Context Matters

When it comes to threat detection, there are plenty of security controls out there that can help detect attacks within your network. And while these security controls are certainly useful, they don’t really give you the big picture of what happened. 

Context matters. This is why proper event logging is such an important component of any organization’s cybersecurity posture. Simply stated, event logs create an audit trail of all activity across your networks: from firewall activity, to software updates, to remote access. These logs provide the data necessary to properly analyze your network, and, if an incident occurs, be able to understand the overall context of what happened, how and why  

How Logs Can Help

Threat Identification and Prevent  

In order to know what your network looks like when something goes wrong, you first need to understand what your network looks like when everything is working normally. Using event logs help create a profile of normal network activity in order to keep a baselineOnce you know what normal activity within your network looks like, logging can then help identify any activity outside of this norm. 

By being able to identify unusual activity, event logs can be an invaluable tool in preventing attacks before they actually occurWhen properly utilized, event logs are able to provide early warning signs of an attack and allow organization to respond before the intruders can cause damage.   

Post-Breach Recover and Forensics 

If, despite best efforts, a data breach does occur, event logs continue to be an important resource. After an attack, logs can first and foremost, help organization determine the scope of an attack, assess the damage and isolate the incidentensuring it doesn’t spread to other parts of your network.  

Logs also provide the information necessary to understand how an attack occurred in the first place. By providing the overall context of an incident, event logs help organization understand not only what happened, but how they can prevent similar attacks from happening in the future.  

Managing Logs

Despite the value event logs provide, many organizations neglect to use them. Because logs will create a trail about everything that happens on your network, they can be difficult to store and daunting to manage. While logs don’t need to be kept forever, its important have enough space to maintain log trails for a certain period of timeLogs can take up a lot of space, but if you overwrite them too much, you may lose critical information. 

This is where Security Information and Event Management (SIEM) systems come in. While business should decide on log filtering and storage policies that work for them, SIEM systems can help automate this process to ensure that policy is effectively managed. SIEM systems also help analysis the often overwhelming amount of information event logs provide and even create alerts when it notices a potential problem. 

Combining event logs and SIEM systems goes a long way toward providing organizations the necessary context to understand threats to their networks. Logs can provide tailor-made insight into an organization’s vulnerabilities. What’s more, logs can even help mitigate the regulatory consequences of a breach, by providing evidence that an attack wasn’t a result of company negligence. At the end of the day, when event logs are properly managed, there is no more valuable resource.  

 

The Hole in the Firewall Gang

In our mythology of the American past, towns were terrorized by roving gangs who would rob one town then head to the next.  Welcome to 2019.  New technology.  Old tricks.

Recently, we wrote about a rising trend in ransomware attacks targeting local governments. Since then, news broke that 22 towns in Texas have become the latest victim of these attacks. Investigations are still underway, so information on the exactly causes has yet to be released to the public. However, according to NPR, a mayor of one affected town said the attackers are asking for $2.5 million to unlock government files.  

What sets this apart from the recent onslaught of ransomware news is the highly coordinated nature of these attacks. Texas officials believe the attack to be caused by “one single threat actor,” targeting specific agencies rather than entire government systems.  

Texas governor Greg Abbot classified the attack as a Level 2 Escalated Response — the second-highest level of alert in the state’s emergency response system — indicating that the scope of the incident is beyond what local responders can manageCybersecurity experts from the F.B.I., the Federal Management Agency, and the Teas Military have all been called in to respond.  

One pattern many have noticed is the relatively small size of the towns attacked. Of the 22 towns affected, four of them have a total of 31,000 residents. In many cases, small governments have underfunded IT departments, making it difficult to maintain effective cybersecurity practices. Frequently, ransomware attacks are will target systems based on opportunity. Instead of wasting the effort of cracking systems with strong security systems, attackers will go after those with easy access. Local government’s like those these Texas towns are therefore prime targets for these types of attacks.  

News of thattacks not only show that government ransomware attacks are on the rise, but also an increase in the level of sophisticationIn an article in the New York Times, Allan Liska, the author of a recently report on government ransomware attackssaid that if this turns out to be a new phase — because bad guys love to copycat each other — we’re going to see a continued acceleration of these kinds of attacks.” 

