Tag Archives: byron acohido

The Threat From ‘Security Fatigue’

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things also are true: too many people fail to take simple steps to stay safer online; and individuals who become a victim of identity theft, in whatever form, tend to be baffled about what to do about it.

A new survey by the nonprofit Identity Theft Resource Center reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

  • Nearly half (48%) of data breach victims were confused about what to do.
  • Only 56% took advantage of identity theft protection services offered after a breach.
  • Some 61% declined identity theft services because of lack of understanding or confusion.
  • Some 32% didn’t know where to turn for help in event of a financial loss because of identify theft.

Keep your guard up

These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated — to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.

See also: Quest for Reliable Cyber Security  

The ITRC study is the second major report showing this to be true. Last fall, a majority of computer users polled by the National Institute of Standards and Technology said they experienced “security fatigue” that often correlates to risky computing behavior they engage in at work and in their personal lives.

The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Cognitive psychologist, Brian Stanton, who co-wrote the NIST study, observed that “security fatigue … has implications in the workplace and in peoples’ everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen — and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.

Attacks are multiplying

With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64% of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card not present (CNP) fraud leaped by 40% in 2016, while point of sale (POS) fraud remained unchanged.

It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.

Over the past four years, there have been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management and the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue in circulation in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.

Be safe, not sorry

Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:

  • Freeze your credit rating at the big three rating agencies so scammers can’t use your identity to take out loans or credit cards
  • Add a website grader to your browser to avoid malware
  • Enroll in ID theft coverage with your bank, insurer or employer —it could be free or surprisingly inexpensive
  • Get and use a password vault so you can create and use hard-to-guess passwords
  • Be knowledgeable about common cyber scams
  • Add a verbal password to your bank account login and set up text alerts to unusual activity
  • Come up with a consistent way to decide whether it’s safe to click on something.

There is a bigger implication of losing sensitive information as an individual: it almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more active about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.

See also: Cybersecurity: Firms Are Just Sloppy  

NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”

Melanie Grano contributed to this story.

Security Training Gets Much-Needed Reboot

Using innovative strategies, some companies may be erasing employee security training’s reputation for ineffectiveness.

Security training “got a bad rap, because it was so bad,” says Steve Conrad, the founder and managing director of MediaPro, a Bothell, Wash.-based security awareness training company with such clients as Microsoft, Yahoo and Adobe.

Old training methods “usually consisted of slide presentations — or their online equivalent — that were super dull and could last an hour or two,” he says. “Employees were expected to sit through this, either at their desks or in a group and come away with knowledge gained. And that was it. Awareness training was once and done, and it just didn’t work.”

See also: How Good Is Your Cybersecurity?  

Stu Sjouwerman, founder and CEO of KnowBe4, a security awareness training company founded in 2010 and based in Clearwater, Fla., says “old-school security training” often stems from “classical break-room sessions where employees are kept awake with coffee and doughnuts and exposed to death by PowerPoint.”

Those days are over, according to officials of the two companies.

MediaPro — which was founded in 1992 and has focused on security awareness training programs as a product since 2003 — says it’s an e-learning company that bases its training on proven adult learning principles, providing educational content in a way that learners remember.

“This concept extends beyond the training courses themselves,” Conrad says, “to our focus on consistent reinforcement of key learning principles through extracurricular content such as games, videos and posters, as well as phishing simulation exercises.”

Phishing exercises help change behavior

KnowBe4, Sjouwerman says, sends frequent simulated phishing attacks to train employees “to stay on their toes.”

Both companies believe that employees’ most common security mistake is falling for an email phishing scam.

“Bad guys have come up with all sorts of creative ways to convince employees to click on a link or send sensitive information via a spoofed (sender) address,” he says.

Clicking on a link in a suspicious email and opening an infected attachment can be avoided, Sjouwerman says, “by recognizing red flags.” Red flags include receiving an email from a suspicious domain or address you don’t ordinarily communicate with, or one sent at an unusual time, such as 3 a.m.

No company is immune to such scams, Conrad says, “but simulated phishing campaigns aimed at an organization’s employees teamed with comprehensive cybersecurity education can go a long way toward changing risky employee behavior.”

Technical safeguards against phishing scams exist, “but no organization should rely on those alone,” he says. “Social engineering — the basis of phishing scams — is such an effective way into the sensitive data of an organization because it completely bypasses these technical safeguards and goes after what is most companies’ weakest link: the human.”

Workers’ weak spot

Why do employees engage in risky behaviors when cybersecurity threats are so abundant?

“It’s likely a combination of being busy and being exposed to so many technological sources of distraction on a daily basis,” Conrad says.

Sjouwerman mentions another reason: “No one ever took the time to enlighten them about the clear and present danger that risky behavior can really cause, especially in an office environment.”

A 2016 study by PhishMe, a Virginia-based phishing threat management company, found that 91% of cyber attacks — and the resulting data breaches — begin with a spear-phishing email.

