The Private Equity Digital Threat Landscape and How Leaders Can Address It

Like other critical economic sectors, Private Equity Firms and their portfolio companies are increasingly facing digital threats. Whether this threat originates from organized criminal enterprises, disgruntled employees, or even careless vendor protections, digital risk stands to significantly impact business operations. Firms that fail to proactively prepare for today's cyber threats face profound reputational risks and financial losses, whether internally or through their portfolio companies.

With regulatory bodies such as the SEC now requiring enhanced cybersecurity protections, proactive efforts by senior leadership and boards to combat these threats should be seen not only as good business practice, but as a legal necessity.

With all this in mind, you are probably asking yourself: what are the real threats to my business, and should I be more selective in the vendors I'm doing business with? With budget in mind, you're also likely wondering how to effectively prepare without breaking the bank.

We will explore the answers to your burning questions in this ValorrInsight.

What are the real business threats to Private Equity and Venture Capital Firms?

Beyond direct losses in the form of funds, data, or intellectual property, firms that fail to protect their trusted investments and customers' best interests face potential lawsuits, fines, and damage to their brand. In addition, impacted firms may be the focus of follow-on attacks if bad actors determine that their actions are profitable enough.

Combine this with the pandemic and ongoing economic lockdowns: many corporations have been forced to pivot to a work-from-home operating model, one which has significantly increased cyber risk and associated attacks on valued data and digital infrastructure. In a recent poll conducted by the security news organization Threatpost [1], a reported 40% of corporations saw a rise in cyber incidents as they shifted to a remote workforce. These cyber incidents typically fall into the following business risk categories:

  1. Ransomware: The attacker steals and holds data or systems until a payment is received.
  2. Third Party / Vendor Risk: The attacker typically targets lax vendor security measures, thereby gaining access to an organization's critical systems and data.
  3. Insider Threat: A company insider, typically an employee or contractor, steals valuable company information and monetizes it for their own benefit.
  4. Business Email Compromise: The attackers leverage existing employee email accounts to exploit the trust within an organization's operations. These attacks typically result in moderate to significant losses from unauthorized financial transactions.
  5. Failed Compliance Fines: Fees associated with non-compliance, which could negatively impact the company's financial position.

Portfolio companies must consider that ineffective or lacking information security will make them less attractive to potential buyers or investors. This impact can not only decrease the value of a private equity firm's investment but can also tarnish the firm's reputation and negatively impact future fundraising efforts. Ultimately, the proactive resources invested today to enhance company cybersecurity will pay dividends in the long run.

A strong commitment to data and digital security starts at the top and requires significant buy-in from key stakeholders. While some private equity firms have been slow to adjust their focus beyond the traditional valuation metrics of companies within their portfolios, there is a shifting awareness of the need to understand and address cybersecurity risk across their organization.

Despite this growing recognition, the private equity industry has lacked a practical approach to address the cybersecurity issues and concerns of their portfolio companies. The reality is that formulating a tailored cybersecurity strategy for each company in a portfolio is an inefficient prospect, one that would saddle the companies as well as the private equity firm with undue investment in time and costs. While the typical firm focuses its cybersecurity efforts on its most highly valued investments, lower-valuation companies may pose the greatest risk.

With constrained resources and focus on building the business, portfolio companies may not consider vendor risk as a priority. As such, it is in a firm’s best interest to quantify the third-party risk profile of investing in portfolio companies.  Portfolio risk management and vendor due diligence must continuously be considered as top priority for leaders in the private equity space, going forward. 

So, what vendors should a firm be worried about? We take a deeper dive into vendor selection and associated risks in the section below:

“Private equity firms that fail to do cybersecurity due diligence on their portfolio companies are at a significant disadvantage, both from a compliance and competitive standpoint.”

What vendors should PE/VC firms be concerned about and why?

The best approach for managing vendor risk is to identify critical and non-critical vendors. While all vendors may play a meaningful role, prioritized focus should be given to those critical to business operations. Firms should routinely assess critical vendors to ensure that they remain good stewards of your data and to understand how they will respond in the event of an outage or cyber-attack. Below, we have identified key vendor dependencies that we are consistently seeing in the private equity space, as well as how these are utilized to execute targeted attacks.

Email and Productivity Tools

No other tools expose organizations to as much risk as productivity platforms such as Microsoft 365, Google Suite (GSuite) and others. Firms rely on toolkits like spreadsheets (Excel / Google Sheets), PowerPoint presentations, and word processing software to collaborate, innovate and close deals.

Attackers are commonly using phishing campaigns to get users to log in to fake Microsoft websites. This may be in the form of 'password reset' emails or text messages to smartphones. The ultimate goal is to compromise the user account and gain unauthorized access. With hundreds if not thousands of emails flowing through account mailboxes, the opportunity for stealing information and extending phishing campaigns becomes endless.

Another common attack we are seeing is 'Malicious Macros', whereby a user is sent what appears to be a benign Microsoft file (i.e., a Word document). The user opens the file, and it runs a series of malicious commands, all hidden from the user's screen. This typically results in the installation of malware, which can steal your computer files, monitor your web browsing history, or even worse, record your keystrokes. There is good news, however: Microsoft typically enables macro protections against attacks such as these, so make sure to keep your office software up to date!

Finance/accounting + portfolio management

As with all companies, PE firms use software tools, such as AllVue, to track their finances and accounting. Because their finances are closely tied to those of their portfolio companies, firms will often use a package that combines portfolio management and reporting with its own finance/accounting.

Typically, we see more focused phishing attacks against these platforms, targeted at business executives, commonly known as 'Spear Phishing'. The primary goal is to gain access to user accounts, such as those of senior accounting leads, who have higher-level access to financial documents.

Investor portal

Most PE firms will have an online portal set up for their LPs / investors to send secure messages, access important investment information and get timely notifications.

Investor portals are commonly used for Business Email Compromise Attempts, with the goal to disrupt the integrity of communications, so that unauthorized financial transactions may be made. Access may be obtained through several measures, but is commonly sourced through Phishing Campaigns.

3rd party databases

Most PE firms lean heavily on data from subscription databases. Sites like CapIQ and PitchBook provide data on recent financial transactions and funding, which helps the firms establish comps and get a sense for movement in the market.

These 3rd party databases are targeted through a variety of methods. To stay out of the technical weeds, attackers typically target vulnerable code to gain access and steal data. Once the integrity of this data is ‘broken’, firms can no longer rely upon the information to make informed business decisions.

Deal & Relationship Management

Most PE firms also use a system to keep track of the opportunities for investment that they’re evaluating. Common solutions include a custom Excel sheet or a more traditional Customer Relationship Manager (CRM) like Salesforce.

Because many of these operate on complex databases, Deal and Relationship Management systems are targeted like other subscription software. These platforms are ripe for stealing internal firm data as well as customer data. Personal contact information taken from these platforms can be instantly sold on Dark Web forums or given to competitors for gaining a competitive edge.

How can PE/VC firms effectively protect themselves and their investment portfolios?

At a time when cybercrime is growing at an unprecedented rate, private equity firms need to illustrate that they are proactively governing their portfolio companies to meet the evolving risk landscape. This requires a holistic approach, whereby people, processes, and technologies are assessed to determine existing cybersecurity proficiency. Gaps in cybersecurity knowledge and protections of critical data should be addressed with an action-based and prioritized strategy to reduce risk to investments.

Firm executives must lead the charge on building and fostering a strong security culture, starting from the top down: a culture that promotes consistent conversations across leadership on how the organization is tackling business and connected-technology risk. By taking steps to drive these initiatives forward, firms will demonstrate to investors and partners that they are committed to securing trusted relationships now and into the future. Thus positioning

In the section below, we have highlighted actions that firms of all sizes can implement to better secure their connected ecosystem and business.

  • Establish an Information Security Policy: Outline how the organization is addressing digital and IT-related risks.
  • Identify critical systems: Document those systems, vendors, and data which are critical to the core of your business operations. Typically, these systems are productivity tools, Customer Relationship Manager (CRM) tools, and Financial/Accounting platforms.
  • Control access to critical systems and software: Individuals' access to critical systems should be continuously reviewed to ensure that it aligns with their business role within the organization. Under the 'Principle of Least Privilege', individuals should only be given access to the data, systems, and files necessary to successfully perform their role within the organization. We have typically seen individuals change roles within an organization while access to files and folders related to their previous role(s) remains in place.
  • Security Awareness Training: To address how bad actors continue to evolve their attacks, security training should be completed monthly. As an industry best practice, training should be aligned to threats targeting the specific industry vertical. For example,
  • Secure your email service and other critical services: Ensure that your critical communication and productivity services are configured properly and tested. Your business depends heavily on real-time data and system access; when a crisis hits, these relationships will propel you through.
  • Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption; this proactive planning will literally save you millions.
  • Back up your data: Back up your data within resilient infrastructure and test those backups frequently.
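The access-control item above describes the most common least-privilege failure we see: a person changes roles and the entitlements from the old role are never removed. The following is an added example (not Valor's tooling) of an access review that separates those carried-over entitlements from access that no role explains; the roles, systems and users are constructed for illustration.

```python
"""Least-privilege access review for role-change leftovers.
Constructed example with made-up roles and users; not Valor's tooling."""
from dataclasses import dataclass, field

# Constructed baseline: the systems each business role legitimately needs.
ROLE_BASELINE = {
    "deal_team": {"crm", "data_room", "m365"},
    "accounting": {"allvue", "m365"},
    "investor_relations": {"investor_portal", "crm", "m365"},
}


@dataclass
class Account:
    user: str
    current_role: str
    entitlements: set
    previous_roles: list = field(default_factory=list)


def review_access(accounts, baseline=ROLE_BASELINE):
    """Return {user: {"excess", "carried_over", "unexplained"}} for every
    account holding more than its current role needs.
    'carried_over' is the part a previous role would have justified (the
    leftovers described in the post); 'unexplained' is access no role explains
    and therefore needs a separate justification or removal."""
    report = {}
    for acct in accounts:
        needed = baseline.get(acct.current_role, set())
        excess = set(acct.entitlements) - needed
        if not excess:
            continue  # already at least privilege for the current role
        justified_before = set().union(
            *(baseline.get(r, set()) for r in acct.previous_roles))
        carried = excess & justified_before
        report[acct.user] = {
            "excess": excess,
            "carried_over": carried,
            "unexplained": excess - carried,
        }
    return report


# Constructed sample population.
SAMPLE_ACCOUNTS = [
    # Moved from accounting to the deal team; AllVue access was never removed.
    Account("alice", "deal_team", {"crm", "data_room", "m365", "allvue"}, ["accounting"]),
    # Clean: holds no more than the role needs.
    Account("bob", "deal_team", {"crm", "m365"}),
    # Never worked in accounting, yet holds AllVue: needs a different explanation.
    Account("carol", "investor_relations", {"investor_portal", "m365", "allvue"}),
]

if __name__ == "__main__":
    for user, detail in review_access(SAMPLE_ACCOUNTS).items():
        print(user, detail)
```

Feed it the role history from HR and the entitlement export from each critical system to turn the monthly review into a short list of accounts to act on.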

Firms should consider their individual needs, size, and business locations when comparing backup options. It is valuable to know that data storage facilities/services are not typically one size fits all, and costs may vary.  

The Valor Team looks forward to providing continual insights relevant to your industry.  For other tips and tricks in staying cyber informed, please visit our Expert Cybersecurity Valor Insights page at Insights – Valor Cybersecurity

Why PE/VC General Partners Have Growing Concerns Around Cybersecurity and What They Can Do About It

Cyber crime has skyrocketed in recent years and several corporate giants have endured catastrophic breach events. Cyber attacks targeting behemoths like Target, Home Depot and Talk Talk have triggered a contagion effect that impacts organizations spanning all industries, regardless of scope,

Authors: Greg Tomchick, Partner, C|CISO; Jeff White, Chief Security Officer, CMMC-RP 

Many small and mid-sized financial firms (wrongly) consider themselves too small to be of interest to cyber criminals and choose to ignore the threat, leaving them open to attack. 

Private equity firms are particularly vulnerable, as most operate with small cybersecurity budgets and limited IT staff. However, recent news headlines have emphasized the real risk that all firms face. It is not surprising, therefore, that the whole financial industry is coming under increased pressure from governing authorities to do something concrete about it, especially with the Russia-Ukraine developments, crypto-currency surges and investment at an all-time high.

Regulatory associations – among them the US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE), the Financial Industry Regulatory Authority (FINRA) and the UK’s Financial Conduct Authority (FCA) – have already delivered detailed reports exposing how unprepared and ill equipped firms currently are to defend against threats.

In these reports, the authorities have also set out their expectations for the benchmarks, measures and procedures that firms need to implement in order to identify, prevent and respond to possible future attacks. As regulatory associations work to fully define these expectations, it is essential that firms understand governance analysis so they can prepare for the continuous program and posture evaluations and audits that lie ahead, and demonstrate their efficacy.

As a leading cybersecurity advisor in the Private Equity and Venture Capital industry, Valorr continuously aligns with the regulatory associations driving change and remains committed to delivering essential services to help firms in the sector stay ahead of governance requirements.

As we continue to work with our partners to protect their businesses from cyber threats, we notice three main trends: 

  1. The absence of current cybersecurity programs.
  2. Unmonitored and unsecure data environments, applications and devices.
  3. Lack of the requisite expertise among staff to develop effective cybersecurity protocols.

There Is A Shift Taking Place

In the private equity (PE) space, cyber risk and threat awareness among General Partners (GPs) is on the rise.  A strong driver of this shift is Limited Partners (LPs), who want a better understanding of how firms are securing their own environments and also how firms are addressing cyber risks with their portfolio companies. 

In November 2021, the Institutional Limited Partners Association (ILPA), a global organization dedicated to supporting the interests of limited partners, issued a new standardized due diligence questionnaire (DDQ) with added cybersecurity components. 

According to the ILPA website, the purpose of the revised DDQ is “to standardize the key areas of inquiry posed by investors during their diligence of managers.”  A primary area of concern is PE firms’ cybersecurity policies and procedures. 

Such due diligence is crucial in the PE space.  

“Private equity firms that fail to do cybersecurity due diligence on their portfolio companies are at a significant disadvantage, both from a compliance and competitive standpoint.”

How could General Partners be better prepared?

The best approach for managing cyber risk is to develop an informed perspective by way of a streamlined and manageable process that treats cyber risk equally with other types of risk, for example market risk, counterparty risk, and legal risk.

Formal practices for managing cyber risk should align with other risk management approaches that are in place, where cyber risk is treated as just another risk. The SEC has encouraged developing a “reasonably” designed approach to managing cyber risk, such as one that reflects the following characteristics: 

Informed – supports and promotes an awareness of today’s cyber risks, including regulatory and legal considerations 

Manageable – risk evaluation, if performed in a manner that is manageable, does not overwhelm the business, and does not negatively impact day-to-day operations.

Digestible – reporting “in plain English” is generated that can easily be consumed by a firm’s risk leads, including COOs, deal teams, and boards of directors 

Actionable – reporting is clear and includes reasonable next steps to address key identified cyber risks 

Should a PE firm or one of its portfolio companies be impacted by a serious cybersecurity event, the reputation of the firm among investors, regulators, and other stakeholders may be on the line. 

We advise that you take the following actions: 

  • Establish an Information Security Policy: Outline how the organization plans to address, and is currently addressing, cyber and IT-related risks.
  • Secure your email service and other critical services: Ensure that your critical communication and productivity services are configured properly and tested. Your business depends heavily on real-time data and system access; when a crisis hits, these relationships will propel you through.
  • Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption; this proactive planning will literally save you millions.
  • Back up your data: Back up your data within resilient infrastructure and test those backups frequently. Not all backup and data storage facilities/services are created equal!

As cyber threats continue to proliferate, anticipating and managing them at all organizational levels will remain vital during 2022 and beyond.  As recent events have proved, PE firms are vulnerable on a variety of fronts, from their vendors and third-party suppliers to their portfolio companies.  Taking steps now to ensure proactive protections and risk management practices can help reduce these risks and help ensure that portfolio companies generate profits—not headaches—for PE firms. 

The Valor Team looks forward to providing continual insights relevant to your industry.  For other tips and tricks in staying cyber informed, please visit our additional Valorr Insights at Insights – Valor Cybersecurity

The San Francisco 49ers Football Team Make Superbowl Headlines, But Not As A Contender

Despite the San Francisco 49ers not making it to the big game this year, they still made Superbowl headlines. On Sunday, February 13th, the 49ers front office confirmed that they were the latest victim of a BlackByte ransomware attack.

While not confirmed by the football club until February 13th, the cyber-attack reportedly took place one day prior based on BlackByte’s online postings.  On February 12th, BlackByte took to underground (Darknet) Ransomware Forums claiming to have stolen financial data from the team’s servers. The group posted what appeared to be approximately 300 MB of team documents from a folder called ‘2020 Invoices’.

Author: Greg Tomchick, Managing Partner, CCISO & Jeff White, Chief Security Officer, CMMC-RP

Ransomware groups, like BlackByte, typically post some evidence of the successful compromise. It should be noted however, that this advertised data may not represent the true extent of the attack, in terms of the amount of data theft.

Since the incident, neither the 49ers nor the perpetrators have made any public mention of a ransom payment. Following the attack, the 49ers did disclose that they incurred a temporary disruption to parts of their network, but noted that the threat actors failed to impact stadium and ticket operations or ticket holder information.

Some security experts believe that the attack was a means for BlackByte to attain mainstream credibility, pulling off an attack to make headline news.

The 49ers have yet to release an updated statement regarding the full impact of the Ransomware.  The incident remains under investigation by external support parties and law enforcement. We will update this article as we learn more.

Blackbyte Analysis and Potential Motivators

This attack came to surface just two days after the FBI and U.S. Secret Service issued a joint cyber advisory on the BlackByte Ransomware Group. Law enforcement sources alerted that BlackByte had “compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors” since November 2021.

Ransomware gangs have continued to cause widespread havoc to a variety of businesses over the last year.  High-profile attacks ranging from the world’s largest meat-packing company to the biggest U.S. fuel pipeline, have led to significant financial impacts, supply chain and operational disruptions.  Despite Western Governments pledging to crack down on cyber criminals, their efforts have yet to fully disrupt the activities of Ransomware actors. 

Like similar ransomware gangs, BlackByte operates under a subscription model known as 'Ransomware as a Service' (RaaS). RaaS allows affiliates to enter into an agreement with ransomware operators to use their prebuilt tools and platforms to launch attacks against targets, typically in return for a profit share of the ransom. The presence of BlackByte first became known in approximately July of 2021. The group typically operates in a 'Double Extortion' fashion, where compromised data is encrypted and, unless a defined ransom is paid (typically in a form of cryptocurrency), the organization's data is offered to the highest bidder. Ransom notes are left by the threat actor in the encrypted directory, identifying what steps must be taken to decrypt the business's data. Interestingly enough, BlackByte and other notable ransomware groups offer email support and calling hotlines to support and expedite their victims' payments. BlackByte's typical attack methodology is to exploit vulnerabilities in Microsoft Exchange known as 'ProxyShell'.

For technical reference, the three vulnerabilities successfully used by BlackByte to gain internal access have been listed below along with their assigned 'CVE' (Common Vulnerabilities and Exposures) numbers. Links to patch information have been provided for each vulnerability with the accompanying 'KB' (Knowledge Base) number.

Steps to protect your business

To minimize your business’s exposure to Ransomware Attacks, general security guidance has been provided below:

  • Patch Management: Keep systems and applications patched with the latest security updates, with a prioritized focus on those critical to business operations.
  • Critical Data System Protection: Restrict sensitive organizational data to specific servers/systems, with enhanced security controls/monitoring around these systems. Ensure that these systems are remotely accessible. When possible, restrict local system downloads of any sensitive organizational information. For example, users are able to download employee rosters to their local machines from Microsoft 365.
  • Network Segmentation: Create separate communication networks for internal and external devices (to include any guest devices). This practice is commonly referred to as 'network segmentation'. Ensure that critical data systems, and those systems accessing them, are assigned to specified network segment(s). Closely restrict access to and monitor activities on these systems.
  • Access Control: Enforce the principle of least privilege by providing all users the least amount of access to systems/applications necessary to perform their job duties. Ensure Multi-Factor Authentication (MFA) is turned on for all applications. In alignment with best practice, remove any local administrative accounts where applicable.
  • Protection of Virtual Machines: In alignment with security best practice, do not expose any corporate virtual machine (such as Citrix) directly to the internet.
  • Perform Regular Back-ups: Ensure regular data backups are performed, with a prioritized focus on critical data systems/applications. Backups should be tested once a month to ensure they operate as intended, and the backup plan should be in place and tested periodically.
    • Establish Backup and Recovery Plan: Document procedures to execute backup/recovery efforts, and any lessons learned from previous backup test exercises. Ensure that all key stakeholders (internal and external) involved in backup activities are identified along with corresponding roles/responsibilities and contact information.
  • User Awareness Training: Establish a formalized cybersecurity education and awareness program. Provide all users with training modules to educate them on what cyber threats may look like, and steps they can take to protect your organization. Continue to engage in discussions with team members on why cybersecurity is important for the growth and success of everyone.
    • Phishing Exercises: In concert with formal training modules, users should be tested on lessons learned through phishing simulation exercises. This will allow the organization to better understand the effectiveness of training content, and to further prevent malicious activities from occurring. It is important to note that any follow-up training from these exercises should be non-punitive when possible. This will enable the organization to continue to have security advocates now and into the future.

The Valor Team looks forward to providing additional updates on this incident. We look forward to helping you and your organization avoid being a victim of cybercrime. Stay tuned!

For other tips and tricks in staying cyber informed, please visit our additional Valor Insights at Insights – Valor Cybersecurity

Log4J: What you should know and how you can proactively protect your business

On Friday November 10, 2021, a critical vulnerability was publicly disclosed in the Java-based logging library Log4J. Also known as 'Log4Shell', this vulnerability enables a threat actor to perform Remote Code Execution (RCE) across a slew of connected devices ranging from computers, home and enterprise routers, VPNs, internet of things/smart devices (IoT), and web servers.

Author: Jeff White, Chief Security Officer, CMMC-RP

For context, this vulnerability has been assigned a criticality rating of '10', the highest score on the industry-recognized vulnerability scale. Remote Code Execution essentially allows an attacker to perform malicious commands, without authentication (login), on an internet-connected device. To put this in perspective, the flaw requires minimal technical prowess. It can be exploited simply by running one command against an internet-connected and Log4J-vulnerable device.

What makes this vulnerability even more troubling is that Log4J has been used for years in some of the best-selling consumer products. Some of the world’s biggest companies have used some flavor of Log4J to include the likes of Microsoft, Amazon, and Apple.  In fact, it has been reported that some 3 billion connected devices currently use a version of Java.  

While the full scale and impact of this vulnerability has yet to be determined, it is currently being exploited 'in the wild'. Both stateside and state-sponsored actors are currently scanning network devices in an effort to locate unpatched systems. Publicly available web sites such as Shodan.io have helped attackers and threat groups identify these vulnerable network resources. It's important to note that secondary cyber-attacks can be launched following initial exploitation of Log4J, including but not limited to installation of cryptocurrency mining malware, data exfiltration, and potentially even ransomware.

Are you impacted? Steps you can take to reduce your business risk.

If any of your systems are currently running Log4J versions 2.0 – 2.14.1, you are vulnerable to this Log4J exploit. Apache, however, has since reported that this issue has been resolved in updated version 2.15, which is currently available for download on the Apache website linked below:

https://logging.apache.org/log4j/2.x/security.html

The following is provided as general guidance in mitigating the Log4J Vulnerability, and related risk to your organization:  

  • It is recommended that organizations first update all web-facing applications and systems to the latest version of Log4J (Version 2.15).
  • If possible, organizations should block external access to applications until they can be patched. Organizations should then perform a full inventory and fix/patch of any remaining internal systems impacted by the above.
  • In addition, it is recommended that organizations also implement a Web Application Firewall (WAF) if possible, for additional monitoring capabilities.
  • If your organization can afford a dedicated Managed Security Service Provider, or MSSP, it is highly recommended to do so. While Valorr remains vendor agnostic, partnering with the right MSSP provider will provide layered insight into those threats/bad actors actively targeting your network.
  • While vendors are working diligently to address this, it is recommended that organizations stay up to date with 3rd party responses. Typically, vendors will send emails on how and to what extent customers may be impacted by this and other security vulnerabilities. Customers may also check vendor blog updates for similar information.
  • If you have an existing Security/Threat Intelligence Provider, you may also receive direct vulnerability-related correspondence from a Customer Success Manager.
  • While information continues to be released on this critical vulnerability, organizations should continue to update all endpoints and network-connected devices whenever possible.

For further technical information regarding this vulnerability, please visit MITRE’s CVE-2021-44228 at the link below:  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 

Please also visit U.S. Cybersecurity and Infrastructure Security Agency (U.S. CISA) for the latest updates and actionable guidance, as more information becomes available. Through ongoing public-private partnership, U.S. CISA provides community sharing initiatives to help businesses secure and defend against the ongoing cyber threat.   

https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability (CISA Director, Jen Easterly’s statement on Log4J)  

https://www.cisa.gov/uscert/ncas/current-activity (CISA Current List of Cyber Related Activity)  

https://www.cisa.gov/known-exploited-vulnerabilities-catalog (CISA Known Vulnerability Catalogue)  


Update: 12.30.2021

Since initially posting, security researchers continue to discover new vulnerabilities in the Java-based logging library known as Log4J. Previous industry and Apache guidance was to update any known vulnerable versions of Log4J (including versions 2.0-beta9 through 2.15.0, except for update 2.12.2) to version 2.16.0.

Additional Log4J security flaws have since led Apache to issue further upgrades, the most recent being version 2.17.1. A summary of the vulnerabilities found in the previously recommended Log4J versions 2.15.0 through 2.17.0 is provided below for reference:

  • MITRE CVE-2021-45046 – With a severity score of 9, this vulnerability in version 2.15.0 allows for potential information leakage and remote code execution. Version 2.16.0 corrected this vulnerability.
  • MITRE CVE-2021-45105 – With a severity score of 5.9, this vulnerability in version 2.16.0 allows for a potential Denial of Service (DoS) against an application. Version 2.17.0 corrected this vulnerability.
  • MITRE CVE-2021-4104 – With a severity score of 8.1, this vulnerability in version 2.17.0 allows for deserialization attacks. Version 2.17.1 corrected this vulnerability.

Actionable steps your business can take to ensure the best protection:

  • It is recommended that organizations upgrade to the latest version of Log4J (version 2.17.1) for all web-facing applications and systems. If possible, organizations should block external access to affected applications until they can be patched.
  • For systems that cannot be patched, it is recommended to disconnect them from the network.
  • If possible, implement a Web Application Firewall (WAF) solution for further security visibility into web application activity.
  • If not already in place, consider engaging a trusted managed security service provider to proactively monitor for network traffic anomalies and irregular system activity.
  • Ensure all endpoints (computers) and endpoint monitoring tools (e.g., anti-virus or EDR) are continuously updated to the latest versions.
  • Continue to monitor vendor statements and communications for updates on how their products are addressing these vulnerabilities.
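As an added example (not part of the original advisory), the following Python checker turns the version ranges stated above into an inventory check: a log4j-core jar is reported as vulnerable when it falls in the original 2.0-beta9 through 2.15.0 range (2.12.2 excepted), outdated when it is below the recommended 2.17.1, and current otherwise. The jar file names it is run on are constructed; nested jars inside fat jars or wars are not inspected.

```python
import re
from pathlib import Path
from typing import Dict, Iterable, Tuple

# Ranges as stated in the advisory above (not an exhaustive map of every Log4J CVE).
RECOMMENDED = "2.17.1"           # version the update recommends upgrading to
VULN_RANGE = ("2.0-beta9", "2.15.0")   # original CVE-2021-44228 range
VULN_EXCEPTION = "2.12.2"        # back-ported fix excluded from the original range

JAR_RE = re.compile(r"log4j-core-(?P<ver>\d+(?:\.\d+)*(?:-(?:alpha|beta|rc)\d+)?)\.jar$", re.I)
PRE_RANK = {"alpha": 0, "beta": 1, "rc": 2}   # pre-releases sort before the final release

def version_key(ver: str) -> Tuple[tuple, tuple]:
    """Order Log4J versions so that 2.0-beta9 < 2.0-rc1 < 2.0 < 2.12.2 < 2.15.0 < 2.17.1."""
    base, _, pre = ver.partition("-")
    nums = tuple(int(p) for p in base.split("."))
    if not pre:
        return nums, (len(PRE_RANK), 0)
    m = re.fullmatch(r"(alpha|beta|rc)(\d+)", pre.lower())
    if m is None:
        raise ValueError(f"unrecognised pre-release tag in {ver!r}")
    return nums, (PRE_RANK[m.group(1)], int(m.group(2)))

def classify(ver: str) -> str:
    """Return 'vulnerable', 'outdated' or 'current' for one log4j-core version string."""
    key = version_key(ver)
    if ver != VULN_EXCEPTION and version_key(VULN_RANGE[0]) <= key <= version_key(VULN_RANGE[1]):
        return "vulnerable"
    if key < version_key(RECOMMENDED):
        return "outdated"     # includes 2.12.2 and 2.16.0/2.17.0, which the update says to replace
    return "current"

def scan_jar_names(names: Iterable[str]) -> Dict[str, str]:
    """Map every recognised log4j-core jar path to its classification; other jars are ignored."""
    results = {}
    for name in names:
        m = JAR_RE.search(Path(name).name)
        if m:
            results[name] = classify(m.group("ver"))
    return results

def scan_tree(root: str) -> Dict[str, str]:
    """Walk a directory tree and classify each log4j-core jar found on disk."""
    return scan_jar_names(str(p) for p in Path(root).rglob("log4j-core-*.jar"))

if __name__ == "__main__":
    # Constructed sample paths, not taken from a real host.
    sample = ["/opt/app/lib/log4j-core-2.14.1.jar", "/opt/app/lib/log4j-core-2.0-beta9.jar",
              "/srv/web/WEB-INF/lib/log4j-core-2.12.2.jar", "/srv/web/WEB-INF/lib/log4j-core-2.16.0.jar",
              "/usr/share/java/log4j-core-2.17.1.jar", "/usr/share/java/commons-io-2.11.0.jar"]
    for path, status in scan_jar_names(sample).items():
        print(f"{status:10s} {path}")
```

Anything reported as vulnerable or outdated should be patched or, per the steps above, isolated from the network until it can be.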

Additional Resources/Tools:

  • Valor recommends that organizations continue to visit the U.S. Cybersecurity and Infrastructure Security Agency (U.S. CISA) for ongoing actionable guidance based on the potential threats it is seeing.

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance (CISA Guidance updated 12/28/2021)

  • Organizations may also visit the NIST National Vulnerability Database (NVD), which provides a list of known vulnerabilities and related technical details across impacted systems and applications. All vulnerabilities in the NVD are assigned a CVE (Common Vulnerabilities and Exposures) number for universal sharing purposes.

https://nvd.nist.gov/vuln

References: 1 https://logging.apache.org/log4j/2.x/security.html (Apache's list of known vulnerabilities and fixes, and the Log4J version 2.17.1 download)

If you found value in this article, please check out our other Valor Insights on how you can protect your business.

2022 Executive Guide To Cyber Risk Management

The executive guide to tackle your most challenging cybersecurity risks in 2022.

Author: Greg Tomchick, CEO, C|CISO

Cybersecurity risk has emerged as a top-three concern for leaders of medium and large organizations as cyber-attacks, online fraud and internal threats make a material impact on businesses across the world.   

While boards and executives expect to be informed about cyber risk, very few of them seem to be getting the answers they want or need to make informed decisions. 

All too often, cyber risk reporting is filled with technical jargon and colorful but hard-to-understand charts. Those responsible for cybersecurity, from the CEO on down, are urgently looking for better ways to measure risk and enable well-informed decision-making regarding questions like:

  • What are their organization’s top cyber risks and how much exposure do they represent?  
  • Which cyber risk management investments matter most?  
  • Are they investing enough (or too much) in cyber risk management? 

This ValorrInsight is intended to provide a translated, high-level guide for executives on business-focused cyber risk management: for example, prioritizing activities effectively, making trade-offs and choosing cost-effective solutions. This insight is not intended to be prescriptive, but instead to help you recognize common risk management strategies, understand the options available to you and choose the best fit based on the nature and scale of your organization.

“Cyber Risk Management must have a seat at the table when discussing any business strategy or company initiative. This risk area intersects and impacts every area of the business and should be treated as such.”

Cyber Threats Are Not Bound By Compliance Requirements

Compliance requirements in cyber risk management tend to give most leaders a false sense of security.  On the surface, it makes perfect sense—the more boxes your organization can check on an industry-standard “compliance” list, the more “mature” it is. And the more closely aligned it is with the herd (your peers in the industry), the better off you should be from a risk perspective.

This reliance on relative measurements is a form of “implicit risk management,” i.e., more boxes/maturity/alignment implies less risk. The problem is that none of those measurements provide real insight into how much risk exists or how risk levels will change if this, that, or the other event takes place. 

The implicit risk management approach leaves many questions unanswered: How does my organization take a risk-based approach to closing gaps in controls or capabilities? How much does implementing a given control reduce our risk of a cyber-attack? Are we directing our resources to the right security activities?

Using Quantitative Approaches to Prioritize Cyber Risk Mitigation

Every organization has resource constraints, which means managing risk cost-effectively is necessary in order to appropriately balance risk management with other business imperatives. However, because of the tendency to rely on relative risk measurements, most organizations don’t achieve this balance.  

There are two dimensions that determine cost-efficacy in risk management:  

  1. The ability to identify and focus on your most important risks (i.e., prioritization) 
  2. The ability to understand the value proposition of risk mitigation projects and optimize your solution choices through cost-benefit analysis

Organizations that are effective in both of these dimensions reduce the odds of painful surprises and wasted resources. With this in mind, it’s important to recognize the degree to which qualitative and quantitative measurements support these dimensions. 

Organizations can make significant improvements in their ability to prioritize by avoiding or proactively addressing the issues mentioned above, even if they are still measuring risk qualitatively. This will only take them so far, however, because qualitative measurements are inherently imprecise. For example, an organization might become very good at putting risks into the right high/medium/low buckets, but it will not be able to differentiate risks within those buckets—i.e., it won't know which “high risk” is highest.

Choosing Cost-Effective Solutions

Once you’re able to focus on your most important risks, the next step is being able to choose your most cost-effective solutions. This is where qualitative measures fall flat for two reasons. First, in many cases they are simply too imprecise to effectively reflect differences in the level of risk reduction from various solutions. Second, they don’t reflect risk reduction in meaningful business terms. Going from “high” to “medium” might sound and even feel good, but what does it actually mean? The diagram below provides a comparison between how far qualitative measurements can support cost-benefit analysis, versus quantitative measurements.  

The bottom line is that improving your organization's ability to measure risk qualitatively is a start toward managing risk cost-effectively. To become good at cost-effective risk management, though, you need to leverage quantitative measurements. This enables you to understand how much less risk is likely to exist after a control is improved. It also allows you to understand how much more risk is likely to exist if a control is removed or loosened for business efficiency or cost-saving reasons.
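As an added illustration (not from the original article or the FAIR book it cites), the following Python sketch carries the argument above through in numbers: two risks that would both land in a qualitative "high" bucket are expressed as annualized loss exposure from estimated loss event frequency and loss magnitude, and candidate controls are ranked by expected risk reduction per dollar. All figures, risk names and bucket thresholds are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Tuple

Estimate = Tuple[float, float, float]   # (minimum, most likely, maximum)

def pert_mean(est: Estimate) -> float:
    """Expected value of a min / most-likely / max estimate using PERT weighting."""
    lo, ml, hi = est
    return (lo + 4 * ml + hi) / 6

@dataclass
class Risk:
    name: str
    frequency: Estimate    # loss events per year
    magnitude: Estimate    # dollar loss per event

    def annualized_loss(self) -> float:
        return pert_mean(self.frequency) * pert_mean(self.magnitude)

@dataclass
class Control:
    name: str
    risk: Risk
    annual_cost: float
    freq_reduction: float = 0.0        # fraction of loss events the control prevents
    magnitude_reduction: float = 0.0   # fraction of per-event loss the control avoids

    def residual_loss(self) -> float:
        return (pert_mean(self.risk.frequency) * (1 - self.freq_reduction)
                * pert_mean(self.risk.magnitude) * (1 - self.magnitude_reduction))

    def benefit_per_dollar(self) -> float:
        """Expected annual loss avoided for each dollar spent on the control."""
        return (self.risk.annualized_loss() - self.residual_loss()) / self.annual_cost

def qualitative_bucket(annual_loss: float) -> str:
    """Constructed high/medium/low thresholds; both sample risks fall in the same bucket."""
    return "high" if annual_loss >= 250_000 else "medium" if annual_loss >= 50_000 else "low"

def rank_controls(controls: List[Control]) -> List[Control]:
    """Highest expected risk reduction per dollar first."""
    return sorted(controls, key=lambda c: c.benefit_per_dollar(), reverse=True)

# Constructed sample inputs, not real loss data.
RANSOMWARE = Risk("Ransomware on file servers", (0.1, 0.3, 1.0), (200_000, 800_000, 3_000_000))
WIRE_FRAUD = Risk("Business email compromise / wire fraud", (0.5, 2.0, 5.0), (20_000, 150_000, 600_000))
CONTROLS = [Control("EDR + immutable backups", RANSOMWARE, 120_000, 0.5, 0.6),
            Control("Payment verification callbacks + MFA", WIRE_FRAUD, 30_000, 0.7, 0.0)]

if __name__ == "__main__":
    for r in (RANSOMWARE, WIRE_FRAUD):
        print(f"{r.name}: ${r.annualized_loss():,.0f}/yr ({qualitative_bucket(r.annualized_loss())})")
    for c in rank_controls(CONTROLS):
        print(f"{c.name}: ${c.benefit_per_dollar():.2f} avoided per $1 spent")
```

Both risks print as "high", yet their exposures and the payoff of the two controls differ markedly, which is exactly the distinction the qualitative scale hides.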

A Roadmap For Success

Despite cultural and operational differences between industries and organizations, there appear to be some fundamental steps that consistently help to smooth the process of building quantitative risk management programs. 

  • Identify your pain points
  • Socialize those pain points along with the expected change
  • Build or deploy a committee or group to address them
  • Train your people on the chosen mitigating action(s)
  • Find ways to organize tactical (quick wins) and strategic (longer term) activities
  • Integrate new steps or activities into existing business processes, starting with the highest priority business processes
  • Host checkpoints and continually refine. Effective risk management, in any capacity, is a continuous improvement process.

If you have benefited from these insights or have questions regarding how Valor helps leaders implement these principles, request a meeting with our team at your convenience.

Sources:

  1. Measuring and Managing Information Risk: A FAIR Approach. (Jack Jones and Jack Freund). Available on amazon.com (http://amzn.to/2pXshsO) in both softcover and electronic form. 

The Current State Of Cyber Insurance In 2022

The U.S. cyber insurance market is at a standoff. As coverage demand continues to accelerate into early 2022, coverage supply has put on the brakes. On the demand side are organizations of all sizes, across all industry classes. They are looking to make an initial coverage purchase, increase their existing coverage or simply renew within budget.

Author: Greg Tomchick, CEO, C|CISO

As the world continues to digitally transform, the frequency, severity and sophistication of cyber incidents are increasing along with the dependency on technologies to operate.  Vulnerabilities and exposures are multiplying due to greater interconnectivity, creating systemic risks that are vast, growing and not easy to detect or control.  Combining these systemic risk dimensions with potentially severe and widespread consequences creates the possibility for a cyber catastrophe.  

Similar to pandemics, cyber incidents can cause losses that are not limited by time or geography. It's no longer theoretical: cyber criminals have already demonstrated their ability to disrupt supply chains for businesses around the world and cripple critical infrastructure, as with the recent attack that resulted in Colonial Pipeline shutting down its lines supplying fuel to the east coast of the U.S. With recent cyber incidents causing billions of dollars in economic losses, it's not difficult to imagine a catastrophic attack that could test the balance sheet capacity of the insurance industry. Unlike previous sudden catastrophe events, we are witnessing the continuous escalation of cyber risks. This advance notice provides an opportunity to build cyber defenses and economic safeguards before a catastrophe occurs.

A More Risk Informed Path Forward

Despite organizations being more aware of cyber risk and its consequences, cyber incidents and threats are only increasing and evolving. While cyber insurance is clearly playing an increasingly important role in managing organizations' cyber exposure, the ability of insurers to absorb the total loss potential over the long term is less certain.

The increase in both frequency and severity of cyber incidents is causing insurers to reevaluate their pricing and terms and conditions.  Providing a stable market for cyber insurance while accounting for the potential scale of catastrophic risk will require new solutions, such as a partnership with the government, as well as in the product offerings of individual insurers.  For the insurance industry, the challenge becomes how to craft policies that offer coverage certainty, provide meaningful protection, and help manage both attritional and catastrophic cyber events for clients and insurers. 

With cyber exposures continually increasing, either through the nature of operations and IT environments, failure of common infrastructure, or bad actors exploiting vulnerabilities, it’s more critical than ever for organizations to improve preparations for a potential cyber catastrophe.  A great place to start is: 

  1. Understanding the specific exposures each organization may face through the lens of the potential catastrophic cyber events outlined, 
  2. Identifying and socializing potential risk mitigating actions, and 
  3. Then committing necessary resources to improving cyber defenses and resilience.   

Next Steps and Closing

With growing leadership recognition of supply chain risks, shared IT vendors represent a significant systemic risk to organizations. Extensive due diligence should be conducted on these vendors, and redundancy and resiliency should be built around them, in addition to examining the indemnity language in contracts to assess how risk is being transferred.

Organizations should also take full advantage of the expertise offered by their insurance broker or agent and their cyber insurance carrier.  While IT, risk management, and business continuity teams may have confidence in their cyber protection and incident response measures, no organization can ever be fully protected from all potential cyber incidents, especially wide-spread, catastrophic ones.  

Many insurance carriers and advisory partners offer a range of pre-incident services to help organizations improve their cybersecurity posture, such as incident readiness assessments, security effectiveness benchmarking, network vulnerability testing, and common attack simulations.  

Organizations also should be prepared to respond when a cyber incident occurs.  An insurer’s incident response team of experts can help contain the damage from such events and help restore an organization to full operations as soon as possible.  These services could make the difference between merely surviving a major cyber event and moving forward with confidence. 

We hope this ValorInsight has provided you with the information you need regarding the cyber insurance landscape as we continue through 2022.

We are passionate about ensuring our partners have appropriate coverage in place. Request a meeting with our team if you have any questions.