
Mark Lanterman - The Risk Report October 2015


Reprinted with permission

THE RISK REPORT
PLAN TO PROTECT DIGITAL ASSETS
MARK LANTERMAN
October 2015

There is no such thing as perfect cybersecurity. No matter how many millions of dollars an organization spends on information security, some hacker, somewhere, at some time, will successfully break in. But this does not mean that individuals and organizations should just sit around and wait for the inevitable. There are steps that can be taken to minimize risk and thus potentially circumvent a data breach.

This article explains some of the methods hackers currently use, along with the best-practice preventive measures to circumvent such hacks. In addition, a case study illustrates both the risk and lessons learned, stressing the importance of education and developing a “culture of security.”

Prevention Is the Best Solution

While it may be the best solution, preventing breaches is not simple or easy. In many ways, organizations have to be prepared for something that has not yet happened—they have to forecast the future of cyber and privacy threats. Doing so often entails poring through mountains of data to find a needle in the haystack—a piece of malware or a threat that can compromise critical data. Sometimes, as is clearly evidenced by the recent breaches, these threats can get lost in the noise.

Furthermore, the best and worst thing about the tech industry is that it is fast paced. Product cycles move fast, but tech mainstays like software updates and patches move even faster. It takes dedicated personnel for organizations to keep up.

Add to this industry-specific software and hardware, which varies greatly, each with its own purpose and security considerations. This leads to a diverse palette of devices and software tools, and a consequent variety of new uses, but it is also targeted by hackers for the marketability of the data it collects and stores.

Nowadays, security is not just a locked shop door. Digital breaches are robberies that happen at any hour and without warning. In some cases, these robberies happen without any immediately apparent evidence. But do not despair! Being informed of these issues is the greatest defense an organization can have. If an organization’s network configuration and employee education program are lacking, exposure to serious risk and liability is heightened. The potential loss of valuable digital assets, especially client information, can result.
Conduct a Digital Security Assessment

The prevention and detection stages of security (those before a breach occurs) are typically informed by a digital security assessment, which goes beyond simply testing an organization’s network for vulnerabilities. Rather, an assessment allows for a more complete picture of an organization’s security posture—focusing on policy, controls, and procedures, as well as the effectiveness of their implementation.

Tech infrastructure is often a “set-it-and-forget-it” affair. Essentially, digital infrastructure is installed, configured, and then never touched again. To maintain a secure digital environment, it’s imperative to test, test, and test some more.

Consider the Human Element

When it comes to issues of information security, the human element is just as important as the technology itself—perhaps even more so. Hardware and software require regular human input to make sure they are keeping up with the latest updates, security patches, etc. Therefore, the human element of security is the single most important aspect of an organization’s security posture. It can only be achieved by fostering a culture of security, through education and implementation of a written digital use policy.

Also consider the psychology of a hacker when assessing the role of human vulnerabilities in determining the viability of an organization’s cybersecurity practices. The term “hacker” is interesting in its ability to conjure up a vague, though widely held, notion of the cybercriminal. The vision is fairly common: a scruffy, socially challenged individual, slouched in a swivel chair, speedily typing on a keyboard as indecipherable streams of digits race down the computer screen. Compared to other criminals, the hacker largely remains an unknown, impersonal entity, tied intrinsically to a modern era of technological advancement.
However, what is often forgotten is that, although hackers are primarily recognized for their abilities to manipulate technology, they can be equally adept at manipulating people. Security procedures rely heavily on human participation and interactions. The first step of a hacking scheme, the crucial point at which the probability of a data breach is determined, can (and often does) start at the human level. Unsuspecting personnel may encounter a hacker without even realizing it, giving them access to sensitive data simply by offering a Wi-Fi password or log-in credentials.

It is important to recognize that, similar to technology, individuals can be prone to trusting disreputable sources. A hacker is willing to take advantage of the breadth of an organization’s vulnerabilities; consequently, employees are just as vulnerable to attack as technological data sources.

On the flip side, employees can download malware without realizing it, such as through illegal downloads or torrents of movies and applications. These unsafe browsing habits can and often do lead to a malware infection. Don’t trust an e-mail scanning application or spam folder to stop the messages from getting to the inbox. A hacker’s job goes beyond exploiting strictly digital vulnerabilities; the successful ones look for human vulnerabilities.

Watch Out for Phishing Attacks

To assess and react to the danger humans pose to digital security, it is important to know what the bad guys are doing. While external hackers have a diverse arsenal of techniques—and even more diverse reasons for their activities—there are a few that are more pertinent, as they can affect any employee within an organization. Hackers are often referred to as “social engineers,” as they try to manipulate and trick their targets into giving them access.

One of the most prominent hacking examples is “phishing.” Phishing is the process by which cyberthieves lure unsuspecting victims to a malicious link that then executes malware. These malicious links are usually presented to a user through an e-mail message. The user unknowingly initiates the malware by accessing the malicious webserver.

Even more unsettling, though similar, is a “spear-phishing” attack. Unlike a phishing attack, spear-phishing is a directed attack. Cybercriminals gather information about a victim, which is then used to construct a fraudulent e-mail intended to trick the victim. Rather than being obviously nefarious, these e-mails are very realistic and tailored to the person hackers are trying to trick.

For example, in the banking industry, a hacker may use an e-mail message cloaked as a communication from, for example, the Federal Deposit Insurance Corporation (FDIC). Due to their nature, phishing attacks are not problematic unless the link to the malicious webserver within the message is clicked. To prevent this within an organization, personnel need to be trained to identify false links. Before clicking the link, “hover” over it to see the true URL or, even better, train employees to manually type the Web address they need to access into a Web browser.

Provide IT with the Tools It Needs

While a universal training program aimed at informing all employees of their role in the security posture is critical, it is also important to ensure that the information technology (IT) team is staying on top of current advancements in security and has the resources to minimize vulnerabilities. Often, IT people are more concerned with making sure technology is being implemented for productivity, not necessarily for security. Digital assets vary for every organization, making specific preventive measures hard to define.
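The “hover over the link to see the true URL” check from the phishing section above, done programmatically over an e-mail body so that a mail filter or a training exercise can apply the same test to every link at once. This is an added example, not code from the article: the sample message, its look-alike domain, and the allowlist of hosts the organization actually uses are all constructed assumptions.

```python
"""Programmatic version of the article's "hover over the link" check.

Added example, not from the article. Given an HTML e-mail body, it lists
every anchor, compares the host the reader *sees* (the link text) with the
host the link *really* points to (the href), and flags the two things a
phishing-aware reader looks for: link text that names one site while the
href goes to another, and destinations outside the sites the organization
actually uses (an allowlist supplied by the caller; an assumption here).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Link text that "looks like" a URL or bare host name, e.g. "www.fdic.gov/verify".
_URL_LIKE = re.compile(r"^(?:https?://)?[A-Za-z0-9.-]+\.[A-Za-z]{2,}(?:[/?#].*)?$")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from the anchors in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []     # finished (href, text) pairs
        self._href = None   # href of the anchor currently open, if any
        self._text = []     # text fragments seen inside that anchor

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse whitespace so wrapped link text compares cleanly.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url_or_text):
    """Lowercase host of a URL; a bare 'fdic.gov' is accepted too, 'www.' is dropped."""
    if "://" not in url_or_text:
        url_or_text = "http://" + url_or_text
    host = (urlsplit(url_or_text).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def hover_check(html_body, expected_hosts=()):
    """Return one (reason, link_text, href) tuple per suspicious link.

    'display-mismatch': the visible text names a host that differs from the
    real destination, i.e. exactly what hovering over the link would reveal.
    'unexpected-host': the destination is not in expected_hosts (only
    checked when the caller supplies that allowlist).
    """
    parser = _LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        if not href:
            continue                      # anchor without a destination
        real = host_of(href)
        shown = host_of(text) if _URL_LIKE.match(text) else None
        if shown and shown != real:
            findings.append(("display-mismatch", text, href))
        elif expected_hosts and real not in expected_hosts:
            findings.append(("unexpected-host", text, href))
    return findings


# Constructed sample in the style of the FDIC-themed lure the article describes.
# The look-alike domain uses the reserved .example TLD and the IP address is
# from the RFC 5737 documentation range, so neither resolves to a real host.
SAMPLE_EMAIL = """<html><body>
<p>Your institution's records require review. Please confirm them at
<a href="http://fdic-secure-login.example/verify">https://www.fdic.gov/verify</a>
or read the notice on <a href="https://www.fdic.gov/">our site</a>.
Questions? <a href="http://203.0.113.5/help">Click here</a>.</p>
</body></html>"""

if __name__ == "__main__":
    for reason, text, href in hover_check(SAMPLE_EMAIL, expected_hosts=("fdic.gov",)):
        print(f"{reason}: link text {text!r} actually points to {href}")
```

Without an allowlist only the first link is reported, which is the case a human hover catches; the allowlist additionally catches “Click here” links to hosts the organization never uses.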
In general, the prevention of attacks and threats should be consistently audited so that a specific information security policy can be created and carried out within the specific context of an organization.

As one general example, outdated and unpatched software applications pose a serious risk. Cybercriminals often target older, outdated software because of its longevity. That is, the longer a piece of software is around, the more time cybercriminals have to develop malware based on an established exploit that will not be, or has not yet been, fixed by the developer. In many industries, including health care, legacy technology is becoming a serious problem as an avenue for data theft. Furthermore, preventive measures can get expensive. An organization’s IT team or information security team, however, has a serious leg up on outside threats—they know where the valuable data is. Thorough knowledge of an organization’s infrastructure is a considerable advantage against outside threats. Consequently, it is worth investing in the people who know most about it—IT. The avenues by which data can fall victim to a remote attack are as innumerable as the unique software and hardware contexts of companies all over the world. Keeping a team that is well equipped is a key component of a strong security posture.

Limit Access to Sensitive Information

An often underanalyzed piece of the preventive data security puzzle is data access controls. More simply put, not every employee of an organization should have full access to all data. Even in the case of IT, it is recommended that members of the team use nonprivileged credentials for daily activities. This is a central step to minimizing risk, as it inherently reduces the number of access points for data to leave the confines of an organization’s network. More privileged credentials mean more credentials that can be compromised and used to elevate an external threat.
In line with this, it is also crucial to consider internal threats. For example, a disgruntled employee gains access to sensitive data, steals it, and posts it publicly online. Limiting access to critical data on an as-needed basis can, in some cases, preemptively eliminate this risk altogether. People are a company’s biggest asset but also the biggest liability with respect to information security. Awareness and implementation of policy is key to maintaining that “culture of security.”

Recognize the Risks of BYOD

Security and data access controls must be practiced and applied outside of the confines of an office as well as inside. Mobile computing has changed everything, including how security is maintained and adapted to reasonable policies. It is becoming increasingly common for employees to take sensitive data home with them (on thumb drives, laptops, phones, e-mails, cloud services, etc.).

With respect to policy, many organizations and their agents alike favor the cost benefits and choice of bring-your-own-device (BYOD) permission, which allows employees to use their personal devices, particularly mobile devices, to store and access company data. Unfortunately, in most instances, this policy relinquishes some defined, universal security strategy and inherently gives an organization less in the way of data control. Standard mobile device management tools are not typically applied and installed on employees’ personal devices.

BYOD can also invite unauthorized connections from an organization to the Internet. Many smart phones offer device tethering, whereby the phone’s cellular data connection is shared with other devices. This type of network activity is not part of an organization’s network, and thus cannot be monitored for suspicious connections.

Before simply accepting BYOD as a cost-effective and desired approach, ensure that policy is clear and consequences are clearer. If BYOD is implemented, do so in such a way that the organization maintains a modicum of control.
Also, take legal ramifications under consideration and determine whether there are special regulatory concerns particular to a certain industry that need to be worked into BYOD and mobile computing policies. In some industries, such as health care, a lack of central data security policy and control opens up serious liability risks.

There is another breach risk associated with BYOD—physical device theft. This is becoming less of a problem with certain devices (ahem, Apple), but it is nevertheless important to consider in a fragmented situation where an organization uses software and hardware from a number of providers and manufacturers. For instance, in the healthcare industry, data breaches that affect 500 patients or more must be reported to the U.S. Department of Health. Perusing the listing of breaches, the downside to the convenience of mobile computing is apparent—hundreds of incidents involving stolen physician laptops and phones. Compliance professionals cringe.

If an organization must allow for remote and mobile solutions, again, it is important to consider the regulatory responsibilities of an industry. Regardless of industry best practices for mobile devices, it is critical to keep the data they store encrypted so that a thief is unable to access sensitive data. It’s critical never to fall into a false sense of security, and never to rely entirely on encryption alone.

Look Beyond Employees

Data control goes beyond just employees. Rather, it extends to include any entity that can store, access, or use a company’s sensitive data, including third-party vendors. Develop contracts that protect the organization, particularly those that use third-party vendors. Third-party vendors can introduce security lapses and vulnerabilities, and might not hold themselves to the proper and necessary digital risk standards. Not doing so can result in a digital catastrophe.
This is best evidenced by the example of the devastating credit card breach experienced by Target in late 2013. Target seemed to have the appropriate controls in place with dedicated IT and security appliances. Thinking that everything was fine with its security practices, management overlooked one critical issue. Target allowed an outside heating, ventilation, and air-conditioning (HVAC) service vendor to connect to the same network responsible for point-of-sale device Internet traffic. Again, this is an example of good technical security measures being rendered ineffective because of lapses within the human element of security.

Like Target, there have been other breaches that can be traced back to failures to audit third-party vendors, such as the Boston Medical Center and Goodwill. Often, smaller third-party vendors are a sort of hacking “stepping-stone”—compromise their information to get to their larger clients that have more valuable data. This is especially true today, as even the smallest companies have a digital presence. Once again, a company can have all the proper controls in its own offices, but sensitive information with its vendors could be compromised.

To mitigate third-party risk, ensure that appropriate parties, especially legal departments, are involved with the outside vendor hiring process and that audit rights are guaranteed and protected by contracts. That means including audit clauses in contracts to allow the organization to regularly monitor and check that vendors are in compliance with any generally accepted or necessary standards. Cybersecurity is now a reality and must be included in the outside contracting process.

Don’t Overlook the Importance of Data Backups

In addition to the risk of compromising data, loss of data entirely can be even more devastating. While most large corporations can afford to keep their sensitive data in multiple locations, others cannot.
Irrespective of the size of an organization, individual workstations can contain important client data that should be regularly backed up. Furthermore, no matter how many backups an organization maintains, it is important to not get bogged down by the sheer volume and always prepare for the absolute worst—a hurricane, tornado, or some other natural disaster that could destroy an entire organization’s data in one fell swoop.

But data loss can happen in other ways most people don’t expect. A couple of months ago, I got a call from a local government agency that had a horrible rash of “ransomware.” Ransomware is malware that seeks to exploit victims by encrypting their files. It is downloaded accidentally by clicking on a link in a pop-up or through a “phishing” e-mail. Once executed, the user is notified that their files have been locked because they committed a crime, and that they must send money for the decryption key within a certain amount of time or their files will forever be inaccessible. Unfortunately, paying the “ransom” usually will not unlock the files, but only serves to line the pockets of the extortionists. In this particular case, the local agency did not consistently keep a backup of its data, and months of work was lost. This new ransomware infection prompts reflection on something that is still overlooked as a serious risk to daily business activity—data backups, offsite or otherwise.

Develop a Security Culture

It is important to audit all controls to prevent attacks incurred from external and internal threats. Make sure that these controls are in place and effective, and attempt to penetrate your organization’s digital infrastructure. There should be a layered approach to information security. In other words, organizations should not only have a digital fence, but also a locked front door.
In addition to simply having “locks” and “fences,” make sure there is a policy information session that effectively teaches people how to keep the gate closed and the door locked. Incorporating these provisions into policy, and more importantly, executing that policy through employee training programs, moves organizations to a stronger security posture. Creating the atmosphere for effective security is just as important as the security practices themselves.

Hope for the Best, Prepare for the Worst

Striking the key balance between costs and preparation is something to consider, but it is always a good investment, and is usually much cheaper than the fallout of a breach. When it comes to security, prevention certainly is the first choice. But what happens if all the preventive measures are taken and incorporated into policy, but an organization is still breached or data is lost? As previously stated, technology is fast paced, and cybercriminals can be one step ahead of the latest preventive security measures. One of the primary reasons for their persistence is that a targeted organization’s data is exceedingly valuable. In recent history, credit cards have been an obvious target for the clear monetary value they carry. These breaches have dominated the headlines and are an unfortunate side effect of our increased reliance on credit technology’s conveniences.

Recognize the Value of Data

Not dissimilar from the recent credit card breaches, hackers have consistently and specifically targeted health data over the years because health data is valuable—it can be used to gather intel about specific people or as a tool for identity theft. It has also historically not been the most secure. Patient names, birth dates, billing information, and health histories have the potential for complex identity theft and medical fraud schemes.

More importantly, though, this data has a market on the “Dark Web” outside of those who are responsible for stealing it. To illustrate the Dark Web, Google indexes approximately 17 percent of websites, where most people typically dwell online and do their browsing, shopping, and other online activities.
But below the Internet’s surface lurks the Dark Web, where criminals market a variety of different goods and services, from passports and drugs to “rent-a-hacker” services for the purposes of messing up someone’s life. Thanks to the Dark Web, stolen client data of all kinds has a market, therefore increasing its appeal to be stolen in the first place. Even if an organization conducts an audit of all security controls and policies, a new exploit could be found the next day, rendering a clean bill of security health void.

Case Study Illustrates the Risk

The following case study illustrates the point that employee education is key. About a year ago, I was contacted by a large corporation claiming that its systems were compromised, and that an unauthorized $1 million wire transfer was initiated, sending the money to Russia. Management suspected that this was an inside job carried out by one of their employees. As they had spent hundreds of thousands of dollars on security appliances, they thought something like this could not possibly happen to them—they were proactive and willing to invest the resources in security. However, a review of their infrastructure revealed a lapse. They adopted a “set-it-and-forget-it” attitude. There was no “culture of security.”

Although management assumed their appliances would not allow such a thing, a spam e-mail got to an employee’s workstation. That individual clicked a link and initiated “Zeus” malware. While the hacker’s toolbox is expansive and variable, there are certain tools worth mentioning, one being Zeus. Zeus, when executed, monitors an infected computer for certain types of user activity, including online banking. It often remains dormant until a user accesses a financial services or banking website. Once Zeus identifies the targeted activity (such as banking), it will then collect confidential data, including a log of all keystrokes and screenshots. This compromised data is then transmitted to the hacker. In this case, a security token was inadvertently left plugged in. Hackers had everything they needed, and set the software to wait for banking credentials. After that, all they had to do was log in and initiate the transfer.

If that story teaches us anything, it is again that these lapses can and do happen even when the victims think they have a great security posture. Fortunately, that company made the right choices in handling its breach of security; management acted quickly, hired professionals, and assembled the narrative to attempt to get their money back and carry out due diligence for the safety of their customers’ information.

Lessons Learned

More often than not, though, incidents come unexpectedly and organizations are not adequately prepared for the worst. Officers and employees often do not have a clear picture of the chain of command, nor the roles and responsibilities in the face of a breach. This can lead to increased exposure to media and public relations fallout and executive meltdown. While designing preventive policy, try to design a policy or incident response manual that effectively prevents operational shutdown in the case of a breach and allows for quick, decisive action. And be sure you have the right contacts to respond to such an incident. Be ready for the inevitable, even if it seems impossible.

Whether the organization has in-house or outsourced IT, it is typically best to bring in an unbiased third party to put the narrative of a breach together. This limits the risk of an IT provider perhaps underemphasizing a breach, as they have an interest in keeping business.
Furthermore, many IT departments are not properly trained or equipped to analyze and uncover new threats and malware. IT people are often more focused on implementing technology for ease of use and convenience, not security.

FIGURE 1 ZEUS ATTACK DIAGRAM: Dissecting a Zeus Attack (Account Takeover)
1. Target Victims: Criminals target victims by way of phishing or social engineering techniques.
2. Install Malware: The victims unknowingly install malware on their computers, often including key logging and screen shot capability.
3. Online Banking: The victims visit their online banking website and log on per the standard process.
4. Collect & Transmit Data: The malware collects and transmits data back to the criminals through a backdoor connection.
5. Initiate Funds Transfer: The criminals leverage the victim’s online banking credentials to initiate a funds transfer from the victim’s account.
Source: Joint Fraud Advisory for Business: Corporate Account Take Over by USSS, FBI, IC3 and FS-ISAC.

Specialists are able to assemble the narrative, from initial exploit and threat elevation to the context of data that was ultimately compromised. Armed with such information, an organization is better able to prevent a similar attack from happening in the future, and also has a clear picture of how to handle other tasks related to the breach, such as client notification.

Breach notification often goes undiscussed. Furthermore, the responsibility of organizations to notify their clients, partners, and other parties about a breach varies from case to case and from industry to industry. In certain industries, federal and state regulations are the rule, but in others, it is solely up to the discretion of executives. In responding to the public, or proactively notifying clients, it’s best to wait until a full investigation is complete. It is important to know that there is a huge difference between an infection, or abnormal Web traffic, and a data breach—just because there is evidence that attackers tried to gain access does not mean they did so successfully. Moreover, even if hackers steal data, the type of data is central to the notification proceedings.

Oftentimes, organizations that suspect a breach will jump the gun and notify their clients before an investigation is complete. In the end, sometimes nothing serious happened—no confidential data was lost or stolen. Notifying clients before knowing there is a legitimate problem is, in and of itself, a huge risk. Understand that some clients might not be comfortable continuing business with a company that disclosed a breach. Organizations need to do themselves a favor and rule out the possibility of a false alarm first. That said, it is important to incorporate client notification as part of the defined incident response plan.
It is always best to be proactive, but not to unnecessarily inform clients or authorities until it is known that a serious breach definitively happened.

Once a thorough investigation has been completed, and in the unfortunate case that personally identifiable information was stolen, it is important to work closely with legal professionals. Cybersecurity is very much a legal issue, with unique legal considerations. As previously alluded to, there are regulatory considerations that vary greatly between industries and states—for now. Until there is an overarching federal regulation that applies the same requirements to all industries, and defines the type of data that must be stolen to trigger a report, the current compliance and digital security laws remain the law, and they are a patchwork.

Furthermore, even after the narrative of a breach is assembled, the costs (both tangible and intangible) are hard to quantify. As such, it is also worth discussing with legal an investment in cyberliability insurance. Successfully mitigating the fallout of a breach and minimizing related costs requires harmony between everyone, but especially human resources, IT, and legal departments.

Similarly, after an incident, education is still the most important aspect of preventing another breach. Take an incident or a breach and use it as a valuable learning opportunity. After a security breach investigation, walk employees through every detail of what happened, pinpoint what the failures were, and, most importantly, learn from the event and prevent the same thing from happening again. No one individual can be held responsible for a breach in security; the entire team is responsible.

Conclusion

Preparation is key in any prevention strategy, and optimal security always starts at the human level. Best security practices are just that—practices. Security measures are always a work in progress and reflect the constant stream of new technology.
It takes time to discover, learn, and implement the best methods. Ongoing education within this “culture of security” is imperative in trying to implement the best possible procedures. In this case, knowledge truly is power.

MARK LANTERMAN
ComputerForensic Services
www.compforensics.com

Mark Lanterman is chief technology officer for ComputerForensic Services in Minnetonka, Minnesota. Prior to joining CFS, he was a criminal investigator with over 11 years of law enforcement experience. In addition, he has successfully led thousands of forensic investigations, collaborating with and supporting large legal organizations, corporations, and government entities, having given expert witness testimony in over 2,000 matters. Mr. Lanterman is a sought-after speaker, conducts over 40 continuing legal education classes annually, and is an adjunct professor of computer forensics. He provides frequent commentary about cyber and privacy security issues for national print and broadcast media, including ABC, Al Jazeera, Bloomberg, BusinessWeek, CBS, FOX News, NBC, The New York Times, NPR, and The Wall Street Journal.

Mr. Lanterman received his bachelor’s and master’s degrees in Computer Science from Upsala College and has received many security certifications and training certificates, including from the Department of Homeland Security and the National White Collar Crime Center. He has authored “What You Don’t Know Can Hurt You: Computer Security for Lawyers,” Bench & Bar of Minnesota; “Elephant in the Room—Case Studies of Social Media in Civil and Criminal Cases,” Next Generation; and the eDiscovery Law and Tech Blog. Mr. Lanterman can be reached at mlanterman@compforensics.com.

* * *

Reproduced from the October 2015 issue of The Risk Report. Opinions expressed in this article are those of the author and are not necessarily held by the author’s employer or IRMI. This content does not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with an attorney, accountant, or other qualified adviser.
