“Having a universal standard for privacy may not be practically possible”

CISO MAG | Cyber Security Magazine

Anshuman Sharma is a seasoned professional with over 15 years of experience in the field of cybersecurity, leading the Hong Kong & India market for the Investigative Response (VTRAC) practice. He brings unique and vast experience in leading digital forensics and incident response, threat hunting, threat & vulnerability, advisory & security assurance, and PCI DSS compliance. Currently, he is the Principal Consultant, APAC, VTRAC (Verizon Threat Research Advisory Center).

In an exclusive interaction with Augustin Kurian, Senior Feature Writer at CISO MAG, Sharma talks about his journey, the impact of COVID-19 on cybersecurity, the adoption of AI and ML, and the global compliance norms.

Edited excerpts of the interview follow:

AK: You have over 15 years of experience across a wide spectrum of areas spanning information security, cybersecurity, cyber forensics, cyber warfare, risk management, expertise in the SOC and CERT, cloud computing, Big Data, Internet of Things (IoT), MEC, ML, and AI. How has your journey been so far? How has the cybersecurity space evolved in the last 20 years, and how did COVID-19 change the cybersecurity dynamics?

Sharma: My journey in the past 15 years has been fascinating. I need to be on my toes, keeping myself abreast with the latest know-how within the security domain. The security landscape has undergone exponential growth in the past 20 years. For example, two decades ago, organizations were taken by storm with the advent of firewalls. Then came the era of Intrusion Detection and Intrusion Prevention Systems (IDS/IPS).

Moving to the more recent past, with the advent of the Internet of Things (IoT), Artificial intelligence, and Machine Learning (AI & ML), cybersecurity has taken another quantum jump. The threat landscape changed with the advent of the cloud, and the complexity of the threats increased parallelly.

Digital transformation has played a key role in how cybersecurity has changed over the years. We moved from packet-filtering firewalls to next-gen firewalls, which provided other functionalities such as gateway AV controls, web content filtering, and email content filtering.

In the current context, AI and ML is being used for the next generation preventive and detective solutions such as Endpoint Detection and Response (EDR) at the endpoints; Network Detection and Response (NDR) at the network level, and User Entity Behavior Analytics (UEBA) — all utilizing the power of AI and ML to identify anomalies by first understanding what is normal. The contribution that threat intelligence brings to the table cannot be ignored. Threat intelligence (from Clearnet and Darknet) is providing the necessary ingredients for a threat hunting program in an organization, and it matures with the help of EDR and NDR technologies. Couple that with other recently matured and evolving technologies such as Security Incident and Event Management (SIEM), Deception Technologies, and Security Orchestration, Automation and Response (SOAR). This provides the necessary tools to a cybersecurity professional to thwart most of the cyberattacks and/or helps them in detecting many within a timely fashion. Also, matured organizations have great response plans in place as they know, “it is no more a question of if, but when.” The COVID-19 pandemic has changed, possibly forever, the way we work. It has caused many organizations to adapt and/or hasten their roadmap towards digital transformation and has resulted in many organizations such as banks, which traditionally have never moved aggressively towards the cloud or even toward providing remote access to the work environment.

When there is change, there exists a potential for confusion, omissions, and mistakes. Cybercriminals are aware of this and will do their best to capitalize on any opportunities that are afforded by them. I do not mean to imply that the cloud and remote technologies mentioned above are inherently less secure. Rather, the concern arises from the fact that due to the conditions the pandemic has created, most organizations are hurriedly adopting them, and they are often forced to do so while relying on fewer resources in terms of both personnel and revenue. When one adds to that dangerous concoction of digital transformation, the additional ingredient of large-scale remote work enablement, it can easily spell disaster. The likely factors contributing to the incident and breaches in the COVID-19 situation include:

