Can Wanted Cybercriminals Be Stopped?

February 11, 2016 | Leave a Comment

By Leo Taddeo,  ‎Chief Security Officer, Cryptzone

Part 2 of a 2-part series

Can-Wanted-Cybercriminals-Be-Stopped-iStock-arfo-250x167I recently wrote about the challenges around cybercrime reporting in the US. Organizations often fail to notify law enforcement after discovering a network intrusion – partly because of a reluctance on their part to admit having been a victim, but also because they may not be aware which agency has jurisdiction over their case.

The outcome of this is that a lot of cybercrime is never investigated by the authorities, and a lot of hackers – some of them extremely prolific – are never brought to justice. This makes it difficult for law enforcement to create a meaningful deterrent. The financial rewards of cybercrime are often very high; the risk of getting punished is very low.

However, it’s not just a lack of cybercrime reporting that feeds into this difficulty. There’s also the fact that while the US has had a lot of success in apprehending certain high-profile hackers, other wanted cybercriminals – individuals of similar, if not greater, stature – remain at large with little chance of arrest.

Some of these people are on the FBI’s most-wanted list. Bringing them to justice would act as a significant deterrent for other would-be hackers, and therefore do much to protect the networks of organizations in the US and elsewhere. But can they be stopped?

Apprehending Foreign Cybercriminals is Difficult
One of the key reasons the US has difficulty in stopping wanted cybercriminals is that many of them are located in China and Russia, which significantly hinders our ability to bring them to justice.

I’ve written before about the hacking threat from China and the 2014 indictment of five Chinese military officers for stealing intellectual property from American companies; naturally, those officers have never been extradited. And while President Xi and President Obama have since agreed not to “knowingly support” cybercrime, I would argue that this agreement is unenforceable. In all likelihood, China will continue to use hacking as a tool to further its global power.

Still, at least we’ve opened a discussion. No such dialogue has been sought with Russia, which means US authorities can’t rely on the cooperation of their Russian counterparts when it comes to cracking down on cybercriminal activity originating in that country.

Russian hackers have a long history of targeting financial institutions in the US, and – by all accounts – remain free to do so with relative impunity. Evgeniy Bogachev, one of the most prolific cybercriminals in the world, is a key example; despite having a bigger FBI bounty on his head – $3 million – than any other hacker, he’s reportedly treated as nothing less than a hero in Russia. One policeman in his hometown of Anapa told the British press in 2014: “I’d pin a medal on the guy.”

This is a man whose cybercriminal enterprise is believed to have stolen over $100 million from foreign banks. It’s hard to say for sure if being on the FBI’s most-wanted list has made him any less prolific, but is there any reason for him to stop what he’s doing?

US Organizations Must Act Now to Improve Security
As I said in my last blog post, law enforcement has a hugely important role to play in the fight against cybercrime. By gathering and sharing up-to-date threat intelligence, investigating network intrusions, and ultimately arresting and prosecuting hackers, agencies like the FBI make America a safer place to do business.

At the same time, issues like our inability to extradite wanted cybercriminals from Russia and China, as well as the fact so many cyber attacks go unreported, means no organization can rely on the government to protect it from this growing threat. Only by implementing the best possible controls – securing their networks, applications and data – can American companies truly defend themselves.

Don’t wait for the bad guys to be arrested; strengthen your defenses to stop the bad guys from getting in.

Learn more about Cryptzone’s secure access and data security solutions.

Five Surprising Truths from the Cloud Security Alliance’s Latest Survey

February 8, 2016 | Leave a Comment

Survey of 200 it leaders finds that cloud perceptions, it security reporting structures, and cloud security approaches are changing

By Cameron Coles, Senior Product Marketing Manager, Skyhigh Networks

Screen Shot 2016-02-03 at 3.08.24 PMAfter years of IT leaders loudly voicing their concerns about the security of the cloud, trust in cloud services is now virtually on par with on-premises applications. That’s according to a survey conducted by the Cloud Security Alliance released this week (download a free copy here). It’s just one finding in the 26-page report drawn from a survey of over 200 IT executives about the state of cloud adoption, the evolving role of IT, and how enterprises approach cloud security. While trust in the cloud may be on the rise, that doesn’t mean companies aren’t looking to implement many of the same security controls they did for their on-premises systems.

