Tuesday, January 27, 2015

Business E-mail Compromise (BEC)

The Business E-mail Compromise (BEC) is a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. Formerly known as the Man-in-the-E-mail Scam, the BEC was renamed to focus on the “business angle” of this scam and to avoid confusion with another unrelated scam. The fraudulent wire transfer payments sent to foreign banks may be transferred several times but are quickly dispersed. Asian banks, located in China and Hong Kong, are the most commonly reported ending destination for these fraudulent transfers.
The BEC is a global scam with subjects and victims in many countries. The IC3 has received BEC complaint data from victims in every U.S. state and 45 countries. From 10/01/2013 to 12/01/2014, the following statistics are reported:
  • Total U.S. victims: 1198
  • Total U.S. dollar loss: $179,755,367.08
  • Total non-U.S. victims: 928
  • Total non-U.S. dollar loss: $35,217,136.22
  • Combined victims: 2126
  • Combined dollar loss: $214,972,503.30
The FBI assesses with high confidence the number of victims and the total dollar loss will continue to increase.


Most U.S. weapons programs contain 'significant vulnerabilities'

An annual report released by the Pentagon's chief weapons tester indicates that a majority of the government's weapons programs contain “significant vulnerabilities.” Many of the bugs stem from outdated and unpatched software.
Red Teams portraying a Cyber OPFOR successfully accessed target networks primarily through vulnerable web services and social engineering (phishing). Red Teams routinely expanded access across networks using stolen credentials. The asymmetric nature of cyber operations allows even a single default or weak password to lead to rapid access and exploitation of the network. This is particularly true when the password belongs to an individual with elevated privileges. FY14 assessments revealed numerous violations of DOD password security policies, which indicates the policies are either too difficult to implement, too hard to enforce, or both. The generally poor defensive performance against dedicated attacks by Red Teams shows that a network is only as secure as its weakest link. Unless compliance levels approach 100 percent, it is likely a dedicated cyber adversary will succeed in accessing a network. 

Friday, January 16, 2015

Concerns by Policy-Level Executives about Cyber security


On February 26, 2014, the U.S. Commodity Futures Trading Commission published guidance outlining the data security practices it expects from firms it oversees and the third parties they contract with.[1] 

The importance of this issue is also reflected in the notices from the SEC’s Office of Compliance Inspections and Examinations and from the Financial Industry Regulatory Authority.[2] 
Executives and board members lack knowledge about the cyber risks their organizations face and how to include cyber risk management in overall business strategy.

  • 52% of directors ranked IT strategy and risk as the #1 issue for which they need better information and processes – behind only strategic planning.[3]
  • 69% of directors are concerned that cyber threats may impact growth.
  • 77% of respondents to the US State of Cybercrime Survey detected a security event in the past 12 months, and more than a third said the number of security incidents detected increased over the previous year.[4]
  • Only 49% of respondents have a plan for responding to insider threats.
  • Only 38% of respondents prioritize cyber security investments based on risk to the business.

Banking and finance organizations are currently spending up to $2,500 per employee per year on cyber security. At this level this sum represents approximately 15% of the total IT budget. In retail the spending amounts to a comparable ratio.

Executive Guidance

Most of the organizations surveyed do not have cyber security programs that can match skills and technological capabilities of their cyber adversaries. To initiate such programs will require first answering the following policy-level questions:

  • What are your most crucial cyber assets and what is being done to keep those secure?
  • In recent cyber incidents what weak links were discovered and addressed?
  • What threats are facing your business?
  • What are the most likely internal threats?
  • Have any of your partners or those in your supply chain been subjected to a cyber-attack?
  • What are your policies for ensuring that partners achieve a minimum level of cyber security?
  • Does your business have a written cyber security risk management strategy?
  • Does your policy include training employees, perhaps the most important line of defense?
  • If a breach occurs who takes the lead? What are the responsibilities of those in the C-Suite?
  • What does the company’s cyber insurance policy cover?

Wednesday, January 14, 2015

Twitter Corrupts U.S. CENTCOM Communications


US military's Central Command (Centcom) pages were hijacked by people claiming to operate on behalf of Islamic State. Both Twitter accounts were temporarily suspended. Centcom has called the incident vandalism, and says it did not affect operations, nor was it a serious data breach.
Centcom mislabeled the event as a nuisance.

This undervalues this breach. All targeted cyber attacks start with multistage breaches. The first stage involves reconnaissance of the potential arena where the ultimate attacks would take place. Twitter is one of the many methods used in collecting information about names, locations and activities of individuals. Results are then fed into follow-on attacks.  

