Why Doing Nothing is Risking Everything
Your Company Is Getting Hacked, What are You Going To Do About It?
Me and Michael McCaul
Chairman of the House Committee on Homeland Security
Special Investigator for Cyber Threat Prevention
by Robert Bluestein
How Businesses and Our Military Apparatus are Risking Everything by Doing Nothing with Regards to Protecting Sensitive Data
''There are three ways in which you can find out about a security flaw. (1) You can hire someone to find them (2) You can find them yourself, or (3) You can suffer a Cyber-Attack attacked and react to the consequences.''
Katie Moussouris, Founder of Luta Security
You get an email one day from a trusted friend that has a word document attached to it. You click on it, and suddenly, without you even realizing it, pandora's box has been opened. The simplicity is due to a flaw in Internet Explorer. Your hacked system and all your passwords and online financial business has just been cloned and sent to an unknown person(s). And worse still, it can be months before you are even aware of the theft. It's really that easy....and our Security is far behind. If you are in the constant phase of evaluation, each and every day can and probably IS costing you.
In the Hacking world, the term is called ''Zero Days.'' The reason is simple. They hack into a system and hold the corporation hostage. These hackers will also compile your information and sell it abroad. And even more directly, they simply seize the moment and empty your bank accounts within minutes. Corporations can have vulnerabilities exposed that critically hurt their reputation, force them into legal matters, and otherwise destroy the financial credibility of a company. And as for the defense of our nation goes, complex algorythyms that are now operating at super-threading speeds unlock combinations to everything from anti-aircraft defense systems to missile-launch units. Everything, from the electric grid to our cellular phones are at risk.
''Zero-Days'' represent a severe threat. Soon, an undisclosed computer software vulnerability are revealed that hackers can be used to adversely affect computer programs, data, additional computers or a network. It is known as a "zero-day" because it is not publicly reported or announced before becoming active, leaving the software's author with zero days in which to create patches or advise workarounds to mitigate its actions.
These holes could be from everything from the camera on your I-Phone to the webcam on your computer, all the way to the Data-Center at the Pentagon. And if these holes aren't fixed, hackers can send 'torpedo's' to breach the target. The implications are profound and far-reaching.
For leadership of Small-Medium Sized businesses, the cost for even consultation on matters of security can be prohibitive. If we are going to understand what threat intelligence actually is, it best requires organizations to understand themselves first and then understand the adversary. The next step is to try to project forward because any security assessment and implementation is going to take time. The last thing that needs to happen is for a deployment to take place on data that is aged.
Every year in Seattle there is an unusual competition. Hackers compete for half-million dollars in order to break into commonly used applications like Safari and Adobe Flash. In one case, hackers were given four hours to hack into Adobe-Flash, a task that one team accomplished in under two minutes. The company, ''TenCent Security Sniper'' easily found a flaw which would have opened up the personal files of a BILLION people.
The team that won admitted that they could have sold the ''Zero-Days'' and would have been offered millions for the information. But far more sinister than simply exposing the personal files over nearly 1/7th of the earth's population, the security flaw revealed something far worse. Imagine if you were simply browsing the internet, is such a bug is involved, it can take the users control and take full control of the system. The hacker can then locate the users bank-account information and drain it, all within minutes.
For Adobe-Flash, the discovery of a Zero-Day in just under 120-seconds was a wake-up call. They had no idea that a vulnerability as glaring as this was even there. Amazingly, while they work feverishly to fix one vulnerability, they can create two more. As one can see, staying ahead of the technology curve requires an ongoing team of people whose specializations in security operations is top-notch.
Chrysler paid the price back in 2015 when two hackers were able to break into Chrysler with specific computer solutions. Their impact was unbelievable. By targeting the ''head-unit'' - where the radio display was, there was an attachment to the Internet.
Hackers could 'talk' to it and expose the vulnerability. It took them nine months to fix it. With this knowledge, you could be stopped at a light, and the brakes would go off. The car would steer itself remotely and even flip into the neutral, affecting millions cars. Car companies haven't explored such vulnerabilities and they don't seem to be protecting themselves against it.
Modern day cars are smartphones on wheels - and just like any computer, vulnerable to hackers. The change in technology finally caused Chrysler to offer a ''Bounty'' to anyone who could uncover a security flaw in their on-board computers. One-after-another vulnerabilities were discovered. In response, Chrysler would put together a team of analysts to manage the on-board computer systems. But the costs are high and the impact is felt all the way to the customer.
