The folks at Davos fear cyber-attacks as much as natural disasters
According to the latest Global Risks Report just brought out by the World Economic Forum, leaders fear cyber-attacks on par with economic, environmental and geopolitical concerns. I guess this means we have made it as an industry – watch out Hollywood!
The Global Risks Report 2018 covers more risks than ever, but focuses in particular on four key areas: environmental degradation, cybersecurity breaches, economic strains and geopolitical tensions. And in a new series called “Future Shocks” the report cautions against complacency and highlights the need to prepare for sudden and dramatic disruptions.
It is the first time that cyber-attacks per se have made the Forum’s top five global risks in terms of likelihood since 2014, with data fraud or theft also listed in fourth place this year.
What that shows, as outlined in the latest report, is just how much cyber-risks have intensified, particularly in 2017, both in their prevalence and disruptive potential. Notable examples were the WannaCry attack, which affected 300,000 computers across 150 countries, and NotPetya, which caused quarterly losses of $300m for a number of impacted businesses.
Speaking at the press conference, Margareta Drzeniek-Hanouz, head of economic progress, World Economic Forum, said that cyber-risks are affecting society and the economy in “new, broader ways,” impacting not just the corporate sector but also government infrastructures, the geopolitical sphere and society in general.
John Drzik, president, Global Risk and Digital at Marsh, added that, looking forward, the “scale and sophistication of attacks is going to grow” as the cyber-exposure of businesses increases with the proliferation of interconnected devices, widening the attack surface.
Therefore, there is a need for greater investment in cyber-risk management, he added, suggesting “we are still under resourced in the amount of effort put into trying to mitigate this risk.
“Cyber is at or above the scale of natural catastrophes [in terms of financial damage caused] and yet the comparative infrastructure is much smaller in scale.
“This is [also] an environment in which businesses could find a wide number of shocks,” and building resilience needs to be involved in any plans when exploring business opportunities.
Specifically, the report ranked cyberattacks third among the global threats most likely to happen in the next five years. This is important for CXOs to be aware of, as the executive summary noted that attacks against businesses have almost doubled in the past five years, and they are growing in complexity.
The financial impact of such attacks is also growing. NotPetya, for example, caused losses of $300 million per quarter for some companies, the report said. And some 64% of all malicious emails contained ransomware—a form of malware that demands monetary payment for a release of encrypted data.
According to the experts, you are right to fear cyber-attacks. A cyber-attack against a major cloud computing firm could cause as much financial damage as Hurricane Sandy or Hurricane Katrina, the World Economic Forum and risk manager Marsh have warned.
Increasing numbers of businesses and individuals rely on cloud services for their IT, trusting some of the world’s biggest technology companies to offer safe, good value services over the internet.
IoT device security is not just about the devices themselves
By the end of this year, there will be more than eight billion internet of things (IoT) devices connected worldwide, according to analysts Gartner – from electricity meters to smart fridges. While IoT device security is of course essential, the challenge of securing IoT is a task for everyone in the ecosystem.
Every manufacturer needs to step up and take ownership of securing their own devices. While that should go without saying, we have to state the obvious – with the plethora of connected devices joining the internet every day, there is currently no way to police this issue – and it will continue to hamper development of B2B IoT.
Beyond IoT device security, vendors and network operators need to be aware of what happens when their devices are compromised and commandeered into the massive botnets we have already begun to see.
Beaming, a UK B2B ISP, recently stated that the rise in the implementation of IoT devices is contributing to the rise in cyber-attacks. According to the business provider, attacks on remote devices increased three-fold during the last quarter of 2017, compared with the same period last year.
Beaming has found that 70% of attacks target connected devices such as building control systems and networked security cameras. Industry commentators have, for some time, been pointing out some of the flaws in IoT deployment: just last November, a survey from Cradlepoint demonstrated that companies weren’t taking IoT security weaknesses seriously.
Sonia Blizzard, managing director of Beaming, drew attention to the vulnerability of such systems. She said: “2017 was the worst year yet for cyber-attacks on British businesses, whose IT security systems are under constant pressure from hackers and malicious computer scripts seeking to exploit any vulnerability.
