Verizon, Trump Hotels, and the RNC are Among the Recent Victims of Third-Party Breaches

Even if your own cyber security is up to snuff, your organization could be at risk of third-party breaches if your business partners are not as diligent as you are. Verizon just learned this lesson the hard way after one of its vendors, telephonic software and data company NICE Systems, left the information of 14 million Verizon customers on a misconfigured Amazon server.

This incident did not happen in a vacuum. Other recent third-party breaches affecting major organizations include:

• The Republican National Committee (RNC), whose data analytics vendor exposed the data of 198 million voters after leaving it on – you guessed it – a misconfigured Amazon server.
• Trump Hotels, which, along with chains such as Hard Rock and Four Seasons, had its customer data exposed after a breach at its reservations vendor, Sabre Corporation.
• A number of Google employees were also impacted by the Sabre breach because Google’s third-party travel management company used Sabre’s systems – meaning this breach happened at the third-party vendor of a third-party vendor.
• Netflix, which had the upcoming season of its hit series Orange Is the New Black dumped online after a hacker breached a third-party post production house, Larson Studios. It has since been discovered that the hackers got into Larson’s systems by taking advantage of the fact that the company was running an antiquated version of Windows.

Third-Party Breaches Common in the Age of Outsourcing

Once a dirty word, outsourcing is a normal part of doing business in the 21^st century. Organizations of all sizes routinely retain the services of third-party business partners to take care of all manner of functions outside their core competencies, from cloud storage to customer billing to payroll services. Unfortunately, because so many business functions are now outsourced, third-party breaches have more common than primary data breaches; an estimated 63% of all enterprise breaches can be traced back to a third-party vendor.

If one of your vendors gets hacked, don’t expect to be able to point fingers and pass the buck. Even if your business partner makes a colossal mistake, your organization will be the one that’s held responsible by your customers, any affected banks, and regulatory bodies. The infamous Target breach, which cost the company nearly $300 million and shook up its C-suite, involved a third-party vendor.

Protecting Your Organization from Third-Party Breaches

As with primary cyber attacks, the best way to deal with third-party breaches is to prevent them from happening in the first place. While you cannot dictate to your business partners how they should run their firms, as their paying customer, your enterprise is not without recourse:

• Understand your enterprise ecosystem so that you can build risk profiles for all of your business partners. Who are your business partners, and what service does each provide? What level of access do they have to your data and systems?
• Understand who your vendors are subcontracting to and whether they will have access to your data. As in Google’s case, a breach at a third-party vendor used by one of your third-party vendors can come back to haunt your organization.
• Include cyber security provisions in your vendor contracts, including security measures your business partners must take regarding their own vendors.
• Give your vendors the minimum level of access to your systems and data that they need, and no more.
• Only do business with IT services vendors who have released AICPA SOC / SSAE16 reports and/or who have important IT security certifications such as NIST, ISO, or FedRAMP. These organizations have undergone rigorous security audits and have proven their commitment to the highest levels of data security.

Further to the above, if your business provides IT services to other businesses, obtaining the appropriate data security certifications is a wise investment that will help you instill trust in your customers. Continuum GRC’s IT Audit Machine (ITAM IT audit software) RegTech solution empowers organizations to get and maintain compliance the easy way, with self-help modules covering numerous compliance standards, including FedRAMP, SSAE 16, AT 101, CJIS, DFARS, COBIT, ISO 27001, ISO 27002, ISO 27005, SOX, FFIEC, PCI, GLBA, HIPAA, CMS, NERC CIP and other federal and state mandates.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Schedule some time with our Superheroes for a Free Assessment!

The NotPetya attacks weren’t as bad as WannaCry; they were worse, and we all need to start cooperating to prevent the next attack.

It’s looking more and more like last week’s NotPetya malware attacks, which infected computers around the world but hit Ukraine particularly hard, were designed to cause widespread damage and disruption, not make money.