  • Increase in error – These error types are typically due to carelessness and/or hurry on the part of a system administrator or regular end-user, which includes misconfiguration, misdelivery, and publishing errors.
  • Stolen credential-related hacking – Our recent research shows that over 80% of breaches within the hacking category are caused by stolen or brute-forced credentials. The majority of the time, these occur via web apps and/or the cloud. Since businesses are forced to lean on Software-as-a-Service (SaaS) platforms more heavily now, we expect this increased reliance to substantially widen the attack surface for bad actors looking for stolen and brute-forced credentials.
  • Asset management and patching – Most of us will agree that making sure that, all corporate-owned assets are promptly and consistently patched, may be more difficult in the current environment than it has been in the past. However, given the current circumstances in which a large number of employees are being encouraged (or mandated) to work from home, maintaining those newly external workstations for remote access suddenly becomes a much bigger deal.
  • Ransomware likely to rise – Several incidents where the ransomware group was also confirmed to have taken a copy of the data before triggering encryption and posting the data (either partially or entirely) publicly on their website of choice.
  • Impact on the phishing landscape – The surge in remote working due to the pandemic may increase the reliance on mobile phones and tablets. Research from last year’s DBIR report indicates that many users are more likely to click on a malicious link when using a mobile device than a desktop or laptop.
  • The Mind Games – Clearly, COVID-19-related terms are showing up in threat indicators. However, how susceptible people are to them is still an open question. To try to provide an answer, Verizon examined some simulated phishing data provided by a report contributor. Verizon compared emails that contained COVID-19-related terms (such as COVID, Corona, pandemic, Wuhan, SARS, etc.) to those emails that did not contain such references. Based on the data, phishing emails that were related to COVID-19 had a somewhat higher success rate and showed more organizations having far higher click rates, even above 50% in some cases.

AK: CEO frauds are a concern these days. Do you believe the new work from home format has heightened cybersecurity risks on CEOs and those with privileged access?

Sharma: In one of the recent reports, it was mentioned that senior executives are 12x more likely to be the target of social incidents, and 9x more likely to be the target of social breaches than in previous years. One of the factors behind targeting the senior executives is that they have access to the most critical information, and often, they have unrestricted access to such information.

With the new work from home scenario, we expect to see a rise in phishing emails. With the number of executives making use of personal devices for work-related tasks increasing, the risk for compromise becomes greater. So, we may see the number of business email compromise attacks increasing.

AK: When it comes to data security, many times, industries do not know what their critical data is. So, how do you think they can combat it?

Sharma: One of the most important aspects of securing data is being able to answer what sensitive data an organization has (PII, PHI, Payment Data, etc.), where it is stored, processed, and transmitted, who has the access, and what privileges they have, and what it will cost the organization if such data gets leaked. It means that a data classification exercise needs to be carried out.

Organizations are creating massive amounts of data that is both structured and unstructured. The key is to have a sound understanding of business processes and having business process flows to identify the data life cycle — creation, storage, usage, sharing, archiving, and destruction. Having a data classification policy is another important aspect as it identifies any legal and regulatory requirement and setting up of various classification levels. Using an Identity and Access Management Solution (IAM) and Privilege Identity Management (PIM) solution with assigned roles and responsibilities can help in better managing users’ access to data.

Augustin Kurian

About the Interviewer

Augustin Kurian is the Senior Feature Writer and part of the editorial team at CISO MAG and writes interviews and features.


This interview first appeared in the December 2020 issue of CISO MAG. Get all your copies now! Subscribe

The post “Having a universal standard for privacy may not be practically possible” appeared first on CISO MAG | Cyber Security Magazine.

North Korea Accused by its Southern Counterpart for Cyberattack on Pfizer

CISO MAG | Cyber Security Magazine

North Korea seems to be getting desperate to resolve the COVID-19 crisis even when the country has not yet officially reported any positive cases. Its southern counterpart has accused them of launching a cyberattack against COVID-19 vaccine maker, Pfizer. This is the second attack reported in the past three months; the first being against AstraZeneca.

Related News:

COVID Vaccine Frontrunner AstraZeneca Targeted by Suspected North Korean Threat Actors

North Korea Targets Pfizer

North Korea has been previously accused of targeting the then COVID-19 vaccine frontrunner, AstraZeneca, to know more about its research. The alleged threat actors used social engineering techniques and baited the employees of AstraZeneca with phishing emails containing fake job offers. They hid malicious links and attachments in these emails that led to the download of data exfiltrating malware. Although the attack was not so successful, it gave impetus to the North to try it on other vaccine makers as well. Thus, taking a cue from its previous campaigns, North Korea has now targeted another vaccine maker, Pfizer.

The accusation has been made by Ha Tae-Keung, a South Korean lawmaker and opposition party member of the parliament. After a security briefing from the National Intelligence Service (NIS), Ha told reporters,  There were attempts to steal COVID vaccine and treatment technology during cyberattacks, and Pfizer was hacked. The NIS though has remained tight-lipped and only accepted that a record of multiple security incidents was discussed in the security briefing without accepting or rejecting Ha’s claims of Pfizer being compromised. The NIS though did mention that it has successfully averted all attacks from the North directed towards its own COVID vaccine research.

