- Don’t have a mobile phone (or any smart technology),
- Don’t use the internet, don’t use credit or debit cards,
- Don’t have a vehicle and don’t drive,
- Live in the middle of nowhere and live below ground, and in a Faraday cage…never go out (if you do don’t forget your tin-foil hat ;-))!
It is interesting to see how both the medical professionals and the general public are reacting to the current pandemic; the results are much the same as we in the anti-malware research and protection arena found out, far too many times, the hard way, over the last 3+ decades…
Having personally worked in anti-malware research and protection/remediation (battling digital viruses, worms, trojans, etc.) for over three decades, it seems that the rest of the world is starting to see what we (anti-malware specialists and medical practitioners) already know (or should know), namely that:
- Whatever action you take or don’t take, the result will be criticised (so get used to it); act too quickly and defeat (or seriously reduce) the impact of a threat, and it’s “you made this out to be a BIG problem, it was a storm in a teacup/non-event”; act too slowly and it’s “why didn’t you act sooner to protect us!” Have you noticed that there are always plenty of instant experts* when you don’t need them! *Those that think they know better than those that have been dealing with these things professionally for years, decades, etc.
- With any new threat you are often fighting mis-information and “learning as you go”, unless it is a new variant of an existing threat. Sharing of good/validated information is a “Good Thing” (TM). Mis-information causes more damage and doesn’t help anyone.
- You need to think outside of the box (what other tools/methodologies can I leverage to give us a fighting chance in restricting the impact?).
- Simple hygiene and good epidemiological practices (both physical and digital) reduce the likelihood of infection/spread and allow us to get ahead of the threat, stopping it spiraling out of control. You can immunise (patch or put defensive tools/methodologies in place) or quarantine (discrete unconnected networks, or disconnected devices for digital risks). Similar things can be done (and have been for Covid-19: social distancing, hand-washing, masks, anti-viral drugs, antibodies).
- Doing nothing (ignoring or underplaying the risk) is not an option.
- Expect and plan for new variants (mutations), as they will occur and you need to be ready for them.
- We need to learn from this crisis (just like in cyber threat/attacks), we need to carry out a post-mortem (I hate to use that term as I recently lost my mother to Covid-19, it is very emotive); what went well, where we could have done better, where things need to change or we need to add/improve our capabilities.
Let me be very clear: the current situation is far from simple. We have to look at the impact beyond our own and our loved ones’ health; there has been, and will continue to be, a vast impact on both our own and our nations’ finances (many governments are racking up huge debt trying to keep the nation afloat). We will have to adapt to the situation, changing our behaviours and expectations (at least in the short term). The alternative is too frightening to contemplate: another wave, more deaths, and more health issues for those that survive the disease but suffer a lasting impact on their health for months, years or the rest of their lives.
A suitable solution is always a trade-off between security (protection/defence) and functionality (access, freedom, capability), both in the case of digital threats and physical threats, such as Covid-19!
Plan for the worst, hope for the best; in other words, in the case of cyber risks/incidents as well as physical risks (fire/flood/earthquake, alien invasion, etc.) you need to have all of the following in place, and you should test them regularly:
- Incident Response Plan (IRP)
- Business Continuity Plan (BCP)
- Disaster Recovery Plan (DRP)
If you don’t have all of these, how are you going to respond when “the fecal matter hits the rotary air circulation device”?
You are going to run around like a headless chicken, with little or no idea how to respond, who to involve, where to get help, etc. You will probably make things worse; because you don’t have a suitable plan (or haven’t tested it recently); unless you are very, very lucky!
So, in summary, we will beat Covid-19 eventually, but things will (probably) be forever changed:
- Less travel (until we get a viable and safe vaccine); this will result in lower emissions and be good for us all, nature and the planet as a whole.
- Increased use of home working (where feasible); many organisations have seen the benefit of this and have already put in place the infrastructure to support this. However, those organisations that haven’t invested in security (both physical and logical and the supporting technical expertise/management) will become targets of the Bad Guys n Girls (Cyber Criminals, State Actors, etc.)
- Increased distributed working (less physical teams); this will have a knock-on benefit (if done correctly) of offering 24/7/365 follow the sun capabilities to all relevant business or other functions.
- Virtual classrooms/events will become far more normal and acceptable to many of us.
I may update this with other material as I think of it, any feedback, etc. is, as always, most welcome.
Picture of Carrauntoohil and the Hag’s Tooth (the Reeks mountain range in County Kerry, Ireland)
Why am I writing about mountains? Well I have just come back from Ireland after climbing the highest peaks in both Northern Ireland (Slieve Donard) and the Republic of Ireland (Carrauntoohil) with my son.
Yes we climbed the infamous Devil’s Ladder on Carrauntoohil on Saturday the 31st of August, 2019 (it was more like the Devil’s Waterfall or Stream that day, as it had rained extensively for the last week).
So, this meant that we had to adapt our risk models, our strategy, our plans to conquer it and to get back down safely after summiting the mountain…
This may seem to be a silly analogy, but you’d be surprised how much they have in common:
In fact, they both require:
- Extensive preparation, including testing that your plans/equipment/tools and your skills are relevant and fit for purpose, and that they work (as expected) before you need them for real.
- The ability to be adaptable to changing conditions/threats/risks, etc.
- Risk analysis/rating and to be able to classify risks as low (acceptable), neutral or high (unacceptable, or unwise).
- Stamina (staying power), perseverance and digging deep (at times) to ensure success or when dealing with an incident (or potential incident) or the immediate workload.
- Teamwork (in an ideal world) to be really successful; both mentally and physically. Also understand that you may need different perspectives (both in knowledge and risk) and skill sets.
- That you need to have experts (or at least people with more knowledge than you) available if things go wrong; for small incidents you may be able to deal with it yourself, or with limited assistance, but when things go badly wrong you need ‘real expertise’ on call.
- Suitable insurance; so that you have a way to offset risk and associated costs with an incident (just in case; worst case scenario).
- That you understand you haven’t succeeded when you’re at the peak, but when you have returned to BaseCamp (normal business operations aka steady state).
Yes, we successfully summited the mountain, which we did with nothing more than getting wet (several downpours, and even hail on the last push to the summit) and cold; it was about 20°C at the bottom, but close to 0°C at the top, when we were over 1,039m (3,409 feet) up, and a complete white-out, and my son slipped and twisted his ankle (slightly) when climbing up the Devil’s Ladder.
As it was a complete white-out at the summit (well actually the top third of the mountain for most of the day), it can be easy to lose your way as visibility is very limited (a matter of a few meters at best), so veering off the path is easy and can be lethal, as there are cliffs around the summit on most sides of the mountain. I however had two GPS devices (with maps on and the route pre-planned) so that this was not an issue for us. I also had a compass and a paper map (as well as two smartphones with the 1:30,000 Harvey’s map on); so I had multiple backups in case one or more of the technical solutions failed!
Does this sound familiar to cyber security best practice?
Please Note: The photos of the Devil’s Ladder do not show just how steep and technical it is in reality!
Most of the experienced hikers/climbers that day also decided against going down the Devil’s Ladder; like us deciding on a safer way down, either using the Zig Zags or the Heavenly Gates and/or Brother O’Shea’s Gully route instead!
As we were descending via this route, ironically a very experienced hill/fell/mountain walker just ahead of me tripped and almost fell over the edge, so this shows that things can still go wrong, even to the most experienced. Luckily that day, had he fallen over the edge, there were members of the Irish Mountain Rescue on the mountain (just below him, in fact), so help was at hand had it been required; luckily he was fine, with just a few bruises to his body and his pride!
Why not broaden your risk appetite and knowledge, go on I know you want to, it will expand your knowledge and maybe get you out of your chair 😉
If you want to read more about our mountain climbing adventures (we have done all of the 5 highest peaks in the British Isles), you can find far more details on my other site, here: https://talkytoaster.me.uk/category/blog/
*The Zig-Zags is often described as the ‘easy route’ up and down the mountain, however that same week there had been two accidents where the victim underestimated or didn’t respect the path (which although easier is not without challenge and risk). One wrong or missed step can see you falling down the side of the mountain (with nothing to stop you) until you get near to the bottom. This is a potential fall of over 800m (or over 2,500 feet)! To put this in perspective, the Shard in London is 310m (just over 1,000 feet) tall, so it would be the equivalent of falling over 2.5 times the height of the Shard (ouch)!
All photographs used in this article are Copyright, 2019 by Martin Overton, All Rights Reserved.
Disclaimer: The views in this article/blog posting are my own opinion based on the available data that Marsh has made public.
As mentioned in episode 3 of my OMG Cyber! podcast, a number of insurers/brokers have joined a new cyber ratings project known as “Cyber Catalyst”.
More details can be found here: https://www.darkreading.com/risk/insurers-collaborate-on-cybersecurity-ratings/d/d-id/1334258 and direct from Marsh here: https://www.marsh.com/us/campaigns/cyber-catalyst-by-marsh.html
Here are a few snippets from the article on the Marsh site:
In the Cyber Catalyst℠ program, leading cyber insurers evaluate and identify solutions they consider effective in reducing cyber risk. Participating insurers include Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America. Microsoft is a technical advisor to the program.
Cybersecurity products and services viewed as effective in reducing cyber risk will be designated as “Cyber Catalyst℠”. Organizations that adopt Cyber Catalyst-designated solutions may qualify for enhanced terms and conditions on cyber insurance policies from participating insurers.
I applaud Marsh for doing something to try and address the lack of cyber risk analysis, profiling, etc. However, I do question the value of this initiative; I will outline below my concerns and thoughts on why this is, I believe, not a helpful offering.
I do not see the value of Insurers/brokers carrying out product/solution ratings, as:
1. They (the insurers/brokers) are not experts in this area, and
2. There are already plenty of other independent testing/rating organisations that have been doing this for many years, to a very high standard. These include ICSA, NIST, AV-Test, and so on… It would have been far more sensible to partner with one of these instead, and it would have added more credibility…
So, this seems to be a strange thing to attempt; a bit like reinventing the wheel and coming up with a different shape that is not as efficient as the one we already have which has served us rather well, so far.
The program is, by my understanding, stating that if a client/insured has product/service x, y or z from the list of “approved/recommended” ones, then the client will get better rates (such as higher limits/lower premiums) and so on.
1. Now, this is fine, apart from the perspective that just because the client/insured has purchased an “approved/recommended” product/solution, it does not mean that they have rolled it out or installed it.
2. Even if they have done so, where are the checks and balances to confirm this, that it is not only rolled out, but actually configured correctly?
3. Furthermore, where is the ongoing validation? Without that, this is pretty much just a box ticking exercise, and therefore no better than the existing risk rating mechanisms they already use.
4. They state that “Microsoft is a technical advisor to the program.”, this does not really help, as they are not a trusted independent review organisation/body. What happens when Microsoft review their own products and solutions?
5. Their disclaimer doesn’t exactly offer a ringing endorsement of the value of the program; read it for yourself and see if you agree.
I would say that this is little more than a “beauty contest” and it doesn’t really do anything to address cyber risk in a new way.
Now, just to be completely transparent, I used to work for AIG as a Cyber Risk Specialist (and so I understand Cyber Insurance quite well). I helped AIG design their Cyber rating solution known as “CyberMatics”. Let me be very clear, I have no axe to grind with any of the insurers, and receive no financial benefit from “CyberMatics” or AIG on this, or any other article/blog posting that covers cyber insurance.
The difference with “CyberMatics” is that it collects telemetry and/or metadata to validate that:
1. The insured has the solution/service installed correctly, and more importantly
2. That it is being used correctly; not just once, but on-going, and this is shared with the client/insured via a secure portal, to help them further improve their cyber defences and resilience.
That is a huge difference!
You can find out more about “CyberMatics” here: https://www.aig.com/business/insurance/cyber-insurance/cybermatics
What are your thoughts on this? Please let me know…
“Cyber Catalyst” and “Cyber Catalyst by Marsh” are registered trademarks of Marsh LLC
“CyberMatics” is a registered trademark of AIG
This is a companion blog posting to my Episode 1 Podcast about Insurance, etc. which can be found on the Podcast page of this site, or on all good podcasting platforms, including Google, Apple, Spotify, Pocket Casts, etc.
I am not an insurance specialist, I am a techie with over 30 years of real-world experience in malware, over 15 years of ethical hacking experience and over 10 years of digital forensics (incident response) as well as working for a large cyber insurer for over 2 years (note past tense) where I worked hand-in-glove with underwriters, brokers and claims staff in helping them understand cyber risks, defences and remediation. I also used to meet with CISOs, IT Security Managers and Risk Managers/Legal Counsel to understand their risks and processes, procedures, technologies, business partners, supply chain and cloud/outsourced services.
I run my own business; I do not work for an insurer or sell insurance (of any type). However, when I did work for an insurer, along with being the cyber risk specialist assisting underwriters, brokers and claims adjusters, I also trained many cyber underwriters, helping them to understand the technology, the lingo (acronyms), what the right questions to ask are (and what good answers look like), when to ask them, and to whom (so that they could have meaningful risk dialogue with CISOs, IT Managers, etc.). The underwriters can then understand the answers given and price the risk appropriately, rather than just fearing a worst case scenario and pricing according to their fears/expectations (which is a far better situation, both on cover/limits and pricing, for the insured/client too)!
For those of you that are not in the insurance industry, you may not be aware of this term and what the implications are to existing (non-Cyber) policies, such as Property, Casualty, D&O, Kidnap and Ransom or Crime.
In simple terms, Silent Cyber is used to describe the case where cover for Cyber threats is not explicitly mentioned in the policy wording/coverage. As the insurers would say, these non-Cyber policies do not have “affirmative” cover.
What this means to you as a policy holder is that the insurer may not honour a claim if it is Cyber related for a non-Cyber policy (even if you have a Cyber extension to that non-Cyber policy). Why? Because the wording and terms and conditions in force will be those from the master policy (the non-Cyber one/the main policy). This can cause claims to be rejected, as can be seen in the next section of this article.
There have been two recent cases reported where the insurer has declined to pay a claim in relation to the NotPetya attacks back in June 2017: Hiscox vs DLA Piper and Mondelez vs Zurich.
The press and other media have claimed that in both cases the policy was a cyber policy and that the claim was declined because of an “act of war, or hostile action”.
From what I have found out, neither of these claims relates to a Cyber Insurance policy; in fact both relate to Property policies (which, even with a cyber extension added on, are not the same as a dedicated Cyber policy). Very sloppy reporting, which doesn’t help anyone…
So, this has resulted in every person and their pet of choice making statements, such as “well, what is the point of buying insurance as the insurer will weasel their way out of having to pay” and “there is no point in buying cyber insurance, as I’ve seen what happened to the claims from Mondelez and DLA Piper”.
Expecting wide-ranging/expert Cyber coverage from a Property policy is like expecting wide-ranging/expert Health insurance from your House and Contents policy! Not surprisingly you will not get comprehensive health cover backed by experts in this area. It’s a bit like expecting your gardener to offer health screening (without them being a medical practitioner).
A few days ago a written statement was sent to SC Media UK (owner of SC Magazine) in which Kylie O’Connor, the head of group communications at Hiscox, stated: “The dispute we are in with DLA Piper is not about a cyber policy and has nothing to do with a war exclusion.” This just proves that the press and other media were (shock, horror) making things up so that they could publish (without little things like “facts” getting in the way)!
However, in the case of Norsk Hydro, they do have a dedicated Cyber policy, and therefore are covered under that policy (up to their limit, and after taking into account any excess, waiting period, and loss adjustment).
Why do companies invest in cyber insurance?
Well, for lots of reasons, including the ones listed below:
- Hacking (external or internal misuse)
- Physical loss of data (left on a train or in the back of a cab, accidents such as sending data to the wrong person, etc.)
- Data corruption or erasure (cost to recover or recreate), even paying for ransomware decryption keys.
- Business Interruption, such as DDoS, Ransomware, etc. including loss of business
- Costs for first response (forensics, legal, PR), etc. covered under the policy
- PCI and other fines covered (where legally allowed)
- Bricking (where a device becomes unusable due to a firmware or other update failing).
- Legal or contractual requirements (from industry, business partners, etc.)
- In some cases the insurer will offer services/solutions/products to help the insured improve their overall security posture/maturity for free (as part of the policy) or at a discounted price.
At the end of the day suffering a cyber breach has almost become “normal” and “expected” as not a day seems to go by when we don’t hear about yet another breach (new or historical); a good cyber insurance policy can help offset the risk and related costs for such breaches/incidents.
Then there are new risks/attacks such as CryptoJacking and Password Spraying (O365 and GSuite accounts targeted via IMAP, which bypasses 2FA/MFA, so even if it is enabled they may be able to get into your account).
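The spraying pattern just described leaves a recognisable trace in sign-in logs. The following is an added example (not code from the original post) of that detection logic: it reads a constructed, simplified sign-in log, keeps only legacy-protocol (IMAP/POP3) authentication events, and flags any source address that tries many distinct accounts within a short window, reporting any account where such an attempt succeeded. The log format, IP addresses, account names and thresholds are assumptions made for this example; real O365/G Suite sign-in exports have different fields, so the parser would need adapting.

```python
"""Flag password-spraying over legacy (IMAP/POP3) authentication in sign-in logs.

Added example, not code from the original post. The log format below is
constructed for this example; real Office 365 / G Suite exports differ.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: timestamp, source IP, account, protocol, result.
# One address walks through six accounts over IMAP in under a minute (one
# password tried per account), and gets in on the sixth; the browser sign-ins
# from another address are ordinary user activity.
SAMPLE_LOG = """\
2019-03-18T02:00:01Z 203.0.113.7 alice@example.com IMAP FAIL
2019-03-18T02:00:09Z 203.0.113.7 bob@example.com IMAP FAIL
2019-03-18T02:00:17Z 203.0.113.7 carol@example.com IMAP FAIL
2019-03-18T02:00:25Z 203.0.113.7 dave@example.com IMAP FAIL
2019-03-18T02:00:33Z 203.0.113.7 erin@example.com IMAP FAIL
2019-03-18T02:00:41Z 203.0.113.7 frank@example.com IMAP SUCCESS
2019-03-18T09:12:00Z 198.51.100.4 alice@example.com BROWSER SUCCESS
2019-03-18T09:15:00Z 198.51.100.4 alice@example.com BROWSER FAIL
2019-03-18T09:15:30Z 198.51.100.4 alice@example.com BROWSER SUCCESS
"""

# Protocols that authenticate with just a password and so sidestep MFA prompts
# (assumed names for this example's log format).
LEGACY_PROTOCOLS = {"IMAP", "POP3", "SMTP_AUTH"}


def parse_line(line):
    """Split one whitespace-separated log line into a dict."""
    ts, ip, account, proto, result = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "ip": ip,
        "account": account,
        "proto": proto,
        "result": result,
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect_spray(events, window=timedelta(minutes=30), min_accounts=5):
    """Return one alert per source IP that hit at least `min_accounts` distinct
    accounts over a legacy protocol within `window`.

    Spraying is one or two passwords tried against many accounts, so the signal
    is the number of *distinct* accounts per source, not failures per account;
    per-account lockout thresholds never trip on it.
    """
    by_ip = defaultdict(list)
    for e in events:
        if e["proto"] in LEGACY_PROTOCOLS:
            by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in sorted(by_ip.items()):
        evs.sort(key=lambda e: e["ts"])
        peak, start = 0, 0
        # Sliding time window over this source's legacy-auth events.
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            peak = max(peak, len({e["account"] for e in evs[start:end + 1]}))
        if peak >= min_accounts:
            hits = sorted({e["account"] for e in evs if e["result"] == "SUCCESS"})
            alerts.append({"ip": ip, "distinct_accounts": peak,
                           "successful_logins": hits})
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {alert['ip']}: {alert['distinct_accounts']} accounts, "
              f"compromised: {alert['successful_logins'] or 'none'}")
```

The successful account in an alert is the one to reset and review first; the longer-term fix is the one the post gives later, disabling legacy protocol access altogether so the events never reach the log.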
What are the ways that companies could avoid falling into this crevasse?
Check the policy you have is fit for purpose, check with your insurer or broker. I strongly suggest that you ask your insurer or broker which scenarios/risks you are covered for by the policy and if you identify gaps in your existing coverage decide if the cost of taking out extra insurance is a good risk/benefit trade-off or solution.
Check that the coverage includes first response (forensics, legal and PR services), that you have enough cover for business interruption, including lost business and remediation costs. Also consider the brand/reputational damage and knock-on customer effects, loss of trust, etc.
Check to see that the policy will cover financial fraud, such as BEC/Fake CEO, employee fraud, if not, find a crime policy that includes this. Crime policies are not the same as a Cyber policy as what they cover is different, or from a different perspective.
Make sure that the Limits, waiting period and excess is suitable for your business needs.
Don’t go for the cheapest, especially if the insurer/broker only asks 5-10 questions and doesn’t sit down with your CISO or IT Manager, etc. to discuss the answers afterwards (very few questions can be answered yes or no; they are usually a bit of both and the answer may vary across a typical organisation), as may the questions that should be asked by the Insurer or Broker.
Even though a dedicated Cyber policy is a far better bet in today’s incident/breach strewn world, there are some things that they still don’t cover.
I want to see the Insurance industry step up and make Cyber policies more inclusive; it would be better if Crime cover was also included (including not only crime and fraud due to hacking, but also fraud due to social engineering or insiders/insider collusion). This should include BEC/Fake CEO and Invoices, etc. even when NO hacking or breach has occurred!
Organisations need to ensure (no pun intended) that the existing Insurance policy or policies they have are fit for purpose and will actually pay-out when needed. You need to purchase the right policy type for the right risk, as otherwise you could end up in the same situation as DLA Piper and Mondelez… If in doubt check with your insurer or broker, before it is too late!
Update 15th April, 2019: It has come to my attention that Merck is also suing their insurer for refusing a claim; again it is NOT a Cyber policy, it is in relation to their Property policy.
This is a companion blog posting to my Episode 0.5 (the Teaser) Podcast about Ransomware, etc. which can be found on the Podcast page of this site, or on all good podcasting platforms, including Google, Apple, Spotify, Pocket Casts, etc.
Ransomware is not new, but how many of you actually know when it first appeared?
Believe it or not, the very first Ransomware appeared in 1989; yes you read that right! Want to know more, then read on, and I’ll explain the history and major changes that have occurred since that very first Ransomware way back in 1989…
Back in Time
The very first Ransomware was the so-called AIDS Trojan which was supplied on a 5.25″ Floppy Disc to thousands of attendees of the World Health Organisation’s AIDS Conference and also mailed out to over 20,000 individuals across Europe.
The disc was created by PC Cyborg which was the company run by Dr. Joseph Popp and it contained a program that claimed to work out your risk/chance of catching AIDS (now called HIV). If you inserted the disc into your IBM (or compatible) PC and ran the program, it would indeed do what it claimed; however after 90 boots/reboots the malicious payload (encryption) would trigger and you would see the following:
Ironically, if you actually read the EULA that came with the disc, it clearly explained that you needed to pay a licence fee to use it and that it would encrypt your system if you didn’t pay, sound familiar?
Here is part of the text of the supplied EULA:
"If you install [this] on a microcomputer... then under terms of this license you agree to pay PC Cyborg Corporation in full for the cost of leasing these programs... In the case of your breach of this license agreement, PC Cyborg reserves the right to take legal action necessary to recover any outstanding debts payable to PC Cyborg Corporation and to use program mechanisms to ensure termination of your use... These program mechanisms will adversely affect other program applications... You are hereby advised of the most serious consequences of your failure to abide by the terms of this license agreement; your conscience may haunt you for the rest of your life... and your [PC] will stop functioning normally... You are strictly prohibited from sharing [this product] with others..." Here is the full version:
Luckily the program used trivial encryption and soon a decryption tool was written by Jim Bates and given away for free. He also wrote up his analysis of the Trojan (the term Ransomware didn’t exist in 1989).
An arrest warrant was issued by New Scotland Yard and Popp was eventually arrested at Schiphol airport in Amsterdam during a routine baggage inspection.
From that date his behaviour became very erratic; he was held in Brixton prison until he was due to go to appear at court. There have been reports that he was known to wear a cardboard box whilst in prison, and that when he finally appeared in court, that he had curlers in his beard and a condom (prophylactic) on his nose, allegedly “to ward off radiation”. Whatever the real state of his appearance in court, he was declared “mentally unfit to stand trial” and returned to the United States without charge.
Other researchers (Yung and Young) analysed the Trojan in more detail and wrote a paper on it (in 1996) pointing out its many flaws; the major one was that it used Symmetric (single key) encryption rather than Asymmetric (Public Key Cryptography, which uses two keys, a Public and a Private key). Most modern Ransomware uses the latter, and this means that unless you have access to the Private key, you can’t decrypt the encrypted data (unless the encryption methodology used is not properly implemented).
Not surprising, the Bad Guys n Girls were taking notes, and in the early Noughties we saw the re-birth of (or birth of modern) Ransomware. Of course it used Public Key Cryptography (PGP/GPG). Some of the early new versions were named PGP or GPGCoder. However, the problem was how to get the money from a victim without being caught or unmasked (always a tricky issue for any extortionist or blackmailer in the days before cryptocurrencies existed).
We saw a small (compared to the explosion that was to follow) number of these new Ransomware, but all was about to change in 2009 with the first launch of a little cryptocurrency called Bitcoin (invented in 2008).
It took a few years for the cyber-criminals (the Bad Guys n Girls) to catch on to the value of Bitcoin as a method of payment for Ransomware and other crimes, but by around the start of 2013, they had started to embrace Bitcoin and Ransomware exploded over the next 4-5 years. The first modern Ransomware that took full advantage of not only Public Key Cryptography, but also Bitcoin was known as Cryptolocker. Many saw the success of this malware, and promptly developed their own Ransomware strains.
Once Cryptolocker had arrived, Ransomware quickly became a thriving way to make money for the Bad Guys n Girls. Estimates appeared that claimed that in 2015 Ransomware netted (according to the FBI) over $24 Million USD, in the first three months of 2016 this had grown to over $209 Million USD, and Kaspersky claimed that Ransomware attacks tripled in 2016. Things just got worse in 2017 as we saw the first Worm-enabled Ransomware (which can move from system to system without human help). 2017 is remembered for two major Ransomware attacks, Wannacry in May, and then NotPetya in June (both Worms). The problem with NotPetya was although it acted like Ransomware, it was in reality a wiper, so even if you paid up, you wouldn’t get your data back!
Cybersecurity Ventures predicts that Ransomware will cost $6 Trillion USD annually by 2021.
But read on dear reader, things are about to change, in 2018!
As mentioned previously things were about to change in 2018 (actually from the last quarter of 2017)…
During 2018 we saw the number of Ransomware attacks shrink, but the average Ransom being charged increased (significantly), why?
- The Bad Guys and Girls moved to a more targeted approach, often manually hacking an organisation’s infrastructure, mapping out their network, and then encrypting the organisation’s “crown jewels”. Often part of this mapping would identify where the backups were, and these would either be erased (securely) or encrypted too. They started to look for high value targets, rather than use the previous scatter-gun (mass-mailing) approach they had used during 2015-2017.
- Writing Ransomware is not trivial (if done properly), so the Bad Guys n Girls were also looking for other ways to monetise vulnerable systems (ones they can hack, either manually or via an automated script). They decided to steal the processing power of compromised systems to “mine” cryptocurrency. Less work, less risk and more profit; it was a match made in heaven!
I blogged about the “Curse of Cryptojacking” recently.
However, I don’t think we have seen the back of Ransomware, the Bad Guys n Girls may have moved on to Cryptojacking and Sextortion scams, however, they will continue to hold data and systems to ransom where the payout is worth the effort. Increasingly this means Public Services (Government), Healthcare, Education, and Law Enforcement (including Law firms), as well as the more traditional targets (Retail, Travel, Finance, etc.)
Update March 20th: Ironically, less than 24 hours after I posted this blog, Norsk Hydro was hit by manually deployed Ransomware (in this case it was LockerGoga) which uses the same approach as other manually deployed Ransomware (such as SamSam); the victim’s infrastructure is penetrated via a vulnerability or insecure open port, and the Bad Guys n Girls map out the network and then deploy their Ransomware personally.
- Harden and patch all systems, applications and Cloud infrastructure.
- Use unique passwords for all access; even better use two or multi-factor authentication (not SMS based).
- Install and run anti-malware, end-point/server protection, and on servers enable and configure the firewall and if it is a web server protect it via a Web Application Firewall too.
- Remove all default accounts and sample content on web and database servers, etc.
- Close off ports for remote administration, or put them behind a VPN. That includes RDP (Terminal Services), Telnet, SSH and others.
- Stay aware of new threats and countermeasures, both specific and generic.
- Train and test your staff; they are often the first and last line of defence.
- Take BACKUPS, and store them physically off-site (not in the Cloud), and test that they work (do a RESTORE). That way you have the option to recover your systems and data without having to pay the Bad Guys n Girls.
- If you are using O365 or GSuite, enable 2FA/MFA and do NOT allow the services to be accessed via IMAP or POP3, as this will bypass Multi-Factor Authentication (you have been warned!).
- If you have cyber or crime insurance, check that Ransomware is covered by the policy (most cyber insurance policies currently do cover this, but Property and Casualty policies usually don’t)…
Until next time, stay safe out there!
‘Tis the season to get out the crystal ball and play at being the cyber equivalent of “Mystic Meg” (no that’s not me in the picture).
For 2018 I predicted a number of things that were spot on; these included the following:
- The change from mass ransomware campaigns to more targeted ones asking for higher ransom payments.
- The move from ransomware to cryptomining/cryptojacking as the primary monetisation payload/method.
- GDPR being used for extortion/blackmail attempts.
- Organisations still not focussing on the basics and best practice for their industry/vertical and wondering why they suffered security breaches/incidents.
So what will 2019 bring, according to OMG?
- More targeted extortion attempts; Ransomware, GDPR, DDoS, etc. All with higher ransom being demanded.
- Organisations will still be mainly focussed on the latest, must have “shiny toys/technologies” rather than dealing with the basics and best practice for their industry/vertical.
- A mainstream move towards two or multi-factor authentication, as password theft is increasingly seen as the main way that bad guys and girls get in; other than social engineering (phishing) or via the supply-chain/business-partner. This move will be required due to massive Credential Stuffing attacks in 2018 fuelled by the many data breaches where user ids and passwords were stolen.
- More supply-chain breaches as a method to gain access to the intended victim organisation.
- Cloud service breaches and/or take-downs and mis-use by the Bad Guys n Girls.
- The skills-gap and staff shortage will increase, again. And those of us in the industry will be in demand and frequently head-hunted or just pestered by desperate recruiters that don’t read your LinkedIn profile and still approach you with roles that you are not interested in or have the skills/background for.
- More Business Email Compromise attacks (aka Fake CEO/CFO, etc.); these will rake in far more money in 2019.
- Artificial Intelligence and Machine Learning will continue to be touted as “The” solution to deal with cyber threats and breaches; they are useful but generally too prone to false positives (detect things that are not an issue) and, more worryingly, false negatives (don’t detect what they should).
- The Internet of Things will start to “grow up” as manufacturers start to bake in security and offer it as a differentiator to competing products/services.
- However, despite this we will continue to see IoT devices/infrastructure used as an attack platform and I suspect that we will start to see volumetric DDoS attacks exceed 2Tbps (largest so far was 1.35Tbps against Github in 2018).
- We may well see some critical infrastructure attacks (outside of Ukraine) that are successful, and that cause major outages and/or physical damage/loss of life.
- Too many organisations will think that using a single Cloud provider gives them a fully resilient infrastructure; it won’t. Just as with having multiple data-centers, you need multiple Cloud providers (this should be part of your Business Continuity and Disaster Recovery Plan): no single points of failure!
- GDPR will finally start to bite (hard) and organisations that should have already been following industry best practice for data/privacy will finally do something about it (well, most of them)!
- Blockchain will be finally recognised as not being the solution to everything!
- Increase in use of Sextortion, Bomb and other extortion/blackmail emails/calls, despite the fact that most Sextortion campaigns did not net piles of bitcoin as those behind them expected.
- More social-media scams mainly focussed around crypto-currency giveaways; like the many Elon Musk themed ones we saw in 2018.
- People will still mainly fail to learn from history; we will see yet more old techniques/technologies dusted off and re-used by the Bad Guys n Girls, for victims that weren’t around (or paying attention) the last time it was successfully used…
Don’t have nightmares; remember that 80-90% of all security breaches/incidents I have dealt with could have been avoided by just following best practice and doing the basics… This includes taking (and testing) backups, educating (and testing) your staff, patching your systems and applications, writing secure code, good Identity and Access Management, and so on…
What do most staff think when they hear the words “end-user security training” or “security awareness training“?
They think, “Oh no, is it really that time of the year again? What a waste of my time; it is so boring and doesn’t teach me anything that is useful to me. Security is the IT department’s problem/job, not mine!”
In many organisations security awareness training is dull, impersonal and does not use “real life or real world” stories to add colour and flavour and help explain the problem, the risks, and the impact of security breaches/incidents. In most cases the training is to read a policy document (Internet Usage Policy/Security Policy, etc.) or to watch a video or attend a webinar where they are preached to rather than being allowed to participate in an interactive or interesting session.
Staff need to understand that in today’s world, security is everyone’s job, because if your staff are not part of the solution, they are part (if not most*) of the problem!
[*] 95% of successful cyber attacks are the result of a phishing scam.
Source: Ironscales (2017).
Add to this that many staff treat end-point protection (anti-malware, personal firewall and related security tooling) as an “authentication” method: “if I can open this link/file in the email, go to this site, etc. and my system gets hacked/infected, it is not my fault, it is the security/IT department’s fault!” This is captured very nicely in this cartoon.
Given the above perceptions of many staff/end-users, what can we do to try and reverse this situation, so that staff see security as part of their job/responsibility and become part of the extended security team?
What do you need to make end-user security training successful, rather than something that is hated/despised/loathed and avoided at all costs for as long as possible by most staff in almost every organisation?
Here are some top tips:
- Make it fun; use gamification, where they are engaged, entertained, involved and tested throughout each module.
- Keep it short and punchy; no longer than 20 minutes, backed up with bite-size (5 minute) modules to reinforce an individual topic/threat. Don’t try and do the whole organisation at the same time; do it in groups and stagger the roll-out to be more effective.
- If you can make it a competition; who can report the most spam/scams/phishing emails, etc. Give prizes, or at least recognition!
- Make it personal; teach them skills that they can use in everyday life, including at home.
- Phish your own staff (after training them, and before) so that you can gauge the effectiveness of the training, but do it wisely and sparingly as otherwise they will quickly become fatigued and disinterested.
- Don’t penalise those that fall for the phishing test emails; use this instead as a “teachable (not preachable) moment”. Rather than shame or blame them, try to understand why they fell for it, and explain how they could have recognised it for what it was.
- Make sure you set up an email address such as “[email protected]” which can be used by employees when they suspect they have received a phishing email. Explain what steps they should take in order to report the email and give them the necessary tools/guidance to report a suspected phishing email, such as a “report-phish” button in their email program.
- Training is not a one-time or once a year thing; good awareness training is part of the culture of an organisation and needs to be topped-up and refreshed all the time to stay effective. Make sure all staff, from the C-Suite down to the most junior staff in the organisation are included, not just techies.
- Ask for feedback, especially ask them about what they are worried about, e.g. Ransomware, Scams, Sextortion, Social Networks, Privacy, Passwords, GDPR, Data Breaches and how it impacts them personally and the company/organisation/industry, etc.
- You could always bring in a real-life “hacker” (an Ethical one, also known as a Penetration Tester or White Hat Hacker) and let them talk to your staff and answer their questions; they will have lots of real-world stories and good advice. There are some that are good at talking to non-techies without resorting to acronyms and technical jargon. These rare individuals will use humour, analogies and stories to help illustrate and bring the subject to life; they will often be very passionate about security, and this will keep the audience engaged.
However, you will find that 10-20% of your staff will just not be trainable (from a security awareness perspective) and you need to identify them and work on ways to reduce the risk that they pose to your organisation.
As the old saying goes:
“The Bad Guys n Girls only have to get lucky once;
the Good Guys n Girls have to be lucky all the time”.
So, what is a good solution that isn’t going to break your budget, but still allows you to deliver most of the above as a managed service and tie in to your Active Directory, so that you can assign training to groups or individuals and see the results (metadata) from the training and testing?
One vendor that I have found to be very effective in this space is Techguard Security, this is what they say about their offering:
“Empowering your workforce to recognize and respond to sophisticated threats is only a click away. TechGuard S.H.I.E.L.D is a cutting-edge and comprehensive training solution for businesses of all sizes.”
You can use the following link to find out more about Techguard and their offerings, including the end-user training and phishing testing offerings, and what’s more, if you decide you like what you see and sign-up with them, you will get 10% off the price!
To find out more and claim your 10% discount when you sign up, use this unique web link: https://www.techguard.com/omg-cyber-security/
If you don’t use that link to register your interest, you won’t get the discount when you sign up.
Don’t just take my word for the effectiveness of good Security Awareness training, here are some statistics:
- According to research by Ponemon, even the least effective training programmes have a 7-fold return on investment.
- Most cybersecurity training programmes result in a 37-fold return on investment.
Source: Maria Korolov (2015).
If you don’t train your staff and carry out phishing tests, the Bad Guys n Girls will, and the results won’t be pretty…
I have been doing security for over 30 years and I often state “The day I stop learning will be the day they bury me”; in other words, I’m still learning and will continue to do so until I die.
Some interesting, but not surprising, findings from F-Secure:
They found that many users were re-using passwords even though they knew the risk of doing so, and I quote:
“59% reuse passwords across multiple accounts, even though 91% say they understand the risks of doing so.”
You can read the full article from F-Secure here: https://blog.f-secure.com/how-to-keep-your-passwords-from-being-an-attackers-key-to-your-account/
Please, please do not make a hacker’s job easier by using the same password on multiple sites; if you must use the same password, at least enable 2FA (Two Factor Authentication)/MFA (Multi-Factor Authentication)* on the sites where you do this, as this will make it harder for the hackers to compromise (take over) your account(s).
The problem is, if you use the same password on multiple sites, it allows the bad guys and girls to carry out what is known as “Credential Stuffing” attacks… once they have found a valid set of credentials for one site that you use, they will try the same ones on other sites…
It is better if you use not only 2FA/MFA, but also a Password Manager to store and create strong unique passwords for you (belt and braces, folks!)
You can even enable 2FA/MFA on the Password Manager, so if that is stolen, the bad guys and girls can’t gain access to that either… Belt, Braces and Super-glue 😉
* One-factor authentication is something you know (user id and password). Two- or multi-factor authentication is something you know plus something you have or are (such as a one-time password/key/token, biometrics, smart card, hardware or software token, certificate, etc.). Unless the Bad Guys and Girls can gain access to the second factor, they can’t sign in as you…
Question of the day: “If Password Managers are so great, what happens when a hacker cracks/steals/guesses the password for your password manager?”
Short Answer: Not an issue if you enable and use a secure 2FA/MFA on the Password Manager (definitely NOT using SMS for 2FA/MFA)… Hackers can steal/guess/crack your password and get nowhere unless they steal your token too (soft or hard) or can find a way to bypass 2FA/MFA instead!
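To make the footnote and the “short answer” above concrete, here is an added example (my own illustration, not code from this blog or from any password manager vendor) of a login check that requires both factors: a salted PBKDF2 password hash and a time-based one-time code (RFC 6238 TOTP, built from RFC 4226 HOTP). The secret, salt and passphrase are constructed demo values; a stolen password alone never gets past the check.

```python
import hashlib
import hmac
import struct
import time

PBKDF2_ROUNDS = 200_000
TOTP_STEP = 30      # seconds per TOTP window (RFC 6238 default)
TOTP_DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at_time: float, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time // step))

def enrol(password: str, totp_secret: bytes, salt: bytes) -> dict:
    """Store only a salted PBKDF2 hash of the password plus the shared TOTP secret."""
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_secret": totp_secret}

def verify_login(record: dict, password: str, code: str, now: float) -> bool:
    """Both factors must check out; the password result never short-circuits the code check."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    password_ok = hmac.compare_digest(derived, record["pw_hash"])
    # Accept the current window and one either side to tolerate clock drift.
    counter = int(now // TOTP_STEP)
    code_ok = any(
        hmac.compare_digest(hotp(record["totp_secret"], counter + drift).encode(), code.encode())
        for drift in (-1, 0, 1)
    )
    # A production system should also refuse a code that was already accepted in this
    # window (replay) and rate-limit attempts; both are omitted here for brevity.
    return password_ok and code_ok

if __name__ == "__main__":
    # Constructed demo values: a real deployment generates the secret and salt randomly.
    SECRET = b"12345678901234567890"    # the RFC 6238 reference test secret
    record = enrol("correct horse battery staple", SECRET, b"demo-salt-not-random")
    now = time.time()
    print("password + code:", verify_login(record, "correct horse battery staple", totp(SECRET, now), now))
    print("password only  :", verify_login(record, "correct horse battery staple", "000000", now))
```

With the RFC 6238 test secret and time 59 the code is 287082, matching the published test vector.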
OK, maybe I need to explain this in more depth?
What is a Password Manager? It is a secured (encrypted) database for storing all your passwords, so that you don’t need to remember them all, only the (hopefully) strong password/passphrase to unlock the Password Manager that you should NEVER use anywhere else or tell anyone. But, I hear you cry:
“Why would I want lots of passwords, why can’t I just use the same password on all sites/systems?”
Now, where do I start?
Using the same password on multiple sites, etc. is, unfortunately, a recipe for disaster. This is due to the fact that billions (yes you read that right) of user credentials (user IDs and Passwords) have been stolen, so if yours is one of them, the “bad guys and girls” already have your password. Guess what? They will try the password they have for one of your web accounts on all sites that you use (this is known as credential stuffing).
This means that they can now login as you and take over your accounts!
Now, that may be a slight annoyance on some sites, but let us say that they have gained access to your webmail (GMail, Live, Yahoo, etc.) account. If they have gained access to this, they can get any site that you’ve used (with a different password) to send a password reset link… can you see where this is going?
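The “Credential Stuffing” pattern described earlier and in the paragraphs above looks very distinctive from the defender’s side, so here is an added example (my own, not from this blog) of the detection logic run over a constructed authentication log: one source address tries many different usernames and fails on most of them, and any account it does get into is one where a reused password has been stolen. The log format and thresholds are assumptions for the illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from any real system). 203.0.113.7 sprays eight
# usernames with leaked passwords; "dave" reused his and is taken over. 198.51.100.20
# is a normal user who mistypes twice.
SAMPLE_LOG = """\
2019-03-20T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2019-03-20T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2019-03-20T10:00:02Z ip=203.0.113.7 user=carol result=FAIL
2019-03-20T10:00:03Z ip=203.0.113.7 user=dave result=OK
2019-03-20T10:00:03Z ip=203.0.113.7 user=erin result=FAIL
2019-03-20T10:00:04Z ip=203.0.113.7 user=frank result=FAIL
2019-03-20T10:00:04Z ip=203.0.113.7 user=grace result=FAIL
2019-03-20T10:00:05Z ip=203.0.113.7 user=heidi result=FAIL
2019-03-20T10:01:10Z ip=198.51.100.20 user=alice result=FAIL
2019-03-20T10:01:25Z ip=198.51.100.20 user=alice result=FAIL
2019-03-20T10:01:40Z ip=198.51.100.20 user=alice result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_events(text):
    """Turn raw log lines into dicts, skipping anything that does not match the format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.7):
    """Return {ip: accounts_that_logged_in} for sources spraying many usernames."""
    # A user mistyping a password hits one username from one address; a stuffing
    # run hits many usernames and fails on most of them.
    per_ip = defaultdict(lambda: {"users": set(), "ok_users": set(), "fails": 0, "total": 0})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["total"] += 1
        if e["result"] == "FAIL":
            s["fails"] += 1
        else:
            s["ok_users"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        if len(s["users"]) >= min_users and s["fails"] / s["total"] >= min_fail_ratio:
            # Successful logins from a flagged source are the accounts to force-reset.
            flagged[ip] = sorted(s["ok_users"])
    return flagged

if __name__ == "__main__":
    for ip, accounts in find_stuffing_sources(parse_events(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing; likely compromised accounts: {accounts}")
```

Real stuffing runs are usually spread across many proxy or botnet addresses to stay under per-IP thresholds, so in practice this check is combined with a global view (distinct usernames failing per minute, failures against accounts that exist in known breach dumps) rather than used alone.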
That is why a Password Manager is a “good thing” and why you should be using one and using it to generate and store unique passwords for every site you use.
Even better you can secure the Password Manager with Two or Multi-Factor authentication (password and a constantly changing code that only you have access to, generated by a unique software or hardware token), but that’s another story…
Some good password managers include:
Many anti-malware/end-point security solutions now include a password manager (also called a password safe) in the bundle, so there really is no excuse not to use one.