<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Krisi, Author at 3Cyber-Sec</title>
	<atom:link href="https://3cyber-sec.com/author/kris/feed/" rel="self" type="application/rss+xml" />
	<link>https://3cyber-sec.com/author/kris/</link>
	<description>Cyber Security</description>
	<lastBuildDate>Mon, 23 Aug 2021 14:51:45 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.4</generator>

<image>
	<url>https://3cyber-sec.com/wp-content/uploads/2021/05/cropped-profile_custom-32x32.png</url>
	<title>Krisi, Author at 3Cyber-Sec</title>
	<link>https://3cyber-sec.com/author/kris/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>Experts&#8217; Talk: Why Do You Need to Encrypt Your Data</title>
		<link>https://3cyber-sec.com/2021/08/23/experts-talk-why-do-you-need-to-encrypt-your-data/</link>
					<comments>https://3cyber-sec.com/2021/08/23/experts-talk-why-do-you-need-to-encrypt-your-data/#respond</comments>
		
		<dc:creator><![CDATA[Krisi]]></dc:creator>
		<pubDate>Mon, 23 Aug 2021 14:51:45 +0000</pubDate>
				<category><![CDATA[Experts' Talk]]></category>
		<guid isPermaLink="false">https://3cyber-sec.com/?p=1168</guid>

					<description><![CDATA[<p>Encryption is the process through which cryptographers transform data into code intending to protect it from unauthorized access.</p>
<p>The post <a href="https://3cyber-sec.com/2021/08/23/experts-talk-why-do-you-need-to-encrypt-your-data/">Experts&#8217; Talk: Why Do You Need to Encrypt Your Data</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>It’s finally time for our next Experts’ Talk article and we’re excited to share unique trends, insights, and perspectives from the cybersecurity world with you. This month we are joined by the Information Security Expert and certified Cybersecurity Consultant <a href="https://www.linkedin.com/in/steliyan-petkov/">Steliyan Petkov</a> with whom we will be exploring the topic of why data encryption is important and how it can help you minimize cybersecurity risks for your organization. Steliyan Petkov is a well-known expert in the field of Cybersecurity who has valuable experience gained across the highly regulated FinTech and Pharmaceuticals Industries. He focuses on assessing and evaluating risk from which Information Security Strategies can be both developed and enhanced. Steliyan Petkov’s expertise is further supported by his CISM, CISSP, and CDPSE Certifications.</p>
<h2>What does it mean to encrypt your data?</h2>
<p>So let’s not waste a minute and get started by defining what exactly data encryption means. Encryption is the process through which cryptographers transform data into code intending to protect it from unauthorized access. Usually, the sensitive data is scrambled and ordered in a practically unreadable way, and the information that it gives out does not make any sense. This unreadable text is referred to as ciphertext. To read the information, users have to decrypt the ciphertext so that it returns to its initial state of plaintext.</p>
<blockquote><p><em>“Encrypting data is not a new concept, it has been around for centuries. One of the oldest and most widely-known encryption techniques is the so-called Caesar&#8217;s cipher, named after the infamous Julius Caesar who used it to protect military messages. To encrypt a message using Caesar&#8217;s cipher you would need to replace each letter from the plaintext with a letter from the alphabet that is positioned a certain number of spaces before the letter that you need to replace. We refer to this number as the key because if the user knows what the number is, they can easily decipher the message. It sounds complicated, but it is actually pretty simple. So, for example, if you select the number 4 to be your key, then the letter A in the plaintext will be substituted by the letter W in the ciphertext, while the letter D will be switched for an A and so on. This method of encryption is called a substitution cipher, and while it was useful some decades ago, now we need to use more complicated methods of encryption.”</em>, shares Steliyan Petkov.</p></blockquote>
<p><img fetchpriority="high" decoding="async" class="alignnone wp-image-1169 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-36.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-36.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-36-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-36-480x240.png 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>So, for example, if you wanted to encrypt the word “CYBERSECURITY” by using Caesar&#8217;s cipher with a key of 3, you would end up with the following ciphertext: “ZVYBOPEZROFQV”. Another historical use of a substitution cipher dates to WW2, when the German Enigma machine was invented to help military officials send and receive secret information in the form of a substitution cipher.</p>
<p>The encryption of data is still widely used today and it is arguably one of the essential cybersecurity practices. In fact, organizations and companies are often obligated to encrypt any sensitive data that they store or send via diverse communication platforms on the Internet. As Steliyan Petkov puts it, encryption could not only protect organizations from being hacked, but in case of an existing cyberattack, encryption could also make the difference between a massive breach of personal data and a compromise of unreadable ciphertext.</p>
<blockquote><p><em>“If you don’t encrypt the sensitive data your company handles, you are exposing your business to enormous risk. And I’m not only talking about the risk of a data breach, but also the risk of non-compliance with certain regulations and industry requirements. Consequently, if you’re not compliant, you may be faced with fines and reputational damages.”</em>, adds Petkov.</p></blockquote>
<p>Before we share which regulations require businesses to encrypt their data, however, we’ll first explore the different types of encryption used today.</p>
<h2>Types of Encryption</h2>
<p>There are two main types of encryption &#8211; Symmetric and Asymmetric (also known as public-key encryption). The differences between them lie in the speed of the process, the number of keys needed to encrypt and decrypt data, the length of the keys, as well as the means through which the keys are shared with other parties (key management).</p>
<ul>
<li>
<h3>Symmetric</h3>
</li>
</ul>
<p>This type of encryption uses one key for both processes &#8211; encryption and decryption. So, for example, if you want to send a secret message to John, you need to provide him with the encryption key, so that he can decrypt your message. Therefore, the risks associated with symmetric encryption are higher. As Steliyan Petkov explains it:</p>
<blockquote><p><em>“When only one key is used for encryption and decryption, both parties that participate in the communication need to know what that key is. Thus, the key needs to be exchanged and if this process is not done safely, the key could fall in the wrong hands. For example, you cannot simply send the key to the other party via email without it being encrypted itself. There are specific procedures that need to be followed when it comes to key management.”</em></p></blockquote>
<p><img decoding="async" class="alignnone wp-image-1171 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-37.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-37.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-37-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-37-480x240.png 480w" sizes="(min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<ul>
<li>
<h3>Asymmetric</h3>
</li>
</ul>
<p>With asymmetric encryption, there are two keys involved &#8211; one for encrypting the message (a public key) and one used to decrypt it (a private key). When this method is used, the sender encrypts the message with the public key and the receiver decrypts it with his/her private key.</p>
<blockquote><p><em>“The public key is available to anyone, hence the name. On the other hand, the private key is only known by the person receiving the message. Therefore, asymmetrically encrypted messages are less likely to be compromised by cybercriminals.”</em>, clarifies Petkov.</p></blockquote>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-1172 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-38.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-38.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-38-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-38-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>Because symmetric encryption is not as complicated as asymmetric, it is also a much faster process. Furthermore, the recommended length of the keys associated with both types of encryption is different. While in our example with Caesar&#8217;s cipher we only used a key containing one number (3), in reality, encryption keys consist of hundreds or thousands of numbers.</p>
<blockquote><p><em>“The encryption keys are essentially strings of symbols (digits, letters and some special characters) with different lengths. They could consist of 128, 192, or 256 numbers (professionals usually refer to those numbers as bits) and could even contain more than 2048 bits. At the time of writing, the recommended symmetric key length is 128 bits and higher, while the length for asymmetric keys is 2048 bits and higher.”</em>, shares Steliyan Petkov.</p></blockquote>
<h2>Why should you encrypt your sensitive data?</h2>
<p>Encrypting your data is crucial for your organization’s cybersecurity regardless of the industry your business operates in. Steliyan Petkov shares that many industry regulations require companies to encrypt their sensitive data:</p>
<blockquote><p><em>“Whether your business operates in the financial, healthcare, or any other sector, it’s strongly advisable, and in some cases compulsory, to encrypt the sensitive data you handle. The Health Insurance Portability and Accountability Act (HIPAA), for example, requires organizations to protect patients’ data via encryption or an equivalent alternative. Additionally, businesses can avoid hefty data breach fines from the California Consumer Privacy Act (CCPA) if the breached data cannot be accessed without a decryption key. Not to mention that the Payment Card Industry Data Security Standard (PCI DSS), as well as the Federal Information Processing Standards (FIPS) require organizations to encrypt sensitive data and anyone who fails to do so will be faced with expensive penalties.”</em></p></blockquote>
<p>According to <a href="https://info.entrust.com/rs/104-QOX-775/images/global-encryption-trends-study-re_es.pdf">The Global Encryption Trends Study 2021</a> by Entrust, the data types that were routinely encrypted in 2020 were payment-related data (55%), financial records (55%), intellectual property (48%), employee data (48%), customer information (42%), healthcare information (26%), and non-financial business information (25%). Furthermore, according to the same study, the top four reasons for encryption in 2020 were:</p>
<ul>
<li>Protecting customer information &#8211; 54%</li>
<li>Protecting information against specific, defined threats &#8211; 50%</li>
<li>Protecting intellectual property &#8211; 49%</li>
<li>Complying with privacy or data security regulations and requirements &#8211; 45%</li>
</ul>
<p>It’s best if you outsource the task of encrypting your data to a professional cybersecurity team with the needed experience and expertise. 3Cyber-Sec’s team can protect your organization from cyber threats. As a boutique cybersecurity consultancy, we are passionate about providing tailored solutions to each of our clients and we’re always ready for new challenges. <a href="https://3cyber-sec.com/contact-us/">Contact us for a free consultation now</a>.</p>
<p>Did you enjoy our article? For more expert advice, read last month’s talk, when we were joined by 3Cyber-Sec’s Business Development Manager and certified Cybersecurity Consultant Todor Kunev. Together with him, we discussed <a href="https://3cyber-sec.com/2021/06/21/experts-talk-what-is-phishing-and-how-can-you-spot-it/">the dangers phishing attacks pose for businesses and individuals.</a></p>
]]></content:encoded>
					
