
Bandura Cyber Bytes
12-6-2018

With Bandura Cyber Bytes, we take a look back at the most interesting industry news and happenings related to cybersecurity and threat intelligence.

This week we share some holiday-hacking statistics, look at hospitality and airline vulnerabilities and at emerging geographies of cybercrime activity, tackle UK critical infrastructure, and cover a few articles on third-party risk: what’s the weakest link in your supply chain or among your vendors?

Marriott says 500 million Starwood guest records stolen in massive data breach

In what may be the second-largest breach behind Yahoo!, Marriott announces a data breach that affected a whopping 500 million Starwood guest records. Apparently, the attackers had been inside the network for four years.

Bandura’s Take: We really didn’t have a “doozy” in 2018 until now. This is a big deal and gained widespread media attention. We’re talking CNN, CNBC, NBC, etc. Several regulators quickly announced investigations. This week should provide more visibility into what happened, as well as the ramifications. At first blush, it illustrates the importance of cyber due diligence with respect to M&A and why cyber insurance is a good idea.


FBI Swats Down Massive, Botnet-Fueled Ad Fraud Operation

In a collaborative effort between the FBI, cybersecurity organizations, and tech companies, a global botnet known as 3ve was taken down. At its peak, the botnet generated 3 billion ad requests per day from 700,000 active infections, and it had earned over $34 million in ad-view revenue since 2014.

Bandura’s Take: Botnets remain a key risk for organizations, and we continue to see this as one of the critical categories in the threat intelligence feeds within the Bandura Threat Intelligence Gateway.


Middle East, North Africa Cybercrime Ups Its Game

Cyber criminals in the Middle East and North Africa are getting more advanced and aggressive in their tradecraft. Ransomware infections increased 233% this past year. The report indicates that this could be yet another international cybercrime region emerging as a threat to the U.S.

Bandura’s Take: A well-thought-out GEO-IP filtering policy is a great first step for organizations to reduce their attack surface here. If you aren’t doing business in these regions, what’s the point of having traffic from them on your network? One thing we continue to see is organizations conducting GEO-IP filtering through access control lists (ACLs) in their routers. This can be ineffective because the IP address ranges assigned to a country change over time, and it is also hard to manage. Comprehensive, easy, and effective GEO-IP blocking continues to be a key use case for Threat Intelligence Gateways.


Carbon Black: Cyber Attacks Could Jump 60% During Holidays

According to Carbon Black’s Threat Analysis Unit, companies can expect as much as a 60% increase in cyber attacks during the holiday season. Last year, the number of attacks grew 57.5% year-over-year, with many of the attacks coming through spear-phishing campaigns that take advantage of commodity malware. Carbon Black cites attack kits being readily and cheaply available on the dark web, and an expanding attacker arsenal that incorporates artificial intelligence, uses watering holes, and targets mobile apps.

Bandura’s Take: There continues to be a high volume of known threats that organizations are grappling with. Incorporating threat intelligence into your defense arsenal is an effective and efficient way to mitigate the risk of known threats. It’s also a great time of year to revisit your GEO-IP filtering policies.


Buckle Up: A Closer Look at Airline Security Breaches

Great article from Kelly Sheridan at Dark Reading. It looks at a recent increase in cyber attacks on airports and airlines, with motivations ranging from financial and identity theft to corporate espionage. Attackers are looking to gain access to valuable credit card data and are using ransomware to extort airlines. Passport information is also noted as an attractive target. Both airlines and airports work with a number of third-party vendors, which increases risk.

Bandura’s Take: Attackers are clearly setting their sights on the aviation industry. One best practice for aviation companies is to make sure you are a member of, and involved with, the Aviation Information Sharing & Analysis Center (A-ISAC). Incorporating threat intelligence, including industry-specific threat intelligence, is a critical component of cyber defense. However, it’s also important to be able to operationalize this intelligence so you can better see and block threat actor activity.


