CYBERCRIME AND INDUSTRY #3: HOW CYBERCRIME IS AFFECTING OUR MANUFACTURING INDUSTRY

In the third in our series of articles on cybercrime and industry we will look at how manufacturing is being impacted by the rise of cybercrime. The manufacturing industry is going through a period of fast change. Many industrial systems are being overhauled to bring them into an era of high connectivity. The Internet of Things and automation / robotics are being used as a productivity booster, and a way of bringing the notoriously complicated manufacturing supply chain more closely under control.

The manufacturing sector has some fundamental challenges above and beyond those of the previously discussed sectors, healthcare and financial. This includes protection of intellectual property and corporate espionage / sabotage.

Manufacturing Pain Points

Advanced Persistent Threats (APT) in manufacturing: APTs play the long game. Cybercriminals use techniques like spear phishing to get malware onto a system, and then use stealth and avoidance techniques to slowly exfiltrate data, such as proprietary information, often over many months. APTs are a real threat to manufacturing because of the difficulty in detecting the underlying malware. This is down to the ability of the hacker to remotely control the malware (using a ‘command and control’ center) – morphing it to hide it from detection by traditional anti-virus and monitoring techniques. Kaspersky run an APT logbook, and it’s interesting to see how APTs have become more prevalent over time. Filtering the logbook across manufacturing-related industries shows how this area has become an increasing target for APT-style attacks.

Intellectual property: Intellectual property (IP) is the mainstay of our manufacturing industry and its theft is a major contributor to economic issues in the USA. According to the IP Commission’s report into IP theft, hundreds of billions of dollars worth of IP is stolen each year from U.S. firms of all sizes. They described the situation as “the greatest transfer of wealth in history”. The loss of IP affects jobs and innovation. The theft is often state sponsored, the IP Commission report pointing to China as a likely source, but insider threats are also an issue, including supply chain insiders. Verizon found that 46% of IP theft cases start with an employee. The staff member is likely collaborating with cybercriminals to extract the data – the prime driver being financial gain. When insiders are used, access is often through misuse of privileged credentials. But it may not be the system administrator actually behind the breach. Centrify found that in a survey of U.S. IT staff, 52% had shared a login credential with a contractor, and 59% with a fellow worker.

Cyber-espionage: According to Verizon’s “2016 Data Breach Investigations Report”, manufacturing is one of the top three industries to suffer from cyber espionage. Cyber espionage is an external threat, sometimes state sponsored, or at least competitor sponsored, where the target is proprietary data and trade secrets. The vector into the manufacturer is most often a spear phishing email, which is ultimately behind an APT attack (see above). The attackers can then quickly get at the credentials needed to log in to the system and implant malware that exfiltrates data back to its source. Another method that is gaining ground is the drive-by download. This vector is the sneakiest of all and is completely silent, so the user isn’t aware that they have been infected with malware – usually keyloggers, which then go on to steal login credentials. Drive-by downloads use exploit kits within a website – typically a site that is commonly used by that sector will be infected by the hacker. If the user visits that site, the exploit kit then looks for a vulnerability in a browser or other software application like Adobe Flash. The exploit kit uses this vulnerability to silently install the malware. It literally takes seconds, and you don’t even notice it happening. Once infected, user credentials can be stolen, allowing access to the extended network.

Attacks against automation: The fourth industrial revolution is built upon automation and robotics. These devices are primary candidates for cyber attack. In an industry that is heavily reliant on connected and automated components, attacks targeted at points of automation make the industry highly vulnerable. In a report by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), they found that in the 12 months from October 2013 there were 245 cyber security incidents, with 32% of those affecting the energy sector and 27% critical manufacturing; of these, 55% were due to APTs (see earlier). You can imagine a scenario whereby a hacker has accessed a crucial automation unit and sends malicious commands to it, causing chaos and resulting in the shutdown of the unit. Similarly, critical infrastructures, such as those controlled by power and water suppliers, are under increasing threat, including threats of cyber-terrorism. Examples include the 2014 cyber attack against the U.S. federal weather station network (NOAA) and the 2014 German steel mill attack, which caused the failure of multiple automated systems.

As our manufacturing industry becomes ever more interconnected, and the extended supply chain becomes more intrinsically hooked up to the network, the threat surface will become more complex. This brings deep-level security issues that need to be addressed at the operating system/platform level. This does not, however, preclude the need for security training and awareness. The ever-present threat of phishing, especially spear phishing, which is often connected to an APT attack, can be handled through user training programs. The cyber security problems facing manufacturing as it undergoes the fourth industrial revolution need to be handled by a multi-layered approach, from ensuring that the systems manufacturers use are themselves utilizing appropriate safety measures, to awareness of security risk across the extended supply chain.


CYBERCRIME AND INDUSTRY #2: HOW CYBERCRIME IS AFFECTING OUR FINANCIAL SERVICES INDUSTRY

In the second in our series of articles on cybercrime and industry we will look at how the financial services industry is being impacted by the rise of cybercrime. The financial services sector has always been a traditional target for cybercrime. However, as we saw in the previous article, healthcare has taken over the title from financial services as the number one most targeted industry sector. But does this mean the beady eyes of the cybercriminal are no longer focused on financial services? This article will explore the current climate for hacking our financial sector.

Cybercrime and Financial Services

The financial sector is like the perfect package for a hacker. Banks and other financial institutions contain information that spans everything a cybercriminal wants, all wrapped up in one place: from your financial details and bank account, to identity data. If you look at some of the breaches in the financial services sector just in 2014 and 2015, you can see that they are among the largest in history. For example, in 2014 JP Morgan Chase had 83 million bank accounts exposed in a phishing (including text-message phishing, or smishing) scam.

Security attacks are perpetrated using several methods. Phishing is still a major issue for the financial sector, as it has been now for many years. The Carbanak bank heist, which purportedly has cost around $1 billion so far, began with a phishing email. The email contained a piece of malware that stole login credentials once installed. The fact that access to bank accounts can potentially be compromised from an email shows how integrated banking is in all of our lives. A new variant of this is the targeting of personal accounts that use mobile banking. For instance, Android-based malware spots which bank a user is navigating to from their smartphone, and overlays a spoof page that looks identical to the mobile banking page. It then steals the credentials used to access the site, which the hacker can then use to access the real mobile banking account.

But phishing isn’t just hitting individuals. Companies are being targeted by a variant known as Business Email Compromise or BEC. This technique uses the natural hierarchy of an organization to scam employees. Typically, a company accountant, or someone in a similar role, will receive an email from someone high up in the organization, like a CFO or CEO. The email will look exactly like it comes from the person it is supposed to be from – as the phisher will have done a lot of research into their target. The email will ask that the person make an urgent transfer of money to a supplier who has had to change their bank account for some reason. This scam has already cost around $2.3 billion according to the FBI.

Advanced Persistent Threats, which use stealth and the long game to extract information and monies, are also being used against the financial sector. In an APT threat recently identified by the Financial Sector Cyber Intelligence Group, spear phishing was the way in for the APT actor. The first step in this type of attack is to implant a Command and Control center (C&C) so that the hackers can add further malware to the compromised system. A C&C is like the hacker having their finger right inside the pie – they can control malware and update it remotely. APTs are notoriously difficult to detect as they morph (via the C&C) when any hint of possible detection is observed.

Financial sector attacks are not just about direct access to money anymore. They are also about identity theft and breaching data. The financial sector was ranked third for identity theft last year by the Identity Theft Resource Center. This is because in the world of cybercrime, personal information equates to money. Financial records fetch on average $221 per record, compared to the $30 that a U.S.-based stolen credit card commands on the dark web.

Distributed Denial of Service (DDoS) attacks are also a major threat for the financial sector, with DDoS and web app attacks against financial services having increased 31% since 2015, according to the ‘2016 Data Breach Investigations Report’. However, DDoS attacks are less about pulling down websites and more about being a smokescreen to allow hackers to implant malware, which is then used to steal data and login credentials.

Where Should We Concentrate Our Efforts in Controlling Financial Sector Security Threats?

One of the issues in the banking sector is getting the word out to all the stakeholders, including the board, that cybersecurity is a company-wide issue, not just a problem for IT. This is a general problem for any sector, but financial services are feeling the impact in a massive way, and right across the ecosystem, from direct attacks to supply chain breaches, as well as business and personal account compromise.

Because the financial sector, more than most, has very close touch points with its customer base, and has an extended supply chain with direct ties into the main company, it is a sweet target. Even with a broad-thinking, strategic security plan and state-of-the-art security tools in place, with such a wide ecosystem the sector is at risk. PwC, in their ‘Global State of Information Security Survey: Financial Services 2016’, stated that third-party vendor security assessment and management is the single biggest challenge for the industry in controlling security threats. PwC points out that industry organizations that use risk-based security frameworks to communicate with third-party vendors were more successful in controlling security risks within the vendor ecosystem.

Going forward, the increased awareness of threats to the financial sector, brought about to a large degree by the major attacks perpetrated against the industry, will mean that we should all become more vigilant. This should include a generalized education program, not just for those employed within the sector but also the supply chain and customers. The push for a more secure financial services sector needs to be a top down approach. The board must engage in a program of security, which includes frameworks for communicating security information across the supply chain and beyond. As cybercriminals continue to up their game, the financial sector can win the cybersecurity war by upping their game too.


SecurIT awarded as one of the best Security service providers in MT1000

Management Team 1000 has announced the best Dutch B2B service providers of 2019, based on a study by Erasmus University, and SecurIT has landed a spot in the top 1000 best service providers of The Netherlands! SecurIT has been awarded the highest Net Promoter Score and the best customer service in the category ‘IT-security’. We are very proud to announce that this also resulted in a second place overall in IT-security.

Best business service providers in the Netherlands

In this 3rd edition of the study, more than four thousand business decision-makers were asked about their experiences with service providers. Who has the best products (product leadership), who has the best customer service, and who has the most Operational Excellence? That, combined with NPS, which measures whether people recommend the service to others, provides a fascinating overview. According to Erasmus University and Management Team, the list is objective: it is not about the size of the marketing budget, the turnover or the workforce, but about the opinion of the customer. SecurIT scored 5 out of 5 in customer service, 5 out of 5 in NPS, 4 out of 5 in product leadership, and 4 out of 5 in Operational Excellence.

An overview of the different categories

A boost for 2020

With our many years of experience in Identity and Access Management, this national recognition is, of course, the cherry on the cake. We are very thankful for the hard work of our colleagues and the attention of our customers. It gives SecurIT an interesting perspective for 2020!

See the full list of MT1000’s category Security


CYBERCRIME AND INDUSTRY #1: HOW CYBERCRIME IS AFFECTING OUR HEALTHCARE INDUSTRY

This is the first in a series of articles looking at how the cybercrime wave is affecting different industry sectors. This first article will look at our healthcare industry. Healthcare is arguably one of the most information intensive sectors. During any individual interaction with a healthcare service, a multitude of data is created, shared and stored. Electronic health records (EHR) contain enormous amounts of information about us: from personal details, such as name, address and our age, to medical data for past, present and potentially future physical or mental health issues, to financial details. It is a very rich source of information making the healthcare industry a prime target for cybercriminals.

Cybercrime and Healthcare – Levels, Costs and Attack Types

IBM’s X-Force, in their 2016 Cyber Security Intelligence Report, stated that healthcare is the “most frequently attacked industry”. 2015, it seems, was the year of the healthcare breach. Most of the serious healthcare breaches since 2010 took place in 2015. This included:

· Anthem: Almost 80 million records breached

· Premera Blue Cross: 11 million records breached

· Excellus: 10 million

· University of California, Los Angeles Health: 4.5 million

· Medical Informatics Engineering: 3.9 million

Any organization that has a breach involving 500 or more records has a legislative obligation to inform the Office for Civil Rights (OCR) at the Department of Health and Human Services. The breach is then posted to a website, jokingly called the ‘wall of shame’, for the world to see. According to the information found at the OCR website, in 2015 over 112 million healthcare records were breached.

All of the above incidents were, according to the OCR site, caused by a “hacking/IT incident” on a “network server”. The likely reason behind the breaches was to steal medical records, because medical information is valuable. According to a Ponemon study, 2015 Cost of Data Breach, a U.S. medical record is worth, on average, $368 compared to a mean of $217 for other record types. This makes the healthcare industry a very lucrative target for a cybercriminal, who can sell this data on the dark web. And the data theft doesn’t stop there. Once stolen, personal data is used for social engineering attacks against individuals. It is also used for secondary attacks, like the IRS breach, where personal data is used for verification purposes; in the IRS case, to make fraudulent tax claims. Stolen PHI is the gift that keeps on giving.

In 2016 we are seeing a possible change in the tactics used by cybercriminals against healthcare, away from pure data theft, to cyber extortion. There has been a spate of ransomware attacks against healthcare organizations in the U.S.

A recent report by the Health Information Trust Alliance found that 52% of the healthcare organizations interviewed in the U.S. had been a victim of ransomware.

Healthcare and Legislation

Healthcare is one of the industries that have specific legislation protecting individual data. In the healthcare industry this data is known as Protected Health Information or PHI. PHI covers a gamut of data, including personally identifiable information (PII) such as name, address, age and so on. It also includes medical data that relates to physical or mental health issues in the past, present or future. It also includes details such as biometrics, device identifiers and DNA. PHI is protected under the Health Insurance Portability and Accountability Act (HIPAA), brought in to protect the security and privacy of health data.

The Health Information Technology for Economic and Clinical Health Act, or HITECH, was an act originally introduced to set the framework for electronic health records (EHR). It helps to extend the reach of HIPAA in terms of protection of health data. An extension to HITECH, section 13407, which is enforced by the Federal Trade Commission (FTC), has brought the supply chain into focus. This clause specifies that the rules of data protection and privacy applying to HIPAA covered entities now extend to all third-party business associates, including contractors and sub-contractors, that have anything to do with health data handling. This creates a chain of organizations that have strict rules applied to how they must manage the security and privacy of the health data under their remit.

Healthcare Information and Futures

Healthcare is always going to be a prime target for cybercrime because the industry is a data innovator. Data is used as part of its prime objective, to care for us, but also to build better procedures and healthcare outcomes. The healthcare industry is one of the early adopters of Cloud based big data sharing. The Google Genomics project, for example, allows medics and researchers from across the globe to share genetic information.

Healthcare is also embracing disruptive technologies such as mobile and the Internet of Things (IoT). Analysts MarketsandMarkets are predicting the healthcare IoT market to be worth around $163 billion by 2020. IoT devices are being used across the healthcare ecosystem, from individual wearables relaying health data to the Cloud, to medical devices used within a hospital context – the FDA now being fully on board with the use of IoT devices in a medical context. As for mobile, a study has shown that at least 87% of physicians use a mobile device for work-related tasks.

With all of this data being generated across an increasingly diverse and interconnected playing field of devices and Cloud platforms, healthcare is a cybercriminal’s dream. With HIPAA and now the extended HITECH ruling on third-party ownership of data security, it has never been a more important time for the healthcare industry, and its extended supply chain and partners, to step up to the plate and create a healthy cyber security strategy.


TOP 6 TIPS FOR MANAGING VENDOR RISK

This year has gotten off to a great start… if you’re a cybercriminal. Already threats like ransomware are on the rise, with the FBI’s April blog post on the issue showing the prevalence and success of this type of malware. Of course, if you’re not a cybercriminal then this isn’t such a great start. Cyber security, which was once almost an afterthought, is now a critical part of business strategy and a board-level consideration. As our business and vendor eco-systems become ever more connected, through Internet communications and the ensuing Internet of Things, cybercrime considerations can only become even more of a focus for our businesses. This is why it is of paramount importance to extend your security thinking and strategy out into the reach of your vendor eco-system, as you can guarantee that cybercriminals will take advantage of any chink in your armor.

With this in mind, let’s look at some approaches to keeping your vendor relationships optimized for security.

Top Tips to Keep Your Vendor Eco-System Secure

Controlling vendor risk management is the key to creating secure vendor eco-systems. It results in an all-round better way to do business as it increases trust and decreases risk. If done well, it can also bring about more collaborative and productive partnerships that can be used as best practices for other relationships. The following tips are a good place to start on the road to a more secure vendor relationship management program. But the main thing to remember is that this is a process and all good processes need feedback from which to improve.

Tip 1: Don’t reinvent the wheel: Use NIST advice.

Before you set out on creating your own vendor relationship security strategy, you should get to grips with the Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST). The framework outlines a set of guidelines that give you the starting points for creating a robust security strategy. The five main areas it looks at are: Identify, Protect, Detect, Respond, and Recover. You can read more about this on the Atlas blog.

Having a well thought out security strategy in place is the starting point for creating an extended strategy for your vendor eco-system. Your security strategy must reach out to encompass all of your assets, which includes those shared across that eco-system. Setting out your stall in this way lets you have a clear view of your security needs and allows you to move onto the next part of the process of securing your vendor relationships.

Tip 2: Make wise choices.

Choosing which vendors can become part of your wider eco-system is part of the process of risk management. This process can also encompass security, by adding security requirements to your vendor due diligence. Knowing how a vendor handles, for example, the sharing of sensitive documents can give you a heads-up on any issues that may occur down the line. Attending to potential vulnerabilities at the point of entry to a partner program can prevent future breaches. Having a partner program and vendor enrolment process that emphasizes the security aspects of the relationship creates an ethos of secure thinking. If a vendor has an issue with this at the start, then they may not be right for your organization going forward.

Tip 3: Communication is king.

One of the driving forces in modern cyber security is collaboration. The U.S. government has brought in the Cyber Intelligence Sharing and Protection Act (CISPA) for the purposes of sharing information about security threats between commercial and government organizations; the idea being that a “problem shared is a problem halved”. Not everyone agrees with the tenets of the act, but the concept of collaboration around security issues is a sound one. Having inter-vendor security collaboration will help you to mitigate risks through a program of education and shared knowledge. Even setting up partner program awareness sessions, covering general security training and compliance requirements, can be an important step in ensuring everyone is at the same level of security thinking.

Tip 4: Get authentication right.

We’ve seen from a number of high-profile cyber attacks that the root cause has been poor authentication measures. For example, the Target Corp. attack was due to a third-party (HVAC) vendor being phished; the username and password they used for privileged access to Target’s systems were stolen. If there had been better authentication measures in place this could have been prevented, even though the vendor had been successfully phished. There are ways authentication can be hardened against phishing attempts. Second-factor authentication can be applied to many applications. This can be in the form of an SMS text code, mobile app code, or hardware token code. If user experience is a concern, then you can use adaptive authentication to ‘up the ante’ in terms of authentication requirements. For example, if you detect a login request coming in from an internal IP address, then you can apply single sign-on (SSO), but if it’s from a third-party vendor’s IP address, or elsewhere, then you can force the use of a second factor, or even further login credentials, like requesting the answer to a personal question. In any extended system where you have only arm’s-length control, strong authentication should be a serious consideration.
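The adaptive policy described above, as an added example (not code from SecurIT or from any vendor product): the decision engine classifies the login’s source network and returns the set of factors the attempt must satisfy, so that a phished vendor password alone, as in the Target case, is not enough. The network ranges, factor names and the extra step-up for privileged access are constructed assumptions.

```python
"""Adaptive (risk-based) authentication policy.

Added illustration of Tip 4: the factors a login must present depend on
where the request comes from. Internal network -> SSO is enough; a known
vendor network -> password plus a second factor; anywhere else -> second
factor plus a personal question. Privileged access from outside the
internal network additionally requires a hardware token (an assumption
that goes slightly beyond the text).
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed address space (assumption, not a real deployment). The
# vendor and "unknown" ranges use RFC 5737 documentation prefixes.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]
VENDOR_NETWORKS = {
    "hvac-vendor": [ipaddress.ip_network("203.0.113.0/24")],
}


@dataclass(frozen=True)
class LoginAttempt:
    username: str
    source_ip: str
    privileged: bool = False  # does the session request privileged systems?
    presented_factors: frozenset[str] = frozenset({"password"})


@dataclass(frozen=True)
class Decision:
    allow: bool
    required_factors: frozenset[str]
    reason: str


def classify_source(ip_str: str) -> str:
    """Return 'internal', 'vendor:<name>' or 'unknown' for a source address."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETWORKS):
        return "internal"
    for vendor, nets in VENDOR_NETWORKS.items():
        if any(ip in net for net in nets):
            return f"vendor:{vendor}"
    return "unknown"


def required_factors(source: str, privileged: bool) -> frozenset[str]:
    """Map the source classification to the factors the login must present."""
    if source == "internal":
        required = {"sso"}  # trusted network: single sign-on suffices
    elif source.startswith("vendor:"):
        required = {"password", "otp"}  # known third party: force a second factor
    else:
        # Unknown origin: second factor plus a personal question ("further
        # login credentials" in the text).
        required = {"password", "otp", "security_question"}
    if privileged and source != "internal":
        # Privileged access from outside needs a possession factor that a
        # stolen password by itself cannot satisfy.
        required.add("hardware_token")
    return frozenset(required)


def evaluate(attempt: LoginAttempt) -> Decision:
    """Decide whether the presented factors satisfy the adaptive policy."""
    source = classify_source(attempt.source_ip)
    required = required_factors(source, attempt.privileged)
    missing = required - attempt.presented_factors
    if missing:
        return Decision(False, required,
                        f"{source}: step-up required, missing {sorted(missing)}")
    return Decision(True, required, f"{source}: all required factors presented")


if __name__ == "__main__":
    # A phished vendor password alone, used from the vendor's network for
    # privileged access, is refused; the same login with OTP and token passes.
    phished = LoginAttempt("hvac-svc", "203.0.113.10", privileged=True)
    print(evaluate(phished))
    stepped_up = LoginAttempt("hvac-svc", "203.0.113.10", privileged=True,
                              presented_factors=frozenset({"password", "otp", "hardware_token"}))
    print(evaluate(stepped_up))
```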

Tip 5: Automation equals  

Don’t go it alone. Most modern enterprise organizations are dealing with tens of thousands of vendors in their supply chains. Manual spreadsheet assessments and required documentation sent and received via email worked just fine when there were only a couple of hundred outside vendors to deal with. As mentioned earlier, supply chains are only getting larger and we are growing more connected over time. To truly pinpoint risks in the supply chain, you must have an automated system on which to conduct vendor assessments and collect supporting documentation.

Tip 6: Assume there is no perimeter and always innovate around security.

The world has never been smaller because of the interconnectedness of almost everything. This is being embraced by vendor platforms too, with Cloud delivery being seen as a way of increasing productivity. This takes your security thinking into a new arena of web-based threats. If you apply the previous five tips to begin the process of securing your vendor relationships, and you use the advice from OWASP on the top ten web threats, then you will be well on your way to having a robust overall security strategy for your eco-system, protecting your own organization as well as all of those in your vendor programs.


The bad ads affecting cybersecurity

One of the most worrying vectors ever in the history of cybersecurity is starting to become the weapon of choice of the cybercriminal. With a 325% increase in attacks, according to Cyphort, malvertising, or malicious ads, is a force to be reckoned with.

What is Malvertising?

Malvertising isn’t new. Using malicious ads as a vector to push out malware has been around as a technique since around 2007. However, it is becoming even more sinister and successful because of some hacker innovations in the area. The original version of a malvertising campaign relied on user intervention. However, in recent attacks, no user intervention was needed to end up infected with malware. This is the sinister twist in the malicious ad tale that is leaving consumers and businesses alike reeling.

The reason that malvertising is so successful is down to how the cybercriminal plays the system. Ads are served up across Internet sites from centralized ad networks, such as Google AdSense and Media.net. There are many of these types of networks, serving up ads that reach hundreds of millions of users across the Internet. Cybercriminals use these networks to push their malicious ads out across legitimate websites. It is this use of a legitimate and trusted process and website that makes malvertising so difficult to control and spot. As the networks become savvier about spotting infected ads, the cybercriminals stay one step ahead. They are known to place clean ads (paying for the service themselves) and, once these are accepted and pushed out across the network, they are then able to use command and control services to infect the ad with malware.

Malicious ads do still occasionally use the click-to-install method of malware infection. In this case, the malware is activated on clicking the ad. If a vulnerability is present in the user’s browser, or in software add-ins like Flash or Java, then the malware runs using that exploit. However, there is an increase in the use of independent exploit kits to perform the infection, as these require no user intervention. In this scenario an infection method known as a ‘drive-by download’ takes place. Drive-by downloads work by performing a silent redirection from the site hosting the ad to a spoof site hosting the exploit kit. This redirection is often very fast and hardly noticeable. On the spoof site sits an exploit kit; the Angler exploit kit seems to be a popular choice. In fact, in Cisco’s Midyear Security Report for 2015 they found that 40% of user penetration was caused by the Angler exploit kit. An exploit kit works by finding vulnerabilities in software on your computer, usually browser and browser add-in software; if found, it uses these to install the malware.

The types of malware installed by malvertising attacks are varied, but a spate of ransomware attacks has taken place recently. Other types of malware popular with malvertising cybercriminals are those that steal login credentials.

Examples of the Success of Malvertising

Using legitimate networks to push ads out means that attacks are prevalent on well-known and trusted websites. Here are some examples of recent malvertising attacks:

In an attack in early 2015, which infected major sites like Huffington Post, a Hugo Boss ad was used as the conduit for malware. This attack didn’t use a redirect to an exploit kit (EK). Instead the kit was packaged up into the ad, which got through the ad network security and out into the wider Internet. The ad-based EK utilized Flash vulnerabilities to do its work. Anyone infected ended up with the notorious ‘ransomware’ on their system, which encrypted all of their files and attempted to extort money to decrypt them.

Also in 2015, Yahoo’s ad network suffered a major malvertising breach. The attack was based on the Angler exploit kit, which used a drive-by download to infect users’ machines. The Yahoo network receives 6.9 billion monthly visits, so it had the potential to impact a massive number of end users: a perfect conduit for malware.

In the most recent attack, earlier this year, a major malvertising campaign affected major news sites like the New York Times and again used a redirect to an exploit kit. This time the EK took advantage of vulnerabilities in Microsoft Silverlight. Again, ransomware infection was the end result.

Mobiles aren’t immune to malvertising either. According to Blue Coat’s 2014 Mobile Malware Report, malvertising is the top threat to mobile users. Mobile as a platform for malvertising makes sense in the light of a BI Intelligence report, which shows that mobile advertising is growing faster than other forms of advertising – why would a cybercriminal not take advantage of that?

It is hard to find out accurate figures on just how many successful infections have been made with a malvertising campaign. However, the fact that this mechanism is increasingly being used, and that ransomware is bringing in as much as $325 million per strain, means that cybercriminals will be willing to spend money to make money by placing ads across legitimate networks that people trust.

What Can be Done?

If ad networks are unable to manage the problem (and the number of successful attacks seems to point to this), then we need to take steps to protect our computers directly.

All malvertising-based exploits rely on finding vulnerabilities in your browser or browser plug-ins. This means there are some things you can do immediately to help reduce the risk:

1. Make sure all of your browsers and associated software, such as Adobe Flash and Java, are up to date.

2. Instead of patching, remove: Flash and Java have known vulnerabilities which cybercriminals can exploit. If possible, remove software such as Adobe Flash and Java. However, this can impact the functionality of some websites, so it may not be possible. It is also likely that HTML5 will, at some point in the future, be used as a method of inserting malware, so removal of Flash and Java may become a moot point.

3. Don’t use deprecated software plug-ins such as Microsoft Silverlight, as they won’t be supported going forward. Some browsers, such as Chrome, have already stopped supporting Silverlight.

4. Make sure you have a company-wide strategy for dealing with this threat, both to prevent infection and to handle the results if you do get infected.


THE GOOD, BAD AND UGLY OF MODERN AUTHENTICATION

Logging into any type of application has to be one of the most talked-about topics in security. It sometimes feels like the last frontier as far as technology innovation is concerned. Why is this so? It is likely because it is the point where the human-computer interface first comes into contact. This creates a usability vs. security conundrum, which is always hard to resolve. Part of the issue has been ‘password fatigue’, a topic that has raged in the industry for many years, and yet we don’t seem a lot further forward. That isn’t entirely true, though: technology in the area of authentication is moving forward. I’ve named this post “The Good, Bad and Ugly…” but in truth each authentication measure can have a little of each, and it really is more about choosing the right one for the right scenario.

The Password is Dead, Long Live the Password

The first ever login option in computing, used by MIT in 1961, was of course the humble password. We have used it almost religiously ever since, for everything from logging into online banking to offline desktop login. It is so successful because it is easy to program support for username and password access, and it’s also easy for the user logging in… mainly.

I say mainly because we now find ourselves in a situation where both security and usability have been severely compromised. In terms of security, the use of username and password in an Internet-connected world has left the password highly vulnerable. Phishing, and in particular spear phishing, means that cybercriminals can very easily steal a username and password, either by sending the phished individual to a spoof site which tricks the user into revealing their login credentials, or by installing malware which exfiltrates them when they are used.

And then there is the usability aspect. The average user has to use passwords across a large and growing number of sites. Either you use the same or a few similar passwords, which is insecure, or you have to remember a different one for each site. Either way, it isn’t ideal. A report by identity vendor CSID found that amongst U.S. consumers, 61% reused the same password across multiple sites and 46% of them had 5 or more passwords to remember. You can, of course, use a password manager, but that brings its own issues.

As an alternative, social and similar platforms, such as Facebook, Twitter, Google, PayPal and Amazon, offer federated login, which can be used instead of a separate username and password. There are pros and cons to the use of this type of credential, of course.

And when you bring the password into the enterprise, usage behavior becomes even more concerning. Password sharing is one of the most prevalent insider threats. A survey by Centrify into password habits found that 52% of U.S.-based IT administrators had shared their username and password with a contractor, and 59% of them with a colleague.

A Multitude of Options with Multiple Factor Authentication

The username and password issues above lead on to the question of how we can improve things without upsetting the apple cart too much; after all, we like passwords, in the main.

If username and password are something we know, we can call this a first factor. If something we have, like a mobile device, is also used to log in alongside the username and password, then that becomes a second factor, or 2FA. 2FA is becoming more popular because it multiplies the security needed to log in to any system, and it can be highly effective at preventing phishing attempts.

The types of second-factor authentication available are increasing, but the most common are mobile device-based apps, or codes sent by SMS text. You also get hardware devices, or ‘security tokens’, especially in enterprise environments, but these were becoming less attractive as they cost money per device, and BYOD meant that employees were using smartphones at work, so why not utilize those? However, a recent innovation in security tokens, U2F, has made them more attractive as an option.

Mobile App Based 2FA

Mobile based 2FA apps offer support for the following options:

  • HOTP: A code is sent to the mobile app. This code is hashed. The user enters the code into the application during login, after they have entered their first factor.
  • TOTP: This is also a code, but it is time-limited, i.e. it only lasts for a few seconds and must again be entered after the first factor has been entered for login.

One of the issues surrounding mobile code-based access is security; some implementations are more secure than others. The most secure way of using a mobile app-based 2FA method is for the app to communicate the code directly to the back end of the application, rather than the user typing the code into a user interface, which is open to a man-in-the-middle attack.
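To make the HOTP and TOTP mechanics concrete, here is an added example (not code from the original post or from any 2FA vendor) implementing both algorithms as standardised in RFC 4226 and RFC 6238. Note that in these standards nothing is ‘sent’ to the app: the phone and the server share a secret and each derive the same code, from a counter (HOTP) or from the current 30-second time window (TOTP), so only the short code ever crosses the wire. The shared secret below is the one from the RFCs’ published test vectors; the `window` tolerance in `verify_totp` is a design choice of this example.

```python
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226 / RFC 6238 test vectors: the ASCII string "12345678901234567890".
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then 'dynamic truncation'.

    The low nibble of the last HMAC byte selects an offset; the four bytes from
    there (top bit cleared) form a 31-bit integer, reduced modulo 10**digits.
    Client and server each compute this from the same secret and counter; the
    server compares its result with what the user submitted.
    """
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the Unix epoch."""
    return hotp(secret, unix_time // step, digits, digestmod)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1, digestmod=hashlib.sha1) -> bool:
    """Server-side check tolerating `window` periods of clock drift either way.

    hmac.compare_digest keeps the comparison constant-time, so response timing
    cannot leak how many leading digits of a guess were correct.
    """
    period = unix_time // step
    for drift in range(-window, window + 1):
        expected = hotp(secret, period + drift, digits, digestmod)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current TOTP:", code, "valid:", verify_totp(RFC_TEST_SECRET, code, now))
```

A real deployment uses a per-user random secret rather than the RFC test string, stores it as carefully as a password hash would be stored, and records the last accepted period so a code cannot be replayed within the tolerance window.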

SMS Based 2FA

Mobile phones, including those that aren’t smart, as well as modern landlines, can receive SMS codes for use as a second factor. One of the downsides of SMS code-based 2FA is that it costs the vendor who is sending out the codes, as this is generally done via a third-party SMS gateway.

Security Tokens

The security tokens mentioned earlier have been improved in recent years using a new authentication protocol called U2F, developed by a consortium of large technology vendors, including Google, known as the FIDO Alliance. In fact, Google has implemented a version of U2F based on a key which is inserted into a USB port, the user ‘clicking’ a button on the key to sign into web apps. Of course, the issue with this is that if you are using an iPad or smartphone for access, there is no USB port.

You’ll Know It’s Me

The next major advance in authentication is biometrics. Anyone with an iPhone 5S or later will know about the Touch ID biometric login system, which uses a fingerprint to unlock the phone. This is probably the best-known type of biometric in common use, and it has certainly broken down some of the barriers to biometric acceptance.

One of the earlier barriers to success with biometrics was an alarmingly high rate of false negatives and false positives. Advances such as that seen at Carolinas HealthCare System, which uses the veins in a person’s palm, have seen match rates increase to 99.9% in the last ten years. This is another barrier to biometrics that is breaking down, allowing wider uptake of the method.

It looks like biometrics will be used more and more. As we see advances in biometric management and in the accuracy of biometric results, and as the range of biometric types increases, it becomes a natural way to log in, and so users will opt for it.

Adaptive Authentication

Adaptive authentication is less an authentication method and more a way of using existing methods more efficiently, with added security and improved usability. Adaptive authentication allows you to configure policies which determine the level of authentication required under any given circumstance. It works by assessing the risk level of a specific access attempt. The best way to describe it is with examples. You could set a policy that says that if a user is attempting access from a given IP or IP range, such as you’d get by accessing from within the headquarters of an enterprise, then single sign-on (SSO) is allowed. Or you could allow access from certain devices within a given geographic location, but only using a second factor. Another example could be to increase the requirements of login, even going as far as asking knowledge-based questions, if certain criteria aren’t met or there is a pattern of failed login attempts, and so on.

Adaptive authentication is a really good method of making the most of what you’ve got, and it can really help with resource protection and with handling varying levels of risk, especially in an extended supply chain where a variety of people across many jurisdictions require access rights.
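As an added illustration (not from the original post or from any vendor product), the following policy evaluator encodes the three examples above as rules: SSO from the headquarters IP ranges, a second factor for enrolled devices outside them, and knowledge-based questions on top when a known device shows up from an unexpected country or the user has a run of failed logins. The network ranges, device registry, scoring weights and thresholds are assumptions made for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed policy data for the example (constructed, not from any real deployment).
HQ_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),     # office LAN
    ipaddress.ip_network("203.0.113.0/24"),   # HQ egress range (documentation prefix)
]
# Enrolled device id -> country it is registered in.
TRUSTED_DEVICES = {"laptop-4711": "US", "laptop-0815": "GB"}
FAILED_ATTEMPT_THRESHOLD = 3   # failures that trigger step-up
LOCKOUT_THRESHOLD = 6          # failures that deny outright


@dataclass
class AccessAttempt:
    user: str
    source_ip: str
    country: str                      # from IP geolocation, assumed already resolved
    device_id: Optional[str] = None   # None for an unknown or unenrolled device
    recent_failures: int = 0          # failed logins for this user in the recent window


def from_headquarters(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HQ_NETWORKS)


def risk_score(attempt: AccessAttempt) -> int:
    """Additive risk score; each signal mirrors one of the policy examples in the text."""
    score = 0
    if not from_headquarters(attempt.source_ip):
        score += 2                       # outside the trusted network
    registered_country = TRUSTED_DEVICES.get(attempt.device_id)
    if registered_country is None:
        score += 1                       # unknown or unenrolled device
    elif registered_country != attempt.country:
        score += 2                       # known device, unexpected location
    if attempt.recent_failures >= FAILED_ATTEMPT_THRESHOLD:
        score += 3                       # pattern of failed attempts
    return score


def required_authentication(attempt: AccessAttempt) -> str:
    """Map the score to a step-up level: SSO, password+2FA, or 2FA plus knowledge-based questions."""
    if attempt.recent_failures >= LOCKOUT_THRESHOLD:
        return "deny"
    score = risk_score(attempt)
    if score == 0:
        return "sso"
    if score <= 3:
        return "password+2fa"
    return "password+2fa+kba"


if __name__ == "__main__":
    for a in (AccessAttempt("alice", "10.20.5.7", "US", "laptop-4711"),
              AccessAttempt("alice", "198.51.100.9", "RO", "laptop-4711"),
              AccessAttempt("bob", "198.51.100.9", "US", None, recent_failures=3)):
        print(a.user, a.source_ip, a.country, "->", required_authentication(a))
```

Note that a burst of failed attempts raises the requirement even from inside headquarters: the HQ attempt that would normally get SSO is stepped up to a second factor, which is the point of scoring the whole context rather than trusting any single signal.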


A KING’S RANSOM: 4 WAYS TO AVOID BEING INFECTED WITH RANSOMWARE

One of the nastiest and most sinister malware threats to come out of the minds of cybercriminals has been the creation of ‘ransomware’.

Ransomware is a type of malware that encrypts data and then extorts money from the victim. Infection is carried either in an email, as an attachment, or via an exploit kit on a website, where the malware is downloaded and executed. Once infected with ransomware, the files on your computer, across the network and even on remote file storage like Dropbox are encrypted. When the malware has done its job, it pops up an on-screen message letting you know that if you pay X amount within X days, your files will be decrypted. The X amount is usually $500 to $1000, but can be much more, and payment is expected in bitcoin; they ask for bitcoin because it is less easily traceable than a traditional money transfer.

Cryptowall is probably the most infamous of all ransomware. Cryptowall is up to version 4 and, according to the Cyber Threat Alliance, the malware had, by version 3, made at least $325 million worldwide from infections. Each version of Cryptowall becomes even more sophisticated than the last. Cryptowall 3 was built to hide from detection, and Cryptowall 4 changes filenames so users can’t even find out which files have been encrypted.

Ransomware: The Impact

People are paying the hackers. If you suddenly find that all of your data (customer records, intellectual property, documents, flow charts, presentations, accounts, etc.) is encrypted and essentially gone, you’ll pay up. The fear that the ransomware hackers instill in people is real. The FBI reported losses in the U.S. alone of around $18 million between 2014 and 2015. And that’s just in payments out; it doesn’t include material losses through lost time and the network issues that ensue. And of course there is no guarantee that just because you pay the cybercriminals they will decrypt your data – we are dealing with a criminal mind here, after all.

The FBI research is from a year ago, but McAfee, in their 2016 Threat Predictions report, state that: “Ransomware will remain a major and rapidly growing threat in 2016… we predict that the rise of ransomware that started in the third quarter of 2014 will continue in 2016.”

It is hard to read the mind of a cybercriminal into the 2020s, but the likelihood is that a successful money-raising venture like ransomware will only proliferate. The Internet of Things is an area that cybercriminals will likely use as a means of infection: IoT devices have a very wide attack surface, and thus far the security of the IoT is still far from perfect.

Who Is Being Affected by Ransomware?

Ransomware hackers are targeting rich nations. They need to find companies that can afford to take the risk of paying thousands of dollars to get their data back. The target sector the hackers are after is widespread and getting wider. They are coming after businesses of all sizes, rather than this being just a consumer problem.

One of the most insidious ways ransomware is getting onto a network is via ‘malvertising’. Hackers are using the ad placement networks and actually paying for infected ads to be served on legitimate websites. Major websites like the New York Times have run infected ads. The most worrying thing about much ad-based malware is that it is based on ‘exploit kits’ like ‘Angler’. If you visit a site running a malicious ad and you happen to also have a vulnerability in your browser or in Flash, then you have a very high likelihood of becoming infected with ransomware without even clicking the mouse. Scary stuff.

U.S. SMBs are as much of a target as their larger cousins because the hackers know that they are a ‘soft target’. Smaller companies are less likely to have a dedicated security team and systems in place to handle such an attack.

And no one is safe: in the past few months several U.S. hospitals have been infected with ransomware, and one, the Hollywood Presbyterian Medical Center, had to pay out $17,000 in bitcoin to the cybercriminals.

Is There Hope?

You can help prevent a ransomware infection by making sure that:

1. Your staff are well trained in the way that malware infections work; make them aware of the danger of attachments in emails from unknown sources.

2. Your OS and other software are kept up to date and patched.

3. You keep backups of your data (but be careful with backup software that synchronizes with your directories, as the synchronized copy can also end up encrypted by ransomware).

4. You have a security strategy in place to deal with the complexities of ransomware prevention and infection.

Of course, if you do get infected, one thing is apparent: even if you pay to have your files decrypted, the chances are that the cybercriminals behind the scam have already exfiltrated your data using remote access and will be selling it, especially personal information, on the dark web. So, simply put, the best way to deal with ransomware is to avoid infection in the first place.


THE BIG PHISH: HOW HACKERS USE OUR BEHAVIOR AGAINST US

A while back a colleague of mine was spear phished. It was really clever how they did it. She was contacted, not through a direct email, but via a message system of a professional group she was a member of. The message purported to be from a ‘worried colleague’. They had seen her profile on the professional group website and had also noticed that a Facebook account had been created using her photo. The Facebook page was real, her professional photo was being used and a variety of less than complimentary Facebook posts were in the timeline.

The person who sent the phishing email came across as ‘a friend’ trying to help out and pointing to the abuses made in my colleague’s name. They offered help, saying that they’d also been a victim of this sort of identity theft and knew how to counter it. They asked my colleague to email them and they’d show her what to do.

It was a very convincing email. It used some of the oldest tricks in the book; tricks that conmen have used for centuries. It attempted to build a connection with my colleague, to find a common ground. The email was from a trusted source – her professional network. The writer created a scenario shrouded in fear, uncertainty and doubt, to cause my colleague to feel anxious and that her reputation was at risk. The phisher then held out a helping hand to make it all go away. It was a perfect example of highly targeted social engineering, in other words, using normal human behavior to manipulate a person into revealing far too much.

The case above had a happy ending. My colleague is a cyber security professional and recognized the signs of a sophisticated spear phishing attempt. But not everyone is so lucky and human behavior manipulation has become the pivot upon which cyber security attacks are based.

To Err is to Be Human

Social engineering is a technique used to manipulate behavior. It isn’t new. As mentioned above, conmen and tricksters have been using it in one form or another for centuries. One of the most famous social engineers was Frank Abagnale; the film “Catch Me If You Can” was a portrait of his life as a confidence trickster. Frank used people’s natural need to trust in order to commit fraud.

Social engineering has been used extensively in the context of cybercrime. One of the most infamous examples was the ‘I Love You’ virus, an email-borne malware infection which swept the world in 2000. The email had the subject ILOVEYOU and contained a ‘love letter’ which, when opened, ran the malicious code and infected the computer. This trick played on our own vanity: how exciting to get a love letter, almost impossible to resist opening, just in case it was from a secret admirer. And that is exactly what happened, with the virus infecting about 45 million computers within 2 days of its release into the wild.

Since then, cybercriminals have embraced social engineering and human behavior manipulation turning it into almost an art form. The whole area of phishing is based on this very concept.

The Big Phish: Business Email Compromise

Phishing and its richer cousin, spear phishing, are arguably the most successful cyber attack vector ever, with 123,972 unique phishing attacks in 2015 (and since then the number has only been increasing). Phishing emails are very cleverly pulled together by the cybercriminal. In the mass mail-out, less targeted ‘phishing’ variant, the hacker makes the email look just like it comes from a legitimate site, one where you’d enter login credentials; these credentials are then stolen by the hacker behind the spoof site. According to research into phishing by the APWG Internet Policy Committee, PayPal, Apple and TaoBao are the most popular spoofed sites for phishers, with 54% of all spoof sites representing one of the big three.

But the true art of phishing is seen in spear phishing. Spear phishers have to spend quality time getting to know their target. The emails are crafted to reel in their prey, using full personalization and creating trust and connection between the phisher and the victim. One of the latest scams to be based on the principles of manipulating human behavior is the Business Email Compromise, or BEC. BEC scams have been hitting businesses of all sizes, big-time.

A BEC is a form of spear phishing with a complicated profile. Firstly, deep reconnaissance is carried out to identify a business owner or key employee who will become the proxy for the phish. This individual then has their email account either spoofed or compromised. The phisher will then learn as much as they can about their victim and the company they are targeting. They use this information to create highly convincing emails and instructions, using the ‘personality’ of the victim to come across as real. An example of the type of information that is really useful to phishers is the victim’s calendar: are they away on business on certain days, and so on. This allows the phisher to build up a personal profile and so mimic the person more precisely.

Once they have control of the email account, they can apply email rules to make sure they aren’t detected when they use the account. Or, if they spoof the account, they make the email look like it is from that individual. With account control they can then enact their plan, which goes something like this:

1. Create an email from this key staff member asking for a wire transfer of monies to a new creditor.

2. This email will go to one of the compromised user’s subordinates. So, for example, if the CFO’s account is compromised the email might go to the finance controller.

3. A variation on the above is where the phisher asks Human Resources for ‘employee details’, thereby stealing identities which they can use for fraudulent tax returns and so on.

There are a number of different tactics being used, based on a compromised business account. Each one of them uses our natural trust system to trick us into performing actions we’d normally be reluctant to do. BEC attacks are working.
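Because the attacker’s first move after taking over the account is to add mailbox rules that keep the owner from noticing, a periodic audit of those rules is a practical detection. The added example below (not from the original post or from any mail platform) runs such an audit over constructed sample rules in a simplified schema: it flags rules that forward to addresses outside the organisation’s domain, and rules that delete, or move into rarely-read folders, messages about payments, wires or invoices. The organisation domain, folder list and keyword list are assumptions for this example.

```python
from typing import Dict, List, Tuple

INTERNAL_DOMAIN = "example.com"   # assumed organisation domain

# Folders an owner rarely opens, so mail parked there goes unseen (assumed list).
HIDE_FOLDERS = {"deleted items", "rss feeds", "junk email", "archive"}
# Subject keywords that match the money-moving mail a BEC actor intercepts (assumed list).
FINANCE_TERMS = {"wire", "invoice", "payment", "transfer", "payroll", "w-2"}

# Constructed sample rules in a simplified schema; not any mail server's real export format.
SAMPLE_RULES = [
    {"mailbox": "cfo@example.com", "name": "Vendor invoices",
     "subject_contains": ["invoice"], "move_to": "Invoices",
     "forward_to": [], "delete": False},
    {"mailbox": "cfo@example.com", "name": ".",
     "subject_contains": ["wire", "transfer"], "move_to": "RSS Feeds",
     "forward_to": ["cfo.backup@mail-archive.example.net"], "delete": False},
    {"mailbox": "controller@example.com", "name": "Cleanup",
     "subject_contains": ["payment"], "move_to": None,
     "forward_to": [], "delete": True},
]


def audit_rule(rule: dict) -> List[str]:
    """Return human-readable findings for one rule; empty list means nothing suspicious."""
    findings = []

    # Any forward/redirect to a domain other than our own leaks mail out of the organisation.
    external = [a for a in rule["forward_to"]
                if a.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN]
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))

    # Finance-related mail that is deleted or parked in a rarely-read folder hides the fraud trail.
    finance = [t for t in rule["subject_contains"] if t.lower() in FINANCE_TERMS]
    target = (rule["move_to"] or "").lower()
    if finance and (rule["delete"] or target in HIDE_FOLDERS):
        how = "deleting" if rule["delete"] else f"moving to '{rule['move_to']}'"
        findings.append(f"hides finance-related mail ({', '.join(finance)}) by {how}")

    return findings


def audit_rules(rules) -> Dict[Tuple[str, str], List[str]]:
    """Audit every rule; keyed by (mailbox, rule name) so the report can be sent to the owner."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


if __name__ == "__main__":
    for (mailbox, name), findings in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}:")
        for f in findings:
            print("  -", f)
```

The legitimate ‘Vendor invoices’ rule files mail into a working folder and is left alone; the rule named ‘.’ trips both checks, which is the combination to treat as a probable compromise rather than a user tidying their inbox.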


Controlling Our Behavior

Phishing is so popular and successful that it is moving into other spheres. ‘SMiShing’ is the new phishing, with mobile devices being targeted with SMS-based phishing messages. In one such message, the ‘Apple’ link goes to a spoof site in Romania where you are asked to enter your Apple login credentials. If you did so, they would be stolen and used to log in to the real Apple site. Variants on this attack type include an SMS message from a bank asking you to call a number to talk about a possible fraud attack on your account. When you do, you are asked for various details, including your online banking password, the result being that your bank account is cleared out.

There are ways we can counter this abuse of our humanness, but it means being more aware of ourselves, how we react and how cybercriminals operate. Some basic checks include:

  • Caution is the watchword for anyone receiving an email requesting a funds transfer, for example.
  • Do not click directly on a link in an email; instead, if it refers to an account, go to that account through the browser first.
  • Check email addresses: if you expand the address you may see it has unusual characters or is simply not the name it pretends to be.
  • Build a robust security strategy across the whole organization, taking both technologies and human behavior into account.
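The address and link checks in the list above can also be automated on the receiving side. The added example below (not from the original post) takes a constructed From: header and a constructed HTML body and flags: a sender domain that does not match the one expected, non-ASCII characters hiding in the address, a display name that shows a different address than the real one, and links whose visible text names one site while the href points to another. The header parser is deliberately simplified for this example and is not a full RFC 5322 parser.

```python
import re
import unicodedata
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlparse

# Simplified From: header shapes: 'Name <addr>', '"Name" <addr>' or a bare address.
FROM_RE = re.compile(r'^\s*(?:"?(?P<display>[^"<>]*?)"?\s*)?<(?P<addr>[^<>\s]+)>\s*$')
# Visible link text that looks like a URL or bare domain (and so makes a claim about where it goes).
URL_TEXT_RE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def split_from(from_header: str) -> Tuple[str, str]:
    """Split a From: header into (display name, real address)."""
    m = FROM_RE.match(from_header)
    if m:
        return (m.group("display") or "").strip(), m.group("addr")
    return "", from_header.strip()


def sender_anomalies(from_header: str, expected_domain: str) -> List[str]:
    """Flag a sender whose real address does not match what it appears to be."""
    display, addr = split_from(from_header)
    if "@" not in addr:
        return ["address could not be parsed"]
    findings = []
    domain = addr.rsplit("@", 1)[1].lower()
    if domain != expected_domain.lower():
        findings.append(f"sender domain is {domain}, expected {expected_domain}")
    odd = [c for c in addr if ord(c) > 127]          # look-alike (homoglyph) characters
    if odd:
        findings.append("non-ASCII character in address: " + unicodedata.name(odd[0], "UNKNOWN"))
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)  # display name pretending to be the address
    if shown and shown.group(0).lower() != addr.lower():
        findings.append(f"display name shows {shown.group(0)} but the real address is {addr}")
    return findings


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url_or_domain: str) -> str:
    text = url_or_domain if "://" in url_or_domain else "http://" + url_or_domain
    return (urlparse(text).hostname or "").lower()


def link_mismatches(html: str) -> List[Tuple[str, str]]:
    """Return (visible text, href) pairs where the text names a different host than the href."""
    parser = LinkExtractor()
    parser.feed(html)
    parser.close()
    return [(text, href) for href, text in parser.links
            if URL_TEXT_RE.fullmatch(text) and _host(text) != _host(href)]


# Constructed samples, not real messages.
SAMPLE_FROM = "jane.doe@example.com <jane.doe@examp1e-support.net>"
SAMPLE_HTML = ('<p>Please verify at <a href="http://203.0.113.5/login">https://www.example-bank.com/account</a> '
               'or read the <a href="https://www.example-bank.com/help">https://www.example-bank.com/help</a> '
               'or <a href="https://www.example-bank.com/faq">click here</a>.</p>')

if __name__ == "__main__":
    print(sender_anomalies(SAMPLE_FROM, "example.com"))
    print(link_mismatches(SAMPLE_HTML))
```

‘Click here’ links are skipped because their text makes no claim about a destination; the advice to navigate to the account in the browser rather than clicking still applies to them.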

Five reasons to prioritize Privileged Access Management as-a-service

Privileged access is the gateway to an organization’s most valuable assets and is at the core of nearly every major security breach. Privileged Access Management (PAM) as-a-Service is a good way for organizations to get their PAM programs up and running faster and more easily than ever. If you are reading this, you’re likely familiar with Software-as-a-Service (SaaS) and the benefits it can bring your organization. We see organizations moving more and more of their applications and infrastructure to the cloud for a variety of reasons, including security, cost savings and ease of management. Likewise, in cybersecurity, organizations are starting to turn more and more to Security-as-a-Service to capitalize on the benefits above and marry security with operational ease of use.

After privileged access has been identified as a priority, deciding how to deploy it is the next step. In CyberArk’s Global Advanced Threat Landscape Report: Where Security Accountability Stops and Starts in the Public Cloud, we found that the number one reason organizations are moving to the cloud is security.

However, the harsh reality is that no organization can ever fully secure all their applications and infrastructure, whether their data center is on-premises, in the cloud, or hybrid. There is no single solution available in the market today that will prevent every advanced cyber-attack. But prioritizing what matters most first, privileged access, and taking advantage of all the benefits a SaaS solution can provide is increasingly becoming the option of choice for organizations who are embarking on a Privileged Access Management program. Privileged Access Management (PAM) as-a-Service is becoming a popular method for deploying security solutions for a variety of reasons. In this Ebook we’ll discuss five reasons to prioritize PAM as-a-service.
