Security

SolarWinds Orion: The Biggest Hack of the Year

Federal agencies faced one of their worst nightmares this past week when they were informed of a massive compromise by foreign hackers within their network management software. An emergency directive from the Cybersecurity and Infrastructure Security Agency (CISA) instructed all agencies using SolarWinds products to review their networks and disconnect or power down the company’s Orion software. 

Orion has been used by the government for years and the software operates at the heart of some crucial federal systems. SolarWinds has been supplying agencies for some-time as well, developing tools to understand how their servers were operating, and later branching into network and infrastructure monitoring. Orion is the structure binding all of those things together. According to a preliminary search of the Federal Procurement Data System – Next Generation (FPDS-NG), at least 32 federal agencies bought SolarWinds Orion software since 2006.

Listed below are some of the agencies and departments within the government that contracts for SolarWinds Orion products have been awarded to. Even though all them bought SolarWinds Orion products, that doesn’t mean they were using them between March and June, when the vulnerability was introduced during updates. Agencies that have ongoing contracts for SolarWinds Orion products include the Army, DOE, FLETC, ICE, IRS, and VA. SolarWinds estimates that less than 18,000 users installed products with the vulnerability during that time.

  • Bureaus of Land Management, Ocean Energy Management, and Safety and Environmental Enforcement, as well as the National Park Service and Office of Policy, Budget, and Administration within the Department of the Interior
  • Air Force, Army, Defense Logistics Agency, Defense Threat Reduction Agency, and Navy within the Department of Defense
  • Department of Energy
  • Departmental Administration and Farm Service Agency within the U.S. Department of Agriculture
  • Federal Acquisition Service within the General Services Administration
  • FBI within the Department of Justice
  • Federal Highway Administration and Immediate Office of the Secretary within the Department of Transportation
  • Federal Law Enforcement Training Center, Transportation Security Administration, Immigration and Customs Enforcement, and Office of Procurement Operations within the Department of Homeland Security
  • Food and Drug Administration, National Institutes of Health, and Office of the Assistant Secretary for Administration within the Department of Health and Human Services
  • IRS and Office of the Comptroller of the Currency within the Department of the Treasury
  • NASA
  • National Oceanic and Atmospheric Administration within the Department of Commerce
  • National Science Foundation
  • Peace Corps
  • State Department
  • Department of Veterans Affairs

YOU CAN READ THE JOINT STATEMENT BY THE FEDERAL BUREAU OF INVESTIGATION (FBI), THE CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY (CISA), AND THE OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE (ODNI) HERE.

How the Attack was Discovered

When Cyber security firm FireEye Inc. discovered that it was the victim of a malicious cyber-attack, the company’s investigators began trying to figure out exactly how attackers got past its secured defenses. They quickly found out,  they were not the only victims of the attack. Investigators uncovered a weakness in a product made by one of its software providers, SolarWinds Corp. After looking through 50,000 lines of source code, they were able to conclude there was a backdoor within SolarWinds. FireEye contacted SolarWinds and law enforcement immediately after the backdoor vulnerability was found.

Hackers, believed to be part of an elite Russian group, took advantage of the vulnerability to insert malware, which found its way into the systems of SolarWinds customers with software updates. So far, as many as 18,000 entities may have downloaded the malware. The hackers who attacked FireEye stole sensitive tools that the company uses to find vulnerabilities in clients’ computer networks. The investigation by FireEye discovered that the hack on itself was part of a global campaign by a highly complex attacker that also targeted government, consulting, technology, telecom and extractive entities in North America, Europe, Asia, and the Middle East.

The hackers that implemented the attack were sophisticated unlike any seen before. They took innovative steps to conceal their actions, operating from servers based in the same city as an employee they were pretending to be. The hackers were able to breach U.S. government entities by first attacking the SolarWinds IT provider. By compromising the software used by government entities and corporations to monitor their network, hackers were able to gain a position into their network and dig deeper all while appearing as legitimate traffic.

Read how Microsoft and US Cyber Command joined forces to stop a vicious malware attack earlier this year.

How Can the Attack Be Stopped?

Technology firms are stopping some of the hackers’ key infrastructure as the U.S. government works to control a hacking campaign that relies on software in technology from SolarWinds. FireEye is working with Microsoft and the domain registrar GoDaddy to take over one of the domains that attackers had used to send malicious code to its victims. The move is not a cure-all for stopping the cyber-attack, but it should help stem the surge of victims, which includes the departments of Treasury and Homeland Security.