Uber Fined Nearly $1.2 Million by Dutch, UK Over Data Breach

Uber pays a heavy fine for failing to protect customers’ data. British officials cited “avoidable data security flaws.”

Bandura’s Take: Monetary penalties related to cyber breaches are going to become more commonplace and a bigger issue. This is one key driver behind the growing adoption of cyber insurance.


Gov Committee Raises Concerns Over UK Critical Infrastructure Security

This Security Weekly article discusses a report by the UK Parliament’s Joint Committee on the National Security Strategy, which examines the security of critical infrastructure. One recommendation is that the government should establish a plan for the development of threat- and intelligence-led penetration testing. The report also mentions an increasing focus on supply chain security, identifying an expert board member with specific responsibility for cyber resilience, mandatory corporate reporting, and that the government should consider whether and how the increased use of cyber insurance could be used to improve companies’ cyber practices.

Bandura’s Take: Third-party risk and supply chain security continue to be hot topics. Having dedicated executives and/or board members focused on cyber is becoming a trend, as is the increasing focus on and adoption of cyber insurance.


Who’s the Weakest Link in Your Supply Chain?

Speaking of third-party risk, here is some interesting data from a survey by the Ponemon Institute: 60% of organizations have suffered data breaches resulting from a third party, and only 34% of companies have a comprehensive inventory of all the third-party suppliers they work with.

Bandura’s Take: We recently attended the Global Resilience Federation’s Annual Summit, which was focused on third-party risk. For good reason, this is an area where more security organizations are instituting formal, dedicated people and programs. Our friends at Shared Assessments are doing some interesting work in this area. Check them out.


USPS fixes ‘Informed Delivery’ flaw that exposed 60M users

The U.S. Postal Service fixed a flaw that exposed the personal details of 60 million users with usps.com accounts. A researcher is said to have reported the vulnerability to USPS a year ago without ever receiving a response. The vulnerability was in its Informed Delivery API.

Bandura’s Take: This illustrates the increasing importance of securing APIs. More importantly, it’s a shocking example of not doing the basics with respect to cyber hygiene. Taking a year to remediate an issue is crazy.



End User License Agreement

This is an End User License Agreement (the “Agreement”) between Bandura Cyber, Inc. (“Bandura”), You (or “User” or “your”) and the insurance company affiliate of American International Group, Inc. that issued the insurance policy providing the IP Blocking Solution to you (with its affiliates, “AIG”) (each, a “Party” and collectively, the “Parties”).
Subject to the terms and conditions of this Agreement, Bandura is providing the User, as a qualified policyholder of a cyber insurance policy issued by AIG, one Bandura threat intelligence network security appliance (the “Network Appliance”), including Bandura’s IP Blocking software (together with any third party proprietary software, and any patches, updates, improvements, additions and other modifications or revised versions that may be provided by Bandura or its licensors from time to time, the “Licensed Software”) and open source code software programs (each, an “Open Source Program” and together with the Licensed Software, the “Software”) provided to User as necessary to deliver the blacklist IP blocking service (“IP Blocking Service”). This Agreement is valid and becomes effective upon User’s electronic acceptance of its terms. BY CLICKING THE “I ACCEPT” BUTTON YOU ACKNOWLEDGE THAT YOU HAVE READ THIS AGREEMENT, UNDERSTAND IT, AND AGREE TO BE BOUND BY ITS TERMS AND CONDITIONS.

1. Grant of License.

User acknowledges and agrees that: (i) AIG has contracted with Bandura to make the Licensed Software, IP Blocking Service and associated services available to you at no cost to you; (ii) the Licensed Software, IP Blocking Service and all associated services are being licensed and provided by Bandura, and not by AIG; (iii) neither Bandura nor AIG shall be liable for any damages to User caused by the Licensed Software, IP Blocking Service or any associated services; (iv) Bandura will have access to certain of your information and has developed a policy, which can be viewed at https://banduracyber.com/privacy-policy/, to address your privacy concerns; and (v) AIG will have access to certain of your information and has developed a policy, which can be viewed at www.aig.com, to address your privacy concerns.

