<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Information Security | OrgLeader, LLC</title>
	<atom:link href="https://www.orgleader.com/tag/information-security/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.orgleader.com</link>
	<description>Optimizing Leaders and Organizations</description>
	<lastBuildDate>Mon, 10 Jan 2022 02:22:42 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.0.11</generator>
	<item>
		<title>Passwords Are Past Their Prime</title>
		<link>https://www.orgleader.com/passwords-are-past-their-prime/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=passwords-are-past-their-prime</link>
					<comments>https://www.orgleader.com/passwords-are-past-their-prime/#respond</comments>
		
		<dc:creator><![CDATA[orgadmin]]></dc:creator>
		<pubDate>Wed, 03 Nov 2021 09:00:13 +0000</pubDate>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Information Security]]></category>
		<guid isPermaLink="false">https://www.orgleader.com/?p=4496</guid>

					<description><![CDATA[How confident are you that passwords are enough to protect your data as a consumer? Michael Nadeau, senior editor at CSO magazine, believes the best thing you can say about using a password for authentication is that it’s better than nothing. High-profile breaches like Equifax, however, have exposed millions of passwords and user IDs, calling [...]]]></description>
										<content:encoded><![CDATA[<p><img class="alignnone size-large wp-image-4497" src="https://www.orgleader.com/wp-content/uploads/Password-Pixabay-1024x724.jpg" alt="" width="1024" height="724" srcset="https://www.orgleader.com/wp-content/uploads/Password-Pixabay-200x141.jpg 200w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay-300x212.jpg 300w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay-400x283.jpg 400w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay-500x354.jpg 500w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay-600x424.jpg 600w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay-700x495.jpg 700w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay-768x543.jpg 768w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay-800x566.jpg 800w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay-1024x724.jpg 1024w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay-1200x848.jpg 1200w, https://www.orgleader.com/wp-content/uploads/Password-Pixabay.jpg 1280w" sizes="(max-width: 1024px) 100vw, 1024px" /></p>
<p>How confident are you that passwords are enough to protect your data as a consumer? <a href="https://www.csoonline.com/article/3237827/password-security/ready-for-more-secure-authentication-try-these-password-alternatives-and-enhancements.html" target="_blank" rel="noopener noreferrer">Michael Nadeau</a>, senior editor at CSO magazine, believes the best thing you can say about using a password for authentication is that it’s better than nothing. High-profile breaches like Equifax, however, have exposed millions of passwords and user IDs, calling into question even that faint praise. Consumers should assume that at least some of their passwords have been compromised. Otherwise, they create a dangerous false sense of security.</p>
<p>If you’re still not convinced about the seriousness of password vulnerabilities, consider these points from the <a href="https://www.verizonenterprise.com/verizon-insights-lab/dbir/" target="_blank" rel="noopener noreferrer">Verizon Data Breach Investigations Report</a>:</p>
<ul>
<li>Hacking still accounts for the largest percentage of data breaches.</li>
<li>Eighty-one percent of hacking-related breaches involved either stolen or weak passwords.</li>
</ul>
<p>Password-only protection is permanently broken, and any organization relying on it is placing its business and reputation at risk. Even if they avoid a breach, awareness of the shortcomings of password protection is much higher now thanks to Equifax. If that’s how you protect customers’ data, they will think twice about trusting you with it.</p>
<h4>Authentication Alternatives</h4>
<p>Alternatives like two-factor authentication (2FA), multifactor authentication (MFA), behavioral analytics, and biometrics have been available for some time, but adoption rates are low. The growing threat of breaches and consumer awareness are lowering the barriers to implementing these options — the primary barriers being user resistance, complexity and ROI.</p>
<p>All these alternatives can be compromised, some more easily than others. Dustin Heywood, senior managing consultant for IBM’s X-Force Red security testing team, shared that all forms of authentication (such as a fingerprint, a face, an iris scan) are broken down into bits and bytes, and they are basically a “shared secret.” Because these shared secrets are stored digitally like a password, it is theoretically possible to steal them. The difference is that it’s harder to do so.</p>
<p>The goal is to make it so difficult to gain access that most cybercriminals will look elsewhere for easier pickings. Many companies use a combination of authentication methods depending on the risk, user considerations and value of the data being protected to reach a reasonable expectation of security.</p>
<p>While consumers might be more accepting of more complex authentication to protect health and financial data due to recent high-profile breaches, not all service providers offer the option. “A lot of banks, because of work that was done quite some time ago, think that having security questions tied to an account is a second factor, which it really isn’t,” says independent security researcher Jessy Irwin. “People want an extra layer of protection, and don’t have the option to turn anything on. They have to go to customer service or an account representative or up a chain to even ask for these features.”</p>
<p>Robert Block, senior vice president at intelligence-based authentication provider SecureAuth, thinks the challenge of implementing stronger authentication is not with the technology. It is about getting decision makers to determine the level of acceptable risk, the number of factors to support and the way to present those factors to the end user.</p>
<p>Whether it is a smartphone or something else, requiring ownership of a device for access limits the damage a cybercriminal can do. Harry Sverdlove, co-founder/CTO of Edgewise Networks, believes the most reliable scheme would require something users know (password, answers to security questions), something they have (smartphone, token device), their location, and something they are (biometrics, behavioral analytics).</p>
<p>If you want your data as a consumer to be better protected, companies need to think beyond passwords. Creating more obstacles for a cybercriminal makes it more likely this individual will move on to another target.</p>
<p>________________________</p>
<p><a href="http://www.ryanlahti.com" target="_blank" rel="noopener noreferrer">Ryan Lahti</a> is the managing principal of <a href="http://www.orgleader.com/" target="_blank" rel="noopener noreferrer">OrgLeader</a> and author of <a href="https://www.orgleader.com/finesse/finesse-factor/" target="_blank" rel="noopener noreferrer"><em>The Finesse Factor</em></a>. Stay up to date on Ryan&#8217;s STEM organization tweets here: <a href="https://twitter.com/RyanLahti" target="_blank" rel="noopener noreferrer">@ryanlahti</a></p>
<p><a href="https://www.orgleader.com/finesse/finesse-factor/" target="_blank" rel="noopener noreferrer"><img class="aligncenter wp-image-4596 size-medium" title="The Finesse Factor by Ryan Lahti" src="https://www.orgleader.com/wp-content/uploads/finesse-book-1-300x233.jpg" alt="The Finesse Factor by Ryan Lahti" width="300" height="233" srcset="https://www.orgleader.com/wp-content/uploads/finesse-book-1-200x156.jpg 200w, https://www.orgleader.com/wp-content/uploads/finesse-book-1-300x233.jpg 300w, https://www.orgleader.com/wp-content/uploads/finesse-book-1-400x311.jpg 400w, https://www.orgleader.com/wp-content/uploads/finesse-book-1-500x389.jpg 500w, https://www.orgleader.com/wp-content/uploads/finesse-book-1-600x467.jpg 600w, https://www.orgleader.com/wp-content/uploads/finesse-book-1-700x544.jpg 700w, https://www.orgleader.com/wp-content/uploads/finesse-book-1-768x597.jpg 768w, https://www.orgleader.com/wp-content/uploads/finesse-book-1-800x622.jpg 800w, https://www.orgleader.com/wp-content/uploads/finesse-book-1.jpg 900w" sizes="(max-width: 300px) 100vw, 300px" /></a></p>
<p>(Photo: <a href="https://pixabay.com/photo-397653/" target="_blank" rel="noopener noreferrer">Password</a>, Pixabay)</p>The post <a href="https://www.orgleader.com/passwords-are-past-their-prime/">Passwords Are Past Their Prime</a> first appeared on <a href="https://www.orgleader.com">OrgLeader, LLC</a>.]]></content:encoded>
					
