It’s Time Organizations Treat Cybersecurity as a Core Business Value

Ted West, BOHH Labs Executive Chair, Director

In a recent publication of Deloitte University Press, “Navigating Legacy: Charting the Course to Business Value (2016-2017),” it was revealed that only 10 percent of over 1,200 CIOs surveyed reported that cybersecurity and IT risk management are a “top business priority.” In fact, “Cybersecurity” trailed “Customers,” “Growth,” “Performance,” “Cost,” and “Innovation” among other priorities.

ONE WONDERS

This shockingly low statistic brings to the forefront a very pressing thought, is security getting the attention really needed, especially in organizations with very large customer bases and highly sensitive personal and transactions data?

Most CIOs acknowledge that cybersecurity is a core expectation of their role and their IT organizations. However, many feel that their business leaders view security and risk management as a “compliance chore” and a “cost of doing business.” While most of these CIOs do expect to increase their technology spending on security, under these circumstances, will they be successful in securing the investments needed when it is still not valued as an integral part of an organization’s success and reputation?

REALLY?

With the current climate of breaches being revealed daily and ransomware on the rise, organizations and its leaders must start asking themselves if fixing a security breach that exposes millions of client records and brings financial and brand damage is still merely a “compliance chore?” Is the investment needed to prevent such a breach from happening again a simple “cost of doing business?” Or, is fixing such a breach, or guarding against it in the first place, a strategic issue impacting the trust and reputation of the organization and its position to grow and retain a loyal base of customers?

In our increasingly digitally-driven, cloud and mobile-dispersed business IT world, security is becoming an essential priority for more and more organizations, especially in banking, healthcare, insurance, e-commerce, and so many more segments that are responsible for holding personal information for millions of its customers.

SECURITY MATTERS

One thing is becoming increasingly clear: security matters. Business leaders, starting from the Board of Directors and moving through the C-suite, must insist on their organizations adapting the most effective security measures in their IT platforms and workflows and processes today. They have no choice, and they should expect nothing less. The good news for these leaders is that there are promising new security technologies coming to market that will dramatically strengthen their organizations’ ability to keep the “bad actors” from compromising their good data, their customers’ trust and loyalty, and their critical brands. Leaders who make security a business priority and an integral part of their organizations’ daily operations, can help navigate their organization to better long-term performance and success.

Weekly News Roundup

Too busy working all week to keep up with the most interesting stories coming out of the technology and security industries? Below are our recommendations for a roundup of the top stories happening now that you need to know.

1. Yahoo Delays Its Sale to Verizon Until the Second Quarter

Yahoo reported positive numbers in their most recent quarterly report, but they are still dealing with the aftermath of its breaches. Now its expected sale to Verizon has been delayed until no sooner than April. Read more…

2. Lloyds bank accounts targeted in huge cybercrime attack

It was confirmed this week that Lloyds Banking Group was a victim of a DDoS cyberattack. Cybercriminals attempted to block access to 20m UK accounts. Read more…

3. Heartbleed bug still found to affect 200,000 services on the web

Almost three years later, the infamous Heartbleed bug is still at it. Researchers found that nearly 200,000 services globally are still connected to the web and not patched against Heartbleed. Read more…

4. Trump’s attorney general nominee in favor of encryption backdoors

Trump’s pick for attorney general is in favor of putting in backdoor encryption. The statement was buried at the end of a confirmation hearing last week and most people missed it. Read more…

5. US law enforcement can’t ask companies to turn over foreign data

Microsoft has been in a hard fought battle to stop American law enforcement from demanding data from overseas. Recently it was found by the court ruled that the US can’t request foreign data be turned over. Read more…

Banking Trojans – What Are They & How Can you Stay Protected?

Meghan O’Leary, CMO of BOHH Labs

With more people relying on the Internet, computers and phones for their banking activities, this makes their accounts more vulnerable to security risks and cybercriminals have noticed. One specific tool hackers use for banking attacks are called Banking Trojans.

