We make holistic enterprise security possible.
Tailored Solutions & Consulting, Inc. (TSC Advantage) is a cyber risk consultancy specializing in the protection of trade secrets, intellectual assets, and other sensitive information. TSC Advantage was founded in 2006 as a response to the limitations of traditional approaches to cyber security that fail to incorporate holistic and proactive solutions in combating threats to enterprises. Our patent-pending and U.S. Department of Homeland Security (DHS) SAFETY Act-designated methodology holistically optimizes clients’ security posture to suit their unique organizational, procedural and market environments.
Headquartered in downtown Silver Spring, MD, in the Washington, DC metro area, the TSC Advantage global team brings together over 300 years of combined experience in intelligence operations and analysis, traditional business acumen, and agile technology solutions. We provide expertise to a wide array of industries and organizations, ranging from the Fortune 500, healthcare, and leading global insurance underwriting markets to the public sector and operators of U.S. critical infrastructure. Our proven delivery of panoramic cyber risk assessment and credentialed expertise makes us uniquely trusted and qualified to remediate clients’ most complex enterprise challenges.
In a complex world of growing and sophisticated cyber attacks and threats from insiders, all organizations must be proactive in the defense of their sensitive information. From corporate intellectual property and trade secrets to protected health information, we have developed an approach to enterprise security risk assessment that can help secure organizations across all industries.
Our unique approach examines holistic vulnerability across six critical domains of an organization as well as modules designed for ICS, PCI, and HIPAA with the intent of reducing risk and preventing cyber attacks, data breaches, and acts of terrorism from occurring in the first place. Using unparalleled expertise and over 300 years of combined specialized experience exploiting technical, physical, and human vulnerabilities of organizations, TSC Advantage better safeguards client value, innovation, and reputation in an age of sophisticated cyber attacks and data breaches.
Threat Vector Manager™
Our patent-pending Threat Vector Manager™ (TVM) is a U.S. DHS SAFETY Act-designated knowledge management process that identifies trends, patterns, and areas of elevated risk across an enterprise in order to prevent and reduce cyber attacks, data breaches, or physical acts of terrorism.
Mapped to meet and exceed numerous national and international industry standards, including NIST and ISO, and fused with proprietary security expertise, TVM™ provides an objective, posture-based perspective of enterprise maturity and security resiliency for a comprehensive understanding of emerging cyber threats and the latest in competitive intelligence tradecraft. This methodology identifies best business practices, improves performance and decision-making, and informs resource allocation based upon risk sensitivity and exposure.
TVM™ helps maximize clients’ return on security investments by delivering objective intelligence and practical solutions to FIND, FIX, and PROTECT the most critical problem areas.
Measurement designed to effectively baseline a wide range of policies, procedures, behaviors, and technical controls impacting a firm's overall security posture, using our U.S. DHS SAFETY Act-designated Enterprise Security Assessment and External Relationship Mapping solution
Comprehensive assessment of client-specific risk that objectively measures cyber security culture and maturity across administrative, technical, and physical categories in conjunction with critical business needs
Outcome-driven instrument, designed to reduce the cost of effective security through emphasis on prevention and awareness across traditional cyber security domains and overlooked threat vectors, such as external business relationships and the insider threat lurking within
Creation of targeted security initiatives and implementation of improvements for top vulnerabilities, prioritized by domain maturity, proprietary risk-ranking score and source-needs calculation, level of effort, and comparison against aggregated industry data
Subscription via a highly secure, encrypted cloud portal or local host for periodic reevaluations and illustration of the impact of additional security initiatives
Secure intelligence delivery via a customizable executive portal and dashboard tailored to the client environment, including sources such as DLP, MDM, and SIEM data, as well as social media and RSS feeds
Ongoing assessments of evolving threats, vulnerabilities, and consequences for critical assets, with tailored recommendations for continuous improvement and visualizations showing the security risk profile score and domain maturity compared against aggregated industry data
Integration with any vendor's security sensors already owned by the client, to leverage existing investments and position them for optimization
TSC Advantage Hosts Third Annual threatLAB Conference
Silver Spring, MD, Feb. 2, 2016 — TSC Advantage, an enterprise cyber risk consultancy specializing in the proactive defense of intellectual assets, trade secrets and other sensitive information, today kicked off ThreatLAB® 2016, an exclusive cybersecurity thought leadership event. The third annual ThreatLAB conference will educate senior private and public sector security professionals about the multitude of complex threats facing U.S. enterprises. The interactive theme Cyber Risk 360° embodies a philosophy of taking an enterprise-wide view of cybersecurity and risk.
ThreatLAB® 2016 features a keynote address from John Lenkart, Assistant Special Agent in Charge, National Security/Cyber Investigation, Richmond Division, Federal Bureau of Investigation (FBI). Throughout his career as a special agent, Lenkart has led and managed countless counterintelligence and economic espionage investigations aimed at defeating foreign-sponsored adversaries operating in the United States.
Additional speakers include: George Bamford, Director, DHS National Infrastructure Coordination Center; Joseph Ladd, Insider Threat Manager, Southern Company Services; Andrew Lamm, Director, Information Asset Protection, Cummins, Inc.; and Jeffrey Torosian, Partner, DLA Piper.
They will discuss the growing threat to corporations from state sponsors, hackers, and insider threats, what companies should do to protect themselves in an age of sophisticated cyberattacks, and the role of public-private partnerships.
“Knowing that even the best fortifications and preventative measures can fail, the role of achieving cyber resiliency becomes critical,” said Sean Doherty, president of TSC Advantage. “Resilient organizations combine multiple enterprise-wide functions to prevent, detect and recover from disruptions. At threatLAB, our attendees can learn from experts in the field and discuss their challenges and successes.”
ThreatLAB® 2016 is the continuation of efforts to educate organizations across all verticals on how to take a harmonized and panoramic approach to the cyber threat landscape. Hosted by TSC Advantage and Liberty Advisor Group, the 2016 conference is located at the Streamsong Resort in central Florida. Additional support is provided by sponsors McGriff, Seibels & Williams, Miller Insurance, and Sectra Communications.
About TSC Advantage
TSC Advantage is a cyber risk consultancy specializing in the protection of trade secrets, intellectual assets, and other sensitive information using a patent-pending and U.S. DHS SAFETY Act-designated methodology to perform cyber risk assessments for organizations across all verticals. The TSC Advantage team brings over 300 years of combined experience serving in premier U.S. national security organizations. Unlike other solutions, the company stands apart with its holistic approach to cybersecurity, which examines traditional cyber risk plus five other domains of enterprise vulnerability, including the role of business dependencies and the insider threat lurking within. TSC Advantage counts Fortune 500 businesses, global insurance underwriting markets, U.S. critical infrastructure, healthcare, and innovative start-ups as clientele.
TSC Advantage Named Finalist in 2016 Global Excellence Awards by Info Security Products Guide
Silver Spring, MD – January 13, 2016 – TSC Advantage announced today that its Threat Vector Manager™ (TVM) risk assessment solution has been named a finalist for the 2016 IFPG Global Excellence Awards in the category of Best Security Products and Solutions for Insurance. Info Security Products Guide is the industry’s leading information security research and advisory guide. These prestigious global awards recognize security and IT vendors with advanced, ground-breaking products and solutions that help set the bar in all areas of security and technologies. Winners will be announced in San Francisco on February 29, 2016.
Threat Vector Manager™ is a proprietary, patent-pending cyber risk assessment methodology that holistically identifies trends, patterns, and areas of elevated risk across an enterprise environment in order to prevent and reduce cyber attacks, data breaches, or physical acts of terrorism. TVM is unique in the domain of cybersecurity risk assessment due to its U.S. DHS Safety Act designation, which extends liability indemnity to customers for third party claims arising from a covered act of terrorism, as well as the output of the assessment itself, which produces a risk profile score and domain maturity level within six enterprise domains and has been adopted by global underwriters to help determine the insurability of potential insureds operating in the U.S. critical infrastructure segment.
“TSC Advantage is pioneering a vastly improved approach to cyber insurance underwriting, which rewards mature cyber security postures and allows customers to receive insurance with the broadest coverage, fewest exclusions, and tailored to their individual threat profiles,” said Sean Doherty, President of TSC Advantage. “We’re proud that Threat Vector Manager’s™ customer-focused methodology has been recognized as a finalist by Info Security Products Guide.”
About Info Security Products Guide Awards
SVUS Awards organized by Silicon Valley Communications are conferred in 10 annual award programs, including the Info Security Guide’s Global Excellence Awards. These premier awards honor organizations from all over the world, including the people, products, performance, PR and marketing. To learn more, visit www.svusawards.com
Inc. Names TSC Advantage as Fastest Growing Firm in 2015
Silver Spring, MD – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of trade secrets, intellectual assets, and other sensitive information, is pleased to announce that it has been ranked No. 3294 on the 2015 Inc. 500|5000, an exclusive ranking of 5,000 of the nation’s fastest-growing private companies. The list represents the most comprehensive look at the most important segment of the economy—America’s independent entrepreneurs. Companies such as Yelp, Pandora, Timberland, Dell, Domino’s Pizza, LinkedIn, Zillow, and many other well-known names gained early exposure as members of the Inc. 500|5000.
“We are honored to be included in the prestigious Inc. 500|5000 list among the other innovative and rapidly growing firms across the U.S.,” said TSC Advantage President Sean Doherty. “Over the past few years, we have experienced substantial growth which couldn’t have been possible without our valued customers and talented employees,” he said. “This honor not only recognizes the need enterprises have for expert and holistic cyber risk assessment, but validates the unique approach and confidence value offered by our methodology.”
The 2015 Inc. 5000, unveiled online at Inc.com, is one of the most competitive groups in the list’s history. The companies on this year’s Inc. 5000 list have achieved a median growth rate of 1,772 percent and have collectively created 57,822 jobs. To view TSC Advantage’s complete profile on the 2015 Inc. 5000 list, visit: www.inc.com/profile/tsc-advantage
Inc. 500|5000 Methodology
The 2015 Inc. 5000 list measures revenue growth from 2011 to 2014. To qualify, companies must have been founded and generating revenue by March 31, 2011. Additionally, they had to be U.S.-based, privately held, for profit, and independent–not subsidiaries or divisions of other companies–as of December 31, 2014. The minimum required 2011 revenue is $100,000; the minimum for 2014 is $2 million. Revenue listed in the company profiles is for calendar year 2014. Employee counts are current. Employees receiving benefits are included in the employee counts. Inc. reserves the right to reject applicants for subjective reasons. The companies of the Inc. 500 represent the top tier of the Inc. 5000.
Founded in 1979 and acquired in 2005 by Mansueto Ventures, Inc. is the only major brand dedicated exclusively to owners and managers of growing private companies, with the aim to deliver real solutions for today’s innovative company builders. Total monthly audience reach for the brand has grown significantly from 2,000,000 in 2010 to over 6,000,000 today. For more information, visit www.inc.com.
TSC Advantage Announces Relocation of Corporate Headquarters
Fast-growing Cybersecurity Consultancy Relocates to New Office Space in Maryland
Washington – June 2, 2015 – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of trade secrets, intellectual assets and other sensitive information, today announced its plan to move to a larger and newly renovated office space in downtown Silver Spring, Md., to accommodate its growth. TSC Advantage plans to be in its new 6,000 square foot facility on Wayne Avenue for at least the next five years.
The new headquarters will further support the projected expansion of TSC Advantage’s business, including its support to global insurance underwriting markets and its traditional consulting business, while retaining proximity to the U.S. capital region, convenient transportation hubs, and a deep talent pool, and now placing the company directly within Maryland’s cybersecurity epicenter.
“We evaluated numerous locations within the metropolitan Washington, D.C., area in our search for a new corporate headquarters and ultimately Silver Spring and Montgomery County were too attractive to resist,” said Sean Doherty, president of TSC Advantage. “As a growing business, the various incentives and exciting partnership opportunities with initiatives, such as Cyber Maryland, will be beneficial to our continued success and reaffirms the commitment of state and local leaders in Maryland in attracting firms such as ours.”
In the past four years, TSC Advantage has added an average of six to eight new employees per year and has expanded its range of products and services. In late 2014, TSC Advantage received the U.S. Department of Homeland Security’s SAFETY Act Developmental Testing and Evaluation designation for its Threat Vector Manager™ cyberrisk assessment solution. In early 2015, the company launched Secure Halo™, software used to collect and calculate risk scoring and domain maturity as well as a portal by which customers and insurance underwriters alike can access their security assessments in a secure and personalized platform.
TSC Advantage is experiencing rapid growth, due in part to the company’s 2013 partnership with more than 15 Lloyd’s of London insurance underwriters and brokers to conduct holistic cyberrisk assessments for insurance products sold to operators of U.S. critical infrastructure and other markets, including private equity, healthcare, retail and maritime. With results obtained from TSC Advantage’s holistic cyberrisk assessment, insurance markets are able to underwrite cyber risk and calculate annual premiums for cyberinsurance policies covering liability expenses in the hundreds of millions of dollars.
The move is expected to be completed by July 2015.
TSC Advantage Hosts 2nd Annual ThreatLAB Conference
Anatomy of Resilience™ Theme Will Feature Expertise on Cyber Threats from FBI Counterintelligence Executive
WASHINGTON, May 12, 2015 — TSC Advantage, an enterprise cyberrisk consultancy specializing in the proactive and holistic defense of intellectual assets, trade secrets and other sensitive information, today announced ThreatLAB® 2015, an exclusive thought leadership event taking place May 20-21 in Las Vegas that will educate senior private and public sector security professionals about the multitude of complex threats facing U.S. enterprises. The interactive theme Anatomy of Resilience™ encompasses ways to defend intellectual assets and trade secrets in an age of panoramic cyber threats. Attendees will have the opportunity to dissect recent cyberattacks and data breaches through panels, speaker sessions and interactive labs, as well as the opportunity to participate in collaborative scenarios addressing cybersecurity challenges from a holistic perspective.
ThreatLAB® 2015 will feature a keynote address from John Lenkart, chief of staff and special assistant to the assistant director of the FBI’s Counterintelligence Division. Throughout his career as a special agent and supervisory special agent, Lenkart has led and managed countless counterintelligence and economic espionage investigations aimed at defeating foreign-sponsored adversaries operating in the United States, including state-sponsored efforts to acquire, steal or transfer a broad range of trade secrets in which the United States maintains a definitive innovation advantage. As the keynote speaker, Lenkart will present his expertise on the growing threat to corporations from state sponsors, insider threats and what companies should be doing to protect themselves in an age of sophisticated cyberattacks.
“It is no longer a secret that data breaches and successful cyberattacks of U.S. companies are being perpetuated through a combination of technical and non-technical precursors,” said Sean Doherty, president of TSC Advantage. “Despite a myriad of ways in which cyber threats enter organizations, the market continues to emphasize technology deployments as a panacea for effective enterprise risk management. That is a dangerous and incomplete strategy,” he said.
ThreatLAB® 2015 is the continuation of efforts to educate organizations across all verticals to discuss the Anatomy of Resilience™ and how it must start with recognizing their panoramic threat landscape. In addition to traditional IT security approaches, effective strategies must also include an understanding of behavioral indicators exhibited by insiders as well as threats posed by external business relationships, adopting mature security practices, and recovering quickly through sound business continuity plans if an attack or breach does occur.
TSC Advantage Earns Homeland Security SAFETY Act Designation
Credential provides additional validation of TSC Advantage’s holistic approach to cyber risk assessment
Washington, D.C. – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of trade secrets, intellectual assets and other sensitive information, today announced it has earned the U.S. Department of Homeland Security’s SAFETY Act Developmental Testing and Evaluation (DT&E) designation for its patented Threat Vector Manager™ (TVM) cyber risk assessment process.
The SAFETY Act is a federal law passed by the U.S. Congress to facilitate and promote the development and deployment of anti-terrorism technologies that can deter, defend against, identify, respond or mitigate an act of terrorism and save lives. The SAFETY Act designation qualifies Threat Vector Manager™ as an anti-terrorism technology and provides liability protection for both TSC Advantage and its customers in the event of a covered act of terrorism. To earn this designation, TSC Advantage underwent a rigorous due diligence and selection process, which included the Department of Homeland Security interviewing the company’s current and former customers.
“One of the biggest concerns any business can encounter in the marketplace is the exposure potential to excessive liability,” said Sean Doherty, president of TSC Advantage. “With this designation, we are pleased to be able to extend the benefits of liability indemnity from covered acts of terrorism to customers who undergo our unique cyber security assessment.”
TSC Advantage’s Threat Vector Manager and its associated Enterprise Security Assessment enhance cyber risk assessment and improve holistic security maturity in commercial organizations, including the Fortune 1000, U.S. critical infrastructure and the public sector. Tied to international and national standards and fused with subject matter expertise, TVM™ assesses six top-level domains that include the roles of insider threat, external business dependencies and physical security in order to identify trends, patterns and areas of enterprise risk across technical, human and procedural categories.
In 2014, TSC Advantage partnered with more than a dozen insurance underwriters operating on the Lloyd’s of London exchange and worldwide insurance brokers to conduct cyber security assessments for cyberinsurance policies sold to public utility and critical infrastructure sectors. Using TVM’s Enterprise Security Assessment, global underwriters are provided an in-depth and posture-based assessment of a pre-insured’s holistic risk profile that is used by underwriters to determine insurability and calculate insurance premium levels.
“SAFETY Act designation is a critical differentiator for pre-binding cyber risk assessment because it demonstrates the extent to which the methodology and process has been validated,” said Tom Quy, a leading cyber insurance broker with Miller Insurance LLP of London. “Using TSC Advantage’s vetted approach, customers may not only receive holistic cyber risk assessment and insurance tailored to their threat profiles, but through SAFETY Act designation, an additional layer of protection for customers from third-party claims should a covered act of terrorism occur,” he said.
TSC Advantage Enhances Holistic Cyber Assessment to Improve Enterprise Security
Posture-based methodology transforms risk assessment for cyberinsurance, commercial enterprises and public sector
Washington, D.C. – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of intellectual assets, trade secrets and other sensitive information, today announced that its patented Threat Vector Manager™ (TVM) technology is enhancing cyberrisk assessment and improving holistic security maturity for commercial organizations, critical infrastructure and the public sector. In addition, through its partnership with leading global insurance underwriters and brokers, TSC Advantage is transforming pre-binding risk assessment, which supports cyberinsurance policies for the critical infrastructure market and for those focusing on cyberterrorism.
Improving enterprise security posture through holistic assessment
As all organizations struggle to defend against cyberattacks, TSC Advantage is informing an intelligence-based process that aligns resources against an entity’s highest priority threats. TVM™, through its associated Enterprise Security Assessment (ESA) component, identifies trends, patterns and areas of elevated risk within enterprise environments and offers customers a comprehensive and holistic measurement of security controls across the following six top-level domains:
Insider threat – Examines technical and non-technical precursors of risk from high-risk actors, events and behaviors from human beings throughout an enterprise ecosystem
Physical security – Focuses on the potential for physical intrusion and unauthorized access to priority locations where sensitive information is stored and accessed
Mobility – Explores vulnerability of data during foreign travel and from mobile devices
Data security – Examines risks stemming from the use and defense of enterprise IT resources
Internal business operations – Measures the effectiveness of initiatives that manage internal administrative vulnerabilities and critical assets resulting from personnel, organizational or business processes
External business operations – Examines an organization’s security strategy, policies and procedures, and threat universe resulting from external engagements
“With an increasing number of sophisticated cyberattacks arising from external dependencies, such as from third party vendors and trusted insiders, an effective security assessment cannot ignore human behavior in defense of cybersecurity, nor the financial or business constraints affecting security investments,” said Sean Doherty, president of TSC Advantage. “The holistic approach in our ESA provides evidence-based and objective assessments of internal and external forces affecting a client’s security posture, and is not limited in scope by only focusing on a singular area, such as traditional endpoint concepts and other IT-centric solutions,” Doherty said.
Transforming pre-binding risk assessment
TSC Advantage has partnered with more than a dozen insurance underwriters operating on the Lloyd’s of London exchange and worldwide insurance brokers to offer a new cyberinsurance product designed to address cyberliability exposures that arise within the utility and critical infrastructure sectors. Using TSC Advantage’s ESA risk assessment tool, insurance underwriters are afforded in-depth understanding of a pre-insured company’s holistic risk profile that considers the evolving sophistication of cyber threats and complexity of potential attack vectors.
“With the financial impact of cyber risk increasing every day, the cost of inaction leaves all organizations exposed to huge liabilities,” said Tom Quy, a leading cyberinsurance broker with Miller Insurance Services LLP of London. “By working with TSC Advantage, we are pioneering a vastly improved methodology for cyberinsurance underwriting, which rewards mature cyber security postures and allows our customers the ability to receive insurance with the broadest coverage, fewest exclusions, and tailored to their individual threat profiles.”
TSC Advantage Hosts ThreatLAB 2014 to Promote Better Understanding of the Complex Threats Facing U.S. Innovation
Private and public sector security professionals will learn how to better defend intellectual assets and trade secrets in age of diversified threats
Washington, D.C. – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of intellectual assets, trade secrets and other sensitive information, today announced ThreatLAB™ 2014, an exclusive thought leadership event taking place May 14-15 in Las Vegas that is designed to educate private and public sector security professionals about the multitude of complex threats facing U.S. intellectual assets. Through interactive learning modules derived from case studies involving sophisticated threats to corporate secrets, attendees will learn the skills to identify enterprise risk using holistic intelligence and analysis techniques.
ThreatLAB 2014 will feature a keynote address from John Powell, former vice president and general counsel for American Superconductor Corporation (AMSC). Powell will present a case study about an insider threat AMSC faced in 2011 that resulted in extraordinary value degradation for AMSC and the loss of hundreds of millions of dollars in revenue. Through lessons learned from the incident, the keynote will reinforce TSC Advantage’s message that corporate investments in security solutions should not be limited to specific technical controls focusing on data security. Rather, effective protection must also incorporate the understanding that corporate threats are diverse and that an integrated approach is the only way to successfully identify trends, patterns and areas of elevated risk across multiple enterprise domains, particularly from trusted insiders and external business dependencies.
“It has been estimated that intellectual asset theft costs American businesses between $300 and $500 billion a year, yet we continue to see the standard corporate response be limited to advanced malware detection programs or legacy endpoint protection,” said Sean Doherty, president of TSC Advantage. “While those are important, they offer limited defense and are just a piece of an overall puzzle. The purpose of ThreatLAB 2014 is to educate the market that threats are as diversified as they are complex – and they require a holistic approach in order to truly understand and remediate them.”
To learn more about ThreatLAB 2014 or to request an invitation, please visit http://threatlab2014.com/.
TSC Advantage Announces Key Partnership with Global Insurance Market Led by Lloyd’s of London
Lloyd’s of London Insurance Product to Integrate TSC Advantage’s Holistic Risk Assessment Methodology with New Cyber Security Policy for U.S. Energy Industry
Washington, D.C.-based Tailored Solutions & Consulting Inc. (TSC Advantage), an innovator in enterprise security intelligence specializing in intellectual asset and trade secret protection, today announced the integration of its patented Threat Vector Manager™ (TVM) platform with a new cyber insurance policy for U.S. critical assets led by Lloyd’s of London.
“As discussed in Executive Order 13636, the cyber threat to U.S. critical infrastructure represents a growing and persistent challenge to the national and economic security of the United States,” said Sean Doherty, President of TSC Advantage. “As a first of its kind, we are excited to pioneer incentives for private industry’s partnership with public sector cyber security initiatives. Our platform provides insurance underwriters a means to reliably and accurately determine the cyber risk class of U.S. critical assets using our objective, standards-based methodology for assessing holistic enterprise security.”
TSC Advantage’s platform will assist London and international underwriters in optimizing their pre-binding process through incorporation of TVM’s™ Enterprise Security Assessment component. TSC Advantage’s methodology is trusted to deliver objective, baseline measurement of holistic vulnerabilities across six domains while examining both internal and external threat vectors. With TVM™, underwriters will be afforded contextual awareness of the potential insured’s security posture — not a mere audit — as well as a clear understanding of strengths, weaknesses, and associated risks of loss.
“In an age of growing and sophisticated cyber attacks as well as threats emanating from insiders, it is essential all organizations ensure a proactive and holistic approach to their security,” Doherty said. “Rather than spending money on theory, companies will be receiving objective, real-world risk assessment that will enable them to obtain appropriate insurance for their particular risks, thereby reducing the cost of implementing Executive Order 13636 and PPD-21,” he said.
TSC Advantage Addresses Trade Secret Theft at Intellectual Property Owners Association Annual Meeting
TSC Advantage Director of Security Intelligence Reminds Audience of the Dangers Posed by Insider Threats
Washington, D.C. – Tailored Solutions & Consulting (TSC Advantage), an innovator in enterprise security intelligence specializing in intellectual asset and trade secret protection, has announced that TSC Advantage’s Director of Security Intelligence addressed an audience of legal experts, business leaders, and other stakeholders at the Intellectual Property Owners Association annual meeting in downtown Boston, MA on 17 September 2013.
During the keynote panel presentation with in-house counsel and experienced practitioners from Ford Global Technologies LLC and the U.S. Department of Justice’s Computer Crime and Intellectual Property Section, TSC Advantage’s director offered the audience practical advice for preventing and addressing trade secret theft in an age of growing and targeted threats to corporate value.
“The decision of whether to protect innovation via patent, trade secret or otherwise is almost entirely separate from that of effective security. An adversary doesn’t care about what legal category their desired target information falls under, only if they can get access to it,” said Mark Lopes, TSC Advantage’s Director of Security Intelligence.
“Paranoia is part of good business practice as long as it does not impede efficiency or disrupt innovative culture,” he continued. “You should always assume somebody wants your company’s most sensitive information simply because of the current or potential future economic value it represents. To assume everyone will respect ownership rights is not only naïve, it could also mean corporate suicide.”
Distinguishing between TSC Advantage and other security firms who only apply cyber-centric or software solutions to enterprise security challenges, Lopes reminded the audience that most threats actually originate from human beings within organizations and not from external and distant hackers.
“We continue to see a vast amount of security resources being poured into purely IT and cyber solutions while the vast majority of data shows that most intellectual property and trade secrets are compromised via insider threats,” he said. “While investment in IT and cyber is important and can help prevent the remote theft of corporate secrets, it does very little to deter, detect and prevent the more prevalent source of theft: someone within your own corporate ecosystem. This is what we focus on at TSC Advantage.”
Statement by TSC Advantage on FBI’s iGuardian Platform for Cyber Threat Reporting
TSC Advantage Expert: Platform Complementary to Executive Order 13636; Highlights U.S. Government’s Commitment to Value-based Cyber Programs for Private Sector
Washington, D.C. – While U.S. Executive Order 13636 represents a new policy emphasis on public and private sector coordination on cyber threats, the FBI’s recent launch of iGuardian is a complementary initiative dedicated to the mutual benefit of government and industry. It is a mechanism designed to expedite and augment the cyber security dialogue between private industry and the FBI. It also extends to private industry actors that are not officially designated as critical infrastructure, which is the primary scope of E.O. 13636. More importantly, however, it demonstrates the FBI’s commitment to establishing cyber programs that create value for participating US businesses.
While not a replacement for corporate security investments, iGuardian is intended to transform cyber partnerships so that they enable proactive and preventative postures. For example, it is intended to facilitate assessments of sophisticated cyber adversaries within and across sectors, aimed at exposing shared as well as unique cyber threats and vulnerabilities. Rather than evaluating cyber threat data from an exclusively enterprise-centric view, this portal will support the FBI’s generation of crosscutting examinations that result in improved cyber awareness and ultimately the dissemination of actionable information to private industry. In short, it enables industry to benefit from the skills and expertise of US Government cyber technologists while still maintaining and tailoring enterprise cyber investments.
Collaboration between the public and private sectors is requisite to the defense of US economic ingenuity. Neither sector in isolation has at its disposal the depth and breadth of skills, resources and information required to stem the tide of cyber attacks. In the cyber realm, national security concerns and economic interests are interleaved, as is the public and private sectors’ shared interest in the defense of the American cyber posture.
“Participation in programs such as iGuardian will enable industry trailblazers to shape the scope and outcome of this nascent mechanism for dialogue with the US government – assuring it meets the bottom line needs of the US commercial sector and the Executive Branch,” says Natalie Lehr, TSC Advantage’s co-founder and Director of Analytics. “It is a critical step in exposing the barriers and tackling the uncertainties surrounding cyber risk and federal dialogue with private industry,” she said.
TSC Advantage Continues Thought Leadership on Intellectual Asset Protection
TSC Advantage Director of Security Intelligence Speaks to Business Leaders in Boston on Corporate Espionage and BYOD
Washington, D.C. – Tailored Solutions & Consulting (TSC Advantage), an innovator in enterprise security intelligence specializing in intellectual asset and trade secret protection, has announced that TSC Advantage’s Director of Security Intelligence addressed an audience of business leaders and security experts at the Licensing Executive Society Conference in Boston, MA on June 18th.
During a panel presentation on the topic of protecting sensitive data such as intellectual assets and trade secrets, TSC Advantage’s director offered a suggestion as to how U.S. companies should understand the growing phenomenon of corporate espionage directed against them.
“Instead of looking at this issue from a moral standpoint, it is better to understand why this issue is occurring from an economic perspective,” said Mark Lopes, TSC Advantage’s Director of Security Intelligence. “Why would a competitor choose the longer, harder, and more expensive path to value creation when they could simply steal it from you with the click of a mouse or through a well-placed insider?”
In response to a question posed on effective BYOD policy development, Lopes highlighted the growing challenges companies face while trying to maintain the right balance between information security and employee productivity, a balance made harder by the ubiquity of mobile devices. “At TSC Advantage, we tell our clients that access control is the key to preserving intellectual property as it pertains to BYOD,” he said. “From this standpoint, we believe that access to information on devices such as personal tablets and phones must be limited to information that a company would feel comfortable losing in the event of a security incident.”
Consumer Demand Drives Need for Secure Mobile
Business communications and transactions are increasingly moving off the security of legacy networks as organizations demand the agility of mobile. Meeting threats in the mobile arena will become a top challenge in transforming business and the critical functions of society.
How can organizations embrace the mobile future while also reducing the risk of cyber breaches? The question will be explored at threatLAB 2016 – Cyber Risk 360°, Feb 1-3, by Robin von Post, CTO of Sectra Communications. threatLAB asked von Post for a preview.
threatLAB: What’s your prediction for the continued adoption of secure mobile technology?
Robin von Post: The drive to introduce mobile technology in business and process environments comes from extreme progress in technology with respect to stability, availability, performance and reduced cost for mobile communication solutions. It is mainly the consumer market that pushed this, and that will also drive the end users’ requirements on what information can and will be available to whom and when in their respective professional environments.
At the same time, organizations see a way of improving their operations by letting information flow more fluidly between domains. The cost-cutting effects and possibilities to scale up operations with the same staff are of course tempting. But the threat towards exposed connected devices (Internet of Things) and communications will increase. The adversaries see their business models evolving in line with the increased attack surfaces and opportunities to turn information into money (such as mobile ransomware).
Balanced protection of communication is needed, which for instance could be a mobile VPN solution or the application designed with end-to-end protection out of the box.
threatLAB: What do organizations need to know about how to make this transition smoothly?
von Post: In order to embrace change, organizations need to understand their current picture. Developing a map of where assets in systems are created, handled and communicated will help managers understand where the move to mobile will introduce new attack surfaces. Plus, it gives a helpful starting point for how to design a good security net around the assets in the new architecture. Usually a roadmap for segmentation, early detection and a defense-in-depth will catch adversaries before they can actually create disruptions or ransom situations to the critical parts of your operations.
threatLAB: The European Union has the most stringent data privacy regulation anywhere. What should companies in the United States know about the rules around data privacy and data sovereignty?
von Post: In the European Union (EU), business models relying on personal data gathering do not work the same as in the United States. The essential difference is that in the EU, interpretation of agreement law views company-person asymmetry strongly in favor of private individuals much more than in the US, meaning that acceptance of user conditions is void.
It is possible to make business models based on data gathering in the EU but you need to address the gathering of information with the data as a group not by the individual.
threatLAB: What lessons can industry draw from your experience working with government and defense organizations?
von Post: These organizations have worked with a defined threat model for many, many years and not only with respect to communications. So they understand the need to design security solutions as a part of the overall system that holds the information needing protection. It could be extremely costly or almost impossible to add security “after the fact.” And my main advice would be to work closely with strategic security partners to help when defining, building or procuring IT solutions for business transformation.
Learn more about threatLAB 2016, Cyber Risk 360° to accelerate your cybersecurity strategy and hear from a cross-section of cyber experts. Feb. 1-3 at the Streamsong Golf Resort & Spa in central Florida.
Losses Fuel Interest in Cyber Insurance
Cyber incidents are the most important long-term risk for companies in the next 10 years, according to the Allianz Risk Barometer, which surveyed over 800 risk managers and insurance experts in more than 40 countries. With hundreds of millions already paid out to cover cyber losses in the United States alone, businesses are seeking greater insurance coverage. The forecast for cyber insurance is a topic that will be explored at the TSC Advantage threatLAB 2016 – Cyber Risk 360° conference, Feb 1-3, by Mary Guzman, Senior Vice President, Director of E&O and Cyber Sales and Strategy at McGriff, Seibels & Williams. threatLAB asked Guzman for a preview.
threatLAB: How would you characterize the change in demand for cyber insurance?
Mary Guzman: I would say that over the last three years the demand for cyber insurance in general across all industries has probably doubled or even more. The interest is at an all-time high. Every client that we have, no matter the industry they’re in, is trying to educate themselves and understand whether they need cyber insurance and what their risks and exposures are. Healthcare, financial, technology services, and retailers have been earlier adopters but even they are assessing their limits and potentially buying more as they gain insight into how much one of these losses could really cost them.
Their boards are demanding they carry more insurance if they’re public companies. The boards are saying, “What are we doing about this? We’re being held personally accountable for making sure we understand our risk mitigation strategies around information security. One of those has to be insurance.” And they’re saying that to the risk manager now or the general counsel.
We’re also seeing a lot more interest among critical infrastructure companies, including the full spectrum of energy – oil and gas, pipelines, and utilities – because they understand their SCADA and other industrial control systems are vulnerable to attack.
threatLAB: What trends do you see in what is being offered in cyber insurance?
Guzman: The policies have become broader, specifically addressing the needs clients have around the disclosure of confidential personally identifiable information (PII) and personal health information (PHI). The underwriters understand the risks when they write this exposure now and they’ve dramatically increased their rates and adjusted their rating models to compensate for the fact that there will be significant payouts either from card brand demands or regulatory requirements to respond to a breach. As a result, the coverage is still there, but it has become more expensive and you have to know the ins and outs of the policy language to make sure that it’s going to address all of the unique exposures that arise out of those contractual and regulatory obligations that clients have, as opposed to most insurance policies, which are designed to respond to general legal liability or negligence claims.
I would also say that until two or three years ago, there wasn’t coverage available to critical infrastructure, specifically to power companies for failure to supply, and now you can get failure to supply coverage, which has brought a lot more clients to the table.
threatLAB: What do companies need to know about cyber risk policies?
Guzman: We still see a lot of policy forms that have sub-limits in them, especially around all the breach notification expenses that are incurred. When you have an information security breach that involves PII or PHI, a lot of those policies have limitations on how much the client can spend for forensics, notification or credit monitoring. So you want to make sure you don’t have sub-limits or that you understand exactly how they’re going to work.
The second thing is that I don’t think people have a great understanding of how their policies will cover their contingent risks from use of vendors or third-party service providers, which is a huge exposure in the cyber world. On the first party side you have coverage for your own business interruption loss, and on the third party side for liability claims. It can cause significant problems for clients if they don’t understand how their policy will respond if the loss doesn’t happen directly to them. It happens regularly where a business will have a loss and expect it to be covered and it’s not covered because it happened to a third party service provider. For example, the third party provides web hosting or security services or another service relied upon to keep systems up and running. It’s a major exposure and it’s actually hard to insure.
threatLAB: What kind of information should companies expect to provide to insurers?
Guzman: That’s definitely changed over the last 18 to 24 months, especially for retailers and large merchants. It used to be that you could fill out the form and check the box that said that you were PCI compliant, for example, and you could get $200M in cyber insurance. Now, the underwriters have a full questionnaire just around PCI, POS applications and assessments. And they’re wanting to take a deep dive on point to point or end to end encryption, and whether or not you’ve followed the requirements by the card brands to move from the stripe to chip and pin. So it’s a lot more involved than it used to be and may require a separate questionnaire or a conference call with the CIO or CISO.
Or, if it’s really significant or challenging risk, some of the underwriters require at least a separate conference call no matter what limit the client buys or how broad the policy is. Others will require it only for critical infrastructure clients. The markets are spending a lot more time asking questions and focusing on security assessments and whether or not you follow recommended guidelines. The riskiest industries may require a formal on-site assessment.
threatLAB: What connection have you seen between the purchase of cyber insurance and organizational security posture?
Guzman: There definitely is a connection. From year to year, when you go to renew the policy, insurers want to see consistent improvements to information security. Some of the recent articles and statistics point to the fact that if you have better security and a better business continuity and disaster recovery plan, you will do far better in the event of a breach. Many assessments focus on preventing the hacker from getting in, whereas I think the underwriters are coming to realize that hackers will get in, and that if you don’t have a developed and tested business continuity and disaster recovery plan, things will not go well. The cost to respond to the breach, the public fallout, changes in share price will all be reflective of how ready you are as a company. So insurers are a lot more focused on business continuity and disaster recovery planning than they have been before.
threatLAB: Have you seen companies benefit from the experience of going through assessments?
Guzman: Some of our energy clients who have been through the TSC Tier 3, including one of the largest utilities in the country, developed their whole 2015 information security plan based on what they learned in their 2014 TSC assessment. They put their focus on improving their security maturity in the identified areas and it really paid off for them. They got kudos from their board of directors, they had a very actionable plan that could help them justify their information security spend in their budget and hiring the resources they wanted. And they also got a reduction on this year’s renewal for their information security insurance program.
Learn more about threatLAB 2016, Cyber Risk 360°.
POWER GRID HACK SIGNALS MOUNTING THREAT
Reports of a late December cyber attack that caused a widespread power outage in Ukraine signal an escalation in the use of malware to disrupt critical infrastructure, and emphasize the need for a full-spectrum approach to security.
Ukrainian government officials attributed the December 23 power outage, which affected about 700,000 homes for several hours, to a remote access attack on the industrial control systems of energy companies. If the blackout is confirmed to be the work of hackers, it will be the first documented case of a cyber attack that led to a loss of power, and an escalation in the use of malware designed to disrupt operations by deleting files to make systems unbootable.
BlackEnergy Malware Identified
Malicious software known as BlackEnergy was found on the networks of the targeted Ukrainian power company Prykarpattyaoblenergo – the same malware used in a campaign that targeted U.S. power facilities in 2014. The Department of Homeland Security (DHS) has twice issued warnings about BlackEnergy malware, urging power companies to “isolate industrial control systems from the Internet using reliable defensive measures and sound authentication requirements,” stating, “If you’re connected, you’re likely infected!”
Disruption Attack Highlights Need for Security Planning
While the 2014 U.S. attacks appeared to be for the purpose of espionage, the Ukrainian attack was intended to sabotage or disrupt electricity providers. This highlights the need for a Continuity of Operations Plan, according to Natalie Lehr, vice president of analytics for TSC Advantage. “How do you sustain your operations while in a reduced state? The speed of your response is dependent upon your ability to quickly effect a plan that involves the whole organization working together, and which also includes third party dependencies. Having that plan already in place provides clarity of vision.”
It’s significant that when Trojan malware deletes files, rendering systems inoperable, backup tapes are essential to “roll back and restore integrity to systems in order to recover faster,” adds Lehr.
Also notable about the BlackEnergy attacks is their method of delivery – through spear-phishing emails that contain an attachment with an infected document. While the attack approach is relatively simple, no operation of this type is conducted on a whim, says Mark Lopes, TSC Advantage Director of Security Intelligence. He notes that countless hours of planning, targeting, and searching for and finding weaknesses over time are involved. “A piece of technology purchased in 2015 is worthless against a potential adversary who has been planning for years to conduct an attack on an unknown date. They target weaknesses they are confident will exist regardless of technological changes between the targeting phase and the execution phase.”
Proactive Posture is Best Defense
What can asset owners take away from the 2014 and 2015 intrusions? That an enterprise-wide approach to cybersecurity will provide the best defense against an adversary that is constantly evolving its methods and is patiently probing for vulnerabilities, preparing for the moment to execute when the order is given. Consider the following:
- While deploying technical sensors to detect and respond to advanced persistent threats is good practice, it is not a panacea since threats change and the people implementing policy are fallible.
- Cybersecurity Insurance provides a backup to IT tools, systems and processes. While it can help offset liability and speed a company’s return to business, when approached as an offensive measure, insurance can be a significant part of a proactive risk management strategy.
- Security assessment as part of the underwriting process identifies vulnerabilities, both within an organization, and among third parties, such as vendors and partners. An assessment also informs the strategic planning process that enables companies to respond to and shorten an attack window.
- Boards of directors, the government, and the public increasingly demand that companies demonstrate mature security practices – and the resiliency that results from them. A comprehensive security assessment report captures security maturity and provides actionable recommendations to mitigate deficiencies – in essence, a roadmap for improved security.
U.S. companies can’t possibly expect to enact security protocols that will compete with sophisticated and constantly evolving adversaries. This is a lesson already learned by major retailers, health insurers and the financial sector. However, insurance combined with a comprehensive risk assessment provides the power of proactive risk mitigation.
4 MUST-KEEP CYBER RESOLUTIONS FOR BUSINESS
The New Year is almost here and you know what that means – a brand new set of cyber-related security challenges. Thankfully, there are ways to navigate the ominous waters of a dynamic threat environment so that you and your company can hold on to as much as possible of that most precious of data sets: Trade Secrets, Intellectual Property, and Customer Privacy Information.
We asked some TSC Advantage experts for the New Year’s resolutions they recommend to help companies develop a mature security enterprise and face down the risks of 2016.
Armond Caglar, Senior Threat Specialist
Address Third Party Threats: You have already heard about Target and countless other examples of companies that have suffered extraordinary loss as a result of cyber exposure originating from their vendors, suppliers, and other business dependencies. These kinds of third-party threats, steadily on the rise within the last couple of years, will continue to be overlooked in 2016. This is due to a continued lack of awareness and vigilance about the security practices of third-party partners.
In 2016, if you find yourself in the market for a cloud service provider (CSP), and before signing any Service Level Agreement, remember to ask these vendors (and others) important questions about their security practices and what they will be doing in order to keep your precious data secure.
Specifically, you should inquire about their technical controls on three levels:
- Application layer controls, which address whether apps are well written;
- Data layer controls, where the last line of defense is often encryption;
- Access controls and the client user-base, which addresses concerns regarding privileged use and access control strength/consistency.
Remember, when it involves your company’s precious data, don’t take anything for granted and if you are not comfortable with a vendor’s cyber security culture or their implementation of industry best practices, exercise the power of the purse and find a mature vendor that takes this seriously.
Brendan Fitzpatrick, Enterprise Security Assessment Team Lead and Threat Analyst
Implement Effective Cyber Security Training: Increasing the effectiveness of your cyber security training is one of the biggest bangs for the security buck. What does effective cyber security training look like? In our capacity as enterprise security assessors, we have seen a number of training programs with vastly different capabilities. Within those organizations that demonstrate strong cyber security resilience, we have noted a few key factors that contribute to effective training programs:
- Whether it is an interactive computer-based delivery or a classroom setting, training that engages a student increases the comprehension and retention of the material versus passive, slide-based presentations.
- Organizations that deliver cyber security training throughout the year, instead of in one large training session, create training that is easier to digest, is responsive to the changing threat landscape, and that constantly reinforces the organization’s cyber security culture.
- Effective organizations establish key training metrics to identify gaps and improve the quality of their training materials.
- Mature cyber security training is specific to the organization and to the individual business or functional units, addressing the unique and specific threats that each of these units faces.
An effective training program demonstrates to each employee the organization’s commitment to cyber security and enlists their help as a key component of that security. While not as easy as “fire and forget” slide show training, mature organizations find the extra effort pays large dividends.
Gabriel Whalen, TSC Insider Threat Senior Official, Behavioral Analyst
Recognize Insider Threat Vectors Are Not “Cyber”: While cybersecurity solutions tend to focus on computing – it’s a problem for the computer guys – Insider Threat is a human vector. Information technology certainly has a part to play, but is not the sole or star player. Some points to consider for your Insider Threat program:
- Non-spectacular. Humans tend to over-emphasize and prepare for the spectacular attack, but the non-spectacular is far more likely. In other words, it’s more likely someone will leak details of a planned merger than carry out a “sophisticated cyber attack.”
- Human Resources. They are your first responder and detector. Enable and empower your HR department to not only detect, but also mitigate employee issues, which lowers the risk of inadvertent and malicious insider threat.
- Training: Humans are horrible at “if-then” tests, especially when it doesn’t affect them directly (e.g. protecting company intellectual property to keep America “safe”). Training does need to alert the employee to trigger behaviors or situations, but it must address immediate employee needs to be effective (e.g. if the company loses this contract, you won’t get a paycheck).
- Public Relations: I predict that in 2016, industry will see a greater number of ideology-driven attacks from “cyber vigilantes.” Perhaps more now than at any time in history, company actions and relationships are open to public discovery. We are entering a new age of checks and balances. Companies that are insensitive to the public whim may expose themselves to more hacks and more inspired insider events.
Remember, humans precipitate Insider Threat events, not machines. Likewise, human behavior needs to be the focus of screening, training, and prevention.
Craig Guiliano, Director, Threat Analytics
Don’t overlook the obvious: Surprisingly enough, too many enterprises fail to implement even the most basic security protocols. As we welcome 2016, consider finally enforcing these simple, but often overlooked, best practices:
- Password Length and Complexity – Passwords should be at least eight characters and contain upper and lowercase with at least one number and one special character. Please do not write it down. Consider that a very strong password should be at least 128 bits.
- Multi-Factor Authentication – This simply adds another layer (or multiple layers) of authentication, in addition to your password. Think of it this way: what we know, what we have, and what we are, thus multiple ways to determine we are who we say we are when using our protected sites.
- Use of a virtual private network (VPN) – Companies should require their employees to connect securely via VPNs to access files, applications, printers, and other resources on the office network without compromising security.
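As an added illustration (not code from the original post or from TSC Advantage), the following Python checks a password against the eight-character, four-class rule above and estimates the most entropy a password of that shape can carry, which shows how far the rule falls short of the 128-bit target; the 7776-entry wordlist size used for the passphrase comparison is an assumption.

```python
"""Password policy check and entropy upper bound (added worked example)."""
import math
import string

# Character classes and their sizes over printable ASCII (26 + 26 + 10 + 33 = 95).
# Specials include the space character so the four classes sum to 95.
CLASS_SIZES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "special": (string.punctuation + " ", 33),
}
MIN_LENGTH = 8       # the eight-character rule from the post
STRONG_BITS = 128    # the "very strong" target from the post


def classes_present(password):
    """Return the set of character classes that appear in the password."""
    return {name for name, (chars, _) in CLASS_SIZES.items()
            if any(c in chars for c in password)}


def meets_complexity_rule(password):
    """True if the password is 8+ characters and uses all four classes."""
    return (len(password) >= MIN_LENGTH
            and classes_present(password) == set(CLASS_SIZES))


def alphabet_size(password):
    """Size of the smallest class-union alphabet the password could be drawn from."""
    return sum(CLASS_SIZES[name][1] for name in classes_present(password))


def entropy_bits(length, alphabet):
    """Upper bound on entropy: length * log2(alphabet).

    This is only reached when every symbol is chosen uniformly at random;
    a human-chosen password that merely satisfies the rule carries far less.
    """
    if length <= 0 or alphabet <= 1:
        return 0.0
    return length * math.log2(alphabet)


def min_length_for_bits(bits, alphabet):
    """Shortest uniformly random string over `alphabet` symbols with `bits` entropy.

    Works for characters (alphabet 26, 62, 95) and for words drawn from a
    wordlist (e.g. an assumed 7776-entry diceware-style list).
    """
    return math.ceil(bits / math.log2(alphabet))


def assess(password):
    """Summarise how a password fares against both rules on the page."""
    alpha = alphabet_size(password)
    bits = entropy_bits(len(password), alpha)
    return {
        "length": len(password),
        "classes": sorted(classes_present(password)),
        "meets_complexity_rule": meets_complexity_rule(password),
        "max_entropy_bits": round(bits, 1),
        "reaches_128_bits": bits >= STRONG_BITS,
    }


if __name__ == "__main__":
    # Constructed sample passwords (not real credentials).
    for pw in ["password", "Tr0ub4d0r&3", "7Vq#kL2p!wZ9$mX4nR1bQ@"]:
        print(pw, assess(pw))
    # Length a uniformly random password needs to reach 128 bits.
    for alpha in (26, 62, 95):
        print(f"alphabet {alpha}: {min_length_for_bits(STRONG_BITS, alpha)} chars")
    print(f"7776-word list: {min_length_for_bits(STRONG_BITS, 7776)} words")
```

An eleven-character password that satisfies the rule tops out near 72 bits, so the 128-bit target needs roughly 20 random printable characters or 10 random words from a 7776-word list.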
The year ahead will undoubtedly bring a continued barrage of cybersecurity challenges, but organizations that stick to their cyber resolutions will be stronger and more resilient in 2016.
What ESA Trends Show About Cyber Resilience
2015’s devastating cyber attacks on Sony, the Office of Personnel Management and the Ashley Madison site are just the latest evidence of why it’s so important to remain vigilant against cyber threats. Awareness of the need to put protections in place grows with every major breach. What takes longer is an understanding of what should be protected, how, and by whom.
Are organizations moving beyond the IT department and software solutions to achieve a higher level of cyber maturity? It’s a topic that will be explored at threatLAB 2016, Feb 1-3, by Jason Tugman, Enterprise Security Assessment Program Manager at TSC Advantage. threatLAB asked Tugman for a preview.
threatLAB: What is your presentation “Trending Vulnerability and Resilience Data – Findings from the Field” about?
Jason Tugman: One of the things I’m most excited about with threatLAB 2016 will be our signature Trends from the Field talk. This year will be threatLAB’s third iteration and I think it will be really exciting to dig into the enormous amounts of data we’ve been able to collect over the course of the last two years performing holistic cyber assessment on customers within the U.S. critical infrastructure segment and Fortune 1000. This is especially true because now we can start to trend that data year over year, as well as share with our attendees what our data is telling us. For example, in 2014, cyber breaches in the news began to really capture the attention of the c-suite and boards of directors. In 2015, we’ve seen an expansion of IT budgets and a demand for controls against these emerging threat actors.
threatLAB: That sounds like a positive trend. Would you agree?
Tugman: Yes and no, because a lot of organizations purchase new hardware to solve network security issues; however, what we’re finding is that these are not necessarily network security issues but instead are asset security issues. That difference is incredibly important and is something we will spend a good amount of time on at threatLAB 2016. With that said, what we’re seeing in the data we’ve collected, and from the community of people we’ve been talking to the past year, shows a change in voice. Three years ago the conversation was about cybersecurity. It’s been fascinating to witness a transition from cybersecurity — network security — to cyber resiliency.
threatLAB: What is the difference between the two?
Tugman: Cybersecurity is the piece parts, the IT functions that make up the security of your organization. They’re like the “guards, gates and guns” of physical security. Cyber resiliency is really understanding how cyber fits within the risk structure of your enterprise. It’s a change in tone, a transition of thinking. Identifying cyber vulnerabilities is plugging holes in a dam. Cyber resiliency is more akin to building the dam itself.
Think of it this way – cybersecurity is predicated on keeping all external threats out through fortifications and controls. Cyber resiliency is predicated on the fact that no controls are perfect and could fail. So in addition to fortifications, what resilient functions are you putting in place to detect, correct and recover with the least amount of damage in the event that a breach does occur?
threatLAB: Why is it so important to approach cyber threats this way?
Tugman: Our data shows there is a clear correlation between an organization’s effort to adopt a wider cyber governance framework and its ability to recognize and mitigate risk. threatLAB attendees have been asking us to speak more in-depth on the philosophy that helps guide TSC Advantage and its assessments. The absolute difference between cybersecurity and resiliency is that cybersecurity is a big circle function and cyber resiliency is a small circle function. You will ask, “What is the difference?” To really understand what that means, I will see you in Florida!
Learn more about threatLAB 2016, Cyber Risk 360°.
4 Cybersecurity Disconnects in an Always-Connected World
We live in a connected world, and as the lines between work, home and travel blur, being always connected can expose your company’s intellectual assets to risk. As incidents of competitive intelligence and corporate espionage are becoming more prevalent, it’s a good time to heed the advice offered during Cyber Security Awareness Month. Here are four behaviors – let’s call them cybersecurity disconnects – that may open the door to significant data loss.
Busy people rely on and trust the tools that make it possible to work on the go. But some of those conveniences reduce security defenses. Plus, inattention to surroundings can reveal confidential information.
- While convenient and tempting, public Wi-Fi is rife with risk and vulnerable to data exposure. While you surf online, personally identifiable information and payment card information may be visible to an opportunistic criminal sniffing your web session or cloning your accounts.
- Removable media devices such as USB sticks offer quick and easy storage and transfer of data, but have long been the delivery mechanism of catastrophic malware.
- Working in public places like the executive lounge, taxis, or up in business class can expose confidential details through an overheard conversation, a curious shoulder surfer, or a lost or stolen laptop.
Sure, you know that cybercrime is in the news almost daily. But did you know that credentialed insiders present one of the most underreported yet biggest threats to corporate data?
Companies can protect sensitive data through effective policy and procedure development as well as providing routine training and awareness on:
- Social engineering tactics such as spear phishing and pretext phone calls
- Dangers of removable media and the importance of policies limiting their use
- Data compartmentalization and classification
- Personal factors and behavioral indicators that insiders who steal intellectual property often exhibit
The IT department handles cybersecurity so it’s taken care of, right? Nope. Security-conscious organizations understand how threats to data security can originate from multiple sources and directions. Are you aware of enterprise weak spots, the sensitive digital assets your organization possesses, and the potential motivations of those attackers targeting it? Possibilities can include:
- A state-sponsored hacker group with a political bent looking for retribution
- A software engineer, passed up for promotion, who is enticed to sell your intellectual property to a competitor
- An employee of your maintenance contractor whose credentials are stolen by an adversary, who then uses them to establish a foothold on your network and exfiltrate customer payment card data
People who travel for business, especially to countries known for state-sponsored IP theft, should take extra precautions to avoid becoming a victim.
- Always bring a dedicated travel laptop and ensure the data you bring is just the minimum amount needed for the successful outcome of your trip
- Politely decline unsolicited upgrades for hotel rooms
- Keep laptop and other devices with you at all times, even when you’re in the gym, at dinner, or taking in some tourist attractions
Visit the TSC Advantage blog often to learn more about staying protected in an always-connected world.
CYBERSECURITY THREATS EVERY EMPLOYEE SHOULD UNDERSTAND
Employees are the fuel that drives organizations, but their actions can also put the brakes on success. Why? Because not surprisingly, every employee presents a potential security threat to intellectual property, trade secrets, and other protected information. Most employees are not malicious data thieves, but their actions could inadvertently open the door to cyber attackers scanning for the weakest link.
National Cybersecurity Awareness Month highlights the need to create a culture of cybersecurity at work. In our last blog “Who Owns Cybersecurity?” we said it’s a shared responsibility, and that each person in an organization should be accountable. Proactive awareness of potential threats is a step that individuals can take to protect their organizations. Here are three threat trends every employee should know about:
PHISHING ATTACKS can cost an organization up to $3.7 million per year, and waste more than 4 hours annually per employee, according to a 2015 report by the Ponemon Institute. While many individuals know about phishing emails, they still fall for messages that trick the recipient into giving out personal or financial information, or into providing access to networks that is then used to exfiltrate information. It is difficult to change employee habits. Months after an attack that revealed the personal details of more than 800,000 workers, the US Postal Service tested its employees and found that a quarter of recipients clicked on a phony link in its simulated attack. On the private sector side, a CBS News/Intel Security test of 19,000 people revealed in early 2015 that 80% clicked on at least one of the phishing emails they received. As we can see, the growing sophistication of these types of attacks is causing havoc across both the public and private sector – and even those employees who might fancy themselves relatively cyber savvy are being duped.
What should employees do to avoid this type of threat? Take part in proactive training and awareness campaigns that corporate risk managers should be rolling out. If they’re not, push for such training. In addition, the federal government does have numerous websites that may be helpful. Like TSC Advantage and others in the industry, the Federal Trade Commission has been evangelizing what it takes to be safe in this new threat environment. This includes warning about the rise in application-targeted attacks (such as Google Docs, Adobe, or file sharing sites); how the commercial availability of malware has essentially industrialized and propagated these malicious acts; and the under-reported reality that an increasing amount of sophisticated phishing attempts are becoming heavily personalized and tailored to the target and therefore are more believable than ever. Remember, phishing is no longer the Nigerian 419 scam promising you great wealth. It’s a good practice to report such emails to email@example.com, a working group of security vendors, financial institutions and law enforcement agencies.
BUSINESS EMAIL COMPROMISE (BEC) is a rapidly growing and increasingly sophisticated form of cyber fraud. According to the FBI’s Internet Crime Complaint Center (IC3), more than 7,000 US companies have been victimized since late 2013 at a loss of over $740 million, and the number has spiked in 2015 alone. Often, criminals establish a foothold on a company’s network through phishing or targeted malware, then gather information from email threads about billing and invoices to create legitimate-looking requests from CEOs and CFOs for wire transfers. The money is directed to fraudulent accounts.
The IC3 offers numerous tips to avoid being victimized, including: verify changes in vendor payment location and confirm requests for transfer of funds; be suspicious of requests for secrecy or pressure to take action quickly; use intrusion detection system rules that flag emails with suspicious addresses.
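The header and content checks the IC3 tips describe can be automated at the mail gateway or in a mailbox rule. The script below is an added example, not code from the original post or from TSC Advantage. It flags the three BEC patterns discussed above: a sender domain that is a near-miss of the company’s own domain, a Reply-To header that diverts answers to a different domain, and pressure language around funds transfers. The organization domain example-corp.com, the executive names, the keyword list and the two sample messages are all constructed for illustration.

```python
"""Flag business e-mail compromise (BEC) indicators in a raw RFC 822 message.

Added example, not from the original post. Domain, executive names,
keyword list and sample messages are assumptions made for the example.
"""
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

OWN_DOMAIN = "example-corp.com"                 # assumed company domain
EXECUTIVES = {"jane doe", "john roe"}           # assumed C-suite display names
PRESSURE_TERMS = ("wire transfer", "urgent", "confidential",
                  "keep this between us", "before end of day", "new account")


def _domain(addr: str) -> str:
    """Return the lower-cased domain part of an address, or '' if none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, trusted: str = OWN_DOMAIN, threshold: float = 0.8) -> bool:
    """True when domain is close to, but not equal to, the trusted domain
    (e.g. example-c0rp.com or example-corp.co for example-corp.com)."""
    if not domain or domain == trusted:
        return False
    return SequenceMatcher(None, domain, trusted).ratio() >= threshold


def bec_indicators(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing flagged."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = _domain(from_addr)

    # 1. Sender domain is a typo-squat of our own domain.
    if is_lookalike(from_dom):
        findings.append(f"lookalike sender domain: {from_dom}")

    # 2. An executive's display name on an address outside the company.
    if from_name.strip().lower() in EXECUTIVES and from_dom != OWN_DOMAIN:
        findings.append(f"executive display name on external address: {from_addr}")

    # 3. Replies are silently redirected to another domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain differs from From: {reply_addr}")

    # 4. Secrecy / urgency / payment-change wording in the body.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [t for t in PRESSURE_TERMS if t in text]
    if len(hits) >= 2:
        findings.append("pressure or payment-change language: " + ", ".join(hits))

    return findings


# Constructed sample messages (not real mail).
SUSPECT = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@webmail-example.net
To: accounts@example-corp.com
Subject: Urgent wire transfer

Please process an urgent wire transfer to the new account below today.
Keep this confidential until the deal is announced.
"""

CLEAN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 invoice schedule

Attached is the usual invoice schedule for Q3. Nothing has changed.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("clean", CLEAN)):
        print(label, bec_indicators(raw) or "no indicators")
```

Any single finding is weak on its own (a legitimate vendor may set Reply-To to a ticketing system), so treat the output as a score to route the message for manual verification of the payment request out of band, which is the IC3’s first recommendation. The similarity threshold of 0.8 is an assumption; tune it against your own domain length, and extend the trusted set with the domains of key vendors.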
THIRD PARTY RISK is an area TSC Advantage spends a lot of time with via our External Business Operations domain and is a threat that all organizations and employees must understand since partnering is part of doing business. The recent T-Mobile breach affecting 15 million customers began with a data breach at Experian, which T-Mobile used to run credit checks on customers. Whether they’re unsuspecting portals for cyber attackers or the originators of such assaults, vendors and subcontractors now represent a growing, frequent and serious risk to organizations. Security professionals continue to overlook that risk, however, even as high-profile cases crop up in the U.S., the Middle East, Europe and the Asia Pacific region.
As the customer, a company has the ability to choose which vendors it wants to hire. A significant part of that decision should hinge on the vendor’s answers to questions about its security policies and controls. Further, if a vendor will need access to the company network, preventative measures such as segmentation should be discussed, as should other defense-in-depth areas such as access controls, data-layer controls, and a serious look at the language contained in service level agreements.
The one constant in the world of cyber is that threat is continually evolving. While it’s impossible for every individual to stay on top of every threat, making cybersecurity awareness part of organizational culture can go a long way in reducing susceptibility to victimhood in the first place.
Who Owns Cybersecurity? Everyone
We all benefit from the advantages of a connected world. Business, government, education, healthcare, and individuals have come to rely on the data at our fingertips and the ease of work and commerce that it affords. Most of us though, take those benefits for granted, leaving digital security to the IT department only or worse, not thinking of it at all until there’s a problem (which, despite the constant headlines of attacks and breaches, happens more often than you think!).
Who owns cybersecurity? Everyone. During October’s national cybersecurity awareness month, here are three ways that organizations can ensure everyone has a role in the shared responsibility of reducing cyber risk.
- Understand what cybersecurity really means. There are countless data security tools and technologies to prevent and detect cyber intrusions. However, a single-minded approach to IT security elevates the role of these sensors at the expense of other considerations, such as the importance of instituting a mature cyber security culture, a panoramic threat analysis across the enterprise of how cyber infection can metastasize, and understanding what it means to be resilient and get back to business as quickly as possible if a cyber event does occur.
- Establish a proactive cybersecurity strategy. Seems crazy to have to mention this still, but never assume that your organization won’t or hasn’t already been a target. It is still amazing to hear risk managers and other enterprise security leaders that we encounter in the market and on the speaking circuit who deny their victimhood or think they are not “important” enough to even be targeted in the first place. Sixty per cent of attacks in 2014 were against small-and medium-sized organizations, according to the Symantec 2015 Internet Security Threat Report. Advanced attackers targeted five out of six large companies. Don’t wait.
- Start by creating a data classification policy. Review and categorize data and intellectual assets by degree of sensitivity and value to the organization.
- Assess risk. Identify the most serious threats to your data by considering how and where your organization operates, your supply chain, and what risk controls are currently in place.
- Plan for the worst. Do you have a crisis management plan in place to quickly respond to a cyber attack? Multiple studies have shown that financial losses from a single cyber attack can exceed $50,000 for small businesses, and well over $1 million for large organizations. Having a quickly executable plan that includes clear responsibilities and lines of communication will help minimize the damage.
- Consider cyber insurance as a final safeguard of an overall risk management plan that prioritizes security assessment, holistic cyber risk solutions, and an organizational focus on security. In September, Sarah Bloom Raskin, Deputy Secretary of the Treasury Department, described cyber insurance as “a game changer” because the underwriting process that businesses undergo to apply for cyber insurance can help determine weaknesses and encourage best practices. Cybersecurity then “becomes part of an organization’s DNA,” she said.
- Create a cybersecurity culture. Cybersecurity is a shared responsibility. Each person in an organization should understand this and be accountable. And unfortunately, it starts with the not-so-exciting task of ensuring processes are in place to provide the backbone governing necessary security-related activities – from processes covering controls such as vendor access management, to firewall configuration, to remote wipe capability procedures within an enterprise BYOD deployment. Culture starts with process, and process is implemented through effective policies and procedures that are matured through equal application, enforcement, and management.
Cyber attacks happen every day. The cyber threat is evolving and growing. Knowing these facts, it’s time for organizations large and small to put cybersecurity in the hands of the whole team.
3 Ways to Check Your Medical Cyber Pulse
Ten million – that’s the latest staggering number of victims in the cyber hacking world’s rush to steal protected health information (PHI). Excellus BlueCross BlueShield estimates 10 million members and individuals have been affected by an attack that may have gained unauthorized access to names and addresses, dates of birth, social security numbers, financial, and health claim information. Excellus is now contacting those victims with promises to provide free credit monitoring and identity theft protection. What are the lessons of yet another massive cyber breach in the health sector? Here are three:
1. Consider the widespread damage of a cyber breach
There are immediate and long-term costs to both the individuals whose information was compromised, and to the companies that care for their health needs. For individuals, the wealth of stolen data dramatically increases the possibility that a cybercriminal can assume their identity to open new lines of credit, make fraudulent purchases or medical claims, and empty bank accounts.
As TSC Advantage explained at the 11th Annual Medical Liability Insurance ExecuSummit in Connecticut on 16 September, cyber attacks and data breaches are impacting health care organizations, large and small. There are immediate and significant costs associated with incident resolution and reputation harm and also the longer-range costs such as decreased customer trust and the potential loss of revenue that such events bring.
Additionally, and as covered entities and their business associates are undoubtedly aware, there is the potential for regulatory penalties levied by the U.S. Department of Health and Human Services for failing to meet HIPAA Privacy and Security Rules. It all adds up to considerable losses. The Ponemon Institute’s 2015 Global Cost of Data Breach study found the healthcare industry has the highest cost per stolen record – at $363 – more than double that of other industry averages.
2. Understand why the medical industry is at particular risk
Excellus is just the latest in a growing list of health insurers like Anthem and CareFirst to be hacked. What is the lure of the healthcare industry to cybercriminals?
- The value of the information stored in healthcare organization databases: personally identifiable information (PII), personal medical history, diagnosis codes, billing and payment card information. It can all be sold on the black market, with fraudulent claims and charges through identity theft not being noticed for months or years.
- The limitations of a compliance-based approach to enterprise security: Savvy cybercriminals and other nefarious actors understand the difference between security and CYA. They know most organizations implement security as a ‘check-the-box’ exercise as a means to pass an annual audit and are not interested in maturing their security beyond the standard. This is an unfortunate reality that must change.
3. Create a holistic and proactive understanding of enterprise threat posture
With attacks in the medical industry happening at a growing rate, the time is now to put a risk-based and relevant risk management program in place.
- While you may start with legacy technical controls and other traditional IT deployments, it’s crucial to remember the multitude of non-technical ways in which cyber risk can be introduced into an enterprise environment. Faceless remote access attacks originating in foreign countries are not the only threat. What about an unencrypted laptop that is stolen, or a disgruntled employee, or gaps in physical security? The TSC Advantage risk assessment methodology incorporates standards from best-in-class compliance audits like HIPAA, but exceeds them with a unique approach mapping to over 10 international and national standards. This is combined with expertise obtained from service in the U.S. national security community to provide a complete or holistic view of enterprise risk.
- The HIPAA Security Rule requires all covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of e-PHI. An assessment approach such as our Threat Vector Manager methodology can help you meet that obligation.
It is no secret by now that diversified cyber threats are impacting all organizations, and covered entities and their business associate colleagues in particular. Maturing beyond the standard to a more holistic risk management approach will ultimately lead to a healthier risk posture.
THINK CYBERSECURITY, THINK I-T? THINK AGAIN!
When you think of cybersecurity, do you still think IT? If so, you’re not alone. Even though cyber attacks are increasing in frequency and costing more than ever, many organizations view the problem as one that can only be solved through the introduction of those legacy sensors we commonly associate with traditional cyber security. But as the market is increasingly becoming aware, these “off-the-shelf” tools are only part of the solution.
Relying on data security practices in isolation from non-technical threats leaves gaping holes that undermine an organization’s ability to prevent, detect, correct and recover from intrusions. In a deep dive on cybersecurity at a recent cyber security seminar in Northern Virginia, TSC Advantage presented six key areas that public and private organizations should focus on to create awareness of a holistic and proactive threat posture: insider threat, physical security, mobility, external business operations, internal business operations, and yes, data security.
Threats Cross Departmental Borders
Why do these all matter? Because as the news headlines are increasingly reporting, cyber is about more than IT. A traditional organizational chart would likely show each of the domains in a separate vertical, with their own leaders, policies, programs and procedures, and with separate accountability and responsibility mechanisms. From a risk management perspective, a stove-piped and traditional view of security wouldn’t recognize how a business event occurring in one domain could introduce enterprise vulnerability via another. Take a major commercial customer our team recently assessed. For high-risk employee terminations, while we found there to be ‘good’ communication between the HR and IT departments at this client location, our team nonetheless identified priority vulnerabilities associated with access control, change management, and the maturity of existing procedures governing these activities.
To take another example, how about the business traveler in a foreign country who engages in business talk and unwittingly shares proprietary details of an upcoming project during the cab ride from the airport to the hotel. If you don’t think that in certain countries the driver could also be a member of his country’s security apparatus, think again. Armed with that knowledge, the information is eventually passed along to a competitive intelligence rival who is all too eager to erase years of your sweat equity and smash your bottom line.
Insider threat, one of the most underreported as well as most taboo, can take the form of an employee who inadvertently introduces malware through a seemingly innocuous click, a disgruntled employee who deliberately downloads or erases proprietary information, or a worker who is targeted and paid by competitors to steal information. Training and awareness programs highlighting the personal, behavioral, and organizational precursors that contribute to these events are a responsibility that crosses all departments within the enterprise.
Cost of Cyber Attacks Grows
Those are just a few examples of the many ways in which cyber threats can enter an organization. Any one of them can have a devastating cost. Leaders are forced to resign – most recently the CEO of extramarital dating site Ashley Madison, and in July the Director of the Office of Personnel Management (OPM). Consider the reputation harm suffered by Sony Pictures when unflattering emails were revealed. Or the cost to the taxpayers to cover the OPM breach – $133 million just to pay for victims’ credit and identity theft monitoring.
The Ponemon Institute’s annual Cost of Data Breach Study of 11 countries puts the average cost of a single data breach at $3.8 million, a 23 per cent increase since 2013. The study also found the average cost for each lost or stolen record containing sensitive and confidential information is $154, and double that for healthcare information.
Five Ways to Improve Organizational Cybersecurity
• When you think of cyber, think beyond the IT department. How are your departments working together to identify potential risk, formulate and communicate policy? Consider creating a risk management team.
• Identify your organization’s most valuable intellectual assets. Define and categorize this data according to its level of sensitivity, its value to the organization, and when it might be most at risk.
• Assess risk by reviewing how your organization operates – what physical assets need to be protected, how often do employees travel, do they use personal and/or work devices?
• Consider the potential for not just external, but also internal threats. Does your organization monitor for unintentional or deliberate unauthorized access or inappropriate use of data?
• Foster and communicate a security culture. From the board of directors, to the C-suite, to every level of the organization, each employee has a front line responsibility in securing the enterprise.
In today’s environment, cyber attacks are an eventual certainty for every organization. So take a deep dive on cybersecurity. Thinking about risk holistically will help minimize the potential damage.
We Made the Inc. 5000 List of Fastest Growing Companies!
We are pleased to announce that TSC Advantage has been ranked #3294 in the prestigious Inc. 500|5000 for 2015 – Inc. Magazine’s List of America’s Fastest Growing Private Companies. This accomplishment is the direct result of a lot of tireless effort by members of the TSC Advantage team, the trust our customers place in us, and the support of our colleagues, friends, and family.
Just a couple years ago, we were a company with very little name recognition in a very crowded space. Our vision was to upend traditional approaches to cyber security and endeavor to be one of the most prestigious cyber risk assessment firms out there – to take our passion and unique lens by which we explore enterprise vulnerability and use it to transform organizations into becoming more resilient enterprises in these extraordinary times of data breaches and sophisticated cyber attacks.
Now, that passion has built a 50-person company with customers and trusted partners, scores of successfully completed projects around the world, and a growth rate that even made us pause for a minute. We’re thrilled to be working with leading global brands across many verticals in helping them transform awareness of their risk postures as well as chartering new paths in other areas, including delivering objective and comprehensive cyber insurance assessments on behalf of Lloyd’s and other leading markets.
We want to extend a big thanks to everyone who has supported us so far. Inc. has recognized the growth we have achieved, but we have an ambitious plan for what is next for us. We couldn’t be more excited for what the future will bring and we know our team and valued clients will continue to be a part of it.
St. Louis Cardinals’ Hacking Scandal Highlights Realities of Corporate Espionage
The alleged hack perpetrated by the St. Louis Cardinals against the Houston Astros took a traditional sports rivalry into foul territory. The FBI is investigating evidence that suggests Cardinals employees infiltrated a network the Astros built to store data containing discussions about trades, proprietary stats and scouting reports.
Some reports suggest the Cardinals conducted the attack as revenge against Jeff Luhnow, a former Cardinals executive, now with the Astros. Others suggest the hack was an attempt to gain a competitive advantage. Regardless the motive, the news rocked the sports world and brought home an often-overlooked fact: most organizations still do not take cybersecurity seriously enough.
Cyber espionage is a very real issue in highly competitive industries, such as manufacturing and technology, but it’s something of a surprise in Major League Baseball. While Luhnow has downplayed the significance of the hack, suggesting much of the information named by the FBI would be entirely obsolete at this point, the damage could have been much worse.
Almost Too Easy
Unfortunately, many organizations outside of the traditional hacking targets don’t seem to approach cybersecurity with the same level of rigor as healthcare, financial institutions, or big retailers. That complacency leads to the kind of security lapses officials believe made this hack possible, such as poor password hygiene and a lax cybersecurity culture.
According to media reports, the alleged perpetrators were able to guess network passwords based on those previously used by Luhnow or Sig Mejdal, another former Cardinals employee now working for the Astros. Sports organizations regularly see players, staff and executives leave for rival franchises. It’s therefore critical to integrate preventative security controls that make it harder to breach network defenses and make proactive, holistic security part of the process.
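One preventative control that addresses the pattern described above is a password-change check that rejects a new password when it is only a cosmetic variation of the old one (a bumped year, a capital letter, a few leet-speak substitutions), since those are exactly the guesses someone who knew the old password will try first. The code below is an added example, not code from the original post, the Astros, or any named vendor; the leet-speak substitution map, the similarity threshold and the sample passwords are assumptions made for illustration.

```python
"""Reject a new password that is a trivial variant of the previous one.

Added example, not from the original post. Substitution map, threshold
and sample passwords are assumptions for the example.
"""
import re
from difflib import SequenceMatcher

# Character substitutions that add no real entropy (assumed map).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def core_of(password: str) -> str:
    """Lower-case, strip leading/trailing digit and symbol runs, undo leet-speak.

    'C4rdinals_2015' and 'Cardinals2014!' both reduce to 'cardinals'.
    """
    s = password.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # drop the bolted-on year / punctuation
    return s.translate(LEET)


def is_trivial_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the alphabetic cores are the same word, one contains the other,
    or they differ by only a character or two."""
    a, b = core_of(old), core_of(new)
    if not a or not b:
        return False          # no alphabetic core to compare; other rules must decide
    if a in b or b in a:      # same word with a prefix or suffix added
        return True
    return SequenceMatcher(None, a, b).ratio() >= threshold


def validate_change(old: str, new: str, min_length: int = 12) -> list[str]:
    """Return reasons to reject the change; an empty list means acceptable."""
    problems = []
    if len(new) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if new == old:
        problems.append("unchanged")
    elif is_trivial_variant(old, new):
        problems.append("trivial variant of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in (("Cardinals2014!", "Cardinals2015!"),
                     ("Cardinals2014!", "C4rdinals_2015"),
                     ("Cardinals2014!", "correct horse battery staple")):
        print(f"{old!r} -> {new!r}: {validate_change(old, new) or 'ok'}")
```

This check only works at change time, when the user supplies the old password in clear; it cannot be run retroactively against a stored hash. For someone arriving from a rival organization the equivalent control is to issue a fresh, randomly generated initial password and require multi-factor authentication, so that whatever they used at their previous employer has no bearing on your network.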
All Data is Valuable to Someone
With all the attention on foreign-sponsored data breaches, such as the recent OPM breach attributed to China, many organizations believe themselves to be safe from cyberattacks. However, domestic corporate espionage events can be just as prevalent. Consider the 2009 spat between Starwood Hotels and Hilton, where Starwood claimed two of its former executives stole sensitive trade secrets and brought them to Hilton. Or the famous corporate espionage scandal between General Motors and Volkswagen AG.
In this case, even if the Cardinals didn’t get access to information that truly gave them a competitive advantage, it’s clear enterprise security is still not taken seriously enough by most organizations – whether corporate or government. As this hack (and others before it) demonstrates, every industry and organization has data worth protecting, and the onus is on them to ensure they have all their bases covered.
The OPM Data Breach: Why This Could Be the Worst Yet
By now everyone has heard about the data breach that hit the Office of Personnel Management (OPM). The breach has potentially exposed personally identifiable information (PII) and even extensive biographical data of up to four million federal employees, including members of federal law enforcement, active duty military, political appointees, and security clearance holders assigned to sensitive national security positions within the Defense Department and Intelligence Community. A government source said this could be one of the largest ever thefts of government data. Informed speculation points to Chinese hackers as the culprits behind the breach, though the Chinese Embassy in Washington is denying involvement. Below, we’ll break down the facts about this breach and its potential implications.
Who and why?
The attack on OPM is not surprising; the organization – as well as the data that it maintains – has been in the crosshairs for years. Similar remote access attacks against OPM targeting PII and detailed personal information of federal employees are well documented, including the 2014 attacks directed against contractors USIS and KeyPoint Government Solutions. Other recent attacks attributed to China targeting the same information include the 2014 breach of the U.S. Postal Service, the hack of the U.S. Nuclear Regulatory Commission, and the attack on the National Oceanic and Atmospheric Administration.
The implication of suspected state-sponsorship and China in particular is not surprising given the immense value PII and biographic data can have from an intelligence standpoint (in addition to traditional cybercrime such as identity theft). As the custodian of federal employee records, OPM is a treasure trove of information that foreign security services covet. Information such as detailed personal history, including previous addresses going back 10 years, names and addresses of foreign relatives and other close associates, and current state of financial health would all serve as key blueprints in the development of tailored campaigns targeting specific people or networks for exploitation.
Is this breach linked to Anthem and Premera?
There has been much speculation that China was behind the Anthem and Premera health data breaches as well. When you take into account that Anthem is also the health insurance provider for U.S. government agencies and defense contractors, it would be a safe (and correct) opinion to conclude the breaches are probably related. Still, is there irrefutable proof right now that China was behind these hacks? As in most cases involving attribution, not exactly and not yet. However, experts at one firm point to striking similarities between the techniques used in all three hacks, with the finger pointing at China.
What’s the point?
The disturbing conclusion here is that with this attack and the others that preceded it (and that will most certainly come after it), nation-states have the ability to methodically piece together complete dossiers on people using the array of medical, privacy, personal, and financial data they exfiltrate. While this data has immense value from a traditional cybercrime standpoint, the strategic goal is likely something bigger and more devastating. Unfortunately, that part is probably yet to come.
A Threat to Employee Privacy Can Become an Attack on Your Organization
You’re only as strong as your weakest link. That tired old adage has taken on new meaning when applied to the current state of cybersecurity. And oftentimes, the weak links are a company’s employees. The fact is, every employee has the potential to present a security threat to his or her employer’s business in one way or another. That isn’t to say that every employee is a malicious data thief, but employees are certainly responsible for inadvertent behaviors that give rise to potentially devastating cyber incidents, sometimes involving hacktivists and cybercriminals whose main goal is to cause business disruption and reputational harm. One way for malicious actors to do this is through the exploitation of employees’ personal privacy on third-party service platforms such as social media.
As an example, earlier this month, it was widely reported that the Twitter and Facebook accounts of U.S. Central Command (CENTCOM) had been hacked by a group sympathetic to the terror group ISIS. Authorities believe hackers gained control of the accounts by stealing the login credentials of a CENTCOM administrator, probably by exploiting weak procedural controls governing how the Command promulgated and enforced minimum password composition requirements, through a phishing scam, or through keylogging malware. It is probably safe to say that CENTCOM administrators were not using two-factor authentication for this service either, which paved the way for this breach to occur.
Once inside, the actors posted pro-ISIS messages and revealed personally identifiable information of retired general-grade officers, including home addresses and personal e-mail information. Although the account was quickly shut down following the breach, the event was quickly portrayed as a cyber attack against CENTCOM itself when in reality it was more of an act of vandalism. Regardless of its severity, it caused great embarrassment to the Command and the Administration, and it offered the rest of us a teachable moment on how fast a breach of personal privacy can cause disruption and reputational harm to a parent organization.
First, it reaffirmed the importance of ensuring passwords meet minimum requirements in order to defeat brute force tools. Regardless of the cause of this breach, passwords should always be at least 10 characters long, should not contain a full word or obvious things like a name, and must incorporate a unique combination of uppercase, lowercase, numbers, and special characters. If shared by more than one person in an organization (and especially if used for public-facing purposes), credentials should be stored securely in a controlled area, and mature procedural controls should be in place that prohibit access to these accounts via mobile devices or from unsecured networks.
Second, defense-in-depth perimeter and endpoint controls are a requirement, and phishing awareness together with baseline access controls such as two-factor authentication are a must. Additionally, continuous holistic risk assessments are helpful in identifying other potential ingress points of vulnerability, since any cyber risk assessment is insufficient if it ignores expert examination of the role of insider threat, physical security, and the unique vulnerabilities introduced by business dependencies. If you would like to hear more about how TSC Advantage can assist your organization in defending its innovation, reputation, and execution, I would love to hear from you. Contact us.
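As an added illustration (example code, not from the original post), here is a Python checker for the password composition rules listed above: minimum length of 10, no full dictionary word or name, and at least one uppercase, lowercase, numeric, and special character. The word and name lists are small constructed stand-ins for a real dictionary, and the letter-for-symbol normalization is an assumption added so that obvious substitutions such as "P@ssw0rd" do not slip past the dictionary check.

```python
import string

MIN_LENGTH = 10

# Constructed stand-ins for a dictionary and a name list (assumption: a real
# deployment would load full wordlists; these are illustrative only).
COMMON_WORDS = {"password", "welcome", "summer", "centcom", "twitter", "letmein"}
COMMON_NAMES = {"john", "alice", "smith", "michael"}

# Assumed normalization step: undo common letter-for-symbol substitutions so
# that "P@ssw0rd" is still recognised as containing the word "password".
LEET_MAP = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "@": "a", "$": "s", "5": "s"}
)


def _contains_any(candidate, words, min_len=4):
    """True if any listed word of at least min_len letters appears as a
    substring of the lower-cased, de-leeted candidate."""
    normalized = candidate.lower().translate(LEET_MAP)
    return any(w in normalized for w in words if len(w) >= min_len)


def check_password(candidate, words=COMMON_WORDS, names=COMMON_NAMES):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Each required character class must be present at least once.
    required = {
        "uppercase": any(c.isupper() for c in candidate),
        "lowercase": any(c.islower() for c in candidate),
        "digit": any(c.isdigit() for c in candidate),
        "special": any(c in string.punctuation for c in candidate),
    }
    for name, present in required.items():
        if not present:
            problems.append(f"missing {name} character")

    # Dictionary words and names are rejected even when disguised with symbols.
    if _contains_any(candidate, words):
        problems.append("contains a dictionary word")
    if _contains_any(candidate, names):
        problems.append("contains a name")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates exercising each rule.
    for sample in ("P@ssw0rd2015!", "short1!", "Alice#Wonder99", "Tr0ub4dor&3"):
        result = check_password(sample)
        print(f"{sample!r}: {'OK' if not result else ', '.join(result)}")
```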
The Uninsured Consequences of the Sony Data Breach
The December 2014 cyberattack against Sony wasn’t the largest or even the most expensive, but this breach may go down as the most embarrassing on record. And it’s that collateral damage that raises the stakes and places the Sony breach among the most damaging in recent history.
While Sony’s CEO is confident that the financial costs of the breach, estimated at around $100M, will be covered by its cyberinsurance policies, he is glossing over the harmful consequences of the sensitive, private and shameful information the hackers revealed to the world. Sony executives were shown making fun of and even insulting the artists they work with in email communications. Will those actors forgive and forget, or will they refuse to work with Sony in the future? How does Sony quantify that damage? How does a company insure against reputational harm?
Consider, too, the internal harm done to employees whose personal information was stolen or who were privy to the leaked internal emails, some of which were branded as racist or sexist. Could there be legal implications and costs stemming from the theft of employee data or those discriminatory emails?
How about the impact this breach will have on Sony’s insurance coverage? The company was smart to have cyber liability coverage in place, but Sony is now considered a higher risk and will undoubtedly face significantly higher premiums in the future. No underwriter will accept this risk without major offsets in exclusions to future coverage or much higher rates.
Let’s not overlook that $100M cyberinsurance claim. Sony may be off the hook for the short-term financial costs of this breach, but the policy’s underwriter(s) will now have to pay that bill, so the damage flows downstream. However, the consequences of this breach far surpass the sting of a multimillion dollar payout.
The cyberinsurance market has already begun moving toward more comprehensive risk assessment, and this will tip the scales in favor of required pre-binding risk assessment throughout the industry. This will help underwriters reduce gigantic payouts that directly affect not only their bottom line, but also their ability to offer affordable insurance to other companies.
The fact is, there are countless potential ramifications related to this breach that are difficult to predict and hard to quantify. Sony, for all its bravado, will eventually have to pay the price. But, if there’s a silver lining in this story, it’s that the need to better understand cyberrisk at the outset will encourage greater adoption of holistic risk assessment within the cyberinsurance market – an outcome that will benefit everyone.
ThreatLAB 2015 is coming! Save the Date.
Are you looking for a fun and interesting opportunity to network with experts from a wide variety of industries while learning about the multitude of complex cyber threats facing U.S. organizations? After a resounding success last year, ThreatLAB® is back for version 2.0!
ThreatLAB 2015 will combine exciting keynote speakers and panel discussions supplemented with real-world scenarios, where attendees will have the opportunity to learn the latest in cyber leaks and breaches (LAB) as well as other findings, including how traditional investments in cyber security are leaving organizations more vulnerable than secure. And just like with ThreatLAB 2014, our select attendees will have the opportunity to learn and practice applying critical intelligence techniques in order to better diagnose and remediate holistic vulnerabilities often associated with cyber loss events, including corporate espionage incidents and other attacks. ThreatLAB 2015 will illustrate the importance of a proactive, holistic approach in defending your organization’s intellectual assets and creating a more resilient and mature security enterprise.
ThreatLAB 2015 will take place on May 20th and 21st and will be held at Las Vegas’s premier resort and casino, the Aria. This is an incredible opportunity – don’t miss it!
The changing threat landscape: insider threats and state-sponsored attacks
If you aren’t one of the 4.5 million people who were directly affected by the Community Health Systems (CHS) Heartbleed data breach, then you’ve certainly heard about it by now. Unfortunately, cases like these and others have become commonplace in today’s business environment. In 2014, the threat landscape is more advanced than ever, with no single industry or organization completely immune from cyber attacks. Within the past two weeks alone, we have seen organizations within the healthcare, government, infrastructure and banking industries caught in the crosshairs of cybercriminals, state-sponsored entities and both malicious and accidental insider threats.
Foreign state-sponsored attacks on the rise
The recent hack of the Nuclear Regulatory Commission (NRC) illustrates the threat of state-sponsored hacking groups with punishing clarity. In the third hack in three years, it was alleged that an NRC employee unwittingly clicked on an email link that took them to a Google spreadsheet where they were instructed to enter sensitive data.
Armond Caglar, one of our threat specialists here at TSC Advantage, speculated that the hacker campaign focused on two key areas: 1. gathering information on the condition and health of US nuclear reactors, and 2. assessing the cyber-readiness of the NRC workforce. This scenario likely could have been avoided through employee training and awareness programs highlighting the growing sophistication of targeted phishing campaigns such as the one that occurred here.
JPMorgan Chase and several other banks revealed they were also victims of a data breach believed to be perpetrated by Russia-sponsored hackers earlier this month. While the purpose of the attack and the extent of the data breached is still unclear, TSC Advantage believes financial information was likely the initial target, followed by intelligence data, such as corporate secrets, which could have been passed to security services once all the desired privacy data had been harvested.
Healthcare industry compliance is not enough
The CHS breach compromised the personally identifiable information of millions of patients. The attack, which resulted from the Heartbleed vulnerability, highlights a common issue among healthcare organizations, which Caglar referred to as the dangers of the “compliance audit mentality.” This is because the single-minded pursuit of meeting compliance baselines can actually contribute to organizational complacency once an audit is completed.
No company is completely secure
Even companies that provide essential services to the U.S. government aren’t immune. U.S. Investigations Services, or USIS, is a company used by a variety of U.S. government agencies, including the U.S. Department of Homeland Security, U.S. Immigration and Customs Enforcement, and U.S. Customs and Border Protection, to perform background investigations on all employees. Nearly 25,000 of those employees had personal information such as Social Security numbers, birth dates, education and criminal history, and the names and addresses of family and friends compromised in a data breach earlier this month.
Caglar notes, “The implications of this attack are serious and highly concerning. An attack such as this is almost always intended for the purposes of identifying potential recruitment candidates [for intelligence purposes]. By collecting information such as this, attackers will now be able to systematically research which members of the security clearance population could be suitable for a potential approach by foreign [service].”
Implement a proactive security culture to defend against cyberattacks
We can cite compliance standards like HIPAA and various executive orders all day long, but what ultimately serves as the best defense is a good offense and a solid understanding of the evolving nature of cyber threat. In both the foreign intelligence and competitive intelligence worlds, there will always be motivation to target innovation, privacy data, and national security information. Safeguarding sensitive data – no matter what it is – begins with a proactive and panoramic approach to security that incorporates all possible threat vectors, fused with proper training and awareness campaigns tailored to the mutable nature of the threat.
Contact us to learn how TSC Advantage can help identify and prevent security risks before they damage your organization.
Implications of Smaller-Scale Data Breaches: Citigroup, 2013
Poor security – Citigroup, 2013
The personal information of 150,000 Citigroup clients who filed for bankruptcy between 2007 and 2011 was exposed after Citigroup failed to properly redact court records prior to storing them on the Public Access to Court Electronic Records (PACER) system.
Citigroup claims that the mishap occurred due to a limitation in the software that the company used to redact personal information. Since Citigroup refused to divulge what software led to the breach, it is impossible for the public to know how the attack was conducted.
Following the incident, the company was quick to upgrade its computer software and re-train its employees on enhanced redaction policies and procedures in order to avoid similar attacks in the future.
Expert insight: Software updates are vital to maintaining computer security because they patch security vulnerabilities, fix program bugs and provide program enhancements. Computer software that is not updated presents a higher risk of being infected with malware and being exploited by other malicious attacks. Organizations must be proactive in order to ensure that security technologies and procedures are up to date and employees are properly trained on security procedures.
It only takes one mistake or oversight to open a company’s network to risk. Contact us to learn how our Enterprise Security Assessment (ESA) can help identify and prevent security risks.
Implications of Smaller-Scale Breaches: Policy and Procedure
Breaches aren’t always the work of external hackers or malicious insider threats. They are frequently the result of carelessness on the part of an employee or security administrator. But when it comes to securing confidential information, there’s no room for error. Improperly implemented or unsuccessfully enforced security policies and procedures leave an organization vulnerable to a wide array of security risks.
Stolen device – Florida Department of Juvenile Justice, 2013
A thief broke into a secure office of the Florida Department of Juvenile Justice (DJJ) and stole a mobile device that contained sensitive data. Although DJJ’s technology policy requires that all mobile devices be encrypted and password-protected, the stolen device was not compliant with these security measures.
As a result, the records of more than 100,000 juvenile delinquents and employees were compromised, putting them at risk of identity theft. In response to the incident, all DJJ employees and contracted provider programs were emailed a copy of the department’s policy reminder and security instructions.
In order to ensure that employees and contracted provider programs understood DJJ’s technology policy, the documents defined the parameters of the policy in regards to employee requirements and the expectations of contracted provider programs.
Expert insight: In addition to providing a strict and specific mobile security policy, organizations should periodically review policies with employees in order to ensure that everyone thoroughly understands the processes and ramifications of compliance failures. They should also implement training and checks to guarantee security procedures are being followed. Additionally, planned and random audits can help identify weaknesses or irresponsible activities before serious consequences occur.
Why Insider Threat Detection Fails
Virtually anyone who works in industry or government can tell you what the reportable warning signs of insider threat are – sudden behavioral changes, unexplained affluence, odd working hours, etc. Yet every time an espionage incident, intellectual property theft, or mass shooting takes place, it seems as though indicators are either not reported, or somehow fail to reach those who need to know. So what exactly is going on here?
There are a variety of mechanisms responsible for the failure of insider threat detection; reporting mechanisms, inter-organizational communications, and the existence and enforcement of policy are just a few laid out in CERT’s Common Sense Guide to Mitigating Insider Threats (2012). While any valid insider threat program certainly should address the nineteen components presented within the guide – it must also examine how detection is communicated to employees.
In a discussion pertaining to evolutionary psychology and business ethics, Cosmides and Tooby (2004) delve into a crucial element of the human mind that gets overlooked when discussing threat detection and reporting – humans are unable to detect procedural rule violations that are not precautionary or social in nature. The hunter-gatherer mind that humans have developed is equipped with specific machinery to detect social contract violations – instances wherein one receives the benefit (Q) without paying the price (not P) or vice versa – but the majority of humans fail at detecting violations of non-social “if then” rules.
The reason for this selective reasoning specialization is simple; our minds are the product of millions of years of natural selection. In terms of scale, we have just recently emerged from hunter-gatherer societies, yet our minds largely remain within this realm. Our mental machinery has been tailored for a world starkly different from the one we live in today. In the past, societies were smaller and people often lived with extended family and spent most of their time outdoors. The number of people that an individual might have encountered throughout his or her lifetime was far less than that of an individual in 2014. In a world where people spent most of their days simply trying to stay alive, being able to detect social contract cheaters, or free-riders, was an essential skill because every individual had the incentive to reap benefits without expending personal resources.
Within the context of natural selection, the fact that humans are adept at detecting violations of precautionary rules (e.g. if you’re going to take risk A, then you must take precaution B) makes perfect sense. Possessing this skill provides palpable utility to an individual; and that utility is survival. However, the procedural rules of the workplace are another matter. They are not social or precautionary rules and they generally do not identify a benefit or risk to the individual. For example, most insider threat programs can be boiled down to “if you see something, say something.” While straightforward, it simply does not hit the same mental circuits that, say, walking through a pit of snakes might. If there is no obvious risk to the individual, and no potential personal benefit – humans are less engaged.
What threats and benefits to an organization mean to an individual remains largely ambiguous. The human mind developed in an environment in which social exchanges were face to face, in real time, and the results were often observable. The indirect relationship between benefits to the individual and to the group was more readily observable (e.g. if I spend time crafting tools in order to allow the hunters more time to hunt, I will eat better). Reporting a coworker who fails to lock their computer may not activate the same mechanisms. The value to the individual through the group is not as apparent, and the threat and benefit are obscured. Even within organizations that are serious about implementing security measures through negative reinforcement (counseling, performance review), individuals generally do not lose their jobs. With that said, a culture of enforcement and repercussions can be advantageous.
To put it in more everyday terms, this is one of the reasons why it’s so difficult to get the public out of traditional ways of doing things. For example, it is common knowledge that studies reflect a direct correlation between smoking tobacco and cancer; it’s usually just a matter of time. In most metropolitan areas of the United States today, the effects of smoking are not observed and documented as often as they should be. Going back a few decades, we all knew smoking led to cancer, but it took serious public campaigns and incentives to curb smoking – even though people could rationally understand that smoking might kill them, the lengthy process generally wasn’t rapidly observable enough to command the public’s attention.
If there isn’t a negative repercussion directly associated with an action, our minds fail to acknowledge the association. This is the substance of modern parenting. In order to curb dangerous behaviors, punishment must be swift, consistent and enforceable; otherwise the lesson is lost. This concept can be compared to ocean thermal delay – when actions and reactions are separated by timeframes that exceed the normal human attention span, we are less apt to acknowledge (and accept) the connection.
So how can an organization take steps to effectively address insider threat? Anchor the threat of observable impact to the employee. Simply providing training on the machinations of “if you see something, say something” does not go far enough; insider threat detection needs to be tied to livelihood. Consider the impact of the following two statements:
- All personnel must badge into facility X, never allow a person to “tailgate” into the building.
- Reviews of security incidents over the past two years have found tailgating to be the most common method for unauthorized personnel to gain access to intellectual property at facility X. As a result, several companies are now selling our product at a lower price. We will likely have to find ways to streamline budgets, to include no bonuses or pay increases, and the possibility of layoffs.
The first statement is valid, but it fails to emphasize the bottom line impact. Even the second statement is insufficient due to the fact that the damage has already occurred; therefore, the threat could be considered non-existent.
Another aspect to contemplate is the likelihood of a perceptual difference in security stance between management and the average employee. There are very good reasons for employees to nod along with management when security edicts are discussed, but the underlying truth can be acutely different. Management may be oblivious simply because no one wants to tell the emperors they have no clothes.
In order to address this issue, organizations might consider a neutral third party assessment that compares attitudes and perceptions of security from the viewpoint of both employees and management on a scheduled basis. Industrial psychologists could also assist organizations through framing security training in a manner that elicits not only compliance, but active participation from employees as well.
The combination of impartial active listening, conveyance of threats to the individual employee, and the implementation of swift, observable repercussions can create a proactive culture of security awareness, but the organization must be willing to invest. Please contact us below if you would like to know more about this or our ESA methodology to help secure your enterprise.
About the Author
Gabriel Whalen has a Master’s in Forensic Psychology, a decade of experience in the U.S. National Security community, and a background in acting, biology, and ethical hacking. Gabriel represents TSC Advantage’s diversified talent portfolio as a social engineer, behavioral analyst, and insider threat expert.
Cosmides, L. & Tooby, J. (2004). Knowing thyself: The evolutionary psychology of moral reasoning and moral sentiments. In R. E. Freeman and P. Werhane (Eds.), Business, Science, and Ethics. The Ruffin Series No. 4. (pp. 91-127). Charlottesville, VA: Society for Business Ethics.
Silowash, G., Cappelli, D., Moore, A., Trzeciak, R., Shimeall, T., & Flynn, L. (2012). Common Sense Guide to Mitigating Insider Threats, 4th Edition (CMU/SEI-2012-TR-012). Retrieved April 02, 2014, from the Software Engineering Institute, Carnegie Mellon University website: http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=34017
January 13, 2016
Automaker Nissan shut down its global websites after a distributed denial of service (DDoS) cyberattack that may have been carried out by “hacktivists” opposed to Japan’s controversial whale and dolphin hunts. An activist connected with the hacking collective Anonymous tweeted objections to whale hunting and photos of a Nissan executive.
January 6, 2016
U.S. power companies have been advised by an electric industry group to review network defenses following reports that a malware known as BlackEnergy caused a widespread late-December power blackout in Ukraine. It’s believed to be the first time that a cyber attack has taken down an electric grid.
January 4, 2016
The Department of Health and Human Services (HHS) confirms that hackers accessed more than 100 million health records of Americans in 2015. Eight of the 10 largest health care provider hacks took place last year, according to the federal agency.
December 29, 2015
The details of 191 million U.S. voters, including names, addresses, birth dates, party affiliations, phone numbers and emails, were discovered in a publicly-available database by an independent computer security researcher who says the database was incorrectly configured. Such information could be a valuable one-stop site for criminals wishing to target large numbers with fraud schemes.
December 22, 2015
Iranian hackers are reported to have gained access to control systems at a small dam in the downstate town of Rye, NY in 2013, though no action was carried out. According to the Associated Press, Iranian cyber operators are also responsible for multiple intrusions into the US electrical grid since August 2013, for information-gathering and data theft.
December 15, 2015
December 14, 2015
The website for Trump Towers, owned by Republican presidential candidate Donald Trump, was offline for about an hour, allegedly breached by hacktivist group Anonymous. The group tweeted that it took down the site “as a statement against racism and hatred,” after Trump suggested temporarily barring Muslims from entering the United States.
December 2, 2015
A hack on toymaker VTech exposed the private data of 6.4 million children, including unencrypted names, email addresses, passwords, secret questions and answers for password retrieval, IP addresses, postal addresses, download histories and children’s names, genders and birth dates. The attack centered on the company’s portal used to download games to its computer tablets.
November 28, 2015
The Anonymous hackers collective says it is responsible for bringing down five government websites in Iceland as part of a protest against that country’s commercial whale hunting. The sites hacked with a Distributed Denial of Service (DDoS) attack included websites for the prime minister and the departments of environment and interior.
November 25, 2015
Hilton Worldwide is advising travelers who used payment cards at its hotels between Nov. 18 and Dec. 5 of 2014 or April 21 and July 27 of 2015 to watch for irregular activity on credit or debit card accounts. The hotel chain says hackers infected some of its point-of-sale computer systems with malware crafted to steal credit card information.
November 23, 2015
The Government Accountability Office (GAO) says in a new report that most federal agencies overseeing the security of America’s critical infrastructure do not have formal methods to track whether those essential networks are protected from hackers. The report examined 15 critical infrastructure industries and found that 12 were overseen by agencies that didn’t have proper metrics.
November 20, 2015
Hackers used malware to infiltrate payment systems at hotel restaurants and gift shops at 54 locations operated by Starwood Hotels & Resorts Worldwide Inc. The eight-month data breach resulted in the theft of customer credit-card and debit-card information, the latest in a wave of hacking attacks targeting the hotel industry.
November 10, 2015
About 200,000 Comcast customers are being advised to change their email passwords after the company discovered email account details, including user names and passwords, were being sold on a so-called dark web marketplace. Comcast said information from 590,000 accounts was likely obtained through phishing, malware or customers visiting compromised sites.
October 31, 2015
UK telephone company TalkTalk confirms that hackers stole bank account details of more than 20,000 customers. The number was announced as a 16-year-old and 15-year-old were arrested in connection with the data breach.
October 23, 2015
Three Long Island, NY high school students face from four to eleven years in prison for hacking into their school’s computer system to change grades and student schedules. The charges include burglary, computer tampering and identity theft.
October 21, 2015
An anonymous hacker who claims to be a high school student has claimed responsibility for allegedly hacking into the personal email account of CIA Director John Brennan. The hacker posted documents that included names of senior intelligence officials on Twitter. Wikileaks says it will also soon release the contents of Brennan’s account.
October 19, 2015
America’s Thrift Stores confirms that during the month of September 2015, hackers used malware to access customers’ payment card data, including card numbers and expiration dates. The breach is believed to have originated in Eastern Europe.
October 14, 2015
Cyber thieves have stolen more than $30 million from British bank accounts by using malware that, when clicked, provides access to online account login details. The National Crime Agency believes the hackers are based in Eastern Europe.
October 8, 2015
Samsung has confirmed that LoopPay – a mobile payment technology company it acquired in February – was breached by Chinese government-affiliated hackers. The company says the hackers appear to have been after LoopPay’s magnetic secure transmission technology, which uses a wireless signal to send payment information from a phone to cash registers.
October 5, 2015
Retail brokerage Scottrade says it was the victim of a cyberattack which lasted from late 2013 to early 2014. The company says client names and street addresses of up to 4.6 million clients were in the targeted database.
It’s easier than you think for your sensitive data – such as intellectual assets, trade secrets, protected health information, or customer data – to fall into the hands of a competitor, hacker, disgruntled employee, or foreign government.
Let us introduce you to a couple of our team members who will be helping you secure your enterprise.
Allen – Senior Project Manager
Allen joined the company in 2011. With more than 20 years of experience in the commercial and government sectors, Allen has worked at a variety of organizations including several Fortune 500 corporations. During his commercial tenure, Allen managed numerous programs within the telecommunications and information security industries, including several large multi-million dollar projects related to cellular/satellite network implementation. Allen’s background also includes defense policy analysis and national security policy, as well as military experience in the US Navy as a Russian linguist and Soviet naval analyst. Allen holds PMP and CISSP certifications and a Master’s degree in International Affairs from Columbia University.
Natalie – Director of Analytics
Natalie has been with the company since 2007. With more than 15 years of experience as an intelligence professional, Natalie’s expertise spans both the government and commercial sectors. Natalie’s work for the U.S. Government includes extensive experience in the identification, acquisition, and development of critical information, supporting high-value national security interests. In the commercial arena, Natalie led the development of innovative methods to acquire and analyze critical information to protect specific interests and high-value intellectual assets. Natalie holds a Master’s degree in International Relations from Yale University.
Interested in proactively defending your enterprise? Curious about possible employment opportunities?