Kaspersky Labs reported a large-scale, long-duration "unprecedented cyberrobbery" this week. This attack lasted years, involved multiple approaches (including hijacking actual ATMs), and resulted in the loss of up to a billion dollars worldwide.
Instead of targeting the banks' customers, who likely have several measures in place from the bank to protect their accounts from fraud, this attack likely began with a phishing attack on the bank employees. "The cybercriminals began by gaining entry into an employee’s computer through spear phishing, infecting the victim with the Carbanak malware. They were then able to jump into the internal network and track down administrators’ computers for video surveillance. This allowed them to see and record everything that happened on the screens of staff who serviced the cash transfer systems. In this way the fraudsters got to know every last detail of the bank clerks’ work and were able to mimic staff activity in order to transfer money and cash out" says Kaspersky in its post. From there:
- "When the time came to cash in on their activities, the fraudsters used online banking or international e-payment systems to transfer money from the banks’ accounts to their own. In the second case the stolen money was deposited with banks in China or America. The experts do not rule out the possibility that other banks in other countries were used as receivers.
- In other cases cybercriminals penetrated right into the very heart of the accounting systems, inflating account balances before pocketing the extra funds via a fraudulent transaction. For example: if an account has 1,000 dollars, the criminals change its value so it has 10,000 dollars and then transfer 9,000 to themselves. The account holder doesn’t suspect a problem because the original 1,000 dollars are still there.
- In addition, the cyberthieves seized control of banks’ ATMs and ordered them to dispense cash at a pre-determined time. When the payment was due, one of the gang’s henchmen was waiting beside the machine to collect the ‘voluntary’ payment."
This incident highlights how important it is to provide employees with the tools, training and education needed to lessen the impact of this kind of attack. In addition, monitoring tools should alert organizations when seemingly legitimate employee transactions look wrong, for example when an account balance changes without a corresponding posted transaction. See the link above for additional detail.
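One way monitoring might catch the balance-inflation scheme quoted above, as an added illustration that is not part of the Kaspersky report or the original post, with constructed account names and amounts: reconcile each account's balance change against the transactions actually posted to it, and alert on any gap.

```python
"""Reconcile balance snapshots against posted transactions.

Added illustration (not from the Kaspersky report): the inflate-then-transfer
scheme described above leaves a ledger whose balance changes are not fully
explained by the transactions that were actually posted. Checking that every
balance delta equals the net of posted transactions surfaces the inflation.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Txn:
    """A posted ledger entry. amount > 0 credits the account, < 0 debits it."""
    account: str
    amount: int  # whole dollars, matching the example in the text


def unexplained_balance_changes(before: dict, after: dict, txns: list) -> dict:
    """Return {account: unexplained_delta} for every account whose balance
    moved by an amount that the posted transactions do not account for."""
    posted = {}
    for t in txns:
        posted[t.account] = posted.get(t.account, 0) + t.amount
    anomalies = {}
    for acct in set(before) | set(after):
        delta = after.get(acct, 0) - before.get(acct, 0)
        gap = delta - posted.get(acct, 0)
        if gap:
            anomalies[acct] = gap
    return anomalies


# Constructed sample data. ACC-1 is the account from the text: it held 1,000,
# was silently set to 10,000, and 9,000 was then transferred to MULE, so its
# visible balance is unchanged. ACC-2 is a normal account with a posted debit.
BEFORE = {"ACC-1": 1_000, "ACC-2": 5_000}
AFTER = {"ACC-1": 1_000, "ACC-2": 4_800, "MULE": 9_000}
TXNS = [
    Txn("ACC-1", -9_000),  # the fraudulent transfer out, which was posted
    Txn("MULE", +9_000),   # its counterpart credit
    Txn("ACC-2", -200),    # legitimate payment
]

if __name__ == "__main__":
    for acct, gap in unexplained_balance_changes(BEFORE, AFTER, TXNS).items():
        print(f"ALERT {acct}: balance moved {gap:+} with no posting to explain it")
```

The account holder sees the same 1,000 before and after, which is exactly why the scheme goes unnoticed; the reconciliation flags ACC-1 because 9,000 left it without any credit ever having been posted.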
Tuesday was "Safer Internet Day", and Google celebrated by offering users free space in their Google Drives if they performed a simple security check. Click here for a letter from the Group Product Manager for Google Drive, explaining the offer and the check.
This is an interesting approach to a growing problem. This blog has discussed usability as a critical factor when it comes to adoption, but what about offering incentives to keep account information current and to keep users aware of the policies in place to protect them? For a program like this to be most effective, it has to offer something end users want. In this case, that is storage on Google Drive. It would benefit any online business to consider how they could incentivize their users to enhance their security while encouraging use of their product. Promotional discounts, exclusive content and free services are just a few that come to mind.
RSA and TeleSign have released a report with key findings on the state of mobile fraud in e-commerce. "An uptick in online fraud resulting from today's environment of large-scale data breaches and security incidents is something TeleSign is seeing first-hand," said Steve Jillings, CEO of TeleSign. "Illicit activities including spamming, phishing attempts, affiliate fraud and e-commerce fraud all have a common primary motivation: money."
Below are some key findings from the report, with more details here:
- Average revenue loss due to mobile fraud: $92.3M per year (among 250 organizations with average revenue of $2.54 billion).
- Mobile growth trend: More than 50 percent of respondents believe that mobile revenues will grow 11-50 percent over the next three years, and 30 percent believe it will grow 51-100 percent.
- Rising fraud trend: The growth of mobile interactions is expected to increase the percentage of mobile incidents significantly, with 19 percent of companies already indicating that 25-49 percent of their fraud incidents are due to mobile. These rates are expected to grow, and in some cases at least double over the next 2-3 years as mobile revenue contributions increase, unless significant remedial actions are implemented quickly.
- Current lack of adequate security: One in four businesses currently don't require login identification for mobile users.
- Addressing the problem: In the next 2-3 years, next generation authentication technologies like biometrics, soft tokens and other two factor authentication will largely replace the user name and password as the primary method of authentication.
The need to better secure the technologies we use every day is clear. Data breaches, hacks and stolen information create a backdrop for the discussion, but often that discussion fails to address a crucial reality, and in doing so misses the mark. As Michael Goedecker points out: "If we truly want to tackle the challenges of this millennium then we need to deal with the facts and face the truth. If we want to keep a globally linked and open system, we will also have to accept the risks associated with that "open" network. So when we face the facts that: The Internet is insecure by design, that it has opened up otherwise closed networks, and that people can attack at any time, from anywhere, and we never really know for sure where they come from, we get to our "truth" in security. We need to change the way we build, secure and protect things on an open and vulnerable network."
In his post, Goedecker sets forth 7 compelling ways we can start to address security effectively:
- Recognize the weakness in the Internet and its connected networks, systems and technology
- Move towards better security technology that leverages what I call the proactive security practice
- Leaders of Security teams, organizations and companies need to be transformational and servant leaders. These "leaders" inspire and create an environment of innovation and spark creativity.
- Stop promising the silver bullet, customers know this is "sales speak" so just stop it.
- Get to actionable intel in SIEM, IPS, IDS systems that work, are secure and dependable.
- Recognize as fact that without IT and IT Security, the business can't fulfill orders, book revenue or exist.
- Stop being drama queens and selling snake oil.
"Although the "steps" above are not everything" he says, "they are a great way to reorganize how security needs to work, how we can get value from what we have, and if we need to buy stuff we at least know how, why and where we will need it and how to implement it."
We often associate cyber security risks with the devices we have seen get "hacked" - laptops, email accounts, mobile phones etc. are typically at the forefront of our minds when we think about this risk because we are likely to have experienced one of these devices being compromised. But an ever growing number of devices for our homes, lives and even our health are online now. This IoT environment means that the risks of compromising these devices must be discussed in the same context as the risks we are familiar with now. Medical devices are one kind of device to which this applies:
"Medical devices are just the latest in a growing list of Internet of Things that are at risk for potential hacks. On the surface, it may seem almost foolish to worry that some stranger will want to control a person’s insulin dosage or shut off a pacemaker or manipulate health data, but we also wondered why anyone would want to hack into cloud storage to steal compromising photos of actresses or someone would stage a major attack on an entertainment company in retaliation for a movie. If something can be hacked, it will be hacked. If for no other reason, this puts medical devices and the patients who rely on them at great risk.
Like virtually every device connected to a network, medical equipment was never designed with cyber security in mind. However, thanks to the Food and Drug Administration’s new guidelines, that will change. Manufacturers are now instructed to build cyber security functionality into new medical devices. How these cyber security functions will be addressed will depend on the device itself – its intended use, overall vulnerability concerns, and risks to the patient, for instance. The guidelines go on to list the types of cyber security functions that should be included, such as layered authentication levels and timed usage sessions that ensure the device isn’t connected to the network any longer than necessary" says Sue Poremba for Forbes.com.
Broadening our sense of which devices pose a risk will help us collectively design technologies and solutions that will protect us against this kind of threat. While there is no silver bullet, it's time we started viewing the issue in a much more inclusive way, as more and more kinds of devices go online.
President Obama has proposed a new law that would standardize the required response to consumers and users when their data is compromised, and would take steps to protect the privacy of users online. At present, state laws vary on the subject, which confuses consumers and makes the laws harder to enforce. In an article on CNET, Seth Rosenblatt cited several statistics that suggest that the recent increase in data breaches is fueling renewed interest in, and cooperation around, passing this kind of legislation.
By collectively rallying around new legislation, users are showing that they understand some of the risks and the potential for a compromise of their data to significantly affect them. However, this will be the first of many steps to becoming more educated and proactive as a society when it comes to protecting ourselves online. Meaningful progress will require individual education and improved practices, as well as support from the legal system and the government.
2014 was a busy year for hackers, with several high profile data breaches making the news and inspiring discussion. In a piece for Forbes, Lior Div makes a compelling case for a shift in mindset to a "post-breach mindset" as companies and organizations rally to put what we learned in 2014 to use.
"2015 must be a year of change" says Div, "organizations must assume that their networks have been or will be breached and focus on identifying attackers that are already in their environment." By changing the way we think about security from "I hope this doesn't happen to me" to "Here's my strategy to protect myself", we will collectively shift our thinking when it comes to security - employing more well-rounded strategies, technologies for different stages of prevention and response, and intelligent solutions that will keep pace with the hackers. Div says in closing: "Security teams must adopt a post-breach mentality and develop their capabilities accordingly. Improving network and endpoint visibility will enable organizations to better identify irregularities and malicious activity. Hackers might have reigned supreme in 2014, but this year, we can apply our hard-earned lessons. Security budgets are sure to go up, and automated solutions that can help organizations better detect and respond to malicious intruders are rapidly maturing. We might not be able to keep determined cyber criminals from getting in, but we can get much, much better at finding and containing them once they are. Hopefully, 2015 will be the year the good guys level the playing field and defend against sophisticated attacks with equally sophisticated detection and response."
2015 is shaping up to be a big year for cybersecurity, with several driving events having occurred in 2014 (including high profile data breaches) bringing security concerns to the forefront. TechCrunch summarizes the landscape nicely, citing trends and making predictions for what the space will look like in 2015.
Whether all of these predictions come to pass, it seems inevitable that a subset of them will. We're seeing an active and increasing focus on technologies and strategies to improve security, respond to incidents, and to create new products that will change the landscape.
Much has been published and discussed in the news over the past week involving the Sony hack and the fallout. This article offers a unique and valuable perspective that transcends this specific incident and is worth reading for that reason: how it actually feels to be an employee at a company that suffers a hack of this kind.
"Going forward, I want to know that I won’t get a random $500 charge. I decided that I’m never going to access any of my financial accounts on my work computer ever again. If I need to do something urgently, I’ll use my smartphone, or I’ll go home and do it. It’s not worth the risk" says the anonymous employee of the practical lessons learned from this experience, but there are deeper, lasting consequences as well for those who rely on their company's security to keep them safe at work: "It’s taken a toll, mentally—do I have to worry about someone getting a random medical procedure with my benefits? And there’s the frustration at the way the top top brass handled the situation. Why didn’t they provide more for the employees?...it is like, wow, you always have to look over your shoulder. This is forever."