What Coronavirus can Teach us about CyberSecurity February 28, 2020
Posted by Chris Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.Tags: adaptation, Chris Mark, coronavirus, data breach, disease x, johari, risk, RSA, security, threat, virus
add a comment
The 2020 RSA CyberSecurity Conference was held recently in San Francisco, California. There were some notable companies that elected to not attend this over safety concerns related to Coronavirus. On February 25th the mayor of San Francisco declared a state of emergency for their city over Coronavirus fears.
This state of emergency was declared is in spite of the fact that there are no confirmed cases of Coronavirus in the city. Mayor Breed, in discussing her prudent steps stated: “We see the virus spreading in new parts of the world every day, and we are taking the necessary steps to protect San Franciscans from harm…”
First identified in Wuhan, China in late 2019, Coronavirus (covid-19) has reportedly infected over 80,000 people worldwide and has resulted in over 2,700 deaths on several continents. Recently, the World Health Organization identified the newly identified Coronovirus as a potential “Disease X”. “Disease X” was added to World Health Organization’s “Prioritizing diseases for research and development in emergency contexts” list of illnesses. This list includes such diseases as the Crimean-Congo hemorrhagic fever (CCHF), Ebola and Marburg virus disease, Lassa Fever, MERS, SARS, Nipah and henipaviral diseases, Rift Valley fever and Zika. Importantly, “Disease X”:
(…represents the knowledge that a serious international epidemic could be caused by a pathogen currently unknown to cause human disease, and so the R&D Blueprint explicitly seeks to enable cross-cutting R&D preparedness that is also relevant for an unknown “Disease X” as far as possible) (emphasis added).
What can the current Coronavirus situation teach us about cybersecurity?
Reflecting upon the situation in San Francisco and the WHO’s statements, it is possible to utilize the Johari Window to analyze the situation. The Johari Window[1]developed by psychologists Joseph Lutz and Harrington Ingram in 1955 and reintroduced to the American Public in 2012 when then Secretary of State in referencing Iraqi Weapons of Mass Destruction stated:
“…there are known knowns; there are things we know we know. We also know there are known unknowns; that is to say we know there are some things we do not know. But there are also unknown unknowns—the ones we don’t know we don’t know…it is the latter category that tend to be the difficult ones.” (paraphrased)
The Johari Window identifies four panes of knowledge. They include: The “known/knowns” where both the person and others know of a given situation. There is the “Known/Unknown” where the person knows and others do not know of a situation. Consider a personal secret that has not been shared with others. There is then an “Unknown/Known” where the situation is not known the person yet is known to others. In simple terms think of a surprise birthday party where everyone but the birthday boy/girl is aware. Finally, there are “unknown/unknowns” where neither the party knows. This is the truest example of an ‘unknown’ and represents, the most difficult situation to analyze because it truly represents a position of ignorance on both parties.
In 2016 the World Health Organization identified that there was a conceptual, although yet undefined threat that was both unknown to others and to themselves but they understood that, theoretically, existed and would present a major risk if and when it was eventually realized. This, they proactively identified as ‘Disease X’. This was the ‘unknown/unknown’ in the Johari Window until the time that it was identified as Coronavirus.
It is now a ‘known/known’ threat although countries are still struggling to identify how to deal with the risk it presents. Until it was actually realized, however, there was little any country could do except wait until it was realized. Once it was identified, then actual defensive and protective measures could be put into place to address the threat.
In much the same way, organizations dealing with cybersecurity today are presented with the ‘unknown/unknown’ of the conceptual “Disease X” threat in cybersecurity. This is any yet unidentified and yet predicted threat that may impact their organization in the not too distant future. Companies are faced with attempting to develop security and continuity plans for a threat that they do not yet know exists and what specifically that threat encompasses. On a nearly daily basis, however, a ‘Disease X’ arises in cybersecurity and companies are forced to react quickly and decisively to address such threats. Adding to the threat is the fact that these threats are not naturally occurring and are, in fact, created by humans – intent on creating harm.
