The California Department of Financial Protection closed Silicon Valley Bank (SVB) on Fri 03/10/23 and the FDIC took control of and seized its deposits in the largest U.S. banking failure since the 2008 to 2012 mortgage financial crisis, and the second largest ever. Although SVB was well known in San Francisco and Boston where they had all of their 17 branches; they were little to known to the wider public. SVB specialized in financing start-ups and had become the 16th largest U.S. bank by assets. Their numbers at the end of 2022 were impressive with $209 billion in assets and approximately $175.4 billion in deposits.
As a precursor to their failure, SVB recorded six straight quarterly losses as economic conditions turned unfavorable. Then on Mon 02/27/23 their CEO Greg Becker sold $3.6 million of stock in a pre-arraigned 10b5-1 plan designed to reduce conflict of interest, yet it’s still potentially questionable due to the gain he got and the odd timing weeks before their collapse. Yet other executives that sold in recent weeks may not have the protection of the 10b5-1 and that would be a worse example of conflict of interest.
Some degree of support is needed for SVB because most there are not to blame; but so too is criticism so that the financial system can get better and innovate in the free market. You cannot just blindly support people (mostly sr. mgmt.) and organizations (crypto tie in) who are largely responsible for startup failures, frozen loans and payrolls, huge job loss, loss of deposited money over 250k, and great economic downturn – all the while the SVB mgmt. team gets very rich.
Obviously, the competencies and character of some of the SVB mgmt. team was not as good as other community banks and credit unions who aggressively avoided and overcame such failings. They likely put in more work with a deeper concern for the community, clients, and regulatory compliance – generally speaking. These many small community banks and credit unions are often 90 or 100 plus years old and did not grow at as fast a pace as SVB – super fast growth equals fast failure. Conversely, SVB is only 40 years young and most of its growth happened in the later part of that period. This coming from a guy who has consulted/worked at more than 10 financial institutions among other things including bank launch, tech risk, product, and compliance.
The company’s downward spiral blew up by late Weds 03/08/23, when it surprised investors with news that it needed to raise $2.25 billion to strengthen its balance sheet. This was influenced significantly by the Fed rate increases which forced the bank to raise lending rates, and that in turn made it hard for startups and medium-sized businesses to find approved funding. SVB also locked too much of their capital away in low-interest bonds. To strengthen their balance sheet in a slightly silly and desperate move, SVB sold $21 billion in securities at a large $1.8 billion loss. The details, timing, and governance of this make little sense, since the bank knew regulators were already watching closely. As a result, their stock fell 60% Thurs to $106.04 following the restructuring news.
As would be expected this fueled a higher level of deposit outflows from SVB; a $25 billion decline in deposits in the final three quarters of 2022. This spooked a lot of people, including CFOs, founders, VCs, and some unnamed tech celebrities — most of who started talking about the need to withdraw their money from SVB. SVB had almost 90% of its deposits uninsured by the FDIC which is far out of line with what traditional banks have. This is because the FDIC only covers deposits up to $250k. In contrast, Bank of America has about 32% of its deposits not insured by the FDIC – an enormous difference of 58%.
Crypto firm Circle revealed in a tweet late Fri 03/10/23 that it held $3.3 billion with the bank. Roblox corp. held 5% of its $3 billion in cash ($150 million) at the bank. Video streamer Roku held an estimated $487 million at SVB, representing approximately 26% of the company’s cash and cash equivalents as of Fri. Crypto exchange platform BlockFi — who filed for bankruptcy in November — listed $227 million in uninsured holdings at the bank. Some other SVB customers included Ziprecruiter, Pinterest, Shopify, and CrowdStrike. VCs like Y. Combinator regularly referred startups to them.
Yet after these initial outflows people start talking negatively, the perception became greater than reality. It did not matter whether the bank had a liquidity crisis or not. Heard psychology created a snowball effect in that no one wanted to be the last depositor at a bank — observing the lessons learned from prior banking mortgage crisis from 2008 to 2012 where Washington Mutual failed.
In sum, customers withdrew a massive $42 billion of deposits by the end of Thurs 03/09/23, according to a California regulatory filing. As a result, SIVB stock continued to plummet down another 65% before premarket trading was halted early Fri by regulators.
“All insured depositors will have full access to their insured deposits no later than Monday morning, March 13, 2023. The FDIC will pay uninsured depositors an advance dividend within the next week. Uninsured depositors will receive a receivership certificate for the remaining amount of their uninsured funds. As the FDIC sells the assets of Silicon Valley Bank, future dividend payments may be made to uninsured depositors.
Silicon Valley Bank had 17 branches in California and Massachusetts. The main office and all branches of Silicon Valley Bank will reopen on Monday, March 13, 2023. The DINB will maintain Silicon Valley Bank’s normal business hours. Banking activities will resume no later than Monday, March 13, including on-line banking and other services. Silicon Valley Bank’s official checks will continue to clear. Under the Federal Deposit Insurance Act, the FDIC may create a DINB to ensure that customers have continued access to their insured funds.”
That’s largely a bank run, and it is really bad news for SVB and many startups and medium businesses. SVB has been a foundational piece of the tech startup ecosystem. It was also known to industry commentators and tech risk researchers that SVB struggled with tech risk compliance, overall governance, and even had no chief risk officer in the eight months prior.
With reasoning and no direct evidence, only circumstantial evidence — as I had a couple of interviews with them and was less than impressed with their competency and trajectory — I speculate that crypto ties were a significant negative factor here because many of the companies and tech sub-domains SVB served are entangled with crypto and crypto-related entitles. Examples of this include their dealings with Circle — it manages part of the USDC stablecoin reserve of the American Circle, which confirmed to have a little more than $3 billion dollars of reserve blocked with SVB.
A Fri 03/10/23 Tweet from reporter Lauren Hirsch described BlockFi’s risky crypto entanglements with SVB this way: “Per new bankruptcy filing, BlockFi has $227m in Silicon Valley Bank. The bankruptcy trustee warned them on Mon that bc those funds are in a money market mutual fund, they’re not FDIC secured — which could be a prblm w/ keeping in compliance of bankruptcy law”.
Crypto compliance and insight for a big bank is very complex, undefined, and risk prone. The biggest tech venture bank has to be involved with a few crypto related failings and controversies, and the above are just a few examples but I am sure there are more. I just don’t have the data to back that up now, but I am sure it’s being investigated and/or litigated.
Note * This is a complex, evolving, and new development — some info may be incomplete and/or out of date at the time you view this.
About the Author:
Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combing Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.
1) Educate Employees About Cyber Threats and Hold Them Accountable:
Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Use games with training and hold everyone accountable to security policies and procedures. This needs to be embedded in the culture of your company. Register for free DHS cyber training here and/or use the free DHS SMB cyber resource toolkit. Most importantly, sign up for DHS CISA e-mail alerts specific to your company and industry needs and review the alerts – Sign up here. Use the free DHS developed CSET (Cybersecurity Evaluation Tool) to assess your security posture – High, Med, or Low. CSET is downloadable here.
2) Protect Against Viruses, Spyware, and Other Malicious Code:
Make sure each of your business’s computers are equipped with antivirus software and antispyware and updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Especially watch out for freeware that contains malvertising. Make sure submission forms can block spam and can block code execution (cross-side scripting attacks).
3) Secure Your Networks:
Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden – not publicly broadcasted. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Also, have a secure strong password to protect access to the router. (xbeithyg18695843%&*&RELxu75IGO) — example. Lastly, use a VPN (virtual private network) to encrypt data in transit, especially when working from home.
4) Control Physical Access to Computers and Network Components:
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel — with approval records.
5) Create A Mobile Device Protection Plan:
Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Use a containerization application to separate personal data from company data. Be sure to set reporting procedures for lost or stolen equipment.
6) Establish Security Practices and Policies to Protect Sensitive Information:
Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies and who is accountable. Base your security strategy significantly on the NIST Cybersecurity Framework 1.1: Identify, Detect Defend, Respond, and Recover — a respected standard that easy to understand (Fig. 1).The NIST Cybersecurity Framework Small Business Resources are linked here.
Fig. 2. NIST CSF Domains and Sub Areas, NIST, 2022.
7) Employ Best Practices on Payment Cards:
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the internet. Outsource some or all of it and know where your risk responsibility ends.
8) Make Backup Copies of Important Business Data and Use Encryption When Possible:
Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud. Having all key files backed up via the 3-2-1 rule — three copies of files in two different media forms with one offsite — thus reducing ransomware attack damage.
