The partial US government shutdown is the longest in modern history and continues to drag on as both political parties remain entrenched, refusing to budge from their respective positions. The inability to reach an agreement, or at least to open the government, may have lasting impacts on the effectiveness of cybersecurity in the federal government.
The near-term effects of the shutdown are more apparent than some of the downstream impacts. We regularly see or hear about the furloughed staff not receiving a paycheck, the growing list of .gov websites with expired Transport Layer Security (TLS) certificates, the unavailable National Institute of Standards and Technology (NIST) content, or bare bones staff left to perform system monitoring. Conversely, it is much harder to quantify the adverse long-term impact of the prolonged government shutdown. Let’s take a closer look at some affected elements, though the extent of the consequences will only be known at a later date.
NIST resources being affected by the shutdown hurts both the public and private sectors. Its guidance is heavily relied upon for compliance and security, regardless of industry. NIST is expected to release updates to major Special Publications in 2019 such as 800-53: Rev 5, 800-53A: Rev 5, 800-160: Rev 2, and 800-171: Rev 2. Updates to FIPS 199 and FIPS 200 are also on the horizon. The shutdown may cause delays to the completion of these efforts and thus push back adoption by the government and private industry.
The government already faces an incredible cybersecurity skills and resources gap. The shutdown is surely going to exacerbate this problem by making it more difficult to attract talented new employees and fill critical needs. University graduates are going to think twice before taking a job with the government compared to the private sector. It may get to the point where existing government employees possessing in-demand skills may start seeking new employment opportunities.
DHS’s new Cybersecurity and Infrastructure Security Agency suffers from a large percentage of its staff currently furloughed. The new agency “leads the national effort to defend critical infrastructure against the threats of today, while working with partners across all levels of government and in the private sector to secure against the evolving risks of tomorrow.” But with such a significant portion of its staff not working, the agency’s ability to meet its goals and objectives will be affected.
Some government projects that are not currently on hold may soon be reaching the point where they run out of funding and have to be stopped. This not only results in more furloughs, but will also cause delays to implementation schedules. An increase in contractor furloughs may cause them to seek new employment opportunities, leaving the government project short-staffed when the shutdown ends. The lost time will have to be made up through scope reduction or sliding the schedule to the right. Unfortunately, the end result is likely to be increased spending by the government and a final product delivered later than originally planned.
We are all hopeful that the government shutdown will conclude in the near future and agencies can get back on track quickly. Regardless of when it ends, the extent of the lasting impact on cybersecurity is daunting.
Author’s note: Jason's views are his own and do not necessarily represent IBM's positions, strategies or opinions.
The cybersecurity profession is facing a shortage of qualified talent to fill an increasing demand for positions, as so many reports inform us. What I find self-fulfilling about our “talent dilemma” is the acknowledged rapid rate of technology change, yet the ongoing quest for specific technical experience and expertise. We seek plug-and-play people to match technology components, rather than individuals with foundational skills and an aptitude and desire to learn changing technology.
As processes and people internal and external to our organizations continually adapt to ongoing technology changes, our profession needs individuals with skills in systems thinking, problem-solving, innovation, and collaboration. Cybersecurity professionals also need strong business proficiency, including communications skills and the ability to manage risk in support of desired business outcomes and risk tolerance levels of our organizations. We need a workforce that reflects the diversity of customers we serve, going beyond external traits of gender and race, to a robust variety of experiences and ways of thinking.
Yet, when we look at job postings for information security positions, we see traditional male-dominant language, a long list of specific technical infrastructure and coding experience, and a preference for technical or information science degrees, particularly computer science. Do those elements yield the applicants with broad skills and perspectives we need, or is that the CV customary for our current homogenous information security workforce?
The most common trait across the cybersecurity industry is the absence of a common path to a cybersecurity career. According to the 2017 Global Information Security Workforce Study that surveyed 19,000 cybersecurity professionals worldwide, 87 percent of us started in a career path outside of cybersecurity. Of those, 30 percent came from non-IT, non-engineering backgrounds, including business, marketing, finance, accounting, military and defense.