 

According to FireEye, the seized domain, known as a “killswitch,” will affect new and previous infections of the malicious code coming from that particular domain. Depending on the IP address returned under certain conditions, the malware would terminate itself and prevent further execution. The “killswitch” will make it harder for the attackers to use the malware that they have already deployed. Although, FireEye warned that hackers still have other ways of keeping access to networks. With the sample of invasions FireEye has seen, the hacker moved quickly to establish additional persistent mechanisms to access to victim networks.

 

The FBI is investigating the compromise of SolarWinds’ software updates, which was linked with a Russian intelligence service. SolarWinds’ software is used throughout Fortune 500 companies, and in critical sectors such as electricity. The “killswitch” action highlights the power that major technology companies have to throw up roadblocks to well-resourced hackers. This is very similar to Microsoft teaming up with the US Cyber Command to disrupt a powerful Trickbot botnet in October.

US Cyber Command & Microsoft launch attack on TrickBot Malware

With one of the biggest, most impactful elections in United States history just hours away, there is growing concern over voter fraud, rigged election results, and involvement from third parties influencing the results. Sadly, one of these has become reality as the Trickbot malware botnet was caught. Recently, an alliance of major tech companies organized an effort to take down the backend infrastructure of the TrickBot.

Companies fighting the good war against this bot include Microsoft’s Defender team, FS-ISAC, ESET, Lumen’s Black Lotus Labs, NTT, and Broadcom’s cyber-security division Symantec. Even the U.S. government cyber security teams got in on the takedown. Prior to the attempted takedown the companies launched investigations into TrickBot’s backend infrastructure of servers and malware modules. 

 

Over a period of months, the team of tech corporations collected more than 125,000 TrickBot malware samples, analyzed the content, and extracted mapping information about the malware’s inner workings, including all the servers the botnet used to control infected computers. With evident to back their claims, Microsoft went to court asking for legal rights to counterattack and for control over TrickBot servers. 

 

Read Microsoft’s legal documents  

 

However, even with some of the most advanced tech giants in the world firing a counterattack against the malware bot, it still hasn’t gone away. The TrickBot botnet has survived a takedown attempt. TrickBot command and control servers and domains have been taken and substituted with a new infrastructure. The Trickbot takedown has been described as temporary and limited but gives its current victims time to breathe until a more permanent solution can be implemented. 

 

Even from the early planning phases, the tech companies anticipated TrickBot making a revival, and actually planned ahead for it. But why not kill it off all at once instead of just taking it out slowly. This multi-phased method to dismantling TrickBot is a result of the botnet’s complex infrastructure, much of which runs on bulletproof hosting systems, which are unresponsive or slow to react to takedown attempts.

Microsoft’s Victory in Court

Unbeknownst to many, the attempted take down of TrickBot played another role, one that could have ramifications long down the road. The court case that paved the way for the takedown also helped Microsoft set a new legal standard. In court, the tech giant argued that TrickBot’s malware abused Windows code for malicious purposes, against the terms of service of the standard Windows software development kit, on which all Windows apps are used.

Microsoft successfully argued that TrickBot was infringing on Microsoft’s copyright of its own code by copying and using its SDKs for unethical purposes.

Some have applauded Microsoft for this strategic legal maneuver. In the past, Microsoft had to present evidence to prove that the malware was causing financial damages to victims, which resulted in the long and laborious task of identifying and contacting victims. The new legal tactic Microsoft used in court focused on the misuse of its Windows SDK code. This method was easier to prove and argue, giving Microsoft’s legal team a more agile approach to going after malware groups. I wouldn’t be surprised to see Microsoft or other tech companies use the same approach in the future. 

Microsoft and Cyber Command Working to Save the US Election 

Microsoft was largely concerned that the masterminds behind Trickbot would use the botnet to upset the US election through ransomware. Attackers could lock down systems keeping voter rolls or reporting on election night results. When Microsoft began their investigations into the malware bot, it wasn’t expected to coincide with the US government’s own investigation. United States Cyber Command, the relative of the National Security Agency, had already started hacking TrickBot’s command and control servers around the world back in September. Microsoft only discovered this effort while launching its own.

In both investigations, the anti-TrickBot plans were meant to disrupt any possible Russian attacks during the next few critical days. However, it’s still not clear whether Russia intended to use Trickbot for a malware campaign, but this takes the option away before the vote on November 3rd.

The collaborative efforts of both Microsoft and government agency fast-tracked cyberconflict resolutions in the final days before the elections. Cyber Command, following a model it created in the 2018 midterm elections, kicked off a series of covert pre-emptive strikes on the Russian-speaking hackers it believes could interrupt the casting, counting and certifying of ballots on election day.

Trickbot and Malware as a Service (MaaS) 

So now that we’ve gotten to the bottom of how the malware botnet was discovered and potentially thwarted enough to find by time to find a permanent solution, we can dive deeper into how the Trickbot operates. 