					<wfw:commentRss>https://www.orgleader.com/passwords-are-past-their-prime/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Responding to the Ransomware Risk</title>
		<link>https://www.orgleader.com/ransomware/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=ransomware</link>
					<comments>https://www.orgleader.com/ransomware/#respond</comments>
		
		<dc:creator><![CDATA[orgadmin]]></dc:creator>
		<pubDate>Thu, 16 Feb 2017 09:00:27 +0000</pubDate>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Information Security]]></category>
		<guid isPermaLink="false">https://www.orgleader.com/?p=2978</guid>

					<description><![CDATA[What do you do if you are the victim of ransomware? For several years, the FBI has recommended that you do not pay when malicious software is used to encrypt or otherwise hold data hostage until a payment is made (a.k.a. ransomware), according to CSO. This position was forcefully echoed by one of the nation’s [...]]]></description>
										<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-2981" src="/wp-content/uploads/2017/02/Cryptolocker-ransomware-Flickr.jpg" alt="Cryptolocker ransomware - Flickr" width="100%" srcset="https://www.orgleader.com/wp-content/uploads/Cryptolocker-ransomware-Flickr-200x112.jpg 200w, https://www.orgleader.com/wp-content/uploads/Cryptolocker-ransomware-Flickr-300x168.jpg 300w, https://www.orgleader.com/wp-content/uploads/Cryptolocker-ransomware-Flickr-400x224.jpg 400w, https://www.orgleader.com/wp-content/uploads/Cryptolocker-ransomware-Flickr-500x280.jpg 500w, https://www.orgleader.com/wp-content/uploads/Cryptolocker-ransomware-Flickr-600x337.jpg 600w, https://www.orgleader.com/wp-content/uploads/Cryptolocker-ransomware-Flickr.jpg 640w" sizes="(max-width: 640px) 100vw, 640px" /></p>
<p>What do you do if you are the victim of ransomware? For several years, the FBI has recommended that you do not pay when malicious software is used to encrypt or otherwise hold data hostage until a payment is made (a.k.a. ransomware), according to <a href="http://www.csoonline.com/article/3168931/data-breach/to-pay-or-not-to-pay-too-many-victims-say-yes-to-ransomware.html" target="_blank">CSO</a>. This position was forcefully echoed by one of the nation’s highest-profile security bloggers – <a href="https://krebsonsecurity.com/2016/12/before-you-pay-that-ransomware-demand/?utm_source=feedburner&amp;utm_medium=feed&amp;utm_campaign=Feed%3A+KrebsOnSecurity+%28Krebs+on+Security%29" target="_blank">Brian Krebs</a> – in a recent post.</p>
<p>Unfortunately, this advice has not always been followed. The <a href="https://www.carbonite.com/globalassets/files-white-papers/ransomware-report.pdf" target="_blank">Ponemon Institute</a> reported in a recent study that 48 percent of businesses victimized by ransomware said they paid.</p>
<p>The reality is that the success of ransomware isn’t just increasing. It’s exploding. According to the FBI, the collective amount of ransoms paid in all of 2015 in the U.S. was $24 million. Gartner shared at its <a href="http://www.gartner.com/events/na/security" target="_blank">2016 Security &amp; Risk Summit</a> that ransomware is likely to have netted organized cybercrime more than $1 billion in 2016.</p>
<p>The problem is likely worse than the findings. The FBI said many victims don’t report it, “for a number of reasons, including concerns over not knowing where and to whom to report; not feeling their loss warrants law enforcement attention; concerns over privacy, business reputation, or regulatory data breach reporting requirements; or embarrassment.”</p>
<p>The reasons for ransomware’s attractiveness to cyber criminals are not complicated. It doesn’t take all that much expertise – it has been widely reported that it is easy for so-called “script kiddies” to buy or lease the malware on the <a href="http://csoonline.com/article/2137223/data-protection/dark-web--an-ever-more-comfortable-haven-for-cyber-criminals.html" target="_blank">Dark Web</a>.</p>
<p>A <a href="http://csoonline.com/article/3074431/data-breach/tricks-that-ransomware-uses-to-fool-you.html" target="_blank">ransomware attack</a> is potentially more damaging than a data breach, especially to a business. No organization wants its data stolen, but it can continue to function after it discovers a breach. If all of its data are encrypted and it doesn’t have a backup, it can’t function.</p>
<p>As a <a href="http://icitech.org/wp-content/uploads/2016/03/ICIT-Brief-The-Ransomware-Report2.pdf" target="_blank">white paper</a> by the Institute for Critical Infrastructure Technology (ICIT) noted, the ransom demanded is generally not a crippling amount. For individuals, it tends to be a few hundred dollars in Bitcoin. “From law enforcement’s perspective, a home burglary results in greater loss than a singular ransomware attack,” the report said, which means law enforcement will rarely devote “significant resources” to investigating it.</p>
<p>According to a recent <a href="https://www.justice.gov/criminal-ccips/file/872771/download" target="_blank">U.S. Government report</a>, there have been approximately 4,000 ransomware attacks per day in 2016 – a dramatic increase over the 1,000 attacks per day reported in 2015. Compared to today’s payment of about 2 Bitcoins or $670 daily, the report estimates the average ransom will substantially increase to $300,000 per day.</p>
<p>According to ICIT, Joseph Bonavolonta, the Boston-based head of the FBI&#8217;s CYBER and Counterintelligence Program, got into trouble with Sen. Ron Wyden (D-Ore.) in October 2015 when he said, &#8220;To be honest, we often advise people just to pay the ransom.&#8221;</p>
<p>After Wyden complained, the FBI “clarified” that its position was, “only to pay the ransom if mitigation steps failed and the only other option was to lose the files.” Those factors, which all contribute to the success rate of ransomware attacks, are some of the same reasons victims are motivated to pay – they are desperate to recover their files, and they can afford the price more easily than they can afford to lose their files.</p>
<p>Of course, there is plenty of logic behind the FBI’s arguments as well. The primary one is that paying simply makes the problem greater – the more criminals make, the more they will attack.</p>
<p>The bureau and others also note that there is no guarantee that criminals will produce an encryption key once the ransom is paid, or get rid of the malware on the device, meaning a victim could get victimized again.</p>
<p>Krebs said victims do have options, even if they don’t have a current backup. He recommended contacting two websites – <a href="https://www.nomoreransom.org/" target="_blank">No More Ransom</a> and <a href="https://www.bleepingcomputer.com/" target="_blank">Bleeping Computer</a> – which provide free solutions to at least some ransomware variants.</p>
<p>Krebs said No More Ransom, which is backed by security firms and cybersecurity organizations in 22 countries, had saved 6,000 victims of ransomware more than $2 million by December 2016.</p>
<p>But that statistic, say other experts, shows that while it is a laudable initiative, it is unlikely to slow the explosive growth of ransomware – $2 million is barely a rounding error in the total being collected by cyber criminals.</p>
<p>Stu Sjouwerman, CEO of KnowBe4, explained that the decision not to pay is not always that easy. He said it comes down to a cost/benefit calculation. “It becomes a no-brainer if you are faced with a failed backup and more than a month of lost data that could shut you down.”</p>
<p>Ed Cabrera, chief cybersecurity officer at Trend Micro, also noted the divide between what should happen and what does happen. “The consensus is clear that paying ‘should’ never be an option,” he said. “However, as companies fail to plan, they are planning to fail when it comes to ransomware attacks. This is obviously a very lucrative business in the Deep Web and is only going to continue evolving to different file types and systems that are very important to companies and consumers.”</p>
<p>Given the previous statistics, it is apparent that many organizations are failing to plan. CSO sees this as puzzling, because ways to prevent ransomware are reasonably straightforward and widely publicized, including on the FBI website. The most important thing is to back up data regularly, and secure the backups – don’t leave them connected to the computers and networks they are backing up – so they can’t also be infected by an attack.</p>
<p>Krebs has his own Three Rules of Online Security:</p>
<ol>
<li>If you didn’t go looking for it, don’t install it.</li>
<li>If you installed it, update it.</li>
<li>If you no longer need it (or, if it’s become too big of a security risk) get rid of it.</li>
</ol>
<p>Ransomware is an increasing risk. If your organization has not already taken precautions, it is at least worth putting it on the agenda for your next security meeting.</p>
<p><em>_________</em></p>
<p><a href="https://www.orgleader.com/about/" target="_blank"><em>Ryan Lahti</em></a><em> is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: </em><a href="https://twitter.com/RyanLahti" target="_blank"><em>@ryanlahti</em></a></p>
<p>(Photo: <a href="https://goo.gl/images/48XJ5W" target="_blank">Cryptolocker ransomware</a>, Flickr)</p>The post <a href="https://www.orgleader.com/ransomware/">Responding to the Ransomware Risk</a> first appeared on <a href="https://www.orgleader.com">OrgLeader, LLC</a>.]]></content:encoded>
					
