The Main Purpose of Cryptocurrency Mixer and/or Splitter Services is Fraud and Money Laundering.

Cryptocurrency mixer and/or splitter services serve no valid “real-world” ethical business use case considering the relevant FinTech and legal options open. Even in the very rare case when you are a refugee fleeing a financially abusive government regime or terrorist organization is seeking to steal your assets while the national currency is failing, like in Venezuela which I wrote about in my 2014 article; that is about political revolution and your personal safety more than anything else. Although cases like this give a valid reason why you might want to mix and/or split your crypto assets – that’s not fully the same use case we’re talking about here with the recent uptick of crypto mixer and/or splitter service use. It’s only fair that we discuss the most likely and common use case, which is trending up, and not the few rare edge cases. This use case would be fraud and money laundering.

The evidence does not support that a regular crypto exchange is the same thing as a mixer and/or splitter service. For definitions sake, I am not defining mixing and/or splitting cryptocurrency as the same thing as selling, buying, or converting it – all of this can be done on one or more of the crypto exchanges which is why they are called exchanges. If they are the same or even considerably similar, then why are people and orgs using the mixer and/or splitter services at all? They use them because they offer a considerably different service. Using a mixer and/or splitter services assumes you have gotten some crypto beforehand, from a separate exchange, a step or more before in the daisy chain. This can be done via legal or illegal means. Moreover, why are they paying repeated and hugely excessive fees for these services? The fees are out of line with anything possibly comparable because there is higher compliance and legal risk for the operators of them in that they could get sanctioned like Blender.IO and others.

You can still have privacy if that is what you are seeking via a semblance of legal moves such as a trust tied to a separate legal entity, family office entity, converting to real estate, and marriage entity – if you have time to do the paperwork. Legally savvy people have anonymity over their assets often to avoid fraudsters, sales reps, and just privacy for privacies sake – but again still not the same use case. Even when people/orgs use these legal instruments for privacy, they still have compliance reporting and tax obligations – I.E., some disclosure. Keep in mind some disclosure serves to protect you that you in fact own the assets you say you own. Using these legal instruments with the right technical security including an encrypted VPN and multifactor authentication serves to sustain privacy, and you will then not need a crypto mixer and/or splitter.

Yet if you had cryptocurrency and wanted strong privacy to protect your assets, why would you not at least use some of the aforementioned legal instruments or the like? Mostly because any attorney worth anything would be obligated to report this blatant suspected fraud, and would not want to tarnish their name on the filings, etc. Specifically, the attorney would have to see and know where and what entities the crypto was coming from and going to, under what contexts, and that could trigger them to report or refuse to work with them – I.E. a fraudster would want to avoid getting detected.

Specifically, the use of multiple legal entities in different countries in a daisy chain of crypto coin mixing and/or splitting tends to be the pattern for persistent fraud and money laundering. That was the case in the 4.5-billion-dollar crypto theft out of NY and in Blender mixing fraud, and many other cases.

A recent U.S. Treasury press release concerning mixer service money laundering described it this way:

  • “Blended.io (Blender) is a virtual currency mixer that operates on the Bitcoin blockchain and indiscriminately facilitates illicit transactions by obfuscating their origin, destination, and counterparties. Blender receives a variety of transactions and mixes them together before transmitting them to their ultimate destinations. While the purported purpose is to increase privacy, mixers like Blender are commonly used by illicit actors. Blender has helped transfer more than $500 million worth of Bitcoin since its creation in 2017. Blender was used in the laundering process for DPRK’s Axie Infinity heist, processing over $20.5 million in illicit proceeds”.
Fig 1. U.S. Treasury Dept, Blener.io Crypto Mixer Fraud, 2022.

The question we as a society should be thinking about is tech ethics. What design feature crosses the line to enable fraud too much such that it is not pursued? For example, Silk Road crossed the line, selling illegal drugs, extortion, and other crime. Hacker networks cross the line when they breach companies and steal their credit card data and put it for sale on the dark web. Facebook crossed the line when it enabled bias and undue favor to impact policy outcomes.

Crypto mixer and/or splitter services (not mere crypto exchanges) are about as close to “money laundering as a service” as it gets – relative to anything else technically available excluding the dark web where there are far worse things available technically. Obviously, the developers, product owners, and project managers behind the crypto mixer and/or splitter services like this are serving the fraud and money laundering use case more than anything else. Some semblance of the organized crime rings is very likely giving them money and direction to this end.

If you are for and use mixer and/or splitter services then you run the risk of having your digital assets mixed with dirty digital assets, you have extortion high fees, you have zero customer service, no regulatory protection, no decedent Terms of Service and/or Privacy Policy if any, and you have no guarantee that it will even work the way you think it will.

In fact, you have so much decentralized “so-called” privacy that it could work against you. For example, imagine you pay the high fees to mix and split your crypto multiple times, and then your crypto is stolen by one of the mixing and/or splitting services. This is likely because they know many of their customers are committing fraud and money laundering, yet even if they are not these platforms are associated with that. Therefore, if the platform operators steal their crypto in this process, the victims have little incentive to speak up. Moreover, the mixing and/or splitting service companies have a nice cover to steal it, privacy. They won’t admit that they stole it but will say something like “everything is private and so we can’t see or know but you are responsible for what private assets you have or don’t have”. They will say something like “stealing it is impossible” which is course is a complete lie.

In sum, what reason do you have to trust a crypto mixing and/or splitting service with your digital assets as outlined above as they are hardly incentivized to protect them or you and operate in the shadows of antiquated non-western fintech regulation. So, what really do you get besides likely fraud? What is the business rationale behind using these services as outlined above considering no solid argument or evidence can support it is privacy alone, and what net benefit do you get besides business-enabling money laundering and fraud?

Now there are valid use cases for crypto and blockchain generally and here are five of them:

  1. Innovative tech removing the central bank for peer-to-peer exchange that is faster and more global, especially helping the underbanked countries.
  2. Smart contracts can be built on blockchain.
  3. Blockchain can be used for crowdfunding.
  4. Blockchain can be used for decentralized storage.
  5. The traditional cash and coin supply chain is burdensomely wasteful, costly, dirty, and counterfeiting is a real issue. Why do you need to carry ten dollars in quarters or a wad of twenty-dollar bills or even have that be a nation’s economic backing in today’s tech world?

Here are six tips to identify crypto-related scams:

  1. With most businesses, it should be easy to find out who the key operators are. If you can’t find out who is running a cryptocurrency or exchange via LinkedIn, Medium, Twitter, a website, or the like be very cautious.
  2. Whether in cash or cryptocurrency, any business opportunity promising free money is likely to be fake. If it sounds too good to be true it likely is. Multi-level marketing is one old example of this scam.
  3. Never mix online dating and investment/financial advice. If you meet someone on a dating site or social media app, and then they want to show you how to invest in crypto or they ask you to send them crypto. No matter what sob story and huge return they are claiming it’s a scam (FTC).
  4. Watch out for scammers who pretend to be celebrities who can multiply any cryptocurrency you send them. If you click on an unexpected link they send or send cryptocurrency to a so-called celebrity’s QR code, that money will go straight to a scammer, and it’ll be gone. Celebrities don’t have time to contact random people on social media, but they are easily impersonated (FTC).
  5. Celebrities are however used to pump crypto prices via social media, so they get a windfall, and everyone else takes a hit. Watch out for crypto like Dogecoin which is heavily tied to celebrity pumps with no real-world business value. If you are lucky enough to get ahead, get out then.
  6. Watch out for scammers who make big claims without details, white papers, filings, or explanations at all. No matter what the investment, find out how it works and ask questions about where your money is going. Honest investment managers or advisors want to share that information and will back it up with details in many documents and fillings (FTC).

Jeremy Swenson is a disruptive thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combing Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, a MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

Five Cyber-Tech Trends of 2021 and What it Means for 2022.

Minneapolis 01/08/22

By Jeremy Swenson

Intro:

Every year I like to research and commentate on the most impactful security technology and business happenings from the prior year. This year is unique since the pandemic and mass resignation/gig economy continues to be a large part of the catalyst for most of these trends. All these trends are likely to significantly impact small businesses, government, education, high tech, and large enterprise in big and small ways.

Fig. 1. Facebook Whistle Blower and Disinformation Mashup (Getty & Stock Mashup, 2021).

Summary:

The pandemic continues to be a big part of the catalyst for digital transformation in tech automation, identity and access management (IAM), big data, collaboration tools, artificial intelligence (AI), and increasingly the supply chain. Disinformation efforts morphed and grew last year challenging data and culture. This requires us to put more attention on knowing and monitoring our own social media baselines. We no longer have the same office due to mass work from home (WFH) and the mass resignation/gig economy. This infers increased automated zero-trust policies and tools for IAM with less physical badge access required. The security perimeter is now more defined by data analytics than physical/digital boundaries.

