Top 3 Actions Every Middle Market Executive Must Take on Cyber Incident Response

Over the last sev­er­al weeks, as sum­mer wrapped up and our kids went back to school, I’ve been talk­ing with a great bunch of mid­dle mar­ket exec­u­tives in the greater Seat­tle-area. These folks fit the pro­file of our poten­tial cus­tomers: They’re cyber risk man­agers. But, rather than sell­ing to them, I’ve been doing research to learn more about their cyber­se­cu­ri­ty needs.

Credit: Horseshoe Bay Resort

Cred­it: Horse­shoe Bay Resort

Some sub­jects come up a lot, like cyber-insur­ance. And the large num­ber of ran­somware attacks. And emails try­ing to get some­one in finance to move a ton of cash on short notice to a dark cor­ner of our plan­et.

Every now and again I hear about a real­ly meaty issue, like whether to turn on full or par­tial encryp­tion for pro­duc­tion data­bas­es. Yet some things I expect (hope?) will come up just don’t.

Like cyber inci­dent response. (Although, a cou­ple exec­u­tives have men­tioned Yahoo’s all-time record-break­ing 500 mil­lion user account com­pro­mise.)

So, I’ve tak­en it upon myself to answer the ques­tion nev­er asked: “Kip, what are the top 3 things I should do at my lev­el to pre­pare for the big cyber­se­cu­ri­ty breach I hope will nev­er come?”

Glad you asked!

  1. Believe it or not, ear­ly detec­tion of a data breach saves you mon­ey. The longer it takes to dis­cov­er a breach, the more it costs to deal with. (Just ask Yahoo, who’s in the mid­dle of being acquired.) So your first step is to ask your man­age­ment team: “How good are we at detect­ing data breach­es?” If any­one answers “Great!” ask them to walk you through how they do it. Right now, very few of us are great at it. But this will give you some idea of where you are.
  2. Cyber­se­cu­ri­ty breach­es are packed with a lot of poten­tial lia­bil­i­ty issues. To reduce your risk, all types of non-rou­tine cyber­se­cu­ri­ty events that involve peo­ple out­side your orga­ni­za­tion should be dis­cussed under attorney/client priv­i­lege. So your next step is to have a con­ver­sa­tion with an out­side attor­ney who spe­cial­izes in cyber­se­cu­ri­ty and ask them for guid­ance.
  3. Unfor­tu­nate­ly, most com­pa­nies find out they’ve suf­fered a data breached by law enforce­ment, the news media, or a cus­tomer. Ouch! The only thing worse than bat­tling a data breach is when some­one else fires the start­ing gun! Maybe that’s why Yahoo sat on their 2014 data breach for two years before telling any­one about it. So your last step is to ask your head of pub­lic rela­tions if they’re ready right now to man­age a data breach that spins out of con­trol before you’ve even had a chance to under­stand what hap­pened.

What’s on your top 3 list?

Three More No-Capex Ways to Detect Network Intruders

I pre­vi­ous­ly out­lined three strate­gies for detect­ing intrud­ers on your net­work with­out the need for a large cap­i­tal expense for spe­cial­ized sys­tems. In fact, you don’t even need a man­aged ser­vice provider.

Currency stacks

Now, as promised, here are three more ways:

  1. Using time stamps and the geolo­ca­tion of the source IP address­es, look for sim­ple irreg­u­lar­i­ties in log-ins and access pat­terns. The most obvi­ous would be an account that is log­ging in from two coun­tries so close togeth­er in time that it’s unlike­ly they are both legit­i­mate. You can access geolo­ca­tion data for free or low cost.
  2. When the HTML response sizes leav­ing your net­work are much larg­er than usu­al, that’s a sign you’ve prob­a­bly been the vic­tim of a SQL injec­tion attack.
  3. Final­ly, watch for out­bound web traf­fic where 30 or 40 brows­er win­dows are open­ing all at once. This kind of behav­ior is more like­ly a sign of an auto­mat­ed ses­sion rather than a human one.

Will you have false pos­i­tives? Yes. But you’ll also under­stand what’s con­sid­ered nor­mal on your net­work much bet­ter than you do today.

