Category

Risk and Liability

The New Battlefront 101: Cyber Attacks on Governments

Categories: Cyber Warfare, Data Protection, Risk and Liability

Governments are a major target of cyber-attacks, which increase during times of conflict. The primary goals of cyber-attacks focused on government and governmental organizations are gathering information, disrupting critical infrastructure, and eroding public trust.

Collecting and Compromising Data: Governments have massive amounts of information on citizens, businesses, academia, and intellectual property that are lucrative targets, especially with the United States’ posture toward Freedom of Information and transparency in government. Even more sensitive is information on military or otherwise classified activities. These could be as simple as communications between embassies on upcoming events or as sensitive as transferring weapons to the Ukrainian military. Regardless, it is a rich target for anti-government militia, international terrorists, industrial espionage, nation-state spies, and any other flavor of cybercriminals. If cybercriminals can steal that non-public data from governments, they can sell that data, hold it as blackmail, or release it to cause damage to an administration, business, or group of citizens. While his data was not collected through cyber attacks, Alexander Hamilton was a known victim of blackmail. Many victims of blackmail won’t come forward as he did, but with the amount of information that can be accessed on the internet, it can be assumed that the number of blackmail cases has increased.

Taking Down a Nation: Critical infrastructure includes the vast network of highways, connecting bridges and tunnels, railways, utilities, communications, and buildings necessary to maintain normalcy in daily life. Transportation, commerce, clean water, and electricity rely on these vital systems[1]. These sectors are typically controlled by a government organization or a regulated company that works with the government to provide the service. The energy sector is one of the main targets of cyber-attacks against critical infrastructure, but it is not the only one. Transport, public sector services, telecommunications, and critical manufacturing industries are also vulnerable. The goal of cyberattacks on these sectors is to disrupt economies, destroy critical infrastructure, and disable public services. Our CEO, Kris Schroeder, discussed the goals of Cyber Attacks in a recent ABC News segment. Governments need to decide how to deal with the cybersecurity risks associated with both the physical and cyber systems and assets that control all sectors. Since the incapacity or destruction of one of these sectors would have a debilitating impact on physical or economic security or public health or safety, governments cannot avoid this risk. So they must try to mitigate the likelihood of an attack or transfer the responsibility of an attack to a third party.

Eroding Public Trust: If citizens feel that their government can’t protect them from attack, their faith in their government will decrease. Cyber attacks will only grow in their severity and impact, which will result in increased tensions between governments and citizens. Governments are meant to act as digital stewards and showcase how to react to a cyber attack. However, cyber attacks have caused increased tension between governments, especially the superpowers, so there has been a lack of digital stewardship. The World Economic Forum’s (WEF) annual Global Risks Report highlights the erosion of public trust around governments’ ability to prevent, counter, and retaliate against cyber attacks. WEF specifically calls out that “without mitigation, governments will continue to retaliate against perpetrators (actual or perceived), leading to open cyberwarfare, further disruption for societies, and loss of trust in governments’ ability to act as digital stewards.”

Cyber attacks against a government or nation rarely take a single form. This was especially clear in the Colonial Pipeline cyber attack, which took out a critical infrastructure pipeline. The lack of communication and misinformation eroded public sentiment and trust, causing panic buying of fuel. Grey Market Labs’ Chief Engineer, Fred Kenowski, experienced this impact directly: “Working remotely, I don’t depend on driving daily to do my job. However, living in a rural area, many folks depend on a steady fuel supply from a limited number of gas stations for their lengthy commutes, trips to the store, or to keep all their farm equipment running. Shortly after the pipeline shut down, there were long lines at the gas stations filled with folks running on empty or panic buying and stocking up. Later the following day, all the pumps in the county were closed because they were out of gas. It wasn’t initially clear when the pumps would turn on again, and it created a lot of concern with many I spoke to questioning if they would be able to work soon if service wasn’t restored quickly.”

