Cybercrooks’ preferred path to critical data is through privileged accounts, those held by users who have broad access and powers within the target’s network.

That’s according to a recent survey conducted by the cybersecurity firm Thycotic at the recent Black Hat conference in Las Vegas, reported Infosecurity Magazine.  About a third of respondents named privileged accounts the fastest and easiest path to critical data, while user email accounts were a close second at 27 percent.

Some 85 percent said human error, not inadequate security or unpatched software, was most to blame for security breaches.

Hackers’ biggest headaches? Multifactor authentication and encryption, according to the survey.

 

 

 

 

 

A German cybersecurity firm reports that manufacturers have become a top target of cybercriminals.

The NTT Security Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report for the second quarter of 2017 notes that manufacturers were targeted in 34 percent of incidents, the highest of any industry segment. About a third of those incidents involved “reconnaissance” which suggests the industry is still in hackers’ sights. “If trends from the past few years continue, this probably indicates that attacks and malware are likely to increase in manufacturing organizations in the second half of 2017,” according to the report.

The report also noted a 24 percent increase in attacks on NTT clients in the second quarter and that cyber criminals go-to attack vector has been “phishing emails with malicious attachments containing PowerShell commands in VBA macros.”

Read the full report.

Computer networking giant Cisco says the recent WannaCry and Petya/NotPetya incidents signal the advent of a new generation of cyberattacks that is aimed more at mass disruption than financial gain. The new breed of “Destruction of Service” attacks will only grow more sophisticated and potent, the company says in its Cisco 2017 Midyear Cybersecurity Report.

The report warns that cybercriminals “now have the ability—and often now, it seems, the inclination—to lock systems and destroy data as part of their attack process.” The report, released July 20, also lays out new threats posed by the growing network of connected devices known as the “Internet of Things” and examines’ hackers’ continued use of Business Email Compromise (BEC) attacks, which it says accounted for $5.3 billion in cybertheft between 2013 and 2016.

Venerable insurer Lloyd’s of London says a global cyber attack on a major provider of cloud services could carry costs of up to $53 billion, reports Data Breach Today.

That’s a hefty price tag that explains the rising demand for cyber insurance. It also sheds light on why insurers are proceeding extremely carefully. The costs of a major data breach can be significant and difficult to predict.

To help define the level of exposure, Lloyd’s worked with cyber consultant Cyence to produce a new report that outlines the direct economic costs of two types of global cyber attacks and estimates the portion of the loss in each scenario that would covered by insurance. In the case of a cloud services attack, only 17 percent of the loss would be insured, Lloyd’s estimates. In the case of a global attack exploiting a software vulnerability, only 7 percent of the estimated loss of up to $28 billion would be assured.

Analysts estimate the cyber insurance market is worth up to $3.5 billion today and could grow to $7.5 billion by 2020.

Yesterday, a massive ransomware attack now known as “Petya” spread across the globe in a similar fashion to the WannaCry cyberattack in May. In an Alert today, Fox Chief Privacy Officer and Partner Mark McCreary breaks down what we know about the attack, how to address it if your organization falls victim to it, and how to minimize the risks of future attacks:

Yesterday’s worldwide cyberattack once again exploited a vulnerability that has been known to experts for many months. These attacks are sure to continue and the best defense is knowledge. Awareness of how malware works and employee training to avoid the human error that may trigger an infection can prevent your organization from becoming a victim.

This latest ransomware variant, referred to as “Petya,” is similar in many respects to the “WannaCry” ransomware that affected hundreds of thousands of computers in mid-May, using the same Eternal Blue exploit to infect computers. The purpose of this Alert is to provide you some information believed or known at this time.

How Is a Computer Infected?

Experts believe the Petya malware is delivered in a Word document attached to an email. Once initiated by opening the Microsoft Word document, an unprotected computer becomes infected and the entire hard drive on that computer is encrypted by the program. This is notably different from WannaCry, which encrypted only files.

Once Petya is initiated, it begins seeking other unprotected computers in the same network to infect. It is not necessary to open the infected Microsoft Word document on each computer. An infection can occur by the malware spreading through a network environment.

To read Mark’s full discussion of the Petya attack, please visit the Fox Rothschild website.

Mark also notes that “I continue to stress to clients that in addition to hardening your IT resources, the absolute best thing your business can do is train employees how to detect and avoid malware and phishing.  In-person, annual privacy and security training is the best way to accomplish this.”

Yesterday we witnessed new ransomware spread across the world with incredible speed and success, bringing businesses to their knees and home users learning for the first time about ransomware and why computer backups are so important.

