The release of the NetDiligence® 2015 Cyber Claims Study, the only one of its kind, reveals the most current data on cyber security events and their true costs. NetDiligence President Mark Greisiger shares the latest findings, including the top areas of concern for both insurers and the C-Suite.
A Q&A with Benjamin Stone of the FBI
It’s becoming an increasingly common story: Cyber perpetrators lock systems down with malware and then demand payment to release them. I asked Benjamin Stone, Supervisory Special Agent of the FBI’s Cyber Criminal Squad in Philadelphia, about ransomware and current conditions for cyber criminal activity.
A Q&A with Joe Weiss of Applied Control Solutions
The security of industrial control systems is increasingly vulnerable to cyber-attack and the stakes for failure are extremely high, yet there’s little public understanding and media coverage about these very real risks. I talked to Joe Weiss of Applied Control Solutions about why industrial control systems should be the most important frontier in cyber security and what organizations can do to protect against this growing threat.
A Q&A with John Yanchunis of Morgan & Morgan
The legal landscape around data loss is rapidly evolving, and with major events such as the Anthem breach changing the game on a daily basis, it can be a challenge to keep up with the courts’ current thinking. I spoke with plaintiff attorney John Yanchunis of Morgan & Morgan about some of the most recent developments he’s observed.
A Q&A with Nick Beecroft of Lloyd’s of London
New regulation and awareness around growing threats such as operational attacks is changing the face of the European insurance market. I talked to Nick Beecroft, emerging risks and research manager at Lloyd’s of London, about his work assessing cyber vulnerabilities and helping develop products to address them.
A Q&A with Karl Sigler of Trustwave
The Secret Service estimates that there have been over 1,000 data breaches at point-of-sale (POS) systems via Backoff malware. I asked Karl Sigler, Threat Intelligence Manager of Trustwave and a member of the team that initially identified Backoff to explain this insidious malware and why retailers should be concerned about it.
A Q&A with Gregory Rosenberg of Trustwave
Payment Card Industry Data Security Standards are now in their third version. I talked to Gregory Rosenberg, Sales Engineer at Trustwave, about what organizations need to know about the most recent changes to the standards, particularly as they relate to third party service providers.
A Q&A with Patrick Florer of Risk Centric Security
While it’s easy to get caught up in the splashiest current news story about a particular breach, analyzing a broader swath of cyber security data can give us a more vivid and sometimes more precise picture of the real risks facing organizations today. I spoke with Patrick Florer of Risk Centric Security about what precisely constitutes a data breach and what the statistics show us.
A Q&A with Michael Tanji of Kyrus
The introduction of CryptoLocker “ransomware” poses a new security threat to organizations—in fact, one of our customers was recently hit with this hostage-taking nuisance. To get a better sense of what CryptoLocker does and how it can be stopped before any damage is done, I spoke with Michael Tanji of Kyrus.
Can you please explain in layperson terms what this virus is and what sort of damage it can wreak on an organization?
We call CryptoLocker ransomware because when it infects a system it encrypts the files and keeps the encryption key locked away, so that the only way to get access to those files is to pay a ransom. Ransomware is not a new class of malware, but CryptoLocker is far and away the best of this class. It’s only a couple of months old and it’s already infected a wide range of organizations of various sizes—it’s pretty indiscriminate. Just who is behind CryptoLocker is not known. We do know that they are pretty sophisticated in their understanding of cryptography and they have been able to deal with a large volume of victims so that speaks to their ability to operate to scale. It may be weird to say this about a criminal endeavor, but this is really an enterprise IT operation.
What do the people perpetrating the crime, whoever they may be, stand to gain from this?
The motive is purely financial. There has to be a level of trust there, too—if they were going around and taking ransoms and not turning over the keys the whole thing would fall apart, so these are very business-oriented people. They’ve probably made millions of dollars and they’re not going to jeopardize that by being unreliable.
How does it work? How might CryptoLocker slip through traditional security defenses such as antiviral software (AV)?
There’s no actual malware or virus in the initial attachment, so it’s not something that would be detected. It’s a very simple program. Once you double click on that benign-looking attachment, usually sent to you in an email—it might appear as a zipped PDF or audio file like a voicemail coming from someone you know—and then it downloads the malware. At that point it’s already bypassed the AV and it’s encrypting files. By the time an AV company figures out the file used the perpetrators will change it, so AV will detect it after the fact—it won’t prevent it.
What can be done, then, to mitigate or prevent it?
