Being a CISO is a tough gig.  The perpetual deluge of news items on hack after hack, breach after breach, has finally conveyed that data security is an imperative for all companies, large and small.  But the perception still lingers that the Chief Information Security Officer (or her InfoSec team) will single-handedly prevent breaches at “our” company – and if one should occur, will take care of the response.  For some CISOs, it may feel like High Noon, all over again.

This is unfair to the CISO, and wrong on at least two counts.  First, regardless of the CISO’s job description, the full range of cyber risk exceeds the scope of the CISO’s practical control.  Second, effective breach response requires up to ten channels of coordinated activity, and nine of the ten fall outside of the CISO’s authority.

As technical security improves, human security vulnerabilities are increasingly in the bulls-eye.  For a fresh look at social engineering, and how best to defend against it, there’s no better source than a hacker.  So, I reached out to Cliff Smith, Ethical Hacker & CISSP at Parameter Security, for his take on the current social engineering battleground.  Here’s what he shared:

Confidence games have been around forever.  Is there anything fundamentally different about social engineering practiced by hackers?

Modern social engineering is no different than the classic con games.  They all run on information, trust, and emotions.  The biggest change in the past 20 years or so is that technology makes the attacker’s job much easier, for several reasons.  First, a skilled practitioner can use countless tactics to make their first contact appear more legitimate, such as spoofing a message’s source or creating a legitimate-looking website.  Second, the average user operates on autopilot much of the time when using their phones or computers.  It’s so easy, for example, to click on a link without stopping to think about the danger, which makes phishing attacks much more likely to succeed.  Third, technology makes the consequences of social engineering much more dire.  In just a few clicks, you can accidentally ruin your financial life, or someone else’s.

It’s commonly understood that phishing is a problem, and that phishing is a deceptive email with a malicious link.  Is it that simple, or are there other social engineering attacks to be concerned about?

It all seemed so routine, so straightforward.  The case was settled, with a $500,000 payment to be made to the approved settlement administrator.  The law firm received an email from the administrator with wire transfer directions, and the settlement funds were sent per the instructions.  Just one problem – the email didn’t come from the administrator, the receiving bank was not the right bank, and the half million dollars evaporated.  Poof – gone in an instant.

Sure, it would’ve been prudent for the law firm to have picked up the phone and independently verified the email sender and instructions.  But how did the bad guys know precisely when and to whom to send the phony email, and exactly what to say?  Was it from publicly available information in the court file?  Was there a rogue insider at the firm, or at one of the other litigant’s firms, or at the court, or with the settlement administrator?  Or was someone’s email account illicitly monitored after being compromised by malware or through phished access credentials?

It’s 4:20 p.m. on Friday.  You’re looking forward to meeting your friends soon for happy hour at the local bar.  Your boss is on vacation, and you’re caught up for the week.  All is well.  As you take one last look at your email, you see a message has just arrived from one of your suppliers – marked URGENT.  The supplier is ranting about why you didn’t send payment for last month’s invoice to the right bank account.  They’ve contacted your boss, who they say was irate at being disturbed while in Madrid on vacation, and who told them to contact you personally for immediate resolution.  They helpfully provide the correct bank routing information and demand the payment be made today.  Your authority for wire transfers ($1M) will easily cover the request for $250,000, with change.  The invoice amount sounds about right, you know the supplier, your boss is already upset, it’s Friday, and so you wire the funds.

Of course, you—the reader—already know the ending of this story.  The email was fraudulent, the company is now out a quarter of a million dollars, and you may be out of a job.  Yet this and similar scenarios play out every day, representing a 2,370% increase in the last 18 months in identified exposed losses resulting from business e-mail compromise targeting small, medium, and large businesses.

A swarm of zombies, led by Byte Walkers, surges inexorably onward to penetrate a massive perimeter wall by force and stealth.  Sounds like Game of Thrones, right?  Instead, this is our cyberthreat reality.  And in an ironic twist that would make George R. R. Martin blush under his beard, it’s now painfully real for HBO, which recently acknowledged suffering a massive cyber intrusion through which hackers claim to have stolen up to 1.5 terabytes of proprietary data, including future Game of Thrones episodes.

First Sony, then Netflix, and now HBO – what’s a Westerosi to make of this?

I always look forward to Verizon’s annual Data Breach Investigations Report.  Verizon dropped the 2017 DBIR last week, and for the 10th year in a row it cuts through the confusing landscape of security incidents and data breaches with analysis, alacrity … and yes, attitude (in what other report can you find a paragraph heading like “Tall, Dark, and Ransom”?).

The 2017 DBIR distills global information from 65 collectors of incident and breach data, analyzing 42,120 security incidents and 1,925 breaches that occurred during 2016.  The threat environment changes each year, but one of the reasons I value the DBIR is that it shines a light on a few key things that don’t change.  Here are four central aspects of data security that endure – and which we forget at our peril:


Sorry to revive ugly memories of last fall’s vituperative presidential campaign, in which bile was spewed over candidate Clinton’s use of a private email server while Secretary of State, and its vulnerability to hacking.  Clinton eventually conceded that her use of a personal email server was a “mistake.”  Which it was, on so many levels.

Now, news reports indicate that Vice President Mike Pence, while Governor of Indiana, used a private email account (AOL, no less) to conduct state business.  And that some of the messages apparently contained sensitive law enforcement and Homeland Security information.  And that, unlike Clinton’s private server, Governor Pence’s personal email account was actually hacked.  And that the hack occurred (wait for it) last summer – in the midst of all of the self-righteous indignation over Clinton’s email practices.  Thankfully, Governor Pence and his wife were NOT stranded in the Philippines, and we did NOT need to wire them emergency funds.

These revelations will no doubt spur cries of bald-faced hypocrisy, and equally heated arguments that Pence’s situation is different than Clinton’s (AOL v. private server, Governor v. Secretary of State, sensitive Homeland Security information v. classified information, and so forth).

But here’s a thought – instead of yet another round of beating ourselves over the head with partisan cudgels, what if we tried something different this time?


As the calendar year turned there were several great posts highlighting lessons learned in 2016 from notable HIPAA breaches and enforcement actions.  It’s also useful to climb up out of the trees and view the forest.  The HHS Office of Civil Rights publishes information each year on reported HIPAA security breaches affecting 500 or more persons, and this database offers a unique, multi-year dataset on such breaches of protected health information.

Here’s a forest-altitude look at significant HIPAA breaches suffered by healthcare providers (setting aside health plans and clearinghouses), looking for key trends emerging during the five years from 2012 to 2016.


Reports indicate that in mid-March of this year, John Podesta and various Clinton campaign staff members received individual notifications from Google like this one, telling them to change their Google passwords, pronto.  Just one problem – the security alerts weren’t from Google.  Months later, a barrage of Mr. Podesta’s hacked emails were published by WikiLeaks, serving up yet more artillery shells in this war zone of a presidential election.

Let’s look at this through a different lens.  What if there was a bank, Podesta Savings & Loan, and the bad guys scammed their way in, emptied the vault, and then scattered the currency all over Main Street?  You’re a bystander, and you see the bank’s cash being strewn on the street in front of the bank – is it OK for you to pocket the money?
