Cybersecurity Actors Increasingly Target the C-Suite 2019-08-01T04:00:00Z, Megan Gates<p>When considering a new business venture, companies look to where they can get the highest return on their investment. Malicious cyber actors engage in the same process. And in the past year, that process led them to target C-level executives with access to sensitive corporate information.</p><p>This attack focus is highlighted in the annual <em><a href="" target="_blank">Verizon 2019 Data Breach Investigations Report (DBIR)</a>, </em>which found that senior executives are 12 times more likely to be the target of social incidents and nine times more likely to be the target of social breaches than they were in the 2018 report.</p><p>“A successful pretexting attack on senior executives can reap large dividends as a result of their—often unchallenged—approval authority, and privileged access into critical systems,” according to the report. “Typically time-starved and under pressure to deliver, senior executives quickly review and click on emails prior to moving on to the next (or have assistants managing email on their behalf), making suspicious emails more likely to go through.”</p><p>The 12th version of the annual report analyzed 41,686 security incidents and 2,013 confirmed breaches from 86 countries. Verizon also worked with 73 contributors on the report, including the FBI for the first time.</p><p>Alex Pinto, head of Verizon security research and author of the report, says this was the main narrative that emerged after reviewing the data—that attackers are prioritizing targets that will give them the largest payout.
</p><p>“The nature of phishing hasn’t changed,” Pinto adds, but Verizon saw a “huge uptick from maybe 1.5 percent of executives being targeted to 20 percent of executives this year.”</p><p>Executives are being targeted through a variety of attacks, including business email compromise (BEC) schemes (see “<a href="/Pages/Spoofing-the-CEO.aspx">Spoofing the CEO</a>,” Security Management, October 2016). Stressful work environments are also helping these types of attacks succeed, Verizon found.</p><p>“The increasing success of social attacks, such as business email compromises (which represent 370 incidents or 248 confirmed breaches of those analyzed), can be linked to the unhealthy combination of a stressful business environment combined with a lack of focused education on the risks of cybercrime,” according to the report.</p><p>The industries that saw the largest increase in this type of activity were professional services, such as law offices and consulting partners.</p><p>“It’s interesting because, arguably, given how these companies work, they would probably be one of the best to target if you’re looking to exfiltrate email or have a combination of financial outcomes and secret data,” Pinto adds. “Those would be good C-level executives to target.”</p><p>Kevin O’Brien, CEO of cybersecurity firm GreatHorn, agrees with Pinto’s assessment and says that it’s no surprise that cyber criminals are increasingly targeting the C-suite.</p><p>“A well-timed email from the CEO can get employees to share sensitive financial information, while stolen credentials from this group grant them access to most of a company’s sensitive information,” he explains. 
“The majority of these attacks are coming via BEC attacks, which is why businesses need to use a holistic approach to email security that identifies, addresses, and reinforces business processes vulnerable to phishing.”</p><p>One positive finding in the report, however, is that when a successful BEC attack—one where an individual transferred money to a fraudster—was reported to the FBI’s Internet Crime Complaint Center (IC3) Recovery Asset Team, it was able to work with the destination bank to recover or freeze 99 percent of the funds in half of all cases.</p><p>“Only 9 percent had nothing recovered,” according to the report. “Let that sink in. BECs do not play out as well as it initially appears, and just because the attacker won the first round doesn’t mean you shouldn’t keep fighting.”</p><p>Another major finding from the report is the rising trend to share and store data in cloud-based solutions, which comes with its own set of security risks.</p><p>“Analysis found that there was a substantial shift towards compromise of cloud-based email accounts via the use of stolen credentials,” according to the report. “In addition, publishing errors in the cloud are increasing year-over-year. Misconfiguration led to a number of massive, cloud-based file storage breaches, exposing at least 60 million records in the DBIR dataset. 
