Tag Archives: cyberrisk management

Immediate Vault Immediate Access

Phishing: Understanding Your Cyber Adversaries

Posted on by

Nearly two years ago, an infamous incident occurred where stolen pictures of celebrities flooded the internet. Originally, it was thought that this was due to an iCloud vulnerability that allowed a brute force attack. But it now turns out it was because of a simple social engineering phishing hack.

Phishing usually involves sending mass emails that masquerade as legitimate communications, coming from a trustworthy source like a big bank or credit card company. The phisher seeks to trick the recipient into clicking on a link or opening an attachment that downloads malware onto the victim’s computer. The malware can then be used for criminal activity including theft of sensitive data or money. While phishers may send thousands of emails, all they need are a few or even one individual to fall for their trick to get into the IT system. It’s easy to forget that security threats aren’t always the work of sophisticated technology geniuses with malevolent intent. As in the case of the celebrity photos, the method was relatively simple. However, it still caused reputational damage.

Cyber attacks don’t appear out of nowhere.

buy valtrex online www.delineation.ca/wp-content/uploads/2023/10/jpg/valtrex.html no prescription pharmacy

At the beginning and right through development and attack, humans are involved. Recently, we profiled half a dozen types of attackers. We call them the “Unusual Suspects.” An attack might start with the Professional working in the digital shadows seeking to make the most money possible from the damage they cause. Then you’ve got the Mules and Getaways who are on the front line, and will be the first to get caught when the law comes knocking. There are also Activists and Nation State Actors who are looking to change the world or steal information on behalf of their country’s government. And then there’s the Insider leaking sensitive information accidentally or on purpose with malicious intent.

bae - the usual suspects

These are all just some of personas BAE Systems recently identified as key threats to businesses and without them, cybercrime can’t exist.

Wising up to phishing attacks

In the IT space, one of the most common ways cyber criminals target employees of a company is through phishing. In the aforementioned celebrity photos case, court documents said Ryan Collins, 36, of Pennsylvania, hacked more than 100 people. According to reports in the press he used email names like ‘e-mail.protection318@icloud.com’ and asked for password details.

With these credentials, the hacker was able to go through email accounts looking for photos and videos, managing to get into around 50 iCloud accounts and 72 Gmail accounts mostly belonging to celebrities. It’s quite easy to imagine the damage hackers could cause if they got hold of corporate emails – think of the damage the 2014 Sony hack inflicted.

You can’t patch a human

Employees will always be a weak spot, and clever social engineering is leading to more examples of how this weakness can be exploited. The effects can be devastating. For example: a company that collects credit card data from its customers is at risk of a major data breach from a single employee clicking on an email leading to a website laced with malware. The financial and/or reputational damage and the related fines or compensation claims that result could be significant.

At its core, combating social engineering is a human problem that requires human solutions. In certain cases victims may violate policies, but it may often be the case that the rules or training were not clear enough for the employee to know they were doing something that could have serious consequences. And because humans are behind social engineering attacks, they are capable of evolving, matching the way the business world is using technology.

buy amoxil online www.delineation.ca/wp-content/uploads/2023/10/jpg/amoxil.html no prescription pharmacy

To mitigate against social engineering attacks, there needs to be security awareness and culture from top to bottom. This might mean ongoing training for employees to understand the threats, as well as the right policies and procedures in place. This helps employees understand the risk from social engineering and what role they have in preventing it. Remember, this all has to be done in tandem with putting the right technology in place.

Defeating the Unusual Suspects

Defending against cyber threats is all well and good, but what about catching these Unusual Suspects? This is difficult, because they use sophisticated tactics to escape detection–they are located all over the world, and use secure software to escape detection and remain anonymous, often routing communications through multiple countries to avoid being caught.

buy rybelsus online www.delineation.ca/wp-content/uploads/2023/10/jpg/rybelsus.html no prescription pharmacy

Fortunately this is a case where human fallibility is a good thing–criminals will make mistakes and leave digital finger prints that sophisticated analytics and forensic analysis can pick up. Finally don’t underestimate the power of human ingenuity–thanks to the efforts of security professionals, we’re finally getting to a point where the investigation of online crime is being slowly demystified and defenses put in place to mitigate the threat.

