Jan 02 2023

3 important changes in how data will be used and treated

Category: Data Breach,Data mining,data securityDISC @ 11:51 am
3 important changes in how data will be used and treated

Regula has presented their vision of the developments that will shape the industry’s landscape in 2023. Deepfakes, new cyber-hygiene norms, and demand for mature ID verification platforms are among some of the predictions for the next year.

While more and more industries move their customer experiences to digital, online identity verification is becoming an essential part of our life. It lets people cope with all sorts of mission-critical activities online: opening bank accounts, applying for benefits, getting insurance payouts, and even getting medical advice.

Still, the security of the digital IDV process is the number one concern that is forming the industry’s landscape and driving the majority of significant changes.

Javelin Strategy & Research reports that in 2022, identity fraud and scams cost $52 billion and affected over 42 million people in the US alone. The rising number of identity fraud cases, along with fraudsters’ hunger for personal information collected by service providers, will lead to three important changes in how data will be used and treated:

  • Even industries that are not so heavily regulated will invest more in the ID verification process, adding extra security layers. There will be more checks with increased complexity and additional steps in the verification process: biometric checks, verifying IDs, SMSs, and passwords, checking recent transactions, etc.
  • This will lead to prioritization of comprehensive liveness checks to make sure that submitted documents are valid and really exist. An ID document contains various security features: holograms, elements printed with optical variable inks, and biometric data, to name a few, and an image of it should be taken using methods so that these elements can be captured and verified.
  • Regula experts expect to see a push from users for more data protection rules, and for more transparency from online businesses. In the wake of multiple public disclosures of data leaks, users are gradually losing trust in how their data is treated and becoming more cautious about what they share with third parties and how. Addressing this trend, companies will attempt to bring that trust back via increased investments in customer data protection measures.

When it comes to more complex identity fraud cases related to synthetic media like deepfakes, experts expect to see a rise in amateur scam attempts along with the emergence of next-gen biometric-related fraud.

Both trends are developing in parallel and are powered by the same factor: the growing maturity and availability of machine-learning based technologies that make it possible to fake photos, videos, voices, and other characteristics previously considered unique.

Based on the opinion of Regula experts, all these trends will lead to a market that is developed enough to embrace mature end-to-end IDV solutions that are capable of not only verifying documents, but also biometric characteristics, like face, voice, and fingerprints.

“The good news is that minimal security measures are currently enough to repel 95% of possible attacks. The remaining 5% is where the difficulties lie. Now, most deepfakes are created for free, and they’re of such a quality that there’s no immediate danger. But that’s a matter of how many resources fraudsters will be willing to invest. At the moment, when they’re ready to spend significant amounts of money per deepfake, it’s a problem that requires interactive multi-layered protection. So if we picture the trends above as a scale, where convenience for the customer is on one end and security on the other, the balance is shifting to the latter,” notes Ihar Kliashchou, CTO at Regula.

In relation to this year’s trending topics — digital identity and decentralized identity — the company’s experts have their own take on that:

  • In the ideal world, a universal digital identity would help eliminate most of the issues with fake identities. However, in reality, creating and gaining broad acceptance and implementation of a secure single source of truth is going to take a significant amount of time. Still, we’re already seeing more different local and even company-based digital identities trying to become a single source of truth on a local level.
  • The idea of decentralized identity is going to be held back for some time. With the benefit of being built on blockchains and allowing users to control their digital identifiers, this system still comes with weaknesses. Since no one controls it centrally, no one will be responsible for it in case of any problems. Additionally, there is the matter of trust. Blockchain is strongly associated in people’s minds with crypto, and the FTX crash that has happened in the last couple of months has undermined people’s trust in it.


Infosec books | InfoSec tools | InfoSec services

Tags: data security

Dec 12 2022

14 lessons CISOs learned in 2022

Category: CISO,vCISODISC @ 1:12 pm

The coming new year is a good moment for chief information security officers to reflect upon what they’ve learned this year and how to apply this knowledge going forward.

“If companies are not going to learn these lessons and mature their security practices, we will see increased scrutiny in audits and third-party risk assessments, and this may have a financial, reputational, operational, or even compliance impact on their business,” says Sohail Iqbal, CISO at Veracode.

many lit hanging bulbs

1. Don’t wait for a geopolitical conflict to boost your security

2. The population of threat actors has exploded, and their services have become dirt cheap

3. Untrained employees can cost a company millions of dollars

4. Governments are legislating more aggressively for cybersecurity

5. Organizations should keep better track of open-source software

6. More effort should be put into identifying vulnerabilities

7. Companies need to do more to protect against supply chain attacks

8. Zero trust should be a core philosophy

9. Cyber liability insurance requirements might continue to increase

10. The “shift-left” approach to software testing is dated

11. Using the wrong tool for the wrong asset will not fix the problem

12. Organizations need help understanding their complete application architectures

13. Security should be a continuous effort

14. Have plans in place

Source for more details: 14 lessons CISOs learned in 2022

Tags: CISO

Dec 11 2022

Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

Category: Email Security,PhishingDISC @ 11:55 am
Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

A phishing scam is not only about stealing your login credentials, but it can also install malware, including ransomware, which is why it is essential to learn how to tackle this growing threat.

The number of phishing scams reported in the first quarter of 2022 set a new record of over one million total attacks, according to a report by the Anti-Phishing Working Group.

And the scams have been growing fast in recent years. The number of attempts reported in the first quarter of 2022 is more than triple the average numbers just two years before, in early 2020.

With so many attacks underway—and growing by the day—what’s the best way to recognize these scams and prevent them? We’ll look at how to recognize and protect yourself from the most common types of phishing fraud. Meanwhile, you can also learn how to detect phishing images in an email.

Most prevalent types of phishing scams

Phishing today refers to a type of scam that steals people’s personal information by posing as a trusted third party. For example, a scammer might pretend to be a government worker to get you to share your Social Security number or pretend to be from your bank to get you to share account details.

With so many communication channels today, there are more phishing methods than ever before. And scammers have adapted to each type of channel by leveraging trust signals inherent to each one.

This can make it hard for the untrained eye to spot a phishing scam and even difficult to recognize if you’ve been hacked after falling for an attack. The first sign that tips off most victims is an unexpected charge, damaged credit score, or depleted bank account.

Here are the six most common types of phishing scams and how to protect yourself.

1. Email scams

Anyone can fall for an email scam; this U.S. judge did. By far the most common type of phishing attack is via email. You’re probably familiar with the spam emails we all get on a day-to-day basis, but the most sophisticated phishing attacks look very different.

These emails often look identical to official messages and notifications, including the company’s logo and exactly the same content as a real message. For example, one of today’s most common scams is a message notification from LinkedIn that’s almost impossible to tell apart from the real thing.

How to protect yourself:

  • Never click on links in emails. Instead, visit the official site.
  • Beware of email addresses that aren’t from the business domain, especially if the address is from a free provider like Gmail.
  • Disable automatic image loading, as this can let scammers know you’ve seen the message.

2. Voice phishing (vishing)

Another common method fraudsters use to trick victims is over the phone. These calls usually claim to have a one-of-a-kind offer or urgent, life-threatening warning.

Most scammers use a VoIP phone system that lets them change the phone number, meaning the call appears as though it’s from a local number even if it’s not.

How to protect yourself:

  • Never answer calls from numbers you don’t recognize, even if it has a local area code.
  • Don’t return calls from numbers. you don’t recognize (one type of scam collects expensive per-dial and per-minute fees, hoping you’ll call back).
  • Remember that most U.S. government agencies, including the IRS, Medicare, and the Social Security Administration, almost never call by phone and do not have the power to arrest you.
Phishing Scams: How To Recognize A Scam Email, VOIP call, or Text

3. Phishing websites

One of the most common destinations for phishing scams is a fraudulent site that looks like the official website. The cloned site will often be identical to the real page, using the company’s logos, color scheme, and fonts.

After establishing trust with the design, the site will ask you to share personal information, anything from your email and password to your Social Security number or bank account details. For example, this attack impersonating American Express used an email message and web page almost impossible to tell apart from the real brand.