9) Use A Password Management Tool and Strong Passwords:
Another way to stay safe is by setting passwords that are longer, complex, and thus hard to guess. Additionally, they can be stored and encrypted for safekeeping using a well-regarded password vault and management tool. This tool can also help you to set strong passwords and can auto-fill them with each login — if you select that option. Yet using just the password vaulting tool is all that is recommended. Doing these two things makes it difficult for hackers to steal passwords or access your accounts.
10) Use Only Whitelisted Sites Not Blacklisted Ones or Ones Found Via the Dark Web:
Use only approved whitelisted platforms and sites that do not expose you to data leakages or intrusion on your privacy. Whitelisting is the practice of explicitly allowing some identified websites access to a particular privilege, service, or access. Backlisting is blocking certain sites or privileges. If a site does not assure your privacy, do not even sign up let alone participate.
About the Author:
Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combing Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.
Fig. 1. 2022 Cyber Year in Review Mashup; Stock, 2023.
The pandemic continues to be a big part of the catalyst for digital transformation in tech automation, identity and access management (IAM), big data, collaboration tools, artificial intelligence (AI), and increasingly the supply chain. Disinformation efforts morphed and grew last year with stronger crypto tie ins challenging data and culture; Twitter hype pump and dumps for example. Additionally, cryptocurrency-based money laundering, fraud, and Ponzi schemes increased partly due to weaknesses in the fintech ecosystem around compliance, coin splitting/mixing fog, and IAM complexity. This requires better blacklisting by crypto exchanges and banks to stop these illicit transactions erroring on the side of compliance, and it requires us to pay more attention to knowing and monitoring our own social media baselines.
The Costa Rican Government was forced to declare a national emergency on 05/08/22 because the Conti Ransomware intrusion had extended to most of its governmental entities. This was a more advanced and persistent ransomware with Russian gang ties (Associated Press; NBC News, 06/17/22). This highlights the need for smaller countries to better partner with private infrastructure providers and to test for worst-case scenarios.
We no longer have the same office due to mass work from home (WFH) and the mass resignation/gig economy. This infers increased automated zero-trust policies and tools for IAM with less physical badge access required. The security perimeter is now more defined by data analytics than physical/digital boundaries. Education and awareness around the review and removal of non-essential mobile apps grows as a top priority as mobile apps multiply. All the while, data breaches, and ransomware reach an all-time high while costing more to mitigate. Lastly, all these things make the Google acquisition of Mandiant more relevant and plausibly one of the most powerful security analytics and digital investigation entities in the world rivaling nation-state intelligence agencies.
Intro:
Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since crypto money laundering via splitting/mixing, disinformation, the pandemic, and mass resignation/gig economy continue to be a large part of the catalyst for most of these trends. All these trends are likely to significantly impact small businesses, government, education, high-tech, and large enterprise in big and small ways.
1) The Main Purpose of Cryptocurrency Mixer and/or Splitter Services is Fraud and Money Laundering.
Cryptocurrency mixer and/or splitter services serve no valid “real-world” ethical business use case considering the relevant fintech and legal options open. Even in the very rare case when you are a refugee fleeing a financially abusive government regime or a terrorist organization is seeking to steal your assets while the national currency is failing, like in Venezuela, which I wrote about in my 2014 article, “Thought$ On The Future of Digital Curren¢y For A Better World” – that is about political revolution and your personal safety more than anything else. Although cases like this give a valid reason why you might want to mix and/or split your crypto assets, that is not fully the same use case we’re talking about here with the recent uptick of ill-intended crypto mixer and/or splitter service use. Therefore, it’s only fair that we discuss the most likely and common use case, which is trending up, and not the few rare edge cases. This use case would be fraud, Ponzi schemes, and money laundering.
The evidence does not support that a regular crypto exchange is the same thing as a mixer and/or splitter service. For definition’s sake, I am not defining mixing and/or splitting cryptocurrency as the same thing as selling, buying, or converting it – all of this can be done on one or more of the crypto exchanges which is why they are called exchanges. If they are the same or even considerably similar, then why are people and orgs using the mixer and/or splitter services at all? They use them because they offer a considerably different service. Using a mixer and/or splitter service assumes you have gotten some crypto beforehand, from a separate exchange – a step or more before in the daisy chain. This can be done via legal or illegal means. Moreover, why are people paying repeated and hugely excessive fees for these services? The fees are out of line with anything possibly comparable because there is higher compliance and legal risk for the operators of them in that they could get sanctioned like Blender-IO, FTX, Coinbase, Gemini, and others.
You can still have privacy if that is what you are seeking via a semblance of legal moves such as a trust tied to a separate legal entity, family office entity, converting to real estate, and marriage entity – if you have time to do the paperwork. Legally savvy people have anonymity over their assets often to avoid fraudsters, sales reps, and just privacy for privacy’s sake – but again still not the same use case. Even when people/orgs use these legal instruments for privacy, they still have compliance reporting and tax obligations – some disclosure. Keep in mind some disclosure serves to protect you, that you in fact own the assets you say you own. Using these legal instruments with the right technical security including an encrypted VPN and multifactor authentication serves to sustain privacy, and you will then not need a crypto mixer and/or splitter.
Yet if you had cryptocurrency and wanted strong privacy to protect your assets, why would you not at least use some of the aforementioned legal instruments or the like? Mostly because any attorney worth anything would be obligated to report this blatant suspected fraud, and would not want to tarnish their name on the filings, etc. Specifically, the attorney would have to see and know where and what entities the crypto was coming from and going to, under what contexts, and that could trigger them to report or refuse to work with them – a fraudster would want to avoid getting detected.
Specifically, the use of multiple legal entities in different countries in a daisy chain of crypto coin mixing and/or splitting tends to be the pattern for persistent fraud and money laundering. That was the case in the $4.5-billion-dollar crypto theft out of NY (Crocodile of Wall Street), the Blender mixing fraud, and many other cases.
“Blended.io (Blender) is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties. Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations. While the purported purpose is to increase privacy, mixers like Blender are commonly used by illicit actors. Blender has helped transfer more than $500 million worth of Bitcoin since its creation in 2017. Blender was used in the laundering process for DPRK’s Axie Infinity heist, processing over $20.5 million in illicit proceeds.”
Fig 2. U.S. Treasury Dept; Blener.io Crypto Mixer Fraud, 2022.
The question we as a society should be thinking about is tech ethics. What design feature crosses the line to enable fraud too much such that it is not pursued? For example, Silk Road crossed the line, selling illegal drugs, extortion, and other crime. Hacker networks cross the line when they breach companies and steal their credit card data and put it for sale on the dark web. Facebook crossed the line when it enabled bias and undue favor to impact policy outcomes.
Crypto mixer and/or splitter services (not mere crypto exchanges) are about as close to “money laundering as a service” as it gets – relative to anything else technically available excluding the dark web where there are far worse things available technically. Obviously, the developers, product owners, and project managers behind the crypto mixer and/or splitter services like this are serving the fraud and money laundering use case more than anything else. Some semblance of the organized crime rings is very likely giving them money and direction to this end.
If you are for and use mixer and/or splitter services then you run the risk of having your digital assets mixed with dirty digital assets, you have extortion high fees, you have zero customer service, no regulatory protection, no decedent Terms of Service and/or Privacy Policy if any, and you have no guarantee that it will even work the way you think it will.
In fact, you have so much decentralized “so-called” privacy that it could work against you. For example, imagine you pay the high fees to mix and split your crypto multiple times, and then your crypto is stolen by one of the mixing and/or splitting services. This is likely because they know many of their customers are committing fraud and money laundering; yet even if they are not these platforms are associated with that. Therefore, if the platform operators steal their crypto in this process, the victims have little incentive to speak up. Moreover, the mixing and/or splitting service companies have a nice cover to steal it, privacy. They won’t admit that they stole it but will say something like “everything is private and so we can’t see or know but you are responsible for what private assets you have or don’t have”. They will say something like “stealing it is impossible” which of course is a complete lie.
In sum, what reason do you have to trust a crypto mixing and/or splitting service with your digital assets as outlined above as they are hardly incentivized to protect them or you and operate in the shadows of antiquated non-western fintech regulation. So what really do you get besides likely fraud? What is the business rationale behind using these services as outlined above considering no solid argument or evidence can support it is privacy alone, and what net benefit do you get besides business-enabling money laundering and fraud?
