Author Archives: BobSulli

The secrets of high-performing security organizations

As the threat landscape becomes more sinister, the ability to close the IT security gap is more critical than ever. Since 2018, this study, sponsored by HPE, has been tracking organizations’ efforts to close the gaps in their IT security infrastructure that allow attackers to penetrate their defenses.

The IT security gap is defined as the inability of an organization’s people, processes and technologies to keep up with a constantly changing threat landscape. It diminishes the ability of organizations to identify, detect, contain and resolve data breaches and other security incidents. The consequences of the gap can include financial losses, diminishment in reputation and the inability to comply with privacy regulations such as the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Only 30 percent of respondents say their organizations are highly effective in keeping up with a constantly changing threat landscape and closing the IT security gap.

Ponemon Institute surveyed 1,848 IT and IT security practitioners in North America, the United Kingdom, Germany, Australia and Japan. This report presents the global findings and compares them to the 2020 global findings.  All respondents are knowledgeable about their organizations’ IT security and strategy and are involved in decisions related to the investment in technologies.

Only 35 percent of respondents are confident that their organizations can prevent a persistent threat below the platform that would result in data being stolen, modified or viewed by unauthorized entities. Similar to the last study, 48 percent of respondents believe attacks that have reached inside the network have the potential to do the greatest damage. Forty-two percent of respondents say that attacks inside the IT infrastructure can be detected quickly, before they break out and cause a cybersecurity breach resulting in data being stolen, modified or viewed by unauthorized entities.

Best practices from organizations that are effective in closing the IT security gap

Thirty percent of respondents self-reported that their organizations are highly effective in keeping up with a constantly changing threat landscape. We refer to these organizations as “high performers” and compare their responses to those of the non-high performers, whom we refer to as “other” respondents.

Following are the nine best practices of high-performing organizations.

High performers are more likely to have visibility and control into users’ activities and devices. Only 33 percent of high performers believe their security teams lack visibility and control into all activity of every user and device. In contrast, 80 percent of those in the other category say their teams lack visibility and control. High performers are also more likely to get value from their security investments (59 percent vs. 42 percent of respondents). However, both groups agree that the IT infrastructure has gaps that allow attackers to penetrate its defenses (60 percent of high performers and 61 percent of respondents in the other category).

High performers are more likely to agree that attacks that have reached inside the network have the potential to do the greatest damage. Fifty-six percent of high performers recognize the potential damage from attacks that have reached inside the network vs. 45 percent of respondents in the other category. Forty-seven percent of high performers are confident that their organizations have not experienced a persistent threat below the platform software that has resulted in data stolen, modified or viewed by unauthorized entities vs. 30 percent in the other category.

High-performing organizations are more likely to implement a Zero Trust Model. Sixty-four percent of high-performing organizations have a Zero Trust Model because government policies required it (25 percent), have a Zero Trust Model for other reasons (24 percent of respondents) or have selected elements from the Zero Trust framework to improve security (15 percent). Thirty-six percent of organizations in the other category are not interested in a Zero Trust approach (25 percent of respondents) or have chosen not to implement it (11 percent of respondents).

High performers say that as compute and storage move from the data center to the edge, a combination of traditional security solutions and secure infrastructure is required (61 percent). The other respondents are more likely to say a new type of security will be required (59 percent).

IoT security is more of a concern for high performers. Eighty-five percent of high performers say identifying and authenticating IoT devices accessing the network is critical to their organization’s security strategy. Only slightly more than half (55 percent) of other respondents agree with this. In addition, high performers are more likely to say legacy IoT technologies are difficult to secure (80 percent vs. 69 percent of respondents in the other category). Forty percent of high-performer respondents say their IoT devices are appropriately secured with a proper security strategy in place vs. 15 percent of respondents in the other sample.

High-performing organizations say security technologies are very important for their digital transformation strategy. Seventy-seven percent of high-performing organizations say it is important (35 percent of respondents) or highly important (42 percent of respondents) to have security technologies to support digital transformation. In contrast, 53 percent of the other respondents say it is important or highly important. 

High performers take a different approach to server security and backup and recovery. Eighty-eight percent of high performer respondents say backup and recovery is a key component of their security strategy and 68 percent of high performers say their organizations make server decisions based on the security inherent within the platform.

High-performing organizations are more aware of the benefits of automation. The most important benefits are the ability to find attacks before they do damage or gain persistence (78 percent of high performers) and reduction in the number of false positives that analysts must investigate (74 percent of high performers). They also say automation is critical when implementing an effective Zero Trust Security Model (71 percent of respondents).

High-performing organizations are more likely to see the important connection between privacy and security. Ninety-four percent of respondents in high-performing organizations say it is not possible to have privacy without a strong security posture. Eighty-seven percent of high performers believe a strong cybersecurity posture reduces the privacy risk to employees, business partners and customers. High performers are less likely to believe human error is a risk to privacy.

To read the rest of this report, download it from HPE.com

A million appeals for justice, and 14 cases overturned — Facebook Oversight Board off to a slow start

Bob Sullivan

A million appeals for justice, and 14 reversals.  That’s the scorecard from the Facebook Oversight Board’s first annual report, released this week. The creative project has plenty going for it, and I think some future oversight board can benefit greatly from the experience of this experiment, launched by Facebook parent Meta in 2020. Still, it’s hard to see how this effort is making a big impact on the problems dogging Facebook and Instagram right now.

A few months ago, I interviewed Duke University law student Alexys Ogorek about her ongoing research into the Oversight Board for our podcast, “Defending Democracy from Big Tech.”  Her conclusion: There are plenty of interesting ideas in the organization, but in practice, it’s not accomplishing much.  Only a tiny fraction of cases are considered, she found, and decisions take many months. Not very practical for people who feel like their innocent comment about a political candidate was wrongly removed a month before an election.  You can hear our discussion of this on Apple Podcasts, or by clicking play below.  The Oversight Board’s annual report confirmed most of Ogorek’s research, but there are plenty of interesting nuggets in it. I’ve cobbled them together below.

