SECURITY : WHAT YOU NEED TO KNOW TO STAY OFF THE FRONT PAGE OF THE WALL STREET JOURNAL (November 13, 2009)

It seems as though hackers used to mainly break into systems and steal credit card numbers and personal information for the hacker’s individual use. Today, hacking can provide data that is extremely profitable to sell. Most breaches today still involve the procurement of credit card or personal identification. In order to become a hacking target, a firm must possess something the hacker wants. When initially assessing a client’s threat level, Ken asks the firm the type of data it is holding. Today, foreigners also hack US companies attempting to gain usable info. Every quarter at NASA Lewis there is a sting operation involving hackers’ attempts to break into NASA’s system to procure information and sell it overseas.

The purpose of today’s ITEE was to share experiences with security so that 1) breaches do not occur, and 2) breaches (if they do occur) do not severely impact the firm. The two frontiers of “black hat” and “white hat” hacking collided in the Taylor Institute as participants listened attentively to Ken Stasiak, founder of SecureState, as he conveyed intriguing stories about both sides of this mysterious profession.

IS IT A BAD THING TO LAND ON THE FRONT PAGE OF THE WSJ?

One of the first questions Ken posed to the group was “is it really a bad thing to land on the front page of the Wall Street Journal.” In order to land on the front page of the WSJ, a very serious breach must occur in a very large company. He presented an example of TJX Companies, Inc. (parent firm of TJ Maxx and other brands). After some time had gone by after one of the largest data breaches in history, TJX’s stock value increased. On the other hand, in the global environment, a smaller business hitting the front page due to a security breach can lead to financial devastation. The results depend as much on the response as on the initial event.

CASE STUDY PRESENTED

Recently, SecureState took on a bank client concerning a hacking event that occurred between the banks and one of its clients. SecureState performs assessments, audits, Sarbanes-Oxley (SOX) compliance issues, forensics investigations, and hacking risk management services for clients throughout the US. Ken explained that he becomes a virtual Chief Information Security Officer (CISO) for clients as they outsource security services to his firm.

The case is ongoing and Ken asked the group to comment and provide insights into how attendees might respond to certain scenarios. A European hacking community targeted banks specifically through SQL injections [1]. A hacker apparently gained access to over 2,500 user accounts and transferred $500,000 to an offshore account. SecureState was hired to determine the extent of the breach and whether or not the bank needed to issue a letter to customers indicating the breach’s occurrence. In addition, the timing and content of the potential letter remained to be determined.

Many questions surfaced including: When did the breach occur—is it at the time of access to the system or the time the data was actually used? How much liability do consumers face regarding the breach?

WHAT HAPPENED?

There were several salient facts presented by Ken:

THE BANK

· A hacker apparently gained access to over 2,500 user accounts at the bank. The mode of attack was not specified, and in theory should not have been possible because the bank was using SSL to encrypt data transfers. A security company was supposed to be monitoring traffic, looking for suspicious patterns that might indicate an attack.

· The bank switched from partial to full SSL and did not notify the security company about the change. Before this switch the security company could read the (unencrypted) traffic it needed to monitor in order to detect an attack. After the change, the security company was blinded (not being able to see the data at all due to full encryption), and therefore could not see/detect the attacks occurring.

· After three to four months, the bank realized it was being attacked. At this time, very few checks and balances existed with the monitoring company. Every year the bank should have had someone simulate an attack to see if the monitoring companies was doing its job and picking up attacks. Because of constant upgrades and changes, the bank needed to be sure that the monitoring company was monitoring the proper things.

· In addition, there were no logging information records to indicate if someone was even in the bank’s system looking at data.

THE MANUFACTURING FIRM

· The company that owned the $500,000 that was transferred was a manufacturing firm. They had set up a capability with the bank so that they could conveniently transfer money overseas through an online mechanism.

· SecureState visited this company, broke into the company’s system, and was able to transfer money.

At this point, SecureState told the bank that it did not have exclusive liability concerning the breach. The manufacturing firm did not do a sufficient job protecting its own funds. At this time, it is not clear where the $500,000 transfer occurred. Did the transfer occur because of the breach at the bank or because the manufacturing firm did not possess sufficient controls to safeguard the data? The bank needed to understand how to respond to FDIC auditors in a written letter. What should the bank tell the FDIC? Because of the absence of logging information, it is not clear whether the information was even stolen. If the data were stolen, have the data been used?

