Imperva, formally Incapsula, disclosed on 08/27/19 a data breach impacting its many customers. The company focuses on cyber-security and DDoS mitigation and consulting, heavily via its cloud web application firewall (WAF).
Fig. 1. Imperva, 2019.
The breach was discovered 08/20/19 via a third-party. Unfortunately, the exposure goes back to 09/15/17 which means they were compromised at least in part for more than two full years! Clearly, this is evidence of poor internal controls. The exposed data includes customer email addresses, hashed and salted passwords; and API keys and customer-provided SSL certificates — for a partial portion of the exposed data.
Don’t count on cyber security and software firms to be more secure than any other type of company. This breach is likely to negatively impact sales, product design, and will trigger a few investigations, and at least one lawsuit. Additionally, the insurance claim question is a loaded one — and is dependant on how much due diligence the company did before the breach.
To learn more about how to stop data breaches like these at your organization consider attending the Cyber Security Summit this fall.
The Ninth Annual Cyber Security Summit, “Pushing the Cyber Security Envelope,” takes place Oct. 28-30, 2019, at the Minneapolis Convention Center in Minneapolis, Minn.
The Summit has given awards to top leaders in industry, government and academia since 2015. However, for 2019 the awards program was expanded to include a wider array of visionaries.
To stay up to date on the Summit and top cyber security issues, follow the Cyber Security Summit on social media: Twitter, Facebook, LinkedIn, YouTube. Follow the hashtag #cybersummitMN for the latest conversations on this top matter.
As Summit co-founder Eileen Manning stresses in a well-circulated cover story for Upsize Magazine, cyber security is fundamental for small businesses that work with larger companies, which require it – not to mention for pure survival.
Data breaches like the one at Impervia are likely to increase so interested parties should come together to learn, debate, and flesh out solutions for a more secure future!
Most organizations view IT as a cost center that generates business data which is increasingly used to make business decisions. As a result, these assets need to be vigorously protected from both internal and external threats. Cyber liability insurance is an undeniable but imperfect way to protect these assets.
Cyber Liability Insurance Defined:
Cyber liability or data breach liability insurance is designed to reduce the risk of civil litigation and other penalties after a hack or data breach occurs. It helps cover the costs of public relations, identity protection solutions, forensic investigation, legal work, and more depending on the coverage you select.
Business interruption is the most common type of loss from a cyber indecent.
You want data breach coverage in place because fast action is required to help restore the public’s confidence if your business is victimized by a hack or data breach.
Note: each carrier and industry will define it uniquely.
Executives and Managers Have a Heightened Duty to Protect Systems and Data – No Exceptions:
Boardrooms are concerned with comprehensive information security, data protection, brand reputation, broad management liability and compliance.
Senior executives realize that the decisions they make impact shareholders and stakeholders; and that they can be held responsible for a hack or breach.
It is essential that IT teams provide the board with real-time compliance and information security status, so they can assess the current cyber risk profile (changes often) to make well-reasoned fact-based decisions.
One of the risk transfer decisions is how much cyber insurance to have, then selecting the correct endorsements and exclusions based on the industry, other insurance coverages, prior events, and the like.
Observing this complexity, IT and business executives need to understand cyber insurance and what role they play in defining cyber coverage. IT involvement is a critical aspect of the organization’s overall cyber risk management strategy for digital and even physical assets.
Your Assets, Risks, and Needed Coverages Must be Detailed and Ongoing:
What are your company’s greatest assets – including in hidden areas?
Have you had any bad events, business or technology related?
Were they documented and reported?
They could impact current coverage and future coverage.
What concerns keep you up at night, or consume more than their share of your attention in the day?
What are your key processes?
Do you have any procedures that are not tied to computers?
What is the 15% of your business that is not central to the operation, but is crucial because it distinguishes your company from others and opens the door for more clients to new markets?
Are your backup systems in place and ready to be activated at a moment’s notice?
Do your insurance coverages, business or technology related, match your risks and cover your assets?
General Liability Coverage Won’t Cover Data Breaches and Hacks:
Cyber insurance is almost always excluded from general liability policies unless you pay extra for and specifically define your cyber coverage needs.
Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented so they are by default behind the technology. Most often general liability business insurance covers bodily injuries and property damage resulting from your products, services or operations.
Many business owners overstate the risk of a workplace slip and fall injury and fail to adequately quantify cyber risk at all because it is a newer digital risk and you can’t see or touch it.
Cyber Liability Insurance Typically Covers Both First-Party and Third-Party Losses:
First-party losses include the breach response costs a company would incur to notify and communicate with the people impacted by a breach, conducting forensic analysis, hiring legal counsel and a crisis management team.
First-party cyber coverage may also pay for the loss or restoration of digital or network assets, trade secrets, intellectual property and business interruption expenses.
First-party coverages are often subject to a deductible. Fig. 1. Hartford Cyber Liability Coverages, Terms, and Exclusions Generally.
Cyber extortion (Ransomware) is another first-party coverage that pays the costs to terminate incidents in which criminals hold (or threaten to hold) a company’s network hostage in exchange for a ransom.
Many policies cover income you lose and extra expenses you incur to avoid or minimize a shutdown of your business after your computer system fails due a covered peril. The perils covered may be the same as those covered under Damage to Electronic Data. The loss of income and extra expense coverages afforded under a cyber liability policy differ from those provided under your commercial property policy.
Network security liability insurance covers lawsuits against you due to a data breach or to the inability of others to access data on your computer system. Coverage may apply if the data breach or inability to access your system is due to a denial of service attack, a virus, malware or unauthorized access and use of your system by a hacker or rogue employee. Policies may cover lawsuits alleging that you failed to adequately protect data belonging to customers, clients, employees or other parties.
Network privacy liability insurance covers lawsuits based on allegations that you failed to properly protect sensitive data stored on your computer system. The data may belong to customers, clients and other parties. Some policies cover liability arising from the release of private data (such as social security numbers) belonging to your employees.
Electronic media liability insurance covers lawsuits against you for acts like libel, slander, defamation, copyright infringement, invasion of privacy or domain name infringement.
Providing Timely Notice of Claim Is Key:
Claims-made coverage responds when a “claim,” as defined in the policy, is first made against an insured, irrespective of when the underlying incident occurred. Discovery-triggered coverage responds when the insured develops a reasonable belief that a first-party loss potentially covered by the policy may have occurred, even if the nature and extent of the loss are unknown (Jeanne Deni and Andrew Moss, 2019).
Notice is generally required as soon as practicable after a claim is made or loss discovered, and policies may require that notice be received during the policy period. In addition to timely notice, some cyber policies may require a sworn proof of loss statement within 90 to 180 days after discovery of certain first-party losses.
It is thus critical that company personnel in a position to detect potentially covered claims or losses have a working understanding of the scope of coverage and how it is triggered so that information is promptly communicated to management responsible for notifying the company’s insurance carriers. Notice should also be given to any excess insurers at the same time as the primary. (Jeanne Deni and Andrew Moss, 2019).
Pre-Select Breach/Hack Counsel and Vendors:
Normally cyber insurance policies require underwriter approval of the use of breach/hack vendors. (FSSCC, Cyber Insurance Buying Guide, 2016).
Pre-selection is critical because the last thing an organization should be worried about is whether their insurance provider will approve their selected breach counsel and forensics firm. It also helps you document your incident response plan (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016).
Fig 2. You Should Be Scared If you Have Not Planned For This, Stock, 2019.
Prepare for Likely Coverage Exclusions/Sub-limits:
Portable Electronic Device Exclusion
If the device leading to a cyber breach is portable, many policies could exclude coverage completely for any resulting loss (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016).
