Archives for April 2016

Exploring the Cybersphere – April 2016

This week in our blog, we offer a snapshot of cybersecurity, privacy and data security news of interest to the executive suite. Periodically, we’ll recap insights from the growing cadre of voices in this space as well as lend our own views on the issues that impact executive governance of cyber risk and response.

“Spring is when you feel like whistling even with a shoe full of slush.”
–  Doug Larson

In the northern hemisphere, April marks the first month of spring.  It’s a time of rejuvenation, as the great awakening changes the landscape. It is a month that touches the poet’s fancy. From my perspective, any month that starts with a day known as April Fools’ Day is worth recognition. I’ll share the April Fools joke that is number one on many lists. In 1957, the BBC news show Panorama announced that thanks to a very mild winter and the elimination of the devastating spaghetti weevil, Swiss farmers were harvesting a bumper spaghetti crop. It accompanied the announcement with footage of people pulling strands of spaghetti down from trees. Huge numbers of viewers who watched the story called the BBC wanting to know how they could grow their own spaghetti tree, apparently thinking the English climate wasn’t all that different from the Swiss climate.

As we’ve seen in following the ever-evolving cybersecurity threat, it’s possible to fool people on other days in April, and cyber threats respect few boundaries. Here are our takeaways from articles this month that further our understanding of cybersecurity concerns and issues.

Well, encryption worked for the Greeks

Encryption we can trust: Are we there yet?


Encryption is arguably the most important single security tool that we have, but it still has some serious growing up to do. The current debate about the pros and cons of ubiquitous encryption and the FBI’s request for Apple to unlock iPhones reinforces the public notion that encryption is unbreakable, even by the nation state, unless artificially weakened by backdoors. Everyone in the industry knows this isn’t true – there is a difference between strong and weak encryption. Perhaps surprisingly those differences have almost nothing to do with encryption itself – or at least the math behind encryption. Encryption relies on secrets, digital keys to lock and unlock the data. Whether those secrets can be guessed or stolen is what makes all the difference.


It’s 2016 and you aren’t using encryption. Why?

Encryption sounds synonymous with complexity. It’s not. It’s very, very simple. There should be no reason why an organization shouldn’t be encrypting its data in 2016. The technology is there. And the rationale for using it is simple: Breach prevention is dead.


Week ahead: Encryption fight resumes before Congress

The dispute between Apple and the FBI will be back in the spotlight, with both sides sending representatives to testify before the House Energy and Commerce Committee. But lawmakers will keep the two sides apart at the Tuesday hearing, titled “Deciphering the Encryption Debate.” There will be two separate panels: one made up of law enforcement voices and a second dominated by tech industry members. Amy Hess, executive assistant director for science and technology at the FBI, will speak on the first panel, which also includes the intelligence bureau chief of the New York Police Department and a member of the National Sheriff’s Association. Apple general counsel Bruce Sewell will speak on the second panel, which also features several computer science academics and cybersecurity professionals.


Data kidnapped? 

The silver lining of a ransomware infection

Getting infected with ransomware may actually be a good thing for your enterprise. Ponder that statement for a moment. Yes, someone has written that ransomware, which has cost U.S. businesses and consumers approximately $18 million in the past year, may be a good thing for your environment. In case you have been blissfully unaware of the aggressive ransomware campaigns launched by attackers in the past year, ransomware is malware designed to seek out specific file extensions, encrypt them and then request the end user to pay a fee to have the files decrypted. This fee is typically paid in bitcoin or another digital currency. Ransomware has caused many headaches throughout the industry. According to a recent IBM CISO assessment, 8 out of 10 security leaders surveyed reported they were concerned about ransomware. …If you need a silver lining, think of a ransomware event as a low-cost security assessment pointing out weaknesses in your environment.


How to avoid becoming the next victim of ransomware

Recently, I traveled to South Carolina to deliver a presentation on advanced threats and mitigation strategies and it wasn’t long before the question-and-answer session turned to a discussion on ransomware. One attendee wanted to know: Should businesses ever pay to recover encrypted files? I stressed that victims should never pay ransoms because it only exacerbates an already out-of-control problem and there are never guarantees that files will be recovered after paying money to criminals. After the session ended, an IT administrator for a local healthcare outfit approached me and pointedly told me his company was in the midst of paying the ransom after a pretty nasty infection and he wanted me to know that my “never pay” advice was impractical.