Facebook removes user posts all the time — perhaps it’s happened to you — with little or no explanation.  After years of public frustration with this practice, the firm launched an innovative project called the Facebook Oversight Board. It’s billed as an independent, outside entity that can make binding decisions — mainly, tasked with telling Facebook to restore posts it has removed incorrectly.  Most of the time, these takedown decisions are made by automated tools designed to detect hate speech, harassment, violence, or nudity.  In a typical scenario, a user posts a comment that contains language that is judged to include racial slurs, or language that encourages violence, or adult content, or medical misinformation, and the post is removed. Users who disagree can file an appeal, which might be judged by a person at Facebook.  If that appeal fails, users now have the option to appeal to this outside Oversight Board.

This is a good idea.  We should all be uncomfortable that a large corporation like Facebook gets to make decisions about what stays and what goes in the digital public square. Yes, the First Amendment doesn’t apply to Facebook in most of these cases, but because it’s such a powerful entity when Meta acts as judge and jury, it offends our notions of free speech. So, the experiment is worthwhile and like Ogorek, I’ve tried to look at it with an open mind.

One big problem revealed in the report is the tiny, tiny fraction of cases the board can take up, combined with the 83 days it took to decide cases.  About 1.1 million people appealed to the board from  October 2020 to December 2021, and only 20 cases were completed. Of them, the board overturned Facebook’s choice 14 times. To be fair, the board says it tried to choose cases that had wider impact, and could set precedent.  Still, the numbers show the board process, to put it politely,  doesn’t scale.

“I am struggling with this due to a cognitive disconnect. They had 1.1 million requests but only examined 20 cases. In those 20 cases they found that Meta was wrong 70% of the time. So, is it likely that over 700,000 mistakes by Meta have gone unexamined?” said Duke professor David Hoffman. “The small number of decisions when compared to the demand indicates to me that the (board) is at best a sampling mechanism to see how Meta is doing, and based on this sample it appears that Meta’s efforts at enforcing their own policies are a dismal failure. It all begs the question, what additional structure is necessary so that all 1.1 million claims can be analyzed and resolved.”

Reading through the cases Facebook did pick, one can gain sympathy for the complexity of the task at hand. I’ve pasted a chart above to show a sample of cases that rose to the top of the heap. But here’s one example of competing interests that require nuanced decisions: in one case, a video of political protestors in Colombia included homophobic slurs in some chants. Facebook initially removed the video; the board restored it because it was newsworthy. In another case, an image involving a woman’s breast was removed for violating nudity rules, but the image was connected to health care advocacy. It was also restored.

Other items in the report I found interesting: the board openly criticized Facebook’s lack of transparency in many situations.  It urges the firm to explain initial takedown decisions, and notes that moderators “are not required to record their reasoning for individual content decisions.”

There are other critical comments:

  • “It is concerning that in just under 4 out of 10 shortlisted cases Meta found its decision to have been incorrect. This high error rate raises wider questions both about the accuracy of Meta’s content moderation and the appeals process Meta applies before cases reach the board.”
  • “The board continues to have significant concerns, including around Meta’s transparency and provision of information related to certain cases and policy recommendations.”
  • “We have raised concerns that some of Meta’s content rules are too vague, too broad, or unclear, prompting recommendations to clarify rules or make secretive internal guidance on interpretation of those rules public.”
  • “We made one recommendation to Meta more times than any other, repeating it in six decisions: when you remove people’s content, tell them which specific rule they broke.” Facebook has partly addressed this suggestion.

The board also briefly took up the issues raised by Facebook whistleblower Frances Haugen. Among her revelations, she exposed a practice by the company to “whitelist” certain celebrities, making them exempt from most content moderation rules.  The board mentions this issue, and its demands for more information from Facebook about it, but only in passing. Combine this issue with other references to secret or unknown internal moderation policies that Facebook maintains, and it’s easy to see how the Oversight Board has a very difficult job to do. One wonders if its work might end one day with members resigning in frustration. Until then, it’s still worth learning whatever lessons this experiment might teach.  There are plenty of good ideas being tested.


How Covid-19 pushed more organizations into the cloud

During Covid-19, many organizations began or accelerated efforts to migrate applications to public cloud environments. The purpose of this study is to learn important information about how COVID-19 changed the migration of applications and the effect it has had on organizations’ cloud security practices and costs. As defined in this research, the post-COVID cloud boom refers to the impact of the pandemic on corporate cloud migrations and deployment.

According to the research, the use of public cloud resources for securing critical applications outpaced on-premises deployment because of the need to maintain a higher level of agility, flexibility and resilience during the pandemic. Further, the “boom” refers to the innovations made by cloud users and providers to respond to threats and vulnerabilities that have emerged during the pandemic.

In this study, sponsored by Anitian and conducted by Ponemon Institute, 643 IT and IT security practitioners in the United States were surveyed at organizations that use all or mostly public clouds. A key takeaway from the research is that 61 percent of respondents say migration or expansion of cloud resources significantly increased (31 percent) or increased (30 percent) their organizations’ ability to achieve their business goals, such as revenue growth, expansion into new markets, retention and hiring of in-house expertise, and innovation.

Our study confirms that organizations’ migration and expansion of cloud resources during the COVID pandemic significantly increased their ability to achieve their business goals. Enterprise objectives such as revenue growth, expansion into new markets, retention and hiring of in-house expertise, and innovation were all prominent findings in our research.

The following findings reveal how the Post-Covid-19 boom is supporting three equally important objectives for organizations: business growth, security posture and financial strength.

Business growth:

  • Despite the challenges of dealing with COVID, migration and transition to public clouds resulted in a boom. During this period, many organizations realized greater agility and innovation in responding to threats and vulnerabilities that emerged during the pandemic.
  • The use of most or all public cloud providers increased significantly in the post-Covid-19 era resulting in many organizations benefiting from the boom. The boom significantly increased or increased the ability of organizations to achieve their business growth despite risks due to a remote workforce, according to 61 percent of respondents. 
  • The primary benefits from the boom are to support business goals. According to the research, 62 percent of respondents say the migration or transition to the public cloud was to reduce cost, 53 percent of respondents say it is to increase efficiency and 41 percent of respondents say it is to support business growth.