“With most attacks targeting relatively simple devices connected to the Internet of Things it is possible many companies are already infected and don’t know about it. Keeping anti-virus software up-to-date is a good first step, but it isn’t enough to combat the growing threat,” she said.
According to Tara Seals from Infosecurity magazine, bad bots are big – and getting bigger. There was a 37% increase in botnet command-and-control (C&C) listings in 2017, with the majority (68%) of them being hosted on servers run by threat actors.
According to the Spamhaus Botnet Threat Report 2017, the company’s malware division identified and issued Spamhaus Block List (SBL) listings for more than 9,500 botnet C&C servers on 1,122 different networks. In 2017, nearly every seventh SBL listing that Spamhaus issued was for a botnet controller.
Of course, not all botnets are bad bots; but Spamhaus’s Botnet Controller List (BCL), which exclusively lists IP addresses of botnet servers set up and operated by cybercriminals, saw listings increase by more than 40% in one year (and more than 90% since 2014). On average, Spamhaus is issuing between 600 and 700 BCL listings per month.
“Looking forward to 2018, there is no sign that the number of cyber threats will decrease,” Spamhaus noted in its report. “The big increase of IoT threats in 2017 is very likely to continue in 2018. We are sure that securing and protecting IoT devices will be a core topic in 2018.” This will likely correspond with an uptick in DDoS attacks.
“The latest 2017 threat report from Spamhaus shows a notable uptick in detected botnets, compared to 2016,” said Stephanie Weagle, vice president of marketing at DDoS specialist Corero Network Security, via email. “The increase is no surprise, given the recent trend of leveraging poorly secured IoT devices, and is only set to increase given the increasing sophistication with which devices are being compromised and recruited. Combined with new DDoS attack vectors and techniques, such as the recent appearance of so-called pulse-wave attacks, the risk of being hit by a damaging attack for those not properly protected is higher than ever.”
Bottom line – vendors need to start taking IoT device security much more seriously, and operators need to be able to identify and neutralize the impact of compromised IoT devices.
Almost a year ago, following a malware attack on a school in Los Angeles, an IT consulting firm recommended heeding a seven-day warning left by the perpetrators and sending a transfer of $28,000 in Bitcoins to avoid permanent loss of data.
The school duly paid and became another victim of a lucrative cybercrime known as ransomware.
So what exactly is ransomware and how does it work?
The Origin and Modus Operandi of Ransomware
Ransomware is malware which denies access to a user’s data and then attempts to extort money from them. The user is often given a time limit in which to pay before the data will be made permanently unavailable.
The first recognised example of a ransomware attack was in 1989. Using a trojan horse (malware hidden within another type of software), Joseph Popp installed a payload which hid users’ files on their hard drive, encrypted the file names and coerced some to make a payment of $189 to the ‘PC Cyborg Corporation’ in order to restore access.
In fact, the use of symmetric cryptography meant that a savvy user could find the decryption key in the trojan itself, but many people didn’t know this and paid the money. When Popp was found out, he donated the proceeds to fund AIDS research and the ransomware became known as either PC Cyborg or the AIDS Trojan.
In 1996, a pair of cryptographers from Columbia University, Adam Young and Moti Yung, highlighted the potential dangers of a similar attack. Sure enough, by 2005 various ransomware attacks were using the RSA cryptosystem with the attacker holding the private key necessary to unlock the encrypted data.
Ransom Comes in Many Forms
PC Cyborg demanded payment in ordinary US dollars but there are many other, less traceable, ways in which cybercriminals can extort payment.
One method, used by the distributors of the 2010 WinLock ransomware, forced victims to send a $10 SMS text to a special number. This tactic is thought to have netted them around $16 million.
Another Windows-based trojan attack, launched in 2011, conned people into making a long-distance phone call while the 2015 Fusob attack asked for iTunes vouchers!