If this news teaches us anything, it’s that public and private business should not waitbut put it place processes now to prevent being the next victim of a ransomware attack. All organizations should make sure that they are testing their backups regularlypatching their systems, and engaging their staff in cyber awareness training.

And rustle up a posse.  Because they are coming.
 

Preparing for the CCPA

Time is running out. The California Consumer Privacy Act (CCPA) goes into effect January 1st 2020, and businesses need to be taking the steps necessary to comply. The new law is widely considered to be the most comprehensive privacy regulation in the U.S. to date and won’t just affect businesses operating within the state of California. Instead, any organization that collects the personal information of California residents might be subject to the new regulation. It’s important that every business reviews the regulation to understand whether they will be required to comply.  

And while the CCPA has many similarities to the E.U.’s General Data Protection Regulation (GDPR)organizations should not assume that compliance with one automatically means compliance with the other. It’s therefore essential that any business potentially affected by California’s new law understand what compliance entails and take steps to put any necessary new systems in place.  

Compliance: The Essentials

Inventory California Data

Really, it’s always a good idea to conduct an inventory of the data collected and processed, but it’s going to be especially important for compliance with the CCPA. Because the regulation gives consumers the right to request information about how their data is used, the first step will be to conduct and maintain a comprehensive inventory of your data. This should include not only what data you’re collecting, but also how it’s collected, where it’s stored, and who it’s shared with.  

It’s important to note that “personal information” covers more than just names and addresses. It also includes, among others, biometric data, geolocations, and internet activityReally, any information that can be linked back to an individual will fall under the scope of the CCPA.  

Develop Systems to Process Consumer Requests

After conducting a throughout inventory of this data, organizations will need to put in place procedures to quickly and accurately processing consumer requests to access this information. Under the CCPA, consumers have the right to request information on what data is being collected and who that information is being shared with. 

The regulation requires organizations to provide at least two methods for requesting this information, including at minimum a toll-free number and a webpage designated for requests. Once a request is made, businesses need to be able to quickly process and fulfill them. The CPPA requires all requested information to be delivered to the consumer within 45 days of the request.  

For most businesses, this will be the toughest aspect of the regulation to put in place. To help, there are a number of automated tools that can assist with processing. We also recommend having someone on staff certified in privacy through the IAPP or have someone on retainer who can assist with the process.  

Introduce an Opt Out Link on the Homepage

Under the CCPA, businesses will need to include a link on their homepage allowing users to opt out of the sale of any personal information. The regulation requires that this link needs to be “clear and conspicuous” and be titled “Do Not Sell My Personal Information.” Consumers also need to be able complete the opt out request without having to create an account.  

Update Privacy Policy

The CCPA will require businesses to update their privacy policy. According to the regulation, privacy policies will now need to include a description of consumer rights under the CCPA as well as a list of the types of personal information the company collects, shares, and sells with other entities. The privacy policy should also include the link to the “Do Not Sell My Personal Information” page. 

Review Overall Cybersecurity Policies and Practices

On a more general level, businesses should also take the time to ensure their cybersecurity policies and procedures are up to snuff. According to the CCPA, if an organization experiences a data breach, they will be considered responsible and be subject to fines if the state deems the organization to have failed to implement and maintain reasonable security procedures and practices.” There will likely be more clarification on what “reasonable security procedures and practices” entails once the regulation goes into effect, but organizations should play it safe and ensure they have a strong cybersecurity system in place to safeguard against potential liability 

Calling for Backup

It’s common knowledge that we should all be backing up our data. It’s important not only in case of system errors, but also in the event of stolen data and other security breaches. But what isn’t talked about as often is testing these backups.  

This is something that Arizona Beverages found out the hard way. Earlier this year, the company found themselves victim to a ransomware attack that wiped information on more than 200 servers and networked computers. But the real trouble began when IT staff realized that their backup systems where misconfigured, effectively making it impossible to recover their data without outside help. Because of the mistake, the company spent hundreds of thousands of dollars on new hardware, software, and recovery services.  

