Phone in the Right Hand? You're a Hacker!

Published in Security


Hackers are finding it too easy to circumvent traditional cyber defences, forcing businesses to rethink their security strategies. Many firms are now harnessing big data and adopting cutting-edge verification checks. In fact, some can even identify you by how quickly you type on your keyboard, or how you hold your mobile phone.

In these days of regular space travel, nanotechnology and quantum computers it is easy to believe we live in an age plucked from the pages of a science-fiction novel. But there are some aspects of this shiny, computer-powered era that look more feudal than futuristic.

Consider the way many organisations protect themselves and their staff from cyber-attacks.

Many approach cyber-security like a medieval king would have tackled domestic security - by building a castle to protect themselves, says Dr Robert Blumofe, a senior manager at cloud services firm Akamai.


The high walls, moat and drawbridge are the security tools, anti-virus and firewalls they use to repel the barbarians at the gates trying to breach their cyber defences.

"But now," Dr Blumofe says, "that castle metaphor is really starting to break down."

Outer defences

The first issue is mobility. Digital fortifications worked well when all staff sat at desks, used desktop computers and were concentrated in a few buildings. But now many work from home, airports or coffee shops and use their laptops, tablets and phones on the go, to work at all times of day.

The second problem, Dr Blumofe says, is that many firms wrongly assume that those inside their castle walls can be trusted and are "safe".

This leaves many firms dangerously exposed, agrees John Maynard, European head of cyber-security for Cisco. "Typically once attackers have penetrated a trusted network they find it is easy to move laterally and easy to get to the crown jewels. That's because all the defences point outward. Once on the inside there is usually little to stop attackers going where they want to."

Tumbling walls

In a bid to get beyond this outdated thinking many organisations have torn down the old castle walls in favour of a model known as the "Beyond Corp" approach.

[Image caption: China was implicated in the Aurora attacks on Google and lots of other big companies]

It was pioneered by Google in response to a series of cyber-attacks in 2009, called Aurora, orchestrated by China-backed hackers. The attackers went after Google as well as Adobe, Yahoo, Morgan Stanley, Dow Chemical and many other large firms.

According to Mr Maynard, Beyond Corp assumes every device or person trying to connect to a network is hostile until they are proven otherwise. It obtains this proof by analysing external devices, how they are being used and what information they are submitting.

This encompasses obvious signals such as login names and passwords, as well as where someone logs in from; but it also relies on far more subtle indicators: how quickly you type, or whether you are holding the device in your right or left hand. How an individual uses a device acts as a second layer of identity, a different kind of fingerprint.

Gathering, storing and analysing all that data on those individual quirks of usage was the type of big data problem only a tech-savvy company such as Google could tackle at the time of the Aurora attacks. However, as familiarity with big data sets has spread, many more big firms are adopting the Beyond Corp approach when organising their digital defences.

One big advantage is that Beyond Corp turns a firm's network into an active element of defence, says Mr Maynard from Cisco. "In the castle and moat approach the network was passive... But Beyond Corp involves continuous monitoring where you are constantly using the network as a sensor or a way to get telemetry about what's going on."

The analysis done when users join a network makes it much easier to spot when attackers are trying to get access. That's because the authentication step will flag any anomalies meaning security staff will find out quickly that something suspicious is going on. Anything other than normal login behaviour will stand out.
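The paragraphs above describe the Beyond Corp idea in prose: every connection starts out untrusted, and access is earned from device identity, login location and behavioural signals such as typing cadence, with any deviation surfaced to security staff. The following is an added illustration of that decision logic, written for this page; it is not code from the BBC article, from Google's Beyond Corp implementation or from Cisco. The device inventory, the user baselines, the application approvals and the z-score threshold are all constructed assumptions for the example.

```python
"""Toy zero-trust access check in the spirit of the Beyond Corp description.

Added example, not Google's or Cisco's code. Every request starts untrusted and
must earn access from device identity, device posture, login location and a
behavioural signal (keystroke cadence). All data below is constructed.
"""
from dataclasses import dataclass, field
from statistics import mean, pstdev

# Constructed device inventory: device id -> enrolment record
DEVICE_INVENTORY = {
    "lap-0042": {"owner": "alice", "managed": True, "patched": True},
    "lap-0077": {"owner": "bob", "managed": True, "patched": False},
}

# Constructed behavioural baselines: keystroke intervals (ms) observed in earlier
# sessions, plus the countries each user normally logs in from.
BASELINES = {
    "alice": {"typing_ms": [110, 120, 105, 130, 115, 125, 118, 112], "countries": {"GB"}},
    "bob": {"typing_ms": [200, 210, 190, 205, 215, 198], "countries": {"GB", "DE"}},
}

# Constructed application approvals: the "only the apps you are approved to use" part
APP_ACL = {"payroll": {"alice"}, "wiki": {"alice", "bob"}}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    country: str
    typing_ms: list  # keystroke intervals captured while the user authenticated
    app: str


@dataclass
class Decision:
    allow: bool
    anomalies: list = field(default_factory=list)  # what the SOC gets told


def typing_zscore(observed, baseline):
    """Distance of the observed cadence from the user's baseline, in standard deviations."""
    mu, sigma = mean(baseline), pstdev(baseline)
    if sigma == 0:  # degenerate baseline; fall back to raw distance in ms
        sigma = 1.0
    return abs(mean(observed) - mu) / sigma


def evaluate(req: AccessRequest, z_threshold: float = 3.0) -> Decision:
    """Deny by default: access is granted only when every check passes.

    Each failed check is recorded rather than short-circuiting, so the
    anomaly list is the telemetry a monitoring team would act on.
    """
    anomalies = []

    dev = DEVICE_INVENTORY.get(req.device_id)
    if dev is None:
        anomalies.append("unknown device")
    else:
        if dev["owner"] != req.user:
            anomalies.append("device not enrolled to user")
        if not (dev["managed"] and dev["patched"]):
            anomalies.append("device posture failed")

    base = BASELINES.get(req.user)
    if base is None:
        anomalies.append("no baseline for user")
    else:
        if req.country not in base["countries"]:
            anomalies.append("unusual login country")
        if req.typing_ms and typing_zscore(req.typing_ms, base["typing_ms"]) > z_threshold:
            anomalies.append("typing cadence deviates from baseline")

    if req.user not in APP_ACL.get(req.app, set()):
        anomalies.append("user not approved for application")

    return Decision(allow=not anomalies, anomalies=anomalies)


if __name__ == "__main__":
    # Constructed requests: one ordinary session, one where valid credentials
    # arrive from an unusual country with a very different typing rhythm.
    ok = AccessRequest("alice", "lap-0042", "GB", [112, 118, 121, 109], "payroll")
    odd = AccessRequest("alice", "lap-0042", "RU", [60, 55, 62, 58], "payroll")
    for r in (ok, odd):
        print(r.user, r.country, evaluate(r))
```

The point of the structure is that the password alone never decides anything; a correct password on an unknown or unpatched device, from an unusual country, or typed at a cadence far from the user's own, still produces a deny plus a labelled anomaly for the monitoring team.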

Faster detection

It can also mean a "significant reduction" in time to detect threats, says Mr Maynard. "The industry average is about 100 days to spot threats. With Beyond Corp you should be down to hours not days."

In addition, Beyond Corp can "limit the blast radius" if a breach does happen. This is because it usually involves dividing up a company's internal network so users only get access to applications they are approved to use. The mass of data gathered on users, their devices and the way they act once they have connected may appear bewildering to many companies. However, advances in automation are increasingly helping them keep a handle on the millions of events that now occur on their systems.

In summary, if you are expecting to secure your estate by having humans watch TV screens, you are probably going to be too late to spot an attack. Human reactions are always going to be much slower than automation.

News Source: BBC


The True Cost of Security Breaches

Published in Security

What does a security breach or malicious hacker attack actually cost? For organizations that lack a fully resilient infrastructure, the true costs can include operational interruptions, loss of customer trust, lawsuits and compliance regulation fines. 

Consider the costs an organization can expect to incur from ransomware. 

In March 2018, Atlanta’s city government was hit with a ransomware attack, in which criminals demanded roughly $51,000 in bitcoin to restore the city’s systems. Atlanta didn’t pay. 

Consequently, according to Engadget, more than one-third of the city’s necessary programs went offline or were disabled in part. Worse, Atlanta’s city attorney office lost six of its 77 computers and 10 years of documents. The Atlanta police department lost its dash cam recordings. Initially, the cost of recovering from the attack was an estimated $2 million, but that soon increased by another $9.5 million.

Here are some examples of the hidden costs a security incident may bring, with tips on how to avoid them through business resilience best practices.  

Hidden security breach costs 

Emergency assistance from consulting firms. After a breach or attack for which you’re unprepared, you may need an outside consulting firm to help you bounce back. For instance, the city of Atlanta spent $600,000 with Ernst & Young for incident response consulting.  

Technology and security upgrades. A successful attack means the exposure of weak links in your security, which you’ll need to repair going forward. Equifax, which in September 2017 experienced what’s probably the costliest data breach in history, was forced to upgrade its technology and security infrastructures. Its ongoing IT and data security costs related to the breach were $45.7 million in the first quarter of 2018 alone.

For lessons learned from the Equifax breach, see our blog post “The Equifax Breach: No More Excuses.” 

Legal fees. Your organization may be vulnerable to class-action lawsuits or other legal action stemming from data privacy leaks. Following its 2015 breach, Anthem was liable for more than $33 million in attorney fees and expenses, according to Big Law Business. That’s in addition to payouts to class-action plaintiffs, which in Anthem’s case included $7,500 each for 29 individuals and $5,000 each for 76 plaintiffs.

Insurance deductibles. Insurance against losses from cyberattacks and breaches is a growing market. But as with most insurance policies, organizations may have to pay a deductible. Equifax’s deductible was $7.5 million.

Crisis communications and PR. After an attack is discovered, organizations should get the word out in a timely manner, which may mean engaging a crisis communications PR firm. Atlanta spent $50,000 hiring such a firm after its ransomware attack.   

Regulatory compliance penalties or fees. With new data privacy regulations such as Europe’s GDPR, organizations can face stiff penalties if personal data isn’t adequately protected. Infringement fines can go up to 20 million euros.

See “What Does the GDPR Mean for Your Business?” for more information.  

Damage to reputation and brand. This side effect of a data breach can be difficult to predict or estimate. But here’s one example: In February 2017, Verizon reduced its offer to acquire Yahoo by $350 million after Yahoo had disclosed two significant data breaches.  

But that’s not all. Other hidden costs may include:  

  • Notifying customers via email, letters, phone calls 
  • Increase in calls to help desk and customer support  
  • Cost of business disruption and revenue losses from downtime 
  • Loss of customers and inability to acquire new ones 

4 tips for avoiding attacks and breaches 

  1. Cover the basics. Egress filtering. Keeping security updated. Deploying Multi-Factor Authentication (MFA). Encouraging users to take passwords seriously. These are all basic security practices your organization should implement to help prevent breaches.
  2. Continually educate users about cyber security risks. Many cyber attacks and data breaches start with phishing emails that fool someone inside the organization into clicking a link they shouldn’t click.

Phishing messages are by design made to look authentic, slip by spam filters and appear to come from people the victim ‘knows’ due to spoofing. Social media accounts can also be used as a tool to tailor phishing messages specifically to the targeted employee, making them even harder to identify by the naked eye. The most effective way to counter these types of attacks is to educate users and frequently test their awareness.

  3. Make incident response plans part of your resilience program. The quicker you can identify and respond to an attack, the more likely your organization can recover and stop an attacker from accessing sensitive data. A cross-functional team of employees spanning IT security, legal, corporate communications, sales and human resources should be trained in what to do, in accordance with your incident response procedures.
  4. Segment each division of your network. In addition to training employees about how to respond after an incident, you should also segment each division of your network. This way, if you experience a cyber-attack, you just need to identify the origin of the attack and shut off that single segment, isolating it from the rest of the company. This minimizes the amount of sensitive data stolen and allows you to recover quickly and continue with normal operations.

Network segmentation can be used to protect sensitive data and effectively thwart a cyber-attack. For example, a client of ours prepared their network by segmenting each division and trained their employees on the incident response procedures in the event of an attack. When the company experienced a cyber-attack it was able to quickly identify the origin of attack, shut off that single segment from the rest of the company, and recover quickly to continue operating as normal. Having a well-thought-out incident response plan that employees know how to execute properly is critical to business continuity.

Most recently, enterprises are increasingly leveraging micro-segmentation to create secure zones in data centers and cloud deployments for isolating and protecting workloads, as well as containers to isolate virtual machines to reduce the attack surface.  

In addition, you can improve resiliency via snapshots of files and storage, which will help you roll back to a predetermined Recovery Point Objective (RPO), minimizing your exposure to data loss and its associated costs.

For additional tips on avoiding cyber-attacks and protecting your organization against data breaches, consider reading these resources:  

  • Data breach responses: 4 ways the most resilient businesses handle hacks
  • Do you know which of these cyber-attacks isn’t real?
  • 6 Steps to Make Customers Less Vulnerable to Ransomware