					<wfw:commentRss>https://www.orgleader.com/ransomware/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity Enlightenment for CEOs</title>
		<link>https://www.orgleader.com/cybersecurity-ceos/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cybersecurity-ceos</link>
					<comments>https://www.orgleader.com/cybersecurity-ceos/#respond</comments>
		
		<dc:creator><![CDATA[orgadmin]]></dc:creator>
		<pubDate>Thu, 16 Jun 2016 09:00:54 +0000</pubDate>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Information Security]]></category>
		<guid isPermaLink="false">https://www.orgleader.com/?p=2397</guid>

					<description><![CDATA[More than 90 percent of corporate executives say they can’t read a cybersecurity report and are not prepared to handle a major attack according to a report from Nasdaq and Tanium — an endpoint security and systems management vendor out of Emeryville, California. The report, which can be seen in a CNBC video, highlights a training opportunity [...]]]></description>
										<content:encoded><![CDATA[<p><img class="alignnone size-full wp-image-2398" src="/wp-content/uploads/2016/06/Cybersecurity-Flickr.jpg" alt="Cybersecurity - Flickr" width="100%" srcset="https://www.orgleader.com/wp-content/uploads/Cybersecurity-Flickr-200x133.jpg 200w, https://www.orgleader.com/wp-content/uploads/Cybersecurity-Flickr-300x199.jpg 300w, https://www.orgleader.com/wp-content/uploads/Cybersecurity-Flickr-400x266.jpg 400w, https://www.orgleader.com/wp-content/uploads/Cybersecurity-Flickr-500x332.jpg 500w, https://www.orgleader.com/wp-content/uploads/Cybersecurity-Flickr-600x398.jpg 600w, https://www.orgleader.com/wp-content/uploads/Cybersecurity-Flickr.jpg 640w" sizes="(max-width: 640px) 100vw, 640px" /></p>
<p>More than 90 percent of corporate executives say they can’t read a cybersecurity report and are not prepared to handle a major attack, according to a <a href="http://video.cnbc.com/gallery/?video=3000506270" target="_blank">report</a> from Nasdaq and Tanium — an endpoint security and systems management vendor out of Emeryville, California. The report, which can be seen in a CNBC video, highlights a training opportunity for CEOs on cybersecurity.</p>
<p>In a recent <a href="http://www.forbes.com/sites/stevemorgan/2016/05/04/why-ceos-are-failing-cybersecurity-and-how-to-help-them-get-passing-grades/#45af5c95553b" target="_blank">Forbes article</a>, Steve Morgan reiterates the fact that cybercrime is on the rise, but a lot of information about it is geared more toward those in the information security field. For example, the <a href="http://www.verizonenterprise.com/verizon-insights-lab/dbir/" target="_blank">Verizon 2016 Data Breach Investigations Report</a> (DBIR) states that no location, industry or organization is immune from attack. A DBIR executive summary — described as the C-level guide to what they need to know — is full of information that will sound convoluted to most CEOs. For instance, &#8220;the median traffic of a DoS attack is 1.89 million packets per second — that’s like over 113 million people trying to access your server every minute.&#8221;</p>
<p>Make no mistake, Verizon’s report is an invaluable resource and recommended reading for business leaders. A skim through is certain to heighten awareness around cyber risks — even if it leaves a CEO scratching her head trying to figure out what all the technical terms mean — including patching, change monitoring, SLAs for DoS mitigation, CMS plugins, two-factor authentication, tamper evident controls, and all the rest.</p>
<p>Amjed Saffarini, CEO of <a href="https://www.cybervistainc.com/" target="_blank">Cybervista</a> (a cybersecurity training company), spoke at the <a href="http://cyberinvestingsummit.com/" target="_blank">Cyber Investing Summit</a> and explained that C-suite executives and board members need to be educated on cybersecurity or the cyber damage will only get worse. While CEOs may be receptive to the notion of learning about cyber, their biggest challenges are setting aside the learning time and finding training programs geared specifically to their needs.</p>
<p>Saffarini said that he knew absolutely nothing about cybersecurity a year ago. Now he’s a subject matter expert on cyber workforce issues. Saffarini said there are two main ingredients for educating CEOs whether it’s a Cybervista program or something else. First, everything needs to be broken down into plain language and business terms that resonate with a CEO. Second, it needs to be delivered in bite-sized chunks — 15 or 20 minutes at a time — so it can realistically be worked into a CEO’s busy schedule.</p>
<p>As CEOs become more savvy on cybersecurity topics, it will help to drive home the point that cybersecurity is a key element in corporate risk management. Furthermore, sound cybersecurity will involve an investment of money in addition to time. As Brad Egeland explains in a <a href="http://www.cio.com/article/2984380/project-manager/5-things-your-ceo-should-know-about-cybersecurity.html" target="_blank">CIO</a> article, you need to fund security, not just put someone “on it.” If someone wants your data badly enough, they are likely to get it. Nonetheless, you need to do what you can to protect it for the sake of the business as well as the peace of mind of employees, executives and shareholders alike.</p>
<p>CEOs do not have to be cybersecurity experts. They need to be more cybersecurity enlightened. The first step is adjusting cybersecurity education to better fit the needs of CEOs.</p>
<p>Related posts:</p>
<p><a href="https://www.orgleader.com/cybersecurity-boardroom/" target="_blank">Cybersecurity in the Boardroom</a></p>
<p><em>&#8212;&#8212;&#8212;&#8211;</em></p>
<p><a href="https://www.orgleader.com/about/" target="_blank"><em>Ryan Lahti</em></a><em> is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: </em><a href="https://twitter.com/RyanLahti" target="_blank"><em>@ryanlahti</em></a></p>
<p>(Photo: <a href="https://www.flickr.com/photos/inl/3639507323/in/photolist-6xBqJg-7SUwMh-7SUx4W-7SRf6a-7SRfaH-7SUwRy-7SUwfL-7SRfo4-7SUwt7-7SUwBW-7SUwk9-7SReRF-7SUwWd-7SUwnm-7SRfkM-7SRfFK-7SUwyW-7SUwNW-7SReW2-7SUx13-7SUwb7-7SUwYG-7SUwDU-7SRfM4-kg8qkG-kg62FD-7SUwU9-7SRfqe-kg6GAk-kg6rqR-kg67T2-kg8oRj-kg6vdF-kg6tvn-kg66f2-kg6yja-kg8rFN-kg6Phg-kg6V22-kg6wGn-kg8F4Q-kg6Qxc-kg69xV-kg6TCk-nvNC6S-nvNC2K-nN173t-nNfbpu-nLfGFW-nvNDtb" target="_blank">Cybersecurity</a>, Flickr)</p>The post <a href="https://www.orgleader.com/cybersecurity-ceos/">Cybersecurity Enlightenment for CEOs</a> first appeared on <a href="https://www.orgleader.com">OrgLeader, LLC</a>.]]></content:encoded>
					
