Ethereum ICO Hacks Rattle Investors

Ethereum ICO Hacks Rattle Investors

Cryptocurrency Investors on Edge after Two Ethereum ICO Breaches in a Week

Initial Coin Offerings (ICOs) powered by the Ethereum blockchain platform are the hottest thing going right now, but are they secure? On July 24, 2017, the second Ethereum ICO hack in a week hit the news, as digital wallet firm Veritaseum disclosed to Bleeping Computer that a hacker stole approximately $8.4 million from its Ethereum ICO.

Ethereum ICO Hacks Rattle Investors

Ethereum has had a rough month. A week before the Veritaseum hack, cryptocurrency trading startup CoinDash had $7 million stolen from its Ethereum ICO within minutes of the offering being launched. A few days later, smart contract coding company Parity issued a security alert regarding a vulnerability in its wallet software that had led to approximately $30 million worth of Ether cryptocurrency being stolen. In early July, an unidentified hacker or group breached and took control of the web domain belonging to Classic Ether Wallet, redirecting the domain to their own server and transactions to their own account.

What is an Ethereum ICO?

An ICO is similar to an IPO (Initial Public Offering). Investors use regular, or fiat, currency to invest in the ICO, but instead of receiving units of stock in return, they get units of cryptocurrency, called “tokens.” The investors can either hold the tokens until the issuing company decides to buy them back or sell them to other users in exchange for units of cryptocurrency. Any unit of cryptocurrency can be used; in ICOs powered by the Ethereum blockchain, the cryptocurrency used is called Ether. If all goes well, the cryptocurrency will increase in value, and the investors will profit off their tokens.

Unlike IPOs, initial coin offerings are completely unregulated. This has made them very attractive to disruptive tech startups that wish to bypass the highly regulated IPO process required by banks and venture capitalists. Ethereum ICOs have become extremely popular due to the power of the Ethereum blockchain platform they run on. Unlike competitor Bitcoin, Ethereum is far more than just a cryptocurrency platform; it was designed to be a virtual machine that uses what are called “smart contracts,” or decentralized, self-executing agreements coded into the blockchain itself. Smart contracts are a disruptive technology with enormous potential to replace all manner of traditional financial, social, and legal agreements, from options contracts to bonds, which is one reason why Ethereum is quickly becoming the ICO platform of choice.

Are Ethereum and ICOs Safe?

Because they are unregulated, ICOs are risky. There is no requirement for companies to provide the voluminous investor disclosures that they would have to for an IPO. There are fears that ICOs could be used for money laundering purposes or that the issuers themselves could “hack” their own ICOs and steal tokens. These problems have not escaped the attention of the SEC, which is reportedly eyeing the ICO market warily in preparation for future regulations. Update: After this article went to press, the SEC, NFA finally weighed in on ICOs, declaring them “securities” and paving the way for regulation.

As to the inherent cybersecurity of Ethereum, Ether wallets, and ICOs launched on the Ethereum platform, it is important to note that, as in the SWIFT Network attacks that rocked the international banking world last summer, the Ethereum blockchain itself was not breached during any of these attacks. Instead, in each case, hackers took advantage of website vulnerabilities or coding errors in third-party tools built to make use of the Ethereum blockchain, such as Ether wallets. The blockchain, in and of itself, is very, very secure – it would take massive amounts of computing power to even attempt to hack it – but the applications used to access it, including those used to buy, sell, and store tokens and cryptocurrency, may not be. The Parity breach, for example, was traced back to a single missing word in a line of code for its Ether wallet. The CoinDash and Classic Ether Wallet breaches were the fault of security holes in the issuers’ company websites.

Although cryptocurrency investors are concerned about the recent spate of Ethereum ICO attacks, only time will tell whether they’re rattled enough for permanent damage to be done to the ICO craze. Certainly, anyone who is considering investing in an ICO, regardless of which platform it is being run on, should tread carefully. The lesson all enterprises can take from these hacks is the importance of website security, secure software development, and proactive cyber security and GRC practices in a digital world where most money, including fiat currency, is moved and stored electronically.

After all, just one missing word in a software program resulted in a $30 million loss.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Get Ready for Greater SEC, NFA Cyber Security Enforcement

SEC, NFA cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs

SEC, NFA cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs

Public companies and firms operating in regulated industries, especially finance, should expect more SEC, NFA cyber security enforcement in the wake of new and emerging threats, like WannaCry and NotPetya, as well as the appointment of two new cyber-minded enforcement chiefs. Reuters reports:

SEC, NFA cyber security enforcement is set to intensify in light of recent global attacks and new enforcement chiefs

On Thursday, the U.S. Securities and Exchange Commission named Stephanie Avakian and Steven Peikin as new co-directors of enforcement.

In an exclusive interview ahead of the formal announcement, the two said they were deeply concerned about cyber threats and see the topic as a major enforcement priority.

“The greatest threat to our markets right now is the cyber threat,” said Peikin, who was still wearing a guest badge because he has not yet received his formal SEC, NFA credentials yet. “That crosses not just this building, but all over the country.”

The SEC, NFA has started to see an “uptick” in the number of investigations involving cyber crime, as well as an increase in reports of brokerage account intrusions, Avakian said. As a result, the agency has started gathering statistics about cyber crimes to spot broader market-wide issues.

This follows on the heels of a risk bulletin the SEC, NFA released in response to the WannaCry attacks, urging broker-dealers, investment advisers, and investment companies “to assess industry practices and legal, regulatory, and compliance issues associated with cybersecurity preparedness.” The bulletin directed readers to a website established by the Financial Industry Regulatory Authority (FINRA), a self-regulatory organization overseen by the SEC, that provides numerous cyber security tips and resources.