Phishing email and the phishing page (Screenshots via Armorblox)

How to protect yourself:

  • If you get a message with a link—even if it looks trustworthy—go to the official site instead.
  • Check the URL of a website to make sure it’s correct. (You’ll notice the American Express phishing page above comes from a site other than AmericanExpress.com.)
  • Don’t automatically trust an HTTPS connection. The “green padlock” icon is an important trust signal, but it doesn’t mean a site is safe. Hackers can use them on phishing sites, too.

4. SMS text message scams (smishing)

Text messages don’t have much space for the scammer’s message, but that hasn’t stopped criminals from trying new tactics to trick innocent victims. The goal of most SMS scams is to get you to click on a link or make a call, so immediately be suspicious of any message with a link or number (though of course, some legitimate messages have these as well).

One of the most common ruses right now with text scams is, ironically enough, helping to protect you from scams. You’ll often see a message “confirming” an expensive purchase or withdrawal, directing you to a number or link to cancel or investigate. There is nothing to cancel or investigate, but the scammer will pretend to resolve the situation by collecting your personal data for a future attack.

How to protect yourself:

  • Don’t trust texts from numbers you don’t recognize. Instead, visit the official site.
  • Beware of texts that use vague terms like “your bank” or “package service.” Scammers use these (instead of actual company names) so the message can apply to anyone.
  • Don’t reply to scam messages, even unsubscribe. This only confirms you have an active number and will result in more attacks.

5. Social media phishing

Social media has become one of the more recent additions to the phishing repertoire. Scammers reach out either using a fake lookalike account or a compromised account.

One common ruse is a friend reaching out for help, usually with an authentication code. But it’s not a friend—it’s a scammer who’s taken over their account and is trying to take over yours. Another ruse is a message from someone posing as the official company support account, asking you to provide information to verify you’re the authentic owner or to keep your page active.

Fake Support chatbot (Image: Trustwave)

How to protect yourself:

  • Beware of anyone who reaches out and asks for personal information or verification codes, even if they appear to be coming from a friend.
  • Don’t respond to messages from “official” accounts. If you’ve received an alert from the social networking site, it’ll usually appear in your account settings.
  • Don’t ever share your social media password with a third-party website.

6. Man-in-the-middle attack

This type of phishing scam requires the attacker to be nearby but can be one of the most dangerous because it’s almost impossible to detect. It works when you and the attacker are on the same Wi-Fi network, like at a coffee shop or airport. The attacker intercepts everything you send and receive and can redirect your browser to safe sites to look-alike sites without you knowing.

Once the attacker has set up a man-in-the-middle attack, they can see almost all the information you share, including usernames, passwords, credit card details, and more.

How to protect yourself:

  • Never use public Wi-Fi networks. A better option is to connect to a hotspot from your cell phone, which has a secure and private connection.
  • If you have to use public Wi-Fi, turn on a VPN. This can protect you against most types of man-in-the-middle attacks and safeguard your personal details.

How to prevent phishing

Every type of phishing requires a slightly different method to spot, and scammers are constantly developing new methods that leverage our weaknesses. But there are a few common warning signs you can look for across different types of phishing attacks.

  • Unfamiliar senders. Emails, texts, or calls from people you don’t recognize are automatically suspect.
  • Poor spelling or grammar. Major corporations pay careful attention to small details like this. Scammers, on the other hand, don’t usually worry about a few typos and often use poor English.
  • Urgency and threats. Scammers demand immediate action or scare you using intimidation tactics, like arrest or deportation, so you don’t recognize warning signs of a scam.
  • Unusual payment methods. Phishing scams often take the opportunity to charge a “fee” for a service but will only accept forms of payment like gift cards, money orders, or cryptocurrency. Legitimate businesses use other methods.

What to do if you’re a victim of phishing

You’ve learned how to protect yourself from phishing scams, but what if you’ve already fallen victim? If you know you’ve shared information with a scammer, here’s what you should do, based on what information you’ve shared.

  • Credit or debit card details. Call the issuing company and have the card canceled immediately. Ask to reverse or dispute any fraudulent charges.
  • Login details or passwords. Log into the compromised account, change the password, look for an option to close all active sessions, and add two-factor authentication if possible. Do the same for any other accounts using the same password.
  • Medical insurance information. Call your insurance company and any impacted companies, explain the fraud, and dispute any fraudulent charges.
  • Social Security number. Set up a credit freeze at each of the three credit bureaus (Experian, Equifax, and TransUnion). This prevents anyone from requesting credit in your name.
  • Name, email, date of birth, or other information. Keep a close eye on your accounts for signs of identity theft.

No matter what kind of information you’ve shared, it’s always a good idea to report the fraud to the Federal Trade Commission at IdentityTheft.gov. Filing the report helps protect others, gives you documentation of the attack, and will provide you with recovery steps specific to your situation

Conclusion

Phishing attacks are on the rise, and scammers are developing even more intricate scams all the time. But if you know the most common warning signs and stay vigilant, you can protect yourself and take quick action in case you’ve been compromised.

Tags: Phishing scams

Nov 29 2022

Why the updated ISO 27001 standard matters to every business’ security

Category: Information Security,ISO 27kDISC @ 10:13 am

On the morning of August 4, 2022, Advanced, a supplier for the UK’s National Health Service (NHS), was hit by a major cyberattack. Key services including NHS 111 (the NHS’s 24/7 health helpline) and urgent treatment centers were taken offline, causing widespread disruption. This attack served as a brutal reminder of what can happen without a standardized set of controls in place. To protect themselves, organizations should look to ISO 27001.

ISO 27001 is an internationally recognized Information Security Management System standard. It was first published in 2005 to help businesses implement and maintain a solid information security framework for managing risks such as cyberattacks, data leaks and theft. As of October 25, 2022, it has been updated in several important ways.

The standard is made up of a set of clauses (clauses 4 through 10) that define the management system, and Annex A which defines a set of controls. The clauses include risk management, scope and information security policy, while Annex A’s controls include patch management, antivirus and access control. It’s worth noting that not all of the controls are mandatory; businesses can choose to use those that suit them best.

Why is ISO 27001 being updated?

It’s been nine years since the standard was last updated, and in that time, the technology world has changed in profound ways. New technologies have grown to dominate the industry, and this has certainly left its mark on the cybersecurity landscape. 

With these changes in mind, the standard has been reviewed and revised to reflect the state of cyber- and information security today. We have already seen ISO 27002 (the guidance on applying the Annex A controls) updated. The number of controls has been reduced from 114 to 93, a process that combined several previously existing controls and added 11 new ones.

Many of the new controls were geared to bring the standard in line with modern technology. There is now, for example, a new control for cloud technology. When the controls were first created in 2013, cloud was still emerging. Today, cloud technology is a dominant force across the tech sector. The new controls thus help bring the standard up to date.

In October, ISO 27001 was updated and brought in line with the new version of ISO 27002. Businesses can now achieve compliance with the updated 2022 controls, certifying themselves as meeting this new standard, rather than the now-outdated list from 2013.

How can ISO 27001 certification benefit your business?

Implementing ISO 27001 brings a host of information security advantages that benefit companies from the outset.

Companies that have invested time in achieving ISO 27001 certification will be recognized by their customers as organizations that take information security seriously. Companies that are focused on the needs of their customers should want to address the general feeling of insecurity in their users’ minds.

Moreover, as part of the increasingly rigorous due-diligence processes that many companies are now undertaking, ISO 27001 is becoming mandatory. Therefore, organizations will benefit from taking the initiative early to avoid missing out commercially.

In the case of cyber-defense, prevention is always better than cure. Attacks mean disruption, which almost always proves costly for an organization, in regard to both reputation and finances. Therefore, we might view ISO 27001 as a form of cyber-insurance, where the correct steps are taken preemptively to save organizations money in the long term.

There’s also the matter of education. Often, an organization’s weakest point, and thus the point most often targeted, is the user. Compromised user credentials can lead to data breaches and compromised services. If users were more aware of the nature of the threats they face, the likelihood of their credentials being compromised would decrease significantly. ISO 27001 offers clear and cogent steps to educate users on the risks they face.

Ultimately, whatever causes a business to choose implementation of ISO 27001, the key to getting the most out of it is ingraining its processes and procedures in their everyday activity.

