
Hackers Target Unpatched Citrix with Ransomware Attacks

While these attacks are taking place, hackers are scanning the internet for Citrix appliances that were left unpatched against the CVE-2019-19781 [1] vulnerability. Vulnerable devices include the Citrix Application Delivery Controller (ADC), Citrix Gateway, and two older versions of Citrix SD-WAN WANOP. The vulnerability was disclosed in mid-December; however, internet-wide attacks began after January 11, when proof-of-concept exploit code was published online and became broadly available to anyone.
Citrix has released the final permanent fixes for the actively exploited CVE-2019-19781 vulnerability, which are needed to secure all vulnerable Citrix Application Delivery Controller (ADC), Citrix Gateway, and Citrix SD-WAN WANOP appliances.

The CyberSecOp team has identified scanning against multiple clients' Citrix Gateway appliances that attempts to take advantage of this vulnerability in the Citrix Gateway application.

Timeline

  • On January 19, 2020, Citrix released firmware updates for Citrix Application Delivery Controller (ADC) and Citrix Gateway versions 11.1 and 12.0.

  • On January 22, 2020, Citrix released security updates for vulnerable SD-WAN WANOP appliances.

  • On January 23, 2020, Citrix released firmware updates for Citrix ADC and Gateway versions 12.1 and 13.0.

  • On January 24, 2020, Citrix released firmware updates for Citrix ADC and Gateway version 10.5.

A remote, unauthenticated attacker could exploit CVE-2019-19781 to perform arbitrary code execution.[2] This vulnerability has been detected in exploits in the wild.[3]

The Cybersecurity and Infrastructure Security Agency (CISA) strongly recommends that all users and administrators upgrade their vulnerable appliances as soon as possible.
Timeline of Specific Events

  • December 17, 2019 – Citrix released Security Bulletin CTX267027 with mitigation steps.

  • January 8, 2020 – The CERT Coordination Center (CERT/CC) released Vulnerability Note VU#619785: Citrix Application Delivery Controller and Citrix Gateway Web Server Vulnerability, and CISA released a Current Activity entry.

  • January 10, 2020 – The National Security Agency (NSA) released a Cybersecurity Advisory on CVE-2019-19781.

  • January 11, 2020 – Citrix released a blog post on CVE-2019-19781 with a timeline for fixes.

  • January 13, 2020 – CISA released a Current Activity entry describing its utility that enables users and administrators to test whether their Citrix ADC and Citrix Gateway firmware is susceptible to the CVE-2019-19781 vulnerability.

  • January 16, 2020 – Citrix announced that Citrix SD-WAN WANOP appliance is also vulnerable to CVE-2019-19781.

  • January 19, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 11.1 and 12.0 and blog post on accelerated schedule for fixes.

  • January 22, 2020 – Citrix released security updates for Citrix SD-WAN WANOP releases 10.2.6 and 11.0.3.

  • January 22, 2020 – Citrix and FireEye Mandiant released an indicator of compromise (IOC) scanning tool for CVE-2019-19781.

  • January 23, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway versions 12.1 and 13.0.

  • January 24, 2020 – Citrix released firmware updates for Citrix ADC and Citrix Gateway version 10.5.

Technical Details

Impact

On December 17, 2019, Citrix reported vulnerability CVE-2019-19781. A remote, unauthenticated attacker could exploit this vulnerability to perform arbitrary code execution. This vulnerability has been detected in exploits in the wild.
The vulnerability affects the following appliances:

  • Citrix NetScaler ADC and NetScaler Gateway version 10.5 – all supported builds

  • Citrix ADC and NetScaler Gateway version 11.1 – all supported builds before 11.1.63.15

  • Citrix ADC and NetScaler Gateway version 12.0 – all supported builds before 12.0.63.13

  • Citrix ADC and NetScaler Gateway version 12.1 – all supported builds before 12.1.55.18

  • Citrix ADC and Citrix Gateway version 13.0 – all supported builds before 13.0.47.24

  • Citrix SD-WAN WANOP appliance models 4000-WO, 4100-WO, 5000-WO, and 5100-WO – all supported software release builds before 10.2.6b and 11.0.3b. (Citrix SD-WAN WANOP is vulnerable because it packages Citrix ADC as a load balancer).
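The affected-versions list above is the data an administrator needs when checking an appliance inventory against the advisory. The following is an added example (not a Citrix or CyberSecOp tool) that turns that list into a build-string check: it parses ADC/Gateway strings of the form "12.1.55.13" and WANOP strings of the form "10.2.6b", which is assumed from the build numbers the advisory itself uses, and reports each device as vulnerable, fixed, or on a release train the table does not cover. The inventory at the bottom is constructed sample data.

```python
"""Check Citrix ADC / Gateway and SD-WAN WANOP build strings against the
CVE-2019-19781 fixed-build table given in the advisory text above.

Added example, not a Citrix or CyberSecOp tool. Assumptions: build strings
look like "12.1.55.13" (ADC/Gateway) or "10.2.6b" (WANOP), as in the
advisory; the inventory at the bottom is constructed sample data.
"""
import re

# First fixed build per release train, copied from the affected-versions list.
# None means the list marks every supported build of that train as affected
# (the 10.5 fix came later, per the timeline; update this table when it does).
FIXED_BUILDS = {
    "adc": {            # Citrix ADC / NetScaler Gateway
        "10.5": None,
        "11.1": "11.1.63.15",
        "12.0": "12.0.63.13",
        "12.1": "12.1.55.18",
        "13.0": "13.0.47.24",
    },
    "wanop": {          # Citrix SD-WAN WANOP (bundles ADC as a load balancer)
        "10.2": "10.2.6b",
        "11.0": "11.0.3b",
    },
}

_COMPONENT = re.compile(r"(\d+)([a-z]?)")

def parse_build(version: str) -> tuple:
    """Turn '12.1.55.13' or '10.2.6b' into a tuple that compares correctly.

    Each component becomes (number, suffix); the WANOP 'b' suffix therefore
    sorts after the bare number, so 10.2.6 < 10.2.6b.
    """
    parts = []
    for piece in version.strip().split("."):
        match = _COMPONENT.fullmatch(piece)
        if not match:
            raise ValueError(f"unrecognised version component: {piece!r}")
        parts.append((int(match.group(1)), match.group(2)))
    return tuple(parts)

def release_train(version: str) -> str:
    """'12.1.55.13' -> '12.1' (the key used in the advisory table)."""
    parts = parse_build(version)
    if len(parts) < 2:
        raise ValueError(f"version needs at least major.minor: {version!r}")
    return f"{parts[0][0]}.{parts[1][0]}"

def assess(product: str, version: str) -> tuple:
    """Return (status, reason); status is 'vulnerable', 'fixed' or 'unknown-train'."""
    table = FIXED_BUILDS[product]
    train = release_train(version)
    if train not in table:
        return "unknown-train", f"{train} is not in the advisory table; check the vendor bulletin"
    fixed = table[train]
    if fixed is None:
        return "vulnerable", f"every supported {train} build is listed as affected"
    if parse_build(version) < parse_build(fixed):
        return "vulnerable", f"build {version} predates first fixed build {fixed}"
    return "fixed", f"build {version} is at or after fixed build {fixed}"

# Constructed sample inventory: hostnames and builds are made up for the demo.
SAMPLE_INVENTORY = [
    ("gw1.example.test", "adc", "12.1.55.13"),
    ("gw2.example.test", "adc", "13.0.47.24"),
    ("gw3.example.test", "adc", "10.5.70.8"),
    ("wanop1.example.test", "wanop", "10.2.6"),
    ("wanop2.example.test", "wanop", "11.0.3b"),
]

def triage(inventory) -> list:
    """Annotate each (host, product, build) row with its assessment."""
    return [(host, product, build, *assess(product, build))
            for host, product, build in inventory]

if __name__ == "__main__":
    for host, product, build, status, reason in triage(SAMPLE_INVENTORY):
        print(f"{host:22} {product:6} {build:12} {status:14} {reason}")
```

A build reported as "fixed" only means it is at or past the first fixed build in the advisory table; devices that had the interim responder-policy mitigation applied still need the upgrade, and a device on a train the table does not list should be checked against the current Citrix bulletin rather than assumed safe.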

What Customers Should Do
Exploits of this issue on unmitigated appliances have been observed in the wild. Citrix strongly urges affected customers to immediately upgrade to a fixed build OR apply the provided mitigation which applies equally to Citrix ADC, Citrix Gateway and Citrix SD-WAN WANOP deployments. Customers who have chosen to immediately apply the mitigation should then upgrade all of their vulnerable appliances to a fixed build of the appliance at their earliest schedule. Subscribe to bulletin alerts at https://support.citrix.com/user/alerts to be notified when the new fixes are available.
The following knowledge base article contains the steps to deploy a responder policy to mitigate the issue in the interim until the system has been updated to a fixed build: CTX267679 - Mitigation steps for CVE-2019-19781
Upon application of the mitigation steps, customers may then verify correctness using the tool published here: CTX269180 - CVE-2019-19781 – Verification Tool
Fixed builds have been released across all supported versions of Citrix ADC and Citrix Gateway. Fixed builds have also been released for Citrix SD-WAN WANOP for the applicable appliance models. Citrix strongly recommends that customers install these updates at their earliest schedule. The fixed builds can be downloaded from https://www.citrix.com/downloads/citrix-adc/ and https://www.citrix.com/downloads/citrix-gateway/ and https://www.citrix.com/downloads/citrix-sd-wan/
 
If you would like to learn more about the CVE-2019-19781 vulnerability and risk mitigation, please contact CyberSecOp at support@cybersecop.com.

NSA Reported a Critical Flaw in Microsoft Windows 10

The National Security Agency recently discovered a vulnerability in Microsoft’s Windows 10 operating system. Rather than using the flaw for its own intelligence gathering, the NSA worked with Microsoft to issue patches and publicly raise awareness.

On January 14, Microsoft released a set of patches for the Windows platform. While all of the issues addressed in the patch release are serious, this article will discuss one of them: CVE-2020-0601. Above anything else, we urge everyone to take action and patch their systems.

The flaw, CVE-2020-0601, affects Microsoft Windows cryptographic functionality.

The certificate validation vulnerability allows an attacker to undermine how Windows verifies cryptographic trust and can enable remote code execution. The vulnerability affects Windows 10 and Windows Server 2016/2019 as well as applications that rely on Windows for trust functionality. Exploitation of the vulnerability allows attackers to defeat trusted network connections and deliver executable code while appearing as legitimately trusted entities. Examples where validation of trust may be impacted include:

  • HTTPS connections

  • Signed files and emails

  • Signed executable code launched as user-mode processes

Vulnerability

CVE-2020-0601 is a serious vulnerability because it can be exploited to undermine Public Key Infrastructure (PKI) trust. PKI is a set of mechanisms that home users, businesses, and governments rely upon in a wide variety of ways. The vulnerability permits an attacker to craft PKI certificates to spoof trusted identities, such as individuals, web sites, software companies, service providers, or others. Using a forged certificate, the attacker can (under certain conditions) gain the trust of users or services on vulnerable systems, and leverage that trust to compromise them.

Microsoft’s explanation of the vulnerability

Microsoft said an attacker could exploit the vulnerability by spoofing a code-signing certificate so it looked like a file came from a trusted source.

The Microsoft Windows CryptoAPI fails to properly validate certificates, which may allow an attacker to spoof the validity of certificate chains. This vulnerability may not seem flashy, but it is a critical issue: trust mechanisms are the foundation on which the Internet operates.

Microsoft typically releases security and other updates once a month and waited until Tuesday to disclose the flaw and the NSA’s involvement. Microsoft and the NSA both declined to say when the agency privately notified the company.

Mitigation Actions

NSA recommends installing all January 2020 Patch Tuesday patches as soon as possible to effectively mitigate the vulnerability on all Windows 10 and Windows Server 2016/2019 systems. In the event that enterprise-wide, automated patching is not possible, NSA recommends system owners prioritize patching endpoints that provide essential or broadly relied-upon services. Examples include:

  • Windows-based web appliances, web servers, or proxies that perform TLS validation.

  • Endpoints that host critical infrastructure (e.g. domain controllers, DNS servers, update servers, VPN servers, IPSec negotiation).

Prioritization should also be given to endpoints that have a high risk of exploitation. Examples include:

  • Endpoints directly exposed to the internet.

  • Endpoints regularly used by privileged users.

Administrators should be prepared to conduct remediation activities, since unpatched endpoints may already be compromised. Applying patches to all affected endpoints is recommended, when possible, over prioritizing specific classes of endpoints. Other actions can be taken to protect endpoints in addition to installing patches: network devices and endpoint logging features may prevent or detect some methods of exploitation, but installing all patches is the most effective mitigation.

Cyber Attack Bulletin

1) FBI, DHS issue bulletin warning of potential Iranian cyberattacks.

The FBI and Department of Homeland Security (DHS) issued a bulletin to law enforcement groups last Wednesday warning of the potential for Iran to target the U.S. with cyber attacks in the wake of raised tensions following the death of Iranian General Qassem Soleimani.

2) 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete. According to the same survey, 80% of hackers say “humans are the most responsible for security breaches”.

3) Traditional perimeter-based security is not enough against cyberattacks.
According to the CyberSecOp Data Breach Investigations Report, over half — and trending toward 100% — of recent data breaches were due to compromised credentials.

4) There is a cyber attack every 39 seconds.
By the time the average person takes a selfie and uploads it to Instagram, the next hacker attack has already taken place.

Ransomware Revenue 2019 - Demand Cost Increases

Ransomware is a type of malware that stops users from accessing their data until a ransom payment is arranged. The money is usually paid in cryptocurrencies to avoid any kind of detection. Ransomware criminals trick you into clicking on infected links, usually by copying the general look of a legitimate email to mask their nefarious intentions. Organizations interviewed by CyberSecOp say they experience data loss and major downtime as the result of a ransomware attack. Both of these outcomes are extremely costly for a business, especially larger ones with hundreds of employees. Significant downtime can result in millions of dollars of lost revenue and decreased consumer trust.

The Cybercriminal Career Path Is Ransomware

If you were considering becoming a cybercriminal, or were perhaps a traditional villain looking to upgrade your skills for the 21st century, I’m sure your business model of choice would be running a ransomware operation. You would be right, thanks to the simplicity of platforms like Ransomware as a Service and the willingness of victims to pay ransomware fees.

Why ransomware is the most common attack vector

The main reason for the runaway success of ransomware as a malware attack vector is its effectiveness and ability to generate money for cybercriminals. Anonymous payment services like Bitcoin make ransomware payment simple for victims and risk-free for the ransomware owners. Companies are even starting to keep a Bitcoin ransom ready if they are affected and cannot recover from the attack.

Ransomware big newsmakers

The biggest news-maker for 2019 is the Baltimore City government. The city’s computer system was hit with a ransomware infection in May 2019 that kept the city’s government crippled for over a month. Estimates put the cost to recover at over 18 million dollars, although the cybercriminal behind the ransomware only demanded $76,000 worth of Bitcoin. The attack reportedly impacted vaccine production, ATMs, airports, and hospitals. Just about a year earlier, the Atlanta city government spent over $17 million to recover from a ransomware attack that demanded $52,000 in Bitcoin.

The big tech giants are getting hit by ransomware too

Popular software as a service (SaaS) applications are being targeted by ransomware too. A study involving several service providers found that Dropbox, Office 365, G Suite, Azure, and Amazon Web Services have experienced ransomware attacks in some form.

Ransomware Demand cost increases

At the same time, the average ransomware demand has increased rapidly, to $36,000 in the second quarter of 2019. But this number understates the risk, as perpetrators have adopted a more sophisticated pricing model which charges larger organizations much higher ransoms to unlock their data. Riviera Beach, FL, for example, had to pay $600,000 to unlock the city records encrypted by a ransomware gang, while Korean hosting company Nayana paid $1m to unlock 3,400 hosted websites. Refusing to pay can cost even more, as Norwegian aluminum maker Norsk Hydro learned when it spent $58m in the first half of 2019 to remediate the ransomware attack it experienced in March. The company’s Q1 profit also fell 82% due to production downtime caused by the attack. The implications of these trends for security professionals are clear. The time has come to move from a strictly defensive posture vis-à-vis ransomware to a more offensive strategy focused on finding and fixing vulnerabilities that can be exploited by ransomware.

98% of ransomware profits went through the cryptocurrency trading platform BTC

How to Clean Malware From Your Website

Cyberthreats will continue to grow as technology and big data evolve. Whether the motive is to steal money and data or simply wreak havoc, cybercriminals often have a solid return on investment of their time when they attack unprotected and vulnerable websites. They target websites with software that has a malicious intention – also known as malware – and they aren’t slowing down anytime soon.

Malware can change the appearance of your website and its files, and can even alter your computer’s operating system entirely. Cybercriminals gain unauthorized access to these systems by exploiting vulnerabilities found in weak entry points within system software. Malware can also cause your website to be flagged and removed from search engines, ultimately resulting in loss of traffic, decreased trust from your consumers or visitors, and a potential negative impact on your bottom line.

The impact of malware often depends on the overall goal of the attacker. Cyber-attacks can range from site defacements to phishing emails, and each has a different agenda. For example, a website defacement can be thought of as online graffiti, and the intention could simply be to make a statement of some kind. If you have an online business or simply have an online presence, there is a good chance you could be faced with malware on your website. To help you prepare, we’ve provided the following simple steps on how to remove malware from your website.

How to Determine if Your Website Has Been Infected By Malware

Cleaning your website of malware first requires identifying whether the site has been infected. An infected website has the following characteristics:

  • Slow loading pages, or slow downloads

  • Advertisements that pop up on the page, and re-pop up or do not go away even after attempting to close them

  • Changes in your website theme or general appearance

  • Spam email flooding your inbox

  • Website comments full of comment spam or advertisements

  • Traffic redirection to other websites, resulting in low site traffic on your own page

  • Removal from the general search results on various search engines

 

How to Clean Your Website

Step 1: Back up your site content

Before starting the malware removal process, always make a backup of your website files and database. This will allow you to restore your website if anything goes awry during the malware removal process, such as file corruption. Also look for an existing backup in your file manager or on a local drive, as this may come in handy to replace files damaged by malware.

Step 2: Identify the malware

 

Use the file manager within your web hosting account, or download an FTP client, to download and review your website files. This could be a time-consuming process depending on how many pages make up your website, but it’s a critically important step. When you do find files that look suspicious, review the code within the files for clues such as eval, base64, fromCharCode, gzinflate, shell_exec or error_reporting().

Step 3: Replace damaged files

Once malware has been removed, by restoring the file from a backup or by deleting the malicious file entirely, try loading your website to ensure you are able to view the content on the page. If the defacement is still visible, or you have visible scripting errors on your page, you must keep looking for the malware affecting your site. As a best practice, keep a current copy of the clean website files and database as well. This should be kept offsite in the event your website is re-infected.

Step 4: Enhance your website defense mechanisms

Removing malware and replacing all of your files can only do so much. If you don’t practice and implement proper cybersecurity protocols, such as keeping your software up-to-date and backing up your content, you’re leaving your online assets vulnerable to another cyber-attack. As a best practice, you should aim to improve your cyber defenses by implementing a web application firewall (WAF) to block cyber threats before they ever hit your website. In addition, it’s recommended to use a website scanner that can automatically detect and remediate malware and other threats as they happen.

Step 5: Protect your online accounts

It’s important to always use strong passwords for every account. Never write your passwords in a notebook or keep them in an online spreadsheet for someone to find. Always use a strong password that includes numbers, letters, and special characters. However, even if you are the only one who knows your password, you aren’t doing yourself any favors by reusing the same strong password for every account. Using a password manager will save you the hassle of remembering a plethora of passwords to log in to your accounts.
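Steps 1 to 3 above can be scripted so that the review is repeatable rather than a manual read through every file. The following is an added illustration, not a tool from the original article: it archives the webroot first (Step 1), greps the text files for the indicator strings Step 2 names (Step 3's "keep a clean copy" advice is what makes the comparison possible), and hashes every file against a clean copy so that added and modified files stand out. The webroot layout, file contents and the tampered sample are constructed for the demo and kept inert inside PHP comments; Steps 4 and 5 (WAF, scanner, password hygiene) are not scripted here.

```python
"""Worked example for Steps 1-3 above: back up the webroot, grep the text
files for the indicators the article names, and compare every file against
a clean copy so that added or changed files stand out.

Added illustration, not a tool from the original article. The webroot layout,
file contents and the "infected" sample are all constructed for the demo; the
indicator strings are the ones listed in Step 2.
"""
import hashlib
import re
import tarfile
import tempfile
import time
from pathlib import Path

# Indicators from Step 2, matched case-insensitively at a word start so that
# "base64_decode" and "fromCharCode" both hit. This is a triage screen, not
# proof of infection: a word like "evaluate" will also match "eval".
INDICATORS = ["eval", "base64", "fromcharcode", "gzinflate", "shell_exec", "error_reporting"]
INDICATOR_RE = re.compile(r"\b(" + "|".join(INDICATORS) + r")", re.IGNORECASE)
# Only source and markup files are worth grepping; images and archives add noise.
TEXT_SUFFIXES = {".php", ".inc", ".js", ".html", ".htm", ".css", ".txt"}

def backup_site(webroot: Path, dest_dir: Path) -> Path:
    """Step 1: archive the whole webroot before anything is changed."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"site-backup-{time.strftime('%Y%m%d-%H%M%S')}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(webroot, arcname=webroot.name)
    return archive

def backup_members(archive: Path) -> list:
    """List the paths stored in a backup archive (used to verify the backup)."""
    with tarfile.open(archive) as tar:
        return sorted(tar.getnames())

def hash_tree(root: Path) -> dict:
    """Map relative POSIX path -> SHA-256 of every regular file under root."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def scan_indicators(root: Path) -> dict:
    """Step 2: {relative path: [indicators found]} for text files with any hit."""
    hits = {}
    for path in sorted(root.rglob("*")):
        is_text = path.suffix.lower() in TEXT_SUFFIXES or path.name == ".htaccess"
        if not path.is_file() or not is_text:
            continue
        found = {m.group(1).lower() for m in INDICATOR_RE.finditer(path.read_text(errors="replace"))}
        if found:
            hits[path.relative_to(root).as_posix()] = sorted(found)
    return hits

def diff_against_clean(clean: dict, live: dict) -> dict:
    """Step 3: files that are new, changed or missing relative to the clean copy."""
    return {
        "added": sorted(set(live) - set(clean)),
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "missing": sorted(set(clean) - set(live)),
    }

def triage(clean_root: Path, live_root: Path) -> dict:
    """Run the clean-copy comparison and the indicator scan over the live copy."""
    return {
        "changes": diff_against_clean(hash_tree(clean_root), hash_tree(live_root)),
        "indicators": scan_indicators(live_root),
    }

def build_demo() -> tuple:
    """Construct a clean copy and a tampered live copy in a temporary directory."""
    base = Path(tempfile.mkdtemp(prefix="site-cleanup-demo-"))
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "wp-content").mkdir(parents=True)
        (root / "index.php").write_text("<?php\nrequire 'wp-blog-header.php';\n")
        (root / "wp-content" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n" + bytes(16))
    # Constructed tampering, kept inside PHP comments so the sample is inert:
    # a loader appended to index.php and a dropped file in wp-content.
    with (live / "index.php").open("a") as f:
        f.write("<?php // constructed sample: eval(base64_decode($payload)); ?>\n")
    (live / "wp-content" / "cache.php").write_text(
        "<?php // constructed sample: error_reporting(0); gzinflate($blob); ?>\n")
    return base, clean, live

if __name__ == "__main__":
    base, clean, live = build_demo()
    print("backup written to", backup_site(live, base / "backups"))
    report = triage(clean, live)
    for kind, files in report["changes"].items():
        print(f"{kind}: {files}")
    for path, found in report["indicators"].items():
        print(f"{path}: {', '.join(found)}")
```

The two reports are meant to be read together: a file that both differs from the clean copy and carries indicator hits is the first thing to inspect, while a modified file with no hits (a changed image, an edited template) still deserves a look, since the indicator list is a screen for common obfuscation and not a complete signature set.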

Staying Safe from Malware in the Future

Maintaining a clean and malware-free website is fundamental to the success of any website. And, if the website in question is connected to a business, it could protect you from potential legal action. Case in point: the recent Equifax and Capital One data breaches have both resulted in class action lawsuits against each company, and new data breaches continue to occur, resulting in additional lawsuits.

The truth is, if you are running a website of any kind, you owe it to your visitors to have security measures in place. Just a few of the things you can do include, but are not limited to:

  • Install a web application firewall (WAF) to protect your website and web applications from harmful traffic (such as cybercriminals and bad bots) and other cyber threats

  • Use a malware scanner to automatically check your website for malicious software and cyber threats that can harm your website

  • Update your website often, and keep a clean backup of all data and files at all times, so that in the event of infection you can install the clean copy and get back online faster

  • Use a password manager to securely manage the logins for all of your online accounts

 

Conclusion

Malware can be dangerous for any website, and removing it is vital for the safety and protection of both the website owner and its visitors. Therefore, understanding what malware is and how to remove it is the first step towards ensuring a malware-free site. Hopefully, the above information has inspired you to keep an eye on your website and ensure your business is protected from cybercriminals.

CyberSecOp and Coronet announce partnership


Bringing in Coronet’s AI and cloud technology extends CyberSecOp’s capability to protect lean IT and SMB companies.

Stamford, CT – September 18, 2019 – CyberSecOp, a cyber security consulting firm based in Stamford, CT, announced today its partnership with Coronet, the world leader in security-as-a-service powered by AI and cloud.

Coronet, which provides security for cloud applications, BYOD and communications over public networks, brings enterprise grade security to companies of any size.

With Coronet’s AI platform, CyberSecOp will identify and remediate SaaS vulnerabilities, malware and ransomware spread through cloud services, malicious behavior by employees, and control access to SaaS based on the security posture of the device and network the user is using.

“We were very impressed with Coronet’s ability to identify and remediate risks. Most of our customers are moving to cloud platforms such as Office 365, Dropbox, Salesforce, and Slack, to name a few. Practically all of our customers adopted a BYOD strategy,” said Jeffery Walker, CISO of CyberSecOp. “These cost and convenience driven advances leave organizations extremely exposed from a cybersecurity and regulatory perspective, and Coronet helps us protect our customers against these threats.”

Coronet’s platform not only protects against cyber threats, but also identifies PII, PCI, and PHI regulatory violations in files that are stored in cloud services or sent through them. As regulators become more aggressive, with fines and penalties skyrocketing, Coronet’s ability to identify potential violations eliminates such regulatory exposure.

“We are very excited to have CyberSecOp join the Coronet family. We are very impressed with the caliber of talent that we saw at CyberSecOp, and know that Coronet in their hands would alleviate many risks and concerns their customers currently experience.”

About CyberSecOp

CyberSecOp Security Consulting Services is a leading provider in managed security and compliance services, providing clients with a comprehensive security team, with a board-level cyber security consultant to drive organization strategic planning. The CyberSecOp team will provide strategic leadership, security strategy, compliance, & corporate security consulting, aligning your GRC activities to business performance drivers. To explore our security solutions and services, visit us at www.cybersecop.com or follow us at @CyberSecOp on social media.

  

About Coronet

Coronet is a world leader in providing organizations of every size with security for their cloud applications, bring-your-own-devices, and communications over public networks. With over 2.5 million users, Coronet's platform uses AI to detect and mitigate threats, eliminating the need for a security team to chase down security events. Provided as a subscription service, with nothing to install on premises, Coronet brings enterprise grade cyber security to organizations of any size, at an affordable price, eliminating the complexity and laborious nature of traditional security platforms. To learn more about Coronet, visit us at www.coro.net or follow @coronetworks on social media.

5G Network Pros & Cons: Do You Have the Need for Speed?

5G network:

The evolution of 5G networks is causing concern for law enforcement agencies when it comes to monitoring individuals: the tools they currently use with 4G technology cannot be used on the 5G network. The plan was to have 5G networks rolled out by 2020, which was supposed to be the year when we would all be using 5G for our various communication devices and applications, but at this moment only two major cities have limited use of the 5G technology.


Pros of having 5G network

5G is going to be a big deal one of these days, delivering faster speeds, lower latency and better experiences.

  • High resolution and bi-directional large-bandwidth shaping, with the ability to connect and share data with others.

  • Remove the wire and bring all technology together on one network.

  • One network to support, which is more effective and efficient.

  • Technology to facilitate subscriber supervision tools for quick action.

  • Huge broadcast data capacity (in gigabits), which will support more than 60,000 connections.

  • More easily manageable than previous generations.

  • Built with security in mind.

  • Remote medical treatment.

Cons of having 5G network

Law enforcement 5G network concerns

Law enforcement agencies claim they will be unable to monitor criminals, but Edward Snowden made it clear with the documents he released that law enforcement does not only monitor criminals; it takes advantage of every citizen’s privacy. They themselves perform criminal activity against citizens.

5G makes it difficult to side with law enforcement agencies, but at the same time we understand the need to protect and serve to ensure public safety. The ability to monitor criminals “is one of the most important investigative tools that law enforcement and services have.”

Nationwide 5G network concerns

The problem is much bigger than the challenges faced by law enforcement agencies. We also need to understand the threats to personal and corporate data. To do so, it is important to recognize that there is already controversy over who is supplying the actual infrastructure for 5G, namely Huawei, and why one should be concerned about Huawei: Huawei has alleged ties to the government of China. What does that have to do with personal and corporate data? If Huawei owns the infrastructure, all data can be monitored and sent to another government agency or to supporting vendors, and this data could include sensitive data, intellectual property, national secrets and potentially military data.

Cybercrime 5G network concerns

5G has 200 times more access points for hackers than existing networks, experts warn. Charles Eagan, BlackBerry Ltd.’s chief technology officer, agreed the network complexity and the expanded physical attack surfaces present a challenge for securing 5G networks.

With 5G, more systems will stay continuously connected, giving attackers more opportunities to find a vulnerable system to compromise at any time, and systems on wireless networks are not patched or updated frequently.

Years of 5G hype will soon give way to 5G reality. Verizon has turned on 5G service for smartphones in select cities and announced which ones will be getting high-speed service next. Sprint has flipped the switch on its own 5G network, and AT&T and T-Mobile are both making progress in building out the next-generation wireless network. Are you ready for speed? Do you have the need for speed?

Benefits of Mobile device management (MDM)

Mobile device management (MDM) is a type of security software used by an IT department to monitor, manage and secure employees' mobile devices that are deployed across multiple mobile service providers and across the multiple mobile operating systems in use in the organization. MDM capabilities give you the fundamental visibility and IT controls needed to secure, manage, and monitor any corporate- or employee-owned mobile device or laptop that accesses business-critical data.

An MDM solution provides immediate, on-device threat protection, protecting against device, app and network threats even when the device is offline. It can:

  • Detect the attack immediately

  • Notify the device user through mobile clients and enterprise admin through centralized console

  • Take preventive actions to protect company data through custom compliance actions

Administrators can use these capabilities to find all the devices that have vulnerable versions of WhatsApp on them and assign compliance actions to only those devices, without affecting the productivity of users running an updated version of the affected app.

Benefits of Mobile device management (MDM)

More control and security

An effective MDM system protects company data, e-mails, and confidential documents. If a device is lost or stolen, the administrator can easily lock or disconnect the mobile device. SIM cards can also be blocked on employees’ mobile devices, and if somebody tries to transfer the SIM to another device they will need a PUK code.

MDM offers organizations better control over their devices. For example, a company’s sales staff will not have to register and configure every device used by their sales agents; instead, you can configure the device once and have the security software applied automatically. Certain tools and applications can also be pushed to agents’ devices. If you want an app to be configured at start-up, or if you want automatic application or replacement updates throughout the enterprise, you can do it easily without having to physically handle the device.

Powerful and Highly Efficient Management

Practically speaking, mobile devices can distract employees. If organizations want to limit or prohibit the use of certain apps on their devices and avoid unnecessary data costs, IT managers can block YouTube, Facebook, or other social media apps. Take, for example, a company’s rescue services. As drivers need to focus on the road, some companies use MDM to prevent them from using any apps other than the transport app and Waze or Google Maps while driving. This ensures not only operational efficiency but also safety.

Increased flexibility

Working from anywhere with a mobile device gives access to relevant files anytime, anywhere and in any situation. Some tools give you that luxury; for example, the company’s vendors do not need to download resources separately from different portals. The centralized MDM system enables more efficient distribution of business documents, such as training forms and learning materials, accessible only to authorized individuals.

Find the right MDM solution

As the businesses focus on productivity, efficiency, and security, and with more and more companies choosing BYOD (Bring your own device), MDM is ready to respond to feature requests that help them take control of the device while providing their employees with freedom, security, and productivity.

Why You Need a Cybersecurity Management Program

Many organizations’ cybersecurity teams (or information security teams, as they used to be known) continue to struggle to communicate cybersecurity issues to senior leadership. Likewise, senior management also struggles to effectively articulate cybersecurity strategy to technical cybersecurity personnel. It is as though two parts of the same organization speak foreign languages to one another, and each party has very limited, or no, knowledge of the other party’s language. However, it does not have to be like this.

Why so many organizations struggle with Cyber Security

Failure to communicate issues is most often revealed in grassroots cybersecurity initiatives that have evolved into corporate cybersecurity programs. Typically, this results from an enterprise in startup mode implementing solutions to address specific technical challenges. Unfortunately, many organizations continue to employ a similar approach to secure much larger and more complex environments against threats that outmatch the capabilities of their original solutions. No longer simply a technical solution, cybersecurity management has become a business function in today’s industry. As a business function, a greater level of integration with other business units requires a greater level of transparency and performance reporting. The evolution of grassroots cybersecurity programs rarely results in the kind of mature cybersecurity solutions that are aligned with, and address, business needs. And why should it? The initial programs were designed to solve technical challenges, such as preventing virus outbreaks or infections, or stopping cyber attackers from compromising or stealing valuable information. Such initial cybersecurity efforts were neither designed as business functions nor defined in business terms.

CyberSecOp Comprehensive Security Program - Going beyond compliance

Cyber Security Program Key Success Factors

The following key success factors are common to many successful cybersecurity programs. The programs:

  • Support and drive strong governance attitudes and actions

  • Are designed, developed, and implemented in a similar way to other business functions

  • Adopt a standard framework approach, usable for an extended period of many years with little or no changes to that framework

  • Are measurable in terms of their effectiveness

Organizations and executives that drive successful cybersecurity programs do so in the same manner as other successful business initiatives. Executives succeed at this not because of industry pressure, but because each aims to improve their organization. Having identified the opportunity, executives evaluate whether the initiative poses additional risks to their organizations and decide whether to accept this additional risk or not. After accepting such risk, executive sponsors continue to evaluate initiatives toward implementation. Even when initiatives are operational, executives still employ strong governance methods, including internal audit teams, to manage and monitor the effectiveness and efficiency of these initiatives. This business approach has become institutionalized across most enterprise units with the exception of IT and cybersecurity. Key stakeholders in IT and cybersecurity often claim that cybersecurity management programs are too technical, only internal facing, or too complex, to properly develop and implement using this approach.

The truth is that if these same IT and cybersecurity groups adopted a common framework and designed their cybersecurity management programs based on that framework, cybersecurity management would truly become just a standard business function in their enterprises. Unfortunately, the cybersecurity world does not agree on a standard cybersecurity framework across all countries, industries, and states. Analysis of the commonalities and differences between these standard frameworks shows that it is possible to create a universal cybersecurity management framework to address all countries, industries, and states. Such a framework is not firmly associated with any particular cybersecurity standard and can be adapted during implementation to address any specific security standard that organizations using it wish to follow. This paper introduces a cybersecurity management framework where it is apparent that a successful approach is not too technical, addresses both internal and external concerns, and is not overly complex to implement, operationalize, and manage over the long term.

CyberSecOp Cyber Security Management - Aligning businesses with security

Cybersecurity Management Framework

The design of the CyberSecOp cybersecurity management framework (CMF) assumes cybersecurity management is a business function.

The framework, as a business function, consists of three discrete pillars, with each subsequent layer unfolding increasing levels of specificity, as follows:

  • The Executive Management (Strategy) Pillar directs the Governance and Planning initiatives that drive the framework forward to operation.

    • The Executive Management Pillar requires people to identify why cybersecurity is needed, consider the business issues, and then define, document, and publish the direction the required cybersecurity program will adopt.

  • The Operations Pillar defines what the cybersecurity program must address to comply with the requirements specified in the strategy, what supporting functions are needed, and what level of reporting and governance monitoring should be provided. These needs are supported through the Security Intelligence, IT and Cybersecurity Assurance, and IT Risk Management operations sub-pillars.

    • The Operations Pillar requires documented operational standards, processes, procedures, and other collateral that specify what operators should do and how they should do it.

  • The Tactical (Technology) Pillar defines how the cybersecurity controls mandated in the Operations and Executive Management pillars will be applied to the systems, networks, and applications used by the organization, and how evidence will be provided to management that the implemented security controls actually address the specific requirements and perform as expected.

    • The security controls in the Tactical Pillar, whether they require technology or not, are responsible for securing all aspects of the enterprise computing environment, continuously monitoring the environment for security events, collecting and analyzing captured events, and reporting defined security metrics, some of which are provided to the senior leadership team (SLT).

Addressing Cybersecurity Challenges

Although addressing cybersecurity challenges with just three pillars is perfectly possible, adopting and using them in that way is difficult and potentially open to error or misinterpretation. To minimize these issues, the macro-level pillars must be divided into more manageable chunks. The CyberSecOp LocPar subdivides its three macro pillars into seven discrete focus areas:

  • Executive Management: Key decisions and accountability required to drive the program.

  • IT Risk Management: Reducing risk exposure to the organization to a level acceptable to the SLT and Board of Directors.

  • Cybersecurity Intelligence: Required to provide the cybersecurity and IT teams with appropriate information to achieve and surpass IT Risk Management goals.

  • IT and Cybersecurity Assurance: Required to provide evidence to management and especially the SLT that their investments in cybersecurity are delivering the benefits they expected.

  • Secure Network: Required to support secure, on demand access to information to authorized personnel no matter where it is located within, or external to, the organization.

  • Secure Systems: Required to provide controlled access to applications, data and devices according to the identity of the requesting party. This focus area also includes how data is protected, whether at rest, or in transit.

  • Secure Applications: Required to control access to data and other networks, systems and applications according to the identity of the requesting party. For internally developed applications, requirements extend to how the application was designed, developed and managed throughout the whole development lifecycle.

Summary

Development, implementation, and maintenance of a cybersecurity management program for an organization is no small undertaking. However, the overall value that organizations achieve through development and implementation of such programs includes reduced instances of successful cyber attacks. Moreover, a cybersecurity management program provides organizations with a means to reduce a successful attack’s impact on the bottom line due to its programmatic predefined approach for identifying and responding to cybersecurity incidents. Read more about cybersecurity management programs and CyberSecOp Cybersecurity Services at https://www.cybersecop.com/

What is Cybersecurity Risk Management

Cyber Risk Management is the next evolution in enterprise technology risk and security for organizations that increasingly rely on digital processes to run their business. Risk management is a concept that has been around as long as companies have had assets to protect. The simplest example may be insurance. Life, health, auto and other insurance are all designed to help a person protect against losses. Risk management also extends to physical devices, such as doors and locks to protect homes and autos, vaults to protect money and precious jewels, and police, fire and security services to protect against other physical risks.

What is cybersecurity risk management?

Rather than doors, locks and vaults, IT departments rely on a combination of strategies, technologies and user education to protect an enterprise against cybersecurity attacks that can compromise systems, steal data and other valuable company information, and damage an enterprise’s reputation. As the volume and severity of cyber attacks grow, the need for cybersecurity risk management grows with it.

Cybersecurity risk management takes the idea of real world risk management and applies it to the cyber world. It involves identifying your risks and vulnerabilities and applying administrative actions and comprehensive solutions to make sure your organization is adequately protected.

Setting up your risk management system

Before setting up a cybersecurity risk management system, the enterprise needs to determine what assets it needs to protect and prioritize. As the National Institute of Standards and Technology (NIST) points out in its Framework for Improving Critical Infrastructure Cybersecurity, there is no one-size-fits-all solution. Different organizations have different technology infrastructures and different potential risks. Some organizations, such as financial services firms and healthcare organizations, have regulatory concerns in addition to business concerns that need to be addressed in a cybersecurity risk management system. Cybersecurity should follow a layered approach, with additional protections for the most important assets, such as corporate and customer data. Remember that reputational harm from a breach can do more damage than the breach itself.

Risk management with CyberSecOp

  • Identity Services

Identity services help companies manage the explosion of digital identities and access to critical resources, both internal and cloud-based. In this age of digital transformation, the spheres of the individual’s life―as a professional, consumer, and private citizen―are interlinked in a complex digital structure, like a piece of fabric. The growing ability to piece together a digital picture of a person’s life and identity carries both risk and opportunity.

Wherever an organization is on its journey, we can help them achieve efficiencies, reduce risk, and evolve to support the changing needs of the digital business. With 20 years of identity management experience across the major industries, we offer field-tested accelerators and methods that are scalable and adaptive to each client’s specific set of business requirements.

  • Data Protection
    Data Protection services help implement capabilities and technologies to protect sensitive data. As infrastructure and applications become more virtualized and adaptive, new cybersecurity gaps can be created as fast as old ones have been addressed, making the prevention of data breaches more difficult than ever. By prioritizing preventative and detective defenses around highly sensitive data, security teams can help reduce data loss and risk when attackers get past network, application, and infrastructure controls.

    Leveraging these principles and an understanding of each client’s risk profile, CyberSecOp helps organizations design, implement, and manage capabilities to help better protect sensitive information across the end-to-end data lifecycle, and at an organization’s last line of defense.

  • Application Security 
    In the era of digital transformation, application portfolios are becoming exponentially more diverse—and support a growing community of users. As the application “surface area” expands, so does cyber risk. Amid the change, one thing remains constant: applications are the lifeline of the business—and need to be a front line of cyber defense. It’s an important time for organizations to reexamine their approaches to application security.

    Improving application security requires technical attention to individual applications, but also a broad framework across the application portfolio—from custom-developed to commercial off-the-shelf (COTS) applications and whether managed on-premise, on a mobile platform, in the cloud, or in a hybrid environment. It also requires the flexibility to support varying and often coexisting system methodology processes from waterfall, to agile, to DevOps in order to address application-related cyber risk at the pace of the organization’s digital evolution.

    CyberSecOp’s application security services help organizations to design and implement security mechanisms across the system development methodology that can flex to your operational requirements to drive value through IT while also protecting your application portfolio against the changing cyber threat landscape.

  • Infrastructure Security
    Infrastructure Security services focus on developing advanced protection of core systems and devices. Today’s critical business drivers—the need to digitally transform, modernize the supply chain, enhance customer experience, increase agility, reduce costs, etc.—are driving a major shift in technology priorities. This shift includes increasing focus on cloud adoption, the Internet of Things (IoT), hybrid computing, software-defined networks (SDN), robotic process automation (RPA), blockchain, artificial intelligence, and more. The infrastructure supporting it has become highly virtualized and automated—and the traditional means of securing infrastructure fall short.

    CyberSecOp helps organizations move toward a modernized, risk-focused agile defense approach. While the basic infrastructure domains—physical facilities, networks, systems and storage, and endpoints—that need to be protected remain the same, the means to secure them must evolve. By providing assessment, strategy, architecture, implementation, and operational management assistance across the four infrastructure domains, we help clients face our brave new world with a transformed, agile defense capability.


Choosing A Managed Detection & Response Provider

Why Managed Detection & Response Provider may be the right move

Companies outsourcing security need Managed Detection & Response providers (MDR) more than ever to improve cyber resilience. With the security landscape growing more complex, and the costs of maintaining adequate in-house security teams high, it makes sense for many companies to outsource the tasks of threat hunting and response to ensure that they can promptly identify potential threats and react swiftly to mitigate damages. Managed Detection & Response providers often integrate tools such as Endpoint Detection & Response and other solutions to detect threats, analyze risk, and correlate threat data to pinpoint patterns that could indicate a larger attack.

How to choose the right Managed Detection & Response Provider

Smart moves: you're making them. How do we know? For one, you're investigating ways to close the gaps in your threat detection and incident response, which makes sense, given that assembling the talent and technology to thoroughly thwart attackers requires more than most organizations can commit to. Even smarter, you're checking out Managed Detection and Response (MDR) services, an increasingly popular solution that combines expertise and tools to provide monitoring and alerting, as well as remote incident investigation and response, to help you detect and remediate threats.

9 things to look out for when choosing a Managed Detection & Response Provider

  1. Your Managed Detection & Response Provider should combine numerous data inputs from security detection tools, threat intel feeds, third party data sources, and the IT asset database to identify not only where there is a threat but its risk compared to others in the queue.

  2. Assess your company's present and future technology needs and initiatives. Qualify, quantify and communicate those needs throughout your company. Is the Managed Detection & Response Provider able to address your range of needs?

  3. Technology strategies should encompass people and processes as part of the organization's mission and strategies. Do they offer ongoing employee training as part of their service?

  4. Does the Managed Detection & Response Provider continuously assess your organization's performance for meeting objectives? You want a partner that focuses on continuous evaluation and improvement of your objectives.

  5. Review your company's goals and mission. Ensure they are clear and concise and can be communicated to all organizational stakeholders as well as your new IT partner.

  6. Perform annual policy and process reviews to assess the organization's readiness for external reviews and incident response.

  7. Identify and create teams within your organization to define current challenges and align initiatives to those challenges.

  8. Through playbooks and pre-defined workflows, you can quickly assess and begin to remediate security incidents based on best practices. Ask a Managed Detection & Response Provider if they include such materials as part of their package.

  9. CIOs/CISOs should have unprecedented transparency to all aspects of the security environment. Through dashboards and visualization techniques, CIOs/CISOs will be more easily able to communicate with Managed Detection & Response Providers which vulnerabilities and threats exist and the risks of inaction.


What is Regulatory Compliance & Services?

What is Compliance

Compliance means conforming to a rule, such as a specification, policy, standard or law. Regulatory compliance describes the goal that organizations aspire to achieve in their efforts to ensure that they are aware of and take steps to comply with relevant laws, policies, and regulations.

Business and Compliance

When it comes to business and corporate management, compliance refers to the company obeying all of the laws and regulations that govern how it manages the business, its staff, and its treatment of consumers. The purpose of compliance is to make sure that corporations act responsibly.

The pressure to comply with constantly changing regulatory, third-party, and internal guidelines can be overwhelming. Being unprepared to manage risks while also meeting mandates can lead to economic consequences and legal liabilities. Both can contribute to a significant financial impact and to harm to your reputation, which could prove even more damaging. You may be exposed to threats you're not yet familiar with that could be putting your company's reputation at risk, and even jeopardizing its future. Many major companies within the United States are subject to some type of security regulation.

Complying with regulations

Regulations that contain information security requirements are intended to raise the information security level of organizations within the affected industry, and many organizations would welcome such guidance. The difficulty comes in determining which regulations apply and in interpreting their requirements. Regulations are not written in a way that is easily understood by the average business person, so a security professional is often needed to understand the requirements and how best to implement them. Such professionals have experience implementing systems, policies, and procedures that satisfy the regulation and enhance the security of your organization, and some hold credentials (such as CyberSecOp Information Security Practitioner) that signify their understanding of the regulations. Often the requirements are stated in general terms, leaving the company to determine how best to satisfy them.

For those organizations without a robust security department, we provide a Virtual CISO offering with expertise in the following:

  • ISO 27001/27002

  • NIST & NIST Cybersecurity

  • GDPR

  • CCPA

  • FedRAMP

  • NY DFS Requirements 23 NYCRR 500

  • FFIEC Handbook

  • FERPA

  • HIPAA/HITECH

  • HITRUST

  • PCI-DSS

CCPA Data Privacy - California Consumer Privacy Act (CCPA)

CCPA Data Privacy

The California Consumer Privacy Act of 2018 (CCPA) is coming into effect. This new consumer privacy law follows Europe's General Data Protection Regulation (GDPR) and, for some, is seen as a smaller version of it, without the GDPR's option to opt out of data collection altogether.

CCPA is a consumer privacy law that will be coming into effect on January 1, 2020. The bill – which is aggressive for American privacy policy standards – will put guidelines on personal information collection and post-data-acquisition data usage by businesses.

Come 2020, the California Consumer Privacy Act (“CCPA”) may significantly impact businesses’ data practices, with new and burdensome compliance obligations such as “sale” opt-out requirements and, in certain circumstances, restrictions on tiered pricing and service levels. The breadth of personal information covered by the CCPA, going beyond what is typically covered by U.S. privacy laws, will complicate compliance and business operations.

Who needs to comply with CCPA

Companies, especially those outside of California, may wonder whether they are subject to the CCPA. CCPA applies to for-profit entities that (1) have greater than $25 million in gross annual revenues; (2) annually handle personal information of 50,000 or more consumers, households, or devices; or (3) derive 50% or more of annual revenue from selling personal information. These criteria will result in a wide swath of businesses being subject to the CCPA. For example, a website might only need 137 unique visitors from California per day to reach the threshold of 50,000 consumers. That website’s collection of data through cookies may be captured by the CCPA’s broad definition of personal information. And given the third criterion focused on revenue percentage, even very small businesses that regularly exchange data, for example in the online ecosystem, might be captured if their activities are deemed to be a “sale” under the CCPA.

CCPA PRIVACY OVERSIGHT

The CCPA will impose substantial compliance obligations on all businesses that handle personal information of California consumers. Such obligations may pose particular challenges for the ever increasing array of businesses that leverage consumer data for analytics, profiling, advertising, and other monetization activities, particularly as the compliance requirements are not easily gleaned from the statutory language. Addressing these challenges will require creative, thoughtful approaches and may potentially involve industry-wide coordination to develop and advance practical solutions.

CyberSecOp CCPA privacy consultants incorporate your CCPA compliance requirements, powered by a unique combination of deep privacy expertise developed over two decades, proven methodologies refined through tens of thousands of engagements, and powerful technology operating at scale for 20 years.

WHAT DO SECURITY CONSULTANTS DO?

Security consultants deal with various threats to physical and computer security. Security threats come in many forms, such as computer hackers, terrorists, and attacks on physical assets. Security consultants may specialize in building security, natural and man-made disaster prevention, or computer security issues.

Some of the services security consultants may provide for companies or private individuals include installing physical protections such as video surveillance and alarm systems. Physical security risks are an issue for many companies, and security consultants may assess risks such as threats of violence in the workplace and the stability of a building during tornadoes, earthquakes, fires, or other natural disasters, and develop evacuation plans for personnel during emergencies. Security consultants also may advise on building maintenance issues.

What services does a security consultant provide?

Security consultants can also help to incorporate security changes at all levels of the company. Based upon the security audit that is conducted, a security consultant, if allowed to, can implement various new security measures and procedures throughout the company, which can include:

  • Analyzing areas that are currently exposed and if they have had their security compromised in the past;

  • Performing a gap analysis in order to determine whether any areas of a company's current security do not meet accepted industry standards;

  • Gauging the work environment through performing interviews with important personnel and company employees;

  • Providing a list of recommendations based upon the security vulnerabilities found, including security measures that should be incorporated;

  • Policies and procedures;

  • Electronic surveillance and alarm systems;

  • Security personnel.

A security consultant will work closely with management for the purposes of transparent communication and to make sure that any security changes that are implemented are done so within the allotted budget. The degree to which a security consultant can incorporate security changes depends largely upon this, in addition to the management’s instructions.

CyberSecOp Security Services has been providing expert security consulting services for decades. Make sure to contact us today to ask about our advanced security consulting services, which will be personalized to your company’s particular needs.

HHS voluntary healthcare cybersecurity practices

The Department of Health and Human Services has released voluntary cybersecurity practices to the healthcare industry to move organizations “towards consistency” in mitigating cyber threats.

According to HHS, the four-volume publication guides “cost-effective methods that a range of healthcare organizations at every size and resource level can use to reduce cybersecurity risks.” It is meant to raise awareness of cyber threats and provide vetted practices.

“Cybersecurity is everyone’s responsibility—it is the responsibility of every organization working in healthcare and public health,” says HHS Acting Chief Information Security Officer Janet Vogel. “In all of our efforts, we must recognize and leverage the value of partnerships among government and industry stakeholders to tackle the shared problems collaboratively.”

HHS Headquarters in Washington, D.C.

Mandated by the Cybersecurity Act of 2015, HHS convened more than 150 cyber and healthcare experts from government and industry to develop the recommended practices as part of the Healthcare and Public Health Sector Critical Infrastructure Security and Resilience Public-Private Partnership.

“The healthcare industry is truly a varied digital ecosystem—we heard loud and clear through this process that providers need actionable and practical advice, tailored to their needs, to manage modern cyber threats,” says Erik Decker, industry co-lead and chief information security and privacy officer at the University of Chicago Medicine. “That is exactly what this resource delivers; recommendations stratified by the organization's size, written for both the clinician and the IT subject matter expert.”

In addition to the main document, which lays out the five most relevant and current threats to the industry, the publication also recommends ten cybersecurity practices to help mitigate these threats. It also includes two technical volumes geared for IT and security professionals: Technical Volume 1 focuses on cybersecurity practices for small healthcare organizations. In contrast, Technical Volume 2 focuses on techniques for medium and large healthcare organizations.

Microsoft's Emergency Internet Explorer Patch - Kills Lenovo Laptops

Only a few days ago, Microsoft released an emergency Internet Explorer patch bundled in a cumulative update. The patch was rolled out to fix the zero-day vulnerability in Internet Explorer first discovered by a

However, it seems like the patch is creating more problems than fixing them. Out of many known issues, as mentioned by Microsoft in the changelog, one can be regarded as a more severe issue since it is leaving many Lenovo laptops unbootable after installing the patch.

Microsoft says the issue affects only Windows 10 users with a Lenovo laptop that has less than 8 GB of RAM. A few sources report that the issue has affected only PCs still on version 1607, the Windows 10 Anniversary Update (2016).

Since only enterprise PCs can defer updates, those are the machines most likely to have been affected by the unbootable issue.

If you have installed the latest KB4467691 cumulative update on your PC and are facing the same issue, here are the steps Microsoft wants you to follow:

  1. Restart the affected machine into its UEFI settings, disable Secure Boot, and then restart.

  2. If BitLocker is enabled on your computer, you may have to go through BitLocker recovery after Secure Boot has been disabled.
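Before the cumulative update is pushed to a fleet, an administrator will want to know which endpoints match the affected profile described above (Lenovo hardware, under 8 GB of RAM, still on version 1607), whether KB4467691 is already present, and what the Secure Boot and BitLocker state is, since the recovery steps touch both. The following check is an added example written for this page, not code from Microsoft or from the original post. It relies on standard Windows 10 inventory sources (the Win32_ComputerSystem CIM class, the ReleaseId registry value, Get-HotFix, Confirm-SecureBootUEFI and Get-BitLockerVolume); the function name and the property names of the returned object are this example's own choices, and it is meant to run from an elevated prompt.

```powershell
# Added example (not from Microsoft or the original post): report whether this machine
# matches the Lenovo / <8 GB RAM / version 1607 profile affected by KB4467691, and
# record the Secure Boot and BitLocker state that the recovery steps depend on.
function Get-Kb4467691ExposureReport {
    [CmdletBinding()]
    param()

    $cs     = Get-CimInstance -ClassName Win32_ComputerSystem
    $osInfo = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $ramGB  = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)

    # Get-HotFix returns nothing when the KB is not installed.
    $patchInstalled = [bool](Get-HotFix -Id 'KB4467691' -ErrorAction SilentlyContinue)

    # Confirm-SecureBootUEFI throws on legacy-BIOS machines (and when not elevated);
    # $null therefore means "unknown / not applicable" rather than "disabled".
    $secureBoot = $null
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # The BitLocker module is absent on some editions; $null again means "unknown".
    $bitLockerOn = $null
    try {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $bitLockerOn = ($vol.ProtectionStatus -eq 'On')
    } catch { }

    $isLenovo = $cs.Manufacturer -match 'LENOVO'
    $lowRam   = $ramGB -lt 8
    $is1607   = $osInfo.ReleaseId -eq '1607'

    [pscustomobject]@{
        ComputerName      = $cs.Name
        Manufacturer      = $cs.Manufacturer
        ReleaseId         = $osInfo.ReleaseId
        RamGB             = $ramGB
        Kb4467691Present  = $patchInstalled
        SecureBootEnabled = $secureBoot
        BitLockerOn       = $bitLockerOn
        # All three conditions from the article must hold for the known issue.
        MatchesKnownIssue = ($isLenovo -and $lowRam -and $is1607)
    }
}

# Usage: run elevated on each endpoint (or via remoting) and collect the objects.
Get-Kb4467691ExposureReport | Format-List
```

A machine reporting `MatchesKnownIssue` as `True` with `Kb4467691Present` as `False` is the one to hold the update back on; if `BitLockerOn` is `True`, make sure the recovery key is available before Secure Boot is toggled, because the article's recovery procedure can trigger BitLocker recovery.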

MSSP Cybersecurity & Managed Detection and Response

Managed detection and response enables a proactive approach to security with its ability to detect and fully analyze threats and promptly respond to incidents. CyberSecOp threat intelligence is one of the key inputs our security consultants use to help organizations decide how to combat threats. Through managed detection and response, organizations can take advantage of the threat intelligence capabilities of security experts.

How Managed Detection and Response Provides Effective Threat Intelligence

  • Capture full visibility across your entire IT environment

  • Detect the most advanced threats (known and unknown) designed to bypass your traditional perimeter security controls, even when no malware is used

  • Expose threat actors currently hiding in your environment

  • Gain 24x7 monitoring by an advanced team of security experts who are specially trained to analyze advanced threats, determine the severity of any incidents, and provide actionable guidance to remediate

  • Quickly elevate the alerts that matter most so you can focus limited resources where it matters most

Managed Detection and Response Service

Managed Detection and Response (MDR) is an all-encompassing cybersecurity service used to detect and respond to cyber-attacks. Using the best of signature, behavioral and anomaly detection capabilities, along with forensic investigation tools and threat intelligence, human analysts hunt, investigate and respond to known and unknown cyber threats in real time 24x7x365. Get Managed Detection and Response Services for your business www.cybersecop.com.

Cyber Insurance - Is a must have - you will need it

It’s every healthcare organization’s nightmare to get the call that their data has been breached or hacked. As a result, many have turned to cyber insurance to protect assets and business operations.

As cyber policies and carriers lack a universal policy, there’s an even greater worst case scenario: An organization is breached, and the policy doesn’t cover what the leaders thought it did. Now, not only is the healthcare provider strapped with the burden of the breach, it wasted money on a useless cyber insurance policy.

To get a better grasp on how to choose the right policy, Healthcare IT News asked attorney Matthew Fisher, partner with Mirick O’Connell, and Jane Harper, Henry Ford Health System’s director of privacy and security risk management, to outline the biggest policy mistakes -- and how to avoid them.

Mistake #1: Rushing the process

When buying a policy, a carrier will provide a questionnaire that will evaluate your organization’s security posture, program, tools and policies. The biggest mistake is to rush the pre-policy process to see the rates and what the carrier will cover, explained Fisher.

Organizations need to be conservative with how they answer the questions, as “it could be a ground for denial, if you don’t have the policies you said you have in place,” said Fisher. “You have to make sure you’re not unintentionally misleading the insurance company when it comes to coverage.”

Often these questionnaires attempt to create a black and white policy and “it can be tough to answer correctly,” explained Fisher.

“Your ability to be as transparent and truthful upfront is critical to the nonpayment discussion,” said Harper. “If you tell the insurance company that you have everything in place and are compliant, if you tell them that and then you have an issue, and you weren’t truthful, it ends up being a legal battle.”

“When you submit your checklist that they have you fill out, meet with the underwriter to make sure you understand what you’ve documented,” she added. “You also need the copy that was provided to the insurance company because it will come back into play when you submit the final documents.”

For example, if you say you have a specific control in place, and you actually don’t, Harper explained that can create a situation where “they thought they had an understanding of something, but they didn’t.”

“Be honest, transparent and accurate -- because they can deny your policy if you were inaccurate or misleading in your responses,” she said.

Mistake #2: Lax, incomplete risk assessment

It’s easier to prevent a misleading or false statement to an underwriter when an organization has a strong assessment and inventory of the processes and tools on its systems. But far too often, hospitals “don’t know everything about the control environment,” explained Harper.

“When you talk about protecting a system and preventing a cyber incident, you have to have a good understanding of the organization’s overall control environment,” Harper said. “It’s key, as the longer it takes you to identify that you’ve had an incident, it leads to more exposure and the longer it takes to recover.”

But it’s also important to remember to update this inventory or assessment when buying new tools, merging with other organizations, hiring new staff and the like, Harper explained.

“Think about all of the activities and operations that happen,” she said. “And every three years, you’re updating a cybersecurity checklist -- that may not be frequent enough.”

For example, Harper explained that an organization filling out the policy questionnaire may have all of the right elements in place. But if another tool was purchased and the controls weren’t updated or the control was removed and the underwriter was not notified, there could be a problem.

“If those controls played into how the underwriter rated you: that can be key,” said Harper. “Think about your own home: you get additional discounts when you have a burglar alarm. So if you get one, and let them know, you may get a lower rate…  But if you no longer have that control, you have to tell the carrier.”

“It’s the same kind of practice that we want to get into when we get into cyber insurance for our organization,” she added.

Mistake #3: Failing to involve the right people

Many organizations understand that security needs to exist outside of the IT team. In the same vein, it’s crucial when buying a cyber insurance policy that the same mentality is applied to make sure all of your bases are covered.

“Make sure you are talking to the right individuals,” Harper said. “The appropriate key stakeholders are not only involved with the evaluation process - how many patients, how much data, etc. -- but also the responses to the questions the policy is going to ask.”

“Risk folks typically talk about it as it relates to patients,” she continued. “Those folks are key, but in addition, you need your privacy and security risk professionals, security officers, IT leader, your key business leaders/owners and those driving the data. It’s key.”

Also crucial? Making sure the facilities team is involved, as a cyber incident can sometimes stem from a physical issue. Harper explained that “often people tend to focus on things like electronic PHI, but there’s physical PHI. If there’s a break-in at a warehouse and data is stolen, OCR considers that a breach.”

Mistake #4: Failing to understand coverage

Far too often organizations make large assumptions as to just what cyber insurance will cover. Fisher explained that these leaders are often shocked to learn that they did not receive the full spectrum of coverage they wanted.

“Relying on blind faith on those terms, or what the broker or agent is telling you is a major mistake,” said Fisher. “It’s always up to you to go into something with eyes fully wide open to make sure you know what you’re actually buying.”

Harper took it a step further and laid to rest a common misconception when it comes to coverage: “Insurance will not cover fines and penalties associated with noncompliance. If you’re not compliant, and you didn’t do risk assessments, cyber insurance won’t protect you from that, so don’t expect it.”

Ransomware Business Impacts, Ransomware Business Cost

Projecting the overall cost of a ransomware attack can be tricky for security executives, given the many factors that come into play when responding to and recovering from one. Information from numerous previous incidents shows that the costs go well beyond any demanded ransom amount and the costs associated with cleaning infected systems.

Ransomware is a form of malicious software designed to restrict users from accessing their computers, or the files stored on them, until they pay a ransom to cybercriminals. Ransomware typically operates on the cryptovirology model, using symmetric as well as asymmetric encryption to prevent users from transferring or accessing particular files or directories. Cybercriminals use ransomware to lock files on the assumption that those files hold information crucial enough that the users will be compelled to pay the ransom in order to regain access.

Ransomware History

It’s been said that ransomware was introduced as the AIDS Trojan in 1989, when Harvard-educated biologist Joseph L. Popp sent 20,000 compromised diskettes named “AIDS Information – Introductory Diskettes” to attendees of the international AIDS conference organized by the World Health Organization. The Trojan worked by encrypting the file names on the victims’ computers and hiding directories. The victims were asked to pay $189 to PC Cyborg Corp. at a mailbox in Panama.

From 2006 onward, cybercriminals became more active and started using asymmetric RSA encryption. They launched the Archiveus Trojan, which encrypted the files in the My Documents directory. Victims were promised the 30-digit password only if they made a purchase from an online pharmacy.

After 2012, ransomware started spreading worldwide, infecting systems and evolving into more sophisticated forms that made attack delivery easier as the years went by. In Q3, about 60,000 new ransomware samples were discovered, a figure that had grown to over 200,000 by Q3 of 2012.

The first version of CryptoLocker appeared in September 2013 and the first copycat software called Locker was introduced in December of that year.

Ransomware has been described by the U.S. Department of Justice as a new model of cybercrime with the potential to cause impacts on a global scale. Statistics indicate that the use of ransomware is on a steady rise; according to Veeam, businesses had to pay $11.7 on average in 2017 due to ransomware attacks. Alarmingly, the annual ransomware-induced costs, including the ransom and the damage caused by ransomware attacks, are expected to exceed $11.5 billion by 2019.


Ransomware Business Impacts Can Be Worrisome

Ransomware can cause tremendous impacts that can disrupt business operations and lead to data loss. The impacts of ransomware attacks include:

  • Loss or destruction of crucial information

  • Business downtime

  • Productivity loss

  • Business disruption in the post-attack period

  • Damage to the systems, data, and files held hostage

  • Loss of reputation of the victimized company

Beyond the ransom itself, the cost of downtime caused by restricted system access can have major consequences. In fact, losses due to downtime may run to tens of thousands of dollars per day.

As ransomware continues to become more and more widespread, companies will need to revise their annual cybersecurity goals and focus on the appropriate implementation of ransomware resilience and recovery plans and commit adequate funds for cybersecurity resources in their IT budgets.

Consider the following examples. The Erie County Medical Center (ECMC) in Buffalo, NY, last July estimated it spent $10 million responding to an attack involving a $30,000 ransom demand. About half the amount went toward IT services, software, and other recovery-related costs. The other half stemmed from staff overtime, costs related to lost revenues, and other indirect costs. ECMC officials estimated the medical center would need to spend hundreds of thousands of dollars more on upgrading technology and employee awareness training.

Public records show that the City of Atlanta spent almost $5 million just in procuring emergency IT services following a March 2018 ransomware attack that crippled essential city services for days. The costs included those associated with third-party incident response services, crisis communication, augmenting support staff and subject matter expert consulting services.

In Colorado, Gov. John Hickenlooper had to set aside $2 million from the state disaster emergency fund after ransomware infected some 2,000 Windows systems at CDOT, the state department of transportation, this February. In less than eight weeks, CDOT officials spent more than half that amount just returning systems to normal from the attack.

Not surprisingly, industry estimates relating to ransomware damages have soared recently. Cybersecurity Ventures, which pegged ransomware costs at $325 million in 2015, last year estimated damages at $5 billion in 2017 and predicted it would exceed $11.5 billion in 2019.

For security executives trying to prepare a total ransomware cost estimate, the key is not to get fixated on the ransom amount itself. Even if you end up paying it to recover your data—something that most security analysts advocate against—the actual costs of the attack in most cases will end up being greater.


Risk Facing Financial Services

Financial services institutions have changed significantly over the last decade – from utilizing technology in new ways to stay competitive and drive efficiencies, to adapting business practices in light of the global financial crisis and recent narrow interest margin markets.

As these businesses evolve, they’re faced with a new range of exposures that can result in significant and lasting commercial costs, and traditional exposures come to light in a different context. Crime has also changed for these businesses, with a growing number of attacks against financial institutions taking place online and through digital means.

To better understand this changing landscape, we’ve outlined the top risks facing financial institutions today:

Social engineering and funds transfer fraud

Some of the most frequent cyber claims made by businesses in the past year involved funds transfer fraud and some form of social engineering. Funds transfer fraud is often carried out by criminals leveraging fraudulent emails or phone calls to request the transfer of funds from a legitimate account to their own. In some cases, fraudsters will pose as a senior executive appearing to give urgent instructions to a junior employee. While financial institutions have stronger control processes, including separation of responsibilities, both banks and their clients are at risk of falling victim to these types of attacks, and as long as they continue to prove successful, we expect this threat to grow in both frequency and severity. Financial institutions should consider employee training on these newer forms of fraud, including how to identify phishing emails. Banks should also be concerned about their customers’ susceptibility to social engineering fraud, and should consider education campaigns where relevant.

Adherence to post-crisis regulation

Following the mortgage crisis in 2007-2008 and the subsequent global financial crisis, the regulatory burden on banks has increased significantly. This brings additional costs in meeting the new requirements, along with higher potential penalties if an institution fails to comply. In many instances, the fines and penalties that follow regulatory failures are uninsured or uninsurable. Financial institutions should seek cover that includes regulatory enquiry costs and expenses.

Falling prey to predatory banking

Financial institutions have found themselves in a narrow interest margin environment, which means the pressure on banks to generate revenue from non-interest earnings is intense. In some cases, the desire to drive revenue through new or existing products has led to instances of selling inappropriate products to consumers, resulting in significant consumer claims. Institutions must ensure that their products are suitable and that they meet the needs and expectations of the consumer. It’s also important for institutions to ensure their remuneration policies do not inadvertently encourage the mis-selling of products. The fallout from consumer protection scandals can be costly not only from a legal and regulatory standpoint, but also in terms of damage to the brand.

Reputational damage

Predatory banking is only one type of behavior that can bring reputational harm to financial institutions. Large institutions can suffer backlash for a variety of misdeeds made public, for instance the failures in anti-money-laundering controls at Wells Fargo or HSBC, which were hammered in the media for their behavior. On a smaller scale, for regional and community-based institutions, the power of social media means that reputational damage spreads far faster than ever before.

Systemic instability

Nearly a decade later, the effects of the global financial crisis are still being felt by financial institutions around the world. Recent concerns over Deutsche Bank’s operational cutbacks and stock price decline have shown there is still uncertainty around the performance of even the biggest financial organizations. Additionally, recent instability in Europe – particularly in Italy and Spain, as well as the still incomplete negotiation – could have effects elsewhere, including in the US, where European-headquartered institutions such as Deutsche Bank, Barclays and HSBC are systemically significant.

Challenger banks and new technology

The traditional banking model is increasingly challenged by newcomers trying to use technology to replace existing processes and disrupt the status quo. In the UK and Europe, challenger banks are gaining traction among younger generations and early adopters. In the US, there are few online-only challenger banks, but there is increasing competition from payment processors, online non-bank lenders and other providers who are edging their way towards areas conventionally controlled by banks. The risk for traditional institutions will not only be economic: they will also need to provide more services to their clients to remain competitive and relevant, and they may need to reassess their cyber exposure as they put more systems online.

Cybersecurity Future and Artificial Intelligence (AI)

As businesses struggle to combat increasingly sophisticated cybersecurity attacks, the severity of which is exacerbated both by the vanishing IT perimeters of today’s mobile and IoT era and by an acute shortage of skilled security professionals, IT security teams need both a new approach and powerful new tools to protect data and other high-value assets. Increasingly, they are looking to artificial intelligence (AI) as a key weapon to win the battle against stealthy threats inside their IT infrastructures, according to a new global research study conducted by the Ponemon Institute on behalf of Aruba, a Hewlett Packard Enterprise company (NYSE:HPE).

The Ponemon Institute study, entitled “Closing the IT Security Gap with Automation & AI in the Era of IoT,” surveyed 4,000 security and IT professionals across the Americas, Europe and Asia to understand what makes security deficiencies so hard to fix, and what types of technologies and processes are needed to stay a step ahead of bad actors within the new threat landscape.

The research revealed that in the quest to protect data and other high-value assets, security systems incorporating machine learning and other AI-based technologies are essential for detecting and stopping attacks that target users and IoT devices. The majority of respondents agree that security products with AI functionality will help to:

  • Reduce false alerts (68 percent)

  • Increase their team’s effectiveness (63 percent)

  • Provide greater investigation efficiencies (60 percent)

  • Advance their ability to more quickly discover and respond to stealthy attacks that have evaded perimeter defense systems (56 percent)

Twenty-five percent of respondents said they currently use some form of an AI-based security solution, with another 26 percent stating they plan on deploying these types of products within the next 12 months.

Current Security Tools are not Enough

“Despite massive investments in cybersecurity programs, our research found most businesses are still unable to stop advanced, targeted attacks – with 45 percent believing they are not realizing the full value of their defense arsenal, which ranges from 10 to 75 security solutions,” said Larry Ponemon, chairman, Ponemon Institute. “The situation has become a ‘perfect storm,’ with nearly half of respondents saying it’s very difficult to protect complex and dynamically changing attack surfaces, especially given the current lack of security staff with the necessary skills and expertise to battle today’s persistent, sophisticated, highly trained, and well-financed attackers. Against this backdrop, AI-based security tools, which can automate tasks and free up IT personnel to manage other aspects of a security program, were viewed as critical for helping businesses keep up with increasing threat levels.”

IoT and Cloud Add Significant Risk

Ponemon researchers found that the majority of IT security teams believe a key gap in their company’s overall security strategy is their inability to identify attacks that use IoT devices as the point of entry. In fact, more than three-quarters of respondents believe their IoT devices are not secure, with 60 percent stating that even simple IoT devices pose a threat. Two-thirds of respondents admitted they have little or no ability to protect their “things” from attacks. Continuous monitoring of network traffic, closed-loop detection and response systems, and detection of behavioral anomalies among peer groups of IoT devices were cited as the most effective approaches to better protect their environments.

Even the ownership model for IoT security presents potential risk. When asked who inside their organization was responsible for IoT security, responses ranged across the CIO, CISO, CTO, and line-of-business leaders, with no majority consensus. Only 33 percent identified the CIO, with no other executive or functional group achieving response totals above 20 percent. Surprisingly, “No Function” was the third-highest answer (15 percent).

Survey results also highlighted the importance of visibility and the ability to define which resources people and IoT devices can access, with 63 percent of respondents stating that network access control is an important element of their company’s overall security strategy and critical for reducing the reach of inside exploits. Also cited as important was having detailed information about applications (71 percent), endpoints (69 percent), cloud (64 percent), and networks (63 percent), with more than half saying they currently deploy network access control solutions to enable visibility and control across both wired and wireless networks.

Additionally, more than half of respondents said it’s hard to protect expanding and blurring IT perimeters resulting from requirements to concurrently support IoT, BYOD, mobile, and cloud initiatives (55%).

“Partnering with the Ponemon Institute helps us to improve customer experiences by better understanding security teams’ challenges, and then arming them with advanced solutions that enable quick identification and responses to an ever-changing threat landscape,” said Larry Lunetta, vice president of security solutions marketing for Aruba. “The insight gained from this study enables us to continually improve our ability to provide an enterprise wired and wireless network security framework with an integrated and more comprehensive approach for gaining back visibility and control.”