Cybersecurity Blog
Thought leadership. Threat analysis. Cybersecurity news and alerts.
How to Prevent Accidental Database LeaksFlorida-based marketing and data aggregation firm Exactis is the latest organization that accidentally leaked critical database online. Security researcher Vinny Troia disclosed to Wiredthat early this month, Exactis exposed nearly 340 million records, 230 million of which pertain to U.S. consumers, while 110 million on business contacts. "It seems like this is a database with pretty much every US citizen in it," Troia told Wired. "I don’t know where the data is coming from, but it’s one of the most comprehensive collections I’ve ever seen.” The close to 2 terabytes of data exposed by Exactis didn’t contain credit card information or Social Security numbers. It, however, revealed highly personal information, including phone numbers, home addresses, email addresses, religion, age, gender of the person's children, and interests like plus-size apparel and scuba diving. Wired confirmed the authenticity of the data exposed by Exactis, commenting that in some cases the information is inaccurate or outdated. Prior to his disclosure to Wired, Troia said he contacted both Exactis and the FBI about his discovery. He said Exactis has since protected the data so that it's no longer accessible to the public. The number of data unintentionally exposed by Exactis exceeds that of the 2017's Equifax breach of nearly 148 million consumer’s data. The difference though is that in the case of Exactis, victims aren’t even aware that they’re part of the company’s database. Past Incidents of Accidental Database LeaksWhile the Exactis data may have been the largest accidental database leak, in the past few years, reports about accidental database leaks have come up again and again. Another security researcher Chris Vickery discovered a number of accidental database leaks. In December 2015, Vickery discovered that the database that housed 3.3 million Hello Kittyaccounts was exposed as a result of a misconfigured MongoDB (a free and open-source cross-platform document-oriented database program) installation. In April 2016, Vickery discovered that voter registration details of 93.4 million Mexican citizenswere exposed via publicly accessible database hosted on an Amazon cloud server. In January 2017, Vickery also discovered that an Ontario-based plastic surgery clinicleaked thousands of customer’s medical records online via unprotected remote synchronization (rsync), a service which allows synchronization of files between two computers or servers over the internet. In October 2017, Redlockresearchers reported that attackers infiltrated the Kubernotes (open-source platform designed by Google to automate deploying, scaling and operating application containers) console of Aviva, a British multinational insurance company, after the company failed to secure it with a password. One of Aviva’s Kubernetes pod contained credentials to the company’s Amazon Web Service Inc. account. According to Redlock, this enabled the attackers to steal the cloud compute resources of Aviva for cryptocurrency mining, in particular, mining the cryptocurrency Bitcoin. In February 2018, Redlockresearchers reported that attackers similarly infiltrated the Kubernotes console of Tesla after the company failed to secure it with a password. One of Tesla’s Kubernetes pod contained credentials to Telsa’s Amazon Web Service Inc. account. Redlock said this enabled the attackers to steal the cloud compute resources of Tesla to mine the cryptocurrency Monero quietly in the background. Accidental Leaks DiscoveryAccording to Troia, he discovered the exposed Exactis’ database by simply using Shodan, an alternative search engine used by researchers and security professionals. Troia said he used Shodan to search for all ElasticSearch databases visible on publicly accessible servers with American IP addresses. This search query resulted in about 7,000 results, Exactis database being one of them, unprotected by any firewall. ElasticSearch is a document-oriented database that's designed to be easily searched over the internet. For his part, Vickery told ZDNet that he finds accidental database leaks via Shodan as well. There’s, however, no stopping for malicious hackers to use tools like Shodan to discover accidental database leaks. It’s a challenge then for ethical hackers like Troia and Vickery to discover and report to the concerned organizations regarding accidental database leaks before malicious hackers do. "I’m not the first person to think of scraping ElasticSearch servers," Troia said in the case of Exactis’ accidental data leak. "I’d be surprised if someone else didn't already have this." Data Leak PreventionHere are some of the security best practices in preventing accidental database leaks: 1. Monitor Firewall TrafficA firewall is your first line of defense in preventing accidental database leaks. A firewall, which can be a hardware, software or both, monitors incoming and outgoing network traffic. It decides based on a defined set of security rules whether to allow or block specific traffic. For instance, a firewall can be configured to block data from certain locations or applications while allowing relevant data in. RedLock reported that while firewall is one of the industry’s best practices, “85% of resources were found to have no firewall restrictions on any outbound traffic”. While firewall is a good first line of defense, it can’t be the cure-all remedy in preventing accidental database leaks. 2. Monitor ConfigurationsProper configuration is critical in preventing accidental database leaks. Configuration refers to the “Settings” menu in any software. A simple configuration monitoring could have prevented the Tesla breach. 3. Monitor Suspicious User BehaviorAs shown by the above-mentioned examples, it’s not uncommon to find accidental database leaks in public cloud environments. Your organization needs to detect accidental database leaks as soon as possible before the bad guys do. Monitoring has to go beyond geo-location or time-based anomalies but also monitoring event-based anomalies such as unusual volume of traffic or unusual volume of downloaded data. When you team needs help, our team of experts is a phone call away. Contact ustoday and stay safe! 