Overcoming the challenge of ISO 27001 certification

A lot of companies have already implemented many controls from ISO 27001, including access control, backup procedures and training. It might seem at first glance that, as a result, they’ve already achieved a higher standard of cybersecurity across their organization. However, what they continue to lack is a comprehensive management system to actually manage the organization’s information security, ensuring that it is aligned with business objectives, tied into a continuous improvement cycle, and part of business-as-usual activities.

While the benefits of ISO 27001 may be obvious to many in the tech industry, overcoming obstacles to certification is far from straightforward. Here are some steps to take to tackle two of the biggest issues that drag on organizations seeking ISO 27001 certification:

  • Resources — time, money, and manpower: Businesses will be asking themselves: How can we find the extra budget and dedicate the finite time of our employees to a project that could last six to nine months? The key here is to place trust in the industry experts within your business. They are the people who will be implementing the standard day-by-day, and they should be placed at the wheel.
  • Lack of in-house knowledge: How can businesses that have no prior experience implementing the standard get it right? In this case, we advise bringing in third-party expertise. External specialists have done this all before: They have already made the mistakes and learned from them, meaning they can come into your organization directly focused on implementing what works. In the long run, getting it right from the outset is a more cost-effective strategy because it will achieve certification in a shorter time.

Next steps toward a successful future

While making this all a reality for your business can seem daunting, with the right plan in place, businesses can rapidly benefit from all that ISO 27001 certification has to offer.

It’s also important to recognize that this October was not the cutoff point for businesses to achieve certification for the new version of the standard. Businesses will have a few months before certification bodies will be ready to offer certification, and there will likely then be a two-year transition period after the new standard’s publication before ISO 27001:2013 is fully retired.

Ultimately, it’s vital to remember that while implementation comes with challenges, ISO 27001 compliance is invaluable for businesses that want to build their reputations as trusted and secure partners in today’s hyper-connected world.

Source: https://wordpress.com/read/blogs/126020344/posts/2830377

ISO 27001 Risk Assessment and Gap Assessment

ISO 27001 Compliance and Certification

Tags: iso 27001, iso 27002

Sep 22 2022

How to Spot Your Biggest Security Threat? Just Look out for the Humans

Category: Cyber Threats,Insider Threat,Threat detectionDISC @ 8:04 am

How to Spot Your Biggest Security Threat? Just Look out for the Humans

As it turns out, it’s not some AI-powered machine learning super virus or pernicious and anonymous cybercrime syndicate. It’s not the latest and greatest in botnets, malware, or spyware either.

Sure, these can be scary, and they are worth protecting against. The headlines report the increased volume and velocity of security threats every other day. The risk is real, and companies need to take cybersecurity seriously.

Just Look out for the Humans

How to Spot Your Biggest Security Threat? Just Look out for the Humans
What is the biggest security threat in your company?

But the greatest threat of all? Well, that would be humans. Look no further if you’re trying to identify your biggest cyber threats.

Humans: The Biggest Cyber Security Threats

When we say “humans,” you may assume we are talking about hackers and cybercriminals. After all, they are humans, too, right?

But no, we are talking about employees in your organization, not necessarily disgruntled or vengeful ones.

Verizon’s latest 2022 Data Breach Investigation Report showed that 82% of breaches involved the human element, including social attacks, errors, and misuse.

This is the 80/20 Rule (also known as the Pareto Principle) at work. In cybersecurity, 80% of your problems come from 20% of sources – in this case, human beings.

Whether using a weak, compromised password, clicking on a link in a phishing email, or accidentally setting sensitive cloud-based databases to “public,” your team is the weakest link in the chain.

Here’s a breakdown of the leading issues:

  • Credential problems account for nearly 50% of non-error, non-misuse breaches
  • Phishing accounts for nearly 20% of breaches
  • Nearly 20% of breaches are the result of misconfigured cloud accounts or emailing sensitive data to the wrong people
  • Vulnerability exploits account for less than 10% of attacks

The biggest cyber threats, therefore, cannot be prevented with a robust security technology infrastructure alone. Technology is critical but cannot always account for the human element.

3 Types of Internal Threats

The biggest security threat is humans, who make up your team. The majority are innocent, or at the very least well-meaning. But there are also those with malicious intent. Identifying the different types of internal threats is critical to your security plans.

These are the three types of internal threats to be aware of:

  1. Unintentional. Employees with poor cybersecurity training and habits can unintentionally compromise an organization’s security by clicking on a malicious link, trusting a spoofed website with their credentials, offering sensitive data to the wrong person, or otherwise. Proper cybersecurity training is key to mitigating risk.
  2. Malicious. The occasional disgruntled employee whose primary interest is personal or financial gain. Advanced technologies can help prevent internal threats such as these, but there is no way to read the minds of your employees, so as with cybersecurity in general, an ounce of prevention is worth a pound of cure.
  3. Accomplice. Employees can also collude with cybercriminals or other external parties to steal information from your company for personal gain. Limiting access to key data is critical to preventing scenarios like the “Wolf of Manchester,” who made thousands by selling customer data from an insurance company.

How To Prevent the Biggest Cyber Security Attacks

It’s critical to understand that the same hackers exploiting software vulnerabilities also exploit human vulnerabilities. Cybercriminals have grown wiser about human psychology and are waiting at every turn to seize upon the unsuspecting.

So, you can’t simply reallocate your resources from vulnerability management to in-house training programs. The key is finding a meaningful balance where good cybersecurity practices are baked into your IT security infrastructure.

Preventing the biggest security threat will mean developing a cybersecurity culture in your organization. Blanket policies and procedures are helpful, but they can fall short. Creating an entire culture of cybersecurity will ensure that best practices and good habits are adopted by all.

Naturally, this will mean investing in training. These are the key topics that should be addressed:

  • Password management
  • Phishing attacks, how they work, how to avoid them
  • Encryption and digital signing
  • Authentication
  • Creating backups
  • Best practices in sending personal or sensitive information
  • Account access and privileges as well as oversight and management

Note that if you don’t have all the resources and personnel necessary to handle the training internally, you can hire an outside party to lead it.

Cyber Security Threats and Challenges Facing Human Life

InfoSec Threats

Tags: InfoSec Threats, Security Threat

Sep 19 2022

SMBs are hardest-hit by ransomware

Category: cyber securityDISC @ 8:21 am

Coalition announced the mid-year update to its 2022 Cyber Claims Report detailing the evolution of cyber trends, revealinig that small businesses have become bigger targets, overall incidents are down, and ransomware attacks are declining as demands go unpaid.

SMBs are hardest-hit by ransomware

During the first half of 2022, the average cost of a claim for a small business owner increased to $139,000, which is 58% higher than levels during the first half of 2021.

“Across industries, we continue to see high-profile attacks targeting organizations with weak or exposed infrastructure — which has become exacerbated by today’s remote working culture and companies’ dependence on third-party vendors,” said Catherine LyleCoalition’s Head of Claims.

“Small businesses are especially vulnerable because they often lack resources. For these businesses, avoiding downtime and disruption is essential, and they must understand that Active Insurance is accessible.”

The good news: both Coalition and the broader insurance industry observed a decrease in ransomware attack frequency and the amount of ransom demanded between the second half of 2021 and the first half of 2022. Ransomware demands decreased from $1.37M in H2 2021 to $896,000 in H1 2022. Of the incidents that resulted in a payment, Coalition negotiated down to roughly 20% of the initial demand.

More good news: Coalition policyholders experienced 50% fewer claims compared to the broader market. The severity of these claims has also declined, with 45% of incidents resolved at no cost. The substantial decrease in overall claims stems from Coalition’s combination of cybersecurity tools, including active monitoring and alerting, access to digital forensics and incident response, and broad insurance coverage.

“Organizations are increasingly aware of the threat ransomware poses. They have started to implement controls such as offline data backups that allow them to refuse to pay the ransom and restore operations through other means,” said Chris Hendricks, Coalition’s Head of Incident Response. “As ransomware is on the decline, attackers are turning to reliable methods. Phishing, for example, has skyrocketed – and only continues to grow.”