					<wfw:commentRss>https://www.orgleader.com/cybersecurity-ceos/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Information Security in 2016</title>
		<link>https://www.orgleader.com/information-security/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=information-security</link>
					<comments>https://www.orgleader.com/information-security/#respond</comments>
		
		<dc:creator><![CDATA[orgadmin]]></dc:creator>
		<pubDate>Thu, 14 Jan 2016 09:00:20 +0000</pubDate>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Information Security]]></category>
		<guid isPermaLink="false">https://www.orgleader.com/?p=2154</guid>

					<description><![CDATA[In 2016, information security continues to be a critical topic for organizations of all types to address. In its 2016 Annual Security Report that discusses cybersecurity trends and threat intelligence, Cisco drives this point home. The report points out that only 45 percent of organizations worldwide are confident in their security measures as today’s cyber attackers [...]]]></description>
										<content:encoded><![CDATA[<p><img class="alignnone wp-image-2155" src="/wp-content/uploads/2016/01/Information-Security-1024x1024.jpg" alt="Security concept: Lock on digital screen" width="100%" srcset="https://www.orgleader.com/wp-content/uploads/Information-Security-66x66.jpg 66w, https://www.orgleader.com/wp-content/uploads/Information-Security-100x100.jpg 100w, https://www.orgleader.com/wp-content/uploads/Information-Security-150x150.jpg 150w, https://www.orgleader.com/wp-content/uploads/Information-Security-200x200.jpg 200w, https://www.orgleader.com/wp-content/uploads/Information-Security-300x300.jpg 300w, https://www.orgleader.com/wp-content/uploads/Information-Security-400x400.jpg 400w, https://www.orgleader.com/wp-content/uploads/Information-Security-500x500.jpg 500w, https://www.orgleader.com/wp-content/uploads/Information-Security-600x600.jpg 600w, https://www.orgleader.com/wp-content/uploads/Information-Security-700x700.jpg 700w, https://www.orgleader.com/wp-content/uploads/Information-Security-768x768.jpg 768w, https://www.orgleader.com/wp-content/uploads/Information-Security-800x800.jpg 800w, https://www.orgleader.com/wp-content/uploads/Information-Security-1024x1024.jpg 1024w, https://www.orgleader.com/wp-content/uploads/Information-Security-1200x1200.jpg 1200w, https://www.orgleader.com/wp-content/uploads/Information-Security.jpg 5001w" sizes="(max-width: 1024px) 100vw, 1024px" /></p>
<p class="wp-caption-dd">In 2016, information security continues to be a critical topic for organizations of all types to address. In its <em><a href="http://www.cisco.com/c/m/en_us/offers/sc04/2016-annual-security-report/index.html?KeyCode=001031986&amp;_ga=1.225472537.203006426.1453492941" target="_blank">2016 Annual Security Report</a></em> that discusses cybersecurity trends and threat intelligence, <a href="http://www.cisco.com/" target="_blank">Cisco</a> drives this point home. The report points out that only 45 percent of organizations worldwide are confident in their security measures as today’s cyber attackers are more persistent in launching increasingly sophisticated campaigns. Although a large percentage of organizations appear to question their security capabilities, 92 percent of the executives agree that regulators and investors will expect companies to manage cybersecurity risk exposure which should place it high on their priority lists.</p>
<p>The Cisco report further identifies key factors that are contributing to the risk exposure. The factors include:</p>
<p><strong>Aging infrastructure:</strong> Between 2014 and 2015, the number of organizations that said their security infrastructure was up-to-date dropped by 10 percent. The survey discovered that 92 percent of Internet devices are running known vulnerabilities. Thirty-one percent of all devices analyzed are no longer supported or maintained by the vendor.</p>
<p><strong>Shifting server activity:</strong> Online criminals have shifted to compromised servers, such as those for WordPress, to support their attacks, leveraging social media platforms for nefarious purposes. For example, the number of WordPress domains used by criminals grew 221 percent between February and October 2015.</p>
<p><strong>Browser-based data leakage:</strong> While often viewed by security teams as a low-level threat, malicious browser extensions have been a potential source of major data leaks, affecting more than 85 percent of organizations. Adware, malvertising, and even common websites or obituary columns have led to breaches for those who do not regularly update their software.</p>
<p>While many organizations focus their attention on the security of customer data, IT security firm <a href="https://www.sophos.com/en-us.aspx" target="_blank">Sophos</a> explains in its report, <em><a href="https://www.sophos.com/en-us/medialibrary/Gated%20Assets/white%20papers/the-state-of-encryption-today-wpna.pdf?la=en" target="_blank">The State of Encryption Today</a></em>, that employee, company and cloud data are not protected to the same degree. After surveying 1700 IT decision makers in the U.S., Canada, India, Australia, Japan and Malaysia, Sophos made some eye-opening discoveries.</p>
<p>Thirty-one percent of the companies surveyed that store employee data admit that employee bank details are not always encrypted. Forty-three percent of the companies holding sensitive employee HR files don’t always encrypt them, and nearly half of those that store employee healthcare information (47 percent) fail to consistently encrypt these records.</p>
<p>“Data breaches happen to large and small companies every day, and the last line of defense against that breach turning into a corporate crisis is a comprehensive data encryption policy,” commented Dan Schiappa, senior vice president and general manager of Enduser Security at Sophos. “While it is the customer data breaches that hit the headlines, companies have the same obligation to protect sensitive employee data, and they should not overlook it.”</p>
<p>Company data remains at risk as well. Nearly one-third (30 percent) of all organizations surveyed fail to always encrypt their own corporate financial information, and nearly half (41 percent) inconsistently encrypt files containing valuable intellectual property.</p>
<p>Cloud data security is also an issue. More than eight in ten companies (84 percent) expressed concern about the safety of data stored in the cloud. Nonetheless, while 80 percent are using the cloud for storage, only 39 percent encrypt all files stored in the cloud.</p>
<p>Companies can do more to ensure information security, but so can employees. Even something as simple as passwords still needs some work. SplashData announced the 2015 edition of its annual <a href="https://www.teamsid.com/worst-passwords-2015/" target="_blank">Worst Passwords List</a> that highlights the insecure password habits of Internet users, and “123456” and “password” once again are the most commonly used passwords. These passwords have held the top positions since SplashData’s first list in 2011. Although some new and longer passwords made their debut, the longer passwords are so simple that their extra length is virtually worthless as a security measure.</p>
<p>Given the findings from Cisco, Sophos and SplashData, it is clear that information security is an ongoing challenge for which all stakeholders from companies to employees can make improvements. Hopefully, the remainder of 2016 will bring more focused efforts to do so.</p>
<p><em>&#8212;&#8212;&#8212;&#8211;</em></p>
<p><a href="https://www.orgleader.com/about/" target="_blank"><em>Ryan Lahti</em></a><em> is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: </em><a href="https://twitter.com/RyanLahti" target="_blank"><em>@ryanlahti</em></a></p>
<p>(Photo: Dollar Photo Club)</p>The post <a href="https://www.orgleader.com/information-security/">Information Security in 2016</a> first appeared on <a href="https://www.orgleader.com">OrgLeader, LLC</a>.]]></content:encoded>
					