Intentional Acts Exclusion
What is intentional and by whom is highly confusing, and what about mere negligence viewed as intentional – easy denial case for the carrier.
A crime or fidelity policy generally covers first-party loss to the Insured even where such loss is caused by the Insured, while liability policies generally provide for damages or losses the Insured causes to a third party (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016). Most cyber insurance policies do not adequately provide for both first-party and third-party loss. For example, liability policies typically exclude coverage for damages or losses intentionally caused by an Insured. Thus, if an employee accidentally caused a cyber breach, the resulting loss would be covered (either under a general liability or umbrella policy that does not exclude cyber perils or under a stand-alone cyber policy). However, if a different employee caused the exact same cyber breach intentionally, the resulting loss would be denied under a general liability policy if this exclusion is present (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016).
Nation/State, Terrorism, Cyber Terrorism Exclusions/Acts of God
Acts of God exclusions can result in coverage being precluded simply based on who or what caused the breach to occur. For example, if a terrorist attack resulted in an explosion at an organization’s facility or a tornado caused massive damage to an organization’s power source, the resulting losses may not be covered under a standard cyber policy. Fundamentally, companies expect cyber insurance to cover their losses whenever a cyber breach happens, regardless of who caused it or why
Negligent Computer Security Exclusion
Some policies exclude coverage if data is unencrypted or if the Insured has failed to appropriately install software updates or security patches.
Data on unencrypted devices or BYOD
Some policies do not cover devices that are unencrypted or non-company-owned devices.
Some coverage is limited only to incidents that occur in the United States and an organization may need additional coverage depending on where data is stored.
Many policies also have sub-limits that may apply for things like breach notification costs, forensic expenses, credit monitoring costs, business or Post-Breach Services. Some insurers are starting to partner with cybersecurity specialists to assist customers who experience a cyber breach with forensic investigations, proactive incident response strategies, and training as they realize the benefit both to the customer and themselves in responding as quickly and efficiently as possible to a cyber breach to keep resulting costs, claims, and damages as low as possible.
Insurance Companies Tend to Deny Cyber Liability Issuance or Claims Coverage When One or More of These Items Are Present:
Inadequate cybersecurity testing procedures and audits.
It should be independent and auditable.
Inefficient processes to stay current on new releases and patches.
Patch management should be based on a qualitative and quantitative method.
It must be detailed, written, up to date, and it must have been practiced.
Inadequate backup processes and recovery procedures.
This assumes you have a data classification scheme and network segmentation.
This requires that you have tested the speed of your back up.
Inadequate policies concerning the security of vendors and business partners.
How you measured their risk and criticality to your business
Then put mitigating controls in place or cut the vendor.
Poor-quality security software and employee training.
Training on phishing, social engineering, and acceptable use of company data and technology.
Lack of adherence to a published security standard.
Your policies and procedures should generally conform to the standard that most closely fits your industry and company.
Cobit 5, NIST CSF, ISO 27001, etc.
Evaluating Cyber Liability Carriers:
The way to compare carriers is via their A.M. best rating, time in business, market share, S&P credit rating, industries excluded from coverage, premium cost, and amount of premium written.
You can also ask a broker for their assessment since they get feedback from many clients, etc.
Also, consider the country of legal jurisdiction.
Here are two carrier examples below.
Chubb Insurance of Switzerland (Cynthia Harvey, eSecurity Planet.com, 11/09/18)
The world’s largest publicly traded property and casualty insurance company and the largest commercial insurance provider in the United States.
The company launched its first “cyber risk” product in 1998.
Direct premiums written: $316.3 million
Market share: 17.0 percent
S&P rating: AA
A.M. Best rating: A++ (Superior)
Most risk classes eligible for at least $10 million in limits; maximum capacity of $100 million available through Chubb’s Global Cyber Facility.
Cyber Insurance product descriptions
Enterprise Risk Management (ERM) product is for large organizations in a wide array of industries.
DigiTech ERM offers enhanced protection tailored to the needs of technology companies, consultants and systems integrators, data processors and software developers. Integrity+ offers separate policies for claims made by customers, vendors, suppliers and other third parties.
ForeFront Portfolio 3.0 is tailored for private companies and includes crime insurance, kidnap ransom and extortion insurance, workplace violence expense insurance, and several other kinds of insurance, in addition to cyber insurance.
Beazley Insurance of London (Cynthia Harvey, eSecurity Planet.com, 11/09/18)
This insurance company offers marine, political, accident and contingency, property, reinsurance (insurance for insurers) and specialty products, which includes its cyber insurance business.
Founded in 1986, it is headquartered in London and does business in the U.S. Europe, Canada, Latin America and Asia. In 2018, it won multiple awards including Launch of the Year for Beazley Smart Tracker, Risk Carrier of the Year, Innovative Initiative for Weather Guard, Insurance CEO of the Year and Insurer of the Year.
Direct premiums written: $95.0 million
Market share: 5.1 percent
S&P rating: A+ (Strong)
A.M. Best rating: A (Excellent)
Limits: Up to $15 million with BBR, but additional coverage is available through BBR Boost.
Beazley has been providing cyber insurance since 2009.
Beazley calls its cyber insurance Beazley Breach Response (BBR). The company claims that it offers 360-degree protection against all cyber risks. That protection includes BBR Services, a business unit dedicated to helping organizations manage their response to incidents. It includes forensics experts, specialized lawyers and public relations professionals who can help organizations address breaches. Through a partnership with Lodestone Security, it also offers pre-breach services.
Lastly, we will be doing a cyber liability podcast to talk through these items in detail soon. See our podcast here.
Disclaimer: This article does not represent the views of former or current employers and / or clients. Non-public information will not be disclosed. Information obtained in this article may be materially out of date at or after the time of the publication. This article is not legal, accounting, audit, health, technical, or financial advice.
year we like to review and commentate on the most impactful technology and
business concepts from the prior year. Those that are likely to significantly
impact the coming year. Although incomplete, these are five areas worth
5. 5G Expansion Will
Spur Business Innovation
was the year 5G moved from hype to reality, and it will become more widespread
as the communications supply chain adopts it in 2019. 5G is the next iteration of
mobile connectivity and it aims to be much faster and more reliable than 4G,
3G, etc. Impressively, data speeds with 5G are 10 to 100 times faster than 4G.
The benefits of this includes enabling: smart IoT connected cities, seamless 8K
video streaming, improved virtual reality styled gaming, self-driving cars that
communicate with each other without disruption thereby enhancing safety and
reliability, and improved virtual reality glasses (HoloLens, Google Glass,
etc.) providing a new way of looking at the world around us.
As emerging technologies such
as artificial intelligence (AI), blockchain, the Internet of Things (IoT), and
edge computing — the practice of processing data near the edge of the network
where the data is being generated, not a centralized data-processing repository
— take hold everywhere, 5G can offer the advancements necessary to truly take
advantage of them. These technologies require 5Gs bolstered data transfer
speeds, interoperability, and its improved reliability. Homes will get smarter,
hospitals will be able to provide more intelligent care, the Internet of Things
will go into hyperdrive — the implications of 5G are massive. Yet most
importantly, 5G has much less latency, thereby enabling futuristic real-time
“There’s no doubt that much of the recent 5G activity has been focused on investments from service providers and equipment manufacturers,” Nick Lippis, co-founder and co-chairman of the Open Networking User Group (Kym Gilhooly, BizTech, 11/08/18). “However, more IT leaders are starting to make plans for 5G, which includes determining its impact on their data center architecture, procurement strategies and the solutions they’ll roll out”(Kym Gilhooly, BizTech, 11/08/18).