This accounts for 21 percent of breaches caused by error.”</p><p>For instance, in February 2019, UW Medicine confirmed that a misconfigured Web server made internal files available and visible online on 24 December 2018—potentially affecting 974,000 patients.</p><p>“The files contained protected health information about reporting that UW Medicine is legally required to track, such as reporting to various regulatory bodies, in compliance with Washington state reporting requirements,” the hospital said in a statement.</p><p>The hospital became aware that the information was online after a patient googled their name and found a file containing their personal health information. The patient reported it to UW Medicine. The hospital then worked with Google to have the files removed from its search results by 10 January 2019.</p><p>“We believe the risk of identity theft to you is negligible since no financial information or Social Security numbers were exposed,” UW Medicine said. “Even though the files contained your name and medical record number, the medical record number generally is only used for internal purposes, not for communicating with patients.”</p><p>To prevent similar incidents from happening, corporations need to have processes to identify and assess security risks from new technology.</p><p>Businesses “need access to cyber detection tools to gain access to a daily view of their security posture, supported with statistics on the latest cyber threats,” said Bryan Sartin, executive director of security professional services at Verizon, in a press release. 
“Security needs to be seen as a flexible and smart strategic asset that constantly delivers to the businesses and impacts the bottom line.”</p><p>While the report found that specific targets and attack locations are changing over time, the tactics that criminals use to infiltrate them are largely remaining the same.</p><p>“There is an urgent need for businesses—large and small—to put the security of their business and protection of customer data first,” Sartin said. “Often, even basic security practices and common sense deter cybercrime.”</p><p>These general recommendations include implementing two-factor authentication, providing security training, and regularly assessing user privileges to prevent excessive access.</p><p>To aid organizations further, Verizon also included a variety of recommendations for each industry sector based on the trends identified in its 2018 data set.</p><p>For instance, in the professional, technical, and scientific services category, Verizon saw a rise in phishing and credential theft associated with cloud-based email accounts—similar to BEC attacks.</p><p>“Financial staff were the most likely to be compromised in incidents involving fraudulent transactions, but it should be noted that executives were compromised in 20 percent of the incidents and are six times more likely to be asset compromised in Professional Services breaches than the median industry,” according to the report.</p><p>To prevent this, the report’s authors recommended that these industry vectors use password managers and two-factor authentication to prevent static password use.</p><p>“Don’t forget to audit where all your doors are,” the authors added. “It doesn’t help to put XO-9s on most of your entrances if you’ve got one in the back rocking a screen door.”</p><p>The report’s authors also recommended monitoring email for links and executables and creating ways to report potential phishing.</p><p>“Set your staff up for success. 
Monitor what processes access personal data and add in redundant controls so that a single mistake doesn’t result in a breach,” they explained.</p><p>Verizon found that the healthcare sector stands out because most breaches are associated with internal actors who have access to the organization’s system. </p><p>“Effectively monitoring and flagging unusual and/or inappropriate access to data that is not necessary for valid business use or required for patient care is a matter of real concern for this vertical,” the report explained. “Across all industries, internal actor breaches have been more difficult to detect, more often taking years to detect than do those breaches involving external actors.”</p><p>To address these problems, the report recommended healthcare organizations identify where their data stores are, limit access to them, and track access attempts.</p><p>“Start with monitoring the users who have a lot of access that might not be necessary to perform their jobs, and make a goal of finding any unnecessary lookups,” it explained.</p><p>Some organizations will not be able to implement these recommendations immediately, but Pinto says that they are designed to give organizations goals to move towards to improve their overall cybersecurity posture.</p><p>“Our job here is to give people a North Star,” he says. “We know that you have finite resources.”</p>

Duty and Vulnerable<p>Awareness of police misconduct and calls for reform in the United States have increased over the last decade. In some cases, officers were investigated and prosecuted at the state level for their actions. Other incidents investigated by the U.S. Department of Justice resulted in criminal prosecution of a police officer for violating a person’s constitutionally protected rights.</p><p>For example, from 2009 to 2012 the U.S. Department of Justice charged 254 police officers throughout the United States with violating the individual rights of Americans. </p><p>The private security industry remains historically insulated from claims of civil rights-related violations and the resulting criminal sanctions that can be imposed against security personnel. The private security industry in the United States is much larger than the public sector police force; the industry outnumbers public police by a ratio of at least three to one. This growing number of security personnel could lead to increased civil rights violations. </p><p>The security industry is also less regulated, meaning that security personnel have varying amounts of training while public sector police counterparts have mandated training programs. This discrepancy in training can also become a problem because many private security personnel have direct contact with the public, often performing quasi-judicial police-related activities. </p><h4>Criminal Sanctions</h4><p>One federal statute that has been used to prosecute police officers for civil rights violations is Title 18 of the United States Code, Section 242. It makes it a crime for anyone acting “under color of any law, statute, ordinance, regulation or custom” to willfully deprive a person of a right or privilege protected by the U.S. Constitution or state and local laws.