The most popular form of ransom at the moment though seems to be electronic currency with many cybercriminals demanding payment be made in BitCoin. As a decentralised, largely unregulated currency, BitCoin is attractive. It is easy to move around and difficult to trace.
CryptoLocker: A Case Study
BitCoin was the ransom of choice for one of the most notorious ransomware attacks to date: CryptoLocker. Part of the Gameover Zeus botnet, CryptoLocker used a sophisticated encryption method to lock up the victim’s data. Only when a payment had been made would the criminals behind the attack send the private decryption key to restore access.
Although estimates vary wildly, CryptoLocker netted its distributors millions of dollars – perhaps tens of millions – mainly in BitCoins. Fortunately, the FBI eventually cracked Gameover Zeus, intercepted the gang’s database of victims and retrieved the private keys needed to restore the data.
Variations on Ransomware
An important point to note is that not all instances of apparent ransomware are necessarily what they seem to be.
Scareware is a type of malware which displays the kinds of messages used in a ransomware attack but without encrypting files. Some will try and frighten users into taking an action (e.g. clicking a button) which will then install real malware onto their system. A prominent window or screen graphic may prevent the user from navigating away although simply holding the power button until the device shuts down will normally be enough to avoid a problem.
Other ransomware attempts will disrupt the normal functioning of a device (e.g. by referring the Windows shell to itself) to give a false impression of a devastating attack. In reality, the malware may be relatively easy to remove.
As with other types of malware, the most common way ransomware ends up becoming installed on a device is through clicking a link or downloading a file from an unknown source (which may be disguised as a trusted source). The bigger the business, the higher the risk of human error creeping in.
Businesses of all sizes need to sharpen up on their security policies if they don’t want to become the next unwilling financiers of a sophisticated network of international cybercriminals.
Brent Whitfield is the CEO of DCG Technical Solutions Inc. DCG provides the specialist advice and Los Angeles IT security businesses need to remain competitive and productive, despite their often limited IT infrastructure expenditure. Brent has been featured in Fast Company, CNBC, Network Computing, Reuters, and Yahoo Business. DCG was recognized among the Top 10 Fastest Growing MSPs in North America by MSP mentor. Twitter @DCGCloud.
US clearly points the finger at North Korea – WannaCry and bitcoin fueling regime
According to the WP, the Trump administration on Monday evening publicly acknowledged that North Korea was behind the WannaCry computer worm that affected more than 230,000 computers in over 150 countries earlier this year. “The [WannaCry] attack was widespread and cost billions, and North Korea is directly responsible,” Thomas P. Bossert, Trump’s homeland security adviser, said in an op-ed published in the Wall Street Journal on Monday. “We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either.”
Is bitcoin fueling the rogue regime?
According to researchers, a series of recent cyber-attacks has netted North Korean hackers millions of dollars in virtual currencies like bitcoin, with more attacks expected as international sanctions drive the country to seek new sources of cash.
Analysts say the explosive growth in the value of bitcoin makes it and other “cryptocurrencies” an attractive target for North Korea, which has become increasingly isolated under international sanctions imposed over its nuclear weapons and missile programs.
Researchers in South Korea, which hosts some of the world’s busiest virtual currency exchanges and accounts for 15 to 25 percent of world bitcoin trading on any given day, say attacks this year on exchanges like Bithumb, Coinis, and Youbit have the digital fingerprints of hackers from North Korea.
Nearly $7 million of the cryptocurrency that went missing from electronic exchanges over several months was swiped using the same sort of malware used to hack Sony Pictures in 2014, according to a report in the Chosun Ilbo newspaper that cites South Korea’s National Intelligence Service.
The cyber-attacks also involved personal information lifted from 36,000 accounts in June from Bithumb, the world’s busiest electronic currency exchange, the newspaper reported.
Is bitcoin fueling North Korea’s nuclear weapons program? This question highlights the nexus point of cybercrime and cryptocurrencies. Bitcoin and friends, while undoubtedly an ingenious undertaking, have proven to be heaven-sent for cyber criminals.