Another study done last year by LastPass, a Virginia-based password management service, found that 91% of respondents know it’s risky to reuse passwords for multiple online sites, but 61% do it anyway. The study also found that the No. 1 reason respondents changed their password was because they forgot it, and only 29% changed it for security reasons.

Employees’ risky behaviors have triggered an increasing number of companies to provide better security training.

“I think this is a really exciting time in the market. Huge numbers of companies are committing to doing real education, and we’re seeing exciting innovations in the variety of content that is available,” Conrad says. “I like to think that the age of boring people about security is over and we’re entering an era where people are going to be motivated and engaged by education around these issues.”

See also: Cyber, Tech Security Start to Merge  

Repetition is key

Employee training, Conrad says, needs to be more frequent than an annual affair.

He says, “Learners need to hear something more than once for it to stick — just ask any ad executive or marketing jingle writer,” he says. “Think about what makes up an advertising campaign: a series of messages that share a single idea or theme, transmitted via different media channels on a regular basis, for an extended period of time — with the singular goal of influencing consumer behavior.

“A great security awareness initiative should look like a great advertising campaign. Repeated, consistent messages delivered throughout the month, quarter or year — whatever cadence is appropriate for a given organization.”

This post originally appeared on ThirdCertainty. It was written by Gary Stoller.

Cyber Crimes Outpace Innovation

IT systems have never been more powerful or accessible to businesses. However, the scope and scale of cyber crimes continues to outpace tech innovation.

For years, the challenge for internal IT and security teams has been to use existing company data to construct an integrated picture of oddities and unexpected actions on their network. Recent advancements in machine learning and behavior or anomaly-based analytics that leverage existing enterprise logs have provided security teams with much more accurate intelligence than ever before.

See also: 3 Technology Trends Worth Watching  

In the past, security expertise was embodied in signatures, representing particular and specific types of malware. In time, the experts couldn’t keep up, signatures were out of date or not installed quickly enough, and hackers began to take full advantage. An attack from an employee account is signature-less, making conventional security approaches that rely on blacklists ineffective.

Security experts quickly realized that pattern patching alone wouldn’t work, so they added rules, such as the correlation rules found in security information and event management (SIEM). For example, if an HR employee has been terminated and begins accessing sales data for the first time, something is likely wrong, and an alert will immediately be sounded.

Technology outpaces analysis

As the number of endpoints (i.e. mobile devices) skyrocketed, so did the volume of data to be analyzed by firms, making it more difficult for security experts to rely on cut-and-dried rules. Existing—not to mention expensive—intelligence tools, typically some form of SIEM, were supposed to predict and detect these types of threats, but were unable to keep up. This left companies at an all-time vulnerable state for both insider threats and hackers.

Experts predict a 4,300 percent increase in annual data production by 2020 and IDC anticipates that the “digital universe” of data will reach 180 zettabytes in 2025 (that’s 180 followed by 21 zeroes). Thankfully, open source big data systems have provided a way to collect, process and manage monstrous amounts of data.

Open source big data technologies such as HDFS and Elasticsearch enable solutions that handle petabytes of security data with ease. This not only allows firms to store a wide range of data sources, but also reduces overhead cost of data storage altogether, which can reach millions of dollars annually for large organizations, due to the cost of vendor data management hardware and vendor per-byte pricing models. Consequently open source big data frees up the budget to invest in stronger analytics.

Algorithms crunch data

Another major advancement that has fortified cybersecurity tools is machine learning. The method of analysis flips the expert approach on its head; instead of requiring expert rule-writers to guess at attacks that might come, machine learning algorithms analyze trends, create behavior baselines—on a per user basis—and can detect new types of attacks very quickly using baselines and statistical models. These systems are more flexible and effective than any pure expert-driven predecessors.

See also: Innovation: ‘Where Do We Start?’  

Technology options available to enterprises are at an all-time high, and so are the number of cyber crimes that are committed. Fortunately, as technology has advanced, so has the ability to seek out cyber criminals that may have been virtually invisible in the past. User and entity behavior analytics and machine learning technology continue to provide chief information security officers with the accurate insights they need to thwart attacks before severe damage is done.

This article originally appeared on ThirdCertainty. It was written by Nir Polak.

HBO Breach Raises New Cyber Concerns

Following on the heels of the two globe-spanning ransomware worms, the HBO hack—with its distinctive blackmail component—rounds out a summer of extortion-fueled hacks and destruction and theft of valuable data at an unprecedented scale.

WannaCry and Petya raced around the planet demanding ransoms after locking up servers at hundreds of organizations. The HBO hackers pilfered 1.5 terabytes of intellectual property and business documents from the television giant. Next, they heaved samples into the internet wild and demanded $7.5 million to halt disclosures of even more highly perishable intellectual assets.

See also: New Approach to Cyber Insurance  

These high-profile cyber attacks have sent shockwaves through the insurance industry. Inga Goddijn, executive vice president at Risk Based Security Inc., a Richmond, Virginia-based supplier of risk management services, agreed to supply some context and discuss the implications. Here are excerpts from our conversation, edited for clarity and length.

ThirdCertainty: How common is it for big media companies to hold cyber liability policies?