With over 123,000 computers infected, experts believe the “WannaCrypt/WannaCry/WCry” attacks have stopped after researchers registered a domain that the software checks before encrypting.  However, nothing is stopping someone from revising the software to not require that check and releasing it into the wild.  In other words, do not expect the infections to stop.

To battle the malicious software, Microsoft took the highly unusual step of issuing updates for versions of Windows that have reached their end of life and otherwise are not supported (e.g., Windows XP, Windows 8, and Windows Server 2003).  WannaCrypt/WannaCry/WCry did not even try to target Windows 10 machines, but that does not mean Windows 10 machines cannot be affected and encrypted by the ransomeware.  The blog describing Microsoft’s efforts can be found here and is worth reading.  Although your business may normally take a wait and see approach to software updates to avoid conflicts with other programs, this is a situation you should fast track that process.

If there is any silver lining here, it is that it may lead to more organizations to focus harder on computer security and efforts to battle malicious attacks similar to WannaCrypt/WannaCry/WCry.  Having seen first hand from clients the panic and feeling of helplessness caused by WannaCrypt/WannaCry/WCry in mere hours, it seems likely that companies are starting to better understand the risk, loss of productivity and costs that can be associated with a ransomware attack.

Below is a screenshot of the WannaCrypt/WannaCry/WCry software on an infected machine.  (Note the financial aid offer in the last line of the “Can I Recover My Files?” paragraph.  The bad guys must have a public relations firm!)

wannacrypt

With tax season in full swing, a different season is impacting businesses across all industries: “phishing season.”

Phishing scams
Copyright: fberti / 123RF Stock Photo

“Phishing” or “spear phishing” refers to cyberattack scams that target certain individuals within an organization with the hope of gaining access to valuable information.

These scams take advantage of the busy tax season, the desire to promptly respond to purported upper management and social engineering employees in order to target and trick only employees with immediate access to sensitive employee data. These scams have spread to a variety of for-profit sectors and even nonprofits and school districts.

Spear phishing attacks are virtual traps set up by criminals who, in this case, send emails to employees that appear to come from actual upper management. Typically, they are well-written and look authentic. Usually, there is some explanation or pressing reason offered for why personal information is required. The targets have increasingly become payroll and human resources personnel with the goal of stealing employees’ W-2 information during tax season.

Roughly 100 businesses with more than 125,000 employees were victims of phishing scams last year. This year has already seen a dramatic increase in phishing scams, as approximately 80 businesses have already been targeted during tax season. These are only the businesses that reported phishing scams, and the real number is certainly dramatically larger.

The IRS has previously stated that tax season is likely partly responsible for this surge in phishing emails. Last year, the IRS issued an alert to payroll and human resources professionals about emails purporting to be from company executives requesting employees’ personal information.

“Now the criminals are focusing their schemes on company payroll departments,” said IRS Commissioner John Koskinen. “If your CEO appears to be emailing you for a list of company employees, check it out before you respond. Everyone has a responsibility to remain diligent about confirming the identity of people requesting personal information about employees.”

The IRS bulleted some of the requests contained in these fake emails:

  • Kindly send me the individual 2015 W-2 (PDF) and earnings summary of all W-2 of our company staff for a quick review.
  • Can you send me the updated list of employees with full details (name, social security number, date of birth, home address, salary).
  • I want you to send me the list of W-2 copy of employees wage and tax statement for 2015, I need them in PDF file type, you can send it as an attachment. Kindly prepare the lists and email them to me ASAP.

No organization is immune during phishing season. Last year a large social media provider issued an apology and offered two years of identity theft insurance and monitoring after one of its workers inadvertently released sensitive company payroll information to a criminal. The unidentified employee opened an email that appeared to be from the victim company’s CEO. Although none of the company’s internal systems were breached and no user information was compromised, hundreds of employees had their personal information exposed to the public.

The FBI has also warned the public and has published suggestions to avoid becoming a victim during phishing season, including:

  • Keep in mind that most companies, banks, agencies, etc., don’t request personal information via email. If in doubt, give them a call (but don’t use the phone number contained in the email — that’s usually phony as well).
  • Use a phishing filter. Many of the latest web browsers have them built in or offer them as plug-ins.
  • Never follow a link to a secure site from an email. Always enter the URL manually.
  • Don’t be fooled (especially today) by the latest scams.

The Minnesota Department of Revenue recently announced its excellent Stop. Connect. Confirm. program. From the Department of Revenue’s announcement:

When a request for private/sensitive information is made, Stop. Connect. Confirm.

  1. Stop – Stop for a moment before complying with the request and sending that information.
  2. Connect – Connect with the person who sent you the request by phone or by walking over to see them. Do not respond to the email to get confirmation of the sender’s identity. The sender may be a criminal who has disguised his or her identity by spoofing your colleague’s email address.
  3. Confirm – Confirm with the executive requesting the information that the request is legitimate.

