The 2017 Verizon Data Breach Report Reveals that Hackers Aren’t Just After Payment Cards and Identities Anymore

Cyberespionage is a growing problem, especially in the manufacturing industry, professional services, education, and the public sector, according to the 2017 Verizon Data Breach Report, which was released last week. While hackers are still after credit card numbers, employee tax data, health records, and other sensitive personal information, they’ve discovered that targeting intellectual property, company secrets, and even state secrets can be quite lucrative.

Almost as if on cue, around the same time the Verizon Data Breach Report was released, online entertainment provider Netflix fell victim to intellectual property theft. A hacker or group identifying itself as “TheDarkOverlord” demanded a ransom and threatened to publicly release episodes of the upcoming season of the Netflix original series Orange Is the New Black, which had been scheduled to be released [to paying subscribers] on June 9. Netflix refused to pay up, and TheDarkOverlord dumped 10 episodes (or at least, what appear to be 10 episodes) online. Because the hacker or group accessed the material by compromising a post-production facility utilized by several major television studios, other networks will likely be targeted in the weeks and months to come; in fact, TheDarkOverlord has already Tweeted as such:

https://twitter.com/tdohack3r/status/858893194297315328

Intellectual Property Especially Vulnerable in the Digital Age

In the digital age, companies are in possession of more intellectual property than ever before. In addition to product prototypes, patents, market research data, and sales lists, many companies develop proprietary software and mobile apps to gain a competitive edge. Casinos, for example, pour millions into the development of gaming software, and as consumers demand to watch television series and movies online, entertainment companies are investing heavily in content-delivery technologies.

The Verizon Data Breach Report notes that 90% of cyberespionage attacks are launched by “state-affiliated groups.” While most people might assume these groups are primarily targeting the public sector in search of state secrets, private-sector companies are not immune from cyber spycraft; cyberespionage is the top cyber threat facing the manufacturing industry, far eclipsing all other forms of hacking, and 90% of the data stolen consists of company secrets.

Why would state actors be interested in hacking a manufacturing company? Private-sector firms have long been targets of spycraft on the part of foreign agents who wish to steal cutting-edge technology for use in their own countries. A recent plotline on the FX spy drama The Americans, which is set during the Cold War, involved Soviet spies infiltrating an agricultural company to steal samples of a new pest-resistant wheat crop for the KGB. The Verizon report implies that not much has changed since the series’ fictional spies’ time, noting that education institutions are increasingly being targeted by state actors and theorizing that this is because “[c]olleges are centers of innovation and are building technologies” that are of great interest to foreign governments.

While intellectual property theft by disgruntled current or former employees or competitors isn’t as common, it’s costly when it happens. It’s estimated that the Houston Astros MLB team lost $1.7 million after an employee of a competing team hacked their database, stealing confidential scouting and trade information. While it’s unknown at this juncture how much Netflix stands to lose from the theft of Orange Is the New Black, industry experts are already wondering if the company will be forced to release the next season early just so they can hope to compete with the “free” version provided by TheDarkOverlord.

How Are Hackers Getting In, and How Can Companies Stop Them?

The Verizon Data Breach Report found that the typical cyberespionage attack starts like most others do: An unsuspecting employee clicks on a malware-infected file attached to a phishing email. Once the malware is installed, a cyber spy can use it to steal legitimate login credentials and get into the organization’s system, where they can remain undetected for days, weeks, even months.

The best defense against phishing emails is to implement proactive cyber security procedures to prevent employees from being phished in the first place. The Verizon report suggests installing anti-malware protection at the email gateway, keeping software and operating systems up to date, implementing network segmentation and multi-factor authentication, security awareness training for all employees, and having a system in place where employees can immediately report suspected phishing emails to security personnel.

Any company that owns, or is perceived to own, useful or valuable intellectual property or competitive information is at risk of having it stolen. Verizon’s report illustrates that it’s just as important to protect intellectual property data as it is to protect payment card, customer, and employee data.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

Yahoo Is Trying to Pass the Buck, but Data Breach Responsibility Starts at the Top

Who should be held responsible when a company’s systems get breached? Historically, the CIO, the CISO, or both have shouldered the lion’s share of data breach responsibility; well over half of security decision-makers expect to lose their jobs if a hack happens at their organizations. However, breaches don’t happen in vacuums, and CIOs and CISOs don’t operate in them, either. Many CIOs report directly to the CEO, and some security experts feel that CISOs should be elevated to the same reporting level.

Whatever an organization’s reporting structure, the bottom line is the same: the responsibility for everything that happens within the organization, positive or negative, ultimately falls on the CEO and the board of directors. This includes data breach responsibility. This has been reflected in the numerous CEO firings (or “resignations”) that have followed bad breaches over the past few years, including those at Target, Sony Pictures, and the Democratic National Committee.

Apparently, Yahoo didn’t get the memo about this. After years of poor cyber security practices caught up with them, resulting in multiple breaches affecting over a billion user accounts, putting its acquisition by Verizon into question, and making the Yahoo brand name synonymous with the phrase “data breach,” the company decided to fire … its General Counsel, Ron Bell. Shockingly, CEO Marissa Mayer remains in place, albeit with a pay cut.

