Tag Archives: U.S. Office of Personnel Management

The Threat From ‘Security Fatigue’

There is no mistaking that, by now, most consumers have at least a passing awareness of cyber threats.

Two other things also are true: too many people fail to take simple steps to stay safer online; and individuals who become a victim of identity theft, in whatever form, tend to be baffled about what to do about it.

A new survey by the nonprofit Identity Theft Resource Center reinforces these notions. ITRC surveyed 317 people who used the organization’s services in 2017 and had experienced identity theft. The study was sponsored by CyberScout, which also sponsors ThirdCertainty. A few highlights:

  • Nearly half (48%) of data breach victims were confused about what to do.
  • Only 56% took advantage of identity theft protection services offered after a breach.
  • Some 61% declined identity theft services because of lack of understanding or confusion.
  • Some 32% didn’t know where to turn for help in the event of a financial loss because of identity theft.

Keep your guard up

These psychological shock waves, no doubt, are coming into play yet again for 143 million consumers who lost sensitive information in the Equifax breach. The ITRC findings suggest that many Equifax victims are likely to be frightened, confused and frustrated — to the point of acquiescence. That’s because the digital lives we lead come with risks no one foresaw at the start of this century. And the reality is that consumers need to be constantly vigilant about their digital life. However, cyber attacks have become so ubiquitous that they’ve become white noise for many people.

See also: Quest for Reliable Cyber Security

The ITRC study is the second major report showing this to be true. Last fall, a majority of computer users polled by the National Institute of Standards and Technology said they experienced “security fatigue” that often correlates to risky computing behavior they engage in at work and in their personal lives.

The NIST report defines “security fatigue” as a weariness or reluctance to deal with computer security. As one of the study’s research subjects said about computer security, “I don’t pay any attention to those things anymore. … People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Cognitive psychologist Brian Stanton, who co-wrote the NIST study, observed that “security fatigue … has implications in the workplace and in people’s everyday life. It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.”

Make no mistake, identity theft is a huge and growing problem. Some 41 million Americans have already had their identity stolen — and 50 million reported being aware of someone else who was victimized, according to a Bankrate.com survey.

Attacks are multiplying

With sensitive personal data for the clear majority of Americans circulating in the cyber underground, it should come as no surprise that identity fraud is on a rising curve. Between January 2016 and June 2016, identity theft accounted for 64% of all data breaches, according to Breach Level Index. One reason for the rise was a huge jump in internet fraud. Card not present (CNP) fraud leaped by 40% in 2016, while point of sale (POS) fraud remained unchanged.

It’s not just weak passwords and individual errors that are fueling the rise in online fraud. Organizations we all trust with our personal information are being attacked every single day. The massive breach of financial and personal history data for 143 million people from credit bureau Equifax is just the latest example.

Over the past four years, there has been a steady drumbeat of major data breaches: Target, Home Depot, Kmart, Staples, Sony, Yahoo, Anthem, the U.S. Office of Personnel Management and the Republican National Committee, just to name a few. The hundreds of millions of records stolen never perish; they will continue to circulate in the cyber underground, available for sale and/or to be used in the next innovative fraud campaign.

Be safe, not sorry

Protecting yourself online doesn’t have to be difficult or complicated. Here are seven ways to better protect your privacy and your identity today:

  • Freeze your credit rating at the big three rating agencies so scammers can’t use your identity to take out loans or credit cards.
  • Add a website grader to your browser to avoid malware.
  • Enroll in ID theft coverage with your bank, insurer or employer; it could be free or surprisingly inexpensive.
  • Get and use a password vault so you can create and use hard-to-guess passwords.
  • Be knowledgeable about common cyber scams.
  • Add a verbal password to your bank account login and set up text alerts for unusual activity.
  • Come up with a consistent way to decide whether it’s safe to click on something.

There is a bigger implication of losing sensitive information as an individual: it almost certainly will have a negative ripple effect on your family, friends and colleagues. There is a burden on consumers to be more active about cybersecurity, just as there is a burden on companies to make it easier for individuals to do so.

See also: Cybersecurity: Firms Are Just Sloppy

NIST researcher Stanton describes it this way: “If people can’t use security, they are not going to, and then we and our nation won’t be secure.”

Melanie Grano contributed to this story.

Spear Phishing Attacks Increase

Spear phishers continue to pierce even well-defended networks, causing grave financial wounds.

Spear phishers lure a specific individual to click on a viral email attachment or to navigate to a corrupted Web page. Malicious code typically gets embedded on the victim’s computing device, giving control to the attacker.

A recent survey of 300 IT decision-makers in the U.S. and the U.K.—commissioned by threat-protection solutions provider Cloudmark—found that a spear-phishing attack penetrated the security defenses of more than 84% of respondents’ organizations.