Security posture:

  • Organizations’ cloud security improves in the post-Covid-19 boom. Pre-Covid-19 before transition or migration to the public cloud, 35 percent of respondents say their organizations had a very effective cloud security posture. Post-Covid-19 about half (49 percent) of respondents say their organizations’ security posture is very effective. Further, business risk did not significantly increase or increase during migration or transition to the public cloud. 
  • Remote worker productivity increased while supporting security in the cloud. Applications were moved to the cloud to improve remote worker productivity. Employees working remotely increased significantly during the pandemic and organizations moved their applications to the cloud for productivity and security reasons.

Special analysis: Financial strength

Ponemon Institute, as part of this research, conducted a benchmark study of 158 senior-level CISOs in companies that primarily transitioned or migrated to the public cloud during the pandemic (81 respondents) vs. companies that did not significantly transition or migrate from the on-premises environment (77 respondents) during this period.

As revealed, companies that primarily migrated or transitioned to the cloud have lower costs to secure the cloud and respond to the financial consequences of data breaches in the cloud. These organizations also made greater investments in security technologies because of the ability to reduce costs.

  • Lower costs to secure cybersecurity operations in the cloud. On average, organizations that primarily migrated or transitioned to the public cloud during the pandemic had lower costs to ensure the security of the cloud ($14.5 million) than those that primarily performed cybersecurity practices on-premises ($16.1 million), a net benefit of $1.6 million.
  • Lower data breach costs. Organizations that migrated and transitioned all or most of their cybersecurity practices to the public cloud had significantly lower data breach costs ($13.3 million vs. $18 million), a net benefit of $4.7 million.
  • Higher annual investments in cybersecurity operations in the public cloud. Due to the lower costs described above, organizations that performed cybersecurity operations in the public cloud were able to increase their annual investments ($16.8 million vs. $12.2 million), a net benefit of an additional $4.6 million in annual investments.

Visit Anitian’s website to download the full report. In it, you’ll find a complete analysis of the research findings. The report is organized according to the following themes.

  • The benefits of the post-COVID-19 cloud boom
  • Managing security risks in the cloud
  • Special analysis: The financial benefits of the post-COVID cloud boom
  • Steps taken to secure remote workers’ access to the cloud

Tim Hortons tracked when customers went to Starbucks … and much more

Bob Sullivan

How many sugars do you want with that coffee? And how much surveillance? If you were “cheating” on your favorite coffee shop with a different one, would you mind if an app told on you?

Earlier this month, Canada’s Privacy Commissioner found that the Tim Hortons chain violated the law when it surveilled app users, who were “tracked and recorded every few minutes of every day, even when their app was not open.” That sounds bad enough, but the story behind the investigation reveals that far more creepy surveillance capitalism was going on. Two years ago, Financial Post journalist James McLeod used Canadian law to demand every piece of information Tim Hortons had collected on him, and spun it into a dramatic narrative.

“I had no idea how extensive the tracking data was until I saw it. There were readings taken at all hours of the day and night, and (the app) kept tabs on me every time the app thought I was visiting one of its competitors,” he wrote.

The app, McLeod found, “identified where he lived and worked…and noted when it believed he entered a Starbucks, Second Cup, McDonald’s, Pizza Pizza, A&W, KFC or Subway,” according to the Canadian investigation.  It also knew when he went to a Toronto Blue Jays baseball game, when he went to Manitoba for a wedding, even when he arrived at Amsterdam’s Schiphol Airport.

The full investigation is worth reading; so is the original news report from 2020.

As conversation around a federal privacy law in the U.S. seems to be suddenly reignited, much to the delight of many who thought efforts to pass any legislation during this testy political season were doomed, there are still plenty of lingering questions. Have tech industry insiders had too much to say about the proposed language in the American Data Privacy and Protection Act? Will consumers really acquire new protections, or will the law entrench existing (bad) behaviors?  And how many exceptions will be made for law enforcement, for employers, even for data brokers?  Shoshana Wodinsky at Gizmodo offers a level-headed, skeptical analysis of the bill in its current form here. And a summary of its provisions is here (PDF).

But I think the timing of the Tim Hortons investigation is helpful, because however icky the story is, it also points to a couple of things that worked well. McLeod only had a hunch something was wrong because Google added a new privacy feature to his smartphone  — the option to limit sharing of location information with apps only when they are open. The Tim Hortons app was requesting more access than that, which led McLeod to file a so-called PIPEDA request. Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), users can ask companies to divulge all the data that’s been collected about them.  When McLeod got his response, he had his story, and Canada’s privacy commissioner had an investigation.

Under California’s state privacy law, consumers can now file what are known as DSARs — Data Subject Access Requests — and get reports similar to the one McLeod got from Tim Hortons. This disclosure right should be an essential tool for all Americans, made as easy as possible, and advertised broadly as a feature. In its current form, the American Data Privacy and Protection Act calls for such disclosure, and critically, for it to be made available “in a human-readable and downloadable format that individuals may understand without expertise.” Sure, most consumers won’t take advantage of the opportunity, but a few will. And who knows what stories might be uncovered as a result.

Architecting the Next Generation for OT Security

Ponemon Institute is pleased to have conducted the research behind the recent report Architecting the Next Generation for OT Security, sponsored by Applied Risk. I’ve included the executive summary of the report in this month’s column. The full report can be downloaded from the Applied Risk website.

“This is a time of change and challenges,” the Applied Risk report begins. “It’s an era that is both transformative and disruptive, shaped by digital technologies that are improving billions of lives around the world, even as they make us vulnerable in ways we never anticipated.

“This digitalization has been a fact of life for quite some time, but it is also becoming a factor in the operation of critical infrastructure and other industrial environments at an accelerating speed. At the same time, the Operational Technology (OT) systems that monitor and control industrial equipment, assets, processes and events in critical infrastructure are facing more and more threats from increasingly sophisticated malicious actors, including nation-states.

