Is there hope? Yes, absolutely there is hope. Companies big and small are waking up and realizing at the very top levels that this is no longer an issue that can be relegated to the IT department. Cybersecurity risks represent major threats to your organization and as such require a high level of engagement by top leadership and board directors. There are very few other categories of risks that can, overnight, freeze your business dead in its tracks, decimate your financial resources, or even take it completely offline.
The only way we get better at cybersecurity is by working together and by exchanging ideas as a team. No one entity can fight this battle alone. FBI Director James Comey recently made this point over the summer, stating, “To finish, I don’t know whether we can stay ahead of the cyber threat. I think talking about it that way actually shows hubris. We can hope to mitigate the threat, reduce the threat; send messages that change behavior. In the face of a threat unlike any we’ve seen before, we need enough humility to be agile; enough humility to take feedback from our partners to figure out how we can be better. We definitely need each other.”(15)
“If you can’t get to some level of AI or machine learning with the volume of activity that you’re trying to understand when you’re [defending] networks from activity of concern, if you can’t get to scale, you are always behind the power curve — it’s got to be some combination of the two.”(16) [emphasis supplied]
— Admiral Mike Rogers
In the rest of this chapter, we talk about threat actors and criminals who have launched attacks against the U.S. over the past 18 months, as well as the vectors (i.e. the types of cyber-attacks they used to steal our stuff).
Who Are the Threat Actors?
“We’re moving into a new era here and frankly, we’ve got more capacity than anybody both offensively and defensively. … What we cannot do is have a situation where this becomes the wild, wild West, where countries that have significant cyber capacity start engaging in unhealthy competition or conflict through these means.”
— President Barack Obama, September 5, 2016, at the G20 Summit
“Cybersecurity threats and vulnerabilities continue to be pressing concerns for companies and governments in the United States and around the world. In the U.S. financial system, cybersecurity remains an area of significant focus for both firms and the government sector. This attention is appropriate, as cybersecurity-related incidents create significant operational risk, impacting critical services in the financial system, and ultimately affecting financial stability and economic health.”
— Annual Report of the Financial Stability Oversight Council, US Department of the Treasury(17)
“[C]yber is one area we have to acknowledge that we have peer competitors with every bit as much capacity and capability as we do.”
— Admiral Mike Rogers, before the Senate Armed Services Committee, April 5, 2016
“What worries me most is that ISIL’s investment in social media — which has been blossoming in the last six to eight weeks in particular — will cause a significant increase in the number of incidents that we will see…. That’s what I worry about all day long.” “ISIL is changing [the] model entirely because ISIL is buzzing on your hip,” he continued, referring to smartphones. “It’s pushing its message ‘all day long’ on Twitter.” — Director of the FBI James Comey, July 22, 2015(18)
Who are the main threat actors? First, despite vehement denials from its government, it appears — as per the comments of FBI Director Comey — that the Chinese, prior to the September 2015 agreement between the U.S. and China over the theft of intellectual property, had been the most industrious nation when it comes to cyber attacks, both in breadth and scope. As noted in the FireEye/Mandiant Trends Report, “Beyond the Breach” (hereinafter the “Mandiant Report”),(19) “we’ve increasingly observed the Chinese government conduct expansive intrusion campaigns to obtain information to support state-owned enterprises. This translates into data theft that goes far beyond the core intellectual property of a company, to include information about how these businesses work and how key executives and key figures make decisions.”
The Mandiant report further states that these intrusions have not just plundered agencies like the U.S. Department of Defense, and weapons programs like the F-35 fighter jet,(20) but more importantly basic “how to conduct business” information in various industries. These persistent intrusions led to the U.S. government indictment of five officers of the Chinese People’s Liberation Army on charges of cyber espionage.(21) To date, rumors persist that China may have had some involvement in both the Anthem breach and the OPM breach, though that has been heavily disputed.(22) The FBI released a study of 165 companies that reported a data breach by foreign sources. In 95% of those cases, the companies suspected China was to blame.(23) There is some evidence today that Chinese incursions into U.S. company computer networks have lessened. But it appears they are still very much in the game and have attacked other countries instead.(24)
In close second is the Russian government, which was rumored to have been involved in several recent attacks, including hacks on the White House, the DNC hacks mentioned earlier, the very recent attack on The New York Times,(25) and the hack of medical records of several U.S. Olympians and gold medalists who participated brilliantly at the 2016 Rio Summer Olympics.(26) These alleged attacks are no joke, and have attempted to reach into the depths of our government and the American political and election process.(27)
Next comes a variety of other nation-state actors, including North Korea,(28) Iran,(29) and Syria.(30) We have to add to the equation ISIS or ISIL, which has spent 2015 and 2016 planning attacks on the EU.(31) North Korea’s defining moment as a nation-state hacker was the attribution to it of the Sony wiperware attack. At the time, one expert noted:
“The North Korean attack on Sony was absolutely a watershed moment for everybody. Because within hours, they saw Sony pull a movie, and the President was on TV talking about it. It was a major international incident. They didn’t have to launch a bomb…all they had to do was [plant] malware. Emerging countries are probably going to see how this type of attack is effective …”(32)
Excluding nation-state actors, public reports have revealed private actors (more commonly termed “cyber criminals”) who have, most notoriously, devastated the U.S. retail sector with repeated attacks on retailers’ point-of-sale (POS) systems using a variety of methods,(33) which will be explained below. Indeed, according to the most recent Ponemon Institute/IBM 2015 Cost of Data Breach Study(34) (hereinafter, the “Ponemon Report,” which surveyed data breaches over calendar year 2014 in 11 countries), 47% of all data breaches surveyed stemmed from malicious or criminal attack. The average cost of a data breach due to malicious or criminal attacks increased to $170 per compromised record in 2014 from $159 in 2013. In the United States alone, the cost per compromised record was $217.(35) Note that is the “per record” cost; the total damages for some of the major breaches reported in 2014 could easily reach 8 or 9 figures.(36)
A key takeaway from these attacks is that it has sometimes taken companies up to five months to realize they have been breached.(37) And in many cases, the victims did not discover the breach on their own, but were informed by either a governmental authority (principally, the FBI or Secret Service) or a third party (like a banking institution).(38) In a few cases, breaches were even first reported by famous cyber investigative blogger and noted cybersecurity authority Brian Krebs.(39) This delay in discovering evidence of a breach (the evidence is what later chapters call “indicators of compromise”) is important for two reasons: it brings into question whether companies have the right tools, hardware and IT experience to recognize very sophisticated cyber-attacks, which may leave only “pieces” of the larger picture that have to be gathered quickly and correlated to uncover a potential breach; and, more obviously, the longer it takes to uncover a breach (the interval is called in the business “dwell time”), the more damage an attacker can do or the more information he or she can steal. We discuss this problem later in the “Incident Response” and “AI/Machine Learning” chapters.
What Are the Threat Vectors?
First, what is a “threat vector?” It is a path, or a tool, that a “threat actor” uses to get at a “target.” In this chapter, the word “target” means a “target industry,” but in reality a target is more than that. Targets “are anything of value to the threat actor,” e.g., control of your server (and its secrets), your computer, your iPad, your social media accounts, your passwords, or your bank account.
Our favorite report that statistically documents global data breaches is the 2016 Verizon Data Breach Investigations Report,(40) (the “Verizon DBIR”), which reviews and summarizes a confirmed 2,260 data breaches (where there was disclosure or potential disclosure of confidential information) in 82 countries over the 2015 calendar year. The report does an excellent job pinpointing the exact type of threat vector used in any given cyber assault. It is not necessary to go into exhaustive detail on each type of threat vector identified in the Verizon DBIR (in fact many are way too complicated for the average director or officer to understand), but we think it’s important to identify the trends involved since they correlate with the types of industries being attacked, as well as the governance and risk issues that we will explore in later chapters. Here are the top threat vectors and a short description of how they generally work:
1. Point-of-Sale (“POS”) Intrusions:
These are the big cybersecurity breaches you read about almost every day in the newspaper or on your Twitter feed. The basic premise of a POS attack is to implant some variant of malware into a retailer’s card-processing environment, typically a “RAM scraper” running on the POS terminal or the back-of-house POS server (the systems behind the card-swiping machine at your local department or food store). The data on the card’s magnetic stripe (account number, expiration date, and cardholder information) sits unencrypted in the terminal’s memory for a brief moment between the swipe and its encryption for transmission to the payment processor; the scraper reads it from memory during that window, and the malware then sends it (the technical term is “exfiltrated”) outside the network to a third party. There have been many variants of malware used to accomplish this task, and many vectors used to deliver the malware, including spam, phishing, and now even botnets.(41) The malware has been difficult to find (sometimes taking months for a retailer to become aware it has suffered a breach). The results of POS attacks on retailers, hotels, and food-service restaurants this year have been particularly ugly.(42) Unfortunately, POS attacks are likely to continue in the near future.(43)
2. Web Application Attacks:
A web application attack is defined generally as when any web application is used as the vector for an attack. This one is a bit hard to explain. Generally the malicious actor will attempt to gain access to applications on a company’s server through a variety of methods like phishing and spear-phishing,(44) password and credential compromises, finding code vulnerabilities within certain popular network applications, or injecting code into an application to compromise the company’s network (SQL injection, for example, where attacker-supplied input is run as part of the application’s database query). A recent study found 40% of all SQL injection attacks and 64% of all malicious HTTP traffic campaigns target retail websites. “Our study shows that retail sites are a big target for hackers. This is largely due to the data that retail websites store — customer names, addresses; credit card details — which cyber criminals can use and sell in the cybercrime underworld.”(45)
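SQL injection, the attack the study above singles out, is easiest to understand with the vulnerable code and its fix side by side. The following is an added example for this page (not the book’s or any product’s code): a retail product search built by string formatting, which lets a search term bolt a second query onto the first and read customer records out of an unrelated table, next to the parameterized version that treats the same input purely as data. The in-memory SQLite database and its rows are constructed for the demonstration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a retail site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (name TEXT, price REAL);
        CREATE TABLE customers (email TEXT, card_last4 TEXT);
        INSERT INTO products VALUES ('red scarf', 19.99), ('blue scarf', 21.50), ('hat', 9.00);
        INSERT INTO customers VALUES ('alice@example.com', '1111'), ('bob@example.com', '4444');
    """)
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Builds the query by string formatting: the user's input becomes part of the SQL itself."""
    sql = f"SELECT name, price FROM products WHERE name LIKE '%{term}%'"
    return conn.execute(sql).fetchall()


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Parameterized query: the driver passes the value separately, so it can never become SQL."""
    sql = "SELECT name, price FROM products WHERE name LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# Union payload: closes the LIKE string, appends a SELECT against another table with the same
# number of columns, and comments out the trailing quote the application would have added.
DUMP = "' UNION SELECT email, card_last4 FROM customers --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, DUMP))   # products plus every customer row
    print("safe:      ", search_safe(db, DUMP))         # nothing: no product has that name
    print("safe, real:", search_safe(db, "scarf"))
```

The payload is what shows up in a web server log as a URL-encoded quote followed by UNION SELECT; the fix is not input filtering but never letting user data reach the query text at all.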
3. Software Vulnerability or “Zero Day” Attacks:
A zero-day vulnerability is a “hole” in software that is unknown to the vendor, and therefore unpatched. Hackers exploit this security hole to install malware on the subject server before the vendor becomes aware of it and hurries to fix it; this exploit is called a zero-day attack. (Once a vulnerability becomes publicly known it is typically assigned a “Common Vulnerabilities and Exposures” or “CVE” identifier so that vendors, scanners and defenders can all refer to the same flaw; a true zero-day, by definition, has no fix available yet.) Exploits using software vulnerabilities can be extremely harmful if not caught early, and one linked to a Microsoft Windows vulnerability has been associated with high-profile attacks on critical infrastructure using the “BlackEnergy” malware variant.(46) Nine zero-day attacks had been discovered in 2016 to date; approximately 15 were discovered in 2015.(47) The 2015 zero-day attacks were all discovered in popular Adobe and Microsoft products widely in use across private and professional IT systems.(48) Vulnerabilities are rated under the Common Vulnerability Scoring System (“CVSS”), which attempts to measure the potential severity of the vulnerability on a 0 to 10 scale.(49)
Once discovered (very typically by a third party forensic analysis), a patch is issued by the software company to “fix” the vulnerability. The problem here is that some companies do not have the internal resources to implement the patch, or regimented patching schedules (indeed, ASAP patching for critical vulnerabilities), thus leaving them susceptible to attacks for days, months, or even years before being patched. Patching alerts and updates seem to occur now on an almost daily basis.(50) Unfortunately, many of the alerts for some reason or another are not timely remediated, allowing attackers even more time to successfully exploit the vulnerability.(51) Indeed, one recent study of software vulnerabilities stated:
The analysis showed that over 15,000 (7.5%) of the open source components being consumed by these organizations in 2014 had known security vulnerabilities. Of those 15,000 components, an average of 66% (9,900) had known vulnerabilities dated 2013 or older. That means they were known vulnerable components (‘bad’) before they were downloaded.
The remaining 34% (approx. 5,100) might have actually been “good” components at the time they were downloaded by development teams from public open source repositories, but at some time during 2014 a new security vulnerability was discovered and a CVE identifier was assigned.(52)
The 2016 Verizon DBIR also reports some progress in “normalizing” vulnerability management, meaning that roughly as many vulnerabilities were fixed as were reported in 2015 and 2014, but many companies still cannot get to all known and exploited vulnerabilities within a reasonable time. This is especially problematic for vulnerabilities attackers are known to exploit successfully. They just reuse the good ones.
There are (at least) two points here: 1) threat intelligence is important. If you don’t have time for everything, fix the known bad vulnerabilities (or the known bad ones within your industry vertical) before someone with ill intent gets to them; and 2) prioritize patching efforts.
There are “have to have” and “nice to have” patches that might affect your most critical systems. Patch the “have to have” vulnerabilities affecting your most critical systems first. Then get to the rest as soon as you can. We know that superhuman efforts might be required, but we know you’ll try your best.
4. Cyber-Espionage Attacks:(53)
These are what the category indicates: blatant, yet highly disguised and nearly undetectable, methods used by nation states and third-party actors to steal valuable information. Methods include injection of malware, phishing, malvertising,(54) watering hole attacks,(55) spear phishing, finding network and software vulnerabilities,(56) creating backdoors to exfiltrate information, and simple brute-force attacks. Even the notorious wiperware called “Shamoon” has recently been used against Saudi Arabian government agencies and companies. The methods vary from actor to actor; many rely on zero-day exploits or take the form of “advanced persistent threat” (“APT”) campaigns.
5. Card Skimmers:
Card skimmers are a little different from retail POS attacks in that they generally involve some device installed, for instance on an ATM or gas pump, to skim credit card data and send it to a third party. The types of card skimmers vary. They are generally very hard to detect.(57)
6. Misuse of Passwords and Privileges — One Phish, Two Phish, Red Phish, Blue Phish:
Insider misuse of IDs and passwords is relatively simple to explain. One of your employees uses his ID, password, or network privileges to gain information he either has access to, or should not have access to but does because of “over-privileging,” and then uses it or sells it for his own financial gain.(58) The malicious use of passwords and privileges often happens with a third party involved, like a former employee, cybercriminal, or competitor who somehow gains access to your network through a phishing or spear phishing attack and steals information for his gain, and your loss.(59)
Because of the vast amount of information available on the Internet, phishing and spear phishing attacks have taken great prominence in the US cyber ecosystem, and they have become the primary threat vector facing U.S. companies. Eighty-four percent of organizations said a spear phishing attack successfully penetrated their organization in 2015.(60) The 2016 Verizon DBIR notes, somewhat sarcastically: “Thirty percent of phishing messages were opened by the target across all campaigns. ‘But wait, there’s more!’ (in our best infomercial voice) About 12% went on to click the malicious attachment or link and thus enabled the attack to succeed. That indicates a significant rise from last year’s report in the number of folks who opened the email (23% in the 2014 dataset).”(61) [emphasis added] The attachment or links may lead to the seeding of malware on the recipient’s computer or even ransomware, like CryptoLocker or Cryptowall.(62) “The average impact of a successful spear phishing attack: $1.6 million. Victims saw their stock prices drop 15%.”(63) Socially engineered spear phishing attacks continue to present a tremendous problem. We discuss spear phishing mitigation and employee training tactics in later chapters.
7. Wiperware Attacks:
We mention one more type of attack that has surfaced more recently: “wiper” malware. Wiper malware is “designed to erase data from PC and file-server hard drives and delete the master boot record, so the machines cannot boot.”(64) Simply put, wiper malware can wipe away all the data on multiple servers infected at a target company. In two recent cases, called “Shamoon” and “Dark Seoul,” over 30,000 servers were essentially deleted.(65) Apparently, a variant of Shamoon called “Destover” attacked the servers at Sony Pictures. “Destover, and the like, are much more dangerous in that they overwrite the master boot record on a computer, not only rendering the computer useless after robbing it blind, but also leaving few bread crumbs for investigators to follow.”(66) Another variant of wiper malware was apparently used to attack the Las Vegas Sands in February 2014, rendering thousands of servers useless. (67)
8. Distributed Denial of Service (“DDoS”) Attacks:
A final method hackers have used to wreak havoc on U.S. and UK companies and financial institutions is the DDoS attack. Over the last several months these attacks have become more prevalent, more powerful, more dangerous, and more thought-provoking.
In a DDoS attack, a hacker, through the use of massive botnets,(68) creates an “army of computers” that then flood a particular website or service with traffic for as long as the attacker chooses to sustain it. Botnets, a very typical threat vector in the financial services and retail spaces, can tie up a company’s Internet-facing systems for hours (and sometimes days), throwing the company offline and frustrating users and customers. Many financial institutions were attacked in 2015 and 2016.(69) Brian Krebs and OVH were hit in September 2016 by DDoS attacks of epic proportions from the “Mirai” botnet, displaying the potential vulnerabilities caused by IoT devices.(70) These attacks were extremely powerful: double the size of previously recorded DDoS attacks (quadruple the size in OVH’s case). Then on October 21, 2016, lightning struck again. A lot of lightning. A major attack struck the DNS provider Dyn, purportedly launched from hundreds of thousands of IoT devices (like Internet-enabled cameras and DVRs) that flooded Dyn’s servers at three different times during the day. The largest wave registered at about 1,200 gigabits per second (1.2 terabits per second). These attacks were powerful, and Dyn understandably could not handle the tremendous volume of Internet traffic. The attacks not only took down Dyn, but also companies that relied upon Dyn for their domain name services (like customer traffic aimed at websites such as Twitter.com). In total, about 70 companies in the U.S. lost Internet connectivity. Imagine no Twitter feed for one day! The Dyn attack is a game changer. Unfortunately, these Mirai-inspired botnet attacks continue today.
The most famous botnet attack of 2014 was the “Grinch-like” attack by the Lizard Squad on the Sony and Microsoft gaming networks on Christmas Day, knocking users offline for hours.(71) Other DDoS attacks have targeted financial institutions.(72) One very large scale DDoS attack was recently launched against the Rio Olympics’ online presence (which televised the Olympics on a streaming basis).(73) Indeed, the Lizard Squad has been very active, taking down the UK National Crime Agency website for a period of time with a DDoS attack.(74) A recent report issued by cybersecurity company Akamai noted that:
For the past three quarters, there has been a doubling in the number of DDoS attacks year over year. And while attackers favored less powerful but longer duration attacks this quarter, the number of dangerous mega attacks continues to increase. In Q2 2015, there were 12 attacks peaking at more than 100 Gigabits per second (Gbps) and five attacks peaking at more than 50 Million packets per second (Mpps). Very few organizations have the capacity to withstand such attacks on their own.
The largest DDoS attack of Q2 2015 measured more than 240 gigabits per second and persisted for more than 13 hours. Peak bandwidth is typically constrained to a one to two-hour window. Q2 2015 also saw one of the highest packet rate attacks ever recorded across the Prolexic Routed network, which peaked at 214 Mpps. That attack volume is capable of taking out tier 1 routers, such as those used by Internet Service Providers (ISPs). The strength of attacks increased throughout 2016, with the largest attacks being registered in the fourth quarter.(75)
One final variant on the DDoS attack is the “smokescreen DDoS” attack: while the company is taking steps to mitigate the DDoS attack, hackers strike with another piece of malware aimed at stealing data. A recent article noted:
In many cases, it may be a coordinated effort, but even if these attacks originate from different sources, IT staff have to allocate resources to solve two problems at the same time, under a lot of stress.
While many attackers do use DDoS as a smokescreen to hide data stealing or network damaging attempts, it’s difficult to attribute them. For sure. … But even if they are unrelated, the fact that they arrive simultaneously — even by chance — a high percentage of the time means security staff should make sure their DDoS-mitigation plan includes resources to look for other incursions.”(76)
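The two operational points in this section, that a volumetric flood is many sources pushing traffic at one destination, and that the mitigation plan should include looking for other incursions while the flood is running, can both be expressed as detection logic over flow records. The script below is an added example for this page, not code from the book or from any DDoS-mitigation vendor. Its flow-record format, its thresholds (packets per ten-second window, minimum distinct sources, the 10.x internal address range, the outbound byte limit) and its sample log are all assumptions constructed for the demonstration; in practice the thresholds are set from the link’s measured baseline. It groups flows into ten-second windows per destination, flags a window as a flood when both the packet count and the number of distinct sources are high, and then re-reads the same window for an internal host sending an unusually large volume outward, the “smokescreen” case in the quote above.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# One flow record per line (constructed format for this example, not any vendor's):
#   <ISO-8601 UTC time> <src> > <dst>:<dport> <proto> pkts=<n> bytes=<n>
LINE_RE = re.compile(r"^(\S+) (\S+) > (\S+):(\d+) (udp|tcp) pkts=(\d+) bytes=(\d+)$")

WINDOW_SECONDS = 10
FLOOD_PKTS_PER_WINDOW = 200_000    # assumed threshold: tune to the link's normal rate
FLOOD_MIN_SOURCES = 50             # assumed: a volumetric flood arrives from many sources
INTERNAL_PREFIX = "10."            # assumed: the organisation's internal address space
OUTBOUND_BYTES_ALERT = 10_000_000  # assumed: one internal host moving >10 MB out during a flood


def parse_flow(line: str):
    """Parse one record; lines that do not match the format are skipped by the caller."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts.timestamp(), "src": m.group(2), "dst": m.group(3), "dport": int(m.group(4)),
            "proto": m.group(5), "pkts": int(m.group(6)), "bytes": int(m.group(7))}


def window_of(ts: float) -> int:
    return int(ts // WINDOW_SECONDS) * WINDOW_SECONDS


def analyze(lines) -> list:
    """Flag flood windows per destination, then large outbound transfers that coincide with them."""
    flows = [f for f in map(parse_flow, lines) if f]
    per_dst = defaultdict(lambda: {"pkts": 0, "srcs": set()})
    for f in flows:
        agg = per_dst[(window_of(f["ts"]), f["dst"])]
        agg["pkts"] += f["pkts"]
        agg["srcs"].add(f["src"])

    alerts, flood_windows = [], set()
    for (w, dst), agg in sorted(per_dst.items()):
        if agg["pkts"] >= FLOOD_PKTS_PER_WINDOW and len(agg["srcs"]) >= FLOOD_MIN_SOURCES:
            alerts.append({"type": "flood", "window": w, "dst": dst,
                           "pkts": agg["pkts"], "sources": len(agg["srcs"])})
            flood_windows.add(w)

    # The "smokescreen" check: while the flood has everyone's attention, watch for data leaving.
    for f in flows:
        if (window_of(f["ts"]) in flood_windows and f["src"].startswith(INTERNAL_PREFIX)
                and not f["dst"].startswith(INTERNAL_PREFIX) and f["bytes"] >= OUTBOUND_BYTES_ALERT):
            alerts.append({"type": "outbound_during_flood", "window": window_of(f["ts"]),
                           "src": f["src"], "dst": f["dst"], "bytes": f["bytes"]})
    return alerts


# Constructed sample: quiet DNS traffic, then 60 sources hammering one resolver while an
# internal host pushes 52 MB out to an external address in the same ten-second window.
SAMPLE_LOG = [
    "2016-10-21T11:09:51Z 10.0.0.12 > 203.0.113.5:53 udp pkts=4 bytes=312",
    "2016-10-21T11:09:55Z 10.0.0.7 > 203.0.113.5:53 udp pkts=6 bytes=470",
    "2016-10-21T11:09:57Z 10.0.0.12 > 192.0.2.44:443 tcp pkts=900 bytes=3000000",
] + [
    f"2016-10-21T11:10:0{1 + i % 9}Z 198.51.100.{i} > 203.0.113.5:53 udp pkts=5000 bytes=320000"
    for i in range(60)
] + [
    "2016-10-21T11:10:05Z 10.0.0.12 > 192.0.2.44:443 tcp pkts=40000 bytes=52000000",
    "garbage line that the parser must skip",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The 3 MB transfer at 11:09:57 is not reported because it falls outside the flood window; the 52 MB one at 11:10:05 is, because it coincides with it. That coincidence is exactly what the mitigation plan should make someone look at while the network team is busy with the flood.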
Who Are the Targets of the Cyber Attacks?
The Verizon DBIR gives a very good summary of the industry segments most affected by cyber incidents and data breaches in calendar year 2015. Setting aside the number of cyber breaches affecting the public sector (like federal and state governments), here are the industry segments suffering the highest number of security incidents with confirmed data losses:
1. FINANCE — No surprise here. Financial organizations hold high value personal and business information and high proprietary trading data, algorithms, and M&A data. These organizations faced cyber threats from both malicious insiders and third parties.(77)
2. RETAIL — Also no surprise given the prevalence of POS attacks. Retailers hold high value personal information and credit card data, as we saw in the Target and Neiman Marcus breaches.
3. ACCOMMODATION (HOTELS, MOTELS) — Similar to retail, these businesses hold high value personal information and credit card data.(78)
4. PROFESSIONAL SERVICE FIRMS (LIKE LAW FIRMS, ACCOUNTING FIRMS, AND CONSULTANTS) — Perceived to be “soft targets” not necessarily concerned about cyberattacks, but an industry segment that typically stores a high volume of both intellectual property and confidential business data of its clients.
5. HEALTHCARE — No surprise, as healthcare organizations hold high value personal information. Well known breaches include Anthem, Premera, Carefirst, UCLA Healthcare System, Excellus Healthcare, and Banner Healthcare.(79) There were also an untold number of ransomware attacks against hospital and healthcare organizations in 2016.
6. EDUCATIONAL INSTITUTIONS — Hackers have recently mined data at institutions such as Harvard, Penn State, the University of Virginia, University of Georgia, Michigan State University and Rutgers University.(80)
Well, enough of the good news. As we noted above, cybersecurity breaches affect everyone. Governments (state and federal), public companies, private companies, healthcare institutions — everyone. And the threats grow every day. The question is, “So what are you going to do about it?”
The answers to that deceptively simple question come through insurance and advanced technical solutions, through better communication and better security investments, and through the integration of cybersecurity into the organization’s overall risk management. A “failure to communicate” is no longer a tolerable excuse. It is time for action.
This article is the introductory chapter of Paul Ferrillo’s and Dr. Christophe Veltsos’ book, “Take Back Control of Your Cybersecurity Now: Game Changing Concepts on AI and Cyber Governance Solutions for Executives.” InfraGard members can download the entire book for free at http://tiny.cc/CyberBook2017
PAUL FERRILLO is counsel in Weil’s Litigation Department, where he focuses on complex securities and business litigation, and internal investigations. He also is part of Weil’s Cybersecurity, Data Privacy & Information Management practice, where he focuses primarily on cybersecurity corporate governance issues, and assists clients with governance, disclosure, and regulatory matters relating to their cybersecurity postures and the regulatory requirements that govern them. He is a prolific writer, speaker, and commentator on a wide range of subjects. He is a frequent contributor of articles concerning securities, cybersecurity, corporate governance, and accounting fraud issues to the New York Law Journal, D&O Diary, Harvard Law School’s Forum on Corporate Governance and Financial Regulation, and other national publications and forums, and is a frequent speaker on securities law, corporate governance, and directors’ and officers’ liability insurance issues for the ALI-ABA, the New York State Bar Association, the American Conference Institute, NACD, and the Directors’ Roundtable.
DR. CHRIS VELTSOS — AKA DR.INFOSEC — is passionate about helping organizations take stock of their cyber risks and manage those risks across the intricate landscape of technology, business, and people. Both faculty and practitioner, Chris understands the value of clear communication, the need to manage human assets and relationships, and the need to manage risks in the digital age. He has advised CEOs, has worked with CIOs, has shadowed and mentored CISOs, and interacted with a wide range of other business executives. He is a frequent speaker and author on all things cybersecurity and privacy related. He has presented at the regional and national level, including at major security conferences like RSA. He has written articles, book chapters, blog posts, and even a white paper. More recently, he’s authored over 35 articles for IBM’s SecurityIntelligence blog on topics ranging from traits of successful CISOs, questions board directors are asking, to the nature of conversations top leaders should have about cyber risks.
(1) See “DNC breach was likely Russia, not 400-pound hacker, law enforcement says,” available at http://www.cnbc.com/2016/09/27/dnc-breach-was-likely-russia-not-400-pound-hacker-law-enforcement-says.html.
(2) See “How Hacked Cameras Are Helping Launch The Biggest Attacks The Internet Has Ever Seen,” available at http://www.forbes.com/sites/thomasbrewster/2016/09/25/brian-krebs-overwatch-ovh-smashed-by-largest-ddos-attacks-ever/#52a6f29e6fb6; “Amateurs were behind the Dyn Inc. DDoS attack, report says,” available at http://www.csoonline.com/article/3134721/security/amateurs-were-behind-the-dyn-inc-ddos-attack-report-says.html.
(3) See e.g. “Vera Bradley says payment system hacked, sales could be affected,” available at http://www.cnbc.com/2016/10/12/
(4) See “Hackerpocalypse: A Cybercrime Revelation,” available at http://cybersecurityventures.com/hackerpocalypse-cybercrimereport-2016/.
(5) See “Hollywood hospital pays $17,000 in bitcoin to hackers; FBI investigating,” available at http://www.latimes.com/business/technology/.
(6) See “Sage Employee Arrested for Insider Breach,” available at http://www.esecurityplanet.com/network-security/sage-employee-arrested-for-insider-breach.html; “The Biggest Cybersecurity Threats Are Inside Your Company,” available at https://hbr.org/2016/09/the-biggest-cybersecurity-threats-are-inside-your-company (noting “In the 2016 Cybersecurity Intelligence Index, IBM found that 60% of all attacks were carried out by insiders.).
(7) See e.g. “Putin denies that Russia hacked the DNC but says it was for the public good,” available at https://www.washingtonpost.com/world/putin-denies-that-russia-hacked-the-dnc-but-says-it-was-for-the-public-good/2016/09/02/d507a335-baa8-40e1-9805-dfda5d354692_story.html.
(8) See “ISIL aims to launch cyberattacks on U.S.,” available at http://www.politico.com/story/2015/12/isil-terrorism-cyber-attacks-217179.
(9) See e.g. “Research Finds Malware In 75% Of The Top 20 Banks In The U.S,” available at http://virusguides.com/research-findsmalware-75-top-20-banks-u-s/ (“As banks continue to grow through acquisition, legacy IT systems and their vulnerabilities are also acquired. In many cases, they remain in place for years. Despite major financial institutions spending billions of dollars on cybersecurity annually, this report suggests the financial industry may not be spending those dollars as effectively as possible. A greater level of protection is required, which should be a concern for their customers and partners”).
(10) See “The Internet of Things: A “National Treasure,” or a Worldwide Problem of Epic Proportions?” available at http://levick.com/blog/public-affairs/the-internet-of-things/; “The Dyn report: What we know so far about the world’s biggest DDoS attack,” available at http://www.zdnet.com/article/the-dyn-report-what-we-know-so-far-about-the-worlds-biggest-ddos-attack/.
(11) See e.g. “How Bitcoin helped fuel an explosion in ransomware attacks,” available at http://www.zdnet.com/article/how-bitcoinhelped-fuel-an-explosion-in-ransomware-attacks/.
(12) See “Russian government hackers penetrated DNC, stole opposition research on Trump,” available at https://www.washingtonpost.com/world/national-security/russian-government-hackers-penetrated-dnc-stole-opposition-research-on-trump/2016/06/14/cf006cb4-316e-11e6-8ff7-7b6c1998b7a0_story.html. (It is suspected that the hack “may have targeted DNC employees with“spear phishing” emails. These are communications that appear legitimate — often made to look like they came from a colleague or someone trusted — but that contain links or attachments that when clicked on deploy malicious software that enables a hacker to gain access to a computer.”)
(13) See “Hackers Target Anti-DDoS Firm Staminus,” available at http://krebsonsecurity.com/tag/ddos/; “Massive Email Bombs Target .Gov Addresses,” available at http://krebsonsecurity.com/ (describing a personal denial-of-service attack, by email bombing, on the mailbox of noted cybersecurity journalist and blogger Brian Krebs).
(14) See “U.S. official blames Russia for power grid attack in Ukraine,” available at http://www.cnn.com/2016/02/11/politics/ukrainepower- grid-attack-russia-us/; see also “FERC Takes Action on Cybersecurity in Response to Ukrainian Cyber Attacks,” available at http://www.jdsupra.com/legalnews/ferc-takes-action-on-cybersecurity-in-87475/ (describing the Federal Energy Regulatory Commission’s proposed response to the Ukrainian grid attack for US electric companies).
(15) See Speech by James B. Comey, Director, Federal Bureau of Investigation, Symantec Government Symposium, Washington, D.C., August 30, 2016, available at https://www.fbi.gov/news/speeches/the-fbis-approach-to-the-cyber-threat.
(16) Testimony of Admiral Michael Rogers, Commander of U.S. Cyber Command and Director of the National Security Agency, before the Senate Armed Services Committee, September 13, 2016, available at http://www.executivegov.com/2016/09/adm-michael-rogersai-human-analytics-integration-can-aid-natl-security-programs/.
(17) See “2016 Financial Stability Oversight Council Report,” available at https://www.treasury.gov/initiatives/fsoc/studies-reports/Pages/2016-Annual-Report.aspx.
(18) See “ISIL Keeps FBI Director Awake At Night,” available at http://www.refinery29.com/2015/07/91202/james-comey-isis-biggestfears.
(19) See “FireEye Releases Annual Mandiant Threat Report on Advanced Targeted Attacks,” found at http://www.fireeye.com/newsevents/press-releases/read/fireeye-releases-annual-mandiant-threat-report-on-advanced-targeted-attacks.
(20) See “Theft of F-35 design data is helping U.S. adversaries –Pentagon,” found at http://www.reuters.com/article/2013/06/19/usafighter-hacking-idUSL2N0EV0T320130619; “Chinese Hacked U.S. Military Contractors, Senate Panel Says,” available at http://www.wsj.com/articles/chinese-hacked-u-s-military-contractors-senate-panel-says-1410968094.
(21) See “Attorney General Eric Holder Speaks at the Press Conference Announcing U.S. Charges Against Five Chinese Military Hackers for Cyber Espionage,” available at http://www.justice.gov/opa/speech/attorney-general-eric-holder-speaks-press-conferenceannouncing-us-charges-against-five.
(22) See “Nation-State Cyber Espionage, Targeted Attacks Becoming Global Norm,” available at http://www.darkreading.com/attacks-breaches/nation-state-cyber-espionage-targeted-attacks-becoming-global-norm/d/d-id/1319025.
(23) See “FBI Probes ‘Hundreds’ of China Spy Cases,” available at http://www.thedailybeast.com/articles/2015/07/23/fbi-probes-hundreds-of-china-spy-cases.html (one FBI official recently noted that “The predominant threat we face right now is from China,”).
(24) See “Russia More Prey Than Predator to Cyber Firm Wary of China,” available at http://www.bloomberg.com/news/articles/
(25) See “First on CNN: FBI investigating Russian hack of New York Times reporters, others,” available at http://www.cnn.
(26) See “Cyber ‘Smear’: Hackers Publish Olympians’ Medical Records,” available at http://abcnews.go.com/International/anti-doping-agency-russian-hackers-published-athletes-medical/story?id=42063565.
(27) See “Obama administration accuses Russian government of election-year hacking,” available at http://www.politico.com/story/
(28) See “Update on Sony Investigation,” available at http://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation; “FBI: North Korea to Blame for Sony Hack,” available at http://krebsonsecurity.com/2014/12/fbi-north-korea-to-blame-for-sonyhack/.
(29) See “Now at the Sands Casino: An Iranian Hacker in Every Server,” available at http://www.businessweek.com/articles/2014-12-11/iranian-hackers-hit-sheldon-adelsons-sands-casino-in-las-vegas; “Iran hackers targeted airlines, energy firms: report,” available at http://www.reuters.com/article/2014/12/02/us-cybersecurity-iran-idUSKCN0JG18I20141202; “Iran-Linked Espionage Group Continues Attacks on Middle East,” available at http://www.securityweek.com/iran-linked-espionage-group-continues-attacks-middle-east; “U.S. charges Iranians for cyberattacks on banks, dam,” available at http://www.cnn.com/2016/03/23/politics/iran-hackers-cyber-new-york-dam/.
(30) See “Syrian Electronic Army Claims to Have Hacked U.S. Army Website,” available at http://www.newsweek.com/syrian-electronic-army-claims-have-hacked-us-army-website-340874.
(31) See “Cyberterrorist Attacks Unsophisticated but Effective: Former FBI Agent,” available at http://www.securityweek.com/cyberterrorist-attacks-unsophisticated-effective-former-fbi-agent; “ISIL plotting deadly cyber-attacks against Britain, George Osborne warns,” available at http://www.telegraph.co.uk/news/uknews/terrorism-in-the-uk/11999607/islamic-state-cyber-attack-plot-britaingeorge-osborne-warns.html.
(32) See “Nation-State Cyber Espionage, Targeted Attacks Becoming Global Norm,” available at http://www.darkreading.com/attacks-breaches/nation-state-cyber-espionage-targeted-attacks-becoming-global-norm/d/d-id/1319025.
(33) See e.g., “Berkshire-owned Dairy Queen says customer data hacked in 46 states,” found at http://www.reuters.com/article/2014/10/10/us-usa-dairy-queen-cybersecurity-idUSKCN0HZ1TM20141010; “Target Now Says 70 Million People Hit in Data Breach,” available at http://www.wsj.com/articles/SB10001424052702303754404579312232546392464.
(34) See “2014 Cost of Data Breach Study: Global Analysis,” available at http://www.935.ibm.com/services/multimedia/SEL03027USEN_Poneman_2014_Cost_of_Data_Breach_Study.pdf.
(35) See 2013 Ponemon Cost of Breach Report Study, found at https://www4.symantec.com/mktginfo/whitepaper/053013_GL_NA_WP_Ponemon-2013-Cost-of-a-Data-Breach-Report_daiNA_cta72382.pdf
(36) See “Target’s data breach fraud cost could top $1 billion, analyst says,” available at http://www.bizjournals.com/charlotte/news/2014/02/03/targets-data-breach-fraud-cost-could-top-1-billion.html. The cost of replacing the compromised credit cards alone could total $400 million or more. See “Banks’ Lawsuits Against Target for Losses Related to Hacking Can Continue,” available at http://bits.blogs.nytimes.com/2014/12/04/banks-lawsuits-against-target-for-losses-related-to-hacking-can-continue/?_r=0.
(37) See “2016 FireEye M-Trends Report,” available at https://www2.fireeye.com/rs/848-DID-242/images/Mtrends2016.pdf (noting that according to Mandiant, in 2015 it took companies an average of 146 days to detect a breach).
(38) Id. The Mandiant report further reports that only 31% of companies were able to discover breaches on their own.
(39) See “Dairy Queen Confirms Breach at 395 Stores,” available at http://krebsonsecurity.com/2014/10/dairy-queen-confirms-breachat-395-stores/.
(40) Available at http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/.
(41) See “New point-of-sale malware distributed by Andromeda botnet,” available at http://www.cio.com/article/2949334/new-pointofsale-malware-distributed-by-andromeda-botnet.html.
(42) See e.g. “Credit Card Breach Hits All Eddie Bauer Stores in U.S., Canada,” available at http://www.esecurityplanet.com/networksecurity/credit-card-breach-hits-all-eddie-bauer-stores-in-u.s.-canada.html.
(43) Id. (“What’s more, these ongoing attacks against retailers, hoteliers and food chains indicate that it’s likely that there are many more businesses that leverage PoS systems that have been attacked but don’t yet know it because of a lack of insight into their risk and security posture”).
(44) See “Anatomy of an Attack: From Spear phishing Attack to Compromise in Ten Steps,” found at https://www.mandiant.com/
(45) See “Nearly half of all web application cyber attacks target retailers, study shows,” found at http://www.computerweekly.com/news/2240235253/Nearly-half-of-all-web-application-cyber-attacks-target-retailers-study-shows.
(46) See “BlackEnergy Malware Plug-Ins Leave Trail of Destruction,” https://threatpost.com/blackenergy-malware-plug-ins-leavetrail-of-destruction/109126#sthash.2zz6Trah.dpuf; see also “Sandworm APT Team Found Using Windows Zero Day Vulnerability,” https://threatpost.com/sandworm-apt-team-found-using-windows-zero-day-vulnerability/108815#sthash.n3Mr8nBo.dpuf.
(47) See “Recent Zero-Day Exploits,” available at https://www.fireeye.com/current-threats/recent-zero-day-attacks.html.
(48) See “Vulnerabilities in 2015: 0-days, Android vs iOS, OpenSSL,” available at http://www.net-security.org/secworld.php?id=18732.
(49) See “Common Vulnerability Scoring System, V3 Development Update,” available at https://www.first.org/cvss.
(50) See “Setting priorities with July’s huge Patch Tuesday,” available at http://www.computerworld.com/article/2947756/applicationsecurity/huge-july-patch-update-with-critical-update-to-ie-and-windows.html.
(51) See “Sixty Percent of Enterprise Application Vulnerabilities Go Unmitigated,” available at http://darkmatters.norsecorp.com/2015/07/13/sixty-percent-of-enterprise-application-vulnerabilities-go-unmitigated (noting that many organizations take three to six months to remediate a known vulnerability).
(52) See “When Good Code Goes Bad,” available at http://www.infosecurity-magazine.com/blogs/when-good-code-goes-bad/.
(53) In this section, we have deliberately not used the acronym “APT” (“advanced persistent threat”). An APT is not per se a “vector.” It is a type of actor (very often nation-state sponsored) that makes a concerted, sustained effort to dig deep into a company’s network and then moves laterally and silently through it to collect sensitive information about a person, a place, or a secret (like the plans for the F-35 fighter jet). The vectors discussed in this section are the means by which such an actor gains and keeps that access. See “Catch Me If You Can: How APT Actors Are Moving through Your Environment Unnoticed,” available at http://blog.trendmicro.com/catch-me-if-you-can-how-apt-actors-are-moving-through-your-environment-unnoticed/?utm_source=twitterfeed&utm_medium=twitter&utm_campaign=information_security.
(54) See “Yahoo Malvertising Attack Points To More Flash Problems,” available at http://www.informationweek.com/software/enterprise-applications/yahoo-malvertising-attack-points-to-more-flash-problems/a/d-id/1321626; See also “Cyphort Labs Issues Special Report on the Rise in Malvertising Cyber Attacks,” available at http://www.darkreading.com/attacks-breaches/cyphort-labs-issuesspecial-report-on-the-rise-in-malvertising-cyber-attacks/d/d-id/1321902 (noting that “Cyphort researchers found that malvertising campaigns carried out by hackers increased 325 percent in the past year.”).
(55) See “BlackHat 2015: 2FA key to defense against cyber espionage groups,” available at http://www.computerweekly.com/
(56) See “Symantec uncovers Morpho cyber espionage operation,” available at http://www.computerweekly.com/news/4500249597/Symantec-uncovers-Morpho-cyber-espionage-operation.
(57) See, e.g., “Skimmer Innovation: ‘Wiretapping’ ATMs,” found at http://krebsonsecurity.com/.
(58) A very recent study of IT decision makers reported that only 68% of the companies surveyed felt that their company was making an adequate investment in technology designed to monitor activities of users with elevated or privileged access rights. See “2015 Cyberthreat Defense Report, North America and Europe,” available at http://www.brightcloud.com/pdf/cyberedge-2015-cdrreport.pdf.
(59) See e.g., “JP Morgan Found Hackers through Breach of Corporate Event Website,” found at http://www.moneynews.com/Companies/JP-Morgan-Hackers-Breach-Website/2014/11/02/id/604663/.
(60) See “Spearphishing Attacks,” available at https://www2.fireeye.com/rs/fireye/images/fireeye-how-stop-spearphishing.pdf.
(61) See 2016 Verizon DBIR
(62) See “IBM X-Force Threat Intelligence Quarterly, 3Q 2015,” available at https://www.01.ibm.com/marketing/iwm/dre/signup?source=swg-WW_Security_Organic&S_PKG=ov38487&S_TACT=C41303YW&dynform=20131. “Ransomware continues to grow very rapidly – with the number of new ransomware samples rising 58 percent in Q2.” See “Ransomware jumps 127%, IoT malware on rise too: McAfee,” available at http://www.firstpost.com/business/ransomware-jumps-127-iot-malware-on-rise-toomcafee-2419582.html. The rise in ransomware activity led the FBI to issue a very good alert in January 2015 on how to avoid potential harm from a ransomware attack. See “Ransomware on the Rise: FBI and Partners Working to Combat This Cyber Threat,” available at https://www.fbi.gov/news/stories/2015/january/ransomware-on-the-rise.
(63) See “Spearphishing Attacks,” available at https://www2.fireeye.com/rs/fireye/images/fireeye-how-stop-spearphishing.pdf.
(64) See “Sony Hack: Ties to Past ‘Wiper’ Attacks?” available at http://www.bankinfosecurity.com/sony-hack-ties-to-past-wiper-attacksa-7644/op-1.
(66) See “Details Emerge on Sony Wiper Malware,” available at http://threatpost.com/details-emerge-on-sony-wiper-malware-destover/109727.
(67) See “Las Vegas Sands’ network hit by destructive malware in Feb: Bloomberg,” available at http://www.reuters.com/article/
(68) A “bot” is “a type of malware that allows an attacker to take control over an affected computer. Also known as ‘Web robots’, bots are usually part of a network of infected machines, known as a ‘botnet’, which is typically made up of victim machines that stretch across the globe,” infecting thousands, if not hundreds of thousands, of computers. See “Bots and Botnets—A Growing Threat,” available at http://us.norton.com/botnet/.
(69) See “Britain’s HSBC Recovers from Massive DDoS Attack,” available at http://www.securityweek.com/britains-hsbc-recoversmassive-ddos-attack.
(70) See “Krebs dropped by Akamai for record DDoS attack, OVH suffers 1100 Gbps DdoS,” available at http://www.scmagazineuk.com/krebs-dropped-by-akamai-for-record-ddos-attack-ovh-suffers-1100-gbps-ddos/article/524556/.
(71) See “Lizard Stresser Runs on Hacked Home Routers,” available at http://krebsonsecurity.com/2015/01/lizard-stresser-runs-onhacked-home-routers/.
(72) See “Cyber attack hits RBS and NatWest online customers on payday,” available at http://www.theguardian.com/business/2015/jul/31/rbs-and-natwest-customers-complain-of-online-problems.
(73) See “How a Massive 540 Gb/sec DDoS Attack Failed to Spoil the Rio Olympics,” available at http://www.tripwire.com/state-ofsecurity/security-data-protection/cyber-security/how-a-massive-540-gbsec-ddos-attack-failed-to-spoil-the-rio-olympics/#.V8mxswwSDY.twitter.
(74) See “Stressed out: Lizard Squad takes down UK law enforcement website in latest DDoS attack,” available at http://siliconangle.com/blog/2015/09/02/stressed-out-lizard-squad-takes-down-uk-law-enforcement-website-in-latest-ddos/.
(75) See “Akamai Releases Q2 2015 State of the Internet – Security Report,” available at http://prwire.com.au/pr/53743/akamaireleases-q2-2015-state-of-the-internet-security-report.
(76) See “Under DDoS attack? Look for something worse,” available at http://www.networkworld.com/article/2984648/security/underddos-attack-look-for-something-worse.html.
(77) See “Corporate Espionage Risk Management For Financial Institutions,” available at http://www.tripwire.com/state-of-security/risk-based-security-for-executives/risk-management/corporate-espionage-risk-management-for-financial-institutions/; “The Damage of a Security Breach: Financial Institutions Face Monetary, Reputational Losses,” available at https://securityintelligence.com/thedamage-of-a-security-breach-financial-institutions-face-monetary-reputational-losses/ (noting that “more than 500 million records have been stolen from financial institutions over the past 12 months as a result of cyberattacks”).
(78) See “Donald Trump’s Hotels Have Reportedly Been Hacked,” available at http://www.nationaljournal.com/tech/donald-trump-shotels-have-reportedly-been-hacked-20150701.
(79) See “Cyber breach hits 10 million Excellus healthcare customers,” available at http://www.usatoday.com/story/tech/2015/09/10/cyber-breach-hackers-excellus-blue-cross-blue-shield/72018150/; “BREAKING: Massive Cyber Attack at Banner Health Affects 3.7M Individuals,” available at http://www.healthcare-informatics.com/news-item/cybersecurity/breaking-massive-cyber-attack-bannerhealth-affects-37m-individuals. Don’t forget that, along with the problems and litigation associated with a data breach, healthcare organizations also face potential HIPAA violations. See, e.g., “Health Care System to Pay Largest Data Breach Settlement Ever,” available at https://www.shrm.org/resourcesandtools/hr-topics/technology/pages/health-care-system-to-pay-largest-databreach-settlement-ever.aspx.
(80) See “Harvard says data breach occurred in June,” available at https://www.bostonglobe.com/metro/2015/07/01/harvardannounces-data-breach/pqzk9IPWLMiCKBl3IijMUJ/story.html; “Who hacked Rutgers? University spending up to $3M to stop next cyber attack,” available at http://www.nj.com/education/2015/08/who_hacked_rutgers_university_spending_up_to_3m_to.html; “University of Georgia hit by cyberattack,” available at http://www.ajc.com/news/local-education/university-georgia-hit-cyberattack/jeGZpeHnYViTSI5u62YhSN/.