ZeroPoint Risk Research, LLC

Security, Privacy and the Affordable Care Act: A Prescription for What Ails U.S.?

By MacDonnell Ulsch, CEO & Chief Analyst

On the subject of the Affordable Care Act (ACA) or Obamacare and protecting healthcare information, take no comfort in the words from the U.S. Department of Health and Human Services on the difficulties of implementation:  “Developing effective oversight strategies to prevent, detect, and correct any problems that occur is critical. The large number of new and complex program responsibilities under the ACA makes achieving these twin goals challenging.”  Challenging, indeed.

As I write this CyberBreach Situation Report, the Privacy Rights Clearing House reports that 616,417,491 electronic records in the U.S. have been breached since January 2005.  That’s roughly two breached records for every man, woman, and child in this country.  Then consider that these breaches are only the reported ones.  Many data breaches are never reported to regulators and entered into the public record.  I have personally worked on breach investigations that have not been reported to state and federal regulators because disclosure was not, for a variety of reasons, required.  In some cases, disclosure was required in foreign countries with stricter laws, but not in the U.S.  Here’s the uncomfortable truth: we don’t really know how many paper and electronic records have been breached.  This should disturb everyone.  And now, we are preparing to aggregate, electronically, perhaps the largest interactive data repository in the history of the nation—and we’re not prepared to protect these records.

Here are a few unsettling trends that pose a threat to all personal information records, including healthcare records:

1. The Office of the Inspector General of the U.S. Department of Health & Human Services has said that there was only a limited amount of time to test ACA security.  The August 2013 HHS report stated that “several critical tasks remain to be completed in a short period of time, such as the final independent testing of the Hub’s security controls, remediating security vulnerabilities identified during testing, and obtaining the security authorization decision for the Hub before opening the exchanges.”
2. Effective security and privacy are further complicated by the fact that both the federal government and the states must coordinate on all such issues, findings, vulnerabilities, remediation, and other factors.  History shows that security under such shared arrangements has fallen well short of acceptable.
3. Who are these “navigators,” those workers who have access to precious personal information?  What level of background checks did they receive?  Were they drug tested?  Have any committed felonies?  Who did the background checks and declared them employable and trustworthy?  Was it the same organization that assessed the integrity of Edward Snowden of NSA infamy?  How are they monitored?  Are they able to snap photos with their cell phones of on-screen personal information?  Do they have access to pen and paper so that they can write down information, including Social Security Numbers?  Are they under video surveillance to ensure protection against the insider threat?
4. The explosion of social media has led to numerous data breaches, many of them unreported.  Hackers troll social media sites as they develop profiles of social media users.  Company employees are targeted.  The use of weak, poorly constructed passwords has resulted in the acquisition of detailed information that is used in a variety of cyber attacks.
5. Mobile device proliferation and Bring Your Own Device (BYOD) options mean that more data is distributed across many more hardware units, from smartphones to tablets, often with less security.
6. Many security and privacy healthcare professionals freely admit that the healthcare industry information protection practices are approximately ten years behind the financial services industry.
7. Employees and budgets in many healthcare operations are being cut back due to uncertainties in the ACA.
8. Cyber attacks are increasing and the cost of breaches, according to a new Ponemon Institute study on the subject, is on the rise.
9. Cyber crime is escalating as information maintains its marketable value in transnational organized crime.
10. Compliance with U.S. federal and state information privacy laws is low, perhaps in the single digits according to some regulators.
11. U.S. government agencies have not fared well historically in passing information security tests.  In 2012, about 40 percent of agencies were out of compliance with the Domain Name System Security Extensions, or DNSSEC, a full two years after these agencies were required to comply.  DNSSEC was designed to protect certain applications against attack.
12. Cloud computing is a central theme in the U.S. government’s information technology strategy.  Given that a large number of companies are participating in the cloud initiative, there is much uncertainty in the security effectiveness of each participant.

When reminiscing about security and privacy in practice inside the federal government, think back to 2006.  This was the year of the Veterans Administration data breach.  A Veterans Affairs analyst had been taking home his government laptop for three years.  It was stolen from his house.  The laptop contained unencrypted information on more than 26 million veterans and their family members.  Due to delays in escalating the incident to the Veterans Affairs Secretary, several weeks passed before an investigation began in earnest.

This was a serious breach, including compromised names, Social Security Numbers, dates of birth, and some medical information.

The breach remains problematic.  In fact, seven years later, the government admits that it still does not know the full extent of the impact this breach will have, nor its cost.  The government estimates that the breach will ultimately cost between $100 million and $500 million to prevent and cover possible losses.  At half a billion dollars, this comes to less than $20 per name, a figure that seems suspiciously low, depending on record configuration.

Whether or not the ACA is good for the country is a political question.  But the security and privacy readiness of the highly complex ACA information management system is, at best, highly suspect, based on the compressed—and ultimately inadequate—testing timeframe.  At its worst, this is the beginning of an information integrity nightmare that could result in immense unanticipated cost associated with catastrophic data breaches.

Here’s what we do know.  Perhaps the most complex, complicated record management system is being launched without adequate security testing.  It is being launched by a government that has experienced serious failures of security testing in the past across multiple agencies.  This is occurring at a time of unprecedented cyber crime, and exacerbated by lightning-fast changes in technology and its cultural adaptation.  It comes at a time when external vendor breaches are also at an all-time high, and the number of external vendors hitching their stars to the ACA is legion.

