Virginia-Based Business Valor Cybersecurity Announces Launch of a Free New Rapid Cyber Threat Assessment Tool

Norfolk, VA, January 22, 2023 –(Valor Cybersecurity)– With cybercrime and ransomware attacks on the rise, cybersecurity is becoming a hot-button issue for organizations across the globe. From boardrooms to server rooms, leaders are being asked, “How secure are we?” The overwhelming response may surprise you. In a recent IBM study, an estimated 70% of businesses stated that they do not have the necessary resources to protect their assets. A critical component of any decision-making process is having the right information, at the right time, alongside the right expertise.

Leveraging more than 20 years of combined experience in helping build cybersecurity programs for leading organizations, the team at Valor Cybersecurity is excited to announce the release of its Free Rapid Cyber Threat Assessment. This tool is designed to help leaders identify the relevant cybersecurity threats to their business and brand by answering several targeted questions. At the completion of this assessment, individuals will receive actionable guidance to begin the journey of better protecting their organization.

“The team and I are extremely excited to release this accessible resource to the wider business community. Having the ability for business leaders to identify and receive actionable guidance to address cyber threats is something that I wish I had 7 years ago, when my business was decimated by a cyber-attack,” said Valor CEO Greg Tomchick. “Had I had the threat intelligence at hand early enough, we could have acted on it and prevented the attack.”

“The ability to provide leaders a lens into their business risks and help guide them with proactive protection mechanisms is extremely rewarding,” said Valor CSO Jeff White. “As a company, we strive to improve the security environment for organizations large and small, and this free rapid threat assessment tool can be one step in helping us achieve that goal.”

Click Here to take the free Rapid Cyber Threat Assessment.

About Valor Cybersecurity

Valor Cybersecurity simplifies identifying and addressing cybersecurity threats and business requirements for leading small to medium-sized businesses. Though we are laser-focused on serving organizations in the technology, defense, and investment communities, our expertise and collaborative approach enable our solutions to scale to tackle your cybersecurity requirements, save you money, and build the right-sized strategy to protect your business and brand. This work creates a more Valor future and we are passionate about that.

To learn more about us, we encourage you to visit our website (https://valor-cybersecurity.com/) and follow us on LinkedIn (https://www.linkedin.com/company/valor-cybersecurity/) and Twitter (https://twitter.com/valorcyber).

Driving Your Growth Forward: Cybersecurity as a Business Enabler

In today’s connected business environment, protecting your assets is more critical than ever. Attackers know that leaders rely upon having access to online information to make informed decisions. The reality is that most of this information is stored or touched by vendors in order to provide core services to their customers. But what happens when your business is unable to access critical data? Do you have a plan in place to operate despite the disruption? Just how long can you be without your data before a negative business impact is realized? Cybersecurity aims to bring awareness, preparation, and proactive solutions to these burning questions and more.   

At its core, cyber security is about identifying and addressing business risks. Cyber risk is in fact a business risk. Unfortunately, complex vendor marketing has left many leaders confused not only about where to start in the security journey, but also about what tools and strategies to put in place to enable the business to operate safely. In the sections below, we break down these complexities so that your business can leverage cyber security to drive your business forward.

Core Benefits of Investing in Cybersecurity 
  1. Protection against external threats

Cybercriminals are cashing in on businesses. In fact, a recent study expects the global cost of cybercrime to exceed $1 trillion in 2023. 

But what really motivates someone to perform a cyber-attack? While primarily launched for financial gain, cyber-attacks can also be driven by industrial espionage, reputation damage, or even hacking for a cause (typically known as hacktivism). Whatever the motivating factors, cyber criminals all share one common thread: to negatively impact you. 

Cyber security, however, can be leveraged before a business impact is felt. By enabling best practices such as Multi-Factor Authentication, regular system and software updates, and security awareness training, organizations can be better positioned not only to thwart attackers’ attempts but also to minimize business damage if an attack occurs. 

  2. Protection against internal threats

Despite all the shiny cybersecurity tools and vendors out there, a simple click of a link by an employee or trusted third party can cripple these protections. The weakest link in the cyber security chain remains the human element. Whether it’s by accident, negligence, or outright malicious intent, insiders pose a real threat to your business. 

The insider threat is expected to grow in the coming months, as business continues to shift towards a fully remote, and hybrid workforce. You may be asking yourself: ‘With the shifting business landscape of today, how can I ensure employee flexibility while protecting my most trusted assets?’ Good news, as there are ways you can act NOW!  

Implementing proactive monitoring of networks and managed access and reviewing existing access control (permissions) for your employees can significantly cut down on the likelihood of a trusted insider damaging your business. In addition, providing your employees and vendor ecosystem with consistent, and relevant cyber education can turn your people into security champions for the organization.  

  3. Regulatory Compliance

With breaches continuing to make headline news, regulators are taking note that cyber protections must no longer be an afterthought. From Payment Card Industry (PCI) security standards to protected health information and even merger and acquisition safeguards, it’s likely that if you do business anywhere, you have required cyber protections.  

Even for those in typically unregulated markets, such as crypto-based investments, the time for regulatory oversight in how these transactions are performed and secured, is coming. The recent collapse of the crypto kingpin, FTX, has shown that decentralized investments are under the watchful eye of government and business entities.  With impending regulations on the horizon, you should be asking yourself, ‘why not take the first step today towards better protecting your business and your client’s information?’ 

But don’t just take our word for it. According to data privacy and cyber security law expert Jamal Hartenstein, leaders could approach cyber security in regulatory compliance as “a competitive advantage, getting ahead of industry competition before underregulated industries become regulated.” 

  4. Improved productivity

Threats such as malware, ransomware, and even compromised email boxes can bring traditional business operations to a screeching halt.  At best, you’re able to revert to good ol’ pen and pad transactions. At worst, your business has no access to its data, and the bad guy/girl wants a heap of money to give it back. 

By implementing a variety of proactive technical measures such as defined backups and firewalls, alongside a security strategy to define the execution of these resources, you can drastically reduce not only occurrences but also the time to detect, respond to, and recover from cyber breaches.  

  5. Cost savings and value

According to the Hiscox Cyber Readiness Report 2021, the average cost of a single cyber-attack to a small business in the U.S. is $25,612. Considering the fact that only about 40% of SMBs operate at a profit — the loss of data and cost to recover it, downtime to restart operations, and hefty fines can be a steep price to pay.  

As cyber-attacks only continue to grow more sophisticated and complex every day, it’s important to weigh the cost of dealing with one attack versus the value of taking preventative measures. By mitigating risks, you put your business in a better position to respond, recover, and keep existing customers happy — a far more cost-efficient option than attracting new ones. 

  6. Confidence in Your Brand

With inflation and uncertainties plaguing every industry vertical, can your business afford to lose any customers? Business success in today’s environment goes well beyond providing quality products and services. Today’s customer counts on your business to keep the information entrusted to you, safe, secure, and out of the news headlines.  

But what happens when one of your customer databases ends up for sale on the Dark Web? Is your team prepared to respond to and defend against the reputational damage such a breach could lead to? The fact is, our team continues to see this happen, where treasure troves of client information (credit cards, names, email, social security numbers, etc.) are leaked to the highest bidder. 

But what would you say if you could implement a basic security strategy, without costing an arm and a leg? Would you take that first step to ensure client confidence? 

Taking The First Step – Completing A Baseline Security Assessment 

Your business is on a journey into the unknown, and although you can’t predict the future, you can do everything to ensure its success. How can you better protect your people, your brand, and your reputation? The logical first step in this process is to perform a baseline security assessment, getting to know not only how your business operates, but also what critical systems and processes enable its success.  

From here, you can apply industry best practices to determine how prepared your business is to defend, respond and recover from modern-day cyber-attacks.  

Lastly, a recommendations roadmap will detail how to improve upon your business’ current security state by utilizing cost-effective tools and practical resources.  

Not Quite Ready for A Full Fledged Assessment? Don’t worry, we’re here to help! 

Typical security assessments require key stakeholders to allocate time for interviews. But what would you say if you could identify relevant cybersecurity threats and business requirements on your own time and at your own pace? You’re in luck because we’ve done just that! 

The team at Valor Cybersecurity is pleased to offer our FREE Rapid Cyber Threat Assessment today. As a bonus for taking our assessment, we will give you a free 30-minute consultation with recommended guidance for better protecting your business! 

Be Bold, Brave, and Courageous In Your Endeavors 

Whether the Valor Team can help you now or in the future, we remain poised to support your business success and protection.

Authors: Greg Tomchick and Jeff White

The Growing Need for Cybersecurity Advisors. But how do you select the right one for your business?

Cyber breaches continue to make waves across almost all industry verticals. Whether your business is large or small, your people, technology, and information could be in the crosshairs of the next cyber-criminal. Over the past year, we’ve seen increasing instances of data exposures, extortion attempts, and crippled business across both critical infrastructure and supply chain vendors, resulting in reputational damages, the inability to serve customers, and even business closures. The reality is that our businesses and society are continuing to grow more connected, into a world in which the information that we need to make informed decisions is a mouse click away. As such, it is necessary for business leaders to understand, prepare for, and prioritize the protection of technologies in our digital world.

Cyber risk is a business risk at the end of the day.  But navigating the uncertainties of today’s cyber threats and ensuring your business has an effective plan of action is not an easy task. It is one which requires focus, expertise, and true understanding of how your business serves and enables its customers. A cybersecurity advisory partner can help you and your business navigate uncharted waters with the goal of getting you to your destination safely.

Are you needing help in protecting those precious things which you’ve spent years building? Let’s take a closer look at how a cyber partner can help add a layer of protection around your nest egg:

Selecting the right advisor for your business

The journey of building, maintaining, and maturing a cybersecurity program is unique for every business. Some organizations require support when it comes to identifying and addressing security gaps within business systems; others may seek support in developing an effective and scalable culture of security. Ultimately, the needs of an organization relating to protecting their business, will grow and evolve over time, just like the evolution of products and services.

Regardless of their role or function, the most important part of hiring the right cybersecurity advisor is feeling confident that their roadmap to securing your success aligns with your business goals and objectives.

Selecting a cybersecurity partner doesn’t have to be a daunting task, however. Let’s examine a few things to consider in your selection process:

  • Does the advisor have accessible resources with a wide range of functions and capacities in the event that they do not specialize in a specific subject matter?
    •  In this instance, they would be able to leverage a network of subject matter experts, as necessary, to better serve their customers’ needs.
  • Do they have your company’s best interest at heart?
    • The right advisor will focus on getting to know your company inside and out. They will provide the right security needs for your organization at the present time, considering cost and available internal resources.  The right partner will take care in building a trusting relationship, centered on transparent communication, timely feedback, and consistent collaboration.
  • Are they personable in their interactions?
    •  A good cybersecurity advisor is someone who can relate to you and your businesses’ pain points, someone who you genuinely enjoy working with.

Advisors Serve as An Extension of Your Team

Before you consider hiring a cybersecurity advisor, it’s important to consider why you may need them. For example, have you determined if someone already working within the company may be able to support this need? Do they have the right skills necessary to perform these duties? If so, are they a full-time or part-time employee? Can they effectively manage the task themselves, or would they need additional support? These are very important questions to keep in mind as you look for cybersecurity support, internal or external, for your organization.

As you embark on enabling and better securing your business, realize that we’re all in this together. You’re not alone, and there are dedicated folks out there like Valor Cybersecurity committed to keeping your business running smoothly and securely so you can have increased peace of mind. While you won’t accomplish these efforts overnight, you’re well on your way by taking the first step forward!

If you have questions or are interested in a collaborative conversation, reach out to our team of experts at www.valor-cybersecurity.com or email us at info@valor-cybersecurity.com.

Authors: Jeff White and Greg Tomchick

 

Why Choosing The Right Cybersecurity Partner Matters

Let’s face it, cybercrime is constantly evolving, and no business is immune from these vicious attacks. Protecting businesses of today requires executives to take a strategic, and proactive approach that involves understanding relevant cyber threats and how these threats can impact operations.

How Do Cybersecurity Advisors enable your business?

As digital transformation continues to touch every part of a business, cybersecurity consulting firms have become a valuable resource to companies across all industry verticals. We also recognize that not every cybersecurity firm can provide you with the right resources, with the right expertise, at the right time. As you search for that next trusted party to help you on your security journey, here are a few things to consider.

Many organizations lack a dedicated security strategist, otherwise known as a Chief Information Security Officer (CISO). This individual typically serves as a point person to guide, advise, and transform business initiatives focused on better protecting the business. As such, businesses routinely search for external expertise that can help them baseline their security across people, process, and technology and provide a prioritized way forward. External support in these activities not only saves money up front but also provides business leaders with expertise on how to effectively navigate the cyber threats of today. In fact, external CISO support (typically referred to as a fractional CISO or vCISO) costs, on average, half the price of the same FTE, not to mention the time and money associated with burdensome onboarding processes.

So how are the benefits of having a cybersecurity advisor or vCISO realized? Let’s have a look:

Develop a Right-Size Strategy with The Right Partner

If done the right way, an independent cybersecurity consulting firm providing vCISO services won’t sell you overpriced cyber tools that you can’t afford or can’t effectively utilize. Instead, they will evaluate the options, bearing in mind your budget, business structure, objectives, and ability to safeguard against relevant cyberattacks. The right cybersecurity advisor will develop a prioritized action plan alongside recommended tool options, so that your business knows where it’s headed and how to get there. Whether it’s security compliance, cyber insurance, or establishing board oversight, your cybersecurity partner should walk beside you in your journey.

Identify and Address Business Risks, Previously Undiscovered

Approximately 64 percent of businesses have experienced at least one web-based attack, according to Fundera. Even more astonishing is that small to mid-size organizations spend an average of $7.68 million per incident. Having a trusted advisor by your side can help you proactively identify cyber risks before they become incidents, such as the lack of Multi-Factor Authentication (MFA) on business-critical systems.

Ensure Client and Internal Data Is Safeguarded and Recoverable

Technology alone is not the surefire solution for protecting your business. You should be able to answer critical questions like what data you have, what safeguards are in place, and who has access to your systems. By working with a trusted cybersecurity consulting firm, businesses can establish a data governance strategy to answer these questions and more, giving you peace of mind that you know where your data lives.

But controlling your data is just one component of data governance. What happens when your online service vendor experiences an outage, or you receive the message ‘corrupt file, cannot open’? Not to worry, as your cybersecurity partner, working alongside your existing IT team, will formulate an effective backup strategy to implement, ensuring that you have access to the data you need, at the right time, to make informed business decisions.

Thwart Phishing Attacks

Phishing is a common type of social engineering attack that cybercriminals use to steal business data, such as login credentials, credit card numbers, or even business documents. During a phishing attack, a hacker may masquerade as a trusted entity to trick the victim into opening a text message, email, or other online correspondence. Their goal here is to convince you, the end user, to provide something they want.

An effective cybersecurity advisory team can work with you to reduce the likelihood of these attacks. Through a combination of tools and awareness of how to spot and report suspicious activity, you can reduce your likelihood of being the next victim.

Avoid Potential Fines from Lost or Compromised Data

Mistakes happen, whether intended or unintended. Unfortunately, some mistakes cost real headaches and financial losses. With cyber regulations tightening on all markets, regulators are cracking down on security breaches with increasing fines and penalties.

By proactively implementing security best practices, you can reduce the risk that your business will face these steep penalties. A trusted cybersecurity partner can help you identify appropriate safeguards within your industry, so you can stay ahead of the cyber threat.

Effectively Train and Inform Employees on Cyber Threats

The best offense is a good defense. Properly trained employees are an organization’s best defense to scoring ‘wins’ against cyber criminals. It is essential for companies to educate their employees on how to identify and avoid potential cyber threats that could put the business at risk. The right cybersecurity advisor can help train your employees on ways to stay vigilant and defend against cybercrime.

Save Costs on Hiring Cybersecurity Staff

These days, cybersecurity professionals are in high demand. It is expensive to hire and retain employees to work in an internal cybersecurity role. Outsourcing to a trusted third-party cybersecurity firm is a cost-effective option for businesses that require prioritized cybersecurity expertise but cannot afford, or don’t need, a full-time team member. An independent cybersecurity advisory firm can help you identify what roles and expertise your business needs, and rapidly deploy those resources when needed.

Curious about how cybersecurity support can help your business move the needle? We’d love to have a chat.

Valor Cybersecurity exists to simplify the identifying and addressing of cybersecurity threats and business requirements. Our team of experts serves as an extension of your team, helping you to achieve your business goals. Whether it be identifying cyber best practices, preparing for compliance requirements, or simply considering cyber insurance for the first time, we’re here to help! For more information or to speak with an independent, vendor-agnostic cybersecurity consulting firm, reach out to our team of experts today.

 
Authors: Jeff White and Greg Tomchick

Web 3 Explored – How Did We Arrive And Are Digital Experiences Evolving Faster Than We Can Secure Them?

There is no doubt about it, digital technologies have rapidly modernized the way we create, and innovate. With an internet connection and a swift click of a button, we can now access our friends, family, and work colleagues, without bounds or borders.  In fact, if we took a step back, most of us would be amazed by how far our technology has evolved throughout the years.

Let’s rewind back to 2007, when Apple released the 1st generation of iPhone; a device that would revolutionize the way we communicate, for years to come. In that same year, tech giant Amazon would release its first e-reader, the Amazon Kindle, which all but transformed mobile reading experiences. In 2009, the first peer-to-peer digital currency, known as Bitcoin, came on the scene, which would soon allow us a new way to buy, sell and transfer value, all without the need for a central banking system. In leveraging blockchain technologies, Bitcoin would soon give rise to alternative digital currencies, further expanding decentralized experiences and transaction opportunities.

Fast forward to 2014 when Gavin Wood, the founder of cryptocurrency ‘Ethereum’, coined the term Web3 (or Web 3.0). Web3 would soon become known as the next generation of the internet, where connected devices would further the connection between the physical and digital realms.  Facebook (now Meta) accelerated this transition to Web3 experience in 2019 and 2020, with their release of the Oculus Quest and Quest 2 Virtual Reality (VR) headsets. What was once a high-tech and relatively expensive gadget largely built for the tech community, was becoming more accessible for the everyday consumer.

Enter 2020, when the world was on the brink of a Pandemic. With growing health and safety concerns, many businesses were forced to send hundreds if not thousands of employees to work from home; thus, leading employers to incorporate innovative outlets that would encourage collaboration and sharing. From telephone calls, and traditional video conferencing to ‘Metaverse’ meetings on VR headsets, the computer connection became another extension of our lives.

Coinciding with the ongoing digital shift in work, leisure, and shopping from home has been the emergence of digital assets, namely NFTs (Non-Fungible Tokens). The original premise for NFTs was to take a traditional physical asset and transform it into a digital representation. What originally began as a platform for trading digital artworks has continued to expand its NFT offerings. To date, paintings, real estate, clothing, and digital collectibles are all being offered as investable, with some items selling in the Millions of Dollars ($USD). Furthermore, there’s no sign that this marketplace is drying up anytime soon. In 2021 alone, the Global Market for Non-Fungible Tokens was an estimated $15.70 Billion 1. Based on forecasts, this value is expected to reach close to 122.43 Billion ($USD) by 2028 1.

While not every industry vertical and business leader has been quick to the NFT and crypto table, private equity investors and sports teams are taking note in capitalizing on missed opportunities. Below we will explore who is ‘playing ball’ in the NFT space, and how investors are accelerating these ventures.

Digital Memorabilia – Professional Sports are going all in on new collectibles

Despite the crypto craze and uncertainties regarding the long-term value, sports teams, players, and partnering investors are striking while the iron is hot. Recent estimates demonstrate that there is a lot of playing field when it comes to monetizing digital collectibles. For 2021, NFT sports collectibles were estimated at $1.4 Billion (USD). Based on the forecast, this number is expected to rise to a whopping $92 Billion (USD) by 2032 2.

Let’s have a look at some notable investments, made in the NFT – pro sports collectible space, and examine how they are shaking up traditional keepsakes.

Top Pro Sports – NFT Collectible Ventures

  • NBA Top Shot – An NFT marketplace started in 2020, in partnership between the NBA and Dapper Labs (creator of NFT venture ‘CryptoKitties’), allowing users to buy, collect, sell, and trade basketball video highlight reels of their favorite sports moments. The list of investors in this venture is ongoing, with recent funding in the amount of $305 million (USD). This most recent round was led by wealth management firm Coatue, and included the likes of star athletes including Michael Jordan and Kevin Durant 3 . Even team owners got in on the investment, with Sacramento Kings owner Vivek Ranadive taking part in the action!
  • Autograph – Launching in 2021 and inspired by both son Dillon and father Paul Rosenblatt, Autograph has risen to notoriety with collectible NFTs ranging from sports phenoms to music legends. With backing from Tom Brady himself, Autograph has been able to attract top talent to their platform, providing offerings at the intersection of community and collectibles. In 2022, Autograph received $170 Million (USD) in series B funding through leading VC Firms Andreessen Horowitz, Kleiner Perkins, and San Francisco Based VC ‘01A’ 4 .
  • Sorare – Launching in early 2019, Sorare focuses on bringing the fantasy sports experience to the NFT community. While focused on European Football, Sorare has expanded its footprint into Major League Baseball as of early 2022. A notable series B investment round was received by Sorare in the amount of $680 Million (USD) and led by investment fund SoftBank Vision Fund 2.

Pro Sports – NFT Ventures to Watch

  • LPGA – While there has been initial NFT movement on the PGA front, the LPGA is preparing for this movement. Despite no confirmed signs, it’s apparent that the Ladies Professional Golf Association (LPGA) is exploring options in both NFTs and the Metaverse. As of June of 2022, the LPGA filed a trademark application for these spaces, with the United States Patent and Trademark Office, which can be viewed here: https://www.uspto.gov/patents/search (Trademark Nos: 97462083 and 976462042)
  • Crypto Country Club – Launching in 2021, a pair of Austin entrepreneurs foster a community where members can buy, sell, and interact with one another through golf-inspired artwork. Crypto Country Club has a well-known PGA Tour golfer, Joel Dahmen, as its brand ambassador (a role they refer to as ‘Club Champ’).
  • Malbon Golf Buckets Club – Featuring exclusive golfer-inspired NFT art, Malbon Golf Buckets Club seeks to provide another form of rich ownership and lifestyle experience, typically afforded to the golf course members of Malbon Golf Club.

“Organizations that fail to evolve their digital security practices with rapidly evolving innovations are at a significant disadvantage, both from an IT and a competitive standpoint.” 

Looking ahead of the curve – the Risk of NFT ownership

Like trading cards, there may be both short- and long-term market volatility that comes with ownership of NFTs. But should market value be the only risk investors focus on when hedging their bets on digital investments? Unfortunately, the answer is no, primarily because the transactions to acquire, sell, and interact with NFTs occur ‘online’ across an internet connection. With the rising values of these collectibles, malicious actors are seeking ways to cash in and cash out. Let’s look at some recent cyber news, as it relates to theft, fraud, and unintended mistakes in NFT land.

  • Fraudulent sale of NFT sells for $340,000 – In August 2021, a fraudulent actor listed and sold an NFT, presented as the work of world-renowned artist Banksy, in the amount of $340,000 5. In an interesting twist, however, the resulting media coverage by the BBC and others pressured the seller to return the buyer’s money in full.
  • Insider Trading – In September 2021, a senior employee of a well-known NFT marketplace was suspected of insider trading. It appeared that they bought NFTs prior to the official launch, and subsequently sold them for a profit of close to $67,000 after launch 6 . Following this incident, the marketplace reportedly instituted security policies prohibiting the use of confidential and internal company information for NFT transactions.
  • Price Manipulation – In October 2021, an NFT character titled ‘CryptoPunk #9998’ sold for over $400,000. Unfortunately, it was soon determined that the buyer and seller were the same person. This NFT owner attempted to sell this NFT for over a billion dollars 7. While this may not be illegal at face value, this scenario represents the opportunity for price gouging in the marketplace.
  • Identity Theft – On or around March of 2021, a well-known creator of Marvel’s Super Hero Adventures appeared as a seller on the secondary marketplace, Rarible. The comic creator went on to post on Twitter that the ‘verified’ profile was in fact not him 7 . This example demonstrates that fraudulent sellers may be posing as established figures, in an attempt to drive value to their NFT sales.
  • Actor loses his beloved Ape NFT – Actor Seth Green became a recent victim of NFT theft. In May 2022, Green attempted to ‘mint’ an NFT on a phishing/fake site. Because Green had his cryptocurrency wallet linked to the site, the attacker was able to make off with a total of 4 of his NFTs, including a well-known Bored Ape Yacht Club Character 8 .

Steps to protect your digital investments – Web 3 and Beyond

You’re probably asking yourself: now that I know the potential risks of Web3 transactions, how can I better protect my portfolio of assets? We have outlined several steps you can take to immediately better safeguard your assets:

  • Perform Investment Due Diligence: Before making any sort of investment in cryptocurrency or NFTs, ensure the legitimacy of the seller and source. This can reduce the risk of acquiring counterfeits. Whether you talk to fellow investors or read a company publication, it’s always best to cross-reference multiple sources. You may typically buy NFTs from either the original Minting Company or from a secondary marketplace. If buying from a community marketplace, you should typically favor more established platforms: those that have been in business for at least a year and that focus on fighting not only theft but also scams from members/outsiders. A few noteworthy NFT marketplaces are https://opensea.io/ and https://rarible.com/ . As always, we recommend you perform your own diligence before taking the plunge into NFTs.
  • Ensure you are visiting the authentic website – Whether you are buying, selling, or trading an NFT, you must ensure that you are visiting authentic websites. As with bank account websites, hackers have been known to create fake websites that almost mirror the original one, in an attempt to steal users’ login/account information. It is always a good idea to verify the website’s authenticity by looking for the ‘Padlock’ icon in the web browser. By clicking it, you will be shown a subpage, where you can scroll down and look for the ‘dates of validity’ for the ‘certificate’. This padlock or certificate represents that the website uses encryption. Because a fake site can also obtain a certificate and show a padlock, confirm as well that the domain name in the address bar exactly matches the site you intend to visit.
  • If the offer is too good to be true, it probably is! – Seeing your latest Bored Ape Yacht Club character going for $2,000? While we recognize that markets can drastically fluctuate in the NFT space, if the going value of all other minted NFTs is much higher, then you probably have yourself a bad investment; it’s either a counterfeit item or stolen from the legitimate owner. To help in verifying the NFT transaction, you can check the authenticity of the listing by visiting https://etherscan.io/ .
  • Storage of NFTs in an ‘offline’ wallet – Otherwise known as cold storage, this physical storage device allows for the transfer and safekeeping of your valued (and potentially high dollar worth) NFTs. At a high level, the main difference between online wallets, like ‘MetaMask’ for example, and ‘offline’ wallets is that online wallets require an internet connection to access. In addition, a password typically referred to as a ‘seed phrase’ prevents anyone who does not know the combination from gaining access. While we typically remain vendor agnostic, here are a few cool ones to check out: Ledger & Trezor.
  • Vetting Third Party Ecosystem – If you are actively investing or considering investing in NFT companies in the future, Vendor Due Diligence is critically important to the success and security of your money. What would you say if your company’s offices were locked, but the night cleaning crew left the door open? This example is strictly to illustrate that attackers actively look for weaknesses (intentional or unintentional) in vendor physical, data protection, and even software/web development practices. The NFT company or you as an investor may have strong digital security measures in place, but these may be bypassed if vendors aren’t good stewards of your investments. This all starts by having a conversation with the critical vendors that are supporting a minting venture or website launch, asking them how they interact with, store, and access data. An extra few days or weeks of thorough vendor due diligence will potentially save you months-long headaches in the future.
  • If you’re selling an NFT, make sure you double check your list price – While this one sounds like a no-brainer, a simple extra ‘0’ or decimal can make the difference between a profit or loss of thousands, if not hundreds of thousands of dollars!
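To make the ‘authentic website’ check above repeatable, the following added Python example (not part of the original article or any Valor tool) compares a link against a short trusted list built from the sites named above and flags common imitation tricks. The sample URLs, the two-label domain rule, and the small look-alike character map are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Sites named in the article; replace with the marketplaces you actually use.
TRUSTED = {"opensea.io", "rarible.com", "etherscan.io"}

# Constructed, deliberately small map of look-alike characters (digits and a
# few Cyrillic letters); a real deployment would use a full confusables table.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0456": "i",
})


def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Assumption: the last two labels are the registrable domain (.io, .com)."""
    return ".".join(host.split(".")[-2:])


def decode_idn(host):
    """Turn punycode labels (xn--...) back into the characters a user sees."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def check_url(url):
    """Return (verdict, reason); verdict is trusted, lookalike, unknown or reject."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".")
        shown = decode_idn(host)
    except ValueError:  # also covers UnicodeError from a bad punycode label
        return "reject", "malformed URL or host name"
    if parts.scheme != "https" or not host:
        return "reject", "not an https URL"
    trusted = registrable(host) in TRUSTED
    if parts.username is not None and not trusted:
        return "lookalike", "the real host is the part after '@'"
    if trusted:
        return "trusted", registrable(host)
    skeleton = shown.translate(CONFUSABLES)
    if registrable(skeleton) in TRUSTED:
        return "lookalike", "look-alike characters imitate " + registrable(skeleton)
    for name in sorted(TRUSTED):
        if name in skeleton:
            return "lookalike", name + " is embedded in a different host name"
        if edit_distance(registrable(skeleton), name) <= 2:
            return "lookalike", "within two edits of " + name
    return "unknown", "not on the trusted list"


# Constructed sample links; the .example hosts are placeholders.
SAMPLES = [
    "https://opensea.io/collection/x",
    "https://opensea.io@wallet-connect.example/mint",
    "https://opensea.io.claim-drop.example/",
    "https://rarib1e.com/",
    "https://opensae.io/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(link, "->", check_url(link))
```

A ‘trusted’ verdict only confirms the domain name; the certificate and listing checks described above still apply.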

Article References: Global News Wire [1], Sports Pro Media, Sports Techie ¾, BBC [5], Reuters, Inc 42 [7], The Crypto Times [8]

The Valor Team looks forward to providing continual insights relevant to your industry.  For other tips and tricks in staying cyber informed, please visit our website at www.valor-cybersecurity.com

Authored By Jeff White, Chief Security Officer

The Private Equity Digital Threat Landscape and How Leaders Can Address It

Like other critical economic sectors, Private Equity Firms and their portfolio companies are increasingly facing digital threats. Whether this threat originates from organized criminal enterprises, disgruntled employees, or even careless vendor protections, digital risk stands to significantly impact business operations. Firms that fail to proactively prepare for the cyber threats of today face profound reputational risks and financial losses, whether internally or through their portfolio companies.

With regulatory bodies such as the SEC now requiring enhanced cybersecurity protections, proactive efforts by senior leadership and boards to combat these threats should be seen not only as good business practice, but also as a legal necessity.

With all this in mind, you are probably asking yourself: what are the real threats to my business, and should I be more selective in the vendors I’m doing business with? With budget on your mind, you’re also likely wondering how to effectively prepare without breaking the bank.

We will explore the answers to your burning questions in this Valor Insight.

What are the real business threats to Private Equity and Venture Capital Firms?

Beyond direct losses in the form of funds, data, or intellectual property, firms that fail to protect their trusted investments and their customers’ best interests face potential lawsuits, fines, and damage to their brand. In addition, impacted firms may be the focus of follow-on attacks if bad actors determine that their actions are profitable enough.

Combined with the pandemic and ongoing economic lockdowns, many corporations have been forced to pivot to a work-from-home operating model, one which has significantly increased cyber risk and associated attacks on valued data and digital infrastructure. In a recent poll conducted by the security news organization Threatpost [1], a reported 40% of corporations saw a rise in cyber incidents as they shifted to a remote workforce. These cyber incidents typically fall into the following business risk categories:

  1. Ransomware: The attacker steals and holds data or systems, until a payment is received.
  2. Third Party / Vendor Risk: The attacker typically targets lax vendor security measures, and is thus able to access an organization’s critical systems and data.
  3. Insider Threat: A company insider, typically an employee or contractor, steals valuable company information and monetizes this for their own benefit.
  4. Business Email Compromise: The attackers leverage existing employee email accounts to attempt to intrude on the trust within an organization’s operations. These attacks typically result in moderate to significant losses resulting from unauthorized financial transactions.
  5. Failed Compliance Fines: Fees associated with non-compliance which could negatively impact the company’s financial position.

Portfolio companies must consider that ineffective or lacking Information Security will make them less attractive to potential buyers or investors. This impact can not only decrease the value of a private equity firm’s investment but can also tarnish the firm’s reputation and negatively impact future fundraising efforts. Ultimately, the proactive resources invested today to enhance company cybersecurity will pay dividends in the long run.

A strong commitment to data and digital security starts at the top and requires significant buy-in from key stakeholders. While some private equity firms have been slow to adjust their focus beyond the traditional valuation metrics of companies within their portfolios, there is a shifting awareness of the need to understand and address cybersecurity risk across their organization.

Despite this growing recognition, the private equity industry has lacked a practical approach to address the cybersecurity issues and concerns of their portfolio companies. The reality is that formulating a tailored cybersecurity strategy for each company in a portfolio is an inefficient prospect, one that would saddle the companies as well as the private equity firm with undue investment in time and costs. While the typical firm’s approach is to focus cybersecurity efforts on its most highly valued investments, lower-valuation companies may pose the greatest risk.

With constrained resources and a focus on building the business, portfolio companies may not consider vendor risk a priority. As such, it is in a firm’s best interest to quantify the third-party risk profile of investing in portfolio companies. Portfolio risk management and vendor due diligence must continuously be considered a top priority for leaders in the private equity space going forward.

So, what vendors should a firm be worried about? We take a deeper dive into vendor selection and associated risks in the section below:

“Private equity firms that fail to do cybersecurity due diligence on their portfolio companies are at a significant disadvantage, both from a compliance and competitive standpoint.”

What vendors should PE/VC firms be concerned about and why?

The best approach for managing vendor risk is to identify critical and non-critical vendors. While all vendors may play a meaningful role, prioritized focus should be given to those critical to business operations. Firms should routinely assess critical vendors to ensure that they remain good stewards of the firm’s data and to understand how they will respond in the event of an outage or cyber-attack. Below, we have identified key vendor dependencies that we are consistently seeing in the private equity space, as well as how these are utilized to execute targeted attacks.

Email and Productivity Tools

No other tools expose organizations to as much opportunity risk as productivity platforms such as Microsoft 365, Google Suite (GSuite) and others. Firms rely on toolkits like spreadsheets (Excel / Google Sheets), PowerPoint Presentations, and Word Processing Software to collaborate, innovate and close deals.  

Attackers are commonly using phishing campaigns to get users to log in to fake Microsoft websites. This may be in the form of ‘password reset’ emails or text messages to smartphones. The ultimate goal is to compromise the user account and gain unauthorized access. With hundreds if not thousands of emails flowing through mailboxes, the opportunities for stealing information and extending phishing campaigns become endless.

Another common attack we are seeing is ‘Malicious Macros’, whereby a user is sent what appears to be a benign Microsoft file (e.g., a Word document). The user opens the file, and it runs a series of malicious commands, all hidden from the user’s screen. This typically results in the installation of malware, which can steal your computer files, monitor your web browsing history, or even worse, record your keystrokes. There’s good news, however: Microsoft typically enables Macro Protections against attacks such as these, so make sure to keep your Office software up to date!

Finance/accounting + portfolio management

As with all companies, PE firms use software tools, such as AllVue, to track their finances and accounting. Because their finances are closely tied to those of their portfolio companies, firms will often use a package that combines portfolio management and reporting with its own finance/accounting.

Typically, we see more focused phishing attacks against these platforms, targeted at business executives, commonly known as ‘Spear Phishing’. The primary goal is to gain access to user accounts, such as those of senior accounting leads, who have higher-level access to financial documents.

Investor portal

Most PE firms will have an online portal set up for their LPs / investors to send secure messages, access important investment information and get timely notifications.

Investor portals are commonly used for Business Email Compromise Attempts, with the goal to disrupt the integrity of communications, so that unauthorized financial transactions may be made. Access may be obtained through several measures, but is commonly sourced through Phishing Campaigns.

3rd party databases

Most PE firms lean heavily on data from subscription databases. Sites like CapIQ and PitchBook provide data on recent financial transactions and funding, which helps the firms establish comps and get a sense for movement in the market.

These 3rd party databases are targeted through a variety of methods. To stay out of the technical weeds, attackers typically target vulnerable code to gain access and steal data. Once the integrity of this data is ‘broken’, firms can no longer rely upon the information to make informed business decisions.

Deal & Relationship Management

Most PE firms also use a system to keep track of the opportunities for investment that they’re evaluating. Common solutions include a custom Excel sheet or a more traditional Customer Relationship Manager (CRM) like Salesforce.

Because many of these operate on complex databases, Deal and Relationship Management systems are targeted like other subscription software. These platforms are ripe for stealing internal firm data as well as customer data. Personal contact information taken from these platforms can be instantly sold on Dark Web forums or given to competitors to gain a competitive edge.

How can PE/VC firms effectively protect themselves and their investment portfolio?

At a time when cybercrime is growing at an unprecedented rate, private equity firms need to illustrate that they are proactively governing their portfolio companies to meet the evolving risk landscape. This requires a holistic approach, whereby people, processes, and technologies are assessed to determine existing cybersecurity proficiency. Gaps in cybersecurity knowledge and protections of critical data should be addressed with an action-based and prioritized strategy to reduce risk to investments.

Firm executives must lead the charge on building and fostering a strong security culture, starting from the top down: a culture that promotes consistent conversations across leadership on how the organization is tackling business and connected technology risk. By taking steps to drive these initiatives forward, firms will demonstrate to investors and partners that they are committed to securing trusted relationships now and into the future. Thus positioning

In the section below, we have highlighted actions that firms of all sizes can implement to better secure their connected ecosystem and business.

  • Establish an Information Security Policy: Outlining how the organization is addressing digital and IT-related risks.
  • Identify critical systems: Document those systems, vendors, and data which are critical to the core of your business operations. Typically, these systems are productivity tools, Customer Relationship Manager (CRM) Tools, and Financial/Accounting platforms.
  • Control access to critical systems and software: Individuals’ access to critical systems should be continuously reviewed to ensure that it aligns with their business role within the organization. Under what is commonly known as the ‘Principle of Least Privilege’, individuals should only be given access to the data, systems, and files necessary to successfully perform their role within the organization. We have typically seen individuals change roles within an organization while access to files and folders related to their previous role(s) remains in place.
  • Security Awareness Training: To address how bad actors continue to evolve their attacks, security training should be completed monthly. As an industry best practice, training should be aligned to threats targeting the specific industry vertical. For example,
  • Secure your email service and other critical services: Ensure that your critical communication and productivity services are configured properly and tested. Your business depends heavily on real-time data and system access; when a crisis hits, these relationships will propel you through.
  • Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption; this proactive planning will literally save you millions.
  • Back up your data: Back up your data within resilient infrastructure and test those backups frequently.
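The access review described under ‘Control access to critical systems and software’ can be run as a simple comparison; this is an added Python example, not code from the original article. The role names, entitlements, and both CSV exports are constructed for illustration, and the critical-system list follows the categories named above (productivity, CRM, finance/accounting).

```python
import csv
import io

# Constructed baseline: the entitlements each role needs to do its job.
ROLE_BASELINE = {
    "deal_associate": {"crm:read", "crm:write", "mail:user"},
    "fund_accountant": {"finance:read", "finance:post", "mail:user"},
    "investor_relations": {"portal:admin", "crm:read", "mail:user"},
}
CRITICAL_SYSTEMS = {"finance", "crm", "mail"}

# Constructed HR export: current role and earlier roles (semicolon separated).
HR_CSV = """user,current_role,previous_roles
avery,investor_relations,fund_accountant
blake,deal_associate,
casey,fund_accountant,deal_associate;investor_relations
"""

# Constructed export of what each account can actually do today.
GRANTS_CSV = """user,entitlement
avery,portal:admin
avery,crm:read
avery,mail:user
avery,finance:post
avery,finance:read
blake,crm:read
blake,crm:write
blake,mail:user
blake,finance:read
casey,finance:read
casey,finance:post
casey,mail:user
casey,portal:admin
dana,crm:write
"""


def review_access(hr_csv, grants_csv, baseline=ROLE_BASELINE):
    """List grants that exceed the holder's current role, critical systems first."""
    people = {}
    for row in csv.DictReader(io.StringIO(hr_csv)):
        previous = [r for r in row["previous_roles"].split(";") if r]
        people[row["user"]] = (row["current_role"], previous)

    findings = []
    for row in csv.DictReader(io.StringIO(grants_csv)):
        user, entitlement = row["user"], row["entitlement"]
        finding = {
            "user": user,
            "entitlement": entitlement,
            "critical": entitlement.split(":")[0] in CRITICAL_SYSTEMS,
            "from_roles": [],
        }
        if user not in people:
            finding["kind"] = "orphaned"        # account with no HR record
        else:
            role, previous = people[user]
            if entitlement in baseline.get(role, set()):
                continue                         # justified by the current role
            finding["from_roles"] = [
                p for p in previous if entitlement in baseline.get(p, set())
            ]
            # "stale": explained only by a role the person no longer holds.
            finding["kind"] = "stale" if finding["from_roles"] else "unexplained"
        findings.append(finding)

    findings.sort(key=lambda f: (not f["critical"], f["user"], f["entitlement"]))
    return findings


if __name__ == "__main__":
    for f in review_access(HR_CSV, GRANTS_CSV):
        print(f)
```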

Firms should consider their individual needs, size, and business locations when comparing backup options. It is valuable to know that data storage facilities/services are not typically one size fits all, and costs may vary.  

The Valor Team looks forward to providing continual insights relevant to your industry.  For other tips and tricks in staying cyber informed, please visit our Expert Cybersecurity Valor Insights page at Insights – Valor Cybersecurity

Professional Sports Front Offices And Sports Agencies Are Using Cybersecurity As A Competitive Advantage, You Can Too

From a Major League Baseball scouting director using a cyberattack to break into a competitor’s records, to an NBA franchise being compromised in a phishing scheme, U.S. professional sports leagues are waking up to the fact that cybersecurity is no longer just a problem for the government or tech firms—it has now reached into the playing field, locker room, and boardroom.

In this Valor Insight, we break down how the four major U.S. professional sports leagues—Major League Baseball, the National Football League, the National Basketball Association, and the National Hockey League—are currently protecting themselves from the cyber risks that threaten the competitive integrity of their games, and detail ways in which the leagues could do more to proactively mitigate their cyber risk.

Unfortunately, the leagues’ efforts to safeguard the competitive integrity of their sporting competition from these threats have been relatively slow to develop.  Rather than formulate league-wide cybersecurity standards, U.S. leagues appear to largely defer to their teams to protect themselves from cyber intrusions.  Meanwhile, the leagues have also failed to enact specific rules to deter their teams from targeting one another in cyberattacks.  At the same time, the existing academic literature has completely overlooked the industry, and failed to analyze the unique cyber risks that these high-visibility leagues and franchises face.   

The common themes we see when conducting cyber threat assessments in this space are: 

  • Data Overload: Players, coaches and equipment are creating gigabytes of data per second, which is sent back to the front office to make informed decisions. If that data is altered or stolen, the team’s reputation and decision-making ability could be at severe risk.
  • Connected Everything: From third party vendors at stadiums, to connected lights, to cloud-based security systems, credit card machines, and millions of lives in the hands of the venue, everything across the professional sports landscape is connected to the internet today.
  • Single Points of Failure: Many teams have that one system within which everything important about their players is exchanged. Whatever that one system is for your team, that is what we call a single point of failure from a cybersecurity standpoint. It is the system that attackers will be on the lookout for and the one that we recommend you protect most.
  • Not Enough Focus on Connected Devices: Many of the teams we work with are incredible at physical security but often lack the expertise or resources to tie it together with cybersecurity. We strongly encourage teams to leverage their physical security strategies and converge them with sound cybersecurity practices and capabilities.

The Unique Cyber Threat Landscape Under The Lights

It is no secret that the cost of cyberattacks on both the public and private sectors is mounting. According to a recent National Bureau of Economic Research report, large companies that are victims of a cyberattack in which customers’ personal data are compromised realize an approximately 1.1 percent loss in market value and a 3.4 percentage point drop in sales growth. These statistics are sobering, given attackers’ frequent success in penetrating even the most guarded corporate networks. One recent example of this all too familiar phenomenon was the alleged Chinese government hacking of a U.S. Navy contractor charged with developing a top-secret supersonic missile.

In fact, one leading cybersecurity scholar has reported that “[n]inety-seven percent of Fortune 500 companies have been hacked . . . and likely the other [three] percent have too, they just don’t know it.”   

Three trends are making it much more difficult for sports organizations of all sizes to mitigate the array of cyber risks they face:  

The evolution of the “Internet of Everything” (IoT): With the explosion of connected devices in our businesses and our homes, we are seeing rapid expansion of the cyber threat surface for organizations and of the available doors for attackers to come through. IoT vulnerabilities can cause widespread supply chain disruptions, such as when they are utilized to spread ransomware attacks. This occurred during the WannaCry and later NotPetya attacks, which impacted more than 7,000 firms globally and cost the shipping giant Maersk more than $200 million. These IoT vulnerabilities can, in turn, help fuel the theft of invaluable trade secrets, which are the lifeblood of major Fortune 500 firms as well as the professional sports industry. Sports teams are increasingly relying on IoT applications to track their players’ movements, training, and dietary regimens.

The difficulty of protecting trade secrets in such an interconnected digital ecosystem: Any potential cyber intrusion against a professional sports team operating in the United States would potentially run afoul of several existing laws, such as the Computer Fraud and Abuse Act (CFAA) and the Economic Espionage Act (EEA) or Uniform Trade Secrets Act (UTSA) and the Defend Trade Secrets Act (DTSA). We often see these attacks being covered up in expert fashion, which makes these post-incident actions difficult to defend against from a legal standpoint.

The proliferation of threats to critical infrastructure, including public facilities: Many critical infrastructure sectors in the U.S. boast an array of federal  and state regulations, given their vital status to national life—examples range from the North American Electric Reliability Corporation standards to the Health Insurance Portability and Accountability Act (HIPAA)—but, as we will see below, professional sports leagues have long enjoyed a special status in which policymakers have allowed leeway to self-regulate. The question going forward is whether this should continue in light of the serious cyber risks facing these organizations, their players, staffs, and fans. 

Each of these trends is analyzed below in turn to provide context for these debates before focusing on the specific issues confronting the U.S. professional sports industry.

“Professional sports teams that fail to evolve their cybersecurity practices with the recent threat landscape are at a significant disadvantage, both from an IT and on-the-field standpoint.” 

How could Front Offices be better prepared?

The best approach for managing cyber risk is to develop an informed perspective by way of a streamlined and manageable process that treats cyber risk the same as other types of risk, for example, financial risk, vendor risk, and legal risk.

Formal practices for managing cyber risk should align with other risk management and security approaches that are in place, where cyber risk is treated as just another risk.  

If you are in the professional sports business, we advise that you take the following actions: 

  • Document Single Points Of Failure: Document your critical systems, along with the processes and manual procedures to follow if your critical system(s) were to go down.
  • Understand Cyber Risks to Players and Operations: Identify your team’s most critical connected risks and address them with a reasonable plan. Take into account the cyber threats to your players; their reputation can be your most valuable asset.
  • Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption; this proactive planning will literally save you millions.
  • Back up your data: Back up your data within resilient infrastructure and test those backups frequently.  Not all backup and data storage facilities/services are created equal! 

As cyber threats continue to proliferate, anticipating and managing them at all front-office levels will remain vital during 2022 and beyond.  As recent events have proved, Professional Sports Teams are vulnerable on a variety of fronts, from their vendors and third-party suppliers to their players.  Taking steps now to ensure proactive protections and risk management practices can help reduce these risks and help ensure that the playing field remains competitive and your advantages stay under your roof.

The Valor Team looks forward to providing continual insight relevant to your industry.  For other tips and tricks in staying cyber informed, please visit our additional Valor Insights at Insights – Valor Cybersecurity

Why PE/VC General Partners Have Growing Concerns Around Cybersecurity and What They Can Do About It

Cyber crime has skyrocketed in recent years and several corporate giants have endured catastrophic breach events.  Cyber attacks targeting behemoths like Target, Home Depot and TalkTalk have triggered a contagion effect that impacts organizations spanning all industries, regardless of scope,

Authors: Greg Tomchick, Partner, C|CISO; Jeff White, Chief Security Officer, CMMC-RP 

Many small and mid-sized financial firms (wrongly) consider themselves too small to be of interest to cyber criminals and choose to ignore the threat, leaving them open to attack. 

Private equity firms are particularly vulnerable as most operate with small cybersecurity budgets and limited IT staff.  However, recent news headlines have emphasized the real risk that all firms face.  It is not surprising, therefore, that the whole financial industry is coming under increased pressure from governing authorities to do something concrete about it, especially with the Russia-Ukraine developments, cryptocurrency surges, and investment at an all-time high.

Regulatory associations – among them the US Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE), the Financial Industry Regulatory Authority (FINRA) and the UK’s Financial Conduct Authority (FCA) – have already delivered detailed reports exposing how unprepared and ill equipped firms currently are to defend against threats.

In these reports, the authorities have also set out their expectations on the benchmarks, measures and procedures that firms need to implement in order to identify, prevent and respond to possible future attacks.  As regulatory associations work to fully define and outline these expectations, it is essential that firms gain an understanding of governance analysis to better prepare themselves for the continuous program and posture evaluation and audits that lie ahead to demonstrate their efficacy.  

As a leading cybersecurity advisor in the Private Equity and Venture Capital industry, Valor continuously aligns with the regulatory associations driving change and remains committed to delivering essential services to help firms in the sector stay ahead of governance requirements.

As we continue to work with our partners to protect their businesses from cyber threats, we notice three main trends: 

  1. The absence of current cybersecurity programs.
  2. Unmonitored and unsecure data environments, applications and devices.
  3. Lack of the requisite expertise among staff to develop effective cybersecurity protocols

There Is A Shift Taking Place

In the private equity (PE) space, cyber risk and threat awareness among General Partners (GPs) is on the rise.  A strong driver of this shift is Limited Partners (LPs), who want a better understanding of how firms are securing their own environments and also how firms are addressing cyber risks with their portfolio companies. 

In November 2021, the Institutional Limited Partners Association (ILPA), a global organization dedicated to supporting the interests of limited partners, issued a new standardized due diligence questionnaire (DDQ) with added cybersecurity components. 

According to the ILPA website, the purpose of the revised DDQ is “to standardize the key areas of inquiry posed by investors during their diligence of managers.”  A primary area of concern is PE firms’ cybersecurity policies and procedures. 

Such due diligence is crucial in the PE space.  

“Private equity firms that fail to do cybersecurity due diligence on their portfolio companies are at a significant disadvantage, both from a compliance and competitive standpoint.”

How could General Partners be better prepared?

The best approach for managing cyber risk is to develop an informed perspective by way of a streamlined and manageable process that treats cyber risk the same as other types of risk, for example, market risk, counterparty risk, and legal risk.

Formal practices for managing cyber risk should align with other risk management approaches that are in place, where cyber risk is treated as just another risk. The SEC has encouraged developing a “reasonably” designed approach to managing cyber risk, such as one that reflects the following characteristics: 

  • Informed – supports and promotes an awareness of today’s cyber risks, including regulatory and legal considerations.
  • Manageable – risk evaluation is performed in a manner that is manageable, does not overwhelm the business, and does not negatively impact day-to-day operations.
  • Digestible – reporting is generated “in plain English” that can easily be consumed by a firm’s risk leads, including COOs, deal teams, and boards of directors.
  • Actionable – reporting is clear and includes reasonable next steps to address key identified cyber risks.

Should a PE firm or one of its portfolio companies be impacted by a serious cybersecurity event, the reputation of the firm among investors, regulators, and other stakeholders may be on the line. 

We advise that you take the following actions: 

  • Establish an Information Security Policy: Outline how the organization plans to and is currently addressing cyber and IT-related risks.  
  • Secure your email service and other critical services: Ensure that your critical communication and productivity services are configured properly and tested.  Your business depends heavily on real-time data and system access; when a crisis hits, these relationships will propel you through.
  • Document an Incident Response Plan: Ensure your organization and its leaders know how you will respond to a cyber incident or IT disruption; this proactive planning will literally save you millions.
  • Back up your data: Back up your data within resilient infrastructure and test those backups frequently.  Not all backup and data storage facilities/services are created equal! 

As cyber threats continue to proliferate, anticipating and managing them at all organizational levels will remain vital during 2022 and beyond.  As recent events have proved, PE firms are vulnerable on a variety of fronts, from their vendors and third-party suppliers to their portfolio companies.  Taking steps now to ensure proactive protections and risk management practices can help reduce these risks and help ensure that portfolio companies generate profits—not headaches—for PE firms. 

The Valor Team looks forward to providing continual insights relevant to your industry. For other tips and tricks on staying cyber informed, please visit our additional Valor Insights at Insights – Valor Cybersecurity

The San Francisco 49ers Football Team Make Superbowl Headlines, But Not As A Contender

Despite the San Francisco 49ers not making it to the big game this year, they still made Superbowl headlines. On Sunday, February 13th, the 49ers front office confirmed that they were the latest victim of a BlackByte ransomware attack.

While not confirmed by the football club until February 13th, the cyber-attack reportedly took place one day prior based on BlackByte’s online postings.  On February 12th, BlackByte took to underground (Darknet) Ransomware Forums claiming to have stolen financial data from the team’s servers. The group posted what appeared to be approximately 300 MB of team documents from a folder called ‘2020 Invoices’.

Author: Greg Tomchick, Managing Partner, CCISO & Jeff White, Chief Security Officer, CMMC-RP

Ransomware groups, like BlackByte, typically post some evidence of the successful compromise. It should be noted however, that this advertised data may not represent the true extent of the attack, in terms of the amount of data theft.

Since the incident, neither the 49ers nor the perpetrators have made any public mention of a ransom payment. Following the attack, the 49ers did disclose that they incurred a temporary disruption to parts of their network, but said that the threat actors failed to impact stadium operations, ticket operations, and ticket holder information.

Some security experts believe that the attack was a means for BlackByte to attain mainstream credibility, pulling off an attack to make headline news.

The 49ers have yet to release an updated statement regarding the full impact of the Ransomware.  The incident remains under investigation by external support parties and law enforcement. We will update this article as we learn more.

BlackByte Analysis and Potential Motivators

This attack came to light just two days after the FBI and U.S. Secret Service issued a joint cyber advisory on the BlackByte Ransomware Group. Law enforcement sources warned that BlackByte had “compromised multiple US and foreign businesses, including entities in at least three US critical infrastructure sectors” since November 2021.

Ransomware gangs have continued to cause widespread havoc to a variety of businesses over the last year.  High-profile attacks ranging from the world’s largest meat-packing company to the biggest U.S. fuel pipeline, have led to significant financial impacts, supply chain and operational disruptions.  Despite Western Governments pledging to crack down on cyber criminals, their efforts have yet to fully disrupt the activities of Ransomware actors. 

Like similar ransomware gangs, BlackByte operates under a subscription model known as ‘Ransomware as a Service’ (RaaS). RaaS allows affiliates to enter into an agreement with ransomware operators to use their prebuilt tools and platforms to launch attacks against targets, typically in return for a profit share of the ransom. The presence of BlackByte first became known in approximately July of 2021. The group typically operates in a ‘Double Extortion’ fashion, where compromised data is encrypted and, unless a defined ransom is paid (typically in a form of cryptocurrency), the organization’s data is offered to the highest bidder. Ransom notes are left by the threat actor in the encrypted directory, identifying the steps that must be taken to decrypt the business’s data. Interestingly enough, BlackByte and other notable ransomware groups offer email support and calling hotlines to support and expedite their victims’ payments. BlackByte’s typical attack methodology is to exploit a set of vulnerabilities in Microsoft Exchange known as ‘ProxyShell’.

For technical reference, the three vulnerabilities successfully used by BlackByte to gain internal access have been listed below along with their assigned ‘CVE’ (Common Vulnerabilities and Exposures) numbers. Links to patch information have been provided for each vulnerability, with the accompanying ‘KB’ (Knowledge Base) number.

Steps to protect your business

To minimize your business’s exposure to Ransomware Attacks, general security guidance has been provided below:

  • Patch Management: Keep systems and applications patched with the latest security updates, with a prioritized focus on those critical to business operations.
  • Critical Data System Protection: Restrict sensitive organizational data to specific servers/systems, with enhanced security controls/monitoring around these systems. Ensure that these systems are remotely accessible.  When possible, restrict local system downloads of any sensitive organizational information. For example, users are able to download employee rosters to their local machines from Microsoft 365.
  • Network Segmentation:  Create separate communication networks for internal and external devices (to include any guest devices).  This practice is commonly referred to as ‘network segmentation’. Ensure that critical data systems and those systems accessing them are assigned to a specified network segment(s).  Closely restrict access and monitor activities on these systems.
  • Access Control: Enforce the principle of least privilege security, by providing all users the least amount of access to systems/applications necessary to perform their job duties. Ensure Multi-Factor (MFA) authentication is turned on for all applications.  In alignment with best practice, remove any local administrative accounts, where applicable.
  • Protection of Virtual Machines: In alignment with security best practice, do not expose any corporate virtual machine (such as Citrix), directly to the internet.
  • Perform Regular Back-ups: Ensure regular data backups are performed, with a prioritized focus on critical data systems/applications. Backups should be tested once a month to ensure that they operate as intended and that the backup plan is in place and tested periodically.
    • Establish Backup and Recovery Plan: Document procedures to execute backup/recovery efforts, and any lessons learned from previous backup test exercises. Ensure that all key stakeholders (internal and external) involved in backup activities are identified along with corresponding roles/responsibilities and contact information.
  • User Awareness Training: Establish a formalized cybersecurity education and awareness program. Provide all users with training modules to educate them on what cyber threats may look like, and steps they can take to protect your organization.  Continue to engage in discussions with team members, on why cybersecurity is important for the growth and success of everyone.
    • Phishing Exercises: In concert with formal training modules, users should be tested on lessons learned through phishing simulation exercises. This will allow the organization to have a better understanding of the effectiveness of training content, and to further prevent malicious activities from occurring. It is important to note that any follow-up training from these exercises, should be non-punitive when possible. This will enable the organization to continue to have security advocates now and into the future.

The Valor Team looks forward to providing additional updates on this incident. We look forward to helping you and your organization avoid being a victim of cybercrime. Stay tuned!

For other tips and tricks in staying cyber informed, please visit our additional Valor Insights at Insights – Valor Cybersecurity

Log4J: What you should know and how you can proactively protect your business

On Friday November 10, 2021, a critical vulnerability was publicly disclosed in the Java-based logging library, Log4J. Also known as ‘Log4Shell’, this vulnerability enables a threat actor to perform Remote Code Execution (RCE) across a slew of connected devices ranging from computers, home and enterprise routers, VPNs, Internet of Things/smart devices (IoT), and web servers.

Author: Jeff White, Chief Security Officer, CMMC-RP

For context, this vulnerability has been assigned a criticality rating of ‘10’, the highest score on an industry-recognized vulnerability scale. Remote Code Execution essentially allows an attacker to perform malicious commands, without authentication (login), on an internet-connected device. To put this in perspective, the flaw requires minimal technical prowess. It can be exploited simply by running one command against an internet-connected and Log4J-vulnerable device.

What makes this vulnerability even more troubling is that Log4J has been used for years in some of the best-selling consumer products. Some of the world’s biggest companies have used some flavor of Log4J to include the likes of Microsoft, Amazon, and Apple.  In fact, it has been reported that some 3 billion connected devices currently use a version of Java.  

While the full scale and impact of this vulnerability has yet to be determined, it is currently being exploited ‘in the wild’. Both stateside and state sponsored actors are currently scanning network devices, in an effort to locate unpatched systems. Publicly available web sites such as Shodan.io, have helped attackers and threat groups identify these vulnerable network resources. It’s important to note that secondary cyber-attacks can be launched following initial exploit of Log4J including but not limited to installation of crypto currency mining malware, data exfiltration, and potentially even ransomware.  

Are you impacted? Steps you can take to reduce your business risk.

If any of your systems are currently running Log4J versions 2.0 – 2.14.1, you are vulnerable to this Log4J exploit. Apache, however, has since reported that this issue has been resolved in updated version 2.15, which is currently available for download at the Apache website link below:

 https://logging.apache.org/log4j/2.x/security.html   

The following is provided as general guidance in mitigating the Log4J Vulnerability, and related risk to your organization:  

  • It is recommended that organizations first update all web facing applications and systems to the latest version of Log4J (Version 2.15).
  • If possible, organizations should block external access to applications until they can be patched. Organizations should then perform a full inventory and fix/patch of any remaining internal systems impacted by the above.
  • In addition, it is recommended that organizations also implement a Web Application Firewall (WAF) if possible, for additional monitoring capabilities.
  • If your organization can afford a dedicated Managed Security Service Provider, or MSSP, it is highly recommended to engage one. While Valor remains vendor agnostic, partnering with the right MSSP will provide layered insight into those threats/bad actors actively targeting your network.
  • While vendors are working diligently to address this, it is recommended that organizations stay up to date with 3rd party responses. Typically, vendors will send emails on how and to what extent customers may be impacted by this, and other security vulnerabilities. Customers may also check vendor blog updates for similar information.
  • If you have an existing Security/Threat Intelligence Provider, you may also receive direct vulnerability-related correspondence from a Customer Success Manager.
  • While information continues to be released on this critical vulnerability, organizations should continue to update all endpoints, and network connected devices whenever possible.   

For further technical information regarding this vulnerability, please visit MITRE’s CVE-2021-44228 at the link below:  

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228 

Please also visit U.S. Cybersecurity and Infrastructure Security Agency (U.S. CISA) for the latest updates and actionable guidance, as more information becomes available. Through ongoing public-private partnership, U.S. CISA provides community sharing initiatives to help businesses secure and defend against the ongoing cyber threat.   

https://www.cisa.gov/news/2021/12/11/statement-cisa-director-easterly-log4j-vulnerability (CISA Director, Jen Easterly’s statement on Log4J)  

https://www.cisa.gov/uscert/ncas/current-activity (CISA Current List of Cyber Related Activity)  

https://www.cisa.gov/known-exploited-vulnerabilities-catalog (CISA Known Vulnerability Catalogue)  

 

Update: 12.30.2021

Since this article was initially posted, security researchers have continued to discover new vulnerabilities in the Java-based logging library known as Log4J. Previous industry and Apache guidance [1] was to update any known vulnerable versions of Log4J (including versions 2.0-beta9 through 2.15.0; except for update 2.12.2) to version 2.16.0.

Additional Log4J security loopholes have led Apache to issue further upgrades, the most recent being version 2.17.1. A summary of the vulnerabilities found in the previously updated Log4J versions 2.15.0 – 2.17.0 is provided below for reference:

  • Mitre CVE-2021-45046 – With a severity score of 9, this vulnerability in version 2.15.0, allows for potential information leak and remote code execution. Updated version 2.16.0, corrected this vulnerability.
  • Mitre CVE-2021-45105 – With a severity score of 5.9, this vulnerability in version 2.16.0, allows for potential Denial of Service (DoS) to an application. Updated version 2.17.0, corrected this vulnerability.
  • Mitre CVE-2021-4104 – With a severity score of 8.1, this vulnerability in version 2.17.0 allows for deserialization attacks. Updated version 2.17.1, corrected this vulnerability.

Actionable Steps your business can take to ensure the best protection:

  • It is recommended that organizations upgrade to the latest version of Log4J (Version 2.17.1), for all web-facing applications and systems. If possible, organizations should block external access to applications until they can be patched.
  • For Systems that cannot be patched, it is recommended to disconnect these systems from the network.
  • If possible, implement a Web Application Firewall (WAF) solution for further security/activity visibility into web application activities.
  • If not already in place, consider implementing a trusted managed security service provider to proactively monitor for network traffic anomalies and irregular system activity.
  • Ensure all endpoints (computers) and endpoint monitoring tools (e.g., Anti-Virus or EDR) are continuously updated to the latest versions.
  • Continue to monitor vendor statements and communications, for updates on how their products are addressing these vulnerabilities.
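The inventory and upgrade steps above can be scripted. The following is an added example, not code from Valor or Apache: it walks a directory for JAR/WAR/EAR files, reads the log4j-core version from the Maven `pom.properties` entry (including copies nested inside other archives), and buckets each version using only the ranges quoted in this article. The status labels, function names and sample files are assumptions made for illustration.

```python
import io
import re
import zipfile
from pathlib import Path

# Metadata entry present in Maven-built log4j-core JARs.
POM = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
ARCHIVES = (".jar", ".war", ".ear")

def classify(version_text):
    """Bucket a version string using only the ranges quoted in the article."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version_text or "")
    ver = tuple(int(g or 0) for g in m.groups()) if m else None
    if ver is None or ver[0] != 2:
        return "unknown"             # unparsable, or not a 2.x release
    if ver <= (2, 14, 1) and ver != (2, 12, 2):
        return "log4shell-range"     # 2.0 through 2.14.1 (CVE-2021-44228)
    return "upgrade-needed" if ver < (2, 17, 1) else "current"

def scan_archive(source, label):
    """Yield (location, version) per log4j-core copy, descending into nested archives."""
    try:
        zf = zipfile.ZipFile(source)
    except (zipfile.BadZipFile, OSError):
        return  # not a readable archive; skip it
    with zf:
        for name in zf.namelist():
            if name == POM:
                text = zf.read(name).decode("utf-8", "replace")
                m = re.search(r"^version=(.+)$", text, re.M)
                yield label, (m.group(1).strip() if m else None)
            elif name.lower().endswith(ARCHIVES):
                yield from scan_archive(io.BytesIO(zf.read(name)), f"{label}!{name}")

def inventory(root):
    """Return sorted (location, version, status) rows for every archive under root."""
    root, rows = Path(root), []
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVES:
            for where, ver in scan_archive(str(path), path.relative_to(root).as_posix()):
                rows.append((where, ver, classify(ver)))
    return sorted(rows, key=lambda row: row[0])

def build_sample(root):
    """Constructed sample tree (not real data): two plain JARs and a WAR with a nested JAR."""
    def jar(name, data):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(name, data)
        return buf.getvalue()
    def core(version):
        return jar(POM, f"version={version}\n")
    (Path(root) / "log4j-core-2.14.1.jar").write_bytes(core("2.14.1"))
    (Path(root) / "log4j-core-2.17.1.jar").write_bytes(core("2.17.1"))
    (Path(root) / "shop.war").write_bytes(jar("WEB-INF/lib/log4j-core-2.16.0.jar", core("2.16.0")))
```

Call `inventory()` on an application or server directory to get one row per copy found. Copies whose Maven metadata was stripped during repackaging are not reported, so an empty result is inconclusive rather than a clean bill of health.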

Additional Resources/Tools:

  • Valor recommends organizations continue to visit U.S. Cybersecurity and Infrastructure Security Agency (U.S. CISA) for ongoing actionable guidance, based on potential threats they are seeing.

https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance (CISA Guidance updated 12/28/2021)

  • Organizations may also visit the NIST National Vulnerability Database, which provides a list of known vulnerabilities and related technical details across impacted systems and applications. All vulnerabilities in the NVD are assigned a CVE (Common Vulnerabilities and Exposures) number for universal sharing purposes.

https://nvd.nist.gov/vuln

References: [1] https://logging.apache.org/log4j/2.x/security.html (Apache list of known vulnerabilities and fixes and Log4J Version 2.17.1 download)

If you found value out of this article, please check out our other Valor Insights for how you can protect your business.