Hybrid Active Directories: Another Frontier for Data Breaches

A Q&A with Quest

More organizations are adopting Microsoft’s cloud-based Azure Active Directory (AD) while maintaining on-premises AD deployments to support legacy systems or applications without internet access. We call this a hybrid Active Directory deployment. Hybrid ADs may pose a security risk if not managed properly. Unexpected changes to the AD environment, such as changes in user privilege, multiple logins in rapid succession, and logins from unusual locations, often provide the first indication of an externally or internally initiated breach. We spoke to Keri Farrell, Brad Kirby and Matthew Vinton from Quest about this particular concern for organizations and how they can shore up security measures to avoid data loss.


Don’t Ring the (False) Alarm: When a Data Loss Event Isn’t a Breach

A Q&A with Darin Bielby and Jeremy Batterman of Navigant Consulting’s Information Security & Investigations Practice
During a recent Risk and Insurance Management Society (RIMS) panel discussion, Navigant Managing Director Darin Bielby asserted that 50 percent of the organization’s information security forensic investigations yield evidence that enables legal counsel to advise companies that a data breach did not occur. These findings typically demand no further action or notification about the event, though some organizations proceed with additional precautionary measures. I talked with Bielby and his colleague Jeremy Batterman about the reality of data privacy events and what forensic investigators are seeing.


Data Breach Costs: Another Look

A Q&A with Sasha Romanosky, PhD, of the RAND Corporation

In a recent study, RAND Corporation policy researcher Sasha Romanosky examined 12,000 data breaches from 2004 to 2015, trying to get a more holistic view of their causes, costs, and associated risks and trends. I spoke with Dr. Romanosky about his findings.


Protecting Against Data Loss with Backup Services

A Q&A with Zeb Ahmed of iland
While most companies seem to understand that preparation is necessary for worst case scenarios, there’s often confusion about what backup services can and can’t do, says Zeb Ahmed of iland. I asked Zeb about the differences between backup and disaster recovery and how organizations can determine which service they might need.


Data Breach Events: A Plaintiff Perspective

A Q&A with John Yanchunis of Morgan & Morgan
The legal landscape around data loss is rapidly evolving, and with major events such as the Anthem breach changing the game on a daily basis, it can be a challenge to keep up with the courts’ current thinking. I spoke with plaintiff attorney John Yanchunis of Morgan & Morgan about some of the most recent developments he’s observed.


Mandiant’s Summers: Companies Mostly Ill-Prepared for Inevitable State-Sponsored Cyber Attacks

Reprinted with permission from HB Litigation.

Fire alarms sounded at the waterfront luxury hotel in Southern California, bringing an early end to the speaker’s presentation.  He was addressing a 200-person audience assembled to learn about avoiding, mitigating and insuring the risks of cyber attacks.  The hotel sirens turned out to be a false alarm, but the message he delivered was not. 

Mandiant Vice President Grady Summers, who delivered the keynote address at the NetDiligence Cyber Risk & Privacy Liability Forum, a twice-annual event produced by HB Litigation Conferences, said it is getting pretty bad in cyberspace when nations are able to take out power grids and water supplies from the other side of the world.   The Mandiant executive, part of the company’s team of highly-sophisticated incident responders who handle many of the higher profile breaches we hear about, said only a small percentage of companies are truly prepared for a cross-functional, cross-departmental response to data breaches — which is exactly what is required. 

Many do not even know who is interested in hacking their systems or how they will do it, he said.  With increasing interest in data from U.S. companies by state-sponsored hackers, and ever-improving levels of sophistication, you do not want to be one of those companies.

Motivation

What motivates a cyber attacker is important to understand because their end-game will determine the seriousness of the threats they present.  Preferring the phrase “threat actors” over characterizations such as “the bad guys,” Summers took the audience through five categories of attacks, from the merely irritating to the terribly damaging variety. 

1.  Nuisance attacks.  These are largely automated attacks executed by people with low skills.  After sustaining such an attack, an organization is typically up and running in no time.

2. Data theft.  These attackers are often state-sponsored, advanced persistent threats, or APTs.  These folks want intellectual property to save their R&D teams from troubling themselves with coming up with inventions of their own.  It has been estimated, Summers said, that attacks on U.S. companies from China have netted its government and companies $250 billion’s worth of U.S. intellectual property. 

3.  Cyber crime.  These hackers are motivated to steal money, and they are getting better at it, Summers said.  Gone are the good old days when mere “SQL injection” was employed.  Now they are stealing with the help of advanced persistent threat concepts, meaning companies are discovering malicious software that has been kicking around in their systems for years.  “We found instances where emails from executives had been forwarded outside the company for four years,” Summers said.  “What used to be ‘smash and grab’ attacks have evolved into complex schemes against payment card processors.  These guys are there for six months and can take $10 million dollars a day.”