And finally, this vast aggregation of data, and the staggering dimension of the information management system, is coming under the direct control of a federal agency that remains inadequate to the task of ensuring integrity.  It does not possess the technical infrastructure, capacity, headcount or budget to meaningfully monitor, audit and enforce the security and privacy provisions that are intended to protect the identities and personal information of those who assume their data will remain uncompromised.

Ulsch can be reached at or at 1.978.808.6526.

The Axis of Cyber Evil: A North Korean Case of Cyber Espionage

By MacDonnell Ulsch, CEO & Chief Analyst

China, Russia, Syria, Iran, and North Korea, long established cyber threats, are evolving into a post-Cold War axis of cyber evil, which is escalating in intensity and should be taken seriously by any entity, government or private sector, possessing valuable proprietary information.  The stakes are getting higher.

Let’s start with the Syrian Electronic Army, or SEA, thought by many to be funded by the Bashar Hafez al-Assad regime.  Until recently, the media and diplomatic focus on Syria has been on the deployment of deadly chemical weapons.  But now we are witness to cyber attacks on the institutions that have been critical of Assad and Syria: the New York Times, the BBC, the Qatar government, National Public Radio, even Al Jazeera.  The attacks resulted in various levels of cyber disruption, and are believed to have resulted from very sophisticated phishing attacks.

Iran has been engaged in attacking U.S. bank web sites for more than a year, creating operational disruption in the form of denial of service attacks, while demonstrating that U.S. targets are not, by any measure, immune.

China’s cyber attacks are well known, despite its diplomatic protestations.  Transnational organized crime is equally well established.  But North Korea’s recent attacks against South Korean targets are particularly interesting, because North Korea is an element of the axis of cyber evil.

The attacks, recently made public by anti-malware company Kaspersky Lab, are concerning for several reasons: first, because of the selection of attack targets and second, because of North Korea’s relationship with China.  The targets included the Sejong Institute, a South Korean think tank specializing in national security strategy and Korean unification.  This seems to be a clear case of political espionage.  The Korea Institute for Defense Analyses is a national security and defense quasi-governmental organization, so it, too, is an understandable target for North Korea, as is the South Korean Ministry of Unification.  One of the more intriguing espionage targets was South Korea’s Hyundai Merchant Marine Co. Ltd., part of the Hyundai Group, a diversified corporation.

While the other targets are logical, given North Korean unification and national security concerns, the Hyundai information theft may not be as immediately obvious.  It is true that North Korea maintains a merchant marine operation, yet it seems unlikely that this rogue nation-state would benefit substantially and directly from cyber espionage against Hyundai Merchant Marine.  South Korea ranks number eight in the global merchant marine market sector with 1,114 vessels.  North Korea, which is 34th in the world, maintains a fleet of only 150 vessels, many of which are said to be not seaworthy and reportedly do not stray far from home port.  To put this in perspective, Germany is ranked number one with 3,768 vessels.  It seems improbable that North Korea would steal information for its own competitive positioning, given its anemic economy, deficient fleet operational status, and its maritime scrutiny by many law-abiding nations.

What is more likely is that either (A) North Korea was hired by China to breach South Korean interests, with the political components of the breach perhaps providing strategic cover; (B) North Korea, acting independently, believed that it could sell the information to China; or (C) China launched the attack against South Korea but made it look like the attack originated with North Korea.

Geography plays a part in the cyber attack against South Korea.  Ten of the IP address ranges, according to Kaspersky, originated in the Jilin Province Network and the Liaoning Province Network.  Situated in the northeast region of China, Jilin and Liaoning are near the North Korean border, and near the Russian border.  The Internet Service Providers that serve the region are believed to maintain communication lines into parts of North Korea.

Once a center of heavy industry, with strong Russian, Chinese, and North Korean influence, this region of China, with a population exceeding 100 million, has not fared well economically.  Industry sectors include steel, automotive, shipbuilding, aircraft, petroleum, and manufacturing.  There are approximately a dozen key universities in the region, many of them with strong science and technology programs.

And here is the point: China has an aggressive revitalization plan that was developed by China’s National Development and Reform Commission (NDRC).  The NDRC economic development report, translated from Chinese, states that “China’s participation in international competition, the use of domestic and foreign resources and markets to accelerate the pace of expansion of trade … to create more opportunities” is part of its strategy.   The report also states that “economic development is not sufficient.”  However, there is a more direct link that suggests China is the beneficiary of the Hyundai information.

Citing that its “high tech industries [are] inadequate,” the report documents the need for China to significantly improve its “international level of shipbuilding …” and “accelerate the development of [its] high-tech industry.”  Perhaps most indicative of China’s involvement is its stated objective to pursue, as part of its regional economic strategy, an upgrade of its “logistics management, logistics and distribution facilities” and its “integrated logistics system in Northeast China.”  Of course, global integrated logistics is the business of Hyundai Merchant Marine, the South Korean espionage target.

Regardless of specifics—and we may never know exactly what occurred—it is obvious that North Korea has global reach.  It is also obvious that it has an important relationship with China.  Given China’s voracious appetite for an extraordinary range of information that it will use to fuel its global economic leadership, companies possessing intellectual property and trade secrets are at extreme risk.  And because most proprietary information is unregulated and is, therefore, not subject to basic protections, the risk of compromise is heightened.