Spear phishing continues to turn up time and again as the trigger for massive network breaches, including widely publicized attacks on JPMorgan Chase, eBay, Target, Anthem, Sony Pictures and the U.S. Office of Personnel Management.

“Criminals have achieved high success rates with spear-phishing attempts, and that success is breeding even more attempted attacks,” says Angela Knox, Cloudmark’s senior director of engineering and threat research.

Respondents to Cloudmark’s survey said that, on average, their organizations lost more than $1.6 million from spear-phishing attacks during the 12 months before the survey.

Spear phishers install malware, seek privileged access accounts and scour breached networks for confidential business plans, information about current negotiations and other valuable data. And the attackers are in a position to manipulate, disrupt or destroy systems.

Attacks on banks, credit unions and professional services firms that help conduct financial transactions often focus on persuading employees to wire money to the phishers’ accounts.

“Even if the money can be recovered, it takes time and effort to recover it,” Knox says. “In one high-profile incident, a company lost $46.7 million due to email spoofing.”

Resist oversharing

One reason spear phishing persists is because people reveal a wealth of personal and behavioral data on the Internet. Attackers tap this information to profile victims and create email and social media messages crafted to appear to come from a trusted source—in a context that puts the targeted victim at ease.

The end game: Get the person to open a viral email attachment or click to a malicious Web page.

“Everyone is now a target, and users can no longer depend on spelling mistakes or random scams,” says Chester Wisniewski, senior security adviser at antimalware vendor Sophos.

Peter Cassidy, secretary general of the Anti-Phishing Working Group, an international coalition fighting cyber crime, says spear phishers in recent years have gone to greater depths in focus and planning.

“These days, it’s not uncommon to see an attack that targets specific personalities for their access within an enterprise and loads a malware payload to execute an exploit that will open a pathway the attackers are waiting for—and will use to gain access to data they prize,” Cassidy says. “Talk about orchestration! Stravinsky and these guys would have a lot to talk about.”

Employees part of solution

A primary defense is to continually train employees to be vigilant, and a cottage industry of training services and technologies has arisen in recent years to assist companies of all sizes. But even trained employees remain susceptible to sophisticated trickery.

Nearly 80% of organizations surveyed by Cloudmark reported using staff training to prevent attacks. Of organizations that test their employees’ responses to spear-phishing attacks, only 3% said that all employees passed. Respondents estimated that 16% of staff members failed their organizations’ most recent spear-phishing tests.

“Humans are flawed,” Wisniewski says. “You can never stop spear phishing entirely,” because “it is not a technical problem that can be solved.”

It’s human nature for employees who spot something wrong, or who believe they may have been tricked, to hesitate to report the incident. Yet quick reporting is a key to remediation. “Accidents happen, but detection and remediation are more successful the less time the criminal has to take advantage of your errors,” Wisniewski says.

This post was written by Gary Stoller.

Expect More Cyber Turbulence in 2016

In February 2015, Anthem, the nation’s second-largest health care insurer, disclosed losing records for 80 million employees, customers and partners. That was followed a few weeks later by Premera Blue Cross admitting it lost records for 11 million people.

Then in July 2015, the U.S. Office of Personnel Management began a series of mea culpas. OPM ultimately conceded that hackers swiped sensitive personnel records for 21.5 million federal employees, contractors and their family members. Anthem, Premera Blue Cross and OPM were among the high-profile breaches in a year when the Identity Theft Resource Center counted more than 750 publicly disclosed data leaks.

ThirdCertainty asked three IDT911 experts — Brian Huntley, Eduard Goodman and Victor Searcy — for their 2016 prognostications. (Full disclosure: IDT911 underwrites ThirdCertainty.)

Wire fraud and politics

Brian Huntley, IDT911 Chief Information Security Officer
Huntley: In the coming year, fraud and theft will plague the merchant payments and ACH wire transfer systems. Small and medium-size businesses are especially vulnerable. If enough SMBs get victimized, it could result in a public outcry about the inherent vulnerabilities in these systems, especially as consumers and small business owners come to realize there are minimal regulatory protections in these types of cases.

This being an election year, U.S. presidential candidates will focus on cyber war strategy and armament. Armchair quarterbacking of the 2015 U.S.-China cybersecurity agreement will arise as the centerpiece of this debate. We could see the U.S.-China cyber accord ascend as the basis for peer agreements between other nation states.

Meanwhile, the search will continue in different industries for an information security control framework that is akin to what the financial services sector has in the Federal Financial Institutions Examination Council’s (FFIEC) Information Security Guidelines and the health care sector has in the Health Insurance Portability and Accountability Act (HIPAA) of 1996.

