IT Security News Blast 04-16-2018

Cyber Risk Assessment for InfoSec Budget

Understanding Risk Assessment for InfoSec Budgeting
Last month, Critical Informatics founder Mike Hamilton moderated a panel discussion in downtown Seattle, reinforcing a practical methodology to establish common ground and build a case for IT Security investments. Comprised of regional Information Security leaders in legal, actuarial consulting, health insurance, and education, our panel explored the process and practicality of applying this methodology. Read on to learn what the experts had to say about their use of risk assessment to secure executive buy-in for investments that reduce the risk of IT security events leading to expensive outcomes.

Survey says: Many breaches accomplished in less than an hour
Penetration testers and hackers are having little problem breaching the perimeter and quickly locating critical data, with 12 percent saying they can get into a system in less than an hour, and despite learning their company is vulnerable, some firms still opt to do nothing to improve security. […] Some of the better-performing sectors, the survey found, are aviation, law enforcement and law firms; state and municipal governments also tested well, with less than 8 percent of the researchers saying they could breach these perimeters in less than an hour.

Data-driven analysis of healthcare cyber risk insurance claims
With the specific healthcare sector analysis, there are several points of interest. The first relates to organizational size. Here the analysis indicates that most of the recent insurance claims made related to small or mid-sized healthcare organizations. A second area of importance is the relatively higher size of insurance-related payouts for healthcare. Although healthcare claims comprised only 17 percent of claims in 2017, these claims represented 28 percent of total breach costs, to the tune of $229 million.

3 Things That Healthcare Must Understand About Cybersecurity
Three important facts about cybersecurity in 2018 underscore how the healthcare industry’s approach to cybersecurity has been transformed in the last few years.
1. Cybersecurity is now a team sport.
2. Boards have to be “on board” for cybersecurity efforts to be effective.
3. Compliance is necessary, but not sufficient, to protect from today’s cyberthreats.

Practices Face Challenges in Hiring Qualified Cybersecurity Personnel
[Almost] three-quarters said their organizations were too short staffed to protect against future breaches. The respondents said staffing was the biggest challenge in ensuring security of health information. Only half had a dedicated chief information security officer (CISO). HIPAA does not require health care organizations to have somebody in this position, but an individual who sets and manages an organization’s security plan is a must for larger organizations.

Types of cyber-security threats you should look out for in 2018
Over the past five years, nearly 10 billion records have been lost, stolen or exposed, with an average of five million records compromised every day. Of the 1,765 data breach incidents in 2017, identity theft represented the leading type of data breach, accounting for 69% of all data breaches. Malicious outsiders remained the number one cybersecurity threat last year at 72% of all breach incidents. Companies in the healthcare, financial services, and retail sectors were the primary targets for breaches the previous year.

Three biggest cyber threats faced by financial institutions today & how to avoid them
According to cybersecurity solutions provider Check Point Software Technologies, the financial sector currently faces cyber threats from three main areas, namely: the SWIFT network, consumer banking malware, and information theft. In its recently-published 2018 Security Report, Check Point uses Far Eastern International Bank’s Oct 2017 US$60 million (S$78.7 million) cyber theft as a prime example of how proprietary banking systems are still vulnerable to SWIFT attacks.

Effects of Cyber Breaches on Corporate Bottom Line: Viewpoint
[There] hadn’t been a systematic analysis of the effects of cyber attacks on a company’s sales, market valuation and other metrics. A recent study does just that, though imperfectly. Using events reported as cyber-breaches in the nonprofit Privacy Rights Clearinghouse, a team of economists from Singapore, Cyprus, Hong Kong and the U.S. examined which firms are at highest risk of attack and what the consequences are. […] However, to the extent that what affects the financial picture is not the attack itself but rather its disclosure, the methodology works well. For example, the impact on stock market valuation is likely tied to disclosure (and the authors have verified that disclosed events are included in their data).

Open Banking: Tremendous Opportunity for Consumers, New Security Challenges for Financial Institutions
For this reason, the initiative comes with a new set of security standards. However, these mandates deal mostly with authentication, transaction monitoring and API security, and largely ignore the security of the devices from which transactions originate. This is problematic because compromising mobile devices is a popular activity among cybercriminals. By capturing large volumes of devices, threat actors can raise their profile and increase their ability to either attack devices directly or use them to launch distributed denial-of-service (DDoS) campaigns.

Syria news latest: Russia ‘could launch cyber warfare within weeks’ after US-led military action, expert warns
Despite admitting that the “immediate risk of a wider war” has been avoided for now, he warned that sources of potential conflict are still very much active on the ground in Syria. He wrote in the Sunday Telegraph: “Bad relations could easily encourage a reckless Russian freebooter, prompted and paid by Iran, to try his luck getting revenge on the pockets of US and British forces operating in eastern Syria.

China Could Retaliate Through Cybersecurity
[If] negotiations break down, and we enter a period of extended hostility, retaliation from Beijing will go beyond retaliatory tariffs. The Chinese government has other — more opaque and unwritten — channels to employ against US firms with significant assets in China’s market. Specifically, China’s cybersecurity law can be used as a form of “backdoor” trade retaliation by opening up a number of informal tools to hurt US firms in China.

NATO and others struggle with cyber attribution and legal and military responses
“The allies now find themselves in a sort of ‘Article Four-and-a-half’ situation today, caught between crisis consultation and how to react to an attack,” said a senior allied official, referring to articles 4 and 5 of NATO’s founding Washington Treaty that govern crisis consultation procedures with other allies and activation of collective defence, respectively.

U.S. Cyber Command chief calls for debate around hacking unit’s authorities
Such a shift in policy may allow Cyber Command to offer more protection to private companies, including those that own and operate what the U.S. government considers “critical infrastructure.” When it comes to offensive measures, the shift could also open the door for soldiers to hack a much wider array of targets; beyond the Middle East, where the military is already engaged in firefights.

Colorado’s Election Systems Are Being Hacked…on Purpose, by the Feds
Colorado’s election systems have been under attack by cyber intruders. Networks are being poked and prodded in an attempt to bypass security measures, access control systems and manipulate or extract data.  […] Colorado is one of seven states participating in the exercise, along with nearly 1,000 other “players” across the nation that range from law enforcement agencies to transportation and manufacturing networks.

Cops Around the Country Can Now Unlock iPhones, Records Show
Police forces and federal agencies around the country have bought relatively cheap tools to unlock up-to-date iPhones and bypass their encryption, according to a Motherboard investigation based on several caches of internal agency documents, online records, and conversations with law enforcement officials. […] “It demonstrates that even state and local police do have access to this data in many situations,” Matthew Green, an assistant professor and cryptographer at the Johns Hopkins Information Security Institute, told Motherboard in a Twitter message. “This seems to contradict what the FBI is saying about their inability to access these phones.”

Oath’s new privacy policy allows it to scan your Yahoo and AOL mail for targeted advertising
Oath confirmed to CNet that it rolled out a unified privacy policy to its AOL and Yahoo brands. The updated policy (spotted by Jason Kint) states that the company “analyzes and stores all communications content, including email content from incoming and outgoing mail,” which will allow it to “deliver, personalize and develop relevant features, content, advertising and Services.” The policy also states that the company can “analyze your content and other information (including emails, instant messages, posts, photos, attachments, and other communications),” and it singles out messaging from financial institutions, saying that it “may analyze user content around certain interactions with financial institutions.”

Jobs in cybersecurity are exploding: Why are women locked out?
Attracting and retaining qualified workers to the field — especially women — has become a critical issue across sectors, from banking to health care, aviation and government. “Can we staff up fast enough to be able to protect the power systems of the United States, the weapons systems, the financial systems?  […]  “If we block entry for women, we’re blocking 50 to 70 percent of the talent,” he said. “When I walk into a high school Cisco Networking class, I’ll see 30 boys and one girl. Girls are being told loudly: ‘You are not invited.’”

Cybersecurity Will Become A War Between Machines
Those who have to defend themselves can see the models of behavior with the help of AI programs, which are able to analyze vast amounts of data by themselves. The attackers identify weaknesses and manage attacks on a much larger scale, automating them in a previously unthinkable way. This is also made possible by the increasingly widespread practice of collaboration between bad guys.

“Privacy is not for sale,” Telegram founder says after being banned in Russia
The watchdog said Russian authorities needed the ability to decrypt messages sent by potential terrorists and that Telegram had missed an April 4 deadline to turn over keys that would make that possible. At today’s hearing, which was scheduled only 24 hours earlier, the court granted the request after just 18 minutes of deliberation, The New York Times reported. Telegram lawyers skipped the hearing in protest. […] “At Telegram, we have the luxury of not caring about revenue streams or ad sales,” Durov, a Russian who fled the country in 2014, wrote. “Privacy is not for sale, and human rights should not be compromised out of fear or greed.”

SMASHINGCOCONUT malware looks a lot like malware used by North Korea in Sony attack
DHS described the malware as a “32-bit Microsoft Windows-based wiper malware capable of rendering a Windows-based system inoperable if run using administrator privileges,” according to Foreign Policy, which obtained a copy of the note. After the malware installs, a cyber actor must insert a command-line argument to execute it, and from there the malware deletes all files as well as writes over the master boot data record, replacing it with hard-coded data. Additionally, it turns its venom on the bootable and non-bootable partitions on the hard drive, deleting them all.
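The behaviour described above (the master boot record stamped with hard-coded data and the partition entries destroyed) is something a responder can confirm from the first 512 bytes of a disk image. The following is an added example, not code from the page, from DHS, or from the cited article: a small MBR parser with an integrity check that flags a missing 0x55AA boot signature, an emptied or malformed partition table, and a boot-code area filled with a repeating pattern. The sample sectors are constructed inline, and the byte-diversity threshold used to spot a filler pattern is an assumption, not a property of the malware.

```python
"""MBR parser and wipe check (added example; not from the article or the DHS note)."""
import struct
from typing import Dict, List

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # 446 bytes of boot code precede the table
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xAA"          # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> Dict:
    """Decode the boot signature and the four 16-byte partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sectors(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector[510:512] == BOOT_SIGNATURE,
            "partitions": partitions}


def assess_mbr(sector: bytes) -> List[str]:
    """Return findings suggesting the MBR was overwritten; an intact MBR yields []."""
    findings = []
    info = parse_mbr(sector)
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    used = [p for p in info["partitions"] if p["type"] != 0x00]
    if not used:
        findings.append("no partition entries (table zeroed or overwritten)")
    for p in used:
        if p["status"] not in (0x00, 0x80):       # only inactive/bootable are valid
            findings.append("invalid status byte 0x%02x" % p["status"])
        if p["sectors"] == 0:
            findings.append("partition type 0x%02x has zero length" % p["type"])
    # A wiper that stamps hard-coded filler over the sector leaves almost no byte
    # diversity in the boot-code area; the threshold of 2 distinct values is an assumption.
    if len(set(sector[:PARTITION_TABLE_OFFSET])) <= 2:
        findings.append("boot code area filled with a repeating pattern")
    return findings


def read_mbr(image_path: str) -> bytes:
    """Read the first sector of a raw disk image (or a block device, with privileges)."""
    with open(image_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr() -> bytes:
    """Constructed sample: varied boot code, one bootable NTFS partition at LBA 2048."""
    boot_code = bytes(range(256)) + bytes(PARTITION_TABLE_OFFSET - 256)
    entry0 = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                         b"\x00\x00\x00", 2048, 204800)
    table = entry0 + bytes(PARTITION_ENTRY_SIZE * 3)
    return boot_code + table + BOOT_SIGNATURE


# Constructed "after" sectors: one stamped with hard-coded filler, one zeroed.
WIPED_MBR = bytes([0xAA]) * SECTOR_SIZE
ZEROED_MBR = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sec in (("intact", build_sample_mbr()),
                      ("wiped", WIPED_MBR), ("zeroed", ZEROED_MBR)):
        print(name, assess_mbr(sec) or "no findings")
```

On a real case you would call `assess_mbr(read_mbr("/path/to/image.dd"))` against a forensic image rather than the live disk; the check only reads the sector and never writes to it.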



Critical Informatics and the Critical Informatics logo are the trademarks of Critical Informatics, Inc. All other brand names, trademarks, service marks and copyrights are the property of their respective owners.  © 2017 Critical Informatics, Inc. All rights reserved.