Banking Trojans are a type of malware used by hackers to attempt to steal confidential information about users using online banking and payment systems. What this type of Trojan does is it redirects the traffic from a bank’s website to another a website that the hacker has access to. This works because the Trojan typically looks like a normal piece of software, but it has a backdoor for hackers, so once it is installed, the hacker can get access to the computer’s system and files. Basically, once a hacker has backdoor access, they have remote control of your computer and can send, steal, receive, delete and so on files from your computer.

Once the hacker infects the computer system with a Banking Trojan, it is all a matter of the waiting game. When a user takes part in an online baking activity, the software starts creating folders and editing registry entries each time the computer system is started. The Trojan also searches for specific cookie files that are related to financial websites that have been stored on the computer and can get information like login credentials and other access to the user’s information.

There are many ways a hacker will use a Banker Trojan to steal your information. Some of the most common methods include:

• Phishing (stealing information by impersonating a legitimate bank)
• Logging keystrokes to send captured data to remote servers
• Man-in-the-Middle attacks
• Stealing information from a clipboard
• Intercepting passwords
• Bypassing two-factor authentication
• Changing DNS settings to redirect users to malicious versions of legitimate banking sites

Now that you have a better understanding of what a Banking Trojan is and what it can do, there are some measures you can take as users to help ensure your information stays protected. Below are a few best practices tips to follow when online banking to help minimize your chances of become a victim to a Banker Trojan.

• Read and be familiar with your bank and credit card policies. If you receive a suspicious online notification, verify with your bank or credit card company before taking action.
• Don’t save personal information, bank account numbers and passwords on your phone or computers.
• Check for encryption on bank websites. Look for a small lock icon somewhere on your browser, and URLs that begin with “https:” This means the site is secured and your data is encrypted.
• Make sure your security software is up-to-date, regardless of if you are using a computer or mobile device.
• Change your passwords and PIN number frequently.
• Be careful of what you post on social media. This may sound silly, but by posting personal information about yourself on your social tools can give criminals easy access to find more information about you and use it to their advantage.
• Monitor your accounts. Regularly check in on your accounts to ensure all transactions are your own. If you find fraudulent or suspicious activity, immediately report it to your bank and they will put a hold on your card/take measures to secure your account and typically will cover your loss.

Weekly News Roundup

Too busy working all week to keep up with the most interesting stories coming out of the technology and security industries? Below are our recommendations for a roundup of the top stories happening now that you need to know.

1. Minecraft link to net’s biggest botnet

This week it was revealed that malware that was the net’s largest ever cyber-attack last year had links to Minecraft servers. Those investigating it found that the Mirai botnet can be traced back to rivalries in the Minecraft community. Read more…

2. Oracle Patches 270 Vulnerabilities in Year’s First Critical Patch Update

This Tuesday, Oracle patched 270 vulnerabilities, many remotely exploitable, across 45 different products. Oracle warned that nearly 40% of the issues fixed were remotely exploitable without authentication. Read more…

3. Bitcoin exchange employee pleads guilty in U.S. case tied to hacking

This week, a man plead guilty to charges stemming from his employment as a finance support manager and business development consultant for an unlicensed bitcoin exchange that was tied to a hack of companies including JP Morgan Chase. Read more..

4. US Seeks To Intervene In Case Against Privacy Shield

The U.S. has filed to intervene in a case against privacy shield. Digital rights Ireland has challenged the data transfer pact raising questions on its ability to protect EU privacy. Read more…

Security is All Around Us, Why Isn’t It Working?

Simon Bain, CEO of BOHH Labs

Security is all around us. We have firewalls, VPN’s, encryption and policies. Yet still it seems that millions, and in some cases billions of records, (our information, our documents, our money and our private details) are stolen from so called secure systems.

Why?

I believe that the reason for this is very simple. Security has become a buzz word. “Yes of course our systems are secure;” “We use the latest security systems;” “We employ the most up to date security systems and policies” …

In these cases, the word security has been used as an excuse not to go in to details or to throw off blame and recrimination. Yahoo sent this sentence to its users after its breach announcements, “We continuously enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.” What does it mean? “We continuously …”

So there is continuous monitoring, yet still it would seem up to 1 billion records seem to have been stolen?

