Malware Spotlight: The Ransomware Evolution

by
Darren Windham
Senior Security Specialist
VTRAC | Investigative Response
Verizon Enterprise Solutions

Over the weekend of May 13th, the ‘WannaCry’ outbreak put ransomware squarely in the headlines. The Verizon Threat Research Advisory Center keeps Verizon customers up to speed on current ransomware activity through its Threat Bulletin (a monthly Cyber Intelligence Report we send to our security customers). In addition to the bulletin, we thought it was worth looking back at how ransomware has evolved over recent years, and touching on some best-practice recommendations for mitigation and prevention, as well as detection and response.

Ransomware has evolved quite a bit over the years. The basic idea dates back to 1989, and the current wave goes back to 2005 with a variant called Gpcode, which used its own custom (and easily broken) encryption. This early instance targeted specific file types on a system (e.g., Microsoft Office documents, pictures, etc.) and encrypted them.

Then in 2006, we saw another ransomware variant, Cryzip, which copied files into password-protected zip archives and then deleted the originals. However, Cryzip was also easily defeated: the password was embedded in the malicious code and could be recovered by reverse engineering.

From 2008 to 2009, the ransomware landscape shifted to fake anti-virus applications that extorted users by demanding payment to remove non-existent malware from their systems. Notably, in 2008, malware called Randsom imitated a Windows security error message and directed victims to call a premium-rate phone number in order to regain access to their system.

In 2012, we saw a shift to law-enforcement-themed messages that tried to scare victims into paying the ransom to avoid legal ‘prosecution’. This ransomware variant was known as Lyposit. A tool that made these compromises even easier for criminals was the release of the Citadel malware toolkit (based on the Zeus crimeware kit).

The year 2013 brought us some big changes in ransomware including:

  • Fake crypto-malware demanding a $300 payment that didn’t actually encrypt anything, but claimed to target the Safari web browser on Mac OS X
  • A banking Trojan targeting Android devices that, in 2014, evolved into ransomware and locked users out of their mobile devices
  • The first variant of CryptoLocker, distributed through compromised websites or as an email attachment in phishing attacks; Locker, a CryptoLocker variant, and CryptoLocker 2.0 also came onto the scene

The following year, 2014, brought one of the largest and most damaging ransomware families, CryptoWall, which exploited Java vulnerabilities. It was distributed via malicious ads on popular websites, also known as malvertising. According to our 2014 Data Breach Investigations Report (DBIR), ransomware was the 22nd most common type of malware.

By 2015, CryptoWall had surpassed CryptoLocker as the most common ransomware infection. Also new that year was the arrival of crypto-malware as a service in the form of Tox, Fakben, and Radamant. By the middle of the year, CryptoWall 3.0 arrived along with TeslaCrypt v2. TeslaCrypt was the first to target gamers and game-related content, as opposed to the user-created content (documents, media files, etc.) that ransomware commonly targets. Also new in 2015 was LowLevel04, which attacked Remote Desktop and Terminal Services to infect systems.

As highlighted in the most recent DBIR, 2016 saw a 50 percent increase in ransomware, and it was the top malware type within the Crimeware category. Ransomware moved up to 5th most common in the overall malware category.

New variants seen in 2016 included Ransom32, the first ransomware written in JavaScript (packaged with the NW.js runtime), which allowed it to run on multiple platforms. The 7ev3n variant added damage to the infected system on top of the ransom demand. Locky was the predominant ransomware seen in phishing campaigns, delivered through the same spam infrastructure as the Dridex banking trojan. Locky also made headlines when it hit several organizations in the healthcare industry. The year 2016 was a big one for new ransomware variants:

  • SamSam was built to target vulnerable, internet-exposed JBoss servers, and the attackers communicated with victims in real time over Tor
  • KeRanger brought us the first fully functional OS X ransomware, bundled into a trojanized build of the Transmission BitTorrent client
  • Petya, distributed through Dropbox links, went after the Master Boot Record (MBR) instead of individual files and then encrypted the Master File Table (MFT), leaving the whole disk unreadable
  • ZCryptor was one of the first cryptoworms: it spread on its own to removable drives and other systems on the network, encrypting each machine and shared drive it reached

CryptXXX was also new; it was distributed by the Angler Exploit Kit and saw widespread use.

So far in 2017, we are seeing more variations on the same theme, as attackers build their own versions from open-source ransomware code and update the variants that have worked well over the years. If one thing is clear, it is that this problem is not going away any time soon.

In terms of mitigation and response countermeasures, these are essentially the ones we provided for ‘the Fetid Cheez’ ransomware scenario in the 2017 Verizon Data Breach Digest (DBD), as well as in the 2016 DBD Update ‘Data Ransomware: User and File Space Error’:

Mitigation and Prevention

  • Train and sensitize users to report phishing and suspicious system activity
  • Keep host-based and enterprise anti-virus solutions updated
  • Patch third-party applications as soon as possible
  • Remove local administrative rights
  • Deploy a File Integrity Monitoring (FIM) solution
  • Test and validate data backup processes
  • Set file shares to read-only mode wherever write access is not required

Detection and Response

  • Block access to C2 servers
  • Check the ownership of encrypted files to identify the infected user account; take the infected systems offline
  • Recall known phishing emails from mailboxes; block certain attachments
  • Deploy Group Policy Objects (GPOs) to block execution of files from user-writable locations and to disable Office macros
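The “check encrypted file ownership” step above is the one responders most often need to do quickly on a file share: find the files that have already been encrypted, then group them by owner, because the account that wrote the encrypted copies is the infected user and its workstation is the one to take offline. The script below is an added example, not Verizon’s code or part of the Digest. It assumes a small illustrative list of ransomware extensions and ransom-note names, reads ownership from the POSIX uid returned by os.stat() (on an NTFS share you would read the owner SID instead), and builds its sample share in a temporary directory.

```python
"""Ransomware triage over a file share: flag files that look encrypted and
group them by owner so the responder knows which accounts (and therefore
which workstations) to take offline first.

Added example, not Verizon's code. The indicator lists are a short
illustrative set (assumption), ownership comes from the POSIX uid in
os.stat(), and the sample share below is constructed in a temp directory.
"""
import math
import os
import shutil
import tempfile
from collections import Counter, defaultdict
from pathlib import Path

# Assumed indicators, deliberately short for the example.
RANSOM_EXTENSIONS = {".locky", ".cerber", ".crypt", ".ecc", ".zzz"}
RANSOM_NOTE_NAMES = {"_Locky_recover_instructions.txt", "HELP_DECRYPT.TXT"}
# Formats that are high-entropy by design (archives, media, and modern Office
# files, which are zip containers); never report these on entropy alone.
HIGH_ENTROPY_FORMATS = {".zip", ".gz", ".7z", ".jpg", ".png", ".mp4", ".pdf",
                        ".docx", ".xlsx", ".pptx"}
ENTROPY_THRESHOLD = 7.5   # bits/byte; ciphertext sits near 8.0, text near 4-5


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(path: Path, sample_size: int = 4096) -> bool:
    """True if the file has a known ransomware extension, or if its first bytes
    are as random as ciphertext and the format is not high-entropy by design.
    The entropy branch catches families that encrypt in place without renaming."""
    ext = path.suffix.lower()
    if ext in RANSOM_EXTENSIONS:
        return True
    if ext in HIGH_ENTROPY_FORMATS:
        return False
    with path.open("rb") as fh:
        head = fh.read(sample_size)
    return len(head) >= 256 and shannon_entropy(head) >= ENTROPY_THRESHOLD


def triage_share(root) -> dict:
    """Walk the share; return encrypted files, ransom notes, and a count of
    encrypted files per owning uid (highest count = first account to disable)."""
    encrypted, notes = [], []
    by_owner = defaultdict(int)
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            if name in RANSOM_NOTE_NAMES:
                notes.append(rel)
            elif looks_encrypted(path):
                encrypted.append(rel)
                by_owner[os.stat(path).st_uid] += 1   # who wrote the ciphertext
    return {"encrypted": sorted(encrypted), "notes": sorted(notes),
            "by_owner": dict(by_owner)}


def build_sample_share(root) -> None:
    """Constructed sample data: one renamed victim, one encrypted in place, a
    ransom note, a plain-text file and a zip archive that must not be flagged."""
    folder = Path(root) / "finance"
    folder.mkdir(parents=True, exist_ok=True)
    (folder / "budget.xlsx.locky").write_bytes(os.urandom(2048))
    (folder / "memo.csv").write_bytes(os.urandom(4096))       # in-place encryption
    (folder / "_Locky_recover_instructions.txt").write_text("pay us\n")
    (folder / "notes.txt").write_text("quarterly numbers\n" * 64)
    (folder / "archive.zip").write_bytes(os.urandom(4096))    # legit high entropy


def run_demo() -> dict:
    """Build the constructed share in a temp dir, triage it, clean up."""
    tmp = tempfile.mkdtemp(prefix="share-")
    try:
        build_sample_share(tmp)
        return triage_share(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    result = run_demo()
    for rel in result["encrypted"]:
        print("encrypted:", rel)
    for rel in result["notes"]:
        print("ransom note:", rel)
    for uid, count in result["by_owner"].items():
        print(f"uid {uid}: {count} encrypted files -> isolate this user's host")
```

Two caveats a responder should keep in mind: the entropy test is only meaningful on file types that are normally low-entropy (text, CSV, logs, older Office formats), which is why the high-entropy formats are excluded rather than scored; and file ownership on a share only identifies the writing account, so confirm the host from the share server’s session list or the SMB logs before pulling a machine off the network.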

Would you like to learn more about Crypto Malware and data breaches?

2017 DBIR

Get the 2017 Data Breach Investigations Report (DBIR). It’s our foremost publication on security, and one of the industry’s most respected sources of information.

2017 DBD

Read the Data Breach Digest for the story of Verizon’s most intriguing cybercrime investigations. Learn about the attacker’s tactics, the victim’s mistakes and the scramble to limit the damage.

Verizon’s Data Breach Digest – Perspective is Reality

by John Grim
RISK Team | Verizon

2017 is here and this means it’s Data Breach Digest season. This year, just like last, we released the 2017 Digest at the RSA Conference in San Francisco, CA. What makes this year’s Digest different from last year? Stakeholders!

So, what do we mean by stakeholders?

Well, data breaches are complex affairs often involving some combination of human factors, hardware devices, exploited configurations, or malicious software. Data breach response activities—investigation, containment, eradication, notification, and recovery—are correspondingly complex. These activities, and the lingering post-breach after-effects, aren’t just an IT security problem; they’re an enterprise problem involving Legal Counsel, Human Resources, Corporate Communications, and other Incident Response (IR) stakeholders. Each stakeholder brings a different perspective to the breach response effort.

To illustrate this complexity, this year’s “Data Breach Digest – Perspective is Reality” (a.k.a. “the IR Stakeholder Edition”) presents each breach scenario from a different stakeholder’s point of view (PoV). Within this PoV, the stakeholder narration looks at critical decision pivot-points, split-second actions taken, and crucial lessons learned from cases investigated by us – the Verizon RISK Team.

These IR stakeholders often include top-level leadership (i.e., the “strategic” decision-makers), middle-level managers (i.e., the “tactical” decision-makers), and a variety of technical and non-technical subject matter experts (i.e. “the trusted advisors”) on cyber-security and breach response. If organized by relationship to the victim organization, there are two groups: “internal” stakeholders – those who are part of the victim organization, and “external” stakeholders – those who are outside the victim organization, such as the Verizon RISK Team.

For the 2017 Data Breach Digest, 16 different stakeholders present a data breach scenario from their respective PoV. Within this group, ten internal (a.k.a. victim) stakeholder PoVs are represented: CIO, CISO, Legal Counsel, Human Resources, Corporate Communications, Incident Commander, Internal Investigator, IT Security Manager, SOC Analyst, and Endpoint Detection and Response (EDR) Technician. We round this out with six external (RISK Team) stakeholder PoVs: Lead Investigator, Endpoint Forensics Examiner, Malware Reverse Engineer, Network Forensics Specialist, CIP/CS Specialist, and PFI Investigator.

As was the case last year, we organized the data breach scenarios into one of four “Clustered Groupings”:

  • The Human Element – four scenarios highlighting human-related threat actors or targeted victims
  • Conduit Devices – four scenarios covering device misuse or tampering
  • Configuration Exploitation – four scenarios focusing on reconfigured or misconfigured settings
  • Malicious Software – four scenarios centering on sophisticated or special-purposed illicit software

Each breach scenario consists of an “Attack-Defend Card” along with a scenario narrative. Each Attack-Defend Card is specific to the scenario and covers four areas: “breach scenario,” “incident pattern,” “threat actor,” and “targeted victim.” We drew this content from the previous three years of RISK Team caseload, as well as VERIS, NAICS, and CIS Critical Security Controls (CSCs). Each scenario is brought to life through a narrative told from a unique stakeholder PoV to walk the reader from initial incident detection (and validation), to response and investigation, and then to lessons-learned.

To use the 2017 Data Breach Digest, here are four approaches:

  1. “The Kitchen Sink” – dive in and read from start to finish
  2. Scenario – home in on a specific Clustered Grouping
  3. Industry or Data Breach Investigation Report (DBIR) Incident or Both – use the Digest’s Usage Matrix to map victim NAICS industry to DBIR incident pattern to the most applicable scenario(s)
  4. IR Stakeholder – leverage the Attack-Defend Card “Key Stakeholders” sub-category to focus on certain stakeholders

The Data Breach Digest provides a great data breach study reference for not just IT security practitioners, but for nontechnical IR stakeholders as well.

We hope you enjoy reading our latest installment of the Data Breach Digest and in doing so, gain that new perspective on data breach response!

 

Data Breach Digest Update: Data Ransomware – the Catch 22

by John Grim

RISK Team/Verizon

The Data Breach Digest—a compilation of scenarios issued by the Verizon RISK Team at the beginning of the year—was written as a companion to the Data Breach Investigations Report (DBIR). In creating this DBIR companion, we tried to make it both entertaining and informative. To tell the story, we took an investigations ride-along approach and brought the DBIR and its underlying VERIS data to life for a broader audience, beyond the typical IT security crowd.

The Data Breach Digest proved to be such a hit that we decided to release several follow-up publications in the form of three scenario updates for Incident Response stakeholders and 18 Cyber Security Awareness Month (CSAM) posters intended for the end user audience. More about the scenario updates in a minute.

These CSAM posters, which can be printed and hung up on your organization’s break room message board or disseminated digitally, can be accessed and downloaded from here.

The three follow-ups to the original 18 scenarios are as follows:

Update #1 – In September, we followed up on Scenario #12:  ‘CMS Compromise – the Roman Holiday’ and provided five mitigation recommendations and five response recommendations specific to this rather prevalent scenario.

Update #2 – Then in October, we followed up on Scenario #8:  ‘Hacktivist Attack – the Dark Shadow’ by providing five mitigation and five response recommendations specific to this lethal scenario.

Update #3 – And finally, this month, we decided to take another look at Scenario #15:  ‘Data Ransomware – the Catch 22’ by providing a ‘Key3x5x5 Approach’ to detecting, responding to, and mitigating crypto malware attacks.

Scenario #15 – ‘Data ransomware—the Catch 22’ was identified as one of six ‘lethal’ scenarios.  Since the Data Breach Digest publication, the RISK Team has had several cases involving different varieties of ransomware, including CryptoWall, TeslaCrypt, KeRanger, Locky, and Cerber variants. Nonetheless, the ‘Key3x5x5 Approach’ of detection, response, and mitigation essentially remains the same. So check out the ‘Data Breach Digest – Update:  Data Ransomware:  User and File Space Error’.

Download the Data Breach Digest. Download the three scenario updates. Download the 18 CSAM posters. Use them to help improve your Incident Response posture for mitigating, detecting, and responding to the most prevalent and most lethal data breach scenarios.

As social engineering activities increase buyer beware of tech support scams

By Roy Porter
Verizon Cyber Intelligence Center
Remote Tech Support Report

Threat Vector: Social Engineering

VCIC has tracked consistent variations in social engineering tactics throughout 2016, including wire fraud, tech support scams, and tactics used to entice the opening of malicious email attachments. Active threat reporting by Microsoft in October 2016 further highlights the prevalence of this problem, with two out of three people having been targeted in the past year by a specific type of social engineering attack known as the remote tech support scam. One in five of those targeted ended up victimized by downloading software, visiting a malicious site, allowing remote access, or handing over financial information. Microsoft estimated that in 2015, tech support scammers stole an estimated $1.5 billion. The loss may be immediate financial loss, loss of information, or an organization rendered unable to operate.

Recent Case Highlights

In today’s organizations, users expect IT helpdesk support via remote administration. In this environment, a tech support scammer’s goal is to establish a remote session through which malicious software is installed, data is exfiltrated, or configuration changes are made. This method isn’t new; it’s now being combined with recent tactics, such as ransomware. For example, in March 2016, the popular TeamViewer software, reportedly used by 90%+ of Fortune 500 companies, was the main delivery vector for the Surprise ransomware variant. Additionally, Symantec has observed a new feature in the tech support scams it is detecting – the use of code obfuscation in the pop-ups used to lure victims, in an effort to avoid automated detection.

Several recent cases involving remote tech support scams are highlighted here, including the tactics, tools and procedures used by the attackers to gain a remote session.

Case 1:

  • User encounters pop-up on corporate laptop with a suspicious activity warning
  • User calls support number listed on the popup
  • Scammer convinces user to visit hxxp://anydesk.com and download/execute anydesk.exe
  • Scammer establishes session with corporate laptop

Case 2:

  • User receives unsolicited phone call after browsing non-business related websites on corporate system
  • Scammer directs user to visit hxxp://client.teamviewer.com and download/execute teamviewer.exe
  • Scammer establishes session with corporate system

Case 3:

  • User receives unsolicited phone call regarding a qualifying refund
  • Scammer convinces user to allow access to system via Logmein Rescue software
  • User directed to scammer controlled site that is actually a fake portal for a refund service
  • Scammer establishes session and captures the user’s banking credentials

Recommendations

Even as attackers evolve their tactics in carrying out a remote tech support scam, there are general security practices that organizations can take to lessen the chances of falling victim. VCIC recommends considering the following:

  • Restrict software installation rights to privileged users
  • Block access to popular remote access software sites
  • Establish policies and practices whereby users can verify the validity of any contact with personnel offering tech support
  • Maintain a whitelist of approved software and enforce at endpoints
  • Educate users that they will never be instructed by tech support to install additional software downloaded from the internet
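The three cases above share one chain: a DNS lookup of the remote-tool vendor’s site, a download, and the tool launched by the user’s browser on a host where that tool was never approved. The script below turns the allowlist recommendation into a detection over endpoint telemetry. It is an added example, not VCIC’s code: the log records are constructed and only mimic the fields of Sysmon process-create and DNS-query events, and the tool-to-domain map, the browser list and the approved-tool list are assumptions to be replaced with your own inventory.

```python
"""Flag tech-support-scam style remote sessions from endpoint telemetry: an
unapproved remote-access tool launched on a host, correlated with a DNS lookup
of the vendor's site shortly before and with a browser as the parent process
(the "visit the site, download it, run it" chain).

Added example, not VCIC's code. SAMPLE_LOGS is constructed; REMOTE_TOOLS,
APPROVED_TOOLS and BROWSERS are assumptions for the example.
"""
import json
import ntpath
from datetime import datetime, timedelta

# Assumed: remote-access binaries and the vendor domains a user is sent to.
REMOTE_TOOLS = {
    "anydesk.exe": {"anydesk.com"},
    "teamviewer.exe": {"teamviewer.com", "client.teamviewer.com"},
    "support-logmeinrescue.exe": {"logmeinrescue.com"},
}
APPROVED_TOOLS = {"teamviewer.exe"}        # assumption: the helpdesk's own tool
BROWSERS = {"chrome.exe", "firefox.exe", "iexplore.exe", "msedge.exe"}
LOOKBACK = timedelta(minutes=30)           # DNS lookup must precede launch by <= this

# Constructed sample telemetry, one JSON object per line. Raw string so the
# Windows backslashes survive JSON decoding.
SAMPLE_LOGS = r"""
{"ts":"2016-11-02T14:01:10","event":"dns","host":"LT-0417","user":"CORP\\jsmith","query":"anydesk.com"}
{"ts":"2016-11-02T14:03:45","event":"process","host":"LT-0417","user":"CORP\\jsmith","image":"C:\\Users\\jsmith\\Downloads\\AnyDesk.exe","parent":"chrome.exe"}
{"ts":"2016-11-02T09:15:00","event":"process","host":"WS-1102","user":"CORP\\helpdesk","image":"C:\\Program Files\\TeamViewer\\TeamViewer.exe","parent":"explorer.exe"}
{"ts":"2016-11-02T16:40:02","event":"process","host":"WS-2231","user":"CORP\\mlee","image":"C:\\Users\\mlee\\Downloads\\Support-LogMeInRescue.exe","parent":"firefox.exe"}
{"ts":"2016-11-02T11:20:30","event":"dns","host":"WS-2231","user":"CORP\\mlee","query":"logmeinrescue.com"}
"""


def parse_events(text: str) -> list:
    """Decode one JSON event per line and sort by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_unapproved_remote_tools(text: str) -> list:
    """One alert per launch of a remote tool that is not on the approved list,
    with the evidence a responder wants: was the vendor site looked up just
    before, and was the binary started by a browser (a fresh download)."""
    events = parse_events(text)
    dns_by_host = {}
    for ev in events:
        if ev["event"] == "dns":
            dns_by_host.setdefault(ev["host"], []).append(ev)

    alerts = []
    for ev in events:
        if ev["event"] != "process":
            continue
        tool = ntpath.basename(ev["image"]).lower()
        if tool not in REMOTE_TOOLS or tool in APPROVED_TOOLS:
            continue
        window_start = ev["ts"] - LOOKBACK
        vendor_dns = any(
            d["query"].lower() in REMOTE_TOOLS[tool]
            and window_start <= d["ts"] <= ev["ts"]
            for d in dns_by_host.get(ev["host"], [])
        )
        alerts.append({
            "host": ev["host"],
            "user": ev["user"],
            "tool": tool,
            "when": ev["ts"].isoformat(),
            "launched_from_browser": ev["parent"].lower() in BROWSERS,
            "vendor_site_visited_first": vendor_dns,
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_unapproved_remote_tools(SAMPLE_LOGS):
        print(alert)
```

On the constructed data the approved TeamViewer launch by the helpdesk is ignored, the AnyDesk launch on LT-0417 is reported with both the DNS lookup and the browser parent present (the Case 1 pattern), and the LogMeIn Rescue launch on WS-2231 is reported without the DNS evidence because the lookup fell outside the 30-minute window. The last case is the reason to alert on the unapproved binary regardless and treat the correlated fields as severity, not as a filter: a scammer can just as well read a URL out over the phone, as in Case 3.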

Cyber Insurance Part V

by Mark Rasch,

Managing Principal, Cybersecurity

You get a call at 2AM from your sysadmin with the four worst words you can hear from a sysadmin.  “Oh, by the way…” You have had a breach.  A big one.  You assemble your internal team.  You put into place your data breach, forensics and investigation plan.

Because you had planned ahead for this eventuality, and had a Rapid Response Retainer program from Verizon, you call in their team of investigators, researchers and analysts.  You bring in your legal team (in house and outside counsel.) You coordinate your activities with relevant law enforcement agencies.  You bring in your HR and crisis communications team.  You prepare press releases for your CIO or CISO or CEO or whomever, depending on the scope and scale of the breach.  You retain and bring in a data breach notification team to send out the tens of thousands of data breach notification letters or emails.  You retain a company to provide credit freeze or credit monitoring for affected customers.  You obtain documents and records from the relevant ISPs to track down the bad guys.  You monitor the dark web to see whether any purloined information shows up on the black market.  You prepare for potential class action lawsuits by shareholders, customers, business partners, credit card issuers, or third party merchants.  You prepare for litigation with the FTC or state consumer protection regulators.  You prepare your international response; all the things that you prepared for when you retained Verizon’s rapid response team – except one.

One of the things you did (and it is looking pretty smart right now) was to purchase cyber insurance.  Not general cyber insurance, mind you.  But data breach insurance.  Exactly what you need.  You’ve been paying premiums for a couple of years, and now that investment has paid off.  Maybe.   Data breach and cyber insurance policies are frequently written in a way that creates ambiguities about what breach costs are covered and which are not.  Exclusions for things like criminal activities of insiders may be used to limit coverage when the breach occurs as a result of an employee’s conduct with respect to phishing, and “first party” coverage may limit payments only to your customers, and not to their banks, credit card companies, card brands, or other merchants who are impacted by stolen credit cards.  If medical records are breached, you may have a conflict between your breach insurance policy and your publicity policy (that’s your general liability policy that covers breach of privacy or publicity), especially if issued by different carriers.  But none of these policies provide any coverage if you don’t notify your insurer.

Insurance policies typically contain at least two duties of the insured as a condition of coverage.  A duty to promptly notify of the claim and a duty to cooperate with the insurer with respect to the claim.  Policies typically require that the insurer “promptly be notified, in writing, of any casualty loss, third-party liability claim, or occurrence that could give rise to a liability claim.”  Seems simple, no?  No.  What does “in writing” mean?  Mail?  E-Mail? Text message? Does prompt oral notification suffice for notice?  And what is an “occurrence that could give rise to a liability claim?”  A breach?  A potential breach?  An investigation of a potential breach?  Oh, and of course, what is “promptly?”  It’s so much better to get these terms worked out (at least informally) before a claim than litigated afterwards.  All of the costs you incurred before notifying the insurer may end up being for naught if you don’t notify.

The duty to cooperate extends the duty to notify and generally would require the insured to keep the insurance company apprised of all material facts concerning the loss or underlying claim, and to respond fairly to all reasonable insurer requests for information and documentation.  Many data breach insurers may insist that you use their data breach investigators, or their counsel, or their forensics teams, or at least teams that have been approved by them as a condition of coverage.   If you want to continue to use the team that you know and trust, the one that you have retained in advance, the one with knowledge and awareness of your policies and procedures, networks and devices, then tell your breach insurers that you intend to use your own team and that you have a Rapid Response Retainer service, and get them to buy in.  In fact, since such a retainer service can help limit the cost and impact of a breach, your breach insurer is not only likely to let you use your own team, but may reduce your premiums or increase your coverage for having the foresight to have planned for potential breaches.  It’s worth a conversation.  ‘Cause everyone loves talking about insurance, amirite?

Hacktivist Attack – the Dark Shadow

by John Grim

RISK Team/Verizon

The Data Breach Digest—authored and published by the Verizon RISK Team earlier this year—slices through the FUD, the Fear, Uncertainty, and Doubt, that’s so prevalent in the world of cyber security. In doing so, the Data Breach Digest reveals what’s really happening in the world of cyber investigations. And more importantly, what you, the Incident Response stakeholder, should do when faced with a data breach.

We took a ‘RISK Team ride-a-long’ approach to telling our story, and selected 12 of the most prevalent scenarios we have seen, and six of the most lethal scenarios we have seen in the past three years of our caseload. Each scenario narrative follows a common path:

  • ‘detection and validation’ – the state of the data breach prior to us getting involved
  • ‘response and investigation’ – us responding and working hand-in-hand with the victim
  • ‘remediation and recovery’ – our final feedback to the victim – expert, experienced feedback to get them back on their feet

For this month, we selected one of the six lethal scenarios to follow-up on:  Scenario #8 of the Data Breach Digest, ‘Hacktivist Attack—the Dark Shadow’, which detailed the breach of a critical infrastructure provider by a determined hacktivist seeking to punish or embarrass their target rather than seeking personal financial benefit. The associated scenario follow-up takes a ‘Key 5×5 Approach’ by providing five recommendations on mitigating and five recommendations on responding to hacktivist attacks.

Download the Data Breach Digest. Read about the Dark Shadow and the 17 other RISK Team-experienced scenarios, and use the lessons-learned to mitigate and respond to those most prevalent and most lethal data breaches.

Data Breach Digest Update: CMS Compromise

by John Grim
RISK Team/Verizon

The Data Breach Digest—released this past February by the Verizon RISK Team—has brought a fresh perspective to the security conversation. Its underlying premise was that ‘many data breach victims believe they are in isolation, dealing with sophisticated tactics and zero-day malware never seen before.’ The RISK Team has seen otherwise. To us, few breaches have been unique – there is tremendous commonality in real-world cyber-attacks.

Based on 18 actual cases that we’ve investigated, the Data Breach Digest makes security tangible and real to not only the technical Incident Response stakeholders, but all stakeholders who are involved in incident response. And, in doing so, it encourages everyone to become an important link within the security chain.

One of the cases we investigated involved actual pirates hacking a global shipping company’s content management system (CMS) to steal the freight records and target their theft of valuables. This Update provides recommendations on how you can mitigate the threat of a CMS attack and how you should respond if you are breached.

Download the Data Breach Digest.  Read it, learn from it, and use it to mitigate and respond to those most prevalent and lethal data breaches that we – the RISK Team – have come across.

 

Making the Most of Limited Security Resources

Author: Joan Ross, Managing Principal, Cybersecurity

“If your enemy has no ships, building submarines may not be the best use of your limited resources,” a CIO conveyed at a recent Verizon 2016 Data Breach Investigations Report (DBIR) session.  Accountable for building and maintaining major infrastructure, he and the chief information security officer were actively strategizing together on how best to utilize and stretch their limited security resources for the year.  Knowing the threats to your industry is the first step in evolving the most effective security strategies, obtaining priority budget, and educating all personnel within your organization.

While the breach data in this year’s report is sobering (for example, the share of breaches that victim organizations detect themselves has decreased greatly), there is encouraging information on how to get ahead of these attacks. Eighteen of the most common attacks are detailed within the Verizon 2016 Data Breach Digest.

We know from empirical evidence that in 82% of the security breaches we investigated, evidence of the activity leading up to the breach was present in the victim’s logs.  One of the most significant things a security team can do as part of its rapid response practice is therefore to be able to gather the last 90 days of logs from critical and non-critical systems.

There should be standard operating procedures, and training for the team, for gathering log data, for two reasons.  First, it is critical to rehearse incident response activities before an actual breach, so that evidentiary data can be collected quickly (within 24 hours) and with proper chain-of-custody handling.  That rehearsal means that when a real breach may be under way, the data gets rapidly into the hands of the responding experts, who can then more accurately identify the source and defend against known attack patterns.
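The collection step above is worth scripting before the breach rather than during it: pull everything within the window, hash each file on both sides of the copy, and write a manifest that records who collected what and when, so the copy handed to the responders can be proved unaltered later. The script below is an added example, not Verizon’s code or its retainer tooling. The manifest layout is an assumption, not a standard; the source directory and sample log files are constructed; and the 90-day window is applied on file modification time.

```python
"""Collect the last N days of logs into an evidence bundle with a
chain-of-custody manifest (SHA-256 per file, collector, collection time),
and verify the bundle later so a responder can show it was not altered.

Added example, not Verizon's code. The manifest layout, the source
directory and the sample log files are constructed for the example.
"""
import hashlib
import json
import os
import platform
import shutil
import tempfile
import time
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Streamed SHA-256 so multi-GB logs do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _iso(ts: float) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def collect_logs(src_root, dest_root, days=90, collector="responder", now=None) -> dict:
    """Copy every file under src_root modified within `days` into dest_root,
    hash source and copy, and write the manifest. Returns the manifest."""
    now = time.time() if now is None else now
    cutoff = now - days * 86400
    src_root, dest_root = Path(src_root), Path(dest_root)
    dest_root.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in sorted(p for p in src_root.rglob("*") if p.is_file()):
        st = src.stat()
        if st.st_mtime < cutoff:
            continue                                  # outside the window
        rel = src.relative_to(src_root)
        dst = dest_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)                        # copy2 preserves mtime
        digest = sha256_file(src)
        if sha256_file(dst) != digest:                # hash both sides
            raise RuntimeError(f"copy of {rel} does not match source")
        entries.append({"path": rel.as_posix(), "size": st.st_size,
                        "mtime": _iso(st.st_mtime), "sha256": digest})
    manifest = {"host": platform.node(), "source": str(src_root),
                "collector": collector, "collected_at": _iso(now),
                "window_days": days, "files": entries}
    (dest_root / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_bundle(dest_root) -> list:
    """Re-hash every file named in the manifest; return the paths that no
    longer match (an empty list means the bundle is intact)."""
    dest_root = Path(dest_root)
    manifest = json.loads((dest_root / MANIFEST_NAME).read_text())
    bad = []
    for entry in manifest["files"]:
        f = dest_root / entry["path"]
        if not f.is_file() or sha256_file(f) != entry["sha256"]:
            bad.append(entry["path"])
    return bad


def run_demo() -> dict:
    """Constructed scenario: one recent log, one 200-day-old rotated log that
    must be skipped; collect, verify, tamper with the copy, verify again."""
    src = tempfile.mkdtemp(prefix="logs-")
    dst = tempfile.mkdtemp(prefix="evidence-")
    try:
        now = time.time()
        recent = Path(src) / "auth.log"
        recent.write_text("Nov  1 02:13:07 host sshd[412]: Failed password for root\n")
        old = Path(src) / "old" / "auth.log.9.gz"
        old.parent.mkdir()
        old.write_bytes(b"stale")
        os.utime(old, (now - 200 * 86400, now - 200 * 86400))
        manifest = collect_logs(src, dst, days=90, now=now)
        clean = verify_bundle(dst)
        (Path(dst) / "auth.log").write_text("tampered\n")
        tampered = verify_bundle(dst)
        return {"collected": [e["path"] for e in manifest["files"]],
                "clean_check": clean, "tampered_check": tampered}
    finally:
        shutil.rmtree(src, ignore_errors=True)
        shutil.rmtree(dst, ignore_errors=True)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Two practitioner notes: the manifest should itself be hashed and that hash recorded out of band (a ticket, a signed e-mail) at hand-over, since anyone who can edit the bundle can edit the manifest; and the modification-time window is a storage trade-off for non-critical systems only, because an attacker with write access can backdate files, so critical systems should be collected in full.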

Secondly, and just as important, if you take the additional step of getting the data from the rehearsal into the hands of trusted experts with the right tools, the early behaviors and reputations associated with increased attacks can be identified to help prevent a serious attack.  This puts valuable digital intelligence into the hands of your security team, executives and board of directors about where potentially malicious traffic and connectivity is following known patterns.  While security information and event management (SIEM) systems may detect perhaps up to 15% of potentially malicious activity, proactively reviewing your data by hunting for known malicious patterns and behaviors is increasingly useful in getting ahead of the remaining 85% of more sophisticated attacks.

The best way to get ahead of security breaches is to familiarize your team with these patterns, and build your strategy based on relevant, empirical evidence for your organization.

Making the Move to Managed Security Services

Author: Joan Ross, Managing Principal, Cybersecurity

One of the hardest realities for chief information security officers (CISOs) to confront is what concrete protections can be achieved with the annual resources available to them.  Theirs is a vital function, albeit typically with a smaller staff and budget than other divisions.  One must constantly evaluate and protect against the ongoing concern that someone with malicious intent will breach or disrupt the organization’s operations, and obtain sensitive customer information and secret business intellectual property.  Being a CISO is not for the faint of heart.

Prioritizing relevant risk to their organization and determining appropriate treatment with their executive team is an ongoing process. When necessary security funding is not allocated, or resources are few, the CISO is in a difficult position.  Ultimately, they bear the responsibility of a breach, even should it occur through a business supplier on systems outside of their control.  There may be limited people and mitigating controls to provide quality information security assurance.

2016 is the year more CISOs are making an honest evaluation of their team’s core security competencies and annual funding.  While difficult to relinquish control, the realization is they have no control or insight if the security functions are not being fulfilled.  This is when the tough decision is made to move the most time-consuming and burdensome security activities to a quality managed security services provider (MSSP).

In hindsight, CISOs relay that moving to an MSSP has been one of the best decisions for the organization, provided they select a strong MSSP.  They’re able to obtain more actionable security intelligence from experts at recognizing patterns and events, and it frees up their limited resources to devote to the evolving business security strategy and improvements.

Expanding access capabilities, burgeoning security devices, and the continual monitoring of threats and vulnerabilities take a toll, both professionally and financially. MSSPs are an acceptable option provided the CISO conducts the appropriate due diligence on the third-party provider.  This is where the experience, skill, certifications, reputation and investment in ongoing personnel training of the MSS provider matter; the selection criteria must weigh more than any cost efficiencies.

At a minimum, today’s CISO needs a rapid response retainer in place.  Established organizations are moving to contractually require these retainers of their critical business partners.  The reason for this is simple: preventing, detecting, containing and managing information security incidents requires trained professionals, reliable processes, chain-of-custody expertise, and forensics experts available at a moment’s notice.  With a retainer in place, organizations can report suspicious activity and have it qualified, or have a response course of action, within minutes.  In seventy percent of the targeted breaches we analyzed, the incident spread to the secondary victim(s) within twenty-four hours once the attack was successful – a risk no CISO takes lightly in consideration of their organization, customers, and business partners.

Briefing the Board: Directing Security Evolvement

Author: Joan Ross, Managing Principal, Cybersecurity

If an organization’s CISO is not regularly updating the Board of Directors (BoD), there is an inherent disconnect in the security viability of the organization.  The function of the BoD is to act on the behalf of the best interests of shareholders and stakeholders in validating a well-managed company.

A CISO’s agenda for the BoD begins with three primary areas:

  1. What we know and have tested recently regarding security controls.
  2. What we don’t know or haven’t effectively evaluated at this time.
  3. Priorities for risk, budget, and evolving strategy based on a combination of #1, #2, current and planned business model, and current threat intelligence for your industry.

Verizon publishes the Data Breach Investigations Report (DBIR) on an annual basis for the greater good of the security community at no cost. This intelligence is heavily leveraged for the empirical research and investigation findings it provides, including trends in the common attack patterns.  Every security organization has it available to them to utilize as the basis for their BoD presentations and ongoing security awareness training for the organization.

CISOs convey that the most important graphic for them to begin their BoD presentation is the DBIR Incident Classification Patterns and percentages for their industry.  Annual budgets and periodic new budget needs can leverage the attack trends to justify requests.  While many security professionals may be aware of the proliferation of these patterns and methods, rarely is the BoD.  Today’s CISO educates their BoD as part of every briefing opportunity on how the organization remains potentially vulnerable.

The BoD is responsible for gaining an understanding of the routine occurrence of many of these data breaches and asking their organization the tough questions on risk reduction to prevent, detect, defend against and mitigate these intrusions.  Verizon’s Data Breach Digest illustrates twelve of the most common recurring attacks and methods, and six of the emerging, more sophisticated attack types to guard against.

With the publication of these reports, which are truly brief reads, there is no reason for top leadership, including the BoD, not to be aware of the risk, commonality and methods of the majority of security breaches in their industry.  The measure of a well-managed company is evolving to one where these attack risks are mitigated with BoD support.