KEN’S QUESTION TO THE GROUP

Ken asked the group how they might respond to this case by posing two questions.

1. What do you do about the $500,000 that was transferred? Who is liable—the bank or the firm?

2. How do you respond to customers of the bank? Do you send a letter now or wait to see if any accounts are compromised as a result of the breach?

One attendee responded that the lawyers would sue all parties in an attempt to collect. Another attendee indicated, regarding the letter, that a company only has one chance to control the message so it is better to take a proactive stance and control the message from the beginning. Waiting for the news of the breach to hit the media first risks brand damage regardless of the liability issue.

SECURESTATE’S ANSWER

SecureState adopted a pro-active response. They drafted a letter indicating to consumers that their data “may” have been compromised. The letter recommended that customers change their individual passwords. In the event of a theft, the bank will provide identity theft protection to the consumer for one year. The bank received very few responses to the letter.

An attendee asked why SecureState did not recommend a mandatory password change for the customers. Due to the desire to provide excellent customer service, SecureState and the bank felt it better to allow the customers to change the passwords on their own. From a customer satisfaction point of view, customers may not like being forced and the helpline phone might ring off the hook. However, it might be wise for the bank to force periodic mandatory password changes. Two opposing concepts concerning customer service may be clashing concerning the need to make systems easier to use and the desire to empower customers to maintain their own personal security. Promoting customer responsibility and making systems easier for customers to use might oppose one another.

OTHER ISSUES

Additional legal issues concerning the case include the software development companies that coded the web-based application through which the SQL injection took place. What portion of the blame does this company share, because this channel was the one used to create the breach?

A question came up about how prevalent SQL injects attacks occur. Ken explained that most attacks occur within the application layer. On-line banking comprises a complicated tiered functionality comprising many layers including a presentation layer, business logic layer, and data layer. Insufficient coding at the application layer causes approximately 70% of all attack opportunities. Coders are not sufficiently knowledgeable about security issues and they often fail to consider the risks when coding procedures that comprise applications. This problem occurs in all industries according to Ken.

Another question was raised about other countries’ willingness to provide assistance and level of cooperation to prosecute offenders and recover assets. Banks do not insure transfers of funds. Once the transfer is authorized and takes place, the money is considered to be out of the control of the bank and either gets to its destination or does not. Worms get into systems and causes breaches affecting many small businesses seriously and the bank cannot help them recover the funds. This creates ill will and customer relations nightmares for the banks. A local CIO suggested that SecureState develop a program to help small business understand the risk and teach small business to install controls to safeguard fund transfer. Doing so will mitigate the blame the bank receives for the losses.

Since fraud must be proven, it can take six to eight months to understand how the money transfer came out. It may be possible to figure out where the money was sent, but if it was your money, it is your problem. Who can help you get it back? Ken discussed the fact that one part of the transfer system does not use encryption, although numerous other controls are in place [2].

STATE SPONSORED HACKING?

A question surfaced about state sponsored hacking. Currently, the US does not understand when a cyber event constitutes an act of war. Today, the US is looking to hire 1000 cyber security professionals within the next three to four years. Part of this recruitment effort will be directed toward setting up teams to investigate cyber warfare as a true avenue of attack. Certain countries like Canada and Israel do have state sponsored hackers that attempt to break into US government systems. Currently, the US does not collaborate with private industry to prevent cyber attack. The US possesses the technology to help private business but the knowledge is not being disseminated down to the private sector. Other countries provide much better collaboration with the private sector.

Another question concerned whether hackers are interested in B2B or is it just B2C? Ken is a hacker and spent many years within the inner circles of the hacking community. At that time, the hacking spirit entailed having fun and education. The scary thing now is that over the last two years the spirit has changed. Hackers are now attacking one another and the situation is comparable to the Wild West. Companies such as SecureState are now targets because hacking has become a lucrative career and the hackers seek to protect their livelihoods. This phenomenon is known as the Anti-Sec movement and it is a weird cultural dynamic. Today, Ken does not understand the motivations of the hackers and he sees hacking attacks on both B2B and B2C channels. Security companies are presently being hacked by other security companies.

The code of ethics has been lost within the hacking community. Today, banks and other firms ask Ken whether they might become a target. It is better to identify a target ahead of time because once the attack begins it is hard to fight it off. Ken advises companies to fly under the radar and try to avoid making news that might instigate a hacking community. Hackers used to desire to help companies. Today, they desire to take down companies and appear to possess a culture of bitterness.

