How CISOs Can Change The Game of Cybersecurity

In the modern enterprise, chief information security officers need a broad mandate over security and risk management across all operational silos, not just the datacenter.

As data breaches continue to escalate, organizations, regardless of size or industry, need a new mindset to rise to the pervasive challenge of cybercrime and cyber espionage. Despite the fact that the FBI claims that their number one criminal priority is cybercrime, less than five percent of computer intrusions are successfully prosecuted, according to the Department of Justice and FBI. With jail time and other penalties few and far between, corporate decision makers are on their own when it comes to protecting corporate reputations, intellectual property, finances, and customers.

Facing this challenge boils down to risk management and financial investment. But with only 8 cents of every corporate IT dollar allocated towards security, the current picture isn’t reassuring, especially given the hostility and unregulated nature of cyberspace. Worse, today’s security investment deficit is jeopardizing corporate brands and exacerbating their risk of serious reputational damage.

Board-level mandate beyond the datacenter
Typically, organizations serious about cybersecurity appoint chief information security officers (CISOs) to lead the charge. Historically, a CISO answers to the chief information officer (CIO). The problem with this model is that the CIO role is similar to that of a football offensive coordinator, a position that is concerned primarily with increasing efficiencies, access, and resiliency within the IT realm.

While important, none of these elements aid the CISO, (continuing our football analogy, the defensive coordinator), whose principal job is to improve security and risk management across all operational silos within the enterprise. From a governance perspective, the CISO needs a broader mandate than that of a defensive coordinator, a mandate befitting an executive with more far-reaching responsibilities and reporting to the COO or CEO.

In the modern enterprise, all corporate leaders should be held accountable for their cybersecurity posture, even though their position might be far from managing the datacenter. For instance, chief marketing officers are typically focused on the actual use of the Web, such as email campaigns, mobile app development, website updates, blogs and search engine optimization. Even though these responsibilities may seem like strictly promotional endeavors, they can leave the door open for malware or other cyberattacks against unsuspecting customers’ systems. It’s not a good outcome for the company or the constituency.

Preventing the systemic spread of malware
Malware infections often times migrate from one part of the enterprise to the other, even from a third-party partner. Once a network is compromised, an attack can become widespread throughout the entire IT infrastructure supply chain in a practice known as “island hopping.” A classic example of island hopping was the infamous Target breach, which ultimately resulted in the resignation of both the CEO and CIO. A holistic mentality toward cybersecurity will mitigate the systemic risk of the spread of threats across an IT infrastructure.

The subsequent investigation at Target also revealed that thieves had infiltrated a third-party vendor to steal the retail giant’s credentials. The result? Cybercriminals successfully gained access to approximately 40 million customer credit cards, potentially affecting more than 100 million individuals. The repercussions are still being felt throughout the retail sector today.

As Target shows us, third-party partnerships are another overlooked aspect of many security strategies – strategies that demand attention and support from the corporate leadership team to be effective. Organizations looking to strengthen security should examine the policies of their partners — including law and accounting firms — particularly if a company is publicly traded. These partners have access to sensitive information that make very attractive targets.

A new level of safety in the digital world
For two decades, corporate focus has predominantly been on cutting cost, improving access and increasing efficiencies to goods and services. The same commitment should now transition to policies that make customers, partners and investors feel safe in the digital world created for their convenience. Just as a customer at a shopping center should expect a level of safety from the landlord and retailers, an online environment should have the same trust factor.

To accomplish this, a concerted effort should be made to elevate cybersecurity to an operational and reputational risk management priority. It is the obligation of boards of directors to improve oversight and governance for cybersecurity. This translates to analyzing investment strategies regarding information technology, cybersecurity and drastically improving training in order to stay ahead of sophisticated cybercriminals.

The Internet is not a comforting environment. Proper due diligence of cybersecurity is not only a risk management function but also a reality of modern-day brand protection.

Within his role as chief cybersecurity officer, Tom Kellermann is responsible for analysis of emerging cybersecurity threats and relevant defensive technologies. Tom served as a commissioner on The Commission on Cyber Security for the 44th Presidency and serves as an advisor … View Full Bio

More Insights

The Grinch Who Exposed Your Kids’ Identities

5 Ways VTech’s Scrooge-like security spending put young users at risk.

As news unfolds about the huge data breach at toymaker VTech that exposed personal information and passwords for s close to 5 million parents and 200,000 children, it’s becoming clear that sometimes the Grinch isn’t the thief. Sometimes the Grinch is the company with poor security practices that makes it possible for thieves to take innocent consumers’ data–especially when those consumers are minors.

The VTech breach, which was first reported in a Motherboard article last week, seems to have been carried out not to steal the data, but to prove a point through its exposure: VTech’s security stinks, and there’s loads of data at risk as a result. Included in the data dump were poorly encrypted passwords, secret questions stored in plaintext and names, birthdays, photos, and chat logs for children using VTech toys that were easily tied to their parents’ identifiable information like home addresses.