					<wfw:commentRss>https://3cyber-sec.com/2021/08/23/experts-talk-why-do-you-need-to-encrypt-your-data/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Curious Case of The SolarWinds Cyberattack</title>
		<link>https://3cyber-sec.com/2021/08/09/the-curious-case-of-the-solarwinds-cyberattack/</link>
					<comments>https://3cyber-sec.com/2021/08/09/the-curious-case-of-the-solarwinds-cyberattack/#respond</comments>
		
		<dc:creator><![CDATA[Krisi]]></dc:creator>
		<pubDate>Mon, 09 Aug 2021 11:13:26 +0000</pubDate>
				<category><![CDATA[Cyberаttacks To Remember]]></category>
		<guid isPermaLink="false">https://3cyber-sec.com/?p=1182</guid>

					<description><![CDATA[<p>After the global media outburst during the last few months, it is safe to say that the SolarWinds cyberattack is fairly popular and many people know about it today. However, this does not change the fact that no one was prepared for the unprecedented hack while it was taking place.</p>
<p>The post <a href="https://3cyber-sec.com/2021/08/09/the-curious-case-of-the-solarwinds-cyberattack/">The Curious Case of The SolarWinds Cyberattack</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><span style="font-weight: 400;">After the global media outburst during the last few months, it is safe to say that the SolarWinds cyberattack is fairly popular and many people know about it today. However, this does not change the fact that no one was prepared for the unprecedented hack while it was taking place.  </span></p>
<p><span style="font-weight: 400;">We’ve witnessed several US federal agencies and thousands of businesses being compromised with (possibly) a single supply chain cyberattack targeting SolarWinds &#8211; a company that provides network monitoring products to top USA state-owned and public organizations. What’s unique about this attack is its sheer magnitude. It was executed in a professional and precise manner with the help of complicated techniques. The cybercriminals behind it were highly knowledgeable and experienced hackers. They used sophisticated methods that enabled them to attack multiple companies while remaining undetected for at least 10 months. </span></p>
<p><span style="font-weight: 400;">While the investigation as to what exactly happened, who is responsible, and what will be the consequences is still ongoing, we’re here to take a look at this curious case and shed light on the key findings available to the public so far.</span></p>
<h2><span style="font-weight: 400;">How was the SolarWinds cyberattack performed, who was compromised, and who is responsible?</span></h2>
<blockquote><p><span style="font-weight: 400;">The SolarWinds hack was a supply-chain attack. </span></p></blockquote>
<p><span style="font-weight: 400;">Cyberattacks of this kind can compromise the security of a given organization through third-party providers who have access to the organization&#8217;s network, systems, and data. In this case, the hacked third-party provider was SolarWinds. As a result, </span><a href="https://whatis.techtarget.com/feature/SolarWinds-hack-explained-Everything-you-need-to-know"><span style="font-weight: 400;">over 18 000 networks, systems, and data were compromised</span></a><span style="font-weight: 400;">. Additionally, more than 200 private businesses (including big names such as Microsoft, Cisco, FireEye, and Intel) and </span><a href="https://www.nbcnews.com/news/us-news/russian-hackers-breach-u-s-government-effort-aimed-agencies-private-n1251057"><span style="font-weight: 400;">several federal agencies</span></a><span style="font-weight: 400;"> including the US Department of Commerce, the US Department of Homeland Security, the US Department of the Treasury, the National Institutes of Health, the US Department of Energy, and the National Nuclear Security Administration were also affected by the attack.  </span></p>
<p><span style="font-weight: 400;">Although it is still not confirmed who is responsible for the hack, </span><a href="https://www.wsj.com/articles/pompeo-blames-russia-for-solarwinds-hack-11608391515"><span style="font-weight: 400;">US government officials</span></a><span style="font-weight: 400;"> and popular media websites such as The </span><a href="https://www.washingtonpost.com/national-security/russian-government-spies-are-behind-a-broad-hacking-campaign-that-has-breached-us-agencies-and-a-top-cyber-firm/2020/12/13/d5a53b88-3d7d-11eb-9453-fc36ba051781_story.html"><span style="font-weight: 400;">Washington Post</span></a><span style="font-weight: 400;">, have claimed that the attack was performed by a <strong>Russian hacking group referred to as APT29 or Cozy Bear</strong>. The idea that the hacking group was state-funded and a part of Russia&#8217;s foreign intelligence service was also mentioned to the public. Donald Trump, on the other hand, </span><a href="https://www.businessinsider.com/solarwinds-software-cybersecurity-breach-trump-russia-china-pompeo-technology-2020-12"><span style="font-weight: 400;">posted a tweet about two weeks after the attack’s</span></a><span style="font-weight: 400;"> discovery in which he expressed his beliefs that China may be the one behind it. That said, for the time being, there is no proof that either of the two countries was involved.</span></p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-1183 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-e1628505493189.png" alt="" width="1200" height="492" srcset="https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-e1628505493189.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-e1628505493189-980x492.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-e1628505493189-480x270.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p><a href="https://www.zdnet.com/article/microsoft-solarwinds-attack-took-more-than-1000-engineers-to-create/"><span style="font-weight: 400;">According to Microsoft</span></a><span style="font-weight: 400;">, there were more than a thousand cybercriminals who participated in the creation of the SolarWinds cyberattack and they must have had incredible skill sets. </span><a href="https://www.kiuwan.com/solarwinds-hack-timeline/"><span style="font-weight: 400;">It is believed</span></a><span style="font-weight: 400;"> that the initial hack took place way back in September 2019 when the attackers used a highly sophisticated malicious software referred to as </span><b>SUNSPOT</b><span style="font-weight: 400;"> to insert the now-infamous </span><b>SUNBURST</b><span style="font-weight: 400;"> malware into SolarWinds’ IT management software product </span><a href="https://www.solarwinds.com/orion-platform"><span style="font-weight: 400;">Orion</span></a><span style="font-weight: 400;">. The cybercriminals were able to replace one of Orion’s source files and add the SUNBURST backdoor code to it, which allowed them to bypass the cybersecurity defense systems that were in place, gain access to SolarWinds’ networks, as well as to SolarWinds’ clients’ networks, transfer files, execute files, profile the system, reboot the machine, and disable system services. As</span><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html"><span style="font-weight: 400;"> FireEye shares:</span></a></p>
<blockquote><p><span style="font-weight: 400;">The malware masked its network traffic as Orion Improvement Program (OIP) traffic and stored reconnaissance results within legitimate plugin configuration files, enabling it to blend in with legitimate SolarWinds activity. </span></p></blockquote>
<p><span style="font-weight: 400;">The SUNBURST backdoor enabled the attackers to introduce another malicious software, which was used to trojanize a series of Orion update files, which were released by the IT service provider SolarWinds between March 2020 and June 2020, </span><a href="https://www.csoonline.com/article/3601508/solarwinds-supply-chain-attack-explained-why-organizations-were-not-prepared.html"><span style="font-weight: 400;">as CSO shares</span></a><span style="font-weight: 400;">. Once they gained access to the compromised systems, the hacker group was careful not to leave any traces and preferred to steal and use credentials to move laterally through the networks and establish remote access.</span></p>
<h2>Detection and Response</h2>
<p><span style="font-weight: 400;">The hack was first detected by the cybersecurity company FireEye at the beginning of December 2020. </span><a href="https://edition.cnn.com/videos/business/2021/02/24/fireeye-ceo-solarwinds-hack.cnnbusiness/video/playlists/business-cybersecurity/"><span style="font-weight: 400;">FireEye discovered that there had been unauthorized access</span></a><span style="font-weight: 400;"> to their systems and traced the trail back to SolarWinds. On the same day, 13th of December 2020, the USA’s Cybersecurity and Infrastructure Security Agency (CISA) issued an </span><a href="https://cyber.dhs.gov/ed/21-01/"><span style="font-weight: 400;">emergency directive</span></a><span style="font-weight: 400;"> with instructions for mitigating the SolarWinds Orion Code Compromise. Furthermore, SolarWinds started informing its clients via </span><a href="https://twitter.com/solarwinds/status/1338325699300651018"><span style="font-weight: 400;">Tweets</span></a><span style="font-weight: 400;"> that they needed to immediately upgrade the Orion Platform to another version to address the vulnerability. Shortly after, </span><a href="https://investors.solarwinds.com/news/news-details/2020/SolarWinds-Releases-Updates-to-Address-Vulnerability-Related-to-SUPERNOVA-Malware/default.aspx"><span style="font-weight: 400;">SolarWinds introduced two additional updates</span></a><span style="font-weight: 400;"> that were meant to serve as “hotfixes” along with instructions for their implementation.</span></p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-1184 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-1-e1628505816998.png" alt="" width="1200" height="402" srcset="https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-1-e1628505816998.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-1-e1628505816998-980x402.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-1-e1628505816998-480x270.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p><span style="font-weight: 400;">In mid-December, FireEye discovered a “killswitch”, which could block the functions of the malware and prevent it from doing further harm. However, as </span><a href="https://www.darkreading.com/attacks-breaches/fireeye-identifies-killswitch-for-solarwinds-malware-as-victims-scramble-to-respond/d/d-id/1339746"><span style="font-weight: 400;">darkreading.com shares:</span></a><span style="font-weight: 400;"> </span></p>
<blockquote><p><span style="font-weight: 400;">FireEye’s fix wasn’t effective for networks where the attackers might have already deployed additional persistence mechanisms. </span></p></blockquote>