2 Canadian Banks, BMO & CIBC’s Simplii Financial, Disclose Data BreachesTwo Canadian banks, Bank of Montreal (BMO) and Canadian Imperial Bank of Commerce-owned Simplii Financial, have disclosed early this week that cyber criminals may have stolen sensitive data of their combined 90,000 customers. BMO is Canada’s 4thlargest bank, while the Canadian Imperial Bank of Commerce (CIBC) is the country’s 5thlargest bank. A spokesman for Bank of Montreal told Reutersthat nearly 50,000 of the bank’s 8 million customers across Canada were hacked.CIBC’s Simplii Financial, meanwhile, disclosed that fraudsters may have stolen certain personal and account information for nearly 40,000 of its customers. According to CBC, a group of cyber criminals who claimed to have stolen sensitive data from the 2 banks sent an email to media outlets across Canada last Monday. The attackers said that stolen data would be sold to criminals if the banks don’t pay a $1-million ransom to be paid in the cryptocurrency Ripple by 11:59 p.m. Monday. The attackers claimed that they’ve harvested personally identifiable information from customers of the 2 banks, including social insurance number, date of birth, address and phone number. To prove the veracity of the email, the sender shared the identifying information of two Canadians, one for each bank. When CBC contacted those 2 individuals, they confirmed the veracity of the identifying information. The ransom deadline has already passed. When contacted by CBC about whether any ransom had been paid, Bank of Montreal said, "Our practice is not to make payments to fraudsters." Simplii, for its part, said that it’s "continuing to work with cybersecurity experts, law enforcement and others to protect our Simplii clients' data and interests." The HowThe attacks on BMO and Simplii are noteworthy as both were disclosed on the same day by the 2 financial institutions and both were attacked by the same cyber criminals using the same method. The email sent out by the group who claimed to have stolen data from BMO and Simplii Financial explained in detail how the data breaches on the 2 financial organizations were carried out. According to the email sender, bank accounts from the BMO and Simplii Financial were breached by using the Luhn algorithm – a set of mathematical rules that’ll help to calculate an answer to a problem, in this case, generate the card numbers. Using the generated card numbers, the attackers then posed as authentic customers who had forgotten their password. The group said the generated card numbers allowed them to reset the backup security questions and answers and reset the passwords. “They were giving too much permission to half-authenticated account which enabled us to grab all these information,” the email said. In Simplii Financial's official statement, the organization advised customers to always "use a complex password and pin (eg. not 12345)”. This statement is indicative that the bank isn’t using 2-factor authentication. BMO, meanwhile, offers 2-factor authentication. A customer at Simplii Financial told The Globe and Mailthat he was unable to log in to his account and the safety questions to recover his password had been changed. In a study, Newcastle Universityresearchers found that it only takes seconds to guess a bank account number by using the first six digits (which tell you the bank and card type) and the Luhn’s algorithm. One of the original purposes of the Luhn’s algorithm is for the websites to immediately identify invalid card numbers. "As an example, suppose one's credit card number is 5377223617291234. Here, the ‘4’ is the check digit. This digit can be determined solely from the digits that precede it through what is called the Luhn Algorithm,” the Oxford Math Centerexplains Luhn Algorithm. “If when entering this credit card number, one accidentally types a ‘7’ where the right-most "1" should be (i.e., 5377223617297234), the check digit produced from the first 15 digits, in accordance with the Luhn Algorithm, will now disagree with ‘4’ on the end – flagging this as an invalid credit card number.” PreventionIf you’ve an account in either BMO or Simplii Financial, it’s important to monitor your account for signs of unusual activity. Both banks are offering free credit monitoring and guarantee a 100% reimbursement for any unauthorized transaction. The recent data breaches at BMO and Simplii Financial could’ve prevented by data encryption. Organizations, especially those in the financial sector, are required to safeguard personally identifiable information of their clients. One of the ways of safeguarding sensitive information is by encrypting the data. Encryption changes the data into something incomprehensible, rendering the data useless to the attackers without the secret code. “The banks involved in claims of a potential data breach acted swiftly in response, launched full-scale investigations and took immediate action to enhance online security measures to protect customers," the Canadian Bankers Association told Bloomberg. “When you’re dealing with financial information, you should have the highest level of privacy protection possible,” Dr. Ann Cavoukian, former privacy commissioner of Ontario and a distinguished expert-in-residence who leads Ryerson University’s Privacy by Design Centre, told the Financial Post. “This is a real eye-opener. The question that that begs is why weren’t you engaging in those measures all along?” 
Top 5 Cybersecurity Predictions in 2018It’s the yearend. It’s the time of the year when we look back at the salient events that made a great impact in the cybersecurity world, and make predictions of what the new year will bring. Here are the top 5 cybersecurity predictions for 2018: 1. Cryptocurrency MiningThe growth of cryptocurrency this year is unprecedented, with the total value of close to 500 billion US dollars as of December 24, 2017. While Bitcoin is the most dominant cryptocurrency in the market, other cryptocurrencies have soared as well. Cryptocurrency Monero, for instance, has a total market cap of $5.1 billion as of December 24, 2017, with one coin of Monero valued close to $335. “Mining” is needed for many cryptocurrency coins like Bitcoin and Monero to be processed and released. In the past, Bitcoin could be mined using ordinary computers. Today, Bitcoin can only be mined using specific and high-powered computers, leaving the mining to big companies. Other cryptocurrencies, however, can be mined using ordinary computers. Monero, in particular, can be mined using ordinary computers and even using smartphones. The people who mine cryptocurrencies called “miners” are given a fair share of the coin value for the computer use. Unscrupulous individuals who want to earn more money from cryptocurrency mining, meanwhile, are scouring the internet looking for vulnerable computers and smartphones to install malicious software (malware) capable of mining cryptocurrency like Monero. Adylkuzz cryptocurrency malware, which was released into the wild in May 2017, infects computers using Microsoft operating system that fail to install Microsoft’s March 14, 2017 security update. Other cryptocurrency malware that proliferated this year includes Coinhive, Digmine and Loapi. Coinhive is distributed via compromised websites, Digmine via Facebook Messenger and Loapi via online advertising campaigns. Cryptocurrency mining malware eats up most of the computing power of servers, desktops, laptops and smartphones. This results in the slow performance of computers. The Loapi malware, in particular, is so powerful that it can even melt an Android phone. “Although attacks that attempt to embed crypto-mining malware are currently unsophisticated, we expect to see an increase in the sophistication of attacks as word gets out that this is a lucrative enterprise,” Imperva Incapsula said in the article "Top Five Trends IT Security Pros Need to Think About Going into 2018”. “We also expect these attacks to target higher-traffic websites, since the potential to profit increases greatly with higher numbers of concurrent site visitors.” 