ZeroPoint Risk Research, LLC

By MacDonnell Ulsch, CEO & Chief Analyst

The Cyber Enemy and How It Uses the Internet

Shortly after the Boston Marathon bombing, another case, overshadowed by the Boston attack, was reported in the press.  It is the case of two Al Qaeda affiliated terrorists in Canada. They stand accused by the government of “conspiring to murder persons unknown … in association with a terrorist group” by plotting to attack a passenger train operating between Toronto and New York City.

This brings to mind the evolving profile of technology-literate terrorists and criminals who use the Internet.  Most cyber-attackers, including nation-states, do not want to destroy the Internet—it’s too valuable.  They simply want to profit from it.  To those who steal intellectual property and trade secrets, engage in extortion and other crimes associated with information compromise, the Internet is mission-critical.

These terrorists and criminals are not the terrorists and criminals we used to know.  They are not the embodiment of the 9/11 attackers.  The profile of the post-9/11 terrorist is evolving.  Some are professionals, working in many industries, and in many countries.  They are pursuing graduate degrees.  They appear to be part of the fabric of the workplace.  But they are not.

Chiheb Esseghaier, one of the Canadian terrorists, clearly led two lives.  Pursuing his doctorate in Canada in the field of optical and electrochemical biosensors, he published work on methods of detecting prostate cancer and HIV, among other diseases.  Science was the way he earned a paycheck.  Jihad seems to be how he defined his life’s mission.

As described in the book, “THREAT! Managing Risk in a Hostile World,” Kafeel Ahmed, one of the terrorists behind the June 30, 2007 Glasgow International Airport attack, also led a double life.  He was pursuing a doctorate in fluid dynamics and worked beneath the radar as an aerospace engineer at an overseas company under contract with Boeing Aerospace and Airbus Industries.  But Ahmed is best known for loading his Jeep Cherokee with extra tanks of gasoline and driving it, with accomplice Bilal Abdullah, an emergency room physician, into the security bollards at the entrance of Glasgow International Airport.  Traveling at 30 mph, the Jeep detonated on impact.  The security barriers prevented vehicle penetration into the interior of the airport, and only Ahmed was killed in the attack.

Abdullah was later found guilty of conspiracy to commit murder and received a prison sentence of 32 years.

The new generation of terrorists, organized crime syndicates, and others have grown up with technology.  They are educated.  They are professionals, working in industry.  They are Internet savvy.  They use laptops. Mobile devices are indispensable.  They are inveterate users of Facebook. They communicate through LinkedIn.  But they also hack into web sites, steal intellectual property and trade secrets, commit identity theft, engage in fraud, blackmail and extortion, and other criminal actions.  Just as the rest of the world has grown smaller and flat, so has the landscape associated with jihad, information-related crimes, and social protests.

There is one clear differentiation between those on the dark side and the rest of the cyber community.  They tend to be heavy users of encryption, realizing the importance of protecting the confidentiality of their communications and the integrity of their information.

See the table below for a brief preview of how some attackers use the Internet.

Cyber Enemy Threat Execution

© Copyright 2013.  ZeroPoint Risk Research LLC.  All rights reserved.

CyberBreach Situation Report – April

By MacDonnell Ulsch, CEO & Chief Analyst

Executive Risk Councils Vital to Managing Cyber Risk

Cyber-attack impact is variable—and virtually assured.  Fail to adequately safeguard information and the pain is quickly felt: regulatory scrutiny, fines, civil and even criminal litigation, loss of market value, loss of customer base, loss of market dominance, loss of reputation, and on and on.  The list is long, and can be costly.

What to do about it?  Here is one recommendation: build an Executive Risk Council.  If one already exists, make sure it is optimized for peak risk management performance.  An Executive Risk Council is not a silver bullet for cyber-defense, but it does have significant value.

It brings together affected parties.  For too long, security has been perceived as either an issue of guards, gates, and guns, or as an IT issue.  While it is both, it is also more than that.  Look at the impact of a breach, and it becomes obvious who should be involved in an Executive Risk Council.  Although companies and situations vary, here is an outline of who should be included.