Unlike WannaCry and other ransomware, NotPetya doesn’t just encrypt files; it destroys Windows machines’ master boot record (MBR), doing irrevocable damage to the system. There is no such thing as a key that can restore a destroyed MBR. Additionally, one, lone email address was set aside for victims to pay the “ransom” and receive their de-encryption keys. This address was immediately shut down by the email provider, rendering payment useless. Cyber criminals who truly wanted to collect money would have anticipated this.

NotPetya also has no known “kill switch.” The only way to stop it is to prevent it from infecting your machine in the first place.

NotPetya successfully caused chaos, mostly in Ukraine, where it hit organizations ranging from shipping companies to the infamous Chernobyl plant.

NSA Hack the Gift That Keeps on Giving to Cyber Criminals

Like the recent WannaCry attacks and cryptocurrency mining malware infections, NotPetya exploits the EternalBlue vulnerability found in older versions of MS Windows, the one made public last year after a group calling itself the Shadow Brokers sent a list of stolen NSA hacking tools to WikiLeaks. In the immediate aftermath of the NSA hack, the biggest question arguably was, “If one of the world’s most covert spy agencies can be breached, where does that leave everyone else?” Now, even bigger questions are emerging regarding the NSA’s (or any government agency’s) responsibility for cyber attacks that are committed using the cyber-spy tools it has developed, especially vulnerabilities that it finds but does not disclose to manufacturers. NextGov reports:

NSA, which employs more mathematicians than any organization on Earth, has been collecting these vulnerabilities. The agency often shares the weaknesses it finds with American manufacturers so they can be patched. But not always.

As NSA Director Mike Rogers told a Stanford audience in 2014, “the default setting is if we become aware of a vulnerability, we share it,” but then added, “There are some instances where we are not going to do that.” Critics contend that’s tantamount to saying, “In most cases we administer our special snake bite anti-venom that saves the patient. But not always.”

Everyone Needs to Start Cooperating

In the aftermath of NotPetya, U.S. Representative Ted Lieu (D-CA) sent a written appeal to the NSA, imploring the spy agency to do whatever was in its power to halt NotPetya and to commit to working with tech companies to prevent future attacks. Meanwhile, NATO released a statement declaring that NotPetya “can most likely be attributed to a state actor” and that the WannaCry and NotPetya attacks “[raise] questions about possible response options of affected states and the international community.” In other words, these attacks could be construed as potential acts of war, and everyone needs to start cooperating to defend against them.

A few months ago, an article on ZDNet bemoaned what the author saw as a lack of cooperation on cyber security between organizations in Australia. Allegedly, we here in the U.S. collaborate much better – but do we, really? We’ve got a situation where our country’s top spy agency may or may not share discovered software vulnerabilities with manufacturers, and this lack of disclosure has led to two major cyber attacks in as many months, three if you count the cryptocurrency mining malware attacks.

Clearly, the motive behind NotPetya was to cause real-world disruption of critical infrastructure. Even more concerning, the hackers behind it may have chosen Ukraine as a beta test environment for this new breed of malware, one that seeks not to steal data or lock down files, but to destroy systems beyond repair. The next attack – and there will be one – may be launched on a much larger country, maybe even the U.S., either as a standalone event or in conjunction with a wider-scale, real-world terrorist event.

Preventing cyber attacks isn’t just about losing money and data anymore; it’s about national security. There needs to be cooperation between countries, and within countries, between all organizations, both private and public.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call 1-888-896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

White-Hat Hackers Are Already Being Caught in the Cryptocurrency Regulation Net

Cryptocurrencies have long been associated with cyber crime. The cryptocurrency Bitcoin was the de facto currency of the notorious online black market Silk Road, it remains the preferred payment method on the Dark Net, and the majority of ransomware attacks, including WannaCry, demand payment in Bitcoin. As if cryptocurrency didn’t have enough of a bad rep, shortly after the WannaCry attacks, reports emerged of a new type of cyber attack that may pose an even larger threat than WannaCry: cryptocurrency mining malware, which turns machines into “zombies” to mine a Bitcoin competitor called Monero. It’s no wonder that critics are clamoring for government cryptocurrency regulation.

