Old breaches led to new breaches as cybercriminals’ ability to use and monetize personal information rose significantly across all industries.
Past cyber-attacks and the tools used to carry them out have led to new breaches, according to key findings in a new mid-year trend report by cyber threat intelligence provider, SurfWatch Labs. In a study of cybercrime events that occurred in the first half of 2016, the stockpile of personal information garnered from old data breaches led to new compromises and lucrative payoffs for cyber criminals.
“When LinkedIn announced in May of this year that their 2012 breach actually impacted 100 million more users than originally thought, other organizations began to see data breaches they attributed to the LinkedIn compromise, widespread password reuse by users and remote access software from services such as GoToMyPC, LogMeIn, and TeamViewer,” said Adam Meyer, chief security strategist, SurfWatch Labs. “Other breached organizations only widened the pool of information available to be stockpiled by bad actors.”
No industry was left untouched, and the tactics used were not new or sophisticated, according to the report that offers a breakdown of industries targeted, the effects of cybercrime and the tactics criminals employed.
SurfWatch Labs collected cyber event activity from thousands of open and Dark Web sources and then categorized, normalized and measured the data for impact based on their CyberFact information model. Highlights from the SurfWatch Labs Cyber Risk Report: 2016 Mid-Year Review include:
• IT and global government were the most targeted industries. Of all the CyberFacts analyzed, the information technology industry was hit the hardest in the first half of 2016. Microsoft was second behind LinkedIn as the top target. After IT, the government sector had the highest number of publicly discussed cybercrime targets, led by a breach at the Commission on Elections in the Philippines.
• The consumer goods sector made up the largest share of industry targets with information bought, sold or otherwise discussed on the dark web.
• Credentials theft is on the rise. Credentials stolen/leaked appeared in 12.7% of the negative CyberFacts in the first half of 2016, up from 8.3% in all of 2015. That rise is driven by massive credential breaches such as LinkedIn, which was the most talked about event over the period.
• Ransomware and extortion are the methods of choice. The first half of 2016 saw a significant spike in ransomware and extortion as researchers, organizations, and government officials scrambled to deal with the growing and costly problem of data or services being held hostage.
“Our research indicates the familiar cadence of ‘we were breached by a sophisticated attack but it has now been contained’ actually contradicts what has really happened so far this year,” said Meyer. “By understanding what the bad guys are up to, we can make better informed forecasts of how cybercrime will impact organizations going forward and therefore what should be done to reduce risk in the future.”
Posts Tagged ‘#hacking’
Old breaches led to new breaches as cybercriminals’ ability to use and monetize personal information rose significantly across all industries.
The federal government and industry have been urged to work together to share information on cyber security threats and attacks to counter the increasing sophistication of cyber adversaries.
According to security vendor Palo Alto Networks’ APAC chief security officer, Sean Duca, the threat landscape in Australia, and around the world, is not abating and those looking to penetrate security are becoming more sophisticated, sharing tools, exploits and attack methods, and automating their processes. “In doing so, they have achieved a clear competitive advantage in cyberspace and are eroding trust in today’s digital age.”
Duca urged the federal government, with industry, to quickly put into action the recommendations for greater cyberthreat information sharing laid out in the government’s new Cyber Security Strategy announced in April.
“Cybersecurity threat information sharing within and across industries and with the public sector must be embraced by everyone. The faster organisations can share information, the better we can serve to protect each other and push the cost back to the adversary.
“Until the public and private sectors truly collaborate to build systemic information sharing partnerships, it’s like we’re combatting our adversaries with technological weapons that have no ammunition.”
According to Duca, cybersecurity provides longevity to a business and can help differentiate the business from its competitors – “for both good and not so good reasons”.
“Organisations, both in the public and private sector, need to have strong cybersecurity fundamentals to provide trust and confidence to citizens, businesses and customers alike.”
Duca says Australian industry can play a valuable role in combatting cybersecurity threats by participating in voluntary cyberthreat information sharing.
He says “operationalising” threat information sharing, both within and across industries, and between the private and public sectors, will dramatically shift the balance of power, close the competitive gap, “and realise exponential leverage against cyber adversaries by driving up the cost of successful attacks”.
Here’s what information Duca says should be shared between the private and public sectors:
• Threat Indicators: forensic artefacts that describe the attacker’s methodology;
• Adversary’s campaign plan: a collection of threat indicators for each link in the cyberattack lifecycle attributed to a specific adversary group;
• Context: additional non-campaign plan intelligence about an adversary group that is helpful for organisations to understand the adversary. This includes things like motivation, country of origin, and typical targets;
• Adversary dossier: campaign plans + context – a collection of threat indicators attributed to a specific adversary campaign or playbook (campaign plans), plus any additional context about the adversary group.
