Category Archives: Data Breach

IoT World 2017

I have spent the last week in Santa Clara attending the IoT World conference, hoping to see what was new and exciting in the world of IoT. Having tracked this sector for a while now, it has been interesting to see all the new platforms (512 and counting) and startups that have popped up.

While I found the keynotes a great window on possible new products from companies, I did get a sense that security and privacy did not get the air time they deserve. I attended many of the security sessions and, while interesting, they were more focused on product plugs than on real discussions of how to design and build security into a product. It was more "buy my product or platform and you will be secure". That is a scary proposition, especially when vendor-generated standards are used as the guideline for self-assessment. Let's be clear, folks: vendors have their own best interest at heart, not yours, when it comes to security.

I was also troubled by vendors stating that if customers just pay more they can add security. This is the wrong view from both an executive and a security perspective. The right view, in my humble opinion, should be: here is what we identified as the threat profile for our products and solutions, and here is how we designed security and privacy into our products and services from day one. Oh, and it did not significantly increase the price of the product!

I really wanted to tell some of the top brass that lawyers are attending ISO security standards meetings globally and are planning to use standards such as those from ISO/IEC SC 27 and IEC 62443 as the baseline for the controls that will be expected in IoT solutions. In the event of a compromise or data breach and the ensuing lawsuit, these same corporations will be held to task on how they meet these requirements and controls. So by all means keep working on your vendor association standards, but realize the actual yardstick is the ISO/IEC standards.

On the more positive side of the conference, I really liked that NASA is going out of its way to make software freely available to the community. The breadth of expertise that has gone into some of this software is quite remarkable. I was also really impressed with the Samsung Artik HW and platform and how far it has developed in a short time. It really is making its mark as a contender in the IIoT, smart cities and power generation sectors. I even signed up for the developer program and plan to buy some of the dev boards so we can start evaluating this platform for some of our projects. Other notable things were the use of embedded tags and sensors on products, and how to test just about every component being designed and built. If you are in Santa Clara next year, I recommend that you attend the vendor exhibit at next year's show to see all the development and new products. It would have been good to see Apple and other product companies show where they are going in these areas, but I will keep my fingers crossed for next year.


What does the WikiLeaks announcement mean to you?

I doubt you missed it, but this week WikiLeaks announced some very serious allegations about how vulnerabilities are being used by government agencies to compromise devices and then use those devices to listen to conversations and capture all data from them. Do I have your attention now?

If you have one of the following, pay attention:

a. An iPhone
b. An Android phone and/or based device (this category is very wide)
c. Windows
d. Smart TV
e. Home IoT devices
f. Fake versions of security software from McAfee, Kaspersky, and Sophos

The list goes on and on. This truly sets a significant precedent: an intelligence organization has infiltrated and created a platform to compromise systems for spying. I for one am not surprised. Why?

1. Many companies do not have SDLCs that include security testing, and those that do only do the minimum required for their particular industry.

2. Many do not threat model or conduct the aggressive pen-testing that is required for many of these products.

3. Executives are more inclined to release an insecure product to get revenue than to do the right thing and secure it from the get-go. Go to many startup incubators: they only think about security and privacy when they hit several thousand users or larger companies start asking about their security posture. Many of the folks that fund these start-ups consider security a "patching" problem. They want their money, so get the product to the point where someone is going to pay big dollars for it and we can walk away.

4. Vendors are not required to provide any assurance for their products. This is why IoT in the consumer and business markets is a bounty of either compromised or soon-to-be-compromised devices that are used in pivot attacks.

So how do you protect yourself and your organization in this wild west of vulnerable software? Consider the data you collect, store and process, then how it is touched by the known vulnerable products listed above. Now, start to remove your critical data from these platforms until patches and fixes can be provided. Start asking vendors and service providers those uncomfortable questions:

a. How do you securely test and design your software or solution? Prove it!
b. Do you provide free upgrades and patches for your products?
c. When was the last time you experienced a data breach?
d. How is your source code protected and evaluated against backdoors and compromises?
e. What security training do you provide your staff on a regular basis?
f. What 3rd party evaluations have you had conducted against your products?
g. What is your vulnerability disclosure policy?