Legal Officer.  The breach footprint is large.  A breach, first and foremost, becomes a legal issue.  The legal challenge involves regulatory considerations, breach of contracts, civil litigation and even criminal prosecutions.  So it is vital to include a legal representative.  For smaller companies, especially those without in-house counsel, consider working with an external legal resource, one with knowledge of information management and risk.

Risk Officer.  Some companies have a chief risk officer, but many don’t.  In the absence of a senior-level risk officer, the chief financial officer often serves in the role of the chief risk officer.  Every breach results in a cost to the company—that’s a post-breach consideration.  It is also important to have the CFO on the Council because that officer can be influential in making budget available for preventative measures.

Security.  This is obvious, but not entirely so.  Companies often get this wrong.  Information security must contain three very specific characteristics: (1) physical security, (2) technical or logical security, and (3) administrative security.  The regulators make reference to these aspects of security, and each should have equal measure.  In many companies, there is a wide gulf between physical security and technical and administrative security.  This is a weakness that increases the likelihood of breach success, particularly when an intrusion involves physical penetration of the target company.

IT.  Information Technology infrastructure is vital to the Council because almost every activity the company engages in involves a computer, a tablet, a smart phone, the network, the Internet, servers, etc.  IT touches everything.

Information and Records Management.  While many organizations are transitioning to paperless records, many are not.  Most environments currently are a mix of paper and electronic records.  This magnifies the risk.  Include the chief information officer (CIO) or records management executive in the Council.

BCP/DR.  Business Continuity Planning and Disaster Recovery are critical to the Council.  The absence of this representation on the Council may result in increased risk impact.  BCP/DR should include issues such as workplace violence, terrorist attack, natural disasters, utility outages and other factors.

Marketing and Sales.  Often not included in risk councils, it is important to remember that marketing and sales are intimately related to the company’s reputation.  In the event of a breach, it is necessary to address this issue with customers.

Human Resources.  Get the entire employee base onboard with the security message.  HR is often the organization that has the greatest reach to all employees, from onboarding to exit interviews.  HR needs to be part of the solution to risk impact management and prevention, as well.

Privacy.  Make sure that a professional with the responsibility of monitoring information use and maintaining information privacy is in the Council.  Also, remember that privacy includes not only personal information, but intellectual property and trade secrets.

Internal Audit.  A representative from internal audit will add substantial value, making certain that the internal audit plan embraces the full scope and dimension of the risk.  Also, internal audit has direct linkage to the audit committee of the board of directors.

Corporate Communications.  Developing a media response plan before a breach is fundamental and should be part of every company’s corporate governance initiative.  If perception is reality, then perception should not be left for others to define, lest that become the reality.

Alliance Management.  Strategic alliance and joint venture partner relationships are at risk in the event of an inadequately managed breach.  Having an alliance management executive participate in the Council allows for proper messaging (working with corporate communications) to the various companies who may have skin (and risk) in the breach.

Compliance.  A compliance representative is critical, particularly if the breach involves PII or PHI.  Depending on the size of the company, compliance may be part of the legal office.  If not, someone from compliance will be able to convey to the Council the regulatory requirements associated with managing data and what to do in the event of a breach.

Executive Sponsor.  The more senior the title, the better, at least in most cases.  For smaller organizations, it may be the CEO.  But whether it is the Director of Internal Audit, General Counsel, or CFO, the executive sponsor has direct access to the board and to the executive management team.  An Executive Sponsor can be invaluable for budgetary approvals.  Because of exposure to the content in the Council, the Executive Sponsor, as well as each participating member, will have a strong understanding of the need to prevent breaches and reduce the impact of one should it occur.

The goal of the Council is to reduce to the lowest degree possible the impact of a breach.  The Council needs to understand the fundamentals of cyber-threats, and how to defend against legal, financial, regulatory, and reputation risk.

This includes recognizing risk impact.  It forces the team to confront potential loss associated with a cyber-breach.  Impact potential includes loss of market share, sales, company value, market positioning and dominance, customer and alliance concerns, investor confidence, and even insurability.

Again, the Council is no silver bullet against information compromise, but it is a good starting point for building the appropriate level of awareness and sense of urgency where it counts.

All companies targeted by cyber-attacks face one great commonality: compromise of reputation—reputation risk.  Position the Council to “think post-breach” and “act pre-breach.”  An effective Executive Risk Council can help reduce the impact of a potentially devastating cyber-attack, and maintain that ever important bond of trust, which defines reputation.

