by Doug Kreitzberg | Jul 24, 2020 | Compliance, Cybersecurity, Data Breach, Regulations
On Wednesday, The New York Department of Financial Services (NYDFS) announced their first ever cybersecurity charges against title insurance company First American for a data breach that exposed hundreds of millions of records containing sensitive information over the course of nearly five years.
The First American data breach initially occurred in October 2014 after an error in an application update left 16 years worth of mortgage title insurance records available to anyone online without authentication. These documents included information such as social security numbers, tax records, bank statements, and drivers license images. The error went undetected until December 2018, when First American conducted a penetration test that discovered the venerability. According to the NYDFS, however, First American did not report the breach and left the documents exposed for another 6 months, until a cybersecurity journalist discovered and published about the breach.
Charges against First American for their role in the data breach is the first time the NYDFS is enforcing the department’s cybersecurity regulations established in 2017. The regulation requires financial organizations with a license to operate in New York to establish and follow a comprehensive cybersecurity policy, provide training for all employees, implement effective access controls, and conduct regular venerability tests in line with a cybersecurity risk assessment.
First American is facing 6 charges, including failing to follow their internal cybersecurity policy, misclassifying the exposed documents as “low” severity, as well as failing to investigate and report the breach in a timely manner.
While the fine for a violation of the regulation is only up to $1,000, the NYDFS considers each exposed document as a separate violation. So, with up to 885 million records potentially exposed, First American could be looking at millions of dollars in fines if the charges stick.
News of the charges should serve as a wake-up call to U.S. organizations unconcerned with cybersecurity regulations. While the U.S. does not have any federal regulations, and there are a number of state regulations that have gone into effect in the past 5 years. This is merely one of what is likely many companies that will face enforcement unless they take steps now to ensure compliance.
by Doug Kreitzberg | Jul 20, 2020 | Cyber Awareness, Cybersecurity
When it comes to cybersecurity practices, there is an overwhelming amount of options available today, which can make it hard for businesses to figure out what they need. It’s easy to think you need newest and most expensive cybersecurity technology with all the bells and whistles to be protected. But the truth is that every business will have different needs and will need to develop cybersecurity practices that suit their specific business goals and strategies. If you don’t align your cybersecurity with your business objectives, chances are all your fancy security practices will end up hindering your business. There are, however, a number of critical cybersecurity practices that every business should consider. Each of these practices are all easy to implement and will leave your business a lot more secure:
1. Patching
One of the most critical cybersecurity practices is also the simplest: updating your applications and operating systems. Software updates aren’t just about adding new features, but in most cases also includes security improvements and patches to any known vulnerabilities. And while it can be tempting to put off updating your applications for another day, it is very important to install these updates as soon as you can. Hackers are constantly looking through popular applications for potential vulnerabilities, so keeping your systems up to date will help ensure the bad guys can’t exploit any weaknesses in the outdated version.
2. Access Control
Another vital component to any cybersecurity policy is controlling access to your networks, systems and data. This includes limiting employee access to areas of your system that aren’t relevant to their work. You also need to ensure that your employees are using passwords that meet certain length and complexity requirements, as well as using multi-factor authentication for all remote logins. This is especially important now that many employees are working from home.
3. Lockdown Mobile and Remote Devices
Whether employees are using company-issued or personal devices, it is important to ensure certain security settings are in place if those devices are used to access your network remotely. This includes ensuring that all devices are using a virtual private network (VPN) to keep internet data anonymous, and malware scanners to detect infected devices. Another big risk with mobile and remote devices is that potential for them to be lost or stolen. It’s therefore important to make sure your devices are encrypted and that you have a system in place that allows you to delete the data from any remote device if it goes missing. This will keep the anyone who finds the device from access any sensitive data it might contain.
4. Back up and Recovery Tests
It is also critical to keep regular backups are your most important networks and most sensitive data. This is especially important to protect yourself against ransomware attacks, where hackers lock you out of your own system. Having a backup may prevent you from having to pay to get your data back. However, it’s not enough to just keep backups, but to regularly test your recovery process. Backups will sometimes be corrupted and If you make a mistake or your backup settings are misconfigured, it’s possible you won’t be able to fully recover your data. Testing your backups regularly will ensure you can get your data back if sometime bad happens.