Acting before the event – Advance Threat Management
If you are looking to hire a company to keep your business safe, consider Intellalag. This is one of the few that monitors the 'Dark Web' for details which would compromise sensitive data. As I wrote last month, these attacks are happening at a record pace. Consider this case study from their website, a law enforcement agency was breached recently in an undetected attack. The hacker, who was unhappy about recent work by the agency, published their entire employee roster with home addresses, phone numbers and other personal details. They discovered the severity of the situation and contacted the affected agency who then took action to close the security hole and alert the affected parties before the story came to light in the media.
What is the marketplace for hackers to sell their ''Zero-Days?''
Part of the problem is that companies rarely understand their Microsoft EA Agreements, and Microsoft (and companies that license software) only do audits every so often. So IF your software isn't 'technically' legal, you are unable to 'Patch' it or protect it with the latest fixes. Even large companies have a mismatch of users to licenses and Application-Lifecycle Management is rarely in a silo by itself. The same person responsible for putting together Purchase Orders will also be in charge of Application Lifecycle Management. In other cases, it can be a Mid-Level Manager who is entrusted with this information. But in almost every customer I have ever encountered, there is seldom an agreement on how to manage compliance and license agreements using out-of-date toolsets. (I have always advised my customers to set up programs that align with what auditors will use so that you get the same datasets and comparable analysis.)
I have seen companies facing an audit make ''Panic'' buys because they feel compelled once they receive an audit notice. Auditors will note that the receipts of the date the licenses were purchased will match too closely to that of the letter that they received, and this raises red-flags almost immediately.
But herein lies the enabler of poor compliance controls with regards to a cyber-attack. Huge numbers of people do not patch their software. This occurs when businesses lose track of all of their licensing or otherwise lose them in their many complexities. So firm-ware upgrades, virus protection, and malware intrusion can happen more and more regularly. The result is that before long, you have left a huge attack surface.
Businesses should be making sure that all licensing is compliant and up-to-date. Take the time to assess where end-users are getting their applications that are so frequently downloaded to their handheld devices. Defending your landscape may happen in stages, or it may happen at once. But one thing is certain - a person on your staff who is a Predictive Cyber-Threat Analyst is an invaluable resource and worth every dollar. It is the difference between reactive and pro-active IT practices.
Hacking in China and Russia have become a military operation. Its missions are that important and we have been open game for this behavior for decades. How do protect our data?
What can we do in a world where it seems like the bad guys are far ahead? How can companies reassure their customers that sensitive data, bank-accounts, medical history and any other personal data remains protected from cyber-enabled theft of intellectual property? How do we retain the confidence of the stock-holders who can see their investments crash in a single day?
Operation Aurora, out of Shanghai, broke into Google, Coca-Cola, Yahoo, Rack-Space and Adobe. The amount of Intellectual Property stolen virtually crippled many of its victims. Yet, we finally stood up against this cyber-crime.
Operation Aurora was the first time an American company had the courage to stand up and blame China directly. Google lost sensitive source-code which helps them in comprehensive search-engines. The result was a backward piece of detective brilliance to locate the source.
The Chinese have attacked everything from Business Negotiations to Diplomacy to University Professors to Law Firms and even Retail Outlets. As a result, America put sanctions on China, limiting the type of American technology and intellectual data they could acquire, but to many, this was a measure taken far too late.
In addition, Operation Aurora was run by the DHS Control Systems Security Program, that operation was focused on hacking into a 27-ton generator — 4,000 pounds heavier than an M3 Bradley tank — and opening its circuit breakers long enough for the machine to slip out of sync. This caused the generator to experience “tremendous over-torque stresses,” causing it to blow up. To many in the Cyber-Threat world, this was simply a dress-rehearsal. For to the outsider, America looks like it is full of holes and weaknesses to our own day-to-day infrastructure. Many are left wondering, ''To what extent can America be brought down without firing a single shot?''
Military and Business analysts alike were part of the planning for a test to determine American vulnerability to Cyber Attack. This particular test, which lasted all of three minutes, took almost a full year to plan, was all done to prove the existence of a cybersecurity flaw and was called the “Aurora Vulnerability Project.”