I looked at the “non-traditional” education of strong performers on our past and present information security team at Harvard, and I found the following degrees: German, English, Philosophy, Fine Arts, Comparative Literature, and International Relations, among others. I also found some didn’t have college degrees at all. In addition to a desire for ongoing learning, we all have strong communication, analytic and risk management skills. Those are specifically the top three skills sought by hiring managers within information security, according to the 2017 Workforce Study. Another report, the ISACA/RSA Conference Survey for the State of Cybersecurity: Implications for 2015, identified the most common deficiency for cybersecurity professionals as the ability to understand the business, with 72.33 percent of respondents citing that gap. Sufficient technical skills came in second at a distant 46.32 percent, followed closely by communication skills at 42.16 percent.
How do we improve our recruiting – and retention – practices to attract and develop the enduring combination of skills we need for successful cybersecurity professionals? Follow these five steps as a start:
- Prioritize the top 10 skills – technical and cultural – for a role and limit the job description to those;
- Check for and correct gender bias in the wording of job postings, using a free or commercial tool;
- Use consistent interview questions and skills assessment processes for all applicants;
- Provide ongoing training in both technology and business leadership skills;
- Value differing backgrounds and perspectives within your workforce.
Editor’s note: Silk will be presenting on this topic in the session, “A New Rubric for IT Recruiting and Retention” at the 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA.
Many presentations by information security managers for stakeholders within their organizations include the depiction of a lifecycle in one form or another to underline that information security is not a one-off project, but a continuous activity. However, often these depictions focus on what you do (such as NIST Cybersecurity Framework: Identify – Protect – Detect – Respond – Recover) or how you do it (such as Deming cycle: Plan – Do – Check – Act).
As useful as these lifecycle models are, they often do not resonate as well as expected with the audience, because they do not give the reason why we do information security. Marketing professionals will tell you that you need to start with the why to get your message across. Only the why gives stakeholders purpose and motivates them to take action.
Below, I will present a strategic lifecycle for information security that focuses on the why. This cycle provides generic goals that can easily be adapted to the needs of any organization. It consists of the following five steps:
- Gain visibility. In order to facilitate informed risk treatment decisions based on the risk situation of the organization, it is necessary to have the most accurate and complete risk-related information possible. This is especially true when you are new to the role of an organization's information security manager. So, first you need to gain visibility into information assets (including shadow IT), threats, vulnerabilities, security incidents, and control effectiveness. This information serves as input for risk assessments, metrics and KPIs.
- Promote risk awareness. Once visibility has been gained, it is important to convey the information collected to the various target groups in the right form and with actionable insights. End users need to know the most common threats in their work environment and how to address them. Decision-makers such as senior management must receive prioritized and tailored risk information to build up commitment to information security and make the most appropriate business decisions.
- Optimize risk. Risk treatment decisions must strike the right balance between mitigating risk to an acceptable level at reasonable cost and enabling business opportunities. By providing the relevant information and raising the level of risk awareness in the previous steps, we have laid the foundation for achieving this goal. Risk optimization is the central goal of every information security program.
- Increase resilience. Risk treatment is very likely to result in new or enhanced security controls that will help make the organization more resilient to security incidents. The goal is to uphold the organization’s ability to deliver the intended outcome continuously despite adverse events such as cyberattacks. To achieve this, the organization must be able to identify changing risk conditions swiftly, respond appropriately and recover quickly from disruptions.
- Maintain compliance. In addition to increasing resilience in the face of evolving threats, the organization must monitor and uphold compliance with internal and external regulations. Most organizations today must also meet legal requirements for information security, such as those arising from data protection legislation.
At this point, the cycle starts again from the beginning. For example, new and enhanced security controls are likely to further increase visibility, thereby revealing new risk information, which in turn will shift the optimal balance between risk and reward. Needless to say, the individual steps do not follow a strict chronological order, but often overlap.
This strategic lifecycle – the why of your information security program – will hopefully serve as a valuable addition to your communication toolset.
Have you ever wondered just how many ways there are to hack the human mind and just how effective each technique is? I did; so I set about collating all of the techniques for human control and influence:
- Every social engineering scam I could find;
- The list of factors that influence the human decision-making process;
- The components that make any argument or point persuasive;
- How confidence tricks work;
- How cognitive biases—the shortcuts in how the human brain processes information—work, and how they can be manipulated;
- How far subconscious and subliminal suggestions can be used to control and influence the actions or beliefs each of us has.
I also wondered if the techniques we use in the field of cybersecurity to defend computer systems could be used to analyze and defend against the tactics designed to deceive the human mind. Was it possible to create a human hacking kill chain?