AT&T is one of the leaders in 5G distribution and as of 12/27/18 they have service up and running in these 12 cities: Atlanta, Charlotte, Dallas, Houston, Indianapolis, Jacksonville, Louisville, Oklahoma City, New Orleans, Raleigh, San Antonio and Waco (CNN Wire, 12/27/18). Verizon has a similar initiative in an earlier phase in some cities. While Google has Google Fiber is some cities, but there is lots of debate about if its better or worse than 5G – time will tell. More data and faster speeds derive more connected devices which need security, data protection, and privacy — failure to protect it aggressively derives to much risk at high costs.
4. Browser/Device Fingerprinting Growth Will Spur Better PET (Privacy Enhancing Technologies)
Device fingerprinting overcomes some of
the inefficiencies of using other means of customer-tracking. Most notably,
this includes cookies installed in web browsers, which businesses have long
used monitor user behavior when we visit their websites (Bernard
Marr, Forbes, 06/23/17). Employers do this at a much more invasive
level, but the pay is the tradeoff. Yet when employees use their own mobile
device for work-related things, protection of their personal data is best
achieved via data containerization tools like AirWatch and Centrify. Even on
these devices, the problem is that cookies can be deleted whenever we want. Its
relatively easy for us to stop specific sites, services or companies from using
them to track us — depending on how technical we are. Device fingerprinting
doesn’t have this limitation as it doesn’t rely on storing data locally on our
machines, instead, it simply monitors data transmitted and received as devices
connect with each other” (Bernard
Marr, Forbes, 06/23/17).
This type of data exploitation,
even with the user’s consent, allows for more complexity and thus higher
malware or SPAM/advertising risk. Antivirus makers are challenged to stay ahead
of these exploits. The GDPR (General Data Protection Regulation) unequivocally
states that this kind of personal data collection and user tracking is not
permitted to override the “fundamental rights and freedoms of the data subject,
including privacy” and is, we believe, not permitted by the new European
Budington, Bennett Cyphers, Alan Toner, and Jeremy Gillula, Electronic Freedom
Foundation, 12/22/18). The high courts will validate this over time.
Further complicating the matter is the terms of service on data-centric technology platforms such as Facebook, Twitter, LinkedIn, WordPress, Instagram, Amazon, etc. Their business models require considerable data sharing with third and fourth-party business entities, who gather elements of specific user data and then combine them with other browser and device fingerprinting data elements, thus completing the dataset. All the while the data subject and interconnected entities are mostly clueless. This further complicates compliance, erodes privacy, but is great for marketers — many people appreciate that Amazon correctly suggests what they often desire. Yet that is not always a good thing because this starts to precondition a person or a culture to norms at the expense of originality. In the past we saw tobacco companies do this unethically targeting young people, and there are more examples — think for yourself.
This begs the question of who owns these datasets and at what point in their semblance, where are they stored, how are they protected, and to what extent can informed consumers opt out if practicable — observing there is be some incidental data collection that has business protection. This paradox spurs competition and the growth of privacy enhancing technologies (PETs). Existing PETs include communication anonymizers, shared bogus online accounts, obfuscation tools, two or three-factor authentication, VPNs (virtual private networks), I.P. address rotation, enhanced privacy ID (EPID), and digital signature algorithms (encryption) which support anonymity in that each user has unique public verification key and a unique private signature key. Often these PETs are more useful when used with a fake account or server (honeynet). This attempts to divert and frustrate a potential intruder but gives the defender valuable intelligence.
Opera, Tor and Firefox are leading secure
browsers but there is an opportunity for better security and privacy plugins
from the Chrome (Google) browser, while VPN (Virtual Private Network)
technologies should be used at the same time for added privacy. These
technologies are designed to limit tracking and correlation of users’
interactions with third-party entities. Limited-disclosure (LD) often uses
cryptographic-techniques (CT) which allows users to retrieve only data that is
vetted by providers, for which the transmitted data to the third party is
trusted and verified.
Artificial Intelligence Will Grow on The SMB (Small and Medium Business) and
the past artificial intelligence (AI) has been primarily the plaything of big
tech companies like Amazon, Baidu, Microsoft, Oracle, Google, and some
well-funded cybersecurity startups like Cylance. Yet for many other companies
and sects of the economy, these AI systems have been too expensive and too
difficult to roll out effectively. Heck, even machine learning and big data
analytics systems can be cost and time prohibitive for some sects of the
economy, and for sure the individual market in prior years. However, we feel
the democratizing of cloud-based AI and machine learning tools will make AI
tools more accessible to the SMB and individual market.
At present, Amazon dominates cloud AI with its AWS (Amazon
Web Services) subsidiary. Google is challenging that with TensorFlow, an
open-source AI library that can be used to build other machine-learning
software. TensorFlow was the Machine Learning behind suggested Gmail smart replies.
Recently Google announced their Cloud AutoML, a suite of pre-trained systems
that could make AI easier to use (Kyle
Wiggers, Venture Beat, 07/28/18). Additionally, “Google announced
Contact Center AI, a machine learning-powered customer representative built
with Google’s Dialogflow package that interacts with callers over the phone.
Contact Center AI, when deployed, fields incoming calls and uses sophisticated
natural language processing to suggest solutions to common problems. If the
virtual agent can’t solve the caller’s issue, it hands him or her off to a
human agent — a feature Google labels “agent assist” — and presents the agent
with information relevant to the call at hand” (Kyle
Wiggers, Venture Beat, 07/28/18).
The above contact center AI and
chatbots can both be applied successfully to personal use cases such as medical
triaging, travel assistance, self-harm prevention, translation, training, and
improved personal service. Cloud platforms and AI construction tools like the
open source TensorFlow will enable SMBs to optimize insurance prices, model
designs, diagnosis and treat eye conditions, and build intelligence contact
center personas and chatbots, and much more as technology evolves in 2019.
2. Useful Big Data
Will Make or Break Organizational Competitiveness
Developed economies increasingly use big data-intensive technologies for everything from healthcare decisioning to geolocation to power consumption, and soon the world will to. From traffic patterns, to music downloads to web service application histories and medical data. It is all stored and analyzed to enable technology and services. Big data use has increased the demand for information management companies such as, Oracle, Software AG, IBM, Microsoft, Salesforce, SAP, HP, and Dell-EMC — who themselves have spent billions on software tools and buying startups to fill their own considerable big data analytics gaps.
For an organization to be competitive and
to ensure their future survival a “must have big data goal”
should be established to handle the complexity of the ever-increasing massive
volume of both, structured (rows and table) and unstructured (images and blobs)
data. In most enterprise organizations, the volume of data is too big, or it
moves too fast or it exceeds current processing capacity. Moreover, the
explosive growth of the Internet of Things (IoT) devices provides new data,
APIs, plugins/tools, and thus complexity and ambiguity.
We know there are open source
tools that will likely improve reliability in big data, AI, service, and
security contexts in 2019. For example, Apache Hadoop is well-known for its
capabilities for huge-scale data processing. Its open source big data framework
can run on-prem or in the cloud and has very low hardware requirements (Vladimir
Fedak, Towards Data Science, 08/29/18). Apache Cassandra is another
big data tool born out of Facebook around 2010. It can process structured data
sets distributed across a huge number of nodes across the world. It works well
under heavy workloads due to its architecture without single points of failure
and boasts unique capabilities no other NoSQL or relational database has.
Additionally it features, great liner scalability, simplicity of operations due
to a simple query language used, constant replication across nodes, and more (Vladimir
Fedak, Towards Data Science, 08/29/18).
