International Bans on Huawei Increasing

International bans on Huawei technologies are increasing in the midst of rapidly changing world opinion. The United States has long held that Huawei products are a threat to information security. Now the United Kingdom and members of the European Union are voicing those concerns as well. Because Huawei is a leader in emerging 5G technologies, this is of great concern.

Possible U.S. Ban on Huawei to Take Effect in August 2020

Legislation passed in 2019 is due to take effect August 13, 2020. While Congress is considering amendments to the Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment, the core principles of the legislation are expected to remain intact. According to the published interim ruling, implementation of the rule is not likely to be postponed. This rule will prohibit the awarding or renewing of federal contracts to contractors using telecommunication equipment produced by Huawei Technologies Company, ZTE Corporation, or any subsidiary or affiliate.

Previous Huawei Rulings in the U.S.

The Bureau of Science and Industry (BIS) restricted Huawei’s semiconductor manufacturing capabilities in May of 2020. BIS took this action to prevent the company from acquiring semiconductors that are the direct product of U.S. technologies and software. These technologies now fall under the Export Administration Regulations (EAR). In other news, the Department of Justice is prosecuting a case against the company for participation in a fraudulent scheme to export banned U.S. goods and technologies for its business in Iran.

Global Reactions to China’s Continued Malicious Behaviors

Because of a growing awareness of China’s history of cybercrime and information theft, attitudes are changing in the international community. The country’s handling of the Covid pandemic, the Hong Kong crackdown, and the repression of ethnic Uighurs have contributed to this awakening.

After growing political pressure in recent months, the United Kingdom moved to remove Huawei devices from the country. While France has stated that it will not totally ban the company’s 5G products, it is encouraging operators not to use them. Australia, Canada, New Zealand, and Vietnam have declared that Huawei equipment poses a “significant security threat”. Poland arrested a Huawei employee for spying. Because of this, it has asked the EU to develop a joint stance against Huawei.

China has an extremely centralized government. It is therefore impossible to separate the actions of the country from the actions of its corporations. On July 13, 2020 Reuters reported that there was broad support within the European Union (EU) for responding to the new security laws in Hong Kong.

CVG Strategy

International bans on Huawei are but one development in a complex business world. As a result, businesses will continue to be faced with changes in regulations. Additionally, cyberthreats to vital information are increasing in volume and complexity. CVG Strategy is committed to helping businesses with export compliance and cybersecurity. We are here to assist you in establishing Export Compliance Programs and Information Security Management Systems that will keep your business running strong. Contact us to see how we can help.

CVG Strategy can help you understand revisions to the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR), and help you establish a coherent and effective export compliance program.   We can perform export control classifications, perform audits, assist in filings for export licenses and educate your team.  Regardless of whether your business falls under EAR or ITAR, CVG Strategy has the expertise to help.

Organizational Cyber Resiliency Report

IBM Security has released its organizational cyber resiliency report for 2020. This year’s report, based on research from the Ponemon Institute, draws on a survey of IT and cybersecurity experts from around the world. The National Institute of Standards and Technology (NIST) defines cyber resiliency as a merging of systems engineering, resilience engineering, and systems security. Its goal is to develop systems with the ability to anticipate, withstand, recover from, and adapt to an increasingly hostile cyber environment.

Key Takeaways from the Cyber Resilient Organization Report

IBM’s organizational cyber resiliency report is an extremely detailed analysis of the current situation. There are, however, many key takeaways that can provide guidance for businesses attempting to address critical cyber concerns.

Cybersecurity Incident Response Plans

Most organizations surveyed had suffered business disruptions during the last two years. While it’s impossible to thwart every attack, a well developed plan can greatly mitigate the effects. Because the number of cyber threats has markedly grown, many organizations have implemented Cybersecurity Incident Response Plans (CSIRP). Effective CSIRPs involve all levels of an enterprise. They include regular reporting to C-suite stakeholders and incorporate regular reviews. This is consistent with a well developed Information Security Management System (ISMS) such as ISO 27001 or NIST 800-171.

Automated Tools for Cybersecurity

Most participants reported that they had achieved better resilience by employing automation tools. Organizations that noted effectiveness used more than 20 tools when investigating or responding to cybersecurity incidents. While these tools can provide security, organizations that used too many tools (over 50) reduced their effectiveness. These tools included technologies such as analytics, automation, AI, and machine learning.

Improved Cloud Service Implementation

More than two-thirds of companies in the United Kingdom, Germany, France, the United States and Canada cited value in the use of cloud services. These included organizations in healthcare, retail, and public sectors. The leading reasons given for improvement due to cloud services were the benefits of leveraging a distributed environment, economies of scale, and availability of service level agreements.

It is important to note, however, that poorly configured cloud services can severely endanger an organization’s data security. About a third of respondents reported negative results from investing in cloud services.

Sharing of Threat Intelligence

While a majority of participants agree that sharing intelligence with government and industry peers provides benefit, most do not share information.  Among reasons given were a lack of resources and cost.

CVG Strategy Cybersecurity Consulting

CVG Strategy cybersecurity consultants can help you tailor and implement effective CSIRPs that:

  • Incorporate all sectors of an enterprise.
  • Provide reporting to and participation of executives.
  • Identify top threats to your specific industry and assess risks.
  • Develop accelerated responses to specific attack types.
  • Optimize the implementation of automated technologies.
  • Incorporate regular reviews for evaluation and process improvements.

Contact Us today to see how our team of experts can bring their extensive experience to improve your cybersecurity processes on time and on budget.

Hong Kong Special Status Suspended by Commerce Dept.

Commerce Department regulations that gave Hong Kong Special Status have been suspended. U.S. Secretary of Commerce Wilbur Ross made this announcement on June 29, 2020. This change will affect the export of sensitive U.S. technologies to Hong Kong. It will also affect the availability of export license exceptions. Mr. Ross also mentioned that further actions to eliminate the differential treatment for Hong Kong are under consideration and urged the Chinese government to “fulfill the promises it has made to the people of Hong Kong and the world”.

Action a Response to Chinese Security Measures

The Chinese Communist Party has imposed severe security measures of late. These actions are seen to undermine the autonomous status of Hong Kong. As a result, it will be impossible to ensure that exports are not diverted to China’s People’s Liberation Army or Ministry of State Security.

Hong Kong has been a major international financial hub, but many experts see China’s recent actions endangering its future.   A new national security law imposed by China on June 28th will severely crack down on crimes of secession, subversion, terrorism, and collusion.  The law will allow for the creation of a national security agency in the city to take actions beyond existing Hong Kong law.

Hong Kong’s Special Status and the International Business Community

Members of the international business community have trusted Hong Kong as a major conduit for global finance and trade. This was largely due to its autonomy from China’s authoritarian legal and economic systems. With that firewall now effectively destroyed, the future of Hong Kong’s trade legacy is in question. The European Union (EU) has already stated its concerns about the conformity of the new law with Hong Kong’s Basic Law and with China’s international commitments. The European Union considers it essential that the existing rights and freedoms of Hong Kong residents are fully protected. How the rest of the world reacts to this crisis will very likely change the dynamics of trade in the region. It will be important, therefore, to continue monitoring this situation.

CVG Strategy Export Compliance Expertise

Export compliance is an extremely dynamic area of late. Because of this, keeping up with changing laws and regulations can be challenging for businesses of all sizes. CVG Strategy export compliance consultants can help. We have extensive experience in Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR). Our experts can help establish programs for compliance, conduct audits, and provide training. We also provide quick online answers for your ITAR questions. Contact Us today to see how we can help.

Mobile Banking Apps Warning from the FBI

The FBI issued a mobile banking apps warning on June 10, 2020. Many people are now switching over to mobile banking apps to limit visits to the bank during the Covid-19 pandemic. The agency is concerned that this increased usage presents opportunities for exploitation by cyber actors. The chief concern is that customers new to mobile banking may download fake or trojan apps.

Fake and Trojan Apps

Fake apps have become one of the fastest growing forms of cyber crime. Fraudulent apps impersonate real apps to gather login credentials. These apps show an error message after login and use permission requests to intercept the security codes texted to users, bypassing that protection.

Trojan apps use code concealed in apps unrelated to financial activities. They can often be found in games or tools that have been downloaded. The malicious code will remain dormant until triggered by a legitimate banking app. The trojan will then create a false version of the legitimate login page to collect credentials. It then returns the user to the authentic app so as to hide the data theft.

Important Tips for Protecting Your Information

Purchase Your App From a Reputable Source

The FBI encourages people to purchase apps from smartphone app stores or download them directly from a major U.S. bank website.  Smartphone app stores actively screen apps for malicious content. Additionally, most major US banks will provide a link to their mobile app on their website.  

Two Factor Authentication

Most users of websites and applications do not enable two-factor authentication. Most people who don’t use this tool consider it an inconvenience. Actually, two-factor authentication is easy to use and is very effective against cyber crime. The FBI strongly recommends using two-factor authentication whenever possible.

Password Protocols

The FBI encourages people to engage in practices recommended by the National Institute of Standards and Technology (NIST).  These include:

Do:
  • Use passwords that contain upper case letters, lower case letters, and symbols.
  • Use a minimum of eight characters per password.
  • Create unique passwords for banking apps.
  • Use a password manager or password management service.
Don’t:
  • Use common passwords or phrases, such as “Password1!” or “123456.”
  • Reuse the same passwords for multiple accounts.
  • Store passwords in written form or in an insecure phone app like a notepad.
  • Give your password to anyone. Financial institutions will not ask you for this information over the phone or text message.

For more information concerning mobile device cybersecurity see the Cybersecurity & Infrastructure Security Agency’s (CISA) recommendations.

Challenging Times for Cybersecurity

An array of threats has entered our lives as new technologies emerge. Cybersecurity is a challenge for individuals, businesses, and governmental agencies. The banking industry is no different in addressing these vulnerabilities. Recent breaches of Capital One illustrate the massive dangers these vulnerabilities pose. CVG Strategy is committed to helping businesses create and maintain viable Information Security Management Systems (ISMS). Contact Us today to see how we can help you protect your vital data.

Effective Quality Management Documentation

Creating Effective Quality Management Documentation

Effective Quality Management Documentation is the backbone of an ISO 9001:2015 quality program. The documentation created therefore should be clear, concise, and targeted for its intended audience. Documents serve to explain and instruct all stakeholders on policies, procedures, and work instructions. They also provide the basis for evaluation for continuous improvement and organizational development.

Documentation Requirements

Documentation requirements will vary in complexity and from organization to organization.  Factors that will determine this complexity include:

  • The size of the organization
  • Activities of the organization
  • Types of processes and products
  • Complexity of those processes
  • Level of competence of intended audience

Document requirements serve several purposes in the quality program.  High level documents are required for defining the scope, processes, policies, and objectives of the program.  Lower level documentation is required to define organizational responsibilities, procedures, work instructions, quality plans and other information.  Additional documentation is required for providing the results of quality processes.  These documents are required for demonstrating conformity.

Knowledge as a Basis for Documentation

Because we are all products of an educational system that rewards the perception of competency, it is easy to create opaque documents. Real knowledge of a given subject provides a basis for simple and clear documentation. This will effectively convey expectations of performance and establish goal posts for review.

Required knowledge includes an understanding of the upper level objectives of the quality program, the Context of the Organization, who the stakeholders are, and what audience the document is intended for.

CVG Strategy Quality Experts Can Help

CVG Strategy provides Quality Management System (QMS) consulting services for ISO 9001:2015, AS9100, ISO 27001, and other standards.  We can help your organization establish and modify a QMS that can improve your business performance and save money.  We can provide training and auditing services.  CVG can also provide a complete documentation set, customized for your program requirements.

Contact Us today to see what our certified quality management experts can do for you.

Cyberspace Solarium Commission Report – Grim

Cyberspace Solarium Commission Report – March 2020

The Cyberspace Solarium Commission Report, released in March 2020, paints a grim picture of the level of cyber vulnerability in the United States.  It stresses the need for immediate action from both the public and private sectors to deter looming catastrophe.  The report focuses on strategic approaches to defend the United States against cyberattacks and the necessary policies and legislation to implement them.

A Layered Approach to Deterrence Recommended

To achieve a reduced probability of critical cyberattacks the report recommends three necessary layers of deterrence.  To achieve this deterrence the United States must:

  1. Work with allies and partners to promote responsible cyber behavior.
  2. Deny benefits to adversaries who exploit cyberspace by securing critical networks.
  3. Impose costs by maintaining a credible capacity and capability to retaliate against cyber actors.

This approach to deterrence should incorporate a “defend forward” concept to disrupt and defeat adversaries. This would be accomplished by actively observing and pursuing adversarial operations and imposing costs for those actions. These costs as defined should be “short of armed conflict”.

Six Policy Pillars for Implementation

To implement an effective national cybersecurity strategy six pillars have been defined for implementation of the three layered approach.

Reform the U.S. Government’s Structure and Organization for Cyberspace

Proposed governmental reforms include rapid and comprehensive improvements at all levels. This would begin with an updated National Cyber Strategy from the executive branch. Along with this, cyber oversight committees should be created in the House and Senate. A Senate-confirmed “National Cyber Director” is also advised. Along with these actions, the strengthening of the Cybersecurity and Infrastructure Security Agency (CISA) is recommended.

Strengthen Norms and Non-military Tools

While significant international norms have been established for responsible cyberspace behavior, little if any enforcement is taken against cyberthreat actors. To mitigate this, the report urges the Department of State to work with allies to employ law enforcement, information sharing, diplomacy, and sanctions to support a “rules-based international order”.

Promote National Resilience

Resilience to cyberthreats in both the public and private sector is required to deny adversaries a benefit from their actions and to reduce their confidence in achieving their strategic ends. This resilience could be addressed through:

  • Strengthening CISA.
  • Developing a planning mechanism, in consultation with the private sector, for contingency planning for significant cyber disruptions.
  • Codifying Cyber States of Distress tied to Response and Recovery Agencies and Funds.
  • Improving the Election Assistance Commission.
  • Governmental promotion of digital literacy through advancement of public awareness.

Reshape the Cyber Ecosystem Towards Greater Security

These efforts would include raising the baseline level of security by providing a National Cybersecurity Certification and Labeling Authority.  They would also involve creating laws making hardware, firmware, and software final goods assemblers liable for damages from known unpatched vulnerabilities.  Mention is also made for creation of national standardizing requirements for the collection, retention, and sharing of user data.

Operationalize Cybersecurity Collaboration with the Private Sector

Private sector entities must have primary responsibility for creating and maintaining viable Information Security Management Systems (ISMS), but the government can greatly assist these entities.  This could be accomplished by using government resources and intelligence capabilities to support businesses.

Preserve and Employ the Military Instrument of Power – and All Other Options to Deter Cyberattacks at Any Level

Efforts in this regard include comprehensive assessment of the Cyber Mission Force, a vulnerability assessment of weapon systems, and a sharing between governmental agencies and the Defense Industrial Base of potential threats.

CVG Strategy and Cybersecurity

CVG Strategy provides cybersecurity consulting and training for large and small organizations.  Our experts can tailor a program using risk management process to identify information assets and interested parties.   We can create the documentation and provide the essential training to establish your ISMS and guide you through certification audits.
 
CVG Strategy also provides consulting services for NIST 800-171 and CMMC Certification for those businesses and institutions providing services to the Department of Defense and other government agencies.

U.S. Restricts Huawei Semiconductor Technology Usage

The U.S. Restricts Huawei’s Semiconductor Manufacturing Capabilities

The U.S. will restrict Huawei semiconductor manufacturing by limiting the use of technologies for design and manufacture. This planned action was announced by the Bureau of Industry and Science (BIS) on May 15, 2020. The BIS is implementing this action to protect national interests by preventing Huawei from acquiring semiconductors that are the direct product of certain U.S. software and technologies.

Huawei on Entity List Since 2019

The Department of Commerce placed Huawei and its foreign affiliates on the Entity List in 2019.   The Entity List is a list of individuals or entities subject to specific export license requirements.  Since being placed on this list Huawei has skirted regulations by commissioning the production of semiconductors abroad.  Secretary of Commerce Wilbur Ross stated “This is not how a responsible global corporate citizen behaves.  We must amend our rules exploited by Huawei and HiSilicon and prevent U.S. technologies from enabling malign activities contrary to U.S. national security and foreign policy interests.”

EAR Rule Changes

Targeted changes will be made to the Export Administration Regulations (EAR) to address the issue. The following foreign-produced items will now be subject to EAR export control:

  • Items, such as semiconductor designs, when produced by Huawei and its affiliates on the Entity List (e.g., HiSilicon), that are the direct product of certain U.S. Commerce Control List (CCL) software and technology.
  • Items, such as chipsets, when produced from the design specifications of Huawei or an affiliate on the Entity List (e.g., HiSilicon), that are the direct product of certain CCL semiconductor manufacturing equipment located outside the United States.  Such foreign-produced items will only require a license when there is knowledge that they are destined for reexport, export from abroad, or transfer (in-country) to Huawei or any of its affiliates on the Entity List.

Changes Urged by Lawmakers

The Department of Commerce’s actions come after lawmakers encouraged the Trump administration to place restrictions on the export of emerging technologies. Many have felt that the U.S. has been too passive in protecting U.S. interests in the worldwide semiconductor market. Sen. Ben Sasse, R-Neb., applauded the rule, calling it “long overdue.” On May 15 the senator was quoted as saying “Modern wars are fought with semiconductors, and we were letting Huawei use our American designs.”

China Reacts to Restrictions

In response to these restrictions, China’s Commerce Ministry is considering placing U.S. companies on its so-called unreliable entity list and stopping purchases of aircraft from Boeing.  China views these actions as a “serious threat” to its semiconductor industry.  These comments were made on May 17, 2020.

On May 18, 2020, Huawei chairman Guo Ping said that U.S. restrictions “ignore the concerns of many companies and industry associations.” Huawei also said the rule will “undermine” the global semiconductor industry. “The U.S. is leveraging its own technological strengths to crush companies outside its own borders,” the company said. “This will only serve to undermine the trust international companies place in U.S. technology and supply chains.”

Cybersecurity Alert for Healthcare and Essential Services

Cybersecurity Alert Issued by United States and United Kingdom

A cybersecurity alert for healthcare and essential services was issued jointly by the United States and the United Kingdom. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) issued the alert on May 5, 2020. These agencies have detected Advanced Persistent Threat (APT) attacks against organizations involved in Covid-19 responses. Targeted entities include healthcare, pharmaceutical, academic, and research organizations. Local governmental agencies are also being attacked.

System Vulnerabilities Being Exploited

CISA and NCSC have reported numerous incidents of APT actors scanning the external websites of pharmaceutical and medical research organizations for vulnerabilities. These actors are exploiting a Citrix vulnerability, CVE-2019-19781. They are also gaining access through vulnerabilities in Virtual Private Network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.

Healthcare Organizations Subjected to Password Spraying

Healthcare organizations in a number of countries are being subjected to large-scale password spraying campaigns. Password spraying is a brute force style of attack. The cyber actor tries a single commonly used password against many accounts and then moves on to another password. Because attempts against any one account are spaced out in time, the attack avoids triggering rapid or frequent account lockouts.
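The low-and-slow pattern described above is exactly what a lockout threshold misses and what log review can catch. The following Python script is an added example, not part of the CISA/NCSC alert or of this post; it runs simple spray detection over constructed authentication log lines in a hypothetical syslog-like format, flagging sources that fail against many distinct accounts while staying under a per-account lockout count, and noting any later success from the same source.

```python
"""Password-spray detection over constructed auth log lines (added example).

Spray signature: one source, many distinct accounts, only a few failures per
account inside a time window, so no single account trips a lockout.
Contrast: the second source below hammers one account (classic brute force),
which a lockout policy already handles and which this detector ignores.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format: "<ts> auth <outcome> user=<u> src=<ip>").
SAMPLE_LOG = """\
2020-05-05T01:00:02Z auth failure user=alice src=203.0.113.7
2020-05-05T01:00:44Z auth failure user=bob src=203.0.113.7
2020-05-05T01:01:30Z auth failure user=carol src=203.0.113.7
2020-05-05T01:02:12Z auth failure user=dave src=203.0.113.7
2020-05-05T01:02:55Z auth failure user=erin src=203.0.113.7
2020-05-05T01:03:40Z auth failure user=frank src=203.0.113.7
2020-05-05T01:04:25Z auth success user=grace src=203.0.113.7
2020-05-05T01:10:00Z auth failure user=alice src=198.51.100.9
2020-05-05T01:10:05Z auth failure user=alice src=198.51.100.9
2020-05-05T01:10:09Z auth failure user=alice src=198.51.100.9
2020-05-05T01:10:14Z auth failure user=alice src=198.51.100.9
2020-05-05T01:10:20Z auth failure user=alice src=198.51.100.9
2020-05-05T01:10:26Z auth failure user=alice src=198.51.100.9
2020-05-05T02:30:00Z auth failure user=heidi src=192.0.2.22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<outcome>success|failure) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict with a datetime timestamp, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def detect_spray(log_text, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Return {src: alert} for sources whose failures match the spray signature.

    Within any `window`, at least `min_accounts` distinct users failed from the
    same source and no user failed more than `max_per_account` times.  Any
    success from that source after the window started is listed as a possible
    compromised account for follow-up.
    """
    events = [r for r in map(parse_line, log_text.splitlines()) if r]
    by_src = defaultdict(list)
    for r in events:
        by_src[r["src"]].append(r)

    alerts = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        failures = [r for r in recs if r["outcome"] == "failure"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until the span fits in `window`.
            while failures[end]["ts"] - failures[start]["ts"] > window:
                start += 1
            per_user = defaultdict(int)
            for r in failures[start:end + 1]:
                per_user[r["user"]] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                first, last = failures[start]["ts"], failures[end]["ts"]
                hits = sorted({r["user"] for r in recs
                               if r["outcome"] == "success" and r["ts"] >= first})
                alerts[src] = {
                    "accounts": sorted(per_user),
                    "first": first,
                    "last": last,
                    "successes_after": hits,
                }
    return alerts


if __name__ == "__main__":
    for src, a in detect_spray(SAMPLE_LOG).items():
        span = int((a["last"] - a["first"]).total_seconds())
        print(f"{src}: {len(a['accounts'])} accounts in {span}s, "
              f"successes after spray: {a['successes_after']}")
```

Tune `window`, `min_accounts` and `max_per_account` to your own lockout policy; a spray tuned to stay just under the lockout count will still surface here because the detector keys on account breadth per source rather than failures per account.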

Recommended Forms of Mitigation

In its cybersecurity alert for healthcare, CISA recommends risk based, holistic approaches to organizational cybersecurity consistent with National Institute of Standards and Technology (NIST) guidance.

CISA’s other recommendations for mitigation in this alert included:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.
  • Use multi-factor authentication to reduce the impact of password compromises.
  • Protect the management interfaces of your critical operational systems.
  • Set up a security monitoring capability.
  • Review and refresh your incident management processes.
  • Use modern systems and software.

CVG Strategy

According to recent studies, organizations are unprepared to meet the challenges of modern cybersecurity. CVG Strategy can help by implementing Information Security Management Systems (ISMS) that will protect your organization’s vital data and information systems. Our Subject Matter Experts can guide your business through a variety of solutions including NIST 800-171. Contact Us to learn more.

FEMA Ruling on Medical Resources for Domestic Use

FEMA Temporary Ruling on Allocation of Personal Protective Equipment (PPE)

A Federal Emergency Management Agency (FEMA) ruling on medical resources will be effective until August 10, 2020. This action has been taken in response to the immediate need for Personal Protective Equipment (PPE) caused by the COVID-19 epidemic. Recent studies have shown that COVID-19 is possibly transmitted through contact with respiratory droplets or contact with surfaces that have the virus on them. Because the virus may be spread by people not showing symptoms, PPE is urgently required to protect health workers and people with underlying health conditions.

Action Taken in Response to Executive Orders

FEMA’s ruling is part of a response to a series of executive orders given by President Donald Trump.  These orders include:

Provisions of FEMA Ruling on Medical Resources

Banning of Exports

The ruling stipulates that scarce or threatened materials shall not be exported without explicit approval of FEMA. Because of this, any items covered under this ruling will be held by U.S. Customs and Border Protection (CBP) until FEMA determines whether to allow export or return them for domestic usage. In making these determinations FEMA will consider:

  • Domestic requirements for the item,
  • Overall effect on the supply chain,
  • Any hoarding or price gouging circumstances,
  • Quantity and quality of items,
  • Humanitarian considerations,
  • International considerations.

Exception for Continuous Export Agreements

FEMA will not purchase these items from shipments made by or on behalf of U.S. manufacturers with continuous export agreements with foreign customers.  This would pertain to orders in effect since at least January 1, 2020, so long as at least 80 percent of such manufacturer’s domestic production of covered materials, on a per item basis, was distributed in the United States in the preceding 12 months.

Investigations and Requests for Information

FEMA has been empowered to undertake investigations and issue requests for information to enforce these rulings. Failure to comply fully with these rulings may result in a fine of not more than $10,000 or imprisonment for not more than one year, or both.

Documentation of Changes

Due to the nature of the ongoing situation FEMA may also determine that additional items will fall under these rules.  This may occur if the item is crucial to national defense requirements and will not cause significant disruption to the domestic markets.  As required by the Administrative Procedure Act (APA), FEMA must publish notice of any changes in requirements on the Federal Register.  Therefore persons or parties with interest in these changes will then be able to submit data, views or arguments prior to final execution.

CVG Strategy

CVG Strategy is committed to helping businesses maintain compliance to U.S. export laws.  We have decades of experience and expertise in Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR).  Contact Us to see how our experts can help.

Apple Email App Vulnerabilities in iPhone and iPad

Apple Email App Vulnerabilities Found in Over Half a Billion Devices

Apple Email App Vulnerabilities in iPhone and iPad were reported by ZecOps, a mobile security forensics company, on April 20, 2020. These vulnerabilities have existed since the release of the iPhone 5 in September of 2012. The vulnerabilities allow attackers to remotely infect a device by sending emails. Malicious content inserted into emails can consume the device’s memory resources and allow remote code execution.

ZecOps also reported that attackers may have used these vulnerabilities against a Fortune 500 organization, “an executive from a carrier in Japan” and “a journalist in Europe”.  It concluded that these attacks were conducted by “an advanced threat operator”.

Apple Debates Exploitation of Flaws

Although Apple has acknowledged the vulnerabilities, it has countered claims that these flaws were exploited. An Apple representative was quoted by Reuters as stating that “these issues do not pose an immediate risk to our users”. A patch is planned to be released to remedy the issues. A beta update has already been released.

Possible Interim Security Measures

It can be surmised that if attacks are occurring, they will increase in frequency until patches are released. Therefore, it may be advisable to avoid accessing email on affected devices until the required updates are available. This news is unfortunately developing at a time when larger numbers of people are working remotely and are accessing business email in a potentially unsafe manner.

Apple mobile devices have generally had a good reputation for security and are used by many businesses.  There have, however, been previous flaws that have exposed user data.  Because no platform is free from such flaws, business IT departments should carefully select email apps and protocols to protect vital data.

CVG Strategy

Studies have shown that a majority of businesses have not achieved a sufficient cybersecurity maturity level.  This is especially distressing considering that the level of cyber attacks is growing and that businesses are primary targets.  CVG Strategy is committed to helping businesses secure their vital data.  We can assist businesses in establishing effective Information Security Management Systems (ISMS) through the implementation of ISO 27001.  Contact us with your questions.

North Korean Cyber Threat Guidance


U.S. Government Provides Guidance on North Korean Cyber Threat

Guidance was provided on the North Korean cyber threat by the U.S. Departments of State, the Treasury, Homeland Security, and the Federal Bureau of Investigation on April 15, 2020.  North Korea, formally known as the Democratic People’s Republic of Korea (DPRK), continues to pose a significant threat to the international financial system through an increase in malicious cyber activities.  Many of these cybercrimes are being utilized to generate funding for DPRK development of weapons of mass destruction and ballistic missile programs.  Of special concern is the DPRK’s increased ability to conduct destructive activities against critical infrastructure.

Financial Theft and Money Laundering

In its 2019 mid-term report, the UN Security Council 1718 Committee Panel of Experts (POE) found that the DPRK was using increasingly sophisticated cyber techniques in attempting the theft and laundering of as much as $2 billion in that year.  These findings are consistent with U.S. Department of Justice allegations released in March of 2020.  These activities were targeted at digital currency exchanges.

Other DPRK Cyber Crimes

The DPRK has conducted a number of extortion campaigns.  In some instances, DPRK cyber actors have demanded payment from victims under the guise of long-term paid consulting arrangements in order to ensure that no such future malicious cyber activity takes place.  These cyber actors have also been hired guns in the hacking of websites for extortion purposes.

Cryptojacking is another activity the DPRK has engaged in.  This is accomplished by compromising a computer and stealing its computing resources to mine digital currency.  The POE reported several instances in which infected computers mined assets and transferred digital currency to servers at Kim Il Sung University in Pyongyang.

The DPRK Rap Sheet

The DPRK has a long, dark history of cyber crime.  The list below includes some of the more notable operations:

  • Sony Pictures cyber attack in November 2014 in retaliation for the film “The Interview”.
  • Bangladesh Bank Heist in February of 2016 where the DPRK allegedly stole $81 million.
  • WannaCry 2.0 ransomware that infected computers in hospitals, businesses, schools, and homes in over 150 countries in 2017.
  • FASTCash Campaign which has targeted ATMs in Asia and Africa since 2016.
  • Digital Currency Exchange Hack in April of 2018 where the DPRK stole nearly $250 million through digital currency transactions.

Countering the Threat

In its report, the U.S. Government agencies have listed numerous measures to counter the DPRK threat, including raising awareness of the gravity and scope of the problem.  The single most important thing that must be accomplished, however, is the adoption and promotion of cybersecurity best practices.  As mentioned in a previous post, businesses around the world, including the United States, have not attained appropriate levels of cyber strategy and execution.  In a survey of businesses undertaken by the insurance provider Hiscox in 2019, 74% fell into the Novice classification for cybersecurity.

CVG Strategy

CVG Strategy knows the importance of effective cybersecurity and is committed to helping businesses create effective Information Security Management Systems (ISMS) to protect their sensitive information and vital assets.  Contact us to see how we can help you.

Effective Quality Management Systems Implementation


Creating Effective Quality Management Systems

Effective Quality Management Systems (QMS) are the products of proper implementation.  For ISO 9001:2015, that implementation is dependent on a detailed assessment of what processes are required by the context of the organization.  That assessment can also provide guidance on the requirements of the management team that needs to be assembled.

Is There a Requirement for a Quality Manager Representative?

ISO 9001:2015 does not have a requirement for a Quality Manager Representative, but consideration should be given to creating this position in your organization.  When examining the requirements for leadership as described in ISO 9001:2015, it may well serve an organization to centralize the responsibilities of program coordination.  This may be particularly important when a large number of specialized processes are required, each with its own owner.  The important question to be answered is: are all of the requirements of section 5.3 being adequately performed and coordinated?

Section 5.3

  • Top management shall ensure that the responsibilities and authorities for relevant roles are assigned, communicated and understood within the organization.
  • Top management shall assign the responsibility and authority for:
    a) ensuring that the quality management system conforms to the requirements of this International Standard;
    b) ensuring that the processes are delivering their intended outputs;
    c) reporting on the performance of the quality management system and on opportunities for improvement (see 10.1), in particular to top management;
    d) ensuring the promotion of customer focus throughout the organization;
    e) ensuring that the integrity of the quality management system is maintained when changes to the quality management system are planned and implemented.

Context of the Organization

If an organization has sufficient complexity, a great deal can be accomplished by having a dedicated Quality Manager Representative who can oversee these tasks.  Because of the broad nature of these tasks, the ideal representative may not be a member of the quality department.  In fact, having an independent advocate for customer input can be very important.  Additionally, input from product development teams is equally important.

Getting Perspective in Creating a Quality Management System

It can often be difficult for managers to assess the structure of a QMS.  This is because they can be caught up in the immediate requirements of the workplace.  It is therefore important to engage a third party with expertise to help with this essential analysis.  CVG Strategy experts in ISO 9001 can help you on the path to defining required processes and recommending management structures that are appropriate for your business.  Our team has been helping businesses develop Effective Quality Management Systems in a wide array of industries.  Contact Us today to see how we can help.

Concerns for Business Cybersecurity Capabilities


Business Cybersecurity Report Card for 2019

There are growing concerns about the ability of business cybersecurity to meet the challenges of today’s hostile environment.  The international insurance underwriter Hiscox recently released its Hiscox Cyber Readiness Report 2019, and the news was not good.  The report showed that the number of cyber attacks has increased and that businesses of all sizes are being targeted.  While cybersecurity spending has increased, fewer companies have attained appropriate levels of cyber strategy and execution.  The report included findings from companies located in Belgium, France, Germany, the Netherlands, Spain, the United Kingdom, and the United States.

Trends in Cyber Attacks

Increases in the number of organizations reporting incidents of cyber attacks have occurred over the past year.  While larger businesses are more likely to experience these attacks, large increases in rates among medium and small size firms have occurred.  Reported losses from these attacks have increased dramatically, but the true value of damage done by the loss or compromise of sensitive data is impossible to assess.  While cybersecurity spending has increased by as much as 24%, the number of firms rated as having adequate cyber strategy and execution has fallen.

Particular Concerns for Business Cybersecurity

Supply Chain Vulnerabilities

Large numbers of companies reported incidents involving their supply chain in the last year.  A majority of these organizations now recognize these vulnerabilities and are including cyber Key Performance Indicators (KPI) in their contracts with suppliers.  Other efforts included increased audit and evaluation of their supply chain.

Cloud Vulnerabilities

There was a marked increase in cloud vulnerabilities in the last year, with 22% of respondents reporting outages from third-party cloud providers.  This is a 9% increase from the previous year.  This increase is likely due to more firms using cloud-based solutions for sensitive data.

Costs of Losses

The mean losses to businesses from cyber attacks have risen as much as 61% in the last year.  These losses were seen in all businesses regardless of size or sector.  The greatest increases were seen in large businesses with between 250 and 999 employees.

Cyber Maturity

Overall progress in attaining effective cybersecurity programs has stalled even though increases in cybersecurity spending have occurred.  Of those who participated in the survey, 74% fell into the Novice classification.  This assessment included strategy, oversight, resourcing, technology, and processes.  Of special concern, the United States ranked among the lowest in this category.

Some Take Aways

Businesses are beginning to take notice and are becoming less complacent.  Many are being prompted by increased regulation from governments and from the companies they supply goods and services to.  Cybersecurity is an interdependent undertaking.  For a fully effective program, an Information Security Management System (ISMS) should be employed.  A good example is ISO/IEC 27001.  It employs a comprehensive approach that includes processes, people, and IT systems to maintain data security.  Because it uses a continual improvement model, it can remain adaptable to changing threats through a risk management approach.

CVG Strategy

CVG Strategy shares your concerns for business cybersecurity.  We are committed to helping businesses secure their vital data.  CVG Strategy can establish ISO 27001 and NIST SP 800-171 programs that incorporate security architecture, detective controls, and preventive controls.  We provide training so that a cooperative and coordinated effort can be made by all involved.  We are also committed to helping those who provide services and goods to the U.S. Department of Defense in achieving the requirements for Cybersecurity Maturity Model Certification (CMMC).  Contact Us to see how we can help.

Huawei’s Legal Problems Continue in the United States


Huawei’s Legal Problems in the United States

Huawei’s Legal Problems in the United States continue on multiple fronts.  The Chinese tech giant has been the target of the U.S. Senate and the Department of Justice, and has had its lawsuit against a U.S. Government contracting ban dismissed before going to court.

Department of Justice Actions

In an ongoing indictment, the U.S. alleges that Huawei participated in a fraudulent scheme to export banned U.S. goods and technologies for its business in Iran.  Although Huawei has denied these allegations, Reuters has reported that recently released company records show that the company was directly involved in these actions.  This could lead to the extradition of Huawei’s chief financial officer, Meng Wanzhou, from Canada, where she is being held on bank fraud and other allegations.

US Senate Actions

The U.S. Senate approved a bill that would replace Huawei Technology Co. telecom equipment in rural areas.  The bill would provide $1 billion in funding for approximately 40 rural carriers to replace equipment that could be used by the Chinese government to spy on communications routed through it.  The bill will now move on to President Trump, who will likely sign it into law.  Telecommunications Industry Association chief executive David Stehlin commented that the legislation was “a critical step in securing our network and ensuring the integrity of the telecommunications supply chain as we usher in the 5G era.”

Case Dismissed

A lawsuit that challenged a U.S. law barring the government from using Huawei equipment was dismissed in a federal court in Texas before going to trial.  This ban further underlines the U.S. government’s security concerns about using the company’s products.  This concern has been very strong among lawmakers in both parties in light of continued cyberattacks and intellectual property theft by agents of the Chinese government.

What This Means for U.S. Businesses

Businesses will have to exercise increased vigilance regarding the security of their intellectual property and technologies.  This will involve developing and improving processes for export compliance and cybersecurity.  CVG Strategy has the expertise to help businesses of all sizes meet these challenges.  Contact Us today to see how we can help.


NSO Group Under Investigation by the FBI


The FBI is Investigating NSO Group for Personal and Government Hacks

The Israeli-based NSO Group is under investigation by the FBI concerning possible attacks on United States citizens and companies.  Reuters reported on January 30, 2020 that the probe, which has been active since 2017, concerns the infection of smartphones.  NSO Group creates products for government intelligence and law enforcement agencies for use against crime and terror.  A spokesperson for the NSO Group stated “We have not been contacted by any U.S. law enforcement at all about any such matters,” and the FBI will neither confirm nor deny the existence of any investigations.

Pegasus Product of Special Concern

The NSO Group’s Pegasus product is a software tool that can capture data on a phone, including encrypted messages and audio.  Allegations have been raised that Pegasus might have been used in a hack against Amazon’s Jeff Bezos.  The FBI has met with Bezos and has reported that if U.S. citizens are being hacked, it considers both the company supplying the software and the criminals using those tools responsible.  An FBI official was quoted as saying “Whether you do that as a company or you do that as an individual, it’s an illegal activity”.

Where to Draw the Line

As with any tool, the ultimate benefit or harm in its use lies in the hands of the person or agency employing it.  While few would argue that fighting crime and terror are not noble goals, care must be taken in providing those tools to appropriate people or agencies.  Furthermore, continued oversight by the agencies empowered with such tools must be maintained to make sure rogue individuals within an organization do not use them maliciously.  Perhaps of greater concern is that once the technologies are obtained by nefarious players there is no way to reestablish control of them, placing all of us at risk.

Smartphone Cyber Vulnerabilities for Businesses

Smartphones are of special concern to businesses because of the ability of users to inadvertently place proprietary data at risk.  The costs of such data breaches are difficult to ascertain because of the shared risk with suppliers, vendors, and customers.  Adequate mitigation requires a flexible strategic program that can adapt to threats as they evolve.  This is best provided by an Information Security Management System (ISMS).  An ISMS is a management system based on risk assessment to establish, implement, operate, monitor, maintain and improve information security.  CVG Strategy can help you achieve ISMS certification.  Contact us to learn more.

New Geospatial Software Export Restrictions to the EAR


New EAR Export Restrictions of Geospatial Software

The Bureau of Industry and Security (BIS) placed restrictions on the export of geospatial software on January 6, 2020.  This ruling classifies software specially designed to automate the analysis of geospatial imagery, as specified, under the Export Control Classification Number (ECCN) 0Y521 series, specifically under ECCN 0D521.  This ruling, which affects exports to all countries except Canada, was determined to be necessary because these items could provide a significant military or intelligence advantage to the United States.

What is Geospatial Software?

Geospatial software is a growing field of technology involved with the mapping and analysis of the Earth’s surface.  It is a technology used to acquire, manipulate, and store geographic information.  Technologies that utilize geospatial software include Global Positioning Systems (GPS), Geographic Information Systems (GIS), and Internet mapping.  As an analysis tool it can be used by businesses to understand trends at specific locations through demographics, availability of natural resources, agricultural trends, and environmental conditions.

Because such powerful tools can also be used for a wide variety of intelligence gathering activities by unfriendly nations, the new export restrictions were expected.  They will, however, place limitations on a large number of commercial, proprietary, and open source developers of software.  Included on the list of affected players are some rather large companies like Microsoft and Autodesk.  It will be necessary for these companies to place serious controls over the distribution of their products to prevent non-compliance.

The Need to Stay Aware

As technology develops into new market segments, controls on the export of these items must be clarified.  EAR and the International Traffic in Arms Regulations (ITAR) are therefore very dynamic.  For companies that are involved in export, keeping in step with these new regulations can be a challenge.  Maintaining an effective export control program for either commercial or military markets requires constant vigilance and education.  CVG Strategy can help with Export Classification, ITAR Training, and Anti-Boycott Regulations.

Our consultants are premier providers of customized ITAR Consulting and ITAR & Export Compliance Programs and Training that address critical U.S. Government regulations, from the Export Administration Regulations (EAR) to the International Traffic in Arms Regulations (ITAR), the Office of Foreign Assets Control (OFAC) regulations, and those of other regulatory agencies.