The dual anti-threat efforts weren’t only dedicated to taking down TrickBot servers, which they knew would only be temporary, but also adding extra costs to TrickBot authors and delaying current malware operations. Additionally, security researchers also aimed to damage TrickBot’s reputation in cybercrime circles.

TrickBot is currently ranked as one of the Top 3 most successful Malware-as-a-Service (MaaS) operations in the cybercrime industry. The innovative bot uses email spam campaigns to infect computers, downloads its malware, and then steals data from infected hosts that it later resells for profit. Even more impressive is Trickbot’s ability to rent access to infected computers to other criminal groups, which makes a substantial amount of its revenues. The customers that rent this unauthorized access include infostealer trojans, BEC fraud groups, ransomware operators, and nation-state hacking groups.

A network bot like Trickbot that has potential to be disrupted risks revealing the operations of customers, most of which would prefer not to be exposed to law enforcement tracking. If Trickbot can be disrupted it would prove unreliable businesswise, especially for regular customers who are paying substantial fees to have access to infected systems at specific times.

Emotet, a Trickbot Malware, is kept alive in server spots like this one.

NCSAM Week 2 ; Securing Devices at Home and Work

Securing Devices at Home and Work

 

According to a 2018 study by CNBC, there were over 70% of employees around the world working remotely at least one day per week. With the recent COVID-19 pandemic, many organizations have had to make full-time remote work an option just to stay in business. As full-time remote workers are progressively more common, there still aren’t many resources that focus on the cybersecurity risk created by working remotely.

With the latest surge in working from home (WFH) employees, businesses are forced to rely on business continuity planning. This means that organizations must find ways to protect their customer’s sensitive data simultaneously granting workplace flexibility. Provided the current conditions we are all facing and in celebration of Cyber Security Awareness Month (CSAM), we thought we should share a few tips to help your business increase its cybersecurity.

Security tips for the home, office and working from a home office

Secure your working area

The first and easiest piece of security advice would be to physically secure your workspace. Working remotely should be treated the same as working in the office, o you need to lock up when you leave. There have been way too many instances when laptops with sensitive data on them have been stolen from living rooms, home offices, and even in public settings such as coffee shops. Never leave your devices unattended and lock doors when you leave.

See why laptop and home office security is so important. 

Secure your router

Cybercriminals take advantage of default passwords on home routers because it is not often changed, leaving any home network vulnerable. Change the router’s password from the default to something unique. You can also make sure firmware updates are installed so known vulnerabilities aren’t exploitable. 

Use separate devices for work and personal

It’s important to set separate restrictions between your work devices and home devices. At first it may seem like an unnecessary burden to constantly switch between devices throughout the day, but you never know if one has been compromised. Doing the same for your mobile devices, can decrease the amount of sensitive data exposed if your personal device or work device has been attacked.

Encrypt the device you are using

Encryption is the process of encoding information so only authorized parties can access it. If your organization hasn’t already encrypted its devices, it should. Encrypting the devices prevents strangers from accessing the contents of your device without the password, PIN, or biometrics. 

Below is a way to encrypt devices with the following operating systems:

  • Windows: Turn on BitLocker.
  • macOS: Turn on FileVault.
  • Linux: Use dm-crypt or similar.
  • Android: Enabled by default since Android 6.
  • iOS: Enabled by default since iOS 8.

Check that your operating system is supported and up to date.

Usually, operating system developers only support the last few major versions, as supporting all versions is costly and the majority of users upgrade when told to do so. Unsupported operating systems no longer receive security patches, making your device and sensitive data at risk. If your device does not support the latest operating system, it may be time to look into updating the device.

Here’s how to check if your operating system is still supported:

  • Windows: Check the Windows lifecycle fact sheet
  • macOS: Apple has no official policy for macOS. That said, Apple consistently supports the last three versions of macOS. So assuming Apple releases a new version of macOS each year, each release of macOS should be supported for roughly three years.
  • Linux: Most active distributions are well supported.
  • Android: Security updates target the current and last two major versions, but you may need to check that your manufacturer/carrier is sending the security patches to your device. 
  • iOS: Like macOS, Apple has no official policy for iOS but security updates generally target the most recent major version and the three prior. 

Read more about Android security here

Create a strong PIN/password only YOU know

Everything mentioned prior to this won’t matter if you don’t use a strong password. A common tip for creating a strong password is to avoid using repeating numbers (000000), sequences (123456), or common passwords such as the word password itself.

More tips on creating a strong password include:

  • Avoid using anything that is related to you
  • Avoid using your date of birth
  • Avoid using your license plate
  • Avoid using your home address
  • Avoid using any family members or pets’ names.