					<wfw:commentRss>https://www.orgleader.com/information-security/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Man in the Cloud Attacks on Box, Google Drive and Dropbox</title>
		<link>https://www.orgleader.com/man-in-the-cloud-attacks/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=man-in-the-cloud-attacks</link>
					<comments>https://www.orgleader.com/man-in-the-cloud-attacks/#respond</comments>
		
		<dc:creator><![CDATA[orgadmin]]></dc:creator>
		<pubDate>Thu, 13 Aug 2015 09:00:16 +0000</pubDate>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Information Security]]></category>
		<guid isPermaLink="false">https://www.orgleader.com/?p=1887</guid>

					<description><![CDATA[If your company uses cloud applications such as Box, Google Drive or Dropbox to make data available to multiple users and devices, then you should be aware of Man in the Cloud (MITC) cyber attacks. Imperva, a cyber security company based in northern California, described MITC as a new type of attack in its August [...]]]></description>
										<content:encoded><![CDATA[<p><span style="color: #000000; font-family: Calibri;"><img class="alignnone wp-image-1889" src="/wp-content/uploads/2015/08/Michelin-Man-in-the-Sky-Flickr.jpg" alt="Michelin Man in the Sky - Flickr" width="100%" srcset="https://www.orgleader.com/wp-content/uploads/Michelin-Man-in-the-Sky-Flickr-200x133.jpg 200w, https://www.orgleader.com/wp-content/uploads/Michelin-Man-in-the-Sky-Flickr-300x200.jpg 300w, https://www.orgleader.com/wp-content/uploads/Michelin-Man-in-the-Sky-Flickr-400x266.jpg 400w, https://www.orgleader.com/wp-content/uploads/Michelin-Man-in-the-Sky-Flickr-500x333.jpg 500w, https://www.orgleader.com/wp-content/uploads/Michelin-Man-in-the-Sky-Flickr-600x399.jpg 600w, https://www.orgleader.com/wp-content/uploads/Michelin-Man-in-the-Sky-Flickr.jpg 640w" sizes="(max-width: 640px) 100vw, 640px" /></span></p>
<p><span style="color: #000000; font-family: Calibri;">If your company uses cloud applications such as Box, Google Drive or Dropbox to make data available to multiple users and devices, then you should be aware of Man in the Cloud (MITC) cyber attacks. <a href="http://www.imperva.com/" target="_blank">Imperva</a>, a cyber security company based in northern California, described MITC as a new type of attack in its </span><span style="color: #0000ff; font-family: Calibri;"><a href="http://www.imperva.com/docs/imperva_Hacker_Intelligence_Initiative_No22_Jul2015_v1d.pdf" target="_blank">August Hacker Intelligence Initiative Report</a></span><span style="color: #000000; font-family: Calibri;">. </span></p>
<p><span style="color: #000000; font-family: Calibri;">As <a href="http://www.securityweek.com/man-cloud-attacks-leverage-storage-services-steal-data" target="_blank">SecurityWeek</a></span><span style="color: #000000; font-family: Calibri;"> and <a href="http://www.pcmag.com/article2/0,2817,2489189,00.asp" target="_blank">PCMag</a> point out, MITC attackers can easily use Box or one of the other file synchronization services to control communication, gain remote access or extract data in a much simpler way. Attackers don’t have to steal a user’s account credentials or compromise the cloud provider’s servers. The attackers just have to access the file synchronization information on the user’s device which is usually stored in a file, registry or credential manager. According to experts, this information can easily be accessed and decrypted by attackers. The attackers can then synchronize their own devices with the victim’s account by copying the victim’s synchronization information to the right place on the attackers’ system. </span></p>
<p><span style="color: #000000; font-family: Calibri;">Incidentally, an MITC attack is different from attacks identified by similar names such as Man in the Middle (MITM) and Man in the Browser (MITB) attacks. An MITM attack is one in which the attacker secretly intercepts and relays messages between two parties who believe they are communicating directly with each other. It’s a form of eavesdropping, but the entire conversation is controlled by the attacker who even has the ability to modify the content of each message. </span></p>
<p><span style="color: #000000; font-family: Calibri;">An MITB attack involves stealing login credentials, account numbers, and various other types of financial information. The attack combines the use of Trojan horses with a unique phishing approach that captures data as the user enters it. The user is completely unaware that the data is being hijacked, because he or she is interacting with a legitimate site. </span></p>
<p><span style="color: #000000; font-family: Calibri;">Since MITC attacks are the newest forms of cyber threats, Imperva recommends that organizations protect themselves from MITC attacks in two ways. First, monitor access and usage of cloud services across the enterprise. Second, utilize controls such as data activity monitoring and file activity monitoring around business data resources to recognize abnormal and abusive access to critical data.</span></p>
<p><em>&#8212;&#8212;&#8212;&#8211;</em></p>
<p><a href="https://www.orgleader.com/about/" target="_blank"><em>Ryan Lahti</em></a><em> is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: </em><a href="https://twitter.com/RyanLahti" target="_blank"><em>@ryanlahti</em></a></p>
<p><span style="color: #000000; font-family: Calibri;">(Photo: <a href="https://flic.kr/p/5g7hV3" target="_blank">Michelin Man in the Sky</a>, Flickr)</span></p>The post <a href="https://www.orgleader.com/man-in-the-cloud-attacks/">Man in the Cloud Attacks on Box, Google Drive and Dropbox</a> first appeared on <a href="https://www.orgleader.com">OrgLeader, LLC</a>.]]></content:encoded>
					
