Tag Archives: cyber risk management

Cyber Liability: Managing Password Threats

Posted on October 29, 2013 by Marijana Dabic

Organizations trust passwords to protect valuable assets such as data, systems and networks. Passwords are versatile—they authenticate users of operating systems (OS) and applications such as email, labour recording and remote access, and they guard sensitive information like compressed files, cryptographic keys and encrypted hard drives.

Because passwords protect such valuable data, they are often a prime target of hackers and thieves. Although no method of password protection is 100 per cent effective, it is still important to understand and mitigate threats to password security so you can protect your company and its assets.

Types of Password Threats

Implementing security measures starts with anticipating security threats. There are four main ways that attackers attempt to obtain passwords: capturing passwords, guessing or cracking passwords, replacing passwords and using compromised passwords.

1. Password Capturing

An attacker can capture a password through password storage, password transmission or user knowledge and behaviour. OS and application passwords are stored on network hosts (a computer connected to a network) and used for identification. If the stored passwords are not secured properly, attackers with physical access to a network host may be able to gain access to the passwords. Never store passwords without additional controls to protect them. Security controls include:

Encrypting files that contain passwords
Restricting access to files that contain passwords using OS access control features
Storing one-way cryptographic hashes for passwords instead of storing the passwords themselves

Hashes are the end result of putting data, like passwords, through an algorithm that changes the form of the original information into something different. For example, the password ‘default’ could be mapped as an integer such as 15. Only the network host knows that 15 stands for the password ‘default’. Read more >>

2.9 million Adobe customers affected by cyber-attack

Posted on October 17, 2013 by Marijana Dabic

The cyber attack on Adobe is just another example in a wave of global attacks targeting personal and business financial data.

Adobe, the software company behind Acrobat, Photoshop and InDesign has experienced a data breach, potentially compromising the data of 2.9 million customers, including customer names, encrypted credit or debit card numbers, expiration dates, and other information relating to customer orders.

“Our investigation currently indicates that the attackers accessed Adobe customer IDs and encrypted passwords on our systems,” said Brad Arkin, Adobe chief security officer in a Customer Security Announcement on October 3^rd.

Adobe has reset passwords on customers’ accounts and recommended that customers change their passwords on any other website where they may have used the same user ID and password. The company has alerted the banks processing customer payments, as well as federal law enforcement.

Adobe also said it would give affected customers the option of enrolling in a one-year complimentary credit monitoring membership where available.

What’s the threat?

According to Brian Krebs, of the KrebsonSecurity blog, the threat is that the Adobe hackers could have hidden zero-day exploit code within a PDF document, or Flash animations, to create weaponised content. They would then use a spear-phishing email to deliver the weaponised content to the targeted user. “When the user opens the attachment or watches the animation, the exploit code exploits the vulnerability to silently download malware on the user’s machine. The user isn’t aware that this download has happened. But this malware, often a Remote Access Trojan (RAT), enables the attacker to access sensitive data or even gain full control over the user’s machine” explains Krebs.

Lessons Learned

These breaches underscore the importance of organizations continuously monitoring their systems for suspicious changes and unknown programs on their systems, as well as providing their employees with security awareness training.

Once the breach happens, it is imperative that a business continuity plan be executed in a timely manner and that the proper communication be established with the public.

Please feel free to contact ABEX and WatSec for more information on how you can effectively manage your cyber risks.

Cyber Threats Top Concern over Other Business Risks

Posted on September 30, 2013 by Marijana Dabic

A survey of perceptions about cyber risk, released by AIG earlier this year, found that corporate executives are more concerned about cyber threats than about other major business risks.

Survey Results

More than 85% of the 258 executives surveyed said they were very or somewhat concerned about cyber risks to their organizations, compared with the group’s response to six other areas of risk, including income loss (82%), property damage (80%), and securities and investment risk (76%).

AIG noted that 80% of executives and insurance brokers said they find it difficult to keep pace with changing cyber threats.