Cyber Security Problems Uncovered During Regulatory Exams

Also contributing to the new SEC, NFA cyber security focus are widespread security lapses the SEC, NFA found during recent regulatory exams at financial companies, including:

  • Unauthorized disclosures of personally identifiable information (PII).
  • Issues with phishing emails; employees were found to click on suspicious attachments more than 20% of the time.
  • Third-party wires not being properly authenticated.
  • Organizations not conducting periodic risk assessments, penetration tests, and vulnerability scans.

Penalties for non-compliance with SEC, NFA cyber security standards can be severe. Last June, the agency fined Morgan Stanley Smith Barney LLC $1 million for failing to sufficiently secure its systems to prevent a breach; sanctioned Craig Scott Capital LLC for $100,000 for using non-firm email addresses to receive faxes; and made R.T. Jones Capital Equities Management Inc. pay $75,000 for “failing to implement proper cyber policies” after the firm was breached.

Financial firms aren’t the only ones on the SEC’s radar. Law360 reports that the SEC, NFA is investigating Yahoo for its numerous data breaches.

Sound GRC Practices Will Keep Your Organization on the SEC’s Good Side

A panel held at the recent 2017 FINRA Annual Conference discussed five best practices organizations should adopt to prevent cyber attacks and maintain compliance with both FINRA and SEC, NFA cyber security standards: governance, risk assessment, cyber security training, access management, and vendor management.

Some organizations, especially small and medium-sized businesses, struggle with the cost and time commitment that proactive cyber security and GRC require. To slash the time and money companies must devote to cyber security, Lazarus Alliance utilizes the Continuum GRC IT Audit Machine (ITAM), a proprietary RegTech software package with user-friendly self-help modules, including modules for the FINRA SEC, NFA Cyber Security Report Card and the FINRA Small Firm Cybersecurity Checklist. ITAM saves money, simplifies the compliance process, eliminates audit anarchy, and speeds up the GRC assessment and reporting processes by 180%.

The cost of cyber attacks and non-compliance penalties are much higher than preventing attacks and maintaining compliance in the first place.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Outsourcing Can Help Bridge the Cyber Security Skills Gap

The cyber security skills gap is real and growing; there simply aren’t enough cyber security employees to go around.

The cyber security skills gap is real and growing; there simply aren’t enough cyber security employees to go around.

Cyber crime is rapidly escalating, and board rooms are taking notice. KPMG’s 2017 U.S. CEO Outlook survey shows cyber security risk to be among CEOs’ top concerns, yet only 40% of them feel that their organizations are fully prepared to handle a cyber attack. This isn’t surprising in light of the very serious – and worsening – cyber security skills gap. The cyber security unemployment rate was zero in 2016, and it’s expected to remain there until 2021. Coincidentally, that’s the same year by which Cybersecurity Ventures predicts there will be 3.5 million unfilled cyber security jobs.

The cyber security skills gap is real and growing; there simply aren’t enough cyber security employees to go around.

Small and medium-sized firms are being hit the hardest by the cyber security skills gap, as the short supply of qualified talent is quickly snapped up by multinational firms that can afford to pay the high salaries and provide the “Cadillac” benefits and perks that this talent has the power to demand. The situation is expected to worsen in light of New York’s new cyber security law, which requires finance and insurance firms operating within the state to hire CISOs and “qualified cyber security personnel.”

Governments and private-sector organizations are wringing their hands over how to deal with the problem. The mayor of New York City has announced a plan to invest $30 million in in cybersecurity training, academic research, and development labs, with the goal of creating 10,000 new cyber security jobs over the next decade. IBM has launched what it’s calling a “new collar” jobs initiative to train both students and older workers in cyber security.

Outsourcing the Best Way to Immediately Bridge the Cyber Security Skills Gap

In light of the cyber security skills gap, the best option for most organizations is to outsource their cyber security functions to a reputable cyber security provider such as Lazarus Alliance. Our Cybervisors® service allows organizations of all sizes to immediately retain the services of the best and brightest subject matter experts in cyberspace law, cyber security, risk assessments and management, audit and compliance, governance and policies, and more.

In addition to getting the help you need right away, there are many other benefits to outsourcing your enterprise’s cyber security functions, including:

  • Significant cost savings. It is almost always less expensive to outsource cyber security than to hire and maintain a security team full-time in-house. Even outsourcing just part of your cyber security functions, such as compliance, could result in significant savings.
  • Allows you to focus on your business’ core competency. Most likely, you don’t hire in-house staff to handle your own legal matters or do your own taxes. You realize that law and accounting are not part of your core competency, so you outsource those functions to attorneys and accountants. (Along the same lines, you probably outsource your building security to a security firm!) Using this logic, why would your firm handle its own cyber security? Outsourcing this function to a professional frees up monetary and human resources that can be used to create, innovate, and drive your business.
  • Allows you to access a level of expertise most companies don’t have internally. Cyber security is a highly specialized field, and the skill set it requires is quite different than those in other IT areas. It’s also highly dynamic, with new technologies and threat vectors emerging daily. Our Cybervisors® focus on only one thing: cyber security. They are highly experienced in this field, they are immersed in it, and they engage in continuous education to stay abreast of the cyber threat landscape.

Initiatives like the ones New York City and IBM have launched are positive steps in the direction of bridging the cyber security skills gap, but training new cyber security professionals takes time, and organizations need help right now. Your organization can’t wait 10 years, or even six months, to get the security help it needs, at a price it can actually afford. The cyber security skills gap is here for the long-haul, and outsourcing is the best way to handle the problem right now.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.