Cyber attacks continue to grow and evolve

Cyber criminals continue to prey on websites with unpatched vulnerabilities and ill-protected point of sale (POS) systems to steal credentials such as personal data, credit card numbers and bank account details. Fraudsters are known to use methods most commonly associated with their victim’s normal business practices – wire transfers in most cases, cheques in others. Intrusions are facilitated through a phishing scam in which a victim receives an email from a seemingly legitimate source that contains a malicious link. When the victim clicks on the link, it downloads malware, allowing the criminals unrestricted access to data, including passwords or financial account information. Fraudsters also contact companies by email or phone pretending to be lawyers or representatives of law firms claiming to handle confidential or time-sensitive matters. Organizations and Internet users should be vigilant in strengthening their guard against the anticipated surge in cyber attacks targeting web servers, POS systems and mobile devices. It is predicted that extortion via DDoS (distributed denial-of-service) and Ransomware will also flourish as cyber criminals are increasingly offering paid ransomware services (complete with kits for attacks on different operating systems) and managing ransom payments.


Spring checkup. Out of energy?

Cybercom sounds alarm on infrastructure attacks

The commander of the U.S. Cyber Command warned Congress this week that Russia and China now can launch crippling cyberattacks on the electric grid and other critical infrastructures. “We remain vigilant in preparing for future threats, as cyberattacks could cause catastrophic damage to portions of our power grid, communications networks and vital services,” Adm. Mike Rogers, the Cyber Command chief, told a Senate hearing. “Damaging attacks have already occurred in Europe,” he stated, noting suspected Russian cyberattacks that temporarily turned out the lights in portions of Ukraine. Adm. Rogers said that unlike other areas of military competition, Russia is equal to the United States in terms of its cyberwarfare capabilities, with China a close second.


Homeland Security Dept. struggles to hire staff to combat cyberattacks

At a time of increasing threats of cyberattacks on critical infrastructure, the Department of Homeland Security is having trouble recruiting much-needed computer experts because it cannot match the pay of the private sector and does not have the same allure as intelligence agencies. Recent disclosures that Iranian hackers with ties to the government in Tehran had launched a cyberattack against a dam in New York highlighted the need for the department, which is charged with protecting government and private systems from cyber intrusions, to have a staff capable of responding to sophisticated enemies. “We are competing in a tough marketplace against a private sector that is in a position to offer a lot more money,” Jeh Johnson, the Homeland Security secretary, told senators at a hearing last month. “We need more cyber talent without a doubt in D.H.S., in the federal government, and we are not where we should be right now, that is without a doubt.”


Governments must regulate against cyberattacks, says Kaspersky

No nation has enough engineers to protect its infrastructure against cyberattacks, Eugene Kaspersky, founder and CEO of Kaspersky Labs, told a meeting in London yesterday. “We’re living at a time of growing numbers of attacks on infrastructure,” said Kaspersky, “we have seen a case where petrol deliveries were heated above the temperature at which it should be delivered, we’ve seen attacks on coal transportation systems which say that a consignment weighs less than it does so that some can be stolen, ships are hijacked and the containers scanned and opened up to remove the contents, the Ukrainian power grid was hacked and its systems wiped, South Korean financial infrastructure was attacked last year and this year hospitals in Australia, California and Germany were attacked and had all their data wiped.”


Did Big Energy just make us safer from terrorism or cyber attacks on the US electrical grid?

Homeland Security Secretary Janet Napolitano had some words of caution for her successor in her final days in office: A cyber attack on America’s power grid is coming and it’s not a matter of if, but when. Now, thanks to a new private sector cooperative called Grid Assurance, help is on the way. This is an existential issue for America and the free world. The congressional Commission to Assess the Threat to the United States from Electromagnetic Pulse (EMP) Attack says an EMP attack would wipe out about 90% of the U.S. population within two years of such an event as a result of disease, food scarcity and the complete breakdown of society. The Department of Energy echoes this sentiment, noting the dependence of navigation, telecoms, the Internet and our financial, health care and emergency response systems on the power grid. Lloyds of London says costs of a grid geomagnetic disturbance event could top $2 trillion.