Other key findings:

  • Phishing triggers the majority of cyber incidents, accounting for 57.9% of reported claims
  • Cyber gangs have built a thriving business
  • Funds transfer fraud (FTF) claims have held steady thanks to phishing, and
  • Microsoft Exchange has become the vulnerability that persists.

100 dollars

Cybersecurity for Small and Midsize Businesses

Tags: Cybersecurity for Small and Midsize Businesses, Small and Midsize Businesses, SMB

Aug 30 2022

US-based CISOs get nearly $1 million per year

Category: CISO,Information Security,vCISODISC @ 9:12 am
US-based CISOs get nearly $1 million per year

The role of the Chief Information Security Officer (CISO) is a relatively new senior-level executive position within most organizations, and is still evolving.

To find out how current CISOs landed in that role, their aspirations, the compensation they receive, and which risks they face and responsibilities they shoulder, analysts with international executive search firm Heidrick & Struggles have asked 327 CISOs (and CISOs in all but name) to participate in their 2022 Global CISO Survey.

The results of the survey revealed these main takeaways:

Who reports to CISOs and to whom do the CISOs report?

The main organizational functions that report to CISOs are SecOps (88%); governance, risk, and compliance (87%); penetration testing (87%); security architecture (86%); product and application security (79%); and business continuity planning or disaster recovery (79%).

OPIS

CISOs mostly report to the CIO (38%); the CTO or senior engineering executive (15%); the COO or CAO (9%); the global CISO (8%); and the CEO (8%). But 88% of them also report to the company board and/or advisory committee.

CISO roles are often terminal

Most CISOs move laterally into their current role and the career path forward for CISOs is most often to another CISO role, the analysts found.

If they were not CISOs before – and 53% of them were! – they were mostly a deputy CISO, a regional or business unit CISO, and the senior information security executive in their organization.

Many CISOs aspire to be a board member next, but that ambition is unlikely to be realized. Even though cybersecurity experience is sorely needed on boards, many boards still frequently prefer board members with prior board experience, the analysts pointed out.

The Chief Security Officer (CSO) or the Chief Information Officer (CIO) roles are also coveted by many of the respondents.

Threats CISOs are facing and personal risks they are worried about

CISOs say ransomware attacks are the most significant cyber risk to their organization (67%), followed by insider threats (32%) and nation/state attacks (31%).

On a more personal note, CISOs are most worried about stress related to the role (59%) and burnout (48%), and much less about job loss as a result of a breach (25%) or being faced with personal financial accountability for a breach (11%).

“Our survey responses here tell a few different stories,” the analysts noted.

“One is that there is burnout and stress associated with this role, which should lead organizations to consider succession plans and/or retention strategies so that CISOs don’t make unnecessary exits. The second story is that CISOs feel relatively secure in their jobs—job loss as a result of a breach wasn’t the highest risk. That is, in part, because the best CISOs are able to command executive-level protections (D&O insurance coverage and severance, for example) that enable them to do their jobs unencumbered by the threat of career risk.”

CISO compensation keeps rising

“In the United States, reported median cash CISO compensation has risen to $584,000 this year, up from $509,000 last year and $473,000 in 2020. Median total compensation, including any annualized equity grants or long-term incentives, also increased, to $971,000 from $936,000,” the company found.

New CISOs, in particular, saw the highest rises in overall compensation – probably because talent to fill out the role is hard to find and organizations are competing fiercely to take hold of it.

In the UK, the median cash CISO compensation has risen to £318,000 this year, but there was a 14% drop in annual equity.

For those interested, Heidrick & Struggles’s report offers more granular insight on the various factors that impact CISO compensation in different geographical locations.

ciso compensation

More on:

Chief Information Security Officer

Tags: CISO, vCISO as a service

Jul 28 2022

Experts warn of hacker claiming access to 50 U.S. companies through breached MSP

Category: Hacking,Security BreachDISC @ 2:23 pm
Experts warn of hacker claiming access to 50 U.S. companies through breached MSP

Experts warn of hacker claiming access to 50 U.S. companies through breached MSP

Cybersecurity experts are raising concerns about an individual on a hacker forum claiming to have access to 50 American companies through an unnamed managed service provider (MSP).

MSPs are paid to manage IT infrastructure and provide support, typically by smaller organizations lacking their own IT departments. In recent years they have been singled out by cybersecurity agencies as potentially vulnerable access points for hackers to exploit.

Harlan Carvey, senior incident responder at cybersecurity firm Huntress, told The Record that on July 18 someone with the handle “Beeper” had posted in Russian on exploit.in asking for help monetizing access to a managed service provider.

“Looking for a Partner for MSP processing. I have access to the MSP panel of 50+ companies. Over 100 ESXi, 1,000+ servers … I want to work qualitatively, but I do not have enough people,” the translated message said.

“In terms of preparation, only little things are left, so my profit share will be high. Please send me a message for more details and suggestions.”

https://therecord.media/experts-warn-of-hacker-claiming-access-to-50-u-s-companies-through-breached-msp/

Several cybersecurity experts have shared the message on Twitter and other social media sites warning of the potential fallout from the kind of access the hacker purportedly has. 

Carvey said it appears that the hacker gained access to an MSP’s management system and has already done some of the initial legwork.

“It sounds as if they’re claiming to have done some pre-work, perhaps something like identifying an account with a high privilege level. As a result, anyone who takes them up on their offer isn’t going to have to do much ‘heavy lifting’ to achieve whatever their goals may be,” Carvey said. “It doesn’t appear that there’s any data involved at this point, per se. Intent isn’t clear at this point, and it may depend upon who responds to the ad. The original poster does seem to be offering to answer questions and provide additional details.”

Carvey added that based on the typical customer base he sees for MSPs, personal details, business data and healthcare information could be at risk. 

Some online noted that Kansas City-based MSP NetStandard announced on Wednesday morning that their hosted environment had been hit by a cyberattack. The company did not respond to requests for comment but told customers they discovered the attack on Tuesday and are “working to isolate the threat and minimize impact.”

“MyAppsAnywhere services, which include Hosted GP, Hosted CRM, Hosted Exchange, and Hosted Sharepoint, will be offline until further notice,” the company said. 

“At this point, no additional information on the extent of the impact nor time to resolution can be provided. We are engaged with our cybersecurity insurance vendor to identify the source of the attack and determine when the environment can be safely brought back online.” 

The cybersecurity authorities of the U.K. (NCSC-UK), Australia (ACSC), Canada (CCCS), New Zealand (NCSC-NZ), and the United States (FBI, CISA and NSA) warned in May that hackers and APT groups have stepped up their targeting of MSPs in their efforts to exploit provider-customer network trust relationships.

Two of the most prominent hacks from the last two years involved popular MSPs – SolarWinds and Kaseya – and caused widespread damage due to the access they have to hundreds of companies and government agencies. 

The CISA alert noted that government agencies are aware of reports of an increase in malicious cyber activity targeting MSPs, adding that they “expect this trend to continue.”

“As this joint advisory makes clear, malicious cyber actors continue to target managed service providers, which can significantly increase downstream risk to the businesses and organizations they support – why it’s critical that MSPs and their customers take action to protect their networks,” said CISA Director Jen Easterly. 

The agencies provided a range of recommendations to MSPs, such as hardening defenses against password spraying and phishing by potential attackers.

Former Obama administration cybersecurity commissioner Tom Kellermann, who now serves as head of cybersecurity strategy at VMware, previously told The Record that cybercrime cartels have studied the interdependencies of financial institutions and have a better understanding of which MSPs are used.

“In turn, these organizations are targeted and hacked to island hop into banks. Rogue nation states love this method of cyber-colonization,” Kellermann explained, referring to an attack that targets a third party in order to gain access to another entity. VMware has found that such attacks have increased 58% over the past year.

“I am concerned that as geopolitical tension metastasizes in cyberspace, these attacks will escalate and Russian cyber-spies will use this stratagem to deploy destructive malware across entire customer bases of MSP,” he said.

Tags: breached MSP

Jul 20 2022

Catches of the Month: Phishing Scams for July 2022

Category: PhishingDISC @ 1:41 pm
Catches of the Month: Phishing Scams for July 2022

Welcome to our July 2022 review of phishing attacks, in which we explore the latest email scams and the tactics that cyber criminals use to trick people into handing over their personal data.

