Vircom provides on-premise and cloud email security solutions for SMBs, with archiving, secure encryption, phishing and spam protection, and more. Vircom’s commitment to security, innovative technology, and industry-leading service levels provides a complete solution designed to ease the burden of managing threats to your organization’s network and messaging infrastructure.
The FBI’s Internet Crime Complaint Center (IC3) has released its 2017 data, and it isn’t pretty. BEC and all forms of phishing caused plenty of damage, a record number of complaints were filed, and total reported losses were only slightly down from the previous year at just over $1.4 billion. The FBI’s data is worth reading: it informs and confirms much of what we know about the current threat landscape, and there is plenty more insight in this year’s report.
It is important to start with a caveat – this data is only based on voluntary reporting via IC3.gov, and is an incomplete representation when it comes to both national and global losses due to cyber attack and cyber crime. There’s no measure of how significantly cyber attacks – both successful and not – are under reported, nor of the indirect damages of the attacks. For example, Equifax’s data breach resulted in an estimated $600 million of costs alone. The damage caused by the biggest attacks of 2017 could easily add up to $1.4 billion. There are knock-on effects at play here that should make this FBI report even more concerning to both those in the security industry and to potential targets.
With that in mind here are some of the more interesting takeaways from this report.
Lower Average YoY Cost Per Complaint- But Big 5 Year Increase
IC3 received about 2,500 (~1%) more complaints in 2017 than in 2016, yet reported losses of $1.4 billion were down 2.2% from 2016. This seems low compared to most data we see, including some pessimistic forecasts of $9 billion in BEC damage in 2018. The $1.4 billion doesn’t appear to count damages beyond what complainants actually sent or paid to scammers. It’s also worth noting that while complaints were up roughly 15% in 2017 over 2013, losses were up over 80%. In 2013 the average reported loss was roughly $3,000; in 2017 it was roughly $4,700. That’s well above inflation.
Complaints and Losses as Reported to the IC3 (Image from IC3 Report)
Interestingly, two attack vectors are highlighted by the FBI. The first is the W-2 scam, in which highly confidential tax information is gleaned from payroll or other sources and then sold on black markets or used to file fake tax returns. The second is the real estate market, targeted because it contains the three key ingredients for a successful scam: 1) urgency, 2) often non-cyber-aware stakeholders and 3) large financial transactions.
Ransomware Gets All The Attention, But Not the Money.
Surprisingly, IC3 received a seemingly low 1,783 ransomware complaints in 2017, with losses of over $2.3 million (about $1,290 per complaint). WannaCry alone infected over 200,000 computers globally (granted, there would be one complaint per organization, not per computer). Estimates of the actual damage from WannaCry range from “hundreds of millions” to $4 billion. So it’s hard to make heads or tails of this one. We would have expected far more ransomware complaints, considering the attention it received in 2017.
Some ideas to explain this discrepancy would include:
The main goal of reporting is likely the recovery of funds rather than stopping criminals: someone is going to report a $43,000 BEC, but not bother with a $300 ransom. Interestingly, the WannaCry ransom was between $300 and $600, while the average reported IC3 ransomware loss was 2x-4x that. Small ransoms simply going unreported could explain part of the gap.
It is plausible that stronger ransomware protection is pushing savvier criminals toward higher-payoff attacks. Informed internet users are less likely to fall victim to ransomware because they will have protection in place. (Note: while informed users fall for socially engineered attacks at surprising rates, ransomware can be thwarted more easily with the right technology.)
The proliferation of ransomware as a service also inevitably results in lower-quality attacks that are easier to defend against.
The Elder Justice Initiative
We don’t focus on this area a lot, as we are mostly focused on the small to medium-sized business community, but reading this was a bit concerning: 49,523 complaints (16%) came from victims over the age of 60, with losses in excess of $342 million, over 24% of all losses reported. The Elder Justice Initiative, backed by Attorney General Sessions, aims to combat fraud against seniors. Hopefully initiatives like this will lead to improvements in next year’s numbers.
The 10 Year Age Bracket With the Highest Number of Victims? 30-39 Year Olds!
A bit surprising at first: 45,458 of the victims who filed a complaint were between 30 and 39. The count decreases with each older bracket until 60+, which registered 49,523 but covers a wider age range. A few things could explain this:
Reporting on behalf of businesses often falls to IT personnel, a group that skews younger.
Higher rates of internet usage in this group, especially in professional environments, mean that while the absolute number is higher, as a ratio of users it could be much smaller.
This age group is also more likely to know how and where to report this sort of fraud, or even to recognize that it has happened in the first place (which, considering the Elder Justice Initiative mentioned above, may be the most important factor).
But any surprise stops there. Average loss per complaint rises with age. So while 30-39 year olds had the most victims of any ten-year bracket, the 60+ group lost substantially more per complaint (roughly $6,900 on average).
2017 Victims by age group based on complaints and losses (Image from IC3 report)
Wrapping it up.
As an industry and an individual email security business, we focus our products and the content efforts of this blog on securing businesses. We want to see complaints and losses go down. It’s an interesting catch 22. There’s a greater appetite to spend when there’s a higher threat level, but investing when threat levels are low is the most dollar efficient way to spend. Remediation is so much more expensive than protection. If we see certain threat levels decreasing it means we are winning on that front. When we see the reported losses to the FBI decrease, it can be taken as a sign that we’re doing our job, but given the frequency of attacks and sophisticated scamming tactics we see daily, we know that there is more to the threats than this data shows. Bulk mail, Phishing URLs, Malicious Emails, Sophisticated Spam, Ransomware and many other vectors are still increasingly threatening users, and while technology like ours helps, training and educating users is the final frontier – after all, they are the real target of these attacks.
Warren Buffett has been among the world’s richest individuals for decades now. He’s so far ahead of the curve that it seems to bend because he says it will. Cyber security has been a concern to him for a long while now, and he seems to be using his public visibility to place more emphasis on finding solutions for the issues it presents. When he speaks, people listen and there’s hope that this will include the government.
In his most recent annual general meeting, he did not hesitate to say how underwriting the cyber insurance industry was a fool’s errand. “Cyber is in uncharted territory and it’s going to get a whole lot worse before it gets better”. His estimates were that there’s a 2% chance of a $400 billion “super cat event” happening per year. We aren’t talking your run-of-the-mill $300 ransomware or even $20,000 BEC attack. He’s referring to a catastrophic cyber incident.
The 2% per year chance that there will be a “Cyber Pearl Harbor” is frightening. “There’s a very material risk which did not exist 10 or 15 years ago and will be much more intense as the years go along,” he said. Further worrisome for the cyber security community in general, he’s been consistent on his views over the past 4 or so years. Last year he stated the biggest threat to humanity wasn’t nuclear or conventional WMDs – cyber was the number one problem.
Interestingly, Buffett launched a cyber insurance program back in 2015. Why is the Oracle of Omaha involved in an industry that he says no one understands? His justification was that while the underwriting is a fool’s errand, it is a necessary competitive position in the insurance industry, one of the biggest components of his holdings. He, one of the sharpest, most successful and influential business minds of all time, doesn’t want to be a leader in the business of insuring against a cyber attack. He instead wants to avoid being over-exposed to it as much as possible. He’s more comfortable predicting earthquakes. If that doesn’t put the magnitude (pun intended?) of cyber security risks into perspective, we don’t know what does.
But here’s what this really means to us. Cyber insurance might not be a good business for Warren because the odds of a “Black Swan” type catastrophic event are pretty high. In a nascent industry with only a recent track record against the latest threats, it can be easy for many to naively assume things will only gradually improve without more disruptive change taking hold. The application of machine learning to the massive amount of data generated in the cyber security industry is rapidly improving our ability to defend against the latest threats. The best insurance is in fact protection – along with proactive training of the users within your organization to help them root out the obvious threats and recognize the more subtle and difficult to detect social engineered threats.
How To Measure the Biggest Data Breaches of All Time?
It’s hard to come up with a definitive list of the biggest data breaches. Do we rank them by the size of the breach? Direct financial impact? Indirect social impact? Average cost per victim? Political impact? Notoriety? It is an exercise in futility to rank them all – the variety, nature and impacts of major attacks and breaches are all too different.
Instead, in no particular order, here are what we think are the biggest, most important, and noteworthy data breaches in history or at least since the dawn of the Age of Networks.
The DNC Emails
By: Fancy Bear (Russia, State Sponsored, Wikileaks…Others?) When: 2016 Data Impact: Tens of thousands of emails made public (DNC and Podesta leaks combined) Financial Impact: Undetermined Claim to Fame: Influenced the American elections
It started with a single phishing email, disguised as a password reset request, that John Podesta clicked on for his personal Gmail account (the DNC’s own systems were compromised through separate spear-phishing), but the repercussions likely altered the entire global geopolitical landscape for years and decades to come. The emails gave the public unlimited access to the party’s inner workings, a PR nightmare that reframed the election (and buried Trump’s “Locker Room Talk” video). Would Clinton have won the election if not for that click? It’s speculation, but in all likelihood we wouldn’t be discussing Mueller, blackmail, border walls, World War 3 and all the other headlines that have graced us for nearly two years now.
Yahoo!
By: Unattributed for the 2013 breach (in 2017 the FBI charged two FSB officers and two criminal hackers over a separate 2014 intrusion). Some suspected China. When: 2013 (reported 2016 and 2017) Data Impact: 3 billion accounts Financial Impact: $350 million Claim to Fame: Biggest known data breach
The biggest data breach on record. It was initially believed the breach exposed a mere 1 billion accounts; ten months later that number jumped to all of Yahoo!’s accounts, or 3 billion. That is a record unlikely ever to be beaten, since few single organizations hold databases anywhere near that size. The stolen data included names, email addresses, phone numbers, dates of birth, MD5-hashed passwords and, for some accounts, security questions and answers. It also cost Yahoo! a reported $350 million off its sale price to Verizon, making it one of the most expensive breaches on record as well (and that doesn’t include other costs: stock price decline, damages, legal fees, etc.).
Sony PlayStation Network
By: Unclear When: 2011 (2014) Data Impact: 77 million accounts affected Financial Impact: $171 million (+ $15M settlement in 2014) Claim to Fame: One of the biggest in records and financial impact to an individual company. And then they got hacked again a few years later.
Not to be confused with the 2014 attack on Sony Pictures attributed to North Korea in response to The Interview: in 2011 the PlayStation Network was breached and 77 million accounts were exposed, including names, addresses and many credit card numbers (the card data was encrypted, and no verified reports of fraud have been tied to it). Sony took the network offline for more than three weeks and waited roughly a week before telling users what had happened. While most users were merely inconvenienced, for Sony it was a nightmare that was repeated in 2014, when attackers linked to North Korea stole records and unreleased material from Sony Pictures in retaliation for The Interview. That second incident makes the 2011 attack all the more notable. Fool me once…
JPMorgan Chase
By: Gery Shalon, Joshua Samuel Aaron, and Ziv Orenstein When: 2014 Data Impact: 76 million households and 7 million small businesses Financial Impact: Unclear, post-fact investment of $250 million a year in security Claim to Fame: Biggest bank data breach on record
Banking institutions hold a special place in the security world. Financial institutions should be the fortresses; after all, they have our money. So when the likes of JPMorgan Chase reports that contact records for 76 million households, roughly two-thirds of US households, have been compromised, our confidence in these institutions should be shattered. The intrusion reportedly came through a neglected server that had not been upgraded to two-factor authentication. It appeared after the fact that the records had not been used directly to defraud the bank’s customers. But as is the case with many breaches, such data is often used to launch massive targeted phishing campaigns, for which the source of the data is hard to trace. It appears the criminals hoped to use the stolen data to launch their own brokerage, and they used it to feed a stock manipulation scheme that netted millions.
Equifax
By: Unknown/Possibly State-Sponsored When: 2017 Data Impact: 148 million consumer records Financial Impact: Over $600 million Claim to Fame: Likely the most expensive on record, also the largest breach of data that includes Social Security numbers
If your data was stolen and you were concerned about monitoring the impact, where would you turn? Credit reporting agencies. Now, what if they were hacked? That was the crazy scenario 2017 presented to us. In the most sensitive large-scale breach of personal information on record, Equifax exposed the records of 148 million consumers. The data included names, addresses, birth dates and Social Security numbers, along with 209,000 credit card numbers and dispute documents containing personal information of 182,000 more people. The attackers got in through an unpatched Apache Struts vulnerability (CVE-2017-5638) for which a fix had been available for months. This isn’t Yahoo! email addresses and passwords, but the keys to commit large-scale identity fraud. The full impact of this breach will never be known and will likely reverberate for decades to come.
Adult Friend Finder
By: Unclear When: 2016 Data Impact: 412 million records Financial Impact: Not reported Claim to Fame: The second hack in a year, a blackmail treasure trove, second only to Yahoo in scale
In 2015 Ashley Madison was rocked by a massive data breach of all of its 37 million users. It was devastating for users who were intent on committing adultery (two possible suicides have been linked to this hack). So it is all the more shocking that in 2016 the same thing happened to Adult Friend Finder, except ten times the size. Worse yet, they had already been breached in 2015, though on a smaller scale (a mere 4 million users’ sexual preferences, sigh). In 2016, 412 million records were taken: usernames, email addresses (including .gov and .mil domains) and passwords, which were stored in plaintext or as unsalted SHA-1 hashes and so were largely trivial to recover. While sexual preferences do not appear to be in the data, an email address alone could be enough to use for blackmail. Worse, the records included 16 million previously deleted accounts!
U.S. Office of Personnel Management (OPM)
By: Chinese nationals (suspected, though not proven to be state-sponsored) When: 2014-2015 Data Impact: 22.1 million records Financial Impact: Undetermined Claim to Fame: Richest data set for an attack of this scale
We’ve been using big numbers, 400 million, 3 billion, so 22 million might seem small. But the quality of the data varies between breaches. In Yahoo’s case, of the 3 billion addresses, how many belonged to active or unique users? For Adult Friend Finder, what percentage used primary email addresses? Equifax is much graver for that reason.
Though OPM was smaller than Equifax, the data that was breached was highly sensitive and valuable to attackers: it included SF-86 background investigation forms, which detail applicants’ finances, foreign contacts, mental health history and more, plus the fingerprints of 5.6 million people. J. David Cox, president of the American Federation of Government Employees, said this: “…The hackers are now in possession of all personnel data for every federal employee, every federal retiree, and up to one million former federal employees.” It was important enough to introduce a much stronger cyber security focus in the federal government. If this was state-sponsored, as is suspected, it was a major coup for the Chinese.
This is a sampling of the data breaches we’ve seen, most quite recent and all in the past decade. Often the most dangerous ones are the ones we don’t hear about. When a breach makes headlines you can take action, and the data may be too hot for many criminals to use; the bigger the attack, the more attention law enforcement pays, increasing the likelihood of catching the criminals and disrupting the flow of data. When a breach goes unreported, it can be very different. Even more frightening is how those we trust with our most sensitive data, and those who monitor it, such as credit agencies and the government, are themselves liable to be breached. And we haven’t even touched on healthcare data breaches here.
It would be nice to say things are improving, but from the look of breaches as they come out, it’s hard to say that there is an end in sight. Equifax is still very fresh. All of the largest breaches listed above happened in the last decade. Several on this list, as we are seeing, are getting repeatedly hacked and compromising their customers with near-impunity. We hope things are getting better, but if the past decade is any indication we have a long way to go.
We’ve been active in communicating around breaches within particular industries, breach requirements across the 50 states and the effects of GDPR on data retention, breach notification and email security. Now, with Australia’s breach notification requirements in effect, there’s another consideration to add to the fold.
As of February 22nd, 2018, the Notifiable Data Breaches (NDB) scheme is in effect. It requires agencies and organizations in Australia covered by the Privacy Act to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when personal information is involved in a data breach that is likely to result in “serious harm”, as soon as practicable after becoming aware of the breach.
As we’ve discussed in previous articles, harm standards can often be ambiguous. Australia implementing NDB as a standard at the national level means there is less ambiguity and room for interpretation about what constitutes a justifiable data breach notification. Data breach notifications aren’t necessarily required unless a standard of harm has been met, but often authorities don’t provide clear rules to follow that help determine what makes up serious harm to users, customers or consumers.
The Australian government has thus laid out a significant number of guidelines that permit a step-by-step understanding of what can be legally considered a “data breach” and how to determine whether that breach is likely to cause “serious harm” and thus justifies a notification.
Essentially, these guidelines will be familiar to anyone who deals with data breaches. Sensitive information justifies notification if malicious actors could plausibly obtain it and use it to harm or defraud the individual, OR use it to circumvent any related security technology or process.
According to Australia’s NDB scheme, the following kinds of information would be considered sensitive:
Information about an individual’s health;
Documents commonly used for identity fraud (including a Medicare card, driver’s license or passport details);
Any combination of types of personal information that allows more to be inferred about an individual than may already be known.
Generally speaking, the sensitivity of the victims’ information, the size of the breach, the circumstances of the breach, the length of time by which the information could be accessed and more, are all criteria used to determine whether a breach notification is required. This extends to the potential harm that may result from the breach, which could include but is not limited to:
Significant financial loss by the individual
Threats to an individual’s physical safety
Loss of business or employment opportunities
Humiliation, damage to reputation or relationships
Any form of bullying or marginalization
Beyond notification, organizations are expected to remediate any data losses while also providing for better protection thereafter, whether it is through data encryption, limited access or other means. Solutions like Secure Email Encryption can be critical in these circumstances, while general email protection can also provide more blanket coverage against the risks of a data breach and the subsequent drama of notification and remediation.
As we can see, Australia is joining an international group of nations implementing national data security policies (like the EU, Canada and others). It is likely only a matter of time before the US follows suit. There are important ramifications to these breach notification regulations. How do you think data protection may evolve to affect international business (no matter the size)?
Urgent requests for payment have always been effective on unsuspecting victims. With all the resources about individual professional lives and organizational structures available online (think: LinkedIn), it’s only become cheaper for the scammer to research their next victim and execute an attack.
Targeted Phishing scams are engineered to capitalize on 3 weak points to take advantage of victims:
Familiarity: By impersonating a vendor, partner, or colleague, (and even at the domain level) the cue acts as a shortcut, establishing less skepticism.
Inattention: Assuming the target makes dozens of decisions a day with possibly a hundred emails a day, the victim likely doesn’t have time to over-analyze every email.
Urgency: Making the payment or fulfilment an immediate need, requiring immediate and rapid action, creates an environment where the victim will act more rapidly and miss important cues.
The structure of email itself further enables phishing. Attackers can register lookalike domains, spoof the header From (the address the recipient sees, which SMTP does not verify on its own) and set a Reply-To that differs from the apparent sender, and these tricks are increasingly a headache for conventional email filters. That matters all the more when, depending on the study, anywhere from 10-25% of your colleagues will click a link in a malicious email.
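As an added example (not code from the original post), here is a small Python checker for the three header tricks just described: a display name that claims to be a known person, a Reply-To pointing at a different domain than the From, and a sender domain that imitates a trusted one through character substitution or a near-miss spelling. The trusted domains, the directory of known people and the sample messages are constructed for this example.

```python
"""Header heuristics for targeted phishing (added example, not from the
original post). Everything in TRUSTED_DOMAINS, KNOWN_PEOPLE and SAMPLES
is made up for illustration."""
import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}      # assumption
KNOWN_PEOPLE = {"jane doe": "jane.doe@example.com"}          # assumption

# Substitutions attackers use to build visually similar domain labels.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    d = domain.lower()
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def edit_distance(a, b):
    """Levenshtein distance, single-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None.
    Heuristic: confusable-normalised equality, one edit away, or a
    trusted name used as a prefix (example-billing.net, example.com.evil.net)."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted):
            return trusted
        if edit_distance(normalize(domain), normalize(trusted)) <= 1:
            return trusted
        if domain.startswith(trusted.split(".")[0] + "-") or domain.startswith(trusted + "."):
            return trusted
    return None


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of findings for one raw RFC 5322 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)

    # 1. Display name matches a known person but the address does not.
    expected = KNOWN_PEOPLE.get(name.strip().lower())
    if expected and expected != addr.lower():
        findings.append(f"display-name impersonation: '{name}' <{addr}>, expected <{expected}>")

    # 2. A trusted-looking address is embedded in the display name itself.
    if "@" in name and domain_of(name.strip("<> \"'")) in TRUSTED_DOMAINS and from_dom not in TRUSTED_DOMAINS:
        findings.append(f"address embedded in display name: {name!r}")

    # 3. Replies would go to a different domain than the one shown as sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To mismatch: From {from_dom}, Reply-To {domain_of(reply)}")

    # 4. The sender domain imitates a trusted one.
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"lookalike domain: {from_dom} resembles {target}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": b"From: Jane Doe <jane.doe@example.com>\r\nTo: bob@example.com\r\nSubject: Invoice\r\n\r\nHi\r\n",
    "lookalike": b"From: Jane Doe <jane.doe@exarnple.com>\r\nReply-To: jane.doe@exarnple.com\r\n"
                 b"Subject: Urgent wire\r\n\r\nPlease pay today.\r\n",
    "replyto": b"From: Accounts <ap@acme-supplier.com>\r\nReply-To: ap.acme@gmail-mail.net\r\n"
               b"Subject: Updated banking details\r\n\r\nSee attached.\r\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, analyze(raw))
```

None of these checks is a verdict on its own; a filter would score them alongside content and reputation signals. The point is that all three signals are visible in headers that conventional spam scoring largely ignores.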
The Inadequacy of Conventional Email Filtering
Most email filtering in use at the average small or medium-sized business doesn’t address these issues well enough to weed out malicious email. DMARC is growing in prominence, but it only tells a receiver whether a message genuinely came from the domain in the From header, and only for domains that publish a policy. It stops exact-domain spoofing; it does nothing against a thoroughly researched targeted attack sent from a lookalike domain the attacker owns, or from a legitimate account the attacker has taken over.
Worse, once attackers gain access to a compromised account within a whitelisted domain or organization, especially on Office 365 and other cloud services, the damage can be extensive, because every authentication check passes. A single compromised account can easily lead to the discovery of the accounts that authorize financial transactions. Changing wiring instructions is then a cinch.
A conventional spam filter looks to score emails and recognize waves of spam or malicious content. However with highly targeted phishing, given the often one-off nature of the email, it can be easier for scammers to breach conventional security. Top this off with malicious attachments and URLs that deliver malware, ransomware, zero-day exploits or simply fake invoices, and one can see how easy it is to catch a user in an unsuspecting state of mind.
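To make the DMARC point concrete, the following added example (not code from the original post) is a minimal DMARC evaluator with the RFC 7489 alignment rules and runs it over four constructed cases: an exact-domain spoof, a lookalike domain, a compromised account and a partner that never published a policy. The policy table stands in for the DNS lookup of `_dmarc.<domain>`, and the organizational-domain rule is the crude two-label version; both are assumptions for illustration.

```python
"""Minimal DMARC evaluation (added example, not from the original post).
DMARC_POLICIES replaces a DNS TXT lookup; the scenarios are constructed."""

# What each domain publishes at _dmarc.<domain> (assumption). Note that the
# attacker's lookalike domain publishes its own, perfectly valid, records.
DMARC_POLICIES = {
    "example.com": {"p": "reject", "adkim": "r", "aspf": "r"},
    "exarnple.com": {"p": "none", "adkim": "r", "aspf": "r"},
}


def organizational_domain(domain):
    """Last two labels. Production code must use the Public Suffix List
    (co.uk, com.au, ...) instead of this shortcut."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    an organizational-domain match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


def evaluate(from_domain, spf_domain, spf_result, dkim_domain, dkim_result):
    """Return (dmarc_result, action).

    spf_domain is the envelope sender (MAIL FROM) domain SPF was checked
    against; dkim_domain is the d= tag of a verified signature. action is
    what the receiver should do: 'none' (deliver), 'quarantine' or 'reject'.
    """
    policy = DMARC_POLICIES.get(from_domain.lower()) or DMARC_POLICIES.get(organizational_domain(from_domain))
    if policy is None:
        return "none", "none"            # nothing published: DMARC is silent
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, policy.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy.get("p", "none")


def scenarios():
    """Four constructed cases. Only the first is something DMARC catches."""
    return {
        # From: ceo@example.com sent from attacker infrastructure: SPF passes
        # for evil.net, but nothing aligns with example.com -> reject.
        "exact_domain_spoof": evaluate("example.com", "evil.net", "pass", "", "none"),
        # Attacker registers exarnple.com and sets up SPF/DKIM/DMARC for it:
        # everything aligns with the lookalike domain -> pass.
        "lookalike_domain": evaluate("exarnple.com", "exarnple.com", "pass", "exarnple.com", "pass"),
        # Attacker logs in to a compromised example.com mailbox and sends
        # through the real mail platform -> fully authenticated pass.
        "compromised_account": evaluate("example.com", "example.com", "pass", "example.com", "pass"),
        # Partner domain never published DMARC -> no verdict at all.
        "no_policy_published": evaluate("partner-vendor.net", "evil.net", "pass", "", "none"),
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name:22s} -> {verdict}")
```

Three of the four cases are delivered, which is exactly the gap the page describes: DMARC protects a domain from being forged, not a recipient from being deceived.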
Socially Engineered to Beat Your Conventional Security
Multi-factor authentication (MFA) has long been the industry’s failsafe, and out-of-band confirmation of a payment request (a phone call to the requester) is its equivalent in finance. However, scammers are learning to beat these checks, for example by supplying their own phone number in the request and “confirming” the transaction when called, or by making the call pre-emptively. If an employee is uninformed, this can be enough to secure confidence in the transaction. Awareness and training can dramatically reduce the effectiveness of many attack vectors, but given the realities of the workplace, a socially engineered attack may be too much for your average employee to recognize. The check that actually holds is confirming any change to payment details through a number already on file, never one supplied in the email itself.
Beyond Conventional Spam Filtering
The first consideration of a better spam filtering has to be one that addresses the evolution of attacks. Defending against attacks once they’ve been executed is the epitome of inadequacy. An effective spam filter recognizes threats in real time and prevents delivery. It uses machine learning to identify trends across billions of emails, and anything remotely suspicious is flagged before it gets to your servers.
It is not set-and-forget: IT specialists need to monitor email flows regularly to make sure the bad stays out, and that holds across the whole security stack. You need multi-layered security: attachment defense, URL defense, spam filtering and anti-virus, all packaged in a way that is intuitive to manage.
Find a solution that addresses the specific attacks that are projected to grow over the next few years, and please remind all your employees – if it’s too good to be true, it probably is!
As old as the open internet itself, ransomware made some notable headlines in 2017. WannaCry, NotPetya and Bad Rabbit all led the news cycle, and many companies were hit hard. As one of our leading trends to watch for 2018, we expect ransomware to make headlines again. The growth of cryptocurrencies, RaaS (ransomware as a service) and a continually growing underground economy could make for a perfect storm. That said, there are ways to protect yourself from ransomware and prevent it from becoming an issue.
Tips for Ransomware Protection:
Ensure you have the right software
You need cyber security software covering every potential entry point. This means email security with features like time-of-click URL protection, endpoint protection or at minimum anti-virus, a general web security suite and whatever else is relevant to your organization. Anti-virus alone can be insufficient for detecting a ransomware payload; signature-based detection often identifies the most advanced malware only after it is too late.
Cyber security starts with email security
A cyber security strategy without email protection leaves your network vulnerable. Spam protection is a must, but the volume of messages with malicious links that can pass traditional gateway scans is increasing, and more and more of these links lead to hosted malware (and ransomware) downloads. Your main consideration is to ensure that your email security not only filters spam but includes phishing protection as well as protection from malicious URLs and attachments.
Keep offline backups…verified
Backups should be made daily, or frequently enough that if a restore is ever needed no important data is lost. They should not be reachable from the production network: ransomware encrypts every share and drive the infected account can write to, so an always-mounted backup drive is just another victim. Keep at least one copy offline or on storage with immutable snapshots. Do regular backup checks: verify the integrity of your backups on a schedule and practise restoring from them, so that a corrupt or silently encrypted backup doesn’t give you a false sense of security.
Cloud backups of important documents
Along with offline backups, cloud storage such as Google Drive or OneDrive can be a failsafe for important documents. One caveat: their desktop sync clients will happily upload the encrypted versions over the originals, so make sure version history or file recovery is enabled and know how to roll files back. Ransomware works because users are scared of losing what’s on their device or network; with every failsafe added, even if ransomware makes it through, it doesn’t pose a threat to your users and key operations.
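The “verified” part of the backup advice above is the part most often skipped, so here is an added example (not code from the original post) of what it looks like in practice: a SHA-256 manifest is built when the backup is taken, and a later verification pass reports files that are missing, changed or newly added. Changed files whose contents now look like random bytes (Shannon entropy near 8 bits per byte) are flagged separately, because that is what a ransomware-encrypted file looks like. The directory tree and the simulated tampering in demo() are constructed for illustration.

```python
"""Backup manifest and verification (added example, not from the original
post). demo() builds a throwaway directory tree; nothing here is real data."""
import hashlib
import json
import math
import os
import tempfile

ENTROPY_THRESHOLD = 7.5  # bits per byte; text and office documents sit well below this


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def shannon_entropy(data):
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def build_manifest(root):
    """Map each file under root (relative path, '/' separators) to its hash and size."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = {"sha256": sha256_of(full), "size": os.path.getsize(full)}
    return manifest


def verify_backup(root, manifest):
    """Compare a backup tree against its manifest.

    Returns lists: ok, missing, changed, added, and suspicious (changed files
    whose content now looks encrypted)."""
    current = build_manifest(root)
    report = {"ok": [], "missing": [], "changed": [], "added": [], "suspicious": []}
    for rel, meta in manifest.items():
        if rel not in current:
            report["missing"].append(rel)
        elif current[rel]["sha256"] != meta["sha256"]:
            report["changed"].append(rel)
            with open(os.path.join(root, rel), "rb") as f:
                if shannon_entropy(f.read(1 << 20)) > ENTROPY_THRESHOLD:
                    report["suspicious"].append(rel)
        else:
            report["ok"].append(rel)
    report["added"] = sorted(set(current) - set(manifest))
    return report


def demo():
    """Constructed scenario: take a backup, then simulate ransomware touching it."""
    with tempfile.TemporaryDirectory() as root:
        docs = os.path.join(root, "docs")
        os.makedirs(docs)
        with open(os.path.join(docs, "contract.txt"), "w") as f:
            f.write("Contract terms: net 30, payable to ACME Supplier.\n" * 200)
        with open(os.path.join(docs, "notes.txt"), "w") as f:
            f.write("Meeting notes, quarter one.\n" * 100)
        # In a real deployment the manifest is stored away from the backup media.
        manifest_json = json.dumps(build_manifest(root), sort_keys=True)

        # Simulated attack: one file overwritten with random bytes (what an
        # encrypted file looks like), one deleted, and a ransom note dropped.
        with open(os.path.join(docs, "contract.txt"), "wb") as f:
            f.write(os.urandom(16384))
        os.remove(os.path.join(docs, "notes.txt"))
        with open(os.path.join(docs, "README_DECRYPT.txt"), "w") as f:
            f.write("Your files have been encrypted.\n")

        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the verification against the copy you intend to restore from, not against the live file server; a manifest that matches on the backup media is the only evidence that a restore will actually work.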
Test your systems periodically
Do periodical penetration testing to spot vulnerabilities – before someone else does the job for you. Have a look at this /r/sysadmin thread for a few good pointers on running a ransomware simulation and for tools you can use.
Limit user access
Provide users access only to the areas they need to do their job. This way, if ransomware does infect one segment, you can keep operating and restore from backup more easily. Segments can generally be defined by role requirements, or by the general cyber awareness of specific user groups (think of the usual difference between sales and IT support).
Handle email attachments with care
Ransomware operators love to deliver via email attachments. One easy step is to block executables (EXE, DMG and the like) delivered via email, but don’t stop at the file extension: attackers rename executables, hide them inside archives, or use macro-enabled Office documents and script files (JS, VBS, HTA) instead. Advanced attachment defense solutions can provide an additional layer of security with up-to-the-minute intelligence and protection.
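An added example (not code from the original post) of an attachment policy that goes beyond a plain extension block: it rejects known executable and script extensions (including the last extension of a double-extension name), identifies executables by their magic bytes regardless of what they are called, holds archives and legacy Office documents for deeper scanning, and allows the rest. The block lists and the sample message it scans are constructed for illustration.

```python
"""Inbound attachment policy (added example, not from the original post).
BLOCKED_EXTENSIONS, CONTAINER_EXTENSIONS and build_sample() are assumptions."""
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXTENSIONS = {
    "exe", "dll", "scr", "com", "pif", "bat", "cmd", "ps1", "vbs", "js",
    "jse", "wsf", "hta", "msi", "jar", "dmg", "app", "pkg", "iso", "lnk",
}
# Containers that must be unpacked (or blocked) before a decision is possible.
CONTAINER_EXTENSIONS = {"zip", "7z", "rar", "gz", "tar", "img"}

# Leading bytes that identify executable content whatever the filename says.
MAGIC = [
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
    (b"\xcf\xfa\xed\xfe", "Mach-O 64-bit executable"),
    (b"\xce\xfa\xed\xfe", "Mach-O 32-bit executable"),
    (b"\xd0\xcf\x11\xe0", "legacy OLE document (may carry VBA macros)"),
]


def extensions_of(filename):
    """All extensions of a name, last one last: 'invoice.pdf.exe' -> ['pdf', 'exe']."""
    parts = filename.lower().split(".")
    return parts[1:] if len(parts) > 1 else []


def classify_attachment(filename, data):
    """Return (verdict, reason); verdict is 'block', 'quarantine' or 'allow'."""
    exts = extensions_of(filename or "")
    final = exts[-1] if exts else ""
    if final in BLOCKED_EXTENSIONS:
        return "block", f"blocked extension .{final}"
    for magic, desc in MAGIC:
        if data.startswith(magic):
            if magic == b"\xd0\xcf\x11\xe0" and final in ("doc", "xls", "ppt"):
                return "quarantine", f"{desc}: hold .{final} for macro inspection"
            return "block", f"content is {desc} despite name {filename!r}"
    if final in CONTAINER_EXTENSIONS:
        return "quarantine", f"container .{final} must be unpacked and rescanned"
    return "allow", "no policy match"


def scan_message(raw):
    """Return [(filename, verdict, reason)] for every attachment of a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or ""
        verdict, reason = classify_attachment(name, data)
        results.append((name, verdict, reason))
    return results


def build_sample():
    """Constructed message with four attachments (not real traffic)."""
    m = EmailMessage()
    m["From"] = "accounts@acme-supplier.com"
    m["To"] = "ap@example.com"
    m["Subject"] = "Invoices attached"
    m.set_content("Please see the attached invoices.")
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60            # start of a PE file
    m.add_attachment(b"%PDF-1.4\n%fake\n", maintype="application", subtype="pdf", filename="invoice.pdf")
    m.add_attachment(pe_stub, maintype="application", subtype="octet-stream", filename="invoice.pdf.exe")
    m.add_attachment(pe_stub, maintype="application", subtype="pdf", filename="statement.pdf")
    m.add_attachment(b"PK\x03\x04" + b"\x00" * 20, maintype="application", subtype="zip", filename="docs.zip")
    return m.as_bytes()


if __name__ == "__main__":
    for name, verdict, reason in scan_message(build_sample()):
        print(f"{name:18s} {verdict:10s} {reason}")
```

The third attachment is the interesting one: a PE binary named `statement.pdf` passes an extension-only filter but not a magic-byte check. The quarantine verdicts are where a sandbox or macro scanner would take over.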
Enable malicious link protection
Whether in email or while browsing, URL defense is an important element of a complete ransomware prevention strategy, particularly since malicious URLs are an expanding delivery channel for ransomware (as mentioned above).
Focus on training and awareness
Above all, and we say this so often, a well-trained and aware workforce is the most important form of prevention. Strong password practices (and actually using them), being able to recognize a phishing email, not clicking through spam links, reporting and deleting emails with malicious attachments and recognizing spoofing are just a few good starting points. If one message hits home it should be: teach your teams to be skeptics.
The multi-layer approach
Neither a good anti-virus without email protection, nor the reverse, is as effective as the two combined. The more layers you have, the more dramatically the odds of ransomware taking hold decrease.
Do your browsers have ad-blockers?
Using an adblocker as a browser extension will prevent a big chunk of “malvertising” – a means often used as an entry for Ransomware.
Institute a software approval process
Make it impossible for a user to install any kind of software without validation that it does in fact fulfill your organization’s security requirements.
Have a BYOD policy
If a user can connect their own devices to a work network, the same stringent policies must be in place across all BYOD devices. The threats from mobile ransomware are growing, and people don’t look at their phones with the same skepticism as their computers.
If you aren’t going to pay…
According to most experts, paying a ransom is not advisable. The FBI, for example, “doesn’t support paying a ransom in response to a ransomware attack”. Payment doesn’t guarantee you’ll get your data back or that you won’t be a repeat victim, and some “ransomware” simply deletes data instead of encrypting it. Paying also, more broadly, funds further criminal activity. Free decryptors exist for some ransomware families, though not for all.
On the positive side, most infections are avoidable, and easily at that. The above list is quite comprehensive, but even focusing on a few of these points can go a long way toward ransomware prevention. There is a small part the end users need to do, primarily awareness and good passwords. On the IT side, patches, permissions and the right security technology are the fundamentals, with a business continuity plan in place for worst-case scenarios. These steps alone would stop many of the simpler ransomware attacks.
Addressing what happens once you’ve been a victim of hacking is not only more complicated, but also much more expensive. The costs aren’t just the ransom, but potential legal issues, data breach disclosures, press nightmare, loss of reputation, loss of productivity, overhauling IT strategies and system restoration.
Your best bet to protect yourself from ransomware? A little prevention goes a long way.
There aren’t many sites that tackle ransomware as well as No More Ransom.
A bunch of eye-opening ransomware stats compiled by Comparitech.
In October 2010, STOP.THINK.CONNECT. (STC) was launched by the Department of Homeland Security. This initiative aimed to promote simple steps that people can take to increase their safety and security online. The aim was to create a coalition of private companies, nonprofits and government, led by the National Cyber Security Alliance (NCSA) and the Anti-Phishing Working Group.
Today, Vircom is very proud to have joined the over 850 partners that are a part of the STC partner program. We are dedicated to improving cyber security through two primary means: 1) Our core and 2) content, resources and support that informs and educates every person that comes into contact with our products. We’ve been working to educate and improve the security status of organizations of all sizes for more than two decades. That STC provides a wide range of resources to develop extensive public awareness, along with possessing the authority to drive a positive discourse around cyber security, makes us excited to be a partner.
The STC is focused on 6 pillars:
Lock Down Your Login: We usually discuss login protection from the perspective of a strong password. STC takes it further, suggesting you protect your login by the strongest authentication tools available – this could be biometrics, security keys or a unique one-time code through an app on your mobile device. Strong usernames and passwords are a must but may not always be enough to protect key accounts like email and banking.
Keep a Clean Machine: Keep all software on internet-connected devices – including PCs, smartphones and tablets – up to date to reduce the risk of infection from malware. We would also add that you ensure you have the right protective technology in place.
Personal Information is Like Money. Value It. Protect It.: Information about you, such as purchase history or location, has value to cyber criminals. Be thoughtful about who gets that information, to whom you grant permissions, and how it’s collected and accessed by apps and websites. With the recent news coming out of Facebook, it’s as relevant as ever.
When in Doubt, Throw it Out: Cybercriminals often use links to try to steal your personal information, and links are increasingly becoming the tool of choice for phishing. Even if you know the source, if something looks suspicious, delete it. Email attachments are a common means of installing ransomware and are often used to launch a BEC attack.
Share With Care: Think before posting about yourself and others online. Consider what a post reveals, who might see it and how it could be perceived now and in the future. This isn’t only about the data, but the difficulty in scrubbing that painfully embarrassing picture from the internet.
Own Your Online Presence: Set the privacy and security settings on websites to your comfort level for information sharing. It’s OK to limit how and with whom you share Information (actually, it’s probably recommended – especially if you might be a prime target for the likes of BEC).
Nearly a decade since the STC was launched, there are still many frightening trends we are watching. Are people more aware today than a decade ago? It’s hard to say empirically, especially considering that 1) many more people (and businesses) have come online since then, and 2) the criminals are always trying to stay just ahead of the victims.
Spearing, Whaling, Angling, BEC, CEO Fraud – they’re all phishing by any other name. Phishing has evolved and so have the names to go with it. What isn’t really changing is that the attacks tend to play on human emotions and desires. Here are a few phishing examples and the motivations taken advantage of by “phishers” in getting people to click.
Wishful Thinking: The Prince Scam
Likely the original email scam, and one phishing example that has unfortunately become synonymous with Nigeria, the Prince scam (or 419 scam) casts a wide net with the aim of luring in the one unsuspecting, lonely and perhaps gambling email user. The wishful thinker gullibly follows along and sends a down payment in order to free up a supposedly much larger sum.
Lonely Man: The Sexy Subject Line
Preying on human tendencies, “A beautiful woman wants to talk to you” is often enough to get a victim’s attention. Opening the email may be harmless, but things go wrong as soon as anything in it is clicked. Spyware, ransomware, data theft… you name it, it’s possible here.
Fear of Bureaucracy: The Tax Scam
The tax scam continues to grow in popularity with scammers, as the payoffs are huge. There are different forms of the scam. There’s the large-scale, non-targeted attack, often requesting that users update their information in one way or another (often to receive their refunds). There’s a more sinister one though, such as the W-2 scam, which allows criminals to gain huge volumes of rich employee data in one fell swoop. 870 organizations reported receiving a W-2 phishing email, 200 of which lost data to this scam. The fear and dread of bureaucracy can cause us to panic.
Urgent Action: The PayPal Scams
Many scams use the urgent-action strategy to get users to hand over highly confidential information. Often using spoofing or look-alike domains, the email will be formatted the way you would expect, and the differences, specifically the sender and reply-to domains, will be only ever so slightly different. The urgent-action PayPal scam will say something like “until you do (blank) your account will be suspended”. With urgency, as in many scams, the victim feels pressure to act and does not stop to consider whether the email is legitimate. And with PayPal, we are talking about easy access to money for the scammer.
Routine Action: The Gmail (or other) Password Reset
Who can forget the Fancy Bear DNC attack? It’s no stretch to say it altered the course of history – ok, short-term history. Using a similar spoofing strategy to the PayPal scam, it ironically tells you that, because a malicious attempt to access your account appears to have been made, you need to reset your password. The rest, as we say, is history.
Unfamiliar User Interface: The Netflix Phish
A slightly different take on the previous templates, it’s probably most effective because of brand trust, but also because it is unassuming. Most of our experience with Netflix administration is set-and-forget: we get a bill every month but rarely need to log in. Having no extensive relationship with it, we are less likely to spot irregularities (call it the “Blink” factor) and less likely to think critically when the email asks us to log in to reset our password or billing info. Once we’ve passed that stage of the phish and the phisher has a foot in the door, getting more information, such as updated credit card details, unfortunately meets little resistance.
A truly frightening example of a phishing scam, the Business Email Compromise (BEC, or CEO Fraud) takes advantage of a high-pressure, fast-paced work environment combined with our trust in authority. The scam requests immediate action and appears to come from someone with the authority to request it, such as a supplier, lawyer, manager or CEO. Given the routine nature of these requests in many businesses, it is often given only a cursory glance. It is often backed up with phone calls and advanced social engineering strategies.
“Who Would’ve Thought”: The Invoice as a Malicious Attachment
A phishing attack delivered through an attachment? Most people aren’t aware that this should be a concern, but it’s all too easy. Once the file is downloaded, malicious code can be installed on your computer and collect all kinds of sensitive information. It can install a zero-day exploit, a keylogger or all kinds of other sinister threats.
Playing on Desperation: The “Find My iPhone” Trick
Besides the still all too common belief that Apple products don’t get viruses, this one is interesting because it takes advantage of people in a vulnerable state. The scenario (with many similar variations) is essentially that, in a desperate search to recover your iPhone, you try any website that promises to deliver. The same applies to recovering deleted files, or to most under-researched downloads from non-secure sites.
Here is a 7 item quick list to spot a phishing email:
It isn’t an email in a template or format you’ve received before
It requests an action you’ve never done before
It asks for confidential information (no legitimate company would do that in an email).
The domain looks like an official domain, but has a weird modifier.
It doesn’t have the brand name in the email address.
Spelling mistakes are a sure giveaway (scammers might not have English as a first language, and rarely will have proofreaders!)
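The sender-side items on the list above (a look-alike domain with a weird modifier, a brand name missing from the sender address) and the mismatched sender and reply-to domains noted in the PayPal example can be checked mechanically before a message ever reaches a user. The following Python is an added example written for this article, not a Vircom tool. The brand table and the three sample messages are constructed; the suspicious domains use the reserved .example TLD, and the only real domains named are the brands’ own.

```python
# Added example (not Vircom's code): mechanical checks for the sender-side
# phishing indicators listed above, run over constructed sample messages.
from email import message_from_string
from email.utils import parseaddr

# Constructed brand table: brand name -> domains it legitimately sends from.
# A real deployment would maintain this list per organisation.
KNOWN_BRANDS = {
    "paypal": {"paypal.com"},
    "netflix": {"netflix.com"},
}


def address_domain(header_value):
    """Lowercase domain part of an address header, '' if the header is absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def check_message(raw_message):
    """Return the list of indicators found in one RFC 5322 message.

    Indicators:
      reply_to_mismatch                  Reply-To domain differs from the From domain
      lookalike_domain:<brand>           the brand name appears in the sender domain,
                                         but that domain is not one the brand uses
      brand_missing_from_address:<brand> the message presents itself as the brand
                                         (display name or subject) but the sender
                                         domain does not mention the brand at all
    """
    msg = message_from_string(raw_message)
    from_domain = address_domain(msg.get("From"))
    reply_domain = address_domain(msg.get("Reply-To"))
    display_name, _ = parseaddr(msg.get("From") or "")
    presented_as = (display_name + " " + (msg.get("Subject") or "")).lower()

    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append("reply_to_mismatch")

    for brand, legit_domains in KNOWN_BRANDS.items():
        if brand not in presented_as:
            continue  # the message does not claim to be this brand
        if from_domain in legit_domains:
            continue  # sender domain is one the brand really uses
        if brand in from_domain:
            findings.append(f"lookalike_domain:{brand}")
        else:
            findings.append(f"brand_missing_from_address:{brand}")
    return findings


# Constructed sample messages; the suspicious domains use the reserved
# .example TLD so they cannot collide with anything real.
SAMPLE_MESSAGES = {
    "lookalike_paypal": (
        'From: "PayPal Service" <service@paypal-secure-login.example>\n'
        "Reply-To: billing@paypa1-support.example\n"
        "Subject: Urgent: your account will be suspended\n"
        "\n"
        "Until you confirm your details your account will be suspended.\n"
    ),
    "genuine_paypal": (
        'From: "PayPal" <service@paypal.com>\n'
        "Subject: Your receipt\n"
        "\n"
        "Thanks for your payment.\n"
    ),
    "unbranded_netflix": (
        'From: "Netflix Billing" <no-reply@mailer-updates.example>\n'
        "Subject: Update your payment information\n"
        "\n"
        "Please log in to update your billing details.\n"
    ),
}


def scan_samples():
    """Run check_message over every constructed sample; returns name -> findings."""
    return {name: check_message(raw) for name, raw in SAMPLE_MESSAGES.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name:18} {findings or 'no indicators'}")
```

The checks are deliberately simple string tests so the logic stays readable; they are a triage aid for the items on the list, not a replacement for SPF/DKIM/DMARC validation or a full mail filter, and the brand table has to be curated (a legitimate third-party mailer the brand uses would otherwise be flagged).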
On March 1st 2018, Alabama became the last state to require that businesses notify their customers when their data has been breached (within 45 days of its occurrence). Only a few days before that, South Dakota’s State Senate made it second-to-last in passing Bill No. 62, unanimously requiring breach notifications to customers and the attorney general’s office (also within 45 days).
While the establishment of data breach notification laws and their ratification across the United States has come through a long and winding road, now that it is nearly complete (South Dakota’s bill has not yet been signed into law), the landscape of differing data breach requirements across the country is complicated and fragmented. While the US government has not required federal data breach disclosures across all businesses and industries to the level of GDPR for organizations operating in the EU, the state-by-state disclosure requirements still carry broad implications for US businesses. At the very least, all states have breach notification laws to be aware of.
Here are a few of those requirements and how they vary from state to state.
The Information Covered by Breach Notification Law:
For an incident to be considered a data breach, all states require the incident to include the loss of, at minimum, a first name or first initial and last name, along with any of:
A Social Security number,
A driver’s license number
A state issued ID,
Private banking related information.
Personal information would not include what would be generally considered publicly available. These are the very basics. On a state-by-state level, information such as passwords with login names, taxpayer ID numbers, medical information, passport numbers, biometric data and others can all be enough to require data breach notifications. Those are further elaborated in the helpful data breach chart produced by Baker Law.
Notice Requirement to Attorney General or State Agencies:
It is important to read a state-by-state description of process. In many states, notifying the Attorney General is required before reaching out to affected users.
Was Harm Done:
If, after an analysis of the impact of the breach, it is determined that no harm was done, most states don’t require notification. The Harm Standard is a tricky one, and the onus is on the breached company to prove that the data breach will not result in harm to those affected. Still, in several states, like California and Texas, companies are required to notify affected parties. Note that it is also unclear if you are required to notify the regulatory body or attorney general before or after conducting the analysis.
Length in Reporting to Customers or Regulatory Bodies:
Across the board, reporting is required in the most expedient time possible. Public agencies in Idaho have 24 hours to inform the Attorney General on becoming aware of a breach. Otherwise, reporting deadlines for regulators appear to be similar to those for customers. In terms of maximums for notifying those impacted, the range is generally between 30 and 90 days, with a median of around 45, for the states that set a maximum at all. Otherwise, the default is expediency and no unreasonable delay. These laws also generally include a disclaimer that they must be consistent with law enforcement needs (for example, reporting to customers can or should be delayed where it would impact an ongoing investigation).
Customer Notice Format:
Generally, variable forms of written, telephone or email notifications are required to customers often with eSign in digital cases, for authenticity. Some states, such as New York, require tangible physical notice unless the customer has elected to receive the notice electronically (with records being kept). If by telephone, some states require proof that the customer was contacted successfully.
Other Interesting State by State Differences Include:
It seems roughly 20 states will allow for private legal action if data breach notification rules are violated. These range from a maximum of $5000 in damages in North Carolina to Oregon, where the state can act rather than private civil action being taken.
From what we gather, if your customer records are encrypted (and the hacker did not obtain a key) you are protected from these data breach notification regulations. In California, Delaware and Iowa, among others, there’s an added stipulation that if it’s possible the key has been obtained, the safe harbor no longer applies.
How you inform regulatory bodies can vary on a state-by-state basis, ranging from mail to online forms to even a fax. The information requested varies as well.
It can be confusing to say the least, and the last thing a company wants to deal with is a liability risk of this size, but addressing data breaches promptly is the first step to rectifying any damage they can cause. It may also give some respite from any legal nightmares, in which 40 states (and a couple territories) have their own unique protocols.
The point of all this, however, is not to give legal advice – we are not lawyers after all. First and foremost, the above should make the heavy cost of a data breach clear, well beyond the notification requirements a breach entails. While the lead source for data breaches is usually either human error or email or… both at once, preventive measures should be taken to hedge against this risk.
The second point is that a more comprehensive approach to regulating not only data breach disclosure but also cyber security measures and responses across the board (even at the federal level) would streamline enforcement and perhaps reduce the confusion or misreporting faced by the likes of Equifax and Uber. With GDPR coming into effect across the EU, and Canada likely adopting PIPEDA in the Spring of 2018, the US is rapidly falling behind on this front.
Until more comprehensive federal policies are introduced, your best bet is to implement a stronger awareness and training program, make sure you are using leading email and cyber security technology, encrypting data in transmission and, if all else may fail, keep a good lawyer on retainer.
Disclaimer: We are not lawyers nor legal experts, any and all information contained in this post should not be taken as legal advice – please consult with a lawyer regarding any legal matters pertaining to data breaches or other issues.
Fair warning – this post will be an attempt at bringing together a few funny tech jokes, one-liners, zingers, gifs and an e-card. Some are old. Some might even offend you. Hopefully one of them makes you laugh.
In the beginning…
Ok, trivia time. Did you know that the first computer dates back to Adam and Eve? It was an Apple with limited memory.
Just one byte.
And then everything crashed.
Well actually, IT people predate Adam and Eve. Perhaps some of these tech jokes do as well.
While there is not a lot of evidence that IT people predate them, there is this irrefutable anecdote about a doctor, a civil engineer and a programmer who are discussing whose profession is the oldest.
“Surely medicine is the oldest profession,” says the doctor, “God took a rib from Adam and created Eve. This clearly means surgery and medicine were involved”
The civil engineer breaks in: “But before that He built the heavens and the earth from chaos. Now that’s civil engineering to me if I’ve ever heard it.”
The programmer thinks a bit and then says: “And who do you think created chaos?”
Not Very Long Afterwards…
Things were pretty bad in the tech world for a while. There was fire to discover, wheels to be turned, energy drinks to be brewed and Windows to deal with. There was this one time nearly 6000 or so years after Adam and Eve, where Bill Gates is having a drink with the CEO of GM.
“If automotive technology had kept pace with computer technology over the past few decades,” boasts Gates, “you would now be driving a V-32 at 10,000 miles per hour. There would also be cars that weigh 30 pounds and get 1000 miles to a gallon of gas. The sticker price of a new car would also be under $50.”
“Sure,” says the GM CEO. “But would you really want to drive a car that crashes 4 times a day?”
To Ensure Chaos
Besides Gates and his crashing Windows, these things called passwords were created. Oh so many. Passwords are perhaps the worst joke of all.
But still better than your colleague using “incorrect” as a password… just because he gets reminded every time he gets it wrong: “Your password is incorrect”.
Besides Password Help, What Else Do We Do?
Nothing quite sums up the work we IT admins do now as much as this:
Or Maybe this (especially the finance people)
<generic lightbulb jokes>
Q: How many programmers does it take to change a light bulb?
A: None, that’s a hardware problem.
Q: How many prolog programmers does it take to change a light bulb?
Q: How many Microsoft programmers does it take to change a light bulb?
A: None, they declare darkness to be the new standard.
</generic lightbulb jokes>
No One Would Argue We Aren’t Curious
Like the computer programmer who was crossing a road one day when a frog called out to him and said, “If you kiss me, I’ll turn into a beautiful princess.”
He bent over, picked up the frog, and put it in his pocket.
The frog spoke up again and said, “If you kiss me and turn me back into a beautiful princess, I will tell everyone how smart and brave you are and how you are my hero.” The man took the frog out of his pocket, smiled at it, and returned it to his pocket.
The frog spoke up again and said, “If you kiss me and turn me back into a beautiful princess, I will be your loving companion for an entire week.”
The man took the frog out of his pocket, smiled at it, and returned it to his pocket.
The frog then cried out, “If you kiss me and turn me back into a princess, I’ll stay with you for a year and do ANYTHING you want.”
Again the man took the frog out, smiled at it, and put it back into his pocket.
Finally, the frog asked, “What is the matter? I’ve told you I’m a beautiful princess, that I’ll stay with you for a year and do anything you want. Why won’t you kiss me?”
The man said, “Look, I’m a computer programmer. I don’t have time for a girlfriend, but a talking frog is cool.”