2.4 Billion

That’s the number of records that, according to Identity Force, have been accidentally exposed since the beginning of the year.

In other words, someone misconfigured their systems to provide access to unencrypted data or accidentally emailed them to the wrong person.

And that does not include the hundreds of millions of records that were exposed on Facebook this year.

Pogo had it right.  I see the enemy and he is us.


Making it Real

I just finished working on a cybersecurity policy for a relatively small dental practice in a large midwestern city.  The practice’s IT consultant with whom I was working was pleased with the results and said that this Practice was now “miles ahead of the other dental practices” in terms of its cybersecurity posture.  He added that many of the Practice’s competitors had “one or two” pieces of paper to describe their cybersecurity posture, which he said was “one or two pages longer than it needed to be” to describe the security they actually had in place.

I guess we shouldn’t be surprised.  Despite the headlines about data breaches, regulatory fines or lost revenue, cybersecurity for many firms remains an abstraction.  And when you are focused every day on real issues with customers, patients and staff, abstractions come last.

The way to encourage businesses to focus on either risk or opportunity is to make the abstraction real and to provide a game plan which brings value to all who are involved.

 Making It Real

In order to “make it real” for the business, you need three things:  1) a compelling (and simply told) story with characters similar to the audience; 2) a financial picture of the situation; 3) a happy ending.   Cybersecurity tells a lot of stories, almost all of which are fear-based.  That’s engaging to a point, but often the fear doesn’t seem relevant and it is out of context with the situation.  It’s scary to think Equifax can be breached and 147 million records were exposed, but what does that have to do with my Dental Practice?  If you tell me a story about a ransomware attack on a dental practice which cost the business $500,000, and that I have a 10% chance of experiencing a $20,000 ransomware loss and a 90% chance of a $1,000,000 loss, I have something to understand.  Then if you tell me that if I do A, B and C I can reduce my probabilities by better than half, I see a happy ending.

 Bringing Value

Someone once told me that the way they view cybersecurity regulation is like a law which states that if a thief breaks into a house and steals stuff, the homeowner is arrested.  Cybersecurity has been framed as a protection against the financial impact a business incurs when bad guys do something to us.  That creates friction in our minds and pushes us against investing in protection from something that we wouldn’t do ourselves.

Instead, cybersecurity should really be framed in terms of reputation and brand.  It’s part of the care and service that you bring to your customer, the respect that you have for them and the trust you want them to have in you.  Reputational value is a combination of a lot of factors, but in today’s digital age, data privacy is a true (and marketable) benefit.

Telling stories with financial relevance that show the true value of cybersecurity to all stakeholders is difficult.  But if we want to make inroads in cyber protection, we will need to do so.


iPhone Hack Serves as a Wake-Up Call for Users

Last week, Google’s counterespionage group, the Threat Analysis Group (TAG), published findings on a malware attack that targeted iPhones for “at least two years.” The hack consisted of what is known as a watering-hole attack, where hackers install malware onto specific websites and visitors of those sites unknowingly download the malware to their device. Once installed, hackers were able to monitor user activity and export sensitive information such as passwords, contacts, messages (including encrypted conversations through apps like WhatsApp), and location data.

Google’s TAG team discovered the attack this past January. They notified Apple of the issue on the 1st of February and Apple released a security update seven days later that brought an end to the vulnerability. However, while the update removed the malware from infected iPhones, any information taken by the attackers remains in their hands.

Despite the in-depth look at the attack that Google released, information on who was behind the attack, what websites were infected, and whose data was stolen has not been verified by either Google or Apple. However, since Google’s report, a number of news sources have started to fill in the pieces. Because of the highly sophisticated nature of the attack, many quickly speculated the attack was nation-state backed. Then, over the weekend, TechCrunch released an article with sources claiming the attack infected websites designed to target China’s Uyghur minority. A day later Forbes confirmed TechCrunch’s report, also reporting that the attack targeted Android and Windows users too. Google and Apple, for their part, have not confirmed these reports.

Unanswered Questions 

News of the attack has raised a lot of questions. Among them, why are we just learning about all this now? While Apple did make note of the exploits in their February update announcement, the language used was such that the scope of the attack was completely unknown until now. While it is always important to apply updates to any device as quickly as possible, it’s possible that without understanding the severity of the attack, many users could have left themselves exposed by putting off the update for another day. 

Another reason this news is so important is that Apple is often considered to have some of the most advanced cybersecurity defenses out there. Because of the perception that Apple products — and iPhones in particular — are safe from attack, users may not properly understand the risks posed. As Ian Beer, author of the Google report, says, “real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you’re being targeted.”

While this news doesn’t mean iPhone users should go throw their phones away, it does serve as a wake-up call. No matter the device, all users need to take steps to ensure their information remains protected, the least of which is updating devices quickly. Because, as Beer states, “for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

Context Matters

When it comes to threat detection, there are plenty of security controls out there that can help detect attacks within your network. And while these security controls are certainly useful, they don’t really give you the big picture of what happened. 

Context matters. This is why proper event logging is such an important component of any organization’s cybersecurity posture. Simply stated, event logs create an audit trail of all activity across your networks: from firewall activity, to software updates, to remote access. These logs provide the data necessary to properly analyze your network and, if an incident occurs, to understand the overall context of what happened, how and why.

How Logs Can Help

Threat Identification and Prevention

In order to know what your network looks like when something goes wrong, you first need to understand what your network looks like when everything is working normally. Using event logs helps create a profile of normal network activity in order to keep a baseline. Once you know what normal activity within your network looks like, logging can then help identify any activity outside of this norm.

By being able to identify unusual activity, event logs can be an invaluable tool in preventing attacks before they actually occur. When properly utilized, event logs are able to provide early warning signs of an attack and allow organizations to respond before the intruders can cause damage.
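The baseline-then-deviation approach described above, as an added example that is not part of the original post: a small Python script builds a per-user profile of source addresses and login hours from a “normal” window of constructed remote-access log lines, then flags later logins that fall outside it. The log format, user names and addresses are all made up for the illustration; a real baseline would be built from weeks of data rather than a handful of lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample remote-access log lines, not taken from any real system.
BASELINE_LOGS = """\
2019-08-05T08:12:44 vpn login user=alice src=203.0.113.10 result=ok
2019-08-05T08:30:02 vpn login user=bob src=198.51.100.7 result=ok
2019-08-06T09:05:19 vpn login user=alice src=203.0.113.10 result=ok
2019-08-06T17:48:51 vpn login user=bob src=198.51.100.7 result=ok
2019-08-07T08:01:13 vpn login user=alice src=203.0.113.11 result=ok
"""
NEW_LOGS = """\
2019-08-12T08:20:05 vpn login user=alice src=203.0.113.10 result=ok
2019-08-12T03:14:27 vpn login user=alice src=192.0.2.55 result=ok
2019-08-12T10:02:40 vpn login user=carol src=198.51.100.9 result=ok
"""
LINE_RE = re.compile(r"^(\S+) vpn login user=(\S+) src=(\S+) result=(\S+)$")

def parse(text):
    """Yield (timestamp, user, src_ip, result); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def build_baseline(text):
    """Per user, record the source addresses and login hours seen during normal operation."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ts, user, src, result in parse(text):
        if result == "ok":  # only successful logins define "normal"
            baseline[user]["srcs"].add(src)
            baseline[user]["hours"].add(ts.hour)
    return baseline

def find_anomalies(baseline, text):
    """Return (user, src, timestamp, reasons) for every login outside the baseline."""
    findings = []
    for ts, user, src, result in parse(text):
        reasons = []
        if user not in baseline:
            reasons.append("unknown user")
        else:
            if src not in baseline[user]["srcs"]:
                reasons.append("new source address")
            if ts.hour not in baseline[user]["hours"]:
                reasons.append("unusual hour")
        if reasons:
            findings.append((user, src, ts.isoformat(), reasons))
    return findings
```

Running `find_anomalies(build_baseline(BASELINE_LOGS), NEW_LOGS)` reports the 3 a.m. login from an address never seen for that user and the login by a user with no baseline at all, while the routine morning login passes silently.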

Post-Breach Recovery and Forensics

If, despite best efforts, a data breach does occur, event logs continue to be an important resource. After an attack, logs can, first and foremost, help organizations determine the scope of an attack, assess the damage and isolate the incident, ensuring it doesn’t spread to other parts of your network.

Logs also provide the information necessary to understand how an attack occurred in the first place. By providing the overall context of an incident, event logs help organizations understand not only what happened, but how they can prevent similar attacks from happening in the future.

Managing Logs

Despite the value event logs provide, many organizations neglect to use them. Because logs create a trail of everything that happens on your network, they can be difficult to store and daunting to manage. While logs don’t need to be kept forever, it’s important to have enough space to maintain log trails for a certain period of time. Logs can take up a lot of space, but if you overwrite them too soon, you may lose critical information.

This is where Security Information and Event Management (SIEM) systems come in. While businesses should decide on log filtering and storage policies that work for them, SIEM systems can help automate this process to ensure that the policy is effectively managed. SIEM systems also help analyze the often overwhelming amount of information event logs provide, and even create alerts when they notice a potential problem.

Combining event logs and SIEM systems goes a long way toward providing organizations the necessary context to understand threats to their networks. Logs can provide tailor-made insight into an organization’s vulnerabilities. What’s more, logs can even help mitigate the regulatory consequences of a breach, by providing evidence that an attack wasn’t a result of company negligence. At the end of the day, when event logs are properly managed, there is no more valuable resource.  

 

The Hole in the Firewall Gang

In our mythology of the American past, towns were terrorized by roving gangs who would rob one town then head to the next.  Welcome to 2019.  New technology.  Old tricks.

Recently, we wrote about a rising trend in ransomware attacks targeting local governments. Since then, news broke that 22 towns in Texas have become the latest victims of these attacks. Investigations are still underway, so information on the exact causes has yet to be released to the public. However, according to NPR, the mayor of one affected town said the attackers are asking for $2.5 million to unlock government files.

What sets this apart from the recent onslaught of ransomware news is the highly coordinated nature of these attacks. Texas officials believe the attack to be caused by “one single threat actor,” targeting specific agencies rather than entire government systems.  

Texas governor Greg Abbott classified the attack as a Level 2 Escalated Response — the second-highest level of alert in the state’s emergency response system — indicating that the scope of the incident is beyond what local responders can manage. Cybersecurity experts from the F.B.I., the Federal Management Agency, and the Texas Military have all been called in to respond.

One pattern many have noticed is the relatively small size of the towns attacked. Of the 22 towns affected, four of them have a total of 31,000 residents. In many cases, small governments have underfunded IT departments, making it difficult to maintain effective cybersecurity practices. Frequently, ransomware attacks will target systems based on opportunity. Instead of wasting the effort of cracking systems with strong security, attackers will go after those with easy access. Local governments like those of these Texas towns are therefore prime targets for these types of attacks.

News of these attacks not only shows that government ransomware attacks are on the rise, but also an increase in their level of sophistication. In an article in the New York Times, Allan Liska, the author of a recent report on government ransomware attacks, said that “if this turns out to be a new phase — because bad guys love to copycat each other — we’re going to see a continued acceleration of these kinds of attacks.”

If this news teaches us anything, it’s that public and private organizations should not wait, but put in place processes now to prevent being the next victim of a ransomware attack. All organizations should make sure that they are testing their backups regularly, patching their systems, and engaging their staff in cyber awareness training.

And rustle up a posse.  Because they are coming.
 

Calling for Backup

It’s common knowledge that we should all be backing up our data. It’s important not only in case of system errors, but also in the event of stolen data and other security breaches. But what isn’t talked about as often is testing these backups.  

This is something that Arizona Beverages found out the hard way. Earlier this year, the company found themselves victim to a ransomware attack that wiped information on more than 200 servers and networked computers. But the real trouble began when IT staff realized that their backup systems were misconfigured, effectively making it impossible to recover their data without outside help. Because of the mistake, the company spent hundreds of thousands of dollars on new hardware, software, and recovery services.

While there is nothing good about suffering a ransomware attack, having backups of your data can severely limit the consequences of the attack — as long as those backups actually work. This is why it’s essential to regularly test your backup systems.

In order to ensure their systems are backed up frequently, organizations will often automate this process. And while this can be useful, it’s important to not just assume that everything is working as expected.  

And there is more to backing up your data than the actual backup process. You want to make sure not only that you properly backed up the targeted data, but that it can be successfully restored. This includes ensuring that no file corruption occurs in the process of backing up and restoring that data. There’s no worse feeling than restoring your data only to find it completely useless.

How frequently you test your backups should be decided by each organization depending on regulatory constraints, risk assessment, and business strategy. However, whatever is decided should be incorporated into your cybersecurity policy and carried out consistently.
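The restore test described above, as an added Python example that is not code from the original post: it records a SHA-256 manifest of the data at backup time, restores the archive into scratch space, and compares the result against that manifest, so a file that is missing (the misconfigured-backup case) or altered (the corruption case) is reported instead of discovered during an outage. The sample data set, file names and the `misconfigured` switch are constructed for the illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def manifest(root):
    """Map each file under root (POSIX-style relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def make_backup(src_dir, archive, misconfigured=False):
    """Archive src_dir and return the manifest taken at backup time.
    misconfigured=True simulates a backup job whose include list silently skips a folder."""
    def keep(info):
        return None if misconfigured and info.name.startswith("./notes") else info
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(src_dir), arcname=".", filter=keep)
    return manifest(src_dir)

def verify_restore(archive, expected):
    """Restore into scratch space and diff against the manifest; [] means restorable."""
    problems = []
    with tempfile.TemporaryDirectory() as restore_dir:
        try:
            with tarfile.open(str(archive), "r:gz") as tar:
                tar.extractall(restore_dir)  # archive is our own, built just above
        except (tarfile.TarError, EOFError, OSError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = manifest(restore_dir)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"corrupted after restore: {rel}")
        problems += [f"unexpected file in restore: {rel}" for rel in restored if rel not in expected]
    return problems

def demo(misconfigured=False):
    """Build a constructed sample data set, back it up, and test the restore end to end."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "records"
        (src / "notes").mkdir(parents=True)
        (src / "schedule.csv").write_text("2019-09-03,09:00,cleaning\n")  # constructed sample
        (src / "notes" / "a.txt").write_text("constructed sample note\n")  # constructed sample
        archive = Path(work) / "backup.tar.gz"
        expected = make_backup(src, archive, misconfigured)
        return verify_restore(archive, expected)
```

`demo()` returns an empty list for a healthy backup, while `demo(misconfigured=True)` reports the folder the backup job skipped, which is exactly the kind of silent gap an automated job hides until you try to restore.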

Nothing keeps IT professionals up at night like the thought of irredeemably losing system data. Not only could months or years’ worth of work vanish in an instant, but it could end up costing tons in regulatory fines and recovery services. 

Simply put: test your backups, sleep easy.