3C: Is it likely HBO held a cyber liability policy?

Goddijn: Cyber insurance is largely accepted by large organizations as an important and necessary part of their overall coverage portfolio. That’s not limited to just the big entertainment companies, that applies across the board to most large enterprises. Where we see a drop-off in the adoption rate is with small to midsize organizations.

It is likely there is some element of cyber coverage in place for HBO. It’s important to keep in mind it was HBO’s intellectual property that was compromised, not personally identifiable information. It’s not especially common to find cyber coverages that respond to the value of the policyholder’s creative content. So even with cyber insurance in place, it may not apply to this type of data compromise event.

3C: How do you expect the HBO hack to impact the emerging cyber insurance market?

Goddijn: We have already seen an uptick of interest in cyber coverage post-WannaCry and Petya malware events. This is yet another high-profile breach that highlights the fact that data has value. Attackers will go after what has value, which in turn can have a real financial impact on the breached organization. Cyber insurance is still the best option for addressing that monetary fallout.

3C: Could this accelerate wider implementation of third-party best practices; or, perhaps, smarter and wider use of encryption?

Goddijn: It’s hard to say. We’ve seen so many high-profile breaches come and go with little visible impact on security practices. Certainly that’s not true for all—as there is an argument to be made that the Target and Home Depot breaches accelerated the adoption of chip-enabled credit cards. What we can say is that each event like this does highlight just how important data security is to practically every business.

3C: Do you anticipate that the HBO hack will help give focus to cyber insurance?

Goddijn: Each breach that makes headlines the way the HBO event has puts more focus on cyber insurance options. What will be interesting to watch unfold is how the cyber market will address the increasing number of attacks targeting intellectual property.

3C: So what is being discussed in the insurance community with respect to extending coverages to include loss of intellectual property?

Goddijn: Traditionally, the insurance market has shied away from covering events like theft of trade secrets or damage to intellectual property. Perils like trademark or copyright infringement arising out of content created by the insured is widely available, but events such as the HBO breach—and more specifically the compromise of proprietary works—is not an area most carriers are comfortable entering.

Unlike a car or a building, it’s difficult to determine the value of something like a secret formula or an unreleased episode of a popular show. The actual value of the intellectual property itself is subjective and can change over time. Anytime there is that level of uncertainty around pricing a risk, it’s sure to cause hesitation for the underwriters.

See also: How to Shield Your Sensitive Data  

3CHow far off on the horizon is wide availability of intellectual property coverage? A year or two? Beyond that?

Goddijn: The diligent buyer that is interested in third-party coverage for a compromise of the I.P. of others can find this in today’s marketplace. It may take some looking, and specific circumstances may prevent any carrier from offering the coverage to a specific buyer, but it can be found. As for first-party coverage for intellectual property, that is a very rare product. There are only a handful of carriers willing to offer this, and it comes with its own host of coverage caveats. Given the nature of the exposure, it’s not likely we’ll see insurance carriers jumping into this area anytime soon.

This article originally appeared on ThirdCertainty.

How to Mitigate Cyber Threats

Employees often are seen as the weakest link in cybersecurity. Breaches by hackers may hit the headlines, but human error (or intent) is responsible for the majority of attacks.

IBM’s 2016 Cyber Security Index reported that insiders carried out 60% of all attacks. Three-quarters of these attacks were malicious, and a staggering 25% of breaches were accidental.

See also: How to Determine Your Cyber Coverage  

I took the opportunity to sit down with Richard Ford, chief scientist at Forcepoint Security at Black Hat 2017 in Las Vegas. The notion of understanding human behavior and its role in cybersecurity was the topic of our discussion, and you can find the key takeaways below.

Look at the why, not the what.

We’re great at focusing on what is happening within our network and capturing every single event. What we’re bad at doing is talking about the why. This often is much more significant. It’s time companies think about what the hacker is trying to accomplish. Why did that file get moved? Why did that data loss prevention (DLP) event occur? Mitigation depends on the why. You’d mitigate an accidental data breach very differently than an intentional one. When companies move toward the why, they can start to mitigate much more effectively.

Reduce the friction caused by IT security. 

A lot of security measures aren’t successful because they create friction between users. Currently, we see security’s role as protecting the business. In the future, we will see it as a way to enable business to be done safely. For example, to stop restricted files from leaving company servers, most firms would turn off universal serial bus (USB) access. But that creates friction. Instead, the file should be seamlessly and silently encrypted so that it will only decrypt if it is loaded onto another company device. It’s the same level of protection but with far less friction. The more seamless security is, the more people will buy into it.

See also: Cyber Measures Starting to Pay Off  

Make privacy a first-class citizen.

Too often, companies send a bad message by giving the impression that they don’t trust their employees. Security and privacy should be a benefit to the employee, not a negative. One way companies can achieve this is by being open with employees. When employees understand what’s happening, they understand why it’s protecting the company. Another is by anonymizing the data in a way that protects an employee’s personal information but still continues to protect the company. When done right, employees’ privacy should be protected and so should the company’s data. You shouldn’t do one at the expense of the other.