Many small businesses have a problem they may not even be aware of: they don’t have an incident response (IR) plan in place. This is a problem they should fix, especially with the Covid emergency multiplying the already plentiful malware and social engineering attacks that appear each day. Small businesses often have limited funds and personnel for IT security, and incident response may end up near the bottom of their priority lists. However, not having the ability to react quickly and correctly when an incident strikes can end up costing far more that setting up a basic IR plan and program. Plus, putting together such plan need not be difficult at all. Below are some simple steps small businesses can take to set up their own IR plan.

• Identify likely security incidents that could impact your business. This information can easily be found on the Internet. Write this down.
• Decide how the business should react to each one of these incident types and write this down. This advice is also readily available online. Write this down.
• Decide which personnel are going to be responsible for handling incidents (the incident response team). This usually includes IT and management personnel of various levels. Other personnel like legal advisors and security experts should also be identified. Once the team is chosen decide who is going to be in charge of response efforts. This is the person first contacted once an incident is detected. Write this down.
• Decide how and what you are going to communicate not only among the team, but with employees, customers who have been affected, regulators, law enforcement personnel, news media, third party security service providers, etc. Also decide who is going to do these communications. Make sure phone lists are included in this document. Write this down.
• Take all the information from above that you have written down and consolidate it into one plan.
• Train your personnel what their responsibilities are and who they should contact if they detect an incident. This includes both the team and employees.
• Finally practice the plan and make adjustments and improvements as needed. A good way to practice incident response is by performing table top exercises that are as realistic as possible.

The above is a very simplified version of an incident response program, but it is really all you need to get started. Having such a plan in place is a kind of insurance that could pay real dividends if a data breach or other serious incident occurs.

Wealth Management Firms are under a lot of pressure as regards information security and privacy issues. These firms are regulated by the Securities and Exchange Commission (SEC) and the nongovernmental Financial Industry Regulatory Authority (FINRA) here in America.

In 2016 the SEC itself announced a security breach of their main investor database resulting in over one hundred million dollars in illicit trading profits and other gains. This event was particularly damning and embarrassing to the SEC as the Government Accountability Office had spent the previous eight years warning them about lax security practices.

This caused the SEC to make cybersecurity a priority of its National Exam Program. This program is actually conducted by the SEC’s Office of Compliance Inspections and Examinations (OCIE). Wealth Management Firms are under scrutiny from these examinations as well as those conducted annually by FINRA. The SEC can use its civil authority to bring cyber-related enforcement actions against bad actors, and FINRA has the power to impose substantial fines and penalties (including permanent revocation of registration) for those who fail to comply with their rules.

Unfortunately, all financial institutions suffer under the same vague information security requirements found in the statute laws that they are regulated under. An example of such language from the National Credit Union Administration’s 12 CFR part 748 follows: “1. Identify reasonably foreseeable internal and external threats that could result in unauthorized disclosure, misuse, alteration, or destruction of member information or member information systems…” As you can see, this kind of guidance gives you a goal, but it doesn’t include any specific guidance to tell credit unions how to accomplish it. It’s like that across the body of financial institution regulation.

This basically left it to the regulators themselves to determine what measures financial institutions should take to maintain proper information security. These bodies in response turned to NIST for the basis of their information security guidance. Entities such as the FFIEC, FDIC and OCC all use this guidance as the basis for their own infosec requirements.

Dissatisfaction with this guidance has seen changes and improvements in information security and privacy paradigms in the last decade or so. New thinking in information security recommendations such as the CIS Critical Security Controls and MSI’s own 80/20 Rule of Information Security have started to take hold. The goal of all these newer information security recommendations is to ensure that the most effective infosec controls are prioritized, allowing the user to get the most bang for their information security buck.

My recommendation is that Wealth Management Firms should leverage these programs to meet SEC and FINRA infosec requirements. It would also be advisable to couch these security measures according to the NIST Cybersecurity Framework. This year the focus for OCIE examiners is liable to be:

• Cyber Governance
• Cyber Resilience
• Privacy and Data Security, and
• Outsourcing Risks

The OCIE also released a handy document called Cybersecurity and Resiliency Observations (https://www.sec.gov/files/OCIE-Cybersecurity-and-Resiliency-Observations-2020-508.pdf). The purpose of this document is to relate security practices that they have observed being used by the industry. It includes sections on Governance and Risk Management, Access Rights and Controls, Data Loss Prevention, Mobile Security, Incident Response and Resiliency, Vendor Management and Training and Awareness. I suggest that Wealth Management Firms should employ these observations when structuring their own information security programs according to the guidance mentioned above. This should provide them with a compliant, effective and low-cost information security program.

