Category Archives: Data Breach

Facebook’s fall from grace... it’s just the beginning

This week I finally felt jubilation due to the Facebook story. Not that I want to celebrate anyone’s downfall, that is not it at all, but for years I have been telling people the dangers of using this service. Many laughed and poked fun at me and even told me I watched too many James Bond movies.

Well, I think what is really scary is that this incident only skims the surface of the true problem. What are all these social media and cloud services companies doing with our data? Even all telecom providers collect your internet access traffic and sell it for money. Yes, my friends, we are fully monitored. Welcome to 1984.

I hope this serves as a wake-up call to users globally: you really need to think about what a “free” service is really about. The “free” aspect is your data; companies have to make money, and you had better determine what you are giving up before you jump in. Start with their privacy policy and then look at the data they are collecting or possibly collecting. For example, pictures, conversations, even your mood that day, everything is up for grabs. If this information was leaked, would it cause any damage to you or those close to you?

It is also refreshing to see so many people wake up to the fact that their privacy matters. And it does! In many ISO meetings, we constantly have members saying individuals don’t care about their privacy anymore. I have been arguing the opposite position. Many users just don’t understand the implications of the data being captured, analyzed and sold. Now they do... or at least they are waking up to it.

Now the next issue that is bound to be exposed is Google and all the data they collect on school kids. As many school boards use Google due to operational cost, and most kids use this platform for email and all their documents, who is buying this access and usage data? These are the questions we need to be asking as parents, educators and regulators. This will be the next data breach we find ourselves involved in.


Mayday: The Call for Cybersecurity Reform in Aviation

If the first big cybersecurity breach of 2018 has taught us anything, it’s that even multinational tech companies need help navigating the realm of cybersecurity. Intel had known about Spectre and Meltdown since June of 2017, and eight months of inactivity is not sufficient post-breach protocol.

If the tech industry is struggling to grasp cybersecurity’s severity, what does this mean for other industries? As tech and financial institutions recognize the importance of cybersecurity, other industries need to address the digital elephant in the room.

If we think about the industries most vulnerable to cyber-attack, the answer may both figuratively and literally fly over our heads. The aviation industry is one of the most influential industries in the global economy and one of the most susceptible right now to cyber-attack. As the number of digital components in the cockpit has increased, so too has the attack surface of all aircraft and air traffic control systems.

In the United States alone, the civil aviation industry accounts for over five percent of the US economy, generating $1.6 trillion in economic activity per year. While a cyber-attack impacting the economy is frightening enough, the most alarming notion is that hackers have the ability to make airplanes vanish from radar systems or even crash. Even smaller-scale cyber-attacks can have a significant impact. A simple Denial-of-Service against airport services, or flight delays, can have massive cost implications and impact goods, people and information. With dollars and lives at risk, it’s important to understand where and why certain threat vectors in the aviation industry exist.

Mind the ‘air’ gap.

Traditionally, component parts and systems in aviation have been made up of air-gapped technologies, making them nearly impossible to breach. As society has evolved and shifted to a more connected digital environment, we’ve seen a similar paradigm shift in aviation. Even critical components such as engines, hydraulics and flight management systems are now being monitored using IoT-based approaches to services. While this has made flying easier for pilots and cozier for passengers, it has also made systems exponentially more vulnerable to cyber-attack – specifically after switching from fly-by-wire to fly-by-wireless systems.

With fly-by-wireless technology, aircraft are controlled with fewer, more centralized units using higher-throughput multicore, multiprocessor computers and commercial off-the-shelf components. While this increases efficiency, it also means that the aircraft, cockpit, cabin crew and passengers are using many of the same communications components. Wi-Fi, passenger information, avionics and more are all controlled by a centralized system, making a single cyber-attack easier and all the more catastrophic. Not only that, but since aircraft parts are manufactured by different sources, malware could infiltrate these systems as early as their journey through the supply chain.

