Cyber-Security
September 28, 2012 10:00 AM | Posted by Roy Hadley |
Over the past week, several websites belonging to some of the largest banks in the country have been hacked in what experts are calling one of the "biggest cyber attacks they've ever seen." As this CNN Money article points out, the websites "have all suffered day-long slowdowns and been sporadically unreachable for many customers."
According to security experts, the "denial of service" attacks, which began on Sept. 19, are the largest ever recorded.
For all businesses, denial of service attacks are a growing and more menacing threat. Your customers can’t access your website and can’t buy your goods and services. This can be catastrophic to your company. So the question remains: What have you done to protect your business?
The CNN Money article can be read in its entirety by clicking on the link below.
CNN Money - "Major banks hit with biggest cyberattacks in history"
September 25, 2012 2:37 PM | Posted by Roy Hadley |
Homeland Security Today recently published an article that examines Congress' inability to pass "meaningful cybersecurity reform legislation," and what, if anything, President Obama can do to force the issue.
As the article mentions, there's always the possibility that the president could draft an executive order "that would for the first time give federal government the authority to set minimum cybersecurity standards for the owners and operators of critical infrastructure." In the eyes of some in the private sector, however, such a move could be met with mixed reactions.
You can read the Homeland Security Today article in its entirety here, or by clicking on the link below. Full disclosure: The article includes a quote from yours truly.
Homeland Security Today - "As Cyber Threat Grows, President Ponders Executive Action"
August 10, 2012 11:01 AM | Posted by Roy Hadley |
This from the ID Experts’ Data Breach Examiner Newsletter:
“Having a social media presence and strategy is becoming as much a business prerequisite as having a web site. The business benefits of social networking are obvious. The customers are already there—more than 150 million Americans, 800 million users worldwide— and they are constantly posting personal information that can be leveraged for pinpoint targeting of information and advertising. Businesses can easily take advantage of the information base, the growing ecosystem of Facebook-based business applications, and the Facebook application development platform. Businesses from multi-nationals to the bakery around the corner are nurturing their social media relationships and figuring out how to turn "friends" into dollars.
However, along with all the excitement about the recent Facebook IPO have come some sober reminders that social networking in general and Facebook in particular poses potentially serious and as-yet undefined risks for businesses entrusted with personal information. Last November, the FTC reached a settlement with Facebook over "unfair and deceptive practices" regarding user privacy. The FTC order stated that Facebook had, in some cases, allowed advertisers to gain personally identifiable information when a Facebook user clicked on an advertisement on his or her Facebook page, and that the company had shared user information with outside application developers despite claims to the contrary to its users. ”
Clearly, companies that are using social media outlets to promote their businesses online need to understand the applications they are using and the risks to their customer’s private information.
Are you using social media to promote your business? Is your customer’s information secure?
You can read the entire ID Experts’ article, which contains some good mitigation strategies, here.
May 29, 2012 3:33 PM | Posted by Roy Hadley |
A new, highly sophisticated computer virus has been discovered. No one has yet determined what it does but it appears to be related to the Stuxnet virus - the virus that specifically targeted Iran’s nuclear centrifuges.
Stuxnet was noteworthy because it was the first virus created for a specific purpose. It now appears that Stuxnet will not be alone.
As these types of specifically targeted “designer” viruses become more common, businesses should ask themselves, “Will I be targeted next?”
This from MSNBC.com:
“Security experts have discovered a highly sophisticated computer virus in Iran and other Middle East countries that they believe was deployed at least five years ago to engage in state-sponsored cyber espionage.
Evidence suggests that the virus, dubbed "Flame," may have been built on behalf of the same nation or nations that commissioned the Stuxnet worm that attacked Iran's nuclear program in 2010, according to Kaspersky Lab, the Russian cyber security software maker that claimed responsibility for discovering the virus.
Kaspersky researchers said on Monday they have yet to determine whether Flame had a specific mission like Stuxnet, and declined to say who they think built it.
Iran has accused the United States and Israel of deploying Stuxnet.
Cyber security experts said the discovery publicly demonstrates what experts privy to classified information have long known: that nations have been using pieces of malicious computer code as weapons to promote their security interests for several years.