2. Business DisruptionIn 2017, the world saw the devastation brought about by ransomware and distributed denial-of-service (DDoS) attacks. Ransomware is a type of malware that restricts user access to the infected computer until a ransom is paid to unlock it. Two of the notable ransomware this year, WannaCry and NotPetya, are essentially not ransomware in the sense that the code of these two malware were written in such a way that even the attackers themselves can’t unlock the infected computers. Whether this was intentional or not, only the attackers know. But in this sense, these two malware are considered as “wiper” – meant to bring business disruption. “The WannaCry and NotPetya ransomware outbreaks foreshadow a trend of ransomware being applied in new ways, in pursuit of new objectives, becoming less about traditional ransomware extortion and more about outright system sabotage, disruption, and damage,” researchers at McAfee said. Another malware that brought widespread business disruption in 2017 was the Mirai botnet, a malware that infected close to 100,000 IoT devices, turned them into robots and launched DDoS attack that brought down the managed DNS platform of Dyn, which in effect, temporarily brought down 80 widely used websites like Amazon, Twitter, Tumblr, Reddit, Spotify and Netflix. According to Imperva Incapsula, attackers in the upcoming year will probably adopt new business disruption techniques. Examples of these disruptive techniques include modifying computer configuration to cause software errors, system restarts, causing software crashes, disruption of corporate email or other infrastructure and shutting down an internal network (point-of-sale systems, web app to a database, communication between endpoints, etc.). 3. Breach by InsidersThe 2017 Cost of Data Breach Study (PDF) conducted by Ponemon and commissioned by IBM showed that 47% of data breaches were caused by malicious insiders and outsiders’ criminal attacks, 25% were due to negligent employees or contractors (human factor) and 28% were due to system glitches. According to Imperva Incapsula, illegal cryptocurrency mining operations in corporate servers are on the rise, set up by insiders or “employees with high-level network privileges and the technical skills needed to turn their company’s computing infrastructure into a currency mint.” 4. Artificial Intelligence (AI) as a Double-Edged SwordIn 2018, AI is expected to be used by cybercriminals as a means to speed up the process of finding security vulnerabilities in commercial products like operating systems and other widely used software. On the other hand, AI is expected to be used by cyberdefenders to improve cybersecurity. “Unfortunately, machines will work for anyone, fueling an arms race in machine-supported actions from defenders and attackers,” researchers at McAfee said. “Human-machine teaming has tremendous potential to swing the advantage back to the defenders, and our job during the next few years is to make that happen. To do that, we will have to protect machine detection and correction models from disruption, while continuing to advance our defensive capabilities faster than our adversaries can ramp up their attacks.” 5. GDPRIn 2018, one thing is for sure: General Data Protection Regulation (GDPR) will be enforced on May 25, 2018. GDPR is a European Union (EU) law that has an “extra-territorial” reach. Businesses that process personal data or monitor the online behavior of EU residents are still covered under this law even if they aren’t based in any of EU countries. Salient features of the law include consent requirement, right to be forgotten, transparency requirement, cybersecurity measures and data breach notification. “In the corporate world, McAfee predicts that the May 2018 implementation of the European Union’s General Data Protection Regulation (GDPR) could play an important role in setting ground rules on the handling of both consumer data and user-generated content in the years to come,” researchers at McAfee said. Happy 2018, and Stay Safe!
Whole Foods Market. Stock photo.
Whole Foods Becomes the Latest Victim of a Cyber Attack
Whole Foods, the supermarket chain recently acquired by Amazon, becomes the latest victim of a cyber attack.
The supermarket chain officially acknowledged that the cyber attack potentially compromised its customers’ credit card details. The data breach, according to Whole Foods, affected only the point of sale system used in taprooms (bars) and restaurants located within some of the Whole Foods stores. As of November 2016, The Mercury News reported that 180 of Whole Foods’ 464 stores had bars and restaurants. In its official statement, Whole Foods stressed that Whole Foods’ bars and restaurants use a different point of sale system from the company’s supermarket point of sale system. The company said that payment cards used at the supermarket point of sale system were not affected. It added that the Amazon systems, which acquired the supermarket chain last month, don’t connect to the Whole Foods’ bars and restaurants system. As such, transactions on Amazon.com haven’t been affected. Whole Foods’ public statement didn’t reveal how many customers may have been affected, how many bars and restaurants may have been involved or when the data breach was discovered. The Whole Foods data breach came just heels after the Sonic Drive-in cyber security breach. The American drive-in fast-food restaurant chain, with over 3,500 restaurants in 45 US states, confirmed that there's been some “unusual activity” on credit cards used at some of its restaurants. Similar to Whole Foods, the company didn’t disclose how many credit cards were potentially affected or when the data breach took place. Krebs on Security reported that Sonic Drive-In cyber security breach may have impacted millions of credit and debit cards. “The first hints of a breach at Oklahoma City-based Sonic came last week when I began hearing from sources at multiple financial institutions who noticed a recent pattern of fraudulent transactions on cards that had all previously been used at Sonic,” Krebs on Security wrote. About 5 million credit and debit card details recently put up for sale on the underground online site Joker’s Stash has been tied to a breach at Sonic Drive-In, according to Krebs on Security. “I should note that it remains unclear whether Sonic is the only company whose customers’ cards are being sold in this particular batch of five million cards at Joker’s Stash,” Krebs on Security said. “There are some (as yet unconfirmed) indications that perhaps Sonic customer cards are being mixed in with those stolen from other eatery brands that may be compromised by the same attackers.” Cyber criminals typically steal credit card details from merchants that accept cards by hacking into their point of sale systems. What is Point of Sale
Point of sale, also known as POS, is a system used by merchants where customers pay for goods or services. The POS system consists of hardware and software. The POS hardware refers to the device used to swipe a credit or debit card and the computer or mobile device attached to it. The POS software refers to the computer program that instructs the hardware what to do with the data it captures.
Through the years, there have been a number of vulnerabilities identified in the POS system. The vulnerability of the POS system was highlighted with the arrest and conviction of Albert Gonzalez, leader of the group that stole more than 90 million card records from retailers. The Gonzalez group took advantage of the lack of point to point encryption of POS system. If you pay using your credit card at a POS terminal, your credit card data housed in the card’s magnetic stripe is read, passed through a series of systems and networks before reaching the store’s payment processor. In 2005, credit card details transmitted over a public network from a POS device are required to be encrypted using network-level encryption, for example, the Secure Sockets Layer (SSL). Within the internal network of the store, however, credit card details weren’t required to be encrypted except when stored. The Gonzalez group took advantage of this lack of point to point encryption at the internal network level by installing network-sniffing tools that allowed him and his group to steal over 90 million card details. As a result of the Gonzalez group’s criminal activities, many stores today use POS system with encryption even at the internal network level. Through the years though, POS attackers have honed their skills and a number of POS attack methods have been developed. Big companies like Target Corporation succumbed to POS attackers. In May of this year, 47 US states and the District of Columbia have reached a $18.5 million settlement with Target that resolves the states' investigation into the company's 2013 data breach, which affected more than 41 million customer payment card accounts. How to Prevent POS Attacks?