Compounding the problem of the ‘unknown/unknown’ is the idea of threat adaptation in known threats. While not modified by naturally security processes, security strategies, like those of disease control must also deal with threat adaptation. Using the Coronavirus as an example, according to a South China Morning Post article posted on February 4th, 2020 Chinese scientists had already:
“…detected “striking” mutations in a new coronavirus that may have occurred during transmission between family members.” It further states that: “While the effects of the mutations on the virus are not known, they do have the potential to alter the way the virus behaves.”
It has been well established that Influenza virus ‘shift’ and ‘drift’ antigenically. Without delving into the specifics of how these occur, according to the Center for Disease Control and Prevention, states that:
“When antigenic drift occurs, the body’s immune system may not recognize and prevent sickness caused by the newer influenza viruses. As a result, a person becomes susceptible to flu infection again, as antigenic drift has changed the virus enough that a person’s existing antibodies won’t recognize and neutralize the newer influenza viruses.”
While not a direct corollary to a natural viral drift or shift, human actors respond in a similar way when attempting to commit criminal acts. They ‘adapt’ to the changing security environment and are defined as ‘adaptive threats’. According to the Department of Homeland Security’s Security Lexicon, Adaptive Threats are defined as:
“…threats intentionally caused by humans.” It further states that Adaptive Threats are: “…caused by people that can change their behavior or characteristics in reaction to prevention, protection, response, and recovery measures taken.”
In short, as defenses improve, threat actors change their tactics, and techniques to adapt to the changing controls and prevent the established controls from identifying and protecting against the newly adapted threat. As the threat actor improves their capabilities the defensive actors necessarily have to change their own protections. This cycle continues ad infinitum until there is a disruption. This recurring cycle is known as the Defense Cycle.
Consider medieval castles. Originally, they were built of wood. Those assaulting castles would simply use fire to burn the castles to the ground. Castle makers then built Castles of stone. Assaulters then created siege engines to knock down the walls or began digging under the walls to ‘undermine’ them. Castle walls were made larger and stronger and were nearly impenetrable until cannons were introduced. Even in situations where the attackers could not ‘storm the castle’ they would simply lay siege and starve the inhabitants until they capitulated. This is a classic example of threat adaptation and the defense cycle.
In a more relevant and timely example consider a standard network with security controls applied commensurate with the identified risks. An attacker may try an attack against the network layer. If this is ineffective and the incentive is great enough the attacker will likely modify their behavior and attack methodology to attempt to circumvent some other control. This process continues until a resource has been compromised.
Applying the concepts addressed in this article, a newly identified or developed exploit is the proverbial “Disease X”. As it has not yet been identified, the organization has no definitive defense against it. Once it is identified and known, then the company can begin identifying new controls to address the newly identified risk. The attacker will then, once again, modify their behavior. As stated, this cycle can continue ad infinitum.
In 2020, organizations are dealing with myriad threats. First there are the ‘unknown/unknowns” that represent the “Disease X”of the cyber attack world. These may include new attack vectors, or zero day exploits. Secondly, organizations are faced with defending against motivated, determined adversaries who are not only is focused on attacking networks and resources but are continually adapting their strategies as defenses improve. While not a direct correlation, by looking at nature and how diseases impact our society, organizations can better understand their own security strategy and risk management practices.
Equifax’s History of Hacks and Music Majors September 19, 2017
Posted by Chris Mark in Data Breach, Uncategorized.Tags: credit freeze, data breach, Equifax, hack, krebs, PCI DSS, susan maulden, W-2
add a comment
Let me get this out there first. People are making a lot of noise about Equifax’s (no former) CISO (Susan Maulden) being a Music Major in college. So what? Information Security really has only been a ‘profession’ since about 1998 or so. I know MANY CSOs and CISOs that do not have technical degrees. While I am currently working on a Doctorate in CyberSecurity my undergrad was political science and I have an MBA. I think I am a fairly capable security professional. I think Equifax threw Ms. Maulden under the bus by trying to scrub her information from the Internet. Given her prior employment (First Data, SunTrust, etc.) I cannot imagine she would have been given such a role without the requisite experience or knowledge. Until we know more...harping on her college major is simply fishing and projecting blame in the wrong area. What we do know is that Equifax has a history of being breached and has apparently done little to stem the flow of information being stolen.