2019 organizations should consider big data a mainstream quality business
practice. They should utilize and research new tools and models to improve
their big data use and applications — creating a center of excellence without
being married to buzzwords or overly weak certifications that all too often
squash disruptive solutioning. Lastly, these centers of excellence need to be
dominated not by the traditional IT director overloads. Rather, the real people
between the cracks who know more and have more creative ideas than these
directors who often build yes clichés around themselves and who are often not
the most qualified — great ideas and real leaders defy title.
1. Election Disinformation
and Weak U.S. Polling Systems Harms Business and Must Be Fixed
intersection of U.S. politics and media can be at times nasty, petty, selfish,
or worse outright lies and dirty smear campaigns under shadow proxies who skirt
campaign finance laws by being either a policy advocacy group – non-political,
or worse yet, a foreign-sponsored clandestine intelligence agency of an enemy
to the nation whose only rule is to disrupt U.S. elections. Perhaps Russian,
North Korea, or even China affiliated groups.
in big data and social media, browser proxies and fiber optic cable, 5G, in
conjunction with the antiquated and insecure U.S. polling system, makes
election news and security complicated, fragile and highly important. At
present, there are few people and technology companies that can help resolve
this dilemma. For a state-sponsored hacker group altering a U.S. election is
the ultimate power play.
for all parties is a must and disinformation of any type should not be
tolerated. Universities, think tanks, startups, government, and large companies
need to put time and money into experimenting as to how we can reduce
disinformation and better secure the polling systems. The first step is public
awareness and education on checking purported news sources, especially those
from digital media. The second step is more frequent enforcement of slander
laws and policies. Lastly, we should hold technology companies to high media
ethics standards and should write to their leaders when they violate them.
for securing the polling systems, multi-factor authentication should be used,
and voting should be done digitally via secure encrypted keys. If Amazon can
securely track the world’s purchases of millions of products with way more data
and complexity, and with service a moon shot better than your local state DMV
(driver and motor vehicle) office, than the paper ballot and OCR (Optical
Character Recognition) scanners need to go. There are many Android and iOS
applications that are more secure, faster, and easier to use than the current
U.S. polling system and they are doing more complex things and with more data
that is changing at an exponentially faster rate. They were also made for less
money. Shame on the U.S. OCR election system.
Business should not be afraid to talk about this, because, like a poisonous malware, it will spread and be used to easily run businesses out of business – often due to greed and/or petty personal differences. Examples of this include hundreds or thousands of fraudulent negative Yelp reviews, driving a competitor’s search rankings down or to a malicious site, redirecting their 1-800 number to a travel scam hotline, spreading false rumors, cyber-squatting, and more. Let 2019 be the year we stand to innovate via disruptive technologies for a more ethical economy.
About the Authors:
Jeremy Swenson, MBA,
MSST &Angish Mebratu, MBA meet in graduate
business school where they collaborated on global business projects concerning
leadership, team dynamics, and strategic innovation. They also worked together
at Optum / UHG. Mr. Swenson is a seasoned (14 years) IT consultant, writer, and
speaker in business analysis, project management, cyber-security, process
improvement, leadership, music, and abstract thinking. Over 15 years Mr.
Mebrahtu has worked with various fortune 500 companies including Accenture and
Thomson Reuters, and he is currently principal quality engineer/manager at
UnitedHealthcare. He is also an expert in software quality assurance,
cybersecurity technologies, and design and architecture of technology frames.
In this increasingly complex security landscape with threat actors and vendors changing their tools rapidly, managing third-party risk is very difficult, ambiguous, and it’s even more difficult to know how to prioritize mitigation spend. Thus, it’s not surprising that a 2017 Ponemon Institute vendor risk management survey across many industries concluded that 17% of the participants were not at all effectively managing these security risks (Maureen McKinney, 2018).
Fig. 1. Third Party Risk Mgmt Inputs.
The key to any vendor risk management program or framework is measurement, repeatability, and learning or improving from what was repeated as the business and risks change. These are the nine best practices you can follow to help assess your vendors’ security processes and their willingness to understand your risks and collectively mitigate both of them.
1) Identify All Your Vendors / Business Associates: Many companies miss this easy step. Use RBAC (role-based access controls) when applicable – windows groups or the like. Creating a repeatable, written, compliance process for identifying them and making updates to the list as vendors move in and out of the company is worthwhile.
2) Ensure Your Vendors Perform Regular Security Assessments: Risk assessments should be conducted on a weekly, monthly, or quarterly basis and reviewed and updated in response to changes in technology and the operating environment.
At a minimum, security risk assessments should include:
a) Evaluate the likelihood and potential impact of risks to in scope assets.
b) Institute measures to protect against those risks.
c) Documentation of the security measures taken.
Vendors must also regularly review the findings of risk assessments to determine the likelihood and impact of the risk that they identify, as well as remediate any deficiencies.
3) Make Sure Vendors Have Written Information Security Policies / Procedures: a) Written security policies and procedures should clearly outline the steps and tasks needed to ensure compliance delivers the expected outcomes.
b) Without a reference point, policies and procedures can become open to individual interpretation, leading to misalignment and mistakes. Verify not only that companies have these written policies, but that they align with your organization’s standards. Ask other peers in your industry for a benchmark.
4) Verify That Vendors Encrypt Data in All Applicable Places – At Rest, In Transit, etc: a) Encryption, a process that protects data by making it unreadable without the use of a key or password, is one of the easiest methods of protecting data against theft.
b) When a vendor tells you their data is encrypted, trust but verify. Delve deeper and ask for details about different in-transit scenarios, such as encryption of backup and what type of backup. Ask them about what type of encryption it is and get an infographic. Most people get lost when you ask this question.
c) It’s also imperative that the keys used to encrypt the data are very well-protected. Understanding how encryption keys are protected is as vital as encryption itself. Are they stored on the same server? Is multi-factor authentication needed to get access to them? Is there a time limit on how long they can have access to the key?
5) Ensure Vendors Have A Disaster Recovery Program: In order to be compliant with the HIPAA Security Rule and related rules, vendors must have a detailed disaster recovery program that includes analysis on how a natural disaster—fire, flood or even a rodent chewing through cables—could affect systems containing ePHI. The plan should also include policies and procedures for operating after a disaster, delineating employees’ roles and responsibilities. Finally, the plan should clearly outline the plan for restoring the data.
6) Prioritize Vendors Based on Risk – Use Evidence and Input from Others – NOT Speculation: a) Critical Risk: Vendors who are critical to your operation, and whose failure or inability to deliver contracted services could result in your organization’s failure.
b) High Risk: Vendors (1) who have access to customer data and have a high risk of information loss; and / or (2) upon whom your organization is highly dependent operationally.
c) Medium Risk: Vendors (1) whose access to customer information is limited; and / or (2) whose loss of services would be disruptive to your organization.
d) Low Risk: Vendors who do not have access to customer data and whose loss of services would not be disruptive to your organization.
7) Ensure Access Is Based on Legitimate Business Needs: It’s best to follow the principle of least privilege (POLP), which is the practice of limiting access rights for users to the bare minimum permissions they need to perform their work. Under POLP, users are granted permission to read, write, or execute only the files or resources they need to do their jobs. In other words, the least amount of privilege necessary. RBAC is worth mentioning here again.
Fig 2. RBAC Flow.
8) Vet All New Vendors with Due Diligence: a) Getting references.
b) Using a standard checklist.
c) Performing a risk analysis and determining if the vendor will be ranked Critical, High, Medium or Low.
d) Document and report to senior management.
