Top 12 Ways Small To Med Businesses Can Reduce Cyber Risk

1) Use the Free DHS Developed CSET (Cybersecurity Evaluation Tool) To Assess Your Security Posture: High, Med, or Low.

Figure 1. CSET process (DHS, 2018).

2) Educate Employees About Cyber Threats and Hold Them Accountable. 

Educate your employees about online threats and how to protect your business’s data, including safe use of social networking sites. Depending on the nature of your business, employees might be introducing competitors to sensitive details about your firm’s internal business. Employees should be informed about how to post online in a way that does not reveal any trade secrets to the public or competing businesses. Use games with training and hold everyone accountable to security policies and procedures.

3) Protect Against Viruses, Spyware, and Other Malicious Code.

Make sure each of your business’s computers is equipped with antivirus and anti-spyware software that is updated regularly. Such software is readily available online from a variety of vendors. All software vendors regularly provide patches and updates to their products to correct security problems and improve functionality. Configure all software to install updates automatically. Be especially wary of freeware, which often comes bundled with malvertising.

4) Secure Your Networks.

Safeguard your Internet connection by using a firewall and encrypting information. If you have a Wi-Fi network, make sure it is secure and hidden. To hide your Wi-Fi network, set up your wireless access point or router so it does not broadcast the network name, known as the Service Set Identifier (SSID). Protect access to the router with a strong password (for example, xeyg1845%RELIGO).

5) Base Your Security Strategy Significantly on the NIST Cybersecurity Framework 1.1: Identify, Detect, Defend, Respond, and Recover.

Fig. 2. NIST Cybersecurity Framework (NIST, 2018).

6) Establish Security Practices and Policies to Protect Sensitive Information.

Establish policies on how employees should handle and protect personally identifiable information and other sensitive data. Clearly outline the consequences of violating your business’s cybersecurity policies and who is accountable.

7) Require Employees to Use Strong Passwords and to Change Them Often.

Consider implementing multi-factor authentication, which requires additional information beyond a password to gain entry. Check with your vendors that handle sensitive data, especially financial institutions, to see if they offer multi-factor authentication for your account. A smart card plus a passcode, for example.

8) Employ Best Practices on Payment Cards. 

Work with your banks or card processors to ensure the most trusted and validated tools and anti-fraud services are being used. You may also have additional security obligations related to agreements with your bank or processor. Isolate payment systems from other, less secure programs and do not use the same computer to process payments and surf the Internet.

9) Make Backup Copies of Important Business Data and Use Encryption When Possible.

Regularly back up the data on all computers. Critical data includes word processing documents, electronic spreadsheets, databases, financial files, human resources files, and accounts receivable/payable files. Back up data automatically if possible, or at least weekly, and store the copies either offsite or in the cloud.

10) Control Physical Access to Computers and Network Components.

Prevent access or use of business computers by unauthorized individuals. Laptops can be particularly easy targets for theft or can be lost, so lock them up when unattended. Make sure a separate user account is created for each employee and require strong passwords. Administrative privileges should only be given to trusted IT staff and key personnel.

11) Create A Mobile Device Protection Plan.

Require users to password protect their devices, encrypt their data, and install security apps to prevent criminals from stealing information while the phone is on public networks. Use a containerization application to separate personal data from company data. Be sure to set reporting procedures for lost or stolen equipment.

12) Protect All Pages on Your Public-Facing Website, Not Just the Checkout and Sign-Up Pages.

Make sure submission forms can block spam and can block code execution (cross-site scripting attacks).
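As an added illustration of the point above (example code written for this editorial pass, not code from the original post or from Abstract Forward), here is a minimal Python form handler showing a vulnerable rendering path next to a hardened one that validates the submission and HTML-escapes everything it echoes back. The field names, the hidden “website” honeypot field, the link limit and the sample submissions are all assumptions.

```python
"""Added example: a public-facing submission form handler that blocks spam and
cross-site scripting (XSS). Illustrative code for this post, not code from the
original article; field names, limits and sample submissions are assumptions."""
import html
import re
from typing import Dict, Optional, Tuple

MAX_FIELD_LEN = 2000   # assumed per-field size limit
MAX_LINKS = 2          # assumed: more links than this is treated as spam
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def render_unsafe(name: str, message: str) -> str:
    """Vulnerable path: input is interpolated straight into HTML, so a message
    containing <script> runs in every visitor's browser (stored XSS)."""
    return f"<p><b>{name}</b>: {message}</p>"


def validate_submission(form: Dict[str, str]) -> Optional[str]:
    """Return a rejection reason, or None when the submission looks legitimate.

    'website' is an assumed honeypot field hidden from human users with CSS;
    bots that fill every field reveal themselves by putting a value in it."""
    if form.get("website"):
        return "honeypot field filled (likely bot)"
    for field in ("name", "message"):
        value = form.get(field, "")
        if not value.strip():
            return f"{field} is required"
        if len(value) > MAX_FIELD_LEN:
            return f"{field} exceeds {MAX_FIELD_LEN} characters"
    if len(URL_RE.findall(form["message"])) > MAX_LINKS:
        return "too many links (likely spam)"
    return None


def render_safe(name: str, message: str) -> str:
    """Hardened path: every untrusted value is HTML-escaped at output time, so
    markup in the input is displayed as text instead of being interpreted."""
    return f"<p><b>{html.escape(name)}</b>: {html.escape(message)}</p>"


def handle_submission(form: Dict[str, str]) -> Tuple[bool, str]:
    """Validate first, then render safely. Returns (accepted, html_or_reason)."""
    reason = validate_submission(form)
    if reason is not None:
        return False, reason
    return True, render_safe(form["name"], form["message"])


if __name__ == "__main__":
    # Constructed sample submissions, not real site traffic.
    sample = {"name": "x", "message": "<script>alert(1)</script>", "website": ""}
    print("unsafe:", render_unsafe(sample["name"], sample["message"]))
    print("safe:  ", handle_submission(sample))
    print("bot:   ", handle_submission({**sample, "website": "http://spam.example"}))
```

Escaping at output time (rather than trying to strip “bad” characters on input) is the part that actually closes the XSS hole; the honeypot and link count are cheap spam filters that cost legitimate visitors nothing.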

Contact Abstract Forward here for more info.

Top Ten Ways Companies Can Reduce Cyber Risk

Mid-sized businesses are defined as having from about $50 million to $800 million in revenue. A 2017 report published by Keeper Security and the Ponemon Institute found that more than 50% of small and medium businesses had been breached in the past 12 months, but only 14% of them rated their ability to defend against cyber-threats as “highly effective” (Keeper / Ponemon, 2017). According to the 2017 Verizon Data Breach Investigations Report, 75% of the breaches were caused by outsiders, with 51% involving organized criminal groups, and the remainder involved internal actors. Not surprisingly, malware installed via malicious email attachments was present in 50% of the breaches involving hacking (Verizon, 2017). Here are ten steps (applicable to a business of any size) you can take to shield your mid-sized business from cyber-attacks:

10) Train Staff Often:

Most cyber-attacks take the form of phishing and spear phishing, in which hackers target individuals rather than computer systems – typically with the help of good social engineering (IT Governance Blog, 2017). Therefore, employees need to be educated to roll back what they share on social media and to opt out of data harvesting when they can. Training needs to be ongoing because the threat landscape and technology change so fast. For example, ransomware was not a serious attack vector 6 years ago, but it is front and center today. Additionally, cryptocurrency mining networks are an exploit vector that is arguably less than 2 years old and growing rapidly. Lastly, training more often improves the company security culture, and that is directly related to keeping a good business reputation and core customer base. Here are a few more training necessities:

1. Follow cyber security best practices and conduct audits on a regular basis – based on your selected one or two frameworks (COBIT 5, ISO 27001, etc.).

2. Use games, contests, and prizes to teach cyber safety – leadership must do this as well.

3. Notify and educate staff of any current cyber-attacks – have a newsletter.

4. Teach them how to handle and protect sensitive data – do lunch and learns.

9) Secure Wireless Networks:

Wireless networks can be easily exploited by cyber attackers, unknowing guests, and even angry customers. Your network is not like a coffee shop community room but rather it’s like a bank vault with many segmented areas – map the segments and know their rank order value. To harden your wireless network, avoid WEP (Wired Equivalent Privacy) encryption (which can be cracked in minutes) and use only WPA2, which uses AES-based encryption and provides better security than WPA.

Fig 1. (WPA2 Selection Screen Clip).


If you have a Wi-Fi network, be sure access to the router is secured by a password and that the network is hidden so that it does not broadcast the network name, known as the Service Set Identifier (SSID); to hide it, set up your wireless access point or router so it does not broadcast the SSID. Additionally, for protection against brute-force attacks, protect your network with a complex passphrase containing at least 25 characters and including a mix of upper and lower case letters, numerals, and symbols. Use a firewall and encryption to safeguard your internet connection.

8) Physically Secure Your Environment:

Focusing on web tools and monitoring is needed, but it’s also important to remember there are physical concerns about securing your network as well. To a threat actor, overcoming all of your security measures may be as easy as walking up to your router and pressing the reset button. Make sure that your key pieces of in-office infrastructure are secure, and that you’re monitoring them with video, sensors, or other physical security controls. Be creative and thorough about how you define a physical security connection point, including doors, public lobbies, windows, air vents, turnstiles, roofs, the printer room, the network closet, USB ports on machines, etc. Lastly, employees should keep their devices near them at all times.

7) Double Down on Firewalls:

While most routers have a firewall built in that can protect your internal network against outside attacks, you should know that it may not be automatically activated. It’s generally called something like SPI (stateful packet inspection) or NAT (network address translation). Either way, turn it on (Chelsea Segal, Cox Blue, 09/16/18).

It’s also important to ensure that your own software isn’t sending information out over the network or the internet without your permission. For that, you’ll want to install firewall software on your PC as well. PC Magazine’s top pick is Check Point ZoneAlarm Pro, but the default firewall that comes with Windows 8 and 10 is also a good start.

6) Evaluate Your Operational Resilience and Cyber-Security Practices Quarterly: 

A good start is the US-CERT’s Cyber Resilience Review (CRR), which helps organizations assess enterprise programs and practices across 10 domains including risk management, incident management, service continuity, and more (SBA, 2018). They can also use the CSET (Cyber Security Evaluation Tool), which is a free, customizable, multi-framework general cyber security assessment created by DHS.

5) Review Control Access / IAM and Audit Access Regularly:

Administrative access to your systems should only be granted on a need-to-know basis – the least privilege principle. The correct job roles should be in the correct Windows access groups. Keep sensitive data – such as payroll – out of the hands of anyone who doesn’t need it to do their job, marketing for example. Remove unused, stale, or unnecessary IAM users/credentials. Also, consider decommissioning old systems for risk reduction and cost savings – with the appropriate project analysis done. Use strong passwords and two-factor authentication, especially for single sign-on interfaces. Organizations should audit their IAM user activity to see which users haven’t logged into AWS for at least 90 days and revoke their permissions. Monitor user activity in all cloud services (including IAM user activity) to identify abnormal activity indicative of threats arising from a compromised account or a malicious/negligent internal employee – corroborated with event logs and related intelligence.
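To make the 90-day IAM audit above concrete, here is an added Python example (not from the original post) that reads an AWS IAM credential report, the per-account CSV that AWS generates, and lists users whose password and access keys show no activity inside the window, plus console users who have not enrolled a second factor. The report is trimmed to the relevant columns, and the rows, account number and user names are constructed sample data, not a real account.

```python
"""Added example (not from the original post): audit an AWS IAM credential
report for users with no activity in 90 days and for console users without MFA.
Column names follow AWS's credential report (trimmed to the relevant ones);
the rows, account number and user names are constructed sample data."""
import csv
import io
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

STALE_DAYS = 90
# Fixed "today" so the example is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2018, 9, 1, tzinfo=timezone.utc)

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2016-01-01T00:00:00+00:00,not_supported,2018-08-01T00:00:00+00:00,true,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-01-10T09:00:00+00:00,true,2018-08-30T14:12:00+00:00,true,false,N/A,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2017-03-05T09:00:00+00:00,true,2018-04-02T08:00:00+00:00,false,true,2018-03-20T11:00:00+00:00,false,N/A
svc-backup,arn:aws:iam::123456789012:user/svc-backup,2016-11-01T09:00:00+00:00,false,not_supported,false,true,2018-08-31T02:00:00+00:00,false,N/A
carol,arn:aws:iam::123456789012:user/carol,2018-08-20T09:00:00+00:00,true,no_information,false,false,N/A,false,N/A
dave,arn:aws:iam::123456789012:user/dave,2017-05-01T09:00:00+00:00,true,no_information,false,false,N/A,false,N/A
"""


def parse_ts(value: str) -> Optional[datetime]:
    """ISO-8601 timestamps become datetimes; N/A, no_information and
    not_supported (all of which AWS emits) become None."""
    try:
        return datetime.fromisoformat(value)
    except ValueError:
        return None


def last_activity(row: dict) -> Optional[datetime]:
    """Most recent use of the password or either access key, or None if never used."""
    used = [ts for ts in (parse_ts(row["password_last_used"]),
                          parse_ts(row["access_key_1_last_used_date"]),
                          parse_ts(row["access_key_2_last_used_date"]))
            if ts is not None]
    return max(used) if used else None


def find_stale_users(report_csv: str, now: datetime = NOW,
                     stale_days: int = STALE_DAYS) -> List[Tuple[str, str]]:
    """Return (user, reason) for IAM users whose permissions should be reviewed/revoked."""
    cutoff = now - timedelta(days=stale_days)
    stale = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        if row["user"] == "<root_account>":   # root is handled separately, not revoked
            continue
        last = last_activity(row)
        if last is None:
            created = parse_ts(row["user_creation_time"])
            # Never used: flag only once the account is older than the window
            if created is not None and created < cutoff:
                stale.append((row["user"], "no recorded activity since creation"))
        elif last < cutoff:
            stale.append((row["user"], f"last activity {last.date()}"))
    return stale


def users_without_mfa(report_csv: str) -> List[str]:
    """Console (password-enabled) users who have not enrolled a second factor."""
    return [row["user"] for row in csv.DictReader(io.StringIO(report_csv))
            if row["password_enabled"] == "true" and row["mfa_active"] != "true"]


if __name__ == "__main__":
    for user, reason in find_stale_users(SAMPLE_REPORT):
        print(f"review/revoke {user}: {reason}")
    print("console users without MFA:", users_without_mfa(SAMPLE_REPORT))
```

A user with no recorded activity at all is treated differently from one with old activity: a freshly created account gets the full window before it is flagged, so onboarding does not produce false positives, while a long-idle account that was never used is exactly the stale credential the item above says to remove.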

4) Back up and Secure Your Systems and Data but Don’t Over Retain:

Ransomware, or viruses used by hackers to encrypt an organization’s computer files and detain them until a ransom is paid, has emerged as a serious and growing threat to businesses worldwide, according to the FBI (FBI CISO Report 2018). Whether data is stored in the cloud, on-premises, or in a hybrid data center, businesses should back up all files to hard drives stored in a safe place outside the reach of cyberthieves. These are some key data backup subpoints.

1. Limit access to sensitive data to only a few authorized employees.

2. Encrypt all your sensitive data – do not over-classify.

3. Back up your data periodically and store it in an offsite location.

4. Protect all devices with access to your data – third party vendor implications.

5. If you accept credit card transactions, secure each point of sale.

3) Create a Guidebook for Mobile Security:

While mobile devices allow for work anywhere, anytime, they create significant security challenges. The FCC suggests requiring users to password-protect their devices, encrypt data, and install security apps to prevent criminals from stealing information while the phone is on public networks (FCC, Feb 2018). Plus, set reporting procedures for lost or stolen mobile devices. Draft a BYOD policy that separates personal vs. corporate data and covers the below points.

1. Ensure your equipment has the latest security software and run anti-virus/malware scans regularly. If you don’t have good anti-virus software installed, buy and install it.

2. Install all software updates as soon as they are available, including all web browsers.

3. Have the latest operating systems on your devices with access to regular updates.

4. Make sure your internet connection is protected with firewall security.

5. Make sure your Wi-Fi network is encrypted, hidden, and password protected.

2) Use Encrypted Websites for E-commerce Via Strong Third-Party Risk Management Policies:

Only buy from encrypted websites by looking for https on every page. Don’t be lured in by super low prices or the like; it may be a drive-by download setup. Ensure that the owner of the website is reputable and is who they say they are. This gets at third-party and supply chain risk management, which should be based on an applicable security framework for your industry.

1) Avoid When Possible and Rigorously Evaluate Freeware:

There are a lot of free options for software, including anti-virus (AVG), graphic design (GIMP), and marketing and sales applications, some of which are quite reliable. However, many are not reliable and pose risk because they often come with malvertising, utility add-ons that slow things down, or direct malware. All of this complicates cyber risk and blurs sight lines into the infrastructure stack. Cyber security isn’t a good place to cut costs, so pay for a good antivirus and firewall tool-set. If you are going to use a robust free graphic design tool like GIMP, make sure it is documented, always updated, and run in a limited, isolated environment.

Bonus) Have a Sound Way To Prioritize Patching.

Establish a process to risk-rate vulnerabilities based on: ease of exploit and potential impact of the vulnerability (reference the CVSS scores published for each CVE), whether other working defenses are in place, and lastly by grouping the assets they may impact.
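Here is an added Python example, written for this edit and not taken from the original post, that turns the bonus item into a small scoring routine: the CVSS base score is scaled by the criticality of the asset group, raised when a public exploit exists, lowered when a compensating defense already blocks the path, and then mapped to a patch deadline. The weights, tiers, deadlines, placeholder vulnerability ids and sample findings are all assumptions chosen for illustration.

```python
"""Added example (not from the original post): a small risk-rating routine for
prioritizing patches. Weights, asset tiers, deadlines and the sample findings
are assumptions chosen for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed multipliers by asset group: how much damage a compromise there does.
ASSET_CRITICALITY: Dict[str, float] = {
    "internet-facing": 3.0,
    "internal-server": 2.0,
    "workstation": 1.0,
}


@dataclass
class Finding:
    vuln_id: str          # placeholder id; use the real CVE id in practice
    cvss: float           # CVSS base score, 0.0-10.0 (impact plus ease of exploit)
    exploit_public: bool  # a working public exploit exists
    compensating: bool    # a working defense already blocks the attack path
    asset_group: str      # grouping of the assets the finding affects


def risk_score(f: Finding) -> float:
    """Base score scaled by asset criticality, raised for public exploits,
    halved when a compensating control is already in place."""
    score = f.cvss * ASSET_CRITICALITY.get(f.asset_group, 1.0)
    if f.exploit_public:
        score *= 1.5
    if f.compensating:
        score *= 0.5
    return round(score, 1)


def patch_deadline_days(score: float) -> int:
    """Assumed SLA tiers: the higher the score, the sooner the patch is due."""
    if score >= 30:
        return 7
    if score >= 15:
        return 30
    return 90


def prioritize(findings: List[Finding]) -> List[Tuple[str, float, int]]:
    """Return (id, score, deadline_days) sorted with the most urgent first."""
    rated = []
    for f in findings:
        score = risk_score(f)
        rated.append((f.vuln_id, score, patch_deadline_days(score)))
    return sorted(rated, key=lambda r: r[1], reverse=True)


# Constructed sample findings, not real scan output.
SAMPLE_FINDINGS = [
    Finding("EXAMPLE-001", 9.8, True, False, "internet-facing"),
    Finding("EXAMPLE-002", 9.8, True, True, "internal-server"),
    Finding("EXAMPLE-003", 7.5, False, False, "workstation"),
    Finding("EXAMPLE-004", 5.3, False, False, "internet-facing"),
]

if __name__ == "__main__":
    for vuln_id, score, days in prioritize(SAMPLE_FINDINGS):
        print(f"{vuln_id}: score {score:>5}  patch within {days} days")
```

Note how two findings with the same CVSS score land in different tiers: the one on an internet-facing asset with no other defense is due in a week, while the one behind a compensating control on an internal server can wait, which is the point of rating by context rather than by raw score alone.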

Reach out to me here for questions.

Two Equifax Leaders Charged with Insider Trading Amid Data Breach Mess

A former software developer for Equifax, Sudhakar Reddy Bonthu, faces insider trading charges related to the company’s massive data breach last year, according to the SEC and federal prosecutors. Allegedly, in August 2017, Bonthu was asked to participate in Project Sparta, which Bonthu’s bosses described as a major project for one of the company’s clients who had suffered a major breach that exposed details of over 100 million users.

Unknown to Bonthu at the time, that client was Equifax itself, which a month prior discovered that it was hacked and an intruder stole details for over 145.5 million US and international users. Bonthu was tasked with creating “an online user interface into which users could input information to determine whether they had been impacted by the breach.” According to court documents, he was told that “the project was a high priority for the unnamed company and had a short deadline because the client intended to ‘go live’ on September 6, 2017, with the breach remediation applications designed by Equifax.”

To create the website, which later turned out to be equifaxsecurity2017.com, Bonthu was given test data and was included in mailing lists exchanging information about the still-secret breach. SEC investigators say that Bonthu concluded on his own that the secret client in Project Sparta was in fact Equifax itself.

In an attempt to cover his trail, he used his wife’s trading account, from which he purchased eighty-six out-of-the-money put option contracts for shares of Equifax common stock with an expiration date of September 15, 2017, and a strike price of $130 per share. Bonthu made this purchase despite the fact that Equifax’s policies expressly prohibit any trading in derivative securities, including put and call options.

By purchasing out-of-the-money put options, Bonthu could make money only if the market price of Equifax stock were to drop below the put option strike price before the contract expired approximately two weeks later, on September 15. If the market price did not so drop, the put options would expire and his investment would be worthless.

On September 8, the price of Equifax common stock closed at $123.23, a drop of $19.49 (nearly 14%) per share from the prior day’s closing price of $142.72. […] As a result of the precipitous drop in Equifax’s share price, Bonthu turned his initial investment of $2,166.11 into $77,333.79 in only six days. In sum, Bonthu’s ill-gotten gains from his trading in Equifax options totaled $75,167.68, a return of more than 3,500% on his initial investment.


The SEC says Bonthu had never previously traded in Equifax options. Equifax fired Bonthu in March 2018 after he allegedly refused to cooperate on an internal investigation on charges that he violated the company’s insider trading policy. Bonthu has agreed today to a permanent injunction and to return ill-gotten gains plus interest. If the settlement is approved by a judge, this will terminate SEC civil charges.

The equifaxsecurity2017.com website, on which Bonthu worked, has been deemed one of the most poorly put together breach notification sites in recent years, with several issues affecting it.

He is the second Equifax employee charged with insider trading after Equifax’s breach last year. Earlier this March the SEC charged former CIO of Equifax U.S. Information Solutions Jun Ying. Equifax says it tipped off the Department of Justice and the SEC to Ying’s alleged insider trading.

Although Ying wasn’t directly told that Equifax had been breached, he was assigned to assist Equifax’s Global Consumer Solutions unit with what was billed as “a business opportunity for an unnamed client,” code-named Project Sparta, according to court documents. The project was designated as “urgent,” and everyone participating, including Ying and his team, were instructed to cancel their Friday evening plans and respond to all requests.

At 5:27 p.m. that day, Ying texted a co-worker that the breach they were working on “sounds bad” and noted: “We may be the one breached. . .. Starting to put 2 and 2 together,” according to the SEC complaint. Later that evening, Ying learned that Equifax’s CSO, chief legal officer and vice president of cybersecurity had all canceled their travel plans, it adds.

The following Monday, around 10 a.m., “Ying used a search engine to find information on the internet concerning the September 2015 cybersecurity breach of Experian, another one of the three major credit bureaus, and the impact that breach had on Experian’s stock price,” according to the complaint. “The search terms used by Ying were: (1) ‘Experian breach’; (2) ‘Experian stock price 9/15/2015’; and (3) ‘Experian breach 2015.’”

“This defendant took advantage of his position as Equifax’s USIS chief information officer and allegedly sold over $950,000 worth of stock to profit before the company announced a data breach that impacted over 145 million Americans,” says U.S. Attorney Byung J. “BJay” Pak. “Our office takes the abuse of trust inherent in insider trading very seriously and will prosecute those who seek to profit in this manner. By selling when he did, Ying avoided losses in excess of $117,000.”

Earlier this month, Equifax revised its estimate of the breach’s impact to 147.9 million U.S. consumers. About 15 million U.K. consumers – of which about 860,000 are at risk of identity theft – and 8,000 Canadian consumers also saw their personal information get breached (see Equifax Breach Victims: UK Count Goes Up).

I identified Equifax’s control gaps and conflict of interest in a post shortly after the breach in 2017. I suspected then as I do now that more people will be charged related to conflict of interest with LifeLock identity theft protection.

Information sourced from Tara Siegel Bernard for the New York Times, Allison Prang for the Wall Street Journal, and the associated press. Curated and edited by Jeremy Swenson of Abstract Forward Consulting.

Key Updates to the NIST Cyber Security Framework

The first version of the NIST Cybersecurity Framework came about in Feb. 2014. In May 2017 President Donald Trump issued an executive order directing all federal agencies to use the framework to manage cyber risk, including future versions. Conversely, the private sector mostly uses it as a non-uniform guide (sometimes in part) when needed, alongside other more industry-specific frameworks. On 04/17/18 NIST released the updated version of this standard-setting framework. We attended the NIST-hosted webcast reviewing this on 04/27/18 and my key points are:

Framework 7 Step Process:

1) Prioritize and Scope: Implementation tiers may be used to express varying risk tolerances.
2) Orient
3) Create a Current Profile
4) Conduct a Risk Assessment
5) Create a Target Profile: When used in conjunction with an Implementation Tier, characteristics of the Tier level should be reflected in the desired cybersecurity outcomes.
6) Determine, Analyze, and Prioritize Gaps
7) Implementation Action Plan

These recent changes to the framework are based on feedback collected through public calls for comments, questions received by team members, and workshops held from 2016 to 2017.

NIST Cyber Security Framework 3 Areas

The newest version (1.1) includes these updates:

1) Clarifies utility as a structure and language for organizing and expressing compliance with an organization’s own cyber security requirements.

2) Added a new section for self-assessing cybersecurity risk which explains how organizations can use the framework. It emphasizes the role of measurements in self-assessment and stresses the critical linkage of business results (cost and benefit) to cybersecurity risk management. Continued discussion of this linkage will occur under the Roadmap area “Measuring Cybersecurity”.

3) Added a new section for supply chain risk management which focuses on identifying, assessing, and mitigating acquired products and services that may contain malicious functionality, be counterfeit, or have critical vulnerabilities because of poor manufacturing practices.

4) Added new focus area for small business – what this means is yet to be seen.

“Engagement and collaboration will continue to be essential to the framework’s success,” said Matt Barrett of NIST. “The Cybersecurity Framework will need to evolve as threats, technologies and industries evolve. With this update, we’ve demonstrated that we have a good process in place for bringing stakeholders together to ensure the framework remains a great tool for managing cybersecurity risk,” he said.

PwC’s 2018 Global State of Information Security Survey (GSISS) indicated that respondents from healthcare payer and provider organizations, as well as oil and gas companies, said the NIST Cybersecurity Framework is the most commonly adopted set of information security standards in their respective industries.

In another case, the University of Chicago’s Biological Sciences Division (BSD) successfully implemented the Cybersecurity Framework to help them comply with HIPAA and other federal data security rules.

If you want to know how to customize this to your organization please contact us.

5 Things Equifax Could Have Improved to Prevent Their Data Breach

Minneapolis, MN – 11/22/17. The recent Equifax data breach impacted one-third of the U.S. population, with more than 143.5 million records exposed.  This epic hack started on 05/13/2017 and lasted until 07/29/2017, all the while the company was clueless.  As a result, the threat actors trolled around Equifax’s network, staging and exfiltrating data undetected for 2.5 months.  It is one of the biggest data breaches in U.S. history but clearly not the biggest.  Going forward, breaches are likely to be bigger, given the threat actors’ risk vs. reward tradeoff and the increasing capabilities of cloud computing and botnets, which enable anonymity.

Yet this breach may be one of the most negatively impactful because of the comprehensive sensitive data lost in it, including social security numbers, full names, addresses, birth dates, and even driver’s licenses and credit card numbers for some.  “This information is the kind that several businesses like financial companies, insurance companies, and other security-sensitive businesses use to identify a customer accessing their accounts from online, by phone, or even in person” (Pelisson, Anaele; & Villas-Boas, Antonio, 09/08/17).

Therefore, this breach lends itself perfectly to future identity theft.  To date, hundreds of fraudulent loan applications, credit card charges, student loans, and insurance claims have been documented and it’s not likely to stop anytime soon.  All of this has inspired negligence lawsuits and regulatory reviews across most states.  If there is one thing you would expect from a credit monitoring company claiming to protect the accuracy of your data, it is that they would at least have above average information security standards.  Yet they clearly did not.  Below are the things that went wrong at Equifax to enable and exacerbate the breach:

1) Equifax’s first problem was that they failed to take a recent critical update notice seriously:
NIST (the National Institute of Standards and Technology) via CERT (the Computer Emergency Readiness Team) issued an update alert for the Apache Struts platform on 03/08/17, CVE (Common Vulnerabilities and Exposures) 5638 (Fig 2), which Equifax ignored or gave low priority.  Apache Struts is a free, open-source MVC (model view controller) framework for creating Java web applications.  At Equifax, the Apache Struts platform was used for multiple applications, and thus the risk associated with failing to patch the vulnerability was very large and complex.

Fig 2. Apache Struts.
The Apache Struts vulnerability allowed remote code execution via a command string injected in an HTTP header.  Both versions of this vulnerability were listed as highly severe by the CVE alert.  There is no way Equifax did not know this to a considerable degree.  Lesson learned: solidify your security baseline, and update and patch based on likely impact and ease of execution.

2) Equifax had a history of poor security culture back to 2014 and failed to make key improvements:
“In April 2017, cyber-risk analysis firm Cyence rated the probability of a security breach at Equifax at 50 percent in the next 12 months.  Credit analytics firm FICO gave Equifax low marks on data protection — an enterprise security score around 550 on a scale of 300 to 850.  In 2014, Equifax “left private encryption keys on its server,” potentially allowing hackers to decrypt sensitive data, according to a recent breach related lawsuit.” (Harney, Kenneth; 11/21/2017).  Thus, Equifax had poor security long before the recent breach, and they had been warned.

a) Creating a culture of security where rank and title do not suppress valid evidence and reason, and outside vendors are vetted and listened to in a timely order concerning security risks would improve their security posture.  Yet this requires cross-departmental collaboration, openness, and it requires firing those insulating themselves in fiefdoms of “yes sayers”.

3) Executives had more concern for short-term profit than long-term security:
On 08/01/17 and 08/02/17 three top executives from Equifax sold nearly $2 million worth of company stock at a high price but maintain that they had no knowledge of the breach that was discovered by the company on 07/29/17. Allegedly these trades were placed before August 2017. Although these may be innocent, well-earned stock trades, the totality of the circumstances warrants further validation even though Equifax’s attorneys reviewed the trades at the time. Trades like these should not just be reviewed by the legal department but also by the P.R. department when a disaster is near, likely, or present. Most importantly, long-term security should be on the mind of executives, not short-term profits – which points to a huge culture issue.

4) They have business products that create conflicts of interest that incent data breaches and identity theft:
This is because Equifax sells credit monitoring services at about $17 per month per customer.  They also partner to sell identity theft monitoring via LifeLock.  LifeLock has a direct copy of most of Equifax’s data so they can accurately monitor for fraud indicators.  LifeLock costs about $30 per month per customer, and a part of that profit is shared with Equifax via a prearranged deal inked in 2015.  Sen. Elizabeth Warren described it in the video below.

5) Equifax used stunningly simple PIN numbers that were composed of date and time:

This was corroborated by Wes Moehlenbruck, MS, CISSP, CEH, CHFI, a California-based senior cybersecurity engineer with a master of science degree in cybersecurity.  He stated, “The PINs used to lock and unlock credit files were simply based on the time and date – nothing more complicated than that.  Absolutely yes, this is a rookie mistake” (Hembree, Diana, 11/15/17).  Obviously, in using such a simplistic approach in PIN generation, a user’s PIN could easily be guessed or brute-forced by testing every possible combination using a computer program.  PINs should be more complex, completely confidential, and there should be a policy mandating that they change often (every six months for example).

If you want to talk more about these and related concepts applied to my consulting and speaking, please contact me here.

Lessons Learned From the Sony Hack

This article reviews the 2014 Sony hack from a strengths and weaknesses standpoint based on select parts of the SysAdmin, Audit, Network and Security (SANS) and National Institute of Standards and Technology (NIST) frameworks. Although an older hack, the lessons learned here are still relevant today.

Strengths – A Track Record of Innovation and Multilayered Information Security:
From early boom boxes in the 1980s to the first portable disc player in the early 1990s, to high-quality headphones, the first HD TVs, high-quality speakers, a gaming system revolution called the PlayStation, and now a massive on-line gaming network, Sony has been creative and innovative.  This has made them one of the most respected and profitable Japanese companies to date.  Yet this success bred overconfidence in other areas, including information security, but they still have the potential and the money to be a security leader.  The managerial layering of Sony’s information security team was a good start even if their head count was too low.  One source stated, “Three information security analysts are overseen by three managers, three directors, one executive director and one senior vice president” (Hill, 2014).  Although top-heavy, at least there was some oversight.

Failure 1 – Poor Culture and Lack of Leadership Support:
Sony’s leadership is on the record as not respecting the recommendations of either internal or external auditors.  A quote from an I.T. risk consultancy summarized it this way: “The Executive Director of Information Security talked auditors out of reporting failures related to Access Controls which would have resulted in Sony being SOX (Sarbanes-Oxley) non-compliant in 2005” (Risk3sixty LLC, 2014).  Things like this trickle down the layers of management and become a part of the company culture.  Specifically, low-level whistle blowers were silenced even though their I.T. risk arguments were solid.  “Sony’s own employees complained that the network security was a joke” (Risk3sixty LLC, 2014).  When this happened, Sony’s leaders failed to execute their fiduciary duty to the board, shareholders, and customers.  They did this so they did not look bad in the short term, yet it cost the company more in the long term.

Failure 2 – Not Understanding Their Baseline:
The baseline is the measure that tells you when you have the right amount of security and security process relative to your business objectives and risk tolerance.  Being below the baseline means risk is too high and an attack or breach is likely.  Because objectives and threats change, the baseline changes often and needs to be closely monitored.  For example, when you are producing a very politically controversial movie about an unruly world leader who has a history of making war threats against his political opponents, you should raise your baseline to be on guard against hacktivists.  Sony overly focused on its cash-generating core competencies, and security was at most an afterthought.  According to one source, Sony Pictures had just 11 people assigned to a top-heavy information security team out of 7,000 total employees (Hill, 2014).  For a technology company that is far too few people working in security.  It is not enough to collect and intelligently review logs, patch software, pen test, red team, and be available for the one or more war-room type projects that are bound to come up – all things prudent security would require.

Understanding your I.T. risk baseline requires testing and measurement, and this has to be based on some framework: SANS, NIST, or one of the others.  One former employee described Sony’s failure to comply with any framework as follows: “The real problem lies in the fact that there was no real investment in or real understanding of what information security is.  One issue made evident by the leak is that sensitive files on the Sony Pictures network were not encrypted internally or password-protected” (Hill, 2014).  Had they conformed to the SANS or NIST framework they would have been required to encrypt the data – see the conclusion.

Failure 3 – Weak Password Policies:
Sony’s password policy was embarrassingly weak.  In fact, it was so weak you might think they were deliberately trying to help hackers.  “Employees kept plaintext passwords in Microsoft Word documents” (Franceschi-Bicchierai, 2014).  Even very small companies in the 1990s had policies against that.  Moreover, one source confirmed that the Word files were named with “password” in the file name (Risk3sixty LLC, 2014).  Once in the network, all a hacker has to do is search for a file with “password” in the name and they have it.
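The defensive counterpart to this failure is to go looking for such files yourself before anyone else does.  Below is an added example (my own illustration, not code from the original post or from any of the cited sources) of a small audit script that walks a file share, flags files whose names advertise credentials, and flags text files containing a line shaped like `password = ...`.  The directory layout, file names and contents it scans are constructed for the example; the regular expressions and the 1 MB size cap are assumptions you would tune for your own share.

```python
"""Audit a file share for plaintext credential stores.

Added example, not code from the original post. It flags files whose name
contains a credential-related word and text files whose contents hold a line
shaped like "password = ..." or "pwd: ...". The sample share and its contents
are constructed here; no real share or real secrets are involved.
"""
import os
import re
import tempfile

# File names that advertise their contents ("Passwords.txt", "creds.csv")
NAME_PATTERN = re.compile(r"password|passwd|credential|creds", re.IGNORECASE)
# A secret being assigned on a line: "password = S3cret!", "admin pwd: ChangeMe123"
CONTENT_PATTERN = re.compile(r"\b(password|passwd|pwd|pass)\s*[:=]\s*\S+", re.IGNORECASE)
MAX_SCAN_BYTES = 1_000_000  # assumed cap: skip very large files for the content check


def audit_tree(root):
    """Walk `root` and return a sorted list of (relative path, reasons).

    reasons is a list drawn from "name" (suspicious file name) and
    "content" (a credential-shaped line found in the file's text).
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            reasons = []
            if NAME_PATTERN.search(name):
                reasons.append("name")
            try:
                if os.path.getsize(path) <= MAX_SCAN_BYTES:
                    with open(path, encoding="utf-8") as fh:
                        if CONTENT_PATTERN.search(fh.read()):
                            reasons.append("content")
            except (UnicodeDecodeError, OSError):
                pass  # binary or unreadable file: the name check still applies
            if reasons:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                findings.append((rel, reasons))
    return sorted(findings)


# Constructed sample share: paths and contents are made up for this example
SAMPLE_FILES = {
    "finance/Passwords.txt": "vpn: hunter2\npassword = S3cret!\n",
    "hr/benefits_memo.txt": "Open enrollment starts Monday.\n",
    "it/server_notes.txt": "backup host 10.0.0.5\nadmin pwd: ChangeMe123\n",
    "policy/creds_rotation_policy.txt": "Passwords must be rotated every 90 days.\n",
    "legal/logo.png": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",
}


def build_sample_share():
    """Write SAMPLE_FILES into a fresh temporary directory and return its path."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        mode = "wb" if isinstance(content, bytes) else "w"
        with open(path, mode) as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for rel, reasons in audit_tree(build_sample_share()):
        print(f"{rel}: {', '.join(reasons)}")
```

Note that the policy document is flagged on its name alone while the server notes are flagged on content alone; a real audit should review both kinds of hit, because the second kind is exactly what a file-name search misses.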

Failure 4 – Late Detecting the Hack and Data Exfiltration:
Right away the intruders easily walked into Sony’s internal network and began stealing unencrypted sensitive data with apparently no log alarms going off.  Sony had not followed data classification, retention, or governance plans – not even checkbox compliance.  If it had, it would not have had all types of data mixed together.  One reporter described it this way: “Intruders got access to movie budgets, salary information, Social Security numbers, health care files, unreleased films, and more” (Hill, 2014).  Thus, their network segmentation must have been weak or non-existent.  Health care data should not sit near unreleased film files, as they are totally different, and there is no business justification for this.  Segmenting and encrypting the data would have greatly reduced and delayed any data theft.
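Two of the controls this failure calls for, segmentation and watching for large outbound transfers, can both be checked from ordinary connection logs.  The following is an added example of my own (not code from the original post or from Sony) that reads constructed flow records, maps each address to an assumed data-class segment, raises an alert for any cross-segment flow without a listed business justification, and totals bytes sent from each internal host to the Internet against an assumed 500 MiB threshold.  The log format, the 10.x subnet plan, the allowed-flow table and the threshold are all assumptions for the example.

```python
"""Detect exfiltration volume and segmentation violations in connection logs.

Added example, not code from the original post. The log format, the subnet
plan and the thresholds are assumptions constructed for this example.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed address plan: which internal subnet holds which class of data
SEGMENTS = {
    "hr_health": ipaddress.ip_network("10.10.0.0/16"),
    "film_assets": ipaddress.ip_network("10.20.0.0/16"),
    "corp_users": ipaddress.ip_network("10.30.0.0/16"),
}
# Cross-segment flows that have a business justification (src segment -> dst segments)
ALLOWED_FLOWS = {"corp_users": {"film_assets"}}
# Anything outside these ranges is treated as the public Internet
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Outbound bytes per source host above which we alert (assumed: 500 MiB)
EXFIL_THRESHOLD_BYTES = 500 * 1024 * 1024

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) bytes_out=(?P<bytes>\d+)$")

# Constructed sample log (a few flows on one night; addresses are documentation ranges)
SAMPLE_LOG = """\
2014-11-21T02:14:07Z src=10.20.5.17 dst=203.0.113.9 bytes_out=734003200
2014-11-21T02:15:11Z src=10.30.1.4 dst=10.20.8.2 bytes_out=1048576
2014-11-21T02:16:40Z src=10.10.2.9 dst=10.20.8.2 bytes_out=52428800
2014-11-21T02:18:03Z src=10.30.1.4 dst=198.51.100.23 bytes_out=2048
2014-11-21T02:19:30Z src=10.20.5.17 dst=203.0.113.9 bytes_out=104857600
"""


def segment_of(ip_str):
    """Name the segment an address belongs to: a SEGMENTS key, 'unmapped' or 'external'."""
    ip = ipaddress.ip_address(ip_str)
    if not any(ip in net for net in INTERNAL_RANGES):
        return "external"
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "unmapped"


def parse_line(line):
    """Turn one log line into a dict; reject anything that does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return {"ts": m["ts"], "src": m["src"], "dst": m["dst"], "bytes_out": int(m["bytes"])}


def analyze(lines):
    """Return alerts: ('segmentation', src, dst) or ('exfil_volume', src, total_bytes)."""
    alerts = []
    external_bytes = defaultdict(int)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        src_seg, dst_seg = segment_of(rec["src"]), segment_of(rec["dst"])
        if dst_seg == "external":
            external_bytes[rec["src"]] += rec["bytes_out"]   # aggregate per host, not per flow
        elif src_seg != "external" and src_seg != dst_seg \
                and dst_seg not in ALLOWED_FLOWS.get(src_seg, set()):
            alerts.append(("segmentation", rec["src"], rec["dst"]))
    for src, total in external_bytes.items():
        if total > EXFIL_THRESHOLD_BYTES:
            alerts.append(("exfil_volume", src, total))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The volume check sums per source host rather than alerting per flow, so a theft split into many medium-sized transfers still trips the threshold; the segmentation check is what would have caught a host in the health-records subnet reaching into the film-assets subnet, which is the mixing the article describes.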

Conclusion:
[Figure: SANS top 3 controls for Sony]
[Figure: NIST Cybersecurity Framework applied to Sony]

References:
Baker, L., & Finkle, J.  “Sony PlayStation suffers massive data breach”.  Reuters.  Published 04/26/11.  Viewed 10/26/16.  http://www.reuters.com/article/2011/04/26/us-sonystoldendata-idUSTRE73P6WB20110426

Franceschi-Bicchierai, Lorenzo.  “Don’t believe the hype: Sony hack not ‘unprecedented,’ experts say.”  Mashable.  Published 12/08/14.  Viewed 10/20/16.  http://mashable.com/2014/12/08/sony-hack-unprecedented-undetectable/#359BD06aEkq6

Greene, Tim.  “SANS: 20 critical security controls you need to add.”  Network World.  Published 10/13/15.  Viewed 10/23/16.  http://www.networkworld.com/article/2992503/security/sans-20-critical-security-controls-you-need-to-add.html

Hill, Kashmir.  “Sony Pictures hack was a long time coming, say former employees”.  Published 12/04/14.  Viewed 10/20/16.  http://fusion.net/story/31469/sony-pictures-hack-was-a-long-time-coming-say-former-employees/

NIST.  “Framework for Improving Critical Infrastructure Cyber Security”.  Published 01/01/2016.  Viewed 10/23/16.  https://www.nist.gov/sites/default/files/documents/cyberframework/Cybersecurity-Framework-for-FCSM-Jan-2016.pdf

Risk3sixty LLC.  “The Sony Hack – Security Failures and Solutions.”  Published 12/19/14.  Viewed 10/20/16.  http://www.risk3sixty.com/2014/12/19/the-sony-hack-security-failures-and-solutions/

Sanchez, Gabriel.  “Case Study: Critical Controls that Sony Should Have Implemented”.  SANS Institute Information security Reading Room.  Published 06/01/2015.  Viewed 10/20/16.  https://www.sans.org/reading-room/whitepapers/casestudies/case-study-critical-controls-sony-implemented-36022

Demystifying 9 Common Types of Cyber Risk

1) Crimeware
Crimeware is designed to obtain financial gain fraudulently from the affected user or from third parties, by emptying bank accounts, trading confidential data, and so on. It most often starts with advanced social engineering that elicits information leading to the crimeware being installed, often via botnets, which are zombie computers in distant places used to hide the fraudster’s IP (Internet Protocol) trail. Usually the victim does not know they have crimeware on their computer until they start to see strange bank charges or the like, or an I.T. professional points it out to them. Oftentimes it masquerades as fake but real-looking antivirus software demanding your credit card information in an effort to then commit fraud with that information.

2) Cyber-Espionage
The term generally refers to the deployment of viruses that clandestinely observe or destroy data in the computer systems of government agencies and large enterprises – unauthorized spying by computer, tablet, or phone. Antivirus maker Symantec described one noteworthy example in which the U.S. Gov’t made a worm to disable Iran’s nuclear reactors, arguably in the name of international security (Fig. 1).

“Stuxnet is a computer worm that targets industrial control systems that are used to monitor and control large scale industrial facilities like power plants, dams, waste processing systems and similar operations. It allows the attackers to take control of these systems without the operators knowing. This is the first attack we’ve seen that allows hackers to manipulate real-world equipment, which makes it very dangerous. It’s like nothing we’ve seen before – both in what it does, and how it came to exist. It is the first computer virus to be able to wreak havoc in the physical world. It is sophisticated, well-funded, and there are not many groups that could pull this kind of threat off. It is also the first cyberattack we’ve seen specifically targeting industrial control systems” (Accessed 03/20/16, Norton Stuxnet Review).

Richard Clarke is the former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States; he commented on Stuxnet and cyber war generally in this Economist interview from 2013.

Fig. 1.

3) Denial of Service (DoS) Attacks
A DoS attack attempts to deny legitimate users access to a particular resource by exploiting bugs in a specific operating system or vulnerabilities in the TCP/IP implementation (the Internet protocols), often via a botnet of zombie computers in remote areas (Fig. 2). This allows one host (usually a server or router) to send a flood of network traffic to another host (Fig. 3). By flooding the network connection, the target machine is unable to process legitimate requests for data. Thus the targeted computers may crash or disconnect from the Internet through resource exhaustion – consuming all bandwidth or disk space, etc. (Fig. 3). In some cases they are not very harmful, because once you restart the crashed computer everything is on track again; in other cases they can be disasters, especially when you run a corporate network or ISP (Internet service provider).
Fig. 2. and Fig. 3. (Botnet and TCP image)
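Since a flood works by exhausting a resource, the most basic defence is to cap how much of that resource any one source may consume.  Below is an added example of my own (not code from the original post) of a per-source token-bucket limiter, plus a replay helper that runs it over constructed traffic: one source fires 50 requests in the same instant while another sends one request per second.  The burst size of 10 and refill rate of 2 per second are assumptions; real deployments put this kind of limit at the edge (load balancer, firewall, or web server) rather than in application code, but the logic is the same.

```python
"""Per-source token-bucket rate limiting, the simplest defence against floods.

Added example, not code from the original post. The limits (burst of 10,
refill of 2 per second) and the traffic below are constructed assumptions.
"""
import time
from collections import defaultdict


class SourceRateLimiter:
    """Each source gets a bucket of `burst` tokens refilled at `rate_per_sec`."""

    def __init__(self, burst=10, rate_per_sec=2.0, clock=time.monotonic):
        self.burst = burst
        self.rate = rate_per_sec
        self._clock = clock          # injectable so behaviour can be replayed deterministically
        self._buckets = {}           # source -> (tokens, time of last refill)
        self.dropped = defaultdict(int)

    def allow(self, source):
        """Return True if `source` may proceed now, otherwise count and refuse it."""
        now = self._clock()
        tokens, last = self._buckets.get(source, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens >= 1.0:
            self._buckets[source] = (tokens - 1.0, now)
            return True
        self._buckets[source] = (tokens, now)
        self.dropped[source] += 1
        return False


def replay(events, **limits):
    """Replay (seconds, source) events through a limiter; return {source: (allowed, dropped)}."""
    clock_now = [0.0]
    limiter = SourceRateLimiter(clock=lambda: clock_now[0], **limits)
    allowed = defaultdict(int)
    for ts, src in sorted(events):
        clock_now[0] = float(ts)
        if limiter.allow(src):
            allowed[src] += 1
    return {s: (allowed[s], limiter.dropped[s]) for s in set(allowed) | set(limiter.dropped)}


# Constructed traffic: a flooding source and a well-behaved one (documentation addresses)
SAMPLE_EVENTS = [(0.0, "198.51.100.7")] * 50 + [(float(i), "192.0.2.10") for i in range(5)]


if __name__ == "__main__":
    for source, (ok, dropped) in sorted(replay(SAMPLE_EVENTS).items()):
        print(f"{source}: allowed={ok} dropped={dropped}")
```

The flooding source gets its burst and nothing more, while the slow source is never refused; that isolation per source is what keeps one abusive client from exhausting capacity for everyone.  A distributed flood defeats per-source limits by spreading across many sources, which is why the botnet in the figures matters and why upstream scrubbing or provider-level filtering is the next layer.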
4) Insider and Privilege Misuse
Server administrators, network engineers, outsourced cloud workers, developers, I.T. security workers, and database administrators are given privileges to access many or all aspects of a company’s IT infrastructure. Companies need these privileged users because they understand source code, technical architecture, file systems and other assets that allow them to upgrade and maintain the systems; yet this presents a potential security risk.

With the ability to easily get around the controls that restrict non-privileged users, they sometimes abuse what should be temporary access privileges granted to perform specific tasks. This can put customer data, corporate trade secrets, and unreleased product information at risk. Savvy companies implement multi-layered approvals, advanced usage monitoring, two- or three-step authentication, and a strict need-to-know policy with an intelligible oversight process.
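The controls named in that last sentence fit together naturally as a just-in-time access broker: privilege is requested for a stated reason, must be approved by more than one person other than the requester, expires on its own, and every decision lands in an audit log for the oversight process to review.  Here is an added example of my own (not code from the original post) implementing that policy; the numbers (two approvers, a four-hour cap) and the role and resource names are assumptions, and the clock is injectable so the expiry rule can be exercised without waiting.

```python
"""Time-bound privileged access with dual approval and an audit trail.

Added example, not code from the original post. The policy numbers (two
approvers, four-hour cap) and the user/resource names are assumptions.
"""
import itertools
import time
from dataclasses import dataclass, field
from typing import Optional


class AccessPolicyError(Exception):
    """Raised when a request or approval violates the access policy."""


@dataclass
class AccessGrant:
    requester: str
    resource: str
    reason: str
    ttl_seconds: int
    approvers: set = field(default_factory=set)
    granted_at: Optional[float] = None   # set only once enough approvals exist
    revoked: bool = False


class JitAccessBroker:
    REQUIRED_APPROVALS = 2        # multi-layered approval
    MAX_TTL_SECONDS = 4 * 3600    # privileges are temporary by construction

    def __init__(self, clock=time.time):
        self._clock = clock       # injectable so the policy can be tested deterministically
        self._ids = itertools.count(1)
        self._grants = {}
        self.audit_log = []       # (time, event, grant id, actor) for oversight review

    def _record(self, event, grant_id, actor):
        self.audit_log.append((self._clock(), event, grant_id, actor))

    def request(self, requester, resource, reason, ttl_seconds):
        """Open a request; need-to-know means a reason is mandatory and duration is capped."""
        if not reason.strip():
            raise AccessPolicyError("a business reason is required (need to know)")
        if ttl_seconds > self.MAX_TTL_SECONDS:
            raise AccessPolicyError("requested duration exceeds policy maximum")
        grant_id = next(self._ids)
        self._grants[grant_id] = AccessGrant(requester, resource, reason, ttl_seconds)
        self._record("requested", grant_id, requester)
        return grant_id

    def approve(self, grant_id, approver):
        """Count one approval; self-approval and duplicate approvers are rejected."""
        grant = self._grants[grant_id]
        if approver == grant.requester:
            raise AccessPolicyError("requesters cannot approve their own access")
        if approver in grant.approvers:
            raise AccessPolicyError("the same approver cannot count twice")
        grant.approvers.add(approver)
        self._record("approved", grant_id, approver)
        if len(grant.approvers) >= self.REQUIRED_APPROVALS and grant.granted_at is None:
            grant.granted_at = self._clock()
            self._record("granted", grant_id, "broker")

    def revoke(self, grant_id, actor):
        """Cut access early, for example when monitoring flags unusual use."""
        self._grants[grant_id].revoked = True
        self._record("revoked", grant_id, actor)

    def is_authorized(self, user, resource):
        """True only for a fully approved, unexpired, unrevoked grant on this resource."""
        now = self._clock()
        for g in self._grants.values():
            if (g.requester == user and g.resource == resource and g.granted_at is not None
                    and not g.revoked and now < g.granted_at + g.ttl_seconds):
                return True
        return False
```

The point of the design is that standing privilege never exists: the systems that enforce access ask `is_authorized` at the moment of use, so a grant that was never completed, has lapsed, or was revoked after monitoring raised a flag simply fails the check, and the audit log shows who asked for what, why, and who let it through.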

5) Miscellaneous Errors
This is basically an employee or customer doing something stupid and unintentional that results in a partial or full security breach of an information asset. It does not include lost devices, as those are grouped with theft – this is a smaller category. The 2014 Verizon Enterprise Data Breach Investigation Report gives an example of this category as follows:

“Misdelivery (sending paper documents or emails to the wrong recipient) is the most frequently seen error resulting in data disclosure. One of the more common examples is a mass mailing where the documents and envelopes are out of sync (off-by-one) and sensitive documents are sent to the wrong recipient” (Accessed 02/21/16, Page 29).

6) Payment Card Skimmers
This is a method where thieves steal your credit card information at the card terminal, often at bars, restaurants, and gas stations, sometimes at bank ATMs, and especially where there is low light, no cameras, or anything else to discourage the criminal from tampering with the terminal.

Corrupt employees can have a skimmer stashed out of sight, or crooks can install hidden skimmers on a gas pump. Skimmers are small devices that can scan and save credit card data from the magnetic stripe (Fig. 4). After the card slides through the skimmer the data is saved, and the crooks usually then sell the information on the Internet or, if they really want to be secure, on the Darknet, a non-mainstream part of the Internet that requires a special browser or plug-in to access. After this, counterfeit cards are made, bogus charges show up, and the bank eats the costs, which unfortunately drives up the cost of banking for everyone else. Also, some skimmers have mini cameras which record the PINs typed at ATMs for a more aggressive type of fraud (Fig. 5).  Here are two images of skimmer technologies:

Fig. 4. and Fig. 5. (Card skimmer and camera)

7) Physical Theft and Loss
This includes armed robbery, theft by accident, and any type of device or data lost.  Although some of the stolen or lost items may never end up breached or used for fraud, sometimes they are, depending on what the device is, what data is on it, whether it was encrypted, and whether the data could be deleted remotely.

8) Point of Sale Intrusions
See my 2014 post on the Target Data Breach here for a good example.

9) Web App Attacks
These incidents were carried out primarily via manipulation of vulnerabilities in input validation and authentication affecting common content management systems like Joomla, Magento, SiteCore, WordPress, and Drupal.

According to the 2015 Verizon Data Breach Investigation Report these types of attacks are not only a reliable method for hackers but also fast, with 60% of the compromises taking a few minutes or less (Accessed 02/21/16). With web applications commonly serving as an organization’s public face to the Internet, the ease of exploiting web-based vulnerabilities is alarming (Accessed 02/21/16, 2015 Verizon Data Breach Investigation Report). According to The Open Web Application Security Project these are two common types of web app weaknesses (Accessed 02/21/16, 2013, OWASP 10 Most Critical Web Application Security Risks):

“i) Injection flaws, such as SQL, OS, and LDAP injection occur when untrusted data is sent to an interpreter as part of a command or query. The attacker’s hostile data can trick the interpreter into executing unintended commands or accessing data without proper authorization.

ii) XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation or escaping (Fig. 6.). XSS allows attackers to execute scripts in the victim’s browser which can hijack user sessions, deface web sites, or redirect the user to malicious sites access unauthorized pages”.

Fig. 6. (RXSS)
Jeremy Swenson, MBA is a seasoned, Intel-certified retail technology marketing and training representative on assignment at Best Buy for clients including Intel, Trend Micro, Adobe, and others. He also doubles as a Sr. business analyst and project management consultant. Tweet to him @jer_Swenson.

Four PMBOK Inspired Tips For Success On Complicated Projects

1) Stakeholder Management: Attain clear support from the executive stakeholders from the beginning of the project and schedule regular check-in meetings with them ahead of time, as they tend to be very busy and are often pulled in many directions.  Set the tone that their participation is needed and that they will need to approve change requests, which is not uncommon.  You should also use clever people skills and empathetic listening skills as you interview the many high-level stakeholders in the early part of the project, so as to defuse conflict, get consensus on disagreements about scope, business goals, and order, and find out who will be the thorn in your side, because the sooner you know that the better.  Also, accept that stakeholders will be different and may not even directly work for your company, which is fine, as those ones tend to offer specialized expertise and are often very creative.

2) Communications Management: It’s common to have one or two stakeholders who are difficult, protesting the project through their actions, or who are otherwise egotistical and/or just plain difficult to deal with.  As a project manager, project consultant, or business analyst, it is your responsibility to deal with these people and situations.  One way to do this is to understand the communication styles of all project stakeholders early on in the project and document this.  Strength Finders, DISC, and many other communication style tests can help with this, or you could consult a person who has a lot of international travel experience – they are often helpful in understanding group communication dynamics.  You should also know when to be direct, indirect, and/or silent in your communications.  Communication is mostly about listening and perception, and as project manager you are not the direct boss of the project team members, so your ability to drive tasks is heavily based on your communication and motivational skills – so ask all team members what you can do to clear their roads, either yourself or in partnership with other stakeholders.  This reduces surprise road blocks down the road and encourages silent people to speak up.

3) Quality Management: Having worked on many complex projects in highly regulated industries over the last 5 years, I have noticed a shift towards agile methodologies vs. waterfall.  From my perspective this is really about quality and timely flexibility.  Aligning the project tasks in small pieces allows you to test the results independently and faster, and if the results are bad that’s a good thing, because it’s just one piece of the project and you can learn from it – getting an early warning.  Yet to get better quality out of an error you need to have documented what went into the error from beginning to end, and you need intelligent consensus.  On SDLC projects there will be many small errors which then raise questions about other systems and how they relate to the business rules.  Yet with good process flows, screen shots, and JAD sessions with key people, you can ensure that these errors are nothing more than normal bumps in the road.  Every project has its bumps, but the real test is having above-average quality on budget and on time at the project’s end, thus creating a reusable plan others can learn from and be inspired by.

4) Risk Management: In this new era where almost everything is in the cloud and hackers are targeting large and mid-sized companies to steal and sell their data, every risk analysis document/plan should take into consideration data security, customer privacy, and access controls for the project team, and there should be an independent audit plan – often out of scope of the project and done by a different group for checks and balances.  Every project involves data, sometimes more and sometimes less.  Question number one is who should have access to the data and at what point?  In today’s environment you should embrace a need-to-know policy and document it to reduce risks.  You should also imagine a worst-case scenario, be prepared for it, and run it by the executive project sponsors and/or risk officer if your company has one.

Another common risk is project delay.  Have you analyzed how a one- or two-month delay would affect your critical path and logical task order?  For some projects it may not matter, and for others it may cost your project millions more.  It may harm another dept. or a related project, so in your project risk document you should list the longest delay your project could handle and the dependencies of that delay.  Delays on projects, especially SDLC projects, do happen and are not necessarily bad; they can be dealt with, but your project team needs to be ready for them, and the sooner they know the better.

If you want to hire me to speak at your next event or consult for your company on these and related topics concerning project risk, process improvement, project management, and related areas please contact me.

Former FDIC Chair Sheila Bair Comments On Bank Bailouts, Peer-To-Peer Lending, And Tax Reform

On Tues, 04/08/14, former FDIC Chairperson Sheila Bair visited Minneapolis and offered commentary on the financial services industry, peer-to-peer lending, systemic risk, and the recent recession.  Bair is educated as an attorney and was Assistant Secretary for Financial Institutions at the Treasury Dept. and a professor at the University of Massachusetts Amherst before she moved over to chair the FDIC from 2006 to 2011.  At the FDIC Bair helped the nation’s financial system out of an exacerbated recession and unprecedented bank run from 2007 to 2010, but not without ruffling a few feathers.

Addressing a sold-out crowd including former Congressman Tim Penny and other elected officials, business people, students, and ethically minded community members, Bair had the honor of being the keynote speaker at Saint Mary’s University of MN’s publicly broadcast Hendrickson Forum on Ethical Leadership.  Bair opened her keynote by describing how unimpressed she was that when she arrived at the FDIC in 2006 the organization had little to no information on sub-prime lending and had to buy a database to conduct research on it.  This was in part due to the fact that sub-prime lenders were private and not part of deposit institutions, and thus slightly out of scope for the FDIC at that time.  Bair did not inherit a perfect FDIC, and it can be inferred that the FDIC should have been paying attention to sub-prime lending far sooner, as it was directly related to many elements that affect deposit institutions including real estate, entrepreneurship, income and tax, and community redevelopment.


Bair, now free from the constraints of holding a Washington office, spoke openly about how she felt hindered from speaking to the human element of the financial crisis while at the FDIC.  She indicated that although she was part of the team that brokered the historic bank bailouts (2008-2009), she has some serious reservations about that, because it was “too generous and uneven” and “helped the banks far more than it helped homeowners and families”.  She also described regular disagreement with then Treasury Secretary Timothy Geithner and suggested he was too close to many of the bank executives who benefited from the bank bailouts.

She further described miscommunication and lack of collaboration as Geithner worked around her efforts at the FDIC, and the undertone of this was political disagreement over which agency should lead the recession resolution in terms of the banking industry.

At present, Bair supports the Dodd-Frank Act because it favors bankruptcy and a three-year claw back for executives over a bailout in the event of a bank failure.  Although Bair in the past has said she disagreed with Janet Yellen’s support to repeal the Glass-Steagall Act, she presently indicated she still supports the new Fed Chair and viewed her as a reliable Washington outsider.


When I directly questioned Bair on the growth of peer-to-peer lending she seemed cautious about its long-term viability, citing an unknown regulatory landscape, and even recounted that peer-to-peer lender Prosper lost many investors during the worst months of the recession.  In discussion with Bair I observed that she, like many banks, is in a wait-and-see mode with peer-to-peer lending, but she did indicate that for customers consolidating higher-interest-rate debt it can be a good thing, and that could in turn force banks to be more customer-centric with better terms.

Yet I am more optimistic on peer-to-peer lending than Bair, in partnership with many respected peer-to-peer investors including Google, which invested $125 million in Lending Club, and the former CEO of Citigroup, Vikram Pandit.  It is really telling when the former Citigroup CEO goes against his own industry in favor of a tech-heavy new lending model, but he is right, because most customers no longer need the big bank branches and elaborate services that are fee-heavy.  Moreover, peer-to-peer lenders offer attractive rates, diverse portfolio options, and low operational costs, and that keeps investors and borrowers happy.  Just like online news slaughtered traditional print media, as soon as peer-to-peer lending gets more regulatory backing it will slaughter traditional fee-heavy banks if they don’t adapt to this new environment.

When commenting on federal sequestration Bair showed frustration and disagreement over the automatic spending cut approach and instead suggested that tax rates be reduced and restructured in a number of areas to encourage more employment, keep businesses in the U.S., and encourage business innovation which would in turn provide more income and employment thus bringing in a greater amount of taxable income to offset her proposed tax reduction.  This truly can be a helpful aspect of the budget deficit issue in that taxes in the U.S. are far too high and there are some needless loopholes that harm many and help few.  The 2.3% Medical Device Tax is an example of this as it encourages the many medical device companies in MN to move their operations outside the U.S. due to the high tax cost, and it adds to their cost of doing business thus reducing their ability to get favorable loans.

Lastly, as an advocate for consumer protection and creative thinking I asked Bair if she had any insight on what the massive Target data breach might mean for the banking and related industries — where an estimated 10-15% of the 40 million affected cards have encountered some type of fraud — and she reminded me that the banks are taking the losses before the retailer does.  Although she offered no specifics other than suggesting that debit cards are more relevant, she shared my concern that data security is a growing factor in financial regulation yet I was then reminded that Bair is more of a politician and economist than a technologist.  Yet from an economic policy standpoint if the nation encounters more data breaches like this it could drive the cost of goods up thus forcing more costly and secure card payment products perhaps with biometrics on them.

Photos by Rick Busch.

Written by Jeremy Swenson (c)