Cryptocurrencies, in and of themselves, are not nefarious. Many perfectly legitimate businesses accept payment in Bitcoin, and large Wall Street investment firms are betting on a bright future for cryptocurrencies. However, outside the realm of tech enthusiasts, small-government advocates, and cyber security experts, cryptocurrencies are still widely misunderstood – and primarily associated with criminal activity. Ever since Silk Road was taken down, cryptocurrency critics, claiming that the digital currencies are fueling ransomware attacks and other cyber crime, have been calling for governments to implement cryptocurrency regulation, and these calls have grown louder since the WannaCry attacks.

Due to the very nature of cryptocurrencies – unlike fiat currencies, they are not issued or overseen by any central authority – attempts at cryptocurrency regulation have been slow and scattered. Unfortunately, it also appears that they may be harming the “good guys” more than the criminals, as reported in a recent story by CoinDesk. White-hat hacker Vinny Troia found his account on U.S. Bitcoin exchange Coinbase suspended after the exchange flagged his account for engaging in what they considered to be illegal activity, namely, paying ransomware demands and purchasing data from the Dark Net. Problem is, Troia was doing these things on behalf of his clients. Sometimes, Troia told CoinDesk, the best way to find out if a client’s information has truly been compromised, or to determine the scope of a hack, is to buy the data sets in question. Further, while it’s generally advised not to pay ransomware demands, some victims feel that paying up is their best bet; Hollywood Presbyterian Medical Center thought so.

Bitcoin Experts Blame Offshore Cryptocurrency Exchanges

Bitcoin experts and other cryptocurrency enthusiasts, alarmed by experiences like Troia’s and fearing Draconian cryptocurrency regulation, recently told a U.S. House subcommittee that the bulk of the problem lies with unregulated, offshore cryptocurrency exchanges, not those based in the U.S. and Europe, which must already comply with anti-money laundering and “know your customer” laws. However, these exchanges often strategically set up shop in countries where local governments are happy to look the other way and not cooperate with U.S. authorities in exchange for kickbacks.

Another issue hampering cryptocurrency regulation is the rise of next-generation cryptocurrencies such as Monero. While Bitcoin transactions are technically anonymous, the anonymity only stretches so far; all Bitcoin addresses and transactions are recorded on the cryptocurrency’s blockchain, allowing security experts and law enforcement to use blockchain analytics to tie addresses and transactions with users. Monero, on the other hand, uses ring signatures and stealth addresses to provide real, total anonymity.

Proactive Cyber Security Is Still Your Best Bet

Not everyone is against government cryptocurrency regulation. Morgan Stanley claims that government oversight is inevitable if Bitcoin wants to grow and truly go mainstream. But with technology advancing so quickly, the wheels of government moving slowly, and most politicians barely able (if at all) to grasp how the technology that powers cryptocurrencies works, cryptocurrency regulation faces an uphill battle, at best. Even if one technology were banned tomorrow, another one that gets around the new law would undoubtedly replace it. Governments need to tread lightly here, lest new regulations cause more problems than they solve.

Whatever the government decides to do with cryptocurrencies, the best way to cripple cyber crime is for organizations to engage in proactive cyber security practices that prevent hacks from happening in the first place.

The cyber security experts at Continuum GRC have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting your organization from security breaches. Continuum GRC offers full-service and in-house risk assessment and risk management subscriptions, and we help companies all around the world sustain proactive cyber security programs.

Continuum GRC is proactive cyber security®. Call Call +1 (888) 896-6207 to discuss your organization’s cyber security needs and find out how we can help your organization protect its systems and ensure compliance with all applicable laws, frameworks, and standards.

Schedule some time with our Superheroes for a Free Assessment!