Archives for July 2017

Collateral Damage in Cyber Warfare

Hot on the heels of the infamous WannaCry ransomware attack came the less heralded and seemingly less consequential Petya cyberattack. WannaCry was big and bold, and obviously well named. Petya didn’t seem to measure up, and researchers noted that less than $10,000 was paid in ransom. However, it soon became apparent that Petya was not a ransomware attack, but actually aimed at destroying data. Given that much of the damage associated with Petya focused on Ukraine, suspicion quickly turned to Russia, the assumption being the attack was part of Russia’s ongoing efforts to destabilize Ukraine. Whether the attack actually was carried out by individuals acting on behalf of Russia remains unproven, but what is clear is that, as is the case in all conflicts, there are ancillary casualties.

Take, for example, FedEx, which acquired Dutch shipping company TNT Express for $4.8 billion last year to compete with United Parcel Service Inc. and Deutsche Post AG’s DHL. What seemed like a good aggressive business move now has become a major headache. TNT operations were completely disrupted by the Petya attack, and FedEx now says it has not been able to recover some systems, and may never be able to recover some critical business data.

FedEx just filed its Securities and Exchange Commission (SEC) 10-K, and it forecasts material losses. The list of reasons why those losses are mounting is instructive:

⋄ loss of revenue resulting from the operational disruption immediately following the cyber-attack;
⋄ loss of revenue or increased bad debt expense due to the inability to invoice properly;
⋄ loss of revenue due to permanent customer loss;
⋄ remediation costs to restore systems;
⋄ increased operational costs due to contingency plans that remain in place;
⋄ investments in enhanced systems in order to prevent future attacks;
⋄ cost of incentives offered to customers to restore confidence and maintain business relationships;
⋄ reputational damage resulting in the failure to retain or attract customers;
⋄ costs associated with potential litigation or governmental investigations;
⋄ costs associated with any data breach or data loss to third parties that is discovered;
⋄ costs associated with the potential loss of critical business data;
⋄ longer and more costly integration (due to increased expenses and capital spending requirements) of TNT Express and FedEx Express; and
⋄ other consequences of which we are not currently aware but will discover through the remediation process.

Oh, and FedEx also noted it did not have insurance against these losses. Going forward, FedEx may become the poster child for why cyber insurance makes sense.

By Tom Davis, SDI Cyber Risk Practice

July 25, 2017

Cybersecurity Starts With Basics

One undeniable fact: the 2016 elections brought the word “cybersecurity” into the mainstream.  The problem that stemmed from that fact: nobody is actually sure what “cybersecurity” is.  And as a result, we spin our wheels or head off into differing directions.

For all the tech talk, commentary, and promise of some incredible “save you from all cyber threats” solution, lost in the conversation are the cybersecurity basics. It is a disservice to all when pundits use words such as hack and leak interchangeably. Those who have a more informed understanding of the issue know that these terms have incredibly different meanings. The same can be said for words such as stolen and copied. They are not the same and are often confused, even misused. And how about this one: the difference between authorized access by an unauthorized user and unauthorized access. The fine nuance between the two can entirely re-characterize the nature of an attack.

I have not conducted a formal study to know how many people know the differences or can spot the nuances, but from informal observation of my own experiences, about 95% of people cannot tell the difference, and of the 5% that can, almost all of them have some form of security-type training or professional work experience. Another informal observation: even those who have the training still cannot always spot the difference.

Why is all of this important?  Because if we cannot get the basics right, chances are everything that follows will be wrong, insufficient, or inadequate.

I start from this premise: we have finite resources.  I do not think anybody serious would disagree with me on this premise.  Therefore, let us be smart about how we use these resources.  And part of being smart is asking the right questions and knowing the basics.

In the middle of serious cybersecurity policy debate, does it make a difference if a Senator asks a witness whether data was stolen or copied?  Yes, it does.  In trying to determine how an attack happened, does it make a difference when the Board asks its IT manager if the source of the attack came from authorized access by an unauthorized user or by unauthorized access?  Yes, it does.

The human brain can only process so much information, and the more complex we make the cybersecurity discussion, the greater the likelihood of us mucking it up. Add into the mix a disregard or misunderstanding of the basics and the muck up is almost certain.

What are the basics?  A few are here, from my last #CyberTuesday blog.  Successful cybersecurity relies on personal ownership.  Somebody else does not make you fit; you make yourself fit.  And we are quite poor at personal ownership, with multiple studies showing that human action/error is responsible for 90+% of successful attacks or breaches.

Some more basics include the understanding of terminology and the state of affairs. We know the difference between somebody kicking down the front door to my house and somebody stealing my house keys and walking in the front door. If somebody kicked down your front door, chances are you need a stronger door, or you may consider putting a gated fence around your house to make it more difficult for a perpetrator to get to your front door. If somebody stole your house keys, you would do a better job of protecting your keys.

It is worth asking: would you erect a 30-foot-high, six-foot-thick steel perimeter around your property if you lost your front door keys? No, as that would be resource overkill. Instead, you would likely change the locks on your doors. And if your problem is your keys getting stolen, what good exactly does this mega-fortress bring you? Unless you plan to seal yourself off from the entire world, the mega-fortress will need an access point, say, like a door with a lock. What happens when you lose your keys again? Build a mega-mega-fortress that will protect the mega-fortress?

If this is sounding a bit ridiculous, welcome to the world of cybersecurity.  Because so many of the basics are misunderstood, or even outright ignored, many of us are seeing mega-mega-fortresses being erected all over the place.  But we are not exactly sure if they are making anybody more secure.  Part of what we do at SDICyber is to help you understand these basics.  The basics can work miracles, as I point out here with some fellow patriots.

There is no harm in saying that you are unsure of the basics.  Nor should you be embarrassed to ask that question.  That very admission may be the most crucial step to getting you cyber secure.

By George Platsis, SDI Cyber Risk Practice

July 11, 2017