What, me worry? I don’t have to, I’m in charge.

Cybersecurity responsibility: Are execs passing the buck?

Who’s ultimately responsible for cybersecurity? It’s a critical question; according to Bloomberg BNA, 84 percent of businesses polled have adopted some kind of cybersecurity framework, and information security is quickly becoming a high-priority boardroom topic. But there’s a problem: A new survey found that more than 90 percent of executives can’t read a security report, CNBC reported. More worrisome? Forty percent say they “don’t feel responsible” for the repercussions of a hack. Are execs passing the buck on cybersecurity responsibility?


Survey finds accountability gap among execs dealing with cybersecurity

The cybersecurity “accountability gap” is growing as 40 percent of executives admitted they didn’t feel responsible for the impact of a cyberattack and a lack of understanding concerning cybersecurity could be a contributing factor, according to a study commissioned by endpoint security firm Tanium and the NASDAQ. The Accountability Gap: Cybersecurity and Building a Culture of Responsibility asked 1,530 non-executive directors, C-level executives, Chief Information Officers, and Chief Information Security Officers from around the world. “Executives generally don’t feel they have an important role in information security, believing it to be a problem for their IT and security teams,” Tanium Chief Security Officer David Damato said in comments emailed to


Are IT executives blind to cybersecurity events?

Is your company’s cybersecurity keeping you up at night? If you’re an IT professional, the answer to that question is probably yes. If you’re an IT executive, the answer to that question might be no – even if you work at the same company. What we’re seeing, says Jack Danahy, co-founder of Barkly, a Boston-based endpoint security startup company, “is a breakdown in communication.” That’s what Barkly found in its “Cybersecurity Confidence Report.” In it, Barkly surveyed 350 IT professionals and found that 50 percent are not confident in their current security products or solutions. However, the story is different at the executive level: Nearly 70 percent of IT executives said they have confidence in their current security/solution. There’s a disconnect in measuring return on investment, too: About 70 percent of IT executives said they’re confident that it can be determined while less than 50 percent of IT pros said the same thing.


Cybersecurity threats are real: You and your organization could be in danger

Last week I moderated an NACD Boardroom Excellence webinar in partnership with Broadridge Financial Solutions that focused on the issue of cybersecurity. Approximately 200 directors representing various corporations participated. The data shared was unnerving and troubling in its scope and implications. The cybersecurity statistics are jarring. CNBC’s most recent survey in April 2016, indicated that null and are not prepared to handle a major attack. The worst part of the survey results is that 40% said they feel no responsibility for the consequences of being hacked. Leaders of an organization, including CEOs, CIOs, board members and executives are still struggling to define responsibility for customer data. They have transferred this burden to the CISO (Chief Information Security Officer) and the IT department. This trend is problematic.

By Tom Davis, SDI Cyber Risk Practice

SDI #CyberTuesday offers insights and commentary on cyber risk management by SDI’s trusted cybersecurity, privacy and data security experts, skilled practitioners whose decades of experience working for governments and corporations around the world distinguish them as strategists and crisis managers.

April 26, 2016





What the…Hal?

“Open the pod bay doors, please, Hal.”
“I’m sorry, Dave. I’m afraid I can’t do that.”

Well, at least the little psychopath was well mannered. The world was introduced to Hal (acronym for Heuristically programmed ALgorithmic Computer) in the blockbuster film 2001: A Space Odyssey. Hal was the onboard computer system that relied on artificial intelligence to run all of the systems of the spaceship Discovery 1. Oh, and Hal had other skills, including the ability to read lips. Hal used that talent to interpret a conversation between two of the crew members as a decision to kill him, and Hal then went on the offensive, killing four of the five astronauts on board, and giving a good effort to get the only survivor as well. In the end, man triumphs over machine as Hal is rendered hors de combat when his memory cells are removed.

