CyberWire Daily - Case studies in risk and regulation. [CyberWire-X]
Episode Date: January 30, 2019
In the final episode of our four-part series, called "Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace," we examine some of the game-changing high-profile breaches like Yahoo, Equifax and OPM, along with their impacts and lessons learned. Our guest is Dr. Christopher Pierson, CEO and founder of BlackCloak. Later in the program we'll hear from Jason Hart, CTO for enterprise and cybersecurity at Gemalto. They're the sponsors of this show.
Transcript
You're listening to the Cyber Wire Network, powered by N2K. affecting organizations around the world. This is the final installment of a four-part series called Ground Truth or Consequences?
The Challenges and Opportunities of Regulation in Cyberspace.
Today, we look at case studies in risk and regulation.
We'll examine some of the game-changing high-profile breaches like Yahoo, Equifax, and OPM,
along with their impacts and lessons learned.
A program note: each CyberWire X special features two segments.
In the first part of the show, we'll hear from industry experts on the topic at hand.
And in the second part, we'll hear from our show sponsor for their point of view.
And speaking of show sponsors, a word from our sponsor, Gemalto.
Our sponsor, Gemalto.
Your enterprise is rich with sensitive data at rest and in motion throughout the network.
But what happens if that sensitive data isn't secure or if it's improperly accessed?
We're guessing that regardless of what defenses you have currently implemented,
the thought of your data being stolen or manipulated keeps you up at night. Gemalto tackles the two main causes of cyber attacks, identity theft and data breaches.
They do this by providing next-generation digital security built from two technologies,
secure digital identification and data encryption. Gemalto already operates these solutions for many well-known businesses and governments,
protecting trillions of data exchanges.
And as independent security experts,
they guarantee digital privacy and compliance
with data protection regulations.
Gemalto puts you back in control of your own data.
Visit Gemalto today to learn more about
their access management and data protection
solutions. You can also check out the most recent findings from the Breach Level Index,
which tracks the volume and sources of stolen data records.
Go to gemalto.com slash cyberwire to subscribe and learn more.
That's gemalto.com slash cyberwire. And we thank Gemalto for sponsoring our show.
I can remember back being outside counsel at a large corporate law firm and handling the first breach.
It was like July 8th of 2003.
That's Dr. Christopher Pierson.
He's CEO and founder of BlackCloak.
But I think really the big breaches that were out there were maybe card systems,
which was a payment card system back in Arizona. That was one of the first big ones.
But the one that really lingers in everyone's mind is definitely TJX, TJ Maxx, that brand of companies. Whereas in 2006
to 2007, they had some 46, it started out smaller, but up to 90 million cards and other unique pieces
of information that were stolen. So for TJX, a lot of that included driver's license numbers that
were written on checks and some other information there, as well as the credit and debit card information. But I mean, I think really,
you know, TJX is what propelled things onto the front page.
And what was the response in the industry to have something like this happen at that scale?
A lot of the interesting things actually came out of the banks on that one. So there were a large
number of banks that had credit cards and debit cards that were associated with that breach. They were the back, not necessarily the back end,
but they were the providers of the cards that were actually used. And because TJX was nationwide,
and because it impacted all the consumers, all the banks were basically saying, well,
why are we paying for this? Why do we have to reissue the card? It costs $20 to $30 to reissue a credit card at that point in time. So why do we have to do this? We are otherwise impacted.
We need some remuneration. We need something to happen as a part of this breach. And it was then
that you started hearing a little bit about chip and pin, EMV, and that discussion take root.
It later on resurfaced with Target some six, seven years later in
2013. But I think that with TJX, it was one of the ones that hit almost all consumers in some
form or fashion. It was large enough scale. You had banks getting on the national headlines saying,
you know, why should we be saddled with the fraud that's resulting from this? Because it was
active fraud, especially on the card side.
But on the flip side, as a part of the settlement, what's interesting is that part of the case settlement, what consumers actually got that were otherwise aggrieved, I mean, yes, some credit
monitoring and all the rest, if you hit the right trigger categories for information stolen,
but they also got some $50, I forget what the exact amount was, $50 worth of TJX gift cards to go back and shop again at the store.
