Tag Archives: Cyber Risk

Для тех, кто интересуется безопасным доступом к онлайн-играм, наш партнер предлагает зеркало Вавады, которое позволяет обходить любые блокировки и сохранять доступ ко всем функциям казино.

Top Obama Administration Officials, Law Enforcement Reach Out at RSA Conference

Posted on by
loretta lynch at RSA

Attorney General Loretta Lynch addresses RSA Conference 2016

SAN FRANCISCO—Many of the Obama administration’s top brass are here in force, addressing some 40,000 practitioners from every part of the technology and information security industry at the annual RSA Conference. Set against the backdrop of the ongoing fight over between Apple and the FBI encryption and backdoors, the tension ebbed and flowed during sessions with Attorney General Loretta Lynch, Secretary of Defense Ashton Carter, and Admiral Mike Rogers, U.S. Navy Commander, U.S. Cyber Command, and director of the NSA. While many speakers will not address the issue directly, the subtext is clear throughout the show, particularly as the public battle brings considerable interest to the privacy and security issues the RSA has centered on for 25 years.

Indeed, in his keynote address, RSA President Amit Yoran called law enforcement’s current stance on encryption “so misguided as to boggle the mind.” Brad Smith, president and chief legal officer of Microsoft, chimed in as well, asserting that we cannot keep people safe in the real world unless we can keep them safe in the virtual world. He lauded Apple and pledged that the tech giant would stand with Apple in its resistance.

Ash Carter at RSA

Secretary of Defense Ashton Carter in Conversation with Ted Schlein of Kleiner Perkins at RSA

While the gravity of the issue and the massive potential impact for many in the sector are boggling many minds here, the administration officials’ sessions also offered more broadly positive comments for businesses outside the tech sector. The conciliatory tone Lynch and Carter often struck centered on the critical need for partnerships between technology and government. They tried to emphasize the ways the administration is reaching out to private entities, both within Silicon Valley and across corporate America at large.

According to Sec. Carter, for example, the United States Cyber Command has three core missions: defending the Department of Defense’s network; helping American companies, the economy and critical infrastructure; and engaging in offensive cyber missions. The second is a key pillar, he said, as the DoD must keep in perspective that the strength of American entities is the strength of the nation. From threat intelligence to the Defense Innovation Unit Experimental he announced yesterday, to be helmed by Google’s Eric Schmidt, Carter believes there is considerable need for industry to engage with government on cyberrisk, and both parties have valuable assets to contribute. “Data security is a necessity, and we must help our companies harden themselves,” Carter said. Indeed, he wants both help for and from the industry. In closing, he said, “We are you. You pay us. We represent you and our job is to protect you, and we’d love to have your help.”

He also noted that the DoD is trying to learn a bit about managing its cyberrisk from the commercial sector’s best practices. “We do grade ourselves and we’re not getting good grades across the enterprise,” Carter told reporters Wednesday, according to Defense News. “I have these meetings where I call everyone in and we have these metrics which tell us how we’re doing [and] if you don’t score well, that is evident to the Secretary of Defense at those meetings.

“We don’t assume for a minute that we’re doing a perfect job at this,” he added. “That’s the whole reason for me to be here and the whole reason for me to be engaging with this community here at this conference.”

Carter also announced that the Department of Defense will be hosting “Hack the Pentagon,” a bug bounty program offering white hat hackers cash for finding and reporting vulnerabilities in the Pentagon’s websites. Many companies have been offering these programs to try to discover their exposure in a controlled setting, without the risk of reputation damage, personal information exposure and business interruption that accompany an unknown hacker finding them instead. Carter called these a “business best practice” to gauge preparedness.

Federal law enforcement also has a notable presence at RSA and is making a pronounced effort to reach out to businesses regarding cyberrisk, threat intelligence, and managing a cyberattack. Indeed, in one session Tuesday, panelists from the Department of Homeland Security, FBI and the White House urged a call to action for businesses to get serious about proactively building bridges with law enforcement and to make use of the many resources the administration is trying to activate to help private industry fortify against cyber threats. The government is working to make it easier for companies to turn to it for help, they said, and attitudes are shifting to more consistently recognize and respect victimized businesses and minimize business interruption.

Some in the audience expressed skepticism, such as one man who seized upon the Q&A portion of a session on government departments’ specific roles in fighting cyber criminals. He asked how the government can be trusted to help industry when it cannot protect itself. But corporate entities should be taking note, particularly of the services available. While many hesitate to share threat intelligence or even successful attacks, Eric Sporre, deputy assistant director of the FBI’s cyber division, stressed that FBI Director James Comey has made it a directive for FBI field offices to develop relationships with local businesses and to treat businesses as crime victims, not perpetrators. In responding to attacks, he noted, the Bureau sometimes even brings in victim services to holistically approach aiding in the investigation and recovery process.