This month, we look at a cyber attack at OpenSea, a US school district that was tricked into transferring funds to a crook and a report on the rising threat of phishing.

NFT marketplace warns users of phishing scams

Last month, the world’s largest NFT (non-fungible token) marketplace, OpenSea, disclosed a data breach in which users’ email addresses were compromised.

The organisation’s head of security, Cory Hardman, said that the breach occurred when an employee at a third-party email delivery vendor downloaded the details of OpenSea users and newsletter subscribers.

OpenSea has since warned that the information could be used to launch phishing attacks.

“If you have shared your email with OpenSea in the past, you should assume you were impacted. We are working with Customer.io in their ongoing investigation, and we have reported this incident to law enforcement,” Hardman said.

“Because the data compromise included email addresses, there may be a heightened likelihood for email phishing attempts.”

OpenSea warned users via an email notification

Hardman provided tips to help OpenSea users spot phishing attacks. He urged people to keep an eye out for emails that use domains replicating the genuine OpenSea.io address.

Cyber criminals could do this by using a different top-level domain (such as opensea.org), or by deliberately misspelling the domain name (such as opensae.io).

Hardman also advised users not to download or open email attachments if they believe the message is suspicious, and to never sign wallet transactions if prompted directly via email.

It was that technique that caught out fans of the NFT artist Beeple last month. His Twitter account was hacked, with the attackers stealing $70,000 (about £56,000) worth of cryptocurrency.

In addition to the theft, the cyber criminals shared a phishing link on Beeple’s Twitter account that, if clicked, took money directly from their wallets.

Incidents such as this and the OpenSea hack demonstrate the challenges that NFT trading presents. Although many people are enticed into NFTs because the market is unregulated, that also creates major security risks.

Whereas banks and other regulated trading platforms are required to take steps to protect people’s assets – and will typically have proof of unauthorised access – the crypto culture emphasises personal responsibility.

If a cyber criminal compromises a crypto wallet, victims have little recourse and will have to accept their loss.

School district accidentally wires $200,000 to fraudulent bank

The Floyd County School District in in Georgia admitted in June that it had wired $197,672.76 (about £164,000) to a bank account controlled by cyber criminals.

Officials said they received the request from an email address seemingly associated with Ben Hill Roofing, an organisation that had previously worked with a school in the district.

Floyd County Schools made the payment on 29 April, and was only alerted to its mistake after the real Ben Hill Roofing submitted an invoice.

Speaking to a local news outlet, the school district said: “Floyd County Schools has been made aware of a spear phishing incident, which is a targeted email attack pretending to be from a trusted sender. This cyber-attack resulted in funds being stolen from the school system by an outside source.”

It added: “We are working with local law enforcement, GEMA, GBI, and insurance officials to recover the funds.

“Because of the cyber security measures FCS has put in place over the past few years, school system officials believe this is an isolated incident. Due to the ongoing investigation, more details cannot be released at this time.”

Floyd County Schools has since recovered almost all of the stolen funds following a police investigation. Officers traced the stolen money to a bank in Texas, which had already flagged the account as suspicious.

Phishing attacks reach all-time high, report finds

The first three months of 2022 saw more than a million reported phishing attacks, according to the APWG’s Phishing Activity Trends Report

It’s the highest number of phishing attacks that has ever been reported in a quarter, and it follows a steady increase in attacks throughout the past year. In April 2021, the APWG observed just over 200,000 phishing attacks. By March 2022, it almost doubled, to 384,291. 

According to the report, the industry most likely to be targeted was the financial sector. It found that 23.6% of all incidents affected organisations that provide such services. 

The next most frequent targets were software-as-a-service and webmail providers (20.5%) and e-commerce sites and retail stores (14.6%).

The report also found that 12.5% of phishing attacks target social media sites, while cryptocurrency platforms account for 6.6% of incidents. 

According to John Wilson, Senior Fellow of Threat Research at HelpSystems, the majority of phishing attacks are conducted using BEC (business e-mail compromise).

Wilson noted that in the first quarter of 2022, 82% of BEC messages were sent from free webmail accounts. Gmail is the most popular provider, accounting for 60% of BEC scams. 

Meanwhile, 18% of BEC messages used email domains owned by the attacker. 

The report also found that the average sum that scammers requested in wire transfer BEC attacks in Q1 2022 was $84,512 (about €98,000). This is a significant increase over the previous quarter, in which scammers requested €50,027 (about €58,000) on average. 

Can you spot a scam?

All organisations are vulnerable to phishing, no matter their size or the sector, so it’s essential to understand how you might be targeted and what you can do to prevent a breach.

You can help educate your staff with IT Governance’s Phishing Staff Awareness Training Programme.

This 45-minute course uses real-world examples like the ones we’ve discussed here to explain how phishing attacks work, the tactics that cyber criminals use and how you can detect malicious emails.

Get Started Now

Tags: Phishing scams, phishing training

Apr 11 2022

SuperCare Health discloses a data breach that Impacted +300K people

Category: Data BreachDISC @ 8:39 am
SuperCare Health discloses a data breach that Impacted +300K people

SuperCare Health, a leading respiratory care provider in the Western U.S, disclosed a data breach that impacted more than 300,000 individuals.

SuperCare Health disclosed a security breach that has led to the exposure of personal information belonging to its patients, patients/members of its partner organizations and others.

The company notified impacted individuals and law enforcement agencies.

The company told the US Department of Health and Human Services that the data breach has impacted 318,379 individuals.

The security breach was discovered on July 27, 2021, when the company IT personnel noticed unauthorized activity on some systems. SuperCare Health immediately launched an investigation into the incident with the help of independent cybersecurity experts that revealed that the intrusion took place between July 23 and July 27, 2021.

Seven months later, in February 2022, the company determined the potential compromise of some information relating to certain patients. 

“On July 27, 2021, we discovered unauthorized activity on our systems. In response, we immediately began containment, mitigation, and restoration efforts to terminate the activity and to secure our network, systems, and data. In addition, we retained independent cybersecurity experts to conduct a forensic investigation into the incident and assist us in determining what happened.” reads the data security notice published by the company. “The forensic investigation revealed that an unknown party had access to certain systems on our network from July 23, 2021 to July 27, 2021. Based on that information, we worked diligently to identify the potentially affected files and their contents. On February 4, 2022, we determined that the potentially impacted files contained some information relating to certain patients.”

Potentially compromised data depend on the individual and may include:  name, address, date of birth, hospital or medical group, patient account number, medical record number, health insurance information, testing/diagnostic/treatment information, other health-related information, and claim information. For a small subset of individuals, their Social Security number and/or driver’s license number may have been contained in the impacted files.

The company is not aware of any abuse or misuse for the information exposed as a result of the incident.

SuperCare Health

Tags: SuperCare Health

Nov 10 2021

Most CIOs and CISOs underestimate the risk of an OT breach

Category: CISO,OT/ICS,vCISODISC @ 10:27 am
Most CIOs and CISOs underestimate the risk of an OT breach

“Not only do enterprises rely on OT, the public at large relies on this technology for vital services including energy and water. Unfortunately, cybercriminals are all too aware that critical infrastructure security is generally weak. As a result, threat actors believe ransomware attacks on OT are highly likely to pay off,” said Skybox Security CEO Gidi Cohen. “Just as evil thrives on apathy, ransomware attacks will continue to exploit OT vulnerabilities as long as inaction persists.”

The research unearths the uphill battle that OT security faces – comprised of network complexity, functional silos, supply chain risk, and limited vulnerability remediation options. Threat actors take advantage of these OT weaknesses in ways that don’t just imperil individual companies – but threaten public health, safety, and the economy.

Key takeaways

Organizations underestimate the risk of a cyberattack

Fifty-six percent of all respondents were “highly confident” their organization will not experience an OT breach in the next year. Yet, 83% also said they had at least one OT security breach in the prior 36 months. Despite the criticality of these facilities, the security practices in place are often weak or nonexistent.

CISO disconnect between perception and reality

Seventy-three percent of CIOs and CISOs are highly confident their OT security system will not be breached in the next year. Compared to only 37% of plant managers, who have more firsthand experiences with the repercussion of attacks. While some refuse to believe their OT systems are vulnerable, others say the next breach is around the corner.