Subject to this Agreement, Bandura grants User a non-exclusive, non-assignable, non-transferable, revocable, limited right and license to use the Licensed Software and IP Blocking Service, together with Bandura’s release notes or other similar instructions in hard copy or machine readable form supplied by Bandura to User that describe the functionality of the Network Appliance and/or the Software purchased or licensed hereunder (the “Documentation”). User shall not (i) license, sublicense, lease, sublease, sell, resell, transfer, assign, reverse engineer, decompile, disassemble or distribute or otherwise make available to any third party the Licensed Software, IP Blocking Service, or the Documentation; (ii) modify or make derivative works based upon the Licensed Software, IP Blocking Service, or the Documentation; (iii) commercially exploit the Licensed Software, IP Blocking Service or Documentation in any way; (iv) create Internet “links” to the Licensed Software or “frame” or “mirror” the Licensed Software on any other server, wireless or Internet-based device; (v) impersonate another user of the Licensed Software or IP Blocking Service; (vi) use the Licensed Software or IP Blocking Service to violate the rights of or cause injury to any person or entity; (vii) remove, alter or obscure any proprietary or copyright notice, labels, or marks on the hardware components of the Network Appliance or within the Software; or (viii) disable or circumvent any access control or related security measure, process or procedure established with respect to the Network Appliance or any Software or any other part thereof.

You are solely responsible for maintaining the confidentiality of the access information provided to you for access to the Licensed Software (“Credentials”), and you agree to keep this information confidential. You are solely responsible for all activity that occurs through use of the Credentials. You will not: (1) use another user’s Credentials to obtain copies of or access to the Licensed Software; (2) use your Credentials to download unauthorized copies of or grant others access to the Licensed Software; (3) use the Licensed Software in a way that violates any third party’s rights or any applicable law; (4) upload any files or software that may damage or provide unauthorized access to the data, software or hardware of another; or (5) interfere or allow interference with the proper functioning of the Licensed Software.

If the User is entitled to and elects to receive the IP Blocking Service, Bandura will provide one (1) Network Appliance at no additional charge. Title to and ownership of such Network Appliance provided to the User in connection with the IP Blocking Service will transfer to the User. Bandura will determine the appropriate IP Blocking Service to deliver to each User. Additional Network Appliances can be purchased from Bandura.

The scope of use of any Open Source Programs shall be governed by the applicable open source license agreement included with the Licensed Software. User acknowledges that each Open Source Program is distributed under the Open Source Program license applicable to such Open Source Program, and only such license, and this Agreement in no way supplements or detracts from any terms or conditions of such open source license agreement (the “Open Source License”). Notwithstanding anything to the contrary in this Agreement, User agrees and acknowledges that the rights attached to any Open Source Programs provided hereunder are separate from and do not depend on the Open Source Programs being part of, or used in connection with, the Software or the Network Appliance.

2. Proprietary Rights.

User acknowledges that ownership of and title in and to all intellectual property rights, including patent, trademark, service mark, copyright, and trade secret rights, in the Licensed Software and IP Blocking Service are and shall remain in Bandura. User acquires only the right to use the Licensed Software and IP Blocking Service and does not acquire any ownership rights or title in or to the Licensed Software or IP Blocking Service. All modifications, updates, revisions and extensions to the Licensed Software, IP Blocking Service and Documentation shall be considered part of the Licensed Software, IP Blocking Service and Documentation for purposes of this Section 2. All data, information, content, graphics, text and other materials or applications prepared by User through the use of the Licensed Software, added by User or integrated by User with the Licensed Software, shall be the sole property of User. You understand that neither Bandura nor AIG has any obligation to monitor the areas of the Licensed Software through which the User can supply information or material.

