Cybercrime

Driving the Business
https://sm.asisonline.org/Pages/Driving-the-Business.aspx
Published 2017-10-01 | By Megan Gates (https://adminsm.asisonline.org/pages/megan-gates.aspx) | Category: Cybersecurity

The top speed of a Model S Tesla is 155 miles per hour, which can be reached in approximately 29 seconds. It’s one of the fastest cars in the world, with one of the most powerful sets of brakes on the market.

“Tesla has a set of brakes on that car that are so oversized and overpowered, that they can stop the car cold even if the engine malfunctions and spikes at full throttle,” says Ryan LaSalle, security growth and strategy lead at Accenture. “The only reason you have a car that goes that fast is because you have a set of brakes that can control it. To be able to corner at speed, you need good controls. That’s supposed to be the partnership between security and innovation.”

The challenge for many companies, though, is how to develop this partnership so that when the CEO goes to the board, he or she is effectively communicating what the cyber risks are to the business and how they are being addressed—ensuring that security is enabling the business to drive smoothly, and safely, towards its goals.

According to the National Association of Corporate Directors (NACD), only 15 percent of boards are satisfied with the information they are getting from executives on cyber risk management. This could be because many CEOs only recently began discussing cybersecurity regularly with their boards—within the last two years—and were initially unprepared for these important conversations.

To prepare for these conversations, CEOs turned to their CISOs or vice presidents of information security, but many of those experts struggled to explain cybersecurity in a way that the CEO could understand.

“Most security professionals have a hard time articulating and conveying not only risk, but also the benefit of what they are doing,” LaSalle says. “And if they continue to have a hard time articulating that, they will struggle to be relevant and be part of the strategic plan of the business.”

Matt Appler is now the CEO of Corsec Security Inc., which assists companies with security certification and validation processes, but he once was a software developer. When it came to learning how to communicate with executives about cybersecurity, Appler says it was not an easy process.

“Unfortunately, it was mostly through the school of hard knocks and finding ways to talk about security given that it’s already a subject that’s highly technical, which by its nature makes it extremely difficult to communicate with others about,” he explains.

The other aspect that made communicating to executives about cybersecurity difficult is that security is not an absolute. Appler compares it to the risks of getting in a car with airbags, seatbelts, and back-up cameras.

“But ultimately, you’re going to choose how you operate that car, how fast you drive…you’re making choices based on your perception of risk around you,” he says. “But all of us understand that we could be in an automobile accident. The same is true in information security. It’s not an absolute…the only way to eliminate the risk is to not get in the car.”

Focusing on risk and why that risk matters is the key to communicating with executives—and boards—about cybersecurity, Appler adds.

“I found very early on that it was more effective to explain why you would care about protecting information—why that would matter—than about the technology,” he says.

For instance, during the summer of 2017 the WannaCrypt ransomware attack hit companies that were running old or out-of-date operating systems, or unpatched systems. When companies were asked why they had not upgraded their systems, Appler says, many said they hadn’t taken action because it was too expensive.

“But when they suffered the problem, they were unable to provide service for potentially days. They took a financial hit, a brand hit, and a reputational hit,” Appler says. “I would question whether they truly understood what risk they were taking by not upgrading.”

To clearly communicate that risk, Appler says that CISOs should avoid reverting to “scary stories” to make boards fearfully invest in security. Instead, they should focus on quantifying risk in terms of dollars to allow the board and CEO to evaluate what they would pay to mitigate risk.

“There are many things you can do to mitigate that risk, but at the end of the day they are going to have a cost and the return is likely risk mitigation—not features or benefits directly to your company,” Appler adds.

LaSalle echoes these sentiments and says that CISOs need to prepare their CEOs on the risks the business is taking on in terms of cybersecurity, what needs to be done to address that risk before creating greater exposure, the potential costs of not taking action, and how addressing risks helps the business achieve its goals.

“That’s where, at the board level, when you’re telling stories around the biggest threats to what the business is trying to do, you’re using the language of business—not the language of hackers—when you talk about threats,” LaSalle says, “when you’re trying to talk about programs you have in place and how effective they are at managing those risks.”

For instance, a client that LaSalle works with put this into practice a few years ago, just before the Sony hack occurred. The client had recognized through a threat intelligence function that destructive malware was one of the biggest threats to the business’s operational resiliency.