“In this dynamic environment, it is important to understand the thoughts and concerns that drive organizations to take action to keep their OT domains safe, secure and resilient. Applied Risk has undertaken the research needed to gain that understanding and to take a forward-looking approach to crucial questions about how to architect the next generation of OT Security solutions.

“The report, entitled ‘Architecting the Next Generation for OT Security,’ is based on data collected by the Ponemon Institute from more than 1,000 IT and OT Security practitioners in the United States and Europe. The research was then complemented by input from the knowledge and experience that Applied Risk’s team has accumulated over the years, as well as analysis from the company’s own subject matter experts (SMEs).

“In this document, we present the results of that research. We use these data to assess current trends in the OT Security space, paying special attention to people-, process-, and technology-related issues, and offer recommendations on responses to these trends. Additionally, we describe current conditions in the OT Security realm and offer insight into the OT Security trends that are likely to emerge over the next two to four years.

“Respondents to the survey were asked to answer questions about how to architect the next generation of OT Security solutions. All respondents have responsibility for securing or overseeing cyber risks in the OT environment and understand how these risks impact the state of cyber security within their organizations. The research was then complemented by input from Applied Risk’s own engagements and assessments as well as analysis from our subject matter experts.

“Maximizing safety and minimizing unplanned outages are the top operational priorities for the organizations represented in this research. Reducing inefficiencies and minimizing operating costs are also high priorities, as is the ability to maintain plant connectivity. Respondents see the convergence of IT and OT systems as one of the primary drivers toward meeting these organizational targets. At the same time, though, they note that attackers are focusing more and more on industrial environments and are quickly developing OT skills – and that this shift has resulted in more sophisticated and clandestine attacks.

“The results of the survey indicate that companies are struggling to develop their OT Security maturity at a pace comparable to the speed with which attackers are developing their own skill sets. Meanwhile, the OT landscape is becoming more complex due to IT/OT convergence and to the introduction of Industrial Internet of Things (IIoT) devices, virtualization, and cloud computing in these environments. The overall sense of the respondents is that they need to do more to ensure that the business benefits of these new technological developments can be realized in a secure manner.

“More than half of the respondents believe that their cyber readiness is not at the right level yet and that they are not able to adequately minimize the risk of cyber exploits and breaches in the OT environment. As such, it is clear that there is still work to be done in general and across the board. The respondents are aware that they need to upskill their staff and that of their service providers and that they need better procedures. But above all, they understand that they will need enabling technologies to accelerate OT Security maturity. In summary, a combination of people-, process-, and technology-centric controls will remain key.”

Click here to obtain the full report.

‘Don’t Break my Prime?’

Bob Sullivan

Amazon Prime is *incredibly* popular with Americans. How popular? There are more than 150 million members in the U.S., with many (most?) there to enjoy “free”* two-day shipping. That’s roughly equal to the number of Americans who VOTED in 2020. And Amazon is betting all 150 million will do almost anything to keep that “free” shipping — including abandoning any pretense that they prefer to live in a free country that supports capitalism and free-market principles.

“Don’t Break Our Prime” is a deeply cynical ad campaign that’s being thrust onto your TVs and Internet space as pro-competition legislation makes its way through Congress. Amazon’s monopoly power has deeply hurt American small businesses for years — and made Jeff Bezos so much money that his hobby is going to space —  but lately, the tech giant’s tactics at crushing competitors have kicked up a notch.

Amazon’s customer base is so large that many small companies *have* to sell products on their platform. That’s weird, because it makes Amazon both a fulfillment service *and* a retailer.  There have long been accusations that Amazon’s data nerds study all these competitors on their platform, rip off their products, and then advantage Amazon brands when consumers search for items. More than accusations, actually. Congress recently made a criminal referral about this practice to the Department of Justice.

The kind, gentle term for this — minus the sneaky data harvesting — is “self-preferencing.” And yes, some supermarkets put their own brand of toilet paper on the best shelf, right there next to the Charmin.  If there were a few dozen Amazon-like services out there, self-preferencing there wouldn’t be so bad. But since Amazon has 150 MILLION U.S. MEMBERS on Prime, it’s deeply anti-competitive. Kind of like owning most of the gas refineries, and most of the gas trucks, and most of the gas stations….

So the U.S. Senate is considering legislation that would ban this practice of advantaging its own products over competitors.  Both Democrats and Republicans support the idea.

Amazon has now come out swinging.  As is tradition with such campaigns, it is not attacking the premise of the bill. It’s hitting consumers in an emotional spot, with the message that — given all these concerns about inflation, and supply chains, and the pandemic — now would be a terrible time to lose Amazon Prime’s free shipping! Don’t Break Our Prime!

What are the particulars of this argument? Please read up on it. Here’s a position piece from Project Disco (?) which attempts to explain why Amazon NEEDS its anti-competitive behavior in order to provide two-day shipping.  And here’s a Wired piece that does a good job of debunking that press release. 

It should be clear that this isn’t about two-day shipping.  Rather, Amazon is hoping the popularity of Prime gives it enough clout to beat back, or at least delay, reasonable efforts at reform.

This is just the tip of the spear, however. Tech industry lobbyists are using this “Don’t Break Our Tech” model to defend the status quo in the face of various reform efforts. Google serves up the most self-serving links rather than the best links; it has engaged in ad bid-rigging; its business has been called the biggest data breach of all time. But if Congress messes with that, maps won’t work! Your privacy will be violated. Also, China will become more powerful!

These are emotionally compelling arguments; they just might work.  But as you begin to see all these “Don’t Break Our …” messages, please keep something in mind.  Silicon Valley invented the phrase “move fast and break things.” So it’s deeply ironic that Big Tech firms are suddenly afraid of trying new things that might break something.