“Our mission should be to share all of the above but, most importantly, an adversary group dossier. Doing so will enhance the assessment of the adversary group’s potential, material impact to the targeted organisation, giving a better opportunity for that organisation to detect and prevent the attack, as well as deter an adversary,” Duca observes.
He cautions that the information (to be shared) itself is important – but it must be actionable, and must arrive in as close to real time as possible.
“As we have observed in some of the largest breaches, the best resourced security teams cannot scale manual responses to automated threats – only through automating prevention and detection can organisations be fast enough to adequately secure networks.”
According to Duca, government and industry must collaboratively build a “robust, automated information sharing architecture”, capable of turning threat indicators into widely distributed security protections in near-real time.
He acknowledges that there is apprehension amongst some Australian organisations that information sharing could negatively impact them and that many feel that that by sharing information that could be classified as sensitive and privileged, “they would be giving the upper hand to their competitors”.
“This sentiment from the business community is valid and should be acknowledged. But, as noted above, we should focus on sharing attack information – not information on who has been breached.”
Some of the other challenges and “perceived barriers” to greater cyberthreat information sharing that Duca maintains should be addressed:
• Privacy: Laws should not unduly prohibit the sharing of personal information that is necessary to identify and prevent attacks. At the same time, the Australian government should ensure that there are responsible privacy protections in place related to cyberthreat information sharing.
• Trust among private sector competitors: Some organisations consider cyberthreat information to be their own proprietary intellectual property (IP) and do not want to share it. We need to reverse this notion. The more one continues to treat this information as IP, and the more it is kept in silos within our own organisations, the greater opportunity the adversary has to strike again. Adversaries share tools, exploits and attack methods – so should we. Everyone should have access to the same body of threat information and collaborate to quickly translate it into security controls to use within their own organisations and their collective customer base.
• Antitrust concerns: There is a fear among some companies that sharing threat information between organisations makes them vulnerable to antitrust violations. The Australian government should clarify that cybersecurity threat information voluntarily shared, or received, by a private entity with another private entity is exempt from antitrust laws.
• Over-classification: The government, in some instances, may “over-classify” cyberthreat information it receives from both internal and external sources. It takes a significant effort — and valuable time — to declassify that same information to share with private companies and the public at large.
It is no longer a question of if a business will be attacked, but when – and how.
There are still many old style fraudsters who forge cheques, submit false invoices for fictional services or seek a “dear friend” who will help them repatriate several million pounds but these are just a reminder of bygone days when a fraud looked like, well, a fraud.
In recent times a fraud is more likely to look like a genuine email from the managing director asking a member of the accounts team to make a payment to what looks like a supplier.
Closer inspection may reveal that the proposed destination of the cash is not quite what it seems.
Perhaps the language is more polite than one would expect from the MD, maybe the email address of the sender isn’t exactly right – although it looks right at first glance.
Any communication regarding the movement of cash should now be subjected to an additional level of scrutiny. Many businesses have already updated their procedures.
Some will not send cash in response to an email request. Many will make a call to the parties involved to check that everything is genuine and that a payment request originates from who it purports to be from.
There has also been a massive escalation of malicious attacks, usually harmless looking emails that invite the recipient to click on what looks like a harmless link.
Clicking the link unleashes a virus that will attack the recipient’s systems, potentially causing major harm to the business.
There are now many hundreds of thousands of cases of computer misuse, hacking and malicious virus attacks reported each year.
Whilst these threats might be conveyed digitally, many need to fool a human being at some point to be effective. Every organisation should therefore run regular training for employees on how to spot fraudulent or malicious activity.
Insurers will increasingly expect this kind of training as a condition of cover. In the current climate, it is arguably negligent to not train staff properly in this regard.
The IoD conducted a survey of business leaders in December 2015 which showed that just under half provided training in cyber security for their staff.
Given the potential for commercial and reputational damage that can result from the cascading effect of a cyber attack, this is an alarmingly low figure. It shows a high degree of misplaced complacency.
Cyber security is a business “hygiene” issue. Suppliers, customers and staff are entitled to expect that a business has the necessary measures and procedures in place.
There is also a rapidly growing market for defined cyber threat insurance.
