CYBER SECURITY CONSULTING SERVICE AWARDS AND RECOGNITIONS
CyberSecOp's comprehensive managed security services, cyber security consulting, professional services, and data protection technology are recognized as industry-leading threat detection and response solutions by major analyst firms, key media outlets, and others.
So, What Exactly Is the Dark Web, Anyway?
The first time I heard the term ‘Dark Web’ was in the context of a case of misappropriated identity. A close relative of mine had begun receiving all sorts of communications from credit card companies and debt collectors concerning delinquencies that they were completely unfamiliar with. One even included an attempt at collecting back premises rent for an apartment in Dallas, Texas where my relative had never visited in their life. After spending months fighting off financial claims and trying to repair their credit history, my relative contracted a computer security professional to perform a forensic investigation of their home PCs. It was ultimately discovered that some or all of the data breach enabling the identity theft had been the outcome of a fairly sophisticated spear-phishing attack combined with the installation of a key logger agent. The forensics also revealed that much of their Personal Identifying Information had migrated to the Dark Web and was presently freely available to whomever-or whichever entity-might be interested.
Dark Web and how it functions
Dark Web, I thought. Huh. I’ve heard of the Dark Web but don’t know much about what it is or more specifically, how it functioned. Heretofore I’d (wrongly) believed it was composed of a bunch of gamers sharing logins to cloud gaming services along with the ever-present and always thriving market for pornography. My investigatory efforts yielded that the Dark Web is so, so much more, however; and I thought it was important to share my findings to clear up any popular misconceptions of which there is legion. Therefore, I’ve decided to put together a brief post that provides the nuts and bolts of what’s become an increasingly important cog in the global economy for ill-gotten bits and pieces of data and information. It turns out, the Dark Web wasn’t nearly as elemental as I’d initially suspected.
The Dark Web is a collection of thousands of websites that use anonymity tools to hide their IP addresses. While it's most famously been used for black market drug sales and even child pornography, the Dark Web also enables anonymous whistleblowing and protects users from surveillance and censorship. Readers will recall that the Dark Web played an intermediary role in WikiLeaks dissemination of certain confidential U.S. Department of Defense documents related to the conflicts in Iraq and Afghanistan.
Who created the Dark Web and how can it be assessed?
The majority of Dark Web sites use the anonymity software Tor with was created by the U.S. Department of Defense, though a smaller number also uses a similar tool called I2P. Both of those systems encrypt web traffic in layers and bounce it through randomly-chosen computers around the world, each of which removes a single layer of encryption before passing the data on to its next hop in the network. In theory, that prevents any spy—even one who controls one of those computers in the encrypted chain—from matching the traffic’s origin with its destination. In layman’s terms-traffic on the Dark Web is untraceable.
Though the Dark Web is most commonly associated with the sale of drugs, weapons, counterfeit documents, and child pornography, not everything on the Dark Web is quite so “dark.” One of the first high profile Dark Web sites was the Tor hidden service WikiLeaks created to accept leaks from anonymous sources. Even Facebook has launched a Dark Web site aimed at better catering to users who visit the site using Tor to evade surveillance and censorship. The Dark Web is also a vehicle for hackers to buy and sell personal information such as names, addresses, social security numbers, credit card information, etc. The more information they obtain from the unsuspecting victim, the higher the price.
Can Dark Web provide privacy
Just how completely Dark Web users can evade the surveillance of highly-resourced law enforcement and intelligence agencies, however, remains an open question. The FBI and EUROPOL have both launched successful Dark Web investigations aimed at stopping human trafficking, identity theft, and drug smuggling, and in most cases, the agencies were able to identify the threat actor by setting up relays and scripts on websites they frequently visit. It's also possible that the agencies employed sophisticated DNS attacks on TOR servers or used other exploits; then again, it’s also possible they were able to rely on good old Human Intelligence-informants. Everyone seems to have a price.
So in summary, we know that the Dark Web exists, it’s a marketplace for all sorts of data and information exchange, not all of it legal or voluntarily disclosed. The best way to ensure you don’t wind up on the wrong side of information exchange? Secure your information systems, be very, very judicious in responding to emails and if you have any questions or concerns, contact a licensed information technology security professional. The stakes are high, and only getting higher.
Author: Rich Fiore
Moving to the cloud: Efficiency and Reduced Organizational Risk Posture
Moving to the cloud: A Study in Security, Efficiency & Reduced Organizational Risk Posture
A recent Gartner study indicates that cyber crimes are at an all-time high, up 30% year over year. This is and should be of tremendous concern to C-suite executives and boards of directors.
The root cause of cybercrimes varies; however, most organizations will experience vulnerabilities arising from technological gaps due to neglected software patching initiatives, outdated firmware, continued use of hardware beyond manufacturer ‘end of life’ standards, limited resources, limited budgets, multiple new compliances, and of course externalities such as the recent global pandemic.
In efforts to protect against threat actors while simultaneously acknowledging their companies’ limitations, more and more C-suite information security executives are proposing complete moves to cloud-based computing environments along with the ‘shared resource’ model characteristic thereof. This will help ensure information security integrity, reduce or eliminate the threat of bad actors wreaking havoc on the company’s information systems and will allow the organization to achieve its goals with some element of cost-efficiency. To ensure these systems are implemented in the most efficient manner possible, many concerns will turn to Managed Security Services Providers (MSSPs).
1. Lack of resources create an unintended risk appetite
Some specific security challenges organizations face in today’s operating environment, based on experience include: A lack of resources creates an unintended risk appetite leads to organizational dysfunction and job loss. Organizations need to provide their CISO with their own budget, independent of IT, and the CISO needs to report at the same level as the CIO with a direct line to the Board of Directors and should feel comfortable addressing any vulnerabilities that may arise, notwithstanding resource requirements to address them. Recently, we were tasked with performing a security assessment and reporting our results directly to the client’s Chief Information Officer. The Chief Information Officer, in turn, requested that we provide our findings simultaneously, at a joint meeting of the Board of Directors. The Chief Information Security Officer had previously briefed the board on the organization’s information security posture and had suggested that risk levels were at a minimum and that there were no vulnerabilities or deficiencies that could pose mission-critical faults; in this, the CISO had sought to ‘paper over’ problems that had not been budgeted for and instead treated with an ‘it’s your job, you fix it’ mentality, creating a lose-lose proposition. Our findings and report directly contravened what the Board had previously been told, and this led to the firm initiating a comprehensive systems audit which resulted in the dismissal of multiple information technology executives.
2. Cloud Security Competency, Efficiency, and Cost-Effectiveness. As the cloud computing environment becomes mainstream, organizations will realize the competitive benefit of having so many competitors offering similar services. This allows organizations to seek out the best technology and team while adhering to internal resource limits.
3. Application and Network Monitoring
This service is critical for identifying potential risks and attacks from internal and external threats and one of the single largest information security infrastructure areas of investment for companies today. CyberSecOp has seen a volumetric increase in requests for our Security Information and Event Management (SIEM), Managed Detection and Response (MDR), Data Loss Prevention (DLP), Security Operations Center (SOC) and Cloud Access Security Brokers (CASB) services over the last year, which dovetails with broader global market trends. With ransomware and data security breaches at an all-time high, organizations are looking to managed IT security and managed compliance services providers to bridge the resource gap.
4. Data Security Governance Framework
Organizations are utilizing the cloud to aid with compliance, reducing the upfront cost of buying all the necessary security solutions and related resources needed to get them configured and managed; indeed, the focus has switched to using cloud and shared resources provided by managed IT and managed security providers.