"This is one of many, many campaigns that happen all the time and never make it into the public domain," said Alexander Klimburg, a cyber security expert at the Austrian Institute for International Affairs.”
You can read the entire article here.
April 3, 2012 9:46 AM | Posted by Roy Hadley |
This from Wall Street Journal:
“Concerns about credit-card security heightened Friday after a little-known Atlanta company disclosed it had been hit by hackers, potentially exposing hundreds of thousands of account holders to fraud.
Credit and debit card processor Global Payments has been hit by a security breach that has put some 50,000 cardholders at risk, Andrew Johnson reports on Lunch Break. Photo: Bloomberg News.
The breach at Global Payments, Inc. is the latest in a wave of data attacks that have heightened consumer concerns about identity theft. The card industry has been particularly vulnerable to those concerns amid a slew of big breaches in recent years as more Americans choose to pay with plastic rather than cash.”
The Wall Street Journal went on to say that “Global Payments didn't disclose what type of data had been accessed, but said it had notified ‘appropriate industry parties to allow them to minimize potential cardholder impact.’”
As these types of hacks continue to escalate, every company should ask, “How safe is our data?”
You can read the Wall Street Journal article here (subscription required).
February 14, 2012 4:29 PM | Posted by Roy Hadley |
From the Associated Press, as reported by Time.com.
“A sensitive conference call between FBI and British police’s cybercrime investigators was recorded by the very people they were trying to catch, officials and hackers said Friday.
Hacking collective Anonymous published a roughly 15-minute-long recording of a conference call apparently devoted to tracking and prosecuting members of the loosely-knit group.
The FBI said the information “was intended for law enforcement officers only and was illegally obtained.”
“A criminal investigation is under way to identify and hold accountable those responsible,” the bureau said in a statement.
It’s not clear how the hackers got their hands on the recording, which appears to have been edited to bleep out the names of some of the suspects being discussed.”
***
Are your phone calls secure? What about your email? Clearly, this story shows that all communications are vulnerable and that precautions should be taken.
What precautions are you taking?
You can read the entire AP/Time article here.
January 16, 2012 10:56 AM | Posted by Roy Hadley |
Shawn Henry, the FBI's executive assistant director and top cyber official recently stated in an interview that despite the growing prevalence of cyber crime against companies, most business owners and executives don't think that it will happen to their company. Henry went on to tell of a company that went out of business after $5 million was looted from its bank accounts and of another business that had over decades worth of research and development valued at over $1 billion stolen, "virtually overnight".
Henry stated that most hackers fit into three broad categories, "namely nation states targeting research and development, intellectual property and corporate strategies of American companies, terrorists who have shown a growing interest in using cyber attacks against critical infrastructure, and organized criminals wielding botnets (or networks of zombie computers) to attack corporate computer networks."
Cyber crime is here and is rapidly growing. What have you done to protect your company?
You can read more about the interview with Assistant Director Henry here.
January 5, 2012 2:44 PM | Posted by John Watkins |
As 2011 has come to a close, it may be remembered as the “year of the hack.” Last week, we learned of an attack on Christmas day that compromised an information security firm, supposedly putting at risk information from the Department of Defense and allegedly exposing 90,000 credit card numbers. This is only the latest in a year that has had one high-profile attack after another. In addition to hacking and data breaches, 2011 also saw a large-scale outage from a well-known cloud services provider, disrupting businesses using the service. We have reported on similar incidents since the inception of this blog.
If you think your business is not at risk, think again. Reflect on how central computers and IT have become even to “old fashioned” businesses. I can remember practicing law without a computer in my office. In those days, you relied on a dictaphone or even a legal pad to compose letters and write legal briefs, and, although our assistants had computer terminals for the mainframe, the good old IBM Selectric typewriter was there in case of a computer failure. Lawyers just a few years older than me can remember when there were no computers, and copies of letters were actually produced on carbon paper
Read the rest of this post, after the jump.
December 22, 2011 3:05 PM | Posted by Roy Hadley |
As attacks on corporate networks continue to escalate, we are seeing more and more instances of very sophisticated intrusions. The recent discovery of the breach of the U.S. Chamber of Commerce illustrates that these types of attacks will continue to progress in both their frequency and sophistication.
It is being reported that the U.S. Chamber might not have been the ultimate target but instead was potentially being used as a gateway to the networks of its members.