					<wfw:commentRss>https://www.orgleader.com/man-in-the-cloud-attacks/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Internet of Things Deserves Your Attention</title>
		<link>https://www.orgleader.com/internet-of-things/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=internet-of-things</link>
					<comments>https://www.orgleader.com/internet-of-things/#respond</comments>
		
		<dc:creator><![CDATA[orgadmin]]></dc:creator>
		<pubDate>Thu, 12 Mar 2015 09:00:41 +0000</pubDate>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Information Security]]></category>
		<guid isPermaLink="false">https://www.orgleader.com/?p=1694</guid>

					<description><![CDATA[How much attention should be paid to the Internet of Things (IoT)? Some recent events in the last three months provide a compelling answer. Earlier this week, Forbes reported that global software developer SAP announced a list of new partnerships in order to get more involved in IoT. TechCrunch shared news today that Amazon acquired [...]]]></description>
										<content:encoded><![CDATA[<p><img class="aligncenter wp-image-1696 size-full" src="/wp-content/uploads/2015/03/Wearable-Technology-Flickr.jpg" alt="Wearable Technology - Flickr" width="100%" srcset="https://www.orgleader.com/wp-content/uploads/Wearable-Technology-Flickr-200x120.jpg 200w, https://www.orgleader.com/wp-content/uploads/Wearable-Technology-Flickr-300x180.jpg 300w, https://www.orgleader.com/wp-content/uploads/Wearable-Technology-Flickr-400x240.jpg 400w, https://www.orgleader.com/wp-content/uploads/Wearable-Technology-Flickr-500x300.jpg 500w, https://www.orgleader.com/wp-content/uploads/Wearable-Technology-Flickr-600x360.jpg 600w, https://www.orgleader.com/wp-content/uploads/Wearable-Technology-Flickr.jpg 640w" sizes="(max-width: 640px) 100vw, 640px" /></p>
<p>How much attention should be paid to the Internet of Things (IoT)? Some recent events in the last three months provide a compelling answer. Earlier this week, <a href="http://www.forbes.com/sites/greatspeculations/2015/03/10/sap-prepares-to-take-on-the-internet-of-things-announces-string-of-new-partnerships/" target="_blank"><em>Forbes</em></a> reported that global software developer <a href="http://go.sap.com/index.html" target="_blank">SAP</a> announced a list of new partnerships in order to get more involved in IoT. <a href="http://techcrunch.com/2015/03/12/amazon-has-quietly-acquired-2lemetry-to-build-out-its-internet-of-things-strategy/" target="_blank">TechCrunch</a> shared news today that <a href="http://www.amazon.com/" target="_blank">Amazon</a> acquired 2lemetry, a startup based in Denver that has created a platform to track and manage IP-enabled machines and other connected devices.</p>
<p>Since IoT refers to devices that can be web-connected (e.g., thermostats, fitness bracelets, garage doors, refrigerators, TVs, industrial machinery and building alarm systems) even Congress has taken notice. In February, <a href="http://www.usatoday.com/story/news/politics/2015/02/09/internet-of-things-house-caucus-senate-hearing/22927075/" target="_blank"><em>USA Today</em></a> explained how two tech-savvy members of Congress (Reps. Darrell Issa and Suzan DelBene) formed a new Congressional Caucus on IoT to educate their colleagues while a bipartisan group of four senators had the Senate’s first-ever hearing on the topic.</p>
<p>The Federal Trade Commission has calculated that the number of Internet-connected devices currently exceeds 25 billion worldwide. This number is expected to double in the next five years. <a href="http://mashable.com/2015/01/05/samsung-internet-of-things/" target="_blank">Samsung CEO BK Yoon</a> shared in January how his company will contribute to this number. At the 2015 International Consumer Electronics Show, he promised that all Samsung TVs and products will be web-connected in five years.</p>
<p>While IoT benefits businesses and consumers in terms of convenience and efficiency, it also presents risks to security and threats to privacy. According to a 2014 HP report, <a href="http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-4759ENW&amp;cc=us&amp;lc=en" target="_blank"><em>Internet of Things Research Study</em></a>, 70 percent of devices have vulnerabilities that would allow a cyber attacker to access valid user accounts. Furthermore, <a href="http://www.cio.com/article/2895398/internet/3-reasons-to-be-wary-of-the-internet-of-things.html" target="_blank"><em>CIO</em> magazine</a> identified what it believes to be the three biggest IoT privacy/security challenges:</p>
<p><strong>1) Unlawful surveillance/invasion of privacy</strong></p>
<ul>
<li>Internet-connected modules installed on various devices (e.g., toys, cars, and home appliances) can be used for unlawful surveillance according to the <a href="http://www.infosecinstitute.com/" target="_blank">InfoSec Institute</a>.</li>
</ul>
<p><strong>2) Threats to enterprise data and network security</strong></p>
<ul>
<li>Any device with built-in network connectivity creates a backdoor connection risk that could be exploited for the unauthorized transfer of sensitive information by a cyber attacker according to <a href="http://www.lumeta.com/" target="_blank">Lumeta</a>.</li>
</ul>
<p><strong>3) Lack of a sound, comprehensive way to manage all IoT devices</strong></p>
<ul>
<li>The current state of IoT lacks a set of standards for application program interfaces (APIs) which are the building blocks of IoT and critical for managing the variety of web-connected devices according to <a href="http://www.brivolabs.com/" target="_blank">Brivo Labs</a>.</li>
</ul>
<p>Given all of this information, IoT should be on your radar and garner more of your attention over time. This includes your attention as a business person and a consumer.</p>
<p><em>&#8212;&#8212;&#8212;&#8211;</em></p>
<p><a href="https://www.orgleader.com/about/" target="_blank"><em>Ryan Lahti</em></a><em> is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: <a href="https://twitter.com/RyanLahti" target="_blank">@ryanlahti</a></em></p>
<p>(Photo: <a href="https://www.flickr.com/photos/keoni101/7069578953/" target="_blank">Wearable Technology</a>, Flickr)</p>The post <a href="https://www.orgleader.com/internet-of-things/">The Internet of Things Deserves Your Attention</a> first appeared on <a href="https://www.orgleader.com">OrgLeader, LLC</a>.]]></content:encoded>
					
