Top 3 Actions Every Middle Market Executive Must Take on Cyber Incident Response

Over the last sev­er­al weeks, as sum­mer wrapped up and our kids went back to school, I’ve been talk­ing with a great bunch of mid­dle mar­ket exec­u­tives in the greater Seat­tle-area. These folks fit the pro­file of our poten­tial cus­tomers: They’re cyber risk man­agers. But, rather than sell­ing to them, I’ve been doing research to learn more about their cyber­se­cu­ri­ty needs.

Credit: Horseshoe Bay Resort

Some sub­jects come up a lot, like cyber-insur­ance. And the large num­ber of ran­somware attacks. And emails try­ing to get some­one in finance to move a ton of cash on short notice to a dark cor­ner of our plan­et.

Every now and again I hear about a real­ly meaty issue, like whether to turn on full or par­tial encryp­tion for pro­duc­tion data­bas­es. Yet some things I expect (hope?) will come up just don’t.

Like cyber inci­dent response. (Although, a cou­ple exec­u­tives have men­tioned Yahoo’s all-time record-break­ing 500 mil­lion user account com­pro­mise.)

So, I’ve tak­en it upon myself to answer the ques­tion nev­er asked: “Kip, what are the top 3 things I should do at my lev­el to pre­pare for the big cyber­se­cu­ri­ty breach I hope will nev­er come?”

Glad you asked!

  1. Believe it or not, ear­ly detec­tion of a data breach saves you mon­ey. The longer it takes to dis­cov­er a breach, the more it costs to deal with. (Just ask Yahoo, who’s in the mid­dle of being acquired.) So your first step is to ask your man­age­ment team: “How good are we at detect­ing data breach­es?” If any­one answers “Great!” ask them to walk you through how they do it. Right now, very few of us are great at it. But this will give you some idea of where you are.
  2. Cyber­se­cu­ri­ty breach­es are packed with a lot of poten­tial lia­bil­i­ty issues. To reduce your risk, all types of non-rou­tine cyber­se­cu­ri­ty events that involve peo­ple out­side your orga­ni­za­tion should be dis­cussed under attorney/client priv­i­lege. So your next step is to have a con­ver­sa­tion with an out­side attor­ney who spe­cial­izes in cyber­se­cu­ri­ty and ask them for guid­ance.
  3. Unfortunately, most companies find out they’ve suffered a data breach from law enforcement, the news media, or a customer. Ouch! The only thing worse than battling a data breach is when someone else fires the starting gun! Maybe that’s why Yahoo sat on their 2014 data breach for two years before telling anyone about it. So your last step is to ask your head of public relations if they’re ready right now to manage a data breach that spins out of control before you’ve even had a chance to understand what happened.

What’s on your top 3 list?

Moving To Quarterly Posting Schedule

When I start­ed my blog over a year ago, my goal was to pub­lish some­thing help­ful to cyber risk lead­ers every week on Mon­day morn­ing.

A quick review of my log shows I’ve done a very good job of hit­ting that goal!

Post­ing week­ly made a lot of sense to me. Until recent­ly, when I start­ed tak­ing my act to the next lev­el in terms of sales, mar­ket­ing, and deliv­ery of my com­pa­ny’s main prod­uct, the Cyber­se­cu­ri­ty Exec­u­tive Toolk­it.

When I start­ed my blog, I did­n’t yet know how I was going to focus my com­pa­ny, Cyber Risk Oppor­tu­ni­ties. Who would we help? Specif­i­cal­ly how would we help them? In what ways would we be dis­tinct­ly dif­fer­ent from our com­peti­tors? How will we earn enough mon­ey to become (and remain) a viable busi­ness? I had just start­ed work­ing to answer these and oth­er foun­da­tion­al ques­tions.

After a year of hard work, count­less con­ver­sa­tions, and doing real work with my cus­tomers I now have sol­id answers. You can get a quick sum­ma­ry of how I’m help­ing cyber risk man­agers by watch­ing the 3 minute video over at my com­pa­ny’s web­site, www.CyberRiskOpportunities.com. That’s where I’ll keep all the infor­ma­tion about our prod­ucts and ser­vices.

Mean­while, here on my blog, you’ll get a longer, more thought­ful post about cyber risk man­age­ment once per quar­ter. I’ll pub­lish on the first work­ing Mon­day of every Jan­u­ary, April, July, and Octo­ber. I’ll put my short­er, more fre­quent thoughts out on Twit­ter and LinkedIn. And maybe some­thing extra here when I think it makes sense.

Hope you enjoy the rest of your sum­mer! Me? I got­ta find some cyber risk lead­ers to help…

Three More No-Capex Ways to Detect Network Intruders

I pre­vi­ous­ly out­lined three strate­gies for detect­ing intrud­ers on your net­work with­out the need for a large cap­i­tal expense for spe­cial­ized sys­tems. In fact, you don’t even need a man­aged ser­vice provider.

Now, as promised, here are three more ways:

  1. Using time stamps and the geolo­ca­tion of the source IP address­es, look for sim­ple irreg­u­lar­i­ties in log-ins and access pat­terns. The most obvi­ous would be an account that is log­ging in from two coun­tries so close togeth­er in time that it’s unlike­ly they are both legit­i­mate. You can access geolo­ca­tion data for free or low cost.
  2. When the HTML response sizes leav­ing your net­work are much larg­er than usu­al, that’s a sign you’ve prob­a­bly been the vic­tim of a SQL injec­tion attack.
  3. Final­ly, watch for out­bound web traf­fic where 30 or 40 brows­er win­dows are open­ing all at once. This kind of behav­ior is more like­ly a sign of an auto­mat­ed ses­sion rather than a human one.
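
The two-countries check from item 1, as an added example (not code from the original post). It assumes login events have already been geolocated to a country and coordinates; the 900 km/h ceiling, the field names and the sample events are assumptions made for illustration.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_KMH = 900.0  # assumed ceiling: roughly airliner cruising speed

def km_between(a, b):
    """Great-circle (haversine) distance in km between two (lat, lon) points."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(logins, max_kmh=MAX_KMH):
    """Flag consecutive logins by one account from two different countries
    that would require travelling faster than max_kmh."""
    last_seen = {}
    alerts = []
    for ev in sorted(logins, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None or prev["country"] == ev["country"]:
            continue
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        dist = km_between(prev["loc"], ev["loc"])
        # Zero elapsed time between two countries is always impossible.
        speed = dist / hours if hours > 0 else float("inf")
        if speed > max_kmh:
            alerts.append({"user": ev["user"], "from": prev["country"],
                           "to": ev["country"], "hours": round(hours, 2),
                           "km": round(dist)})
    return alerts

def _ev(user, ts, country, lat, lon):
    return {"user": user, "time": datetime.fromisoformat(ts),
            "country": country, "loc": (lat, lon)}

# Constructed sample events (not real log data).
SAMPLE_LOGINS = [
    _ev("alice", "2016-08-01T08:00:00", "US", 47.61, -122.33),  # Seattle
    _ev("alice", "2016-08-01T09:30:00", "RO", 44.43, 26.10),    # Bucharest, 1.5 h later
    _ev("bob", "2016-08-01T08:00:00", "US", 47.61, -122.33),    # Seattle
    _ev("bob", "2016-08-02T10:00:00", "GB", 51.51, -0.13),      # London, 26 h later
    _ev("carol", "2016-08-01T08:00:00", "US", 47.61, -122.33),  # Seattle
    _ev("carol", "2016-08-01T08:20:00", "US", 40.71, -74.01),   # same country: skipped
]

if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

Expect false positives from VPNs and mobile carriers that exit in another country; validating those is part of learning what is normal on your network.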

Will you have false pos­i­tives? Yes. But you’ll also under­stand what’s con­sid­ered nor­mal on your net­work much bet­ter than you do today.

Do you have any low-cost, yet auto­mat­ed, strate­gies for net­work intru­sion detec­tion?

Three No-Capex Ways to Detect Network Intruders

Orga­ni­za­tions can do a good job of detect­ing intrud­ers who have infest­ed their data net­work with­out buy­ing and oper­at­ing an expen­sive com­mer­cial net­work intru­sion detec­tion sys­tem. You don’t even have to hire an out­side man­aged net­work secu­ri­ty provider. Check out these three pow­er­ful strate­gies for deal­ing with this cyber risk:

  1. The first strat­e­gy is pos­si­bly the most pow­er­ful: Use your exist­ing admin­is­tra­tive tools to pro­duce a dai­ly report that shows all mem­ber­ship changes to all admin­is­tra­tive groups for the past 24 hours. Then assign some­one to val­i­date every change. This will tell you if some­one tries to “sneak in” through a priv­i­lege esca­la­tion.
  2. One sign that an attack­er is “bed­ding down” in your net­work to con­duct long-term sur­veil­lance is the unex­pect­ed patch­ing of sys­tems. Why? An attack­er does­n’t want anoth­er attack­er break­ing in and mess­ing up his inside access to your data net­work! So watch your vul­ner­a­bil­i­ty scans for sys­tems that don’t need a patch you nev­er pushed.
  3. To detect the stag­ing of data for exfil­tra­tion, mon­i­tor your crit­i­cal data­bas­es for sud­den, unex­plained swells in read activ­i­ty. In addi­tion, mon­i­tor all filesys­tems for large quan­ti­ties of data sud­den­ly or grad­u­al­ly appear­ing in the wrong places.

With each of these tips, I’m sure you’ll get a few false pos­i­tives. And, you’ll have to climb a learn­ing curve that keeps chang­ing as the activ­i­ty of your orga­ni­za­tion trans­forms over time. A new prod­uct launch will cause per­ma­nent changes in what’s con­sid­ered “nor­mal” on your net­work.

These are just the first three on my list. Next week I’ll give you three more. See you then!

Should CEOs Lose Pay For Cybersecurity Failures?

Given all the cyber­se­cu­ri­ty fail­ures we’ve wit­nessed thus far, could it be any more clear that our legal and gov­er­nance incen­tives and mech­a­nisms for pre­vent­ing and deal­ing with cyber­se­cu­ri­ty attacks are not prop­er­ly aligned? Here’s the lat­est data point: The CEO of Talk­Talk was paid almost £2 mil­lion on top of her base pay of £550,000 in 2015 which includ­ed Talk­Talk’s lat­est cyber attack and result­ing loss of 95,000 sub­scribers.

I came across this news over at the CFO Net­work group on LinkedIn where Conor Marken recent­ly post­ed a link to an arti­cle enti­tled Fine Firms For Cyber Secu­ri­ty Fail­ures. The arti­cle reports that in the UK, mem­bers of par­lia­ment recent­ly con­sid­ered whether com­pa­nies should be fined if they fail to guard against cyber attacks. This comes as they dis­cuss last year’s Talk­Talk hack. Here’s the best line:

The com­mit­tee also rec­om­mend­ed that CEOs’ pay should be linked to effec­tive cyber secu­ri­ty;

Great sen­ti­ment, but who knows if that would real­ly work? Link­ing CEO pay to oth­er per­for­mance fac­tors has­n’t turned out as well as we hoped. Har­vard Busi­ness Review was sour on the whole idea as ear­ly as 1999. And here’s their lat­est take on it: Stop Pay­ing Exec­u­tives for Per­for­mance.

I’m not sure what the big fix is for the fact that many of the same qualities of the Internet that let Amazon dominate are the ones fueling the rise of online criminals (bullies): low-cost, global reach, mostly automated, and largely anonymous. However, it is clear that the legal and governance incentives and mechanisms are not properly aligned.

So, what should we do?

Proof Cybersecurity Is A Management Problem

Back on March 28th, I talked about the $54 mil­lion Busi­ness Email Com­pro­mise (BEC, or CEO Fraud) at FACC, an Aus­tri­an sup­pli­er of spare parts to Boe­ing and Air­bus. As bad as it was, it’s got­ten worse: In addi­tion to the CFO, CEO Wal­ter Stephan has been fired after 17 years in that job.

Here’s the rough time­line lead­ing up to this point:

  1. FACC dis­closed the Busi­ness Email Com­pro­mise (BEC) in Jan­u­ary 2016
  2. US$56 mil­lion stolen; about US$11 mil­lion recov­ered
  3. CFO fired in Feb­ru­ary 2016
  4. Net loss of about US$22 mil­lion announced for 2015, a direct result of the BEC
  5. An imme­di­ate 17 per­cent drop in its share price fol­low­ing the net loss announce­ment
  6. May 2016, CEO fired, after 17 years with FACC

One way to put this all into perspective is to know that BEC losses globally from October 2013 through February 2016 are $2.3 billion and climbing!

Another way to put this into perspective is to realize that relatively little in the way of technology was compromised to steal all that money. And, while there are some technological things we can do to reduce risk, the best defense is trained finance people following strong processes in a culture where it’s OK to respectfully question unusual emails.

In my view, cyber­se­cu­ri­ty is no longer a tech­nol­o­gy prob­lem. It’s a man­age­ment prob­lem. And exec­u­tives need to lead the way by com­mit­ting their orga­ni­za­tions to cyber resilience.

Do you know a bet­ter way?

International Use of NIST Cybersecurity Framework

A cus­tomer of mine recent­ly won­dered about how much the NIST cyber­se­cu­ri­ty Frame­work was being used inter­na­tion­al­ly. This is impor­tant because they have offices in oth­er coun­tries and want­ed to know how favor­ably they would respond to using the Frame­work to guide their own cyber­se­cu­ri­ty pro­gram.

So, I did some research. My goal was to find out how many non-US orga­ni­za­tions are using the Frame­work, or plan­ning to do so. I used open sources avail­able via Google search.

I wasn’t able to find any data on the rate of adop­tion by non-US orga­ni­za­tions.

I found two reli­able data sources on Frame­work adop­tion in gen­er­al. Here are their con­clu­sions:

  • The rate of adop­tion in the US was 30% as of end of 2015 (Gart­ner)
  • By the end of 2016, CSF adop­tion in the US is expect­ed to be 43% (Dimen­sion­al Research, n=300).
  • By 2020, more than 50% of US orga­ni­za­tions will use it (Gart­ner)
  • As com­pared with ISO 27001 and SANS Top 20, the Frame­work is the most like­ly secu­ri­ty frame­work to be adopt­ed by US orga­ni­za­tions over the next year (Dimen­sion­al Research, n=300).

How­ev­er, I did see a few case stud­ies where large, US-based orga­ni­za­tions (e.g., Intel) were using the Frame­work on an inter­na­tion­al basis. There is a Japan­ese trans­la­tion of it and Italy has issued their own based on the NIST Frame­work.

Although not backed by any research, I also found indi­ca­tions that the Frame­work will soon become a require­ment for all US fed­er­al gov­ern­ment agen­cies. And I saw unsup­port­ed asser­tions that the Frame­work is being used by for­eign orga­ni­za­tions but no names were men­tioned.

Here’s my advice if you are in a sit­u­a­tion where you need to have some good PR on the Frame­work: Tell them you’re using ISO 27001. And this is easy and true because the NIST Cyber­se­cu­ri­ty Frame­work is 76% mapped to ISO 27001.

The remain­ing 24% of the non-ISO mapped sub­cat­e­gories are still easy to jus­ti­fy (RC.CO‑1: Pub­lic rela­tions are man­aged) and you prob­a­bly already do many of them (PR.IP-12: A vul­ner­a­bil­i­ty man­age­ment plan is devel­oped and imple­ment­ed).

Any­one have addi­tion­al data to help bet­ter under­stand inter­na­tion­al adop­tion of the Frame­work?

4 Reasons Why Cybersecurity Depends On Relationships

Ever won­der why cyber­se­cu­ri­ty is so hard for peo­ple to get right? And, why are cyber­se­cu­ri­ty lead­ers fail­ing to con­vince peo­ple to work more secure­ly? We can learn some great lessons by study­ing the spread of med­ical and oth­er tech­nolo­gies and then apply those lessons to cyber­se­cu­ri­ty tech­nolo­gies we know make a dif­fer­ence, such as pass­word man­agers.

For exam­ple, anes­the­sia (specif­i­cal­ly, chlo­ro­form) was in world-wide use less than a year from its intro­duc­tion in 1846. In con­trast, anti­sep­tics, which were pro­mot­ed in the 1860s, took over twen­ty years to become estab­lished in most oper­at­ing rooms. Why the dif­fer­ence?

Dr. Atul Gawande: “We yearn for fric­tion­less, tech­no­log­i­cal solu­tions. But peo­ple talk­ing to peo­ple is still the way that norms and stan­dards change.”

Here’s why: The spread of all new ideas about what’s good and how things should be is depen­dent on peo­ple talk­ing to each oth­er. Everett Rogers, who is best known for intro­duc­ing the term ear­ly adopter, tells us that “Every change requires effort, and the deci­sion to make that effort is a social process.” In oth­er words, new ideas are spread and adopt­ed pri­mar­i­ly through rela­tion­ships.

I’ve learned this les­son the hard way. Only after wast­ing $30,000 of my bud­get and a good chunk of polit­i­cal cap­i­tal try­ing to imple­ment a new, home­grown cyber­se­cu­ri­ty tool did I real­ize my lack of the right rela­tion­ships had doomed me almost from the start. Based on what I learned from my fail­ure, I take a dras­ti­cal­ly dif­fer­ent approach to intro­duc­ing change these days. My approach is more rela­tion­ship-dri­ven, which is what you should do as well, so that your change efforts will be more suc­cess­ful.

Back to anes­the­sia ver­sus anti­sep­tics. The New York­er pub­lished an arti­cle by Atul Gawande: Slow Ideas. You may remem­ber one of his well-received books, The Check­list Man­i­festo. (Save your­self some time and mon­ey: read the arti­cle upon which the book was based.)

Slow Ideas describes and pro­motes Atul’s Bet­ter Birth project. It’s an exper­i­men­tal approach to reduc­ing the rate of death among moth­ers and babies dur­ing and short­ly after child­birth in poor­er coun­tries. And, along the way, Atul also answers the ques­tion about anes­the­sia ver­sus anti­sep­tics.

It’s a fascinating story that’s well worth reading on its own merits. But it also provides keen insight on the struggle to create new norms, which any cybersecurity leader looking to promote change should appreciate.

From read­ing Dr. Gawande’s arti­cle, I’ve iden­ti­fied four rea­sons why you should lead all your change efforts by first using your rela­tion­ships:

  1. Tech­nol­o­gy alone won’t get the job done. Dr. Gawande describes see­ing unused incu­ba­tors pushed into dark cor­ners, bro­ken due to lack of spare parts or switched off due to a lack of elec­tric­i­ty. As tech­no­log­i­cal­ly advanced as the units were, drop­ping them off in under­de­vel­oped coun­tries and then mak­ing no arrange­ments for inte­grat­ing them into local life speaks to the lack of rela­tion­ships.
  2. Requests, incen­tives, and penal­ties only work up to a point. Mere­ly request­ing a change will win over a cer­tain per­cent­age of the audi­ence, but prob­a­bly not as many as you want­ed. Study­ing the tax code of any coun­try will reveal incen­tives are hard to get right. Peo­ple have a way of max­i­miz­ing incen­tives for them­selves, often to the detri­ment of the stat­ed goals, and in ways the authors nev­er imag­ined.
  3. Research has shown rela­tion­ships are the most effec­tive way to bring about change. We can intro­duce a new idea to peo­ple. But, peo­ple fol­low the lead of oth­er peo­ple they know and trust when they decide whether to take it up. Everett Rogers wrote: “Every change requires effort, and the deci­sion to make that effort is a social process.”
  4. Real-world expe­ri­ences. In his arti­cle, Dr. Gawande tells a sto­ry about how drug mak­ers per­suade stub­born doc­tors to pre­scribe new med­i­cines: “Evi­dence is not remote­ly enough, how­ev­er strong a case you may have. You must also apply ‘the rule of sev­en touch­es.’ Per­son­al­ly ‘touch’ the doc­tors sev­en times, and they will come to know you; if they know you, they might trust you; and, if they trust you, they will change. Human inter­ac­tion is the key force in over­com­ing resis­tance and speed­ing change.”

I encour­age you to read the arti­cle for your­self. It’s per­sua­sive and very inspi­ra­tional. And, you’ll find out why anes­the­sia got into the oper­at­ing room faster than anti­sep­tics.

Have I con­vinced you that rela­tion­ships are the best method for improv­ing cyber­se­cu­ri­ty? If not, why not? Do you know a bet­ter way?

Two Daily Actions To Contain Data Breach Costs

A sin­gle data breach can cost your com­pa­ny a lot of mon­ey. How much? Based on the Net­Dili­gence 2015 Cyber Claims Study of actu­al insur­ance claims data, we know the aver­age cost of a large com­pa­ny data breach is US$4.8 mil­lion.

Want to min­i­mize the cost? Quick­ly iden­ti­fy the data breach.

How do I know that’s the best way? And, how do you do it quick­ly?

Here’s the first answer: Check out this data in the IBM/Ponemon 2015 Cost of Data Breach Study. This graph from page 22 of their report shows the rela­tion­ship between the mean time to iden­ti­fy a data breach and total aver­age cost:

That’s a very clear con­nec­tion, don’t you think?

OK, so how can you quick­ly detect a data breach with­out spend­ing a ton of CapEx for a fan­cy intru­sion detec­tion sys­tem and then a ton of OpEx to run the thing?

Here’s how: Have your serv­er admin­is­tra­tion teams run these two dai­ly checks:

  1. Dis­cov­er when­ev­er some­one becomes a priv­i­leged user by ver­i­fy­ing all new accounts that have been added to any admin­is­tra­tor or root groups
  2. Iden­ti­fy data being staged for exfil­tra­tion by notic­ing when large amounts of data sud­den­ly show up in unusu­al places

With both these checks, the large majority of the work can be automated. The way to do it is to use existing server management tools to compare and highlight the major differences between today’s and yesterday’s snapshots of (1) all your admin/root group members and (2) the percentage of free server disk space.

The man­u­al work is track­ing down why those changes hap­pened and mak­ing sure it’s a legit busi­ness rea­son. This will take some sleuthing at first to know who to call and what con­sti­tutes nor­mal changes. But with­in a month you will set­tle down into a pro­duc­tive rou­tine.
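
The today-versus-yesterday comparison described above, which also covers the daily administrative-group report from "Three No-Capex Ways to Detect Network Intruders", as an added example (not code from the original post). It assumes your existing server management tools have already exported both snapshots; the data layout, host and account names, and the 10-point disk threshold are assumptions made for illustration.

```python
def diff_admin_groups(yesterday, today):
    """Compare {host: {group: set(members)}} snapshots and return a sorted
    list of (host, group, change, account) for someone to validate."""
    changes = []
    for host in sorted(set(yesterday) | set(today)):
        old_groups = yesterday.get(host, {})
        new_groups = today.get(host, {})
        for group in sorted(set(old_groups) | set(new_groups)):
            old = old_groups.get(group, set())
            new = new_groups.get(group, set())
            changes += [(host, group, "added", m) for m in sorted(new - old)]
            changes += [(host, group, "removed", m) for m in sorted(old - new)]
    return changes

def disk_drops(yesterday, today, threshold_pts=10.0):
    """Compare {(host, mount): percent_free} snapshots and flag volumes whose
    free space fell by at least threshold_pts percentage points in one day."""
    flagged = []
    for key in sorted(today):
        if key not in yesterday:
            continue  # new volume: no baseline to compare against yet
        drop = yesterday[key] - today[key]
        if drop >= threshold_pts:
            flagged.append((key[0], key[1], round(drop, 1)))
    return flagged

# Constructed snapshots (not real data).
ADMINS_YESTERDAY = {
    "db01": {"sudo": {"alice", "bob"}},
    "win-fs1": {"Administrators": {"alice"}},
}
ADMINS_TODAY = {
    "db01": {"sudo": {"alice", "bob", "svc_backup2"}},  # new privileged account
    "win-fs1": {"Administrators": {"alice"}},
    "web03": {"wheel": {"carol"}},                      # host seen for the first time
}
DISK_YESTERDAY = {("db01", "/var/tmp"): 62.0, ("web03", "/"): 71.0, ("win-fs1", "D:"): 40.5}
DISK_TODAY = {("db01", "/var/tmp"): 31.5, ("web03", "/"): 70.2, ("win-fs1", "D:"): 39.8}

if __name__ == "__main__":
    for change in diff_admin_groups(ADMINS_YESTERDAY, ADMINS_TODAY):
        print("ADMIN CHANGE", *change)
    for host, mount, drop in disk_drops(DISK_YESTERDAY, DISK_TODAY):
        print(f"DISK DROP {host} {mount}: free space down {drop} points")
```

A one-day comparison only catches sudden swells; data that accumulates gradually needs the same comparison against an older snapshot, such as last week's.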

What oth­er sim­ple tech­niques have you used to detect data breach­es?