 

 A good pin/password should appear arbitrary to everyone except you. Consider investing in a password manager. A good password manager can help you create strong passwords and remember them, as well as share them with family members, employees, or friends securely. 

Learn more about how to create a strong password

 Install antivirus software

An antivirus software is a program that detects or recognizes a harmful computer virus and works on removing it from the computer system. Antivirus software operates as a preventive system so that it not only removes a virus but also counteracts any potential virus from infecting the device in the future.

Authorize two-factor authentication

Two-factor authentication is an authentication method where access is granted only after successfully presenting two pieces of evidence to an authentication mechanism.  This method has been proven to reduce the risk of successful phishing emails and malware infections. Even if the cybercriminal is able to get your password, they are unable to login because they do not have the second piece of evidence.

The first and most common evidence is a password. The second takes many forms but is typically a one-time code or push notification. There are several applications that can be used for two factor authentication such as Google Authenticator. 

Erase data from any devices you plan to sell

This should be the number one rule on any cybersecurity list. It is only a matter of time until your devices are obsolete, and it is time to upgrade. The one thing you don’t want is to have a data leak because you failed to properly erase the data from your device before selling or disposing of it. Returning the device to factory setting may not always be enough, as some hackers know how to retrieve the data that has been “erased”. Before doing anything, always remember to back up your data to multiple devices before clicking that “delete” button. 

Consult with your operating system to see how to properly reset your device to factory settings. If you are certain you do not want the data on your device to be accessed ever again, we can help with that. Here is a list of data destruction services we provide:

Security tips for employers handling a remote workforce

Train employees on cybersecurity awareness

As cybercriminals are always looking for new ways to bypass security controls to gain access to sensitive information, cybersecurity isn’t something that can just be taught once. It must be a continual learning and retention. Here are a few things that a business can teach their staff in order to help thwart a cyberattack:

  • Avoid malicious email attachments and other email-based scams
  • Identify domain hijacking
  • Use operations security on their social media accounts and public profiles 
  • Only install software if they need to 
  • Avoid installing browser plugins that come from unknown or unidentified developers

Use a virtual private network (VPN)

A virtual private network (VPN) extends a private network across a public network, enabling you to send and receive data across shared or public networks as if you are directly connected to the private network. They do this by establishing a secure and encrypted connection to the network over the internet and routing your traffic through that. This keeps you secure on public hotspots and allows for remote access to secure computing assets. 

Celebrating National Cyber Security Awareness Month

Celebrating National Cyber Security Awareness Month

 

Every October since 2004, National Cyber Security Awareness Month (NCSAM) is observed in the United States. Started by the National Cyber Security Division within the Department of Homeland Security and the nonprofit National Cyber Security Alliance, the NCSAM aims to spread awareness about the importance of cybersecurity. The National Cyber Security Alliance launched NCSAM as a large effort to improve online safety and security. Since 2009, the month has included an overall theme, for 2020 we celebrate “Do Your Part, #BeCyberSmart”. Weekly themes throughout the month were introduced in 2011. This year, our weekly themes will be as follows:

  • Week of October 5 (Week 1): If You Connect It, Protect It
  • Week of October 12 (Week 2): Securing Devices at Home and Work
  • Week of October 19 (Week 3): Securing Internet-Connected Devices in Healthcare
  • Week of October 26 (Week 4): The Future of Connected Devices

If You Connect IT. Protect IT.

 

October 1, 2020, marked the 17th annual National Cybersecurity Awareness Month (NCSAM), reminding everyone of the role we all play in online safety and security at home and in the workplace. Brought forth by both the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Alliance (NCSA), NCSAM is a joint effort between government and industry to make sure every American has the resources they need to stay safe and secure online. 

To kick off National Cyber Security Awareness Month, here are some tips to stay say online:

Enable multi-factor authentication (MFA). This ensures that the only person who has access to your account is you. Use MFA for email, banking, social media and any other service that requires logging in.

Use the longest password allowed. Get creative and customize your standard password for different sites, which can prevent cybercriminals from gaining access to these accounts and protect you in the event of a breach. Use password managers to generate and remember different, complex passphrase for each of your accounts.

Protect what you connect. Whether it’s your computer, smartphone, game device or other network devices, the best defense against viruses and malware is to update to the latest security software, web browser and operating systems. 

Limit what information you post on social media.  Cyber criminals look for everything, from personal addresses to your pet’s names. What many people don’t realize is that these seemingly random details are all cybercriminals need to know to target you, your loved ones, and your physical belongings. Keep Social Security numbers, account numbers and passphrases private, as well as specific information about yourself, such as your full name, address, birthday and even vacation plans. Disable location services that allow anyone to see where you are.