The importance of supply chain cyber security was elevated by the Biden Administration’s Executive Order 1407 in response to hacks including SolarWinds and Colonial Pipeline. Education and awareness around the review and removal of non-essential mobile apps grows as a top priority as mobile apps multiply. All the while, data breaches, and ransomware reach an all-time high while costing more to mitigate.

1) Disinformation Efforts Accelerate Challenging Data and Culture:

Disinformation has not slowed down any in 2021 due to sustained advancements in communications technologies, the growth of large social media networks, and the “appification” of everything thereby increasing the ease and capability of disinformation. Disinformation is defined as incorrect information intended to mislead or disrupt, especially propaganda issued by a government organization to a rival power or the media. For example, governments creating digital hate mobs to smear key activists or journalists, suppress dissent, undermine political opponents, spread lies, and control public opinion (Shelly Banjo; Bloomberg, 05/18/2019).

Today’s disinformation war is largely digital via platforms like Facebook, Twitter, Instagram, Reddit, WhatsApp, Yelp, Tik-tok, SMS text messages, and many other lesser-known apps. Yet even state-sponsored and private news organizations are increasingly the weapon of choice, creating a false sense of validity. Undeniably, the battlefield is wherever many followers reside. 

Bots and botnets are often behind the spread of disinformation, complicating efforts to trace and stop it. Further complicating this phenomenon is the number of app-to-app permissions. For example, the CNN and Twitter apps having permission to post to Facebook and then Facebook having permission to post to WordPress and then WordPress posting to Reddit, or any combination like this. Not only does this make it hard to identify the chain of custody and original source, but it also weakens privacy and security due to the many authentication permissions involved. The copied data is duplicated at each of these layers which is an additional consideration.

We all know that false news spreads faster than real news most of the time, largely because it is sensationalized. Since most disinformation draws in viewers which drives clicks and ad revenues; it is a money-making machine. If you can significantly control what’s trending in the news and/or social media, it impacts how many people will believe it. This in turn impacts how many people will act on that belief, good or bad. This is exacerbated when combined with human bias or irrational emotion. For example, in late 2021 there were many cases of fake COVID-19 vaccines being offered in response to human fear (FDA; 09/28/2021). This negatively impacts culture by setting a misguided example of what is acceptable.

There were several widely reported cases of political disinformation in 2021 including misleading texts, e-mails, mailers, Facebook censorship, and robocalls designed to confuse American voters amid the already stressful pandemic. Like a narcissist’s triangulation trap, these disinformation bursts riled political opponents on both sides in all states creating miscommunication, ad hominin attacks, and even derailed careers with impacts into the future (PBS; The Hinkley Report, 11/24/20 and Daniel Funke; USA Today, 12/23/21).

Facebook is significantly involved in disinformation as one recent study stated, “Globally, Facebook made the wrong decision for 83 percent of those ads that had not been declared as political by their advertisers and that Facebook or the researchers deemed political. Facebook both overcounted and undercounted political ads in this group” (New York University; Cybersecurity For Democracy, 2021). Of course, Facebook disinformation whistleblower Frances Haugen who testified before Congress in 2021 is only more evidence of these and related Facebook failings. Specifically that “Facebook executives, including CEO Mark Zuckerberg, misstated and omitted key details about what was known about Facebook and Instagram’s ability to cause harm” (Bobby Allyn; NPR, 10/05/21).

Fig. 2. Facebook Gaps in Ad Transparency (IMEC-DistriNet KU Leuven and NYU Cyber Security for Democracy, 2021).

With the help of Facebook’s misinformation, huge swaths of confused voters and activists aligned more with speculation and emotion/hype than unbiased facts, and/or project themselves as fake commentators. This dirtied the data in terms of the election process and only begs the question – which parts of the election information process are broken? This normalizes petty policy fights, emotional reasoning, lack of unbiased intellectualism – negatively impacting western culture. All to the threat actor’s delight. Increased public to private partnerships, more educational rigor, and enhanced privacy protections for election and voter data are needed to combat this disinformation.

2) Identity and Access Management (IAM) Scrutiny Drives Zero Trust Orchestration:

The pandemic and mass resignation/gig economy has pushed most organizations to amass work from home (WFH) posture. Generally, this improves productivity making it likely to become the new norm. Albeit with new rules and controls. To support this, 51% of business leaders started speeding up the deployment of zero trust capabilities in 2020 (Andrew Conway; Microsoft, 08/19/20) and there is no evidence to suggest this is slowing down in the next year but rather it is likely increasing to support zero trust orchestration. Orchestration is enhanced automation between partner zero trust applications and data, while leaving next to no blind spots. This reduces risk and increases visibility and infrastructure control in an agile way. The quantified benefit of deploying mature zero trust capabilities including orchestration is on average $ 1.76 million dollars less in breach response costs when compared to an organization who has not rolled out zero trust capabilities (IBM Security, Cost of A Data Breach Report, 2021). 

Fig. 3. Zero Trust Components to Orchestration (Microsoft, 09/17/21).

Zero trust moves organizations to a need-to-know-only access mindset with inherent deny rules, all the while assuming you are compromised. This infers single sign-on at the personal device level and improved multifactor authentication. It also infers better role-based access controls (RBAC), firewalled networks, improved need-to-know policies, effective whitelisting and blacking listing of apps, group membership reviews, and state of the art PAM (privileged access management) tools for the next year. In the future more of this is likely to better automate and orchestrate (Fig. 3.) zero trust abilities so that one part does not hinder another part via complexity fog.

3) Security Perimeter is Now More Defined by Data Analytics than Physical/Digital Boundaries:

This increased WFH posture blurs the security perimeter physically and digitally. New IP addresses, internet volume, routing, geolocation, and virtual machines (VMs) exacerbate this blur. This raises the criticality of good data analytics and dashboarding to define the digital boundaries in real-time. Therefore, prior audits, security controls, and policies may be ineffective. For instance, empty corporate offices are the physical byproduct of mass WFH, requiring organizations to set default disable for badge access. Extra security in or near server rooms is also required. The pandemic has also made vendor interactions more digital, so digital vendor connection points should be reduced and monitored in real-time, and the related exception policies should be re-evaluated.

New data lakes and machine learning informed patterns can better define security perimeter baselines. One example of this includes knowing what percent of your remote workforce is on what internet providers and what type? For example, Google fiber, Comcast cable, CenturyLink DSL, ATT 5G, etc. There are only certain modems that can go with each of these networks and that leaves a data trail. Of course, it could be any type of router. What type of device do they connect with MAC, Apple, VM, or other, and if it is healthy can all be determined in relationship to security perimeter analytics.

4) Supply Chain Risk and Attacks Increase Prompting Government Action:

Every organization has a supply chain big or small. There are even subcomponents of the supply chain that can be hard to see like third/fourth-party vendors. A supply chain attack works by targeting a third/fourth party with access to an organization’s systems instead of hacking their networks directly.

In 2021 cybercriminals focused their surveillance on key components of the supply chain including hacking DNS servers, switches, routers, VPN concentrators and services, and other supply chain connected components at the vendor level. Of note was the massive Colonial Gas Pipeline hack that spiked fuel prices this last summer. This was caused by one compromised VPN account informed by a leaked password from the dark web (Turton, William; and Mehrotra, Kartikay; Bloomberg, 06/04/21). The SolarWinds hack was another supply chain-originated attack in that they got into SolarWinds IT management product Orien which in turn got them into the networks of most of the customers of that product (Lily Hay Newman; Wired, 12/19/21). The research consensus unsurprisingly ties this attack to Russian affiliated threat actors and there is no evidence contracting that.

In response to these and related attacks the U.S. Presidential Administration issued Executive Order 14017, the heart of which requires those who manufacture and distribute software a new awareness of their supply chain to include what is in their products, even open-source software (White House; 05/12/21). This in addition to more spending on CISA hiring and public relations efforts for vulnerabilities and NIST framework conformance. Time will tell what this order delivers as it is dependent on what private sector players do.

Fig. 4. Supply Chain Cyber Attack Diagram (INSURETrust, 2021).

5) Data Breaches Have Greatly Increased in Number and Cost:

The pandemic has continued to be a part of the catalyst for increased lawlessness including fraud, ransomware, data theft, and other types of profitable hacking. Cybercriminals are more aggressively taking advantage of geopolitical conflict and legal standing gaps. For example, almost all hacking operations are in countries that do not have friendly geopolitical relations with the United States or its allies – and all their many proxy hops would stay consistent with this. These proxy hops are how they hide their true location and identity.

