The State of Cybersecurity Risk Management Strategies

What are the cyber-risks — and opportunities — in the age of AI? The purpose of this research is to determine how organizations are preparing for an uncertain future because of the ever-changing cybersecurity risks threatening their organizations. Ponemon Institute surveyed 632 IT and IT security professionals in the United States who are involved in their organizations’ cybersecurity risk management strategies and programs. The research was sponsored by Balbix.

Frequently reviewed and updated cybersecurity risk strategies and programs are the foundation of a strong cybersecurity posture. However, many organizations’ strategies and programs are outdated, which jeopardizes their ability to prevent and respond to security incidents and data breaches.

When asked how far into the future their organizations plan their cybersecurity risk strategies and programs, 65 percent of respondents say two years (31 percent) or more than two years (34 percent). Only 23 percent of respondents say the strategy covers just one year because of changes in technologies and the threat landscape, and 12 percent say it covers less than one year.

The following research findings reveal the steps that should be included in cybersecurity risk strategies and programs.

Identify unpatched vulnerabilities and patch them in a timely manner. According to a previous study sponsored by Balbix, only 10 percent of respondents were very confident that their organizations have a vulnerability and risk management program that helps them avoid a data breach. Only 15 percent of respondents rated their organizations’ ability to identify vulnerabilities and patch them in a timely manner as highly effective.

In this year’s study, 54 percent of respondents say unpatched vulnerabilities are of the greatest concern to their organizations, followed by outdated software (51 percent of respondents) and user error (51 percent of respondents).

Frequent scanning to identify vulnerabilities should be conducted. In the previous Balbix study, only 31 percent of respondents said their organizations scan daily (12 percent) or weekly (19 percent). In this year’s research, scanning has not increased in frequency. Only 38 percent of respondents say their organizations scan for vulnerabilities more than once per day (25 percent) or daily (13 percent).

The prioritization of vulnerabilities should not be limited to a vendor’s vulnerability scoring. Fifty-one percent of respondents say their organizations use vendor vulnerability scoring to prioritize vulnerabilities. Only 33 percent of respondents say their organizations use a risk-based vulnerability management solution, and only 25 percent say prioritization is based on a risk scoring system within their vulnerability management tools.
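The contrast the finding above draws between vendor scoring and risk-based prioritization is easier to see with a worked ranking. The following is an added example, not code from the Ponemon/Balbix research; the findings, asset names, placeholder identifiers and scoring weights are all constructed for illustration.

```python
"""Risk-based vulnerability prioritization (added example, constructed data).

A vendor score such as a CVSS base score rates the flaw in isolation. A
risk-based ranking also weighs context the scanner does not know: how
critical the asset is to the business, whether it is reachable from the
internet, and whether exploitation is actually being observed. The weights
below are an illustrative assumption, not values from the survey.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    cve: str                 # identifier as reported by the scanner
    asset: str               # constructed asset name
    vendor_score: float      # vendor/CVSS base score, 0.0-10.0
    asset_criticality: int   # 1 (lab box) .. 5 (revenue-critical)
    internet_exposed: bool
    exploited_in_wild: bool


def risk_score(f: Finding) -> float:
    """Combine vendor severity with business context into a 0-100 risk score.

    Assumed weighting: severity contributes up to 40 points, asset
    criticality up to 30, internet exposure 15 and known exploitation 15.
    """
    severity = f.vendor_score / 10.0 * 40
    criticality = (f.asset_criticality - 1) / 4 * 30
    exposure = 15 if f.internet_exposed else 0
    exploited = 15 if f.exploited_in_wild else 0
    return round(severity + criticality + exposure + exploited, 1)


def rank_by_vendor_score(findings):
    """Ordering a scanner gives you: most severe flaw first, context ignored."""
    return sorted(findings, key=lambda f: f.vendor_score, reverse=True)


def rank_by_risk(findings):
    """Ordering a risk-based program uses: highest business risk first."""
    return sorted(findings, key=risk_score, reverse=True)


# Constructed sample findings; the CVE-like identifiers are placeholders,
# not real advisories.
SAMPLE_FINDINGS = [
    Finding("PLACEHOLDER-CVE-1", "build-server", 9.8, 2, False, False),
    Finding("PLACEHOLDER-CVE-2", "payments-api", 7.5, 5, True, True),
    Finding("PLACEHOLDER-CVE-3", "intranet-wiki", 8.1, 3, False, False),
    Finding("PLACEHOLDER-CVE-4", "customer-portal", 6.5, 5, True, False),
]

if __name__ == "__main__":
    print("vendor order:", [f.cve for f in rank_by_vendor_score(SAMPLE_FINDINGS)])
    print("risk order:  ", [(f.cve, risk_score(f)) for f in rank_by_risk(SAMPLE_FINDINGS)])
```

The vendor ordering puts the 9.8 on an internal build server first; the risk ordering puts the 7.5 on the internet-facing, actively exploited payments API first and the build server last, which is the kind of reordering a risk-based program exists to produce.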

Take steps to reduce the risks posed by the attack vectors of greatest concern: software vulnerabilities (45 percent of respondents), ransomware (37 percent of respondents), poor or missing encryption (36 percent of respondents) and phishing (36 percent of respondents). An attack vector is a path or method that an attacker uses to gain unauthorized access to a network or computer by exploiting system flaws.

Inform the C-suite and board of directors of the threats against the organization to obtain the necessary funding for cybersecurity programs and strategies. The previous Balbix study revealed that the C-suite and IT security functions operate in a communications silo. Only 29 percent of respondents said their organizations’ executives and senior management clearly communicate their business risk management priorities to the IT security leadership, and only 21 percent of respondents said their communications with the C-suite are highly effective. Those respondents who said they were very effective attributed it to presenting information in a way that was understandable and to keeping their leaders up to date on cyber risks rather than waiting until the organization had a data breach or security incident.

In this year’s study, 50 percent of respondents rate their organizations’ effectiveness in communicating the state of their cybersecurity as very low or low. The primary reasons are that negative facts are filtered before being disclosed to senior executives and the CEO (56 percent of respondents), communications are limited to only one department or line of business (silos) (44 percent of respondents) and the information can be ambiguous, which may lead to poor decisions (41 percent of respondents).

The IT and IT security functions should provide regular briefings on the state of their organizations’ cybersecurity risks. In addition to making their presentations understandable and unambiguous, briefings should not be limited to only when a serious security risk is revealed or if senior management initiates the request.

To address the challenge of meeting SLAs, organizations need to eliminate the silos that inhibit communication among project teams. Forty-nine percent of respondents say their organizations track SLAs to evaluate their cybersecurity posture. Of these respondents, only 44 percent say their organization is meeting most or all of the SLAs that support its cybersecurity posture.

If AI is adopted as part of a cybersecurity strategy, the risks created by AI need to be managed. Fifty-four percent of respondents say their organizations have fully adopted (26 percent) or partially adopted (28 percent) AI. Risks include poorly configured or misconfigured systems due to over-reliance on AI for cyber risk management, software vulnerabilities due to AI-generated code, data security risks caused by weak or no encryption, incorrect predictions due to data poisoning and inadvertent infringement of privacy rights due to the leakage of sensitive information.

Steps to reduce these risks include regular user training and awareness about the security implications of AI, developing data security programs and practices for AI, identifying and mitigating bias in AI models for safe and responsible use, considering and implementing a tool for software vulnerability management, conducting regular audits and tests to identify vulnerabilities in AI models and infrastructure, deploying risk quantification of AI models and their infrastructure, and considering tools to validate AI prompts and their responses.

To read more key findings from this research, please visit the Balbix website.

Appeals court rules TikTok could be responsible for algorithm that recommended fatal strangulation game to child

Bob Sullivan

TikTok cannot use federal law “to permit casual indifference to the death of a ten-year-old girl,” a federal judge wrote this week.  And with that, an appeals court has opened a Pandora’s box that might clear the way for Big Tech accountability.

Silicon Valley companies have become rich and powerful in part because federal law has shielded them from liability for many of the terrible things their tools enable and encourage — and, it follows, from the expense of stopping such things. Smart phones have poisoned our children’s brains and turned them into The Anxious Generation; social media and cryptocurrency have enabled a generation of scam criminals to rob billions from our most vulnerable people; advertising algorithms tap into our subconscious in an attempt to destroy our very agency as human beings. To date, tech firms have made only passing attempts to stop such terrible things, emboldened by federal law which has so far shielded them from liability …  even when they “recommend” that kids do things which lead to death.

That’s what happened to 10-year-old Tawainna Anderson, who was served a curated “blackout challenge” video by TikTok on a personalized “For You” page back in 2021. She was among a series of children who took up that challenge and experimented with self-asphyxiation — and died. When Anderson’s parents tried to sue TikTok, a lower court threw out the case two years ago, saying tech companies enjoy broad immunity because of the 1996 Communications Decency Act, and its Section 230.

You’ve probably heard of that. Section 230 has been used as a get-out-of-jail-free card by Big Tech for decades; it’s also been used as an endless source of bar fights among legal scholars.

But now, with very colorful language, a federal appeals court has revived the Anderson family lawsuit and thrown Section 230 protection into doubt.  Third Circuit Judge Paul Matey’s concurring opinion seethes at the idea that tech companies aren’t required to stop awful things from happening on their platforms, even when it’s obvious that they could.  He also takes a shot at those who seem to care more about the scholarly debate than about the clear and present danger facilitated by tech tools. It’s worth reading this part of the ruling in full.

TikTok reads Section 230 of the Communications Decency Act… to permit casual indifference to the death of a ten-year-old girl. It is a position that has become popular among a host of purveyors of pornography, self-mutilation, and exploitation, one that smuggles constitutional conceptions of a “free trade in ideas” into a digital “cauldron of illicit loves” that leap and boil with no oversight, no accountability, no remedy. And a view that has found support in a surprising number of judicial opinions dating from the early days of dialup to the modern era of algorithms, advertising, and apps. But it is not found in the words Congress wrote in Section 230, in the context Congress acted, in the history of common carriage regulations, or in the centuries of tradition informing the limited immunity from liability enjoyed by publishers and distributors of “content.” As best understood, the ordinary meaning of Section 230 provides TikTok immunity from suit for hosting videos created and uploaded by third parties. But it does not shield more, and Anderson’s estate may seek relief for TikTok’s knowing distribution and targeted recommendation of videos it knew could be harmful.

Later on, the opinion says, “The company may decide to curate the content it serves up to children to emphasize the lowest virtues, the basest tastes. But it cannot claim immunity that Congress did not provide.”

The ruling doesn’t tear down all Big Tech immunity. It makes a distinction between TikTok’s algorithm specifically recommending a blackout video to a child after the firm knew, or should have known, that it was dangerous… as opposed to a child seeking out such a video “manually” through a self-directed search. That kind of distinction has been lost through years of reading Section 230 at its most generous from Big Tech’s point of view. I think we all know where that has gotten us.

In the simplest of terms, tech companies shouldn’t be held liable for everything their users do, no more than the phone company can be liable for everything callers say on telephone lines — or, as the popular legal analogy goes, a newsstand can’t be liable for the content of the magazines it sells.

After all, that newsstand has no editorial control over those magazines. Back in the 1990s, Section 230 added just a touch of nuance to this concept, which was required because tech companies occasionally dip into their users’ content and restrict it. Tech firms remove illegal drug sales, or child porn, for example. While that might seem akin to the exercise of editorial control, we want tech companies to do this, so Congress declared that such occasional meddling does not turn a tech firm from a newsstand into a publisher: it does not assume additional liability because of such moderation, and instead enjoys immunity.

This immunity has been used as permission for all kinds of undesirable activity. Using another mildly strained metaphor, a shopping mall would never be allowed to operate if it ignored massive amounts of crime going on in its hallways…let alone supplied a series of tools that enable elder fraud, or impersonation, or money laundering. But tech companies do that all the time. In fact, we know from whistleblowers like Frances Haugen that tech firms are fully aware their tools help connect anxious kids with videos that glorify anorexia.  And they lead lonely and grief-stricken people right to criminals who are expert at stealing hundreds of thousands of dollars from them. And they allow ongoing crimes like identity theft to occur without so much as answering the phone from desperate victims like American service members who must watch as their official uniform portraits are used for romance scams.

Will tech companies have to change their ways now? Will they have to invest real money into customer service to stop such crimes, and to stop their algorithms from recommending terrible things?  You’ll hear that such an investment is an overwhelming demand. Can you imagine if a large social media firm was forced to hire enough customer service agents to deal with fraud in a timely manner? It might put the company out of business.  In my opinion, that means it never had a legitimate business model in the first place.

This week’s ruling draws an appropriate distinction between tech firms that passively host content which is undesirable and firms which actively promote such content via algorithm. In other words, algorithm recommendations are akin to editorial control, and Big Tech must answer for what their algorithms do.  You have to ask: Why wouldn’t these companies welcome that kind of responsibility?

The Section 230 debate will rage on.  Since both political parties have railed against Big Tech, and there is the appetite for change, it does seem like Congress will get involved. Good. Section 230 is desperate for an update.  Just watch carefully to make sure Big Tech doesn’t write its own rules for regulating the next era of the digital age. Because it didn’t do so well with the current era.

If you want to read more, I’d recommend Matt Stoller’s Substack post on the ruling. 


2024 Global PKI, IoT and Post Quantum Cryptography Study

Public key infrastructure (PKI) is considered essential to keeping people, systems and things securely connected. According to this research, to achieve PKI maturity organizations need to address the challenges of establishing clear ownership of the PKI strategy and having sufficient skills.

The 2024 Global PKI, IoT and Post Quantum Cryptography research is part of a larger study — sponsored by Entrust — published in May involving 4,052 respondents in 9 countries. In this report, Ponemon Institute presents the findings based on a survey of 2,176 IT and IT security practitioners who are involved in their organizations’ enterprise PKI in the following 9 countries: United States (409 respondents), United Kingdom (289 respondents), Canada (245 respondents), Germany (309 respondents), Saudi Arabia (Middle East) (162 respondents), United Arab Emirates (UAE) (203 respondents), Australia/NZ (156 respondents), Japan (168 respondents) and Singapore (235 respondents).

“With the rise of costly breaches and AI-generated deepfakes, synthetic identity fraud, ransomware gangs, and cyber warfare, the threat landscape is intensifying at an alarming rate,” said Samantha Mabey, Director Solutions Marketing at Entrust. “This means that implementing a Zero Trust security practice is an urgent business imperative – and the security of organizations’ and their customers’ data, networks, and identities depends on it.”

The following is a summary of the most important takeaways from the research.

The share of respondents whose organizations orchestrate their PKI software increased from 42 percent to 50 percent. However, 59 percent of respondents say orchestration is very or extremely complex, an increase from 43 percent of respondents.

Responsibility for the PKI strategy is being assigned to IT security and IT leaders. As PKI becomes increasingly critical to an organization’s security posture, the CISO and CIO are most responsible for their organization’s PKI strategy. The IT manager being most responsible for the PKI strategy has declined from 26 percent to 14 percent of respondents.

Fifty-two percent of respondents say they have PKI specialists on staff who are involved in their organizations’ enterprise PKI. Of the 48 percent of respondents whose organizations do not have PKI specialists, 45 percent rely on consultants and 55 percent rely on service providers.

A certificate authority (CA) provides assurance about the parties identified in a PKI certificate. Each CA maintains its own root CA for use only by the CA. The most popular methods for deploying enterprise PKI continue to be an internal corporate CA or an externally hosted private CA offered as a managed service, according to 60 percent and 47 percent of respondents, respectively.

No clear ownership, insufficient skills and requirements that are too fragmented or inconsistent are the top three challenges to enabling applications to use PKI. No clear ownership continues to be the top challenge to deploying and managing PKI, according to 51 percent of respondents, followed by insufficient skills (43 percent of respondents) and requirements that are too fragmented or inconsistent (43 percent of respondents).

Challenges that are declining significantly include the lack of resources (from 64 percent of respondents to 41 percent of respondents) and lack of visibility of the applications that will depend on PKI (from 48 percent to 33 percent of respondents).

As organizations strive to achieve greater PKI maturity, they anticipate the most change and uncertainty in PKI technologies and with vendors. Forty-three percent of respondents expect the most change in PKI technologies and 41 percent expect it in vendors’ products and services.

Cloud-based services continue to be the number one trend driving the deployment of applications using PKI (46 percent of respondents). However, the share of respondents who say IoT is the most important trend driving the deployment of applications using PKI has declined from 47 percent to 39 percent. BYOD and internal mobile device management has increased significantly, from 24 percent of respondents to 34 percent of respondents.

More organizations are deploying certificate revocation techniques. In addition to verifying the CA’s signature on a certificate, the application software must also be sure that the certificate is still trustworthy at the time of use. Certificates that are no longer trustworthy must be revoked by the CA. The share of organizations that do not deploy any certificate revocation technique has declined significantly, from 32 percent to 13 percent.

The certificate revocation technique most often deployed continues to be Online Certificate Status Protocol (OCSP), according to 45 percent of respondents. For the first time, the manual certificate revocation list is the second technique most often deployed.
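The two paragraphs above describe the check a relying application has to make after the signature verifies: is this certificate still trustworthy right now? The following is an added example, not code from the Ponemon/Entrust study, showing the decision logic of a CRL-based check in Python. The CRL class is a simplified stand-in for the X.509 CRL fields (issuer, thisUpdate, nextUpdate, revoked serials), not a DER parser, and the issuer name, serials and dates are constructed.

```python
"""Certificate revocation decision logic (added example, constructed data).

Verifying the CA's signature proves a certificate was once issued; the
relying application must also confirm it has not been revoked since. This
models the decision a CRL-based check makes: is the revocation data fresh,
is the serial listed, and what to do when no trustworthy answer exists.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

UTC = timezone.utc


@dataclass
class CRL:
    """Simplified stand-in for the fields of an X.509 CRL (assumption)."""
    issuer: str
    this_update: datetime
    next_update: datetime
    revoked: dict = field(default_factory=dict)  # serial (lowercase hex) -> reason


def crl_is_fresh(crl: CRL, now: datetime) -> bool:
    """A CRL is usable only between its thisUpdate and nextUpdate."""
    return crl.this_update <= now <= crl.next_update


def revocation_status(serial: str, issuer: str, crl, now: datetime) -> str:
    """Return 'good', 'revoked' or 'unknown' for a certificate serial.

    'unknown' covers every case where no trustworthy answer exists: no CRL
    was obtained, the CRL belongs to a different issuer, or it is stale.
    """
    if crl is None or crl.issuer != issuer or not crl_is_fresh(crl, now):
        return "unknown"
    return "revoked" if serial.lower() in crl.revoked else "good"


def accept_certificate(serial: str, issuer: str, crl, now: datetime,
                       soft_fail: bool = False) -> bool:
    """Decide whether to trust the certificate at time of use.

    Fail-closed is the default: an 'unknown' status is rejected. soft_fail=True
    reproduces the common but risky behaviour of accepting a certificate when
    revocation data is unavailable, which means a blocked CRL download keeps a
    revoked certificate usable.
    """
    status = revocation_status(serial, issuer, crl, now)
    if status == "good":
        return True
    if status == "revoked":
        return False
    return soft_fail


# Constructed sample data: a one-week CRL from a fictitious issuing CA.
ISSUER = "CN=Example Corp Issuing CA 1"
SAMPLE_CRL = CRL(
    issuer=ISSUER,
    this_update=datetime(2024, 6, 1, tzinfo=UTC),
    next_update=datetime(2024, 6, 8, tzinfo=UTC),
    revoked={"0a1b2c": "keyCompromise", "0d0e0f": "cessationOfOperation"},
)
T_FRESH = datetime(2024, 6, 3, tzinfo=UTC)   # inside the CRL validity window
T_STALE = datetime(2024, 6, 10, tzinfo=UTC)  # CRL past its nextUpdate

if __name__ == "__main__":
    for serial, when in [("abcdef", T_FRESH), ("0a1b2c", T_FRESH), ("abcdef", T_STALE)]:
        print(serial, when.date(), revocation_status(serial, ISSUER, SAMPLE_CRL, when),
              "accept:", accept_certificate(serial, ISSUER, SAMPLE_CRL, when))
```

The design point is the third case: a certificate with no entry on a stale CRL is not "good", it is "unknown", and the caller has to decide explicitly whether unknown means reject. An OCSP responder answers the same three-way question per certificate, with the freshness window given by the response's own validity times instead of the CRL's.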

Smart cards (for CA/root key protection) are used to manage the private keys for root/policy/issuing CAs by 41 percent of respondents. Thirty-one percent of respondents say removable media is used for CA/root key protection.

Organizations’ primary root CA strategies have shifted significantly since 2021. A root certificate is a public key certificate that identifies a root certificate authority (CA). Both offline, self-managed and offline, externally hosted root CAs increased to 29 percent of respondents. Online, self-managed decreased from 31 percent of respondents to 25 percent, and online, externally hosted decreased from 21 percent to 17 percent of respondents.

Organizations with internal CAs use an average of 6.5 separate CAs, managing an average of 31,299 internal or externally acquired certificates. An average of 9.5 distinct applications, such as email and network authentication, are managed by an organization’s PKI. Both the number of applications dependent upon the PKI and the nature of those applications indicate that PKI is a strategic part of the core enterprise IT backbone.

Conflict with other applications using the same PKI is becoming a bigger challenge to enabling applications to use the PKI. While the number one challenge is still not having sufficient skills, it has decreased from 43 percent to 37 percent of respondents.

Common Criteria Evaluation Assurance Level 4+ and Federal Information Processing Standards (FIPS) 140-2 Level 3 continue to be the most important security certifications when deploying PKI infrastructure and PKI-based applications. Fifty-seven percent of respondents say Common Criteria EAL 4+ is the most important security certification when deploying PKI. The evaluation at this level includes a comprehensive security assessment encompassing design testing and code review.

Fifty-five percent say FIPS 140-2 Level 3 is an important certification when deploying PKI. In the US, FIPS 140 is the standard called out by NIST in its definition of a “cryptographic module”, which is mandatory for most US federal government applications and a best practice in all PKI implementations.

SSL certificates for public-facing websites and services remain the application most often using PKI credentials, but their share has declined since 2022. Sixty-four percent of respondents say the application most often using PKI credentials is SSL certificates for public-facing websites and services. However, mobile device authentication and private cloud-based applications have increased as applications using PKI credentials (60 percent and 56 percent of respondents, respectively).

Scalability to millions of managed certificates continues to be the most important PKI capability for IoT deployments. While scalability is the most important, support for Elliptic Curve Cryptography (ECC) is the second most important PKI capability. ECC is an alternative to RSA and is considered a powerful public key cryptography approach. It derives public/private key pairs for public key cryptography from the mathematics of elliptic curves.

Today and in the next 12 months, the most important IoT security capabilities are delivering patches and updates to devices and monitoring device behavior. Device authentication will become more important in the next 12 months.

Post Quantum Cryptography

For the first time, this 2024 global study features organizations’ approach to achieving migration to Post Quantum Cryptography (PQC). As defined in the research, quantum computing is a rapidly emerging technology that harnesses the laws of quantum mechanics to solve problems too complex for classical computers.

Sixty-one percent of respondents plan to migrate to PQC within the next five years. The most popular path to PQC is implementation of pure PQC (36 percent of respondents), followed by a hybrid approach combining traditional cryptography with PQC (31 percent of respondents) and testing PQC with their organizations’ systems and applications (26 percent of respondents).

Many organizations are not prepared to achieve migration because of the lack of visibility and not having the right technologies. Only 45 percent of respondents say their organizations have full visibility into their cryptographic estate and 50 percent of respondents say they have the right technology to support the larger key lengths and computing power required with PQC.

To prepare for migration, organizations need to know what cryptographic assets and algorithms they have and where they reside. It is important to know data flows and where organizations’ long-life data resides that is sensitive and must remain confidential. To achieve full visibility, organizations need to ensure they have a full and clear inventory of all the cryptographic assets (keys, certificates, secrets and algorithms across the environment) and what is being secured.

Organizations are slow to prepare for the post-quantum threat. The quantum threat, sometimes referred to as “post quantum”, is the inevitability that within the decade a quantum computer will be capable of breaking traditional public key cryptography. Experts surveyed by the Global Risk Institute predict quantum computing will compromise cybersecurity as early as 2027.

Most respondents are not preparing for the post-quantum threat. Twenty-seven percent of respondents say their organizations have not yet considered the impact of the threat, 23 percent are aware of the potential impact but haven’t started to create a strategy and 9 percent are unsure if their organizations are preparing for the post-quantum threat.

To prepare for the post-quantum threat, 44 percent of respondents say their organizations are building a post-quantum cryptography strategy. Although it is recommended as a best practice, only 38 percent of respondents say their organization is taking an inventory of its cryptographic assets and/or ensuring it is crypto agile. Crypto agility is the capacity for an information security system to adopt an alternative to the original encryption method or cryptographic primitive without significant change to system infrastructure.

To protect against the post-quantum threat, organizations need to be able to have an inventory of their cryptographic assets and achieve a fully crypto agile approach to be able to easily transition from one algorithm to another. Improving the ability to have a complete inventory of cryptographic assets (43 percent of respondents) and to achieve crypto agility (40 percent of respondents) are the top two concerns.

Crypto agility is critical to the migration to PQC, yet only 28 percent of respondents say their organizations have a fully implemented crypto agile approach.
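The report defines crypto agility as the capacity to swap in an alternative cryptographic primitive without significant change to system infrastructure. What that looks like in code is the question the finding above raises, so here is an added example, not code from the Ponemon/Entrust study, of a crypto-agile integrity envelope in Python. The envelope carries an algorithm identifier, the set of accepted algorithms lives in a registry, and a newer primitive is introduced and an older one retired without changing the record format or the callers. HMAC over the standard-library hash functions stands in for the primitive being migrated; the one-byte identifiers, the key and the record contents are constructed.

```python
"""Crypto-agile integrity envelope (added example, constructed data).

Envelope layout (assumption):  alg_id (1 byte) || tag (32 bytes) || payload

Callers only ever call protect(), verify() and migrate(). Introducing a new
primitive is a registry entry plus a change of CURRENT_ALG; retiring an old
one is a set membership. Old records still verify until their algorithm is
retired, and migrate() re-protects them under the current algorithm.
"""
import hashlib
import hmac

# Algorithm registry: identifier -> (name, hash constructor). The ids are
# constructed for this example; a real system would use an agreed code point.
ALGORITHMS = {
    0x01: ("HMAC-SHA256", hashlib.sha256),
    0x02: ("HMAC-SHA3-256", hashlib.sha3_256),
}
CURRENT_ALG = 0x02   # what newly protected records use
RETIRED = set()      # identifiers no longer accepted by verify()
TAG_LEN = 32         # both registered hashes produce 32-byte tags

DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _tag(alg_id: int, key: bytes, payload: bytes) -> bytes:
    """MAC over alg_id || payload so the identifier itself is protected."""
    _, hash_ctor = ALGORITHMS[alg_id]
    return hmac.new(key, bytes([alg_id]) + payload, hash_ctor).digest()


def protect(payload: bytes, key: bytes, alg_id: int = None) -> bytes:
    """Wrap payload in an envelope tagged under alg_id (default: current)."""
    if alg_id is None:
        alg_id = CURRENT_ALG
    if alg_id not in ALGORITHMS or alg_id in RETIRED:
        raise ValueError(f"algorithm {alg_id:#04x} is not available for protection")
    return bytes([alg_id]) + _tag(alg_id, key, payload) + payload


def verify(envelope: bytes, key: bytes):
    """Return (alg_id, payload) if the envelope is intact, else raise."""
    if len(envelope) < 1 + TAG_LEN:
        raise ValueError("envelope too short")
    alg_id = envelope[0]
    if alg_id not in ALGORITHMS or alg_id in RETIRED:
        raise ValueError(f"algorithm {alg_id:#04x} is not accepted")
    tag, payload = envelope[1:1 + TAG_LEN], envelope[1 + TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(alg_id, key, payload)):
        raise ValueError("integrity check failed")
    return alg_id, payload


def is_valid(envelope: bytes, key: bytes) -> bool:
    """Boolean form of verify() for callers that only need a yes/no."""
    try:
        verify(envelope, key)
        return True
    except ValueError:
        return False


def migrate(envelope: bytes, key: bytes) -> bytes:
    """Re-protect a record under CURRENT_ALG; a no-op if already current."""
    alg_id, payload = verify(envelope, key)
    if alg_id == CURRENT_ALG:
        return envelope
    return protect(payload, key)


def retire(alg_id: int) -> None:
    """Stop accepting an algorithm once every record has been migrated."""
    RETIRED.add(alg_id)


if __name__ == "__main__":
    old = protect(b"customer record", DEMO_KEY, alg_id=0x01)   # legacy record
    new = migrate(old, DEMO_KEY)                                # now under 0x02
    print(ALGORITHMS[old[0]][0], "->", ALGORITHMS[new[0]][0], verify(new, DEMO_KEY)[1])
    retire(0x01)
    print("legacy record still accepted:", is_valid(old, DEMO_KEY))
```

Two details carry the agility: the identifier is part of the record rather than implied by deployment configuration, so records protected under different primitives coexist in one store during the migration window, and the identifier is covered by the tag, so an attacker cannot downgrade a record to a weaker registered algorithm without invalidating it. Swapping a post-quantum signature or KEM in for a classical one follows the same pattern, with the registry mapping identifiers to the new primitives.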

To read more key findings and the full report, please visit Entrust.com’s website.

Social media hack attack relies on the kindness of friends; I was (almost) a victim

Bob Sullivan

You might think your humble social media account would be of no use to multinational crime gangs, but you’d be wrong. Computer criminals have dozens of ways to turn hijacked Facebook, Instagram, TikTok or Twitter accounts into cash…or worse. You’d be stunned how quickly friend-of-friend attacks escalate into massive crime scenes, so it’s essential you protect your account. Be suspicious of ANY odd or surprising incoming messages. Your best bet in most cases is to do nothing.

I offer this reminder because I’ve just learned about a new(ish) way criminals steal social accounts. It relies only on the kindness of friends. It’s so simple, it almost got me, and it did get a friend of mine. And because there’s a bit of “truth” to the ask, you can see why victims might comply with the single, brief request the criminals make —  and inadvertently enable the hacker to use the change password / password recovery feature to hijack their account.

I’ll describe it.  It’s a bit confusing, but a picture is worth 1,000 words. I recently got this instant message on Instagram from a friend.

And, indeed, I had recently received an email from Facebook that looked like this:

The kicker is this message came from a long-time friend of mine — or at least from his account. So I was inclined to help him. He’d lost access to his account, which I know is essential to his small business. Also, the message came late at night, when I didn’t really have on my cybersecurity journalist hat. So, I opened the message and thought about responding by sending him the code.

I also recalled that Facebook uses friends to assist with account recovery when a criminal hijacks an account. At least, that was true until about a year ago.  An innovative feature called “trusted contacts” used to be available when victims were working to recover access to their accounts. In essence, Facebook/Meta would write to people in this trusted contact list and ask them to vouch for someone who was locked out of their account. Hackers learned how to exploit the feature, however, so Facebook discontinued it sometime in 2023. 

Still, since I had some vague recollection about it, I entertained my friend’s request. Fortunately, instead of sending him the code I’d received in email from Facebook, I chose to send him a message using another piece of software owned by another company — not Facebook or Instagram or WhatsApp — to ask him what was going on.

And there, a few hours later, he told me he’d been hacked…just because he was trying to help out a friend regain access to his account. And now, like so many account hijacking victims I’ve written about, he’s lost in the hellscape that is trying to restore account access using Meta’s backlogged process.

It’s no secret I think companies like Facebook could do a lot more to protect users, beginning with better customer service to deal with problems when they arise. Recall, it took me half a year to regain access to my dog’s Instagram account after my cell phone was stolen.  In this case, I have an additional beef with Facebook. Look again at the email I received. The subject line really works in the criminal’s favor. It just says “XXXX is your account recovery code.” That’s all you see in an email preview, and it would be easy to just read that off to someone who asked for it.  The *body* of the email indicates that the code was sent in response to “a request to reset your Facebook password.”  But if a recipient were to quickly try to help out a friend in distress, they might not read that far.

By now, you’ve figured out the “game” the hackers are playing. They were trying to get a code that would have allowed them to reset my Facebook account and hijack it.  I was lucky; my friend was not.

What could a criminal do with access to his account, or mine? They could soon start offering fraudulent cryptocurrency “opportunities.”  Or run a convincing “I need bail money” scam.  Or, they would bank the account with thousands of other hijacked accounts for use in some future scam or disinformation campaign.  An account could be used to spread a fake AI video of a presidential campaign, for example. Pretty awful stuff you’d never want to be a part of.

This attack is not new; I see mentions of it on Reddit that date back at least two years.  So I hope this story feels like old news to you and you are confident you’d see through this scam. But it feels very persuasive to me, so I wanted to get a warning to you as soon as possible.

Let me know if you’ve seen this attack, or anything similar, operating out there in the wild.  Meanwhile, please take this as a reminder that criminals want to steal your digital identity, even if you believe your corner of the Internet universe is so small that no one would ever want to steal it.

2024 Cybersecurity Threat and Risk Management Report

The threat landscape keeps breaking records as it becomes more volatile and complex. Most organizations are experiencing data breaches and security incidents and, what’s more, are reporting an increase in their frequency. Sixty-one percent of organizations represented in this research had a data breach or cybersecurity incident in the past two years, and 55 percent of respondents say they have experienced more than four to five of these incidents.

The purpose of this research, sponsored by Optiv, is to learn the extent of the cybersecurity threats facing organizations and the steps being taken to manage the risks of potential data breaches and cyberattacks. Ponemon Institute surveyed 650 IT and cybersecurity practitioners in the US who are knowledgeable about their organizations’ approach to threat and risk management practices.

In the past 12 months 61 percent of respondents say cybersecurity incidents have increased significantly (29 percent) or increased (32 percent). Only 21 percent of respondents say incidents have decreased (13 percent) or significantly decreased (8 percent).

The following is a summary of the most salient research findings.

An enterprise-wide Cybersecurity Incident Response Plan (CSIRP) is an essential blueprint for navigating a security crisis. A CSIRP is a written and systematic approach that establishes procedures and documentation and helps organizations before, during and after a security incident. Despite the importance of such a plan, less than half of respondents (46 percent) say their organizations have a CSIRP that is applied consistently across the entire enterprise. Twenty-six percent of respondents say their CSIRP is not applied consistently across the enterprise and 17 percent of respondents say it is ad hoc. Of those organizations with a CSIRP, only 50 percent say it is effective or highly effective. To improve their effectiveness, CSIRPs need to be applied consistently throughout the organization, so that should a data breach occur, response activities are uniform rather than siloed because different functions follow different CSIRPs.

To determine if the plan can deal with incidents that are increasing in frequency and severity, the CSIRP should be regularly reviewed and tested. However, only 23 percent of respondents say the CSIRP is reviewed and tested each quarter and 44 percent of respondents say it is reviewed twice per year (29 percent) or once per year (15 percent). Only 48 percent of respondents say it is tested by a third party.

Proof that investments in technologies and resources are effective in reducing security incidents determines how much to allocate to the cybersecurity budget. An average of $26 million was allocated to cybersecurity investments in 2024. To determine the 2024 cybersecurity budget, organizations focus on evaluating the proven effectiveness of investments in reducing security incidents (61 percent of respondents), assessing the threats and risks facing the organization (53 percent of respondents) and analyzing the total cost of ownership (48 percent of respondents). Only 36 percent of respondents say there is no formal approach for determining the cybersecurity budget.

More resources are allocated to assessing the effectiveness of organizations’ cybersecurity processes and governance practices. The 2024 cybersecurity budget is being used to conduct an internal assessment of the effectiveness of their organizations’ security processes and governance practices (60 percent of respondents), to increase resources allocated to Identity and Access Management (58 percent of respondents), to purchase more cybersecurity tools (51 percent of respondents) and to hire more skilled security staff (49 percent).

Compliance practices and cybersecurity insurance are considered the most important governance activities. Fifty-two percent of respondents say the most important cybersecurity governance activity is to conduct internal or external audits of security and IT compliance practices. The second and third most important governance practices are the purchase of cybersecurity insurance (46 percent of respondents) and establishment of a business continuity management function (42 percent of respondents).

Cybersecurity insurance is difficult to purchase because of insurers’ requirements. Only 29 percent of respondents say their organizations have cybersecurity insurance. Forty-eight percent of respondents say they plan to purchase cybersecurity insurance in the next six months (23 percent) or in the next year (25 percent of respondents). Fifty-two percent of respondents say it is highly difficult to purchase cybersecurity insurance because of the insurer’s requirements.

Insurers often require having certain policies and technologies in place, such as regular scanning for vulnerabilities that need to be patched, adequate staff to support cybersecurity programs and policies, and multi-factor authentication required for remote access.

The ability to reduce the time to detect, contain and recover from a data breach measures the effectiveness of cybersecurity threat and risk management programs. The metrics most often used to report on the state of the cybersecurity risk management program are the time to detect a data breach or other security incident (47 percent of respondents), time to contain a data breach or other security incident (43 percent of respondents) and time to recover from a data breach or other security incident (41 percent of respondents). An enterprise-wide CSIRP is valuable in enhancing the ability to respond quickly to a data breach.

Too many cybersecurity tools are hindering a strong cybersecurity posture. Organizations in this research have an average of 54 separate cybersecurity technologies. Forty percent of respondents say their organizations have too many cybersecurity tools to be able to achieve a strong cybersecurity posture. Only 29 percent of respondents say their organizations have the right number of cybersecurity tools. Not only are there too many tools, but only 51 percent of respondents rate these technologies as highly effective in mitigating cyber risks.

Technology efficiency and integration are key to achieving the right number of technologies. To achieve the right number of separate security technologies, 53 percent of respondents say it is important to make sure technologies are used efficiently, and 51 percent of respondents say it is important to make sure data is integrated across the technologies deployed.

The primary technologies deployed are next-generation network firewalls (NGFW) and intrusion detection and prevention systems (IDS/IPS), according to 58 percent of respondents. Other technologies most often deployed are endpoint antivirus (AV) and anti-malware (AM) (51 percent of respondents), cloud/container security (50 percent of respondents) and endpoint detection and response (EDR) (48 percent of respondents).

Organizations are investing more in cloud services that go beyond traditional on-premises security methods. A SASE (secure access service edge) or Security Service Edge (SSE) architecture combines networking and security as a service function into a single cloud-delivered service at the network edge. Forty-six percent of respondents say their organizations have implemented SASE, and of these respondents, 42 percent say their organizations engaged a third party or system integrator to support the SASE or SSE implementation.

According to the findings there is significant interest in Security Orchestration, Automation and Response (SOAR) adoption. SOAR seeks to alleviate the strain on IT teams by incorporating automated response to a variety of events. Seventy-three percent of respondents say their organizations use SOAR significantly (38 percent) or moderately (35 percent).

Cybersecurity use cases for artificial intelligence (AI) and machine learning (ML) models are on the rise. An ML model in cybersecurity is a computational algorithm that uses statistical techniques to analyze and interpret data to make predictions or decisions related to security. Respondents say their organizations use AI/ML to maintain competitive advantage (49 percent of respondents), to prevent cyberattacks (44 percent of respondents) and to support their IT security team (40 percent of respondents). To ensure that AI/ML reduces cybersecurity risks and threats, respondents say they use AI vulnerability scanning (59 percent of respondents), an AI firewall (52 percent of respondents) and adversary TTP training for security staff (47 percent of respondents).

To read best practices of high performing organizations, and the rest of this report, download it from Optiv’s website.

Cybercrime adds a new, very dangerous twist — face-to-face meetings

Bob Sullivan

We often think of cybercrime as a long-distance nightmare. A victim is manipulated by someone pretending to be a lover, or a boss, or a seller, and then sends that criminal money using some electronic, virtual method. A really disturbing trend I’ve noticed recently is the increased frequency of in-person meetings as part of a cybercrime. A criminal visits the victim to pick up cash, or even gold, at their home (like this story we did in March). A criminal sends an Uber delivery person to pick up a “package” that contains fraudulent payments. A victim is lured into a meeting over a Facebook Marketplace purchase, then robbed. Or, in the case of a recent Perfect Scam podcast I worked on, a con artist lurks at a “zone of trust” place like a golf course or a church looking for generous people to target with a charity scam.

This in-person meeting trend is alarming because a lot more things can go wrong when criminals are in the same physical space as their victims.  Earlier, I told you about the tragic story of an Ohio man who had been communicating with criminals attempting to commit a “grandparent scam”  and shot an Uber driver that he said he believed was part of the scam; he has been indicted for murder and pleaded not guilty. The driver, who died, was not a part of the scam.

Steve Baker, a longtime consumer advocate and former Federal Trade Commission lawyer, first pointed out this trend to me, and now I’m seeing it in many places. The Social Security Administration issued a dire-sounding warning a few weeks ago titled “Don’t Hand Off Cash to ‘Agents.’” It reads:

“The Social Security Administration (SSA) Office of the Inspector General (OIG) is receiving alarming reports that criminals are impersonating SSA OIG agents and are requesting that their targets meet them in person to hand off cash. SSA OIG agents will never pick up money at your door or in any type of exchange. This is a SCAM!

NEVER exchange money or funds of any kind with any individual stating they are an SSA OIG agent. This new scam trend introduces an element of physical danger to scams that never existed before.”

Meanwhile, police in New York are warning about a rise in crimes that begin as fake Facebook Marketplace ads — and end with victims staring down the barrel of a gun.

Why are cybercriminals getting this bold and meeting victims in person, or sending someone else to do that?  It’s too early to tell, but part of the reason *could* be increased transaction scrutiny at places like Zelle or cryptocurrency exchanges, along with increased fraud awareness around gift cards.  Time will tell.

In the meantime, I’m very concerned we will see more situations like that story from Ohio. Please be extra vigilant when speaking with loved ones about cybercrime.  Look and listen for signs of surprising new friends or unexpected meetings. Keep those lines of communication open.


2024 Global Study on Securing the Organization with Zero Trust, Encryption, Credential Management & HSMs

To stave off never-ending security exploits, organizations are investing in advanced technologies and processes. The purpose of this report, sponsored by Entrust, is to provide important information about the use of zero trust, encryption trends, credential management and HSMs to prepare for and prevent cyberattacks. The research also reveals what organizations believe to be the most significant threats. The top three are hackers, system or process malfunction and unmanaged certificates.

A second report will present the research findings on PKI and IoT, as well as how organizations are preparing to transition to post-quantum cryptography in order to mitigate the quantum threat. For both reports, Ponemon Institute surveyed 4,052 IT and IT security practitioners who are familiar with the use of these technologies in their organizations.

“With the rise of costly breaches and AI-generated deepfakes, synthetic identity fraud, ransomware gangs, and cyber warfare, the threat landscape is intensifying at an alarming rate,” said Samantha Mabey, Director, Solutions Marketing at Entrust. “This means that implementing a Zero Trust security practice is an urgent business imperative – and the security of organizations’ and their customers’ data, networks, and identities depends on it.”

The countries in this research are the United States (908 respondents), United Kingdom (458 respondents), Canada (473 respondents), Germany (582 respondents), UAE (355 respondents), Australia/New Zealand (274 respondents), Japan (334 respondents), Singapore (367 respondents) and Middle East (301 respondents).

Organizations are adopting zero trust because of cyber risk concerns. Zero trust is defined in this research as an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets and resources. It assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location or based on asset ownership. Sixty-two percent of respondents say their organizations have adopted zero trust at some level. However, only 18 percent of respondents have implemented all zero-trust principles.

In the survey, 67 percent of respondents say the most important drivers for implementing a zero-trust strategy are the risk of a data breach and/or other security incidents (37 percent) and the expanding attack surface (30 percent).

Following are the most salient findings from this year’s research.

The slow but growing adoption of zero trust

  • As evidence of the importance of zero trust to secure the organization, 57 percent of respondents that have or will implement zero trust say their organizations will include zero trust in their encryption plans or strategies. Sixty-two percent of respondents say their organizations have implemented all zero-trust principles (18 percent), some zero-trust principles (12 percent), laid the foundation for a zero-trust strategy (14 percent) or started exploring various solutions to help implement their zero-trust strategy (18 percent). According to the research, a lack of in-house expertise is slowing adoption.
  • Senior leaders are supporting an enterprise-wide zero-trust strategy. Fifty-nine percent of respondents say their leadership has significant or very significant support for zero trust. As evidence of senior leadership’s support, only 37 percent of respondents say lack of leadership buy-in is a challenge. The biggest challenges when implementing zero trust are lack of in-house expertise (47 percent of respondents) or lack of budget (40 percent of respondents).
  • Securing identities is the highest priority for a zero-trust strategy. Respondents were asked to select the one area that has the highest priority for their zero-trust strategy. The risk areas are identities, devices, networks, applications and data. Forty percent of respondents say identities and 24 percent of respondents say devices are the priorities.
  • Best-of-breed solutions are most important for a successful zero-trust strategy (44 percent of respondents). This is followed by an integrated solution ecosystem from one to three vendors (22 percent of respondents).

Trends in encryption and encryption in the public cloud: 2019 to 2024 

  • Hackers are becoming more of a threat to sensitive and confidential data. Organizations need to make the hacker threat an important part of their security strategies. Since the last report, the share of respondents who cite hackers as the biggest concern to being able to protect sensitive and confidential information has increased significantly, from 29 percent to 46 percent.
  • Management of keys and enforcement of policy continue to be the most important features in encryption solutions. Respondents were asked to rate the importance of certain features in encryption solutions. The most important features are management of keys, enforcement of policy, and system performance and latency.
  • Since 2019, organizations have been steadily transferring sensitive and confidential data to public clouds, whether or not it is encrypted or made unreadable via some other mechanism. In this year’s study, 80 percent of respondents say their organizations currently transfer such data (52 percent) or are likely to do so in the next 12 to 24 months (28 percent).
  • Encryption performed on-premises prior to sending data to the cloud using organizations’ own keys has declined significantly since 2019. The main methods for protecting data at rest in the cloud are using keys generated/managed by the cloud provider (39 percent of respondents) or performing encryption in the cloud using keys their organizations generate and manage on-premises. Only 23 percent of respondents say encryption is performed on-premises.
  • There has been a significant decrease in organizations only using keys controlled by their organization (from 42 percent to 22 percent of respondents). Instead, the primary strategy for encrypting data at rest in the cloud is the use of a combination of keys controlled by their organization and by the cloud provider, with a preference for keys controlled by their organization, a significant increase from 19 percent of respondents to 32 percent of respondents in 2024. This is followed by only using keys controlled by the cloud provider (24 percent of respondents).
  • The importance of privileged user access controls has increased significantly. Respondents were asked to rate the importance of cloud encryption features on a scale of 1 = not important to 5 = most important. Privileged user access controls increased from 3.23 in 2022 to 4.38 in 2024 on the 5-point scale. The importance of granular access controls and the ability to encrypt and rekey data while in use without downtime also increased significantly.

Trends in credential management and HSMs: 2019 to 2024 

  • Lack of skilled personnel and no clear ownership make the management of credentials painful. Fifty-nine percent of respondents say managing keys has a severe impact on their organizations. There are interesting trends in what causes the pain since 2019. The lack of skilled personnel (50 percent of respondents) and no clear ownership (47 percent of respondents) continue to make credential management difficult. Insufficient personnel increased from 34 percent to 46 percent of respondents. Causing less pain than before are the inadequacy of key management tools (from 52 percent to 32 percent) and isolated and fragmented systems (from 46 percent to 29 percent).
  • Many types of keys are getting less painful to manage. Between 2019 and 2024, the following keys became less painful to manage: keys for external cloud or hosted services, including Bring Your Own Key (from 54 percent to 22 percent of respondents), SSH keys (from 57 percent to 27 percent of respondents) and signing keys (e.g. code signing, digital signatures) (from 52 percent to 25 percent of respondents).
  • Management of credentials is challenging because it is harder to consistently apply security policies over credentials used across multi-cloud and cross-cloud environments. Fifty-five percent of respondents say the management of credentials is becoming more challenging in a multi-cloud and cross-cloud environment. Thirty-six percent of respondents say it is due to the difficulty in consistently applying security policies over credentials used across cloud services, followed by the difficulty of having visibility over credentials that protect and enable access to critical data and applications (33 percent of respondents). The applications that require the use of credential management across cloud-based deployments are mainly KMIP-compliant applications (44 percent of respondents), and databases, back-up and storage (43 percent of respondents).
  • More organizations are using Hardware Security Modules (HSMs). An HSM is a dedicated cryptographic processor specifically designed to protect the lifecycle of cryptographic keys. Since 2019, the use of HSMs has increased from 47 percent of respondents to 55 percent of respondents.
  • Organizations value the use of HSMs. Since 2019, organizations are increasing the use of HSMs as part of their encryption and credential management strategies. The use of HSMs for application-level encryption, database encryption and TLS/SSL has increased significantly. For the first time, respondents were asked where HSMs are deployed. Most are deployed for online root, offline root and issuing CAs.

You can download a full copy of the report at Entrust’s website.

They’re finding dead bodies outside scam call centers; it’s time to sound the alarm on fraud

Bob Sullivan

“The cartel just very quickly, easily, and efficiently made an example of them by leaving their body parts in 48 bags outside of the city….They’re good at making high profile, gruesome examples of those who would defy them.”

I’ve spent many years writing about Internet crime, so I don’t spook easily.  After working on this week’s podcast, I’m spooked.

For the last year or two, I’ve had a gathering sense of doom about the computer crime landscape. I hear about scams constantly, but something has seemed different lately. The dollar figures seem higher, the criminals more relentless, the cover stories far more sophisticated. Thanks to fresh reporting and statistics, I am now fairly certain I’m not being paranoid. Increasingly, Internet scams are being run by organized crime organizations that combine the dark side of street gangs with Fortune 500 sales tactics. I will share numbers in a moment, but stories are always needed to make a point this important, and that’s why we bring you “James’ ” harrowing tale this week. He wanted to sell an old, useless timeshare, but instead had $900,000 stolen from him — by the New Generation Jalisco Cartel in Mexico. That same group was blamed for murdering call center workers and spreading their body parts around Jalisco.

 This episode offers a rare chance to hear a scam in action. James recorded some of his calls with criminals and shared them with us.  ‘Show me, don’t tell me’ is the oldest advice in storytelling, and that’s why I really hope you’ll listen.  As you hear criminals who go by the names “Michael” and “Jesus” badger and manipulate James, your skin will crawl, as mine did. But I hope it will also place a memory deep in your limbic brain, so when you inevitably find yourself on the phone with such a criminal one day, an autonomic defensive reaction will kick in.

For this episode, I also spoke with a remarkable journalist named Steve Fisher. An American from rural Pennsylvania, he worked on farms as a youth, learned a lot about the plight of migrant workers, and that led him to take a post as an investigative journalist in Mexico City covering crime gangs. Fisher recently wrote about a victim like James who thought he was unloading an unwanted timeshare, but instead had $1.8 million stolen during a decade of interactions with the cartel. In that victim’s case, about 150 different cartel “workers” interacted with him. I can’t begin to stress how vast this conspiracy is — how detailed the cartel’s record-keeping must be — in order to carry on this kind of ongoing crime. As we point out in the story, timeshare scams have become so profitable that this dangerous Mexican cartel is trading in drug running operations for call centers. The gruesome methods of control remain, however.

This model is replicated around the world.  From India, there are tech support scams. From Jamaica, we get sweepstakes fraud. From Southeast Asia, cryptocurrency scams.  From Africa, romance scams.

(Of course, there are scams operated in the U.S., too, but those criminals don’t enjoy the natural protection that international boundaries and jurisdictional challenges provide).

I know most of us imagine scam criminals sitting in dark, smoke-filled boiler rooms placing 100s of calls every day desperately hunting for single victims.  That’s not how it works any more. Scam call center “employees” work in cubicles  (though in some cases, they are victims of human trafficking).  They have fine-tuned software; they work from lead lists; they have well-researched sales scripts; they have formalized training. And they succeed, very often.

The numbers bear this out. Theft through fraud has surged over the last five years, with losses jumping from $2.4 billion in 2019 to more than $10 billion in 2023. Of course, many scam losses are never reported, so the real number could easily be four or five times that.

But I trust my own ears, and you should too.  Recently, I have heard a pile of stories from victims in my larger social circle.  Plenty of near misses — friends who tell me they got a call from a “sheriff” about an arrest summons that was so believable they were driving to a bitcoin ATM before something triggered skepticism.  Unfortunately, I hear plenty of heartbreaking stories too, of people who bought gift cards or sent crypto before that skepticism kicked in.

I want you to listen for these stories in your life. Look for them in your social feeds, ask for them at family parties. I bet you leave this exercise just as concerned as I am. Scams have become big businesses, operated by large, sophisticated crime gangs all over the world. It’s time to talk with your friends and family about this.

We can’t educate our way out of this problem. There’s a lot more that U.S. financial institutions, regulators, and law enforcement can do to slow the massive growth of fraud. But at the moment, you are the best defense for yourself and the people you love.

To that end, I would like to suggest you listen to this week’s episode and share it with people you care about. I can tell you that scams are up, and that criminals are so persuasive anyone can be vulnerable. But there is nothing like hearing it for yourself.

Be careful out there.

You can listen to part 1 of our series by clicking here. And part two is at this link.

The ‘protected health information’ crisis in healthcare

The PHI crisis in healthcare is putting patient safety and privacy at risk. Healthcare organizations represented in this research experienced an average of 74 cyberattacks in the past two years and almost half of respondents (47 percent) say these cyberattacks resulted in the loss, theft or data breach of PHI. Over the past two years, the cost to detect, respond and remediate PHI cyberattacks was $2.6 million and another $1.6 million was spent to hire staff, paralegals and technologies to determine the cost to patients.

Protected health information (PHI) is any information in the medical record or designated record set that can be used to identify an individual and was created, used, or disclosed when providing a health care service such as diagnosis or treatment.

The purpose of this research, sponsored by Tausight and independently conducted by the Ponemon Institute, is to understand the challenges healthcare organizations face in securing PHI data. Ponemon Institute surveyed 551 US IT and IT security practitioners who are in the following healthcare organizations: hospitals (37 percent of respondents), healthcare service providers (23 percent of respondents), clinics (21 percent of respondents) and healthcare systems (19 percent of respondents). The primary responsibilities of respondents are managing IT and IT security budgets, assessing cyber risks to PHI, setting IT or IT security priorities and selecting vendors and contractors.

Healthcare organizations’ ability to protect patient PHI is in critical condition. Organizations are losing control of the risk because of the lack of visibility into the enormous amount of PHI outside the EHR. There are two serious root causes of the PHI crisis. According to 58 percent of respondents, their organizations are unable to determine how much PHI exists outside of the EHR, where it is and how it is being accessed. And 55 percent of respondents say their organizations are at risk because of the excessive presence of PHI across their data centers, endpoints and email accounts. On average, organizations have 30,030 network-connected devices.

Findings that illustrate the PHI crisis in healthcare 

  • Organizations lack the budget to invest in PHI protection technologies (52 percent of respondents) and the necessary expertise to manage PHI protection technologies (48 percent of respondents).
  • Current legacy technologies have difficulty protecting the enormous amounts of PHI across organizations’ systems (66 percent of respondents) and identifying PHI on servers and endpoints to understand what to put in organizations’ secure storage (69 percent of respondents).
  • Migration to the cloud and collaboration tools have increased risks to PHI (52 percent of respondents).
  • The level of security risk to PHI created by remote care and accessing or transmission of PHI outside the firewall is very high, according to 57 percent of respondents.
  • Current technologies are not improving visibility into PHI outside EHR. As a result, only 39 percent of respondents say their organizations have a high ability to detect and classify unstructured data and only 47 percent of respondents say their organizations have a high ability to detect and classify structured data wherever they exist throughout the expanding digital environment.
  • Only 30 percent of respondents say their organizations have significant visibility into PHI located in the data center and endpoints where it is exchanged between doctors’ and patients’ systems or applications.
  • Most organizations say DLP and DSP software are not effective in improving visibility into PHI on endpoints, networks and in the cloud and providing visibility into data movement of PHI.
  • Once organizations have a PHI data breach, 71 percent of respondents say it is very difficult to assess how many patients were affected by the breach, and almost half of respondents (47 percent) say their organizations are likely to overreport the number of patients affected because of the difficulty in determining the device or server that was compromised.
  • The negative consequences of a PHI data breach are exacerbated because it can take an average of more than two months to recover, remediate and assess the impact to PHI and to be able to disclose the breach and notify affected patients.
  • Insiders put PHI data at risk. The most frequent types of insider negligence are accessing PHI on uncontrolled devices and accessing hyper-connected endpoints on networks with varying IT security standards. Other frequent incidents are sending emails with unencrypted PHI and moving PHI to an unknown USB drive, resulting in data loss.

Click here to watch a webinar about these findings with Larry Ponemon and David Ting — CTO and Co-Founder of Tausight, which helps healthcare organizations protect data.

When fraud turns fatal — Uber driver shot after ‘grandparent scam’ call

Bob Sullivan

When consumers and criminals interact, you just never know how combustible a situation can become. A recent story out of Ohio is a reminder that any scam can get very serious and lead to devastating consequences.

An Ohio man who had been communicating with criminals attempting to commit a “grandparent scam” shot and killed an Uber driver that he said he believed was part of the scam; he has been indicted for murder and pleaded not guilty.

Police say 81-year-old Michael Brock told them he had spent hours talking on the phone with someone who claimed that his nephew was in jail and needed bail money. Brock allegedly believed that Lo-Letha Hall, 61, had come to his house to pick up the money. He accused her of being part of the scam, and when she tried to leave, he fatally shot her.

Local news reports indicate Hall was an Uber driver simply picking up a package for what she thought was a normal delivery.

“Upon being contacted by Ms. Hall, Mr. Brock produced a gun and held her at gunpoint, making demands for identities of the subjects he had spoken with on the phone,” the sheriff’s office said, according to the Associated Press. Hall was unarmed and unthreatening, the sheriff’s office alleges in that story. A video posted on a local news site shows her walking away from Brock as he threatens her with a gun.

“I’m sure glad to see you guys out here because I’ve been on this phone for a couple hours with this guy trying to say to me I had a nephew in jail and had a wreck in Charleston and just kept hanging on and needing bond money,” Brock said to police, according to the Associated Press. “And this woman was supposed to get it.”

According to a memorial page set up for Hall, she was retired.

Whenever I speak in front of cybersecurity and fraud groups, I try to remind them how important their work is. There are plenty of reasons to take cybersecurity and financial fraud seriously — even crimes that might seem like common thefts can turn very serious, or be part of wider conspiracies. Even though it can feel exhausting and at times fruitless, all of us must continue the fight against scams and cybercrime.