Now there are valid use cases for crypto and blockchain technology generally and here are five of them:
1. Innovative tech removing the central bank for peer-to-peer exchange that is faster and more global, especially helping the underbanked countries.
2. Smart contracts can be built on blockchain.
3. Blockchain can be used for crowdfunding.
4. Blockchain can be used for decentralized storage.
5. The traditional cash and coin supply chain is burdensomely wasteful, costly, dirty, and counterfeiting is a real issue. Why do you need to carry ten dollars in quarters or a wad of twenty-dollar bills or even have that be a nation’s economic backing in today’s tech world?
Here are six tips to identify crypto-related scams:
1. With most businesses, it should be easy to find out who the key operators are. If you can’t find out who is running a cryptocurrency or exchange via LinkedIn, Medium, Twitter, a website, or the like be very cautious.
2. Whether in cash or cryptocurrency, any business opportunity promising free money is likely to be fake. If it sounds too good to be true it likely is. Multi-level marketing is one old example of this scam.
3. Never mix online dating and investment/financial advice. If you meet someone on a dating site or social media app, and then they want to show you how to invest in crypto or they ask you to send them crypto. No matter what sob story and huge return they are claiming it’s a scam (FTC).
4. Watch out for scammers who pretend to be celebrities who can multiply any cryptocurrency you send them. If you click on an unexpected link they send or send cryptocurrency to a so-called celebrity’s QR code, that money will go straight to a scammer, and it’ll be gone. Celebrities don’t have time to contact random people on social media, but they are easily impersonated (FTC).
5. Celebrities are however used to pump crypto prices via social media, so they get a windfall, and everyone else takes a hit. Watch out for crypto like Dogecoin which is heavily tied to celebrity pumps with no real-world business value. If you are lucky enough to get ahead, get out then.
6. Watch out for scammers who make big claims without details, white papers, filings, or explanations at all. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details in many documents and filings (FTC).
2) Disinformation Efforts Are Further Exposed:
Disinformation has not slowed down any in 2022 due to sustained advancements in communications technologies, the growth of large social media networks, and the “appification” of everything thereby increasing the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo; Bloomberg, 05/18/2019).
Today’s disinformation war is largely digital via platforms like Facebook, Twitter, Instagram, Reddit, WhatsApp, Yelp, Tik-tok, SMS text messages, and many other lesser-known apps. Yet even state-sponsored and private news organizations are increasingly the weapon of choice, creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.
Bots and botnets are often behind the spread of disinformation, complicating efforts to trace and stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps having permission to post to Facebook and then Facebook having permission to post to WordPress and then WordPress posting to Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and original source, but it also weakens privacy and security due to the many authentication permissions involved. The copied data is duplicated at each of these layers, which is an additional consideration.
We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since most disinformation draws in viewers which drives clicks and ad revenues; it is a money-making machine. If you can significantly control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion.
In 2022 there were many cases of fake crypto initial coin offerings (ICOs) and related scams including the Titanium Blockchain where investors lost at least $21 million (Dept of Justice; Press Release, 07/25/22). The Celsius’ crypto lending platform also came tumbling down largely because it was a social media-hyped Ponzi scheme (CNBC; Arjun Kharpal, 07/08/22). This negatively impacts culture by setting a misguided example of what is acceptable.
Elon Musk’s controversial purchase of Twitter for $44 billion in October 2022 resulted in a big management shakeup and strategy change (New York Times; Kate Conger and Lauren Hirsch, 10/27/22). The goal was to reduce bias and misinformation in the name of free and fair speech. To this end, the new Twitter under Musk’s direction produced “The Twitter Files” which are a set of internal Twitter, Inc documents made public beginning in December 2022. This was done with the help of independent journalists Matt Taibbi, Bari Weiss, Lee Fang, and authors Michael Shellenberger, David Zweig and Alex Berenson.
“Twitter granted great deference to government agencies and select outside organizations. While any Twitter user can report a tweet for removal, officials at the platform provided more direct and expedited channels for select organizations, raising obvious ethical questions about the government’s non-public efforts at censorship. It also captured the degree to which law enforcement requested information – from the physical location of users to foreign influence – from social platforms outside of formal court orders, raising important questions of due process and accountability.”
With the help of Twitter’s misinformation, huge swaths of confused voters and activists aligned more with speculation and emotion/hype than unbiased facts, and/or project themselves as fake commentators. This dirtied the data in terms of the election process and only begs the question – which parts of the election information process are broken? This normalizes petty policy fights, emotional reasoning, lack of unbiased intellectualism – negatively impacting western culture. All to the threat actor’s delight. Increased public-to-private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.
3) Identity and Access Management (IAM) Scrutiny Drives Zero Trust Orchestration:
The pandemic and mass resignation/gig economy has pushed most organizations to amass work from home (WFH) posture. Generally, this improves productivity making it likely to become the new norm. Albeit with new rules and controls. To support this, 51% of business leaders started speeding up the deployment of zero trust capabilities in 2020 (Andrew Conway; Microsoft, 08/19/20) and there is no evidence to suggest this is slowing down in 2022 but rather it is likely increasing to support zero trust orchestration.
Orchestration is enhanced automation between partner zero trust applications and data, while leaving next to no blind spots. This reduces risk and increases visibility and infrastructure control in an agile way. The quantified benefit of deploying mature zero trust capabilities including orchestration is on average $ 1.51 million dollars less in breach response costs when compared to an organization who has not rolled out zero trust capabilities (IBM Security; Cost of A Data Breach Report, 2022).
Fig. 4. Zero Trust Components to Orchestration; Microsoft, 09/17/21
Zero trust moves organizations to a need-to-know-only access mindset with inherent deny rules, all the while assuming you are compromised. This infers single sign-on at the personal device level and improved multifactor authentication. It also infers better role-based access controls (RBAC), firewalled networks, improved need-to-know policies, effective whitelisting and blacking listing of apps, group membership reviews, and state of the art privileged access management (PAM) tools for the next year. In the future more of this is likely to better automate and orchestrate (Fig. 4.) zero trust abilities so that one part does not hinder another part via complexity fog.
4) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:
This increased WFH posture blurs the security perimeter physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real time. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set default disable for badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real time, and the related exception policies should be re-evaluated.
New data lakes and machine learning informed patterns can better define security perimeter baselines. One example of this includes knowing what percent of your remote workforce is on what internet providers and what type? For example, Google fiber, Comcast cable, CenturyLink DSL, ATT 5G, etc. There are only certain modems that can go with each of these networks and that leaves a data trail. Of course, it could be any type of router. What type of device do they connect with MAC, Apple, VM, or other, and if it is healthy – all can be determined in relation to security perimeter analytics.
5) Cyber Firm Mandiant Was Purchased by Google Spawning Private Sector Security Innovation.
Google completed its acquisition of security and incident response firm Mandiant for $5.4 billion dollars in Sept 2022 (Google Cloud; Thomas Kurian CEO – Google Cloud, 09/12/22). This acquisition positions the search and advertising leader with better cloud security infrastructure, better market appeal, and more diversification. With a more advanced and integrated security foundation, Google Cloud can compete better against market leader Amazon Web Services (AWS) and runner-up Microsoft Azure. They will do this on more than price because features will likely grow to leverage their differentiating machine learning and analytical abilities via clients throughout the industry.
Other benefits of integrating Mandiant include improved automated breach response logic. This is because security teams can now gather the required data and then share it across Google customers to help analyze ransomware threat variants. Many of Google’s security related products will also be enhanced by Mandiant’s threat intelligence and incident response capabilities. Some of these products include Google’s security orchestration, automation and response (SOAR) tool which is described this way, “Part of Chronicle Security Operations, Chronicle SOAR enables modern, fast and effective response to cyber threats by combining playbook automation, case management and integrated threat intelligence in one cloud-native, intuitive experience” (Google; Google Cloud, 01/16/23).
According to Dave Cundiff, CISO at Cyvatar, “if Google, as one of the leaders in data science, can progress and move forward the ability to prevent the unknown vectors of attack before they happen based upon the mountains of data available from previous breaches investigated by Mandiant, there could truly be a significant advancement in cybersecurity for its cloud customers” (SC Media; Steve Zurier, 04/15/22). This results in a strong focus on prevention vs. response, which is greatly needed. Lastly, since AWS and Microsoft will be unlikely to hire Mandiant directly because Google owns them, they will likely look to acquire another security services player soon.
6) Data Breaches Have Increased in Number and Cost but Are Generally Identified Faster.