Do you have any low-cost, yet auto­mat­ed, strate­gies for net­work intru­sion detec­tion?

Three No-Capex Ways to Detect Network Intruders

Orga­ni­za­tions can do a good job of detect­ing intrud­ers who have infest­ed their data net­work with­out buy­ing and oper­at­ing an expen­sive com­mer­cial net­work intru­sion detec­tion sys­tem. You don’t even have to hire an out­side man­aged net­work secu­ri­ty provider. Check out these three pow­er­ful strate­gies for deal­ing with this cyber risk:

capex

  1. The first strat­e­gy is pos­si­bly the most pow­er­ful: Use your exist­ing admin­is­tra­tive tools to pro­duce a dai­ly report that shows all mem­ber­ship changes to all admin­is­tra­tive groups for the past 24 hours. Then assign some­one to val­i­date every change. This will tell you if some­one tries to “sneak in” through a priv­i­lege esca­la­tion.
  2. One sign that an attack­er is “bed­ding down” in your net­work to con­duct long-term sur­veil­lance is the unex­pect­ed patch­ing of sys­tems. Why? An attack­er does­n’t want anoth­er attack­er break­ing in and mess­ing up his inside access to your data net­work! So watch your vul­ner­a­bil­i­ty scans for sys­tems that don’t need a patch you nev­er pushed.
  3. To detect the stag­ing of data for exfil­tra­tion, mon­i­tor your crit­i­cal data­bas­es for sud­den, unex­plained swells in read activ­i­ty. In addi­tion, mon­i­tor all filesys­tems for large quan­ti­ties of data sud­den­ly or grad­u­al­ly appear­ing in the wrong places.

With each of these tips, I’m sure you’ll get a few false pos­i­tives. And, you’ll have to climb a learn­ing curve that keeps chang­ing as the activ­i­ty of your orga­ni­za­tion trans­forms over time. A new prod­uct launch will cause per­ma­nent changes in what’s con­sid­ered “nor­mal” on your net­work.

These are just the first three on my list. Next week I’ll give you three more. See you then!

Wi-Fi Security During Business Trips & Conferences

Although it’s often easy to use pub­lic Wi-Fi when you’re trav­el­ing, it’s also easy for some­one to eaves­drop on your Inter­net ses­sions, even with Wi-Fi encryp­tion enabled.

eavesdropping1

For exam­ple, the free net­work man­age­ment tool Wire­shark has a built-in func­tion that auto­mat­i­cal­ly decrypts net­work traf­fic as long as you input the Wi-Fi pass­word, which is typ­i­cal­ly post­ed on a sign for every­one to see.

Why do peo­ple want to view Wi-Fi traf­fic? The moti­va­tions are sim­i­lar to why peo­ple attack com­put­ers in gen­er­al: To steal mon­ey or steal secrets (e.g., pass­words, social secu­ri­ty num­bers, pend­ing busi­ness deals) that can be sold for mon­ey. Oth­ers with polit­i­cal agen­das also steal data to fur­ther their cause.

Wher­ev­er you are, avoid pub­lic Wi-Fi in favor of a portable hot spot. Often, you can acti­vate one on your mobile phone if you have that fea­ture from your car­ri­er. If you have no oth­er choic­es and must be online, turn on a vir­tu­al pri­vate net­work (VPN) as soon as you can after con­nect­ing to some­one else’s Wi-Fi. If your com­pa­ny does­n’t have a VPN, you can get one your­self, often for free, from a provider such as the high­ly rat­ed CyberGhost VPN.

Final thought: Just because Star­bucks, or some oth­er trust­ed brand, offers free Wi-Fi does­n’t mean their Wi-Fi is as trust­wor­thy as their paid prod­ucts and ser­vices. Data thieves count on this con­fu­sion in the minds of con­sumers to steal data from every­where they can!

4 Reasons Why Cybersecurity Depends On Relationships

Ever won­der why cyber­se­cu­ri­ty is so hard for peo­ple to get right? And, why are cyber­se­cu­ri­ty lead­ers fail­ing to con­vince peo­ple to work more secure­ly? We can learn some great lessons by study­ing the spread of med­ical and oth­er tech­nolo­gies and then apply those lessons to cyber­se­cu­ri­ty tech­nolo­gies we know make a dif­fer­ence, such as pass­word man­agers.

