The Bad, the Ugly and the Cyber Immoral – Thank you, Uber

Technology, business and morality are not mutually exclusive, but rather fundamentally intertwined into the fabric of how our society operates and will have to increasingly operate in the future. As information about us is leveraged at the very core of modern economies, users have every right to expect a reasonable standard of care when it comes to keeping their personal information secure. And companies have a legal requirement to do just that. Security is far from perfect and we all acknowledge that breaches may still occur. The Uber breach and subsequent coverup displayed not only a disregard for the law, but more fundamentally a disdain for their customers and basic moral responsibility. Uber not only failed to protect the information they were collecting about their customers -- thus causing them potential harm -- but also chose to cover up the breach and subject those individuals to further risk by not meeting their notification responsibilities. There are already a number of class action lawsuits against Uber, alleging the company was negligent in protecting consumer data. That sounds about right. A digital society and economy require the establishment of a reasonable standard of care that ensures basic cyber hygiene practices are maintained...

Hiding Behind the APT Helplessness Defense…Really?

Former Equifax CEO Richard Smith’s congressional testimony was a real WTF moment for many of us who work in the cyber field. Last week, former Yahoo CEO Marissa Mayer testified about Yahoo’s 2013 and 2014 data breaches, leaving us with intentionally vague, if not misleading, statements. Mayer asserted that in both of the breaches, “Russian Intelligence Officers and state-sponsored hackers were responsible for highly complex and sophisticated attacks on Yahoo’s systems.” What we haven’t seen in Yahoo’s case is any further detailing of what these "sophisticated attacks" actually looked like. In cyber, details matter A LOT. We do forensic analysis and read through numerous incident reports, gaining knowledge, identifying patterns and trying to step up our game. We know that all threat actors, including government intelligence services, cyber criminals and hacktivists, readily use common exploits and phishing techniques whenever possible. Why? Because, among other reasons, they're readily available at no cost and make attack attribution harder. In the vast supermajority of breaches, the victims were ultimately compromised by the seemingly simple things. Equifax’s catastrophic breach occurred because they failed to identify and patch a known vulnerability in their Apache Struts implementation for which updates and workarounds...

The Equifax Breach – A Cyber WTF Moment

Now that some time has passed since the news broke on the Equifax breach, we’ve had some time to ascertain the facts, digest what happened and draw some conclusions. It’s taken some time, as for the first few weeks the company slowly doled out bits and pieces of information. For starters, it is not even remotely acceptable for a CEO of a tech company, an information company, or any other company leveraging technology to be clueless about his organization’s cyber exposure and technology risk. Former Equifax CEO Richard Smith’s statement before Congress about the catastrophic breach affecting 145 million Americans was dumbfounding. The company’s willingness to blame the breach on a single engineer not acting quickly enough to patch a known vulnerability can only be characterized as a total face-palm moment. In fact, the whole Equifax explanation is such a long series of face-palm moments that I now have a migraine. Cyber 101 teaches us that security requires people, process and technology. I won’t comment on the people side of this incident, since I don’t know them personally. There are clearly a series of technology failures. How did they operate with a vulnerability scanner that they didn’t know...

Maintain Your &%$#* Systems! A Mantra for IT Professionals in the Wake of Equifax

Once again, we have a basic failure in cyber hygiene causing a massive data breach. This one affects potentially half of the U.S. population and compromises particularly sensitive personal information that can be used by criminals to wreak havoc on people’s bank accounts, credit scores and identities. I’m referring, of course, to the Equifax breach. What I find particularly disturbing is that criminals took advantage of a known vulnerability for which a patch had been available for two months. Let that sink in for a moment -- two months is an eternity of exposure to hostile internet actors when efficient systems management and compensating controls are readily available. In fact, the Tenable team had published this post in March about this particular Apache Struts vulnerability and the availability of Tenable plugins. In an era where companies are continuously updating their software, IT and security teams should be consistently patching bugs and closing vulnerabilities as they are reported. These types of attacks take advantage of the worst and most common habits -- the avoidance of doing something as simple as maintaining good cyber hygiene and patching systems. Cyber criminals don’t need to waste a precious and rare zero-day exploit when they can easily...

Cybersecurity’s role in U.S. trade agreements, starting with NAFTA

We must modernize our trade agreements to incorporate cybersecurity cooperation, and cooperation with our closest neighbors through NAFTA is a good place to start. Cybersecurity is a major global economic force, with spending estimated to reach more than $100 billion by 2018, and more than $170 billion by 2020. North America has the largest cybersecurity market in the world, and the United States accounts for the biggest portion, making the industry an important source of well-paying, high-value jobs. Digital security is critical to every industry, from healthcare and finance to manufacturing and agriculture. But the nature of today’s global networks means that cyberattacks do not stop at national borders. Security lapses abroad can cause catastrophic harm to U.S. businesses, our critical infrastructure and economy. To increase both economic and national security, it’s imperative that U.S. cybersecurity companies continue to innovate both at home and abroad. Later this week, the federal government has an opportunity to help better protect U.S. businesses by conveying the U.S. priority on establishing international cybersecurity norms as part of the renegotiation of the North American Free Trade Agreement (NAFTA). Secure computing has become paramount in the global digital economy. We must modernize our trade agreements...