Tag Archives: cybercrime

What to Learn From an Executive Chef

Howard Karp, a chef at the Waldorf Astoria and instructor at the California Culinary Academy who cooked for four U.S. presidents, once told me the secret of cooking: “It’s all in the technique. There are no shortcuts.”

Exquisite food comes from a highly trained, coordinated and cohesive kitchen operation that involves culinary skills such as slicing, dicing, searing and sautéing. Chef Karp added: “One must also understand the chemistry of cooking.”dwdwdw He explained that the order and manner in which all the ingredients are “introduced to one another” makes all the difference.

Watching him cook a five-course dinner for a small group of us was like watching an artist paint a masterpiece. I never followed a recipe card again.

In my world, risks are a common ingredient and need to be handled just as expertly as the fish, meat and other ingredients that Chef Karp works him magic on. The risks to business ventures include:

  1. Damage to reputation/brand
  2. Economic slowdown/slow recovery
  3. Regulatory/legislative changes
  4. Increasing competition
  5. Failure to attract top talent
  6. Failure to meet customer needs
  7. Business interruption
  8. Third-party liability
  9. Cybercrime/viruses
  10. Property damage

Some organizational risk management programs I’ve seen follow a recipe of sorts that seems to have been passed down from one risk manager to another — but only good wines and spirits improve with age.

Clearly, the prevention of accidents (workforce, property, fleet, customer, etc.) establishes the basis for sustained profitability. So, boards demand that senior management have robust involvement in the organization’s enterprise risk management (ERM) efforts. Risk management departments cannot operate outside the business flow and related decision-making processes. Management silos have no place here. Decisions about risk must be driven across all operational aspects of the organization in a consolidated, standardized fashion to build trust and meaningful partnerships with operations.

But the traditional corporate approach to reducing risks is one clever safety campaign after another. Risk management staff, especially those in workers’ comp, obsess on frequency and severity — cutting the number of claims and reducing reserves and settling claims. Risks are “managed” by things like: compliance enforcement; personal protective equipment (PPE); signs; and those safety contests. Risk management operations are often buried in finance, HR or legal departments.

But these loss controls, from my experience, are no match to the potential losses that may occur under a bureaucratic, disliked supervisor.

Senior management must raise its game and focus on the strategic components of risk, such as: alternative risk financing, market economics, reputational risks and human capital. In turn, management needs to know the true costs in each business unit. Relevant risk factors may be buried in a ream of statistics, but corporate executives need to know if their risk management program is making an impact. How is information collected, managed and disseminated? Are your analytics predictive?

After 38 years of directing risk management, I believe that organizations must embrace what some friends and colleagues are calling a culture of safety (COS). This is the pièce de résistance.

COS involves using embedded risk management teams in each business unit to send signals up and down the corporate ladder that loss control is much more than a motto or simple list of steps to take. COS requires developing loss-control programs that are a product of the DNA of a specific organization. COS builds strong, binding partnerships among business units that allow the development of a platform for data analytics, volatility analysis, forecasting and reporting that allow for continual improvement through ERM/Six Sigma. COS has demonstrated significant savings, in the tens of millions of dollars a year at a single company.

There are five essential stages to a viable culture of safety:

  1. Awareness, repositioning of responsibility and analytics
  2. Cultural sustainability through behavioral economics
  3. Behavioral change through positive observations
  4. Combined service, safety and engagement measures
  5. Extended service, safety and engagement measures to the community

An organization should have a vision to assess knowledge, skills and abilities and work with HR to train employees to bring about new levels of expectations. Old safety methodologies focused on inspectors; audit and regulatory-based decisions; checklists and processes; task completions; and frequency-based decisions. COS, on the other hand, is behaviorally focused using coaches, trainers and outside consultants who partner with teams of employees who are already technically proficient and operational savvy. In addition, key performance indicators (KPIs) can help shape behaviors.

To deploy a viable COS, companies should consider using qualified outside experts as a diagnostic tool to identify and quantify risks using meaningful analytics. Companies need to know how they stack up against the competition. This type of analysis by reputable firms can provide practical insights for senior management and lead to the building blocks for a fine-tuned corporate risk strategy and an enhanced culture of safety.