The answers to these questions are going to give you a good sense of the security posture of the vendor. If they cannot answer these immediately or have to go check, walk away! A company that has instilled a culture of security will have the answers available to all members of staff.

Additionally, I would recommend that you stay off public WiFi networks, as these are used to hunt for victims. Stop making it easy for governments to gain access to your devices. This includes corporate confidential and IP data, because they take that too. Harden your device as much as you can and use an IPSec VPN to protect your data in transit. Finally, encrypt all your stored data. If your systems are compromised, you need to have that additional level of protection.


Devs stop the “bolt-on” syndrome

We believe the companies who develop products and services need to develop a cyber assurance program to ensure their solutions do not lead to "bolt-ons"… yeah, you heard me, "bolt-ons". Let me explain: we use insecure communications, then use a VPN as a bolt-on to secure them; we use insecure OSes and applications, then use AV as a bolt-on to protect our desktops and PCs; and we do not patch and service our operational systems, then use IPS/IDS as a bolt-on to protect them. Get the point?

We have been using this outmoded approach to security for a long time and it does not seem to be getting better, but worse. Worse because those organizations that don't use the bolt-ons are making it ugly for the rest of us when their systems are compromised and used to attack our systems.

How do we fix this mess? At the heart of all things computerized is software. We need to become obsessed with safe and usable software and applications. We have to stop accepting licenses to use a product that is built to make people lots of money with little regard for users' well-being. Stop expecting your software to fail and expose your business and your children. Think of it this way… if your car were to fail as much as your OS or applications, would you buy that car again? Probably not, and you would light up social media channels with why not… so why give money back to the same developers who exposed your data in the first place? Or why give money to someone who did not perform basic security or privacy testing for an application?

Help stop the bolt-on effect. Be selective about your software providers. Ask them the tough questions on how they perform security testing and ensure that vulnerabilities are reduced to a minimum. Then have them prove it! Take a peek at how many CVEs have been reported against them. This includes your mobile apps. You might be surprised to learn that the folks who develop these apps have little to no formal software training, yet collect and store your confidential and proprietary data. How safe do you feel now?


Our Approach to Security is All Wrong

When I look at the time, money and resources used to protect digital assets, I start to wonder, as many executives do, when we are going to see a turning point or an ROI.

While the problem is complex, I believe the lowest common denominator is software, and more specifically the lack of time we spend testing and analyzing it prior to shipment. With many companies in a race to get to market, security and privacy are always the last things considered. Many believe they get in the way of productivity. If you want to see a disaster happening, look at all the IoT solutions built with little consideration for security and privacy. Then consider all the data breaches that have happened recently. Many of these data breaches were the result of someone taking advantage of bad code to get access using an insider.

As we continue to develop substandard code, we then spend billions on security technologies in an attempt to protect it. It seems crazy when you think about it this way. You cannot protect flawed software; it is next to impossible, because without user training and detection systems there is no one to deal with the signs that a system has been compromised.

I also look at how, over 20+ years, the expectations of software developers have changed considerably. When I first started my career I did LOTS of programming. We did not have the Internet to provide us with code samples; we had to learn the language and its nuances. We also had constraints on HW given the cost of memory and systems back in the day. You had to write good, clean code.

Today, when many developers hit a snag they will search Google and perform a CTRL-C + CTRL-V… problem fixed. In the old days we used to have structured walk-throughs and spend more time in design to figure out the code logic. Today, programmers will use 3rd party libraries and SDKs without any consideration of the security implications; specifically, where did it come from and who has touched it?

So how do we fix this mess? Well, with small steps, and by changing our mindset about how we consider software in our society. Namely, we have to do the following:

  1. Make security part of our companies and organizations. Using an ISMS provides the basis for this regardless of the widget you build. Every company is different and will have to tailor its ISMS to its specific risk profile.
  2. Once done, you need to determine how you build your widget. This requires the use of an SDLC to identify the threats to the widget and how you plan to dispose of all the data that this widget might collect over its usable life. These need to be fully understood prior to ever writing a line of code, and document, document, document. These become auditable elements later in the life of the widget. They also serve as education material for new team members as the team grows and changes.
  3. As the first versions of the widget are created they need to be evaluated to ensure the identified threats are sufficiently addressed. Spending this time now will save you costs down the road… trust me.
  4. Prior to production release, ensure the widget gets a final assessment so that all risks are known, including residual risk(s).
  5. When the widgets are in the field they need to be monitored for signs that they have been targeted for compromise. The process for this will have been created under your ISMS and will drive how your organization handles these reports.
  6. If issues are reported, it is important to evaluate them and, if deemed relevant, address them as soon as possible. If you designed your widget correctly it will have a method to perform in-field updating. This includes notifying users of the update.
  7. At this point, you just need to repeat this process for every revision of the widget. As the company changes you will have to ensure the ISMS is updated to deal with the growing nature of your business operations.

Only by addressing the current approach to software development can we reduce the current risk landscape for all businesses, consumers and governments who use this vulnerable software. Vulns that are found and not disclosed are the nuggets the digital underground uses to prosper. Fixing software will help reduce the targets, so that your widget is not targeted but your competitor's is. Let a secure, cost-effective widget be your competitive advantage.


Are you a good data custodian?

Due to the increased number of breaches lately, it makes me think that companies large and small need to re-think the data they collect and store at a different level, or even from a strategy perspective. Clearly many don't until it is too late.

As we have learned from older industries such as forestry and fishing, good husbandry and management are key to operating longevity. Data, and now big data, are no different. We must learn and accept that data is the DNA of our businesses. With that in mind we must consider what data is being collected and its lifecycle.

What are some of the keys to a good data custodian program?

  1. Understanding what data is collected and how it is stored, processed, and destroyed. This can be implemented via a risk assessment process for every project, including the adoption of an ISMS (Information Security Management System).
  2. Setting up systems and networks to monitor for signs of intrusion and even who is accessing your data. Remember the CIA principles here and separation of duties for all systems being deployed. Again, part of an ISMS.
  3. Providing training to your staff and making staff aware of these issues. See ISMS.
  4. Policies and procedures. See ISMS.
  5. Discussing and planning for a data breach with legal counsel that understands breaches. While you might deploy every security control to identify and mitigate a breach, one could still occur.
  6. Talking to a PR firm that understands and has dealt with data breaches.
  7. Repeating this process every day that you operate your organization.

While deploying an ISMS is not trivial, your business and customers deserve the protections these systems afford. The process piece needs management adoption, and management needs to start building a culture of security for the organization. However, if they don't, a court of law and a class action lawsuit could find them negligent, and that does not benefit anyone involved.


Planning For a Data Breach

Why is it important to be prepared for a data breach? Well, given the recent data breaches, they are the trend these days, but it is more than that. Preparing for a data breach allows businesses to prepare their employees, suppliers and customers so that in the event of a data breach they are better positioned to deal with the situation.

While a class action lawsuit may result from a breach, having a good, well thought out data breach playbook will reduce the potential payout by the company. Ensure you have adequate insurance in place to deal with the bills… there will be many of them. You also want to do everything in your power not to show negligence.

Some specific aspects that will get you prepared include:

  • Developing and testing a Breach Playbook
  • Retaining a law firm with experience in data breach
  • Retaining a PR firm with expertise in crisis management
  • Purchasing cyber security insurance fit to the data being retained
  • Conducting RAs (risk assessments) to determine where critical data resides
  • Keeping the contact details of data forensics experts in your address book

Being prepared is your best chance of success. Each member of your staff should know their role and responsibility, and make sure that every detail of a post-breach assessment is documented every 6 minutes. Why? You will need these details for litigation later on and to ensure the process is making progress. The executive and PR team can determine the best way to use the updated details of the breach and keep media and shareholders informed with the most up-to-date information. Remember: being prepared and communicating when it happens is the best course of action.


You have been compromised now what?

So you just received a notification from either a company, credit agency or government department that your data could have been compromised. First of all, take a deep breath; this is going to take a while to sort itself out, and nothing in this process will be solved quickly, believe me. Second, call the number or contact provided and try to obtain as much detailed information as you can. Get a pen and paper ready to record the details. Some of the questions to ask include the following:

  1. Ask for a contact name and number.
  2. Record the time and date of the call.
  3. Get details on precisely what data they store that was possibly compromised.
  4. Do they know when the breach happened?
  5. Are they going to provide any support services for credit monitoring or identity theft?
  6. Was the data insured against data breach?
  7. When can you expect a final report on the data that may have been compromised?