For exam­ple, anes­the­sia (specif­i­cal­ly, chlo­ro­form) was in world-wide use less than a year from its intro­duc­tion in 1846. In con­trast, anti­sep­tics, which were pro­mot­ed in the 1860s, took over twen­ty years to become estab­lished in most oper­at­ing rooms. Why the dif­fer­ence?

Dr_Atul_Gawande

Dr. Atul Gawande: “We yearn for fric­tion­less, tech­no­log­i­cal solu­tions. But peo­ple talk­ing to peo­ple is still the way that norms and stan­dards change.”

Here’s why: The spread of all new ideas about what’s good and how things should be is depen­dent on peo­ple talk­ing to each oth­er. Everett Rogers, who is best known for intro­duc­ing the term ear­ly adopter, tells us that “Every change requires effort, and the deci­sion to make that effort is a social process.” In oth­er words, new ideas are spread and adopt­ed pri­mar­i­ly through rela­tion­ships.

I’ve learned this les­son the hard way. Only after wast­ing $30,000 of my bud­get and a good chunk of polit­i­cal cap­i­tal try­ing to imple­ment a new, home­grown cyber­se­cu­ri­ty tool did I real­ize my lack of the right rela­tion­ships had doomed me almost from the start. Based on what I learned from my fail­ure, I take a dras­ti­cal­ly dif­fer­ent approach to intro­duc­ing change these days. My approach is more rela­tion­ship-dri­ven, which is what you should do as well, so that your change efforts will be more suc­cess­ful.

Back to anes­the­sia ver­sus anti­sep­tics. The New York­er pub­lished an arti­cle by Atul Gawande: Slow Ideas. You may remem­ber one of his well-received books, The Check­list Man­i­festo. (Save your­self some time and mon­ey: read the arti­cle upon which the book was based.)

Slow Ideas describes and pro­motes Atul’s Bet­ter Birth project. It’s an exper­i­men­tal approach to reduc­ing the rate of death among moth­ers and babies dur­ing and short­ly after child­birth in poor­er coun­tries. And, along the way, Atul also answers the ques­tion about anes­the­sia ver­sus anti­sep­tics.

It’s a fas­ci­nat­ing sto­ry that’s well worth read­ing on it’s own mer­its. But it also pro­vides keen insight on the strug­gle to cre­ate new norms, which any cyber­se­cu­ri­ty leader look­ing to pro­mote change should appre­ci­ate.

From read­ing Dr. Gawande’s arti­cle, I’ve iden­ti­fied four rea­sons why you should lead all your change efforts by first using your rela­tion­ships:

  1. Tech­nol­o­gy alone won’t get the job done. Dr. Gawande describes see­ing unused incu­ba­tors pushed into dark cor­ners, bro­ken due to lack of spare parts or switched off due to a lack of elec­tric­i­ty. As tech­no­log­i­cal­ly advanced as the units were, drop­ping them off in under­de­vel­oped coun­tries and then mak­ing no arrange­ments for inte­grat­ing them into local life speaks to the lack of rela­tion­ships.
  2. Requests, incen­tives, and penal­ties only work up to a point. Mere­ly request­ing a change will win over a cer­tain per­cent­age of the audi­ence, but prob­a­bly not as many as you want­ed. Study­ing the tax code of any coun­try will reveal incen­tives are hard to get right. Peo­ple have a way of max­i­miz­ing incen­tives for them­selves, often to the detri­ment of the stat­ed goals, and in ways the authors nev­er imag­ined.
  3. Research has shown rela­tion­ships are the most effec­tive way to bring about change. We can intro­duce a new idea to peo­ple. But, peo­ple fol­low the lead of oth­er peo­ple they know and trust when they decide whether to take it up. Everett Rogers wrote: “Every change requires effort, and the deci­sion to make that effort is a social process.”
  4. Real-world expe­ri­ences. In his arti­cle, Dr. Gawande tells a sto­ry about how drug mak­ers per­suade stub­born doc­tors to pre­scribe new med­i­cines: “Evi­dence is not remote­ly enough, how­ev­er strong a case you may have. You must also apply ‘the rule of sev­en touch­es.’ Per­son­al­ly ‘touch’ the doc­tors sev­en times, and they will come to know you; if they know you, they might trust you; and, if they trust you, they will change. Human inter­ac­tion is the key force in over­com­ing resis­tance and speed­ing change.”