9) Ensure All Contracts Are Reviewed with Legal and Risk Counsel: a) Requirements to keep system and data secure per best practices and industry standards.
b) Requirements to provide you access to audit documents.
c) Confidentiality and privacy requirements – GDPR, CA, and NY privacy rules.
d) Requirements to notify you of security breaches, incidents, and vulnerabilities. Quantify what these terms mean as there is lots of ambiguity dependent on the industry and use case. Identify who is the decider of if something is an event or incident.
e) Requirements to undergo independent penetration tests and vulnerability (scans) assessments.
Whether it’s Power Mining Pool today or Bitconnect yesterday, the crypto space is festering with parasitic scams and opportunistic swindlers. The conditions are ripe for them and there’s money to be made.
Fig. 1. BTCProMiner Free Scam research, 2018.
Among the dangers, Bitcoin mining scams are a tough one to identify and parting the good from the nasty can be tricky. Mining scams are wrapped up in an already technically demanding task of Bitcoin mining. They are billed as a consumer-friendly method for building exposure to Bitcoin mining, and when run like this, they really do provide value for investors looking to diversify.
Legit Bitcoin cloud mining pools are too often buried in search results and outranked by throngs of fly-by-night operations. Finding the legit pools can be a tall order and require sifting through Reddit posts and Bitcointalk forum entries. With that said, there are legit mining operations out there. As always, do your own research and stay skeptical as we settle and develop this wild frontier. For now, let’s take a look at what a crypto mining scam looks like to hopefully better prepare us to identify the key red flags.
What’s a Cloud Mining Pool?
A cloud mining pool is the most hands-off version of crypto mining you can get. They allow a participant to rent or lease hashing power not directly owned by themselves. The rented hashing power is then pooled and paid out proportionally to the members (after fees and operational costs).
A traditional mining pool instead requires participants to supply their own hashing power and pool it with other miners. The participant owns and operates their own hardware and contributes to the pool’s overall hashing power. The critical difference between a cloud mining pool and a traditional mining pool is the ownership of the hardware.
Cloud mining: you don’t own the hardware (hashing power).
Traditional mining: you own hardware (hashing power).
Why pool at all? In short, block rewards become more difficult to obtain as overall hashing power of a particular blockchain increase. Take Bitcoin as an example. There was a time in Bitcoin mining when a standard CPU could mine whole blocks itself. Gone are those days. Bitcoin mining is now big business with plenty of stakeholders leveraging their resources into the security of the blockchain. Miners with serious hashing power make it improbable for small miners to reasonably expect block rewards. Their hashing power is just not enough to compete.
The solution: gather together all these smaller players and pool their hashing power. Miners in a pool no longer compete for blocks of their own, instead, they work together and proportionally share the booty.
What’s a Ponzi Scheme?
It’s theft, let’s just clear that up. If you’re in a Ponzi scheme you are either being robbed or doing the robbing yourself. A typical Ponzi scheme involves enticing participants to invest their money into a fund or investment strategy that has seemingly guaranteed returns. In reality, and with variation, the returns are not gained by real-world trading or superior business acumen. Conversely, new investments to the funds are distributed around existing investors and represented as market returns.
Fig 2. General Ponzi Scheme Principles, 2018.
Ponzi schemes require a constant flow of new investment to keep the machine moving. Once things fall apart or new investment slows, the scheme is often revealed for what it is. In the world of crypto Ponzi schemes, a collapsing Ponzi scheme is followed by a hasty exit scam.
Case in point; “A New York federal court has ordered cryptocurrency hedge fund Gelfman Blueprint, Inc. (GBI) and its CEO Nicholas Gelfman to pay over $2.5 million for operating a fraudulentPonzi scheme, according to an official announcement published Oct. 18. GBI is a New York-based corporation and denominated Bitcoin (BTC) hedge fund incorporated in 2014. As stated on the company’s website, by 2015 it had 85 customers and 2,367 BTC under management. The order is the continuation of the initial anti-fraud enforcement action filed by the U.S. Commodity Futures Trading Commission (CFTC) against GBI in September 2017. The CFTC charged GBI for allegedly running a Ponzi scheme from 2014 to 2016, telling investors that it had developed a computer algorithm called “Jigsaw” which allowed for substantial returns through a commodity fund. In reality, the entire scheme was a fraud” (Ana Alexandre, Cointelegraph.com, 10/19/18).
Keep in mind that Ponzi schemes thrive in times of economic expansion and speculative bubbles. Capturing collective optimism is pivotal to its success. Bitconnect is a choice example of the market fervor getting the best of investors.
Identifying the Red Flags of a Cloud Mining Ponzi Scheme
Firstly, the duck test. If it looks like a duck, swims like a duck, and quacks like a duck, then it probably is a duck. The duck test isn’t scientific by any standard but can be used to leverage your gut feeling to identify early warning signs. Ponzi schemes, whether in Wall Street, Main Street or Bitcoin mining pools, all share very common characteristics. If the opportunity you’re looking at is checking off the same boxes that previous Ponzi schemes had, it’s probably a duck.
Let’s take a look at some criteria or common characteristics of Bitcoin cloud mining Ponzi schemes.
**Much appreciation to Puppet on the BitcoinTalk forum for their work on this template to review Bitcoin cloud mining operations. Until this type of vetting is part of the investor process, crowd-sourced community led investigation is paramount.**
Red flags of a cloud mining Ponzi scheme (adapted from Puppet’s Criteria)
No public mining address / Users unable to select own pools
When you rent hashing power from a cloud miner, you are only renting hashing power. This means that the pool you contribute to should be your own choice. The cloud mining operator you rent from may also have a pool for convenience but should not require you to use it. There is no reason for a mining pool to hide their public mining address, it just doesn’t make sense.
No endorsement from hardware/ASIC provider
With the overwhelming amount of cloud mining operations being Ponzi schemes, the industry virtually requires a shout-out from their hardware provider to ensure customers that there really are miners buzzing away on their behalf. If your cloud mining company can’t prove they own their hardware (without raising more questions) then you should reconsider.
No pictures or recordings of their hardware or datacenter
It is common practice for miners to be closed lipped about where their data centers are located. So, don’t expect to get robust images or recordings that dox the facility or owners. However, some evidence should exist and beyond their location, the pictures or video shouldn’t look to be hiding anything.
No limits on how much hashing power you can lease
Cloud mining providers will have a limited inventory of hashing power on hand at any time. Furthermore, expanding an operation’s inventory takes time and can be limited by the market supply of ASIC’s and other factors. It’s questionable for a cloud miner to not share their inventory supply with their customers. Most concerning, offenders will promise you instant and limitless scalability.
Referral payouts schemes
Often, mining Ponzi schemes will also feature a form of multi-level marketing to encourage members to bring on new investments. Members are incentivized to grow their own teams, and each new member they bring in increases their rewards.
If the owners are anonymous, move on. There is little-to-no reason to be an anonymous operator of a cloud mining service. If they provide identification, double check it, ask around, and do some due diligence. Is the owner hidden behind private registration? Has the domain been registered for less than six months? (You can find this information by searching for the platform’s URL registration details on a site like WHOis.net). The more information you can find about the people/company behind a website, the better.
No clear path for divesting
There should be well-defined methods for withdrawing funds or closing rental contracts.
Quack, quack, quack!
If any of these red flags are present in the cloud mining business than take a moment and consider why.
Power Mining Pool: A Case Study for Cloud Mining Ponzi Schemes
Power Mining Pool was a typical Bitcoin mining pool Ponzi scheme and even included a multi-level marketing (MLM) styled referral system. Looking back it is a lot easier now to see the red flags that were present then. Hindsight is twenty-twenty. When a company expects you to send them money, but refuses to disclose any information about itself, you’re almost certainly being scammed. A WHOIS checkup shows that PowerMiningPool.com domain was registered on June 27, and the mining pool website launched online on September 4, 2017.