The client went through a process to examine how a destructive worm would impact the business. It then changed its investment portfolio, implemented a solution to create more operational resiliency and increase its defenses, and then briefed its board.

The client, LaSalle explains, told the board that it was tracking destructive malware because of the risk it posed to the business and explained how it was mitigating that risk. It also described past failures to mitigate that risk and the market indicators it was tracking that could change its perception of its readiness to handle the risk.

A few quarters later, during the Sony attack, the client went back to the board. The briefing included details on how IT would repel a similar attack, why those actions would be warranted, and what new threats were looming.

“That’s the kind of example I use to explain this because it had a tremendous business impact,” LaSalle says. “It demonstrates the effectiveness of the investment, and it provides clarity from a risk perspective, to a bunch of business owners who aren’t really worried about what the vulnerability is or how it propagates—but they are very worried about the business outcome.”

Taking this approach of regularly briefing the board and providing benchmarks of where the business stands in addressing cyber risks is a best practice, says Lisa Sotto, head of the global privacy and cybersecurity practice at Hunton & Williams LLP and former chair of the U.S. Department of Homeland Security’s Data Privacy and Integrity Advisory Committee.

“Some of our clients are appearing before the board on a routine basis and using benchmarking as a way of showing where the company is today as compared with others in their industry sector, and then also showing benchmarking as compared with a point in time—say today versus where the company is two or three months from now,” she explains. “Benchmarking is very helpful in putting the evolution of the cybersecurity program into context.”

Having this regular dialogue helps build a base of understanding for board members and educates them on the company’s cybersecurity strategy. “The board wants to hear the overall strategy, but they are also going to want to hear about some of the more granular testing, like penetration tests and the results, risk analysis, data flow mapping exercises,” Sotto adds. “High level is very good, but with details waiting in the wings in case board members are interested in going into more detail.”

This is likely to happen as boards become increasingly interested in cybersecurity and more knowledgeable on the topic. They may also be required to become more knowledgeable under new regulations or legislation making its way through the U.S. Congress.

For instance, U.S. Senators Mark Warner (D-VA), Jack Reed (D-RI), and Susan Collins (R-ME) introduced legislation, the Cybersecurity Disclosure Act (S. 536), that would require publicly traded companies to state in their Securities and Exchange Commission disclosures to investors whether any member of the company’s board of directors is a cybersecurity expert. If a company has no cybersecurity experts, it would be required to explain why a greater level of expertise was unnecessary.

“Cybersecurity is one of the most significant and enduring challenges that all businesses, across industries, face and should be accounted for as part of the corporate risk management process,” Senator Reed explained in a statement. “Investors and customers deserve a clear understanding of whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber risk oversight.”

S. 536 has been introduced and referred to the U.S. Senate Committee on Banking, Housing, and Urban Affairs, but has not advanced.

“The bill alone is interesting, and, even if the bill doesn’t pass, more efforts like this could have the effect of incentivizing boards to look for cyber savvy directors,” Sotto says.

And while many companies are struggling with connecting cybersecurity to the mission of the business and articulating the risks associated with it, CEOs are beginning to track the issue and invest in it.

“If we continue to improve and unlock more of the stories and the business value of what security is doing for the business, I think the population of [cyber-focused] CEOs will grow,” LaSalle says. “I don’t know if they will ever be the majority, but I do think that it will be a best practice for a CEO in five years to be not just interested and involved in the security of their organization, but really committed to it.”

More in Cybercrime:

