Chapter 5: Cybersecurity in organizations and governments

Our work as cybersecurity experts is to find the vulnerable entry points and conduct targeted assessments of an organization’s security layers, whether through penetration testing, physical entry, or access via the internet. If an attacker can inject themselves into an organization’s supply chain (for example, the manufacturing process), steal something, or tamper with a production batch, they can seriously disrupt the company’s entire global operation before they have touched the technology stack. This is why we follow the onion layer model, starting with a company’s physical security and working inward through the technology stack to the core (see Chapter 3).

Some years ago, a global manufacturer asked my team to test the security of their product ordering system. Could we access the system, order a large quantity of products, have them configured, and have them shipped? We secured valid credentials by infiltrating and sniffing the network, got into the system, and ordered a highly customized $100,000 pink luxury mode of transport to be shipped to a specified location. This security breach relied on us first obtaining a user’s name and their login details to the system. It demonstrated that we could stop their process and put in fake orders, or change the configuration of the models to a different color, and severely impact their business. It would cause a serious disruption to the supply chain and impact customer satisfaction. We found the vulnerabilities for the client to fix.

Cybersecurity in business

Any company that uses the internet is vulnerable. Companies jeopardize their IT because they don’t invest in adequate security measures, or don’t even know what “adequate” entails. Even the simplest procedures, like patching systems, are basic-level hygiene that companies, not the government, are responsible for. This is the current landscape businesses are facing, according to the Identity Theft Resource Center (ITRC):

• Businesses accounted for nearly 51 percent of breaches in 2017, followed by banking, healthcare facilities, educational institutions, and government.

• Monetary damage to a large organization averaged $5 million, approximately $301 per employee.

• Nearly 70 percent of companies do not think antivirus protection can stop current threats.

Three key reasons why many organizations struggle to implement cybersecurity come down to cost, lack of visibility, and complacency. (Note how similar they are to the reasons everyday consumers have security problems. See Chapter 4.)

Why are companies careless in protecting themselves? Perhaps they think that any losses and fines from a breach, along with the investigation and remediation costs, will be so much lower than their total revenue that it isn’t worth the effort to install and monitor modern security measures. The irony is that they have probably already been breached and just haven’t discovered it yet. The prospect of lower sales, lost customer loyalty, and a damaged reputation or brand isn’t enough to push them to change, so this attitude persists.

Because there is little coverage and visibility of the range of impacts resulting from hacking, too many companies naively believe they’re secure by default. They are unable to understand the risks, or don’t believe criminals know how to exploit their vulnerabilities. Too many also run outdated systems and unpatched software that, if updated, would stop the bulk of opportunistic attacks. Part of the problem rests with the top layer of an organization, an older generation of executives who might know how to do business but don’t understand technology, cyber, or security, and therefore don’t fully understand how to protect their organizations. (Remember the Senate hearing with Facebook?) Until companies have board members with true technology and security expertise, new and adequate technology and security levels will trickle down too slowly.

To cap it all, while the motives for hacking are the same as ten years ago, the tools are not. The way we drive cars hasn’t changed much since the first four-wheeled car was invented; however, the technology we now use lets us drive faster or use driverless, autonomous cars. Likewise, the methodology behind computer hacking hasn’t changed; the technology and tools have. Because neither individuals nor companies have significantly raised their defensive game, attackers haven’t had to change their attack methodology. I compare it to living in a castle while war rages around it. From a window, you see soldiers approaching on the horizon, and soon they’re at the doors, beating them loudly. You focus on the window only.

Meanwhile, you’ve left the back door of the castle open to attackers. And they’re also tunneling from below ground, so you can’t see that the perpetrators are already inside. In the end, the attackers don’t have to change their game much to get in. That’s what I mean by lack of visibility, and this is what the internet is like every day. Physical and virtual walls may seem adequate, but attackers are always looking for a way in. Businesses and governments usually don’t know that what they have isn’t enough. That’s why so many rely on outdated antivirus software or a single system patch and consider themselves protected.

We’re now well past the internet boom, so for companies to say they don’t understand cybersecurity is, in my opinion, not defensible. This attitude might have worked in 2005, when the number of internet users worldwide, according to Statista, was a bit over one billion. The number of users has since topped 3.5 billion. Cyber-hygiene is the one thing organizations can control but simply don’t want to. They’re unconcerned about taking care of the basics and don’t want to admit it. If the majority of the non-executives sitting on the board are ignorant of current cybersecurity practices, don’t believe they might be breached, and simple things like patches aren’t done, it leaves their organizations wide open. Cybersecurity, like finance, should be on the board’s agenda at every meeting. Countless online resources, free and paid, can help organizations cover the basics of cybersecurity and beyond, so for organizations to claim they don’t understand the everyday risks and instead pay lip service to them is both lazy and negligent.

Companies demonstrate these lackadaisical attitudes when, in an attempt to avoid negative publicity, they don’t admit to a breach. Attempting to control the narrative is understandable, given the long-reaching consequences that can ensue once the media gets hold of a negative story. I’ll discuss this later. But it can also backfire. For example, Uber waited a year to admit that data on 57 million riders and drivers, including email addresses, mobile phone numbers, and the driver’s license numbers of around 600,000 drivers, had been stolen, and that it had paid the attackers $100,000 to delete the data. For many, this attempt to reassure the public, customers, and potential clients was misleading and too late for a company already struggling with reports of being a hostile environment for female employees. Its new security chief, the highly credentialed Matt Olsen, said: “For any large organization, whether you’re talking N.S.A. or a company like Uber, having a plan and having practiced and exercised how to respond to a breach is critically important.” Let’s hope they do more than just prepare to “respond” to a breach.

Just as we saw in online consumer behavior, the human element affects how businesses become vulnerable to cybercrime and how they defend themselves. As long as corporate system users perpetuate a casual attitude toward cyber risks, don’t invest in prevention, and don’t even see what could harm them, even a novice hacker will find a way to confidential or proprietary information.

When private lives are exposed: Ashley Madison

Case in point. The most embarrassing incidents can occur when someone’s private online activity reveals unsavory behavior. In the summer of 2015, Avid Life Media received a warning message from a group calling themselves the Impact Team, ordering them to shut down their Ashley Madison and Established Men websites within thirty days or their client information would be leaked. After the deadline passed, while the company struggled to contain the damage and investigate the breach, the hackers published a torrent file containing company information (including the CEO’s emails) along with the email addresses and mailing addresses of account holders, some of whom were public officials, plus partial credit card numbers and sexual preferences. The leaks continued as the hackers released user IP addresses, sign-up dates, state-by-state user lists, and even amounts spent on the company’s services. Meanwhile, copycat extortionists moved in to scam compromised users, demanding payment to delete their files or threatening to send them to relatives. The mess seemed to have no end in sight. As users scrambled to find out whether their information had been compromised, for others it was too late: in less than two months, the media reported two suicides associated with the leak.

The lesson here isn’t about whether or not you should use dating websites. It’s that all types of organizations are at risk, and this case stands for any website in any industry. Users put themselves and possibly their loved ones in danger when they engage with high-risk websites that aren’t doing all they can to protect them. According to individuals who were part of the anonymous Impact Team, the company’s security level was bad. “No one was watching,” so they used their technical advantage to unleash a world of hurt. And according to the password-cracking group CynoSure Prime, who reportedly cracked 2.5 million of the website’s passwords in hours, the top ten Ashley Madison passwords included “123456,” “DEFAULT,” and “password.” (The site hashed its passwords with bcrypt, which is slow to crack by design; the shortcut was a separate, weaker MD5-based login token the site also stored, which is a reminder that one strong control is undone by a weak one next to it.) Not so smart for people who didn’t want to get caught cheating. I guess the second lesson is if you’re going to engage in this type of activity, just don’t use 123456 in any form as your password.
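“Don’t use 123456 in any form” is easy to say and harder to enforce. The following is an added example, not code from the book, showing how a sign-up form can reject a common leaked password whatever disguise it wears: different case, leetspeak, reversed, or padded with digits and symbols. The denylist here is a constructed handful of entries; a real deployment checks against a full breach corpus, as NIST SP 800-63B recommends.

```python
"""Reject passwords that are a common leaked password 'in any form':
exact, different case, leetspeak, reversed, or padded with digits/symbols."""
import re

# Constructed denylist of a few of the most common leaked passwords. A real
# deployment checks against a full breach corpus, as NIST SP 800-63B recommends.
COMMON_PASSWORDS = {"123456", "12345678", "password", "default", "qwerty",
                    "abc123", "letmein"}

# Leetspeak substitutions reversed, so "P@ssw0rd" normalizes to "password".
_UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                         "7": "t", "@": "a", "$": "s", "!": "i"})


def _normal_forms(password):
    """All the shapes a banned word could hide in: lowercased, de-leeted,
    reversed, and each of those with trailing digits/symbols stripped."""
    base = password.lower()
    forms = {base, base.translate(_UNLEET), base[::-1]}
    forms |= {re.sub(r"[\d\W_]+$", "", f) for f in forms}
    return forms


def password_is_acceptable(password, denylist=COMMON_PASSWORDS, min_length=8):
    """Return (ok, reason). Rejects short passwords and any password whose
    normalized forms contain a denylisted string as a substring."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    for form in _normal_forms(password):
        for banned in denylist:
            if banned in form:
                return False, "contains common password %r" % banned
    return True, "ok"


if __name__ == "__main__":
    # Constructed candidates: the first five should be rejected, the last accepted.
    for candidate in ["123456", "abc123456!", "P@ssw0rd!", "654321xyz",
                      "DEFAULTpass", "correct horse battery staple"]:
        print(f"{candidate!r:34} -> {password_is_acceptable(candidate)}")
```

The substring match is deliberate: “abc123456!” and “654321xyz” are both rejected because a banned string survives somewhere in their normalized forms, whereas a long passphrase with no denylisted fragment passes.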

How safe is your bank?

Banking is one of the five industries most attractive to attackers. Technology has brought us a long way from traditional banking practices that entailed waiting in long lines to speak to a teller and signing on the dotted line for every transaction. Credit cards, ATMs, mobile banking apps, and fintech companies are revolutionizing the way we bank. Yet although this sector spends considerable amounts to protect itself:

• According to the Identity Theft Resource Center, there were 69 breaches in the banking/credit/financial industry in 2017, believed to have exposed 2,781,270 banking records.

• A SecurityScorecard survey reports 50,803 malware incidents in the 2,924 financial institutions it scanned between March 2017 and August 2017, with 45 percent of the banks having had at least one malware event in that period.

• If you can’t quite wrap your head around these numbers, here’s another example. The 2016 Bangladesh Bank cyber-heist remains one of the biggest and most sophisticated attacks on record. Using fraudulent SWIFT payment instructions, the attackers siphoned $101 million from the bank’s account at the Federal Reserve Bank of New York and routed it to accounts in Sri Lanka and the Philippines; the Sri Lanka portion was later recovered. They had tried to move nearly $1 billion in thirty-five transactions, but only five went through.

POS and ATMs

To encourage spending, banks and fintech companies have made it even more convenient for consumers to buy. If you grew up in the 80s, you might remember that banking theft was mainly a stolen credit or debit card; you would just go to the bank, cancel the card, and replace it. Today, the point-of-sale (POS) systems that let you swipe or insert your debit or credit card to pay can also be compromised. It may not be the bank’s database but the system processing these transactions that is breached.

So, let’s say that you went out today and ran some errands. You stopped by Whole Foods and at Verizon for a new phone. Then you capped off the day at your favorite coffee shop for a snack. The following month, you’re horrified to see multiple debit transactions from retailers you’ve never even shopped at. So, where was the compromise? The brick-and-mortar retailers? The coffee shop? Your bank? Or the ATM you used two months before? With so many attack surfaces, it is difficult to pinpoint where the compromise happened.

Hackers can also skim magnetic stripes at ATMs by placing a reader over the card slot, and capture your PIN with a pinhole camera they install on the machine. At the end of the night they have the data to create a fresh batch of cloned credit and debit cards. (Chip-and-PIN cards resist cloning, but the magnetic stripe still present on most cards does not.) Then they go on spending sprees in foreign countries, where the issuer’s fraud systems aren’t interlinked with the local ones, so by the time the fraud alerts trigger, they’ve already taken a million dollars off some five hundred cards.
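The “where was the compromise?” question in the errand scenario above is exactly what a card issuer’s fraud team answers with common-point-of-purchase (CPP) analysis: take the cards that have reported fraud, list where each was used, and look for the merchant they share that ordinary cards rarely visit. The following is an added example, not code from the book, run over a constructed transaction log; the merchant names are placeholders, not the retailers named above.

```python
"""Common-point-of-purchase (CPP) analysis: given a set of cards that have
reported fraud, find the merchant they share that clean cards rarely visit."""
from collections import defaultdict
from datetime import date

# Constructed transaction log: (card_id, merchant, transaction_date).
TRANSACTIONS = [
    ("C1", "Grocer", date(2017, 3, 2)),  ("C1", "CoffeeShop", date(2017, 3, 2)),
    ("C1", "PhoneStore", date(2017, 3, 3)),
    ("C2", "Grocer", date(2017, 3, 4)),  ("C2", "CoffeeShop", date(2017, 3, 5)),
    ("C3", "Grocer", date(2017, 3, 6)),  ("C3", "CoffeeShop", date(2017, 3, 6)),
    ("C3", "PhoneStore", date(2017, 3, 8)),
    ("C4", "Grocer", date(2017, 3, 9)),  ("C4", "CoffeeShop", date(2017, 3, 9)),
    ("C5", "CoffeeShop", date(2017, 3, 2)), ("C5", "GasStation", date(2017, 3, 3)),
    ("C6", "CoffeeShop", date(2017, 3, 4)), ("C6", "GasStation", date(2017, 3, 5)),
    ("C7", "CoffeeShop", date(2017, 3, 7)), ("C7", "Grocer", date(2017, 3, 7)),
    ("C8", "CoffeeShop", date(2017, 3, 8)),
]
# Cards whose holders later reported fraudulent charges (constructed).
FRAUD_CARDS = {"C1", "C2", "C3", "C4"}


def common_point_of_purchase(transactions, fraud_cards):
    """Rank merchants by how much more the fraud cards used them than clean cards did.

    fraud_share:  fraction of fraud cards that transacted at the merchant.
    clean_share:  fraction of non-fraud cards that transacted there (the control).
    lift:         fraud_share - clean_share; a merchant everyone uses scores ~0.
    window_start: earliest fraud-card transaction there, i.e. the earliest the
                  skimmer or POS malware could have been active.
    """
    cards_by_merchant = defaultdict(set)
    first_seen = {}
    all_cards = set()
    for card, merchant, when in transactions:
        all_cards.add(card)
        cards_by_merchant[merchant].add(card)
        if card in fraud_cards:
            first_seen[merchant] = min(first_seen.get(merchant, when), when)
    clean_cards = all_cards - fraud_cards
    results = []
    for merchant, cards in cards_by_merchant.items():
        fraud_share = len(cards & fraud_cards) / len(fraud_cards)
        clean_share = len(cards & clean_cards) / len(clean_cards) if clean_cards else 0.0
        results.append({
            "merchant": merchant,
            "fraud_share": fraud_share,
            "clean_share": clean_share,
            "lift": fraud_share - clean_share,
            "window_start": first_seen.get(merchant),
        })
    results.sort(key=lambda r: (r["lift"], r["fraud_share"]), reverse=True)
    return results


def suspected_cpp(transactions, fraud_cards, min_fraud_share=0.8, max_clean_share=0.3):
    """Keep only merchants that almost every fraud card visited but few clean cards did."""
    return [
        r for r in common_point_of_purchase(transactions, fraud_cards)
        if r["fraud_share"] >= min_fraud_share and r["clean_share"] <= max_clean_share
    ]


if __name__ == "__main__":
    for r in common_point_of_purchase(TRANSACTIONS, FRAUD_CARDS):
        print(f"{r['merchant']:<12} fraud={r['fraud_share']:.2f} "
              f"clean={r['clean_share']:.2f} lift={r['lift']:+.2f} from={r['window_start']}")
    print("suspected:", [r["merchant"] for r in suspected_cpp(TRANSACTIONS, FRAUD_CARDS)])
```

The control group matters: every fraud card visited the coffee shop, but so did every clean card, so its lift is zero and it drops out, while the grocer is used by all four fraud cards and only one clean card. The earliest fraud-card visit there gives the start of the window in which the skimmer or POS malware must have been live, which is also the window the bank uses to decide which other cards to reissue.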

While banks have detection systems in place, fraudulent transactions happen all the time. Using debit cards is crazy because they offer far less protection for consumers than credit cards: the money leaves your account immediately, and you have to fight to get it back. And as in other industries, some banks prefer to absorb the loss, since there is a point of diminishing returns in protecting card data versus the amount of money actually being stolen.

So, are today’s banking practices safe? Financial institutions have a duty of care to protect the systems you use, so they must protect your data and transactions. Meanwhile, as a customer, you should follow best practices, and if you see your bank not doing the same, consider changing banks (sometimes easier said than done). To reduce my risk, I use a separate computer for financial and sensitive transactions and another for day-to-day activity.

For more steps to better protect your banking activity, review the checklist at the end of Chapter 4.

Ransomware and why companies pay for recovery

Businesses across all industries are often subject to ransom demands. Their reasons for paying, while always rooted in business recovery, vary with the potential damage. Ransomware, one of the fastest-growing online crimes (see Chapter 3), is disrupting the operations of organizations around the world, targeting individuals and organizations alike.

In one case I worked on, a particular manufacturing company was hit, and all the data used for running the business was rendered useless as it was all encrypted. They couldn’t even use email or access their ordering system. The attackers wanted $5 million in exchange for the key to their files, and we managed to negotiate it down to $800,000. They made the payment, recovered their data, and all was well again.

Along with access recovery, companies can have other reasons for not confronting hackers head-on:

1. There’s a deadline, and they want to avoid the ransom going up.

2. It is cheaper to pay the ransom than to investigate how the infection happened in the first place.

3. They want to prevent the incident from leaking to the press.

4. They don’t want to report the breach to the authorities or regulators, who may impose fines and penalties.

Ransomware is a great business model for attackers: companies reward the bad behavior with a payment, and there’s no guarantee the decryption key will even work, or that data the attackers copied won’t be leaked anyway. It’s also highly lucrative. Of fifty companies hit, if only five pay $500,000 each, that’s $2.5 million. All you’d need is the right skills and some patience to pull it off. And if you’re extra lucky, the company won’t even make the required changes to its infrastructure, and you can hit them again.

The healthcare sector—a deadly target

In May 2017, the National Health Service (NHS) in England was hit by the ransomware worm known as WannaCry, which infected over 230,000 computers in more than 150 countries. The attack caused disruption, canceling patient appointments and operations, and could have had a much more serious impact on the NHS’s service to its patients. As you can imagine, the risks around healthcare go well beyond the privacy of patient data and which ailment belongs to which patient.

Let’s start with the availability of medication and supplies. What if an attacker could lock up all of the insulin, asthma inhalers, or self-injectable epinephrine? Or what if a denial-of-service attack took CT scanners or MRI machines offline? What if someone hacked a hospital’s wireless network and stopped medical devices such as chemo pumps or dialysis machines from operating, or used them to harm a patient?

Thankfully, the spread of WannaCry was halted the same day, after a researcher registered the domain that acted as the malware’s kill switch. But according to a report by the UK’s National Audit Office, the NHS could have prevented the attack with simple steps: the worm spread through a Windows file-sharing (SMB) vulnerability for which Microsoft had released a patch (MS17-010) two months earlier, and the Department of Health had been warned the year before that such an incident could happen.

The Role of the Press

In 2016 we worked on the biggest bank robbery in the world. The Bangladesh Bank heist was uniquely challenging for two reasons. First, because Bangladesh is a developing country, the logistics of communications and independent travel were very hard for the team working onsite. Second, corporate governance was nonexistent: every time the team provided an internal report to the client, parts of that same report would suddenly appear in the press. In essence, all the information about what we were doing leaked like a sieve while we were trying not to tip off the hackers.

What goes on in the background during an investigation affects how breaches are perceived by the public and how people react. Companies normally call in forensics when they discover they have an issue. By this time the narrative is already out and owned by the press, so we white hats are behind the curve when we arrive on site. The client knows they need to regain control of the messaging, so they start by putting a backstop behind the story to stop the bleeding. Companies normally release a positioning statement that acknowledges the issue and says an investigation is underway. They don’t want to admit any liability, nor how big the issue is, so after the legal team approves the language and everyone else agrees, the statement they push depends on how much risk they want to take. It takes time for forensics to triage, so this gives us all some breathing room to hold the wolves, the press, and everyone else’s opinions at bay.

We then investigate; what we’re able to see depends on the evidence we find. For example, if a client routinely doesn’t collect logs or monitor security events, we can only report on the facts evidenced in that environment. This is standard in a basic investigation. We should be able to tell the client what’s happening in their systems in a short period of time. We then feed that information to the client’s incident team, which is usually made up of PR, legal, and part of the C-suite.

This is what typically goes on during an investigation. Savvy companies will have a process in place so that their PR team can stop the bleeding early. Companies that don’t have a sophisticated messaging mechanism in place get bitten by the press. In the end, the press will always find something to talk about; they speculate and assume and are therefore very seldom correct. Few press outlets cover security breach stories accurately. This is because the press typically doesn’t have the full details or context around an attack, only the bits of data it relies on. It’s similar to watching the news coverage of any event such as a terrorist attack. Everyone speculates on what’s going on, including experts or a random person who was once in the army and has an opinion. But here’s the thing: it’s just an opinion, and they have no idea what’s really going on behind the scenes.

I believe that the press in the Western world only knows and reports on 10 percent of breaches that are happening at any time. And where there is no free press, no one knows what’s going on. I’ve worked a lot in countries where big breaches have happened, but nothing is shared with the public because the authorities can easily shut down the media. For a company to weather the storm and minimize the negative narrative, it should orchestrate things to keep their name in the press for as short a time as possible and take the biggest hit of exposure in the beginning.

When I look back at press reports on the Saudi breach I discussed in Chapter 1, I’d say that 80 percent of the reporting during the time of the event was way off, mainly because they weren’t fighting the fight and seeing what we were seeing. The next time you see a report about a major breach, know that much of the reporting is the result of the children’s game known as “telephone” or “Chinese whispers.”

Behavior in government

I’ve worked across the globe to block intruders and to protect computer systems, networks, databases, and hardware, and it’s always eye-opening to see how nations deal with and protect themselves from cyber threats. I am surprised at the lack of sophistication or maturity governments employ to protect their citizens. I’ve found that the offensive capabilities of various countries form part of an unspoken “best, better, worst” ranking. For example, among nation-states, China, the US, and Russia are considered very sophisticated and very capable of performing offensive cyber operations. And although the majority of governments say they don’t conduct such operations, they all do, both offensive and defensive. When you examine just the defensive side, the protectors of the home nation, maturity levels differ by country, as does citizens’ belief in the protection in place.

It sometimes surprises me that some countries aren’t even at a basic level of offensive or defensive capability. And if you think the US is near the top of these capabilities, consider that even the US has struggled, unsuccessfully at times, to protect its own sensitive data. In the end, all governments have been breached at some point; disclosure depends on whether there’s freedom of the press in the country and how often the government wants to play the national security card.

Two prominent but separate breaches occurred at the Office of Personnel Management (OPM), both disclosed in 2015. In one, the personnel records of 4.2 million current and former federal employees were stolen. In the other, the background-investigation records of 21.5 million employees, contractors, and applicants for security clearances were taken, including criminal, financial, and personal histories, along with millions of fingerprint records. There’s no telling the damage attackers could cause with this amount of personally identifiable information. For more examples of US government data breaches, check out the list in the Appendix.

What is the Government’s Role?

Who is responsible for protecting citizens and organizations from cybercrime? While the government has a say in how much of our information it needs to do its job, we’re still responsible for our own internet activity. It wasn’t always like this. Originally, governments took no responsibility at all. As critical national infrastructure became part of the fabric of the internet, it became obvious that governments needed to protect it. But the security standards were set at minimum levels, which makes it easy for intruders to hack their way in. Government agencies store more data than the private sector and often do so on antiquated and vulnerable systems. Governments are now trying to upgrade their security protections, but individuals and organizations still need to provide their own security. For current insights on what the government’s role should be, make sure to read the interviews in Chapter 7, particularly those of Patrick Olsen, Robert Coles, and Ramses de Beer.

Should we trust the government? In the end, although everyone is fair game, including the government, that same government can also hack into whatever it sees fit. For example, the US government has a legal route into your Gmail account: an order under the Foreign Intelligence Surveillance Act (FISA), granted by the FISA court, lets it be turned loose on your mail. This shouldn’t surprise you; governments have always spied on their own citizens and on other countries for the sake of national security, and intelligence communities have ways of stealing things that you and I will never know about.

Another argument for holding governments accountable is that citizens never truly know what their own governments are doing. You don’t need to look further than the possible Russian involvement in the 2016 US elections for an example of how quickly an investigation can become entangled and messy. But was Russia really involved? I think certain people within the intelligence communities know for sure; everyone else is purely surmising. And even if they uncovered solid evidence of interference, no one knows the potential repercussions. We may never know the truth.

Lastly, committees in government departments all rely on other people to tell them what’s wrong. This means there is sometimes considerable papering over of what’s really going on and of the current state of health of the organization. Those at the operations level don’t want to filter bad news upward, and think they have it under control. The committees also rely on audit committees, run by accountants who typically know little about security, to tell them that everything is fine. In the end, the top tier operates on a false sense of security (it sounds like Hans Christian Andersen’s “The Emperor’s New Clothes”).

Here’s the bottom line: all governments have certain standards and guidelines in place, but individuals and organizations should also be vigilant in protecting their own data. Even where regulations exist, no one should assume that they close every door or mitigate every risk.

What Needs to Change

It’s clear that organizations and government agencies can do more to protect their customers and citizens. Most of them simply haven’t covered the basics and continue to operate insecurely, allowing attackers into their environments undetected. Check out what other industry experts have to say in Chapter 7. Many governments around the world do provide practical guidance for companies large and small. I also include infographics from the UK National Cyber Security Centre, as well as my own top suggestions, at the end.

https://www.ncsc.gov.uk/information/infographics-ncsc.

My top suggestions for organizations and governments:

1. All organizations need to take threats more seriously and understand how to protect themselves. Many of them think that auditing or compliance is security, believing that a control review is enough, but compliance only means a set of requirements has been met on paper. It doesn’t equal security.

2. Every organization should conduct a risk assessment to review its current security, identify its assets and the threats to them, and create a cybersecurity policy.

3. They should be aware of their government’s cyber initiatives and programs and get involved, in whatever capacity they can, in improving standards within their industry.

4. All staff need better training to recognize and report suspected malicious activity on computers and networks.

5. Access should be limited to those who need it (least privilege), and staff with high-level access should be monitored.

6. Every organization should have a breach response plan that it has practiced, not just written.