It’s summer time, sunscreen in your pocket while you’re on vacation at a popular, sunny getaway…or on a business trip. After swiping to cover that delicious dinner, your waiter returns with your credit card, the same card you used for those soft serve ice cream cones. Voila, a call from a 1-800 number appears on your mobile phone. You let out a deep exhale because you know who’s on the other end of the line: the automated female voice from your card company. You loathe it, you wish there were a way to avoid this annoying occurrence during your vacation, but you can’t, because it’s the Fraud Detection Department calling to verify your transactions after disabling your credit card for protection.
That dreaded phone call has become a standard event during a vacation or any travel outside of your local area and you can thank those pesky card skimmers for this low point of your travels.
What is card skimming?
It is the common moniker for copying the most important information from the magnetic stripes found on credit and debit cards. As you probably guessed, card skimmers take that important information and, through different methods, use it for fraudulent transactions on the internet and/or at physical merchants.
You must be wondering how this is even possible in 2018 because your bank sent you a more “secure” card with a chip and surely, a card skimmer can’t grab vital information from that chip…but then again, think about how many times you swipe your card as opposed to inserting your chip. Yeah, I think we have your attention.
Let’s learn about how card skimming actually works, the different types and most importantly how to avoid it.
How does it actually work?
Card skimming is accomplished through a small device that illegally reads credit card information in an otherwise legitimate credit or debit card transaction. When a credit or debit card is swiped through a skimmer, the device captures and stores all the details, such as card number, expiration date and the card holder's full name stored in the card's magnetic stripe. Card skimmers are often placed over the card swipe mechanism on card readers in all kinds of businesses…but they’re predominantly located in ATMs and gas stations. With ATMs, the crooks may also place a small, undetectable camera nearby to record you entering your PIN. This gives the thief all the information needed to make fake cards and withdraw cash.
Occasionally, retail workers who frequently handle cards are recruited to be part of a skimming ring. These workers use a handheld device to skim your card during a transaction. Remember that great dinner you paid for on vacation? You handed your card to your waiter. The waiter walks away with your card, and for a dishonest waiter, this is the perfect opportunity to swipe your card through a skimmer without detection. For the honest waiter, there may be an undetected card skimmer on the machine and he/she unknowingly gave your card information to malicious actors.
Once your card information is captured by a card skimmer, the skimming ring will either create a cloned card to make purchases in store, use the account to make online purchases, or sell the information on the internet. You are often unaware of the scam until it’s too late and you notice unauthorized charges on your account, your card is unexpectedly declined, or you receive an overdraft notification in the mail. Now, you should have a good understanding of why you get that annoying call from your card company during your travels. The good news is that you generally don’t have to pay, but the bad news is that you may need to resubmit your information to all those businesses that automatically debit your card every month. It’s annoying, but it’s more than that: you feel like you have been violated.
How to Spot a Credit Card Skimmer
It’s very unlikely you’re going to avoid your favorite retail and restaurant spots because you’re leery of workers, but there are ways to become more vigilant and spot a card skimmer.
Thankfully, many card issuers have sophisticated algorithms and fraud alert processes to detect fraudulent transactions and decline suspicious transactions until you verify them. However, simply using your card puts you at risk of becoming a card skimming victim because card skimmers are hard to detect. Unless you know what you're looking for, it can be extremely difficult to detect skimming devices.
Here are more tips to avoid card skimming.
Card skimming can be devastating to your sacred vacation and personal finances. We rely on our card issuers to notify us quickly and work with us to remove fraudulent charges from our cards. However, there are instances when it’s too late and the losses have accumulated to billions of dollars of devastation. Stay safe out there, watch out for skimmers and always pick up that dreaded call to verify your transactions.
Seemingly every few months, there’s news of an organization and its subsequent data breach, resulting in its confidential data in the wrong hands. These security lapses have major consequences, ranging from regulatory scrutiny to fines, lawsuits, and consumer dissatisfaction.
While advances in cloud computing and managed services have made IT operations more agile, efficient and streamlined, those benefits have also introduced not only new vendor risks into your organization, but risks that are even closer to your most sensitive data than ever before.
There are four key trends driving the focus on third party/vendor risk management:
● Globalization: As the world gets flatter, organizations with global third-party networks are faced with a multitude of rules, policies, data, standards and regulations.
● Virtualization: Technology has dramatically changed the way organizations operate. With the advent of the cloud, virtual data centers, and hosted apps, companies are using vendors to process their critical business information, thus transferring data outside their firewalls. Recent data breaches and security incidents have highlighted the vendor risks that come with virtualization, and the need to have deeper visibility into the third-party ecosystem.
● Social Media: On one hand social media improves transparency, collaboration, and efficiency across third-party networks. On the other, it brings potential security risks and privacy concerns for business-critical information. The key is to leverage social media to gather third-party intelligence, while also identifying and mitigating the attendant risks.
● Mobility: Ubiquitous access to data across mobile devices poses multiple security risks. As data access becomes easier, and as security breaches proliferate, a strong third party/vendor risk management program is essential to ensure accountability.
This risk has become one of the biggest culprits of data breaches and has shifted the focus of IT leaders to it. Managing risk, in particular third party/vendor risk, has become an even more central concern. Who wants to work with a partner that’s careless with data? A third party’s reputation can ultimately affect your own organization’s. Outside vendors are an essential part of the technology stack, however, and it’s simply impossible to perform key functions without them. How do you determine whether a vendor will safeguard your data and handle it with the utmost care? This is the essence of third party/vendor risk management.
Third Party/Vendor Risk
It’s rare in 2018 for any organization to conduct all of its operations using only its own resources and personnel. For many, it takes business partners, often called “third party/vendor” partners, to get things done. Whether it’s a bank that uses vendor-managed cloud services to store and analyze its data, or a supermarket that hires an EPOS provider to process its credit card transactions, firms large and small rely on third party partners to manage tasks that frequently involve a high volume of sensitive information.
The question of trust looms large in such partnerships, particularly since an organization is often liable for its third party/vendor functions, even though it doesn’t directly carry them out. Third party/vendor risk management has become one of the most important risk issues facing organizations today. In addition to the growth of the vendor risk management profession, senior executives and boards increasingly find themselves involved in third party risk management as it has become an accepted and important element of a director/officer’s fiduciary duty to the company.
The process of assessing third party vendors and conducting security assessments and questionnaires can quickly become overwhelming. There are many organizations and governing bodies, each with its own guidelines. Throw in the increasing complexity of cybersecurity issues and your security team can quickly become buried under a mountain of tasks and processes that are ineffective and don’t actually protect data, customers, partners, and other key stakeholders. Just as cyber risk management requires a whole-of-company approach, a sophisticated vendor risk management program requires governance, policy, training, and technology (tools) to be effective.
Shared Assessments Program
A well known framework to assess third party/vendor risk is the Shared Assessments Program, which is used in over 115 countries and in a variety of industry verticals: financial services, energy, government, healthcare, manufacturing, pharmaceutical, retail, telecommunications, and education. The program is the trusted source for third party/vendor risk management with resources, including tools and best practices, to effectively manage the critical elements of the vendor risk management lifecycle. It follows a two-step approach to managing third party risks. Using industry-established best practices, the Shared Assessments Program follows a “trust, but verify” approach to conducting third party assessments, enabling you to fine-tune your third party risk management program according to your company’s strategy for managing risk.
Program in Depth
The Shared Assessments Program consists of three core tools that your organization can utilize to assess its third party/vendor risk.
There’s a GDPR tool kit as well (we have covered GDPR in a previous blog).
SIG (Standardized Information Gathering) questionnaire:
SIG is based on a comprehensive question library that determines how information technology and data security risks are managed across a broad spectrum of risk control areas. SIG Lite is designed to be completed by a third party vendor facilitating non-critical functions or posing less risk to the requesting organization. SIG Core is the next step up…designed to be completed by vendors supporting critical functions. The SIG Lite or SIG Core can be supplemented with additional questions from the SIG library as well or the SIG library can be used to do deep dives on targeted risk areas. These aren’t just “check the box” questions and answers. SIG is an in-depth questionnaire that gathers an incredible amount of information. The security domains covered include:
● Risk Management
● Security Policy
● Organizational Security
● Asset Management
● HR Security
● Physical and Environmental Security
● Communications and Operations Management
● Access Control
● Incident Event and Communications Management
● Business Continuity and Disaster Recovery
● Cloud Computing
● Additional Questions
For those intimidated by the size of the full SIG, SIG Lite may be the risk assessment framework to consider: it’s essentially a questionnaire covering all of the aforementioned topics, but it achieves its goal with a distilled fraction of the questions in the full SIG library and significantly fewer than even the SIG Core library.
SCA (Standardized Control Assessment):
The SCA uses a standardized, efficient, substantiation-based protocol for on-site assessments that allows companies to evaluate their own controls, as well as those of their third-party service providers. Robust third-party risk management is achieved through a continuous re-evaluation of content and frequent updates, ensuring that the SCA remains relevant in terms of both current and emerging best practices. It defines 17 critical risk control areas listed below, procedures, and an on-site assessment reporting template, all of which enhance the efficiency of the assessment process.
● Risk assessment and treatment
● Security policy
● Organizational security
● Asset and information management
● Human resources security
● Physical and environmental security
● Operations management
● Access control
● Application security
● Incident event and communications management
● Business resiliency
● Network security
● Threat management
● Server security
● Cloud security
VRMMM (Vendor Risk Management Maturity Model)
While the SIG and the SCA (formerly known as the AUP) are used to identify and evaluate your third party vendor’s risk, the focus of the VRMMM is to provide risk managers with a tool they can use to evaluate their vendor risk program against a comprehensive set of best practices. Essentially, it’s a scoreboard or report card to see how a vendor risk management program stacks up against standard practices.
VRMMM is updated yearly, but below is a list of the high-level components that make up the VRMMM:
● Monitor & Review
● Tools, Measurements & Analysis
● Communication and Information Sharing
● Skills and Expertise
● Vendor Risk Identification and Analysis
● Policies, Standards & Procedures
● Program Governance
Certified Third Party Risk Professional (CTPRP)
The Certified Third Party Risk Professional (CTPRP) designation is the only certification program that validates proficiencies in third party risk management concepts and principles, including managing the vendor lifecycle, vendor risk identification and rating, and the fundamentals of third party risk assessment, monitoring and management. Those who pass the exam demonstrate knowledge of third party risk principles: managing the third party lifecycle, identifying and rating risks, and the basics of risk assessment, monitoring and management.
Versatile for Internal Security Program Management
The Shared Assessments framework is the process to evaluate third party/vendor risk because it’s a thorough method to establish the security posture of your third parties/vendors. There’s also another pertinent application for this framework: your own organization. The same framework that is used to establish a sense of trust between your organization and its vendors can easily be used to establish trust between your organization and its own security posture and processes. If your organization is a vendor to established businesses, adopting the Shared Assessments framework as a governing document for your own information security program may be particularly compelling. Approaching your program with the Shared Assessments framework with this in mind, your organization can effectively kill two birds with one stone! With that noted, no animals were harmed in the drafting of this blog nor is such harm condoned.
In today’s complex, outsourced environment, it’s critical to step up third party/vendor risk management initiatives to protect both reputation and revenue. Gain a clear view of your third party/vendor relationships and collaborations, and adopt a proactive approach to manage their associated risks. Be well-prepared to manage supply chain disruptions by proactively identifying hidden risks and using well-defined business continuity plans. Also, establish a robust closed-loop process to continuously evaluate third parties based on the Shared Assessments Program. The key is to effectively manage the third-party ecosystem in such a way as to create a culture of transparency and accountability. Lastly, if appropriate for your risk profile, contemplate adopting the Shared Assessments framework as part of your own information security program.
Outlook 365 is a cloud-based email service designed to help meet your organization’s needs for robust security, reliability, and user productivity. It is widely used by enterprises globally for its ease of use, seamless integration, mobile access, and enhanced productivity.
When you move your organization to a cloud service, you must be able to trust your service provider with your most important, sensitive, and confidential data. Microsoft has robust policies, controls, and systems built into Outlook 365 to help keep your information safe. Microsoft’s security team is world class and it covers physical and network security for your email infrastructure. If you migrated from an on-premises/hybrid setup of Outlook to cloud-based Outlook 365, then congratulations. But while Outlook 365 offers a number of built-in data protection features, those features alone are usually not enough for the robust security posture required by the modern enterprise.
Let’s examine a recently discovered Outlook 365 vulnerability and how you can securely configure your Outlook setup to thwart this and similar future vulnerabilities.
Security researchers revealed an attack method to bypass a security feature of Microsoft Outlook 365 which was originally designed to protect users from malware and phishing attacks. Safe Link, part of Microsoft's Advanced Threat Protection (ATP) offering, works by replacing all URLs in an incoming email with Microsoft-owned secure URLs. Every time a user clicks on a link provided in an email, it first sends the user to a Microsoft-owned domain, where the original URL is immediately checked for anything suspicious. If Microsoft's scanners detect any malicious element, the user is warned about it; if not, the user is redirected to the original link.
The baseStriker attack sends a malicious link, which would ordinarily be blocked by Microsoft, past security filters by splitting the URL into two snippets of HTML: a base tag and a regular hypertext reference (href) tag. The malicious URL is let through because the email filters do not handle the base HTML tag correctly: ATP only performs the lookup on the base domain and ignores the URL in the rest of the body. Because only part of the URL is tested, it mistakenly appears not to exist in the malicious URL database and the email is let through. Furthermore, Safe Link does not replace the malicious link. Consequently, the user gets the original malicious link and can click it to navigate to the phishing page.
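As an added example (not part of the original post and not Microsoft’s code), the Python below shows the defensive point behind this bug: a link check must resolve every href against the message’s base tag, the way a browser does, before looking the destination up. The blocklist, the two message bodies and the host name phish.example are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist of known-bad hosts; a placeholder, not a real feed.
BLOCKED_HOSTS = {"phish.example"}

# Constructed message body in the split form described above: the host
# lives only in <base href>, the path lives only in the <a href>.
SPLIT_MESSAGE = """<html><head><base href="http://phish.example/"></head>
<body><p>Your mailbox is almost full.</p>
<a href="login/verify">Click here to fix it</a></body></html>"""

# The same destination written as one ordinary absolute link, for comparison.
PLAIN_MESSAGE = """<html><body>
<a href="http://phish.example/login/verify">Click here</a></body></html>"""


class LinkCollector(HTMLParser):
    """Records the first <base href> and every <a href> exactly as written."""

    def __init__(self):
        super().__init__()
        self.base = None
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and self.base is None and a.get("href"):
            self.base = a["href"]  # browsers honour only the first <base>
        elif tag == "a" and a.get("href"):
            self.hrefs.append(a["href"])


def collect(html):
    """Return (base_href_or_None, [href, ...]) for an HTML body."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.base, parser.hrefs


def hosts_as_written(html):
    """What a filter sees if it inspects each href literally: a relative
    href such as 'login/verify' carries no host at all, so there is
    nothing to look up and nothing to rewrite."""
    _, hrefs = collect(html)
    return [urlsplit(h).hostname for h in hrefs]


def hosts_as_clicked(html):
    """What the user's browser will actually contact: each href resolved
    against the document's <base>, which is what urljoin implements."""
    base, hrefs = collect(html)
    return [urlsplit(urljoin(base or "", h)).hostname for h in hrefs]


def flagged(html):
    """True when any link, after base resolution, points at a blocked host.
    This is the check a mail filter needs; comparing hosts_as_written and
    hosts_as_clicked on SPLIT_MESSAGE shows why."""
    return any(host in BLOCKED_HOSTS for host in hosts_as_clicked(html))


if __name__ == "__main__":
    for name, body in (("split", SPLIT_MESSAGE), ("plain", PLAIN_MESSAGE)):
        print(name, "as written:", hosts_as_written(body),
              "as clicked:", hosts_as_clicked(body), "flagged:", flagged(body))
```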
In summary, this attack method may be the most severe security flaw in Outlook 365 since the service was created. Unlike other attacks that can be learned and blocked, this vulnerability allows hackers to completely bypass all of Microsoft’s security features and is the email equivalent of a virus that blinds the immune system. Even if the attack is already known, Microsoft does not have a way to see it and lets it through. We have only seen hackers using this vulnerability to send phishing attacks, but it is also capable of distributing ransomware, malware and other malicious content…potentially unleashing risks that its users have not been accustomed to on the platform.
Defense in Depth to Protect Outlook 365
There is no single solution to mitigate the attack described above and it is an example of a failure of controls at many levels. You cannot rely on a single Outlook 365 security feature, such as Safe Links, to reduce the likelihood of that attack, or any other, being successful. A layered defensive strategy using multiple Microsoft security features and controls stands a much better chance of preventing the attacker from succeeding.
The initial phishing attack can be mitigated using Microsoft EOP (Exchange Online Protection) and ATP. These security features go beyond just Safe Links, which was the source of the reported vulnerability. An attacker's email has to make it past every layer of EOP and ATP to successfully reach a user’s Inbox. It may also be removed from an Inbox by ATP if it is later determined that it was malicious, potentially before the user has even read it.
The user credential reuse risk can be mitigated by Azure Identity Protection. When Microsoft becomes aware of a breach containing a re-used set of credentials, you can have Azure Identity Protection alert you and automatically force the user's password to be reset. That security feature can also identify suspicious login patterns, such as an attacker logging in from a remote country. Azure Identity Protection is just one way to mitigate the re-use of compromised user credentials. Another security feature is MFA (multi-factor authentication), which prevents user credentials from being used by anyone but the account owner. Azure Active Directory conditional access can enforce MFA and other conditions on logins, such as requiring all logins to originate from trusted devices.
If the attacker manages to gain remote access to a user's computer, Windows Defender ATP can detect the suspicious behavior of the attacker's exploit tools and alert you to the breach immediately. If the attacker is performing reconnaissance of your network and attempting privilege escalation, Azure ATP can alert you to that suspicious activity immediately. On the chance that the attacker still manages to figure out who to send a phishing email to, the use of MFA and other identity protection measures mentioned earlier prevents them from directly exploiting a mailbox. That leaves them with email spoofing or impersonation as a vector, which can be mitigated with ATP once again.
All of those security measures mentioned above must be evaluated, tested, and deployed to be effective and some of them require additional investment in licenses. Unfortunately, there isn’t a single button to push that will turn on all of those security features; some of the features work in isolation, some of them are tightly integrated with other features. All of them work together to secure your organization’s Outlook 365 setup.
baseStriker is a perfect example of a very simple exploit that has a huge potential to cause significant damage to your organization. As more organizations move further into cloud offerings, we will need to stay more aware of the potential security risks and remain vigilant.
As you know, unlike MiFID II or other pan-European regulations, the General Data Protection Regulation (GDPR) reaches beyond the EU and impacts those businesses that formerly thought they were safely ensconced in the U.S. Some are still wondering if they have to comply with it….I mean, shouldn’t they be getting a letter in the mail or something? But then, there are the rather large fines they might hear about…20mn EUR or $28mn USD depending on exchange rate, and all of a sudden the veil of willful ignorance must lift and they must ask: What about us?
What is GDPR and Why does it exist?
The short answer to that question is public concern over privacy. The EU has long had more stringent rules around how companies use the personal data of its citizens. In 1995, the EU enacted the Data Protection Directive. This was well before the Internet became the constant data marketplace that it is today. Consequently, the directive is outdated and does not address the many ways in which data is stored, collected and transferred today. Thus, the EU Parliament adopted the GDPR in April 2016, replacing the outdated data protection directive from 1995. GDPR consists of 11 chapters and 91 articles that outline the requirements and regulations imposed on businesses to protect the personal data and the privacy of EU citizens for transactions that occur within EU member states. GDPR also regulates the exportation of personal data outside the EU. The regulation is consistent across all 28 EU member states, which means that a company thankfully has just one standard to meet within the EU.
As noted above, foreign companies that collect data on citizens in European Union (EU) countries must also comply with GDPR. More specifically, if your foreign company interacts with any customer data from the EU’s 28 member states, then your company must comply with the pending regulation because it is subject to the aforementioned fine. If your company is in the clear, then rejoice, but I still encourage you to continue reading because this will prepare you for that moment when your company works with EU customer data. Most importantly, if your company is US based, with each Facebook debacle we are inching closer toward stricter data privacy regulation in the U.S.
Compliance with GDPR will cause some concerns and new expectations of your security team because the regulation takes a wide view of what constitutes personally identifiable information. Your company must utilize the same level of protection for data such as an individual’s IP address or cookie data as it does for Name, Address and Social Security number. Like any regulation, it is an inch deep and a mile wide with a lot to be desired in interpretation and candor. GDPR states that a company must provide a “reasonable” level of data control for personal data, but does not define what constitutes “reasonable”. This ambiguity gives EU’s GDPR governing body a lot of leeway when it comes to assessing fines for data breaches and non-compliance.
What types of data does the GDPR protect?
How does GDPR define “data control”?
GDPR states that data can’t be kept indefinitely. It requires a company to completely erase data when a data subject revokes its consent or a third-party requests data deletion or a third-party agreement comes to an end.
Which companies does GDPR affect?
The regulation affects any company that stores or processes personal information about EU citizens even if it does not have a business presence within the EU. Specific criteria are below:
Come again? The last criterion effectively encompasses almost all companies with fewer than 250 employees because it’s interpreted as any company processing, storing and exchanging data points on EU citizens.
When does my company need to be in compliance?
By now, you should have a good inclination about your company’s requirement to comply with GDPR. Your company must be compliant with GDPR by May 25, 2018. That’s this month!
Who within my company is responsible for compliance?
The GDPR regulation defines several roles that are responsible for ensuring compliance:
GDPR holds Data Processors liable for breaches or non-compliance. It’s entirely possible that both your company and a processing partner such as a cloud provider will be liable for penalties even if the fault is entirely on the processing partner. Yes, GDPR just injected third-party risk into your data processing and storage strategies and ultimately changes your company’s third-party selection and business interactions.
How does the GDPR affect my company and its third-party service providers?
The GDPR regulation places equal liability on a Data Controller (a company that owns the data) and a Data Processor (third-parties that manage or interact with a Data Controller’s data). The regulation is interpreted such that if a third-party Data Processor is not in compliance with GDPR, your company isn’t in compliance either.
This means that all existing and new agreements with third-party Data Processors (i.e., cloud providers, SaaS vendors, or payroll service providers) must explicitly declare data responsibilities within the GDPR structure. Also, agreements must define data management and protection processes, and data breach reporting.
GDPR has strict rules for reporting breaches:
What happens if my company isn’t in compliance with the GDPR?
GDPR allows for steep penalties ranging from 10-20mn EUR or 2-4% of global annual revenue for non-compliance. If your company isn’t compliant due to technical measures, the fine imposed may be up to 10mn EUR or 2% of global revenue from the prior year, whichever is greater. If not compliant due to key provisions of the GDPR, such as transferring data to third-parties with inadequate data protection measures, fines imposed may be up to 20mn EUR or 4% of global annual revenue from the prior year, whichever is greater.
What should my company do to prepare for the GDPR?
You want to know what data you store and process on EU citizens and understand the risks around it. Your risk assessment must outline measures taken to mitigate those risks.
Your company may already have a plan in place, but it must review and update it to ensure that it aligns with GDPR requirements. Data breach reporting is one of the trickiest areas of GDPR compliance, especially given the short timeframe of 72 hours, because your company will still be trying to figure out the scope of a data breach and the appropriate response during that time frame. Given the required rapid response, it’s best to have a preexisting relationship with law enforcement or understand who you would reach out to. Typically, this would be either the Federal Bureau of Investigation or the Secret Service.
GDPR doesn’t clearly state whether the DPO needs to be a discrete position, so presumably your company can appoint someone as long as that person can ensure the data protection with no conflict of interest. In practical terms, this means that your IT manager or director, CTO or security manager are bad choices for your DPO. Your marketing manager is a conflict of interest while sensible options could be your head of finance, risk or legal. Your DPO doesn’t need to be someone within your company and so it may be easier to appoint a lawyer or external expert. GDPR states that a DPO may work for multiple organizations, so even HLC could function in such a role.
When it comes to GDPR compliance, your legal or compliance departments can’t do it alone. Instead, any department or employee at your company with involvement in processing personal data must be involved and trained appropriately about the GDPR.
The ability to collect personal data and contact individuals is the lifeblood of the charity and not-for-profit sectors. However, under GDPR, both must comply with the same rules as every other company.
Smaller companies will be affected by GDPR, some more significantly than others. If your company is small, then it may not have the resources necessary to meet GDPR’s requirements. HLC is available to provide advice and technical expertise to help you through the process and maximize internal resources.
GDPR isn’t a simple checklist or one size fits all framework, it speaks in terms of broad standards instead of specific rules, requiring your company to take measures for compliance. Those measures will vary from your company to another one. GDPR is a comprehensive legal and regulatory framework that imposes complex initial requirements and ongoing duties upon your company. Compliance is a marathon, not a sprint.
When an enterprise begins actively monitoring its network to establish its security posture, an often-overlooked component of an enterprise’s security posture is vulnerability management. The core of that component is vulnerability scanning and subsequent remediation through patch management. Vulnerability scanning is an important part of a well-established vulnerability management program for a multitude of reasons, but the 2 main reasons are:
Scanning allows you to identify threats and weaknesses within all the devices within your network, including routers, switches, endpoints, printers, servers and web applications. Detecting vulnerabilities and taking corrective action is important to your overall security posture and essential in protecting valued data assets from internal and external threats. An enterprise must remember, however, that maintaining an effective vulnerability management program is an ongoing process. When it comes to vulnerabilities, malicious actors benefit from automation, crowdsourcing, big data, mobile, low cost cloud computing, and other resources as much as an enterprise’s security team does. The bad guys have the advantage, though: malicious actors need to find just one unpatched vulnerability, whereas a security team must find and patch all vulnerabilities. Though a host may be safe today after a spotless vulnerability scan, a malicious actor could discover a serious vulnerability tomorrow. The result can become a game of Whack-A-Mole: an endless cycle of identifying vulnerabilities and then racing against the clock to patch them before malicious actors develop exploits for them. Therefore, an enterprise should strive towards continuous vulnerability scans to discover those constant incremental changes. An enterprise might not have the scanning infrastructure or human capital needed to conduct and analyze continuous scans of its network environment, so it may need to explore outsourcing solutions that can do this cost efficiently. Continuous vulnerability scans not only help organizations determine whether they are fixing the flaws they discover, they also help companies identify trends in the performance of the vulnerability management program, information which security managers and other executives can use to justify current and future budget allocation.
What is a vulnerability scan?
A vulnerability scan is often confused with a penetration test, and the two are often mistakenly used interchangeably, but they are quite different tests and processes within your vulnerability management program.
A vulnerability scan is performed by using a commercial software package to scan an IP address or range of IP addresses for known vulnerabilities. A scan typically consists of four stages:
It’s important to keep in mind that a vulnerability scan depends on a database of known vulnerabilities to test for; anti-virus software operates with the same dependency. Obviously, there are vulnerabilities that are unknown to the public at large, called 0-day vulnerabilities, which these scanners will neither detect nor offer remediation for.
There are different types of vulnerability scans, and each operates with a different level of thoroughness and activity. A simple vulnerability scan checks the Windows Registry and software version information to determine whether the latest patches and updates have been applied. A more comprehensive and thorough vulnerability scan, such as the kind that HLC performs, involves the aforementioned simple scan plus additional functionality to execute malicious code to determine whether a vulnerability is exploitable.
Vulnerability Prioritization and Patch Management
The aforementioned scan results in a report that lists discovered vulnerabilities, their severity, and remediation steps. After vulnerabilities are identified, they need to be evaluated so the risks they pose are dealt with appropriately and in accordance with an enterprise’s vulnerability management strategy. A vulnerability scan will provide different risk ratings and scores for vulnerabilities, such as Common Vulnerability Scoring System (CVSS) scores. These scores help an enterprise decide which vulnerabilities it should focus on first, but the true risk posed by a vulnerability should consider these factors:
● Is this vulnerability a true or false positive?
● Could a malicious actor directly exploit this vulnerability from the Internet?
● How difficult is it to exploit this vulnerability?
● Is there known, published exploit code for this vulnerability?
● What would be the impact to the business if this vulnerability were exploited?
● Are there any other security controls in place that reduce the likelihood and/or impact of this vulnerability being exploited?
● How old is the vulnerability/how long has it been on the network?
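The factors above can be folded into a single ranking so that a high CVSS score on an isolated, well-controlled host does not automatically outrank a lower-scored flaw that is Internet-facing with public exploit code. The script below is an added example (not HLC’s tooling): the weights, the `Finding` fields and the sample findings are constructed assumptions for illustration, not values from any scanner.

```python
"""Rank vulnerability-scan findings using the prioritization factors listed above.

Added example; the weights and sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List


@dataclass
class Finding:
    host: str
    title: str
    cvss: float                 # base score reported by the scanner (0-10)
    false_positive: bool        # confirmed by manual validation
    internet_exposed: bool      # directly reachable from the Internet?
    exploit_public: bool        # known, published exploit code exists?
    exploit_difficulty: str     # "low", "medium" or "high"
    business_impact: str        # "low", "medium" or "high" if exploited
    compensating_controls: int  # controls that reduce likelihood and/or impact
    age_days: int               # how long it has been present on the network


# Multipliers are assumptions chosen for this example; tune them per environment.
DIFFICULTY_FACTOR = {"low": 1.0, "medium": 0.7, "high": 0.4}
IMPACT_FACTOR = {"low": 0.5, "medium": 0.8, "high": 1.0}


def risk_score(f: Finding) -> float:
    """Combine the scanner's CVSS score with the contextual factors.

    The result is a relative ordering aid, not a replacement for CVSS.
    """
    if f.false_positive:
        return 0.0
    likelihood = 1.0
    if f.internet_exposed:           # reachable from the Internet
        likelihood *= 1.5
    if f.exploit_public:             # published exploit code lowers the bar
        likelihood *= 1.3
    likelihood *= DIFFICULTY_FACTOR[f.exploit_difficulty]
    # Each compensating control trims 20% off likelihood, floored at 40%.
    likelihood *= max(0.4, 1.0 - 0.2 * f.compensating_controls)
    # Lingering findings get a small, capped bump (+1.0 after 90 days).
    age_bonus = min(1.0, f.age_days / 90.0)
    return f.cvss * likelihood * IMPACT_FACTOR[f.business_impact] + age_bonus


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Drop confirmed false positives and order the rest from highest to lowest risk."""
    real = [f for f in findings if not f.false_positive]
    return sorted(real, key=risk_score, reverse=True)


def sample_findings() -> List[Finding]:
    """Constructed sample report: hosts, titles and scores are illustrative only."""
    return [
        Finding("db-02", "Internal DB RCE", 9.8, False, False, False, "high", "medium", 2, 10),
        Finding("web-01", "Public web app auth bypass", 7.5, False, True, True, "low", "high", 0, 120),
        Finding("print-03", "Printer default credentials", 5.3, False, False, True, "low", "low", 0, 400),
        Finding("file-04", "Stale scanner signature", 10.0, True, True, True, "low", "high", 0, 5),
    ]


if __name__ == "__main__":
    for f in prioritize(sample_findings()):
        print(f"{risk_score(f):6.2f}  {f.host:10s} {f.title}")
```

Note how the CVSS 9.8 database flaw ranks below the CVSS 5.3 printer finding once exposure, public exploit code and compensating controls are accounted for.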
Patch management is important for the security of your enterprise and imperative to a successful vulnerability management program. There are times when patches are released just to fix a functionality issue, but often they are released to fix security issues. As soon as a piece of software is released, malicious actors attempt to exploit it through vulnerabilities; when they succeed, there is a subsequent need for patches and a patch management process. Patches protect your network and data from constantly evolving malicious actors, but they can only do their job if you have a system in place to discover and analyze vulnerabilities through a vulnerability scan and to manage and apply patches through a patch management process.
Underscoring the importance of vulnerability scanning and patch management is the fact that malicious actors looking to infiltrate and compromise networks use vulnerability scanners themselves to identify weaknesses and find the easiest path to their desired goal. While a vulnerability scan and patch management are not a perfect security solution, they are tools that can help proactively identify issues and resolve them before attackers have a chance to exploit them. Most importantly, a vulnerability scan is essential to an effective vulnerability management program and an enterprise’s overall security posture. However, the results of a vulnerability scan are only as valuable as the willingness to accept the results, act on them and remediate. Simply identifying vulnerabilities might be enlightening, but in and of itself it does very little to reduce your risk or improve your security.
Enslaved As Miner Against Your Will? Recent Malware Attacks May Have Your Systems Mining Crypto Without Your Knowledge
In the past few months, HLC has been noting a decided uptick in one type of malware: crypto currency mining. While our solutions have prevented these infections, the malware is often embedded into .png picture files, making it appear all the more innocuous to the user who is inadvertently infected.
Since the introduction of Bitcoin in 2009, the popularity and adoption of cryptocurrencies as an asset class has grown at a rapid pace. Once reserved for black market activity, hobbyists, mathematicians, and computer geeks, cryptocurrency is now a global topic of interest with a market capitalization of ~$400 billion, continuing to rise with Initial Coin Offerings (ICOs) that further fund the development of cryptocurrency-related projects. Unfortunately, the anonymity provided by digital currencies has quickly been abused for illegal extortion, as was the case during the various ransomware outbreaks we’ve witnessed in the last few years. As the value of cryptocurrencies has increased significantly, a new kind of threat has become mainstream and replaced ransomware extortion: cryptocurrency mining malware. Malware creators target outside computing power because the price of a dedicated cryptocurrency mining machine easily exceeds thousands of dollars. The emergence of cryptocurrencies that can be mined by average computers has attracted malware creators and has contributed to the widespread abuse we are witnessing globally.
What Is Crypto Mining and How Do You Get Infected?
Cryptocurrency mining is a record-keeping service that is done using computer processing power. Transactions are recorded in blockchains, which function as a public ledger. The consistency and completeness of the blockchain is maintained in an unalterable state by miners, who repeatedly verify newly broadcast transactions and collect them into groups called blocks. Cryptocurrency mining malware comes in many forms, for many different operating systems and application platforms, but the common theme among all of them is threat actors leveraging the computing power of as many compromised devices as possible to maximize cryptocurrency mining profitability. It is critically important for the malware creator that the cryptocurrency mining malware infects as many systems as possible, to control a larger pool of CPU resources for mining. Let’s investigate the most common malware delivery methods for cryptocurrency mining.
The WannaCry ransomware, a highly publicized malware, uses the leaked EternalBlue exploit and DoublePulsar backdoor, and different malware groups modified it to leverage the same vulnerabilities to infect hundreds of thousands of Windows servers with a cryptocurrency miner, ultimately generating millions of dollars in revenue. Other vulnerabilities, such as a flaw in Oracle’s WebLogic Server (CVE-2017-10271), were also used to deliver miners onto servers at universities and research institutions. Servers are a favorite among malware creators because they offer the highest hash rate for the mathematical operations required by cryptomining. Existing malware families like Trickbot, which is distributed via malicious spam attachments, have added a cryptocurrency miner module to their payload. Another commonly used malware delivery method is fake software patches for highly publicized vulnerabilities such as Spectre and Meltdown. SmokeLoader is a favorite among malware groups here, and cryptocurrency miners have become the most commonly installed malware payloads.
Indicators of Compromise: Identifying Infection
There are three common IoCs (Indicators of Compromise) on every infected victim’s device.
First, for cryptocurrency mining to occur, the malware runs background processes on the infected host that significantly over-use its resources, and its performance subsequently slows down significantly. Common symptoms are an overheating system due to constant CPU and GPU over-usage, drastic system performance degradation, and hardware malfunction. Open a resource monitor on your computer to check whether CPU usage is abnormally high; on a Mac that’s Activity Monitor, and on Windows it’s Task Manager. Additionally, the worst part is that there is often no residual file (so-called fileless malware), meaning it is very difficult to detect and impossible for standard signature-based anti-malware software to catch. What is fileless malware? Just as the name suggests, fileless malware is a variant of malicious code which affects your system without leaving an installed file on the victim’s device. Fileless malware is written directly into the device’s working memory, RAM. You may think a simple reboot will remove the malware; however, the malware code is also injected into commonly running processes such as service.exe and chrome.exe to sustain itself after each reboot.
Second, in order to achieve maximum profitability mining cryptocurrency, the malware must connect to a C&C (command and control) server to download the cryptocurrency mining software and execute it without leaving a file. Most importantly, the malware must add the compromised host to a mining pool network. This abnormal network traffic is a common identification method to confirm you’re a victim of cryptocurrency mining malware. All mining software must be able to connect to either the cryptocurrency network or a mining pool to exchange data, in other words its proof of work. Without this connection, it cannot get the data it needs to generate hashes, rendering it useless. Malware creators will add network rules to block the ports associated with the exploited vulnerability, closing the proverbial door behind them against other potential attacks. This is done to keep the infected system to themselves and close it off to any other malware targeting the same vulnerability. Not only are malware creators mischievous, but apparently greedy too.
Third, websites have become the biggest culprits of cryptocurrency mining campaigns, specifically CoinHive and its derivatives. CoinHive is a cryptocurrency mining service that relies on a small chunk of computer code designed to be installed on websites. The code utilizes the computing power of any browser that visits the site in question, enlisting the machine in a bid to mine cryptocurrency. CoinHive is pitched as a way for website owners to earn an income without running intrusive or annoying advertisements. However, CoinHive’s code has emerged as the top malware threat because the code is installed on victimized websites. If you surf to a particular website with no additional browser tabs and no other applications running, and notice a huge spike in CPU usage while on that website, then it is likely running a cryptocurrency mining campaign such as CoinHive unbeknownst to its visitors. Commonly, cryptocurrency mining malware will automate and force visits to these particular websites in foreground and background browser tabs to generate cryptocurrency revenue.
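The three indicators above (sustained CPU over-usage, pool or stratum-style network traffic, and in-browser miner scripts) can be checked together from host telemetry. The script below is an added example, not HLC’s tooling: the log line format, the pool port list, the hostname patterns and the sample telemetry are constructed assumptions, and the stratum method names and CoinHive script patterns are the commonly observed ones.

```python
"""Triage host telemetry for the cryptomining indicators described above.

Added example; the log format, port list, hostname patterns and sample
telemetry are constructed assumptions for illustration.
"""
import json
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Ports frequently used by public mining pools (assumption; tune per environment).
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}
POOL_HOST_RE = re.compile(r"(pool|xmr|monero|stratum)", re.IGNORECASE)
# JSON-RPC method names seen in the first packets of a stratum / XMRig session.
STRATUM_METHODS = {"mining.subscribe", "mining.authorize", "mining.submit", "login", "submit"}
# CoinHive's library URL and miner constructor as they appeared in page source.
BROWSER_MINER_RE = re.compile(r"coinhive\.min\.js|CoinHive\.Anonymous", re.IGNORECASE)
CPU_THRESHOLD = 80.0  # percent, averaged over all samples for a process


def parse_cpu_samples(lines: List[str]) -> Dict[str, float]:
    """Average CPU% per process from lines like 'cpu pid=412 name=svchost.exe pct=97.3'."""
    totals, counts = defaultdict(float), defaultdict(int)
    for line in lines:
        m = re.match(r"cpu pid=(\d+) name=(\S+) pct=([\d.]+)$", line)
        if m:
            key = f"{m.group(2)}[{m.group(1)}]"
            totals[key] += float(m.group(3))
            counts[key] += 1
    return {k: totals[k] / counts[k] for k in totals}


def looks_like_pool_traffic(dst_host: str, dst_port: int, payload: str) -> bool:
    """A pool-style port or hostname, or a stratum JSON-RPC message, indicates pool traffic."""
    if dst_port in POOL_PORTS or POOL_HOST_RE.search(dst_host):
        return True
    try:
        msg = json.loads(payload)
    except ValueError:  # empty or non-JSON payload (e.g. TLS to a normal service)
        return False
    return isinstance(msg, dict) and msg.get("method") in STRATUM_METHODS


def parse_connections(lines: List[str]) -> Dict[str, List[Tuple[str, int]]]:
    """Pool-like connections per process from lines like
    'net pid=412 name=svchost.exe dst=198.51.100.23:3333 payload={...}'."""
    hits = defaultdict(list)
    for line in lines:
        m = re.match(r"net pid=(\d+) name=(\S+) dst=(\S+):(\d+) payload=(.*)$", line)
        if m and looks_like_pool_traffic(m.group(3), int(m.group(4)), m.group(5)):
            hits[f"{m.group(2)}[{m.group(1)}]"].append((m.group(3), int(m.group(4))))
    return dict(hits)


def triage(lines: List[str]) -> Dict[str, str]:
    """Combine the CPU and network indicators into a verdict per process."""
    cpu, net = parse_cpu_samples(lines), parse_connections(lines)
    verdicts = {}
    for proc in set(cpu) | set(net):
        hot = cpu.get(proc, 0.0) >= CPU_THRESHOLD
        if hot and proc in net:
            verdicts[proc] = "likely miner: sustained high CPU and mining-pool traffic"
        elif proc in net:
            verdicts[proc] = "suspicious: mining-pool traffic"
        elif hot:
            verdicts[proc] = "investigate: sustained high CPU (check if a miner was injected)"
    return verdicts


def page_has_browser_miner(html: str) -> bool:
    """Flag page source that loads the CoinHive library or instantiates its miner."""
    return BROWSER_MINER_RE.search(html) is not None


# Constructed sample telemetry: an injected svchost.exe logging in to a pool over
# stratum, a busy but legitimate backup job, and an idle browser.
SAMPLE_LOG = [
    "cpu pid=412 name=svchost.exe pct=97.3",
    "cpu pid=412 name=svchost.exe pct=95.8",
    "cpu pid=900 name=backup.exe pct=88.0",
    "cpu pid=900 name=backup.exe pct=91.2",
    "cpu pid=77 name=chrome.exe pct=3.1",
    'net pid=412 name=svchost.exe dst=198.51.100.23:3333 payload={"id":1,"method":"login","params":{"login":"wallet","pass":"x"}}',
    "net pid=900 name=backup.exe dst=backup.example.internal:443 payload=",
    "net pid=77 name=chrome.exe dst=example.com:443 payload=",
]

if __name__ == "__main__":
    for proc, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{proc:20s} {verdict}")
```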
By now, you’ve learned that cryptocurrency mining malware is something you want to avoid. How do you avoid infection? And what should you do upon learning you’re infected?
You didn’t think you would make it through this article without yet another reference to common sense, right? As previously described, the numerous methods for delivering cryptocurrency mining malware center around careless mistakes such as installing trojanized mobile apps via your app store of choice, Apple App Store or Google Play, opening a malicious attachment, or surfing to a website with malicious code installed. Since no one reading this is going to be happy with the gratuitous common sense takeaway, here are some other simple steps to take if you’d like additional protection to ward off pesky cryptocurrency mining malware:
First, avoid mobile apps with few or no app reviews. Apple has an extensive mobile app review process, but trojanized apps still find a way through it, as we saw with the XcodeGhost malware that was installed in over 4000 mobile apps. Review the mobile app developer’s logo and profile to confirm that the legitimate-looking mobile app you’re about to download is not merely a copy of a legitimate app with malware added by a malicious actor. This practice is more prevalent on Google Play because of the open source policy and developer freedom that Android practices, which results in less oversight of mobile app distribution.
Second, install a trusted browser extension to detect CoinHive website code. Common Chrome browser extensions that block CoinHive code are Miner Detector, Coin-Hive Blocker and No Coin. These browser blockers review a website’s code and alert the end user that CoinHive or other common cryptocurrency mining code has been detected and blocked. Similarly to malicious mobile apps, ensure that the browser extension you are installing is indeed not a knock-off of a trusted browser extension, because malware creators are always looking for any method to get you to make that careless mistake.
Third, while your standard anti-virus software is rendered useless against fileless cryptocurrency mining malware, it can protect you against the network traffic necessary to participate in a cryptocurrency mining pool. Large anti-virus software companies have the scalable resources to identify and research cryptocurrency mining campaigns and thus are constantly updating their host firewall rules to ensure that network traffic to the aforementioned command and control and cryptocurrency mining servers is blocked. This feature eliminates the need for users to tediously monitor cryptocurrency mining pools and update their hosts file to redirect network traffic destined for those C&C servers.
As we’ve discussed, cryptocurrency mining malware has gone mainstream and will only continue to increase in deployment and proliferation, thanks in large part to cryptocurrencies’ values and the inability to confidently detect it. As we face this increasing threat, we must remain vigilant in taking proactive steps to avoid and remediate cryptocurrency mining malware. Those steps require the previously discussed common sense measures combined with relying on a trusted provider like HLC to help you navigate pre- and post-infection troubles. That powerful combination is necessary in the continued escalating battle against cryptocurrency mining malware and other emerging malware types.
So many different IT systems and devices, so little time for compliance. Small and medium-sized enterprises (SMEs) represent up to 99% of national economies and a huge market for IT products. The wide variety of systems in use in the SME sector makes it a breeding ground for vulnerabilities and cyberattacks. Yet so far, suitable solutions to help SMEs be compliant in information security have been lacking.
SMEs are generally budget constrained and have little time to stay on top of IT configurations and security settings. Regulators remain unsympathetic – information security is a cost of doing business. Companies that do not audit or assess their security or cannot otherwise prove appropriate information security controls are subject to fines and sanction, putting their hard earned reputations at risk. Automating monitoring and reporting of system and device compliance can make a significant difference. It can reduce effort and increase reliability, helping SMEs meet their compliance obligations more easily and cost effectively, while reinforcing the confidence of their partners and clients.
Compliance and Security Challenges Facing SMEs
On its own, one small or medium-sized business may not have a large IT installation. IT infrastructures and security profiles, however, will vary considerably from business to business. What makes one company compliant cannot be copied over to another company. Even 1% of noncompliance can then be enough to make a company vulnerable to cyberattacks or incidents, which is why auditors are so fastidious when they check.
IT vendors do not always help matters either. Their IT products are usually destined for a wide range of uses, meaning that restrictive security settings may not be part of default configurations. Some vulnerabilities even exist right ‘out of the box’. Between new and legacy systems, there are hundreds of types of machines. According to end-user needs, there are then thousands or more possible configurations. This complexity increases yet again with combinations of cloud systems and on-premise data centers, as well as other devices used by external users and advisory networks that all need to be connected.
To compound the problem, the specialist knowledge to ensure compliance is lacking in many SMEs. Even when an SME has employees who know about compliance with industry standards and who know about information technology, there is no guarantee that all this knowledge exists in one person. Different individuals often have separate areas of expertise, leaving a gap between regulatory requirements and IT actions.
Options for Assessing and Improving Compliance
Unlike annual fire safety inspections, information security compliance is a continual activity. IT vendors constantly update the versions of their operating systems and other software, making compliance a moving target. Cybercriminals are a round-the-clock threat. Thanks to the internet, hackers from halfway across the world can threaten a company’s data center, day and night.
There are several ways that SMEs might approach their information security compliance, each with its limitations. There is unfortunately no “silver bullet”. A better solution is a program that combines different approaches, using the advantages of each one and avoiding or compensating for the limitations. Here are some primary elements:
Smart Automation, Key to Efficiency and Affordability
Vulnerability scans and checklist assessments, coupled with periodic controls assessments, stand out as the approaches with the potential for covering the most compliance at the least cost. This is largely due to the possibilities of automating them and the extensive databases of information available for use with them. What cannot be automated will need to be accomplished manually. Examples include penetration testing and security hardening of proprietary developments that do not feature in standard checklists. These automated and manual procedures should also be integrated into a larger information security program for prevention and remediation of IT security threats and incidents, with end user security awareness training, endpoint protection, firewalls, SIEM, intrusion detection systems, and other measures as appropriate.
As well as offering wide coverage for compliance and the software audit trails to prove it, there is another advantage to automated solutions. They force hackers and cybercriminals to ‘up their game’ or to seek another easier target. In many cases, attackers choose the second option, preferring not to waste time attacking an organization that has already extensively checked and corrected vulnerability and compliance issues. Automated checking can also be extended across onsite and in-cloud systems, as well as mobile computing devices such as smartphones, tablets, and laptops. In addition, automated solutions may offer benchmarking to show how an organization’s security posture compares with the rest of the industry. Good posture makes for good public relations. This can help improve the organization’s corporate image as being secure and responsible in matters of information and data protection and privacy.
For SMEs or other organizations with limited technical expertise in-house, an automated solution for information security compliance must also offer suitable user-friendliness. Administrators or users should be able to see the security and compliance status of their company at a glance, for example, via an intuitive dashboard. They should also be able to easily achieve optimal security settings across systems and devices, independently of their location. Continually monitoring configurations, the solution must also immediately alert users or management to changes in configuration, especially those that result in non-compliance. Additional functionality such as checking that necessary security scans are being done regularly and verification of disk data encryption can also contribute to a well-rounded view for an SME of its security and compliance posture.
Responsibilities and Results
While smart software can go a long way to help ensure compliance and security, the organization and its users always retain the final responsibility. An automated solution can find issues, flag them, and even suggest ways to remediate them. Users then make or authorize suitable changes. A software solution does not in itself guarantee compliance, although it can provide valuable records of compliance settings and changes.
Nonetheless, all enterprises and organizations, and SMEs especially, can take advantage of such a solution for faster, better, more affordable compliance and security checking. By leveraging vendor and government checklist data and monitoring IT security essentials effortlessly via a suitable software application, they can meet requirements of auditors and regulators and significantly reduce the risks of IT system and network attacks.
Not In Compliance With NYDFS’s Cybersecurity Regulations? Helpful Guidance From HLC On What To Do Now.
You have been busy. Your company has clients to service and business to win. Maybe you were vaguely aware of the New York State Department of Financial Services’ (“NYSDFS”) cybersecurity regulation that went into effect last March, but now the deadline has passed for filing the cybersecurity annual certification and you did not submit. Not only that, but maybe you didn’t do anything to comply. Of course, there is also the reminder you recently received from New York State underscoring your non-compliance…
The first step is obvious: deflect blame. Target prospects include anyone from your organization, your vendors, politicians, lawyers (obligatory), and New York State itself.
If you have already received the notice, then it is likely that you need to comply. There has been some confusion about the need for individuals to comply versus firms, since the requirements apply to both. Covered companies may comply on behalf of affiliates, subsidiaries, employees, and contracted individuals (e.g., registered representatives) but may not comply on behalf of third party providers that are entities. This means that third party providers who are regulated by NYSDFS may still be subject to the regulations even if they have employees who are in compliance through the information security program of another Covered Entity.
Another important point to remember is that it does not matter if you are located out of state. If your firm must register with the NYSDFS to conduct covered businesses within New York, then you must comply with the regulations.
Is My Business Partially Exempt?
After you have determined that you are subject to the regulation, the next question you need to ask is whether you are eligible to file for a partial exemption (which you may also be delinquent on…sorry). If you are, then you only must comply with the major requirements indicated by the red boxes below. If you are not, then red and blue are your colors.
Partial exemptions are available if your firm: (i) has fewer than ten employees and contractors; (ii) has less than $5mm in gross annual revenues; (iii) has less than $10mm in year-end total assets; OR (iv) effectively has nothing to do with Nonpublic Information, as defined in the regulations.
If you know you are covered by the law, qualify for an exemption and have not filed, then you should do so now. Log in here:
https://myportal.dfs.ny.gov/web/cybersecurity and file now…I’ll wait.
Whether or not you are exempt, the next step is to start to comply, and the first step there is to get an information security risk assessment done. This is not a DIY project unless you have in-house information security professionals. You should hire an experienced cyber security assessment firm to assist. In addition, if you are not partially exempt, you will need to ensure that a vulnerability scan and penetration test are done on your systems. Even if you are partially exempt, you should perform vulnerability scanning and penetration testing anyway, as it is an industry best practice for any information security program.
The risk assessment is generally the first step towards assessing where your gaps are and a security program, if not in place already, is best to flow from the results of a risk assessment. The assessor should also provide your firm with a prioritization map to facilitate your response. In addition, a qualified third party information security risk assessor should be able to provide your firm with direction as to how it can address the gaps identified, including those specifically required by New York’s regulations.
While a risk assessment is in process, you should also assess (or compile) your policies and procedures since this process will require your active engagement from the beginning. Do not simply adopt off the shelf information security policies and procedures without fully understanding how they will apply within your organization. The regulations require that your policies be based on the findings from the risk assessment, so if your firm just adopts form policies without any review or customization, it is effectively documenting non-compliance with the regulation. Again, you should consult experienced third parties with regards to crafting such policies.
The areas that your policies will need to cover include:
Once you have established your course of action as set forth above, you should reach out to NYSDFS and advise that your compliance certification will be delayed but you are taking the above actions (excepting blame deflection) to correct.
Having managed to correct this one lapse, make sure to keep an eye on the forthcoming regulatory timelines. Implementation of controls respecting audit trails, data retention, data encryption, application security and user monitoring is required by September 3rd of this year. By March of next year, covered firms will need to certify that they have implemented a Vendor Risk Management program.
In February, 2015, HLC’s “The Convergence of AML and Cybersecurity” post noted “customer activity that may be a possible basis for a Suspicious Activity Report (SARs) should also be viewed as a potential information security breach…similarly, a detected cybersecurity breach may be the first indicator of a financial crime.”
Last week, the SEC’s Office of Compliance Inspections and Examinations (“OCIE”) released its third cybersecurity National Examination Program Risk Alert (the “September Alert”) inside of eighteen months, heralding a second round of cybersecurity sweeps and greater general examination focus on the issue.