5. Enterprise Security Partners
Bringing on an Enterprise Partner enables companies to focus on those factors that promote business growth as opposed to focusing on back-end solutions and internal control structures. In turn, the Enterprise Partner (MSSP) is often able to provide its services at a substantially more cost-efficient and competency structure than if the company had attempted to replicate those services internally; examples of specific areas of favorability are hiring and staffing the function, keeping up with and implementing vulnerability management, leaner staffing levels, and overall cost efficiencies.
6. Authentication
Over the past year, we have seen a 70% increase in the adoption of multifactor authentication technologies, including but not limited to ‘password-lite’ cloud-based solutions capable of biometric authentication, geolocation fence authentication, anomaly detection, end-user based risk scoring, and evaluation. Partnering with an Enterprise Security Partner can ensure such technologies are rolled out across all organization information technology platforms in a coordinated and effective manner, with a minimum risk of non-adoption and systemic conflicts.
CyberSecOp provides proven Risk Management and Digital Transformation: As one of the most called on firms for security breach response services per Google Analytics, we have assisted with over 550 incident responses spanning 2019 and 2020. CyberSecOp helps organizations assess their cloud or on-premise environments and implement a security program that provides the safeguards needed in the cloud or on-premises. We also offer incident response and forensics teams to assist with containment, remediation, recovery from ransomware attacks, and other security breaches.
FBI, DHS CISA Publish Top Ten Cybersecurity ‘Hit List’
FBI, DHS CISA Publish Top Ten Cybersecurity ‘Hit List’ for State-Based and Non-State Based threat actors
Recently, two prominent US cybersecurity agencies disclosed, according to their internal metrics, the 10 most commonly exploited software vulnerabilities. The relevant time interval was 2016 through 2019, inclusive, as well as separate guidance listed for 2020.
The report, authored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (DHS CISA) and the Federal Bureau of Investigation (FBI), urges organizations in the public and private sector to apply all software patches and updates in order to prevent the most common forms of attacks encountered today.
This includes, but is not limited to, attacks carried out by state-sponsored, non-state, and unattributed threat actors.
US government officials have argued that applying patches could degrade the cyber arsenal of foreign actors targeting US entities, as they'd have to invest resources into developing new exploits, rather than relying on old and tested bugs.
"Exploitation of these vulnerabilities often requires fewer resources as compared with zero-day exploits for which no patches are available," US officials said.
"A concerted campaign to patch these vulnerabilities would introduce friction into foreign adversaries' operational tradecraft and force them to develop or acquire exploits that are costly and less widely effective."
A summary of the FBI and CISA’s ‘Top 10 Vulnerabilities from 2016 through 2019’
OLE - According to U.S. Government technical analysis, malicious cyber actors most often exploited vulnerabilities in Microsoft’s Object Linking and Embedding (OLE) technology. OLE allows documents to contain embedded content from other applications such as spreadsheets. Of the top 10, the three vulnerabilities used most frequently across state-sponsored cyber actors from China, Iran, North Korea, and Russia are related to Microsoft’s OLE technology.
Apache Struts - After OLE the second-most-reported vulnerable technology was a widespread Web framework known as Apache Struts.
Windows Common Controls - As of December 2019, Chinese state cyber actors were frequently exploiting the same Windows OS vulnerability, an exploit in the Windows Common Controls that could allow for remote code execution.
Unpatched Devices - Deploying patches often requires IT security professionals to balance the need to mitigate vulnerabilities with the need for keeping systems running and ensuring installed patches are compatible with other software. This can require a significant investment of effort, particularly when mitigating multiple flaws at the same time. The FBI and CISA noted that this is a vulnerability as many organizations focus on their IT infrastructure as an area for cost-saving measure.
Microsoft and Adobe Flash products - A U.S. industry study released in early 2019 similarly discovered that the flaws malicious cyber actors exploited the most consistently were in Microsoft and Adobe Flash products, probably because of the widespread use of these technologies.
A summary of the FBI and CISA’s top vulnerabilities from 2020
Bugs detected in Citrix VPN appliances, specifically the Citrix Application Delivery Controller (ADC) and Gateway 10.5, 11.1, 12.0, 12.1, and 13.0; allows for directory traversal.
Bugs detected in Pulse Secure VPN servers; specifically, In Pulse Secure Pulse Connect Secure (PCS) 8.2 before 8.2R12.1, 8.3 before 8.3R7.1, and 9.0 before 9.0R3.4, an unauthenticated remote attacker can send a specially crafted URL to perform an arbitrary file reading.
COVID-19 Prompts Increased Ransomware Attacks Against SMBs Healthcare Providers
With the inception of the COVID-19 pandemic, malicious actors are increasingly targeting small hospitals and health centers with ransomware attacks. This is likely because these organizations are more likely to pay the ransom to recover data, as they weigh the perceived cost/benefit to strengthening their IT infrastructure security, or moving part or all of their IT operations to cloud-based solutions.
Cybercriminals tend to specifically target direct patient care facilities such as hospitals, healthcare centers, medical practices and health and wellness centers; although their efforts are certainly not confined to the above-referenced provider classes. The average ransomware demand is in the neighborhood of $60,000; however, simply paying the ransom in no way guarantees that the attacker will remit the decryption key; in fact, quite the opposite may occur; paying a ransom may encourage the attacker to maintain the leverage they enjoy over the target.
The ultimate consequences of ransomware attacks can and often are quite severe, ranging from continued involuntary exploitation of the attacker/victim relationship, to business closure. In some cases, class action lawsuits (dependent on the attack vector and information yield).
As more organizations move employees to work from home, remote staff make it increasingly difficult for IT teams to police computer systems and prevent cyber-attacks. Attackers now have far more access points and endpoints to probe or exploit, with little to no security oversight.
Here at CyberSecOp, we have formulated several countermeasures that healthcare employers should employ to minimize the risk of their networks being penetrated and secure their sensitive information.
Add data storage: After backing up data, the next step is to store data offline, on a different network, or a cloud-based environment.
Maintain a strong information encryption policy: Healthcare data must be encrypted at rest and transit with the highest standards available so that even if cybercriminals acquired it, they would not be able to read it.
Formulate and maintain an Incident Response Plan: Develop and test an incident response plan to help mitigate the impact of certain destructive malware attacks.
Track all data: Security personnel should closely monitor the company’s digital assets within the organization. This is of particular importance now as healthcare facilities’ attack surface expands and becomes more complex with some staff working remotely.
Establish and maintain firewalls: To harden networks and connected equipment, healthcare facilities with devices running open services should place them behind the latest application firewalls. They should also implement proper change management and firewall reviews to ensure proper documentation and optimization of these devices.
Follow the trends: Be aware of current ransomware threats, attack trends, and make sure those trends are socialized and communicated throughout the organization. Awareness is key.
Remote Working And Online Safety Tips
1. Avoid Creating Easy or Common Passwords
Password123 is a big no-no. Hackers have become bolder and have been using password deciphering tools to infiltrate vulnerable accounts. Multi-factor authentication (discussed later in this list) will most likely prevent them from going further, but it is always recommended to create a password with a mix of symbols, numbers, capital letters, and a lengthy number of characters to make it harder to crack. Also, the more frequently you change a password, the better. We also recommend using different passwords for different accounts. If the same password is used for multiple accounts, it becomes easier for hackers to infiltrate multiple accounts.
2 Connect Only to Protected Private WiFi Networks or (VPN) Virtual Private Networks
Always use private, password-protected WiFi networks to connect remotely. Security experts consider signing in to sensitive office networks with public WiFi or unsecured network connections akin to “swimming in shark-infested waters”—it’s only a matter of time before you get bit. Experts recommend consulting a trusted IT provider about setting up a VPN that can minimize the risk to devices and data.
