I have a long track record with business down situations. When everything failed and no one managed to get the systems up and running again, my phone used to ring and I was expected to come and solve the situation and… I always did. After a while you have seen it all and know where to tackle a specific problem. One thing that was very common then, and sadly still is, is the lack of incident response plans. In at least 40% of the cases a simple incident response plan would have stopped a problem in its tracks and returned it to a simple backup restore solution. Today in 2014 only two-thirds of the companies have incident response plans. In any business down situation those plans are worth their weight in gold. Anyone that has had a visit by me knows that.
Finding hard facts about breaches and statistics is quite often a cumbersome process. For this reason I have added a new keyword, Security metrics, to tag posts where I have identified valuable security metrics.
This is a report from the UK with some interesting facts. 81% of large organisations had a breach during 2013 and the average cost was estimated at £600k – £1.5M for the worst breaches. The median number of breaches for large organisations was 16. Even if the cost for a small breach was substantially lower, it still puts the cost of breaches for a company at a very high figure.
Something to think about when you ask for the budget next year.
Running a small business with an unknown brand is not protection enough against attacks anymore. As soon as you have a web presence you will be scanned and possibly hacked. The reason that small businesses are in scope for attacks now is that they quite often have lower defences and simply are easier to breach. As companies tend to integrate with each other, a foothold at a minor company that integrates with a bigger target could prove to be a great way to get hold of the riches in the otherwise hard to crack large corporation. So investing in cyber security will be important even for smaller companies if they want to conduct business with larger, more secure companies. Read some more insights about small companies here.
Military attacks are quite often interesting from the viewpoint that they will sooner or later find their way into the attacks geared towards different civil companies. I doubt that there is a possible gain to target civil nuclear centrifuges but of course there are other possibilities. Reading this article you get a bit of an insight into how Stuxnet was initially deployed and the first type of attack that was launched. It turned out that a vector of attack was highly specialised contractors that are lousy at cyber security.
With the trend of outsourcing everything and acquiring systems where you depend on a contractor to manage the system you need, you are possibly giving an attacker a foothold.
If you have ever been to Sweden you know that the third Friday in June is Midsummer Eve and all of Sweden goes to celebrate that summer has finally arrived. I'm not an exception here so just a short post today.
If a credit card costs as much as $40 and is resold for $20, $10, $2, $1, $0.1, making it a grand total of $73.1, how much money is there in a hack rendering you a total of 300 000 credit cards with CVV code? Simple enough: $21 930 000. Does anyone still think that credit card theft is a declining business?
There is way too much money in it still.
If you decided to start working with security you have understood by now that you need to read, read and read a lot more than you originally thought. Not everything is about that happy moment when you manage to open up a DOS-prompt and get full root access to a server. Most of the time you try to understand the complexity of an environment and understand where the vulnerabilities are.
One paradigm that has been around for quite a while is the belief that you could protect everything and that you could manage to build a hackproof system. This has finally changed into the notion that you WILL be hacked and that you should focus on protecting what has a value instead of trying to protect everything. Otherwise the cost for security will be too high making it impossible to do business. In conjunction with this every manager should include costs for managing breaches as part of the cost of conducting business on the web. At least for now.
Currently the situation resembles that of trying to conduct business during a war. At any given time enemy troops could come running in through your door and either shoot you or loot your store. Sadly we need to focus on the resilience of our business rather than on protecting it, making sure that it could withstand at least being partly hacked.
One of the more interesting pieces of malware I have encountered is CryptoLocker. As most of you are aware, it exploits people's inability to take and manage backups of their files. When it manages to install itself on a user's computer it encrypts a number of different file types and demands money from the user to decrypt the files again.
CryptoLocker uses an algorithm for creating new domains on a daily basis for the command and control servers. When BitDefender managed to break the algorithm and registered the domains before CryptoLocker did, they found that about 12 000 computers were infected by CryptoLocker and that most of them were in the US.
For some reason the culprits behind this infection have decided to target only US computers, and infected computers outside the US are mostly collateral damage.
So if you are not living in the US you are most likely safe from any infection for now, but this will change when the pay-out rate goes down. Others will create similar malware like CryptoLocker and start targeting on a bigger scale.
If you haven't taken a backup yet, now is a very good time to do it.
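Sinkholing as described above works because a date-seeded generator is deterministic: once the algorithm is known, a defender can precompute the upcoming domains and match them against resolver logs to find infected machines. The following is an added example, not code from the original post or from BitDefender; `toy_dga` is a constructed stand-in and is not CryptoLocker's algorithm, and the three-field log format and all addresses are assumptions.

```python
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")  # constructed list, an assumption

def toy_dga(day, index):
    """Constructed date-seeded generator; NOT CryptoLocker's real algorithm."""
    digest = hashlib.sha256(f"{day.isoformat()}:{index}".encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:14])
    return f"{label}.{TLDS[digest[14] % len(TLDS)]}"

def predicted_domains(start, days, per_day=20):
    """Map each domain the generator will emit in the window to its active day."""
    return {toy_dga(start + timedelta(days=d), i): start + timedelta(days=d)
            for d in range(days) for i in range(per_day)}

def infected_clients(dns_log_lines, predicted):
    """Return {client_ip: {domain: active_day}} for queries to predicted domains."""
    hits = {}
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of failing the whole run
        _, client, qname = parts
        qname = qname.rstrip(".").lower()  # logs mix case and trailing dots
        if qname in predicted:
            hits.setdefault(client, {})[qname] = predicted[qname]
    return hits

def sample_log(day):
    """Constructed resolver log: '<timestamp> <client_ip> <queried_name>'."""
    return [
        f"{day}T08:00:01 10.0.0.5 {toy_dga(day, 3)}",
        f"{day}T08:00:02 10.0.0.7 www.example.com",
        f"{day}T08:00:03 10.0.0.9 {toy_dga(day, 11).upper()}.",
        f"{day}T08:00:04 10.0.0.5 {toy_dga(day + timedelta(days=1), 0)}",
        "truncated-line",
    ]

if __name__ == "__main__":
    start = date(2014, 6, 1)
    window = predicted_domains(start, days=7)
    found = infected_clients(sample_log(start), window)
    for client, domains in sorted(found.items()):
        print(client, sorted(domains))
```

A client that queries tomorrow's domain today, like 10.0.0.5 in the sample, is worth a closer look because it may point to a wrong clock on the host.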
Not all my clients are big international companies with subsidiaries all over the world; on the contrary, quite a number are small to medium companies with a lot less budget to manage security, and hence a lot of my assignments are focused on minimising cost while giving them as much security as possible.
As very few of them have ever experienced a major security incident (hopefully due to my work) they tend to underestimate the risks of ever experiencing a breach. No matter the numbers I produce, I'm typically met with the belief that ‘We are too small to be of interest and have nothing that is valuable.’
That is seldom the case. Even small companies have valuables in one way or another. Most of the time they have some kind of intellectual property that should be protected, but at the very least they have infrastructure that an attacker possibly would like to use for their own interest, either as Bitcoin miners or as a jump station to launch attacks at others, and, to pass the time, check for credit cards, commit some minor fraud with ordering phones to another address and utilise the affected company's accounts for hardware purchases.
Now and then I enjoy reading war stories, especially when they have a more personal touch. I'm no cryptologist so understanding the math behind breaking a crypto is not my cup of tea, but when they point out a flaw I laugh as much as everyone else.
This is a rather fun description of how the Bitcrypt malware's crypto turned out to be flawed and possible to break, to the relief of a father that got all his photos of his kid encrypted.
Just a short post this time. Are you interested in exploit kits and not sure which one to get? Take a look at this page and find out…or just stay informed on the patches you need to mitigate.