Cybersecurity breaches keep getting larger, and the hackers behind them keep getting bolder. Wired magazine predicts that 2016 will see more efforts to shake down large computer networks. These aren’t simple ransomware attacks, where computer systems are locked until a victim pays a ransom, but full-blown shakedowns, where sensitive company information or customer data might be released—unless the company either pays big or is forced to respond in another way. Another threat is data manipulation, where nothing is stolen. It’s just changed, to raise issues about the integrity of systems such as those at financial institutions or the stock market.
Whatever form they take, security breaches are an unending headache for corporate executives and board members. In San Antonio, security is already a substantial part of the city’s economy, and includes the 24th and 25th Air Force and a branch of the National Security Agency. The Chamber of Commerce is developing an initiative called Cybersecurity San Antonio, which its director, Will Garrett, says will accelerate the growth and national reputation of the city’s cybersecurity industry. Garrett helped organize a panel on cybersecurity for Texas CEO Magazine. It featured speakers Chris “Skinner” Fogle of Delta Risk; Dave McDermitt of USAA; and Deron Means of the Denim Group.
Boards are a lot smarter about cybersecurity than they were five years ago, Fogle said. But they’re becoming less confident about dealing with it because of all the news about the unending attacks on computer systems. Fogle said we have to work on those confidence issues, because of the boards’ fiduciary responsibility to shareholders. “Most boards today know they are well short of the bar they need to meet,” he said.
Fogle said one thing companies must have is someone to watch the Security Operations Center, or SOC. “You have to have someone actually watch it,” he said. “You do have to invest—someone needs to watch for the anomalies on the network every day who knows the difference between normal and not normal.” And it must be in-house, not done offshore. “Offshore?” Fogle asked. “Not ‘No,’ but, ‘Hell, no!’”
Another must is the Chief Information Security Officer, or CISO. It’s a position as different from the CIO as IT is from IT Security. “They are two different sets of skills and two different mindsets that need to be hired,” Fogle said. And he urges boards not to put the CISO under the CIO, but rather, to treat them as separate businesses within the organization.
Then there’s cyberinsurance. Delta Risk has developed a tool with which companies can assess their risk. Fogle said a 30-minute questionnaire from an insurance company will often determine a $100-million policy. But, he said, no one underwrites $100 million. Instead, they underwrite $10 million, and the broker puts together a tower of $10 million policies. In traditional insurance towers, insurers try not to be the one to pay out the first $10 million, because if they’re in the middle or last in the tower, the chances that they’ll have to pay out are pretty low. “In cybersecurity, the competition is to be the first to pay out because they know that entire $100 million is going to be paid out and the ones who pay out first get the higher premium,” he said.
To get the best bang for the buck, Fogle says a company should get the board and C-suite together, look up the latest hack reported in the Wall Street Journal, and ask what could be done if that happened in the company. He suggested the company run an exercise. “Focus on your incident response, because the breach could come tomorrow,” he said. “Most of the money that goes toward a cyber incident gets paid in the incident response phase.”
Another place to look for breaches is the vendors. “Law firms and accountants are the most vulnerable—if I’m an attacker, your lawyers and CPAs all have your critical information, so make sure they are involved in your cybersecurity strategy,” Fogle concluded.
USAA’s Dave McDermitt looks at security from an insider’s viewpoint, as CISO. Business is all about managing risk, he observed, but business leaders are not focused on information security. But information security affects finances, reputation and operations. “We’ve moved into an era where increasingly, our business is online,” he said. Customers and suppliers need to access information, and a company’s ability to conduct business depends on that access as well.
McDermitt urged companies to think about the kinds of information that could be of value to an attacker, and noted that the “threat landscape” is changing significantly. Hackers can no longer be stereotyped as a kid sitting in his parents’ basement, banging away at a computer in the middle of the night. Now, the attackers are funded by nation states and organized crime.
“They are targeting big data,” he said, “and they are going after personal identifiable information and health care information in larger quantities than they have ever gone after before.” McDermitt said the big threat is against personally identifiable information, which USAA has on 11 million members. “This information is of great value to individuals who would do harm to both our country and our company,” he said.