					<wfw:commentRss>https://www.orgleader.com/internet-of-things/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>A New Cyber Intelligence Center?</title>
		<link>https://www.orgleader.com/cyber-intelligence/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cyber-intelligence</link>
					<comments>https://www.orgleader.com/cyber-intelligence/#respond</comments>
		
		<dc:creator><![CDATA[orgadmin]]></dc:creator>
		<pubDate>Thu, 12 Feb 2015 09:00:16 +0000</pubDate>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Information Security]]></category>
		<guid isPermaLink="false">https://www.orgleader.com/?p=1603</guid>

					<description><![CDATA[Does the U.S. really need a cyber intelligence center to be able to more effectively handle cyberthreats and digital breaches to business and industry as well as government agencies? The Obama administration believes that the country does. According to Reuters, Lisa Monaco, White House advisor for homeland security and counterterrorism, explained that “we need to develop [...]]]></description>
										<content:encoded><![CDATA[<p><img class="alignnone wp-image-1605" src="/wp-content/uploads/2015/02/Cyber-Attacks-in-Real-Time-Flickr.jpg" alt="Cyber Intelligence" width="100%" srcset="https://www.orgleader.com/wp-content/uploads/Cyber-Attacks-in-Real-Time-Flickr-200x149.jpg 200w, https://www.orgleader.com/wp-content/uploads/Cyber-Attacks-in-Real-Time-Flickr-300x224.jpg 300w, https://www.orgleader.com/wp-content/uploads/Cyber-Attacks-in-Real-Time-Flickr-400x299.jpg 400w, https://www.orgleader.com/wp-content/uploads/Cyber-Attacks-in-Real-Time-Flickr-500x373.jpg 500w, https://www.orgleader.com/wp-content/uploads/Cyber-Attacks-in-Real-Time-Flickr-600x448.jpg 600w, https://www.orgleader.com/wp-content/uploads/Cyber-Attacks-in-Real-Time-Flickr.jpg 640w" sizes="(max-width: 640px) 100vw, 640px" /></p>
<p>Does the U.S. really need a cyber intelligence center to be able to more effectively handle cyberthreats and digital breaches to business and industry as well as government agencies? The Obama administration believes that the country does. According to <a href="http://www.reuters.com/article/2015/02/10/us-cybersecurity-agency-idUSKBN0LE1EX20150210" target="_blank">Reuters</a>, Lisa Monaco, White House advisor for homeland security and counterterrorism, explained that “we need to develop the same muscle memory in the government response to cyberthreats as we have for terrorist incidents.”</p>
<p>While federal task forces currently investigate hacking networks, no one government entity is accountable for coordinating and sharing cyberthreat data collected by the National Security Agency, the Pentagon, the FBI, Homeland Security and other federal agencies. Under the domain of the Director of National Intelligence, the proposed Cyber Threat Intelligence Integration Center would fill this void. It will be modeled on the National Counterterrorism Center launched after the 9/11 attacks in response to criticism of U.S. intelligence and law enforcement agencies who failed to share information that could have helped to prevent them.</p>
<p>In recent years, a number of cyber attacks have impacted the government and U.S. companies. This includes Home Depot Inc., Target Corp., Anthem Inc., JPMorgan Chase, Bank of America and the White House’s computer network. The attack that Monaco called a “game changer” was the attack on Sony Pictures that the FBI publicly accused North Korea of launching. This attack was especially troubling, because hackers incapacitated computers, stole crucial data and pressured the studio to stop the release of a film that took a comedic look at North Korean leader, Kim Jong-un. According to the <a href="http://www.latimes.com/business/la-fi-cyber-threats-20150211-story.html" target="_blank"><em>Los Angeles Times</em></a>, recent attacks have also come from servers in Syria, Iran, Russia and China.</p>
<p>Skeptics of the proposed cyber intelligence center such as Melissa Hathaway (president of Hathaway Global Strategies and former White House cybersecurity coordinator) suggest that creating a new agency is not needed when the government already has existing agencies that monitor and analyze cyberthreat information. In a <a href="http://www.washingtonpost.com/world/national-security/white-house-to-create-national-center-to-counter-cyberspace-intrusions/2015/02/09/a312201e-afd0-11e4-827f-93f454140e2b_story.html" target="_blank"><em>Washington Post article</em></a>, Hathaway recommends that existing agencies be held accountable and forced to become more efficient.</p>
<p>Others believe that a greater focus on cyberthreats by the Obama administration is needed. Richard Clarke, a former White House counterterrorism official, believes it’s a good idea that is long overdue. Scott Larson, a former FBI cybercrime investigator who now operates a cybersecurity company in Minnesota, sees the U.S. in an intellectual arms race that requires it to act.</p>
<p>Given the preceding viewpoints as well as the pace of cyber attacks increasing fivefold since 2009 based on <em>Los Angeles Times</em> research, the U.S. does need to be more proactive in its response to cyberthreats. In doing so, the creation of a new agency makes sense as long as it clearly provides needed resources in an efficient, coordinated manner thereby preventing an increase in bureaucracy.</p>
<p><em>&#8212;&#8212;&#8212;&#8211;</em></p>
<p><a href="https://www.orgleader.com/about/" target="_blank"><em>Ryan Lahti</em></a><em> is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: </em><a href="https://twitter.com/RyanLahti" target="_blank"><em>@ryanlahti</em></a></p>
<p>(Photo: <a href="https://www.flickr.com/photos/byzantiumbooks/16115764349/in/photolist-qy6vh2-6tCvre-o63LZ1-c2TmHJ-chFyVN-djV2q4-c2TmXd-c2Tmsj-c2TneE-d6uQFd-c2Tm7J-chFzE9-mwRihT-c2TkM5-edCQgs-edCRtd-c2TnAy-c2TnHo-6c23ua-c2Tnty-chFAxA-4kfw4R-afYamw-chFzUo-djV4x5-dk9vBb-dk9vEC-djV3YB-dgmgJD-c2TmPo-chFz85-dgok4m-dgokhd-dgohqK-c2TmzU-c2Tnku-c2TkEo-c2Tn6o-c2TnN7-8xfVch-c2TmkU-d395t7-bW3hZQ-bW3hRd-bWxiHC-bW3jt7-bWxkRN-bWxmGo-bWxmQw-e1HhJ9" target="_blank">Cyber Attacks in Real Time</a>, Flickr)</p>The post <a href="https://www.orgleader.com/cyber-intelligence/">A New Cyber Intelligence Center?</a> first appeared on <a href="https://www.orgleader.com">OrgLeader, LLC</a>.]]></content:encoded>
					