I encour­age you to read the arti­cle for your­self. It’s per­sua­sive and very inspi­ra­tional. And, you’ll find out why anes­the­sia got into the oper­at­ing room faster than anti­sep­tics.

Have I con­vinced you that rela­tion­ships are the best method for improv­ing cyber­se­cu­ri­ty? If not, why not? Do you know a bet­ter way?

Two Daily Actions To Contain Data Breach Costs

A sin­gle data breach can cost your com­pa­ny a lot of mon­ey. How much? Based on the Net­Dili­gence 2015 Cyber Claims Study of actu­al insur­ance claims data, we know the aver­age cost of a large com­pa­ny data breach is US$4.8 mil­lion.

Want to min­i­mize the cost? Quick­ly iden­ti­fy the data breach.

How do I know that’s the best way? And, how do you do it quick­ly?

Here’s the first answer: Check out this data in the IBM/Ponemon 2015 Cost of Data Breach Study. This graph from page 22 of their report shows the rela­tion­ship between the mean time to iden­ti­fy a data breach and total aver­age cost:

Screenshot 2016-05-14 08.25.19

That’s a very clear con­nec­tion, don’t you think?

OK, so how can you quick­ly detect a data breach with­out spend­ing a ton of CapEx for a fan­cy intru­sion detec­tion sys­tem and then a ton of OpEx to run the thing?

Here’s how: Have your serv­er admin­is­tra­tion teams run these two dai­ly checks:

  1. Dis­cov­er when­ev­er some­one becomes a priv­i­leged user by ver­i­fy­ing all new accounts that have been added to any admin­is­tra­tor or root groups
  2. Iden­ti­fy data being staged for exfil­tra­tion by notic­ing when large amounts of data sud­den­ly show up in unusu­al places

With both these checks, the large major­i­ty of the work can be auto­mat­ed. The way you do it is use exist­ing serv­er man­age­ment tools to com­pare and high­light the major dif­fer­ences between today’s and yes­ter­day’s snap­shot of (1) all your admin/root group mem­bers and (2) the per­cent­age of free serv­er disk space.

The man­u­al work is track­ing down why those changes hap­pened and mak­ing sure it’s a legit busi­ness rea­son. This will take some sleuthing at first to know who to call and what con­sti­tutes nor­mal changes. But with­in a month you will set­tle down into a pro­duc­tive rou­tine.

What oth­er sim­ple tech­niques have you used to detect data breach­es?

How Much Should You Pay For Cyber Insurance?

The cyber insur­ance mar­ket is boom­ing. Seems like every­one wants to get a pol­i­cy to trans­fer risk. And why not? Insur­ance is a use­ful risk man­age­ment tool in so many oth­er sit­u­a­tions: Gen­er­al lia­bil­i­ty, prop­er­ty dam­age, errors and omis­sions, etc. The ques­tion on every­one’s mind is: How much for a cyber pol­i­cy?

InsurancePolicy

How big is the mar­ket get­ting? Accord­ing to David Brad­ford, co-founder and chief strat­e­gy offi­cer at Advisens, an advi­sor to the insur­ance indus­try:

The mar­ket for cyber insur­ance in 2015 was $2.5 bil­lion. For 2020 it’s esti­mat­ed any­where between $5 bil­lion and $10 bil­lion. By com­par­i­son, work­ers’ com­pen­sa­tion insur­ance is a $55 bil­lion mar­ket.

Brad­ford says this is rough­ly what you can expect to pay for a year of cov­er­age:

  • For com­pa­nies with less than $500 mil­lion in rev­enue, poli­cies with lim­its of between $1 mil­lion and $5 mil­lion cost between $2,000 and $5,000.
  • For com­pa­nies with more than $500 mil­lion in rev­enue, for a pol­i­cy with lim­its of $5 mil­lion to $20 mil­lion, pre­mi­ums will range from $100,000 to $500,000.