What raised my interest in this project was that I had started to notice that the techniques I learned many years ago when studying hypnotherapy – methods for planting suggestions in patients – were becoming increasingly noticeable in standard web pages.
According to the experts, 90 percent of what guides our decisions is based on something called implicit memory. This is composed of the subconscious and unconscious patterns driven by past experiences, our environment and other factors that we do not even realize we may be referencing when we make a decision. It seemed to me as though many business-savvy organizations had woken up to the power of PsyOps (psychological operations) and were now looking to use those skills to help sell as much product and advertising as possible.
The project took me much longer than I anticipated. What was supposed to be a three-month project turned into nine months of thought-provoking revelations.
Those irritating cookie permission boxes might look harmless enough, but as I collated and analyzed the tactics in use, I came to realize that most of the permission boxes were using 10 or more separate techniques just to persuade us that it was easier to click “Accept all” rather than take any other course of action:
- Attentional bias to make the “Accept” option most noticeable
- Coercion to block the page content until we agreed to the terms
- Misdirection to hide the options for changing the permission settings so they were not easy to find
- Fuzzing to make the time involved in pursuing the navigation of settings and options unappealing
Fuzzing as a human hacking technique was an interesting discovery. Fuzzing used to be a technique for pushing excessive and unexpected data into computer systems to check for vulnerabilities. However, because of the way the human mind operates, it is now also a social engineering technique in regular use to overwhelm the human mind with the impression that the level of expected effort to pursue what should be a reasonable and preferable option within easy reach will instead take a huge and unsatisfying amount of time to achieve. After all, there is rarely any option on the cookie permission boxes to “Proceed with minimum cookies” or “Reject all” – and continue to read the page.
The more I collated and understood about the techniques, the more I noticed how many of them had fallen into mainstream usage. They had become standard tactics for most large and successful organizations.
Subliminal imagery, the subtle use of particular language to slip suggestions straight into the reader’s subconscious, selective social proof, reverse psychology, the illusion of choice and even outright bullying … I thought I had some idea of how these tactics were in use to hack the human mind, especially through the technologies we use. But it turned out that even I had vastly underestimated the degree to which PsyOps have become the backbone of trillions of dollars of income.
Due to the amount of psychology I had to explore – and on the recommendation of my copy editor – I also had to enlist the help of a psychologist to ensure my exploration of how the human mind could be exploited (and defended) would not be too egregious to those that worked in that field.
So where did I end up with all that research? Was I able to identify indicators of human compromise and a human hacking kill chain? In short, yes.
It turns out that hacking humans, just like hacking computers, is indeed a process, or to be more precise, many different process options – all of which share some common components.
What each human hacking technique has in common is that they each need to get access to their human targets. But what was a real eye-opener was that just like the techniques of the advanced persistent threat, the most effective human hacking seeks to embed its techniques into our everyday lives and to go unnoticed for as long as possible.
I no longer look at content delivered through technology in the same way. I sit and pull apart the vast array of techniques packed into web pages and even emails, and I reduced the number of organizations I subscribe to and have increased my efforts to protect my identity.
This book has changed my life. It forced me to analyze and improve what I knew about making effective, persuasive arguments, and to recognize how the things that we do not think make a difference to the way we make life choices (but do) are exactly the items that are used to hack the human mind.
Editor’s note: Raef Meeuwisse’s new book, How to Hack a Human: Cybersecurity for the Mind, will be released on 9 January, 2019.
For the modern business, there are few topics more important than data security. Without a proper appreciation for data security and all that it entails, you’ll find your business falling behind. But getting all of your employees and company stakeholders on board can prove to be a major challenge.
The importance of buy-in
Let’s say you have a big 10-gallon bucket sitting in your garage. It’s a thick, sturdy bucket that’s brand new – never been used before. And while the bucket looks like it’s in great shape, there’s a tiny hole at the very bottom. It isn’t any bigger than a pinhead, but it’s there. Guess what happens when you pour water in? Though it might take a few minutes, the water is eventually going to completely drain out of the bucket. Despite the difference in size, 10 gallons of water is no match for a tiny hole.
The same could be said of your company’s approach to data security. No matter how strong your strategy is or how many various safeguards you have in place, all it takes is one uncooperative employee or uninformed stakeholder to compromise the entire thing.
