Management


#nationalcybersecuritymonth | New Windows Vulnerabilities Highlight Patch Management Challenges

Source: National Cyber Security – Produced By Gregory Evans

Microsoft’s monthly “Patch Tuesday” is an important part of the cyber hygiene routine for anyone in IT (including home users). This month’s update proved to be a particularly critical one.

Early in January, the National Security Agency (NSA) alerted Microsoft to a major flaw in Windows 10 that could let hackers pose as legitimate software companies, service providers, websites, or others. “It’s the equivalent of a building security desk checking IDs before permitting a contractor to come up and install new equipment,” Ashkan Soltani, a security expert and former chief technologist for the Federal Trade Commission, told CNN.

Fortunately, Microsoft acted quickly and issued a critical update for CVE-2020-0601 on January 14.

Despite this quick action, businesses and government have a habit of missing, ignoring, or delaying important patches and updates. They do so at their peril. In 2019, the majority of cybersecurity breaches were a result of unapplied patches. However, the reasons for this oversight are complicated and often unintentional.

Patch management — IT’s nightmare

Getting a handle on patch management is an unending challenge for IT and security teams. Last year, 12,174 common vulnerabilities and exposures (CVEs) were reported — making patching an almost impossible task for any organisation. In fact, it takes the average organisation 38 days to patch a vulnerability. Even then, 25% of software vulnerabilities remain unpatched for more than a year.

One of the biggest obstacles to frequent patching is that security teams struggle to identify everything that needs to be fixed. Understaffed and struggling with alert fatigue, it can be hard to identify the systems that are yet to be updated, prioritise remediation, and apply patches quickly.

To add to their workload, IT and cybersecurity teams must also make certain that the appropriate security policies are in place to ensure that users regularly update their PCs and devices, and don’t delay the inevitable “Windows Update”. Risk also extends beyond the four walls of the business.

Third- and fourth-party cyber risk is a big threat to businesses. 59% of breaches have their origins in vulnerable and unpatched third-party systems. The trouble is that vendor risk assessment questionnaires only offer a point-in-time view into the security posture, including unpatched software of suppliers, partners, and sub-contractors. This leaves IT in the dark.

Windows 7 — a new risk

Microsoft has been focused on closing gaps in its Windows 10 OS. This left Windows 7 users walking into a new cybersecurity landmine on January 14, 2020, when Microsoft ended support for the nine-year-old OS; it will no longer issue security patches or updates for it.

This is particularly problematic, since almost 70% of organisations are still using Windows 7 in some capacity. It leaves them susceptible to a security issue, attack, or breach — unless they purchase extended support from Microsoft or upgrade to Windows 10.

Fixing the patch management challenge

Maintaining a frequent patching cadence is critical to mitigating cyber risk, but it doesn’t have to be a nightmare.

With the BitSight Security Ratings platform, your organisation can shine a spotlight on vulnerable, unpatched systems and out-of-date operating systems. It provides insight for both internal systems and across nth parties (partners, vendors, customers, etc.). Using these insights, IT teams can prioritise which patches are most critical and take steps to measurably reduce risk. In addition, security ratings make it easier to share actionable security information with other business functions.

This information allows teams to collaborate with each other on pressing security issues. It also helps reduce risk across your business ecosystem. Furthermore, because patching cadence is indicative of the likelihood of a breach, it has stepped into the spotlight as something the Board and C-suite are interested in. Security ratings mean this conversation becomes much easier. Information about vulnerabilities is provided in a straightforward and non-technical way that is easy for everyone to understand.

Organisations can also share security ratings with partners. This allows third parties to identify and rectify issues and blind spots in their systems and software — continuously and in real time, without waiting on lengthy audits or assessments.

Time is of the essence

As the recent Windows 10 critical update shows, organisations must do everything they can to stay on top of their patching cadence and that of their vendors.

But there’s no need for organisations to be paralysed by the sheer volume of ongoing patches. Learn more about how BitSight can help.


BitSight (https://www.bitsighttech.com/) transforms how companies manage third- and fourth-party risk, underwrite cyber insurance policies, benchmark security performance, and assess aggregate risk with objective, verifiable and actionable Security Ratings.

Source link

The post #nationalcybersecuritymonth | New Windows Vulnerabilities Highlight Patch Management Challenges – appeared first on National Cyber Security.

View full post on National Cyber Security

#cybersecurity | #hackerspace | Cybersecurity Risk Management … Beyond the “Golden Period”


Where do we stand with the management of cybersecurity risk? Answer … Not in a good place.

This position was further reinforced upon reading an article in the January 23, 2020 Washington Post by Anna Fifield with the title “Wuhan quarantine expands as Chinese fear authorities withholding information about coronavirus outbreak,” available at https://www.washingtonpost.com/world/coronavirus-china-wuhan-latest/2020/01/23/2dc947a8-3d45-11ea-afe2-090eb37b60b1_story.html

One statement, by Guan Yi, a virologist who helped identify severe acute respiratory syndrome (SARS) in 2003, really resonated. In reference to the coronavirus epidemic, he said that “We have passed through the ‘golden period’ for prevention and control.”

That characterization rings so true if applied to cybersecurity attacks and defenses. One can argue as to when that transition took place. My opinion is that it happened a decade or more ago.

What this means for cybersecurity is that we are beyond protection, avoidance and (minimally) deterrence, and are turning to detection and response.

In an interview article “Epidemics expert Jonathon Quick: ‘The worst-case scenario for coronavirus is likely,’” in The Guardian of March 1, 2020, available at https://www.theguardian.com/world/2020/mar/01/the-worst-case-scenario-for-coronavirus-dr-jonathan-quick-q-and-a-laura-spinney , Quick, the former head of the Global Health Council, states that:

“… we have a measure of epidemic preparedness—the Global Health Security (GHS) Index—that scores countries on six dimensions: prevention, detection, response, health system, risk environment and compliance with international standards.”

The GHSI does not appear to include protection, avoidance or deterrence. I think that it should. Perhaps they are implicit. In any event, it would seem to make sense for Infosec professionals to consider a similar index for cybersecurity risk by country, region, industry and organization. Yes, there are some forms of these considerations, such as the Payment Card Industry’s Data Security Standard (PCI DSS), but they are not ubiquitous and not completely effective. Furthermore, we don’t have generally accepted international cybersecurity standards.

There have been a number of attempts to establish such standards, but they always seem to fizzle out. I was involved in the GAISP (Generally-Accepted Information Security Principles) effort when it eventually came under the auspices of the ISSA (Information Systems Security Association), and I was involved directly in the project, heading up one of the tracks. A January 2004 draft of the GAISP principles is available at https://citadel-information.com/wp-content/uploads/2010/12/issa-generally-accepted-information-security-practices-v3-2004.pdf and is well worth reading.

The project was never completed. It collapsed under its own weight and because of differences of opinion among the leaders of the project. It is one of my greatest regrets that the standards were never finalized. It was the right time. Since then, we have seen significant failures in cybersecurity risk management, in large part because there are no universal standards and global enforcement mechanisms.

We can be reasonably certain that eventually the coronavirus will be controlled and that vaccines will be developed and made available to the masses. At this point, we do not know how much physical, emotional and economic harm will be inflicted on the world population, but it is reasonable to believe in the prospect of protection against the coronavirus and/or a cure.

Wish that it were so for cybersecurity risk. At this point in time, there is little indication that cybersecurity risk will be constrained, nor that we will develop the prevention and protection mechanisms needed to mitigate, if not eliminate, the risk.

It is time to resurrect the creation of global standards and institute effective organizational structures that will begin to contain rampant cyberattacks and minimize the destruction that they cause.

*** This is a Security Bloggers Network syndicated blog from BlogInfoSec.com authored by C. Warren Axelrod. Read the original post at: https://www.bloginfosec.com/2020/03/09/cybersecurity-risk-management-beyond-the-golden-period/?utm_source=rss&utm_medium=rss&utm_campaign=cybersecurity-risk-management-beyond-the-golden-period


#cybersecurity | #hackerspace | GUEST ESSAY: Strategic tactics are key to a robust Cloud Security Posture Management regime

A cyber strategy is a documented approach to handling various aspects of cyberspace. It is mostly developed to address the cybersecurity needs of an entity by focusing on how data, networks, technical systems, and people are protected. An effective cyber strategy is normally on par with […]

#cybersecurity | #hackerspace | New Insights into Privileged Access Management (PAM) Best Practices


The increasingly sophisticated and persistent nature of cyber threats underscores the importance of protecting your privileged accounts, along with their respective privileged users and privileged credentials. Privileged accounts, by their very nature, tend to be the sort of digital “crown jewels” that are much sought-after by hackers. Best practices for Privileged Access Management (PAM), the main countermeasure for this risk, are thus evolving as the threats become better understood.

A Brief Overview of Privileged Access Management

PAM comprises a collection of practices, policies and technologies that protect administrative or “privileged” access to the back ends of critical systems. Privileged users operate privileged accounts, where they are authorized to set up, configure, reconfigure or delete systems, e.g. servers, databases and storage volumes. They can also set up, modify or erase user accounts—or promote regular users to privileged status and so forth.

Privileged users are necessary for the proper functioning of your IT department. However, their power makes them very attractive targets for hackers. Some of the most notorious data breaches in recent memory resulted from the abuse of privileged accounts and the impersonation of privileged user identities. Protecting privileged credentials is therefore a major goal of cyber security policy and security operations (SecOps).

PAM Best Practices

The basic idea of PAM is easy to understand: restrict privileged access to privileged users only. It seems simple enough. Indeed, some companies still use spreadsheets and common sense to manage privileged accounts. This is no longer a viable approach, though; operationalizing PAM will take focus and effort, along with the right tools.

Virtually all organizations that take PAM seriously have acquired dedicated PAM solutions. In some cases, it’s a good practice to integrate PAM with your Identity and Access Management (IAM) system. This approach creates a single source of user data. From this master data set, you can then elevate access privileges while tracking all user identities in the same place.

#1 Map your privileged accounts

It’s wise to know where your privileged accounts are and who has access to them. This may seem unnecessary, but in today’s IT world of cloud servers, APIs and mobile endpoints, you might be surprised to learn how many previously unknown privileged access paths into your systems you have. If your organization has distributed management of business units, the problem can be even worse than you imagine. Furthermore, if outside entities like IT consultants have privileged access, that expands the attack surface that much more. In many cases, a privileged user might even be a machine, not a human being.
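As an added example (not part of the Hysolate post), the script below builds the inventory this paragraph asks for on a single Linux host by parsing passwd, group and sudoers data. The three embedded files, the `PRIVILEGED_GROUPS` list and every username in them are constructed assumptions for a hypothetical host. It goes a step beyond the text by also surfacing `NOPASSWD` grants and flagging non-human (service) accounts among the privileged ones, since the paragraph notes that a privileged user may be a machine.

```python
"""Privileged-account inventory for one Linux host (added example).

The three files below are constructed sample data for a hypothetical host;
nothing here is copied from a real system.
"""

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
deploy:x:1002:1002:CI deploy bot:/srv/deploy:/bin/sh
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
svc-legacy:x:0:0:legacy service account:/:/bin/sh
"""

GROUP = """\
root:x:0:
sudo:x:27:alice,deploy
wheel:x:10:bob
docker:x:999:alice,bob
"""

SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
%wheel ALL=(ALL) NOPASSWD: ALL
backup ALL=(root) NOPASSWD: /usr/bin/rsync
# alice ALL=(ALL) ALL
"""

# Groups treated as privileged even without a sudoers rule (assumption; docker
# is included because membership is root-equivalent on most hosts).
PRIVILEGED_GROUPS = {"root", "wheel", "sudo", "admin", "docker"}


def parse_passwd(text):
    """Return {user: {uid, gid, home, shell}} from passwd-format text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, _gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "home": home, "shell": shell}
    return users


def parse_group(text):
    """Return {group: {gid, members}} from group-format text."""
    groups = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, gid, members = line.split(":")
        groups[name] = {"gid": int(gid), "members": {m for m in members.split(",") if m}}
    return groups


def parse_sudoers(text):
    """Return (user_rules, group_rules) as who -> [rule spec]; comments are ignored."""
    user_rules, group_rules = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops comments and commented-out rules
        if not line or line.startswith("Defaults"):
            continue
        who, spec = line.split(None, 1)
        bucket = group_rules if who.startswith("%") else user_rules
        bucket.setdefault(who.lstrip("%"), []).append(spec)
    return user_rules, group_rules


def inventory(passwd_text, group_text, sudoers_text, privileged_groups=PRIVILEGED_GROUPS):
    """Map each privileged account to the list of reasons it counts as privileged."""
    users = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    user_rules, group_rules = parse_sudoers(sudoers_text)
    gid_to_name = {g["gid"]: n for n, g in groups.items()}
    # Any group named in sudoers is privileged, whatever the static list says.
    privileged = set(privileged_groups) | set(group_rules)
    findings = {}

    def note(user, reason):
        findings.setdefault(user, []).append(reason)

    for name, u in users.items():
        if u["uid"] == 0:
            note(name, "uid 0 (root-equivalent)")
        member_of = {g for g, info in groups.items() if name in info["members"]}
        if u["gid"] in gid_to_name:  # primary group counts too
            member_of.add(gid_to_name[u["gid"]])
        for g in sorted(member_of & privileged):
            note(name, f"member of privileged group {g}")
            for spec in group_rules.get(g, []):
                note(name, f"granted by sudoers %{g}: {spec}")
        for spec in user_rules.get(name, []):
            note(name, f"direct sudoers rule: {spec}")
        # Flag non-human accounts among the privileged ones: no interactive login
        # shell, or a home directory outside the usual user locations.
        if name in findings and (
            u["shell"].endswith("nologin") or not u["home"].startswith(("/home/", "/root"))
        ):
            note(name, f"non-interactive or service account (home {u['home']}, shell {u['shell']})")
    return findings


def nopasswd_accounts(findings):
    """Accounts that can escalate without a password prompt: review these first."""
    return sorted(u for u, rs in findings.items() if any("NOPASSWD" in r for r in rs))


def service_accounts(findings):
    """Privileged accounts that look like machines rather than people."""
    return sorted(u for u, rs in findings.items() if any(r.startswith("non-interactive") for r in rs))


if __name__ == "__main__":
    report = inventory(PASSWD, GROUP, SUDOERS)
    for user in sorted(report):
        print(user)
        for reason in report[user]:
            print("   -", reason)
    print("NOPASSWD:", nopasswd_accounts(report))
    print("service accounts:", service_accounts(report))
```

On a real host you would feed the contents of `/etc/passwd`, `/etc/group` and the output of `sudo -l` or `/etc/sudoers` (plus `/etc/sudoers.d/*`) into `inventory()` and diff the result against the account register; the commented-out `alice` rule in the sample shows why the sudoers parser must strip comments before counting a grant.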

#2 Establish Privileged Account Governance

This may seem a bit overly formal, but governance is an essential element of an effective PAM program. The execution of PAM governance doesn’t have to be fancy, but it’s a good idea to commit rules and policies to writing and then make sure that stakeholders understand them. One reason this is so important has to do with the circumstances in which privileged access is granted. For example, if an IT admin gets a call at home on the weekend, with someone asking to be given access to the email server, how should he or she respond? If you’ve established that privileged access can never be granted based on a call to a personal cell phone, you’ll be protected against a potential social engineering hack.

#3 Get organization-wide buy-in

Everyone has to be aware of your PAM program and how it works. This includes senior executives. PAM should factor into general security training, so people will understand and follow privileged access policies. They’ll know it’s happening for everyone’s benefit.

#4 Create a written privileged account password policy

This falls under governance, but it’s worth calling out on its own. Hackers thrive in ambiguity, particularly when there’s turnover of personnel and a lack of clarity about who is allowed to do what. For instance, if your company has an external IT provider managing the ERP system, a hacker can impersonate one of their employees to gain back-end access. However, if you have a written policy that requires sign-off from a senior executive at the IT contractor, then you have taken a step toward mitigating that risk. Privileged password policy templates are available from SANS, NIST, GLBA and the ISO (e.g. ISO17799 and ISO9000).

#5 Protect the PAM Solution

Understand that the PAM solution itself is a major target for hackers. What better way is there to get inside an organization and steal its data or wreak utter havoc? If hackers can penetrate the PAM solution, they can create privileged users at will. Or, they can switch off privileged account access for actual privileged users—blunting incident response capabilities at the same time. A compromised but functioning PAM system could mask unauthorized privilege assignments and erase privileged account sessions. For these reasons, it’s a highly recommended practice to devise countermeasures that provide defense in depth for the PAM solution.

The breach events of 2019 only serve to heighten the importance of robust privileged access management. The threats aren’t likely to get any less serious or advanced. Bad actors are coming for your privileged accounts. Now is the time to increase the depth and intensity of your countermeasures.

Are your current privileged access management efforts enough? Learn how Hysolate isolates PAM access for top grade endpoint security. Request a demo with a specialist today.

The post New Insights into Privileged Access Management (PAM) Best Practices appeared first on Hysolate.

*** This is a Security Bloggers Network syndicated blog from Blog – Hysolate authored by Jessica Stanford. Read the original post at: https://www.hysolate.com/blog/new-insights-into-privileged-access-management-pam-best-practices/


API Management and Security: No One Stop Shop Yet


From what used to be a purely technical concept created to make developers’ lives easier, Application Programming Interfaces (APIs) have evolved into one of the foundations of modern digital business. Today, APIs can be found everywhere – at home and in mobile devices, in corporate networks and in the cloud, even in industrial environments, to say nothing of the Internet of Things.

When dealing with APIs, security should not be an afterthought

In a world where digital information is one of the “crown jewels” of many modern businesses (and even the primary source of revenue for some), APIs are now powering the logistics of delivering digital products to partners and customers. Almost every software product or cloud service now comes with a set of APIs for management, integration, monitoring or a multitude of other purposes.

As often happens in such scenarios, security quickly becomes an afterthought at best or, even worse, is seen as a nuisance and an obstacle on the road to success. The success of an API is measured by its adoption, and security mechanisms are seen as friction that limits this adoption. There are also several common misconceptions around the very notion of API security, notably the idea that existing security products like web application firewalls are perfectly capable of addressing API-related risks.

An integrated API security strategy is indispensable

Creating a well-planned strategy and reliable infrastructure to expose their business functionality securely to be consumed by partners, customers, and developers is a significant challenge that has to be addressed not just at the gateway level, but along the whole information chain from backend systems to endpoint applications. It is therefore obvious that point solutions addressing specific links in this chain are not viable in the long term.

Only by combining proactive application security measures for developers with continuous activity monitoring and deep API-specific threat analysis for operations teams, and smart, risk-based and actionable automation for security analysts, can one ensure consistent management, governance and security of corporate APIs, and thus the continuity of the business processes that depend on them.

Security challenges often remain underestimated

We have long recognized the API Economy as one of the most important current IT trends. Rapidly growing demand for exposing and consuming APIs, which enables organizations to create new business models and connect with partners and customers, has tipped the industry towards adopting the lightweight RESTful APIs that are commonly used today.

Unfortunately, many organizations tend to underestimate potential security challenges of opening up their APIs without a security strategy and infrastructure in place. Such popular emerging technologies as the Internet of Things or Software Defined Computing Infrastructure (SDCI), which rely significantly on API ecosystems, are also bringing new security challenges with them. New distributed application architectures like those based on microservices, are introducing their own share of technical and business problems as well.

KuppingerCole’s analysis is primarily looking at integrated API management platforms, but with a strong focus on security features either embedded directly into these solutions or provided by specialized third party tools closely integrated with them.

The API market has changed dramatically within just a few years

When we started following the API security market over 5 years ago, the industry was still in a rather early emerging stage, with most large vendors focusing primarily on operational capabilities, with very rudimentary threat protection functions built into API management platforms and dedicated API security solutions almost non-existent. In just a few years, the market has changed dramatically.

On one hand, the core API management capabilities are quickly becoming almost a commodity, with, for example, every cloud service provider offering at least some basic API gateway functionality built into their cloud platforms and utilizing their native identity management, monitoring, and analytics capabilities. Enterprise-focused API management vendors are therefore looking into expanding the coverage of their solutions to address new business, security or compliance challenges. Some more forward-looking vendors no longer even consider API management a separate discipline within IT and offer their existing tools as part of larger enterprise integration platforms.

On the other hand, the growing awareness of the general public about API security challenges has dramatically increased the demand for specialized tools for securing existing APIs. This has led to the emergence of numerous security-focused startups, offering their innovative solutions, usually within a single area of the API security discipline.

Despite consolidation, there is no “one stop shop” for API security yet

Unfortunately, the field of API security is very broad and complicated, and very few (if any) vendors are currently capable of delivering a comprehensive security solution that could cover all required functional areas. Although the market is already showing signs of undergoing consolidation, with larger vendors acquiring these startups and incorporating their technologies into existing products, expecting to find a “one stop shop” for API security is still a bit premature.

Although the current state of the API management and security market is radically different from the situation just a few years ago, and the overall developments are extremely positive, indicating growing demand for more universal and convenient tools and increasing quality of available solutions, it has yet to reach anything resembling maturity. Thus, it’s even more important for companies developing their API strategies to be aware of the current developments and to look for solutions that implement the required capabilities and integrate well with other existing tools and processes.

A hybrid deployment model is the only flexible and future-proof security option

Since most API management solutions are expected to provide management and protection for APIs regardless of where they are deployed – on-premises, in any cloud or within containerized or serverless environments – the very notion of the delivery model becomes complicated.

Most API management platforms are designed to be loosely coupled, flexible, scalable and environment-agnostic, with a goal to provide consistent functional coverage for all types of APIs and other services. While the gateway-based deployment model remains the most widespread, with API gateways deployed either closer to existing backends or to API consumers, modern application architectures may require alternative deployment scenarios like service meshes for microservices.

Dedicated API security solutions that rely on real-time monitoring and analytics may be deployed either in-line, intercepting API traffic, or out-of-band, communicating with API management platforms. However, management consoles, developer portals, analytics platforms and many other components are usually deployed in the cloud to enable a single-pane-of-glass view across heterogeneous deployments. A growing number of additional capabilities are now being offered as Software-as-a-Service with consumption-based licensing.

In short, for a comprehensive API management and security architecture a hybrid deployment model is the only flexible and future-proof option. Still, for highly sensitive or regulated environments customers may opt for a fully on-premises deployment.

Required Capabilities

In our upcoming Leadership Compass on API Management and Security, we evaluate products according to multiple key functional areas of API management and security solutions. These include API Lifecycle Management core capabilities, flexibility of Deployment and Integration, developer engagement with Developer Portal and Tools, strength and flexibility of Identity and Access Control, API Vulnerability Management for proactive hardening of APIs, Real-time Security Intelligence for detecting ongoing attacks, Integrity and Threat Protection means for securing the data processed by APIs, and, last but not least, each solution’s Scalability and Performance.


Alexei Balaganski is lead analyst at KuppingerCole. Read more KuppingerCole blogs here.


#cyberfraud | #cybercriminals | Rachel Wilson: Cyber Cop at Morgan Stanley Wealth Management


WHEN RACHEL WILSON WAS A KID, gripping tales of wartime code-breaking were her dad’s idea of bedtime stories – and the little girl was fascinated. “I became very interested in code making and code breaking, and also in serving my country,” says the Northern California native.

Following her passion, Wilson would grow up to lead first the National Security Agency’s counter-terrorism mission, and later its cyber-exploitation mission. Currently Morgan Stanley Wealth Management’s cybersecurity chief, Wilson talks with Barron’s Advisor about how fraudsters are trying to gain an edge in data theft and how advisors can stay a step ahead. And she reveals how a bunch of cyber criminals “in a basement somewhere in Tehran” drew her to Wall Street.

Q: What is your job description?

A: My job is to make sure every system, every network, every application we field across 600 branches, 15,550 financial advisors and 3.2 million client relationships is as safe and secure as we can make it.

My team was formed at the beginning of 2017 out of recognition that the nature of our business model was changing. We wanted our advisors to be able to safely access the totality of Morgan Stanley’s intellectual property from anywhere, and we wanted our clients to do and see much more through Morgan Stanley online. Enabling these things meant we needed cybersecurity controls.

Q: What kinds of schemes are you protecting against these days?

A: Think about where we were with phishing campaigns years ago, when we got emails designed to make you open an attachment or go to a website and share personal information.

Well now we see a trend of spear-phishing email, which is designed specifically for you. These fraudsters will do an exorbitant amount of research into the person they are targeting. They are co-opting email accounts of real people and mining social media. Think of everything in your email. If someone can get into your email, read all your emails you have ever sent and received, then they know a lot about you. They’d have a good sense of who your financial service firms are, who your advisor is, how you communicate and your communication style. So what we see happen is, if you’re a financial advisor, you start receiving emails from someone who may sound just like your client, when in fact the account has been co-opted by the fraudster.

This is why financial service firms are so militant about not accepting instruction over email. They have low confidence that the email is truly from the person it says it is.

Q: So how are fraudsters getting ahead of the game, if advisors aren’t accepting instructions from clients electronically?

A: It is still possible. The hacker injects himself into a legitimate transaction. For example, the hacker gets into an email and gets ready for a significant transaction—maybe it’s a purchase or transfer of assets—and at the right moment sends instructions for assets to be transferred somewhere else. We see a ton of this with title companies and escrow accounts.

Q: And so how is this prevented?

A: If the financial advisor asks if a client sent instructions, and the client says yes, it still has to be a digit-by-digit verification of the transaction numbers.

Q: In those types of scams, the victim inadvertently reveals sensitive personal information to a criminal. If you’re super-careful not to do that, and do the digit-by-digit verifications, are there other ways you can still be vulnerable?

A: We see clients with malware infections. The malware sits in the background and harvests their keystrokes. It takes screen shots of wherever someone’s going, using all of that to harvest the login and passwords for credit card logins, banking and investment accounts. Then the hacker locks the individual out of their digital existence in one fell swoop. They go in at 1 a.m. and change all of the login and passwords and then that individual can’t get into their accounts.

In some examples, we also see hackers go after the mobile [phone] account, and they make it very difficult for you to be reached by anyone. The longer the window of time where they’re able to operate with freedom, [the greater the] margin for fraud opportunity.

Q: Who are the criminals?

A: Ten years ago, most of the activity going on online was by nation states’ intelligence agencies. What we’ve seen over the last five years is a proliferation of pretty advanced cyber-capabilities; things that once would have been the purview of nation states are available to traditional fraudsters.

Two things have happened: A lot of these high-end capabilities have been disclosed in various forms, in many cases by security researchers as they discover things that nation states are doing. They publish those tactics and they become known to those who would use them for ill. Also, there’s been a proliferation in the ability to learn about these capabilities. My son, how does he learn to do something? He watches a YouTube video.

Q: Where do these scams originate?

A: They are coming from all over the place, but it’s difficult to assess—they work hard to obfuscate where they are coming from. Many of these cyber actors are operating from areas where U.S. law enforcement doesn’t have a lot of jurisdiction or influence, where we don’t have extradition agreements. And even if we determine where they are and where they are trying to send money, in a lot of cases they use what we call mule accounts. The owner of the account is an innocent bystander.

Q: That sounds like a hopeless situation. Is it?

A: It is a cat-and-mouse game. I don’t think all is lost. In financial services we recognize we are such a prominent target that we’ve done a great job shoring up control. The cyber teams across financial services are constantly putting our heads together to hear about the latest activity and what can we do as a sector to guard against it. It’s a very collaborative space.

Q: Do the bad guys only go after really big accounts? Are the smaller ones safer?

A: It’s a bit of both. If you’re a prominent ultra-high-net-worth individual, publicly known and your wealth is apparent, certainly we see those folks targeted. They’re big fish and the payout has the potential to be very large. At the same time, those people are savvy and cognizant, so maybe they invest in more protection.

Q: How do scammers target potential victims?

A: They do scams of a broad swath of the internet to see who is vulnerable. They work to monetize that. There’s been a focus recently on some of the local and regional banks, brokers and advisors. Hackers know they don’t have the same investment pool and they haven’t hired the same level of cybersecurity experts as many of the larger firms. I’m spending more and more time in this job working at the local level.

Q: Ransomware attacks have been in the news lately, crippling cities such as Baltimore and Atlanta. Are financial companies vulnerable?

A: Fraudsters are entirely opportunistic; everything from local government to school districts has been targeted, but lots of companies experience this too—from global large companies to smaller companies, law firms, accounting firms, any place fraudsters can get where there is significant data that they can hold for ransom. Even individuals on their personal computers.

I never recommend paying a ransom. We recommend having data appropriately backed up. We see a lot of people paying, and what happens is you pay the first $50,000 in bitcoin equivalent and they give you a little bit of data back, then they ask you for more for the rest of the data and at that point, there’s no going back.

Ransomware attacks have been more lucrative this year than ever. There’s actually some talk now about making it illegal to pay ransoms, because the more people pay, the more it incentivizes the criminals.

Q: Should all advisors be concerned?

A: Yes, given that they are responsible for and have access to client information and can move assets between accounts, they should absolutely be concerned and talking to clients.

Q: What can they do?

A: Talking to your clients about cybersecurity well in advance of anything happening is critical. An ounce of prevention is worth a pound of cure. Be skeptical of email, cautious about downloading anything. Aside from advisors having the conversations, financial service firms are trying to make strong authentication technologies available to clients. Multi-factor authentication is the best we can do; it can go a long way to preventing this fraud. This goes beyond a login and password. We give clients different options for how they want to authenticate their accounts.

Even simple behavioral things are important, like not using the same password for a banking or brokerage account that you use anywhere else on the internet. Use a unique password for a high-consequence account.

Q: Do clients generally understand the importance of following procedure? Are they cooperative?

A: We survey our clients every year and ask them what they’re most concerned about. For the last two years the answer has not been volatility or natural disasters; it is data protection. The wealthier the individual, the more likely they answer cybersecurity and data protection.

Q: Can you quantify the cybercrime problem?

A: The numbers are staggering. Cybercrime damages are expected to be at $6 trillion by 2021.

Q: Any other newer types of fraud to keep an eye out for?

A: What we’re seeing is counterintuitive, somewhat. It’s around paper. Firms recognize cyber fraud is so big, so they’re introducing controls like multi-factor authentication, call-back verification. But it’s like squeezing a balloon. This has forced fraudsters back to traditional frauds circa 1986: check washing. If they can get a hold of a name and address on a check, they take the name, account number and routing number and just print new checks. That’s a huge issue, because there are no digital forensics for the signatures on checks.

When an advisor puts you in investments, you look at basis points of return. We look at fraud the same way: How many basis points of fraud did we experience against a payment channel? Things like checks, even debit cards, have higher basis points of fraud than many of the digital transaction methods. If a client uses electronic bill payment, you reduce the exposure of the routing number and account number and when moving through the online process, they use strong authentication and we have the digital forensics to give us a higher degree of assurance that the activity is legitimate.

Q: What does the future for cybersecurity look like for U.S. financial service companies?

A: We aren’t breeding new cybersecurity specialists fast enough. We don’t have enough people to fill these jobs. This leaves me concerned. We need to get more people, men and women, involved in STEM early on to think about cybersecurity as an option. I spend a lot of my giveback time talking at schools about cybersecurity, telling young people that it is a hugely rewarding field.

Q: After years at the NSA, was there a single event that prompted you to think about getting into the financial world?

A: It was never my plan. I thought I was going to be a lifer in government. But there was a moment that changed my mind. It was back in the 2012 to 2014 timeframe, a crazy time where essentially the Iranian government had made it part of its strategy to retaliate against economic sanctions around their nuclear program, and they started conducting distributed denial of service attacks. This means they throw a whole bunch of packets (units of data) against websites so customers can’t log in. They’re never going to sail an aircraft carrier into New York harbor, but they put a bunch of guys in a basement in Tehran and they wreak some disruption. It’s a way to hit back.

This was frustrating because the relationship between the financial sector and government entities was not as robust. Now, we work together to better secure ourselves. But before, it was difficult to sit by and watch these attacks happen and not be in a position to help defend Wall Street, which is a critical piece of the U.S. infrastructure.

I thought if I ever leave government, I would come to the financial service sector. We’re protecting Wall Street, but it’s really protecting main street. It’s people’s life legacy. This is the next step in my patriotic journey.

Q: Thanks, Rachel.


The post #cyberfraud | #cybercriminals | Rachel Wilson: Cyber Cop at Morgan Stanley Wealth Management appeared first on National Cyber Security.


How to #Build a #Cybersecurity Risk #Management #Framework

Source: National Cyber Security News

When our country’s businesses are safe, our nation is safe. That’s the message that former President Obama gave when he talked about his executive order on “Improving Critical Infrastructure Cybersecurity” in his 2013 State of the Union address. Just a year later, the Obama administration launched the “Cybersecurity Framework,” which is a guide on enhancing cybersecurity developed by the private sector.

The cybersecurity infrastructures of our country’s businesses support national efforts toward economic security, public safety and health safety. The infrastructures of cybersecurity also affect our businesses’ bottom lines, profitability margins and reputations.

Regardless of their risk profiles or size, all companies should build a foundation of cybersecurity risk management based on good business principles and best practices.

Getting Started on a Risk Management Framework

There are many aspects to running a business. The issue of cybersecurity doesn’t usually make the top 10 list of priorities unless a problem rises to the surface that companies can’t ignore. At best, cybersecurity is often a knee-jerk reaction to a problem or new regulation. At worst, it’s an afterthought.

In today’s corporate world, companies need a well-thought-out, strategic plan for cybersecurity to protect themselves and everyone else from potential sources of harm.


Healthcare Information and Management Systems Society (HIMSS) 2018

Source: National Cyber Security – Produced By Gregory Evans

Healthcare Event

March 5 – 9, 2018 | Las Vegas, Nevada, United States

Cybersecurity Conference Description

The 2018 HIMSS Annual Conference & Exhibition brings together 40,000+ health IT professionals, clinicians, executives and vendors from around the world. Exceptional education, world-class speakers, cutting-edge health IT products and powerful networking are hallmarks of this industry-leading conference.


CYBERSECURITY VERY #WEAK AT #CRITICAL #DUTCH WATER #MANAGEMENT #SITES

Water locks and pumping stations in the Netherlands are in danger of being hacked due to inadequate computer hardware and software, according to an investigation published by the Telegraaf. Security software is updated just about every five years, a sign of poor maintenance, and the computer systems that control the water operations date back as far as the mid-1980s, the newspaper said.

“Locks and pumping stations can always be operated manually. You can never be totally safe, you never know what might happen,” a spokesperson for the association of local water boards told the paper. Security is a top priority, but manual operation is always available in case the automated systems are hacked, the spokesperson added.

Business association Evofenedex noted the urgency of maintaining critical infrastructure for the transportation of goods. “The hacking of a sea container terminal earlier this year at the Port of Rotterdam shows that importance. That hack cost Dutch businesses tens of millions of euros from delays and product damages,” an Evofenedex spokesman said.

Software and hardware updates are a key method of thwarting hackers searching for known vulnerabilities. By hacking a water lock or a pump, a hacker could control the gates that determine if water is blocked or released.

The newspaper also took issue with the poor choice of passwords used to access remote operations of sewage pumps and locks.


Main #cybersecurity #management #challenge? People, but simple #tech can help

Source: National Cyber Security – Produced By Gregory Evans

Alissa Johnson doesn’t hesitate when asked whether people or technology is the harder-to-crack cybersecurity management challenge. It’s people, the Xerox Corp. CISO told SearchCIO at Gartner Symposium/ITxpo in Orlando, Fla., earlier this month. “You can tell technology exactly what you want it to do, and it’s […]