Moreover, with local police departments extremely overworked and understaffed with their number one priority being responding to the huge uptick in violent crime in most major cities, white-collar cybercrimes remain a low priority. Additionally, local police departments have few cyber response capabilities depending on the size of their precinct. Often, they must sheepishly defer to the FBI, CISA, and the Secret Service, or their delegates for help. Yet not unsurprisingly, there is a backlog for that as well with preference going to large companies of national concern that fall clearly into one of the 16 critical infrastructures. That is if turf fights and bureaucratic roadblocks don’t make things worse. Thus, many mid and small-sized businesses are left in the cold to fend for themselves which often results in them paying ransomware, and then being a victim a second time all the while their insurance carrier drops them.

Further complicating this is lack of clarity on data breach and business interruption insurance coverage and terms. Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented so they are by default behind the technology. Most often general liability business insurance covers bodily injuries and property damage resulting from your products, services, or operations. Please see my related article 10 Things IT Executives Must Know About Cyber Insurance to understand incident response and to reduce the risk of inadequate coverage and/or claims denials.

According to the Identity Theft Resource Center (ITRC)’s 2021Q3 Data Breach Report, there was a 17% year-over increase as of 09/30/21. This means that by the time they finish their Q4 2021 report it’s likely to be above a 30% year-over-year increase. Breaches are also more costly for organizations suffering them according to the IBM Security Cost of Data Breach Report (Fig 5).

Fig 5. Cost of A Data Breach Increases 2020 to 2021 (IBM Security, 2021).

From 2020 to 2021 the average cost of a data breach in U.S. dollars rose to $4.24 million from $3.86 million. This is almost a 10% increase at 9.1%. In contrast, the preceding 4 years were relatively flat (Fig 5). The pandemic and policing conundrum is a considerable part of this uptick.

Lastly, this is a lot of money for an organization to spend on a breach. Yet this amount could be higher when you factor in other long-term consequence costs such as increased risk of a second breach, brand damage, and/or delayed regulatory penalties that were below the surface – all of which differs by industry. In sum, it is cheaper and more risk prudent to spend even $4.24 million or a relative percentage at your organization on preventative zero trust capabilities than to deal with the cluster of a data breach.

Take-Aways:

COVID-19 remains a catalyst for digital transformation in tech automation, IAM, big data, collaboration tools, and AI. We no longer have the same office and thus less badge access is needed. The growth and acceptability of mass WFH combined with the mass resignation/gig economy remind employers that great pay and culture alone are not enough to keep top talent. Signing bonuses and personalized treatment are likely needed. Single sign-on (SSO) will expand to personal devices and smartphones/watches. Geolocation-based authentication is here to stay with double biometrics likely. The security perimeter is now more defined by data analytics than physical/digital boundaries, and we should dashboard this with machine learning and AI tools.

Education and awareness around the review and removal of non-essential mobile apps is a top priority. Especially for mobile devices used separately or jointly for work purposes. This requires a better understanding of geolocation, QR code scanning, couponing, digital signage, in-text ads, micropayments, Bluetooth, geofencing, e-readers, HTML5, etc. A bring your own device (BYOD) policy needs to be written, followed, and updated often informed by need-to-know and role-based access (RBAC) principles. Organizations should consider forming a mobile ecosystem security committee to make sure this unique risk is not overlooked or overly merged with traditional web/IT risk. Mapping the mobile ecosystem components in detail is a must.

IT and security professionals need to realize that alleviating disinformation is about security before politics. We should not be afraid to talk about it because if we are then our organizations will stay weak and insecure and we will be plied by the same political bias that we fear confronting. As security professionals, we are patriots and defenders of wherever we live and work. We need to know what our social media baseline is across platforms. More social media training is needed as many security professionals still think it is mostly an external marketing thing. Public-to-private partnerships need to improve and app to app permissions need to be scrutinized. Enhanced privacy protections for election and voter data are needed. Everyone does not need to be a journalist, but everyone can have the common sense to identify malware-inspired fake news. We must report undue bias in big tech from an IT, compliance, media, and a security perspective.

Cloud infra will continue to grow fast creating perimeter and compliance complexity/fog. Organizations should preconfigure cloud-scale options and spend more on cloud-trained staff. They should also make sure that they are selecting more than two or three cloud providers, all separate from one another. This helps staff get cross-trained on different cloud platforms and add-ons. It also mitigates risk and makes vendors bid more competitively. 

The increase in number and cost of data breaches was in part attributed to vulnerabilities in supply chains in a few national data breach incidents in 2021. Part of this was addressed in President Biden’s Executive Order 1407 on supply chain security. This reminds us to replace outdated routers, switches, repeaters, controllers, and to patch them immediately. It also reminds us to separate and limit network vendor access points to strictly what is needed and for a limited time window. Last but not least, we must have up-to-date thorough business interruption / cyber insurance with detailed knowledge of what it requires for incident response with breach vendors pre-selected.  

About the Author:

Jeremy Swenson is a disruptive thinking security entrepreneur, futurist/researcher, and senior management tech risk consultant. Over 17 years he has held progressive roles at many banks, insurance companies, retailers, healthcare orgs, and even governments including being a member of the Federal Reserve Secure Payment Task Force. Organizations relish in his ability to bridge gaps and flesh out hidden risk management solutions while at the same time improving processes. He is a frequent speaker, published writer, podcaster, and even does some pro bono consulting in these areas. As a futurist, his writings on digital currency, the Target data breach, and Google combing Google + video chat with Google Hangouts video chat have been validated by many. He holds an MBA from St. Mary’s University of MN, a MSST (Master of Science in Security Technologies) degree from the University of Minnesota, and a BA in political science from the University of Wisconsin Eau Claire.

3 Key Points From “Unsecurity” By Evan Francen

UNSECURITY-1200x628-adNational author, speaker, consultant, and entrepreneur Evan Francen got into information security long before it was cool and buzzing in the media, and long before every so-called IT consultancy started chasing the money. In fact, he and I both dislike the money chasers. He and his growing consultancy, FRSecure are for-profit, but they don’t do it for the money.

Like a patriot who delays college to join the army amid dire national conflict, Francen offers a fact-based call to arms to fix the broken cybersecurity industry in his 2019 book “Unsecurity”. Having known him and his company for a few years, and having read the book and many on this subject, this content is worth sharing because too few people write or talk about how to actually make this industry better. Here are my three unbiased key points from his book.

1)    We’re Not Speaking the Same Language:

614hGPZRmJL._SY600_Francen opens his book with a lengthy chapter on how poor communication between cybersecurity stakeholders exacerbates trouble and risk. You can’t see or measure what isn’t communicated well. It starts because there are five main stakeholder groups who don’t share the same vocabulary amid conflicting priorities.

  1. IT: Speaks in data tables and code jargon.
  2. Cyber: Speaks in risk metrics and security controls.
  3. Business: Speaks in voice of the customer and profits.
  4. Compliance:Speaks in evidence collection and legal regulatory frameworks.
  5. Vendor: Speaks in sales and marketing terms.

Ideally, all these stakeholders need to work together but are only as strong as the weakest link. To attain better communication and collaboration between these stakeholders, all must agree on the same general security framework best for the company and industry, maybe NIST CSF with its inferred definitions or maybe ISACA Cobit. However, once you pick the framework you need to start training, communicating, and measuring against it and only it –going with its inferred definitions.

Changing frameworks in the middle of the process is like changing keys in the middle of a classical song at a concert – don’t do it. That’s not to say that once communication and risk management gets better, that you can’t have some hybrid framework variation – like at a jazz concert. You can but you need proof of the basic items first.

Later, in the chapter Francen describes the communication issue of too many translations. That’s too many people passing the communication onto other people and giving it their spin. Thus, what was merely a minor IT problem ticket turns into a full-blown data breach? Or people get tied up arguing over NIST, ISSA, ISACA, and OWASP jargon – all the while nothing gets fixed and people just get mad at each other yet fail to understand one another. Knowing one or two buzz words from an ISACA conference or paper yet failing to understand how they apply to NIST or the like does not help. You should be having a framework mapping sheet for this.

The bigger solution is more training and vetting who is authorized to communicate on key projects. The issue of good communication and project management is separate from cybersecurity though it’s a critical dependency. Organizations should pre-draft communication plans with roles and scope listed out, and then they should do tabletops to solidify them. Having an on-site Toastmasters group is also a good idea. I don’t care if you’re a cyber or IT genius; if you can’t communicate well that’s a problem that needs to be fixed. I will take the person with much better communication skills because likely they can learn what they don’t know better than the other.