The pandemic has continued to be a part of the catalyst for increased lawlessness including fraud, ransomware, data theft, and other types of profitable hacking. Cybercriminals are more aggressively taking advantage of geopolitical conflict and legal standing gaps. For example, almost all hacking operations are in countries that do not have friendly geopolitical relations with the United States or its allies – and all their many proxy hops would stay consistent with this. These proxy hops are how they hide their true location and identity.
Moreover, with local police departments extremely overworked and understaffed with their number one priority being responding to the huge uptick in violent crime in most major cities, white-collar cybercrimes remain a low priority. Additionally, local police departments have few cyber response capabilities depending on the size of their precinct. Often, they must sheepishly defer to the FBI, CISA, and the Secret Service, or their delegates for help. Yet not unsurprisingly, there is a backlog for that as well with preference going to large companies of national concern that fall clearly into one of the 16 critical infrastructures. That is if turf fights and bureaucratic roadblocks don’t make things worse. Thus, many mid and small-sized businesses are left in the cold to fend for themselves which often results in them paying ransomware, and then being a victim a second time all the while their insurance carrier denes their claims, raises their rate, and/or drops them.
Further complicating this is lack of clarity on data breach and business interruption insurance coverage and terms. Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented so they are by default behind the technology. Most often general liability business insurance covers bodily injuries and property damage resulting from your products, services, or operations. Please see my related article “10 Things IT Executives Must Know About Cyber Insurance” to understand incident response and to reduce the risk of inadequate coverage and/or claims denials.
Data breaches are more expensive than ever. IBM’s 2022 Annual Cost of a Date Breach Report revealed increased costs associated with the average data breach at an estimated $4.35 million per organization. This is a $110,000 year-over-year increase at 2.6% and the highest in the reports history (Fig. 5). However, the average time to identify and contain a data breach decreased both decreased by 5 days (Fig 6). This is a total decrease of 10 days or 3.5%. Yet this is for general data breaches and not ransomware attacks.
Fig 5. Cost of A Data Breach Increases 2021 to 2022 (IBM Security, 2022).
Fig. 6. Average Time To Identify and Contain a Data Breaches Decreases 2021 to 2022, (IBM Security, 2022).
Lastly, this is a lot of money for an organization to spend on a breach. Yet this amount could be higher when you factor in other long-term consequence costs such as increased risk of a second breach, brand damage, and/or delayed regulatory penalties that were below the surface – all of which differs by industry. In sum, it is cheaper and more risk prudent to spend even $4.35 million or a relative percentage at your organization on preventative zero trust capabilities than to deal with the cluster of a data breach.
7) The Costa Rican Government was Heavily Hacked and Encrypted by the Conti Ransomware.
The Costa Rican Government was forced to declare a national emergency on 05/08/22 because the Conti Ransomware intrusion had extended to most of its governmental entities. Conti is an advanced and persistent ransomware as a service attack platform. The attackers are believed to the Russian cybercrime gang Wizard Spider (Associated Press; NBC News, 06/17/22). “The threat actor entry point was a system belonging to Costa Rica’s Ministry of Finance, to which a member of the group referred to as ‘MemberX’ gained access over a VPN connection using compromised credentials” (Bleeping Computer; Ionut Ilascu, 07/21/22). Phishing is a common way to get in to monitor for said credentials but in this case it was done “Using the Mimikatz post-exploitation tool for exfiltrating credentials, the adversary collected the logon passwords and NTDS hashes for the local users, thus getting “plaintext and bruteable local admin, domain and enterprise administrator hashes” (Bleeping Computer; Ionut Ilascu, 07/21/22).
Fig. 7. Costa Rica Conti Ransomware Attack Architecture; AdvIntel via (Bleeping Computer; Ionut Ilascu, 07/21/22).
This resulted in 672GB of data leaked and dumped or 97% of what was stolen (Bleeping Computer; Ionut Ilascu, 07/21/22). Some believe Costa Rica was targeted because they supported Ukraine against Russia. This highlights the need for smaller countries to better partner with private infrastructure providers and to test for worst-case scenarios.
Take-Aways:
The pandemic remains a catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. The growth and acceptability of mass WFH combined with the mass resignation/gig economy remind employers that great pay and culture alone are not enough to keep top talent. Signing bonuses and personalized treatment are likely needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation-based authentication is here to stay with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should dashboard this with machine learning and AI tools.
Education and awareness around the review and removal of non-essential mobile apps is a top priority. Especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed, and updated often informed by need-to-know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.
IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app to app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware-inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and a security perspective.
Cloud infra will continue to grow fast creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively.
In regard to cryptocurrency, NFTs, ICOs, and related exchanges – watch out for scammers who make big claims without details, white papers, filings, or explanations at all. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details in many documents and filings (FTC).
Moreover, better blacklisting by crypto exchanges and banks is needed to stop these illicit transactions erroring on the side of compliance, and it requires us to pay more attention to knowing and monitoring our own social media baselines. If you are for and use crypto mixer and/or splitter services then you run the risk of having your digital assets mixed with dirty digital assets, you have extortion high fees, you have zero customer service, no regulatory protection, no decedent Terms of Service and/or Privacy Policy if any, and you have no guarantee that it will even work the way you think it will.
About the Author:
Jeremy Swenson is a disruptive-thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combing Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, an MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.
Cryptocurrency mixer and/or splitter services serve no valid “real-world” ethical business use case considering the relevant FinTech and legal options open. Even in the very rare case when you are a refugee fleeing a financially abusive government regime or terrorist organization is seeking to steal your assets while the national currency is failing, like in Venezuela which I wrote about in my 2014 article; that is about political revolution and your personal safety more than anything else. Although cases like this give a valid reason why you might want to mix and/or split your crypto assets – that’s not fully the same use case we’re talking about here with the recent uptick of crypto mixer and/or splitter service use. It’s only fair that we discuss the most likely and common use case, which is trending up, and not the few rare edge cases. This use case would be fraud and money laundering.
The evidence does not support that a regular crypto exchange is the same thing as a mixer and/or splitter service. For definitions sake, I am not defining mixing and/or splitting cryptocurrency as the same thing as selling, buying, or converting it – all of this can be done on one or more of the crypto exchanges which is why they are called exchanges. If they are the same or even considerably similar, then why are people and orgs using the mixer and/or splitter services at all? They use them because they offer a considerably different service. Using a mixer and/or splitter services assumes you have gotten some crypto beforehand, from a separate exchange, a step or more before in the daisy chain. This can be done via legal or illegal means. Moreover, why are they paying repeated and hugely excessive fees for these services? The fees are out of line with anything possibly comparable because there is higher compliance and legal risk for the operators of them in that they could get sanctioned like Blender.IO and others.
You can still have privacy if that is what you are seeking via a semblance of legal moves such as a trust tied to a separate legal entity, family office entity, converting to real estate, and marriage entity – if you have time to do the paperwork. Legally savvy people have anonymity over their assets often to avoid fraudsters, sales reps, and just privacy for privacy’s sake – but again still not the same use case. Even when people/orgs use these legal instruments for privacy, they still have compliance reporting and tax obligations – I.E., some disclosure. Keep in mind some disclosure serves to protect you that you in fact own the assets you say you own. Using these legal instruments with the right technical security including an encrypted VPN and multifactor authentication serves to sustain privacy, and you will then not need a crypto mixer and/or splitter.
Yet if you had cryptocurrency and wanted strong privacy to protect your assets, why would you not at least use some of the aforementioned legal instruments or the like? Mostly because any attorney worth anything would be obligated to report this blatant suspected fraud, and would not want to tarnish their name on the filings, etc. Specifically, the attorney would have to see and know where and what entities the crypto was coming from and going to, under what contexts, and that could trigger them to report or refuse to work with them – I.E. a fraudster would want to avoid getting detected.
Specifically, the use of multiple legal entities in different countries in a daisy chain of crypto coin mixing and/or splitting tends to be the pattern for persistent fraud and money laundering. That was the case in the 4.5-billion-dollar crypto theft out of NY and in Blender mixing fraud, and many other cases.
“Blended.io (Blender) is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties. Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations. While the purported purpose is to increase privacy, mixers like Blender are commonly used by illicit actors. Blender has helped transfer more than $500 million worth of Bitcoin since its creation in 2017. Blender was used in the laundering process for DPRK’s Axie Infinity heist, processing over $20.5 million in illicit proceeds”.
Fig 1. U.S. Treasury Dept, Blener.io Crypto Mixer Fraud, 2022.