Without clear communication from the government and an immediate solution in sight, there was a lot of panic buying that drained the Just-In-Time supply chain of fuel quicker than was necessary. Prevention is the best medicine, but strong plans must be in place to mitigate the inevitable cyber attack that breaks through and the likely human response it will trigger. The White House released a Best Practices Fact Sheet following the Colonial Pipeline cyber attack focusing on establishing an interagency response group to monitor and address the cyber attack. The US Government Accountability Office created an outline to put the United States in a better position to prevent or more quickly detect and mitigate the damage of future cyberattacks by highlighting the need to develop and execute a more comprehensive federal strategy, mitigate global supply chain risks, and enhance the federal response to cyber incidents[2]. Government should continue to embrace concepts that fundamentally change the landscape and render some of these attacks irrelevant. Zero trust architectures, specifically those with isolation, limit the scope of any attack, and advanced approaches like moving target defense (i.e., rotation of computer settings on a regular basis) make hacking attempts fail because criminals are always seeing different settings and don’t have a fixed thing to attack.

 

***The next article in The New Battlefront 101 series will discuss how misinformation affects public perspective.

___________________________________________________________________________________

Grey Market Labs® is a Certified B-Corp founded with the mission to protect life online. Our Replica™ platform orchestrates, automates, and secures Environments-as-a-Service, making organizations more protected with our patented privacy and Zero Trust architecture and more productive by increasing access to critical data, tools, and workflows simply, on-demand, anywhere. Replica™ supports dozens of use cases that span industries: from disrupting fraud on the dark web, to supporting military operations, combatting human trafficking, and enabling trusted data sharing in healthcare.

Grey Market Labs® is the first cybersecurity product company recognized as a Certified B-Corp organization.

Contact us to see how we can work together.

The New Battlefront 101: Introduction

Categories: Cyber Warfare, Risk and Liability

Battles and wars were previously fought head-on, on a physical battlefield, but now we are seeing a transition in how and where battles are fought. These battles are now fought in the digital and physical worlds. This way of fighting will become the new normal, especially when developed countries are at the forefront. In this article, we will cover what cyber attacks are, how they happen, and what you can do to protect information.  We will also cover information warfare and how information can be used to change public perspective.

More cyber attacks are being announced, and every day sensitive, proprietary, and vulnerable information is at risk. Recently, Microsoft had partial source code pertaining to Bing and Cortana stolen as part of a cyber attack. The White House also just warned about possible plans by the Russian government to target critical American infrastructure and released a best practices fact sheet for institutions and individuals to refer to in order to protect themselves.

Cyber attacks aren’t the only type of digital warfare that people need to be concerned about. Information warfare has profoundly and permanently changed how wars are fought. People are using the internet during almost every waking moment of their lives. Every time they actively access the internet (to check the weather, access Instagram, transfer money, etc.), they are being bombarded by information. Additionally, people are having their information collected whenever they access the internet, including passively by their installed apps collecting data from phones at all times. That information is then distributed to data actors who sell or act on the collected personal information.

Cyber Attacks

Anyone can be a victim of cyber attacks, and they are as common as ever now. Personal information, account information, and anything posted online is at risk for a cyber attack. These cyber attacks aim to disable, disrupt, destroy, or control computer systems or to alter, block, delete, manipulate or steal the data held within systems and accounts. Every major company or government in the world has had some sort of cyber attack. Those attacks can result in breaches of information or systems being shut down. Below are some of the most common types[2]:

  • Malware is malicious software, including spyware, ransomware, viruses, and worms. Malware breaches a network through a vulnerability, typically when a user clicks a dangerous link or email attachment that then installs risky software.
  • Phishing is a type of social engineering attack often used to steal user data, including login credentials and credit card numbers. It occurs when an attacker, masquerading as a trusted entity, dupes a victim into opening an email, instant message, or text message and providing personal or sensitive information.
  • Man-in-the-middle (MitM) attacks, also known as eavesdropping attacks, occur when attackers insert themselves into a two-party transaction. The goal of an attack is to steal personal information, such as login credentials, account details and credit card numbers.
  • A denial-of-service attack floods systems, servers, or networks with traffic to exhaust resources and bandwidth. As a result, the system is unable to fulfill legitimate requests.
  • Structured Query Language (SQL) injection occurs when an attacker inserts malicious code into a database that uses SQL and forces the server to reveal information it usually would not.
  • A zero-day exploit is an unknown exploit that exposes a vulnerability in software or hardware and can create complicated problems well before anyone realizes something is wrong.
  • DNS tunneling is a method of cyber attack that encodes the data of other programs or protocols in DNS queries and responses. DNS tunneling often includes data payloads that can be added to an attacked DNS server and used to control a remote server and applications.