Enterprise IT has by no means remained stagnant over the past 20 years. Two of the biggest shifts over the last couple of decades have been the rise of mobility and the move to the cloud. Smartphones and other mobile devices have put some serious computing power in the hands and pockets of folks out in the field, like sales agents and field service engineers.
The cloud has given us cheap, accessible anywhere, anytime storage and Software-as-a-Service (SaaS) has given employees direct and easy access to corporate applications. This evolution has been largely driven by the needs of businesses to be more agile, faster, and more responsive to their customers and employees alike.
As CIOs and IT teams embrace the realization that there will be more everything – more traffic, devices (IoT), locations, applications, and security requirements – this calls for a complete rethink of the WAN. The evolving business reality has propelled meaningful change, and leading companies are taking advantage of this progress, building compelling advantages in a connected world where agility, mobility, and security are now the rule.
Oddly enough, there is one piece of the puzzle that has tenaciously refused to evolve with the changing business needs – the Wide Area Network (WAN). If you are a 90s fan, you’ll be happy to know that the traditional corporate hub and spoke WAN of that era is still alive and well. Back in the day, when the Spice Girls and Boyz II Men dominated the airwaves, MPLS was the WAN service of choice. It was an age where there were a few remote locations that needed to be connected back to a central location, where everyone could get access to corporate applications and funnel information out to the Internet. Fast forward 20 years or so, and everyone has at least one mobile device, many corporate applications are in the cloud, and everyone demands direct Internet access.
While legacy MPLS services provided solid, reliable connectivity for the 90s, in today’s business environment they are often costly and rather inflexible, take time to deploy, and can introduce significant latency when businesses are using cloud applications. The good news is, there’s a great alternative, and like many of the other advancements, it’s software driven.
Introducing the software-defined wide area network (SD-WAN)
Bringing the WAN up to speed, so to speak, is critical for network engineers and architects, but fixing it in a way that addresses all the new challenges is crucial for CIOs and IT leaders as well. SD-WAN brings the principles of SDN to the WAN, addressing many of the complex challenges inherent in modernizing it.
SD-WAN is a new way to manage and optimize a WAN. SD-WAN was created to overcome the high bandwidth costs and the rigidity of MPLS services. It does that by incorporating Internet transports (such as Cable, DSL, Fiber, and 4G) into the WAN and forming a virtual overlay across all transports.
The SD-WAN measures the real-time transport quality (latency and packet loss) and uses Policy-based Routing (PbR) to route application-specific traffic over the most appropriate transport.
Secure, global SD-WAN, delivered as a service, provides the core benefits of SD-WAN while enabling secure direct Internet access, SLA-backed connectivity, and seamless extension of the WAN to cloud datacenters and mobile users.
SD-WAN in Action
As of March 2017, Gartner estimated there are over 3,000 SD-WAN deployments, including in more than 100,000 total branches. One leading vendor, Cato Networks, has documented a splendid example of how one business’ needs grew way beyond the capabilities of their MPLS network.
The case study centers on a Dutch company, Alewijnse, which designs, delivers, and integrates engineering electrical systems around the world for the maritime, industrial, and retail sectors. The Dutch company employs 1,000 people spread across 17 locations — 14 in Europe and 3 in the Asia Pacific — with about 800 mobile and field employees.
For decades, Alewijnse relied on MPLS as a principal part of its WAN. A fully meshed, MPLS network connected the company’s Amsterdam datacenter, nine sites in the Netherlands, and a branch office in Romania. Its predictability made MPLS essential for delivering the company’s high-definition video system, and remote desktops using Citrix and the Remote Desktop Protocol (RDP). Three other locations – the largest in Vietnam – established virtual private network (VPN) tunnels across direct Internet access (DIA) connections to the Amsterdam datacenter.
Increasingly, though, MPLS was not addressing Alewijnse’s business requirements. Users complained about poor Internet and cloud performance – and for good reason. Applications were starved for bandwidth, as they were backhauled across 10 Mbs MPLS connections to the Internet breakout in Alewijnse’s datacenter. Internet traffic was driving up MPLS costs. According to Willem-Jan Herckenrath, manager of ICT at Alewijnse, cloud applications and Internet usage accounted for about 50 percent of MPLS bandwidth to the datacenter.
