Face "IT" - "To Err is Cyber's Hard Truth!" - Setting the Stage

Every adversity, every failure, every heartache carries with it the seed on an equal or greater benefit. - Napoleon Hill, Writer

From the countless recent cyber breaches, we have to accept that any organisation can be in the headlines. To put it bluntly, no one is immune. Such events can be also a blessing in disguise. Failure can help. However, while doing wrong thing right is important, we should strive to do the first thing right too. In the many openly reported breaches, we can sum up the first things to do right.
 

• Prevent: Set up proactive measures to identify past oversights and mistakes
• Detect: Maintain constant situation awareness of the organisation to identify vulnerable systems before they get exploited
• Respond: Prepare robust responses and timely actionables to isolate and recover from any damage

 
In reviewing any incident, we should always put a priority on identifying the actual root cause. The book on the incident can be out of sync if each paragraph is written without knowing what leads into it and what happens next.

Learning from failure - mother of success

Failure forms the bulk of experience, and that is your "free" content. We should not fear failure as when one fails more, the better chance you will be prepared for such future recurrences. We must tell ourselves we are better off as we move into each new chapter. The existing security posture should not be status quo, as it will lead to repeated mistakes.

How can one really filter out the "fat" and enjoy the real meaty stuff? There are massive investigation findings, tons of discoveries and uncertain implications thrown out openly. We can be lost, but that doesn't mean we're directionless. We can be non-savvy but that doesn't mean we're ignorant.

With these short assessment questions, we can tell whether the organisation is prepared or even aware of its current incident response readiness.

• Do you currently have security incident response plans in place?
• Has your organisation tested its security incident response plans?
• Are there any security incidents have you experienced in the last six to twelve months?
• Are there any readily available security incident response elements and resources?
• Will your organisation be looking to improve its security incident response capability?

 
What can we learn from the many incidents and breaches?
 
Let's look at four industry segments:

• Healthcare/Retailer/e-Commerce/Finance - Cybercriminal intrusions and theft of data
• Mobile/Cloud/Social/Education - Cyber "steroid" as linchpin to groom crimeware as a service bandwagon
• SCADA/IoT/IoE (Smart devices)/Software - Cyber "Sabotage" attempt to amplify massive infection and total destruction
• Government - Cyber "Espionage" to breach privacy and bridge covert surveillance 

 
Healthcare/Retailer/e-Commerce/Finance

These industries gather massive amounts of data that include personal identification information, financial account and transaction data and health records. The databases from those industries are top sellers in the cyber black market, and as old criminal organizations are broken up by law enforcement agencies, new ones have emerged. Unfortunate targets are leading companies whose own inaction is far more responsible for the breaches, but it will be the consumer who suffers.

The significance is due mainly to the tangible loss from the cyber crime committed. Taking a snapshot average costs of more than 617 other breaches is truly scary, but while the direct costs easily total up to some $5,400,000 in expenses per breach, the non-tangible damages cannot be neglected. Darknets and the cyber underground markets that recover quickly despite law enforcement effort to bring them down further aggregate the loss. Overall, the cumulative effect is not always just about the costly lesson but the extremely ugly consequence that an organisation has to face by an unforgiving customer.

Mobile/Cloud/Social/Education

Gartner published a strategic planning assumption that "by 2017, the focus of endpoint breaches will shift to tablets and smartphones." The company also said that "by 2016, 20 percent of enterprise Bring Your Own Device (BYOD) programs will fail due to enterprise deployment of mobile device management (MDM) measures that are too restrictive." Users bring their own devices, demand unlimited access, and will always seek the path of least security, because it's typically also the path of least friction.

Despite a security team's efforts to close the cracks that can exploit an organisation, there is one thing that cannot be closed up: users. One common trends is in the use of madware. The name, which combines the words mobile and adware, described a type of online intrusive advertising that currently affects smartphones and tablets.

There is also ransomware that restricts access to your files and apps in the device until a ransom is paid to unlock it. With the emergence of crimeware as a service in the cyber underground market, this is even more worrying as it feeds the growth of more "sales" and increases the underground supplier pool.

The whole unfortunate truth is that technology simply cannot protect companies against very human problems. Anyone can be the next "Human Zero day" unconsciously causing their own damage and loss.