Since cyber attacks are inevitable, people, institutions, and governments must decide how they want to respond to the risks of these attacks. The different risk mitigation strategies for cyber threats are Mitigate, Avoid, Transfer, Accept, and Escalate a Risk. To mitigate risk is to do something to reduce the impact or the probability of a threat. Organizations can avoid risk by choosing different products, adding additional security to their information, hiring additional resources, adopting different technical solutions, or changing project scope. Transferring risk puts the risk on another party, typically by outsourcing that operation to another organization, so the new organization is responsible for the risks. When organizations decide to accept a risk, they decide that the risk is acceptable and will not take any action to mitigate it.

Cyber attacks can threaten someone’s way of life. Still, the risks and chance of attacks decrease dramatically through proper education and preparation. The government, private companies, and nonprofits all share ways to protect yourself, such as the Cybersecurity & Infrastructure Security Agency, FireEye, and “No More Ransom”.

Information Warfare

Information has been the maker and breaker of wars, as generals relied heavily on information gathering about opposing forces when making their battle plans. George Washington credits his spies and information gathering as a key reason for defeating the British. It’s no different today on the cyber battlefield. The advent of the internet in the mid-1980s has restructured the landscape of information sharing, availability, gathering, and dissemination. However, just because all this information is out there doesn’t mean that this information is good. The saying that “a lie can travel around the world and back again while the truth is lacing up its boots” was true when Mark Twain said it and still is today.

Misinformation (fake news, fabricated images, and clickbait articles) is spread faster and further than research-backed information. Facebook has been fighting a losing battle with falsified information, and everyone has seen that information on their feed. For example, 49% of adults in the United States shared information online, which they later found was made up[1]. People often don’t even know that the information they shared was incorrect until after the fact, and by the time they realize it, the information has already been circulated to their connections. However, in the same survey, 10% of those adults admitted to sharing information online that they knew was false, which introduces a new problem of disinformation – the practice of knowingly spreading false information.

False information creates worlds of problems, but just the ability to access information and the promotion of information is another tactic used in information operations or information warfare (aka IW). GAO.gov defines Information Warfare as the use of information-related capabilities during military operations to influence, disrupt, corrupt, or usurp the decision making of adversaries and potential adversaries while protecting our own. Propaganda is one example and has been used for centuries to spread information to different groups that may not have access to that information. While propaganda itself has a bad connotation, it can be beneficial and involves many different ways of sharing information. Propaganda can be written, musical, or visual and plays upon and channels complex human emotions towards a desired goal. The Uncle Sam poster became the symbol of American patriotism starting in World War I, and the “We can do it!” poster became a symbol for female workers’ morale in World War II.

Misinformation, disinformation, and propaganda all have their place on the cyber battlefield. They all rely on the spreading of information to influence public opinions and alter outcomes of diplomacy, negotiations, and all-out conflict.

 

***The next article in The New Battlefront 101 series will discuss how cyber attacks on governments affect everyone.

___________________________________________________________________________________


Zero-Trust Principles: Best Practices Refined

Categories: Data Privacy, Data Protection, Risk and Liability

The Office of Management and Budget released a memo outlining the Federal Government’s strategy for implementing a zero-trust architecture (ZTA) across its technology footprint. This memo is part of a broader effort to modernize US cybersecurity in the wake of a string of high-profile attacks on the US and US companies.

While some of the requirements in the memo are already commonplace security policies, there are a few guidelines in the memo that might be a dramatic change from the strategy some organizations are currently employing. Here’s our summary of some of the new guidelines we think you shouldn’t miss:

  1. Authenticate users to applications, not to networks. It’s no longer good enough to lean on perimeter security and assume that traffic on your network is trustworthy. Single-sign-on solutions are mature and widely supported – use them for every application!
  2. Use multi-factor authentication (MFA), but don’t use one-time passcodes, SMS passcodes, or push notification prompts. These are susceptible to phishing attacks. Use a solution that is resistant to phishing, like FIDO2, WebAuthn, or PIV.
  3. Stop requiring that users regularly change passwords or use special characters. While this once was considered best practice, it is now known to decrease security because it leads to password reuse (and credential-stuffing attacks) or unsafe storage practices.
  4. Consider eliminating passwords entirely! It is possible to have multi-factor authentication without one of the factors being a password. It’s more convenient for your users, and a password isn’t adding much security if your users are reusing it across multiple sites and it ends up in a password breach.
  5. Encrypt all HTTP, DNS, and email traffic, even on internal networks. It’s not uncommon to see these unencrypted on many networks, but these all carry sensitive information, and leaving them in plaintext leads to an increased attack surface.
  6. Isolate environments and assign access with granular attribute-based access control, rather than giving role-based access to users or enhanced visibility by default.
  7. Have a process in place to take security vulnerability reports from the general public, and respond to them promptly.

___________________________________________________________________________________

Grey Market Labs is a Certified B-Corp founded with the mission to protect digital life. We build revolutionary software including Replica and hardware products, and partner with like-minded industry leaders, to create a future with “secure-environments-as-a-service”.

Contact us to see how we can work together.

Multi-cloud by Design, or You Fail

Categories: Information Security, Risk and Liability

A scaling issue took out huge swaths of AWS last week. In the same week, the Log4j exploit required 84 updates from Amazon across dozens of their major AWS services. Every major software company has issued emergency patches and will be cleaning up the aftermath from this pervasive vulnerability for months, if not years. That is a problem, and the blame is only slightly on the Apache developers having a flaw in their software. Flaws and errors are going to happen, forever, even when DevSecOps is fully adopted. People make mistakes.

The problem here is the oversized impact of these flaws on companies that rely on AWS for critical and core aspects of their business. The weakness in most cloud strategies has been in the adoption of a single cloud platform or provider. Even when an organization uses multiple providers, their cloud-hosted data and applications are not designed to fail over to another cloud; they just fail. Redundancy within a cloud system is great, but a single point of failure, no matter how large or backed up, is still a single point of failure.

First, adopt new technology with a mandate to be multi- or hybrid-cloud. Demand failovers, at least for critical users and processes. If you can afford it, make sure data availability is part of that multi-cloud strategy.

Second, leadership needs to get on board and stop putting irrational constraints or mandates on the use of cloud resources and Zero Trust architecture. Yes, demand transparency, observability, and the data to support it but stop forcing your organization to use Azure because, “the CEO signed a memorandum.” Agreements like that put corporate privacy and security in jeopardy.

Third, get educated on the topics and know your options. Seek out companies that give you multi-cloud, reduce your IT costs, and at the same time, increase your Privacy and Security. Ask for responsiveness and partnership from your software vendors to understand their deployment strategy, dependencies and Software Bill of Materials.

And finally, get every last Log4j instance patched across your organization. Reach out if you need us; we are here to help. https://www.replicacyber.com

___________________________________________________________________________________


Ransomware Attacks from Critical Infrastructure to Police Departments

Categories: Data Protection, Information Security, Risk and Liability

Ransomware attacks have been growing over the past three years and in just the past 2 weeks have shown how public these attacks have become. The first attack on Washington DC (Metropolitan) Police resulted in a massive leak of internal information because they did not meet the blackmail demands[1]. The second major attack was on the Colonial Pipeline, which shut down the pipeline, resulting in fuel shortages up and down the East Coast. The Colonial Pipeline operators decided to pay the ransom of 75 Bitcoin or nearly $5 million USD[2]. Government organizations can’t pay ransom per longstanding practices, but commercial groups decide to pay or not based almost purely on cost and impact to their bottom line. The latter could encourage more ransomware attacks since they are so lucrative, but there is very little to guarantee that systems or data are completely “released” once ransom payments are made. We need a better way.

Ransomware can infiltrate an organization through hacking or in the ways that a computer virus might spread. Once executed, the ransomware essentially holds your data and systems hostage. It’s rather effective because rather than attempting to steal all your data, it typically will encrypt all your data and make your systems unusable and unreadable until a ransom is paid for the decryption key.

With the release of the Executive Order on Improving the Nation’s Cybersecurity, ransomware has become a top priority of the White House. Previous attacks against police departments have resulted in cases being dropped due to the offices being locked out of their computers[3]. Police departments need to protect sensitive data such as background check files by keeping them separate and ensuring that they can recover the data if they are locked out.