In the Blink of an Eye

April 18th, 2013

By: Gerry Kane

Managing Director

Gerry.Kane@ZeroPointRisk.com


The world we live in often seems like an endless repetition of day after day, with little variance but the weather.  We become complacent, perhaps content and, unfortunately, dismissive of the possibility for calamitous change. The reality is, however, that while life does follow repetitious patterns and gradual trends, it is also subject to random and unexpected events that truly change the world and the way we live our lives.  Even here in the United States where, for the most part, our daily lives are lived without fear and with a sense of security, it happens in the blink of an eye.

No better examples exist than the horror at the Twin Towers on 9-11, the bomb attack on the Alfred P. Murrah Federal Building in downtown Oklahoma City on April 19, 1995, and now the double bombing at the Boston Marathon on Patriots Day, 2013.

Much has been written in the days since the tragedy about the three spectators killed and the more than 170 (at this point) wounded and dismembered.  There are also emotionally stirring stories about the first responders:  police, firefighters, EMTs, race volunteers, the military, and even other racers and spectators who seemingly without regard for their own safety immediately went to the aid of those who had fallen.

Mostly missing from the news stories, however, but likely to be given more print and airtime in the coming weeks when the dust has settled, are the stories of how the response to this crisis was incredibly rapid, coordinated, managed, effective and, yes, even planned.

From www.energencymgmt.com:  “All indications are that the response in Boston appeared well planned and well executed.  Police, fire, EMS and even the Massachusetts National Guard responded to and stabilized the incident quickly and decisively.  This does not occur without well developed policy, operational plans and exercises to ensure that responders understand their role and that agencies have the resources needed to execute plans quickly.”

From the Wall Street Journal: “Rescuer reaction was so instantaneous that it appeared to be rehearsed, and it was: Two years ago, a citywide drill required Boston police, fire-department workers, hospitals and emergency-medical service personnel to react as if bombs had been detonated across the city.”

Similar preparedness was exhibited by the local hospitals which were obviously prepared for “normal” race related medical needs, but were able to execute response plans for much more serious and larger scale disaster related injuries.

From the Huffington Post: “Boston’s hospitals couldn’t have known Monday morning that dozens of people would pass through their doors that afternoon in need of immediate medical care for injuries sustained in a bombing at the finish line of the Boston Marathon.

“But for hospitals in Boston and elsewhere in the U.S., especially in big cities, years of thinking ahead triggered response plans that directed the most injured patients to the facilities best suited to care for them, cleared beds and operating rooms to speed treatment for the worst cases and pulled in medical personnel from across the region to help those suddenly in need of emergency medical care.”

Did Boston take preventive measures in the days leading up to the race and on race day itself?  You bet. But security is never 100% and we must be prepared for those times when even the best security measures aren’t enough.  And without diminishing the tragedy of the marathon or suggesting that a loss of data is as important as loss of life, we should also think of the above in terms of our business environments.  Most of us work in organizations that take at least some preventive measures when managing the financial, legal, regulatory, and reputation risks associated with a potential data breach or other type of reputation compromise.  But have we all planned for the event where our best security measures fail?

Probably not.

In my experience, Incident Response Planning gets very little attention, much like disaster recovery, business continuity and, yes, crisis management.  We all say we’re ready for it, but until we are actually faced with a true incident we are unaware that we are woefully unprepared.  We fool ourselves, or even lie to ourselves, when we state that the two paragraphs on Incident Response in our Written Information Security Plan (WISP), if we have one, are adequate.  It is only when the breach occurs that we look for the plan, and it isn’t there.  At that point we ask the following questions for the first time:

  • Who is in charge of managing the incident?
  • Are we sure we have been breached?
  • What has been taken?
  • How did it happen?
  • What else might be exposed?
  • How do we contain it?
  • Is it still happening?
  • Who is impacted? Customers?  Vendors?  Regulators?  Employees?
  • Who are we obligated to tell?  Customers?  Vendors?  Regulators?  Employees?
  • What do we tell them?
  • How do we tell them?
  • Who is the spokesperson to them?
  • Do we need to contact law enforcement?
  • How do we remove the problem?
  • How do we know when the problem has been eradicated?
  • When can we safely go back to business as usual?
  • How can we learn from this incident in order to better respond the next time?

