October 26, 2016
By Avani Desai, Executive Vice President, Schellman & Co.
October 25, 2016
By Susan Richardson, Manager/Content Strategy, Code42
During National Cyber Security Awareness Month, understanding the ins and outs of ransomware seems particularly important—given the scandalous growth of this malware. In this webinar on ransomware hosted by SC Magazine, guest speaker John Kindervag, vice president and principal analyst at Forrester, talks about what ransomers are good at—and offers best practices for hardening defenses. Code42 System Engineer Arek Sokol is also featured as a guest speaker, defining continuous data protection as a no-fail solution that assures recovery without paying the ransom.
The art of extortion
Kindervag says ransomers are good at leveraging known vulnerabilities when organizations are slow to patch. They are also excellent phishermen, posing skillfully as trusted brands to lure their prey; collaborative entrepreneurs who learn and share information; and enthusiastic teachers, eager to impart how to pay in bitcoin for the unschooled.
Like Pearl Harbor, Kindervag says, the day the enterprise gets hit with across-the-board ransomware will live in infamy—unless the organization has planned for the event with effective backup.
Kindervag advises the following to prevent the delivery of ransomware:
- Prioritized patch management to avoid poor security hygiene that puts computer systems at risk.
- Email and web content security that includes effective anti-spam, gray mail categorization, and protection for employees against poisoned attachments.
- Improved endpoint protection with key capabilities that include prevention, detection and remediation, USB device control to reduce the ransomware infection vector, and isolation of vulnerable software through app sandboxing and network segmentation.
- Hardening network security with a zero trust architecture in which any entity (users, devices, applications, packets, etc.) requires verification regardless of its location on or with respect to the corporate network to prevent the lateral movement of malware.
- A focus on clean, effective backups.
The ransomware antidote
Following Kindervag’s “hardening defenses” presentation, Sokol reports on the number of businesses hit by ransomware in 2015 (47 percent) and how many incidents come through the endpoint (78 percent). He also dispels the rumor that file sync and share are synonymous with rather than antithetical to endpoint backup.
During the webinar, Sokol demonstrates the extensibility of modern, continuous, cross-platform endpoint backup. He describes the efficacy of endpoint backup in recovering data following ransomware or a breach, its utility in speeding and simplifying data migration and its ability to visualize data movement—thereby identifying insider threats when employees leak or take confidential data. Don’t miss it.
October 11, 2016
By Jacob Ansari, Manager, Schellman
How many arbitrary people do you have to get into a room before two of them share the same birthday? Probability theory has considered this problem for so long that no one is quite certain who first posed the so-called “birthday problem” or “birthday paradox.” What we do know is that this occurs with many fewer people than we might have guessed. In fact, there’s a 50% chance that two people will share a birthday (month and date) with only 23 people. That confidence goes up to 99% with 75 people.
Beyond just awkward situations about who gets the first slice of cake, this idea has applications in cryptography and security situations. The short of the idea is that things that seem unpredictable or unlikely are often much more likely than we would think. For a security system based on random numbers and unpredictability, this can pose a few dangerous security problems. Some researchers from the French Institute for Research in Computer Science and Automation (INRIA) recently published some work that shows significant weaknesses with practical exploits in 64-bit block ciphers, particularly 3DES and Blowfish, and in their most common uses in HTTPS and VPN connections.
Most modern ciphers that use a symmetric key, that is a key that both parties need to have to encrypt and decrypt messages, are what cryptographers call “block ciphers.” They encrypt blocks of data, rather than bit by bit. Often, the block length is the size of the key, but in some cases it isn’t. So a 3DES cipher, which performs three cryptographic operations using 64-bit blocks and 64-bit keys (technically 56-bit keys with eight bits used for error checking) divides up its message into 64-bit segments and encrypts each one. The problem related to the birthday paradox is this: when you have a 64-bit key, an exhaustive attack would potentially need to try 2^64 guesses at the key value to see if it could decrypt the encrypted message (this is what we call a brute-force attack).
In practice, however, block ciphers use what are called modes of operation, which link blocks of messages together. In these situations, with a 64-bit block length, encrypting more than 2^(block length/2), or 2^32, bits of data presents a well-known cryptographic danger. The operation will inevitably repeat enough data for patterns to emerge and for an attack to determine the key from these patterns. Thus, good design prevents more than 2^32 bits of data encrypted by the same key, and cryptographers refer to this as the birthday bound.
This attack goes from theoretical to practical in two significant applications: HTTPS using 3DES (typically with TLS 1.0 or earlier), and OpenVPN, which uses Blowfish (which has 64-bit blocks) as its default cipher. With 64-bit blocks, the birthday bound is approximately 32GB of data transfer, which is something a reasonably fast connection can handle in about an hour. Thus, the practicality of collecting these data and attacking the key is an entirely reasonable prospect. Further, modern uses of HTTPS and VPN connections often find cases where the session lasts for long periods of time, and thus continues to use the same key for those long periods, making both the recovery of the key and its use in an attack practical and effective.
Ultimately, the solution for this kind of attack is to replace the use of 64-bit block ciphers with 128-bit block ciphers like AES. In many cases, the capability to do this already exists and organizations facing this threat can do so with reasonable expedience. In some cases, particularly when supporting legacy connections such as TLS 1.0 and the corresponding support for 3DES ciphers, this becomes more complicated. While many organizations have made advances in moving to more secure block ciphers, others have compatibility and legacy support issues. These kinds of advances in attacks make those transitions all the more urgent.
Organizations currently in transition should strongly consider accelerating those efforts and eliminating the use of ciphers like 3DES and Blowfish entirely.
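The arithmetic behind the 23-person and 32GB figures above, together with a check that flags 64-bit block ciphers in cipher lists, as an added example (not code from the original post). The sample TLS suite list and OpenVPN configs are constructed; the bound is counted here as 2^(n/2) blocks of n bits, which is what yields the 32GB figure, and a config with no `cipher` line is assumed to fall back to the Blowfish default the post describes (newer OpenVPN releases may differ).

```python
import math

# Block size in bits per cipher family (a property of each algorithm).
BLOCK_BITS = {"3DES": 64, "DES": 64, "Blowfish": 64, "AES": 128, "Camellia": 128}

# Name fragments seen in OpenSSL, IANA and OpenVPN cipher names, most specific first.
FRAGMENTS = [
    ("3DES", "3DES"), ("DES-CBC3", "3DES"), ("DES-EDE3", "3DES"),
    ("BF-", "Blowfish"), ("BLOWFISH", "Blowfish"),
    ("DES-CBC", "DES"), ("AES", "AES"), ("CAMELLIA", "Camellia"),
]

# Constructed sample inputs, not taken from any real deployment.
SAMPLE_TLS_SUITES = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "DES-CBC3-SHA",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "AES256-SHA",
]
SAMPLE_OPENVPN_EXPLICIT = "dev tun\nproto udp\ncipher AES-256-CBC\n"
SAMPLE_OPENVPN_IMPLICIT = "# no cipher directive\ndev tun\nproto udp\n"

# Assumption taken from the post: Blowfish (BF-CBC) is the default cipher.
ASSUMED_OPENVPN_DEFAULT = "BF-CBC"


def collision_probability(samples, space):
    """Chance that at least two of `samples` uniform draws from `space` values match."""
    if samples > space:
        return 1.0
    if samples <= 10_000:
        # Exact product (1 - 0/space)(1 - 1/space)... computed in log space.
        log_no_collision = sum(math.log1p(-i / space) for i in range(samples))
    else:
        # Standard approximation exp(-n(n-1)/(2*space)) for large spaces.
        log_no_collision = -samples * (samples - 1) / (2 * space)
    return -math.expm1(log_no_collision)


def birthday_bound_bytes(block_bits):
    """Data volume at which 2^(n/2) blocks of n bits have been encrypted."""
    return 2 ** (block_bits // 2) * (block_bits // 8)


def hours_to_bound(block_bits, mbit_per_s):
    """Hours of sustained transfer at `mbit_per_s` needed to reach the bound."""
    return birthday_bound_bytes(block_bits) * 8 / (mbit_per_s * 1e6) / 3600


def classify(name):
    """Map a cipher or suite name to a family in BLOCK_BITS, or None if unknown."""
    upper = name.upper()
    for fragment, family in FRAGMENTS:
        if fragment in upper:
            return family
    return None  # e.g. stream ciphers, which have no block size


def openvpn_cipher(config_text):
    """Return the configured cipher, or the assumed default if none is set."""
    for line in config_text.splitlines():
        parts = line.strip().split()
        if len(parts) >= 2 and parts[0] == "cipher":
            return parts[1]
    return ASSUMED_OPENVPN_DEFAULT


def audit(names, mbit_per_s=100.0):
    """List (name, family, hours to birthday bound) for every 64-bit block cipher."""
    findings = []
    for name in names:
        family = classify(name)
        if family is not None and BLOCK_BITS[family] == 64:
            findings.append((name, family, round(hours_to_bound(64, mbit_per_s), 2)))
    return findings


if __name__ == "__main__":
    print("P(shared birthday), 23 people: %.3f" % collision_probability(23, 365))
    print("P(shared birthday), 75 people: %.4f" % collision_probability(75, 365))
    print("64-bit bound: %d GiB" % (birthday_bound_bytes(64) // 2**30))
    print("P(block collision) at that bound: %.3f"
          % collision_probability(2**32, 2**64))
    names = SAMPLE_TLS_SUITES + [
        openvpn_cipher(SAMPLE_OPENVPN_EXPLICIT),
        openvpn_cipher(SAMPLE_OPENVPN_IMPLICIT),
    ]
    for name, family, hours in audit(names):
        print("FLAG %-32s %-8s bound reached in ~%.2f h at 100 Mbit/s"
              % (name, family, hours))
```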
October 11, 2016
Denis Naughten will address (ISC)2 Security Congress EMEA delegates on the latest developments in Ireland’s National Cyber Security Strategy since its launch in 2015, including the requirement to transpose the European Union Security of Network and Information Systems Directive (2016/1148) into national law by May 2018. The digital economy is growing at 20 percent per year, and securing this sector is vital for the country’s long-term growth and nurturing its cloud computing and big data industries.
The full agenda can be found here.
Organized in partnership with MIS Training Institute, the Congress will feature three intensive days of deep-dive workshops, interactive think-tanks, panel debates and over 40 speakers discussing current events from the use of robots in security to the need for a new ‘creative commons for privacy’.
Denis Naughten T.D., Minister for Communications, Climate Action and Environment said: “At a time when we are building capacity on cyber security to help industries bolster their cyber defences, I am pleased to support the (ISC)2 community in bringing together professionals across every tier of industry, here and across EMEA, to align international efforts against the cyber threats we face. Online threats are not confined to one industry or country, so we can no longer work in isolation but must share knowledge and expertise across sectors.”
Other confirmed keynote speakers include:
- Ade McCormack, Digital Strategist, and Financial Times columnist
- Barrie Millet, Head of HSSE & Resilience, E.ON U.K.
- Eoin O’Dell, Associate Professor, School of Law, Trinity College Dublin
- Nick Hawes, Reader in Autonomous Intelligent Robotics, School of Computer Science, University of Birmingham (U.K.)
- Mark Carolan, Head of Research and Development, Espion
Adrian Davis, Managing Director EMEA, (ISC)2, said: “Bringing together the largest network of working professionals in EMEA, this Security Congress will enable attendees to draw on a pool of front-line experiences and cybersecurity best practice from every sphere of society. It is also a great opportunity for professional development, with a range of speakers who are leaders in their fields sharing some of their world-leading expertise with the audience. Our vision is to create a safe and secure society and that can only be achieved by professionals from every walk of life, working together.”
The Cloud Security Alliance will be exhibiting at this year’s congress, and you can join us by booking here and quoting CSA2016.
October 6, 2016
By Ajmal Kohgadai, Product Marketing Manager, Skyhigh Networks
The Health Insurance Portability and Accountability Act (HIPAA) helps protect patient privacy by requiring healthcare organizations and their business associates to protect sensitive data — including how the data is used and disclosed. As the healthcare industry is increasingly being targeted by cyber attackers, HIPAA gives healthcare organizations minimum benchmarks for assessing and implementing their cyber defenses.
Patient health data is highly sought after by cyber criminals because they can exploit it in many different ways and for much longer periods of time as compared to information such as credit card numbers. On black market marketplaces on the Darkweb, stolen medical data can sell for 10 to 20 times more than credit card data. One report found that stolen Medicare numbers sold for nearly $500 each.
Because medical records are rich with information, they can be used for committing identity theft, medical identity theft, and tax fraud; obtaining loans or credit cards; sending fake bills to insurance companies; obtaining and then reselling expensive medical equipment — and the list goes on. And unlike a credit card number, which can easily be cancelled if it has been compromised, medical health records can’t be altered and tend to last a lot longer. Stolen medical records of terminally ill patients are especially valuable because that information can be used to receive other services on behalf of the patient long after the patient has passed away.
HIPAA requires that healthcare organizations report any data breaches involving more than 500 patient records. According to the HHS web portal, there have been 205 such breaches so far this year. Many data breaches of electronic protected health information (ePHI) that have resulted in HIPAA fines were the result of carelessness or lack of data protection and could have been avoided.
Numerous HIPAA fines have stemmed from the lack of risk assessments or properly implemented risk management plans. A risk assessment is a foundational step that healthcare organizations must take in order to evaluate all the vulnerabilities, threats, and gaps in defenses in order to mitigate security risks.
The Worst HIPAA Violations — and What You Can Learn from Them
Advocate Health Care Network, $5.5 million
This is the largest HIPAA settlement as of September 2016 and was the result of three separate data breaches that affected a total of 4 million individuals. One of the incidents involved an unencrypted laptop that was stolen from an employee vehicle and another incident involved the theft of four computers.
The Department of Human and Health Services Office of Civil Rights (OCR), which enforces HIPAA, noted that Advocate Health Care failed to conduct an accurate and thorough risk analysis of all of its facilities, information systems, applications, and equipment that handle ePHI. This risk management plan needs to include not only technical but also physical and administrative measures.
New York and Presbyterian Hospital (NYP) and Columbia University, $4.8 million
In a joint case, the two organizations were fined after 6,800 patient records were accidentally exposed publicly to search engines. The breach was caused by an improperly configured computer server that was personally owned by a physician. The server was connected to the network that contained ePHI.
NYP lacked processes for assessing and monitoring all its systems, equipment, and applications connected with patient data. It also didn’t have appropriate policies and procedures for authorizing access to patient databases. Both of these violations would have been easy to prevent through administrative processes.
WellPoint, Inc., $1.7 million
The managed care company exposed the records of more than 600,000 individuals over the internet after upgrading an internet-based database containing ePHI. WellPoint didn’t know about the breach until a lawsuit notified the company that the data was available through a web portal.
This kind of incident could be avoided by:
- Performing a technical evaluation of changes resulting from software upgrades ahead of deployment
- Implementing technology, policies, and procedures for authenticating users that are accessing ePHI as well as limiting the categories of users who can access the data.
Anchorage Community Mental Health Services (ACMHS), $150,000
A malware infection compromised the records of more than 2,700 individuals. ACMHS did not review its systems for unpatched and unsupported software and did not regularly update its IT resources.
This case underscores the importance of having policies and procedures in place for running regular updates and patches. It’s a simple yet often ignored practice that could have major implications.
St. Elizabeth’s Medical Center, $218,400
This settlement stemmed from two incidents, one of which was in connection with staff use of a cloud-based file-sharing application. Specifically, the medical center did not evaluate the risks of using this cloud service, putting ePHI of nearly 500 people at risk.
As more healthcare organizations are embracing the cloud as a scalable, cost-effective and flexible solution for storing and sharing patient data, it’s critical to conduct a risk assessment prior to migrating to a cloud environment. This evaluation should also include a comprehensive analysis of the security capabilities of prospective vendors.
University of Mississippi Medical Center (UMMC), $2.75 million
UMMC reported a breach after a password-protected laptop loaned to a visitor went missing. Subsequently, OCR’s investigation found that users could access a network drive containing ePHI via a wireless network with a generic user name and password. The accessible network drive contained ePHI of 10,000 patients dating as far back as five years.
According to Verizon’s 2016 Data Breach Investigations Report, more than 60 percent of data breaches in 2015 involved weak, stolen, or default passwords. Passwords are a major problem that can have serious consequences for organizations, yet it’s a problem that’s easy to mitigate by implementing strong password-management policies as well as techniques like multi-factor authentication.
Triple-S Management Corp., $3.5 million
This case was the result of multiple, extensive violations involving several subsidiaries. One notable violation related to two former employees whose access rights to a restricted database were not terminated when they left the company. The two then accessed the internet Independent Practice Association (IPA) database, which contained members’ diagnostic and treatment codes, while being employed by a competitor.
Just like poor password-management policies, user-privilege policies are a major problem for organizations. Too often, user access is not terminated when employees leave the company or move to another position within the same company that changes their status. Many unauthorized access incidents can be avoided with tools and procedures that manage user access.
Massachusetts Eye and Ear Infirmary and Massachusetts Eye and Ear Associates, Inc. (MEEI), $1.5 million
OCR found multiple violations after investigating the theft of a personal unencrypted laptop containing patients’ prescriptions and clinical data. The violations included longtime failures to conduct a risk analysis and implement security measures for portable devices.
“In an age when health information is stored and transported on portable devices such as laptops, tablets and mobile phones, special attention must be paid to safeguarding the information held on these devices,” OCR Director Leon Rodriguez said in the announcement.
Many of the HIPAA settlements to date have involved stolen or lost devices such as laptops as well as removable media like USB drives. What makes this case stand out from many others involving stolen or lost laptops is the fact that this was a personal device.
As healthcare organizations become more open to bring your own device (BYOD) policies, it’s important to have practices and procedures in place for devices that are not managed by the IT department. Best practices could include credentialing or “registration” of personal devices and controls for giving IT staff advance permission to remotely wipe or lock a stolen device.
October 4, 2016
By Susan Richardson, Manager/Content Strategy, Code42
Ah, those ingenious cyber criminals. They keep coming up with ever more frightening ransomware threats. JIGSAW warns victims it will delete files every hour until they pay $150 USD in bitcoins. Chimera threatens to publish the victim’s files online for all to see. Cerber ups the ante by enlisting a creepy robotic voice to tell victims their files have been encrypted. And now the latest ransomware hopes to intimidate victims by showing their location on Google Maps. In other words, “We know where you are.”
But wait, there’s more
Dubbed CryLocker, the new ransomware is getting publicity for another unusual trait, as well. Instead of sending affected files to remote command and control (C&C) servers for the attackers to access, it encodes the victim’s files into a bogus PNG image file and uploads it to a free online image hosting site, either Imgur or Pastee. Security researcher MalwareHunterTeam, which detected the new strain in August, said it found PNG images for more than 10,000 victims inside CryLocker’s Imgur album.
Although the official name of the ransomware is CryLocker, it’s also referred to as the Central Security Treatment Organization ransomware based on the bogus organization name displayed on its payment site—or Cry ransomware because it appends the .cry extension to encrypted files.
Never pay the ransom
The good news is that if CryLocker victims have modern endpoint data protection, ransomware recovery is no big deal. Because endpoint security solutions such as Code42 CrashPlan can restore files from a backup time just before the attack, users never have to pay up—no matter how creative or intimidating ransomware threats get.
September 22, 2016
By Susan Richardson, Manager/Content Strategy, Code42
Sometimes the ingenuity of the free market is truly remarkable. And in the case of the new black market for ransomed data, remarkably scary. One of the latest triumphs of the entrepreneurial spirit is Ran$umBin, a sort of eBay for ransomers—or as Dark Reading described it, “a one-stop shop for monetizing ransomware.”
The ransomware middleman
Much as eBay acts as the middleman for sellers of all sizes, Ran$umBin popped up in early 2016 to act as a proxy for data ransomers. The site gives cyber thieves three options: Lock up the victim’s data and use the site as a payment proxy for the ransom; “dox” the victim, posting the stolen, sensitive information on the site to add extra urgency to the payment demands; or sell the stolen data to a third party and let them handle the extortion (or use the data in some other way). The site provides an easy bitcoin-based payment interface, and Ran$umBin takes a cut of every payment.
Making the ransomware business easier, lowering risk for veterans and newcomers
Stealing or locking up data isn’t the tough part of the ransomware business (flawed systems and unreliable users make that way too easy). It’s the payment side—making direct contact with a victim and exchanging currency—that poses the highest risk. In eliminating this risk and handling the logistics of payment, Ran$umBin serves to streamline the business of ransomware.
Comparisons to eBay, Uber or Airbnb, are apt—and alarming—in this context. These disruptive innovations made it easy for the little guy to go into business for himself, particularly by streamlining and reducing risk around payment. Sites like Ran$umBin effectively lower the barrier to entering the cybercrime business, making it easier than ever for anyone to make money in the ransomware game.
Ran$umBin: We’re just an honest business—with great customer service!
The creators of Ran$umBin tell a familiar story, claiming that they’re a neutral business that just provides an honest service for activity that’s going on anyway. Interestingly, they say they view their responsibility as serving and protecting the “safety” of their customers, meaning both the data thieves and their victims. This business mission takes shape in the strange regulations that supposedly govern the site. Ran$umBin claims they validate stolen data to make sure it’s not inaccurate, old or irrelevant, though they don’t explain how this vetting is accomplished. An even more bizarre claim of business ethics: Ran$umBin says they won’t let an individual victim be extorted more than 10 times. But nine times is perfectly reasonable. How noble.
A sign of things to come
Ran$umBin hasn’t seen much activity so far, but that’s no reason for comfort. This is just the free market’s first shot at a solution for enterprising data thieves. Think of how Facebook took the MySpace idea to a higher level. With ransomware increasingly becoming big business, new and better versions of sites like Ran$umBin are sure to pop up soon, fueling the overall ransomware market with bigger incentives, more organization and greater sophistication.
The simple antidote: Back up your data—don’t pay the ransom
The free market drives some pretty crazy innovation, but it also follows some pretty simple rules. Namely, if the money dries up, the market looks elsewhere. Fortunately, snuffing out the cash flow to data thieves couldn’t be easier: Back up your data. When ransomware hits, you’ll be certain your data is preserved. You’ll be certain the restore will be fast and comprehensive. You’ll be certain that you never have to pay the ransom.
September 14, 2016
By Kyle Hatlestad, Principal Architect, Code42
One of the objections I’m hearing more and more is, “Why do I need backup when I have Microsoft OneDrive for Business (or Google Drive, Box or Dropbox for Business)?” On the surface, it may seem like endpoint backup isn’t needed because with an enterprise file sync and share (EFSS) tool, a copy of the data is in the cloud. But if you dig a bit below the surface, you’ll find there are several distinct differences. We cover those in our Top 3 Iron-Clad Reasons Why File Sync/Share is Not Endpoint Backup, so I won’t go into them here.
Instead, I thought I would illustrate a situation in which it’s painfully obvious why it’s important to have modern endpoint backup. Every organization today is facing ransomware. No matter how sophisticated your defenses, ransomware invariably finds a way through.
For example, Jeff, a recruiter from the Human Resources team, is reviewing resumes to fill a new position. He receives an email with a link to download a resume in Microsoft Word. As part of his process, he downloads the resume to his OneDrive “Job Postings” folder which is shared with his HR co-workers. The document is automatically uploaded to OneDrive and synchronized to his co-workers’ devices.
Unfortunately, this is no ordinary resume. It contains crypto-ransomware. When Jeff opens the resume, the ransomware takes hold and begins encrypting the files on his local device as well as network shares. Because Jeff saves a lot of files in his OneDrive folder, as the ransomware encrypts those files, OneDrive then syncs them to the cloud. And for any shared/team folders he has, the encrypted files are synced to his co-workers as well as to any publicly shared files/links. And even though Jeff is supposed to save all of his files to OneDrive, he keeps a bunch on his desktop where he likes to work. He’s also got a big .PST email archive sitting on his device. All of those files are being encrypted by the ransomware to lock out access.
Because Jeff saved the file to a shared HR folder, the ransomware file now appears on his co-worker Julia’s laptop. Julia takes a peek at the resume and now the ransomware starts attacking her device.
At this point, Jeff tries to open one of his files and gets the dreaded ransom note. For just one bitcoin, he can get his data back. He contacts the help desk to let them know what happened and get help. OneDrive keeps previous versions, so no problem, right? Help desk then informs Jeff that he can get his earlier file versions, but he has to do it file-by-file! And for those files that were saved outside of OneDrive, he’s out of luck. Next up is Julia who calls up help desk and is in the same boat as Jeff. Not only did EFSS not help with recovery, it actually spread ransomware!
Well, that’s when it becomes clear that EFSS is not a true backup solution. EFSS leaves it up to the user to pick the right spot to save his data. And when it comes time to remediate from an event like ransomware, EFSS is not equipped to handle large restores. Even EFSS vendors themselves recommend having a true backup of the data to recover from an event like ransomware.
Hopefully this real-world scenario makes it easier to distinguish the differences between file sync & share and modern endpoint backup—and the advantages of true endpoint backup when recovering from ransomware.
September 12, 2016
By Rich Campagna, Vice President/Products & Marketing, Bitglass
Cloud Access Security Brokers are the hottest technology in enterprise security right now, topping Gartner’s Top 10 list two years running. Widespread adoption of major cloud apps like Office 365 (and corresponding cloud security concerns) are accelerating CASB adoption in every major industry, from financial services to healthcare.
If you’re like most enterprises, you’ve already decided that a CASB can help you meet your security & compliance goals when moving to the cloud. The next step is to figure out how to evaluate a CASB. There are 8 key questions you should be asking when evaluating a CASB. Drumroll please…
1. How does the CASB differ from security built into my cloud apps?
Each cloud app vendor makes their own decisions on what types of security functions to build into their application. One app may include encryption for data-at-rest, but not transaction logging. Another app might offer the opposite. Ensure that the CASB vendor is offering value above and beyond what is built into your applications. And don’t shortchange the value of a single policy enforced across cloud applications or inter-cloud user behavior analytics.
2. Does the CASB protect cloud data end-to-end?
Cloud data doesn’t only exist in the cloud – as soon as you deploy, your end users will arrive with an arsenal of devices and start syncing or downloading data. Very quickly, your cloud security problem becomes a mobile data protection problem. Ensure that your CASB is able to protect not only data-at-rest in the cloud, but data downloaded to devices (both managed and unmanaged – see #3 below).
3. Can the CASB control access from managed and unmanaged devices?
A user logging in from an unmanaged device represents more risk than the same user logging in from a fully patched and protected laptop running an approved corporate image. Whether we like it or not, most organizations need to extend at least some access to the unmanaged device. Make sure your CASB can control access from these devices as well as managed devices – and note that this means you’re not likely to be able to install agents or reconfigure these devices.
4. Does the CASB provide real-time visibility and control?
If data leaks for 30 minutes is it still data leakage? Absolutely. While there are some CASBs that operate entirely via API integration into major cloud apps, API-only approaches are subject to notification delays in the APIs, which may mean minutes, even hours of data leakage before something like an external share can be revoked. Only a hybrid approach, which leverages both API and proxies ensures total data protection.
5. Can the CASB encrypt uploaded data?
Many organizations will decide that encryption is the best way for them to safely adopt cloud apps. If this is even a consideration for your company, make sure that you’re covered, as many CASBs do not offer encryption functions. Also beware that it is common for CASB vendors to weaken encryption in order to preserve application operations like search and sort.
6. Does the CASB protect against unauthorized access?
Visibility into suspicious activities is helpful, but is usually too little too late. You want proactive protection against unauthorized access, something only a CASB with integrated identity management can offer. So for that often cited example of “detecting” a user logging in from two locations simultaneously, wouldn’t it be better if the CASB could force a step-up to multifactor authentication on both devices as soon as the rogue session is attempted?
7. Can the CASB help me detect risky network traffic, such as shadow IT or malware?
Understanding the unsanctioned apps in use by your employees is helpful, but what if that isn’t the riskiest traffic leaving your corporate network? Leading CASBs have moved beyond simple shadow IT discovery to rank and prioritize the riskiest traffic on your corporate network – whether that is shadow IT, malware, anonymizers, etc.
8. Will the solution introduce scale or performance issues?
Look to CASBs that have deployed on a global, high performance infrastructure. Appropriately architected and deployed, a CASB can actually have a CDN-like effect on your cloud applications, increasing performance versus going direct to the app!
CASBs are the most effective way to ensure a secure, compliant cloud deployment. By asking these 8 questions, you can ensure that you select the right vendor for your organization. Learn more about CASBs here.
September 9, 2016
By Paul B. Kurtz, CEO TruSTAR Technology and Member of Board of Directors, Cloud Security Alliance
“Change or die” is an old phrase computer programmers use to highlight the speed of change in a world of innovation. Its implications go beyond programming and underscore the precarious situation we find ourselves in today. The Washington Post’s Sept. 5 article on U.S. intelligence agencies’ investigation of a “broad covert Russian operation in the United States to sow public distrust in the upcoming presidential election and in U.S. political institutions” through cyber attacks is disturbing but should not be surprising. Russia, China, Iran, North Korea and non-state adversaries understand our dependence on cyber systems as an Achilles Heel of our economic and national security. What is more disturbing is the Federal government’s inability to help. The private sector must now rapidly expand its capabilities to work together to secure cyberspace. The Cloud Security Alliance is taking the lead.
Joshua Cooper Ramo in his book “The Seventh Sense” helps us better understand our traditional national security structure and how our levers of power and current strategy are of limited value in the networked world. Ramo states, “And while we know that effective foreign policy or politics or economics can’t be improvised, the speed of networks now outstrips the velocity of our decisions…” In cyberspace this means sanctions and indictments are necessary, but they take too long to apply to prevent the propagation of attacks. A military response to attacks leaves us waiting and wondering what, if anything, will happen. Even if force is used, we can expect a very high threshold before action is initiated.
Russia’s alleged activities are particularly worrisome as they involve corruption or manipulation of systems and information. Typically we think of breaches, disruption, theft, but we do not think about how information can be surreptitiously corrupted or manipulated. Yes, the Cold War brought us disinformation, but not at Internet speed. Ramo states,
“Even though the connected age lets people around the world see crises and measure problems with unprecedented precision, our leaders can do almost nothing about them.”
The connected age brings good but also allows for mischief that traditional democratic institutions are ill suited to handle. Recall the New York Times Magazine’s June 2015 report on “The Agency,” which operates inside a nondescript building in St. Petersburg, Russia, with “an army of well-paid trolls” focused on causing havoc, including in the United States. Ramo continues,
“Many new challenges exhibit a worrying nonlinearity. Small forces produce massive effects. One radical teenager, a single misplaced commodity order, or a few bad lines of computer code can paralyze an entire system. The scale of whiplashing grows every day, because as the network itself grows it turns pin-drop noises into global avalanches.”
As government flails, companies continue to independently defend themselves, spending more money on software, hardware and personnel. Adversaries remain steps ahead, developing and sharing tools to defeat firewalls, anti-virus systems, authentication, and behavior-based detection systems. The costs of defending against attacks are going up, while at the same time the costs of conducting attacks are going down, according to recent reporting (see Graphic A).
With the ongoing investigation of Russia, we must assume that their intent extends beyond seeking to influence or unsettle our democratic institutions. We must also assume they are not the only adversary recognizing our acute vulnerabilities. There are other ways corruption or manipulation of data could cause uncertainty and panic. For example, witness the recent press in Bloomberg Businessweek over MedSec’s partnership with Muddy Waters to short sell St Jude Medical’s stock over a possible pacemaker vulnerability. It is unclear whether there really is an exploitable vulnerability, yet the stock has traded down.
All of these signs seem to be screaming, “we must change.” Change must be driven by the private sector as the traditional levers for government to protect us are limited and do not work in the networked age. The first step is beginning to work together — rather than independently — to defend ourselves. This is not a call for the private sector to take up cyber arms and attack others. Such a strategy is fraught with legal and technical challenges. Rather, this is a call for connective defense. A recent study showed that 39 percent of attacks could be thwarted through collaboration between companies. (See Graphic B.) The challenge for companies to date has been balancing market and reputation risks with a return on investment in exchanging incident data. The Cybersecurity Act of 2015 addressed legal challenges, but security and ROI on collaboration have remained elusive.
We can use the power of networking and technology to turn the tables and begin to stabilize cyberspace. The technology exists to exchange incident data securely between vetted parties. Anonymity and redaction allow vetted companies to exchange incident data without market risk or exposing personally identifiable information. This data is correlated, providing immediate insight to users. Attack trends and exploits are tracked, and users can securely collaborate with each other. Indicators of compromise and supportive context can be downloaded from the platform by vetted members to help defend systems before an attack. In the wake of an attack, a company can enrich what it knows about an incident and quickly understand whether others have experienced similar events and if mitigative measures are available. Incident exchange and collaboration are affordable and scalable.
Several companies have quietly started exchanging data already, including members of the Cloud Security Alliance that are using TruSTAR as the technology backbone of their exchange. As the private sector begins to collaborate, new avenues of protecting ourselves from adversaries will become clear, and the costs to adversaries will increase as risks of contagion are reduced. We can turn the tables, but we have to accept real change.