Compliance does not equal security

To date, compliance standards have proven insufficient in preventing security incidents. Maintaining compliance with regulations and requirements was the most common top concern of all respondents. Regulatory compliance requirements will continue to increase in light of recent attacks on critical infrastructure.

Complexity increases security risk

Seventy-eight percent said complexity due to multivendor technologies is a challenge in securing their OT environment. In addition, 39% of all respondents said that a top barrier to improving security programs is decisions are made in individual business units with no central oversight.

Cyber liability insurance is considered sufficient by some

Thirty-four percent of respondents said that cyber liability insurance is considered a sufficient solution. However, cyber liability insurance does not cover costly “lost business” that results from a ransomware attack, which is one of the top three concerns of the survey respondents.

Exposure and path analysis are top cybersecurity priorities

Forty-five percent of CISOs and CIOs say the inability to conduct path analysis across the environment to understand actual exposure is one of their top three security concerns. Further, CISOs and CIOs said disjointed architecture across OT and IT environments (48%) and the convergence of IT technologies (40%) are two of their top three greatest security risks.

Functional silos lead to process gaps and technology complexity

CIOs, CISOs, Architects, Engineers, and Plant Managers all list functional silos among their top challenges in securing OT infrastructure. Managing OT security is a team sport. If the team members are using different playbooks, they are unlikely to win together.

Supply chain and third-party risk is a major threat

Forty percent of respondents said that supply chain/third-party access to the network is one of the top three highest security risks. Yet, only 46% said their organization as a third-party access policy that applied to OT.

CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers

Oct 25 2021

CISO Interview Series: Investing in Frameworks, Humans, and Your Technical Skills

Category: CISO,vCISODISC @ 7:24 am
CISO Interview Series: Investing in Frameworks, Humans, and Your Technical Skills

The journey for someone to the role of Chief Information Security Officer (CISO) isn’t often straightforward. Take Sandy Dunn, for example. Per SailPoint, Sandy started as a paper delivery kid at 10 years old. She then worked her way through software sales, insurance, and even horses before becoming the CISO of a health insurance provider in Idaho.

All these “entry-level” jobs share one thing in common. They gave Sandy the experience to fulfill a CISO’s multifaceted responsibilities. But don’t just take my word for it. Check out my conversation with Sandy below.

“One skill I think every CISO needs is business acumen.”

Joe Pettit: Thanks for taking the time to speak with me today, Sandy. I would love to hear some of your views on the role of the modern CISO. How is it changing, and what are the essential skills that a CISO should have now?

Sandy Dunn: The required skills for a CISO is an interesting question. Every business is different, so really every CISO role will be slightly different with different expectations for where they fit in the organization. One skill I think every CISO needs is business acumen. You need to be able to understand how security fits into that specific business. Having some level of technical skills is important, too. It helps you with effective communication with your cybersecurity team about issues, tools, proposed remediation, and then to be able to explain everything they just told you back to the business or put it into a business context. Technical knowledge will benefit you in understanding the severity of a problem, too (independent of the volume of the voice who is bringing it) and determine if a situation is a one-alarm fire or a five-alarm fire.

“…one of the things I really had to (Read more…)

*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Joe Pettit. Read the original post at: https://www.tripwire.com/state-of-security/security-data-protection/ciso-interview-series-investing-in-frameworks-humans-and-your-technical-skills/

The 5 Roles of Leadership: Tools & best practices for personable and effective leaders

Tags: CISO, Fractional CISO, vCISO

Oct 15 2021

U.S. Treasury Offers Crypto Guidance Amid Ransomware Surge

Category: Crypto,Information Security,RansomwareDISC @ 12:48 pm

US Treasury says there was $590M in suspicious ransomware activity in H1 2021, exceeding the entire amount in 2020, when $416M was reported  —  Suspicious activity reports related to ransomware jumped significantly in 2021, according to the U.S. Treasury Department’s Financial Crimes Enforcement Network.

There was $590 million in suspicious activity related to ransomware in the first six months of 2021, exceeding the entire amount in 2020, when $416 million was reported, according to a report released Friday by the U.S. Treasury Department’s Financial Crimes Enforcement Network.

The average amount of reported ransomware transactions per month in 2021 was $102.3 million, according to the report. If the current trend continues, suspicious activity reports filed in 2021 “are projected to have a higher ransomware-related transaction value than SARs filed in the previous 10 years combined,” according to the report. SARs is shorthand for suspicious activity reports.

U.S. based cybersecurity companies filed most of the SARs related to ransomware while banks and cryptocurrency exchanges filed more than a third of the reports. The reports reflect just how quickly ransomware attacks have grown.

The report offers new insight into the scale of ransomware attacks devastating U.S. businesses and impacting critical infrastructure. A Treasury spokesperson said the SARs don’t represent all ransomware payments. 

Reporting ransomware payments to the Treasury via a suspicious activity report is often a requirement of cybersecurity insurance policies, according to a person familiar with the matter. 

The Treasury Department also identified 68 ransomware variants, noting that the most commonly reported types were REvil, Conti and DarkSide. Ransomware groups often sell their malware, or variant, to affiliates who then use it to plot attacks, in what is known as ransomware-as-a-service. REvil, Conti and DarkSide are suspected by cybersecurity firms of being tied to Russia in some way — because they use the Russian language or are suspected of being based there.  

The report was filed as the Treasury Department issued guidance to the virtual currency industry to prevent exploitation by entities sanctioned by the U.S. and ransomware groups. It is part of a broader effort by the Biden administration to attempt to curb ransomware attacks. In ransomware attacks, hackers encrypt a victim’s files and promise to unlock them if they are paid a fee.

Among the more notable attacks were those in May on Colonial Pipeline Co. in May that squeezed fuel supplies on the East Coast and on the meatpacker JBS SA

The Treasury report stated that ransomware actors are increasingly requesting payment in cryptocurrencies like Monero, which are designed to enhance anonymity. 

More: BleepingComputerThe RecordCNETThe HillPYMNTS.comCyberScoop, and CoinDesk

Tags: Ransomware Surge, U.S. Treasury

Jun 28 2021

Navigating the complexity of ransomware negotiations

Category: RansomwareDISC @ 2:29 pm
Navigating the complexity of ransomware negotiations

Ransom negotiation protocol checklist

First and foremost, before communications can begin, you need to determine if legal engagement with the threat actor is possible. How? An OFAC (Office of Foreign Assets Control) check must be run to see whether any data (i.e., IP addresses, language, system access, etc.) or metadata is associated with an entity that has been put on the U.S. Sanctions list. If the answer is yes, communication with and ransom payments to the attacker is prohibited.

It’s relatively rare for data from an attack to match an entity on the list because threat actors are using tools to mask their identities (i.e., VPNs, proxy connections, language translation, etc.). If you know where to dig, it’s not impossible to discover pieces of information to help unmask threat actors. For example, if a threat actor’s IP address says they are in the Netherlands, but upon reviewing the executable files they dropped on compromised systems you see they are written in Russian, this could reveal the attacker’s true location.

Once you’ve confirmed that legal engagement with the threat actor can proceed, you must weigh your answers to the following questions:

  • Is my data backed up and accessible on the network?
  • If not, can I rebuild the data from scratch?
  • If the stolen data is shared publicly, how will this impact the company?
  • Will my business survive if I don’t pay?

Source: Navigating the complexity of ransomware negotiations

Ransomware Protection Playbook

No cybersecurity plan will ever be perfect, no defense is impenetrable. With the dangers and costs of a successful ransomware attack on an organization increasing daily, it is important for cybersecurity and business leaders to have a prevention and recovery plan before disaster strikes.


In Ransomware Protection Playbook experienced penetration tester and cybersecurity evangelist Roger Grimes lays out the steps and considerations organizations need to have in place including technical preventative measures, cybersecurity insurance, legal plans, and a response plan. From there he looks at the all important steps to stop and recover from an ongoing attack starting with detecting the attack, limiting the damage, and what’s becoming a trickier question with every new attack – whether or not to pay the ransom.


