[metaslider id=2951] … Read More
Archives for April 2016
Ransomware poses complex legal and reputational risks
Brent Arnold and Christopher Oats Contributed to The Globe and Mail
As businesses and public institutions increasingly become the targets of ransomware – malware that blocks access to computer systems or the information they contain until the user performs actions demanded by hackers – legal risks surrounding such headline-making attacks have come to the fore in Canadian corporate consciousness.
A January report by the Online Trust Alliance reveals that ransomware attacks aimed at companies are not only growing more prevalent, but they are also becoming more sophisticated. Today’s hackers can custom tailor their demands according to the size and market value of their corporate mark. Making matters worse, last month Apple’s iOS operating system was infected with ransomware for the first time.
Ransomware typically gains access to a computer system when a user clicks on unfamiliar links or strange attachments (although a growing number of programs are infecting computers via the download of ostensibly legitimate applications). In its most benign form, an infection could force employees to complete a survey; at its most malignant, it has strong-armed companies into paying actual ransoms (typically in the nationless and virtually untraceable currency of bitcoin).
Businesses that fail to comply face the destruction of client and proprietary data, and intellectual property – not to mention sustaining significant reputational damage and exposure to third-party lawsuits from clients and consumers (and there is never any guarantee that meeting hackers’ demands will result in computers or data being unlocked).
Despite this growing threat, legal recourses for ransomware victims are slim. The activity is, of course, illegal and should be immediately reported to police (the RCMP also suggests reporting to the Canadian Anti-Fraud Centre). But despite the fact that such attacks have been reported for more than a decade, there are no documented cases of ransomware perpetrators ever having been prosecuted in Canada.
Given the often remote nature of the crime (the few attacks that have been successfully traced typically come from foreign countries), criminal and civil remedies may be unlikely to succeed. In the rare event that a cybercriminal is identified, civil proceedings against foreign nationals are most likely to result in default judgments that are difficult if not impossible to collect on.
While cybercriminals frequently avoid prosecution, their corporate victims may find themselves in the legal spotlight. Recent amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) will soon require companies subject to PIPEDA to alert the federal privacy commissioner, affected individuals and relevant organizations or government institutions following a breach of security safeguards that “creates a real risk of significant harm to the individual.” This can include risk of economic loss by the person whose personal information is subject to the breach, as well as potential reputational harms.
While reporting obligations provide an important consumer protection and will be a legal necessity in certain cases (companies that fail to report where required by PIPEDA may be subject to fines of up to $100,000), they are nonetheless problematic for businesses – particularly those for whom data security is a critical component of their brand identity. Recent hacks have shaken consumer and shareholder confidence and resulted in both significant disruption for targeted businesses and resignations by top executives.
All indicators suggest ransomware will only become more vicious and prevalent in the foreseeable future. With added reporting pressure looming on the horizon, companies that fall prey may soon find themselves facing complex legal and reputational risks.
Big data analytics a useful security tool, says analyst
By Warwick Ashford – Security Editor – ComputerWeekely.com
The majority of companies using big data security analytics report a high business benefit, according to the Business Application Research Center
While data analytics from places like KNIME are already helping businesses to make sense of their data and use it to inform decisions within the company, big data analytics is a useful tool for enabling organisations to become more resilient in the face of increasing cyber attacks, according to a software market analyst and IT consultant.
“A recent survey found that 53% of organisations that are using big data security analytics report a ‘high’ business benefit,” said Carsten Bange, founder and managing director of the Business Application Research Center (Barc).
“The survey also found that 41% reported a ‘moderate’ benefit and only 6% said benefit was ‘low’, so there is fairly strong evidence of the business benefits of big data security analytics, ” he told Computer Weekly.
While adoption across the board is still relatively low, more than two-thirds of the more advanced companies surveyed are adopting advanced big data security analytics technologies, such as user behaviour analytics, the Barc survey revealed. For example, Splunk Technology is one of the leading big data analytics companies that is getting adopted by many companies. Hiring splunk professional services to implement and leverage the tools has become common in big organizations.
The more advanced companies, which classified themselves as having “much better” skills and competency in security analytics than their companies, represented 13% of the total sample, with 68% saying they have deployed user behaviour analytics.
“Of the 87% who did not consider themselves to be in the more advanced group, only 27% have deployed user behaviour analytics,” said Bange.
User behaviour analytics can help improve an organisation’s cyber security resilience, he said, by tracking user behaviour across all IT systems, for example, to identify whenever there are significant deviations from normal behaviour to warn of potential malicious activity.
“There is nothing new in being able to identify patterns of behaviour – most of the analysis techniques are 30 to 40 years old – but now we are able to apply them to extremely large data sets across multiple information technology systems,” said Bange.
“Organisations need to know there is now the technology to support this kind of analysis that can be very beneficial in the field on information security. It can enable organisations to become more resilient through data-driven security decision-making, planning and incident responses,” he said.
Modern Spear Phishing is a Security Wake-Up Call
Spear phishing attacks prey on the fact that employees want to please a superior or some other high-level executive.
By Richard Baker – April 18th, 2016
In a recent report, the Federal Bureau of Investigation warned that a type of spear phishing attack known as “CEO email scams” is on the rise. In those kinds of attacks, the perpetrator usually assumes the identity of someone in a position of authority and sends email requests for privileged information or the transfer of assets outside the company. It’s not a new tactic, but it is one that is becoming increasingly popular; according to the FBI, businesses have racked up more than $2.3 billion in losses to targeted phishing attacks since 2013.