</p><p>The statute also applies to public officials violating a person’s civil rights, including elected officials, public facilities’ care providers, correctional officers, court staff, and security officers.</p><p>For example, if a police officer assaults a citizen, the officer can be prosecuted for assault and battery and be charged at the federal level for violating the citizen’s Fourth Amendment rights under Section 242.</p><p>A conviction under the statute requires three elements. First, the act must violate a protected right guaranteed by the U.S. Constitution. If defendants reasonably understand that their actions are constitutionally impermissible, they can be held accountable for their actions. </p><p>Second, the accused must be acting under “color of law,” meaning an officer authorized under state or federal law and acting in his or her official capacity.</p><p>Lastly, there must be intent to “deprive a person of a right which has been made specific either by the express terms of the Constitution or laws of the United States or by decisions interpreting them,” according to <em>Screws v. United States</em> (U.S. Supreme Court, 1945). </p><p>This case clarified that a defendant violated Section 242 when engaged in activities to deprive an individual of his or her rights and was also “aware that what he does is precisely that which the statute forbids,” according to the Court’s opinion. </p><h4>Prosecutions</h4><p>Few federal Section 242 prosecutions have involved security personnel. Of those cases, however, private security personnel were prosecuted when they were conferred police powers, were working off duty or moonlighting, or when they were employed as security guards under government contracts.</p><p><strong>Police powers. </strong>Some security personnel were prosecuted under Section 242 when they were granted state-related powers and considered “state actors.” In the events leading to <em>Williams v. United States</em> (U.S. Supreme Court, 1951),
Williams was a private detective with a special police officer’s card issued by the City of Miami. He had also taken an oath. Lindsey Lumber Company hired Williams to investigate a series of thefts, and during the investigation Williams used “brutal methods,” displayed his badge, and included the presence of a policeman to “lend authority” to the interrogations of four suspects who were “unmercifully punished for several hours,” according to court documents.</p><p>A jury convicted Williams of violating Section 242. He appealed the ruling, ultimately appearing before the U.S. Supreme Court to answer the question of whether private persons could be prosecuted under the statute.</p><p>In its opinion, the Court reasoned that Williams was acting under color of law and was not a private person. The Court concluded Williams’ actions were an “investigation conducted under the aegis of the state” because a regular police officer attended the interrogation and Williams was “asserting the authority granted him and not acting in the role of a private person.”</p><p>The Court upheld his conviction and noted that Williams was “no mere interloper but had the semblance of a policeman’s power from Florida” and his conduct violated the due process right to be free “from the use of force and violence to obtain a confession.”</p><p>Another case where private security personnel were convicted under Section 242 was <em>United States v. Hoffman </em>(U.S. Seventh Circuit Court of Appeals, 1974). In the case, two members of the Penn Central Transportation Company’s police force were convicted for physically assaulting trespassers on or near company property.</p><p>The officers admitted that they attacked trespassers but argued that they were not acting under Illinois law. 