“As data leaves the company data center for the cloud, IT is caught between delivering technologies to support innovation and growth in the business and securing sensitive data against proliferating threats.”
– Cloud Security Alliance “The Cloud Balancing Act for IT: Between Promise and Peril

64.9% of IT trusts the cloud as much or more than on-premises software
It’s a well-established conceit, heard whenever IT executives are discussing the merits of cloud projects, that “the cloud is not secure” but that’s changing. Despite concerns about the security of corporate data moving to the cloud, just 35.0% of IT leaders believe that, as a general rule, cloud-based systems of record are less secure than their on-premises counterparts. A majority, 64.9%, say that the cloud is either more secure than on-premises software or equally secure. One potential reason for this is that cloud providers like Salesforce and Workday have invested heavily in security, extending beyond even what some of their customers do to secure their on-premises applications.

64.9

While IT leaders are more confident in the platform security of cloud applications, there’s still a lot that can go wrong. Careless or malicious insiders, compromised accounts, and misconfigured security settings can all lead to data loss, even within enterprise-ready cloud services whose platforms are arguably more secure than what most companies run in their own data centers. Perhaps that’s why the ability to enforce corporate security policies is the number one barrier to moving applications to the cloud, indicated by 67.8% of IT leaders. That’s followed by the need to comply with regulatory requirements (61.2%) and lack of budget to replace legacy systems (31.6%).

64.9% of IT leaders say the cloud is as secure or more secure than
on-premises software

The top barrier to securing data is a lack of skilled security professionals
Surprisingly, the biggest barrier to stopping incidents that result in data loss is not a limitation with security technology or budgeting; it’s a human resource limitation. Companies are struggling to find and hire skilled employees to take advantage of their security technology. That’s because businesses are hiring IT security professionals faster than the market can educate, train, and develop experienced security professionals. In August, it was reported that JP Morgan expected to spend $500 million on cyber security in 2015, double its 2014 budget of $250 million. Rapid hiring is leading to a shortage of people to fill open positions.

CSA-Report-2015-barriers-to-detecting-data-loss-961-dark

A 2015 report from labor analytics firm Burning Glass shows that cyber security job postings grew 91% from 2010 to 2014, more than three times the rate of growth in all IT jobs. More than a third (35%) of cyber security jobs require industry certifications such as CISSP, 84% of postings require at least a bachelor’s degree, and 83% require at least three years of experience. However, education, certifications, and experience pay off for security professionals. The same report revealed that cyber security jobs have a 9% salary premium over other IT jobs. That’s why some say it’s the hottest job of 2016 and one with job security.

screenshot

24.6% of companies would pay a ransom to prevent a cyber attack
In the now infamous Sony cyber attack, hackers contacted the company and demanded a ransom before making over 100 terabytes of sensitive company data public and crippling its IT infrastructure. In the CSA survey, the greatest concern reported by IT leaders about the impact of a cyber attack is the loss of reputation and trust, followed by financial loss. In the Sony attack, external analysts estimate it cost the company $35 million to deal with the immediate aftermath of the data breach and another $83 million to completely rebuild its damaged IT infrastructure.

CSA-Report-2015-ransom-961

It’s not clear whether Sony could have stopped the release of company data if it had responded to hacker demands in the days leading up to data dump (or if, indeed, the company attempted to answer the demands of the attackers). Nevertheless, if faced with a situation in which hackers have stolen information in a major breach and plan to make the information public, 24.6% of companies would be willing to pay a ransom to prevent the release of sensitive information. Across all companies, 14.0% would be willing to pay a ransom in excess of $1 million to prevent the release of such information. Not surprisingly, companies with cyber insurance were more likely to be willing to pay a ransom to stop a breach (28.6% vs 22.6%).

14% of companies would pay a ransom of $1+ million to prevent the release of data stolen by hackers

Systems of record are the next wave of cloud adoption
In 2011, Geoffrey Moore introduced the concept of systems of engagement and predicted they would be the next wave in enterprise IT. Systems of record, which capture every dimension of data relevant to a company and process that data, were the focus of information technology initiatives last century. The new focus, he said, was on systems of engagement that enabled greater collaboration and communication. These new tools allow users to share files and information and communicate in real time via video and chat, and they were built from the ground up to run in the cloud.

Fast-forward a couple years and Moore’s prediction appears prescient. Companies have invested in a new generation of communication and collaboration tools that are cloud-native. However, as more companies experience the benefits of cloud computing, they are beginning to look toward extending these benefits to their systems of record. Systems of record, far from being left behind in legacy on-premises data centers, are starting to move to the cloud. The most common system of record to be deployed in the cloud today is customer relationship management (CRM) solutions but nearly one third of companies plan to migrate their accounting/finance, HRM, and IT service management systems to the cloud.