<p><span style="font-weight: 400;">The scope of the attack became clear by the end of December when the majority of the victims were named in the press. At the beginning of January 2021 </span><a href="https://www.cisa.gov/news/2021/01/05/joint-statement-federal-bureau-investigation-fbi-cybersecurity-and-infrastructure"><span style="font-weight: 400;">a joint statement </span></a><span style="font-weight: 400;">by the Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Office of the Director of National Intelligence (ODNI), and the National Security Agency (NSA) was released. The statement informed that the National Security Council staff has stood up a task force construct composed of the FBI, CISA, and ODNI and supported by NSA. The task force group was named Cyber Unified Coordination Group and its main purpose was to “</span><i><span style="font-weight: 400;">coordinate the investigation and remediation of this significant cyber incident involving federal government networks</span></i><span style="font-weight: 400;">”. On the 6th of January CISA issued supplemental guidance in relation to the emergency directive for mitigation of the SolarWinds hack. Furthermore, the security agency updated the directive with additional information and instructions once more &#8211; on the 22nd of April. </span></p>
<p><span style="font-weight: 400;">At the end of January 2021, CISA issued a</span><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a"><span style="font-weight: 400;"> malware analysis report</span></a><span style="font-weight: 400;"> with technical details about the malicious software used for the attack, while SolarWinds also published a </span><a href="https://www.solarwinds.com/sa-overview/securityadvisory"><span style="font-weight: 400;">security advisory </span></a><span style="font-weight: 400;">with information about the company’s response to the incident. Around one month later, in late February, the national security adviser Jake Sullivan announced during </span><a href="https://edition.cnn.com/2021/02/19/politics/sullivan-solarwinds-khashoggi/index.html"><span style="font-weight: 400;">an interview for CNN</span></a><span style="font-weight: 400;"> that the US administration is working towards addressing those responsible for the attack within weeks: </span></p>
<blockquote><p><i><span style="font-weight: 400;">We are in the process now of working through a series of steps to respond to Solar Winds, including steps that will hold who we believe is responsible for this and accountable, and you will be hearing about this in short order. We&#8217;re not talking about months from now, but weeks from now, that the United States will be prepared to take the first steps in response to solar winds</span></i><span style="font-weight: 400;">.</span></p></blockquote>
<p><span style="font-weight: 400;">The cyberattack was so sophisticated that it became the reason for several council hearings, the first of which </span><a href="https://www.reuters.com/article/us-usa-cyber-solarwinds-idUSKBN2AI2NN"><span style="font-weight: 400;">was held </span></a><span style="font-weight: 400;">on the 23rd of February by the US Senate intelligence committee. During the hearing, executives from SolarWinds, Microsoft, FireEye, and CrowdStrike discussed the attack. As the </span><a href="https://seekingalpha.com/pr/18204767-tech-firms-say-little-doubt-russia-behind-major-hack"><span style="font-weight: 400;">Associated Press</span></a><span style="font-weight: 400;"> reports, the CEO of FireEye, Kevin Mandia, told the Senate that his company has had nearly 100 people working to study and contain the breach since they detected it in December 2020. On February 26th the executives from SolarWinds, FireEye, and Microsoft were summoned once more to testify before a </span><a href="https://www.c-span.org/video/?509349-2/house-hearing-solarwinds-hack"><span style="font-weight: 400;">joint House hearing</span></a><span style="font-weight: 400;"> held by the US House of Representatives&#8217; Oversight and Homeland Security Committees. The main topics of the hearing were how and why the SolarWinds hack happened, whether classified government information was compromised, and what the existing vulnerabilities to the cyber supply chain are.</span></p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-1185 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-2.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-2.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-2-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-2-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p><span style="font-weight: 400;">At the beginning of March 2021, CISA issued another set of guides on remediating networks affected by the SolarWinds hacks and encouraged affected organizations to review and apply the necessary guidance. At the end of the same month, news broke that the SolarWinds hacker group also managed to access email accounts belonging to the Trump administration’s head of the Department of Homeland Security and DHS cybersecurity staff members whose jobs included hunting threats from foreign countries, as </span><a href="https://apnews.com/article/solarwinds-hack-email-top-dhs-officials-8bcd4a4eb3be1f8f98244766bae70395"><span style="font-weight: 400;">Associated Press shares</span></a><span style="font-weight: 400;">. </span></p>
<p><span style="font-weight: 400;">One of the last actions in response to the SolarWinds cyberattack was undertaken a couple of weeks ago when on June 21st the US Securities and Exchange Commission started an investigation that aims to determine if any of the compromised companies failed to disclose that they had been affected by the SolarWinds hack, </span><a href="https://www.reuters.com/technology/us-sec-official-says-agency-has-begun-probe-cyber-breach-by-solarwinds-2021-06-21/"><span style="font-weight: 400;">as reported by Reuters</span></a><span style="font-weight: 400;">.</span></p>
<h2>Consequences of the SolarWinds Cyberattack</h2>
<p><span style="font-weight: 400;">Even now, one year and nine months after the initial SolarWinds cyberattack and seven months after the hack’s discovery, the investigation and remediation activities continue. </span><a href="https://www.technologyreview.com/2021/03/02/1020166/solarwinds-brandon-wales-hack-recovery-18-months/"><span style="font-weight: 400;">According to Brandon Wales</span></a><span style="font-weight: 400;">, the acting director of CISA, officials will have fully secured the compromised government networks no earlier than 2022. Additionally, Wales said that even fully understanding the extent of the damage will take months, and that it could take up to 18 months before the US government recovers from the SolarWinds hack: </span></p>
<blockquote><p><span style="font-weight: 400;">There are two phases for response to this incident. There is the short-term remediation effort, where we look to remove the adversary from the network, shutting down accounts they control, and shutting down entry points the adversary used to access networks. But given the amount of time they were inside these networks—months—strategic recovery will take time</span><i><span style="font-weight: 400;">.</span></i></p></blockquote>
<p><span style="font-weight: 400;"><strong>Of course, the biggest, scariest, and most obvious outcome of the SolarWinds attack is the fact that thousands of private and several government organizations were compromised.</strong> It shouldn’t come as a surprise that, </span><a href="https://www.techrepublic.com/article/how-the-solarwinds-attack-may-affect-your-organizations-cybersecurity/"><span style="font-weight: 400;">according to a survey by DomainTools</span></a><span style="font-weight: 400;">, 96% of the 200 respondents, among them global security specialists and executives, were concerned about the SolarWinds cyberattack. Furthermore, 60% of the impacted respondents said they were still not sure whether the compromised data was breached, and 21% admitted that their sensitive data was in fact breached. </span></p>
<p><span style="font-weight: 400;">It is not a secret that cyberattacks often lead to a damaged reputation and the SolarWinds case isn’t an exception. SolarWinds was planning to spin out SolarWinds MSP &#8211; another service offered by the company which provides monitoring and management IT solutions. After the attack, however, SolarWinds decided to re-brand their MSP business, which is now known as N-able. According to </span><a href="https://www.channele2e.com/news/n-able-spin-out-on-track-for-q2-2021/"><span style="font-weight: 400;">channele2e.com</span></a><span style="font-weight: 400;">, although company officials have stated that the N-able business and associated MSP software were not involved in the Orion attack, the January 2021 sales in the MSP software business were slightly impacted by it.</span></p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-1186 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-3.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-3.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-3-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/08/3Cyber-Sec-blog-image-1200-x-600-3-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p><span style="font-weight: 400;">The attack is also going to cost a lot of money. According to </span><a href="https://www.msspalert.com/cybersecurity-news/solarwinds-revenue-earnings-after-hack/"><span style="font-weight: 400;">MSSP Alert</span></a><span style="font-weight: 400;">, <strong>SolarWinds said that it already had to pay $3.5 million in one-time expenses</strong> related to the hack. Furthermore, <strong>the company’s executives said that they estimate costs of $20 million to $25 million related to the hack</strong> and going towards upgrading the company’s security posture in 2021. </span></p>
<p><span style="font-weight: 400;">No one is safe against innovative cyberattack methods &#8211; that is the essential lesson to learn from the sophisticated SolarWinds hack. Businesses have to be cautious when trusting third-party providers regardless of how well-known their brands are. Furthermore, cybersecurity experts and companies should continuously strive to better their defense mechanisms so that they can respond adequately and mitigate future risks. Last but not least, organizations need to achieve greater visibility concerning the vulnerabilities of their systems and networks. </span></p>
<p><span style="font-weight: 400;">If you need help with identifying the vulnerabilities of your systems or if you seek expert cybersecurity advice, </span><a href="https://3cyber-sec.com/contact-us/"><span style="font-weight: 400;">contact us for a free consultation</span></a><span style="font-weight: 400;">. 3Cyber-Sec is a boutique cybersecurity consultancy company. Our primary focus lies in the development of cyber and information security control frameworks, infrastructure as well as vulnerability management solutions.</span></p>
<p>The post <a href="https://3cyber-sec.com/2021/08/09/the-curious-case-of-the-solarwinds-cyberattack/">The Curious Case of The SolarWinds Cyberattack</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://3cyber-sec.com/2021/08/09/the-curious-case-of-the-solarwinds-cyberattack/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>What Is Vulnerability Assessment And Why Is It Important?</title>
		<link>https://3cyber-sec.com/2021/07/26/what-is-vulnerability-assessment-and-why-is-it-important/</link>
					<comments>https://3cyber-sec.com/2021/07/26/what-is-vulnerability-assessment-and-why-is-it-important/#respond</comments>
		
		<dc:creator><![CDATA[Krisi]]></dc:creator>
		<pubDate>Mon, 26 Jul 2021 10:32:38 +0000</pubDate>
				<category><![CDATA[Cybersecurity Explained]]></category>
		<guid isPermaLink="false">https://3cyber-sec.com/?p=1159</guid>