Customers’ credit card data in the POS system passes through the following:
In each of these stages, customers’ credit card data becomes vulnerable to POS attackers. On the terminal level, attackers can insert hardware like skimmers or firmware to steal credit card details. As data passes from terminal to cash register or cash register to central payment processing server, the data may be stolen using network traffic sniffing tools like the one used by the Gonzales group. From the terminal to the internet exchange, there can be exposure of the encryption key. Credit card details may also be stolen via RAM scrapping malware from the cash register level or at the central payment processing server level. From terminal to internet exchange, mitigation strategy includes a firewall. At the cash register level or central payment processing server level, mitigating strategy includes endpoint security software. From cash register to central payment processing server, mitigating strategies include data encryption and the use of SSL. From terminal to internet exchange, mitigating strategy includes security information and event management (SIEM). Network segmentation is also one of the mitigating strategies to counter POS attacks. The network segmentation of the Whole Foods’ bars and restaurants from Whole Foods supermarket and Amazon.com has prevented attacks on the other two Amazon assets. Target, meanwhile, in the 2013 data breach didn’t implement network segmentation. When you need help protecting your missing critical applications and infrastructure, give us a call to speak with one of our cyber security and compliance experts. 
Major Accounting Firm Deloitte Admits It Suffered Cyber Attack
Deloitte, one of the world’s “big four” accountancy firms, admitted that it suffered a cyber attack. The company, however, downplayed the cyber attack saying that "only very few clients were impacted" and "no disruption" to client businesses happened.
Deloitte’s clients include 80% of the Fortune 500 companies and more than 6,000 private and middle market companies. British news outlet The Guardian and cyber security journalist Brian Krebs have come out with a different take on Deloitte’s cyber attack. Sources told the British news outlet that an estimated 5 million emails have been accessed by the hackers in the Deloitte cyber attack. A source close to the Deloitte cyber attack investigation, meanwhile, told Krebs that the Deloitte hacking incident involved the compromise of all administrator accounts at the company as well as the company’s entire internal email system. “In addition to emails, the Guardian understands the hackers had potential access to usernames, passwords, IP addresses, architectural diagrams for businesses and health information,” Nick Hopkins of The Guardian wrote. “Some emails had attachments with sensitive security and design details.” The Guardian reported that Deloitte discovered the hack in March of this year but the hackers may have had access to the company’s systems since October or November 2016. This hacking period was confirmed by Krebs who said that the Deloitte hacking dates back to at least the fall of 2016. “Deloitte has sought to downplay the incident, saying it impacted ‘very few’ clients,” Brian Krebs wrote. “But according to a source close to the investigation, the breach dates back to at least the fall of 2016, and involves the compromise of all administrator accounts at the company as well as Deloitte’s entire internal email system.” “As part of the review, Deloitte has been in contact with the very few clients impacted and notified governmental authorities and regulators,” Deloitte said in a statement. “The review has enabled us to understand what information was at risk and what the hacker actually did, and demonstrated that no disruption has occurred to client businesses, to Deloitte’s ability to continue to serve clients, or to consumers. A source told Krebs that Deloitte “does not yet know precisely when the intrusion occurred, or for how long the hackers were inside of its systems.” Cause of the Cyber Attack
Sometime in October 2016, Deloitte may have sense that something was wrong as the company sent out an email to all its employees in the US calling for a mandatory password reset. The notice includes an advice to pick complex passwords and a warning that employees who fail to change their passwords or personal identification numbers (PINs) by Oct. 17, 2016 wouldn’t be able to access email or other Deloitte applications.
According to The Guardian, Deloitte’s global email server was compromised through an “administrator’s account” – an account that has unrestricted access to all aspects of the email server. The administrator’s account required only a single password and didn’t have 2-step verification, sources of The Guardian said. By relying only on a password – single factor authentication, Deloitte’s email system became highly vulnerable to cyber attack. Hackers nowadays find is easy to hack emails using only a single factor of authentication or a password due to the following reasons:
Prior to the massive hack at Equifax where personal identifiable information like names, Social Security numbers, birth dates, addresses of 143 million Americans, 100,000 Canadians and 400,000 UK residents were stolen, Equifax was a victim of an earlier hacking incident. On May 15 of this year, the Counsel for TALX Corporation – a wholly owned subsidiary of Equifax – informed the Attorney General of New Hampshire about a hacking incident that harvested W-2 tax forms of the employees of the corporate clients of TALX. According to the Counsel for TALX, hackers gained access to the website of TALX and harvested W-2 tax forms of customers by successfully answering personal questions used to reset “PlNs” or passwords to access the website. “Because the accesses generally appear legitimate (e.g., successful use of login credentials), TALX cannot confirm forensically exactly which accounts were, in fact, accessed without authorization, although TALX believes that only a small percentage of these potentially affected accounts were actually affected,” the Counsel for TALX said. “It’s pretty unbelievable that a company like Equifax would only protect such sensitive data with just a PIN,” Avivah Litan, a fraud analyst with Gartner, told Krebs, in reaction to the TALX-Equifax data breach. “That’s so 1990s.” What is a 2-Step Verification
Many companies like Google, Facebook and Apple have adopted the 2-step verification, also known as two-factor authentication.
The 2-step verification is one of the security measures to help keep bad guys out. An example of the 2-step verification is that of Gmail where you'll be asked to enter your password as usual. In addition to the password, you'll be asked for something else. A code will be sent to your smartphone via text, voice call or mobile app. You can sign in using this code. You can also sign in using a USB security key – a small device that connects to your computer. Can the 2-step verification totally keep the bad guys away? The two-factor authentication offers more protection than logging into an email account without it. This added layer of security can stop certain group of hackers. It can’t, however, stop other sophisticated cyber attacks. The USB security key is considered as more secure compared to the code sent via smartphone. There’s, however, the danger of this device being lost or stolen. Cyber criminals, in the past, have infected mobile devices to steal 2-step verification security codes. Your organization’s entire internal email system could be full of sensitive information. Protecting your company’s email system goes beyond a password – single factor authentication. Email security also goes beyond the two-factor authentication. Contact us today if you need further protection for your organization’s internal email system. 