3. Unusual Phrasings in subject lines/body, misspellings, poor-quality images or bad grammar
Although corona-virus-related phishing schemes are currently at an all-time high, the good news is that they aren’t much different from past attempts. Paying extra attention to message details—capitalization, punctuation, paragraph structure, sloppy design/formatting, or any language that seems out of the norm, makes detecting fake ones easier.
4. Don’t download unfamiliar attachments or click on unfamiliar links
In the age of remote work, collaborative OneDrive, Google Docs, or general Cloud sharing is a common way to redirect others to a malicious website. If you aren’t expecting a specific file from a specific sender, don’t open any attachments in an unknown message. This applies to links as well. To check if a link is safe, hover your mouse over the link to confirm the target URL matches what’s written (on a desktop or laptop). For extra precaution, type out the website to avoid being unknowingly redirected.
5. Activate multi-factor authentication (MFA) on every account you can
Many phishing schemes try to get you to re-enter your password for common apps or social media accounts—all in hopes that hackers can steal your password. Using multi-factor authentication can mitigate this since MFA requires something you know (your password) with something you have (a unique code delivered via text message or email).
6. Confirm the sender's email address
It’s easy for a hacker to mimic someone’s display or contact name—always double-check to confirm what shows up with the actual email address the message was sent from to make sure the sender is who he or she is claiming to be.
7. Do not respond to email correspondence from any financial institution
This goes for any communications via email or phone. You will not be prompted to sign in to your account or receive a call from your financial institution asking for your PIN or other personal information. In fact, most updates are sent with a 'do-not reply' email handle. Most official communications from financial firms are usually sent via snail mail. To ensure you are in contact with an actual representative of the firm, call the number on the back of your card or the phone number provided on your financial statements.
We hope you find these tips helpful.
Safe remote working and browsing!
- The CyberSecOp Team
Hackers Taking Advantage of Covid19 to attack major industries
With the unprecedented events of the past few months and no end in sight to the COVID-19 pandemic, hackers are leveraging the related chaos as a means of targeting, hi-jacking, infiltrating, and generally creating havoc among major industries around the globe.
The suddenness of the global governmental response combined with the rapid shift to remote work solutions has created a haphazard environment for many businesses that simply do not have the time to implement due diligence and information security controls. Unfortunately, the smart bad guys are taking advantage.
In California’s’ Bay Area, two school districts have become recent victims of breaches that exploited the unexpected thrust to online learning. Video conferencing sessions were hacked and infiltrated by uninvited guests; hundreds of online learning passwords were inadvertently exposed to public consumption. School administrators were left scrambling and ultimately had to ban all usage of video conferencing until proper security measures were implemented.
Hospitals and medical facilities are reeling from the virus spread, and hackers are paying no solace to this industry as they hammer away with targeted phishing campaigns and other website-based attacks. The World Health Organization (WHO) has reported several unsuccessful attacks against their network, with one geared around impersonating the WHO email system. Hammersmith Medicines Research (HMR) a UK based research team tasked with creating a Covid19 vaccine, unfortunately, did fall victim to a cyber-attack, as malicious actors were able to access and then post medical data from thousands of patients.
Education and healthcare are not the only sectors being infiltrated. Financial firms are being hit with targeted phishing attacks called whale or spear-phishing - Using Covid19 as the backdrop. Attackers are creating very specific, sophisticated emails that create a sense of urgency and ultimately increase the odds of the recipient becoming a victim.
It is an important time to ensure that your business leaders are setting an example by exhibiting best practice security behaviors that will ultimately set the tone and trickle down the entire organization. Top management commitment, effective strong policies that are communicated to the entire organization, and a measurable security awareness along with a sound risk management framework; are just some of the layers in security that will decrease the attack surface of any business.
CyberSecOp offers a full suite of cyber-security solutions that include:
Full Security Assessments
Gap Analysis
Policy Creation
Security Awareness Training and Measurement
24/7 Security Operations Center (SOC)
Ransomware Response
Penetration Testing
Vulnerability Scanning and Management
Forensics
VISO (Virtual Information Security Officer)
9 Most Important Cyber Security Tips
Teleworking during the Coronavirus outbreak? While working from home can help slow the spread of the virus, it brings new challenges: juggling work while kids are home from school; learning new software and conferencing programs; and managing paper files at home. As you’re getting your work-at-home systems set up, here are some tips for protecting your devices and personal information.
The internet has become a space riddled with malicious links of trojans, and viruses. Data breaches are becoming more frequent, and unsuspecting users are more vulnerable than ever before.
1. Start with cybersecurity basics. Keep your security software up to date. Use passwords on all your devices and apps. Make sure the passwords are long, strong and unique: at least 12 characters that are a mix of numbers, symbols and capital and lowercase letters.
2. Connect Only to Protected Private WiFi Networks or (VPN) Virtual Private Networks
Always use private, password-protected WiFi networks to work from home. Security experts consider signing in to sensitive office networks with public WiFi or unsecured network connections akin to “swimming in shark-infested waters”—it’s only a matter of time before you get bit. Experts recommend consulting a trusted IT provider about setting up a VPN that can minimize the risk to devices and data.
3. Dispose of sensitive data securely. Don’t just throw it in the trash or recycling bin. Shred it. Paperwork you no longer need can be treasure to identity thieves if it includes personal information about customers or employees.
4. Unusual phrasings in subject lines/body, misspellings, or bad grammar
Although corona-virus-related phishing schemes are currently at an all-time high, the good news is that they aren’t much different from past attempts. Paying extra attention to message details—capitalization, punctuation, paragraph structure, sloppy design/formatting, or any language that seems out of the norm, makes detecting fake ones easier.
5. Don’t download unfamiliar attachments or click on unfamiliar links
In the age of remote work, collaborative OneDrive, Google Docs, or general Cloud sharing is a common way to redirect others to a malicious website. If you aren’t expecting a specific file from a specific sender, don’t open any attachments in an unknown message. This applies to links as well. To check if a link is safe, hover your mouse over the link to confirm the target URL matches what’s written (on a desktop or laptop). For extra precaution, type out the website to avoid being unknowingly redirected.
6. Activate multi-factor authentication (MFA) on every account you can
Many phishing schemes try to get you to re-enter your password for common apps or social media accounts—all in hopes that hackers can steal your password. Using multi-factor authentication can mitigate this since MFA requires something you know (your password) with something you have (a unique code delivered via text message or email).
7. Confirm the sender's email address
It’s easy for a hacker to mimic someone’s display or contact name—always double check to confirm what shows up with the actual email address the message was sent from to make sure the sender is who he or she is claiming to be.
8. Do not respond to email correspondence from any financial institution
This goes for any communications via email or phone. You will not be prompted to sign into your account or receive a call from your financial institution asking for your PIN or other personal information. In fact, most updates are sent with a 'do-not reply' email handle. Most official communications from financial firms are usually sent via snail mail. To ensure you are in contact with an actual representative of the firm, call the number on the back of your card or the phone number provided on your financial statements.
9. Follow your employer’s security practices. Your home is now an extension of your office. So, follow the protocols that your employer has implemented.
Employees Work From Home [COVID-19]
With the recent developments in COVID-19, many organizations are transitioning to a work-from-home model, but with no fool-proof way of tracking employees' work, they may experience a loss in productivity. Additional concerns related to data movement have put privacy and security at risk since most home users' networks are not secure. That's what CyberSecOp specializes in - employee tracking in distributed environments.
