In this episode of the MSI podcast, we continue our series on the business email compromise checklist. While BEC is a significant issue and a common form of compromise leading to fraud, there are several things you can do to combat this form of attack. The second step is to “Protect”.
https://s3.amazonaws.com/MSIMedia/MSIMicro_005_BEC_Protect.mp3
If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.
A good day phishing is better than a bad day doing anything else! (Or was that fishing…)
Business Email Compromise (BEC) attacks saw a 479% increase between Q4 2017 and Q4 2018 per Proofpoint. The dramatic increase in web-based implementations like Office 365 (O365) contributes to the corresponding increase in attacks. Yeah, yeah, we’re going to talk about phishing again, @TheTokenFemale? Really?
Yes. Because no matter how well trained your people are, no matter how diligent…everyone has a bad day. Your organization may not be the “phish in a barrel” type…but it just takes once. A family member in the hospital, a rush to clean things up before vacation, or any kind of significant distraction can make the most diligent person overlook…and click.
Algorithms, step-by-step processes designed to tell a computer what to do and how to do it, are used to encipher data. Passwords and crypto keys are strings of characters needed to decrypt enciphered data. If these strings are not properly managed, you can lose the ability to decrypt this data forever. That is why proper key management is so important any time you are using cryptography on your systems. When using Blockchain, it can be especially important.
The most notable use of Blockchain to date is in Cryptocurrency. Last December, the 30-year-old founder of the Canadian cryptocurrency exchange QuadrigaCX reportedly died abroad. Unfortunately, he went to his reward without telling anyone the password for his storage wallet, causing the loss of up to 190 million dollars. What a mess! The exchange is now out of business and the court has appointed a monitor (Ernst & Young) and law firms to represent QuadrigaCX customers. An object lesson indeed for employing proper key management.
2018 was a record year. But not in a good way. U.S. organizations paid out a record $28 million in settlements or judgments for data breaches 1. That number was boosted by Anthem’s $16 million settlement for the largest healthcare breach in history.
But information security is getting better, isn’t it? Alright, fines for the year is not reflective of the number of data breaches for the same year, after all, the actual breaches for the fines mentioned above occurred years prior. Such as, the Anthem cyber-attack occurred in 2014 and 2015 2, and the $4.3 million judgment against the University of Texas MD Anderson Cancer Center occurred in 2012 and 2013.
In the Protenus 2019 Breach Barometer Report 3, the U.S.Department of Health and Human Services HHS reported 503 health care data breaches that compromised over 15 million patient records. That is up from 2017 of 477 data breaches with 5.5 million patient records. A 5% increase in number of breaches resulted in triple the number of patient records compromised.
How data was compromised varied from stolen/lost credentials, unauthorized insider access, “hacking” from an external source, human error, and phishing. One of the most common vector for intrusion comes through 3rd party vendors.
Continue reading
Yesterday, I was doing an interview with one of my mentees. The questions she asked brought up some interesting points about MSI, our history and Columbus. I thought I would share 3 of the questions with the SoS readers:
“You have to remember that when I founded MicroSolved, back in 1992, there wasn’t a strong commercial Internet yet. Most of the electronic commerce efforts and digital business was done via dial-up or dedicated networks. I came to Columbus in 1988 to go to school and eventually ended up at DeVry. I was working at Sterling Software and doing a lot of experimentation with technology. Somehow, I got completely interested in security, hacking, phreaking and online crime. I took that passion and began to explore building it into a business. There were a few of us starting consulting companies back then, and Columbus was certainly an interesting place to be in the early 90s. Eventually, Steve Romig, from The Ohio State University started putting groups together – meeting at different parks and restaurants. That was the first place I really identified as the beginning of a security community in the city.”
Recently, Brent – MSI’s CEO – put together a Business Email Compromise checklist to help our clients combat phishing attempts, and prepare to discover and remediate successful attempts. The checklist:
But, what does that mean for you? Our team put together an educational series based on the checklist, to help security programs at all levels. The next thing we’d like to share are a few war stories – tales from the field in various industries. These are drawn from our security and incident response work in these industries, and call out specific attack vectors and points to consider for these entities.
A few weeks ago, we published the Business Email Compromise (BEC) Checklist. The question arose – what if you’re new to security, or your security program isn’t very mature?
Since the checklist is based on the NIST model, there’s a lot of information here to help your security program mature, as well as to help you mature as a security practitioner. MSI’s engineers have discussed a few ways to leverage the checklist as a growth mechanism.
Part 1 and Part 2 covered the first checkpoint in the list – Discover. Part 3 covered the next checkpoint – Protect. Part 4 continued the series – Detect. Part 5 addressed how to Respond.
In this episode of the MSI podcast, we begin our series on the business email compromise checklist. While BEC is a significant issue and a common form of compromise leading to fraud, there are several things you can do to combat this form of attack. The first step is to “Identify” the threat at hand.
https://s3.amazonaws.com/MSIMedia/MSIMicro_004_Identify.mp3
If you would like to know more about MicroSolved or its services please send an e-mail to info@microsolved.com or visit microsolved.com.
The Ohio Data Protection Act differs from others in the country in that it offers the “carrot” without threat of the “stick.” Although companies are rewarded for implementing a cyber-security program that meets any of a variety of security standards, having a non-compliant program carries no penalty under this act.
The theory is that Ohio companies will be more willing to put resources into their information security programs proactively if a tangible return on their investment is available; like investing in insurance to hedge risk. Alternatively, if there is no threat of penalty for non-compliance, why wouldn’t a business simply adopt a wait and see attitude? After all, most companies do not have big data breaches, and developing and documenting a compliant information security program is expensive.
Whether you are trying to comply with HIPAA/HITECH, NAIC Model Laws, SOX, PCI DSS, ISO or the NIST Cybersecurity Framework, you must address incident response and management. In the time I have been involved in risk management, I have seen an ever-growing emphasis being placed on these functions.
I think that one of the reasons for this is that most of us have come to the realization that there is no such thing as perfect information security. Not only are data breaches and other security incidents inevitable, we are seeing that there are more and more of them occurring each year; a trend I don’t expect to change anytime soon. In addition, people are becoming increasingly concerned with their privacy and protecting their proprietary information. In response, regulators are becoming tougher on the subject too.