Wall Street’s Top Regulator Discloses Own Data Breach
The US Securities and Exchange Commission (SEC) – Wall Street’s top regulator – is the latest entity that publicly acknowledged that it was a victim of a cyber attack.
SEC Chairman Jay Clayton, who took office in May of this year, admitted that in August 2017, the Commission learned that a hacking incident detected way back in 2016 “may have provided the basis for illicit gain through trading”. “Cybersecurity is critical to the operations of our markets and the risks are significant and, in many cases, systemic,” said Chairman Clayton. “We must be vigilant. We also must recognize – in both the public and private sectors, including the SEC – that there will be intrusions, and that a key component of cyber risk management is resilience and recovery.” This recent cyber attack disclosure came just two weeks after the massive data breach at credit monitoring company Equifax, affecting 143 million Americans – almost all of the adults in the US, and affecting 100,000 Canadians and 400,000 UK residents. This recent SEC hacking incident puts the Commission in an uneasy position given that it’s the government body that’s responsible for enforcing securities laws, issuing rules and regulations and ensuring that securities markets are fair, honest and provide protection for investors. The Commission, in particular, has the power to fine private entities for failing to safeguard customer information. In June 2016, Morgan Stanley Smith Barney LLC paid a $1 million SEC fine over stolen customer data. The Morgan Stanley case originated from the act of then-employee who accessed and transferred the data of nearly 730,000 accounts to his personal server, which was then eventually hacked by third parties. The Commission found Morgan Stanley violated Regulation S-P, a regulation that requires registered investment companies, broker-dealers and investment advisers to "adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information." Morgan Stanley agreed to settle the charges without denying or admitting the SEC findings. In September 2015, a St. Louis-based investment adviser firm paid a $75,000 SEC fine for failing to establish the needed cyber security policies and procedures, resulting in a data breach that compromised the personally identifiable information (PII) of nearly 100,000 individuals, including thousands of the clients of the firm. SEC, in its decision, said the firm “failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on its server, or maintain a response plan for cybersecurity incidents.” Patch, Patch, Patch
According to SEC Chairman Clayton, hackers exploited the software vulnerability of the Commission’s corporate filing system known as “EDGAR”, short for electronic data gathering, analysis and retrieval. The software vulnerability was patched after discovery, the SEC Chairman said.
The Commission’s EDGAR system, performs automated collection, validation, indexing, acceptance and forwarding of data submitted by companies and others required to file certain information with the Commission. The system, in particular, receives, stores and transmits nonpublic information, including data which relates to the operations of credit rating agencies, issuers, investment advisers, broker-dealers, clearing agencies, investment companies, municipal advisors, self-regulatory organizations ("SROs") and alternative trading systems ("ATSs"). What is a Patch
A patch is a piece of code that’s added into a software program to fix a defect also known as software bug, including a security vulnerability. Patches are created and released by software creators after defects or security vulnerabilities are discovered. If a patch isn’t applied in a timely manner or if a software creator no longer offers a patch, cyber criminals can exploit a known vulnerability.
The Common Vulnerabilities and Exposures (CVE), an international industry standard, lists and assigns names to all known cyber security vulnerabilities. The United States Computer Emergency Readiness Team (US-CERT) provides an up-to-date list of known vulnerabilities and patches. “Federal agencies consistently fail to apply critical security patches on their systems in a timely manner, sometimes doing so years after the patch becomes available,” Gregory Wilshusen, Director for Information Security Issues, said in a written statement before the Subcommittee on Research and Technology, Committee on Science, Space, and Technology, House of Representatives in February 2017. “We also consistently identify instances where agencies use software that is no longer supported by their vendors. These shortcomings often place agency systems and information at significant risk of compromise, since many successful cyberattacks exploit known vulnerabilities associated with software products. Using vendor-supported and patched software will help to reduce this risk.” The 2 major cyber attacks in 2017 – WannaCry and Equifax data breach – exploited known vulnerabilities in computers that were unpatched. WannaCry ransomware, which affected thousands of computers worldwide in May of this year, exploited the vulnerability in Microsoft Windows. This particular vulnerability could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Microsoft, for its part, released a patch or security update for this known vulnerability in March 2017 – two months before WannaCry was released into the wild. For the Equifax data breach, the identified cause was the vulnerability in the Apache Struts in the US online dispute portal web application of Equifax. According to Equifax, the data breach happened from May 13, 2017 to July 30, 2017. The Apache Software Foundation, a not-for-profit corporation that manages and provides patches for Apache Struts, released 4 patches for 4 known vulnerabilities from March 2017 to July 2017. Even as cyber vulnerabilities are made public and patches are released, many organizations still fall victim to cyber attacks for failing to simply apply the available patches. According to the Apache Software Foundation, majority of the breaches that came to its attention are “caused by failure to update software components that are known to be vulnerable for months or even years.” Days after the patch for CVE-2017-5638 – a critical vulnerability in Apache Struts that allows attackers to take almost complete control of web servers used by banks and government agencies – was made available to the public, security researchers still noticed a spike of attacks exploiting this vulnerability. Patching known vulnerabilities in a timely manner is important as cyber criminals are quick to make use of newly published cyber security vulnerabilities, using them to launch cyber attacks within days. Monitoring and managing vulnerabilities and threats is only effective when done regularly. Identifying security vulnerabilities is an onerous task generally assigned to your company's IT department. We can save you time and money by proactively scanning your infrastructure and networks, helping you prevent a data breach. Connect with us today to learn more and protect your business. 
Image: Apache Struts
Apache Struts Vulnerability: There’s More to It Than Patching
Equifax claimed in its latest announcement that the vulnerability in the Apache Struts in its US online dispute portal web application caused the massive data breach affecting 143 million Americans – almost all of the adults in the US.