2)    Overengineered Foundations:

In chapter two, Francen addresses “Bad Foundations”. He gives many analogies including building a house without a blueprint. However, I’m most interested in what he says on page 76:

  • “Problem #4 Overengineered Foundation – too much control is as bad as too little control, and in some cases, it’s even worse than no control at all.”

What he is saying here is that an organization can get so busy in non-real world spreadsheet assessments and redundant evidence gathering that their heads are in the sand for so long that they don’t see to connect the dots that other things are going array and thus they get compromised. Keep in mind IT and security staff are already overworked, they already have many conflicting dials and charts to read – amid false alarms. To bog them down in needless busywork must be weighed against other real-world security tasks, like patch management, change management, and updating IAM protocols to two-factor.

If you or your organization have an issue figuring this out, as Francen outlines, you need to simplify your risk management to a real-world foundational goal that even the company secretary can understand. It may be as simple as requiring long complex (multicharacter) passwords, badge entry time logs for everyone, encrypting data that is not public, or other basics. You must do these things and document that they have been done one at a time, engraining a culture of preventative security vs. reactive security.

3)    Cultivate Transparency and Incentives:

In chapter five, “The Blame Game” Francen describes how IT and business stakeholders often fail to take responsibility for security failings. This is heavily influenced by undue bias, lack of diversity, and lack of fact-based intellectualism within the IT and business silos at many mid-sized and large organizations. I know this is a hard pill to swallow but its so true. The IT and business leaders approving the bills for the vendors doing the security assessments, tool implementations, and consulting should not be under pressure to give a favorable finding in an unrealistic timeframe. They should only be obligated to give timely truthful risk prudent advice. Yet that same advice if not couched with kid gloves can get a vendor booted from the client – fabricating a negative vendor event. Kinda reminds me of accounting fraud pre-Sarbanes Oxley.

The reason why is because risk assessors are creating evidence of security violations that the client does not agree with or like, and thus you are creating legal risk for them – albeit well justified and by their own doing. From Francen’s viewpoint, this comprehensive honest assessment also gives the client a way to defend and limit liability by disclosing and remediating the vulnerabilities in a timely manner and under the advisement of a neutral third party. Moreover, you’re going to have instructions on how to avoid them in the future thus saving you money and brand reputation.

Overall, transparency can save you. Customers, regulators, and risk assessors view you more positively because of it. That’s not to say there are not things that will remain private because there are many, trade secrets, confidential data, and the like. My take on Francen’s mention of the trade off’s between transparency and incentives in a chapter called “The Blame Game” is that it’s no longer acceptable to delay or cover up a real security event – not that it ever was. Even weak arguments deliberately miscategorizing security events as smaller than they are will catch up with you and kick your butt or get you sued. Now is the time to be proactive. Build your incident response team ahead of time. It should include competent risk business consultants, cyber consultants, IT consultants, a communication lead, and a privacy attorney.

Lastly, if we as an industry are going to get better we’re going to have to pick up books, computers, pens, and megaphones. And this book is a must-read! You can’t be passive and maintain your expert status – it expires the second you do nothing and get poisoned by your own bias and ego. Keep learning and sharing!

10 Things IT Executives Must Know About Cyber Insurance!

cyber-liability-coverage-1Most organizations view IT as a cost center that generates business data which is increasingly used to make business decisions. As a result, these assets need to be vigorously protected from both internal and external threats. Cyber liability insurance is an undeniable but imperfect way to protect these assets. 

  1. Cyber Liability Insurance Defined:
    • Cyber liability or data breach liability insurance is designed to reduce the risk of civil litigation and other penalties after a hack or data breach occurs. It helps cover the costs of public relations, identity protection solutions, forensic investigation, legal work, and more depending on the coverage you select.
      • Business interruption is the most common type of loss from a cyber indecent.
    • You want data breach coverage in place because fast action is required to help restore the public’s confidence if your business is victimized by a hack or data breach.
      • Note: each carrier and industry will define it uniquely.
  2. Executives and Managers Have a Heightened Duty to Protect Systems and Data – No Exceptions:
    • Boardrooms are concerned with comprehensive information security, data protection, brand reputation, broad management liability and compliance.
    • Senior executives realize that the decisions they make impact shareholders and stakeholders; and that they can be held responsible for a hack or breach.
    • It is essential that IT teams provide the board with real-time compliance and information security status, so they can assess the current cyber risk profile (changes often) to make well-reasoned fact-based decisions.
    • One of the risk transfer decisions is how much cyber insurance to have, then selecting the correct endorsements and exclusions based on the industry, other insurance coverages, prior events, and the like.
    • Observing this complexity, IT and business executives need to understand cyber insurance and what role they play in defining cyber coverage. IT involvement is a critical aspect of the organization’s overall cyber risk management strategy for digital and even physical assets.
  3. Your Assets, Risks, and Needed Coverages Must be Detailed and Ongoing:
    • What are your company’s greatest assets – including in hidden areas?
      • Have you had any bad events, business or technology related?
        • Were they documented and reported?
        • They could impact current coverage and future coverage.
      • What concerns keep you up at night, or consume more than their share of your attention in the day?
    • What are your key processes? 
      • Do you have any procedures that are not tied to computers?
      • What is the 15% of your business that is not central to the operation, but is crucial because it distinguishes your company from others and opens the door for more clients to new markets? 
    • Are your backup systems in place and ready to be activated at a moment’s notice?
    • Do your insurance coverages, business or technology related, match your risks and cover your assets?
  4. General Liability Coverage Won’t Cover Data Breaches and Hacks:
    • Cyber insurance is almost always excluded from general liability policies unless you pay extra for and specifically define your cyber coverage needs.
    • Keep in mind most general business liability insurance policies and terms were drafted before hacking was invented so they are by default behind the technology. Most often general liability business insurance covers bodily injuries and property damage resulting from your products, services or operations.
      • Many business owners overstate the risk of a workplace slip and fall injury and fail to adequately quantify cyber risk at all because it is a newer digital risk and you can’t see or touch it.
  5. Cyber Liability Insurance Typically Covers Both First-Party and Third-Party Losses:
    • First-party losses include the breach response costs a company would incur to notify and communicate with the people impacted by a breach, conducting forensic analysis, hiring legal counsel and a crisis management team.
    • First-party cyber coverage may also pay for the loss or restoration of digital or network assets, trade secrets, intellectual property and business interruption expenses.
    • First-party coverages are often subject to a deductible.

      Fig. 1. Hartford Cyber Liability Coverages, Terms, and Exclusions Generally.hartford-cyber-liablity-209
    • Cyber extortion (ransomware) is another first-party coverage that pays the costs to terminate incidents in which criminals hold (or threaten to hold) a company’s network hostage in exchange for a ransom.
    • Many policies cover income you lose and extra expenses you incur to avoid or minimize a shutdown of your business after your computer system fails due a covered peril. The perils covered may be the same as those covered under Damage to Electronic Data. The loss of income and extra expense coverages afforded under a cyber liability policy differ from those provided under your commercial property policy.
    • Network security liability insurance covers lawsuits against you due to a data breach or to the inability of others to access data on your computer system. Coverage may apply if the data breach or inability to access your system is due to a denial of service attack, a virus, malware or unauthorized access and use of your system by a hacker or rogue employee. Policies may cover lawsuits alleging that you failed to adequately protect data belonging to customers, clients, employees or other parties.
    • Network privacy liability insurance covers lawsuits based on allegations that you failed to properly protect sensitive data stored on your computer system. The data may belong to customers, clients and other parties. Some policies cover liability arising from the release of private data (such as social security numbers) belonging to your employees.
    • Electronic media liability insurance covers lawsuits against you for acts like libel, slander, defamation, copyright infringement, invasion of privacy or domain name infringement.
  6. Providing Timely Notice of Claim Is Key:
    • Claims-made coverage responds when a “claim,” as defined in the policy, is first made against an insured, irrespective of when the underlying incident occurred. Discovery-triggered coverage responds when the insured develops a reasonable belief that a first-party loss potentially covered by the policy may have occurred, even if the nature and extent of the loss are unknown (Jeanne Deni and Andrew Moss, 2019).
    • Notice is generally required as soon as practicable after a claim is made or loss discovered, and policies may require that notice be received during the policy period. In addition to timely notice, some cyber policies may require a sworn proof of loss statement within 90 to 180 days after discovery of certain first-party losses.
      • It is thus critical that company personnel in a position to detect potentially covered claims or losses have a working understanding of the scope of coverage and how it is triggered so that information is promptly communicated to management responsible for notifying the company’s insurance carriers. Notice should also be given to any excess insurers at the same time as the primary. (Jeanne Deni and Andrew Moss, 2019).
  7. Pre-Select Breach/Hack Counsel and Vendors:
    • Normally cyber insurance policies require underwriter approval of the use of breach/hack vendors. (FSSCC, Cyber Insurance Buying Guide, 2016).
    • Pre-selection is critical because the last thing an organization should be worried about is whether their insurance provider will approve their selected breach counsel and forensics firm. It also helps you document your incident response plan (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016).