What are you doing to protect your networks? What are your trusted business partners doing?
Here is more on the U.S. Chamber of Commerce attack as reported at TechTarget.com:
Spear phishing attacks likely key in U.S. Chamber of Commerce breach, experts say
Robert Westervelt, News Director Published: 21 Dec 2011
A targeted attack responsible for the U.S. Chamber of Commerce breach exploited serious weaknesses in the lobbying group’s security defenses, according to security experts, and could have been a staging ground for attacks on Chamber member organizations.
Investigators have not determined how attackers infiltrated the U.S. Chamber of Commerce, but once in, the attackers stealthily targeted approximately four people involved in the Chamber’s Asian policy affairs, according to a report in the Washington Post. Experts said that while it’s unclear if spear phishing attacks were involved, they have become the modus operandi of many of the most sophisticated attacks, enabling cybercriminals to gain the initial foothold in an organization’s systems.
“Years ago we used to say people got in through server vulnerabilities, but if we look back at this year of Microsoft vulnerabilities, we see a high majority of them we would classify as client-side bugs,” said Andrew Storms, director of security operations at San Francisco-based vulnerability management vendor nCircle. “Many of these attacks require the user to take some action, but they’re taking advantage of a piece of software that is otherwise silent but the user has activated it.”
The organization learned of the attack from the FBI, and an independent team of forensics investigators said the Chamber’s systems were compromised between November 2009 and May of 2010, though investigators said the attackers may have had network access for more than a year.
You can read the entire TechTarget article here.
November 11, 2011 10:37 AM | Posted by Kevin Erdman |
The National Institute of Standards and Technology (NIST) recently released a three volume work in progress relating to U.S. government adoption of cloud computing technologies. In the preliminary discussion, the security requirement is noted as “not considered to be fully met at present.” Cloud Providers, and cloud users, should be aware of the development of federal guidelines, as a new federal standard may have a significant effect on cloud computing standards of care. The full three volumes, and related information, may be found at the NIST cloud computing center, and the deadline for comments is December 2, 2011.
While NIST is working on developing federal contracting standards for security, non-governmental entities must also be concerned about security: for compliance with data breach laws, for regulatory compliance in particular industries, and generally for marketing considerations. Despite the variety of cloud computing customers, “as-a-service” providers often take a one-size-fits-all approach to security. To keep costs down, each such cloud provider generally has a single security policy, and that policy is all it will agree to, regardless of whether it satisfies an individual customer’s particular security needs; such cloud providers seem hesitant to provide customers with unique services. A more cooperative discussion regarding the security of data may be needed, both from a contractual standpoint and a risk management standpoint, and the results of that discussion should be documented with appropriate contractual language.
Typically, outsourcing providers resist granting broad audit rights to their customers, and cloud computing “as-a-service” providers are even more reluctant. To protect their interests in the security of their data, cloud users may demand a quality audit of an “as-a-service” provider, which would require a significantly more in-depth look into the cloud computing provider’s computer systems and proprietary methods. Because a customer is relinquishing even more control of its data than under a more traditional service contract, the desire and need for an audit should be greater. These concerns are compounded if the “as-a-service” provider uses a third-party hosting company to host the data and run the “as-a-service” provider’s application. In such an instance, customers should consider requiring the right to audit that third-party host’s data centers and security systems.
October 25, 2011 11:03 AM | Posted by Roy Hadley |
FastCompany.com is reporting that the biometric data of almost every Israeli citizen has been compromised and is now available on the Internet. According to FastCompany.com:
"Authorities in the Middle Eastern country announced the arrest on Monday of a suspect responsible for the massive data theft. He's a contract worker at the Israeli Welfare Ministry who was allegedly engaged in small-scale white collar crimes after-hours and who is accused of stealing Israel's primary national biometric database in 2006. He had access to the database, which is part of the country's population registry, through his office."
The FastCompany.com article went on to say that "[T]he stolen database contained the name, date of birth, national identification number, and family members of 9 million Israelis, living and dead. More alarmingly, the database contained information on the birth parents of hundreds of thousands of adopted Israelis--including children--and detailed health information on individual citizens."