5. Firewall Configuration
Firewalls are essential for monitoring incoming and outgoing network traffic, and blocking any traffic that doesn’t meet your security standards. It’s often considered your first line of defense, so should be set up with care. The specific configurations you need depends on a number of factors, but overall you should make sure you don’t have any unnecessary open ports and ensure that traffic coming and going from the most critical and sensitive areas of your network have stricter traffic limitations. It’s also very important to change any default account and passwords that come with the firewall. Hackers can cause a lot of damage if they gain administrative access to your firewall, so you want to keep access to it as secure as possible.
6. Security Awareness Training
Last but definitely not least, it is critical that your employees receive security awareness training. Phishing and other social engineering attacks are now the number one cause of data breaches, meaning your employees are your frontline defense against cyber attacks. If your employees don’t know how to spot phish or business email compromise attempts, you leave your system dangerously vulnerable to attack. Simply put, by giving your employees the tools to develop safe online habits, you dramatically increase the security of your organizations.
by Doug Kreitzberg | Jul 6, 2020 | Business Continuity, Cybersecurity, Data Breach
Cybersecurity tools are important for lowering the risk of a data breach. However, if those tools are put in place without considering business outcomes, it can harm organizational goals and even, in some cases, cost lives. In the healthcare industry, for example, steps taken to recover from a data breach can lead to a drop in the quality of care. However, no matter the industry, if cybersecurity tools and businesses goals are not aligned, there will almost always be negative consequences for that business.
A study published last year in the Health Services Research Journal found that after a hospital experienced a data breach there was, on average, an additional 36 deaths from heart attacks per 10,000 patients. One of the main factors that contributes to this is a delay in treatment because of new security policies following a breach. Common tools used after a breach include additional sign-in measures such as multi-factor authentication, or automatic logout after a period of inactivity. So if someone comes into a hospital with chest pain, for example, these extra security measures delay the ability for doctors and nurses to register the patient and access health records. This is especially important to consider now, given that hacks against the healthcare industry have risen since the COVID-19 pandemic began.
Of course, this isn’t to say that there shouldn’t be any additional security measures in place after a breach Instead, the point is that it is important to align cybersecurity processes with overall business goals — even when the stakes aren’t as high as saving a life. The key is to begin with your desired business outcomes and look at the cybersecurity risks that can negatively impact those goals. Then, only once you know your specific risks do you design or apply tools that limit those risks without negatively impacting the business. This requires strong governance and communication between IT and business leadership. Failure to focus on the interplay between cybersecurity and business goals both weakens the security posture and weakens business outcomes. And that’s not a prescription for a healthy strategy.
by Doug Kreitzberg | Jun 29, 2020 | Cybersecurity, ransomware
When you think about different types of cyber attacks, ransomware might not be the first thing to come to your mind. It’s the sort of thing you might expect to see in a movie, but not in real life. The truth is, however, that ransomware is an increasingly common form of cyber attack. Government agencies, for example, are now a prime target for ransomware. However, it’s not just governments that should be worrying. According to one report, ransomware attacks against businesses rose by a whooping 263% in 2019. Business everywhere should therefore ensure they take precautions to prevent a ransomware attack and also have a plan in place if one does happen. To help, here is a list of 5 ransomware tips that all businesses should consider.
Ransomware Tip #1: Back It Up
Perhaps the most crucial way to protect yourself against ransomware is to have a robust and regular backup system in place. Any data that is sensitive or essential to business operations should be backed up on a regular basis. However, you have to be smart about it. Make sure your backups are stored offline or somewhere separate from your other networks. If a hacker gains access to your systems, you want to ensure they won’t be able to reach your backups. You should also regularly test your backups to ensure there is no corruption in the data. That way, if an attack occurs and they encrypt your data, you can be sure you have a backup to avoid paying the ransom.
