ISACA Journal
Volume 1, 2014

Columns 

Information Security Matters: Extra, Extra, Read All About It 

Steven J. Ross, CISA, CISSP, MBCP 

Item:  An apparent cyberattack paralyzed the computers of three South Korean television channels and crippled the networks of two of the country’s largest banks.

Item:  Cyberspies have stolen the top-secret blueprints for the Australian Security Intelligence Organization’s new headquarters.

Item:  Twitter has experienced technical problems, probably as a result of a cyberattack by the so-called Syrian Electronic Army (SEA).

How do I know all this? I read it in the newspapers.1

Disclosed Cyberattacks

The issue here is not that cyberattacks occur. I have hacked that to death in previous columns.2 What I find interesting is that these crimes are now reported in the media with such frequency that individual cyberattacks are barely newsworthy any longer. In earlier times, my experience was that companies and government agencies preferred not to have any publicity about successful (or even unsuccessful) penetrations of their information systems. They feared exposure of their systems’ weaknesses, potential liability and simple embarrassment. So what has caused organizations to go public today?

The easiest answer is that the target of many attacks is a web site, the face an organization places before the world. When a web site is taken down, there is no way to hide the fact that it has occurred; the organization has no alternative but to be forthcoming. For example, when the web sites of several US banks were brought down in September 2012, many issued public apologies.3 In many cases, the media have pointed to national governments or terrorist groups as the sources of the attacks.4

If cyberattacks are cast as acts of undeclared war, it makes the victims seem a bit heroic, as frontline fighters in the war against…what exactly? More to the point, it deflects attention from the inability of these companies to anticipate, defend against and prevent the success of these attacks.

Undisclosed Attacks

I am particularly curious about what is not reported. Perhaps there is a positive reason, inasmuch as those that were successful in preventing attacks, if such exist, do not make the news. Notably, when the attackers get too close to the bone, organizations are less likely to talk about the events. For example, one victim of a particularly destructive wave of attacks “would not talk about the recent attack there, its origins or its consequences. [It] has openly acknowledged previous denial-of-service attacks. But the size and severity of the most recent one apparently led it to reconsider.”5

Web sites are important but not nearly as valuable as an organization’s databases, particularly those that contain customer information. Have these been targeted? I would think they probably have been. Have the attacks been successful? We have only negative evidence that they have not, since an occurrence of corporate amnesia probably would have been reported. Or perhaps there were successful attacks, but of a kind that did not force organizations to recover from replicated or backed-up data, leaving nothing visible to report.

I am aware of two instances of widely reported, partially successful cyberattacks, both of which were interpreted as being politically inspired. The destruction of data on 30,000 personal computers at Saudi Aramco was widely reported and was attributed to a foreign government.6 The same sort of attack occurred at RasGas, a Qatari producer of liquefied natural gas.7 In both cases, the companies denied serious impact on their core business activities. Are there many—or any—other, similarly successful attacks that have not been publicly reported?

Reported and Unreported Risk

It is by no means evident that organizations are completely open about cyberevents that they have experienced or might experience in the future. A recent report from Willis, a global insurance organization, indirectly underscores this point.8 Willis surveyed the regulatory filings of the Fortune 1000 for disclosures regarding their cyberexposures.9 It found that only 21 percent of the top 500 companies and 15 percent of the second tier cited exposure to cyberterrorism. Meanwhile, 12 percent of the larger companies and 22 percent of companies ranked between 501 and 1,000 did not mention cyberrisk at all. Willis surmised that the difference between the larger and relatively smaller companies might be that smaller companies feel that they are less likely targets of attacks or that they need more time to identify their cyberexposures.10

It is fair to assume that had the companies in the Fortune 1000 experienced actual attacks, they would be sensitive to their exposure, but would they report the fact to the US Securities and Exchange Commission? The public is left to ponder whether these companies have, in fact, not been attacked or whether they have been attacked but have failed to report the incidents. In either case, the fact that 17 percent of the largest US companies do not see cyberthreats affecting them is troublesome in itself.