Another question was asked as to whether companies will produce better products that resist hackers and do not require so many patches to be installed. Microsoft Windows 7 might be better because it uses an application blocker. It is possible to specify the apps that can and cannot run using Windows 7. Presently, Microsoft is trying to build in technologies to cushion the effects of security problems. One solution will never fix all vulnerabilities because security costs considerable money. Security costs should be a normal part of doing business today. As consumers, we expect security to be offered at no cost. Future consumers may pay for security through higher product costs.

This statement caused pushback from one of the attendants who is sick and tired of having to employ dozens of engineers and technicians to install patches and maintain security. He asks why the security firms do not charge more so that he does not have to hire so many people working on the system 24 hours a day. He compared installing patches to auto repair where an individual does not desire to keep returning to a dealer for service repeatedly. This attendee desires regulation of the industry and demands safer and better products. He feels industry should approach Washington and lobby for regulation because after all, cars have a lemon law.

PHISHING AND OTHER ATTACK AVENUES

Phishing attacks are a huge concern for one attendee. Phishing can leave a company more vulnerable than an attack that is just based on exploiting technology. The company may be more vulnerable because the user does not know what actions he or she must avoid (such as clicking on a bad attachment that looks just like the real thing). The company has a new training program in place; however, it is not gaining a favorable response. Some comparable issues, such as security of some aspects of the supplies the company receives from suppliers, do receive plenty of the company’s attention.

One former consultant present at the ITEE meeting asserted that companies spend more money on coffee than security. Many CEO’s are not aware of the problem. Some targeted phishing appears so realistic that it might even be impossible for the average user to detect. Hackers are able to spoof the real thing including addresses so that spam blockers become ineffective. In addition, social media collaboration tools will create many unknown future issues and are a cesspool for attackers.

Mobile devices pose another avenue of attack. The airways offer more opportunities for hacking. CEO’s are targeted in their homes and travel plans can be hacked. High profile individuals are targets. Today, we do not understand the rationale behind these attacks or all of the technologies involved.

STORIES OF GOOD SECURITY… OR NOT

Are there any positive security stories or companies that are doing everything right? Ken indicated that the entertainment industry handles security the best. Entertainment businesses, such as casinos, understand that they are a target and they have learned to break fraud and corruption due to extensive experience. Most casinos have far better security measures in place than most banks. Security awareness among casino employees is very high and even suspicious looking customers are quickly escorted out of casino buildings. Conversely, within most banks, most employees do not ask questions and are naïve. Although it is a well-kept secret and not discussed in polite company, the pornography industry is also at the forefront of high security measures.

Another question arose concerning the percentage of companies SecureState breaks into while performing security evaluations. Ken indicated that three years ago, his company broke into about 90% of all firms under contract. Today the number is about 75% indicating that improvement and awareness has increased. However, regarding internal breaches, Ken still breaks in 100% of the time if access is granted. Usually, Ken places a bet with the client too wager on how fast his company can break into the client’s system. To date, the fastest time is two minutes! Breaches are easier internally as opposed to externally.

In one instance, the technique Ken’s firm used was to find out where the board of directors of the company was meeting. His team came in advance to the hotel, penetrated the meeting room, and put USB memory sticks with a company logo on them next to each place setting. When the executives plugged these devices in, they were created with a lovely video show about the firm. In the background, malicious software was loaded onto their computers. Ken’s team also set up a fake wireless access point in the hotel that broadcast at a much stronger level than the hotel’s own network. When firm executives attached to the Internet via the bogus access point, they connected to their office systems using Virtual private Networks with passwords and encryption. Because the access point was the classic “man in the middle,” Ken’s firm obtained these passwords and was then able to monitor the traffic that was supposedly secure. In another instance related by one of the firms present for the discussion, a phishing attack that sent targeted emails to senior executives was successful in a very short period of time as one of these executives clicked on a seemingly innocent attachment.

CLOSING THE MEETING

At the conclusion of the meeting, a question surfaced as to what individual participants might do as a result of the presentation. Changing banking passwords ranked the highest amongst the group. Another participant suggested a thorough investigation of vendor systems and other strategic partners of their firm. Worry about social networking tools like Facebook and Linked-In also prevailed. Ken indicated that he has a great social networking policy, investigated by several lawyers, available for the group to review.

The next ITEE meeting is scheduled for Friday January 22, 2010 and will feature a discussion on various governance issues.