SpearTip’s blog provides insight and information about cyber security and counterintelligence related news and events that are of strategic importance to leadership within these sectors.
SpearTip, LLC is a world-class cyber security and counterintelligence firm. We offer incident response, malware detection, managed security services (MSSP), penetration testing, enterprise risk management, zero-day malware analysis, gap analysis and digital forensics services throughout the US and in select foreign countries.
Cybercrime has quickly become the single greatest threat to most businesses, with damages projected to top $6 trillion by 2021, just three short years away. Directors need to prioritize cybersecurity and make the topic a substantive issue during all conversations. The following questions are essential for Directors of all organizations, large and small, in order to better understand the cybersecurity landscape.
Should cybersecurity require full Board oversight, considering it is truly a business issue?
At SpearTip, our answer is always a resounding “yes.” However, the issue comes down to your Board’s structure and comfort level with evaluating cybersecurity and all it entails. Should the entire Board choose not to oversee cyber risk, then at least guarantee the committee responsible delivers regular, comprehensive reports to the whole Board at every opportunity. Additionally, the audit committee for most Boards is commonly overloaded. Consider creating a new committee for cyber risk, composed of Members with the most relevant experience.
Who should be a part of the cybersecurity discussion?
Getting the right information begins with getting the right people in the room. The CEO and CFO are givens, as are the organization’s business, technology and risk management leaders.
The CISO should play a critical role and be made to feel comfortable enough to candidly discuss shortcomings and risk factors, as well as successes and current measures being taken. In most organizations, the CISO is responsible for only information technology and not operational technology (OT), which leaves a critical gap.
Whoever oversees OT also needs to be included in all discussions to ensure that the full range of cybersecurity measures is being addressed.
How can Directors improve their cybersecurity knowledge?
The cybersecurity landscape is changing by the minute, so you should never stop expanding your knowledge base. Consider the following activities to keep from falling behind:
- Hold in-depth internal discussions about how cyber risk is being addressed. Topics should include: organizational cybersecurity strategy, the types of threats you are facing now and anticipate facing in the near future, and what’s being done to protect your organization’s “crown jewels.”
- Engage law enforcement, such as the FBI and other cyber security experts, to present common vulnerabilities, growing attack trends and the overall threat environment. Use this information for updating and shaping cyber risk management practices and procedures at all levels of your organization.
- Attend external programs and conferences focused on cyber risk, as well as connecting with industry peers and professional groups, for best practices that can be shared across company lines.
How can our Board understand if we’re adequately prepared for a breach?
Preparedness for a cyber breach is essential if you are to survive an attack. Ask management to present your organization’s incident response and crisis management plan on a regular basis and demand updates, upgrades and modifications with every report.
If there’s no plan in place, call for management to deliver a timeline with full program development and testing deliverables. Should you have no plan, you’re placing your entire organization, your vendors and your customers in a position of extreme and unnecessary risk.
Be sure to conduct a comprehensive pre-breach assessment to determine if you are currently breached and have yet to discover the problem.
Also, be sure to include breach notification and escalation procedures in your plan, along with Board and regulatory notification timelines, and a thorough strategy for informing stakeholders and individuals whose information may have been compromised.
Lastly, have management participate in Table Top testing exercises with external technical and legal teams to provide a more thorough understanding of how management, and the organization as a whole, will respond to a cyber crisis.
The Securities and Exchange Commission recently released its 2018 Guidance on Public Company Cybersecurity Disclosures, which targets two new areas of concern: Cybersecurity policies and procedures, and insider trading prohibitions, specifically those revolving around cyber breach notifications to the public. The role of accounting and the CFO will be critical in assuring guidelines are met and that public companies stay compliant.
The last major SEC guidance on Cybersecurity was 7 years ago. What has changed and is there a new focus?
The SEC seems focused on greater accountability and more proactive procedures and processes. The laser focus will be on the C-Suite, the Board of Directors and the Audit Committee.
This new guidance narrows its emphasis on the establishment of comprehensive policies and procedures, as well as a management directive for proactive evaluations of these policies and procedures. Per the SEC, in the event of a breach there must be an established protocol for the disclosure of relevant information to internal stakeholders, investors, analysts, and the public at large. The goal is to bring together a team of internal and external experts to analyze and evaluate the right information the right way, then communicate it effectively across all channels.
What kind of Cybersecurity policies and procedures should we consider in order to comply with SEC guidelines?
Cybersecurity must now be a critical part of your company’s overall risk management program, not an afterthought or a standalone. The threat level is simply too great in today’s business environment. You can’t be complacent. Not only do new regulations call for direct policies and procedures, they call for comprehensive processes, controls, and continuous evaluation, to help management not only identify risks but appropriately mitigate them. Engaging third-party resources, such as SpearTip, in table top exercises, real-time “war games,” and cybersecurity monitoring services should be part of your plan to meet SEC expectations.
What’s all the talk of insider trading with the new SEC stance?
Because stock prices can tumble massively following a breach, there’s a spotlight on insiders to keep them from acting on their own behalf before a public disclosure.
The SEC is pushing for rigid enforcement of a stricter set of rules concerning use of material non-public information.
It’s critical for company management to implement additional policies, procedures, checks, balances, processes, and controls to stop company executives and insiders from exploiting confidential inside information with regard to cybersecurity, and trade on securities using this information before the public is aware of the situation.
Is there a specific emphasis concerning insider trading that we should address immediately?
Yes. Without question. The new directive clearly points not only toward accountability, but enforcement. Should management become aware of material cybersecurity risks, breaches or other incidents that have taken place within the organization, responsibility is now placed squarely upon their shoulders.
Directors, C-suite executives and the executive management team must thoroughly evaluate the effectiveness and viability of your company’s code of conduct, code of ethics, cyber defensive posture, and insider trading policies to prevent and deter trading based upon sensitive, non-public information to which only your highest ranking officials will have access.
What’s the most important takeaway we can glean from this SEC action?
From our interpretation at SpearTip, the SEC wants assurances that management has a full and complete understanding of your company’s cybersecurity framework, the procedures and controls you’ve put in place, and your ongoing testing and evaluation as to how effective your controls truly are.
We highly recommend engaging a third party cybersecurity firm to assist in the process; one who would participate as an unbiased, impartial, neutral party, who can advise, assist and inform management and add an arm’s length level of security, which will demonstrate your commitment to cyber risk management and reflect favorably upon you in the event of a breach or intrusion.
Check out SpearTip’s CEO, Jarrett Kolthoff’s interview with the St. Louis Business Journal as he addresses changing cyber regulations and how they will affect your organization.
Could cyber security legislation put my business at financial risk?
Will there be increased accountability for Executives and Directors?
Will legislation address B-to-B issues as well as consumer?
Are there any industries you see at significant risk?
The end of the year is a valuable time to clean up bad cyber habits. With a new year comes new opportunities for both you, and the bad guys. Bad guys prey on ignorance to compromise your identity and assets. I frequently hear, “I’m not worth a whole lot so bad guys aren’t going to waste time trying to compromise me,” or “there’s nothing in my bank accounts so I’m not a target.”
Consider this – in most cases, the content of your bank account is irrelevant to the hacker, because the original hacker is only after your account information, which is then sold to a third party on the dark net. The average credit/debit card is worth about 25 dollars on the cyber black market. This is why you see “skimmers” being used at retail locations and gas stations. Each time a consumer swipes a card at a terminal with a hidden skimmer, the bad guy pockets 25 bucks, regardless of who owns the card or their current wealth.
There are many easy steps that can be taken to better protect yourself from cybercrime on and off the internet. First and foremost: good password hygiene. Having a password of at least 10 characters that uses at least 2 upper-case and 2 lower-case letters, as well as a special character, drastically lowers an adversary’s ability to break your password. Think of it this way: if I was tasked with trying to guess a co-worker’s password, and the co-worker’s password was 123456, it may be a quick day at the office. However, if that co-worker’s password was 9ijhB&^72A, I’m in for a long night. A hacker’s password-cracking program works in exactly the same manner. If a password is short and typical, such as password1, the hacker’s computer will guess it correctly in a matter of minutes. If the password is 9ijhB&^72A, the hacker would give up long before the program came close to guessing the correct sequence. In addition, use a different password for each website you visit, especially sites holding sensitive information such as online banking or social media accounts. This way, if one site’s credentials are compromised, the attacker doesn’t gain access to all the other sites that would otherwise share the same credentials.
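To make the difference between 123456, password1 and 9ijhB&^72A concrete, here is an added example (not code from the original post or from SpearTip) that checks a candidate password against the policy described above, works out the size of the search space an attacker would have to exhaust, and estimates the worst-case guessing time at an assumed rate. The guess rate of 10 billion guesses per second and the short list of common passwords are constructed assumptions for illustration, not measured figures.

```python
import string

# Constructed illustration list; a real check would use a large breached-password set.
COMMON_PASSWORDS = {"123456", "password", "password1", "qwerty", "letmein"}

# Character classes and the size of each alphabet.
CHARSETS = (
    ("lower", set(string.ascii_lowercase)),    # 26
    ("upper", set(string.ascii_uppercase)),    # 26
    ("digit", set(string.digits)),             # 10
    ("special", set(string.punctuation)),      # 32
)


def character_classes(password):
    """Return the classes the password draws from, mapped to their alphabet sizes."""
    return {name: len(chars) for name, chars in CHARSETS if any(c in chars for c in password)}


def keyspace(password):
    """Number of candidates a brute-force attacker must try if it knows only
    the length and the character classes in use."""
    alphabet = sum(character_classes(password).values())
    return alphabet ** len(password)


def meets_policy(password):
    """The policy from the post: at least 10 characters, at least two upper-case
    and two lower-case letters, and at least one special character."""
    upper = sum(c.isupper() for c in password)
    lower = sum(c.islower() for c in password)
    special = sum(c in string.punctuation for c in password)
    return len(password) >= 10 and upper >= 2 and lower >= 2 and special >= 1


def crack_time_seconds(password, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace at an assumed (hypothetical) guess rate.
    A password on the common list is found in the first few guesses, so it gets 0."""
    if password in COMMON_PASSWORDS:
        return 0.0
    return keyspace(password) / guesses_per_second


def assess(password):
    """Bundle the checks a password-policy reviewer would want to see."""
    return {
        "common": password in COMMON_PASSWORDS,
        "classes": character_classes(password),
        "keyspace": keyspace(password),
        "meets_policy": meets_policy(password),
        "worst_case_seconds": crack_time_seconds(password),
    }


if __name__ == "__main__":
    for candidate in ("123456", "password1", "9ijhB&^72A"):
        result = assess(candidate)
        years = result["worst_case_seconds"] / (365 * 24 * 3600)
        print(f"{candidate:12} policy={result['meets_policy']!s:5} "
              f"keyspace={result['keyspace']:.2e} worst-case={years:.2e} years")
```

The keyspace figure is the point of the exercise: 123456 and password1 are on every wordlist, so they are found in the first moments of an attack regardless of the arithmetic, while a 10-character password mixing all four classes sits in a space of 94^10 candidates that is out of reach at the assumed rate. Reuse is the other half of the advice in the post, and no strength check can detect that; only using a distinct password per site addresses it.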
The internet, however, is not the only place you can unknowingly give up your identity or bank account information. Every time you swipe a credit/debit card, you hand your data to the vendor, hoping that they have the means and infrastructure in place to keep your information safe. As we’ve seen with Target and The Home Depot, assuming an organization is secure based on its size is a recipe for identity theft. So the question isn’t “should I never swipe a card again?” so much as “which card should I be swiping?”
If you can navigate the temptations of the almighty credit card, it is your safest option. When using a debit card as your everyday method of payment, you are accepting the risk of losing the entire contents of the bank accounts tied to that card. In other words, when you swipe with your debit card, whatever amount is in all accounts tied to that card (i.e., checking, savings, IRAs) is the full combined amount you are liable for in the event that the card is compromised. With a credit card, however, limitations of liability are attached, usually around 500 dollars, and that is the amount you are responsible for in the event of a breach. Banks and other financial institutions are getting better and better about not holding their members liable for these fraudulent activities; however, you can limit your liability simply by switching to a credit card as your go-to card for everyday swiping.
Around 90% of compromises are initiated through users’ ignorance of cyber best practices. In most cases, if it feels like a scam, it’s probably a scam. Fellas, no, the Victoria’s Secret model on Tinder did not come across your profile and decide she wants to immediately chat with you on this other website link that you need to click on, and ladies, unfortunately no, you did not win the purse shopping spree that this email claims you won, even though you never entered a contest and it only needs your Social Security number to process your winnings. Instead, if it feels like a scam or might be too good to be true, consult with an information security expert who can diagnose the contact as legitimate or spam. If you don’t know one, I’m happy to help!
Nearly every day I’m asked whether an impressive firewall configuration is enough to prevent malware from entering a company’s environment, or I overhear someone’s overconfidence in their own security architecture. Unfortunately, no matter how many rules you write or ports you close, relying on firewalls as your go-to defense against your organization’s cyber adversaries is a recipe for ransomware!
To answer this question, it is important to first consider the purpose of these security elements in your security architecture and environment. A firewall serves an advantageous and necessary purpose for your organization, and should be managed properly and frequently. However, really understanding the firewall’s purpose will help you to understand your weaknesses. Whether it protects the network or a single host, the firewall has one job: only allow safe traffic in and out, where “safe” is whatever your IT team has defined it to be.
This opens up a few problems for an organization and a few opportunities for the bad guys. If your organization doesn’t have a dedicated IT security team, it can be difficult for the network admin alone to focus on current threats and organizational vulnerabilities. Without this constant intelligence gathering, bad guys are going to take advantage of new access techniques and neglected vulnerabilities, which grant them access through the firewall and onto the host system. In addition, you can write as many firewall rules as you want; any security professional will tell you that your company’s biggest vulnerability is your users, and users who are ignorant of cyber hygiene best practices frequently and unknowingly invite bad guys in, bypassing the firewall.
This gets the bad guy onto your host, where the antivirus or host-based IPS is supposed to kick in. Unfortunately, again, unless the exploit is old enough that the antivirus vendors have had time to write a patch against the threat, and your team then follows good patch management practices and applies the patch to each of your systems, your hosts will not recognize the infection (as in the Equifax breach). This puts your entire enterprise at risk and possibly spreads the infection across the network, because you have no other security measures in place to protect against the most critical exploit: zero-day malware.
A decently talented hacker can find his way through your firewalls and avoid antivirus detection with little effort. However, once on the system, the activity is still detectable, but it requires a much more advanced detection and mitigation system. To catch malicious activity in its infancy on the network, every host and operating system in the environment needs active memory sensors looking for activities such as PowerShell commands launched from a Word document, sensors that can cut the transmission and report the activity to a qualified team of engineers who can diagnose the infection and eradicate the exploit. Unfortunately, a team with this skill set is difficult to find and, more importantly, often cost prohibitive.
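The “PowerShell launched from a Word document” pattern mentioned above is one of the simplest host-level detections to write down, because it is a parent/child relationship rather than a signature for any particular malware. The following is an added example (not code from the original post or from SpearTip) that runs that rule over a handful of constructed process-creation events. The pipe-delimited event format, the hostnames and the command lines are assumptions made for the example; a real deployment would read the equivalent fields from the endpoint sensor or event log in use.

```python
import ntpath

# Office applications that should never be the parent of a script interpreter in normal use.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script and command hosts that are the usual second stage after a malicious document.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed process-creation events in a hypothetical format:
#   timestamp|host|parent_image|image|command_line
# Command lines are elided; only the parent/child relationship matters to this rule.
SAMPLE_EVENTS = [
    r"2018-01-05T09:12:01Z|WS-17|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe <elided>",
    r"2018-01-05T09:12:05Z|WS-17|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|WINWORD.EXE /n quarterly.docx",
    r"2018-01-05T09:13:40Z|WS-22|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File backup.ps1",
    r"2018-01-05T09:14:02Z|WS-09|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c <elided>",
    r"2018-01-05T09:15:11Z|WS-09|C:\Windows\System32\services.exe|C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs",
]


def parse_event(line):
    """Split one event into its fields; image names are normalised to a lower-case basename
    so that path and capitalisation differences do not defeat the rule."""
    timestamp, host, parent_image, image, command_line = line.split("|", 4)
    return {
        "timestamp": timestamp,
        "host": host,
        "parent": ntpath.basename(parent_image).lower(),
        "child": ntpath.basename(image).lower(),
        "command_line": command_line,
    }


def office_spawned_script_host(event):
    """The rule itself: an Office application is the direct parent of a script host."""
    return event["parent"] in OFFICE_APPS and event["child"] in SCRIPT_HOSTS


def detect(lines):
    """Run the rule over raw event lines and return one alert per match."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        if office_spawned_script_host(event):
            alerts.append({
                "rule": "office-spawned-script-host",
                "timestamp": event["timestamp"],
                "host": event["host"],
                "parent": event["parent"],
                "child": event["child"],
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['timestamp']} {alert['host']}: {alert['parent']} -> {alert['child']} [{alert['rule']}]")
```

Run against the sample, the rule fires twice (WINWORD.EXE spawning powershell.exe on WS-17 and EXCEL.EXE spawning cmd.exe on WS-09) and stays quiet for the administrator's backup script launched from explorer.exe, which is the behavioural distinction the post is drawing: the firewall and antivirus both let the document through, but the process tree on the host still gives it away. In practice the rule is a starting point; the alert would be routed to the engineers the post describes, and a short allow-list of known document-driven automation keeps it from paging on legitimate macros.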
If your organization has or hosts client and/or employee personally identifiable information (PII), or falls under one of the many heavily governed compliance standards such as HIPAA or Sarbanes-Oxley, you are a constant target, and keeping your information secure is imperative to the success of your company. I encourage each of my Information Officer friends to ask their team, “What is our plan for zero-day risks such as new ransomware, and what is our incident response plan for such an event?” If you get back the same blank stare or shoulder shrug I normally see when I ask teams that question, you’re at risk, and I’d be happy to help!