The question we as a society should be thinking about is tech ethics. What design feature crosses the line to enable fraud too much such that it is not pursued? For example, Silk Road crossed the line, selling illegal drugs, extortion, and other crime. Hacker networks cross the line when they breach companies and steal their credit card data and put it for sale on the dark web. Facebook crossed the line when it enabled bias and undue favor to impact policy outcomes.
Crypto mixer and/or splitter services (not mere crypto exchanges) are about as close to “money laundering as a service” as it gets – relative to anything else technically available excluding the dark web where there are far worse things available technically. Obviously, the developers, product owners, and project managers behind the crypto mixer and/or splitter services like this are serving the fraud and money laundering use case more than anything else. Some semblance of the organized crime rings is very likely giving them money and direction to this end.
If you are for and use mixer and/or splitter services then you run the risk of having your digital assets mixed with dirty digital assets, you have extortion high fees, you have zero customer service, no regulatory protection, no decedent Terms of Service and/or Privacy Policy if any, and you have no guarantee that it will even work the way you think it will.
In fact, you have so much decentralized “so-called” privacy that it could work against you. For example, imagine you pay the high fees to mix and split your crypto multiple times, and then your crypto is stolen by one of the mixing and/or splitting services. This is likely because they know many of their customers are committing fraud and money laundering, yet even if they are not these platforms are associated with that. Therefore, if the platform operators steal their crypto in this process, the victims have little incentive to speak up. Moreover, the mixing and/or splitting service companies have a nice cover to steal it, privacy. They won’t admit that they stole it but will say something like “everything is private and so we can’t see or know but you are responsible for what private assets you have or don’t have”. They will say something like “stealing it is impossible” which is course is a complete lie.
In sum, what reason do you have to trust a crypto mixing and/or splitting service with your digital assets as outlined above as they are hardly incentivized to protect them or you and operate in the shadows of antiquated non-western fintech regulation. So, what really do you get besides likely fraud? What is the business rationale behind using these services as outlined above considering no solid argument or evidence can support it is privacy alone, and what net benefit do you get besides business-enabling money laundering and fraud?
Now there are valid use cases for crypto and blockchain generally and here are five of them:
Innovative tech removing the central bank for peer-to-peer exchange that is faster and more global, especially helping the underbanked countries.
Smart contracts can be built on blockchain.
Blockchain can be used for crowdfunding.
Blockchain can be used for decentralized storage.
The traditional cash and coin supply chain is burdensomely wasteful, costly, dirty, and counterfeiting is a real issue. Why do you need to carry ten dollars in quarters or a wad of twenty-dollar bills or even have that be a nation’s economic backing in today’s tech world?
Here are six tips to identify crypto-related scams:
With most businesses, it should be easy to find out who the key operators are. If you can’t find out who is running a cryptocurrency or exchange via LinkedIn, Medium, Twitter, a website, or the like be very cautious.
Whether in cash or cryptocurrency, any business opportunity promising free money is likely to be fake. If it sounds too good to be true it likely is. Multi-level marketing is one old example of this scam.
Never mix online dating and investment/financial advice. If you meet someone on a dating site or social media app, and then they want to show you how to invest in crypto or they ask you to send them crypto. No matter what sob story and huge return they are claiming it’s a scam (FTC).
Watch out for scammers who pretend to be celebrities who can multiply any cryptocurrency you send them. If you click on an unexpected link they send or send cryptocurrency to a so-called celebrity’s QR code, that money will go straight to a scammer, and it’ll be gone. Celebrities don’t have time to contact random people on social media, but they are easily impersonated (FTC).
Celebrities are however used to pump crypto prices via social media, so they get a windfall, and everyone else takes a hit. Watch out for crypto like Dogecoin which is heavily tied to celebrity pumps with no real-world business value. If you are lucky enough to get ahead, get out then.
Watch out for scammers who make big claims without details, white papers, filings, or explanations at all. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details in many documents and filings (FTC).
Jeremy Swenson is a disruptive thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combing Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, a MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.
Use the free DHS developed CSET (Cybersecurity Evaluation Tool) to assess your security posture – High, Med, or Low. CSET is downloadable here.
Educate Employees About Cyber Threats and Hold Them Accountable:
Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business.
Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses.
Use games with training and hold everyone accountable to security policies and procedures.
This needs to be embedded in the culture of your company.
Protect Against Viruses, Spyware, and Other Malicious Code:
Make sure each of your business’s computers are equipped with antivirus software and antispyware and updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Especially watch freeware which contains malvertising.
Secure Your Networks:
Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID).
Have a secure strong password to protect access to the router (xeeityyg18695845%&*&RELxu78IGO) — example.
Lastly, use a VPN (virtual private network).
Control Physical Access to Computers and Network Components:
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords.
Administrative privileges should only be given to trusted IT staff and key personnel.
Create A Mobile Device Protection Plan:
Require users to password-protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks.
Use a containerization application to separate personal data from company data.
Be sure to set reporting procedures for lost or stolen equipment.
Protect All Pages on Your Public-Facing Webpages, Not Just the Checkout and Sign-Up Pages:
Make sure submission forms can block spam and can block code execution (cross-side scripting attacks).
Establish Security Practices and Policies to Protect Sensitive Information:
Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies and who is accountable.
Base Your Security Strategy Significantly on the NIST Cybersecurity Framework 1.1: Identify, Detect Defend, Respond, and Recover:
The NIST Cybersecurity Framework Small Business Resources are linked here.
Fig. 2. NIST Cyber Security Framework Sub Tasks, NIST, 2022:
Require Employees to Use Strong Passwords and to Change Them Often:
Consider implementing multifactor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multifactor authentication for your account. Smart card plus passcode for example.
Employ Best Practices on Payment Cards:
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.
Outsource some or all of it and know where your risk responsibility ends.
Make Backup Copies of Important Business Data and Use Encryption When Possible:
Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.
Having all key files backed up via the 3-2-1 rule — three copies of files in two different media forms with one offsite — thus reducing ransomware attack damage.
Make Sure Your Vendors Have the Required Security Compliance Attestations and Insurance:
SOC 2, PCI, and HIPAA for example.
Cyber/data breach insurance should be separate from general business liability, and you should know the exclusions and sub-limits.
Use A Password Management Tool and Strong Passwords:
Another way to stay safe is by setting passwords that are longer, complex, and thus hard to guess. Additionally, they can be stored and encrypted for safekeeping using a well-regarded password vault and management tool. This tool can also help you to set strong passwords and can auto-fill them with each login — if you select that option. Yet using just the password vaulting tool is all that is recommended. Doing these two things makes it difficult for hackers to steal passwords or access your accounts.
Use Only Whitelisted Sites Not Blacklisted Ones or Ones Found Via the Dark Web:
Use only approved whitelisted platforms and sites that do not expose you to data leakages or intrusion on your privacy. Whitelisting is the practice of explicitly allowing some identified websites access to a particular privilege, service, or access. Backlisting is blocking certain sites or privileges. If a site does not assure your privacy, do not even sign up let alone participate.
Mimic Your Likely Threats with a Threat Modeling Methodology that works for your Industry:
Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic and mass resignation/gig economy continues to be a large part of the catalyst for most of these trends. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprise in big and small ways.
The pandemic continues to be a big part of the catalyst for digital transformation in tech automation, identity and access management (IAM), big data, collaboration tools, artificial intelligence (AI), and increasingly the supply chain. Disinformation efforts morphed and grew last year challenging data and culture. This requires us to put more attention on knowing and monitoring our own social media baselines. We no longer have the same office due to mass work from home (WFH) and the mass resignation/gig economy. This infers increased automated zero-trust policies and tools for IAM with less physical badge access required. The security perimeter is now more defined by data analytics than physical/digital boundaries.
The importance of supply chain cyber security was elevated by the Biden Administration’s Executive Order 1407 in response to hacks including SolarWinds and Colonial Pipeline. Education and awareness around the review and removal of non-essential mobile apps grows as a top priority as mobile apps multiply. All the while, data breaches, and ransomware reach an all-time high while costing more to mitigate.
1) Disinformation Efforts Accelerate Challenging Data and Culture:
Disinformation has not slowed down any in 2021 due to sustained advancements in communications technologies, the growth of large social media networks, and the “appification” of everything thereby increasing the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo; Bloomberg, 05/18/2019).