Red Flag #1 Power Mining Pool didn’t have a public mining address and didn’t allow for mining outside their own pool.
Red Flag #2 No endorsement or sign of approval from hardware suppliers. Nothing to be found on Reddit, Telegram, BitcoinTalk, and so on.
Red Flag #3 A serious lack of informative images. An archive of the Power Mining Pool shows a website riddled with stock images and vague copywriting. In addition to the generic images, there is a video that provides no additional insight into the company.
Red Flag #4 No limits to how much you can invest. Power Mining Pool sold hashing power in the form of shares, which any investor could purchase without limit. Shares would not only be your claim to the guaranteed returns but also provide you with more ability to climb the ranks of the MLM reward system.
Red Flag #5 From Associate to President Millionaire, members could climb the ranks by both acquiring new shares in the pool and successfully referring new members. At each new rank in membership, you received bonuses and higher returns. For you to move up in ranks, however, your referrals also needed to move up. Not only do you need to bring in new successful members, but your referrals do too. Sound familiar?
Red Flag #6 The founders of Power Mining Pool are brothers and live in central Europe. And that’s all the information available. Searching their names, Andrew and Mike Conti, is about as helpful as the caricatures of themselves on their about page. Additionally, a WHOIS search of the company’s domain shows the admin contacts hidden behind a domain name privacy service.
Red Flag #7 After the cease and desist, Power Mining Pool has up and left with members’ principal investments. Initially, there were accounts of members receiving their daily mining profits as promised. However, it’s common for early adopters of Ponzi schemes to see earnings while their principal investments are siphoned off.
Red Flag #8 “Every share you purchase will earn you €70.” That’s a promise plucked directly from the former subpage subtly titled opportunities. Each share costs members €50 which means Power Mining Pool is guaranteeing 40 percent returns.
Power Mining Pool is only one example of a Bitcoin cloud mining service riddled with red flags and warning signs. In fact, there are breadcrumbs of evidence linking Power Mining Pool to other operational Bitcoin cloud mining scams. Battling these schemes is a game of whack-a-mole: closing down one just creates three more.
The code is what makes the cryptocurrency work, and most legitimate cryptocurrency teams will make their codes ‘open source’. This means it is published openly, so anyone can read it, edit it, and check it is what the founders say it is. Of course, just because you can’t read the code yourself doesn’t mean not being able to see it is OK. If a cryptocurrency team is keeping their code secret, it should set off alarm bells. Unless they have validated I.P., what are they trying to hide, but even then they would have long legal paperwork and patient documents they could show…..
Just because red flags are present doesn’t always mean you have identified a scam. They are early warning signs and alarms telling us to look a little deeper, investigate further, and remain skeptical. Questions and suspicions are not inherently dangerous themselves but ignoring them is. Power Mining Pool was peppered with reasons to raise concern and seek clarity. The answers provided to these questions should support unique technological offerings, business savvy, and this should all be logically connected. If operators don’t directly answer most of these questions see if they have other commonalities with know crypto scams as it may be another example in a long line of Bitcoin cloud mining Ponzi schemes. BitClub Network, HashOcean, Coinmulitplier Club, MinersLab, and Bitcoin Cloud Services are just a handful of other examples. Unscrupulous operators are swindling and cheating people out of their money. If you see reasons to be concerned, then share it with the community, ask the operators for clarity, and be cautious. Don’t keep it a secret.
1) Use the Free DHS Developed CSET (Cybersecurity Evaluation Tool) To Assess Your Security Posture: High, Med, or Low.
Figure 1. (DHS, 2018).
2) Educate Employees About Cyber Threats and Hold Them Accountable.
Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Use games with training and hold everyone accountable to security policies and procedures.
3) Protect Against Viruses, Spyware, and Other Malicious Code.
Make sure each of your business’s computers are equipped with antivirus software and anti-spyware and updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Especially watch freeware which contains malvertising.
4) Secure Your Networks.
Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Have a secure strong password such as (xeyg1845%RELIGO) to protect access to the router.
5) Base Your Security Strategy Significantly on the NIST Cybersecurity Framework 1.1: Identity, Detect Defend, Respond, and Recover.
Fig. 2. (NIST, 2018).
6) Establish Security Practices and Policies to Protect Sensitive Information.
Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies and who is accountable.
7) Require Employees to Use Strong Passwords and to Change Them Often.
Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account. Smart card plus pass-code for example.
8) Employ Best Practices on Payment Cards.
Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.
9) Make Backup Copies of Important Business Data and Use Encryption When Possible.
Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.
10) Control Physical Access to Computers and Network Components.
Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.
11) Create A Mobile Device Protection Plan.
Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Use a containerization application to separate personal data from company data. Be sure to set reporting procedures for lost or stolen equipment.
12) Protect All Pages on Your Public-Facing Web-pages, Not Just the Checkout and Sign-Up Pages.
Make sure submission forms can block spam and can block code execution (cross side scripting attacks).
In the United States (US), healthcare organizations and providers have much experience with the Health Insurance Portability Accountability Act (HIPAA), and other pertinent federal laws and regulations. Now, with the new European privacy regulations, the General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, should cause many U.S. healthcare organizations to think well beyond information security and patient privacy.
Now, important considerations will also include data flows, handling data, cross-border data transfer, data privacy, security monitoring and overall policy compliance for international patients. For those healthcare organizations that offer services in the European Union (EU) or service European Union citizens, then the GDPR, which took effect on May 25, 2018, is a new burden.
The GDPR is designed to standardize data privacy and protection laws across Europe, but it will impact processes, technology, relationships and communication internationally. The new obligations pertain to any organization that handles EU data, whether that organization is in the EU or not. U.S. healthcare organizations will need to safeguard EU patients’ data based on the GDPR in addition to HIPAA and other U.S. regulations. The GDPR fundamentally changes how personal and sensitive data can be used, processed, managed, stored, deleted and disclosed and applies whether an organization is a data controller or data processor.
Healthcare organizations with operations in the EU or who collect personal data in Europe on EU citizens (even such things as collecting business cards at a conference in the EU) will clearly be within the GDPR regime.
The GDPR rules now in force could see a great increase in the penalties slapped on firms for past data breaches, with fines levied at a maximum of 4% of global revenues – which seems excessive, but is intended to be scary. One major change from most US laws on data breach reporting is that the regulations requires organizations notify authorities of a data breach within 72 hours and, if the breached data is of a serious personal nature, that those individuals whose data has been breached also be notified within 72 hours.
Now, those healthcare organizations subject to GDPR will need to prove that they have adequate processes in place to manage and protect EU residents’ “personal data.” The regulator who manages GDPR in each country may request written documentation in support of GDPR compliance. Key requirements of the GDPR include:
1) Appoint a Data Protection Officer (DPO) responsible for data processing.
2) Document privacy and security policies and procedures.
3) Implement GDPR special codes of conduct.
4) Measure effectiveness of privacy and security compliance controls.
5) Implement risk-based approach for data processing.
6) Define risks presented by data processing activities.
7) Implement Data Protection Impact Assessment (Article 35).
8) Define implement controls and processes related to potential security threats, vulnerabilities and breaches.
9) Utilize pseudonymization and encryption as controls – a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers.
10) Regulate controls to ensure the ongoing confidentiality, integrity, availability (CIA), and resilience of systems and services
11) Enable restoration of availability and access to data and services, in a timely manner, in the event of a security incident.
12) Implement process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.
13) Right to erasure (‘right to be forgotten’).