While there is nothing good about suffering a ransomware attack, having backups of your data can severely limit the consequences of the attack — as long those backups actually work. This is why it’s essential to regularly test your backup systems. 

In order to ensure their systems are backed up frequently, organizations will often automate this process. And while this can be useful, it’s important to not just assume that everything is working as expected.  

And there is more to backing up your data then the actual backup process. You want to make sure that not only that you properly backedup targeted data, but that it can be successfully restored. This includes ensuring that no file corruption occurs in the process of backing up and restoring that data. There’s no worse feeling than restoring your data only to find it completely useless.  

How frequently you test your backups should be decided by each organization depending on regulatory constraints, risk-assessment, and business strategy. However, whatever is decided should be incorporated into your cybersecurity policy and carried out consistently 

Nothing keeps IT professionals up at night like the thought of irredeemably losing system data. Not only could months or years’ worth of work vanish in an instant, but it could end up costing tons in regulatory fines and recovery services. 

Simply put: test your backups, sleep easy.  

 

Identity Management 101

Identity management should be considered an essential part of any business’s cybersecurity policy. No, it’s not the process of deleting your old college party photos from Facebook (although that’s not a bad idea). Instead, it’s a way to manage who has access to what information and when 

Misuse of credentials—either intentionally or unintentionally—is a prime vector for security issues. It would certainly be a lot easier to just give every employee access to all of your systems and files but having this sort of “open door policy” exposes your organization to serious risk. The Ponemon Institute’s Cost of Insider Threats report show that privilege misuse is an increasing cause of data breaches and costs organizations an average of $8.76 million. 

To help prevent this, it’s important that any identity management policy a business uses should incorporate the concept of least privilege. This means exactly what it sounds like: every user should be given the least amount of privileges to applications and systems necessary to complete their work. And managing access privileges is not a one-time thingIf a user only needs access to certain information for a short period of time, you want to ensure to restrict that access once they no longer need it.  

Low-Hanging Fruit

Along with employing a least-privilege policy, there are a few more simple steps every business should take when developing identity management practices:  

  1. Make sure that only those who need it have administrator privileges. On top of this, those with administrative privileges should have a separate account to access systems and software which does not require privilege, such as email or, yes, Facebook.
  2. Require users with a greater risk-level to use multi-factor authentication (MFA). This includes those with administrative privileges and users who log-in remotely.  
  3. Remove credentials for anyone who no longer needs access, such as ex-employees and short-term contractors and vendors.  
  4. Require users to create long, complex and unique passwords. There is no need to reset passwords unless they’re forgotten or you suspect they’ve been compromised. Check out NIST’s password guidelines for more information on this.  

Next Steps

While using various technologies throughout an organization streamlines activity, it also creates a more complex user environment, which poses its own security risks. To help mitigate these risks, there are a number of additional steps you can take, such as utilizing Single SignOn (SSO) and Identity Management Systems. 

Single Sign-On allows employees to use one set of credentials to access multiple applications. This may seem counter intuitive but limiting the number of credentials can actually improve security. Often, when users are required to keep multiple passwords, the overall strength of each password goes down, making it easier for credentials to be compromised. Focusing instead on maintain one strong password will help keep your systems more security.  

Lastly, there are identity and access management systems which can help automate this process. Along with managing user access, these systems can monitor user activity and enforce organizational policy on data use and sharing across the board.  

 

Robocalls Might Be in Trouble

You may have forgotten just how terrible looking at your email inbox used to be. Not too long ago, email spam cluttered our inboxes, making it next to impossible to wade through all of our emails and figure out which ones were legitimate and which ones to delete. And while with email this is largely a thing of the past, the problem has carried over into a new medium: our cellphones.  

Pesky phone calls aren’t anything new, but in the last few years the situation has become rather drastic. According to one report, there was a total of 26.3 billion robocalls placed in the U.S. in 2018 — a staggering 46% increase in just one year. And while almost all of these calls are technically illegal, technology has accelerated to such a degree that it’s become extremely difficult for lawmakers and regulatory agencies to keep up.  