3. Warranty and Indemnification.

Bandura represents, warrants and covenants that it owns the Licensed Software, including all intellectual property rights therein, and that Bandura has all rights necessary to license and/or provide, in accordance with the terms of this Agreement, the Licensed Software, IP Blocking Service and appropriate Network Appliance, if any, to User.

3.1 Indemnification of AIG:

Bandura shall indemnify and hold AIG harmless against claims, liabilities, and costs, including reasonable attorneys’ fees, incurred in the defense of any claim brought against AIG by User or any other third party in connection with the Licensed Software and/or IP Blocking Service, including, but not limited to, malfunction of a Network Appliance, User’s inability to use the IP Blocking Service or Network Appliance, and/or any damage to User’s network.

3.2 Indemnification of User:

Bandura shall indemnify User against claims, liabilities, and costs, including reasonable attorneys’ fees, reasonably incurred in the defense of any claim brought against User by third parties alleging that User’s use of the Licensed Software, IP Blocking Service or Network Appliance infringes or misappropriates: (i) any patent; (ii) a copyright; or (iii) trade secret rights, provided that, User promptly notifies Bandura in writing of any such claim and Bandura is permitted to control fully the defense and any settlement of such claim as long as such settlement shall not include a financial obligation on User. User shall cooperate fully in the defense of such claim and may appear, at its own expense, through counsel reasonably acceptable to Bandura.

3.3 Indemnification of Bandura and AIG:

To the extent permissible by law, User shall indemnify Bandura, AIG, and their licensors, against all third party claims, liabilities, and costs, including reasonable legal fees, reasonably incurred in the defense of any claim (other than for the infringement of intellectual property rights specified in Section 3.2 above), arising out of User’s breach of its representations and warranties under this Agreement or User’s unauthorized use of the Licensed Software, IP Blocking Service or Network Appliance, and other proprietary information licensed under this Agreement, provided that, Bandura or AIG promptly notifies User in writing of such claim and that User is permitted to control fully the defense and any settlement of the claim.

4. Term and Termination.

This Agreement will become effective on the date User accepts its terms and conditions or accesses the Licensed Software or IP Blocking Service and will remain in force until User or AIG terminates this Agreement. AIG will be deemed to have terminated this Agreement and the User’s right to use the Licensed Software and the IP Blocking Service immediately without notice if User: (i) fails to comply with the terms and conditions of this Agreement, or (ii) no longer has an in-force cyber insurance policy with AIG or one of its insurance company affiliates. Notwithstanding, AIG reserves the right to terminate User’s use of the Licensed Software and IP Blocking Service, for any reason whatsoever, with ten (10) days’ written notice to User. Email notice to User is deemed to be sufficient notice under this Agreement.

Unless otherwise agreed by User and Bandura, User is not required to return any Network Appliance intentionally provided by Bandura as part of the IP Blocking Service.

5. Waiver.

No waiver of any right under this Agreement shall be effective unless in writing, signed by a duly authorized representative of the Party to be bound. No waiver of any past or present right arising from any breach or failure to perform shall be deemed to be a waiver of any future right.

6. Severability.

If any provision in this Agreement is invalid or unenforceable, that provision shall be construed, limited, modified or, if necessary, severed, to the extent necessary, to eliminate its invalidity or unenforceability, and the other provisions of this License shall remain unaffected.

7. Governing Law.

Except as otherwise restricted by law, this License shall be governed by the internal laws of the State of New York (as permitted by Section 5-1401 of the New York General Obligations Law or any similar successor provision), without giving effect to any choice of law rule that would cause the application of the laws of any jurisdiction other than the internal laws of the State of New York to the rights and duties of the Parties. The Parties expressly agree that the United Nations Convention on Contracts for the International Sale of Goods Act shall not apply to this Agreement.