User Activity Monitoring to prevent insider threats
User Behavioral Analytics monitors productivity and use results for process optimization with the ultimate goal to increase productivity and reduce or eliminate insider threats
CyberSecOp's DLP is effective in protecting against data breaches, data leaks, and IP theft
You can have an effective remote workforce and still be in control with the ability to see user activity, live screen monitoring to automated alerts/scheduling, and more. See CyberSecOp.com for a trial.
CyberSecOp caters to small businesses, enterprises, government organizations, and everything in between. We provide cloud and on-premise deployments available at your request.
What is a Data Breach?
A data breach is the unauthorized access, use, disclosure, or theft of sensitive, confidential, or personal information. Data breaches can occur when cybercriminals gain access to a system or database and steal or expose the information stored there. They can also occur when information is accidentally or improperly disclosed by an individual or organization.
Data breaches can have serious consequences, including financial losses, reputational damage, and legal liabilities. They can also have serious impacts on individuals whose information is compromised, including identity theft and other forms of fraud.
There are several ways that data breaches can occur, including through cyber attacks, such as hacking and ransomware, and through physical means, such as the loss or theft of a device containing sensitive information. To prevent data breaches, it is important for individuals and organizations to implement strong security measures, such as using strong passwords, regularly updating software and operating systems, and implementing controls to prevent unauthorized access to sensitive information.
data breach laws
There are various laws that protect against data breaches and provide consequences for individuals and organizations that fail to protect sensitive information. These laws vary by jurisdiction, but some common examples include:
The General Data Protection Regulation (GDPR) is a data protection law that applies to organizations in the European Union (EU) and European Economic Area (EEA). It requires organizations to protect personal data and to report certain types of data breaches to authorities and individuals affected by the breach.
The Health Insurance Portability and Accountability Act (HIPAA) is a law that applies to the healthcare industry in the United States. It requires organizations that handle protected health information (PHI) to implement safeguards to protect the privacy and security of PHI.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards that apply to organizations that handle payment card information. It requires organizations to implement measures to protect against data breaches and to report certain types of data breaches to authorities and card issuers.
In addition to these laws, many countries have their own data protection laws that apply to the collection, use, and storage of personal information. It is important for organizations to be aware of and comply with these laws to protect against data breaches and the potential consequences of such breaches.
Prevent Data Breach
There are several steps that individuals and organizations can take to prevent data breaches and protect sensitive information:
Use strong, unique passwords: Use strong, unique passwords for all accounts and devices, and regularly update them. Avoid using the same password for multiple accounts.
Enable two-factor authentication: Enable two-factor authentication, which requires the use of a second form of authentication in addition to a password, for all accounts and devices.
Keep software and operating systems up to date: Regularly update software and operating systems to ensure that the latest security patches are installed.
Use a firewall: Use a firewall to block incoming connections from known malicious sources.
Use antivirus software: Use antivirus software to identify and block malware, including ransomware.
Implement access controls: Implement controls to prevent unauthorized access to sensitive information, such as by requiring users to authenticate before accessing certain data or systems.
Regularly back up data: Regularly back up data and store it in a secure location to minimize the impact of a data breach.
Train employees: Train employees on the importance of data security and best practices for protecting sensitive information.
By implementing these measures, individuals and organizations can significantly reduce their risk of suffering a data breach and the potential consequences of such a breach.
Board Oversight of Cybersecurity Risk
Why CISOs and Boards Should Work Together to Improve Cybersecurity
Corporate board members often ask management specific questions that stop short of demanding metrics, It is this lack of measurable criteria which often hinder the effectiveness of cyber-security efforts.
First and foremost, it is imperative for the board to appreciate the impact that information security can have on the business. Boards should treat security as a top business risk as well as a top business opportunity. Major security events can have a significant impact on revenue, brand, and can lead to catastrophic results.
Board oversight of cyber-security has increased over the years. Even board members without technical expertise have had to become rapidly acquainted with IT risk and security concepts. In recent years, frameworks and best practices have emerged to help boards get a grip on their organizations’ cyber-security posture.
Specific Areas of Focus:
Improved emergency response times and evacuation management with real-time tracking of personnel movements around your site.
Information related to how the organization manages cyber-security, security awareness, and the enterprise risk management (ERM) program.
Actively monitor workers within a zone, on local or remote sites.
Ensure blast zones have been cleared before explosives are detonated.
Monitor the movement of people to a muster area during an evacuation.
Ensure the security control room is aware of workers who are alone on remote sites.
Monitor personnel who remain within a high security area at the end of a working day or shift.
Breach Response Protocol
Corporate boards should receive regular reports from executives about the company’s cyber-security risks, management review processes, overall health, and readiness to respond to an incident. Best practices include quarterly reports from firm leaders and more frequent reporting if needed.
Company leaders should carry out incident response plan tabletop exercises annually at a minimum. Board members should expect reports on the test outcomes. Details about how the plan will be updated are based on the test results.
Third-Party Risk
Regulators are increasingly targeting third-party risk. Wide-reaching laws like GDPR, industry-specific regulations such as the New York Department of Financial Services (NYDFS) Cyber-security Regulation and NERC CIP-013 in the utilities industry, provide specific requirements for managing third-party risk.
User-Related Risk
Human error can expose an organization to a wide array of cyber-attacks.. Business leaders commonly state that employee negligence is the most common cause of data breaches. Phishing for example, was implicated in 32% of data breaches in 2018. In addition, poor password practices, connecting to public Wi-Fi from company devices, and sharing files that contain malware are all examples of employee errors that could translate into huge costs for any organization.
In terms of board qualifications, 41% of companies reported highlighting cybersecurity expertise as an area of focus for new board directors. But when it came to interactions with management, only 34% of organizations mentioned the frequency of board reports, with just 11% reporting briefing the board annually or quarterly.
Recommendations for Boards of Directors
Questions to ask:
Has responsibility for cyber-security been formally assigned at management level (e.g., CISO) and on the board itself (e.g., audit committee)?
Is the board getting regular briefings on the organization’s strategy regarding cyber-security risks and cyber resilience?
How engaged is the board in reviewing the organization’s cyber-risk management program and security-related investments?
How has the organization (i.e., management) fared in recent tabletop exercises or simulations? Are directors taking part in such activities?
Vinny La Rocca
CEO
CyberSecOp.com
Hackers Target Unpatched Citrix with Ransomware Attacks
All these attacks are taking place, hackers are scanning the internet for Citrix appliances which were unpatched for the CVE-2019-19781 [1] vulnerability. Vulnerable devices include the Citrix Application Delivery Controller (ADC), Citrix Gateway, and two older versions of Citrix SD-WAN WANOP. The vulnerability was disclosed in mid-December; however, internet-wide attacks began after January 11, when proof-of-concept exploit code was published online and became broadly available to anyone.
Citrix released the final permanent fix for the actively exploited CVE-2019-19781 vulnerability, needed to secure all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.
The CyberSecOp team has identified attacks scanning multiple client Citrix gateway to take advantage of vulnerabilities in Citrix gateway applications.
Timeline
On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0.
On January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances.
On January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0.
On January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.
A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[2] This vulnerability has been detected in exploits in the wild.[3]
The Cybersecurity and Infrastructure Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.
Timeline of Specific Events
December 17, 2019 – Citrix released Security Bulletin CTX267027 with mitigations steps.
January 8, 2020 – The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability, and CISA releases a Current Activity entry.
January 10, 2020 – The National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781.
January 11, 2020 – Citrix released blog post on CVE-2019-19781 with timeline for fixes.
January 13, 2020 – CISA released a Current Activity entry describing their utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability.
January 16, 2020 – Citrix announced that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.
January 19, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes.
January 22, 2020 – Citrix released security updates for Citrix SD-WAN WANOP release 10.2.6 and 11.0.3.]
