Cyber Reality Check (Part 2): Why We Are Our Own Worst Enemy

7 Jun

We are too often self-defeating when it comes to cyber security. In part one of this series, we took a hard look at how a lack of ownership and accountability lowers our defenses and increases our risks. In part 2, we take a look at our communications breakdowns, our unwillingness to share, and underestimation of human behavioral change. 


We don’t realize the core dynamic has changed

Cyber puts us all on the digital front lines. Everyone, every system, and every device is vulnerable. This disrupts the traditional market dynamics of customers, vendor/supplier, and competitors. Long established expectations, tensions, and transactions that created the rules of engagement are being disrupted.

Tried and true business axioms, such as “the customer is always right” and “the first to market wins,” have shaped how we innovate, communicate, and operate. Cyber security is changing all of that. Cyber attackers are the new player in the market, and they are going after everyone. They exploit our traditional dynamics. Have you ever received a phishing email from someone pretending to be from your bank? The cyber attacker is capitalizing on your trusted relationship. Companies are so busy trying to rush to market that they regularly skip basic cyber security steps. Cyber threats depend on that for their attacks. They hope we don’t share cyber security information or collaborate. They count on that confusion and lag in response time to launch their exploits – more on this later.

The biggest problem is that we don’t realize there is a new dynamic. In the old dynamic, the customer is king, and those who don’t understand that are quickly replaced by those who do. So, when it comes to cyber security, customers naturally have expectations that their vendors/suppliers are fully responsible for protecting them. This is both unrealistic and impractical. The dynamic has shifted from provider-to-consumer to provider-and-consumer vs cyber attackers.

The new cyber world order relies on a much more collaborative relationship between vendors/suppliers and customers. Whether the customer is an individual consumer, or a small, medium, or large enterprise, the dynamic needs to be redrawn. Once a customer purchases a device, service, or even a component, they are accepting responsibility for its cyber security. The provider simply does not have the visibility or control to ensure strong cyber security. This means that it is incumbent on the customer to understand and use cyber security best practices. When a cyber event does occur, the providers and customers need to know how to effectively communicate and collaborate to remediate the incident.…

Ransomware’s Real Danger Is Its Business Model – And That’s A Game Changer

25 May

Ransomware has brought the point-of-payment to the point-of-attack. That might not sound like much, but it could reshape the threat environment.

If you stop looking at ransomware through a technology lens, and look at it through a market lens, you’ll begin to see the real innovation, and danger, behind it. It’s not about the data, or the encryption methods, or any of the tactics, techniques, and processes that ransomware uses. Ransomware’s big breakthrough is the fundamental shift in how cyber attackers get paid.

The traditional monetization model involves multiple steps of infiltrating your system, stealing your data, going to the black market, and selling it. The ransomware model makes the process much more efficient. With ransomware, the victim is paying for all those other steps not to happen. It’s not only a faster, much more efficient way to get paid, it’s also more profitable.

Dark web markets act like most markets and eventually end up normalizing prices. Someone comes in cheaper, the market resets at a lower price point, and prices are driven down. Cyber victims, however, do not communicate or collude. What one victim will pay might be very different from what another will pay. This market ambiguity favors the exploiter, and they will get the most they can out of every victim. This is why in real ransom cases, the ones where they kidnap actual people, most of the negotiations are done through a single insurance broker – Lloyd’s of London. This way, Lloyd’s can control the costs, the governance, and the protocols. No such mechanisms exist for the cyber world yet, so we’re on our own.

People are paying the ransoms, which means the model is working. According to IBM, 70% of victims pay the ransom. What’s more, less than 25% of victims report the crime. Cybersecurity Ventures predicts that ransomware market damage costs will exceed $5 billion in 2017, up more than 15X from 2015.

Ransomware is a market-proven, highly efficient, emerging business model. As with any market, that means we’re in for a period of investment, growth, competition, and adaptation.…

Cyber Reality Check: Why We Are Our Own Worst Enemy (Part 1)

17 May

Despite continuously rising cyber security threats, we remain our own worst enemy. Below is a candid look at why we continuously fail to address our cyber vulnerabilities and what we can do to change our behavior.

This is part one of a two-part series. See part 2.

We make a hacker’s job easy. From poor passwords, to clicking on suspicious links, to failing to keep our systems patched, we leave the door wide open for cyber threats. Ask a penetration tester, those people you hire to hack your system and tell you how to fix it, and they’ll say that they’re bored. They want a challenge. They’re done by lunch. A tester will roll into your company with a list of default passwords, a simple phishing attack, and a toolset to exploit existing vulnerabilities, and they will own your system before their morning coffee gets cold.