Stay protected on public networks. Before you connect to any public Wi-Fi be sure to confirm the name of the network and exact login procedures with appropriate staff to ensure that the network is legitimate. Your personal hotspot is a safer alternative to free Wi-Fi. Also, only use sites that begin with “https://” when shopping or banking online.

Introducing CISA, the Federal Governments Protection Against Cyber-Attacks

 

On November 16, 2018, the United States Congress formed the Cybersecurity and Infrastructure Security Agency (CISA) to detect threats, quickly communicate the information and aid in defense of the nation’s critical infrastructure. The new federal agency was created through the Cybersecurity and Infrastructure Security Agency Act of 2018, which was signed into law by President Donald Trump. That legislature made the National Protection and Programs Directorate (NPPD) of the Department of Homeland Security’s (DHS) the new Cybersecurity and Infrastructure Security Agency, reassigning all resources and responsibilities within. Before the bill was passed, the NPPD handled all of DHS’s cybersecurity-related affairs.

 

Why the CISA was Formed

In April 2015, IT workers at the United States Office of Personnel Management (OPM), the agency that manages the government’s civilian workforce, discovered that some of its personnel files had been hacked. Sensitive personal data on 22 million current and former federal employees was stolen by suspected Chinese hackers. Among the sensitive data that was stolen, were millions of SF-86 forms, which contain extremely personal information collected in background checks for people requesting government security clearances, along with records of millions of people’s fingerprints. 

In the wake of the massive data breach, it became even more evident that the Department of Homeland Security was not effectively positioned to respond to the growing threat of cyber-attacks, both foreign and domestic.  As more foreign invasions into U.S. IT infrastructure and other forms of cybersecurity attacks increased, industry experts demanded the creation of a new agency that would be more aligned to handle the issue of cyber security.

DHS’s cybersecurity strategy, made public in May 2018, offered a strategic framework to carry out the government’s cybersecurity responsibilities during the following five years. The strategy highlighted a unified approach to managing risk and lending greater authority to the creation of a separate cybersecurity agency. Besides the need for a new approach to the nation’s cybersecurity threats, CISA was created to solve what security professionals and government officials frequently referred to as a “branding” problem DHS faced with NPPD. CISA would be a clear and focused federal agency.

Learn more about the 2015 OPM Attack

What Does CISA Do?

 

In a nutshell, CISA is in charge of protecting the nation’s critical infrastructure from physical and cyber-attacks. The agency’s mission is to build the national capacity to defend against cyber-attacks and to work with the federal government to provide cybersecurity tools, incident response services and assessment capabilities to safeguard the .gov networks that support the essential operations of partner departments and agencies. Below is a list of other responsibilities the CISA has undertaken as a newly formed federal agency:

  • Coordinate security and resilience efforts using trusted partnerships across the private and public sector
  • Deliver technical assistance and assessments to federal stakeholders as well as to infrastructure owners and operators nationwide
  • Enhance public safety interoperable communications at all levels of government 
  • Help partners across the country develop their emergency communications capabilities
  • Conducts extensive, nationwide outreach to support and promote the ability of emergency response providers and relevant government officials to continue to communicate in the event of a natural disaster, act of terrorism, or other man-made disaster

Visit the CISA official government page

Who Leads the CISA?

 

The CISA is made up of two core operations that are vital to the agency’s success. First, is the National Cybersecurity and Communications Integration Center (NCCIC), which delivers 24×7 cyber-situational awareness, analysis, incident response and cyber-defense capabilities to the federal government. The NCCIC operates on state, local, tribal, and territorial government levels; within the private sector; and with international partners. The second is the National Risk Management Center (NRMC), which is a planning, analysis and collaboration center working to identify and address the most significant risks to the nation’s critical infrastructure.

The CISA is led by a team of eight highly respected and experienced team of individuals.

  • Director, Cybersecurity, and Infrastructure Security Agency (CISA), Christopher C. Krebs 
  • Deputy Director, Matthew Travis 
  • Assistant Director for Cybersecurity, Bryan Ware 
  • Assistant Director (Acting) for Infrastructure Security, Steve Harris
  • Assistant Director, National Risk Management Center, Bob Kolasky 
  • Assistant Director (Acting) for Emergency Communications, Vincent DeLaurentis 
  • Assistant Director for Integrated Operations, John Felker
  • Assistant Director (Acting) for Stakeholder Engagement, Bradford Willke

You can learn more about the CISA leadership team and their structure here.

