Security

The singer Meat Loaf (real name Marvin Lee Aday) had a song once called Two Out of Three Ain’t Bad. Well, in this case, it is.  According to a new study, many companies haven’t updated their data breach plans since developing them, report a lack of adequate employee training on data protection, and still haven’t figured out how to guard cloud services and mobile devices.

As reported by Legaltech^® News (Two Out of Three Companies Haven’t Reviewed Their Breach Preparedness Plans, Study Says, written by Sue Reisinger), a study of global companies also found that just over half of professionals believed their C-suite executives knew the company’s plan to deal with a breach.  The “Seventh Annual Study: Is Your Company Ready for a Big Data Breach?” was sponsored by Experian Data Breach Resolution and conducted by Ponemon Institute.

“I was surprised that two out of three respondents said they haven’t reviewed or updated their data breach preparedness plans,” said Michael Bruemmer, vice president of data breach resolution and consumer protection at Experian. “Preparedness plans can’t be a binder on a shelf that are not active and fluid plans. They should be reviewed and updated at least on a yearly basis.”

Bruemmer said a main takeaway from the report for general counsel is that “their clients are not preparing enough by practicing [data breach drills] and updating their response plans. They should work with clients to ensure this piece is a well-oiled machine.”

The study showed that 55% of respondents believed their C-suite executives knew the company’s plan to deal with a breach, but Bruemmer said the number should be higher. He recommended that general counsel make sure the CEO and C-suite “are knowledgeable and prepared for a data breach response. We have witnessed many leaders ill-equipped to handle the consumer response after a data breach.”

Here are some other notable study findings:

• About 36% of respondents reported their organization had a ransomware attack last year with only 20% feeling confident in their ability to deal with it. The average ransom was $6,128 and 68% of respondents say it was paid.
• Spear phishing attacks are pervasive, with 69% of respondents reporting one or more attacks and 67% saying the negative consequences of these attacks were very significant. Bruemmer called these threats “rudimentary at this point, and … a strong employee training program against these attacks [is] a must.”
• Some 68% of respondents said their company has put more resources toward security technologies to detect and respond quickly to a breach. Still data breaches are increasing, with significantly more organizations reporting data breaches than ever before. “Consequently, confidence levels among executives to thwart spear phishing and other common attacks have declined,” according to the report.
• More organizations at 54% report they have a high ability to comply with the European Union’s General Data Protection Regulation, compared with only 36% a year ago.

You can download a copy of the study from the Experian web site here.

So, what do you think?  Are you surprised by any of these findings?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Image Copyright © Page Six

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

The FBI’s Internet Crime Complaint Center (IC3) reported that it received over 460,000 internet and cyber-crime complaints in 2019, which the agency estimates caused losses of more than $3.5 billion, the bureau wrote in its yearly internet crime report released earlier this month.  And, about half of that is due to BEC (Business Email Compromise), aka EAC (Email Account Compromise) crimes, which are sophisticated scams targeting businesses and individuals performing wire transfer payments.

This was reported by ZDNet (FBI: BEC scams accounted for half of the cyber-crime losses in 2019, written by Catalin Cimpanu – hat tip to Sharon Nelson of the excellent Ride the Lightning blog).

“At its heart, BEC relies on the oldest trick in the con artist’s handbook: deception,” the FBI said back in 2017, when it started receiving an increased number of BEC scams reports.

A typical BEC scam happens after hackers either compromise or spoof an email account for a legitimate person/company. They use this email account to send fake invoices or business contractors. These are sent to employees in the same company, or upstream/downstream business partners.

The idea is to trick counterparts into wiring money into the wrong bank accounts.

BEC scams are popular because they’re (1) dead simple to execute, and (2) don’t require advanced coding skills or complex malware.  And, they pay BIG.  There were only 23,775 BEC victims last year, but they accounted for over $1.77 billion in losses for victims, which is an average of $75,000 per complaint.  Wow.  Here’s a breakdown of the loss amounts and victim counts by crime type over last year – as you can see, BEC crimes are almost four times as large as any other by total loss amount, but only sixth in total number of victims:

I wrote (almost to the day, no less) about an email I received last year that I suspect was a BEC scam that appeared to be from CloudNine’s co-founder Brad Jenkins.  But I could tell that it wasn’t because it was identified as an external email.  At CloudNine, we mark any emails coming from an external source to identify them as an external email, which is inserted into the received email to help recipients differentiate between real and fake CloudNine emails.  It’s easy to set up and an effective way to flush out those BEC scam emails.