So it was a masterful settlement by outside counsel there in terms of funneling the people that were aggrieved right back into the stream of commerce back into the store.
Now, how did a breach like that affect people's approach to calculating their risk?
Did it cause a recalibration? You mentioned
how the banks were kind of pointing the finger at the retailer and saying, wait, this isn't our
fault. Yeah. In terms of risk, I think this was the one case that when it started out, this was
the one case that everyone, whether you were in, I was the chief privacy officer of Royal Bank of
Scotland at that point in time.
But it was one of those that was being used not just in the financial space, but in the healthcare space and aerospace and defense and all these different sectors.
Everyone was pointing to the TJX incident, TJX breach, and saying that could happen here within our own company in some form or fashion, and we need to be prepared. We need to start making sure we have the right controls.
We need to be making sure that from a risk alignment perspective,
we are actually upping and categorizing the cybersecurity risk
as something that is more definite on our risk inventory.
And then, I mean, you're talking, yes, there was Archer systems
and a few different things that were percolating from a GRC,
a governance risk and compliance side.
But really, a lot of people were still locked in Excel spreadsheets then.
And I think it's at that point in time that you start to get these line items for hackers break in.
They steal something of value, steal card data, SSNs, driver's license numbers, other pieces of information.
That's where I think things really started hitting on the risk registry in terms of making sure that cyber was one of those things that you would actually have and that you would take control of and really try to mitigate the risks of.
For many, many years afterwards, and for some companies still today, but for many years afterwards, easily until 2013 to maybe 2015, cybersecurity is an IT issue and an IT issue exclusively. So yet for another seven to eight years, it's entirely an IT issue. TJX didn't
change that conversation, unfortunately. It was still, hey, let the IT guys handle it. IT's in
charge of it. It's an IT problem. It's not a reputational risk problem. It's not an overall
business problem. It's not an overall operational problem. That's where the dialogues kind of died down.
And these systems were not making significant use of encryption at the time either?
No, not really. I mean, you had, you know, in 2007, 2008, you finally had, you know, people saying, hey, we should really look at all laptops being encrypted, all mobile devices being encrypted.
But, you know, it wasn't until Massachusetts CMR 17.00, where it actually, as a state law, pushed out a mandate that all mobile devices be encrypted. And it wasn't until that point in time, which really those regulations took effect in March of 2010. So it wasn't until 2010 that there was some stick
there to say, you must do this if you have a Massachusetts resident as your customer,
or you're doing business in Massachusetts, which of course, you know, many companies were doing in
terms of having customers almost, you know, equal weight to California. California being the biggest stick, obviously, with, you know, forget what it is,
fifth largest GMP in the world. But as a result of that, you know, encryption was starting to be
pushed in in terms of mobile devices, in terms of phones,
maybe even a little more laggard there until 2012 and 13 on phones. But database level encryption was not widely in use.
In some places, you were actually doing field level encryption for just that specific field.
But when marketing would take the data out of one database and create a new data warehouse,
the information would be unencrypted again, and so on and so forth. So you really had data proliferation in terms of it going everywhere,
and that key level of encryption, if it existed, only existing in that one place.
So still very, very raw and new in terms of encryption for large companies.
I want to go through some of these high-profile breaches
with you and get your take on where they stand, where they stand out, and sort of the lessons that
the industry and the public learned from them. Why don't we start with one of the biggies,
and that's Yahoo from 2013. Yeah, I mean, the Yahoo breach or breaches, right, 2013 and 2014,
you had some $500 million in the first, and then
kind of the resulting, I think the grand total is around 3 billion in terms of usernames, passwords,
and other information there. I mean, certainly the biggest, certainly one of the most impactful
in terms of just about everyone had as a stopping point. I mean, at some point in time, everyone had
some type of AOL, maybe a Hotmail.
Definitely everyone had some type of Yahoo address.
And of course, look, the end users using this,
password safes weren't in wide existence
back then in easy format.
There are a number that are standalone,
now a number that are cloud-based and online and apps.