January 22, 2020 – Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781.
January 23, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0.
January 24, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway version 10.5.
Technical Details
Impact
On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.
The vulnerability affects the following appliances:
Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds
Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15
Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13
Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 12.1.55.18
Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 13.0.47.24
Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).
What Customers Should Do
Exploits of this issue on unmitigated appliances have been observed in the wild. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who have chosen to immediately apply the mitigation should then upgrade all of their vulnerable appliances to a fixed build of the appliance at their earliest schedule. Subscribe to bulletin alerts at https://support.citrix.com/user/alerts to be notified when the new fixes are available.
The following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until the system has been updated to a fixed build: CTX267679 - Mitigation steps for CVE-2019-19781
Upon application of the mitigation steps, customers may then verify correctness using the tool published here: CTX269180 - CVE-2019-19781 – Verification Tool
Fixed builds have been released across all supported versions of Citrix ADC and Citrix Gateway. Fixed builds have also been released for Citrix SD-WAN WANOP for the applicable appliance models. Citrix strongly recommends that customers install these updates at their earliest schedule. The fixed builds can be downloaded from https://www.citrix.com/downloads/citrix-adc/ and https://www.citrix.com/downloads/citrix-gateway/ and https://www.citrix.com/downloads/citrix-sd-wan/
If you would like to learn more about CVE-2019-19781 vulnerability & risk mitigation, please contact CyberSecOp at the following support@cybersecop.com
NSA Reported a Critical Flaw in Microsoft Windows 10
The National Security Agency recently discover a vulnerability in Microsoft’s Windows 10 Operating System, NSA worked with Microsoft to issue patches and publicly raise awareness instead of using the flaw for its intelligence gathering.
On January 14, Microsoft released a set of patches for the Windows platform. While all of the issues addressed in the patch release are serious, this article will discuss one of them: CVE-2020-0601. Above anything else, we urge everyone to take action and patch their systems.
(CVE-2020-0601) affecting Microsoft Windows®1 cryptographic functionality.
The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. The exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples, where validation of trust may be impacted, include:
HTTPS connections
Signed files and emails
Signed executable code launched as user-mode processes
Vulnerability
CVE-2020-0601 is a serious vulnerability because it can be exploited to undermine Public Key Infrastructure (PKI) trust. PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways. The vulnerability permits an attacker to craft PKI certificates to spoof trusted identifies, such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them.
Microsoft explanation of the vulnerability
Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.
Microsoft Windows Crypto API fails to properly validate certificates, which may allow an attacker to spoof the validity of certificate chains. This vulnerability may not seem flashy, but it is a critical issue. Trust mechanisms are the foundations on which the Internet operates.
Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.
Mitigation Actions
NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems. In the event that enterprise-wide, automated patching is not possible, NSA recommends system owners prioritize patching endpoints that provide essential or broadly replied-upon services. Examples include:
Windows-based web appliances, web servers, or proxies that perform TLS validation.
Endpoints that host critical infrastructure (e.g. domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation).
Prioritization should also be given to endpoints that have a high risk of exploitation. Examples include:
Endpoints directly exposed to the internet.
Endpoints regularly used by privileged users.
Administrators should be prepared to conduct remediation activities since unpatched endpoints may be compromised. Applying patches to all affected endpoints is recommended, when possible, over prioritizing specific classes of endpoints. Other actions can be taken to protect endpoints in addition to installing patches. Network devices and endpoint logging features may prevent or detect some methods of exploitation, but installing all patches is the most effective mitigation.
Cyber Attack Bulleting
1) FBI, DHS issue bulletin warning of potential Iranian cyberattacks.
The FBI and Department of Homeland Security (DHS) issued a bulletin to law enforcement groups last week Wednesday warning of the potential for Iran to target the U.S. with cyber attacks in the wake of raised tensions following the death of Iranian General Qassem Soleimani.
2) 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete. According to the same survey, 80% of hackers say “humans are the most responsible for security breaches”.
3) Traditional perimeter-based security is not enough for cyberattacks.
According to CyberSecOp Data Breach Investigations Report, over half — and trending toward 100% — of recent data breaches were due to compromised credentials.
4. There is a cyber attack every 39 seconds.
By the time the average person takes a selfie and uploads it to Instagram, the next hacker attack has already taken place.
Ransomware Revenue 2019 - Demand Cost Increases
Ransomware is a type of malware that stops users from accessing their data until a ransomware payment is arranged. The money is usually paid in cryptocurrencies to avoid any kind of detection. Ransomware criminals trick you into clicking on infected links. They usually do this by copying the general look of an email to mask their nefarious intentions. Organizations interviewed by CyberSecOp say they experience data loss and major downtime as the result of a ransomware attack. Both of these outcomes are extremely costly for a business, especially larger ones with hundreds of employees. Significant downtime can result in millions of dollars of lost revenue and decreased consumer trust.
Cybercriminals Career Path is Ransomware
If you were considering becoming a cybercriminal or were perhaps a traditional villain looking to upgrade your skills for the 21st century, I’m sure your business model of choice would be running a ransomware operation. You would, thanks to the simplicity of platforms like Ransomware as a Service and the willingness of victims to pay ransomware fees.
The reason why Ransomware most common attack vector
The main reason for the runaway success of ransomware as a malware attack vector is its effectiveness and ability to generate money for cybercriminals. Anonymous payment services like Bitcoin make ransomware payment simple for victims and risk-free for the ransomware owners. Companies are even starting to keep a Bitcoin ransom ready if they are affected and cannot recover from the attack.
Ransomware big newsmakers
The biggest news-maker for 2019 is the Baltimore City government. The city’s computer system was hit with a ransomware infection in May 2019 that kept the city’s government crippled for over a month. Estimates put the cost to recover at over 18 million dollars, although the cybercriminal behind the ransomware only demanded $76,000 worth of Bitcoin. The attack reportedly impacted vaccine production, ATMs, airports, and hospitals. Just about a year earlier, the Atlanta city government spent over $17 million to recover from a ransomware attack that demanded $52,000 in Bitcoin.
The big tech giants are getting hit by ransomware too
Popular software as a service (SaaS) applications are being targeted by ransomware too. A study involving several multiple service providers found that Dropbox, Office 365, G Suite, Azure, and Amazon Web Services have experienced ransomware attacks in some form.
Ransomware Demand cost increases
At the same time, the average ransomware demands have increased rapidly to $36,000 in the second quarter of 2019. But this number understates the risk as perpetrators have adopted a more sophisticated pricing model which charges larger organizations much higher ransoms to unlock their data. Rivera Beach, FL, for example, had to pay $600,000 to unlock the city records encrypted by a ransomware gang while Korean hosting company Nayana paid $1m to unlock 3,400 hosted websites. Refusing to pay can cost even more as Norwegian aluminum maker Norsk Hydro learned when they spent $58m in the first half of 2019 to remediate the ransomware attack they experienced in March. The company’s Q1 profit also fell 82% due to production downtime caused by the attack. The implications for security professionals of these trends are clear. The time has come to move from a strictly defensive posture vis-à-vis ransomware to a more offensive strategy focused on finding and fixing vulnerabilities that can be exploited by ransomware.
98% of ransomware profits went through the cryptocurrency trading platform BTC
Windows 7 Support Ends January 14, 2020
Windows 7 is due to reach End Of Life (EOL) on 14 January 2020, but a large number of the world's computers, most in corporate environments, are still running the nine-year-old system.
Microsoft ended mainstream support for Windows 7 in January 2015, with extended support running till 14 January 2020. Businesses that fail to migrate in time will be saddled with high fees for further support from Microsoft.