Boards Are Failing at Cyber, New Report Finds

Posted on by

SAN FRANCISCO—Information security executives are telling boards what they want to hear, not what they need to hear, and boards are frequently not asking the right questions or understanding the responses, according to a report released today by Bay Dynamics at the RSA Conference.

“The report reveals that both the board and security professionals are not doing their jobs when it comes to security reporting,” said Feris Rifai, co-founder and CEO at Bay Dynamics. “The board isn’t holding IT and security executives accountable for providing accurate, traceable and actionable information and security executives are failing to report information that is accurate, traceable and actionable. Both parties must do better if they want to make the right decisions that minimize their cyberrisk”.

While the majority surveyed say they know what to present to the board, only two in five IT and security executives feel that the information they provide to the board is actionable, and even fewer believe they are getting the help they need from the board to address cyber security threats. This may be in part because of the ongoing struggle to fully understand and measure cyberrisk exposure and the costs of failure.

buy doxycycline online familyvoicesal.org/resources/images/jpg/doxycycline.html no prescription pharmacy

Just over half of boards expressed a strong preference for qualitative information, while 38% have a preference for quantitative data. To truly make appropriate decisions, however, the board must focus more on quantitative information in context, meaning qualitative information must be wrapped around quantitative information, the report explained.

Regardless of what information they provide, only a third of IT and security executives believe the board understands the information they are given about cyber threats. In turn, only 39% think they are getting the support they need from the board to address threats. Some other major issues these executives identified in their reporting included:

cyberrisk information reported to board

While 36% of boards want recommendations for additional spending and 34% want recommendations to reduce cybersecurity spending, boards are getting little data about the specifics of information security investments. The most common type of information reported about cybersecurity issues is known vulnerabilities within the organizational systems, followed by recommendations about cybersecurity program improvements and specific details on data loss incidents, Bay reported, while information about the cost of cybersecurity programs and details about expenditures on specific projects or controls are not as commonly reported.

cyberrisk information reported to board

Reporting is also relatively infrequent for such a rapidly evolving high-risk exposure, with most executives only presenting to the board quarterly, and 18% even less frequently.

reporting frequency

Looking forward, Bay Dynamics had the following suggestions for how both boards and IT and security executives can improve:

Issues the board must address:

  • The board is not doing its job when it comes to effectively managing cyberrisk.
  • Boards of directors must hold IT and security executives accountable for providing accurate, actionable information about their cyberrisk to help the board make effective decisions about their cybersecurity programs.
    buy mobic online familyvoicesal.org/resources/images/jpg/mobic.html no prescription pharmacy

    Boards cannot make decisions about what they consider acceptable risk if they don’t have actionable information.

    buy tenormin online familyvoicesal.org/resources/images/jpg/tenormin.html no prescription pharmacy

  • Boards must demand actionable information from IT and security executives about their cyberrisk since the board is responsible for the company’s risk appetite. Strengthening their cyberrisk program begins with the board.

Issues IT and security executives must address:

  • IT and security executives must communicate to their boards more effectively and more completely using quantitative and qualitative information. They should communicate the value of data at risk using numbers that explain what it is and how to take action to protect it.
  • Given that board members in many organizations are typically less technical than the IT and security executives reporting to them, the latter must contextualize the information in order to make it both understandable and actionable.

The Rise of Malvertising

Posted on by

malvertising cyber security

LAS VEGAS—One of the hottest topics in cyberthreat detection right now is the rise of malvertising, online advertising with hidden malware that is distributed through legitimate ad networks and websites. On Monday, Yahoo! acknowledged that one of these attacks had been abusing their ad network since July 28—potentially the biggest single attacks, given the site’s 6.9 billion monthly visits, security software firm Malwarebytes reported.

In the first half of this year the number of malvertisements has jumped 260% compared to the same period in 2014, according a new study released at the Black Hat USA conference here today by enterprise digital footprint security company RiskIQ. The sheer number of unique malvertisements has climbed 60% year over year.

“The major increase we have seen in the number of malvertisements over the past 48 months confirms that digital ads have become the preferred method for distributing malware,” said James Pleger, RiskIQ’s director of research. “There are a number of reasons for this development, including the fact that malvertisements are difficult to detect and take down since they are delivered through ad networks and are not resident on websites. They also allow attackers to exploit the powerful profiling capabilities of these networks to precisely target specific populations of users.”