Next Steps:

  • If your data was financial related, I would demand that your credit and accounts be monitored for unauthorized usage, and the related costs should be covered by the breached organization.
  • If the compromised organization provides strong authentication for its web services, I would ensure that you sign up for it.
  • Change passwords for any web service that only uses a simple login solution. Or better yet, if you don't need the service, terminate it immediately and use another company with similar services. Ask the provider to delete all your remaining data and/or remove your account. If they refuse, see the next bullet.
  • Talk to a lawyer who specializes in data breach and discuss whether this was caused by negligence on the part of the breached organization and whether you can pursue damages.

Going forward, before giving any organization your hard-earned $$$$'s, make sure you ask questions about what data they store and how it is kept secure. If they cannot provide an answer, or provide one that lacks detail, find another provider. As data owners we need to start demanding this of both businesses and our government.

Your personal data is like digital diamonds: organizations and criminals want to profit from it. This includes social media organizations who monetize your data by selling it to retailers and advertisers, and criminal groups who use your identity to conduct malicious activity, since you are a target that draws less attention.

Consumers and businesses need to realize this new reality and ensure that, where data is being shared, many questions are asked first before that data is released. Once it is compromised it is gone and you will not get it back.


Data Breach – Get Prepared if you collect customer data

Today, I was a panellist at a Data Breach Seminar held in Toronto. It was a full room of attendees at the Davis LLP office in First Canadian Place. Our panelists included the following:

Kelly Friedman – Moderator

Kelly is an experienced litigator with unique expertise in electronic information matters, including e-discovery, privacy and data breach risk mitigation and response. She is an expert advisor to the Standards Council of Canada with respect to the development of international (ISO) standards regarding information technology security.

Kelly is known for her efficient, no-nonsense approach to problem solving and dispute resolution and her ability to bring calm and clarity to bear in crisis situations.

Anna MacMillan

Anna MacMillan has extensive experience in mergers and acquisitions, and has been involved in a broad range of transactions involving international and Canadian clients. Anna has specialized expertise in dealing with financial institutions and payment card industry participants, both in the M&A setting and in respect of ongoing compliance considerations. 

She has advised clients on a wide range of issues relating to privacy, data protection, actions to be taken on a data breach incident and allocation of risks relating to data breach.

Carol Levine

Carol Levine is a professional communicator with expertise in image, issues and reputation management, as well as crisis communications. Her experience spans many industry sectors, including health and pharmaceuticals, consumer packaged goods, retail, technology and manufacturing. 

Carol is co-founder and owner of energi PR, the Canadian affiliate of the Public Relations Global Network (PRGN), which is among the four largest networks of independently-owned PR firms in the world.

Patrick Malcolm

Patrick Malcolm is the President of NetRunner Inc., a Canadian Cyber Defence Company.

Patrick is a trusted advisor to the Department of National Defence and the Royal Canadian Mounted Police Integrated Technology Crime Unit. He has extensive experience dealing with both criminal and nation-state cyber threats. He is a technical trainer and professional speaker. Patrick combines subject matter expertise with a mature assessment process to provide a complete solution that helps his customers enhance their security posture, reduce risk, facilitate compliance and improve operational efficiency.

Garth Heustis

Garth is responsible for leading and managing the Information Risk (cyber) book of business for CNA in Canada and is very active in conducting seminars across the country for their brokers. CNA as a corporation has been writing Information Risk since 2001 and is one of the top 5 carriers for this line of business.

We provided attendees with details on both pre-breach and post-breach issues and considerations. The key here is being prepared and ensuring you create a playbook to be used in the event of a breach.

As this is a growing issue with our customers, I am attaching a document that includes some considerations and questions you should be asking your organization to determine your level of preparedness.

As always, should you have any questions on data breach, please reach out to us. We would be more than willing to provide support and help you build your data breach playbook.

Data Sheet on Breach Services