Andy Ozment, assistant secretary for cybersecurity and communications at the Department of Homeland Security, also highlighted the preventative measures his department offers companies, including personal risk assessment services. In some cases, chief information security officers and other executives engaged in cyberrisk management functions have been getting DHS assessments, using them as a tool to drive investment or otherwise sell cyber upwards with the board or C-suite of their organizations.

65% of Businesses Unprepared For Email-Based Cyber Threats

Posted on by

In a recent threat report, cloud email management company Mimecast warned they had seen a 55% increase in whaling attacks over the past three months. As we reported in this month’s Risk Management cover story “The Devil in the Details,” social engineering fraud schemes like whaling (which is phishing that targets higher-profile employees and executives) resulted in a total losses of more than $1.2 billion worldwide between October 2013 to August 2015. According to the Mimecast Business Email Threat Report 2016, released yesterday, IT security professionals clearly recognize the risk, with 64% of respondents in the new saying they see email as a major cybersecurity threat to their business. Yet only 35% feel confident about their level of preparedness against data breaches, while 65% feel ill-equipped or too out of date to reasonably defend against the risk.

buy sinequan online youngchiropractic.com.au/wp-content/uploads/2023/10/jpg/sinequan.html no prescription pharmacy

“Our cyber-security is under attack and we depend on technology, and email in particular, in all aspects of business. So it’s very disconcerting to see that while we might appreciate the danger, many companies are still taking too few measures to defend themselves against email-based threats in particular,” said Peter Bauer, chief executive officer of Mimecast. “As the cyber threat becomes more grave, email attacks will only become more common and more damaging. It’s essential that executives, the C-suite in particular, realize that they may not be as safe as they think and take action. Our research shows there is work still to be done to be safe and we can learn a lot from the experience of those that have learnt the hard way.”

Even the most secure companies feel the most at risk of these scams. Of the top 20% of organizations that feel most secure, 250% are more likely to see email as their biggest vulnerability. Those who feel most confident about guarding against the risk are 2.7 times more likely to have a C-suite that is extremely or very engaged in email security. Among the IT security managers who feel most prepared, five out of six say that their C-suite is engaged with email security, Mimecast reports. However, of all IT security managers who were polled, only 15% say their C-suite is extremely engaged in email security, while 44% say their C-suite is only somewhat engaged, not very engaged, or not engaged at all.

The firm also had some insight on best budgeting against the risks of phishing. Those who feel better prepared to handle email-based threats also allocate higher percentages of their IT security budgets toward email security, the firm found, with these IT security managers allocating 50% more of their budgets to email security compared to managers who were less confident in their readiness. Mimecast found 10.4% of the total IT budget toward email security is the ideal intersection between email security confidence and spend.

To reduce the threat of whaling, Mimecast recommends that companies:

  • Educate your senior management, key staff members and finance teams on this specific type of attack. Don’t include whaling in a general spear-phishing awareness campaign—single out this style of attack for special attention to ensure key staff remain vigilant.
    buy biaxin online youngchiropractic.com.au/wp-content/uploads/2023/10/jpg/biaxin.html no prescription pharmacy

  • Carry out tests within your own business. Build your own whaling attack as an exercise to see how vulnerable your staff are.
  • Use technology where possible. Consider an inbound email stationery that marks and alerts readers of emails that have originated outside of the corporate network.
  • Consider subscribing to domain name registration alerting services so you are alerted when domains are created that closely resemble your corporate domain.
    buy bactrim online youngchiropractic.com.au/wp-content/uploads/2023/10/jpg/bactrim.html no prescription pharmacy

    Consider registering all available TLDs for your domain, although with the emergence of generic TLDs (gTLD) this may not be scalable.

  • Review your finance team’s procedures; consider revising how payments to external third parties are authorized. Require more than single sign-off, or perhaps use voice or biometric approval only with the requestor to ensure validity of the request.

Check out the infographic below for more on business email threats:

mimecast business email threats

Prosecutors Reveal ‘Securities Fraud on Cyber Steroids’

Posted on by

The investigation into a huge cyberattack on JP Morgan Chase last year has exposed one of the largest computer hacking and fraud schemes to date.

online pharmacy periactin with best prices today in the USA

According to U.S. prosecutors, Gery Shalon, Joshua Samuel Aaron and Ziv Orenstein, all from Israel, hacked a total of 12 companies to expose the personal information of more than 100 million people, netting hundreds of millions of dollars in profit. The men face 23 criminal counts, including wire fraud, computer hacking, illegal internet gambling and money laundering, with alleged crimes targeting 12 companies, including nine financial services companies and media outlets including the Wall Street Journal. Investigators say their massive criminal empire used 75 shell companies that employed hundreds of people, and hacked seven major banks, ran an online casino, laundered money around the world and set up an illegal Bitcoin trading operation.

online pharmacy zestril with best prices today in the USA

“It is hacking in support of a diversified criminal conglomerate,” said Preet Bharara, U.S. attorney for the Southern District of New York. “In short, it is hacking as a business model.”

