Egnyte unifies its security and productivity tooling into single platform

Egnyte announced today it was combining its two main products — Egnyte Protect and Egnyte Connect — into a single platform to help customers manage, govern and secure the data from a single set of tools.

Egnyte co-founder and CEO Vineet Jain says that this new single-platform approach is being driven chiefly by the sheer volume of data they are seeing from customers, especially as they shift from on-prem to the cloud.

“The underlying pervasive theme is that there’s a rapid acceleration of data going to the cloud, and we’ve seen that in our customers,” Jain told TechCrunch. He says that long-time customers have been shifting from terabytes to petabytes of data, while new customers are starting out with a few hundred terabytes instead of five or ten.

As this has happened, he says customers are asking for a way to deal with this data glut with a single platform because the volume of data makes it too much to handle with separate tools. “Instead of looking at this as separate problems, customers are saying they want a solution that helps address the productivity part at the same time as the security part. That’s because there is more data in the cloud, and concerns around data security and privacy, along with increasing compliance requirements, are driving the need to have it in one unified platform,” he explained.

The company is doing this because managing the data needs to be tied to security and governance policies. “They are not ultimately separate ideas,” Jain says.

Jain says, up until recently, the company saw the data management piece as the way into a customer, and after they had that locked down, they would move to layer on security and compliance as a value-add. Today, partly due to the data glut and partly due to compliance regulations, Jain says, these are no longer separate ideas, and his company has evolved its approach to meet the changing requirements of customers.

Egnyte was founded in 2007 and has raised over $138 million on a $460 million post valuation, according to Pitchbook data. Its most recent round was $75 million led by Goldman Sachs in September 2018. Egnyte passed the $100 million ARR mark in November.

Encoding Stolen Credit Card Data on Barcodes

Crooks are constantly dreaming up new ways to use and conceal stolen credit card data. According to the U.S. Secret Service, the latest scheme involves stolen card information embedded in barcodes affixed to phony money network rewards cards. The scammers then pay for merchandise by instructing a cashier to scan the barcode and enter the expiration date and card security code.

This phony reloadable rewards card conceals stolen credit card data written to a barcode. The barcode and other card data printed on the card have been obfuscated. Image: U.S. Secret Service.

Earlier this month, the Secret Service documented a recent fraud incident in Texas involving a counterfeit club membership card containing a barcode, and a card expiration date and CVV printed below the barcode.

“Located underneath the barcode are instructions to the cashier on the steps necessary to complete the transaction,” reads an alert the Secret Service sent to law enforcement agencies. “They instruct the cashier to select card payment, scan the barcode, then enter the expiration date and CVV. In this instance, the barcode was encoded with a VISA credit card number.”

The instructions on the phony rewards card are designed to make the cashier think it’s a payment alternative designed for use exclusively at Sam’s Club and WalMart stores. When the transaction goes through, it’s recorded as a card-not-present purchase.

“This appears to be an evolution of the traditional card-not-present fraud, and early indications are linking this type of activity to criminal organizations of Asian descent,” the Secret Service memo observed.

“As a result of this emerging trend, instead of finding a large number of re-encoded credit cards during a search, a subject may only possess stickers or cards with barcodes that contain stolen card data,” the alert continues. “Additionally, the barcodes could be stored on the subject’s cell phone. If barcodes are discovered in the field, it could be beneficial to utilize a barcode scanning app to check the barcode for credit card data.”
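The alert’s closing advice, scanning any barcode found in the field to see whether it carries card data, is something a forensic examiner or loss-prevention team can script rather than eyeball. The example below is added here and is not from the Secret Service alert or KrebsOnSecurity: it takes already-decoded barcode payloads (constructed samples, including the widely published Visa test number rather than any real card) and reports which ones contain a 13 to 19 digit run that passes the Luhn checksum, masking the number for the report. A Luhn-valid run is only a candidate PAN; the assumption is that a human confirms the hit.

```python
import re

# Luhn checksum (mod 10): the standard check-digit scheme used by payment
# card numbers. A run of digits that passes it is a *candidate* PAN, not proof.
def luhn_valid(digits: str) -> bool:
    if not digits.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

# Payment card numbers are 13 to 19 digits long; require digit-run boundaries
# so a longer numeric string (serial numbers, loyalty IDs) is not sliced up.
PAN_RUN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def find_pan_candidates(payload: str) -> list[str]:
    """Return Luhn-valid 13-19 digit runs found in a decoded barcode payload."""
    # Join digit groups separated by a single space or hyphen ("4111 1111 ...")
    normalised = re.sub(r"(?<=\d)[ -](?=\d)", "", payload)
    return [run for run in PAN_RUN.findall(normalised) if luhn_valid(run)]

def mask_pan(pan: str) -> str:
    """Keep only the BIN (first 6) and last 4 for a report; never log the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def triage_barcodes(decoded: dict[str, str]) -> dict[str, list[str]]:
    """Map each barcode label to the masked PAN candidates it contains (empty if none)."""
    return {label: [mask_pan(p) for p in find_pan_candidates(text)]
            for label, text in decoded.items()}

# Constructed sample payloads (not from the Secret Service alert). The 16-digit
# number is the widely published Visa test PAN, which passes the Luhn check.
SAMPLE_BARCODES = {
    "club-membership-card": "MEMBER-00123456",
    "phony-rewards-card": "4111111111111111",
    "sticker-with-separators": "CARD 4111 1111 1111 1111 EXP 1225",
    "random-digits": "1234567890123456",
}

if __name__ == "__main__":
    for label, hits in triage_barcodes(SAMPLE_BARCODES).items():
        status = "POSSIBLE CARD DATA" if hits else "no card-like data"
        print(f"{label:28s} {status} {hits}")
```

Two of the four samples are flagged: the bare 16-digit payload and the one with spaced groups, while the membership ID (too short) and the random 16-digit string (fails Luhn) are not. Any barcode scanning app can supply the decoded text; the value of doing the check in code is that the full number is never written to the report, only its masked form.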

Cyber Insurance & Information Security | Is InfoSec’s Criticism of Cyber Insurance Fair?

A Guest Post by Jeffrey Smith. Jeffrey founded Cyber Risk Underwriters to offer tech-backed cyber insurance and related products distributed by insurance agents and cyber security providers.

Insurance is easy to hate. You can’t touch it and it is difficult to understand. Cyber insurance is particularly confusing. The product is relatively new and evolving quickly, making it ever more difficult to understand for lay people and insurance professionals alike. To make matters more complicated, the ubiquitous nature of cyber risk can trigger some level of coverage in multiple business insurance policies. As a result, cyber insurance is often misrepresented and confused with other types of insurance. It is not only alleged that the policy doesn’t pay claims, but InfoSec professionals are concerned that the purchase of a cyber insurance policy threatens funding for existing cyber security efforts.


Business Insurance is Confusing

Most of the confusion comes from the fact that multiple business insurance policies may provide coverage for some aspect of cyber loss. The table below indicates typical coverage overlaps found in various business insurance products. Oft-cited claim disputes such as Mondelez, National Bank of Blacksburg and others do not involve stand-alone cyber insurance.

image table showing cyber insurance coverage and policy types

These companies did not purchase stand-alone cyber insurance. As such, they are pursuing recovery under other insurance policies that often contain limited coverage grants consistent with exposure overlaps. Since these other insurance policies are not designed to respond to all cyber events, the insurers are going to the mat to restrict payments to the bespoke and limited coverage provided. Crime, kidnap and ransom, and property insurance are the most notable ‘other’ insurance policies; however, overlaps are also found in other policies such as professional liability, management liability and general liability products.

Human Error & Failure to Maintain

We often hear that cyber insurers try to find ways to avoid paying claims, citing human error or an insured’s failure to maintain a threshold of security efforts. From our experience, 85% of paid cyber insurance claims involve human error. These typically include not following existing procedures, clicking on malicious links, and falling victim to sophisticated social engineering attacks. Not unlike legacy cyber security software, early versions of cyber insurance policies were not very good compared to current products.

As an example, many early cyber policies included a ‘failure to maintain’ condition that precluded coverage in the event the insured did not maintain specific security controls. Today’s cyber underwriters are better equipped to evaluate exposure, so today’s policies no longer include this restriction. However, it is important to keep in mind that if you indicate on the insurance application that you encrypt all information at rest, and it is discovered that no such process existed, your claim may be denied. As long as you are honest during the application process, a single error or omission in application of stated security protocols will not preclude a coverage response by your cyber insurance policy.

Cyber Insurance Is Not a Replacement for Security Practices

The idea, of course, is not to experience a cyber claim. As mentioned here before, cyber insurance should not, under any circumstance, be seen as a replacement for a robust security posture, which requires modern cybersecurity technologies, trained teams and tested procedures.

Sentinel One is among the less than 1% of InfoSec vendors to stand behind product performance (for more information on product guarantees, check this out). However, Infosec technology vendors do not provide financial guarantees for all costs associated with human error or failure of product performance.

The primary role of cyber insurance is to provide financing of breach costs and liability resulting from a cyber event. In our view, cyber insurance is the last puzzle piece of any cyber risk management process.

Conclusion

High profile claims such as Mondelez, National Bank of Blacksburg, DLA Piper and others wrongly suggest stand-alone cyber policies do not pay. Product confusion and the use of brokers without cyber expertise often result in false expectations for claims recoveries. Make sure to use insurance brokers with specific cyber insurance expertise. Use your broker to review policy coverage parts, conditions and exclusions prior to purchase. Get quotes from multiple insurers. If you want to use one of your vendors for incident response, try to negotiate that into the deal. A good policy includes bespoke coverage for cyber-terrorism events (such as NotPetya) and is devoid of any ‘maintenance’ conditions as found in older policy versions.

It is common sense to use all available tools to protect from catastrophic peril. While not the most important part of your cyber security platform, a carefully crafted cyber insurance policy is a great addition to your existing cyber risk management program.


Like this article? Follow us on LinkedIn, Twitter, YouTube or Facebook to see the content we post.

Read more about Cyber Security

Rippling starts billboard battle with Gusto

Remember when Zenefits imploded and kicked out CEO Parker Conrad? Well, Conrad launched a new employee onboarding startup called Rippling, and now he’s going after another HR company called Gusto with a new billboard, “Outgrowing Gusto? Presto change-o.”

The problem is, Gusto got it taken down by issuing a cease & desist order to Rippling and the billboard operator Clear Channel Outdoor. That’s despite the law typically allowing comparative advertising as long as it’s accurate. Gusto sells HR, benefits and payroll software, while Rippling does the same but adds in IT management to tie together an employee identity platform.

Rippling tells me that outgrowing Gusto is the top reason customers say they’re switching to Rippling. Gusto’s customer stories page lists no customers larger than 61 employees, and Enlyft research says the company is most often used by 10- to 50-person staffs. “We were one of Gusto’s largest customers when we left the platform last year. They were very open about the fact that the product didn’t work for businesses of our size. We moved to Rippling last fall and have been extremely happy with it,” says Compass Coffee co-founder Michael Haft.

That all suggests the Rippling ad’s claim is reasonable. But the C&D claims that “Gusto counts as customers multiple companies with 100 or more employees and does not state the businesses will ‘outgrow’ their platform at a certain size.”

In an email to staff provided to TechCrunch, Rippling CMO Matt Epstein wrote, “We take legal claims seriously, but this one doesn’t pass the laugh test. As Gusto says all over their website, they focus on small businesses.”

So rather than taking Gusto to court or trying to change Clear Channel’s mind, Conrad and Rippling did something cheeky. They responded to the cease & desist order in Shakespeare-style iambic pentameter.

Our billboard struck a nerve, it seems. And so you phoned your legal teams,
who started shouting, “Cease!” “Desist!” and other threats too long to list.

Your brand is known for being chill. So this just seems like overkill.
But since you think we’ve been unfair, we’d really like to clear the air.

Rippling’s general counsel Vanessa Wu wrote the letter, which goes on to claim that “When Gusto tried to scale itself, we saw what you took off the shelf. Your software fell a little short. You needed Workday for support,” asserting that Gusto’s own HR tool couldn’t handle its 1,000-plus employees and needed to turn to a bigger enterprise vendor. The letter concludes with the implication that Gusto should drop the cease-and-desist, and instead compete on merit:

So Gusto, do not fear our sign. Our mission and our goals align.
Let’s keep this conflict dignified—and let the customers decide.

Rippling CMO Matt Epstein tells me that “While the folks across the street may find competition upsetting, customers win when companies push each other to do better. We hope our lighthearted poem gets this debate back down to earth, and we look forward to competing in the marketplace.”

Rippling might think this whole thing was slick or funny, but it comes off a bit lame and try-hard. These are far from 8 Mile-worthy battle rhymes. If it really wanted to let customers decide, it could have just accepted the C&D and moved on…or not run the billboard at all. It still has four other billboards running that don’t slam competitors. That said, Gusto does look petty trying to block the billboard and hide that it’s unequipped to support massive teams.

We reached out to Gusto over the weekend and again today asking for comment, whether it will drop the C&D, if it’s trying to get Rippling’s bus ads dropped too and if it does in fact use Workday internally.

Given Gusto has raised $516 million, 10X what Rippling has, you’d think it could just outspend Rippling on advertising or invest in building the enterprise HR tools so customers really couldn’t outgrow it. They’re both Y Combinator companies with Kleiner Perkins as a major investor (conflict of interest?), so perhaps they can still bury the hatchet.

At least they found a way to make the HR industry interesting for an afternoon.

Pay Up, Or We’ll Make Google Ban Your Ads

A new email-based extortion scheme apparently is making the rounds, targeting Web site owners serving banner ads through Google’s AdSense program. In this scam, the fraudsters demand bitcoin in exchange for a promise not to flood the publisher’s ads with so much bot and junk traffic that Google’s automated anti-fraud systems suspend the user’s AdSense account for suspicious traffic.

A redacted extortion email targeting users of Google’s AdSense program.

Earlier this month, KrebsOnSecurity heard from a reader who maintains several sites that receive a fair amount of traffic. The message this reader shared began by quoting from an automated email Google’s systems might send if they detect your site is seeking to benefit from automated clicks. The message continues:

“Very soon the warning notice from above will appear at the dashboard of your AdSense account undoubtedly! This will happen due to the fact that we’re about to flood your site with huge amount of direct bot generated web traffic with 100% bounce ratio and thousands of IP’s in rotation — a nightmare for every AdSense publisher. More also we’ll adjust our sophisticated bots to open, in endless cycle with different time duration, every AdSense banner which runs on your site.”

The message goes on to warn that while the targeted site’s ad revenue will be briefly increased, “AdSense traffic assessment algorithms will detect very fast such a web traffic pattern as fraudulent.”

“Next an ad serving limit will be placed on your publisher account and all the revenue will be refunded to advertisers. This means that the main source of profit for your site will be temporarily suspended. It will take some time, usually a month, for the AdSense to lift your ad ban, but if this happens we will have all the resources needed to flood your site again with bad quality web traffic which will lead to second AdSense ban that could be permanent!”

The message demands $5,000 worth of bitcoin to forestall the attack. In this scam, the extortionists are likely betting that some publishers may see paying up as a cheaper alternative to having their main source of advertising revenue evaporate.

The reader who shared this email said while he considered the message likely to be a baseless threat, a review of his recent AdSense traffic statistics showed that detections in his “AdSense invalid traffic report” from the past month had increased substantially.

The reader, who asked not to be identified in this story, also pointed to articles about a recent AdSense crackdown in which Google announced it was enhancing its defenses by improving the systems that identify potentially invalid traffic or high risk activities before ads are served.

Google defines invalid traffic as “clicks or impressions generated by publishers clicking their own live ads,” as well as “automated clicking tools or traffic sources.”

“Pretty concerning, thought it seems this group is only saying they’re planning their attack,” the reader wrote.

Google declined to discuss this reader’s account, saying its contracts prevent the company from commenting publicly on a specific partner’s status or enforcement actions. But in a statement shared with KrebsOnSecurity, the company said the message appears to be a classic threat of sabotage, wherein an actor attempts to trigger an enforcement action against a publisher by sending invalid traffic to their inventory.

“We hear a lot about the potential for sabotage, it’s extremely rare in practice, and we have built some safeguards in place to prevent sabotage from succeeding,” the statement explained. “For example, we have detection mechanisms in place to proactively detect potential sabotage and take it into account in our enforcement systems.”

Google said it has extensive tools and processes to protect against invalid traffic across its products, and that most invalid traffic is filtered from its systems before advertisers and publishers are ever impacted.

“We have a help center on our website with tips for AdSense publishers on sabotage,” the statement continues. “There’s also a form we provide for publishers to contact us if they believe they are the victims of sabotage. We encourage publishers to disengage from any communication or further action with parties that signal that they will drive invalid traffic to their web properties. If there are concerns about invalid traffic, they should communicate that to us, and our Ad Traffic Quality team will monitor and evaluate their accounts as needed.”
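Google’s invalid-traffic systems are not visible to publishers, so the only evidence a site owner can examine directly is their own server log. The script below is an added example, not code from Google or KrebsOnSecurity, and the thresholds in it are assumptions, not Google’s criteria. It parses combined-format web server log lines (constructed samples using documentation IP ranges) and flags minutes that match the pattern the extortion email describes: a spike in requests, almost every client address seen exactly once, and almost no referer on any request.

```python
import re
from collections import Counter, defaultdict

# Apache/Nginx "combined" log format; referer and user agent are the last two quoted fields
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["minute"] = rec["ts"][:17]   # "14/Feb/2020:10:01:07 +0000" -> "14/Feb/2020:10:01"
    return rec

def summarise_minutes(lines):
    """Per-minute counts: requests, distinct client IPs, IPs seen exactly once, share with no referer."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[rec["minute"]].append(rec)
    summary = {}
    for minute, recs in buckets.items():
        per_ip = Counter(r["ip"] for r in recs)
        direct = sum(1 for r in recs if r["referer"] in ("", "-"))
        summary[minute] = {
            "requests": len(recs),
            "distinct_ips": len(per_ip),
            "single_hit_ips": sum(1 for n in per_ip.values() if n == 1),
            "direct_ratio": direct / len(recs),
        }
    return summary

def flag_invalid_traffic(summary, min_requests=30, min_single_hit_ratio=0.9, min_direct_ratio=0.9):
    """Minutes where volume is high AND almost every IP hits once AND almost nothing carries a referer.
    The thresholds are assumed starting points; tune them against the site's normal traffic."""
    flagged = []
    for minute, s in sorted(summary.items()):
        single_hit_ratio = s["single_hit_ips"] / s["distinct_ips"]
        if (s["requests"] >= min_requests
                and single_hit_ratio >= min_single_hit_ratio
                and s["direct_ratio"] >= min_direct_ratio):
            flagged.append(minute)
    return flagged

# Constructed sample log (documentation IP ranges, not real visitors): a quiet
# minute of ordinary referred traffic, then a minute of 40 one-hit direct requests
# from 40 rotating addresses, the pattern the extortion email threatens.
BASELINE = [
    '203.0.113.10 - - [14/Feb/2020:10:00:05 +0000] "GET /post/1 HTTP/1.1" 200 5120 "https://www.example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.10 - - [14/Feb/2020:10:00:41 +0000] "GET /post/2 HTTP/1.1" 200 4810 "https://www.example.com/post/1" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [14/Feb/2020:10:00:50 +0000] "GET /post/1 HTTP/1.1" 200 5120 "https://duckduckgo.com/" "Mozilla/5.0 (Windows NT 10.0)"',
]
FLOOD = [
    f'192.0.2.{i} - - [14/Feb/2020:10:01:{i % 60:02d} +0000] "GET /post/1 HTTP/1.1" 200 5120 "-" "python-requests/2.22.0"'
    for i in range(1, 41)
]
SAMPLE_LOG = BASELINE + FLOOD

if __name__ == "__main__":
    summary = summarise_minutes(SAMPLE_LOG)
    for minute, s in sorted(summary.items()):
        print(minute, s)
    print("suspicious minutes:", flag_invalid_traffic(summary))
```

A flagged minute is a reason to keep the log and use the sabotage reporting form the statement mentions, not proof of an attack: a link going viral can also produce a burst of one-hit direct visitors, which is why the check looks at all three signals together rather than volume alone.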

The Good, the Bad and the Ugly in Cybersecurity – Week 7


The Good

Welcome news this week as Citrix’s campaign to get businesses aware and on-task patching CVE-2019-19781 over the last two months has really borne fruit. It’s now estimated that 80% of all internet-exposed machines with the flaw have been patched to date. That only leaves the 20% of unpatched boxes to go, but the admins responsible for them had better get a move on: there are already “plug-and-play” exploits for the bug publicly available.

image of Shodan map of Citrix boxes exposed on the internet with CVE-2019-19781

It’s been a great week for vulnerability fixes. Microsoft addressed an astonishing 99 bugs in this week’s Patch Tuesday, including a fistful of RCEs like CVE-2020-0674 and CVE-2020-0729. Adobe also crushed 12 critical CVEs (including CVE-2020-3742, CVE-2020-3752, and CVE-2020-3751) plus five other less severe vulnerabilities in Reader and Acrobat, and one critical CVE in Flash Player (CVE-2020-3757). Elsewhere, in a good advert for bug bounty programs, SoundCloud fixed a number of critical bugs that could allow attackers to take over user accounts, although the company said there was no evidence of these bugs being actively used in the wild.

The Bad

If there’s one thing the Emotet trojan and malware loading platform will be remembered for in cyber history, it’ll no doubt be its sophistication. Adding to that reputation is news that the ubiquitous malware loader has been making use of a Wifi spreader. Emotet was previously thought to spread purely via malspam and infected networks; researchers have now found that it can also infect nearby wireless networks if those networks use insecure passwords. Essentially, the Wifi-spreader module enumerates the Wifi networks in range of any Emotet-infected machine and then tries to brute force the password of each from a built-in password dictionary.

Business Email Compromise (BEC) cost U.S. companies a combined total of $1.7 billion in 2019, according to the FBI’s “2019 Internet Crime Report.” The huge scale of cybercrime is worth pausing over: those losses came from a staggering 23,775 targeted attacks. “By using an email address similar to a trusted company address, criminals can trick an employee into giving away valuable information at almost no cost,” the FBI said in its report. If you still think your business is flying under the cybercriminals’ radar, those figures are a bullhorn telling you to think again.


The Ugly

American accusations that Huawei spies for the Chinese government are being seen as carrying a certain amount of chutzpah this week, after news broke that U.S. and German intelligence agencies spied on over 100 other nations, including allies, for decades through deliberately weakened encryption. It turns out that Crypto AG, a Swiss firm manufacturing encryption devices, was secretly owned by the CIA. While the secret operation led to many intelligence coups against U.S. enemies, it also raises some worrying ethical issues. According to the Washington Post, these include:

“the deception and exploitation of adversaries, allies and hundreds of unwitting Crypto employees. Many traveled the world selling or servicing rigged systems with no clue that they were doing so at risk to their own safety.”

The success of the program probably helps account for the US government’s penchant for haranguing the likes of Apple to build backdoors into their own encryption products. It’ll be interesting to see whether this case serves to strengthen or weaken public perception on the legitimacy of that stance.


Adding grist to the mill, prosecutors have held pretty compelling evidence to obtain a conviction against this suspected pedophile for some time, but they were determined to also examine his computer hard drive. The problem was the alleged offender either couldn’t or wouldn’t disclose the password for the encrypted disk even after being ordered to do so by a judge, so he’s been sitting in prison for the last 4 years on a contempt of court charge. That was until this week, when a federal appeals court ruled that 18 months is the maximum jail term for contempt as a result of refusing (or forgetting, as the defence would have it) to provide a decryption password. That could be either good news (the government can’t indefinitely imprison, say, a journalist) or bad news (the government can’t indefinitely imprison, say, a pedophile, either) depending on how you look at it, so we’ll file this under ‘ugly’ for now. The “eww” factor will certainly vary from case to case, but one thing is for sure: it’ll be interesting to see how strong that precedent proves to be when the next decryption controversy crops up to challenge it.



Alibaba Cloud revenue reaches $1.5B for the quarter on 62% growth rate

Alibaba issued its latest earnings report yesterday, and the Chinese eCommerce giant reported that cloud revenue grew 62 percent to $1.5 billion U.S., crossing the RMB10 billion revenue threshold for the first time.

Alibaba also announced that it had completed its migration to its own public cloud in the most recent quarter, a significant milestone because the company can point to its own operations as a reference to potential customers, a point that Daniel Zhang, Alibaba executive chairman and CEO, made in the company’s post-earnings call with analysts.

“We believe the migration of Alibaba’s core e-commerce system to the public cloud is a watershed event. Not only will we ourselves enjoy greater operating efficiency, but we believe, it will also encourage others to adopt our public cloud infrastructure,” Zhang said in the call.

It’s worth noting that the company also warned that the Coronavirus gripping China could have an impact on the company’s retail business this year, but it didn’t mention the cloud portion specifically.

Yesterday’s revenue report puts Alibaba on a $6 billion U.S. run rate, good for fourth place in the cloud infrastructure market share race, but well behind the market leaders. In the most recent earnings reports, Google reported $2.5 billion in revenue, Microsoft reported $12.5 billion in combined software and infrastructure revenue and market leader AWS reported a tad under $10 billion for the quarter.

As with Google, Alibaba sits well in the back of the pack, as Synergy Research’s latest market share data shows. The chart was generated before yesterday’s report, but it remains an accurate illustration of the relative positions of the various companies.

Alibaba has a lot in common with Amazon. Both are eCommerce giants. Both have cloud computing arms. Alibaba, however, came much later to the cloud computing side of the house, launching in 2009, but really only beginning to take it seriously in 2015.

At the time, cloud division president Simon Hu boasted to Reuters that his company would overtake Amazon in the cloud market within 4 years. “Our goal is to overtake Amazon in four years, whether that’s in customers, technology, or worldwide scale,” he said at the time.

They aren’t close to achieving that goal, of course, but they are growing steadily in a hot cloud infrastructure market. Alibaba is the leading cloud vendor in China, although AWS leads in Asia overall, according to the most recent Synergy Research data on the region.

A Light at the End of Liberty Reserve’s Demise?

In May 2013, the U.S. Justice Department seized Liberty Reserve, alleging the virtual currency service acted as a $6 billion financial hub for the cybercrime world. Prompted by assurances that the government would one day afford Liberty Reserve users a chance to reclaim any funds seized as part of the takedown, KrebsOnSecurity filed a claim shortly thereafter to see if and when this process might take place. This week, an investigator with the U.S. Internal Revenue Service finally got in touch to discuss my claim.

Federal officials charged that Liberty Reserve facilitated a “broad range of criminal activity, including credit card fraud, identity theft, investment fraud, computer hacking, child pornography, and narcotics trafficking.” The government says from 2006 until the service’s takedown, Liberty Reserve processed an estimated 55 million financial transactions worth more than $6 billion, with more than 600,000 accounts associated with users in the United States alone.

While it’s clear that the digital currency system for years was the go-to money-moving vehicle for many engaged in dodgy online activities, it also was favored by users primarily because it offered a relatively anonymous way to send irrevocable transfers globally with low fees.

Indeed, the two stories I wrote about the closure of Liberty Reserve in 2013 remain among the most-read on this site, and have generated an enormous volume of emails from readers who saw many thousands of dollars held in legal limbo — much of it related to investments in online gaming platforms, payments to and from adult entertainment services, and various investment schemes.

The IRS official who contacted me was not authorized to be quoted in the media (and indeed did not initially realize he was speaking to a member of the press when he called). But he told me the government had recently obtained legal access to some of the funds held in overseas bank accounts that were used by Liberty Reserve, and that IRS investigators were now starting to contact people and vet any claims made in the wake of the takedown.

“We’re just getting to the point where we have received funds,” the investigator said. “We’ve started to contact people who originally contacted us, to vet their claims, make sure they weren’t involved in any illegal activity, and that the claim amounts match the records that we have.”

The official said he didn’t know how much money in total the government was seeking to return to former Liberty Reserve users. Requests for this information from the Justice Department office that prosecuted the case — the U.S. Attorney for the Southern District of New York — went unanswered.

The founder of Liberty Reserve, 45-year-old Arthur Budovsky, pleaded guilty in 2016 to conspiring to commit money laundering. He was sentenced to 20 years in prison, ordered to pay a $500,000 fine and forfeit $122 million in company funds.

If you filed a monetary claim in response to the Liberty Reserve seizure years back, you may have already been contacted by federal investigators, or you may be soon. But please know that fraudsters will likely seize on public awareness about the possible repatriation of funds to fleece the unwary: KrebsOnSecurity has received more than a few emails from readers over the years who fell for various phishing scams that promised to return funds lost at Liberty Reserve in exchange for a bogus “processing fee.”

Defeating Ransomware | Outflanking Attackers Through Public-Private Cooperation

Technical experts, business leaders and state officials agree on one thing about ransomware: it’s a mess. But as we sift through the carnage, there are some good lessons learned from our states, municipalities and healthcare providers.

CEO of Farsight Security Paul Vixie comes at the problem as a researcher. “Ransomware exposes some embarrassing weaknesses in our digital lives. First, our computers and networks are so complicated that only an attacker can understand them — we don’t, and our vendors don’t either. Second, we’re not backing up our critical data at all, or if we are backing it up, we’re using online backup drives or shares — which means a successful ransomware attack will be able to encrypt all our data, including our backups if any. We ought to be ashamed of how little understanding we have and how little care we demonstrate for our digital assets.”

His message is startling. Humans are often to blame for bringing rootkits into an environment, which leads to all manner of attacks. The weakest entities appear to be state and local governments and healthcare providers. What is the reason for their apparent vulnerability, and what groups are racing to their defense?


Elections Are A Ransomware Attack Away from Disaster

In state election land, the Iowa caucus had some technical difficulties and reporting inconsistencies which delayed results. Fingers are pointing at the app that was used. I spoke with Jeremy Epstein, a veteran volunteer at the polls in Fairfax, VA, and asked him how exposed we are to attack in a general election.

“Ransomware is a particular threat against elections. While there are no reported cases of ransomware affecting elections and voting systems, there are many points of vulnerabilities including the voter registration systems, electronic poll books, voting machines, and election reporting systems. Election officials work hard to have backup plans in place for any eventuality, but they’re chronically underfunded.”  

Jeremy noted potential impacts as “long lines at polling places as voters are checked in by hand, inability to cast votes, loss of votes or delays in results — any of which might reduce public confidence in the election results, even if the election results are not manipulated. What election official would want to go on TV and announce ‘it’ll take a few weeks before we can tell you the results because our systems are out of commission due to ransomware’?”

What function is more essential to our state and local governments than voting? Yet with all of the recent infections, we have focused on the services we rely on daily. The DMV, 911 services, land transfers, courthouse services and policing have all been interrupted by ransomware.

How Vulnerable Are We to Ransomware Attacks?

So just how bad is it? There were 104 ransomware attacks against administrative systems in schools and governments in 2019. This means your children’s data is likely for sale on the dark web, and it presents a clean credit profile. One group that is fighting hackers from the ground up is CyberUSA. With 28 member states and over 10,000 member companies, they are focusing on education, software access and coordination with federal resources.

I spoke with CyberUSA member Laura Baker, co-founder of CyberWyoming, and she shared a story about the largest hospital in Casper, WY, which was shut down due to ransomware. “Campbell County Health was a blow to all of Wyoming. It felt like a personal attack to our entire state. The IT team at CCH is top notch, the systems they use are excellent, the administration is very proactive about cybersecurity and other issues, and the employee training program is substantial. We all felt ‘how could this happen to CCH?’ The bad guys are attacking our communities and our infrastructure.”

Mississippi chose to conduct a statewide audit of 125 state agencies, boards, commissions, and universities. Although results were mixed, the assessments are similar to SEC guidance. Combine that approach with new legislation calling for a DHS Cyber Coordinator to be appointed in all 50 states, and we may be seeing a blueprint emerging. State-mandated audits with reporting to state legislators, combined with federal technical and financial resources to address the states’ shortcomings, are good first steps.

Tom Scott, Executive Director of CyberSC, commented, “A ransomware attack is the most prevalent cyber threat to state and local governments, and most of the public are oblivious to the potential impact until they are unable to access governmental services. Identification of mission essential functions and assets is the first step to ensuring that the most critical services are made resilient.” Tom noted that there is high demand for DHS CISA assessment services and that there is “limited interaction and coordination between state and local governments beyond SLED’s SCCIIC program and the FBI’s InfraGard program.”

Reputations Are At Risk When Ransomware Strikes

Marcus Ranum, CSO at Tenable Security, has been dealing with these problems for longer than he would like to admit. “I think ransomware is a tax coming due on IT security incompetence. If you’ve got basic host-side controls and edge controls in place, you should be able to resist the attacks. If you’ve got basic data reliability (backups and business resumption) in place, you can respond effectively to the attacks. The organizations that cut costs and said ‘it’s not going to happen to us’ turn out to be wrong, and the money they thought they were saving has been un-saved. They gambled and they lost. It’s just basic incompetence.”

Is he right? Perhaps. It’s worth noting that in all the chaos recently, we haven’t seen a lot of ransomware incidents at financial services entities, and we know they are rigorous about preventing phishing, blocking malware and ensuring they have good backup policies in place. Contrast that with what happens where such cyber hygiene is lacking. The 850-store Wawa breach impacted some 30 million people and credit card issuers. And ransomware gives the victim little choice: pay up or suffer. The latest attacks involving Maze ransomware exfiltrate data before encrypting it, and then (optionally) publicly post the data in a shaming process to accelerate payment. Reputation is important, especially for publicly traded companies.

Can We Legislate Our Way Out of Ransomware?

Recently, two NY state senators authored legislation that would prevent municipal governments from using tax dollars to pay ransom to hackers. The US Conference of Mayors issued a similar resolution, denouncing ransom payments. This might work if a program to establish backups can be implemented, but this approach does little on the prevention side of the equation. Presumably, cyber insurance could still pay ransom demands if the municipality had purchased a policy.

When an organization buys cyber insurance, it is transferring the risk that could not be addressed through a technology solution. But cyber insurance must be coupled with a strong security stack. Much of the growth in cyber insurance policies has been in sectors that have fewer funds and fewer resources to handle an inbound attack.

And, with the latest “dumbed down” ransomware kits, any criminal can invest in ransomware-as-a-service and start infecting businesses for $195. That package delivers a return of $7,500 because the vendor caps the number of infections and the ransom to be collected at $250! They must have determined that this ransom amount is likely to be paid. And when you combine troves of leaked personal data with automated phishing programs, the hackers will succeed across a wide swath of businesses, with or without insurance.

Lessons From the Tidelands Health Lawsuit

Last week, Tidelands Health in South Carolina was sued in a class action over the loss of thousands of patient data records that resulted from a ransomware attack. One patient had her nuclear stress test cancelled, and another patient was given food she couldn’t eat because her medical records could not be accessed. The plaintiffs say that their data was exposed and that Tidelands did not give notice to HHS or to the affected patients. For its part, Tidelands claims no data was exposed, but the latest ransomware strains offer so many “features” that who can really know?

HHS requires reporting of ransomware events because encrypting the data constitutes unauthorized control of it, which is considered a ‘disclosure’ under the HIPAA Privacy Rule. It may be difficult for Tidelands to show that its data was not altered or exfiltrated during the ransomware incident. But with 764 healthcare breaches in 2019 and a Vanderbilt University report stating “breach remediation efforts were associated with deterioration in timeliness of care and patient outcomes,” it seems hospitals are on notice and should have proper backups.

Health providers hosting data and applications with MSPs should be safer than those trying to manage their own security, but due diligence is required. When Virtual Care Provider Inc. (VCPI) was hit with Ryuk ransomware in December, with a demand of $14 million, 2,400 nursing homes and acute care facilities in 45 states were unable to get medicine for patients, access records or conduct business with Medicaid. The true costs of a ransomware attack go beyond the merely financial, which can be devastating enough.

The Ryuk ransomware has not only increased the average cost of a ransom demand; hackers will also sell access to compromised MSPs and open the doors to less skilled hackers. The Albany International Airport was hit with Sodinokibi ransomware, paid a ransom fee and then sued its MSP, Logicalnet, claiming it was responsible for the breach. Cyber insurance paid all but $25,000 of the demand, which was the deductible on the policy. Counties and small businesses outsource their data and apps to an MSP because they are ‘experts’ at security, but buyer beware!

Strength Lies in Sharing Our Knowledge

Perhaps the best model I have seen is the public-private partnership developed between the Healthcare Sector Coordinating Council and the Government Coordinating Council. The HHS Cybersecurity program (HICP) falls under the Cybersecurity Act of 2015 and focuses on managing threats and protecting patients. They will identify the top five threats for healthcare and then the top 10 security controls to address those threats. Finally, they will help organizations prioritize and implement those controls.

Jason Johnson, former CISO of MarinHealth, helped to put this in context. “While frameworks like NIST are incredibly useful, those in under-funded industries, like healthcare, might not have the expertise to fully digest and implement everything in them. The HICP was created exactly for this reason — it is an easily digestible walk-through of the must-do controls from multiple frameworks. If you’re a healthcare security professional, especially at a smaller physician practice or hospital, their set of documents must be on your reading list today.”

So Where Do We Go From Here?

HICP is a voluntary, industry-led initiative supported by federal resources. Broader participation in this program could stem the crisis our healthcare providers are experiencing. Maybe a similar program could be implemented for our state and local governments. Along with state-mandated audits and federal technical and financial resources, plus collaborations like CyberUSA and more public-private partnerships like HICP, we may see the beginning of the end. Public-private partnerships can help us clean up some of the mess that cyber criminals so easily exploit and bring a halt to the disruption that ransomware causes to businesses, healthcare providers and our other vital public services.


Tozny introduces encrypted identity tool as part of security service platform

Tozny, a Portland, Oregon startup that wants to help companies more easily incorporate encryption into programs and processes, introduced TozID today. It is an identity and access control tool that can work independently or in conjunction with the company’s other encryption tools.

“Basically we have a Security as a Service platform, and it’s designed to help developers and IT departments add defense in depth by [combining] centralized user management with an end-to-end encryption platform,” Tozny CEO and founder Isaac Potoczny-Jones told TechCrunch.

The company is introducing an identity and access solution today with the hope of moving beyond its core developer and government audience to a broader enterprise customer base.

Under the hood, TozID uses standard identity constructs like single sign-on, SAML and OpenID, and it can plug into any existing identity framework, but the key here is that it’s encryption-based and uses zero-knowledge identification. This allows a user (or application) to control information with a password while reducing the risk of sharing data, because Tozny does not store passwords or send them over the network.

In this tool, the password acts as the encryption key, which enables users or applications to control access to data in a very granular way, only unlocking information for people or applications they want to be able to access that information.

As Potoczny-Jones pointed out, this can be as simple as one-to-one communication in an encrypted messaging app, but it can be more complex at the application layer depending on how it’s set up. “It’s really powerful to have a user make that decision, but that’s not the only use case. There are many different ways to enable who gets access to data, and this tool enforces those kinds of decisions with encryption,” he explained.

Regardless of how this is implemented, the user never has to understand encryption or even know that encryption is in play in the application. All they need to do is enter a password as they always have, and then Tozny deals with the complex parts under the hood using standard open source encryption algorithms.

The company also has a data privacy tool geared towards developers to build end-to-end encryption into applications, whether web, mobile, server and so forth. Developers can use the Tozny SDK to add encryption to their applications without a lot of encryption knowledge.

The company has been around since 2013 and hasn’t taken any private investment. Instead, it has developed an encryption toolkit for government agencies, including NIST and DARPA, that has acted as a funding mechanism.

“This is an open source toolkit on the client side, so that folks can vet it for security — cryptographers like that — and on the server side it’s a SaaS-type platform,” he said. The latter is how the company makes money, by selling the service.

“Our goal really here is to bring the kind of cybersecurity that we’ve been building for government agencies into the commercial market, so this is really work on our side to try to, you might say, bring it down market as the threat landscape moves up market,” he said.