Why This is Happening 

It’s an old cliché: technology can be used for good and for bad. But recent advancements in calling services certainly prove this to be true. One of the main causes of the increase in robocalls is what’s called Voice over Internet Protocol (VoIP). Services offered by Skype and Google utilize this technology to help users communicate with one another at low costs. However, bad actors have learned to automate this technology in order to place thousands of calls to anywhere in the world at a rapid pace.  

Alongside VoIP, spammers have also harnessed a technique called “spoofing,” which allows callers to use a fake number when placing a call. You’ve probably learned by now that if you receive a call from a number that looks similar to your own, it’s going to be a robocall. This is because spammers are using spoofing technology to carry out “neighbor spoofs,” a method that replicates your area code and sometimes your exchange number to trick you into picking up.  

And while it’s not too difficult to learn to spot these tricks, spoofing can be used in even more nefarious ways. Because of the ease with which someone can mimic any phone number, spammers can have a call look like it’s coming from a local business or even the IRS. Or worse, if a spammer has gained access to your contact list, they can spoof calls to look like they’re coming from someone you know personally.  

A Reason for Hope? 

According to the FCC, 60% of all complaints filed are related to robocalls. And, given how pervasive the issue is, it can be extremely frustrating that not more is being done to tackle the problem. This month, however, there has finally been some movement from both the FCC and phone carriers to do something about it. 

Earlier this monththe FCC unanimously voted to prohibit foreign callers from spoofing U.S. numbers, telling phone carriers that they have until the end of the year to implement technology to determine the legitimacy of calls. 

The technology they are referring to is called STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs). In essence, STIR/SHAKEN attaches a certificate of authentication to phone numbers that is then verified by phone companies when a call is placed. Phone carriers can use this technology to add check marks next to verified calls and warn you when a number is unverified. 

AT&T and T-Mobile have since announced plans to implement this technology within the coming months. If you have either carrier you might already be seeing warning such as “SPAM RISK” or “FRAUD ALERT” appear on your screen when you get certain calls.  

Of course, this technology doesn’t actually stop you from receiving robocalls. But maybe — just maybe — we’re moving in the right direction. After all, the decline of spam emails wasn’t because email providers outright blocked spam. As an article in NY Magazine points out, “The key insight that defeated email spam was that it would be nearly impossible to stop email spammers…But it was possible to make it so that the average person never saw that spam.” 

The hope, therefore, is that call verification technology will make the business of robocalls less lucrative, and, overtime, the number of such calls will naturally decrease. Only time will tell how successful this will be, but this certainly seems to be a step in the right direction. When it comes to cybersecurity, there haven’t been a lot of hopeful stories recently, so we’ll take what we can get. 

Bugs in-not-on the Mobile Windshield

These days, our smart phone is literally our life.  Everything we need (or think we need) is in it.  Everything we want to know or do can be done with it.

Of course, it is also a great way for the bad guys to get to you.   You may think you are downloading a “clean app” only to find it’s infected as last month’s news about the 25 million android phones infected with a whatsapp malware illustrates.

But in some cases, even if you are extra careful about downloading apps, your phone may already be infected.  The reason is that the smartphone you buy may already have 100 to 400 preinstalled apps that  were selected by the phone manufacturer.  As noted in a BlackHat presentation, these preinstalled apps have become a target of hackers because its a great way to distribute their malware as far and as fast as possible.  What can this malware do?  It could provide a means for remote access, key-logging or activity monitoring for starters.  Not necessarily what you want when your whole life revolves around your phone.

One key point is that hackers are not just focusing on the end-user, they are focused on embedding their malware through the supply chain, knowing that ultimately it will wind up with the target they are after.  Companies have to thoroughly vet the secure of the technologies they are using to build products and services for their customers.

And, of course, with smartphone users, practice good mobile hygiene by periodically pruning the apps you have on your phone, running anti-virus software (certainly for Android phones), keep the operating system up-to-date, use a password manager and VPN service when you are on the road.  And, like the airplane pre-flight instructions say, take care of your own phone first (but then) assist others — like with your children and their phones.