					<description><![CDATA[<p>Vulnerability assessments determine the extent to which a technology asset could be threatened by a potential circumstance or event.</p>
<p>The post <a href="https://3cyber-sec.com/2021/07/26/what-is-vulnerability-assessment-and-why-is-it-important/">What Is Vulnerability Assessment And Why Is It Important?</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>With ever-advancing digitalization further accelerated by the global pandemic, new technological advances and innovative network systems are constantly being introduced to our society. To remain competitive and continue to conduct business successfully, organizations incorporate technology and networks in their everyday activities more than ever before. In fact, <a href="https://topdesignfirms.com/web-design/blog/online-presence-management">according to Top Design Firms’ survey</a>, 71% of small businesses have a company website, and 44% of those without a website plan to create one this year.</p>
<p>Although those shifts have many positive aspects, such as easier and faster customer service, they also pose cybersecurity risks for organizations. <a href="https://www.retarus.com/blog/en/alarming-cybersecurity-statistics-for-2021-and-the-future/">Retarus.com</a> shares some quite alarming statistics connected to cyberattacks in the last couple of years, including the fact that in comparison to 2019 we’re witnessing 358% more malware attacks and 435% more ransomware attacks. Therefore, businesses need to take the necessary measures and protect themselves and their clients against cybercriminals. The first step to the cybersecurity of any company, however, is outlining the key vulnerabilities associated with the organization’s specific industry and business type. To do this, cybersecurity specialists conduct vulnerability assessments.</p>
<h2>What is a vulnerability assessment?</h2>
<blockquote><p>Essentially, a vulnerability assessment is an ongoing process that identifies the security vulnerabilities of a given company’s network system, IT applications, and infrastructure by performing security scans either manually or with the help of automated testing tools.</p></blockquote>
<p>In other words, it is used to determine the extent to which a technology asset could be threatened by a potential circumstance or event. Once the threats and the weak spots are outlined, cybersecurity specialists create a vulnerability assessment report that includes detailed information about the findings. Vulnerability assessment reports enable organizations to gain a clear understanding of their security posture and take the necessary actions to mitigate or eliminate any cybersecurity risks they may be faced with.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-1160 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-34-e1627461593115.png" alt="" width="1200" height="483" srcset="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-34-e1627461593115.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-34-e1627461593115-980x483.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-34-e1627461593115-480x270.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>When performing vulnerability assessments, cybersecurity specialists not only quantify the vulnerabilities but also analyze and prioritize them based on predefined risks. Moreover, vulnerability assessments are a component of the company&#8217;s holistic security program to maintain compliance with popular industry standards such as <a href="https://3cyber-sec.com/iso-27001-certification/">ISO27001</a>, <a href="https://3cyber-sec.com/pci-dss-compliance/">PCI DSS</a>, <a href="https://3cyber-sec.com/swift-security-program/">SWIFT Customer Security Program</a> (for financial institutions), HIPAA (for the healthcare sector), and many more.</p>
<p>It is important for business owners to differentiate between <a href="https://3cyber-sec.com/penetration-testing/">penetration testing</a> and vulnerability assessment because, although similar, each service has a distinct nature. While a vulnerability assessment can help outline vulnerable spots in the systems of a given organization via scans, penetration testing goes much deeper into those vulnerabilities to determine their potential impact. In this sense, vulnerability assessment and penetration testing complement each other and can be used together to gain a better and more comprehensive understanding of the critical threats for the organization.</p>
<h2>Types of Vulnerability Assessment</h2>
<p>In terms of the examined areas of a company’s infrastructure, there are three main types of vulnerability assessments:</p>
<ul>
<li>
<h3>External Scans</h3>
</li>
</ul>
<p>They aim to outline vulnerabilities in the external IT infrastructure, which can be accessed by anybody through the Internet. Cybersecurity experts conduct external vulnerability assessments without having physical access to the scanned network.</p>
<ul>
<li>
<h3>Internal Scans</h3>
</li>
</ul>
<p>Internal Scans are used to detect vulnerabilities in the network of a given organization and, unlike external scans, are performed with full access to the scanned organization’s internal network. These types of scans can outline security gaps inside a company’s network and detect already existing malware, which has penetrated the defense systems.</p>
<ul>
<li>
<h3>Environmental Scans</h3>
</li>
</ul>
<p>These scans aim to outline vulnerabilities connected to the specific operational technologies a given organization uses, for example, cloud services, mobile devices, and IoT.</p>
<p><strong>Additionally, vulnerability scans can also be classified based on the assets they examine:</strong></p>
<ul>
<li>Network-based scans: aim to detect if any unauthorized devices or users are connected to the network</li>
<li>Host-based scans: aim to outline vulnerabilities on workstations, servers, or other network hosts</li>
<li>Wireless scans: aim to detect unauthorized open Wi-Fi networks in the organization’s infrastructure</li>
<li>Database scans: aim to discover vulnerabilities in the database of a given organization</li>
<li>Application scans: aim to detect vulnerabilities in web- and mobile-based applications</li>
</ul>
<h2>The vulnerability assessment process</h2>
<p>Any <a href="https://3cyber-sec.com/vulnerability-assessment/">vulnerability assessment</a> regardless of its type is conducted by following the same steps: Planning, Asset Discovery, Conducting the Scans, Analyzing the Findings, Creating a Remediation Plan, Recommendations.</p>
<p>During the planning stage, cybersecurity experts will research the organization’s network and environment to familiarize themselves with the specifics of the particular business. Within the Asset Discovery process, they will also outline the main goals of the vulnerability assessment and will determine which assets need to be scanned in order for the assessment’s objectives to be met. Then, the cybersecurity experts will use either manual or automated tools to scan the organization’s network. Usually, the scanning will result in a list of vulnerabilities and the level of their severity according to the Common Vulnerability Scoring System (CVSS). <a href="https://www.first.org/cvss/">CVSS is a published standard used by organizations worldwide</a>. It is a system that produces a numerical score reflecting the severity of a given vulnerability and labeling it as either low, medium, high, or critical.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-1161 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-35.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-35.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-35-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/07/3Cyber-Sec-blog-image-1200-x-600-35-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>Once the scans are completed and the vulnerabilities, as well as their severities, are outlined, the experts will then analyze the findings of the scans. They will rule out any false positive signals, evaluate and interpret the results and the risks, and outline the possible causes of the vulnerabilities. Last but not least, the cybersecurity experts will create a thorough report and an appropriate mitigation plan that focuses on the highest severity priorities and that is tailored to reflect the unique nature of the organization and its operations.</p>
<blockquote><p>Furthermore, vulnerability assessment is and should be an ongoing process.</p></blockquote>
<p>A single assessment can only provide you with a snapshot of your security posture at a given moment in time and does not guarantee that after a few months your network will still be facing the same vulnerabilities (or that it will still be secure once you’ve implemented the mitigation or remediation solutions). Therefore, to maintain a good security posture and to stay compliant with industry regulations, organizations need to conduct vulnerability assessments continuously. Given these facts, it is safe to say that the final step of vulnerability assessment is repetition.</p>
<h2>Why is vulnerability assessment important?</h2>
<p>One of the key benefits of vulnerability assessment is the fact that it helps organizations improve their cybersecurity visibility and gain valuable information about the threats they may be faced with. Visibility is crucial because you cannot protect what you cannot see. <a href="https://cdn2.hubspot.net/hubfs/4118561/BCC030%20Vulnerability%20Stats%20Report%20(2020)_WEB.pdf">According to Edgescan’s vulnerability statistics report</a> from 2020, 64% of professionals admitted to not being fully aware of their organization’s web applications or end-points. Furthermore, nearly 68% believe their visibility is ‘average’ while acknowledging they do not monitor some connected devices. This data emphasizes the significant lack of visibility into assets for most organizations, which is alarming but can be improved by conducting regular vulnerability assessments.</p>
<p>Furthermore, <a href="https://info.edgescan.com/hubfs/Edgescan2021StatsReport.pdf">Edgescan’s 2021 vulnerability statistics report</a> points out that 50% of the vulnerabilities discovered in internal web applications were rated as high or critical risk, while external networks have a high or critical risk density of 32%. Additionally, the report shows that the average time needed for mitigating high-risk vulnerabilities is 84.4 days while critical-risk vulnerabilities are usually mitigated within 50.9 days. During this time cybercriminals can take advantage of the weak spots in the organization, which can lead to data breaches and different types of cyberattacks. Consequently, this could cost the business even more time and money to recover. Therefore, the faster those vulnerabilities are detected, the quicker they can be resolved so that they no longer pose a threat to the organization.</p>
<p>Vulnerability assessment can not only help businesses ensure the safety of their organization, but it can also serve as proof of the security posture of a given company. Moreover, vulnerability assessment is a key part of becoming compliant with certain industry regulations, including but not limited to ISO27000, PCI DSS, SWIFT Security Program, and HIPAA, as mentioned above. Last but not least, vulnerability assessments can help organizations evaluate the risks third-party service providers pose to the business.</p>
<p>Don’t hesitate to <a href="https://3cyber-sec.com/contact-us/">contact us</a> if it’s time for evaluation of the vulnerabilities of your company’s network, or if you simply have any questions about vulnerability assessments and cybersecurity as a whole. <a href="https://3cyber-sec.com/our-team/">3Cyber-Sec’s team</a> is always ready to help by providing tailored solutions to organizations operating in diverse industries. Our expertise and collaborative approach allow us to focus on and respond to the specific needs of each of our clients.</p>
<p>The post <a href="https://3cyber-sec.com/2021/07/26/what-is-vulnerability-assessment-and-why-is-it-important/">What Is Vulnerability Assessment And Why Is It Important?</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://3cyber-sec.com/2021/07/26/what-is-vulnerability-assessment-and-why-is-it-important/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Experts’ Talk: What Is Phishing And How Can You Spot It?</title>
		<link>https://3cyber-sec.com/2021/06/21/experts-talk-what-is-phishing-and-how-can-you-spot-it/</link>
					<comments>https://3cyber-sec.com/2021/06/21/experts-talk-what-is-phishing-and-how-can-you-spot-it/#respond</comments>
		