This is not a call to regulate proprietary information.  But every audit and risk committee member of the board of directors, every CEO and General Counsel, should ask questions about the entity’s ability to protect the very information that is anticipated to contribute to the current and future corporate value.  This is not just a security problem.  This is an issue of critical corporate governance, clarity of mission, and long-term reputation and market competitiveness.  It is, equally, a national economic security imperative.

CyberBreach Situation Report – August 2013

By MacDonnell Ulsch, CEO & Chief Analyst

Liberty Reserve and Transnational Cyber Crime

“Cyber criminals should be reminded today that they are unable to hide behind the anonymity of the Internet to avoid regulated financial systems.” Steven G. Hughes, Special Agent in Charge of the U.S. Secret Service New York Field Office, in reference to the arrest of the defendants in the Liberty Reserve case.

In brief, digital currency exchange Liberty Reserve, based in Costa Rica, is alleged by U.S. law enforcement authorities to have laundered billions of dollars of criminal proceeds through an intricate transnational network of unregulated and unauthorized money transfer operations.

The Liberty Reserve case affected a number of U.S. companies that were targeted for a variety of web-related frauds.  These frauds included blackmail and extortion.  The U.S. Secret Service, the Department of Homeland Security, and the Internal Revenue Service executed arrest and search warrants in multiple countries, including Spain, Costa Rica, the Netherlands and the United States.  Assets of Liberty Reserve were frozen in Hong Kong, Spain, Morocco, and China.  Current and former executives of Liberty Reserve were charged with violating numerous anti-money-laundering statutes and operating as illegal money transmitters.

Liberty Reserve’s criminal conduct was as widespread as it was lucrative.  It had approximately one million users worldwide, with more than 200,000 users in the U.S.  It is estimated that Liberty Reserve processed more than 12 million financial transactions annually with a combined value of more than $1.4 billion.  According to the U.S. Secret Service, Liberty Reserve processed an estimated 55 million separate financial transactions in total and is believed to have laundered more than $6 billion in criminal proceeds.

A grand jury indictment filed in U.S. District Court, Southern District of New York, lays out a number of details about Liberty Reserve and the crimes it is alleged to have committed. The indictment describes in detail the financial frauds committed by Liberty Reserve defendants, including the development of a system of payments that allowed users to open accounts under false names in order to conceal criminal activity. Users could open these accounts with names such as “Russia Hackers” and “Hacker Account.”

“Liberty Reserve has emerged as one of the principal means by which cyber-criminals around the world distribute, store and launder the proceeds of their illegal activity,” according to the indictment filed in U.S. District Court for the Southern District of New York.

According to the Treasury Department, Liberty Reserve developed virtual currency that was used to anonymously buy and sell software designed to steal personal information and attack financial institutions. The hackers, who earlier this year stole $45 million from two Middle Eastern banks by hacking prepaid debit cards, used Liberty Reserve to distribute the illicit proceeds.

Although not noted in the indictment, some of the illicit financial proceeds handled by Liberty Reserve involved the theft and unauthorized use of corporate intellectual property by criminal networks around the world. The use of compromised intellectual property was involved in the commission of identity theft and financial fraud, through the deployment of scam web sites.

The web sites looked valid. And that’s the point. Because the web sites appeared to be authentic, potential investors and other high net-worth individuals and executives would visit the site and open an account “to receive additional information.” To open an informational account, the site visitor would simply create a logon ID and a password.

Unfortunately, many executives, when creating logon IDs and passwords, frequently default to using their business credentials for multiple applications, business and personal. When they opened an informational or transactional account on the fraudulent web sites, it only looked like their passwords were indecipherable. In reality, the criminals now possessed this valuable information.

One important lesson here.  Employees, no matter how low in the organization, or how senior, need to be extremely judicious in the use of their corporate email address.  You never really know where these often under-appreciated credentials will surface.  Creating solid, enforceable credential use policies—accompanied by ongoing awareness—can help keep cyber criminals from obtaining sensitive information.

One other important note. Hackers continuously attempt to develop active profiles on the employees of targeted companies. Some companies, fortunately, require employees to develop passwords that are sufficiently complex. However, employees often use much less sophisticated passwords when using social media. When employees use their corporate email addresses with weak social media passwords, they are inviting hacker profiling and exploitation. Manage the risk by managing the use of credentials.

© Copyright 2013. ZeroPoint Risk Research LLC. All rights reserved.

CyberBreach Situation Report – July 2013

By MacDonnell Ulsch, CEO & Chief Analyst

The NSA, Snowden and Third-Party Risk: Preliminary Lessons Learned

Remember this: Edward Snowden worked for a third-party vendor.  While it remains uncertain what exactly Mr. Snowden shared with other nations, we do know this: he wasn’t authorized to disclose classified information.  Some may believe he is a hero, others believe he is a villain.  It is clear, though, that his employer, consulting firm Booz Allen, is the recipient of unwanted publicity.  The company is one of the more prominent government contractors supplying personnel to the intelligence community.