This End of Life means no more bug-fixes, security patches or new functionality, making any user - personal or enterprise - significantly more susceptible to malware attacks. Just as it did with Windows XP, Microsoft will continue to offer support for those Windows 7 users still reluctant to upgrade to its Windows 10 OS, but at the significant monetary expense. Using an outdated operating system also makes your computer particularly vulnerable to cyber-attacks, including but not limited to phishing and ransomware exploits.
If you would like to learn more about Windows 7 End of Life risk mitigation, please contact CyberSecOp at the following support@cybersecop.com
Get protected with CyberSecOp, data breach protection for organizations that uses cloud or on-premises solution. CyberSecOp assists organizations with Cyber Security Incident, Ransomware Remediation, Privacy regulations, NIST, ISO 27001, GDPR, HIPAA, PCI, PII, and cyber insurance policies that require you to identify and protect (PII/PCI/PHI). Don’t risk regulatory fines. Stay compliant with CyberSecOp Security Compliance and Cyber Incident Response Services
FBI, DHS, DFS, & NFA Information Security Alert
There is a current heightened risk of cyber attacks from the Iranian Government, which has vowed to retaliate against the United States for the death of Qassem Soleimani. Given Iranian capabilities and history, U.S. entities should prepare for the increased possibility of cyber-attacks.
What is most concerning about Iran's cyber-attack history, is that it particularly targets the U.S. financial services industry. In June 2019, the U.S. government advised that it observed a “recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies,” Iranian attackers are increasingly using highly destructive attacks that delete or encrypt data.
Dept. of Financial Services (DFS), Dept. Of Homeland Security (DHS), and the Federal Bureau of Investigation (FBI) strongly recommend that all U.S. entities heighten their vigilance against cyber attacks. All entities should be prepared to respond quickly to any suspected cyber incidents. Historically, Iranian-sponsored hackers have primarily relied on common hacking tactics such as email phishing, credential stuffing, password spraying, and the targeting of unpatched devices.
DFS, DHS, and the FBI recommend that all entities ensure all vulnerabilities are patched/remediated (especially publicly disclosed vulnerabilities). It is also important to ensure that employees are adequately trained to deal with phishing attacks; implementation of multi-factor authentication; disaster recovery plans are reviewed and updated, and prompt response to further alerts from the government or other reliable sources is provided. It is particularly important to ensure that any alerts or incidents are given a prompt response (even outside of regular business hours). Iranian hackers are known to prefer attacking over the weekends and at night - precisely because they know that weekday staff may not be available to respond immediately.
Cyber Security Bulletin
1) FBI, DHS issue bulletin warning of potential Iranian cyberattacks.
The FBI and Department of Homeland Security (DHS) issued a bulletin to law enforcement groups last week Wednesday warning of the potential for Iran to target the U.S. with cyberattacks in the wake of raised tensions following the death of Iranian General Qassem Soleimani.
2) 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete.
According to the same survey, 80% of hackers say “humans are the most responsible for security breaches”.
3) Traditional perimeter-based security is not enough for cyberattacks.
According to Verizon’s Data Breach Investigations Report, over half — and trending toward 100% — of recent data breaches were due to compromised credentials.
4. There is a cyber attack every 39 seconds.
By the time the average person takes a selfie and uploads it to Instagram, the next hacker attack has already taken place.
For more information or if you have any concerns over heightening cybersecurity at your firm, please contact us at Support@cybersecop.com
Do you need help with DFARS NIST 800-171 Compliance
Maintain government contract award eligibility by demonstrating compliance with NIST SP 800-171 for Department of Defense (DoD) Federal Acquisition Regulations Supplement (DFARS) requirements. Federal government mandates and NIST SP 800-171 compliance can be time-consuming and confusing for your internal staff. CyberSecOp NIST-based compliance service takes the burden off your business operation, we will handle all your NIST compliance issues.
If you are a DoD Prime or Subcontractor and have questions about the DoD’s Compliance Guidance and how to develop the required SSP(s) and POA&M(s), We are a qualified Managed Security Services specializes in DFARS Compliance we can help you meet compliance. As a DFARS/NIST SP 800-171 consultant who has provided compliance solutions for DoD contractors all over the United States, we’re happy to point you in the right direction Call us today 866-973-2677.
DoD contractors must comply with DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which requires contractors to implement the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 1, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. These cybersecurity requirements for Primes and Subcontractors are no longer voluntary and DoD audits, coupled with the Cybersecurity Maturity Model Certification (CMMC) will require compliance prior to bidding a DoD contract
NIST 800-171 ASSESSMENT & PENETRATION TEST
NIST 800-171 Penetration Testing, Risk Assessments, and Compliance Gap Assessments, tailored to your company and designed to help you validate compliance with DFARS, ITAR, and NIST 800-171.
A risk assessment will evaluate the effectiveness of your entire security program. As well as, test your internal and external defenses using real-world attack scenarios.
Gap analysis: CyberSecOp’s advisory team will conduct a compliance analysis of current information systems against NIST SP 800-171. Findings include current compliance posture, identification and verification of organization security boundaries, system policies and procedures status, We work with your technical teams to help develop a plan to meet your continuous monitoring requirements and help you stay on top of your 30-60-90 day patch cycles.
DFARS NIST 800-171 Compliance Managed Security Services
Documented, actionable annual compliance assessments against all NIST 800-171 security requirements.
System Security Plans (SSP) & Addendums.
Documented Plans of Action & Milestones (POA&Ms) with dedicated program management leadership to close non-compliant control gaps and achieve full compliance
Third-party risk management to document and validate the security of your subcontractors, suppliers, and vendors and demonstrate compliance with DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting.
24x7x365 Security Operations Center (SOC)
Dedicated engineering support for the implementation of all 110 security controls including Multi-Factor Authentication, Incident Response and more.
Centralized 24x7x365 Security Operations Center (SOC) capabilities including: SIEM, Network IDS, Host IDS, File Integrity Monitoring, Vulnerability Assessment, Real-time Security Intelligence including correlation directives, IDS signatures, NIDS signatures, and Asset fingerprints and a full suite of compliance reporting including HIPAA, NIST 800-171, SOC 2, GDPR and PCI DSS and more because we understand that you have many compliance requirements to satisfy.
Cyber incident detection and reporting
Cyber incident detection and reporting aligned DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting requirements. From identifying compromised computers, servers, specific data, and user accounts through remediation and reporting CyberSecOp ensures you mitigate threats and maintain compliance.
Cloud Computing Services compliant with DFARS 252.239-7010 requirements to implement and maintain administrative, technical, and physical safeguards and controls with the security level and services required in accordance with the Cloud Computing Security Requirements Guide (SRG).
NIST SP 800-171 states that nonfederal contractors or subcontractors that collect, store, or transmit covered defense information (CDI) or controlled unclassified information (CUI) on nonfederal systems to the federal government will need to comply with NIST SP 800-171 by December 31, 2017, or risk losing government contracts. All prime contractors and their subcontractors must comply. Call us today 866-973-2677.
Popular Ransomware & Largest Data Breaches
Our data breach incident response team works with clients to build a timely, comprehensive & compliant response plan to mitigate data loss. They have done some research and came up with the following. The Incident response team assist clients with data breach response plan, which provides a roadmap your organization can follow in the event a data breach is discovered.
Largest data breaches?