Instead, they said they were acting in a purely private capacity and as private persons at the time they committed the crimes.</p><p>Ultimately, the appellate court determined the officers were acting under color of law because Illinois state statute had given the railroad company’s police force “police powers as those conferred upon the police of cities,” according to court documents.</p><p><strong>Moonlighting.</strong> Off-duty police officers granted government powers in a private security capacity have also been prosecuted and convicted of civil rights violations, such as in 2003 when a federal court ruled that a security guard in a strip club was acting under the color of law when he assaulted a dancer.</p><p>The off-duty police officer, moonlighting as a private guard, was wearing his badge and gun during the assault, identified himself as a police officer, and prevented the victim from calling the police. He also filed an arrest report against the victim for allegedly assaulting him.</p><p>The officer was found guilty under Section 242 and received a 27-month sentence as well as three years of supervised release. The officer appealed the decision, and the federal circuit court upheld the original ruling <em>(United States v. White, </em>U.S. Court of Appeals for the Sixth Circuit, 2003). A federal judge found that “displaying signs of state authority” by wearing his gun and badge, declaring himself to be a police officer while off-duty, and filing a police report “underscores his imposition of state authority,” according to court documents.</p><p><strong>Government contract.</strong> The third identified theme is that security personnel can be prosecuted under Section 242 when operating under a contractual relationship with the state. 
In cases where security personnel employed as contractors for the state were prosecuted under Section 242, private security personnel had positions within a state agency, making the parties liable for their actions under the statute. Private security personnel working in correctional settings have also been prosecuted under similar circumstances.</p><p>Some of these cases are based on violations of a person’s Eighth Amendment right to be free from cruel and unusual punishment. In <em>United States v. Mendez </em>(U.S. District Court for the Eastern District of Texas, 2009), the defendant, an employee of a privately-owned prison transport company, received six months imprisonment and one year of supervised release for assaulting an inmate in her care and custody.</p><p>Another case, <em>United States v. Fuller</em> (U.S. District Court for the District of New Mexico, 2009), involved four defendants who worked for the Wackenhut Corporation, a contractor for a New Mexico county correctional facility.</p><p>Employed as correctional officers, two of the defendants physically assaulted an inmate, kicking him in the head multiple times. Prosecutors charged another defendant with failing to prevent the attack and indicted the fourth defendant with conspiracy for fabricating evidence, lying to, and providing false statements to police investigators. A jury convicted three of the defendants—the two defendants directly involved in the assault and the employee who lied to investigators—for violating Section 242.</p><p>Fifth Amendment violations involving contract security also exist. In <em>United States v. Loya</em> (U.S. District Court for the Southern District of Texas, 2009), Loya was employed as a contract guard at an Immigration and Customs Enforcement (ICE) detention facility.
</p><p>While working in the facility’s infirmary, Loya sexually assaulted female inmates—a violation of the detainees’ Fifth Amendment right to “life and liberty, including the right to bodily integrity.” Loya pleaded guilty to Section 242 violations and served a 36-month sentence.</p><h4>Lessons</h4><p>These cases show that private security personnel can be prosecuted under Section 242, but also raise questions as to why so few cases have been brought. This may be because of people failing to report violations, prosecutorial discretion, or the use of other federal statutes to prosecute security personnel for civil rights-related violations.</p><p>For example, federal prosecutors can recommend a case for diversion instead of prosecuting suspects under Section 242 when the accused agree to probation and dismissal of the charges upon completion of probation. </p><p>Additionally, proving all requirements to secure a Section 242 conviction can be a barrier. “Color of law” and the “willfulness” standards can be difficult to establish, subsequently insulating security officers from prosecution.</p><p>Despite these factors that may limit prosecutions of private security personnel, the security industry should be aware of these liabilities, which could become greater as public-private partnerships expand to fight crime. Security managers should train their officers to protect the constitutional rights of the people they serve. </p><p><em>Brian Johnson, Ph.D., is a professor in the School of Criminal Justice at Grand Valley State University. He is the author of four books, including Principles of Security Management. He specializes in private security, criminology, and law enforcement. Naoki Kanaboshi, S.J.D., is an associate professor in the School of Criminal Justice at Grand Valley State University.
