
When seconds count: How Security Analytics Improves Cybersecurity Defenses

Larry Ponemon

When Seconds Count: How Security Analytics Improves Cybersecurity Defenses sponsored by SAS Institute was conducted to evaluate organizations’ experiences with security analytics solutions. Specifically, how have these solutions impacted organizations’ security postures? Where have security analytics initiatives succeeded or encountered roadblocks?  

Ponemon Institute surveyed 621 IT and IT security practitioners who are familiar with and involved in security analytics in their organizations. Eighty-seven percent of these respondents have personally been using the security analytics solution in their organizations, and 80 percent of these organizations have solutions that are fully implemented.

Although many respondents cite deployment challenges, they still believe security analytics has been effective. They report a major improvement in reducing the number of false positives in the analysis of anomalous traffic. Before implementation, 80 percent of respondents say it was very difficult to reduce false positives. After implementation, only one-third of respondents say reducing the number of false positives is very difficult.

Key findings

In this section of the report, we provide an analysis of the findings. The complete audited research results are presented in the Appendix of this report. We have organized the report according to the following topics.

  • Organizations’ security analytics experiences
  • Results of organizations’ security analytics initiatives
  • The future of security analytics: the integrated security intelligence platform
  • Tips for successful security analytics initiatives

Organizations’ security analytics experiences

Most organizations adopt security analytics after an attack. As shown in Figure 2, 68 percent of respondents say the main driver to implement a security analytics solution was a cyber attack or successful intrusion and 53 percent of respondents say their organization was concerned about becoming a victim of a cyber attack or successful intrusion. Only 33 percent of respondents say their organizations are proactive and regularly update their cyber defenses with new technologies.


Organizations use a variety of security analytics solutions, but in-house developed tools are most popular. According to Figure 3, 50 percent of respondents use in-house developed tools together with a data lake, followed by 47 percent of respondents who use a Security Information and Event Management (SIEM) solution. Thirty-nine percent of respondents say their solution is delivered and managed by a third party.

Security analytics solutions are mostly deployed both on premise and in the cloud (40 percent of respondents). Thirty-three percent of respondents say the solution is deployed on premise and 23 percent of respondents say it is deployed in the cloud.


Most respondents say the initial deployment of security analytics was challenging. Fifty-six percent of respondents say it was very difficult (26 percent) or difficult (30 percent) to deploy security analytics.

According to Figure 4, 67 percent of respondents who feel the deployment was difficult cite extensive configuration and/or tuning before it was usable. Fifty-one percent of respondents felt there was too much data to deal with and 45 percent of respondents say they had issues getting access to the required data.

Data is a critical component of security analytics initiatives. According to Figure 5, 65 percent of respondents say data challenges are a barrier to success followed by lack of in-house expertise (58 percent of respondents) and insufficient technologies (50 percent of respondents).

Only 40 percent say insufficient resources are a challenge. The findings reveal the average cybersecurity budget is $12.5 million, and an average of 22 percent of this budget is earmarked for big data analytics.

The quality of data collected and used for security analytics is the biggest data challenge. As shown in Figure 6, 66 percent of respondents say data quality is an issue followed closely by the ability to integrate data (65 percent of respondents) and data volume (55 percent of respondents). Only two percent of respondents say they have no data challenges.

Most organizations are looking to security analytics to learn what is happening in their networks now. Each one of the objectives listed in Figure 7 is considered important. Seventy-two percent of respondents say it is important or essential to be able to detect security events in progress followed by the ability to determine the root cause of past security events or forensics (69 percent of respondents).

Also considered important are the ability to provide advance warning about potential internal threats and attackers (65 percent of respondents), provide advance warning about potential external threats and attackers (62 percent of respondents), prioritize alerts, security threats and vulnerabilities (62 percent of respondents) and analyze logs and/or events (61 percent of respondents).

To read the rest of this research, visit the SAS website.

Howard Schmidt, America's digital guardian angel, served as cyberczar to two Presidents — a memorial

Howard Schmidt

Bob Sullivan

Howard Schmidt had an incredible American life.  He was cyberczar to two presidents – a Republican and a Democrat.  Before that, he ran security at Microsoft, and later practically rescued eBay when it was turning into a cesspool of fraud.  He was a soldier (Air Force, then the Army Reserves), a cop (in Arizona), a genius, and a gentleman. He was one of the first law enforcement officers in America to understand how computers could be used to catch criminals.  He won a Bronze Star in Vietnam. He was an in-demand speaker everywhere on the planet.  I saw him dazzle crowds everywhere from Seattle to Romania.

But I knew him as the guy who always wanted to help. Everyone, all the time.

He died today, “in the presence of his wife and four sons…a loving husband, father and grandfather peacefully passed away following a long battle with cancer,” according to a statement posted on his Facebook page.

I first met Howard Schmidt in the late 1990s when he was the big-deal keynote speaker at a computer conference I had attended as a cub reporter.  I was a nobody. But good fortune had us both stranded in an airport when our flights were canceled, both trying to get back to Seattle. I worked up the courage to talk to him in the waiting area about our options for getting home.  When we ended up on the same flight, and he discovered I wasn’t traveling in first class, he stopped me at the gate.


“No colleague of mine sits in the back while I sit up front,” he said, a kindness so genuine I never forgot the tone of voice he used.  He upgraded me to first class so we could sit together.  During the next three hours, I enjoyed a graduate-school class in cyber-security as I picked his brain about everything.

Howard was a natural giver.

The most important thing to know about Howard is that the job of White House cyberczar is awful.  All the responsibility, none of the power.  Herding cats. Pick your cliché.  Making America’s computers secure is the job of private industry. They own all the hardware; they write all the software; they hire all the best people.  All a government official can do is “coordinate.”  Cajole. Beg and plead.  It sounds like a glamorous job. In fact, the pay stinks, compared to what someone like Howard could earn in the tech world. And it’s kind of humiliating to go around begging companies to share what they know about hackers.

But it had to be done. Howard was always doing what had to be done.

Along the way, he always took my calls.  He would message me from half-way around the world, and apologize if it took him 10 hours to get back to me.  Sometimes, he even dragged me along, as in the case of a banking security conference in Bucharest where Howard and I both spoke. A few years later, I ended up getting a plum invitation to speak in Malta at a similar conference. Howard never admitted it, but I’m virtually sure he set me up for the gig because it was one of the few times he had to turn something down.

Whenever we spoke, I would get tired just hearing about Howard’s grueling travel schedule. When he finally started to slow down, he spent his last years traveling, of course…this time via motorcycle. Sometimes to see America’s beauty, but mostly to see his grandchildren.

“Ride my bikes as much as possible in Milwaukee…our second home (grandkids),” he messaged me once.

Howard was always interested in what I was doing, and cheered me on as I had some success writing books. So it was natural that the day he retired from the White House, we chatted about doing a book together.

“I get approached all the time about doing one,” he said.

“Let’s chat some time and see if there isn’t a good fit? Before the months disappear,” I pleaded.  It was one of those conversations we never finished, one of those dream projects that you never get to.

I didn’t know Howard was sick until recently.  I reached out to him when President Donald Trump *almost* signed an executive order on cybersecurity. If anyone could make sense of it, he could.  I messaged him on Facebook.

“Hi Bob, This is Howard’s wife,” the response came. “Howard is fighting a brain tumor and apologizes for not being able to help.”

I was stunned.  But also, not stunned. I could picture Howard lying there, as ill as a human being can be, apologizing because he couldn’t help.  Perhaps the words he used suggested he meant “help you with your story.” But I know what he really meant:  he felt badly he couldn’t help the country.

I said I would pray for him and asked if there was anything I could do. Then, true to form, he tried once more.

“Howard said he will call in a little while,” his wife wrote to me.

He never did call; I figured he’d had a bad day and I didn’t want to be a pest.  I’m so sad it was my last chance.  Let me tell you: I am much more sorry that Howard was unable to help us this one last time. Heaven knows we need it.

I’ll console myself with the thought that Heaven’s networks are much more secure now, and the Devil is no longer spreading viruses up there.

Like all women and men who work in the protection field — computer security people, health department inspectors, fire marshals — Howard spent a lifetime toiling tirelessly and invisibly, saving people from dangers they never knew existed.  Countless crushing hacker attacks didn’t happen because of Howard’s work.  He was America’s digital guardian angel for many decades. In fact, his work lives on, and you will continue to enjoy the protections from policies that Howard created and pushed for years, if not decades.

Now, he’s a real Guardian Angel. I suspect we’ve yet to see his best work.



Survey: Half of small firms hit by ransomware, paid an average $2,500 in 'ransom'

Larry Ponemon

We are pleased to present the findings of The Rise of Ransomware, sponsored by Carbonite, a report on how organizations are preparing for and dealing with ransomware infections. As of September 2016, the Justice Department reported more than 4,000 ransomware attacks daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015.

You can read the full research at Carbonite.com.  Here is a summary:

We surveyed 618 individuals in small to medium-sized organizations who have responsibility for containing ransomware infections within their organization. These individuals, as revealed in this study, dread a ransomware infection and many of them (59 percent of respondents) would rather go without WiFi for a week than deal with a ransomware attack. Furthermore, 77 percent of respondents believe that those who unleash ransomware should pay for the crime. Specifically, 47 percent of respondents say criminals should face criminal prosecution and 27 percent of respondents say they should be subject to civil prosecution.

There is a significant gap between the perceptions of the seriousness of the threat and the ability of a company to prevent ransomware in the future. While 66 percent of respondents rate the threat of ransomware as very serious, only 13 percent of respondents rate their companies’ preparedness to prevent ransomware as high.

Fifty-one percent of companies represented in this research have experienced a ransomware attack. The following explains how these companies were affected.

  • Companies experienced an average of 4 ransomware attacks and paid an average of $2,500 per attack.
  • If companies didn’t pay ransom, it was because they had a full and accurate backup. Respondents also believe a full and accurate backup is the best defense.
  • Companies suffered financial consequences such as the need to invest in new technologies, the loss of customers and lost money due to downtime.
  • Cyber criminals were most likely to use phishing/social engineering and insecure websites to unleash ransomware. Respondents believe the cyber criminal specifically targeted their company.
  • Compromised devices infected other devices in the network. Very often, data was exfiltrated from the device.
  • Companies were reluctant to report the incident to law enforcement because of concerns about negative publicity.

Following are the key takeaways from this research.

 Many companies think they are too small to be a target. Perceptions about the likelihood of an infection affect ransomware prevention and detection procedures. Fifty-seven percent of respondents believe their company is too small to be a target of ransomware and, as a result, only 46 percent of respondents believe prevention of ransomware attacks is a high priority for their company. Despite not being a high priority, 59 percent of respondents believe a ransomware attack would have serious financial consequences for their company and 53 percent of respondents would consider paying a ransom if their company’s data was lost (100 percent – 47 percent of respondents who would never pay a ransom).

 Current technologies are not considered sufficient to prevent ransomware infections. Only 27 percent of respondents are confident their current antivirus software will protect their company from ransomware. There is also concern about how the use of Internet of Things connected devices will increase their risk of ransomware.

Inability to detect all ransomware infections puts companies at risk. According to 44 percent of respondents, an average of one or more ransomware infections per month go undetected and bypass their organization’s IPS and/or AV systems. However, 29 percent of respondents say they cannot determine how many ransomware infections go undetected in a typical month.

 One or more ransomware attacks are believed to be possible in the next 12 months. Sixty-eight percent of respondents believe their company is very vulnerable (30 percent) or vulnerable (38 percent) to a ransomware attack. Relative to other types of cyber attacks, 67 percent of respondents say ransomware is much worse (35 percent) or worse (32 percent).

The severity and volume of ransomware infections have increased over the past 12 months. Sixty percent of respondents say the volume or frequency of ransomware infections has significantly increased (22 percent) or increased (38 percent). Fifty-seven percent say the severity of ransomware infections has significantly increased (18 percent) or increased (39 percent) over the past 12 months. In a typical week, the companies represented in this research experienced an average of 26 ransomware alerts. An average of 47 percent of these alerts are considered reliable.

 Negligent and uninformed employees put companies at risk. Fifty-eight percent of respondents say negligent employees put their company at risk for a ransomware attack. Only 29 percent of respondents are very confident (9 percent) or confident (20 percent) their employees can detect risky links or sites that could result in a ransomware attack.

 To prevent ransomware infections, employees need to become educated on the ransomware threat. Fifty-five percent of respondents say their organizations conduct training programs on what employees should be doing to protect data. However, only 33 percent of respondents say their companies address the ransomware threat.

 Most companies experience encrypting ransomware. Fifty-one percent of respondents had a ransomware incident within the past 3 months to more than one year ago. Eighty percent of respondents say they experienced encrypting ransomware and 20 percent of respondents say their company experienced locker ransomware. These companies have experienced an average of 4 ransomware incidents. Most respondents (59 percent) believe the cyber criminal specifically targeted them and their company.

The consequences of ransomware are costly. The top consequences of a ransomware attack are financial. Attacks required companies to invest in new security technologies (33 percent of respondents), customers were lost (32 percent of respondents) and money was lost due to downtime (32 percent of respondents). Moreover, the ransomware incident is believed to make their company more vulnerable to future attacks (49 percent of respondents).

By far, most ransomware incidents are unleashed as a result of phishing and insecure websites. Forty-three percent of respondents say the ransomware was unleashed by phishing/social engineering and 30 percent of respondents say it was unleashed by insecure or spoofed websites. Desktops/laptops and servers were the devices most often compromised at 55 percent and 33 percent of respondents, respectively.

 According to 56 percent of respondents, the compromised device was used for both personal and business purposes. The compromised device infected other devices in the network (42 percent of respondents) and the cloud (21 percent of respondents).

Many companies paid the ransom. Forty-eight percent of respondents say their company paid the ransom. The average payment was $2,500. A key element in making ransomware work for the attacker is a convenient payment system that is hard to trace. The ransom was most often paid using Bitcoin (33 percent of respondents) or cash (25 percent of respondents). Fifty-five percent of respondents say that once the payment was made, the cyber criminal provided the decryption cipher or key to unlock compromised devices.

 Attackers demand speedy payment. Forty-six percent of respondents say the attacker wanted payment in less than two days. Only 16 percent did not place a time limit for payment.

 Data was exfiltrated from the compromised device. Fifty-five percent of respondents say with certainty or it was likely that the ransomware exfiltrated data from the compromised device(s). On average companies spent 42 hours dealing with and containing the ransomware incident.

Full and accurate backup is a critical ransomware defense. Fifty-two percent of respondents did not pay the ransom; the most common reason was that they had a full backup (42 percent of respondents). Sixty-eight percent of respondents in companies that experienced a ransomware incident say it is essential (30 percent) or very important (38 percent) to have a full and accurate backup as a defense against future ransomware incidents.

 Fear of publicity stops companies from reporting the incident to law enforcement. Despite the FBI’s pleas to report the incident to law enforcement, 49 percent of respondents say their company did not report the ransomware attack. As shown in Figure 16, the primary reason was to avoid the publicity.

Read the rest of this research at Carbonite.com.

Treason, arrests, a suspicious death, the vanishing executive order — Trump's cyber-mystery

Bob Sullivan

A suspicious death related to a British spy. Accusations of treason.  Arrests — including one, during a meeting, where the suspect was marched out with a bag over his head.  Election interference and ‘Kompromat.’

These are some of the things that, while hanging in the air, weren’t mentioned in the Trump administration’s first cautious steps into managing the cyberworld this week.

Like almost everything in the cyber-spook world, the Trump Administration’s first step into computer security is now shrouded in mystery, intrigue and speculation.

Trump’s team trotted out a series of experts and officials on Tuesday — including former New York City Mayor Rudy Giuliani — at an event marking an executive order Trump planned to sign. It was to be a sign that Trump wanted to get tough on computer security.

Then, without explanation, the order signing was canceled, leaving cyber-folks to do what they often do best: Guess at what it all means.

On the surface, Trump’s executive order and the spy-novel-like intrigue happening in Russia’s cyberworld have nothing to do with each other.  It’s hard not to connect them, however.

Here’s a quick scorecard to catch you up on what’s going on.  Three, or possibly four, Russians with ties to law enforcement have been arrested and charged with treason.  One suspect was grabbed at a meeting and had a bag thrown over his head in a clear show of force.

Another suspect, Ruslan Stoyanov, was a researcher at respected antivirus firm Kaspersky, and previously worked in Moscow’s cybercrime unit. He had stopped crime rings that were targeting Russian banks. I have been told he is accused of snooping on and sharing data with outside entities — perhaps the U.S., though that isn’t clear. My source requested anonymity, but others have confirmed that basic story.

Brian Krebs has painstaking amounts of additional detail on that here.

It’s easy to connect these arrests with the accusations of Russian meddling into U.S. elections, but there are other explanations.  For one, Russian officials are upset that secret information keeps making its way to a blog called Shaltay Boltay (Humpty Dumpty) in Russia that’s a bit like Wikileaks.

Meanwhile, a former KGB official was found dead a few weeks ago in his car under mysterious circumstances. The man, Oleg Erovinkin, was reportedly a source for Christopher Steele, the former British spy who authored the notorious dossier of allegedly embarrassing information about President Trump.

When Trump assembled the folks who will be in charge of making U.S. computer systems safer, none of this came up.

On the surface, a draft version of the order that was widely shared showed it would primarily call for a 60-day review of the most critical U.S. networks, including military command and control systems.  It also asked for a review of America’s cyber enemies; a review of computer security education; and asked for proposals to create incentives for private firms to improve their security.

It is unclear why the president didn’t sign the order as planned.

The draft order got, expectedly, mixed reviews from industry.

“What I like about it is that it creates a sense of urgency and seriousness that we really have to double down on security,” said Eric Geisa, vice president of products at Tempered Networks, discussing the draft order.

Morey Haber, vice president of technology at BeyondTrust, was far more critical.

“We already do all this (vulnerability assessment). The only difference is that it’s (to be) reported to the president,” he said.  Prior to BeyondTrust, Haber spent 10 years as a contractor providing vulnerability assessment to the Department of Defense.  “It ignores attack vectors that have actually been exploited before. It’s almost a knee-jerk reaction, similar to ban of certain countries for immigration.”

Haber pointed out that most hacks involve the human element, like an employee responding to a phishing email.

“We should be making sure the front doors are locked before we change the combination on the safe,” he said. “We are targeting the wrong things here. We do need to look at these things, but this is not typically how attacks have occurred. We should be targeting the lowest hanging fruit, like phishing emails, USB sticks left in parking lots.”

Perhaps because of this kind of feedback, the order was delayed.  Or something entirely unrelated is the cause.

Geisa said this moment in time gives the administration an opportunity to succeed where others have failed.

“This isn’t something new. After the (Office of Personnel and Management) hack Obama signed an executive order…but what I’ve seen from the government in the past is you get high-level guidelines, but there isn’t a lot of prescription. They might say you need encryption, for example. Well, no kidding,” he said. “The time is now to get very specific.”

The Internet has suffered from a “fundamental flaw” since its earliest days, he said —  the use of IP addresses to authenticate computers, which makes it easy for machines, and criminals, to lie about who they are. Changing that will require a very heavy-handed implementation of new protocols that define how computers talk to each other.  Perhaps Trump’s administration could lead that charge, Geisa said.

On the other hand, it’s important to understand how different Internet security is from other kinds of security.  The “weapons” of cyberspace are mainly controlled by civilians. Instead of bombs stored in silos that the government can secure, ‘cyber-bombs’ can be hacked servers, private computers, even webcams — as we all learned last year when an army of zombie webcams knocked a large portion of the Internet offline.  They cannot be secured without massive efforts and cooperation by private industry.

And that brings us back to the Russian hacks. I’ve spent years attending international security conferences where the real work of rescuing the Internet happens. Naturally, private firms are reluctant to share information with government officials and with each other; many see this very expensive and difficult research as a competitive advantage. Still, informal exchanges happen all the time. Secret cyberheroes rescue us from digital doomsdays on a regular basis, in conversations we’ll never hear about or see in a press release. Often, these involve “hackers” with a past, who have spent time in the murky world between white and black hat. That’s precisely why they know what’s going on. But that can also make them very “shy” when speaking to law enforcement.

You can bet Russian cyber-experts are getting more shy by the minute. That hurts everyone except the criminals.

But it’s a good reminder of how hard U.S. officials must work to keep the information flowing between private industry and government workers fighting to keep our water dams and power grid safe.   That’s going to take a lot more than an executive order.

Complexity is the enemy of security

Larry Ponemon

We are pleased to present the findings of The Cost & Consequences of Security Complexity, sponsored by MobileIron. The purpose of this research is to understand the reasons behind the growing complexity of companies’ IT security architecture and how it is affecting their ability to respond to cyber threats. We surveyed 589 individuals involved in securing, overseeing and assessing the effectiveness of their organizations’ information systems or IT infrastructure.

While some complexity in an IT security architecture is expected in order to deal with the many threats facing organizations, too much complexity, as shown in this research, can impact the ability to respond to cyber threats. Participants in this research understand the negative impact IT security complexity has on their organizations’ security posture. In order to be able to protect their organizations from cyber threats, 68 percent of respondents believe it is essential (33 percent) or very important (35 percent) to reduce complexity within their IT security architecture.

According to respondents, employees’ access to cloud-based apps and data and use of mobile devices in the workplace are the biggest drivers of complexity. The growth in unstructured data is making it increasingly difficult to deal with cyber threats.

Complexity seems unstoppable. As shown in Figure 1, complexity is a growing problem. Fifty-eight percent of respondents say in the past two years the complexity of their organizations’ IT security architecture increased significantly (28 percent) or increased (30 percent) and 66 percent believe in the next two years complexity will increase.

Following are eight consequences of complexity.

  • Inability to integrate security technologies across different platforms.
  • Inability to ensure policies and governance practices are applied consistently across the enterprise.
  • Too many active endpoints.
  • Poor investments in overly complex security technologies that are difficult to operate and financial loss due to the scrapping of these complex technologies.
  • Inability to see vulnerabilities in the system.
  • Difficulty in communicating the organization’s security strategy and approach to deal with cyber threats to senior management.
  • Decline in productivity of IT security staff due to complexity.
  • Lack of accountability for IT security practices.

Part 2. Key findings

Here is a sampling of key findings: These will be explored in more detail during a webinar held on Jan. 17. Click here to register for the webinar.

Most IT security architectures are very complex. Sixty-seven percent of respondents say their organizations’ IT security architecture is very complex.

What are the consequences of complexity? Only 35 percent of respondents rate their ability to hire and retain qualified security personnel as high (7+ on a scale from 1 = no ability to 10 = strong ability). Also problematic is the ability to integrate security technologies across different platforms (only 29 percent rate their ability as high) or to ensure policies and governance practices are applied consistently across the enterprise (only 21 percent rate their ability as high).

Employees’ use of cloud-based apps and mobile devices is considered most responsible for IT security complexity.  Some 64 percent say it is access to cloud-based applications and data and 56 percent say it is the use of mobile devices (including BYOD and mobile apps) that increase the complexity of dealing with IT security risks. The rapid growth of unstructured data and constant changes to the organization as a result of mergers and acquisitions, divestitures, reorganizations and downsizing also increase complexity.

Investments in security technologies have contributed to complexity. In the survey, 61 percent of respondents say enabling security technologies have made it more complicated to deal with threats, and 72 percent say they have lost money on poor investment in enabling security technologies.

Current security architectures are overly complex. According to 71 percent of respondents, the complexity of their companies’ IT and IT security architecture makes it difficult to see vulnerabilities in the system and 51 percent of respondents say simplified policies and processes are needed to improve the ability to respond to a changing threat landscape.

Companies shelved or scrapped enabling security technologies because of complexity. Sixty-five percent of respondents say their company has had to frequently (27 percent) or sometimes (38 percent) scrap or shelve one or more enabling security technologies because they did not effectively mitigate cyber threats or were too complex to operate. The primary reason for not deploying technologies purchased is that they were too complicated to operate (63 percent of respondents). Other reasons are the lack of in-house expertise to deploy and manage the technology (54 percent of respondents) and poor vendor support and service (48 percent of respondents).

Complexity makes it difficult to explain the approach taken to reduce IT security risks to senior management. Some 67 percent of respondents believe their company’s approach to dealing with cyber threats is too complex to explain to senior executives. Such difficulty in communicating IT security practices to senior management leads to difficulty in achieving goals and objectives set by senior management (49 percent of respondents). As a result, 62 percent of respondents say their company needs to simplify and streamline its security architecture.

Complexity affects the staffing of knowledgeable IT security professionals. As discussed previously, only 35 percent of respondents rate their companies’ ability to hire and retain qualified security personnel as high; 56 percent of respondents say they do not have the necessary expertise to deal with the complexity of their IT and IT security processes and 52 percent of respondents say their companies’ current IT security infrastructure is too complicated and, as a result, decreases the productivity of their IT security staff.

Ineffective IT security architectures are costly. Respondents estimate an average potential total cost exposure from IT security failures of $77 million. The most significant financial impact results from the organization’s response to information misuse or theft followed by costs associated with reputation and brand damage because of IT security failure.

To learn more about these findings, check out the webinar.

Here's what millions of leaked passwords look like, and other scenes from inside The Glass Room

Bob Sullivan

It’s very hard to make privacy and security sexy. The folks at Mozilla and the Tactical Technology Collective have done just that this month with a clever art installation/ pop-up shop in lower Manhattan called “The Glass Room.”

The Glass Room aims to inform and challenge visitors by making them see and touch real-life representations of digital risks, the same way you might wander through an art gallery and ponder other life mysteries.

Visitors there are forced to look at an encyclopedia-style pile of books in which every password stolen from LinkedIn is printed. They are listed alphabetically, so every few minutes someone exclaims when they find their password printed in the volumes.


The point is really the sheer size of that hack … which was indeed quite a bit smaller than Yahoo’s hack announced this week.

Other works include a Fitbit attached to a metronome, designed to fool the gadget’s supposed health predictive abilities; Where the F&^&* was I, a printed book showing all the places the artist had been during a year, according to the cloud; and a screen showing data leaked by smartphones as people walk by outside.

Maya Indira Ganesh gave me a tour of the place.

“It’s an art exhibition that’s trying to shine a light on what it means to live in the data society,” she told me. It’s also trying to scare folks a little bit.

Not all surveillance technology is bad, of course. The Glass Room tells both sides of the story. Video monitors can help you check in on elderly family members, for example. But you should always wonder: Who else is watching, and why?

Thankfully, The Glass Room includes a detox bar in the back, with Apple-store-like “Ingeniuses” there to help you fix the privacy settings on your gadgets. They also offer an 8-day data detox kit, which I’ll be sharing in the future.

The Glass Room first popped up in Germany before making its way to Manhattan this month. The store closes this weekend, but you can browse the entire exhibit online. And, better yet, you can watch the videos I’ve attached to this story.

Patient misidentification a life-or-death crisis

Larry Ponemon

A serious and life-threatening problem in healthcare organizations is a medical error or adverse event due to the misidentification of patients. In the 2016 National Patient Misidentification Report of nurses, physicians, and IT practitioners, we examine the frequency and root causes of near misses, adverse events and sentinel events due to patient misidentification. We also survey CFOs and others in financial operations to determine the financial consequences of denied claims due to patient misidentification. A total of 460 individuals participated in this research.

How serious is the problem? Eighty-six percent of respondents say they have witnessed or know of a medical error that was the result of patient misidentification. The two primary root causes of patient misidentification are mistakes made when a patient is registered (63 percent of respondents) and the pressure to treat patients quickly (60 percent of respondents).

Difficulty in finding charts or medical records and finding duplicate medical records for a patient contributes to errors — 68 percent of respondents say when caring for a patient they have a hard time finding their chart or medical record almost all the time and 67 percent of respondents say when searching for information about the patient they find duplicate medical records for that patient almost all the time.

In addition to life and death consequences from making mistakes, healthcare organizations are losing money because of denied claims connected with patient misidentification. An analysis of costs associated with the denial of claims due to patient misidentification is provided in Appendix 1 of this report.  It shows that the average-sized hospital incurs reworking costs exceeding $71,000 per year. We also estimate the total cost of $1.2 million for rejected claims that resulted from patient misidentification.

Key takeaways from this study include the following.

Most patient misidentification starts at registration. Eighty-four percent of respondents strongly agree or agree that misidentifying a patient can lead to medical errors or adverse events. These include a near miss, sentinel event and even death.

Misidentification starts at the beginning of the patient’s experience. Most misidentification occurs when the patient is being registered for a procedure (63 percent of respondents). Another primary cause for errors is the time pressure nurses, physicians and physician assistants experience when treating patients (60 percent of respondents).

What leads to patient misidentification? According to 64 percent of respondents, a patient is misidentified in the “typical” healthcare facility very frequently or all the time. The following errors are very common in most healthcare facilities.

  • Inability to find a patient’s chart or medical record (68 percent of respondents)
  • A search or query that results in multiple or duplicate medical records for that patient (67 percent of respondents)
  • A wrong record is associated with the wrong patient because of the same name and/or date of birth (56 percent of respondents)
  • The wrong record is pulled up for a patient because another record in the registration system or EMR has the same name and/or date of birth (61 percent of respondents)

Correcting or getting additional patient information contributes to medical errors. Also putting patients at risk is the inability to quickly get information that is missing or incomplete in patient records. According to 37 percent of respondents, up to or more than one hour is spent contacting the medical records or HIM department to get critical information about their patients.

What are the medical consequences of patient misidentification? Patient misidentification can result in errors in medication, blood transfusion and radiation that could have life and death consequences for patients. Ninety percent of respondents say medication errors could be fatal.

Research points to the need to improve the accuracy of patient registration. As part of this research, we surveyed CFOs and individuals involved in the healthcare facility’s revenue cycles. As with clinicians, the most common root cause is incorrect patient identification at registration such as an incorrect armband placement followed by reliance on homegrown or obsolete identification systems.

Denied claims from providing wrong patient information cost healthcare organizations. The patient identification process at registration can be cumbersome and challenging and can result in unintended duplicate medical records and overlays due to typing errors or miscommunication. Such errors can result in denied claims.

Sixty-five percent of respondents involved in the finances of healthcare organizations believe denied claims have a very significant or significant impact on accounts receivable. On average, hospitals have 30 percent of all claims denied and an average of 35 percent of these denied claims are attributed to inaccurate patient identification or inaccurate/incomplete patient information.

The use of biometrics can ensure proper patient identification. Seventy-two percent of respondents believe positively identifying a patient at registration through biometrics could improve cash flow for their hospitals. Positively identifying a patient at registration through biometrics could reduce denied claims (76 percent of respondents) by an average of 25 percent. It could also reduce the average number of days in accounts receivable (104 days) by an average of 22 percent. As a result of reducing denied claims, 80 percent of respondents say their hospital’s cash flow could improve by an average of 25 percent.

Healthcare executives and care providers believe the use of biometrics could reduce the consequences of patient misidentification. A positive (biometric) patient identification could reduce overall medical errors and adverse events, according to 77 percent of respondents. In fact, 50 percent of all deaths could be eliminated with such technology, according to respondents.


Click here to download the full report.

‘Your money or your data!’ – Most still have never heard of ransomware; while a majority of victims have paid up, IBM says

Bob Sullivan

There’s fresh evidence out Wednesday to show the ransomware epidemic has staying power. Why? Victims are paying ransoms for their data, that’s why.

Madison County, Indiana made headlines last week because it admitted a recent ransomware attack will cost taxpayers there $220,000 — some to the hackers, most for security upgrades.

But Madison County shouldn’t be singled out. Ransomware nightmares — involving malicious software that encrypts victims’ data and won’t “give it back” unless a fee is paid — are playing out everywhere. The Carroll County, Arkansas, sheriff’s department admitted this week it had paid $2,400 to recover data held captive from its law enforcement management system, which holds reports, bookings and other day-to-day operational data, according to Townhall.com.

The hits keep coming because victims keep paying; and victims keep paying because they seem to have no other choice. Obviously, criminals will keep doing what works.

IBM researchers set out recently to understand the prevalence of ransomware. In a report released Wednesday, IBM’s X-Force said that the volume of spam containing ransomware has skyrocketed.  The FBI claims there were an average of 4,000 attacks per day in the first quarter of 2016.

And yet, IBM found that only 31 percent of consumers had even heard the term “ransomware.” Meanwhile, 75 percent said they “are confident they can protect personal data on a computer they own.”  Meanwhile, 6 out of 10 said they had not taken any action in the past three months to protect themselves from being hacked.

That’s head-in-the-sand stuff, folks. Forward your friends this story now — but don’t include it as an attachment, please.

Meanwhile, companies seem to be more realistic, and more frightened — 56 percent of companies surveyed by the Ponemon Institute said, in a separate study, they are not ready to deal with ransomware. (I have a business partnership with Larry Ponemon at PonemonSullivanReport.com).

All this matters because a majority of consumers and corporations actually say they’d pay to recover data encrypted by a criminal. Some 54 percent said they’d pay up to $100 to get back financial data, and 55 percent said they’d do so to retrieve lost digital photos. Not surprisingly, parents (71 percent) are much more concerned than non-parents (54 percent) about family digital photos being held for ransom or access blocked.

(Back up those family photos, kids!)

Now, for the meat of the report. Many corporations told IBM that they had already paid ransom for data — seven in ten of those who have experience with ransomware attacks have done so, with more than half paying over $10,000, IBM said. Many paid more.

  • 20 percent paid more than $40,000
  • 25 percent paid $20,000 – $40,000
  • 11 percent paid $10,000 – $20,000

“The perception of the value of data, and the corresponding willingness to pay to retrieve it, increases with company size. Sixty percent of all respondents say their businesses would pay some ransom and they’re most willing to pay for financial (62 percent) and customer/sales records,” the report said.

All this paying up flies in the face of law enforcement’s advice, which is to never pay.

“Paying a ransom doesn’t guarantee an organization that it will get its data back,” said FBI Cyber Division Assistant Director James Trainor in a report earlier this year. “We’ve seen cases where organizations never got a decryption key after having paid the ransom. Paying a ransom not only emboldens current cybercriminals to target more organizations; it also offers an incentive for other criminals to get involved in this type of illegal activity. And finally, by paying a ransom, an organization might inadvertently be funding.”

Of course, the FBI is looking at the macro impact, while the victims are looking at a huge, immediate micro problem.

How can you protect yourself? IBM says the main way ransomware arrives is through an unsolicited email with a booby-trapped attachment — usually a Microsoft Office document that asks for macro permissions. So don’t click on those and you’ve gone a long way towards protecting yourself. Here are some other tips from IBM.

Banish unsolicited email: Sending a poisoned attachment is one of the most popular infection methods used by ransomware operators. Be very discerning when it comes to what attachments you open and what links you click in emails.

No macros: Office document macros have been a top choice for ransomware operators in 2016. Opening a document that then requires enabling macros to see its content is a very common sign of malware, and macros from email should be disabled altogether.

Update and patch: Always update your operating system, and ideally have automatic updates enabled. Opt to update any software you use often, and delete applications you rarely access.

Protect: Have up-to-date antivirus and malware detection software on your endpoint. Allow scans to run completely, and update the software as needed. Enable the security offered by default through your operating system, like firewall or spyware detection.

Junk it: Instead of unsubscribing from spam emails, which will confirm to your spammer that your address is alive, mark them as junk and set up automatic emptying of the junk folder.
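The “No macros” tip above can be enforced rather than left to each user’s judgment. The following PowerShell script is an added example, not code from IBM’s report or from this post: it sets the two Office policy registry values that (a) block macros in documents that arrived from the Internet or email and (b) disable VBA macros without prompting. It assumes Office 2016 / Microsoft 365 (registry hive version 16.0) and writes per-user policy keys under HKCU; the value names BlockContentExecutionFromInternet and VBAWarnings are the documented Office Group Policy registry settings.

```powershell
# Added example (not from IBM's report or this post): enforce the "No macros"
# advice on a Windows endpoint by writing the Office macro policy values.
# Assumptions: Office 2016 / Microsoft 365 (hive version "16.0"); per-user
# policy under HKCU, so no elevation is required for the current user.

$officeVersion = '16.0'
$apps = 'Word', 'Excel', 'PowerPoint'

foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }

    # Policy "Block macros from running in Office files from the Internet":
    # files carrying the Mark-of-the-Web (downloads, email attachments) cannot
    # run macros at all, regardless of the user's Trust Center choice.
    Set-ItemProperty -Path $key -Name 'BlockContentExecutionFromInternet' -Value 1 -Type DWord

    # Policy "VBA Macro Notification Settings": 4 = disable all macros without
    # notification. Use 3 instead if your organization signs its own macros and
    # only digitally signed ones should run.
    Set-ItemProperty -Path $key -Name 'VBAWarnings' -Value 4 -Type DWord
}

# Read the values back so the change can be verified (or audited later).
foreach ($app in $apps) {
    $key = "HKCU:\Software\Policies\Microsoft\Office\$officeVersion\$app\Security"
    Get-ItemProperty -Path $key |
        Select-Object @{ Name = 'App'; Expression = { $app } },
                      BlockContentExecutionFromInternet,
                      VBAWarnings
}
```

Values written under the Policies hive take precedence over whatever the user selects in the Trust Center, which is why a document that “asks for macro permissions” simply cannot obtain them afterwards. On a managed fleet the same two settings are normally pushed through Group Policy with the Office administrative templates instead of a script on each machine; the registry values are identical either way.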


The price of the insider threat — negligence more common, criminals more costly

Larry Ponemon

Ponemon Institute is pleased to present the findings of the 2016 Cost of Insider Threats study sponsored by Dtex. The purpose of this benchmark study is to understand the direct and indirect costs that result from insider threats. In the context of this research, insider threats are defined as:

  • A careless or negligent employee or contractor,
  • A criminal or malicious insider or
  • A credential thief.

We interviewed 280 IT and IT security practitioners in 54 organizations from April to July 2016. Each organization experienced one or more material events caused by an insider. These organizations experienced a total of 874 insider incidents over the past 12 months. Our targeted organizations were business organizations with a global headcount of 1,000 or more employees located throughout the United States.

Imposter risk is the most costly

The cost ranges significantly based on the type of incident. If it involves a negligent employee or contractor, the incident can average $206,933. The average cost more than doubles if the incident involves an imposter or thief who steals credentials ($493,093). Criminal and malicious insiders cost the organizations represented in this research an average of $347,130.  The activities that drive costs are: monitoring & surveillance, investigation, escalation, incident response, containment, ex-post analysis and remediation.

The negligent insider is the root cause of most incidents

Most incidents in this research were caused by insider negligence. Specifically, the careless employee or contractor was the root cause of almost 600 (598) of the 874 incidents reported. The most expensive incidents, due to imposters stealing credentials, were the least reported and totaled 85 incidents.

Organizational size and industry affect the cost per incident

The cost of incidents varies according to organizational size. Large organizations with a headcount of more than 75,000 spent an average of $7.8 million to resolve the incident. To deal with the consequences of an insider incident, organizations with a headcount between 1,000 and 5,000 spent an average of $2 million. Financial services, retail, industrial and manufacturing spent an average of $5 million.

User behavior analytics combined with other tools reduce the total cost

Using incremental analysis, we recalculated the total cost of insider-related incidents under the condition that a given tool or activity is deployed across the enterprise. Companies that deploy user behavior analytics (UBA) realized an average cost reduction of $1.1 million. The use of threat intelligence systems resulted in an $0.8 million average cost reduction.  Similarly, the deployment of data loss prevention (DLP) tools resulted in an average cost reduction of $0.7 million. Companies that deploy user behavior analytics in combination with threat intelligence, employee monitoring and data loss prevention have an average total cost of $2.8 million, which is $1.5 million lower than the overall average.

Click here to read the rest of the study.