Your data security strategy is only as good as your organization’s weakest link. When you look at it through this context, the importance of stakeholder buy-in becomes clear.
How to encourage total buy-in
As with anything else, getting people to take data security seriously requires a purposeful and concerted effort. Here are some things to consider:
1. Employees are often to blame.
According to the Online Trust Alliance (OTA), roughly 91 percent of data breaches can be prevented. And though there are four major ways in which data breaches occur, employees are often to blame. They account for 30 percent of breaches (whether accidental or malicious).
“By educating on the dangers of phishing, companies can prevent these embarrassing situations from happening,” Point Park University explains. “The OTA reports that insiders can be a threat when they are feeling unhappy, moving to another company or having financial problems. Companies must realize that insider threats to data protection are a reality.”
2. Education is key.
While there are instances in which employees knowingly put the business in harm’s way, most of the time their actions are the result of a lack of education on the topic of data security. The more you commit to educating your employees, the fewer costly mistakes there will be.
You can send out emails until you’re blue in the face, but the only way to ensure employees take your instructions seriously is to hold informative presentations and meetings where you’re able to talk with everyone in a face-to-face manner.
In addition to delivering a compelling message, it’s smart to give employees something to reference. Printed booklets or brochures that explain various policies and recap different rules can serve as a nice complementary resource.
3. Give decision-makers the numbers.
With employees, you’re telling them how to act so that they can be in compliance with your data security protocol. With stakeholders that are higher up in the organization – including decision-makers and gatekeepers – you may actually have to convince them to buy into what you’re doing. And the best way to do this is by giving them the cold, hard numbers.
According to this year’s Cost of Data Breach Study conducted by Ponemon Institute, the global average cost of a data breach is up 6.4 percent from 2017 to $3.86 million. The average cost for each lost/stolen record containing confidential or sensitive information is up 4.8 percent year-over-year to $148.
Honestly, the numbers do the talking. When you use data points like these as your basis, it’s hard for stakeholders not to buy in. For even better results, tell a story around these statistics. In doing so, you appeal to both the analytical and subjective modes of decision-making.
Adding it all up
The time for taking data security lightly and tinkering with different techniques is over. There are 230,000 new pieces of malware produced every single day, while hacks occur every 39 seconds in the United States alone. You need total buy-in from all key stakeholders. If you aren’t confident that you have this, dig your heels in and make a plan.
Transport Layer Security (TLS) is a cryptographic protocol for protecting privacy and data integrity of information (logins, passwords, credit card numbers, personal correspondence etc.,) between two communicating applications. It encrypts data traveling between internet hosts, including mail servers, VPN, SIP for voice, video and messaging applications. Its current version is 1.3, following the previous version, 1.2. With TLS, browsing habits, emails and online chats can be monitored.
TLS is normally implemented on top of Transmission Control Protocol (TCP) in order to encrypt Application Layer protocols such as HTTP, FTP, SMTP and IMAP. It can also be implemented on UDP, DCCP, and SCTP protocols (such as SIP-based application use and VPN). TLS also can be used in conjunction with other standard protocols such as FTPS, DNS over TLS, etc., for securing connections. To ensure authentication in communication, TLS can be used along with X.509 Public Key Infrastructure (PKI), which is issued by a trusted third party called Certificate Authority (CA) that asserts authenticity of the public key and DNSSEC.
Working of TLS
TLS uses symmetric and asymmetric cryptography for communication. A secret key known to the sender and receiver is used for encryption and decryption in symmetric cryptography; 128/256 bit encryption is generally used in the industry. Private and public keys are used for asymmetric cryptography. Public keys are used to encrypt the data from the sender, which is decrypted with a private key of the receiver. This is advantageous over symmetric encryption, in that sharing of encryption keys need not be secure. In asymmetric encryption, the session key is generated and exchanged securely, which is used for encryption and decryption of data, after which the session key is discarded. Minimum key length should be at least 1024 bits. Due to its computation of large key length, asymmetric encryption is slow for many purposes.
TLS protocol has two layers: TLS record protocol and TLS handshake protocol. TLS record protocol provides security in connections. It has two properties, including private connection, which can use symmetric encryption. It can work without encryption, as well. The second property is connection reliability. Various higher protocols are encapsulated using TLS record protocol.