“Fortunately, the damage appears to be limited in that this attacker hasn’t shared the data, but there’s no way of knowing whether other attackers may have already obtained the same data,” says Shuman Ghosemajumder, vice president of strategy at Shape Security. “Parents in general should, of course, be very careful about who they give their children’s information to, and should watch for telltale signs that a company isn’t taking security seriously.”

The attention garnered by the exposure has certainly drawn the security community’s microscope over VTech and what it found isn’t pretty.

Willful Ignorance On What Kind Of Data Is Valuable

“VTech is proud that no credit card or banking information was stolen, but the data that was stolen could potentially make this breach more damaging and dangerous over the long run,” says Jeff Hill, channel marketing manager for STEALTHbits, who explains that while credit card information can be cancelled, personal information cannot.

As he explains, patient criminals can stash information like names, birthdays, and mailing addresses to carry out future attacks that take advantage of initially stolen informatoin. In particular, information on minors can be seriously valuable as parents are less likely to do credit checks on their kids than on their own identities–giving attackers a longer time to use a stolen minor’s information without any repercussions.

“Much more disturbing, however, is the potential for child predators to obtain and exploit the children’s information,” Hill says.

Atrocious Encryption Practices

In a thorough analysis of VTech’s data collection practices and weaknesses observable through its Web applications’ customer interface and through information from the breach’s data dump, development security expert Troy Hunt dismantled the company’s data security practices. One of the first glaring problems? VTech is encrypting all of its parent passwords using only an unsalted MD5 hash. 

“Once the passwords hit the database we know they’re protected with nothing more than a straight MD5 hash which is so close to useless for anything but very strong passwords, they may as well have not even bothered,” he wrote.

As Hunt explains, VTech’s encryption at rest is second only to no encryption at all–which is exactly the route the company chose to go with for data in transit.

“All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted,” he says. “These days, we’re well beyond the point of arguing this is ok – it’s not.” 

Similarly, all data surrounding password reset questions were also stored in plaintext.

No Data Retention Boundaries

Beyond the crummy encryption, though, is an even more endemic data governance problem at VTech. Given the volume and variety of data breached, its clear that no thought had been given about data collection and retention policies. Exhibit A on this is the news yesterday that chat logs were also left exposed on VTech servers–leading most security experts to wonder why that data was even available to take.

If the firm had some kind of philosophy with regard to either collection or retention, VTech likely would have thought twice about the risk it incurred by keeping this kind of sensitive information.

“You should only collect and store data for well understood use,” wrote Mark Nunnikhoven, vice president of cloud research for Trend Micro in a blog discussing the breach. “Data should be evaluated for its overall value to the organization and—just as importantly—the risk it can pose to the organization.”

Bad Data Design

VTech’s data governance woes extended beyond just promiscuous collection and retention practices. Another huge flaw exposed by this breach is the sloppy data design that allowed sensitive information about kids to be tied to even more identifiable information stored about those kids’ parents.

These kinds of considerations are absolutely huge for companies that collect data on children, says Beth Marcus, CEO and founder of children’s app developer Playrific.

“Through the data access structure, it’s crucial to prevent various data pieces from being put together by any external player – even when parental permission in given,” Marcus says. “You have to break the link between the data and the child, and the links between the various pieces of the data vault containing different elements of the individual’s data. When kids are involved, saying ‘sorry we didn’t think about that’ doesn’t cut it. Hackers may never exploit data the way you think they might, that’s why you can’t risk having identifying information and behavior information tied together anywhere in the system at rest.”

SQL-Laden Error Messages

VTech has gone on record saying that the likely attack vector for the breach was the tried and true SQL injection. That’s no surprise given the fact that the company’s error messages are serving up attackers valuable infrastructure on a silver platter. According to Hunt, VTech’s password error messages were returning SQL statements to users. That’s pretty much putting out the welcome mat for SQLi attackers.

 “This breach is another sad example of a company ignoring some very basic application security best practices,” says Chris Eng, vice president of research for Veracode. “Why are websites still vulnerable to SQL injection today? The industry has known about this for decades, is one of the OWASP Top 10 most dangerous vulnerabilities and they are not difficult to find or fix.”

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

More Insights

Using HTTPS on your website? We’ll see you in court

cipher-herocredcnet.jpg CNET

If you use HTTPS, you’d better pay us.

At least, that’s what CryptoPeak wants to happen, holder of a patent it hopes covers the widely-used elliptic curve cryptographic key.

Encryption is on the rise in a post-Snowden world full to the brim of surveillance-happy governments monitoring everything from your digital communication channels to the streets via CCTV.

It seems no matter what we do, privacy is now a moot point when it comes to over governmental overlords — but you can at least make the life of spies a little more difficult.