I am reminded of the misadventures of Hal while reading this story “AI + humans = kick-ass cybersecurity.” The article reports on an interesting project from MIT that combines human intelligence and artificial intelligence to achieve some impressive results in detecting cyber attacks. The approach now detects 85 percent of attacks while reducing the number of “false positives” —non-threats mistakenly identified as threats—by a factor of five. That’s critical, for as the article explains: “In the world of cybersecurity, human-driven techniques typically rely on rules created by living experts and therefore miss any attacks that don’t match the rules. Machine-learning approaches, on the other hand, rely on anomaly detection, which tends to trigger false positives that create distrust of the system and still end up having to be investigated by humans.”

It’s fascinating to see that, like Hal, other manifestations of artificial intelligence are given to paranoia. Every anomalous behavior represents a threat. Futurists have been predicting that machine-learning will offer a far better answer to the cybersecurity challenge than currently exists, and many companies are employing or developing artificial intelligence systems. But the potential dangers associated with this approach should not be underestimated. We are and will be investing machines with considerable power, and these machines will not be invulnerable to error. Keeping the human element in the ascendant position in the process will be a difficult needle to thread.

The Global Challenges Foundation recently issued a report “12 Risks That Threaten Human Civilisation.” Nuclear war? Check. Global Pandemic? Check. Artificial Intelligence? Yes, indeed. Here’s a chilling conclusion: “Artificial Intelligence (AI) seems to be possessing huge potential to deliberately work towards extinction of the human race. Though, synthetic biology and nanotechnology along with AI could possibly be an answer to many existing problems however if used in the wrong way it could probably be the worst tool against humanity….”

Artificial intelligence will be an integral part of cyber defense going forward. Let’s hope the next gen does not learn to read lips.

By Tom Davis, SDI Cyber Risk Practice

April 19, 2016

The Elephant in the Room

Ever wonder about the origin of the phrase “the elephant in the room?”  Did the phrase originate with Russian author Ivan Andreevich Krylov, whose “The Inquisitive Man” tells of a man who goes to a museum and notices all sorts of tiny things, but fails to notice an elephant? Or does it stem from an argument at Cambridge University in 1911 between Ludwig Wittgenstein and Bertrand Russell? Might it arise out of a Mark Twain story titled “The Stolen White Elephant?” It appears there is no definitive conclusion to be drawn. But the phrase lends itself nicely to examining the cyber story now dwarfing all others—the theft and publication of what is being referred to as “The Panama Papers.”

The theft of more than 11 million documents from a Panamanian law firm has become a leading story in many nations, in no small measure because the documents can be connected to some of the most powerful and influential people in the world. The political repercussions were substantial. Iceland’s prime minister resigned, U.K. Prime Minister David Cameron apologized and released his tax returns, Vladimir Putin shrugged, and senior Chinese leaders practiced their version of the “Golden Rule.” Obviously, there will be more to come as documents continue to be released and as investigative authorities in affected nations pore over information to determine whether laws were broken.

This last point is worth pondering.  As a general proposition, unless one is either a person whose information has been compromised by the theft of the aforementioned documents, or a close friend or relative, it’s likely we are generally satisfied that the end here justified the means. At this point we don’t know what laws were broken, or who, precisely, was guilty of what, but we have a reasonable supposition that something underhanded was going on. We treat any suggestion that there are substantive privacy issues that arise out of the theft of documents with the same humorous perspective we’d have for Captain Renault’s memorable line in Casablanca “I am shocked, shocked to find that gambling is going on in here!”  Thus, just as surely as there is gambling in a casino, there must be criminality in offshore banking.

The United States has experienced similar phenomena at least twice recently. First, Chelsea (then Bradley) Manning turned over a trove of sensitive military and diplomatic documents to Wikileaks.  Later, Edward Snowden leaked volumes of classified information about global surveillance programs run by the U.S. and some of its allies. The Snowden case touched off a huge debate over the appropriate balance between national security and privacy rights.  But there was an earlier drama that inspired this interesting Fortune article by Rajiv Gupta.