In conclusion, an organization’s CEO and Board of Directors are responsible for GDPR compliance as well as complying with American laws. They must ensure that practices are balanced with all cybersecurity and data privacy regulations that apply to their organization. If not done properly, organizations will leave themselves vulnerable to huge fines and criminal consequences under the GDPR, damage to their public reputations, the possibility of additional penalties in the U.S. and securities lawsuits. Multinationals and their US business partners can expect to have to answer underwriters’ queries as to their compliance with GDPR when they are buying or renewing their cyber liability and management liability policies for the next several years.
As the number and breadth of massive data breaches increase, pressure will build on politicians to enact new statutes and regulations with a focus on making corporate management and boards responsible parties for protecting personal information. GDPR is going to be an important “test case” that other countries and jurisdictions will watch closely. New regulations and statutes such as GDPR are mandating that boards and individual directors become focused and engaged on cybersecurity issues. Now, individual directors may be personally responsible for cybersecurity-related issues. There is currently a lack of cyber knowledge on boards of directors in general.
It is unlikely that the threat of holding individual directors responsible for cybersecurity will abate. Data breaches which are reported almost daily have raised the general level of distrust of “big business”, such as the recent criticism of the officers of Experian and Uber and many others before them, and a corresponding increase in the desire to hold top executives personally responsible. In response to these trends, directors must increase their cybersecurity skills, engagement and awareness to comply with the GDPR and the likely next wave of cyber laws and regulations.
Cyber and D&O underwriters will also be closely monitoring these developments and we can expect changes in policy forms to occur as the risks evolve and any negative loss trends become apparent.
For U.S. healthcare organizations subject to GDPR, a demonstrable effort to comply is mandatory, and time is critical. It seems that the regulators are not requiring immediate and total compliance. Rather, they are looking for entities to be able to show that they are making steps towards compliance and are moving forward with what yet needs to be done. Almost all healthcare organizations, whether now subject to the GDPR or not, will soon also face new laws, such as have just been passed in California (and due to be in effect in 2020), which will bring GDPR-type regulations to the USA itself.
Writer Keith Daniels, JD, CIPP/US Editor Jeremy Swenson, MBA, MSST
 Keith Daniels, JD, CIPP/US is a graduate of the University of Wisconsin – Eau Claire and the University of Wisconsin Law School. He has practiced law in Wisconsin and Illinois and has been involved in cyber liability insurance since its inception around the year 2000. Keith is a Sr independent cyber privacy, compliance, data protection, and risk liability consultant who partners with Abstract Forward Consulting. He is located in Minneapolis, MN and can be reached on LinkedIn here.
In this episode, we have a deep conversation with CISO Consultant Chip Harris. We start with an overview of network scanning, both free open source tools like OpenVAS and other more costly options like Tenable. We then talk about red teaming, issues with data security lakes, the Equifax data breach, how leadership impacts security, and how threat actors are better at innovating than defenders typically are. We also cover the evolution of messaging, mobile device application hype and exploits, mobile application containerization, how the cyber kill chain came about, and a few things about the future of incident response.
Harris has an extensive background in government and business InfoSec engineering and red team planning and operations — with over 25 years of experience designing and managing IT systems. His expertise is in identifying and solving problems by delivering projects and solutions. His experience includes serving as the IT lead and project manager within the business unit, evaluating system performance, helping business leaders and non-technical clients understand how technology can improve workflow, developing and enforcing standard IT practices, and ensuring IT compliance with regulations such as NERC CIP, PCI, GDPR, HIPAA, and SOX.
He has a Ph.D. in Cyber Security and Cyber Operations from the United States War College, a Masters in Cyber Security and Cyber Crime from the United States War College, and a Bachelors in Computer Science and Animation from Memphis College of Art. He has the following certifications: MCE, MCSE, NCE, MCSA, MCM, MCT, Security +, SUSE Novell Linux, Open SUSE Enterprise, Ubuntu Server Admin, PICK WMS, Backtrack 5, Netools 5, Dell Kace 3000 and 1000, IBM Q-Radar, Carbon Black, Tenable Security Suite, Dark Trace, Q-Radar, IBM Guardium, OWASP, Check Point, RHL, Kali Linux Certified, C|EH, C|PT, C|HFI, CCE, GIAC Rated, Barracuda, and he is even Tripwire Certified.
As crypto-currency enters the mainstream cyber-criminals are using crypto-mining malware (Fig. 1) to infect websites and devices ranging from smartphones to servers. All of this is dependent on a strong understanding of bitcoin mining in the blockchain as described below.
Fig. 1. Bitcoin Crypto-Jacking Threat Actor.
Every ten to fifteen minutes mining computers collect hundreds of waiting bitcoin transactions (a block) and then convert them into mathematical puzzles. The first miner to find the puzzle solution shares it with others on the network. Then other miners check whether the sender of the funds has the right to spend the money and if the solution to the puzzle is correct. If enough of them grant their approval, the block is crypto-graphically added to the ledger and the miners move on to the next set of transactions (hence the term “blockchain”). The miner who found the solution gets 12.5 bitcoins as a reward (presently), but only after another 99 blocks have been added to the ledger. This is the incentive to participate in the system and validate these transactions (L.S., The Economist, 2015).
Clever as it may be, this system has weaknesses. One is rapid consolidation. Most mining power today is provided by pools—big groups of miners who combine their computing power to increase the chance of winning the coin reward. As mining pools have gotten bigger, it no longer seems inconceivable that one of them might amass enough capacity to mount a 51% attack—whereby an organization is somehow able to control most of the network mining power (hashrate). Bitcoin is secured by having all miners (computers processing the networks transactions). Indeed, in June 2014 one pool, GHash.IO, had the bitcoin community running scared by briefly touching that level before some users voluntarily switched to other pools.
As the bitcoin price continues to fall, consolidation could become more of a problem. Some miners are giving up because the rewards of mining no longer cover the costs. Some worry that mining will become concentrated in a few countries where electricity is cheap, like China, thus allowing a hostile government to seize control of bitcoin. Others predict that mining will end up as a monopoly—the exact opposite of the decentralized system that the elusive Bitcoin founder Mr. Nakamoto set out to create.
With a strong understanding of blockchain technology, crypto-mining malware attacks and infects websites and devices ranging from smartphones to servers in one of these three common but not exhaustive ways.
1) Sneaking dedicated crypto-mining software into your network via unpatched and out of date server vulnerabilities. Servers are especially at risk here: the crooks love them because they’re usually more powerful than desktops and laptops, and they’re usually running 24/7. Old mid-sized data centers are at high risk because they often have minimal defenses.
3) Mobile application exploits—twenty-four Android apps recently (Sept 2018) made it into the Google Play store with code that turns users’ phones into crypto-currency mining workers. Some of them targeted users in the U.S. by using the guise of educational tools—they have been download around 120,000 times (Bleeping Computer, Ionut Ilascu, 09/28/18).
Crypto-jacking malware on enterprises running thousands of computers can disturb the daily operations of the business and even damage the hardware. In February 2018, Crypto-currency mining malware CoinHive was found on more than 5,000 government websites (Fig 3.) in the U.K., U.S., and Australia (Patrick Greenfield, The Guardian, 02/11/18).
Once infected, the crypto-mining malware uses hosts CPU / GPU power to mine coins thus allowing cyber-criminals to grow their personal wallets. According to McAfee Labs crypto-mining malware attacks increased by 1,189% in Q1 2018. Attackers are getting smarter, instead of a one-time payment from ransomware, they prefer the long game and a steady revenue stream from infected devices (McAfee Labs Threats Report, June 2018). Crypto-mining is in its infancy and thus there’s a lot of room for growth and evolution over the next few years.
Oftentimes crypto-jacking goes undetected as attackers find new ways to infect the devices.