		<dc:creator><![CDATA[Krisi]]></dc:creator>
		<pubDate>Mon, 21 Jun 2021 10:28:41 +0000</pubDate>
				<category><![CDATA[Experts' Talk]]></category>
		<guid isPermaLink="false">https://3cyber-sec.com/?p=911</guid>

					<description><![CDATA[<p>3Cyber-Sec’s business development manager and certified cybersecurity consultant Todor Kunev gets to the bottom of phishing attacks and the dangers they pose for businesses and individuals.</p>
<p>The post <a href="https://3cyber-sec.com/2021/06/21/experts-talk-what-is-phishing-and-how-can-you-spot-it/">Experts’ Talk: What Is Phishing And How Can You Spot It?</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Welcome to the first post from 3Cyber-Sec’s monthly rubric “Experts’ Talk”! Each month we’ll be talking to recognized cybersecurity experts with the goal of shedding light on some of the key topics connected to the cyber world. Our guest experts will provide exclusively for our readers their unique perspectives on diverse questions in connection to their field of expertise. With years of experience and dozens of solved problems, they will give you essential advice that can save your business and help you stay afloat even in your hardest times. Make sure you don’t miss any publications from our sequence so you can stay on top of the latest trends and insights from the cybersecurity world and ensure your business’s safety.</p>
<p>Today, together with 3Cyber-Sec’s business development manager and certified cybersecurity consultant <a href="https://www.linkedin.com/in/todor-kunev/">Todor Kunev</a>, we’ll be getting to the bottom of phishing attacks and the dangers they pose for businesses and individuals. Todor Kunev is an exceptional industry professional, capable of devising and implementing cybersecurity scenarios to strengthen cybersecurity and safeguard sensitive information and systems for his clients. To achieve his current level of expertise, Todor has spent years working towards obtaining his licenses and certificates, some of which include CDPSE, CISM, CCNP, and CCNA. He was eager to share his take on phishing with us, hoping that his advice might clear up some of the misunderstandings connected to the topic.</p>
<p>Let us explain what phishing is. It has nothing to do with the relaxing lake-house weekend you might be imagining. Although the word sounds just like the well-known hobby of fishing, phishing is not about you catching fish, but rather it’s about you being preyed upon by cybercriminals. In essence, this cyberattack type uses socially engineered emails (or in some cases text messages and voice calls) with the malicious intent to direct users to dangerous websites, distribute malware, collect credentials, and more.</p>
<p>As Todor Kunev puts it:</p>
<blockquote><p><em> “All phishing attacks aim to create a sense of urgency, provoke users’ interest or inflict fear. Once they’ve succeeded in grabbing users’ attention, cybercriminals usually propose a solution to the “urgent matter” in the form of a downloadable document or a link leading to a malicious website.”</em></p></blockquote>
<p>Phishing is one of the most widely used cyberattack methods today. In 2020 alone, 75% of organizations had experienced phishing attacks, according to <a href="https://www.proofpoint.com/sites/default/files/gtd-pfpt-uk-tr-state-of-the-phish-2020-a4_final.pdf">research conducted by Proofpoint</a>. Furthermore, 74% of the attacks that targeted businesses in the US were successful. This data is concerning, especially given the fact that phishing attacks could cost organizations $3.8 million on average, as reported by <a href="https://retruster.com/blog/phishing-attack-true-cost.html">retruster.com</a>. Therefore, businesses should do everything in their power to prevent this from happening to their organizations.</p>
<p>&nbsp;</p>
<h2>Types of phishing attacks</h2>
<p>There are quite a few types of phishing attacks depending on the communication channel and method used for the attack, as well as on its target. In terms of communication channels, we can outline four main types of phishing attacks &#8211; email phishing, smishing, search engine phishing, and vishing. As reported by <a href="https://www.tessian.com/blog/phishing-statistics-2020/">Tessian</a>, the most popular of them is email phishing with 96% of all attacks belonging to this category. The other 3% and 1% of the attacks were delivered via malicious websites (search engine phishing) and via smartphones (smishing and vishing) respectively. This data is also supported by <a href="https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-state-of-the-phish-2021.pdf">Proofpoint’s research</a>, which found that in 2020, 66% of the surveyed organizations experienced targeted phishing attacks, 61% of businesses faced smishing attacks and 54% of the respondents say they were targeted by vishing attacks.</p>
<blockquote><p><em>“Email phishing occurs when cybercriminals impersonate a person or a business and send you an email with the goal of tricking you into clicking on a malicious link or downloading an infected attachment. Smishing and vishing are both different types of phishing, however, they are not used to target users via email. Vishing is referred to when cybercriminals call you on the phone pretending to be an employee from a well-known company, Microsoft for example, and request that you give them your personal details or payment information. When you receive a text message with malicious links, then you’ve been targeted by a smishing attack. The word is formed from the combination between “SMS” and “phishing”. Last, but not least, search engine phishing, or “SEO poisoning” as we sometimes call it, is when hackers create malicious websites and try to rank them on the first pages of legitimate search engines such as Google. Those websites could offer irresistible product deals intending to collect as many of the users’ card details as possible, or they could look like an exact copy of another website, again aiming to deceive the user into giving his or her personal information away.” </em>&#8211; explains Kunev.</p></blockquote>
<p>In terms of the target of the attack, there are two main types of phishing &#8211; whaling and spear phishing. They are both similar in the sense that they target specific groups of people. Spear phishing occurs when hackers strategically direct their malicious message towards a particular organization or a particular employee in a selected company. Whaling, on the other hand, refers to cybercriminals who target the CEOs or the “big fish” in a given organization.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-913 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-20.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-20.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-20-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-20-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>In his career as a cybersecurity expert, Todor Kunev has witnessed both whaling and spear phishing. According to him, those methods are particularly concerning because the messages they use are specifically crafted for the recipient (attack’s victim), which means the cybercriminals had to research their target.</p>
<blockquote><p><em>“Cybercriminals often research names and company roles of employees working in the targeted organization, they even go as far as stalking their social media profiles and browsing through their friends’ lists. The goal is to produce a highly targeted, highly personal message, which prompts the victim to reveal sensitive information (both personal or in relation to the business), make a bank transfer, or alter documents to the cybercriminal’s benefit.” </em>&#8211; says Kunev.</p></blockquote>
<p>Therefore, it is extremely difficult to recognize targeted phishing attacks such as spear phishing or whaling. In fact, <a href="https://securityboulevard.com/2020/12/staggering-phishing-statistics-in-2020/">97% of the users are unable to recognize a sophisticated phishing email</a>. However, if you’re not recognizing a problem, it doesn’t mean it’s not there.</p>
<p>&nbsp;</p>
<h2>Consequences of phishing attacks</h2>
<p>According to <a href="https://www.proofpoint.com/sites/default/files/threat-reports/pfpt-us-tr-state-of-the-phish-2021.pdf">Proofpoint’s research</a>, due to phishing attacks in 2020 businesses were left to deal with data loss (60% of the respondents), compromised accounts (52% of the respondents), ransomware infections (47% of the respondents), malware infections (29% of the respondents), and financial loss or fraud (18% of the respondents). The consequences of phishing attacks also include legal trouble, reputational damages, and intellectual property loss. This includes trade secrets, research findings, new developments, and other valuable data, which often cost the targeted organization years of work and thousands of dollars of research. However, according to Todor Kunev, one of the most dangerous aspects of phishing is the fact that businesses take too long to even notice they were attacked.</p>
<blockquote><p><em>“It’s not uncommon for cybercriminals to target a business partner of yours in order to access your data. When the phishing attack is successful they can easily get hold of your network, because you and your employees perceive the already infected partner as a trusted source. Once the attackers gain initial access to your network through a given endpoint (one of your employees’ computers, for example) they may impersonate a legitimate user and continue to move laterally through your network. This means that even if you detect the initial point of access, you may not even notice or know that the cybercriminal is going through your files and systems and mapping them out until they find something of interest.”</em> &#8211; shares Todor Kunev.</p></blockquote>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-912 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-21.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-21.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-21-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-21-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>According to <a href="https://www.fortinet.com/resources/cyberglossary/cybersecurity-statistics">fortinet.com</a>, it takes approximately 280 days to identify and contain an average cyberattack. In the meantime, businesses lose $2.9 million a minute due to cybercrime, as reported by <a href="https://www.riskiq.com/resources/infographic/evil-internet-minute-2019/">riskiq.com</a>. We don’t even want to do the math on this one.</p>
<p>&nbsp;</p>
<h2>How to spot a phishing attack?</h2>
<p>Phishing attacks can often be easy to spot because of poor spelling and grammar, or because of poorly created links, which can hint that the web pages they lead to are fabricated. Some of the key clues of a phishing attempt are:</p>
<ul>
<li>The message is informing you that you need to take immediate action concerning a given matter</li>
<li>The message is sent from a public email domain (simply @yahoo.com, for example, as opposed to @3cyber-sec.com)</li>
<li>The domain name is spelled incorrectly</li>
<li>The email contains grammatical, spelling, and/or punctuation mistakes</li>
<li>The email includes a suspicious link or attachment</li>
</ul>
<p>However, targeted phishing attacks such as spear phishing or whaling can be difficult to recognize. That is why it’s important to educate your employees about the warning signs and appropriate action plans in case they are targeted. Todor Kunev’s expert opinion is that <a href="https://3cyber-sec.com/staff-awareness/">staff awareness training</a> should be done as regularly as possible, and no more than 3 months apart:</p>
<blockquote><p><em>&#8220;In the digital transformation journey, our customers’ exposure change requires the implementation of robust security capabilities to mitigate risk-shift and enable the business’s vision. It is crucial for businesses to invest in staff cybersecurity awareness training because more often than not, your employee serves as the middleman between a cybercriminal and your organization. Your employees need to be able to recognize the warning signs and avoid opening suspicious emails.&#8221;</em> adds Kunev.</p></blockquote>
<p>If you don’t know how to organize staff cybersecurity awareness training, <a href="https://3cyber-sec.com/contact-us/">you can always contact us for advice</a>. 3Cyber-Sec’s team is composed of certified cybersecurity consultants, who can help you stay safe in the cyber world. We are determined to craft a tailored security solution for your specific needs.</p>
<p>The post <a href="https://3cyber-sec.com/2021/06/21/experts-talk-what-is-phishing-and-how-can-you-spot-it/">Experts’ Talk: What Is Phishing And How Can You Spot It?</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://3cyber-sec.com/2021/06/21/experts-talk-what-is-phishing-and-how-can-you-spot-it/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>One Of The Biggest Data Breaches Of The Century: Sina Weibo</title>
		<link>https://3cyber-sec.com/2021/06/21/one-of-the-biggest-data-breaches-of-the-century-sina-weibo/</link>
					<comments>https://3cyber-sec.com/2021/06/21/one-of-the-biggest-data-breaches-of-the-century-sina-weibo/#respond</comments>
		