It’s impossible to prevent all forms of hacking. Therefore, one must also develop a strategy to mitigate the effects of an attack. As referenced in the recent Executive Order, Zero Trust, a framework that assumes you and your organization have been or will be compromised, is a tremendous step forward in changing how computing systems are built and how truly resilient they can be. This involves the same strategies one would implement for a disaster recovery plan, which includes taking regular backups of all the data and rebuilding the infrastructure supporting that data in a short amount of time. Isolated Secure Enclaves, provided by Grey Market Labs, are one possible solution to the problem that police departments face when trying to keep information protected, allowing sensitive forensics (e.g., exploitation reviews) to take place on modern technology and providing increased access for officers while increasing the security of all their digital work.

___________________________________________________________________________________

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online. We build revolutionary software and hardware products, and partner with like-minded industry leaders, to create a future with “privacy-as-a-service”.

Simply: we prevent data from being compromised and protect our customers’ work, online.

Contact us to see how we can work together.

Pattern-of-Life through Electricity Monitoring

Categories: Data Privacy, Information Security, Risk and Liability

Household electricity monitoring provides insight into the usage of electronics in the home. Monitoring can be accomplished through commercial products (e.g., those described at https://www.bobvila.com/articles/best-home-energy-monitor) or through a utility provider’s service (such as the Duke Home Energy Report). These insights can help pinpoint which devices are wasting energy to help the homeowner save money. The analysis of electricity by these products or providers is so in-depth that they extract exact brand information on individual devices based on how much electricity that device is using and the unique electrical signature it produces.

This information can also be used for Pattern-of-life analysis to expose the daily activities inside the home – which could be used for anything from targeted advertising to exploiting security weaknesses. It is important for homeowners to be aware of how this data is being used and what rights they have over it in order to make informed decisions when managing risk and participating in politics.

#GREYdient Score: 3/10

___________________________________________________________________________________


Cyber Liability Insurance: Part of a comprehensive security plan

Categories: Data Privacy, Information Security, Risk and Liability

It seems like every day there is a new story about a data breach and how millions of sensitive user records have been exposed.  The financial and healthcare industries are two of the biggest targets with some of the most sensitive data about people’s daily lives.  Theft and exposure of this data can open up these institutions to huge financial losses in the form of lawsuits and lost business.  Companies need ways to prevent and mitigate these potential losses.  Well-designed security protocols and software can prevent many of the data breaches that happen daily.  There will always be some risk of a breach but the use of best practices and strong security software reduces the number of attack vectors and thus significantly diminishes the risk.

Knowing that there always remains the risk of a breach, the question every company should be asking is: Should Your Business Get Cyber Liability Insurance?  As the CEO of LowCards.com (a free consumer resource website covering the credit card industry) points out, “many businesses are now turning to cyber liability insurance to minimize their risk of loss.”  Bill Hardekopf provides a great 101 on Cyber Liability Insurance and why you should consider it.  An important takeaway from the article is that “The insurance provider will evaluate policies, software and hardware to check for potential areas of weakness.”  The provider may even set a minimum standard for obtaining insurance or charge higher premiums for companies with weaker practices and software. Even if the standards aren’t there today, they will be emerging, and they will begin to affect rates and overall liability of a data compromise or a breach.

A good analogy to cyber liability insurance is property insurance, something every business should have.  Basic safety measures like fire extinguishers and smoke detectors are often minimum standards for even obtaining property insurance.  More advanced features like a security alarm system result in discounts on the premium paid for insurance.  In the same way with cyber liability insurance, installing anti-virus software or an advanced counter-exploitation platform could be considered a minimum standard or result in reduced premiums.

Given the importance of preventing a data breach, most companies already implement countermeasures. However, given the likelihood a business will be the target of a successful data breach, companies should also consider adding cyber liability insurance. Having a comprehensive plan for prevention and mitigation will help a company weather any storm that confronts them.

 


 

Grey Market Labs is a Public Benefit Corporation founded with the social mission to protect life online for people and organizations. Our software and hardware products are creating a future with privacy-as-a-service, delivering proactive internet protection from the moment of access to countering exploitation of digital behavior and activity. Simply: we prevent data from being compromised, establish trust between users, and protect our customers’ work, online.

Contact us to see how we can work together.