It is time for a change. Security needs to be taken seriously. Not used as a funding mechanism, or a word that corporations can use to try and shift responsibility to someone else when a theft of data happens. Yes, theft of data. Let’s stop talking about hacks and hackers. This word in my lifetime has had different meaning, from a general reporter, a kid in his bedroom having fun, to statewide intrusions into systems. Let’s start talking about these attacks as theft. Theft of our data, our money and our privacy.

Security systems need to come up to scratch. Firewalls help but they are poor defenses for theft that has arisen from an internal source. Database encryption is only as good as the administrators of the database and password hashing let it just stop being used. In today’s climate, we need systems in place that are more dynamic in nature. These systems need to change automatically with each call, they need to be able to react to situations, much like an immunization against TB can react when the real TB bacteria enters the body. An immunization against a disease is not there to stop a bacterium entering your body, but when it is in, it renders it useless without disrupting the body’s ability to carry on. It is up to you to try and stop the disease in the first place. That is where Firewalls and policies have a role. But today we also need the immunization program, one that creates systems that can protect our data from within. A system that does not hinder the role of the system even under an attack and one that renders the information useless to all but those who are authorized to view it.

Security needs to become more dynamic in its role within the enterprise. We in the industry need to start redefining how security is seen, and more importantly, how security WORKS.

Weekly News Roundup

Too busy working all week to keep up with the most interesting stories coming out of the technology and security industries? Below are our recommendations for a roundup of the top stories happening now that you need to know.

1. Phone-cracking firm Cellebrite hacked
   Cellebrite, an Israeli firm that markets hacking tools, is the latest victim of a cyber attack. Information about its customers has been compromised. Read more…
2.  Giuliani announces he’ll be Trump’s czar for the cyber thing 
   The former mayor of New York will be leading up a cybersecurity advisory group for the Trump administration. Giuliani’s appointment of this role stems from his time as chair of the “Cybersecurity, Privacy and Crisis Management Practice” at the New York law firm Greenberg Traurig. Read more…
3. Ukraine power cut ‘was cyber-attack’
   This week, researches declared that a power cut that affected Kiev, the Ukrainian capital, in December 2016 was indeed a cyber-attack. This was also linked to an incident to a hack and blackout in 2015 affecting more than 225,000 people. Read more…
4. Deloitte opens blockchain lab in New York to push for working prototypes
   Deloitte will open a laboratory in New York to explore blockchain solutions for the financial services industry. This is the second lab Deloitte has opened dedicated to blockchain. In total, they have 800 people in 20 countries dedicated to blockchain. Read more…
5. FTC vs. D-Link: A Warning to the IoT Industry
   The Federal Trade Commission filed a complaint against router and camera manufacturer D-Link for its poor security practices. Could this lead to the beginning of a long battle to fix systemic industry problems surrounding IoT and security? Read more…

Too busy working all week to keep up with the most interesting stories coming out of the technology and security industries? Below are our recommendations for a roundup of the top stories happening now that you need to know.

1. Watch Out Hackers: Deploying Ransomware is Now a Crime in California

A new law took effect January 1 that makes the delivery of ransomware in the state of California illegal. The penalty could be up to four years in state prison. Read more…

2. Mobile malware disguised as Microsoft docs spread via WhatsApp

This week it came out there was mobile malware targeting WhatsApp and users in India. Once clicked, the malware has the ability to access personal information including login credentials, banking passwords, and PIN codes. Read more…

3. Task Force Issues Cybersecurity Advice to Donald Trump

In light of the cybersecurity discussions happening after the Russian hacking allegations, a task force has recommended a cybersecurity agenda for the incoming Trump administration. Read more…

4. This Android-Infecting Trojan Malware Uses Your Phone to Attack Your Router

It was released this week that there is a new form of Android Trojan malware that can attack the router. Named the “Switcher Trojan,” the malware uses Android device users as a way to redirect traffic from Wi-Fi connected devices on the networks to cybercriminals. Read more…

5. OCC Eases Regulatory Requirements in Final Rule

This week the Office of the Comptroller of the Currency released a final rule that removes outdated or unnecessary provisions of certain rules to reduce regulatory burden on national banks and federal savings associations. Read more…