No organization with mission-critical systems or data can afford to be unprepared for ransomware. Prepare your organization with the Ransomware Protection Playbook.

Tags: ransomware negotiations, Ransomware Protection Playbook

Jun 22 2021

Ransomware: What REALLY happens if you pay the crooks?

Category: Cyber Insurance,RansomwareDISC @ 1:49 pm
Ransomware: What REALLY happens if you pay the crooks?

Governments and law enforcement hate it when ransomware victims pay the blackmail demands that almost always follow a ransomware attack, and you can understand why, given that today’s payments fund tomorrow’s cybercriminality.

Of course, no one needs to be told that.

Paying up hurts in any number of ways, whether you feel that hurt in your head, in your heart or even just in the pit of your stomach.

I was happy to pay up for a job well done,” said no ransomware victim ever.

However, it’s easy for people who aren’t looking down the wrong end of the cybercrime barrel to say, “You should never, ever pay. You should let your entire business implode, and let everyone in the company lose their job, because that’s just the price of failure.

So, if your back’s against the wall and you DO pay up in the hope that you’ll be able to restart a business that has ground to a total halt…

…how well will it all go?

Guess what? You can find out by tuning into a fun but informative talk that we’re giving twice this week.

Catch us online on Wednesday 23 June 2021 at the SC Annual Digital Congress, at 14:15 UK time (UTC+1), or on Thursday 24 June 2021 at the Sophos Break a Hacker’s Heart online event, at 11:00 UK time (UTC+1).

You need to register, but both events are free to join. (They’re both 100% virtual, given that the UK is still in coronavirus lockdown, so feel free to attend from anywhere.)

We’ll give you a clue by sharing a key slide from the talk:

As you can see, paying up often doesn’t work out very well anyway, even if you have no ethical qualms about doing so, and enough money burning a hole in your pocket to pay without flinching.

And remember that if you lose 1/3 of your data, like 1/2 of our respondents said they did, you don’t get to choose which computers will decrypt OK and which will fail.

Murphy’s law warns you that the laptops you could have reimaged easily enough will probably decrypt just fine, while those servers you really meant to backup but didn’t… probably won’t.

We’re going to try to make the talk amusing (as amusing as we dare be when talking about such a treacherous subject), but with a serious yet not-too-technical side.

We’ll be giving some tips you can use both at work and at home to reduce the risk of getting ransomed in the first place.

Ransomware Protection Playbook

No cybersecurity plan will ever be perfect, no defense is impenetrable. With the dangers and costs of a successful ransomware attack on an organization increasing daily, it is important for cybersecurity and business leaders to have a prevention and recovery plan before disaster strikes.


In Ransomware Protection Playbook experienced penetration tester and cybersecurity evangelist Roger Grimes lays out the steps and considerations organizations need to have in place including technical preventative measures, cybersecurity insurance, legal plans, and a response plan. From there he looks at the all important steps to stop and recover from an ongoing attack starting with detecting the attack, limiting the damage, and what’s becoming a trickier question with every new attack – whether or not to pay the ransom.


No organization with mission-critical systems or data can afford to be unprepared for ransomware. Prepare your organization with the Ransomware Protection Playbook.

Tags: ransomware attacks, Ransomware elearning, Ransomware Protection Playbook

Jun 10 2021

Global Scamdemic: Scams Become Number One Online Crime

Category: CybercrimeDISC @ 8:25 pm
Global Scamdemic: Scams Become Number One Online Crime

Threat hunting and adversarial cyber intelligence company Group-IB published a comprehensive analysis of fraud cases on a global scale.

Group-IB,  a global threat hunting and adversarial cyber intelligence company specializing in the investigation and prevention of high-tech cybercrime, has published a comprehensive analysis of fraud cases on a global scale. 

Group-IB,  a global threat hunting and adversarial cyber intelligence company specializing in the investigation and prevention of high-tech cybercrime, has published a comprehensive analysis of fraud cases on a global scale. 

Overall, fraud accounts for  73% of  all online attacks:  56% are scams  (fraud that results in the victim voluntarily disclosing sensitive data) and  17% are  phishing attacks  (theft of bank card details). Using patented  Digital Risk Protection (DRP) technologies, the experts at Group-IB discovered over  70 groups of fraudsters that are only used in one of the fraudulent schemes, Classiscam, of which 36 are aimed at Europe. Classiscam threat actors alone were found to defraud users by $ 7.75 million in one year   .

On June 10th, during the Digital Risk Summit 2021  online conference ( Amsterdam ), Group-IB presented its research on various fraudulent machinations, obtained thanks to neural networks and ML-based scorings of the  Group-IB Digital Risk Protection System. Group-IB also unveiled Scam Intelligence, a fraud-tracking technology that paved the way for DRP, the company’s proprietary solution. In one year, the system has helped save  € 363 million for companies in Asia Pacific, Europe and the Middle East by preventing potential damage.

The number of scam and phishing violations detected by Group-IB in Europe in 2020 increased by 39% compared to the previous year. DRP’s research into threat actors’ fraud activity around the world helped categorize fraud schemes, uncovering over 100 basic schemes and their modifications. For example, a scheme of fake branded social media accounts (typical of the financial sector)  affected over 500 fake accounts per bank on average in 2020  . Insurance companies around the world are now suffering from phishing. Over the past year, an average of over 100 phishing websites were created  per insurer.

In 2020, a multi-stage scam called Rabbit Hole targeted companies’ brands, primarily retail and online services. Users received a link from friends, via social media or in messengers with the request to take part in a competition, a promotional offer or a survey. On average, users visited  40,000 fraudulent websites every day. Rabbit Hole has attacked the customers of at least  100 brands worldwide. The threat actors target the theft of personal and bank card details.

Classiscam has been the most widespread fraud in the world during the pandemic. The scheme is aimed at people using marketplaces and services related to property rentals, hotel bookings, online bank transfers, online retail stores, ridesharing and deliveries. The scheme aims to extort money as payment for non-existent goods. At least  44 countries, including Austria, France, Italy, the Netherlands and Great Britain, are affected by Classiscam. According to Group IB, a total of  93 brands were misused as part of Classiscam. As of early 2021, there were more than  12,500 threat actors made money with fake delivery services. The total number of websites involved in the scheme reached  10,000. A Classiscam -Bedrohungsgruppe makes up to  97,000 euros  per month.

“Last year the world was searched by the scamdemicheim, which represents the influx of online scams on an unprecedented scale: if your business is successful and well-known, it’s only a matter of time before scammers keep an eye out”, explains  Dmitry Tiunkin , Group-IB DRB Head, Europe. “Digital risks to brands such as online fraud, the illegal sale of products and services, and intellectual property infringement are the most widespread crimes on the Internet. Group-IB’s DRP system gives analysts a tool to uncover the entire infrastructure of fraudsters and learn about different categories of fraud attempts that could target their organizations. Group-IB DRP helps our clients identify the person behind the wrongdoing, gather as much information about them as possible, and bring them to justice.”

Tags: Global Scamdemic, Scam Me If You Can

Mar 30 2021

Five signs a virtual CISO makes sense for your organization

Category: CISO,Information Security,vCISODISC @ 11:59 am
Five signs a virtual CISO makes sense for your organization

Here are five signs that a virtual CISO may be right for your organization.

1. You have a lot to protect

Companies produce more data than ever, and keeping track of it all is the first step to securing it. A virtual CISO can identify what data needs to be protected and determine the negative impact that compromised data can have, whether that impact is regulatory, financial or reputational.

2. Your organization is complex

Risk increases with employee count, but there are many additional factors that contribute to an organization’s complexity: the number of departments, offices and geographies; how data is used and shared; the distribution of architecture; and the life cycle of applications, data and the technology stack.

A virtual CISO offers an unbiased, objective view, and can sort out the complexity of a company’s IT architecture, applications and services. They can also determine how plans for the future add complexity, identify and account for the corresponding risk, and recommend security measures that will scale to support future demand.

3. Your attack surface is broad

For many organizations, potential vulnerabilities, especially those that share a great deal of data within the organization, may not be obvious at first glance. Virtual CISOs can identify both internal and external threats, determine their probability and quantify the impact they could have on your organization. And at a more granular level, they can determine if those same threats are applicable to competitors, which can help maintain competitiveness within your market.