In the initial phase, Herckenrath and his team connected the offices in the Netherlands, Romania, and Vietnam into Cato using high-quality, Internet last mile. In the final phase, Herckenrath connected the remaining offices to the Internet and the cloud SD-WAN.
Alewijnse is no longer dependent on MPLS services, plus they managed to reduce their monthly costs by 25% and received 10-times more bandwidth. Equally important, Alewijnse’s IT team has all the control, visibility, and flexibility they need to deliver mission-critical services and applications.
In addition, SD-WAN can eliminate other network appliances such as UTMs, Firewalls, and WAN optimization appliances simply by moving those services to the cloud too.
We are putting together all the cyber security predictions for the coming year
Yes, it’s that time of the year again, already! The who’s who of cyber are putting out their cyber security predictions for 2018 and we are collating them all for you. We will endeavor to update this entry as new predictions come to light; feel free to reach out if we are missing something.
What you need to worry about in 2018 – Cyber Security Predictions
In no particular order, here we go...
Cyber security predictions 2018 – Forrester
Governments will no longer be the sole providers of reliable, verified identities
The Equifax breach demonstrated that no single entity—including any government—can safeguard identity data and provide trusted and reliable identity verification for a large number of consumers, especially as customers increasingly engage with businesses through digital channels.
More IoT attacks will be motivated by financial gain than chaos
The Mirai botnet that hit in late 2016 demonstrated how hackers can use a botnet army of compromised IoT devices to launch a massive DDoS attack. IoT-based attacks will likely continue to grow in 2018.
Cybercriminals will use ransomware to shut down point of sale systems
Many merchants have updated their payment systems to use end-to-end encryption and prevent criminals from obtaining credit card data from point of sale (POS) systems. This has led criminals to turn to ransomware as a means of monetizing an attack, as opposed to stealing and selling data.
Cybercriminals will attempt to undermine the integrity of US 2018 midterm elections
The US has not addressed the systemic vulnerabilities that can be found in its voting systems, which depend on software to cast votes, count them, verify them, and report them, the report stated.
Firms too aggressively hunting insider threats will face lawsuits and GDPR fines
It’s become easier for firms to monitor employees and their activities as a means to thwart malicious insiders, employees making mistakes, or an attacker with compromised employee credentials. However, employees may find this to be an invasion of privacy. In September, the European Court of Human Rights ruled that companies must inform employees in advance if their work email accounts are going to be monitored.
More cyber security predictions from Forrester Here
Cyber security predictions 2018 – McAfee Labs
An adversarial machine learning “arms race” will develop between defenders and attackers.
Machine learning can process massive quantities of data and perform operations at great scale to detect and correct known vulnerabilities, suspicious behavior, and zero-day attacks. But adversaries will certainly employ machine learning themselves to support their attacks, learning from defensive responses, seeking to disrupt detection models, and exploiting newly discovered vulnerabilities faster than defenders can patch them.
Ransomware will pivot from traditional extortion to new targets, technologies, and objectives.
The profitability of traditional ransomware campaigns will continue to decline as vendor defenses, user education, and industry strategies improve to counter them. Attackers will adjust to target less traditional, more profitable ransomware targets, including high net-worth individuals, connected devices, and businesses.
Serverless apps will save time and reduce costs, but they will also increase attack surfaces for organizations implementing them.
Serverless apps are vulnerable to attacks exploiting privilege escalation and application dependencies. They are also vulnerable to attacks on data in transit across a network, and potentially to brute-force denial of service attacks, in which the serverless architecture fails to scale and incurs expensive service disruptions.
More cyber security predictions from McAfee Labs Here
Cyber security predictions 2018 – Gartner
Skills and organization for cybersecurity continue to change
With a zero percent unemployment rate, security skill sets are scarce. The industry needs and will continue to need new kinds of skills as cybersecurity evolves in areas such as data classes and data governance. It’s a problem that security experts have avoided, but the reality is that in the next three to five years, enterprises will generate more data than they ever have before.