But highly likely, if someone had a Yahoo email,
that their password to that email was the same as it to Gmail,
same that they were using in at work, same they were using in other places,
or with some minor modifications.
I think as I look at Yahoo, great data trove to find out what someone's password is,
see if they're using it similarly on other websites,
and attack them at those websites in terms of their
corporate life or other associations that they may be a part of, especially associations that
may be a part of that could yield you other information, other intelligence, or point out
weaknesses in them, especially if you want to target that individual or that company.
Also a good treasure trove in terms of documentation. I mean, everyone putting their airlines or their rent-a-car or their hotels or whatever into Yahoo over the years.
And, you know, obviously equally Gmail.
But, I mean, Yahoo seems to be the one-stop shop.
And what have we taken away from that?
What were the lessons learned there?
Well, I mean, I think a few different things.
First of all, obviously, you have large-scale breaches over a number of different years, a number of different kind of quote-unquote administrations, if you will, within Yahoo.
I look at it as a cultural issue, a cultural problem from the outset. So there's a problem
there in terms of the culture. There's a problem there in terms of governance. There's a problem
there in terms of the realization and the acknowledgement from the top on down, from the board and the C-level suite on
down, that at the end of the day, they are a data company. They live and die off of data. Therefore,
they must be a cybersecurity company, and it must be baked into everything they do.
From all public accounts, it looks like it was an uphill battle, and in many instances,
to get the funding and the things that they needed to be done. But that's no excuse, none whatsoever.
It seems like absolutely the wrong culture, something opposite to storing and safeguarding
however number of people and accounts and or amount of data that they hadn't held.
So I look at it as that's one massive lesson in terms of you are a cybersecurity company,
you're an IT company, two things go together.
That lack of realization in terms of Yahoo of not saying, well, yeah, we make our money via marketing, but we are only able to exist because of our name and reputation and goodwill.
Yeah, let's move on and talk about Equifax.
I mean, that one was particularly damaging, yes?
I mean, that's probably one of the most damaging breaches ever. And it isn't just that Dave Bittner's record is exposed in terms of he has a Citibank card and an American Express card and a home loan here and a car loan there. What all the banks use and mortgage financial companies use, even government to an extent uses,
which is it's the single source of data input for what's called the KBA, knowledge-based
authentication. So you, Dave, when you're trying to buy that new ski chalet, you're filling out
the final. But when you're filling out all that information and it's trying to ascertain your
identity, it's asking you those questions.
Dave, what was the first color of car you got? Who was your first home mortgage with?
What was the first credit card you got with? Who was the bank behind that? Proving to that third party that you have a degree of knowledge about your financial patterns and other things about your life over a 10, 20, 30-year history period of time, you can't erase them.
Your first car was purple.
It just is what it is.
It was a Dodge Dynasty, and it was Acme Insurance Company and Acme Mortgage Company for the house.
You can't change those.
This knowledge-based authentication is the backbone for the banks, credit card transactions,
and other things that we do that are more financial in nature. And that entire database,
really half of the population of the United States, is gone. Someone else has it, has access
to it, and can figure out all of those answers for what 50% of the United States consumers are doing as it relates to their background.
That's really damaging, and the only thing that's actually going to make it less risky is time, i.e. another 30 years really to wash through the system.
We can't do anything about that.
It is what it is. I want to talk about some of the breaches that weren't so much consumer
focused, but that really could kind of hit us at a nation state level. I'm thinking about the OPM
breach. I'm thinking about the Sony hack and even things like Ashley Madison, Friend Finder,
where you're getting personal information that could be used to extort someone.
When you take a look at those tools that are useful for, yes, intelligence purposes, but also for ransom or extortion or reputational issues,
I mean, it doesn't get any better than OPM. Office of Personnel Management has the SF-86
standard forms that are the entry point to apply for classifications or clearances within the United States government, whether it be
confidential, secret, or top secret and above. This is the one form, one size fits all.
The information on that form is incredibly, incredibly sensitive, incredibly personal,
and it's not just on the individual. It's on them, the spouse, significant other, the kids, their parents,
the significant other's parents and relatives, any foreign contacts. I mean, it goes on and on and on.