Clearly, as more governments, such as India and Germany, collect more biometric data on their citizens, the security of such information will continue to be an issue. For corporate America, this breach underscores the need to keep security at the forefront as you collect and use more and more personal information for customers and employees.
You can read the FastCompany.com article by clicking here.
October 24, 2011 3:27 PM | Posted by Jeffrey Peabody |
As the eighth annual National Cyber Security Awareness month winds down, a new survey highlights the dangerous disconnect between perception and reality among small business owners about their cyber security efforts. The survey, sponsored by Symantec and the National Cyber Security Alliance, found that more than 80 percent of small business owners believed they were safe from cyber attacks, yet relatively few took steps to eliminate the risks of such attacks by, for example, formalizing an internet security policy or preparing a contingency plan in the event of a data breach.
Perhaps more troubling, the survey demonstrated that the ill-preparedness of small businesses is not due to a lack of awareness of such risks, or an underestimation of the harm cyber attacks pose to their day-to-day operations. Indeed, two-thirds of the surveyed companies say their company is dependent on the Internet, and many of the companies indicated they deal with sensitive information such as financial records, private customer data and intellectual property.
Because the media often focuses its attention on the large, sophisticated cyber attacks that disrupt large corporations and result in massive data and privacy breaches, it is easy for small businesses to believe that they are simply not an attractive target for cyber thieves. Yet in many respects smaller businesses represent the “low hanging fruit” for such attacks, since they still deal with sensitive and valuable information. Moreover, given their smaller size, small businesses may stand to lose more from cyber attacks.
Given the ease with which cyber attacks can be launched, and the increased frequency of such attacks, small business owners would do well to re-evaluate their efforts to keep their data safe and secure.
October 18, 2011 4:24 PM | Posted by Roy Hadley |
Reuters is reporting that the United States Securities and Exchange Commission has formally asked public companies to disclose cyber attacks against them. This is the first such request by the SEC to public companies. The SEC issued guidelines last Thursday that set forth the new information that all public companies should disclose. This request follows a series of high-profile cyber attacks and other internet crimes.
According to the Reuters article, the SEC has asked for very specific information including “examples of estimates that may be affected by cyber incidents includ[ing] estimates of warranty liability, allowances for product returns, capitalized software costs, inventory, litigation and deferred revenue.”
Clearly, cyber security is becoming a high profile item as evidenced by this recent requirement by the SEC. All companies, both public and private, should evaluate their cyber security protocols and procedures and adjust them as necessary to deal with the increasing threats. You can read the rest of the Reuters article here:
http://newsandinsight.thomsonreuters.com/Legal/News/2011/10_-_October/SEC_asks_companies_to_disclose_cyber_attacks/
October 12, 2011 12:17 PM | Posted by Roy Hadley |
According to a recent article in Wired Magazine, “Two separate hacker groups whose activities are already known to authorities were behind the serious breach of RSA Security earlier this year and were likely working at the behest of a government, according to new statements from the company’s president.”
The article goes on to state that due to the sophisticated nature of the breach, RSA believes that a nation-state had to be behind the attack. Clearly, the question then becomes “which nation-state”?
I think the takeaway for businesses should be that attacks and the actors are getting more sophisticated in their actions. As such, the security of data, systems and operations should become one of a company’s top IT priorities.
You can read the Wired Magazine article here: http://www.wired.com/threatlevel/2011/10/two-hacker-groups-breached-rsa/
September 8, 2011 5:13 PM | Posted by Roy Hadley |
As companies become more and more dependent on new technologies such as cloud computing and tablets to run their businesses, cyber espionage is increasingly becoming an issue, albeit an oftentimes overlooked issue. A very nice article in the most recent issue of Foreign Policy online illustrates the growing threats faced by companies that connect their systems and operations via the internet. Essentially, the article underscores the thought that foreign companies and governments are increasingly using espionage as a way to compete and as a way to conduct “research and development." The article states that for corporate America, the cyber war is already here. What are your defenses? You can read the article here: http://www.foreignpolicy.com/articles/2011/09/06/the_calm_before_the_storm?page=0,0
September 1, 2011 11:09 AM | Posted by Roy Hadley |
According to a recent article that appeared on the “Krebs on Security” blog, a Florida-based financial institution recently fell victim to a $13 million heist, perpetrated by an international cybercrime gang. The cybercriminals in question used ATMs located around the world to cash out stolen pre-paid debit cards.