Cloud security becomes a top priority for many
As the cloud environment reaches maturity, it’s becoming a security target and it will start having security problems. It’s possible cloud will fall victim to a tragedy of the commons wherein a shared cloud service becomes unstable and unsecure based on increased demands by companies. When it comes to cloud, security experts will need to decide who they can trust and who they can’t.
Shift your focus from protection and prevention
A dedicated, well-financed actor who is after something in your enterprise is going to get it, even if they use the weakest link–people–to do so. This means adapting your security setup to focus on detection, response, and remediation. That’s where the cybersecurity fight is today. In the future it will most likely move to prediction of what’s coming before anything happens.
Crime-as-a-service (CaaS) will expand available tools and services
2017 has seen a “huge increase in cybercrime, particularly crime-as-a-service.” The ISF predicts that process will continue in 2018, with criminal organizations further diversifying into new markets and commodifying their activities at a global level. Some organizations will have roots in existing criminal structures, the ISF says, while others will emerge that are focused solely on cybercrime.
The internet of things (IoT) will further add unmanaged risks
Organizations are increasingly adopting IoT devices, but most IoT devices are not secure by design. Additionally, the ISF warns there will be an increasing lack of transparency in the rapidly evolving IoT ecosystem, with vague terms and conditions that allow organizations to use personal data in ways customers did not intend. On the enterprise side, it will be problematic for organizations to know what information is leaving their networks or what data is being secretly captured and transmitted by devices like smartphones and smart TVs.
Regulation will add to the complexity of critical asset management.
Regulation adds complexity, and the sweeping European Union General Data Protection Regulation (GDPR) will come online in early 2018, adding another layer of complexity to critical asset management.
The ISF notes the additional resources required to address the obligations of GDPR are likely to increase compliance and data management costs, and to pull attention and investment away from other activities.
Uber hack affecting 57 million people quiet for more than a year!
Uber have had their share of worries of late, most of them of their own making. The hackers, the company told Bloomberg News, found the data on an Amazon cloud server used by the firm. To keep the Uber hack a secret, the company paid the hackers a ransom of $100,000.
“None of this should have happened, and I will not make excuses for it,” Uber’s chief executive, Dara Khosrowshahi, said in a statement acknowledging the breach and cover-up. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes.”
Hackers stole personal data including names, email addresses and phone numbers, as well as the names and driver’s license numbers of about 600,000 drivers in the United States. The company said more sensitive information, such as location data, credit card numbers, bank account numbers, social security numbers, and birth dates, had not been compromised.
The Uber hack is one of the larger breaches to have been disclosed, albeit late, by a major firm, but should you be worried?
The company’s failure to disclose the breach was “amateur hour”, said Chris Hoofnagle of the Berkeley Center for Law and Technology. “The only way one can have direct liability under security breach notification statutes is to not give notice. Thus, it makes little sense to cover up a breach.”
Under California state law, for example, companies are required to notify state residents of any breach of unencrypted personal information, and must inform the attorney general if more than 500 residents are affected by a single breach.
“The hack and the cover-up is typical Uber only caring about themselves,” said Robert Judge, an Uber driver in Pittsburgh, who said he had yet to receive any communication from the company. “I found out through the media. Uber doesn’t get out in front of things, they hide them.”
As part of the cyberattack, the names and driver license numbers of around 600,000 drivers were accessed, according to Uber. 57 million Uber users also had their information exposed, including names, emails, and mobile phone numbers, the company said in a blog post. Uber said other personal information, including trip details or credit card information, was not accessed.
According to Bloomberg, Uber’s then-CEO Travis Kalanick first learned of the incident in November 2016, when Uber was finalizing a settlement with the Federal Trade Commission for privacy violations. The company instead chose to pay the hackers $100,000 to delete the information and stay quiet about the incident, the report said.