The techlash is real. Human beings are realizing that for all the great gifts tech has given us, there are serious costs. The pendulum has swung too far. Big Tech companies aren’t the only source of trouble, but they are a good place to start. Tech companies are so large they don’t really have to answer to anyone right now. Facebook paid a $5 billion fine for ignoring a consent decree with the Federal Trade Commission and…didn’t really change anything. It’s time to draw some boundaries around the monoliths. As Harvard’s Francella Ochillo said to me in my recent docu-podcast, Defending Democracy from Big Tech, while we keep arguing about the details, these firms are making billions of dollars. We want techland to be free for competition. To do that, we’re going to have to break (up) a few things. So what? We’re on iPhone 13. The beta version of tech reform might not be perfect. That shouldn’t stop us. The cost of inaction is far too high. I’m here for v2.0, and 3.0 and … 13 pro! You should be, too.

*Free shipping isn’t free, of course.  Prime costs money!  The cost is built into the products you buy.  As with Uber, the price is being (temporarily) subsidized by investment money, which is another way of saying it’s a Ponzi scheme. Also, Amazon drivers live awful lives because of Prime.  There’s all that cardboard. “Free” is never free. 


The Costs of Authentication Failure and Negligence

Authentication failures (defined as a weakness in an organization’s authentication processes that results in an inability to verify user identity) not only create a high risk of credential theft but are also costly. According to the research, organizations are spending an average of approximately $3 million annually on activities relating to authentication failures.

Participants in this research also estimate that the maximum loss from a single authentication failure ranges from $39 million to $42 million, and that the average maximum loss from a material business disruption caused by an authentication failure ranges from $34 million to $40 million. The reasons authentication failures are costly, as confirmed in this research, are the downtime needed to resolve the failure, the disruption of business processes, the loss of customers and the negative impact on third-party and business relationships.

Sponsored by Nok Nok, Ponemon Institute surveyed 1,007 respondents: IT staff (360), IT security leaders (339) and non-IT security leaders, i.e. lines of business leaders (LoBs) (308). All respondents are familiar with authentication processes in their organizations and have some level of responsibility for the security of their organization’s authentication processes.

A key takeaway from this research is the gap between IT security and LoBs in how seriously they view the authentication risks facing their organizations. In this report, we present these differences and discuss how they may be affecting the security posture of the organizations represented in this research.

In the context of this research, credential theft involves stealing the user’s exact password rather than randomly guessing it. The focus of this crime can be to make fraudulent purchases, make fraudulent financial transactions and steal confidential information.

The authentication failures perception gap in organizations

Based on the findings, the following are the most significant gaps in understanding the state of authentication processes in organizations among the IT security staff, IT security leaders and lines of business leaders. These differences can be a barrier to achieving a secure and holistic response and strategy to addressing the risks and cost of authentication failures. According to the research, most organizations do not have an enterprise-wide strategy for reducing the risk of authentication failures.

  • Lines of business leaders are not likely to recognize the difficulty in knowing the “real” employees, customers and/or users from criminal imposters who are using stolen credentials. Sixty-six percent of IT security staff respondents say it is very difficult or difficult. Less than half (48 percent) of lines of business respondents say it is very difficult or difficult.
  • Authentication processes are out of control, according to IT security respondents. Only 32 percent of IT security respondents and 44 percent of IT security leaders say their organizations have a high level of control over their authentication processes. However, 67 percent of lines of business respondents are confident in their organizations’ controls.
  • IT security staff respondents detect more authentication failures. IT security staff estimates a per-user average of 28 authentication failures occur in a month vs. lines of business leaders who estimate an average of 19 authentication failures occur per user monthly.
  • IT security staff say there are significantly more undetected authentication failures than IT security leaders and lines of business leaders say there are. IT security staff respondents say on average 45 percent of authentication failures go undetected, almost twice the share reported by lines of business leaders.
  • IT security staff are more likely to report that the volume and frequency of authentication failures have grown. Seventy-one percent of IT security respondents vs. 55 percent of lines of business leader respondents say authentication failures have significantly increased or increased. Fifty-nine percent of IT security respondents say the severity of failures has increased, vs. 51 percent of business leader respondents.
  • IT security staff respondents are not as confident that the risk of authentication failures can be reduced. Today, 66 percent of lines of business respondents say their organizations are very prepared or highly prepared to reduce the risk of authentication failures, and 82 percent expect their organizations to be very or highly prepared in two years. Only 40 percent of IT security staff respondents say their organizations are very prepared or highly prepared today, and only 53 percent expect that to be true in two years.
  • Only 28 percent of IT security staff respondents believe an annual budget of $2.5 million allocated to staff and technologies to prevent, detect, contain and resolve authentication failures is sufficient, whereas 45 percent of lines of business leaders say the budget is sufficient. Only 45 percent of IT security staff say their organizations’ leaders recognize the need to invest in automation, AI and orchestration as part of their efforts to prevent authentication failures.

The risk of credential theft is high, and only 30 percent of respondents say their companies have good visibility into credential theft attacks. Sixty-six percent of IT security staff respondents say it is very difficult (32 percent) or difficult (34 percent) to tell the “real” employees, customers and users from imposters using stolen credentials. In contrast, less than half (48 percent) of LoB respondents say it is very difficult or difficult.

To read the rest of the report, register to download it from the Resources page on Nok Nok’s website.

The first crypto war? Let’s talk about that

Bob Sullivan

There is a historic tendency for tech enthusiasts to overstate the importance of the latest digital wizardry during major global conflicts. Remember Iran’s “Twitter Revolution?” That’s not to ignore tech’s impact. Scholars will debate the role of disinformation during our time for decades. I find Carole Cadwalladr’s discussion of the first Great Information War, which she says began in 2014 during Russia’s first invasion of Ukraine, compelling. Still, plenty of tech analysts and sales agents sitting behind keyboards stand to gain a lot by inserting themselves into the middle of a war from a comfortable distance. When there are real bullets, bombs, and blood, I think it’s really important to keep bits and bytes in perspective.

And so it is with cryptocurrency and the current invasion of Ukraine. Let’s not get carried away with this “crypto’s big moment” talk. In fact, if I were a blockchain speculator, I’d be nervous that cryptocurrency could take a big step back into the shadows.