This crime is proof that cyber security and cyber crime are becoming increasingly sophisticated endeavors. As cyber criminals get smarter, cyber security professionals must work diligently to stay one step ahead of the game.
The entire “Krebs on Security” article can be accessed at the following location: http://krebsonsecurity.com/2011/08/coordinated-atm-heist-nets-thieves-13m/
August 17, 2011 2:22 PM | Posted by Roy Hadley |
The Cloud Security Alliance (CSA) has just released their Cloud Controls Matrix, version 1.1. According to the CSA website, "The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider."
For somewhat sophisticated security professionals, the Matrix is a good starting point for a security assessment framework.
The tool can be found here: https://cloudsecurityalliance.org/research/projects/cloud-controls-matrix-ccm/
August 3, 2011 10:33 AM | Posted by Roy Hadley |
This from CNET.com reporting on the new cybercrime study from the Ponemon Institute:
"A new annual study on the cost of cybercrime conducted by the Ponemon Institute has found that the expense of dealing with cybercrime is on the rise from last year.
The study, which was funded by Hewlett-Packard, found that the median cost of cybercrime to the 50 organizations it surveyed was $5.9 million per year, based on a range of $1.5 million to $36.5 million per year. That's up 56 percent from the $3.8 million median found in last year's study, which ranged from $1 million to $53 million per year.
That large median dollar amount for dealing with threats includes detection and investigation, as well as follow-through actions such as containment and recovery.
In terms of dealing with threats, the study found that the average time to address one is 18 days, resulting in an average price tag of $416,000. That's up from an average 14-day period and $250,000 per attack last year. Also up was the number of successful attacks; 72 were counted during the four-week test, marking a 45 percent bump from last year's study."
You can read the complete CNET article here:
http://news.cnet.com/8301-1009_3-20087069-83/study-cybercrime-costs-on-the-rise-from-last-year/#ixzz1TuocwR00
We will also pass along a link to the Ponemon study when it is released.
July 25, 2011 3:02 PM | Posted by Roy Hadley |
More and more clients are beginning to inquire about cyber-insurance policies to guard against data breaches and other cyber-related losses. However, when companies don’t have specialized coverages, they have to rely on their general liability coverage in the event of a loss.
For these companies, however, Reuters is reporting a potentially troubling set of events. Specifically, Reuters is reporting that:
Zurich American Insurance Co asked a New York state court in documents filed late on Wednesday to rule it does not have to defend or indemnify Sony against any claims "asserted in the class-action lawsuits, miscellaneous claims, or potential future actions instituted by any state attorney general."
Zurich American, a unit of Zurich Financial Services, also sued units of Mitsui Sumitomo Insurance, AIG and ACE Ltd, asking the court to clarify their responsibilities under various insurance policies they had written for Sony.
"Zurich doesn't think there's coverage, but to the extent there may be a duty to defend it wants to make sure all of the insurers with a potential duty to defend are contributing," said Richard Bortnick, an attorney at Cozen O'Connor and publisher of the digital law blog CyberInquirer.
Bortnick, who is not involved in the case, said that while Sony may be able to claim there was property damage as a result of the data breach, Zurich is likely to argue that the sort of general liability insurance it wrote for Sony was never intended to cover digital attacks.
What type of coverage do you have and what do your policies say?
You can read the article here:
http://www.reuters.com/article/2011/07/21/us-insurance-sony-idUSTRE76K3PY20110721
July 14, 2011 9:31 AM | Posted by Roy Hadley |
This from SC Magazine:
"The Canadian intelligence service has singled out cyber attacks as one of the biggest threats facing Canada in its latest annual report.
The Canadian Security Intelligence Service (CSIS), which is responsible for investigating threats to national security, said that politically motivated threats, or attacks against critical information infrastructure, are of particular interest to it.
Foreign states, extremists, criminals and politically motivated individuals top the organisation's list of bad actors that could use Canada's competing infrastructure against it.
Energy, finance and telecommunications are particularly vulnerable, according to the agency."
Clearly, cyber threats are increasingly appearing on the radar of both governments and private companies.
Have they appeared on your company's radar yet?
You can read the rest of the article here and can read the CSIS Report here.