The WannaCry ransomware attack is a good case study for this. Not only was WannaCry one of the largest attacks in history, infecting hundreds of thousands of computers across over 150 countries, but it was also completely preventable. The vulnerability it exploited was not only known, but it had been popularized in the news as one of the vulnerabilities used by the NSA and leaked to WikiLeaks. Microsoft had released a patch for it months before the ransomware was released. You would think that an NSA-level vulnerability would motivate people to run the patch. Alas, they did not, and it was only by luck that a malware tech incidentally triggered a kill switch that slowed it down.

The question then is why. Why don’t we all implement the basic cyber hygiene that would make these types of attacks obsolete? Are we lazy? Foolish? Irresponsible? Although these are easy answers, they are neither accurate nor helpful.

To get to real answers, we need to take a long look in the mirror. Here are some reasons why we are self-defeating and what we can do about it.

We hope this sparks discussion.

We don’t think it can happen to us

When it comes to cyber security, too many companies have an incredible propensity for self-denial. They convince themselves of excuses such as “We’re not targets” or “I don’t have access to anything a hacker would want” or “Nothing’s happened yet.” With cyber, you are investing in things not to happen, which makes it harder to justify. Additionally, the investment in cyber is unclear, ongoing, and increasing. A lot of executives don’t want to look into cyber security for fear of opening up a costly can of worms. To even look into the cyber Pandora’s Box might make them legally obligated to address cyber issues. Denial is much more cost effective.

What We Can Do: The fact that companies are reticent to take on new expenses that impact their bottom lines isn’t a bad thing. It’s prudent for a company to be cautious about new investments, especially recurring and costly ones. However, the reality is that every company is a target. Hackers are often indiscriminate about who they attack. They are broadening their traditional targets, and they are getting more efficient and automated. There are three levers we can pull to make companies take cyber security more seriously:

  1. Create a market pull: Companies care not only about their bottom line, they are also highly motivated by their top line. If their cyber security maturity directly impacts their sales, they will invest in it. Thus, companies should have much higher expectations of their vendors, suppliers, and partners. They need to make cyber an expressed part of their sales cycle, a key purchasing criterion, and an integrated part of their contracts. As soon as companies cannot bid on a sale or lose opportunities because of cyber security, they will make it a priority.
  2. Hold CEOs accountable: Boards of directors need to make cyber a core priority, and hold the CEO directly accountable for reducing cyber risks. If CEOs know their jobs are on the line, cyber will be a key priority.
  3. Make it real: You can show executives statistics, give them warnings, and even do table-top exercises to show them what could happen. However, there is nothing more compelling than an actual compromise. Some companies do this by launching targeted phishing attacks on their senior executives, and then reporting the results at their senior meetings. Other companies have been known to create a controlled hack that temporarily shuts down an important system or process. This is not a penetration test where a white hat hacker tries to infiltrate a system but does no real damage. This is a full, live-fire exercise, where a designated system is under attack. This is much trickier to pull off, and involves a number of legal, strategic, and operational hurdles, but it can be very effective. The bottom line is that the threat and impacts of cyber attacks need to be real for the organization.

Ransomware Is Changing Rapidly: What Executives Need to Know

4 May

Most senior executives have heard of (or experienced) ransomware. They now need to know how it is evolving and what that means for the business. Here is a breakdown of the future of ransomware for your next executive presentation.

Ransomware is all about the money – and there’s plenty of it. In 2016, ransomware cost companies over $1 Billion. As the number of incidents exploded (an increase of 6,000% in 2016), ransomware became a buzzword, and CISOs/CSOs were called in front of senior executives to explain it.

By now, most senior executives are familiar with the basic concept: bad guys hold your data or systems hostage and demand money to release them. (If you want a good, basic overview of ransomware, check out the “No More Ransom” website.) The question now is “what’s next for ransomware and what does that mean for your business?”

The first thing to know is that there is plenty of motivation for ransomware to rapidly evolve. People are paying the ransoms. According to IBM, 70% of business victims paid the hackers to get their data back. That kind of effectiveness is not only driving up the number of attacks (they are expected to double in 2017), but it has also captured the attention, investment, and focus of attackers. This means that ransomware is going to go through a lot of changes, and become a lot more potent, over the next couple of years.

