Thursday, May 5, 2016

3rd Party Risk Assessments

In today's business world, IT risk plays an important role. Every business executive understands risk and the need to balance "risk and reward" effectively, and has a good handle on risks such as credit risk, operational risk and market risk, among others. In many instances this is reinforced by regulatory requirements. Still, most businesses fail to measure IT risk appropriately, and some entirely fail to incorporate third-party IT risk.
In an era where cyber-attacks are imminent, it is increasingly important for businesses to understand their IT risk, and specifically their third-party risk. According to a recent report by Booz Allen Hamilton, third parties were the number-one security risk to financial services firms in 2015.
Some businesses are making an effort to review their third-party agreements and to include cyber security requirements and annual reviews in their contracts, but is this enough?
Third-party security risk management requires regular reassessments to ensure that security, privacy and compliance are in order. Though most vendors prefer multi-year agreements, risk assessments should be an annual practice. Maintain a quality IT risk assessment questionnaire to elicit responses from your third parties. As a best practice, you should also reassess risk and security posture whenever contracts are updated or changed. A key point worth mentioning here is to pay attention to the tone of the responses, not just their content. Your questionnaire should elicit responses, and possibly discussions, from the service provider; it should not be a simple binary "Yes"/"No" checklist.
Now, this could be burdensome for many organizations. In such cases you may be able to lean on MSSPs to provide resources for this effort. Independent third-party certifications like SSAE 16, SOC 1 and SOC 2 or ISO 27001 may be of value too. "SecurityScoreCard.com" is also a good resource. Don't forget to ask for evidence of a recent DR/BCP test, incident response test and risk assessment reports. Keeping track of these results and documenting them year over year will go a long way in helping track the provider's progress over time.
Communication processes, or "who notifies whom, of what, when and how", are very important. Lay down clear guidelines about data ownership, breach notifications and subpoenas, and the responsibilities of each party. Understand where the hand-offs occur and who is responsible. Prefer titles to names.
Businesses are constantly changing and evolving, and so should the relationship with your third parties. Third-party due diligence will help maintain a healthy relationship with them, and with a good understanding of security risks your business can innovate, grow and reach its goals.

Wednesday, May 4, 2016

CyberSecurity A Priority

When it comes to cyber security, corporate executives are either woefully underprepared or completely ignorant of the potential threats their organization may face from a cyber-attack. Even those who have the will and the requisite technology to prevent such an attack, and who stay up to date with current trends and newer threats as they emerge, are still equally vulnerable. But how is that exactly? How real is the cyber security threat to your organization? Let's begin by looking at the numbers.

What the statistics say

The data on cyber security threats is distressing, and not just because of the innovative nature of the attacks. The real cyber security threat emerges from organizations' lack of preparation to stave off potential attacks. This is where we come face to face with the stark reality. Many surveys and research reports highlight this lack of preparation, or sometimes even a lack of basic understanding of the issue.

Let's begin with the most recent survey, conducted in April 2016. A staggering 90 percent of the surveyed corporate executives stated that they were unable to comprehend a cyber-security report and were not sufficiently prepared to handle a major attack. Even more surprising was that around 40 percent of executives believed they could not be held responsible in case of hacking or loss of customer data.

This, then, leads us to conclude that the biggest cyber security threat to any organization is the failure of the executives to recognize the lack of cyber security as a threat. It’s a troublesome thought, one that quite clearly bothers Dave Damato, chief security officer at Tanium, who conducted the survey. “I think the most shocking statistic was really the fact that the individuals at the top of an organization — executives like CEOs and CIOs, and even board members — didn't feel personally responsible for cyber security or protecting the customer data,” said Damato. “As a result they're handing this off to their techies, and they're really just placing their heads in the sand right now.”
Damato's words cut to the core of the problem: cyber security is treated as an IT problem. Usually it is relegated to the dark corners of the office, and the technical staff is left to deal with it. This blatant disregard for securing sensitive customer and financial information, combined with management's lack of initiative, leads to half-baked cyber security measures, as Trustwave's State of Risk Report suggests. A majority of the organizations surveyed had partial or no methods at all in place to control and track sensitive data.

The nature of the threats

Apart from the aforementioned problems, the nature of the looming cyber security threats is also disturbing. Each year, cyber attacks grow both in number and in destructive capability. Symantec's Internet Security Threat Report lays out this problem in great detail. According to the report, the company discovered an astounding 430 million new unique pieces of malware in 2015 alone, a 36 percent increase from the year before. And this is just the number of threats encountered by one cyber-security company, out of the many that are out there.

The report also states that over half a billion personal records were lost or stolen in 2015. But this is not even the tip of the iceberg; the real problem lies underneath. A lot of companies simply don't report the data breach. "In 2015, more and more companies chose not to reveal the full extent of the breaches they experienced," according to the report. "Companies choosing not to report the number of records lost increased by 85 percent."

What needs to be done?

This is the big question that all organizations need to answer. Yes, cyber security poses a real threat, but what can organizations do to prevent security breaches? Fortunately, we have some answers. Here are some of the steps your organization may take to counter cyber security threats.

Better management

The most significant way for organizations to handle cyber security is to get involved at the top management level. Leaving it for the technical staff to deal with will not bring you any closer to the solution. In fact, it would do just the opposite. Executives need to step up to the task and take responsibility for their actions.

“Gone are the days when cyber security was considered just an IT issue,” says Stuart R. Levine. “Now, it requires a multi-disciplinary approach for preparedness, oversight and execution. For board members, cyber security preparedness is an enterprise risk management priority, involving both management and the board.”

Employee training

One of the biggest cyber security threats facing your organization is the carelessness of the employees who handle sensitive information. Using weak passwords, losing mobile devices containing sensitive company information, and clicking on suspicious links are some of the employee actions that threaten the security of the company.

Therefore, companies need to train their employees comprehensively on cyber security and on the proper way to handle company information. By learning to protect themselves online, employees can also be better prepared to handle company data.

Data encryption and security updates

Data encryption and running patch management programs for potentially vulnerable software are two of the most basic steps that you can take to prevent cyber-attacks. It is essential not just to encrypt all cloud-based data but to use strong encryption, for instance AES with 256-bit keys. It is equally essential to regularly update and patch all office software to protect it against the latest cyber threats.

Only with a comprehensive approach, focusing on all possible weak points, can your organization ensure maximum cyber security.

Tuesday, May 3, 2016

Bangladesh Bank Heist

The Bangladesh Bank hack is one of the biggest bank heists in global financial history. There have been larger scams and scandals, but among cyber heists from a single bank, this one takes the cake.
The heist of over $80 million sent shock-waves through the global financial system, and security experts scrambled to find out how it had happened. Political and administrative authorities played the blame game, as was expected of them. Resignations were offered and statements were issued. It was complete chaos.
Now the storm is over and the dust seems to be settling, and as the bigger picture comes into focus it is becoming clearer what exactly went wrong.

How it happened

It all began on one fateful Friday with a printer failure. On 5 February 2016, Jubair Bin Huda, the bank's joint director for accounts, discovered the printer failure, which left him unable to collect the previous day's transactions, the Financial Times reports. The printer failure was just the tip of the iceberg, though. Three days later, the bank discovered that the printer was not the only thing that had failed. The magnitude of the theft suggested that the bank's cyber security system had not fared much better.
The hackers managed to break into the bank's security system and transferred more than $80 million from the bank's account at the New York Federal Reserve to multiple bank accounts located in Sri Lanka and the Philippines. A significant number of the transfer requests, 30 out of 35, were blocked by the Federal Reserve, saving the bank a loss of $850 million. But the five requests that managed to pass through, amounting to more than $80 million, were devastating enough in their consequences.
Security analysts suggest that the attackers did it by installing malware on one of the bank's computers, which enabled them to spy on the bank's monetary activities for weeks and observe how money transfers took place.
Investigators believe that the heist involved hackers utilizing a Remote Access Trojan (RAT). Through this, they were able to secure remote control of the bank's computers to initiate funds transfers. It may have taken the hackers almost a year of planning and preparation, which involved opening multiple accounts in various banks in the Philippines and Sri Lanka using fake documentation. It is ironic, though, that despite all the meticulous planning, a typo in a transfer request turned out to be the Achilles heel and helped uncover the entire operation.
According to the BBC, the bank didn't have a firewall and used cheap $10 internet routers. This made the malicious actors' job very easy. Good prevention and detection controls would at least have helped detect the whole operation much sooner.

SWIFT software security

Perhaps the most troubling aspect of the whole episode was that the hackers managed to hack into the SWIFT software. SWIFT lies at the heart of the global financial system; it is a network that connects the majority of the world's financial institutions and enables them to send and receive information about financial transactions.
However, it was the bank's systems and controls that were compromised, not the software, according to independent security consultant William Murray. "The SWIFT software behaved as it was intended to, but was not operated by the intended person or process. This is a bank problem, not a SWIFT problem."
The major take-away from this is that financial institutions must pay extra attention to protecting the computers on which the SWIFT software is installed.

Takeaways

Cyber Security is not an IT problem

It is a business problem. Businesses should view cyber risk on a par with operational, regulatory and financial risk. Unfortunately, most organizations' boards fail to recognize this.
Lutfus Sayeed, an Information Systems professor at California State University, believes that cyber security must be incorporated into any organization's central business strategy. IT security must have a seat in the boardroom, at the executive table. It must not be viewed as a specialized function detached from the core business processes.

Cyber Security is not a checklist

Security should not be a compliance checklist, regulatory or otherwise. You will never be secure by being compliant, but you will always be compliant by practicing good security processes. A learned friend, who was involved in ensuring that a major card compliance program was implemented at banks worldwide, reveals that many banks in the East would simply write off compliance fines and pay them rather than comply. They consider it more cost-effective.
The Bangladesh Bank heist has hopefully driven home the point that cybersecurity cannot be an afterthought. The business impact of poor cybersecurity practices is harsh and real.

Cyber Security needs attention

Cyber security is a critical business function that needs attention. Organizations that do not have the resources to manage cybersecurity should look to Managed Security Service Providers for assistance. There are several benefits to engaging a Managed Security Service Provider:

a)  They are more economical than investing in personnel, software, hardware and processes yourself.
b)  They provide round-the-clock monitoring, which most businesses can't do themselves. Remember, attackers don't adhere to your working hours, so it is important to have a team that monitors your systems around the clock.
c)  They are more efficient at responding to cyber threats. MSSPs, due to the nature of the business they are in, have more threat intelligence and are able to respond faster than most businesses can themselves.
d)  They have dedicated teams to handle cyber threats, and can provide rapid staff augmentation or send skilled analysts onsite to handle the situation.

Assume Compromise

Always assume your business has been compromised. APTs have been known to exist in businesses' IT systems for many years without being detected. It is safe to assume that the Bangladesh Bank heist perpetrators had been inside for at least a year before they pulled off the heist. Threat hunting, the practice of assuming compromise and looking for "bad", is an exercise worth investing in. Work with your team or your provider on conducting these exercises.
The business impact of poor cybersecurity practices is harsh and real. Don't let your business fall victim to cyber threats.

Saturday, April 30, 2016

Platinum malware using Hot Patching since 2009

A group that Microsoft researchers call Platinum has been leveraging a technique known as hot patching to hide its malware from security products. The group has been using this technique effectively since 2009 and has possibly infected many Asian government, defence and intelligence agencies.

The group has traditionally used spear phishing against specific organizations and individuals as its main attack vector, following it with exploits for zero-day vulnerabilities to install custom malware. To remain stealthy, it launches only a few attack campaigns each year. The custom malware used by this group has self-deletion capabilities and is designed to hide in the target's peak traffic by operating only during the target's business hours.

Hotpatching is an obscure feature that was first introduced in Windows Server 2003 and allows dynamic updating of system components without a system restart. Hotpatching was removed in Windows 8 and later versions because it was rarely used; during the 12-year support life of Windows Server 2003, only 10 patches used this technique. The potential use of hotpatching as a stealthy way to inject malicious code into running processes was described by security researcher Alex Ionescu at the SyScan security conference in 2013, and it is his technique that the Platinum group uses.

Tuesday, April 26, 2016

5 Ways to Avoid a Cryptolocker Crisis

“You are infected. If you want to use your data again, pay us 300USD.”

Cryptolocker is ransomware developed by cyber criminals that encrypts all the files on the infected computer and demands a ransom to provide the user with a decryption key. It has infected hundreds of thousands of computers all around the world and has collected up to $30 million in ransom so far. What makes this code highly destructive is that the decryption key, which is needed to regain access to the encrypted files, is held only by the hackers, and once the key is lost, the encrypted data is essentially lost forever.

So, if you don't want your computer to be infected by this ransomware, which locks all your personal and business files and restricts your access to them until you pay a ransom to the hackers, follow the five safety tips given below to minimize your exposure to Cryptolocker.

1.    Backup Everything

There's no way you can retrieve your data once Cryptolocker has infected your computer. Therefore, create regular backups. Follow the 3-2-1 backup rule to mitigate the risk of data loss due to Cryptolocker.
The 3-2-1 backup rule says:
          3 — Have three copies of your data
          2 — Keep the backups on two different media
          1 — Have one offsite backup
Also make sure that the data on your portable hard drives and USB flash drives has been backed up too, because Cryptolocker can infect your portable storage devices as well.
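To make the rule checkable rather than a slogan, here is an added example (not code from the original post) that evaluates a backup inventory against 3-2-1 and also flags data that exists only on a portable device; the inventory format, field names and sample entries are constructed assumptions.

```python
"""Check a backup inventory against the 3-2-1 rule.

Added example, not code from the original post. For every dataset it
reports whether there are at least three copies, on at least two different
media, with at least one copy offsite, and flags datasets that live only on
portable devices (USB sticks, portable hard drives) with no backup at all.
The Copy record, its field names and the sample inventory are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Copy:
    dataset: str            # which data this copy holds
    medium: str             # e.g. "internal-disk", "usb", "tape", "cloud"
    offsite: bool           # held away from the primary site
    portable: bool = False  # lives on a USB stick or portable hard drive


# Constructed sample inventory; the working copy counts as one of the three.
INVENTORY = [
    Copy("finance-share", "internal-disk", offsite=False),
    Copy("finance-share", "tape", offsite=False),
    Copy("finance-share", "cloud", offsite=True),
    Copy("hr-records", "internal-disk", offsite=False),
    Copy("hr-records", "internal-disk", offsite=False),  # same medium again
    Copy("hr-records", "internal-disk", offsite=True),   # offsite, but still disk
    Copy("field-photos", "usb", offsite=False, portable=True),  # USB drive only
]


def evaluate_321(copies):
    """Return {dataset: {copies, media, offsite, portable_only, compliant}}."""
    by_dataset = defaultdict(list)
    for c in copies:
        by_dataset[c.dataset].append(c)
    report = {}
    for name, held in by_dataset.items():
        media = {c.medium for c in held}          # distinct media types
        offsite = any(c.offsite for c in held)
        portable_only = all(c.portable for c in held)
        report[name] = {
            "copies": len(held),
            "media": len(media),
            "offsite": offsite,
            "portable_only": portable_only,
            # 3 copies, 2 media, 1 offsite: all three must hold
            "compliant": len(held) >= 3 and len(media) >= 2 and offsite,
        }
    return report


def failing_datasets(copies):
    """Sorted names of datasets that do not meet the 3-2-1 rule."""
    return sorted(n for n, r in evaluate_321(copies).items() if not r["compliant"])


if __name__ == "__main__":
    for name, r in evaluate_321(INVENTORY).items():
        status = "OK  " if r["compliant"] else "FAIL"
        note = " (portable device only, never backed up)" if r["portable_only"] else ""
        print(f"{status} {name}: {r['copies']} copies, {r['media']} media, "
              f"offsite={r['offsite']}{note}")
```

In the sample, hr-records fails because all three copies sit on the same medium, and field-photos fails because it exists only on a USB drive that Cryptolocker could reach.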

2.    Cleanup Your Machine

When you have no other choice than to pay the ransom, make sure that you have taken every possible measure to prevent the spread of this highly virulent infection. Disconnect the infected machine from the internet, turn off cloud backup services, and remove any portable storage device connected to the computer. Don't forget to report the cyber crime to the relevant local or federal authority.

3.    Don’t Open Suspicious Emails

No matter how strong the temptation, never open unsolicited emails or emails that arouse suspicion or a sense of urgency. If you have accidentally downloaded an attachment that looks dodgy, immediately run an anti-virus program to remove any malicious code present in it before it damages your computer.

4.    Control the Access Rights of Your Employees

The BYOD culture and the excessive use and sharing of encrypted data have made networks more vulnerable to different types of ransomware. Review the access rights of your employees and grant only what's necessary. Also, educate your network users on best data handling practices and tell them to contact IT security personnel if they suspect an infection.

5.    Patch to Protect

Cyber criminals are exploiting vulnerabilities in Microsoft and Adobe products to gain access to users' computers and infect them. Therefore, keep your systems updated with the latest virus definitions and patches.

Using these tips, you can minimize your chances of a Cryptolocker infection.