BTW, the map at the top shows the number of complaints by state and, as you can see, California was the only state with over 30,000 complaints (while Florida, Texas and New York had between 20,000 and 30,000).  But the map is a bit deceiving in this respect – California had 50,132 complaints last year, nearly double that of the next highest states (Florida and Texas, which tied at 27,178 complaints).  Ouch.

So, what do you think?  Do you know someone who has been victimized by a BEC scam?  Please share any comments you might have or if you’d like to know more about a particular topic.

Images Courtesy of 2019 FBI Internet Crime Report

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Have I mentioned lately how much I love an infographic?  Well, I do. And this latest infographic that I have come across – from a Facebook friend who is also a colleague nonetheless – is a great one to note when considering your own passwords.

As you can see from the infographic above, the size and composition of your password could dramatically affect how long it takes to crack the password.  For example:

• If you have a password that is numbers only, a password that is as much as eight numbers (that’s nearly 100 million number combinations) can still be cracked instantly;
• Even if that number only password is 14 numbers (that’s nearly 100 trillion number combinations), it only takes four days to crack a password even that size;
• Want to use all upper and lower case letters instead? That will help somewhat, but a five-letter password can still be cracked instantly;
• And a nine-letter password will still only take 4 days to crack;
• Want to mix numbers and upper and lower case letters? You’d better use more than seven characters or it will take no more than 3 hours to crack your password;
• Even with eight characters, it could still take as few as ten days;
• If you add in symbols, then a seven character password could still take less than a day;
• But, if you add an eighth character, that pushes the time up to 57 days. Add a ninth character? That pushes the time up to 12 years;
• But, notably, size does matter – when it comes to passwords and other things. ;o)  An 18 number password still takes 126 years to crack, an 18 letter password takes a trillion years, an 18 number and letter password takes 374 trillion years and an 18 number, letter and symbol password takes 1 quintillion years!

Ain’t nobody got time for that!

Interesting!  Of course, that’s one school of thought – here’s another, straight from the man who originally wrote password advice for the National Institute of Standards and Technology (NIST) and ultimately decided that advice was wrong.  And, here’s a case from last year involving a criminal defendant who used a 64-character password to protect his device!

As I mentioned, I got this infographic from a Facebook friend – Michael Potters, who is also the CEO and Managing Partner of the Glenmont Group.  It may be available in other places (not sure where it started), but I got it from Michael, so hat tip to him for the info!

So, what do you think?  Does this change your thinking about password creation?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Care to hazard a guess?  Ten?  Twenty?  More?  Try TWO.  Maryland is currently considering a bill to become only the third state after Michigan and Wyoming, to criminalize the possession and distribution of ransomware.

As noted by Bitdefender’s Hot for Security blog (with hat tip to Sharon Nelson’s Ride the Lightning blog), the bill understandably makes exceptions for penetration testing, security researchers, and other legitimate reasons to own ransomware.

Certainly a motivating factor may have occurred when hackers hit Baltimore, Maryland’s largest city, with a RobbinHood ransomware attack on May 7, 2019. All administrative transactions, payments and communications were frozen after city officials refused to pay the attackers. It took them more than eight weeks to restore all systems.  Following the attack, Baltimore City’s board allocated $10 million to an emergency ransomware response to prevent similar attacks. When the dust settled, the city estimated recovery costs at $18 million.

The current law in Maryland specifies that a cyberattack that incurs damages of less than $10,000 is a misdemeanor and carries a punishment of up to five years in prison and a fine up to $10,000. If the damages pass the $10,000 mark, it turns into a felony, and the punishment goes up to 10 years in prison.  The bill would dispense with limits for damages and raises the punishment to up to 10 years, even if it’s a misdemeanor.