This vulnerability deals with what are called digital protective relays which manage circuit breakers in generators, motors and other parts of power grid substations. All of America’s infrastructure relies on these protective relays to make sure the machines that run our country don’t go out of sync. Think about the scenario - not just for Brokerage Houses that do trillions of transactions a second, but to hospitals, first-responders, and prisons. The question that we must answer is this: Is America suited for the chaos of a mass cyber-attack?
What this project proved is that hackers could quite easily override our infrastructure’s defense mechanisms and turn it against us, affecting facilities like oil refineries, water plants, and chemical factories. Consider the effect on an internal and Private Cloud. Structured Query Language (SQL) injection is an attack technique that attempts to subvert the relationship between a webpage and its supporting database, typically in order to trick the database into executing malicious code.
Once this happens, all of the applications connected with it are at risk.
And we know about the security of our own State Department and Internal Revenue Service. The head of the IRS, John Koskinen, testified before congress in 2016 that the notebooks used by IRS to conduct lengthy studies were in fact running on Windows-2007. Not only is this platform NOT supported, but it is also out of COMPLIANCE, meaning that the IRS would ironically fail its own audits. No less than FIVE different nations are confirmed to have hacked into sensitive State Department Email, all due to a personal decision that may have cost the American public very dearly in the long run. Once again, it's not the machinery - but its the people.
As for Operation Aurora, it began - as far as we can tell - in 2007 and ran all the way until 2015. How did we determine that China was behind the attack? We played their game, sending them phishing emails. Once we were able to determine where the majority of the machines were coming from, we then looked into social engineering to learn about how these people clicked on links with malware payloads. In some cases, it was done with Instant Message. By tracking the command-control connections, we found an exact place in Shanghai's most densely populated business area.
There seems to be a central location for cyber-warfare in China. Located in just one building, 61398 Shanghai. They have high-end communications and while it isn't as secure as an American military base, but this IS a military installation. The Chinese are very much behind these attacks, and to them it is just an extension of the Cold-War End Game.
Unit 61398, Shanghai
The Peoples Liberation Army is the armed forces of the working wing of the Chinese military. Cyberwarfare has gained recognition as a valuable technique because it is an asymmetric technique that is a part of Chinese Operations and
Information. As is written by two PLAGF Colonels, Qiao Liang and Wang Xiangsui, "Methods that are not characterized by the use of the force of arms, nor by the use of military power, nor even by the presence of casualties and bloodshed, are just as likely to facilitate the successful realisation of the war's goals, if not more so.''
Many Americans don't realize that regardless of how the Chinese companies are owned and operated, there will always be Chinese Communist officers in the same building. Nothing is done without the state's knowledge.
In 2014, The US Department of Justice issued indictments on six Chinese nationals for crimes against corporate America. Chinese Military Hackers, members of the Chinese Peoples Liberation Army for Cyber-Breachers are now on the FBI's most wanted list. We were proving specific facts and specific people that gave up the information of the person behind the keyboard. The kind of trade secrets that keep economies growing and other corporate negotiation tactics were stolen and had critical effects on the US Economy and undermined trust that Americans have in our own Corporate America.
One such company is American Super-Conductor. They specialize in making wind-turbines and super-conducting wire. To secure their data, source-code was kept on an offline server. But in 2011, one of the employees took a $2M bribe to extract the source code and hand it over to the Chinese. The employee, Dejan Karabasevic, wasn't real smart. This was a guy who documented his entire theft, all of the bribes and used Skype to send much of the data. The fallout was that the company devalued in half in one day, collapsing the stock. The PLA has continued to have American Super Conductor even after they were caught.
Economic espionage sponsored by the Chinese government is costing U.S. corporations hundreds of billions of dollars. They're targeting our private companies. And it's not a fair fight. A private company can't compete against the resources of the second largest economy in the world. Security companies are there to put up a castle-wall when the opposition has aerial superiority. John Carlin, assistant attorney general for National Security recently was quoted as saying on 60-Minutes, ''...This is a serious threat to our national security. I mean, our economy depends on the ability to innovate. And if there's a dedicated nation state who's using its intelligence apparatus to steal day in and day out what we're trying to develop, that poses a serious threat to our country.''
This is not a pre-cursor to Chinese taking over America. It IS already happening. The Wind-Turbine, to add-insult-to-injury, was a Chinese made turbine and sold back to the USA was running on the stolen source-code. The software is stolen, the turbine hardware is re-made, copied almost to perfection, but there were flaws. They passed that information onto future turbines which ended up costing ASC in terms of time, money and resources.