Well, that information in one easy to find document that can be indexed, OCR'd, stolen, and even if it's the old fashioned written forms, stolen and then OCR'd later on,
I mean, is a treasure trove for any intelligence agency anywhere in the world, period.
Not only does it tell who someone is, give potentially weaknesses about them because it's illegal to lie on that form, and it potentially tells others who to get to to get to that person.
All of that taken together, it's like the perfect roadmap.
Really a perfect roadmap.
The same thing in terms of like from a flip side,
you know, Ashley Madison, Friend Finder.
I mean, these are 2015, 16.
I mean, if an intelligence agency is able to get active knowledge of active users
on those types of sites,
perhaps put people in place,
exploit them, exploit the individual,
embarrass the individual. I mean, kind of a treasure trove there once again. And same thing
in terms of some of the IP breaches in Sony, just a little bit different. The embarrassment or the
extortion factor of Sony, but we're also going to steal your intellectual property. I think
one of the James Bond movies, the script was stolen. A few other things were
stolen there. But then dot, dot, dot, the extra add-on is, oh, and by the way, since your exchange
server is next door to all this fun, cool stuff, we're going to look through all of your emails
and find the most embarrassing emails that we can about the best stars that are out there,
the ones that make you the most amount of money, and we're going to expose those emails of you complaining about Brad Pitt or complaining about whatever star it was.
And I mean, that goes straight to the bottom line. Yeah, absolutely. And I wonder, you know,
when you look back at some of these big breaches, is there any thread that goes through them where
if only we had done this,
if only we'd thought about this, then maybe this wouldn't have happened?
Well, I think there's a tactical piece of that that needs to be there. But at a higher strategic
level, I think most certainly it is absolutely a miss in terms of each one of these companies not putting enough value on the data that they have and hold,
and the value to them in terms of damage and reputational damage and branding damage and or operational damage to the loss of control of the data.
There somehow is this misnomer that even though the data isn't gone and can never, ever be found, that it still can be damaged and the company can be damaged by others having access to it or control or you're losing control to it.
And it's that inability to accurately risk rate what you have and translate it into how this
makes you money, how this makes the company survive, and how this actually promotes and
supports the products and services you have. I go back to the risk equation here in terms of
if there was a proper risk assessment that was done that was well understood, not an IT risk
assessment. Talk about a business risk assessment. What is it that actually makes the company go?
I would hasten to say across all of these companies, they didn't actually say what
can make us or break us in the digital realm. And what do we want to do about it? How do we want to
act on this? And do we, the board, approve it? Do we, executive management, approve it? Do we,
the one person who's in charge of cybersecurity, approve it? And we didn't do that. And I think that's
a theme throughout all of these. We've learned nothing, if I'm really true. If we go back all
the way to TK Maxx, Heartland Payment Systems, the RSA security breach, every breach that we've
seen to date is what I call a confidentiality breach.
That's Jason Hart. He's CTO for enterprise and cybersecurity from our show sponsors,
Gemalto. It's where data has been compromised and exposed and published.
That's been done in some cases because it was very simple to do, to expose the data. The data then is being used to conduct other forms of attack or breaches.
But ultimately, as per the previous podcast with you, Dave, it's always about data.
The bad guys have this ability to get access to data, sensitive data, expose that sensitive data,
when actually they shouldn't have been able to do that.
So for me, to date, every breach has been a confidentiality breach,
reputational impact, financial impact, etc.
But we're entering into a world of what I call a world of integrity attacks,
which is going to bring us a world of bigger pain than we've ever seen before.
Well, let's dive into that. What do you mean by that?
Every breach that's happened today,
it's been about exposing the data.
You know, there's been reputational impact.
In some cases, there's been some substantial fines.
But the way we consume data and use data today,
we make business decisions.
So what about if the bad guys may have already altered data,
altered the integrity of the data for a downstream effect
So let me give you an example. This is purely a theoretical example, right? So, as you may have gathered from my accent, I'm from England. In England, in the UK, I live in a very rural village, and it's a farming community. I have two neighbours, both farmers, Will and George, the brothers.