      Fig 2. You Should Be Scared If you Have Not Planned For This, Stock, 2019.
      8eefef464d9b5799f0256c64bd6d3aa4_Fotolia_48155256_Subscription_Monthly_M-1-800-320-c
  8. Prepare for Likely Coverage Exclusions/Sub-limits:
    • Portable Electronic Device Exclusion
      • If the device leading to a cyber breach is portable, many policies could exclude coverage completely for any resulting loss (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016).
    • Intentional Acts Exclusion
      • What is intentional and by whom is highly confusing, and what about mere negligence viewed as intentional – easy denial case for the carrier.
      • A crime or fidelity policy generally covers first-party loss to the Insured even where such loss is caused by the Insured, while liability policies generally provide for damages or losses the Insured causes to a third party (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016). Most cyber insurance policies do not adequately provide for both first-party and third-party loss. For example, liability policies typically exclude coverage for damages or losses intentionally caused by an Insured. Thus, if an employee accidentally caused a cyber breach, the resulting loss would be covered (either under a general liability or umbrella policy that does not exclude cyber perils or under a stand-alone cyber policy). However, if a different employee caused the exact same cyber breach intentionally, the resulting loss would be denied under a general liability policy if this exclusion is present (Financial Services Sector Coordinating Council, Cyber Insurance Buying Guide, 2016).
    • Nation/State, Terrorism, Cyber Terrorism Exclusions/Acts of God
      • Acts of God exclusions can result in coverage being precluded simply based on who or what caused the breach to occur. For example, if a terrorist attack resulted in an explosion at an organization’s facility or a tornado caused massive damage to an organization’s power source, the resulting losses may not be covered under a standard cyber policy. Fundamentally, companies expect cyber insurance to cover their losses whenever a cyber breach happens, regardless of who caused it or why
    • Negligent Computer Security Exclusion
      • Some policies exclude coverage if data is unencrypted or if the Insured has failed to appropriately install software updates or security patches.
    • Data on unencrypted devices or BYOD
      • Some policies do not cover devices that are unencrypted or non-company-owned devices.
    • Territorial limits
      • Some coverage is limited only to incidents that occur in the United States and an organization may need additional coverage depending on where data is stored.
    • Sub-limits
      • Many policies also have sub-limits that may apply for things like breach notification costs, forensic expenses, credit monitoring costs, business or Post-Breach Services. Some insurers are starting to partner with cybersecurity specialists to assist customers who experience a cyber breach with forensic investigations, proactive incident response strategies, and training as they realize the benefit both to the customer and themselves in responding as quickly and efficiently as possible to a cyber breach to keep resulting costs, claims, and damages as low as possible.
  9. Insurance Companies Tend to Deny Cyber Liability Issuance or Claims Coverage When One or More of These Items Are Present:
    • Inadequate cybersecurity testing procedures and audits.
      • It should be independent and auditable.
    • Inefficient processes to stay current on new releases and patches.
      • Patch management should be based on a qualitative and quantitative method.
    • Inadequate cyber incident response plans.
      • It must be detailed, written, up to date, and it must have been practiced.
    • Inadequate backup processes and recovery procedures.
      • This assumes you have a data classification scheme and network segmentation.
      • This requires that you have tested the speed of your back up.
    • Inadequate policies concerning the security of vendors and business partners.
      • How you measured their risk and criticality to your business
        • Then put mitigating controls in place or cut the vendor.
    • Poor-quality security software and employee training.
      • Training on phishing, social engineering, and acceptable use of company data and technology.
    • Lack of adherence to a published security standard.
      • Your policies and procedures should generally conform to the standard that most closely fits your industry and company.
        • Cobit 5, NIST CSF, ISO 27001, etc.
  10. Evaluating Cyber Liability Carriers:
    • The way to compare carriers is via their A.M. best rating, time in business, market share, S&P credit rating, industries excluded from coverage, premium cost, and amount of premium written.
    • You can also ask a broker for their assessment since they get feedback from many clients, etc.
    • Also, consider the country of legal jurisdiction.
    • Here are two carrier examples below.
    1. Chubb Insurance of Switzerland (Cynthia Harvey, eSecurity Planet.com, 11/09/18)
      • The world’s largest publicly traded property and casualty insurance company and the largest commercial insurance provider in the United States.
      • The company launched its first “cyber risk” product in 1998.
      • Direct premiums written: $316.3 million
      • Market share: 17.0 percent
      • S&P rating: AA
      • A.M. Best rating: A++ (Superior)
      • Most risk classes eligible for at least $10 million in limits; maximum capacity of $100 million available through Chubb’s Global Cyber Facility.
      • Cyber Insurance product descriptions
        • Enterprise Risk Management (ERM) product is for large organizations in a wide array of industries.
        • DigiTech ERM offers enhanced protection tailored to the needs of technology companies, consultants and systems integrators, data processors and software developers. Integrity+ offers separate policies for claims made by customers, vendors, suppliers and other third parties.
        • ForeFront Portfolio 3.0 is tailored for private companies and includes crime insurance, kidnap ransom and extortion insurance, workplace violence expense insurance, and several other kinds of insurance, in addition to cyber insurance.
    2. Beazley Insurance of London (Cynthia Harvey, eSecurity Planet.com, 11/09/18)
      • This insurance company offers marine, political, accident and contingency, property, reinsurance (insurance for insurers) and specialty products, which includes its cyber insurance business.
      • Founded in 1986, it is headquartered in London and does business in the U.S. Europe, Canada, Latin America and Asia. In 2018, it won multiple awards including Launch of the Year for Beazley Smart Tracker, Risk Carrier of the Year, Innovative Initiative for Weather Guard, Insurance CEO of the Year and Insurer of the Year.
      • Direct premiums written: $95.0 million
      • Market share: 5.1 percent
      • S&P rating: A+ (Strong)
      • A.M. Best rating: A (Excellent)
      • Limits: Up to $15 million with BBR, but additional coverage is available through BBR Boost.
      • Beazley has been providing cyber insurance since 2009.
      • Product description
        • Beazley calls its cyber insurance Beazley Breach Response (BBR). The company claims that it offers 360-degree protection against all cyber risks. That protection includes BBR Services, a business unit dedicated to helping organizations manage their response to incidents. It includes forensics experts, specialized lawyers and public relations professionals who can help organizations address breaches. Through a partnership with Lodestone Security, it also offers pre-breach services.

Lastly, we will be doing a cyber liability podcast to talk through these items in detail soon. See our podcast here.

© Abstract Forward Consulting, LLC. 2019. All rights reserved. Contact us here.

Disclaimer:  This article does not represent the views of former or current employers and / or clients. Non-public information will not be disclosed. Information obtained in this article may be materially out of date at or after the time of the publication. This article is not legal, accounting, audit, health, technical, or financial advice.

Top 12 Ways Small To Med Businesses Can Reduce Cyber Risk

1) Use the Free DHS Developed CSET (Cybersecurity Evaluation Tool) To Assess Your Security Posture: High, Med, or Low.

Figure 1. (DHS, 2018).
CSET Process.PNG

2) Educate Employees About Cyber Threats and Hold Them Accountable. 

Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Use games with training and hold everyone accountable to security policies and procedures.

3) Protect Against Viruses, Spyware, and Other Malicious Code.

Make sure each of your business’s computers are equipped with antivirus software and anti-spyware and updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Especially watch freeware which contains malvertising.

4) Secure Your Networks.

Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Have a secure strong password such as (xeyg1845%RELIGO) to protect access to the router.

5) Base Your Security Strategy Significantly on the NIST Cybersecurity Framework 1.1: Identity, Detect Defend, Respond, and Recover.

Fig. 2. (NIST, 2018).
NIST

6) Establish Security Practices and Policies to Protect Sensitive Information.

Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies and who is accountable.

7) Require Employees to Use Strong Passwords and to Change Them Often.

Consider implementing multi-factor authentication that requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account. Smart card plus pass-code for example.

8) Employ Best Practices on Payment Cards. 

Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

9) Make Backup Copies of Important Business Data and Use Encryption When Possible.

Regularly backup the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Backup data automatically if possible, or at least weekly, and store the copies either offsite or on the cloud.