 

Building Customer Trust Before and After a Breach

There has been a lot of news in the past few years about increased cybersecurity regulations and the potential fines they could impose on companies. From the E.U.’s General Data Protection Act to the California Consumer Privacy Act, the thought of government fines have left many businesses worried. And while it’s certainly something to be concerned about, studies have shown that the biggest cost to organization’s follow a breach isn’t regulatory fines, but loss of customers.  

In fact, according to this year’s Ponemon report, lost business has been the largest source of breach costs for four years running. The report shows that, above all other factors, customer loss accounts 36% of the total cost of a data breach — or an average of $1.42 million in lost business 

Placing more emphasis on customer retention both before and after a data breach will therefore greatly reduce the costs a breach could have on an organization. The Ponemon report shows that where businesses that were able to keep customer turnover below 1% experienced an average total breach cost of $2.8 million, organizations with customer turnover of 4% or more averaged a total cost of $5.7 million.  

And there are a number of different steps an organization can take to help keep customer turnover as low as possible. 

Customer Retention, Before and After a Breach

Before

You don’t want to wait until after a data breach to tell your customers that you prioritize cybersecurity. It will come across as insincere. After all, what reasons have you given to make customers believe it? That’s why placing an emphasis on your commitment to cybersecurity and protecting customer data before a breach is essential. 

A key way to show your commitment is to have a governance structure in place that shows you prioritize cybersecurity. The Ponemon report shows that organizations with an established executive position responsible for ensuring the protection of customer data directly helps to reduce lost business.  

Educating customers about privacy is another great way to build trust. Be upfront with your customers when it comes to how you use their information and why. This can involve having an accessible and clearly written privacy policyinforming customers about your use of cookiesand recommending the use of multifactor identification 

After

In the event a breach does occur, not all hope is lost. Your customers will be rightfully concerned, but making it a priority to show what steps your taking to mitigate the effects of the breach will go a long way toward retaining those customers.  

An important way to show this is first and foremost to promptly notify those effected about the breach. If a breach occurs, you don’t want to look like you were dragging your feet. There is no surer way to lose customer trust than to seem like you’re hiding the fact that customer data was lost.  

After notifying your customers, you also want to provide help for customers that were effectedProviding comprehensive identity theft prevention tools and requiring customers to reset their password are two good ways to do this. In fact, the Ponemon report found that organizations that offered data breach victims identity protection experienced a smaller amount of customer turnover.  

 

After a breach, companies are fond of talking about the how committed they are to protecting customer privacy. But the bottom line is that you want to prove this to your customers. Showing respect for their privacy before a breach occurs and especially afterwards will greatly reduce the impact your company will endure.  

Time is not on our side

Among the many things that Equifax has been criticized for, one of them is the amount of time it took the company to identify, contain and then notify customers about the breach. The breach initially occurred on May 14th but went undetected until in the very end of July. From there, it took the company an additional month to official announce that the breach occurred.  

But the sad truth is Equifax’s response time is actually a lot faster than a lot of other organizations that suffered data breaches. One of the factors that The Ponemon Institute looks at in their annual Cost of a Data Breach Report is what they call the breach lifecycle. The lifecycle of a breach is defined as the time between when a data breach initially occurs and when the breach is finally contained. And the average breach lifecycle is shockingly long. According to the report, the average lifecycle came to a total of 279 days — a combination of 206 days to identify the breach and 73 days to contain it. And the report found that this number grew significantly over the past year, representing an almost 5% increase over 2018’s breach lifecycle of 266 days.  

The impact of a long breach lifecycle for a company is not just a public perception of incompetence, it also dramatically increases the costs experienced. The report found that organizations with a breach lifecycle longer than 200 days saw much higher costs. Breaches that took under 200 days cost an average of $3.34 million, where long breach cycles were found to be 37% or $1.22 million more costly for organizations, for a total average of $4.56 million. Simply put, the faster a data breach can be identified and contained, the lower the costs.  

Shortening the Lifecycle of a Breach

It is therefore pretty apparent that, in the event a breach occurs, organization’s need to be prepared to respond as quickly as possible. Response to a breach involves two basic elements: detection and containment. Here are a few ways organizations can help reduce the length for both.  

