As seen on pei.com on January 31, 2020
What is an Identity Based Attack?
An identity-based attack is one in which an attacker obtains a user’s credentials and uses them to perform malicious actions. How far the damage goes depends on the user’s level of access: the attacker could steal intellectual property, delete major pieces of systems, hold systems hostage, carry out actions in the user’s name, and so on. Using the stolen credentials, the attacker can also move laterally to reach critical data far from the initial entry point and carry out the attack from there.
Now that we’re through some definitions, it still may be difficult for many to put this into real-world scenarios that they or their users are in. I’ve built out several real-world examples that we have personally encountered at PEI with clients. For all examples, usernames have been modified for confidentiality (and because I’m enjoying coming up with these other names. What’s your favorite combo? Let me know in the comments below).
Example #1: Email Phishing Attack and Wire Transfer
Mufasa is the VP of Finance for a manufacturing company, authorizing a great deal of purchases, sales, and transfers for their partners and clients. Mufasa gets an email, apparently from his own company’s Office 365 tenant, stating that a message is pending delivery and that he needs to approve it.
He clicks the link to approve it (below is an example of one of those types of emails I received today, albeit not a greatly crafted one).
Once clicked, the link sends Mufasa to an Office 365 login page (or what looks like one). He enters his credentials, and the page simply redirects him to outlook.office.com, where he sees nothing waiting for him and assumes this was just an error.
This attacker (let’s call him Scar) now has Mufasa’s username and password to do with it as he pleases.
Scar logs into Mufasa’s Outlook account and begins investigating the type of mail he gets, the design of the Purchase Orders and Invoices, the number structure, and their common partners and clients.
Scar begins crafting his attack.
Scar, signed in as Mufasa, sends a completely phony invoice to Mufasa’s purchasing manager, asking that payment to a familiar vendor be expedited. The invoice carries new bank routing details that Scar controls.
Before the company even knows there’s been a breach, payment has been made and can never be retrieved.
In our client’s case, they lost $200K immediately.
Had the company had multifactor authentication in place, the moment Scar tried to sign in with Mufasa’s password, the real Mufasa would have seen an authentication prompt on his phone (or whatever the second factor was), and he would have known someone was trying to use his credentials.
Mufasa could then deny the attempt, reset his account credentials, and go on with business as usual.
One caveat: this holds against a page that only harvests the password, which is what most of these emails lead to. A proxying (“adversary-in-the-middle”) phishing page relays the real sign-in, including the MFA prompt, and captures the resulting session. Phishing-resistant factors such as FIDO2 security keys, which bind the credential to the genuine site’s origin, are the answer to that variant.
Example #2: Wireless Hijacking and MFA
Mr. Krabs is a small business owner who travels a lot to build his business and meet with prospective clients. Mr. Krabs is waiting for his flight at a small airport in Mississippi and wants to catch up on email.
He doesn’t have great cell service and sees a network called “Biloxi Public Free Wifi 5G.” He joins the network and logs into his Office 365 account to finish his correspondence before his flight.
Little did he know, the Biloxi airport didn’t set up that network; he had just joined a rogue access point that an attacker (let’s call him Plankton) was broadcasting from his laptop, a so-called evil twin hotspot.
Plankton monitored Mr. Krabs’ traffic and stole his credentials. In practice, because the genuine Office 365 sign-in is protected by TLS, a rogue hotspot does this by putting a look-alike sign-in or captive-portal page in front of the victim rather than by reading the password off the wire.
Plankton then uses Mr. Krabs’ credentials to login to his Office 365 environment and send a piece of malware to his customers in a PDF that closely mimics typical PDFs sent by Mr. Krabs.
Plankton has now infected several of Mr. Krabs’ contacts with his malware. The clients trace the infection back to Mr. Krabs as the source, severely damaging his relationships with them and costing him business.
Similar to the first example, if Plankton had tried to use Mr. Krabs’s credentials and MFA was in place, he would have been stopped at the gate with no harm caused.
Example #3: Disgruntled Employee Could Have Been Stopped with MFA
Brutus is a call center employee for an engineering company, and he constantly needs the IT team to help with his workstation. One day, their systems administrator, let’s call him Caesar, needs to help Brutus install some software on his workstation since Brutus doesn’t have local admin rights.
While Caesar types at Brutus’s keyboard, Brutus watches and writes down Caesar’s password, intending to use it only so he doesn’t have to go through the process of asking next time he needs to download something.
A month later, Brutus gets passed up for a promotion he felt he deserved and is fed up with the company.
Brutus uses Caesar’s credentials to log in to their SharePoint environment, where the engineering department keeps its intellectual property.
Brutus decides to quit his job, but first downloads all of the files onto a zip drive and takes the credentials with him.
This IP makes its way over to a competitor’s company, rapidly advancing their product development and hurting the market strength of Caesar’s company.
After the fact, there is an internal audit, which points to Caesar’s account being the account that downloaded the files, leading to Caesar’s wrongful termination after the backstabbing Brutus is long gone.
With MFA turned on, Brutus would never have been able to use Caesar’s credentials to access any data, keeping the company’s IP safe. It would also have made the audit trail trustworthy: a sign-in that carries Caesar’s second factor and his registered device is far harder to pin on Caesar when someone else merely copied his password. The underlying mistake, an administrator typing a privileged password at a user’s keyboard, is worth fixing in its own right with a separate admin account that is never used at user workstations.
Where to go from here? How to Get Started with Multi-Factor Authentication.
Hopefully some of these examples showed how MFA can thwart attack attempts against your company. One of the biggest objections I hear to implementing MFA is not wanting to inconvenience the user, whether that’s the frequency of MFA prompts or any hindrance to working seamlessly from anywhere.
Multi-factor authentication is very easy for end-users to use, but even so, there are ways to implement MFA that limit the frequency of prompts and focus on actually risky sign-in attempts.
As seen on okta.com
Multi-factor authentication (MFA) is an IT authentication technique that requires a user to present at least two factors that prove their identity.
Why Use MFA?
Cybercriminals have more than 15 billion stolen credentials to choose from. If they choose yours, they could take over your bank accounts, health care records, company secrets, and more.
Multi-factor authentication is important, as it makes stealing your information harder for the average criminal. The less enticing your data, the more likely that thieves will choose someone else to target.
As the name implies, MFA blends at least two separate factors. One is typically your username and password, which is something you know. The other could be:
- Something you have. A cellphone, keycard, or USB could all verify your identity.
- Something you are. Fingerprints, iris scans, or some other biometric data prove that you are who you say you are.
Adding this secondary factor to your username/password protects your privacy. And it’s remarkably easy for most people to set up.
Do Passwords Offer Enough Security?
We all use passwords to gain entry into our email systems, work databases, and bank accounts. We are usually forced to change our combinations periodically in the hopes that we’ll stay just a bit safer. But the truth is that, on their own, passwords no longer provide an appropriate level of security.
Consider Google. One password gives access to:
- Email. The messages you’ve sent, those you’ve received, and the accounts you talk to are all stored in the system and protected with only a password.
- Calendars. Information about who you’ve met, where you were, and what you did are all linked to a password.
- YouTube. Your password unlocks your viewing history, your uploads, and records about videos you enjoyed.
- Other web apps. Use your Google account to connect to other online resources, such as Hootsuite or Salesforce, and your password could reveal a great deal of data.
In 2017, Google researchers reported that phishing kits were harvesting almost 250,000 valid web logins each week. That number could be even higher now. And each incident can be incredibly dangerous.
When we think about data breaches, we often think about bank accounts and lost money. But the health care sector is also a common target for hackers. Once inside, people can change your medical records to bill fraudulent companies and make money. An altered record is incredibly difficult to correct, and it could impact your health care and credit going forward.
Companies are recognizing these risks and acting accordingly. More than 55 percent of enterprises use MFA to protect security, and that number rises each year. If you haven’t considered this technique, it’s time to start.
How Does MFA Work?
Most MFA systems won’t eliminate usernames and passwords. Instead, they layer on another verification method to ensure that the proper people come in and the thieves stay out.
A typical MFA process looks like this:
- Registration: A person links an item, such as a cellphone or a key fob, to the system and asserts that this item is theirs.
- Login: A person enters a username and password into a secure system.
- Verification: The system connects with the registered item. Phones might ping with verification codes, or key fobs might light up.
- Reaction: The person completes the process with the verified item. Entering verification codes or pushing a button on a key fob are common next steps.
Some systems demand this verification with each login, but some systems remember devices. If you always use the same phone or computer to log in, you may not need to verify each visit. But if you attempt to log in on a new computer or during an unusual time of day, verification might be required.
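The four steps above, as an added example that is not part of the original page: a minimal time-based one-time password (TOTP, RFC 6238) flow in pure Python, covering registration (the shared secret that the phone app stores when it scans the QR code), verification (the server recomputes the code for the current time step) and reaction (the submitted code is checked in constant time and cannot be replayed). The user name, the 30-second step, the six-digit length and the one-step drift window are assumptions chosen to match what common authenticator apps use; they are not the page’s or any vendor’s code.

```python
# Added example (not from the original page): RFC 6238 TOTP enrolment and
# verification. Secret generation, step size, digit count and the drift window
# are assumptions chosen to match common authenticator apps.
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # code length shown by the phone app
WINDOW = 1          # accept one step before/after to tolerate clock drift


def enroll(user: str) -> dict:
    """Registration: mint a random shared secret and return the enrolment record.
    The base32 form is what would be encoded in the QR code for the phone app."""
    raw = secrets.token_bytes(20)  # 160-bit secret, the HMAC-SHA1 block RFC 4226 recommends
    return {
        "user": user,
        "secret": raw,
        "base32": base64.b32encode(raw).decode(),
        "last_step": -1,  # highest time step already consumed, for replay protection
    }


def totp(secret: bytes, step: int) -> str:
    """HOTP (RFC 4226) with the time step as the moving factor (RFC 6238)."""
    msg = struct.pack(">Q", step)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def _step(now: Optional[float]) -> int:
    return int((time.time() if now is None else now) // STEP_SECONDS)


def current_code(secret: bytes, now: Optional[float] = None) -> str:
    """What the phone app displays: the code for the current time step."""
    return totp(secret, _step(now))


def verify(record: dict, submitted: str, now: Optional[float] = None) -> bool:
    """Verification and reaction: accept a code for the current step +/- WINDOW,
    compare in constant time, and refuse any step already consumed so that a
    code captured by a phishing page cannot be replayed after the user used it."""
    step = _step(now)
    for candidate in range(step - WINDOW, step + WINDOW + 1):
        if candidate <= record["last_step"]:
            continue  # already used (or older than a used step): reject
        if hmac.compare_digest(totp(record["secret"], candidate), submitted):
            record["last_step"] = candidate
            return True
    return False


if __name__ == "__main__":
    rec = enroll("mufasa")
    print("provision this secret to the phone app:", rec["base32"])
    code = current_code(rec["secret"])
    print("phone shows", code, "-> accepted:", verify(rec, code))
    print("same code again -> accepted:", verify(rec, code))  # replay is refused
```

The replay check matters because of the phishing scenario earlier on the page: a code typed into a fake page is only useful to the attacker until the real user (or the attacker) consumes that time step. The RFC 6238 test vectors (secret `12345678901234567890`, time 59 giving code 287082 in six digits) can be used to confirm the arithmetic.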
MFA may seem simple, but it’s remarkably effective. Microsoft, for example, has said that MFA blocks more than 99.9 percent of automated account-compromise attempts. This one tiny step could protect your security in a huge way.
Benefits of Multi-Factor Authentication
Countless organizations have adopted MFA, given the realities of today’s security landscape and regulations.
With regulations such as GDPR and guidance such as NIST’s digital identity guidelines calling for stronger authentication, MFA’s presence will only continue to become more widespread. But given its ease of use and the protection it provides, this only stands to benefit employees and IT teams alike.
What’s behind the pervasiveness of MFA? There are several reasons for MFA’s ubiquity in today’s corporate world.
MFA Enables Stronger Authentication
Risk reduction is critical for organizations, which is why adoption of multi-factor authentication is growing rapidly. In a world where credential harvesting is a constant threat and over 80 percent of hacking-related breaches involve stolen or weak passwords, this kind of strong authentication is essential.
With MFA, it’s about granting access based on multiple weighted factors, thereby reducing the risks of compromised passwords. It adds another layer of protection from the kinds of damaging attacks that cost organizations millions.
A security breach caused by a weak user password would understandably have huge consequences for both the company and the customers who trust it.
MFA Adapts to the Changing Workplace
As the workplace changes and more employees work outside the office, companies require more advanced MFA solutions to manage more complex access requests. Enter Adaptive MFA.
Where multi-factor authentication offers multiple layers of protection, adaptive multi-factor authentication evaluates the risk a user presents whenever they request access to a tool or information, looking at details like the user’s device and location for context.
For example, an employee logging in from the company premises is in a trusted location and may not be prompted for an additional security factor. But if that same employee logs in from a coffee shop, uses their personal mobile phone to check work emails, or connects over an unsecured WiFi network, they may be prompted to verify an additional factor because they are utilizing an untrusted location, device, or connection.
Adaptive MFA also allows for dynamic policy changes and step-up authentication — significant controls in securing critical data. For instance, users may be prompted for a higher assurance second factor (or even a third factor) before obtaining access to deeply sensitive information, such as customer data in Salesforce.
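The two paragraphs above describe a policy, not a product, so here is an added example (not from the original page or from any vendor) of how such a policy is evaluated: a small adaptive-MFA rules engine in Python that looks at the sign-in’s network, device, time and target resource and returns the assurance level to demand, with the strictest matching rule winning and step-up reserved for the high-value resources. The trusted network range, resource names, business hours and sample sign-ins are all constructed for illustration.

```python
# Added example (not from the original page): an adaptive-MFA policy evaluator.
# Network ranges, resource names, hours and the sample sign-ins are constructed.
import ipaddress
from dataclasses import dataclass
from datetime import datetime
from typing import List, Set, Tuple

NONE, MFA, STEP_UP = "none", "mfa", "step_up"   # required assurance, weakest to strongest
_ORDER = {NONE: 0, MFA: 1, STEP_UP: 2}

TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]        # constructed office egress
HIGH_VALUE_RESOURCES = {"salesforce-customer-data", "sharepoint-engineering-ip"}  # constructed
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local time is treated as normal


@dataclass(frozen=True)
class SignIn:
    user: str
    ip: str
    device_id: str
    resource: str
    when: datetime


def evaluate(s: SignIn, remembered_devices: Set[str]) -> Tuple[str, List[str]]:
    """Return (required assurance level, reasons). Rules only ever raise the
    level; the strictest applicable rule wins, and a high-value resource forces
    step-up even from a trusted network on a remembered device."""
    level = NONE
    reasons: List[str] = []

    def raise_to(new_level: str, why: str) -> None:
        nonlocal level
        if _ORDER[new_level] > _ORDER[level]:
            level = new_level
        reasons.append(why)

    try:
        addr = ipaddress.ip_address(s.ip)
        on_trusted_network = any(addr in net for net in TRUSTED_NETWORKS)
    except ValueError:
        on_trusted_network = False   # unparseable address is never treated as trusted
    if not on_trusted_network:
        raise_to(MFA, f"{s.ip} is outside the trusted networks")
    if s.device_id not in remembered_devices:
        raise_to(MFA, f"device {s.device_id} has not completed MFA before")
    if s.when.hour not in BUSINESS_HOURS:
        raise_to(MFA, f"sign-in at {s.when:%H:%M} is outside business hours")
    if s.resource in HIGH_VALUE_RESOURCES:
        raise_to(STEP_UP, f"{s.resource} requires a high-assurance factor")
    if level == NONE:
        reasons.append("trusted network, remembered device, normal hours: no prompt")
    return level, reasons


# Constructed sample sign-ins mirroring the office / coffee shop / new phone cases.
_AT_TEN = datetime(2021, 5, 18, 10, 0)
SAMPLES = {
    "office_known_device": SignIn("mufasa", "203.0.113.10", "laptop-1", "mail", _AT_TEN),
    "coffee_shop": SignIn("mufasa", "198.51.100.7", "laptop-1", "mail", _AT_TEN),
    "new_phone": SignIn("mufasa", "203.0.113.10", "phone-9", "mail", _AT_TEN),
    "night_shift": SignIn("mufasa", "203.0.113.10", "laptop-1", "mail", datetime(2021, 5, 18, 2, 30)),
    "crm_export": SignIn("mufasa", "203.0.113.10", "laptop-1", "salesforce-customer-data", _AT_TEN),
    "bad_ip": SignIn("mufasa", "not-an-ip", "laptop-1", "mail", _AT_TEN),
}
REMEMBERED = {"laptop-1"}   # devices that completed MFA recently


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {name: required level}."""
    return {name: evaluate(s, REMEMBERED)[0] for name, s in SAMPLES.items()}


if __name__ == "__main__":
    for name, s in SAMPLES.items():
        level, reasons = evaluate(s, REMEMBERED)
        print(f"{name:20s} -> {level:8s} {'; '.join(reasons)}")
```

Two design points worth noting: the engine never lowers the level once a rule has raised it, so adding a new signal can only make a decision stricter, and an address that fails to parse is treated as untrusted rather than ignored, which is the safe failure mode for a control that gates access.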
MFA Offers Security Without Compromising User Experience
Passwords are a headache to remember — the more users need to remember, the lazier their password habits become. Moreover, it’s important to avoid weighing IT teams down with password resets after they’ve implemented more stringent password policies to protect the company.
MFA secures the environment, the people in it, and the devices they’re using without requiring cumbersome resets or complicated policies. Organizations can also make it easier for users by providing them with a variety of factors to choose from or by only requiring additional factors when necessary.
With MFA’s simple deployment and management as well as its integration with a broad range of applications, IT teams are freed up and can focus this time on more strategic tasks.
As seen on ctscomplete.com on 5/24/21
According to the Federal Emergency Management Agency (FEMA), roughly 40-60% of small businesses never reopen their doors after a disaster. For this reason, it’s smart for businesses to have a disaster recovery plan in place.
What Is a Disaster Recovery Plan?
Also known as a DRP, a disaster recovery plan describes how work can be resumed after a disaster in a quick and efficient manner. The plan allows the IT department to recover lost data and to continue operating after a failure. A disaster recovery plan will have exact instructions on how to deal with an unplanned incident and how to recover lost information.
1. Permanent Data Loss
Data loss is detrimental. If a business doesn’t have a disaster recovery plan in place, they risk losing data that is vital to customer satisfaction and continued operations. Having the right plan in place will help a business protect themselves from external threats and internal accidents. With a DRP, data backups are stored on external devices and cloud storage services. A business can’t afford to permanently lose company and client files.
2. Humans Are Not Perfect
Mistakes happen in the workplace, whether through hardware, software, or user error. Any accidental click can cause chaos for a business. Even the most cautious person can make a mistake that places important information at risk.
A disaster recovery plan in place with data backups will come in handy when these mistakes happen. DRPs should include preparation for potential cybersecurity threats, an allocated recovery team, and backup solutions for priority files.
3. Customer Re-acquisition Is Expensive
Customer retention is expensive but customer re-acquisition is far more costly. Earning a customer’s trust and loyalty is difficult, which is why taking preventative measures to protect their information and files is essential to standard operating procedures.
In many industries, IT disasters can cost thousands of dollars per minute, depending on the type of data loss. As a result, customers tend to be unforgiving when a managing 3rd party encounters impactful file loss.
4. Broad Range of Threats
With any online data, the threat of a cyberattack is always present. A breach of a network is a very serious information security risk and can cause further unwanted destruction across a business’s network.
The loss from a cyber attack totals over $500,000 on average. This can be the beginning of the end for some businesses, especially start-ups, causing them to cease operations.
Data also has natural disaster threats and technical threats that a disaster recovery plan will address.
5. Reputation Damage
Unhappy customers will spread the word fast about their problems. With social media, the word about a bad experience can spread in seconds. Damaged reputation can not only impact the ability to gain new customers, but it can also negatively impact how existing customers feel.
Investing in a disaster recovery plan will reduce the risk of a bad brand reputation.
6. Protect the Business
After spending money and priceless time to build a business, it makes sense to protect it. Running without a plan is like driving a car without insurance. A disaster recovery plan is insurance for a business, bringing peace of mind in the event of undesirable occurrences.
On average, 96% of businesses with a plan are able to fully recover, and get back on track to continued and successful operations.
Unplanned attempts to recover lost data can be very expensive. Demanding a quick recovery is even more expensive. Planning ahead saves this headache for a business owner. Having a plan in hand will have the business prepared in case of a data loss.
This means that the business owners won’t be forced to hire expensive professionals due to urgency.
As seen on washingtonpost.com by Will Englund on 5/18/21
The system that shippers use to communicate goes down. The company says it was not an attack.
Colonial Pipeline, the main Gulf Coast-East Coast artery for gasoline and other petroleum products, ran into a new computer snag Tuesday as it was still recovering from a shutdown that started May 7 after a ransomware attack.
The company said the latest problem, which interrupted the system used by shippers to place requests for service, called nominations, was not a continuation of the ransomware attack that sparked panic-buying by frustrated motorists across the Southeast last week. In a statement, the company said that the problems arose from the effort to “harden” its systems to ward off future cyberattacks.
It said that the pipeline continued to operate.
“Our internal server that runs our nomination system experienced intermittent disruptions this morning due to some of the hardening efforts that are ongoing and part of our restoration process,” Colonial’s statement said. “These issues were not related to the ransomware or any type of reinfection. We are working diligently to bring our nomination system back online and will continue to keep our shippers updated. The Colonial Pipeline system continues to deliver refined products as nominated by our shippers.”
Colonial is a privately held company owned by Koch Industries, Royal Dutch Shell and several investment firms. A Shell spokesman said Tuesday that he had no details to add to the Colonial statement. A spokesman for Phillips 66, one of the pipeline’s customers, declined to comment.
The operators of the 5,500-mile pipeline system, which runs from Texas to New Jersey, discovered they were under a ransomware attack May 7. The attack had infected the company’s information-technology systems but not the operational technology that controls the pipeline itself. To avoid losing control of the pipeline, the company said, it shut down operations.
Colonial supplies the East Coast with 45 percent of its fuel.
By early last week, news of the shutdown had set off a run on gasoline throughout the Southeast, and the majority of stations in several states went dry. States further to the north were less affected because they had larger reserves on hand. The price of gas nationally rose to its highest level since 2014, but it did not spike as much as some analysts had feared.
Colonial began restoring service by midweek, but it has taken several days to get the whole system back to normal. Several reports have asserted that the company paid $5 million in ransom to regain control of its computers from a group called DarkSide that appears to have been based in Russia.
As seen on geekwire.com by Alan Boyle on 5/1/21
What will commercial space stations be good for? The application that typically comes up would be their use as space hotels, or maybe zero-gravity research labs and factories.
“Looking for new markets is something we’re highly motivated to do,” Meyerson told GeekWire. “Data storage and compute is one market. Cybersecurity is another.”
The possibilities for providing data and security services on the final frontier played a big role in C5 Capital’s decision to lead a $130 million funding round for Texas-based Axiom Space, which is due to send citizen astronauts to the International Space Station next year and could start laying the groundwork for its own space station in 2024.
“We have a lot of data that’s created in space, but how valuable would it be to actually do compute and storage in space?” Meyerson asked. “We’ve been talking with Axiom about that and helping them to form partnerships. How do we use the C5 portfolio in cybersecurity and threat protection to assist Axiom with their supply chain and their partners, to bring the most advanced technologies to that critically important area?”
In connection with the funding deal, Meyerson has joined Axiom Space’s board of directors. It’s the latest big move for Meyerson, who lives in Tacoma, Wash., and served as the president of Amazon CEO Jeff Bezos’ Blue Origin space venture from 2003 to 2017.
Meyerson’s experience in the space industry goes even further back than Blue Origin, taking in a six-year stint as senior program manager for Kistler Aerospace’s K-1 reusable launch vehicle (which never got off the ground) and 12 years as an aerospace engineer at NASA’s Johnson Space Center.
But it’s only been in the past few years that people have been talking seriously about creating privately owned outposts in Earth orbit. Space tourism and in-space manufacturing no longer seem as far out as they once did, and Meyerson believes Axiom Space is well-placed to capitalize on the possibilities.
“This is the kind of opportunity that we wouldn’t have been betting on to come if we had done this in 2019,” he said. “But in 2020, it was perfectly aligned, and we said, ‘OK, well, here are all these services, and let’s invest in the destination.’ There’s only one company out there that has this exclusive contract with NASA to access the node on the ISS, and that’s Axiom Space.”
That doesn’t mean Axiom Space will have the space station market all to itself. Other companies — including Sierra Nevada Corp., Bigelow Aerospace, Nanoracks and Meyerson’s old teammates at Blue Origin — also have plans on the drawing boards.
At the same time, heavyweights ranging from Amazon and Microsoft to Lockheed Martin are looking into ways to extend cloud computing to the space frontier. Satellite constellations such as SpaceX’s Starlink and Amazon’s yet-to-be-launched Project Kuiper could play a big role in those efforts.
What’s so attractive about moving data processing off the planet?
“Most importantly, there is a lot of data that is generated in space,” Meyerson explained. “We can envision a number of use cases where that data is generated in space, transmitted back to Earth in one part of the world, and there are compute operations done on that data to process it and turn it into actionable data, and then it is transmitted to another part of the world to have action taken on it.”
Space-based processing could dramatically streamline that data flow.
“We believe that doing those computer operations in space is going to reduce the decision timeline by fractions of a second, if not seconds,” Meyerson said.
So does that mean Axiom Space will be going up against Amazon Web Services and Microsoft Azure? Not at all, Meyerson said.
“They can definitely draw upon Axiom Space,” he said. “We have great relationships with those companies, and all of the cloud providers and service providers that work on top of the cloud. I think they’re very obvious choices for partners.”
Speaking of partners, the perils of the past year have only confirmed Meyerson’s view that space ventures mesh well with the rest of C5 Capital’s investment portfolio, which is heavy with companies that focus on big data and cybersecurity.
“The digital transformation of everything we do has been so accelerated during the pandemic,” he noted. “And it’s making us more and more vulnerable. So the combination of two things — becoming more reliant on space for critical infrastructure, and the digital transformation leading to more vulnerability — just makes our investments in cybersecurity more important. And we think the natural application is in space.”
As seen on bloomberg.com by Ian King, Debby Wu, & Demetrios Pogkas on 3/29/21
A six-decade-old invention, the lowly chip, has gone from little-understood workhorse in powerful computers to the most crucial and expensive component under the hood of modern-day gadgets.
That explosion in demand—unexpectedly goosed during the Covid-19 pandemic for certain industries like smartphones and PCs—has caused a near-term supply shock triggering an unprecedented global shortage.
In February, lead times—the duration between when an order for a chip is placed and when it actually gets filled—stretched to 15 weeks on average for the first time since data collection started in 2017, according to industry distributor data from Susquehanna Financial Group. Lead times for Broadcom Inc.—a barometer for the industry because of its involvement across the supply chain—extended to 22.2 weeks, up from 12.2 weeks in February 2020.
The crunch has sideswiped the General Motors and Volkswagens of the world and swung politicians from Washington to Beijing into crisis control. It’s also catapulted Taiwan Semiconductor Manufacturing Co. and Samsung Electronics Co. to the top of investor and government agendas. Asia’s two largest chipmakers are responsible for making the vast majority of the world’s most advanced silicon, yet don’t have the capacity to sate all demand. It’s a bottleneck that could last several quarters—or into next year.
Alarm bells are ringing. A growing number of industry players from Continental AG to Innolux Corp. and Renesas Electronics Corp. have in recent weeks warned of longer-than-anticipated deficits snarling production, potentially well past the summer. Samsung flagged a “serious imbalance” globally, the largest company so far to warn of fallout from the crunch. Broadcom Chief Executive Officer Hock Tan in March said his company is sold out this year and customers were “willing to book out for delivery of those products out through the rest of 2021.” And on Friday, Nio Inc., the Chinese EV company sometimes compared with Tesla, became the first high-profile automaker from the country to suspend production because of shortages.
A Pandemic that Reshaped Demand
Overall demand for semiconductors of all stripes—from basic microcontrollers and memory chips to the most sophisticated high-performance processors—has grown over the past decade, as smartphone usage and computing power boomed. A steady rise in semiconductor sales faltered in 2019, but was then boosted 5.4% by 2020’s shelter-in-place demand for home gadgets, IDC data shows.
At the same time, once largely mechanical machines like cars have become smarter, entailing the use of many more chips. Automotive electronics, which may include everything from displays to in-car systems, are set to account for an estimated 45% of a car’s manufacturing cost by 2030, according to a Deloitte report. The cost of the semiconductor-based components used in those electronics is estimated to jump to $600 by 2030 from $475 in 2020.
On the other end of the supply chain, chipmaking capacity has kept pace with the growth in sales over past years, according to SEMI data, suggesting buyers are taking up capacity as soon as it comes online—a sign that semiconductor demand has in general been on par with available production resources. But advanced manufacturing has become concentrated in the hands of fewer and fewer players.
Industry experts say an imbalance is particularly apparent in so-called 200 millimeter wafers, from which lower-end chips are made. Those include power management chips and display ICs (integrated circuits), which are required in a wide range of sectors from automotive to consumer electronics but are in short supply at the moment.
Uncertainties caused by the pandemic also led to sharp swings in orders last year, which in turn muddied the waters for chipmakers trying to match capacity with demand. That’s why carmakers have had to halt production in 2021 and why Playstations and Xboxes are getting harder to find in stores.
Carmakers got hit first in part because of poor inventory planning. The industry underestimated vehicle consumption and thus the amount of chips they needed when the pandemic hit. They are now expected to miss out on $61 billion of sales this year alone. But TSMC executives said on their two most recent earnings calls that customers across many sectors have been accumulating more inventory than normal to hedge against the unknown.
The problem gets further magnified by the fact that the cost of chipmaking and keeping pace with technology advancements has increased exponentially this decade—making the business of manufacturing semiconductors a rarefied field for the deepest of pockets. As an illustration, TSMC raised its envisioned capital expenditure for 2021 by as much as 63% to $28 billion, while Samsung is earmarking about $116 billion on a decade-long project to catch its Taiwanese arch-rival.
The most complex and expensive pieces of silicon these days are logic chips from Qualcomm, Nvidia or Apple that give computers and smartphones their intelligence. But these “fabless” companies don’t operate their own fabrication plants; they just design the semiconductors. Manufacturing happens at advanced factories called foundries that produce the designs of those big-name electronics companies.
This is another key bottleneck. Just three or four foundries now account for the majority of global chip fabrication—TSMC and Samsung and their more distant rivals, California-based Globalfoundries Inc., controlled by Abu Dhabi’s investment arm, and United Microelectronics Corp. Looking at it another way, an estimated 91% of the contract chipmaking business is housed within Asia, the lion’s share of which is divided between just two regions: Taiwan and South Korea, home to TSMC and Samsung, respectively.
An opportunity for the U.S. to regain chip independence might come from Intel Corp., which last week unveiled a $20 billion plan to set up its own foundry business. Intel, the largest chipmaker by revenue, designs and manufactures its own chips, but this expansion would enable it to produce chips for other companies as well.
TSMC is the undisputed leader of that triumvirate, in terms of sheer scale, sophistication and reach, cranking out millions of wafers every year for marquee clients in just about every industry imaginable. TSMC’s total wafer shipments were 12.4 million 12-inch equivalent wafers in 2020, up from 10.1 million in 2019. Taiwan’s largest company has spent more than three decades to perfect its chipmaking craft and billions in past years to ensure it remains at the forefront of technology.
According to Bloomberg supply-chain estimates, 25% of all TSMC’s business comes from Apple, the highest-profile client it directly manufactures chips for. However, TSMC’s importance lies in the critical role it plays in the entire semiconductor supply chain; it also manufactures chips for other chipmakers or for fabless chip designers, such as Broadcom, Qualcomm, Nvidia, AMD or Texas Instruments. They are in turn supplying the world’s biggest consumer electronics, communications equipment and auto parts companies.
[Chart: Supply Chain Bottleneck. TSMC manufactures chips for chip designers and semiconductor firms, which in turn supply major makers of consumer electronics and cars. End-market categories shown: consumer electronics, household appliances, online services.]
Bottlenecks can appear in other parts of the supply chain, too. The Netherlands-based ASML Holding NV has a virtual monopoly on advanced photolithography equipment required to print patterns of cutting-edge chips onto the wafer. Companies from Japan, such as Shin-Etsu Chemical Co., dominate the market for chemicals used in semiconductor manufacturing. And manufacturing cannot start in the first place without access to electronic design automation software, a segment led by the U.S.’s Cadence Design Systems Inc. and Synopsys Inc.
Officials from the U.S. and Europe have beseeched Taiwan’s officials for help in resolving the global chip crunch, and are pushing for the creation of domestic chipmaking capabilities. Yet research from Sanford C. Bernstein shows there isn’t much that governments can do to address the current shortages. It takes years to build a new fabrication facility and get it operating smoothly—regardless of where it is located.
With assistance from: Tom Lagerman and Ridho Reinanda
Edited by: Edwin Chan, Peter Elstrom and Jeremy Scott Diamond
Note on TSMC supply-chain data: Data compiled by Bloomberg. Included are supplier–customer relationships, active as of March 24, for which the value, share of the supplier’s total revenue and share of the customer’s total expenditure, can be quantified either by figures disclosed by the company or by Bloomberg supply chain estimates. Company classifications based on the Bloomberg Industry Classification Standard. “Autos” includes auto parts manufacturers and car makers; “Communications” includes communications and wireless telecommunications equipment manufacturers; and “Hardware” includes computer hardware and storage manufacturers.
As seen on jdsupra.com on 2/25/21
In a recent letter to insurers, the New York State Department of Financial Services (“NYDFS”) acknowledged the key role cyber insurance plays in managing and reducing cyber risk – while also warning insurers that they could be writing policies that have the “perverse effect of increasing cyber risk.” If a cyber insurance policy does not incentivize the insured to maintain a robust cyber security program, the insurer can end up bearing excessive risk when the customer leans on the policy as their business continuity plan.
You may be wondering “What does this have to do with my business? I don’t do any business in NY state.” However, your insurer might be subject to the NYDFS cybersecurity regulation (23 NYCRR 500) and, if so, likely received this letter.
According to NYDFS, every cyber insurer should have a formal strategy that incentivizes their insureds – through more appropriately priced plans – to “create a financial incentive to fill [cybersecurity] gaps to reduce premiums.” Below is our take on five of the key practices outlined in the NYDFS letter that have potential implications for insureds.
- Manage and Eliminate Exposure to Silent Cyber Insurance Risk. Up to now, many organizations have leveraged clauses in standard policies to cover ransomware attacks, such as those covering general liability, theft, malpractice and errors. NYDFS advises that “insurers should eliminate silent risk by making clear in any policy that could be subject to a cyber claim whether that policy provides or excludes coverage for cyber-related losses.” When you next renew your policy, read the fine print carefully to determine if there are any exemptions for cyber-related losses – even if you have a standalone cyber insurance policy. An insurer that was left ‘holding the bag’ for covering a ransomware attack under a policy that wasn’t priced to cover cyber losses is incentivized to update that policy language at the soonest opportunity.
- Evaluate Systemic Risk. Here, insurers are being advised to “stress test” their coverage to ensure they would remain solvent while covering potentially “catastrophic” cyber events impacting multiple insureds. If you are a cloud or managed services provider and/or are part of other organizations’ supply chains, you should expect to receive more scrutiny from your insurer on the strength of your cyber security program.
- Rigorously Measure Insured Risk. No surprises here, unless you haven’t been filling out detailed questionnaires about your cyber security program. Expect more scrutiny of your program, and possibly the involvement of auditors to validate your claims. Check your insurance policy to see if investing in a certification program – such as ISO 27001 or HITRUST – might improve your policy premium.
- Educate Insureds and Insurance Providers. This practice states that “insurers should also incentivize the adoption of better cybersecurity measures by pricing policies based on the effectiveness of each insured’s cybersecurity program.” Take advantage of any educational opportunities your provider offers on cybersecurity best practices and improvements. They might be trying to tell you how you can lower risk – and your rates.
- Require Notice to Law Enforcement. While this is a best practice, NYDFS is recommending this be more formally required in the policy language. Involving law enforcement is important when responding to cyber incidents, especially when it comes to investigating the incident and attempting to recover funds. Make sure you involve legal counsel and have a plan for engaging law enforcement in the event of a breach.
Even if your insurer hasn’t received this guidance, they are certainly aware that cyber risk, and the cost of underwriting cyber insurance, continue to increase. With the cyber insurance market estimated to exceed $20 billion by 2025, and the risk that intermediaries – including insurers – can be liable for ransom payments made to entities sanctioned by the Office of Foreign Assets Control, business leaders should expect that their insurers will be more closely scrutinizing their cyber security plans and controls. Rebuilding encrypted systems and restoring from backup, as opposed to paying ransoms, will need to be the first plan of action.
If your organization is still struggling with the decision whether to invest more in IT security and architecture improvements or continue to rely on insurance as your cyber security plan, the guidance in the NYDFS Cyber Insurance Risk Framework merits a closer look.
While cyber insurance can be essential to helping your organization recover from a data breach, it should not take the place of a strong cyber security program. At minimum your cyber security program should include a Cyber Security Plan, Business Continuity and Disaster Recovery Plan and an Incident Response Plan. These plans should be tested, reviewed and updated at least annually, preferably in conjunction with a penetration test and vulnerability assessment from a qualified third party.
As seen on cnbc.com by Lauren Feiner on 2/23/21
- The massive hack into government systems through a software contractor would have remained unknown by the public if not for one company’s decision to be transparent about a breach of its systems, Microsoft President Brad Smith told lawmakers at a hearing Tuesday.
- Smith’s testimony highlights how cybersecurity incidents can potentially go undisclosed.
- He planned to tell lawmakers that private sector companies should be required to be transparent about significant breaches of their systems.
The massive hack into government systems through a software contractor would have remained unknown by the public if not for one company’s decision to be transparent about a breach of its systems, Microsoft President Brad Smith told lawmakers at a hearing Tuesday.
“The fact that we are here today, discussing this attack, dissecting what went wrong, and identifying ways to mitigate future risk, is occurring only because my fellow witness, Kevin Mandia, and his colleagues at FireEye, chose to be open and transparent about what they found in their own systems, and to invite us at Microsoft to work with them to investigate the attack,” Smith told the Senate Select Committee on Intelligence, according to his prepared remarks.
“Without this transparency, we would likely still be unaware of this campaign. In some respect, this is one of the most powerful lessons for all of us. Without this type of transparency, we will fall short in strengthening cybersecurity.”
Smith’s testimony highlights how many cybersecurity incidents can go undisclosed. Smith told lawmakers that private sector companies should be required to be transparent about significant breaches of their systems. He compared the “patchwork” of disclosure requirements in the U.S. to more consistent obligations in places like the European Union.
FireEye disclosed in a regulatory filing in December that it had been hacked by what it believed to be a state-sponsored actor who mainly sought information related to its government customers. The company said the attack was unusually advanced, employing “a novel combination of techniques not witnessed by us or our partners in the past.”
Soon after, Reuters reported that hackers possibly linked to Russia accessed email systems at the U.S. Commerce and Treasury departments through SolarWinds software updates. The Defense Department, State Department and Department of Homeland Security were also affected, The New York Times later reported. Reuters reported, citing sources, that the SolarWinds attack was related to the FireEye incident.
A few days later, Reuters reported that Microsoft was also hacked. U.S. agencies later shared that Russian actors were likely the source of the attack. Smith said in his written testimony that Microsoft does not dispute that assessment while he said, “Microsoft is not able to make a definitive attribution based on the data we have seen.”
Smith told Congress that Microsoft notified 60 customers, mainly in the U.S., that they were compromised in connection to the attack. But he warned lawmakers that there are certainly more victims that have yet to be identified. A White House cybersecurity advisor estimated last week that nine government agencies and roughly 100 private companies were affected by the attack. Smith told Congress that Microsoft identified further government and private sector victims outside the U.S. that were impacted.
Smith proposed that in addition to requiring more disclosures from private companies, government should provide “faster and more comprehensive sharing” with the security community.
“A private sector disclosure obligation will foster greater visibility, which can in turn strengthen a national coordination strategy with the private sector which can increase responsiveness and agility,” Smith said in his written remarks. “The government is in a unique position to facilitate a more comprehensive view and appropriate exchange of indicators of compromise and material facts about an incident.”
But Mandia, FireEye’s CEO, told CNBC’s Eamon Javers in an interview ahead of the hearing Tuesday that disclosure is “a damn complex issue.”
“The reason it’s a complex issue is because of all the liabilities companies face when they go public about a disclosure,” Mandia said. “They have shareholder lawsuits, they have lots of considerations of business impact. You also don’t want to unnecessarily create a lot of fear, uncertainty and doubt.”
Intelligence Committee Chairman Mark Warner, D-Va., said in his opening remarks Tuesday that it may be worth considering greater disclosure requirements, even if it means creating liability protection for companies that follow those disclosure obligations.
As seen on apnews.com by Frank Bajak on 10/29/20
In an alert Wednesday, Oct. 28, 2020, the FBI and other federal agencies warned that cybercriminals are unleashing a wave of data-scrambling extortion attempts against the U.S. healthcare system that could lock up their information systems just as nationwide cases of COVID-19 are spiking. (AP Photo/Jose Luis Magana, File)
BOSTON (AP) — Federal agencies warned that cybercriminals could unleash a wave of data-scrambling extortion attempts against the U.S. health care system, an effort that, if successful, could paralyze hospital information systems just as nationwide cases of COVID-19 are spiking.
In a joint alert Wednesday, the FBI and two federal agencies said they had credible information of “an increased and imminent cybercrime threat” to U.S. hospitals and health care providers. The alert said malicious groups are targeting the sector with attacks aiming for “data theft and disruption of healthcare services.”
The impact of the expected attack wave, however, is difficult to assess.
It involves a particular strain of ransomware, which scrambles a target’s data into gibberish until they pay up. Previous such attacks on health care facilities have impeded care and, in one case in Germany, led to the death of a patient. But such consequences are still rare.
The federal warning itself could help stave off the worst consequences, either by leading hospitals to take additional precautions or by expanding efforts to knock down the systems cybercriminals use to launch such attacks.
The offensive coincides with the U.S. presidential election, although there is no immediate indication the cybercriminals involved are motivated by anything but profit. The federal alert was co-authored by the Department of Homeland Security and the Department of Health and Human Services.
Independent security experts say the ransomware, called Ryuk, has already impacted at least five U.S. hospitals this week and could potentially affect hundreds more. Four health care institutions have been reported hit by ransomware so far this week, three belonging to the St. Lawrence Health System in upstate New York and the Sky Lakes Medical Center in Klamath Falls, Oregon.
Sky Lakes said in an online statement that it had no evidence patient information was compromised and that emergency and urgent care “remain available.” The St. Lawrence system said Thursday that no patient or employee data appeared to have been accessed or compromised. Matthew Denner, the emergency services director for St. Lawrence County, told the Adirondack Daily Enterprise that the hospital owner instructed the county to divert ambulances from two of the affected hospitals for a few hours Tuesday, when the attack occurred. Neither Denner nor the company replied to requests for comment on that report.
Alex Holden, CEO of Hold Security, which has been closely tracking Ryuk for more than a year, said the attack wave could be unprecedented in magnitude for the U.S. In a statement, Charles Carmakal, chief technical officer of the security firm Mandiant, called the cyberthreat the “most significant” the country has ever seen.
The U.S. has seen a plague of ransomware over the past 18 months or so, with major cities from Baltimore to Atlanta hit and local governments and schools walloped especially hard.
In September, a ransomware attack hobbled all 250 U.S. facilities of the hospital chain Universal Health Services, forcing doctors and nurses to rely on paper and pencil for record-keeping and slowing lab work. Employees described chaotic conditions impeding patient care, including mounting emergency room waits and the failure of wireless vital-signs monitoring equipment.
Also in September, the first known fatality related to ransomware occurred in Duesseldorf, Germany, when an IT system failure forced a critically ill patient to be routed to a hospital in another city.
Holden said the Russian-speaking group behind recent attacks was demanding ransoms well above $10 million per target and that criminals involved on the dark web were discussing plans to try to infect more than 400 hospitals, clinics and other medical facilities.
While no one has proven suspected ties between the Russian government and gangs that use the Trickbot platform that distributes Ryuk and other malware, Holden said he has “no doubt that the Russian government is aware of this operation.” Microsoft has been engaged since early October in trying to knock Trickbot offline.
Dmitri Alperovitch, co-founder and former chief technical officer of the cybersecurity firm Crowdstrike, said there are “certainly a lot of connections between Russian cyber criminals and the state,” with Kremlin-employed hackers sometimes moonlighting as cyber criminals.
Increasingly, ransomware criminals are stealing data from their targets before encrypting networks, using it for extortion. They often sow the malware weeks before activating it, waiting for moments when they believe they can extract the highest payments, said Brett Callow, an analyst at the cybersecurity firm Emsisoft.
A total of 59 U.S. health care providers or systems have been impacted by ransomware in 2020, disrupting patient care at up to 510 facilities, Callow said.
Hospitals and clinics have been rapidly expanding data collection and adding internet-enabled medical devices, many of which are poorly secured. Hospital administrators, meanwhile, have been slow to update software, encrypt data, train staff in cyber hygiene and recruit security specialists, leaving them vulnerable to cyber-attacks.
And as hospitals respond to the coronavirus crisis, privacy and security protocols fall by the wayside, leaving patients open to identity theft, said Larry Ponemon, a data security expert. “The bad guys smell the problem.”
Associated Press writers Michael Hill in Albany, N.Y., and Marion Renault in New York City contributed to this report.
As seen on zdnet.com by Danny Palmer on 11/18/20
Over a quarter of organisations which fall victim to ransomware attacks opt to pay the ransom as they feel as if they have no other option than to give into the demands of cyber criminals – and the average ransom amount is now over $1 million.
A Crowdstrike study based on responses from thousands of information security professionals and IT decision makers across the globe found that 27 percent said their organisation had paid the ransom after their network got encrypted with ransomware.
While law enforcement agencies say organisations should never give in and pay the ransom, many businesses justify making the payment because getting the decryption key from the attackers is viewed as the quickest and easiest way to restore the network.
However, not only does paying the bitcoin ransom just encourage ransomware gangs to continue campaigns because they know they’re profitable, there’s also no guarantee that the hackers will actually restore the network in full.
But infecting networks with ransomware is proving to be highly lucrative for cyber criminals, with figures in the report suggesting the average ransom amount paid per attack is $1.1 million.
In addition to the cost of paying the ransom, it’s also likely that an organisation which comes under a ransomware attack will lose revenue because of lost operations during downtime, making falling victim to these campaigns a costly endeavour.
However, falling foul of a ransomware attack does serve as a wakeup call for the majority of victims; over three-quarters of respondents to the survey say that in the wake of a successful ransomware attack, their organisation upgraded its security software and infrastructure in order to reduce the risk of future attacks, while two-thirds made changes to their security staff with the same purpose in mind.
It’s unclear why almost a quarter of those who fall victim to ransomware attacks don’t plan to make any changes to their cybersecurity plans, but by leaving things unchanged, they’re likely putting themselves at risk from falling victim to future attacks.
That’s especially the case during 2020, which has brought additional cybersecurity vulnerabilities to organisations due to the rise of people working from home because of the coronavirus pandemic.
“In a remote working situation the attack surface has increased many times and security cannot be a secondary business priority,” said Zeki Turedi, Chief Technology Officer for EMEA at CrowdStrike.
To avoid falling victim to ransomware attacks, it’s recommended that organisations ensure that systems are updated with the latest security patches, something which can prevent cyber criminals taking advantage of known vulnerabilities to deliver ransomware.
It’s also recommended that two-factor authentication is deployed throughout the organisation, so that in the event of criminal hackers breaching the perimeter, it’s harder for them to move laterally around the network and compromise more of it with ransomware or any other form of malware.