Cyber Insurance in the Modern World

Yes, you read that correctly, cyber insurance is a real thing and it does exactly what is says. No, cyber insurance can’t defend your business from a cyber-attack, but it can keep your business afloat with secure financial support should a data security incident happen. Most organizations operate their business and reach out to potential customers via social media and internet-based transactions. Unfortunately, those modes of communication also serve as opportunities to cyber warfare. The odds are not in your favor, as cyberattacks are likely to occur and have the potential to cause serious losses for organizations both large and small. As part of a risk management plan, organizations regularly must decide which risks to avoid, accept, control or transfer. Transferring risk is where cyber insurance will pay massive dividends.

 

What is Cyber Insurance?

By definition, a cyber insurance policy, also known as cyber risk insurance (CRI) or cyber liability insurance coverage (CLIC), is meant to help an organization alleviate the risk of a cyber-related security breach by offsetting the costs involved with the recovery. Cyber insurance started making waves in 2005, with the total value of premiums projected to reach $7.5 billion by 2020. According to audit and assurance consultants PwC, about 33% of U.S. companies currently hold a cyber insurance policy. Clearly companies are feeling the need for cyber insurance, but what exactly does it cover? Dependent on the policy, cyber insurance covers expenses related to the policy holder as well as any claims made by third party casualties. 

Below are some common reimbursable expenses:

  • Forensic Investigation: A forensics investigation is needed to establish what occurred, the best way to repair damage caused and how to prevent a similar security breach from happening again. This may include coordination with law enforcement and the FBI.
  • Any Business Losses Incurred: A typical policy may contain similar items that are covered by an errors & omissions policy, as well as financial losses experienced by network downtime, business disruption, data loss recovery, and reputation repair.
  • Privacy and Notification Services: This involves mandatory data breach notifications to customers and involved parties, and credit monitoring for customers whose information was or may have been violated.
  • Lawsuits and Extortion Coverage: This includes legal expenses related to the release of confidential information and intellectual property, legal settlements, and regulatory fines. This may also include the costs associated from a ransomware extortion.

Like anything in the IT world, cyber insurance is continuously changing and growing. Cyber risks change often, and organizations have a tendency to avoid reporting the true effect of security breaches in order to prevent negative publicity. Because of this, policy underwriters have limited data on which to define the financial impact of attacks.

How do cyber insurance underwriters determine your coverage?

 

As any insurance company does, cyber insurance underwriters want to see that an organization has taken upon itself to assess its weaknesses to cyberattacks. This cyber risk profile should also show how the company and follows best practices by facilitating defenses and controls to protect against potential attacks. Employee education in the form of security awareness, especially for phishing and social engineering, should also be part of the organization’s security protection plan. 

Cyber-attacks against all enterprises have been increasing over the years. Small businesses tend to take on the mindset that they’re too small to be worth the effort of an attack. Quite the contrary though, as Symantec found that over 30% of phishing attacks in 2015 were launched against businesses with under 250 employees. Symantec’s 2016 Internet Security Threat Report indicated that 43% of all attacks in 2015 were targeted at small businesses.

You can download the Symantec’s 2016 Internet Security Threat Report here

The Centre for Strategic and International Studies estimates that the annual costs to the global economy from cybercrime was between $375 billion and $575 billion, with the average cost of a data breach costing larger companies over $3 million per incident. Every organization is different and therefore must decide whether they’re willing to risk that amount of money, or if cyber insurance is necessary to cover the costs for what they potentially could sustain.

As stated earlier in the article, cyber insurance covers first-party losses and third-party claims, whereas general liability insurance only covers property damage. Sony is a great example of when cyber insurance comes in handy. Sony was caught in the 2011 PlayStation hacker breach, with costs reaching $171M. Those costs could have been offset by cyber insurance had the company made certain that it was covered prior.

The cost of cyber insurance coverage and premiums are based on an organization’s industry, type of service they provided, they’re probability of data risks and exposures, policies, and annual gross revenue. Every business is very different so it best to consult with your policy provider when seeking more information about cyber-insurance.

Apple’s Bug Bounty Program : Hacker’s Getting Paid

How does one of the largest and most innovative companies in history prevent cyber attacks and data hacks? They hire hackers to hack them. That’s right, Apple pays up to $1 million to friendly hackers who can find and report vulnerabilities within their operating systems. Recently, Apple announced that it will open its Bug Bounty program to anyone to report bugs, not just hackers who have previously signed up and been approved. 

 

Apple’s head of security engineering Ivan Krstic says is that this is a major win not only for iOS hackers and jailbreakers, but also for users—and ultimately even for Apple. The new bug bounties directly compete with the secondary market for iOS flaws, which has been booming in the last few years. 