10) Control Physical Access to Computers and Network Components.

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

11) Create A Mobile Device Protection Plan.

Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Use a containerization application to separate personal data from company data. Be sure to set reporting procedures for lost or stolen equipment.

12) Protect All Pages on Your Public-Facing Web-pages, Not Just the Checkout and Sign-Up Pages.

Make sure submission forms can block spam and can block code execution (cross side scripting attacks).

Contact Abstract Forward here for more info.

Top Ten Ways Companies Can Reduce Cyber Risk

cost-of-cyber-attacks-to-business-mq593szq6dt3vzuawhu5qtm2upt66jfkqpxzl18l8sMid-sized businesses are defined from about $50 million to $800 million in revenue. A 2017 report published by Keeper Security and the Ponemon Institute found more than 50% of small and medium business had been breached in the past 12 months, but only 14% of them rated their ability to defend against cyber-threats as “highly effective” (Keeper / Ponemon, 2017). According to the 2017 Verizon Data Breach Investigations Report, 75% of the breaches were caused by outsiders with 51% involving organized criminal groups and the remaining involved internal actors. Not surprising, malware installed via malicious email attachments was present in 50% of the breaches involving hacking(Verizon, 2017). Here are ten steps (applicable to any size business) you can take to shield your mid-sized business from cyber-attacks:

10) Train Staff Often:

Most cyber-attacks take the form of phishing and spear phishing which is hackers targeting individuals rather than computer systems – typically with the help of good social engineering (IT Governance Blog, 2017). Therefore, employees need to be educated to roll back what they share on social media and to opt out of data harvesting when they can. Training needs to be ongoing because the threat landscape and technology change so fast. For example, ransomware was not a serious attack vector 6 years ago, but it is front and center today. Additionally, crypto-currency mining networks is an exploit vector that is arguably less than 2 years old and growing rapidly. Lastly, training more often improves the company security culture and that is directly related to keeping a good business reputation and core customer base. Here are a few more training necessities:

1. Follow cyber security best practices and conduct audits on a regular basis – based on your selected one or two frameworks (Cobit 5, ISO 2700, etc)

2. Use games contest and prizes to teach cyber safety – leadership must do this as well.

3. Notify and educate staff of any current cyber-attacks – have a newsletter.

4. Teach them how to handle and protect sensitive data – do lunch and learns.

9) Secure Wireless Networks:

Wireless networks can be easily exploited by cyber attackers, unknowing guests, and even angry customers. Your network is not like a coffee shop community room but rather it’s like a bank vault with many segmented areas – map the segments and know their rank order value. To harden your wireless network, avoid WEP (Wired Equivalent Privacy) encryption (which can be cracked in minutes) and use only WPA2, which uses AES-based encryption and provides better security than WPA.

Fig 1. (WPA2 Selection Screen Clip).

wpa_top

If you have a Wi-Fi network, be sure access to the router is secured by a password and hidden so that it does not broadcast the network name. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Also, remember to password-protect access to the router. Additionally, for protection against brute-force attacks, protect your network with a complex passphrase containing at least 25 characters and including a mix of letters, upper and lower case and numerals and symbols. Use a firewall and encryption to safeguard your internet connection.

8) Physically Secure Your Environment:

Focusing on web tools and monitoring is needed, but it’s also important to remember there are physical concerns about securing your network as well. To a threat actor overcoming all of your security measures may be as easy as walking up to your router and pressing the reset button. Make sure that your key pieces of in-office infrastructure are secure, and that you’re monitoring them with video, sensors or other physical security controls. Make sure to be creative and thorough about how you define a physical security connection point including: doors, public lobbies, windows, air vents, turnstiles, roofs, printer room, network closet, and USB ports on machines, etc. Lastly, employees should keep their devices near them at all times.

7) Double Down on Firewalls:

While most routers have a firewall built in that can protect your internal network against outside attacks, you should know that it may not be automatically activated. It’s generally called something like SPI (stateful packet inspection) or NAT (network address translation). Either way, turn it on (Chelsea Segal, Cox Blue, 09/16/18).

It’s also important to ensure that your own software isn’t sending information out over the network or the internet without your permission. For that, you’ll want to install firewall software on your PC as well. PC Magazine’s top pick is Check Point ZoneAlarm Pro, but the default firewall that comes with Windows 8 and 10 is also a good start.

6) Evaluate Your Operational Resilience and Cyber-Security Practices Quarterly: 

A good start is the US-CERT’s Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more (SBA, 2018). They can also use the CSET (Cyber Security Evaluation Tool), which is a free customizable multi-framework DHS created general cyber security assessment.

5) Review Control Access / IAM and Audit Access Regularly:

Administrative access to your systems should only be granted on a need-to-know basis – least privilege principle. The correct job roles should be in the correct windows access groups. Keep sensitive data – such as payroll – out of the hands of anyone who doesn’t need it to do their job, marketing for example. Remove unused, stale, or unnecessary IAM users/credentials. Also, consider decommissioning old systems for risk reduction and cost savings – with the appropriate project analysis done. Use a secure strong password especially for single sign on interfaces – two factor authentication. Organizations should audit their IAM user activity to see which users haven’t logged into AWS for at least 90 days and revoke their permissions. Monitor user activity in all cloud services (including IAM user activity) to identify abnormal activity indicative of threats arising from a compromised account, or malicious/negligent internal employee – when corroborated with event logs and related intelligence.

4) Back up and Secure Your Systems and Data but Don’t Over Retain:

Ransomware, or viruses used by hackers to encrypt an organization’s computer files and detain them until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI (FBI CISO Report 2018). Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves. These are some key data backup subpoints.

1. Limit access to sensitive data to only a few authorized employees.

2. Encrypt all your sensitive data – do not over-classify.

3. Backup your data periodically and store it in an offsite location.

4. Protect all devices with access to your data – third party vendor implications.

5. If you accept credit cards transactions, secure each point of sale.

3) Create a Guidebook for Mobile Security:

While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks (FCC, Feb 2018). Plus, set reporting procedures for lost or stolen mobile devices. Draft a BYOD policy that separates personal vs. corporate data and covers the below points.

1. Ensure your equipment has the latest security software and run anti-virus/malware scans regularly. If you don’t have good anti-virus software installed, buy and install it.

2. Install all software updates as soon as they are available, including all web browsers.

3. Have the latest operating systems on your devices with access to regular updates.

4. Make sure your internet connect is protected with firewall security.

5. Make sure your Wi-Fi network is encrypted, hidden, and password protected.

2) Use Encrypted Websites for E-commerce Via Strong Third-Party Risk Management Policies:

Only buy from encrypted websites by looking for https on every page. Don’t’ be teased in by super low prices or the like, it may be a drive by download set-up. Ensure that the owner of the website is reputable and is who they say they are. This kind of gets at third party and supply chain risk management, which should be based on some applicable security framework for your industry, etc.

1) Avoid When Possible and Rigorously Evaluate Freeware:

There are a lot of free options for software including anti-virus (AVG), graphic design (GIMP), marketing and sales applications, some of which are quite reliable. However, many are not reliable and pose risk because they often come with malvertising, utility ad ons that slow things down, or direct malware. All of this complicates cyber risk and blurs sight lines into the infrastructure stack. Cyber security isn’t a good place to cut costs so pay for a good antivirus and firewall tool-set. If you are going to use a robust free graphic design tool like GIMP make sure it is documented, always updated, and that it is run in a limited area.

Bonus) Have a Sound Way To Prioritize Patching.

Establish a process to risk-rate vulnerabilities based on: ease of exploit and potential impact of the vulnerability (reference the CVE scores), if other working defenses are in place, and lastly by grouping the assets they may impact.

Reach out to me here for questions.

Two Equifax Leaders Charged with Insider Trading Amid Data Breach Mess

equifax (1).jpgA former software developer for Equifax, Sudhakar Reddy Bonthu, faces insider trading charges related to the company’s massive data breach last year, according to the SEC and federal prosecutors. Allegedly, in August 2017, Bonthu was asked to participate in Project Sparta, which Bonthu’s bosses described as a major project for one of the company’s clients who suffered a major breach that exposed details of over 100 million users.

Unknown to Bonthu at the time, that client was Equifax itself, which a month prior discovered that it was hacked and an intruder stole details for over 145.5 million US and international users. Bonthu was tasked with creating “an online user interface into which users could input information to determine whether they had been impacted by the breach.” According to court documents, he was told that “the project was a high priority for the unnamed company and had a short deadline because the client intended to ‘go live’ on September 6, 2017, with the breach remediation applications designed by Equifax.”

