SamSam Ransomware: A Continued and Growing Cyber Threat

The SamSam ransomware has affected far more victims than initially thought – raising nearly $6 million and counting in ransom demands. According to Sophos’ research of the SamSam ransomware, it’s estimated that roughly 233 victims have paid a ransom to the attackers so far.

Sophos Report

Sophos has uncovered new details about the SamSam ransomware, focusing on how it works and how it’s evolving. Most ransomware is spread out in large, untargeted spam campaigns sent to thousands of people. These attacks use simple techniques to infect victims, raising money through large numbers of relatively small ransom requests. SamSam, on the other hand, is used in specific, targeted attacks.

SamSam attackers break into a specific victim’s network and then run the malware manually. These attacks are tailored to cause maximum damage, with ransom demands in the tens of thousands of dollars – the largest individual victim so far shelled out $64,000.

Although initially thought to specifically target healthcare, government and education sectors, the Sophos report indicates that the private sector has been equally attacked. However, victims in the private sector have been more reluctant to come forward. Continue reading SamSam Ransomware: A Continued and Growing Cyber Threat

The Cost of a Data Breach and Four Ways to Lower It

The results are in! The Ponemon Institute interviewed more than 2,200 IT, data protection, and compliance professionals from over 450 companies that had a recent data breach, and their 2018 Cost of a Data Breach Study: Global Overview reveals lessons we can all learn from.

Stats Are More Than Just Numbers – They’re Consequences

  • The average total cost of a breach in the U.S. is $7.91 million (more than double the global average of $3.86 million).
  • Data breach costs have increased by 6.4 percent from last year.
  • The number of compromised records rose by 2.2 percent.
  • Heavily regulated industries, such as healthcare, and financial organizations pay substantially more than other industries when data is compromised.
  • A data breach due to malicious or criminal activity costs $157 per record, while the cost for breaches caused by system and human errors were $131 and $128, respectively.

Key Factors that Influence Cost and What You Can Do

These days, it’s not a matter of if but when a breach will happen to you. The Study offers helpful tips to reduce the cost in the event of a breach.

  1. Pay less by finding and fixing it fast

The Study found that the quicker a company acts, the less a breach may ultimately cost. When considering a timely response, companies who identified a breach in less than 100 days saved more than $1 million. Likewise, organizations that contained or resolved a breach in less than 30 days saved more than $1 million as well. Consider an intrusion detection system (IDS) to monitor your environment for malicious activity or policy violations, so you can quickly identify any unauthorized access and save money in the long run.

  1. Create an incident response team

The Study also found that having a capable incident response (IR) team reduced the cost of a breach by almost $14 per compromised record. That may not sound like a lot but multiply it by the average number of records compromised during a breach, and the numbers quickly add up. If you don’t have an IR plan and team in place, build one and test it regularly. The Study provides tips for building a business case for IR, so you can quantify why your organization needs one.

  1. Encryption cuts costs even further

Want to bring that per record cost down even more? Encryption reduced costs by $13 per capita. Encrypting stored personally identifiable information saves you legal and notification costs should an incident occur.

  1. Limit your dependence on these factors

Third party involvement, extensive cloud migration, compliance failure, and the extensive use of mobile platforms all increase the cost of a data breach.

The Study is an annual reminder that, while breaches are expensive, certain measures can be taken to reduce the costs that follow. Download a complete copy of the Study here and learn how your organization can put its findings to work.

 

Reddit Hacked: A Lesson in the Evolving Role of Cybersecurity

Reddit, the immensely popular social news website, has been hacked. Reddit’s CTO Christopher Slowe posted a discussion saying that it discovered the data breach in June, after an attacker compromised a handful of employee accounts.

The employees’ accounts were protected with SMS-based two-factor authentication, meaning that any would-be attacker not only would have to steal a worker’s password but also intercept the authentication verification sent to the employee’s mobile phone. “We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept,” Slowe shared. Reddit is encouraging users to move to a more secure token-based Two Factor Authentication (2FA).