 

In 2015, liability broker Zerodium revealed that will pay $1 million for a chain of bugs that allowed hackers to break into the iPhone remotely. Ever since, the cost of bug bounties has soared. Zerodium’s highest payout is now $2 million, and Crowdfense offering up to $3 million.

So how do you become a bug bounty for Apple? We’ll break it down for you.

 

What is the Apple Security Bounty?

As part of Apple’s devotion to information security, the company is willing to compensate researchers who discover and share critical issues and the methods they used to find them. Apple make it a priority to fix these issues in order to best protect their customers against a similar attack. Apple offers public recognition for those who submit valid reports and will match donations of the bounty payment to qualifying charities.

See the Apple Security Bounty Terms and Conditions Here

Who is Eligible to be a Bug Bounty?

 

In order to qualify to be an Apple Bug Bounty, the vulnerability you discover must appear on the latest publicly available versions of iOS, iPadOS, macOS, tvOS, or watchOS with a standard configuration. The eligibility rules are intended to protect customers until an update is readily available. This also ensures that Apple can confirm reports and create necessary updates, and properly reward those doing original research. 

Apple Bug Bounties requirements:

  • Be the first party to report the issue to Apple Product Security.
  • Provide a clear report, which includes a working exploit. 
  • Not disclose the issue publicly before Apple releases the security advisory for the report. 

Issues that are unknown to Apple and are unique to designated developer betas and public betas, can earn a 50% bonus payment. 

Qualifying issues include:

  • Security issues introduced in certain designated developer beta or public beta releases, as noted in their release notes. Not all developer or public betas are eligible for this additional bonus.
  • Regressions of previously resolved issues, including those with published advisories, that have been reintroduced in certain designated developer beta or public beta release, as noted in their release notes.

How Does the Bounty Program Payout?

 

The amount paid for each bounty is decided by the level of access attained by the reported issue. For reference, a maximum payout amount is set for each category. The exact payment amounts are determined after Apple reviews the submission. 

Here is a complete list of example payouts for Apple’s Bounty Program

The purpose of the Apple Bug Bounty Program is to protect consumers through understanding both data exposures and the way they were utilized. In order to receive confirmation and payment from the program, a full detailed report must be submitted to Apple’s Security Team.  

 

According to the tech giant, a complete report includes:

  • A detailed description of the issues being reported.
  • Any prerequisites and steps to get the system to an impacted state.
  • A reasonably reliable exploit for the issue being reported.
  • Enough information for Apple to be able to reasonably reproduce the issue. 

 

Keep in mind that Apple is particularly interested in issues that:

  • Affect multiple platforms.
  • Impact the latest publicly available hardware and software.
  • Are unique to newly added features or code in designated developer betas or public betas.
  • Impact sensitive components.

Learn more about reporting bugs to Apple here

The Role of Cryptocurrencies in the Age of Ransomware

Now more than ever, there has become an obvious connection between the rising ransomware era and the cryptocurrency boom. Believe it or not, cryptocurrency and ransomware have an extensive history with one another. They are so closely linked, that many have attributed the rise of cryptocurrency with a corresponding rise in ransomware attacks across the globe. There is no debating the fact that ransomware attacks are escalating at an alarming rate, but there is no solid evidence showing a direct correlation to cryptocurrency. Even though the majority of ransoms are paid in crypto, the transparency of the currency’s block chain makes it a terrible place to keep stolen money.

The link between cryptocurrency and ransomware attacks

There are two keyways that ransomware attacks rely on the cryptocurrency market. First, the majority of the ransoms paid during these attacks are usually in cryptocurrency. A perfect example is with the largest ransomware attack in history, the WannaCry ransomware attacks. Attackers demanded their victims to pay nearly $300 of Bitcoin (BTC) to release their captive data..

A second way that cryptocurrencies and ransomware attacks are linked is through what is called “ransomware as a service”. Plenty of cyber criminals offer “ransomware as a service,” essentially letting anyone hire a hacker via online marketplaces. How do you think they want payment for their services? Cryptocurrency.

Read more about the WannaCry ransomware attacks here

Show Me the Money

From an outsider’s perspective, it seems clear why hackers would require ransom payments in cryptocurrency. The cryptocurrency’s blockchain is based on privacy and encryption, offering the best alternative to hide stolen money. Well, think again. There is actually a different reason why ransomware attacks make use of cryptocurrencies. The efficiency of cryptocurrency block chain networks, rather than its concealment, is what really draws the cyber criminals in.

The value of cryptocurrency during a cyber-attack is really the transparency of crypto exchanges. A ransomware attacker can keep an eye on the public blockchain to see if his victims have paid their ransom and can automate the procedures needed to give their victim the stolen data back. 