It is also clear that the third-party background investigation firm that vetted Mr. Snowden is under examination.  Northern Virginia-based USIS, which advertises that it is “the leader in federal background investigations,” is on the hot seat.  U.S. Senator Claire McCaskill (D-Mo.) said during a Senate hearing in June that USIS is “under active criminal investigation.”

The Senator also noted that there appears to be “systemic failure to adequately conduct investigations under its contract.”  In a statement that should resonate with every company engaging with third-party background investigation services, Sen. McCaskill commented that this should serve as “a reminder that background investigations can have real consequences for our national security.”  The problem extends to companies outside of the Washington Beltway and the defense and intelligence arena.

While it is unlikely that third-party employee behavior will rise to the level of policy violation exhibited by Mr. Snowden, it doesn’t have to in order to compromise information integrity, breach corporate governance and contracts, and violate regulatory requirements in the forms of identity theft, trade secret theft, brand hijacking, blackmail, and extortion.  The background investigation doesn’t always work.

The annals of background investigation history are rich with examples of failed policy, procedures, and even strategies associated with understanding the truth about a candidate’s past.  Criminals have passed background checks.  There is a reason that top secret security clearances can take up to nearly two years to conduct and may cost several thousand dollars, and sometimes much more, depending on a number of variables relative to each case.  Of course, not every candidate needs this level of background investigation.  But companies should examine the background investigation process used by third parties that have physical, logical, or administrative access to information.

It’s always good to scale the extent of a background investigation to the level of access.  Sometimes organizations initiate background checks only on some candidates.  One executive remarked that “we only conduct checks on positions with the title of vice president or above.”  This can convey a false sense of security.  While senior executives may have access to critical sensitive information, many lower-level positions come with a high level of access to this same information.

Here are ten background investigation considerations:

  1. Assess how the third-party under consideration may pose risk to your company, not by the title or level of a position, but rather the level of access to information.
  2. Make sure the third-party is open and responsive to questioning about the background check process.  Trust but verify, as the saying goes.
  3. Ask about their background investigation vendors, and then conduct your own due diligence on those firms used by the third-parties.  Examine the processes and methods used to investigate candidates.
  4. Don’t hesitate to ask to see background check forms.  We’ve seen background reports where certain information contained in the report didn’t seem right—and it wasn’t.  Maybe it was a phone number that didn’t seem correct, perhaps an area code that doesn’t exist.  Yes, people actually make up telephone numbers and addresses.  It may be worth knowing what type of telephone number was used by the candidate.  Is it a temporary, prepaid number?  Is it a registered mobile number, a home telephone, or maybe even a business telephone number?  Is it the number of a family member, a friend, or other person?
  5. Have the third-party firm supply references.  And make sure that the references are relevant to your company.  For example, if the third party is going to handle regulated data, check with companies that have engaged the third party to manage that type of information.  The security and privacy requirements may be industry or jurisdiction specific.
  6. Check the third-party breach history and the cause of any breaches.  Were any breaches linked to failures in the background investigation process?
  7. Ask what lessons were learned after any breaches and if those lessons were incorporated into the background analysis process.
  8. Are employees ever reinvestigated?
  9. What is the reinvestigation frequency and scope?
  10. Are reinvestigations triggered by certain life events, or corporate events, such as a merger or acquisition?

The accuracy and effectiveness of background investigations of third-party employees is one of the best defenses against a breach and its consequences.  Knowing who has access to your data, and whether they are trustworthy, is a mandatory tenet of strong corporate governance.

Al Qaeda’s “Inspire” Magazine and the Boston Marathon Bombing

By MacDonnell Ulsch, CEO & Chief Analyst

Al Qaeda loves the Internet.  Would it like to strike down the very companies and government that created what we now know as a multifaceted, integrated collection of technologies that connect the world in ways never imagined only several decades ago?  Yes.  But while some would revel in a lifeless, disconnected Internet, such a strike would be costly to Al Qaeda and its adherents worldwide.

Can we expect an Al Qaeda strike at U.S. critical infrastructure?  Yes; it is an absolute certainty that this will happen, with Al Qaeda attacking specific targets that will create confusion in command and control, disrupt the global supply chain, interfere with the strategy and operations of capitalism at work, and create uncertainty about financial services, food, water, health services, law and order, and the other elements necessary to sustain a functioning society.

While the idea of a disabled Internet, death to America, and capitalism held hostage at the hands of terrorists gives rise to inspirational messaging, the cold reality is that the Internet is essential to Al Qaeda’s recruitment and conversion programming.  The Internet is an important component of Al Qaeda’s revenue generation, which is linked to narcotics trafficking, which is then linked to organized crime and money laundering.  This is one reason that what has become known as a potential Digital Pearl Harbor is more likely a goal of North Korea or Iran, and not Al Qaeda.  An “Inspire” magazine without the Internet will have the reach of homing pigeons; not unimportant, but extremely limited.

And this is exactly why “Inspire” was at least implicit in the Boston Marathon bombings.  Terrorist action, while extreme and loathsome, and even barbaric, is not isolated and it is not unplanned.  It is an integrated plan backed by vivid, lethal impact and painstaking strategic consideration.  While whether the Boston Marathon bombings are directly or indirectly connected to “Inspire” is an important consideration in many ways, it is the impact of the action that, in the eye of the terrorist, matters.  The Brothers Tsarnaev, and whoever else may have been engaged in their strike against the peaceful gathering of athletes and cheerleaders on April 15, 2013, launched an attack that was heard around the world.  “Inspire” may or may not have been the hands-on creator and promoter of it, but it will no doubt be the beneficiary of it.