Take a few minutes and think an incident scenario through from beginning to end, asking yourself all of the above questions along the way.  If you have a plan that addresses all of them, fantastic.  But keep working on it.  Do a live exercise at least once a year and update the plan based on what you learn.  I suspect, however, that many of us might never get past the first question.

Who remembers this commercial from the early 1980s?  There are two auto mechanics in the shot.  One, the speaker, tells us that these days he is turning a lot of his repair work over to the other mechanic who performs, it would appear, complete engine rebuilds.  The announcer, who apparently runs the maintenance portion of the business, talks about new, smaller 4 cylinder engines and the fact that they work much harder than traditional engines, and therefore need more regular maintenance.  The oil filter is part of that regular maintenance.  Skipping the maintenance does not eliminate expense.  Rather, it postpones it, and when it presents itself it is many times the original maintenance expense.

Cue the catch phrase:

“You can pay me now, or pay me later.”

Fade to black.

The commercial conveys a very simple message and could be stated in a number of other ways.  “An ounce of prevention is worth a pound of cure” comes to mind.  Or even the pithy “Be prepared”.  And the message is worth heeding whether your field of endeavor is auto mechanics, merit badges or data privacy.   But, let’s be honest, far too many of us hear the message but do not heed it.  We fool ourselves into thinking that

  • A data breach will never happen to us;
  • We have nothing worth stealing;
  • We spend plenty on technology – we must be secure;
  • We pass an IT audit every year and they never find anything significant – we must be secure;
  • Nobody has come after us so far – we must be secure;
  • We have an IT security function – we must be secure.

But, take it from me, there is more, and more sophisticated, breach activity taking place in the world today than at any time in the past, and organizations who hang their hats on the above beliefs are not exempt.  They are being attacked and breached regularly and systematically.  They are paying dearly for that engine rebuild – the post-breach containment, recovery, legal fees, regulatory fines and loss of reputation.  Pre-breach preparedness, as part of an information risk management program, would have been much cheaper.

Information Risk Management is not the same as information security.  The latter is a component and result of the former, and the fact is that you can’t have effective security, regardless of how much you spend on it, if you don’t also have a sound risk management program.  And effective risk management starts with risk assessment.

If you manage private data of nearly any kind, you probably face a regulatory requirement to perform an annual (at least) risk assessment.  This is true if you process credit card data, personal health information (PHI), or non-public personal information (NPPI) in Massachusetts and many other states.  If you do not have regulated data, chances are pretty good that you have intellectual property of some kind that may be even more worthy of protection than regulated data.  The result is that just about any organization with a computer needs to practice information risk management.  But it is amazing how many of these organizations skip the risk assessment as being unnecessary.

Risk assessment is critical.  It enables you to understand exactly what assets (including data) need protection, what threats to those assets exist within your organization or “in the wild”, and what the impact would be to your organization should one of those threats take advantage of an existing, unchecked vulnerability.  It enables you to determine and prioritize your security initiatives based on potential risk impact to your organization – risk that could be financial, legal, reputational or regulatory.  It should be as fundamental to your general management (NOT your IT management) as the oil filter.

THOUGHTS ON STEALING THE FUTURE

When Organized Crime Strikes

Is nothing sacred?  A friend put it succinctly.  “When you get labeled with child pornography, that’s the worst.  How do you ever come back from that?”

Good question.  It used to be that the subject never made the light of day, not at least among respectable adults.  But this seems to be a corner around which we have turned, thanks to organized crime, which has the dubious and disgusting distinction of controlling much of that despicable content.

Disturbingly, an increasing number of breaches involve photographic, morphed, or textual references to child trafficking and sexual exploitation.  The intent is often to extort money, blackmail, compromise corporate brands, and steal proprietary information.