As aviation security measures struggle to keep up with aviation technology, a number of threat vectors have surfaced. The most common in the industry include: air traffic control, aircraft IP networks, aircraft communications addressing and reporting systems (ACARS), aircraft interfaces, reservations, document control, electronic flight bags (EFB) and baggage handling. Since all airline and airport operations differ slightly, determining to what level these vectors exist and how to protect them requires a Threat & Risk Assessment (TRA) and Risk Registry (RR). With a TRA conducted and an RR in place, organizations can prepare cybersecurity methodology for both pre- and post-breach conditions.

Keep airways breach-free.

You can summarize an effective cybersecurity policy in two words: be proactive. Setting up pre-breach methodology is equally as important as having post-breach methodology in place. The greatest victory is the battle not fought and there is too much at stake for the aviation industry to wage war with cyber criminals.

The harsh reality is that airlines need to prioritize as it is too expensive to protect all assets from all threats. While a TRA and RR provide the framework for an airline’s individual security needs, the mercurial nature of cyber threats requires ongoing monitoring and maintenance of the methodology in place. Pre-breach methodology should follow international standards and consider the full breach picture by understanding the risk of data exposure, breach prevention and incident response.

In an ideal world, incident response wouldn’t be a part of breach methodology, but hackers are a cunning bunch. Defenses are sometimes broken and airlines need to be prepared. Post-breach methodology is about timely mitigation, and since it takes businesses an average of 100 to 200 days to detect an intrusion, timeliness seems to be a widespread issue.

The key to prevention and detection is ensuring technical controls are in place and that policies and procedures governing security practices are well communicated to protect and secure assets. The ability to detect and perform an incident response that follows a breach aids greatly in tightening security practices by identifying methods that will prevent further compromise in the future.

Airlines need to realize that this can’t be done alone. Whether it’s through the public or private sector, airlines need to partner with experts that understand the ever-changing cybersecurity landscape. The best security partner helps you implement procedures to handle this swiftly and independently and can also be called to assist in emergency situations.

A commercial plane wouldn’t take off without landing gear nor would it fly without a channel connected to air traffic control. Whether it’s physical or digital, a preflight checklist is required to ensure safety of both the flight crew and passengers. Cybersecurity isn’t a risk the aviation sector can afford to take.


IoT World 2017

I have spent the last week in Santa Clara attending the IoT World conference, hoping to see what was new and exciting in the world of IoT. After tracking this sector for a while now, it has been interesting to see all the new platforms (512 and counting) and startups that have popped up.

While I found the keynotes a great window on possible new products from companies, I did get a sense that security and privacy did not get the air time they deserve. I attended many of the security sessions and, while interesting, they were more focused on product plugs than real discussions on how to design and build security into a product. It was more “buy my product or platform and you will be secure”. That is a scary proposition, especially when vendor-generated standards are used as a guideline for self-assessment. Let’s be clear folks, vendors have their own best interest at heart, not yours, when it comes to security.

I was also troubled by vendors stating that if customers just pay more they can add security. This is the wrong view from an executive and security perspective. The right view, in my humble opinion, should be: here is what we identified as the threat profile for our products and solutions, and here is how we designed security and privacy into our products and services from day one. Oh, and it did not significantly increase the price of the product!

I really wanted to tell some of the top brass that lawyers are attending ISO security standards meetings globally and are planning to use standards such as those from ISO/IEC SC 27 and IEC 62443 as the baseline for controls that will be expected in IoT solutions. In the event of a compromise or data breach and the ensuing lawsuit, these same corporations will be taken to task on how they meet these requirements and controls. So by all means keep working on your vendor association standards, but realize the actual yardstick is the ISO/IEC standards.

On the more positive side of the conference, I really liked that NASA is going out of its way to make software freely available to the community. The breadth of expertise that has gone into some of this software is quite remarkable. I was also really impressed with the Samsung Artik HW and platform and how far it has developed in a short time. It really is making its mark as a contender in the IIoT, smart cities and power generation sectors. I even signed up for the developer program and plan to buy some of the dev boards so we can start evaluating this platform for some of our projects. Other notable things were the use of embedded tags and sensors on products, and how to test just about every component being designed and built. If you are in Santa Clara next year, I recommend that you attend the vendor exhibit to see all the development and new products. It would have been good to see Apple and other product companies show where they are going in these areas, but I will keep my fingers crossed for next year.