This used to be carried by a minority of companies but is now something that needs to be in place for the vast majority of businesses, especially bearing in mind that only around one per cent of respondents in the IoD survey thought their business wholly unreliant on the inter- net.
Alongside greater awareness of the threat, the other primary defensive tool in the armoury is software, with good firewalls and analytics that can pick up the bulk of fraudulent or malicious activity
There is no simple solution to the malice and dishonesty that exist in the digital world.
The price of staying ahead of these threats is eternal vigilance, insurance and up-to-date software.
By Jonathan Oxley
The head of the FBI said Wednesday that the government will bring more legal cases over encryption issues in the near future.
Speaking with reporters at FBI headquarters in Washington, FBI Director James Comey specifically said that end-to-end encryption on WhatsApp is affecting the agency’s work in “huge ways.” However, he noted the FBI has no plans to sue Facebook, the app’s parent company.
He also said that since October 2015, the FBI has examined “about 4,000 digital devices” and was unable to unlock “approximately 500.”
The FBI paid gray hat hackers at least $1.3 million for a way to get into the seized iPhone used by Syed Rizwan Farook, the now-dead terrorist involved in the December 2015 attack in San Bernardino, California. At the last minute, the Department of Justice canceled a highly anticipated court hearing over the issue in March 2016.
However, Comey said that the hackers’ identities are so closely held inside the government that even he doesn’t know who they are, according to Reuters.
By Cyrus Farivar
For 10 days in February one hospital’s records hung in limbo. At Hollywood Presbyterian Medical Center in California, a ransomware attack kept health care records in control of anonymous hackers, until hospital officials paid $17,000 to take back their system.
Data ransom attacks are today’s technological version of kidnapping. It’s anonymous, more cost-effective and more appealing to criminal enterprises than taking physical hostages. And it’s the reason health care institutions today are taking steps to ensure security.
As part of an ongoing conversation, health care professionals and government agencies will meet on May 1-11 in Washington D.C. to discuss health data as part of the Health Datapalooza event presented by Health Data Consortium.
At Creighton University, law professor Edward Morse is researching the technological and legal limitations for paying data ransom.
“If you can deny access to patient care records, you shut down hospital operations,” Morse said. “With HIPAA, a patient’s electronic records are protected under law. But, a patient’s medical information is only as strong as an institution’s weakest link.
It can be as simple as a disgruntled employee; someone who is willing to give up a password to a potential hacker, so hospitals are working to increase security and limit the number of employees who can access sensitive data.
Adam Kuenning, attorney with Erickson | Sederstrom and a Creighton law professor, teaches HIPAA privacy and security.
“Patient care comes first for any medical professional,” Kuenning said. “The importance of keeping the information secure, may sometimes be lost while the medical professional is focused on the patient’s care.”
Any HIPAA breach of more than 500 patients must be reported to the media, and the Department of Health and Human Services keeps a record of these cases online. Since 2009, more than 1500 cases have been recorded. For cases affecting less than 500 patients, only a letter sent to affected persons is required.
To ensure HIPAA compliance, HHS is conducting audits healthcare companies, but often carelessness is the root cause of a breach. A frequent problem are laptops and thumb drives with private medical information left in an employee’s car.
“Data that’s not encrypted is being stolen somehow,” Kuenning said. “People are breaking into your office, stealing your computer, your servers when you didn’t encrypt your records that evening.”
In the California hospital case, an outside hacker stole records by taking over the computer system. In these cases, it’s common that patient information isn’t actually stolen; rather, hackers freeze the system, making the records inaccessible to medical personnel who need the information to properly care for the patients.
Last June, President Barack Obama stated while the U.S. government won’t pay ransom for hostages, American families have never “been prosecuted for paying a ransom.” In most health care cases, private ransom payments often go unnoticed. Few cases like Hollywood Presbyterian Hospital are publicized. According to Morse, thousands of attacks are attempted, but it’s unknown how many are successful.
“With this crime, it’s embarrassing to institutions, that their systems aren’t secure,” Morse said.
Payouts to criminal enterprises are relatively inexpensive. The black market values each patient’s record at $50 or $60, Morse found. According to a Ponemon Institute Survey, hackers only earn about $28,000 annually, but Morse notes that this wage could equate to a lot more with hackers coming from developing countries.
Without patient’s records, the hospital reaches a standstill, creating the need to comply and pay ransom.
“If you can pay, you would do it in a New York minute,” Morse said.
As the health care industry becomes more invested in technological innovations, institutions must keep privacy in mind, as a data breach can “ultimately, sully the reputation of an institution,” Morse said.
Source: Creighton University