One such consulting firm, Operant Solutions, inspired me to write this article with stories on risk management successes it presented at the RIMS Western Regional Conference in Lake Tahoe recently. (If you’re interested in getting a copy of the presentation, you can contact Sue Antonoplos at 650-336-3144.)

I am inspired by the words of Julia Child: “Cooking well doesn’t mean cooking fancy.”

How to Keep Malware in Check

Firewalls are superb at deflecting obvious network attacks. And intrusion detection systems continue to make remarkable advances. So why are network breaches continuing at an unprecedented scale?

One reason is the bad guys are adept at leveraging a work tool we all use intensively every day: the Web browser. Microsoft Explorer, Mozilla Firefox, Google Chrome and Apple Safari by design execute myriad tiny programs over which network administrators have zero control. Most of this code execution occurs with no action required by the user. That’s what makes browsers so nifty.

A blessing and a curse

But that architecture is also what makes browsers a godsend for intruders. All a criminal hacker has to do is slip malicious code into the mix of legit browser executable code. And, as bad guys are fully aware, there are endless ways to do that.

Stay informed with a free subscription to SPWNR

The result: The majority of malware seeping into company networks today arrives via infectious code lurking on legit, high-traffic websites. The hackers’ game often boils down to luring victims to click to an infected site, or simply just waiting to see who shows up and gets infected.

So if browsers represent a wide open sieve to company networks, could inoculating browsers be something of a security silver bullet? A cadre of security start-ups laser-focused on boosting browser security is testing that notion. The trick, of course, is to do it without undermining usability.

spike

Branden Spikes, Spikes Security founder and CEO

ThirdCertainty recently sat down with one of these security innovators, Branden Spikes, to discuss the progress and promise of improving Web browser security. Spikes left his job as CIO of SpaceX, where he was responsible for securing the browsers of company owner Elon Musk’s team of rocket scientists, to launch an eponymous start-up, Spikes Security. (Answers edited for clarity and length.)

3C: The idea of making Web browsing more secure certainly isn’t new.

Spikes: Let me break it down by drawing a line between detection and isolation. Browser security has been attempted with detection for many, many years, and it’s proven to not work. McAfee, Symantec, Sophos, Kaspersky and all the anti-virus applications that might run on your computer became Web-aware a while back. They all try to use detection mechanisms to prevent you from going to bad places on the Web.

Then you have detection that takes place at secure Web gateways. Websense, Ironport (now part of Cisco), Blue Coat, Zscaler and numerous Web proxies out there have security features based on the concept of preventing you from going to places that look malicious or that are known to be bad. Well, hackers have figured out how to evade detection, so that battle has been lost.

3C: Okay, so you and other start-ups are waging the browser battle on a different front?

Spikes: When you realize that detection doesn’t work, now you have to isolate. You have to say, :You know, I don’t trust browsers anymore. Therefore, I’m not going to let my stuff interact with the Web directly.” In the past five years, newer products have started to offer browser isolation technology. We’ve taken a very no-compromise approach to isolation technology.

Free IDT911 white paper: Breach, Privacy, And Cyber Coverages: Fact And Fiction

3C: So instead of detecting and blocking you’re isolating, and sort of cleansing, browser interactions?

Spikes: Yes, and much like with detection technology, isolation can exist in either the endpoint or on the network. Some examples of endpoint isolation might be Invincea or Bromium, where you’ve got your sandboxes that do isolation on the endpoint. I applaud all the efforts out there. It spreads the whole gamut from minimal amount of isolation to sandbox technologies built into browsers. There’s quite a bit of investment going into this.

3C: Your approach is to intercept browser activity before it can execute on the worker’s computer.

Spikes: If you come at the problem from the assumption that all Web browsers are fundamentally malware, you can understand our technology. We essentially take the malware off the endpoint entirely, and we isolate the execution of Web pages on a purpose-built appliance. What goes to the end user is a very benign stream of images and sound. There’s really no way for malware to get across that channel.

3C: If browser security gets much better, at least in the workplace, how much will that help?