		<dc:creator><![CDATA[Krisi]]></dc:creator>
		<pubDate>Mon, 21 Jun 2021 10:27:40 +0000</pubDate>
				<category><![CDATA[Cyberattacks To Remember]]></category>
		<guid isPermaLink="false">https://3cyber-sec.com/?p=904</guid>

					<description><![CDATA[<p>Whether it’s because they are immensely popular and have billions of active users, or because influential people can be easily reached and blackmailed through such platforms, hackers just love to delve into innovative cyberattack methods directed towards social media.</p>
<p>The post <a href="https://3cyber-sec.com/2021/06/21/one-of-the-biggest-data-breaches-of-the-century-sina-weibo/">One Of The Biggest Data Breaches Of The Century: Sina Weibo</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Social platforms are one of the evergreen targets for cybercriminals. Whether it’s because they are immensely popular and have billions of active users, or because influential people can be easily reached and blackmailed through such platforms, hackers just love to delve into innovative cyberattack methods directed towards social media. Facebook, Instagram, Twitter, LinkedIn, and other similar websites also provide the opportunity for paid advertising, which can often reach millions of people, thus offering a huge audience to the attacker. <a href="https://www.forbes.com/sites/davidthier/2020/07/05/hackers-are-spreading-trump-propaganda-through-roblox/?sh=5073d92a6aa7">There have been reported cases</a> in which attackers have even distributed political propaganda within social media and gaming applications. What we’re getting to is: social media was, is, and will continue to be a desirable field for cybercriminals for all sorts of reasons.</p>
<p>It is not a secret that cyberattacks often aim to cause data breaches. According to the <a href="https://pages.riskbasedsecurity.com/hubfs/Reports/2020/2020%20Q3%20Data%20Breach%20QuickView%20Report.pdf">RiskBasedSecurity report</a>, data breaches exposed 36 billion records in the first three quarters of 2020. And of course, we shouldn’t forget that social platforms also store massive amounts of sensitive data related both to the users and to the network itself. Furthermore, personal data was involved in 58% of last year’s breaches, as shared by <a href="https://www.varonis.com/blog/cybersecurity-statistics/">varonis.com</a>. Just a few months ago, a hacker who had exploited a vulnerable Facebook feature in 2019 leaked the personal data of more than 533 million Facebook users for free. As <a href="https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4">Business Insider shares</a>, the exposed data includes the personal information of users from 106 countries, including over 32 million in the US, 11 million in the UK, and 6 million in India. It includes their phone numbers, Facebook IDs, full names, locations, birthdates, bios, and, in some cases, email addresses.</p>
<p>So we shouldn’t be surprised that one of the biggest data breaches of the century was extremely similar to Facebook’s sensitive data leak. It targeted the Chinese microblogging website Sina Weibo, which is often referred to as the Chinese Twitter.</p>
<p>&nbsp;</p>
<h2>The Sina Weibo Data Breach</h2>
<p>At the end of March 2020, Wei Xingguo, the former security chief of Alibaba, announced via a Weibo post that the personal data of more than 538 million of the Twitter-like platform’s users, including his own, had been compromised and leaked online. The breach included details such as real names, usernames, user IDs, number of Weibo tweets, number of followers and accounts users are following, gender, and geographic location. Fortunately, no passwords were leaked. However, this does not mean that the exposed information could not lead to scams, fraud, and other types of impersonation attempts.</p>
<p>To make things worse, the sensitive information of 172 million of all compromised user accounts was sold on the dark web for as little as 1,799 Chinese Yuan or approximately 250 U.S. dollars, as <a href="https://securityboulevard.com/2020/03/stolen-data-of-538-million-weibo-users-for-sale-on-the-dark-market/">Security Boulevard</a> shares. It isn’t hard to believe that the incident resulted in negative public outbursts and was covered by a number of Chinese and international media.</p>
<p>&nbsp;</p>
<h2>Sina Weibo’s Official Statement</h2>
<p>On the 21st of March last year, Sina Weibo posted an <a href="https://weibo.com/2735327001/IzCMJioqC?type=comment">official statement</a> regarding the breach. The company acknowledged the incident as a severe one and expressed its belief that the breach was the result of a so-called dictionary attack. A dictionary attack is a form of brute-force attack which aims to guess a password or another security code by trying thousands or millions of likely possibilities, for example previously used passwords or lists of key phrases, which are usually obtained from past security breaches.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-906 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-18.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-18.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-18-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-18-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>Sina Weibo claimed that back in 2011 the company introduced a special service that enabled users to look for other Weibo accounts by matching them to the list of their smartphone contacts. However, the company clarified that users could only learn the account name associated with a given number. In the same statement, Weibo assured users that their passwords are protected with one-way encryption and are not stored as plain text. The company warned users that although their passwords are safely stored, their Weibo accounts could still be stolen if the same password is used on multiple platforms and websites.</p>
<p>Additionally, according to <a href="https://www.itproportal.com/news/data-of-over-500m-weibo-users-for-sale-on-the-web/">IT Pro Portal</a>, Sina Weibo stated its engineers had identified certain accounts that tried to upload large batches of contacts in late 2018 in order to match them with phone numbers held in the database. It’s interesting that the attack allegedly occurred in 2018, but it was either not noticed for a couple of years, or the information about it was simply silenced. Furthermore, Sina Weibo’s statement is not particularly convincing, because it contains contradictory points. The company claims that passwords were not leaked, yet implies that the attack was initiated because hackers were able to obtain users’ passwords and thus gained access to the leaked information (usernames, gender, location, etc.). As <a href="https://tesonet.com/cybersecurity/a-cautionary-tale-the-biggest-data-breaches-of-the-century/">tesonet.com</a> shares, Chinese security experts also detected technical irregularities with the company’s claims. A definite conclusion hasn’t been reached yet and the question of how the data was obtained is still up for debate.</p>
<p>Weibo’s Director of Information Security Luo Shiyao also commented on the attack, downplaying it, as cited by <a href="https://securityaffairs.co/wordpress/100243/data-breach/weibo-data-dark-web.html">Security Affairs</a>:</p>
<blockquote><p><em>“Phone numbers were leaked due to brute-force matching in 2019 and other personal information was crawled on the Internet. When we found the security vulnerability we took measures to fix it. We also reported to the police as soon as possible and submitted related information to them. Besides, we have been investigating the ‘gray industry’ because we take user personal information very seriously, especially when the personal data contains phone numbers. Don’t be credulous. Both password fields and Know Your Customer (KYC) data fields are not shown in the description. Don’t worry too much. Good night.”</em></p></blockquote>
<p>&nbsp;</p>
<h2>The Consequences of Sina Weibo Data Breach</h2>
<p>Soon after the breach was announced, China&#8217;s information technology regulator summoned Sina Weibo for a face-to-face meeting over the leak. The Twitter-like platform was obliged to enhance its internal data security management and eliminate further risks. As <a href="https://www.yicaiglobal.com/news/china-it-ministry-takes-sina-weibo-to-task-over-538-million-user-data-leak">yicaiglobal.com</a> shares, the Chinese Ministry of Industry and Information Technology issued a press release which confirmed that Sina Weibo had taken action in response to the information breach, such as updating its interface security strategy. However, there is no official information about whether Sina Weibo was fined because of the breach or not. As <a href="https://www.varonis.com/blog/cybersecurity-statistics/">varonis.com</a> shares, the average cost of a data breach was $3.86 million as of 2020.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-905 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-19.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-19.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-19-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-19-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>Even if the company hasn’t been fined yet, it did suffer reputational damage, which resulted in a decrease in Sina Weibo users. As reported by <a href="https://www.chinainternetwatch.com/statistics/weibo-mau/">China Internet Watch</a>, the number of users is now 4% lower than in the same period last year. The average daily users also suffered a 5% year-over-year decrease.</p>
<p>&nbsp;</p>
<h2>Stay Safe</h2>
<p>While your organization may be protected against cybercriminals, the third-party websites you use may still pose risks for you and for your company. Cyberattacks on social media can compromise your company’s data if you have created an account for your business. However, you shouldn’t let fear stop you from growing and expanding your organization.</p>
<p>Stay safe by having a thorough cybersecurity program with clear response plans in place. If you need help with keeping your organization safe in the cyber world, don’t hesitate to <a href="https://3cyber-sec.com/contact-us/">contact us</a>. 3Cyber-Sec is a boutique cybersecurity consultant that protects its clients from cyberthreats by crafting tailored security solutions. We use a unique collaborative approach to guide our clients throughout their cyber journeys safely.</p>
<p>&nbsp;</p>
<p>The post <a href="https://3cyber-sec.com/2021/06/21/one-of-the-biggest-data-breaches-of-the-century-sina-weibo/">One Of The Biggest Data Breaches Of The Century: Sina Weibo</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://3cyber-sec.com/2021/06/21/one-of-the-biggest-data-breaches-of-the-century-sina-weibo/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The 5 Biggest Cyberthreats To Financial Institutions</title>
		<link>https://3cyber-sec.com/2021/06/21/the-5-biggest-cyber-threats-to-financial-institutions/</link>
					<comments>https://3cyber-sec.com/2021/06/21/the-5-biggest-cyber-threats-to-financial-institutions/#respond</comments>
		