When you think about it, automobile dealerships can have a lot of very detailed and private information about you. For example, when you buy a car, the dealer may collect your identity and location information (name, address, telephone number, email address and even information about family members and pets). If you finance the vehicle through them, they also may collect a great deal of financial information about you (Social Security Number, credit history, bank(s) you use, account numbers and credit rating). And, of course, they have detailed information about at least one of your vehicles such as make, model, accessories, vehicle identification numbers, etc. All of this information is very desirable to cyber-criminals and hackers.

Not only do auto dealerships have a lot of your private information, the nature of the business gives online and on-site attackers numerous opportunities to access and compromise this information. Employees and customers move about a great deal in automobile dealerships often leaving their work areas unattended. There are numerous workstations around a dealership from the parts department to the service department to the finance department to the sales departments. If users share their passwords with fellow employees for convenience sake or leave their computers active when they are away from them, compromise of private information is made easy. In addition, auto dealership networks are usually connected to numerous service providers, partners and information systems. If these systems are compromised, then compromise of the dealership system could soon ensue. There are also liable to be paper documents containing private information that could be left exposed on desks or in unlocked drawers.

Luckily, auto dealerships that extend credit to someone, arrange for someone to finance or lease a car for personal, family or household use, or that provide financial advice or counseling to individuals are identified as financial institutions and are regulated by the Federal Trade Commission (FTC) under the Gramm-Leach-Bliley Act of 1999 (GLBA). These businesses therefore are required to comply with the FTC Privacy Rule and the FTC Safeguards Rule. Auto dealerships may also be subject to state or local ordinance, or some private regulatory body such as the PCI DSS. This is a good thing for the consumer.

Under the FTC Privacy Rule, dealerships are required to protect private customer financial information, and are required to provide customers with a number of written notices detailing their rights under the Privacy Rule. Under the FTC Safeguards Rule, dealerships must protect physical, paper and electronic customer information. They are also required to have an information security program designed to protect the confidentiality, integrity and availability of private customer information. Since dealerships are considered to be financial institutions, these security requirements are much the same as those your bank must adhere to. There are fines in place for failure to comply with these regulations, and lawsuits may also be filed against dealerships that fail to adequately protect your private information.

Although these regulations don’t guarantee your private information won’t be compromised, they do put a big roadblock in the path of information thieves. Plus, auto dealers know that 84% of those surveyed said they wouldn’t do business with a dealership that has had a customer data breach incident. That surely helps inspire dealers to take information security seriously.

In 2009, there was a big effort on the Federal level to establish a consensus among a varied group of information security experts from all sectors as to which information security controls were most effective in the modern computing and networking environment. This was driven by the perception that the Federal Information Security Management Act (FISMA) was ponderous and unable to effectively protect the confidentiality, integrity and availability of private information.

This effort initially led to the publication of the 20 Most Important Controls for Continuous Cyber Security Enforcement: Consensus Audit Guidelines. It also stimulated thinking among organizations and information security professionals about possible variations and adaptations of this guidance. One such effort was the MicroSolved 80/20 Rule of Information Security (2009). While very similar to the Consensus Audit Guidelines, the focus of the 80/20 Rule was to establish a group of security control projects that provided the most “bang for the buck” for the small and medium-sized organizations that don’t typically have the resources of the Federal Government or other large organizations.

Continue reading →

They say that every cloud has a silver lining. That has certainly been true for cyber-criminals during the Covid 19 emergency! While the country as a whole is experiencing 20% unemployment and general hardship, these folks continue to reap the rewards chaos inevitably brings to the larcenous. Here are some of the shenanigans that have darkened the news this week:

One article this week talks about “Hack for Hire” groups in India that are spoofing World Health Organization (WHO) emails to steal access credentials from businesses around the world (including the U. S.). These hacking emails come from hosted websites that are crafted to look like the official WHO website, and claim to provide direct notification from the WHO on Covid 19-related announcements. They are targeting financial services, consulting and healthcare organizations.