It seems that the criminals behind these crimes will stop at nothing to architect extortion and blackmail schemes.  Using the Internet for exploitation has become the de facto standard.  Here are the facts:

  1. Corporate brands, and even executives, are unknowingly being linked to scam web sites that feature exploitative content, and even directly to child pornography sites unless ransoms are paid.
  2. Organized criminals have access to better technology than most and spare little expense.
  3. The cost of powerful technology is cheap and plentiful and they are expert in using it.
  4. They have no moral compass and children and women have no special status against abuse and exploitation.
  5. The global legal framework makes it very difficult to stop these crimes and punish the guilty.  Wealth is a great insulator against arrest and conviction, at least in some countries.
  6. The criminals expertly cover their tracks as they electronically infiltrate companies, and many target entities have deficient defenses against cyber-extortion.

Targeted brands walk a delicate balance across a tightrope of decision, where timeliness of response is a critical determinant of risk impact.  Here are a few questions every company CEO, General Counsel and board director should ask if that day of decision should come:

Should law enforcement be notified in the event of an extortion event, and what law enforcement organization should be contacted?

What is the likelihood the breach will be made public by the attacker?

Will alliance partners, customers, business associates and others be affected in the crime?

If they are affected, what’s the right response, and what is the brand liability?

Answering these questions should be the start of a conversation on risk and impact.

THOUGHTS ON STEALING THE FUTURE

Napoleon on China: “There, is a sleeping giant. Let him sleep! If he awakes, he will shake the world.”  Make no mistake: China is wide awake.

The People’s Republic of China is at the forefront of nation-state espionage, despite its denials.  But the theft of U.S. technological secrets by China is not new.  In fact, Project 863 was developed in 1986 as the State High-Tech Research & Development Plan.  It is also China’s evolving blueprint for technological independence and global economic empowerment.

Research and development is expensive.  Stealing the secrets of emerging technologies is inherently less expensive.  The Internet, the use of third-party vendors, deficient data protection and a number of other factors increase the effectiveness of illicitly acquiring targeted technologies.

China’s goal of dominating technology markets has tough consequences to those investing heavily in research and development.  The most valuable targets include an interesting array of intellectual property and trade secrets that will create and fuel the engines of commerce for decades to come.

The Golden Eggs of Industry

While medical and pharmaceutical technologies have long been in the crosshairs of Project 863, other costly intellectual property and trade secrets are the focus of its unrelenting and highly effective data collection apparatus:

Information Technology (IT).  IT is the building block of the future.  Hardware, software, and communication technology, information acquisition and processing technologies are key targets.

Advanced Materials.  These are key to energy efficiency; the aerospace and defense industries are critical beneficiaries and especially susceptible to loss.  Photo-electronic materials and devices and high-performance structural materials are highly sought after in Project 863.

Biotechnology and Advanced Agricultural Technology.  Targets include bio-engineering, gene manipulation, and bio-information technology that will be used to feed growing populations.  This is a contemporary version of capturing hearts and minds: feed the bodies, and the hearts and minds will follow.

Advanced Manufacturing and Automation Technology.  Even in a country of massive labor supply, CIMS or Contemporary Integrated Manufacturing Systems and robotics are important.  China as manufacturer to the world is the theme.  This is the path to global competitiveness.

Energy Technology.  Sustainable energy technology and clean coal technology are critical.  Energy makes the world go ‘round; it is a vital currency to every economy.  Dominate energy, manipulate the world.  The implications are enormous.

Resource and Environment Technology.  Marine resources exploitation, ocean monitoring technologies, and the technology associated with environmental pollution prevention are growth sectors.  Emerging nations contribute pollutants as never before.  China envisions leadership in cleaning up the planet, even as the air in Beijing clouds the city and its moral authority.

But moral authority isn’t the issue upon which the future hinges.  Now that China has awakened to the opportunity, shouldn’t industry awaken to the threat and take immediate action to protect its assets and value?

THOUGHTS ON STEALING THE FUTURE

Prepare for more corporate data breaches in 2013!  Prepare for greater risk impact, as criminals, rogues, and nation-states escalate the quest to steal the future through theft, sabotage, and disinformation.

While many rightfully speculate about an electronic Pearl Harbor targeted at U.S. critical infrastructure, an event intended to devastate commercial and government communications, this would be an especially difficult attack to execute.  Not impossible, necessarily, but extremely difficult.  While such a threat should never be discounted, the greater likelihood is the targeted attack against valuable corporate assets.