8. Export Control Notice.

Regardless of any disclosure made by User to Bandura or AIG of an ultimate destination of the Licensed Software or IP Blocking Service (including any Network Appliance provided in connection therewith), User acknowledges that if the Licensed Software, IP Blocking Service or Network Appliance is being released or transferred to User in the United States that it is subject to the U.S. and European Union export control laws. User acknowledges its exclusive obligation to ensure that its exports from the United States are in compliance with the U.S. export control laws. User shall also be responsible for complying with all applicable governmental regulations of any foreign countries with respect to the use of the Licensed Software, IP Blocking Service or Network Appliance outside of the United States. User agrees that it will not submit the Licensed Software, IP Blocking Service or Network Appliance or any related content to any government agency for licensing consideration or other regulatory approval without the prior written consent of Bandura. Customer shall defend, indemnify, and hold Bandura and AIG harmless from and against any and all claims, judgments, awards, and costs (including reasonable legal fees) arising out of User’s noncompliance with applicable U.S. or foreign law with respect to the use or transfer of the Licensed Software, IP Blocking Service or Network Appliance outside the United States by User and its affiliates.

The Licensed Software, IP Blocking Service and Network Appliance provide services and use software and technology that may be subject to United States export controls administered by the U.S. Department of Commerce, the United States Department of Treasury Office of Foreign Assets Control, and other U.S. agencies. The User acknowledges and agrees that the Licensed Software, IP Blocking Service and Network Appliance shall not be used, and none of the underlying information, software, or technology may be transferred or otherwise exported or re-exported to any countries to which the United States maintains an embargo (collectively, “Embargoed Countries”), or to or by a national or resident thereof, or any person or entity on the U.S. Department of Treasury’s List of Specially Designated Nationals or the U.S. Department of Commerce’s Table of Denial Orders (collectively, “Designated Nationals”). The lists of Embargoed Countries and Designated Nationals are subject to change without notice. By using this Licensed Software and IP Blocking Service, User represents and warrants that it is not located in, under the control of, or a national or resident of an Embargoed Country or Designated National. User agrees to comply strictly with all U.S. export laws.

9. Warranty Disclaimer.

EXCEPT AS OTHERWISE RESTRICTED BY LAW, NEITHER BANDURA NOR AIG MAKE ANY REPRESENTATION, WARRANTY, OR GUARANTY AS TO THE RELIABILITY, TIMELINESS, QUALITY, SUITABILITY, TRUTH, AVAILABILITY, ACCURACY OR COMPLETENESS OF THE LICENSED SOFTWARE OR IP BLOCKING SERVICE. BANDURA AND AIG DO NOT REPRESENT OR WARRANT THAT (A) THE USE OF THE LICENSED SOFTWARE OR IP BLOCKING SERVICE WILL BE COMPLETELY SECURE, TIMELY, UNINTERRUPTED OR ERROR-FREE OR OPERATE IN COMBINATION WITH ANY OTHER HARDWARE, SOFTWARE, SYSTEM OR DATA, (B) THE LICENSED SOFTWARE OR IP BLOCKING SERVICE WILL MEET USER’S REQUIREMENTS OR EXPECTATIONS, (C) ANY STORED DATA WILL BE ACCURATE OR RELIABLE, (D) THE QUALITY OF ANY PRODUCTS, SERVICES, INFORMATION, OR OTHER MATERIAL PURCHASED OR OBTAINED BY USER THROUGH THE LICENSED SOFTWARE OR IP BLOCKING SERVICE WILL MEET USER’S REQUIREMENTS OR EXPECTATIONS, (E) ERRORS OR DEFECTS WILL BE CORRECTED, (F) THE LICENSED SOFTWARE OR IP BLOCKING SERVICE OR THE SERVER(S) THAT MAKE THEM AVAILABLE ARE FREE OF VIRUSES OR OTHER HARMFUL COMPONENTS, OR (G) THE SECURITY SERVICES ARE SUITABLE FOR ALL NETWORKS.
THE LICENSED SOFTWARE AND IP BLOCKING SERVICE IS PROVIDED TO USER STRICTLY ON AN “AS IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW BY BANDURA AND AIG.