4. Your industry is highly regulated

Organizations in regulated industries like healthcare, finance, energy/power and insurance will have data that is more valuable, which could make them a bigger target for bad actors. Exposure is even more of a concern due to potential noncompliance. Virtual CISOs bring a wealth of expertise on regulatory standards. They can implement processes to maintain compliance and offer recommendations based on updates to applicable rules and regulations.

5. Your risk tolerance is low

An organization without a great deal of sensitive data may have a much greater tolerance for risk than a healthcare provider or a bank, but an honest assessment is important in determining how much risk each organization should accept. A virtual CISO can coordinate efforts to examine perceived and actual risk, identify critical vulnerabilities and provide a better picture of risk exposure that can inform future decisions.

Cybersecurity is growing more complex, and organizations of all sizes, especially those in regulated industries, require a proven security specialist who can address the aforementioned challenges and ensure that technology and processes are in place to mitigate security risks.

Tags: auditing CISO compliance, CISO, vCISO

Aug 15 2019

Data Loss Prevention: Protect Yourself, Your Family, and Your Business

Category: data security,Security AwarenessDISC @ 2:30 pm

photo courtesy of Unsplash

By Jasmine Dyoco

Another day, another data breach. Lately, it seems like we can’t go more than a few days without hearing about another cyber attack. Data breaches have recently occurred at health insurance providers like Anthem, banks like Capital One, and even the Equifax credit bureau. If there’s anything these recent hacks have shown us, it’s that no industry is safe.
Social Security numbers, credit cards, and passwords are just some of the types of compromised data. Given the number of recent attacks, Bloomberg reports that some cybersecurity professionals now make millions of dollars per year.
Massive amounts of information have been stolen. According to The Week, “virtually everyone in the U.S. has been affected by a data breach in some way — even those who never go online.” If you’re worried a hacker might have your data, here’s how you can protect yourself and your family:

Malware and Viruses

Malware and computer viruses are common ways that scammers get sensitive information. Contrary to popular belief, Macs (and smartphones and tablets) can get viruses. Whether you use Mac, Windows, Linux, or an iPad, protecting your computer against viruses also protects your information.

According to Secure Data Recovery, proactive actions can help keep hackers and viruses from accessing your data. Use strong passwords that are hard to guess. A sentence or phrase is stronger than a single word, for example. You should also install a firewall and antivirus software. Save backups of your files to a device like an external hard drive. Alternatively, you could also save data to the cloud using Google Drive or similar.

Security and Compliance

Cyber threats are continually evolving. By having an information security (InfoSec) plan in place, you can protect data from falling into the wrong hands. InfoSec helps organizations maintain confidentiality while complying with industry regulations.  DISC help the organization to succeed in infosec and Privacy program by building and assessing Information Security Management System (ISMS) and Privacy Information Management System (PIMS) based on various standards and regulations.

For instance, Deura Information Security Consulting (DISC) can perform a risk assessment to identify the security risks. Based on those gaps, they’ll help you create a “safe, secure, and resilient cyber environment.” Additionally, they’ll help your organization comply with regional cyber laws. Those laws include Europe’s General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).

 

Protect Your Teens 

Nobody is safe from online attacks. Unfortunately, that includes children and teenagers. Some scams specifically target teens and young adults. One example is phishing, which tricks teens into revealing their social media passwords. Teens are also susceptible to phishing scams that include “urgent” subject lines. These scams often trick people into clicking a link to avoid missing a once-in-a-lifetime opportunity.

To protect your children, the InfoSec Institute advises telling them to keep their login information private and to never click on social media links via email. Teach them red flags, like email scams claiming they’ve won money or website URLs that have misspellings or extra letters. Your whole family can learn what to look for by practicing with a phishing simulator.

 

Credit Freezes and Monitoring

Many people believe cybercriminals only steal money. The reality is that many of them are interested in stealing data, identities, or intellectual property. In the event that you do experience data loss, whether due to a virus, malware, or online scam, it’s essential to take action.

According to the IRS, you should report identity theft to the FTC, your bank, and each of the credit bureaus. You might want to freeze your credit and place a one-year alert on your credit report. Credit monitoring companies can help you protect your credit score by alerting you of any fraudulent activity. If you follow the tips listed above, you can recover your data and protect yourself from future attacks.

How to report and protect yourself from credit card fraud

How to prevent credit card fraud amid coronavirus pandemic

The Secret to Cybersecurity: A Simple Plan to Protect Your Family and Business from Cybercrime






Mar 26 2014

Most common type of data breaches

Category: data security,Security BreachDISC @ 9:24 pm

DataSecurityBreach

Cyber attacks have become a regular occurrence in the last few years; in fact, you can’t turn the news on without some mention of a business suffering an attack. Most attacks are fuelled by criminals looking to steal valuable information, but what type of information is being stolen?

According to a report by Veracode, the top 5 types of information that are stolen are:

Payment Data

No surprises here of course. Card payment data is a very attractive form of information for cyber criminals to steal. Card data provides quick access to money in multiples ways such as siphoning the victims account, using their card for purchases or selling on the black market.

Selling and purchasing card payment data online is terrifyingly easy, so easy in fact that you could have bought several card details in the time it’s taken you to read this far.

Authentication Details

Details that allow authorised access into online systems are very valuable on the black market. Imagine the price tag on login credentials for the email address of a celebrity, or the president of an international bank.

Unfortunately, humans are subjects to bad habits such as using the same password for online accounts. So if cyber criminals manage to get hold of your Facebook password, then they will most likely be able to login to any of your accounts.

Copyrighted Material

Why would a cyber criminal pay for software when they could just steal it? With most websites being vulnerable to attack, a cyber criminal could in theory steal any software they fancy, costing organisations a large sum of money.

Medical Records

Thieves could sell your stolen personal health information on the Internet black market, use your credentials to obtain medical services and devices for themselves and others, or bill insurance companies for phantom services in your name.

Medical ID theft is worse than financial identity theft, because there are fewer legal protections for consumers. Many victims are forced to pay out of pocket for health services obtained by the thieves, or risk losing their insurance and/or ruining their credit ratings.

Classified Information

Depending on how you define classified, this could include information such as your organisation’s top secret product idea or the code for your security door. Either way, if it’s labelled classified then you don’t want it to be in the hands of cyber criminals.

Protecting this information

There is a high chance that the five forms of information listed above can be found on your organisation’s network, so what are you doing to protect it?

Data Security Breaches: Notification Law

Related articles




Tags: Computer security, data breach, data stolen, data theft, Identity Theft

Jan 29 2013

Impact of an Effective Risk Assessment to ISO 27001

Category: Security Risk AssessmentDISC @ 11:08 pm

RA

First to start with a definition of risk – Risk is a function of the probability that an identified threat will occur and then impact the mission or business objectives of an organization.

The kind of risks we deal with information assets are mostly those risks from which only loss can occur, which may be one of the reason why it’s hard for the security professionals to justify ROI for security controls. Comparatively business risks are attributed with either a profit or a loss. As we know, business folks make decision on risks on daily basis; it’s easier to make a decision for profit sake rather than on a loss. So increase risk to information asset will decrease the value of an asset or will harm the organization bottom line in some way.

To minimize the loss to an information asset, organization may decide to treat the higher risk assets which are above accepted risk threshold with following four ways:

1. Eliminate the risks
2. Reduce the risk to acceptable level
3. Accept the risk and live with it
4. Transfer by means of insurance

Risk Assessment Basic Steps for ISO 27001:

o Determine risk methodology and level of acceptable (residual) risk
o Identify assets and who owns them
o Identify the value of each asset
o Identify threats to each assets
o Identify vulnerabilities that each threat may exploit
o Estimate Likelihood of the threat exploiting vulnerability
o Finally determine risk the security of individual assets by combining impacts and likelihoods

Risk Assessment Titles from eBay | Risk Assessment Titles from DISC InfoSec Store

 

Related articles

Related articles




Tags: Corporate governance of information technology, Information Security Management System, ISO/IEC 27001, Risk Assessment, Risk management

« Previous PageNext Page »