Spikes: If we successfully solve the browser malware problem, we could, I think, allow for more strategically important things to occur in cybersecurity. We could watch the other entry points that are less obvious. This sort of rampant problem with the browser may have taken some very important attention away from other entry points into the network: physical entry points, social engineering and some of the more dynamic and challenging types of attacks.

Unclaimed Funds Can Lead to Data Breaches

When it comes to privacy, not all states are alike. This was confirmed yet again in the 50 State Compendium of Unclaimed Property Practices we compiled. The compendium ranks the amount of personal data that state treasuries expose during the process by which individuals can collect unclaimed funds. The data exposed can provide fraudsters with a crime exacta: claiming money that no one will ever miss and gathering various nuggets of personal data that can help facilitate other types of identity theft. The takeaway: Some states provide way too much data to anyone who is in the business of exploiting consumer information.

For those who take their privacy seriously, the baseline of our compendium—inclusion in a list of people with unclaimed funds or property—may in itself be unacceptable. For others, finding their name on an unclaimed property list isn’t a huge deal. In fact, two people on our team found unclaimed property in the New York database (I was one of them) while putting together the 50-state compendium, and there were no panic attacks.

Free IDT911 white paper: Breach, Privacy and Cyber Coverages: Fact and Fiction

That said, there is a reason to feel uncomfortable—or even outright concerned—to find your name on a list of people with unclaimed property. After all, you didn’t give anyone permission to put it there. The way a person manages her affairs (or doesn’t) should not be searchable on a public database like a scarlet letter just waiting to be publicized.

Then there’s the more practical reason that it matters. Identity thieves rely on sloppiness. Scams thrive where there is a lack of vigilance (lamentably, a lifestyle choice for many Americans despite the rise of identity-related crimes). The crux of the problem when it comes to reporting unclaimed property: It’s impossible to be guarded and careful about something you don’t even know exists, and, of course, it’s much easier to steal something if you know that it does.

The worst of the state unclaimed property databases provide a target-rich environment for thieves interested in grabbing the more than $58 billion in unclaimed funds held by agencies at the state level across the country.

States’ response to questions about public database

When we asked for comment from the eight states that received the worst rating in our compendium—California, Hawaii, Indiana, Iowa, Nevada, South Dakota, Texas and Wisconsin—five replied. In an effort to continue the dialogue around this all-too-important topic, here are a few of the responses from the states:

— California said: “The California state controller has a fraud detection unit that takes proactive measures to ensure property is returned to the rightful owners. We have no evidence that the limited online information leads to fraud.”

The “limited online information” available to the public on the California database provides name, street addresses, the company that held the unclaimed funds and the exact amount owed unless the property is something with a movable valuation like equity or commodities. To give just one example, we found a $50 credit at Tiffany associated with a very public figure. We were able to verify it because the address listed in the California database had been referenced in a New York Times article about the person of interest. Just those data points could be used by a scammer to trick Tiffany or the owner of the unclaimed property (or the owner’s representatives) into handing over more information (to be used elsewhere in the commission of fraud) or money (a finder’s fee is a common ruse) or both.

This policy seems somewhat at odds with California’s well-earned reputation as one of the most consumer-friendly states in the nation when it comes to data privacy and security.

— Hawaii’s response: “We carefully evaluated the amount and type of information to be provided and consulted with our legal counsel to ensure that no sensitive personal information was being provided.”

My response: Define “sensitive.” These days, name, address and email address (reflect upon the millions of these that are “out there” in the wake of the Target and Home Depot breaches) are all scammers need to start exploiting your identity. The more information they have, the more opportunities they can create, leveraging that information, to get more until they have enough to access your available credit or financial accounts.

— Indiana’s response was thoughtful. “By providing the public record, initially we are hoping to eliminate the use of a finder, which can charge up to 10% of the property amount. Providing the claimant the information up front, they are more likely to use our service for free. That being said, we are highly aware of the fraud issue and, as you may know, Indiana is the only state in which the Unclaimed Property Division falls under the Attorney General’s office. This works to our advantage in that we have an entire investigative division in-house and specific to unclaimed property. In addition, we also have a proactive team that works to reach out to rightful owners directly on higher-dollar claims to reduce fraud and to ensure those large dollar amounts are reaching the rightful owners.”