Cyber crime — and the business of fighting it — is going to continue to grow, and grow rapidly, Summers said.  This is not something you would know if you only relied on corporate reports to the Securities & Exchange Commission.  Last year a mere 27 companies disclosed the occurrence of cyber events to the SEC.  Mandiant gets thousands of calls about cyber events, the vast majority of which, obviously, are not being reported.  “As events become more visible things will be more public and therefore there will be more reporting,” Summers said.  “As for public companies that don’t choose to report — they are going to have to eventually.”

4.  Hacktivists.  Organizations such as Anonymous and LulzSec claim they hack to support various social causes.  Summers said this category of hacks continues to some extent, but the hackers are not always as sophisticated as they want us to believe.  For example, Anonymous took credit for hacking the Rural Sheriffs Association, ostensibly to protest the association’s alleged mistreatment of immigrants.  But, Summers explained, the group merely grabbed whatever data they could, then crafted a cause to match the data.  They effectively use social media for this purpose, however, Summers said.

5.  Cyber War. “This completely changes things,” Summers said.  Unlike crime and theft — where it is not in the best interest of the hackers to damage the network housing the very data they want to steal — "state-sponsored cyber war combines the desire to destroy with high-levels of technical sophistication," he said.

Five Nations Cyber Armies

Nation states are very active in cyber attacks, Summers said.  Whereas a government simply looks away when cyber crime is taking place, he said five countries lead the pack in actually sanctioning and supporting cyber attacks.

1. China is most active, he said, pointing to APT1, which Mandiant says is a state-sponsored and prolific cyber espionage group that has been in operation since at least 2006, stealing more than 100 terabytes of compressed data — millions of documents — from 141 companies.  They are a cyber espionage factory, with more than 700 servers from which they control their activity, Summers said.  “We tied them back to an army unit and proved actual state involvement,” he said.  For example, when APT1 needed a better internet connection, a communist government official made it happen.  The 76-page Mandiant report can be downloaded at intelreport.mandiant.com.

2. Syria is a more recent entrant, featuring the Syrian Electronic Army (SEA).  The SEA breaks into media outlets, like the Associated Press Twitter account, the Washington Post, and the New York Times.  Syria is getting more serious attention, but primarily it  hacks with the intention of spreading propaganda as it did when it hacked the U.S. Marine Corps website.  They say they are 10,000 strong but in fact they are a very small group.  Despite their small numbers, they are “getting a big return with headlines.”

3. Russia harbors the Russian Business Network, Summers said, characterizing it as an “extensive operation” that is enabling Russia to put cyber operations together in support of conventional military operations. He noted Russia’s attack on Estonia in 2007 during which it took the smaller nation off the Internet so it could not conduct business or financial transactions.  In its attack on Georgia, Russia knocked out news outlets and then sent in tanks, again coupling cyber war techniques with kinetic war tactics.   “Russia is demonstrating the model for what cyber warfare will look like going forward.” 

4. Iran is new to cyber hacking, Summers said, and their intrusions so far have been very quiet.  Iran is emulating China, he said, “but they still have their training wheels on.”  He said Mandiant responded to an attack on a U.S. government agency that had all the fingerprints of an attack from China.  It turned out that it was an attack from Iran, which spent days looking for U.S. defense information.  The Iranian hackers downloaded data, but instead of U.S. defense secrets they captured a treasure trove of data on mounting a legal defense for indigent immigrants in the U.S.  “We might laugh at them now,” he said, “but we shouldn’t for long since they surely will have a more destructive intent.”

5. The United States, unfortunately, has to be included in discussion of cyber warfare, he said. The government likes to say what the U.S. does is very different from what China or Russia does, that is, "we hack for democracy."  But when the curtains were pulled back on Stuxnet, the U.S./Israel cyber worm created to attack Iran’s nuclear facilities, “that sort of blew the doors off” how our activities differ, or do not, from that of other nations.  Summers said people and nations soon will have a tough time seeing the distinctions between U.S. cyber activity and that of other nations.

When discussing the revelations of the National Security Administration’s (NSA) “prying eyes,” he tells companies to move on and pay attention to other threats.  If you want to guard your data from agencies like the NSA, then encrypt your data and don’t use a public cloud.  If you want to fight with the NSA you need a lawyer, not a data security company, he said. 