It is too early to know the extent of the conspiracy involved in the bombing.  No doubt some of the investigative findings will remain classified.  But this much is clear: two terrorists, who lived largely beneath the radar, were clearly extremist, and were clearly capable.  They executed the plan with near precision.  They were also unreservedly inspired.  Thanks to “Inspire,” their deadly actions will be used to introduce a new age of terrorist engagement.  “Inspire” will use the events associated with the bombings to further its extremist goals: that much is certain.

Much is being said and written about the concept of a lone wolf.  It’s interesting.  In nature, a wolf kills when it is hungry or is threatened.  Terrorists are not lone wolves.  Terrorists are indoctrinated; they are inspired.  They may not receive a complete bomb-making kit from “Inspire” or directly from Al Qaeda.  But is there a difference between inspiring someone to kill someone else and handing them the tools necessary to make the kill?  The answer is that in a court of law, there may be a difference.  In the court of public opinion the answer may be divided.  To those who lost a friend or loved one, to those who experienced the physical and mental anguish of the bombing and its aftermath, the subtlety is irrelevant.

The goal of the terrorist is to inspire fear—or terror.  The goal of “Inspire” is to capitalize on that terror by perpetuating it, aggrandizing it, and praising it as an act of faith above the faith of all others.  The result is predictable and unfortunate.  The culpability is inclusive.  Whether before a terrorist attack occurs or in its bloody aftermath, the human and digital imprimatur of “Inspire” is present.

Note:  I asked my friend and colleague Gary Beach to contribute to the ZeroPoint blog because he has an important new book coming out in July.  The U.S. Technology Skills Gap: What Every Technology Executive Must Know to Save America’s Future examines issues that should be of concern to everyone because the “skills gap” is not just about jobs: it’s about defining and positioning for an uncertain future defined by global digital risk. Gary has been a keen analyst and observer of the industry for several decades.  In this book he decodes this coming risk and what we must do to mitigate the impact of the disconcerting skills gap.  This is not just a concern about jobs—it is a critical issue of national security and national economic security.  Gary’s book is a wakeup call and a call to action. –MacDonnell Ulsch.

Technology Skills Gap a Determinant of Future Risk

By Gary J. Beach

As author of The U.S. Technology Skills Gap: What Every Technology Executive Must Know to Save America’s Future, a question I am asked often is “what are the tech skills found lacking in the United States?  Where’s the gap most critical?”

Before I answer, I ask my inquirer, “what skills do you think are lacking?”  And to that question the most common answers I hear are “social media,” “mobility,” “analytics” and “cloud.”  All good choices.  But not the number one response!

CompTIA, a large professional skills association, surveyed 1,061 information technology professionals and asked them their opinion of the most vulnerable tech skills gaps in the United States.  Thirty-one tech areas were measured.  Tied for first as the most blatant tech skills gap in America were “security/cybersecurity” and “network infrastructure.”  For the curious, PHP, the web scripting language, came in last.

In an era where, if needed, every grain of sand could be assigned an IP address, the downside of the connectedness of “the internet of things” is the biggest skills gap worry for IT executives.

With screaming headlines like “Yes, the Chinese Army Is Spying on You” on the cover of a recent issue of Bloomberg Business Week, in hindsight, having “security/cybersecurity” top the list really should not be a surprise.  One of my favorite all-time movies, Failsafe (1964), vividly imagined the ramifications of glitches in information technology infrastructure.  Aside: log on to YouTube, type in the word Failsafe and on about the third page of returns you will find the full, uninterrupted, black and white movie.  For security professionals, it is a must watch!

And 36 years later, two years before the fateful events of September 11, 2001, the United States Commission on National Security in the 21st Century, in its provocative report Road Map for National Security: Imperative for Change, recommended “the creation of a new independent National Homeland Security Agency with responsibility for planning, coordinating, and integrating various U.S. government activities involved in homeland security.”  Moreover, in an amazingly prescient prediction, the commission said, “the United States will become increasingly vulnerable to hostile attack on the American homeland and U.S. military superiority will not entirely protect us.”

OK, so “security/cybersecurity” tops the list of tech skills gaps in America. The vital question is how our country “bridges” those gaps.  Adam Davidson, an award-winning New York Times columnist, in a November 2012 piece on the skills gap in the manufacturing industry, argued that the skills gap was not a problem confined to manufacturing as a single vertical. “Rather,” he said, “the skills gap is really a gap in education and it affects all of us.”

The creation of a “skills gap” out of an underlying “education gap” is the focus of The U.S. Technology Skills Gap, where I connect the dots across more than 100 years of missteps in how the American public school system has utterly failed to educate young Americans to a “proficient” level in math, science and reading.

It is a failure that now threatens our nation’s future economic strength, the global employability of our workforce and the strength of our nation’s security, as “cyberspace” joins the other domains of war: land, sea, air and space.

Gary J. Beach is Publisher Emeritus of CIO magazine and the author of The U.S. Technology Skills Gap: What Every Technology Executive Must Know to Save America’s Future, to be published in July by Wiley.

