About admin

This author has not yet filled in any details.
So far admin has created 42 blog entries.

Navigating the Security Maze in a New Era of Cyberthreats


Multiple, dynamic threats have reshaped the cyber-risk landscape; ignore them at your peril. As we look forward to the new year and the potential for a return to some measure of normalcy, we have the opportunity to consider how we might tackle the new challenges of the rapidly evolving cyber-threat environment going forward. In particular, as cyber defenders in both the public and private sectors assess our posture and consider how our approach should shift going forward, it is strikingly clear that while we have made significant progress in strengthening our defenses and are getting better at raising the cost to our adversaries. However, we have yet to fundamentally shift our paradigm to account for the threats we face and to keep up with our adversaries' capabilities. In 2017, we saw two cyberattacks that have fundamentally shifted our understanding of the threat environment. NotPetya, a cyberattack aimed at Ukraine by Russia, spun out of control, causing $10 billion in damages worldwide. That attack taught us that collateral damage is a real thing in cyberspace and one need not be the direct target of a cyberattack to suffer significant harm.  Likewise, the WannaCry ransomware attack conducted by North Korea, also in 2017, demonstrated the crippling effect such attacks can have on the public and private sector, including healthcare institutions. Less noticed by the public, but perhaps even more critical to the American economy, is the continued theft of core intellectual property by nation-states, principally China, which undermines the global competitiveness of American companies and directly threatens American jobs, particularly as we seek to grow as an innovation-focused economic power.   This effort undercuts not only the work of large enterprises but also small startups that are highly dependent on the creation of new and unique intellectual property and which are increasingly at the heart of American economic growth.  More recently, as the global COVID pandemic has spread, we've seen a marked increase in malware attacks taking advantage of the situation and targeting the response and recovery infrastructure, including international organizations and vaccine manufacturers. We've likewise seen attacks on medical facilities resulting, indirectly, in patient deaths, financial institutions and governments being robbed or defrauded of hundreds of millions of dollars, continued efforts by adversaries to put privately owned critical infrastructure at risk, potentially to shape or modify government behavior.  This all takes place as we continue to see nation-states like China not only siphoning off billions of dollars of intellectual capital from across the globe as noted above but also extracting massive amounts of data to train sophisticated machine learning algorithms. Furthermore, China, Russia, and Iran are engaged in efforts to manipulate popular opinion and undermine the rule of law and confidence in elected leaders and key institutions. Unfortunately, the threat landscape is likely to get worse before it gets better. With the broad rollout of 5G networks globally and increasing capabilities and use of mobile and Internet of Things devices, not to mention the new work-from-home environment spurred by the COVID pandemic, we are operating in a target-rich environment for both nation-state and private cyberattackers. And the lines between the two are increasingly becoming blurred. While we've long known that the Russians operate through criminal proxies, the advent of such double-dipping in China is troubling given the massive scale and sophistication of attacks that collusion between criminal and nation-state actors in China can bring to cyber-threat landscape. Moreover, this rapid growth in infrastructure and threats also means that the workload facing cybersecurity personnel is growing faster than we can possibly develop talent. There simply will not be enough people to solve this problem and, as such, we must crowdsource the knowledge we need and leverage advanced technologies to address this shortfall.  The good news is that the private sector and the government have been improving defenses. The cybersecurity conversation has made it into nearly every boardroom, even if directors and risk committees aren't always prepared — or equipped — to fully grapple with the myriad threats they face. Corporate cybersecurity leaders are increasingly gaining a seat at executive leadership meetings and seeing budgets more aligned to the threat. And the government has finally started to get serious about the threat by taking the fight to cyber adversaries overseas under new authorities with advanced capabilities and working across traditional lines. We should preserve and expand on these efforts by doubling down on the defend forward strategy and persistent engagement mission of US Cyber Command overseas, and by expanding partnerships and joint training, exercises, and planning among our cyber defenders in government and the private sector. Yet more needs to be done. Government and industry continue to operate in traditional silos, focused first on defending individually, rather than protecting collectively. To be sure, industry and government have done more to share information recently than perhaps ever before, but such sharing is simply one aspect of the larger effort. The real key is to be able to collaborate defensively at speed and scale across companies, industries, states, and national boundaries.  As the Cyberspace Solarium Commission noted earlier this year, we need a paradigm shift to collective defense, with shared situational awareness and broad collaboration across the board. As we look to the next year, and think about change we need, when it comes to the cyber realm, it's worth remembering the old adage that united we stand, divided we fall. Gen. (Ret) Keith B. Alexander is the former director of the National Security Agency and founding commander of the US Cyber Command, and currently serves as chairman, president, and co-CEO of IronNet Cybersecurity. Jamil Jaffer served in senior national security roles in the ... View Full Bio Recommended Reading: More Insights