To create the website, which later turned out to be equifaxsecurity2017.com, Bonthu was given test data and was included in mailing lists exchanging information about the still-secret breach. SEC investigators say that Bonthu concluded on his own that the secret client in Project Sparta was in fact Equifax itself.

In an attempt to obstruct his trail he used his wife’s trading account, wherefrom he purchased eighty-six out-of-the-money put option contracts for shares of Equifax common stock with an expiration date of September 15, 2017, and a strike price of $130 per share. Bonthu made this purchase despite the fact that Equifax’s policies expressly prohibit any trading in derivative securities, including put and call options.

By purchasing out-of-the-money put options, Bonthu could make money only if the market price of Equifax stock were to drop below the put option strike price before the contract expired approximately two weeks later, on September 15. If the market price did not so drop, the put options would expire and his investment would be worthless.

On September 8, the price of Equifax common stock closed at $123.23, a drop of $19.49 (nearly 14%) per share from the prior day’s closing price of $142.72. […] As a result of the precipitous drop in Equifax’s share price, Bonthu turned his initial investment of $2,166.11 into $77,333.79 in only six days. In sum, Bonthu’s ill-gotten gains from his trading in Equifax options totaled $75,167.68, a return of more than 3,500% on his initial investment.

3028.03.15equifaxchart.JPG

The SEC says Bonthu had never previously traded in Equifax options. Equifax fired Bonthu in March 2018 after he allegedly refused to cooperate on an internal investigation on charges that he violated the company’s insider trading policy. Bonthu has agreed today to a permanent injunction and to return ill-gotten gains plus interest. If the settlement is approved by a judge, this will terminate SEC civil charges.

The equifaxsecurity2017.com website, on which Bonthu worked, has been deemed one of the most poorly put together breach notification sites in recent years, with several issues affecting it.

He is the second Equifax employee charged with insider trading after Equifax’s breach last year. Earlier this March the SEC charged former CIO of Equifax U.S. Information Solutions Jun Ying. Equifax says it tipped off the Department of Justice and the SEC to Ying’s alleged insider trading.

Although Ying wasn’t directly told that Equifax had been breached, he was assigned to assist Equifax’s Global Consumer Solutions unit with what was billed as “a business opportunity for an unnamed client,” code-named Project Sparta, according to court documents. The project was designated as “urgent,” and everyone participating, including Ying and his team, were instructed to cancel their Friday evening plans and respond to all requests.

At 5:27 p.m. that day, Ying texted a co-worker that the breach they were working on “sounds bad” and noted: “We may be the one breached. . .. Starting to put 2 and 2 together,” according to the SEC complaint. Later that evening, Ying learned that Equifax’s CSO, chief legal officer and vice president of cybersecurity had all canceled their travel plans, it adds.

The following Monday, around 10 a.m., “Ying used a search engine to find information on the internet concerning the September 2015 cybersecurity breach of Experian, another one of the three major credit bureaus, and the impact that breach had on Experian’s stock price,” according to the complaint. “The search terms used by Ying were: (1) ‘Experian breach’; (2) ‘Experian stock price 9/15/2015’; and (3) ‘Experian breach 2015.’

“This defendant took advantage of his position as Equifax’s USIS chief information officer and allegedly sold over $950,000 worth of stock to profit before the company announced a data breach that impacted over 145 million Americans,” says U.S. Attorney Byung J. “BJay” Pak. “Our office takes the abuse of trust inherent in insider trading very seriously and will prosecute those who seek to profit in this manner. By selling when he did, Ying avoided losses in excess of $117,000.”

Earlier this month, Equifax revised its estimate of the breach’s impact to 147.9 million U.S. consumers. About 15 million U.K. consumers – of which about 860,000 are at risk of identity theft – and 8,000 Canadian consumers also saw their personal information get breached (see Equifax Breach Victims: UK Count Goes Up).

I identified Equifax’s control gaps and conflict of interest in a post shortly after the breach in 2017. I suspected then as I do now that more people will be charged related to conflict of interest with LifeLock identity theft protection.

Information sourced from Tara Siegel Bernard for the New York Times, Allison Prang for the Wall Street Journal, and the associated press. Curated and edited by Jeremy Swenson of Abstract Forward Consulting.

Key Updates to the NIST Cyber Security Framework

framework-01The first version of the NIST Cybersecurity Framework came about in Feb. 2014. In May 2017 President Donald Trump issued an executive order directing all federal agencies to use the framework to manage this risk, including future versions. Conversely, the private sector more so uses it as a non-uniform guide (sometimes in part) when needed. They use other more industry specific frameworks as well. On 04/17/18 NIST released the updated version of this standard-setting framework. We attended the NIST hosted webcast reviewing this on 04/27/18 and my key points are:

Framework 7 Step Process:

1)    Prioritize and Scope: Implementation tiers may be used to express varying risk tolerances.
2)    Orient
3)    Create a Current Profile
4)    Conduct a Risk Assessment
5)    Create a Target Profile: When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes.
6)    Determine, Analyze, and Prioritize Gaps
7)    Implementation Action Plan

These recent changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held from 2016 to 2017.

NIST Cyber Security Framework 3 Areas

The newest version (1.1) includes these updates:

1)    Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cyber security requirements.

2)    Added a new section for self-assessing cybersecurity risk which explains how organizations can use the framework. Emphasizes the role of measurements in self-assessment stresses critical linkage of business results:

  • Cost
  • Benefit
  • to cybersecurity risk management
  • Continued discussion of this linkage will occur under
  • Roadmap area – Measuring Cybersecurity

3)    Added a new section for supply chain risk management which focuses on identifying, assessing, and mitigating acquired products and services that may contain malicious functionality, be counterfeit, or have critical vulnerabilities because of poor manufacturing practices.

4)    Added new focus area for small business – what this means is yet to be seen.

“Engagement and collaboration will continue to be essential to the framework’s success,” said Matt Barrett of NIST. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk”, he said.

PwC’s 2018 Global State of Information Security Survey (GSISS) indicated that respondents from healthcare payer and provider organizations, as well as oil and gas companies, said the NIST Cybersecurity Framework is the most commonly adopted set information security standards in their respective industries.

In another case, the University of Chicago’s Biological Sciences Division (BSD) successfully implemented the Cybersecurity Framework to help them comply with HIPAA and other federal data security rules.

If you want to know how to customize this to your organization please contact us.

5 Things Equifax Could Have Improved to Prevent Their Data Breach

Equifax_breach_exposes_143_million_peopl_0_4110363_ver1.0_640_360Minneapolis, MN – 11/22/17. The recent Equifax data breach impacted one-third of the U.S. population with more than 143.5 million records exposed.  This epic hack started on 05/13/2017 and lasted until 07/29/2017, all the while the company was clueless.  As a result, the threat actors trolled around Equifax’s network, staging and exfiltrating data undetected for 2.5 months.  It is one of the biggest data breaches in U.S. history but clearly not the biggest.  Going forward, breaches are likely to be bigger, given the threat actors risk vs. reward tradeoff, and the increasing capabilities of cloud computing and botnets thereby enabling anonymity.

Equifax 1Yet this breach may be one of the most negatively impactful because of the comprehensive sensitive data lost in it including social security numbers, full names, addresses, birth dates, and even drivers licenses and credit card numbers for some.  “This information is the kind that several businesses like financial companies, insurance companies, and other security-sensitive businesses use to identify a customer accessing their accounts from online, by phone, or even in person” (Pelisson, Anaele; & Villas-Boas, Antonio, 09/08/17).

Therefore, this breach lends itself perfectly to future identity theft.  To date, hundreds of fraudulent loan applications, credit card charges, student loans, and insurance claims have been documented and it’s not likely to stop anytime soon.  All of this has inspired negligence lawsuits and regulatory reviews across most states.  If there is one thing you would expect from a credit monitoring company claiming to protect the accuracy of your data, it is that they would at least have above average information security standards.  Yet they clearly did not.  Below are the things that went wrong at Equifax to enable and exacerbate the breach:

1) Equifax’s first problem was that they failed to take a recent critical update notice seriously:
NIST (The National Institute of Standards in Technology) via CERT (critical emergency readiness team) issued an update alert for the Apache Struts platform on 03/08/17, CVE (critical vulnerability exploit) 5638 (Fig 2) which Equifax ignored or gave low priority.  Apache Struts is a free, open-source, MVC (model view controller) framework for creating nice, new Java web applications.  At Equifax, the Apache Struts platform was used for multiple applications and thus the risk associated with failing to patch the vulnerably was exponentially large and complex.

