We make holistic enterprise security possible.
Tailored Solutions & Consulting, Inc. (TSC Advantage) is a cyber risk consultancy specializing in the protection of trade secrets, intellectual assets, and other sensitive information. TSC Advantage was founded in 2006 as a response to the limitations of traditional approaches to cyber security that fail to incorporate holistic and proactive solutions in combating threats to enterprises. Our patent-pending and U.S. Department of Homeland Security (DHS) SAFETY Act-designated methodology holistically optimizes clients’ security posture to suit their unique organizational, procedural and market environments.
Headquartered in the Washington, DC metro area of downtown Silver Spring, MD, the TSC Advantage global team brings together over 300 years of combined experience in intelligence operations and analysis, traditional business acumen, and agile technology solutions. We provide expertise to a wide array of industries and organizations, ranging from the Fortune 500, healthcare, and leading global insurance underwriting markets, to the public sector and operators of U.S. critical infrastructure. Our proven delivery of panoramic cyber risk assessment and credentialed expertise makes us uniquely trusted and qualified in remediating clients’ most complex enterprise challenges.
In a complex world growing with sophisticated cyber attacks and threats from insiders, all organizations must be proactive in the defense of their sensitive information. From corporate intellectual property and trade secrets to protected health information, we have innovated an approach to enterprise security risk assessment that can help secure organizations across all industries.
Our unique approach examines holistic vulnerability across six critical domains of an organization as well as modules designed for ICS, PCI, and HIPAA with the intent of reducing risk and preventing cyber attacks, data breaches, and acts of terrorism from occurring in the first place. Using unparalleled expertise and over 300 years of combined specialized experience exploiting technical, physical, and human vulnerabilities of organizations, TSC Advantage better safeguards client value, innovation, and reputation in an age of sophisticated cyber attacks and data breaches.
Threat Vector Manager™
Our patent-pending Threat Vector Manager™ (TVM) is an award-winning and U.S. DHS SAFETY Act-designated knowledge management process that identifies trends, patterns, and areas of elevated risk across an enterprise in order to prevent and reduce cyber attacks, data breaches, and physical acts of terrorism.
Mapped to meet and exceed numerous national and international industry standards, including NIST and ISO, and fused with proprietary security expertise, TVM™ provides an objective, posture-based perspective on enterprise maturity and security resiliency, giving a comprehensive understanding of emerging cyber threats and the latest in competitive intelligence tradecraft. The methodology identifies best business practices, improves performance and decision-making, and informs resource allocation based upon risk sensitivity and exposure.
TVM™ helps maximize clients’ return on security investments by delivering objective intelligence and practical solutions to FIND, FIX, and PROTECT the most critical problem areas.
- Measurement designed to effectively baseline a wide range of policies, procedures, behaviors, and technical controls that affect a firm's overall security posture, using our U.S. DHS SAFETY Act-designated Enterprise Security Assessment and External Relationship Mapping solution
- Comprehensive assessment of client-specific risk that objectively measures cyber security culture and maturity across administrative, technical, and physical categories in conjunction with critical business needs
- Outcome-driven instrument designed to reduce the cost of effective security through an emphasis on prevention and awareness across traditional cyber security domains and overlooked threat vectors, such as external business relationships and the insider threat lurking within
- Creation of a targeted security initiative and implementation of improvements for top vulnerabilities, prioritized by domain maturity, a proprietary risk-ranking score and source-needs calculation, level of effort, and comparison against aggregated industry data
- Subscription via a highly secure, encrypted cloud portal or local host for periodic reevaluation and illustration of the impact of additional security initiatives
- Secure intelligence delivery via a customizable executive portal and dashboard tailored to the client environment, including sources such as DLP, MDM, and SIEM data, as well as social media and RSS feeds
- Ongoing assessment of evolving threats, vulnerabilities, and consequences for critical assets, with tailored recommendations for continuous improvement and visualizations of the security risk profile score and domain maturity compared against aggregated industry data
- Integration with any vendor's security sensors the client already owns, to leverage existing investments and position them for optimization
Read about TSC Advantage in the news
Take Advantage of TSC’s Free Cybersecurity Training in October
October is National Cyber Security Awareness Month (NCSAM), and it’s a great time to help the people in your organization understand potential threats to their work and personal information, as well as their role in keeping data secure.
With work and home life increasingly happening online and on-the-move, there is a greater need than ever to help people recognize the implications of their digital footprint.
TSC Advantage Can Help – Free Training
Interested in a Lunch 'n' Learn for staff or a presentation to executives and the board of directors? TSC Advantage is offering complimentary training during October 2016 to support the sharing of information on cybersecurity threats and appropriate security measures. Topics include:
- Social Engineering
- Resilience vs. Security
- IP Protection Beyond Compliance
Cybersecurity is a Shared Responsibility
NCSAM is an initiative led by the National Cyber Security Alliance and the U.S. Department of Homeland Security, along with more than 350 organizations. As an NCSAM Champion, TSC Advantage is dedicated to promoting a safer, more secure and more trusted internet. We are committed to sharing information on how to secure personal information, sensitive data, intellectual property and trade secrets.
TSC Advantage is an innovative leader in enterprise risk assessments, and cybersecurity consulting. Using our DHS SAFETY Act-designated Threat Vector Manager™ framework, TSC Advantage provides an objective understanding of security posture to help companies prioritize resources and better defend their enterprise. Trusted by global insurance underwriters, TSC Advantage is also the preferred provider of pre-binding enterprise security assessment on behalf of the Lloyd’s of London-backed Critical Asset Protection facility.
TSC Advantage Named One of the 20 Most Promising Cyber Security Solution Providers
Silver Spring, MD – Aug. 25, 2016 – TSC Advantage, an innovative leader in enterprise risk assessment and cybersecurity consulting, was named among the 20 Most Promising Cyber Security Solution Providers 2016 by CIOReview.
“It’s a great honor to announce TSC Advantage among these 20 most promising solution providers,” said Jeevan George, Managing Editor of CIOReview. “TSC Advantage’s Threat Vector Manager and Enterprise Security Assessment help to maximize clients’ return on security investments by delivering objective intelligence and practical solutions to find, fix, and protect the most critical problem areas.”
CIOReview ranked TSC Advantage based on the Threat Vector Manager™ (TVM) methodology, an award-winning and U.S. DHS SAFETY Act-designated knowledge management process that identifies areas of elevated risk across an enterprise in order to prevent and reduce cyber attacks, data breaches, or physical acts of terrorism. This enterprise security assessment framework is mapped to numerous national and international industry standards, including NIST and ISO, and is enhanced by proprietary security expertise. TVM™ provides an objective perspective on emerging cyber threats and on enterprise maturity and security resiliency. It identifies best business practices, improves security performance and decision-making, and informs resource allocation based upon risk sensitivity and exposure.
“We hear from CIOs about budgetary challenges and organizational skills constraints coupled with outsourcing risks,” TSC Advantage president Sean Doherty told CIOReview in an interview. “By framing cyber security as an enterprise risk issue and not just an IT issue, we help CIOs make the business case for proactive investments and departmental due diligence that will prevent loss of intellectual property, damage to the brand, and possible devaluation.”
About TSC Advantage
Headquartered in the Washington, DC region, TSC Advantage is a Service Disabled Veteran-Owned Small Business (SDVOSB) with 10 years of experience helping the federal government and private sector in the proactive and holistic defense of intellectual assets and sensitive information. A leader in enterprise risk assessments, cybersecurity consulting and managed services, TSC Advantage has also partnered with leading global underwriters to provide pre- and post-binding risk assessment to support cyber insurance policies for the critical infrastructure market.
To learn more about TSC Advantage, visit http://www.tscadvantage.com and follow us on LinkedIn and Twitter.
Published from Fremont, California, CIOReview is a print magazine that explores and understands the plethora of ways adopted by firms to execute the smooth functioning of their businesses. A distinguished panel comprised of CEOs, CIOs, IT VPs, and the CIOReview editorial board finalized the “20 Most Promising Cyber Security Solution Providers 2016” in the U.S. and shortlisted the best vendors and consultants. For more info: http://www.cioreview.com/
TSC Advantage Awarded GSA Professional Services Schedule Contract
Silver Spring, MD – August 15, 2016 – TSC Advantage, a Service Disabled Veteran Owned Small Business (SDVOSB) and innovative leader in cybersecurity consulting and managed services, announced today that the U.S. General Services Administration (GSA) has awarded the company a Professional Services Schedule (PSS) Contract.
TSC Advantage will provide Business Consulting Solutions under this Multiple Award Schedule (MAS), which gives agencies direct access to carefully vetted and proven vendors. It was previously known as the Mission Oriented Business Integrated Services (MOBIS) Schedule 874.
“In this our 10th year of supporting federal agencies with proactive security solutions, we are extremely pleased to be awarded this highly competitive contract, which will expand our ability to work with federal, state and local agencies,” said Sean Doherty, co-founder and president of TSC Advantage.
TSC Advantage’s offerings will be available on the GSA Professional Services Schedule under “Tailored Solutions and Consulting” contract number GS-00F-248DA. Agencies can also obtain information by contacting the company directly at 202-629-1960 or at firstname.lastname@example.org.
About TSC Advantage
TSC Advantage is a Service Disabled Veteran-Owned Small Business (SDVOSB) with over 10 years of experience helping federal agencies in the proactive and holistic defense of intellectual assets and sensitive information. In addition to cybersecurity consulting and managed services, TSC Advantage is also an innovative leader in enterprise risk assessments. Its U.S. DHS SAFETY Act-designated Threat Vector Manager methodology and associated Enterprise Security Assessment (ESA) improve holistic security maturity for the public sector as well as commercial entities and critical infrastructure. TSC Advantage has partnered with leading global underwriters to provide pre- and post-binding risk assessment to support cyber insurance policies for the critical infrastructure market.
TSC Advantage Named 2016 Most Innovative Enterprise Security Solution by Cyber Defense Magazine
Silver Spring, MD – TSC Advantage announced today that Cyber Defense Magazine, the industry’s leading electronic information security magazine and media partner of the RSA® Conference 2016, has named TSC Advantage winner of the Most Innovative Enterprise Security Solution of 2016.
After many months of review and judged by leading independent information security experts, Cyber Defense Magazine is pleased to have selected TSC Advantage as a winner for its Threat Vector Manager™ (TVM).
“We’re thrilled to recognize next-generation innovation in the information security marketplace and that’s why TSC Advantage has earned this award from Cyber Defense Magazine. Some of the best INFOSEC defenses come from these kinds of forward thinking players who think outside of the box,” said Pierluigi Paganini, Editor-in-Chief, Cyber Defense Magazine.
Threat Vector Manager™ is a patent-pending cyber risk assessment methodology that identifies trends, patterns, and areas of elevated risk across an enterprise environment. TVM is unique in the domain of cybersecurity risk assessment due to its U.S. DHS SAFETY Act designation, which extends liability protection to customers for third-party claims arising from a covered act of terrorism. It also stands out from traditional IT-centric solutions by producing a risk profile score and domain maturity level within six enterprise domains: insider threat, physical security, mobility, data security, internal business operations and external business operations. Moreover, global underwriters trust and rely on TVM's integrated approach to help determine the insurability of potential insureds operating in the U.S. critical infrastructure segment.
“CDM’s recognition of Threat Vector Manager™ further validates our company as an innovator,” said Sean Doherty, President and founder of TSC Advantage. “We know that to truly reach cyber resiliency and to make strategic cyber investments, organizations must look beyond automated solutions to understand enterprise-wide risk. This industry honor is an endorsement that Threat Vector Manager™ is a leading-edge approach, and when combined with TSC’s mix of intelligence experience and business acumen, it puts organizations in a proactive versus reactive posture to counter dynamic threats.”
About Cyber Defense Magazine
Cyber Defense Magazine is the premier source of IT Security information. Its mission is to share cutting edge knowledge, real world stories and awards on the best ideas, products and services in the information technology industry. Learn more at http://www.cyberdefensemagazine.com
About TSC Advantage
TSC Advantage is a cyber risk consultancy specializing in the protection of sensitive information using a patent-pending and U.S. DHS SAFETY Act-designated methodology to perform cyber risk assessments for organizations across all verticals. The TSC Advantage team brings over 300 years of combined experience serving in premier U.S. national security organizations. The company stands apart with an integrated approach to cybersecurity that examines traditional cyber risk but also five other domains of enterprise vulnerability, including the role of business dependencies and the insider threat lurking within. TSC Advantage counts Fortune 500 businesses, global insurance underwriting markets, U.S. critical infrastructure, healthcare, and innovative start-ups as clientele.
TSC Advantage Hosts Third Annual threatLAB Conference
Silver Spring, MD – Feb. 2, 2016 – TSC Advantage, an enterprise cyber risk consultancy specializing in the proactive defense of intellectual assets, trade secrets and other sensitive information, today kicked off ThreatLAB® 2016, an exclusive cybersecurity thought leadership event. The third annual ThreatLAB® conference will educate senior private and public sector security professionals about the multitude of complex threats facing U.S. enterprises. The interactive theme Cyber Risk 360° embodies a philosophy of taking an enterprise-wide view of cybersecurity and risk.
ThreatLAB® 2016 features a keynote address from John Lenkart, Assistant Special Agent in Charge, National Security/Cyber Investigation, Richmond Division, Federal Bureau of Investigation (FBI). Throughout his career as a special agent, Lenkart has led and managed countless counterintelligence and economic espionage investigations aimed at defeating foreign-sponsored adversaries operating in the United States.
Additional speakers include: George Bamford, Director, DHS National Infrastructure Coordination Center; Joseph Ladd, Insider Threat Manager, Southern Company Services; Andrew Lamm, Director, Information Asset Protection, Cummins, Inc.; and Jeffrey Torosian, Partner, DLA Piper.
They will discuss the growing threat to corporations from state sponsors, hackers, and insider threats, what companies should do to protect themselves in an age of sophisticated cyberattacks, and the role of public-private partnerships.
“Knowing that even the best fortifications and preventative measures can fail, the role of achieving cyber resiliency becomes critical,” said Sean Doherty, president of TSC Advantage. “Resilient organizations combine multiple enterprise-wide functions to prevent, detect and recover from disruptions. At threatLAB, our attendees can learn from experts in the field and discuss their challenges and successes.”
ThreatLAB® 2016 is the continuation of efforts to educate organizations across all verticals on how to take a harmonized and panoramic approach to the cyber threat landscape. Hosted by TSC Advantage and Liberty Advisor Group, the 2016 conference is located at the Streamsong Resort in central Florida. Additional support is provided by sponsors McGriff, Seibels & Williams, Miller Insurance, and Sectra Communications.
About TSC Advantage
TSC Advantage is a cyber risk consultancy specializing in the protection of trade secrets, intellectual assets, and other sensitive information using a patent-pending and U.S. DHS SAFETY Act-designated methodology to perform cyber risk assessments for organizations across all verticals. The TSC Advantage team brings over 300 years of combined experience serving in premier U.S. national security organizations. Unlike other solutions, the company stands apart with its holistic approach to cybersecurity, which examines traditional cyber risk plus five other domains of enterprise vulnerability, including the role of business dependencies and the insider threat lurking within. TSC Advantage counts Fortune 500 businesses, global insurance underwriting markets, U.S. critical infrastructure, healthcare, and innovative start-ups as clientele.
TSC Advantage Named Finalist in 2016 Global Excellence Awards by Info Security Products Guide
Silver Spring, MD – January 13, 2016 – TSC Advantage announced today that its Threat Vector Manager™ (TVM) risk assessment solution has been named a finalist for the 2016 IFPG Global Excellence Awards in the category of Best Security Products and Solutions for Insurance. Info Security Products Guide is the industry’s leading information security research and advisory guide. These prestigious global awards recognize security and IT vendors with advanced, ground-breaking products and solutions that help set the bar in all areas of security and technologies. Winners will be announced in San Francisco on February 29, 2016.
Threat Vector Manager™ is a proprietary, patent-pending cyber risk assessment methodology that holistically identifies trends, patterns, and areas of elevated risk across an enterprise environment in order to prevent and reduce cyber attacks, data breaches, or physical acts of terrorism. TVM is unique in the domain of cybersecurity risk assessment due to its U.S. DHS SAFETY Act designation, which extends liability protection to customers for third-party claims arising from a covered act of terrorism, as well as the output of the assessment itself, which produces a risk profile score and domain maturity level within six enterprise domains and has been adopted by global underwriters to help determine the insurability of potential insureds operating in the U.S. critical infrastructure segment.
“TSC Advantage is pioneering a vastly improved approach to cyber insurance underwriting, which rewards mature cyber security postures and allows customers to receive insurance with the broadest coverage, fewest exclusions, and tailored to their individual threat profiles,” said Sean Doherty, President of TSC Advantage. “We’re proud that Threat Vector Manager’s™ customer-focused methodology has been recognized as a finalist by Info Security Products Guide.”
About Info Security Products Guide Awards
SVUS Awards organized by Silicon Valley Communications are conferred in 10 annual award programs, including the Info Security Guide’s Global Excellence Awards. These premier awards honor organizations from all over the world, including the people, products, performance, PR and marketing. To learn more, visit www.svusawards.com
About TSC Advantage
TSC Advantage is a cyber risk consultancy specializing in the protection of trade secrets, intellectual assets, and other sensitive information using a patent-pending and U.S. DHS SAFETY Act-designated methodology to perform cyber risk assessments for organizations across all verticals. The TSC Advantage team brings over 300 years of combined experience serving in premier U.S. national security organizations. Unlike other solutions, the company stands apart with its holistic approach to cybersecurity, which examines traditional cyber risk plus five other domains of enterprise vulnerability, including the role of business dependencies and the insider threat lurking within. TSC Advantage counts Fortune 500 businesses, global insurance underwriting markets, U.S. critical infrastructure, healthcare, and innovative start-ups as clientele.
Inc. Names TSC Advantage as Fastest Growing Firm in 2015
Silver Spring, MD – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of trade secrets, intellectual assets, and other sensitive information, is pleased to announce that it has been ranked No. 3294 on the 2015 Inc. 500|5000, an exclusive ranking of 5,000 of the nation's fastest-growing private companies. The list represents the most comprehensive look at the most important segment of the economy: America's independent entrepreneurs. Companies such as Yelp, Pandora, Timberland, Dell, Domino's Pizza, LinkedIn, Zillow, and many other well-known names gained early exposure as members of the Inc. 500|5000.
“We are honored to be included in the prestigious Inc. 500|5000 list among the other innovative and rapidly growing firms across the U.S.,” said TSC Advantage President Sean Doherty. “Over the past few years, we have experienced substantial growth which couldn’t have been possible without our valued customers and talented employees,” he said. “This honor not only recognizes the need enterprises have for expert and holistic cyber risk assessment, but validates the unique approach and confidence value offered by our methodology.”
The 2015 Inc. 5000, unveiled online at Inc.com, is one of the most competitive groups in the list's history. The companies on this year's Inc. 5000 list have achieved a median growth rate of 1,772 percent and have collectively created 57,822 jobs. To view TSC Advantage's complete profile on the 2015 Inc. 5000 list, visit: www.inc.com/profile/tsc-advantage
Inc. 500|5000 Methodology
The 2015 Inc. 5000 list measures revenue growth from 2011 to 2014. To qualify, companies must have been founded and generating revenue by March 31, 2011. Additionally, they had to be U.S.-based, privately held, for profit, and independent–not subsidiaries or divisions of other companies–as of December 31, 2014. The minimum required 2011 revenue is $100,000; the minimum for 2014 is $2 million. Revenue listed in the company profiles is for calendar year 2014. Employee counts are current. Employees receiving benefits are included in the employee counts. Inc. reserves the right to reject applicants for subjective reasons. The companies of the Inc. 500 represent the top tier of the Inc. 5000.
Founded in 1979 and acquired in 2005 by Mansueto Ventures, Inc. is the only major brand dedicated exclusively to owners and managers of growing private companies, with the aim to deliver real solutions for today’s innovative company builders. Total monthly audience reach for the brand has grown significantly from 2,000,000 in 2010 to over 6,000,000 today. For more information, visit www.inc.com.
TSC Advantage Announces Relocation of Corporate Headquarters
Fast-growing Cybersecurity Consultancy Relocates to New Office Space in Maryland
Washington – June 2, 2015 – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of trade secrets, intellectual assets and other sensitive information, today announced its plan to move to a larger and newly renovated office space in downtown Silver Spring, Md., to accommodate its growth. TSC Advantage plans to be in its new 6,000 square foot facility on Wayne Avenue for at least the next five years.
The new headquarters will further support the projected expansion of TSC Advantage’s business, including its support to global insurance underwriting markets and its traditional consulting business, while retaining proximity to the U.S. capital region, convenient transportation hubs, deep talent pool and now direct placement within Maryland’s cybersecurity epicenter.
“We evaluated numerous locations within the metropolitan Washington, D.C., area in our search for a new corporate headquarters and ultimately Silver Spring and Montgomery County were too attractive to resist,” said Sean Doherty, president of TSC Advantage. “As a growing business, the various incentives and exciting partnership opportunities with initiatives, such as Cyber Maryland, will be beneficial to our continued success and reaffirms the commitment of state and local leaders in Maryland in attracting firms such as ours.”
In the past four years, TSC Advantage has added an average of six to eight new employees per year and has expanded its range of products and services. In late 2014, TSC Advantage received the U.S. Department of Homeland Security’s SAFETY Act Developmental Testing and Evaluation designation for its Threat Vector Manager™ cyberrisk assessment solution. In early 2015, the company launched Secure Halo™, software used to collect and calculate risk scoring and domain maturity as well as a portal by which customers and insurance underwriters alike can access their security assessments in a secure and personalized platform.
TSC Advantage is experiencing rapid growth, due in part to the company’s 2013 partnership with more than 15 Lloyd’s of London insurance underwriters and brokers to conduct holistic cyberrisk assessments for insurance products sold to operators of U.S. critical infrastructure and other markets, including private equity, healthcare, retail and maritime. With results obtained from TSC Advantage’s holistic cyberrisk assessment, insurance markets are able to underwrite cyber risk and calculate annual premiums for cyberinsurance policies covering liability expenses in the hundreds of millions of dollars.
The move is expected to be completed by July 2015.
TSC Advantage Hosts 2nd Annual ThreatLAB Conference
Anatomy of Resilience™ Theme Will Feature Expertise on Cyber Threats from FBI Counterintelligence Executive
WASHINGTON, May 12, 2015 — TSC Advantage, an enterprise cyberrisk consultancy specializing in the proactive and holistic defense of intellectual assets, trade secrets and other sensitive information, today announced ThreatLAB® 2015, an exclusive thought leadership event taking place May 20-21 in Las Vegas that will educate senior private and public sector security professionals about the multitude of complex threats facing U.S. enterprises. The interactive theme Anatomy of Resilience™ encompasses ways to defend intellectual assets and trade secrets in an age of panoramic cyber threats. Attendees will have the opportunity to dissect recent cyberattacks and data breaches through panels, speaker sessions and interactive labs, as well as the opportunity to participate in collaborative scenarios addressing cybersecurity challenges from a holistic perspective.
ThreatLAB® 2015 will feature a keynote address from John Lenkart, chief of staff and special assistant to the assistant director of the FBI’s Counterintelligence Division. Throughout his career as a special agent and supervisory special agent, Lenkart has led and managed countless counterintelligence and economic espionage investigations aimed at defeating foreign-sponsored adversaries operating in the United States, including state-sponsored efforts to acquire, steal or transfer a broad range of trade secrets in which the United States maintains a definitive innovation advantage. As the keynote speaker, Lenkart will present his expertise on the growing threat to corporations from state sponsors, insider threats and what companies should be doing to protect themselves in an age of sophisticated cyberattacks.
“It is no longer a secret that data breaches and successful cyberattacks of U.S. companies are being perpetuated through a combination of technical and non-technical precursors,” said Sean Doherty, president of TSC Advantage. “Despite a myriad of ways in which cyber threats enter organizations, the market continues to emphasize technology deployments as a panacea for effective enterprise risk management. That is a dangerous and incomplete strategy,” he said.
ThreatLAB® 2015 is the continuation of efforts to educate organizations across all verticals to discuss the Anatomy of Resilience™ and how it must start with recognizing their panoramic threat landscape. In addition to traditional IT security approaches, effective strategies must also include an understanding of behavioral indicators exhibited by insiders as well as threats posed by external business relationships, adopting mature security practices, and recovering quickly through sound business continuity plans if an attack or breach does occur.
TSC Advantage Earns Homeland Security SAFETY Act Designation
Credential provides additional validation of TSC Advantage’s holistic approach to cyber risk assessment
Washington, D.C. – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of trade secrets, intellectual assets and other sensitive information, today announced it has earned the U.S. Department of Homeland Security's SAFETY Act Developmental Testing and Evaluation (DT&E) designation for its patent-pending Threat Vector Manager™ (TVM) cyber risk assessment process.
The SAFETY Act is a federal law passed by the U.S. Congress to facilitate and promote the development and deployment of anti-terrorism technologies that can deter, defend against, identify, respond to or mitigate an act of terrorism and save lives. The SAFETY Act designation qualifies Threat Vector Manager™ as an anti-terrorism technology and provides liability protection for both TSC Advantage and its customers in the event of a covered act of terrorism. DT&E designation is the developmental tier of the program, granted for a limited term while a technology is still being evaluated. To earn this designation, TSC Advantage underwent a rigorous due diligence and selection process, which included the Department of Homeland Security interviewing the company's current and former customers.
“One of the biggest concerns any business can encounter in the marketplace is the exposure potential to excessive liability,” said Sean Doherty, president of TSC Advantage. “With this designation, we are pleased to be able to extend the benefits of liability indemnity from covered acts of terrorism to customers who undergo our unique cyber security assessment.”
TSC Advantage’s Threat Vector Manager and its associated Enterprise Security Assessment enhance cyber risk assessment and improve holistic security maturity in commercial organizations, including the Fortune 1000, U.S. critical infrastructure and the public sector. Tied to international and national standards and fused with subject matter expertise, TVM™ assesses six top-level domains that include the roles of insider threat, external business dependencies and physical security in order to identify trends, patterns and areas of enterprise risk across technical, human and procedural categories.
In 2014, TSC Advantage partnered with more than a dozen insurance underwriters operating on the Lloyd’s of London exchange and worldwide insurance brokers to conduct cyber security assessments for cyberinsurance policies sold to public utility and critical infrastructure sectors. Using TVM’s Enterprise Security Assessment, global underwriters are provided an in-depth and posture-based assessment of a pre-insured’s holistic risk profile that is used by underwriters to determine insurability and calculate insurance premium levels.
“SAFETY Act designation is a critical differentiator for pre-binding cyber risk assessment because it demonstrates the extent to which the methodology and process has been validated,” said Tom Quy, a leading cyber insurance broker with Miller Insurance LLP of London. “Using TSC Advantage’s vetted approach, customers may not only receive holistic cyber risk assessment and insurance tailored to their threat profiles, but through SAFETY Act designation, an additional layer of protection for customers from third-party claims should a covered act of terrorism occur,” he said.
TSC Advantage Enhances Holistic Cyber Assessment to Improve Enterprise Security
Posture-based methodology transforms risk assessment for cyberinsurance, commercial enterprises and public sector
Washington, D.C. – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of intellectual assets, trade secrets and other sensitive information, today announced that its patented Threat Vector Manager™ (TVM) technology is enhancing cyberrisk assessment and improving holistic security maturity for commercial organizations, critical infrastructure and the public sector. In addition, through its partnership with leading global insurance underwriters and brokers, TSC Advantage is transforming pre-binding risk assessment, which supports cyberinsurance policies for the critical infrastructure market and for those focusing on cyberterrorism.
Improving enterprise security posture through holistic assessment
As all organizations struggle to defend against cyberattacks, TSC Advantage is informing an intelligence-based process that aligns resources against an entity’s highest priority threats. TVM™, through its associated Enterprise Security Assessment (ESA) component, identifies trends, patterns and areas of elevated risk within enterprise environments and offers customers a comprehensive and holistic measurement of security controls across the following six top-level domains:
Insider threat – Examines technical and non-technical precursors of risk from high-risk actors, events and behaviors from human beings throughout an enterprise ecosystem
Physical security – Focuses on the potential for physical intrusion and unauthorized access to priority locations where sensitive information is stored and accessed
Mobility – Explores vulnerability of data during foreign travel and from mobile devices
Data security – Examines risks stemming from the use and defense of enterprise IT resources
Internal business operations – Measures the effectiveness of initiatives that manage internal administrative vulnerabilities and critical assets resulting from personnel, organizational or business processes
External business operations – Examines an organization’s security strategy, policies and procedures, and threat universe resulting from external engagements
“With an increasing number of sophisticated cyberattacks arising from external dependencies, such as from third party vendors and trusted insiders, an effective security assessment cannot ignore human behavior in defense of cybersecurity, nor the financial or business constraints affecting security investments,” said Sean Doherty, president of TSC Advantage. “The holistic approach in our ESA provides evidence-based and objective assessments of internal and external forces affecting a client’s security posture, and is not limited in scope by only focusing on a singular area, such as traditional endpoint concepts and other IT-centric solutions,” Doherty said.
Transforming pre-binding risk assessment
TSC Advantage has partnered with more than a dozen insurance underwriters operating on the Lloyd’s of London exchange and worldwide insurance brokers to offer a new cyberinsurance product designed to address cyberliability exposures that arise within the utility and critical infrastructure sectors. Using TSC Advantage’s ESA risk assessment tool, insurance underwriters are afforded in-depth understanding of a pre-insured company’s holistic risk profile that considers the evolving sophistication of cyber threats and complexity of potential attack vectors.
“With the financial impact of cyber risk increasing every day, the cost of inaction leaves all organizations exposed to huge liabilities,” said Tom Quy, a leading cyberinsurance broker with Miller Insurance Services LLP of London. “By working with TSC Advantage, we are pioneering a vastly improved methodology for cyberinsurance underwriting, which rewards mature cyber security postures and allows our customers the ability to receive insurance with the broadest coverage, fewest exclusions, and tailored to their individual threat profiles.”
TSC Advantage Hosts ThreatLAB 2014 to Promote Better Understanding of the Complex Threats Facing U.S. Innovation
Private and public sector security professionals will learn how to better defend intellectual assets and trade secrets in age of diversified threats
Washington, D.C. – TSC Advantage, an enterprise risk consultancy specializing in the proactive and holistic defense of intellectual assets, trade secrets and other sensitive information, today announced ThreatLAB™ 2014, an exclusive thought leadership event, taking place May 14-15 in Las Vegas, that is designed to educate private and public sector security professionals about the multitude of complex threats facing U.S. intellectual assets. Through interactive learning modules derived from case studies involving sophisticated threats to corporate secrets, attendees will learn the skills to identify enterprise risk using holistic intelligence and analysis techniques.
ThreatLAB 2014 will feature a keynote address from John Powell, former vice president and general counsel for American Superconductor Corporation (AMSC). Powell will present a case study about an insider threat AMSC faced in 2011 that resulted in extraordinary value degradation for AMSC and the loss of hundreds of millions of dollars in revenue. Through lessons learned from the incident, the keynote will reinforce TSC Advantage’s message that corporate investments in security solutions should not be limited to specific technical controls focusing on data security. Rather, effective protection must also incorporate the understanding that corporate threats are diverse and that an integrated approach is the only way to successfully identify trends, patterns and areas of elevated risk across multiple enterprise domains, particularly from trusted insiders and external business dependencies.
“It has been estimated that intellectual asset theft costs American businesses between $300 and $500 billion a year, yet we continue to see the standard corporate response be limited to advanced malware detection programs or legacy endpoint protection,” said Sean Doherty, president of TSC Advantage. “While those are important, they offer limited defense and are just a piece of an overall puzzle. The purpose of ThreatLAB 2014 is to educate the market that threats are as diversified as they are complex – and they require a holistic approach in order to truly understand and remediate them.”
To learn more about ThreatLAB 2014 or to request an invitation, please visit http://threatlab2014.com/.
TSC Advantage Announces Key Partnership with Global Insurance Market Led by Lloyd’s of London
Lloyd’s of London Insurance Product to Integrate TSC Advantage’s Holistic Risk Assessment Methodology with New Cyber Security Policy for U.S. Energy Industry
Washington, D.C.-based Tailored Solutions & Consulting Inc. (TSC Advantage), an innovator in enterprise security intelligence specializing in intellectual asset and trade secret protection, today announced the integration of its patented Threat Vector Manager™ (TVM) platform with a new cyber insurance policy for U.S. critical assets led by Lloyd’s of London.
“As discussed in Executive Order 13636, the cyber threat to U.S. critical infrastructure represents a growing and persistent challenge to the national and economic security of the United States,” said Sean Doherty, President of TSC Advantage. “As a first of its kind, we are excited to pioneer incentives for private industry’s partnership with public sector cyber security initiatives. Our platform provides insurance underwriters a means to reliably and accurately determine the cyber risk class of U.S. critical assets using our objective, standards-based methodology for assessing holistic enterprise security.”
TSC Advantage’s platform will assist London and international underwriters to optimize their pre-binding process through incorporation of TVM™’s Enterprise Security Assessment component. TSC Advantage’s methodology is trusted to deliver objective, baseline measurement of holistic vulnerabilities across six domains while examining threat vectors both internal and external. With TVM™, underwriters will be afforded contextual awareness of the potential insured’s security posture — not a mere audit — as well as a clear understanding of strengths, weaknesses, and associated risks of loss.
“In an age of growing and sophisticated cyber attacks as well as threats emanating from insiders, it is essential all organizations ensure a proactive and holistic approach to their security,” Doherty said. “Rather than spending money on theory, companies will be receiving objective, real-world risk assessment that will enable them to obtain appropriate insurance for their particular risks, and thereby reduce the cost of implementing Executive Order 13636 and PPD-21,” he said.
TSC Advantage Addresses Trade Secret Theft at Intellectual Property Owners Association Annual Meeting
TSC Advantage Director of Security Intelligence Reminds Audience of the Dangers Posed by Insider Threats
Washington, D.C. – Tailored Solutions & Consulting (TSC Advantage), an innovator in enterprise security intelligence specializing in intellectual asset and trade secret protection, has announced that TSC Advantage’s Director of Security Intelligence addressed an audience of legal experts, business leaders, and other stakeholders at the Intellectual Property Owners Association annual meeting in downtown Boston, MA on 17 September 2013.
During the keynote panel presentation with in-house counsel and experienced practitioners from Ford Global Technologies LLC and the U.S. Department of Justice’s Computer Crime and Intellectual Property Section, TSC Advantage’s director offered the audience practical advice for preventing and addressing trade secret theft in an age of growing and targeted threats to corporate value.
“The decision of whether to protect innovation via patent, trade secret or otherwise is almost entirely separate from that of effective security. An adversary doesn’t care about what legal category their desired target information falls under, only if they can get access to it,” said Mark Lopes, TSC Advantage’s Director of Security Intelligence.
“Paranoia is part of good business practice as long as it does not impede efficiency or disrupt innovative culture,” he continued. “You should always assume somebody wants your company’s most sensitive information simply because of the current or potential future economic value it represents. To assume everyone will respect ownership rights is not only naïve, it could also mean corporate suicide.”
Distinguishing between TSC Advantage and other security firms who only apply cyber-centric or software solutions to enterprise security challenges, Lopes reminded the audience that most threats actually originate from human beings within organizations and not from external and distant hackers.
“We continue to see a vast amount of security resources being poured into purely IT and cyber solutions while the vast majority of data shows that most intellectual property and trade secrets are compromised via insider threats,” he said. “While investment in IT and cyber is important and can help prevent the remote theft of corporate secrets, it does very little to deter, detect and prevent the more prevalent source of theft: someone within your own corporate ecosystem. This is what we focus on at TSC Advantage.”
Statement by TSC Advantage on FBI’s iGuardian Platform for Cyber Threat Reporting
TSC Advantage Expert: Platform Complementary to Executive Order 13636; Highlights U.S. Government’s Commitment to Value-based Cyber Programs for Private Sector
Washington, D.C. – While U.S. Executive Order 13636 represents a new policy emphasis on public and private sector coordination on cyber threats, the FBI’s recent launch of iGuardian is a complementary initiative dedicated to the mutual benefit of government and industry. It is a mechanism designed to expedite and augment the cyber security dialogue between private industry and the FBI. It also extends to private industry actors that are not officially designated as critical infrastructure, which is the primary scope of E.O. 13636. More importantly, however, it demonstrates the FBI’s commitment to establishing cyber programs that create value for participating US businesses.
While not a replacement for corporate security investments, iGuardian is intended to transform cyber partnerships into enabling proactive and preventative postures. For example, it is intended to facilitate assessments of sophisticated cyber adversaries within and across sectors, aimed at exposing shared as well as unique cyber threats and vulnerabilities. Rather than evaluating cyber threat data from an exclusively enterprise-centric view, this portal will assist FBI’s generation of crosscutting examinations that result in improved cyber awareness and ultimately the dissemination of actionable information to private industry. In short, it enables industry to benefit from the skills and expertise of US Government cyber technologists, while still maintaining and tailoring enterprise cyber investments.
Collaboration between the public and private sectors is requisite to the defense of US economic ingenuity. Neither sector in isolation has at its disposal the depth and breadth of skills, resources and information required to stem the tide of cyber attacks. In the cyber realm, national security concerns and economic interests are interleaved, as is public-private sectors’ interest in defense of American cyber posture.
“Participation in programs such as iGuardian will enable industry trailblazers to shape the scope and outcome of this nascent mechanism for dialogue with the US government – assuring it meets the bottom line needs of the US commercial sector and the Executive Branch,” says Natalie Lehr, TSC Advantage’s co-founder and Director of Analytics. “It is a critical step in exposing the barriers and tackling the uncertainties surrounding cyber risk and federal dialogue with private industry,” she said.
TSC Advantage continues thought leadership on intellectual asset protection
TSC Advantage Director of Security Intelligence Speaks to Business Leaders in Boston on Corporate Espionage and BYOD
Washington, D.C. – Tailored Solutions & Consulting (TSC Advantage), an innovator in enterprise security intelligence specializing in intellectual asset and trade secret protection, has announced that TSC Advantage’s Director of Security Intelligence addressed an audience of business leaders and security experts at the Licensing Executive Society Conference in Boston, MA on June 18th.
During a panel presentation on the topic of protecting sensitive data such as intellectual assets and trade secrets, TSC Advantage’s director offered a suggestion as to how U.S. companies should understand the growing phenomenon of corporate espionage directed against them.
“Instead of looking at this issue from a moral standpoint, it is better to understand why this issue is occurring from an economic perspective,” said Mark Lopes, TSC Advantage’s Director of Security Intelligence. “Why would a competitor choose the longer, harder, and more expensive path to value creation when they could simply steal it from you with the click of a mouse or through a well-placed insider?”
In response to a proposed question concerning effective BYOD policy development, Lopes highlighted the growing challenges companies face while trying to maintain the right balance between information security and employee productivity as wrought by the ubiquity of mobile devices. “At TSC Advantage, we tell our clients that access control is the key to preserving intellectual property as it pertains to BYOD,” he said. “From this standpoint, we believe that access to information on devices such as personal tablets and phones must be limited to information that a company would feel comfortable losing in the event of a security incident.”
Continuously Connected: The Hidden Costs in Healthcare Technology Investments
Every day, my Fitbit tracks my calories burned and steps taken. The app on my phone calculates how much protein and fat I’ve consumed based on the foods I ate. Another app uses GPS to track how far I’ve run and in how much time. These are just a few ways the Internet of Things (IoT) impacts my daily health, and it’s only just the beginning.
The healthcare industry is rapidly developing wireless medical devices that continuously monitor heart rate, blood pressure, sleeping schedules and more. These devices offer an unmatched amount of data that is useful for you and your doctor to track your health, send alerts if any thresholds are crossed, and reduce time spent at the doctor’s office.
With the continuous development of these devices, it’s likely we will soon see major advances in healthcare tools, like medical apparatuses that are implanted into bodies to regulate insulin and sugar levels or to manage heart and lung functions. On an organizational level, tracking devices throughout a hospital can measure operational efficiency, reduce patient wait time by collecting data on a patient’s steps and identify patient traffic jams.
Connected devices can yield tremendous benefits, but also come with security, privacy, and business challenges. That’s the topic of this week’s National Cyber Security Awareness Month theme. Below, we look at some of the hidden costs that healthcare organizations must consider as they implement cutting-edge connected technologies, while still providing security, safety and privacy (for even more hidden costs, read our Healthcare Informatics article “The Real Cost of a Healthcare Data Breach”):
- Many Health Insurance Portability and Accountability Act (HIPAA) breaches are caused by lost or stolen devices that contain Protected Health Information (PHI). As PHI devices multiply swiftly, the risk of breaches and stress of keeping track of devices increases. Combating these breaches involves maintaining, through customized or manual solutions, an inventory of all authorized devices used to collect patient information and a list of who is allowed to access each device. This is a labor intensive effort that usually goes beyond the initial cost of the technology itself.
- The wireless network in which healthcare tools operate is more vulnerable to exploit and potential data overload than the device itself. As the number of entryways into your network expands, proper authentication and management of data become increasingly important to ensure continuous availability of information to those who need it. Limiting the amount of data each device collects and segregating that information also helps contain the impact of a compromise. For example, a heart rate monitor may record only a patient number together with the corresponding heart rate readings, while the mapping that ties a patient number to a patient’s identity is stored on a separate system.
- New technology is dependent on its managers, users and software. Human error can be attributed to a vast majority of data breaches. Proper training and testing of workforce effectiveness is the best defense to human error. New tools come with new skills that require time to be learned and mastered. This time and resource requirement is often overlooked and neglected. Training for new devices should include all users of the tool, not just the IT back office. All users of these devices should be instructed on best practices and periodically tested for effectiveness.
- All the additional information that these devices collect adds to the growing “pot of gold” of PHI stored on your systems. PHI is the most valuable of personal information due to its permanency, advanced level of detail, and opportunity for insurance and medical fraud. Unlike credit card numbers, your patients cannot replace their medical history overnight. The use of PHI is the highest level of identity theft and involves some of the most personal and sensitive information about our lives. Healthcare managers cannot overlook this factor and need to invest in securing information collected along with the benefits this information provides.
- Finally, every responsible healthcare organization should do their best by planning for the worst. That includes creating a business continuity plan to maintain operations in the event of a breach or ransomware situation such as those experienced by numerous healthcare providers in 2016. While they require an investment of time, business continuity plans are essential features of a corporate risk management plan because they ultimately reduce the cost of a cyber incident by preserving access to critical business information and assets. Click Here for our Infographic on “Four Ways to Get Started on a Business Continuity Plan.”
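The first and second items above describe two controls that are easy to state and easy to get wrong: an inventory of authorized devices, and keeping device readings apart from the system that can tie a patient number back to a name. The following is an added example, not code from the TSC Advantage post, that models both in one small Python module. It assumes a single process standing in for two separately hosted systems, a constructed placeholder key for the identity vault, and constructed sample patients and devices; the class and function names are hypothetical.

```python
"""Added example: segregating device telemetry from patient identity, plus an
authorized-device check.  Not TSC Advantage code; all data here is constructed."""
import hashlib
import hmac

# Constructed sample data: placeholder patients and an authorized-device inventory
# (device id -> the patient it is assigned to).
PATIENTS = {"P-1001": "Alice Example", "P-1002": "Bob Example"}
AUTHORIZED_DEVICES = {"hrm-07": "P-1001", "hrm-12": "P-1002"}
VAULT_KEY = b"placeholder-vault-key-rotate-me"  # constructed; lives only in the vault


class IdentityVault:
    """The only place a pseudonymous patient token maps back to a real identity.
    Modelled as a separate system with its own access control (assumption)."""

    def __init__(self, key: bytes):
        self._key = key
        self._token_to_id: dict[str, str] = {}

    def token_for(self, patient_id: str) -> str:
        # Keyed HMAC: stable per patient, but not reversible without the vault key.
        tok = hmac.new(self._key, patient_id.encode(), hashlib.sha256).hexdigest()[:16]
        self._token_to_id[tok] = patient_id
        return tok

    def resolve(self, token: str, role: str) -> str:
        # Only clinical roles may re-identify; device and analytics roles cannot.
        if role != "clinician":
            raise PermissionError(f"role {role!r} may not resolve patient tokens")
        return PATIENTS[self._token_to_id[token]]


class TelemetryStore:
    """Device-facing store: holds tokens and readings, never names or patient IDs.
    It asks the vault for a token but never holds the vault key itself."""

    def __init__(self, authorized: dict[str, str], vault: IdentityVault):
        self._authorized = authorized
        self._vault = vault
        self.readings: list[dict] = []

    def record(self, device_id: str, bpm: int) -> bool:
        # Reject readings from devices missing from the inventory (unknown, lost, stolen).
        patient_id = self._authorized.get(device_id)
        if patient_id is None:
            return False
        token = self._vault.token_for(patient_id)
        self.readings.append({"token": token, "device": device_id, "bpm": bpm})
        return True

    def alerts(self, threshold: int = 120) -> list[dict]:
        # Threshold alerting works on tokens alone; no identity is needed here.
        return [r for r in self.readings if r["bpm"] > threshold]


def contains_identity(readings: list[dict]) -> bool:
    """True if any stored reading carries a patient ID or name (should always be False)."""
    identifiers = set(PATIENTS) | set(PATIENTS.values())
    return any(v in identifiers for r in readings for v in r.values())


if __name__ == "__main__":
    vault = IdentityVault(VAULT_KEY)
    store = TelemetryStore(AUTHORIZED_DEVICES, vault)
    store.record("hrm-07", 135)   # accepted, over threshold
    store.record("hrm-99", 80)    # rejected: device not in inventory
    for alert in store.alerts():
        print(alert["device"], alert["bpm"], vault.resolve(alert["token"], "clinician"))
```

A dump of `TelemetryStore.readings` carries only tokens, device ids and readings, so a compromise of the device-facing system alone does not expose who the readings belong to; re-identification is a separate, role-checked call into the vault, which is where audit logging would belong.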
Healthcare managers must keep the investment of people in mind regardless of how advanced and developed technology becomes. Consider the time it takes to train managers on new software and devices, train all users on proper and acceptable use procedures, and the overall effort to maintain access lists, inventories, and patch management. Vendors will offer training, but it’s up to the healthcare organization to ensure proper use and protection of information. After all, saving $2 million in operational efficiencies means less after a $2 million HIPAA violation fine.
Protect Your Company From The Fastest Growing Cybercrime – Ransomware
As businesses adopt more and newer internet advances, they face a greater risk of being subjected to cybercrime. Ransomware is one of the fastest growing cybercrimes in today’s digital era and is increasingly becoming more prevalent at the enterprise level. The threat ransomware poses to the ability to maintain operations and customer service should make organizations, from the C-Suite on down, think twice about their approach to cybersecurity, before it’s too late.
Changing Nature of Threat
Ransomware is emerging as one of the most widespread types of malware used for cyberattacks. This specific type of malware inhibits users from accessing their systems and files by locking or encrypting them until the victim pays the required ransom to restore their network to its normal state. Companies may encounter a ransomware threat through a variety of methods. Two of the most common ways ransomware is downloaded onto devices is by viewing compromised websites or by clicking on and accessing attachments from spammed emails.
As ransomware and its variations have become more sophisticated, cybercriminals have gone from targeting individuals and smaller businesses, to aiming their threats at large organizations and C-level executives. According to Osterman Research, Inc., C-Suites and other senior executives are being targeted 25 percent of the time because of the potential for a higher ransom payment.
The “high-end” cybercriminals that target enterprise level companies use phishing or whaling emails as their main method of cyberattacks. To do this, they use advanced social engineering tactics such as incorporating professional, expert-looking messages as well as including relevant information pertaining to the victim to make their communications seem more legitimate. These deceptive strategies make it harder for recipients, including C-level executives, to decipher if content is real or a malicious act of ransomware.
Eight Steps to Combat Ransomware
While ransomware threats continue to evolve rapidly, there are still ways for the C-Suite and other executives to combat threats and prevent their companies from facing cyberattacks. Through its Stop.Think.Connect. program, the US Department of Homeland Security (DHS) offers tips for basic cybersecurity hygiene.
- Keep all machines clean. Constantly ensure your devices are up-to-date on all current versions of software.
- Get two steps ahead and protect core accounts. Set up a two-factor authentication on accounts to require a second step, such as text message verification, along with initial password log in to guarantee safety.
- Back it up. Store all important data for safe keeping.
- Make better passwords. Think outside the box and be sure not to use easily deciphered phrases like middle names, birthdays or pet’s name in your password. For more tips on creating a strong and secure password read our blog Simple Changes to Improve Cybersecurity.
- When in doubt, throw it out. Don’t open emails or links you weren’t expecting. If it isn’t familiar or looks skeptical, delete it.
- Plug and scan. Use your security software to scan USBs and other external devices for viruses and malware to increase your computer’s protection.
In addition, TSC Advantage recommends that companies adopt two more best practices to better prepare for and prevent ransomware:
Conduct Security Awareness Training. By now, corporate risk managers and other enterprise security leaders understand the adage of being only as strong as the weakest link. A culture of security must be created that instills a sense of skepticism at the user level. Some solutions might include simulated phishing attacks and other training.
Create a Business Continuity Plan. Simply put, it provides companies with fundamental capabilities needed to reduce the cost of a cyber incident by preserving their access to critical business information and assets. The ability to recover and to return to normal functioning as quickly as possible is paramount. As such, businesses must categorize both their information and systems based on their criticality to operations and they must determine appropriate risk tolerance levels for these assets accordingly. Once that is understood, they should develop processes which then must be incorporated into a written business continuity plan which is tested and can be implemented with confidence in the event of a ransomware attack.
Don’t wait to think about your company’s cybersecurity plan until it’s too late. Be vigilant and attentive to ensure your cyber safety measures are up-to-date and to prevent your company from experiencing a ransomware attack.
Break Room to Boardroom: Your Urgent Questions Answered
This October, TSC Advantage is participating as a Cyber Champion during the DHS and National Cyber Security Alliance’s National Cyber Security Month (NCSAM). As a Cyber Champion, TSC is showing our support for cybersecurity by partaking in weekly online Twitter chats with Stop.Think.Connect. Each week, we provide inputs on various topics relating to cybersecurity and online safety. This week, our discussion focused on the theme, Creating a Culture of Cybersecurity from the Break Room to the Boardroom. We turned to Brendan Fitzpatrick, Enterprise Security Assessment Program Manager at TSC, to shed some light on the subject. Here are his responses:
Why is it important for every organization, no matter the size or industry, to be cyber aware?
The nature of information security attacks has shifted dramatically in the last ten years or so towards criminal activities. These attacks come from a variety of sources, but the method of delivery is largely ‘spray and pray.’ They attack in every possible way – phishing attacks to either steal credentials or drop malware (like CryptoLocker) onto a PC/device, or creating drive-by ‘watering hole’ attacks by infecting websites (or the advertisements that run on them) that may be visited by an organization’s users. No organization is immune to infection or having credentials stolen.
What examples can you share of organizations’ need for cybersecurity that might not be obvious?
For targeted attacks, we’ve seen several examples of ‘man-in-the-middle’ attacks involving an organization’s email system. One example is that an attacker will intercept communications between vendors and the organization and, at an opportune time, will masquerade as the vendor and change payment details (bank routing information, etc.) to receive transferred funds.
We’ve also seen several self-inflicted information security wounds, for example, failing to test disaster recovery and business continuity plans. We’ve seen some larger organizations store all DR plans and procedures on the organization’s network shares. When a disaster occurred, they lost access to those plans because they didn’t have a complete set of offline copies. A simple DR test would have revealed that.
Less obvious problems: many organizations forget that procedures like Change Management are an essential part of information security. If you do not track and control all changes to your environment, then it becomes likely that additions or changes will undermine your security. An example: a firewall port is opened for a special project or purpose but not documented or approved in the change management system. The project ends, and the organization forgets to close the port.
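The forgotten firewall port described in the answer above is detectable if the live rule set is periodically reconciled against the change-management system. The following is an added example, not code from the interview or from TSC Advantage, showing that reconciliation in Python. It assumes the rules and change records have already been exported from the firewall and the change system in some site-specific way; both lists here are constructed sample data, and the function names are hypothetical. It goes slightly beyond the answer by also flagging unapproved rules and change records whose rule no longer exists.

```python
"""Added example: reconcile firewall rules with change-management records so that
undocumented, unapproved or expired openings surface.  Not TSC Advantage code."""
from datetime import date

# Constructed sample export of the live rule set.
FIREWALL_RULES = [
    {"id": "fw-101", "proto": "tcp", "port": 443,  "src": "0.0.0.0/0",      "dst": "10.0.1.10"},
    {"id": "fw-102", "proto": "tcp", "port": 8443, "src": "203.0.113.0/24", "dst": "10.0.2.5"},
    {"id": "fw-103", "proto": "tcp", "port": 3389, "src": "0.0.0.0/0",      "dst": "10.0.3.7"},
    {"id": "fw-104", "proto": "udp", "port": 161,  "src": "10.0.0.0/8",     "dst": "10.0.4.1"},
]

# Constructed sample export of the change-management system.  "expires" is the
# project end date recorded on the ticket; None means a standing rule.
CHANGE_RECORDS = [
    {"rule_id": "fw-101", "ticket": "CHG-0001", "approved": True,  "expires": None},
    {"rule_id": "fw-102", "ticket": "CHG-0002", "approved": True,  "expires": date(2016, 6, 30)},
    {"rule_id": "fw-104", "ticket": "CHG-0004", "approved": False, "expires": None},
    {"rule_id": "fw-105", "ticket": "CHG-0005", "approved": True,  "expires": None},
]

ANY_SOURCE = "0.0.0.0/0"


def audit_rules(rules: list[dict], changes: list[dict], today: date) -> list[dict]:
    """Return one finding per discrepancy between live rules and change records."""
    findings = []
    by_rule = {c["rule_id"]: c for c in changes}

    for rule in rules:
        change = by_rule.get(rule["id"])
        exposed = rule["src"] == ANY_SOURCE
        if change is None:
            reason = "undocumented"          # opened outside change management
        elif not change["approved"]:
            reason = "unapproved"            # ticket exists but was never approved
        elif change["expires"] is not None and change["expires"] < today:
            reason = "expired"               # project ended, port never closed
        else:
            continue
        findings.append({"rule": rule["id"], "reason": reason, "exposed": exposed})

    # A change record with no matching live rule means the record is stale or the
    # rule was removed without a closing ticket; worth a look either way.
    live = {r["id"] for r in rules}
    for change in changes:
        if change["rule_id"] not in live:
            findings.append({"rule": change["rule_id"], "reason": "stale-record",
                             "exposed": False})
    return findings


def prioritize(findings: list[dict]) -> list[dict]:
    """Internet-reachable discrepancies first, then by rule id for stable output."""
    return sorted(findings, key=lambda f: (not f["exposed"], f["rule"]))


if __name__ == "__main__":
    for f in prioritize(audit_rules(FIREWALL_RULES, CHANGE_RECORDS, date(2016, 10, 15))):
        print(f"{f['rule']:8} {f['reason']:13} exposed={f['exposed']}")
```

Run on the constructed data, the audit reports the expired project rule (fw-102), the undocumented any-source RDP opening (fw-103), the unapproved ticket (fw-104) and the stale record (fw-105), with the any-source rule listed first. Scheduling this comparison is cheap compared to the cost of discovering the forgotten port the hard way.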
What are the most critical pieces of data for an organization to protect?
There is no definitive set of ‘most critical data’ for all organizations. What is critical information for one company, may not be for another; each organization must determine for itself what its most critical information is. Some information, such as regulated data (PFI, PII, PCI, PHI, etc.), should always be considered critical, since the breach of that information would have multiple negative financial and reputational repercussions. This information includes not just client information, but employee information as well. Any intellectual property, source code, industrial production advantages, material formula and recipes, business intelligence, financial information, etc. should all be evaluated for criticality.
What we know doesn’t work is to treat all information equally. An organization must differentiate and categorize (even in a general way) the information it possesses and depends upon. That knowledge will drive all other information security concerns and decisions.
What measures can organizations put in place – and employees follow – to help guard against cyber incidents?
Of course there are a whole host of technical safeguards that can be put into place to secure this information. However, many organizations fail at the administrative level – specifically:
- They fail to determine how to classify and categorize the information they acquire, generate, or use.
- They fail to determine what and how the information should be protected (i.e., confidentiality, integrity, availability), and the proper parameters of its use and disposal.
- They fail to assign explicit ownership and custodianship of all the different types of critical information.
- They fail to communicate this (through training and awareness) to their employees in order to make it every employee’s responsibility to protect the information.
How can leaders encourage all levels of an organization to detect and report cyber threats?
Explicit training and awareness campaigns are essential. It’s also more effective to have at least some training and awareness activities be in person-to-person settings. PowerPoint and CBT are okay for much of the training lift, but at some point, sitting in a room with trainers creates a more lasting effect. In this light, having company leaders as students in those settings (to be seen as full participants) lends weight and authority to the training – after all, if the COO is taking the same training I take, it must be important! Some of the most effective training I have seen explicitly incorporated various levels of the organization within one room. This is easier to perform for smaller organizations.
What should be included in an incident response plan, and what are your tips for building one?
The bare bones of an incident response plan should have the following:
- Organizational structure of the incident response team. You need to know the members and what each of their roles is within the team. You need to designate ‘responsible parties’ who will own the IR processes. You will need to list all parties that might need to be alerted, and under what circumstances they would need to be alerted.
- You need to define what constitutes an incident, i.e., what thresholds have to be passed to move something from an event (which can be handled in a routine way) to an incident. Every organization with a developed plan defines this differently, so figure out what works for your organization.
- You need to know what organizational things need to happen along each of the stages of incident response. E.g., first, events are recorded in a ticketing system. Then, all events are evaluated by some member of the team. If the threshold is passed, the IR team is activated and these business officers are alerted, etc.
- You will need to establish a documentation methodology and repository for all incidents. This includes after action reports and root cause analyses that occur after closing an incident.
- You will need to establish a regular schedule to fully test and update your plans.
Specific playbooks for incident response can be developed during these tests, as well as when dealing with real events and incidents.
How can organizations return to normal operations after cyber incidents and protect info and reputations long-term?
As mentioned above, an incident doesn’t end when it is closed. After action reports and root-cause analyses are essential for the organization to develop changes to its information security strategy and implementation. Understanding what threat vectors were used and what vulnerabilities were exploited is essential to repairing the damage. Taking a step back and analyzing what proactive changes to overall information security strategy may be needed will have a larger impact on future security than living in a reactive state of mind.
What does it mean to have a culture of cybersecurity at an organization?
As a company that does assessments, this is one of the easiest things to spot. There are always the “pat” answers of leadership engagement with security, visible awareness, etc., and those are all true. For us, we see it in attitude – is the organization making excuses for the lack of security controls and practices? Or are they freely admitting their difficulties and genuinely seeking help to solve the challenge of achieving good security despite limited resources? When security, IT, legal, and the leadership really ‘own’ security, their focus inevitably is on making it better. Nobody’s security is ‘good enough.’ Every organization has room for improvement. A culture of cybersecurity is one where you’re constantly trying to improve – and to do that, YOU MUST KNOW WHERE YOU ARE. You must assess and evaluate your security, otherwise you will be blind to your weaknesses.
What are some effective and/or creative ways to talk to staff about online safety in the workplace?
Here is one example, though it’s not online safety oriented – instead it’s information security oriented. One company had a clean desk policy – they didn’t want confidential materials left on desks for everyone to see or walk away with. So they would pick a random day, go around to everyone’s desk after work hours had ended and pack up any papers or work materials into individual boxes with the employee’s name on them. The senior manager (VP or above) would get the boxes and the employees would have to go in the next day and retrieve their belongings from the senior manager. They kept this practice light-hearted, but it was very embarrassing to the employee, and as a result, it was a very effective lesson.
And what topics are important to cover in these office cyber aware talks?
Phishing, safe surfing, policy reinforcement (such as clean desk example above, information ownership), incident reports for anything that might be a problem – i.e., when in doubt, shout it out.
For non-computer experts, what are some quick steps to take to protect your organization from a cyber attack?
The first thing every organization has to do is assess where they are. An internal or external (third party) assessment is essential to identify what you’re doing right, what needs to be tweaked, and what you need to begin doing to secure your organization. Information security is only partly a technical problem; it is also an administrative and organizational problem. As a doctor might say, you can’t treat a patient without examining the patient.
What should an organization’s leaders consider and put in place before allowing BYOD in the workplace?
At minimum, organizations need to perform a risk assessment to identify and understand what threats are posed by mobile devices, what vulnerabilities there are, and what the potential impact and likelihood of occurrence would be. Once the organization understands the risk levels involved, it can implement controls (such as MDM platforms and specific mandated configuration settings) appropriate to the environment and sufficient to protect the data that needs protection. Again, one size does not fit all.
What are the key considerations for organizations regarding protecting individuals and their information?
You get one chance to protect this valuable information. Once it has been breached, the toothpaste is out of the tube. With that in mind, you must identify and categorize this information. You must explicitly determine how to protect and manage the information. You must assess yourself to see if the controls you put in place are sufficient to achieve the protection requirements.
How do we equip employees with the info they need to take cybersecurity beyond the office to their homes and communities?
Training and awareness are the path to increasing security at home and in communities. We’ve seen a number of organizations who will do lunch and learns with topics that address information security at home. Their explicit focus isn’t organization security, but protecting personal identity, safe surfing habits, phishing identification and avoidance, safe Wi-Fi use, secure travel, etc. Frequently we hear that employees enjoy these types of sessions, and it has the effect of increasing the security consciousness of the employees in all areas of their life.
To combat cybercrime at work, we need a strong cyber workforce. Why should students consider careers in cyber?
Information security is going to be an essential part of everything we do from now on. Information is valuable — it is a currency — and currently, many organizations have secured it with the equivalent of a screen door. It is essential that we bring new minds to help us look at the problem from new angles, develop innovative solutions and strategies. The landscape is changing so rapidly that everyone in school now has a chance to leave a permanent mark on the information security industry.
Building a Culture of Cybersecurity: Only You Can Secure the Network
Well, 2016 is almost over and it’s had no shortage of “cyber” events. Right now you might be thinking about the 200 million Yahoo accounts that were compromised, the Democratic National Committee hack, or the warnings about potential election hacking. Compromises of confidentiality, integrity, and availability are so commonplace now that the average person is probably pretty desensitized to the whole thing – even when they are the victim.
The irony is that average people – you and I – continue to be the single largest threat vector for organizations. Up to 70 percent of breaches occur due to insider threat, usually unintentional. That’s why finding a way to help individuals understand their role in cybersecurity is a challenging but crucial effort.
As I’ve mentioned in other articles on insider threat, it’s hard for people to internalize rules that don’t have any immediate bearing on their welfare or safety. So, what can the C-Suite do about it? Training is the obvious answer, but consider a recent study of security savvy internet users and how often they violated their own rules.
Dr. Zinaida Benenson and researchers from the computer science department at Friedrich-Alexander University sent 1,700 FAU students emails or Facebook messages under a false name with text indicating a link taking the recipient to pictures from a recent party. In a second variation, the text did not address the subject by name, as it had in the first, but more specific information was provided regarding the supposed photos on the provided link (e.g. a New Year’s party). Afterward, subjects were surveyed to self-assess their own awareness of online security and then asked why they did or did not click on the link.
In the variation that addressed the recipient by name, 56 percent of email and 38 percent of Facebook recipients clicked the link. In the nameless variation, email recipients who clicked went down to 20 percent while Facebook users went up to 42 percent. The survey results indicated 78 percent of participants were aware of the risk of accessing links from unknown sources. Only 20 and 16 percent of participants from each respective study self-identified as accessing the unknown source links, whereas technical results showed 45 and 25 percent (overall) had clicked links in each respective study. The main reason – curiosity.
This example should send chills up the spine of any network administrator – a simple phishing attack on an organization of any size is almost guaranteed to net at least one wayward user, even if they’ve passed their quarterly training.
So again, what can the C-Suite or managers in charge of protecting the realm do? You can never fully eliminate risk but here are four solid ways you can reduce it:
First and foremost, define what you need to defend. Is everything super sensitive and critical to your business? Or, can you narrow down critical assets to processes, products, property, and the like? This is an essential element of any insider threat program – consider who the various stakeholders are and what they define as critical assets, be they physical or virtual. Once the organization has defined what is critical (don’t forget people!) it can prioritize defense and mitigation mechanisms.
Next, you’ve heard it before and I’ll say it again – assign least privilege to users and programs and enforce separation of duties. Least privilege does everyone a favor. Not only does it act as a layer of defense, but to a degree, it protects the user from even looking like they tried to violate company protocols, accidentally or otherwise. Separation of duties is similar: it reduces the power of any one user to make significant changes to the system and can be viewed as reducing culpability. Will this mean it takes a bit longer to get things done sometimes? Yes, but would you rather be able to access/modify item X right now at the potential cost of losing credibility with your client? Security and speed always seem to be at odds, but in hindsight the correct choice always seems obvious.
Point three, do not assume employees will report anomalies, be they indicators of insider threat, “cyber” events, or social engineering attempts. Some will, some won’t, and there are a variety of valid behavioral reasons for the latter. Obviously, we should still train employees on the threat indicators and means of reporting, and consider alternate reporting streams, but we shouldn’t expect this to replace systems that detect, monitor, and mitigate threats. I’m talking about firewalls, intrusion detection systems, well-designed networks, securing ports, logs of device access to the network, user logs, and rule-based log analysis (e.g. Splunk). Some of these are lower lift than others, but few of them are privy to the biases of human nature, meaning you’ll get results.
Last, but certainly not least, when you have all of this in place – test it. Test it often. In my military days we had something called an after action review (AAR). During an AAR, we talked about what went right and what went wrong during testing, and how we would correct those errors moving forward. It’s not enough to just test and read a report – have an AAR with stakeholders, then take steps to make systems better.
When you do test, make sure to include stakeholders from security, IT, and human resources at a minimum. You might want to include social engineering as part of the test, both the classic (e.g. holding the door and following someone inside a secure space) and the newer versions (e.g. phishing).
As the cost and time required to enter the cyber criminal market is declining, and critical assets are increasingly information based, the threat to businesses will only become more commonplace. Take the time not only to secure your networks, but to build resilience within your processes AND your people. Because only they – and you – can secure the network.
Simple Changes to Improve Cybersecurity
It may seem obvious, but a vital strategy to cyber defense includes a simple thought: stopping and thinking for a moment before clicking a button. This idea includes using the following practices:
- Read the notifications before clicking OK.
- Find out how the product stores your information and what it does with your information before accepting the terms and conditions.
- Conduct quick research on possible alternatives that might include one extra step to prevent others from gaining access to information you want protected.
Beyond being cyber aware, the first line of defense in any computer environment is a user-set password. Therefore, it is important to have a firm grasp on what you can do as an end user to ensure that your password is a strong one. Certain strategies are more obvious than others, such as increasing character length and variety to create a stronger password. However, other password tips might not be immediately apparent, such as the four listed below.
Four Password Tips
1. Ensure that numbers related to personal information that can be easily discovered, such as birthdays or anniversary dates, are not used.
2. Come up with a system to create your own unique passwords. For example, try using a song lyric, then a number, and then a sports team name. This way it is both memorable and difficult to crack.
3. Enable multi-factor verification when possible.
4. Use a password manager to ensure your passwords are varied for different services. Make sure to check how the password manager stores your passwords as well. Do you prefer to have your passwords in the cloud or stored locally on your drive? Both have their advantages and disadvantages.
In addition to these tips, it is important to change default passwords and settings. Leaving the defaults in place makes attacks much easier. For instance, routers from certain manufacturers or internet service providers will frequently use the same pattern to generate passwords. The default credentials to view router settings once on the network are admin/admin. This type of access gives an attacker total control over the network. It takes a minimal amount of time to change default passwords and can be well worth it in the long run.
Like default passwords, many default settings can be harmful. Wi-Fi Protected Setup (WPS) is a protocol that until recently was available and turned on by default on most home routers. WPS is extremely easy to crack, but can be turned off in the router settings rather quickly. Make sure to verify that the settings are configured appropriately.
More Best Practices
Web browsers and computers offer users a lot of different information and some of it can be easy to gloss over. However, there is one area that is important to look for when visiting random sites. Users will frequently see a small lock icon on the left-hand side of the address bar in a browser window. This indicates a connection to the site via HTTPS. The importance of this connection is that the web traffic is encrypted, which makes it more difficult for attackers to view the information sent and received. Be sure to check for this when entering confidential information. A lack of this encryption can be a giveaway for fraudulent websites.
Be sure to update applications and operating systems on a regular basis. Most updates are for security improvements and bug fixes. Release notes are a quick way to gain a greater understanding of why the update is needed.
There are many other more technical methods to improve cybersecurity practices, but the guidelines listed above are simple ways to create a safer and stronger cyber environment with little effort. Being more aware of potential threats as individuals will not only lead to a better personal defense, but also to a stronger impact on workplaces as a whole.
Four Yahoo Breach Business Lessons
A week ago, Yahoo admitted to having been hacked, compromising the login and user information of half a billion user accounts. Yes, 500 million, or just short of one and a half times the population of the United States. The largest data breach in history provides several important lessons for the business community.
1. Timing is everything. The breach itself took place in 2014. Whether Yahoo withheld knowledge of the hack this long, or simply didn’t know about it until now has not been disclosed. If the former, it could result in liability issues. If the latter, it demonstrates very poor situational awareness and risk mitigation of its network’s vulnerabilities. This should be an eye opener to anyone hosting critical information or services. Know your strengths, but more importantly, know your weaknesses. Moreover, be honest about how to mitigate them, and do so in a timely manner to minimize damage to your brand. In addition, security controls dedicated to detecting, correcting, and recovering from an attack are as important, if not more important, than just preventing an attack and vital to achieving cyber resiliency.
2. Login info is cyber gold. Names, hashed passwords, birth dates, and security questions and answers were all targeted. This is all information that can be used to log into user accounts, both on Yahoo and beyond, since internet users generally reuse passwords (or slight variations of passwords) across domains (email, banking, e-commerce, etc.). With this information, ne’er-do-wells can attempt, with up to 2% accuracy, to log into additional personal accounts. This 2% may not sound significant, but in this case it amounts to 10 million user accounts. From a consumer standpoint, Yahoo users should change their password immediately and update any other online profiles that use the same email as login, or have a similar password. Both individuals and businesses should employ multi-factor authentication to ensure that those attempting to gain access are who they say they are. (Read more on “How to Strengthen Passwords to Better Guard the Door.”)
As a precautionary measure in the event that login credentials for your network are compromised, the concept of “least privilege” is an important mitigation strategy. Least privilege means employees are only granted access to information and resources that they need to perform their job. This can and should extend to physical locations such as different sites, or even parts of your company’s buildings. By restricting your employees’ access only to that which they require, hackers’ ability to escalate privilege within your network or organization will likewise be restricted. Sure, “login info is cyber gold,” but ensure that it doesn’t become the keys to the castle in the wrong hands.
3. Hacks expose business information. If you are using Yahoo to host your business email, this breach means possibly leaked credentials enabling access to your organization’s emails. Any information that those credentials unlock potentially belongs to whoever cares to purchase them. That means emails, remote network logins, and sensitive proprietary information can all be up for grabs. Security equipment purchases, data and network equipment inventories, planned service outages, and even default equipment usernames and passwords are useful for hackers. Often, this is more useful than the take from the initial breach. These pieces of information, no matter how innocuous they may seem by themselves, become elements of a toolbox hackers can use to gain further access to your network.
You have spent years, maybe even decades, building up a brand, and with that you have a reputation with your customers. A loss of this type and scale can cause customers to lose faith in that brand. Rebounding from such an event can cost time, money, and clients you can’t afford to lose. Already having effective risk management and mitigation plans in place is invaluable in helping your organization navigate, rebound from, and even thrive after such a crisis.
4. Social engineering of individuals leads to cyber crime against businesses. Social engineering is the art of hacking people. By leveraging information on individuals found in personal accounts such as Yahoo, hackers can gain access to corporate information or resources they desire without having to touch the target network. This is often done through specially-crafted emails known as spear phishing and whaling. Spear phishing is the use of specifically targeted email that appears to come from a known, friendly entity. Whaling particularly targets upper management. Both techniques are used for business e-mail compromise (BEC) attacks, which target a company’s financial or purchasing personnel and manipulate them into wiring substantial amounts of money to fraudulent accounts.
According to the FBI’s Internet Crime Complaint Center (IC3), nefarious elements have managed to redirect nearly $3.1 billion from over 22,000 victims from October 2013 to May of 2016. According to Trend Micro, the most popular “sender” of fraudulent emails in BEC exploitations is the CEO at 31% of scams. The second most popular is the company President at 17%. On the other end of the game, the CFO was the most likely recipient at just over 40%, while the finance director was targeted nearly 10% of the time.
The Yahoo breach sets a new bar for threat exposure, but it provides lessons. It is incumbent upon individuals and companies, as responsible digital citizens, to do what we can to make ourselves hard targets. Let’s start immediately by at least following the time-honored advice of changing passwords every three-to-six months to strong passwords.
What is the Private Sector’s Role in Cybersecurity?
Cyber security has evolved into a central board topic and a core business concern. Gone are the days where cyber risk management was avoidable. Today, companies are more informed security buyers, looking for efficient and effective investments rather than mere silver bullets.
In a constantly-evolving world of cyber threat, what is the role of the private sector? A panel of experts addressed the topic at the US Chamber of Commerce 5th Annual Cybersecurity Summit in Washington, DC. The panel agreed that businesses of all sizes must take on the challenges of ransomware, third party risk, and security complacency. They must also recognize the increasing attention regulators are placing on private sector cyber practices and safeguards, according to panelist Natalie Lehr, Vice President of Analytics at TSC Advantage.
Cyber Now A Board Responsibility
While board members have always held a traditional role of fiduciary responsibility, cyber security risks now fit within this realm. Having become more proactively engaged, boards demand better cyber insights than basic, one-size-fits-all checklists. Cyber research indicates that reactive and uncoordinated governance of risk functions ultimately leaves staff members unprepared to stem losses – corporate harm is therefore dictated by the capability of the attacker rather than the strength of a safeguard.
In addition to establishing a proper defense, organizations are subject to federal regulations concerning the status of their security and their compliance with said regulations. The impact of the recent LabMD, Inc. case (in which the Federal Trade Commission determined in August that a medical testing lab’s data security practices could be considered “unfair or deceptive” and were “likely to cause substantial injury to consumers”) is clear: companies should assess and improve their cyber hygiene in advance of any allegation, to produce artifacts consistent with reasonable security protection of “consumers’ personal data,” according to the Federal Trade Commission (FTC).
Proactive Defense Requires Going on the Offense
As the number and sophistication of threats has increased over time, the conversation around cybersecurity has changed from educating business leaders on why it’s important, to identifying their priority security needs and providing them with solutions that offer the greatest return on their security investment dollar.
Lehr recommended four ways to start.
1. Harmonize Technology, Processes and People
Security is neither a single act, nor sensor. Technology is crucial to any risk management discussion, but it cannot be relied upon at the expense of other considerations, such as developing a mature cybersecurity culture and synchronizing third party vendor security. In its years of performing Enterprise Risk Assessments on organizations of varying sizes and sectors, TSC has found that those that invest in complementary cyber security efforts across their enterprise are more resilient when confronting a cyber attack or breach.
2. Transfer Risk!
Since there is no technical silver bullet that eliminates economic risks in an increasingly digital ecosystem, corporate risk strategies leveraging cyber insurance can help businesses assure their operational integrity, maintain customer privacy and defend corporate value. The potential benefits of cyber insurance were noted by other Chamber conference speakers, such as General Michael Hayden, USAF (Ret.) and Chris Inglis, former Deputy Director, National Security Agency. Hayden suggested insurance could be a good motivator for improving private sector cybersecurity, likening pre- or post-binding insurance assessments to requiring a physical. As breaches continue to abound, insurers are placing more emphasis on assessment performed by independent security firms, which review the maturity of a company’s practices, the security of vendors, sensitivity of corporate data, and ability to maintain business continuity and recover from an attack.
In more than three years performing such assessments for insurers on the Lloyd’s of London underwriter market, TSC has provided analysis that underwriters use to determine an entity’s insurability and craft a fair and accurate policy. More importantly, detailed recommendations provide a road map for continued security improvements. Among the keys to successful cyber insurance, notes Lehr, are to understand both exposure and risk (including potential physical damage and third-party exposures), and to understand your policies (including exclusions and limits).
3. Share Information
The Federal Bureau of Investigation (FBI) and the U.S. Department of Homeland Security (DHS) both have robust threat intelligence sharing and public/private sector outreach programs covering critical infrastructure, white-collar crime, economic espionage, terrorism and more. These additional resources should be included as part of your organization’s cyber toolkit. Depending on your specific industry, there are also numerous member-driven Information Sharing and Analysis Centers (ISACs) which collect, analyze and share threat information. Join one to maintain sector-specific situational awareness.
4. Get Back to Basics
Surprisingly, some enterprises overlook basic security controls such as complex passwords, multi-factor authentication, and use of a virtual private network (VPN), but basics should go beyond that. TSC Advantage has found that only half of the organizations it has assessed had fully documented external crisis communication plans for disasters or breaches, and very few organizations have identified, classified, and monitored their critical and valuable assets. While this is not an easy undertaking, protecting those assets is virtually impossible if you are unaware of what exists or where the assets are located.
The private sector has a responsibility to proactively mitigate cyber risk rather than react only when an attack occurs, and also to remain compliant with regulators. Only analyzing one aspect of a business is a surefire way to grant unwanted intruders easy access and face potentially disastrous results, hence the need for a panoramic view of cybersecurity, says Lehr. Cyber resilience, just like personal grit, requires both resource investments and an emphasis on outcomes and improvement.
The Answer to Diminishing Returns in Cybersecurity
The defenses of commercial organizations continue to be successfully exploited by determined adversaries operating in cyberspace, despite significant security investments. Although the scope, severity and cost varies by incident, even the smallest of them can be detrimental to a business, causing disruption, data loss, or data corruption.
Some of the better known casualties – such as Anthem, Sony Pictures, and Target – highlight not only the vulnerability of disparate industries to sophisticated attacks, but also how relevant the economic principle of diminishing returns can be when applied to this persistent challenge of preventing and detecting such costly threats to corporate information.
In its most basic form, the idea of diminishing returns is that as the number of technical controls or security staff increases at any organization, at some point the marginal effectiveness or utility of each additional sensor or employee will be less than the previous one, especially in a threat landscape of savvy and creative attackers.
The oft-discussed 2013 Target hack is a case in point. Despite being compliant with data security standards of the payment card industry, the dozens of security staff located in India and its US-based global security operations center, or even the $1.6 million intrusion detection tool that Target used specifically to monitor potential security incidents around the clock, the company was still victimized. The attack resulted in the compromise of 40 million credit card numbers and over 70 million pieces of customer personally identifiable information.
Optimizing Cyber Investments
The Target breach reminded corporations of the need to invest smartly in security controls across people, process, and technology, because defending against threats to sensitive information cannot be solved by an overinvestment in technical solutions focused on data security. Just as critical, and often overlooked, is equal consideration for other activities such as employee training and the development of a mature cyber security culture through effective policies and procedures. In its work assessing the bulk electric sector, TSC Advantage has found that companies with a better cyber risk profile score and higher maturity scores differed little in the domain of data security from those with lower scores. Where companies became more mature was in their implementation of other controls such as Insider Threat or External Business Operations.
For a better return on cyber security spending and to avoid the challenge of diminishing returns, TSC Advantage recommends the following three steps:
Promotion of Proper Cyber Hygiene and Best Practices: As attacks increase in sophistication, corporate workforces must not only be aware of the changing threat landscape, including how malicious adversaries frequently target firms, but must also discontinue outdated and unsafe computing practices that imperil the confidentiality and availability of networks and the information they hold.
This promotion of cultural change to better enhance information security and sound hygiene must begin at the top. With executive-level buy-in, IT security leaders and other stakeholders are empowered to start the process of creating realistic standards and best practices that can be pushed down to the greater organization.
Strategic Use of Sensors: Discussions with corporate board members and other leaders sometimes reveal an assumption that the deployment of best-of-breed sensors or traditional legacy defenses can be the 90% solution to the majority of cybersecurity problems. The Target example shows that is not always the case, and that a “one-size-fits-all” approach to risk management is both dangerous and outdated. Some sensors require a multitude of customizations, and since they are programmed to operate continuously and around the clock, it is often the case that firms do not have the manpower and talent resources to effectively manage them.
Take for instance data loss prevention (DLP), a particularly helpful tool for proactively monitoring and tracking sensitive information leaving corporate networks. While useful in identifying inadvertent or deliberate insider threat, such programs can easily overwhelm a system with false positives that inevitably make it harder to identify true anomalies indicative of real compromise. To avoid casting such a large net in threat monitoring and detection, a rules-based approach should be applied to these systems, allowing companies to program specific algorithms into the devices so that only the most relevant and likeliest potential threats are flagged.
Enlist the Help of Each Employee: Inadvertent insider threat is one of the most frequent sources of data breach and large cyber loss events afflicting corporations. While employees are often the target of such attacks (for example, through spear phishing), they can also be the solution, as they are the human being behind every endpoint and all represent the last line of defense. In concert with the promotion of safe hygiene, training and awareness programs can remind employees of the creative ways in which malicious actors may target them while online or at the office, such as through social engineering or pretext phone calls. From a physical security perspective, and especially in larger corporations, challenging strangers who look out of place, understanding and awareness of tailgating, and clean desk and whiteboard policies are also helpful.
The law of diminishing returns is important to consider when thinking about how firms can get a better return on their cyber security spending. While technology is indeed crucial to any risk management discussion, it cannot be relied upon at the expense of other considerations. Those that invest in cybersecurity across their enterprise are best able to prevent, detect, correct, and ultimately recover from an attack or breach.
Social Engineering – How Employees Become Corporate Threats
Work, life, and the internet are intertwined these days – it all happens online and in real time. But the personal details we innocently post leave a footprint that can be used by hackers to step on their real target – corporate information and finances. How? Bad actors gather up personal information such as interests, education, and employee promotions to create a profile of their targets, then craft highly sophisticated attacks.
Cybersecurity tends to focus on data security, but threats to an enterprise’s security may emanate from a variety of vectors, including trusted insiders and those who work with them, such as third party providers. That’s why at TSC Advantage, we focus on six domains: Data Security, Insider Threat, External Business Operations, Internal Business Operations, Mobility, and Physical Security.
Where do social engineering and your online profile fit in? As TSC’s Director of Threat Analytics, Craig Guiliano, described in a presentation at today’s Olympus Insurance Fall 2016 Risk Conference in Salt Lake City, it’s the connection to one domain in particular – Insider Threat.
What is Insider Threat?
Insider Threat is a current or former employee, contractor or someone who has or had authorized access to sensitive data, systems, technology, personnel, or other items of interest. That’s most of us, and that’s why more than 70% of all cyber breaches are attributed to a credentialed or trusted insider.
Do you have a written list of all your passwords? Do you ever share usernames and passwords with colleagues? Have you ever used “password” as your password? Negligent insiders – most of us – may be targeted through phishing or spear-phishing campaigns. With increasing access to smart phones and the Internet of Things, unwitting or negligent insiders represent the largest pool of potential insiders, and if you haven’t already been targeted by some sort of scam, you’re in the minority.
Malicious insiders, most often a disgruntled or departing employee, may knowingly steal or sabotage systems, IP or other important virtual or physical assets. Compromised insiders have had their credentials compromised or stolen by an outsider for purposes such as espionage, fraud or attack. If you’re a Compromised or Malicious Insider, you may be susceptible to recruitment through social media or some other electronic medium like chat rooms or message boards.
The Big Con Game
Hackers prey on the fact that most people don’t want to challenge authority or create an uncomfortable social interaction. Social engineering takes advantage of this by combining human interaction, whether in person or via a virtual medium, with social skills, in order to obtain or compromise sensitive data.
First the attacker identifies employment history, family data, hobbies, etc. to create a profile and identify your potential motivations or vulnerabilities. Next, he tries to build a relationship remotely using a cover that appeals to your preferences. Do you ever accept online connection invites with someone you’ve never heard of, or receive unsolicited offers for jobs or interviews?
Determined hackers also craft tailor-made emails using information gathered on your company, often including actual names of colleagues and a malicious attachment. If you click – which studies repeatedly show many people do – you unwittingly become the Insider, and the attacker uses this as a jumping-off point to infest your organization’s network.
How Social Engineering Is Used
Example 1: Using posted details about travel plans, an individual may pose as a hotel employee to call and “confirm” details such as credit card and room number, or birthdate.
Example 2: Business Email Compromise, in which targeted emails that appear to originate from company executives are sent to an employee with access to company funds, ordering them to make wire transfers. Clever criminals have already gathered intelligence and know that the company works with foreign suppliers or is expanding into foreign markets, so their instructions are not questioned. Such schemes have netted criminals a billion dollars since 2015, according to the FBI.
Example 3: Phishing attempts to manipulate victims into opening files, attachments, or clicking on embedded links in an email as a means to deliver malware. In fact, not only criminals, but nation-states use phishing campaigns to target broad industries of interest. Most people have probably received a phishing email – or hundreds of them. Most end up in your junk box or are blocked by your network’s perimeter defenses.
Example 4: Spear phishing is much more targeted. Collecting data on the potential victim and using social engineering techniques will increase the likelihood that a phishing email will bypass spam filters and actually reach the end user. Once the email is opened, a variety of malware can be injected. This is how a trusted insider becomes the threat.
Think Beyond Data Security
Each day individuals are targeted, through mass online schemes and detailed social engineering efforts. As a result, we are all insider threats. Cyber security is not so much a technology problem for your IT department to solve; it’s a people problem. In fact, simply investing in technological solutions eventually reaches a point of diminishing returns.
We believe holistic cyber security addresses not only technology, but also processes and people. That means changing the culture of your workplace, involving key stakeholders across the enterprise, creating awareness, and providing training. A cross-departmental and proactive approach is the best way to defend against the possibility of your digital presence impacting yourself and your employer.
8 Things to Understand Before Buying Cyber Insurance
At TSC Advantage, we are proud to have partnered with leading insurance brokers and global underwriting markets to provide pre-and post-binding cyber risk assessment for insurance programs across key industries. Insurers are placing increased emphasis on a holistic assessment performed by an independent third party, which reviews the maturity of cybersecurity practices, the role of internal and external business operations, and ability to recover and return to regular operations following a cyber attack. All of this information helps insurers craft a fair and accurate policy.
While TSC Advantage is an enterprise cyber risk consultancy and not an insurance company, our three-year partnership with global insurance supporting the Critical Asset Protection facility has forced us to quickly absorb the often tricky world of insurance and how buyers can counterweight their exposure through insurance channels.
According to the Allianz Risk Barometer, which surveyed over 800 risk managers and insurance experts in more than 40 countries, cyber incidents are the most important long-term risk for companies in the next 10 years. While the fields of healthcare, financial, retail, and technology services have been early adopters of cyber insurance, demand from most other verticals is expanding as well. This will continue as corporate boards across industry continue to mandate protection and insist coverage be tailored to their unique liability exposure and individual threat landscapes.
Pitfalls of Cyber Insurance Difficult to Recognize
Unfortunately for potential insureds, while cyber insurance products and services abound, there is almost zero homogeny in terms of individual coverage, contract language, and the meaning of key definitions. As costs associated with cyber attacks and breaches continue to reach new heights, insurers might naturally attempt to limit their exposure through exclusions, clauses, and other limitations. As a result, potential insureds in the market for cyber insurance are advised to sit down and talk with their broker to better understand some of the below considerations.
1. Understand Your Unique Risk
Before determining the amount of coverage to purchase, as well as what particular policy you might need, it is imperative to at least know the current strengths and weaknesses of the security controls already deployed across your holistic enterprise. What are you currently doing to prevent, detect, correct, and recover from a cyber event?
Depending on your industry, what is the likelihood of your company and industry being in the crosshairs of the adversary? TSC Advantage uses a “5 C’s of Cyber” model to explain the target profiles within which organizations could fall. They include being targets of: convenience, circumstance, consequence, conflict, and conscience. Hackers and cyber criminals have a variety of motives for engaging in malicious cyber attacks. Understanding these motives can help you identify and mitigate the risks to your organization.
Furthermore, in the event of an attack, what digital assets are at risk? Corporate intellectual property? Customer payment card data? Patient protected health information? Using historical examples of victimized companies in your peer group, what was their estimated cost to contain the incident? How much did their post-incident forensic investigation cost? What were their costs associated with legal and public relations? How about credit monitoring, notification, and call service support to customers? And lastly, what were the regulatory costs, including both federal and state?
2. Not All Policies Created Equal
Because of the lack of uniformity of cyber insurance policies, it is critical to read them in their entirety and pose many questions to your broker regarding inclusions. Does the policy cover exactly what your C-suite and Board need it to?
3. Indemnity Through Vendors?
It is important to understand how policies will cover contingent risks from the use of vendors or third-party service providers, which can obviously result in huge exposure. Think Target, which was breached through an HVAC provider. Significant problems can arise if you don’t understand how a policy will respond to a cyber event that doesn’t happen directly to your organization yet still results in business interruption to your enterprise. Don’t assume that losses will automatically be covered.
4. Any Policy Sublimits? Deductibles?
It is certainly the case that some types of coverage might subject you to sublimits or substantial deductibles. So while you might think you have adequate coverage, you may be responsible for significant deductibles before coverage is activated. Additionally, according to Mary Guzman, Senior Vice President of Cyber Sales and Strategy at McGriff, Seibels & Williams, a lot of policy forms tend to have sublimits in them, especially around breach notification expenses. “When you have an information security breach that involves PII or PHI, a lot of those policies have limitations on how much the client can spend on forensics, monitoring or credit monitoring. So you want to make sure you don’t have sublimits or that you understand exactly how they’re going to work.”
5. Arbitration
Does the policy contain mandatory arbitration clauses in the event of a dispute with the carrier? If yes, in what jurisdiction will arbitration be held and who would assume the cost?
6. First-Party Loss and Third-Party Damage Claims?
This is a crucial factor. Data breaches obviously can devastate and will result in losses and claims. Take the time to methodically examine the language contained in the policy in order to evaluate the insurer’s coverage of both first-party loss (your costs of responding to a breach) and third-party issues (regulatory responses and investigations, fines and penalties, and the like). Consider utilizing outside counsel to review policy forms for a full understanding of coverage.
7. Where Does Cyber Insurance Fit Among Other Coverage?
Look into the other insurance you carry, such as policies that cover business interruption, directors and officers (D&O), and errors and omissions (E&O). Is cyber covered or excluded under these policies? Determine how they can be complemented by cyber insurance.
8. Cyber Insurance Limitations
While cyber insurance can obviously help in the transference of risk, there are some things it will not cover. Some policies, for instance, will not provide indemnification for damages such as loss of reputation, which could result in lost revenue.
Cyber insurance on a large scale is relatively new and standardization has been slow to materialize. Therefore, it is imperative to be as prepared as possible before making a decision as consequential as the purchase of cyber insurance.
Please reach out to TSC Advantage or our partners at McGriff, Seibels & Williams Inc. to learn more about how we have worked together to provide cyber risk assessments for insurance programs.
Cybersecurity & the C-Suite – Knowing Does Not Equal Solving
No CEO wants to have to apologize to customers for a data breach or loss, or face the business disruption they cause. While the prospect of those scenarios would seemingly propel cybersecurity to the top of “to-do” lists across the C-suite, executive surveys continue to show a disconnect between the recognition of cyber threats and the way in which they are addressed.
As TSC Advantage shared during a panel discussion at the U.S. Chamber of Commerce’s Chicago Cybersecurity Conference, the C-suite has a responsibility to foster cybersecurity at every level of an organization. They must support this through strategic communications with the workforce and through long-term investments in technology, process and training.
Yet despite the ubiquity of digital threats, the increasing sophistication of determined adversaries, and the havoc they can wreak on operations and sensitive business data, executive surveys show that a lack of planning, collaboration and shared responsibility on cybersecurity continues.
A new survey of Fortune 500 CISO/CIOs and IT executives by British Telecom and KPMG showed only 22 per cent of companies have a comprehensive plan in place to deal with major cybersecurity incidents, though 95 per cent have been the victims of a digital attack.
The IBM C-Suite Survey of executives across 18 industries, released earlier this year, noted the low level of engagement of some key officials in cybersecurity initiatives. It showed the chief financial officer (CFO), chief human resources officer (CHRO), and chief marketing officer (CMO) feel “the least engaged in cybersecurity threat management activities” despite the fact they are “stewards of data most coveted by cybercriminals,” such as non-public corporate financials desired by competitors, confidential employee health and privacy information (which we know has enormous value on the black market), and proprietary corporate strategy information.
The survey found that 75% of those leaders “do not believe that cybersecurity plans include them in a cross-functional approach.” It is clear there is still much work to be done.
Departmental Threats Add Up to Enterprise Risk
As a provider of holistic enterprise security, TSC Advantage understands that disengagement by key stakeholders creates dangerous scenarios that can contribute to successful attacks or breaches.
Take for instance a department or division that unilaterally signs a service level agreement with a cloud service vendor without input from the IT and Legal teams. In this basic scenario, the requesting department would not only be oblivious to the inherent vulnerability created by a third-party relationship, but would also, as a result, neglect to adequately review the vendor’s security practices or even question the contract’s legal language relating to indemnification and liability should data loss occur as a result of vendor negligence. Forsaking a cross-functional approach to security can mean the difference between victimhood and potentially avoiding a threat entirely.
Two Execs on the Cyber Frontline
The CFO should work with the CIO or CISO on discussions involving governance and data security and to help them whip up support from other executives to encourage greater enterprise collaboration. Because these executives routinely work with confidential documents such as financial statements, and due to the rise in financial fraud known as “business email crime” where billions of fraudulent financial transfers are being authorized through sophisticated phishing attacks impersonating leaders such as the CFO, these leaders’ role in security is an obvious one. As an example, how could development of formal policies and procedures governing the verification and authentication of accounts payable requests occur without their input and support?
For the Human Resources executive, not only must their department have an active and collaborative relationship with the CIO or CISO and IT due to the security role they play as it relates to network access requests for both arriving and departing employees, but these leaders also play a security role on background checks, BYOD, intellectual property protection, insider threat programs, social engineering, and basic data security. As the IRS has warned, savvy cyber criminals are increasingly targeting payroll and human resources personnel based on their proximity to employee privacy information, utilizing phishing attacks that prey on their susceptibility to manipulation and general lack of awareness on the threat.
And the list goes on. The threat posed by malicious actors in cyberspace requires all organizations to implement a cross-functional and collaborative approach that aims to deter potential adversaries and divert them onto less-defended targets. As TSC Advantage routinely reiterates, the objective of any basic cybersecurity plan – no matter the industry – should be to anticipate enterprise threats by assessing an organization’s unique threat profile. From there, holistic security controls can be implemented across multiple domains that posture the organization to effectively prevent, detect, correct and recover from attacks. However, as recent surveys have revealed, the effectiveness of such a plan will be predicated on the extent to which C-suite leaders collaborate and integrate with the CIO or CISO and with each other.
After all, cybersecurity is a shared responsibility – and one that can never be accomplished in silos.
Don’t Fumble Your Mobility Security: Lessons from Redskins Laptop Theft
The disclosure this week that the medical records of thousands of National Football League (NFL) players may have been compromised through the theft of a laptop and external hard drive serves two reminders: mobility of data is an oft-overlooked but crucial issue in 21st century business where employees take work anywhere; and any type of organization, not just those in the healthcare industry, can suffer the loss of protected health information (PHI).
According to the Verizon 2015 PHI Data Breach Report, lost and stolen assets top the “nefarious nine” incident patterns that account for 96% of data breaches. The NFL revealed this week that in April, a backpack containing electronic and paper files – 12 years’ worth of records – was stolen when a thief smashed the window of a locked car rented by a Washington Redskins athletic trainer.
The NFL said the laptop was not encrypted. So far, it has not seen “evidence that the thief obtained access to any information on the computer that was stolen.” Still, the NFL is directing all teams to use encrypted laptops, review the security of medical information they hold, and train employees on privacy and security.
Regardless of whether the theft was a targeted breach or if the stolen data is ever actually compromised, the NFL security fumble serves as yet another reminder to constantly evaluate cybersecurity. Brendan Fitzpatrick, who leads TSC Advantage Enterprise Security Assessments, offers some questions to ask.
1. Does your organization have an explicit written policy that all laptops have full hard drive encryption so that even if a laptop is lost or stolen and the hard drive is pulled out, it can’t be accessed through another machine?
2. Do you have a policy that deals with downloading certain types of information onto a laptop? For example, is it okay for unlimited PHI to be stored on a local laptop, or does the policy say that only PHI required for work in the field can be on a laptop? The Redskins laptop had 12 years of medical records on the drive.
3. Are all media that you’re using with your laptop (such as the Redskins zip drive) encrypted so that if the worst happens and it’s stolen or lost, the data is unavailable?
4. How strong are your passwords? Passwords should always be at least 10 characters long, should not contain names, and must incorporate a unique combination of uppercase, lowercase, numbers, and special characters.
5. Do your employees share passwords? If being shared by more than one person in an organization (and especially if used for public-facing purposes), credentials should be stored securely in a controlled area and mature procedural controls should be in place that prohibit access to these accounts via mobile devices or from unsecure networks.
6. Does your organization provide communication and training around cyber policies to promote a cybersecurity culture from top to bottom? Do you enforce and check for understanding of the policies?
7. Do you employ multi-factor authentication to provide an additional layer of protection?
8. Are defense-in-depth perimeter and endpoint controls in place and is your organization consistent with the latest patching?
9. Does your organization conduct electronic monitoring only on the centralized system or do you have a Data Loss Prevention (DLP) solution on laptops, which would send an alert if information was taken from a lost or stolen device?
10. Does your management system allow administrators to remotely shut down or wipe a device such as a laptop?
11. Do laptops have an automatic VPN connection and if so, can it be turned off by administrators?
12. Does your remote login system have the capability to easily remove login access to prevent an unauthorized user logging in and further infiltrating the organization?
That’s just a short list of the many questions it seems can’t be repeated often enough around cyber hygiene. It’s crucial to remember the multitude of non-technical ways in which cyber risk can be introduced into an enterprise environment. Faceless remote access attacks originating in foreign countries are not the only threat. An unencrypted laptop that is stolen or lost, or a disgruntled employee, or gaps in physical security can lead to the exposure or theft of valuable information, regulatory fines, and negative brand impact.
The NFL is learning this difficult lesson. Yet, it’s a reminder for other organizations to mature their cybersecurity practices through a more holistic risk management approach. Mobility is one of six domains (also including Data Security, Insider Threat, Physical Security, Internal and External Business Operations) that TSC Advantage examines to identify vulnerabilities. An enterprise approach to cybersecurity can lead to a healthier risk posture and fewer data fumbles.
“I’m Jon Snow”: How to Strengthen Passwords to Better Guard the Door
Passwords – they are a bane of our online existence, a necessary evil of connectivity to keep the bad guys out and allow us access to our most treasured (literally and figuratively) possessions. That’s one reason why many people assume once they’ve used a password to protect something that it’s safe and secure. But is it? Passwords are a weaker defense than you might believe—but there are ways to strengthen them.
The use of passwords to protect items of value has a long history. During the time of Ancient Rome, sentries of the watch would challenge people entering a restricted area and require them to provide a “watchword” before they could gain access to the area. In a similar fashion, our online assets are protected by requiring a user to identify him or herself with a username and password to enter a restricted website.
In honor of World Password Day on May 5, let’s look at a scenario that depicts the steps involved in gaining access to a protected space. Let’s imagine that one person is on the outside of a party at a very exclusive Game of Thrones-themed cigar bar and the other is on the inside. The cigar bar is protected by a locked door that the person on the inside will open only for people on an approved list. Here’s how the conversation might go:
Outside Person: Knock knock!
Inside Person: “Who’s there?”
Outside Person: “Jon Snow. I’m on the list.”
Inside Person: (sees Jon Snow’s name on list) “Come in, Jon Snow.” (Opens door.)
Simple enough. The person on the inside will only open the door if the person on the outside identifies as Jon Snow. Great, right?
Nope. Say, for example, a passerby heard Jon Snow talking about this exclusive party and saying that only certain people were allowed in. It wouldn’t take much work to talk with Jon, learn his name, and, if you were clever, the location and time of the fancy cigar party, then use that information to impersonate him. With this knowledge, you have assumed Jon Snow’s identity and can access the party.
Real World Scenario: the very common and very bad practice of leaving passwords on sticky notes around your computer screen, on your computer’s desktop, or other location that is not protected. Anyone with access to these credentials IS you, as most times the other side (your bank, your email account, your wifi) can’t tell the difference between you and an imposter entering credentials.
Takeaway: don’t leave passwords in unprotected spaces. Remember them, or better yet, use separate ones for separate services (more on making this easier later on).
Now imagine another scenario at the same club, but with someone guarding the door who’s more paranoid about letting the wrong person in. The same conversation would occur, but with an added caveat: the guard would ask for a phrase only Jon Snow would know before he would be let in, which would authenticate Jon’s identity. See below:
“Jon Snow. I’m on the list.”
Inside Person sees Jon Snow’s name on list. But does he know the entry phrase? “What’s the secret phrase?”
“Winter is coming.”
This is a small step forward in ensuring Jon gets to enjoy a cigar at his favorite spot. It is, however, not a strong and secure solution, as someone with interest in gaining entry to this club could chat Jon up, discover that he loves Game of Thrones (and cigar bars associated with it), and could guess that his secret phrase would be one of the most widely-known ones associated with the series. That famous phrase is the single factor of authentication needed to bypass the door.
Real World Scenario: this can be seen in social engineering attacks targeting less-savvy users of technology, who may associate a password (or the service it protects) with something they enjoy. For example, a fantasy football fan’s password might be “DaBears!” In addition, the dislike of long or hard-to-remember passwords may prompt people to use the same password for multiple services, further weakening its ability to secure other information (once an attacker knows credentials for one service, they’d know them for all your services).
Takeaway: don’t multi-purpose your passwords, and try to use passwords that are not related to the service you’re using.
One final scenario for the cigar bar. The newest guard is so paranoid of the wrong people gaining entry that in addition to needing their name on the list plus a password phrase, the guard sends a text to the member’s phone after they’ve given the guard the password. If a member replies to the text properly, they’re allowed entry.
“Jon Snow. I’m on the list.”
“What’s the secret phrase?”
“Winter is coming.”
Inside Person pushes button that sends a text to Jon Snow’s phone, saying, “Jon, reply to this text with the code JOFFREY to gain access. This code expires in one minute.”
Snow replies to the text with the correct code.
Inside Person opens door.
Real World: Now we’re on the right path! What’s being described is multi-factor authentication, where multiple means are used to verify that the person attempting to gain access is who they say they are, both through something they have (in the example, Jon Snow’s phone with the text), and something they know (the famous phrase). Real-world examples of this can be found in secure building entry systems where both a badge and PIN are needed to open a door, corporate environments with more mature cybersecurity policies that require employees to take a second action after providing a password in order to access critical information, as well as more and more websites such as Gmail/Facebook, etc. (but you may have to opt-in for these). Systems like these are harder for adversaries to break into, because if they’re missing one of the authentication factors (name, password, or code), they can’t get in.
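The three-step exchange above as a working check, added here as an example (not code from the original post): the membership list is the identity lookup, the secret phrase is the knowledge factor and is stored only as a salted hash, and the texted code is the possession factor, single-use and expiring after one minute. Sending the text is simulated by returning the code to the caller; the member names, phrase, phone number and all class and function names are constructed for illustration.

```python
"""Added example, not code from the original post: the cigar-bar exchange as a
three-step authentication check. The membership list, the secret phrase and the
one-minute text-message code map onto an identity lookup, a knowledge factor and
a possession factor. Sending the text is simulated by returning the code to the
caller; names, phrases and phone numbers are constructed for illustration."""
import hashlib
import hmac
import os
import secrets
import string
import time
from dataclasses import dataclass
from typing import Dict, Optional

CODE_TTL_SECONDS = 60          # "This code expires in one minute."
CODE_ALPHABET = string.ascii_uppercase
CODE_LENGTH = 6
_DUMMY_SALT = b"\x00" * 16     # used only to equalise work for unknown names


def hash_phrase(phrase: str, salt: bytes) -> bytes:
    """Salted PBKDF2: the door keeps no plaintext phrases on its list."""
    return hashlib.pbkdf2_hmac("sha256", phrase.encode("utf-8"), salt, 200_000)


@dataclass
class Member:
    salt: bytes
    phrase_hash: bytes
    phone: str                          # where the code is "texted" (constructed)
    pending_code: Optional[str] = None  # at most one outstanding code
    code_expires_at: float = 0.0


class Door:
    """The guard: list lookup, phrase check, then a one-time code."""

    def __init__(self) -> None:
        self.members: Dict[str, Member] = {}

    def enroll(self, name: str, phrase: str, phone: str) -> None:
        salt = os.urandom(16)
        self.members[name] = Member(salt, hash_phrase(phrase, salt), phone)

    def _phrase_ok(self, name: str, phrase: str) -> bool:
        member = self.members.get(name)
        if member is None:
            hash_phrase(phrase, _DUMMY_SALT)  # same cost, so timing does not leak membership
            return False
        return hmac.compare_digest(member.phrase_hash, hash_phrase(phrase, member.salt))

    def begin(self, name: str, phrase: str, now: Optional[float] = None) -> Optional[str]:
        """Steps 1 and 2: name on the list and correct phrase. On success a fresh
        code is issued (the 'text'); otherwise None, and nothing is sent."""
        if not self._phrase_ok(name, phrase):
            return None
        now = time.time() if now is None else now
        member = self.members[name]
        member.pending_code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        member.code_expires_at = now + CODE_TTL_SECONDS
        # In a real system this goes to member.phone, never back to the caller.
        return member.pending_code

    def complete(self, name: str, code: str, now: Optional[float] = None) -> bool:
        """Step 3: the reply. The pending code is consumed by any attempt, so it
        cannot be guessed with repeated tries or replayed after a success."""
        now = time.time() if now is None else now
        member = self.members.get(name)
        if member is None or member.pending_code is None:
            return False
        expected, expires = member.pending_code, member.code_expires_at
        member.pending_code = None  # single use
        if now > expires:
            return False
        return hmac.compare_digest(expected.encode("utf-8"), code.encode("utf-8"))


if __name__ == "__main__":
    door = Door()
    door.enroll("Jon Snow", "Winter is coming", "+1-555-0100")  # constructed values
    texted = door.begin("Jon Snow", "Winter is coming")
    print("door opens:", door.complete("Jon Snow", texted))
```

Note that a wrong reply discards the pending code, so the member has to start over from the name and phrase rather than the guard letting someone keep guessing.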
Takeaway: multi-factor authentication is the most secure way to protect your confidential information and critical assets. Companies should consider employing multi-factor authentication controls around privileged access and remote access to sensitive data and critical systems. Individuals should take advantage of multi-factor authentication wherever it’s offered. For many popular sites, it just needs to be turned on.
Takeaway: If you have trouble remembering passwords, you can use password managers. These programs (LastPass, KeePass, SecretServer, and others) manage your credentials for multiple website logins by storing them on your computer or smartphone in an encrypted database so they’re not in the open. A master password is required to use these programs. You can generate random, long, and hard-to-guess credentials with these programs and use different ones for different websites. With a password manager, you can take those stickies down from your monitor and rest assured the passwords are available when you need them.
The moral of the Jon Snow story? We live in interesting times. Our data is at once more accessible than ever, AND increasingly at risk to access by groups who wish to use it to ends unknown. Protect what you possess and don’t rely on the weak protections of simple passwords alone to guard what you hold dear.
Two Ways to Improve Healthcare Cybersecurity Today
The rash of high-profile ransomware attacks in 2016 has moved cybersecurity up the list of top risk considerations for healthcare organizations. However, two areas often present stumbling blocks: lack of budget and the fact that an organization’s weakest IT security link is often its people.
As Will Durkee of TSC Advantage discussed at the Maryland HIMSS Spring Educational Event: “Rapid Evolution of Cybersecurity in Health Care,” cybersecurity should be approached as an enterprise-wide issue. While it can’t be solved overnight, there are a couple of ways to begin to climb over the stumbling blocks.
Communicate that Cyber Risk is an Enterprise Risk: It cannot be reiterated enough – cybersecurity is not just an IT problem – and that’s why budget needs to be allocated not only for traditional tools and sensors, but for an enterprise-wide approach to security. The bottom line is that more than ever, organizations are connected digitally to their customers, suppliers, vendors and the public. That puts intellectual property, sensitive business information, operational dependencies, company reputation, and in the case of healthcare, customer/patient information at risk. Why? Because all of that data has a value to enterprising cyber criminals. The Ponemon Institute’s 2015 Cost of Data Breach study revealed that the healthcare industry has the highest cost per stolen record – at $363 – more than double that of other industry averages.
Such high stakes and determined adversaries demand an integrated approach involving business leaders from multiple departments. Yet in many organizations, corporate silos still exist. An IBM C-Suite survey reported that 60% of Chief Financial Officers (CFOs) and Chief Human Resources Officers (CHROs) “feel the least engaged in cybersecurity threat management activities, yet are the stewards of data most coveted by cybercriminals.”
When TSC Advantage teams assess the cyber posture of companies, they look for evidence of cross-departmental collaboration. Ask these questions to gauge whether your organization considers cybersecurity an enterprise risk, and therefore is allocating appropriate budget to security:
- Is there a security governance program involving representatives from multiple departments?
- Have policies and processes been developed, enacted, communicated and measured – not just for the IT department, but for the whole organization’s approach to securing data?
- Does the organization have an incident response and crisis management plan to enact in the event of a breach? Are these plans periodically tested and reviewed?
Foster a Security Culture to Combat the “People Problem”: The evidence shows that people continue to be a weak link in protecting the security of information. Adversaries use increasingly sophisticated methods to trick employees into clicking on malware-infested emails or to request fraudulent transfers of funds; and disgruntled or malicious insiders may knowingly steal or sabotage assets or systems.
TSC Advantage believes that the best defense is a proactive and holistic approach to cybersecurity that includes technology, processes, and people. While it’s impossible for every individual to stay on top of every threat, making cybersecurity awareness part of organizational culture can help reduce susceptibility to breaches. Here are three ways to get started immediately:
- Communicate the importance of cybersecurity from the top down. From the board of directors to the C-suite, to every level of the organization, each employee has a front line responsibility. Their diligence protects the organization, its mission, and ultimately the livelihood of each individual on the team.
- Conduct Effective Cybersecurity Training either through interactive computer-based delivery or in a classroom setting. Consider spreading the training out through the year to reinforce security culture and stay on top of evolving threats. Test employee knowledge to identify gaps.
- Empower the HR department to implement programs that mitigate employee dissatisfaction. This lowers the risk of malicious insider threat.
There are a multitude of security basics, such as technical controls, data segmentation, strong passwords, and multi-factor authentication that help keep organizations secure. The additional points described above can help start a conversation today about how to deepen cyber maturity and be more resilient tomorrow.
MedStar Attack Signals Growing Ransomware Threat to Healthcare
EMBOLDENED FRAUDSTERS HAVE LEAPFROGGED FROM SINGLE HOSPITALS TO EXTENSIVE SYSTEMS
MedStar Health Inc., the Maryland-based healthcare provider that operates 10 hospitals and employs approximately 30,000 people, suffered a crippling ransomware attack in late March that was so devastating it not only forced all of its hospitals to revert to paper documentation, but idled electronic record systems and prevented patients from booking appointments.
The MedStar Health attack comes on the heels of two other recent cases involving ransomware directed at similar but smaller healthcare providers. In these cases, both Methodist Hospital in Kentucky and Hollywood Presbyterian, a Los Angeles-based hospital owned by CHA Medical Center of South Korea, were each held hostage within the last two months by a particular form of malware called Locky. While Hollywood Presbyterian decided to pay its attackers a ransom and the Kentucky hospital did not, each case and others like it signal the troubling arrival of an effective brand of cyber extortion to which healthcare is uniquely susceptible.
Lucrative Returns Make Healthcare a Target
It should come as no surprise that privacy data such as protected health information is increasingly viewed as a new form of currency to enterprising cyber criminals bent on identity theft and other fraud. In recent years, cyber attacks against companies such as Anthem, Community Health Systems, and Premera Blue Cross, have served as a testament to this, while also highlighting the requirement for these companies to mature their cybersecurity beyond the standard if they are serious about escaping regulatory penalties and the accompanying havoc to their business operations.
But the industry is targeted for reasons that go beyond the inherently lucrative nature of patient privacy data on the black market. With the advent of Locky and other Cryptolocker-type malware targeting the industry, attackers understand the criticality with which medical providers require timely and uninterrupted access to essential systems and records. After all, if an attack locks up a physician’s ability to access critical data like a patient’s medical or drug history, the delivery of urgent care on their behalf may be impeded. And some hospital administrators, already wary of lawsuits by litigious patients, are opting to shell out as a result, further emboldening these criminals and all but inspiring others to get in on this bankable game as well.
The Pervasiveness of Ransomware
Ransomware can take various forms, but the more prevalent varieties are malware such as Locky, which is part of the Cryptolocker genus and designed to target the victim’s back-up folders while forcing them to pay a Bitcoin ransom before being provided a special decryption key to retrieve their files and systems. Having initially targeted individuals or small businesses, sophisticated variants such as Locky have graduated to encrypting and locking entire network servers, thereby preventing users at the enterprise level from accessing shared files and databases.
The FBI says ransomware attacks such as these have increased so sharply that companies have already paid more than eight times as much in ransomware payments so far in 2016 as they did in all of 2015.
Ways to Avoid Victimhood
Unfortunately, for those organizations victimized by such ransomware, the options to retrieve stolen data and regain access are very limited. As some cybersecurity professionals and the FBI recommend, companies must either pay their ransom – despite the ethical ramifications of doing so – or retrieve their data from back-ups. Short of those two options, there is very little left to do. While it might seem obvious, it is important to remember that the fundamental business model of ransomware is predicated on an organization’s willingness to pay. By routinely and securely backing up data, systems, and configurations, to include of course maintaining copies that are kept offline, proactive organizations take the power away from their extortionists and may avoid the pitfalls of such victimhood in the first place.
In addition to backing up systems, simple practices such as patching regularly, keeping preventative controls like antivirus and firewalls both up to date and properly configured, and blocking potentially dangerous ZIP files are crucial as well. TSC Advantage further encourages healthcare organizations and other companies to adopt additional (and basic) best practices to better prepare for and prevent such threats in this new landscape:
Conduct Security Awareness Training. By now, corporate risk managers and other enterprise security leaders understand the adage of being only as strong as the weakest link. With the rise of phishing attacks as well as the use of popups by cyber criminals to spread malware, recognizing threats and preventing accidental clicks becomes crucial. In addition to solutions such as popup blockers and spam filters, a culture of security must be created that instills a sense of skepticism at the user level that aims to defeat the increasingly clever ways in which adversaries are using social engineering to trick well-intentioned employees. Some solutions might include simulated phishing attacks and other training.
Understand Risk Tolerance. As TSC Advantage constantly reiterates, the objective of any effective risk management plan – no matter the industry – should be to anticipate threats to an enterprise based on an assessment of its unique threat profile and an understanding of why determined adversaries might target it in the first place. From there, a preventative and proactive strategy should be implemented that incorporates holistic security controls across multiple domains, such as data, physical and mobile security, internal and external business operations, and insider threat.
Create a Business Continuity Plan. Business continuity plans are essential features of a corporate risk management plan. Simply put, such a plan provides companies with the fundamental capabilities needed to reduce the cost of a cyber incident by preserving their access to critical business information and assets. For healthcare organizations to survive the potentially disastrous consequences of ransomware such as Locky, the ability to recover and to return to normal functioning as quickly as possible is paramount. As such, these organizations must categorize both their information and systems based on their criticality to operations and they must determine appropriate risk tolerance levels for these assets accordingly. Once that is understood, they should develop processes which then must be incorporated into a written business continuity plan and executed with confidence should something as dreadful as ransomware occur.
As we at TSC Advantage are fond of saying, while it may be impossible to completely prevent sophisticated cyber attacks using Cryptolocker-type malware, it is essential for organizations to understand that the scope of victimhood will always be a function of an organization’s preparedness.
Contact TSC for more information on ransomware or for help to develop impactful strategies to reduce the impact of cyber extortion on your enterprise.
The Growing Cybersecurity Threat to Critical Infrastructure
The United States Justice Department charged seven hackers tied to the Iranian government over their alleged involvement in a series of cyberattacks on banks as well as a 2013 cyber attack directed against the Bowman Avenue Dam, located 30 miles north of New York City near the town of Rye, NY. After gaining access to the dam’s control system, the hacker was able to acquire operational information, such as water level, temperature and status of the sluice gates, which control water levels and flow rates.
The attacker would have been able to control the dam’s gates had they not been disconnected from the facility’s computer network for maintenance at the time of the intrusion. As a result, the hacker’s ability to sabotage or cause widespread disruption through the remote alteration of equipment settings or sluice gates was eliminated. The hackers were unable to compromise any of the dam’s operational technology.
But how close of a call was this? Is this a sign of things to come, or is it, as U.S. Senator Chuck Schumer (D-NY) described, “a shot across the bow,” signaling perhaps a harbinger of future cyber sabotage that could cause death or even cascading failure of the power grid? In January, the U.S. DHS Industrial Control Systems Cyber Emergency Response Team warned that bad actors are “gaining more and more access to [these targets’] control system layer.”
Why Critical Infrastructure is a Target
Through Executive Order 13636, President Obama defines critical infrastructure as “systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.”
There are 16 critical infrastructure sectors, which among others, include transportation systems, power generation, telecommunications, water supply, financial services, government and public safety, and food production and distribution. It’s clear why targeting these sectors would be appealing to hackers with bad intentions.
Industrial control systems are targeted by nation-states, hackers, and deliberate insider threats just as traditional IT environments are. Nefarious actors understand that the health and prosperity of any country rests on functioning infrastructure. As a consequence, their ability to disrupt or damage these essential backbones can allow their acts of sabotage to have maximum impact.
Vulnerabilities of Industrial Controls
Additionally, these actors likely understand the inherent vulnerabilities within these environments. They realize that security problems with control systems are exacerbated by asset owners’ desire to keep their systems running at all costs. Why? To take a very simple example of an electric utility, any activity that has the potential to inadvertently cause a failure of systems for any amount of time (which in this case, would be the inability of a utility to transmit and distribute power) is simply anathema.
Not only would such a disruption mean loss of revenue for the electricity provider, but also reputation damage and perhaps even penalties as well. Such a reality may explain the historical resistance by these operators to practice basic cybersecurity like patching, for instance, which can be notorious for causing performance glitches and stubborn bugs.
Nefarious actors also understand one other reality commonly associated with industrial control system environments: they do not get replaced for years. In fact, some reports have suggested that the lifespan of an average control system is two decades. Now compare that to a standard PC desktop or laptop we all use, which most of us tend to upgrade every 3-5 years. With legacy systems that are decades old and that use insecure protocols and architecture, it is therefore easy to see why control systems are so attractive to attackers and why the cyber security of these industrial environments is finally getting the attention it deserves.
Victimized Entities to Date
But besides the Bowman Avenue Dam and the widely publicized Stuxnet rootkit in 2010 that resulted in the physical destruction of 2,000 Iranian centrifuges, are there any more examples of targeted attacks against control system environments? Sadly, the answer is yes.
Ukraine Power Grid Attack: In December 2015, it was reported that as many as 225,000 residents in western Ukraine lost power for six hours after Russian hacking group Sandworm and its malware BlackEnergy 3 targeted the Prikarpattiaoblenergo electric company and the electric grid it operated.
German Steel Mill Attack: In December 2014, an annual report by the German Federal Office for Information Security discussed a cyber attack of an unnamed steel mill in Germany that was alleged to have utilized both social engineering and spear-phishing in order to gain access to the mill’s information technology environment and later its operational technology environment. Based on reporting, this targeted attack resulted in the compromise of individual industrial control components and the inability of workers to shut down a blast furnace, thus causing physical damage.
Metcalf Sniper Attack: In April 2013, it was widely reported that a coordinated and sophisticated sniper attack against 17 transformers at a PG&E Corporation substation near San Jose, California resulted in approximately $15 million worth of damage. Although originally believed to have been an act of terrorism due to its timing with the Boston Marathon attack across the country, the FBI later ruled that out. Because of this incident, the importance of physical security at critical sites was elevated and resulted in the subsequent publication of security standards for all U.S. substations by the Federal Energy Regulatory Commission.
U.S. Railway Company Hack: In December 2011, the U.S. Transportation Security Agency reported that “hackers, possibly from abroad, executed an attack on a Northwest rail company’s computers that disrupted railway signals for two days.” According to news reports, the investigation revealed malicious actors had penetrated the system from three IP addresses but did not identify the countries where the attacks may have originated.
Turkish Oil Pipeline: In 2008, western intelligence agencies concluded that the explosion of a portion of the Baku-Tbilisi-Ceyhan oil pipeline near the city of Erzincan was attributable to hackers and not the result of a technical malfunction or Kurdish separatists, as originally reported. According to reporting, hackers were able to shut down and dismantle alarms, cut off communications, as well as pressurize the crude oil in the line to such an extent as to deliberately trigger a blast.
Australian Water and Sewage System Attack: In late October 2001, an Australian man was sentenced to a two-year prison term for his involvement in a cyber attack against a sewage plant in Queensland, Australia that resulted in the unauthorized release of millions of liters of waste water and sewage into local parks, tributaries, and the grounds of a local hotel.
Important Steps to Confront Threats to Critical Infrastructure
What can critical infrastructure businesses do to address the risk of cyber attacks? There are three first steps to take:
- As with traditional cybersecurity vulnerabilities impacting IT environments, the first step is to identify any and all risks through a holistic cyber assessment.
- Once risks are identified, manage risk through the development of a strong cyber security culture that establishes cybersecurity goals, adopts best practices, as well as implements (and enforces) policies and procedures covering all aspects of enterprise risk management.
- Consider risk transfer through insurance options which can assist with any financial consequences of an attack.
While federal authorities continue to pursue identified attackers, critical infrastructure businesses can proactively find and fix vulnerabilities, and mitigate risk.
For more information on cyber insurance and to learn more about TSC Advantage’s cyber assessment support to U.S. critical infrastructure, please contact TSC Advantage or our partners at McGriff, Seibels & Williams, Inc.
How Your Digital Crumbs Are a Feast for Corporate Cyber Hackers
It’s a digital world and increasingly, as we all live and work online, we leave bytes of information – digital crumbs – scattered across social media that can be used by hackers to attack not just us but bigger targets – our employers.
Yes, the family trips, causes we support, alumni associations we’re part of, and new jobs or promotions we celebrate online are the details determined hackers can, and have, used to target individuals in an effort to compromise the sensitive information of their employers. How? Because what we view as interests, bad actors see as opportunities and vulnerabilities.
In the view of many, cybersecurity or enterprise security tends to focus on what we refer to as data security, but in fact, threats to an enterprise’s security may emanate from a variety of vectors. The trusted insider plays an important and oftentimes overlooked role in the compromise of data. Additionally, a lack of vetting of third party providers and supply chains creates an immense risk to corporations. That’s why at TSC Advantage, we focus on six domains: Data Security, Insider Threat, External Business Operations, Internal Business Operations, Mobility, and Physical Security.
But what does this have to do with social engineering and your Facebook or LinkedIn account? As we described in a presentation at the recent Business Insurance Risk Management Summit in New York, it’s the connection to one domain in particular – Insider Threat.
We are all the Insider Threat
Simply put, an Insider Threat is a current or former employee, contractor or someone who has or had authorized access to sensitive data, systems, technology, personnel, or other items of interest. That’s most of us, and that’s why more than 70% of all cyber breaches are attributed to a credentialed or trusted insider.
The greatest number of security breaches occur from negligent employees. How many of us have written down all our passwords and left them in plain sight, given our usernames and passwords to colleagues, or yes, even used “password” as our password?
Malicious insiders, most often a disgruntled or departing employee, may knowingly steal or sabotage systems, IP or other important virtual or physical assets. Compromised insiders have had their credentials compromised or stolen by an outsider for purposes such as espionage, fraud or attack.
If you’re a Compromised or Malicious Insider, you may be susceptible to recruitment through social media or some other electronic medium like chat rooms or message boards. Negligent insiders – most of us – may be targeted through phishing or spear-phishing campaigns. With increasing access to smart phones and the Internet of Things, unwitting or negligent insiders represent the largest pool of potential insiders, and if you haven’t already been targeted by some sort of scam, you’re in the minority.
Social Engineering – How it Works
Social engineering is nothing more than conning you. Most people within organizations don’t want to challenge or create an uncomfortable social interaction, so as a result they assume someone belongs or is not out to manipulate them into providing private or proprietary information. Social engineering takes advantage of this by combining human interaction, whether in person or via a virtual medium, with social skills, in order to obtain or compromise sensitive data.
An adept criminal or other malicious actor will compile data on you using whatever means necessary. The logical first step is to scour your social media presence to tailor their social engineering exploits. For example, using posted details about travel plans, an individual may pose as a hotel employee to call and “confirm” details such as credit card and room number, or birthdate.
Another example of social engineering is the dramatically increasing problem of Business Email Compromise. Targeted emails that appear to originate from company executives are sent to an employee with access to company funds, ordering them to make wire transfers. Clever criminals have already gathered intelligence and know the companies work with foreign suppliers or are expanding into foreign markets, so their instructions are not questioned. Such schemes have netted criminals $800 million in the six months since August 2015, according to the FBI.
Phishing on the Menu
But the most ubiquitous form of online compromise is through phishing and spear-phishing. What’s the difference? Phishing campaigns tend to be exploratory, looking for targets of opportunity. Most people have probably received a phishing email – or hundreds of them. Most of them are directed to your junk box or blocked by your network’s perimeter defenses. Similar to social engineering (and often used in conjunction with it), phishing is a technical deceit that attempts to manipulate victims into opening files or attachments, or clicking on embedded links in an email, as a means to deliver malware. In fact, not only criminals but nation-states use phishing campaigns to target broad industries of interest.
Spear phishing is much more targeted. Collecting data on the potential victim and using social engineering techniques will increase the likelihood that a phishing email will bypass spam filters and actually reach the end user. Once the email is opened, a variety of malware can be injected. This is how a trusted insider becomes the threat.
So, what does a typical targeting cycle look like? First the attacker identifies employment history, family data, hobbies, etc. to create a profile and identify your potential motivations or vulnerabilities. Next, he tries to build a relationship remotely using a cover that appeals to your preferences. Do you ever accept online connection invites with someone you’ve never heard of, or receive unsolicited offers for jobs or interviews?
Determined hackers also craft tailor-made emails using information gathered on your company, often including actual names of colleagues and a malicious attachment. If you click, which studies repeatedly show many people do, you unwittingly become the Insider and the attacker uses this as a jumping off point to infest your organization’s network.
Cyber Threats About More than IT
Every day individuals are targeted, through mass online schemes and detailed social engineering efforts. As a result, we are all insider threats. Cyber security is not so much a technology problem for your IT department to solve; it’s a people problem. In fact, increasing IT budgets to combat the problem through a technological solution eventually results in diminishing returns on those investments.
We believe the best defense is a proactive and holistic approach to cyber security that includes not only technology, but also involves processes and people. That means changing the culture of our workplace, involving key stakeholders across the enterprise, and creating awareness about how to prevent your digital presence from impacting yourself and your employer.
Is Your Supply Chain Open to Hackers? Tips to Ensure Third-Party Vendors Protect Your Data
As with most things in life, it is crucial to understand history in order to better understand and prepare for the future. Countless examples of cyber attacks that originated through trusted third parties (such as those that affected Jimmy John’s, Lowe’s, Goodwill Industries) serve as a cautionary tale of the extraordinary threats that enterprises face from supply chains and vendors alike.
Still resonating today is the story of retail giant Target and a small HVAC provider. According to analysis by researcher Brian Krebs at the time, Pennsylvania-based Fazio Mechanical Services’ reliance on a free version of a malware detection tool that was licensed explicitly for individuals and not for corporate use, its non-segmented access to Target’s administrative and online project management portals, plus a determined adversary at the helm, all added up to what has been described as the fourth largest data breach of all time.
As TSC Advantage explained at the International Risk Management Institute (IRMI) CyberRisk Summit in Houston on March 3, the vast majority of organizations we have assessed have not identified what information assets are most at risk and why, or where they reside. This lack of insight provides a perfect opening for determined adversaries, who prefer the path of least resistance. The Fazio and Target example illustrates how that path can include use of third parties and supply chain partners to gain a foothold on a targeted network.
As frameworks such as Lockheed Martin’s Cyber Kill Chain Model have demonstrated, sophisticated attackers do their homework during a reconnaissance phase prior to an attack, where the main objective is to observe, probe, and formulate potential avenues of approach. Once a plan has been identified and a payload weaponized for delivery, attackers go to work, quietly and systematically purloining data, causing business disruption, and in the case of SCADA attacks, sparking devastating sabotage that can result in ‘failure to supply’ events.
In the case of Target, the infection was delivered through malware-laced emails, opened by Fazio employees, that paved the way for access to segments of the network containing highly sensitive payment card and customer privacy data. Once hackers established a foothold, they prepared for their coup de grâce by uploading malicious software to collect payment card information within a few registers. Once they confirmed that the malware performed properly, they infected hundreds of point-of-sale devices with malware. The attack resulted in the exposure of nearly 110 million customers’ personal and credit card information and upwards of $420 million in liability for the retail giant.
Due Diligence with Third-Party Vendors Protects Supply Chain
While the monumental story of Fazio and Target increased awareness, third-party threats are on the rise and continue to be widely overlooked. Beyond acknowledging the threat exists, the next step is to implement a proactive security posture throughout the enterprise by insisting on greater vigilance on the security practices of third-party partners.
For companies seeking to outsource key services, such as data storage to cloud service providers (CSPs), critical questions must be asked of vendors and suppliers before signing any service level agreement (SLA). From a technical standpoint, companies should focus on data security and inquire about the vendor’s controls on three levels:
- Application layer controls, which address whether applications are well written;
- Data layer controls, which address encryption; and
- Access controls for the CSP and the greater client user-base, which address concerns regarding privileged use and access control strength, consistency, and maturity.
Some of the questions that may fall under these technical controls include:
- Is multi-factor authentication used?
- What kinds of legacy defenses are used, such as firewalls, anti-virus, and intrusion detection & prevention?
- What are the encryption standards used for both data in transit and data at rest? Allow the vendor to articulate its security philosophy. Do they invest in ‘compliance’ or are they evidencing maturity beyond the standard?
- Has there ever been a significant cyber breach in the past?
- If so, what was the cause and are there recovery time objectives? Did the third party meet those objectives?
- What resilient measures are in place to prevent similar events from happening again?
- What type of vetting is done on new hires? When somebody is fired, what termination protocols are enacted to ensure access paths and credentials are revoked?
- Who and how many employees will have access to my data?
- What types of preventative and detective physical security controls are implemented at this location, such as barriers, alarms, cameras, and intrusion detection?
- To what extent is auditing performed on my account if changes are made?
When Subcontractors Send Malicious Messages
The above questions should help companies stay vigilant against accidental breaches via partners, but what about subcontractors and other third parties with nefarious intentions who act deliberately? Although recent and high-profile incidents such as the Edward Snowden disclosures and the attack on Sony brought focus to the issue of insider threat, the little-known case of Khosrow Zarefarid, a subcontractor working for three major banks in the Middle East, shows just how problematic this threat can be.
Zarefarid, a software manager at the company responsible for operating the banks’ networks, was good at his job. He discovered a potentially serious security flaw, and he wrote a formal report to notify the CEOs of each of the three banks that they were at risk of an impending attack. After a year passed with no action being taken, Zarefarid felt unappreciated and resented that bank executives did not heed his advice. The frustrated subcontractor decided to make a point.
The result was the compromise of three million bank accounts and thousands of card numbers and PINs, which Zarefarid exported and posted on his personal blog. This resulted in not just the compromise of payment card and privacy data of millions of the banks’ customers, but enormous reputational and revenue loss for the banks themselves.
Ensure Security Beyond Compliance
Whether they’re the unsuspecting vehicles used by cyber attackers or the originators of such assaults themselves, vendors and subcontractors continue to represent potentially devastating areas of risk to companies.
As the customer, the power of the purse reigns supreme, and a company seeking out third-party support can decide with its pocketbook when vendors fail to demonstrate adherence to industry standards and best practices as their minimum baseline. But sadly, that alone is not enough. Often lost in the discussion of the Target case is the fact that the retail giant was certified as meeting the payment card industry standard (PCI-DSS). As we know, this did not prevent it from becoming a victim.
Although much has been revealed about the litany of vulnerabilities that contributed to the success of this attack, such as the lack of network segmentation of the payment processing network or of hardware-based point-to-point encryption, companies are still required to go beyond minimum obligations and practice defense in depth, so that security is not just a ‘check-the-box’ exercise.
Instead, cybersecurity must be an ongoing process that demands vigilance and multiple layers that address people, process, and technology. It is imperative that companies approach their own risk management with these important factors in mind. If history has taught us anything, it’s that those who do not learn from it are doomed to repeat it.
WE’VE IDENTIFIED THE ENEMY AND IT’S US!
The overwhelming majority of insider threat events are not the result of a malicious employee’s actions; rather, they are caused by the unintentional insider – someone gets hit by a spear phishing email, data spillage occurs, documents are destroyed improperly, a data storage device is lost or stolen, or people fall victim to social engineering and elicitation.
Research shows that while well-known events like the Ashley Madison compromise, which involved an insider, get a lot of attention, organizations may be too focused on the spectacular threat vectors. A 2013 CERT Software Engineering Institute (SEI) study on unintentional insider threat showed that 17% of cases were unintentional hacks, while 49% were unintentional disclosure. The SEI highlights that employees should be cognizant of the non-spectacular risks which are far more common than the over-exaggerated spectacular risks. In other words, it may be more often the case that organizations are the victims of 10,000 paper cuts rather than a single atomic event.
While a lot of time and energy has gone into examining the root elements of the malicious insider, the unintentional vector has received less focus. Available research on the topic points to the perception of risk, biases, the influence of environment, and everyday stressors, though we shouldn’t discount simple ignorance. So, how can organizations address the very real risk of unintentional insider threat? Start by getting inside the mind of the average employee as you roll out your strategies.
Insider threat and cybersecurity training during onboarding or even annually may not be enough. The constantly evolving threat landscape requires ongoing training. For example, phishing emails used to be fairly obvious – spelling errors, an obviously incorrect sender email address, etc. Now, spear phishers commonly spoof legitimate sender email addresses, or have taken control of a legitimate user’s account through earlier attacks.
There may be little that employees can do other than call the sender to verify unusual requests for information or action, but that highlights another challenge to security.
Hoping for the Best!
Many of us don’t want to contact our superior on seemingly simple requests at the risk of looking insubordinate or challenging their authority. This deference to authority is exactly what attack authors are preying on. Of course, this could be addressed by management or even incorporated into organizational policy – such as using voice confirmation for certain types of requests – but it must be part of a larger cultural shift to have any lasting effect.
Ignorance is Bliss.
People in general have a deferential attitude towards what happens on their workstations – if there is no error screen or warning, then they must be ok, right? For most people who are not intimately familiar with the mechanics of computing and the internet, they trust their machine or an administrator to tell them when something is wrong. The message to employees and the public in general usually says something to the extent of having anti-virus software and not providing a social security number to anyone asking for it in an email.
I Know What I’m Supposed to Do, But….
Consider the feet-on-the-ground workplace culture – in this case I am referring to culture as a system of beliefs, practices, orientations, acceptable norms, demonized and praised attributes, that organically emerge – not the practices as written. Individuals may be trained to respond in a certain way when risk presents itself, but face a cost-benefit analysis in terms of culture compliance. When there is no obstacle between the individual and cultural practices, or when individual and cultural norms are aligned, there is no pressure on the individual to act in a contrary manner (e.g. not follow security protocol). When the individual’s behavior is not in line, or contrary to cultural norms, then the individual must make a cost-benefit decision, the result of which could depend on any number of factors.
Consider the recent Department of Justice “hack” in which 20,000 FBI employee names were released. According to media reports, the hacker said he or she was able to access systems by telling a help desk attendant that he or she lacked a token code (dual-factor authentication), and the attendant provided one because the caller posed as a “new employee.”
It seems unbelievable at first, but consider it from the attendant’s point of view. The caller seemed to know what they were talking about in terms of access. The caller may be in a position of authority and could pose risk to the attendant’s job by not performing. The attendant’s primary duty is to resolve issues, not to analyze issues.
Going back to the authority statement: while most of us have been trained to know when to deny a privilege escalation, it’s another thing to get a request from a person who seems to be in charge – who might be able to affect our day-to-day stress level. So what do you do? What does a low-level system administrator in today’s economy do?
But Mom Said it’s OK.
A dysfunctional work culture, or a work culture incongruent with documented policies and procedures, tends to be the result of some incentivized behavior, either through perceived or actual punishment or reward. This isn’t too far a stretch from mixed messaging in parenting psychology – inconsistent rule application and messaging, and unbalanced, sometimes opposing, responses to behaviors, result in confusion for the child and impair the child’s ability to function accordingly.
Why Should I Care?
As I pointed out in my blog post “Why Insider Threat Detection Fails”, humans are poor performers when it comes to detecting rule violations of anything other than social contract or personal safety rules. While we function in a super connected world of relationships, the human mind still functions in a hunter-gatherer world, designed to monitor maybe 50 relationships. Simply put, the human mind is really concerned with its own survival, and by extension its progeny; concepts like threat to the corporation from abstract concepts like supply chain are not natural to the human mind and do not present as an immediate threat to self.
As such, if training and communications about cybersecurity are only presented as a series of “if-then” concepts without tying them to the individual’s health and well-being, they will fall on deaf ears. That message – that the health of the company is the health of the individual – needs to be articulated, repeated, demonstrated, and believable. Rote memorization of “if-then” rules will yield some measure of protection, but it does nothing to build a culture or to take real residence in the mind of the employee.
Your employees are your first responders, your first line of defense, and the most critical asset. There are certainly a variety of factors which might cause them to become the next unintentional insider threat, but nothing is worse than apathy.
5 Ways to Combat Insider Risk
- Climate surveys by a third party industrial psychologist can clarify what the culture really is.
- Messaging to the workforce – if in doubt, question. Build a culture of rewarding security posture and questioning suspect vectors.
- Tie organizational risk to real life employee risk in training. Don’t just say it’s bad for the company to lose money from IP theft via insider threat. Tie it all to the employee’s bottom line.
- Be consistent – what’s on paper needs to match what managers exude.
- Encourage questions. It might save you a lot of money. Employees who think they might be facing a security issue, insider or cyber, should feel reporting/questioning is a duty rather than a burden. Make this a value and you could very well save a lot of pain in the end.
Gabriel Whalen is a behavioral consultant and social engineering expert at TSC Advantage.
FIVE IDEAS TO ACCELERATE YOUR CYBER STRATEGY
The third annual threatLAB conference, Feb 1-3 in Florida, brought together cyber leaders from U.S. federal law enforcement and the intelligence community as well as industry experts from across the Fortune 500, including sectors such as energy, manufacturing, telecommunications, insurance, and more. Together, they shared insights on this year’s theme – Cyber Risk 360° – which embodies the TSC Advantage philosophy of encouraging businesses to take a proactive and panoramic view of their cyber security.
After a packed agenda that included discussions on cyber resiliency, a review of the latest threat actors, a case study on the Ashley Madison attack, and significant findings collected from TSC Advantage’s holistic Enterprise Security Assessments (ESA) conducted over the course of two years, we’ve compiled a short list of takeaways that organizations should consider as they plan their cyber strategies.
- Harmonization of Technology, Processes and People
Security is neither a single act, nor a vendor sensor. Rather, it is the collection of activities that harmonize corporate investments in people, process, and technology. While technology is indeed crucial to any risk management discussion, it cannot be relied upon at the expense of other considerations, such as the importance of developing a mature cyber security culture that has complete C-suite buy-in, or understanding the litany of technical and non-technical threats that may imperil sensitive digital assets. TSC Advantage’s ESAs performed on organizations of varying sizes and sectors have demonstrated that those that invest in cyber security across their holistic enterprise are best able to prevent, detect, correct, and ultimately recover from a cyber attack or breach.
- Cyber Security + Cyber Resiliency = Cyber Maturity
In the years TSC Advantage has been conducting assessments, we have seen a transition from a discussion about cyber security – network security – to one of cyber resiliency. Cyber security is focused on keeping external threats out through preventative fortifications. Cyber resiliency acknowledges that no controls are perfect and because threats evolve, consideration must be paid to those resilient functions designed to detect and correct. Right now the average amount of time it takes to detect a breach is 256 days. That’s simply too long and costly. But, by combining cyber security and cyber resiliency, enterprises would be in a better position to achieve a level of cyber maturity that will make them a much harder target and help them get back to business as quickly as possible.
- Transfer Risk!
Enterprises can choose to avoid, mitigate, accept, or transfer risks to their organization. Cyber insurance can serve as part of an overall risk management plan designed to maintain customer privacy and corporate reputation. The first step is to understand both exposure and risk, including potential physical damage and third party exposures. Step two is to understand your policies. threatLAB guest speaker Mary Guzman of McGriff, Seibels & Williams, outlined how policyholders should be aware there may be exclusions in their current policies for cyber-related incidents. Know the limits and exclusions, and depending on sector, understand regulatory requirements that may impact your enterprise. Cyber insurance can provide an additional line of defense by transferring risk, but more importantly, by requiring organizations to submit to annual holistic cyber risk assessments per the terms of their policy, a virtuous cycle is created that leads to greater cyber maturity of the insured and a lower risk inherited by the insurer.
- Partnerships Promote Sharing
At threatLAB, we heard from senior special agents from the FBI as well as officers representing U.S. Department of Homeland Security (DHS). Both have robust threat intelligence sharing and public/private sector outreach programs covering critical infrastructure, white-collar crime, economic espionage, terrorism and more. Make these additional resources part of your organization’s cyber toolkit. Depending on your specific industry, there are also numerous member-driven Information Sharing and Analysis Centers (ISACs) which collect, analyze and share threat information. Join one to maintain sector-specific situational-awareness.
- Get Back to Basics
Finally, let’s get back to basics and practice basic cyber hygiene. Surprisingly, some enterprises overlook basic security controls such as complex passwords, multi-factor authentication, and use of a virtual private network (VPN). But basics should go beyond that. TSC Advantage has found that only half of the organizations we’ve assessed had fully documented external crisis communication plans for disasters or breaches, and very few organizations have identified, classified, and monitored their critical and valuable assets. While we understand this is not an easy undertaking, protecting those assets is virtually impossible if you don’t know what exists or where these assets are located. Executives: you’ve seen the data – board involvement and good governance reduce the actual cost of a cyber breach. Be a champion of good cyber hygiene within your enterprise.
These are just five of the many take-aways we gleaned from our roster of speakers at threatLAB 2016. Contact the TSC Advantage team for more information on these or other enterprise risk topics and we look forward to welcoming you to threatLAB 2017!
April 28, 2016
Hacktivist group Anonymous shut down the website of white supremacist group the White Knights of the KKK through a Distributed Denial of Service (DDoS) attack which overwhelmed the site. The hackers told the media they were protesting the KKK’s “blunt racism.”
April 26, 2016
The international money transfer network known as SWIFT says it has suffered a number of recent cyberattacks and recommends that its 11,000 financial institution customers update their systems with newly released software. SWIFT acknowledges that its software was altered as part of the February cybertheft of $81 million from the Bangladesh central bank account at the New York Federal Reserve Bank.
April 18, 2016
IBM researchers say they’ve discovered a new type of hybrid malware called GozNym that has been used to attack customers of banks in the U.S. and Canada, stealing about $4 million in the first few days of April. Bank customers with business accounts are targeted with an email that, when clicked, installs malware which remains dormant until the victim logs onto a bank account.
April 12, 2016
The Federal Deposit Insurance Corporation (FDIC) experienced a case of insider threat. It says 44,000 customer records were removed from its files when a departing employee downloaded the data to a removable media device in February. The FDIC says a data loss prevention tool detected the breach within three days and the employee returned the device with the data.
April 8, 2016
The Federal Bureau of Investigation (FBI) says “business email compromise” is responsible for $2.3 billion in company losses from October 2013 through February of this year. In the scams, hackers impersonate company executives in emails, ordering staff to transfer large amounts of money to accounts that are actually controlled by criminals.
March 31, 2016
Just weeks after hospitals in Kentucky and California were hit with ransomware attacks, the MedStar Health network in the Washington, DC region faced a cyberattack on its email and patient records databases. Staff reported to media they saw pop-up messages demanding a $19,000 payment in bitcoin to release the records or they would be rendered unrecoverable.
March 11, 2016
Just over $80 million was stolen from the Central Bank of Bangladesh when cyber attackers hacked into the Bank’s system, acquired credentials, then sent a series of money-transfer requests to the New York Federal Reserve. Four requests for $20 million were processed before a typo in the routing instructions alerted officials that something was amiss.
March 10, 2016
For the first time, a ransomware attack has successfully affected Apple Inc’s Mac computers. The “KeRanger” ransomware found in a tainted version of data transfer program Transmission, was downloaded more than 6,000 times by Apple users before the threat was contained. Ransomware attacks are more common on computers running Windows.
February 26, 2016
The Internal Revenue Service (IRS) says a 2015 cyber attack may have affected seven times more taxpayers than it originally reported. The IRS says criminals used credentials obtained from “non-IRS sources” to access 724,000 “Get Transcript” accounts, which contain information similar to that on a tax return.
February 18, 2016
Hollywood Presbyterian Medical Center paid a 40 bitcoin ($17,000) ransom demanded by hackers to end a week-long cyber attack and regain control of its computer network. The “significant IT issues” caused by the hack required the hospital to work on paper, divert hundreds of patients to other hospitals, and shut down whole departments.
February 9, 2016
The IRS said it recently stopped an automated attack upon its Electronic Filing PIN application on IRS.gov. Using personal data stolen elsewhere outside the IRS, identity thieves used malware in an attempt to generate E-file PINs for approximately 464,000 stolen social security numbers. An E-file PIN is used in some instances to electronically file a tax return.
January 28, 2016
The Fraternal Order of Police (FOP), America’s biggest police union, saw its private files, including officer names and addresses, forum posts critical of the U.S. President, and controversial contracts with city authorities, posted online after a hacker breached its website.
January 22, 2016
The State of Michigan said it was the victim of a Distributed Denial of Service (DDoS) attack that slowed and eventually crashed its website. It came a day after a Flint, MI hospital was hacked, following warnings by a hacktivist group upset about a crisis over lead in the water supply.
January 13, 2016
Automaker Nissan shut down its global websites after a distributed denial of service (DDoS) cyberattack that may have been carried out by “hacktivists” opposed to Japan’s controversial whale and dolphin hunts. An activist connected with the hacking collective Anonymous tweeted objections to whale hunting and photos of a Nissan executive.
January 6, 2016
U.S. power companies have been advised by an electric industry group to review network defenses following reports that a malware known as BlackEnergy caused a widespread late-December power blackout in Ukraine. It’s believed to be the first time that a cyber attack has taken down an electric grid.
January 4, 2016
The Department of Health and Human Services (HHS) confirms that hackers accessed more than 100 million health records of Americans in 2015. Eight of the 10 largest health care provider hacks took place last year, according to the federal agency.
December 29, 2015
The details of 191 million U.S. voters, including names, addresses, birth dates, party affiliations, phone numbers and emails, were discovered in a publicly-available database by an independent computer security researcher who says the database was incorrectly configured. Such information could be a valuable one-stop site for criminals wishing to target large numbers with fraud schemes.
December 22, 2015
Iranian hackers are reported to have gained access to control systems at a small dam in the downstate town of Rye, NY in 2013, though no action was carried out. According to the Associated Press, Iranian cyber operators are also responsible for multiple intrusions into the US electrical grid since August 2013, for information-gathering and data theft.
December 14, 2015
The website for Trump Towers, owned by Republican presidential candidate Donald Trump, was offline for about an hour, allegedly breached by hacktivist group Anonymous. The group tweeted that it took down the site “as a statement against racism and hatred,” after Trump suggested temporarily barring Muslims from entering the United States.
It’s easier than you think for your sensitive data – such as intellectual assets, trade secrets, protected health information, or customer data – to fall into the hands of a competitor, hacker, disgruntled employee, or foreign government.
Let us introduce you to a couple of our team members who will be helping you secure your enterprise.
Allen, Senior Project Manager
Allen joined the company in 2011. With more than 20 years of experience in the commercial and government sectors, Allen has worked at a variety of organizations including several Fortune 500 corporations. During his commercial tenure, Allen managed numerous programs within the telecommunications and information security industries, including several large multi-million dollar projects related to cellular/satellite network implementation. Allen’s background also includes defense policy analysis and national security policy, as well as military experience in the US Navy as a Russian linguist and Soviet naval analyst. Allen holds PMP and CISSP certifications and a Master’s degree in International Affairs from Columbia University.
Natalie, Director of Analytics
Natalie has been with the company since 2007. With more than 15 years of experience as an intelligence professional, Natalie’s expertise spans both the government and commercial sectors. Natalie’s work for the U.S. Government includes extensive experience in the identification, acquisition, and development of critical information, supporting high-value national security interests. In the commercial arena, Natalie led the development of innovative methods to acquire and analyze critical information to protect specific interests and high-value intellectual assets. Natalie holds a Master’s degree in International Relations from Yale University.
Interested in proactively defending your enterprise? Curious about possible employment opportunities?