Sadly, cyberthreats are a part of business life in the 21st century. Yet Willis states that only a small percentage of companies in the Fortune 1000 have purchased stand-alone cybercoverage, indicating a lack of perceived risk (or doubts about the quality and cost of the coverage available). The absence of any statements on the claims history against those policies is itself revealing. I have always felt that companies that have insurance against cyberattacks might not tell the media when such an event occurs, but that they would tell their insurers. To borrow from American humorist Will Rogers, if all I know is what I read in the papers, then what is not there may be more important than what is.

Endnotes

1 To be honest, I read it on the newspapers’ web sites. Specifically: Lewis, Leo; “Cyber-attack Cripples South Korean Banks and TV Stations,” The Times, UK, 21 March 2013, www.thetimes.co.uk/tto/news/world/asia/article3718137.ece. Dupont, Alan; “Cyber Attacks Much More Widespread,” The Australian, 29 May 2013, www.theaustralian.com.au/national-affairs/opinion/cyber-attacks-much-more-widespread/story-e6frgd0x-1226652546742. Le Figaro, “Twitter victime d’une cyber-attaque” (“Twitter Victim of a Cyberattack”), 28 August 2013, www.lefigaro.fr/flash-eco/2013/08/28/97002-20130828FILWWW00192-twitter-victime-d-une-cyber-attaque.php. While my usual source for news is The New York Times, in this case, I deliberately looked at respected journals from around the world to show that reporting on cyberattacks is a global phenomenon.
2 Outrageous pun. My apologies.
3 NPR, “PNC Bank’s Website Is Victim of Cyber Attack,” 28 September 2012, www.npr.org/2012/09/28/161934801/business-news. Wells Fargo, “We apologize to customers who may be experiencing limited access…,” Twitter.com, 25 September 2012, https://twitter.com/WellsFargo/status/250687157604347904
4 For a few examples, see: Perlroth, Nicole; “Hackers May Have Had Help With Attacks on U.S. Banks, Researchers Say,” The New York Times, 27 September 2012, http://bits.blogs.nytimes.com/2012/09/27/hackers-may-have-had-help-with-attacks-on-u-s-banks-researchers-say/?_r=0, which attributes the attacks to Izz ad-Din al-Qassam. Perlroth, Nicole; Quentin Hardy; “Bank Hacking Was the Work of Iranians, Officials Say,” The New York Times, 8 January 2013, www.nytimes.com/2013/01/09/technology/online-banking-attacks-were-work-of-iran-us-officials-say.html
5 Perlroth, Nicole; David Sanger; “Cyberattacks Seem Meant to Destroy, Not Just Disrupt,” The New York Times, 28 March 2013, www.nytimes.com/2013/03/29/technology/corporate-cyberattackers-possibly-state-backed-now-seek-to-destroy-data.html
6 Mahdi, Wael; “Saudi Arabia Says Aramco Cyberattack Came From Foreign States,” Bloomberg, 9 December 2012, www.bloomberg.com/news/2012-12-09/saudi-arabia-says-aramco-cyberattack-came-from-foreign-states.html
7 Osgood, Patrick; “Cyber Attack Takes Qatar’s RasGas Offline,” ArabianBusiness.com, 30 August 2012, www.arabianbusiness.com/cyber-attack-takes-qatar-s-rasgas-offline-471345.html
8 Willis, “Willis Fortune 1000 Cyber Disclosure Report,” August 2013
9 While this study looked at the submissions of US-based companies only, there is little reason to believe that the results would have been different if it were based on companies in other countries. Moreover, many of the Fortune 1000 are multinationals, thereby incorporating much of the rest of the world.
10 Ibid., p. 2

Steven J. Ross, CISA, CISSP, MBCP, is executive principal of Risk Masters Inc. 2014 marks the 15th anniversary of Ross’ popular Journal column. Ross can be reached at stross@riskmastersinc.com.


Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and from opinions endorsed by authors’ employers or the editors of the Journal. The ISACA Journal does not attest to the originality of authors’ content.