Going back two, two and a half years ago,
one Sunday afternoon, George and Will wanted to come around,
you know, in a very English farming way in North Somerset.
They brought some cheese and then brought some cider.
But the key reason they came around was to show me their new tractors.
One had a Massey Ferguson, one had a John Deere.
And what they were really blown away by was the automation, the IoT, the telematics.
So their new tractors could actually identify the crop quality, the soil quality, the yieldage, the acreage, etc.
So from a farming point of view or a farmer's point of view,
that was providing them a lot of valuable information.
So for me, I started thinking in my odd way as I do,
like a bad guy providing some situational awareness around the whole situation.
So as a farmer, I understand the need.
I sign up to a subscription.
I get this data.
This data I can use to monetize my farm.
I can get more yieldage, et cetera.
Brilliant.
However, from a manufacturer's point of view,
you know, it's an additional amount of revenue,
but it's not a huge amount of revenue
in contrast to what the machinery cost, et cetera.
So I was thinking, okay, I'm the manufacturer now.
So now I have visibility, or I have data sets, of the yieldage or the crop quality or the soil quality across the whole of the UK. That's interesting. And again, this is all theoretical right now. Now I have that data set to say actually the crop quality is going to be poor or whatever. I've got some insight. So maybe with that data I could sell that data on. So Dave, who would you sell that data set onto?
I guess the nation next door, who you're competing against in selling your crops.
Or what about now suddenly we start selling it onto the commodity markets to give them insight to actually the UK or Europe, maybe, you know, the crop is lower, you know, it's real-time data,
or actually the soil quality because of, you know, the lack of rain or whatever.
So you've got this real-time data.
Are we going to have a good year or not?
Exactly. So now they can bring that number or they've got that data set
so actually they can formulate into some of their analytics.
Right.
So now, think like a bad guy.
What if I could access all of that IoT environment
and alter the integrity of the data,
knowing that the flow of that data is most probably being used
to actually look at the futures market or whatever,
or the commodities markets.
So now, knowing that as a bad guy,
if I was to, every piece of data that
was entered and then put back up into the cloud, divide it by two, I can actually control the
commodity market. And at the same time, I can legitimately put money on the commodity markets,
but alter the integrity of the data that's going in to affect that price.
That's what we call an integrity attack on a grand scale.
And so what's the mitigation to that?
How do you shepherd that data through to make sure that the integrity is there from start to finish?
And that's my point.
Today, we've barely protected the confidentiality of data.
No one's actually thinking about the integrity of the data.
Is it true?
So we can take a thousand different types of businesses and say, right, those businesses are using data to make appropriate business decisions. At what point are they validating the input and the output and the integrity of it?
to do now is at some point in the life cycle of that data, just manipulate the integrity of that data to affect a downstream effect, or have a consequential impact. My point here, Dave, is
at the point an organisation finds out that they've been susceptible to an integrity attack,
they've made business decisions already. Within a confidentiality attack, yeah, it's publicised,
it's in the press, there's reputational impact, maybe some financial business moves on.
Integrity attack, it's going to be too late because the damage has already been done two years ago.
And they've actually been using that data to make appropriate business decisions.
It's a very, very dangerous form of attack.
And it's what I call the invisible attack, which is going to come and
bite our backsides. And I could imagine it, particularly in regulated industries, you could
almost have a double whammy where if you'd been, unbeknownst to you, reporting faulty data,
well, the regulators are going to have a problem with that as well.
Totally. Yeah. And again, the integrity attack
could have happened three, four years prior to actually the regulator realizing. So now,
where do you go from here? So, I mean, looking at our history of some of these high-profile
breaches, what leads you to this conclusion that this is the direction we're heading?