In Yahoo’s case, the CISO and the rest of the security staff couldn’t be fired. Fearing that a major security incident would eventually happen, they’d already run for the hills. The New York Times reported that former CISO Alex Stamos and his team had spent years warning Mayer of potential security issues, but Mayer insisted on putting “the user experience” ahead of cyber security and even cut the team’s budget.

Preventing Breaches Is Everyone’s Responsibility

Cyber security isn’t just an IT issue. It impacts every individual and department in an organization, from the board of directors all the way down to minimum-wage clerical and retail employees. The overwhelming majority of data breaches originate inside an organization, either because a negligent or untrained employee makes a mistake or a malicious insider decides to strike back against the company. No cyber security policy is complete unless it addresses the human factor behind data breaches by promoting a culture of cyber security awareness. This culture must start at the top of the organization; if the board, the CEO, and the rest of the C-suite do not take security seriously, front-line employees certainly won’t.

Yahoo’s firing of Ron Bell has shaken up the legal community and is causing much debate over where data breach responsibility ultimately lies. While this may serve to light a fire under organizations with questionable cyber security practices, the focus should not be on whose heads will roll if a breach happens; it should be on implementing proactive cyber security and compliance measures to prevent hacks from happening in the first place.

As for Yahoo, the company is now looking at a possible worldwide class-action lawsuit alleging security issues dating back as far as 2003. Should the suit proceed, we’ll see what the courts have to say about data breach responsibility.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.

The word “ransomware” has become synonymous with the healthcare industry, but government ransomware attacks are a growing threat.

Over the past year, the healthcare industry has been battered by an epidemic of ransomware attacks. The problem has become so ubiquitous that it is making their way into works of fiction: A ransomware attack on a hospital in a major city is the focus of an upcoming episode of the NBC drama Chicago Med. However, a new study by security ratings firm BitSight reveals that the number-one target for ransomware is the education industry, followed by the government sector. In fact, BitSight reports, government ransomware attacks have tripled over the past 12 months.

Among the recent high-profile government ransomware attacks that have grabbed headlines:

• In January, hackers installed ransomware on a police closed-circuit surveillance camera network in Washington, D.C., disabling 70% of the cameras only eight days prior to President Donald Trump’s inauguration.
• In March, ransomware disabled the IT network used by the Pennsylvania State Democratic Caucus, locking 16 senators and their staff out of the system and throwing the caucus’ website offline.
• In late January, several local government offices in Ohio were hit by ransomware, including a county police force and 911 center, forcing the 911 center to operate in manual mode and lengthening emergency response times.
• A new twist on government ransomware has recently been targeting public sector organizations in the Middle East; instead of being instructed to pay a ransom to unlock their networks, victims are being extorted to post inflammatory public statements against various political figures.

Why the Public Sector is Being Targeted

Government agencies are attractive ransomware targets for many of the same reasons medical facilities and schools are. Their networks store and process reams of highly sensitive data; public sector employees suffer from the same lack of security training and awareness that plague the private sector; and an inability to access a government network could put people’s lives at stake, as in the case of the 911 center in Ohio.

Government bureaucracy exacerbates the problems. While it may not be easy for IT personnel at a private-sector corporation to convince the C-suite they must invest in cyber security improvements – just ask anyone who worked at Yahoo! – nailing down an appropriate security budget can be even more difficult at a government agency. Not only must public-sector IT employees argue their case to their bosses, but also, the general public, the taxpayers whose money will be used to fund these improvements, have to be convinced. As the Pew Research Center recently found, very few Americans have even a fundamental grasp of cyber security risks and best practices, creating a situation where elected figures are asking their constituents to fund services they do not fully understand and may not see a need for. The government machine also tends to move very slowly; public sector agencies have always been notorious for being years behind the private sector in adopting new technologies.

Not surprisingly, BitSight ranks the government sector second-to-last in its security ratings.

Cyber Security is Not a Partisan Issue

There are some bright spots in the fight against government ransomware and other cyber attacks against the private sector. Virginia Governor Terry McAuliffe (D) has made cyber security the focal point of his chairmanship of the National Governors Association. The association’s winter meeting in February put a heavy emphasis on the need for state and federal governments to work together to improve their cyber security postures.

Government ransomware attacks are not a partisan issue, and there is no such thing as an agency that is “too small” to be victimized. A series of small cyber attacks could be employed by terrorists to create confusion and distraction as part of a much larger real-world terrorist attack. Attacks against the public sector, whether a federal government agency or a local police department, are a matter of public safety. They are everyone’s problem. Waiting until an attack happens and attempting to clean up the mess doesn’t work in the private sector, and it certainly doesn’t work when critical infrastructure such as a 911 system is hampered or disabled. Government agencies of all sizes must take the ransomware threat seriously and employ proactive cyber security measures to prevent their systems from being victimized.

The cyber security experts at Lazarus Alliance have deep knowledge of the cyber security field, are continually monitoring the latest information security threats, and are committed to protecting organizations of all sizes from security breaches. Our full-service risk assessment services and Continuum GRC RegTech software will help protect your organization from data breaches, ransomware attacks, and other cyber threats.

Lazarus Alliance is proactive cyber security®. Call 1-888-896-7580 to discuss your organization’s cyber security needs and find out how we can help your organization adhere to cyber security regulations, maintain compliance, and secure your systems.