Continue reading →

In the news this week was an article about a successful ransomware attack. It detailed how network access was achieved using email phishing and then went on to explain how the attackers leveraged this low-level network access to compromise the entire network. It was done by breaking password hashes in an attempt to gain access to local admin accounts, then trying these passwords on other hosts and domain administrator accounts. Compromise of a domain admin account then allowed the attackers to take control of the domain, which led to game over. This kind of attack scenario has been around for years and continues to work for a variety of reasons, two of which are inadequate network segmentation and configuration control.

Many of the networks we see are “flat.” In other words, there is no appreciable network segmentation in place. This woeful state of affairs allows any user on the network to see the entire setup, including “server space.” It also provides cyber criminals with many attack surfaces and helps them maneuver around the network. Such network implementations make it very difficult indeed to meet two of the hallmark principles of information security: need to know and least privilege.

Continue reading →

Since World Password Day is the big news this week, there are a ton of study reports about password woes in the news. According to a Balbix study report, 99% of enterprise users reuse passwords either across work accounts, or between work and personal accounts. The report goes on to give statistics about password sharing, and states that the rapid uptick of remote working due to the Covid19 crisis has shifted the balance of control away from IT and towards employees.

Another report, released by SecureAuth, shows that management is worse than junior staff at practicing good password hygiene. Their survey states that 53% percent of people admitted to reusing passwords across multiple accounts. Among respondents using the same password, 62% said that they are using it across three to seven accounts; 10% said that they are using over 10 accounts with the same password. The article also highlights that people are so bad about this simply because keeping track of a number of different passwords is difficult and time consuming. Not to mention the fact that users need to change all those passwords regularly!

Continue reading →

Every week during the last couple of months I have seen an ever-increasing number of cyber-attacks designed to exploit the present Covid19 crisis. Some recent instances include:

Fake websites that promise to provide vital information about Covid19 include videos that contain the Grandoreiro Trojan. Attempting to play the videos leads to a nasty and sophisticated payload being installed on visitor devices. A variety of techniques such as keystroke logging, blocking access to websites, unwanted restarts, access credential thefts and more are possible. This trojan is also very difficult to detect and remove.

Phishing emails supposedly from popular package carriers such as FedEx and UPS claim to be notifying customers about delivery delays due to a variety of reasons. These emails ask the recipient to open an attachment to fill in missing details or to follow links, but they actually contain the Remcos RAT or Bsymem Trojan.

Continue reading →

One thing that cyber-criminals love to see is businesses operating outside of their normal routines. Non-routine operations can cause confusion and chaos. New ways of operating must be developed and fielded on the fly. Personnel are often required to work from remote locations and may need to undertake duties that are new and unfamiliar to them. This is almost sure to cause IT personnel to become overwhelmed, which can cause delays that can seriously affect business operations.

And when it becomes a question of providing services or maintaining security, most businesses will opt for continuing services and dealing with security matters later. Such situations not only greatly increase the number of attack surfaces and vectors available for cyber-criminals to exploit, it also increases their chances of success in any given attack. The current pandemic situation has them all licking their chops!

Outside of war, I can’t think of more widespread and disruptive disaster scenario than a pandemic response of this magnitude. Unlike earthquakes or hurricanes or floods or most other catastrophes, pandemic interruptions are anything but localized; they affect virtually every business and person on the planet.

People are afraid of getting the flu, and of course they are also afraid of losing income and not being able to pay their bills. They fear that perhaps their employer companies will fold, and that they won’t be able to catch up once things settle back down. Such fears can lead to mistakes and security failures. That is why businesses should be increasing their security efforts, not letting them fall along the wayside.

Businesses should ensure that all their systems have logging enabled, and that monitoring of those logs is being undertaken. If possible, the number of employees dedicated to security monitoring should be increased. This effort will be much easier to implement if cross-training of personnel and full written operating procedures are in place; a lesson that should be learned from the current emergency and implemented in written pandemic planning.

In addition, businesses should ensure that secure mechanisms for remote working are in place. It is important that not only secure connection mechanisms are in place, but that multipart authentication techniques are used to the greatest extent possible. Whitelisting of authorized devices, tokens, digital certificates and biometrics should all be considered.

Just as important as technical security, businesses should ensure that all personnel are receiving security and awareness training. They should be fully trained in how to secure their laptops and home computers, how to connect to business assets securely and how to respond if they suspect they are vulnerable or being hacked. Responding to incidents quickly and correctly are key factors in minimizing damage from a security event.