The Main Purpose of Cryptocurrency Mixer and/or Splitter Services is Fraud and Money Laundering.

Cryptocurrency mixer and/or splitter services serve no valid “real-world” ethical business use case, considering the FinTech and legal options available. Even in the very rare case where you are a refugee fleeing a financially abusive government regime, or a terrorist organization is seeking to steal your assets while the national currency is failing, as in Venezuela, which I wrote about in my 2014 article, the matter is about political revolution and your personal safety more than anything else. Although cases like this give a valid reason why you might want to mix and/or split your crypto assets, that is not fully the same use case we are talking about here with the recent uptick in crypto mixer and/or splitter service use. It is only fair that we discuss the most likely and common use case, which is trending up, and not the few rare edge cases. That use case is fraud and money laundering.

The evidence does not support that a regular crypto exchange is the same thing as a mixer and/or splitter service. For definition’s sake, I am not defining mixing and/or splitting cryptocurrency as the same thing as selling, buying, or converting it – all of this can be done on one or more of the crypto exchanges, which is why they are called exchanges. If they were the same or even considerably similar, then why would people and orgs use the mixer and/or splitter services at all? They use them because they offer a considerably different service. Using a mixer and/or splitter service assumes you have already obtained some crypto, from a separate exchange one or more steps earlier in the daisy chain. This can be done via legal or illegal means. Moreover, why are they paying repeated and hugely excessive fees for these services? The fees are out of line with anything comparable because the operators carry higher compliance and legal risk, in that they could get sanctioned like Blender.io and others.

You can still have privacy, if that is what you are seeking, via legal moves such as a trust tied to a separate legal entity, a family office entity, converting to real estate, or a marriage entity – if you have time to do the paperwork. Legally savvy people often have anonymity over their assets to avoid fraudsters and sales reps, or just for privacy’s sake – but again, that is still not the same use case. Even when people/orgs use these legal instruments for privacy, they still have compliance reporting and tax obligations – i.e., some disclosure. Keep in mind that some disclosure serves to protect you, by establishing that you in fact own the assets you say you own. Using these legal instruments with the right technical security, including an encrypted VPN and multifactor authentication, serves to sustain privacy, and you will then not need a crypto mixer and/or splitter.

Yet if you had cryptocurrency and wanted strong privacy to protect your assets, why would you not at least use some of the aforementioned legal instruments or the like? Mostly because any attorney worth anything would be obligated to report blatant suspected fraud, and would not want to tarnish their name on the filings, etc. Specifically, the attorney would have to see and know which entities the crypto was coming from and going to, and under what contexts, and that could trigger them to report the client or refuse to work with them – i.e., a fraudster would want to avoid getting detected.

Specifically, the use of multiple legal entities in different countries in a daisy chain of crypto coin mixing and/or splitting tends to be the pattern for persistent fraud and money laundering. That was the case in the 4.5-billion-dollar crypto theft out of NY and in the Blender mixing fraud, and many other cases.

A recent U.S. Treasury press release concerning mixer service money laundering described it this way:

  • “Blender.io (Blender) is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties. Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations. While the purported purpose is to increase privacy, mixers like Blender are commonly used by illicit actors. Blender has helped transfer more than $500 million worth of Bitcoin since its creation in 2017. Blender was used in the laundering process for DPRK’s Axie Infinity heist, processing over $20.5 million in illicit proceeds.”
Fig 1. U.S. Treasury Dept, Blender.io Crypto Mixer Fraud, 2022.

The question we as a society should be thinking about is tech ethics. What design feature crosses the line by enabling fraud so much that it should not be pursued? For example, Silk Road crossed the line, enabling the sale of illegal drugs, extortion, and other crime. Hacker networks cross the line when they breach companies and steal their credit card data and put it up for sale on the dark web. Facebook crossed the line when it enabled bias and undue favor to impact policy outcomes.

Crypto mixer and/or splitter services (not mere crypto exchanges) are about as close to “money laundering as a service” as it gets – relative to anything else technically available, excluding the dark web, where far worse things are available. Obviously, the developers, product owners, and project managers behind crypto mixer and/or splitter services like this are serving the fraud and money laundering use case more than anything else. Organized crime rings, in some form, are very likely giving them money and direction to this end.

If you support and use mixer and/or splitter services, then you run the risk of having your digital assets mixed with dirty digital assets; you pay extortionate fees; you have zero customer service, no regulatory protection, and no decent Terms of Service and/or Privacy Policy, if any; and you have no guarantee that it will even work the way you think it will.

In fact, you have so much decentralized “so-called” privacy that it could work against you. For example, imagine you pay the high fees to mix and split your crypto multiple times, and then your crypto is stolen by one of the mixing and/or splitting services. This is likely because they know many of their customers are committing fraud and money laundering, and even those who are not are still associated with these platforms. Therefore, if the platform operators steal crypto in this process, the victims have little incentive to speak up. Moreover, the mixing and/or splitting service companies have a nice cover for stealing it: privacy. They won’t admit that they stole it but will say something like “everything is private and so we can’t see or know, but you are responsible for what private assets you have or don’t have”. They will say something like “stealing it is impossible”, which of course is a complete lie.

In sum, what reason do you have to trust a crypto mixing and/or splitting service with your digital assets, as outlined above, when they are hardly incentivized to protect them or you and operate in the shadows of antiquated non-western fintech regulation? So, what do you really get besides likely fraud? What is the business rationale behind using these services, as outlined above, considering that no solid argument or evidence can support privacy alone as the reason, and what net benefit do you get besides enabling money laundering and fraud?

Now there are valid use cases for crypto and blockchain generally and here are five of them:

  1. Innovative tech removing the central bank for peer-to-peer exchange that is faster and more global, especially helping the underbanked countries.
  2. Smart contracts can be built on blockchain.
  3. Blockchain can be used for crowdfunding.
  4. Blockchain can be used for decentralized storage.
  5. The traditional cash and coin supply chain is burdensomely wasteful, costly, dirty, and counterfeiting is a real issue. Why do you need to carry ten dollars in quarters or a wad of twenty-dollar bills or even have that be a nation’s economic backing in today’s tech world?

Here are six tips to identify crypto-related scams:

  1. With most businesses, it should be easy to find out who the key operators are. If you can’t find out who is running a cryptocurrency or exchange via LinkedIn, Medium, Twitter, a website, or the like, be very cautious.
  2. Whether in cash or cryptocurrency, any business opportunity promising free money is likely to be fake. If it sounds too good to be true it likely is. Multi-level marketing is one old example of this scam.
  3. Never mix online dating and investment/financial advice. If you meet someone on a dating site or social media app and they then want to show you how to invest in crypto, or they ask you to send them crypto, it is a scam, no matter what sob story or huge return they are claiming (FTC).
  4. Watch out for scammers who pretend to be celebrities who can multiply any cryptocurrency you send them. If you click on an unexpected link they send or send cryptocurrency to a so-called celebrity’s QR code, that money will go straight to a scammer, and it’ll be gone. Celebrities don’t have time to contact random people on social media, but they are easily impersonated (FTC).
  5. Celebrities are however used to pump crypto prices via social media, so they get a windfall, and everyone else takes a hit. Watch out for crypto like Dogecoin which is heavily tied to celebrity pumps with no real-world business value. If you are lucky enough to get ahead, get out then.
  6. Watch out for scammers who make big claims without details, white papers, filings, or explanations at all. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details in many documents and filings (FTC).

Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments, including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combining Google+ video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

Top 16 Ways SMBs Can Mitigate Cyber Risks and Threats.

Fig. 1. Stock Cyber Brain Graphic, 2022.
  1. Sign up for DHS CISA e-mail alerts specific to your company and industry needs and review the alerts:
    1. Sign up here.
    2. Use the free DHS developed CSET (Cybersecurity Evaluation Tool) to assess your security posture – High, Med, or Low. CSET is downloadable here.
  2. Educate Employees About Cyber Threats and Hold Them Accountable:
    1. Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business.
    2. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. 
    3. Use games with training and hold everyone accountable to security policies and procedures.
    4. This needs to be embedded in the culture of your company.
    5. Register for free DHS cyber training here.
    6. Use the free DHS SMB cyber resource toolkit.
  3. Protect Against Viruses, Spyware, and Other Malicious Code:
    1. Make sure each of your business’s computers is equipped with antivirus and antispyware software that is updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Be especially wary of freeware, which often carries malvertising.
  4. Secure Your Networks:
    1. Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID).
    2. Protect access to the router with a strong password (for example, xeeityyg18695845%&*&RELxu78IGO).
    3. Lastly, use a VPN (virtual private network).
  5. Control Physical Access to Computers and Network Components:
    1. Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords.
    2. Administrative privileges should only be given to trusted IT staff and key personnel.
  6. Create A Mobile Device Protection Plan:
    1. Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks.
    2. Use a containerization application to separate personal data from company data.
    3. Be sure to set reporting procedures for lost or stolen equipment.
  7. Protect All Pages on Your Public-Facing Webpages, Not Just the Checkout and Sign-Up Pages:
    1. Make sure submission forms can block spam and can block code execution (cross-site scripting attacks).
  8. Establish Security Practices and Policies to Protect Sensitive Information:
    1. Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies and who is accountable.
  9. Base Your Security Strategy Significantly on the NIST Cybersecurity Framework 1.1: Identify, Detect, Defend, Respond, and Recover:
    1. The NIST Cybersecurity Framework Small Business Resources are linked here.
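Tip 7 above asks that submission forms block spam and cross-site scripting. The following is an added illustration, not code from the original article: a minimal contact-form handler in Python, shown first in the form that reflects untrusted input straight into the page and then hardened with output encoding, allow-list validation, a honeypot field for bots, and a Content-Security-Policy header. The field names, sample submissions and header values are constructed for the example.

```python
import html
import re

# Constructed form submissions, as a contact-form handler would receive them.
# "website" is a hidden honeypot field that real visitors never fill in.
SUBMISSIONS = [
    {"name": "Ada", "message": "Please call me back.", "website": ""},
    {"name": "<script>alert(1)</script>", "message": "hi", "website": ""},
    {"name": "Bob", "message": "<img src=x onerror=\"fetch('//attacker.example')\">", "website": ""},
    {"name": "Buy now", "message": "cheap stuff", "website": "http://spam.example"},
]

# Allow-list for the name field: letters, spaces and a few punctuation marks.
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'\-]{0,59}")
MAX_MESSAGE = 2000

# Response headers that limit what injected markup could do even if some
# template elsewhere forgot to encode. Values are illustrative.
SECURITY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}


def render_vulnerable(sub):
    """BAD: untrusted fields go straight into the page, so a submitted
    <script> tag runs in every browser that views the thank-you page."""
    return f"<p>Thanks {sub['name']}, we received: {sub['message']}</p>"


def render_hardened(sub):
    """Encode every untrusted field for the HTML text context it lands in.
    Encoding at output is the actual XSS fix; validation below is defense in depth."""
    name = html.escape(sub["name"], quote=True)
    message = html.escape(sub["message"], quote=True)
    return f"<p>Thanks {name}, we received: {message}</p>"


def validate(sub):
    """Server-side allow-list validation; returns the names of rejected fields."""
    bad = []
    if sub.get("website"):  # honeypot filled in: almost certainly a bot
        bad.append("website")
    if not NAME_RE.fullmatch(sub.get("name", "")):
        bad.append("name")
    if not 1 <= len(sub.get("message", "")) <= MAX_MESSAGE:
        bad.append("message")
    return bad


def handle(sub):
    """Return (status, headers, body) for one submission."""
    bad = validate(sub)
    if bad:
        body = "<p>Rejected fields: " + html.escape(", ".join(bad)) + "</p>"
        return 400, SECURITY_HEADERS, body
    return 200, SECURITY_HEADERS, render_hardened(sub)


if __name__ == "__main__":
    for sub in SUBMISSIONS:
        status, _, body = handle(sub)
        print(status, body)
```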
Fig. 2. NIST Cyber Security Framework Sub Tasks, NIST, 2022.
  10. Require Employees to Use Strong Passwords and to Change Them Often:
    1. Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account. Smart card plus passcode, for example.
  11. Employ Best Practices on Payment Cards:
    1. Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.
    2. Outsource some or all of it and know where your risk responsibility ends.
  12. Make Backup Copies of Important Business Data and Use Encryption When Possible:
    1. Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.
    2. Back up all key files via the 3-2-1 rule — three copies of files, on two different media, with one offsite — thus reducing ransomware attack damage.
  13. Make Sure Your Vendors Have the Required Security Compliance Attestations and Insurance:
    1. SOC 2, PCI, and HIPAA, for example.
    2. Cyber/data breach insurance should be separate from general business liability, and you should know the exclusions and sub-limits.
  14. Use a Password Management Tool and Strong Passwords:
    1. Another way to stay safe is by setting passwords that are longer, more complex, and thus hard to guess. Additionally, they can be stored encrypted for safekeeping using a well-regarded password vault and management tool. This tool can also help you set strong passwords and can auto-fill them at each login — if you select that option. Using the vault alone is not all that is recommended; doing both of these things makes it difficult for hackers to steal passwords or access your accounts.
  15. Use Only Whitelisted Sites, Not Blacklisted Ones or Ones Found Via the Dark Web:
    1. Use only approved whitelisted platforms and sites that do not expose you to data leakage or intrusion on your privacy. Whitelisting is the practice of explicitly allowing some identified websites a particular privilege, service, or access. Blacklisting is blocking certain sites or privileges. If a site does not assure your privacy, do not even sign up, let alone participate.
  16. Mimic Your Likely Threats with a Threat Modeling Methodology That Works for Your Industry:
    1. PASTA, VAST, and FAIR are just a few.

Five Cyber-Tech Trends of 2021 and What it Means for 2022.

Minneapolis 01/08/22

By Jeremy Swenson

Intro:

Every year I like to research and comment on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic and the mass resignation/gig economy continue to be a large part of the catalyst for most of these trends. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprises in big and small ways.

Fig. 1. Facebook Whistle Blower and Disinformation Mashup (Getty & Stock Mashup, 2021).

Summary:

The pandemic continues to be a big part of the catalyst for digital transformation in tech automation, identity and access management (IAM), big data, collaboration tools, artificial intelligence (AI), and increasingly the supply chain. Disinformation efforts morphed and grew last year, challenging data and culture. This requires us to put more attention on knowing and monitoring our own social media baselines. We no longer have the same office due to mass work from home (WFH) and the mass resignation/gig economy. This implies increased automated zero-trust policies and tools for IAM, with less physical badge access required. The security perimeter is now more defined by data analytics than by physical/digital boundaries.

The importance of supply chain cyber security was elevated by the Biden Administration’s Executive Order 14017 in response to hacks including SolarWinds and Colonial Pipeline. Education and awareness around the review and removal of non-essential mobile apps grows as a top priority as mobile apps multiply. All the while, data breaches and ransomware reach an all-time high while costing more to mitigate.

1) Disinformation Efforts Accelerate Challenging Data and Culture:

Disinformation has not slowed down any in 2021 due to sustained advancements in communications technologies, the growth of large social media networks, and the “appification” of everything thereby increasing the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo; Bloomberg, 05/18/2019).

Today’s disinformation war is largely digital, via platforms like Facebook, Twitter, Instagram, Reddit, WhatsApp, Yelp, TikTok, SMS text messages, and many other lesser-known apps. Yet even state-sponsored and private news organizations are increasingly the weapon of choice, creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace and stop it. Further complicating this phenomenon is the number of app-to-app permissions: for example, the CNN and Twitter apps having permission to post to Facebook, then Facebook having permission to post to WordPress, then WordPress posting to Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and original source, but it also weakens privacy and security due to the many authentication permissions involved. The copied data is duplicated at each of these layers, which is an additional consideration.

We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since most disinformation draws in viewers, which drives clicks and ad revenue, it is a money-making machine. If you can significantly control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2021 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA; 09/28/2021). This negatively impacts culture by setting a misguided example of what is acceptable.

There were several widely reported cases of political disinformation in 2021, including misleading texts, e-mails, mailers, Facebook censorship, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap, these disinformation bursts riled political opponents on both sides in all states, creating miscommunication, ad hominem attacks, and even derailed careers with impacts into the future (PBS; The Hinckley Report, 11/24/20 and Daniel Funke; USA Today, 12/23/21).

Facebook is significantly involved in disinformation, as one recent study stated: “Globally, Facebook made the wrong decision for 83 percent of those ads that had not been declared as political by their advertisers and that Facebook or the researchers deemed political. Facebook both overcounted and undercounted political ads in this group” (New York University; Cybersecurity For Democracy, 2021). Of course, Facebook disinformation whistleblower Frances Haugen, who testified before Congress in 2021, is only more evidence of these and related Facebook failings. Specifically, that “Facebook executives, including CEO Mark Zuckerberg, misstated and omitted key details about what was known about Facebook and Instagram’s ability to cause harm” (Bobby Allyn; NPR, 10/05/21).

Fig. 2. Facebook Gaps in Ad Transparency (IMEC-DistriNet KU Leuven and NYU Cyber Security for Democracy, 2021).

With the help of Facebook’s misinformation, huge swaths of confused voters and activists aligned more with speculation and emotion/hype than with unbiased facts, and/or projected themselves as fake commentators. This dirtied the data in terms of the election process and begs the question: which parts of the election information process are broken? It normalizes petty policy fights, emotional reasoning, and a lack of unbiased intellectualism, negatively impacting western culture, all to the threat actor’s delight. Increased public-private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.

2) Identity and Access Management (IAM) Scrutiny Drives Zero Trust Orchestration:

The pandemic and mass resignation/gig economy have pushed most organizations to a mass work-from-home (WFH) posture. Generally, this improves productivity, making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders started speeding up the deployment of zero trust capabilities in 2020 (Andrew Conway; Microsoft, 08/19/20), and there is no evidence to suggest this is slowing down in the next year; rather, it is likely increasing to support zero trust orchestration. Orchestration is enhanced automation between partner zero trust applications and data, while leaving next to no blind spots. This reduces risk and increases visibility and infrastructure control in an agile way. The quantified benefit of deploying mature zero trust capabilities, including orchestration, is on average $1.76 million less in breach response costs when compared to an organization that has not rolled out zero trust capabilities (IBM Security, Cost of a Data Breach Report, 2021).

Fig. 3. Zero Trust Components to Orchestration (Microsoft, 09/17/21).

Zero trust moves organizations to a need-to-know-only access mindset with inherent deny rules, all the while assuming you are compromised. This implies single sign-on at the personal device level and improved multifactor authentication. It also implies better role-based access controls (RBAC), firewalled networks, improved need-to-know policies, effective whitelisting and blacklisting of apps, group membership reviews, and state-of-the-art PAM (privileged access management) tools for the next year. In the future, more of this is likely to be better automated and orchestrated (Fig. 3) so that one part does not hinder another via complexity fog.

3) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:

This increased WFH posture blurs the security perimeter physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real time. Prior audits, security controls, and policies may therefore be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set badge access to disabled by default. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real time, and the related exception policies should be re-evaluated.

New data lakes and machine-learning-informed patterns can better define security perimeter baselines. One example is knowing what percent of your remote workforce is on which internet providers, and of what type: for example, Google Fiber, Comcast cable, CenturyLink DSL, AT&T 5G, etc. Only certain modems work with each of these networks, and that leaves a data trail. Of course, it could be any type of router. What type of device they connect with (Mac, Apple, VM, or other), and whether it is healthy, can all be determined as part of security perimeter analytics.
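As an added example (not from the original article), the following Python script builds the kind of remote-workforce baseline described above from constructed VPN login lines: the share of logins per internet provider, the providers and operating systems each user has been seen on, and device posture. It then flags today’s logins that fall outside that baseline. The log format, user names, ISP labels and IP addresses are all constructed; in practice the ISP field would come from an IP-to-ASN lookup on your VPN or identity-provider logs.

```python
from collections import Counter, defaultdict
import re

# One line per VPN login. The field layout is constructed for this example;
# a real source would be a VPN concentrator or IdP sign-in log with the
# ISP/ASN added from an IP-to-ASN lookup.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) isp=(?P<isp>\S+) "
    r"os=(?P<os>\S+) posture=(?P<posture>healthy|unhealthy)$"
)

# Constructed baseline: a quiet week of logins (documentation IP ranges).
BASELINE_LOG = """\
2021-11-01T08:01:00Z user=alice ip=203.0.113.10 isp=Comcast os=Windows posture=healthy
2021-11-02T08:03:00Z user=alice ip=203.0.113.10 isp=Comcast os=Windows posture=healthy
2021-11-03T07:58:00Z user=alice ip=203.0.113.10 isp=Comcast os=Windows posture=healthy
2021-11-04T12:20:00Z user=alice ip=198.51.100.5 isp=ATT_5G os=Windows posture=healthy
2021-11-01T09:10:00Z user=bob ip=203.0.113.44 isp=CenturyLink_DSL os=Windows posture=healthy
2021-11-02T09:12:00Z user=bob ip=203.0.113.44 isp=CenturyLink_DSL os=Windows posture=healthy
2021-11-01T08:30:00Z user=carol ip=203.0.113.77 isp=Google_Fiber os=macOS posture=healthy
2021-11-03T08:31:00Z user=carol ip=203.0.113.77 isp=Google_Fiber os=macOS posture=healthy
2021-11-02T10:00:00Z user=dave ip=198.51.100.9 isp=ATT_5G os=macOS posture=healthy
2021-11-04T10:02:00Z user=dave ip=198.51.100.9 isp=ATT_5G os=macOS posture=healthy
"""

# Constructed "today" logins to score against the baseline.
NEW_LOG = """\
2021-11-08T08:00:00Z user=alice ip=203.0.113.10 isp=Comcast os=Windows posture=healthy
2021-11-08T03:15:00Z user=bob ip=198.51.100.200 isp=Unknown_Hosting os=Windows posture=healthy
2021-11-08T08:40:00Z user=carol ip=203.0.113.77 isp=Google_Fiber os=macOS posture=unhealthy
2021-11-08T10:05:00Z user=dave ip=198.51.100.9 isp=ATT_5G os=Linux posture=healthy
"""


def parse(log_text):
    """Parse log lines into dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def build_baseline(events):
    """Workforce-wide ISP share (percent of logins) plus per-user ISP/OS sets."""
    isp_counts = Counter(e["isp"] for e in events)
    total = sum(isp_counts.values())
    per_user = defaultdict(lambda: {"isps": set(), "oses": set()})
    for e in events:
        per_user[e["user"]]["isps"].add(e["isp"])
        per_user[e["user"]]["oses"].add(e["os"])
    return {
        "isp_share": {isp: round(100.0 * n / total, 1) for isp, n in isp_counts.items()},
        "per_user": dict(per_user),
    }


def evaluate(baseline, events):
    """Return the logins that deviate from the baseline, with the reasons why."""
    findings = []
    for e in events:
        reasons = []
        known = baseline["per_user"].get(e["user"])
        if known is None:
            reasons.append("user not in baseline")
        else:
            if e["isp"] not in known["isps"]:
                reasons.append("isp new for user")
            if e["os"] not in known["oses"]:
                reasons.append("os new for user")
        if e["isp"] not in baseline["isp_share"]:
            reasons.append("isp unseen across workforce")
        if e["posture"] != "healthy":
            reasons.append("device posture unhealthy")
        if reasons:
            findings.append({"ts": e["ts"], "user": e["user"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for isp, pct in sorted(base["isp_share"].items()):
        print(f"{isp:16s} {pct:5.1f}% of baseline logins")
    for f in evaluate(base, parse(NEW_LOG)):
        print(f["ts"], f["user"], "; ".join(f["reasons"]))
```

A login that only differs in ISP (a user on a hotspot) is a lower-grade signal than one from a provider no one in the workforce has ever used, so a real dashboard would weight the reasons rather than treat them equally.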

4) Supply Chain Risk and Attacks Increase Prompting Government Action:

Every organization has a supply chain big or small. There are even subcomponents of the supply chain that can be hard to see like third/fourth-party vendors. A supply chain attack works by targeting a third/fourth party with access to an organization’s systems instead of hacking their networks directly.

In 2021 cybercriminals focused their surveillance on key components of the supply chain, including hacking DNS servers, switches, routers, VPN concentrators and services, and other supply-chain-connected components at the vendor level. Of note was the massive Colonial Gas Pipeline hack that spiked fuel prices this last summer. This was caused by one compromised VPN account, enabled by a leaked password from the dark web (Turton, William; and Mehrotra, Kartikay; Bloomberg, 06/04/21). The SolarWinds hack was another supply-chain-originated attack, in that the attackers got into SolarWinds’ IT management product Orion, which in turn got them into the networks of most of the customers of that product (Lily Hay Newman; Wired, 12/19/21). The research consensus unsurprisingly ties this attack to Russian-affiliated threat actors, and there is no evidence contradicting that.

In response to these and related attacks, the U.S. Presidential Administration issued Executive Order 14017, the heart of which requires those who manufacture and distribute software to gain a new awareness of their supply chain, including what is in their products, even open-source software (White House; 05/12/21). This is in addition to more spending on CISA hiring and on public relations efforts for vulnerabilities and NIST framework conformance. Time will tell what this order delivers, as it is dependent on what private sector players do.

Fig. 4. Supply Chain Cyber Attack Diagram (INSURETrust, 2021).

5) Data Breaches Have Greatly Increased in Number and Cost:

The pandemic has continued to be a part of the catalyst for increased lawlessness including fraud, ransomware, data theft, and other types of profitable hacking. Cybercriminals are more aggressively taking advantage of geopolitical conflict and legal standing gaps. For example, almost all hacking operations are in countries that do not have friendly geopolitical relations with the United States or its allies – and all their many proxy hops would stay consistent with this. These proxy hops are how they hide their true location and identity.

Moreover, with local police departments extremely overworked and understaffed, and their number one priority being the huge uptick in violent crime in most major cities, white-collar cybercrimes remain a low priority. Additionally, local police departments have few cyber response capabilities, depending on the size of their precinct. Often, they must sheepishly defer to the FBI, CISA, and the Secret Service, or their delegates, for help. Yet unsurprisingly, there is a backlog for that as well, with preference going to large companies of national concern that fall clearly into one of the 16 critical infrastructure sectors. That is if turf fights and bureaucratic roadblocks don’t make things worse. Thus, many mid and small-sized businesses are left in the cold to fend for themselves, which often results in them paying the ransomware demand, then being a victim a second time, all the while their insurance carrier drops them.

Further complicating this is lack of clarity on data breach and business interruption insurance coverage and terms. Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented so they are by default behind the technology. Most often general liability business insurance covers bodily injuries and property damage resulting from your products, services, or operations. Please see my related article 10 Things IT Executives Must Know About Cyber Insurance to understand incident response and to reduce the risk of inadequate coverage and/or claims denials.

According to the Identity Theft Resource Center (ITRC)’s Q3 2021 Data Breach Report, there was a 17% year-over-year increase as of 09/30/21. This means that by the time they finish their Q4 2021 report it is likely to be above a 30% year-over-year increase. Breaches are also more costly for the organizations suffering them, according to the IBM Security Cost of a Data Breach Report (Fig. 5).

Fig 5. Cost of A Data Breach Increases 2020 to 2021 (IBM Security, 2021).

From 2020 to 2021 the average cost of a data breach in U.S. dollars rose to $4.24 million from $3.86 million. This is almost a 10% increase at 9.1%. In contrast, the preceding 4 years were relatively flat (Fig 5). The pandemic and policing conundrum is a considerable part of this uptick.

Lastly, this is a lot of money for an organization to spend on a breach. Yet this amount could be higher when you factor in other long-term consequence costs such as increased risk of a second breach, brand damage, and/or delayed regulatory penalties that were below the surface – all of which differs by industry. In sum, it is cheaper and more risk prudent to spend even $4.24 million or a relative percentage at your organization on preventative zero trust capabilities than to deal with the cluster of a data breach.

Take-Aways:

COVID-19 remains a catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. The growth and acceptability of mass WFH combined with the mass resignation/gig economy remind employers that great pay and culture alone are not enough to keep top talent. Signing bonuses and personalized treatment are likely needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation-based authentication is here to stay with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should dashboard this with machine learning and AI tools.

Education and awareness around the review and removal of non-essential mobile apps is a top priority. Especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed, and updated often informed by need-to-know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.

IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app to app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware-inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and a security perspective.

Cloud infra will continue to grow fast creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively. 

The increase in number and cost of data breaches was in part attributed to vulnerabilities in supply chains in a few national data breach incidents in 2021. Part of this was addressed in President Biden’s Executive Order 1407 on supply chain security. This reminds us to replace outdated routers, switches, repeaters, controllers, and to patch them immediately. It also reminds us to separate and limit network vendor access points to strictly what is needed and for a limited time window. Last but not least, we must have up-to-date thorough business interruption / cyber insurance with detailed knowledge of what it requires for incident response with breach vendors pre-selected.  

About the Author:

Jeremy Swenson is a disruptive thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments, including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combining Google+ video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

Esports Cyber Threats and Mitigations

On 06/10/21 the major esports software company Electronic Arts (EA) was hacked. They are one of the biggest esports companies in the world. They count many major hit games, including Battlefield, The Sims, Titanfall, and Star Wars: Jedi Fallen Order, in addition to many online league sports games, and they develop and/or publish many others. An EA spokesperson described game code and related tools as stolen in the hack and said that they are still investigating the privacy implications. Early reports, however, indicated that a whopping 780GB of data was stolen (Balaji N, GBHackers On Security, 06/12/21).

Fig 1. EA Sports Hacked Image. Balaji N, GBHackers On Security, 06/12/21.

Given this recent hack here is an updated overview of some of the esports cyber threats and mitigations.

Threats:

1. Aimbots and Wallhacks

As esports revenues and player prizes increase, more players will look for opportunities to exploit the game to gain an advantage over competitors. Many underground hacker forums reveal hundreds of aimbots and wallhacks. Prices for such tools start as low as $5.00 but go as high as $2,000. These are essentially cheat tools for sale but they are technically prohibited in official competitions (Trend Micro, 2019).

Aimbots are a type of software used in multiplayer first-person shooter games to provide varying levels of automated targeting that gives the user an advantage over other players. Wallhacks allow the player to change the properties of in-game walls by making them transparent or nonsolid, making it easier to find or attack enemies.

Fig 2. Wallhack Cheat For WarZone (May 6th 2020, Tom Warren).

2. Hidden Hardware Hacks

Some of the hardware used in competitions can be manipulated by hackers with ease. For each tournament, a gaming board sets the rules on what equipment they allow tournament participants to use. A lot of professional tournaments allow players to bring their own mouse and keyboard, which have been known to house hacks.

Case in point, in 2018 a Dota 2 team was disqualified from a $15 million tournament after judges caught one of its members using a programmable mouse – the Synapse 3 configuration tool. The mouse allowed the player to perform movements that would be impossible without macros, a shortcut of preset key sequences not possible with standard nonprogrammable hardware (Trend Micro, 2019).

3. Stolen Accounts and Credentials

Threat actors have been increasingly targeting the esports industry. They do this by harvesting and selling user ID and password data for both internal and external systems of esports companies. A study by threat intelligence company KELA indicated that more than half a million login credentials tied to the employees of 25 leading game publishers have been found for sale on dark web bazaars (Amer Owaida, WeLiveSecurity, 01/05/2021).

4. Ransomware and DDoS (Distributed Denial of Services) Attacks

Ransomware can come via phishing, smishing, spam, or via free compromised plug-ins. When installed on the gaming platform, it locks everything up and forces the host to pay a ransom in the form of difficult-to-trace digital currency like Bitcoin. Interestingly, researcher Danny Palmer of ZDNet cited Trend Micro’s research when he described the marriage of ransomware and DDoS attacks as follows:

“Researchers also warn that attackers could blackmail esports tournament organizers, demanding a ransom payment in exchange for not launching a DDoS attack – something which organizers might consider given how events are broadcast live and the reputational damage that will occur to the host organizer if the event gets taken offline” (Danny Palmer, ZDnet, 10/29/2019).

Mitigations:

1. Use a VPN (Virtual Private Network)

A VPN establishes an encrypted tunnel between you and a remote server run by the VPN provider. All your internet traffic is run through this tunnel, so your data is protected from eavesdropping along the way. Your real IP address and location are masked from the sites you visit, and your ISP cannot see your destinations, because your traffic exits from the VPN server. You can also more confidently use public Wi-Fi with a VPN.

2. Use A Password Management Tool and Strong Passwords

Another way to stay safe is to set passwords that are longer and more complex, and thus hard to guess. Additionally, they can be stored encrypted for safekeeping in a well-regarded password vault and management tool. This tool can also help you set strong passwords and can auto-fill them at each login, if you select that option. Yet using the password vaulting tool alone is not the whole recommendation. Doing both of these things makes it difficult for hackers to steal passwords or access your gaming accounts.

3. Use Only Whitelisted Gaming Sites Not Blacklisted Ones or Ones Found Via the Dark Web

Use only approved, whitelisted gaming platforms and sites that do not expose you to data leakage or intrusion on your privacy. Whitelisting is the practice of explicitly allowing identified websites a particular privilege, service, or access. Blacklisting is blocking certain sites or privileges. If a site does not assure your privacy, do not even sign up, let alone participate.

Seven Impactful Cyber-Tech Trends of 2020 and What it Means for 2021.

Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic is partly the catalyst for most of these trends in conjunction with it being a presidential election year like no other. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprise in big and small ways.

Fig 1. Stock Mashup, 2020.

1) Disinformation Efforts Accelerate Challenging Data and Culture:

Advancements in communications technologies, the growth of large social media networks, and the “appification” of everything increase the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. Examples include governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo, Bloomberg, 05/18/2019). Today’s disinformation war is largely digital via platforms like Facebook, Twitter, iTunes, WhatsApp, Yelp, and Instagram. Yet even state-sponsored and private news organizations are increasingly the weapon of choice, creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace it and to stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps having permission to post to Facebook and then Facebook having permission to post to WordPress and then WordPress posting on Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and source, but it also weakens privacy and security due to the many authentication permissions. 

We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since disinformation draws in viewers, which drives clicks and ad revenues – it is a money-making machine. If you can control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2020 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA, 12/22/2020). This negatively impacts culture by setting a misguided example of what is acceptable.

There were several widely reported cases of political disinformation in 2020, including misleading texts, e-mails, mailers, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap, these disinformation bursts riled political opponents on both sides in all states, creating miscommunication, ad hominem attacks, and even derailed careers (PBS, The Hinckley Report, 11/24/20). Moreover, huge swaths of confused voters aligned more with speculation and emotion/hype than unbiased facts. This dirtied the data in terms of the election process and only begs the question of which parts of the election information process are broken. This normalizes petty policy fights, emotional reasoning, and a lack of unbiased intellectualism, negatively impacting western culture. All to the threat actor’s delight. Increased public-to-private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.

2) Stalkerware Grows and Evolves Reducing Mobile Privacy:

The increased use of mobile devices in conjunction with the pandemic-induced work from home (WFH) growth has produced more stalkerware. According to one report, there was a 51% increase in Android spyware and stalkerware from March through June versus the first two months of the year (Avast, Security Boulevard, 12/02/20), and this is likely to be above a 100% increase when all data is tabulated for the end of 2020. Inspired by covert law enforcement investigation tactics, this malware variant can be secretly installed on a victim’s phone, hiding as a seemingly harmless app. It is not that different from employee monitoring software, which can easily be confused with this malware. However, stalkerware is typically installed by fake friends, jealous spouses and partners, ex-partners, and even concerned relatives. If successfully installed, it relays private information back to the attacker, including the victim’s photos, location, texts, web browsing history, call records and more. This is where the privacy violation and abuse and/or fraud can start, yet it is hard to identify in the blur of too many mobile apps.

3) Identity & Access Management (IAM) Scrutiny Drives Zero Trust:

The pandemic has pushed most organizations to a mass WFH posture. Generally, this improves productivity, making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders are speeding up the deployment of Zero Trust capabilities (Andrew Conway, Microsoft, 08/19/20). Zero trust moves organizations to a need-to-know-only access mindset with inherent deny rules, all the while assuming you are already compromised. This implies single sign-on at the personal device level and improved multifactor authentication. It also implies better role-based access controls (RBAC), improved need-to-know policies, group membership reviews, and state-of-the-art PAM tools for the next year.

4) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:

This increased WFH posture blurs the security perimeter both physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real time. Prior audits, security controls, and policies may therefore be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set badge access to disabled by default. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real time, and the related exception policies should be re-evaluated.

5) Data Governance Gets Sloppy Amid Agility:

Mass WFH has increased agility and driven sloppy data governance. For example, one week after the CARES Act was passed, banks were asked to accept Paycheck Protection Program (PPP) loan applications. Many banks were unprepared to deal with the flood of data from digital applications, financial histories, and related docs, and were not able to process them in an efficient way. Moreover, the easing of regulatory red tape at hospitals/clinics, although well-intentioned to make emergency response faster, created sloppy data governance as well. The irony of this is that regulators are unlikely to give either of these industries a break, nor will civil attorneys hungry for any hangnail claim.

6) The Divide Between Good and Bad Cloud Security Grows:

The pandemic has reminded us that there are two camps with cloud security. Those who have a planned option for bigger cloud-scale and those that are burning their feet in a hasty rush to get there. In the first option, the infrastructure is preconfigured and hardened, rates are locked, and there is less complexity, all of which improves compliance and gives tech risk leaders more peace of mind. In the latter, the infrastructure is less clear, rates are not predetermined, compliance and integration are confusing at best, and costs run high – all of which could set such poorly configured cloud infrastructures up for future disasters.

7) Phishing Attacks Grow Exponentially and Get Craftier:

The pandemic has caused a hurricane of phishing emails that have been hard to keep up with. According to KnowBe4 and Security Magazine, there has been a 6,000% increase in phishing e-mails since the start of the pandemic (Stu Sjouwerman, KnowBe4, 07/13/20 & Security Magazine, 07/22/20). Many of these e-mails have improved their approach and design, appearing more professional and appealing to our emotions by using tags concerning COVID relief, data, and vaccines. Ransomware increased 72% year over year (Security Magazine, 07/22/20). With many new complexities in the mobile ecosystem and exponential app growth, it is not surprising that mobile vulnerabilities also increased by 50% (Security Magazine, 07/22/20).

Take-Aways:

COVID-19 is the catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation-based authentication is here to stay, with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should dashboard this with machine learning and AI tools.

Education and awareness around the review and removal of non-essential mobile apps is a top priority. Especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed and updated often – embracing need to know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.

Cloud infra will continue to grow fast, creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively. IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it, because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed, as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app-to-app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware-inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and security perspective.

About the Author:

Jeremy Swenson is a disruptive thinking security entrepreneur and senior management tech risk consultant. Over 15 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments. Organizations relish his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is also a frequent speaker, published writer, and even does some pro bono consulting in these areas. He holds an MBA from St Mary’s University of MN and an MSST (Master of Science in Security Technologies) degree from the University of Minnesota.

Abstract Forward Podcast #10: CISO Risk Management and Threat Modeling Best Practices with Donald Malloy and Nathaniel Engelsen!

Fig. 1. Joe the IT Guy, 10/17/2018

Featuring the esteemed technology and risk thought leaders Donald Malloy and Nathaniel Engelsen — this episode covers threat modeling methodologies STRIDE, Attack Tree, VAST, and PASTA. Specifically, how to apply them with limited budgets. It also discusses the complex intersection of how to derive ROI on threat modeling with compliance and insurance considerations. We then cover IAM best practices including group and role level policy and control best practices. Lastly, we hear a few great examples of key CISO risk management must-dos at the big and small company levels.

Fig. 2. Pasta Threat Modeling Steps (Nataliya Shevchenko, CMU, 12/03/2018).

Donald Malloy has more than 25 years of experience in the security and payment industry and is currently a security technology consultant advising many companies. Malloy was responsible for developing the online authentication product line while at NagraID Security (Oberthur), and prior to that he was Business Development and Marketing Manager for Secure Smart Card ICs for both Philips Semiconductors (NXP) and Infineon Technologies. Malloy originally comes from Boston, where he was educated, and has M.S. level degrees in Organic Chemistry and an M.B.A. in Marketing. Presently he is the Chairman of The Initiative for Open Authentication (OATH) and is a solution provider with DualAuth. OATH is an industry alliance that has changed the authentication market from proprietary systems to an open-source, standards-based architecture promoting ubiquitous strong authentication used by most companies today. DualAuth is a global leader in trusted security with two-factor authentication, including auto passwords. He resides in southern California, and in his spare time he enjoys hiking, kayaking, and traveling around this beautiful world.

Nathaniel Engelsen is a technology executive, agilist, writer, and speaker on topics including DevOps, agile team transformation, and cloud infrastructure & security. Over the past 20 years he has worked for startups, small and mid-size organizations, and $1B+ enterprises in industries as varied as consulting, gaming, healthcare, retail, transportation logistics, and digital marketing. Nathaniel’s current security venture is Callback Security, providing dynamic access control mechanisms that allow companies to turn off well-known or static remote and database access routes. Nathaniel has a bachelor’s in Management Information Systems from Rowan University and an MBA from the University of Minnesota, where he was a Carlson Scholar. He also holds a CISSP.

The podcast can be heard here.

More information on Abstract Forward Consulting can be found here.

Disclaimer: This podcast does not represent the views of former or current employers and/or clients. This podcast will make every reasonable effort to verify facts and inferences therefrom. However, this podcast is intended to entertain and significantly inform its audience based on subjective reason-based opinions. Non-public information will not be disclosed. Information obtained in this podcast may be materially out of date at or after the time of the podcast. This podcast is not legal, accounting, audit, health, technical, or financial advice. © Abstract Forward Consulting, LLC.

8 Effective Third-Party Risk Management Tactics

In this increasingly complex security landscape with threat actors and vendors changing their tools rapidly, managing third-party risk is very difficult, ambiguous, and it’s even more difficult to know how to prioritize mitigation spend.

Fig 1. Risk, Stock Image, 2019.

The key to any vendor risk management program or framework is measurement, repeatability, and learning or improving from what was repeated as the business and risks change. These are the eight best practices you can follow to help assess your vendors’ security processes and their willingness to understand your risks and collectively mitigate both.

1) Identify All Your Vendors / Business Associates:

Many companies miss this easy step. Use RBAC (role-based access controls) when applicable, via Windows groups or the like. Creating a repeatable, written compliance process for identifying vendors and updating the list as vendors move in and out of the company is worthwhile.

2) Ensure Your Vendors Perform Regular Security Assessments:

Risk assessments should be conducted on a weekly, monthly, or quarterly basis and reviewed and updated in response to changes in technology and the operating environment.

At a minimum, security risk assessments should include:

a) Evaluation of the likelihood and potential impact of risks to in-scope assets.

b) Measures instituted to protect against those risks.

c) Documentation of the security measures taken.

Vendors must also regularly review the findings of risk assessments to determine the likelihood and impact of the risks they identify, as well as remediate any deficiencies.

Fig. 2. Stock Image, Third-Party Risk Mgmt Inputs, 2019.

3) Make Sure Vendors Have Written Information Security Policies / Procedures:

a) Written security policies and procedures should clearly outline the steps and tasks needed to ensure compliance delivers the expected outcomes.

b) Without a reference point, policies and procedures can become open to individual interpretation, leading to misalignment and mistakes. Verify not only that companies have these written policies, but that they align with your organization’s standards. Ask other peers in your industry for a benchmark.

4) Prioritize Vendors Based on Risk – Use Evidence and Input from Others – NOT Speculation:

a) Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.

b) High Risk: Vendors (1) who have access to customer data and have a high risk of information loss; and / or (2) upon whom your organization is highly dependent operationally.

c) Medium Risk: Vendors (1) whose access to customer information is limited; and / or (2) whose loss of services would be disruptive to your organization.

d) Low Risk: Vendors who do not have access to customer data and whose loss of services would not be disruptive to your organization.

5) Verify That Vendors Encrypt Data in All Applicable Places – At Rest, In Transit, etc:

a) Encryption, a process that protects data by making it unreadable without the use of a key or password, is one of the easiest methods of protecting data against theft.

b) When a vendor tells you their data is encrypted, trust but verify. Delve deeper and ask for details about the different at-rest and in-transit scenarios, such as whether backups are encrypted and what type of backup is used. Ask them what type of encryption it is and get an infographic. Most people get lost when you ask this question.

c) It’s also imperative that the keys used to encrypt the data are very well-protected. Understanding how encryption keys are protected is as vital as encryption itself. Are they stored on the same server? Is multi-factor authentication needed to get access to them? Is there a time limit on how long they can have access to the key?

6) Ensure Vendors Have A Disaster Recovery Program:

In order to be compliant with the HIPAA Security Rule and related rules, vendors must have a detailed disaster recovery program that includes analysis on how a natural disaster—fire, flood or even a rodent chewing through cables—could affect systems containing ePHI. The plan should also include policies and procedures for operating after a disaster, delineating employees’ roles and responsibilities. Finally, the plan should clearly outline the plan for restoring the data.

7) Ensure Access Is Based on Legitimate Business Needs:

Fig 3. Stock Image, RBAC Flow, 2019.

It’s best to follow the principle of least privilege (POLP), which is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write, or execute only the files or resources they need to do their jobs. In other words, the least amount of privilege necessary. RBAC is worth mentioning here again.
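To make the principle of least privilege concrete, here is an added example (not the article's own code) of a deny-by-default RBAC check plus the review step that follows from it: finding grants a vendor account holds but never uses. The role names, vendor accounts and the access log are all constructed for illustration.

```python
# Added example (not the article's own code): a deny-by-default role-based access
# check plus a least-privilege review that flags granted-but-unused permissions.
# All role names, accounts and the access log below are constructed for illustration.

# Role -> set of (resource, action) grants. Anything not listed here is denied.
ROLE_PERMISSIONS = {
    "billing-vendor": {("invoices", "read"), ("invoices", "write")},
    "support-vendor": {("tickets", "read"), ("tickets", "write"),
                       ("customer-profile", "read")},
    "auditor": {("invoices", "read"), ("tickets", "read"), ("audit-log", "read")},
}

# Vendor/service accounts -> roles (group membership, as with Windows groups).
USER_ROLES = {
    "acme-billing-svc": {"billing-vendor"},
    "helpdesk-contractor": {"support-vendor"},
    "ext-auditor": {"auditor"},
}


def permissions_for(user):
    """Union of the grants of every role the account holds (empty if unknown)."""
    perms = set()
    for role in USER_ROLES.get(user, set()):
        perms |= ROLE_PERMISSIONS.get(role, set())
    return perms


def is_allowed(user, resource, action):
    """Deny by default: only an explicit grant via a role permits the request."""
    return (resource, action) in permissions_for(user)


def evaluate_log(log):
    """Return the (user, resource, action) requests that would be denied."""
    return [req for req in log if not is_allowed(*req)]


def unused_permissions(user, log):
    """Grants the account never exercised in the log; candidates for removal.

    This is the least-privilege review step: permissions granted 'just in case'
    but never used are the first ones to prune.
    """
    used = {(res, act) for (who, res, act) in log if who == user}
    return permissions_for(user) - used


# Constructed 90-day access log: (account, resource, action).
ACCESS_LOG = [
    ("acme-billing-svc", "invoices", "read"),
    ("acme-billing-svc", "invoices", "read"),
    ("helpdesk-contractor", "tickets", "write"),
    ("helpdesk-contractor", "customer-profile", "read"),
    ("helpdesk-contractor", "invoices", "read"),     # outside its role: denied
    ("former-vendor-svc", "tickets", "read"),        # no roles at all: denied
    ("ext-auditor", "audit-log", "read"),
]

if __name__ == "__main__":
    for req in evaluate_log(ACCESS_LOG):
        print("DENIED:", req)
    for user in USER_ROLES:
        print(user, "unused grants:", sorted(unused_permissions(user, ACCESS_LOG)))
```

The review function is the part worth running periodically: an account that has held a write grant for a quarter without using it is exactly the access that a periodic group membership review should remove.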

8) Vet All New Vendors with Due Diligence:

a) Get references.

b) Use a standard checklist.

c) Perform a risk analysis and determine whether the vendor will be ranked Critical, High, Medium or Low.

d) Document and report to senior management.

Contact us here to learn more.

Watch Out for Coronavirus (COVID-19) Scams and Malware

The coronavirus disease (COVID-19) is being used in a variety of malicious/hacking campaigns including email spam, ransomware, BEC (business e-mail compromise), malware, drive-by downloads, and even fraudulent domains. The mention of current events in malicious cyber-attacks is nothing new as threat actors often use current events and popular personalities in their social engineering strategies.

Fig. 1. Nate Benson (WGRZ), 03/16/20.


As the number of those infected continues to increase, campaigns that use the disease as a lure are likely to also increase because people tend to get excited about trending information and they click without double-checking, especially when their defenses are down in this emotional and media-hyped context. Let facts and science rule the day, not speculation and sensationalized news media. As we seek recovery and healing, the last thing we need is the double whammy of being hacked, scammed, or the victim of ransomware. Don’t let that be you, always double-check.

Here are some detailed internet hygiene and scam avoidance tips (compiled from the FTC, Trend Micro, and Symantec):

  1. Don’t click on links from sources you don’t know. They could download viruses onto your computer or device.
  2. Trend Micro identified the following exploits as of 03/16/20, and more are likely coming. Five of them were .exe (executable) files, which are very high risk.

Fig. 1. Trend Micro Identified Cyber Exploit Files (Trend Micro, 03/16/20).

  3. Watch for emails claiming to be from the Centers for Disease Control and Prevention (CDC) or from experts saying that they have information about the virus.
  4. For the most up-to-date information about the Coronavirus, visit the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO).
  5. Symantec identified the following fake example:

Fig 2. Fake CDC Alert Phishing Example (Steve Symanovich, Symantec, 03/17/2020).

  6. Ignore online offers for vaccinations. There currently are no vaccines, pills, potions, lotions, lozenges or other prescription or over-the-counter products available to treat or cure Coronavirus disease (COVID-19), online or in stores.
  7. Report any suspected product scams to the FTC; scroll to the bottom of the FTC page for the reporting link.
  8. Do your homework when it comes to donations, whether through charities or crowdfunding sites. Don’t let anyone rush you into making a donation. If someone wants donations in cash, by gift card, or by wiring money, don’t do it.
  9. Beware of online requests for personal information. A coronavirus-themed email that seeks personal information like your Social Security number or login information is a phishing scam. Legitimate government agencies won’t ask for that information.
  10. Never respond to email by giving your personal data.
  11. Check the email address and any links. You can inspect a link by hovering your mouse over it to see where it actually leads, but keep in mind that phishers can create links that closely resemble legitimate addresses. Never go to HTTP-only sites; look for HTTPS, although HTTPS alone does not prove a site is legitimate. The Trend Micro URL checker is a good start, but know that it won’t catch every bad site.
  12. Watch for spelling and grammatical mistakes. If an email includes spelling, punctuation, and grammar errors, it’s likely a sign you’ve received a phishing email.
  13. Look for generic greetings. Phishing emails are unlikely to use your name. Greetings like “Dear sir or madam” signal an email is not legitimate.
  14. When in doubt, don’t open it; block the sender and delete the message.
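As an added example (not from the original post, nor from the FTC, Trend Micro or Symantec), the following Python script applies several of the checks above to a raw e-mail: display name claiming the CDC or WHO while the address domain is something else, executable attachments, a generic greeting, a request for personal data, HTTP-only links, and link text that shows a different domain than the link really goes to. The sample message and the domain cdc-health-update.example are constructed for illustration; cdc.gov and who.int are the agencies' real domains, and the extensions beyond .exe are an assumption added here.

```python
import re
from email import message_from_string
from urllib.parse import urlparse

EXECUTABLE_EXTS = (".exe", ".scr", ".bat", ".vbs")   # .exe is from the page; the rest are added here
OFFICIAL = {"cdc": "cdc.gov", "who": "who.int"}      # the two agencies' real domains
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)  # enough for e-mail HTML

# Constructed sample modelled on the fake CDC alert the page describes (not a real message).
SAMPLE_PHISH = """\
From: CDC Alerts <alerts@cdc-health-update.example>
Subject: Urgent COVID-19 update
Content-Type: text/html

<p>Dear sir or madam,</p>
<p>Confirm your Social Security number at
<a href="http://cdc-health-update.example/verify">www.cdc.gov</a> to keep receiving alerts.</p>
"""

def phishing_indicators(raw):
    """Return the checklist items a raw RFC 822 message trips (empty list = nothing found)."""
    msg, hits, body = message_from_string(raw), [], ""
    display, _, addr = msg.get("From", "").lower().partition("<")
    domain = (addr or display).rsplit("@", 1)[-1].strip(" >")
    for org, real in OFFICIAL.items():        # display name claims CDC/WHO but the address does not
        if re.search(rf"\b{org}\b", display) and domain != real and not domain.endswith("." + real):
            hits.append(f"sender claims {org.upper()} but domain is {domain}")
    for part in msg.walk():                   # attachments and text parts
        name = part.get_filename()
        if name and name.lower().endswith(EXECUTABLE_EXTS):
            hits.append(f"executable attachment: {name}")
        elif part.get_content_type() in ("text/plain", "text/html"):
            body += part.get_payload(decode=True).decode("utf-8", "replace")
    if re.search(r"\bdear (sir|madam|customer|user)\b", body, re.I):
        hits.append("generic greeting")
    if re.search(r"social security|password|login", body, re.I):
        hits.append("asks for personal data")
    for href, text in LINK_RE.findall(body):
        target = urlparse(href)
        if target.scheme == "http":
            hits.append(f"HTTP-only link: {target.hostname}")
        shown = text.strip()
        if re.fullmatch(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", shown, re.I):
            shown = urlparse(shown if "://" in shown else "//" + shown).hostname
            if shown != target.hostname:      # visible domain differs from the real destination
                hits.append(f"link shows {shown} but goes to {target.hostname}")
    return hits
```

Calling `phishing_indicators(SAMPLE_PHISH)` returns five findings for the sample; a plain message with a matching sender domain and no lures returns an empty list.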

Lastly, with so many people working from home amid the pandemic, our next podcast will deal with IAM and vendor risk management, and the related work-from-home network security considerations, coming around April/May 2020. Follow our podcast for the release.

Wishing you, your family, and the greater community — strength, healing, innovation, and fast recovery. Together we can get through this.

Charles Schwab, Chase, Wells Fargo, and others Use New Voice IAM Biometrics Technology

Over the last two years, many financial firms have introduced a new voice identity and access management (IAM) service that uses voice biometrics technology to identify you by your unique voice. This starts each customer interaction with effortless biometric authentication, improving the customer experience.


Fig. 1. Voice Biometric Authentication Graphic, Source: Si-Gal/Getty Images, 2020.

Charles Schwab describes it this way (2020):

  • Whether you want to use our automated phone service or speak with one of our financial professionals, our voice ID service is one of the fastest and most convenient ways to securely identify yourself over the phone.
  • We know that you have a lot of passwords and pins to remember. Voice ID helps reduce the hassle of answering security questions when we can verify you by the sound of your voice.
  • When you call us, you will simply be prompted to say the passphrase “At Schwab, my voice is my password” to be securely verified. No more personal questions. No more PINs.

According to leading voice technology vendor Nuance (2020):

  • Biometric authentication delivers simpler, stronger customer authentication.
  • It reduces the average handling time (AHT) by 37 seconds.
  • Just like your fingerprint, your voiceprint is uniquely yours.

To make this work, the technology stores a digital representation of your voice using a proprietary algorithm. This unique voiceprint is created from more than 100 different physical and behavioral characteristics, such as pitch, accent, and the shape of your mouth and vocal tract, as you speak with a customer service representative. Your voice ID works only with the system you provided your voice to.

Using this service requires the collection of data to confirm that you are you. Melissa Looker of Fast Company describes how Chase does this as follows (2019):

  • But Chase isn’t just amassing data on its customers. It’s also collecting intel on known fraudsters for so-called “voice biometric blacklists,” which keep tabs on identity thieves and credit card scammers and prevent them from accessing bank information or requesting new credit cards.
  • Of course, it’s not just JPMorgan Chase & Co. using the technology. According to the Associated Press, Wells Fargo, Barclays, and U.S. Bank all use some form of Voice ID (IAM). In 2017, Pindrop, a company that offers sound-based fraud detection tools to call centers, told Fast Company it worked with eight of the top 10 U.S. banks and two of the top 5 insurers to detect phone scams.

Although voice IAM is a good start, I think more research needs to be done to validate the long-term viability of this form of authentication. What if a fraudster has a recording of your voice, or can mimic your voice pattern with a computer? Also, a lot of people’s voices sound the same. According to a 2017 BBC report (Dan Simmons), voice biometric authentication was easily passed by a twin brother when they tested it, and the technology has improved little since then.

3 Key Points From “Unsecurity” By Evan Francen

National author, speaker, consultant, and entrepreneur Evan Francen got into information security long before it was cool and buzzing in the media, and long before every so-called IT consultancy started chasing the money. In fact, he and I both dislike the money chasers. He and his growing consultancy, FRSecure, are for-profit, but they don’t do it for the money.

Like a patriot who delays college to join the army amid dire national conflict, Francen offers a fact-based call to arms to fix the broken cybersecurity industry in his 2019 book “Unsecurity”. I have known him and his company for a few years and have read the book, along with many others on this subject, and this content is worth sharing because too few people write or talk about how to actually make this industry better. Here are my three unbiased key points from his book.

1) We’re Not Speaking the Same Language:

Francen opens his book with a lengthy chapter on how poor communication between cybersecurity stakeholders exacerbates trouble and risk. You can’t see or measure what isn’t communicated well. It starts because there are five main stakeholder groups who don’t share the same vocabulary amid conflicting priorities.

  1. IT: Speaks in data tables and code jargon.
  2. Cyber: Speaks in risk metrics and security controls.
  3. Business: Speaks in voice of the customer and profits.
  4. Compliance: Speaks in evidence collection and legal and regulatory frameworks.
  5. Vendor: Speaks in sales and marketing terms.

Ideally, all these stakeholders need to work together, but they are only as strong as the weakest link. To attain better communication and collaboration between these stakeholders, all must agree on the same general security framework best suited to the company and industry, maybe NIST CSF with its inferred definitions, or maybe ISACA COBIT. However, once you pick the framework you need to start training, communicating, and measuring against it and only it, going with its inferred definitions.

Changing frameworks in the middle of the process is like changing keys in the middle of a classical song at a concert – don’t do it. That’s not to say that once communication and risk management gets better, that you can’t have some hybrid framework variation – like at a jazz concert. You can but you need proof of the basic items first.

Later in the chapter, Francen describes the communication issue of too many translations. That’s too many people passing the communication on to other people and giving it their own spin. Thus, what was merely a minor IT problem ticket turns into a full-blown data breach. Or people get tied up arguing over NIST, ISSA, ISACA, and OWASP jargon, all the while nothing gets fixed and people just get mad at each other yet fail to understand one another. Knowing one or two buzzwords from an ISACA conference or paper, yet failing to understand how they apply to NIST or the like, does not help. You should have a framework mapping sheet for this.

The bigger solution is more training and vetting of who is authorized to communicate on key projects. The issue of good communication and project management is separate from cybersecurity, though it’s a critical dependency. Organizations should pre-draft communication plans with roles and scope listed out, and then they should run tabletop exercises to solidify them. Having an on-site Toastmasters group is also a good idea. I don’t care if you’re a cyber or IT genius; if you can’t communicate well, that’s a problem that needs to be fixed. I will take the person with much better communication skills, because they can likely learn what they don’t know faster than the other can.

2) Overengineered Foundations:

In chapter two, Francen addresses “Bad Foundations”. He gives many analogies including building a house without a blueprint. However, I’m most interested in what he says on page 76:

  • “Problem #4 Overengineered Foundation – too much control is as bad as too little control, and in some cases, it’s even worse than no control at all.”

What he is saying here is that an organization can get so busy with non-real-world spreadsheet assessments and redundant evidence gathering that its head is in the sand for so long that it fails to connect the dots that other things are going awry, and thus it gets compromised. Keep in mind that IT and security staff are already overworked; they already have many conflicting dials and charts to read, amid false alarms. Bogging them down in needless busywork must be weighed against other real-world security tasks, like patch management, change management, and updating IAM protocols to two-factor.

If you or your organization have an issue figuring this out, then, as Francen outlines, you need to simplify your risk management to a real-world foundational goal that even the company secretary can understand. It may be as simple as requiring long, complex passwords, badge entry time logs for everyone, encrypting data that is not public, or other basics. You must do these things and document that they have been done, one at a time, ingraining a culture of preventative security rather than reactive security.

3) Cultivate Transparency and Incentives:

In chapter five, “The Blame Game”, Francen describes how IT and business stakeholders often fail to take responsibility for security failings. This is heavily influenced by undue bias, lack of diversity, and lack of fact-based intellectualism within the IT and business silos at many mid-sized and large organizations. I know this is a hard pill to swallow, but it’s so true. The IT and business leaders approving the bills for the vendors doing the security assessments, tool implementations, and consulting should not be under pressure to get a favorable finding in an unrealistic timeframe. The vendors should only be obligated to give timely, truthful, risk-prudent advice. Yet that same advice, if not couched with kid gloves, can get a vendor booted from the client, fabricating a negative vendor event. Kinda reminds me of accounting fraud pre-Sarbanes-Oxley.

The reason is that risk assessors are creating evidence of security violations that the client does not agree with or like, thus creating legal risk for the client, albeit well justified and of the client’s own doing. From Francen’s viewpoint, this comprehensive, honest assessment also gives the client a way to defend itself and limit liability by disclosing and remediating the vulnerabilities in a timely manner and under the advisement of a neutral third party. Moreover, you’re going to have instructions on how to avoid them in the future, thus saving you money and brand reputation.

Overall, transparency can save you. Customers, regulators, and risk assessors view you more positively because of it. That’s not to say there are not things that will remain private, because there are many: trade secrets, confidential data, and the like. My take on Francen’s discussion of the trade-offs between transparency and incentives in the chapter called “The Blame Game” is that it’s no longer acceptable to delay or cover up a real security event, not that it ever was. Even weak arguments deliberately miscategorizing security events as smaller than they are will catch up with you and kick your butt or get you sued. Now is the time to be proactive. Build your incident response team ahead of time. It should include competent business risk consultants, cyber consultants, IT consultants, a communication lead, and a privacy attorney.

Lastly, if we as an industry are going to get better, we’re going to have to pick up books, computers, pens, and megaphones. And this book is a must-read! You can’t be passive and maintain your expert status; it expires the second you do nothing and get poisoned by your own bias and ego. Keep learning and sharing!