Five Cyber-Tech Trends of 2021 and What it Means for 2022.

Minneapolis 01/08/22

By Jeremy Swenson

Intro:

Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic and mass resignation/gig economy continue to be a large part of the catalyst for most of these trends. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprise in big and small ways.

Fig. 1. Facebook Whistle Blower and Disinformation Mashup (Getty & Stock Mashup, 2021).

Summary:

The pandemic continues to be a big part of the catalyst for digital transformation in tech automation, identity and access management (IAM), big data, collaboration tools, artificial intelligence (AI), and increasingly the supply chain. Disinformation efforts morphed and grew last year, challenging data and culture. This requires us to put more attention on knowing and monitoring our own social media baselines. We no longer have the same office due to mass work from home (WFH) and the mass resignation/gig economy. This implies increased automated zero-trust policies and tools for IAM with less physical badge access required. The security perimeter is now more defined by data analytics than physical/digital boundaries.

The importance of supply chain cyber security was elevated by the Biden Administration’s Executive Order 14017 in response to hacks including SolarWinds and Colonial Pipeline. Education and awareness around the review and removal of non-essential mobile apps grows as a top priority as mobile apps multiply. All the while, data breaches and ransomware reach an all-time high while costing more to mitigate.

1) Disinformation Efforts Accelerate Challenging Data and Culture:

Disinformation has not slowed down any in 2021 due to sustained advancements in communications technologies, the growth of large social media networks, and the “appification” of everything thereby increasing the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo; Bloomberg, 05/18/2019).

Today’s disinformation war is largely digital via platforms like Facebook, Twitter, Instagram, Reddit, WhatsApp, Yelp, TikTok, SMS text messages, and many other lesser-known apps. Yet even state-sponsored and private news organizations are increasingly the weapon of choice, creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside.

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace and stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps may have permission to post to Facebook, Facebook may have permission to post to WordPress, and WordPress may post to Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and original source, but it also weakens privacy and security due to the many authentication permissions involved. The data is also duplicated at each of these layers, which is an additional consideration.

We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since most disinformation draws in viewers, which drives clicks and ad revenues, it is a money-making machine. If you can significantly control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2021 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA; 09/28/2021). This negatively impacts culture by setting a misguided example of what is acceptable.

There were several widely reported cases of political disinformation in 2021 including misleading texts, e-mails, mailers, Facebook censorship, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap, these disinformation bursts riled political opponents on both sides in all states, creating miscommunication, ad hominem attacks, and even derailed careers with impacts into the future (PBS; The Hinkley Report, 11/24/20 and Daniel Funke; USA Today, 12/23/21).

Facebook is significantly involved in disinformation, as one recent study stated: “Globally, Facebook made the wrong decision for 83 percent of those ads that had not been declared as political by their advertisers and that Facebook or the researchers deemed political. Facebook both overcounted and undercounted political ads in this group” (New York University; Cybersecurity For Democracy, 2021). Of course, Facebook disinformation whistleblower Frances Haugen, who testified before Congress in 2021, is only more evidence of these and related Facebook failings, specifically that “Facebook executives, including CEO Mark Zuckerberg, misstated and omitted key details about what was known about Facebook and Instagram’s ability to cause harm” (Bobby Allyn; NPR, 10/05/21).

Fig. 2. Facebook Gaps in Ad Transparency (IMEC-DistriNet KU Leuven and NYU Cyber Security for Democracy, 2021).

With the help of Facebook’s misinformation, huge swaths of confused voters and activists aligned more with speculation and emotion/hype than unbiased facts, and/or project themselves as fake commentators. This dirtied the data in terms of the election process and only begs the question – which parts of the election information process are broken? This normalizes petty policy fights, emotional reasoning, lack of unbiased intellectualism – negatively impacting western culture. All to the threat actor’s delight. Increased public to private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.

2) Identity and Access Management (IAM) Scrutiny Drives Zero Trust Orchestration:

The pandemic and mass resignation/gig economy have pushed most organizations to a mass work from home (WFH) posture. Generally, this improves productivity, making it likely to become the new norm, albeit with new rules and controls. To support this, 51% of business leaders started speeding up the deployment of zero trust capabilities in 2020 (Andrew Conway; Microsoft, 08/19/20), and there is no evidence to suggest this is slowing down in the next year; rather, it is likely increasing to support zero trust orchestration. Orchestration is enhanced automation between partner zero trust applications and data, while leaving next to no blind spots. This reduces risk and increases visibility and infrastructure control in an agile way. The quantified benefit of deploying mature zero trust capabilities including orchestration is on average $1.76 million less in breach response costs when compared to an organization that has not rolled out zero trust capabilities (IBM Security, Cost of A Data Breach Report, 2021).

Fig. 3. Zero Trust Components to Orchestration (Microsoft, 09/17/21).

Zero trust moves organizations to a need-to-know-only access mindset with inherent deny rules, all the while assuming you are compromised. This implies single sign-on at the personal device level and improved multifactor authentication. It also implies better role-based access controls (RBAC), firewalled networks, improved need-to-know policies, effective whitelisting and blacklisting of apps, group membership reviews, and state of the art PAM (privileged access management) tools for the next year. In the future, more of this is likely to go toward better automating and orchestrating (Fig. 3) zero trust abilities so that one part does not hinder another part via complexity fog.
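The deny-by-default decision described above can be sketched in a few lines. This is an added example, not code from the article or from any vendor product; the role names, app names, resources and the `unused_roles` review helper are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical policy data; every name below is constructed for this example.
ROLE_GRANTS = {
    "payroll-analyst": {("payroll-db", "read")},
    "payroll-admin": {("payroll-db", "read"), ("payroll-db", "write")},
    "helpdesk": {("ticketing", "read"), ("ticketing", "write")},
}
APP_ALLOWLIST = {"corp-browser", "payroll-client", "ticket-client"}
APP_BLOCKLIST = {"legacy-ftp"}
PRIVILEGED_ACTIONS = {"write"}  # assumed to require a PAM-brokered session


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset
    resource: str
    action: str
    app: str
    mfa_passed: bool
    device_compliant: bool
    pam_session: bool = False


def evaluate(req):
    """Return (allowed, reasons). Access starts as denied; every check must pass."""
    reasons = []
    if not req.mfa_passed:
        reasons.append("mfa_missing")
    if not req.device_compliant:
        reasons.append("device_not_compliant")
    if req.app in APP_BLOCKLIST:
        reasons.append("app_blocklisted")
    elif req.app not in APP_ALLOWLIST:
        reasons.append("app_not_allowlisted")  # unknown apps are denied, not ignored
    granted = set()
    for role in req.roles:
        granted |= ROLE_GRANTS.get(role, set())
    if (req.resource, req.action) not in granted:
        reasons.append("no_role_grant")  # need-to-know: no grant means no access
    if req.action in PRIVILEGED_ACTIONS and not req.pam_session:
        reasons.append("pam_session_required")
    return (not reasons, reasons)


def unused_roles(assignments, access_log):
    """Group membership review: roles a user holds but never exercised in the log.

    assignments: {user: set of roles}; access_log: iterable of (user, resource, action).
    """
    used = {}
    for user, resource, action in access_log:
        used.setdefault(user, set()).add((resource, action))
    findings = {}
    for user, roles in assignments.items():
        idle = sorted(
            r for r in roles
            if not (ROLE_GRANTS.get(r, set()) & used.get(user, set()))
        )
        if idle:
            findings[user] = idle
    return findings


if __name__ == "__main__":
    req = AccessRequest("ana", frozenset({"payroll-analyst"}), "payroll-db",
                        "write", "payroll-client", True, True)
    print(evaluate(req))
```

Returning every failed check, rather than stopping at the first, gives the dashboards and orchestration layer a complete reason list per denied request.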

3) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:

This increased WFH posture blurs the security perimeter physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real-time. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set default disable for badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real-time, and the related exception policies should be re-evaluated.

New data lakes and machine learning informed patterns can better define security perimeter baselines. One example of this includes knowing what percent of your remote workforce is on what internet providers and what type, for example Google fiber, Comcast cable, CenturyLink DSL, ATT 5G, etc. There are only certain modems that can go with each of these networks, and that leaves a data trail. Of course, it could be any type of router. What type of device they connect with (MAC, Apple, VM, or other) and whether it is healthy can all be determined in relationship to security perimeter analytics.
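A small version of that baseline, as an added example that is not part of the original article: it computes the share of the remote workforce per provider/access type and per device type, then flags new sessions that fall outside the baseline or come from an unhealthy device. The CSV columns and all sample rows are constructed; a real feed would come from VPN or SSO telemetry.

```python
import csv
import io
from collections import defaultdict

# Constructed sample telemetry; every value is made up for this example.
BASELINE_CSV = """user,isp,access_type,device_type,healthy
ana,Comcast,cable,Mac,yes
ana,Comcast,cable,Mac,yes
raj,Comcast,cable,VM,yes
lee,CenturyLink,DSL,Mac,yes
kim,Google Fiber,fiber,Mac,yes
kim,Google Fiber,fiber,Mac,yes
"""

TODAY_CSV = """user,isp,access_type,device_type,healthy
ana,Comcast,cable,Mac,yes
raj,ExampleHost,datacenter,VM,yes
lee,Comcast,cable,Mac,no
kim,Google Fiber,fiber,Mac,yes
"""


def parse_sessions(text):
    """Parse CSV session telemetry into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def workforce_share(sessions, fields):
    """Percent of distinct users seen for each combination of the given fields."""
    members = defaultdict(set)
    users = set()
    for s in sessions:
        members[tuple(s[f] for f in fields)].add(s["user"])
        users.add(s["user"])
    if not users:
        return {}  # no baseline yet; avoid dividing by zero
    return {k: round(100 * len(v) / len(users), 1) for k, v in members.items()}


def flag_sessions(baseline, current):
    """Return [(user, [reasons])] for sessions that deviate from the baseline."""
    fleet = workforce_share(baseline, ("isp", "access_type"))
    seen_by_user = defaultdict(set)
    for s in baseline:
        seen_by_user[s["user"]].add((s["isp"], s["access_type"]))

    findings = []
    for s in current:
        key = (s["isp"], s["access_type"])
        reasons = []
        if key not in fleet:
            # Nobody in the workforce has used this provider/type before.
            reasons.append("provider_not_in_fleet_baseline")
        elif key not in seen_by_user[s["user"]]:
            # Known provider, but new for this particular user.
            reasons.append("provider_new_for_user")
        if s["healthy"].strip().lower() != "yes":
            reasons.append("device_unhealthy")
        if reasons:
            findings.append((s["user"], reasons))
    return findings


if __name__ == "__main__":
    base = parse_sessions(BASELINE_CSV)
    print(workforce_share(base, ("isp", "access_type")))
    print(workforce_share(base, ("device_type",)))
    print(flag_sessions(base, parse_sessions(TODAY_CSV)))
```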

4) Supply Chain Risk and Attacks Increase Prompting Government Action:

Every organization has a supply chain big or small. There are even subcomponents of the supply chain that can be hard to see like third/fourth-party vendors. A supply chain attack works by targeting a third/fourth party with access to an organization’s systems instead of hacking their networks directly.

In 2021 cybercriminals focused their surveillance on key components of the supply chain including hacking DNS servers, switches, routers, VPN concentrators and services, and other supply chain connected components at the vendor level. Of note was the massive Colonial Gas Pipeline hack that spiked fuel prices this last summer. This was caused by one compromised VPN account informed by a leaked password from the dark web (Turton, William; and Mehrotra, Kartikay; Bloomberg, 06/04/21). The SolarWinds hack was another supply chain-originated attack in that the attackers got into SolarWinds’ IT management product Orion, which in turn got them into the networks of most of the customers of that product (Lily Hay Newman; Wired, 12/19/21). The research consensus unsurprisingly ties this attack to Russian affiliated threat actors and there is no evidence contradicting that.

In response to these and related attacks the U.S. Presidential Administration issued Executive Order 14017, the heart of which requires those who manufacture and distribute software to have a new awareness of their supply chain, including what is in their products, even open-source software (White House; 05/12/21). This is in addition to more spending on CISA hiring and public relations efforts for vulnerabilities and NIST framework conformance. Time will tell what this order delivers, as it’s dependent on what private sector players do.

Fig. 4. Supply Chain Cyber Attack Diagram (INSURETrust, 2021).

5) Data Breaches Have Greatly Increased in Number and Cost:

The pandemic has continued to be a part of the catalyst for increased lawlessness including fraud, ransomware, data theft, and other types of profitable hacking. Cybercriminals are more aggressively taking advantage of geopolitical conflict and legal standing gaps. For example, almost all hacking operations are in countries that do not have friendly geopolitical relations with the United States or its allies – and all their many proxy hops would stay consistent with this. These proxy hops are how they hide their true location and identity.

Moreover, with local police departments extremely overworked and understaffed, and with their number one priority being responding to the huge uptick in violent crime in most major cities, white-collar cybercrimes remain a low priority. Additionally, local police departments have few cyber response capabilities depending on the size of their precinct. Often, they must sheepishly defer to the FBI, CISA, and the Secret Service, or their delegates for help. Yet unsurprisingly, there is a backlog for that as well, with preference going to large companies of national concern that fall clearly into one of the 16 critical infrastructures. That is if turf fights and bureaucratic roadblocks don’t make things worse. Thus, many mid and small-sized businesses are left in the cold to fend for themselves, which often results in them paying the ransom and then being a victim a second time, all the while their insurance carrier drops them.

Further complicating this is lack of clarity on data breach and business interruption insurance coverage and terms. Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented so they are by default behind the technology. Most often general liability business insurance covers bodily injuries and property damage resulting from your products, services, or operations. Please see my related article 10 Things IT Executives Must Know About Cyber Insurance to understand incident response and to reduce the risk of inadequate coverage and/or claims denials.

According to the Identity Theft Resource Center (ITRC)’s 2021 Q3 Data Breach Report, there was a 17% year-over-year increase as of 09/30/21. This means that by the time they finish their Q4 2021 report it’s likely to be above a 30% year-over-year increase. Breaches are also more costly for organizations suffering them according to the IBM Security Cost of Data Breach Report (Fig 5).

Fig 5. Cost of A Data Breach Increases 2020 to 2021 (IBM Security, 2021).

From 2020 to 2021 the average cost of a data breach in U.S. dollars rose to $4.24 million from $3.86 million. This is almost a 10% increase at 9.1%. In contrast, the preceding 4 years were relatively flat (Fig 5). The pandemic and policing conundrum is a considerable part of this uptick.

Lastly, this is a lot of money for an organization to spend on a breach. Yet this amount could be higher when you factor in other long-term consequence costs such as increased risk of a second breach, brand damage, and/or delayed regulatory penalties that were below the surface – all of which differs by industry. In sum, it is cheaper and more risk prudent to spend even $4.24 million or a relative percentage at your organization on preventative zero trust capabilities than to deal with the cluster of a data breach.

Take-Aways:

COVID-19 remains a catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. The growth and acceptability of mass WFH combined with the mass resignation/gig economy remind employers that great pay and culture alone are not enough to keep top talent. Signing bonuses and personalized treatment are likely needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation-based authentication is here to stay with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should dashboard this with machine learning and AI tools.

Education and awareness around the review and removal of non-essential mobile apps is a top priority. Especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed, and updated often informed by need-to-know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.

IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app to app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware-inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and a security perspective.

Cloud infra will continue to grow fast creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively. 

The increase in number and cost of data breaches was in part attributed to vulnerabilities in supply chains in a few national data breach incidents in 2021. Part of this was addressed in President Biden’s Executive Order 14017 on supply chain security. This reminds us to replace outdated routers, switches, repeaters, controllers, and to patch them immediately. It also reminds us to separate and limit network vendor access points to strictly what is needed and for a limited time window. Last but not least, we must have up-to-date thorough business interruption / cyber insurance with detailed knowledge of what it requires for incident response with breach vendors pre-selected.

About the Author:

Jeremy Swenson is a disruptive thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combining Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, a MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

Abstract Forward Podcast #10: CISO Risk Management and Threat Modeling Best Practices with Donald Malloy and Nathaniel Engelsen!

Fig. 1. Joe the IT Guy, 10/17/2018

Featuring the esteemed technology and risk thought leaders Donald Malloy and Nathaniel Engelsen — this episode covers threat modeling methodologies STRIDE, Attack Tree, VAST, and PASTA. Specifically, how to apply them with limited budgets. It also discusses the complex intersection of how to derive ROI on threat modeling with compliance and insurance considerations. We then cover IAM best practices including group and role level policy and control best practices. Lastly, we hear a few great examples of key CISO risk management must-dos at the big and small company levels.

Fig. 2. Pasta Threat Modeling Steps (Nataliya Shevchenko, CMU, 12/03/2018).

Donald Malloy has more than 25 years of experience in the security and payment industry and is currently a security technology consultant advising many companies. Malloy was responsible for developing the online authentication product line while at NagraID Security (Oberthur) and prior to that he was Business Development and Marketing Manager for Secure Smart Card ICs for both Philips Semiconductors (NXP) and Infineon Technologies. Malloy originally comes from Boston where he was educated and has M.S. level degrees in Organic Chemistry and an M.B.A. in Marketing. Presently he is the Chairman of The Initiative for Open Authentication (OATH) and is a solution provider with DualAuth. OATH is an industry alliance that has changed the authentication market from proprietary systems to an open-source standard-based architecture promoting ubiquitous strong authentication used by most companies today. DualAuth is a global leader in trusted security with two-factor authentication including auto passwords. He resides in southern California and in his spare time he enjoys hiking, kayaking, and traveling around this beautiful world.

Nathaniel Engelsen is a technology executive, agilist, writer, and speaker on topics including DevOps, agile team transformation, and cloud infrastructure & security. Over the past 20 years he has worked for startups, small and mid-size organizations, and $1B+ enterprises in industries as varied as consulting, gaming, healthcare, retail, transportation logistics, and digital marketing. Nathaniel’s current security venture is Callback Security, providing dynamic access control mechanisms that allow companies to turn off well-known or static remote and database access routes. Nathaniel has a bachelor’s in Management Information Systems from Rowan University and an MBA from the University of Minnesota, where he was a Carlson Scholar. He also holds a CISSP.

The podcast can be heard here.

More information on Abstract Forward Consulting can be found here.

Disclaimer: This podcast does not represent the views of former or current employers and/or clients. This podcast will make every reasonable effort to verify facts and inferences therefrom. However, this podcast is intended to entertain and significantly inform its audience based on subjective reason-based opinions. Non-public information will not be disclosed. Information obtained in this podcast may be materially out of date at or after the time of the podcast. This podcast is not legal, accounting, audit, health, technical, or financial advice. © Abstract Forward Consulting, LLC.

Cybersecurity Firm Imperva Discloses Data Breach

Imperva, formerly Incapsula, disclosed on 08/27/19 a data breach impacting its many customers. The company focuses on cyber-security and DDoS mitigation and consulting, heavily via its cloud web application firewall (WAF).

Fig. 1. Imperva, 2019.

The breach was discovered 08/20/19 via a third party. Unfortunately, the exposure goes back to 09/15/17 which means they were compromised at least in part for more than two full years! Clearly, this is evidence of poor internal controls. The exposed data includes customer email addresses, hashed and salted passwords; and API keys and customer-provided SSL certificates — for a partial portion of the exposed data.

Don’t count on cyber security and software firms to be more secure than any other type of company. This breach is likely to negatively impact sales and product design, and will trigger a few investigations and at least one lawsuit. Additionally, the insurance claim question is a loaded one — and is dependent on how much due diligence the company did before the breach.

To learn more about how to stop data breaches like these at your organization consider attending the Cyber Security Summit this fall.

  • The Ninth Annual Cyber Security Summit, “Pushing the Cyber Security Envelope,” takes place Oct. 28-30, 2019, at the Minneapolis Convention Center in Minneapolis, Minn.
  • The Summit has given awards to top leaders in industry, government and academia since 2015. However, for 2019 the awards program was expanded to include a wider array of visionaries.
  • New this year, women in Cyber, PLUS 16 Tech Sessions, along with Healthcare & Med Device Cyber Security.  Check out this Star Tribune piece from Summit co-chair Catharine Trebnick and colleague Kyle Bauser on this very important topic.
  • To stay up to date on the Summit and top cyber security issues, follow the Cyber Security Summit on social media: Twitter, Facebook, LinkedIn, YouTube. Follow the hashtag #cybersummitMN for the latest conversations on this top matter.

As Summit co-founder Eileen Manning stresses in a well-circulated cover story for Upsize Magazine, cyber security is fundamental for small businesses that work with larger companies, which require it – not to mention for pure survival.

Data breaches like the one at Imperva are likely to increase so interested parties should come together to learn, debate, and flesh out solutions for a more secure future!

U.S. Healthcare Orgs and the GDPR: A New Wave of Privacy Is Blowing In From Europe

In the United States (US), healthcare organizations and providers have much experience with the Health Insurance Portability Accountability Act (HIPAA), and other pertinent federal laws and regulations. Now, the new European privacy regulation, the General Data Protection Regulation (GDPR), Europe’s new framework for data protection laws, should cause many U.S. healthcare organizations to think well beyond information security and patient privacy.

Now, important considerations will also include data flows, handling data, cross-border data transfer, data privacy, security monitoring and overall policy compliance for international patients. For those healthcare organizations that offer services in the European Union (EU) or service European Union citizens, the GDPR, which took effect on May 25, 2018, is a new burden.

The GDPR is designed to standardize data privacy and protection laws across Europe, but it will impact processes, technology, relationships and communication internationally. The new obligations pertain to any organization that handles EU data, whether that organization is in the EU or not. U.S. healthcare organizations will need to safeguard EU patients’ data based on the GDPR in addition to HIPAA and other U.S. regulations. The GDPR fundamentally changes how personal and sensitive data can be used, processed, managed, stored, deleted and disclosed and applies whether an organization is a data controller or data processor.

Healthcare organizations with operations in the EU or who collect personal data in Europe on EU citizens (even such things as collecting business cards at a conference in the EU) will clearly be within the GDPR regime.

The GDPR rules now in force could see a great increase in the penalties slapped on firms for past data breaches, with fines levied at a maximum of 4% of global revenues – which seems excessive, but is intended to be scary. One major change from most US laws on data breach reporting is that the regulation requires organizations to notify authorities of a data breach within 72 hours and, if the breached data is of a serious personal nature, that those individuals whose data has been breached also be notified within 72 hours.

Now, those healthcare organizations subject to GDPR will need to prove that they have adequate processes in place to manage and protect EU residents’ “personal data.” The regulator who manages GDPR in each country may request written documentation in support of GDPR compliance.  Key requirements of the GDPR include:

1) Appoint a Data Protection Officer (DPO) responsible for data processing.

2) Document privacy and security policies and procedures.

3) Implement GDPR special codes of conduct.

4) Measure effectiveness of privacy and security compliance controls.

5) Implement risk-based approach for data processing.

6) Define risks presented by data processing activities.

7) Implement Data Protection Impact Assessment (Article 35).

8) Define and implement controls and processes related to potential security threats, vulnerabilities and breaches.

9) Utilize pseudonymization and encryption as controls – a data management and de-identification procedure by which personally identifiable information fields within a data record are replaced by one or more artificial identifiers.

10) Regulate controls to ensure the ongoing confidentiality, integrity, availability (CIA), and resilience of systems and services.

11) Enable restoration of availability and access to data and services, in a timely manner, in the event of a security incident.

12) Implement process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures.

13) Right to erasure (‘right to be forgotten’).
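Item 9 above describes pseudonymization as replacing personally identifiable fields with artificial identifiers. The sketch below is an added example, not part of the original article and not a compliance recipe: it uses a keyed HMAC-SHA256 to derive the identifiers, which is one common approach and an assumption here. The field names and sample record are constructed.

```python
import hashlib
import hmac

# Assumed names of the fields that hold personal data in a record.
PII_FIELDS = ("patient_id", "name", "email")
MIN_KEY_BYTES = 32  # match the HMAC-SHA256 output size


def pseudonym(key, field, value):
    """Derive a stable artificial identifier for one field value.

    The field name is mixed in so the same value in two different fields
    yields unrelated tokens. Anyone holding the key can recompute tokens,
    so the key must be stored apart from the pseudonymized data set.
    """
    if len(key) < MIN_KEY_BYTES:
        raise ValueError("pseudonymization key is too short")
    normalized = value.strip().lower().encode("utf-8")
    msg = field.encode("utf-8") + b"\x00" + normalized
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return f"{field}_{digest[:32]}"


def pseudonymize_dataset(key, records, pii_fields=PII_FIELDS):
    """Return (pseudonymized_records, lookup).

    lookup maps token -> original value. It is what allows authorized
    re-identification, and it belongs in a separate, access-controlled
    store rather than next to the pseudonymized records.
    """
    out, lookup = [], {}
    for record in records:
        clean = {}
        for name, value in record.items():
            if name in pii_fields and value is not None:
                token = pseudonym(key, name, str(value))
                lookup[token] = value
                clean[name] = token
            else:
                clean[name] = value  # non-identifying fields pass through
        out.append(clean)
    return out, lookup


if __name__ == "__main__":
    import secrets

    demo_key = secrets.token_bytes(32)
    # Constructed sample records for illustration only.
    sample = [
        {"patient_id": "P-1001", "name": "Ana Diaz",
         "email": "Ana@Example.org", "diagnosis_code": "J45"},
        {"patient_id": "P-1001", "name": "Ana Diaz",
         "email": "ana@example.org", "diagnosis_code": "E11"},
    ]
    rows, table = pseudonymize_dataset(demo_key, sample)
    for row in rows:
        print(row)
```

Because the tokens are deterministic under one key, the two sample visits still join on `patient_id` after pseudonymization, while a data set processed under a different key cannot be linked to it.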

In conclusion, an organization’s CEO and Board of Directors are responsible for GDPR compliance as well as complying with American laws. They must ensure that practices are balanced with all cybersecurity and data privacy regulations that apply to their organization. If not done properly, organizations will leave themselves vulnerable to huge fines and criminal consequences under the GDPR, damage to their public reputations, the possibility of additional penalties in the U.S. and securities lawsuits. Multinationals and their US business partners can expect to have to answer underwriters’ queries as to their compliance with GDPR when they are buying or renewing their cyber liability and management liability policies for the next several years.

As the number and breadth of massive data breaches increase, pressure will build on politicians to enact new statutes and regulations with a focus on making corporate management and boards responsible parties for protecting personal information. GDPR is going to be an important “test case” that other countries and jurisdictions will watch closely. New regulations and statutes such as GDPR are mandating that boards and individual directors become focused and engaged on cybersecurity issues. Now, individual directors may be personally responsible for cybersecurity-related issues. There is currently a lack of cyber knowledge on boards of directors in general.

It is unlikely that the threat of holding individual directors responsible for cybersecurity will abate. Data breaches which are reported almost daily have raised the general level of distrust of “big business”, such as the recent criticism of the officers of Experian and Uber and many others before them, and a corresponding increase in the desire to hold top executives personally responsible. In response to these trends, directors must increase their cybersecurity skills, engagement and awareness to comply with the GDPR and the likely next wave of cyber laws and regulations.

Cyber and D&O underwriters will also be closely monitoring these developments and we can expect changes in policy forms to occur as the risks evolve and any negative loss trends become apparent.

For U.S. healthcare organizations subject to GDPR, a demonstrable effort to comply is mandatory, and time is critical.  It seems that the regulators are not requiring immediate and total compliance. Rather, they are looking for entities to be able to show that they are making steps towards compliance and are moving forward with what yet needs to be done. Almost all healthcare organizations, whether now subject to the GDPR or not, will soon also face new laws, such as have just been passed in California (and due to be in effect in 2020), which will bring GDPR-type regulations to the USA itself.

Writer Keith Daniels, JD, CIPP/US[1]
Editor Jeremy Swenson, MBA, MSST

[1] Keith Daniels, JD, CIPP/US is a graduate of the University of Wisconsin – Eau Claire and the University of Wisconsin Law School. He has practiced law in Wisconsin and Illinois and has been involved in cyber liability insurance since its inception around the year 2000. Keith is a Sr independent cyber privacy, compliance, data protection, and risk liability consultant who partners with Abstract Forward Consulting. He is located in Minneapolis, MN and can be reached on LinkedIn here.

British Airways Data Breach Likely The First GDPR Rollback Test.

On 08/21/18 British Airways (BA) suffered the start of a data breach which ended on or about 09/05/18. A UPS (uninterruptible power supply) failure and subsequent power surge was partly how the breach was exacerbated. It was also indicated that a third party (vendor) was involved in some way which complicates liability and brings supply chain security more into scope.

The breach allowed cyber criminals to steal personal and financial information from about 380,000 customers who booked directly with the airline in the preceding two weeks (Ivana Kottasová, CNN, 09/07/18). When a passenger makes a booking through the BA website, they must submit their name, e-mail address, address, and credit or debit card details including the number, expiration date, and the security code or “Card Verification Value” (CVV) — all of this was compromised.

BA Breach
Photo: Steve Parsons/PA.

Yet most interestingly, this is one of the first major data breaches since GDPR came into effect in May this year, Walters said (Samuel Gibbs, the Guardian, 09/07/18). “It appears that the company notified the Information Commissioner’s Office and customers within the GDPR’s mandatory 72 hours but the breach will now be investigated and the company could be penalized if it did not take all the necessary measures to protect customer data” (Samuel Gibbs, the Guardian, 09/07/18).

The GDPR rules now in force could see a great increase in the penalties slapped on firms for past data breaches, with fines levied at a maximum of 4% of global revenues. For British Airways this amounts to about $630 million based on last year’s revenue (Gwyn Topham, the Guardian, 09/06/18).

Yet many observers see fines this hefty as counterproductive and the catalyst to push business outside of the EU. Moreover, many international law firms and economists have doubts about the applicability of the GDPR outside of the EU, citing state sovereignty, and free enterprise protection in the United States, etc. The courts will likely further define the context of GDPR’s applicability and may roll its reach back some. It is way too early to know what GDPR means in practicality but pushback is coming from well-funded, well-organized, well-researched, powerful law and business interest groups. GDPR is dangerously overbroad and ambiguous as echoed in this law firm newsletter (Wendy Butler Curtis and Jeffrey McKenn, Orrick, Herrington & Sutcliffe LLP, 09/09/18). We welcome the debate for a better more modern GDPR.

6 Pronged Approach to Data Exfiltration Detection

The best way to detect precursors to data exfiltration is to employ a six-prong detection approach applied to all risk areas as practicable. Figure 1 shows the six-pronged detection approach.

Figure 1. Six-Pronged Data Exfiltration Precursor Detection Approach [1] [2].

1) Signature Based.

Characteristics: 1) Uses known pattern matching to signify attack; 2) Former zero days, known exploits, etc.

Advantages: 1) Widely available; 2) Most antivirus is based heavily on this; 3) Fairly fast; 4) Easy to implement; 5) Easy to update.

Disadvantages: 1) Cannot detect attacks for which it has no signature – Zero days; 2) Insider threat.

2) Host Based.

Characteristics: 1) Runs on a single host; 2) Can analyze audit-trails, logs, the integrity of files and directories, etc.

Advantages: 1) More accurate than NIDS; 2) Less volume of traffic so less overhead.

Disadvantages: 1) Deployment is expensive; 2) No plan for if the host gets compromised – Real risk for organizations with more than 10 thousand employees.

3) Human Based [2].

Characteristics: 1) Has the unique experience set deriving intuition; 2) Has five senses.

Advantages: 1) Has the ability to learn multiple tools and connect the dots; 2) Can set team direction and inspire people; 3) Can think creatively; 4) Can think with the voice of the customer or recipient of a phishing e-mail.

Disadvantages: 1) Bias and ego; 2) Cannot calculate large numbers fast.

4) Anomaly Based.

Characteristics: 1) Uses statistical model or machine learning engine to characterize normal usage behaviors; 2) Requires big data and other software tools; 3) Recognizes departures from normal as potential intrusions.

Advantages: 1) Can detect attempts to exploit new and unforeseen vulnerabilities; 2) Can recognize authorized usage that falls outside the normal pattern.

Disadvantages: 1) Generally slower, more resource intensive compared to signature-based tools; 2) Greater complexity, difficult to configure; 3) Higher percentages of false alerts.

5) Network Based.

Characteristics: 1) A NIDS (network intrusion detection system) examines raw packets in the network passively and triggers alerts.

Advantages: 1) Easy deployment; 2) Unobtrusive; 3) Difficult to evade if done at the low level of network operation.

Disadvantages: 1) Fail Open; 2) Different hosts process packets differently; 3) NIDS needs to create traffic seen at the end host; 4) Need to have the complete network topology and complete host behavior; 5) Highly unlikely.

6) Externally Based.

Characteristics: 1) Studies show there are 258 externally measurable characteristics about network infrastructure (without any inside info).

Advantages: 1) Benchmarking – identifying mismanagement symptoms such as poorly configured DNS or BGP networks; 2) Benchmarking – identifying malicious activity which mostly includes SPAM, phishing, and port scanning; 3) One study found it to be highly reliable in predicting breaches (90% true positives in a closed limited test) [3].

Disadvantages: 1) It’s low hanging fruit – easy weaknesses to spot; 2) Good I.T. audits and red teaming are similar.
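
An added illustration of prong 1 (signature based) beside prong 4 (anomaly based), not taken from the cited slides or study: a per-host baseline of daily outbound volume, scored with median and MAD, flags a departure that a known-bad destination list misses, and the list catches a low-volume transfer the baseline ignores. Host names, destinations, volumes, the 7-day baseline and the 3.5 threshold are constructed assumptions.

```python
import math
from collections import defaultdict
from statistics import median


def _rows(host, dest, daily_mb):
    """Expand a list of daily volumes into (host, day, destination, MB out) rows."""
    return [(host, day, dest, mb) for day, mb in enumerate(daily_mb, start=1)]


# Constructed sample telemetry (not real data): days 1-7 are baseline, 8-9 are scored.
EGRESS = (
    _rows("ws-01", "files.example.org", [120, 135, 110, 128, 140, 125, 131, 133])
    + [("ws-01", 9, "storage.example.org", 2400)]   # large upload, unlisted destination
    + _rows("db-02", "backup.example.org", [40, 42, 38, 45, 41, 39, 43, 44])
    + [("db-02", 9, "bad.example.net", 41)]         # small upload, listed destination
)
KNOWN_BAD = {"bad.example.net"}  # constructed signature list


def signature_hits(records, known_bad=KNOWN_BAD):
    """Prong 1: flag rows whose destination matches a known-bad entry."""
    return [(host, day) for host, day, dest, _mb in records if dest in known_bad]


def robust_z(value, history):
    """Modified z-score from median and MAD, so one past spike cannot skew the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:  # flat baseline: any change at all is a departure
        return 0.0 if value == med else math.copysign(math.inf, value - med)
    return 0.6745 * (value - med) / mad


def anomaly_hits(records, baseline_days=7, threshold=3.5):
    """Prong 4: flag host-days whose outbound volume departs upward from the baseline."""
    per_host = defaultdict(lambda: defaultdict(int))
    for host, day, _dest, mb in records:
        per_host[host][day] += mb          # total outbound volume per host per day
    hits = []
    for host in sorted(per_host):
        days = per_host[host]
        history = [mb for day, mb in days.items() if day <= baseline_days]
        if len(history) < 3:               # too little history to call anything normal
            continue
        for day in sorted(d for d in days if d > baseline_days):
            if robust_z(days[day], history) > threshold:
                hits.append((host, day))
    return hits


if __name__ == "__main__":
    print("signature:", signature_hits(EGRESS))
    print("anomaly:  ", anomaly_hits(EGRESS))
```

Neither prong sees both events, which is the case for combining them rather than choosing one.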

[1] Dash, Debabrata. “Introduction to Network Security”. PowerPoint presentation. 2017.
[2] Photo of public figure Bruce Schneier by Per Ervland. https://www.schneier.com/ 2018.
[3] Liu, Yang; Sarabi, Armin; Zhang, Jing; Naghizadeh, Parinaz; Karir, Manish; Bailey, Michael; and Liu, Mingyan. “Cloudy with a Chance of Breach: Forecasting Cyber Security Incidents” 2015. Pg. 1.

Decryption Options For 3 Ransomware Types

Ransomware is on the rise and is going after more victims with little to no defenses, small to medium-small sized businesses and even quiet non-profits. Here are a few tools with a valid track record of stopping and removing 3 common types of ransomware.
1) LockCrypt is a ransomware discovered in June 2017 but is still active in various mutations. It spreads by brute forcing Remote Desktop Protocol credentials – a key port (3389) that should be obviously locked. A prominent example of this exploit occurred in December 2017 when an employee opened an email which was maliciously sent from another co-worker’s account. This was merely an attempt to trick the person to click on the malicious attachment which was appended to the letter. Once it was opened, the ransomware download began after which 48 out of 500 servers of North Carolina County were compromised with LockCrypt (Ugnius Kiguolis, Spyware.com, 12/11/17).

As per Bitdefender, this ransomware family has several sub-variants with the following specific extensions. The first (.1btc) is decryptable with this free Bitdefender tool and the others may be decryptable with the free Trend Micro Malwarebytes Ransomware File Decryptor tool (check for updates).

  1. .1btc (decryptable and included in this version of the tool)
  2. .lock (decryptable, not included in our tool)
  3. .2018 (decryptable, not included in our tool)
  4. .bi_d (not decryptable)
  5. .mich (decryptable, not included in our tool)

2) The five-year-old ransomware Trojan-Ransom.Win32.Rakhni has received a facelift recently which now allows it to decide whether or not to install its traditional ransomware or to drop a cryptominer.

The malware is delivered through spam campaigns where the email comes with a PDF attached which the receiver is prompted to save and then enable editing. When the victim attempts to open the document he or she is presented with an executable that portrays itself as an Adobe Reader plugin and it asks the person to allow it to make changes to their computer (Doug Olenick, SC Magazine, 07/06/18).

According to Kaspersky Labs, the current injection chain on this newer exploit is largely the same as before. However, the malware moves along a rather complex path before it decides which form it will take. During the process it will check to make sure the device is not a virtual machine, it will check for and disarm any AV software and also Windows Defender, and finally erase most of the footprints made during the malware installation.

The executable, which is written in Delphi and has its strings encrypted, then presents a message box that states the PDF could not be opened, basically to keep the victim from thinking anything negative is about to happen (Doug Olenick, SC Magazine, 07/06/18).

It first checks that the device has one of the substrings:

  1. \TEMP
  2. \TMP
  3. \STARTUP
  4. \CONTENT.IE

Registry check: it then checks that the registry has no value HKCU\Software\Adobe\DAVersion and, if that is so, it creates HKCU\Software\Adobe\DAVersion = True (Doug Olenick, SC Magazine, 07/06/18). As of Feb 2018 Kaspersky Labs has a free decryption tool (since updated) to get rid of most variations of this infection.

3) Thousands of LabCorp’s servers were impacted by the SamSam ransomware attack on 07/13/18, a CSO online report confirmed (Steve Ragan, 07/19/18). Early information indicates that the company contained the spread of the infection and neutralized the attack within 50 minutes – great. However, before the attack was fully contained, 7,000 systems and 1,900 servers were negatively impacted; 350 were production servers (Steve Ragan, CSO Online, 07/19/18). This is a growing trend in the healthcare sector that reached 15% in 2016 (Fig. 1, Greg Slabodkin, Health Data Management, 04/11/18).

Fig. 1.
As per Jessica Davis of HealthcareITnews, “SamSam is the virus that shut down the Allscripts platform for about a week in January 2017 and is known to use brute force RDP (remote desktop protocol) attacks to breach a system and spread. The variant is also responsible for taking down Hancock Health, Adams Memorial and the government systems of Atlanta — among a host of others” (HealthcareITNews.com, 07/20/18).

The ransom note it displays is quite interesting, giving the option of randomly-selected file encryption (if you don’t pay the full amount). They’ll also unlock one file for free as a token of trust that they will give your files back after payment (Christopher Boyd, Malwarebytes Labs, 05/01/18).

Fig 2.
The virus has been updated a couple of times. Currently, it appends one of the following file extensions (Julie Splinters, spyware.com, 06/23/18):

  1. .weapologize;
  2. .AreYouLoveMyRansFile;
  3. .breeding123;
  4. .country82000;
  5. .disposed2017;
  6. .fucku;
  7. .happenencedfiles;
  8. .helpmeencedfiles;
  9. .howcanihelpusir;
  10. .iaufkakfhsaraf;
  11. .mention9823;
  12. .myransext2017;
  13. .noproblemwedecfiles;
  14. .notfoundrans;
  15. .prosperous666;
  16. .powerfulldecryp;
  17. .supported2017;
  18. .suppose666;
  19. .VforVendetta
  20. .Whereisyourfiles;
  21. .wowreadfordecryp;
  22. .wowwhereismyfiles;
  23. .loveransisgood.

Different variants of the virus might drop different versions of ransom notes. However, at the moment victims might receive one of these ransom notes in:

  1. 0009-SORRY-FOR-FILES.html,
  2. IF_WANT_FILES_BACK_PLS_READ.html,
  3. 000-PLEASE-READ-WE-HELP.html,
  4. 000-No-PROBLEM-WE-DEC-FILES.html,
  5. READ-FOR-DECCCC-FILESSS.html,
  6. HELP_DECRYPT_YOUR_FILES.HTML,
  7. 001-HELP_FOR_DECRYPT_FILE.html,
  8. 006-READ-FOR-HELLPP.html,
  9. PLEASE_READ_FOR_DECRYPT_FILES_[Number].html,
  10. PLEASE-README -AFFECTED-FILES.html.

SamSam is the newest and most powerful of the three types of ransomware mentioned above. There is no known decryption tool or fix for data that you don’t already have backed up. Yet it is known to use tools such as Mimikatz to steal valid user credentials and common IT management tools to move malware to new hosts. Attackers and their malware are increasingly reliant on Mimikatz and similar tools, such as PsExec — associated with everything from PoS malware to webshells — to spread through the network and do damage (Dark Reading, 06/20/18, Ajit Sancheti). Stay tuned here for updates regarding a stable decryption tool for SamSam.
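
Since no decryptor exists for SamSam, early detection matters most. The following added example (not from any vendor tool) walks a file share and triages directories by the SamSam file extensions and ransom-note names listed above. Reading “[Number]” as a run of digits, the two verdict labels and the temporary sample tree are assumptions made for this sketch.

```python
import os
import re
import tempfile
from collections import defaultdict

# Indicators copied from the two lists above, compared case-insensitively.
SAMSAM_EXTENSIONS = {e.lower() for e in (
    ".weapologize", ".AreYouLoveMyRansFile", ".breeding123", ".country82000",
    ".disposed2017", ".fucku", ".happenencedfiles", ".helpmeencedfiles",
    ".howcanihelpusir", ".iaufkakfhsaraf", ".mention9823", ".myransext2017",
    ".noproblemwedecfiles", ".notfoundrans", ".prosperous666", ".powerfulldecryp",
    ".supported2017", ".suppose666", ".VforVendetta", ".Whereisyourfiles",
    ".wowreadfordecryp", ".wowwhereismyfiles", ".loveransisgood",
)}
SAMSAM_NOTES = {n.lower() for n in (
    "0009-SORRY-FOR-FILES.html", "IF_WANT_FILES_BACK_PLS_READ.html",
    "000-PLEASE-READ-WE-HELP.html", "000-No-PROBLEM-WE-DEC-FILES.html",
    "READ-FOR-DECCCC-FILESSS.html", "HELP_DECRYPT_YOUR_FILES.HTML",
    "001-HELP_FOR_DECRYPT_FILE.html", "006-READ-FOR-HELLPP.html",
    "PLEASE-README -AFFECTED-FILES.html",
)}
# Assumption: "[Number]" in the list above stands for a run of digits.
NUMBERED_NOTE = re.compile(r"please_read_for_decrypt_files_\d+\.html")


def classify(filename):
    """Return 'ransom_note', 'encrypted_file' or None for a bare file name."""
    name = filename.lower()
    if name in SAMSAM_NOTES or NUMBERED_NOTE.fullmatch(name):
        return "ransom_note"
    # splitext takes the last suffix, so report.docx.weapologize still matches
    if os.path.splitext(name)[1] in SAMSAM_EXTENSIONS:
        return "encrypted_file"
    return None


def scan(root):
    """Walk root (symlinks not followed) and list (kind, relative path) matches."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for filename in files:
            kind = classify(filename)
            if kind:
                rel = os.path.relpath(os.path.join(dirpath, filename), root)
                findings.append((kind, rel))
    return sorted(findings)


def triage(findings):
    """A note next to renamed files is a stronger signal than either alone."""
    per_dir = defaultdict(lambda: {"ransom_note": 0, "encrypted_file": 0})
    for kind, rel in findings:
        per_dir[os.path.dirname(rel)][kind] += 1
    return {
        d: "isolate-and-investigate" if c["ransom_note"] and c["encrypted_file"] else "review"
        for d, c in per_dir.items()
    }


def demo():
    """Build a constructed sample tree in a temp directory and triage it."""
    sample = ("share/q3.xlsx.weapologize", "share/plan.docx.weapologize",
              "share/0009-SORRY-FOR-FILES.html", "home/notes.txt",
              "home/PLEASE_READ_FOR_DECRYPT_FILES_12.html")
    with tempfile.TemporaryDirectory() as root:
        for rel in sample:
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        return triage(scan(root))


if __name__ == "__main__":
    print(demo())
```

Name-based matching only catches the variants listed, so a clean result does not rule out a variant with a new extension.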

Review of the 2018 Verizon Data Breach Report

The 11th edition of the DBIR (Data Breach Investigation Report) was released this month. It analyzed more than 53,000 cybersecurity incidents and over 2,200 data breaches across the globe. Here is a summary of its key findings:
Ransomware continues to be a top cybersecurity threat, according to the report. Ransomware is found in almost 39 % of malware attacks – double the amount in last year’s analysis. “Ransomware remains a significant threat for companies of all sizes,” says Bryan Sartin, executive director security professional services, Verizon. “It is now the most prevalent form of malware, and its use has increased significantly over recent years.” This comes as no surprise to many city and state officials that have battled with ransomware takeovers recently. Systems in the city of Atlanta were offline for several days last month following a ransomware attack. Government offices and municipal systems have also been targeted in Baltimore, North Carolina, San Francisco, and others yet to come forward – the government does not like to admit their errors.

The report also shows that attacks on public sector organizations continue to focus on espionage. 43 % of public sector attacks were motivated by espionage. Of those attacks, 61 % were carried out by state-affiliated actors. Privilege misuse and error by insiders account for a third of breaches. Small businesses represent 58 percent of data breach victims. Over 50% of the attacks on public sector organizations were accomplished using backdoors in software, which arguably makes the case for why putting backdoors in software is a bad idea even if a government plans to use it for its own purposes – the government is far behind the private sector in incubating innovation here. Using phishing techniques to get data from individuals remains the most popular method as individuals continue to be the weakest link when it comes to security.

Fig 1. Data Breach Causes, Verizon 2018
Using stolen credentials topped the list of causes for data breaches (See Fig 1. for the other top causes). A common saying is “it’s easier to ask the employee for their password than try to guess it”, so social engineering continues to be a very useful tactic for hackers. For most employees, the only security protection system is their password. If a cyber-criminal obtains it, they can easily bypass most of the company’s security controls.

Attribution is probably one of the most difficult tasks in cyber-crime which already has more challenges than most people realize, with misdirection and lack of digital footprints to help lead to the cyber-criminal. This is likely due to several virtual machines and botnets used to facilitate the attack across several nations – all of which are likely unfriendly to the United States. Specifically, 73% of cyber-attacks were caused by outsiders. Organized crime rings are very likely using hackers as a service because 50% of cyber-attacks were attributed to organized crime. 12% was attributed to nation-states – APT (advanced persistent threats) who have unlimited funds.

Specific to Healthcare: The healthcare industry is rife with error and misuse. In fact, it is the only industry that has more internal actors behind breaches than external. In addition to these problem areas, ransomware is endemic in the industry—it accounts for 85 % of all malware in healthcare.

In total, there were 750 incidents and 536 with confirmed data disclosed. The top three patterns include: miscellaneous errors, crimeware, privilege misuse – 63 % of all incidents within healthcare. Breach threat actors breakdown: 56 % internal, 43 % external, 4 % partner, 2 % multiple parties. Breach actor motives are: 75 % financial, 13 % fun, 5 % convenience. Data compromised: 79 % medical, 37 % personal, 4 % payment.

The full report is available here.

Abstract Forward Consulting can help you review the issues in this report to build stronger security and process controls. Contact us here to learn more.

Jeremy Swenson, MBA, MSST


Abstract Forward Consulting Now Open For Business!


In 2016 Mr. Swenson decided to go back to graduate school to pursue a second master’s degree in Security Technologies at the University of MN’s renowned Technological Leadership Institute to position himself to launch a technology leadership consulting firm. This degree was completed in 2017 and positions Swenson as a creative and security savvy Sr. consultant to CIOs, CTOs, CEOs, and other business line leaders. His capstone was on “pre-cursor detection of data exfiltration” and included input from many of the region’s CIOs, CISOs, CEOs, and state government leaders. His capstone advisor was technology and security pioneer Brian Isle of Adventium Labs.

Over 14 years, Mr. Swenson had the honor and privilege of consulting at 10 organizations in 7 industries on progressively complex and difficult problems in I.T. including: security, proj. mgmt., business analysis, data archival and governance, audit, web application launch and decommission, strategy, information security, data loss prevention, communication, and even board of directors governance. From governments, banks, insurance companies, minority-owned small businesses, marketing companies, technology companies, and healthcare companies, he has a wealth of abstract experience backed up by the knowledge from his 4 degrees and validated by his 40,000 followers (from LinkedIn, Twitter, and his blog). Impressively, the results are double-digit risk reductions, huge vetted process improvements, and $25+ million on average or more in savings per project!

As the desire for his contract consulting work has increased, he has continued to write and speak on how to achieve such great results. Often, he has been called upon to explain his process and style to organizations and people. While most accept it and get on board fast, some aren’t ready, mostly because they are stuck in the past and are afraid to admit their own errors due to confirmation bias. Two great technology leaders, Steve Jobs (Apple) and Carly Fiorina (HP) often described how doing things differently would have its detractors. Yet that is exactly why there is a need for Abstract Forward Consulting.

With the wind at our backs, we will press on because the world requires better results and we have higher standards (if you want to know more reach out below). With a heart to serve many organizations and people, we have synergized a hybrid blend of this process and experience to form a new consulting firm, one that puts abstract thinking first to reduce risk, improve security, and enhance business technology.

Proudly announcing: Abstract Forward Consulting, LLC.

Company Mission Statement: We use abstract thinking on security, risk, and technology problems to move business forward!

Company Vision: To be the premier provider of technology and security consulting services while making the world a better and safer place.

Main service offerings for I.T. and business leaders:

1) Management Consulting

2) Cyber Security Consulting

3) Risk Management Consulting

4) Data Governance Consulting

5) Enterprise Collaboration Tools Consulting

6) Process Improvement Consulting

If you want to have a free exploratory conversation on how we can help your organization please contact us here or inbox me. As our business grows, we will announce more people and tactics to build a tidal wave to make your organization the best it can be!

Thanks to the community for your support!

Founder and CEO: Abstract Forward Consulting, LLC.

Jeremy Swenson, MBA MSST (Master of Science In Security Technologies)

5 Things Equifax Could Have Improved to Prevent Their Data Breach

Minneapolis, MN – 11/22/17. The recent Equifax data breach impacted one-third of the U.S. population with more than 143.5 million records exposed.  This epic hack started on 05/13/2017 and lasted until 07/29/2017, all the while the company was clueless.  As a result, the threat actors trolled around Equifax’s network, staging and exfiltrating data undetected for 2.5 months.  It is one of the biggest data breaches in U.S. history but clearly not the biggest.  Going forward, breaches are likely to be bigger, given the threat actors’ risk vs. reward tradeoff, and the increasing capabilities of cloud computing and botnets thereby enabling anonymity.

Yet this breach may be one of the most negatively impactful because of the comprehensive sensitive data lost in it including social security numbers, full names, addresses, birth dates, and even drivers licenses and credit card numbers for some.  “This information is the kind that several businesses like financial companies, insurance companies, and other security-sensitive businesses use to identify a customer accessing their accounts from online, by phone, or even in person” (Pelisson, Anaele; & Villas-Boas, Antonio, 09/08/17).

Therefore, this breach lends itself perfectly to future identity theft.  To date, hundreds of fraudulent loan applications, credit card charges, student loans, and insurance claims have been documented and it’s not likely to stop anytime soon.  All of this has inspired negligence lawsuits and regulatory reviews across most states.  If there is one thing you would expect from a credit monitoring company claiming to protect the accuracy of your data, it is that they would at least have above average information security standards.  Yet they clearly did not.  Below are the things that went wrong at Equifax to enable and exacerbate the breach:

1) Equifax’s first problem was that they failed to take a recent critical update notice seriously:
NIST (the National Institute of Standards and Technology) via CERT (Computer Emergency Readiness Team) issued an update alert for the Apache Struts platform on 03/08/17, CVE (Common Vulnerabilities and Exposures) 5638 (Fig 2) which Equifax ignored or gave low priority.  Apache Struts is a free, open-source, MVC (model view controller) framework for creating nice, new Java web applications.  At Equifax, the Apache Struts platform was used for multiple applications and thus the risk associated with failing to patch the vulnerability was exponentially large and complex.

Apache Struts
Negatively, the Apache Struts vulnerability allowed remote code execution via a cmd string upload in the HTTP header.  Both versions of this vulnerability were listed as being highly severe by the CVE alert.  There is no way Equifax did not know this to a considerable degree.  Lesson learned: solidify your security baseline and update and patch based on likely impact and ease of execution.

2) Equifax had a history of poor security culture back to 2014 and failed to make key improvements:
“In April 2017, cyber-risk analysis firm Cyence rated the probability of a security breach at Equifax at 50 percent in the next 12 months.  Credit analytics firm FICO gave Equifax low marks on data protection — an enterprise security score around 550 on a scale of 300 to 850.  In 2014, Equifax “left private encryption keys on its server,” potentially allowing hackers to decrypt sensitive data, according to a recent breach related lawsuit.” (Harney, Kenneth; 11/21/2017).  Thus, Equifax had poor security long before the recent breach and they have been warned.

a) Creating a culture of security where rank and title do not suppress valid evidence and reason, and outside vendors are vetted and listened to in a timely order concerning security risks would improve their security posture.  Yet this requires cross-departmental collaboration, openness, and it requires firing those insulating themselves in fiefdoms of “yes sayers”.

3) Executives had more concern for short-term profit than long-term security:
On 08/01/17 and 08/02/17 three top executives from Equifax sold nearly $2 million worth of company stock at a high price but maintain that they had no knowledge of the breach that was discovered by the company on 07/29/17. Allegedly these trades were placed before August 2017. Although these may be innocent well-earned stock trades, the totality of the circumstances warrants further validation even though Equifax’s attorneys reviewed the trades at the time. Trades like these should not just be reviewed by the legal department but also by the P.R. department when a disaster is near, likely, or present. Most importantly, long-term security should be on the mind of executives, not short-term profits – this implicates a huge culture issue.

4) They have business products that create conflicts of interest that incent data breaches and identity theft:
This is because Equifax sells credit monitoring services at about $17 per month per customer.  They also partner to sell identity theft monitoring via LifeLock.  LifeLock has a direct copy of most of Equifax’s data so they can accurately monitor for fraud indicators.  LifeLock costs about $30 per month per customer and a part of that profit is shared with Equifax via a prearranged deal inked in 2015.  Sen. Elizabeth Warren described it in the video below.

5) Equifax used stunningly simple PIN numbers that were composed of date and time:

This was corroborated by Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity.  He stated, “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that.  Absolutely yes, this is a rookie mistake” (Hembree, Diana, 11/15/17).  Obviously, in using such a simplistic approach in PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program.  PINs should be more complex, completely confidential, and there should be a policy mandating that they change often (every six months for example).
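
An added sketch (not Equifax’s code) of why a date-and-time PIN is weak and how an auditor can spot one: it compares the number of possible PINs against a PIN drawn from the operating system’s CSPRNG, then checks a sample of issued PINs for the two tells of a timestamp generator. The 10-digit MMDDYYHHMM layout, the function names and the sample issue times are assumptions; the article says only that the PINs were based on time and date.

```python
import math
import secrets
from datetime import datetime, timedelta

PIN_DIGITS = 10  # assumption: MMDDYYHHMM, minute resolution


def timestamp_pin(issued_at):
    """The weak pattern: the PIN is just the issue time written as digits."""
    return issued_at.strftime("%m%d%y%H%M")


def random_pin(digits=PIN_DIGITS):
    """Hardened form: every digit drawn independently from the OS CSPRNG."""
    return "".join(secrets.choice("0123456789") for _ in range(digits))


def timestamp_candidates(window):
    """Possible PINs once the issue time is known to lie within `window`."""
    return max(1, int(window.total_seconds() // 60))


def compare(window):
    """Size of each search space, as a count and in bits of entropy."""
    weak, strong = timestamp_candidates(window), 10 ** PIN_DIGITS
    return {
        "timestamp_candidates": weak,
        "timestamp_bits": round(math.log2(weak), 1),
        "random_candidates": strong,
        "random_bits": round(math.log2(strong), 1),
    }


def parses_as_timestamp(pin):
    """True when the digits form a valid MMDDYYHHMM date and time."""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return False
    mm, dd, yy, hh, mi = (int(pin[i:i + 2]) for i in range(0, PIN_DIGITS, 2))
    try:
        datetime(2000 + yy, mm, dd, hh, mi)
    except ValueError:  # month 13, Feb 31, hour 25 and so on
        return False
    return True


def audit(pins):
    """Tells of a timestamp generator: nearly every PIN parses as a date, and
    customers served in the same minute share a PIN."""
    if not pins:
        raise ValueError("no PINs to audit")
    return {
        "timestamp_share": sum(map(parses_as_timestamp, pins)) / len(pins),
        "duplicates": len(pins) - len(set(pins)),
    }


# Constructed sample: three issue times, two of them within the same minute.
SAMPLE_ISSUED = [
    datetime(2017, 9, 8, 10, 15),
    datetime(2017, 9, 8, 10, 15, 40),
    datetime(2017, 9, 8, 10, 16),
]

if __name__ == "__main__":
    print(compare(timedelta(days=30)))
    print(audit([timestamp_pin(t) for t in SAMPLE_ISSUED]))
```

With a 30-day window the timestamp scheme leaves 43,200 possibilities (about 15 bits) against 10 billion (about 33 bits) for a random PIN of the same length.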

If you want to talk more about these and related concepts applied to my consulting and speaking, please contact me here.