CSA-Report-2015-system-of-records-550

Companies with a CISO are more prepared for a cyber attack
Companies with an executive in charge of information security, known as the chief information security officer (CISO), are more confident about their internal strategy to operationalize threat data. One of the reasons that companies with a CISO may be more confident is that they are more likely to have an incident response plan. Across all companies, 82.2% have some form of an incident response plan that details how the company would respond to a serious breach, including security remediation, legal, public relations, and customer support. However, fewer than half of these companies have a complete plan that covers all of these areas.

CSA-Report-2015-incidence-response-plan-961

Just 19.0% of companies without a CISO have a complete incident response plan. However, 53.8% of companies with a CISO have a complete incident response plan. Companies with a CISO are also more likely to have cyber insurance to protect against the cost of a data breach. Across all companies, 24.6% have cyber insurance. However, just 17.2% of companies without a CISO have insurance compared with 29.2% of companies with a CISO. This insurance can help pay for the cost of a major cyber attack. Following the Target credit card breach in 2013, the company’s insurance covered $90 million of the $264 million cost related to the attack.

53.8% of companies with a CISO have a complete incident response plan
vs 19.0% of companies without a CISO

Improving Data Privacy One Employee at a Time

February 4, 2016 | Leave a Comment

By Rick Orloff, ‎Vice President and Chief Security Officer, Code 42

dpm_li crop (1)It’s no Hallmark holiday, but here at Code42, Data Privacy Day is kind of a big deal. We think it should be a big deal for your organization, too. It’s a great chance to focus on the biggest security threat in your organization: your end users and their devices.

As IT and InfoSec professionals, we spend a lot of time on complex strategies that protect us from the most sophisticated cyber threats. And then we spend more time cleaning up the messes that employees get us into just by clicking corrupt links. These unintentional “user mistakes” are the biggest insider threat today, causing around 25 percent of data loss.

Your end users don’t care about data security procedures
Why are end users so mistake-prone? Because, frankly, most don’t care. They think data security is IT’s problem—that if IT does its “job” and filters out the threats, they have nothing to worry about. Moreover, when they do something stupid, they think it’s IT’s job to come to the rescue. They don’t understand the risks they create for the company or the fact that once rung they can’t unring the bell. So, they go on ignoring security policies and finding creative workarounds for security measures that inconvenience them—such as utilizing “shadow IT.”

This is changing, and we’d like to help.

Code42 + National Cyber Security Alliance = Data Privacy Month 2016
Code42 is partnering with the National Cyber Security Alliance to champion Data Privacy Day and the entire Data Privacy Month of February. We’re helping enterprise security professionals address the problem of end-user education and motivation.

Making data security an end-user responsibility
Ready to celebrate this joyous holiday? Then it’s time to “talk turkey” with your end users. Here are some key considerations and topics to get you started:

1. Security education should be an in-your-face affair
Talk to employees, face-to-face. They ignore your emails and videos.

Your employee education has to a) deliver a crisp, meaningful message; b) demonstrate that security is a core responsibility bestowed by executives; c) close the loop between what you say and what employees understand; and d) hold employees accountable. Part of holding employees accountable is providing the easy-to-use tools and capabilities employees need to work.

2. Focus on keeping a clean machine
You might not be able to win the fight against “shadow IT,” but make sure your employees understand exactly how an unknown or unapproved app can quickly lead to a massive data breach that extends far beyond their device. It’s also important that they see how apps for personal use (social media, gaming, etc.) are not designed to offer the same level of data security as enterprise-grade productivity apps—and why installing these apps on work devices creates open doors to the entire enterprise ecosystem.

3. No more lazy passwords
This one can be fun. See if you can guess your end users’ passwords. It’s amazing how many people use something like “password” or “123456.” Call them out on using the same password for every login (as 73% of enterprise employees do). Call them out on never changing their passwords (47% of people use passwords that are 5+ years old). Take the group on a cubicle tour and see how many Post-It Note passwords you can find. If you haven’t already, implement technical controls to support your policies.

4. Have doubts? Throw it out
This one’s simple: Don’t be gullible. Don’t be stupid. Remind them not to open emails, click links or open attachments from unknown or suspicious sources. It’s uncanny how many people say, in retrospect, that “something seemed odd” about that email in broken English—but they figured the spam filter didn’t catch it, so they clicked the link. To that end, make sure they understand that spam filters are just the first line of defense—that they’re not perfect. Show them how to use your company’s spam filters: how to make sure filters are on, how to refine the filtering by flagging spam, and how to report a suspicious email, attachment, etc.