Businesses can download and print this poster and display it in their human resources and payroll departments to remind employees to Stop. Connect. Confirm. if a request for employee personal information is made.

If your employer notifies you that your W-2 or other personal information has been compromised:

  • Review the recommended actions by the Federal Trade Commission at www.identitytheft.gov or the IRS at www.irs.gov/identitytheft.
  • File a Form 14039, Identity Theft Affidavit if your tax return is rejected because of a duplicate Social Security number or if instructed to do so by the Internal Revenue Service.

More of these attacks should be expected as tax season, and phishing season, continue, so organizations should be vigilant about ensuring that all employees are aware about phishing scams.

On March 15, Fox Rothschild partner Scott Vernick will participate in a panel discussion on Developments in Data Privacy & Security as part of the 2017 Argyle Chief Legal Officer Leadership Forum. The Forum will take place from 8 a.m. to 5 p.m. at the Convene Conference Center at 730 3rd Ave in New York City.

Scott L. Vernick, Partner, Fox Rothschild LLPScott and his fellow panelists will discuss the evolution of the GC role to include cybersecurity and data privacy, how cybersecurity fits into an organization’s risk management structure, as well as proactive risk assessments GCs can use to identify and prioritize critical assets and data for their business. Attendees will also receive information on new regulatory challenges, how GCs can best collaborate with and advise other organization leaders on the topic of cybersecurity, and working with outside counsel on these and related issues. The panel discussion is scheduled from 10:10 a.m. to 11:00 a.m.

To register for the event, please visit the Argyle Forum event page.

The “new age” of internet and dispersed private data is not so new anymore but that doesn’t mean the law has caught up.  A few years ago, plaintiffs’ cases naming defendants like Google, Apple, and Facebook were at an all-time high but now, plaintiffs firms aren’t interested anymore.  According to a report in The Recorder, a San Francisco based legal newspaper, privacy lawsuits against these three digital behemoths have dropped from upwards of thirty cases in the Northern District of California i 2012 to less than five in 2015.   Although some have succeeded monumentally—with Facebook writing a $20 million check to settle a case over the fact that it was using users’ images without their permission on its “sponsored stories” section—this type of payout is not the majority.  One of the issues is that much of the law in this arena hasn’t developed yet.  Since there is no federal privacy law directly pertaining to the digital realm, many complaints depend on old laws like the Electronic Communications Privacy Act and Stored Communications Act (1986) as well as the Video Privacy Protection Act (1988).  The internet and its capacities was likely not the target of these laws—instead they were meant to prohibit such behavior as tapping a neighbor’s phone or collecting someone’s videotape rental history.

Further, it seems unavoidable now to have personal data somewhere somehow.  Privacy lawsuits attempting to become class actions have a difficulty in succeeding in a similar way that data breach class actions do: the plaintiffs face the challenge of proving concrete harms.  In a case later this year, Spokeo v. Robins, the Supreme Court may change this area of law because it will decide whether an unemployed plaintiff can sue Spokeo for violating the Fair Credits Reporting Act because Spokeo stated that he was wealthy and held a graduate degree.  The issue will turn on proving actual harm.  Companies that deal with private information on a consistent basis should protect themselves by developing privacy policies that, at the very least, may limit their liability.   The reality is that data is everywhere and businesses will constantly be finding creative and profitable ways to use it.

To keep up with the Spokeo v. Robins case, check out the SCOTUSblog here.

http://www.scotusblog.com/case-files/cases/spokeo-inc-v-robins/

Copyright: argus456 / 123RF Stock Photo
Copyright: argus456 / 123RF Stock Photo

Fox Rothschild partner Scott L. Vernick was quoted in The New York Times article, “Hacking Victims Deserve Empathy, Not Ridicule.” Full text can be found in the September 2, 2015, issue, but a synopsis is below.

While some data breach victims may face only minor frustrations – changing a password or getting a new credit card – it is a different story for the more than 30 million Ashley Madison users who had their accounts for the infidelity website compromised.

Many of the victims of this latest massive data breach have been plunged into despair, fearing they could lose jobs and families, and expecting to be humiliated among friends and colleagues.

“It’s easy to be snarky about Ashley Madison, but just because it’s unpopular or even immoral, it doesn’t mean this sort of activity shouldn’t be protected,” said Scott L. Vernick, a noted privacy attorney. “This gets at fundamental issues like freedom of speech and freedom of association – today it’s Ashley Madison, tomorrow it could be some other group that deserves protection.”