What is Apache Struts?
Apache Struts is an open-source framework for developing web applications in the Java programming language. It’s used by a significant number of organizations for developing publicly-accessible web applications like airline booking systems and internet banking applications.
The Apache Software Foundation, a not-for-profit corporation, manages, provides organizational, legal and financial support for the Apache open-source software projects, including Apache Struts. According to Equifax, the data breach that harvested names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers of 143 million US citizens occurred from May 13, 2017 to July 30, 2017. During this period, hackers also accessed credit card numbers for nearly 209,000 US customers, certain dispute materials with personal identifying information for almost 182,000 US customers and personal information for certain Canadian and UK residents. From March 2017 to September 2017, security researchers have identified several critical vulnerabilities in Apache Struts. These include:
Notable Apache Struts Vulnerability #1: CVE-2017-5638
CVE-2017-5638 is a remote code execution vulnerability in Apache Struts that particularly affects the Jakarta Multipart parser. Hackers exploiting this vulnerability can attack a web application, take full control of the web server and inject it with commands of their choice.
Nick Biasini, threat researcher at Cisco Talos, said they observed and blocked several attacks exploiting this vulnerability in Apache Struts. According to Biasini, one type of attack exploiting this vulnerability initially stops the firewall protecting the server and ultimately downloads and executes malware of their choice. Notable Apache Struts Vulnerability #2: CVE-2017-9805
CVE-2017-9805 is another critical remote code execution vulnerability in Apache Struts. All web apps using the popular REST plugin of Apache Struts are particularly vulnerable. Security researchers at lgtm discovered this vulnerability. If this vulnerability is exploited, hackers can run malicious code on the app server, either take full control of the machine or launch further attacks.
“This vulnerability poses a huge risk, because the framework is typically used for designing publicly-accessible web applications,” Man Yue Mo, one of the lgtm security researchers who discovered this vulnerability, said. “Struts is used in several airline booking systems as well as a number of financial institutions who use it in internet banking applications. On top of that, it is incredibly easy for an attacker to exploit this weakness: all you need is a web browser.” Citing analyst Fintan Ryan at RedMonk, lgtm noted that at least 65% of the Fortune 100 companies are actively using web apps built with the Apache Struts framework. Common Patching Versus Web App Patching
All of the above-mentioned vulnerabilities in Apache Struts have already been patched by the Apache Software Foundation. Many organizations, however, still haven’t patched their vulnerable web apps.
While most vulnerability fixes require only downloading a patch, installing it and rebooting a machine, fixing an Apache Struts vulnerability is different as it needs each web app to be recompiled using a patched version. In fixing an Apache Struts vulnerability, the web app code will have to be changed as opposed to just applying the vendor patch. In addition to the complexity of patching a web app, organizations also have problems in getting trusted and skilled personnel to patch the web apps since most of the original web app developers have moved on to other projects or to other companies. The time element between waiting for the right personnel to patch the web app and waiting for the code modification is critical. One of the preventive measures that your organization can use is virtual patching. “Instead of leaving a web application exposed to attack while attempting to modify the code after discovering a vulnerability, virtual patching actively protects web apps from attacks, reducing the window of exposure and decreasing the cost of emergency fix cycles until you’re able to patch them,” Imperva said. Additional Preventive Measures
The Apache Software Foundation said in a statement, “We are sorry to hear news that Equifax suffered from a security breach and information disclosure incident that was potentially carried out by exploiting a vulnerability in the Apache Struts Web Framework.”
The not-for-profit organization, however, said that majority of the breaches that came to the organization’s attention are “caused by failure to update software components that are known to be vulnerable for months or even years.” The Apache Software Foundation offers the following additional recommendations to prevent data breaches arising from Apache Struts vulnerabilities: “1. Understand which supporting frameworks and libraries are used in your software products and in which versions. Keep track of security announcements affecting this products and versions. “2. Establish a process to quickly roll out a security fix release of your software product once supporting frameworks or libraries needs to be updated for security reasons. Best is to think in terms of hours or a few days, not weeks or months. “3. Any complex software contains flaws. Don't build your security policy on the assumption that supporting software products are flawless, especially in terms of security vulnerabilities. “4. Establish security layers. It is good software engineering practice to have individually secured layers behind a public-facing presentation layer such as the Apache Struts framework. A breach into the presentation layer should never empower access to significant or even all back-end information resources. “5. Establish monitoring for unusual access patterns to your public Web resources. Nowadays there are a lot of open source and commercial products available to detect such patterns and give alerts. We recommend such monitoring as good operations practice for business critical Web-based services.” 
Insider Data Breach: An Enemy Within
Last week, an international health insurance company publicly acknowledged that one of its employees stole information that affected records of 547,000 customers.
The affected company said that while the stolen records didn’t include financial or medical data, records including names, dates of birth, nationalities, contact and administrative details were stolen. The company said that the employee responsible was fired immediately after the breach was discovered and is taking appropriate legal action. DataBreaches.net first reported the data breach of this international health insurance company when a vendor calling himself or herself on the dark web as “MoZeal” claimed that he or she has over 1 million records for sale. When contacted about the pricing, according to DataBreaches.net, MoZeal allegedly replied: "Thanks for your inquiry bro, but before i start talking about pricing i would just like to clarify that this medical database is the only unique db if not only one on the entire dark web market with over 1million entries and over 122 countries as a whole not to mention its come straight from one of the world class health insurance companies. so you can imagine the information is very sensitive but also exclusive." The international health insurance company disputed the 1 million records claim, and said in a statement, “Our thorough investigation established that 108,000 policies, covering 547,000 customers, had been copied and removed. The disparity in numbers claimed and those taken, relates to duplicate copies of some records.” This latest data breach incident shows the weakest link in cyber security: insider. Who is an Insider
An “insider” can be anyone who has physical or remote access to your company's confidential data. Although an insider often refers to your employee, your business partner, client or maintenance contractor who has access to your company's confidential data can also be considered as an insider.