LinkedIn | 117 million
Cybercriminals absconded with email addresses and encrypted passwords for 117 million LinkedIn users in this 2012 data breach. The passwords were encrypted, right? No big deal. Unfortunately, LinkedIn used that darn SHA1 encryption we talked about earlier. And if you have any doubts that your stolen passwords are being decrypted, CyberSecOp News reported on hacked LinkedIn accounts being used in an InMail phishing campaign. These InMail messages contained malicious URLs that linked to a website spoofed to look like a Google Docs login page by which cybercriminals harvested Google usernames and passwords. Still better than that temp-to-perm ditch-digging job recruiters keep sending you.
eBay | 145 million
In early 2014, cybercriminals clicked “Steal It Now” when they broke into the network of the popular online auction site and pinched the passwords, email addresses, birth dates, and physical addresses for 145 million users. One positive takeaway, financial information from sister site PayPal was stored separately from user information in a practice known as network segmentation (more on that later). This had the effect of limiting the attack and prevent criminals from getting to the really sensitive payment info.
Equifax | 145.5 million
The credit reporting company Equifax took a hard hit to their own “credit” score, at least in the eyes of American consumers, when the company announced they had experienced a data breach back in 2017. All of this could have been avoided if Equifax just kept their software up-to-date. Instead, hackers were able to take advantage of a well-known software bug and hack into the underlying software supporting the Equifax website. What makes the Equifax data breach so awful is not the size, though considerable; rather, it’s the value of the information stolen. The perpetrators made off with the names, birthdates, Social Security numbers, addresses, and drivers license numbers for 145.5 million Americans. Add to that approximately 200,000 credit card numbers and you get one of the worst data breaches in terms of sensitivity of the compromised data.
Under Armour | 150 million
Sports apparel company Under Armour’s slogan is “Protect This House.” Apparently, they didn’t take their own advice when their diet and exercise app MyFitnessPal was hacked in February of 2018. In the attack, cybercriminals managed to steal the usernames, emails and encrypted passwords for 150 million users. Under Armour did well to announce the data breach within a week of its discovery. On the flip side, the company used weak SHA1 encryption on some of the stolen passwords, meaning criminals could crack the passwords and reuse them on other popular websites.
Exactis | 340 million
The Exactis data breach is a little different in the sense that there’s no proof cybercriminals stole any data. However, the cybersecurity researcher who discovered the “data breach” believes that criminals did. Speaking with Wired, Vinny Troia said, “I’d be surprised if someone else didn't already have this.” Exactis, a Florida-based marketing firm, had records for 340 million Americans (that’s every single US citizen) stored on an unsecure server. Any cybercriminal could have found the data using a special search engine called Shodan that lets users find Internet-connected devices. While the breach did not include data like credit card and Social Security numbers it did include detailed lifestyle information, like religion and hobbies, that could be used in phishing attacks.
Myspace | 360 million
Remember Myspace? The social networking site that came before Facebook? If you had a Myspace account and you reuse passwords from site-to-site, you may be at risk. Cybercriminals stole data on 360 million pre-2013 Myspace users. This may not seem like a big deal, but the stolen passwords used that weak SHA1 encryption we keep talking about. As mentioned previously, criminals can try and reuse your old passwords on other popular sites in a credential stuffing attack.
AdultFriendFinder | 412 million
You’d think a site like AdultFriendFinder, billed as the “World’s Largest Sex and Swinger Community,” would know to use protection. Instead cybercriminals penetrated the site’s defenses and stole usernames, encrypted passwords, emails, date of last visit, and membership status for 412 million accounts. A previous data breach at AdultFriendFinder, affecting 4 million users, included sexual preference and whether or not the user was looking for an extramarital affair. Yikes.
Yahoo | 500 million
Yahoo? More like oh no! Yahoo makes its first appearance on our countdown with the 2014 attack on the former Internet tech giant. At its height during the dot-com boom years, Yahoo was one of the most visited sites on the web. This huge attack surface caught the attention of various bad actors. In the attack, cybercriminals made off with the personal information for as many as 500 million Yahoo users. In 2017, the US Department of Justice filed charges against four Russian nationals in connection with the Yahoo attack, two of whom were Russian government officials. To date, only one of the Russians has seen the inside of a jail cell.
Marriott International | 500 million
Just like housekeeping, hackers ignored the “Do Not Disturb Sign” and caught the world’s largest hotel company Marriott International in a compromising situation. The 2014 Starwood-Marriott attack wasn’t discovered until September of 2018. During the intervening years cybercriminals had unrestricted access to the personal information of 500 million Starwood-Marriott customers—anyone who ever booked a reservation at a Starwood property—including names, mailing addresses, phone numbers, email addresses, passport numbers, and dates of birth.
Yahoo—again | 3 billion
Yahoo has the embarrassing distinction of being the only company to make our list of biggest data breaches twice. To add insult to injury, Yahoo also takes the top spot. In August of 2013, cybercriminals stole data on every Yahoo user in the world—all three billion of them. The sheer size of the data breach is difficult to fathom. Over one-third of the world’s population was affected. When the attack was first revealed in 2016, Yahoo claimed only one billion of its users were affected by the data breach, later changing the figure to “all Yahoo user accounts” less than a year later. The timing couldn’t have been worse. At the time Yahoo revealed the updated data breach numbers, the company was in negotiations to be acquired by Verizon. News of the data breach allowed Verizon to scoop up Yahoo at a fire sale price. Yahoo was acquired by Verizon in 2017.
Popular Ransomware:
Ryuk: Ryuk the new ransomware in town that’s very carefully targeting enterprise and businesses. Say hello to Ryuk. In the first two weeks after its August debut, the ransomware has made their cyber attackers over $640,000 USD. By contrast, SamSam has taken about three years to make its author about $6 million USD.
Dharma: Dharma ransomware appeared as early as 2006, and has continued to this day with regular updates. Because of the continuous evolution of this ransomware, free decryptors for previous malware versions were released by Kaspersky and Eset. Unfortunately, files encrypted with the new variants of Dharma ransomware are not currently decryptable for free as was the case for the older variants.
LeChiffre: "Le Chiffre", which comes from the French noun "chiffrement" meaning "encryption", is the main villain from James Bond's Casino Royale novel who kidnaps Bond's love interest to lure him into a trap and steal his money. Unlike other variants, hackers must run LeChiffre manually on the compromised system. Cyber criminals automatically scan networks in search of poorly secured remote desktops, logging into them remotely and manually running an instance of the virus.
Locky: Locky's approach is similar to many other types of ransomware. The malware is spread in an email message disguised as an invoice. When opened, the invoice is scrambled and the victim is instructed to enable macros to read the document. When macros are enabled, Locky begins encrypting a large array of file types using AES encryption.
NotPetya: Initial reports categorized NotPetya as a variant of Petya, a strain of ransomware first seen in 2016. However, researchers now believe NotPetya is instead a malware known as a wiper with a sole purpose of destroying data instead of obtaining a ransom.
Petya: Unlike some other types of ransomware, Petya encrypts entire computer systems. Petya overwrites the master boot record, rendering the operating system unbootable.
Spider: A form of ransomware spread via spam emails across Europe. Spider ransomware is hidden in Microsoft Word documents that install the malware on a victim’s computer when downloaded. The Word document, which is disguised as a debt collection notice, contains malicious macros. When these macros are executed, the ransomware begins to download and encrypt the victim's data.
TeslaCrypt: TeslaCrypt is another new type of ransomware on the scene. Like most of the other examples here, it uses an AES algorithm to encrypt files. It's typically distributed via the Angler exploit kit specifically attacking Adobe vulnerabilities. Once a vulnerability is exploited, TeslaCrypt installs itself in the Microsoft temp folder.
TorrentLocker: TorrentLocker is typically distributed through spam email campaigns and is geographically targeted with email messages delivered to specific regions. TorrentLocker is often referred to as CryptoLocker, and it uses an AES algorithm to encrypt file types. In addition to encoding files, it also collects email addresses from the victim’s address book to spread malware beyond the initially infected computer—this is unique to TorrentLocker.