As a result, Uber’s new CEO Dara Khosrowshahi has reportedly asked for the resignation of Uber’s Chief Security Officer, Joe Sullivan, and a lawyer who reported to him.
Malicious actors are targeting critical infrastructure
Just like global warming, this fact cannot be overcome by burying your head in the sand. Some rather malevolent groups out there are targeting critical infrastructure and we are not doing enough to prepare.
Two years on from the Ukrainian power grid hack, in which hackers got control of Ukraine’s power grid and plunged thousands of homes and establishments into darkness for hours, we are no more prepared today to tackle hacker groups targeting critical infrastructure.
The Ukrainian power grid is just one example of the rising number of critical facilities and industrial networks coming under attack across a wide range of industries. Many of these attacks are not specifically targeted at industrial networks, explains Galina Antova, CEO of OT security supplier Claroty. “The industrial networks have been affected by some of the ransomware attacks out there. They were not necessarily targeting the industrial networks, but ended up impacting the industrial networks nonetheless.”
WannaCry, a particularly virulent strain of ransomware—software that encrypts victims’ networks and holds them for ransom—caused widespread harm when it struck in May. Older networks—many of which are industrial networks—are particularly vulnerable to attack. Chocolate maker Mondelez International was one of several manufacturers reporting revenue lost to ransomware in 2017.
Part of what has made these attacks so effective is that cyber criminals now have access to more sophisticated tools than ever before, Antova says. “It’s the first time in history that non-nation-state actors have access to nation-state capabilities,” she says. Following an August 2016 attack on the U.S. National Security Agency (NSA), hackers have distributed tools developed by the spy agency through the digital underground. “Now you’ve got the ultimate weapon; you’ve got a nation-state weapon.”
FERC Proposes Updates to Critical Infrastructure Protection Standards for Cybersecurity
The Federal Energy Regulatory Commission (FERC) published a notice of proposed rulemaking (NPRM), suggesting updates to the Critical Infrastructure Protection (CIP) Reliability Standard governing cybersecurity management controls for bulk electric system (BES) assets, called CIP-003. The CIP program is a collection of standards designed to address the security of the bulk power system.
“Over the last decade NERC CIP regulations have helped propel cybersecurity programs for large scale power producers forward. The move to expand to low impact operators is therefore not a surprise, and should be welcomed,” Edgard Capdevielle, CEO at Nozomi Networks, commented.
“That said, it’s a common adage in the industry that regulations alone do not ensure cybersecurity, but what it does is ensure the issue is elevated which generates awareness amongst top management. In tandem, guidelines can also fuel the basics of a cybersecurity program and many power producers have used these regulations as a foundation for their own cybersecurity programs.
“In recent years we have seen grid security surge forward, perhaps in spite of regulation, as resilience is recognized as essential to all those operating the grid. Fortunately for power system operators of all sizes, new technology innovations are giving operators the tools to rapidly identify and mitigate cybersecurity threats to the systems that operate power generation and distribution.”
President Trump’s nominee to lead the Department of Homeland Security, Kirstjen Nielsen, testified Wednesday that cyberattacks are the greatest threat to U.S. national security, and would be the organization’s primary focus if she were confirmed to lead the department.
“Each aspect of the department’s mission is important and as has been mentioned, there are many,” Nielsen told the Senate Homeland Security Committee Wednesday morning. “I believe one of the most significant for our nation’s future is cybersecurity and the overall security and resilience of our nation’s critical infrastructure.”
Many countries are looking to take the lead from the US, but so far there has not been a coordinated response to state-sponsored or other actors targeting critical infrastructure. Maybe that is about to change?
Authorities are investigating a massive Malaysian data breach with personal information from at least 12 Malaysian mobile operators
Reuters reported today that Malaysia is investigating an alleged attempt to sell the data of more than 46 million mobile phone subscribers online. The massive Malaysian data breach appears to be one of the largest leaks of customer data in Asia.
Cybersecurity researchers said the leaked data was extensive enough to allow criminals to create fraudulent identities to make online purchases.