Crypto enthusiasts are having a hard time holding the company line that bitcoins=freedom when so many of them have been collected by Russians via ransomware. True, there are crypto donations headed towards Ukraine, but the greater use case seems to be evading international sanctions. Meanwhile, there is fear that cutting off Russian access to Western banking institutions would shove those transactions underground, into crypto-land. As exchanges debate how to handle this problem — cut off all Russian accounts? How would one even do that? — I asked a couple of leading critics what they thought the war means for the future of cryptocurrency. (Note: I am a visiting scholar at Duke University’s Sanford School of Public Policy).

Duke University professor Lee Reiners

Russia absolutely can and will use crypto to undermine and avoid U.S. sanctions. We know this because North Korea and Iran have already done it! While I agree that crypto’s limited use restricts its desirability, I am confident that U.S. sanctions on Russia will serve as an accelerator for broader crypto adoption. And when you’re talking about a nation-state, the question is not whether they can buy a coke with crypto, but whether they can store and transfer large amounts of wealth with it. And somehow, crypto has persisted as a store of value. We also know that Russia is the final destination for many ransomware payments, with Russian-based crypto exchanges willing to convert crypto to fiat. The only two cryptocurrency exchanges to be sanctioned by OFAC were in Russia.

See https://home.treasury.gov/news/press-releases/jy0364 and https://home.treasury.gov/news/press-releases/jy0471

Finally, I think it’s telling that the U.S. and our allies have yet to cut off Russian banks from SWIFT (Edit note: Some payments are slated to be cut off, but not all). There are several reasons for this, but the one left unsaid is that the administration worries this could accelerate Russia’s adoption of crypto.

The dollar’s status as the world’s reserve currency affords all Americans tremendous opportunities (lower interest rates, easy travel, more commerce, etc…). It’s also allowed the U.S. government to leverage our financial system as an instrument of foreign policy. Crypto undermines all of this and once again I ask: what are we getting in return?

Cybersecurity consultant John Reed Stark

My take is that, unless the use of cryptocurrency is curtailed by the U.S. government: 1) Russia will seek to evade U.S. sanctions by transacting in cryptocurrency; and 2) Russia-based ransomware attackers will initiate a new wave of ransomware attacks. Here’s why:

First off, cryptocurrency use is not just well-suited to evade U.S. sanctions, its pseudo-anonymity is ideal for that purpose (and a broad range of other crimes).

Second, the key to sanctions programs is banks and KYC (know your customer) rules. Using cryptocurrency blinds banks and paralyzes AML (anti-money laundering) enforcement. Meanwhile, threat actors associated with rival nations such as Iran and North Korea have adopted using cryptocurrency (sometimes extorted via ransomware attacks) as a fast and easy means to bypass U.S. economic sanctions and funnel badly needed capital into their cash-starved economies. North Korea and Iran have already proven this notion by example. Indeed, per a United Nations Report, North Korea is using ransomware attacks to fund its nuclear program. Moreover, Iran reportedly uses bitcoin mining to evade sanctions and “export” millions of barrels of oil.

Third, we know already that Russia is the final destination for many ransomware payments, with Russian-based cryptocurrency exchanges willing to convert cryptocurrency to fiat. Thus, a profitable and successful ransomware attack revenue stream already exists for Russia. N.B. that though crypto exchanges in the U.S., Europe and Asia might (and that’s a big “might”) stop dealings with Russia (if that’s even possible), there are still some exchanges that are complicit in facilitating illicit activity, such as the Russian-based SUEX and Chatex services, which were both sanctioned by the U.S. last year after facilitating more than $350 million in cryptocurrency transactions for Russia-based criminals. U.S. Treasury has already warned about these risks before, with officials pointing to an “explosion of risk” stemming from their use in terrorist financing and ransomware attacks and cautioning in October that cryptocurrencies “if left unchecked . . . could potentially harm the efficacy of American sanctions.”

Finally, ransomware attacks have evolved into an extraordinarily successful tool for quickly raising cryptocurrency revenue, while also disrupting (sometimes significantly) the lives of U.S. businesses and citizens. Historically, ransomware attackers employed a type of malicious software designed to block access to a computer system or computer files until an extortion demand is paid. Now, in addition, by licensing their criminal wares to franchisees who can then orchestrate ransomware-as-a-service attacks, the threat is no longer merely the kidnapping of data but also the public release of that data via social media. To further pressure the victim, a ransomware attacker might even flood a website or network with more requests than it can handle by executing a distributed denial of service, or DDoS, attack, rendering the company inaccessible.

Indeed, the continuing success of ransomware attacks has spawned large, central, sophisticated cybercriminal organizations operating within a new and emerging criminal ecosystem consisting of an army of global threat actors using a dangerously evolving arsenal of high-tech intrusion appliances. Russia has, according to many reports, become the mothership of these organizations.

Extortion innovation is now an industry within itself as ransomware attackers have sharpened their business models, including guaranteeing turnaround times, providing real-time chat support for victims and offering payment demands customized to a victim’s financial profile. When it comes to ransomware attacks, there has perhaps never before in history been a crime that law enforcement seems so powerless to prevent, investigate, prosecute and bring to justice.

As an aside, please pay no attention to those spreading the myth that crypto-transactions will actually make it easier to impose sanctions because cryptocurrency trails are easy to trace. This is perhaps the most absurd, frustrating and entirely misleading of all crypto-enthusiast retorts.

Bottom Line: Don’t count on Russian cyber-attackers to behave like the two Instagram celebrities DOJ recently arrested in NYC (and took six years to find) for money laundering in connection with a cyber-attack on Bitfinex. For dictatorial and rogue governments using ransomware attacks to extort cryptocurrency to use to replace their yachts, mansions and other ill-gotten assets, I would not expect search warrants and subpoenas (while certainly well-intentioned) to become any kind of panacea. Moreover, unless the U.S. takes action, the sanctions might even accelerate the use of cryptocurrency everywhere, ushering in an even more dangerous era of crypto-related cyber-crimes.

So What Should the U.S. Do Right Now About This Problem?

Curb the flow of bitcoin and other cryptocurrencies immediately.