WannaCry: WannaCry is a widespread ransomware campaign that is affecting organizations across the globe. The ransomware hit over 125,000 organizations in over 150 countries. The ransomware strain is also known as WCry or WanaCrypt0r and currently affects Windows machines through a Microsoft exploit known as EternalBlue.
ZCryptor: ZCryptor is a self-propagating malware strain that exhibits worm-like behavior, encrypting files and also infecting external drives and flash drives so it can be distributed to other computers.
SamSam: SamSam ransomware is a custom infection used in targeted attacks, often deployed using a wide range of exploits or brute-force tactics. Based on our own run-ins with the infection, we’ve observed that attacks were made on targets via vulnerable JBoss, and RDP host servers during a previous wave of SamSam attacks in 2016 and 2017.
KeyPass: KeyPass ransomware first appeared on 8 August and so far has spread to hundreds of victims in more than 20 countries around the world via fake software installers which download the ransomware onto the victim's PC.
New York Information Security and Breach Law (SHIELD Act)
New York has joined the expanding list of states and countries to put in place a law that protects private information, empowering protection of data, and information security for operation that utilized PII information provided by New York residence. On July 26, 2019, Gov. Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act).
BILL NUMBER: S5575B Stop Hacks and Improve Electronic Data Security Act
BILL NUMBER: S5575B New York's data breach notification law requires an organization to implement necessary safeguards to protect data and provide notification in the event of a breach. This bill broadens the scope of information covered under the notification law and updates the notification requirements when there has been a breach of data. It also broadens the definition of a data breach to include an unauthorized person gaining access to information. It also requires reasonable data security, provides standards tailored to the size of a business, and provides protection from liability for certain entities. This act shall be known and may be cited as the "Stop Hacks and Improve Electronic Data Security Act (SHIELD Act)”
Does it apply to your business?
SHIELD Act will apply to any person or business that owns or licenses personal private data in electronic form, regardless if the person or business operates in New York. For example, a person or business may have physical operations in New Jersey, but if that office has employees and customers that reside in New York, they will be subject to the Act and its requirements. Like many recent privacy laws, such as the California Consumer Privacy Act (CCPA) and the European Union’s General Data Protection Regulation (GDPR), it is becoming clear that physical boundaries will not restrict the reach of these laws and any future laws to be adopted by other states and countries.
What is private information?
is any piece of personal information that can be used to identify an individual and includes, but is not limited to, the following:
Full name
Home address
Email address
Social security number
Passport number
Driver’s license number
Credit card numbers
Date of birth
Telephone number
Data Security Solutions
Security policy for third-party service providers, “The organization must document written procedures and policies to ensure third-party risk management programs protect information systems and non-public information.”
Key provisions of these policies apply to the financial institution’s systems, including:
Written policies and procedures designed to protect users from risks posed by third-party service providers
The identification and risk assessment of third-party service providers
Minimum cybersecurity practices required of third parties
The evaluation of third-party cybersecurity practices through due diligence
Periodic risk-based assessments
Additionally, policies and procedures pertaining to third-party service providers are required to include relevant guidelines for due diligence as well as contractual protections, addressing:
Access controls, including multi-factor authentication
Encryption
Notifications to be provided to the primary organization in response to a cybersecurity event
·Representations and warranties for a third party’s cybersecurity policies and procedures
CyberSecOp drives leadership in data security solutions
New is asking organization to assess their security risks, and then develop policies for data governance, classification, access controls, system monitoring, and incident response and recovery. The regulation calls for companies to implement, at a minimum, specific controls in these areas (see the next section) that are typically part of compliance standards.
Risk Assessments – Conducted periodically and will be used to assess “confidentiality, integrity, security and availability of the IT infrastructure and PII.
Audit Trail – Designed to record and respond to cybersecurity events. The records will have to be maintained for five years.
Limitations on Data Retention – Develop policies and procedures for the “secure disposal” of PII that is “no longer necessary for business operations or for other legitimate business purposes”
Access Privileges – Limit access privileges to PII and periodically review those privileges.
Incident Response Plan – Develop a written plan to document internal processes for responding to cyber security events, including communication plans, roles and responsibilities, and necessary remediation of controls as needed
Organization must be able to:
Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
Protect: Employ defense infrastructure to safeguard against those threats.
Detect: Implement the appropriate activities to identify the occurrence of a cybersecurity event.
Respond: Take appropriate action to mitigate all detected cybersecurity events.
Recover: Restore any capabilities or services that were impaired due to a cybersecurity event.
Breach and Who to Notify?
The SHIELD Act substantially changes the definition of a breach. Prior to the SHIELD Act, the definition of a breach was restricted to the unauthorized acquisition of private information. The SHIELD Act expands the definition to also include unauthorized access to private information. The inclusion of unauthorized access to private information will result in a substantial increase in the number of businesses that will be required to report a breach.
Security Breach Notification
Should a breach occur, you will need to notify the impacted individuals as well as: the New York State Attorney General, the Department of State, and the Division of State Police. If the breach impacts more than 5,000 New York residents, consumer reporting agencies must also be notified. If you are already subject to HIPAA, GLBA, or the NY DFS 500 Cyber Regulation, duplicate notifications to the individual is not required.
The SHIELD Act significantly amends New York's data breach notification law and data protection requirements. On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act") amending New York's data breach notification law.
Connecticut Insurance Data and Information Security
Connecticut ACT Concerning Insurance Data and Information Security
Section 230 of the Connecticut budget bill is called the “Insurance Data Security Law”; Connecticut now requires registered entities to have Information security and Cyber security program similar to New York’s Department of Financial Services (NYDFS). Section 230 became effective as of October 1, 2019, and the information security program must be implemented by no later than October 1, 2020. The purpose of this section 230 is to establish standards for data and information security for persons licensed and required to be licensed by the Insurance Commissioner, require licensees to notify the commissioner following cybersecurity events,d require the commissioner to investigate such possibilities.
The requirements include the implementation and maintenance of a Written Information Security Program (WISP) based upon a risk assessment as well as administrative, technical and physical safeguards to protect non-public information: Board of Directors oversight, policies, procedures, and precautions, risk management program included risk assessment, risk evaluation, risk mitigation of internal and external systems, and third parties vendor/suppliers, cybersecurity awareness training, encryption of data in transit and at rest, multifactor authentication, and continuous monitoring to identify unauthorized access to, or unauthorized alteration, destruction, disclosure, misuse or transmission of, nonpublic information. Speak with an expert.
Section 230 affects Insurance Companies, and third parties Auto Insurance
· Life Insurance
· Business Insurance
· Recreational Insurance
· Umbrella Insurance
· Financial Insurance
· Health & Long Term Care Insurance
· Flood Insurance
· Health Insurance
· Homeowners Insurance
· Insurance company’s suppliers
Breach & Cyber Event Notification
Cybersecurity event, the notification must be made to the Commissioner within three business days. Suppose an insurance licensee notifies an individual under the Connecticut breach notification law. In that case, the insurer must inform not only the individuals but also the Connecticut Attorney General and the Insurance Commissioner and has a “continuing obligation to update and supplement such information.”
Enforcement of Section 230
The enforcement provisions allow the Commissioner permission to “suspend revoke or refuse to reissue or renew any license, certificate of registration or authorization to operate” … and state that the Commissioner can impose a civil penalty of not more than fifty thousand dollars for each violation of the provision of this section.
The bill also requires insurance licensees to offer 24 months of credit monitoring to affected individuals in a data breach, which is consistent with the Connecticut data breach notification law.