There’s a big caveat, though: Even though about 60 com­pa­nies are writ­ing cyber insur­ance poli­cies today, in my expe­ri­ence many are mak­ing it up as they go along. Terms, con­di­tions, cov­er­ages, exclu­sions, and risk assess­ments are all over the place. Unlike a com­mer­cial fire pol­i­cy, there’s almost no stan­dard­iza­tion.

Insur­ance com­pa­nies aren’t even in agree­ment about what fac­tors indi­cate a decreased risk of pol­i­cy hold­er fil­ing a claim. And that can trans­late to high­er (or low­er) pre­mi­ums than required to cov­er the risks. At this point, it’s rea­son­able to won­der if your claim will be paid at all. The lit­i­ga­tion over cyber cov­er­ages is just get­ting start­ed.

If you want to go for­ward with buy­ing a pol­i­cy, get your­self a reli­able bro­ker and get ready to do some seri­ous com­par­a­tive shop­ping. Buy­er beware!

Boeing Supplier Lost $54 Million to CEO Fraud

Did you know that Busi­ness Email Com­pro­mise (BEC), also known as CEO Fraud, is still a threat? And, it’s not just the stolen mon­ey that caus­es exec­u­tive headaches. It can dam­age your stock price and rep­u­ta­tion with major cus­tomers. And, in the case of FACC, it cost the CFO, Min­fen Gu, her job.

FACC-12-00x_Jobs4You.indd

Here’s what Com­put­er Week­ly said about the fraud, announced on Jan­u­ary 19th:

A $54m cyber fraud against Austria’s FACC has sent the air­craft supplier’s share price reel­ing. The company’s share price fell near­ly 17% in response to news of the company’s loss, which is one of the great­est loss­es to date caused by cyber fraud, accord­ing to Bloomberg. The loss report­ed by the sup­pli­er to com­pa­nies such as Boe­ing and Air­bus is way above the aver­age cost of the worst breach­es in the UK of between$1.9m and $4.4m, report­ed by Price­wa­ter­house­C­oop­ers (PWC) in 2015.

So, how do you pre­vent these attacks from suc­ceed­ing?

In my expe­ri­ence, most com­pa­nies are over spend­ing on tech­nol­o­gy to pre­vent data and mon­ey theft while down­play­ing the peo­ple, process, and man­age­ment aspects. As with FACC, the recent theft of W‑2 infor­ma­tion from Mon­eytree was suc­cess­ful most­ly because of weak inter­nal process­es and poor­ly trained peo­ple. And there’s a lot you can do in these areas for lit­tle or no added expense.

Train­ing peo­ple to detect and resist attempts to trick them into send­ing mon­ey (or sen­si­tive data) to crim­i­nals is a top action every­one should be tak­ing right now. A good approach is to com­bine a strong inter­nal com­mu­ni­ca­tions cam­paign in con­junc­tion with a soft­ware-as-a-ser­vice anti-phish­ing test­ing ser­vice, such as PhishMe or one of its com­peti­tors. Expect to pay about $20 per user, per year.

On that note, orga­ni­za­tions need to make sure their man­age­ment team ful­ly sup­ports their cyber­se­cu­ri­ty pro­gram, espe­cial­ly first line super­vi­sors. Why? When peo­ple hear about their respon­si­bil­i­ty to pre­vent cyber crime, their first ques­tion will be “is this for real?” and then they will won­der “how will this affect me?” Their super­vi­sor will either encour­age peo­ple to join the pro­gram, or kill it, depend­ing on how they answer.

Final­ly, peo­ple have to feel safe to respect­ful­ly chal­lenge any sus­pi­cious requests. Oth­er­wise, they will be stuck between the fear of being fired for not imme­di­ate­ly com­ply­ing with the request and the fear of mak­ing a big mis­take.

What else would you do to pro­tect your orga­ni­za­tion from CEO Fraud?

You Need A New Strategy on Malware

IT secu­ri­ty firm Web­root just released their 2016 Threat Brief. One of the high­lights was that:

…97 per­cent of the mal­ware encoun­tered by its user base in 2015 was unique.