Ransomware Tip #2: Use Security Awareness Training
Ransomware attackers often gain access to systems by first conducting phishing attacks or other forms of social engineering exploits. The key to the attackers success are employees who are not sufficiently trained in detecting emails that contain malicious links. This is just one of the many reasons more businesses should invest in security awareness training programs. For many forms of cyber attacks, your employees are your first line of defense, so making sure they have the tools needed to spot phishing attacks is a must.
Ransomware Tip #3: Stay Up to Date
Operating systems and software are constantly being updated to patch any known security vulnerabilities, but it can be easy to miss an update or put it off for another day. The problem is that attackers are constantly looking for these vulnerabilities and will prey on anyone who hasn’t updated their systems. Updating software, operating systems, and applications should therefore be a priority. In many cases, you are able to set up your systems to update automatically when a new patch is released.
Ransomware Tip #4: Segment and Limit Access
If an attacker gets into your system, you want to ensure they can’t access everything. It’s therefore important to segment your networks. This essentially just means keeping different elements of your network separate from each other so you can control how information flows from one to the others. This also involves implementing access controls so that users on your network are only able to access what they need for their job. These controls should be regularly evaluated. That way, if an attacker steals one of your user’s credentials, they won’t be able to access your entire network.
Ransomware Tip #5: Plan Your Response
Lastly, when it comes to ransomware, it’s important to not just try and prevent an attack, but also have have a plan in place in case one actually happens. Ransomware response should be included in every organization’s overall incident response plan, and you should have a team dedicated to carrying out the plan if an attack happens. Every organization’s response to a ransomware attack will be different, so response teams should sit down with members of the organization at various levels to ensure everyone is on the same page.
by Doug Kreitzberg | Jun 22, 2020 | Cybersecurity, Disinformation, Phishing
In 1989 the U.S. Postal Service issued new stamps that featured four different kinds of dinosaurs. While the stamps look innocent enough, their release was the source of controversy among paleontologists, and even serves as an example of how misinformation works by making something false appear to be true.
The controversy revolves around the inclusion of the brontosaurus, which, according to scientists at that time, never existed. In 1874, paleontologist O.C. Marsh discovered the bones of what he thought was a new species of dinosaur. He called it the brontosaurus. However, as more scientists discovered similar fossils, they realized that what Marsh had found was in fact a species previous identified as an apatosaurus, which, ironically, is Greek for “deceptive lizard.” Paleontologists were therefore rightly upset to see the brontosaurus included on a stamp with real dinosaurs.
Over 30 year later, however, these stamps may have something to teach us about how disinformation works today. They show how disinformation is not simply about falsehoods — it’s about how those falsehoods are presented so as to seem true.
The stamps help illustrate this in three ways:
1) Authority
One of the ways something can appear to be true is when the information comes from a figure of authority. Because the stamps were officially released by the U.S. government, it gives the information contained on them the appearance of truth. Of course, no one would think the USPS is an authority on dinosaurs, and yet the very position of authority the postal service occupies seems to serve as a guarantee of the truth of what is presented. The appearance of authority, however wrongly placed it is, is often enough for us to believe something to be true.
This is a tactic used by scammers all the time. It’s the reason why you’ve probably gotten a lot of robocalls claiming to be the IRS. Phishing emails also use this tactic by spoofing the ‘from’ field and using logos of businesses and government agencies. We too often assume that, just because information appears to be coming from an authority, it must be true.
2) Truths and a Lie
Another way something false can appears true is by placing what is fake among things that are actually true. The fact that the other stamps in the collection — the tyrannosaurus, the stegosaurus, and the pteranodon — are real gives the brontosaurus the appearance of truth. By placing one piece of false information alongside recognizably true information, that piece of false information starts to look more and more like a truth.
Fake news on social media uses this tactic all the time. Phishing attacks also take advantage of this by replicating certain aspects of legitimate emails. This might include mentioning information in the news, such as COVID-19, or even including things like an unsubscribe link at the end of the email. This tactic works by using legitimate information and elements in an email to cover up what is fake.
3) Anchoring
The US Postal Service did not invent the brontosaurus: in fact, the American Museum of Natural History named a skeleton brontosaurus in 1905. Once a claim is stated as truth, it becomes very hard to dislodge. This was actually the reasoning the US Postal Service used when they were challenged: “Although now recognized by the scientific community as Apatosaurus, the name Brontosaurus was used for the stamp because it is more familiar to the general population.” Anchoring is a key aspect of disinformation, especially with regards to persistency.