Protect and serve should be the goal

While Indiana has the right idea, the state still provides too much information. The concept here is to protect and serve—something the current system of unclaimed property databases currently does not do.

The methodology used in the compendium was quite simple: The less information a state provided, the better its ranking. Four stars was the best rating—it went to states that provided only a name and city or ZIP code—and one star was the worst, awarded to states that disclosed name, street address, property type, property holder and exact amount owed.

In the majority of states in the U.S., the current approach to unclaimed funds doesn’t appear to be calibrated to protect consumers during this ever-growing epidemic of identity theft and cyber fraud. The hit parade of data breaches over the past few years—Target, Home Depot, Sony Pictures, Anthem and, most recently, the Office of Personnel Management—provides a case-by-case view of the evolution of cybercrime. Whether access was achieved by malware embedded in a spear-phishing email or came by way of an intentionally infected vendor, the ingenuity of fraudsters continues apace, and it doesn’t apply solely to mega databases. Identity thieves make a living looking for exploitable mistakes. The 50 State Compendium provides a state-by-state look at mistakes just waiting to be converted by fraudsters into crimes.

The best way to keep your name off those lists: Stay on top of your finances, cash your checks and keep tabs on your assets. (And check your credit reports regularly to spot signs of identity fraud. You can get your free credit reports every year from the major credit reporting agencies, and you can get a free credit report summary from Credit.com every month for a more frequent overview.) In the meantime, states need to re-evaluate the best practices for getting unclaimed funds to consumers. One possibility may be to create a search process that can only be initiated by the consumer submitting his name and city (or cities) on a secure government website.

Data Breach Law Could Hurt Consumers

With each passing brand name mega-breach—Home Depot, Target, JPMorgan Chase, Anthem—it becomes ever more urgent for government and industry to get on the same page about how to protect consumers.

Sadly, not all laws are created equal, and there are few better examples of this homespun truth than a would-be federal law currently wending its way through Congress. The Data Security and Breach Notification Act of 2015, in its current form, has a long way to go before it should become the law of the land.

The Data Security and Breach Notification Act of 2015 says it “aims to tackle the nation’s growing data security threats and challenges.” So far, that sounds pretty good to me. The bill was written by Energy and Commerce Committee Vice Chairman Marsha Blackburn (R-TN) and Rep. Peter Welch (D-VT), making it a bipartisan effort. The goal: to implement “a comprehensive plan to help safeguard sensitive consumer information and shield Americans from the harmful consequences of cyber attacks.”

I’ve written elsewhere about the need for a federal breach notification law, so in theory I’m on board. A strong federal law that requires businesses and government entities to inform people that their personal information has been compromised in a data breach can absolutely be a good thing…if it’s done right.

The problem with this proposal is that there are far more effective laws already on the books in several states, and they could be preempted were the bill to pass. If that weren’t bad enough, the proposed bill could also supersede stronger rules already put in play by the FCC with regard to telephone, broadband Internet, cable and satellite user information.

The undermining of better laws is bad, but worse is the way the Data Security and Breach Notification Act of 2015 underscores a continuing failure of our leaders to fully understand the nature of the problems we face in the mare’s nest that is consumer privacy and data security. In a widely publicized survey conducted by the Pew Research Center, “91% of adults in the survey ‘agree’ or ‘strongly agree’ that consumers have lost control over how personal information is collected and used by companies.” Data breaches, and the identity theft that flows from them, have become the third certainty in life. We need a strong federal law, but as I argued in my op-ed about the Data Breach Disclosure Box, any proposed bill that threatens to weaken existing laws has to be challenged, quickly and without equivocation.

Why It’s an Issue

Senior Policy Counsel at New America’s Open Technology Institute Laura Moy eloquently outlined the problems this bill could create in her testimony before the House of Representatives.

In a wide-ranging discussion of the major concerns raised by the bill, Moy pointed out some of the laws that could be preempted. One was California’s Song-Beverly Credit Card Act, which made it illegal to record a credit card holder’s personal identification information during a transaction. Another law in Connecticut outlawing the public posting of any individual’s Social Security number was also named. Both state laws represent solid advances in the realm of data security, and both might be preempted were the bill moving through Congress to succeed.

