Cyber Attacks

Moody’s; The Cybersecurity Trifecta for Boards of Directors


Intent to rate cybersecurity risk is the third major Board of Directors wake-up call

by Scott Kannry, CEO, Axio and Scott Underwood, Director of Business Development, Axio

November 27, 2018

The past 36 months have seen two significant developments that should have woken up Boards of Directors to their cybersecurity obligations.

First, a spate of high-profile cyber events, namely those experienced by Equifax, Maersk, Mondelez, FedEx and others, proved that regardless of money spent on protection, employing high-caliber cybersecurity professionals, and good intentions to purchase the right amount of insurance, current cybersecurity approaches were not working.  And in Equifax’s case, the severity of the event resulted in a CEO and CISO change and securities class action litigation that remains ongoing.

Second, in February of this year, the SEC released updated cybersecurity disclosure guidance that implored companies to disclose their understanding of cyber risk versus mere disclosure of events after the fact.  As Axio’s post on that announcement noted, “By forcing companies to identify and publish their ongoing cyber risks, [the SEC] is elevating cybersecurity to a risk-based duty of care model, requiring an understanding and articulation of best practices at the Board level. The Commission is pointing squarely at the Board of Directors and elevating cyber program management from the IT department to the highest levels of the corporation.”  Subsequent to this disclosure, the SEC didn’t waste much time evidencing its intent to act when it fined Altaba (formerly Yahoo!) $35M for failing to disclose its breach in a timely manner.

And now, the Trifecta – an announcement by Moody’s that it will soon start incorporating an evaluation of an organization’s risk to a major cyber event into its existing credit ratings, with a future possibility of offering a stand-alone cyber risk rating. While the specific means by which Moody’s will accomplish this have not yet been disclosed (and may not ever be disclosed), the impact of such a decision cannot be ignored because of the importance of Moody’s ratings to the investment landscape. Simply put, if Moody’s issues an unfavorable rating based on its analysis that an organization lacks cybersecurity maturity, that organization could expect to incur higher borrowing costs at a minimum and could suffer further if other entities or investors use the ratings beyond investment transactions.

If the previous two series of events did not garner appropriate Board of Director attention, hopefully Moody’s announcement does. Because unlike those events, an unfavorable rating from Moody’s could cost a company a considerable amount of money and thus precipitate an argument that the company’s executives and Board of Directors are not fulfilling their fiduciary responsibility. This announcement and the potential implications should not be disregarded. So what are companies and their Boards of Directors to do?

Luckily, achieving appropriate cybersecurity understanding and management is very achievable today, and presumably in a way that could be used to answer any questions raised by Moody’s and others:


Understand your cyber risk exposure as it relates to the business and in financial terms.

Start by asking one question: “If a cyber event happens to us, what might it look like?” Generate some scenarios based on what you do, how you use technology and what the impact of that technology failing might be. Could there be a data breach? Could there be an interruption in systems? Could somebody dupe one of our treasury folks into wiring money to a fraudulent account? Could a hack into our process control technology cause tangible damage and bodily injury? Now take a sampling of scenarios, get various operational and functional folks around a table and use their collective knowledge to estimate the impact of those events. Gaining this knowledge is especially critical if Moody’s independently attempts to estimate your financial exposure to a catastrophic cyber event. They simply won’t be able to achieve the same level of accuracy without knowing how the organization ticks on a daily basis. You have that knowledge and can use it to your advantage.


Utilize a maturity based cyber program management framework, such as NIST-CSF or the C2M2.

Align it with the scenarios that you’ve quantified in step one, and ensure that it is reported to the Board in an understandable manner. Why one of these maturity models? Because a maturity-based approach recognizes that cyber risk is dynamic and managing it is a 24/7 endeavor. Compliance frameworks and standards, on the other hand, won’t ever go away, but all too often produce a false sense of confidence once the checklist is complete and the compliance framework is met. And why align the methodology with the scenarios? Because that connects the cybersecurity program with the business, a critical link for Boards to effectively understand the cyber program. Further, it is the best way to align the universe of controls and technologies with the areas of greatest risk, providing additional evidence for folks like Moody’s that you are focused on appropriately protecting the long-term health of the organization.


Maintain the resources and financial ability to recover from a meaningful event.

At the end of the day, everything translates into financial terms. Strive to maintain the right balance of financial reserves and insurance to pay for as much or all of the forensics costs, notification requirements, lost revenue, stolen funds, legal fees and liabilities, repair costs or replacement of damaged assets, and others. How do you get there? See Step One.


Evidence all of the aforementioned components with peer benchmarking and best practices insight.

Because cyber risk is incredibly dynamic and traditional means of risk management, such as complying with standards or achieving certifications, can only serve as a baseline, benchmarking and best practices insight can be the best way to prove cybersecurity maturity. Is your cyber exposure in line with or more favorable than your peers? Is your cyber program in line with or more favorable than your peers? Have you purchased an insurance program that is in line with or more favorable than your peers?

Put it all together and the Board of Directors can confidently and continuously validate that the organization is meeting its fiduciary responsibility for managing cyber risk: “We understand our exposure, we’re managing the risk as effectively as possible, we have the ability and financial resources to recover from a major event, and we can provide evidence.”

The Biggest Data Breach in US History Just Happened, Now What?


Suggestions for Protecting Your Credit and Your Identity

by Jason Christopher, Axio Chief Technology Officer

November 3, 2018

Being first is usually thought of as a good thing. Except when it’s not.

Take the recent Equifax data breach, for example. It’s the first of its kind in many ways—not the least of which is its overall impact on the average American—but in no way is this a good thing.

Unless you have been spending time with Gilligan and his fellow castaways lately, you have by now heard of the massive Equifax data breach. While we will undoubtedly learn more about this incident in the coming months, as it now stands over 143 million records may have been compromised. This means that the names, Social Security Numbers, addresses and, in some instances, driver’s license numbers of almost every American adult have been laid bare.

This is a big deal.

If credit card numbers are compromised, they can be changed. The same is not true for your birth date or SSN. Putting that aside for a minute, this means that should your identity be compromised, proving you are who you say you are will be very difficult going forward.

In order to help you, we have compiled a list of actions you can—and should—undertake immediately to protect yourself and your family. We highly recommend that everyone follow these steps. It is additional work, but it could potentially save you years of headaches if your information is ever used against you.

Six steps to staying safe from the Equifax Hack

  1. Obtain your credit report immediately. If you have not requested your free report this year, you are entitled to it. You can use this to track any changes post-Equifax breach.
  2. Sign up for free credit monitoring as part of the breach.
  3. Get a security freeze with every credit bureau. This is your best bet at protecting yourself. Pro tip: Brian Krebs has a great guide. Security freezes have been around for years—I personally have leveraged it in the past. While there are minor charges associated with freezing/unfreezing your credit (fees are decided on a state-by-state basis) it’s money well spent. You can also request freezes on your children’s accounts—they may not have been impacted by the incident, but better safe than sorry. Luckily, it’s all a simple phone call. Unluckily, since our financial systems revolve around credit, you’ll need to unfreeze it before you buy a car, house, or perform any other credit check-based function. For easy reference, here are the numbers to call. Make sure you call all three.
    • TransUnion: 1-888-909-8872
    • Equifax: 1-800-349-9960
    • Experian: 1-888-397-3742
  4. Monitor your financial accounts and change any shared passwords—especially if you have an online account with Equifax. As always, if your accounts offer two-factor authentication, you should have it enabled.
  5. Up your social engineering awareness game. Now that all of your information is in the open, experts are expecting an uptick in social engineering attacks, including phishing emails, texts, and calls.
  6. File your taxes immediately from here on out. With your credit frozen your biggest risk of direct impact is going to come from a fraudulent tax return. Unfortunately, the IRS only requests your SSN to verify your identity—which is now out in the open. If somebody files with your SSN, you will be locked out from filing yourself. This is a common financial attack. Keep in mind that the IRS will never ask for your personal information on the phone—if someone calls you from the IRS, hang up and call your local office to verify any request. To be proactive, you can register with the IRS for additional protection.

Don’t stop now …

Finally, there are a few additional steps you can take to further protect yourself in the unfortunate event that your identity is stolen. For example, if you only have a copy of your birth certificate, look up your County of Birth’s rules on requesting a new one and keep it safe. This will help prove that you are… well… “you” if you are handling fraud. Likewise, if you don’t have a passport, consider getting one. Having both of these can help you get out of a bad situation if you need to prove that you are who you say you are.

SANS recently gave a webinar that covered some of these steps, along with information about the data breach. In the event you missed it, you can listen to the recorded version at your convenience. (We recommend sooner rather than later.)

We hope you find these tips helpful. We want to make sure everyone is safe.

It’s what we do.

Understanding the Impact of the KRACK Attack


Outrunning the Bear

A Cybersecurity Assessment Boards Actually Care About

by Brendan Fitzpatrick, VP of Cyber Risk Engineering

October 25, 2017

I am writing to give you the skinny on KRACK, the attack, and to provide some of the “facts” along with some recommendations for what to do now. The bottom line is that your devices ARE vulnerable to this newly discovered attack. Practically every WiFi enabled device is affected. Computers and mobile devices will likely get updates in the near future, though IoT and embedded devices may be a different story. You will want to update your devices as vendors release patches. You may also consider getting in compliance with your backup policies now to save frustration later.

What is the KRACK attack?

  • KRACK is short for key reinstallation attacks
  • The vulnerability is within the WPA2 protocol which means all WiFi enabled devices utilizing WPA2 are vulnerable
  • WPA2 is short for Wi-Fi Protected Access 2 and is how the connection to your WiFi access point is secured
  • The attack relies upon the 4-way handshake negotiation at the beginning of WiFi sessions
    • An attacker needs to be physically in range of a particular Wi-Fi network to carry out the assaults
    • The attack must take place during the 4-way handshake
    • The attack does not reveal the WiFi passphrase and does not allow the attacker to join the network
    • If the attack is successful they can potentially decrypt traffic between the victim client and their access point
    • Currently, the attack is focused only on the client side of the handshake
    • The researcher discovered the vulnerability in May, informed vendors in July, and made it public very recently
    • Most vendors are working diligently on patches
    • The researcher has not released a toolkit or script for the exploit
    • There are no known uses of the attack in the wild
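
The replay condition described above, as an added example (not code from the original post or from the KRACK researcher): a toy client that either reinstalls the session key when handshake message 3 is delivered twice or, as patched clients do, ignores the repeat. The `Client` class, the SHA-256 keystream and the sample frames are constructed stand-ins, not the real WPA2 cipher or handshake.

```python
import hashlib

def keystream(key: bytes, nonce: int, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode); a stand-in, not the real WPA2 cipher."""
    out, block = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce.to_bytes(8, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Client:
    """Hypothetical Wi-Fi client reduced to key installation and frame encryption."""
    def __init__(self, patched: bool):
        self.patched, self.key, self.nonce = patched, None, 0

    def on_handshake_msg3(self, key: bytes) -> None:
        # Patched behaviour: a replayed message 3 carrying the key that is
        # already installed must not reset the per-frame counter.
        if self.patched and key == self.key:
            return
        self.key, self.nonce = key, 0   # (re)install key, counter back to zero

    def send(self, plaintext: bytes):
        self.nonce += 1
        return self.nonce, xor(plaintext, keystream(self.key, self.nonce, len(plaintext)))

# Constructed sample data, not real traffic.
SESSION_KEY = hashlib.sha256(b"constructed session key").digest()
FRAME_1 = b"GET /account HTTP/1.1"
FRAME_2 = b"Cookie: session=abcde"

def replay_test(patched: bool) -> dict:
    """Deliver message 3 twice and report whether a (key, nonce) pair repeated."""
    client = Client(patched)
    client.on_handshake_msg3(SESSION_KEY)
    n1, c1 = client.send(FRAME_1)
    client.on_handshake_msg3(SESSION_KEY)      # retransmitted message 3
    n2, c2 = client.send(FRAME_2)
    return {
        "nonces": (n1, n2),
        "nonce_reused": n1 == n2,
        # With a repeated nonce the keystream cancels out of c1 XOR c2.
        "keystream_cancels": xor(c1, c2) == xor(FRAME_1, FRAME_2),
    }

if __name__ == "__main__":
    for patched in (False, True):
        print("patched" if patched else "unpatched", replay_test(patched))
```

The unpatched run repeats nonce 1 under the same key, which is why the passphrase stays secret while traffic confidentiality is still lost; the patched run keeps counting and the check passes.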

What can you do?

  • Update your devices as vendors release patches
    • Microsoft claims that an update is already available for currently supported Windows versions
    • Apple claims that their update for all currently supported devices is in Beta and will be pushed to the public soon
    • Google Android and other Linux based devices may be the most affected and updates are still being developed
  • Changing your Wi-Fi password or getting a new router won’t protect against KRACK attacks, but are never bad ideas
  • Protect sensitive company and client data according to your company policies
  • Enterprise users should ensure they use their company VPN when on public WiFi and use HTTPS-enabled websites whenever possible
  • Consider tethering your phone when WiFi networks do not play nice with your corporate VPN, as cellular connections are encrypted






Copyright 2018 Axio Global, Inc.