Compromised Data

After breaking into the employee accounts, the intruder gained access to databases and logs, including usernames and their corresponding email addresses – as well as encrypted passwords dating back to the site’s early days from 2005 through 2007. Continue reading Reddit Hacked: A Lesson in the Evolving Role of Cybersecurity

Guidance on Disposing Sensitive Data-Storing Devices

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently released their July 2018 newsletter entitled: Guidance on Disposing of Electronic Devices and Media(Guidance) , which provides suggestions for properly disposing technology that may contain sensitive data – such as financial or protected health information (PHI). While directly applicable to the healthcare sector, this guidance is best practice for all organizations.

OCR’s Mission

Part of OCR’s mission is to provide guidance to health care providers, insurers and other stakeholders on cybersecurity issues like properly disposing equipment that contains sensitive information. This equipment includes desktops, laptops, tablets, copiers, servers, smartphones, hard drives, USB drives and other type of electronic storage devices.

Improper disposal of devices can lead to a data breach that can be costly to an organization, both financially and reputationally. Some of the financial costs include notifications, investigations, lawsuits, consultants, legal counsel, fees paid to security specialists and loss of clients. Continue reading Guidance on Disposing Sensitive Data-Storing Devices

W3C Publishes New Website Accessibility Guidelines

The World Wide Web Consortium (W3C), a private organization which develops website accessibility standards, has published an update to its Web Content Accessibility Guidelines (WCAG 2.1).  WCAG 2.1 serves as an expanded version of the WCAG, adding 17 new “success criteria.”

W3C

The W3C has led the way for individuals with disabilities to fully access public websites and mobile apps, as well as other digital content and has become widely accepted as the standard for such technical requirements.

The consortium is made up of member organizations which maintain full-time staff that work to develop standards for the World Wide Web. The W3C also engages in education and outreach, develops software and serves as an open forum for discussion about the Web. Continue reading W3C Publishes New Website Accessibility Guidelines

DOJ Unveils Cyber-Digital Task Force Report

The Justice Department’s new Cyber-Digital Task Force has issued a report (Report) highlighting its comprehensive assessment of the Department’s work in the cyber area and an identification of how federal law enforcement can even more effectively accomplish its mission in the cyber world.

The Task Force, established by Attorney General Jeff Sessions in February 2018, will also focus on other cyberthreats facing the U.S., including attacks on infrastructure and privacy.

Unveiling the Report

Deputy Attorney General Rod Rosenstein unveiled the report, outlining a new policy for responding to foreign influence operations ahead of the midterm elections in November.

Speaking at the Aspen Security Forum in Aspen, Deputy Attorney General Rosenstein said, “Every day, malicious cyber actors infiltrate computers and accounts of individual citizens, businesses, the military, and all levels of government.” Continue reading DOJ Unveils Cyber-Digital Task Force Report

Encryption: Combating the Growing Threat of Data Breaches

Data breaches happen all the time, simply look to the headlines and you’ll find multiple examples of corporations struggling to protect their data. From Target and Equifax to Anthem – all these organizations have fallen victim to some form of data breach usually affecting customer data. Yes, many (most) of us have received a breach notification letter or, at the very least, know someone who has.

Every state in the U.S. now has a data breach notification law. This trend is a signal to organizations conducting business in the U.S. that they should start taking the necessary actions to protect the personal identifying information (PII) of their customers, clients and employees.

Encryption

One of the best ways to protect PII is through encryption; an algorithmic process which transforms readable data into unreadable data and that requires a confidential process/key to make the data readable again. An encryption key is a string of bits used to scramble and unscramble data, essentially unlocking the information and turning it back to readable data.  Continue reading Encryption: Combating the Growing Threat of Data Breaches

Threat Alert: Banking Trojan May Predict Ransomware Attack!

