BorderHawk Blog

Security in a Connected and Changing World

In a twelve-month period, I received notices from two federal agencies and a major healthcare provider stating that my lawfully collected but private data files had been compromised in three independent cyber-breaches.  Specifically, the agencies and the company are the Veterans Administration, the Federal Bureau of Investigation, and Anthem Blue Cross/Blue Shield.  The FBI’s breach certainly is the most serious of these in that it could lead to the loss of lives.  However, I feel that the theft of my medical records is equally troubling.  Allow me to point out that these data breaches did not involve cutting-edge infrastructures.  In the above cases, data-at-rest, or stored data, were compromised.  The attackers were international hackers acting under the auspices and protection of nation states.  In response to these security breaches, Congress recently enacted new legislation:

Safe and Secure Federal Websites Act of 2017

This bill prohibits a federal agency from deploying or making available to the public a new federal personally identifiable information website until the Chief Information Officer of the agency submits a certification to Congress that the website is fully functional and secure. “New Federal PII website” is defined as a website that: (1) is operated by (or under contract with) an agency; (2) elicits, collects, stores, or maintains personally identifiable information (i.e., information that can be used to identify an individual, such as a social security number, a date and place of birth, a mother’s maiden name, biometric records, or other information linked to an individual); and (3) is first made accessible to the public and collects or stores personally identifiable information on or after October 1, 2012.  To what degree these requirements will improve information security remains to be seen.  My initial impression is that H. R. 404 merely identifies who will be held responsible for the next data breach.  However, linking responsibility to a department head is not without its merits.

The future is fast approaching and there are a few clear trends that may aid us in developing sound security strategies:

  1. Mobile and connected devices continue to increase at a rapid rate, and it follows that the communications between these devices and systems will increase as well.  A recent study places the number of smartphones at more than 1.4 billion worldwide, with that number expected to increase to more than 1.8 billion by 2020.  The same study estimates that there are currently 6.4 billion “Internet of Things” connected devices, and by 2020, it is expected that there will be 20 billion such devices.  While this mass adoption of technology presents tremendous marketing opportunities for companies, the integration of new (and perhaps inadequately tested) technology makes these devices, applications, and back-end systems prime targets for cybercriminals.

  2. Both governments and corporations are recognizing and adapting to changing consumer preferences, such as transacting business via mobile devices and entering personal financial and medical information into mobile browsers, all in the belief that these applications pose no personal threat.  Despite the naiveté of the end-users, corporations and agencies who engage in these business practices must respond effectively and quickly to the changing environment to protect both their brands and the privacy of their customers’ data.

  3. “Big Data” is struggling with balancing innovation and convenience against the regulations and laws that require it to secure confidential data against cyberattacks.  Mobile devices exponentially increase the amount of PII, which adds to the security challenges as sensitive data moves through the data lifecycle.  The problem is complex in that most major corporations or agencies must seek solutions that apply to legacy applications and are compatible with “The Cloud”, mobile technologies, and the Internet of Things.  It may be said that the traditional network perimeter of the firewall has moved into the customers’ pockets.  As always, education of the end-user is of critical importance.  This is true of both public-facing and internal web sites.


Cybercriminals and nation states will continue to target PII with the intent to steal, sell, or otherwise use stolen identities.  Considering the inter-connected nature of many applications and devices – such as connected home, car, or even medical devices – a security breach may cause physical harm to a person, not simply monetary damage.

In 2017, a stated goal of most corporations and government agencies is to protect proprietary information and end-user data end-to-end, that is, from point of origin, through transit, and into storage, or from the beginning to the end of its lifecycle.  At the same time, these same institutions will be enabling new technologies and attempting to keep legacy applications viable.  Most corporations and government agencies are focused on data breach protection with varying degrees of success.  Some enlightened corporations have accepted the new paradigm that cyber-breaches will come to everyone in time, even those who are well prepared.  This course of action leads to an increased focus on timely incident recognition and effective response.  Early warning applications aid in this endeavor.

All early enablers of new technologies should act with due diligence and integrate these applications only after an extensive evaluation period.  Now is the time to establish a planning team to research and determine which technologies may impact your industry and start preparing for how security controls will be integrated into this future milieu.

All projections indicate that the amounts of data (stored and in transit) will continue to increase, and it will become even more critical for organizations to protect these valuable assets from cybercriminals and ensure that end-user privacy is protected.  The public’s acceptance of these preventable data breaches is wearing very thin.  Privacy and data protection must not be compromised in the name of innovation.  It can be done.  Adopt a security mindset and recruit or hire experienced leadership who understand how to accomplish INFOSEC objectives while enabling the business units to achieve their goals.

By | June 28th, 2017 | Cyber Security

The Most Serious Issues in Cybersecurity (2017)

Whenever someone submits a list of the most serious ____ (fill in the blank), I always question their objectivity.  For example: Who paid for the study?  Do the authors’ professional interests bias the findings?  Example: NOAA 2017.  Are there any political motives?  With that in mind, I now offer my list of the most serious issues in cyber-security for 2017.

First, let’s consider the origins of vulnerabilities found in cyber-security.  Research indicates that vulnerabilities may fall under one of three categories:

People – intentional or unintentional actions by people cause over 50% of incidents

Process – good security is a process; every pen test or audit offers the opportunity to revise and improve your existing processes

Technology – is everywhere and therefore the likelihood of an exploitable vulnerability existing in your organization is high.

Frequently, vulnerabilities are not isolated in silos that can be addressed simply by making technological changes.  Consequently, approximately 50% of INFOSEC vulnerabilities are found in the realms of people and process, not in technology.  With this in mind, I have labelled each issue accordingly.

  • Improved Security Awareness of End Users (People)

It doesn’t matter how good your technology is if your people don’t actively participate in good security practices.  Failure to follow established best practices may be an educational issue or a cultural one.  Either way the result is a major vulnerability.  Employee and contractor training must be on-going and applicable to every level of management and non-management.  Successful completion of security training by every employee should be documented and maintained by HR.  This should be a part of each employee’s annual review.  Security is everyone’s responsibility, not just those who hold the titles.

  • Improved Code Development (Process)

This is an international problem, but since most code is written for the United States, it is a critical problem here.  This is a problem with a known solution.  Poor implementation of the solution is why this remains a major issue in security.  In their rush to be first to market, companies that know better release bad code with the intent of issuing updates at a later date.  Sometimes these updates are delayed indefinitely, leaving consumers in extremely vulnerable positions.  There is a secondary issue involving the receptiveness of software companies to accept, test, and respond quickly to vulnerabilities identified by third parties.

  • Attacks on Personally Identifiable Information (PII) (People, Process, and Technology)

A twelve-month period across 2015-2016 contained a series of high-profile cyberattacks, starting with the compromise of 80 million medical records at Anthem Blue Cross/Blue Shield, continuing with the Veterans Administration, the Federal Bureau of Investigation, and Walmart, and concluding with breaches at the Starwood, Hilton and Hyatt hotel chains.  In 2016, Raytheon’s Websense analyzed threat data from 22,000 customers in 155 countries and states that hackers will target PII and emerging technologies, such as mobile payments and top-level domains.

  • Existential Crisis in the Governance of Cyber-Security (People)

Talk about cyberwar has been heard for at least the last twenty years.  Yet, cyberwarfare has maintained a guerilla persona with the possible exception of STUXNET.  Now, US intelligence agencies report that Russian interests interfered in the recent election.  The consensus points to state action rather than disaffected hacker groups.  Is this an escalation or merely more harassment?  You need better intelligence (HUMINT) than I possess in order to answer that question.

Throughout our history, both friends and foes have attempted espionage against the United States.  Today, the US is both heavily dependent on its electronic infrastructure and equally unable to protect it from a determined, sustained attack from a hostile nation state.  The same charge applies to American businesses.  In this case, offense is our best defense.  That is, our ability to retaliate via cyber-attack and destroy the networks, systems, and databases of our attacker may act as a deterrent to a nation state.  But what if our attacker is not a nation state?

“Contested spaces” and “failed states” are geographical areas where non-state actors such as terrorist and criminal organizations, including cyber-criminals, may train, re-supply, recruit, and plan without reprisal.  It may be argued that the Internet is a virtual, “contested space” where alternative forms of governance compete for control and power.  To date, few academic studies have addressed cyber governance.  The few existing courses on cyber governance draw from public administration and legal theories.  The crisis in cyber-governance is that we are under attack and without academic guidance.  What’s past is not prologue.  Reliance on brick and mortar governance will not get the job done.

  • Shortage of cybersecurity professionals (People)

According to the Bureau of Labor Statistics (2016), there are approximately six million software specialists in the United States.  Only 89,000, or just 1.5% of this group, specialize in cyber-security.  The median pay for a security specialist with a bachelor’s degree is $90,120.  This skills gap has not gone unnoticed by the federal government.  The Obama/Trump 2017 budget calls for a 35% increase in spending on cybersecurity, bringing it to $19 billion.  How this money should be spent is the topic for another article.

  • Attacks on mobile payments and other non-traditional payment systems. (People, Process, and Technology)

As mobile devices become the preferred source of authentication for many financial transactions, malware creators will increase their efforts to steal funds from consumers’ Apple Pay, Google Wallet and other mobile payment systems.  Once attackers learn to infiltrate consumers’ mobile wallets, they will attempt to breach the associated corporate network.  Specialized apps, emails, contacts, and authentication procedures will become a great source of insider information which will facilitate future attacks.

  • Cyber-security Insurance. (Process)

The cost of cyber-insurance rose in 2016, as an increasing number of companies considered purchasing indemnification coverage.  To maintain profitability, insurance carriers will require more client intelligence and will seek to develop baseline requirements for issuing cybersecurity policies.  Such policies may evaluate a company’s defense and risk profile, breach history, as well as its documented capability to halt attackers and remediate breaches.  Insurers will send auditors to conduct hands-on assessments of cybersecurity systems, reinforcing the need for advanced threat detection.  Cyber-insurance is an effective means of addressing residual risk.  With the cost per breach estimated at $4M, the insurance industry must respond quickly if this alternative is to remain viable.  See Ponemon/IBM Study June 2016.

By | March 1st, 2017 | Cyber Security

Questions the CEO Should Ask

According to the June 2016 Ponemon/IBM study, the average cost of a compromised record in the U.S. was $158 per record and the cost of a cyber breach was estimated at $4 million per incident. If there were ever any questions, this fact certainly elevates cybersecurity to the boardroom of every corporation and the executive committee of every government agency. The purpose of this article is to suggest several key questions which may guide executive discussions about cybersecurity and risk management. The following questions should be viewed as a starting point for further discussions, not as a comprehensive blueprint to resolve cybersecurity concerns.
What questions should a CEO or board member ask to determine the state of cybersecurity?
1) How is executive management informed about the potential impact of cybersecurity threats on business operations and how timely is this information?
2) What is the current risk level and what is our risk appetite? That is, what amount of residual risk are we willing to accept?
3) What federal or state regulations are relevant and how are we meeting these requirements?
4) Are we following established best practices in cybersecurity? If not, why not, and what specific areas are excluded? Are the most appropriate standards, such as the ISO, being followed?
5) Do we have comprehensive incident response, business continuity, and disaster recovery plans established and are they being followed? Is an annual independent audit conducted on these critical processes and were steps taken to remediate all findings? If not, why not?

Cybersecurity oversight and governance includes the regular evaluation of cybersecurity budgets, IT acquisition plans, IT outsourcing, supply-chain security, cloud services, incident reports, risk assessment results, and review of security policies, as well as engagements with information sharing consortiums. The security industry realizes that the definition of good security has changed from attempting to create an inviolate perimeter to equal parts strong defense plus timely and effective response.
Effectively managing cybersecurity risk throughout the enterprise flows from good governance. Good communications between the boardroom and those held accountable for managing cybersecurity provides the opportunity to address vulnerabilities and to create a robust incident response program. Achieving compliance with federal and state regulations should not be mistaken for a comprehensive cybersecurity program. A comprehensive cybersecurity program leverages people, process, and technology to create a set of controls that have been specifically crafted to serve a specific corporation or agency.

A risk-based approach to cybersecurity will generate a more comprehensive and cost effective management of cyber risks than compliance activities alone. Identifying critical assets, determining the business impact of cyber-attacks, and setting priorities are critical first steps in understanding and responding to risk exposure – whether the risks are financial, competitive, reputational, or regulatory. Ongoing and independent risk assessments are essential to identify and to prioritize specific defensive actions, allocate resources, and develop policies and strategies to manage cyber risks. In-house reviews are still valuable in that they point out areas that need work. But inadequate separation of duties and conflicts of interest often bias these findings.

Early and effective response to a cyber-attack has been proven to limit damage. Quickly detecting and remediating a data breach saves money. The average time to discover a breach is about 201 days in 2016. That’s slightly over 6.5 months and that’s the average time. Some breaches are not found for years. Imagine the damage that a hacker can cause. Imagine the liability that a business might incur. When a company discovers and contains a data breach within 30 days or less, on average, about one million dollars is saved per breach. Effective solutions can come only from an accurate understanding of our environment and a willingness to adapt our responses to meet ever-changing challenges.

(Source: Ponemon/IBM Report June 2016)

By | February 1st, 2017 | Cyber Security

The Ponemon/IBM Report June 2016

In most developed countries, the ability to achieve enterprise business objectives is reliant on information systems and the Internet.   The world-wide business community is aware of this fact as are the hackers, criminal organizations, and nation states who seek to degrade the confidentiality, availability, and/or integrity of these vulnerable electronic systems.  The result is an increased risk of cyber-attack that could cause severe disruption to business functions, supply chains, and reputations, or compromise sensitive data and intellectual property.

Since measurements began, the cost of these attacks has risen steadily.  There are various ways to measure the cost of a cyber-attack.  In the United States, a common way to measure the cost of a cyber-attack is to determine the number of business records that were compromised.  Business records may exist in hard copy or digital formats and are used to document and store information from business operations.  Digital business records, such as those stored in the cloud or on hard drives, are considered the same as hard copy documents.  Types of business records include minutes from board meetings, audits, contracts, personnel files, patient records, and customer data, as well as business transactions such as purchases, bills of lading and invoices.

Business records must be stored and maintained for the designated period established by law.  If these records are compromised, i.e., lost, stolen, corrupted, or hacked, many states require public disclosure of this event and hard copy notification of the loss to the clients, business partners, or individuals who were affected.

The average cost per compromised record has grown to $158 in 2016 from $154 last year.  The average cost of a data breach has risen to $4 million per incident—up 29% since 2013.  The cost of a compromised record varies significantly by industry type.  The Healthcare Industry has the highest cost per compromised record at $355.  Source: Ponemon/IBM June 2016.

Industry          Cost Per Record 2016
Public            $80
Research          $112
Transportation    $129
Media             $131
Consumer          $133
Hospitality       $139
Technology        $145
Energy            $148
Industrial        $156
Communications    $164
Retail            $172
Life Science      $195
Services          $208
Financial         $221
Education         $246
Healthcare        $355

Source: IBM + Ponemon Institute

The Ponemon/IBM sponsored study puts the likelihood of a material data breach involving 10,000 or more lost or stolen records occurring in the next 24 months at 26 percent.  The study surveyed 383 companies in a dozen countries that had suffered breaches ranging from 3,000 to roughly 101,500 compromised records.  A careful reading of the report revealed that a few extremely large data breaches were omitted from the report as outliers which, it was decided by the Ponemon researchers, would have skewed the report’s results.

One of the inherent flaws in multi-variate data analysis is the consensus among academics that outliers may be dropped if they diverge significantly from the mean of the findings.  The reasons in support of this practice include: 1) to correct for data entry errors, and 2) to correct for anomalies.  In my opinion, dropping the “outliers” in this report was a significant statistical error that resulted in artificially lowering the probability of a major breach.  Without the raw data, the correct likelihood of a major breach cannot be determined, but it is higher than 26% over 24 months.

The practice of dropping the “outliers” biases the findings and tends to accept established explanations over those that suggest change.  Thus, paradigm shifts are often ignored.  See Thomas S. Kuhn (1962), The Structure of Scientific Revolutions.

Businesses and government agencies face a variety of cyber threats, some of which will require security measures that go beyond basic compliance initiatives.  “We’re now in a mode where these attacks are going to happen even to people that are well prepared.  It’s about being able to respond when the inevitable happens,” said Caleb Barlow, a vice president at IBM Security.

The message to the business community and government agencies is: Don’t be caught off guard when the next data breach hits you.  “Be prepared,” stated IBM’s Barlow.

The Ponemon/IBM Report of June 2016 has several additional findings:

  1. Having an effective incident response team in place lowers the cost per compromised record by $16, more than any other defensive tactic.
  2. The effective use of encryption reduced the cost of each compromised record by $13.
  3. Employee training reduced the cost per compromised record by $9.
  4. Threat sharing reduced the cost per compromised record by $9.
  5. Appointing a chief information security officer saved $7.
  6. Quickly detecting and remediating a data breach saves money.  The average time to discover a breach is about 201 days in 2016.  That’s slightly over 6.5 months, and that’s the average time.  Some breaches are not found for years.  Imagine the damage that a hacker can cause.  Imagine the liability that a business might incur.  When a company discovers and contains a data breach within 30 days or less, on average, about one million dollars is saved per breach.  Source: Ponemon/IBM June 2016.
  7. About half the data exposures were caused by external attacks; the other half were due to the intentional or unintentional acts of employees and contractors.

The findings of the Ponemon/IBM study recommend that action be taken immediately to reduce the potential operational and financial impact to corporations and our national infrastructure.  The following is an abbreviated and incomplete list which may serve as a starting point.

  1. Create or examine your incident response team.  Have you run practice exercises?  Have you conducted an internal audit of the team’s capabilities?  Do you have benchmarks for monitoring improvement?
  2. Consider an early alert service. The average time to discover a breach is 6.5 months.  An Early Warning Service might put you ahead of the attacker.  Ponemon says companies who detect the attack in 30 days or less save one million dollars per incident.
  3. Conduct internal audits to determine where your data is vulnerable.  Follow “best practices” and encrypt your data in transit and in storage; this includes laptops.
  4. Create an on-going employee/contractor awareness program. Unintentional actions by employees or contractors may cause as much harm as a cyber-attack.  Security is everyone’s responsibility.

Developing and maintaining an effective security program demands a realistic and pragmatic strategy.  Any company or agency that has Internet connectivity has been or will be hacked.  This is not hyperbole; it is a fact.  Anyone who believes that their company or agency is too small or unimportant to be hacked is wrong.  This is today’s reality.  A paradigm shift has occurred in INFOSEC.  The security industry realizes that the definition of good security has changed from attempting to create an inviolate perimeter to equal parts strong defense plus timely and effective response.  As a security manager or executive, it is your responsibility to explain this strategy shift to your executive committee.  Proper expectation setting is key to a robust security program.  Effective solutions can come only from an accurate understanding of our environment and a willingness to adapt our responses to meet the challenges of our times.

By | November 15th, 2016 | Cyber Security

Positioning the CISO in the Executive Hierarchy

The saga of positioning the Chief Information Security Officer (CISO) continues after more than fifteen years. This subject has been attempted by everyone from magazine editors to the annual RSA Security Conference. Yet, here we are. The role of CISO is still fighting for its place at the executive table, and there is no consensus as to whom the CISO should report.

Generally speaking, prior discussions on this subject have focused on two questions.

1. Where does the role of CISO belong in the organizational structure?
2. What are the “pros and cons” of various reporting structures?

So, why am I bringing this to your attention now? Because successful attacks on Big Data have become a much too frequent news lead. Information security and executive management have come under heavy fire in recent years due to a large number of high-profile data breaches (Yahoo, Target, Home Depot, Anthem BC/BS, the FBI, the Veterans Administration, and the list goes on). After each incident, someone must answer the questions: “How did this happen?” and “How do we prevent this from happening again?” The person in the “hot” seat is the person best able to answer these questions, namely the CISO.

CISOs are being roasted and not at comedy clubs. And you say, “Someone must be held responsible for allowing this to happen”. I agree about responsibility but I am skeptical of the sacrificial offering.

The CISO is an executive level position that exists to provide executive management with expert counsel and advice on matters of information security and asset protection. Unlike a Director of Information Security, the CISO has overall responsibility for information security management, plus he or she serves as a spokesperson representing INFOSEC to the executive committee. The success of the new CISO depends on accomplishing two meaningful goals within the first one hundred days:

1. developing a sound organizational foundation for the INFOSEC program and
2. demonstrating tactical progress to the members of the executive committee

To accomplish these objectives, the new CISO should not focus solely on technical details that may isolate the security organization from the key business operations. The CISO needs to be an integral part of the senior management team, not just the lead technical manager. A primary goal in the first 100 days should be to hire or select staff with the specialized skills that the INFOSEC program will require and then to organize this team in the most effective way possible.

If these objectives are known and generally accepted, why then do so many new CISOs fail? The answer is that achieving success demands that both personal and organizational characteristics are present. A successful CISO possesses strong leadership and communication skills coupled with technical knowledge and vision. These personal characteristics suggest success, but the organization also has a responsibility to the CISO.

There are at least three keys to making the CISO role successful:

1) Independence — The CISO should be independent of influence or pressure from those involved in the day-to-day protection or purchase of corporate assets.
2) Empowerment – The CISO should be empowered to recommend, and upon agreement of the executive team, deploy all necessary processes, safeguards, and awareness training.
3) Organizational Position – The CISO should be positioned within the organization so as to facilitate his or her role as an enabler of “best practices”. It is essential that the implementation, audit, and enforcement of “best practices” should not be limited to IT. INFOSEC issues are business issues.

In 2016, the roles of CIO, CTO, and CISO are still restricted, in many cases, to issues concerning new or embedded technologies. This organizational issue may lead to a duplication of effort and confusion as to the correct course of action in an emergency, leading to a slower response time. Is there a better way?

To answer that, let’s consider the totality of vulnerabilities found in information security. Research indicates that vulnerabilities may fall under one of three categories:

1. People – intentional or unintentional actions by people cause over 50% of incidents
2. Process – good security is a process; every pen test or audit offers the opportunity to revise and improve your existing processes
3. Technology – is everywhere and therefore the likelihood of an exploitable vulnerability existing in your organization is high.

[Venn diagram: People, Process, Technology] The Venn Diagram to the left illustrates what this relationship might look like. It is clear that the realms of people, processes, and technology overlap. Frequently, vulnerabilities are not isolated in silos that can be addressed simply by making technological changes. Consequently, approximately 50% of INFOSEC vulnerabilities are found in the realms of people and process, not in technology. The role of CISO demands developing comprehensive solutions to complex business problems; therefore, its place in the organization should reflect that requirement.

A survey conducted in July 2014 by ThreatTrackSecurity found that:
1. 47% of CISOs report to the CEO or president,
2. 45% report to the CIO,
3. 4% to the chief compliance officer,
4. 2% to the COO or CFO
5. 2% to other

An additional finding of this 2014 survey was that legacy C-level managers view the role of CISO as a desirable addition to the executive committee because they see the CISO as a scapegoat should the organization experience a catastrophic cyber breach. This finding confirms an opinion long held by the author of this article.

It would be wonderful (and too simple) if by writing this article, I could inform every organization and agency where the CISO(s) should reside in their respective hierarchies. Such a declaration would be hubris. The only person who can decide where your CISO belongs is “you”, the reader. By this, I mean someone with an in-depth understanding of the organization in question. That person may be an FTE or an experienced INFOSEC consultant. However, I can give you a framework on which you may base your decision.

1) The information-security-related roles of CIO, CTO, and CISO are all siloed in the same way. The best case is that they reinforce each other and present a solid front on matters of information security. The worst case leads to in-fighting, which results in a fragmented security program. Attempting to manage a comprehensive, business-focused security initiative from a siloed base will never work.
2) Since the CISO may be the newest addition to the executive team, there is a tendency to place the newcomer under the aegis of a mentor. This should be avoided.
3) Remember that your new CISO must be both technically skilled and a great communicator.
4) Remember the three keys to success: independence, empowerment, and organizational position.

Now, let’s evaluate our three keys to CISO success against a hypothetical organization.

1) Reports to the CEO or President
   a. Independence – yes
   b. Empowerment – yes
   c. Organizational position – yes
2) Reports to the CIO
   a. Independence – no
   b. Empowerment – maybe
   c. Organizational position – no
3) Reports to the Chief Compliance Officer
   a. Independence – maybe
   b. Empowerment – maybe
   c. Organizational position – yes
4) Reports to the COO or CFO
   a. Independence – maybe
   b. Empowerment – maybe
   c. Organizational position – maybe

The Venn Diagram, referenced above, speaks to the concern that the CISO’s influence should not be siloed in IT without the capacity to affect business operations throughout the organization. It is possible that homing the CISO in IT may work, but my personal experience does not support this alternative.

Wherever the CISO is homed, there will be griping and complaints from the legacy C-levels. Some will want to claim the new member in order to extend their own influence. Others will want to avoid INFOSEC for fear of fallout from a data breach. This is life at the executive level.

The success of your chosen CISO will depend on his or her experience, skills, and an organizational scheme that recognizes that security problems are business problems. After working through the above thought process, you now know where your CISO should be homed for the best chance of success.


By | October 15th, 2016|Cyber Security|Comments Off on Positioning the CISO in the Executive Hierarchy

The Insider Threat Redux

“People make the best exploits. I’ve never found it hard to hack most people. If you listen to them, watch them, their vulnerabilities are like a neon sign screwed into their heads.” Elliot Alderson, Mr. Robot, USA Network

The TV show Mr. Robot is all about vulnerabilities, both electronic and human. Whether it’s a bug in the programming or a personal character flaw, everyone and everything has a weakness, and the only way to truly understand and potentially control someone is to learn their vulnerabilities. Finding these vulnerabilities is the essence of this TV program, and to the degree that TV mirrors our lives, it could be said that “finding the vulnerabilities” is a watchword for life in 21st Century America.

Consider politics: it’s all about finding the vulnerabilities. The same applies to diplomacy, business, the law, news services, banking, covert agencies, and the military. And since this is a security blog, let’s not forget criminals and criminal organizations. Certainly, finding vulnerabilities is their raison d’être.

It’s no surprise that in 2015, social engineering became the #1 attack technique used by criminals (source: Proofpoint 2016). As Yogi Berra once said, “It’s déjà vu all over again”. Across all industries and in attacks of varying scope, hackers are slowly moving away from purely automated exploits and toward social engineering strategies intended to trick or seduce people into acting as their knowing or unknowing proxies.

Who are the targets of these attacks? That might be the most senior person possible or perhaps a key server administrator. But most of the time, that is not necessary. Gaining low level access often is enough. For example, capturing the credentials of a bank teller allows the attacker legitimate access to the target network from where he or she can further develop the attack. To counter this threat, you need a strong, layered defense. The time of relying on a strong perimeter defense is long past.

Where are you most likely to be attacked via social engineering? Young people who hold entry-level jobs are the most common starting point. The occupants of most entry-level positions are people aged 18-34 of the Millennial Cohort, a.k.a. Gen-Y, those born between 1981 and 1997. In 2015, the Millennials passed the Baby Boomers as the largest generational cohort in the United States (source: Pew Research). I have been unable to find any academic studies specific to the attitudes of Millennials toward white-collar crime. However, there are many studies that correlate youth with an increased appetite for risk-taking, which could be interpreted as extending to participation in non-violent criminal activities.

These New Age Criminals draw from their knowledge of social media and present their messages in such a way as to “develop” their targets and entice the most vulnerable into becoming willing participants in their schemes. This selection process is facilitated by the high turn-over rates experienced in many entry-level jobs (such as bank teller) and is further enhanced by the increased mobility and transient nature of the American workforce.

Hackers and Fraudsters attempt to manipulate insiders in at least four ways:

1. Low Tech/very narrow scope/personal contact – Fraudsters enter a place of business, such as a bank, and observe the tellers. They wait for a shift change or closing, follow employees to their cars or public transportation, and size up their affluence or lack of it. The initial approach is a seemingly benign request, such as, “Bring me a blank loan application and I’ll pay you $20.00”. Covert pictures may be taken of the money hand-off for later use as blackmail. If this approach succeeds, the fraudster moves on to copying customer records. In the cases in which I have been involved, the payout to the insider was about $200 for each batch of stolen customer records.

2. Medium Tech/Broad Scope/No Personal Contact – The objective here is to trick or entice a computer user to click on or download malware, thereby giving the hacker functional control of the user’s computer. These attacks are usually high-volume campaigns distributed to broad groups of users. They employ a wide variety of themes to convince or entice people to disable security, click on links, open documents, or download files that will install malware on laptops, tablets, and smart phones. These attacks may be of a general nature or specific to a company or institution. The more sophisticated attempts copy a company’s logo and appear as an outreach from a trusted or known business.

3. Low or medium tech/narrow scope/personal contact – These attacks appear frequently in targeted campaigns. Within the targeted company are key people who hold valuable credentials (electronic or physical). This method may use the telephone or the Internet, with the hacker usually posing as an insider in an attempt to trick the targets into voluntarily revealing their IDs, passwords, or access codes. Another technique uses RFID or similar scanners to capture the credentials of a moving target, such as in an airport or while waiting in line (see Forbes Magazine, Andy Greenberg, January 2012).

4. Medium tech/very narrow scope/ personal contact – The objective here is to recruit the target to work for the hacker or covert agency. This could involve a “false flag” action or it could be a direct appeal to a foreign national by agents of his government. Usually, these efforts are long-term and may involve sleeper agents. (See FBI Investigation Operation Ghost Stories, 2010)

Hackers, fraudsters, and covert operatives use social engineering because the cost is low, the risk to themselves is very low, and the potential rewards are high.

Although these types of attacks cannot be prevented, there are steps you can take to minimize the likelihood of occurrence and reduce the negative impact to your company.

1. Conduct background investigations for all employees and contractors at hiring and on an on-going basis throughout their employment.

2. Monitor the review process on these background checks.

3. Open an anonymous reporting telephone line and create an Ombudsman position.

4. Make it known to your employees that you know about these techniques and that anyone caught participating in fraud schemes will be terminated and prosecuted. If you should have to terminate anyone for cause due to fraud, don’t hide it. I understand that HR may disagree but I’m not HR. I am security and I know that one arrest creates a lot of prevention.

5. Learn more about data leakage and how to minimize it. Remember that some information leakage is intentional and some is unintentional. Be certain that your employee awareness program includes a section on data leakage. Investigate electronic tools that can alert you to unauthorized leaks that suddenly appear on the Internet or Dark Web. An early alert service may cost less than a set of golf clubs and being able to know and react sooner rather than later is priceless.

6. Develop policies and procedures surrounding data leakage. Do it now. During an incident is not the time to figure out what to do next.
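The “early alert” tooling in item 5 is easier to reason about with a concrete mechanism in hand. The following is an added example, not code from this blog or from Borderhawk: it uses planted canary records (fictitious customers seeded into each branch’s teller-visible customer list) and keeps only keyed hashes of their account numbers on the monitoring side, so a copy of the index reveals nothing. When a suspected dump surfaces, account-number-like tokens are hashed the same way and matched, which tells you both that real data leaked and which branch’s view it came from. The branch names, account-number format, key, and the dump itself are all constructed for illustration.

```python
"""Match a suspected data dump against planted canary customer records.

Added example (not BorderHawk's code). Everything below that looks like
customer data is constructed; the account-number format is an assumption.
"""
import hashlib
import hmac
import re

# Hypothetical per-deployment secret: with it, the stored fingerprints
# cannot be reversed into the planted account numbers by whoever reads them.
INDEX_KEY = b"rotate-me-example-key"

# Hypothetical planted canaries: (branch, account number). Each branch's
# customer list carries its own distinct fictitious accounts, so a hit
# identifies the branch whose view was copied.
CANARIES = [
    ("branch-north", "4408 1122 3344 0001"),
    ("branch-north", "4408 1122 3344 0002"),
    ("branch-south", "4408 9988 7766 0001"),
    ("branch-south", "4408 9988 7766 0002"),
]

# Constructed suspected dump (comma-separated): genuine-looking rows with
# one branch-south canary mixed in.
SUSPECTED_DUMP = """\
name,account,balance
Pat Lee,4408-5566-7788-1234,1045.22
Sam Roe,4408 9988 7766 0002,88.10
Kim Ray,4408556677881299,500.00
"""

# Assumed: 13-19 digit account numbers, optionally grouped by spaces or
# dashes. Columns in the dump are comma-separated, so the optional space
# separator cannot run two fields together.
ACCOUNT_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def normalize(account):
    """Strip separators so '4408-1122 ...' and '44081122...' hash identically."""
    return re.sub(r"\D", "", account)


def fingerprint(account, key=INDEX_KEY):
    """Keyed hash of the normalized account number."""
    return hmac.new(key, normalize(account).encode(), hashlib.sha256).hexdigest()


def build_index(canaries, key=INDEX_KEY):
    """Return {fingerprint: branch}; the raw canary values need not be kept."""
    return {fingerprint(acct, key): branch for branch, acct in canaries}


def extract_accounts(text):
    """Pull every account-number-like token out of free text."""
    return [m.group(0) for m in ACCOUNT_RE.finditer(text)]


def scan_dump(text, index, key=INDEX_KEY):
    """Return the set of branches whose canaries appear in the dump."""
    hits = set()
    for token in extract_accounts(text):
        branch = index.get(fingerprint(token, key))
        if branch:
            hits.add(branch)
    return hits


if __name__ == "__main__":
    idx = build_index(CANARIES)
    print("leaked branches:", scan_dump(SUSPECTED_DUMP, idx))
```

Because the match is on a keyed hash of a normalized value, the same canary is recognized whether the thief copied it with spaces, dashes, or no separators, and the monitoring system never needs to hold the customer list itself.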

By | September 1st, 2016|Cyber Security|Comments Off on The Insider Threat Redux

The Cassius Syndrome

The following account is hypothetical but incidents similar to this have happened and will happen again.

A computer programmer for a large metropolitan company, let’s call it ANON, developed algorithms and wrote programs that gave him unauthorized access to confidential trade secrets and proprietary information.  When he left ANON to pursue more lucrative options, he was sued by his former employer for allegedly abusing his privileged access to steal 500 files containing sensitive company data.  ANON announced that the breach was discovered after a forensic examination found malicious code on his computers.  Investigators found sophisticated and unauthorized software which was used to conceal the insider attack.  The former employee was accused of downloading the confidential information shortly after he had announced he was leaving ANON for employment with a competitor.   ANON’s attorneys stated that the breach has caused substantial and long-term harm to the company.  This example is fiction, but many information security professionals consider rogue employees to pose a greater threat to information security than external hackers.

The insider threat is known to be on the rise in financial services, federal government, and manufacturing industry segments.  It’s a world-wide concern.  Among companies reporting data breaches, internal actors were responsible for 43% of data loss, half of which was intentional, and half accidental.  Verizon’s 2016 Annual Report blamed disgruntled insiders for over 10% of all security incidents.  As a former Information Security Officer for a major American bank, I can attest personally to this activity in financial services.  Despite a heightened awareness in recent years, security experts say a majority of organizations remain dangerously vulnerable to the insider threat.

The Cassius Syndrome, as I have named this confluence of events, has increased significantly in recent years due to a steady increase in the number of dissatisfied employees and a corresponding rise in the capacity of nation states and criminal organizations to “capitalize” on the willingness of these assets to betray even long-term, trusted relationships.  Accordingly, nation states, multi-national criminal organizations, and even small-time criminal gangs are recruiting insiders to help perpetrate crimes ranging from fraud to espionage.

The Cassius Syndrome draws its name from Cassius, one of literature’s great villains.  In Shakespeare’s play, Julius Caesar points out Cassius in a crowd and says: “Yond Cassius has a lean and hungry look; he thinks too much: such men are dangerous”.  Unfortunately for Caesar, he took no action and was assassinated in a conspiracy led by Cassius.  Unfortunately for us, the “lean and hungry look” is not so easily recognized.  The Cassius Syndrome includes these parameters:

  • A person who holds a position of trust
  • That person is dissatisfied with his or her salary, lack of fame, position in the hierarchy, or perceived importance to the company, leader, or partner
  • That person may or may not be struggling with financial difficulties. Financial problems are a red flag, as is divorce.
  • That person may be vulnerable to approach from cultural, ethnic, or homeland ties and connections. We live in perhaps the most multi-cultural country in the world.  Some homeland ties are expected but not all are good.
  • The person rationalizes the behavior and feels a sense of social justice in his or her actions. “I’m stickin’ it to them”, or “I’ll be revered as a hero back home”, or “It’s time I got what I deserve”, or “I’ve been treated unfairly”.
  • And of course, there are always people who will break a trust simply for money. These people usually, but not always, have very weak ties to the company (example: tellers in a bank).

These rogue employees are making their insider services known to the criminal underworld and to the covert information-gathering organizations of nation states.  Disgruntled employees, especially those working in data-rich organizations like financial services, pharmaceutical firms, and government, are being recruited aggressively by the criminal organizations of the Dark Web.  The February 2016 electronic theft of $81 million from the Bangladesh Central Bank occurred with help from someone on the inside.  Investigators suspect at least one bank employee was involved, with a link to the Dark Web.

Simply stated, the Dark Web is World Wide Web content that exists on darknets.   Darknets use the public Internet but also require specific software such as Tor, special configurations, and authorization to gain access to secured servers.  The Dark Web is a subset of the Deep Web, which is the part of the World Wide Web not indexed by search engines such as Google.

Why is the insider threat so prevalent?  The first reason is cultural.  Most people feel that insiders are supposed to be trusted.  There’s a cultural climate that protects the insider from being watched.  Take Robert Hanssen, disgraced FBI Special Agent and traitor.  The FBI conducts extensive background checks on contractors, business partners, and new hires, but once you are in, you’re in.  This cultural naiveté permitted Hanssen to steal secrets for years.

By virtue of being insiders, these criminals have the benefit of time to explore their way around systems and steal confidential data without raising any red flags, mainly because no one is watching.

In addition to cultural issues, there are technical challenges to catching criminals and those who would leak confidential data.  Think of an office building.  Many security controls are similar to the guards manning the front desk.  They check badges to make sure only authorized people are entering.  However, once people are inside, they cannot see what each individual is doing every minute of the day.

Cameras and automated programs capable of behavioral analysis are needed.  Background and credit checks should be standard for all employees.  These checks of the entire employee base should be conducted randomly and on a continuing basis, not just at hiring.  If an employee is counselled or put on a performance improvement program, that employee’s access should be reviewed and his or her network activity should be monitored in accordance with HR policies.

Another technical challenge: The tools available to companies to track insider threats are still evolving.  Most companies have security controls that are meant to stop threats from outside the enterprise and not from the threats within.  When organizations do have controls that limit internal access to certain sensitive files or databases, they typically do not have anything to monitor what someone with legitimate access to those assets might do with it.  Insiders know exactly how things work and where the organization’s valuable assets and information are stored.
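The gap described above, controls that limit who may open a file but nothing that watches what an authorized person then does with that access, is exactly what the ANON programmer in the opening account exploited when he downloaded 500 files after giving notice. The following is an added example, not code from this blog or from Borderhawk, of the simplest useful form of that missing monitoring: per-user daily access counts from a file-server audit log, a baseline from each user’s own history, and a lower alert threshold for people who have given notice or are on a performance plan, as the preceding section recommends. The log format, the user names, and the log lines themselves are constructed for illustration.

```python
"""Flag abnormal bulk file access by users who already have legitimate access.

Added example (not BorderHawk's code). It assumes a hypothetical file-server
audit log with one event per line: "<YYYY-MM-DD> <user> <action> <path>".
All log lines and user names below are constructed.
"""
from collections import Counter, defaultdict
from statistics import median

# Constructed sample log: a quiet week for two users, then a 40-file pull by
# one of them on the day after giving notice.
SAMPLE_LOG = """\
2016-08-01 jdoe read /proj/alpha/design.doc
2016-08-01 jdoe read /proj/alpha/notes.txt
2016-08-01 asmith read /hr/handbook.pdf
2016-08-02 jdoe read /proj/alpha/spec.doc
2016-08-02 asmith read /hr/policy.doc
2016-08-03 jdoe read /proj/alpha/design.doc
2016-08-03 jdoe read /proj/beta/plan.doc
2016-08-04 jdoe read /proj/alpha/spec.doc
2016-08-04 asmith read /hr/handbook.pdf
""" + "".join(
    f"2016-08-05 jdoe download /proj/alpha/file{i:03d}.doc\n" for i in range(40)
)

# Hypothetical watch list: users who have given notice or are on a
# performance improvement plan. Their activity is held to a tighter bound.
WATCH_LIST = {"jdoe"}


def parse_log(text):
    """Yield (day, user, action, path) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) == 4:
            yield tuple(parts)


def daily_counts(events):
    """Return {user: {day: number of file accesses that day}}."""
    counts = defaultdict(Counter)
    for day, user, _action, _path in events:
        counts[user][day] += 1
    return counts


def flag_spikes(counts, watch_list=frozenset(), floor=10,
                normal_factor=5.0, watch_factor=2.0):
    """Return one alert per (user, day) whose count is out of line.

    The baseline is the median of that user's *other* days, so the spike
    itself does not inflate it. A day is flagged only when it exceeds both
    an absolute floor (tiny baselines would otherwise make everything look
    like a spike) and baseline * factor. Watch-listed users get the smaller
    factor, so the same behaviour trips an alert sooner for them.
    """
    alerts = []
    for user, per_day in counts.items():
        factor = watch_factor if user in watch_list else normal_factor
        for day, n in sorted(per_day.items()):
            others = [v for d, v in per_day.items() if d != day] or [0]
            baseline = median(others)
            if n > floor and n > baseline * factor:
                alerts.append({"user": user, "day": day, "count": n,
                               "baseline": baseline,
                               "watch_listed": user in watch_list})
    return alerts


def analyze(text, watch_list=WATCH_LIST):
    """Parse a log and return the list of spike alerts."""
    return flag_spikes(daily_counts(parse_log(text)), watch_list)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Tuning is the whole game here: the floor and the two factors are where HR policy (who is on the watch list, and how much tighter their bound is) meets the engineering, and a real deployment would add per-path sensitivity so that 40 reads of a cafeteria menu and 40 reads of a design repository are not scored alike.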

In closing, I’ll share my experience as a Certified Fraud Examiner.  Do not overlook low tech tools to combat the insider threat.  Be sure that your company has an anonymous incident reporting line.  Also, be certain to monitor the results.  Use your company’s outreach publications to inform every employee or contractor about what to do if they suspect unauthorized activity.  Let your employees know that you are available and open a line of communications.  It costs very little but the benefits may be great.

By | August 23rd, 2016|Cyber Security|Comments Off on The Cassius Syndrome

The Starfish Story

Early one morning, soon after a storm, two friends were walking down a lonely beach.  It was low tide, and the beach was covered with hundreds of starfish that the storm had washed ashore.

As they walked, the first man began to pick up the starfish and toss them, one at a time, back into the safety of the ocean.

This process continued for some time as the second man watched.  Finally, he spoke out: “This is a waste of time.  There are hundreds of starfish on this beach and you can’t save them all.  There will be more starfish washed ashore tomorrow.  What you are doing just doesn’t matter”.

The first man thought for a moment and smiled as he tossed another starfish back into the safety of the sea: “But it matters to this one”, he said.  (attributed to Loren Eiseley; edited by Bob)

Sometimes, it’s easy for security professionals to feel that their jobs have become repetitive and that no matter what they do today there will always be many more threats to handle tomorrow.

Security Engineers, remember “but it matters to this one” as you close each vulnerability or write another firewall rule.  Take pride in your work and remember that you’ve done the right thing.

Security Executives, remember that leadership starts with you.  Timely recognition from you goes a long way toward maintaining positive morale.

By | July 11th, 2016|Cyber Security|Comments Off on The Starfish Story

Call Me Bob

Call me Bob. No, it doesn’t have the same panache as “Call me Ishmael” but it will have to do. I’m writing an information security blog and I want you to read it. My objective is to provide security executives and professionals with information that is timely, accurate and contains a minimum of jargon. Initially, the format will be text but soon I plan to include audio and video recordings as well as photos.

Since I’m asking you to spend time reading my blog, I think it’s fair that you should know something about me. I started my career in information security in the U.S. Army Security Agency. I’ve held top secret security clearances twice with the last being in 2005. I consider my military service to be one of the three major crossroads in my life. My military service changed me for the better and I’m proud that I served.

Outside of the military, I have operational experience in three fields: Telecommunications, State Government, and Financial Services. My last position, prior to retirement, was Information Security Officer at Wells Fargo Bank. As for professional certifications, I hold an active CISSP while my CISA, CFE, and CGEIT certifications are inactive.

This blog is sponsored by Borderhawk-CyberSecurity. However, I am an independent writer and the majority of posts found on this blog will reflect my research and my opinions. From time to time, this blog will include interviews with subject matter experts whose technical expertise and “hands-on” experience I will be pleased to share with you. Obviously, any quotes, analysis, or conclusions will be the opinions of the person(s) being interviewed, unless otherwise noted.

The topic of this blog is information security, but by that I mean the Big Picture of Information Security. I like to think of security as involving People, Process, and Technology. Technology, because it is essential to individuals, corporations, and governments who demand more and faster connectivity. Process, because without guidelines and standards we cannot measure our progress towards securing our respective domains or meeting our regulatory responsibilities. And most importantly of all, People: it doesn’t matter how great your technology is, or how comprehensive your policies are, unless you have active support and loyalty from a well-trained and engaged group of employees and contractors.

In this blog, we also will explore the element of Trust. What does it mean to trust employees or contractors? What controls are needed to satisfy regulations and to monitor activities? To what degree does trust extend to suppliers and business partners? What is the impact of Globalization on our supply chains?

I’m asking you to become an active member of my blog. Subscribe today. Comments are welcome at

By | June 30th, 2016|Uncategorized|Comments Off on Call Me Bob