Today’s disinformation war is largely digital via platforms like Facebook, Twitter, Instagram, Reddit, WhatsApp, Yelp, Tik-tok, SMS text messages, and many other lesser-known apps. Yet even state-sponsored and private news organizations are increasingly the weapon of choice, creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.
Bots and botnets are often behind the spread of disinformation, complicating efforts to trace and stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps having permission to post to Facebook and then Facebook having permission to post to WordPress and then WordPress posting to Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and original source, but it also weakens privacy and security due to the many authentication permissions involved. The copied data is duplicated at each of these layers which is an additional consideration.
We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since most disinformation draws in viewers which drives clicks and ad revenues; it is a money-making machine. If you can significantly control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2021 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA; 09/28/2021). This negatively impacts culture by setting a misguided example of what is acceptable.
There were several widely reported cases of political disinformation in 2021 including misleading texts, e-mails, mailers, Facebook censorship, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap, these disinformation bursts riled political opponents on both sides in all states creating miscommunication, ad hominin attacks, and even derailed careers with impacts into the future (PBS; The Hinkley Report, 11/24/20 and Daniel Funke; USA Today, 12/23/21).
Facebook is significantly involved in disinformation as one recent study stated, “Globally, Facebook made the wrong decision for 83 percent of those ads that had not been declared as political by their advertisers and that Facebook or the researchers deemed political. Facebook both overcounted and undercounted political ads in this group” (New York University; Cybersecurity For Democracy, 2021). Of course, Facebook disinformation whistleblower Frances Haugen who testified before Congress in 2021 is only more evidence of these and related Facebook failings. Specifically that “Facebook executives, including CEO Mark Zuckerberg, misstated and omitted key details about what was known about Facebook and Instagram’s ability to cause harm” (Bobby Allyn; NPR, 10/05/21).
Fig. 2. Facebook Gaps in Ad Transparency (IMEC-DistriNet KU Leuven and NYU Cyber Security for Democracy, 2021).
With the help of Facebook’s misinformation, huge swaths of confused voters and activists aligned more with speculation and emotion/hype than unbiased facts, and/or project themselves as fake commentators. This dirtied the data in terms of the election process and only begs the question – which parts of the election information process are broken? This normalizes petty policy fights, emotional reasoning, lack of unbiased intellectualism – negatively impacting western culture. All to the threat actor’s delight. Increased public to private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.
2) Identity and Access Management (IAM) Scrutiny Drives Zero Trust Orchestration:
The pandemic and mass resignation/gig economy has pushed most organizations to amass work from home (WFH) posture. Generally, this improves productivity making it likely to become the new norm. Albeit with new rules and controls. To support this, 51% of business leaders started speeding up the deployment of zero trust capabilities in 2020 (Andrew Conway; Microsoft, 08/19/20) and there is no evidence to suggest this is slowing down in the next year but rather it is likely increasing to support zero trust orchestration. Orchestration is enhanced automation between partner zero trust applications and data, while leaving next to no blind spots. This reduces risk and increases visibility and infrastructure control in an agile way. The quantified benefit of deploying mature zero trust capabilities including orchestration is on average $ 1.76 million dollars less in breach response costs when compared to an organization who has not rolled out zero trust capabilities (IBM Security, Cost of A Data Breach Report, 2021).
Fig. 3. Zero Trust Components to Orchestration (Microsoft, 09/17/21).
Zero trust moves organizations to a need-to-know-only access mindset with inherent deny rules, all the while assuming you are compromised. This infers single sign-on at the personal device level and improved multifactor authentication. It also infers better role-based access controls (RBAC), firewalled networks, improved need-to-know policies, effective whitelisting and blacking listing of apps, group membership reviews, and state of the art PAM (privileged access management) tools for the next year. In the future more of this is likely to better automate and orchestrate (Fig. 3.) zero trust abilities so that one part does not hinder another part via complexity fog.
3) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:
This increased WFH posture blurs the security perimeter physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real-time. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set default disable for badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real-time, and the related exception policies should be re-evaluated.
New data lakes and machine learning informed patterns can better define security perimeter baselines. One example of this includes knowing what percent of your remote workforce is on what internet providers and what type? For example, Google fiber, Comcast cable, CenturyLink DSL, ATT 5G, etc. There are only certain modems that can go with each of these networks and that leaves a data trail. Of course, it could be any type of router. What type of device do they connect with MAC, Apple, VM, or other, and if it is healthy can all be determined in relationship to security perimeter analytics.
4) Supply Chain Risk and Attacks Increase Prompting Government Action:
Every organization has a supply chain big or small. There are even subcomponents of the supply chain that can be hard to see like third/fourth-party vendors. A supply chain attack works by targeting a third/fourth party with access to an organization’s systems instead of hacking their networks directly.
In 2021 cybercriminals focused their surveillance on key components of the supply chain including hacking DNS servers, switches, routers, VPN concentrators and services, and other supply chain connected components at the vendor level. Of note was the massive Colonial Gas Pipeline hack that spiked fuel prices this last summer. This was caused by one compromised VPN account informed by a leaked password from the dark web (Turton, William; and Mehrotra, Kartikay; Bloomberg, 06/04/21). The SolarWinds hack was another supply chain-originated attack in that they got into SolarWinds IT management product Orien which in turn got them into the networks of most of the customers of that product (Lily Hay Newman; Wired, 12/19/21). The research consensus unsurprisingly ties this attack to Russian affiliated threat actors and there is no evidence contracting that.
In response to these and related attacks the U.S. Presidential Administration issued Executive Order 14017, the heart of which requires those who manufacture and distribute software a new awareness of their supply chain to include what is in their products, even open-source software (White House; 05/12/21). This in addition to more spending on CISA hiring and public relations efforts for vulnerabilities and NIST framework conformance. Time will tell what this order delivers as it is dependent on what private sector players do.
5) Data Breaches Have Greatly Increased in Number and Cost:
The pandemic has continued to be a part of the catalyst for increased lawlessness including fraud, ransomware, data theft, and other types of profitable hacking. Cybercriminals are more aggressively taking advantage of geopolitical conflict and legal standing gaps. For example, almost all hacking operations are in countries that do not have friendly geopolitical relations with the United States or its allies – and all their many proxy hops would stay consistent with this. These proxy hops are how they hide their true location and identity.
Moreover, with local police departments extremely overworked and understaffed with their number one priority being responding to the huge uptick in violent crime in most major cities, white-collar cybercrimes remain a low priority. Additionally, local police departments have few cyber response capabilities depending on the size of their precinct. Often, they must sheepishly defer to the FBI, CISA, and the Secret Service, or their delegates for help. Yet not unsurprisingly, there is a backlog for that as well with preference going to large companies of national concern that fall clearly into one of the 16 critical infrastructures. That is if turf fights and bureaucratic roadblocks don’t make things worse. Thus, many mid and small-sized businesses are left in the cold to fend for themselves which often results in them paying ransomware, and then being a victim a second time all the while their insurance carrier drops them.
Further complicating this is lack of clarity on data breach and business interruption insurance coverage and terms. Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented so they are by default behind the technology. Most often general liability business insurance covers bodily injuries and property damage resulting from your products, services, or operations. Please see my related article 10 Things IT Executives Must Know About Cyber Insurance to understand incident response and to reduce the risk of inadequate coverage and/or claims denials.
According to the Identity Theft Resource Center (ITRC)’s 2021Q3 Data Breach Report, there was a 17% year-over increase as of 09/30/21. This means that by the time they finish their Q4 2021 report it’s likely to be above a 30% year-over-year increase. Breaches are also more costly for organizations suffering them according to the IBM Security Cost of Data Breach Report (Fig 5).
Fig 5. Cost of A Data Breach Increases 2020 to 2021 (IBM Security, 2021).
From 2020 to 2021 the average cost of a data breach in U.S. dollars rose to $4.24 million from $3.86 million. This is almost a 10% increase at 9.1%. In contrast, the preceding 4 years were relatively flat (Fig 5). The pandemic and policing conundrum is a considerable part of this uptick.
Lastly, this is a lot of money for an organization to spend on a breach. Yet this amount could be higher when you factor in other long-term consequence costs such as increased risk of a second breach, brand damage, and/or delayed regulatory penalties that were below the surface – all of which differs by industry. In sum, it is cheaper and more risk prudent to spend even $4.24 million or a relative percentage at your organization on preventative zero trust capabilities than to deal with the cluster of a data breach.
