All posts by Rob Sobers

The World in Data Breaches

Data security is one of the largest concerns impacting the world today.

The increasing sophistication of cyber attacks, coupled with a widespread lack of basic security controls, has produced the largest data breaches on record and the loss of billions of data records worldwide.

However, not all countries are affected equally. Factors such as breach-notification laws, population, and the size of individual breaches all influence the number of stolen records attributed to each country.

Data Breaches Worldwide

The number of lost or stolen data records varies around the world. Data records refer to any piece of information that can put an individual or organization at risk, including email address, date of birth, account credentials, medical files, and banking details. Using data from the Breach Level Index, we visualized where these records are concentrated based on the locations of the organizations that reported them.

The map puts into perspective the discrepancies in data records on a global level.

world in data breaches

Almost 64 percent of the total stolen data records occurred in the United States, whose large population, concentration of major companies, and rate of technological adoption make it the most massive “hotspot” on this map. Countries like China and India are also major centers of data breaches.

However, we also see populous countries like Brazil and large European economies like Italy represented as small regions on the map. A large population is therefore only half of the picture, especially once we look at the ratio of stolen records to population.

According to the Breach Level Index, over 9.7 billion data records have been lost or stolen globally since 2013 as a result of data breaches and cyber crime. Here are a few of the most alarming data breach statistics:

global data breach stats

Data Breaches by Country and Population

The below graphic shows the countries that have the highest ratio of data records stolen relative to their population. With over 6 billion stolen records, the total number of records in the U.S. exceeds the population by 19 times.

However, countries like South Korea and Canada have substantial data theft in relation to their smaller populations, suggesting that other factors influence stolen data records.

Identity Theft Worldwide

While a data breach is the incident that exposes data, identity theft is the moment someone’s compromised data is used for malicious purposes. A total of 10 million identities have been stolen since 2013. Like the total number of data records, identity theft shows geographic differences that population alone does not explain.

identity theft around the world

The United States leads other countries with almost 85 percent of identities stolen worldwide. While population size explains part of this, the United States’ stringent breach-notification requirements suggest that identity theft counts in other countries may be underreported.

Despite their smaller populations, countries like South Korea and Canada are among the most hacked. According to Symantec, these countries were affected by “mega breaches” — breaches affecting more than 10 million identities. For example, the Dailymotion breach in France exposed 85 million identities, almost equal to the total data records stolen for the whole year. We also see other smaller countries like Sweden and the Netherlands sized much larger proportionately.

These geographic views reveal that dense populations and economic power are not the sole sources of data breaches. Specific events and laws create gaps between countries, and a single mega breach can expose more records than some countries have people. With data privacy regulations like the EU’s GDPR and Australia’s Notifiable Data Breaches (NDB) scheme now in force, it’ll be interesting to see how data breaches continue to impact the world.

Sources:

Breach Level Index | Gemalto | Symantec | Guiding Tech | Worldometers | Risk-Based Security | TechInsurance | CSO Online | Checkmarx | The Register

The Average Reading Level of a Privacy Policy

privacy policies of tech companies after gdpr

On May 25th, 2018 the European Union’s General Data Protection Regulation, better known as GDPR, became an enforceable law. The policy was implemented primarily to create greater transparency regarding how companies handle personal data, and to enforce stricter requirements around the use and sharing of that personal data.

While the regulation protects the personal data of individuals in the EU, the law and its fines apply to a company regardless of whether the person pays for the service and regardless of whether the company has operations within the EU. The result has been a swath of privacy policy updates here in the U.S.

Since privacy policies are often overlooked — in 2014 half of internet users didn’t even know what a privacy policy was according to the Pew Research Center — added complexities from GDPR are surely making things worse, right?

We decided to look at the individual privacy policies of the top websites on the web to check word count, reading time and reading grade level before and after GDPR to determine just how easy these companies are making it for users to understand their policy changes.
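To make those three measurements concrete, here is an added example written for this page; it is not the post’s own tooling (the sources credit IBM Watson and Readability Formulas, and the post does not say which grade-level formula it used). It assumes the Flesch-Kincaid grade formula, a reading speed of 200 words per minute and a vowel-group syllable heuristic, and it runs on two constructed passages rather than on real policies:

```python
import re

# Assumption: 200 words per minute as an average adult reading speed. The post does not state
# the speed it used, so its reading times will not reproduce exactly.
WORDS_PER_MINUTE = 200

# Constructed sample passages (not from any real privacy policy).
SIMPLE_POLICY = "We collect your email. We use it to log you in. We do not sell it."
COMPLEX_POLICY = (
    "Notwithstanding the foregoing, personal information collected pursuant to this "
    "agreement may be disclosed to affiliated entities for legitimate business purposes."
)


def count_syllables(word):
    """Heuristic English syllable count: one per vowel group, minus a trailing silent 'e'."""
    w = re.sub(r"[^a-z]", "", word.lower())
    if not w:
        return 0
    groups = len(re.findall(r"[aeiouy]+", w))
    if w.endswith("e") and not w.endswith(("le", "ee")) and groups > 1:
        groups -= 1
    return max(groups, 1)


def readability(text):
    """Word count, sentence count, reading time and Flesch-Kincaid grade level for a text."""
    sentences = [s for s in re.split(r"[.!?]+", text) if s.strip()]
    words = re.findall(r"[A-Za-z]+(?:'[A-Za-z]+)?", text)
    if not sentences or not words:
        return {"words": 0, "sentences": 0, "syllables": 0, "minutes": 0.0, "grade": 0.0}
    syllables = sum(count_syllables(w) for w in words)
    # Flesch-Kincaid grade level: 0.39 * words/sentence + 11.8 * syllables/word - 15.59.
    grade = 0.39 * (len(words) / len(sentences)) + 11.8 * (syllables / len(words)) - 15.59
    return {
        "words": len(words),
        "sentences": len(sentences),
        "syllables": syllables,
        "minutes": len(words) / WORDS_PER_MINUTE,
        "grade": round(max(grade, 0.0), 1),  # the formula goes negative for very simple text
    }


def compare_policies(old_text, new_text):
    """Before/after deltas in the shape of the post's table: word count change and grade shift."""
    old, new = readability(old_text), readability(new_text)
    pct = (new["words"] - old["words"]) / old["words"] * 100 if old["words"] else 0.0
    return {
        "word_change_pct": round(pct, 2),
        "minutes_delta": round(new["minutes"] - old["minutes"], 2),
        "grade_delta": round(new["grade"] - old["grade"], 1),
    }


if __name__ == "__main__":
    for label, text in (("simple", SIMPLE_POLICY), ("complex", COMPLEX_POLICY)):
        print(label, readability(text))
    print("change", compare_policies(SIMPLE_POLICY, COMPLEX_POLICY))
```

The one-sentence legal passage scores around grade 21 while the three short sentences score 0, which shows why sentence length dominates these formulas and why a policy can add words yet become easier to read if it is broken into shorter sentences. Different syllable heuristics and reading speeds shift the absolute numbers, so comparisons are only meaningful when the same settings are used before and after.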

What Did Privacy Policies Look Like Before GDPR?

privacy policies before gdpr

As you can see, Reddit had the longest reading time at almost 27 minutes, with Facebook and eBay close behind. With the third-highest word count and the highest reading level of 18 (two years beyond a college degree), eBay was effectively the most difficult privacy policy to read.

Yahoo was by far the shortest read of the group at under 8 minutes, and its reading level sat just above the average of 13.6. Perhaps fittingly, given its push to be more transparent about privacy, Facebook had the easiest reading level at 11.

So, how did things change once GDPR caused these sites to update their policies?

How Did Privacy Policies Change After GDPR?

privacy policies after gdpr

The major change seen here is that eBay not only increased its word count to the highest on the list, but its reading level now sits at 20. Yahoo still has the lowest word count and reading time, but Reddit now has the easiest reading level. Below we dig deeper into each site to understand the changes after GDPR, starting with the most popular site on the web, Google.

Google privacy policy after GDPR

Google processes over 40,000 search queries every second, which translates into 3.5 billion searches every day. Since search is only one avenue for Google to collect data from users, the amount of raw data collected is mind blowing. By some estimates, Google owns and stores about 15 exabytes of data. To put this in perspective, 1 exabyte equates to 1 million terabytes.

The large number of products and users Google has opens up their exposure to data breaches. It might not surprise you that with the introduction of GDPR law, Google’s privacy policy increased by more than 48 percent.

Facebook privacy policy after GDPR

After the intense public scrutiny of the Cambridge Analytica scandal, Mark Zuckerberg testified before Congress and the European Parliament. After his testimony, the chair of the European Parliament Civil Liberties, Justice and Home Affairs committee said, “Mr Zuckerberg and Facebook will have to make serious efforts … to convince individuals that Facebook fully complies with European data protection law.”

How did Facebook’s efforts to increase the readability of their privacy policy measure up as a result of GDPR? Although they shortened the time it takes to read by over 5 minutes, the reading level increased by two full grades.

Reddit privacy policy after GDPR

Reddit is the self-proclaimed “front page of the internet” and, with over 1.5 billion monthly active users and over 1.2 million total subreddits, that tagline has become a self-fulfilling prophecy. There are subreddits dedicated to blackhat hacking techniques and other subreddits that have been targeted for the very nature of their existence.

In December of 2017, the cryptocurrency-focused r/btc subreddit was targeted by a series of hacks that drained users’ Bitcoin Cash wallets. The very nature of Reddit, which revolves around sharing links to third-party sites, exposes users to malicious content. With this in mind, it’s a little surprising to see the word count decrease by 38.20 percent.

Amazon privacy policy after GDPR

Amazon has grown into more than just the largest eCommerce company in the world. Their cloud computing platform, Amazon Web Services, is now responsible for 10 percent of the company’s revenue. Security is more important than ever since Amazon now houses sensitive data of individuals — the cloud platform reached 1 million users in 2016.

The company also stores the information of companies and governments. An Uber breach in 2016 that compromised the information of 57 million users worldwide was linked to a compromised Amazon Web Services account.

Amazon’s privacy policy changes resulted in increases across the board: the word count, time to read, and reading grade level all went up.

Wikipedia privacy policy after GDPR

Wikipedia was launched in 2001 with the goal of increasing the availability of information worldwide, and the English edition has since reached 5.6 million articles. While the often-cited website has become one of the most popular in the world, its information isn’t always completely reliable. The free encyclopedia was built around a model of openly editable content, which means that anyone with access to the Internet can edit it, even anonymously or under a pseudonym.

While the website has policies in place to remove false content, its reliability is often in question; Turkey banned the site in 2017 after the Wikimedia Foundation refused to take down an article whose accuracy the government disputed. Wikipedia’s privacy policy saw the largest increase in word count at nearly 95 percent, and the time to read increased as well.

Yahoo privacy policy after GDPR

A golden child of the dot-com bubble, the domain “yahoo.com” was purchased on January 18, 1995. By 1997, Yahoo was the second most visited website on the internet, after AOL, and Yahoo’s valuation skyrocketed to $125 billion before the bubble popped and the company’s stock fell dramatically. When cooler heads prevailed, the stock price began to normalize and the company maintained its position as one of the most frequently viewed websites in the U.S.

In 2016, Yahoo reported a security breach that the company believed had compromised 1 billion accounts. In 2017, it was revealed that in actuality every single Yahoo account, over 3 billion in total, had been affected, making it the largest data breach in history. It might not be surprising to see the word count of the new privacy policy increase by 38.11 percent, but this could also be a result of the acquisition by Verizon in 2017.

Twitter privacy policy after GDPR

Twitter launched in 2006 after the founding team’s podcasting company, Odeo, failed. The team included current CEO Jack Dorsey, who sent the first “tweet” when the service still ran over SMS. The company had its initial public offering in 2013 with over 200 million monthly active users and over 500 million tweets per day.

In 2016, the company created the “Twitter Trust & Safety Council” to ensure users feel safe using the product. The company has had a string of security incidents, including one as recent as May 2018, when a bug wrote the passwords of its roughly 330 million users to an internal log in plain text before they were hashed. Although the reading level has remained consistent, Twitter’s new privacy policy has grown by more than 29 percent.

Ebay privacy policy after GDPR

eBay, another veteran member of the Silicon Valley dot-com bubble on this list, started as an online auction marketplace. In fact, the company was started to help the founder’s fiancée trade her collection of Pez dispensers. With their “Buy It Now” feature, the company has moved beyond their original auction-style business model and solidified their place in eCommerce.

Certainly not immune to the tech industry’s privacy and security issues, eBay has had its fair share of public scrutiny. In 2014, eBay revealed that the names, encrypted passwords, email addresses, phone numbers, physical addresses and dates of birth of some 145 million users had been exposed. It’s interesting to see that the privacy policy has become more difficult to read, increasing by two reading levels, while the word count has increased only a little more than 8 percent.

instagram privacy policy after GDPR

Social media photo- and video-sharing app Instagram has a wealth of information to protect: As of 2017, the app had 800 million users, 500 million of them daily users. Additionally, more than 40 billion photos had been uploaded to the app as of October 2015, and that figure doesn’t include Stories, a feature that launched in 2016.

Instagram isn’t a stranger to breaches of this information, either. In 2017 the app suffered a data breach that left the personal information of approximately six million users vulnerable. Among the information affected were the phone numbers and email addresses of high-profile users, which was then made available on the dark web. The company is also owned by Facebook, which faced widespread criticism following the 2018 Cambridge Analytica scandal.

Instagram’s policy grew across the board: its word count increased over 40 percent, while the time it takes to read increased by a full 6 minutes.

Netflix privacy policy after GDPR

What began as a DVD rental service in 1997 quickly expanded and exploded with the proliferation of technology: Today, Netflix is a subscription-streaming service provider and content producer with over 125 million users worldwide. The company also expanded globally in 2016, simultaneously launching in 130 countries and bringing its total availability to 190 countries.

Netflix accounts are also a commodity for criminals: In 2015, security company McAfee released a report detailing how access to streaming accounts, including Netflix’s, can be bought on the dark web. A file containing 1.4 billion leaked credentials, posted on the dark web in 2017, also included Netflix logins.

Overall, Netflix’s privacy policy has seen an increase in word count, reading time and reading grade level, although the increases are slight compared to some.

How Have Privacy Policies Changed Overall?

how privacy policies have changed since gdpr

The stated goal of the updated privacy policies is to make it easier for users to understand what data is collected and to manage or access it. However, you might be surprised to see how the privacy policies actually changed. Eight out of the 10 companies we analyzed increased their privacy policy word count and, with it, the time it takes to read them.

Wikipedia showed the largest update, with a word count increase of almost 95 percent. Only two companies — Facebook and Reddit — decreased both the word count and the reading time of the privacy policies.


Sources
Google – Old | New | Facebook – Old | New | Reddit – Old | New | Amazon – Old | New | Wikipedia – Old | New | Yahoo – Old | New | Twitter – Old | New | eBay – Old | New | Instagram – Old | New | Netflix – Old | New | IBM Watson – Natural Language Understanding | IBM Watson – Tone Analyzer | Readability Formulas | Alexa | Niram | EU – GDPR

What Does it Take to Be an Ethical Hacker?

how to be an ethical hacker

What do you think of when you hear the term “hacker”?

If you immediately envision a mysterious figure out to illegally access and compromise systems with the intent to wreak havoc or exploit information for personal gain, you’re not alone.

While the term “hacker” was originally used within the programming community to describe someone with deep skill in and curiosity about computer systems, it has since become synonymous with “cyber criminal,” a change in perception largely due to portrayals in movies and in the media.

As such, the cyber community has developed several terms to differentiate malicious, illegal hackers (known as “black hat hackers”) from other cyber risk and programming professionals without malicious intent.

Read on to learn more about ethical hackers, or jump to our infographic to learn how to become one yourself.

What is a White Hat Hacker?

A white hat hacker — also referred to as a “good hacker” or an “ethical hacker” — is someone who, with the owner’s authorization, attacks computer systems or networks to identify security flaws and recommend fixes. A subset of ethical hackers are penetration testers, or “pentesters,” who focus specifically on finding vulnerabilities and assessing risk within a defined scope and time frame.

Unlike black hat hackers, who access systems illegally, with malicious intent and often for personal gain, white hat hackers work with companies to help identify weaknesses in their systems and make corresponding updates.

In many ways, white hat hackers are the antithesis of black hat hackers. White hat hackers break into systems with the intention of getting vulnerabilities fixed, precisely so that black hat hackers can’t use the same weaknesses to reach the system’s data.

Ten Influential White Hat Hackers

White hat hackers are the “good guys” of the hacking world. They exploit systems to make them better and keep black hat hackers out. Below are some of the most influential white hat hackers.

Tim Berners-Lee
One of the most famous names in computer science, Berners-Lee is the inventor of the World Wide Web. Today he serves as the director of the World Wide Web Consortium (W3C), which oversees the development of web standards.

Greg Hoglund
Computer forensics expert Hoglund is best known for his work and research contributions in malware detection, rootkits and online game hacking. In the past, he worked for the U.S. government and the intelligence community.

Richard M. Stallman
Founder of the GNU project, a free software project that promotes freedom with regard to the use of computers, Stallman is a prime example of a “good guy” hacker. Stallman founded the free software movement in the mid-1980s, with the idea that computers are meant to support cooperation, not hinder it.

Dan Kaminsky
A well-known figure within the cybersecurity world, Kaminsky is the chief scientist of White Ops, a firm that detects bot-driven fraud. He’s best known for discovering a fundamental flaw in the Domain Name System (DNS) protocol that would have allowed attackers to perform widespread cache poisoning attacks.

Jeff Moss
Ethical hacker Jeff Moss served on the U.S. Homeland Security Advisory Council during the Barack Obama administration and co-chaired the council’s Task Force on CyberSkills. He also founded hacker conferences Black Hat and DEFCON, and is a commissioner at the Global Commission on the Stability of Cyberspace.

Charlie Miller
Miller, who’s largely famous for finding Apple vulnerabilities and winning the well-known Pwn2Own computer hacking contest in 2008, has also worked as an ethical hacker for the National Security Agency.

Linus Torvalds
Software engineer Torvalds created and still leads development of the Linux kernel, the core of the Linux family of operating systems.

Kevin Mitnick
Once one of the most notorious black hat hackers around, Mitnick became a white hat hacker after a highly publicized FBI pursuit landed him in jail for computer hacking and wire fraud. Today, he runs Mitnick Security Consulting, which performs security and penetration testing for companies.

Tsutomu Shimomura
White hat hacker Shimomura is best known for assisting the FBI in taking down Mitnick after the black hat personally attacked Shimomura’s computers.

Marc Maiffret
Now the chief technology officer at a leading security management company, Maiffret’s accolades include building one of the first vulnerability management and web application security products. He’s also credited with discovering some of the first major vulnerabilities in Microsoft software, including the IIS buffer overflow exploited by Code Red, one of the first major worms to target Microsoft server software.

Get a Job as an Ethical Hacker

While the term “hacker” may not have the most positive connotation in today’s vocabulary, it actually encompasses a wide range of professionals with a number of motivations. To learn more about the different types of hackers — including how to become a white hat hacker — check out the full infographic below.

how to be a white hat hacker

Sources:
Malware Fox | Lifewire | Investopedia | MakeUseOf | Gizmodo | Business News Daily | SC Magazine | Payscale | PCMag | Pluralsight

60 Must-Know Cybersecurity Statistics for 2018

cybersecurity facts 2018

Cybersecurity issues are becoming a day-to-day struggle for businesses. Trends show a huge increase in hacked and breached data from sources that are increasingly common in the workplace, like mobile and IoT devices.

Additionally, recent research suggests that most companies have unprotected data and poor cybersecurity practices in place, making them vulnerable to data loss.

We’ve compiled 60 cybersecurity statistics to give you a better idea of the current state of overall security, and paint a picture of how potentially dire leaving your company unsecure can be.

Data Breaches by the Numbers

The increasing number of large-scale, well-publicized breaches suggests that not only are security breaches becoming more frequent, they’re increasing in severity as well.

  1. In 2016, Yahoo disclosed a 2013 breach that was later found to have affected all 3 billion of its accounts, one of the biggest breaches of all time. (Oath.com)
  2. In 2017, Uber disclosed that hackers had stolen the information of over 57 million riders and drivers in 2016. (Uber)
  3. In 2016, 412 million user accounts were stolen from FriendFinder Networks’ sites. (LeakedSource)
  4. In 2017, 147.9 million consumers were affected by the Equifax breach. (Equifax)
  5. According to 2017 statistics, there are over 130 large-scale, targeted breaches in the U.S. per year, and that number is growing by 27 percent per year. (Accenture)
  6. Thirty-one percent of organizations have experienced cyber attacks on operational technology infrastructure. (Cisco)
  7. More than 100,000 organizations in at least 150 countries and more than 400,000 machines were infected by the WannaCry ransomware worm in 2017, at a total cost of around $4 billion. (Malware Tech Blog)
  8. Attacks involving cryptojacking increased by 8,500 percent in 2017. (Symantec)
  9. In 2017, 5.4 billion WannaCry attacks were blocked. (Symantec)
  10. Around 24,000 malicious mobile apps are blocked every day. (Symantec)
  11. In 2017, the average breach involved 24,089 records. The largest average breach size was in India, at over 33,000 records; the U.S. average was 28,500. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  12. In 2018, Under Armour reported that its MyFitnessPal app was hacked, affecting 150 million users. (Under Armour)
  13. Between January 1, 2005 and April 18, 2018 there were 8,854 recorded breaches. (Identity Theft Resource Center)

Cybersecurity Costs

Average expenditures on cybercrime are increasing dramatically, and costs associated with these crimes can be crippling to companies who have not made cybersecurity part of their regular budget.

  1. In 2017, cyber crime costs accelerated, with organizations spending nearly 23 percent more than in 2016, on average about $11.7 million. (Accenture)
  2. The average cost of a malware attack on a company is $2.4 million. (Accenture)
  3. The average time to resolve a malware attack is 50 days. (Accenture)
  4. From 2016 to 2017 there was a 22.7 percent increase in cybersecurity costs. (Accenture)
  5. The average global cost of cyber crime increased by over 27 percent in 2017. (Accenture)
  6. The most expensive component of a cyber attack is information loss, which represents 43 percent of costs. (Accenture)
  7. Ransomware damage costs exceeded $5 billion in 2017, 15 times the cost in 2015. (CSO Online)
  8. The Equifax breach cost the company over $4 billion in total. (Time Magazine)
  9. The average cost per lost or stolen record is $141, but that cost varies by country. Breaches are most expensive in the United States ($225 per record) and Canada ($190). (Ponemon Institute’s 2017 Cost of Data Breach Study)
  10. In companies with over 50,000 compromised records, the average cost of a data breach is $6.3 million. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  11. Including customer turnover, increased customer acquisition activity, reputation losses and diminished goodwill, the cost of lost business was highest for U.S. companies at $4.13 million per company. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  12. Damage related to cybercrime is projected to hit $6 trillion annually by 2021. (Cybersecurity Ventures)

Cybersecurity Facts and Figures

It’s crucial to have a grasp on the general landscape of metrics surrounding cybersecurity issues, including what the most common types of attacks are and where they come from.

  1. Ransomware detections are concentrated in countries with large internet-connected populations. The United States ranks highest with 18.2 percent of all ransomware detections. (Symantec)
  2. The Ramnit banking trojan dominated attacks on the financial sector in 2017, accounting for 53 percent of them. (Cisco)
  3. Most malicious domains, about 60 percent, are associated with spam campaigns. (Cisco)
  4. Seventy-four percent of companies have over 1,000 stale sensitive files. (Varonis)
  5. Malware and web-based attacks are the two most costly attack types; companies spent an average of US $2.4 million defending against them. (Accenture)
  6. The financial services industry bears the highest cost from cyber crime, at an average of $18.3 million per company surveyed. (Accenture)
  7. Microsoft Office formats such as Word, PowerPoint and Excel make up the most prevalent group of malicious file extensions, at 38 percent of the total. (Cisco)
  8. About 20 percent of malicious domains are very new and are used within about a week of being registered. (Cisco)
  9. Over 20 percent of cyber attacks in 2017 came from China, 11 percent from the U.S. and 6 percent from the Russian Federation. (Symantec)
  10. The app category with the most cybersecurity issues is lifestyle apps, which account for 27 percent of malicious apps. Music and audio apps account for 20 percent. (Symantec)
  11. The information that apps most often leak is phone numbers (63 percent) and device location (37 percent). (Symantec)
  12. In 2017, spear-phishing emails were the most widely used infection vector, employed by 71 percent of the groups that staged targeted attacks. (Symantec)
  13. Between 2015 and 2017, the U.S. was the country most affected by targeted cyber attacks, with 303 known large-scale attacks. (Symantec)
  14. In 2017, overall malware variants were up by 88 percent. (Symantec)
  15. The three most common malware detections of 2017 were Heur.AdvML.C (23,335,068 detections, 27.5 percent of the total), Heur.AdvML.B (10,408,782 detections, 12.3 percent) and JS.Downloader (2,645,965 detections, 3.1 percent). (Symantec)
  16. By 2020, the estimated number of passwords used by humans and machines worldwide will grow to 300 billion. (Cybersecurity Media)

Cybersecurity Risks

With new threats emerging every day, the risks of leaving files unsecured are greater than ever, especially for companies.

  1. 21 percent of all files are not protected in any way. (Varonis)
  2. 41 percent of companies have over 1,000 sensitive files, including credit card numbers and health records, left unprotected. (Varonis)
  3. 70 percent of organizations say they believe their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  4. 69 percent of organizations don’t believe the threats they’re seeing can be blocked by their anti-virus software. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  5. Nearly half of the security risk that organizations face stems from having multiple security vendors and products. (Cisco)
  6. 7 out of 10 organizations say their security risk increased significantly in 2017. (Ponemon Institute’s 2017 Cost of Data Breach Study)
  7. 65 percent of companies have over 500 users who are never prompted to change their passwords. (Varonis)
  8. Ransomware attacks are growing more than 350 percent annually. (Cisco)
  9. IoT attacks were up 600 percent in 2017. (Symantec)
  10. The industry with the highest number of ransomware attacks is healthcare. Attacks are expected to quadruple by 2020. (CSO Online)
  11. 61 percent of breach victims in 2017 were businesses with under 1,000 employees. (Verizon)
  12. Ransomware damage costs will rise to $11.5 billion in 2019, when a business will fall victim to a ransomware attack every 14 seconds. (Cybersecurity Ventures)
  13. Variants of mobile malware increased by 54 percent in 2017. (Symantec)
  14. Today, 1 in 13 web requests leads to malware, up 3 percent from 2016. (Symantec)
  15. 2017 saw an 80 percent increase in new malware on Mac computers. (Symantec)
  16. In 2017 there was a 13 percent overall increase in reported system vulnerabilities. (Symantec)
  17. 2017 brought a 29 percent increase in industrial control system-related vulnerabilities. (Symantec)
  18. By 2020, we expect IT analysts covering cybersecurity will be predicting five-year spending forecasts (to 2025) at well over $1 trillion. (Cybersecurity Ventures)
  19. The United States and the Middle East spend the most on post-breach response: $1.56 million per breach in the U.S. and $1.43 million in the Middle East. (Ponemon Institute’s 2017 Cost of Data Breach Study)

There’s no question that the situation with cybercrime is dire. Luckily, by assessing your business’s cybersecurity risk, making company-wide changes and improving overall security behavior, it’s possible to protect your business from most data breaches.

Make sure you’ve done everything you can do to avoid your company becoming a victim to an attack. The time to change the culture toward improved cybersecurity is now.

Must-know cybersecurity statistics

The Anatomy of a Phishing Email

Recognize a phishing scam

Have you been hooked by a phishing email?

Phishing scams are one of the most common ways attackers gain access to sensitive or confidential information. In fact, according to Verizon’s 2018 Data Breach Investigations Report, phishing is involved in 70 percent of breaches that feature a social engineering component.

What is Phishing?

At the most basic level, a phishing scam involves sending fraudulent emails that appear to be from a reputable company, with the goal of deceiving recipients into either clicking on a malicious link or downloading an infected attachment, usually to steal financial or confidential information.

If your employees don’t know the signs of a phishing email, your company is at risk. According to Verizon, the average time it took for the first victim of a large-scale phishing campaign to click a link in the malicious email was 16 minutes; however, it took twice as long, 33 minutes, for the first user to report the campaign to IT.

Given that 49 percent of malware is installed via email, these 17 minutes could spell disaster for your company.

How to Spot a Phishing Scam

We’ve broken out the most common components of a phishing email. Check out our full infographic to test your knowledge.

how to spot a phishing scam

How many did you get? Read on to learn more about the identifying characteristics of a typical phishing email.

scare tactics phishing

Subject line
Phishing campaigns typically aim to create a sense of urgency using intense language and scare tactics, starting with the email’s subject line. Common themes among phishing emails are that something sensitive, such as a credit card number or an account, has been compromised. This is done to induce the recipient into responding quickly, without recognizing the signs of a scam.

“From” field
To work, phishing campaigns must trick the email recipient into believing that the message is from a reputable company. As such, the email will appear to come from a legitimate entity within a recognized company, such as customer support. Upon closer look, however, you can see that both the name of the sender and the sender’s email address are spoofs of a known brand, not a real vendor.

phishing email body copy

“To” field
Phishing emails are often impersonal, addressing the recipient as a “user” or “customer.” This is a red flag; while businesses may send out mass eblasts announcing a sale or service, legitimate companies will address you by name when asking for an update to financial information, or dealing with a similarly sensitive matter.

Body copy
As with the subject line, the body copy of a phishing email typically employs urgent language designed to encourage the reader to act without thinking. Phishing emails are also often riddled with both grammar and punctuation mistakes.

phishing scam malicious link

Malicious link
A suspicious link is one of the main giveaways of a phishing email. These links are often shortened (through bit.ly or a similar service) or, as above, are formatted to look like a legitimate link that corresponds with the company and message of the fake email. However, rolling over the link shows a malicious address that doesn’t take you to the stated web address.

Scare tactics
In addition to urgent language, phishing emails often employ scare tactics in hopes that readers will click malicious links out of alarm or confusion. Such messaging is often framed around updates that are immediately required or payments that must be made within a certain amount of time.

phishing scam footer

Email sign-off
As with the email’s greeting, the sign-off is often impersonal — typically a generic customer service title, rather than a person’s name and corresponding contact information.

Footer
A phishing email’s footer often includes tell-tale signs of a fake, including an incorrect copyright date or a location that doesn’t correspond with that of the company.

malicious attachment

Attachment(s)
In addition to malicious links, phishing scams often include malicious downloadable files, frequently compressed .zip files, which can infect your computer.

malicious landing page

Malicious landing page
If you do click on a phishing link, you’ll often be taken to a malicious landing page, much like the one above. There are several ways to spot a malicious landing page:

  • Website address: The web address of a malicious landing page attempts to mimic the web address of a legitimate company, but errors such as misspellings and insecure connections denote an unsafe website.
  • Missing navigation and footer: The goal of a malicious landing site is to take your information. As such, these pages are often bare-bones. Here, you can see that the landing page is missing both the header and footer of Apple’s ID sign-in page.
  • Misspelling: Like in the phishing email, the malicious landing page will attempt to mimic a real company, but small oversights can tip you off: like above, where “Apple Pay” is misspelled as one word.
  • Information collection: The goal of phishing scams is to get you to enter personal or financial information, so malicious landing pages will almost always include some type of information collection form that deviates slightly from the company’s legitimate landing page. In the malicious page above, users are required to enter their Apple ID password; this is not required on the actual Apple ID login page.

So, were you able to spot all the errors? As phishing attacks become more common — and phishing tactics more sophisticated — it’s important to inspect all unsolicited emails with a careful eye.

Email recipients don’t shoulder all the burden, however. To truly combat phishing tactics, companies must become more vigilant, through both employee training and the use of security software, to better spot and prevent potentially debilitating attacks.
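As an added example (not part of the original post), here is a PowerShell script that checks a constructed sample message for the indicators walked through above: a brand name in the “From” display name that does not match the sender’s domain, urgent wording in the subject and body, a generic greeting, link text that does not match where the link actually points (or goes through a shortener), and a stale copyright year in the footer. The brand-to-domain table, the keyword lists and the sample message are assumptions for illustration, not a production allow-list.

```powershell
# Added example, not from the original post. The sample message, brand table
# and keyword lists below are constructed for illustration.
$Sample = @{
    FromName    = 'Apple Support'
    FromAddress = 'support@appie-id-verify.example'
    To          = 'user@example.com'
    Subject     = 'URGENT: Your account has been suspended - action required'
    Body        = @'
Dear Customer,
We detected unusual activity. Please verify your information immediately
or your account will be closed within 24 hours.
<a href="http://bit.ly/x1y2z3">https://appleid.apple.com/verify</a>
Regards,
Customer Service Team
Copyright 2015 Apple Inc. Cupertino, Texas
'@
}

# Brands and the domains they legitimately send from (assumed for the example).
$KnownBrands     = @{ 'apple' = @('apple.com'); 'paypal' = @('paypal.com') }
$UrgencyWords    = 'urgent|immediately|suspended|within \d+ hours|action required|verify now'
$GenericGreeting = '^(dear|hello|hi)\s+(customer|user|member|account holder)'
$Shorteners      = @('bit.ly', 'tinyurl.com', 'goo.gl', 't.co')

function Get-PhishingIndicators {
    param([hashtable]$Message)
    $hits = New-Object System.Collections.Generic.List[string]

    # "From" field: brand in the display name, but the sender domain is not the brand's
    $senderDomain = ($Message.FromAddress -split '@')[-1].ToLower()
    foreach ($brand in $KnownBrands.Keys) {
        if ($Message.FromName -match $brand) {
            $legit = $KnownBrands[$brand] | Where-Object {
                $senderDomain -eq $_ -or $senderDomain.EndsWith(".$_") }
            if (-not $legit) { $hits.Add("Display name claims '$brand' but sender domain is $senderDomain") }
        }
    }

    # Subject line and body copy: urgency and scare-tactic language
    if ($Message.Subject -match $UrgencyWords) { $hits.Add('Urgent language in subject') }
    if ($Message.Body -match $UrgencyWords)    { $hits.Add('Urgent language in body') }

    # Greeting: generic salutation instead of the recipient's name
    $firstLine = ($Message.Body -split '\r?\n')[0].Trim()
    if ($firstLine -match $GenericGreeting) { $hits.Add("Generic greeting: '$firstLine'") }

    # Links: displayed URL differs from the real target, or the target is a shortener
    $linkPattern = '<a\s+href="(?<href>[^"]+)"[^>]*>(?<text>[^<]+)</a>'
    foreach ($m in [regex]::Matches($Message.Body, $linkPattern)) {
        $href = $m.Groups['href'].Value
        $text = $m.Groups['text'].Value.Trim()
        $hrefHost = ([uri]$href).Host.ToLower()
        if ($text -match '^https?://' -and ([uri]$text).Host.ToLower() -ne $hrefHost) {
            $hits.Add("Link text shows $text but points to $hrefHost")
        }
        if ($Shorteners -contains $hrefHost) { $hits.Add("Shortened link via $hrefHost") }
    }

    # Footer: copyright year that is not the current year
    if ($Message.Body -match 'Copyright\s+(\d{4})' -and [int]$Matches[1] -ne (Get-Date).Year) {
        $hits.Add("Stale copyright year $($Matches[1]) in footer")
    }
    return $hits
}

$indicators = Get-PhishingIndicators -Message $Sample
Write-Host "$($indicators.Count) phishing indicators found:"
$indicators | ForEach-Object { Write-Host " - $_" }
```

Run against the sample, the script reports all six indicators; the same function can be pointed at a parsed message from a mail gateway or quarantine to flag candidates for a human reviewer.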

Is Your Company Prepared for a Cyber Attack?

In December of 2016, a researcher approached credit reporting agency Equifax with a simple message: Your website is vulnerable to a cyber attack. The company did nothing to patch the flaw. They were breached six months later, in May of 2017, with hackers stealing the sensitive data of 145.5 million Americans.

It’s an extreme example of an all-too-common business failing: that of cybersecurity preparedness.

As hacks continue to proliferate in the news cycle, targeting both large corporations and small businesses, companies that previously didn’t see a need to invest in cybersecurity training and prevention are increasingly focusing on one question: Are we prepared in the event of an attack? And, resoundingly, the answer is “no.”

Cybersecurity readiness involves developing a complex, proactive strategy that goes far beyond a basic response plan — although research suggests that many businesses don’t have one of those in place, either.

We’ve compiled the major steps you need to take to prepare your business for a cyber attack. Take a look at them below, and decide for yourself how your company would fare.

would your company survive a cyber attack

Creating an effective cybersecurity preparedness plan is a mix of implementing company-wide, procedural policies; utilizing data protection and taking technical precautions to protect your data; and putting a reactive plan in place in case the worst case does happen.

So, is your company prepared?

Sources
Verizon Data Breach Investigations Report | PWC Global State of Information Security Survey

Is Your Biggest Security Threat Already Inside Your Organization?

Are insiders compromising your security

The person in the cubicle next to you could be your company’s biggest security threat.

The large-scale attacks we’re accustomed to seeing in the news — Yahoo, Equifax, WannaCry ransomware — are massive data breaches caused by cyber criminals, state-sponsored entities or hacktivists. They dominate the news cycle with splashy headlines that tell an all-too-recognizable story: one of name-brand corporations vs. anonymous cyber villains.

We focus on outsider threats because they’re both terrifying and thrilling, and because they’re familiar. They often have a clear-cut storyline, one that we’ve seen before. But the hyper-focus on cyberattacks caused by outside parties can lead organizations to ignore a major cybersecurity threat: insiders already in the organization.

We’ve seen these threats before too: acts of dramatic espionage from Snowden, Reality Winner and Gregory Chung — but insider threats aren’t always so obvious, and they pose a risk even for organizations that don’t operate in the national security space. In fact, research suggests that insider threats account for anywhere from 60 to 75 percent of data breaches.

They’re dangerous for a number of reasons, including because of how much they vary: from rogue employees bent on personal gain or professional revenge to careless staffers without proper cybersecurity training, insider threats can come from almost anyone, making them a prime concern for businesses. Check out our full infographic to learn more about the motives and methods behind these types of threats.

Insider threats cybersecurity

Are you doing everything you can to prevent insider threats?

If you’re granting unnecessary internal permissions, lack an auditing system for high-risk people or sensitive data, or aren’t paying close attention to possible behavioral indicators of malicious activity, your organization is at risk. You’re more vulnerable than you think — assess your risk today to see what you can do to ward off threats that come from the inside.

Infographic sources:
U.S. Department of Homeland Security | 2018 Insider Threat Report | Digital Guardian | MetaCompliance | ITProPortal | IT Governance | Wired

Social Media Security: How Safe is Your Information?

Comparing social media privacy

In 2012, a massive cyber attack by a hacker named “Peace” exploited over 117 million LinkedIn users’ passwords. After the dust had settled from the initial attack, new protocols had been put in place and the breach was all but forgotten in the public eye, the same hacker reared their head again. Nearly five years later, “Peace” began releasing the stolen password information of the same LinkedIn users from the earlier hack.

With millions of users’ data (or billions, in the case of Facebook) floating around the web, the need for tight security from social media platforms is obvious. Facebook alone has reported receiving more than 600,000 security hack attempts each day. (Although that is nothing compared to the NSA’s 300 million attempted hacks each day!)

The wide age range and technology experience level of social media users makes security management even more complex. A social platform needs to not only combat hackers, but also has to protect users whose personal security practices might be elementary. Only 18 percent of Americans report changing their social media password regularly.

So with the constant threats of hacks coming in — from both foreign and domestic hackers — what exactly are these platforms doing to keep our information safe?

Each of the major social platforms has their own security blog that keeps users and industry infosec bloggers in the loop about new security advancements, tactics for combating fraud and the occasional public statement about hacks.

We’ve broken down the security initiatives and features to compare what LinkedIn, Twitter and Facebook security teams are doing to protect the social platforms that people use each day.

comparing social media settings

While each platform has its unique set of challenges, one of the main initiatives from each is the bug bounty program. You can read more about each platform’s policy below:

Each policy has been very successful for its respective site. However, even though these safety precautions exist, there are always hackers trying to get one step ahead of the curve.

For instance, Twitter is attempting to protect the safety and integrity of its platform by reducing the number of automated bots. They publicly announced their battle in a blog post, stating “While bots can be a positive and vital tool, from customer support to public safety, we strictly prohibit the use of bots and other networks of manipulation to undermine the core functionality of our service.” However, bots are clearly still an issue, with their hands in everything from the Oscars to local elections.

It is clear the fight to protect the safety and privacy of social media is far from over, but as data security teams in companies continue to grow, learn and share knowledge, there is hope that they will remain ahead of the game.

Infographic sources:

LinkedIn 1, 2, 3 | Threatpost | Vice | Twitter | Harvard Business Review | Wired | Facebook | The Telegraph

Do Americans Ever Change Their Passwords?

computer with data

Just how cautious are Americans when it comes to cybersecurity?

In today’s hyper-connected, highly-digitized society, data breaches are becoming increasingly commonplace. And they affect both corporations and individuals. In 2017 alone, the Equifax breach — considered by some to be the worst security breach in recent history — put 145.5 million Americans at risk of exposed information and identity theft.

Additionally, a Gmail phishing attack last year put 1 million users at risk of exposed information, and an Instagram hack revealed the contact information of 6 million users. Yahoo also revealed that a 2013 data breach affected the private information associated with all of their users — 3 billion in total.

According to the Pew Research Center, 64 percent of Americans have experienced some type of data breach in their lifetime. Despite this, the center found that the majority of Americans fail to follow cybersecurity best practices in their own digital lives.

In an effort to uncover more on password security habits (and associated feelings of cybersecurity), we put these numbers to the test. Read on to discover what we found after surveying 1,000 Americans.

Americans and Password Security

While cyberattacks are top-of-mind for many Americans, first-hand experiences and worry about imminent attacks don’t seem to get people to change their digital habits.

Despite the Pew Research Center’s report that the majority of Americans have personally experienced a major data breach and even anticipate an attack within the next five years, the majority of adults surveyed still seem largely unconcerned with personal password safety.

The most common reason users change their passwords is because they’ve simply forgotten their current one. Half of people surveyed cited this as the most common reason to change a password. In contrast, despite the increasing amount of hacks in the news cycle, only 1 in 5 Americans said they change their password as a result of a hack in the news.

americans changing their passwords data

Which Password Is Changed Most Often?

Our research revealed that the most common password Americans change is the password to their online banking or loans account, at 29 percent.

which passwords do americans change data

This is perhaps unsurprising, considering that financial security is one of the major concerns for Americans when it comes to cybersecurity. According to Pew, 66 percent of Americans expect the banking and financial systems to experience major cyberattacks in the near future, 41 percent say that they’ve experienced credit card fraud, and 14 percent have had loans taken out in their name.

However, recent hacks in the news have shown that individual users are increasingly affected across a number of entities, including email, social media, online shopping, and software and applications.

How Are Passwords Saved?

Our research also found that the majority of Americans use memorization or pen and paper to keep track of their passwords.

This is in contrast to the password best practices outlined by cybersecurity professionals, which recommend using third-party password management services, changing passwords on a regular basis and most importantly, never leaving passwords accessible or in plain text.

how do americans remember passwords

Although there are some memory tricks you can use to remember complex passwords, memorization can be difficult, given that ideal passwords are meant to be a combination of letters, numbers and symbols. Additionally, using the same password for different sites isn’t recommended.

Despite the fact that password management services are the easiest and most highly recommended form of keeping passwords safe, only 7 percent of respondents said that they use this kind of software to keep track of their passwords.

We found that the biggest demographic difference in how people manage and remember their passwords is between men and women. Both men and women agree that memorization is the best way to remember a password. However, men are considerably more likely to use password managing software.

men vs. women password management data

In all, there seems to be a major discrepancy between Americans’ real-life experiences with cyber breaches and their personal online practices. Learn more about how Americans approach cybersecurity and password security by downloading our full infographic, below.

download varonis infographic

Varonis Brings Data Security to Nasuni

Nasuni Cloud NAS

We’re excited to announce that, in an upcoming release, the Varonis Data Security Platform will bring data-centric audit and protection to Nasuni Enterprise File Services. Nasuni is a key Varonis partner in the growing market for hybrid cloud Network Attached Storage (NAS).

If Nasuni is a critical part of your IT infrastructure, adding Varonis will enable you to:

  • Discover and classify sensitive, regulated files
  • Detect and alert on suspicious activity like ransomware and insider threats
  • Lock down file systems and permissions to only the right people
  • Capture and analyze a fully searchable audit trail of file system activity
  • Automatically find and flag stale data

Varonis will use the Nasuni API to analyze access events, lock down file systems and permissions, capture a detailed audit trail for compliance and forensics, and automate reporting. You’ll have unprecedented visibility and protection on your Nasuni edge appliances, helping you stay safe from insider threats and cyberattacks.

If you’re in the Boston area this week and are looking to leverage the cloud for more scalable file sharing, NAS consolidation, or multi-site file collaboration, head on over to Nasuni Summit on October 5 where you can hear more about our partnership. We’re also participating in panel discussions on security, compliance, and cloud.

Stay tuned to learn more about the official release of our Nasuni integration. If you’d like to be one of the first to try it out, simply reach out.

🚨 Petya-Inspired Ransomware Outbreak: What You Need To Know

NotPetya Ransomware

On the heels of last month’s massive WannaCry outbreak, a major ransomware incident caused by a new variant, now dubbed “NotPetya,” is currently underway. For most of the morning, researchers believed the ransomware to be a variant of Petya, but Kaspersky Labs and others are reporting that, though it has similarities, it’s actually #NotPetya. Regardless of its name, here’s what you should know.

This malware doesn’t just encrypt data for a ransom, but instead hijacks computers and renders them completely inaccessible by encrypting their Master Boot Record (MBR).

Petya is another fast-spreading attack which, like WannaCry, uses the NSA exploit EternalBlue. Unlike WannaCry, Petya can also spread via remote WMI and PsExec (more on that in a minute). A few scary things about this new malware:

  • It doesn’t have a remote kill switch like WannaCry
  • It is far more sophisticated — it has a variety of automated ways to spread
  • It renders machines completely unusable

A number of prominent organizations and companies have already been badly hit, including the Ukrainian government, which has quite the sense of humor:

Infections have been reported across the globe, affecting metro systems, national utilities, banks and international enterprises. The scope is not yet known, but reports continue to come in of infected computers and stalled IT systems across industries and throughout the world.

How is Petya spreading?

Petya was initially thought to have gotten a toehold in corporate networks via emails with infected Word document attachments which exploit CVE-2017-0199. (If you’ve patched Microsoft Office, you should be protected from this attack vector.)

While phishing is a viable attack vector, one of the primary vectors is MeDoc, a financial software firm based in Ukraine. MeDoc’s software update feature was hacked and attackers used it to distribute the Petya ransomware (source). This explains why Ukraine has been hit hardest.

Once a single machine is infected, Petya spreads peer-to-peer to other Windows-based endpoints and servers that are vulnerable to MS17-010 — the SMB vulnerability that everyone was instructed to patch during WannaCry. It can also spread via PsExec to admin$ shares, even on patched machines. We recently wrote a detailed guide about PsExec and how to disable PowerShell. That’ll come in handy here.

A silver lining, at least at this juncture, is that the peer-to-peer infection doesn’t seem to leap beyond the local network. Petya can buzz through an entire LAN rather efficiently, but is unlikely to hop to other networks. As @MalwareTechBlog, the pizza-loving surfer dude who famously hit the WannaCry kill switch, points out:

The current Petya attack is different in the sense that the exploits it uses are only used to spread across a local network rather than the internet (i.e. you are extremely unlikely to be infected if you’re not on the same network as someone who was already infected). Due to the fact that networks are of limited size and fairly quick to scan, the malware would cease spreading once it has finished scanning the local network and therefore is not anywhere near as infectious as WannaCry, which still continues to spread (though is prevented from activating via the “kill switch”).

How to Detect PsExec with DatAlert

If you’re a DatAlert customer on version 6.3.150 or later, you can do the following to detect PsExec.exe dropped on Windows file servers:

1. Select Tools –> DatAlert –> DatAlert

2. Search for “system admin”

3. For each of the selected rules (expand the groups to see them), press “Edit Rule” and tick “Enabled”

If PsExec is detected, DatAlert will generate sysadmin tools alerts in the “Reconnaissance” alert category such as “System administration tool created or modified” or “An operation on a tool commonly used by system administrators failed.”

This should help you detect if Petya is using PsExec to spread across your file servers. Keep reading because there is more you can do to prevent initial infection and stop Petya from spreading on your endpoints.

What does Petya do?

Once on a machine, NotPetya waits for an hour and a half before performing any attack, likely to give time for more machines to be affected and to obfuscate the point of entry.

After waiting:

  1. It encrypts the Master File Table (MFT) of locally attached NTFS drives
  2. Copies itself into the Master Boot Record (MBR) for the infected workstation/server
  3. Forces a reboot of the machine so that users are locked out
  4. Displays the ransom demand lock screen on boot (shown below)

By encrypting the MFT, the individual workstation or server is taken offline until the ransom is paid. This has the potential to disrupt an organization to a much greater degree than if some files on a server are encrypted. In many cases, IT may need to individually address each machine; the standard ransomware response of “We’ll just restore those files from backup” is rendered ineffective.

If remote boot / imaging processes aren’t in place to restore infected machines, it may be necessary to put hands on the workstations to fix them. While possible in most cases, for companies with many remote installations it can be extremely challenging and time consuming. For a shipping company with 600+ cargo ships on the move at any moment, it is nearly impossible.

As Microsoft notes, “Only if the malware is running with highest privilege (i.e., with SeDebugPrivilege enabled), it tries to overwrite the MBR code” — if the infected user does not have admin privileges on the machine, it will try to encrypt user data matching the following extensions:

It does not add a unique extension to the encrypted files (such as .locky) — it encrypts the contents and preserves the original filename and extension.

What To Do?

Preventing Petya closely mirrors the steps that you may have previously taken for WannaCry:

  • Disable SMBv1 while you patch
  • Block TCP port 445 from outside (or between segments if possible)
  • Apply the patch!

Local Kill Switch

There is also somewhat of a local kill switch. On any given machine, if the file %WINDIR%\perfc exists (no extension) the ransomware will not execute. You can get creative with ways to deploy that file to all workstations in your environment.
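As an added example (not from the original post or from Varonis), the PowerShell script below applies the three steps listed under “What To Do?” plus the local kill-switch file on the machine it runs on, then reports the state of each mitigation so the output can be collected across a fleet. The cmdlets are standard Windows ones; the firewall rule name and its scope (block inbound TCP 445 on the Public and Private profiles only, leaving the Domain profile alone so LAN file sharing keeps working) are assumptions for illustration.

```powershell
# Added example, not from the original post. Run in an elevated session.
#Requires -RunAsAdministrator

$RuleName = 'Block inbound SMB 445 (Petya mitigation)'   # assumed name

function Disable-SmbV1 {
    # Turn off the SMBv1 server and the SMB1Protocol optional feature.
    # Caveat: legacy devices (old NAS boxes, printers) that only speak SMBv1
    # will lose access; the post says to do this "while you patch".
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feature -and $feature.State -eq 'Enabled') {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-InboundSmb {
    # "Block TCP port 445 from outside": inbound 445 on non-domain profiles.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Profile Public, Private -Action Block | Out-Null
    }
}

function New-PetyaKillSwitch {
    # Create %WINDIR%\perfc (no extension) as an empty, read-only file.
    $path = Join-Path $env:WINDIR 'perfc'
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    return $path
}

function Test-PetyaMitigations {
    # One object per machine; pipe to Export-Csv when collecting fleet-wide.
    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        SmbV1Disabled  = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
        Port445Blocked = [bool](Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)
        KillSwitch     = Test-Path (Join-Path $env:WINDIR 'perfc')
    }
}

# Apply locally and show the result. To roll out to all workstations, wrap the
# same functions in Invoke-Command against your computer list.
Disable-SmbV1
Block-InboundSmb
New-PetyaKillSwitch | Out-Null
Test-PetyaMitigations | Format-List
```

The “Apply the patch!” step is deliberately left to Windows Update or your patch management tool; the report above tells you which machines still need the other three mitigations.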

Additionally, you can see which endpoint AV products are able to detect Petya by looking at the VirusTotal results.

A sample of Petya acquired by researchers was compiled on June 18:

Should You Pay?

An account at Posteo (an email service provider) was included in the ransomware message. The abuse and security team at Posteo has posted an update at:

https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt

They have:

  1. Blocked the account
  2. Confirmed that no decrypt keys were sent from the account
  3. Contacted the authorities to offer what assistance they can

All of which adds up to the fact that you shouldn’t pay the ransom as you won’t receive the necessary decryption keys.

This is a developing story and we’ll keep this post updated as we learn more.

Other Helpful Links