Navigating the Security Maze in a New Era of Cyberthreats2020-12-09T10:35:05-05:00

How Retailers Can Fight Fraud and Abuse This Holiday Season


Online shopping will be more popular than ever with consumers... and with malicious actors too. The pandemic has had a significant impact on retailers across the spectrum from apparel brands to grocery stores to big-box retailers. While each category of retail has faced its own specific challenges, there has been one common theme across industry: increased demand and traffic across online platforms.  As retailers rush to meet these online demands, many have had to fast-track their digital roadmaps and establish new protocols to launch omnichannel services like BOPIS (buy online and pick-up in-store) and curbside pickup.  Many retailers know that when it comes to reliability, just a second in lag time can mean the difference between a sale and an abandoned cart. Research shows that nearly 90% of consumers would leave a website and 30% of shoppers would think twice about being a return customer if a website was too slow. But these sudden increased shifts to online shopping have also brought attention to new surface areas that retailers must secure.  Case in point: Since March 2020, our security service reCAPTCHA, which protects websites from fraud and abuse, has seen a 40% increase in usage. Businesses and services that previously saw most of their users in-person have shifted to online-first or online-only models. This increased demand for online services and transactions can expose businesses to various forms of online fraud and abuse. In fact, 8% of online business revenue today is lost to fraud and account takeovers. And there's no busier online shopping time than the holiday season.  It's never been more crucial for retailers to protect their customers as they use their online services. Despite traditionally being an in-store holiday, Black Friday topped Cyber Monday in 2019 as the busiest day for online purchases with 93.2 million shoppers compared with 83.3 million. This year, many retailers have decided to close their doors on Thanksgiving and are rolling out online promotions and deals throughout November and December, to keep shoppers and employees safe. We're planning for a "peak on peak" online holiday shopping season for 2020.    As shoppers seek to take advantage of the hottest bargains and retailers prepare for a predominantly online holiday shopping season, cybercriminals are looking to do the same with vulnerable IT systems and websites. There are several automated threats businesses must be on the lookout for to protect from brand damage and negative impacts to the bottom line. For example, attackers could use leaked credentials to hijack user accounts and stolen credit cards to make fraudulent purchases. Elevated basket abandonment, a higher proportion of failed payment authorizations, and disproportionate use of the payment step are all possible signs of card cracking. Or denial of inventory attacks, which involves attackers taking ecommerce items out of circulation by adding many of them to a cart/basket, but never actually proceeding to checkout — which creates stock-outs, preventing legitimate buyers from making a purchase. Just like phishing and malware target employees, users are also under attack. Imagine if infected URLs are being shared on websites or social channels to take customers to malicious pages to steal payment info or account credentials. Retailers need access to tools to prevent this kind of activity and, at the same time, need to be able to warn users before they visit sites that are known to be unsafe.  These are just a few tricks bad actors might have at the ready this holiday season. So, how can security teams detect these emerging attack methods and reduce their customers' and business' chance of compromise or revenue loss? One way is to deploy CAPTCHA systems on sites to prevent fraudulent activity, spam and abuse. The CAPTCHA system should leverage machine-learning and advanced risk analysis to help customers tell humans and bots apart. The CAPTCHA system should also have accurate detections to minimize false positives and offer risk scores with reason codes for security teams to take action within the context of a company's website. For example, if the CAPTCHA system shows a low score, next steps can be to require two-factor authentication or email verification in order to allow a user to continue. Moreover, the CAPTCHA system should have enterprise-level service level agreements and terms of service.  We also recommend using an API of constantly updated lists of unsafe Web resources, which retailers can use to keep risky URLs off their sites and protect users. This year has been one of frantic and unexpected change, but there’s no reason to be caught offguard this holiday season. Security must continue to be a top business priority as attackers will always look for ways to disrupt or damage businesses during the pandemic, during the holidays and beyond. Achieving a sustainable security posture is essential to a successful business transformation. Now is the time for retailers to be proactive about securing online environments to make this new normal, a safer normal, so they can deliver holiday cheer.  Sunil Potti is General Manager and Vice President of Cloud Security at Google Cloud. In his role, he focuses on bringing the best of Google Security's practices to the GCP platform and its enterprise customers. Prior to Google Cloud, Sunil served as the Chief Product & ... View Full Bio Recommended Reading: More Insights