In addition to the hack of JP Morgan, which U.S. Attorney General Loretta Lynch called “the largest theft of customer data from a U.S. financial institution” and exposed the personal information of 83 million customers, the criminals also attacked E*Trade Financial Corp., TD Ameritrade, Scottrade Inc., Fidelity Investments and News Corp’s Dow Jones, which publishes the Wall Street Journal. The breaches date as far back as 2007.

“By any measure, the data breaches at these firms were breathtaking in scope and in size,” Bharara said. “This showcases a brave new world of hacking for profit.”

Breaking into these financial institutions gave the attackers information to target specific people, and gave them extra insight into the stock market. According to the indictment, they used the customer data to contact individuals and push them to buy stocks in order to manipulate their prices. In addition to the pump-and-dump scheme, sometimes the defendants reportedly engineered mergers with shell companies to create publicly traded stocks that could be manipulated.

online pharmacy symbicort with best prices today in the USA

Bharara called the scheme “securities fraud on cyber steroids.”

Beginning in 2012, in addition to disguising payments and constantly obtaining new bank accounts, the men further tried to evade detection by hacking into a company that assessed merchant risk for credit-card issuers. The breach allowed the defendants to read employees’ emails and figure out how to sidestep the company’s efforts to monitor illegal payments, according to the indictment.

The defendants are also accused of operating at least 12 illegal internet casinos, even launching cyberattacks against rival gambling businesses to review executives’ email and gain a competitive edge. Shalon hacked competitors’ customer databases and directed denial of service attacks to shut down their businesses.

Several compliance officers may soon feel the heat as well: the investigation found that, in operating the online casinos and illegal pharmaceutical payment processing enterprises, the co-conspirators deceived financial institutions into processing and authorizing payments between the casino companies and others. “They colluded with corrupt international bank officials who willfully ignored its criminal nature in order to profit from, as a co-conspirator described it to Shalon, their payment processing ‘casino/software/pharmaceutical cocktail’,” the indictment charges.

According to prosecutors, the case illustrates the growing power of criminals and their tools, and makes such crimes particularly difficult to solve. But it may also highlight one key resource to do so: self-reporting to law enforcement. Officials credited JP Morgan’s early cooperation for helping to uncover the network of criminal activity. The firm came forward early on to share information with the government, a move many forensic investigators encourage.
buy prednisone online https://galenapharm.com/pharmacy/prednisone.html no prescription

This case provides one of the clearest examples of why: hackers frequently use the same schemes to target a swath of companies in a given industry. While many companies worry about the reputational and regulatory risks of disclosing a breach to law enforcement, as hackers grow more sophisticated in their techniques and complex in their operations, it may prove an ever more critical step in the breach response and investigation process.

“Shalon, Aaron, and their co-conspirators allegedly robbed victim companies, often for months at a time, stealing the contact information of tens of millions of customers,” said FBI Assistant Director-in-Charge Diego Rodriguez. “They cloaked themselves in secrecy, but their methods rivaled those of the traditional masked robber. Today’s indictment sheds light on an increasingly complex threat. But just as criminals continue to develop relationships with one another in order to advance their objectives, the law enforcement community has developed a collaborative approach to fighting these types of crimes.”

Corporate Directors and Officers Face Cybersecurity Pressure

Posted on by

Stock market down

One of the primary issues confronting corporate directors, officers and others involved in risk management today is cybersecurity. News cycles have been littered with high-profile data breaches at companies ranging from Sony Pictures Entertainment, Wyndham Hotels, Anthem and Home Depot, since Target Corporation’s massive data breach kicked off this scrutiny in 2013. The massive federal data breach earlier this year demonstrated that the U.S. government is not immune either.

A corporate data breach not only inflicts reputational and financial pain on the targeted company, but, depending on the data disclosed, the impact on consumers can be dramatic. According to Redspin’s Breach Report 2013, since 2009, nearly 30 million Americans have had their personal health information accidentally disclosed—or worse, breached. Further, the Cyber Edge Group recently surveyed 800 security decision makers and practitioners and found that more than 70% indicated that their networks were breached in 2014, an increase of 8% from 2013.

Claims against Directors

Cybersecurity is an issue of risk assessment that should be on the mind of board members. As every director has likely experienced, corporate decision-makers are under more scrutiny today than ever before because of corporate scandals that led to the adoption of the Sarbanes-Oxley Act and the more recent Dodd-Frank Act. One of the main objectives of Dodd-Frank is to increase transparency and improve accountability in the corporate financial world. As a result, board members are now required to spend more time overseeing a company’s operations than perhaps was the case in prior years.

