According to the CapGemini report, while banks and financial institutions enjoy an extraordinary 83% positive level of trust in the cybersecurity of their systems, just 1 in 5 banking executives surveyed are “highly confident in their ability to detect a breach, let alone defend against it.”
For comparison, e-commerce firms enjoy just a 28% positive level of trust while telecom companies and retailers score a paltry 13%.
The full Capgemini report can be downloaded here.
According to the report authors, trust in an institution’s ability to protect private data and provide a secure environment is a significant factor for 65% of consumers when choosing which bank to do business with.
And yet, while approximately 25% of all financial institutions have reported being the victim of some level of hack, only 3% of consumers believe that their own financial institution has ever been breached. It would seem that there is indeed a “trust halo” being enjoyed by banks that the numbers suggest they do not deserve.
If this halo were to become tarnished, banks could be in trouble. According to the report, 74% of consumers would switch their bank or insurer if they became aware of a breach.
The GDPR regulations set to be introduced next year should drive more transparency and quicker reporting of breaches, and this may result in some tarnished halos.
“When GDPR is introduced and all breaches are likely to be made public soon after they occur, many people will be in for a surprise,” said Zhiwei Jiang, Global Head of Financial Services, Insights & Data at Capgemini. “The introduction of GDPR legislation next year is a prime opportunity for business transformation for banks and insurers to become the digital fortresses consumers believe them to be.”
From financial institutions to university and healthcare organizations, Konsultek builds customized security solutions that protect networks and the data they house. If you are interested in learning exactly how your network may be vulnerable just give us a call and we’ll discuss how we can find your vulnerabilities before they are found by cybercriminals and hackers.
Our partners at proofpoint just released their 3rd Quarter Threat Summary, which you should grab here.
Here is a quick overview, by category, of what’s been trending in the way of information security threats over the past 3 months.
By integrating advanced threat protection from proofpoint, Carbon Black, Forescout and others, Konsultek develops customized security plans for clients in all industries and of all sizes. If you are ready to proactively secure your organization, give us a call to discuss your unique situation.
You would have to be living under some sort of information security rock this week not to have heard about the massive breach at the popular cloud storage service Dropbox.
The breach, at 68,000,000 plus users, is a large one to say the least, and it also means that if you have been a long-time Dropbox user your credentials have been leaked, just as mine were.
Rather than rehash the breach, I thought I would make this post more of a Public Service Announcement aimed at helping our small and medium sized business clients (who often use Dropbox) navigate the breach.
First, you should head over to haveibeenpwned.com and see if in fact you have been pwned. If you are like me and use your primary email for a number of site subscriptions you will likely see a screen like this:
Now, if you are the type of person who uses the same password for multiple accounts (Shame on you! After all, you are reading an information security blog!) you should probably set aside an hour or two and start the arduous process of changing passwords at all of your critical accounts such as banking, financial services, email accounts, website accounts, airline accounts etc.
If you are not a password reuser then this latest Dropbox incident is a relatively minor hassle once you get past the fact that there is a chance that anything that was stored in your Dropbox account has been stolen.
Have you seen this email?
If not, then ostensibly you were not compromised in the breach but my advice would be to follow the steps below anyway!
If so, then you’ll want to log out of your Dropbox account and log back in.
That should elicit this message:
Which will lead to this email message:
Which leads to this:
And Voilà, your password has been changed and your account is secure once more!
Reusing passwords, weak passwords, insufficient prevention technologies, sub-standard detection and response technologies are all important facets of information and network security. And, guess what? These are all facets that Konsultek addresses each time we work with a client.
If you are ready to upgrade your security, give us a call. We are here to help.
In a narrative that could have been lifted from a Tom Clancy novel, reports surfaced this week that an elite hacking group with ties to the NSA had been hacked and a treasure trove of their hacking tools stolen.
According to theHackerNews.com, the elite covert hackers known as the “Equation Group” have been hacked and a portion of their toolkit has been released publicly. Another portion of their most potent tools and exploits is apparently up for sale at auction with an asking price of 1 million Bitcoins!
Source: Washington Post
The hackers, who go by the name “The Shadow Brokers”, had this to say about their stunning hack:
“We follow Equation Group traffic,” says the Shadow Broker. “We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”
While the authenticity of the hack was at first questioned, many security experts, from freelancers to Kaspersky, have examined the publicly leaked materials and have concluded that they are indeed products of the Equation Group.
In an update to the rapidly unfolding story, security expert Matt Suiche spoke with an anonymous source who used to work in the NSA’s TAO (Tailored Access Operations) unit. The credible source indicated that the leaked files were stored on a physically isolated network and that either an inside mistake or purposeful act brought the files into contact with the outside world.
For certain, this story is not over yet and probably won’t be for some time. Will the final plot twists be as interesting as something penned by Clancy? We’ll have to wait and see!
In the meantime, if you have security concerns about your information and network please pick up the phone and speak with one of our operatives, um I mean team members!
In November 2014 we reported on the vibrancy of the underground marketplace for all things hacking related in our post titled RAND Report “Markets for Cybercrime Tools and Stolen Information: Hackers’ Bazaar”.
In this post we’ll be revisiting the topic armed with fresh data and insights from the recently released DELL SecureWorks Underground Hacker Markets 2016 Annual Report, their 3rd installment in the series that was first published in 2013.
One of the most interesting things about the “underground” services market is just how much energy and effort is being expended to make the marketplace a more comfortable and convenient place for shoppers.
DELL SecureWorks found numerous examples of this improved customer experience including:
All of this is good news for those looking to use these criminal services for personal or corporate gain! DDOS attacks, email account hacking, social media hacking and complete legitimate business dossiers (Russian businesses) including bank accounts, tax identification numbers and articles of incorporation can now be procured easier than ever.
While all of this is good news for the criminals it puts legitimate organizations like yours at more risk. Why? Because all markets require buyers and sellers to function and the easier and safer it becomes for buyers to participate, the more demand will increase. As demand increases so does price. And, in order to meet the increased demand and take advantage of elevated prices hackers will be working harder and harder to increase supply.
The DELL report is filled with pricing data for credit cards, personal information, hardware and hacking services. Historical information is not complete but at a glance it appears that prices have been climbing for credit card and personal information as shown below.
Source: DELL SecureWorks Underground Hacker Markets 2016 Annual Report
Here at Konsultek we develop custom security solutions. From education and firewalls to intrusion detection, malware prevention and endpoint detection, we have the experience and technologies to develop the correct solutions for your organization. Give us a call today to begin a dialogue about your unique situation.
“Target didn’t actually miss the alert — the security team had seen so many false positives that they determined this particular notification wasn’t worth looking into. Security appliances are more sensitive than ever to better detect potential threats, but the sharp increase in alerts leaves security teams running ragged.”
Security teams are comprised of humans that are ultimately just as subject to data-overload as any other humans. We’ve all heard the phrase “paralysis by analysis”. Add to this data overload a good helping of “the boy who cried wolf” and you create a situation where your security team is more likely to miss legitimate breach warning signs.
While a cybercriminal’s day job is learning more about your organization and your network than you probably know yourself, they sometimes work from outdated information, or get lazy and probe the inside of a network for generic vulnerabilities that make no sense in your environment.
For example, if you notice that portions of your network are being accessed using a former employee’s credentials, you probably have an issue on your hands! Or, if a current employee’s credentials are suddenly being used to attempt access to areas that the employee has no legitimate need for, you probably have an issue!
On the lazy front, if you see requests for a popular enterprise product such as MS SharePoint and you know your company doesn’t use SharePoint, alarm bells should be sounded!
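One way to turn the three signals above (a former employee’s account still in use, a current employee reaching outside their role, and requests for an application the company does not run) into a check over access logs. This is an added example, not Konsultek’s tooling; the log format, account names, role map and SharePoint URL markers are constructed assumptions.

```python
"""Flag the three access anomalies the post calls out, over constructed log lines."""
import re
from datetime import datetime

# Constructed sample of a simplified web/file-share access log (assumed format):
# <timestamp> user=<account> path=<resource> status=<http status>
SAMPLE_LOG = """\
2016-03-01T08:02:11 user=jsmith path=/finance/payroll status=200
2016-03-01T08:05:42 user=kdoe path=/hr/benefits status=200
2016-03-01T08:07:03 user=kdoe path=/finance/payroll status=403
2016-03-01T08:09:15 user=kdoe path=/finance/payroll status=403
2016-03-01T08:11:30 user=rgone path=/eng/source status=200
2016-03-01T08:12:52 user=svc-scan path=/_layouts/15/start.aspx status=404
2016-03-01T08:13:10 user=svc-scan path=/_vti_bin/lists.asmx status=404
"""

# Constructed reference data the detection needs (all assumptions):
TERMINATED_ACCOUNTS = {"rgone"}      # former employees whose accounts should be disabled
ROLE_OF = {"jsmith": "finance", "kdoe": "hr", "svc-scan": "service"}
ALLOWED_PREFIXES = {"finance": ("/finance/",), "hr": ("/hr/",), "service": ("/",)}
DEPLOYED_APPS = {"exchange", "jira"}  # SharePoint is deliberately absent
# URL fragments that only a SharePoint deployment would serve
SHAREPOINT_MARKERS = ("/_layouts/", "/_vti_bin/")

LINE_RE = re.compile(r"^(\S+) user=(\S+) path=(\S+) status=(\d{3})$")


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, path, status = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "path": path, "status": int(status)}


def flag_events(log_text, terminated=TERMINATED_ACCOUNTS, roles=ROLE_OF,
                allowed=ALLOWED_PREFIXES, deployed=DEPLOYED_APPS):
    """Return (signal, user, path) tuples for the lines a human should look at."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        user, path = ev["user"], ev["path"]
        # 1. A terminated employee's credentials are still being used.
        if user in terminated:
            findings.append(("terminated_account_used", user, path))
        # 2. A current employee reaches (or tries to reach) outside their role's area;
        #    denied attempts (403) count too, since the attempt itself is the signal.
        role = roles.get(user)
        if role and not path.startswith(allowed.get(role, ())):
            findings.append(("out_of_role_access", user, path))
        # 3. Requests for an application the company does not run at all.
        if "sharepoint" not in deployed and any(m in path for m in SHAREPOINT_MARKERS):
            findings.append(("unused_app_probe", user, path))
    return findings
```

On the constructed sample this yields five findings: two out-of-role attempts by kdoe, one use of the terminated rgone account, and two SharePoint probes from svc-scan.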
As we have discussed here on the blog many times, the best security technologies in the world can be compromised by employees in just 1 mouse click. The rise in social engineering exploits we documented here is a reflection of the success cybercriminals are having duping members of your organization into clicking links, downloading attachments or visiting malicious websites.
Awareness education can go a long way toward helping your security team protect your network.
There you have it. 3 pretty simple concepts that, if addressed, can help keep your network and your data secure. At Konsultek we build custom security solutions that address these concepts and many more to keep networks and information safe. So go ahead and give us a call to begin a friendly and informative discussion about your security situation.
Uber has had its share of bad publicity in recent months but last week they got a bit more bad news when the New York state Attorney General fined them $20,000 for failing to report a data breach that released the personal information of customers.
The $20,000 fine is hardly notable in terms of dollar value, but it apparently served as enough of a wake-up call to prompt Uber to evaluate their information security and begin making changes.
According to an article on CRM-Daily.com, Uber collects and stores sufficient personally identifiable information on its app users to put their identities at risk.
Back in November of 2014 (what seems like a lifetime ago for Uber news!), Eric Schneiderman began investigating Uber when it was disclosed that app users’ personal information was being displayed in a virtual aerial view that is referred to internally at Uber as “God’s View”.
Then, last spring Uber came clean with officials stating that “an unauthorized third-party” had accessed personal information including names and driver’s license numbers as far back as September of 2014.
“This settlement protects the personal information of Uber riders from potential abuse by company executives and staff, including the real-time locations of riders in an Uber vehicle,” said Schneiderman. “We are committed to protecting the privacy of consumers and customers of any product in New York State, as well as that of employees of any company operating here. I strongly encourage all technology companies to regularly review and amend their own policies and procedures to better protect their customers’ and employees’ private information.”
According to Informationweek.com Uber has agreed to make changes to the way personal information is handled within the organization and its network. For example, location data will now be kept in a password-protected system and data in transit will be encrypted. Location data will also be limited to employees with legitimate business needs.
As regulatory and law enforcement agencies begin to better understand the best practices available to organizations with regard to protecting personally identifiable data, we can expect to see more frequent and heavier fines being levied against organizations that fail to apply sufficient safeguards.
At Konsultek, our business process savvy combines with over 20 years of information and network security to develop custom solutions for organizations of all sizes and across a myriad of industries. If you don’t want to be taken for a ride when it comes to your organization’s security, just give us a call.
Verizon’s debut report on PHI (Personal Health Information) breaches is full of data, analysis and commentary on one of the most sensitive areas of information security.
To say that A LOT of PHI has been compromised in the past decade would be a serious understatement. According to the data compiled by Verizon, half of the people in the United States have had their PHI impacted by breaches since the first quarter of 2009!
And while you couldn’t be faulted for assuming that organizations in the healthcare industry are primarily responsible for the loss of PHI, you would be taking a myopic view as there are plenty of other industries responsible for the loss of PHI as the graphic below indicates.
Additionally, while you would be forgiven for thinking that most of the data loss comes in the form of mega-breaches at huge organizations, it turns out that PHI loss is not strongly correlated to organization size.
While the majority of bad actors are external to the organization experiencing the loss, a fair amount of loss can be attributed to those internal to the organization. To put a finer point on it, Verizon further breaks down their “actor” data into different types of organizations which shows some really interesting things.
For example, in the world of ambulatory healthcare services, the external predators are having a feeding frenzy. Encryption, it would seem, would be one way to stem this type of loss. Contrast this with hospitals, which experience the largest losses from internal sources (including both error and malicious losses), where access control solutions would appear to be a likely part of any solution.
While hacking always seems to grab the headlines, it comes in 4th place in the PHI Loss Vector pageant. Physical loss (think stolen laptops, drives and devices, not paper files) remains the clear winner. Error and misuse take the silver and bronze medals. Of course, as shown in the graphic above, there are considerable differences across the different types of healthcare providers.
Verizon sums all of this up into 1 graphic they describe as “The Nefarious Nine” incident patterns (which incidentally would make a great title for Quentin Tarantino’s next film).
The Nefarious Nine which account for a full 93% of all PHI incidents can be further reduced to the Terrible Triplets since the top 3 incident patterns account for an astounding 85% of all PHI incidents!
While the Nefarious Nine indicate a strong commonality to incident pathways it should also be clear that by the time you factor in actors, vectors and which area of healthcare your organization resides (hospital vs. ambulatory care for example) your PHI security plan will end up being unique.
And this means that no “off the shelf” solution will adequately address your particular situation. And that is where Konsultek comes in. Our customized, process driven security engineering solutions begin with your end goals in mind. Ready to take your PHI security to the next level? Just pick up the phone and give us a ring.
Back in September Standard & Poor’s issued a warning to the global banking industry that said a downgrade could be issued following an information security breach that resulted in significant reputational, monetary or legal damages. At the same time Joseph Marinucci, S&P’s senior director of insurance ratings, told Information Security Media Group that a similar assessment was underway in the healthcare arena.
“An emergent risk for the health sector relates to cyberattacks – data breaches that have escalated during the past few years in connection with the rise in the value of medical data,” he said. “Thus far, credit implications have been muted for U.S. health insurers. But the emergent risk has contributed to the growing list of operational challenges, which could result in diluted brand strength and greater earnings volatility in the absence of more robust countermeasures.”
“Moody’s views material cyber threats in a similar vein as other extraordinary event risks, such as a natural disaster, with any subsequent credit impact depending on the duration and severity of the event,” according to a new report from Moody’s Investors Service. As the threat of cyberattacks continues to rise across all sectors, “the implications could start taking a higher priority in credit analysis,” the credit ratings company says.
“We do not explicitly incorporate the risk of cyberattacks into our credit analysis as a principal ratings driver,” the report notes. “But across all sectors, our fundamental credit analysis incorporates numerous stress-testing scenarios, and a cyber event, like other event risks, could be the trigger for those stress scenarios. A successful cyber event’s severity and duration will be key to determining any credit impact.”
The recognition of cyber threats as potential large scale risks by the key global credit rating agencies is a natural and logical evolution that reflects the ever growing role that technology and information are playing in virtually all industries.
Beyond the healthcare and banking/financial sectors, both ratings agencies point out that companies and organizations involved in the nation’s critical infrastructure are also likely to have their credit impacted by cyberattacks. These could include power generation and distribution, water and sewer as well as oil and gas distribution.
As cyber threats become more widely recognized as potential disruptions to reputations and earnings, you may find yourself wondering what you can do to protect your organization. Well, wonder no more! Simply pick up the phone and give Konsultek a call. We’re always ready to talk security and see what solutions will work best for your particular situation.