Wednesday, December 28, 2016

Cybercrime: $400 Billion in 2015 to over $6 Trillion in 2021

…according to Herjavec's Cybercrime Revelation Report, with black-hat hackers getting faster, more experienced and highly motivated by money, espionage and notoriety.
Another $1 Trillion will be spent on cybersecurity products and services over the same time frame, yet the cybersecurity workforce shortage persists or is growing.  Interestingly, nearly 50% of cyberattacks are committed against small businesses, but the battle is in cyberspace, where everything connected is affected.  Apparently, 90% of corporate executives report they are NOT ready for a major cyber-attack.  Records are being broken yearly as malware, identity theft, victim counts and zero-days increase or double; and the 5 most cyber-attacked industries are Healthcare, Manufacturing, Financial Services, Government, followed by Transportation.  Oh, and there is ransomware, which grew 300% in 2016…

While it's a foregone conclusion that no one can stop hackers completely, digital growth (size, complexity, convenience/convergence, etc.) will ensure it's a catch-up or reactive game. Stats show 12 people fall victim every second, which is 1 million victims worldwide daily. Moreover, Herjavec puts it in football terms: the bad guys run a no-huddle, hurry-up offense while the good guys require a huddle before any action takes place, in situations where speed is of the essence.  Of course, you don't always see the bad guys; they don't stand in front of you to attack but instead act remotely and with no set playbook (or rules).

Breaches can sound like a broken record, and unfortunately so can one of the biggest solutions to help combat them: security awareness, i.e. employee training for the weakest link.
But there is a list of 500 top/hot cybersecurity companies to watch

Thursday, December 22, 2016

Medical Device Cybersecurity... accounts for 42% of reported/related data breaches

With an uptick in FDA scrutiny and emerging requirements and expectations, Manufacturing is taking a hit, according to the ITRC (Identity Theft Resource Center)

Maybe indirectly, but interconnected medical devices can harm patients by allowing access to data as well as operations, if not outright tampering with device programming.  Devices connect to hospital networks, patient devices and healthcare workers, so key factors must come into consideration:
- Pre-Design: requirements that address security plans, risks and critical cyber-documentation
- Design Process: Connectivity characteristics should be analyzed and incorporated from the start, with appropriate mitigation decisions along the way. An early start can result in less expensive remediation or retrofitting efforts
- Prototyping: Assessing and conducting penetration testing allows correction of errors or security loopholes in the application, system or its use, enabling vulnerability identification and remediation
- Post-Market Updates: Maintenance after release is key to keeping security patches current via a security process and vulnerability management lifecycle that dedicates resources to addressing threats
- Responsible Disclosure Policy: Ability and social responsibility to allow reporting of vulnerabilities without legal reprisals, and clear internal policies/plans that address reporting, correcting and communicating important flaws or defects.


Sunday, December 11, 2016

SAP Cyber Report by Ponemon Institute

Key takeaways from "Uncovering the risk of SAPcyber breaches":

- Executives value SAP's importance to the bottom line but ignore its cyber risks; 63% of executives underestimate the risks and 23% know what data resides in SAP systems
- Average cost of it being offline is $4.5B
- Responsibility for security is conflicted: 62% say it is SAP's, not the company's, so there is an ownership issue
- 25% say NO one is responsible for SAP security, only 19% say the SAP security team is accountable and 18% the Information Security team
- Consistently over 50% say SAP applications are difficult to secure, express a high level of malware concern, and believe one or more malware infections are likely
- Less than 49% have the expertise to prevent, detect and respond to cyber attacks
- Visibility into the security of SAP applications is only 34%
- 30% say the remediation of an incident is unknown
- 75% say a breach would go undetected for at least a week; on the other hand, 53% say detection would be within 1 year
- Malware infection is rated at 33% Very Likely and 42% Likely
- 47% expect increased sophistication of attacks in the next couple of years
- New technology (mobile, IoT) increases risks
- Only 43% consider the cyber security risks when moving SAP applications to the cloud
- 73% say knowledge of recent threats will help identify security risks, and zero-days are a significant threat
- Segregation of duties improves SAP security
- Consistently over 80% say achieving security in the SAP infrastructure requires zero-day detection, prioritizing threats and monitoring
- SAP app most susceptible to attack:
  64% content and collaboration
  56% data management
  50% CRM - customer relationship management
  48% technology platform
  37% ERP - enterprise resource planning
  35% financial management
  33% supplier relationship management
  25% human capital management

And the study stats: 607 in the final sample; 35% Technicians, 21% Managers, 17% Directors, 15% Supervisors; 18% Financial Services, 9% Manufacturing, 8% Public Sector, 8% Retail, 7% Healthcare

Wednesday, December 7, 2016

Continuing predictions of 2017 for cybersecurity

From KnowBe4:
1) ARTIFICIAL INTELLIGENCE.
Everyone and their brother will claim that they have machine learning and/or AI as an offering and/or built into their product/platform, yours truly included. It's going to be marketing buzzword hell, because at the moment AI is not nearly as smart as people would like it to be, so buyer beware.
However...
Machine Learning and AI *will* move forward with lightning speed. Some of them will pass the Turing test. You will be able to talk to supportbots and not know if it is a human or not. You will also see fully programmable digital avatars going into commercial use.
2) BLOCKCHAIN
Micropayments and Blockchain applications will go mainstream in 2017. Mobile payments will grow massively, and apps will use "micro-payments" built on digital protocols like the Blockchain. Perhaps Blockchain will allow us to vote from our own devices in the next election. We will see the first smart contracts built on Blockchain.
Ransomware-as-a-Service will become a major threat vector, with a new technical feature using Blockchain to deliver the decryption keys after ransom payment.
3) BOARD ROOM
During 2016, boards of directors have realized that InfoSec risk management is an enterprise risk equivalent to financial, reputational, and legal risk. In 2017, there will be a raft of boards demanding a corporate security culture starting from the C-level down.
4) CEO FRAUD aka BUSINESS EMAIL COMPROMISE
CEO fraud was the up and coming cyberfraud scheme right after ransomware these last 12 months. During 2017 it will be an epidemic, equaling the ransomware plague we are suffering now. Remember the Nigerian prince scams? These cyber gangs are really in Nigeria, but they have climbed up in the criminal food chain and CEO fraud is their focus now. Train your high-risk users within an inch of their lives.
5) ESPIONAGE
During 2017 it will become apparent that espionage will turn out to have gone massively mobile and nobody knew about it. Revelations about both Android and iPhone devices will show they have had 0-days for several years and the NSA was able to own any device they wanted at any time.
6) INTERNET OF THINGS
A major outage caused by a purely malicious Botnet of Things like Mirai will prompt the new U.S. Administration to enforce IoT device security standards and require certification from device vendors.
7) MOBILE MALWARE
Mobile malware will continue to grow at an exponential rate. During 2017 tens of millions of smartphones will be infected with auto-rooting malware. New strains can embed themselves in a phone's bootloader and remain persistent even after factory reset. Scary.
8) OPEN SOURCE
In 2017 we will see a very high-profile data breach based on an open source vulnerability that was disclosed in...wait for it... 2012. The average age of an open source vulnerability in commercial applications is more than five years, and almost everyone is using Open Source these days. Ouch.
9) RANSOMWARE
We have seen exponential ransomware infections in 2016, and this trend will continue in 2017. There are close to 250 different families at this point; this will triple in the next 12 months.
Locky will be the first strain with 1 billion dollars in criminal revenues. Organized Eastern European cybercrime will continue to specifically target health care, education and local government with updated ransomware strains.
10) STATE SPONSORED HACKING
Look, we have a low-grade cyberwar and massive cyber arms-race going on. It's simmering and now and then it flares up, basically with proof-of-concept attacks, except for Stuxnet which was the real deal. In 2017 we may very well see the first major real-world damage caused by state-sponsored hacking.

Sunday, December 4, 2016

CISO Executive Summit 2016

With over 200 CISOs / security leaders in attendance this past week, it was a great day of sessions / breakout forums, networking and a few vendor product / service solutions…

The keynote theme began with Olympic silver medalist John K. Coyle presenting on the Design Thinking concept, consisting of Understand, Empathize, Ideate and Prototype, i.e. clearly understanding the problem and uniquely developing a solution; it brings you to focus on strengths and merely work around weaknesses.

Other key takeaways:

- SaaS is the new development model – trending to reality

- SAP is the shadow IT with limited security visibility (gap in patching and flow/integration)

- Ransomware will happen (to anyone) so weigh price of recovery vs. paying ransom (and do tabletop exercise)

- Mobile End-Points increase threats particularly without multiple factor authentication / MDM strategy, so a little friction is not always bad

- Security controls should weigh in on IT Operational cost – it's a shift in duty / control

- Directed attacks cannot be stopped; so position for response/detection more than position for prevention

- Hunting or spot-audits are necessary, though resources are a constraint

- Lead in 2 directions, being normal security controls as well as user experience / expectation 

- We cannot be the CI"no" (user-centric security)

And, for an industry cyber security survey roll-up of over 700 CISOs (over 50% from Finance, Retail, Healthcare), see attached; summary being:

- Top Threats: IP theft, 3rd-Party risk and Reputational harm

- Top Priorities: Detect/Respond to adversarial threats, Build Security Awareness Organization, Communicate risk to stakeholders, Apply Risk Mgmt. to Security Strategy and Protect Cloud data/app/infrastructure

- 6% of overall IT spend is on Security

- 59% of CISO budgets expect to increase (modestly or significantly) on Vul mgmt., Incident Response and Awareness


Monday, October 24, 2016

Welcome IoT (Internet of Things)

A Mirai botnet of hacked IoT cameras and routers (according to Flashpoint) targeted Dyn (a large DNS provider; DNS translates domain names to IP addresses in a hierarchical manner) with a Distributed Denial of Service (DDoS), ultimately rendering major websites offline, including Twitter, Spotify, Reddit, NY Times, Pinterest, PayPal, etc.  The same Mirai malware was behind the attack on Brian Krebs' website last month, with traffic peaking at 620 Gbps… and U.S. intelligence characterized this recent case as internet vandalism, as reported by NBC News.

The Mirai source code had been released to the public, and the attack showed itself in multiple waves on October 21, the first at approx. 6:10am and the third around 2:30pm CST, lasting until it was resolved at approx. 5:15pm.  While DDoS is not new to the industry/Internet, it becomes more pervasive with connected devices, particularly those with default login or management/SNMP credentials… DDoS can come in the flavor of simply flooding your routers or devices with more packets than they can process; more commonly, packets are sent that demand a response (e.g. TCP handshakes, GET requests), which further overwhelms bandwidth and causes processing congestion.  And the more sophisticated variant is this Mirai type, which makes your individual PC act as a DNS server that further floods the Internet with bogus requests and responses for name/IP lookups.

Point being, early detection by monitoring network/bandwidth spikes can offer good triggers for your environment.  Also, obtain high-capacity servers and/or configure scrubbing filters to absorb large traffic spikes (or at least taper the slowdown); and finally, opt for an out-of-band connection from your hosting provider or a Content Delivery Network (CDN) for your company's primary websites. Not bulletproof, but some countermeasures.

Thursday, August 18, 2016

Some notable hacks reported since my last post

But first, news related to the Shadow Brokers posting keys-to-the-kingdom:
WHAT IF the National Security Agency's top-gun hacking tools/code were exposed on the Internet?  Reports indicate that members of TAO (Tailored Access Operations), the agency's hacking division, seem to point to the legitimacy of the code (related to zero-day and other coding flaws), which potentially exposes commercial firewalls such as Cisco and Fortinet, used by government and large corporations.
A group calling themselves the Shadow Brokers used BitTorrent and Dropbox to deliver the content and is auctioning off the rest of the code to the highest bidder.  Hacker hoax, diversion tactic (by whom?), oops/mistaken upload, political opportunity… we'll see.
Source: washingtonpost.com 

And from privacyrights.org, here is at least August's list of reported hacks, which contains mostly medical-type data exposed/unauthorized access. Interesting.

  • HEI Hotels & Resorts (Marriott, Starwood, Sheraton, Westin) – Payment processing systems breach in several states and District of Columbia – total records unknown/not reported yet
  • John Gonzales DDS – Stolen briefcase with external hard drive with patient records (SSN, DL, DOB, Health info) – total records unknown/not reported yet [July]
  • Bon Secours Health System – Files inadvertently left visible/accessible via Internet totaling 655K patients (containing names, health insurance ID, SSN, clinical info) [April]
  • Valley Anesthesiology & Pain Consultants – Medical information along with SSN may have been compromised via 3rd-party [June]
  • Prosthetic & Orthotic Care, Inc. – Medical, cyberattack of 23K+ records [June]
  • Autism Home Support Services – Medical, unauthorized access of 533 records 
  • Brian D. Halevia-Goldman MD – Medical, 2 laptops stolen resulting in 2K+ records [July]
  • Professional Dermatology Care PC – Medical, unauthorized access of 13K+ records
  • Oracle’s MICROS PoS – Retail and Bank information, via customer support portal and over 700 infected systems
  • Newkirk Products – Health insurance via cybersecurity incident
  • 7-Eleven – Personal employee data via database [June]
  • Center for Minimally Invasive Bariatric and General Surgery – Medical data of unauthorized access reported by HHS
  • Banner Health – Medical information through unauthorized access on server

Thursday, July 7, 2016

Leadership for Managers – succinct version

A 10-week Dale Carnegie class condensed into 3 days… and the upshot is below, by virtue of 1-liners
  1. Set a VISION – without boundaries and is believable…and don’t put a timeframe since you may need to roll forward new things
  2. SMART goals are specific and measurable – and perfection should not be a goal
  3. LEADERS will reflect on what’s not working and adapt a plan to fit it
  4. Drivers for SUCCESS
    • Self-Direction, People, Skills, Process Skills, Communication, and Accountability
  5. Your MESSAGE: 
    • What I say counts for 7% 
    • How I say it (tone) counts for 38% 
    • What I do when I say it (body language) counts for 55%
  6. EMOTION is the single factor that drives thinking and alters decision
  7. Cycle of growth equates primarily to ATTITUDE and is the performance metric, otherwise the difference is called motivational gap
  8. MOTIVATION is single more important driver for effectiveness
    • Apply Maslow’s Hierarchy of Needs (Survival, Safety, Belongingness, Esteem, Self-Actualization) to the other person 
  9. COACHING using GROW 
    • Goal – Clarity with specificity 
    • Reality – self-reflection of today
    • Options – what to change to get there and why
    • Way Forward – prioritization and follow-up
  10. FAIRNESS is based on: Assurance, Belief, Relationship, Identity, and Control
  11. Understand areas of INFLUENCE and control the areas you have DIRECT CONTROL over (anything else can be ignored)
  12. BUSY WORK is a waste of time/effort!  Time used will never get back
  13. Good FEEDBACK should be given by itself – bad feedback does not necessarily have to be sandwiched (between good)
  14. BELIEVE in yourself – never question what leadership looks like, it’s YOU
  15. Practice DRILLING – for factual details and ask WHY e.g. Why is it important to you or someone else
  16. Planning Process: Desired Outcome, Current Situation, Goals, Action Steps, Time Frames, Resources, Obstacles and Contingencies, and Tracking and Measurement
  17. I will remember others’ NAMES, only if I say/believe, I will (because it’s important to you)
  18. Our VALUES are our belief system – which drives our behavior, so how one behaves speaks to their real values
    • Our perception of values might change but who we are does not
  19. Have a meaningful conversation, storytelling and injecting WHY - To learn about the situation and appreciating the other person 
  20. Understand and apply what’s most important to your organization, direct manager and to yourself i.e. Time, Cost or Quality trifecta / dimensions
  21. The Innovation Process: Visualization, Fact Finding, Problem OFI Finding, Idea Finding, Solution Finding, Acceptance Finding, Implementation, Follow-up, Evaluation
  22. Presentation effectiveness is rooted from personal SELF-CONFIDENCE and based on individual experiences
  23. LEADERSHIP involves people while MANAGERS involve processes
    • Lead the People, Manage the System
  24. Without managing your TIME properly, nothing else can be managed, Tyranny of the Urgent
  25. Employee ENGAGEMENT circles around: Pride in the organization, Belief in senior management and Satisfaction with Immediate Manager
  26. Problem solving TOOLS – Google it :)
    • Affinity Diagram
    • 4 Problem solving questions (What is, Cause, Possible and Best Solution)
    • Criteria method 
  27. DELEGATION Process: Select the person, Identify the need, Plan the delegation, Hold a delegation meeting, Create a plan of action, Review the plan, Implement the plan, and Follow up
  28. Delegation to DEPUTIZING is truly giving total ownership and letting the other prosper
  29. PRAISE includes: Context, Specifics, Impact, Identity, Congratulate
  30. COUNSEL includes: Context, Specific, Impact, reinforcement, Seek Solutions
  31. FILTERS exist in all communication e.g. environment, assumptions, cultural, distortion becomes reality
  32. Right approach to handling MISTAKES: Research, Rapport, Reference, Restore, Reassure and Retain - otherwise Restate, reinforce, Replace
  33. Be self-aware
More to come...till then Plan-Do-Action based on Dale Carnegie's Golden Book


Thursday, June 23, 2016

What was your last team building event? Your next, and why?

It's not an event but a process to work on interpersonal relations… with intended benefits such as improved performance, alignment and reduced ambiguity within a TEAM.  You can google for the definitions… but the entire activity should be a "cycle": planning, agreeing, participating and reflecting are all part of the experience.  Envision the problem-solving skill that is required to gain agreement on the activity alone, i.e. there's no "i" in team, whether the event focuses on results-based outcomes, simply promoting full engagement, or whatever the theme might be.  Feeling like you're a member and helping to motivate each other is essential to driving downstream productivity, because feeling valued is second to none.
APA’s Psychologically Healthy Workplace Program – deemed most effective activity:

  • Volunteering
  • Physical Activities
  • Field Trips
  • Professional Development Activities
  • Shared Meals

Consideration points: It's about problem-solving and communication, self-examination, underlying leadership (from the facilitator or host), a theme / goal hopefully with some analytics, and feedback

Constant improvement: The upshot is everyone learns differently and each takeaway will be based on personal experience and self-discovery.  Answering the question WHY during the entire process / activity will allow each person to get the most out of the experience.  Oh, don't forget to celebrate!

Tuesday, June 21, 2016

Synopsis of IIA’s Managers Forum on IT Security

With good presenters and maybe over half of the 70+ registered in attendance, the focus centered on cyber security, CEO/executive concerns on the topic, and M&A exposures, i.e. breach trends and controls

  • Among the culprits of cyber hacking is the Morpho group – no association with nations yet, but linked to 49 corporate data breaches / thefts in 2013 (who knows how many more are under investigation and cannot be published yet); and pseudo-nation-state groups – operating in hostile countries with no evidence of government funding and focused on avoiding R&D costs
  • Many statistical studies and publications, including the Verizon security breach report, mention 2015 as the height of data breaches thus far, i.e. approx. 4000 incidents, 1854 of which occurred at for-profit organizations, and 736 million records exposed
  • Key points mentioned were the cyber-espionage uptick in Manufacturing (overall #2) and 90% of incidents relating to trade secrets, e.g. Pharma manufacturing, newspaper/magazine paper mills with PHI data...
  • Companies conduct due diligence during M&A including: value of trade secrets, market analysis on brand and of course capability/viability… but a hidden danger is an unreported breach of non-customer PI data, since public disclosure is not required
  • Additional considerations include: determining security posture/risk and efforts to sustain your security requirements/controls, ability/agility to actively react to log activity, i.e. proactive threat vectors, and having an eye on data inventory and distribution/flow including 3rd-party connections

Finally, when out with executives or senior leadership, have your elevator speech ready.  Know with confidence where your highest security risks / threats are; your capability and diligence to react/correct/recover (tools, processes, SMEs); your awareness strategy; and put in a healthy plug for budget to ensure delivery of your security goals.

On M&A, my personal take/experience is to try analyzing the "value" of the company data and analytics on the related exposure cost (due to non-compliance or lack of security controls), and have the value clause written into the contract.  If anything, it might be used to leverage the price/bid of the company being acquired!  Can you put an ROI on that math/benefit?

Monday, June 6, 2016

Cyber shift from banking to healthcare / education

Tripwire Inc. reports an increase in cyber attacks in generally all major sectors except banking and finance.  Citing 3 trends / examples:

  1. The Anti-Phishing Report Group noted a 250% increase in phishing activity between 10/2015 and 3/2016 and nearly 300K unique phishing sites just in Q1 of 2016
  2. The UK's Telegraph noted about an 80% drop in digital attacks
  3. University of Calgary reported a digital state of emergency when malware infection resulted in shutting down the university’s infrastructure just as an international academic event was being hosted for over 8000 participants.  A similar event happened to MedStar, a healthcare provider.

So while banks are heavily investing in securing systems/infrastructure, cyber programs in general may be a step behind, or are not as mature for Internal Audit departments, for example.  A few industry comments on where to begin, summarized from a LinkedIn post:
Approach:

  • Continuous / non-static review; as important as the framework may be, the value of the output is key
  • Study the governance structure and IT framework, which will lead to a 2-4 year audit program/cycle

Major to-dos:

  • Map IT audit universe
  • Determine risk and gap assessment
  • Conduct risk assessment

Audit types listed: Operational, management, business risk, HR, financial, IT, incident, problem, backup, log, data center, outsourcing, application, 3rd-party management
And, prevalent topics offered: Access control – on/off-boarding, Change management, Anti-malware.
We'll update as more weigh in on the IA topic...

Friday, May 27, 2016

Pharma: Valeant says NO to joint Takeda and TPG takeover

...giving Papa time to run the ship as the newly appointed chief executive.  So, the Quebec company keeps the embattled but reportedly world-class franchise known for its therapeutic areas, dynamic workforce and affordable products...
The rejection came after a "premium" offer at a time when Valeant stock had been plunging this year, perhaps due to the debt load scandal, prompting it to sell off non-core assets.  Valeant beat Takeda last year in a bid for Salix, which Valeant's forecasters think could be worth $1B in sales this year.  Upon the news, VRX traded +6% to $28.  For Takeda, the takeover would have provided a spark to Xifaxan and an uplift to Entyvio, reportedly.
Read more on Wall Street Journal

Hillary's email printer = 24.187.234.188

and on the campaign news (again)
An Internet / IP-based printer was set up under the clintonemail.com domain, called printer.clintonemail.com.
I wonder if it had a config banner that said "print to me" or "please capture packets now"… Hacking 101 seeks the obvious: searching for target names (or derivatives, but not needed here, a bit obvious), identifying / scanning open and clear-text ports to find available or vulnerable services, then listening (packet capture / man-in-the-middle), storing info and/or exploiting vulnerabilities for exfiltration, extortion, etc.  That said, encryption/VPN was not mentioned… Krebs on Security also noted passive DNS records adjacent to:
24.187.234.186 rosencrans.dyndns.ws
24.187.234.187 wjcoffice.com
24.187.234.187 mail.clintonemail.com
24.187.234.187 mail.presidentclinton.com
24.187.234.188 printer.clintonemail.com
24.187.234.188 printer.presidentclinton.com
24.187.234.190 sslvpn.clintonemail.com

Thursday, May 26, 2016

Buzz to business or bust – Google Life Sciences’ Verily

The Baseline Study - Integration of personal and external information/population of human health and transition to disease e.g. understanding the mutations over time and before onset of disease through exams

Collection and analysis of viruses / malware, or of credit history or spending trends, may have been the norm for some (long) time, but health data collected by fitness bands and rapidly digitized health records may be unique identifiers that cannot be easily changed/replaced in comparison.  Yet the corresponding data confidentiality/integrity protection is only now being noticed.  Of course, the centerpiece bringing it to the forefront is the availability and affordability of digital/wearable devices, for example, but the ramification on personal life and health is invaluable.  The launch of the spinoff Verily preceded / advanced the stacking of leading researchers and biomedicine experts, including a Harvard-graduate Medical Officer, a Technology Officer from the University of Washington and other Google principals in business development.  Moreover, it will also find itself competing with tech companies including Apple as well as a flurry of bio-tech startups.  Aside from running experimental genetics and clinical studies, the company makes miniaturized medical devices with intelligence/software and licenses them to medical and pharmaceutical companies…
Key pursuits reported by recode.net including:

  • Diabetes partnerships (Novartis, Dexcom, Sanofi)
  • Multiple sclerosis partnerships (Biogen Inc. for wearable sensors)
  • Nanodiagnostics (by taking a tiny pill and monitoring with wearable devices)
  • Liftware (Parkinson’s disease study)
  • Heart Disease (diabetes with American Health Association’s $50M funding)
  • Mental Health
  • And, probably most known/hyped for Robots (Johnson & Johnson robot joint venture)
And of course, Baseline – underplayed genomic, molecular and cellular science but really big data from volunteers prepped for study.  A record 10,000 patient records are to be collected over the next 5 years, which has sparked some so-so debate about ethics and privacy, including resonance with patients or profiling such as socioeconomic, psychosocial, geospatial and genetic data.  Of course, some of the turmoil is occurring internally as the scientist and business worlds collide. But patient health and ethics will align; or at least preventive health will prevail, right?

The upshot is basically preventative care by merging technology and life sciences by identifying trends / synergy of health and reactive approach to disease management.  So, the innovation and ecosystem of disease and treatment will offer Patient Management set of Services in a Healthcare centric platform.

netflow and OODA loop

Circling back to the beginning with each step/phase is a must for OODA - Observe | Orient | Decide | Act
Observation points for what occurred are identified through various logs, including firewall, IDS/IPS, proxy services, and local system logs; a central / aggregated store or SIEM is helpful.  Perhaps one of my favorites in this scenario is the use of netflow data.  A couple of options exist for exports, including: taps, SPAN / mirror ports and virtual machine installs on VMware ESX servers.  Of course, advances in technology stretch the capabilities and blur the analysis of full packet capture, including APTs, virtualized data centers, DDoS, IPv6, etc., so what's equally important is a proper kill chain.  It starts with Reconnaissance and understanding the Exploitation, then determining/detecting the command-and-control methods, which can lead to data exfiltration, corruption, and harvesting (or holding hostage) of critical information.  So, having the appropriate toolset is complemented by having the right escalation and communication path and SMEs.  Recovery strategy and capability will come to bear in terms of recovery as much as Dwell Time (time from infection to detection to recovery).
Specific considerations for netflow include: flow assembly, flow deduplication and retention (allows efficient storage and eliminates false positives), and behavioral analysis/recognition (algorithm and visualization).  Finally, related analytics and visual representation will offer the best indexes, alarms, and reactionary awareness.  An available source of info: lanscope.com
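As an added example (not code from the original post), here is a small Python netflow-style analyzer that illustrates the flow deduplication and behavioral spike detection considerations above, and the bandwidth-spike trigger mentioned in the Mirai/Dyn post: it collapses duplicate records seen by two export points (tap and SPAN), buckets traffic per destination per minute, and flags a bucket whose byte count jumps well above the preceding baseline and is reached from many distinct sources. All flow records, addresses and threshold parameters are constructed and hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One exported flow record (fields modelled on basic NetFlow v5/v9 fields)."""
    start: int        # epoch seconds of the first packet
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    packets: int
    octets: int
    exporter: str     # which export point produced it: "tap" or "span" (constructed)


def dedup_flows(flows):
    """Flow deduplication: the same conversation is often exported by more than one
    vantage point (tap and SPAN here). Key on start time plus the 5-tuple and keep the
    record with the most octets, so bytes are not double-counted in the analysis."""
    best = {}
    for f in flows:
        key = (f.start, f.src, f.dst, f.sport, f.dport, f.proto)
        if key not in best or f.octets > best[key].octets:
            best[key] = f
    return list(best.values())


def bucket_by_dst(flows, bucket_secs=60):
    """Flow assembly: sum octets/packets and collect distinct sources per destination
    per time bucket. Returns {(dst, bucket_start): {"octets", "packets", "srcs"}}."""
    agg = defaultdict(lambda: {"octets": 0, "packets": 0, "srcs": set()})
    for f in flows:
        b = (f.dst, f.start - f.start % bucket_secs)
        agg[b]["octets"] += f.octets
        agg[b]["packets"] += f.packets
        agg[b]["srcs"].add(f.src)
    return agg


def detect_spikes(agg, baseline_buckets=3, sigma=3.0, min_srcs=20):
    """Behavioral check: a bucket alerts when its octets exceed the mean of the preceding
    baseline buckets plus sigma standard deviations (floored at twice the mean, so a flat
    baseline with zero deviation does not alert on every wobble) AND it was reached from
    at least min_srcs distinct sources, which separates a volumetric DDoS from one busy
    legitimate client. Returns a list of (dst, bucket_start, octets, distinct_sources)."""
    per_dst = defaultdict(list)
    for (dst, t), v in agg.items():
        per_dst[dst].append((t, v))
    alerts = []
    for dst, series in per_dst.items():
        series.sort(key=lambda item: item[0])
        for i in range(baseline_buckets, len(series)):
            hist = [v["octets"] for _, v in series[i - baseline_buckets:i]]
            t, v = series[i]
            threshold = max(mean(hist) + sigma * pstdev(hist), 2 * mean(hist))
            if v["octets"] > threshold and len(v["srcs"]) >= min_srcs:
                alerts.append((dst, t, v["octets"], len(v["srcs"])))
    return alerts


def build_sample_flows():
    """Constructed sample export: three quiet minutes followed by a flood against a web
    server, plus a second host with a mild, legitimate increase that must not alert.
    Addresses come from the RFC 5737 documentation ranges."""
    flows = []
    web, other = "203.0.113.10", "203.0.113.20"
    for t in (0, 60, 120, 180):
        for i in range(5):                       # 5 regular clients, seen by both exporters
            for exp in ("tap", "span"):
                flows.append(Flow(t + i, f"198.51.100.{i + 1}", web, 40000 + i, 443, "tcp", 10, 1000, exp))
        for i in range(2):                       # steady traffic to the second host
            flows.append(Flow(t + i, f"198.51.100.{50 + i}", other, 41000 + i, 443, "tcp", 10, 1000, "tap"))
    for i in range(60):                          # minute 180: 60 new sources hammer the web server
        flows.append(Flow(180 + i % 30, f"192.0.2.{i + 1}", web, 50000 + i, 443, "tcp", 50, 3000, "tap"))
    flows.append(Flow(185, "198.51.100.60", other, 42000, 443, "tcp", 15, 1500, "tap"))  # one extra client
    return flows


def analyze(flows):
    """Run the pipeline end to end (dedup -> assemble -> detect) and return the alerts."""
    return detect_spikes(bucket_by_dst(dedup_flows(flows)))


if __name__ == "__main__":
    for dst, t, octets, srcs in analyze(build_sample_flows()):
        print(f"ALERT {dst} bucket={t}s octets={octets} distinct_srcs={srcs}")
```

Only the web server's minute-180 bucket alerts (185000 octets from 65 sources against a 5000-octet baseline); the second host's rise to 3500 octets from 3 sources stays below both the volume floor and the source-count gate.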

Monday, May 23, 2016

Healthy Big Data for Biomakers

Pharmaceuticals have been in the tabloids lately, due in part to infamous company price gouging, but today 3 firms are uniting to make their contribution by analyzing data of healthy adult volunteers.  By studying the health data of patients, it can be used to compare/contrast other patient stratification with a global footprint and perhaps accelerate innovation in other drugs and discovery.  Though the initial focus is on therapeutic areas, the power of big data and analytics is contagious.  The 3 biomakers are Astellas, Daiichi Sankyo, and Takeda.
Article Source: The Financial

Monday, May 16, 2016

Have you seen the red clock counting down - Cybercrooks

Ransomware is the biggest online threat…as if it came as a surprise
Numbers include 4 Million reported during this time/Q2 of 2015, and who's got the number for unreported cases?
With the playing field contributing strong/open encryption algorithms, anonymous communication protocols and digital currencies, the landscape is prime. Why wait to resell confidential and/or time-sensitive information (or processes) on the black market when you get paid directly by the victim, right?  The evolution of ransomware started with files being encrypted or zipped, then immobilizing the computer by overwriting the master boot record; and from Windows to Linux and now just about anything, iPhone, Android phones.  True to malware form, there are variants and derivatives that have become prevalent within other software.  Even more terrifying is your own web servers being infected and distributing malware so social engineering is not required, i.e. SamSam – which includes capabilities to create backdoors and leaves the entire network at risk.
So, prompt patching, signature updates and quarantine, good backups with an effective recovery solution and sound behavioral-based defenses / APT protection…are all solutions that need to be immediately addressed.
Article source: The Economist

Wednesday, May 11, 2016

Failed action plan for UK cybersecurity

According to zdnet.com, 2/3 of the largest UK businesses suffered a breach within the last 12 months and 1/4 of them suffer a breach once a month.  And 51% of medium firms also suffered cyber attacks, 33% of small firms and 17% of micro firms. These numbers are even more staggering when factoring in that these are just the breaches that were reported.  The cause of the cyber breach is reported to be viruses, malware and spyware.
By the numbers...
Of the over 13,000 businesses surveyed, a few key breakdowns:

  • Manufacturing totaled 687: Small/Micro 150 | Medium 313 |Large 224
  • Retail/Wholesale/Vehicle Repair totaled 657: Small/Micro 324 | Medium 192 | Large 141
  • Finance or insurance totaled 1315: Small/Micro 718 | Medium 277 | Large 320
  • Health or social care totaled 432: Small/Micro 113 | Medium 248 | Large 71

Summary Results:

  • 69% of businesses claim cyber security is a high priority for senior managers but only 51% have taken recommended action plans to identify and 29 have formal written cyber security policies
  • 65% of firms detected a cyber breach within the past year, 68% of these being virus/malware/spyware and 32% impersonation of the organization
  • $3.4 Million was the most costly breach identified…the average for large firms was $41,600
  • 51% have taken 5 or more of the Government's 10 Steps to Cyber Security, of which 28% include technical measures
  • 13% have cyber security standards for their suppliers (25% of medium and 24% of large firms)
Source: Cyber Security Breaches Survey 2016

Thursday, May 5, 2016

FBI will be allowed to hack computers worldwide

A downstream effect of the US-EU Safe Harbour debacle is that the FBI has been given authority to hack computers and devices anywhere in the world – based on a recent US Supreme Court action.  The European Parliament is pending a vote on the Privacy Shield as a means to address data-protection responsibilities, but this new order is just a formality AKA Snowden's revelations on surveillance, etc.  Hence, warrants and the process of search/seizure may go by the wayside and have no boundaries. More developments and rulings, I'm sure....
Article source: IrishTimes.com



Wednesday, April 20, 2016

Contributors and hindrances to being a Leader

The do’s and don’ts according to TedTalk - Forbes

  • Be present, reach for the stars, and believe in yourself – do not sit on the sidelines or on the edge looking in, and don't underestimate your skills
  • Be more engaged in conversation – a smile goes a long way but equally important is the tone of your voice to convey the message…which should NOT include: gossiping, judging, negativity, complaining, excuses, lying, dogmatism
  • Understand your audience, and the WHY, not just the what – people buy more into why you believe such things, not what you believe in, i.e. the latter is just proof

Inspiring others will naturally make them follow, and do so for themselves - because they want to...as long as there are integrity, honesty and compassion in the words that mimic the actions - takeaway from #trueleader article

Friday, April 15, 2016

GRC Roundtable

A brief collaboration of nearby (brand name) industry leaders at various (earlier stages) of the GRC journey for their organization...hosted by PwC
Very participative discussion with highlights / notes below:

  • Leading products mentioned were Archer (of course), RSAM, ServiceNow, MetricStream, Protiviti, ACL
  • Key question raised was the requesting and formulation of requirements from all GRC participants i.e. stakeholders, end-users
  • Determining what processes require inclusion is vital to the strategy and success of a GRC solution...as well as obtain professional services at pivotal points
  • No single executive sponsor was witnessed to drive the solution from strategy to deployment - which results from the high cost of investment for a comprehensive/cross-departmental deployment.
  • Essential fact is that, demonstrating success within your own/individual deployment or department will break the barriers with others / cross-divisional lines
  • Considerations with existing platforms such as company ERP, ERM, Security Practice can greatly influence requirements, architecture, support, etc.
  • Off-line features can be essential when working remotely or due to other limitations.  However, off-set mobile capabilities are still in their infancy
  • GRC delivers metrics, a reflection of trends and operational status; however, decision making, ROI and particularly risk reduction are a future state.
  • Multiple (GRC) toolsets are the norm so set your expectations and plan accordingly for integration i.e. a single solution is highly unlikely
  • To achieve "sexy" or comprehensive dashboards for C-Suite levels to Managers to End-Users requires other visualization tools.
  • Not addressing change management for deployment and daily usage will hamper implementation and longevity
  • Data privacy (access, storage) is a concern for global organizations although most are turning to cloud based solutions (that offer better product/service support and customer accessibility)
  • Product mobility and accessibility is a need, yet 2+ years away from general use/release e.g. leverage GRC for operational efficiency via mobile devices is just a wish for now regardless of marketing slides
Can't wait to compare notes throughout this journey

Wednesday, April 13, 2016

Glass-ceiling index for women in the workforce

...study by The Economist.com
Weighted values can be adjusted but overall, based on the role of women in the workforce vs men, wage gap, and education:

  • Top/best countries are Iceland, Norway and Finland
  • The bottom/worst are Japan, Turkey and South Korea 

Also, studies show that where new fathers take parental leave, mothers tend to return to the labour market, female employment is higher and the earnings gap between men and women is lower. Each country’s score is a weighted average of its performance on ten indicators - from the Economist.com




Tuesday, April 12, 2016

Snippets of security breaches around the world

in 30 seconds since Japan sightseeing…

  • 1.4 GB of personal identification numbers and other sensitive data of 10 million Turkish citizens were uploaded to the web…pointing to the Turkish government as the source of the unencrypted data.  There are references to it being related to a prior 2010 breach, Americans or comments related to the presidential candidate / Trump, etc. but authenticity is still being investigated.
  • The Philippines election website was hacked just before the general election
  • A former employee of the FDIC (Federal Deposit Insurance Corporation) inadvertently downloaded information that caused a cyber breach of 44,000 customer records.  This is coming on the heels of 22 million personal records exposed last summer due to a hack on the Office of Personnel Management database.
  • An Indianapolis Decatur Township robbery led administrators to quickly disable a teacher's key fob when his home was burglarized in the early morning hours of April 11th (the fob would have allowed access to the school and other sensitive areas such as server rooms and student records). The stolen computer and iPad were not issued by the school and no information regarding their data content has been reported.
  • A water treatment plant is said to have been infiltrated by a Syria-related hacktivist group using SQL injection and phishing techniques, resulting in control of regulated valves and ducts for the flow of water and chemicals that could directly affect 2.5 million customers
  • A Delhi Metro security breach which included a stabbing is leading to further dispute about who should be in charge of security, Delhi police vs. Central Industrial Security Force.  Apparently, repeat incidents over the years have once again raised the topic/urgency.
  • The National Childbirth Trust (NCT) website was breached, leading to compromise of email addresses, usernames and passwords (but the charity claimed no financial or personal data was exposed).  The charity brings together networks of local parents with other parents for relationship development, emotional support, etc.  Based in London, it has branches in Scotland and other bordering counties.
  • Trump Hotels is looking into a credit card data hack due to suspected fraudulent activities related to New York, Toronto and Honolulu hotel locations.

Wednesday, March 30, 2016

PhRMA takes Cures Act to the Hill

The drug industry is going straight to Capitol Hill to meet with lawmakers in hopes of curbing the discussion and setting precedent instead of a wait-and-see approach that only leads to contentious debates.  Leading the charge while the Senate ponders the FDA reform bill called 21st Century Cures is PhRMA's CEO.  The Act could be a groundbreaking approach for a pharmaceutical industry plagued with price gouging and notorious leadership that has come into question.  Steve Ubl, CEO of PhRMA, intends on having both scientists and patients speak directly with lawmakers in hopes of shaping imminent policy making.
The 30K view of Cures is focused on medical innovation, the FDA approval process and new drugs….so topics around exempt reprints and reference text related to the Sunshine Act (reversing some CMS rules), extension of FDAMA 114 for manufacturers' communication of scientific developments, new FDA development guidelines and reversal of some FDA regulation on social media.  For specifics, turn to docs.house.gov
For IT, healthcare vendors will notice downstream effects from HIPAA related to upgrades and compliance of practice management software including:




  • Fax machine (like Mainframes) - lingering deployment so added tracking and security will be required
  • Security training - updates programs / procedures and mandatory awareness training 
  • Access control - increased protection of PHI including audits and proactive account management
  • Physical security - facility and equipment room security protection, badges and key codes
  • And, all this with increase healthcare data access

Tuesday, March 29, 2016

.suprise another ransomware

A new remote-control ransomware called Surprise has surfaced, working out of memory whereby another executable, from an encrypted BASE64-encoded string, is launched to encrypt your files (except those with a $ symbol or in C:\windows or C:\programs)…then it executes a delete executable to remove shadow files and provides you with a Notepad ransom note.  The trend apparently is linked with use of TeamViewer software, but the ransomware trail has reportedly gone cold and thus the cause/source is unknown/unconfirmed.  TeamViewer rejected reports that its logs/accounts were compromised/posted or that the flaw is within its software, since it deploys end-to-end encryption, applies botnet attack protection, etc. according to myce.com
Just a quick news flash...and one of many dBs of victims at haveibeenpwned.com - for your edification
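Detection logic for the two behaviours the post describes, as an added example (not from myce.com or the post): it scans constructed Windows process-creation events for a launch driven by a long BASE64 string and for deletion of volume shadow copies, and rates each host on whether it shows one or both. Hostnames, paths and the sample command lines are assumptions made up for the example.

```python
"""Flag the in-memory BASE64 launch and the shadow-copy deletion step of a
ransomware run in constructed Sysmon-style process-creation events."""
import base64
import binascii
import re
from collections import defaultdict

# Constructed events; the encoded payload is built here so the sample is readable.
_PAYLOAD = base64.b64encode("Start-Process $env:TEMP\\x.exe".encode("utf-16-le")).decode()
EVENTS = [
    {"host": "ws-04", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c dir C:\Users"},
    {"host": "ws-17", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -EncodedCommand " + _PAYLOAD},
    {"host": "ws-17", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws-17", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Desktop\READ_ME.txt"},
    {"host": "ws-09", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic.exe shadowcopy delete"},
]

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
SHADOW_DELETE = re.compile(r"delete\s+shadows|shadowcopy\s+delete", re.IGNORECASE)
LAUNCH_HINT = re.compile(r"\.exe\b|start-process", re.IGNORECASE)


def decode_token(token):
    """Decode a BASE64 token, trying the UTF-16-LE that PowerShell's
    -EncodedCommand uses first, then UTF-8; '' when it is not decodable."""
    try:
        raw = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        return ""
    for enc in ("utf-16-le", "utf-8"):
        try:
            return raw.decode(enc)
        except UnicodeDecodeError:
            continue
    return ""


def classify(event):
    """Tags for one event: 'encoded_launch' when a BASE64 blob in the command
    line decodes to something that starts a program, 'shadow_copy_deletion'
    when the command removes the backups a victim would recover from."""
    tags = set()
    cmd = event["cmdline"]
    for token in B64_TOKEN.findall(cmd):
        if LAUNCH_HINT.search(decode_token(token)):
            tags.add("encoded_launch")
    if SHADOW_DELETE.search(cmd):
        tags.add("shadow_copy_deletion")
    return sorted(tags)


def scan_events(events):
    """Per-host verdict: both behaviours together look like the sequence the
    post describes; either one alone is only 'suspicious'."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(classify(ev))
    both = {"encoded_launch", "shadow_copy_deletion"}
    return {host: ("ransomware_like" if tags >= both else "suspicious")
            for host, tags in per_host.items() if tags}


if __name__ == "__main__":
    for host, verdict in scan_events(EVENTS).items():
        print(f"{host}: {verdict}")
```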

Monday, March 28, 2016

Retailer breach impact

By the numbers...and this report by Entrepreneur does the summary:
  • 64% of shoppers have accepted security breaches to be part of the shopping process and 53% say that security breaches are a risk they're willing to take in exchange for convenience...
  • 43% of shoppers (compared to 45% in 2014*) don't trust companies to keep their personal information safe. Of these, 30% don't think companies invest in enough security measures.
  • 85% of shoppers are aware of companies that have had a security breach where customers' personal financial information was exposed.
  • 39% spend less per shopping trip than before (compared to 26% in 2014*)
  • 69% try to use cash instead of credit/debit cards (compared to 79% in 2014*)
  • 60% shop online with one specific card designated to online purchases so that they can monitor its activity
  • 62% of shoppers have used credit and/or debit cards with chip technology to make purchases. Of these…
  • 71% say that using a credit card with chip technology makes them feel more secure when shopping.
  • 60% prefer to use a card enabled with chip technology over any other method of payment.
  • 26% say that they do not like using a credit card with chip technology because it takes too long

  • 80% Being honest about the incident
  • 73% Communicating with shoppers and responding to questions
  • 72% Taking financial accountability for their mistake
  • 69% Investing in additional preventative security measures
  • 6% Firing their CEO
  • 6% Firing the head of the IT department

Onto breaking news that the Justice Dept is withdrawing legal action against Apple's iPhone related encryption case of San Bernardino since the encryption was cracked by an unidentified entity...according to USA Today.  Nothing is unbreakable...surely more to follow on this topic

Friday, March 25, 2016

For Sale: 1.5 million Verizon customer records for $100K or $10K chunks

Verizon Enterprise customer information was stolen via the communications subsidiary, CNBC reports, but the phone network / Customer Proprietary Network Information (CPNI) was not hacked…according to KrebsOnSecurity
Itself a regular teller of breach and hacker analytics, Verizon is now investigating its own incident and will be addressing the potential exposure of confidential data on the black market and then the longer-term brand topic.

Wednesday, March 23, 2016

It pays for Ransomware

Is the consensus to pay or not, to get your data back? Is there a guarantee your data will be decrypted? Good thing you or your organization diligently perform daily/incremental backups, correct?
Unfortunately, there is no do-it-yourself kit to decrypt once infected with variants of ransomware.  As mentioned in past posts, the best precaution is not opening or clicking on emails/links you do not trust.
Last month, Hollywood Presbyterian Medical Center fell victim when hospital systems were held for ransom.  And since we are a global society, during the same time frame, two German hospitals also became victims (as well as an LA hospital).  That's just a snapshot of the hospital industry but it's happening in retail, financial, manufacturing, etc.  While the uptick is confirmed, reporting of incidents varies, or is simply lacking.  The rise will also come from novice cybercriminals that will use the ransomware-as-a-service model to accelerate growth throughout various business sectors or individual cases.  But the mass impact is still brewing as we increasingly store and share data in cloud services.  So, the traditional perimeters are disappearing and so will the home and office through wearable devices, when considering the 6.4 billion devices Gartner says will be connected in the next year - meaning, everything connected from one device/PC to another, one local drive to another shared drive, one company database instance to another...
Aside from good backups and fully investigating your options e.g. law enforcement, it's all about proportions.  That being, putting a price on how much your data is worth to your company and how much your company's net worth/value is, i.e. large organizations have resources to pay the millions of dollars being asked.  Aside from the latest, Locky and PadCrypt, the most lucrative malware are CryptoWall with at least 3 variants, TorrentLocker, TeslaCrypt, and CTB-Locker.  Practical experience tells me never to pay up but according to c|net "When you face the real deal, even the FBI says you should pay." So, choose wisely…

It's worth noting that payout does not necessarily mean cold cash delivery but bitcoins.  Don't know how to buy up a large amount of bitcoin?  Well, you may also be sent links or an online chat on "how-to".  That's right, a help desk on how to send extorted funds to the source, the criminal holding your data hostage.  No joke and certainly not a laughing matter!
Numbers resulting from the Cyber Threat Alliance's analysis of CryptoWall's effects include:

  • 4,046 malware samples 
  • 839 command and control URLs 
  • 5 second-tier IP addresses used for command and control 
  • 49 campaign code identifiers 
  • 406,887 attempted infections of CW3 
  • An estimated US $325 million in damages

Mostly accomplished through phishing (the other 1/3 being exploit kits, with Angler at the top of the list) either through attachments and/or redirection of a landing page (sometimes with help from an outdated or vulnerable web browser); and obfuscating exe files in PDFs, Flash or other MS Office type files. So, the upshot for prevention is awareness and implementation of various levels of security training/phishing exercises, firmware-browser/OS patching, sound application security practices, and a base foundation for kill chain methods via implementation of Anti-virus/Anti-spam, Intrusion Detection Sensors, Web filtering, SSL inspection, Data Leakage Prevention, and appropriate incident response and management.
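Attachment triage for the disguises just listed, as an added example (not the post's or the Cyber Threat Alliance's code): it checks constructed e-mail attachments for an executable hidden behind a PDF, Office or Flash name, a double extension, a declared type whose bytes do not match, and an Office document carrying a VBA macro project. The file names, the PE stub and the zip contents are constructed for the example.

```python
"""Triage e-mail attachments by comparing declared type with leading bytes
and by looking inside OOXML containers for macro projects."""
import io
import zipfile

EXEC_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs"}
OFFICE_EXTS = {"docx", "docm", "xlsx", "xlsm"}
# Leading bytes a file of the declared type must start with.
MAGIC = {
    "pdf": (b"%PDF",),
    "docx": (b"PK\x03\x04",), "docm": (b"PK\x03\x04",),
    "xlsx": (b"PK\x03\x04",), "xlsm": (b"PK\x03\x04",),
    "swf": (b"FWS", b"CWS", b"ZWS"),   # uncompressed, zlib and LZMA Flash
}


def has_vba_project(data):
    """OOXML documents are zip containers; a vbaProject.bin entry means macros."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def triage(filename, data):
    """Return a list of findings for one attachment (empty when nothing is off)."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    findings = []
    if data.startswith(b"MZ") and ext not in EXEC_EXTS:
        findings.append("executable_disguised_as_" + (ext or "noext"))   # PE header, non-exe name
    elif ext in MAGIC and not data.startswith(MAGIC[ext]):
        findings.append("declared_type_mismatch")
    if ext in EXEC_EXTS and len(parts) > 2:
        findings.append("double_extension")                               # e.g. photo.jpg.exe
    if ext in OFFICE_EXTS and has_vba_project(data):
        findings.append("macro_enabled")
    if ext == "swf" or data.startswith(MAGIC["swf"]):
        findings.append("flash_content")
    return findings


def triage_batch(attachments):
    """Map attachment name -> findings, keeping only attachments with findings."""
    flagged = {}
    for name, data in attachments:
        found = triage(name, data)
        if found:
            flagged[name] = found
    return flagged


def build_zip(entries):
    """Build an in-memory zip from {member_name: content} (constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, content in entries.items():
            z.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a PE stub, a macro-carrying document and a clean one.
EXE_STUB = b"MZ\x90\x00" + b"\x00" * 60
MACRO_DOC = build_zip({"[Content_Types].xml": "<Types/>",
                       "word/document.xml": "<w:document/>",
                       "word/vbaProject.bin": b"\xd0\xcf\x11\xe0"})
PLAIN_DOC = build_zip({"[Content_Types].xml": "<Types/>",
                       "word/document.xml": "<w:document/>"})
ATTACHMENTS = [
    ("invoice.pdf", b"%PDF-1.4\n%constructed\n"),
    ("statement.pdf", EXE_STUB),
    ("photo.jpg.exe", EXE_STUB),
    ("report.docm", MACRO_DOC),
    ("notes.docx", PLAIN_DOC),
    ("promo.swf", b"CWS\x0a" + b"\x00" * 16),
]

if __name__ == "__main__":
    for name, found in triage_batch(ATTACHMENTS).items():
        print(f"{name}: {', '.join(found)}")
```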

Monday, March 21, 2016

2016 Top Hacking Tools

Back on top from 2015 are: Nmap, Metasploit, Burp Suite, John The Ripper, THC Hydra
Others listed on www.techworm.net

  • 2016: Acunetix Web Vulnerability Scanner, OWASP Zed Attack Proxy Project, Wireshark, Burp Suite, Aircrack-ng
  • 2015: Cain and Abel, Angry IP Scanner, Burp Suite, Nessus Remote Security Scanner, Ettercap, Wapiti

Nice to see some of the oldies of 10+ years ago have continued to make the top of the list including: Nmap, Metasploit and John The Ripper!  The fundamentals of network sniffing, password cracking and vulnerability exploitation have remained static - and as open source and some really cheap investments.  Technology has advanced but the same tools that guaranteed 100% success in penetration testing have not. I would also add to the collection: WebScarab, DumpSec, NetStumbler, Nipper, Mimikatz, netcat, Ngrep and the suite of PsTools…  Happy hacking from VMs instead of the old/clumsy drive partitions ;)

Wednesday, March 16, 2016

Oncology data breach

2.2 Million patient names, SSNs, diagnoses/treatments, and insurance information hacked – copied and transferred.  Notifications were sent to past/current patients of 21st Century Oncology, a Florida-based healthcare provider (across 145 cancer treatment centers in the U.S. and 36 in Latin America).  Of course credit monitoring was offered as a result.  Notification of the data loss came from the FBI, and after the company hired investigators it was revealed that hackers accessed the database on October 3, 2015, but the company was not authorized to publicly notify until March 4, 2016. Questions remain unanswered (or to be published) as to why 21st Century Oncology security and systems weren't alerted to the issue beforehand.  And not to confuse it with the 34 Million fraud case...
This is coming off the heels of an (unrelated) settlement for St. Joseph Health patients to receive $242 (and plaintiffs can apply for up to $25K for suffered identity theft losses) based on a 2012 data breach.  Of course attorney fees/costs mounted to $7.5 Million.  St. Joseph also spent more than $17 Million on added security systems and $4.5 Million on credit monitoring fees for patients.
Details: businesswire.com 

Tuesday, March 15, 2016

Breach or not - Retailers and regulators again

To investigate effectively and not cause panic without having the full/most of the background, security breaches are not made known for a little while, until an organization (or investigators) has formalized a communication strategy.  Hence, Amazon's recent email blast regarding resetting passwords could be a prelude to something - or maybe nothing at all.  Based on the limited details thus far, it does not appear to be a phishing attempt since no link is present in the email, yet it mentions that passwords might have been posted online, hence the suggestion to change them.
In an unrelated matter, the CFPB (Consumer Financial Protection Bureau) issued its first Consent Order against an online payment platform – questioning reasonable and appropriate data security practices not in place, i.e. not meeting at least industry security standards; citing mishaps in employee data security training, lack of encryption, no periodic internal risk assessment and missing policies, procedures, etc.
Hence, CFPB issued the order without a prior report of a breach and is proactively representing consumers (which adds to the growing awareness) and to actions taken by authorities such as the SEC and FTC (Securities and Exchange Commission and Federal Trade Commission).  CFPB included the following recommendations:

  • Annual/bi-annual security risk assessment
  • 3-rd party to perform audit
  • Maintaining reasonable procedures
  • Encrypting data
  • Regular employee training
  • Appropriate customer identity authentication
  • Update security patches for web and mobile applications

Wednesday, March 9, 2016

Tale of two breach payouts

Can't help but compare Home Depot's $19 Million vs Erin Andrews' $55 Million though realizing it's two different kinds of breach, or is it?  Loss of privacy, sensitive information, trust, and the other weighing in more on dignity...
While Erin Andrews' court case appears to come to a close (pending potential appeals), Home Depot is willing to pay out $13 Million in funds for "reasonably traceable fraud" to compensate 56 Million affected customers' out-of-pocket costs (from a malware breach of credit card information in 2014).  Proposed class action lawsuits amount to at least 57 filed in the U.S. and Canada; the balance of the funds would go to legal fees.  And, on the other side, speculation has it that the sports announcer may only end up with approx. $5 Million after all the legal fees / attorney profits, etc.  Home Depot also reported booking $161 Million in pre-tax expenses for the breach… Of course, the infamous Target breach offered $10 million to settle the class-action lawsuit; and Obama's administration is reported to have shelled out $19 Billion to improve security for individuals, companies and government agencies.
By the numbers...of headlines making the news this week

Tuesday, March 8, 2016

International Women's Day – excerpt from RSAC2016 and more

Women account for 10% of the InfoSec workforce, which remains consistent with last year…according to ISC2.org.  The number is bumped to 20% for GRC (Governance, Risk and Compliance) and risk management roles.  Women considerably dominate in these roles both as leaders and practitioners (versus mostly operational roles where men dominate in both role types).  So, the shortage in technology talent (estimated at 545,000, and Symantec saying 1.5 million by 2019) is consistent, and filling the roles, regardless of gender, is attributed to a mixture of monetary and non-monetary incentives...more so than ever. The study also showed a spike of interest from women post 9/11; and women are taking jobs the men aren't.  Women employed percentage totals (ISC2):

  • 74% HR Managers
  • 38% Management occupations
  • 26% Computer and information systems managers
  • 26% Chief executives
  • 25% Computer and mathematical occupations
  • 18% Information security analysts

Titles are one thing, but experts predict 65% of children entering school today will have entirely different job titles by the time they enter the workforce.  Retention rates mimic each other regardless of gender but 3 areas where women leave are a result of:

  • Poor leadership / management: 44% women vs 39% men
  • Unhappy with work environment/culture: 41% women vs 34% men
  • Lack of work/life balance: 26% women vs 21% men

In a salary study of mostly U.S. respondents, the results show that women in GRC groups' average salary was 4.7% less than men's ($115K vs $121K), while salary is approximately equal or more throughout the ranges except for the salary range over $120K.
Takeaway is to invest in women/girls. The day has roots as a socialist holiday, first held in 1914, until the UN proclaimed it a holiday in 1977…and now, 2015 International Women's Day
Additional links: UNwomen.org | The Guardian | India | quotes


Thursday, March 3, 2016

RSAC2016 25th Anniversary

Another great show at #RSAC2016 except for the crowd this year – so, a brain dump of key takeaways. First, I did not win the CloudLock Harley Davidson raffle [Bummer]. Other big ticket items include asking yourself "what does the data say", which runs parallel to my own motto, "follow the data" trail.  Both have significant impact on how you address holistic data security practices, diversity in implementation and incident recovery.  Having an exit prevention strategy, for example, can be as essential, if not more, than proactive and preventative controls.  While it has been proven that no security is foolproof, there are many commonalities in the root cause. But first recapping the notables: Anthem, 80 Million medical records, which is the largest of its kind and a new pathway to this type of rich data breach; Premera, 11 Million accounts compromised for over 9 months, which would segue to Dwell-time (I posted in the past)?; or Ashley Madison for failure of contracted services and security (so not actually/so much for the profile of who likes what data itself, i.e. the $19 fee for deletion of data was not delivered prior to incident); 333,000+ IRS records breached, which is still climbing – that revealed 400,000 attempts at credit reports leading to this hack…
And so the commonalities:

  • Improperly segmented networks
  • detection deficit disorder (ignoring or looking at incidents in wrong places)
  • Failure to white list
  • Not monitoring critical systems
  • Poor awareness
  • No multi-factor authentication
  • Phishing messages 

Can't have an IT discussion without The Cloud – Companies should be responsible for their data and so warrants should be issued to the individual organization, not to the cloud service providers.  Yes, worth more than a few words, but it does allow and command more transparency for customers and their clients to have the level of "trust" and necessary attestation upon signing up for cloud services.  Privacy is a timeless value, and a balance between the right to privacy and personal data, public value, and safety will be in the hot seat in legal and the courts as the laws try to catch up with technology.
RSA's keynote heightened the privacy issues and how that would relate to opening Pandora's box by allowing backdoors, etc. revealed without textual diligence, a modern technological construct and consideration of its impact, both fundamental practices in the past as well as decisions for the future.

So, what's the long-and-short? Defense in Depth is Dead. The source is not connecting data elements and a lack of collaboration within teams and outside company boundaries.  Solutioning is now based on integration and not layers!  The 6 key domains are:

  • Discovery - got to know what's on the network, not just servers but cloud providers, IoT
  • State of security for each asset we own – not just vulnerabilities but malicious files e.g. phishing exploiting a client-side vulnerability
  • Need ability to monitor activity across the network – packet inspection integration
  • Analyze – pulling domains together (event correlation, behavior analysis) to prioritize
  • Response – typically the SOC and effective response
  • Protect – proactively protect devices (NOT prevent) and can it be done in an automated way – longest item for industry to solve since it’s based on trust of ability to do this

As a result, the upshot is (1) visibility (for all states of assets including shadow), (2) understanding critical context (to prioritize threats/weaknesses), and (3) the ability to take appropriate action in a decisive manner.  Conclusion instead: Long Live Depth in Defense.

More recap / notes...as RSAC comes to a close

Friday, February 26, 2016

#darktriad - Psychopathy | Narcissism | Machiavellianism

The dark side harbors the bright side…I guess
It’s Friday - copy-paste from Harvard Business Review:

  • Narcissism was positively linked to salary
  • Machiavellianism was positively linked to leadership level and career satisfaction
  • individuals with psychopathic and narcissistic characteristics gravitated towards the top of the organizational hierarchy and had higher levels of financial attainment
  • Base rate for clinical levels of psychopathy is three times higher among corporate boards than in the overall population
  • Dark triad traits tend to enhance competitiveness, if only by inhibiting cooperation and altruistic behaviors at work
  • dark triad personality characteristics constitute the essence of the freeriding
  • An intermediate – rather than low – level of Machiavellianism predicts the highest level of organisational citizenship, perhaps because Machiavellian individuals are politically savvy and good at networking and managing upwards
  • Best leaders displayed the bright-side features of narcissism while inhibiting its dark-side traits: they were high in egotism and self-esteem but low in manipulativeness and impression management

...for me, it’s all about Balance

Wednesday, February 24, 2016

Opt-in to Leadership

Talent does not equal success.  Some of the most successful businessmen/women, politicians, Presidents, etc. ranked in the lower half of their graduating class (and some didn't even graduate college).  Talent might very well be given to you or inherent, but success must be earned.
Often times leaders are thrust into the role due to technical accomplishments or accolades from previous projects or tasks; being successful, however, starts within oneself and can incite the unlimited human potential of others and deliver results.
While leadership is a teachable skill, it can be a lifelong process and may come more naturally for some.  Capitalize on each opportunity and buy in to earning success because your potential is limitless.
“HOW YOU LEAD DETERMINES HOW SUCCESSFUL YOU ARE” - Richard Rierson’s Dose of Leadership

Monday, February 22, 2016

UK CIOs' cyber readiness may not be what you think

82% of UK CIOs are pressured by the business to prevent, detect and resolve security incidents faster (particularly in the financial sector); however:

  • 25% are not concerned with a security breach
  • 15% are proactively identifying threats

UK CIOs believe 26% would be able to uncover a breach within 14 days and 33% within 90 days. Additionally, the biggest tale revealed: 52% say they would know how and what systems were affected if a breach were to happen today, and within 24 hours.  Really...with other stats that show:

  • 256 days to detect a breach
  • 100-120 days to remediate after an attack
  • Average cost of $3.8 million

Alarming statistics, particularly since hackers are no longer just smart young kids but instead heavily funded organizations with high stakes and very passionate motives.
End-point protection is still lacking in comparison to the deployment of traditional firewalls, anti-virus, intrusion detection systems and encryption.  External partner connections extend the physical border, which offers no consistency in data protection today, and dialog between companies as well as between countries has proven to be a challenge.  Additionally, another gap is the lack of qualified cyber security professionals as seen by the large volume of open positions that have proven difficult to fill.  Cyber security is the 6th fastest growing industry in the UK and is set to grow 13% per year according to the Department of Business, Innovation and Skills (BIS)…which some say can take 20 years to fulfill.

Article sources:
Carbon Black 
Ponemon 
Computer Weekly

Wednesday, February 10, 2016

Encryption and Backdoors

The upshot of ISACA's "the sky is falling" article identifies the following, from an SME who lives and breathes cybersecurity and forensics:
  •          Humans are the weakest link i.e. phishing and social engineering
  •          Security awareness training is essential…since data harvesting can occur over years
  •          Continuous communication since some of the preventative items seemingly easy and just makes common sense

Now, instead of diving deep into forensics, which is probably best left as a separate post, let's transition to recent events.  Trending lately are data encryption and backdoors, by way of Blackberry and RSA, respectively.
As if Blackberry didn't have enough to worry about with its place in the market, a claim has surfaced that the PGP it uses for email can be decrypted with commercially available tools.  In fact the source, Dutch investigators, was quick to point out that not all, but nearly 85% of encrypted emails, including deleted messages, were recovered.  Blackberry's response has been limited, as is to be expected, but no encryption is foolproof, right?

There again, unless you purposefully leave, or offer to leave, backdoors…as reported by Reuters, the NSA paid RSA for making the random number generator algorithm the default option in its cryptographic toolkit.  Of course Snowden's information leaks spurred conversation, which now may have some effects on the upcoming 2016 RSAConference.  Over a half-dozen presenters have withdrawn, including members of Google, Mozilla, Taia Global and F-Secure, and now OWASP is voting on the boycott matter.  Unfortunately, the RSA-named conference was intended to be an independent forum anyway, yet it is likely to suffer from the RSA brand under which the event is hosted.  Wonder if naming it EMConference would make a difference?  The vendor presentations, exhibits and sponsorships have opened doors for other companies, and there does not seem to be a shortage of those requesting them.

Friday, February 5, 2016

Identity Theft: 65,000 UCF SSN

If you're the not-so-lucky University of Central Florida Sentinels past/current student or staff member, you will be receiving notice today of a Social Security Number security breach.  Records also included student IDs, class studies and their sports, including 600 student-athletes of 2014-2015.  Apparently access was shown to have occurred on Jan. 8 and the breach was realized on Jan. 15, but notification was held due to the investigation and work with law enforcement.  It's suggested that the hack resulted from multiple individuals, and phishing is suspected but not confirmed.  While no evidence thus far indicates that the information has been published or used/exploited, free 1-year credit reporting and services are being offered as a result of the mishap.
Recall other notable higher education breaches: University of Maryland and North Dakota University with 300,000, Auburn University with 370,000 and Butler University with 163,000 records...


Wednesday, February 3, 2016

TalkTalk update to earlier post & Outsourcing

It's been months since the UK cyber attack and, while the investigation continues, last week 3 Wipro Kolkata call center employees were arrested in connection with the 157,000 customer records (and approx. 15,000 banking information) data breach.  Apparently the BPO relationship had been formed to increase customer satisfaction by 10%, targeting results to the tune of $2 million in annual cost plus a $1 million increase in revenue via analytics that would lead to a reduction in TalkTalk customer complaints.  Reports indicate TalkTalk had lost 7% of its existing customers as a result of the breach (of which 250,000 were broadband customers the week of the breach in October).
Of course, Wipro isn't commenting much on an ongoing investigation but states that the confidentiality and integrity of its customers' data is important and that it has a zero-tolerance policy.  Recall another outsourcing competitor, Infosys, which lost the CEO and CFO of its BPO operations over overbilling of Apple by Infosys employees.  Looks like the new Wipro CEO, Mr. Neemuchwala, will be relying on its new-age technology and artificial intelligence to make some immediate impact...on top of trying to grow the 3rd largest software firm and its profits.

Vendor and Supplier Information Security Diligence and Audit programs are an essential part of doing business...across the street or across the pond.  It's always a balance of business capability/flexibility and IT/security, but particular focus areas include: data exfiltration [thin clients], comingling of data [network and application segregation], dedicated resources/SME [least privilege], accountability/liability [contract/legal/incident response], and spot/surprise audits [contracts].

Cyber events in early 2016

Few of the notable conferences:

  • First, needing no intro, who’s going to the February 25th anniversary of #RSAC in the Bay?
  • General Audit Management Conference in Dallas, March – IIA summit for audit management with tracks from Technology Risk, Leadership and of course, auditing strategically
  • SANS Cyber Threat Intelligence Summit in Alexandria, February – with SANS courses including hacking, monitoring/operations and forensics
  • B-Sides Tampa Security Conference in April – for security hacking
  • ICISSP 2016 in Rome, Italy, 2nd Annual in February – Security and Privacy practitioners
  • CISO Summit in New York, February – for practices in Enterprise Security Threats
  • Secureworld in Boston, March – for cybersecurity
  • CyberSecurity – Women in cyber, Dallas in March
  • ASIS International in London, UK, April – European security conference on various industries and topics on threat landscape
  • Interop Las Vegas, in May – with various conference tracks

Just a few that crossed the radar.  Enjoy...see you out there

Saturday, January 30, 2016

FDA Survey by EY – risk mitigation and ROI

EY's study, conducted June-Sept 2015, of 665 respondents on Forensic Data Analytics (FDA), involving 17 countries with anti-fraud/anti-corruption programs.  The interview pool included: 192 Internal Audit heads / CRO, 129 Head of compliance / CFO, 28 CEO/COO/CIO and other managers, etc…and spanned industries such as 162 financial services, 149 consumer products/retail, 59 life sciences and 77 technology/communication organizations.
Key Trends:

  • Cyber breach and insider threat tops risk and fastest growing at a rate 32% vs. 17% for bribery/corruption; followed by 12% for capital projects risk; 
  • FDA investment gap has been reduced over the last couple years; 
  • Technology growth and increase in virtualization with FDA adoption is on the rise by 25% vs. 12% last year (and social media  25% vs. 21% last year, and statistical analysis at 18% vs. 11% last year); 
  • Correlation between positive results and large data, for both structured and unstructured;
  • Increased government and public scrutiny of fraud risks – resulting from 53% response to growing cyber risks, 43% increased regulatory scrutiny, 32% increased risk of fraud in emerging markets and 31% pressure from the board or management team

See chart below but top perceived risks include: Financial services for cyber breach at 74%; Oil/gas for bribery/corruption at 52%; Life Sciences and Technology/Communication for Internal fraud/abuse at 49% each; Power/Utilities for capital project risk at 46%; Power/Utilities for merger/acquisition at 44% and Financial services for money laundering at 46%.
Additional takeaway:

  • FDA is used in 77% of internal fraud, 70% of cyber breach /insider threat, 68% of bribery/corruption risk and 60% financial statement fraud…
  • FDA spending proactively, making a strong push based on 63% of respondents – which results in nearly 60% lower cost on a per fraud incident basis than companies not using proactive data analytics
  • Interestingly enough, 67% (from 45% 2 years ago) plan to conduct FDA completely in-house while another 24% doing in-house would consider outsourcing (leaving 9% who outsource)

While the industry has demonstrated great strides over the last couple of years, continued commitment, investment and implementation of strategy will ensure its positive trend.  Finally, the benefits of FDA centered around faster response in investigations, increased business transparency, getting the business to take more responsibility, early fraud detection and reduced costs of the anti-fraud program.

Friday, January 29, 2016

AppSec gap continues to be theory vs practice - preso

ISACA Chicago presentation on application security identifies focus areas:

  • Risk based approach is the goal
  • Align to business strategy of 2-5 years direction with leadership buy-in; tactical steps can be taken to adapt 
  • Need for measurable results via metrics 
  • Focus on IT weaknesses specific to organization 
  • Unique challenges but same approach can apply 
  • Find your application influencers
  • It's a marathon not a sprint
  • Remediation consideration for compliance and allowance for steady state before validation
  • Remember appsec capabilities including stocking up on your tool belt
  • Considerations: app assessment compliance/design | Threat modeling | Attack and Pen | Secure dev training | Full integration and security toll-gates in SDLC | Vendor risk management concept
Awaiting slides to post and 2 CPEs

Thursday, January 28, 2016

Happy Data Privacy Day - inside job

Much attention goes to external sources of threat and the bad guys outside our organization.  But, how about the insiders that we need to trust?
Knowledge is king, or at least is what you get paid for… So, when employees leave for greener pastures, they often take with them information created while on the job.  With tenure being less than 5 years on average, loyalty may not seem as valued – in a digital world where mobility and collaboration are the norm, i.e. BYOD, Wi-Fi, USB, Cloud, IoT.
Sure, there are things such as legal hold or data recovery backups for missing/destroyed data, but the numbers show 60% of organizations polled had reported insider attempts to steal data and 93% believe they are vulnerable.  Source: Code42
So, who's monitoring them?  Who would even know?  What cost does it have for any organization?  What competitive advantage does it result in?

Key contributors and top threats include lack of: layered security architecture, data leakage protection, security awareness, systems vulnerability patching, mobile device management, removable media security…
For more info, check out the IBM X-Force Security Systems report, CSOonline, CyLab

Wednesday, January 27, 2016

2016 cybersecurity predictions - another view

Cybersecurity integration with the business, i.e. recall when information security was also tagged the enabler…and an emphasis on detection over prevention/mitigation, or the usual suspect of dwell time, has also re-surfaced.  Themes that align with InfoSec of years past but now in a new digital world.  So, Forcepoint security predictions for 2016:

  • US Elections are a large/public event drawing attention (both media and for downstream technology decisions), so a preponderance of social and online media threat vectors equates to the translation of related data leakage activities (and intellectual advantages).  
  • Payment security always plays a role and, with chip/pin and online targets, mobile wallets and the bleeding-edge payment landscape are sure to be sources for theft and fraud.  So, organizations should be aware of exposures and everyone/consumers should be attuned to cyber tactics and know the precautions.  
  • .domain names offer organizations the chance to benefit from customized websites and perhaps opportunities to direct/filter ISP traffic; however, with any action/benefit comes reaction or threat/exposure.  So, adoption may come at a price, even if it's just re-education or training behaviors.
  • Insurance – we know it is a tricky game in terms of what qualifies or disqualifies you and your payouts.  So, expect requirements leading to payment for breaches to be stringent and insurers to be defensive about downstream liability, and perhaps variations / options resulting for types of cyber incidents.
  • Data theft prevention, because your data is worth money.  $1.5 per record to the $20-40 range for bulk data, so value depends on who/what/where, e.g. personal (credit) information of an 850 credit score is worth more than that of a person with 600
  • Aging Internet infrastructure resulting from technology changes/shifts, and the cost of conversion/upgrades or even the expense of maintenance (hardware/software and labor) is high
  • Complexity in technology translates into exposures, and when speed of deployment is not meeting business needs, imagine the speed at which monitoring or mitigating efforts are implemented, i.e. little to none.  Healthcare field penetration of technology will reach 40% by 2020, and that's just with current expected growth or adoption.
  • Privacy is in a state of evolution, whereby personal information and business data are intermingling in the devices used, but also in behavior and overall cultural norms.
Back to the future - we'll aim to compare/contrast a year from now
Article source: Forcepoint.com

Monday, January 25, 2016

APDoS is the clear and imminent danger

Global Application and Network Security Report by Radware: Advanced Persistent Denial of Service (APDoS) attacks are imminent threats, involving network and application layer attacks.  With bursts of attacks now trending to be one hour, an increase of 27% from the previous year, the present danger has shifted.  Typically 5-8 multi-vector attacks are exploited at a time, generating over 10 million requests (typically SYN floods for denial of service); hence, rendering the system inoperable…
An industry survey of 311 individuals from varying global organizations represented a perspective on fighting cyber attacks, both technical and business, from 2015:

  • 24% of the industry were Telecom or Cloud providers, 15% Financial Services, 14% Computer related, and 4% Healthcare/Biotech/Pharmaceuticals
  • 30% were Network Engineers, 22% Security Engineers, 20% Managers, and 5% CIO/CTO/EVP

The study revealed few are prepared to address cyber attacks, with 90% having experienced an attack – in industries ranging from financial services to enterprise verticals and from cloud to critical infrastructure.  And no one is immune, with high certainty related to the threat of DDoS (Distributed Denial of Service) attacks.  Preparedness for this as well as for APT (Advanced Persistent Threats) hovers around 60%, which reflects weakness in the overall security gap of protection and prevention.  Additionally, ransom or SSL/TLS-based attacks spiked from 16% to 25% in just one year.  While unauthorized access to confidential data is still high on the list, slowness of service delivery and customer service tops the list.  As a result, reputational loss showed a decline from 47% to 26% in one year (as service models are affected - though the two are not completely disconnected).
Automated defenses are preferred, yet only 6% have automated solutions against cyber attacks and 60% have a degree of manual solutions.  Additionally, hybrid solutions have increased from 21% to 41%.
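The two signals the report describes, short high-volume bursts and several attack vectors landing at once across the network and application layers, are easy to check for in per-interval flow counters. The detector below is an added example written for this post, not Radware's code; the vector names, layer mapping, thresholds and the sample records are all constructed assumptions.

```python
"""Burst / multi-vector DoS detector over constructed flow summaries.

Added example, not Radware's code.  It checks two patterns from the report:
(1) a short, high-volume burst and (2) several attack vectors at once,
spanning both the network layer (e.g. SYN floods) and the application layer.
Input is a list of per-interval counters like a flow collector would emit.
"""
from collections import defaultdict
from dataclasses import dataclass

# Vector -> layer mapping (an assumption made for this example).
NETWORK_VECTORS = {"SYN", "UDP", "ICMP", "DNS_AMP"}
APPLICATION_VECTORS = {"HTTP_GET", "HTTP_POST", "SSL_RENEG", "DNS_QUERY"}


@dataclass(frozen=True)
class Alert:
    window_start: int   # epoch seconds, start of the window
    total: int          # requests/packets seen in the window
    vectors: tuple      # distinct vectors observed, sorted
    multi_layer: bool   # True when network and application vectors co-occur


def detect_bursts(records, window=60, volume_threshold=1_000_000, min_vectors=3):
    """records: iterable of (timestamp, vector, count).  Returns a list of Alert.

    A window is flagged when its volume reaches volume_threshold, or when it
    shows at least min_vectors distinct vectors (the multi-vector pattern),
    regardless of volume.  Thresholds are illustrative, not tuned values.
    """
    per_window = defaultdict(lambda: {"total": 0, "vectors": set()})
    for ts, vector, count in records:
        bucket = (ts // window) * window          # align to window boundary
        per_window[bucket]["total"] += count
        per_window[bucket]["vectors"].add(vector)

    alerts = []
    for start in sorted(per_window):
        total = per_window[start]["total"]
        vectors = per_window[start]["vectors"]
        if total >= volume_threshold or len(vectors) >= min_vectors:
            multi_layer = bool(vectors & NETWORK_VECTORS) and bool(vectors & APPLICATION_VECTORS)
            alerts.append(Alert(start, total, tuple(sorted(vectors)), multi_layer))
    return alerts


# Constructed sample: baseline traffic, then one 60 s burst mixing SYN, UDP and HTTP.
SAMPLE_RECORDS = [
    (1_453_680_000, "HTTP_GET", 4_000),
    (1_453_680_010, "SYN", 800),
    (1_453_680_060, "SYN", 6_000_000),    # burst begins (SYN flood)
    (1_453_680_070, "UDP", 2_500_000),
    (1_453_680_080, "HTTP_GET", 1_800_000),
    (1_453_680_090, "HTTP_POST", 300_000),
    (1_453_680_120, "HTTP_GET", 3_500),   # back to baseline
]

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_RECORDS):
        print(alert)
```

On the sample data only the middle window fires, with 10.6 million events across four vectors on both layers; the multi-vector check also catches a low-volume probe that mixes three vectors, which a pure volume threshold would miss.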
So, APDoS is a top prediction for this year and below is what follows:

  • RansomDoS to hit cloud companies
  • Privacy is endemic to the human condition, and stewards of data should beware of rights and penalties
  • Introduction/proliferation of Permanent DoS (PDoS) that physically destroys firmware/hardware and renders unusable
  • Uplift in cloud encryption 
  • Of course, IoT (Internet of Things) and breach of rich data source in the wild wild Internet 

Article source: Radware.com

Saturday, January 23, 2016

App Delivery Controllers - Gartner's Magic Quadrant

ADCs bridge the gap between applications, their underlying protocols and traditional packet-based networks.
ADCs serve availability, scalability, end-user performance, data center resource utilization and security.
Kinds: single or multi-instance hardware appliance, software-based instance, cloud-based as-a-service offering (OTT, Over-the-Top).  A preview of a few:
  • Citrix is ranked #2 with its vast array of software and hardware options (integration with Cisco, for example) and certainly enough funding and partnerships yet remaining cost-effective 
  • ADC selection – influencing/optimizing delivery of enterprise application across networks
  • A10 is the 4th largest ADC vendor, so ideal for larger scale deployments; it utilizes APIs for increased functionality and is known for high-performance NAT (Network Address Translation) and SSL (Secure Sockets Layer) functionality.  However, its WAF (Web Application Firewall) is not mature and lacks some functionality, and it does not offer cloud OTT
  • Amazon's well-known brand and speed-to-market rollout edge out others, and the product suite including balancers, DNS services and cloud network delivery is available on Amazon Web Services (AWS).  However, you tend to be limited to AWS as well as select ADC players, and there is a tendency to require in-house support.
  • Barracuda focuses on SMB (Small or midsize business) with rapid growth in the market and product-rich offerings with good feature sets, including newly offered balancers for increased security infrastructure.  However, limitations with ADC/WAF are restricting and it has not played in the larger markets.
Aside from hardware and software options, desired profile settings, aggregation and integration are key.  Features are listed below, with a full description at Gartner.com

Monday, January 18, 2016

IT Audit Transformation in a digital society

Top 10 transformations towards the digital IT journey by ISACA Journal, Transforming the Auditor:

  1. Establish/solidify better integration across entire risk spectrum
  2. Reexamine fundamental mission strategy and formulate capabilities needed to audit IT of tomorrow
  3. Examine and realize end-to-end audit life cycle 
  4. Continuous alignment and risk assessments, instead of outsiders coming in, to help advance business strategy in rapidly changing technology
  5. Leveraging technology and provide a managed services approach
  6. Establishing robust GRC (Governance, Risk and Compliance) to best offer automation, improved productivity, ensure consistency, enhance risk coverage and assessments
  7. Advance analysis is key for trending and prediction of high risk
  8. How to do this
  9. Engage CRM (Customer Relationship Management) technology to manage interview process, capture risk notes and themes and making information available on real-time basis for global team inclusion
  10. Leveraging collaboration technology throughout enterprise 

When Accenture applied these characteristics, audit totals increased by 250% (from 16 to 45 annually) from 2012 to 2015.  It was noticed that proactive monitoring builds awareness of changing risk profiles, and resulted in leadership reaching out to the audit team for strategic decisions rather than post-decision.  Lessons learned included:

  1. Alignment of IT audit with business strategy – audit function nimble to changing technology/business needs
  2. Clarify governance on a continuous basis not just annually and IA plan accordance with business strategy/risk
  3. Run IT as a business with organization/people as customers with defined service offerings and focus on value-add and measure customer satisfaction
  4. Manage performance metrics and critical success factors – and highlight deficiencies as well as achievements
  5. Transforming people requires strong leadership to change internal culture and foster proactive change and radical shifts
  6. Go big with increasing enterprise capabilities, applying rigor and discipline to internal business processes of IT
  7. Communicate success by demonstrating the value IT audit adds and speaking highly of accomplishments that are meaningful and measurable