What does the WikiLeaks announcement mean to you?

I doubt you missed it, but this week WikiLeaks announced some very serious allegations on how vulnerabilities are being used by government agencies to compromise devices and then use those devices to listen to conversations and capture all data from them. Do I have your attention now?

If you have one of the following, pay attention:

a. An iPhone
b. An Android phone and/or based device (this category is very wide)
c. Windows
d. Smart TV
e. Home IoT devices
f. Fake versions of security software from McAfee, Kaspersky, and Sophos

The list goes on and on. This truly represents a significant precedent: an intelligence organization has infiltrated and created a platform to compromise systems for spying. I for one am not surprised. Why?

1. Many companies do not have SDLCs that include security testing, and those that do only do the minimum required for their particular industry.

2. Many do not threat model or conduct aggressive pen-testing that is required for many of these products.

3. Executives are more inclined to release an insecure product to get revenues than to do the right thing and secure it from the get-go. Go to many startup incubators: they only think about security and privacy when they hit several thousand users or larger companies start asking about their security posture. Many of the folks that fund these start-ups consider security a “patching” problem. They want their money, so get the product to the point where someone is going to pay big dollars for it and we can walk away.

4. Vendors are not required to provide any assurance for their products. This is why IoT in the consumer and business markets is a bounty of compromised or soon-to-be-compromised devices that are used in pivot attacks.

So how do you protect yourself and your organization in this wild west of vulnerable software? Consider the data you collect, store and process, then how it is touched by the known vulnerable products listed above. Now, start to remove your critical data from these platforms until the patches and fixes can be provided. Start asking vendors and service providers those uncomfortable questions:

a. How do you securely test and design your software or solution? Prove it!
b. Do you provide free upgrades and patches for your products?
c. When was the last time you experienced a data breach?
d. How is your source code protected and evaluated against backdoors and compromises?
e. What security training do you provide your staff on a regular basis?
f. What 3rd party evaluations have you had conducted against your products?
g. What is your vulnerability disclosure policy?

The answers to these questions are going to give you a good sense of the security posture of the vendor. If they cannot answer these immediately or have to go and check, walk away! A company that has instilled a culture of security will have these answers available from all members of staff.

Additionally, I would recommend that you stay off public WiFi networks, as these are used to hunt for victims. Stop making it easy for governments to gain access to your devices. This includes corporate confidential and IP data, because they take that too. Harden your device as much as you can and use an IPSec VPN to protect your data in transit. Finally, encrypt all your stored data. If your systems are compromised, you need to have that additional level of protection.


Devs, stop the “bolt-on” syndrome

We believe the companies who develop products and services need to develop a cyber assurance program to ensure their solutions do not lead to “bolt-ons”... yeah, you heard me, “bolt-ons”. Let me explain — we use insecure communications, then use a VPN as a bolt-on to secure it; we use insecure OSes and applications, then use AV as a bolt-on to protect our desktops and PCs; and we do not patch and service our operational systems, and use IPS/IDS as a bolt-on to protect them. Get the point?

We have been using this outmoded approach to security for a long time, and it does not seem to be getting better, but worse. Worse because those organizations that don’t use the bolt-ons are making it ugly for the rest of us when their systems are compromised and used to attack our systems.

How do we fix this mess? At the cusp of all things computerized is software. We need to become obsessed with safe and usable software and applications. We have to stop accepting licenses to use a product that is built to make people lots of money with little regard for users’ well-being. Stop expecting your software to fail and expose your business and your children. Think of it this way... if your car failed as much as your OS or applications, would you buy that car again? Probably not, and you would light up social media channels with why not... so why give money back to the same developers who exposed your data in the first place? Or why give money to someone who did not perform basic security or privacy testing for an application?