Justin Lie, CEO of Cashshield, a Singapore-based anti-fraud company, compared the Malaysian case in its “degree of complexity” to the cyber attack on U.S. credit-scoring agency Equifax Inc, which said in September that cyber criminals had stolen sensitive information from 145.5 million people.
Malaysian data breach – Stolen data
The scale of this is quite astonishing! The individual was trying to sell a huge amount of private customer information from at least 12 Malaysian mobile operators:
A huge amount of personal data was also stolen from Jobstreet.com and the:
Malaysian Medical Council
Malaysian Medical Association
Academy of Medicine Malaysia
Malaysian Housing Loan Applications
Malaysian Dental Association
National Specialist Register of Malaysia
This Malaysian data breach is truly gigantic in perspective. It is believed that the entire country – Malaysia has a population of 32 million – might have been affected by the breach, as well as foreigners who were on temporary pre-paid mobile phone numbers.
Under Malaysian law, service providers are required to keep customers’ personal data secure, so there will probably be legal repercussions.
Dr Mazlan Ismail, the chief operating officer of the MCMC, told the Malay Mail Online that it had met with all of the country’s telecommunications companies to work out how the data breach had occurred.
“This is to ensure that they understand what is happening now, especially when the police, through the Commercial Crime Investigation Department, visit them to investigate,” said Dr Ismail.
“Communications services cannot escape the security aspects, [service providers] must work together, and safety features are important to gain the trust of consumers.”
Equifax breach cost will go well into the hundreds of millions
While it’s too soon to tell what the ultimate Equifax breach cost will be, Wall Street has already rendered its initial verdict: $4 billion. That’s how much stock market value Equifax has lost since the credit bureau revealed last week that it was hacked, compromising the personal information of about 143 million people.
Since Friday morning, Equifax shares are down more than 20%, as investors brace for lawsuits, lost business, and increased regulations. “The breach compromises Equifax’s reputation as a trusted steward of consumer data, and will create a near-term business disruption,” said SunTrust analyst Andrew Jeffrey. And don’t forget the actual costs related to responding to the crisis and cleaning up the mess that Equifax faces. For instance, the credit bureau has already agreed to give every American access to its TrustedID Premier credit monitoring and identity theft protection free of charge for 12 months.
If you haven’t heard of Equifax’s recent data breach, you have not been paying attention. On September 7, 2017, Equifax, one of America’s three big credit reporting agencies, announced a data breach that compromised the Personally Identifiable Information (“PII”) of 143 million Americans, 200,000 credit card numbers, and the personal data of hundreds of thousands of Canadian and U.K. citizens. This article will not delve into the various instances of bungling, potential insider trading, potential fraud, and overall incompetence that have plagued Equifax during this debacle, or the specifics of the Equifax breach, as that has been well-documented elsewhere.
The main question that must be answered is: “How much will Equifax have to pay as a result of lawsuits (consumer & government), increased cybersecurity personnel, hardware, and software, and ongoing regulatory and monitoring costs?”
The price Equifax will pay for the black hat attack it revealed last week, which compromised the names, birth dates, Social Security numbers, addresses, and in some cases driver’s license numbers of 143 million US consumers, will be high. Although the exact figure won’t be known until after the dust has settled — perhaps a year or more down the road — a look at a recent study conducted by the independent research group Ponemon Institute for IBM indicates the company’s bottom line is in for quite a hit.
For 2017’s annual Cost of Data Breach Study, Ponemon interviewed 419 companies in 13 countries (63 of them in the US) that had experienced a breach in the previous year. Among those attacks, the biggest one resulted in 99,500 records compromised — orders of magnitude smaller than the Equifax breach.
The study found that in the US the average total cost of a data breach is $7.35 million, a 5 percent increase since last year. Globally, the number was $3.62 million, representing a 10 percent decrease. The difference largely has to do with a strong US dollar, according to Ponemon. Breaches taking place within the US also cost more on a per-record-compromised basis, with US firms paying $225 (a 2 percent increase over last year), and firms outside the US paying $141 (an 11.4 percent decrease).