Post Executive Education Series, “Identify, Plan, Protect: Using Cyber to Your Advantage”

On April 19, 2017, The Risk Institute at The Ohio State University Fisher College of Business held an engaging conversation, as part of its Executive Education series, on the topic “Identify, Plan, Protect: Using Cyber to Your Advantage”.

As we see on an almost daily basis, Cyber Risk and Crime have become a part of our lives. During the first few weeks of 2017 we witnessed a large restaurant chain’s register payment systems compromised and a large business services firm’s marketing database of over 33 million corporate contacts exposed across the web. Without much difficulty, multiple other examples can be found across any number of industries.

We were fortunate to have had Ohio Attorney General Mike DeWine introduce the topic to our audience of executives. AG DeWine is passionate about Cyber Crime and Cyber Risk and their impact upon the citizens of Ohio.

The session focused on raising awareness of the current situation with regard to Cyber Risk and Crime, but also considered risk mitigants that businesses can adopt. The speed at which crisis communication and public relations plans are executed and managed is certainly at the forefront of dealing with Cyber challenges within business; so much so that the phrase “Fiasco Vortex” has been coined (see Glass Jaw by Eric Dezenhall). In the 21st century, communication never sleeps. We live in a 24/7 news cycle that demands a much different treatment of Cyber Risk and Cyber business continuity planning.

An organization’s business continuity plans will need to be tested against geography-specific exposures that could have a wider impact upon the business and its customers. Our speakers highlighted, from their diverse experiences and backgrounds, how companies can take a proactive approach to Cyber Risk and Crime.

Session leaders Helen Patton, CISO, The Ohio State University; Jim Trainor, SVP, Aon Cyber Solutions and former head of the FBI Cyber Division, Washington, DC; David White, CIO, Battelle Memorial Institute; and David Lyon, Senior Manager, The Crumpton Group, LLC, collaborated to provide insight into:

  • Cyber a View from the CISO Trench
  • Cyber Threat Landscape 2017 and Beyond
  • Cyber Security’s Impact on IT Operations
  • The Role of Intelligence in Cyber Attacks: Offense vs. Defense

The session emphasized how to use risk management proactively to balance Cyber Risk against business goals and thereby enhance business performance.

The session did an excellent job of generating thought-provoking ideas and advancing The Risk Institute’s unique role in uniting industry thought leaders, academics and highly respected practitioners. This is an ongoing dialogue to advance the understanding and evolution of risk management in our world today. The Risk Institute’s conversation about risk management is open and collaborative, relevant across all industries, and a source of competitiveness and growth.

Identify, Plan, Protect: Using Cyber to Your Advantage

On April 19, 2017, The Risk Institute at The Ohio State University Fisher College of Business will present, as part of its 2017 Executive Education series, the topic “Identify, Plan, Protect: Using Cyber to Your Advantage”.

As we see almost daily, Cyber Risk and Crime have become part of our lives. During the first few weeks of 2017 we have seen a large restaurant chain’s register payment systems compromised and a large business services firm’s marketing database of over 33 million corporate contacts exposed across the web. Without difficulty, multiple other examples can be found across any number of industries.

We are fortunate to have Ohio Attorney General Mike DeWine introduce the topic to our audience. AG DeWine is passionate about Cyber Crime and Cyber Risk and their impact on the citizens of Ohio.

The session will look to raise awareness of the current situation with regard to Cyber Risk and Crime, and will consider risk mitigants that businesses can adopt. The speed at which crisis communication and public relations plans are executed and managed is certainly at the forefront of dealing with Cyber challenges within business; so much so that the phrase “Fiasco Vortex” has been coined (see Glass Jaw by Eric Dezenhall). In the 21st century, communication never sleeps. We live in a 24/7 news cycle that demands a much different treatment of Cyber Risk and Cyber business continuity planning.

An organization’s business continuity plans will need to be tested against geography-specific exposures that could have a wider impact upon the business and its customers. Our speakers will highlight, from their diverse experience and backgrounds, how companies can take a proactive approach.

Session leaders Helen Patton, CISO, The Ohio State University; Jim Trainor, SVP, Aon Cyber Solutions and former head of the FBI Cyber Division, Washington, DC; David White, CIO, Battelle Memorial Institute; and David Lyon, Senior Manager, Crumpton Group, LLC, will collaborate to provide insight into:

  • Cyber a View from the CISO Trench
  • Cyber Threat Landscape 2017 and Beyond
  • Cyber Security’s Impact on IT Operations
  • The Role of Intelligence in Cyber Attacks: Offense vs. Defense

The session will emphasize how to use risk management proactively to balance Cyber Risk against business goals and thereby enhance business performance.

The session will provide thought-provoking ideas, advancing The Risk Institute’s unique role in uniting industry thought leaders, academics and highly respected practitioners in an ongoing dialogue to advance the understanding and evolution of risk management. The Risk Institute’s conversation about risk management is open and collaborative, relevant across all industries, and a source of competitiveness and growth.

Cyber Security: About Whale Phishing, the Deep Web and the Dark Net

By Professor Ingrid M. Werner, Risk Institute Faculty Member and Martin and Andrew Murrer Professor in Finance at The Ohio State University Fisher College of Business.

October 28, 2014

The attendees at The Risk Institute Launch and Conference last week learned two new terms from cyber-space: whale phishing, and the deep web and dark net. These terms were introduced by Mr. Jeremy Kroll, CEO and co-founder of K2 Intelligence, who discussed effective strategies for managing the cyber security risks faced by businesses around the world.

Whale Phishing

Whale phishing is a new form of cyber crime in the general family of attacker strategies known as spear phishing.  Generic phishing scams cast a wide net and hope that a few unwary individuals click on the attachment or link in an e-mail, compromising the security of their computer or financial account.  Spear phishing instead targets specific individuals or organizations, aiming to harvest financial information or trade or military secrets that can be used for financial gain.  Whale phishing, or simply whaling, takes this practice to a new level by targeting senior executives and other key leaders in an organization.  Vircom guest blogger Megan Horner, Marketing Coordinator at TrainACE, lays out the strategies commonly used in whale phishing attacks, and also explains what to look out for, in an article here.

A spear phishing scam targets an employee with access to sensitive information or financial accounts.  It takes the form of an e-mail that looks as if it was sent by a person in a position of authority within the company (the boss) or from outside (a regulator).  For example, a staff member in the purchasing department may get an e-mail purporting to come from IT requesting that the individual log in and reset his or her password.  The link in the e-mail directs the individual to a fake website designed for the sole purpose of capturing the username and password, which the attacker then uses to access the organization’s network; no malware has to be installed on the victim’s machine for this step to succeed.  The access can be used to manipulate accounts, transfer funds to external accounts, or simply to download sensitive information.

You guessed it: a whale phishing scam follows the same strategy but targets senior management.   The e-mails used are personalized and often extremely well crafted, using corporate logos and HTML templates to convey a sense of authenticity.  The sender’s address looks like it comes from a known person or organization, and the message often alludes to a sensitive and urgent business matter.  Finally, the matter raised is one that requires the intervention of senior management.  For example, it may be a subpoena, and the official-looking e-mail instructs the CEO to click a link to download special software in order to view it.  According to Megan Horner, a scam like this targeted an estimated 20,000 recipients.  Shockingly, about 10 percent responded and thus downloaded the malicious software, so-called malware.  In addition to displaying the fake subpoena, the malware was a key logger that captured anything the CEO typed, including network access credentials and other sensitive information.  Using the opened door, the phishers then launched attacks against the corporations to harvest information, manipulate accounts, and transfer funds to external accounts controlled by the phishers.

How does senior management avoid being caught in a whale phishing scam?  Megan Horner lists the following red flags for managers who receive e-mails with urgent calls to action involving confidential data.

·  The email requires a download or website visit in order to view an official document.
·  The sender’s address is similar but not identical to a familiar one.
·  The email refers to an urgent matter, such as a legal proceeding, that the executive has never heard of.
·  A website requesting personal data does not use encryption (https). Although a site’s appearance is no guide to its authenticity, lack of encryption is a danger sign. The reverse does not hold: an attacker can obtain a valid certificate for a lookalike domain, so a padlock icon proves only that the connection is encrypted, not who is on the other end.
·  The communication contains supposedly confidential information that in reality is publicly available.

She also suggests that if you cannot quickly verify an e-mail’s authenticity you should immediately call IT Security.  This is good advice for employees and senior managers alike!
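Several of these red flags can be checked mechanically before a message ever reaches the executive’s eyes. The following Python script is an added example, not code from the article or from Megan Horner’s post: it parses a raw e-mail and reports a sender domain that is similar but not identical to a known one (including digit and “rn”-for-“m” substitutions), a Reply-To that points somewhere other than the sender, links that are plain http:// or lead to a lookalike domain, and the combination of an urgent matter with a request to download or visit something. The list of known domains, the keyword lists and the two sample messages are constructed for the demonstration and are not from the original page.

```python
"""Heuristic red-flag checker for e-mails aimed at senior executives.

Added example, not code from the article. The known-domain list, keyword
lists and sample messages below are constructed for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the executive legitimately corresponds with.
KNOWN_DOMAINS = ("example.com", "example.org")
# Characters attackers substitute in lookalike domains, mapped back to ASCII.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
URGENT_WORDS = ("urgent", "subpoena", "immediately", "within 24 hours", "legal action")
DOWNLOAD_WORDS = ("download", "install", "click", "view the document", "enable macros")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+", re.IGNORECASE)


def normalize(domain: str) -> str:
    """Fold case, digit homoglyphs and 'rn'/'vv' so 'Exarnp1e.C0m' compares as 'example.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by dynamic programming; catches swapped or dropped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the known domain this one imitates, or None if it is known or unrelated."""
    if not domain or domain in KNOWN_DOMAINS:
        return None
    folded = normalize(domain)
    closest = min(KNOWN_DOMAINS, key=lambda k: edit_distance(folded, k))
    return closest if edit_distance(folded, closest) <= 2 else None


def domain_of(url: str) -> str:
    """Host part of a URL, without scheme, path, port or userinfo."""
    host = re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/")[0]
    return host.rsplit("@", 1)[-1].split(":")[0].lower()


def body_text(msg) -> str:
    """Concatenate the decoded text parts of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            payload = part.get_payload(decode=True) or b""
            parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def red_flags(raw_message: str) -> list:
    """Return the red flags found in a raw e-mail; an empty list means none fired."""
    msg = message_from_string(raw_message)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1]
    sender_domain = sender.rsplit("@", 1)[-1].lower() if "@" in sender else ""
    imitated = lookalike_of(sender_domain)
    if imitated:
        flags.append(f"sender domain {sender_domain!r} resembles known {imitated!r}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append(f"Reply-To {reply_to!r} does not match sender domain")
    body = body_text(msg)
    for url in URL_RE.findall(body):
        if url.lower().startswith("http://"):
            flags.append(f"unencrypted link {url}")
        elif lookalike_of(domain_of(url)):
            flags.append(f"link to lookalike domain {domain_of(url)!r}")
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    if any(w in text for w in URGENT_WORDS) and any(w in text for w in DOWNLOAD_WORDS):
        flags.append("urgent matter that requires a download or site visit")
    return flags


# Constructed sample: a fake subpoena of the kind described above.
SUSPICIOUS = """\
From: "General Counsel" <counsel@exarnple.com>
Reply-To: docs@mail-drop.example
To: ceo@example.com
Subject: URGENT: subpoena - response required within 24 hours

You have been served. Download the secure viewer at
http://exarnple-legal.example/subpoena.exe to view the subpoena.
"""

# Constructed sample: an ordinary internal message that should raise nothing.
BENIGN = """\
From: "Jane Doe" <jane@example.com>
To: ceo@example.com
Subject: Q3 board deck

Slides for Thursday are at https://example.com/board/q3 for your review.
"""

if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, red_flags(raw) or ["no red flags"])
```

Run stand-alone it reports four flags for the constructed subpoena message and none for the benign one. The checks are deliberately heuristic: the "rn" folding and the edit-distance threshold of 2 will occasionally flag a legitimate domain that merely resembles a known one, so this is a triage aid for the mailbox, not a replacement for the phone call to IT Security that the article recommends.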

The Deep Web and the Dark Net

We have just gotten used to the word cyber-space, and now people have started talking about the “Deep Web” or the “Dark Net.”  This is not some imaginary part of the universe, but rather the part of the web that is not indexed by search engines and so is not readily accessible to the general public. It is a place where cyber criminals roam, and it is used for trafficking in drugs, guns, pornography, and credit card information, but also in state and military secrets.  According to Amy Wilson, a blogger at K2 Intelligence, an estimated 80% of all online activity takes place in the deep web.

Amy Wilson also explains that the world-wide web is tiered.  The top layer is the surface web, which is indexed by popular search engines such as Google, Yahoo, and Bing and is where most of us get news, engage in e-commerce, and share information about organizations and individuals.  The next level is the deep web, which is not reachable through popular search engines because users need passwords or other credentials to get through the door.  Hackers often use this closed access, for example after whale phishing attacks, to set up temporary web sites where stolen information can be sold to the highest bidder.  The third level is the dark net, which in addition to requiring passwords or other credentials requires the user to connect anonymously through overlay networks such as Tor, I2P and Freenet.

The deep web recently gained publicity through the FBI’s 2013 shutdown of Silk Road, a mail-order drug market run by “Dread Pirate Roberts” and operating on the dark net.   The FBI arrested Ross William Ulbricht, who they claim was the Dread Pirate Roberts running Silk Road.  While Ulbricht awaits trial and his site is closed down, law enforcement is not necessarily more on top of the mail-order drug business than before.  The reason is that when the near-monopolist Silk Road closed, it opened the market to a slew of smaller drug-trafficking bazaars that cropped up on the dark net, leaving law enforcement with an even bigger problem.

While the most highly prized targets for cyber criminals are financial institutions, Amy Wilson points out that there are plenty of examples of less obvious victims. These include Sony’s PlayStation Network, hacked in 2011, leaking almost 80 million accounts with personal information that was subsequently published online.  Similarly, Goodwill recently suffered a credit card breach in which malware was installed on a third-party system used to process card payments, compromising almost 900,000 credit cards.  More information on the Goodwill breach can be found here.

Amy Wilson also provides advice for companies on how to protect themselves against cyber-crime.  The first line of defense is to have a comprehensive cyber security strategy in place.  The second is a constant flow of intelligence scanning the deep web on your behalf.  The number of reported cyber security incidents increased 48% to 42.8 million in 2014 compared to 2013 according to PwC (http://www.pwc.com/gx/en/consulting-services/information-security-survey/assets/the-global-state-of-information-security-survey-2015.pdf), so companies clearly need to heed her advice!