He writes on constitutional law, civil rights, and legal issues for criminal justice practitioners.</em></p> on Threat Assessment Teams<p>Recent guidance from the U.S. Secret Service, <em><a href="">Enhancing School Safety Using a Threat Assessment Model: An Operational Guide for Preventing Targeted School Violence,</a></em> offers baseline information for developing a threat assessment team (TAT) to mitigate potentially violent or devastating events at K-12 schools in the United States. </p><p>The Secret Service advocates for a five-step process to establish a TAT with a multidisciplinary approach to information sharing. For each step, the author will provide guidance that extends beyond the scope of the Secret Service report with additional threat prevention measures.</p><p><strong>1. Establish a multidisciplinary team.</strong> The TAT is designed to direct, manage, and document threat assessment processes. Assemble a team from a variety of disciplines, which may include teachers, school guidance counselors, coaches, school resource officers, mental health professionals, and school administrators. Have a designated leader with the authority to act immediately in cases where time is of the essence. Meet on a regular basis and when needed if there is an emergent concern. These meetings should include dealing with potential threat indicators, training and role-playing focused on building confidence and capability, and building rapport and confidence in other team members.</p><p><strong>Additional guidance:</strong> Threat assessment is an intelligence-led activity and requires a certain skill set to synthesize information. Schools could partner with an agency or consider hiring an employee with an intelligence background.
The Multi-State Information Sharing and Analysis Center (MS-ISAC) also offers valuable trend information on physical and cyber threats that could be useful for the TAT. </p><p><strong>2. Define prohibited and concerning behavior.</strong> Concerning behavior progresses through a continuum, and policies must consider warning signs, which include “a marked decline in performance; increased absenteeism; withdrawal or isolation; sudden or dramatic changes in behavior or appearance; drug or alcohol use; and erratic, depressive, and other emotional or mental health symptoms,” according to the report. Policies and procedures should be set in place to monitor and direct action to collect additional information to consider if these are indeed a concern.</p><p><strong>Additional guidance:</strong> The Secret Service does allude to a continuum, but there is no specific guidance on how to categorize threats. A more in-depth understanding of transient and substantive threats is needed. It may be advisable to develop a tailored process map for each TAT, which describes each step and indicates responsibility in each phase to avoid anything falling through the cracks. </p><p><strong>3. Create a central reporting system.</strong> Establishing a central reporting system is crucial to all other threat assessment activities. Schools should establish multiple streams of information that could include online reporting, email, phone, and face-to-face communication. No reporting should be discouraged, but educating the school community on what to report will increase the validity of the information. Document thoroughly when responding to each report, categorizing threats, and determining whether to act. Anonymous reporting should be an option for those who are uncomfortable coming forward in a formal or public way.
It is important to handle each case with professionalism, considering privacy and confidentiality concerns.</p><p><strong>Additional guidance: </strong>Consider partnering with an Information Sharing and Analysis Center (ISAC), which is a nonprofit organization that provides an avenue for two-way sharing between the public and private sectors. Though ISACs have traditionally dealt with cyber and physical security, the model could be used to develop information sharing practices related to threat assessment. </p><p><strong>4. Determine the threshold for law enforcement intervention.</strong> Law enforcement intervention may be needed in some cases, though it may not be involved in all threat assessment efforts. Create policies and procedures to indicate when law enforcement should be involved—for example, in cases that deal with weapons, threats of violence, and physical violence. Law enforcement should be involved when elements of a crime are present.</p><p><strong>Additional guidance: </strong>Certain privacy laws set limitations on law enforcement activity when it comes to minors. School administrators and the TAT should familiarize themselves with state law before developing policies and procedures around law enforcement response.</p><p><strong>5. Establish assessment procedures.</strong> Establishing threat assessment procedures will help paint an accurate picture of the student’s thinking and behavior, formalize a reporting structure, and identify appropriate interventions. Documentation is once again stressed, with creation of forms and templates to capture necessary information. The report recommends a community-wide approach and encourages a brainstorming exercise on sources of potentially helpful information. This exercise can be repeated once an individual of concern is identified for information more specific to that person.