Consumers have called out for better protection against such widespread surveillance and as cyberattacks are also steadily increasing, encryption is a method many online services have chosen to protect not only the data being funnelled to and from visitor to domain, but also as a means of lessening the risk of hacking being successful.

However, websites using the elliptic curve cryptographic key (ECC) are now at risk of being forced to court for using the protocol. As reported by The Register, Texas-based firm CryptoPeak snapped up US Patent 6,202,150 earlier this year, which describes “auto-escrowable and auto-certifiable cryptosystems” — which the firm argues covers ECC.

The abstract reads:

“A method is provided for an escrow cryptosystem that is overhead-free, does not require a cryptographic tamper-proof hardware implementation, is publicly verifiable, and cannot be used subliminally to enable a shadow public key system [..] an unescrowed public key system that is publicly displayed in a covert fashion.

The key generated by the method are auto-recoverable and auto-certifiable (abbrev. ARC). The ARC Cryptosystem is based on a key generation mechanism that outputs a public/private key pair, and a certificate of proof that the key was generated according to the algorithm. Each generated public/private key pair can be verified efficiently to be escrowed properly by anyone. The verification procedure does not use the private key.”

More security news

According to CryptoPeak, TLS-secured websites using ECC are under this patent and therefore it wants its financial due.

While CryptoPeak began its patent campaign in July, the company has filed fresh litigation against a number of top brands in the last few weeks — including AT&T, Groupon, Netflix, Experia, Etsy and Yahoo.

Filed in the Eastern District court of Texas, many of the complaints filed ask for legal costs and damages.

In one case, against Scottrade, CryptoPeak says “irreparable harm and monetary damage” is being caused through running websites which “operate in compliance with the standards of Elliptic Curve Cryptography (“ECC”) Cipher Suites for the Transport Layer Security (“TLS”) protocol.”

While ECC does generate and publish public keys for use in encryption protocols, the patent does not cover every function of ECC, and the wording is vague enough to cause doubt — especially as use of the key is so widespread, and the use of a “method” and “apparatus” in the patent has been called into question.

You might consider CryptoKey little more than the next patent troll looking to cash in on advances in technology, and perhaps you’d be right — since the company doesn’t seem to have much of a footprint outside of the courtroom.

Netflix, one of almost 70 companies being dragged to court over the patent, appears to agree based on the company’s motion for case dismissal (.PDF), which calls CryptoKey’s lawsuit “invalid” from the outset.

Either way, it’s unlikely such a fragile lawsuit in this day and age is likely to discourage online services from using encryption in a world where consumers demand it to make online purchases.

Read on: Top picks

37,479 websites struck down for selling counterfeit goods, abusing copyright

screen-shot-2015-12-01-at-10-15-58.png

Over 37 thousand websites have been seized by law enforcement as part of an ongoing battle against counterfeit goods trade, IP theft and piracy.

Officials from Europol, the U.S. Immigration and Customs Enforcement (ICE) and Homeland Security Investigations (HSI)’s Intellectual Property Rights Coordination Center led police agents in a joint operation designed to take down websites in an international operation dubbed In Our Sites (IOS) VI.

On Monday, Europol said websites which touted their goods across e-commerce platforms and social networks were of particular interest.

Operation IOS, which has ran for the past four years, reached the height of its success in phase VI through the takedown of 37, 479 websites, including those which sold counterfeit goods, fraudulent domains and websites which touted online piracy.

Law enforcement from 27 countries — including new players such as Chile, Japan and Hong Kong — were involved in the takedowns, which coincided with the Black Friday weekend and Cyber Monday — some of the busiest days for shopping ahead of the holiday season.

“Cooperation with private industry remains crucial and is key to monitoring and reporting IP-infringing websites to the concerned countries via Europol, to ultimately make the Internet a safer place for consumers,” Europol said.

“The participating rights holders represented different sectors including traditional luxury goods, sportswear, spare parts, electronics, pharmaceuticals and toiletries.”

What’s Hot on ZDNet

Traders of counterfeit goods can make a killing not only on the street but now online. You only need to look at Google search results to find websites screaming about discount designer items, pharmaceuticals and rock-bottom prices on luxury items — however, not only are many of these products fake, but visiting these websites can be dangerous — as they may be waiting to deliver malware payloads to unsuspecting shoppers looking for a good deal.

“This effort highlights the global commitment to take aggressive action against online piracy,” said IPR Center Director Bruce Foucart.

“The IPR Center will continue to collaborate with international law enforcement and industry to protect consumers from purchasing counterfeit goods online, which could expose sensitive financial information and present a health and safety threat.

In previous phases of the operation, law enforcement seized over a thousand websites across the US, Europe and other continents. As long as fraudulent websites keep appearing, law enforcement has a difficult challenge on its hands to not only keep consumers safe but prevent the widespread sale of dodgy goods.

Read on: Top picks