As per Reuters, Pfizer’s offices in Asia and South Korea have not yet commented on Ha’s revelations. However, Ha did provide a picture of the notes he had taken during the briefing, but this is not enough to prove anything as of now, and we will have to sit tight to know more. If it is true, there are two conclusions for the motive behind the attack:

  1. North Korea wants to steal vaccine data and COVID-19 research information to develop its own indigenous vaccine.
  2. They wish to sell this information to another country or organization in exchange for a huge sum to support other activities.

Meanwhile, North Korea is set to receive around two million doses of the AstraZeneca/Oxford University vaccine later this year, via the Covax programme.

Related News:

“The battle for the vaccine market to launch cyberattacks has already begun”

The post North Korea Accused by its Southern Counterpart for Cyberattack on Pfizer appeared first on CISO MAG | Cyber Security Magazine.

DopplePaymer Ransomware Gang Behind Kia Motors IT Outage?

CISO MAG | Cyber Security Magazine

Kia Motors has quickly climbed the sales ladder in the U.S. It has captured the market across the country with its gold-standard product offerings like the Telluride, which is incidentally named the “2020 World Car of the Year.” Kia owes a huge part of this success to its latest technology adaptations. It offers great build quality, but it is the tech on offer that woes its customers – its connected car tech. The ability to interact with your car remotely and enjoy functions like remote start and stop of ignition, climate control, seat warming, and boot opening is stunning. But what happens when this goes down? It is an owner’s nightmare and the company’s embarrassment. This is what Kia is going through right now because the company has announced a nationwide IT outage in the U.S.

Kia IT Outage a Ransomware Attack?

On February 13, several Kia customers complained that they were unable to use Kia’s official UVO mobile application for initiating remote commands.

Later Kia put out an “IT service outage” note on its website (refer to the image below) to assure their customers that they would be back soon.

KIA motors IT outage, KIA motors ransomware attack
Image Credit: KIA Motors America

However, it has been nearly five days, and yet the services seem to be down and some reports, which surfaced recently, suggest that Kia Motors America was attacked by the DopplePaymer ransomware gang. This possibly explains the delay in the restoration of services.

According to the reports, the ransom note was left in the name of Hyundai Motors America, which is the parent company of Kia Motors. However, Hyundai Motors does not seem to be affected by this ransomware attack. The DopplePaymer gang informed that they have stolen “sensitive data” and shall require a ransom of 404 BTC (equivalent to $20 million) in exchange for the decryption key. The note carries a link to their TOR page where a countdown timer is set for a deadline, which if not met increases the ransom amount to 600 BTC.

Speaking exclusively to CISO MAG, Purandar Das, CEO and Co-Founder of Sotero Software, said,

One more ransomware incident. While the focus is on recovering the stolen data, minimizing customer exposure, and restoring normal operation, as it rightfully should be, companies ought to start revisiting their security approaches.

There are two parts to this. One, start by making the data useless when stolen. That eliminates a big part of the leverage the criminals have. The data is just as valuable as the operational aspects of the system that are affected. The stolen data also causes long-term damage to innocent consumers who trust organizations to protect their data and privacy.

Adopting newer encryption technologies, which keep data encrypted even while in use, is a must. Second, enabling secure backups of operational systems with fast recovery paths is another. Layering on more security products is not a viable or scalable solution.

Don’t Pay the Ransom, It’s Illegal!

Ransomware is a growing plague and currently, there seems to be no antidote to it other than paying. However, paying the ransom is now illegal in the U.S. as per an advisory issued by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). Read more about it here!

Related News:

Why is Ransomware Still a Problem?

The State of Ransomware: From Evolution to Progression

The post DopplePaymer Ransomware Gang Behind Kia Motors IT Outage? appeared first on CISO MAG | Cyber Security Magazine.

Use business email compromise training to mitigate risk

“Please respond ASAP.”

When CFO Joe receives an email from CEO Taylor with this urgent subject line, he goes into high alert. The message is pressing. The email’s sender, Joe’s superior, and its language engage his instinct to respond to authority and deadlines. Without thinking, Joe completes a payment at her request.

Only, the message from “Taylor” was not sent by the CEO herself, but from a malicious actor who compromised her email account and set up a fake invoice to a fraudulent account for payment.

This hypothetical business email compromise (BEC) scam illustrates that, however well intentioned, an employee’s automatic urge to respond to emails like Taylor’s presents a significant security risk. Understanding how and why employees respond to such emails is critical when designing more effective BEC training that could have helped Joe identify and flag the fraudulent email.