Apache Struts
Negatively, the Apache Struts vulnerability allowed remote code execution via a cmd string upload in the HTTP header.  Both versions of this vulnerability were listed as being highly severe by the CVE alert.  There is no way Equifax did not know this to a considerable degree.  Lesson learned: solidify your security baseline and update and patch based on likely impact and ease of execution.

2) Equifax had a history of poor security culture back to 2014 and failed to make key improvements:
“In April 2017, cyber-risk analysis firm Cyence rated the probability of a security breach at Equifax at 50 percent in the next 12 months.  Credit analytics firm FICO gave Equifax low marks on data protection — an enterprise security score around 550 on a scale of 300 to 850.  In 2014, Equifax “left private encryption keys on its server,” potentially allowing hackers to decrypt sensitive data, according to a recent breach related lawsuit.” (Harney, Kenneth; 11/21/2017).  Thus, Equifax had poor security long before the recent breach and they have been warned.

a) Creating a culture of security where rank and title do not suppress valid evidence and reason, and outside vendors are vetted and listened to in a timely order concerning security risks would improve their security posture.  Yet this requires cross-departmental collaboration, openness, and it requires firing those insulating themselves in fiefdoms of “yes sayers”.

3) Executives had more concern for short-term profit than long-term security:
On 08/01/17 and 08/02/17 three top executives from Equifax sold nearly $2 million worth of company stock at a high price but maintain that they had no knowledge of the breach that was discovered by the company on 07/29/17. Allegedly these trades were placed before August 2017. Although these may be innocent well-earned stock trades, the totality of the circumstances warrants further validation even though Equifax’s attorneys reviewed the trades at the time. Trades like these should not just be reviewed by the legal department but also by the P.R. department when a disaster is near, likely, or present. Most importantly, long-term security should be on the mind of executives, not short-term profits – implicates a huge culture issue.

4) They have business products that create conflicts of interest that incent data breaches and identity theft:
This is because Equifax sells credit monitoring services at about $17 per month per customer.  They also partner to sell identity theft monitoring via LifeLock.  LifeLock has a direct copy of most of Equifax’s data so they can accurately monitor for fraud indicators.  LifeLock cost about $30 per month per customer and a part of that profit is shared with Equifax via a prearranged deal inked in 2015.  Sen. Elizabeth Warren described it in the video below.

5) Equifax used stunningly simple PIN numbers that were composed of date
and time:

This was corroborated by Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity.  He stated, “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that.  Absolutely yes, this is a rookie mistake” (Hembree, Diana, 11/15/17).  Obviously, in using such a simplistic approach in PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program.  PINs should be more complex, completely confidential, and there should be a policy mandating that they change often (every six months for example).

If you want to talk more about these and related concepts applied to my consulting and speaking, please contact me here.

Lessons Learned From the Sony Hack

sony-hack-photo-3This article reviews the 2014 Sony hack from a strengths and weaknesses standpoint based on select parts of the SysAdmin, Audit, Network and Security (SANS) and National Institute of Standards in Technology (NIST) frameworks. Although an older hack, the lessons learned here are still relevant today.

Strengths – A Track Record of Innovation and Multilayered Information Security:
From early boom-boxes in the 1980s to the first portable disc player in the early 1990s.  To high-quality headphones, the first HD TVs, to high-quality speakers, a gaming system revolution called the PlayStation, and now a massive on-line gaming network, Sony has been creative and innovative.  This has made them one of the most respected and profitable Japanese companies to date.  Yet this success derived overconfidence in other areas including information security but they still have the potential and the money to be a security leader.   The managerial layering of Sony’s information security team was a good start even if their head count was too low.  One source stated, “Three information security analysts are overseen by three managers, three directors, one executive director and one senior vice president” (Hill, 2014).  Although contradictory, at least there was some oversight.

Failure 1 – Poor Culture and Lack of Leadership Support:
Sony’s leadership is on the record as not respecting the recommendations of either internal or external auditors.  A quote from an I.T. risk consultancy summarized it this way, “The Executive Director of Information Security talked auditors out of reporting failures related to Access Controls which would have resulted in Sony being SOX (Sarbanes-Oxley) non-compliant in 2005” (Risk3sixty LLC, 2014).  Things like this trickle down the layers of management and become a part of the company culture.  Specifically, low level whistle blowers were silenced even though their I.T. risk arguments were solid.  “Sony’s own employees complained that the network security was a joke. (Risk3sixty LLC, 2014)”.  When this happened Sony’s leaders failed to execute their fiduciary duty to the board, shareholders, and customers.  They did this so they did not look bad in the short term yet it cost the company more in the long term.

Failure 2 – Not Understanding Their Baseline:
The baseline is a measure that determines when you have the right amount of security and security process in relationship to your required business objectives and risk tolerance.  Being below the baseline means risk is too high and an attack or breach is likely.  This is why the baseline changes often and needs to be closely monitored.  For example, when you are producing a very politically controversial movie about an unruly world leader who has a history of making war threats against his political opponents, you should have a higher baseline to be on guard from hacktivists.  Sony overly focused on their cash generating core competencies and security was at most an afterthought.  According to one source, Sony Pictures had just 11 people assigned to a top-heavy information security team out of 7,000 total employees (Hill, 2014).  For a technology company that is way too few people working in security.  It’s not enough people to collect and intelligently review logs, patch software, pen test, red team, and be available for one or more war room type projects which are bound to come up – all things prudent security would require.

Understanding your I.T. risk baseline requires testing and measurement and this has to be based on some framework, SANS, NIST, or some of the others.  One former employee described Sony’s failure to comply with any framework as follows, “The real problem lies in the fact that there was no real investment in or real understanding of what information security is.  One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected” (Hill, 2014).  Had they conformed to the SANS or NIST framework they would have been required to encrypt the data – see conclusion.

Failure 3 – Weak Password Policies:
Sony’s password policy was embarrassingly weak.  In fact, so weak you might think they were deliberately trying to help hackers.  “Employees kept plaintext passwords in Microsoft Word documents” (Franceschi-Bicchierai, 2014).  Even very small companies from the 1990s would have policies against that.  Moreover, one source confirmed that the word files were named with password in the file name (Risk3sixty LLC, 2014).  Once in the network, all a hacker has to do is search for a file with password in the name and they have it.

Failure 4 – Late Detecting the Hack and Data Exfiltration:
Right away the intruders easily walked into Sony’s internal network and began stealing unencrypted sensitive data with apparently no log alarms going off.  Sony had not followed data classification, retention, or governance plans – not even checkbox compliance.  If they did they would not have had all types of data mixed together.  One reporter described it this way, “Intruders got access to movie budgets, salary information, Social Security numbers, health care files, unreleased films, and more” (Hill, 2014).  Thus, their network segmentation here must have been weak or non-existent.  Health care data should not be near unreleased film files as they are totally different.  There is no business justification for this.  Segmenting and encrypting the data would have greatly reduced and delayed any data theft.

Conclusion:
sans-top-3-sony
nist-cyber-sec-framework-for-sony

References:
Baker, L., & Finkle, J.  “Sony PlayStation suffers massive data breach”.  Reuters.  Published 04/26/11.  Viewed 10/26/16.  http://www.reuters.com/article/2011/04/26/us-sonystoldendata-idUSTRE73P6WB20110426

Franceschi-Bicchierai, Lorenzo.  “Don’t believe the hype: Sony hack not ‘unprecedented,’ experts say.”  Mashable.  Published 12/08/14.  Viewed 10/20/16.  http://mashable.com/2014/12/08/sony-hack-unprecedented-undetectable/#359BD06aEkq6

Greene, Tim.  “SANS: 20 critical security controls you need to add.” Networked world.  Published 10/13/15.  Viewed 10/23/16.  http://www.networkworld.com/article/2992503/security/sans-20-critical-security-controls-you-need-to-add.html

Hill, Kashmir.  “Sony Pictures hack was a long time coming, say former employees”.  Published 12/04/14.  Viewed 10/20/16.  http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/

NIST.  “Framework for Improving Critical Infrastructure Cyber Security”.  Published 01/01/2016.  Viewed 10/23/16. https://www.nist.gov/sites/default/files/documents/cyberframework/Cybersecurity-Framework-for-FCSM-Jan-2016.pdf Risk3sixty LLC.

Risk3sixty. “The Sony Hack – Security Failures and Solutions.”  Published 12/19/14.  Viewed 10/20/16. http://www.risk3sixty.com/2014/12/19/the-sony-hack-security-failures-and-solutions/

Sanchez, Gabriel.  “Case Study: Critical Controls that Sony Should Have Implemented”.  SANS Institute Information security Reading Room.  Published 06/01/2015.  Viewed 10/20/16.  https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-sony-implemented-36022