Here’s what to expect:

The Business Model Is Changing

Like any business model, ransomware is adapting to its market demands and conditions. Attackers are getting more formalized, specialized, and effective. For example, they are starting to offer Ransomware-as-a-Service (RaaS). Under this model, hackers provide the platform and the necessary technology to launch a ransomware attack. They then sell this capability, and either take straight payment for the service, or take a share of the profits. This drives down the price of a ransomware attack. (One ransomware package offers a lifetime license for the low price of $39.)

So what? RaaS lowers the barrier of entry for attackers. You do not have to be technically savvy or invest a lot to launch an attack. This both expands the number of attacks and diversifies the types of attackers. It allows attackers to concentrate on developing their ransomware, instead of launching attacks. (See our blog for more information about Hacking-as-a-Service (HaaS).)

Ransomware Is Becoming More User Friendly

Ransomware hackers have the same problems developers do – those pesky end users. They realized that their victims are often not very technically savvy, which hurt their extortion processes. Users have a hard time buying Bitcoin (the preferred cyber currency), can’t figure out Tor (the preferred network), and don’t understand the interfaces. So, hackers are making their attacks much more user friendly. They provide everything from point-and-click interfaces to support chat lines. F-Secure recently released transcripts from a ransomware support chatline. It is a fascinating read. Here’s an excerpt:…

A Handy List of Cyber Stats for Your Next Executive Presentation

24 Apr

Sometimes there’s nothing more compelling than having the right statistic in your executive presentation. Here is a handy list of some compelling statistics I have recently collected.

Depending on the level of interest I receive from this post, I can put these out every so often.

Cyber Spending and the Cost of Cyber Crime

  • Security budgets have increased 35X over the past 13 years (Cybersecurity Ventures)
  • In 2004 the global cybersecurity market was worth $3.5 billion. By the end of 2017 it will be worth $120 billion (Wired)
  • Cybercrime will cost the world in excess of $6 trillion annually by 2021 (Cybersecurity Ventures)
  • The average cost per breach worldwide was $4 million; that figure rose to $7 million in the U.S. (Ponemon Institute)
  • The cyber insurance market rose to $2.5 Billion in 2016 (Forbes)

IoT Cyber Security

  • There are 25 connected devices per 100 inhabitants in the US (Symantec Internet Security Threat Report)
  • Intel predicts there will be up to 200 Billion connected devices by 2020. Microsoft predicts that the number of connected devices will be about 50 Billion by 2020
  • Connected Cars
    • 12 million connected vehicles are on the road today, and 4.5 million of those are 4G LTE connected vehicles (Network World)
    • Reduced rates of collisions and theft thanks to in-vehicle IoT devices could lower insurance premiums by as much as 25% (AT&T)
  • According to AT&T’s “The CEO’s Guide to Securing the Internet of Things”
    • 90% of organizations lack full confidence in their IoT security
    • 35% of U.S. manufacturers are using data generated by smart sensors to enhance their manufacturing or operating processes
    • 88% of organizations lack full confidence in the security of their business partners’ connected devices
  • By 2020 data volumes online will be 50 times greater than today (Microsoft)

Risk is Good: Finding the Business Value of Cyber

11 Apr

Cyber Security Risk, for lack of a better word, is good. It’s the new market equalizer – those who can manage it will have competitive advantages over those who don’t. It’s time to reshape the conversation.

Apologies to Gordon Gekko, but most companies need to change how they think about cyber risk. Cyber executives often don’t talk about risk, feeling more comfortable focusing on technology, or they frame their risk discussions in terms of dooms-day scenarios and dire consequences. At the same time, the senior executives they’re talking to don’t have a strong understanding of cyber security, and do not easily connect cyber security to their strategy, operations, and success. CISOs end up either talking past executives, or scaring them into decision-making.

As a result, many senior leaders, including Boards of Directors, are getting cyber fatigue. They are growing weary of spending money so things don’t happen, listening to presentations that they do not understand, and stressing about threats they cannot see. Cyber executives are caught between growing accountability and exposure, and a lack of support and understanding (for more about executive cyber fatigue, see our blog). Lost in all of this is the business value of cyber risk.

Competitive Advantage

On the company level, cyber security is about managing the risks that impact your operations. If you do this well, you can avoid or minimize the impacts of a breach. This makes a lot of sense, and it’s what many savvy CISOs are telling their senior leadership. However, by only focusing on the individual company, they are leaving out the best part of the story. By taking a broader market perspective, they can show how a great cyber program provides competitive advantages.