While some zealots may want to shut down the Internet, most attackers, from many foreign governments to organized crime, use the Internet to generate revenue and market advantage.  Whether stealing credit card numbers, personal data, intellectual property, trade secrets and other proprietary information, a dead Internet is unproductive—for legitimate businesses and for crime.

The Internet, aside from legitimate commerce, is used to steal data, to launder money, to conduct scams, to recruit terrorists, to raise capital for terrorist attacks and criminal enterprises, and to communicate and conspire.  Blackmail, ransom, extortion, virus development and deployment, disruption, and distribution of disinformation are increasingly common.

Of course, nation-state espionage is extremely active.  While the People’s Republic of China and the Russian Federation lead the illicit quest for technology secrets, more than one-hundred nations engage in economic espionage against the U.S.  According to the Rand Corporation, the U.S. accounts for nearly 40 percent of the global research and development investment.

Four Trends Driving Data Breaches

Technological Shift.  Researchers forecast the use of 50 billion mobile devices by 2020: more data on more devices that are easily lost or stolen, almost always unrecovered and too infrequently secured.  Cloud computing also distributes information widely, and not always under optimally secure conditions.  Security varies, and so does the risk.

Economic Shift.  This reflects changes in work structure: offshoring and outsourcing result in increased breaches because of inconsistent protective measures and differences in hiring and background check procedures, among many other risk-laden factors.

Cultural Shift.  Where and how people work: working from home, producing work product across multiple geographies, and the use of strategic alliance and third-party vendors complicates data protection.

Geopolitical Shift.  National boundaries are no meaningful deterrent, and the interconnected global supply chain has become dominated by the Internet, which escalates the risk.  This creates more opportunity for compromise.  Successful attacks against the supply chain can have devastating, lasting effects.

These four trends create advantage for those seeking to steal a future that is representative of financial investment, hard work, diligence, creativity, and extraordinary performance in a competitive global market.  Successfully defending against multidimensional threat vectors requires a multidimensional approach. In the words of NASA’s Mission Control director Gene Kranz:  failure is not an option.


September 26th, 2012

FTC Halts Computer Spying: http://t.co/v9dbreHQ


September 10th, 2012

Hacker who infected 72K computers gets prison sentence: http://t.co/csxFQm7p

To whom it may concern:

I want to let you know a few things I know about you. Please don’t worry, as I am sure I will forget everything in a few minutes. However, I implore you, please be more aware of how you are placing your personal information at risk…

- I know which bank you use based on the icon you tapped on your iPhone.

- I know what your password is for your mobile banking app. I was standing right there as you tapped it in.

- I know a little bit about your typical transactions and debit amounts.

- Oh, and thanks for opening your actual checkbook too. That made it easy for me to identify the date and check # used for your last Amex payment.

- Thanks also for opening Facebook right after doing your mobile banking. That helped me to identify what your name is.

Yes, I really did see all this information. It all happened in a span of about 3 minutes on the MBTA about 30 minutes ago.

And, of course, I will not divulge anything and will likely forget it all soon anyways.

But to anyone reading this, please let this be an example of how easy it is to acquire non-public personally identifiable information from you if you are not aware, really aware, about what you are doing.

And the ease of seeing this information was not facilitated by sophisticated systems, tools, or technology. Rather, it was facilitated by one of the simplest social engineering tools around… observation.

Anyone who has read my Tales of a Social Engineer series knows how easy it can be to gain access to secured buildings using other social engineering techniques. And once inside a building, the less sophisticated techniques such as those I utilized today can often result in the siphoning of sensitive information right out of your four walls.

So let’s all agree upon doing a few things on a going forward basis when you consider mobile banking or any other similar app while on the go. These just might help protect your personal info and finances a tiny bit more:

1) If you are going to use a mobile banking app, do a little bit of inquiry into the controls built into the app.

2) Consider a privacy screen cover that will obfuscate the on screen images for anyone that is not looking at the phone in a direct straight line.

3) Consider where you are when you fire up your mobile banking app. Better yet, just wait until you are home where no one is peering over your shoulder.

This stuff is not rocket science. It’s easy to do. Give it a chance and change your ways just one little bit and you might very well save yourself months and years of the anguish and stress that comes along with having your identity stolen…

- Jeff Bamberger