The main challenge is that these fraudulent emails look legitimate at first glance. They target employees in human resources, legal, accounting, finance, and other departments with seemingly urgent and innocent requests for W2 records, wire transfers, invoices, company credit card information, employees’ personal information, and more. With fairly believable asks being made by a sender that appears to be an executive or an outside service provider who would naturally want that information, employees end up cooperating and unwittingly put the company at risk.
The best thing that a company can do to help prevent becoming the victim of this kind of an attack is to educate employees.
Telltale Signs of Spear Phishing
- The greeting seems off – If the sender typically refers to the recipient as “Andy,” but the email opens with, “Hello Andrew,” this would be an immediate red flag.
- The tone is abnormal – Overly formalized wording, international spelling differences, or frequent typos that seem out of character are all strong indicators that something isn’t right. If the voice or tone of the email seems out of place, recipients should think twice.
- It’s an unusual request – If the CEO has never requested a wire transfer be made to a vendor before, this should pique some skepticism on the part of the email recipient.
- There’s an inconsistency in the typical chain of command – For example, if the CEO does not request payroll information from the payroll manager and instead typically goes through the controller, the payroll manager should be suspicious about a request that is purported to be from the CEO.
Often times, spear phishing attacks prey on the fact that employees want to please their boss and other people who may be perceived to be in positions of authority. The fear of not responding quickly enough to an executive or the pleasant notion of a pat on the back from a superior can cloud employees’ judgment and prevent them from raising concerns and asking the right questions when faced with a suspect email request. Additionally, many employees simply aren’t aware of the most recent security threats and as a result, don’t focus on remaining vigilant and critical.
An Ounce of Prevention
Given that the CFO’s team is typically responsible for cash disbursements as well as payroll and sometimes sensitive HR information, it typically has an opportunity and an obligation to educate staffers about these threats and put the necessary controls in place to prevent spear phishing attacks from being successful. Many start-ups also tend to opt for an outsourced CFO, as they are more than capable and at the same time reliable to handle emergency situations such as these.
That said, here are four things CFOs can do to address spear phishing threats to their organizations:
- Alert and educate employees. Awareness is one of the best protections against spear phishing. Regularly send notifications to staff members, especially those in HR, accounting, finance, legal, and other departments that have access to the information the bad guys would want. Explaining how spear phishing scams might target each respective department will give employees a better understanding of what’s at stake and how to keep an eye out for red flags.
- Be aware of the latest spear phishing tactics. Staying up to date on this information will help a CFO figure out whether his or her company would be susceptible to new schemes. If the CFO feels the organization is exposed, they should go back to #1 and ensure employees are aware of new and developing dangers.
- Establish a safe culture for skepticism. Questions should be praised, not punished. Work on building an atmosphere in which employees feel comfortable and confident in questioning requests for sensitive information – even from higher-ups. Employees who aren’t afraid to question their superiors or bring up their suspicions are less likely to remain silent and fall victim to spear phishers.
- Set up preventive controls with spear phishing in mind. Establish processes that would make it impossible for an employee to act based only on a single email, even if it’s from someone who appears to be an executive. For example, require dual authorizations or require emailed requests to be followed up with an oral confirmation.
The nature of spear phishing attacks will continue to evolve. If a CFO has not yet addressed spear phishing threats in their organization, I strongly suggest they do so right away, as it is only a matter of time before the organization is targeted.
New Malware Steals $4 Million at U.S., Canada Banks
Malware uses email to target bank customers with business accounts, IBM cybersecurity researchers say
Cybersecurity researchers at IBM Corp. said Thursday they have discovered a new type of malicious software that has been used to attack customers of 22 U.S. banks and two in Canada.
The attacks have resulted in the theft of roughly $4 million dollars in the first few days of April, the researchers said.
The malware is targeting bank customers with business accounts, mostly at banks in the U.S., according to a blog posting on IBM X-Force, which is part of IBM’s security business. The malware also focuses on credit unions and “popular” e-commerce platforms.
IBM Security didn’t identify the institutions, but said they have been alerted to the incidents and have taken measures to stop the attacks.
Unlike other recent attacks that are aimed at the bank directly or its employees, the latest incidents use email to target account holders, said Etay Maor, executive security adviser at IBM Security. The malware is installed when the account holder clicks on an email link or attachment and remains dormant until the victim logs onto his bank account.
The malware can then access information in multiple ways, recording keystrokes or even taking pictures of the bank account screen.
“It all happens without the user seeing anything,” Mr. Maor said. The malware can also send the victim emails that appear to come from the bank.
The malware, called GozNym, is a hybrid of two other types of malware “that takes the best of both,” according to the blog post. It combines two techniques that are used to infect devices and steal data, making it easier for criminals to attack.
The attackers are believed to originate from a criminal organization in Eastern Europe, Mr. Maor said.
Sophos Webcast Featuring Gartner: Synchronized Security
The Next Leap Forward
Organizations today have to deal with increasingly coordinated and sophisticated IT threats that can use multiple techniques in each attack. Traditional security products stop the individual elements of an attack, but do so without coordinating their response.
Synchronized Security enables the endpoint and network security components to directly share information in order to improve protection and make better, faster decisions.
This on-demand webcast features Gartner Analyst Peter Firstbrook and Dan Schiappa, SVP and GM at Sophos, as they discuss how organizations can respond to these growing IT threats.
The webcast covers:
· The challenges faced by IT organizations today
· The benefits of a coordinated approach to IT security
You’ll also hear from Sophos about how they are solving problems with synchronized security.
To view the recording – please click here