Everyone in your market is facing similar cyber challenges and threats. Think of it as a mine field that every company in your market has to run through. Every company has a choice, and many choose to believe that threats won’t affect them. So, they take no precautions. However, as companies keep getting hit with cyber breaches, this is getting much tougher to justify to leadership.

The other option is for companies to acknowledge that cyber security is a reality, it is part of almost every aspect of operations, it is not optional, and it will only grow in importance. Herein lies a competitive advantage. Those who are better at detecting, deterring, avoiding, responding to and remediating cyber threats can move more quickly. A strong cyber program provides you the efficiency, flexibility, and speed that your competitors don’t have.

Brand Advantage

Cyber security is an inherent part of your brand, which means that customers are judging you on your cyber security. How they judge you is up to you. Cyber security and corporate brands are usually talked about in terms of brand protection or the impacts on a brand in the event of a breach. While these are relevant aspects, cyber security is quickly making its way into customer purchasing criteria, brand loyalty, and market leadership perceptions.…

Senior Execs Have Cyber Fatigue? What You Have Here Is A Failure to Communicate

4 Apr

Senior leadership takes cyber security seriously – they often just don’t understand it. Here’s advice on how to keep them engaged in cyber.

Cyber Security has steadily risen to a top tier priority. CISOs are regularly asked to report directly to the Board of Directors, and companies are pouring money into cyber programs. According to Cybersecurity Ventures, security budgets have increased 35X over the past 13 years. (For more on CISOs expanding roles, see our blog on the topic.)

Along with all of this growth, there has been an equal amount of confusion, frustration, and fatigue. Even with increased budgets, security teams are struggling to keep pace with growing threats. With an estimated 3.1 Billion records stolen in 2016, the rise in ransomware, and high profile hacks becoming a list of who’s who (e.g., Yahoo, DNC, CIA, OMB), the discussion has shifted from “if we get hacked” to “when we get hacked.”

Boards of Directors are starting to lose patience with cyber programs. An Osterman Research survey of board members showed that 85% felt that the information from IT and security executives is too technical. Poor communication like this does the one thing that board members hate most – it increases risk. Without the proper information, senior leaders cannot make the correct investment, policy, and strategic decisions about their cyber security. This will not only impact the company, but has direct repercussions for security executives. In the Osterman survey, 59% of respondents said that one or more members of the IT security team would lose their jobs if they did not provide the board with useful or actionable information about the company’s cyber risk.

With so much riding on how you communicate with your senior leadership, you need to make sure that you are not simply reporting to them. Rather, you are informing, educating, and engaging them about how cyber risks, capabilities, and requirements impact the bottom line. Here is some guidance to help you more effectively manage your senior leadership.

Be Business Relevant

Cyber often gets a bad rap. It’s seen as an inhibitor to operations and an overhead expense. You need to reshape this perception and show how cyber security is a business imperative. The new reality is that cyber is part of almost every aspect of operations. Every connected device, from printers, to manufacturing systems, to mobile devices, to the apps you develop for customers, all have a cyber dimension. A good cyber program will help companies reduce risks, so they can move faster.

Think of it as a car. If you have great brakes, steering, and tires, you can go much faster and out-maneuver your competitors. Cyber works the same way. By reducing the risks in your operations, you gain the speed and flexibility to meet your market demands. Threats and risks are out there. Your cyber program helps you minimize and manage them to free up your operations.…

Untangling The CISO’s Dilemma: Expanding Accountability, Shrinking Control

21 Mar

As companies become more connected, CISOs are being squeezed between increasing accountability and decreasing control. Here’s what you can do about it.

As companies make their way through their digital transformations, and weave technology into every aspect of doing business, CISOs have seen their executive exposure explode. Many CISOs now regularly report to the Board of Directors and cyber security has risen to a top strategic priority. According to Cybersecurity Ventures, security budgets have increased 35X over the past 13 years, and are estimated to grow 12-15 percent year-over-year through 2021.

As fast as the CISOs’ accountability is expanding, their visibility and control are shrinking. Networks have become dynamic, borderless, and ambiguous. Everyone from suppliers and vendors, to customers and contractors can have direct access to your systems and data. CISOs often do not have clear insight into the security practices of these groups, and would not have the authority to exercise control over them even if they did.

