[BreachExchange] Column: Cyber Threat Roundup

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 3 20:12:26 EDT 2017


https://www.greenwichsentinel.com/2017/09/30/column-cyber-threat-roundup/

There is so much happening on the Cyber Security front. It affects you. You
can learn from it. As a bonus, you can rant along with me. Hardly anyone
takes the time to read insurance policy fine print. Likewise, few business
people really want to deal with cyber security. Dig in and understand it.

According to Microsoft, in companies with less than 250 employees, 75% use
the same two to four passwords on nearly everything. In fact, 87% of senior
managers have unwittingly leaked corporate data; 57% sent it to the wrong
person. Top executives and administration officials alike use personal
email accounts for official business. Do not be like them. (Go back and
read the last two weeks’ columns to learn how to save yourself, if you
can’t wait until next week.) Did you know, on average, over 200 days pass
before organizations realize their data or network has been hacked? More
than 300,000 new malicious files are created every day. Cut this article
out. It’ll make great cocktail party conversation. Everyone loves to talk
about how “scary it is!”

Does your organization have a “diligence in depth” plan to combat these
vulnerabilities? Today, every company can afford to take advantage of
fantastic protection tools. Pay attention and spend just a little.

What’s been happening lately?

According to FedEx, a June 27 “Petya” attack cost them $300,000. DLA Piper,
one of the world’s largest law firms, was crippled for over three weeks
this summer, and continues to reel in the devastation of lost revenue and
client confidence. Princeton Hospital was forced to scrap and replace its
entire computer network this summer. These were all ransomware or
faux-ransomware attacks. Avoidable, all of it.

You are lucky if your breach is just about a ransom payment. Maybe your
data is worth more.

Take Equifax. The Wall Street Journal reports, “Hackers roamed undetected
in the Equifax computer network for more than four months.” Experts believe
bad guys gained entry simply because DinosaurFax hadn’t patched their
systems. Even a small company can do that, right? (See how I am giving you
hints along the way?) On Tuesday, CEO Richard Smith resigned as I
predicted. Last week, the SEC announced hackers penetrated their systems,
and may have even traded, undetected, for over a year!

This of course came from the institution that allowed big traders
pre-knowledge of market disclosures – ahead of the rest of us. I think it
is better they get hacked and embarrassed than be allowed to operate with
total impunity. Gosh, they don’t even have to disclose their breaches like
the rest of you. Sorry to rant. SEC Chairman, Jay Clayton, cannot discuss
the details due to, “an ongoing enforcement probe.” Sounds very official.
Accounting firm Deloitte just reported a hacker accessed “very few” client
records, and there was “no disruption of client business.” Sounds like a
huge cover-up to me. The “Krebs on Security” website quoted a Deloitte
insider who indicated the hacker, through their email system, accessed all
of their internal systems and all administrative accounts.

This week, the Commodity Futures Trading Commission advocated significantly
reduced fines for companies who report breaches. The idea being, breached
companies would be more likely to come forward if they didn’t face such
huge punitive penalties. But that won’t work because most breaches occur
because of gross negligence, and nobody wants to admit to their customers,
shareholders, and the world at large that they are inept executives.
Especially not a “master of the universe.” Just ask Richard Smith, though
he is certain to be paid handsomely for his fine work not paying attention
and obscuring the truth. You see, protecting against most threats is not
“high cyber science,” just common sense and fundamental management. This is
what explains the lies we read each week. I guess it is easier to lie than
do your job.

Bet you didn’t know that the SEC applies its cyber security rules in
mysterious ways. Jay Clayton, now a beacon on this subject, says recent
cyber security lapses have, “highlighted the importance of cyber
security…to market participants.” Why, then, don’t Congress and the
Commission work toward changing application of and adherence to Reg SCI? Reg
SCI is a requirement that, if it applies, requires complete, deep
procedures to ensure robust and resilient technological trading systems and
controls are in place. This is a rather vague regulation and is applied to
exchanges and certain trading venues. Not all. It doesn’t apply to Morgan
Stanley, Charles Schwab, E-Trade, Scottrade, or Citadel, who handles over
one-third of all trades executed in the United States. Nor does the SEC
publish a list of who needs to comply. This sort of reminds me of “double
secret probation” in the movie, “Animal House.” I guess it really matters,
but we don’t need to know who is cyber secure or not?

To wrap all this directionlessness (new word just invented) up, according
to a recent Wall Street Journal headline, “In Today’s Cyber War, Everyone
Is a Target.” The FBI agrees, threats against small business are growing at
an escalating rate (over 35% annually). So, if these large outfits, with
all sorts of resources can’t keep out the bad guys, should smaller outfits
even try?

Yes, and yes, bad things will happen to your company if you don’t. The
reason small companies are a target is they pay even less attention to
security than your higher-paid brethren. Bad actors can gain access to
your best customers (who are much bigger than you) through you. Sound like
a good deal? It is much worse than you think. In spite of all you read,
most cybercrime is not reported. Again, business executives don’t like
advertising they are unconscientious. You might even say unconscious. I
think it was Dan Quayle who said, “What a waste it is to lose one’s mind. Or
not to have a mind is being very wasteful. How true that is.”

Sorry, we used up too much space ranting today. Next week we will discuss
what you can do, without breaking the bank, to protect your business and
critical customer relationships. In half the space! In the meantime, do
worry about it, and what you will do if a weather disaster strikes our area
again.