Hacker Fails

Recently, we’ve written a series of articles looking at the various ways the coronavirus intersects with cybersecurity concerns. And while we don’t want to downplay the importance of maintaining cybersecurity practices throughout the crisis, we could all use a little distraction from time to time. So, we decided to have some fun today. And what is more fun than hearing stories about hackers who completely and totally messed up? So, without further ado, we present three major hacker fails to keep your mind off the news for a few minutes.

Hacker Fail #1: The Spy Who Hacked Me (Then Posted it on YouTube)

This should go without saying, but if you’re going to install malware on hospital computers, you probably shouldn’t upload a video of yourself doing it. As it happens, that is exactly what Jesse William McGraw did. McGraw was a night security guard at Northern Central Medical Plaza in Dallas. One night he decided to film a video of himself pretending to be a spy who was infiltrating the premises (with James Bond music and all). Of course, as a security guard, he had access to the entire building and wasn’t actually doing anything illegal. That is, until he started installing malware on a dozen of the hospital’s computers.

Authorities quickly arrested McGraw and discovered he was actually the leader of a hacking group called the Electronik Tribulation Army. For his part, McGraw was sentenced to 9 years in prison and ordered to pay over $30,000 in restitution.

Hacker Fail #2: VPN FML

This story involves one of the most newsworthy cyber-attacks of the past few years: the hack and leak of emails from the Democratic National Committee. The documents were leaked online over the course of a few months by a hacker calling himself Guccifer 2.0. While leaking the documents, Guccifer portrayed himself as a lone hacker who conducted the attack for the fun of it.

Of course, we know now that this hack was instead conducted by the Russian government, specifically the GRU, Russia’s intelligence agency. As it turned out, tracing the hack back to the GRU didn’t take much work because Guccifer made a very simple mistake: he forgot to turn on his VPN. VPNs help users stay anonymous online by connecting to the internet using shared IP addresses. Guccifer routinely used a VPN to cover his tracks online, but at one point simply forgot to turn it on before logging onto a social media site. The mistake allowed authorities to trace the hacker’s location directly back to GRU headquarters.

And the rest, they say, is quite literally history.

Hacker Fail #3: Hoist with his own petard

We saved the stupidest for last. For a while now, a transcript of a chat between hackers has been passed around the internet. In the chat, two rival hackers were arguing with one another and threatening to attack each other. One of the hackers claimed to be using a program that allowed him to remotely delete a hard drive by simply entering the target’s IP address. Calling his bluff, the other hacker shared his IP in the chat. However, instead of giving his actual IP, he gave him a loopback address that pointed right back at the would-be hacker’s own computer. So, when he ran the IP address through the program, he ended up wiping out his own hard drive instead of his rival’s.


Beyond Compliance

Like the often-quoted phrase, “A camel is a horse designed by committee”, compliance regulations often do more to overcomplicate issues than solve them. At the same time, companies that just focus on meeting compliance standards can miss addressing the risks the compliance measures were designed to mitigate.

After all, Target Department Stores successfully passed a PCI audit two months before their massive breach in 2013.

Naomi Lefkovitz of the National Institute of Standards and Technology perhaps said it best when discussing privacy risk at a conference last month in Brussels.  “If you do something that upsets your customers from a privacy standpoint and then you tell them  ‘Well I’ve done everything correct under the law’ will they be any more satisfied?  Probably not.  That’s privacy risk in a nutshell.”

When focusing on cybersecurity or data privacy, the key is to understand what your risks are. In many cases those risks will involve other parties, and you need to determine the impact that an incident will have on them when you decide how and where to take preventive action.

“Focus on your customers and your employees and the business will take care of itself,” is another often-quoted phrase. If you do that as you put together your cybersecurity and data privacy practices, compliance and the rest of the business will take care of themselves, as well.


Targeted Ransomware Attacks on the Rise

At the end of February, security experts at RSA 2020, a leading cybersecurity conference, warned that an increase in targeted ransomware is likely. These concerns echo a statement released by the FBI in October that ransomware attacks are becoming “more targeted, sophisticated, and costly.”

Ransomware is a form of cyber-attack in which hackers encrypt information on victims’ systems and then demand a ransom before giving the victims back access to their files. In the past, these attacks were aimed primarily at individual consumers. However, in the past 2 years ransomware attacks have dramatically shifted focus toward businesses and institutions, including government agencies. According to a report by Malwarebytes, there was a 263% increase in ransomware targeting organizations in the second quarter of 2019.

Easy Money

So what exactly has led to the increase in ransomware attacks against businesses? Well, while there are a number of factors contributing to this trend, the main answer is money. According to the Malwarebytes report, attackers found that focusing on businesses provides a larger and more consistent return on investment. Not only do hackers expect businesses to have more money than individual consumers, the loss of data can prove more harmful and costly for an organization than for a single person. This gives businesses a larger incentive to pay up. What’s more, ProPublica has written a series of articles detailing how insurance companies and other firms offering ransomware solutions often opt to simply pay the ransom rather than work to unlock encrypted files by other means. Hackers are therefore becoming more and more confident their victims will cough up the money.

However, ransomware attackers are also learning they don’t even need the ransom to make money off their attacks. Ransomware-as-a-service (RaaS) is a growing business model on the dark web, where groups build and sell ransomware kits to those without the technical know-how to carry out an attack on their own. RaaS has therefore made ransomware a more accessible method of attack, contributing to the rise in attacks we have seen in the past few years.

Protect and Prepare

Given the dramatic rise in ransomware attacks against organizations, every business needs to invest time and energy in protecting against and preparing for the possibility of a ransomware attack.

Protecting yourself from a ransomware attack largely involves getting back to the basics of cybersecurity. Upgrading and patching outdated operating systems and software regularly, using anti-virus and malware protection, and restricting access privileges only to those who need them will all help to decrease the risk of an attack. Regular penetration tests and vulnerability scans will show the areas in your systems that need the most protection. Routinely backing up your systems and information and testing those backups is also essential. If a ransomware attack locks up your files, having a recent backup of your information could be one way to ensure access without paying a ransom.
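The “test those backups” advice above is the part most often skipped. The following script is an added example, not code from the original post or from any vendor named here; it builds a small constructed data set, archives it, records a SHA-256 checksum, and then proves the archive is actually restorable by extracting it to a scratch directory and comparing it byte-for-byte with the source. A backup that fails any of those three steps would be useless on the day ransomware hits, which is exactly when you find out if nobody tested it. All paths and sample files are constructed for the example.

```shell
#!/bin/sh
# Added example: create a backup, checksum it, and prove it restores cleanly.
# Everything here (sample data, paths) is constructed for a self-contained run.
set -eu

# Build a tiny constructed data set standing in for business records.
make_sample_data() {
    dir="$1"
    mkdir -p "$dir/records"
    printf 'patient-id,visit\n1001,2020-03-02\n' > "$dir/records/visits.csv"
    printf 'invoice 42: paid\n' > "$dir/records/invoice.txt"
}

# Archive directory $1 into $2 and write a SHA-256 manifest next to it.
# Keep the manifest (and ideally the archive) somewhere the production
# network cannot overwrite, so a later infection cannot silently alter it.
backup_dir() {
    src="$1"; archive="$2"
    tar -C "$src" -czf "$archive" .
    sha256sum "$archive" > "$archive.sha256"
}

# Restore test: returns 0 only if the archive is intact, extracts, and the
# restored tree is identical to the source. Any failure returns 1.
verify_backup() {
    src="$1"; archive="$2"
    restore="$(mktemp -d)"
    ok=0
    # 1. checksum matches the manifest (detects corruption or tampering)
    # 2. the archive actually extracts
    # 3. restored contents are byte-identical to what was backed up
    if sha256sum -c --quiet "$archive.sha256" \
       && tar -C "$restore" -xzf "$archive" \
       && diff -r "$src" "$restore" > /dev/null; then
        ok=1
    fi
    rm -rf "$restore"
    [ "$ok" -eq 1 ]
}

# Stand-alone demonstration: back up the constructed data and verify it.
work="$(mktemp -d)"
make_sample_data "$work/data"
backup_dir "$work/data" "$work/backup.tgz"
if verify_backup "$work/data" "$work/backup.tgz"; then
    echo "backup verified: $work/backup.tgz restores cleanly"
else
    echo "backup FAILED verification" >&2
fi
```

Run this on a schedule against real backup archives, and treat a verification failure as an incident in its own right: a backup you cannot restore is not a backup.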

However, even if you take every possible preventative measure, you can’t just assume you won’t be targeted. Given the dramatic increase in ransomware attacks, it is essential to also plan your response if something ever happens. Incident response teams should therefore understand the response plan and simulate ransomware attacks to ensure preparedness and find ways to strengthen your response should the worst happen.

Are These the Cybersecurity Guidelines “To Which Nobody Can Deny”?

It may seem that when you’ve seen one set of cybersecurity guidelines, you’ve seen… one set of cybersecurity guidelines. Every vendor, every regulation, every client is looking for something similar, but not quite the same, when it comes to cybersecurity. Maybe there’s some hope, for U.S. businesses at least, coming from the Securities and Exchange Commission.

At the end of January, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released a report of cybersecurity guidelines based on observations made during “thousands of examinations of broker-dealers, investment advisers, clearing agencies, national securities exchanges and other SEC registrants.” The report details a series of cybersecurity practices within 7 key areas of concentration:

#1 Governance and Risk Management

The report emphasizes the role senior leadership needs to play in defining and implementing cybersecurity strategies for the organization. Board members and other senior leaders should oversee the adoption and regular updating of policies and procedures based on an organization-specific risk assessment as well as establish proper communication channels regarding cyber threats throughout all levels of the organization.

#2 Access Rights and Controls

The report also highlights the need for organizations to limit access to sensitive information only to those who need it for specific and legitimate purposes. The OCIE recommends organizations frequently reevaluate access privileges and implement systems to monitor unauthorized access attempts.

#3 Data Loss Prevention

The OCIE also outlines a number of steps organizations should take towards preventing the loss or exposure of sensitive information. This includes measures such as frequent vulnerability scans, encryption and network segmentation, and insider threat monitoring.

#4 Mobile Security

Organizations should also have policies and monitoring systems in place for the use of mobile devices for business purposes. The OCIE recommends training employees on mobile security as well as requiring the use of multi-factor authentication for any business applications used on mobile devices.

#5 Incident Response and Resiliency

Developing and testing a response plan for cybersecurity incidents is also an important area for organizations to concentrate on. The OCIE recommends assigning and training specific staff members in incident response, simulating an incident to test response effectiveness, and updating the response plan based on testing.

#6 Vendor Management

Because vendors may have access to an organization’s information, the OCIE also recommends implementing policies to assess and monitor vendors’ security posture. This includes reviewing vendor contracts and implementing a vendor management program.

#7 Training and Awareness

Lastly, the OCIE encourages organizations to provide cybersecurity training for all employees. Organization leadership should develop the training based on their specific security policies and use training programs that actively engage employees.

Implications

While the cybersecurity guidelines that the OCIE outlines cannot ensure compliance or prevent liability concerns, many consider the report as a strong and practical roadmap for organizations to consider. In an article for the Legal Intelligencer, Devin Chwastyk laments the legal ambiguity of what is considered “reasonable care” with regards to safeguarding sensitive information and sees the steps outlined in the SEC’s report as offering “practicable (and understandable) advice on how [organizations] might start to try to avoid liability for a data security incident.” The National Law Review also notes that, while the report is aimed at the financial sector, it provides “helpful benchmarks” for a variety of industries. Moreover, given the SEC’s strong focus on cybersecurity in the past few years, there is speculation that this report could help inform regulation enforcement determinations in the future.

2.4 Billion

That’s the number of records that, according to Identity Force, have been accidentally exposed since the beginning of the year.

In other words, someone misconfigured their systems to provide access to unencrypted data or accidentally emailed them to the wrong person.

And that does not include the hundreds of millions of records that were exposed on Facebook this year.

Pogo had it right. I see the enemy and he is us.


Making it Real

I just finished working on a cybersecurity policy for a relatively small dental practice in a large midwestern city. The practice’s IT consultant with whom I was working was pleased with the results and said that this Practice was now “miles ahead of the other dental practices” in terms of its cybersecurity posture. He added that many of the Practice’s competitors had “one or two” pieces of paper to describe their cybersecurity posture, which he said was “one or two pages longer than it needed to be” to describe the security they actually had in place.

I guess we shouldn’t be surprised. Despite the headlines about data breaches or regulatory fines or lost revenue, cybersecurity for many firms remains an abstraction. And when you are focused every day on real issues with customers, patients and staff, abstractions come last.

The way to encourage businesses to focus on either risk or opportunity is to make the abstraction real and to provide a game plan which brings value to all who are involved.

Making It Real

In order to “make it real” for the business, you need three things: 1) a compelling (and simply told) story with characters similar to the audience; 2) a financial picture of the situation; 3) a happy ending. Cybersecurity tells a lot of stories, almost all of which are fear-based. That’s engaging to a point, but often the fear doesn’t seem relevant and it is out of context with the situation. It’s scary to think Equifax can be breached and 147 million records exposed, but what does that have to do with my Dental Practice? If you tell me a story about a ransomware attack on a dental practice which cost the business $500,000, and that I have a 10% chance of experiencing a $20,000 ransomware loss and a 90% chance of a $1,000,000 loss, I have something to understand. Then if you tell me that if I do A, B and C I can reduce my probabilities by better than half, I see a happy ending.

Bringing Value

Someone once told me that the way they view cybersecurity regulation is like a law which states that if a thief breaks into a house and steals stuff, the homeowner is arrested. Cybersecurity has been framed as a protection against the financial impact a business incurs when bad guys do something to us. That creates a friction in our minds and pushes us away from wanting to invest in protection against something that we wouldn’t do ourselves.

Instead, cybersecurity should really be framed in terms of reputation and brand. It’s part of the care and service that you bring to your customers, the respect that you have for them and the trust you want them to have in you. Reputational value is a combination of a lot of factors, but in today’s digital age, data privacy is a true (and marketable) benefit.

Telling stories with financial relevance that show the true value of cybersecurity to all stakeholders is difficult. But if we want to make inroads in cyber protection, we will need to do so.