All of this places CISOs in a security catch-22. They assume all the risk and responsibility of a security breach, but don’t have the authority or tools to manage that risk. Although there is no perfect answer to this dilemma, here is some practical guidance.

Map Your “Elastic Attack Surface”

From BYOD, to cloud services, to emerging IoT devices, the composition of your network, vulnerabilities, and exposures are constantly changing. Dark Reading calls this an “Elastic Attack Surface,” and understanding it will help you manage your risk, your security, and your executives. They define six categories that can help you get started mapping your attack surface (see graphic below).

Beyond developing an inventory of assets, you need to consider factors that impact visibility and control over your attack surface. You can use the categories listed below to help identify the assets, systems, and data that impact your network. Be sure to include components that are owned and/or managed by your technology constituencies (e.g., suppliers, contractors, customers). For each element, ask yourselves the questions to gauge your span of control and visibility.

Beyond the Jargon: A Practical Guide to Managing Your Corporate “Crown Jewels”

14 Mar

“Protect your corporate Crown Jewels” seems to be the modern day cyber mantra, but no one provides guidance on how to do it. So, here’s some practical advice.

Ask a room full of executives if they really know what their corporate crown jewels are and how to best protect them and the answer is most likely…”sort of.” It’s easy to get executives to agree that they have corporate crown jewels. It’s much more difficult to have them agree what those crown jewels are and what to do about them.

Consider this: According to the Commission on the Theft of American Intellectual Property, 70% of the value of publicly traded corporations is estimated to be in “intangible assets.” Of these assets, your “Crown Jewels” are your most important. These are the information, functions, and processes that would have a devastating impact if they were stolen, manipulated, delayed, or destroyed. Cyber attackers are getting much more specialized in identifying, stealing, and reselling your most valuable data. (For more on this, see our blog about Data Laundering).

Although highly valuable, your crown jewels only make up a tiny fraction of your overall data. IBM estimates this to be between .01%-2% of your total data. So, finding these needles in your ever-growing data haystack may take some time.

Every company has a different opinion of what they consider critical. There are often large disagreements even within a company about what is most important. At first, individual executives may want to position their information as the most critical. Then, after they realize that this means more monitoring, restriction, time, and cost, they tend to want to point elsewhere for the corporate crown jewels. Also, what a company considers critical will change over time. For example, an SEC filing is highly confidential before it’s released, but not as much after it goes public. With so many factors and opinions, it’s little wonder that companies struggle to define their Crown Jewels.…

Data Laundering: The Dirty Business of Stealing and Reselling Your Most Valuable Data

6 Mar

Hackers are stealing your most prized data, cleaning its illegal origins, and reselling it through legitimate channels – a growing threat to your critical operations

Cyber attackers have been going after data for as long as there have been computers to hack. Whether they are stealing, destroying, manipulating, or blocking access to data, hackers know there is money to be made with your information. As cyber criminals become more sophisticated, they are moving up the data food chain, targeting your most critical and valuable information.

Today’s Smash-and-Grab Hacking

The most popular kinds of data being targeted now are PII (Personally Identifiable Information), PHI (Personal Health Information), and PCI (Payment Card Industry) data. Hackers know where to look for this information and what to do with it once they steal it. There are established markets and mechanisms to quickly create fake credit cards, drain your accounts, steal your identity, commit fraud, and conduct a whole host of other lucrative exploits.

As popular as this data is to steal (last year over 27 million healthcare records were stolen), it has become a high-volume, low value market. On the cyber black market, you can buy a social security number for $1, credit card data for as little as $7, and medical information for $10-$50.

Evolution of the High-End Data Market

Beyond this high volume market, there is a high-end market that targets much more sophisticated and sensitive data. Often called the “crown jewels” of your organization, these are critical secrets that you need to operate and gain a competitive advantage. This market focuses on data such as intellectual property, legal proceedings, financial strategies, and sales bidding information. The right information, in the right hands could easily be worth multi-millions.

Although potentially very lucrative, it can be difficult to operate in the high-end data market. It’s not because the information is well protected. Often, this information is exposed (we’re looking at you, senior executives, with your crown jewels sitting on your laptops). It is because 1) the information is hard to identify and interpret, 2) it is hard to identify a buyer, and 3) it is very high risk. Most cybercriminals can identify PII and PHI, but ask them to interpret a corporate earnings report, or an acquisitions strategy, and they’ll likely run for the hills.