Next…in keeping with Equifax’s proclivity for telling half truths while selling their own stock, it looks like there was a breach the March prior to the one in July (announced in September 2017). That particular hack included employee tax records. No doubt those execs who dumped their stock were also unaware of that breach (cough, cough).
Interestingly, Equifax provided a cryptic statement that reads: “The criminal hacking that was discovered on July 29 did not affect the customer databases hosted by the Equifax business unit that was the subject of the March event,” ..using my powers of reading comprehension it appears that they are saying that the July 29th “hacking” did not affect the SAME “customer databases” (plural) that were hacked in March. So are we to assume that in both cases customer data was compromised? According to Brian Krebs, well known security expert and researcher, the answer appears to be ‘yes’.
Adding to the fun, according to Forbes: “In one case, it had to change its ways following a class action lawsuit over an alleged lapse in security. That suit related to a May 2016 incident in which Equifax’s W-2 Express website had suffered an attack that resulted in the leak of 430,000 names, addresses, social security numbers and other personal information of retail firm Kroger. Lawyers for the class action plaintiffs argued Equifax had “wilfully ignored known weaknesses in its data security, including prior hacks into its information systems.”
I am sure we will continue to learn more about this breach and others. Stay tuned!
SwimOutlet.com Breached in 2016 – 51 days later..and after the holidays…we were notified. January 19, 2017
Posted by Chris Mark in Data Breach, Uncategorized.Tags: Breach, compromise, credit card, CVV2, debit card, dta, fraud, hack, payment card, PCI DSS, swimoutlet.com, yogaoutlet.com
2 comments
This is a post to notify those who may be affected. Yesterday I received the following letter in the mail. It was sent in a nondescript envelope and nearly discarded as ‘junk mail’. Upon opening the letter I was shocked to read that my wife’s credit card data appears to have been compromised at SwimOutlet.com. It should be noted that the same infrastructure is used by YogaOutlet.com. In reading the letter provided to the State of Oregon’s Attorney General, it appears that over 6,200 Oregon residents likely had their data stolen.
Within the letter there is a curious statement that says: “The information at risk as a result of this event includes the cardholder name, address, phone number, email address, card number ,expiration date, and CVV“. For those in the credit card industry the inclusion of CVV is very troubling. Under the card brand operating regulations and PCI DSS standard, it is prohibited for a merchant to retain CVV subsequent to authorization of the charge. This particular type of data (actually the CVV2 or equivalent data) is what is needed to authenticate a transaction. In short, the likelihood of fraud increases exponentially when a criminal captures CVV2 type data. It is certainly curious that this ‘prohibited data’ is listed as an element that may have been stolen.
In reviewing the SwimOutlet.com website I notice a conspicuous absence of any form of notification on their website. Their blog is filled with helpful tips on swimming better and eating better but there is no mention of the fact that their user’s credit and/or debit card data was stolen. A review of their Facebook page has the same conspicuous absence of any notification or information. Their Twitter feed is also absent of any information.
If one looks at the timeline of events, there are some disturbing (to me, at least) items. On October 31st, 2016 SwimOutlet.com “…began investigating unusual activity reported by (our) credit card processor.” On November 28th, 2016 SwimOutlet.com received ‘confirmation’ that their systems were ‘hacked’ yet the notice states that data may have been compromised as late as November 22nd, 2016. I have been involved in numerous data breach investigations and incidents. “unusual activity” notifications by credit card processors are ‘notifications of fraud’. This is a major red flag that the merchant HAS been breached. The notice then provides a qualified statement in saying that the beach: “…may have compromised some customers’ debit and credit card data…” Again, if notified by the credit card processor then the data ‘may not’ have been compromised it almost certainly was compromised.
What is most disturbing to me is that SwimOutlet.com had confirmation on November 28th, 2016 that they were breached. They had confirmation as early as October 31st, 2016 of ‘unusual activity’ yet chose to wait until AFTER the holiday season to notify affected consumers. Criminals are not stupid. They steal credit card data before the holidays to be used over the holidays when the fraud systems are often ‘detuned’ by retailers and the volume of transactions creates noise in which fraud is often harder to identify. By waiting until January 12th (we received the letter on January 17th, 2017) it created a situation in which we were blissfully unaware that our data had been breached. If we had been notified before the holiday season, we could have cancelled the card immediately and been saved the inconvenience and possible cost associated with this situation.