A key determinant of liability is how a director acts once a red flag has been identified. When a warning sign appears, a director is required by law to diligently undertake a reasonable investigation.

online pharmacy apixaban with best prices today in the USA

But an open issue at hand is how much training companies provide to their directors so that they can identify potential issues and respond accordingly, or actively oversee the corporate compliance program. In light of many recent cases, the answer is: not enough. One proactive approach is for a corporate board to annually review all of the material events that impacted their company over the past year (both externally and internally) and assess how prepared the management team was for each event. They should also assess the company’s overall approach to cybersecurity policies and practices annually, including any incident response plans.

All this said, if history is our guide, the likelihood of a corporate board member being held personally liable for poor oversight of a public company is low. This is because directors and officers insurance almost always covers any liability or settlement. According to a 2006 Stanford Law Review study, between 1980 and 2005, there were only 12 cases where directors were forced to make payments that were not covered by insurance, including legal fees.

While data breaches have spawned litigation brought by consumers or employees, widespread litigation has not ensued with shareholders seeking damages as a result of a data breach. This is likely because of the challenges inherent in demonstrating that a company’s share price was materially affected by a breach.

online pharmacy minocin with best prices today in the USA

The data breach at Home Depot provides a good example of potential litigation strategies that may be employed in the future. Following that breach, a lawsuit was filed in Delaware Chancery Court seeking access to Home Depot’s books and records related to the data breach. It appears that the plaintiffs are using this suit to determine whether Home Depot’s directors and officers breached their fiduciary duties by failing to adequately protect the company’s credit card information. Based on what is uncovered, it is likely that future litigation will ensue.

The law regarding director’s liability is fairly well established, and claims typically arise in one of two scenarios: 1) The directors should be liable because they made a decision or took an action that was either negligent or ill-advised (they breached their duty of care); or 2) The directors failed to act in a situation where they could have prevented a loss (they breached their duty of loyalty).

Claims alleging a breach of the duty of care are unlikely to succeed because directors enjoy the protections of the director-friendly business judgment rule. Essentially, the business judgment rule immunizes a director’s conduct from judicial scrutiny as long as the decision is informed, made in good faith, and with the genuine belief that the decision was made in the company’s best interest. Even if a plaintiff can overcome the presumptions in favor of a director by showing gross negligence, many companies have adopted charter or bylaw provisions consistent with Delaware law, thereby insulating directors from liability for a breach of their duty of care. Other states such as Nevada have enacted statutes specifically protecting directors from these types of claims.

In the second scenario, a director is not insulated from liability under Delaware law, and a director’s conduct is evaluated under the standards enunciated in Caremark International Inc. Derivative Litigation and its progeny. This oversight liability attaches when directors consciously disregard their responsibilities either by: 1) failing to implement a sufficient reporting system; or 2) after implementing a reporting system, failing to properly oversee or monitor its operations by serving as passive recipients of information. Simply put, making no decision – or looking the other way – may indeed be worse than making any decision, even a bad one.

Many risks can be mitigated through the use of insurance policies. But with respect to cybersecurity, relying on insurance may prove problematic. With no form of standardized cyber insurance policy language established, different insurers are adopting different approaches. Moreover, an actuarial challenge exists in predicting or gauging the probability and impact of a cyberattack. As a result, it remains difficult to match a cybersecurity policy with the risk profile of a particular company. Also, the damages suffered from a data breach may be multifaceted and unique, with no normal distribution of outcomes. In sum, insurance may be a partial answer, but not necessarily a cost-effective complete solution.

Rise of the Corporate Investigation

Over the past several years, a cottage industry has emerged among lawyers who claim to specialize in corporate investigations. These investigations used to be the purview of a company’s general counsel or legal staff. But courts became less likely to apply the business judgment rule if an investigation was conducted in-house. This reluctance has spawned the exponential growth of corporate investigations, and more or less established that the standard of care is to retain outside counsel. Even though the costs of these investigations can be prohibitive, there appears to be no consensus on a different tactic.

In the face of a government enforcement action, regardless of which regulatory authority is involved, a director’s playbook is pretty straightforward. Directors should establish a committee to exercise day-to-day supervision of an internal investigation and monitor the progress in order to best ensure the company’s protection. One way for directors to limit their exposure—and perhaps cut down on corporate misconduct—is to provide the same oversight on an ongoing, day-to-day basis. This can decrease the number of required corporate investigations and the identification and remediation of issues before they become significant liabilities. Viewed through the eyes of a director, such an approach could lessen the likelihood of future liability.