Take-Aways:
COVID-19 remains a catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. The growth and acceptability of mass WFH combined with the mass resignation/gig economy remind employers that great pay and culture alone are not enough to keep top talent. Signing bonuses and personalized treatment are likely needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation-based authentication is here to stay with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should dashboard this with machine learning and AI tools.
Education and awareness around the review and removal of non-essential mobile apps is a top priority. Especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed, and updated often informed by need-to-know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.
IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app to app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware-inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and a security perspective.
Cloud infra will continue to grow fast creating perimeter and compliance complexity/fog.Organizations should preconfigure cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively.
The increase in number and cost of data breaches was in part attributed to vulnerabilities in supply chains in a few national data breach incidents in 2021. Part of this was addressed in President Biden’s Executive Order 1407 on supply chain security. This reminds us to replace outdated routers, switches, repeaters, controllers, and to patch them immediately. It also reminds us to separate and limit network vendor access points to strictly what is needed and for a limited time window. Last but not least, we must have up-to-date thorough business interruption / cyber insurance with detailed knowledge of what it requires for incident response with breach vendors pre-selected.
About the Author:
Jeremy Swenson is a disruptive thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combing Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, a MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.
On 06/10/21 major Esports software company, Electronic Arts (EA) was hacked. They are one of the biggest esports companies in the world. They count many major hit games including Battlefield, The Sims, Titanfall, and Star Wars: Jedi Fallen Order, in addition to many online league sports games; and they develop and/or publish many others. An EA spokesperson described game code and related tools as stolen in the hack and that they are still investigating the privacy implications. Early reports however indicated that a whopping 780GB of data was stolen (Balaji N, GBHackers On Security, 06/12/21).
Fig 1. EA Sports Hacked Image. Balaji N, GBHackers On Security, 06/12/21.
Given this recent hack here is an updated overview of some of the esports cyber threats and mitigations.
Threats:
1. Aimbots and Wallhacks
As esports revenues and player prizes increase, more players will look for opportunities to exploit the game to gain an advantage over competitors. Many underground hacker forums reveal hundreds of aimbots and wallhacks. Prices for such tools start as low as $5.00 but go as high as $2,000. These are essentially cheat tools for sale but they are technically prohibited in official competitions (Trend Micro, 2019).
Aimbots are a type of software used in multiplayer first-person shooter games to provide varying levels of automated targeting that gives the user an advantage over other players. Wallhacks allow the player to change the properties of in-game walls by making them transparent or nonsolid, making it easier to find or attack enemies.
Some of the hardware used in competitions can be manipulated by hackers with ease. For each tournament, a gaming board sets the rules on what equipment they allow tournament participants to use. A lot of professional tournaments allow players to bring their own mouse and keyboard, which have been known to house hacks.
Case in point, in 2018 a Dota 2 team was disqualified from a $15 million tournament after judges caught one of its members using a programmable mouse – the Synapse 3 configuration tool. The mouse allowed the player to perform movements that would be impossible without macros, a shortcut of preset key sequences not possible with standard nonprogrammable hardware (Trend Micro, 2019).
3. Stolen Accounts and Credentials
Threat actors have been increasingly targeting the esports industry. They do this by harvesting and selling user ID and password data of both internal and external systems for esports companies. A study by threat intelligence company KELA indicated that more than half a million login credentials tied to the employees of 25 leading game publishers have been found for sale on dark web bazaars (Amer Owaida, Welivewellsecurity, 01/05/2021).
4. Ransomware and DDoS (Distributed Denial of Services) Attacks
Ransomware can come via phishing, smishing, spam, or via free compromised plug-ins. When installed on the gaming platform they lock everything up and force the host to pay ransom in the form of difficult-to-trace digital currency like Bitcoin. Interestingly, researcher Danny Palmer of ZDnet cited Trend Micro’s research when he described the marriage of ransomware and DDoS attacks as follows:
“Researchers also warn that attackers could blackmail esports tournament organizers, demanding a ransom payment in exchange for not launching a DDoS attack – something which organizers might consider given how events are broadcast live and the reputational damage that will occur to the host organizer if the event gets taken offline” (Danny Palmer, ZDnet, 10/29/2019).
Mitigations:
1. Use a VPN (Virtual Private Network)
VPN establishes an encrypted tunnel between you and a remote server ran by the VPN provider. All your internet traffic is run through this tunnel, so your data is secure from eavesdropping. Your real IP address and location is masked preventing IPS tracking as your traffic is exiting the VPN server. You can also more confidently use public WIFI with a VPN.
2. Use A Password Management Tool and Strong Passwords
Another way to stay safe is by setting passwords that are longer, complex, and thus hard to guess. Additionally, they can be stored and encrypted for safekeeping using a well-regarded password vault and management tool. This tool can also help you to set strong passwords and can auto-fill them with each login — if you select that option. Yet using just the password vaulting tool is all that is recommended. Doing these two things makes it difficult for hackers to steal passwords or access your gaming accounts.
3. Use Only Whitelisted Gaming Sites Not Blacklisted Ones or Ones Found Via the Dark Web
Use only approved whitelisted gaming platforms and sites that do not expose you to data leakages or intrusion on your privacy. Whitelisting is the practice of explicitly allowing some identified websites access to a particular privilege, service, or access. Blacklisting is blocking certain sites or privileges. If a site does not assure your privacy, do not even sign up let alone participate.
Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic is partly the catalyst for most of these trends in conjunction with it being a presidential election year like no other. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprise in big and small ways.
Fig 1. Stock Mashup, 2020.
1) Disinformation Efforts Accelerate Challenging Data and Culture:
Advancements in communications technologies, the growth of large social media networks, and the “appification” of everything increases the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo, Bloomberg, 05/18/2019). Today’s disinformation war is largely digital via platforms like Facebook, Twitter, iTunes, WhatsApp, Yelp, and Instagram. Yet even state-sponsored and private news organizations are increasingly the weapon of choice creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.
Bots and botnets are often behind the spread of disinformation, complicating efforts to trace it and to stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps having permission to post to Facebook and then Facebook having permission to post to WordPress and then WordPress posting on Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and source, but it also weakens privacy and security due to the many authentication permissions.
We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since disinformation draws in viewers, which drives clicks and ad revenues – it is a money-making machine. If you can control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2020 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA, 12/22/2020). This negatively impacts culture by setting a misguided example of what is acceptable.
There were several widely reported cases of political disinformation in 2020 including misleading texts, e-mails, mailers, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap these disinformation bursts riled political opponents on both sides in all states creating miscommunication, ad hominin attacks, and even derailed careers (PBS, The Hinkley Report, 11/24/20). Moreover, huge swaths of confused voters aligned more with speculation and emotion/hype than unbiased facts. This dirtied the data in terms of the election process and only begs the question of which parts of the election information process are broken. This normalizes petty policy fights, emotional reasoning, lack of unbiased intellectualism – negatively impacting western culture. All to the threat actor’s delight. Increased public to private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.
2) Stalkerware Grows and Evolves Reducing Mobile Privacy:
The increased use of mobile devices in conjunction with the pandemic induced work from home (WFH) growth has produced more stalkerware. According to one report, there was a 51% increase in Android spyware and stalkerware from March through June, vs the first two months of the year (Avast, Security Boulevard, 12/02/20); and this is likely to be above a 100% increase when all data is tabulated for the end of 2020. Inspired by covert law enforcement investigation tactics, this malware variant can be secretly installed on a victim’s phone hiding as a seemingly harmless app. It is not that different from employee monitoring software. However, unlike employee monitoring software, which can easily be confused with this malware; stalkerware is typically installed by fake friends, jealous spouses and partners, ex-partners, and even concerned relatives. If successfully installed, it relays private information back to the attacker including the victim’s photos, location, texts, web browsing history, call records and more. This is where the privacy violation and abuse and/or fraud can start yet it is hard to identify in the blur of too many mobile apps.
3) Identity & Access Management (IAM) Scrutiny Drives Zero Trust:
The pandemic has pushed most organizations to amass WFH posture. Generally, this improves productivity making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders are speeding up the deployment of Zero Trust capabilities (Andrew Conway, Microsoft, 08/19/20). Zero trust moves organizations to a need to know only access mindset with inherent deny rules, all the while assuming you are compromised. This infers single sign-on at the personal device level and improved multifactor authentication. It also infers better role-based access controls (RBAC), improved need to know policies, group membership reviews, and state of the art PAM tools for the next year.
4) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:
This increased WFH posture blurs the security perimeter both physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real-time. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set default disable for badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real-time, and the related exception policies should be revaluated.
