to society.
Mirai Source Code Leak
The publication of the Mirai source code is an example of how the publication of malicious open source code can be detrimental to society.
On September 30, 2016, a HackForums user by the name of “Anna-senpai” posted the source code of the malicious software called “Mirai”. Mirai was responsible for the distributed denial of service (DDoS) attack on the website of cybersecurity journalist Brian Krebs on September 20, 2016.
On December 13, 2017, Paras Jha pleaded guilty to creating Mirai and to conducting a series of DDoS attacks on the networks of Rutgers University between November 2014 and September 2016, which resulted in shutting down Rutgers University’s central authentication server – a gateway portal through which students, staff and faculty deliver assignments and assessments.
According to the U.S. Department of Justice, hundreds of thousands of IoT devices such as wireless cameras and routers were infected with the Mirai malware and were used "to conduct a number of powerful distributed denial-of-service, or ‘DDOS’ attacks, which occur when multiple computers, acting in unison, flood the Internet connection of a targeted computer or computers".
According to Imperva Incapsula, Mirai-infected IoT devices were spotted in 164 countries, appearing even in remote locations like Montenegro, Tajikistan and Somalia.
The publication of the Mirai source code spawned other DDoS attacks, the most notable of which was the attack on Dyn, a domain name service (DNS) provider upon which many websites rely. The DDoS attacks against Dyn resulted in temporarily shutting down popular websites like Amazon, Twitter, Netflix and even GitHub.
Dyn, in a statement, said, “We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.” The company said that 100,000 IoT devices were infected with the Mirai malware to attack its DNS infrastructure.
In December 2017, the source code of the malware called “Satori”, a variant or new version of Mirai, was leaked on Pastebin. This Mirai variant particularly infects the Huawei home router model HG532.
While the original Mirai malware infects IoT devices by using default usernames and passwords, Satori doesn’t need usernames and passwords. Security researchers at Qihoo 360 Netlab said, “The bot [Satori] itself now does NOT rely on loader/scanner mechanism to perform remote planting, instead, bot itself performs the scan activity. This worm-like behavior is quite significant.”
Security researchers at NewSky Security said that with the release of the full working code of the Mirai variant Satori, “we expect its usage in more cases by script kiddies and copy-paste botnet masters.”
Cybersecurity Best Practices
Here are some security best practices to protect your organization’s computers from the dangers of cyberattacks that result from source code leaks:
1. Use Supported Software
Supported software is software for which security updates are regularly issued by the software vendor.
Many fell victim to WannaCry because they were using Windows operating systems that Microsoft – the software vendor – no longer supported and no longer issued security updates for.
A patch, also known as a security update, is a piece of software code added to existing source code that fixes security vulnerabilities.
WannaCry could have been prevented by simple patching or installing of the security update issued by Microsoft on March 14, 2017 – a month before the hacker group leaked the EternalBlue source code. Microsoft’s March 14, 2017 security update patches or fixes the security vulnerability exploited by EternalBlue. This security update was issued to supported Windows operating systems.
3. Use Latest Software Version
Leaked source code is typically the source code of an older software version. Software vendors normally fix security vulnerabilities found in older software versions in the latest software version.
It is interesting to note that Windows 10 proved to be resilient against the Petya ransomware attack unleashed more than a month after the WannaCry attack. Similar to WannaCry, Petya exploited the security vulnerabilities targeted by EternalBlue and EternalRomance – two hacking tools believed to have been developed by the NSA and leaked by the hacker group Shadow Brokers.
4. Practice Network Segmentation
There are instances where security updates can’t be installed right away. One way to prevent or minimize the effects of a cyberattack is network segmentation – the process of dividing a computer network into subnetworks. With network segmentation, a cyberattack on one subnetwork won’t affect the other subnetworks.
5. Have the Right DDoS Protection
Cybercriminals today don’t necessarily create their own attack tools. Some simply copy leaked source code. This is the case with DDoS-for-hire groups, cybercriminals that offer DDoS attacks as a service for a fee. There are available tools that effectively counter these DDoS attacks. Connect with us today and protect your business.
'Secure' Wi-Fi Standard Has Serious Security Flaws
Researchers from the University of Leuven in Belgium have discovered a series of serious wi-fi security flaws that essentially eliminate wi-fi privacy.
This series of wi-fi vulnerabilities, collectively dubbed “Krack”, short for key reinstallation attacks, allows access to data that was previously presumed to be safely encrypted. Krack attackers can steal wi-fi passwords, chat messages, emails, photos and other sensitive information. It’s also possible, depending on the device in use and the network configuration, for Krack attackers to inject malicious software like ransomware into websites.
The University of Leuven researchers, in their paper entitled “Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2” (PDF) said that “every Wi-Fi device is vulnerable” to Krack attacks.
"The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations,” lead researcher Mathy Vanhoef said.
Wi-Fi Alliance, a non-profit organization that promotes wi-fi technology and certifies wi-fi products, said, “Recently published research identified vulnerabilities in some Wi-Fi devices where those devices reinstall network encryption keys under certain conditions, disabling replay protection and significantly reducing the security of encryption.”
For its part, the International Consortium for Advancement of Cybersecurity on the Internet (ICASI), in a statement said, “Depending on the specific device configuration, successful exploitation of these vulnerabilities could allow unauthenticated attackers to perform packet replay, decrypt wireless packets, and to potentially forge or inject packets into a wireless network.”
ICASI members include Amazon, Cisco Systems, IBM, Intel Corporation, Juniper Networks, Microsoft Corporation and Oracle Corporation.
How Krack Works
For Krack to work, the attacker must be within range of the victim. As a proof of concept, lead researcher Vanhoef executed Krack attacks against wi-fi devices. Vanhoef was able to show that Krack not only steals login credentials – including email addresses and passwords – but decrypts all data that the victim transmits.
It’s also possible for Krack attackers, depending on the network setup and the device being used, to decrypt not just data sent over wi-fi by the victim but also data sent towards the victim, for instance the content of a website.
“Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations,” Vanhoef said. “For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps.”
Krack is able to decrypt not just data sent over wi-fi but also data sent towards the victim by exploiting vulnerabilities in the 4-way handshake of the Wi-Fi Protected Access 2 (WPA2) protocol.
The 4-way handshake is a 14-year-old mechanism that is supposed to ensure wi-fi privacy by installing a fresh and unique encryption key, used to encrypt all subsequent traffic, every time a device joins a protected wi-fi network.
Instead of installing a fresh and unique encryption key, Krack tricks the device into reinstalling an encryption key that is already in use. This is done by manipulating and replaying handshake messages. The researchers also found that Krack similarly exploits other wi-fi handshakes, including the PeerKey handshake, the group key handshake and the Fast BSS Transition (FT) handshake.
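The following is an added simulation, not code from the researchers or the original article, of why reinstalling an in-use key matters: the client side of the handshake is reduced to a key-install step that resets the packet number, and a replayed message 3 is delivered to a vulnerable client and to a patched one that installs the key only once. The keystream function is a hash-based stand-in for the real CCMP cipher (an assumption that keeps the example offline); the only property relied on is that the same key and nonce give the same keystream, so the plaintexts, key and frame contents are all constructed.

```python
import hashlib
from itertools import count

# Constructed plaintexts of equal length, sent as two consecutive frames.
P1 = b"frame one: user=alice"
P2 = b"frame two: sess=12345"


def keystream(ptk, nonce, length):
    # Toy stand-in for the CCMP/AES keystream: deterministic in (key, nonce).
    out = b""
    for block in count():
        out += hashlib.sha256(ptk + nonce.to_bytes(6, "big") + bytes([block])).digest()
        if len(out) >= length:
            return out[:length]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Supplicant:
    """Client side of the 4-way handshake, reduced to what Krack abuses:
    installing the pairwise key (PTK) and resetting the packet number."""

    def __init__(self, ptk, patched):
        self.ptk = ptk
        self.patched = patched
        self.installed = False
        self.packet_number = 0  # CCMP nonce counter, reset to 0 on key install
        self.sent = []  # (nonce, ciphertext) pairs visible on the air

    def receive_msg3(self):
        # Message 3 of the handshake triggers installation of the derived PTK.
        if self.installed and self.patched:
            return  # patched: the key is installed exactly once, a replay is ignored
        self.installed = True
        self.packet_number = 0  # vulnerable path: a reinstall resets the nonce


    def send(self, plaintext):
        assert self.installed
        nonce = self.packet_number
        self.packet_number += 1
        ciphertext = xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))
        self.sent.append((nonce, ciphertext))
        return nonce, ciphertext


def run_handshake_replay(patched):
    # Constructed scenario: message 3 arrives, one frame is sent, the same
    # message 3 is delivered again (a replay), then a second frame is sent.
    client = Supplicant(ptk=b"constructed-ptk!", patched=patched)
    client.receive_msg3()
    client.send(P1)
    client.receive_msg3()  # replayed message 3
    client.send(P2)
    return client.sent


def nonce_reused(frames):
    nonces = [n for n, _ in frames]
    return len(nonces) != len(set(nonces))


def leaked_xor(frames):
    # With a reused nonce the keystream cancels out, so XORing the two
    # ciphertexts yields the XOR of the two plaintexts with no key involved.
    (n1, c1), (n2, c2) = frames
    if n1 != n2:
        return None
    return xor(c1, c2)


if __name__ == "__main__":
    for patched in (False, True):
        frames = run_handshake_replay(patched)
        print("patched" if patched else "vulnerable", "nonce reused:", nonce_reused(frames))
```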
As mentioned, Krack is a series of wi-fi vulnerabilities. This means that more than one wi-fi vulnerability is exploited by Krack. The Common Vulnerabilities and Exposures (CVE) list – a dictionary of common names for publicly known cyber security vulnerabilities – lists the following specific vulnerabilities related to Krack:
According to Wi-Fi Alliance, there’s no evidence that Krack has been exploited maliciously in the wild.
How to Prevent Krack Attacks
To prevent Krack attacks, make sure to update your wi-fi device as soon as a patch or security update becomes available. A security update ensures that an encryption key is only installed once, preventing Krack attacks.
Changing your wi-fi network password won’t stop Krack attacks. The only remedy is to apply the patch or security update for your wi-fi device as soon as it becomes available. It’s also important to update your router’s firmware. While it’s important to patch or apply the latest security updates to your wi-fi device and router, it also pays to change the wi-fi password as a precaution.
According to Vanhoef, they notified wi-fi manufacturers about the Krack issue on July 14, 2017. They also notified the Computer Emergency Response Team Coordination Center (CERT/CC) – the world’s first computer emergency response team for internet security incidents. CERT/CC, in turn, issued a broad notification to wi-fi manufacturers on August 28, 2017 about this issue.
“We have released a security update to address this issue,” Microsoft spokesperson told The Verge. “Customers who apply the update, or have automatic updates enabled, will be protected. We continue to encourage customers to turn on automatic updates to help ensure they are protected.”
Windows updates released on October 10, according to Microsoft, addressed this issue. The company said it “withheld disclosure until other vendors could develop and release updates”.
“Wi-Fi Alliance now requires testing for this vulnerability within our global certification lab network and has provided a vulnerability detection tool for use by any Wi-Fi Alliance member,” the alliance said. “Wi-Fi Alliance is also broadly communicating details on this vulnerability and remedies to device vendors and encouraging them to work with their solution providers to rapidly integrate any necessary patches.”
Cryptocurrency Mining Malware: A Credible Threat
Over the course of three months this year, cyber criminals pocketed over $63,000 by secretly infecting the computers of strangers with a cryptocurrency mining malware.
According to ESET, attackers were able to infect strangers’ computers with cryptocurrency mining malware by exploiting a known vulnerability, tracked as CVE-2017-7269, in Windows Server 2003 – a server operating system released by Microsoft in 2003.
This particular cryptocurrency mining malware was seen in the wild on May 26, 2017. “Since then, it has been appearing in waves, on a weekly or less frequent basis, which implies that the attacker scans the internet for vulnerable machines,” ESET said.
The attackers were able to earn such a significant amount in just three months by creating a botnet – a network of several hundred unpatched computers infected with the crypto mining malware and remotely controlled by cyber criminals to mine the cryptocurrency Monero.
Microsoft ended its regular update support for Windows Server 2003 in July 2015. Since May 12 of this year, to prevent another cyber attack on the scale of the WannaCry ransomware, the company has released security updates for Windows Server 2003. On June 13, 2017, Microsoft issued a patch, or security update, to fix the CVE-2017-7269 vulnerability.
What is Cryptocurrency Mining?
Cryptocurrency is the alternative currency in the digital world. In July of this year, the Australian Government recognized cryptocurrency as a legal payment method. In April of this year, Japan legitimized Bitcoin as a legal payment method. Bitcoin isn’t the only cryptocurrency. According to Trend Micro, as of July 2017, there were over 700 cryptocurrencies used and traded online, Monero being one of them.
Cyber criminals have turned to Monero because this cryptocurrency markets itself as anonymous and untraceable. Aside from anonymity, cyber criminals turned to Monero because it can be mined using ordinary CPUs, unlike Bitcoin, which requires specialized hardware.
“Cryptocurrencies are created (and secured) through cryptographic algorithms that are maintained and confirmed in a process called mining, where a network of computers or specialized hardware such as application-specific integrated circuits (ASICs) process and validate the transactions,” Trend Micro describes cryptocurrency mining. “The process incentivizes the miners who run the network with the cryptocurrency.”
The actual process of cryptocurrency mining is legal. One just needs to use one’s own computer. One can use another person’s computer to mine cryptocurrency, provided that the computer owner consents to his or her computer being used for that purpose.
Illicit Cryptocurrency Mining
The growth of the cryptocurrency market has also led to growth in cases where cryptocurrency mining malware is installed without the knowledge or consent of the computer owners.
According to Kaspersky Lab, in 2013, its products were able to deter 205,000 cryptocurrency mining malware infections; 701,000 infections in 2014; and in the first eight months of 2017, a total of 1.65 million infections.
According to IBM, unauthorized embedding of cryptocurrency mining tools grew sixfold in the eight-month period between January and August 2017.
In 2014, Harvard’s supercomputer cluster called “Odyssey” was used to illegally mine Dogecoins, another digital currency. Also, in 2014, the National Science Foundation (NSF), a US government-backed organization, revealed that NSF-funded computers were used to illegally mine Bitcoins. In February of this year, one of the US Federal Reserve’s servers was used to illegally mine Bitcoins.
Crypto mining malware is propagated, or spread, by exploiting the vulnerabilities of unpatched Microsoft operating systems, as reported by ESET. Kaspersky Lab, for its part, observed the spread of this malware via adware installers that are distributed using social engineering. Other attack methods include:
“Virtually any attack vector that involves injecting executable code could turn a targeted system into a virtual coin miner for the attacker,” IBM said.
In 2014, advertisements on Yahoo's homepage were infected with malware aimed at mining Bitcoins.
The following are this year’s notable cryptocurrency mining malware, in addition to the one reported by ESET:
This malware exploited EternalBlue, the same security flaw that WannaCry ransomware exploited.
This malware exploited the security flaw in the interoperability software suite Samba.
This malware, a Linux Trojan, targets Raspberry Pi devices.
All of these malware infected devices and machines and turned them into Monero-mining botnets. Aside from Monero, another cryptocurrency, Zcash, is also being used by cyber criminals in concealed crypto mining for its promise of anonymity.
Dangers of Crypto Mining Malware
Crypto mining malware impacts the performance of an infected computer. Mining activity consumes the infected computer’s resources, reducing its performance, increasing wear and tear, and raising power consumption.
Crypto mining malware’s ill-effects go beyond the performance and power cost. It could also trigger web and network-based attacks.
“These malware can threaten the availability, integrity, and security of a network or system, which can potentially result in disruptions to an enterprise’s mission-critical operations,” Trend Micro said. “Information theft and system hijacking are also daunting repercussions. These attacks can also be the conduit from which additional malware are delivered.”
How to Prevent Cryptocurrency Mining Malware Intrusion
There’s no one-stop solution to prevent cryptocurrency mining malware from intruding into your organization’s computers, as there are so many ways in which it can get in.
Here are some of the ways to prevent cryptocurrency mining malware intrusion:
1. Keep all software up-to-date
Apply patches or security updates in a timely manner. A timely security update of Windows Server 2003, for instance, could have prevented the cryptocurrency mining malware reported by ESET.
2. Change default login and password
Over the first three quarters of 2016, Trend Micro reported that it detected a Bitcoin-mining zombie army made up of home routers and IP cameras. These IoT devices were compromised for the simple reason that their owners didn’t change the default login and password.
3. Enable the firewall of IoT devices (home routers, IP cameras)
4. Take precaution against unsolicited emails, links, attachments or files from websites, questionable third-party software or applications
5. Build a cyber security-conscious staff through education and role-based training
New Bluetooth Malware Puts Billions of Devices at Risk
A new malicious software dubbed as “BlueBorne” puts billions of Bluetooth-enabled devices at risk.
Dr. Jaap Haartsen invented Bluetooth while working at Ericsson in the 1990s. Bluetooth was named after the 10th-century king of Denmark, King Harald Blåtand (Bluetooth in English), who famously united Scandinavia. Just as King Bluetooth united Scandinavia, Dr. Haartsen’s invention unites, or connects, devices.
Bluetooth is currently the most widely-used protocol for short-range communications. It's used in a wide range of devices, from personal computers to smart phones, consumer electronics devices (smart TVs, printers), medical and health devices, home automation and autonomous cars.
Bluetooth is now licensed, managed and maintained by the Bluetooth Special Interest Group (SIG). Tech giants Google, Microsoft, Apple, Intel and IBM are some of the group’s members.
How BlueBorne Works
1. BlueBorne attacks devices via Bluetooth.
The security research firm Armis first identified the BlueBorne malware. Researchers at the firm found that BlueBorne specifically exploits security flaws in Bluetooth-enabled devices running the Windows, Android, pre-version-10 iOS and Linux operating systems, regardless of the Bluetooth version in use.
This means that every single computer, mobile device or IoT device running on one of the above-mentioned operating systems is at risk. There are currently 2 billion Android users, 500 million Windows 10 users, 1 billion Apple users, and 8 billion IoT users.
Affected devices include all Android phones, tablets and wearables (except those using only Bluetooth Low Energy), all Windows computers since Windows Vista and all Linux devices like Samsung Gear S3, Samsung Smart TVs and Samsung Family Hub.
2. BlueBorne spreads through the air.
BlueBorne is alarming as it operates through the air. Unlike traditional cyber attacks, no action is required from the victim to enable the BlueBorne attack – no need to download a malicious file or click on a link.
Once the malware detects that Bluetooth is active on a device running Windows, Android, pre-version-10 iOS or Linux, it attacks the device even though the targeted device isn’t paired with the attacker’s device or set to discoverable mode.
“Unlike the common misconception, Bluetooth enabled devices are constantly searching for incoming connections from any devices, and not only those they have been paired with,” Armis said.
To initiate BlueBorne, the attacker must be near the targeted user, and the Bluetooth feature of the target user’s device must be turned on. Billions of devices are at risk because Bluetooth is turned on by default on many devices. Many users also prefer to leave Bluetooth on most of the time to conveniently connect to keyboards, headphones and various other IoT devices.
The airborne operation of BlueBorne is problematic in the following ways:
a) Highly Infectious
Spreading from one device to another through the air makes BlueBorne highly infectious since the Bluetooth process enjoys high privileges on all operating systems. Exploiting Bluetooth gives hackers full control over the device.
b) Bypasses Traditional Cyber Security Measures
As BlueBorne spreads through the air, it bypasses traditional cyber security measures, which are defenseless against airborne attacks. BlueBorne attackers can even bypass secure internal “air-gapped” networks – a security measure that isolates a computer or network and prevents it from establishing an external connection.
"These silent attacks are invisible to traditional security controls and procedures. Companies don't monitor these types of device-to-device connections in their environment, so they can't see these attacks or stop them," Yevgeny Dibrov, CEO of Armis, said in a statement. "The research illustrates the types of threats facing us in this new connected age."
3 Ways BlueBorne Attackers Could Exploit Your Device
1. Take Full Control of Your Device for Criminal Activities
BlueBorne attackers could remotely execute code on your vulnerable device, allowing the attackers to take full control over your device, access corporate networks, systems and data. With full access to your device, hackers could perform criminal activities, including ransomware and data theft.
2. Create Large Botnets Similar to the Mirai Botnet
The Mirai botnet uses compromised IoT devices to carry out crippling Distributed Denial of Service (DDoS) attacks. In 2016, crippling DDoS attacks were waged against the website of cyber security blogger Brian Krebs and a French web hosting company. BlueBorne attackers, for instance, could use your compromised device, together with other compromised devices, to execute a DDoS attack against a particular website.
3. Perform Man-in-The-Middle Attack
BlueBorne attackers could perform a man-in-the-middle attack on your device.
A man-in-the-middle attack happens when attackers redirect the communication between two users through the attackers’ computer without the knowledge of the original two users.
“An attacker who successfully exploited this vulnerability could perform a man-in-the-middle attack and force a user's computer to unknowingly route traffic through the attacker's computer,” Microsoft said in its September 12, 2017 security bulletin. “The attacker can then monitor and read the traffic before sending it on to the intended recipient.”
Microsoft calls this Bluetooth vulnerability the "Microsoft Bluetooth Driver Spoofing Vulnerability".
How to Prevent BlueBorne Attacks
1. Turn Bluetooth Off
The safest way to prevent a BlueBorne attack is to turn off the Bluetooth feature on your device. The malware can reach your device only while Bluetooth is active; if it’s turned off, the malware can’t infiltrate your device.
2. Update Your Operating System
It’s advisable to keep your operating system up to date. Not all operating system vendors, though, have released a patch or security update that fixes the BlueBorne vulnerabilities.
According to Armis, it informed Google about the BlueBorne issue on April 19, 2017. Google released a public security update and security bulletin on September 4th, 2017.
Microsoft was informed by Armis about the BlueBorne issue on April 19, 2017. Microsoft released security updates on July 11, 2017.
Apple was informed about BlueBorne on August 9, 2017. Apple corrected this vulnerability with its latest iOS and tvOS.
Linux maintainers were informed by Armis on August 15 and 17, 2017 and on September 5, 2017. As of September 12, 2017, Armis said, no public Linux security update patching the BlueBorne vulnerabilities had yet been issued.
Canadian University Loses $11.8 Million to BEC Scammers
An Edmonton, Alberta-based university publicly acknowledged that it was a victim of a recent cyber attack.
According to the Alberta-based university, a series of bogus emails tricked university staff into changing the electronic banking information for one of the university’s major suppliers. This resulted in a transfer of $11.8 million to a bank account that the university staff believed belonged to the supplier.
The university traced over $11.4 million of the money to bank accounts in Canada and Hong Kong. According to the university, the traced bank accounts have been frozen and the university is working with its legal counsel in Montreal and Hong Kong to pursue civil action to recover the money. The remaining balance of these accounts is, however, unknown at this time.
“There is never a good time for something like this to happen but as our students come back to start the new academic year, we want to assure them and the community that our IT systems were not compromised during this incident,” the university spokesperson said.
The incident that occurred at the Alberta-based university is an example of the cyber attack called business email compromise (BEC).
What is a Business Email Compromise (BEC)
BEC is a cyber attack that targets organizations that have regular dealings with foreign suppliers and regularly perform wire transfer payments.
According to the FBI’s Internet Crime Complaint Center (IC3), from October 2013 to December 2016, a total of 40,203 BEC incidents were reported worldwide, with the total financial loss amounting to $5.3 billion. The IC3 said that the scam has been reported in 131 countries, with victims ranging from non-profit organizations to small businesses and large corporations. These businesses offer a variety of goods and services, signifying that no specific sector is targeted more than another. Tech giants Google and Facebook succumbed to BEC scams.
"Ransomware has been drawing much of the attention in the security world lately,” Cisco 2017 Midyear Cybersecurity Report (PDF) said. “However, a threat that’s not nearly as high-profile is raking in far more for its creators than ransomware: Business email compromise, or BEC."
According to the FBI’s Internet Crime Complaint Center, some of the organizations affected by BEC reported being a victim of ransomware attack before the BEC incident.
How BEC Works
BEC is an elaborate deception scheme.
First, attackers study the organization they want to target.
Attackers spend weeks and even months to study the organization’s suppliers, billing systems, top executive or CEO’s writing style and his or her travel schedule.
Attackers gather the above-mentioned information from public online resources such as social media accounts, and by using malicious software that infiltrates the organization’s networks to gain access to passwords, financial account information and email threads relating to billing and invoices.
Second, attackers establish a relationship with a target employee.
When the time is right, for instance, when the CEO isn’t in his or her office, BEC scammers contact a specific employee – bookkeeper, accountant, controller or chief financial officer – in an organization who’s responsible for directly transferring money to suppliers.
Attackers exploit the target employee through email spoofing, phishing email and telephone calls.
A spoofing tool is also used by the attackers to direct email replies to a different account that the attackers control. At this stage, the target employee is tricked into thinking that he or she is corresponding with the organization’s CEO.
Third, attackers send instructions for money transfer.
For this third stage, attackers further deceive the target employee, for instance, by convincing the employee that the supplier has a new bank account number and instructing the employee to send payment to this new account. Attackers may also send a bogus email, purportedly from the CEO, authorizing the release of money to the new bank account.
Fourth, money sent is drained to different accounts.
In this fourth stage, money is sent to “money mules” in different parts of the world. Some of these accounts are difficult to trace. If the scam isn’t uncovered in time, it may be hard to recover the money.
How to Prevent BEC Scams
Here are some of the ways to prevent BEC scams:
1. Verify the authenticity of the money transfer request.
“The best way to avoid being exploited is to verify the authenticity of requests to send money by walking into the CEO’s office or speaking to him or her directly on the phone,” said FBI Special Agent Martin Licciardo.
Also, confirm the money transfer request by calling the supplier with the previously known company numbers, not the one provided in the email request. In the case of the Alberta-based university, based on the preliminary assessment of the university’s internal audit group, the BEC scammers were able to succeed in deceiving the university staff as “controls around the process of changing vendor banking information were inadequate”.
2. Use an email intrusion detection system.
This automated system can flag emails from domains that look similar to your organization’s email domain. For example, an intrusion detection system for the legitimate email domain xyz-corporation.com can flag bogus emails from xyz_corporation.com.
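The lookalike-domain check described above, and the reply-redirection trick from "How BEC Works", as an added example that is not code from the original post or its author. The domains xyz-corporation.com and xyz_corporation.com are the post's; the homoglyph list, the distance cut-off and every sample header below are assumptions constructed for this example.

```python
"""Flag lookalike sender domains and redirected replies in inbound mail.

Added example, not from the original post. The organisation domain and the
xyz_corporation.com lookalike come from the post; the character-folding
table, the edit-distance cut-off and the sample headers are constructed.
"""
from email.utils import parseaddr

# Characters commonly swapped for visually similar ones (assumed, not
# exhaustive). Separators are folded so xyz_corporation == xyz-corporation.
_FOLD = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                       "_": "-", ".": "-"})


def normalize(domain: str) -> str:
    """Lower-case and fold look-alike characters so cosmetic variants collide."""
    return domain.strip().lower().translate(_FOLD)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def address_domain(header_value: str) -> str:
    """Extract the domain part of an address header ('' if there is none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def classify_domain(domain: str, org_domain: str, max_distance: int = 2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender domain."""
    if not domain:
        return "external"
    org = org_domain.lower()
    # The real domain and its own subdomains (mail.xyz-corporation.com) are internal.
    if domain == org or domain.endswith("." + org):
        return "internal"
    norm_dom, norm_org = normalize(domain), normalize(org)
    # Embedding the real name (xyz-corporation.com.evil.example, notxyz-corporation.com)
    # or landing within a couple of edits of it both count as lookalikes.
    if norm_org in norm_dom or edit_distance(norm_dom, norm_org) <= max_distance:
        return "lookalike"
    return "external"


def inspect_message(headers: dict, org_domain: str) -> list:
    """Return findings for one message's From and Reply-To headers."""
    findings = []
    from_dom = address_domain(headers.get("From", ""))
    reply_dom = address_domain(headers.get("Reply-To", ""))
    if classify_domain(from_dom, org_domain) == "lookalike":
        findings.append(f"lookalike sender domain {from_dom!r} (mimics {org_domain})")
    # A Reply-To pointing elsewhere sends the victim's answers to the attacker.
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom!r} differs from From domain {from_dom!r}")
    return findings


# Constructed sample headers for demonstration.
SAMPLES = [
    {"From": "CEO <ceo@xyz-corporation.com>"},                                # clean
    {"From": "CEO <ceo@xyz_corporation.com>"},                                # lookalike
    {"From": "CEO <ceo@xyz-corporation.com>", "Reply-To": "ceo@mail-relay.example"},
    {"From": "vendor@xyz-corp0ration.com"},                                   # digit swap
    {"From": "news@example.org"},                                             # external
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg["From"], "->", inspect_message(msg, "xyz-corporation.com") or ["clean"])
```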
Small and Medium-Sized Businesses Not Investing in Cyber Security
The rise of global cyber attacks in recent years might have led many to believe that small and medium-sized businesses (SMBs) are investing in cyber security. But the reality is that the majority of SMBs aren’t investing in cyber security.
In the study “Canadian Business Speaks Up: An Analysis of the Adoption of Internet-based Technology”, the Canadian Chamber of Commerce found that cyber security threats are underestimated by 64% of Canadian businesses, indicating they’ve no intention of investing in cyber security measures at this time. Eighty-one percent of the respondents of the Canadian Chamber of Commerce study classify themselves as small businesses and 7% classify themselves as medium. The study was conducted between December 2016 and January 2017.
In another paper “Cyber Security in Canada: Practical Solutions to a Growing Problem”, the Canadian Chamber of Commerce said that a “data breach costing $6 million would break many small businesses”.
In the UK, meanwhile, despite the recent global cyber attacks, insurance company Zurich revealed that close to half (49%) of SMEs in this part of the world only intend to spend less than £1,000 on cyber security in the next 12 months, while 22% of SMEs don’t know how much they will spend.
“While recent cyber-attacks have highlighted the importance of cyber security for some of the world’s biggest companies, it’s important to remember that small and medium sized businesses need to protect themselves too,” said Paul Tombs, head of SME Proposition at Zurich. “The results suggest that SMEs are not yet heeding the warnings provided by large attacks on global businesses."
Extent of Cyber Attacks on Small and Medium-Sized Businesses
Symantec’s 2016 global internet security threat report (PDF) showed that cyber criminals are increasingly turning their attention to hacking small businesses. The Symantec report showed that the share of spear-phishing attacks aimed at small businesses – defined by Symantec as enterprises with 1 to 250 employees – rose from 18% in 2011 to 31% in 2012, 30% in 2013, 34% in 2014 and 43% in 2015.
In the UK, results from the latest Zurich SME Risk Index showed that 875,000 or nearly 16% of SMEs have fallen victim to a cyber attack, costing 21% of the victims over £10,000.
In Canada, according to an Ipsos survey (PDF), 23% of small business owners were certain they were the victim of a cyber attack in 2016, while another 32% suspected that they might have been breached.
Canada’s Digital Privacy Act
"There are a significant number of breaches that never get reported because there's no obligation to report them," Imran Ahmad, a partner at the law firm Miller Thomson – a firm that specializes in cyber security, told CBC News.
This practice of sweeping cyber attacks under the rug will start to change with the upcoming implementation of the Digital Privacy Act (PDF), a Canadian law that was passed in June 2015. The Digital Privacy Act requires organizations “to notify certain individuals and organizations of certain breaches of security safeguards that create a real risk of significant harm and to report them to the Privacy Commissioner”. Failure to report a data breach under this law could result in a fine of up to $100,000.
Matthew Braga of CBC News, in the article "Here's why reports of data breaches will skyrocket this year" wrote, "The hope is that more transparency will lead to better protections and fewer breaches in the long term.”
6 Reasons Why Cyber Criminals Attack Small and Medium-Sized Businesses
Here are 6 reasons why cyber criminals are attracted to small businesses:
1. Less Capable to Handle Cyber Attacks
SMBs are less equipped to manage a cyber attack due to lack of resources.
2. Less Likely to Guard Important Data
SMBs are less likely to protect their important data – intellectual property, personally identifiable information and credit card credentials.
3. Susceptible to Attack Due to Partnership with Large Businesses
The partnership between large businesses and SMBs provides hackers back-channel access to their true target: large businesses.
4. Less Likely to Have Key Security Defenses
According to Cisco’s 2017 midyear cyber security report, as a result of smaller budgets and less expertise, SMBs have fewer key security defenses in place. For instance, only 34% of SMBs reported using email security compared with 45% of large businesses, and only 40% use data loss prevention defenses compared with 52% of large businesses.
5. Less Likely to Have Written, Formal Cyber Security Strategies
Large businesses are more likely to have written, formal strategies in place compared to SMBs (66% versus 59%), Cisco reported.
6. Less Likely to Require Vendors to Have ISO Certifications
Large organizations, Cisco noted, are more likely than SMBs to require their vendors to have ISO 27018 certifications (36% versus 30%). ISO 27018 refers to the “commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment.”
Ripple Effect of Cyber Attacks on SMBs to Canada’s Economy
In the 2016 Canadian Chamber of Commerce's "Top 10 Barriers to Competitiveness for 2016", the business organization ranked Canada’s vulnerability to cyber crime as the country’s number 2 barrier to global competitiveness. The country’s chamber of commerce said that digital security breaches and cyber theft hinder Canada’s global competitiveness.
Without taking into consideration the value of the data itself, the Canadian Chamber of Commerce said that the country’s internet economy accounted for 3.6% of its $1.83 trillion GDP.
Protecting small businesses, in particular, from cyber attacks is as important as protecting large enterprises, considering that Canada’s economy is mostly made up of small businesses. According to the Canadian Chamber of Commerce, out of the 1.2 million businesses in Canada, 98% have fewer than 100 employees, 55% have fewer than 4 and 75% have fewer than 10 employees. These million-plus small enterprises account for 60-80% of all jobs created in Canada, and companies with fewer than 100 employees contribute about 51% of Canada’s GDP.
We invite you to connect with us to speak with one of our cyber security experts, and protect your small or medium business today.
Why Lack of Qualified Cyber Security Workforce is a Critical Vulnerability for Many Businesses
There’s WannaCry. There’s Petya. There’s NotPetya. These cyber threats have hugged the headlines in the past few days. There’s one cyber threat that remains as a critical vulnerability for many businesses: lack of qualified cyber security workforce.
Cyber Attacks Outpace Cyber Defense
According to Symantec, 430 million new unique pieces of malware were discovered in 2015. At the close of 2015, Symantec added, 191 million records were exposed as a result of cyber attacks.
“Attacks outpace defense, and one reason for this is the lack of an adequate cyber security workforce,” said the Center for Strategic and International Studies in its study called “Hacking the Skills Shortage: A study of the international shortage in cyber security skills”.
A report from Frost & Sullivan and ISC² found that by 2020, more than 1.5 million global cyber security positions will be unfilled. Frost & Sullivan and ISC² revealed that 45 percent of hiring managers reported that they’re struggling to fill additional information security positions despite the increase of security spending across the board for technology, rising average annual salaries and high rates of job satisfaction.
Five years ago, cyber threat wasn’t part of the top 10 risks (it only ranked 12th) prioritized by corporate boards according to Lloyds’ 2011 annual risk survey.
Corporate attitude towards cyber security has drastically changed in recent years. A Forbes report found that four financial institutions – J.P. Morgan Chase & Co., Bank of America, Citigroup, and Wells Fargo – spent more than $1.5 billion on cyber security in 2015. In a live interview on Bloomberg in 2015, Bank of America CEO Brian Moynihan said that cyber security is the bank’s only business unit with no budget limit.
In 2017, PwC’s global CEO survey found that cyber threats are among the top five risks on CEOs’ minds, behind only the availability of key skills, volatile energy costs and changing consumer behavior.
Delay of Hiring Cyber Security Workforce Leaves Businesses Vulnerable to Cyber Attacks
The 2017 state of cyber security survey by ISACA (Information Systems Audit and Control Association) found it takes six months or longer to fill priority cyber security and information security positions in more than 1 in 4 companies around the globe.
“When positions go unfilled, organizations have a higher exposure to potential cyber attacks. It’s a race against the clock,” said Christos Dimitriadis, ISACA board chair.
For its part, the Center for Strategic and International Studies said, “The continued skills shortage creates tangible risks to organizations.” In the study conducted by the center, 1 in 4 respondents said their organizations have lost proprietary data as a result of their inability to maintain adequate cyber security staff.
Lack of Qualified Applicants
The ISACA report showed that compared to other corporate job openings, which garner 60 to 250 applicants, a cyber security opening receives far fewer applicants.
Fifty-nine percent of the organizations surveyed by ISACA reported that they receive at least 5 applicants for each cyber security opening, and only 13 percent receive 20 or more applicants. Sixteen percent of North American respondents in the ISACA survey indicated that a cyber security opening receives at least 20 applicants.
Compounding the shortage of applicants for cyber security openings is the shortage of qualified applicants. ISACA’s board chair said, “As enterprises invest more resources to protect data, the challenge they face is finding top-flight security practitioners who have the skills needed to do the job.”
Sixty-four percent of the respondents of the ISACA survey said half or less of their applicants for cyber security position are qualified, while 35 percent of the survey respondents said that less than 25 percent of applicants are qualified.
When asked to identify the most important attributes of a qualified applicant, respondents of the ISACA survey ranked practical verification or hands-on experience as the most important; reference/personal endorsement is ranked second; certifications is ranked third; formal education is ranked fourth; and specific training is ranked fifth.
Making things worse is the “security fatigue” of non-cyber security personnel. The National Institute of Standards and Technology (NIST) defined security fatigue as a “weariness or reluctance to deal with computer security”.
A NIST study found that a majority of computer users experienced security fatigue that often results in risky computing behavior in the workplace and in their personal lives.
“The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life,” cognitive psychologist and co-author of the NIST study Brian Stanton said.
“Years ago, you had one password to keep up with at work,” computer scientist and co-author of the NIST study Mary Theofanos said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cyber security expanding and what it has done to people.”
The NIST study found that security fatigue results in feelings of resignation and loss of control. This weariness or reluctance to deal with computer security, the NIST study found, can lead to choosing the easiest option among alternatives, behaving impulsively, and failing to follow security rules.
How to Remedy the Cyber Security Workforce Shortfall
Here are three recommendations on how to remedy the cyber security workforce shortfall:
1. Accept Non-Traditional Sources of Education
The Center for Strategic and International Studies study suggested that hiring managers should put less emphasis on degree requirements especially for entry-level cyber security positions, and instead place greater emphasis on hands-on experience and professional certifications.
2. Diversify the Cyber Security Workforce
A number of studies have shown that women and minorities are underrepresented in the field of cyber security. Opening this field to women and minorities will diversify the cyber security workforce and will also expand the talent pool.
3. Automate Cyber Security Functions
The Center for Strategic and International Studies study revealed that organizations are looking to automate cyber security functions to offset the skills shortage. Cyber security automation generates efficiencies. Efficient processes allow cyber security personnel to focus their talent and time on cyber threats that need human intervention.
Here is why Petya is not a Typical Ransomware
This week, another ransomware called “Petya” attacked major companies around the globe.
Petya attacked the computers at the Chernobyl nuclear plant, forcing workers to manually monitor the plant’s radiation. The ransomware also attacked the computers of major global companies including Russian oil and gas giant Rosneft, Cadbury and Oreo-maker Mondelez, British advertising giant WPP, Danish shipping firm Maersk, U.S.-based pharmaceutical company Merck, real estate subsidiary of French bank BNP Paribas and multinational law firm DLA Piper.
Microsoft, in a blog post, said that more than 70% of the computers attacked by Petya were in Ukraine, while computers in other countries were also affected in significantly lower volumes. Microsoft added that the majority of Petya infections were observed on Windows 7 computers.
How Does Petya Spread and Infect Computers
Cyber security firms Kaspersky Lab and Symantec, and even Microsoft confirmed that Petya ransomware uses the Eternal Blue – a Microsoft Windows’ exploit believed to be originally developed for the use of the U.S. National Security Agency (NSA). The Eternal Blue is the same exploit used in WannaCry – another ransomware that affected hundreds of thousands of computers worldwide less than two months ago.
“Similar to WannaCry, Petya uses the Eternal Blue exploit as one of the means to propagate itself,” Symantec said. “However it also uses classic SMB network spreading techniques, meaning that it can spread within organizations, even if they’ve patched against Eternal Blue.”
In addition to exploiting the Microsoft Windows vulnerability, Symantec said this latest ransomware spreads by acquiring usernames and passwords and spreading across network shares. According to Symantec, the Petya ransomware that started propagating last June 27 is a variant of the original Petya – a malware known to exist since 2016 – that not only encrypts files but also overwrites and encrypts the master boot record (MBR).
Kaspersky Lab, for its part, said that this latest ransomware is significantly different from all earlier known versions of Petya, as such the cyber security firm calls it “ExPetr” or “NotPetya”.
In the new Petya – the term we use here as the world media adopted this name – cyber criminals demand from each of their victims to pay $300 in bitcoins to recover files. The following ransom note is displayed on the victim’s infected computer:
Cyber criminals behind the Petya ransomware attack used an email address at the German email provider Posteo as the means to contact their victims. Upon learning that its email platform was being used by cyber criminals, Posteo blocked the email account used by the Petya perpetrators on the same day that the ransomware was released into the wild.
As a result of Posteo’s email blockade, Petya’s victims have no way to contact the people behind the latest ransomware attack. The Posteo email account was supposed to be the venue where the victims would contact the blackmailers, telling them whether they had sent the bitcoins, and from which they would receive decryption keys.
A complete technical analysis is available from the US-CERT, published on July 1, 2017.
Wiper vs Ransomware
According to Kaspersky Lab, even without the email blockade, there’s still no way that victims can recover their files as the ransomware was designed in such a way that it’s impossible for victims to recover their data. To decrypt files, cyber criminals need the installation ID. Kaspersky Lab said other ransomware such as the old Petya, Mischa and GoldenEye have installation ID for file recovery.
In the new Petya, even the cyber criminals themselves can’t decrypt the victims’ files. The installation key shown in the new Petya ransom note, Kaspersky Lab said, is just a random gibberish, “which means that the threat actor could not extract the necessary information needed for decryption.”
According to Symantec, the encryption performed by Petya is twofold:
“Either it was a sophisticated actor who knew what they were doing – except screwed up horribly on the part where they actually get paid or it wasn’t about the ransom in the first place,” Nicholas Weaver, a researcher at the International Computer Science Institute and a lecturer at the University of California, Berkeley, told the New York Times.
“They are no longer collecting a ransom [referring to the new Petya ransomware],” Justin Harvey, managing director of global incident response at Accenture Security, told the New York Times. “They are just being destructive.”
If the main motive of the ransomware is money, Harvey said, cyber criminals typically set up multiple avenues to collect funds from their victims. The recent ransomware attack uses a single email address and a single bitcoin wallet for electronic payments.
How to Prevent Ransomware Attacks
Here are some of the ways to prevent ransomware attacks like the new Petya:
1. Use the latest operating system and make sure that most current updates are installed
It’s worth noting that according to Microsoft, most of the Petya victims use Windows 7. Microsoft said that Windows 10 and its new streamlined operating system Windows 10 S block this type of attack by default.
2. Back up your data
Early this month, Nayana, a web hosting company in South Korea, agreed to pay more than $1 million to ransomware criminals to unlock its servers. This is believed to be the biggest ransomware payout on record. Backing up your data either offline or in the cloud protects your business from ransomware attacks. Cyber criminals will have no leverage on your business if you can easily retrieve your data somewhere else.
Businesses must make backups and, most importantly, test the backups by performing test restores. Home users can protect their data by subscribing to one of the many cloud storage and file sharing services.
Since the most important step in protecting your data against ransomware is to make sure that the operating system is always up to date, ask your IT department to demonstrate that they have a solid vulnerability and patch management solution in place to keep the information safe.
Connect with us today, and our experts will answer your questions.
7 Steps to Prioritize Cyber Security Threats
Today’s businesses are under constant threat of cyber attacks. The recent WannaCry ransomware attack, which affected major businesses and institutions around the world, showed the importance of prioritizing cyber security threat remediation.
Here are 7 steps on how to prioritize cyber security threat remediation within your organization:
Step 1. Involve Business Stakeholders in the Process
Cyber security threat remediation is often left to the “IT people”. Business stakeholders, which include those in the senior management positions and those possessing unique perspectives, experiences and skills that IT may not possess, are invaluable in prioritizing cyber security threat remediation.
A survey conducted by Info-Tech Research Group showed that organizations that were able to engage business stakeholders in cyber threat identification were 79% more successful in identifying all threats compared to organizations where business stakeholders’ participation was minimal. Another Info-Tech survey found that 97% of organizations that involved business stakeholders in the cyber risk assessment process reported success.
It’s beneficial to involve business stakeholders as they can put forward perspectives that IT departments may have overlooked, and they can bolster IT’s knowledge regarding particular risks and their overall effect on the organization.
Step 2: Identify Cyber Security Threats
In identifying cyber security threats, determine the threat categories, threat scenarios and threat events.
Threat categories are advanced groupings that label threats relating to major IT functions. The following are some of the identified categories:
After identifying the threat categories, identify the threat scenarios or common situations for each category. For instance, in the data risk category, threat scenarios could be data theft, data integrity, data confidentiality and data availability.
Threat events refer to specific vulnerabilities under a particular threat scenario. An example of a threat event under data integrity is data recovery/loss within a system.
Step 3: Determine the Threshold for Acceptable and Unacceptable Risk
Establish a threshold that sets what comprises as an acceptable and unacceptable risk for the organization. This threshold should be in a concrete dollar value, and should be based on the ability of the organization to absorb financial losses and its tolerance towards risk. For instance, an organization's threshold could be $100,000. A cyber threat costing below $100,000 is acceptable, while above $100,000 is an unacceptable threat.
Step 4: Create a Financial Impact Assessment Scale
Every cyber threat has a corresponding financial consequence. It’s difficult for senior management to make intelligent decisions about cyber security threats if they don’t know what their financial impact will be. For each identified threat event, it’s critical to create a scale to assess the financial impact. Typically, financial risk impacts are assessed on a scale of 1 to 5 or low to extreme. Make sure that the unacceptable risk threshold is reflected in the scale. Let’s say,
In the financial impact assessment, include project overruns and service outages. For instance, a cyber security project that runs for 20 days, with 8 employees, average cost of $300 per day and a total estimated cost of $48,000, falls under the low impact scale. Another example is a service outage that runs for 4 hours, with $10K loss of revenue per hour and an estimated cost of $40,000, falls under the low impact scale.
Step 5: Create a Probability Scale
For every threat event, create a scale to assess the probability that the event will happen over a given period of time. Make sure that the probability scale has the same number of levels as the financial impact scale. Let’s say,
Step 6: Threat Severity Level Assessment
For all threat events, assess the severity level. To calculate the severity level of each threat event, multiply the financial impact cost with the probability of occurrence. A threat event with a probable financial impact cost of $250K or "high" multiplied with the probability of occurrence which is 10% or "low" generates a $25K or "medium" threat severity level.
Step 7: Determine the Proximity of the Threat Event
Over time, the financial impact and probability of occurrence of a threat event often fluctuate. The relationship between threat severity and time is called threat proximity. These fluctuations are often unpredictable. Some threat events are, however, predictable. The risk severity of losing key personnel is constant. The risk severity of a data breach leading up to a new product launch is confined to a particular point in time. The risk severity of a project overrun after staff layoffs either increases or decreases after a particular point in time.
In determining the proximity of the risk event, focus on “high” and “extreme” threats. Describe the proximity of these high and extreme threats. For instance, for a particular threat event, the threat proximity can be described in this way: “The probability of this threat event will fall when the new budget for the IT department is released.”
So what’s the difference between threat severity and threat proximity? The threat proximity description notifies senior management about the urgency of a cyber threat event and the importance of timely implementation of risk responses, while threat severity notifies senior management about the relative importance of each threat event.
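Steps 3 to 7 carried through in code, as an added example that is not from the original post. The $100,000 threshold, the $48,000 project overrun, the $40,000 outage and the $250K-at-10% event come from the steps above; the level bands of the two scales are not reproduced on the page, so the bands below, the intermediate level names and the rule that combines the two levels into a severity level are assumptions.

```python
"""Threat severity worksheet for Steps 3 to 7 (added example, not the post's code).

Assumptions: the per-level bands of the financial-impact and probability
scales, the level names between "low" and "extreme", and the combination rule
(mean of the two levels, rounded up). The dollar figures are the post's.
"""
from dataclasses import dataclass

LEVELS = ["low", "medium", "high", "very high", "extreme"]  # levels 1..5
RISK_THRESHOLD = 100_000  # Step 3: a threat costing above this is unacceptable

# Assumed inclusive upper bound of each level. The threshold sits on a band
# edge so that every unacceptable loss lands on level 3 ("high") or worse.
IMPACT_BANDS = [50_000, RISK_THRESHOLD, 500_000, 1_000_000, float("inf")]
PROB_BANDS = [0.10, 0.25, 0.50, 0.75, 1.0]  # probability over the assessment period


def level_for(value: float, bands: list) -> int:
    """Map a value onto the 1..5 scale using the inclusive upper bounds."""
    for level, upper in enumerate(bands, start=1):
        if value <= upper:
            return level
    return len(bands)


def project_overrun_cost(days: int, staff: int, daily_rate: float) -> float:
    """Step 4 example: 20 days x 8 employees x $300/day = $48,000."""
    return days * staff * daily_rate


def outage_cost(hours: float, revenue_per_hour: float) -> float:
    """Step 4 example: 4 hours x $10K lost revenue per hour = $40,000."""
    return hours * revenue_per_hour


@dataclass
class ThreatEvent:
    category: str
    scenario: str
    name: str
    impact_cost: float   # probable financial impact in dollars
    probability: float   # 0..1 over the assessment period
    proximity: str = ""  # Step 7: when and why the severity is expected to change

    @property
    def impact_level(self) -> int:
        return level_for(self.impact_cost, IMPACT_BANDS)

    @property
    def probability_level(self) -> int:
        return level_for(self.probability, PROB_BANDS)

    @property
    def expected_cost(self) -> float:
        """Step 6: financial impact multiplied by probability of occurrence."""
        return self.impact_cost * self.probability

    @property
    def severity_level(self) -> int:
        """Assumed rule: mean of the two levels rounded up, so a 'high' impact
        with a 'low' probability lands on 'medium', as in the post's example."""
        return (self.impact_level + self.probability_level + 1) // 2

    @property
    def severity(self) -> str:
        return LEVELS[self.severity_level - 1]

    @property
    def acceptable(self) -> bool:
        """Step 3: at or below the threshold is acceptable, above it is not."""
        return self.impact_cost <= RISK_THRESHOLD


def prioritize(events: list) -> list:
    """Order for senior management: severity level first, then expected cost."""
    return sorted(events, key=lambda e: (e.severity_level, e.expected_cost), reverse=True)


def proximity_review(events: list) -> list:
    """Step 7: 'high' and worse threats still lacking a proximity description."""
    return [e for e in events if e.severity_level >= 3 and not e.proximity]


# Constructed sample events using the scenarios named in the steps above.
SAMPLE_EVENTS = [
    ThreatEvent("data risk", "data confidentiality", "data breach before product launch",
                250_000, 0.10, proximity="Probability falls once the launch is over."),
    ThreatEvent("project risk", "project overrun", "security project overrun",
                project_overrun_cost(20, 8, 300), 0.30),
    ThreatEvent("availability risk", "service outage", "four-hour service outage",
                outage_cost(4, 10_000), 0.50),
    ThreatEvent("people risk", "staff attrition", "loss of key personnel", 600_000, 0.60),
]

if __name__ == "__main__":
    for e in prioritize(SAMPLE_EVENTS):
        print(f"{e.severity:>9}  ${e.expected_cost:>10,.0f}  "
              f"{'acceptable' if e.acceptable else 'UNACCEPTABLE':>12}  {e.name}")
    for e in proximity_review(SAMPLE_EVENTS):
        print("needs proximity description:", e.name)
```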
Cyber Security Threat Remediation Equals Cost Effectiveness
Threat identification and prioritizing these threats demand time and money. But the time and money spent on these security risk management tasks can mean the difference between staying on budget and spending too much.
When your organization needs help with assessing and prioritizing cyber security threats, give us a call and we will be happy to help.
Steve E. Driz, I.S.P., ITCP