SCADA/IoT/IoE (Smart Devices)/Software

SCADA is the control system for the critical infrastructures covering our daily needs such as gas, oil, water, electricity and transportation. They are the prized jewel that hackers -- often state-sponsored -- exploit to their advantage. One classic instance of such an exploit is Stuxnet that targeted Iran's uranium enrichment facilities. It infiltrates a site to steal codes and design, and included instructions that can be uploaded to control the programmable logic controllers interfacing with the SCADA control system. Such malware has potentially far more lethal massive damages and it marks a new era of uncovering more SCADA hacking attempts.

Online "zombie" computers can attack SCADA connected systems and servers through denial-of-service attacks which can easily overwhelm any online web services and knock them offline in just a few seconds. One of the security vendor shared in their threat report that there have been 133 DDoS attacks over 100Gbps so far in 2014. Another report lists the average cost per hour of assault is $40,000.

Yet another very prominent contributor to the threat landscape is the use of open software and emergence of IoE. For example, Singapore prides itself to have 1,000 sensors deployed to monitor air, water quality and public safety under their Smart Nation Platform (SNP). The smartness and innovation need to also do a check and balance to maintain a secure cyberspace with higher assurance. The relevance of open source vulnerabilities such as Heartbleed, Shellshock and Poodle are good learning lessons. We can no longer assume safety and security by default without due diligence checks.

Government

Documents from the Snowden leaks reveal a program called "physical subversion" under which the NSA's undercover operatives infiltrated foreign networks to acquire sensitive data and access to systems in the global communications industry and possibly even some American firms. The documents describe various field activities involving computer network attacks, and there's no reason to believe that the NSA has changed its behavior since then.

The advanced persistent threat (APT) community that have surfaced from the security industry, groups of cyber hackers whom are very driven with political agendas. Some may be state sponsored hackers acting under the cover of human rights and "freedom of speech". What is unique for the APT community is their modus operandi and use of a number of known and more specialised tools in their targets. These are revealed in multiple security firm and coalition firm forensic analysis and findings.

Another noticeable hacktivist group is the Syrian Electronic Army, which made the headlines by launching advanced phishing attacks against Western media outlets. Instead of using a very targeted toolkit, they built their own, including their own Linux distribution known as SEANux. This is a coordinated collection of software consisting of a customized version of the kernel together with hundreds of open source utilities, installers, programming languages and application programs.

Static defence models (e.g., antivirus, firewall and intrusion detection) upon which many companies rely are not sufficient to prevent a systemic data breach or APT. The efficient means to manage such cyber kill chains requires not only proactive measures but also more holistic and tested security controls on their attested robustness.

A recent survey of 59 US firms revealed that the cyber attacks on large US companies result in an average of $12.7 million in annual damages, and the average cost due to cybercrime per company is $7.6 million this year compared to $7.2 million in 2013.

What is more significant is average company took 170 days to detect an attack and 31 days on average to resolve cyber attacks. The longer it takes to close the breach, the more costly the damage is going to be. The survey showed that each day adds nearly $20,600 to the cost, an average of $640,000 per incident (an 23 per cent increase over 2013). Attacks involving malicious insiders took the longest time, about two months to resolve.

It's not just the government, though. Verizon Wireless will be adding cookie-like tokens to Web requests traveling over its network. These tokens are being used to build a detailed picture of users' interests and to help clients tailor advertisements, according to researchers and Verizon's own documentation -- but Verizon is not the only one. And it's easy enough for the government to acquire the data.

The stage is set - Time for quick action

We cannot let our guards down to protect our privacy. Even with transparency reports, that won't alleviate further fear that privacy can "breached" due to government reaching over ISPs and the big companies like Google, Facebook and Microsoft.
 
Use strong encryption. This already protects us as part and parcel of many established accepted security policy and standards. With those past (and ongoing) cyber espionage schemes and APT or hacktivitism activities, the use of encryption is even more important, not only to deter those adversaries' persistent attempts but also to protect businesses from competitors and foreign spies.

Address the issues of disgruntled insiders and employees to reduce the unnecessary risk exposure and always remember history of scary stories for end user awareness. It stay with user and that matters.

Resourcing must play a key part in a good security strategy, but a lack of available talent still poses a challenge to management. IT security may even need to extend to the recruitment process, complete with employee incentives, in order to place education about procedures, risks and consequences at the very heart of organisations. This measure, together with nuanced analysis of existing employee behaviours and learning from the patterns of previous security breaches to anticipate future problems.

The supply chain can be attractive target to springboard for intrustion and breaches. Everyone has to play a part in this cyber space ecosystem, including those companies that are possible avenues.

Finally, your human staff is the weakest link. But do not overrule when the going get tough, the tough get going. Build verifiable human trust link as a long term strategy.