Executive Guidance

There is no reason why Centcom, a strategically critical U.S. command, needs to rely on Twitter, a notoriously insecure communication method. My only explanation is that the fundamentally inadequate DoD e-mail system is not only ponderous but also largely inadequate for person-to-person communications. Twitter has simplicity and ease of use because the DoD e-mail – engaged in a decade-long controversy – has never been fixed to deliver assured messages.


Labeling Twitter messages as a nuisance overlooks the security of messages to and from our key military command. Though most of the messages would be innocuous, there will always be a few transmissions that offer leading clues on where to direct further penetrations.

Highly sensitive sources of information must always be protected. Twitter is not. DoD should finally fix its e-mail rather than just call for another round of more onerous password formats.

Microsoft Bug Fix from Google


Google will publicly disclose software flaws whether or not the vendor has fixed the bug. The objective of its “Project Zero” is to significantly reduce the number of targeted attacks. For this reason Google is hiring additional security researchers to improve security across the Internet. The purpose of this effort is to create a quick response capability to reduce "zero-day" vulnerabilities.

The first result of “Project Zero” is a batch of Microsoft patches for 2015 that fix a vulnerability in Windows 8.1, discovered only two days ago. Microsoft responded with a blog post complaining that this leaves Microsoft users without adequate defenses.

Executive Guidance

Executives should welcome third-party checking of security, particularly since bug fixes may currently be taking a very long time: sometimes months before a correction is announced by a vendor and then weeks before a bug fix is implemented (if ever).

For instance, Microsoft’s MS15-002 is a “critical” flaw that makes it possible for an attacker to perform remote code execution. Microsoft’s January 13, 2015 patch release also includes seven additional vulnerabilities classified as “important”.


“Project Zero” should be seen as the start of a new era in security management of systems. Only major vendors will have the staff to accelerate the identification of software flaws from months to days. Security interception is speeding up. Firms will need to choose cloud computing providers that can demonstrate such capabilities.

Tuesday, January 13, 2015

Cyber Crime Agenda for Top Executives


Cyber crime has resulted in topics that require discussion at the highest executive levels for most organizations:

  • How is top executive leadership apprised of cyber risks?
  • What is the current impact of cyber attacks on the conduct of business?
  • What plans and action programs are in place to deal with already identified cyber risks?
  • How do current cyber security activities compare with accepted standards and best practices?
  • How many cyber incidents have been detected and disposed of?
  • What are the practices for the notification of cyber incidents to executive management and to the government?
  • What process is used to prepare and then to validate a cyber incident response plan?
  • Is there continuous oversight into adherence to cyber security standards for systems, networks and software?
  • Do key personnel, at the business, technical and management levels, have the skills and training to understand the cyber-risks as well as the potential business damage of the decisions they will make?
  • How can the organization depend on employees, suppliers and business partners to report serious security problems?
  • How can the organization verify that the management of the defenses will respond rapidly and appropriately?

Executive Guidance

The above questions can be seen as constituting an actionable agenda for the executive committee of a commercial firm:

The source and authority of the appraisal of existing cyber risks should specify the respective roles of personnel such as the CIO, CSO and legal counsel in delivering status reports at periodic intervals.

Reporting on the current impact of cyber attacks must be sufficiently detailed as to sources, contents and participants so that full disclosures are assured. The roles of the legal counsel in receiving such information must be detailed.

Action programs for countering cyber incidents should always be described in terms of responsibilities within the existing reporting structure of the organization and never through committees. Only a “line” organizational structure can be held accountable.

A report that compares actual conditions for managing cyber security exposures with prevailing practices should be delegated to a trusted consultant or to someone who is independent in making such judgments.

The critical responsibility to account and then to report about the detection, conclusion and evaluation of cyber incidents should be delegated to someone who cannot be seen as directly involved. As a general rule only the authority of legal counsel can be expected to perform such an assessment.

Notification to the government as well as any public disclosure must be guided by legal as well as fiduciary roles. The likely impacts of any financial or publicity disclosures, such as those governed by security legislation, will mandate the caution to be exercised to prevent premature disclosures. The roles of the legal counsel in this regard should always be followed.

The role of oversight into adherence to cyber security standards for systems, networks and software is a technical responsibility and can be executed only by the Chief Information Officer.

The qualifications of key personnel at the technical level, in terms of the skills, experience and training to understand the cyber-risks, should be the responsibility of the Chief Information Officer.

The qualification of managerial personnel for understanding the potential business damage from cyber crime should be held by the Chief Operating Executive and not by personnel accountable for technical compliance.


Coping with cyber crime is becoming a significant, costly and all-encompassing functional responsibility in corporate management. Organizations must now act to counter rapidly rising threats. These could have substantial adverse consequences.