Additionally, social media should be examined to gain information, interviews should be conducted, and the student’s locker should be searched. </p><p><strong>Additional guidance: </strong>The Secret Service guidance seems to only consider internal threats—mainly students—but narrowing the focus is a risk in and of itself. A threat could be anyone: a teacher, contractor, administrator, or someone not associated with the school. </p><p>Threat assessment is a necessary part of threat prevention at every K-12 school. Threat assessment programs and teams will be more successful if they are a function of an overarching enterprise risk management process, fueled by both internal and external sources of information.</p><p><em>Cody Mulla, CPP, has 20 years of experience in security and crisis management. He has worked supporting both the private and public sectors and is a member of the ASIS International School Safety and Security Council and the Utilities Security Council.</em></p> Five Challenges for Managing Cybersecurity Risk<p>Cybersecurity threats continue to grow and evolve. Trusted identities combat these threats as part of holistic, end-to-end solutions that combine multifactor authentication, credential management, and physical identity and access management (PIAM) and are supported by real-time risk profiling technology plus digital certificates, all bringing trust to the Internet of Things (IoT). Following are five of the top cybersecurity risks where trusted identities provide critical protection:  </p><p><strong>1. Fighting fraud. </strong>Today’s risk management solutions use trusted identities and analytics to protect transaction systems and sensitive applications.
Employing a combination of evidence-based capabilities, behavioral biometrics, and machine learning, these solutions help organizations detect phishing, malware, and fraudulent transactions. They can also prevent account takeovers and session stealing. </p><p><strong>2. User experience and business decisions.</strong> Besides detecting threats, adding an analytics engine behind an organization’s archiving solutions, digital certificates, and user location information enables organizations to realize other valuable benefits. Predictive analytics help pinpoint threats and facilitate countermeasures by defining a user’s attributes and behavior so that risk can be assigned to people and areas. It also provides insights around personnel movement in a building so organizations can optimize workflows and the usage of facilities, common areas, and individual rooms.</p><p><strong>3. Securing the IoT.</strong> Digital certificates add trust in the IoT and are becoming a core component for combating cybersecurity risks. Trusted cloud services are used to issue unique digital IDs to devices ranging from mobile phones, tablets, video cameras, and building automation systems to connected cars and medical equipment. One example is cloud-based secure issuance, in which the use of digital certificates creates a trusted relationship between the cloud and all issuance consoles, printers, and encoders. Industrial IoT is another area that is seeing huge adoption in critical industries like utilities, oil and gas, chemicals, pharmaceuticals, transportation, and more, being able to collect and correlate physical, IT, and operational events from IoT devices. This multidimensional information can provide indicators of compromise that are otherwise hard to detect with traditional means.</p><p><strong>4. 
Plugging gaps in security defenses.</strong> The move to unified identity management reduces risk by extending multifactor authentication across an entire identity and access management lifecycle. A cloud-based model is used to provision IDs and perform authentication for physical and logical access control. The next step is to migrate to convergence solutions that pull everything related to identity management into a unified system capable of granting and managing access rights. PIAM software is a key element, unifying identity lifecycle management by connecting the enterprise’s multiple and disparate physical and IT security systems to other parts of the IT ecosystem, such as user directories and HR systems, as well as cloud-based card issuance systems, wireless locks, and location-based services.  </p><p><strong>5. Minimizing risks associated with GDPR compliance. </strong>PIAM software also simplifies General Data Protection Regulation (GDPR) compliance for physical security departments, automating previously manual processes of ensuring and documenting that all requirements are being met and data breach notification guidelines are being correctly implemented. It centralizes and applies policy- and rules-based automation for all compliance processes, from identity enrollment through auditing. It also ensures no individual names or other details are transmitted to access control systems, simplifies user consent procedures related to personal information, applies deep system integration to identify threat patterns, and provides robust compliance reporting.  </p><p><em>Pan Kamal is vice president, product and segment marketing at IAM Solutions with HID Global.</em></p>