Data transfers and children’s privacy

Eduard Goodman, IDT911 Chief Privacy Officer
Goodman: U.S. companies with a European presence will encounter a tremendous amount of uncertainty in 2016 with respect to Europe’s stricter Safe Harbor data privacy rules, relating to the sensitive data transfers to businesses in the U.S.

European regulators can be expected to harass the likes of Facebook and Google. And the threat of sanctions for noncompliance with Europe’s tougher Safe Harbor standards could easily filter down to many smaller companies, as well.

In another area, the recent hacking of toy maker VTech and Hello Kitty parent company SanrioTown.com signals that the theft of children’s information could become a worrisome new trend. As children obtain earlier access to social media, smartphones and Web-enabled toys, details of their personal information and preferences are rapidly becoming part of the greater data ecosystem.

As a result, we will see more breaches that involve the theft of information for individuals under the age of 18. Hopefully, we also will see more public dialogue about the concept of preserving children’s privacy, whether it be school record data, health information or data files containing images, video and audio recordings.

Taxpayers targeted—once again

Victor Searcy, IDT911 Director of Fraud Operations
Searcy: One of the most pervasive identity theft scams involves the filing of a faked federal tax return using an ill-gotten Social Security number. Sadly, this will continue to be true again in 2016.

In the 2010 and 2011 tax seasons, the Internal Revenue Service paid out $8.8 billion of taxpayer money to identity thieves. And statistics pulled from a sampling of customers assisted through IDT911’s Resolution Center in 2014 show a 120% increase in tax fraud victims in 2014 and another 134% increase in 2015.

We expect this number to grow again in 2016. It can take months for a victim to sort out the mess with the IRS. Worse, there is little stopping criminals from using a victim’s Social Security number and other personal information in other scams.

IDT911 stats show that 16% of tax fraud victims also were victims of financial identity theft; 12% of customers experienced multiyear tax fraud; and 16% were victims of both federal and state tax fraud.

Cyber Risk: Is It Worth All the Pain?

With an onslaught of bad recent cyber news, is cyber risk worth the trouble, and how should corporate directors be looking at this issue? The recent news includes the high-profile breach of 4 million employee records at the U.S. Office of Personnel Management by alleged Chinese hackers, and the revelation that even the security experts are getting hacked, with Kaspersky Labs reporting a breach supposedly committed by a nation state.

President Obama also made cyber security an emphasis of his G7 talks in Germany, commenting that the U.S. government needs to be more “nimble, aggressive and well-resourced” to combat this threat. He also urged the U.S. Congress to pass the 2015 Cybersecurity Information Sharing Act, a first step in a coordinated and systemic public/private response to cyber risks.

The attacks show no signs of slowing. PwC’s 2015 Global State of Information Security Survey indicates a compound annual growth rate of 66% for cyber incidents since 2009. The 10,000 respondents to the survey reported almost 43 million detected incidents during 2014 alone—or 117,339 incoming attacks every day of the year.

Is cyber security risk worth it? Yes, but with a caveat. Without a doubt, the many innovations currently taking place with today’s information technologies open up many new vulnerabilities. Risks are now difficult to isolate, and a protect-and-defend model is not effective against the systemic risks inherent across any corporate ecosystem.

Attacks can also come from a growing list of sources, including hacktivists, foreign and domestic nation-states, customers, employees, partners, consultants, competitors, organized crime and the bored neighbor kid living in the basement and surviving on a diet of Cheetos, Red Bull and your weak IT security infrastructure. The direct and indirect costs of mounting an effective cyber security defense are only getting more expensive, and the risks are only increasing.

Despite this, these technologies also have an upside, and a significant one: they are now competitive table stakes, as new business tools always are. These tools are changing market dynamics and customer preferences, and the technologies embody distinct economic advantages such as the lowering of transaction and engagement costs. Business models and competitive advantages are changing as a result of these tools.

These tools are shaping and defining business success, but the risks are holding many companies back. That brings us to the caveat: the upside of these technologies outweighs the downside.

Cyber is worth the risk, but boards, directors and managers need to be looking to exploit the business advantages of these tools, while at the same time mounting a “nimble, aggressive and well-resourced” approach to mitigating these incessant risks.

This is easier said than done; 89% of companies listed on the Fortune 500 in 1955 are no longer on the list. Business cannibalizes the companies that can’t capitalize on the opportunities presented by changing market conditions, including new technologies.

Directors need to be diligent in overseeing cyber risk as part of a comprehensive IT governance and enterprise risk governance approach. But they also need to be on top of governing cyber opportunity—that’s the only way that they can make cyber security risk worth it.