Archives for October 2017

Beary Scary

We are slowly easing through the languorous days of fall, reluctantly trading daylight for darkness, feeling the crunch of leaves, inhaling the smoke-tinged air that marks the fullness of the season. Soon it will be All Hallows Eve, a night when witches ride high across cloud-strewn skies and spirits restlessly roam the earth below. They will be joined by millions of children less concerned about the spirits than the potential bounty that awaits behind closed doors. Tiny princesses will race alongside pirates and ballerinas, each eager to ring a doorbell and shout in unison “trick or treat!” Older adolescents and young adults will gorge on horror shows, feasting on the fright inspired by vampires, werewolves, goblins, and countless maladjusted individuals who act out in truly horrific fashion. Those who’ve been around for a while may think of frightening figures such as Nosferatu, Frankenstein’s monster, the Mummy, and more recently Candyman, Pennywise, Leatherface, and Berserk Bear.

Astute readers may have tripped over Berserk Bear, but Berserk Bear may be very scary indeed. The world was introduced to Berserk Bear in CrowdStrike’s 2014 Global Threat Intel Report. “Proactive analysis during 2014 revealed another Russian actor that has not encountered public exposure, yet appears to have been tasked by Russian state interests. BERSERK BEAR has conducted operations from 2004 through to the present day, primarily aimed at collecting intelligence but has also provided capability in support of offensive operations in parallel to the Russia/Georgia conflict in August 2008.”

Since then, the legend of Berserk Bear has grown. In 2016 it was reported to be attacking energy interests in the Middle East. In September of 2017, Symantec said Berserk Bear had penetrated firms in the U.S., Turkey, and Switzerland, and had the ability to cause mass power outages, shut down electrical grids, and disrupt utilities. That report was confirmed last Friday, when the Department of Homeland Security (DHS) and the FBI issued an alert warning critical infrastructure companies of “advanced persistent threat (APT) actions targeting government entities and organizations in the energy, nuclear, water, aviation, and critical manufacturing sectors.”

What we know at this point is that the attacks have been successful, and critical parts of the infrastructure have been breached. DHS has reported that the attack is ongoing. There are no reports of damage so far. We are left to speculate as to motivation, and what might happen next. Like many scary stories, this one may have a sequel. Stay tuned.

By Tom Davis, SDI Cyber Risk Practice

October 24, 2017


Have We Normalized Theft?

When did cyberattacks truly begin to concern us? Was it the Morris worm of 1988? One would have wished it was, but clearly this is not the case. How about the 2008 cyberattack on USCENTCOM? That worm, likely injected into the DoD system through a single USB key, took about 14 months to clean up by some estimates. Fast forward nine years to Equifax: 145 million records stolen. Have we learned yet? I wish I could say “okay, this time we will do something about it!” but I am not too optimistic.


Because I feel we have slipped into a dangerous area: we have allowed the normalization of data theft.  And today, data theft means anything from personally identifiable information to R&D/intellectual property to good old fashioned money.  My feeling is that because we don’t “feel” data the same way we would, oh a stack of $20s, we don’t really appreciate what is being lost.

Let’s try to put this into perspective.  If in fact 145 million records were stolen from Equifax, what would that look like in a “smash-and-grab” operation?  For simplicity, let’s assume one record is one page.  The average thickness of paper is 0.1 mm (0.0039 inches).  How high would the paper stack in this case?  Well, those 565,500,000 inches equate to about the distance from New York to Manila (over the Pacific), give or take a few hundred miles.*

To think that somebody could perform a break-and-enter like this (and get away with it) sounds so preposterous, this idea wouldn’t even make it into a B-movie script. But when all these “pieces of information” are digitized into a bunch of zeros and ones, well, you can fit all that information into the palm of your hand.

And that’s what gives me heartburn because we are doing such a poor job understanding what is being stolen.  We spend billions of dollars innovating, labor for years, and all these valuable resources could be gone, poof, like that because somebody missed patching a system or left a terminal unprotected or clicked a link they shouldn’t have.  This is asymmetry of galactic proportions.

So back to my point about normalizing theft: I think because we can’t “feel” the pain, we don’t give this issue the attention it deserves. If I were a nefarious actor and I was able to siphon $5 a month from your bank account, would you care? Before you answer … would you notice? What if I was able to disguise this siphoning as some sort of “fee” or common everyday purchase? You may not give it that much thought and let it slide. Now let me do that to a million people. And let me do that to a different million people every week. How does $260 million a year sound to you?

Does this sound like a tenable business model for an economy to survive?  Nope.  But that’s what we are dealing with when we normalize theft.

Sure, some may say “but we have services to protect us.” Okay, but those services cost money, $10 a month, let’s say. That’s $120 a year per individual. To protect the 52 million people that would have gotten ripped off in the earlier scenario, that’s a hit of $6.24 billion annually. That’s $6.24 billion that could have gone into paying rent, buying a meal, helping a local foundation, or going towards tuition or medication.

Lost in so much of the cybersecurity conversation is that protection rarely offers a return on investment. Protection is a tax on business and a tax on individuals. So unless we start “feeling” this theft on a more personal level and take the steps to properly educate ourselves about the human dimension, we are going to run out of money to invest in protection real fast. People are generally not good at understanding risk, and we have often farmed out that risk to somebody else (insurers, public officials, you name it). But even this model is becoming too expensive. So it’s time we take a closer look at ourselves and see if we are part of the problem by having allowed data theft to be normalized. We shouldn’t be so passive about it. We should be outraged, because this is a slow strategic bleed of national strength and stability.

By George Platsis, SDI Cyber Risk Practice

October 3, 2017

* Correction: “I’m tempted to say what’s a few extra zero’s among friends, but am forced to heed my own counsel…when you make a mistake, own it: it’s actually 565,500 inches, which is closer to 9 miles, more like New York to Hoboken and back…but that’s still a lot!”