This while the Insurance Journal reported (via Reuters – hat tip again to Ride the Lightning) last week that U.S. insurers are ramping up cyber-insurance rates by as much as 25% and trying to curb exposure to vulnerable customers after a surge of costly claims.  While there were 6% fewer ransomware incidents in 2019 versus the prior year (according to Malwarebytes), the average ransom of $41,198 during the 2019 third quarter more than tripled from the first quarter, according to Coveware, which helps negotiate and facilitate the payments.

By the way, if you remember our post from a couple of weeks ago regarding Apple and Attorney General William Barr’s claim that they weren’t helping to crack into password-protected iPhones used by Pensacola Navy base shooter Mohammed Saeed Alshamrani (Apple, for their part, disputed Barr’s assessment that it failed to provide “substantive assistance”), Naked Security reported that Apple, under pressure from the FBI, backed off plans to let iPhones users have end-to-end encryption on their iCloud backups.  Where did I find that out?  You guessed it – Ride the Lightning (via Sharon’s post here).  It’s the RTL trifecta!  :o)

Just a reminder, CloudNine will be once again exhibiting next week at Legaltech, at booth 3000 in America’s Hall 2.  And, we’re once again excited to be co-sponsoring the annual #DrinkswithDougandMary cocktail reception with Mary Mack, Kaylee Walstad and the rest of the EDRM team!  This is our fourth year and we’re grateful to Marc Zamsky and Compliance Discovery for co-sponsoring as well.  It will once again be at Ruth’s Chris Steak house and will happen Wednesday, February 5 from 4-6pm.  You can register to attend here.  And, as I told you on Wednesday, we will be conducting another NineForum education series of TED-talk discussions from our booth, so please check that out as well!

So, what do you think?  Are you surprised that there are only TWO states that criminalize ransomware?  Seriously, TWO?!?  Please share any comments you might have or if you’d like to know more about a particular topic.

Ransom Image Copyright © Touchstone Pictures

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

In Friday’s post about Norton Rose Fulbright’s 2019 Litigation Trends Annual Survey, one of the most notable trends was that 44 percent of corporate respondents identified Cybersecurity/data privacy as the most likely new source of dispute for their business on the horizon, which was more than four times the next likely sources.  Cybersecurity is also a big challenge for municipalities as we saw on Friday.

According to Forbes (New Orleans Declares State Of Emergency Following Cyber Attack, written by Davey Winder), the City of New Orleans suffered a cybersecurity attack last Friday serious enough for Mayor LaToya Cantrell to declare a state of emergency.

The attack started at 5 a.m. CST on Friday, according to the City of New Orleans’ emergency preparedness campaign, NOLA Ready, managed by the Office of Homeland Security and Emergency Preparedness. NOLA Ready tweeted that “suspicious activity was detected on the City’s network,” and as investigations progressed, “activity indicating a cybersecurity incident was detected around 11 a.m.” As a precautionary measure, the NOLA tweet confirmed, the city’s IT department gave the order for all employees to power down computers and disconnect from Wi-Fi. All city servers were also powered down, and employees told to unplug any of their devices.

During a press conference, Mayor Cantrell confirmed that this was a ransomware attack. A declaration of a state of emergency was filed with the Civil District Court in connection with the incident.

NOLA Ready said that emergency communications had not been affected. Although the “Real-Time Crime Center” had been powered down, public safety cameras were still recording, and incident footage would be available if needed. The police and fire departments continued to operate as usual, and the ability to respond to 911 calls was not impacted.

The ransomware attack that has hit New Orleans follows another that targeted the state of Louisiana in November. Louisiana school district computers were also taken offline, and a state of emergency declared, in response to a ransomware attack in July. It isn’t yet known if the two were connected. However, in August, 23 government agencies were taken offline by a cyber-attack on the State of Texas. Which suggests that U.S. municipalities are firmly in the crosshairs of ransomware threat actors.

Gee, you think?  Apparently, any business is in the crosshairs these days, if they have enough money.  After all, why do hackers hack, if not for the money.

So, what do you think?  Does your organization have a plan if it’s hit by a ransomware attack?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

This isn’t a throwback post – that comes tomorrow.  But, it’s worth noting that we covered a story over two years ago where the guy who recommended we change our passwords periodically and require passwords that combine upper case letters, lower case letters, numbers and special characters admitted that was bad advice.  But, people – and systems – still seem to support the old ways.  That’s so 2003!

