NIST Releases Draft Report for IoT Cybersecurity Standards. The National Institute of Standards and Technology (NIST) released a draft report that aims to provide adequate Internet-of-Things (IoT) international #cybersecurity standards for federal agencies and private industry to adhere to. NIST is seeking public feedback on the draft through April 18th.

NIST Working on Global IoT Cybersecurity Standards

SecurityWeek | By Kevin Townsend

NIST is Working Towards International Cybersecurity Standards for the Internet of Things With Draft Interagency Report (NISTIR) 8200

The Internet of Things (IoT) is here and growing. It has the potential to facilitate or obstruct the further evolution of the Fourth Industrial Revolution; largely depending upon whether it is used or abused. Its abusers will be the same criminal and aggressor state actors that currently abuse information systems. But while there are standards and frameworks for defending information networks against aggressors, there are no adequate international standards for securing the internet of things. In April 2017, the Interagency International Cybersecurity Standardization Working Group (IICS WG) — established by the National Security Council’s Cyber Interagency Policy Committee (NSC Cyber IPC) — set up an Internet of Things (IoT) Task Group to determine the current state of international cybersecurity standards development for IoT.

NIST has now published the draft NISTIR document: The Status of International Cybersecurity Standardization for IoT. It is intended to assist the member agencies of the IICS WG Task Group “in their standards planning and to help to coordinate U.S. government participation in international cybersecurity standardization for IoT.” NIST is seeking feedback, especially on the information about the state of cybersecurity standardization for IoT, at NISTIR-8200@nist.gov by April 18. The scope of securing the IoT is a mammoth task. To aid the understanding of this scope, NIST describes the IoT in five separate functional areas: connected vehicles; consumer IoT; health and medical devices; smart buildings, and smart manufacturing (including ICS). There are nuanced differences between securing these functional areas and traditional cyber security. While security has traditionally prioritized confidentiality, integrity and availability (CIA) in that order of priority, for the most part ‘availability’ is the priority for IoT devices.

Consumer IoT is one area that may be different, with the traditional need for confidentiality (as in privacy) still dominant. Patient privacy is also a consideration for medical devices. But, “In addition to data privacy and patient safety”, comments Jun Du, Senior Director and Architect at ZingBox, “we must also put a heavy focus on ensuring uninterrupted service of medical devices. A cyber-attack can bring down the entire hospital by disrupting their service delivery, putting patient lives at risk.” This is the fundamental difference between traditional information security and IoT security — it is closer to OT than to IT. “The objectives of confidentiality, integrity and availability altogether focus on information security rather than IoT security,” adds Du. “When it comes to IoT security, availability of the device is more relevant to business operations than just the security of information. We should focus on availability first, then look at confidentiality and integrity.”

Even in consumer IoT, there is an operational element. Many of the threat vectors are similar between IoT and information networks, but the effects of a successful attack could be more dramatic. The biggest problem for IoT devices, comments Drew Koenig, security solutions architect at Magenic, “are IoT devices that limit or prevent updating and patching. That’s the killer; a zero day — and the only solution is to replace your fridge before someone hacks it and floods your kitchen.”

That metaphor traverses NIST’s five IoT functional areas: crashed cars, flooded kitchens and locked doors, malfunctioning heart pacemakers, stuck elevators and power failures, and failing production lines. To get the IICS WG Task Group started in its work to discover the current state of international IoT standardization, the NISTIR 8200 compiles a table of potentially relevant existing standards separated into eleven core cybersecurity areas. These areas range from cryptographic techniques and cyber incident management, through IAM and network security, to supply chain risk management and system security engineering. Each one of these core cybersecurity areas will present its own IoT-specific difficulties.

For example, Du comments, “While encryption is a highly recommended security trend, it isn’t without its drawbacks. Encryption can hide valuable details needed by various teams including security researchers, incident response teams, and security vendors in addition to hiding them from hackers. Insider threats may also attempt to leverage end-to-end encryption to evade detection. In order to protect against these risks, IoT vendors should provide limited visibility through exportation of logs, session stats and meta data information.”

A wide range of existing and potentially relevant standards are mapped against these core areas, providing links to the standard, the standard developing organization (SDO), and a description of the standard. It becomes the raw material for a gap analysis between existing and necessary standards. Such an analysis is also provided, mapping standards to the core areas across the five functions. Only ‘cryptographic techniques’ and ‘IAM’ have available standards applicable to four of the five categories; but always with the rider that there is slow uptake of these standards.

The fifth and missing category is medical IoT, which fares worst of all the five categories for existing applicable standards. However, the two core areas of ‘IT system security evaluation’ and ‘network security’ have no available standards applicable to any of the five IoT categories. In reality, the entire gap analysis makes depressing viewing: there are no core areas that have standards adequately adopted in any of the five IoT categories. Even where there are standards, uptake is slow. Missing from this draft document is any standard that requires the ability for firmware updates within the IoT device build. This may be because there is no existing standard that attempts this. Where ‘patching’ is mentioned in the draft NISTIR document, it is solely for patch management, or remediation where patching is not possible.

“This document is a good start,” comments Koenig. The reality, however, is that it will be a long time before any serious benefit comes from the work. He sees two areas of primary concern. The first is a lack of regulation. NIST doesn’t regulate the private sector, although its recommendations can be required for the public sector. Even if this work eventually leads to IoT standards recommendations, it will require separate legislation to enforce the recommendations across the private sector. That still won’t necessarily address the manufacture of overseas-sourced devices, or the assembly of devices with multiple foreign components. Without regulation over device manufacture and development, Koenig’s second big concern comes into play: “IoT devices that limit or prevent updating and patching. That’s the killer,” he says.

But even with regulation controlling the manufacture of IoT devices, that still won’t necessarily solve the problems. Steve Lentz, CSO and director information security at Samsung Research America has always believed that security teams need to do their own ‘due diligence’ on products and processes, and not rely on what they are told by vendors. He suspects that standards and regulations “will bring out vendors claiming to provide IoT security. Again, this is where security teams need to do their due diligence and really check/test out these claims,” he warns. “IoT is also Wi-Fi which is now everywhere. We need to ensure complete work infrastructure is secure just not the traditional network defenses.

“We need to ensure we thoroughly research solutions that fit our environments,” he continued. “The government can give oversight and make recommendations, but we need to find the solution that works best for us.”

Justice Dept. Launches #CyberTaskForce to Review Elections. Attorney General Jeff Sessions is creating a cyber task force to evaluate attempts to interfere with U.S. elections. It is believed the task force will be comprised of representatives from various Justice Department offices, as well as outside law enforcement and #federal agencies. InfoSec Insights Team.

Sessions Creates Cyber Task Force to Study Election Interference

The Hill | By Olivia Beavers

The Justice Department is creating a cyber-digital task force to examine outside attempts to interfere with U.S. elections, Attorney General Jeff Sessions announced Tuesday.

“At the Department of Justice, we take these threats seriously. That is why today I am ordering the creation of a Cyber-Digital Task Force to advise me on the most effective ways that this Department can confront these threats and keep the American people safe,” Sessions said in a statement. Sessions said Deputy Attorney General Rod Rosenstein will name a senior department official to chair the task force. The effort will seek to “canvass the many ways that the Department is combatting the global cyber threat” as well as “identify how federal law enforcement can more effectively accomplish its mission in this vital and evolving area,” according to the press release.

The task force will be in charge of looking into a broad range of efforts in which outside actors sought to interfere. It is tasked with providing a report on its findings at the end of June.

“The Internet has given us amazing new tools that help us work, communicate, and participate in our economy, but these tools can also be exploited by criminals, terrorists, and enemy governments,” Sessions added. The new task force comes shortly after special counsel Robert Mueller charged 13 Russian nationals and three Russian companies on Friday with attempting to sow discord and interfere in the country’s presidential election by waging “information warfare.”

President Trump spent the weekend tweeting that the grand jury’s indictment vindicates him in the federal Russia probe because this particular set of charges did not point to collusion between Trump campaign aides and Russians. Trump in particular seized on the fact that the indictment accuses the Russians of beginning such efforts in 2014, before he had officially thrown his hat in the ring.

“Russia started their anti-US campaign in 2014, long before I announced that I would run for President. The results of the election were not impacted. The Trump campaign did nothing wrong – no collusion!” Trump tweeted shortly after the indictment became public.

But Trump’s critics pointed to Mueller’s indictment detailing the Russians’ sophisticated operation. The eight-count indictment also includes the explosive allegation that some defendants, who masqueraded as politically active Americans, had contact with “unwitting individuals associated with the Trump campaign” and others. The cyber force will bring together representatives from a wide range of DOJ offices along with outside law enforcement and federal agencies, depending on the direction of Rosenstein.

The announcement also comes amid growing calls on Capitol Hill to prioritize election security ahead of the approaching midterms.

FY2019 Budget Sees Cyber Funding Boost, Research Cuts. President Trump’s recently revealed budget for fiscal year 2019 increases #cybersecurity funding across the government, but also includes significant cuts in funding for #cyber #research.

Trump’s 2019 Budget Boosts Cyber Spending but Cuts Research

Nextgov | By Joseph Marks

President Donald Trump’s 2019 fiscal year budget request boosts cybersecurity funding by about 4 percent across the government, including significant hikes at the Homeland Security Department and Pentagon.

The overall increase includes even larger cyber funding spikes at key agencies, including a 23 percent jump at the Energy Department, a 33 percent jump at the Nuclear Regulatory Commission and a 16 percent hike at the Veterans Affairs Department. The budget, however, includes a massive cut of 18 percent to the government’s main cyber standards organization, the National Institute of Standards and Technology. That cut comes as NIST is working on an update to its cybersecurity framework, which is now mandatory for all federal agencies.

The budget also marks a major shift for cyber research and development funding inside the Homeland Security Department. Cyber research was formerly housed primarily in the department’s Science and Technology Directorate. Going forward, that funding, which totals $41 million in the president’s budget request, will be inside the cyber and infrastructure protection division—called the National Protection and Programs Directorate, or NPPD. The move is another blow for the Science and Technology Directorate, which has faced significant budget cuts since the start of the Trump administration.

The shift was made so “operators on the ground have influence over research and development,” a senior administration official said during a press call. The cyber and infrastructure protection division will work closely with the science and technology division on research priorities, the official said. The budget also calls for a small spike in government-wide information technology spending.

The president’s budget request is as much an ideological document as a budgeting one. The request lays out the executive branch’s funding priorities, but those numbers are only a rough starting point when Congress begins its own budgeting process and they’re often ignored entirely.

Funding Hikes at Homeland Security and Defense

Homeland Security cyber spending overall will stay roughly flat at about $1.72 billion.

The cyber division of the department’s cyber and infrastructure protection wing, however, will get a 7 percent spike from $665 million in the 2018 fiscal year to $712 million this year.

In addition to protecting federal civilian government computer networks, that division is also helping states secure their election systems against cyberattacks.

The budget includes $238 million for Homeland Security’s continuous diagnostics and mitigation program, which delivers a suite of cybersecurity tools to federal agencies and will eventually track federal computer systems on a government-wide dashboard. That’s down from $279 million in last year’s request.

The budget commits $407 million for a government-wide intrusion detection program called Einstein. That’s up from $397 million in last year’s request.

At the Pentagon, total cyber funding jumps to $8.5 billion in this year’s request, a 4.2 percent hike over the prior year.

That jump comes as U.S. Cyber Command, which was elevated last year to a unified combatant command, is in the process of reaching full operational capability.

The budget released Monday also:

  • Includes $8 million for the White House Office of Management and Budget’s cybersecurity oversight responsibilities, down from $19 million last year.
  • Includes $25 million for a cybersecurity enhancements account at the Treasury Department, which will help upgrade high-value Treasury computer systems that rely on outdated technology. The fund will also help the department respond more nimbly to cyber incidents. Overall cyber funding at Treasury will drop from about $529 million last year to $500 this year.
  • Raises funding for the Justice Department’s national security division, which prosecutes cyber crimes, from $95 million to $101 million. Overall Justice Department cyber funding is at $721 million, up from $704 million last year but down from $735 during the final year of the Obama administration.
  • Includes $10 million for cyber upgrades at the Transportation Department.
  • Hikes Veterans Affairs Department cyber funding 16 percent from $360 million last year to $418 million this year.
  • Raises cyber funding at the Office of Personnel Management 18 percent, from about $39 million to about $46 million.
  • Hikes Nuclear Regulatory Commission cyber funding 33 percent, from about $24 million to about $32 million.
  • Hikes Energy Department cyber funding 23 percent, from about $379 million to about $465 million.

Cryptocurrency Malware Hits #UK, #US, Australian #Government Websites. A security researcher uncovered over 4,000 websites compromised by malware that mines for cryptocurrency. Websites affected include several government websites in the UK, US, and Australia.

UK Government Websites, ICO Hijacked by Cryptocurrency Mining Malware

ZDNet | By Charlie Osborne

A number of government websites in the UK, US, and Australia, including the UK Information Commissioner’s Office (ICO), have been compromised by cryptojacking malware. According to security researcher Scott Helme, over 4,000 websites have been affected. The security consultant was made aware of the scheme after another security expert, Ian Thornton-Trump, pointed out that the ICO’s website had a cryptominer installed within the domain’s coding.

Helme confirmed the findings on Twitter, and upon further exploration, discovered that the mining code was present on all of the ICO’s web pages. It was not long before the researcher realized far more than the ICO had been compromised. Websites including the UK’s Student Loans Company (SLC), the UK National Health Service (NHS) Scotland, the Australian Queensland government portal, and US websites were also affected, such as uscourts.gov.

Cryptocurrency mining software is not illegal and some websites have begun tinkering with plugins that borrow visitor CPU power to mine virtual currency, potentially as an alternative for advertising. However, malware which installs such mining software without consent is fraudulent and can slow down visitor systems when legitimate websites are serving up mining scripts. The researcher traced the code found in the ICO website to a third-party plugin, Browsealoud, which is intended to assist visually impaired visitors to website domains. The plugin’s developers, Texthelp, confirmed that the plugin had been compromised to mine cryptocurrency.

In a blog post, the researcher said that the script for the Browsealoud plugin, ba.js, was altered to include the Coinhive cryptocurrency miner, which specializes in Monero. Any website using the plugin and loading the file would then unwittingly load the cryptocurrency miner with it. As a result, it is not the websites themselves that have been internally compromised, but rather a third-party service that was tampered with for the purpose of cryptojacking.

“If you want to load a crypto miner on 1,000+ websites you don’t attack 1,000+ websites, you attack the one website that they all load content from,” Helme noted. “In this case, it turned out that Texthelp, an assistive technology provider, had been compromised and one of their hosted script files changed.”

A public search on PublicWWW revealed that up to 4,275 websites may have loaded the infected script and mined cryptocurrency by borrowing visitor processing power as a result.

At the time of writing, the Browsealoud website is not accessible.

Texthelp said no customer information has been exposed due to the security lapse, and “Browsealoud [was removed] from all our customer sites immediately, addressing the security risk without our customers having to take any action.”

The exploit was active for roughly four hours on Sunday.

Texthelp intends to keep the plugin offline until 12.00pm GMT on Tuesday to “allow time for Texthelp customers to learn about the issue and the company’s response plan.”

Helme says that this attack vector is nothing new, but it would have taken a simple tweak to the loading script to prevent it happening in the first place. By changing the standard markup that loads a .js file to include the Subresource Integrity (SRI) integrity attribute, which allows a browser to determine whether or not a file has been modified, the entire campaign could have been “completely neutralized.”

“In short, this could have been totally avoided by all of those involved even though the file was modified by hackers,” the researcher says. “I guess, all in all, we really shouldn’t be seeing events like this happen on this scale to such prominent sites.”
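The SRI check described above, as an added example in Python (not code from the article, from Helme, or from Texthelp): it computes an integrity value, reproduces the comparison a browser makes, and lists the cross-origin scripts a page loads without one. The script bytes, host names and page markup are constructed placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hash functions SRI allows, ordered weakest to strongest.
SRI_ALGS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, alg: str = "sha384") -> str:
    """Return an integrity value of the form '<alg>-<base64 digest>'."""
    if alg not in SRI_ALGS:
        raise ValueError(f"unsupported SRI algorithm: {alg}")
    digest = hashlib.new(alg, content).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def verify_sri(content: bytes, integrity: str) -> bool:
    """Mimic the browser check: only the strongest algorithm listed counts,
    and the file passes if any hash given for that algorithm matches."""
    by_alg = {}
    for token in integrity.split():
        alg, _, b64 = token.partition("-")
        b64 = b64.split("?", 1)[0]  # ignore optional ?options suffix
        if alg in SRI_ALGS and b64:
            by_alg.setdefault(alg, []).append(b64)
    if not by_alg:
        # Nothing usable to compare against. A browser would load the file
        # unverified, so an audit should treat this as a failure.
        return False
    strongest = max(by_alg, key=SRI_ALGS.index)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in by_alg[strongest]


class ScriptAuditor(HTMLParser):
    """Collect <script src> tags that point at another host and carry
    no integrity attribute."""

    def __init__(self, page_origin: str):
        super().__init__()
        self.page_host = urlparse(page_origin).netloc
        self.unpinned = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attr = dict(attrs)
        src = attr.get("src")
        if not src:
            return  # inline script, nothing fetched
        host = urlparse(src).netloc  # empty for same-site relative paths
        if host and host != self.page_host and not attr.get("integrity"):
            self.unpinned.append(src)


def find_unpinned_scripts(html: str, page_origin: str) -> list:
    auditor = ScriptAuditor(page_origin)
    auditor.feed(html)
    return auditor.unpinned


def pinned_tag(src: str, content: bytes) -> str:
    """Build the script tag with SRI. crossorigin is needed so the browser
    fetches a cross-origin file in a mode where it can check the hash."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')


# Constructed sample data: a stand-in plugin script, a modified copy of it,
# and a page that loads the plugin from a placeholder third-party host.
ORIGINAL_JS = b"/* constructed stand-in for a plugin script */\nfunction readAloud() {}\n"
TAMPERED_JS = ORIGINAL_JS + b"/* constructed marker for injected code */\n"
PLUGIN_URL = "https://plugin.example/ba.js"
PAGE = f"""<html><head>
<script src="/static/site.js"></script>
<script src="{PLUGIN_URL}"></script>
</head></html>"""

if __name__ == "__main__":
    print("scripts loaded without SRI:",
          find_unpinned_scripts(PAGE, "https://site.example"))
    pinned = sri_hash(ORIGINAL_JS)
    print("suggested tag:", pinned_tag(PLUGIN_URL, ORIGINAL_JS))
    print("original passes:", verify_sri(ORIGINAL_JS, pinned))
    print("modified passes:", verify_sri(TAMPERED_JS, pinned))
```

Pinning a hash means the site owner has to update the tag whenever the vendor ships a new version of the file, so SRI works best with versioned script URLs.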

At the time of writing, the ICO website is not available.

On Sunday, the UK National Cyber Security Center (NCSC), part of the GCHQ intelligence agency, said that there is “nothing to suggest that members of the public are at risk.”

“NCSC technical experts are examining data involving incidents of malware being used to illegally mine cryptocurrency,” an NCSC spokesperson said. “The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely.”

Dark Caracal Targets Thousands in Over 21 Countries. The Electronic Frontier Foundation and Lookout Security released a report detailing several active Dark Caracal #hacking campaigns that successfully targeted mobile devices of #military personnel, medical #professionals, #journalists, #activists, and others in over 21 countries.

Dark Caracal: Hackers Spied on Targets in Over 21 Countries and Stole Hundreds of Gigabytes of Data

International Business Times UK | By India Ashok

A new and massive cyberespionage campaign, believed to be the work of Lebanese hackers linked to Lebanese General Security Directorate (GDGS) in Beirut, has been uncovered.

A new report by the Electronic Frontier Foundation and Lookout Security revealed that the cyberespionage group, dubbed Dark Caracal, has conducted numerous attacks against thousands of targets in over 21 countries in North America, Europe, the Middle East, and Asia.

The hacker group successfully targeted mobile devices of military personnel, medical professionals, journalists, lawyers, activists and more. It has stolen hundreds of gigabytes of data, including photos, text messages, call records, audio recordings, contact information and more.

The cyberespionage group stole this massive trove of information using its custom-developed mobile spyware called Pallas. The spyware, which Lookout discovered in 2017, is found in malware-laced Android apps — knock-offs of popular apps like WhatsApp, Telegram and others that users downloaded from third-party online stores.

“People in the US, Canada, Germany, Lebanon, and France have been hit by Dark Caracal,” EFF director of Cybersecurity Eva Galperin said in a statement. “This is a very large, global campaign, focused on mobile devices. Mobile is the future of spying, because phones are full of so much data about a person’s day-to-day life.”

According to the report, Dark Caracal has been active in several different campaigns, running parallel, with its backend infrastructure also having been used by other threat actors. For instance, Operation Manul, which according to the EFF targeted journalists, lawyers and dissidents of the Kazakhstan government, was launched using Dark Caracal’s infrastructure.

According to Galperin, the Dark Caracal group may be offering its spyware services to various clients, including governments, The Register reported.

Dark Caracal hackers also make use of other malware variants such as the Windows malware called Bandook RAT. The group also uses a previously unknown multi-platform malware dubbed CrossRAT by Lookout and EFF, which is capable of targeting Windows, Linux and OSX systems. The report states that the APT group also borrows or purchases hacking tools from other hackers on the dark web.

“Dark Caracal is part of a trend we’ve seen mounting over the past year whereby traditional APT actors are moving toward using mobile as a primary target platform,” said Mike Murray, VP of security intelligence at Lookout. “The Android threat we identified, as used by Dark Caracal, is one of the first globally active mobile APTs we have spoken publicly about.”

“One of the interesting things about this ongoing attack is that it doesn’t require a sophisticated or expensive exploit. Instead, all Dark Caracal needed was application permissions that users themselves granted when they downloaded the apps, not realizing that they contained malware,” said EFF staff technologist Cooper Quintin. “This research shows it’s not difficult to create a strategy allowing people and governments to spy on targets around the world.”

Ransomware Posing as Flash Player Download. A new strain of ransomware hit organizations throughout Eastern Europe earlier this week. Spread through compromised websites, the Bad Rabbit ransomware poses as an Adobe Flash Player download, and after infecting one machine, can quickly spread through an organization’s network without being detected.

The Latest Ransomware Presents Itself as an Adobe Flash Player Download

Nextgov | By Keith Collins

A new strain of ransomware, called Bad Rabbit, began hitting organizations throughout Russia and Eastern Europe on Wednesday (Oct. 25). The malware is being spread through compromised websites, presenting itself as an Adobe Flash Player download.

“When users visited one of the compromised websites, they were redirected to 1dnscontrol[.]com, the site which was hosting the malicious file,” according to a blog post by Talos, Cisco’s threat intelligence team.

Once infected with the ransomware, victims are directed to a web page on the dark web, which demands they pay 0.05 bitcoin (roughly $285 USD) to get their files back.

After one computer on a network is infected, Bad Rabbit can quickly and covertly spread through an organization without being detected. Although the ransomware has been detected in several countries, it appears to be concentrated in organizations in Russia and Ukraine, particularly media outlets.

U.S. Takes Down International #ID #Theft Ring. The U.S. Justice Department indicted 36 people in connection with an international identity theft ring known as #Infraud. #cyberfraud

International Cyber Crime Ring Smashed After More Than $530 Million Stolen

CNN | By Ben Westcott

US authorities have indicted 36 people for stealing more than $530 million from victims across the world in one of the “largest cyber fraud enterprises ever prosecuted.” In a statement, US investigators claimed the accused were taking part in a massive operation known as the Infraud Organization, which stole and then sold other people’s personal information, including credit card and banking information. “Today’s indictment and arrests mark one of the largest cyberfraud enterprise prosecutions ever undertaken by the US Department of Justice,” Acting Assistant US Attorney General John Cronan said in a statement. Cronan said it was believed the group had intended to cause losses totaling more than $2.2 billion during their seven years of operation. Authorities have already arrested 13 people from a range of countries including the United States, Australia, the United Kingdom, France and Italy. The Infraud Organization has been in operation since October 2010, according to the statement from the US Justice Department, when it was launched by a 34-year-old Ukrainian man Svyatoslav Bondarenko. He had wanted to grow the organization into the internet’s largest “carding” group — that is, a criminal group who buy retail purchases with counterfeit or stolen credit card information. Their motto was, “In Fraud We Trust.” According to the Justice Department statement, there were 10,901 registered members of the Infraud Organization as of March 2017, who were divided into specific roles. They ranged from the “administrators” who oversaw the organization’s strategic planning and approved membership, all the way down to the “members” who used the Infraud forum to facilitate their criminal activities. Law enforcement agencies from across the world collaborated on the investigation into Infraud, including Italy, Australia, the United Kingdom, France and Luxembourg, among many others.

Army to Modernize Tracking System for Cyber Attacks

The U.S. Army is preparing to modernize Blue Force Tracking, its friendly forces tracking system, to ensure continued operability in the event of cyber and electronic warfare attacks.

The Army Wants to be Able to Track Friendly Forces During a Cyber Attack
C4ISRNET | By Daniel Cebul

Washington — The U.S. Army is preparing to modernize its friendly forces tracking system so that it will continue to operate through cyber and electronic warfare attacks.

The service’s situational awareness network, known as Blue Force Tracking, already receives periodic updates, but a more significant upgrade is needed if troops are to be adequately equipped for future warfare. “This capability improvement is necessary as the United States faces increased cyber and electronic warfare threats from near-peer adversaries,” Lt. Col. Shane Sims said in an Army press release.

Defense News reported in November 2017 that Russia’s Zapad exercise took place in a largely EW-hostile environment. Because Russia proved it can jam its own forces relatively easily, military officials are concerned about how well NATO forces are prepared to operate in GPS- and communication-denied environments.

To address these issues, the program office partnered with the Army’s Communications Electronic-Research, Development and Engineering Center, or CERDEC, and ran concurrent studies that examined the capabilities and limitations of current blue force tracking technology.

The work included:

A traffic study that explored how the current blue force tracking system generates and receives data, as well as the requirements of moving data digitally to identify any network vulnerabilities.

A cyber and electronic warfare study that aimed to identify what emerging technologies need to be developed to stay ahead of adversaries. The Army announcement notes, “assured positioning, navigation and timing, known as PNT, for soldiers in GPS-denied environments was the primary goal in this study.”

A network study that examined how to communicate future data more efficiently within the network.

A transport study that identified the physical infrastructure — radios, satellites and antennas — needed to move larger quantities of information. Part of the solution is to build in redundancies into the network to use different radios and different frequency bands.

This might entail deploying satellites of higher technological quality in larger quantities. A new satellite infrastructure that could handle more data and transmit information faster was credited with the improvements soldiers observed the last time the BFT system was upgraded in 2011.

“The goal of the next-generation BFTs is to reduce the cognitive burden on soldiers by creating a simple and intuitive network,” Sims said.

The Army issued a request for information on the system this month, and CERDEC is set to meet with Army leaders to discuss an acquisition strategy in February.

The Army hopes to issue a request for proposals from industry in early 2020, and could begin fielding the new BFT by 2025, the release said.

The Risk of Insider Threat

Research demonstrates that most fraud risk is attributed to insider threat. In a study almost one third of all cyber attacks were committed by ex-employees.

It’s Not Just Cybercriminals: Insider Threats Still a Top Cyber Risk for Corporations
Property Casualty 360° | By Rhys Dipshan

As cyber espionage and ransomware attacks wreak increasing damage on the world economy, it makes sense that many companies think their biggest threats come from external actors.
But most risk still emanates from inside the organization, according to Kroll’s Global Fraud & Risk Report.
The report was based on a survey conducted among 540 senior executives across six continents and found that a significant amount of companies’ fraud, cybersecurity and security incidents were caused by current or former employees.
Risks from current & former employees
Ex-employees, for example, were key perpetrators in 37% of security incidents that happened outside the cyber realm. What’s more, 25% of security incidents were caused by middle- or senior-level employees, while 26% were by junior employees.
Junior employees were also the most likely to cause fraud incidents, followed by ex-employees.
And while most cybersecurity incidents were caused by random cyberattackers, at 34%, ex-employees still accounted for 28% of all attacks, while senior or middle management employees accounted for 19%, and junior employees 16%.
Alan Brill, senior managing director with Kroll’s cyber security and investigations practice, noted that oftentimes, organizations will concentrate too much on high-tech cybersecurity needs, such as protecting their networks, and miss the fact that their biggest “risk factor comes from those who have access to sensitive information.”
Ensure former employees don’t have access
One major shortcoming among organizations is not properly ensuring former employees do not have access to enterprise systems. “You need to be able to not just plan the steps the company is going to take [when an employee leaves], but you have to have a way of knowing that the steps are actually being done. I think in many cases, there is a disconnect from what managers believe is being done and what is happening on the ground,” Brill said.
Brill also advised organizations to ensure that “the right agreements are [in] place” to limit employees’ and contractors’ access to sensitive information, and train employees on the appropriate data handling procedures.
Most companies surveyed took measures to mitigate the risk of insider threats. Over 80% restricted employees from installing software on company devices and had employee training programs. Over 75% had internal cybersecurity policies and procedures.
But Brill noted that it’s not enough to just have security programs and policies without constantly reviewing their usefulness. He said that many companies need to use “metrics to understand if what they’re doing is effective,” and build their security programs around tested results.
Fraud, information theft
Such proven programs are becoming increasingly necessary given the wide range of fraud and cybersecurity incidents that organizations face in the current economy. The survey found, for example, that 29% of respondent companies suffered fraud, which resulted in information theft, loss or attack, while 27% had theft of physical assets or stock, and 26% uncovered a conflict of interest.
Information theft and conflict of interest incidents were experienced by 5% more companies in 2017 than in 2016, the biggest increase among all types of fraud incidents.
Brill noted that such conflict of interest incidents are becoming more common as enterprises rely on more vendors in their supply chain and as compliance offices become “more able to detect conflicts of interest” through the use of better compliance technology.
More vulnerable to all types of threats in 2018
With regard to cyber incidents, the survey found the number of companies attacked by malicious viruses rose 3% to 36% in 2017, while those suffering email phishing attacks rose 7% to 33%, which Brill attributed to such scams becoming more sophisticated.
When compared with the 2015 survey results, respondents believed they’re more vulnerable to all types of threats in 2017 than they were two years prior, with the exception of theft of physical assets or stock. Areas where respondents believe their vulnerability had increased the most since 2015 included IP theft, management of conflicts of interest, and market collusion.

DHS: More Fed Cyber Services Could Be Outsourced

Barry West, the Department of Homeland Security’s senior accountable official for risk management, believes that federal agencies may pursue outsourced cyber security services from contractors more frequently, due to the ongoing global shortage of and competition for cyber talent.

Government Could Shift to Security-as-a-Service, DHS’s West Says
Fedscoop | By Carten Cordell

With cyber talent in high demand, Barry West said Thursday that the government may soon lean more heavily on the private sector for cyber security help.

West, the Department of Homeland Security’s senior accountable official for risk management, said that an ongoing global shortage of cyber talent could soon push agencies to more frequently pursue outsourced cyber security services from contractors rather than try to compete with the private sector.

“When I look at a visionary view of cyber, I think this is really where we are headed,” he said at ATARC’s Federal CISO Summit. “This would have been far-fetched probably five years ago, saying you were going to have a private sector company perform your security.”

West pointed to research from Gartner that predicted that there would be a global cyber shortfall of 1.8 million by 2022 — with the federal government struggling to compete with the private sector for talent, it may be more beneficial for agencies to contract for it, he said.

“This isn’t to say that there’s not going to be government oversight; there’s still not going to be a [chief information security officer] in charge,” he said, “but I really think we are headed for a model where we are going to see security-as-a-service and you are going to see [security operations center, or SOCs] as a service.”

West added that DHS is already in talks to consolidate 12 to 13 “disparate SOCs” — which help monitor cyber security posture from across the agency’s networks — saying that it is a key priority for Secretary of Homeland Security Kirstjen Nielsen.

“She really wants to see that happen,” he said. “It really shows when you have a major incident — when we had the WannaCry incident last year, it became real clear some of the disorganization we had around reporting.”

Consolidation would precede SOC-as-a-service, West said, with DHS beginning to merge SOC operations in the National Capital Region.

“I think it’s the way we’re headed. I think you will hear more of the SOC consolidation at DHS next year. That’s going to be a big focus for us,” he said.

After that, West said, DHS would likely craft some prototypes to test the SOC-as-a-service model over the next three to four years.

“I think we have to start thinking about it now and planning, but I think it’s the way of the future,” he said.