In TLS handshake protocol, before the first byte of data is transmitted/received by the application protocol, authentication of the client server and negotiation of encryption algorithm and cryptographic keys are done. It has three properties; first, the peer identity is authenticated by asymmetric, public or cryptographic keys. Second, the shared secret is made secure. Third, integrity of the negotiated communicate is assured. Connections can be terminated due to handshake failure or protocol error. TLS handshaking and interpretation of authentication certificate are done by designers/implementers who should ensure authentication on at least the server side, and confidentially and integrity of the communication channel.
Three basic key exchange modes are available in TLS 1.3:
- Diffie-Hellman (DHE) over Elliptic curve (EC) or Finite Fields
- PSK with (EC) DHE
Some of the advantages of TLS 1.3 are the simplified handshake for secure connection, and fast resumption of sessions with servers, which decreases setup latency and the number of failed connections. It does not support outdated/insecure encryption algorithms.
All US government servers should support TLS 1.3 by 1 January 2024.
Comparison of TLS 1.2 and TLS 1.3
Legacy algorithms are used
Only Authenticated Encryption with Associated Data (AEAD) algorithms are used
All handshake messages are not encrypted
All handshake messages after the ServerHello are now encrypted
Existence of superfluous message
Consistent handshake and superfluous messages are removed
Two round trip times for completing the handshake
One round trip time for completing the handshake
Higher encryption latency
Latency encryption is halved
Handshake time 300 ms
Handshake time 200 ms
No zero round trip
Has zero round trip (remembers previously visited sites so that it can send data on first message to server)
More load time
Less load time
Has obsolete and insecure features
Obsolete and insecure features are eliminated
All public exchange mechanism does not provide forward secrecy
Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms provide forward secrecy.
Now that we are nearing the end of the year, I thought I would revisit my own write-up on 2018 cybersecurity predictions and see how I can best update them for 2019. The acceleration of rapid digitization and the inter-networked world led to a huge data explosion, which, combined with the relentless growth of transformative technologies, underscores the importance of cybersecurity much more than even last year.
Therefore for 2019, my top five predictions for major cybersecurity trends remain largely the same as for 2018, but only with more emphasis and, interestingly, with more corroborating evidence.
- Huge demand for security professionals with evolving and grounded expertise
- Stringent global regulations
- Rise of crypto-mining, Banking Trojans, DDoS attacks and cyber-warfare
- Explosion of threats, vulnerabilities and IoT
- Privacy, ethics of big data, and back to basics
Huge demand for security professionals with evolving and grounded expertise
Industries require skilled cybersecurity professionals who are not only able to meet the current challenges, but also can evolve continuously with the changing technology landscape and with the associated threats and vulnerabilities. This point is emphasized by the Future of the Jobs Report 2018, published by World Economic Forum. Some of the top skills needed in the context of the current threat scenario are as follows:
- Data analysis, data governance and enterprise IT governance
- Data analytics, data science and big data management
- Cognitive computing and artificial intelligence
- Strong knowledge to address ransomware and evolving IoT connectivity issues and mobile access
- Increased use of DevOps will necessitate application security and knowledge of defensive software engineering, application security self-testing, run time application, self-protection (RASP)
- Blockchain technology and cloud security, including Cloud Access Security Brokers (CASB)
- Strong knowledge on regulatory guidelines
Stringent global regulations
The General Data Protection Regulation (GDPR) was fully enforced throughout the European Union in May. Organizations in breach of GDPR can be fined up to 4% of annual global turnover or €20 million (whichever is greater). Given the serious implications, GDPR has become a top priority for boards of directors around the globe. The US released its first fully articulated cyber strategy in September, which gives lots of importance to tighter control and monitoring of third-party vendors, IT governance, strategic alignment to security spending, and calls for international cooperation in tracking and nabbing cyber criminals operating across the globe.
Rise of crypto-mining, Banking Trojans, DDoS attacks and cyber-warfare
Bitcoins are generated through crypto-mining, which is a computationally-intensive task that utilizes lots of energy and processing power for verifying transactions, for which the miners are rewarded by adding coins to their digital wallet. When this process is executed illegally, by using computers belonging to other users without their intent and knowledge, this is known as crypto-jacking, and the hackers get bitcoins directly added to their wallet. This malware directly prints money for criminals, which is much better than ransomware, which is now reportedly on the decline due to best practices being followed and users’ refusal to pay ransom.