		<dc:creator><![CDATA[Krisi]]></dc:creator>
		<pubDate>Mon, 21 Jun 2021 10:26:17 +0000</pubDate>
				<category><![CDATA[Industry-specific Advice]]></category>
		<guid isPermaLink="false">https://3cyber-sec.com/?p=895</guid>

					<description><![CDATA[<p>While there are many methods through which a cyberattack can be performed, some of them are more popular when it comes to hacking banks and financial institutions. Read our article to find out which they are.</p>
<p>The post <a href="https://3cyber-sec.com/2021/06/21/the-5-biggest-cyber-threats-to-financial-institutions/">The 5 Biggest Cyberthreats To Financial Institutions</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>While all businesses should constantly improve their cybersecurity programs, cybercriminals tend to target financial institutions the most. The simple reason for that lies in the fact that they handle a lot of sensitive data such as clients’ names, contact information, social security numbers, information about their financial statuses, and last but not least, they hold clients’ money! What’s more important is that banks are not what they used to be two decades ago, when people had to go in each time they needed to make a transfer or draw money out. Nowadays, consumers can do pretty much everything with a mouse click. We don’t have to carry cash, we don’t even have to carry credit cards anymore &#8211; to pay for our groceries, we simply need a smart device such as a mobile phone, a tablet, or even a smartwatch.</p>
<p>In January 2021 alone there were three major cyberattacks directed towards financial institutions, as reported by <a href="https://carnegieendowment.org/specialprojects/protectingfinancialstability/timeline">carnegieendowment.org</a>. It’s important to note that there are big names such as PayPal, American Express, and The Reserve Bank of New Zealand amongst the targeted organizations. Cyberattacks typically aim to steal money or information or disrupt the operations of a financial institution. This includes attacks on the financial institution itself, its customers or members, or its service providers.</p>
<p>&nbsp;</p>
<h2>Top 5 Cyberthreats Financial Institutions Face</h2>
<p>While there are many methods through which a cyberattack can be performed, some of them are more popular when it comes to hacking banks and financial institutions. Keep reading to find out which they are.</p>
<h3>1. Malware</h3>
<p>By definition, malware is any software that is intentionally designed to damage or destroy computer systems, servers, clients, and computer networks. Your organization can get infected with malware through email attachments, flash drives or external hard drives, infected end-user devices such as smartphones or tablets, or downloads from malicious or compromised websites. As <a href="https://purplesec.us/resources/cyber-security-statistics/">purplesec.us</a> shares, 90% of financial institutions reported being targeted by malware in 2018 and companies spent an average of $2.4 million in defense against such malicious software.</p>
<h3>2. Ransomware</h3>
<p>Ransomware attacks are similar to malware attacks because they are also executed with the help of malicious software. The difference, however, is that with ransomware, the malware usually encrypts the files on your device and hackers demand a ransom in order to decrypt the files and restore the device to its functional state. According to <a href="https://safeatlast.co/blog/ransomware-statistics/#gref">safeatlast.co</a>, there’s a 19-day downtime following a ransomware attack, and businesses are blackmailed to pay a ransom of $233,217 on average. Furthermore, it is predicted that the global cost associated with ransomware recovery will exceed $20 billion in 2021.</p>
<h3>3. Cyberattack through third-party vendors</h3>
<p>When working with third-party vendors, banks and financial institutions are often put at risk of cyberattacks. Even if a given financial institution has taken measures to establish solid cybersecurity controls and action plans, its partners could be vulnerable to attacks. This may lead to the contamination of the bank itself. Naturally, data breaches may follow, which could result in millions of dollars in expenses. In fact, <a href="https://www.forbes.com/sites/forbestechcouncil/2021/02/11/understanding-the-third-party-impact-on-cybersecurity-risk/?sh=4c160d157089">one of the largest data breach settlements in history ($18.5 million)</a> was paid by Target after cybercriminals managed to exploit third-party access and exfiltrated payment information, which impacted more than 41 million customers.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-900 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-16.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-16.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-16-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-16-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<h3>4. DDoS attack</h3>
<p>Attacks that disrupt a website&#8217;s operation and block the users from accessing the site are called DDoS (distributed denial-of-service) attacks. In essence, the cybercriminal uses botnets (networks of Internet-connected devices, usually built from infected user systems) to drastically increase the traffic towards the victim’s website. As a result, authentic users can’t get through as the servers overload. As <a href="https://gomindsight.com/insights/blog/7-cyber-security-threats-to-financial-services/">gomindsight.com</a> shares, 1/3 of network downtime incidents are attributed to DDoS attacks, costing businesses financial losses and reputation damages. Often, DDoS attacks are used as a distraction while another cyberattack takes place simultaneously.</p>
<h3>5. In-house threats</h3>
<p><a href="https://hbr.org/2016/09/the-biggest-cybersecurity-threats-are-inside-your-company">Harvard Business Review</a> shared IBM’s report findings that 60% of cyberattacks were carried out by insiders. Moreover, the same security research also found that the financial industry is amongst the top three most targeted sectors. Whether through human errors or carefully calculated actions, employees can contribute towards your company being hacked. Therefore, it’s important to conduct <a href="https://3cyber-sec.com/staff-awareness/">regular security awareness training</a>.</p>
<p>It’s crucial for financial organizations to take the necessary steps to avoid such attacks and mitigate their consequences. To further ensure the safety of financial institutions and to protect sensitive data, governments and organizations came up with a number of compulsory regulations, with which financial institutions must comply.</p>
<p>&nbsp;</p>
<h2>Essential Cybersecurity Regulations for Financial Institutions</h2>
<p>The financial industry is amongst the most strictly regulated ones. There are many regulations that are specific to each country, but there are also global requirements that banks and other organizations in the financial industry must adhere to. Three major ones are PCI DSS, ISO/IEC 27001, and SWIFT CSP.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-967 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/06/financial-cybersecurity-regulations.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/06/financial-cybersecurity-regulations.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/06/financial-cybersecurity-regulations-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/06/financial-cybersecurity-regulations-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p><strong>PCI DSS</strong> stands for <a href="https://3cyber-sec.com/pci-dss-compliance/">Payment Card Industry Data Security Standard</a>. This standard specifies requirements for the processing, storage, and transfer of payment card data. These standards apply to organizations, institutions, merchants, and payment solution providers. The PCI DSS aims to prevent credit card fraud and further strengthen the security of cardholder data. It’s important to note that financial organizations will be fined if they fail to comply with this regulation. According to <a href="https://www.centurybizsolutions.net/pci-compliance/is-pci-compliance-mandatory/#:~:text=If%20a%20data%20breach%20occurs,ranging%20between%20%245%2C000%20and%20%24500%2C000.&amp;text=If%20you're%20not%20PCI%20compliant%2C%20you%20run%20the%20risk,credit%20card%20payments%20at%20all.">centurybizsolutions.net</a>, the penalties can vary between $5,000 and $500,000.</p>
<p>The <strong>ISO/IEC 27001</strong> is part of the larger array of ISO/IEC 27000 security standards. The abbreviation stands for <a href="https://3cyber-sec.com/iso-27001-certification/">International Organization for Standardization / International Electrotechnical Commission</a>. Information security management systems (ISMS) should be created and operated in accordance with this standard. Its main purpose is to set guidelines for best practices in order to prevent and protect sensitive data. If your organization complies with ISO/IEC 27001 this will secure its services and give you a competitive advantage. If, however, you fail to comply, you may still apply for a reassessment, but this can cost you as much as 60% of the original assessment, depending on your level of non-compliance, as shared by <a href="https://www.standardfusion.com/blog/the-cost-of-a-failed-iso-audit/">standardfusion.com</a>.</p>
<p>Every organization which uses SWIFT (Society for Worldwide Interbank Financial Telecommunication) services must comply with the <a href="https://3cyber-sec.com/swift-security-program/"><strong>SWIFT CSP</strong></a>. CSP stands for Customer Security Program. Its goal is to outline requirements for the protection of data, managing access, and responding to incidents. SWIFT routinely inspects its members to ensure that they maintain adequate cybersecurity controls. If the inspections outline non-compliant organizations, SWIFT notifies industry regulators such as the UK&#8217;s Financial Conduct Authority.</p>
<p>Those are the three compulsory global cybersecurity standards for financial organizations. There are also local laws and guidelines which need to be considered by businesses operating in the financial sector. It’s crucial to take measures and ensure that your business is compliant with the cybersecurity frameworks, especially if you work with sensitive data. Otherwise, you risk becoming a target for a cyberattack.</p>
<p>&nbsp;</p>
<h2>Take measures before it’s too late</h2>
<p>As we become increasingly dependent on technology and as new FinTech inventions become widely popular in people’s day-to-day life, cybercrime is only going to continue to thrive. Therefore, it’s important to take the necessary measures and protect your organization, especially if it operates in the financial industry.</p>
<p>If you’re not sure how you can achieve that, feel free to <a href="https://3cyber-sec.com/contact-us/">contact us</a>. 3Cyber-Sec is always ready to help you stay safe in the cyberworld. We are a team of highly experienced, certified professional cybersecurity consultants. Our approach is one of collaboration, with a clear focus on understanding the specific challenges and risks faced by each client. We’ll be happy to hear from you and craft a tailored solution for your organization’s cybersecurity.</p>
<p>The post <a href="https://3cyber-sec.com/2021/06/21/the-5-biggest-cyber-threats-to-financial-institutions/">The 5 Biggest Cyberthreats To Financial Institutions</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://3cyber-sec.com/2021/06/21/the-5-biggest-cyber-threats-to-financial-institutions/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>What Is vCISO And Why Do You Need To Hire One?</title>
		<link>https://3cyber-sec.com/2021/06/21/what-is-vciso-and-why-do-you-need-to-hire-one/</link>
					<comments>https://3cyber-sec.com/2021/06/21/what-is-vciso-and-why-do-you-need-to-hire-one/#respond</comments>
		