- 2017-09-27: Klososky Opines on the Future of Technology (https://sm.asisonline.org/Pages/Klososky-Opines-on-the-Future-of-Technology.aspx)
- 2017-09-08: Hackers Hit Equifax, Compromising 143 Million Americans’ Data (https://sm.asisonline.org/Pages/Hackers-Hit-Equifax,-Compromising-143-Million-Americans’-Data.aspx)
- 2017-08-01: Data Breach Trends (https://sm.asisonline.org/Pages/Data-Breach-Trends.aspx)
- 2017-08-01: Book Review: Data Hiding (https://sm.asisonline.org/Pages/Book-Review---Data-Hiding.aspx)
- 2017-07-21: Vulnerability Rediscovery Occurs At More Than Twice The Previously Reported Rate (https://sm.asisonline.org/Pages/Vulnerability-Rediscovery-Occurs-At-More-Than-Twice-The-Previously-Reported-Rate.aspx)
- 2017-07-17: Book Review - Business Theft and Fraud: Detection and Prevention (https://sm.asisonline.org/Pages/Business-Theft-and-Fraud--Detection-and-Prevention.aspx)
- 2017-07-07: Survey Of InfoSec Professionals Paints A Dark Picture Of Cyber Defenses (https://sm.asisonline.org/Pages/Survey-Of-InfoSec-Professionals-Paints-A-Dark-Picture-Of-Cyber-Defenses.aspx)
- 2017-06-27: Ukraine Among Countries Affected by Petya Ransomware Attack (https://sm.asisonline.org/Pages/Ukraine-Among-Countries-Affected-by-Petya-Ransomware-Attack-.aspx)
- 2017-06-20: Average Cost of Data Breach Declines Globally for First Time (https://sm.asisonline.org/Pages/Average-Cost-of-Data-Breach-Declines-Globally-First-Time.aspx)
- 2017-06-09: EU Needs Comprehensive Strategy To Address Cybersecurity Risks, Think Tank Finds (https://sm.asisonline.org/Pages/EU-Needs-Comprehensive-Strategy-To-Address-Cybersecurity-Risks,-Think-Tank-Finds.aspx)
- 2017-06-02: Most Companies Take More Than A Month To Detect Cyberattackers (https://sm.asisonline.org/Pages/Most-Companies-Take-More-Than-A-Month-To-Detect-Cyberattackers.aspx)
- 2017-06-01: Hacking Culture (https://sm.asisonline.org/Pages/Hacking-Culture.aspx)
- 2017-05-09: IT Security Professionals Admit To Hiding Data Breaches in New Survey (https://sm.asisonline.org/Pages/IT-Security-Professionals-Admit-To-Hiding-Data-Breaches,-Survey-Finds--.aspx)
- 2017-04-01: Cyber War Games (https://sm.asisonline.org/Pages/Cyber-War-Games.aspx)
- 2017-03-24: Outdated Protocols and Practices Put the IoT Revolution at Risk (https://sm.asisonline.org/Pages/Outdated-Protocols-and-Practices-Put-the-IoT-Revolution-at-Risk.aspx)
- 2017-02-01: Book Review: Hacked Again (https://sm.asisonline.org/Pages/Hacked-Again.aspx)
- 2017-02-01: Rise of the IoT Botnets (https://sm.asisonline.org/Pages/Rise-of-the-IoT-Botnets.aspx)
- 2016-10-21: The Top Five Hacks From Mr. Robot—And How You Can Prevent Them (https://sm.asisonline.org/Pages/Top-5-Hacks-From-Mr.-Robot.aspx)
- 2016-10-01: Spoofing the CEO (https://sm.asisonline.org/Pages/Spoofing-the-CEO.aspx)
- 2016-09-22: Yahoo Confirms Hackers Stole at Least 500 Million Users' Data in 2014 (https://sm.asisonline.org/Pages/Yahoo-Confirms-Hackers-Stole-at-Least-500-Million-Users’-Data-in-2014.aspx)

You May Also Like...

Book Review: Hacked Again
https://sm.asisonline.org/Pages/Hacked-Again.aspx
Category: Cybersecurity

ScottSchober.com Publishing; ScottSchober.com, 202 pages; $34.95

If you are seeking useful security advice on how to mitigate or prevent cybersecurity breaches, Hacked Again is a good resource to have in your library.

Author Scott Schober, a business owner and wireless technology expert, discusses pitfalls that all businesses face and the strategies used to mitigate cyberattacks. He discusses malware, email scams, identity theft, social engineering, passwords, and the Dark Web.

Another important concept is having systems in place to enable information access both as the data breach is occurring and afterwards. Most companies’ IT departments will have an incident response team; however, the individual user needs to know what to do when breached. Schober offers advice for that.

The abundance of personal information on social media is another concern of the author’s. He states that we are twice as likely to be victims of identity theft from these sites. He also reminds us that no matter how we try to eliminate risk, we’re never completely protected from a cyberattack.

Many cybersecurity books are more advanced, but Schober’s style is easy to follow, and he explains concepts and theories without confusing the reader. When concepts become overly technical, he incorporates scenarios to explain what these technical terms mean. Students, IT professionals, and novices would benefit from this book. They will learn that everyone must be aware of cybersecurity and stay on top of evolving trends.