How Retailers Can Fight Fraud and Abuse This Holiday Season2020-11-23T10:36:49-05:00

To Pay or Not to Pay: Responding to Ransomware From a Lawyer's Perspective


The threat of data extortion adds new layers of risk when determining how to respond to a ransomware attack. Ransomware has grown an additional gnarly tentacle: data extortion. It was gruesome enough with threat actors encrypting data in place but has morphed and added data extortion to the mix. Cases are emerging with a two-part payload of data encryption and data extraction, where data is encrypted in place while a small portion of unknown data is ferried offline under the threat of publication. (Or, in the case of cybercriminal organizations such as the now defunct Maze group, actual publication of a portion of the data — with threats to publish more on the way.) In previous ransomware scenarios, an organization just had to decide whether to pay a ransom to get the key to unencrypt the data. But now it must consider making what is essentially a "forever promise" with a criminal organization. The threat actors are demanding payment in exchange for alleged proof that they deleted the data. In practice, they are saying "trust us" to delete data that they previously threatened to publish. It's not a great situation to find yourself in. Having lived through this several times with my clients, I have learned some immediate tactical considerations any organization must keep in mind before deciding how to respond to a ransomware attack. 1. Negotiate? If so, should you do it yourself or use a professional negotiation company? Even when you have logging in place, it may be impossible to discern exactly what the threat actor removed from the network. Even if the threat actor claims they took only a small portion of data, they often leave you guessing about what else they may have in their possession. Therefore, you're racing to determine what information may be dumped into the Dark Web. So, do you negotiate? This may be wise — even if you don't plan to pay — so that you can buy time to determine more about what information may have been lost. The decision to hire an outside negotiation company is really an incident-by-incident decision. Often, skipping the extra cost can be the best bet but it can be very circumstance specific. Work with your legal team on strategy before engaging an outside negotiation company. 2. Deleting the data doesn't alleviate your legal risks. Even if the threat actor deletes the data they exfiltrated from your network, this does not alleviate your legal responsibilities or risks. Generally, the law will look at whether the data was both "accessed and acquired" or, in the case of other statutes, accessed with some proof of misuse. Given that a threat actor has taken the data, there is no way to dodge the "acquired" component of the law. You are legally required to notify any individual whose information was taken — even if the threat actor deletes the data. 3. Will you pay? Or pay and face a sanction? The US Department of Treasury Office of Foreign Assets Control issued an advisory opinion on Oct. 1, noting that there are risks of sanctions associated with certain ransomware payments because ransoms often fund criminal activities. So, if you are considering making a ransom payment, analyze the issue thoroughly with counsel to make certain you do not jump from the frying pan into the fire. Cyber data-extortion incidents are wicked. And because they are fraught with liability, it's best to work through these issues with your lawyer to cloak your investigation and actions with attorney-client privilege while navigating the legal risks associated with the extortion. Beth Burgin Waller is a lawyer who knows how to navigate between the server room and the board room. As chair of the cybersecurity & data privacy practice at Woods Rogers, she advises clients on cybersecurity and on data privacy concerns. In this capacity, she ... View Full Bio Recommended Reading: More Insights

To Pay or Not to Pay: Responding to Ransomware From a Lawyer's Perspective2020-11-18T10:40:53-05:00