‘Click, whirr’ responses make humans vulnerable

In his seminal book, Influence: The Psychology of Persuasion, Robert Cialidini described a set of conditioned responses and fixed action patterns as “click, whirr” behavior. This refers to responses so ingrained and reflexive in humans that they are done almost without thinking.

These automatic responses are either critical to survival, such as steering a vehicle away from an unexpected pedestrian, or provide a mental shortcut to reduce the overhead of decision-making, as in expecting an expensive bottle of wine to have a better flavor than a cheaper one.

While conditioned responses in humans can affect our menu choices and potentially even save lives on the road, they can also make us vulnerable. In fact, cybercriminals commonly weaponize this conditioning and use it against us in BEC scams.

How BEC scams exploit human psychology

There are many technical controls to help thwart BEC attacks, but humans and security awareness training are at the root of the solution. To build effective BEC training and prevention programs, it is critical to explore what triggers automatic responses in humans — and how BEC scams are designed to capitalize on them.

Response to scarcity

One trigger that kicks off our click, whirr response is scarcity of a resource or limited time. Most people have been exposed to advertising messages such as “Supplies are limited, act now!” In most cases, the message has nothing to do with how much supply is available. The seller is simply trying to engage our scarcity trigger so the product will seem more desirable and worthy of purchase.

Similarly, BEC attempts commonly include urgent language such as “Invoice past due” or “Time sensitive: Action required.” These messages also activate our scarcity response. BEC attackers understand that employees are conditioned to take overdue invoices seriously and respond to them quickly.

Response to authority

Another effective automatic response trigger is the power of authority. People are more likely to act when directed to by an authority figure. BEC is so successful because the criminals know who to emulate as a sender to get a rapid result. When Joe, the CFO, gets an email from Taylor, the CEO, asking for a large fee transfer, Joe is conditioned to comply with the request because of Taylor’s authority.

Sophisticated BEC attempts will look and sound as if they came from the actual sender. Thus, directing users to simply check the sender’s address or to look for typos or grammar mistakes isn’t enough. To be truly effective, BEC training needs to help users recognize when they are in click, whirr mode and prompt them to pause to consider the request.

Image displays an example of a BEC scam email asking the recipient to make a fraudulent payment.
BEC scams are designed to exploit the brain’s automatic responses to scarcity and authority.

Typically, a message such as “Urgent, please pay this now!” from Taylor’s email would prompt Joe to act fast. But, if he takes a moment to think about this request, he can combat the immediate click, whirr response to comply with Taylor’s transfer request. Then, he can cross-reference his records to determine if any payments are outstanding and text Taylor to confirm whether the payment request is legitimate.

Design BEC training with psychology in mind

It is important for IT leaders to understand that BEC training is not a one-and-done activity. Psychological research on how humans learn shows it’s easy to forget what is learned if it’s not consistently reinforced. Thus, many experts recommend training and practice on a quarterly or bimonthly basis.

Even well-trained users and executives may click a malicious link or initiate an authorized funds transfer, which is why training users on what to do next matters.

Since BEC exploits begin with a phishing email, BEC training is usually part of antiphishing campaigns. These should include periodic videos that not only remind employees what BEC scams look like, but are also designed to be entertaining for employees. Campaigns may also involve BEC phishing tests launched against employees by the security department. When users engage with fake phishing emails by clicking links or responding, they receive a warning to notify them that they were duped. This feedback is designed to improve user behavior and, when combined with training, provides insight about BEC training efficacy.

Psychological research also shows the adrenal hormones released during an emotional arousal — epinephrine and corticosterone — also regulate long-term memory. This can be applied to BEC training during which users may experience an emotional response in the immediate aftermath of a bad click notification. This is an ideal time to reeducate users and help them remember how important it is to interrupt their click, whirr before responding to emails.

It is vital to avoid shaming users during BEC training. It is easy for well-intentioned employees to make mistakes when trying to be the most efficient workers possible. Incorporating empathy into employee development and culture will be critical to the success of the lesson. User training should be about learning, not punishment.

What to do when mistakes happen

No one is perfect. Even well-trained users and executives may click a malicious link or initiate an authorized funds transfer, which is why training users on what to do next matters.

If possible, set up a reporting portal, email or hotline for users who think they may have fallen for a BEC scam. Timely disclosure is important from both a security and business perspective. If the user is able to report a suspicious payment quickly, there may be time to cancel the transfer before it is completed.

Organizations hit by successful BEC scams should report them to the authorities and file a complaint with the FBI’s Internet Crime Complaint Center to help law enforcement catch the criminals.