An insider can either be a malicious insider or an inadvertent insider. An inadvertent insider can be an employee who was tricked to download a malware-laden document which then gives cyber criminals access to a company’s confidential information. A malicious insider refers to anyone who snoop files, steal information, and those who appeared to have knowingly violated the law. Extent of Insider Data Breach
IBM’s global threat intelligence report found that over 200 million financial services records were breached in 2016. Fifty-eight percent of the data breach in 2016 in the financial services sector was a result of insider attacks, while outsider attacks were only 42%. Of the 58% insider attacks, 5% of which were made by malicious insiders and 53% were made by inadvertent insiders.
The IBM report also found that in 2016 the healthcare sector was more affected by insider attacks (71%) than outsider attacks (29%). Out of the 71% insider attacks, 25% of which were malicious insider attacks and 46% were inadvertent insider attacks. For its part, Protenus reported that 43% of the 2016 U.S. health data breaches – total of 192 incidents – were the handiwork of insiders. Of the 192 insider breaches, 99 of these incidents were a result of inadvertent insiders, 91 incidents were a result of malicious insiders, and in 2 incidents there was insufficient information to determine whether the incidents should be considered as inadvertent or malicious. Health Data Malicious Insider Breaches Take 607 Days to Discover
According to Protenus, in 2016, the average days for healthcare organizations to discover they had a health data breach was 233 days. The most troubling part of breach discovery, according to Protenus, is in cases of malicious insiders in which the average discovery period was 607 days – more than double the typical data breach discovery period.
Protenus gives two explanations why it takes so long to discover a breach: 1. Limited Budgets and Resources With limited budgets and resources, not all organizations will be able to detect breaches in an automated and precise manner. 3. Reactive Approach to Data Breach Many organizations have taken a reactive approach to data breach – only worrying about breaches once they are brought to their attention by the affected party or third party like the media. “Insiders are a very real risk to the security of patient data,” Protenus said. “The high number of breach incidents, and the fact that these small-scale breaches can often go undetected, make these breaches especially devastating.” How to Prevent Insider Data Breach
Here are two ways to prevent insider data breach:
1. Educate Employees According to IBM, the reality that the cyber insider attacks targeting the healthcare and financial service sectors were largely the result of inadvertent insiders may be due to these industries having a greater susceptibility to phishing attacks. Phishing attack happens when cyber criminals try to trick you into sharing personal or work-related information online. Cyber criminals typically use email, ads, or sites that appear similar to sites you already use as common phishing methods. An email that appears like it’s from your bank requesting that you confirm your bank account number is an example of phishing. One way to prevent inadvertent insider attacks is by educating employees – through in-person instruction, video, webinars – about phishing and how to avoid becoming a victim. 2. Automation and Preventative Controls To prevent data breaches both from malicious and inadvertent insiders, it pays to invest in automated data breach detection tool. If an organization only depends on one or two persons to detect data breach, it will take some significant time before the breach can be discovered. With automation, the threat can be detected immediately and in a precise manner. “We predict that 2017 will be the Year of Insider Breach Awareness, with organizations realizing that this constant and significant problem has gone unaddressed for too long, with the focus for the last couple of years being more about catching up on external threats,” Protenus said. While the great majority of our business partners, employees, clients and contractors pose no threat, it pays to be proactive in detecting data breaches. While it takes only a few minutes to steal data, it can take months and years to recover data and rebuild positive business reputation.
When you need to protect your data against the insider threats, and don't have in-house expertise, please contact us and we will be happy to help.
How Data Breach Can Impact Your Business
Digitalization has changed the business landscape. This new business landscape also creates opportunities for cyber criminals. Cyber security has hugged the headlines in the past two months with an alarming number of high-profile data breaches. What kind of harm does data breach really do to your business?
What is Data Breach
Data breach is an incident in which company’s confidential data – including customers’ confidential data – is potentially viewed, stolen or used by an unauthorized person. A data breach can be caused by malicious or criminal attack, system glitch or human error. The "2017 Cost of Data Breach Study" by Ponemon Institute found that 47% of the root cause of data breach is malicious or criminal attack, followed by human error (28%) and system glitch (25%).
The business function that’s most likely to be affected by a data breach is the operation. Cisco in its 2017 Annual Cyber Security Report revealed that 45 percent of the cyber outages lasted from 1 to 8 hours; 15 percent lasted 9 to 16 hours, and 11 percent lasted 17 to 24 hours. Financial Cost of Data Breach
Data breach comes with the following incidental costs:
I. Detection and escalation costs
II. Notification costs
III. Post data breach response costs
According to the Ponemon Institute 2017 cost of data breach study, the average cost for each lost or stolen record containing sensitive and confidential information is $141. The average total cost of data breach per incident is $3.62 million according to Ponemon Institute. The study also found that detection and escalation costs are highest in Canada; notification and post data breach response costs are highest in the United States. The faster the data breach is identified and contained, the lower the costs.
Ponemon Institute study showed that there’s a relation between how fast an organization identifies and contains data breach incidents and the financial aftermaths. The study showed that security complexity and the deployment of disruptive technologies such as access to cloud-based applications and the use of mobile devices, including bring your own device (BYOD) and mobile apps, increase the complexity of identifying and containing data breaches.
Massive cloud migration at the time of the data breach increases the cost.
The Ponemon Institute study found that cloud migration – the process of transferring data from onsite computers to the cloud or transferring data from one cloud environment to another – at the time of the data breach was shown to increase the cost by $14 per record, increasing the average cost for each lost or stolen record from $141 to an adjusted average cost of $155.
The more churn, the higher the total cost of data breach.
Churn is the number of customers who discontinue their subscriptions to your business service within a given period. The Ponemon Institute study showed that businesses that experienced less than a one percent loss of existing customers had an average total data breach cost of $2.6 million, while companies that experienced a churn rate greater than four percent had an average cost of $5.1 million.
Reputational Cost of Data Breaches
While it’s easy to pin down financial cost of data breaches, reputational cost of data breaches is difficult to determine. Reputational cost can be measured by churn rate. But reputational cost is more than churn rate.