		<dc:creator><![CDATA[Krisi]]></dc:creator>
		<pubDate>Mon, 21 Jun 2021 10:23:45 +0000</pubDate>
				<category><![CDATA[Cybersecurity Explained]]></category>
		<guid isPermaLink="false">https://3cyber-sec.com/?p=881</guid>

					<description><![CDATA[<p>Put into simple words vCISO is an abbreviation that stands for a virtual chief information security officer. As the job title suggests, vCISOs protect organizations against cyberattacks by constructing and implementing security programs specifically tailored to suit the needs of a given company.</p>
<p>The post <a href="https://3cyber-sec.com/2021/06/21/what-is-vciso-and-why-do-you-need-to-hire-one/">What Is vCISO And Why Do You Need To Hire One?</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>If there is one thing we’ve learned over the past few years it is that technology, the Internet, and businesses go hand in hand in today’s world. This became even more obvious when the global crisis struck and everyone had to either go online or go bankrupt. The new normal, however, created new risks and threats, which need to be noticed, addressed, and managed.</p>
<p>Nowadays, pretty much every organization handles sensitive information, connected both to the business itself, as well as to its clients. Whether companies realize the importance of protecting sensitive data, however, is a whole different story. Unfortunately, professional negligence does not go unnoticed by cybercriminals as we witness daily cyberattacks and security breaches. <a href="https://www.forbes.com/sites/chuckbrooks/2021/03/02/alarming-cybersecurity-stats-------what-you-need-to-know-for-2021/?sh=7eb266e858d3">As Forbes shares</a>, Google alone has detected 2,145,013 phishing sites as of Jan 17, 2021, which is a 27% increase compared to the same period last year when the registered phishing websites were 1,690,000. The financial losses associated with cyberattacks are often colossal, but what’s more important is that the reputation of the hacked organization also suffers immensely.</p>
<p>The good news is that businesses are not doomed to live in constant fear of being compromised. There is a solution to this problem &#8211; organizations need to construct a solid security architecture in order to protect their clients and employees against cyberthreats. You can achieve that by hiring a vCISO.</p>
<p>&nbsp;</p>
<h2>What is a vCISO?</h2>
<p>Put into simple words vCISO is an abbreviation that stands for a virtual chief information security officer. As the job title suggests, vCISOs protect organizations against cyberattacks by constructing and implementing security programs specifically tailored to suit the needs of a given company.</p>
<p>In order to keep your company protected against cyberattacks, a virtual security officer will first identify potential threats and security flaws for your business in order to determine the risks. They will then develop and manage your cybersecurity program, revise and build security policies and frameworks, outline incident response processes and guidelines, and continuously monitor and report meaningful Key Performance Indicators (KPIs) to the stakeholders. By doing this, Cyber Risk Management is transformed into a Business-as-Usual process in every organization. Furthermore, vCISOs can help you comply with key industry-specific regulations and requirements such as PCI, HIPAA, ISO, and many more.</p>
<p>Overall, you should perceive your vCISO as a trusted expert who is always there for you and your organization and whose primary goal is to guide, advise and safely lead you throughout your cyber journey. Although CISO (chief information security officer) and vCISO can be extremely similar in terms of their professional tasks (and titles for that matter), there are a few drastic differences between the two.</p>
<p>&nbsp;</p>
<h2>vCISO vs. CISO</h2>
<p>Hiring a vCISO and hiring a CISO can turn out to be two distinctly different experiences for your company. The latter means delegating your cybersecurity needs to an in-house professional, who is your employee and works solely for your company. On the flip side, virtual chief information security officers often manage the cybersecurity needs of more than one organization by implementing a risk-focused approach and remaining result-oriented. The fact that vCISOs work with many organizations simultaneously, however, does not mean that they are less invested in protecting your company against attacks. On the contrary, vCISOs can turn out to be more competent and experienced than their in-house colleagues, simply because they have had the chance to work for businesses operating in diverse industries and requiring varied security demands.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-883 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-14.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-14.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-14-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-14-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>Nowadays, the pandemic has forced companies to build their online presence, and many of them have never set foot in the digital world before. Furthermore, we’ve seen a rapid increase in the number of regulations and requirements concerning the protection of vulnerable data. As a result, cybersecurity experts have also seen an increase in their workload, which means that finding skilled professionals with experience in your specific business area is not a particularly easy task. It may take a long time before you finally come across a good match for your company. Not to mention that you may end up in a sticky situation even before you’ve found “the one”, and you should try to avoid that at all costs!</p>
<p>Therefore, many organizations prefer outsourcing their cybersecurity needs to consultancy companies, which offer vCISO as a service.</p>
<h2>Why do you need to hire a vCISO?</h2>
<p>If you’re not sure why you might need to protect your company’s sensitive information from cybercriminals, then the next paragraphs should give you all the answers.</p>
<p>First and foremost, we have to warn you: don’t wait until the ship has sailed to protect your organization. It’s important to point out that the costs of recovering from a cyberattack can often be much higher than those of taking measures to prevent it. <a href="https://cybersecurityventures.com/top-5-cybersecurity-facts-figures-predictions-and-statistics-for-2021-to-2025/">According to cybersecurityventures.com</a>, cybercrime is predicted to inflict damages totaling $6 trillion USD globally in 2021, while <a href="https://www.statista.com/statistics/991304/worldwide-cybersecurity-spending/#:~:text=Global%20cybersecurity%20spending%202017%2D2021%20(COVID%2D19%20adjusted)&amp;text=In%202019%2C%20spending%20in%20the,(COVID%2D19)%20impact.">Statista predicts</a> that this year the global spending on cybersecurity products and services will reach 54 billion USD. Therefore, it becomes obvious that recovering from a cyberattack can lighten your wallet much more than dedicating a budget for cybersecurity before it’s too late.</p>
<p>Furthermore, businesses that operate in certain industries, such as financial, insurance, and healthcare, are required to comply with a number of regulations, some of which obligate them to employ third-party cybersecurity experts. Additionally, with <a href="https://www.insurancejournal.com/news/international/2021/04/19/610514.htm">the continuous rise of cyberattacks</a>, it is believed that the regulatory landscape will change. <a href="https://securityboulevard.com/2020/12/2021-predictions-cyber-risk-global-attacks-and-regulatory-change/">As securityboulevard.com shares</a>, we shouldn’t be surprised if stricter regulations with heavier fines and shorter implementation times arise in the near future.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-885 size-full" src="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-15.png" alt="" width="1200" height="600" srcset="https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-15.png 1200w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-15-980x490.png 980w, https://3cyber-sec.com/wp-content/uploads/2021/06/3Cyber-Sec-blog-image-1200-x-600-15-480x240.png 480w" sizes="auto, (min-width: 0px) and (max-width: 480px) 480px, (min-width: 481px) and (max-width: 980px) 980px, (min-width: 981px) 1200px, 100vw" /></p>
<p>The fact that detecting breaches and dealing with them are not easy tasks is yet another reason to utilize a trusted partner in your cybersecurity initiatives. While <a href="https://cybersecurityventures.com/hackerpocalypse-cybercrime-report-2016/#:~:text=The%20latest%20forecast%20is%20for,every%2040%20seconds%20in%202016.">cyberattacks occur every 11 seconds</a>, some companies take as long as 6 weeks to detect that their data has been compromised, <a href="https://www.cybintsolutions.com/cyber-security-facts-stats/">as reported by cybintsolutions.com</a>. This is also true of big companies such as Facebook. On top of that, over 77% of organizations do not have a cybersecurity incident response plan, which means that even if they recognize a cyberattack in action, they would not know what steps to take in order to resolve the situation successfully.</p>
<h2>Is your organization protected?</h2>
<p>Keep in mind that the vCISO you decide to trust should be able to give answers to reasonable questions, such as:</p>
<ul>
<li>Is my business protected?</li>
<li>What are the cyberattack risks my organization faces?</li>
<li>How badly could my business be affected and how big could the costs be?</li>
<li>Which regulatory requirements do I need to comply with and why?</li>
<li>What do we need to do in the short and mid-term to mitigate the risk?</li>
<li>How much will the cyber protection measures cost me?</li>
<li>Which are the essential cybersecurity KPIs that we need to monitor if we want to be confident in our protection measures?</li>
</ul>
<p>Now that our article is coming to an end, we hope you have a clearer idea of why hiring a vCISO can turn out to be one of the most important decisions you’ve ever made. Not only can it save you money to invest in growing your business further, but it will also give you peace of mind (and we know that’s priceless).</p>
<p>To learn more about vCISO as a service, <a href="https://3cyber-sec.com/virtual-ciso/">click here</a>. Additionally, if you have any further questions about this service or cybersecurity as a whole, <a href="https://3cyber-sec.com/contact-us/">don’t hesitate to reach out and contact us</a>. 3Cyber-Sec is always ready to help you and give you advice on how to protect your organization’s sensitive data. As a boutique cybersecurity consultancy, we value each of our clients and strive to answer their individual needs with tailored security solutions.</p>
<p>The post <a href="https://3cyber-sec.com/2021/06/21/what-is-vciso-and-why-do-you-need-to-hire-one/">What Is vCISO And Why Do You Need To Hire One?</a> appeared first on <a href="https://3cyber-sec.com">3Cyber-Sec</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://3cyber-sec.com/2021/06/21/what-is-vciso-and-why-do-you-need-to-hire-one/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
	</channel>
</rss>