5. Endpoint backup is your best friend
Make sure your employees know that endpoint backup is the closest thing to a “Get Out of Jail Free” card in the data security world. The best way to get employees to embrace endpoint backup is to promote its benefits. Demonstrate how the “utility” makes it easy to work anywhere and recover any file in real time with or without the original device. This capability (with no IT intervention) will make IT the hero when employees lose data or suffer a malware attack at a critical moment.

6. Make the call for accountability
Make it clear that data security is everyone’s responsibility and that it’s not a cliché.

End users are actually the ones on the front lines of the battle—IT and InfoSec teams are more like the generals pushing big-picture strategies. End users are often the primary points of attack and need to embrace the defense strategies provided to them. They need to understand that all the fancy security tools in the world are worthless if they don’t follow the rules. They need to understand the true impact of even a tiny mistake—that IT can’t always “fix” it, and that a small error could easily lead to immense costs, lost productivity, brand damage and more. This can’t be understated. Most importantly, no employee—even trusted administrators and executives—should expect absolution for their ignorant or careless actions. At Code42, several data privacy “no-no’s”—not having full disk encryption on laptops, disabling Code42 CrashPlan for any reason, etc.—are fire-able offenses. Considering the damaging impact of data loss, we don’t think this is harsh—we think it’s critical to creating a culture of accountability.

Be privacy aware. Take the pledge and enter to win an iCloak.

You’ve Been the Victim of a Cybercrime. Who You Gonna Call?

February 2, 2016 | Leave a Comment

By Leo Taddeo,  ‎Chief Security Officer, Cryptzone

Part 1 of a 2-part series

Youve-Been-the-Victim-of-a-Cybercrime-250x167Right now, one of the greatest challenges in the fight against cybercrime is the difficulty we have in creating a meaningful deterrent for hackers.

Basically, the number of cybercriminals out there is demonstrably very large, and all the available data shows the number grows larger all the time. And yet the number those cybercriminals who are caught and punished is very small, and changes little from year to year. In terms of risk versus reward, it’s a very attractive game for hackers to be in.

In this blog post – the first of two – I’d like to talk about how one of the reasons for this difficulty in creating a deterrent is that US organizations often fail to engage law enforcement when their networks come under attack.

Let’s say you’ve been the victim of a cybercrime. Who you gonna call?

The Trouble with Cybercrime Reporting
The first challenge many US organizations encounter when they attempt to report cybercrime is that there’s no one correct way to do this. Even if you restrict your definition of the term to only cover network intrusions and not other illegal online activity like identity theft, there are still several different places a person can go to alert the authorities to an incident.

According to the official guidance of the Department of Justice, organizations have no fewer than three options when it comes to reporting cybercrime. They can call their local FBI office; they can call the Secret Service; or they can log a complaint with the Internet Crime Complaint Center (IC3).

On top of that, the Department of Homeland Security has its own online portal for reporting cybercrime of any type, including network intrusions. State and local authorities add more options, as some victims resort to calling their local police departments or prosecutors offices.

Then there’s the question of which agency actually has jurisdiction over what. According to Title 18 Section 1030 of the US Criminal Code, both the FBI and Secret Service have the authority to investigate criminally-motivated cyberattacks. Should an incident be a matter of national security, the FBI is designated the lead agency.

In a nutshell, cybercrime reporting can be confusing. This is exacerbated by the fact that it’s rarely possible to know whether a cyberattack is a criminal or national security issue at the outset of an investigation – you might need to study a large amount of forensic information before this becomes apparent. Who wants to deal with this level of confusion right after discovering a data breach?

Why Engage Law Enforcement, Anyway?
Consequently, a lot of cybercrime goes unreported. This is an issue I touched upon in a recent blog about the lack of reliable cybercrime statistics, and it’s troubling for a number of reasons. It means that authorities don’t consistently have access to up-to-date threat intelligence; the victim has no access to the intelligence that law enforcement does have; and, at the end of the day, nobody is arrested and prosecuted.

Obviously, no organization should rely on the government to protect it against network intrusions and any damage that occurs as a result by chasing down and locking up hackers. But if the authorities had a more complete picture of the threat landscape, it’d be an enormous net positive for the security community – we’d be better equipped as a country to fight cybercrime and therefore create the deterrent we so badly need.

My advice? If you’re the victim of a cybercrime, report it to the FBI, which has jurisdiction over both criminal and national security cases.

Really, though, you should be doing everything you possibly can to ensure it never comes to that. Invest now, and strengthen your network defenses, because we’re a long way from having a sufficiently powerful deterrent to prevent the threat from growing day by day.

In part two of this blog, I’ll talk about the difficulty we have in bringing wanted cybercriminals to justice.