Other Findings from the Survey

More than two out of three (69%) executives and brokers believe that the reputational risk from a cyber attack is far greater to a company than the financial risk.

In addition, the survey found that:

More than seven in ten (75%) executives and brokers say legal compliance issues are making companies think more about cyber risks
The vast majority of insurance brokers and executives (82%) believe hackers are the primary source of cyber threats, though a significant portion of those surveyed (71%) also perceive human error as a significant component of cyber risk

Why is this important?

Your company, your clients, and your business partners are depending on you to ensure that cyber risk is being addressed properly. With a comprehensive and strategic approach to cyber risk management, you will accomplish this without breaking the bank.

Cybercriminals Ruin Escrow Firm and Cause Job Losses

Posted on September 16, 2013 by Marijana Dabic

Efficient Services Escrow Group of Irvine, California, was subjected to a $1.5 million Cyber heist that caused it to go out of business and lay off all 9 of its employees. Escrow companies are responsible for safeguarding funds, and if escrowed funds are at risk, the state regulator has the right to step in and protect those escrowed funds.

What went wrong?

Between December 2012 and January 2013, Efficient Services was hit with three separate fraudulent wire service transfers. These were from the company’s bank, First Foundation of Irvine, CA, to bank accounts in Russia and China. The first $432,215 that left Efficient Services’ account on Dec. 17 was recovered from Russia, but two other wires totaling over $1.1 million, which were sent to China on Jan. 24 and Jan. 30, were not recovered.

Efficient Services reported its losses to the California Department of Corporations on February 22, which launched an investigation. On Feb. 28, The Department of Corporations froze the escrow company’s activity and noted that the company had previously had instances of negligent bookkeeping and record-keeping practices.

According to former Washington Post reporter and now fraud blogger Brian Krebs, who first reported the Efficient Services incident on Aug. 13, the bank initially thought the losses resulted from embezzlement, not an account hack.

Why is this important?

Since then, a state investigation determined that a cyber theft was to blame for the losses. The cause of the incident was a remote access Trojan virus that was planted in Efficient Services’ systems. Nonetheless, the escrow company, unable to make up for its losses, has closed.

This incident now stands as one of the largest account takeover cases on record, eclipsed only by the June 2010 Global Title Services theft, which resulted in $2 million in fraudulent transfers and just over $200,000 in unrecovered losses.

Lessons Learned

In a case like this it is hard to determine whether the responsibility lies with the company or the bank. No litigation has been filed yet, but a civil suit may be filed in order to resolve the issue of responsibility for this case. Regardless, the fact remains that a cyber security breach has caused the company to close its doors and terminate jobs.

This cyber attack killed a viable business that was on its way to clear half a million in profits in 2014 and a million the year after.

Cyber Security for Small Businesses

Posted on July 2, 2013 by Marijana Dabic

High-profile cyber attacks and data breaches at Sony, Honda Canada and HRSDC have raised awareness of the growing threat of cyber crime—but recent surveys conducted by Symantec suggest that many small business owners are still operating under a false sense of cyber security.

Don’t Equate Small with Safe

The statistics are grim: The majority of Canadian small businesses lack a formal Internet security policy for employees, and only about half have even rudimentary cyber security measures in place. Despite significant cyber security exposures, 50 per cent of small business owners believe their company is safe from hackers, viruses, malware or a data breach. This disconnect is largely due to the widespread, albeit mistaken, belief that small businesses are unlikely targets for cyber attacks. In reality, data thieves are simply looking for the path of least resistance. Symantec’s study found that 40 per cent of attacks are against organizations with fewer than 500 employees.

Hackers and data thieves aren’t the only threats. Smaller companies often boast of an almost family-like work environment and have a tendency to put a lot of trust in their employees. This can lead to complacency when it comes to data security, which is exactly what a disgruntled or recently fired employee needs to execute an attack on the business. Read more >>