10. Internet Delays.

User acknowledges that access to the Licensed Software and IP Blocking Service may be subject to limitations, delays, and other problems inherent in the use of the Internet and electronic communications. Bandura and AIG are not responsible for any delays, delivery failures, or other damage resulting from such problems.

11. Limitation of Liability.

EXCEPT AS OTHERWISE RESTRICTED BY LAW OR AS STATED HEREIN, BANDURA AND AIG SHALL NOT BE LIABLE FOR ANY DIRECT OR INDIRECT DAMAGES (IN CONTRACT, TORT (INCLUDING NEGLIGENCE) OR OTHERWISE), INCLUDING BUT NOT LIMITED TO, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES (INCLUDING, WITHOUT LIMITATION, LOSS OF DATA, REVENUE, PROFITS, USE OR OTHER ECONOMIC ADVANTAGE) ARISING OUT OF, OR IN ANY WAY CONNECTED WITH THE LICENSED SOFTWARE OR IP BLOCKING SERVICE, INCLUDING BUT NOT LIMITED TO THE USE OR INABILITY TO USE THE LICENSED SOFTWARE OR IP BLOCKING SERVICE, ANY INTERRUPTION, INACCURACY, ERROR OR OMISSION, REGARDLESS OF CAUSE AND/OR FITNESS FOR A PARTICULAR PURPOSE, EVEN IF ADVISED OF THE POSSIBILITY OF THOSE DAMAGES.

IN FURTHERANCE, AND NOT IN LIMITATION OF, THE FOREGOING, BANDURA AND AIG ASSUME NO RESPONSIBILITY, AND SHALL NOT BE LIABLE FOR, ANY DAMAGES TO, OR VIRUSES THAT MAY INFECT, YOUR COMPUTER EQUIPMENT OR OTHER PROPERTY AS A RESULT OF YOUR ACCESS TO, USE OF, OR YOUR DOWNLOADING OF ANY MATERIALS, DATA, TEXT, IMAGES, VIDEO, OR AUDIO ARISING OUT OF OR RELATING TO THE LICENSED SOFTWARE OR IP BLOCKING SERVICE.

12. Confidentiality.

As used herein, “Confidential Information” means any non-public technical or business information of Bandura (or its licensors), including without limitation, any information relating to Bandura’s techniques, algorithms, software, know-how, current and future products and services, research, engineering, designs, financial information, procurement requirements, manufacturing, customer lists, business forecasts, marketing plans and information, the terms and conditions of this Agreement, and any other information of Bandura (or its licensors) that is disclosed to User. Customer will take all reasonable measures to maintain the confidentiality of Bandura’s Confidential Information, but in no event less than the measures User uses to protect its own confidential information. User will limit the disclosure of Bandura’s Confidential Information to its employees with a bona fide need to access such Confidential Information in order to exercise its rights and obligations under this Agreement; provided that all such employees are bound by a written non-disclosure agreement that contains restrictions at least as protective as those set forth herein. User agrees that Bandura will suffer irreparable harm in the event that User breaches any obligations under this Section 12 and that monetary damages will be inadequate to compensate Bandura for such breach. In the event of a breach or threatened breach of any of the provisions of this Section 12, Bandura, in addition to and not in limitation of any other rights, remedies or damages available to it at law or in equity, shall be entitled to a temporary restraining order, preliminary injunction and/or permanent injunction in order to prevent or to restrain any such breach.

13. Entire Agreement.

This Agreement sets forth the entire understanding and license between User, Bandura and AIG. This Agreement may be amended by joint notice from AIG and Bandura to User concurrently with User’s renewal of the insurance policy with AIG. No other person is authorized to modify this Agreement or to make any warranty, representation or promise that is different from, or in addition to, the warranties, representations or promises herein.