The administration holds out on decisions regarding sanctions. One of the trade secrets stolen wasn't even secret. They were stealing the formula for the color white. Driven by profit, they will manufacture their own paint and compete against American paint companies. Recipes for frozen foods and chemical compositions for how those tiny metal clips used on the edge of raw hamburger meat are stolen too.
The U.S. Government has been known to pay hackers for 'Zero-Day's in the past. Certain scenarios are terrifying to imagine and we -----Our specific part to play includes developing the ongoing Coordinated Vulnerability Disclosure Policy and program for the Department of Defense. This innovative program will serve as a model for handling vulnerability disclosure for the rest of the US government.
Companies Leading The Way In The Cyber-Security War
It often doesn't make much sense to start a bug bounty right away if an organization has no real way to fix the issues that might be uncovered. The cost-effectiveness for such an insurance program might not justify the B2B impact that might be required in order to fix the issue. Companies that provide Technical and Security guidance are partners a company would want to retain.
Perhaps one of the best companies in Predictive Threat technology is Cylance. Its use of Artificial Intelligence is a first and highly successful venture. This company has a product called Threat-Zero© and there are some great case-studies that tell their story. Oil and Gas is a fast growing and rapidly changing industry that has more and more impact at a worldwide level.
Cylance® was selected as a Finalist for "Best Enterprise Security Solution" and "Best Emerging Technology" in SC Awards 2017.
Their Artificial intelligence based CylancePROTECT® is listed among the top five technologies honored in two categories of revolutionizing cybersecurity through the use of artificial intelligence to proactively prevent advanced persistent threats and malware. These categories honor the most cutting-edge, evolutionary solutions and technologies that have helped to strengthen the IT industry within the last two years.
The ROI on using Artificial Intelligence makes this attractive and largely risk-free to the customer. Its platform is scalable and addresses a number of present day cyber concerns as well as flexible in terms of current deployment. Gartner certainly thinks high of them too, as they were named by Gartner as fastest-growing endpoint security company.
As I mentioned earlier in the article, Cyber-Threat analysis includes being in-front of what the threats might be. One of the keys is to understand how we remediate after a Cyber Attack. It is the first company to use artificial intelligence, algorithmic science and machine learning to cybersecurity to prevent the most advanced security threats in the world.
One particular customer, an Oil and Gas company, was looking for a solution that would be more effective than the traditional antivirus technology it had been using for several decades. It switched antivirus technology in 2011 in a bid to improve detection rates, but the new product failed to show significant advantages and resulted in excessive latency on many machines.
In addition, support for their many different Operating Systems presented additional challenges. The firm responded to an ad which promised that the Cylance® next-generation endpoint solution, CylancePROTECT, would have far higher efficacy in stopping malware and would not slow machines or otherwise hurt performance. The company started with a six-week Proof of Concept (POC) during which CylancePROTECT ran on a limited number of endpoints. CylancePROTECT was so successful in this initial pilot that halfway through the POC, the company chose to go ahead with an aggressive rollout, putting CylancePROTECT on all of their endpoints as quickly as possible.
The results were outstanding. The company continued to run its traditional antivirus product for about a month after deploying CylancePROTECT, but then pulled it off all systems after realizing a second solution was no longer needed. Seven months after deployment, the firm’s director of information services reported that the company had not identified a single piece of malware that had gotten past CylancePROTECT.
You can read about Cylance and their case-studies in particular at
https://cdn2.hubspot.net/hubfs/270968/All_Web_Assets/Case_Studies/EnergyCaseStudy.pdf?t=1481924479842
Consider Absolute Software, which has found a way to use persistence technology, a module embedded in the firmware of laptops, tablets and smartphones mobile devices always connected to the IT organization. Alert Management takes a novel approach, keeping log management, intrusion detection and vulnerability scanning and management and does this from a central location. White Cloud Security uses a program called Trust Lockdown that implements the number one type of breach prevention that is used by several governments.
Others have simplified Cloud Security that is attractive to the SMB space. Duo Security specializes in two-factor authentication and device security fraud prevention. There is an incredible bang-for-your-buck and an ROI for customers of Duo.
CipherCloud is one of a growing number of cloud security vendors that can identify Shadow IT and the unauthorized use of cloud applications across an organization’s network. CEO Pravan Kothari has found a special and unique place in amongst Cloud Security Companies.