--

Reviewer: Kevin Cassidy is a professor in the security, fire, and emergency management department at John Jay College of Criminal Justice. He is a member of ASIS.

Klososky Opines on the Future of Technology
https://sm.asisonline.org/Pages/Klososky-Opines-on-the-Future-of-Technology.aspx
Category: Cybersecurity

When it comes to technological innovation, the human race circa 2017 has just barely scratched the surface.

But in the future, every new invention that brings benefits to humankind will also present opportunities for criminals, bad political actors, and all those looking to inflict harm.

That was the message that futurist and technology expert Scott Klososky delivered to ASIS 2017 attendees during his keynote address on Tuesday. And he cautioned every security professional in the ballroom to always be cognizant of the downsides and vulnerabilities of advanced innovations.

"We invent technologies without ever really having an understanding of what they are going to do to us," he said. "It's probably time to get a little wiser."

Klososky then took the audience through layers of potential future innovations and developments, and their unintended potential negative effects.

In much the same way that technology has wiped out some blue-collar jobs, artificial intelligence (AI) could wipe out many white-collar jobs, he explained. But masses of unemployed white-collar workers could have a destabilizing impact on society, and the more skilled among them could turn to cybercrime.

To Klososky, society is transitioning from The Age of Information to The Age of Entanglement. AI will become more and more sophisticated and useful, and be entangled in more human processes.

But for some people, that development means that AI will go from "knowing me to representing me to being me to replacing me," he said. And it will be vulnerable. "Criminals are going to get very good at hijacking AI."

Devices now known as wearables will evolve into IT implants, which will evolve into a type of augmentation where implanted technologies will enhance body processes like brain and organ function.

"Some people argue that this will be the dividing line, that we will become transhuman," Klososky explained. In addition, augmentation will take money, and it could lead to another version of inequality, in which schools are divided into augmented and nonaugmented students, and augmented workers will get the best jobs and highest salaries.

In the end, those who believe we have already reached very advanced stages of technological innovation are sadly mistaken, Klososky said, adding "we're five percent into this battle—if that."

The Problem with Data
https://sm.asisonline.org/Pages/The-Problem-with-Data-.aspx
Category: Cybersecurity

More than 2.5 quintillion bytes of data are created every day. The sum of all knowledge will double every 12 hours in the future, said 2017 ASIS President Thomas J. Langer, CPP, in his opening remarks at ASIS 2017.

That is a mind-boggling amount of data that will be created in the near future. And as we've seen over the past few years, it's becoming a liability for companies facing ever-more sophisticated cyberattacks.

Earlier this month, credit reporting agency Equifax reported that approximately 143 million of its customers' private data may have been exposed in a massive data breach.

The hackers behind the attack gained access to customers' names, birth dates, Social Security numbers, and addresses. While most of the customers were from the United States, individuals from Canada and the United Kingdom were also impacted.

The Equifax breach was almost seven times larger than the U.S. Office of Personnel Management breach. The treasure trove of data it exposed is ideal for criminals looking to carry out benefits and tax fraud, identity theft, and more, wrote Rick Holland, vice president of strategy at Digital Shadows, in a blog about the impact of the Equifax breach on enterprises and consumers.

"Attribution aside, one thing is certain though, regardless of the motivations of the attackers, this data is perfect for social engineering attacks," Holland wrote.

And social engineering attacks are still criminals' preferred method when it comes to spreading malware to victims—such as ransomware.

"Now firmly established as a daily desktop malware threat, the profile of ransomware as a threat on mobile devices will grow as developers hone their skills in attacking those operating systems and platforms," EUROPOL said in a recent report on Internet crime.

EUROPOL also predicts that devices will be the next "fertile ground for the proliferation of mobile ransomware."

All of this has prompted renewed debate on the increased need for data breach laws and regulation to keep sensitive data secure.

Europe is leading the way with the EU General Data Protection Regulation, and the United States may follow suit in light of the Equifax breach.

"In a world where one line of faulty computer code can mean the difference between normalcy and chaos, it is often not a question of if, but when, the most sensitive systems will be hacked," wrote U.S. Representative Ted Lieu (D-CA) in an op-ed for Slate about the fallout from Equifax. "Given this reality, we must improve our ability to react at every level after companies have been breached."