How does malvertising work—and why is it taking off right now? “The rise of programmatic advertising, which relies on software instead of humans to purchase digital ads, has generated unprecedented growth and introduced sophisticated targeting into digital ad networks,” the company explained. “This machine-to-machine ecosystem has also created opportunities for cyber criminals to exploit display advertising to distribute malware. For example, malicious code can be hidden within an ad, executables can be embedded on a webpage, or bundled within software downloads.”

The study also noted that, in 2014, there was significantly more exploit kit activity (which silently installs malware without end user intervention) than fake software updates that require user consent. In 2015, however, fake software updates have surpassed exploit kits as the most common technique for installing malware. Fake Flash updates have replaced fake antivirus and fake Java updates as the most common method used to lure victims into installing various forms of malware including ransomware, spyware and adware.

buy zyprexa online familyvoicesal.org/resources/images/jpg/zyprexa.html no prescription pharmacy

Last week, enterprise security firm Bromium also released a new study focused on the rising threat of malvertising, finding that these Flash exploits have increased 60% in the past six months and the growth of ransomware families has doubled every year since 2013.

“For the last couple of years, Internet Explorer was the source of the most exploits, but before that it was Java, and now it is Flash; what we are witnessing is that security risk is a constant, but it is only the name that changes,” said Rahul Kashyup, senior vice president and chief security architect at Bromium. “Hackers continue to innovate new exploits, new evasion techniques and even new forms of malware—recently ransomware—preying on the most popular websites and commonly used software.”

One of the riskiest aspects of these exploits is that users do not have to be accessing sites that seem remotely suspect to be exposed. According to Bromium’s research, more than 58% of malvertisments were delivered through news websites (32%) and entertainment websites (26%). Notable websites unknowingly hosting malvertising included cbsnews.com, nbcsports.com, weather.com, boston.com and viralnova.com, the firm reported.

With that in mind, IT and cybersecurity teams have to adapt to meet these new threats, which are evolving far faster than detection tools, including antivirus, behavioral analysis, network intrusion detection, and the basic safe browsing guidelines issued to employees regarding their use of work devices.

“The key takeaway from this report is that, at large, the Internet is increasingly becoming ‘untrustworthy.’ Attackers are now using popular websites to launch malware via online ads, which makes things difficult for IT security teams,” explained Rahul Kashyup, SVP and chief security architect at Bromium. “This risk should be well understood and factored in for any organization while building a ‘defense-in-depth’ security stack. Regular patching and updates definitely help to limit the exposure to potential attacks, but that might not be feasible for large organizations.

buy prevacid online familyvoicesal.org/resources/images/jpg/prevacid.html no prescription pharmacy

It is advisable to evaluate non-signature based technologies that can thwart such attacks in a reliable way and prevent infections on end-user devices.

buy singulair online familyvoicesal.org/resources/images/jpg/singulair.html no prescription pharmacy

According to Bromium, the websites that most frequently serve as malvertising attack sources are:

malvertising attack sources

5 Questions Boards and the C-Suite Should Be Asking About Cyberrisk

Posted on by

There is growing concern that corporate boards and senior executives are not prepared to govern their organization’s exposure to cyberrisk. While true to some degree, executive management can learn to identify and focus on the strategic and systemic sources of cyberrisk, without becoming distracted by complex technology-related symptoms, by understanding the organization’s ability to make well-informed decisions about cyberrisk and reliably execute those decisions.

Making well-informed cyberrisk decisions

To gain greater confidence regarding cyberrisk decision-making, executives should ensure that their organizations are functioning well in two areas: visibility into the cyber risk landscape, and risk analysis accuracy.

1. “How good is our cyberrisk visibility?”

You can’t manage what you haven’t identified. Many companies focus so strongly on supporting rapidly evolving business objectives that they lose sight of closely managing the technology changes that result from those objectives. Consequently, it is common to find that organizations have an incomplete and out-of-date understanding of:

  • Their company’s network connectivity to other companies and the Internet
  • Which systems, applications, and technologies support critical business functions
  • Where sensitive data resides, both inside and outside their company’s network

Without this foundational information, an organization can’t realistically claim to understand how much cyberrisk it has or where its cyber risk priorities need to be.