And here’s the really bad news: they would be two of the less alarming casualties.

The problem with the bill hinges on the way that it tries to separate privacy from data security, but they are inextricably intertwined. This could weaken or even eliminate protections for the many kinds of information – like your email address, for one — that fall outside the bill’s narrow definition of the personal data that is covered. That’s why this matters so much.

As Moy argued during her testimony, “Many laws that protect consumers’ personal information [can] be thought of simultaneously in terms of both privacy and security.” I will go one step further and say that I do not believe it is possible to discuss data security until we have a worst-case scenario definition of what constitutes personally identifiable information in the eyes of an identity thief.

To give an example of the kinds of preemption that are possible here, Florida’s privacy law includes email and a consumer’s username-password combination in its definition of personal information, the logic being that consumers use the same combination for many different login pages, including financial accounts. Eight other states currently mandate the same standard—California, Missouri, New Hampshire, North Dakota, Texas, Virginia and, as of July 1, Hawaii and Wyoming. Under the currently proposed bill, a business would not have to notify you if your email and username-password combination were involved in a breach. Meanwhile, the above kinds of information continue to be highly exploitable data points in an identity thief’s toolkit.

In addition to the exemption of breaches that “only” include email addresses or user login details, the bill is unclear about personal information related to telecommunications, cable and satellite customers, which hinge on a trigger of “authorized access,” and Moy believes it may supersede important protections created by the Communications Act. Most alarming is the prospect of less robust notifications regarding compromised customer proprietary network information (CPNI) – that includes texts, phone calls, every location where you were when you made this or that phone call, your location when you didn’t make a phone call and the location of all your network-connected devices. All this information could be breached, and this proposed law in Congress says you don’t need to know about it. The same goes for what you watch on television, including any items you may have purchased on pay-per-view. All of it could, hypothetically, be out there open to public perusal. Every site you ever visited on line. Every call. Every text.

And what about your protected health information (PHI)? Critics note the bill doesn’t mention it, which at first blush seems like a four-alarm-fire level of non-comprehension. However, whether the product of partisan warfare or common sense, it’s actually a bit of good news. Because it has been entirely carved out here, most forms of PHI actually would still be covered by the notification requirements of the HIPPA/HITECH Act — with a few notable preemptions of existing state law affecting over-the-counter purchases and other health-related items.

Defining Harm

According to the narrow logic of the proposed legislation, a breach of any of the above information will not result in financial damage, which is the reason it isn’t covered. It’s a position easily brushed aside with one mind-blowing word of refutation: extortion. Scam artists have countless tricks up their sleeves, and the onus to anticipate the adaptive nature of crime falls on legislators. A single text or rented video could potentially ruin a person’s life, and fraudsters know that. If the wrong person has access to the above data points—and any of those bytes contain information that might harm you professionally or personally—they most certainly could be used against you for financial gain.

A recent Science study showed that with just a few data points (Instagram posts and tweets) it was possible to re-identify anonymized data about credit card purchases with the unique consumer who made them. While it may seem off the beaten path, the proposed bill, with its narrow definition of what should be covered, would not cover a glitch in Instagram’s code that revealed protected accounts to the public. For the end user unaware that their private posts were viewable, and that those posts could be used to re-identify data that is publicly available, the above hypothetical scenario featuring a “financially harmless” compromise (that revealed every purchase made on an individual’s credit card) could be a life changer—and not for the better.

What we really need in the federal government is someone in a position of authority with the expertise and knowledge to make sure anyone exposed in a breach knows about it, and is informed about the potential fallout as far as current intel permits as quickly as possible. Call this person a Breach Tzar, if you will. Since data-related crimes are often quite ingenious, isn’t it best to err on the side of caution? The fact is that any federal law aimed at protecting consumers from the danger of identity-related crime needs to be best-in-class, and far better than all the existing state laws combined, and, while it should go without saying, it must not supersede stronger existing protections afforded by non-state agencies.

There is still a yawning gulf between what’s been done so far and what needs to happen in the realm of cyber legislation. The protections we deserve are a work in progress, one that the entire constellation of consumer advocates and data-security experts must solve in concert. In the same way that data-related crimes are constantly evolving, we need to get into the habit of responding to the very biggest picture we can imagine.

