
Thursday, May 8, 2014

Dyman & Associates Risk Managements Projects: 8 Tips for Keeping Spreadsheets Secure

For most businesses, spreadsheets offer a simple way to perform key business functions, such as accounting, data analysis or chart creation. But many of the user-friendly advantages of spreadsheets also make them susceptible to data or security errors that can create nightmares for organizations if overlooked.

According to the European Spreadsheet Risk Interest Group (EuSpRIG), a global resource for spreadsheet risk management, spreadsheet errors can have a tangible impact on companies ranging from lost revenue or fraud to poor decision-making or financial failure.

In a recent survey by Forrester Research, only 10 percent of 155 IT decision makers surveyed said they provide an alternative to Microsoft Office. Although Excel is an excellent business tool, it still requires careful auditing, particularly as the complexity of a spreadsheet increases, says Jürgen Schmechel, owner of Capitalise-IT, a Sydney-based consultancy specializing in spreadsheet auditing and business strategies for growing companies. By following best practices for spreadsheet use, whether Microsoft Excel or an alternative, many common problems can be prevented, he says.

1. Define parameters for use- “Complex spreadsheets in large enterprises normally involve several departments, and designing an effective template for each process is often necessary,” says Schmechel. By identifying requirements for spreadsheet use up front, companies can avoid common errors such as versioning mistakes or allowing the wrong person access.

2. Perform an audit- Identify the most critical spreadsheets used within your organization and ensure ad hoc sheets are not used for critical processes. “Logical handover processes for spreadsheets are crucial, especially when multiple departments are involved,” says Schmechel.

3. Don’t rely on document protections- Security features such as password protection, hiding or protecting sheets and other features are not actually designed to secure information and can be easily bypassed. “Many companies do not consider that software is readily available to crack passwords or are unaware that opening an Excel document on the iPad using a $10 app called Numbers will remove all perceived protection features such as hidden sheets,” says Schmechel. “The fact that third-party solutions also remove such so-called protection is another issue, with common examples including cloud offerings from Google and Zoho,” he adds. Sheet protection and hidden sheets are flags stored inside the file, not encryption, so any program that parses the file can read the data. Preventing this problem means controlling who can obtain the file in the first place rather than relying on settings inside it.

4. Determine sharing requirements- Make a distinction between spreadsheets designed for internal and external use, ensuring that confidential information or source data is not present in documents designed for third-party review. “Alternatively, use PDF format only for third parties,” says Schmechel.

5. Secure at the file level- Security must be enforced at a file level for true protection. “File or directory-based, read-only or edit permissions for internal spreadsheets is recommended, given the open nature of spreadsheets,” says Schmechel.

6. Utilize document management- Implement an internal document management system that includes file versioning, testing and approval processes before sharing takes place.

7. Don’t forget to check the work- Manual data entry and custom formulas must be checked to correct errors just like a spell-check is needed on text documents. Studies indicate that almost 90 percent of spreadsheets contain errors ranging from minor to severe. “Larger companies often base multimillion-dollar decisions on spreadsheet information that contains errors. If a $10,000 external audit ensures all data is correct, the expense is worth it,” says Schmechel.

8. Bring your own- With BYOD increasing, companies must also consider spreadsheet security for personal mobile devices and for documents created using software from home or freeware, such as Google Docs. Decide whether employees can send out spreadsheets to third parties or edit them on portable devices using Polaris Office, Kingsoft Office or other solutions. Alternatively, maintain all data on local servers, with remote access technology granted to approved staff and frequent audits from uninvolved parties.
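Tip 3 is easy to verify for yourself: an .xlsx file is a zip archive of XML parts, and "hidden" and "protect sheet" are attributes in that XML rather than access controls. The Python below is an added illustration, not code from the article or from Capitalise-IT. It builds a two-sheet workbook in memory (the sheet names, cell values and the sheetProtection hash value are constructed samples; Excel writes more parts than the ones shown, which are only those that carry the flags), reads the hidden sheet's contents straight out of the archive without any password, and then rewrites the file with both flags removed, which is all a third-party viewer or converter has to do.

```python
"""Hidden sheets and sheet protection in .xlsx are XML flags, not access
controls. Added illustration; the workbook below is constructed in memory."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"
ET.register_namespace("", NS_MAIN)
ET.register_namespace("r", NS_REL)


def _sheet_xml(values, protected):
    """Minimal worksheet part with one inline-string cell per row."""
    rows = "".join(
        '<row r="%d"><c r="A%d" t="inlineStr"><is><t>%s</t></is></c></row>'
        % (i, i, v) for i, v in enumerate(values, 1))
    # Excel stores only a 16-bit hash of the protection password; sample value.
    prot = '<sheetProtection sheet="1" password="CC1A"/>' if protected else ""
    return ('<worksheet xmlns="%s"><sheetData>%s</sheetData>%s</worksheet>'
            % (NS_MAIN, rows, prot))


def build_sample_xlsx():
    """Constructed workbook: a visible summary sheet plus a hidden, 'protected'
    sheet holding the source data. Real files carry more parts than these."""
    parts = {
        "xl/workbook.xml": (
            '<workbook xmlns="%s" xmlns:r="%s"><sheets>'
            '<sheet name="Summary" sheetId="1" r:id="rId1"/>'
            '<sheet name="SourceData" sheetId="2" state="hidden" r:id="rId2"/>'
            '</sheets></workbook>' % (NS_MAIN, NS_REL)),
        "xl/_rels/workbook.xml.rels": (
            '<Relationships xmlns="%s">'
            '<Relationship Id="rId1" Type="%s/worksheet" Target="worksheets/sheet1.xml"/>'
            '<Relationship Id="rId2" Type="%s/worksheet" Target="worksheets/sheet2.xml"/>'
            '</Relationships>' % (NS_PKG, NS_REL, NS_REL)),
        "xl/worksheets/sheet1.xml": _sheet_xml(["Q1 total", "123456"], False),
        "xl/worksheets/sheet2.xml": _sheet_xml(["Customer salaries", "CONFIDENTIAL"], True),
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        for name, xml in parts.items():
            z.writestr(name, xml)
    return buf.getvalue()


def inspect_workbook(xlsx_bytes):
    """Read every sheet, hidden or not, and report whether it is flagged
    hidden/protected. Nothing here needs a password or Excel."""
    out = {}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        # rId -> worksheet part, resolved through the workbook's relationships.
        rels = {r.get("Id"): r.get("Target")
                for r in ET.fromstring(z.read("xl/_rels/workbook.xml.rels"))}
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for sh in wb.iter("{%s}sheet" % NS_MAIN):
            ws = ET.fromstring(z.read("xl/" + rels[sh.get("{%s}id" % NS_REL)]))
            out[sh.get("name")] = {
                "hidden": sh.get("state") == "hidden",
                "protected": ws.find("{%s}sheetProtection" % NS_MAIN) is not None,
                "cells": [t.text for t in ws.iter("{%s}t" % NS_MAIN)],
            }
    return out


def strip_protection(xlsx_bytes):
    """Rewrite the archive with every sheet visible and unprotected."""
    src = zipfile.ZipFile(io.BytesIO(xlsx_bytes))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for name in src.namelist():
            data = src.read(name)
            if name == "xl/workbook.xml":
                root = ET.fromstring(data)
                for sh in root.iter("{%s}sheet" % NS_MAIN):
                    sh.attrib.pop("state", None)      # un-hide
                data = ET.tostring(root)
            elif name.startswith("xl/worksheets/"):
                root = ET.fromstring(data)
                for prot in root.findall("{%s}sheetProtection" % NS_MAIN):
                    root.remove(prot)                 # un-protect
                data = ET.tostring(root)
            dst.writestr(name, data)
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample_xlsx()
    for name, info in inspect_workbook(doc).items():
        print(name, info)
    print("after strip:", inspect_workbook(strip_protection(doc))["SourceData"])
```

The point for tips 4 and 5 follows directly: a hidden "SourceData" sheet leaves the file with anyone you send it to, so confidential source data has to be removed (or the file flattened to PDF) before external sharing, and who can open the file at all has to be controlled by file-system or document-management permissions, not by the workbook.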

The ubiquity of spreadsheet use within organizations of all sizes can make it easy to overlook the risks they pose. Companies that follow these simple best practices can reduce their exposure to both errors and security flaws.

Wednesday, May 7, 2014

Dyman & Associates Risk Managements Projects: For cloud providers, fraud detection is integral part of business plan

Cloud providers have attracted enterprise customers with the promise of rapid elasticity, on-demand provisioning, high availability and a pennies-per-hour pricing model. But there's just one problem: These very qualities have enticed criminals to adopt cloud services as well.

When a scam artist is looking to set up a phishing scheme to gain access to victims' bank accounts, the built-in redundancy, scalability and automation capabilities of cloud servers are extremely appealing. And when all it takes to procure cloud services is a working credit card -- without ever needing to deal with a live salesperson -- the cloud becomes an even more viable base from which criminals can commit fraud.

"All of the advantages of the cloud for enterprises are the advantages for the bad guys," said Jeff Spivey, international vice president of ISACA, a founding member of the Cloud Security Alliance (CSA) and president of Security Risk Management Inc., a Charlotte, N.C., information security consultancy. "It's that anonymity and scale that's attractive to the fraudsters."

Without proper cloud-based fraud detection and prevention practices in place, cloud providers can become unwitting hosts for cybercriminals. It's a threat that can expose providers to legal liabilities, profit loss and blacklisting. What's more, any cloud provider can become a target.

"While cloud has been a phenomenal enabler for legitimate businesses, it's also been a phenomenal -- and I mean phenomenal -- enabler for fraud and fraudulent activity," said John Rowell, senior vice president of research and development as well as global service operations at Dimension Data, a South African cloud and managed services provider. "Fraud is a huge deal on the business side."

How does cloud-based fraud occur?

Across the broader market, discussions about cloud security have focused primarily on the customer side of the equation. Even as cloud providers continue to devote the resources necessary to ensure that customer data is secure, they can't overlook the fact that some of their own customers could be a threat.

Fraud manifests in the cloud in several ways, according to experts. Typically, fraudsters use a stolen credit card to procure virtual machine (VM) instances or platform services on which they build their operations -- among them phishing schemes, money-transfer scams, identity theft and malware.

"[You] can go get a fraudulent credit card, a good one -- it'll be working, but it'll be stolen -- for less than a dollar," Rowell said. "So, think about how the cloud enables [criminals]. All they have to do is sign up online and they can have a server in five minutes for less than a buck, and it's a throwaway identity."

In a joint investigation in 2012, researchers from McAfee Labs and Guardian Analytics uncovered a massive, cloud-based banking fraud operation that attempted to bilk an estimated $78 million from account holders in Europe, Latin America and the United States. The investigation, dubbed "Operation High Roller" because of the criminals' focus on high-balance accounts, found the scheme's success hinged on the resource availability and automation in the cloud, as opposed to a single host computer.

"With no human participation required, each attack moves quickly and scales neatly," investigators wrote in a report.

In some cases, criminals skip the stolen credit cards altogether and instead crack into a legitimate customer's account, hijacking the VMs to use for their own fraudulent activities. Cyber criminals are also looking to Infrastructure as a Service to provide vast amounts of on-demand processing power to launch distributed-denial-of-service attacks, according to Raj Samani, vice president and chief technology officer of McAfee Inc.'s EMEA operations.
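The signup pattern described above (a stolen but working card, a throwaway identity, servers provisioned within minutes and put to work immediately) is what a provider's own fraud screening has to catch at account creation and during the first hour of use. The Python below is an added example and is not code from Dimension Data, McAfee or any provider quoted in the article: the rules, weights, thresholds, disposable-domain list and the signup records are all constructed for illustration, and the country mismatch, burst-provisioning and per-IP velocity signals are assumed heuristics rather than figures from the text. It scores each new account and returns whether it would be allowed or held for review.

```python
"""Rule-based screening of new cloud accounts for the fraud pattern described
above. Added example: rules, weights, thresholds and records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values, not figures from the article.
DISPOSABLE_DOMAINS = {"throwaway.example", "tempmail.example"}
SIGNUP_WINDOW = timedelta(minutes=10)   # velocity window per source IP
SIGNUP_LIMIT = 3                        # signups from one IP inside the window
HOLD_THRESHOLD = 50                     # score at or above which the account is held

# Constructed sample records: each new account's signup plus its first hour of use.
SIGNUPS = [
    {"account": "acct-1001", "ts": "2014-05-06T09:00:00", "ip": "203.0.113.10",
     "ip_country": "US", "card_country": "US", "email": "ops@corp.example",
     "vms_first_hour": 2, "egress_mbps": 3},
    {"account": "acct-1002", "ts": "2014-05-06T09:15:00", "ip": "203.0.113.77",
     "ip_country": "NL", "card_country": "US", "email": "x9@throwaway.example",
     "vms_first_hour": 40, "egress_mbps": 900},
    {"account": "acct-1003", "ts": "2014-05-06T10:00:00", "ip": "198.51.100.7",
     "ip_country": "BR", "card_country": "BR", "email": "a@mail.example",
     "vms_first_hour": 5, "egress_mbps": 1},
    {"account": "acct-1004", "ts": "2014-05-06T10:02:00", "ip": "198.51.100.7",
     "ip_country": "BR", "card_country": "BR", "email": "b@mail.example",
     "vms_first_hour": 5, "egress_mbps": 1},
    {"account": "acct-1005", "ts": "2014-05-06T10:05:00", "ip": "198.51.100.7",
     "ip_country": "BR", "card_country": "BR", "email": "c@mail.example",
     "vms_first_hour": 25, "egress_mbps": 1},
]


def score_signups(events):
    """Score each account; returns {account: {"score", "reasons", "action"}}."""
    seen_by_ip = defaultdict(list)  # ip -> signup timestamps, in time order
    results = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        score, reasons = 0, []
        # Stolen card: the billing country rarely matches where the buyer is.
        if e["card_country"] != e["ip_country"]:
            score += 30
            reasons.append("card country %s vs IP country %s"
                           % (e["card_country"], e["ip_country"]))
        # Throwaway identity.
        if e["email"].rsplit("@", 1)[-1].lower() in DISPOSABLE_DOMAINS:
            score += 25
            reasons.append("disposable e-mail domain")
        # "A server in five minutes": legitimate trials rarely burst this hard.
        if e["vms_first_hour"] >= 20:
            score += 30
            reasons.append("%d VMs in first hour" % e["vms_first_hour"])
        # Phishing hosts and DDoS sources show up as early outbound spikes.
        if e["egress_mbps"] >= 500:
            score += 25
            reasons.append("%d Mbps egress in first hour" % e["egress_mbps"])
        # Velocity: repeated signups from one IP inside the window.
        recent = [t for t in seen_by_ip[e["ip"]] if ts - t <= SIGNUP_WINDOW]
        seen_by_ip[e["ip"]].append(ts)
        if len(recent) + 1 >= SIGNUP_LIMIT:
            score += 30
            reasons.append("%d signups from %s within %d min"
                           % (len(recent) + 1, e["ip"], SIGNUP_WINDOW.seconds // 60))
        results[e["account"]] = {
            "score": score, "reasons": reasons,
            "action": "hold" if score >= HOLD_THRESHOLD else "allow"}
    return results


if __name__ == "__main__":
    for acct, r in score_signups(SIGNUPS).items():
        print(acct, r["action"], r["score"], "; ".join(r["reasons"]))
```

Two design points matter more than the particular weights. First, the velocity rule fires only once the third signup from 198.51.100.7 arrives, so the earlier two are allowed and the provider has to be able to revisit accounts it already approved. Second, the first-hour usage signals catch the hijacked-account case the article mentions as well as stolen-card signups, because an established customer suddenly bursting VMs or egress looks the same from the platform's side.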

Consequences of failure to detect fraud

Although fraud may not be the gravest security threat cloud providers face, ignoring it jeopardizes their bottom line in several ways.

From a purely financial perspective, any revenue gained from a stolen credit card is likely to evaporate quickly, thanks to the sophisticated fraud detection systems banks and credit card companies now use. The real damage comes from the revenues cloud providers never see from legitimate customers because the hundreds of VMs they would have paid to access have been tied up by the fraudsters.

"[There are] service providers that … do not have adequate fraud measures in place, and they have to be losing insane amounts of money on it," said Dimension Data's Rowell. "It's got to have an immense impact to their profitability as well as just the health and cleanliness of their platform."

Moreover, cloud providers that don't commit resources to fraud detection and prevention could ruin their reputation -- and kiss goodbye any chance to engage enterprise customers, Rowell added.

"If you were putting up a storefront, you wouldn't want to hang your shingle beside a shop that says, 'Hey, we're selling stolen credit cards.' No one wants to be associated with that," he said. "It's incumbent on the service provider industry to police fraud. If they're not doing it, they're doing their entire customer base a disservice."

Enterprises are also likely to block IP addresses from which spam and other suspicious activity originate, unintentionally blacklisting the cloud providers that host them.

While there is no legal precedent yet, it's possible that governments and law enforcement agencies may start holding cloud providers criminally or civilly responsible for neglecting to detect and eradicate fraud, said ISACA's Spivey.

"Depending on how big the problem becomes will determine whether regulators or lawmakers start to get more involved," he said. "But if I'm running a store, for instance, and I know people are coming into the store buying and selling drugs, and I never brought it up to people, then law enforcement is basically going to [conclude] that I enabled this to occur because I let it happen on my premises."

Friday, May 2, 2014

Dyman Associates Management The political science of cybersecurity V: Why running hackers through the FBI really isn’t a good idea

(Washingtonpost) - One of the most difficult challenges of cybersecurity is that it enables private actors to play a significant role in international security. Both security officials and international relations scholars tend to assume that states are the most important security actors. With a couple of minor exceptions (mercenary forces and the like) private actors simply don’t have the firepower to play a substantial role. Even terrorist groups with international ambitions usually require some kind of state to provide them with safe haven or to back them. Many (although certainly not all) experts argue that cybersecurity is different. Computers and Internet access are all that you need to carry out many kinds of attack, allowing private actors to become a real force in international cyber politics.

This potentially presents two problems for traditional understandings of international security. First, many argue that the world will be less stable if private actors can affect international security. For example, Joseph Nye, a prominent scholar and former policymaker, argues (PDF) that states have not been displaced by private actors in cybersecurity, but now have to share the stage with them. This creates greater volatility in world politics. The more actors there are, the greater the chance of unpredictable accidents, events, attacks or misunderstandings. Furthermore, private actors may have widely varying motivations and be more difficult to discipline. They are less likely to be concerned with the stability of the international system than states are.
There is also a more subtle problem. The existence of empowered private actors in cybersecurity presents temptations to states. It is easier for states to attack other states while blaming hackers, rogue elements or others for the attacks, thus making retaliation less likely. In cyberspace, it is often hard to figure out who precisely is responsible for an attack. These problems are multiplied when states can e.g. use clandestine relationships with private actors to carry out attacks by proxy.

For example, there is still vigorous debate over whether or not the Russian state mounted cyber attacks on Georgia during a dispute a few years ago. Certainly, the major attacks appear to have been mounted from within Russia. However, Ron Deibert, Rafal Rohozinski and Masashi Crete-Nishihata argue (paywalled) that the likely perpetrators were patriotic Russian cyber criminals (who had already created “botnets” of compromised computers for purely criminal attacks) rather than the Russian state itself. While it is possible that the Russian state (some elements of which maintain clandestine contact with the Russian underworld) was using these criminal networks as a cutout to blur responsibility, it is nearly impossible to prove one way or another.

This has led some experts to call for new norms about responsibility. Jason Healey of the Atlantic Council proposes a sliding scale under which states would effectively be required to take responsibility for any major attacks organized from their territory or carried out by their citizens. This would change the incentives, so that states would both be less inclined to cheat by acting through hidden proxies, and more inclined to tidy up rogue elements on their territory that might mount international attacks and land them in hot water. He suggests that the best way for the U.S. to protect its national security interest is to push for such norms.

In this context, yesterday’s New York Times story about the relationship between the FBI and the loosely-knit hacker culture/collective Anonymous raises some problems. The FBI identified a key Anonymous member, Sabu, and turned him so as to identify other hackers. Sabu then appears to have shared a list of foreign Web sites (including sites run by the governments of Iran, Syria, Poland, Turkey, Brazil and Pakistan) with vulnerabilities, and encouraged his colleagues to try to hack into them, uploading data to a server monitored by the FBI.

The Times says it is unclear whether he was doing so on direct orders from his FBI handlers. It is also unclear what happened to the information after it was uploaded (the Times raises the possibility that it was shared with other intelligence agencies, but it may have been left there to sit as evidence). Either way, this report is sure to be interpreted by other countries (including U.S. allies like Poland and Turkey) as strong circumstantial evidence that the U.S. has used independent hackers to conduct attacks in the past, and very possibly is doing so at present.

This obviously makes it harder for the U.S. to push for the kinds of norms that Healey and others advocate. If the U.S. appears to have dirty hands, it will have a more difficult time getting other states to believe in the purity of its actions and intentions. U.S. allies will be disinclined to believe its protestations. Countries that are more or less hostile to the U.S., and which have dubious relations with their own hacking community (such as Russia), are sure to point to the FBI’s decision to run Sabu as evidence of U.S. hypocrisy if the U.S. tries to get them to take responsibility for attacks mounted from their soil.

This will also have consequences if and when U.S. hackers (who are smart, talented and sometimes politically motivated) mount a successful public attack on a target in a third country. The U.S. administration will likely come under sustained suspicion as the hidden culprit behind such an attack, even if it has had absolutely nothing to do with it. Apparent past history will guide other states’ judgment (especially if these other states themselves have clandestine but systematic relationships with hackers, and assume that countries do the same). It’s doubtful that these issues of international policy were foremost in the thoughts of FBI officials when they decided to run Sabu (the FBI is a domestically focused agency, primarily concerned with criminal enforcement). Even so, their decisions may turn out to have important, and likely unfortunate, international ramifications.

Thursday, May 1, 2014

Dyman Associates Management 5 Things You Need to Know About Cybersecurity Insurance

Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. But it doesn’t do a good job of covering the reputation damage and business downturn that can be triggered by a security breach.

CIO — Cybersecurity insurance does mitigate some financial damage should you suffer an attack, but it's not a complete solution. Here are five things CIOs need to know.

1. It’s a risk-management strategy. Cybersecurity insurance transfers some of the financial risk of a security breach to the insurer. First-party insurance typically covers damage to digital assets, business interruptions and, sometimes, reputational harm.

Third-party insurance covers liability and the costs of forensic investigations, customer notification, credit monitoring, public relations, legal defense, compensation and regulatory fines. Cyberthreats are so broad that the cost of protecting against them all would be prohibitive. The best approach is to identify and secure the company's digital crown jewels, then quantify and insure the remaining risk, says Daljitt Barn, director of cybersecurity at PricewaterhouseCoopers.

2. American and European markets differ. The cybersecurity insurance market is more mature in the U.S. than in the E.U., primarily because of U.S. states' mandatory data-breach-notification laws. Third-party insurance is more common in the U.S., and first-party is more popular in Europe, but that may change if the E.U. starts requiring breach notifications, Barn says.

The U.S. market is growing about 30 percent per year, says Richard Betterley, president of Betterley Risk Consultants. Some surveys estimate that 30 percent of large U.S. companies have cybersecurity insurance, but among companies of all sizes, Betterley says, the number is probably under 10 percent.

3. Clear wording is essential. Before you buy, investigate what risks are covered by existing insurance packages, because there may be overlaps with a cyber-insurance policy. "Make sure the cyber policy wording covers your true cyber exposure," Barn says. "Challenge your corporate insurance broker to find a policy that provides a multifaceted response, including legal, PR, notification, forensics and cyber incident response."

4. Coverage is inadequate in some areas. Cybersecurity insurance doesn't do a good job of covering intellectual property theft or the reputational damage and business downturn that can be caused by a security breach, Betterley says. Meanwhile, the industry is debating whether state-sponsored cyberattacks, to the extent they can be identified as such, are covered by cybersecurity insurance policies.

5. There's room for improvement. Ideally cybersecurity insurance should encourage companies to improve security so they can negotiate lower premiums. However, insurers don't have enough actuarial data to adjust premiums based on what security controls and products are most effective, says Andrew Braunberg, research director at NSS Labs.