On the other hand, the cryptocurrency market is possibly the worst place to keep the stolen funds. The transparent quality of the cryptocurrency blockchain means that the world can closely monitor the transactions of ransom money. This makes it tricky to switch the stolen funds into an alternative currency, where they can be tracked by law enforcement.

Read about the recent CSU college system ransomware attack here

Law and Order

Now just because the paid ransom for stolen data can be tracked in the blockchain doesn’t automatically mean that the hackers who committed the crime can be caught too. Due to the anonymity of cryptocurrency it is nearly impossible for law enforcement agencies to find the true identity of cybercriminals, However, there are always exceptions to the rule. 

Blockchain allows a transaction to be traced relating to a given bitcoin address, all the way back to its original transaction. This permits law enforcement access to the financial records required to trace the ransom payment, in a way that would never be possible with cash transactions.

Due to several recent and prominent ransomware attacks, authorities have called for the cryptocurrency market to be watched more closely. In order to do so, supervision will need to be executed in a very careful manner, not to deter from the attractiveness of anonymity of the currency. 

Protect Yourself Anyway You Can

The shortage of legislative control of the cryptocurrency market, mixed with the quick rise in ransomware attacks, indicates that individuals need to take it upon themselves to protect their data. Some organizations have taken extraordinary approaches such as hoarding Bitcoin in case they need to pay a ransom as part of a future attack. 

For the common man, protecting against ransomware attacks means covering your bases. You should double check that all of your cyber security software is up to date, subscribe to a secure cloud storage provider and backup your data regularly. Companies of all sizes should implement the 3-2-1 data backup strategy in the case of a ransomware attack. The 3-2-1 backup plan states that one should have at least three different copies of data, stored on at least 2 different types of media, with at least one copy offsite. It helps to also have a separate copy of your data stored via the air-gap method, preventing it from ever being stolen.

Learn More About Getting Your 3-2-1 Backup Plan in Place

3-2-1 Backup Rule

What is the 3-2-1 Backup Rule?

 

The 3-2-1 backup rule is a concept made famous by photographer Peter Krogh. He basically said there are two types of people: those who have already had a storage failure and those who will have one in the future. Its inevitable. The 3-2-1 backup rule helps to answer two important questions: how many backup files should I have and where should I store them?

The 3-2-1 backup rule goes as follows:

  • Have at least three copies of your data.
  • Store the copies on two different media.
  • Keep one backup copy offsite.

Need help with building your data backup strategy?

  1. Create at least THREE different copies of your data

Yes, I said three copies. That means that in addition to your primary data, you should also have at least two more backups that you can rely on if needed. But why isn’t one backup sufficient you ask? Think about keeping your original data on storage device A and its backup is on storage device B. Both storage devices have the same characteristics, and they have no common failure causes. If device A has a probability of failure that’s 1/100 (and the same is true for device B), then the probability of failure of both devices at the same time is 1/10,000.

So with THREE copies of data, if you have your primary data (device A) and two backups of it (device B and device C), and if all devices have the same characteristics and no common failure causes, then the probability of failure of all three devices at the same time will be 1/1,000,000 chance of losing all of your data. That’s much better than having only one copy and a 1/100 chance of losing it all, wouldn’t you say? Creating more than two copies of data also avoids a situation where the primary copy and its backup copy are stored in the same physical location, in the event of a natural disaster.

  1. Store your data on at least TWO different types of media

Now in the last scenario above we assumed that there were no common failure causes for all of the devices that contain your precious data. Clearly, this requirement is much harder to fulfill if your primary data and its backup are located in the same place. Disks from the same RAID aren’t typically independent. Even more so, it is not uncommon to experience failure of one or more disks from the same storage compartment around the same time.

This is where the #2 comes in 3-2-1 rule. It is recommended that you keep copies of your data on at least TWO different storage types. For example, internal hard disk drives AND removable storage media such as tapes, external hard drives, USB drives, od SD-cards. It is even possible to keep data on two internal hard disk drives in different storage locations.

 

Learn more about purchasing tape media to expand your data storage strategy 

  1. Store at least ONE of these copies offsite

Believe it or not, physical separation between data copies is crucial. It’s bad idea to keep your external storage device in the same room as your primary storage device. Just ask the numerous companies that are located in the path of a tornado or in a flood zone. Or what would you do if your business caught fire? If you work for a smaller company with only one location, storing your backups to the cloud would be a smart alternative. Tapes that are stored at an offsite location are also popular among companies of all sizes.

 

Every system administrator should have a backup. This principle works for any virtual environment; regardless of the system you are running, backup is king!

Scroll to top