Beyond Appearances
Overall, what the brontosaurus stamp shows us is that our ability to discern the true from the false largely depends on how information is presented to us. Scammers and phishers have understood this for a long time. The first step in critically engaging with information online is therefore to recognize that just because something appears true does not, in fact, make it true. Given the continued rise of disinformation, this is a lesson that is more important now than ever. In fact, it is unlikely disinformation will ever become extinct.
by Doug Kreitzberg | Jun 15, 2020 | Cybersecurity, Incidence Response, ransomware
A hacker got into your system, but you spot the problem before the hacker has a chance to carry out an attack. Best case scenario, right? Well, it all depends on what you do next. The government of Florence, Alabama found themselves in this exact situation, but their response is now costing them nearly $300,000. Here’s what happened:
In late May, cybersecurity report Brian Krebs received a tip that hackers known for ransomware attacked gained access to Florence’s IT system. Krebs made numerous attempts to contact city officials before finally receiving a voicemail thanking him for the tip and telling him that the city took care of the issue. However, on June 5th the city announced that a ransomware attack shut down the city’s email system. The city plans on paying the hackers the nearly $300,000 ransom to restore their system.
So, what went wrong? According to city officials, when the attack hit, the IT department was in the middle of securing approval for funds to investigate and stop the attack. Local governments are often slow to act, to be sure, but officials knew about the hacker 10 days before the attack and they still weren’t prepared. The bottom line is, given the rise in ransomware attacks on public institutions, Florence officials needed to have a detailed plan in place before an attack took place. Instead, they scrambled. And, to add insult to injury, hackers accessed to the city’s systems by stealing the Florence IT manager’s credentials through a phishing attack.
How to Beat the Hackers
So, what should you do if you know you’ve been hacked but haven’t yet been attacked? Here are just a few steps you can take:
1. Have a Plan in Place
One of the main reasons Florence was slow to act is because they waited until after the hack to figure out a game plan. Instead, the city needed to have a detailed incident response plan in place. This involves first identifying what types of attacks you are most vulnerable to. Then, you need to create a detailed step-by-step response for each type of attack, and create a team of employees responsible for carrying out each of the steps. You also need to ensure you have contingency funds readily availble to carry out the plan quickly. Finally, it is important to simulate each type of attack so that the team can practice carrying out their response. Overall, the goal of an incident response plan is to deal with potential attacks as quickly and efficiently as possible.
2. Shut Down and Isolate Infected Systems
In order to keep the hackers from accessing other systems, it is important to shut down and isolate infected systems and any devices connected to it. Remove the system from your network. Disconnect the system’s wireless and bluetooth capabilities. Any devices previously connected to the infected systems should be shut down and removed from the network. Along with keeping the hack from spreading, this also limits the hacker’s ability to encrypt or damage the infected systems.
3. Secure Your Backups
Having updated and secure backups are especially important for ransomware attacks. If a hacker encrypts your data, having a recent backup of that data could save you from having to pay the ransom. There are two important caveats, however. First, it’s important that you regular test your backups to ensure your data isn’t corrupted in the backup or restoration process. Second, keeping the copies of your backups secure and offline is essential. Otherwise, it is possible for hackers to gain access to your backups and encrypt of remove them from your systems.
4. When in Doubt, Rebuild
The hard truth is, the most reliable way to shut down a hack before an attack is to completely remove the infected systems and rebuild them from scratch. Of course, the time, resources, and personnel required to do this makes it a difficult pill to swallow for many organizations. However, it is the only way to guarantee that a hack is removed from your systems.
The Bottom Line
Spotting a hack before the attack can give you the leg up on the hackers. But, as the ransomware attack on Florence, Alabama makes clear, knowing that someone accessed into your systems is not enough. You need to have a game plan ready to go and carry it out as fast as possible. Using your time and resources to prepare for an attack now will give you piece of mind, and potentially reduce the cost of a hack later.