Yet here are the top three indicators that a machine is infected with crypto-malware:
1. The device is acting unusually slow.
2. Smartphone or personal computer constantly overheats.
3. The battery on laptop or phone dies unreasonably fast.
In today’s threat landscape here are the top five things you can do to prevent crypto-jacking:
1. Run the most up-to-date anti-malware and antivirus programs. Ideally a strong one like Avast.
2. If your device significantly slows down when you’re on a certain site close it and check it again. It may be an infected website especially if you get a bunch on pop-ups.
3. Install web browser anti-crypto-mining extensions.
4. Use AI driven network monitoring software (SecBl, Darktrace, etc). Mostly for servers not so much individual PCs.
Mid-sized businesses are defined from about $50 million to $800 million in revenue. A 2017 report published by Keeper Security and the Ponemon Institute found more than 50% of small and medium business had been breached in the past 12 months, but only 14% of them rated their ability to defend against cyber-threats as “highly effective” (Keeper / Ponemon, 2017). According to the 2017 Verizon Data Breach Investigations Report, 75% of the breaches were caused by outsiders with 51% involving organized criminal groups and the remaining involved internal actors. Not surprising, malware installed via malicious email attachments was present in 50% of the breaches involving hacking(Verizon, 2017). Here are ten steps (applicable to any size business) you can take to shield your mid-sized business from cyber-attacks:
10) Train Staff Often:
Most cyber-attacks take the form of phishing and spear phishing which is hackers targeting individuals rather than computer systems – typically with the help of good social engineering (IT Governance Blog, 2017). Therefore, employees need to be educated to roll back what they share on social media and to opt out of data harvesting when they can. Training needs to be ongoing because the threat landscape and technology change so fast. For example, ransomware was not a serious attack vector 6 years ago, but it is front and center today. Additionally, crypto-currency mining networks is an exploit vector that is arguably less than 2 years old and growing rapidly. Lastly, training more often improves the company security culture and that is directly related to keeping a good business reputation and core customer base. Here are a few more training necessities:
1. Follow cyber security best practices and conduct audits on a regular basis – based on your selected one or two frameworks (Cobit 5, ISO 2700, etc)
2. Use games contest and prizes to teach cyber safety – leadership must do this as well.
3. Notify and educate staff of any current cyber-attacks – have a newsletter.
4. Teach them how to handle and protect sensitive data – do lunch and learns.
9) Secure Wireless Networks:
Wireless networks can be easily exploited by cyber attackers, unknowing guests, and even angry customers. Your network is not like a coffee shop community room but rather it’s like a bank vault with many segmented areas – map the segments and know their rank order value. To harden your wireless network, avoid WEP (Wired Equivalent Privacy) encryption (which can be cracked in minutes) and use only WPA2, which uses AES-based encryption and provides better security than WPA.
Fig 1. (WPA2 Selection Screen Clip).
If you have a Wi-Fi network, be sure access to the router is secured by a password and hidden so that it does not broadcast the network name. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Also, remember to password-protect access to the router. Additionally, for protection against brute-force attacks, protect your network with a complex passphrase containing at least 25 characters and including a mix of letters, upper and lower case and numerals and symbols. Use a firewall and encryption to safeguard your internet connection.
8) Physically Secure Your Environment:
Focusing on web tools and monitoring is needed, but it’s also important to remember there are physical concerns about securing your network as well. To a threat actor overcoming all of your security measures may be as easy as walking up to your router and pressing the reset button. Make sure that your key pieces of in-office infrastructure are secure, and that you’re monitoring them with video, sensors or other physical security controls. Make sure to be creative and thorough about how you define a physical security connection point including: doors, public lobbies, windows, air vents, turnstiles, roofs, printer room, network closet, and USB ports on machines, etc. Lastly, employees should keep their devices near them at all times.
7) Double Down on Firewalls:
While most routers have a firewall built in that can protect your internal network against outside attacks, you should know that it may not be automatically activated. It’s generally called something like SPI (stateful packet inspection) or NAT (network address translation). Either way, turn it on (Chelsea Segal, Cox Blue, 09/16/18).
It’s also important to ensure that your own software isn’t sending information out over the network or the internet without your permission. For that, you’ll want to install firewall software on your PC as well. PC Magazine’s top pick is Check Point ZoneAlarm Pro, but the default firewall that comes with Windows 8 and 10 is also a good start.
6) Evaluate Your Operational Resilience and Cyber-Security Practices Quarterly:
A good start is the US-CERT’s Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more (SBA, 2018). They can also use the CSET (Cyber Security Evaluation Tool), which is a free customizable multi-framework DHS created general cyber security assessment.
5) Review Control Access / IAM and Audit Access Regularly:
Administrative access to your systems should only be granted on a need-to-know basis – least privilege principle. The correct job roles should be in the correct windows access groups. Keep sensitive data – such as payroll – out of the hands of anyone who doesn’t need it to do their job, marketing for example. Remove unused, stale, or unnecessary IAM users/credentials. Also, consider decommissioning old systems for risk reduction and cost savings – with the appropriate project analysis done. Use a secure strong password especially for single sign on interfaces – two factor authentication. Organizations should audit their IAM user activity to see which users haven’t logged into AWS for at least 90 days and revoke their permissions. Monitor user activity in all cloud services (including IAM user activity) to identify abnormal activity indicative of threats arising from a compromised account, or malicious/negligent internal employee – when corroborated with event logs and related intelligence.
4) Back up and Secure Your Systems and Data but Don’t Over Retain:
Ransomware, or viruses used by hackers to encrypt an organization’s computer files and detain them until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI (FBI CISO Report 2018). Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves. These are some key data backup subpoints.
1. Limit access to sensitive data to only a few authorized employees.
2. Encrypt all your sensitive data – do not over-classify.
3. Backup your data periodically and store it in an offsite location.
4. Protect all devices with access to your data – third party vendor implications.
5. If you accept credit cards transactions, secure each point of sale.
3) Create a Guidebook for Mobile Security:
While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks (FCC, Feb 2018). Plus, set reporting procedures for lost or stolen mobile devices. Draft a BYOD policy that separates personal vs. corporate data and covers the below points.
1. Ensure your equipment has the latest security software and run anti-virus/malware scans regularly. If you don’t have good anti-virus software installed, buy and install it.
2. Install all software updates as soon as they are available, including all web browsers.
3. Have the latest operating systems on your devices with access to regular updates.
4. Make sure your internet connect is protected with firewall security.
5. Make sure your Wi-Fi network is encrypted, hidden, and password protected.
2) Use Encrypted Websites for E-commerce Via Strong Third-Party Risk Management Policies:
Only buy from encrypted websites by looking for https on every page. Don’t’ be teased in by super low prices or the like, it may be a drive by download set-up. Ensure that the owner of the website is reputable and is who they say they are. This kind of gets at third party and supply chain risk management, which should be based on some applicable security framework for your industry, etc.
1) Avoid When Possible and Rigorously Evaluate Freeware:
There are a lot of free options for software including anti-virus (AVG), graphic design (GIMP), marketing and sales applications, some of which are quite reliable. However, many are not reliable and pose risk because they often come with malvertising, utility ad ons that slow things down, or direct malware. All of this complicates cyber risk and blurs sight lines into the infrastructure stack. Cyber security isn’t a good place to cut costs so pay for a good antivirus and firewall tool-set. If you are going to use a robust free graphic design tool like GIMP make sure it is documented, always updated, and that it is run in a limited area.
Bonus) Have a Sound Way To Prioritize Patching.
Establish a process to risk-rate vulnerabilities based on: ease of exploit and potential impact of the vulnerability (reference the CVE scores), if other working defenses are in place, and lastly by grouping the assets they may impact.