Special Report: Cyber Risk and Security
The word of the year, so far, with regards to cybersecurity, seems to be “data breach.” In the first half of 2014, 381 reported breaches led to the exposure of 10,879,404 individual records in the United States, according to a report from the Identity Theft Resource Center. That’s equivalent to 2.1 breaches and 60,107 records exposed per day, and it doesn’t count the breaches that were never reported.
The breaches are taking a toll on consumer confidence in America’s enterprises and their ability to keep sacred information safe and secure. According to NXP Semiconductors N.V., and its “Security Matters: Americans on EMV Chip Cards” survey, while consumer confidence in credit card technologies remains high, Americans continue to demand better solutions that protect identity, personal information and financial data. With recent compromises in security at Target, Neiman Marcus, PF Chang’s and other retailers, Americans are more likely to pay in cash following a security breach at large retailers, the survey said, with the millennial age group (18 – 34 years of age) being the most likely to convert to cash (37 percent). For example, 80 percent of Americans are confident in their financial institution and the security of their financial accounts, as well as the security and protection of their credit/debit cards (73 percent). However, once a security breach at a major store occurs, consumers automatically turn to less convenient forms of payment (64 percent) – such as cash – to complete a purchase.
Respondents were asked a number of questions pertaining to security, confidence in financial institutions and credit cards, purchasing habits, geographic location, gender and general understanding of current magnetic strip and EMV technology. When asked specifically about the underlying technologies of a credit or debit card, Americans responded favorably, with 69 percent stating that EMV chip cards are making their debit and credit card transactions more secure, with only five percent feeling chip cards make their transactions less secure. When asked about the tap and pay feature available on some EMV chip cards, the most common concern expressed was an increased risk of theft (61 percent), followed by 37 percent expressing concerns about being charged incorrectly for purchases.
In addition, the survey found that:
- For purchase preferences, most (38 percent) would prefer a chip and PIN payment method over a chip and signature method (26 percent).
- Confidence in one’s financial institution is also high, as more than seven-in-ten are confident in the security of their financial accounts (80 percent) and their credit/debit cards (73 percent).
- However, Americans are more likely to pay in cash after hearing about security breaches at large retailers. Sixty-four percent say they are more likely to pay in cash.
- Overall, the majority (69 percent) of Americans feel EMV chip cards make their debit or credit card transactions more secure, with three-in-ten believing they are much more secure (28 percent).
A separate survey has found that when shoppers’ information is exposed, not only does it damage the store brand reputation, but it also impacts profitability and productivity throughout the entire organization. The report, “Retail’s Reality: Shopping Behavior After Security Breaches,” said that shoppers who have had their information stolen through a security breach, tell others about their experience, use social media to complain about their experience and comment directly on the retailer’s website.
In addition, 45 percent of shoppers indicated they do not trust retailers to keep their information safe, and when shoppers know that their retailer has experienced a security breach, 12 percent say they have stopped shopping at that retailer, and 36 percent will shop there less frequently.
Cybersecurity Red Flags
Though a great amount of effort has been put in place to ensure safe online communication and transactions, people underestimate the essential level of security and guarded behavior needed while using a computer, tablet or smartphone. They are taking these devices “as is,” but these devices do not automatically include necessary tools or services to protect an online user’s sensitive information.
For years, hacking focused mainly on stealing computing resources to create, for example, botnets. Today, the focus has shifted to stealing the most valuable thing the users have – their personal data. Personal data ranges from names and addresses, to logins and passwords, credit card numbers, Social Security numbers and information about where an individual is located and what they are doing. Access to this information not only leads to identity scams but can also jeopardize an individual’s personal safety. In order to build a solid cybersecurity system and combat attacks, it is important for users to understand common cyber-threats:
- Phishing: Phishing attacks appear in two forms, targeting a large number of individuals or focusing on a specific group. Mass attacks aim to deliver malware via automatic download to users’ devices and often come in the form of USB flash drives or infected websites and emails. Targeted attacks come in the form of tailored emails that are disguised as emails from large corporations. Targeted phishing emails often include corrupted links and ask for personal information or automatic actions.
- Social networks: Posts or links to websites that offer an option to sign up through your social network accounts with the click of a button provide hackers with access to your list of friends and your personal information. What is worse, some malware can be downloaded onto your device without your knowledge. The delivery can take place immediately or with some delay so the victim cannot easily track down the source of the malware.
- Infected websites: Some websites can contain malware that utilizes the security holes in browsers. It is impossible for the user to be aware of all possible threats, and without the proper security software and an up-to-date operating system and browsers, people are under constant threat.
- Public Wi-Fi networks: Accessing public Wi-Fi networks leaves individuals vulnerable to hackers as these networks can easily be monitored to obtain private information. By not using an encrypted website when accessing sensitive data, people are simply leaving the door open to hackers.
- User Service Providers: When creating an account, users provide their personal information with good faith in their security. Attacks similar to the Target hack and Heartbleed exemplify a hacker’s option to target third-party maintenance organizations to gain access to users’ personal data.
Here are some tips for keeping your data secure online:
- Use strong passwords; mix numbers, upper and lower case letters and symbols
- Use unique passwords for each site you use or utilize a password management system that can do it for you
- Keep your operating system, security software, browsers etc. up to date
- Be careful when asked to click links that you receive in email or social media messages
- Treat everything you post as if it will be completely public and never be deleted – everything
- Status updates, photos and comments can reveal A LOT about you
- On social networks be selective about who you accept as a friend, and be careful about adding apps, plugins or other extras
- Always enable the passcode lock on your phone and mobile devices
With an understanding of cybersecurity and a couple of tips, individuals can change their behavior and significantly increase the level of their protection online.
About the Author: Larry Bridwell is the Global Security Strategist at password management software provider, Sticky Password.
How Do You Steal $60 Million in 60 Seconds?
The digitalization of our lives has radically changed the way we live, love, work and play. Unfortunately, it also has changed the way criminals perpetrate crimes.
In the ongoing fight against cybercrime, it’s vital to understand your adversary. Modern cyber criminals have evolved from the mafia families of the 50s, the drug cartels of the 1990s and today’s Eastern European criminal syndicates. They hold a significant competitive advantage over companies trying to protect their digital assets and national law enforcement.
Let’s consider how innovative this dark world of crime has become. It is a criminal world which operates the most sophisticated and vertically integrated global network ever conceived, and adversaries have stayed one step ahead of us with every law passed or procedure put in place. This shadowy network hides in plain sight, generates more than $104 billion in illegal revenue each year, and perpetrates 16 cybercrimes per second. This is a world where bank accounts and national secrets are ripped apart and sold to the highest bidder every day.
Cyber criminals are better funded, do not respect national borders and use the anonymity of the Internet to collaborate freely. Two-thirds of cyber criminals are under the age of 24 – as a global industry they understand how individuals and organizations use new digital platforms and they are able to exploit the opportunities offered by the new style of IT – in much the same way commercial businesses do.
So how hard is it to steal $60 million in 60 seconds? For notorious criminals of the past, robbing a bank or hitting a train was your best bet, but it was hard to cover your tracks when having to physically move large sums of cash. Today, cybercrime is a faceless offense where stealth and speed are a criminal’s greatest assets. In addition, traditional and cyber criminals are coming together to execute beautifully orchestrated global crime sprees. Traditional criminals can buy hacking-as-a-service offerings online with free tech support, dashboards to track the performance of malware, and when its job is complete, you just stop paying for it.
For example, a global criminal ring recently hacked into a bank’s network, took control of a handful of pre-paid debit cards and increased the accounts to an unlimited level. Then they sent those details around the world, where well-coordinated gangs walked from ATM to ATM with the magnetic strip information withdrawing handfuls of cash. One gang in New York City hit 2,000 ATMs in a matter of minutes. This crime allowed the perpetrators to walk away with between $45 and $60 million in cash. But the damage wasn’t done at the ATMs; it was done within the bank’s network. Today you don’t steal money; you steal the means of getting the money.
So how do criminals get into our networks? Typically network access comes from either valid credentials or cyber criminals forcing their way into our networks. Once they are in, they take their time to figure out what the critical assets are and capture that data. Eighty percent of data breaches happen at the application layer, and it typically takes 243 days to detect a breach. On average criminals are able to hide inside our networks for upward of eight months, taking their sweet time to understand our systems, applications, customer and employee details, and intellectual property.
Our research shows that we are losing the battle against the adversary. The time it takes us to remediate a cyber-attack has grown from under two weeks in 2010 to more than a month in 2013. The way our industry has handled cybersecurity actually hands a huge advantage to the criminals. We share our security standards and vulnerabilities, but often do not share how the criminals got in, what holes they exploited or what information they were after. We are actually helping adversaries perpetrate the same crimes over and over again across different companies in similar industries around the world. Eighty percent of the average IT budget is spent on creating barriers and building perimeter controls. However, network barriers just don’t exist anymore, and this approach isn’t helping us stop losses from attacks. Criminals are already on the inside and every organization must plan for a significant cyber breach.
To turn the tide on cyber criminals, we must use their own tricks against them. We must target them, and disrupt their business model, manage our risk and extend our capabilities. Our collaboration and innovation must be around real-time visibility, sharing intelligence and understanding what’s happening at a global and local level. At HP, we have realized that one of the best ways to disrupt cyber criminals before they get in is sharing that breach intelligence securely and confidentially among our customer network.
Yes, it is a scary world, but you shouldn’t have to go it alone. After all, the criminals have learned that pooling intelligence leads to great rewards. Let’s take a page from their playbook and share our security intelligence because with an anti-cybercrime intelligence network in place, it will become much harder to steal $60 million in 60 seconds.
About the Author: Andrzej Kawalec is HP Enterprise Security Services’ Chief Technologist and regularly speaks at industry events on cybercrime.
Invert Your Security Priorities…Now
With more than 600 high-profile network breaches in 2013, it is clear that traditional network breach detection and perimeter strengthening systems are ineffective. The emerging technologies of Wi-Fi, mobile payment and cloud services have complicated and undermined common network security protocols.
This current epidemic of large-scale security breaches is owed to numerous factors. The fundamental corporate network architecture and its complexities are at the heart of the problem. Security policy conflicts and shared network resources have created vulnerabilities by placing applications with widely varying security requirements on a common network infrastructure.
The terms “closed” and “private” no longer apply to traditional enterprise networks, and operating under any other belief is reckless and dangerous. The demise of the closed network has been propelled by multiple factors, including cloud services creating more entry points into the network, Wi-Fi network-created complexities, and a permeable network perimeter.
The complexity of any given network creates inherent vulnerabilities. The proliferation of applications, evolution of cloud services and advancement of security threats force problematic practices that breed complexity, including application intermingling and partitioning, multifaceted access controls and manual policy proliferation.
Ultimately, the fundamental network architecture is flawed. Holes are opened in corporate firewalls to let in partners and access cloud services, creating entry and export paths. Recent breaches have demonstrated that once a network is breached, the historic strength of the private backbone becomes its greatest weakness. A compromise on a single point-of-sale system quickly advances to all POS systems on the private network.
It is illogical to invest in a flawed architecture that makes unauthorized entry a probability, detection an improbability and containment an afterthought.
Eric Schmidt, Vice Chairman of Google, recently stated at the 2013 Gartner Group Symposium in Orlando, “The tablet…has exposed how inherently insecure the hub and spoke network is. Businesses will have to rip out their current site-to-site networks and replace them with application-specific networks.”
The concept behind this comment is the isolation of applications into dedicated logical networks. Application Defined Networks (ADNs) establish containment as a foundation while enabling simplified detection and discrete defendable perimeters.
Simply put, ADNs provide a network alternative that not only addresses the multi-application security and performance dilemma, but also yields tremendous operational and economic benefits. ADN-based networks have been used for years by many of the largest multinational corporations such as Google, Shell and ExxonMobil. However, many CIOs are still unaware of ADN availability and/or its real-world proven nature.
ADNs are cost-effective and secure enterprise data networks that use virtual network and security components to provide a dedicated, logical network for each application. ADNs deliver customized security and network policies to meet the requirements of specific applications.
ADNs facilitate application specific default routes, physical and logical network segregation, definable network perimeters, granular security policies, and the establishment of universal policy controls.
Additionally, ADNs provide compartmentalization between applications in transit and at the connection end-points. ADNs facilitate an application-to-application (A2A) networking model, which eliminates the fixed path constraints of site-to-site (S2S) networks. ADNs eliminate routing conflicts, contain security bleed and reduce problem-cascade by providing a dedicated, virtual application environment.
A typical retail example of an ADN can include a payment ADN for credit card processing, a corporate network ADN for back office applications and guest Wi-Fi ADN for patrons or mobile payments. All three ADNs operate on a single platform, using a single appliance over a common broadband connection and through a secure private cloud infrastructure. This solution offers dozens of other cloud services on its network and customized, cloud service gateways. The Bring Your Own App (BYOA) functionality of ADN makes it expandable to meet enterprise specific connections.
By tying current open-Internet cloud services into the private enterprise network, ADN reduces security risks and infrastructure costs. The simplicity of ADN eliminates vulnerabilities while improving the enterprise network cost structure.
The economic benefits of ADN utilization are vast, including the reduction of network access and backbone recurring costs, decreased capital expenditures related to new application deployment, condensed resource costs associated with new application deployment, lowered IT staff costs required for network administration and decreased potential for litigation through inherent security improvements.
Increased savings achieved in each of these areas can be significant and will vary based on the business’s specific application and network architecture, access methodology, application expansion plans, network size and use of compliance-based applications such as payment or patient records.
Refocusing security policy investment priorities can yield a safer and less expensive network. ADN technology allows for a simple physical architecture with fewer devices, less device configuration and integration, reduced network administration and a lower burden on IT resources. These proven alternatives to traditional hub and spoke architectures are in use today by numerous leading businesses, proving that network security investments can be effective if prioritized correctly.
About the Author: Greg Tennant joined Cybera in February 2013 bringing more than 22 years of leadership experience. During his career, Tennant operated and sold two separate SaaS-focused companies. He also served as senior vice president of Argus Systems Group, where he launched the company’s secure web appliance division. Tennant also managed the data services businesses and product lines for Intermedia Communications, Convergent Communications, and led the strategic marketing groups for AT&T Paradyne and AT&T Federal Systems Advanced Technologies.
Improving Cyber Insurance and Security with 5 Critical Keys
U.S. retail giant Target had $100 million in cybersecurity coverage (with a $10 million deductible) at the time of its breach last year. That sounds like adequate coverage, and considering the lengths the company had to go to assemble multiple separate policies to reach that level of protection, it is significant. Nonetheless, this coverage will likely fall far short of its final tally of losses, which the company had already estimated at $88 million by May 2014. In addition, Target currently faces more than 90 lawsuits from customers and banks for negligence and compensatory damages associated with the breach.
It is readily apparent that a more mature, sophisticated and robust cyber insurance market is required in order to provide a more practical risk management option to businesses. In 2013, the entire U.S. cybersecurity market, measured by gross written premiums, was only $1.3 billion. Estimating the impact of cybercrime is notoriously difficult, but a recent report from the Center for Strategic and International Studies concludes that cybercrime costs businesses worldwide approximately $400 billion annually.
There is broad agreement that the insurance carriers could exert a positive influence on the cybersecurity posture of the entities that they insure. But in order for insurance carriers to incentivize better security practices, they must first determine the nature and extent of the actual risks, and this requires a level of data collection and analysis that no insurance companies are achieving currently.
To build the actuarial expertise that provides their strategic differentiation in their other lines of business, insurance carriers will need to determine several key pieces of information:
- Accurate details of the attack methods and exploits being used by cybercriminals. This should include the types of assets being targeted (server or endpoint, specific business applications, and so on) in order to determine if the organization’s attack surface is vulnerable.
- Details of customers’ information technology (IT) assets and their value to the business. This data can then be matched against the attack methods currently in use by threat actors to determine if the IT assets are actually at risk (for example, an endpoint with no instance of Adobe Air is not at risk from an Adobe Air exploit).
- Effectiveness of the security controls deployed. If an organization is at risk from a particular Java exploit but the IPS deployed is capable of identifying and blocking that exploit, the organization is not at immediate risk.
- Likelihood of the organization being targeted directly by threat actors. Financial institutions, defense organizations and critical infrastructure installations have a higher risk of being targeted by threat actors than small manufacturing concerns.
- Maturity of the organization’s security processes. Whether or not a company employs a chief information security officer (CISO), and the fidelity with which it is tracking assets, are just two key indicators of maturity.
The last two points are well within the wheelhouse of the typical insurance carrier. The first three, however, present new and unique challenges. Traditional threat feeds, security intelligence offerings and penetration testing methodologies provide insufficient data to assess risk accurately, mainly because none of them incorporate knowledge of the effectiveness of the security products deployed within an organization, nor the relevance of threats to a specific organization and its assets.
Focus no longer should be on the 98.5 percent of attacks that security controls currently are detecting and blocking, but rather it should be on the 1.5 percent of attacks that pass unnoticed through existing defenses, and whether those missed attacks are relevant to the organization.
Only by determining whether current threats are targeting specific assets deployed in a customer environment, and then combining that information with the knowledge of which of those threats is capable of bypassing the security controls deployed in that environment, can the real insurance risk be calculated accurately. Over time, this data can be analyzed against claims data, and carriers can begin to customize premium rates based on a more factual understanding of the risk associated with each customer.
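The calculation described above, as an added example (not from the report or from NSS Labs): it keeps only the threats that target software actually deployed and that no control in front of the asset blocks, then totals the value of the exposed assets. Threat names, hosts, controls and dollar values are constructed for illustration.

```python
"""Residual exposure: threats that are relevant to an asset AND bypass its controls.
Every name and figure below is constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str      # constructed label, not a real exploit identifier
    targets: str   # software that must be present for the exploit to work


@dataclass(frozen=True)
class Asset:
    host: str
    software: frozenset   # software installed on the asset
    controls: frozenset   # security controls deployed in front of the asset
    value: int            # business value in dollars (assumed figure)


def residual_exposure(threats, assets, blocks):
    """Return (threat name, host) pairs that are relevant and unblocked.

    `blocks` maps a control name to the set of threat names that testing
    has shown the control to detect and block.
    """
    findings = []
    for threat in threats:
        for asset in assets:
            # Relevance: the targeted software must exist on the asset.
            if threat.targets not in asset.software:
                continue
            # Effectiveness: a control that blocks this threat removes
            # the immediate risk for the asset behind it.
            if any(threat.name in blocks.get(c, set()) for c in asset.controls):
                continue
            findings.append((threat.name, asset.host))
    return findings


def value_at_risk(findings, assets):
    """Sum each exposed asset's value once, however many threats reach it."""
    exposed = {host for _, host in findings}
    return sum(a.value for a in assets if a.host in exposed)


# Constructed inputs mirroring the Adobe Air and Java/IPS cases in the text.
THREATS = [
    Threat("air-exploit", "adobe-air"),
    Threat("java-exploit-a", "java"),
    Threat("java-exploit-b", "java"),
]
ASSETS = [
    Asset("endpoint-1", frozenset({"java", "browser"}), frozenset(), 5_000),
    Asset("app-server", frozenset({"java"}), frozenset({"ips-1"}), 250_000),
    Asset("file-server", frozenset({"smb"}), frozenset({"ips-1"}), 40_000),
]
BLOCKS = {"ips-1": {"java-exploit-a"}}

if __name__ == "__main__":
    found = residual_exposure(THREATS, ASSETS, BLOCKS)
    for threat_name, host in found:
        print(f"{host}: exposed to {threat_name}")
    print("value at risk:", value_at_risk(found, ASSETS))
```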
NSS Labs Recommendations
- Insurance carriers should adopt the concepts of network resiliency that are inherent in the National Institute of Standards and Technology (NIST) Cybersecurity Framework and being promoted by the Department of Homeland Security (DHS).
- Conditions should be created to enable insurance carriers to make adoption of the CSF an eligibility requirement for insurance.
- Enterprise security teams should reduce focus on the attacks that are detected and blocked by their security controls, and concentrate instead on the much smaller percentage of attacks that are capable of bypassing existing defenses. This requires a shift to a more proactive security strategy rather than one that focuses on log files and past events.
- Cybersecurity premiums need to be based on accurate assessment of the effect of current threats on specific assets deployed in an organization, combined with the ability of those same threats to evade installed security products.
As the volume and value of customer and corporate data continues to increase, so will the need for cyber insurance, and both organizations and insurers will need to develop more accurate means of understanding and quantifying the risk to and value of digital assets. For a more in-depth look at the recommendations here, download the full report, Ensuring and Insuring Cyber Resiliency, at www.nsslabs.com/reports/ensuring-and-insuring-cyber-resiliency.
About the Authors: Andrew Braunberg is Research Director for NSS Labs, Bob Walder is Chief Research Officer for NSS Labs and Mike Spanbauer is Managing Director of Research for NSS Labs.
7-Point Action Plan for DDoS
Distributed Denial of Service (DDoS) is no longer just a service provider problem – far from it, in fact. DDoS attacks are what some would consider an epidemic today for all sorts of organizations. Why? The stakes continue to skyrocket. The spotlight continues to shine bright, attracting attackers looking for attention for many reasons and motivations. In recent times, attacks have been politically or ideologically motivated. Attackers want to make a statement and to make headlines (and to cause many headaches along the way) – quite similar to the effect a “sit-in” or a strike would have in the “offline” world.
This new breed of attacker targets high-profile organizations in order to ensure his or her grievances will be heard. Few targets are as high profile or mission-critical to the economy as financial services. A case in point is Operation Ababil, a politically motivated DDoS campaign targeted at banking institutions, which started in September of 2012. Led by a group called Cyber Fighters of Izz ad-Din al-Qassam, this campaign has featured multiple waves of attacks, with each growing in sophistication, strength and breadth.
Analysis has shown these hackers study the security defenses of their targets and modify their attack methodology with each wave to better evade the mitigation efforts of financial institutions. No enterprise risk assessment and business continuity plan today is complete without taking into account the risk represented by DDoS attacks.
To mitigate the growing threat of DDoS attacks, CISOs and CSOs should follow this seven-point action plan:
1. The Best Defense Is Purpose-Built
Because of the complexity of DDoS attacks, the optimal solution is an intelligent DDoS mitigation system, deployed on-premise, that can detect and block attacks with multiple dimensions of countermeasures before they escalate. Traditional IPS devices, firewalls and other security products are essential elements of a layered-defense strategy, but they are designed to solve security problems that are fundamentally different from dedicated DDoS detection and mitigation products. IPS devices, for example, block break-in attempts that cause data theft. Meanwhile, a firewall acts as policy enforcer to prevent unauthorized access to data. Because they are solving other security problems, they are stateful and can actually be the first device to go down during a state-exhausting DDoS attack.
2. Defend Upstream
A financial institution will never have enough on-premise bandwidth available to offset an attempted volumetric attack – aimed at flooding its networks with Internet traffic. Here, the best defense will provide protection at the cloud or service-provider level where traffic can be diverted to a mitigation center.
3. Know Who to Contact
It seems shocking that basic contact information is a roadblock to effective mitigation, but it often is. One company suffered 90 minutes of total downtime due to a DDoS attack. The company spent 45 minutes of that attack trying to get all parties, from internal teams and providers, on a conference call to discuss the mitigation. The total revenue loss was estimated at $1.7M. The damage to the brand was significant as paying customers were not happy about the downtime to the service.
As this example shows, it is imperative that you know who from within the organization, your service provider and your managed security partner is there to help and how to contact them. Without this information, your ability to respond has already been compromised.
4. Develop a Whitelist
If you have a large number of repeat users and important customers, develop a whitelist of their addresses so that their traffic can be passed during an attack even if everything else must be dropped.
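One way to prepare such a whitelist ahead of time, as an added example (not from the article or from Arbor Networks): it derives repeat visitors from access logs, merges them with known customer ranges, and admits only those sources once attack mode is switched on. The log format, the three-day threshold, and all addresses (documentation ranges) are assumptions.

```python
"""Build a repeat-visitor allowlist before an attack and apply it during one.
Log lines, addresses and thresholds are constructed for this example."""
import ipaddress
from collections import defaultdict

# Constructed access-log sample: "<date> <source address> <HTTP status>"
SAMPLE_LOG = """\
2014-08-01 198.51.100.10 200
2014-08-02 198.51.100.10 200
2014-08-03 198.51.100.10 200
2014-08-01 198.51.100.11 200
2014-08-02 198.51.100.11 200
2014-08-03 198.51.100.11 304
2014-08-02 203.0.113.77 200
2014-08-03 203.0.113.80 401
2014-08-03 203.0.113.80 401
2014-08-01 2001:db8::5 200
2014-08-02 2001:db8::5 200
2014-08-03 2001:db8::5 200
2014-08-03 not-an-address 200
"""


def build_allowlist(log_text, customer_cidrs=(), min_days=3):
    """Return collapsed networks for known customers and repeat visitors.

    A source counts as a repeat visitor when it made successful (2xx/3xx)
    requests on at least `min_days` distinct days (assumed threshold).
    """
    days_seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        day, src, status = parts
        if not status.startswith(("2", "3")):
            continue  # failed or rejected requests earn no trust
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # skip malformed source fields
        days_seen[addr].add(day)

    nets = [ipaddress.ip_network(c) for c in customer_cidrs]
    nets += [ipaddress.ip_network(str(a))
             for a, days in days_seen.items() if len(days) >= min_days]
    # collapse_addresses() cannot mix IPv4 and IPv6, so merge per family.
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)


def admit(src, allowlist, under_attack):
    """Pass everything in normal operation; pass only the allowlist under attack."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    if not under_attack:
        return True
    return any(addr.version == net.version and addr in net for net in allowlist)


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_LOG, customer_cidrs=["192.0.2.0/24"])
    print([str(n) for n in allow])
    for source in ("198.51.100.11", "203.0.113.77", "2001:db8::5"):
        print(source, admit(source, allow, under_attack=True))
```

An address match only identifies the sender reliably for traffic that completes a handshake, such as TCP or TLS sessions; source addresses on connectionless traffic can be forged.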
5. Draw Up an Incident-Handling Process and Practice!
Insist on a documented process for interactions with any managed security service partners (MSSPs). This will provide a structure for dealing with an incident, when stress levels can be high – enabling a quick response and preventing people from taking risks with security to try and solve a problem. Once an incident response plan is in place, it is important to rehearse so that the response is coordinated – both internally and with service providers to ensure all parties are able to respond quickly and effectively.
6. Beware of Smoke Screens
What appears to be one type of attack may simply be the means to achieve a deeper, more destructive goal. For instance, an identified DDoS attack may be a smoke screen for hackers as they attempt to infiltrate proprietary customer information and intellectual property. In August 2013, it was reported that three banks were plundered during DDoS distractions. An application-layer DDoS attack was used to divert the attention and resources of banks away from fraudulent wire transfers simultaneously occurring. This is by no means unique.
7. Strength in Numbers
Participating in information sharing within the sector and with external parties, such as vendors, ISPs, regulators and law enforcement, will help identify new threats and best practice approaches.
About the Author: Rakesh Shah is Senior Director of Product Marketing & Strategy for Arbor Networks.