Cybersecurity and the Cloud Multiplier Effect

Jul 11, 2014   //   by admin   //   Blog

RFG Perspective: While corporate boards grapple with cybersecurity issues and attempt to shore up their defenses, the inclusion of cloud computing models in the equation is increasing their risk exposure levels. Business and IT executives should work together to aggressively establish processes, procedures, and technology that will minimize risk exposures to levels deemed acceptable. Additionally, senior executives and Boards of Directors need to play a more active role in the accountability and governance of cybersecurity by discussing and addressing challenges, issues and status at least quarterly.

An article on the front page of the Wall Street Journal on June 30, 2014 discussed corporate boards racing to shore up cybersecurity. It alluded to a number of corporate boards waking up to cyber threats and worrying that hackers would steal company know-how and intellectual property (IP). In the first half of 2014, 1,517 NYSE- or NASDAQ-traded companies listed in their securities filings references to some form of cyber attack or data breach, almost a 20 percent increase from the previous year. In all of 2013, 1,288 such filing comments were made, whereas in 2012 only 879 companies reported cyber statements. This is good and bad news: good that cybersecurity is getting CEO and Board attention, and bad in that executives are belatedly waking up to an endemic problem.

Fiduciary Responsibility

The Board and CEO have a fiduciary responsibility to shareholders to protect the company's assets from undue risks. It is not something that can be assigned and then ignored. Yet that is what has happened at many companies over the years. They must be involved in cybersecurity governance and decision-making on an ongoing basis and not shunt it off to Chief Risk Officers (CROs), Chief Security Officers (CSOs or CISOs) and/or IT executives. CEOs and other senior executives should also ensure privacy and security programs are aligned with each business unit's requirements and that the risk probability and exposures are reasonably known and reduced to an acceptable level. It is important that all parties understand that zero security risk is no longer possible (nor would the expense be worth it if it were attainable); what matters is to agree upon what level of risk exposure is acceptable, budget for it, and implement initiatives to make it happen.

At the Board level there should be a risk committee that is responsible for all risk management, including cyber risk. Moreover, best practices suggest Boards should, as a minimum, address the following five areas:

  • regularly review and approve top-level policies on privacy and IT security risks
  • regularly review and approve the roles and responsibilities of lead personnel responsible for privacy and IT security
  • regularly review and approve annual budgets for privacy and IT security programs, separate from IT budgets
  • regularly review and approve cyber insurance coverage
  • regularly receive and act upon reports from senior management regarding privacy and IT security risk exposures.

These efforts can be done by the full Board or by a risk committee that reports to the Board. Some Boards may have assigned this role to the audit committee but, while it is good that it is addressed, it is not a perfect fit.

Cloud Multiplier Effect

In June the Ponemon Institute LLC published a report on the cloud multiplier effect. The firm surveyed 613 IT and IT security practitioners in the U.S. that are familiar with their companies' usage of cloud services. The news is not good. Because most respondents believe cloud security is an oxymoron and certain cloud services can result in greater exposures and more costly breaches, the use of cloud services multiplies the breach costs by a factor between 1.38 and 2.25. The top two impacts are from cloud breaches involving high value IP and the backup and storage of sensitive or confidential information, respectively. Most respondents believe corporate IT organizations are not properly vetting cloud platforms for security, are not proactively assessing information to ensure sensitive or confidential information is not in the cloud, and are not vigilant on cloud audits or assessments.

Moreover, disturbingly, almost 75 percent of respondents believe their cloud services providers would not notify them immediately if they had a data breach involving the loss or theft of IP or business confidential information. Almost two-thirds of those surveyed expressed concern that their cloud service providers are not in full compliance with privacy and data protection laws – and this is in the U.S. where the rules are less strict than the EU. Furthermore, respondents feel there is a lack of visibility into the cloud as it relates to applications, data, devices, and usage.

Summary

Boards, CEOs and senior non-IT management need to become more aware of their cybersecurity exposures and actively participate in minimizing the risks. IT executives, on the other hand, need to present the challenges, status and trends in a more business, less technical manner, including recommendations, so that the other executives can appreciate the issues and authorize the appropriate actions. As the Ponemon study shows, the challenges go beyond the corporate four walls into clouds they have no control over. IT executives need to become involved in the selection and vetting of cloud services providers. Furthermore, business and IT executives must work together and build strong governance practices to minimize cybersecurity risks.

RFG POV: Cybersecurity risk exposures are increasing, and collectively executives are falling short in their fiduciary responsibilities to protect company assets. Boards, CEOs and other senior executives must take their accountability seriously and play a more aggressive role in ensuring the risk exposures to corporate assets are known and within acceptable levels. For most organizations this will be a major cultural change and challenge, and it will require IT executives to proactively step forward to make it happen. IT executives should collaborate with board members, senior executives, and outside compliance services providers to establish a governance methodology that monitors and reports on the risks and provides cost/benefit analyses of alternative corrective actions. Moreover, at a minimum, corporate executives must review the governance materials quarterly, and after critical risk events occur, and take appropriate actions.

More Risk Exposures

Nov 30, 2012   //   by admin   //   Blog

Lead Analyst: Cal Braunstein

Hackers leaked more than one million user account records from over 100 websites, including those of banks and government agencies. Moreover, critical zero-day flaws were found in recently-patched Java code, and a SCADA software vendor was charged with default insecurity, including a hidden factory account with a hard-coded password. Meanwhile, millions of websites hosted by the world's largest domain registrar, GoDaddy.com LLC, were knocked offline for a day.

Focal Points:

  • The hacker group, Team GhostShell, raided more than 100 websites and leaked a cache of more than one million user account records. Although the numbers claimed have not been verified, security firm Imperva noted that some breached databases contained more than 30,000 records. Victims of the attack included banks, consulting firms, government agencies, and manufacturing firms. Prominent amongst the data stolen from the banks were personal credit histories and current standing. A large portion of the pilfered files comes from content management systems (CMS), which likely indicates that the hackers exploited the same CMS flaw at multiple websites. Also taken were usernames and passwords. Per Imperva: "the passwords show the usual '123456' problem. However, one law firm implemented an interesting password system where the root password, 'law321', was pre-pended with your initials. So if your name is Mickey Mouse, your password is 'mmlaw321'. Worse, the law firm didn't require users to change the password. Jeenyus!" The group threatened to carry out further attacks and leak more sensitive data.
  • A critical Java security vulnerability that surfaced at the end of August leverages two zero-day flaws. Moreover, the revelation comes with news that Oracle knew about the holes as early as April 2012. Microsoft Corp. Windows, Apple Inc. Mac OS X and Linux desktops running multiple browser platforms are all vulnerable to attacks. The exploit code first uses one vulnerability to gain access to the restricted sun.awt.SunToolkit class before a second bug is used to disable the SecurityManager and ultimately break out of the Java sandbox. Those who have left unpatched the vulnerabilities behind the so-called Gondvv exploit, which were introduced in the July 2011 Java 7.0 release, are at risk since all versions of Java 7 are vulnerable. Notably, older Java 6 versions appear to be immune. Oracle Corp. has yet to issue an advisory on the problem but is studying it; for now the best protection is to disable or uninstall Java in Web browsers.
  • SafeNet Inc. has tagged a SCADA maker for default insecurity. The firm uncovered a hidden factory account, complete with hard-coded password, in switch management software made by Belden-owned GarrettCom Inc. The Department of Homeland Security's (DHS) ICS-CERT advisory states the vendor's Magnum MNS-6K management application allows an attacker to gain administrative privileges over the application and thereby access to the SCADA switches it manages. The DHS advisory also notes that a patch issued in May removes the vulnerability; however, the patch notice did not document the change. The vendor claims 75 of the top 100 power companies as customers.
  • GoDaddy has stated that the daylong DNS outage that downed many of its customers' websites was not caused by a hacker, as the supposed perpetrator claimed, and that the service interruption was not the result of a DDoS attack at all. Instead, the provider claims the downtime was caused by "a series of network events that corrupted router tables." The firm says that it has since corrected the elements that triggered the outage and has implemented measures to prevent a similar event from happening again. Customer websites were inaccessible for six hours. GoDaddy claims to have as many as 52 million websites registered but has not disclosed how many of the sites were affected by the outage.
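The password scheme Imperva describes in the first focal point (a fixed root password with each user's initials pre-pended) is exactly the kind of pattern a defender triaging a leaked credential dump, or auditing their own password store, should detect mechanically rather than by eye. The following is an added example and not code from the post or from Imperva; it generalizes the observation by recovering the shared root from the records themselves instead of assuming "law321". The sample records and names are constructed, and the `min_share` threshold is an assumed tuning value.

```python
"""Audit a (constructed) dump of user records for a scheme-derived password:
a fixed root password pre-pended with the user's initials, as in 'mmlaw321'."""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed sample dump for illustration; names and passwords are invented.
SAMPLE_RECORDS: List[Tuple[str, str]] = [
    ("Mickey Mouse", "mmlaw321"),
    ("Donald Duck", "ddlaw321"),
    ("Minnie Mouse", "mmlaw321"),
    ("Daisy Duck", "ddlaw321"),
    ("Goofy Goof", "gglaw321"),
    ("Pete Black", "123456"),       # the "usual 123456 problem"
    ("Clara Cluck", "Tr0ub4dor&3"),  # not derived from any shared root
]

COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty"}


def initials(full_name: str) -> str:
    """Lower-case first letter of each name part: 'Mickey Mouse' -> 'mm'."""
    return "".join(part[0] for part in full_name.split() if part).lower()


def shared_root(records, min_share: int = 3) -> Optional[str]:
    """Strip each user's initials from the front of their password and return
    the remainder shared by at least `min_share` accounts (assumed threshold),
    or None when no root is common enough to count as a scheme."""
    roots: Counter = Counter()
    for name, pw in records:
        ini = initials(name)
        if ini and pw.lower().startswith(ini) and len(pw) > len(ini):
            roots[pw[len(ini):]] += 1
    if not roots:
        return None
    root, count = roots.most_common(1)[0]
    return root if count >= min_share else None


def audit(records) -> Dict[str, str]:
    """Classify every account as 'common' (well-known weak password),
    'scheme' (initials + recovered shared root) or 'ok'."""
    root = shared_root(records)
    findings: Dict[str, str] = {}
    for name, pw in records:
        if pw in COMMON_PASSWORDS:
            findings[name] = "common"
        elif root is not None and pw == initials(name) + root:
            findings[name] = "scheme"
        else:
            findings[name] = "ok"
    return findings
```

Accounts flagged "scheme" or "common" are the ones to force-reset first, and a recovered root is evidence that the provisioning process, not the individual users, is the defect to fix.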

RFG POV: Risk management must be a mandatory part of the process for Web and operational technology (OT) appliances and portals. User requirements come from more places than the user department that requested the functionality; they also come from areas such as audit, legal, risk and security. IT should always ensure those inputs and requirements are met. Unfortunately this "flaw" has been an IT shortfall for decades, and it seems new generations keep perpetuating the shortcomings of the past. As to the SCADA bugs, RFG notes that not all utilities are current with the Federal Energy Regulatory Commission (FERC) cyber security requirements or updates, which is a major U.S. exposure. IT executives should be looking to automate the update process so that utility risk exposures are minimized. The GoDaddy outage is one of those unfortunate human errors that will occur regardless of the quality of the processes in place. But it is a reminder that cloud computing brings with it its own risks, which must be probed and evaluated before making a final decision. Unlike internal outages, where IT has control and the ability to fix the problem, users are at the discretion of outsourced sites and the terms and conditions of the contract they signed. In this case GoDaddy not only apologized to its users but offered customers 30 percent across-the-board discounts as part of its apology. Not many providers are so generous. IT executives and procurement staff should look into how vendors responded to their past failures and then ensure the contracts protect them before committing to use such services.