Now there is a surge in Banking Trojans, which allows access to financial accounts primarily through stealing login credentials by tricking victims to open a malicious mail attachment or making them visit a compromised website. Such type of malware is behind ATMs and SWIFT fraud worldwide.
DDoS continues to pose a serious threat to organizations worldwide, as the capacities employed by cyber-criminals keep growing year after year with no decline in number of attacks. The threat of DDoS will get accentuated with the increased usage of Internet of Things (IoT)-connected devices in the enterprise, which, when left unsecured, can become pathways as well as slave nodes, and add to the DDoS traffic stream.
As a consequence, cyber-crimes will flourish, which could be used by powerful nations to initiate and develop highly refined attacks against targets of national value belonging to other countries. This has been well articulated, with remedial measures pronounced in the US Cyber Strategy released in September.
Explosion of threats, vulnerabilities and IoT
Due to exponential growth of innovative technologies, lots of new vulnerabilities will be introduced. However, the highest risks will still come from well-known and well-understood vulnerabilities. SANS estimates that over 80 percent of cybersecurity incidents exploit known vulnerabilities, and the annual Verizon Data Breach Investigations Report shows similar numbers. Gartner comes in much higher, estimating that “through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.”
As if this is not sufficient, in the space of IoT, Cisco estimates that 40 billion devices will be connected to the internet by 2020 as cars, fridges, medical devices and gadgets not yet imagined or invented will link in, which will lead to the tremendous growth of threats and vulnerabilities.
Privacy, ethics of big data, and back to basics
With the acceleration of big data, organizations now come across new types and formats of data, many of which are not structured like that of traditional data. Different types of sensors generate data in various formats and in huge volume. Hopefully, GDPR will serve as a guide post for exercising compliance while leveraging big data.
Most of the time, cybersecurity issues are due to internal processes and people. In 2019, organizations the world over will be spending more on security awareness and training their employees so that preventive measures are exercised and incidents are properly addressed when required. Patching of servers and updating software versions will remain important as basic security hygiene.
Author’s note: The views expressed in this article are the author’s and do not represent those of his organization or of the professional bodies to which he is associated.
One of the world’s largest hotel chains, Marriott International, recently reported that its Starwood Guest Reservation database was breached – meaning names, mailing addresses, phone numbers, email addresses, passport details and a variety of other personally identifiable information (PII) were leaked, all the way through to member credit card details.
We always say it is not a matter of “if you will be breached,” but a matter of “when.” As always, it is better to have the mindset of “assume breach” when managing cybersecurity for an organization. Some in the media have already jumped to many conclusions for this incident, and are questioning why it took so long to detect this breach, and have commented that Marriott should have done a better job with privacy by design, security awareness training, etc. However, cyberattacks often are a result of a variety of bad practices cascading on top of each other to exacerbate the situation, and with good enough skill, the attacker can often remain dormant within the network without being detected. My comments here will not go into the various areas of the cyber kill chain, but will look at this situation from a different angle, highlighting the importance of looking at the possible root cause of breach, where it may have all started with “inherited risk.”
Details of the exact events which led to the breach may never be made public, but a lot of the speculation has centered on whether this was a state-sponsored attack, or if a hacker got in to steal all the credit card details to sell on the dark web, etc. Given the reports that access to the data may have started as far back as 2014, we should go back to the basics and see what key significant business changes occurred between 2014 and today, which may have set the foundation for the breach to occur.
In September 2016, Marriott announced that it would acquire Starwood Hotels & Resorts Worldwide for US $13 billion, and that the Starwood loyalty program would be a “central, strategic rationale for the transaction,” according to Marriott CEO Arne Sorenson. Since the announcement came in 2016, it would not be out of the question to assume that the planning, testing and integration of the membership database and systems would have started several years before the announcement – placing this at or around the 2014 date when it has been stated the breach began. The first thought to come to mind would be to assess whether or not a detailed cybersecurity and privacy risk assessment was done prior to Marriott’s acquisition of Starwood. “Eighty percent of global dealmakers said they’ve uncovered data security issues in at least one-fourth of their M&A targets,” as highlighted in a PwC report, and if a detailed assessment was not done, they cannot ignore that they may have inherited the security risk from Starwood and/or the integration of Starwood’s membership database. Further to this point, if a detailed cybersecurity assessment was done, were the issues identified remediated and corrected before the M&A took place?