A Call for Change in Physical Security


We're at an inflection point. The threats we face are dynamic, emerging, and global. Are you ready? Despite dedicating the majority of my life to protective intelligence in the private and public sectors, I still find it hard to believe when I see companies that have thousands of employees and dozens of offices and facilities — but a scant few physical security professionals using legacy tools and processes to try to keep the business harm-free. It's almost an exercise in futility. In the 1980s and '90s, when I was a special agent in the counterterrorism and protective intelligence division in the Diplomatic Security Service at the Department of State, we did the best we could to organize and analyze intelligence by scouring through hundreds of cables, paper documents, and files. Decades later, physical security and safety professionals are gathering time-sensitive and sometimes life-saving insights, but still using paper records and manual processes, unnecessarily limiting their ability to more efficiently detect, link, and mitigate threats. Sure, change isn't easy. When things have been working "just fine" and management thinks it's "good enough," getting an organization to try new processes and tools is a challenge. Adopting new ways to address physical threats may, to some, feel threatening and costly. But for far too long, although it's not intentional, corporate physical security teams have been reactive, and only after something bad occurs are they given the resources and investment they truly need. For holistic physical security programs, change must focus on augmenting and enhancing existing operations with new technology platforms that can efficiently scale the identification, investigation, assessment, monitoring, and management of physical security threats. Protective Intelligence — Then and NowHistorically, eyes, ears, and acute observation kept physical assets safe. We would spend hours looking and watching for pre-operational surveillance to unpack the attack cycle. In gathering protective intelligence, teams would store data in command-post hotel rooms, surveillance cars, and handwritten logs. After an incident, we would record each event's specific details, which became data for future use. Detecting and vetting a threat on the street was challenging and inefficient. Institutional memory was the norm. Information was passed via cables and memos and sometimes via the diplomatic pouch — a slow and tedious process. We got our first glimpses of digital transformation in the 1980s with Polaroid cameras, Sony VHS tape recorders, and Motorola radios and pagers. As more sophisticated technology and mobile applications were developed, the idea of transmitting intelligence via a pager headed for retirement, and a new era of physical security emerged. Physical security technologies and innovations also appeared due to catastrophic embassy attacks, kidnappings, and aircraft bombings. Bridging Digital Transformation and Physical SecurityAccording to Gartner, 82% of CEOs have a digital transformation program underway. And yet, physical security is still often perceived as "guns, guards, and gates." But we know today it is much, much more. The recent detection of a plot to kidnap Michigan Governor Gretchen Whitmer and the arrest of those involved was, of course, due to tremendous efforts by law enforcement. Virginia Governor Ralph Northam was also considered, which doesn't surprise me. In every case I've worked, the bad guys always look at multiple targets. While they are looking, they are usually the most vulnerable to detection. Many threatening signals were found on social media, and FBI undercover informants played an essential role. Health and economic challenges have converged. Global workforces under hybrid office-home corporate structures have also emerged. Retail safety requirements are heightened. The scope and scale of liability for companies not actively and holistically monitoring for growing threats has increased dramatically. We must bridge generations: those who developed, tested, and proved the value of protective intelligence, and those applying technology and data to bring a new level of expediency and effectiveness to protection. As organizations undergo digital transformations, physical security teams that embrace digitization can automate mundane work and use their creativity and insights to enhance their approaches, minimize liabilities, and usher in a new era of advancing safety. Many corporations believe that their current security program is good enough. But I would argue that we are at an inflection point. The threats we face are dynamic, emerging, and global. We are rapidly approaching a new frontier that allows for mobile applications and massive amounts of real-time physical threat data to be structured into single, easily maneuverable platforms that are more than good enough; they are what human lives and livelihoods deserve. Fred is the Executive Director of Ontic's Center for Protective Intelligence. He is one of the world's foremost experts on security and counterterrorism. A former police officer, special agent and New York Times best-selling author, Fred has served on the front lines of ... View Full Bio Recommended Reading: More Insights

A Call for Change in Physical Security2020-11-16T10:39:03-05:00
Go to Top