That means hack­ers are rely­ing almost exclu­sive­ly on mal­ware that is con­stant­ly cre­at­ing new vari­ants to avoid detec­tion by sig­na­ture based anti-virus tools.

Source: Wikipedia

Source: Wikipedia

Web­root said the num­ber of mal­ware fam­i­ly vari­ants sky­rock­et­ed from 14,000 in 2014 to 130,000 in 2015. Sim­i­lar­ly, the num­ber of observed fam­i­ly vari­ants of adware, spy­ware and oth­er unwant­ed non-mal­ware apps jumped from 1,000 in 2014 to 90,000 in 2015. 

This sug­gests attack­ers are mak­ing their code:

…more dif­fi­cult to detect, using poly­mor­phic dis­tri­b­u­tion mod­els and rapid new vari­ant gen­er­a­tion to cir­cum­vent tra­di­tion­al detec­tion meth­ods…

Mean­ing, the bad guys are work­ing real­ly hard to bypass end­point secu­ri­ty prod­ucts to phish, social engi­neer, and oth­er­wise exploit your end-user.

What’s the big take­away? Detect­ing mal­ware on your end­points is almost a lost bat­tle. It’s still worth doing, but your best next move is to get very good at detect­ing the con­se­quences of bad infec­tions: The attempt­ed theft of mon­ey or data BEFORE it gets tak­en.

Ask your­self: What are the indi­ca­tors of com­pro­mise? How can I detect them? Am I ready to respond at a moments notice?

If you don’t have these answers, you need to get them. Soon.

Bank Lost $75 Million to CEO Fraud

Another big Busi­ness Email Com­pro­mise (BEC, also known as “CEO Fraud”) was recent­ly announced: Belgian Bank Los­es €70 Mil­lion to Clas­sic CEO Fraud Social Engi­neer­ing Trick

Bel­gian Bank Cre­lan has announced that it was the vic­tim of a fraud cam­paign and lost over €70 mil­lion ($75.8 mil­lion) in the process. [In the attack] the sender tries to pose as a busi­ness part­ner or even some­one from the com­pa­ny itself, ask­ing the recip­i­ent to trans­fer mon­ey to a desired account to final­ize an urgent busi­ness trans­ac­tion. The email uses legit­i­mate graph­ics and a looka­like domain name, try­ing to fool dis­traught employ­ees and have them trans­fer the mon­ey with­out dou­ble-check­ing with some­body from inside the com­pa­ny first.

This is on top of the $46 mil­lion that was defraud­ed from Ubiq­ui­ti Net­works through the same exploit about nine months ago.

Here’s an exam­ple of what a real BEC attempt looks like (thanks to Tom Kemp, CEO of Cen­tri­fy Cor­po­ra­tion):

BEC

The way to pro­tect your orga­ni­za­tion is by strength­en­ing your peo­ple, process, and tech­nolo­gies. The Inter­net Crime Com­plaint Cen­ter (IC3) offers this list of action, which I think is very good:

  • Peo­ple: Know the habits of your cus­tomers, includ­ing the details of, rea­sons behind, and amount of pay­ments.
  • Process:
    • Ver­i­fy changes in ven­dor pay­ment loca­tion by adding addi­tion­al two-fac­tor authen­ti­ca­tion such as hav­ing a sec­ondary sign- off by com­pa­ny per­son­nel.
    • Con­firm requests for trans­fers of funds. When using phone ver­i­fi­ca­tion as part of the two-fac­tor authen­ti­ca­tion, use pre­vi­ous­ly known num­bers, not the num­bers pro­vid­ed in the e‑mail request.
    • Care­ful­ly scru­ti­nize all e‑mail requests for trans­fer of funds to deter­mine if the requests are out of the ordi­nary.
  • Tech­nol­o­gy:
    • Cre­ate intru­sion detec­tion sys­tem rules that flag e‑mails with exten­sions that are sim­i­lar to com­pa­ny e‑mail. For exam­ple, legit­i­mate e‑mail of abc_company.com would flag fraud­u­lent e‑mail of abc-company.com.
    • Reg­is­ter all com­pa­ny domains that are slight­ly dif­fer­ent than the actu­al com­pa­ny domain.

Any rea­son to not make these changes? Would you add any oth­ers?