In addition, integration of legacy systems can open up new attack surfaces which were not present in the original parent company and acquired company when they were operating separately – thus the importance of doing a pre and post risk assessment, which should include (but not be limited to) penetration tests and access control audits, to avoid the chances of excessive privileges and creeping privileges as a result of the take-over. These basic cybersecurity due diligence controls often are ignored, in the rush of meeting M&A deadlines, and more needs to be done to include cybersecurity audits and remediation processes.
Breaches are becoming more and more common in news headlines, with the recent Cathay Pacific breach reportedly resulting in the data of 9.4 million passengers being exposed. Cathay is still under investigation and may indeed face GDPR fines in the near future. However, Marriott could be the first post-GDPR case where the fines are going to be significant, due to the sheer number of people affected, and the type of sensitive PII data that was leaked.
“We are working with partners to better understand the data breach affecting Marriott International and how it has affected customers,” the National Cyber Security Centre spokesperson said. “The NCSC website includes advice for people who think they have been affected by the data breach, including guidance on suspicious phone calls and targeted emails that can be sent after a data breach.”
Additional resources and guidance
- National Cyber Security Centre advice for Marriott customers is available here.
- Marriott has published information related to the breach here.
- If a member of the public thinks he or she has been a victim of cyber crime or cyber-enabled fraud, use Action Fraud’s online fraud reporting tool any time of the day or night, or call 0300 123 2040.
- Victims of cybercrime should be vigilant against suspicious phone calls or targeted emails. If you have been told that your personal details, such as your password, may have been accessed, you should ensure those details are not used on any other accounts.
Author’s note: Jason Lau is CISO at Crypto.com, and holds CISSP, CIPP/E, CIPM, CGEIT, CRISC, CISA, CISM, CEH, CDNA, CSM, ITIL and an IAPP Fellow of Information Privacy (FIP).
Many of you may be wondering how can a major, multi-billion dollar organization not have sufficient cybersecurity in place to detect the theft of hundreds of millions of customer details?
The problem with cyberattacks is that they are intentionally designed to go unnoticed for as long as possible. Cybersecurity professionals refer to this as the dwell time, the interval between when an intruder first gains unauthorized access and when they are detected and expunged. The longer an attack can remain undetected, the greater the value the attacker can strip from the target.
There are many statistics about just how long it takes to detect an intrusion, but the hard truth is that these statistics are skewed by the fact that many intrusions never get uncovered. From the intrusions that are discovered, it is clear that such incursions (known as advanced persistent threats) regularly take months to discover and, in numerous cases, such as the Yahoo breach, the dwell time can be measured in years.
In the case of the newly reported Marriott Starwood breach, Marriott appears to have effectively “purchased” the breach. Just like contact with an infected person can spread a disease, integrating a compromised system effectively delivers new opportunities for an attacker to widen the intrusion. When Marriott acquired Starwood and integrated its database, the unwelcome passenger was not initially detected.
The real question is this: could the intrusion have been detected earlier?
Although the specific mechanics of this breach have not yet been revealed, it is possible to look back at similar megabreaches. What they reveal is that stealing hundreds of millions of customer details is not a minor data leak. There will have been signs (or as cybersecurity professionals like to call them; “indicators of compromise”). There would also have been defensive processes and technologies that could have been in place.
Many companies are still underestimating the budget and resources they need to operate cybersecurity effectively. In my opinion, such organizations also underestimate the brand and share value damage that cyberattacks can create, especially when they are not dealt with swiftly and transparently.
When Yahoo discovered and disclosed a megabreach before the company was sold, the impact was hundreds of millions of dollars in reduction in the asking price. If I were a Marriott shareholder, I might be wondering just how much of a discount could have been achieved if the pre-purchase due diligence checks on Starwood had found the breach before the acquisition was made … and then I might be wondering just how much this breach will end up costing, and whether the current management had been strategically directing sufficient resources toward cybersecurity.
Simply having a cybersecurity function is not enough. It is important that each organization is investing in keeping its security personnel, technologies and process up to date. From my own perspective, the complaint I hear most often from fellow ISACA members is that their organizations spread security resources too thinly and fail to recognize just how important it is to adequately invest in staff training and new security technologies to keep pace with evolving threats.