By MacDonnell Ulsch, CEO & Chief Analyst

The Cyber Enemy and How It Uses the Internet

Shortly after the Boston Marathon bombing, another case, overshadowed by the Boston attack, was reported in the press.  It is the case of two Al Qaeda affiliated terrorists in Canada. They stand accused by the government of “conspiring to murder persons unknown … in association with a terrorist group” by plotting to attack a passenger train operating between Toronto and New York City.

This brings to mind the evolving profile of technology-literate terrorists and criminals who use the Internet.  Most cyber-attackers, including nation-states, do not want to destroy the Internet—it’s too valuable.  They simply want to profit from it.  To those who steal intellectual property and trade secrets, engage in extortion and other crimes associated with information compromise, the Internet is mission-critical.

These terrorists and criminals are not the terrorists and criminals we used to know.  They are not the embodiment of the 9/11 attackers.  The profile of the post-9/11 terrorist is evolving.  Some are professionals, working in many industries, and in many countries.  They are pursuing graduate degrees.  They appear to be part of the fabric of the workplace.  But they are not.

Chiheb Esseghaier, one of the Canadian terrorists, clearly led two lives.  Pursuing his doctorate in Canada in the field of optical and electrochemical biosensors, he published work on methods of detecting prostate cancer and HIV, among other diseases.  Science was the way he earned a paycheck.  Jihad seems to be how he defined his life’s mission.

As described in the book “THREAT! Managing Risk in a Hostile World,” Kafeel Ahmed, one of the terrorists behind the June 30, 2007 attack on Glasgow International Airport, also led a double life.  He was pursuing a doctorate in fluid dynamics and worked beneath the radar as an aerospace engineer at an overseas company under contract with Boeing and Airbus.  But Ahmed is best known for loading his Jeep Cherokee with extra tanks of gasoline and driving it, with accomplice Bilal Abdullah, an emergency room physician, into the security bollards at the entrance of Glasgow International Airport.  Traveling at about 30 mph, the Jeep struck the bollards and burst into flames.  The security barriers prevented the vehicle from penetrating the terminal, and only Ahmed died as a result of the attack.

Abdullah was later found guilty of conspiracy to murder and sentenced to life imprisonment with a minimum term of 32 years.

The new generation of terrorists, organized crime syndicates, and others have grown up with technology.  They are educated.  They are professionals, working in industry.  They are Internet savvy.  They use laptops. Mobile devices are indispensable.  They are inveterate users of Facebook. They communicate through LinkedIn.  But they also hack into web sites, steal intellectual property and trade secrets, commit identity theft, engage in fraud, blackmail and extortion, and other criminal actions.  Just as the rest of the world has grown smaller and flat, so has the landscape associated with jihad, information-related crimes, and social protests.

There is one clear differentiator between those on the dark side and the rest of the cyber community.  They tend to be heavy users of encryption, recognizing the importance of protecting the confidentiality and integrity of their communications and information.

See the table below for a brief preview of how some attackers use the Internet.

Cyber Enemy Threat Execution

© Copyright 2013.  ZeroPoint Risk Research LLC.  All rights reserved.

CyberBreach Situation Report – April

By MacDonnell Ulsch, CEO & Chief Analyst

Executive Risk Councils Vital to Managing Cyber Risk

Cyber-attack impact is variable—and virtually assured.  Fail to adequately safeguard information and the pain is quickly felt: regulatory scrutiny, fines, civil and even criminal litigation, loss of market value, loss of customer base, loss of market dominance, loss of reputation, and on and on.  The list is long, and can be costly.

What to do about it.  Here is one recommendation: build an Executive Risk Council.  If one already exists, make sure it is optimized for peak risk management performance.  An Executive Risk Council is not a silver bullet for cyber-defense, but it does have significant value.

It brings together affected parties.  For too long, security has been perceived as either an issue of guards, gates, and guns, or as an IT issue.  While it is both, it is also more than that.  Look at the impact of a breach, and it becomes obvious who should be involved in an Executive Risk Council.  Although companies and situations vary, here is an outline of who should be included.

Legal Officer.  The breach footprint is large.  A breach, first and foremost, becomes a legal issue.  The legal challenge involves regulatory considerations, breach of contracts, civil litigation and even criminal prosecutions.  So it is vital to include a legal representative.  For smaller companies, especially those without in-house counsel, consider working with an external legal resource, one with knowledge of information management and risk.

Risk Officer.  Some companies have a chief risk officer, but many don’t.  In the absence of a senior-level risk officer, the chief financial officer often serves in the role of the chief risk officer.  Every breach results in a cost to the company—that’s a post-breach consideration.  It is also important to have the CFO on the Council because that officer can be influential in making budget available for preventative measures.

Security.  This is obvious, but not entirely so.  Companies often get this wrong.  Information security has three distinct components: (1) physical security, (2) technical or logical security, and (3) administrative security.  Regulators (the HIPAA Security Rule, for example) refer to exactly these categories of safeguards, and each should receive equal measure.  In many companies there is a wide gulf between physical security on one side and technical and administrative security on the other.  This is a weakness that increases the likelihood of breach success, particularly when an intrusion involves physical penetration of the target company.

IT.  Information Technology infrastructure is vital to the Council because most every activity the company engages in involves a computer, a tablet, a smart phone, the network, the Internet, servers, etc.   IT touches everything.