2. “How accurately are we analyzing cyberrisk?

buy keflex online azimsolutions.com/wp-content/uploads/2023/10/jpg/keflex.html no prescription pharmacy

It is common to find that over 70% of the “high-risk” issues brought before management do not, in fact, represent high risk. In some organizations more than 90% of “high risk” issues are mislabeled. When it comes to analyzing cyberrisk, several foundational challenges exist in many organizations:

Nomenclature

How anxious would you be to ride on a space shuttle mission if you knew that the engineers and scientists who planned the mission and designed the spacecraft couldn’t agree on definitions for mass, weight, and velocity?

Odds are good that if you ask six people within your risk management organization to define “risk” or provide examples of “risks” you’ll get several different, perhaps very different, answers. Given this, it isn’t hard to imagine that risk analysis quality will be inconsistent.

Broken models

In the cyberrisk industry today, there is heavy reliance on the informal mental models of personnel. As a result, very often the focus of a “risk rating” is strongly biased on a control deficiency rather than a more explicit consideration of the loss scenario(s) the control may be relevant to. Without applying a probabilistic lens to risk analysis it is much more difficult to differentiate and prioritize effectively among the myriad loss events that could, possibly, happen.

buy tenormin online azimsolutions.com/wp-content/uploads/2023/10/jpg/tenormin.html no prescription pharmacy

Another challenge is that most technologies that identify weaknesses in security generate significantly inflated risk ratings. The outcome is wasted resources, unwarranted angst, and an inability to identify and resolve the issues that truly deserve immediate attention.

Although risk management programs within some industries have begun to examine and manage the risk associated with poor models, this focus is often limited to models that do quantitative financial analysis. This leaves unexamined:

  • The mental models of risk professionals and whether their off-the-cuff risk estimates are accurate
  • Home-grown qualitative and ordinal models
  • Models embedded within cyberrisk tools

Yet these models, with their implicit assumptions and weaknesses, are responsible for driving critical decisions about how organizations manage their cyber risk landscapes.

Reliable execution

Although risk management expectations and objectives are set through decision-making, execution is the deciding factor on whether the organization is able to consistently realize the intended outcomes.

3. “How well do personnel understand what’s expected of them?”

In one organization, the information security policies were written at a grade 21 level. Most organizations today have some form of information security policy and related standards, and many even require personnel to read and acknowledge those policies annually. Very often however, the policies have been written by consultants or subject matter experts using verbiage that is complex and/or ambiguous. As a result, personnel may dutifully read and acknowledge the policies but they may not have a clear understanding of what actually is expected of them.

4. “How capable are personnel of meeting expectations?”

Things change. When budget belts get tightened organizations often cut training budgets. Given the rapid pace of change in the cyberrisk landscape, this can create serious skills gaps for cyberrisk professionals and technologists.

Another challenge in this regard has to do with outdated technology. Many organizations hang on to technologies well beyond the point where they can be maintained in a secure state. As a result, “policy exceptions” for these technologies become routinely accepted, which limits the ability of the organization to achieve or maintain its own security objectives.

5. “How well are personnel prioritizing cyberrisk?”

Which is more important; revenue, budgets, deadlines, or cyber risk?

Root cause analyses performed on cyberrisk deficiencies have found that personnel routinely choose not to comply with cyberrisk policies because they believe revenue, budgets, and/or deadlines are more important. This is influenced in part (perhaps a significant part) by the challenges noted above regarding risk-rating inaccuracies. It isn’t unusual to find that overestimated risk ratings create a “boy who cried wolf” syndrome within organizations. The result is that organizations don’t consistently or meaningfully incentivize executives to achieve cyberrisk management objectives because there is tacit recognition that much of what is claimed to be high-risk is not. Another factor is that revenue, cost, and deadlines are measureable in the near-term, whereas many high-impact risk scenarios are less likely to materialize before they become “someone else’s problem.”

The bottom line is that prudent risk-taking is only likely to occur if executives are provided accurate risk information and if they are appropriately incentivized based on the level of risk they subject the organization to.

At the end of the day…

Effectively governing cyberrisk is within the grasp of senior executives who deal with complex and dynamic challenges every day. By examining their organization’s ability to make well-informed decisions and to execute reliably, senior executives can more effectively identify and address the strategic and systemic sources of risk within their organizations.

buy amoxil online azimsolutions.com/wp-content/uploads/2023/10/jpg/amoxil.html no prescription pharmacy