What does it mean to “hack back” and is it a good idea?

There is more and more talk about companies hacking back against those who attack them in cyber space and whether allowing them to take such measures is a good idea. Right now, hacking back, or active defense, as it is often called, is illegal under the federal unauthorized access law, the Computer Fraud and Abuse Act. There are current federal efforts to change this, along with some woefully misguided rumblings by some state legislators (who do not seem to understand that the CFAA supersedes anything they pass to the contrary).

So, the question is whether hacking back a good idea or will it cause more harm than good? Shawn Tuma was a guest on the KLIF morning show to discuss this issue. Go here to listen to what he had to say about it.

What are your thoughts?

Can your company do business without its computer system? Let’s ask Atlanta!

Atlanta RansomwareIn the world of cybersecurity and data protection, we tend to think about most cyber incidents as being “data breaches” because that’s the term de jour that occupies news headlines. Because of this, far too many companies think that if they do not have valuable data that hackers would want to “breach,” so to speak, they do not need to be concerned about cybersecurity. While this is wrong on one level because all data has value to hackers, it is even more wrong on a much greater level.

There is a lot more to cybersecurity and data protection than just breaches of the confidentiality of data (i.e., “data breaches“). Hackers have shown a strong trend over the last couple of years of attacking the computer system itself and, as some call it, “bricking” company’s computers and/or data and demanding an extortion payment in exchange for their promise to honor their word and undo the damage (if they even can). This is the process underlying what is often called ransomware.

Do you see where I’m going with this? If not, let me see if I can simplify this process for you a bit with the question below: (1) If you still think your company does not have data that is valuable to hackers, and (2) You still think that means that your company does not need to focus on cybersecurity,

Can your company continue to do business if it is not able to use its computer system?

If you’ve seen the news today you see that the City of Atlanta has had many of its computer systems bricked by ransomware and those business operations that require the use of those systems are now shut down.

Now, let me ask you, “how many days can your company go without doing whatever it is that it does before it really begins to hurt?”

Still need more convincing? Ok, I addressed this issue in more detail in Chapter 5 of The #CyberAvengers Playbook (free to download) — go give it a read.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Down the Security Rabbithole Podcast #DtSR with Los and Tuma talking all things #cybersecurity

DtSR ImageThis week’s #DtSR Podcast featured Raf Los and guest Shawn Tuma talking about all things cybersecurity. Check out more of what was covered and listen to the podcast here!

Check out some of the past episodes with Tuma as a guest.

 

Share on social media and join in the discussion!

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Security Weekly guest Shawn Tuma discusses “what is reasonable cybersecurity?”

Share on social media and join in the discussion!

LinkedIn Post

 

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.

Marine corp data breach lesson: human error is often the cause and is preventable

There has been a data breach emanating from the U.S. Marine Corps Forces Reserve that impacted 21,426 individuals. The breach exposed their sensitive personal information such as truncated social security numbers, bank electronic funds transfer and bank routing numbers, truncated credit card information, mailing address, residential address and emergency contact information.

Calm down and press the pause button on the hysteria hype machine — it was not the Russians behind it! It was something far more treacherous when it comes to the real world of data breaches: it was human error.

In this case, it happened when an individual sent an email to the wrong email distribution list and the email was unencrypted and included an attachment that contained the personal information described above. You can read more about the breach here: Major data breach at Marine Forces Reserve impacts thousands

THE TAKEAWAY:  The important lesson to take away is that scenarios such as this are far more common than all of the super-sophisticated “hacking” type over-politicised stuff that we usually hear about through the media. This is the real world of data breach that most companies face far more often than they face state-sponsored espionage. In fact, research into actual data breaches reveals that 90% of all claims made on cyber insurance stemmed from some type of human error and, as reported by the highly reputable Online Trust Alliance, “in 2017, 93 percent of all breaches could have been avoided had simple steps been taken such as regularly updating software, blocking fake email messages using email authentication and training people to recognize phishing attacks.” The good news is this type of problem is preventable with some effort.

Below is a checklist of good cyber hygiene that, in reality, all companies should be doing these days. How do you make sure you’re doing it? You develop and implement a cyber risk management program that is tailor-made for your company and is continuously maturing to address the risks your company face — such as my CyberGard™ program.

______________________

Shawn Tuma (@shawnetuma) is an attorney with an internationally recognized reputation in cybersecurity, computer fraud, and data privacy law. He is a Cybersecurity & Data Privacy Attorney at Scheef & Stone, LLP, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, around the world.