5) Data Governance Gets Sloppy Amid Agility:
Mass WFH has increased agility and driven sloppy data governance. For example, one week after the CARES Act was passed banks were asked to accept Paycheck Protection Program (PPP) loan applications. Many banks were unprepared to deal with the flood of data from digital applications, financial histories, and related docs, and were not able to process them in an efficient way. Moreover, the easing of regulatory red tape at hospitals/clinics, although well-intentioned to make emergency response faster. It created sloppy data governance, as well. The irony of this is that regulators are unlikely to give either of these industries a break, nor will civil attorneys hungry for any hangnail claim.
6) The Divide Between Good and Bad Cloud Security Grows:
The pandemic has reminded us that there are two camps with cloud security. Those who have a planned option for bigger cloud-scale and those that are burning their feet in a hasty rush to get there. In the first option, the infrastructure is preconfigured and hardened, rates are locked, and there is less complexity, all of which improves compliance and gives tech risk leaders more peace of mind. In the latter, the infrastructure is less clear, rates are not predetermined, compliance and integration are confusing at best, and costs run high – all of which could set such poorly configured cloud infrastructures up for future disasters.
7) Phishing Attacks Grow Exponentially and Get Craftier:
The pandemic has caused a hurricane of phishing emails that have been hard to keep up with. According to KnowBe4 and Security Magazine, there has been a 6,000% increase in phishing e-mails since the start of the pandemic (Stu Sjouwerman, KnowBe4, 07/13/20 & Security Magazine, 07/22/20). Many of these e-mails have improved their approach and design, appearing more professional and appealing to our emotions by using tags concerning COVID relief, data, and vaccines. Ransomware increased 72% year over year (Security Magazine, 07/22/20). With many new complexities in the mobile ecosystem and exponential app growth, it is not surprising that mobile vulnerabilities also increased by 50% (Security Magazine, 07/22/20).
Take-Aways:
COVID-19 is the catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation based authentication is here to stay with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should to dashboard this with machine learning and AI tools.
Education and awareness around the review and removal of non-essential mobile apps is a top priority. Especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed and updated often – embracing need to know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.
Cloud infra will continue to grow fast creating perimeter and compliance complexity/fog.Organizations should preconfigure cloud scale options and spend more on cloud trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively. IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app to app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and a security perspective.
About the Author:
Jeremy Swenson is a disruptive thinking security entrepreneur and senior management tech risk consultant. Over 15 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is also a frequent speaker, published writer, and even does some pro bono consulting in these areas. He holds an MBA from St Mary’s University of MN and MSST (Master of Science in Security Technologies) degree from the University of Minnesota.
Featuring the esteemed technology and risk thought leaders Donald Malloy and Nathaniel Engelsen — this episode covers threat modeling methodologies STRIDE, Attack Tree, VAST, and PASTA. Specifically, how to apply them with limited budgets. It also discusses the complex intersection of how to derive ROI on threat modeling with compliance and insurance considerations. We then cover IAM best practices including group and role level policy and control best practices. Lastly, we hear a few great examples of key CISO risk management must-dos at the big and small company levels.
Fig. 2. Pasta Threat Modeling Steps (Nataliya Shevchenko, CMU, 12/03/2018).
Donald Malloy has more than 25 years of experience in the security and payment industry and is currently a security technology consultant advising many companies. Malloy was responsible for developing the online authentication product line while at NagraID Security (Oberthur) and prior to that he was Business Development and Marketing Manager for Secure Smart Card ICs for both Philips Semiconductors (NXP) and Infineon Technologies. Malloy originally comes from Boston where he was educated and has M.S. level degrees in Organic Chemistry and an M.B.A. in Marketing. Presently he is the Chairman of The Initiative for Open Authentication (OATH) and is a solution provider with DualAuth. OATH is an industry alliance that has changed the authentication market from proprietary systems to an open-source standard-based architecture promoting ubiquitous strong authentication used by most companies today. DualAuth is a global leader in trusted security with two-factor authentication include auto passwords. He resides in southern California and in his spare time he enjoys hiking, kayaking, and traveling around this beautiful world.
Nathaniel Engelsen is a technology executive, agilest, writer, and speaker on topics including DevOps, agile team transformation, and cloud infrastructure & security. Over the past 20 years he has worked for startups, small and mid-size organizations, and $1B+ enterprises in industries as varied as consulting, gaming, healthcare, retail, transportation logistics, and digital marketing. Nathaniel’s current security venture is Callback Security, providing dynamic access control mechanisms that allow companies to turn off well-known or static remote and database access routes. Nathaniel has a bachelor’s in Management Information Systems from Rowan University and an MBA from the University of Minnesota, where he was a Carlson Scholar. He also holds a CISSP.
In this increasingly complex security landscape with threat actors and vendors changing their tools rapidly, managing third-party risk is very difficult, ambiguous, and it’s even more difficult to know how to prioritize mitigation spend.
Fig 1. Risk, Stock Image, 2019.
The key to any vendor risk management program or framework is measurement, repeatability, and learning or improving from what was repeated as the business and risks change. These are the nine best practices you can follow to help assess your vendors’ security processes and their willingness to understand your risks and collectively mitigate both of them.
1) Identify All Your Vendors / Business Associates:
Many companies miss this easy step. Use RBAC (role-based access controls) when applicable – windows groups or the like. Creating a repeatable, written, compliance process for identifying them and making updates to the list as vendors move in and out of the company is worthwhile.
2) Ensure Your Vendors Perform Regular Security Assessments:
Risk assessments should be conducted on a weekly, monthly, or quarterly basis and reviewed and updated in response to changes in technology and the operating environment.
At a minimum, security risk assessments should include:
a) Evaluate the likelihood and potential impact of risks to in-scope assets.
b) Institute measures to protect against those risks.
c) Documentation of the security measures taken.
Vendors must also regularly review the findings of risk assessments to determine the likelihood and impact of the risk that they identify, as well as remediate any deficiencies.|
3) Make Sure Vendors Have Written Information Security Policies / Procedures:
a) Written security policies and procedures should clearly outline the steps and tasks needed to ensure compliance delivers the expected outcomes.
b) Without a reference point, policies and procedures can become open to individual interpretation, leading to misalignment and mistakes. Verify not only that companies have these written policies, but that they align with your organization’s standards. Ask other peers in your industry for a benchmark.
4) Prioritize Vendors Based on Risk – Use Evidence and Input from Others – NOT Speculation:
a) Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.
b) High Risk: Vendors (1) who have access to customer data and have a high risk of information loss; and / or (2) upon whom your organization is highly dependent operationally.
c) Medium Risk: Vendors (1) whose access to customer information is limited; and / or whose loss of services would be disruptive to your organization.
d) Low Risk: Vendors who do not have access to customer data and whose loss of services would not be disruptive to your organization.
5) Verify That Vendors Encrypt Data in All Applicable Places – At Rest, In Transit, etc:
a) Encryption, a process that protects data by making it unreadable without the use of a key or password, is one of the easiest methods of protecting data against theft.
b) When a vendor tells you their data is encrypted, trust but verify. Delve deeper and ask for details about different in-transit scenarios, such as encryption of backup and what type of backup. Ask them about what type of encryption it is and get an infographic. Most people get lost when you ask this question.
c) It’s also imperative that the keys used to encrypt the data are very well-protected. Understanding how encryption keys are protected is as vital as encryption itself. Are they stored on the same server? Is multi-factor authentication needed to get access to them? Is there a time limit on how long they can have access to the key?
6) Ensure Vendors Have A Disaster Recovery Program:
In order to be compliant with the HIPAA Security Rule and related rules, vendors must have a detailed disaster recovery program that includes analysis on how a natural disaster—fire, flood or even a rodent chewing through cables—could affect systems containing ePHI. The plan should also include policies and procedures for operating after a disaster, delineating employees’ roles and responsibilities. Finally, the plan should clearly outline the plan for restoring the data.
7) Ensure Access Is Based on Legitimate Business Needs:
Fig 3. Stock Image, RBAC Flow, 2019.
It’s best to follow the principle of least privilege (POLP), which is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write, or execute only the files or resources they need to do their jobs. In other words, the least amount of privilege necessary. RBAC is worth mentioning here again.
8) Vet All New Vendors with Due Diligence:
a) Getting references.
b) Using a standard checklist.
c) Performing a risk analysis and determining if the vendor will be ranked Critical, High, Medium or Low.
Abstract Forward Consulting 