Help stop the bolt-on effect. Be selective about your software providers. Ask them the tough questions on how they perform security testing and ensure that vulnerabilities are reduced to a minimum. Then have them prove it! Take a peek at how many CVEs have been reported against them. This includes your mobile apps. You might be surprised to learn that the folks who develop these apps have little to no formal software training, yet collect and store your confidential and proprietary data — how safe do you feel now?


Our Approach to Security is All Wrong

When I look at the time, money and resources used to protect digital assets, I start to wonder, as many executives do, when we are going to see a turning point or an ROI.

While the problem is complex, I believe the lowest common denominator is software, and more specifically the lack of time we spend testing and analyzing it prior to shipment. With many companies in a race to get to market, security and privacy are always the last things considered. Many believe they get in the way of productivity. If you want to see a disaster happening, look at all the IoT solutions built with little consideration for security and privacy. Then consider all the data breaches that have happened recently. Many of these data breaches were the result of someone taking advantage of bad code to get access using an insider.

As we continue to develop substandard code, we then spend billions on security technologies in an attempt to protect it. It seems crazy when you think about it this way. You cannot protect flawed software; it is nearly impossible, because without user training and detection systems there is no one to deal with the signs that a system has been compromised.

I also look at how, over 20+ years, the expectations of software developers have changed considerably. When I first started my career I did LOTS of programming. We did not have the Internet to provide us with code samples; we had to learn the language and its nuances. We also had constraints on HW given the cost of memory and systems back in the day. You had to write good, clean code.

Today, when many developers hit a snag they will search Google and perform a CTRL-C + CTRL-V... problem fixed. In the old days we used to have structured walk-throughs and spend more time in design to figure out the code logic. Today, programmers will use 3rd party libraries and SDKs without any consideration of the security implications. Specifically, where did it come from and who has touched it?

So how do we fix this mess? Well, with small steps and a change in our mindset about how we consider software in our society. Namely, we have to do the following:

  1. Make security part of our companies and organizations. Using an ISMS provides the basis for this regardless of the widget you build. Every company is different and will have to tailor their ISMS to their specific risk profile.
  2. Once done, you need to determine how you build your widget. This requires the use of an SDLC to identify the threats to the widget and how you plan to dispose of all the data that this widget might collect over its usable life. These need to be fully understood prior to ever writing a line of code, and document, document and document. These become auditable elements later in the life of the widget. They also serve as education material for new team members as the team grows and changes.
  3. As the first versions of the widget are created, they need to be evaluated to ensure the identified threats are sufficiently addressed. Spending this time now will save you costs down the road... believe me.
  4. Prior to production release, ensure the widget gets a final assessment to ensure all risks are known, including residual risk(s).
  5. When the widgets are in the field they need to be monitored for signs that they have been targeted for compromise. The process for this would have been created under your ISMS and will drive how your organization handles these reports.
  6. If issues are reported it is important to evaluate them and, if deemed relevant, address them as soon as possible. If you designed your widget correctly it will have a method to perform in-field updating. This includes notifying users of the update.
  7. At this point, you just need to repeat this process for every revision of the widget. As the company changes you will have to ensure the ISMS is updated to deal with the growing nature of your business operations.

Only by addressing the current approach to software development can we reduce the current risk landscape for all businesses, consumers and governments who use this vulnerable software. Vulns that are found and not disclosed are the nuggets that the digital underground uses to prosper. Fixing software will help reduce the targets, so your widget is not targeted but your competitor’s is. Let a secure, cost-effective widget be your competitive advantage.


Are you a good data custodian?

Due to the increased number of breaches lately, it makes me think that companies large and small need to re-think the data they collect and store at a different level, or even from a strategy perspective. Clearly many don’t until it is too late.

As we have learned from previous industries such as forestry and fishing, good husbandry and management are key to operating longevity. Data, and now big data, are no different. We must learn and accept that data is the DNA of our businesses. With that in mind we must consider what data is being collected and its lifecycle.