					<wfw:commentRss>https://www.orgleader.com/cyber-intelligence/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Cybersecurity in the Boardroom</title>
		<link>https://www.orgleader.com/cybersecurity-boardroom/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=cybersecurity-boardroom</link>
					<comments>https://www.orgleader.com/cybersecurity-boardroom/#respond</comments>
		
		<dc:creator><![CDATA[orgadmin]]></dc:creator>
		<pubDate>Thu, 10 Jul 2014 21:47:27 +0000</pubDate>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Information Security]]></category>
		<guid isPermaLink="false">https://www.orgleader.com/?p=1199</guid>

					<description><![CDATA[With 1,517 publicly-traded U.S. organizations to date submitting securities filings with the terms “data breach,” “hacking,” “cybersecurity” and “hacker” as potential business risks according to a Wall Street Journal analysis, cyber threats are getting more attention. If you compare this to 2012, you will find a 42% increase in the number of organizations listing these [...]]]></description>
										<content:encoded><![CDATA[<p>With 1,517 publicly-traded U.S. organizations to date submitting securities filings with the terms “data breach,” “hacking,” “cybersecurity” and “hacker” as potential business risks according to a <a href="http://online.wsj.com/articles/boards-race-to-bolster-cybersecurity-1404086146" target="_blank"><em>Wall Street Journal</em> analysis</a>, cyber threats are getting more attention. If you compare this to 2012, you will find a 42% increase in the number of organizations listing these terms as business risks. Combine this increase with media coverage of familiar companies like Target, eBay and Michaels that have fallen victim to cybersecurity breaches, and it is not surprising that corporate boards are focusing on cyber threats and asking the C-suite what steps are being taken to prevent potential breaches.</p>
<p>Regardless of size and industry, companies with an IT infrastructure connected to the Internet possess this vulnerability. The boards that have recognized the impact of this vulnerability have been more involved in laying the foundation to address it. At Kellogg’s, the board regularly discusses cybersecurity at its meetings to deal with concerns that hackers might find a way to steal intellectual property for Kellogg’s cereals and snack foods. In anticipation of this issue, Kellogg’s board set up a security group and hired its first chief information security officer back in 2012.</p>
<p>In addition to Kellogg’s, other notable companies are taking action to shore up cyber defenses. According to the <em>Wall Street Journal</em>, Exxon Mobil regularly tests employees to determine if they respond to phishing emails. Delta Air Lines even added a board member who possesses expertise in IT security. These actions align with the research of <a href="http://www.esg-global.com/blogs/board-of-directors-will-have-a-profound-impact-on-cybersecurity/" target="_blank">Enterprise Strategy Group</a> that found 69% of security professionals report boards and executive management are more engaged in cybersecurity awareness and strategy than they were two years ago. Although this finding is encouraging, it is not sufficient to completely allay concerns. Given the potential consequences of cybersecurity breaches, this increase in engagement needs to continue to be a regular part of boardroom and executive team agendas. For more information, see the <a href="http://fortune.com/2014/04/25/its-time-for-corporate-boards-to-tackle-cybersecurity-heres-why/" target="_blank"><em>Fortune </em>magazine interview with Cisco’s chief security officer</a>.</p>
<p><em>———–</em></p>
<p><a href="https://www.orgleader.com/about/" target="_blank"><em>Ryan Lahti</em></a><em> is the founder and managing principal of OrgLeader, LLC. Stay up to date on Ryan’s STEM-based organization tweets here: </em><a href="https://twitter.com/RyanLahti" target="_blank"><em>@ryanlahti</em></a></p>The post <a href="https://www.orgleader.com/cybersecurity-boardroom/">Cybersecurity in the Boardroom</a> first appeared on <a href="https://www.orgleader.com">OrgLeader, LLC</a>.]]></content:encoded>
					
					<wfw:commentRss>https://www.orgleader.com/cybersecurity-boardroom/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Most Effective Defense Against Cyber Threats</title>
		<link>https://www.orgleader.com/defense-against-cyber-threats/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=defense-against-cyber-threats</link>
					<comments>https://www.orgleader.com/defense-against-cyber-threats/#respond</comments>
		
		<dc:creator><![CDATA[orgadmin]]></dc:creator>
		<pubDate>Thu, 13 Feb 2014 09:00:57 +0000</pubDate>
				<category><![CDATA[Technology]]></category>
		<category><![CDATA[Information Security]]></category>
		<guid isPermaLink="false">/?p=810</guid>

					<description><![CDATA[According to the 2014 Cyberthreat Defense Report by CyberEdge Group, network access control (NAC) was the highest rated of all security technologies to defend against current cyber threats. Seventy-seven percent of IT practitioners are using or plan to use NAC for securing mobile technology. CyberEdge Group’s report is based on a survey of 750 security [...]]]></description>
										<content:encoded><![CDATA[<p>According to the <em>2014 Cyberthreat Defense Report</em> by CyberEdge Group, network access control (NAC) was the highest rated of all security technologies to defend against current cyber threats. Seventy-seven percent of IT practitioners are using or plan to use NAC for securing mobile technology. CyberEdge Group’s report is based on a survey of 750 security decision makers and professionals in North American and European companies with 500 or more employees.</p>
<p>The report highlights that information security is more difficult because of three changes taking place in organizations:</p>
<ul>
<li>Increased complexity of IT infrastructure due to greater network connections and use of cloud, mobile and virtualization technology</li>
<li>Problems effectively reducing exposure as cyber attacks increase</li>
<li>Decreased capacity to manage endpoints resulting from an increase in network-enabled device usage at work</li>
</ul>
<p>These three changes help explain why more than 60% of the respondents in the study indicated that they had been breached last year. One finding that was even more concerning is 20% of the organizations admitted to doing nothing to evaluate the security of their mobile devices in between quarterly or annual network vulnerability scans. Based on these findings, clearly NAC is needed sooner rather than later.</p>
<p>If you would like to read the full report, click on this link: <a href="http://cyber-edge.com/wp-content/uploads/2014/01/CyberEdge-2014-CDR.pdf" target="_blank">2014 Cyberthreat Defense Report </a></p>The post <a href="https://www.orgleader.com/defense-against-cyber-threats/">The Most Effective Defense Against Cyber Threats</a> first appeared on <a href="https://www.orgleader.com">OrgLeader, LLC</a>.]]></content:encoded>
					
					<wfw:commentRss>https://www.orgleader.com/defense-against-cyber-threats/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