Now that President Biden has created a cryptocurrency prosecutorial and investigative team, the next logical step is to sign an Executive Order to curtail the flow of bitcoin and other cryptocurrencies, making it challenging for Russia and other criminals to use cryptocurrencies to purchase U.S. goods and services. The Executive Order should:

  1. Prohibit any U.S. governmental entity from transacting in cryptocurrency and mandate that any entity that contracts with the U.S. government must attest that they do not engage in any transactions involving cryptocurrency; and
  2. Direct The Financial Crimes Enforcement Network of the U.S. Treasury (FinCEN) to require U.S. taxpayers holding more than $10,000 of cryptocurrency offshore to file FinCEN Form 114, known as the FBAR, to report these holdings (a proposal that FinCEN has already announced in 2020).

This kind of expeditious, efficient, inexpensive, straightforward and powerful approach could help deter the use of cryptocurrency to evade U.S. sanctions and help combat the many cyber-crimes that DOJ has cited as cryptocurrency’s most notorious abuses.

Though some experts seriously doubt it and some engineers specifically refute it or negate it, perhaps blockchain technology is more than a “glorified spreadsheet,” and will somehow become the most exciting, disruptive, transformative and efficiency enhancing breakthrough since sliced bread. If so, by rooting out cryptocurrency abuses via the powers of an Executive Order, President Biden could usher in a new era where blockchain and all of its purported promise can thrive, free from the onerous drag of its criminal exploitation.

I provide more detailed analysis and support for this executive order recommendation in an article I just wrote entitled, “What President Biden’s Crypto-Executive Order Should Say” and found here.

Survey: Average ransomware payment is $1 million; average incident costs $170,000

This is the second study Ponemon Institute has conducted on the devastating impact ransomware attacks have on small to large-sized enterprises. The first study was completed in 2017, and as revealed in this research, little progress has been made in mitigating the consequences of these threats. In this year’s research, the percentage of companies experiencing an attack increased from 51 percent in the 2017 study to 80 percent. Yet, 57 percent of respondents believe their companies are too small to be the target of ransomware. This has remained unchanged since 2017.

Ponemon Institute surveyed 659 IT and IT security professionals in small to large-sized companies in the United States. All respondents have responsibility for containing ransomware infections within their organization.  This study was sponsored by CBI and Check Point and conducted independently by Ponemon Institute.

The cost per incident will continue to increase, and the types of attacks will continue to evolve. What’s most striking is that the vast majority of organizations are not doing enough to evaluate the security of their third parties. These findings should be a wakeup call and motivate organizations to evolve their ransomware mitigation playbooks.

The following findings describe the costs and consequences of a ransomware attack.

  • Of the 80 percent of companies that experienced one or more ransomware attacks, 53 percent of respondents say the ransom was paid and averaged over $1 million. The preferred methods of payment are bitcoin and virtual currencies.
  • If companies didn’t pay a ransom, it was because they had a full and accurate backup. However, respondents also believe a full and accurate backup is not enough when experiencing a ransomware attack.
  • Companies that paid the ransom did so because they could not afford the downtime and had a cyber insurance policy that covered the financial consequences of a ransomware attack. Only fifty percent of respondents say the cybercriminals provided a decryption key after payment.
  • Companies suffered financial consequences such as having to shut down for a period of time, losing customers, and eliminating jobs.
  • According to the research, an average of 14 staff members each spent 190 hours to contain and remediate their companies’ largest ransomware incident. Based on an average hourly rate of $63.50, the average cost to assign staff to deal with the incident was approximately $170,000.
  • The highest total costs resulting from a ransomware attack are from legal and regulatory actions, followed by the cost resulting from the company’s response to information misuse or theft.
  • Cybercriminals were most likely to use phishing/social engineering and insecure websites to unleash ransomware. The most compromised devices are desktops and laptops; however, since 2017, mobile devices have increasingly been targeted.
  • Compromised devices infected other devices in the network. Very often, data was exfiltrated from the device.
  • As in the previous study, companies are reluctant to report the incident to law enforcement because of concerns about negative publicity and the potential loss of customers.

Following are the key takeaways from this research.

IoT risk awareness is rising and ransomware prevention is increasingly prioritized. Awareness of IoT risks has risen from 58 percent of respondents in 2017 to 67 percent of respondents in this year’s research. Prevention of ransomware is becoming more of a priority, increasing from 46 percent to 53 percent. Respondents say that if their organizations are attacked, they are slightly less likely to pay the ransom than they were in 2017.

There is a lack of confidence in security controls. Companies spend an average of $6 million annually on staff and technologies meant to prevent, detect, contain and resolve ransomware attacks. However, there is only a slight improvement in confidence about security controls that prevent ransomware attacks.

Companies are increasingly relying upon third parties to deal with the prevention and consequences of a ransomware attack. Since 2017, the engagement of third parties to reduce the risk increased significantly from 58 percent of respondents to 69 percent of respondents. To remediate the incident, the use of the expertise of third parties has increased from 59 percent of respondents to 70 percent of respondents.

Despite the seriousness of ransomware, the ability to respond is low. As reported, the increase in ransomware attacks has been significant since 2017. However, the ability to respond to such attacks is very low. Companies must assess their staff, technologies, and policies to increase overall readiness.

The severity of ransomware infections has increased over the past 12 months. Sixty-one percent of respondents say the severity of ransomware infections has significantly increased (25 percent) or increased (36 percent) since last year. In 2017, 57 percent of respondents said the severity of ransomware infections increased significantly (18 percent) or increased (39 percent) over the past 12 months.

Companies have been receiving more ransomware alerts since 2017. As defined in this research, a ransomware alert is a notice that your system may be targeted or susceptible to a ransomware attack. These alerts are communicated via threat intelligence and law enforcement.

The number of weekly alerts has increased from 25 in 2017 to 34 in this year’s study. In 2017, 46 percent of these alerts were considered reliable; this year, 51 percent are considered reliable. In a typical month, an average of 6 percent of attempted attacks trigger an alert through one or more security controls yet still go undetected.