Forensic investigators have recently discovered a banking trojan malware infection could predict an imminent BitPaymer ransomware attack.  This discovery is significant because, in the past, ransomware was typically a standalone attack not associated with another threat.

Background

Trojan malware is malware designed to look like legitimate software so that you allow it (and attackers) into your environment and a banking trojan is a trojan designed specifically to steal your banking credentials (typically while you perform online banking). The attacker then uses the stolen banking credentials to raid your account. Bitpaymer is a well-known ransomware variant that immediately encrypts your data and demands money for unlocking it. The “.locked” extension signifies an infected and locked file.

The New Combined Threat

Recently, forensic investigators at Kivu Consulting have discovered on many occasions that the presence of a banking trojan will indicate a later Bitpaymer ransomware attack. On these occasions, the banking trojan was either Trickbot or Emotet malware and it’s thought that the banking trojan can pulldown ransomware to later infect the environment or that the attacker is manually introducing both malware pieces.

What to Do

  • Run an antivirus scan on your systems for the presence of a banking trojan (e.g. Trickbot or Emotet)
  • Identify, shutdown and take the infected machines off network.
  • Do not log in to infected systems using domain or shared local administrator accounts.
  • Alert the appropriate members of your Incident Response Team.
  • Issue password resets for domain and local credentials.

Long Term Protection Strategies

  • Don’t fall for phishing emails by clicking on a link or attached file (implement social engineering training for employees).
  • Create easily accessible and up-to-date backups.
  • Update (patch) all systems and software.
  • Use up-to-date antivirus software with automatic updates of signatures and software.
  • Use 2FA for any remote access into your environment.
  • Use Group Policy Object to set a Windows Firewall rule to restrict inbound SMB communication between clients.

European Parliament Passes Resolution to Suspend EU-U.S. Privacy Shield

European Parliament has approved the suspension of the EU-U.S. Privacy Shield unless the U.S. fully complies by September 1, 2018. According to European lawmakers, the suspension is primarily in response to the Facebook-Cambridge Analytica data breach.

The EU-U.S. Privacy Shield was  adopted in July 2016 and was designed by the U.S. Department of Commerce and the European Commission (EC) to provide companies with a way to comply with European data protection requirements when transferring personal data to the United States from the European Union.

The EC only allows the export of EU personal data to countries that provide “adequate” protection to the exported personal data. Unfortunately, in the view of the EC, the U.S. does not meet the standard. Consequently, U.S.-based organizations must separately demonstrate compliance with EU data privacy and protection principles and self-certification under the Privacy Shield is one way to show compliance.

Because European Parliament’s resolution is non-binding, the EC can choose to ignore it. However, this is a clear signal that companies relying on the Privacy Shield might want to consider other options should the Privacy Shield go under like its predecessor, the Safe Harbor. Those companies may want to consider, for example, data transfer procedures like binding corporate rules or standard contractual clauses as an alternative to the Privacy Shield.

California’s Sweeping New Privacy Legislation – What You Need to Know!

With the recent passage of the California Consumer Privacy Act of 2018 (CCPA), California continues to be a leader when it comes to protecting the privacy rights of individuals. Many experts agree that the CCPA is the most comprehensive consumer privacy legislation in the United States to date.

Like the new EU privacy regulation GDPR, the CCPA is meant to give consumers more control over their personal information, including:

  • knowing what kind of information is being collected about them;
  • knowing if their information is being sold or disclosed (and to whom);
  • allowing them to restrict the sale of their information; and
  • giving them access to their information.

Most U.S. privacy legislation focuses on specific sectors or privacy issues, but the new CCPA applies broadly to businesses that collect personal information about California consumers and creates significant new consumer privacy rights. That means your business may face new obligations. Here’s what you should know.

Does it apply to you?

The CCPA only applies to companies that conduct business in California and Continue reading California’s Sweeping New Privacy Legislation – What You Need to Know!