I always tend to look three or four years ahead. We're starting to solve some of the confidentiality issues. We're not learning,
okay? We are getting there. Again, it all comes down to the previous podcast review, Dave. It's
all about data. We need to look at our data and understand what are the likelihoods, what's the
probability, what's the type of attacks, is it a confidentiality risk, is it an integrity risk? We're starting to solve some of the confidentiality risks, you know, the likes of GDPR, etc., for normalization, protecting data at rest, at its source, in transit, etc. But we also need to start thinking about new types of possibilities of things occurring. As organizations become more secure, the attack surface moves elsewhere, and then ultimately it's all about making money from data or monetizing data. So now the bad guy is going to go, right, what if I can affect a cause or create a cause to occur to the left to affect a cause or an impact to the right to monetize?
What is the solution to the integrity-focused attack?
You and I have talked previously about using encryption, technological solutions.
If I take care of the basics, is that going to protect me from this as well?
Great question. Nothing's changed here, Dave. It's the basics.
So again, if we go back to the, you know, in time, you know, when in the Victorian times I would send a letter, there would be a wax seal on it.
And if that was open or the seal had been broken, guess what?
I know the integrity of that letter has been compromised.
No different.
The controls to solve this problem are out there.
They've been around for many hundreds of years.
The technology is there.
Cryptography, key management solves these problems.
Dare I invoke the name blockchain? Could that be a solution, having an open ledger?
Hugely. So again, we're in a world of centralization, going decentralized and ledger,
100%.
If I'm a board member and I'm thinking about the things that should be on my radar in terms of risk, how should I be approaching from that direction?
So from an integrity attack, if you have done what I've previously outlined in my previous podcast with yourself, I have a risk register of data. Within that risk register of data,
I know that certain types of data has a higher level of risk
from a confidentiality integrity point of view.
I need to ensure that the data
which potentially could be affected
from an integrity attack
has the appropriate controls.
Of what we've seen so far, have any of the high-profile breaches been integrity attacks?
There's certainly been a couple in the U.S.
The names of them have kind of gone from my head.
But there's been a, in the legal sector, where M&A activity has happened,
the integrity of some of that data has been used, yes.
For organizations who are looking to get their head around this,
where do they begin?
What's your advice?
How do we get started?
Again, it's about data.
So understand the supply chain.
We're in a world of technology now
where the IoT device is driving
other kind of technologies.
The data is being used
to make other business decisions.
Understand the flow of your data,
the types of data,
and at each level,
ensuring that the low hanging
risks are mitigated.
Do you feel like the message is getting out there?
No, I still think we are in a world of, well, why would someone target my organization?
From a bad guy's point of view, they do it because they can.
They do it for self-gratification.
They do it for monetary reasons, country on country.
There is always a real reason why they would target a particular organization.
If you're an organization where you're not applying the appropriate security controls,
the bad guys will target you.
You may not even know they've targeted you, but at an important time, it will become apparent.
So, again, getting back to this notion of looking at some of these high-profile
breaches that we've seen over the past few decades, when you look at them, is there a common
thread through them that if only they had done this, then these high-profile breaches might not
have happened? Yeah, 100%, Dave. You know, if we look at the past 21st century and look at the top
17, you know, breaches that have occurred, you know, they all had one thing in common.
It was one, it was data. But if they were applying the appropriate encryption and key
management controls to that data, yes, they would have been breached, but it would have been
what I call a secure breach. The data would have been rendered useless. We need to start applying
the basic security controls, encryption, key management, forms of multifactorial authentication.
By doing that, we've vastly reduced every breach that we see to date.
Until we do that, we're going to continually see the breaches on a daily occurrence.
We apply the appropriate security controls to the data that actually matters.
That's Jason Hart, CTO for Enterprise and Cybersecurity at Gemalto. Thanks to them for
underwriting this edition of CyberWireX. Be sure to visit gemalto.com slash cyberwire to learn more
about their access management and data protection solutions, and also find out about the breach
level index, which tracks the volume and sources of stolen data records. That's gemalto.com
slash cyberwire. Our thanks to Dr. Christopher Pierson from BlackCloak for joining us.
CyberWireX is a production of the CyberWire and is proudly produced in Maryland at the
startup studios of DataTribe, where they're co-building the next generation of cybersecurity
startups and technologies. Our coordinating producer is Jennifer Eiben. Our CyberWire Thanks for listening.