Should #Companies be #Fined for Poor #Cyber Security?

Companies in the UK are being fined by the government for not properly securing their data. Is this a model the U.S. and other countries should adopt?

News broke recently that there would be fines of up to £17m in the UK for companies that have poor or inadequate cyber security measures in place. Specifically, if a company fails to effectively protect themselves from a cyber security attack, they could be subject to a large fine from the government as a “last resort” according to Digital Minister Matt Hancock. The U.K. also placed industry-specific regulations on essential services. Essential services industries such as water, health, energy and transportation are expected to have stronger safeguards against cyber attacks.

Cyber Security Inspections to Take Place

In order to keep companies compliant with cyber security regulations, the UK government will now have regulators inspect the cyber security efforts in place. Essential services (think water, healthcare, electricity, transportation, financial) will face more scrutiny than other companies. If a regulator finds a company does not have security safeguards in place, the company will have to come up with a plan for beefing up its cyber security. Fines will be brought down on companies that continue to fail at implementing proper security measures.

Cyber Attacks Becoming More Dangerous

The essential services people use every day are being targeted by cyber attacks at an increasingly high rate. This can make for extremely dangerous situations, such as the WannaCry attack that hit several National Health Service (NHS) facilities and impacted several hospitals’ abilities to admit patients. It was later found that this attack could have been prevented with proper cyber security efforts in place. It also means that services people depend on every day — from electricity, to water, to industrial safety systems — could all be at risk.

This makes it clear why the UK government has chosen to regulate cyber security, particularly among companies that provide services it deems essential to the public. It also raises the question of whether the United States should follow suit. U.S. companies have fallen victim to their fair share of cyber attacks. These attacks have disrupted the lives of Americans who depend on the services affected or whose sensitive information was accessed by the attackers.

What Safeguards are Currently in Place?

While it is obviously in a company’s best interest to have cyber security precautions in place rather than cleaning up the mess of an attack afterwards, that doesn’t mean everyone invests as much as they should in cyber security. In the U.S. there are a few federal regulations in place to establish a bare minimum for cyber security in certain essential industries.

  • HIPAA (1996): HIPAA introduced provisions for data privacy and data security of medical information. All companies and establishments dealing with medical information must have specific cyber security measures in place.
  • Gramm-Leach-Bliley Act (1999): The Gramm-Leach-Bliley Act states that financial institutions in the U.S. must disclose what they do with customer data and information and what protections they have in place to protect customer data. Noncompliance means hefty fines for financial institutions and could lead to customers taking their business elsewhere.
  • FISMA (2002): FISMA was introduced under the Homeland Security Act as a step toward improving electronic government services and processes. This act ultimately established guidelines for federal agencies on security standards.

Critics state that these three regulations are good for establishing minimum security, but do not go far enough. Compliance with all of these regulations has not been robust enough to safeguard against the advanced cyber attacks of recent years. There have been clear breaches of cyber security measures in the medical, financial and government sectors over the past years. While some state governments have put additional regulations in place, the general consensus is that individual companies should be responsible for beefing up cyber security as they see fit.

Cyber Security Investments Should be Increased

At the end of the day, U.S. companies will need to make the decisions that are best for their businesses and customers about what level of cyber security protection is necessary. Marcus Turner, Chief Architect at Enola Labs Software, often discusses cyber security measures with his clients, stating:

“Ultimately, high levels of cyber security are a necessary and worthwhile investment for businesses that care about protecting their customers and safeguarding their businesses. I often tell businesses that they can pay an upfront cost now to protect their data, or wait until a cyber security attack and pay an even bigger price later to clean up the mess. Waiting may very well cost you your business”.

This year we are expecting a much higher investment in cyber security, so it will be interesting to see if this is enough to hinder government intervention or if additional U.S. government regulation of cyber security becomes necessary.


The post Should #Companies be #Fined for Poor #Cyber Security? appeared first on National Cyber Security Ventures.

View full post on National Cyber Security Ventures

Public #sector executive #pay should be #linked to #cybersecurity

Source: National Cyber Security News

Cybersecurity is constantly in the headlines for all the wrong reasons.

Earlier this month, we heard that all 200 UK NHS Trusts that have been assessed so far failed to meet the standards of the government-backed Cyber Essentials Plus scheme. Some of them even failed on patching, which was the vulnerability that led to the WannaCry ransomware attack. They clearly haven’t learned the lessons from an event which caused massive disruption across the health service, with operations postponed and appointments cancelled.

You would think that, if public sector organisations can’t even manage basic security hygiene such as patching, there would be consequences for those running them. However, while the forthcoming GDPR is bringing in new requirements for the protection of personal data, the large fines (€20m or 4% of global revenue) for a privacy breach will apply to the organisations concerned and will not affect their leaders.

After the TalkTalk cyberattack, its then chief executive Dido Harding may have had her cash bonus halved, from £432,000 to £220,000, but she was still paid a total of £2.81M in 2015, despite the personal and financial details of tens of thousands of customers disappearing into the ether.



Why you should be #checking your #data security

Source: National Cyber Security News

If organisations need an incentive to look at how the upcoming reforms to the Privacy Act (Privacy Act 1988 Cth) affect them, the threat of a $2.1m fine could be the motivator.

From February 22, any organisation that is covered by the Privacy Act will be obligated to notify the Australian Information Commissioner and the affected individuals when there has been an eligible data breach – types of breaches will vary, but examples include bank accounts hacked into, or personal details with potential for identity theft accessed, such as names and addresses.

Organisations most at risk include those holding large amounts of personal information, such as retailers, telecommunications and utilities providers, banks, insurance companies, professional services firms, and medical/health care providers.

The new regime will rightly make some organisations nervous as data breaches are becoming more common thanks to new ransomware and other hazardous software.

The smart response is to prepare early for the notification regime. Waiting until a breach happens and then scrambling to deal with your obligations on the run may attract the Commissioner’s ire and may put your organisation at risk of substantial penalties.



Why #companies should make #security a key #performance #indicator

Source: National Cyber Security News

Businesses can’t just buy a bunch of security products and think that they’re protected from cyberattacks. Security involves more than that, including strategy, education, and training. TechRepublic talked with Secure Anchor CEO Eric Cole to discuss how employers can teach cybersecurity best practices to their employees.

“There’s a lot of different awareness programs where people get phishing emails and if they click they get penalized,” Cole said. “What I found, and I was sort of shocked of how effective this is, make security a KPI. A key performance indicator, not only for individuals but managers.”

If employees get penalized for their actions like using poor judgement when clicking links, they become much more aware and careful of what they do from a cybersecurity standpoint. “I’m not usually a big fan of penalizing, but KPI-based security metrics has had a huge, huge positive impact on all my clients,” he said.

To keep important information secure, companies need to make sure their servers that are accessible from the internet don’t contain critical data. Over the past 12 months, the companies that were hit by cyberattacks should have asked themselves, “Do we have any servers accessible from the internet that contain critical data?”



Hackers #stole $172 #billion last #year: #Consumers should #avoid these #mistakes

Source: National Cyber Security – Produced By Gregory Evans

Online hackers made out like true bandits in 2017, stealing over $172 billion from people in 20 countries around the world, a new report said.

Norton Cyber Security released its annual insights report and found that 44% of consumers were affected by a cybercrime in the last 12 months with an average victim losing $142.



Cryptocurrency will drive #AI adoption but #companies should not lose #sight of #present #dangers

Source: National Cyber Security – Produced By Gregory Evans

Bitcoin and other cryptocurrencies have become a routine part of today’s cyber attack landscape.

The press is awash with cryptocurrency. Reports on the all-time highs, the billionaires who jumped on the bandwagon early, and the news that the likes of Goldman’s are setting up trading desks to exploit the wave are rife.



ADS-B and #Aviation #Cybersecurity: Should #Passengers Be #Concerned?

Source: National Cyber Security – Produced By Gregory Evans

Automatic Dependent Surveillance Broadcast (ADS-B) is a technology mandated in all commercial and general aviation aircraft by 2020. It gives the pilot a kind of weather radar and assists with situational awareness, bringing excellent value to the cockpit for professional and private pilots alike. The ability to see thunderstorms and other aircraft in close proximity helps avoid collisions and accidents due to weather.

There is no debate as to the value and effectiveness of ADS-B. However, the technology used to bring all this wonderful situational awareness is rooted in equipment developed and commercialized in the 1960s, and it remains to be seen whether it puts passengers’ privacy at risk.

The Aviation Cybersecurity Challenge

The data format of the transponder was created to help ground-based radar systems track and identify aircraft en route. As its name suggests, ADS-B takes the data coming in from the aircraft’s transponder (and related equipment such as a GPS position source) and aggregates it into a broadcast packet much like on an Ethernet network. For example, if two aircraft position reports are received by the ground station, it will broadcast both positions back on a given frequency. The aircraft then takes the data it receives and displays its position and the other aircraft’s position in the cockpit. Much like position data, weather data is aggregated by the ground station and then rebroadcast for display in the cockpit.

So far, so good. Now for the challenge: Like many industrial Internet of Things (IIoT) controllers, ADS-B equipment does not support encryption, so it is possible to forge the broadcast packet with a man-in-the-middle (MitM) attack. In theory, a threat actor could take a 777 and make it appear miles away from its actual location, potentially leading to midair collisions.

The FAA’s Solution

Since aircraft systems do not have enough CPU power for encryption due to backward compatibility concerns with the installed base, the Federal Aviation Administration (FAA) devised other methods to verify authenticity. These methods, while not publicly detailed, involve analytic geometry combined with a database of aircraft performance to calculate an aircraft’s previous position and compare it to the recently received packet.

Think of it like this: If the airplane has a maximum speed of 300 mph and it moves from position A to position B at a rate of 600 mph, it can be assumed that the data received is forged and will be dropped from the broadcast packet. Additionally, since the cyclic redundancy check (CRC) must remain valid, the attacker has limited choices of where he or she can place the victim aircraft. This solves the problem of making an aircraft appear on screen in a location that it is not.
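The kinematic check described above, worked through as an added example. This is not the FAA’s actual (undisclosed) method and not code from the original post; it is a minimal plausibility filter of the kind a ground station or receiver could apply. The aircraft addresses, positions, timestamps and the 300 mph performance ceiling are constructed values, and `PlausibilityFilter`, `implied_speed_mph` and `run_demo` are names chosen for this illustration. The point it adds to the paragraph is the state handling: a rejected report must not become the new reference point, otherwise a single forged position could make the next genuine report look impossible too.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_MI = 3958.8  # mean Earth radius, statute miles


@dataclass(frozen=True)
class PositionReport:
    icao: str    # 24-bit ICAO address as hex (constructed values used below)
    t: float     # receive time, seconds
    lat: float   # latitude, degrees
    lon: float   # longitude, degrees


def haversine_mi(lat1, lon1, lat2, lon2):
    """Great-circle distance in statute miles between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def implied_speed_mph(prev, cur):
    """Ground speed the aircraft would have needed to travel from prev to cur."""
    dt_h = (cur.t - prev.t) / 3600.0
    if dt_h <= 0:
        return math.inf  # duplicate or out-of-order timestamp: never plausible
    return haversine_mi(prev.lat, prev.lon, cur.lat, cur.lon) / dt_h


class PlausibilityFilter:
    """Keeps the last accepted report per aircraft and drops kinematically impossible updates."""

    def __init__(self, max_speed_mph, default_max_mph=700.0, margin=1.10):
        self.max_speed_mph = max_speed_mph      # icao -> max performance speed (constructed table)
        self.default_max_mph = default_max_mph  # ceiling for aircraft not in the table
        self.margin = margin                    # tolerance for GPS jitter and timing error
        self.last = {}                          # icao -> last accepted report
        self.dropped = []                       # (report, implied speed) pairs

    def accept(self, report):
        prev = self.last.get(report.icao)
        if prev is not None:
            speed = implied_speed_mph(prev, report)
            limit = self.max_speed_mph.get(report.icao, self.default_max_mph) * self.margin
            if speed > limit:
                self.dropped.append((report, speed))
                # Leave self.last untouched: the forged point must not become the reference.
                return False
        self.last[report.icao] = report
        return True


def run_demo():
    """Three reports for one constructed aircraft: genuine, forged, genuine."""
    perf = {"A1B2C3": 300.0}  # constructed: a light aircraft with a 300 mph ceiling
    f = PlausibilityFilter(perf)
    reports = [
        PositionReport("A1B2C3", 0.0, 40.000, -75.0),    # genuine
        PositionReport("A1B2C3", 60.0, 40.145, -75.0),   # forged: ~10 mi in 60 s, ~600 mph
        PositionReport("A1B2C3", 120.0, 40.120, -75.0),  # genuine: ~8.3 mi in 120 s, ~249 mph
    ]
    accepted = [f.accept(r) for r in reports]
    return accepted, [round(s) for _, s in f.dropped]


if __name__ == "__main__":
    print(run_demo())  # ([True, False, True], [601])
```

The third report is judged against the first (the last accepted one), not against the dropped forgery, which is why it passes. The margin is deliberately generous; a real implementation would also need altitude, the receiver’s own timing uncertainty and a tolerance for the first report of a new track, none of which the paragraph covers.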

But what if an attacker wanted to do a distributed denial-of-service (DDoS) attack? Could the ground station be overwhelmed with false packets, causing it to go off the air? Worse yet, the default behavior for a packet with a failed CRC is to drop it. Could a MitM attack simply flood the ground station with malformed packets for each of the aircraft received in the previous broadcast packet? Would this make all the aircraft simply drop off the screen in the cockpit?

ADS-B and Data Privacy

The good news is that air traffic control in the U.S. and elsewhere in the world is using the ADS-B technology as a wonderful supplement to situational awareness. It is not being used to replace the actual ground radar stations that air traffic control (ATC) uses to control the movement of commercial flights and some general aviation flights. So for the flying public, the risk, while not zero, is indeed very small since only general aviation flights that are not on a filed flight plan are outside of ATC jurisdiction.

While the concern is real, the probability of an attacker causing a midair collision is very small. The real aviation cybersecurity concern is for data privacy. With all this information available in the clear, apps exist to track flights on your smartphone today. Will someone find a way to monetize your location data for a profit, and do you care? Furthermore, drones are not currently required to have ADS-B and, in many cases, are too small for radar to pick up. Should commercial drones be required to have ADS-B?


Cybersecurity #101 for #Manufacturers: Why Should You #Care?

Source: National Cyber Security – Produced By Gregory Evans

Anyone living through today’s news cycle who does not recognize cybersecurity as an issue is simply not paying attention. But, until recently, most manufacturing companies have considered it someone else’s issue. Most reported cyber incidents have been aimed at acquiring large caches of consumer data (think breaches at Target affecting 70 million consumers, and Verizon affecting 40 million consumers.) Hackers were historically intent on identity theft, and the acquisition of consumers’ personally identifiable information (PII) is a first step toward that goal. Most manufacturers do not deal directly with consumers or collect their data, so many put cybersecurity on the back burner. However, a recent study found that the manufacturing sector is now the second most frequently hacked industry, after healthcare. (2016 Cyber Security Intelligence Index, IBM X-Force Research.)

Recent cyber breaches have gone far beyond collecting consumer PII. Cyber criminals (and some foreign countries) are after trade secret technology and IP — yours, your vendors’, and your customers’.  Losses from these breaches can include direct payments in the form of “ransom” for shutting down your computerized systems and holding your data hostage (ransomware); business email compromises (BECs), where inside information about upcoming transactions or wire transfers are mistakenly directed to a cybercriminal by your own employees under the misapprehension they are acting on the instructions of a senior executive (phishing); or loss of employee PII or a whole host of other information you may not realize is accessible to a sophisticated cybercriminal.

All Modern Manufacturing Systems are Susceptible to Exploitation. Think about your company’s reliance on computerized industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, employees’ use of multiple data storage devices (servers, laptops, smartphones, social media), your vendors’ and customers’ everyday access to your systems to streamline communications or production, cloud computing, vindictive or disgruntled employees with access to sensitive information, or innocent employees opening an email link or attachment without verifying the source. Any and all of these may provide points of entry for a determined hacker or data phisher. Target’s massive data breach in late 2015, for instance, was engineered through access unwittingly provided by a company HVAC vendor that did not have a secure system, despite Target’s own otherwise sophisticated and thorough security and breach prevention program.

Ransomware/BEC attacks have not distinguished manufacturing companies from other targets. A hacker may gain access to a company’s computerized systems by means of an insider/employee opening an official-seeming link or attachment in an innocent-seeming email, and implant a virus into the system that holds critical data hostage or shuts down critical functions. Even payment of the demanded “ransom” to unfreeze the system may not guarantee a return of data or normal functionality.

Data and System Breaches are Expensive. Costs can include business disruption, product discounts, forensic and investigative activities, loss of customers, and litigation, regulatory and reporting costs. According to the 2017 Cost of Data Breach Study recently released by the Ponemon Institute, the total organizational cost per data breach incident for the U.S. was $7.35 million last year, the highest of the 13 countries studied. The study did not address loss of competitive advantage when trade secret technology and IP are stolen, which could be substantially more costly; the U.S. Federal Bureau of Investigation (FBI) estimated that $400 billion of intellectual property leaves the U.S. every year as a result of cyberattacks targeted at manufacturing companies.

BECs increased 2,370% between January 1, 2015 and December 31, 2016, with victims reporting losses of $346 million. The FBI estimated in a May 2017 alert that such crimes have caused losses of $1.6 billion in the U.S. since 2013 and $5.3 billion globally. For instance, in 2015 paint manufacturer Sherwin-Williams reportedly sent $6.5 million to overseas bank accounts of Russian criminals due to BECs.

How Can You Fight Back? There are a number of protections available to manufacturing companies, many of which are relatively inexpensive.

  • Train your employees. People are the weakest link in cybersecurity, since hackers can access your systems through a single point of contact. If employees are alert to potential email threats, confine their work to your secure network, and limit postings on social media, many potential attacks can be blocked.
  • Use two-step authentication to mitigate threats from BECs. Companies that require confirmation of funds transfer requests by secure telephone or a secondary sign-off by company personnel can virtually eliminate unauthorized transfers.
  • Segment your network on a “need to access” basis. This practice limits accidental transfer of critical data and prevents a hacker from using one point of entry to move a virus or malware through your entire system.
  • Encrypt critical data and back up your systems regularly.
  • Audit your vendors’ and contractors’ cybersecurity systems. Contractual provisions can create cybersecurity duties for your business partners and give you the right to examine their systems for weaknesses that might otherwise compromise your network.
  • Use penetration testing or public domain audits regularly to ensure that your sensitive information is not accessible online.
  • Apply software patches and update your systems on a timely basis. Operators of ICS/SCADA tend not to update or apply software patches because these require system downtime or gaps in service, but most of the systems hacked in recent ransomware attacks were running out-of-date software, and the attacks could have been foiled if the victims had simply applied manufacturer-supplied patches regularly.
  • Check the NIST Guide to Industrial Control Systems (ICS) Security for additional cybersecurity guidance.
  • Have a response plan in place in case of a breach.
  • Look into cyber insurance to mitigate the cost of a cyber incident. The current insurance market is competitive and well-priced, so you should be able to negotiate for the appropriate protection.

While it is impossible to create impenetrable systems, be aware that hackers tend to go after low-hanging fruit. The more protections you implement, the less likely you are to experience a debilitating cyber-attack.


Cybersecurity should be a #strategic issue, not just an #IT #investment

Source: National Cyber Security – Produced By Gregory Evans

Part of the problem in managing cybersecurity challenges revolves around the fact that security isn’t seen as a critical business problem by senior executives and board members alike.

The recent 2017 global survey on the changing attitudes towards cybersecurity in business by Fortinet reveals that cybersecurity does not rank amongst the high focus areas for board members of organisations.

Surveying over 1,800 IT decision makers, Fortinet found that almost half of respondents believe that security is still not a top priority discussion for the board. At the same time, they also strongly contend that cybersecurity should become a top management priority, with 77% of respondents indicating that the board needs to put IT security under greater scrutiny, says Paul Williams, Country Manager for Southern Africa at Fortinet.

“One would assume there would have been a substantial uptick in interest by boards as a result of some of the most recent security attacks—and the dire implications they had on the targeted businesses,” says Williams. “However, even though boards do react when security attacks occur, their actions are generally reactive rather than prescriptive. Specifically, boards appear more involved in post-breach management than prevention.”

For example, the survey reveals that 77% of boards demand to know what happened after a security event occurs, and 67% review or increase security budgets. Security leaders obviously still have much work to do in up-levelling security to the board level.

Williams says findings from the survey corroborate the statement that no organisation is immune from the threat of breaches, ransomware attacks, or operational disruptions. Companies of all sizes and shapes as well as all industry segments are targets: 85% of respondents indicated that they suffered a security breach in the past two years, with almost half reporting a malware or ransomware attack.

There are a number of factors driving boards, executives, and IT decision makers to make cybersecurity a top priority in 2018.

According to Williams the more significant ones are:

Security Breaches and Global Attacks. The vast majority of organisations have experienced some type of security breach or attack in the past two years. 49% of survey respondents said their organisations increased their focus on security following a global attack such as WannaCry. Increased publicity and attention, along with implications on brand reputation and business operations makes these board-level issues rather than IT operational undertakings.

Attack Surface. The adoption of the cloud, emergence of IoT, and growth in big data expands both the circumference of the attack surface as well as its complexity. 74% of survey respondents indicate cloud security is a growing priority for their organisations. Half say their organisations plan cloud security investments over the next 12 months. IoT is just as big a factor when it comes to the ever-expanding attack surface. The number of connected IoT devices is predicted to balloon to more than 8.4 billion by yearend according to Gartner. Of these, 3.1 billion belong to businesses. As many IoT devices are difficult to protect, experts concurrently predict that more than 25% of all security attacks will target IoT devices by 2020.

Regulatory Compliance. New government and industry regulations are also increasing the importance of security. 34% of respondents indicated that these regulations heighten the awareness of security at the board level. Passage of the General Data Protection Regulation in the EU, which goes into effect in 2018, is one such example.

“These trends are forcing cybersecurity to be seen as a strategic issue, within an organisation’s broader risk management strategy, rather than a simple IT investment. To succeed in their digital transformation efforts, IT security leaders must rethink their cybersecurity approach with a view to extending visibility across the attack surface, shortening the window between time to detection and mitigation, delivering robust performance, and automating security intelligence and management.”


14 #Cybersecurity Tips All #Business Leaders Should Know

Source: National Cyber Security – Produced By Gregory Evans

As a business owner, cybersecurity can be a daunting topic: It’s complex, threatening, and you might not even know where to start. But considering hacks will cost companies as much as trillions of dollars annually within the next five years, cybersecurity is a measure all businesses — both big and small — must take.

To help break down different pieces of the puzzle, we’ve compiled tips and takeaways from 14 cybersecurity experts from Forbes Technology Council.

1. Cyber criminals feed off human error

“With the proper behavioral changes, organizations can greatly minimize their chances of suffering a devastating blow. It all starts with developing a culture of cybersecurity. But what does that look like?” writes Reg Harnish, CEO, GreyCastle Security.

“A consistent buy-in among employees starts with driving home the fact that everyone has a role to play in protecting the company’s assets, and no role is more important than any other,” writes Harnish. “Additionally, employees are more likely to stay committed to the task if the security concepts can be easily implemented into their daily routines, much like brushing their teeth.”

Read more in What It Means To Have A Culture Of Cybersecurity

2. But you might want to hire a hacker …

Research forecasts the cost of cybercrime to hit $6 trillion per year by 2021. Whether you own a company or not, everyone is at risk of having their data stolen, as cybercrime is the fastest-growing crime in the U.S. Knowing how to best position yourself before an attack happens is essential.

“More and more businesses and government agencies are engaging with independent security researchers to help them find vulnerabilities in their systems that they otherwise wouldn’t,” writes Alex Bekker, VP of engineering at HackerOne. “Most cyberattacks are executed via security holes unknown to the target organization, so having well-intentioned hackers find vulnerabilities in our computer systems is the closest we can get to real-world conditions.”

3. Most companies know about cyber threats, but aren’t doing much about it

“The hackers have done an excellent job of bringing the cybersecurity industry to the forefront, but how can we translate that into successfully helping corporations, governments and individuals defend themselves? The answer is rather simple: education,” writes Nick Espinosa, Chief Security Fanatic of Security Fanatics.

“Consider two major points in this vein: First, a recent study of global governments shows that while they’re aware of cyberthreats to their infrastructure, roughly 50% of said governments do not have a formal cyberdefense strategy or plan,” writes Espinosa. “Second, we have plenty of corporations and governments with vast amounts of intellectual property who continue to be behind in cyberdefense, using outdated strategies instead of the latest and greatest defense hardware, software and methodology. The ‘if it ain’t broke, don’t fix it’ mentality is alive and well, sadly.”

4. Beware of another threat: biased security providers

As cybersecurity becomes non-optional, third-party vendors seem to be popping up out of the woodwork. They make big promises, but not all of them can deliver.

“Setting advanced testing standards would be an important step in codifying what is promised and delivered by various products,” writes Jamie Butler, CTO of Endgame. “Unfortunately, much of the available third-party testing organizations receive compensation for testing, which makes the results inherently biased. Instead, non-pay-to-play organizations like MITRE and the Cyber Independent Testing Lab need to become the norm.”

5. It’s not enough to plan against an attack, IT departments must plan for one as well

“No matter the extent and level of investment an organization puts into cyberthreat prevention, leadership must recognize a hard reality: It only takes one wrong click to invite an intrusion. Thus, a restorative approach (i.e., a well-equipped disaster recovery plan) is needed to ensure ongoing business in the event of a ransomware attack,” writes Jeffrey Ton, EVP of product and service development at Bluelock.

“It’s crucial for companies to ensure their restorative capabilities are just as strong, if not stronger, than their preventative measures in place. In every breach scenario, quick responsiveness avoids extensive data loss and reputational fallout,” writes Ton. “Achieving the creative and analytical tension for this type of resilience is just another reason for IT departments to shift their traditional approach.”