How the Sony Hack Should Affect You

In the past two years have revealed anything, it’s that every conceivable mode of communication comes with its share of serious privacy and security issues. Email can be hijacked, mail servers can be breached and malware can turn your smartphone into a peepshow. Wikileaks revealed that even our phone conversations are at risk.

That said, don’t panic! It’s highly unlikely anyone is listening to your phone calls. (OK, it’s possible, but you’d have to be incredibly sloppy or unlucky enough to download call-intercepting malware, or targeted by folks who can handle a price tag that hovers north of the $1 million mark.) The more relevant point here is that the big data mills at the NSA that may or may not be crunching your calls don’t care if you’re negotiating the sale of Ford to General Motors, much less if you’ve been naughty or nice – unless you’re a world leader or someone perceived as a threat to America.

So what about the other, more likely ways you may be exposed? There are man-in-the-middle attacks that are fairly affordable for a hacker. There’s malware from friend (hard to spot) and foe (you can’t be alert to every danger every second of the day). It almost seems like the only way to be completely safe from intrusion is to have nothing you wouldn’t want broadcast or skywritten on your smartphone, nothing you wouldn’t want the world to know about in your browser history, not a single text message you want to keep private and no phone calls made or received that you don’t want to share with Dr. Phil and his audience.

Recent news has been nothing less than terrifying. JPMorgan Chase and Home Depot joined the ever-growing list of mega-breach victims. Sony Pictures was gutted, with career-killing emails sent hither and yon, servers erased and trade secrets and intellectual property joyously tossed like flower petals from a float in the Rose Bowl parade. The hack initially stopped the release of “The Interview,” costing the studio millions, and that’s not taking into account future losses associated with class-action lawsuits brought by current and former employees whose personally identifiable information was stolen and published for the world to see, or enforcement actions by various and sundry state and federal regulators. It’s major stuff. And then there were all those other cybercrimes. It all makes for a really uneasy feeling at the workplace.

The trend here is simply too clear: Nothing is sacrosanct, and nothing is beyond reach. And while there may be no way to keep prying eyes out of our email, there is a way to keep the most sensitive information pertaining to your business out of reach. With that thought foremost in my mind, it is, indeed, time to make some serious changes.

Call me old-fashioned, but I think I’d rather take my chances with the government listening to my phone calls. How about you? When I say, “phone call,” I mean literally, like, on the phone-and I say this because, of all the ways we communicate, a landline affords the better shot at privacy and a more secure mode of communication.

The act of getting out of a chair and walking down the corridor to talk to a colleague helps to burn off holiday excesses, builds inter-office rapport and can’t be hacked. Email and text have supplanted the collegial walk-by. There are those who will say that it’s not efficient to pick up the phone. I’m not sure I buy that. Email and text streamline workflow only in theory. Each is just a swipe or click away from the major time-sucks provided by social media. And the interaction that happens without the interference of keystrokes or thumbing a screen provides sparks that just don’t happen in the dynamic-free zone of tit-for-tat correspondence. And again, a face-to-face or headset-to-headset conversation is probably the most secure mode of communication in the post-Sony hack world.

I’m sure it will take some getting used to, but if anyone at my office needs a fast answer from me, I’m going to ask that whenever possible they tap my doorframe or give me a call. Beyond the security considerations, the truth is that I actually like talking to people, and I ultimately learn more about whatever it is we’re talking about. For all their convenience, emails and texts are far from perfect modes of communication. Much meaning is lost when communicating by keystroke. Anyone who’s emailed a sarcastic quip that was taken literally will confirm this.

There are other options. Sony Pictures had to revert to communication via fax during the days following the hack, but faxes leave too much to chance because you never know who’s waiting on the other end of your transmission, and there’s the added possibility that you might dial a wrong number.

If smoke signals weren’t so easy to spot, I’d suggest that route. And while it’s true that you never know when a fake cell tower’s going to roll into your neighborhood, using the phone and having more face-to-face discussions at the office are perhaps the better ways to engage in team building through a group commitment to data security.