Archives for September 2017

A New Shakespearean Tragedy?

Once more unto the breach, dear friends, once more;
Or close the wall up with our English dead.


In Shakespeare’s retelling of the life of King Henry V, he has the king urging his brave soldiers forward once more, hurling themselves against the French army in the early stages of what became the decisive battle of Agincourt.  The line has survived to become a common exhortation for giving something another try. One notes that King Henry did offer the alternative of dying in the gap of the wall, but the essential idea is to flow through the breach to victory.

Today we are dealing with a breach in which the flow is outbound, and there is no victory in sight.  The massive data breach suffered by Equifax has exposed the personal identifying information of over 143 million people. The attackers took people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people.  The breach is rightly seen as a monumental failing on the part of Equifax, and the repercussions are mounting rapidly.

Writing on the Gartner Blog Network, John Wheeler calls the breach a game changer for cybersecurity.   Among his predictions, Equifax will cease to exist. “In the last 4 business days since the company disclosed the data breach, Equifax has suffered a $5.3 billion loss in market capitalization which represents almost a third of the company’s total value. When considering an estimate of the potential costs associated with the data breach (based on the 2017 IBM/Ponemon Institute Cost of Data Breach Study), Equifax faces a potential loss of $20.2 billion which currently exceeds their total market value by $8.3 billion. Also, the company currently faces more than 23 class action lawsuits with at least one seeking more than $70 billion in damages. The death spiral will soon take on greater momentum when executives are required to testify before Congress and criminally investigated for potential insider trading related to the delayed disclosure of the data breach. Equifax will ultimately be acquired out of bankruptcy by one of the remaining two credit reporting companies – TransUnion or Experian.”

The “delayed disclosure” noted by Wheeler is extremely problematic. Equifax said it first detected suspicious behavior on July 29. It appears the breach dates back to May of this year, and some reports suggest it may have happened even earlier. Even if one accepts the July 29 date as the first instance in which Equifax became aware of the breach, several weeks went by before customers were made aware. The delay triggered outrage, and credit reporting companies have few friends, so the fury goes on unabated.

The fallout continues. Equifax’s Chief Information Officer and Chief Security Officer “retired,” and its CEO stepped down. More heads will likely roll. Forty states are investigating how Equifax handled the breach. Other regulatory agencies are launching investigations, and there is a real possibility that this breach will lead to significant change in law and regulation.

Once more, out through the breach.

By Tom Davis, SDI Cyber Risk Practice

September 26, 2017

Do You Trust Your Network?


The question seems simple enough, doesn’t it? But have you asked the question? My feeling is that not enough people actually do. Of course, a natural response may be: isn’t that a question for my IT department to answer?

Yes and no (more on that in a moment). And I promise I am not trying to play word games, but words and their meanings matter, and I am therefore placing particular focus on the word trust. Trust is different from confidence. Trust is different from transparency. Trust has a much more “personal” element than the others. And so much of what we do in the world today is based on trust.

There are times where confidence may be appropriate. For example, “I am confident in Joe’s abilities, but I do not trust he will finish the job.” And there are times where transparency may be appropriate, such as, “blockchain technologies offer transparency, but I do not trust them to serve as the backbone for a currency.”

Notice where I am going? These terms are not interchangeable. Somebody can be “transparent” with you but it is quite possible you do not trust them at all. Conversely, somebody who is not wholly transparent with you may earn your trust.

And trust is a funny thing because it guides so many of our actions. Simple example:

“Would you do business with Bob?”
“No. I know he has a solid track record, but something about him I just don’t trust.”

“Would you do business with Sally?”
“Yes. I know she doesn’t have the track record of Bob, but something about her just makes me feel she’s the right person to do business with.”

In other words, we are dealing with emotion and rational action may be taking a back seat.

So let’s get back to the IT department. I am not asking: do you trust your IT department? Rather, I am asking: do you trust your network? There is a difference. It’s huge. And if you don’t see it as being huge, your cybersecurity nightmares may only be in their opening act.

If you have 20 minutes, there is a 2010 podcast worth listening to by Brian Snow, who was the technical director of information assurance at the National Security Agency. It can be found here, and special thanks to my fellow #CyberAvenger Chris Veltsos for pointing out this podcast. At around the 16-minute mark, Brian Snow talks about the “trust bubble” and that while “trust” is “widely used” it is also complicated and poorly understood.

Our world operates with so much going on in the background that we seldom give thought to how complicated things can be. Therefore, the only way we can operate and conduct business is when we have levels of transparency, confidence, and trust. For example, I am confident my ISP will provide reliable service so I can get my professional work done, but I do not trust my ISP when they say they are the “best service provider” or “the fastest network” or that they will “have 99.9999% uptime” or whatever else you can think of (nor do I think they make their billing particularly transparent, but that is unrelated to network reliability). In other words, I’m keeping my expectations in check.

In fact, I try to keep my expectations so “in check” that I expect my services to go down from time to time because that’s just life! Bad connection, server times out, bandwidth issues, and yes, even potential DDoS attacks and hacks! I expect all of these to happen because my trust in network capabilities can only go so far. Sure, I can invest more capital and overhead, but I do not have a printing press for money, so this solution is untenable over time. You need to use your resources wisely and because my trust in network capabilities can only go so far, I do things like: regularly patch, update, have offline backups, back up devices, have alternate connectivity means, and – get ready for it – even plan for total shutdown (and sometimes the plan is “no way to do work today, find something else to do”).

In summary, I simply do not trust network reliability to be as reliable as the sun coming up in the east every morning. And keep your expectations in check: there are very, very few operations that can justify the need (and cost) for 100% uptime (and even those are susceptible to the freak event that shuts them down).

As for social engineering attacks, shame on me if I get suckered into them. I don’t have the expectation that my network should protect me from them. Remember, a social engineering attack is going after YOU FIRST before the actors execute their following intent.

Side commentary: WOW! Some of these social engineering attacks are getting really sophisticated and I am impressed. One of the best I have seen in the last few months is the attacker faking that you are the initiator of the conversation and the attacker is “replying” to your original query. Be careful before you click “reply” because sometimes all the attacker wants you to do is just that, click reply, and scoop up an e-mail address, a device ID, an OS version, message headers, or the basic information on your signature line. All these information leaks can come back to haunt you.
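One way to catch the “fake reply” lure described above before anyone clicks reply, as an added example that is not code from the original post: a genuine reply must reference a Message-ID you actually sent, so an inbound mail framed as a reply whose threading headers point at nothing in your sent log is suspect. The sent-log set and the sample message are constructed here for illustration.

```python
"""Flag inbound mail that poses as a reply to a conversation you never started.

Added illustration, not code from the original post. It assumes the mail
client keeps a record of the Message-IDs of mail this mailbox really sent
(here a constructed in-memory set).
"""
from email import message_from_string
from email.policy import default

# Constructed sample: Message-IDs of mail this mailbox actually sent.
SENT_MESSAGE_IDS = {
    "<20170901.1234@mail.example.org>",
    "<20170903.5678@mail.example.org>",
}

# Constructed sample of an inbound message that pretends to be a reply.
SUSPICIOUS_REPLY = """\
From: "Accounts" <billing@invoice-example.test>
To: alice@example.org
Subject: RE: your request
In-Reply-To: <abcdef@invoice-example.test>
References: <abcdef@invoice-example.test>
Message-ID: <987@invoice-example.test>

Hi Alice, as you asked, the updated invoice is attached. Please reply to confirm.
"""


def referenced_ids(raw: str) -> set:
    """Collect every Message-ID the inbound mail claims to be replying to."""
    msg = message_from_string(raw, policy=default)
    ids = set()
    for header in ("In-Reply-To", "References"):
        value = msg.get(header, "") or ""
        ids.update(token for token in value.split() if token.startswith("<"))
    return ids


def is_fake_reply(raw: str, sent_ids: set = SENT_MESSAGE_IDS) -> bool:
    """True when the mail is framed as a reply (an "RE:" subject or threading
    headers) but none of the referenced Message-IDs is one we actually sent.
    An "RE:" subject with no threading headers at all is flagged too."""
    msg = message_from_string(raw, policy=default)
    subject = (msg.get("Subject") or "").strip().lower()
    refs = referenced_ids(raw)
    if not (subject.startswith("re:") or refs):
        return False  # not presented as a reply; out of scope for this check
    return not (refs & sent_ids)


if __name__ == "__main__":
    print("fake reply?", is_fake_reply(SUSPICIOUS_REPLY))  # True
```

A mail that passes this check can still be hostile; the point is that the reply framing alone earns no trust.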

But back to my original question: do you trust your network? If your trust in network reliability is rooted in the trust you have for your IT department, I have a car I want to sell you. I do not say this as a knock against your IT department, but if we can be perfectly candid for a moment, if your IT department has full trust in your network reliability, you should be concerned. Granted, the IT department can be confident about the network, but usually when you are confident, it means that you have done some sort of honest and thorough assessment of the situation.

Therefore, if your IT department says to you, “we’re confident we do not have any malware on our network” ask how they came to that conclusion. If instead they say, “we do not have any malware on our network, honest, trust us!” then raise an eyebrow and get your hands dirty, because you have work to do.

By George Platsis, SDI Cyber Risk Practice
September 12, 2017