Recent Posts

Executives Open a Whole Lot of Spearphishing Emails, Verizon Data Breach Report Says

Verizon released today its annual Data Breach Investigations Report, and among the treasure trove of findings across an impressive list of participating global organizations is that executives are the prime identified internal recipients who open threat-laden social communications, predominantly spearphishing emails, according to an analysis of 2012 data breaches.  Although the vast majority of targets (69%) within organizations can't be identified for a variety of reasons, of those who can be identified, executives and managers top the list of those responsible for data breaches resulting from these communications.

Overall, executives accounted for 16% of the breaches that come from "social" sources, mostly spearphishing emails, while managers accounted for 11% of the breaches, followed by former employees, who rounded out the top three internal targets at 10% of the breaches.  At large organizations, the picture is even worse:  executives accounted for 30% of the social source breaches, while managers accounted for 27% of the breaches.  (Percentages exceed 100% because the items presented were not mutually exclusive).

The report, written by Verizon Managing Principal for RISK Intelligence Wade Baker, notes that "executives and managers make sweet targets for criminals looking to gain access to sensitive information via spear phishing campaigns. Not only do they have a higher public profile than the average end user, they're also likely to have greater access to proprietary information."  The often jaunty report (which mentions Led Zeppelin, bemoans high school math classes and features many zingy sentences) further adds that when it comes to executives "we all know how much they love .ppt and .pdf attachments," the frequent vehicles through which spearphishing malware enters network systems.

This finding is important given that the proportion of breaches incorporating social tactics like phishing was four times higher in 2012 than it was in 2011 and that more than 95% of all attacks tied to state-affiliated espionage employed phishing as a means of establishing a foothold in their intended victims' systems.  Not surprisingly, state-affiliated actors tied to China account for one-fifth of all breaches and 96% of espionage cases were attributed to threat actors in China.

The ranks of organizations that share data with Verizon grew to 19 during 2012 and included police organizations from around the globe, major cybersecurity consulting organizations and the top U.S. entities responsible for collecting cyber threat and incident data.  The report covers 47,000 reported security incidents and 621 confirmed data breaches.

International Experts: Cyber Threats Are Not As Scary As You Think

(Washington, DC)  Cybersecurity is the hottest topic in international relations, diplomacy and warfare, but the topic has arisen so quickly that the world community has yet to develop a common language for even describing the nature of cyber threats, much less arrive at solutions.  And cyber warfare, although currently fostering scary headlines, may not pose the catastrophic outcome many fear. Those messages came through clearly today at a major conference hosted by Georgetown University's Institute for Law, Science and Global Security and the Atlantic Council.

"What do we call a national emergency for cybersecurity?" asked Andrea Rigoni, Director General, Global Cyber Security Center in Poste Italiane.  "Most of the time it's difficult to tag an event as cybercrime or espionage or cyberwar.  It can take weeks or years to determine what's behind an activity."

Israel has developed a two-category definition for dealing with cyberthreats, Gen. (Ret.) Doron Tamir, Head of the International Cooperation Division for Israel, said.  The first category consists of cyberthreats that are criminal, such as the recent attack by Anonymous on the Israeli government's websites.  These threats, while annoying, cause little damage.  "As of yet, they have had limited effect.  In Israel, we have been attacked quite heavily by Anonymous.  They have had very limited achievement."

The second category is government-sponsored attacks, where cyberspace is used as the new domain for waging conflict.  Even there, though, "launching a cyberattack with extreme damage on a state scale is extremely difficult," Tamir said.

The biggest priority, though, should be confronting the non-state aggressors, Tamir said.  These are the groups that are more likely to attack and "they are progressing and improving their capabilities and can ruin the main sites that can affect the way of life in countries."

"The big missing component addressing any of those issues is not just a lack of situational awareness in cyberspace but a lack of situational understanding," Rafal Rohozinski, Principal, The SecDev Group, said. Without a common framework for understanding the nature of the threats, where they're coming from and what they mean, cyber incidents can easily escalate, Roger Hurwitz, Senior Fellow, The Canada Centre for Global Security Studies at the University of Toronto, said.  "When they [governments] don't do the math, escalatory spirals occur."

Although press reports portray cyberattacks in frightening terms, cyber weapons are just another tool in the warfare kit and should not evoke, but often do, the kind of fears that nuclear war does.  "Cyber-based attacks do not equate to nuclear-type attacks in that they do not affect society at its very basic level," Rohozinski said. "It is yet another element of force that can be used across the spectrum."

"Even in Estonia [where a high-profile series of cyber attacks occurred in 2007], nobody dies, nobody gets hurt," Tamir said.  "It's a meaningful tool...but proportion is very important."

Cybersecurity Experts: It's Child's Play to Attack Energy Industrial Control Systems

Two top cybersecurity experts today painted an unsettling scenario regarding the state of cybersecurity in energy and other industrial control systems, with both in agreement that little to no effective measures for securing critical infrastructure are in place.  "On the SCADA (supervisory control and data acquisition) side, these systems do not have the basic security systems built into them," Jonathan Pollet, Founder and Principal Consultant of Red Tiger Security, said during a webinar.

Most of the time, key security controls, such as encrypted passwords, that apply to corporate IT networks do not apply to industrial networks that operate critical infrastructure.  Even basic testing of software for bugs, a routine procedure for corporate IT networks, is not applied to industrial systems, with system vendors implementing only about 5% of the kind of testing that Microsoft, for example, puts its software through, according to Pollet.

As a consequence, it's no surprise that over the past year there has been a 753% increase in vulnerability disclosures to ICS-CERT (Industrial Control Systems Cyber Emergency Response Team).  Ironically, this known volume of vulnerabilities has been parlayed into businesses by vendors who are selling exploits for the purposes of hacking industrial systems.

And nation-states are clearly in the energy sector hacking business.  Pollet visited clients in the Fortune 50 energy, oil and gas business who experienced attacks originating from China.  The rootkit malware infiltrated the industrial systems through corporate IT networks and resided on the companies' systems for 18 months, extracting emails, financial information, blueprints of plants and factories and more.

The failure of corporate IT departments to consider how malware and other exploits flow from corporate systems into the relatively unprotected industrial systems is a major source of vulnerability for the energy sector.  "You almost have to treat the corporate network as the Internet…and then view the SCADA and industrial control systems as a sub-network," Pollet said.
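Pollet's principle, treating the corporate network as if it were the Internet and the SCADA network as a separately guarded sub-network, is most often enforced at the boundary firewall. The ruleset below is an added illustration, not anything from the article, the webinar or Red Tiger Security. It assumes a Linux-based boundary firewall running nftables, a corporate LAN of 10.10.0.0/16 on interface corp0, an ICS zone of 10.200.0.0/24 on interface ics0, a single hardened jump host at 10.10.5.10, and an engineering workstation at 10.200.0.20; all of these addresses and names are made-up placeholders.

```nftables
# Added example: default-deny boundary between the corporate LAN and the ICS zone.
# Assumed (hypothetical) layout:
#   corp0 = corporate LAN interface, 10.10.0.0/16
#   ics0  = ICS/SCADA interface, 10.200.0.0/24
#   10.10.5.10   = the only permitted jump host on the corporate side
#   10.200.0.20  = engineering workstation that the jump host may reach over SSH
table inet ics_boundary {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Allow reply traffic only for sessions that an explicit rule below admitted.
        ct state established,related accept

        # The single sanctioned path into the ICS zone: jump host -> engineering
        # workstation, SSH only, logged so the SOC sees every session that opens.
        iifname "corp0" oifname "ics0" ip saddr 10.10.5.10 ip daddr 10.200.0.20 tcp dport 22 log prefix "ics-allow " accept

        # Everything else from the corporate side is treated like Internet traffic:
        # logged and dropped, so malware that lands on an office PC cannot walk in.
        iifname "corp0" oifname "ics0" log prefix "ics-deny " drop

        # ICS devices never initiate sessions toward the corporate side, which removes
        # the outbound channel an implant would need to report back from the plant.
        iifname "ics0" oifname "corp0" log prefix "ics-egress-deny " drop
    }
}
```

Loaded with `nft -f` on the boundary host, the ruleset makes the policy drop the default, so every new path into or out of the ICS zone has to be added as a deliberate, logged exception rather than being open until someone notices. The two log prefixes give the SOC a cheap detection signal: any `ics-deny` or `ics-egress-deny` line in the firewall log is a corporate host or a controller trying to cross a boundary it should never touch.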

One of the biggest problems is that industrial systems "have embedded items inside embedded items inside embedded items where we have forgotten what we embedded," Patrick Miller, Founder, Director and President Emeritus of energy security consortium EnergySec, said.  "But the bad guys know they are there."

"The vulnerability is quite high. Most industrial control systems weren't designed for what we have today. Frankly it's almost child's play to get into these systems," Miller said.

For the time being, however, there is no need to fear a widespread electricity outage because utility systems have evolved over time with a diversity of technology that varies from utility to utility.  "If you look at things like power, gas and even water systems, there is such a diversity of technology.  It’s not easy to cause a widespread, long-term outage," Miller said.

NIST Cybersecurity Workshop: Aiming for the Impossible?

(Washington, DC) The National Institute of Standards and Technology (NIST) kicked off yesterday the first of a series of workshops aimed at creating an overarching cybersecurity framework for all critical infrastructure industries, as directed under President Obama's cybersecurity executive order issued in February.  Although the impressive line-up of speakers generated little in the way of new information or insight into what the ultimate framework might look like, the gathering of a wide range of cybersecurity technology, policy and legal experts across a number of industries did serve to reiterate important messages about how to think about cybersecurity.

First, it's obvious that cybersecurity is crucial to virtually every activity underpinning society.  "We ought to take security in cyberspace as much for granted as we do in using cyberspace in our everyday lives," Jane Holl Lute, Deputy Secretary at DHS, said.

Secondly, we will never find a single solution that solves all cybersecurity problems.  The best approach is an ongoing strategy to prevent, protect and respond when threats arise.  "There is no silver bullet," Russell Schrader, Chief Privacy Officer, Visa, said.

Third, because no single solution exists, any framework must be flexible and adaptable.  "There is no way you can prepare in advance a template that can protect against the unknowns," Robert Mayer, VP of Industry and State Affairs at US Telecom, said.  "Whatever framework we ultimately settle on, it's going to have to be a living framework," Paul Nicholas, Senior Director, Global Security Strategy and Diplomacy at Microsoft, said.

Finally, information-sharing is crucial.  "The vast majority of what you need to know about threat is already out there.  It's just badly distributed," Tony Sager, Director of the SANS Institute, said.

The elephant in the room was whether NIST can achieve anything approaching a useful framework that covers 16 diverse critical infrastructure industries within 240 days as stipulated under the EO.  The consensus among the attendees I spoke with is that given the timeframe, the complexity of the issues and the diversity of the industries covered, the best that NIST can hope for is a generic outline of principles or concepts, which may or may not push the cybersecurity ball forward very much.

One participant in the NIST working group that produced cybersecurity guidelines for cloud computing said that NIST is aiming for the impossible with this effort.  That may not matter, another cybersecurity specialist said, because the administration is really banking on Congress to step in soon enough with comprehensive cybersecurity legislation that produces more effective requirements and information-sharing capabilities.

Whether the ultimate framework proves useful, the workshop seemed to serve as an effective gathering for cross-pollinating ideas and for networking among cybersecurity professionals who otherwise might never meet.  In that sense, the information sharing has already begun.

Other reports from the workshop are worth a read.  Check out Andy Bochman's write-up here. Grant Gross takes a policy perspective in this piece.  And Brian Fung has this post from the event about how Northrop Grumman spearphishes its own employees to teach them important lessons.