Detection

The Ponemon report shows that detecting a breach is by far the largest factor in the length of a breach’s lifecycle. Malicious attacks want to keep their access for as long as possible, so will work to cover their tracks. And breaches caused by errors are often overlooked because, well, if we knew we made a mistake we wouldn’t have made it.  

It’s therefore important to constantly stay vigilant for signs that a breach has occurred. It can be difficult to constantly monitor all systems for any anomalies. Intrusion detection systems (IDS) are helpful here as well as Security Information and Event Management (SIEM) systems which collect system information (logs) and will provide alerts if there is anomalous activity.  It the very least it is important to centralize your logging, conduct regular vulnerability and anti-malware scans of removable devices and regularly check your administrative accounts for unauthorized changes or additions.

And while different types of breaches produce different signs, there are a number of general indications that can help tip off when something is wrong. Repeated system crashes, unusually high system activity, and unapproved configuration changes are all common indications of an attack. It may be nothing, but it’s far better to be overly cautious than to assume everything is fine only to later find out something was wrong after all.  

Containment 

The first step to containing a breach should actually happen before a breach even occurs: implementing an incident response plan and regularly practicing responses to cyber-attacks. The Ponemon report found that organizations with incident response plans and who simulate attacks were able to reduce the cost of a breach $1.23 million.  

The response itself largely depends on the cause of the breach. Whether it’s applying new security patches, updating user credentials, wiping stolen devices or something else, the essential point to is be able to quickly identify how the breach occur and respond accordingly. The time to prepare is before a breach, not after.

An Inside Job

A story came out a few years ago showing that a former employee of an engineering firm continued to access the company’s systems long after leaving. The employee left the firm in 2013 to start his own company, but for two more years he used his old credentials to access and download project proposals, designs and budgetary documents — all with an estimated worth of $425,000. 

This is just one example of a growing threat to businesses: malicious insider attacks. We recently covered the threat of accidental disclosure by employees, but that doesn’t mean there aren’t other inside threats to be concerned about. There are a variety of reasons an employee might intentionally threaten company information. Often, it’s done for personal financial gain but in other cases it can simply be a case of a disgruntled employee.  

According to Ponemon’s 2018 Cost of Insider Threats, criminal or malicious attacks make up for 23% of all inside cybersecurity incidents — a number that continues to rise every year. And, as the above example shows, these attacks can be costly. The report also found that malicious insider attacks cost organizations an average of $607,745 per incident.  

A key contributor to that cost is not just the value of information stolen, but also the amount of time it takes to detect. Because these attacks often use seemingly legitimate access to systems and databases, it can be difficult to discern whether someone is using credentials to access records for work purposes or with ill intent. According to the Ponemon record, it takes an average of 73 days to detect and contain an inside incident.  

Mitigating the Threat

There are, however, a number of steps organizations can take to both prevent insider threats and detect them if they do happen.  

Evaluate Access Controls 

One of the best line of defenses is to constantly evaluate employee permissions and access. Not all employees will need access to all systems, so placing access restrictions depending on the employee’s need is a must.  

And this isn’t something you should do just once. It’s important to regularly update your access controls. An employee might need access to certain databases for a short-term project, or, like in the example above, has left the company. Regularly going through employee permissions and access will ensure that only those who absolutely need your information can access it.  

Implement Data Loss Prevention Software 

Using data loss prevention (DLP) software is an essential way to detect potential malicious activity. DLP tools will classify your data by risk level and organization policy. If the software identifies policy violations (such as moving data off network), it can automatically encrypt effected information, and alert security teams. 

Employee education  

A report conducted by Opinion Matters found that some employees might be taking or sharing information because they believe they own the data they work on. According to the report, only 40% of employees interviewed agreed that data is exclusively owned by the organization and not by teams, departments or individuals.  

Through clear policy and regular training, business need to make a point of educating employees on data ownership. Employees need to be  made aware of their responsibility when it comes to protecting company information.  

Subscribe To Our Newsletter

Join our mailing list to receive the latest tips and news about Cyber Security and Data Privacy

You have successfully Subscribed! Please make sure to check your email to confirm registration.