Some of the keys to a good data custodian program are:

  1. Understanding what data is collected and how it is stored, processed, and destroyed. This can be implemented via a risk assessment process for every project, including the adoption of an ISMS (Information Security Management System).
  2. Setting up systems and networks to monitor for signs of intrusion and even who is accessing your data. Remember CIA principles here and separation of duties for all systems being deployed. Again, part of an ISMS.
  3. Providing training to your staff and making staff aware of these issues. See ISMS.
  4. Policies and procedures. See ISMS.
  5. Discuss and plan for a data breach with legal counsel that understands breaches. While you might deploy every security control to identify and mitigate a breach, one could still occur.
  6. Talk to a PR firm that understands and has dealt with data breaches.
  7. Repeat this process every day that you operate your organization.

While deploying an ISMS is not trivial, your business and customers deserve the protections these systems afford us. The process piece needs management adoption, and management needs to start to adopt a culture of security for their organization. However, if they don’t, a court of law and a class action lawsuit could find them negligent, and that does not benefit anyone involved.


Planning For a Data Breach

Why is it important to be prepared for a data breach? Well, given the recent data breaches, they are the trend these days, but it is more than that. Preparing for a data breach allows businesses to prepare their employees, suppliers and customers so that, in the event of a data breach, they are better positioned to deal with the situation.

While a class action lawsuit may result from a breach, having a good, well-thought-out data breach playbook will reduce the potential payout by the company. Ensure you have adequate insurance in place to deal with the bills... there will be many of them. You also want to do everything in your power not to show negligence.

Some specific aspects that will get you prepared include:

  • Developing and testing a Breach Playbook
  • Retaining a law firm with experience in data breach
  • Retaining a PR firm with expertise in crisis management
  • Purchasing cyber security insurance fit to the data being retained
  • Conducting RAs to determine where critical data resides
  • Keeping the contact details of a data forensics expert in your address book

Being prepared is your best chance of success. Each member of your staff should know their role and responsibility, and make sure that every detail of a post-breach assessment is documented every 6 minutes. Why? You will need these details for litigation later on and to ensure the process is making progress. The executive and PR team can determine the best way to use the updated details of the breach and keep media and shareholders up to date. Remember: being prepared and communicating when it happens is the best course of action.


You have been compromised, now what?

So you just received a notification from either a company, credit agency or government department that your data could have been compromised. First of all, take a deep breath: this is going to take a while to sort itself out, and nothing in this process will be solved quickly, believe me. Second, call the number or contact provided and try to obtain as much detailed information as you can. Get a pen and paper ready to record the details. Some of the questions to ask include the following:

  1. Ask for a contact name and number.
  2. Record the time and date of the call.
  3. Get details on precisely what data they store that was possibly compromised.
  4. Do they know when the breach happened?
  5. Are they going to provide any support services for credit monitoring or identity theft?
  6. Was the data insured against data breach?
  7. When can you expect a final report on the possible data that has been compromised?

Next Steps:

  • If your data was financial related, I would demand that your credit and accounts be monitored for unauthorized usage, and the related costs should be covered by the breached organization.
  • If the breached organization provides strong authentication for web services, I would ensure that you sign up for it.
  • Change passwords for any web service that only uses a simple login solution. Or better yet, if you don’t need the service, terminate it immediately and use another company with similar services. Ask the provider to delete all your remaining data and/or remove your account. If they refuse, see the next bullet.
  • Talk to a lawyer who specializes in data breach and discuss whether this was caused by negligence on the part of the breached organization and whether you can pursue damages.

Going forward, before giving any organization your hard-earned $$$$’s, make sure you ask questions on what data they store and how it is kept secure. If they cannot provide an answer, or provide one that lacks detail, find another provider. As data owners we need to start demanding this of both businesses and our government.

Your personal data is like digital diamonds: organizations and criminals want to profit from it. This includes social media organizations who monetize your data by selling it to retailers and advertisers, and criminal groups who use your identity to conduct malicious activity, since you attract less attention than they would.

Consumers and businesses need to realize this new reality and ensure that, where data is being shared, many questions are asked before that data is released. Once it is compromised, it is gone and you will not get it back.