It was a dreary Thursday morning. Harriett, an up-and-coming banker, gets on her train at her usual spot and gets ready for the ride into London. She’s a mother of two with a good job in finance and a strong marriage. There is nothing unusual about this morning. All the riders are sleepy. They look at their phones or just stare at the floor of the train.
Quietly, a rider approaches the woman. He speaks softly and casually into her ear. Then he shows her his phone. On it, a video plays. It frightens Harriett and shocks her into silence.
The man passes Harriett a flash drive, saying calmly, “If you put this into the system by 11 a.m. this morning … I delete this video.” He pauses and slips the phone back into his pocket. “If you don’t … your husband will see this video before you arrive home tonight.”
With that, the man disappears into the throng of drowsy commuters.
Harriett pauses, watches the man disappear and tries to catch her breath. She remembered that late night three months before … too many drinks … an indiscretion. It would never happen again. But somehow … somehow these people had a video of her greatest mistake.
All Harriet had to do was put this tiny thumb drive into her trading system at work. It was just a little bit of code. The market would shutter, crash and then recover, but there were some people who would make a lot of money.
Harriet rebalanced herself in the early morning train. She felt like she was standing at the edge of nothingness. There was nothing she could do. If she did nothing, her life would fall apart. If she did as they asked, this would all go away.
A combined effort
This futuristic science fiction story is rooted in science fact. A constellation of technological advances like artificial intelligence (AI), the Internet of Things (IoT), smart cities, 5G connectivity and advanced data science mean that Harriett’s nightmare is not too far from being reality.
An inter-disciplinary group of organizations are working together to not only envision these possible threats to personal and economic security, but are actively working to make sure that organizations have the tools to make sure that these dark futures don’t happen.
At Arizona State University in Tempe, Arizona, USA, there is a Threatcasting Lab that draws together people from government, military, corporations, non-profits, foundations, and academia, as well as average citizens, to envision possible future threats. But beyond this, they also explore how to disrupt, mitigate and recover from these threats.
Threatcasting is a process by which a wide range of people and organizations gather to imagine possible threats and then work to figure out what they can do to make sure that these dark futures don’t happen.
The story of Harriett was created during a 2017 Threatcasting workshop at ASU, looking at the future of weaponized artificial intelligence. The goal of this interdisciplinary gathering was to identify possible new and novel threats to our national and economic security, and chart out what we could do about it.
ASU’s Threatcasting Lab is a think tank with a simple vision—to envision futures to empower action. The lab’s charter is to bring together the wide range of security practitioners, such as the U.S. Army, whose job is to make sure that we are more secure. The Army Cyber Institute, located at West Point, NY, is a cybersecurity organization that works in collaboration on threatcasting projects with ASU.
Threatcasting enables the Army community to envision potential cyber threats to our forces on the future battlefield. As technology continues to expand exponentially, touching nearly every facet of human existence, its benefits to society are immeasurable. However, the benefits of technology come with significant threats to not only America’s national security but also the economic and personal security of the nation’s citizens. The Army Cyber Institute (ACI) is committed to collaborating with our partners in academia, government, and industry to expand the body of knowledge about future cyber threats. These threats have the potential to affect all sectors of our nation’s vital information infrastructure. Once future threats have been identified, it is the ACI’s goal to influence the actions and behaviors of the Army cyber community that allow our Army to successfully disrupt, mitigate, or recover from future threats.
When threatcasting was invented over 10 years ago, the goal was to not only envision possible futures, but also to give people pragmatic steps that they can take to make themselves and their organizations safer and secure.
The output of the ASU Threatcasting Lab is meant to empower organizations, both public and private, to plan and prepare for these future threats. The 2017 Threatcasting Lab produced a report, “The New Dogs of War: The Future of Weaponized Artificial Intelligence.”
From these findings, ISACA, one of the founding members of the ASU Threatcasting Lab committee, has developed live fire labs to train the next generation of cybersecurity professionals to prepare for this coming threat future.
Working for a more secure future
The future isn’t set. As citizens, community members, and business leaders, we cannot sit back and be passive participants in the future. We cannot let these threat futures happen to us. We need to be active participants in the future and provide security practitioners with the tools and training to prepare themselves for the digital and cyber threats that are coming.
The work of ASU, ACI and ISACA are empowering organizations and people to prepare for these futures today so that we can have a safer and secure tomorrow.