As far as fighting back against cyber attacks, Summers came out against retaliation.  Some clients want to launch counter-attacks or plant the equivalent of cyber grenades in data that is being stolen.  “Any retaliation is foolish because we have an attribution problem in cyberspace.  It was only after seven years we knew APT1 was hacking.  The opportunity for collateral damage is too great," he said.  The APT1 building, for example, was attached to a day care center.  You could launch a cyber attack against an organization and kill a life support device, he said.  Some non-U.S. companies will do this kind of thing for you, but Summers opposes the activity which, among other things, is illegal. 

Summers predicts that, as with actual war, the solution will be a diplomatic one, not a technical one.  “We have to develop norms like we do for human espionage where, for example, spies are not permitted to kill government officials."

Policies for Companies

Summers advocates that companies adopt the FUD approach — one of Fear, Uncertainty and Doubt.   "Organizations are being targeted more broadly than ever.  Compromise is inevitable.  If Syria, Iran or China want your data, they are going to get in.  The logical conclusion is that detection and response are critical.  And it is a smart practice to assess your risk posture."  Are your systems patched? Are your people trained? How many times have you been compromised? How long did it take you to respond?  Are you examining empirical data that is more output based? Do you have a response team or detection system in place?  Do you possess "situational awareness"? What threats would target your company?  Spear phishing?  Do you have a cross-functional incident response team, including expertise from IT to legal?  "Because that is what you will actually do in the event of a breach," Summers said.

It was at about that point that the fire alarm sounded and Summers wrapped up his address.

This article was written by Tom Hagy, Managing Director of HB Litigation Conferences, co-producer of the conference referenced in the article. Hagy is a former Vice President at LexisNexis and former publisher of Mealey’s Litigation Reports.

Fighting Advanced Malware

A Q&A with Ramon Peypoch of McAfee, Inc.
One of the most insidious enemies of data security is advanced malware. But what are these advanced persistent threats, and how can companies protect themselves from them? I asked Ramon Peypoch, VP of Web Protection at McAfee to share his expertise.

Can you please define ‘advanced malware’ and describe the harm it can bring to an organization?
There’s a confluence of different situations that can fall under the term advanced malware, but basically these are stealth attacks that tend to get past existing security solutions. The threats might come from state-sponsored entities such as the Chinese or Russian governments trying to penetrate United States government networks or steal IP from commercial enterprises. What we know is that advanced malware is responsible for a great deal of loss in terms of IP and financial assets. In terms of the actual techniques involved, advanced malware typically combines sophisticated hacking, social engineering and spear phishing that allow an intruder to go undetected in your network for a long period of time. One example might be something that looks like an email from a friend telling you to click on a link to view vacation photos—you click on the link and nothing seems to happen but important code is downloaded to the machine that would “wake up” the next time you enter in PII. The bottom line is that these are very real threats being perpetrated by very sophisticated people. This is not some 13-year-old antisocial kid trying to make a name for himself.

How common is this threat for organizations?
Research shows us that the true cost of cyber crime is staggering—multiple billions of dollars of losses on an annual basis. If you are a business with any type of sensitive financial information or intellectual property, you are a target. And unfortunately hackers don’t just go after the largest organizations. They actually get the most bang for their buck with small and medium enterprises, because these are often more susceptible than the big guys.

How does advanced malware get through the system? Are organizations failing to implement controls that could stop it?
Basically, advanced malware can defeat signature-based defenses—the conventional security solutions that most people are using today. These are great at stopping already-identified threats but they won’t catch anything new. Since traditional solutions are not effective, the gap is widening, allowing the threats to grow exponentially.

What can a company do to mitigate this exposure proactively?
The easy answer from my perspective is to look into McAfee’s solutions. We are taking a different approach to solving this problem. We use the traditional signature-based solution and complement it with a specific advanced malware solution that uses cloud-based lookups and analysis including a hash of malware sent to different parts of the McAfee protection network. Once it’s identified, it’s stopped right there at all the endpoints and we can do a lookup to make sure nothing has been compromised—if it has, we initiate a remediation process. Unlike a lot of our competitors’ solutions, it’s not just a malware sandbox, it’s actually multiple products working to combat the problem in an integrated way.

In summary…
Ramon underscores the problem that many of our clients are seeing and combating on a daily basis. The bad guys are very smart and often one step ahead of both human and electronic security measures, giving them unauthorized access to information-based assets. Even clients with sophisticated IT operations and large security budgets can fall victim simply because there are so many variables and third-party dependencies to control. (A few examples include a large server farm with an unknown system missing a patch, mishaps with vendors, or staff that get duped.) Organizations need to keep this in mind when selecting solutions for combating malware.
