The Elephant in the Room - Election Security

The recent revelation by the Senate Intelligence Committee concluded that election systems in all 50 states were targeted during the 2016 election by Russian operatives. This should come as no surprise considering 2016 was likely only a reconnaissance mission. The stage is set for deeper and more insidious intrusions to grow over time without significant investment in election security. 

We need to acknowledge that the technologies that give us unprecedented access to one another through constant news updates, let us control our home appliances and, yes, even let us vote are all lucrative targets, both for individual hackers looking to make money and for state agencies wishing to sow discord. In many ways, our greatest technological achievement of the past half-century has also become our Achilles' heel.

The sad fact is that the perpetrators don't necessarily have to do much more than claim to have accessed those systems to create distrust in the security of the election system. Without changing a single vote, the mere claim of access creates doubt and uncertainty about the outcome of the election. On top of that, the reality is that the majority of potential paths to a successful intrusion can be prevented with security enhancements that exist in the market today.

Election interference has the potential to do more than just throw results into doubt; it could also destabilize our democracy as we know it. In an age of misinformation, foreign-state-sponsored propaganda and doubt, one of the few things Americans are able to count on is the legitimacy of our elections. Without appropriate attention and investment, that will be thrown into question as well, something we simply can't afford in the current climate.

Fortunately, there are a series of common-sense steps we can take to increase our election security and strengthen our system. First, a uniform standard needs to be adopted for the security of voting machines and the networks on which they operate. A good baseline is the NIST Cybersecurity Framework, which is widely considered to be the gold standard for security in the industry. A 2002 law, HAVA (the Help America Vote Act), tasked NIST with creating voluntary guidelines for election machine security. While not as comprehensive as the Cybersecurity Framework, at a minimum these guidelines must be made mandatory.

Secondly, voting machine manufacturers must be held to a higher standard. Since 2016 we have seen multiple instances of manufacturers recommending that officials set up voting machines with less than optimal security practices. This must change, not only in terms of the security controls they recommend but also the ones they implement on their own networks. Supply chain security is critical. Default passwords, insecure networks, and a lack of security consciousness are not acceptable for companies that work on critical election infrastructure.

Finally, these rules and practices must be enforced just as rigorously and with as much emphasis as other security regulations such as PCI, HIPAA, HITECH, NERC, and FERC among others. The sanctity of our elections is too important for anything less. We have the tools, technology, and knowledge to solve the problem - now all that is required is the will. As a society, we have all been taught to treat emails, downloads, and phone calls with some modicum of suspicion. If we lose the integrity of our elections we will be forced to treat them with the same misgivings. 



Choose a Partner, not a Vendor

Choosing technology vendors for your MSP can be a challenging endeavor. Vendors tend to be full of grand promises of partnership, simplicity, and lead generation. Unfortunately, in many cases, once the contract is signed these promises quickly morph into monthly high-pressure sales calls. So how do you go about selecting vendors who will treat you as a partner rather than a customer? Below are five questions you can ask to help discern a dependable partner-focused vendor from those that see your MSP as nothing more than a line item on their P&L. 

 

1. What benefits does my MSP receive?

This is the most critical question to ask a prospective vendor. A vendor with any experience in the Managed Service Provider market should have a well thought out partnership program with numerous benefits. At a minimum, these should include: 

 

  • Lead generation and referral
  • Training and implementation assistance
  • Webinars and in-person events
  • An NFR (not for resale) license to test out the product
  • A sounding board that is not tied to a consulting cost
  • Co-branded marketing that is not tied to a quota

 

2. Do you set minimum quotas for your partners?

Unfortunately, in the MSP vendor space, many companies have taken to setting minimum quotas for their MSP partners. Even if these quotas are easy to meet at first, this can cause significant problems down the road, particularly in the event of a recession or other unforeseen event that disrupts the sales lifecycle. We recommend choosing vendors when possible that are flexible and willing to work with your MSP, rather than mandate targets. 

 

3. Do you allow a transfer of licenses?

In some cases, you may purchase a license from a vendor, only for the client you bought it for to go out of business or choose a different MSP. A flexible partner-focused vendor should allow you to transfer this license to a current paying customer. The last thing you want is to be stuck paying monthly for a license that is no longer generating revenue. Additionally, a vendor that is reluctant to allow you to transfer licenses is likely to be more revenue than partnership focused, which could mean a bad fit for you. 

4. Can you provide references from other happy MSP customers? 

Any experienced MSP vendor should be able to point to numerous success stories from working in the Managed Services market. If they fail to do this when asked, or attempt to demur, this may be a strong indication that they would make a weak partner. A lousy vendor can cause just as much trouble for your MSP as a bad hire, if not more.

 

5. How is your product priced? 

Implementation Fees, Onboarding Fees, Partnership Fees, Training Fees – the number of fees that vendors charge is infinite. A good partner-focused vendor will make their pricing as simple as possible to provide an excellent experience for their customers. Beware of vendors who have complicated fee structures that aren't easily understandable at first glance. This can make billing a nightmare and dramatically overcomplicate the partnership. A good rule of thumb is: if you can't get a complete picture of how much it will cost to deploy the solution to a client within a 5-minute conversation, it may be best to find a different partner. 

 

Vendor relationships are incredibly significant for Managed Service Providers. A weak vendor can cause untold difficulty, lost time, and extreme expense. Conversely, a partner-focused vendor will seek to grow with the MSP and will work hard to make sure the service provider has the best experience possible. Don't be lulled by false promises - ask the hard questions before the contract is signed to make sure you pick a vendor that will enhance your business.

We are not a transactional company.

You have seen it all before. The 30-second elevator pitches, the pushy sales guys who won’t leave you alone, the companies that sign you on with grand promises but devote little to no effort to supporting you as a new partner. MSP security vendors are not always known for their customer service skills. Dark Cubed is different. Right now, we imagine you are probably reading this with healthy skepticism at best but let us explain why we’re different. 

 

Dark Cubed was founded because cybersecurity in its current state is simply too complicated and difficult to implement. To build even a fledgling security program requires hundreds of thousands of dollars of investments in people, processes, and technology, and that’s just the starting point. Dark Cubed started with a singular mission: to make cybersecurity accessible to all organizations — not just for the large banks of the world, but also for the mom-and-pop grocery stores, the locally owned gyms, and the cash-strapped non-profits providing water to those in need. Our goal of making security accessible to our clients is infused throughout everything we do as a company. 

 

To facilitate this goal, Dark Cubed offers an industry-leading partnership program. We partner with geographically dispersed MSPs in order to provide their clients with cutting-edge cybersecurity at a small-business price point. However, unlike many of our competitors, we consider that the starting point of our partnership rather than its end. We believe security works best when communities of businesses and individuals work together to improve our collective security. So here are some of the highlights of what we offer our partners.

 

Dedicated and responsive support. So many companies have a set-it-and-forget-it mentality with their partners — we don't. We want to provide our partners with the best, most responsive support to make sure our product is working for both them and their customers.

 

A dedicated marketing specialist. Every MSP serves a different vertical and has a different mix of customers. We find our MSP partners tend to have the most success when they team up with a Dark Cubed marketing expert to build materials for their unique needs.

 

Access to our security acumen. To design the best product possible for our partners, we built a team of experienced security professionals with a variety of backgrounds. When our partners need help, we strive to be there for them as much as possible. One of the ways we do this is by advising our partners on how they can build their security programs and improve their clients' security (and no, we don't try to upsell them!).

 

Referred leads. Dark Cubed receives demo requests weekly from individual companies looking to improve their cybersecurity. When we have an MSP partner in the area, we refer those leads to the nearest partner. We’ll be honest — we can’t promise our partners leads. But if we get them and they’re in an MSP’s area, we will do our best to hand them off.

10 Security Tips for 2019

#1. Two-Factor Is Not Optional

A simple username and password no longer provides enough security for many systems. If you are protecting your sensitive systems (e.g. customer data, e-mail, patient data, payments and banking, social media, etc.) with only a username and password, then you are likely going to face a breach.

  • Implement two-factor authentication on e-mail.
  • Identify corporate systems that store and process sensitive data (medical records, customer records) and implement 2FA on them.
  • Implement two-factor authentication on banking and payment systems.

 

#2. The Basics Matter

Just like you might recommend key activities for your patients' hygiene, you also need to do the basics to protect the security of your systems. There are simple things that can help make a cyber-attack less likely. In fact, some of the most technically simple solutions can have the greatest impact in reducing your organizational risk and minimizing the damage if an incident does occur.

  • Use antivirus/antimalware on all systems and require that it update automatically.
  • Make sure all desktops and laptops are on the current version of the operating system and require that they auto-update as patches become available.
  • Deploy a firewall and make sure someone qualified to configure it checks on it quarterly.
  • Require employees to enable a screen saver that activates after 15 minutes of inactivity and requires credentials to be entered again on waking.
  • Run simulated phishing exercises to teach your employees how easy it is to accidentally fall prey to a targeted phishing e-mail.

 

#3. Pay Attention to What Is Coming In and Out of Your Network

Many breaches could be detected faster if companies collected data on what is coming in and out of their network and looked for anomalies in that traffic. Your firewall can produce this data.

  • Make sure you are storing at least 30 days of logs in some format (ask your IT team about a centralized logging solution).
  • Have someone review this data at least monthly for foreign or suspicious traffic. This can be accomplished at a basic level for a low cost.

 

#4. Know Your Data and Secure It

Often data breaches involve data that companies simply do not use anymore. It is important to know where sensitive data (PII, HIPAA, PCI) is being stored on your network, and to routinely delete sensitive data that no longer serves a business purpose, in accordance with applicable regulations.

  • Run a "data census" to search for and document locations where sensitive data might be stored; this is a good job for summer interns!
  • Advise all employees and staff to store data only in approved locations, and hold them accountable.
  • Encrypt sensitive data using strong passwords; there are many low-cost ways to accomplish this.
  • Dispose of data that no longer has business value, in accordance with any applicable regulations under which your business operates.

 

#5. Segment to Save It

The most exciting thing for an attacker to find is a wide-open network where user machines are on the same network as servers and other systems. Your IT provider should know how to separate these systems onto distinct networks to slow down the attacker.

  • Do not allow personal machines or mobile devices to connect to the company network.
  • Ask your IT provider whether your servers are on a separate firewalled segment of the network from your desktop computers.
  • If you have a data center, you should have a firewall segmenting the data center from the rest of the network.

#6. Have a Plan and Test It

While cyber security may feel overwhelming, pulling your leadership team together for a couple of hours of discussion can go a long way. Search for headlines on cyber-attacks in your industry and ask yourselves what you would do if that happened to you.

  • Just thinking about how you would respond can save your team major headaches when a cyber incident does occur.
  • Figure out who would take the lead, who would be in the room for the discussions, and who would make the final decision.
  • Partner with your IT staff to get their input and ideas.

 

#7. Know Who You Are Going to Call

Having your vendors identified ahead of time will save you valuable time and energy. Do a little research on the vendors other companies like yours are using and introduce yourself to those vendors. Building the relationship before an incident is a critical factor for success.

  • Identify the cyber security company that will do forensics and incident response when you need help.
  • Consider who will provide legal support and public affairs support, and make sure they are prepared.
  • Consider getting cyber insurance to help cover losses and damages, but also to get access to a team of companies that can help you respond.

 

#8. Recognize the Overlap of Digital and Physical Security

Do you keep your sensitive IT assets protected? Sometimes an unlocked door or a stolen device can have more impact than a digital attack. Make sure you are thinking about how devices could be stolen, or how unauthorized access could be gained, due to weak physical security.

  • Make sure all of your laptops and mobile devices are encrypted; this should be easy and low cost to implement.
  • Lock IT rooms and consider using motion sensors or cameras to manage unauthorized access.
  • Either deactivate unused network ports or place plastic locks in them to prevent unauthorized network access.

 

#9. Train Your Employees

One employee making a good choice can be the difference between a thwarted attack and a data breach. Equip your employees with information on which attacks are likely and who should receive reports of suspicious activity.

  • Make sure employees know who should receive reports of suspicious activity.
  • Train employees how to avoid phishing attacks and how to avoid downloading potentially malicious files.
  • Encourage employees to teach their family members and friends. Sometimes we learn best by teaching others.

  

#10. Don't Be Embarrassed!

At some point even the most secure companies suffer an incident. Talk with other companies and your peers and learn about their experiences with cybersecurity.  We are stronger together, and only by working together can we be prepared. 

Wake Up! The time to care about IoT security is now!

This post follows up on the recent release of our report titled "The State of IoT Security", which can be found here: stateofiotsecurity.com. The public response to this report has been humbling and exciting; we have definitely hit on an issue that many of you care about. However, we have also received responses that did not surprise me but have nonetheless made me think about the role of the security community in solving this problem.

As a security expert, I understand the fatigue associated with discussions on the security of IoT devices; frankly, I have felt the same way. However, after observing our customers being hit relentlessly by botnets of IoT devices, our team decided to look into this matter ourselves. This study changed the way I think about IoT security, and I hope you will take a few more minutes to read why. I will start with my argument and three key points, then follow up with a few more details about our study.

My Argument

IoT security is not only a security issue; it is simultaneously a public safety and a national security issue. The security community must make solving these issues a priority.

  1. At a macro level, IoT security is one of the most critical challenges of our time. The security, or lack thereof, of any individual device has no impact, just like a single drop of water. However, the macro effect of an infinite number of water drops has shaped the face of the earth by creating mountains, valleys, and oceans. Similarly, at scale, the security of the larger IoT ecosystem will have profound impacts on national and economic security for every country. It is these types of complex, macro-level security problems that are the hardest. As a security community, we cannot afford to give up.

  2. The operation and maintenance of the largest sensor grid in the world comes with extraordinary capabilities and responsibilities; we are not paying attention. The sensor grid associated with the rapidly growing consumer IoT infrastructure can collect audio, video, motion, energy consumption, location data, and much, much more. Whoever operates this grid has access to an extraordinary volume of high-quality data and control over each and every device. We are concerned as a nation about China running our telecommunications infrastructure, but we are not concerned about Chinese companies running consumer IoT infrastructure? I would argue that the consumer IoT infrastructure will be, if it is not already, more valuable than any other infrastructure. We must realize the value that this infrastructure has from a strategic perspective and prioritize our actions accordingly.

  3. Nobody is accepting responsibility for IoT security. We have proven that neither manufacturers nor retailers are accepting the responsibility to develop and sell safe, secure consumer IoT devices. Nor is the government taking responsibility for oversight. The security community as a whole has just given up. In the soft, gooey center of this lack of accountability, consumers are deploying billions of new devices every year. As a security community, it is our job to push responsibility and accountability for security, and we are failing. As a starting point, I suggest that retailers must take ownership of IoT security before government mandates action.

About Our Study

Our tests were not sophisticated, esoteric hacking; instead, they were simple, boring security tests that anyone even considering security would have performed. We performed these tests through a rigorous, exhaustive review of each individual device to collect real, hard data on the lack of security in these devices, the results of which we are excited to share in this report. Our findings are the result of analyzing over 1.25 million communications to more than 3,000 external servers from 12 off-the-shelf IoT devices.

What we found, on one hand, was not surprising.  Many of these devices are not secure.  Much of the associated infrastructure is not secure.   Several of the Android applications are borderline dangerous.  Yes, it is scary to think that some stranger could watch your child sleep (easy to do with some of the devices we reviewed). We also found that someone could set off the alarm on your security system repeatedly to drive you crazy just by pasting a URL into their browser.   We also proved that we could write a simple, five-line computer script to get visibility into every time a lightbulb or an outlet was turned on or off, which could be accomplished by anyone that has access to any network that your mobile phone has connected to.  It is scary to think that someone could intercept traffic from one of your devices and get information such as your birthdate, e-mail address, telephone number, or even your passwords. As a part of our study, we found that all of these things are simple to accomplish on one device or another. 

These things are scary, but they are nothing compared to what we, as security experts, worry about on a macro level.  

What happens if we take a global perspective on these devices and we consider the impact of not just one or two insecure devices, but billions of them? While it may be an inconvenience if our thermostat stops working on a cold night, what if every thermostat in a large metropolitan city caused a massive power surge and took down the power grid? What if millions of smart lightbulbs and outlets caught fire at the same time? What if a foreign intelligence service could have millions of cameras and security systems capture audio and video on command?   Think this could not happen?  We found that the extent to which the manufacturers and infrastructure associated with these devices communicate with, or is related to, China is shocking and has significant national security implications.

Now, our report is not all doom and gloom.  We ultimately would like to ask a simple question…what if the general public could do something small and change the future? 

We are talking about consumers and retailers taking a stand to require that manufacturers and the platforms used by these devices have at least considered security and where the data of U.S. citizens is being stored in the development of their devices and the associated infrastructure. 

Surprisingly, requiring a basic level of security does not mean hiking costs to consumers. The insecure devices we reviewed were priced similarly to the secure ones, but retailers appear unaware of or unconcerned about differentiating these devices for consumers, despite the clear marketing advantage and a critical need to demonstrate that they do indeed care about the privacy and security of their customers.

We are excited to have finally released our report and share our findings with the community.  I hope you will take the time to read through it and let us know your thoughts!  You can access the report at http://www.thestateofiotsecurity.com and make sure to follow us on Twitter at @darkcubedcyber as we release more content associated with this report in the coming days and weeks.

The Start Of Something Great…

Warning:  This was not written by a marketing company!  We believe if we are truly going to be a force for good in the cyber market, we need to start being honest.  So, here are my unfiltered initial thoughts on our product launch and why we decided to build out a SaaS offering in the first place.

My team and I have spent the last four years dedicated to the mission of making cyber security more affordable and accessible to companies of all sizes. While this seems like a small thing, it has not been an easy road.  There are lots of reasons for this, but to name a few:

  1. Cyber security is a very crowded market
  2. There are massive marketing budgets being spent by cyber startups making it hard to stand out from the crowd
  3. It is hard to create a new approach when you see an entire industry moving in one direction and you want to do something different, something creative. 

We started with a business model that focused on installing easy-to-deploy on-site sensors for our customers and had some great early success.  However, we quickly ran into a few key challenges. 

  • First, as technologists know, every network is different and things seem to work differently in every one.  
  • Second, when something does break, it is difficult to get access to the hardware.  When you are trying to make things easy on customers, asking them to reboot machines or troubleshoot problems is not something you want to do. 

Over the past few years we have built some amazing customer relationships, signed some big customers, and lost customers for a myriad of reasons, some our fault, some not.  This is to be expected in the lifecycle of a startup. 

As we continued to grow in 2017, our team was increasingly bothered by the fact that the impact we could make on the community at large was significantly limited by an appliance-centric business model. We didn't just set out to sell an awesome security product, we set out to change the world. That seems hokey, but it is true. We believe it is time for a different approach to cyber security that gives companies of all sizes access to enterprise-grade cyber capabilities without the overwhelming investment and the highly skilled personnel that most cyber security products require.

As we started to look at our options, the clear choice was to roll out a new service-oriented technology stack that focused on our key priorities. First, we needed to allow customers to instantly sign up and access Dark Cubed. With all of the marketing and noise in our industry, the proof is in the pudding…the faster we can get our customers access to Dark Cubed, the better. Second, we needed to give customers the ability to send us data or drop in a simple, easy-to-install sensor to collect data for us. There are plenty of approaches to accomplishing this goal, but building a system that makes this process easy is, well, hard. Finally, we needed to make cyber security information actionable. This requires allowing customers to look into the details of their network traffic, benefit from enterprise-grade threat intelligence and predictive analytics, and then block threats quickly and easily. This was our mission, and as of today, we have reached our first major milestone.

So here we are, seven months after deciding that we needed to stretch ourselves and accomplish something that we haven’t seen any other cyber security company accomplish yet: a new approach to cyber security that works for companies of all sizes that is easy to use and actually provides value at an incredible price point.  Can we do everything? No, but we aren’t trying to.  We are trying to do what matters in a way that actually works for all of the organizations that have been abandoned by today’s cyber security market because they don’t have enough money, people, or time. 

What is it we are actually doing, you ask? Well, we are providing an online service that will receive network data that you send (or we can send out a simple, easy-to-install hardware sensor), identify threats targeting you, and then allow you to block traffic with the click of a button, or even automatically if you so choose. Now, I hear you, none of the individual things we have accomplished are all that innovative, but allowing all of this to happen within minutes, without requiring large investments or a team of cyber experts? That is innovation.

Today, we officially launched our new approach to Dark Cubed using a "software as a service" business model, thereby subjecting ourselves to the forces of the market. This launch is the result of countless hours of hard work, evenings, weekends, blood, sweat, and tears, but it is now here. We are excited to start showing it off to new customers. The most exciting thing about this product launch is that we see it as the beginning of a much more strategic roadmap, with many creative innovations coming.

As "launch day" draws to a close, I am humbled by the amazing outpouring of support and encouragement from friends, family, customers, and the community at large.  If you are reading this, thank you for your support and your time...and know that it is deeply appreciated by our team!

If you have any questions about Dark Cubed or our product, drop us a line at info@darkcubed.com.  We look forward to a conversation with you!

 

2018 Is The Year We Make Information Actionable!

If we assume that security isn't a security problem but really a resource problem, then how can we start to address it from a defensive perspective? The most important thing we can do is to develop information that can be acted on in an automated fashion. There is some great thinking going into this concept within the IACD initiative at The Johns Hopkins University Applied Physics Laboratory (see here: https://www.iacdautomate.org/), but I think it is also important to talk about what we can change today—right now—to make a difference in cyber security.

Fixing the Imbalance

I often talk about the imbalance between what larger companies with larger budgets and more people can do versus the other 99% of companies—this disparity must be addressed immediately, and we can’t let perfect be the enemy of good. It is great in theory to say that we need to find a way to start forcing smaller companies to invest in cyber security, but that isn’t reality. Smaller banks, hospitals, doctor’s offices, investment firms, and electrical utilities just simply do not have the resources to approach cyber security in any form or fashion that is similar to their larger counterparts—and I would argue they never will. However, there is a shift in mindset that needs to occur around how those companies with the ability to invest can support those that can’t. While many of these companies are in fact competitors, having a business ecosystem that can maintain the trust and confidence of its consumers is a greater good. Further, pretending that the fortunes and futures of these companies are not linked in a number of ways (supply chains, vendors, partners, etc.) is like an ostrich sticking its head in the sand. 

Making Information Actionable

So, the key question is how can we make information actionable and make a difference today?

There are two parts to this question: (1) What "information" are we talking about? (2) What does it mean to make that information "actionable"? First, when it comes to information, and as I stated in a previous blog post, the information we are discussing has to do with the infrastructure being used by the "bad guys." The purpose of sharing this information should be focused primarily on requiring more resources for the bad guys to be successful. Today, an attacker can set up a fake DocuSign phishing attack, hit a thousand companies over the course of a couple of weeks, and succeed in compromising 20 of those companies. Very few resources were required here, for a big payoff. The information in this case would be the domain name and URL of the phishing attack and the IP address of the server that hosts it. When a phishing attack like this occurs, it is almost always served from a compromised host that can then be used for other purposes by the attacker.

So, how do we make this actionable? Actionable to me means that once anyone becomes aware of this phishing attempt, the infrastructure gets “burned” and anyone that comes into contact with that infrastructure is able to block communications to and from that infrastructure. Now, it is easy to say that much of this work has been accomplished with threat intelligence platforms, information sharing, and great sites such as PhishTank, VirusTotal, and a myriad of others—but here is where the rub occurs: 

Most smaller companies (99% of the companies by our calculations) have no ability to benefit from these capabilities because they don’t have a team of security analysts that can consume the information. They don’t have Splunk or ArcSight or AlienVault or (name your SIEM) installed. They have no ability to purchase or consume threat intelligence. They have very limited firewalls or other security infrastructures installed. They are surely not logging network traffic or netflow and archiving it in any searchable form. Spoiler alert: Many of the largest companies aren’t doing most of this very well either. 
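To make the “burn the infrastructure” idea concrete, here is an added example (not Dark Cubed code, and not tied to any particular product) of the smallest useful consumer of shared indicators: it parses a feed of phishing URLs, domains and IPs, reduces URLs to their hosting domain, checks a handful of DNS/proxy log lines for any host that touched that infrastructure, and emits deny rules. The feed layout, the log layout, the `.example` domains and the 203.0.113.45 address are all constructed for illustration; a real feed such as PhishTank uses a different layout but carries the same three kinds of indicator.

```python
"""Minimal consumer for shared phishing indicators: parse a feed, find the
local hosts that touched that infrastructure in DNS/proxy logs, and emit
deny rules so the infrastructure is 'burned' for everyone downstream.
Added example, not Dark Cubed code; the feed and log formats are invented."""
import csv
import io
import ipaddress
from urllib.parse import urlsplit

# Constructed indicator feed. Real feeds differ in layout but carry the
# same three things: phishing URL, landing domain, hosting IP.
SAMPLE_FEED = """type,value,context
url,http://docusign-review.example/login/index.php,fake DocuSign page
domain,docusign-review.example,phishing landing host
ip,203.0.113.45,server hosting the page
url,https://secure-docs.example.net/sign?doc=1,credential harvester
"""

# Constructed proxy/DNS log: timestamp, client, action, target.
SAMPLE_LOGS = """2017-10-02T09:14:03Z 10.0.0.21 DNS mail.docusign-review.example
2017-10-02T09:14:04Z 10.0.0.21 CONNECT 203.0.113.45:80
2017-10-02T09:15:11Z 10.0.0.33 DNS www.docusign.com
2017-10-02T09:16:40Z 10.0.0.40 GET https://secure-docs.example.net/sign?doc=1
2017-10-02T09:17:02Z 10.0.0.40 DNS secure-docs.example.net.evil.example
"""


def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def parse_indicators(feed_text):
    """Return (domains, ips); URL indicators are reduced to their host."""
    domains, ips = set(), set()
    for row in csv.DictReader(io.StringIO(feed_text)):
        kind, value = row["type"].strip().lower(), row["value"].strip()
        if kind == "url":
            value = urlsplit(value).hostname or ""
            kind = "ip" if is_ip(value) else "domain"
        if kind == "ip" and is_ip(value):
            ips.add(str(ipaddress.ip_address(value)))
        elif kind == "domain" and value:
            domains.add(value.lower().rstrip("."))
    return domains, ips


def domain_matches(name, domains):
    """True if name is an indicator domain or a subdomain of one.
    Matching on label boundaries keeps 'example.net.evil.example' from
    matching an indicator for 'example.net'."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def target_host(target):
    """Host part of a log target: full URL, host:port, or bare host/IP."""
    if "://" in target:
        return urlsplit(target).hostname or ""
    if target.count(":") == 1:  # host:port (IPv6 literals have more colons)
        return target.rsplit(":", 1)[0]
    return target


def match_logs(log_text, domains, ips):
    """(timestamp, client, host) for each log line touching burned infrastructure."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _action, target = line.split(None, 3)
        host = target_host(target)
        if host in ips or domain_matches(host, domains):
            hits.append((ts, client, host))
    return hits


def block_rules(domains, ips):
    """Render indicators as generic deny rules for a firewall or DNS sinkhole."""
    rules = [f"deny ip {ip}" for ip in sorted(ips)]
    for d in sorted(domains):
        rules.append(f"sinkhole dns {d}")
        rules.append(f"sinkhole dns *.{d}")
    return rules


if __name__ == "__main__":
    domains, ips = parse_indicators(SAMPLE_FEED)
    for ts, client, host in match_logs(SAMPLE_LOGS, domains, ips):
        print(f"{ts} {client} contacted burned infrastructure {host}")
    print("\n".join(block_rules(domains, ips)))
```

Two details matter more than the size of the script. URL indicators are collapsed to their host, because the attacker can change the path in minutes while the compromised host stays the same, and domain matching is done on label boundaries so that a lookalike such as `secure-docs.example.net.evil.example` does not silently inherit a block (or a miss) from an indicator for `secure-docs.example.net`. The three hosts flagged in the sample (two clients, three contacts) are exactly the ones a shop without a SIEM would otherwise never learn about.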

Launching Something New

Dark Cubed is on a mission to change the world in cyber security by developing the capability to generate, share, and act on this information—all without assuming that our customers will have the time or ability to manually take action. We automate the sharing of real-time network information and make it fully anonymous to protect our customers. We have developed innovative algorithms and machine learning capabilities that identify threats in our customers’ networks in near real time, we integrate years of threat intelligence and lessons learned into our monitoring, and we allow for our customers to be automatically protected from threats that would previously have slipped in under the radar. 2018 is going to be a big year for Dark Cubed. We are getting ready to launch a new capability and it is going to be big. This new capability came out of discussions among our team about how we can better help companies of all sizes be successful in our mission of changing the future of cyber security.

Stay tuned for more information as we begin to announce what we have been working on!

A Notice to Dark Cubed Customers on the Equifax Data Breach

By now, you have likely heard about the cyber breach announced by Equifax today, September 7th, 2017.  You can read the full release from Equifax here: https://www.equifaxsecurity2017.com.

This blog posting summarizes our initial thoughts on this incident and what it means to you, our customers.  In summary, this breach resulted in a massive loss of personal information, potentially for 143 million people in the United States.  It is more likely than not that your information was included.  You should consider whether you are prepared personally for the effects of this breach and whether your company is prepared for a breach of your sensitive data.  Our team at Dark Cubed is watching vigilantly for signs of such attacks amongst our customers and takes its role as your partner seriously.  For more information on this data breach, read on!

First, it is clear that this was a breach that provided an outside party with access to a significant data set held by Equifax.  In the public press release, Equifax states that this was an incident “potentially impacting approximately 143 million U.S. consumers.”  If that sounds like an incredibly large number, it is.  Considering that in 2016 the United States had a population of approximately 323 million people, this estimate covers roughly 44 percent of everyone in the country and well over half of all adults.  

Second, the data breach contains sensitive information.  According to the release, the data to which the attackers gained access “includes names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers.”  Probably less interesting to most readers, but still significant, is this line in their notification: “Equifax also is in the process of contacting U.S. state and federal regulators and has sent written notifications to all U.S. state attorneys general, which includes Equifax contact information for regulator inquiries.”  This sounds like boring legal jargon, but the United States does not have a national data breach law.  This means that 48 states – every state except South Dakota and Alabama – each have their own law and requirements for a company when a data breach affects residents of that state.  Think about the scale and complexity of the effort faced by Equifax in working with every individual state to follow the letter of the law in each and every location.  In addition, many of these states have provisions that allow residents to sue companies when such an event occurs.  Let me be clear: we are only seeing the tip of the iceberg on this incident, and it is going to be a significant event for the future of cyber security in the United States.

Third, to date there has been very little data released about the details of the breach; this is to be expected.  According to the press release, the breach occurred in mid-May and was discovered on July 29th.  Most readers will probably be surprised that notification of the general public occurred today, 40 days later, but they shouldn’t be.  Following the discovery of the breach, an outside firm was likely brought in to perform forensics.  This process is not a short one and likely took a minimum of a week or two.  Once a breach is confirmed, many states require notification within 30 days.  This suggests that the breach was confirmed internally on or around August 8th, 10 days after it was discovered.  The data accessed, according to the press release, was “certain files,” while the CEO of Equifax states in his video message that it was “data files.”  These files were accessed through a method broadly defined as “a U.S. website application vulnerability.”  In addition, they claim that they “found no evidence of unauthorized activity on Equifax’s core consumer or commercial credit reporting databases.”  This final statement likely means one of two things.  Either (A) the attackers exploited something such as a SQL injection flaw in the web application to pull data out through it without gaining access to the underlying systems themselves, or (B) Equifax was not storing the logs necessary to “find” evidence of such activity and can therefore make this claim.

Finally, it is important to note the actions being taken by Equifax following the breach.  They are following the textbook on what to do after a breach, and it is clear they have learned the lessons from the companies that have gone down this road before them.  Their activities have included:

  • Engaging a firm to perform a forensics review
  • Establishing a website to provide monitoring services to their customers
  • Establishing a call center to support concerned customers
  • Sending written notifications to all affected
  • Working with law enforcement
  • Notifying U.S. state and federal regulators
  • Notifying all U.S. state attorneys general

It is clear that the scope and scale of the actions required by Equifax following this incident are staggering and the costs associated with this response are going to be enormous.  For perspective, the Home Depot breach in 2014 likely cost the company around $179M and that breach only affected 50 million credit card numbers and around 53 million e-mail addresses[1].

So the real question is what does this breach mean to you?

First, it is more likely than not that your personal information was included in this breach.  If attackers use this information, they could attempt identity theft or other scams.  You should make sure that you are monitoring your credit files at the credit bureaus and monitor your credit cards and bank accounts for suspicious activities.  Fortunately, Equifax will provide this for free for a year to all affected. (it is the least they can do)

Second, it is highly likely that scammers will exploit this event to try to capture your information.  Never give your personal information to anyone over the phone or to a website that you have not verified as legitimate.  If you are told to visit a website in response to a breach (such as Equifax’s own website for this incident, www.equifaxsecurity2017.com), never click on a link to that website in an e-mail.  It is better to copy and paste the domain name or type it manually into the browser.  We have already seen indications that scammers are interested in this event.  For example, the domain name released by Equifax was registered on the 22nd of August; however, many variants of that domain name were registered only today, by a different service, likely on behalf of Equifax.  The delay is probably the result of an oversight by the company in not considering that a good attacker could use a domain name such as “equifaxsecuvity2017.com” to trick unwitting customers; notice the “v” instead of the “r” in security.  Our assumption is that Equifax’s mass registration of these variants was a response to an individual registering the name “equifoxsecurity2017.com.”  Interestingly enough, visiting that URL brings up a website that tells the user “You're probably looking for https://www.equifaxsecurity2017.com/” and then asks the question “Why was I able to register this after the Equifax breach announcement??”
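The lookalike-domain problem above is easy to check for in advance, and the check is the same whether you are Equifax or a 15-person firm. The following is an added example (not Dark Cubed code and not something the original post included) that enumerates the single-character variants of a domain a squatter is most likely to register (dropped, doubled, swapped and visually confusable characters) and flags any that are registered to someone other than the owner. The registration data is constructed to mirror the names discussed above; in practice the `REGISTERED` set would come from WHOIS or DNS lookups, which this example deliberately does not perform.

```python
"""Enumerate the typo and lookalike variants of a domain that a scammer
might register, then flag the ones registered by someone other than the
domain's owner. Added example, not Dark Cubed code; the registration data
below is constructed, not a live WHOIS or DNS lookup."""

# Small table of characters that read alike in many fonts (constructed).
CONFUSABLES = {"a": "o", "o": "a", "r": "v", "v": "r", "i": "l", "l": "i",
               "e": "c", "c": "e", "m": "rn", "n": "m"}


def typosquat_variants(domain):
    """Return lookalike variants of `domain`, keeping its TLD.

    Covers single-character omission, adjacent transposition, doubled
    characters and confusable substitution in the registrable label.
    """
    label, dot, tld = domain.lower().rpartition(".")
    if not dot:
        raise ValueError("expected a domain with a TLD")
    variants = set()
    for i, ch in enumerate(label):
        variants.add(label[:i] + label[i + 1:])                  # omission
        variants.add(label[:i] + ch + ch + label[i + 1:])        # doubled char
        if i + 1 < len(label):                                   # transposition
            variants.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if ch in CONFUSABLES:                                    # lookalike
            variants.add(label[:i] + CONFUSABLES[ch] + label[i + 1:])
    variants.discard(label)  # transposing identical neighbours yields the original
    return {f"{v}.{tld}" for v in variants if v}


def find_hostile_registrations(domain, registered, owned):
    """Variants of `domain` present in `registered` but not in `owned`."""
    return {v for v in typosquat_variants(domain)
            if v in registered and v not in owned}


# Constructed registration data modelled on the names discussed above.
REGISTERED = {
    "equifaxsecurity2017.com",   # the real site
    "equifaxsecuvity2017.com",   # defensive registration by the owner (r -> v)
    "equifoxsecurity2017.com",   # registered by a third party (a -> o)
    "equifaxsecurity217.com",    # registered by a third party, dropped '0'
}
OWNED = {"equifaxsecurity2017.com", "equifaxsecuvity2017.com"}

if __name__ == "__main__":
    hostile = find_hostile_registrations("equifaxsecurity2017.com", REGISTERED, OWNED)
    for name in sorted(hostile):
        print("lookalike registered by a third party:", name)
```

Run before announcing a breach site, the variant list is the set of names to register defensively; run afterwards, the hostile set is what to monitor for phishing pages and to feed into the blocking described in the earlier post.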

[Screenshot: the page served at equifoxsecurity2017.com]

Finally, you should certainly be considering if your own infrastructure is exposed to an attack and if you have adequate protections in place.  Of course, being a Dark Cubed customer is a great start!  You should also consider if you are prepared to respond in the event a data breach occurs within your company or organization.  A good way to evaluate your preparedness is to get into a room with your leadership team and to walk through what would happen if you discovered a data breach.  Here are some key questions to consider:

  1.     Who would be responsible for managing the incident?
  2.     Who would support the forensics and analysis?
  3.     What data are you collecting that could help determine the breadth of the attack?
  4.     Is your law firm prepared to support you?
  5.     Do you know who to contact in law enforcement?

If you have any questions related to this incident, don’t hesitate to reach out to our team at info@darkcubed.com and we will help you out.  Thanks for being a great customer; we are honored to have the opportunity to continue to serve you!

Swimming Upstream at Black Hat

Recently I was one of the many tens of thousands of attendees converging on Las Vegas at Black Hat, the massive annual cyber security conference.  One morning of the event I found myself walking down a long venue hallway while thousands, and this is no exaggeration, I mean thousands of attendees were walking the opposite direction.  

The whole corridor was filled with people heading to the expo floor to see the new cyber security technologies on display and learn how AI, machine learning, magical mystery boxes, and other toys would help them finally secure their network.

How Do You Sniff Out Cyber Threats?

I read recently that the nose isn’t very good at maintaining constant awareness of the smells around us; however, it excels at detecting changes in smell.  Kind of strange to think about, but it explains how someone can live in a house with a deadly natural gas leak for hours or days and not realize it.  This may be a strange thought with which to start a blog on cyber security, but thinking about how we relate to the world around us can help us develop new ways to improve the speed, scale, cost, and accessibility of security. So how do you sniff out cyber threats?

The Cyber Security Context Challenge

In my last blog posting, I spoke about the importance of thinking about cyber security as a resource problem rather than a technology problem. I challenged readers to think about speed and scale as a solution for the resource problem. This posting expands on that discussion by considering the importance, or lack thereof, of “Context.” My assertion is that while context may matter in some situations, it is one of the biggest impediments to implementing effective cyber security today.  

The cyber security community is primarily made up of geeks, technologists, and nerds who typically can’t help themselves from going down a rabbit hole when it comes to digging into a problem. This growing community of men and women is on the front lines of protecting our payment systems, preserving our privacy, and keeping valuable intellectual property from getting sucked out of the servers of companies of all sizes.  

Rethinking The Approach to Cyber Security

Everyone knows that cyber security is a big problem and most of what we hear about in the media is just how big of a problem it truly is: the average cost of a breach is $4M (http://fortune.com/2016/06/15/data-breach-cost-study-ibm); the global economic impact of cyber crime is $450B (http://www.cnbc.com/2017/02/07/cybercrime-costs-the-global-economy-450-billion-ceo.html); there were 4B data records stolen in 2016 alone (http://www.nbcnews.com/storyline/hacking-in-america/more-4-billion-data-records-were-stolen-globally-2016-n714066). Those are definitely some big numbers! Now, rather than wringing our hands over the size of the problems and challenges, let’s spend a little time thinking about a solution.

Expanded Threat Information is Almost Live!!

Friday is a big day for Dark Cubed!  We are preparing to launch a new feature that has been in the works for quite a while, and I couldn’t be more excited!  As I approach my one-year anniversary at Dark Cubed, I have enjoyed taking a few minutes to look back and see the incredible progress we have made: the rapid growth in customers, the new features implemented in the product, and the features requested by our amazing customers, such as automated notifications, one-click blocking, and multi-level reporting.

SMBs and Cyber Security: A Real Challenge

Make no mistake: a proper cyber security strategy is essential for all companies that deal with intellectual property, customer data, financial information, and other sensitive materials. However, all too often small and mid-sized companies can feel lost in the marketplace since the majority of mainstream cyber security companies only offer services with a hefty price tag attached.

Yes, cyber security solutions can be expensive. But so are cyber attacks.

What is Grizzly Steppe? Dark Cubed Explains Russian Hackers, Elections, and Data-Driven Analytics

Two days before New Years, something interesting happened in the world of cyber security. The Department of Homeland Security released a report on hacking activities by Russian Intelligence Services related to activities against the U.S. Government. The report was somewhat interesting, however DHS also released a set of indicators in a .csv file with 956 lines of data. As the CEO of a new cyber security startup focused on using data in smarter, more interesting ways, this data tugged and pulled at me in a way that I did not expect. Over the next two days, in between (and through) family events, football games, and dogs grabbing food off of the counters, I sat on a stool in my in-law’s kitchen and tuned out the world. There was something about this analysis that I could not ignore.

How An Information Sharing Environment Can Better Predict Cyber Threat Trends

With sophisticated hacking schemes gaining velocity, maintaining an organization's cyber security can feel demanding. Few know that reality better than the federal government. In response to the events of September 11, 2001, the Department of Homeland Security, together with Congress, began to develop methods to gather crucial information on illicit cyber activity and disseminate it to other government agencies within the national security enterprise and to private networks considered critical infrastructure. Through what became known as the Information Sharing Environment (ISE), DHS endeavored to boost inter-agency cooperation and reduce attitudes clinging to parochial interests in order to better protect the country from future cyber peril.

Cyber Security Monitoring In 15 Minutes? Really???

If you've read anything about Dark Cubed, you know that we pride ourselves on being different. We have built a powerful cyber security platform that is easy to install and use.

Most people hear claims like that and think, “no way.” It's too simple. They are jaded. I don’t blame them. Most people discount those claims as marketing hype… if it is powerful, it cannot be easy to install or use. It has to be hard and expensive.

I have a Firewall, so I am protected, right??

Mike owns a financial advisory firm. He helps people save for life’s big events like college and retirement and knows each one of his clients personally. His team consists of 15 employees with a range of responsibilities, from providing investment advice to making trades and other administrative activities. As a result, Mike's company collects some really important personal information like social security numbers, bank account numbers, balances and transaction instructions.