A full and accurate backup is not considered enough by 55 percent of respondents. As discussed previously, only 32 percent of respondents are confident in their security controls, indicating the need to use more effective technologies to prevent ransomware attacks.

More companies need to conduct security assessments as part of their ransomware readiness strategy. Only about half (51 percent) of respondents say their organizations regularly conduct assessments to test their ransomware prevention and recovery practices.

In some cases, cyber insurance providers are decreasing their coverage for ransomware attacks. Most companies (64 percent of respondents) do not have cyber insurance policies that cover ransomware. Of the 36 percent of respondents who say their policies cover such attacks, 40 percent say the cyber insurance provider modified its ransomware protection resulting in decreased coverage. The average annual premium for a cyber insurance policy is $17,100.

Employees are still considered the weakest link in preventing ransomware attacks. Despite employee security training awareness programs that address social engineering, spear phishing and ransomware attacks, only 30 percent of respondents are very confident (12 percent) or confident (18 percent) in their employees’ ability to detect social engineering lures that could result in a ransomware attack.

Despite the risk, only half of training programs fully cover social engineering, spear phishing and ransomware. Sixty-one percent of respondents say their companies conduct continuous employee security awareness training. Of these respondents, 92 percent say the training covers social engineering, spear phishing and ransomware attacks fully (50 percent of respondents) or partially (42 percent of respondents).

In addition to insider risks, companies face ransomware threats from their suppliers and third parties. Seventy-five percent of respondents say they are very concerned about the risks the supply chain poses to their company as they relate to ransomware. Only 33 percent of respondents say third parties have the necessary privacy and security practices in place to reduce the risk of a data breach involving their companies’ sensitive and confidential information.

To reduce the risk of ransomware attacks, companies need to assess the security and privacy practices of their supply chain and third parties. As discussed, 75 percent of respondents are concerned about the ransomware risks posed by third parties. However, only 36 percent of respondents say their organizations evaluate third parties’ security and privacy practices. Only slightly more than half (53 percent) of respondents say their organizations conduct an assessment of the third party’s security and privacy practices. Currently, organizations mainly rely upon a review of written policies and procedures, according to 64 percent of respondents.

Download and read the report’s full findings here. 

New podcast: Defending democracy (and us) from Big Tech

Bob Sullivan

As war rages in Ukraine, big technology companies are struggling to keep up. Thousands of small decisions are being made at breakneck speed. Think, for just a moment, about the overwhelming task of sifting through propaganda-spewing social media accounts. Make yourself a tech exec right now.  What’s free speech? What’s harassment? What’s incitement to violence? Where should we disable our service?

What if….my product makes the war worse?

These are life-altering decisions — not as real as pulling a trigger or launching a bomb, but not too far behind.  I don’t envy those fighting the disinformation war right now. It’s no secret I am a frequent Big Tech critic, but it appears to me Facebook, Twitter, Google, Microsoft, etc, are all doing the best they can under the most difficult circumstances.

It makes it hard not to wonder why these firms couldn’t have been fighting disinformation this hard all along.  (In fairness, as I see the world rise up in a global effort to care for refugees, for justice, for freedom, and against war, I think we should probably all be asking ourselves that question.)

All good intentions aside, there’s a really big question to ask, one which will be with us even after the current crisis passes: Who made Facebook, Google, and Twitter judge and jury over the digital universe? You might agree entirely with every decision these firms are making right now. But one day, you won’t.  Then what?

Whether or not you realize it, Big Tech companies are running our lives in ways unimaginable just a few years ago. They tell us what to read, where to eat, what lawnmower to buy….and in many cases what mate to marry, even what cancer treatment to get.  And at each decision, they take a cut. Tech titans have amassed incredible wealth doing this — so much money that executives are dabbling in space travel the way earlier titans bought luxury cars.

It’s one thing to be rich.  But it’s another to usurp the functions of a democratic society. Big Tech has done that, and right now, there isn’t much we can do about it. Facebook broke the law, signed a consent decree, violated the consent decree, was fined $5 billion, and….well, not much changed.  After Frances Haugen’s whistleblower testimony, Facebook  — far from humbled — started nudging more pro-Facebook content onto users’ walls. That’s power.

More important, it’s unchecked power.  The notion of checks and balances is built into the fabric of our society – of any free society. But right now, Big Tech is judge and jury in so many critical situations. When you search Twitter for news on Ukraine, or search for a vacuum cleaner on Amazon, or Google prostate cancer, who knows why you see what you see? If your Facebook post is pulled down for a “violation,” do you really expect you’ll get a decent explanation?

These are fundamental, existential questions in a democracy.  They might have seemed academic, even a week or so ago, but our time makes it clear: Big Tech is wielding almost limitless power on our lives. Unaccountable for these decisions. That’s unhealthy.  It has to change.

That is the idea behind “platform accountability.” What can be done to create a force equal to Big Tech firms, so these companies and their leaders must answer to some kind of higher power.  Yes, we’ve seen hearings in Congress.  To date, they’ve been little more than reality TV shows.   To be really accountable, Big Tech has to run into Big Limits.

I’ve been a visiting scholar at Duke University for a couple of years, looking into these issues.  As part of that work, I am helping set up a platform accountability project at the Sanford School of Public Policy. Students and faculty there are engaged in long-term research projects examining structures that might prop up some Big Limits around Big Tech.  My first contribution to this effort is a documentary podcast I’ve been working on for many months called “Defending Democracy (and us) from Big Tech.”  Episode 1 dropped this week: It’s called Too Big to Sue.  I hope you’ll give it a try. I feel really passionately about the need for people to pick their heads up and realize all the ways, large and subtle, that technology companies are changing our lives, changing the way we relate to each other. Maybe it’s more good than bad. Maybe it’s mostly good. But a handful of super-rich executives hiding behind keyboards and rocket ships shouldn’t be making those decisions for us.  We need to be involved. We need to have real power.

I normally release podcasts at Duke as the host of Debugger — but the school has an ongoing podcast called Ways and Means, and this series is a co-production with their team. You can find out more about the entire podcast project at Duke’s Ways and Means page here.

This is a link to the Too Big to Sue episode page.