Improving Technical Security Privacy

What India's Banking Industry Breach Can Teach Us About the Importance of Collaboration

Towards the end of October 2016, several Indian banks announced they would be recalling millions of debit cards in the wake of a data breach that affected the backend of software that powered an ATM network there.

It was a situation that could have been better mitigated; a government-sponsored organization tasked with sharing information about data breaches completely missed the warning signs that a breach was taking place. As a result, no one connected the dots until millions of fraud cases had been detected.

Raj Singh, Regional Bureau Director for the Asia-Pacific region, Internet Society, recently gave me his insights into the lessons that organizations in all industries can learn about mitigation from this incident, as well as how to overcome barriers that prevent collaboration, which is vital to mitigation efforts.

Information Sharing and Collaboration: The Keys to Successful Mitigation

Data breaches are all too prevalent nowadays. “Hackers will always try to find a weakness in the system,” Singh asserted. While organizations should continue their efforts to prevent such breaches, they must also have a mitigation strategy in place to offset the disastrous effects of cyber crime.

In the case of the Indian ATM data breach, the Information Sharing and Analysis Centre (ISAC) established by the Indian government failed to detect the breach in time because each compromised debit card was flagged as a case of fraud rather than the result of a cyber attack. Before this incident, banks bore the responsibility of tracking and handling fraud cases. No one raised an alarm until millions of debit card customers complained of fraudulent charges.

Singh pointed out that the situation could have been managed much better “if people had realized that hacks and breaches have multiple dimensions.” If ISAC had treated each case of debit card fraud as a cyber crime, a pattern would have emerged much sooner. When the Indian government founded ISAC, no one considered the possibility that credit and debit cards were so vulnerable to hackers. “People are focused on the door when the hacker is coming in through the window,” Singh added.

In general, the finance industry has some strong information sharing mechanisms in place that have a good reputation for mitigating the impact of data breaches. Singh noted that Singapore’s Association of Banks (SAB) and the global Financial Services – Information Sharing and Analysis Center (FS-ISAC) are two examples of organizations that enable members to share news of threats so that others can attempt to prevent or at least mitigate attacks.

It’s becoming abundantly clear that information sharing and collaboration must take place outside of the finance industry, too. The EU’s Agency for Network and Information Security (ENISA) published a report at the end of December 2015 about the importance of information sharing and collaboration in prevention and mitigation of cyber attacks for all industries. In the Obama administration’s final cybersecurity report, released at the beginning of December 2016, researchers stressed how crucial it is that the private sector and the public sector share information to prevent mass cyber attacks from taking place.

Easier Said than Done: Barriers to Information Sharing and Collaboration

Making recommendations and even being a member of an information sharing network still isn’t enough to keep incidents such as the one in India from unfolding. Singh observed that barriers hamper vital collaboration between firms and organizations that would otherwise counter or at least mitigate the consequences of a cyber attack.

For a start, SAB and FS-ISAC only share information with members. So, if your company doesn’t operate within the finance industry, you don’t have access to details of threats submitted by SAB or FS-ISAC members.

Secondly, Singh observed that businesses tend to be quite competitive and hesitant to share information about any possible weakness. Yahoo is a recent example of just such a company. In 2014, hackers stole encrypted passwords and personal data from over 500 million accounts. It took Yahoo over two years to uncover the breach and disclose it. Users responded by threatening to shut down their accounts. American senators expressed their dismay at Yahoo’s slow detection and response to the attack. After disclosing the breach, the value of Yahoo’s stock fell three percent.

Another barrier to information sharing and collaboration is the “it can’t happen here” mindset. “There’s a lack of empathy and understanding,” Singh explained. Businesses might say, “Oh, a data breach hit a bank. We’re not in the banking sector, so we don’t need to worry about something like that affecting us.” While some businesses in industries outside of finance might pay attention, others won’t because they haven’t been hit by hackers yet, or they’re unaware that they’ve been attacked. Of course, that mindset leads to firms falling prey to hackers. “A data breach can happen anywhere, anytime,” Singh emphasized.

Overcoming the Hurdles to Improve Breach Mitigation

Singh doesn’t view these burdens as insurmountable. He believes that organizations can improve collaboration and information-sharing efforts in order to mitigate breaches.

One of the first steps is stronger regulations and enforcement of existing rules on data breach disclosure and data sharing. “From what I hear, everyone says that they’re talking to each other and working with each other,” Singh remarked. “But that’s taking place at conferences. What’s happening on the ground?” He added that self-regulation is unreliable, because of the competitive nature of business and the desire to be seen as strong and invulnerable. Although many countries have enacted personal data protection laws, they don’t seem to be powerful enough to force companies to collaborate so that incidents such as the one in India don’t take place again.

As consumers share more information with organizations, and those organizations rely on interconnected digital systems that are prone to breaches, the risk for hacks will only continue to rise. When businesses work together and treat information on data breaches as something to be disclosed rather than a closely guarded secret, they have the power to better protect their customers and keep their reputations (and profits) intact.

Editor’s note: For more on data breaches and their impact, please see the Internet Society’s 2016 Global Internet Report.


Dan Geer Revisits 2014 BlackHat Recommendations: More Industry Recognition of the Problem, Much Left To Do

Computer security analyst and risk management specialist Dan Geer used his keynote at the Black Hat conference in 2014 to make 10 policy recommendations for improving the state of cybersecurity. Among his suggestions: mandatory reporting of cybersecurity failures, product liability for Internet service providers and software companies, and off-the-grid alternative control mechanisms for increasingly Internet-reliant networks like utility grids and government databases.

I caught up with Geer for an update on his proposals, and his views on the current state of cybersecurity.

First, let’s talk about your policy recommendations for making the digital world safer. Have you seen any progress on any of these fronts?

Not in the concrete sense of here’s a law, or here’s a dollar or here’s a new organization, but in the sense there is broader recognition that we actually have to do something. This isn’t just a bunch of ninnies complaining. We have to do something.

The sensitivity to all of this is getting higher. I hope that doesn’t result in panic or doing something silly, which could happen. I hope instead that the reaction is more, “you’re right, we really have to do something substantial.”

Can you point to some examples of this broader recognition?

If you look at the topics that are discussed at meetings that are not academic meetings, more and more of them have a policy flavor, and only a small number still that “here’s a technological nicety that’s really cool.” Again, I take that as a marker in time, as a change in opinion, as to whether the threats are real or not.

Also, just as we thought that some banks were too big to fail, I think we have to think about things on the Internet that are too connected to fail. That idea is beginning to get a little play. For instance, there is a bill in the U.S. Senate, The Securing Energy Infrastructure Act (S.B. 3018), that argues that electric systems need to have, at least in part, analog not digital controls. Like a fire line or firebreak, where a failure can’t jump from this point to that. I think the very idea that a sitting senator would introduce something talking about the need for non-digital controls on the grounds of resilience is indicative of minds coming around.

You also call for mandatory reporting of security breaches. Is there any progress being made on that front and why do you think that is important?

It’s going to happen and I think it’s going to happen for public companies first. The Securities and Exchange Commission has been ramping up its rule-making in this area for a couple of years now. The issue goes to materiality and what do I have to tell my stockholders. Cyber failure has clearly become material. And things related to it that are secondary, like loss of trade secrets and customer data, have become material.

Most of your recommendations focus on organizations and companies. Where do consumers fit into this and the liability issues of cyber failures?

It’s getting harder for consumers to avoid being recruited into problems. There was a recent example of closed-circuit televisions that were recruited for a giant distributed denial of service attack. Consumers are not in a position to prevent what they own being used as a weapon against someone else. If my car is stolen and is used in a bank robbery, I probably won’t face any repercussions. If my handgun is stolen and used in a bank robbery, I might, especially if I left it on the front porch. Where is the line for computers? Probably closer to the automobile. But on the other hand, Internet service providers have to take some responsibility. If they want dumb clients then it’s their problem.

We have seen some big companies report massive breaches recently, albeit quite a while after the fact. Do you think more are stepping up on their own to announce security breaches, or are they only coming out when they are forced to?

According to the Data Breach Investigations Report from Verizon, 80 percent of data breaches are discovered not by the victims but by someone else. That is important, and it hasn’t changed. If people don’t report cyber failures then you are encouraging silent failure – silent in the sense that you discover there has been a cyber invasion and you repair it but don’t tell anyone. I am sympathetic, but I’m afraid you’re going to have to tell. It’s like driving off the end of a bridge and not telling anyone. And silent failure is the problem we have more of than anything else. Silent failures often are gateways or stair steps to other failures.

So it is essential that we get a handle on this kind of thing. In the medical world, you have medical privacy unless you have a disease that is too important. If you show up with the plague, that’s a big deal. Sorry about your medical privacy, but we have to notify all sorts of people.

Some people may object to that, and they may have an argument of principle, but they don’t have an argument of logic.

That same logic should apply in cyber space. As the definition of a material event changes, like you lost all your client data or accidentally shipped something that had malware in it, those things all have to be reported.

I am not sure how to make that pleasing for all concerned. It’s one of those things that it’s a bad solution but I don’t have a better one.

You run the Index of Cyber Security which regularly polls those on the front line about the state of cybersecurity. What are some of the trends you are seeing?

A steady increase in risk more than anything else, but other things as well. Three years ago, we asked what fraction of the security tools that the respondents are using now would they install again if starting from scratch. Three years ago, they expressed buyer’s remorse for about a third. This year buyer’s remorse had grown to half. So, my reading between the lines is “I am buying one of everything and my unhappiness is growing.”

Another thing that I think is quite fascinating is that the size of data breaches seems to be on a curve known as power law, an interesting kind of curve that says in effect the biggest one you’ve ever seen to date will be eclipsed by a bigger one but bigger in a certain substantial kind of way. That is what is happening and while we are talking, just such a report (from Yahoo) has appeared.

To quote Nassim Taleb, “We are undergoing a switch between continuous low grade volatility to the process moving by jumps, with less and less variations outside of jumps.” Using a forest fire analogy, if there are no little forest fires, then eventually you will get a whopper. In the woods, that is due to a buildup of combustible timber. On the Internet, that is due to a buildup of unwarranted trust and dependence.



'Security Fatigue' Complicates the Battle Against Data Breaches

With the news of a second, even bigger hack of Yahoo user data, common sense might conclude that consumers would be scurrying to batten down their Internet hatches. But a new study indicates otherwise, concluding that “security fatigue” has made many of us numb to the dangers lurking in cyberspace.

“Users are tired of being overwhelmed by the need to be constantly on alert, tired of all the measures they are asked to adopt to keep themselves safe, and tired of trying to understand the ins and outs of online security,” a team from the U.S. National Institute of Standards and Technology concluded in an article for IT Professional, which is published by the IEEE Computer Society. “All of this leads to security fatigue, which causes a sense of resignation and a loss of control.”

The study by Brian Stanton, Mary F. Theofanos and Susanne Furman, all of NIST, along with independent consultant Sandra Spickard Prettyman, concludes that many users have indeed reached this saturation point.

So, the announcement in December by Yahoo that it has identified another security breach, from 2013, that compromised passwords, birthdays and other personal information from more than 1 billion accounts, will likely do little to bolster Internet security – at least among average users.

In fact, with the rise of mobile, the Internet of things and the continued linking of just about everything in our personal and professional lives to global networks, the study underscores what many have long warned will be a growing number of increasingly bigger security breaches, from distributed denial of service, or DDoS, attacks, to hacks of retail, banking, healthcare and other sites that we freely share our personal information with on a daily basis.

The report is based on an analysis the authors did of a larger 2011 study of average computer users in the Washington, D.C., area and in Central Pennsylvania.

Although that original study did not specifically address security fatigue, the authors say they began to notice “many indicators in which fatigue surfaced as participants discussed their perceptions and beliefs about online privacy and security.”

After recoding the data, they said, security fatigue surfaced in 25 of 40 interviews, and was one of the most consistent codes among the dataset.

“I think I am desensitized to it,” one respondent is quoted as saying. “I know bad things can happen. You get this warning that some virus is going to attack your computer, and you get a bunch of emails that say don’t open any emails, blah, blah, blah. I think I don’t pay attention to those anymore because it’s in the past. People get weary of being bombarded by ‘watch out for this or watch out for that.’”

The authors said the data shows participants often don’t feel personally at risk, or assume they are not important enough for anyone to care about stealing their information. They highlight several comments in which they say the “frustrated tone, minimization of risk and devaluating of information is evident.”

“It doesn’t appear to me that it poses such a huge security risk,” one wrote. “I don’t work for the state department, and I am not sending sensitive information in an email. So, if you want to steal the message about (how) I made blueberry muffins over the week, then go ahead and steal that.”

Another wrote: “If someone needs to hack into my emails to read stuff, they have problems. They need more important things to do.”

What many of the respondents apparently don’t realize is that while their personal communications and information may be of little value to hackers and cyber thieves on their face, their lax security practices enable the bad guys to hijack their computers and networks and use them in broader attacks, such as DDoS attacks that can cause huge crashes across the Internet.

So what can the IT community do? The researchers said it’s time to “rethink the way we currently conceptualize the public’s relationship to cybersecurity.”

They make three specific recommendations:

(i) limit the decisions users have to make related to security,
(ii) make it easier for them to do the right thing and
(iii) provide consistency whenever possible.

For example, in the workplace, they suggest offering different ways for users to log into the system, including an option between a traditional user name and password or the use of a personal identification and verification card.

“As IT professionals, it is our responsibility to take up this challenge and work to alleviate the security fatigue users experience,” they write.

“…We must also continue to investigate users’ beliefs, knowledge, and use of cybersecurity advice and the factors, such as security fatigue, that inform them, so we can ultimately provide more benefit and less cost for adopting cybersecurity advice that will keep users safe online.”

In other words, improving online security is going to require a concerted effort to not only educate computer users about the need to follow security guidelines, but also provide them much easier ways to keep their data safe on an ongoing basis.



New Study Reveals More Than 200 Mobile Sites/Apps are Exposing Sensitive Consumer Information

The Wandera 2017 Mobile Leak Report, a global analysis of almost 4 billion requests across hundreds of thousands of corporate devices, found more than 200 mobile websites and apps leaking personally identifiable information across a range of categories – including those that are essential for work.

Most notably, the study revealed:

  • More than 59 percent of all the leaks identified were from just three categories: news and sports, business and industry, and shopping.
  • Among the leaking mobile sites and apps were well-known names such as ESPN Fantasy Rugby, Fox Sports and Royal Mail.
  • A vast majority of leaks included sensitive information such as email/username (90 percent) and password/hash (86 percent).
  • 80 percent of the top 50 adult sites were leaking some form of PII.

I spoke with Michael Covington, vice president of Product at Wandera, about the report and what it means for both businesses and consumers.

What is the Mobile Leak Report?

The Mobile Leak Report is a summary of research that uncovered more than 200 well-known and reputable digital services responsible for exposing sensitive consumer and enterprise information. These “data leaks” are particularly relevant to mobile users because the primary culprits were apps and mobile-tailored websites that failed to protect the sensitive information as it was in transit.

In your opinion, what was the biggest “take away” from this report?

For me, the biggest take away from the report is a realization of how critical end-to-end visibility can be when assessing security risk. Most organizations have no visibility at the data level of how a corporate mobile device is being used. Simply understanding the risks is an essential first step to plugging the holes.

I’m fairly confident that most users assume mobile apps and websites will protect their sensitive information; sadly, this report shows that those assumptions are flat out wrong. We found that these 200+ leaks were coming from devices in more than 20 countries that were using apps, websites and mobile websites – it seemed that no one was spared.

The information at risk included credit card details, dates of birth, addresses, home phone numbers and passport information. Overall, it was a staggering amount of detailed information that was being exposed.

Without some end-to-end visibility that could expose these leaks, most organizations are flying blind and have no idea how much they, or their employees, are exposed.
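The data-level visibility Covington describes amounts to inspecting each request a device makes and asking whether sensitive fields are travelling unencrypted. The following is an added illustration, not Wandera’s code or methodology: it classifies constructed proxy records into the report’s leak categories (email/username, password/hash, and so on) and only treats plain HTTP as a leak; the field names and hostnames are assumptions.

```python
"""Flag mobile traffic records that carry PII over an unencrypted connection.

Added illustration (not Wandera's code): a minimal version of the kind of
data-level visibility the report describes, run over constructed records.
"""
from urllib.parse import urlsplit, parse_qs

# Parameter names mapped onto the report's leak categories. Assumption: a
# real deployment would use a far richer dictionary and content inspection.
PII_FIELDS = {
    "email/username": {"email", "username", "user", "login"},
    "password/hash": {"password", "passwd", "pass", "pwd", "hash"},
    "payment": {"card", "cardnumber", "ccnum", "cvv"},
    "identity": {"dob", "birthdate", "passport", "phone"},
}


def _fields(record):
    """Collect parameter names from the query string and the form body."""
    names = set(parse_qs(urlsplit(record["url"]).query, keep_blank_values=True))
    body = record.get("body", "")
    if body:
        names |= set(parse_qs(body, keep_blank_values=True))
    return {n.lower() for n in names}


def classify_leak(record):
    """Return the leak categories for one record, or an empty list if none."""
    if urlsplit(record["url"]).scheme == "https":
        # Encrypted in transit: not a leak in this model. (A TLS connection
        # with broken certificate validation would still leak, but that is
        # not visible from the URL alone.)
        return []
    present = _fields(record)
    return [cat for cat, names in PII_FIELDS.items() if present & names]


def leak_report(records):
    """Per-category leak counts across all records, like the report's summary."""
    counts = {}
    for r in records:
        for cat in classify_leak(r):
            counts[cat] = counts.get(cat, 0) + 1
    return counts


# Constructed sample records; hostnames are placeholders, not real services.
SAMPLE = [
    {"url": "http://news.example/login", "body": "email=a%40b.test&password=hunter2"},
    {"url": "https://bank.example/login", "body": "username=alice&password=x"},
    {"url": "http://shop.example/checkout?cardnumber=4111&cvv=123", "body": ""},
    {"url": "http://sports.example/scores?team=12", "body": ""},
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(r["url"], "->", classify_leak(r) or "ok")
    print(leak_report(SAMPLE))
```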

What was the most shocking discovery within this report?

In my opinion, the biggest shock contained within this report was the fact that so many mainstream apps were leaking the private information of the users and organizations that trusted them with this data in the first place.

Our research shows that this problem is not isolated to a particular category or service domain. The fact that the data leaks are so broad and span geographies is what I found most disturbing.

With data leaks being so broad, what can be done to mitigate these risks?

First, companies that publish apps and maintain online services should have a security development lifecycle practice that considers security and privacy requirements early in the development process. These same organizations should also be undergoing thorough security audits on a regular basis to ensure that their security requirements continue to be met.

Secondly, companies with mobile users who utilize apps to handle sensitive data need to have tools in place to manage security risk. We have seen several instances where even the official app stores have been plagued by malicious apps, fake apps and apps that simply fail to protect the privacy of sensitive information.

Companies that are embracing mobility must have a plan in place to deal with security issues when—not if—they occur.

What is your advice to consumers on reducing leaks or protecting themselves from these mobile leaks when using their favorite apps?

Enterprise security teams are usually the most organized when it comes to assessing their overall risk exposure, largely due to investment in third-party tools and services to help manage that risk.

For consumers, however, it is difficult because there is no visual cue on an app that indicates when a connection is secured.

Consumers can take some basic steps to help protect themselves. I recommend that mobile end users spend time reviewing app store comments and at least limit their downloads to the official app stores so they can minimize their overall risk exposure.

What other steps need to be taken to address data leaks?

When it comes to data leaks, the biggest change that’s needed is with the publishers and owners of content. Whether you are a major sports news website or a train operator or an online streaming music service, you absolutely must consider security and privacy as part of the transaction with your users.

Time-to-market is important, but rushing an app through the review process or launching a mobile website before it’s been tested is a mistake because it could put your users—not to mention your brand—at risk.