In the notice SwimOutlet.com does: “…encourage (me) to remain vigilant against incidents of identity theft and fraud.” This would have been sage advice BEFORE the holiday season. It begs the question why a major online retailer would wait until after CyberMonday and after the holiday season to notify of a breach?
Finally, SwimOutlet.com reassures the recipient that “We take the security of our customers’ information extremely seriously…” and that: “…you can safely use your payment card at http://www.swimoutlet.com”. In light of the method and delay of notification I am going to personally take my business elsewhere.
”Active Responses” to CyberAttacks are Losing Propositions May 22, 2014
Posted by Chris Mark in cybersecurity, Data Breach.Tags: active, active response, Chris Mark, cybercrime, cybersecurity, data breach, data security, deterrence, fight, InfoSec & Privacy, PCI DSS, response, security
1 comment so far
“Everyone has a plan until the’ve been hit” – Joe Lewis
Having spent numerous years providing armed and unarmed physical security in combat zones, hospital emergency rooms, psychiatric wards, and anti-piracy operations off the coast of Somalia has given me a deep respect for force continuum and the dangers of unnecessarily provoking an escalation by a volatile and dangerous adversary.
As cyberattacks continue to plague American companies as well as the payment card industry, there is a growing voice within the cybersecurity industry to allow and empower companies to take offensive action against cyber attackers. This is frequently referred to as ‘hacking back’ or ‘offensive hacking’. Several prominent security experts as well as some companies who have fallen victim to cyber-attacks have begun advocating that ‘a good offense is the best defense’. On May 28th, 2013 there was an online discussion in which an author of the upcoming book: The Active Response Continuum: Ethical and Legal Issues of Aggressive Computer Network Defense[1] posted the following excerpt:
“There are many challenges facing those who are victimized by computer crimes, who are frustrated with what they perceive to be a lack of effective law enforcement action to protect them, and who want to unilaterally take some aggressive action to directly counter the threats to their information and information systems.”[2] (emphasis added) (more…)
Beating an Old Drum October 27, 2012
Posted by Heather Mark in cybersecurity, Data Breach, Industry News, InfoSec & Privacy.Tags: cybersecurity, data security, Dr. Heather Mark, Heather Mark, InfoSec, mark consulting group, privacy, security
add a comment
It’s the end of what has already been a tough year for data security. And the news just got worse. South Carolina has announced that its Department of Revenue suffered a major breach. The breach is so massive, in fact that more than 75% of the state’s residents have been affected. The compromised data consisted of the (unencrypted) social security numbers of more than 3.6 million residents. Also included in the breach were about 390,000 payment cards. Most of those were encrypted, though.
This is disturbing on a number of levels. I find it curious, for example, that while encryption was deployed, it was only deployed on payment cards (and not even on all of those). Consumers have built in protections on payment cards. As long as those cards are branded by one of the major card brands, consumers are protected against liability for fraudulent transactions. The far more sensitive data, the social security numbers, were not encrypted, though. This defies logic. Consumers have little to no protection against misuse of SSNs. Not only can very real financial damage be done, consumers have to spend enormous resources (time, money, emotions) in untangling the identity theft knot that comes with stolen SSNs.
Secondly, in the wake of the breach, Governor Nikki Haley issued an executive order that read: “I hereby direct all cabinet agencies to immediately designate an information technology officer to cooperate with the State Inspector General who is authorized to make recommendations to improve information security policies and procedures in state agencies.” WHAT? If I’m inferring correctly, it seems that these agencies didn’t have an information technology officer already?? That is very troubling, particularly considering the types of data that state agencies hold. After 3.6 million (out of about 4.7 million) residents have had their sensitive data stolen is not a great time to decide that data security and privacy should become priority.
Private sector organizations have been working for years to shore up their data security, and in some cases (PCI DSS, HIPAA/HITECH, GLBA, SOX, state laws) face real consequences for failure to protect that data. It’s long past time states put forth the same level of protection. On the plus side, the state did comply nicely with its own data breach notification law.
Global Security, Privacy, & Risk Management 