John Di Santis is the CEO of HyTrust and this is a company on the move with real differentiation. His company continues to improve upon a cost-effective and very disruptive technology with regards to Could Security and Virtualization. HyTrust secures virtualized environments and can identify misconfiguration issues. It can identify, detect, and even suggest appropriate fixes within specific parameters. What makes HyTrust such a popular choice is that as an appliance based device, it has flexibility in every vertical. Successful customers include the banking community, state and social institutions and even in the art community.
A little over a year ago, HyTrust released a new and interesting product. Called CloudControl, the virtual appliance that resides between administrators and VMware vSphere in a manner that adds critical and custom-defined role-based access controls, visibility and secure multi-tenancy to the virtual infrastructure. It is the perfect security compliment to VMWare's NSX.
Since the number one source of IT Malpractice is human in nature, HyTrust CloudControl can now give you have visibility that wasn't possible before. An IT Director assigned administrator can now look into all administrative activity and can prevent destructive actions, intentional or otherwise. You have the ability to assign fine grained rights via customizable roles, allowing pre-defined privilege, segregation of duties and the two man rule for high impact actions. In terms of impact on the Cloud Security landscape, HyTrust has an affordable and yet robust platform.
Other companies are finding security against cyber attacks in the useful collaboration of BioSecurity. Using thumbprint technology, ThreatMetrix can also identify web-spoofing and malware intrusion. In one of the most fascinating webpages on the web, ThreatMetrix shows a real-time map of the world with regards to where Cyber Attacks are happening. Rapid Transactional Businesses such as Stub-Hub and Best-Buy count themselves as customers of ThreatMetrix because of their ability to proactively predict when a Cyber-Attack is about to happen.
As I wrote in a previous article, the Healthcare industry seems to be the most vulnerable but they have been slow to proactively approach Cyber crimes. With ThreatMetrix, the use of Real-Time, Hassle-Free Security Protection to Secure Protected Health Information Flag suspicious accounts that may be illegitimately used to retrieve PHI and medical records. (Consider the number of medical records compromised when the New York Psychiatric Institute was hacked)
ThreatMetrix also enable physicians to use their own devices while interacting with healthcare applications. This is a big plus in winning over an increasingly skeptical medical medical community. This goes a step further, protecting doctors, nurses and healthcare staff from attacks targeting sensitive PHI and medical records while building and maintaining HIPAA and HITECH compliance.
Some organizations and governments choose to move up. They have sophisticated tracking in place and are ready to build out communication channels to keep researchers and internal teams invested in the big picture.
We have to protect our country, but the fact is we are poor at identifying them. We are also poor at keeping ourselves quiet when we had the chance. Told that her phone was hacked, German leader Angela Merkel responded with a bitter defense of her privacy. ''How can anyone allow this to happen? She asked.'' In fact, wikileaks revealed that 125 German and Brazilian officials were hacked, due to a simple flaw in the system.
As we move into the 2020's, threat anticipation can cause quite a bit of heartburn. Let your focus center on holistic risks and factor people more prominently in your IT security approaches. Do not think you can maintain a competitive advantage and technical leverage by leaving security as a set-and-forget enterprise. You will need to accept evolution and indeed embrace it.
Security begins with the end-user. Password hygiene and careful security measures begin with the first person to the last person on the organization chart. Having an organization where information security awareness and responsibility belongs to everyone increases the chances that the unknowns will be identified faster.
Depending on the nature of your company, you may have to accept that losses and breaches will occur. If you can mitigate that risk and change the mindset from absolute prevention to targeted prevention combined with resiliency and a notion of acceptable loss — the approach now becomes common to biological and human systems.
Managing security is creating an innovation paradox. While we are preparing for the worst, we cannot forget to plan for the best. And yet for 40 years, security efforts stayed focused on equipment, and to a lesser extend, the data - removing the human factor in an attempt to reduce surprise and behavioral variations. As it has always been, our key vulnerability and and key line of defense are one and the same - people.
If it is your decision to sit back and see how the landscape changes, it's a high-risk, low reward approach. What you save today in letting the water leak from the ship may not be enough to save you when the hull is breached and you are on your way down---sinking to the bottom of the corporate graveyard. ***
Editors Note: Just two days after this was written, Yahoo announced that 500,000 accounts, the largest amount ever, had been hacked and all security passwords were compromised.