Likening the latest high profile breach to Watergate, Gupta wrote: “The Panama Papers represent the future of political scandal in the digital age—from the initial hack down to the cloud technology used to analyze the documents. Journalists Bob Woodward and Carl Bernstein, who famously took down Richard Nixon, could hardly have imagined working with millions of pages of confidential documents. This generation’s Watergate will be conducted through shared folders and chat rooms. Mossack Fonseca, the hacked law firm, embodies the cyber risk to which many organizations have not yet woken up. Hackers are clearly after more than just credit cards and social security numbers. The breach is at once a glimpse into the brave new world of online leaks and a warning that all organizations should assume any sensitive information to be a potential target.”

Gupta squarely addresses the privacy issue. “Publicly releasing the entire cache of documents, as some have called for, calls into question the right to privacy of Mossack Fonseca clients, especially those who may not have committed illegal activity or do not hold public office. “Hacktivism” inherently takes decision-making away from the legal system. What happens when “hacktivists” act on behalf of principles or entities we consider deplorable or dangerous? Should the abuse of privacy of the innocent be considered unfortunate but necessary collateral damage?”

In the nascent stages of the many investigations being carried out as a result of the theft of The Panama Papers, it’s doubtful privacy will be a leading concern. But the world we now live in will soon force a painful examination of privacy. Every organization must look closely not only at its own data protection practices but also at those of any partners who may hold data on its behalf. The real elephant in the room is the fact that very little information is truly secret any more. In fact, we may need to caveat the use of the term secret, attributing it to what is private at the moment… as best we know.

By Tom Davis, SDI Cyber Risk Practice

April 12, 2016

Heads in the Sand Over Cybersecurity?

The ostrich defense is a criminal defendant’s claim of being ignorant of the criminal activities of an associate, which normally the defendant would be expected to be aware of. The defendants seeking this defense claim that all wrongdoing was performed by others, without his/her knowledge or consent. This defense is so named because of the tendency of ostriches to put their heads in the sand in the event of danger.

What to make of the findings of a study conducted on behalf of Nasdaq and cybersecurity technology provider Tanium? The two commissioned a study of over 1,500 C-suite officers and non-executive company directors at Global 2000 organizations across five regions to gauge the state of cybersecurity awareness and readiness. The regions surveyed included the United States, Japan, Germany, the United Kingdom, and the Nordic nations. To an extent the findings are predictable and in line with our current understanding of corporate vulnerability.  Corporate executives don’t understand cyber? No surprise here.  Executives feel their organizations are not prepared to handle a major attack. Of course they don’t, because most organizations aren’t. But, how about this?  Forty percent of the executives surveyed said they do not feel responsible for the repercussions of a cyber attack. If true, this represents a serious challenge.

The suggestion that senior corporate executives do not feel personal responsibility for cybersecurity is baffling. Dave Damato, chief security officer at Tanium, put it this way in an interview with CNBC. “I think the most shocking statistic was really the fact that the individuals at the top of an organization—executives like CEOs and CIOs, and even board members—didn’t feel personally responsible for cybersecurity or protecting the customer data.” Taking this at face value, it suggests that CEOs and other C-suite executives don’t appreciate that a breach could damage the entire business, and have not drawn appropriate lessons from the misfortunes of cyber victims like Target and Sony.

There is, of course, another potential explanation. It may be that senior executives are feeling so overwhelmed by the cyber threat, and so insecure about their organization’s capability to effectively deal with a cyber attack, that they are rationalizing successful attacks as an ordinary cost of doing business, and expecting that customers, business partners, regulators, and shareholders will see the world the same way. The sentiment would be understandable, but would offer scant defense against litigation and/or regulatory penalties. Moreover, taking this logic a step further, it seems executives who do not feel responsible for protecting customer data inevitably will be less likely to do so, and thus their organizations more readily become victims. This would be a classic example of the ostrich defense.

Perhaps it’s useful to bear in mind the ostrich defense has other names—notably the dumb CEO defense, dummy defense, and idiot defense. Just saying.

By Tom Davis, SDI Cyber Risk Practice
April 5, 2016