Information and Records Management.  While many organizations are transitioning to paperless records, many are not.  Most environments currently are a mix of paper and electronic records.  This magnifies the risk.  Include the chief information officer (CIO) or records management executive in the Council.

BCP/DR.  Business Continuity Planning and Disaster Recovery are critical to the Council.  The absence of this representation on the Council may result in increased risk impact.  BCP/DR should include issues such as workplace violence, terrorist attack, natural disasters, utility outages and other factors.

Marketing and Sales.  Often not included in risk councils, it is important to remember that marketing and sales are intimately related to the company’s reputation.  In the event of a breach, it is necessary to address this issue with customers.

Human Resources.  Get the entire employee base onboard with the security message.  HR is often the organization that has the greatest reach to all employees, from onboarding to exit interviews.  HR needs to be part of the solution to risk impact management and prevention, as well.

Privacy.  Make sure that a professional with the responsibility of monitoring information use and maintaining information privacy is in the Council.  Also, remember that privacy includes not only personal information, but intellectual property and trade secrets.

Internal Audit.  A representative from internal audit will add substantial value, making certain that the internal audit plan covers the full scope of the risk.  Internal audit also has a direct line to the audit committee of the board of directors.

Corporate Communications.  Developing a media response plan before a breach is fundamental and should be part of every company’s corporate governance initiative.  If perception is reality, then perception should not be left for others to define, lest that become the reality.

Alliance Management.  Strategic alliance and joint venture partner relationships are at risk in the event of an inadequately managed breach.  Having an alliance management executive participate in the Council allows for proper messaging (working with corporate communications) to the various companies who may have skin (and risk) in the breach.

Compliance.  A compliance representative is critical, particularly if the breach involves PII or PHI.  Depending on the size of the company, compliance may be part of the legal office.  If not, someone from compliance will be able to convey to the Council the regulatory requirements associated with managing data and what to do in the event of a breach.

Executive Sponsor.  The more senior the title, the better, at least in most cases.  For smaller organizations, it may be the CEO.  But whether it is the Director of Internal Audit, General Counsel, or CFO, the executive sponsor has direct access to the board and to the executive management team.  An Executive Sponsor can be invaluable for budgetary approvals.  Because of exposure to the content discussed in the Council, the Executive Sponsor, as well as each participating member, will come to a strong understanding of the need to prevent breaches and to reduce the impact of one should it occur.

The goal of the Council is to reduce to the lowest degree possible the impact of a breach.  The Council needs to understand the fundamentals of cyber-threats, and how to defend against legal, financial, regulatory, and reputation risk.

This includes recognizing risk impact.  It forces the team to confront potential loss associated with a cyber-breach.  Impact potential includes loss of market share, sales, company value, market positioning and dominance, customer and alliance concerns, investor confidence, and even insurability.

Again, the Council is no silver bullet against information compromise, but it is a good starting point for building the appropriate level of awareness and sense of urgency where it counts.

All companies targeted by cyber-attacks face one great commonality: compromise of reputation—reputation risk.  Position the Council to “think post-breach” and “act pre-breach.”  An effective Executive Risk Council can help reduce the impact of a potentially devastating cyber-attack, and maintain that ever important bond of trust, which defines reputation.

In the Blink of an Eye

April 18th, 2013

By: Gerry Kane

Managing Director


The world we live in often seems like an endless repetition of day after day, with little variance but the weather.  We become complacent, perhaps content and, unfortunately, dismissive of the possibility for calamitous change. The reality is, however, that while life does follow repetitious patterns and gradual trends, it is also subject to random and unexpected events that truly change the world and the way we live our lives.  Even here in the United States where, for the most part, our daily lives are lived without fear and with a sense of security, it happens in the blink of an eye.

No better examples exist than the horror at the Twin Towers on 9-11, the bomb attack on the Alfred P. Murrah Federal Building in downtown Oklahoma City on April 19, 1995, and now the double bombing at the Boston Marathon on Patriots Day, 2013.

Much has been written in the days since the tragedy about the three spectators killed and the more than 170 (at this point) wounded and dismembered.  There are also emotionally stirring stories about the first responders:  police, firefighters, EMTs, race volunteers, the military, and even other racers and spectators who seemingly without regard for their own safety immediately went to the aid of those who had fallen.

Mostly missing from the news stories, however, but likely to be given more print and airtime in the coming weeks when the dust has settled, are the stories of how the response to this crisis was incredibly rapid, coordinated, managed, effective and, yes, even planned.

From  “All indications are that the response in Boston appeared well planned and well executed.  Police, fire, EMS and even the Massachusetts National Guard responded to and stabilized the incident quickly and decisively.  This does not occur without well developed policy, operational plans and exercises to ensure that responders understand their role and that agencies have the resources needed to execute plans quickly.

From the Wall Street Journal: “Rescuer reaction was so instantaneous that it appeared to be rehearsed, and it was: Two years ago, a citywide drill required Boston police, fire-department workers, hospitals and emergency-medical service personnel to react as if bombs had been detonated across the city.”

Similar preparedness was exhibited by the local hospitals which were obviously prepared for “normal” race related medical needs, but were able to execute response plans for much more serious and larger scale disaster related injuries.