Companies should consider whether they face a technology risk or an enterprise risk, because the two need to be approached differently. Increasingly, the issue is enterprise risk. “We can do four things with it,” McDermitt said. “We can mitigate or reduce it, we can transfer it, we can accept it, or we can avoid it altogether by not doing business in a certain area.”
“I’m an old Navy guy, and Navy guys like what we refer to as ‘watertight integrity,’” he said. The cybersecurity equivalent of watertight integrity is network segmentation. “Is that information segmented in a way and partitioned in a way to prevent people from getting to your crown jewels in one big swoop?” he asked. “The greater you can contain the damage, the less expense you’ll have to put out with regard to your response.”
Companies have to understand the threats that could target their industry and business, and McDermitt urges executives not to go it alone. Instead, they should build relationships, in the traditional areas of government, industry and academia—and beyond, to employees, to partners. The old ruse of phishing is still effective, and McDermitt said phishing attacks—where innocent-looking emails to individuals within an organization try to steal credentials and access networks—increased by 60 percent in 2015. “All it takes is one individual to fall prey to that increasingly well targeted and well crafted message to get into your network,” he warned.
In such an environment, the Chief Information Security Officer is vitally important, and McDermitt said companies must consider the candidate’s background. These days, CISOs often come from intelligence, where they’ve dealt with national intelligence and analysis. “Ask them to provide you with assessments of how you’re doing with regard to risk in your supply chain and your third parties and your employees,” he said. “That is where we are able to address the risk and manage it in a more effective way.”
An innocuous consumer technology got the attention of Deron Means of the Denim Group. He told of taking a security walk-through at a company when he passed a woman recharging her fitness tracker via her office computer. The fitness tracker could hold 16 megabytes of storage, and Means’ tester was able to transfer files from the computer and store data on the device.
“The company changed their policy,” he said. “Just as employees had to lock their phones away in a secure location every day when they came to work, the same was now true of their fitness devices. You should do a security assessment on wearables and see if they can hold data.”
In another case, Means said the Denim Group did an assessment for a medical device company that creates log files in the device. “That’s not a big deal, but the log files were only supposed to be meant for troubleshooting,” he said. “We dug a bit deeper and we found the log files actually contained patient data.” He said that organization didn’t have a CISO or a director of security. If security had been involved in the beginning, the problem would have been caught early in the device’s development.
Means said mobile devices and their apps go hand in hand with wearables as potential security problems. Many wearables have integrated cloud apps or an associated mobile app, or a combination of the two. A survey by IBM and the Ponemon Institute found 50 percent of companies have no budget for securing mobile applications, and 40 percent don’t scan the code in their mobile apps for vulnerabilities.
“I’ve found some companies that do scan their mobile applications,” he said, “but they are only scanning one platform like Android and not scanning iOS.”
Cloud storage can be a major problem area. Executives who are issued laptops by their companies sometimes make the mistake of storing company data in their private Dropbox accounts. “Soon,” he said, “everyone in the executive circle is using Dropbox to exchange data. They share M&A data, budgets, and other sensitive documents.” But if one of those executives should move to another company, he would still be able to access his old company’s data, because it was in a private Dropbox account.
Means said if a company doesn’t have the necessary skills to secure mobile apps, the job should be outsourced to a third party.
In San Antonio, Means said the large health care industry often uses old technology, such as Windows XP operating systems, which can be vulnerable to attack.
Finally, ICS—industrial control systems—can be a real target for terrorist attacks. For the last 10 years, Means said, hackers have been penetrating the control systems of utilities. The general public doesn’t hear about such attacks, because companies work to keep them quiet. He said hackers are trying to overwhelm ICS, which would result in a sudden catastrophic failure or a utility shutdown.
“What if CPS Energy was hacked and was out for two to four weeks?” he asked. “How would your business survive without electricity? Would your backup generator be able to keep your entire business operating?”
Such attacks can be fended off with SCADA systems (Supervisory Control and Data Acquisition), but those are not mainstream software systems. They’re generally used to control nuclear power plants, dams and water systems.
It’s up to organizations to set the “right tone at the top,” Means said, with a comprehensive security policy and standards, and quarterly penetration tests of the ICS. Companies should also check that employee termination procedures are appropriate and that access controls are effective. “That issue of access controls is critical,” he said.