To detect and stop CryptoLocker before it can encrypt all your files, you’d have to have a security solution such as Carbon Black in place, monitoring the system constantly for CryptoLocker-type of behavior—not the files used by CryptoLocker per se. Carbon Black is unique because it runs all the time so you could catch CryptoLocker in the act. It is equally important to ensure that your backups are working. Test them! We’ve had a number of customers who thought their backups were working only to find out once they become victims that they were wrong. Finally, train employees to be suspicious of attachments; it only takes one click to get infected, and in a large enterprise that’s sharing files and drives, that one click will enable CryptoLocker to access everything. If employees do notice errors or corruption warnings when they try to open files, they should turn their computers off to stop CryptoLocker from working on that system. At that point forensics could pull any unencrypted files from the victim’s drive.
What steps must be taken to remedy the damage?
Once it’s run, you really only have two options. If you have a backup you can restore your system from that. But if you don’t, you have to pay the ransom demanded, and you won’t get your files back unless you do. Some people have a serious ethical problem with paying for the ransom and I don’t disagree, but you have to put your morals and emotions aside in this case—if there are no backups you stand to lose the lifeblood of your business. Calling a security company to do traditional incident response will cost more than the ransom and in the end it won’t help because no amount of forensics will get the key needed to unlock your files. It’s best to think of it as a business transaction.
Assume you do pay the ransom: what’s the procedure and what’s the typical cost?
The magic of CryptoLocker is that the ransom is always more cost effective than any kind of incident response. If you pay within 72 hours, it’s usually 300 dollars, payable in Bitcoins. Beyond 72 hours the cost goes up. If you call an incident response company they should not charge you any more than a few hundred dollars to help with the transaction and decryption. The perpetrators even provide a program to decrypt the files and maintain an online forum with FAQs to help people having trouble getting their files back.
We thank Mr. Tanji for illuminating this emerging tricky threat for the cyber liability insurance industry. We’ve already seen CryptoLocker in action on a firsthand basis with several of our clients. The unfortunate reality is that while staff education about threats (e.g., don’t click on email attachments from strangers) can help prevent some attacks, awareness campaigns are not a perfect salve and bad guys will always be able to exploit this weak spot.
A Q&A with Ramon Peypoch of McAfee, Inc.
One of the most insidious enemies of data security is advanced malware. But what are these advanced persistent threats, and how can companies protect themselves from them? I asked Ramon Peypoch, VP of Web Protection at McAfee to share his expertise.
Can you please define ‘advanced malware’ and describe the harm it can bring to an organization?
There’s a confluence of different situations that can fall under the term advanced malware, but basically these are stealth attacks that tend to get past existing security solutions. The threats might come from state-sponsored entities such as the Chinese or Russian governments trying to penetrate United States government networks or steal IP from commercial enterprises. What we know is that advanced malware is responsible for a great deal of loss in terms of IP and financial assets. In terms of the actual techniques involved, advanced malware typically combines sophisticated hacking, social engineering and spear fishing that allow an intruder to go undetected in your network for a long period of time. One example might be something that looks like an email from a friend telling you to click on a link to view vacation photos—you click on the link and nothing seems to happen but important code is downloaded to the machine that would “wake up” the next time you enter in PII. The bottom line is that these are very real threats being perpetrated by very sophisticated people. This is not some 13 year-old antisocial kid trying to make a name for himself.
How common is this threat for organizations?
Research shows us that the true cost of cyber crime is staggering—multiple billions of dollars of losses on an annual basis. If you are a business with any type of sensitive financial information or intellectual property, you are a target. And unfortunately hackers don’t just go after the largest organizations. They actually get the most bang for their buck with small and medium enterprises, because these are often more susceptible than the big guys.
How does advanced malware get through the system? Are organizations failing to implement controls that could stop it?
Basically, advanced malware can defeat signature-based defenses—the conventional security solutions that most people are using today. These are great at stopping already-identified threats but they won’t catch anything new. Since traditional solutions are not effective, the gap is widening, allowing the threats to grow exponentially.
What can a company do to mitigate this exposure proactively?
The easy answer from my perspective is to look into McAfee’s solutions. We are taking a different approach to solving this problem. We use the traditional signature-based solution and complement it with a specific advanced malware solution that uses cloud-based lookups and analysis including a hash of malware sent to different parts of the McAfee protection network. Once it’s identified, it’s stopped right there at all the endpoints and we can do a lookup to make sure nothing has been compromised—if it has, we initiate a remediation process. Unlike a lot of our competitors’ solutions, it’s not just a malware sandbox, it’s actually multiple products working to combat the problem in an integrated way.
Ramon underscores the problem that many of our clients are seeing and combating on a daily basis. The bad guys are very smart and often one step ahead of both human and electronic security measures, giving them unauthorized access to information-based assets. Even clients with sophisticated IT operations and large security budgets can fall victim simply because there are so many variables and third-party dependencies to control. (A few examples include a large server farm with an unknown system missing a patch, mishaps with vendors, or staff that get duped.) Organizations need to keep this in mind when selecting solutions for combating malware.