From the Huffington Post: “Boston’s hospitals couldn’t have known Monday morning that dozens of people would pass through their doors that afternoon in need of immediate medical care for injuries sustained in a bombing at the finish line of the Boston Marathon.

“But for hospitals in Boston and elsewhere in the U.S., especially in big cities, years of thinking ahead triggered response plans that directed the most injured patients to the facilities best suited to care for them, cleared beds and operating rooms to speed treatment for the worst cases and pulled in medical personnel from across the region to help those suddenly in need of emergency medical care.”

Did Boston take preventive measures in the days leading up to the race and on race day itself?  You bet. But security is never 100% and we must be prepared for those times when even the best security measures aren’t enough.  And without diminishing the tragedy of the marathon or suggesting that a loss of data is as important as loss of life, we should also think of the above in terms of our business environments.  Most of us work in organizations that take at least some preventive measures when managing the financial, legal, regulatory, and reputation risks associated with a potential data breach or other type of reputation compromise.  But have we all planned for the event where our best security measures fail?

Probably not.

In my experience, Incident Response Planning gets very little attention, much like disaster recovery, business continuity and, yes, crisis management.  We all say we’re ready for it, but until we are actually faced with a true incident we are unaware that we are woefully unprepared.  We fool ourselves, or even lie to ourselves, when we state that the two paragraphs on Incident Response in our Written Information Security Plan (WISP), if we have one, are adequate.  It is only when the breach occurs that we look for the plan, and it isn’t there.  At that point we ask the following questions for the first time:

  • Who is in charge of managing the incident?
  • Are we sure we have been breached?
  • What has been taken?
  • How did it happen?
  • What else might be exposed?
  • How do we contain it?
  • Is it still happening?
  • Who is impacted? Customers?  Vendors?  Regulators?  Employees?
  • Who are we obligated to tell?  Customers?  Vendors?  Regulators?  Employees?
  • What do we tell them?
  • How do we tell them?
  • Who is the spokesperson to them?
  • Do we need to contact law enforcement?
  • How do we remove the problem?
  • How do we know when the problem has been eradicated?
  • When can we safely go back to business as usual?
  • How can we learn from this incident in order to better respond the next time?

Take a few minutes and think an incident scenario through from beginning to end, asking yourself all of the above questions along the way.  If you have a plan that addresses all of them, fantastic.  But keep working on it.  Do a live exercise at least once a year and update the plan based on what you learn.  I suspect, however, that many of us might never get past the first question.

Who remembers this commercial from the early 1980s?  There are two auto mechanics in the shot.  One, the speaker, tells us that these days he is turning a lot of his repair work over to the other mechanic who performs, it would appear, complete engine rebuilds.  The speaker, who apparently runs the maintenance portion of the business, talks about the new, smaller 4-cylinder engines and the fact that they work much harder than traditional engines, and therefore need more regular maintenance.  The oil filter is part of that regular maintenance.  Skipping the maintenance does not eliminate the expense.  Rather, it postpones it, and when it finally presents itself it is many times the original maintenance expense.

Cue the catch phrase:

“You can pay me now, or pay me later.”

Fade to black.

The commercial conveys a very simple message and could be stated in a number of other ways.  “An ounce of prevention is worth a pound of cure” comes to mind.  Or even the pithy “Be prepared”.  And the message is worth heeding whether your field of endeavor is auto mechanics, merit badges or data privacy.   But, let’s be honest, far too many of us hear the message but do not heed it.  We fool ourselves into thinking that

  • A data breach will never happen to us;
  • We have nothing worth stealing;
  • We spend plenty on technology – we must be secure;
  • We pass an IT audit every year and they never find anything significant – we must be secure;
  • Nobody has come after us so far – we must be secure;
  • We have an IT security function – we must be secure.

But, take it from me, there is more, and more sophisticated, breach activity taking place in the world today than at any time in the past, and organizations that hang their hats on the above beliefs are not exempt.  They are being attacked and breached regularly and systematically.  They are paying dearly for that engine rebuild: the post-breach containment, recovery, legal fees, regulatory fines and loss of reputation.  Pre-breach preparedness, as part of an information risk management program, would have been much cheaper.

Information Risk Management is not the same as information security.  The latter is a component and result of the former, and the fact is that you can’t have effective security, regardless of how much you spend on it, if you don’t also have a sound risk management program.  And effective risk management starts with risk assessment.

If you manage private data of nearly any kind, you probably face a regulatory requirement to perform an annual (at least) risk assessment.  This is true if you process credit card data, protected health information (PHI), or non-public personal information (NPPI) in Massachusetts and many other states.  If you do not hold regulated data, chances are pretty good that you have intellectual property of some kind that may be even more worthy of protection than regulated data.  The result is that just about any organization with a computer needs to practice information risk management.  Yet it is amazing how many of these organizations skip the risk assessment as unnecessary.

Risk assessment is critical.  It enables you to understand exactly what assets (including data) need protection, what threats to those assets exist within your organization or “in the wild”, and what the impact would be to your organization should one of those threats take advantage of an existing, unchecked vulnerability.  It enables you to determine and prioritize your security initiatives based on potential risk impact to your organization – risk that could be financial, legal, reputational or regulatory.  It should be as fundamental to your general management (NOT your IT management) as the oil filter.

Copyright © ZeroPoint Risk Research, LLC. All rights reserved.