Forbes Insights in the whitepaper “Fallout: The Reputational Impact of IT Risk” wrote, “Reputation has always been a thorny thing to value in dollar terms.” A 2012 IBM study found that reputational damage as a result of data breach could last for months, while major breaches could last for years. If your customer can’t access your company website or application today, you don’t only lose one sale, but risk of ruining your company’s reputation. “You will be held accountable for what you did or didn’t do in the months and years leading up to a crisis,” said Prof. Daniel Diermeier, the IBM Professor of Regulation and Competitive Practice at the Department of Managerial Economics and Decision Sciences at the Kellogg School of Management. “You are only as good as the decisions you made when you put your systems in place.” “The disruption from human error, system outage or loss of data, even a minor disruption can have a significant impact on your reputation,” said Laurence Guihard-Joly, General Manager of Business Continuity & Resiliency Services at IBM Global Technology Services. “A cost, first, but also a real impact on whether people will choose your service.” Forty-nine percent of the security professionals surveyed in Cisco’s 2017 Annual Cyber Security Report revealed that their organization has had to manage public scrutiny after a data breach. The days of quietly dealing with data breaches may be long gone, according to Cisco, with 49% of those organizations surveyed said that they disclosed the data breach voluntarily, and 31% were forced to manage public scrutiny after the data breach was made public by a third-party. Cisco said there are just too many regulators, media and social media users who’ll expose the data breach. Data Breaches Drive Cyber Security Improvement
Thirty-eight percent of the security professionals surveyed by Cisco reported that data breach drove improvements in security threat defense, policies and procedures. In particular:
“Organizations that have not yet suffered a breach of their networks due to attackers may be relieved they’ve escaped. However, this confidence is probably misplaced,” Cisco said. “Given the attackers’ range of ability and tactics, the question isn’t if a security breach will happen, but when.” Give us a call today, and prevent a data breach. 
How to improve healthcare cyber securityScope of Hacking Health Care Records
The hacking of health care records at the NHS and HPMC aren’t isolated cases. Prior to the widely published WannaCry ransomware attack, other cyber attacks had already wreaked havoc in the health care industry. Protenus reported that in 2016, the U.S. health care industry suffered one breach per day, affecting more than 27 million patient records.
For the month of April 2017 alone, the U.S. Department of Health and Human Services, Office for Civil Rights reported 12 hacking incidents on hospitals and medical doctors’ offices, affecting 171,564 patient records. The biggest hacking incident last month that was reported to the U.S. Department of Health and Human Services happened at Harrisburg Gastroenterology Health Care Center, affecting 93,323 patient records. The patient information potentially accessed at Harrisburg Gastroenterology includes names of patients, demographic information, social security numbers, health insurance information, diagnostic information and clinical information. Last May 18th, Neeley-Nemeth Barton Oaks Dental Group reported to the U.S. Department of Health and Human Services that its computer system was hacked, affecting 17,090 patient records. Symantec's Global Ransomware and Business Special Report showed that from January 2015 to April 2016, Canada ranked third (16%) in terms of ransomware infections, next only to the United States (23%) and "Other Regions" (19%). Verizon’s 2017 Data Breach Investigations Report showed that breaches in healthcare organizations came second (15%), next to data breaches in financial organizations (24%). In 2017, ransomware was ranked by Verizon as the number five most commonly used crimeware. “For the attacker, holding files for ransom is fast, low risk and easily monetizable – especially with Bitcoin to collect anonymous payment,” the Verizon report said. 5 Reasons Why Hacking of Health Care Records is Skyrocketing
Hospitals and medical doctors’ offices have become targets for ransomware attacks due to the following reasons:
1. Medical Records are Irreplaceable Medical doctors’ offices and hospitals have irreplaceable digital documents that increase every hour, from appointments with patients to viewing imaging. 2. Willingness to Pay Compared to other sectors, the medical sector appears to be more than willing to pay ransom for the fast recovery of their data. 3. Confidential Nature of the Documents Medical doctors’ offices and hospitals’ records carry with them an abundance of confidential information about patients such as social security details, insurance details, birth dates, addresses, medical history and current medical situation. These confidential data can be sold to other opportunistic individuals or organizations at $10 per patient – an amount 10 times higher than what criminals earn from selling credit card details. 4. Loss of Reputation Hacking exposes organizations their weakness. As such, many hospitals and medical doctors’ offices would rather pay and keep quiet than face the consequence of loss of reputation. 5. Vulnerable Software Many medical doctors’ offices and hospitals use proprietary software. Cyber criminals exploit the vulnerabilities of these proprietary software solutions. In the case of the NHS WannaCry ransomware attack, the vulnerability of the operating system Windows XP was exploited. At the height of the WannaCry attack, NHS confirmed that 4.7% of the organizations’ computers still use Windows XP – an operating system released by Microsoft in 2001. 3 Effective Ways to Prevent Cyber Attacks on Medical Doctors’ Offices
Below are 3 preventive measures to stop cyber criminals from getting hold of your patients’ confidential data:
1. Backup data One of the effective means to prevent cyber attacks, specifically ransomware attacks, is by backing up your data. Ransomware attackers have an advantage over their victims by encrypting valuable computer files and preventing victims to access these valuable files. If you’ve backup copies, it would be easy to bring back these files. It’s important to make sure that these backup files are properly protected. Storing them offline is one alternative so that cyber criminals can’t access them. Another option is to use cloud services. These cloud services keep previous versions of files, enabling you to roll back to the unencrypted form. 2. Exercise digital hygiene Preventing cyber attacks on medical doctors’ offices is similar to other disease prevention: hygiene is essential. In the medical office set-up, digital hygiene refers to maintaining one’s computer hardware and software solutions as secured as possible. Examples of digital hygiene include updating your hardware systems, installing the latest patches or software security updates, and not clicking unfamiliar links or files in emails. Hundreds of thousands, if not millions, of computers were unharmed by WannaCry ransomware by simply using the latest operating system and installing the latest patch or security update. 3. Contain the infection Containing a malware is much like containing an infectious disease outbreak. In such a case, a rapid response such as isolating the infected computers can make a difference. Many ransomwares like WannaCry have a worm component that’s capable of spreading itself within computer networks without the need for user interaction. In handling the WannaCry ransomware attack, Spain’s Computer Emergency Response Team CCN-CERT, for instance, recommended isolating from the network or turning off as appropriate computers without support or patch. Contact us today if you want to protect your hospital or medical office from cyber attacks. |
6/30/2018
0 Comments