As discussed in Help Net Security (The password reuse problem is a ticking time bomb, written by Michael Greene), In the first six months of 2019, data breaches exposed 4.1 billion records and, according to the 2018 Verizon Data Breach Incident Report (which we covered here), compromised passwords are responsible for 81% of hacking-related breaches. The latest data from Akamai states that businesses are losing $4m on average each year due to credential stuffing attacks, which are executed by using leaked and exposed passwords and credentials.

The author recommends three key steps that organizations should take to strengthen their defenses:

1. Prevent the use of weak, similar or old passwords: New passwords should be significantly different from the previous ones and old passwords shouldn’t be re-used. Also, fuzzy-matching is a crucial tool for detecting the use of “bad” password patterns, as it checks for multiple variants of the password (upper-lower-case variants, reversed passwords, etc.).
2. End mandatory password resets, which don’t improve security: This policy has proven to be ineffective as it does nothing to ensure that the new password is strong and has not already been exposed. For example, changing your password from “Big5tud” to “Big5tud!” isn’t an incremental enough change to protect yourself.  ;o)  The author also notes that Microsoft and NIST guidelines (which we covered in the post two years ago) advise against this approach.
3. Check credentials continuously: NIST advises companies to verify that passwords are not compromised before they are activated and check their status on an ongoing basis. As the number of compromised credentials expands continuously, checking passwords against a dynamic database rather than a static list is critical.

The other key step (that the author didn’t mention) is to implement two-factor authentication wherever possible and expect it from your applications.  Two-factor authentication is where the application sends you a code (via text or email – the means for sending may vary depending on the platform) once you provide your password that you have to enter to then be able to access the application.  Unless a hacker can also access your email account or see your texts, that second layer of security helps protect against hacking of your account via just your password.  According to this infographic from Symantec, 80 percent of data breaches due to stolen credentials could have been eliminated with the use of two-factor authentication.

We’ve known all of this information for at least a couple of years now, yet organizations continue to move slowly in making changes.  Maybe by 2031?

So, what do you think?  Does your organization require you to change passwords periodically?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

There are plenty of reasons that organizations experience a data breach, including weak or stolen passwords (despite the availability of two factor authentication technology to thwart those efforts).  Here’s another common cause of data breaches: unpatched vulnerabilities in your software.

According to ZDNet (Cybersecurity: One in three breaches are caused by unpatched vulnerabilities, written by Steve Ranger – hat tip to Sharon Nelson’s excellent Ride the Lightning blog here), more than one in three IT professionals (34 percent) in Europe admitted that their organization had been breached as a result of an unpatched vulnerability according to a survey by security company Tripwire.  The overall average isn’t much better at 27 percent.

Why?  Software vendors are constantly publishing new patches to fix problems in software that they have sold. It’s then up to the users of the software to apply the patches – or else risk leaving themselves open to attack via the backdoors that the vendors failed to spot when building the product in the first place.

But the sheer volume of patches, with many vendors publishing new fixes on a monthly basis, and the need to test those patches to ensure that they don’t cause other unexpected problems, means that there’s often a delay in getting systems secured. That leaves a gap that hackers can exploit.

Finding the stuff that needs patching can be a challenge: 59 percent of respondents said they can detect new hardware and software on their network within hours, but it’s a difficult manual effort for many, with 35 percent saying less than half of their assets are discovered automatically.  As a result, nearly half (42 percent) of respondents take more than a week to deploy security patches in their environment.

And, there are often several patches to implement per month – 42 percent of respondents indicated that they patch at least 10 vulnerabilities per month, 15 percent said at least 50 per month, 6 percent said more than 100 per month.  Four out of five companies said they had stopped using a product because of a vulnerability disclosure.

The 2017 WannaCry ransomware attack was probably the clearest example of what can go wrong when patches aren’t applied; while a patch for the vulnerability exploited by the ransomware had existed for several months many organizations such as parts of the UK’s National Health Service had failed to use it.  Now, that really makes you wanna cry!

So, what do you think?  Are you aware of a data breach that occurred because of an unpatched vulnerability in the organization’s software?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.