PREFACE:

Just the other day, when I was looking over a post on the 5 largest cyberbreaches of 2014 (to date),[1] my mind went back to the Case of Bob,[2] a malfeasing cyber breach insider, on whom I blogged in an earlier post.  The top 5 list sequenced a total of 309 million records.[3]  That is, I believe, enough to cover stealing one record each, from every Citizen of Canada (34 million), Italy (61 million), France (63 million), the United Kingdom (64 million), and Germany (82 million); at a total of 304 million records, according to their respective population counts in 2013.[4]  Looking only domestically, in the United States, this 309 million could account for the loss of a single record (e.g. social security number) for all but 6 million U.S. Citizens in a 315 million population count at 2013.[5]  That’s a whole lot of broken (out/into) records![6]

Clearly, this is a big and growing problem.  And so, I decided to look a little more closely at that list, focus-in on the non-American example of South Korea,[7] and lay-down a better understanding of why the cyber realm remains so hard to secure – not just from last year’s big breaches at Target,[8] Adobe,[9] and LivingSocial,[10] but persistently and consistently for even those most tech-savvy of U.S. businesses and veterans of the eCommerce and eBanking verticals, including Google/Gmail,[11] Home Depot,[12] JPMorgan Chase & Co,[13] and eBay;[14] along with assorted state and federal government entities.[15]

I will look at the problem from four angles: “B” for Bob, “E” for eCommerce, “S” for Structure, and “T” for Trust; addressing the challenges and opportunities in each of which obviously requires certain “b-e-s-t” practices.  This is a simplification of an extremely complex issue, but a useful approach, nevertheless.

 

THE B-ANGLE:

Bob[16] was not the first, nor will he be the last insider to “go rogue”.  The debate continues on whether insiders or outsiders are the greater threat.

“The fact that the individual was reportedly able to access and then sell on vast quantities of customer information is very worrying. It should not be the case that an employee – and in this case a temporary consultant – is able to access and then download sensitive data without this suspicious activity being flagged up,” (…)[17]

“It would seem that this case is a classic example of the ‘insider threat’ – that is, the malicious abuse of privileged access. A breach of customer data can spell disaster for a business, due to the loss of customer confidence, revenue and the possibility of severe financial penalties if they are found to have been negligent in the protection of this information.”[18]

However, the safest and highest of best practices is to do one’s utmost to protect against both, and against each through the other, in a figure-of-eight lattice-work.

Suggested solutions include: proper and more comprehensive onboarding and offboarding; segregation of duties; rigorous credentialing and authorization procedures; real-time access and event logging; training and discipline with enforced usage rules (BYOD, social media, portable media, telecommuting); behavioural guidance including full disclosure of privacy limitations and waivers as applicable (travel and mobile security, regulatory compliance, data governance, eDiscovery, and cybersecurity); and so forth – including ONGOING due diligence on ALL employees, vendors, contractors, and counterparties on these parameters.[19] Just as banks were looking to their law firms to harden cyber defences,[20] regulators and especially financial sector regulators, have also been increasingly focused on the issue of cybersecurity.
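As an added example, not code from the original post, the following Python script shows what the “real-time access and event logging” item above can catch when the logs are actually watched. It replays constructed access-log lines, loosely modelled on the contractor-with-an-external-drive pattern described in the notes, and flags exports that exceed a per-role daily limit as well as any removable-media write by a role that is not permitted them. The log format, the roles, the limits and the removable-media policy are all assumptions made for the illustration.

```python
"""Added example (not from the original post): replaying constructed access-log
lines through a simple insider bulk-export detector.  The log format, the user
roles, the per-role export limits and the removable-media policy are all
assumptions made for this illustration."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime
from typing import Dict, List

# Constructed sample log: timestamp user role action record_count
SAMPLE_LOG = """\
2014-01-06T09:12:03 alice employee   QUERY     12
2014-01-06T09:40:11 bob   contractor QUERY     15
2014-01-06T10:05:47 bob   contractor EXPORT    50000
2014-01-06T10:06:02 bob   contractor USB_WRITE 50000
2014-01-06T11:30:00 carol employee   EXPORT    800
2014-01-07T10:02:00 bob   contractor EXPORT    48000
2014-01-07T10:03:10 bob   contractor USB_WRITE 48000
2014-01-07T14:00:00 alice employee   QUERY     30
"""

# Assumed policy: records a role may export per calendar day, and which
# roles may write to removable media at all.
DAILY_EXPORT_LIMIT: Dict[str, int] = {"employee": 5000, "contractor": 1000}
REMOVABLE_MEDIA_ALLOWED = {"employee"}


@dataclass
class Event:
    ts: datetime
    user: str
    role: str
    action: str
    count: int


@dataclass
class Alert:
    user: str
    day: date
    reason: str
    count: int


def parse_log(text: str) -> List[Event]:
    """Parse whitespace-separated log lines; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, action, count = line.split()
        events.append(Event(datetime.fromisoformat(ts), user, role, action, int(count)))
    return events


def detect_bulk_export(events: List[Event], daily_limit=DAILY_EXPORT_LIMIT,
                       removable_media_allowed=REMOVABLE_MEDIA_ALLOWED) -> List[Alert]:
    """Flag (a) removable-media writes by roles not allowed them, and
    (b) per-user daily export totals above the role's limit."""
    exported = defaultdict(int)   # (user, day) -> records exported that day
    role_of = {}
    alerts: List[Alert] = []
    for e in events:
        role_of[e.user] = e.role
        if e.action == "EXPORT":
            exported[(e.user, e.ts.date())] += e.count
        elif e.action == "USB_WRITE" and e.role not in removable_media_allowed:
            alerts.append(Alert(e.user, e.ts.date(),
                                f"removable-media write by {e.role}", e.count))
    for (user, day), total in sorted(exported.items()):
        limit = daily_limit.get(role_of[user], 0)
        if total > limit:
            alerts.append(Alert(user, day,
                                f"{total} records exported in a day; limit for {role_of[user]} is {limit}",
                                total))
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_export(parse_log(SAMPLE_LOG)):
        print(a.day, a.user, a.reason)
```

Run as-is, the script reports four alerts, all for the contractor, and none for the employee whose 800-record export sits inside her role’s limit. The point is that each of the controls named above (segregation of duties, credentialing, logging) only pays off when someone defines the expected baseline per role and compares the logs against it.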

“The question we need to all ask as regulators is should we be considering the cyber threat as something as fundamental to institutions as capital levels. I’m not saying yet that they’re equal but we should probably start discussing them in the same breath[.]”[21] The legal community has long weighed in on this issue as it affects others, but has only recently, and so publicly, been forced to look at its own house, with some resulting and readily available practical guidance on the starting point for a law firm cyber audit that is easily applicable to other industries.[22]

 

THE E-ANGLE:

eCommerce is a 5-edged sword (hard to see in reality – especially as anything easy to wield or even effective, but logically easy to conceptualize). There are the two (alleged) counterparties; there are each of the (apparent) originating and destination locations; and then there are the (acceptable, accredited, and accepted) payment parameters. These are the five.

Counterparties are “alleged” because one or more may be fictitious or on a borrowed or pilfered identity.  Originating and destination locations may be fronts, dead drops, or non-existent.  And the acceptable payment methods may have one party presenting something with false accreditation that is accepted as valid until it is too late to halt the deal;[23] something with proper accreditation that is intercepted before being properly accepted by the intended recipient;[24] or something with proper accreditation that is accepted by a fictitious or otherwise fraudulent counterparty.[25]

Albeit fraught with dangers, eCommerce has become indispensable in an interconnected, and beyond line of sight business world.  The best we can do is manage it, harden it in advance, and adapt as and when a new vulnerability is shown in this constant battle for sword edges between victims, and rogues.

 

THE S-ANGLE:

Now, we look back to South Korea, and ask whether there is any structural strength or weakness that makes the nation a recurring[26] and worthy[27] target for cybercrime; and the answer is a very loud yes.

With a wealthy and tech savvy population that has a GDP/PPP over US $33,000, South Korea in 2013, was Asia’s 4th largest economy, 12th largest in the world, and 10th largest, globally, in terms of trade in merchandise and services, alone.[28] In that same year, the economy grew by 2.8%, and had a projected 2014 growth forecast of 3.5-4%.[29]

Essentially, South Koreans are connected, mobile-friendly, and absolutely just love eCommerce.  Nearly 80% of the population is online, which makes it the most connected country in the world.[30]  Mobile penetration has also long been high,[31] with 75% of South Koreans using smartphones overall, and a 98% penetration rate for the 18-24 demographic.[32] On the subject of eCommerce, the consultant Borderfree, “found that an increasing number of South Koreans shop overseas retailers to find lower prices, leverage parcel forwarding to save on shipping costs and join online communities to resell imported items they don’t want.”[33]  Since at least 2008, it has been quite commonplace for South Koreans to send and receive gift certificates and discount coupons by mobile or smart phone, which can be redeemed just by showing the phone and having it scanned, making coupon clipping (and paper coupons), things of the past.[34]

“From smartphones with flexible, foldable screens to smart refrigerators where you can view the inside contents while shopping; or smart communities, where even your child’s wanderings can be tracked through a central operations centre, Korean companies are on the cutting edge of technology.  Each is vying to be the first to develop the Next Big Thing.”[35]

Hence it follows that if everything cyber-new is there, as in methods and applications in a target-rich environment, then every old and new form of cyber offence will also follow into this nation, which is essentially structured, and functions, as a massive testbed!

This factor is further underscored by the fact that: “South Koreans have on average five credit cards, compared to two in the U.S., and the country has the highest credit card penetration globally.  Consumers in South Korea also use credit more often.  There are 129.7 credit card transactions per year in South Korea, compared to 77.9 credit card transactions annually in the U.S.”[36]  Newer technologies introduced will invariably have often unforeseen vulnerabilities that have yet to be patched, and credit card ownership and use have, to date, hardly proved to be entirely risk-free.

It is therefore no surprise that cyber-criminals will congregate at that confluence of high credit card use, high technology, extreme connectivity and mobility, and intense eCommerce that is South Korea.

 

THE T-ANGLE:

I have written, elsewhere, that data has very many “faces” – ranging through Form Factors, Applications, Categories, End-users, and Scale; and therefore presenting many attack surfaces vulnerable to myriad and multiplying attack vectors.[37]  Yes, we can (and must) generally trust the data of and provided by counterparties in an eCommerce-driven world, but why not also verify? Too few are taking the time to fully go through the steps, due to cost and time concerns.  When you receive an email, does the return email match the claimed sender, is the content their usual, are the links or required/suggested actions suspicious in any way?  When it is a business, does the contact information match what they list in a directory (remembering that the spoof site found through an internet search is still a spoof site)?  If this is a claimed professional, are they registered somewhere in a searchable official or regulatory database with the same contact data?  Finally, if it is a financial institution account communication, then do you do business with them?  If the answer is no, or your financial services provider does not send you such open login requests, then you should delete the message! These are very basic steps.
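As an added example, not from the original post, the following Python script mechanises the first few of those “very basic steps” for a single received email: it compares the From domain with the Reply-To and Return-Path domains, checks the sender against a directory of domains you actually do business with, and compares each link’s displayed address with where the link really points. The two sample messages, the contact directory and the rules are constructed assumptions; a real mail client or gateway would expose these headers through its own interface.

```python
"""Added example (not from the original post): basic consistency checks on a
received email, using only the Python standard library.  The sample messages,
the contact directory and the rules are constructed assumptions."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Set
from urllib.parse import urlparse

# Constructed directory of sender domains you actually do business with.
KNOWN_SENDER_DOMAINS: Set[str] = {"examplebank.example", "acme-supplier.example"}

# Constructed suspicious message: look-alike sender, mismatched reply headers,
# and a link whose visible text differs from its real target.
SUSPICIOUS_MESSAGE = """\
From: Example Bank Security <alerts@examplebank-verify.example>
Reply-To: recover@mail-login-check.example
Return-Path: <bounce@mail-login-check.example>
Subject: Urgent: confirm your login
Content-Type: text/html

<p>Your account is locked. Please visit
<a href="http://203.0.113.10/login">https://online.examplebank.example/login</a>
to restore access.</p>
"""

# Constructed ordinary message from a known counterparty.
CLEAN_MESSAGE = """\
From: Acme Supplier <orders@acme-supplier.example>
Subject: Invoice 1042
Content-Type: text/plain

Hello, the usual monthly invoice is attached.
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")
# Anchor text that looks like a URL or a bare domain (so "click here" is ignored).
DOMAINISH_RE = re.compile(r"(?:https?://)?[\w.-]+\.[a-z]{2,}(?:/\S*)?", re.I)


def domain_of(header_value: str) -> str:
    """Domain part of the first address in a header value, lower-cased."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def body_text(msg) -> str:
    """Concatenate the text parts of a message (single-part or multipart)."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode("utf-8", "replace")
                     for p in parts if p.get_content_maintype() == "text")


def assess_email(raw: str, known_domains=KNOWN_SENDER_DOMAINS) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    msg = message_from_string(raw)
    findings: List[str] = []
    from_domain = domain_of(msg.get("From", ""))
    # Step 1: do the reply and bounce addresses agree with the claimed sender?
    for hdr in ("Reply-To", "Return-Path"):
        value = msg.get(hdr)
        if value and domain_of(value) != from_domain:
            findings.append(f"{hdr} domain {domain_of(value)} differs from From domain {from_domain}")
    # Step 2: is this a domain you actually do business with?
    if from_domain not in known_domains:
        findings.append(f"sender domain {from_domain} is not in your contact directory")
    # Step 3: does each link go where its text says it goes?
    for href, text in LINK_RE.findall(body_text(msg)):
        real_host = (urlparse(href).hostname or "").lower()
        shown = re.sub(r"<[^>]+>", "", text).strip()
        shown_host = ""
        if DOMAINISH_RE.fullmatch(shown):
            shown_host = (urlparse(shown if "://" in shown else "http://" + shown).hostname or "").lower()
        if shown_host and shown_host != real_host:
            findings.append(f"link text shows {shown_host} but points to {real_host}")
        if IPV4_RE.fullmatch(real_host):
            findings.append(f"link points to a bare IP address {real_host}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        findings = assess_email(raw)
        print(name, "->", "delete it" if findings else "looks consistent")
        for f in findings:
            print("  -", f)
```

The constructed “bank” message trips every check (five findings), while the invoice from a known supplier trips none; the directory lookup is the step that catches a look-alike domain even when the headers are internally consistent.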

Forensic investigations, eDiscovery, disaster preparedness and recovery, and assessing the effect and impact of remediation measures are now greatly aided by better information governance;[38] as well as backups balanced with commonsense and due diligence in knowing what you are getting into with specific situations as a cloud vendor, a cloud user, or a basic data custodian.[39]

 

CONCLUSION:

Banks had all the money, but data custodians have all the data. Criminals therefore go after the motherlodes of data (financial services entities, telecommunications providers, medical legal and accounting professionals, governments, and other data-loaded intermediaries including high volume vendors – supermarkets, department stores, and hardware stores) where no shotguns or facemasks are needed, because they are unseen and can blend into that stream of blissfully unmonitored eCommerce.

Whether stupendously big, or comparatively small,[40] and even if we don’t hear about them publicly or immediately,[41] there will likely still be hacks for quite some time to come. However, all is far from lost, despite the mind-numbing possibility of staggering single and cumulative future data breaches in new markets,[42] and due to developing mobile and virtual payment and settlement solutions – regardless of the breach’s apparent or alleged nation of origin.

“However, I also think that all threats can be adequately considered when you focus on: (a) achieving buy-in to the need for security protocols and adherence thereto at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when it makes (for some) the accessing of preferred apps. or sites inconvenient to impossible, or slows people down a little.  I call this cubing the B.”[43]

In the end, it all starts with leadership, because where there is no buy-in for doing what needs to be done from the higher-ups due to cost concerns, short sightedness, or bad advice, there will be little to no I.T. security budget, best practices will be whatever the heck everyone feels like doing at the time, and a breach will surely come.[44]

At the very least, then, in response to Bob & Co. and what they can do, you should sincerely cube that B!

_____________________________________________________

 

Author:

Ekundayo George is a lawyer and a sociologist. He has also taken courses in organizational and micro-organizational behavior, and has significant experience in business law and counseling (incorporations, business plans, contracts and non-disclosure agreements, teaming and joint venture agreements), diverse litigation, and regulatory compliance practice. He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S. business advising, outsourcing and cross-border trade, technology contracts, and U.S. financing). See, for example: http://www.ogalaws.com. A writer, blogger, and avid reader, Mr. George has sector experience in Technology (Telecommunications, eCommerce, Outsourcing, Cloud), Financial Services, Healthcare, Entertainment, Real Estate and Zoning, International/cross-border trade, other services, and Environmental Law and Policy. He is a published author on the National Security aspects of Environmental Law, has represented clients in courts and before regulatory bodies in both Canada and the United States, and he enjoys complex systems analysis in legal, technological, and societal milieux.

 

Mr. George is also an experienced negotiator, facilitator, team leader, and strategic consultant, sourcing, managing, and delivering on large, strategic projects with multiple stakeholders and multidisciplinary teams. Our competencies include program investigation, sub-contracted procurement of personnel and materiel, and such diverse project deliverables as business process re-engineering, devising and delivering tailored training, and other targeted engagements through a highly-credentialed resource pool with several hundred years of combined expertise, in: Healthcare; Education & Training; Law & Regulation; Policy & Plans; Statistics, Economics, & Evaluations including feasibility studies; Infrastructure; and Information Technology/Information Systems (IT/IS – sometimes also termed Information Communications Technologies, or ICT). See, for example: http://www.simprime-ca.com.

 

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”) including employees, agents, directors, officers, successors & assigns, in whole or in part for their content, accuracy, or availability.

 

This article creates no lawyer-client relationship, and is not intended or deemed legal advice, business advice, the rendering any professional service, or attorney advertising where restricted or barred. The author and affiliated entities specifically disclaim and reject any and all loss claimed, no matter howsoever resulting as alleged, due to any action or inaction done in reliance on the contents herein.

 

***********************************************************************

[1] Chris DiMarco. The top 5 largest cyberbreaches of 2014 (for now). Published October 9, 2014 on insidecounsel.com. Online: >http://www.insidecounsel.com/2014/10/09/the-top-5-largest-cyberbreaches-of-2014-for-now?page=1<

The writer gave these top 5, in ascending order, as: Gmail/Google (5 million), Korea Credit Bureau (20 million), Home Depot (56 million), JPMorgan & Chase Co. (83 million), and eBay (145 million). See also infra, notes 11-14, and 7.

[2] Ekundayo George. Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published January 17, 2013 on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[3] Supra, note 1.

[4] See generally, Wikipedia.

[5] Id.

[6] This is especially true as a sixth big breach has been added since the list was first made, which now fully covers those 6 million “formerly” lucky U.S. Citizens. See e.g. Steve Kovach. Nearly 7 Million Dropbox Passwords Have Been Hacked. Published October 13, 2014, on businessinsider.com. Online: >http://www.businessinsider.com/dropbox-hacked-2014-10<

[7] Initially pegged at 20 million (which number I have retained), the Korea Credit Bureau breach was later re-calculated to have impacted 27 million South Koreans. See Steve Ragan. 27 million South Koreans affected by data breach. Published August 25, 2014, on csoonline.com. Online: >http://www.csoonline.com/article/2597617/data-protection/27-million-south-koreans-affected-by-data-breach.html<

[8] CBC News. Target data hack affected 70 million people. Published January 10, 2014, on cbc.ca. Online: >http://www.cbc.ca/news/business/target-data-hack-affected-70-million-people-1.2491431<

[9] Chris Welch. Over 150 million breached records from Adobe hack have surfaced online. Published November 7, 2013, on theverge.com. Online: >http://www.theverge.com/2013/11/7/5078560/over-150-million-breached-records-from-adobe-hack-surface-online<

[10] Rachel King for Zero Day. LivingSocial confirms hacking; More than 50 million accounts affected. Published April 26, 2013, on zdnet.com. Online: >http://www.zdnet.com/livingsocial-confirms-hacking-more-than-50-million-accounts-affected-7000014606/<

[11] See generally Google Corporate. Cleaning up after password dumps. Published September 10, 2014, on googleonlinesecurity.blogspot.ca. Online: >http://googleonlinesecurity.blogspot.ca/2014/09/cleaning-up-after-password-dumps.html<

[12] Ben Elgin, Michael Riley, and Dune Lawrence. Home Depot Hacked After Months of Security Warnings. Published September 18, 2014, on businessweek.com. Online: >http://www.businessweek.com/articles/2014-09-18/home-depot-hacked-wide-open<

[13] Jim Finkle and Karen Freifeld. States probe JPMorgan Chase as hack seen fueling fraud. Published Friday, October 3, 2014, on reuters.com. Online: >http://www.reuters.com/article/2014/10/03/us-jpmorgan-cybersecurity-idUSKCN0HS1ST20141003<

[14] Jennifer Abel. eBay hacked again? BBC reports hijacked seller accounts. Published September 23, 2014, on consumeraffairs.com. Online: >http://www.consumeraffairs.com/news/ebay-hacked-again-bbc-reports-hijacked-seller-accounts-092314.html<

[15] Administrative Office of the Washington Courts. Washington Courts Data Breach Information Center: Common Questions. Visited November 3, 2014 (regarding a data breach discovered in February/March, 2013). Online: >http://www.courts.wa.gov/newsinfo/?fa=newsinfo.displayContent&theFile=dataBreach/commonQuestions< ;

The Associated Press in Washington. Records of up to 25,000 Homeland Security staff hacked in cyber-attack. Published Saturday August 23, 2014, on theguardian.com. Online: >http://www.theguardian.com/technology/2014/aug/23/homeland-security-25000-employees-hacked<

[16] Ekundayo George. Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”. Published January 17, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

[17] Sophie Curtis. Credit card details of 20m South Koreans leaked. Published January 20, 2014, on telegraph.co.uk. Online: >http://www.telegraph.co.uk/technology/internet-security/10584348/Credit-card-details-of-20m-South-Koreans-leaked.html<, comments on the Korea Credit Bureau case by Matt Middleton-Leal, regional director for the UK and Ireland at security firm CyberArk.

[18] Id.

[19] Indeed, both of the monumental hacks – at Target and Korea Credit Bureau, were accomplished through third parties: Krebs on Security, Email Attack on Vendor Set Up Breach at Target. Published February 12, 2014, on Krebsonsecurity.com. Online: >http://krebsonsecurity.com/2014/02/email-attack-on-vendor-set-up-breach-at-target/< ; Lucian Ciolacu. Contractor with USB Stick Commits Biggest Credit Card Data Heist in South Korean History. Published January 21, 2014, on hotforsecurity.com. Online: >http://www.hotforsecurity.com/blog/contractor-with-usb-stick-commits-biggest-credit-card-data-heist-in-south-korean-history-7667.html<

As a result, some banks with their own compliance concerns, are now quite nervous about their law firms as vulnerable third parties. See e.g. Jennifer Smith and Emily Glazer of Dow Jones Business News. Banks Demand That Law Firms Harden Cyberattack Defenses. Published October 26, 2014, on nasdaq.com. Online: >http://www.nasdaq.com/article/banks-demand-that-law-firms-harden-cyberattack-defenses-20141026-00022<

[20] Id. Jennifer Smith and Emily Glazer of Dow Jones Business News.

[21] Kara Scannell in New York. NY bank regulator targets cyber threat. Published October 6, 2014, on ft.com. Online: >http://www.ft.com/cms/s/0/5a981338-4cdf-11e4-a0d7-00144feab7de.html#axzz3HghMk1j4< quote of Benjamin Lawsky, Superintendent for New York’s Department of Financial Services.

[22] Sharon D. Nelson & John W. Simek. Clients Demand Law Firm Cyber Audits. Published in ABA Law Practice Magazine Vol 39, Number 6 (Nov./Dec. 2013) Online: >http://www.americanbar.org/publications/law_practice_magazine/2013/november-december/hot-buttons.html<

[23] As with a stolen credit card, a bounced cheque, or counterfeit cash, for example.

[24] As with a man in the middle attack (spoofed eCommerce website, or legitimate but infected site with cross-site scripting), for example.

[25] As in advance fee fraud, for example.

[26] In July of 2011, two websites (Cyworld and Nate) run by SK Communications of South Korea were breached, resulting in a loss of some 35 million records. “Hackers are believed to have stolen phone numbers, email addresses, names and encrypted information about the sites’ many millions of members.” See BBC. Millions hit in South Korean hack. Published July 28, 2011, on bbc.com. Online: >http://www.bbc.com/news/technology-14323787< . One year later, in July, 2012, South Korean authorities announced arrests in the case of hacks impacting 8.7 million users at KT Corp, the nation’s number one fixed line operator and number two mobile operator.

 

“The company says hackers stole subscribers’ names, phone and personal identification numbers, and then sold the data to telemarketers.”

 

“An illegally installed computer program had collected subscribers’ information over several months, KT Corp said.”

 

See BBC. South Korea arrests phone firm KT Corp hacking suspects. Published July 30, 2012, on bbc.com. Online: >http://www.bbc.com/news/technology-19048494<

[27] To impact the Personally Identifiable Information (PII) records of 40% of an entire nation’s population in a single stroke, is certainly a major scoop, by any reckoning. Especially ironic, are the circumstances of this hack:

 

Customer details appear to have been swiped by a worker at the Korea Credit Bureau, a company that offers risk management and fraud detection services.” (Where were the vendor due diligence, segregation of duties, and the internal fraud controls?) (Emphasis added).

 

“The worker, who had access to various databases at the firm, is alleged to have secretly copied data onto an external drive over the course of a year and a half.” (Where were the access and event logs, “business need only” access privilege limitations, and random audits?) (Emphasis added).

 

See Sophia Yan and K.J. Kwon. Massive data theft hits 40% of South Koreans. Published January 21, 2014, on cnn.com. Online: >http://money.cnn.com/2014/01/21/technology/korea-data-hack/< See also supra, note 13, Jim Finkle and Karen Freifeld (JPMorgan Chase & Co.).

[28] Foreign and Commonwealth Office of the United Kingdom. Guidance: Overseas Business Risk – South Korea. Last updated May 27, 2014, and published on gov.uk. Online: >https://www.gov.uk/government/publications/overseas-business-risk-south-korea/overseas-business-risk-south-korea<

[29] Id.

[30] Daniela Forte. South Korea Stands Out as Ecommerce Market for U.S. Retailers. Published June 19, 2014, on multichannelmerchant.com. Online: >http://multichannelmerchant.com/must-reads/south-korea-stands-out-in-ecommerce-market-for-u-s-retailers-19062014/<

[31] The Associated Press. Korea has nearly as many cell phones as people. Last updated January 28, 2009, and published on nbcnews.com. Online: >http://www.nbcnews.com/id/28893283/ns/technology_and_science-tech_and_gadgets/t/korea-has-nearly-many-cell-phones-people/#.VFKb0xbClGM<

[32] Id., and supra note 30.

[33] Supra note 30.

[34] Reuters. Paper is passe for tech-savvy South Koreans. Published Friday, May 9, 2008, on reuters.com. Online: >http://www.reuters.com/article/2008/05/09/us-korea-coupons-idUSS0914416520080509<

[35] Gordon Hamilton. Asia Pacific report: South Korea now a global technology tiger. Published November 25, 2013, on biv.com. Online: >http://www.biv.com/article/2013/11/asia-pacific-report-south-korea-now-a-global-techn/<

[36] Sarah Jones. South Korea boasts highest global credit card penetration: report. Published June 27, 2014, on luxurydaily.com. Online: >http://www.luxurydaily.com/south-korea-boasts-highest-global-credit-card-penetration-report/<

[37] Ekundayo George. The 100 “FACES” of Data: a 5-part Complex Systems Study (Part 1 – Form Factors). Published November 1, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/11/01/the-100-faces-of-data-a-5-part-complex-systems-study-part-1/<

[38] Ekundayo George. To Gatto from Zubulake: 2 Thumbs-up for Better Information Governance/Anti-Spoliation. Published March 31, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/03/31/to-gatto-from-zubulake-2-thumbs-up-for-better-information-governanceanti-spoliation/<

[39] Ekundayo George. Data Protection and Retention in the Cloud: Getting it Right. Published March 11, 2013, on ogalaws.wordpress.com. Online: >https://ogalaws.wordpress.com/2013/03/11/data-protection-and-retention-in-the-cloud-getting-it-right/< You cannot leave everything to a vendor or counterparty, if and when you are primarily responsible for your own security and the security of the data that you host at rest, in transit, or subject to access and change, for others.

[40] Terry Collins and Anne D’Innocenzio for The Associated Press. Twitter hackers nab data on 250,000 accounts. Published February 2, 2013, on ottawacitizen.com. Online: >http://www.ottawacitizen.com/business/Twitter+hackers+data+accounts/7911027/story.html<

[41] Ben Elgin, Dune Lawrence and Michael Riley. Coke Gets Hacked And Doesn’t Tell Anyone. Published November 4, 2012, on bloomberg.com. Online: >http://www.bloomberg.com/news/2012-11-04/coke-hacked-and-doesn-t-tell.html< This kind of silence is changing, however, due to increasing regulatory focus on cyber risks and cyber events, and a push for timely and full disclosure and remediation when it may impact the bottom line, systemically important entities, or public or investor confidence.

[42] China and India are the most populous nations on earth, with well over 1 Billion citizens, each; but comparatively (with all other nations) very low ratios of banked citizens, and citizens with access to organized credit facilities. The promised easing of China’s restrictions on foreign credit card issuers paves the way for many of the entry-market credit card products that we see in the West – secured cards, rechargeable cards, debit cards, and the like, along with the juicy fees for annual access, loading, overdrafts, late payments, cash advances, and per transaction. Of course, this will require the taking, keeping, and updating of vast amounts of data on a vast population; creating a single and captive, target rich environment of irresistible size that will remain very vulnerable to any lapses in data governance and/or cyber best practices. See generally Joe McDonald of The Associated Press. China easing credit card monopoly opening door for Visa, MasterCard. Published October 30, 2014, on ctvnews.ca. Online: >http://www.ctvnews.ca/business/china-easing-credit-card-monopoly-opening-door-for-visa-mastercard-1.2078518<

[43] Ekundayo George. Individual (allegedly) Wreaks Havoc with Former Employer – Another Teachable Moment in Infosec. Published May 16, 2013, on wordpress.ogalaws.com. Online: >https://ogalaws.wordpress.com/2013/05/16/individual-allegedly-wreaks-havoc-with-former-employer-another-teachable-moment-in-infosec-2/<

[44] See e.g. Supra note 12, Ben Elgin, Michael Riley, and Dune Lawrence (Home Depot).


The story recently broke of an employee (former employee) who had high-level system access as a “software programmer and system manager”.  The allegation is that he retaliated after being passed over for promotions, which led to his resignation in December, 2011; with a final day of work in January, 2012.[1]  According to a Criminal Complaint in the incident as filed by the Federal Bureau of Investigation (FBI) in the District Court for the Eastern District of New York, the accused had worked there for several years, and was actually “one of two employees who were primarily responsible for ensuring that the software that drove the company’s manufacturing business—including its production planning, purchasing, and inventory control—operated efficiently”,[2] showing just how much free system access he really had.  The estimate puts a cost to the former employer of his alleged activities at some $90,000.00 in damages.  Admittedly, it could have been significantly more than this.  That number is not insignificant.  However, we may or may not ever come to know whether it stopped there due to self-imposed limitation(s), or inability to do anything more destructive or wide-ranging due to security impediments.

 

On to the questions:

1. When someone with that kind of access departs, is it now necessary to change every single password of every single employee?

2. Is that the same if you have high IT turnover?  Things can get pretty hectic in that case!

Bob[3] was an “ongoing insider”.  The current accused is therefore a “former insider” and not a “pure outsider”, if looking at the situation from a purist perspective.

3. Which of these three (ongoing insiders, former insiders, and pure outsiders) is now classified as the greater threat to employers and/or businesses in general?
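As an added example, not from the original post, the following Python script offers one way to scope question 1 rather than guess at it: it takes a constructed credential inventory and a departing person, and sorts every secret into “disable” (the leaver’s own accounts), “rotate” (secrets the leaver held, or secrets stored on a system the leaver administered and so could have read), or “untouched”. The person is named after Bob only for continuity with the post; the systems, credentials and the rule itself are assumptions made for the illustration.

```python
"""Added example (not from the original post): scoping what must be disabled
or rotated when a privileged insider leaves.  The inventory below is a
constructed assumption; the rule is that a secret is rotated if the departing
person held it, or if it was stored on a system they administered (and so
could have read)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class Person:
    name: str
    admin_of: FrozenSet[str]      # systems on which this person held admin rights


@dataclass(frozen=True)
class Credential:
    name: str
    kind: str                     # "personal", "shared" or "service"
    holders: FrozenSet[str]       # people who know or use the secret
    stored_on: FrozenSet[str]     # systems where the secret is kept or retrievable


# Constructed inventory.  "directory" is the central account store; the
# departing programmer/system manager administers the ERP application and
# its database, but not the directory.
BOB = Person("bob", frozenset({"erp-app", "erp-db"}))
INVENTORY: List[Credential] = [
    Credential("bob-login",       "personal", frozenset({"bob"}),          frozenset({"directory"})),
    Credential("alice-login",     "personal", frozenset({"alice"}),        frozenset({"directory"})),
    Credential("carol-login",     "personal", frozenset({"carol"}),        frozenset({"directory"})),
    Credential("erp-db-root",     "shared",   frozenset({"bob", "alice"}), frozenset({"erp-db"})),
    Credential("erp-backup-svc",  "service",  frozenset(),                 frozenset({"erp-app"})),
    Credential("vpn-shared-psk",  "shared",   frozenset({"bob", "carol"}), frozenset({"vpn-gw"})),
    Credential("payroll-api-key", "service",  frozenset(),                 frozenset({"payroll"})),
]


def offboarding_plan(departing: Person, inventory: List[Credential]) -> Dict[str, Set[str]]:
    """Split the inventory into: the leaver's own accounts to disable, secrets
    to rotate, and everything that can be left alone."""
    disable: Set[str] = set()
    rotate: Set[str] = set()
    for c in inventory:
        if c.kind == "personal" and c.holders == frozenset({departing.name}):
            disable.add(c.name)          # their own account: disable, do not rotate
            continue
        held = departing.name in c.holders
        reachable = bool(c.stored_on & departing.admin_of)
        if held or reachable:
            rotate.add(c.name)
    untouched = {c.name for c in inventory} - disable - rotate
    return {"disable": disable, "rotate": rotate, "untouched": untouched}


if __name__ == "__main__":
    for bucket, names in offboarding_plan(BOB, INVENTORY).items():
        print(f"{bucket}: {sorted(names)}")
    # Same inventory, but the leaver had also administered the directory:
    # every personal login stored there now falls into the rotate bucket.
    wider = Person("bob", BOB.admin_of | {"directory"})
    print("rotate if directory admin:", sorted(offboarding_plan(wider, INVENTORY)["rotate"]))
```

With the inventory as constructed, the leaver’s own login is disabled, three shared or service secrets are rotated, and the other employees’ logins are left alone; give the same leaver admin rights over the directory and those logins move into the rotate bucket. In other words, what decides the scope is not the headcount but which credential stores the departing person could reach, which is also why an up-to-date inventory is what makes high IT turnover manageable.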

 

There is a sometimes quite intense ongoing debate on whether outside threats or inside threats are greater; but both sides of the debate, and naysayers who disdain such reductionism per se or prefer to focus on purer forms of quantification and categorization, all agree that the state of Infosec/Cybersec is complex and accelerating at a breakneck pace.  Events will doubtless continue to present teachable moments.  I say that an inside the firewall/outside the firewall categorization is helpful in quantifying the potential harm from various threat vectors on available attack surfaces, and planning to address them on a constant and consistent basis.  However, I also think that all threats can be adequately considered when: (a) you focus on achieving buy-in to the need for security protocols and adherence thereto at all levels of the organization; (b) you budget accordingly for training, ERP, and the staff and tools to deal with the threat universe; and (c) you assiduously enforce best practices, even when it makes (for some) their accessing of preferred apps. or sites inconvenient to impossible, or slows people down a little.  I call this cubing the B.

The above-referenced and linked allegations remain allegations.  All parties are innocent until proven guilty in a court of law.

**********************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, social media, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling) in both Canada and the United States.  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  Please See: http://www.ogalaws.com

He is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  Please See: http://www.simprime-ca.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is also a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[2] Federal Bureau of Investigation (FBI).  Press Release.  Long Island Software Programmer Arrested for Hacking into Network of High-Voltage Power Manufacturer.  Published by the FBI on fbi.gov, May 2, 2013.  Online: >http://www.fbi.gov/newyork/press-releases/2013/long-island-software-programmer-arrested-for-hacking-into-network-of-high-voltage-power-manufacturer<

[3] Ekundayo George.  Cybersecurity: the Enemy is also (perhaps even more so), Within – the case of “Bob”.  Published January 17, 2013, on ogalaws.com.  Online: >https://ogalaws.wordpress.com/2013/01/17/cybersecurity-the-enemy-is-also-perhaps-even-more-so-within-the-case-of-bob/<

Much attention is focused on the “Triple A” of Cloud services, namely: Availability all the time (Service Level Agreements and uptime claims); Appropriate access controls (passwords and authentication); and Alteration protection and audit trails, which is especially critical in terms of eDiscovery, and responsibility in ensuring the entity’s ability to effectively backup, recover, and archive its data on a regular basis, and to restore its data on-site or off-site after the fact of a contingency event.

Whether you are thinking of a far-flung transnational operator or a small business, the following are 8 (“eight”) factors to constantly revisit in getting it right when considering or indulging in cloud services.

1.   Backup Cloud: If you have critical functionalities that have moved completely or almost completely to a cloud-based solution (SaaS,[1] PaaS,[2] IaaS,[3] NaaS[4]),[5] then it is highly-advisable to have a backup cloud.  Whether this is done as a failover provision (not always easy to coordinate the two providers), or the running of parallel instances (such as accessing a standalone data archive with staggered replication between those two or more remote access nodes, so permitting them to jointly recover the entire data set should access to the central archive suddenly cease), is ultimately the consumer’s decision.  It is important to remember in the former scenario, however, that if it is not working or suddenly stops working, then it might not be able to failover on its own, without external intervention.  This is especially true if the stoppage is due to a utility outage, climatic event, or human action (terrorism, error, criminality, or hacktivism).

2.   Effective Version Controls: Backup, recovery, and replication processes can be configured in a variety of ways, from the guarantee that a single newer version replaces a single older one, to cases where multiple older versions are retained and disposed-of in sequence as new ones are stored.  Mishaps or mis-alignments in this process can lead to sometimes irretrievable loss of valuable data, which must be avoided.  It may well be true that short of walking hard drives and zip drives, many modern “losses” may still be recoverable.  However, with the increasing complexity and sensitivity of the back-end tools, and the difficulty and active management required to get them to work well together (within promised SLA parameters) for enough of the time, the costs can be prohibitive.  Doing it right the first time, should always be the goal.

3.   Security Consciousness:  There is significant current media and government focus (here in North America and Canada) on the topic of hacking and data exploitation.  One report,[6] indicates that while 54% and 20% respectively of all 2012 breaches were in the accommodation and food services industries, and the retail trade industry,[7] external threats accounted for 95% of all breaches.[8]  With regard to the actors, 83% of breaches against all organizations reporting, were by organized criminal groups,[9] and the descending-order ranking of breach motivation for exploits at large organizations, was: financial or personal gain (71%); disagreement or protest (25%); fun, curiosity, or pride (23%); and grudge or personal offence (2%).[10]  The disgruntled current or former employee with a grudge, is apparently less of a threat than the current employee in deep financial distress, who himself or herself is also apparently less of a threat than the totally unknown but well-financed and staffed criminal organization or state actor that wants access at almost any cost, to the treasure-chest of information on your servers or on the servers of your Cloud Services Provider (CSP).  However, “apparently” is just that, because the reality is joint or co-opted action.  In stating that 65% of internal agent breaches were through a cashier, teller, or waiter, the report also found that “[t]hese individuals, often solicited by external organized gangs, regularly skim customer payment cards on handheld devices designed to capture magnetic stripe data.  The data is then passed up the chain to criminals who use magnetic stripe encoders to fabricate duplicate cards”.[11]  The threat landscape is deep, diverse, and dynamic.  
Forewarned with this knowledge, you should have no choice but to be security conscious, spurring you on to craft strategies appropriate to your industry, entity, and V5,[12] to protect your client and other critical data, systems, and processes against compromise, criminality, and a completely unrecoverable disaster.

4.   Traditional (off-Cloud) Backup: Whether the cloud package is offsite, uses in-house accessories, or is a hybrid solution, off-cloud backup may still be an option – whether in addition to or as an alternative for, a backup cloud.  An offline backup sequence that occurs weekly, daily, or several times during the day depending on the interplay (V5)[13] of data Volume (sheer amount), Velocity (speed of its change), Variety (by operating division, product line, client, transaction, trade or other event, analytical element or matrix of elements in the case of big data, and so forth), Value (its criticality to the core functionality, as well as its full replicability on short-order), and Vulnerability (susceptibility to internal, external, and developing threats), with tapes transported, maintained, and regularly tested for their usability, offsite, is a highly-advisable redundancy.  In the event that the primary workspace is compromised and cloud connectivity interrupted, a well-prepared and practiced entity may – far more swiftly and smoothly than the competition – be able to recover from an initial adverse event or sequence of same, and resume operations in an alternate location using the backup tapes, staff able to reach that location if telecommuting remains unavailable, and either pre-positioned or called-in equipment; as available through an expanding group of contingent offsite emergency recovery solution/outcome providers.

5.   Data Retention Policies: Be aware of, and attune your operations to, applicable data retention policies.  Courts in the United States have, to date, proven more eager than Canadian courts to sanction parties for failing to preserve, protect, and produce data that they should have kept by law, and didn’t, or data that they could have had to present at a court or regulatory proceeding, but couldn’t, due to its initial non-retention.  There may be specific rules pertinent to your industry (such as food, or financial services and the PCI-DSS), your activity (such as Intellectual Property filing/prosecution, and healthcare), or your jurisdiction (differing in Canada and the European Union, for example).

6.   Advisable (and accelerating) Best Practices: Having your data resident (whether by bald custody or actual control, in accordance with your Cloud Services Agreement) in the pocket of a third-party, has its obvious risks.  There are also several more subtle ones, which I have canvassed at some length elsewhere in my several blogs on the cloud and outsourcing in general.  It used to be the fact that: (i) the lawmakers would write a law either creating a new regulator or authorizing an existing regulator to act; (ii) proposed regulations would be published for comment; (iii) final regulations would issue; and (iv) tests in court would help to better define and refine them.  Now, everything is in reverse.  An event leads to tests in court, the regulator makes a knee-jerk reaction to try and restore sanity in the interim, there is a public outcry (either here, or earlier in this reversed process), and then a law is passed; which may start the entire sequence again if the law is too broad, not broad enough, or has some adverse effect on a specified/protected group or interest.  “Best Practices in the Cloud” must for now, remain a still-evolving paradigm, so watch your prose (know what you draft and sign), listen to those-in-the-know (pay attention to ongoing doings, debates, and developments), and stay on your toes (be nimble and adaptive, and keep an open mind in this rapidly-changing service space).

7.   Transferring Risks: Insure thyself!  The costs of privacy practices, data breach liability, and similar lines of insurance have come down due to a modicum of standardization, and increased prevalence and awareness of their value from breach announcements occurring in several industries and jurisdictions; despite apparent best efforts.  Business interruption insurance has long been an option, and now, there are contingent event recovery services that can provide pre-packaged, tailored recovery solutions for a fixed monthly price; which is akin to insurance.  Risks can be transferred (insurance), shared (pooling), accounted for (planning), and limited (due diligence and best practices).  However, they can never be fully eliminated.  Be prepared, practice and game a variety of disaster and other contingency scenarios within your organization on a regular basis – whether actually or as tabletop exercises,[14] and expect the unexpected!  Utilities fail; climatic events don’t discriminate; and irrational actors, opportunists, state actors, hacktivists, and criminals all remain predictable in one respect: they will act!

8.   Alert and Notification Protocols: There is really no substitute for a solid system of internal controls. Pre-employment background checks, segregation of duties, authentication and access logging, counterparty due diligence, and strictly enforced policies, are all critically important.  Only 2% of 2012 breaches for misuse were as a result of inappropriate web or internet usage (surfing the wrong type of site, for example), whilst 43% were the result of abusing system access or privileges, and 50% were the result of using unapproved hardware or devices on work systems[15] (whether with BYOD, or as a workaround on strict network controls or prohibitions).  Having, properly configuring, and diligently checking logs is key to risk management.  However, the report also notes the rising challenge to proper data protection and retention from Anti-forensics[16] – especially when someone else is handling functions, now outsourced on a Cloud, that were formerly done in-house.  Cloud Security and Cybersecurity will, for now, remain as moving targets; even with current calls in the United States for laws empowering private actors to jointly take immediate steps (preserving evidence, curtailing breaches, or tracking sources, deeper structures, and sponsors of security events),[17] while regulators and Law Enforcement and National Security (LENS) actors either get up-to-speed, or use their own customized tools for some parallel or complementary actions.[18]

 

CONCLUSION:

We all know the adage that asks why re-invent the wheel?  I think the Payment Cards Industry Standards Council has already done a very good job in establishing the framework for its members to follow in their data protection and retention efforts as they “process, transmit, or store” that data;[19] which with “access” – presupposed by those first three options, also constitute the majority, if not the totality, of functions that can currently be performed in/via the Cloud.

I also think that the 6 categorical elements of that PCI-DSS Standard,[20] are broadly applicable in other industries; especially with cloud-based or cloud-dependent entities and service models.  To allow for proper tailoring, the 12 sub-elements can of course remain customizable within each of the SaaS, PaaS, IaaS, and NaaS sub-spaces.

There are many avenues that CSPs can pursue in efforts to self-regulate before something, perhaps more draconian than they had wanted, comes down firmly from the lawmakers and/or regulators above; whether with or without the precursor hue & cry following an adverse incident.

Perhaps they may find something in the above that is worthy of trying.[21]

************************************************************************



[1] Software as a Service (SaaS), including “tools for processing, analysis, accounting, CRM, and back-office functions”.

[2] Platform as a Service (PaaS), including tools “for email, online backup, or desktops-on-demand”.

[3] Infrastructure as a Service (IaaS), including “tools for collaboration, integration, and visualization”.

[4] Network as a Service (NaaS), including advanced virtualization tools, such as bandwidth-on-demand for multiple Virtual Private Networks (VPN)-on-demand, and for cloud-to-cloud networking on demand.

[5] See generally, Ekundayo George, at (f).  In whose pocket is your data packet? – International Data Governance.  Published February 6, 2013 on ogalaws.wordpress.com.  Online: >https://ogalaws.wordpress.com/2013/02/06/in-whose-pocket-is-your-data-packet-international-data-governance/<

[6] Verizon.  2012 Data Breach Investigations Report (DBIR).  Published 2012, by Verizon.com.  Online: >http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1<.  The report also discloses an error rate of +/- 4 percent.

[7] Id. at 11.

[8] Id. at 18.

[9] Id. at 20.

[10] Id. at 19.

[11] Id. at 21-2.

[12] Infra, note 13.

[13] The V5 interplay, is the mix of data volume, velocity, variety, value, and vulnerability that determines the how, where, and how often you back it up; amongst other distinct operations and/or management tasks.

[14] I have proposed a number of permanent executive positions for the C-Suite in modern business, including a Chief Contingency policies, plans, and practices Officer (CCO) with line and staff responsibility for all-hazards contingency affairs.  See e.g. Ekundayo George, at (i).  10/4: the “C–Suite” in 2013 and beyond; who should really be there?  Published November 21, 2012 on ogalaws.wordpress.com.  Online: >https://ogalaws.wordpress.com/2012/11/21/104-the-c-suite-in-2013-and-beyond-who-should-really-be-there/<

[15] Verizon.  2012 Data Breach Investigations Report (DBIR), at 35.  Published 2012, by Verizon.com.  Online: >http://www.verizonenterprise.com/resources/reports/rp_data-breach-investigations-report-2012-ebk_en_xg.pdf?__ct_return=1<.

[16] Id. at 55.

[17] American Bar Association (ABA).  National Security Experts Discuss Options for ‘Active’ Cyber Defense.  Published February 11, 2013, by ABA Division for Communications & Media Relations, on abanow.org.  (Link to full podcast is available at bottom of page).  Online: >http://www.abanow.org/2013/02/national-security-experts-discuss-options-for-active-cyber-defense/<

[18] Supra note 15, at 52.  Fully 59% of breaches at all organizations in 2012 (10% for large organizations), were “only” discovered by the target when it was notified of the breach, by an arm of law enforcement/national security.  Notification by third-party as a result of that third-party’s fraud detection measures came next, at 26% and 8% respectively.

[19] PCI Security Standards Council.  PCI DSS Quick Reference Guide – Understanding the Payment Card Industry.  Data Security Standard version 2.0. For merchants and entities that store, process or transmit cardholder data.  Published 2010 on pcisecuritystandards.org, by PCI Security Standards Council LLC.  Online: >https://www.pcisecuritystandards.org/documents/PCI%20SSC%20Quick%20Reference%20Guide.pdf<

[20] Id. at 8.  These six categorical elements of the PCI Data Security Standard (DSS), are: (i) Build and maintain a secure network; (ii) Protect cardholder data; (iii) Maintain a vulnerability management program; (iv) Implement strong access control measures; (v) Regularly monitor and test networks; (vi) Maintain an information security policy.

[21] Supra note 15, at 58.  With regard to PCI DSS in the context of the 2012 Data Breach Investigation Report (DBIR), we read:

“Overall, the standard attempts to set a bar of essential practices for securing cardholder data.  Nearly every case that we have seen thus far has attributes of its breach that could have been prevented if the control requirements had been properly implemented.  Of course, there is no way to be certain that new and different tactics could not have been used by the perpetrators to circumvent a compliant entity’s controls”.

Much ado has been made about the hacking threat from overseas, with regard to cybersecurity.[1]  Indeed, several commentators repeatedly reinforce that belief.[2]  The truth, however, is that Information Technology and Information Systems (IT/IS) employees and contractors, right here in North America, might be the greatest danger and the weakest link in the chain.  The story recently surfaced of a man who had outsourced his many software development contracts at several different employers, to offshore developers in China.[3]  He provided them with all his access codes and scripts, and was basically absent at work.  For how long he did this, or how much additional data those sub-contractors were able to access and potentially download from those employers, and who they were … we may never fully know!

 

As I have stated at length,[4] you need to take a comprehensive approach to Cybersecurity that also watches the employees and contractors at your back, while you are watching the outsiders in front of you.  In scanning only those 180 degrees left to right, and those 180 degrees north to south at your front, you are missing exactly that same size of iceberg at your back.  You must engage in strict Segregation of Duties, initial background checks, datalogs and audit trails, constant network monitoring, and other actions.

 

Apparently, only one of his employers noticed a problem, and sought (outsourced) a deeper look.  Even then, why did it take so long for them to discover that: (i) the credentials assigned to a domestic worker; (ii) were accessing the system out of work hours, almost non-stop; (iii) from a place where the worker was not last noted to have traveled?  There needs to be more of a focus on internal security, employee access logging (where and when, for how long, and how frequently), and real-time system access audits.

 

Clearly, it seems that some U.S. employers are still far from having a serious approach to Cybersecurity.[5]

******************************************************************************


 


[1] Mark Clayton, Staff writer.  Cyber security in 2013: How vulnerable to attack is US now?  Published on csmonitor.com, January 9, 2013.  Online: >http://www.csmonitor.com/layout/set/print/USA/2013/0109/Cyber-security-in-2013-How-vulnerable-to-attack-is-US-now-video<

[2] Ed Beeson/The Star-Ledger.  N.J. businesses should brace for higher cyber security costs, complexity, experts warn.  Published on nj.com, January 15, 2013.  Online: >http://www.nj.com/business/index.ssf/2013/01/nj_businesses_should_brace_for.html<

[3] Claire Gordon.  Man Reportedly Outsources His Own Job To China — Then Spends His Time Watching Cat Videos.  Published on jobs.aol.com, January 16, 2013.  Online: >http://jobs.aol.com/articles/2013/01/16/man-outsources-his-own-job-china/<

[4] Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on ogalaws.wordpress.com, December 9, 2011.  Online: >https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/<

[5] More details about the May, 2012 discovery of that employee are available here.  See Andrew Valentine.  Case Study: Pro-active Log Review Might Be A Good Idea.  Published on verizonbusiness.com, January 14th, 2013.  Online: >http://securityblog.verizonbusiness.com/2013/01/14/case-study-pro-active-log-review-might-be-a-good-idea/#more-2659<

Currently, there is a lot of chatter in military, civilian, political, and business circles on “Cybersecurity” and how best to exploit and secure the cyber-realm or “Cyberspace”.  I wrote in an earlier blog post on the big picture of Cybersecurity, and avoiding data disasters, in general.[1]

Unfortunately, however, while everyone may “think” they are talking about the same thing, I dare say that they are not.  It is, of course, important to know and understand what we are all talking about, before we attempt to secure it with any hope of success.  So, then, what is Cyberspace, we ask?  The answer: almost anything, and nearly everything.  Let me explain, as Cyberspace in its totality, comprises 5 Domains, multiplied by 3 Bundles, to give 15 “e-Compartments”; which e-Compartments should be the focal points of and for, specific protective and exploitative techniques and technologies, as appropriate.  This is a different, flexible approach better attuned to the rapidly changing world of technology.  It will take an extremely momentous event or series of events closely related in time and space, to change and re-align all e-Compartments at once, or to render techniques and technologies used for exploitation and security in more than a handful of these, all obsolete at one and the same time.  I will also discuss cyber-breach consequences, and make commonsense recommendations.

5 DOMAINS:

(a) The Internet (“Net”) is its own domain, and comprises all systems and services accessible through same, as well as being the catch-all category for everything “online”.

(b) A second domain is the telecommunications networks (“Telco”), which cover phone, fax, voicemail, voice over I.P., videoconferencing, webcasting, and so forth.  The Net and Telco are becoming increasingly intertwined and to a large extent, near indistinguishable.

(c) Third, is that complex of computers, servers, and thin and thick clients (“I.T.”) that drive and serve and access the above 2 (“two”), and the remaining 2 (“two”) domains.

(d) The fourth domain, is that of mobile devices (“Mobile”), or the plethora of “steadily richer clients” in smartphones, PDAs, Notebooks, Tablets, and so forth; along with all the portable drives with capacities ranging from a few megabytes to many terabytes (or even “quigaflops”, as I have also blogged, elsewhere).[2]

(e) The fifth domain of Cyberspace may well surprise some of you, but it shouldn’t.   It includes paper!   Yesterday, today, and tomorrow are not the first times that people will walk critical papers, performances, paintings and portraits, and other personal or positive assets including intellectual property out of monitored or even secure locations, by taking their pictures.  This is the world of “P2ED”, where those papers, performances, paintings and portraits, and other personal or positive assets (collectively being the “P”), can be converted into Electronic Documents (meaning “2ED”), and thereby, in essence: “made to move, to order.”  Modern rapid scanning technologies, the camera-capture tools on almost every mobile data device now available on the market, and the staggering storage capacity of portable drives as earlier stated, mean that almost anything can be relocated in time and space almost instantly and quite completely; often without the victim or “targeted subject” being the wiser.  When you add-in the abilities of three-dimensional printers working with multiple pictures from multiple angles, or simple panned video footage, that “P” can be very easily reproduced in and as an “infringing facsimile”, in any place, at any time, and very many times.

An Electronic Document, I would therefore and expansively, define as: 1 (“one”) or more items of data that may include meta data, created or collected or compiled by electronic means from a paper source or sources, an electronic or other source or sources, or a combination of these and that is:

(i) organized in the same or substantially the same way as the original source or that otherwise characterizes and represents or presents the data in a cognizable format; and

(ii) capable:

(1) of being provided or published or posted or displayed or distributed or otherwise transferred by or to, or retained or reviewed as appropriate, by its creator or compiler, or by any other party or parties possessing the appropriate access permissions and utilities, or by both of the creator or compiler and others; or

(2) of being received or retrieved or acquired or accessed or analyzed or processed or altered as appropriate, by its creator or compiler, or by any other party or parties possessing the appropriate access permissions and utilities, or by both of the creator or compiler and others;

in such a way that makes it capable of being stored and therefore used for subsequent reference; and
(iii) capable of being replicated as is or in an alternate format by its creator or compiler, or by any other party or parties with the appropriate access permissions and utilities, or by both of the creator or compiler and others.

3 BUNDLES:

The three bundles by which to multiply each of the five domains, are: Hardware (“HA”), Software (“SO”), and Services (“SE”).

15 E-COMPARTMENTS:

A full treatment of this multiplication into the 15 e-Compartments, would take a very long time; and so, I gladly leave it to the reader.  However, and as a much abbreviated series of examples:

(i) securing one compartment of the hardware (HA) in any or many domains may include access barriers or credentials verification, whether with keys and passes, or by biometric or other technical means.

(ii) Exploiting one compartment of the software (SO) in any or many domains may include knowing and using the vulnerabilities found and from time to time exposed in certain types of programs, where updates and antiviral or other protections are lacking, and in people, by means of social engineering.

(iii) Services (SE), you can further divide into at least 6 (“six”) sub-elements to create “sub-compartments” after the multiplication, of: (a) internal; (b) contracted; and (c) outsourced accredited service personnel, and then the same 3, once again, for actual services performed.  To secure your internal personnel, you would of course, have conducted background checks, and engage in some sort of “lawful” ongoing and periodic monitoring.  Securing contracted services, would involve due diligence of the providers, perhaps additional checks and balances on the personnel to do the actual work, and then of course, there is insurance, appropriate contractual terms including warranties and indemnifications from the provider, and other steps as are reasonable, and sometimes seen as unreasonable by the other side.  When they protest, it can be reassuring to see that they are paying attention and not so desperate for your business as to accept any and all conditions without a word.  Similar steps can also be taken to secure outsourced services, with additional precautions where offshoring or a sensitive industry (such as healthcare, or involving personal information or an especially vulnerable and protected class of persons like children, the disabled, the mentally-challenged, or the elderly), is involved.

(iv) If one were to look at Radiofrequency Identification (RFID) and Near-field Communications (NFC) for example, it becomes obvious how one size does not fit all e-Compartments when trying to secure HA (smart phone passwords), SO (against hacking, tampering, and redirection of funds or data sent or received), and SE (challenge and handshake protocols, and perhaps using geolocation – to the extent lawful – to guard against someone’s account being accessed with the same credentials, and apparently from the same device, in two or more jurisdictions at the same time, as spoofed, or in less time than one could reasonably be expected to travel between them).  Each Domain must therefore have and maintain its own set of techniques and technologies to secure HA, SO, and SE in RFID and NFC, as and where applicable, inter alia.
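The access-log checks that the Bob case above calls for (out-of-hours use, logins from a place the worker was not noted to be in) and the geolocation check in item (iv) (the same credentials used in two places in less time than travel allows) can be written as plain detection logic over authentication records.  The following is an added example, not code from the author or from any product named on this page; the log format, the 08:00 to 18:00 UTC business window, the 900 km/h speed threshold and the per-user expected-country lists are all assumptions.

```python
"""Detections over authentication logs: impossible travel, out-of-hours
access, and logins from countries a worker is not expected to be in.
Added example; the log format and every threshold below are assumptions."""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Set

EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:
    when: datetime   # naive UTC timestamp
    user: str
    ok: bool         # True for SUCCESS, False for FAILURE
    country: str     # ISO-3166 alpha-2 code, as resolved from the source IP
    lat: float
    lon: float


# Constructed sample records (not real log data).  Assumed format:
# <ISO-8601 UTC> <user> <SUCCESS|FAILURE> <country> <lat> <lon>
SAMPLE_LOG = """\
2013-05-01T09:12:00Z bob SUCCESS US 40.71 -74.01
2013-05-01T09:40:00Z bob SUCCESS CN 31.23 121.47
2013-05-01T23:30:00Z bob SUCCESS CN 31.23 121.47
2013-05-02T03:05:00Z bob SUCCESS CN 31.23 121.47
2013-05-01T10:05:00Z alice SUCCESS US 40.71 -74.01
2013-05-01T10:06:00Z alice FAILURE US 40.71 -74.01
2013-05-01T18:30:00Z alice SUCCESS US 40.71 -74.01
"""


def parse_log(text: str) -> List[Login]:
    """Parse whitespace-separated records; blank lines are skipped."""
    logins = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, country, lat, lon = line.split()
        logins.append(Login(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, result == "SUCCESS", country,
                            float(lat), float(lon)))
    return logins


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points on the Earth's surface."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins: List[Login], max_kmh: float = 900.0) -> List[dict]:
    """Flag consecutive successful logins by one user that would require
    moving faster than max_kmh (roughly airliner speed) between them."""
    alerts = []
    by_user: Dict[str, List[Login]] = {}
    for entry in sorted((l for l in logins if l.ok), key=lambda l: l.when):
        by_user.setdefault(entry.user, []).append(entry)
    for user, seq in by_user.items():
        for prev, cur in zip(seq, seq[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600.0
            if km > 0 and (hours == 0 or km / hours > max_kmh):
                alerts.append({"user": user, "km": round(km),
                               "hours": round(hours, 2),
                               "from": prev.country, "to": cur.country})
    return alerts


def out_of_hours(logins: List[Login], start_hour: int = 8,
                 end_hour: int = 18) -> List[Login]:
    """Successful logins outside the assumed business window [start, end) UTC."""
    return [l for l in logins if l.ok and not start_hour <= l.when.hour < end_hour]


def unexpected_country(logins: List[Login],
                       expected: Dict[str, Set[str]]) -> List[Login]:
    """Successful logins from a country not on the user's expected list."""
    return [l for l in logins
            if l.ok and l.country not in expected.get(l.user, set())]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    for alert in impossible_travel(records):
        print("impossible travel:", alert)
    for entry in out_of_hours(records):
        print("out of hours:", entry.user, entry.when.isoformat())
    for entry in unexpected_country(records, {"bob": {"US"}, "alice": {"US"}}):
        print("unexpected country:", entry.user, entry.country, entry.when.isoformat())
```

Failed logins are parsed but ignored by all three detectors, so a single mistyped password does not raise an alert; in production the country and coordinates would come from an IP geolocation lookup rather than from the log line itself.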

3 CONSEQUENCES OF CYBER-BREACH:

Remediation:  This can include the costs of any combination of cash settlements; credit monitoring; credentials replacement for the impacted parties or persons; and changes in the compromised (or absent or insufficient) policies, procedures, personnel, and platforms.

Reputation:  Reputational damage can be felt by its effects on clients, who may leave or reduce their business dealings; labor markets where it may become harder to get the best and brightest talent; media and social media circles, not just the late night talk shows, which may all combine to continue and compound a storm that would otherwise have passed-by and been forgotten more quickly; and of course, insurance deductibles paid and heavier premiums going forwards.  Depending on the specific facts of the situation, the insurer may or may not seek to decline coverage or reduce the available benefits under the applicable policy or policies for errors and omissions, general liability, privacy, and otherwise.  Additional economic impacts may also be felt by issuers in greater “activism” of their shareholders.  The share prices may take a hit, impacting upon debt covenants, debt to equity ratios, leverage ratios – with or without ensuing margin calls – solvency, and directors and officers liability insurance policies, as well.  This, again, could build upon itself in a negative direction if not properly and timely managed.

Regulatory:  The possibility of heavy fines and penalties is always there, whether before or after grueling regulatory investigations that sap time, and resources, and money.  An entity may also face ongoing monitoring and operational restrictions that may go as far as mandatory supervision or takeover.  Suits at law or in equity, or both, may also accrue at a very fierce pace.

4 KEY COMMONSENSE RECOMMENDATIONS:

Systemic Security:  Secure the systems, and those who use and maintain the systems.  This involves the personnel security, the access controls, and educating everyone in the organization on the benefits of compliance with policies, as it could impact upon their salaries and bonuses, the viability of the business, and their jobs.  Where there is a tie-in to their personal realities, stakeholders who see and appreciate potential downsides will be more likely to buy-in to those business practicalities.

Active Management:  Have an Active (and not reactive) Management.  It is never a good recommendation to wait until something bad happens, before thinking about what you will do and how you will react when something bad happens.  More and more jurisdictions are enacting breach notification laws, and so this luxury is no longer an option; even if your jurisdiction has been slow to follow-suit.  Business, today, is hardly so uni-locational as to allow you to be ignorant of global best practices, and still expect to compete and succeed against the competition.  Join and form reputable local industry groups; develop a relationship with a good Public Relations firm; find and retain inside and/or contract and/or outside legal counsel that can cover you on the 3 (“three”) prongs of litigation and e-Discovery, regulatory compliance in your industry, and your contracting and labor practices – in all jurisdictions where you operate; have a solid Social Media presence and policy; and adopt and prepare and plan for, an all-hazards disaster response.

Internal Controls:  Active Management must monitor and verify the Systemic Security through internal controls, inter alia.  Your people must be following these wonderful policies and procedures, otherwise you have just been wasting paper in employee handbooks and handouts, and storage space on your intranet or bulletin board system.  Is Social Media being used responsibly during work time, and regarding work but outside the office?  Are employees following your portable data policies and mobile device policies?  Are contractors being properly segregated from physical areas, online accounts, and specific data that they are not authorized to access?  Are those with authority acting within and not exceeding their access, alteration, and audit authorities?  These and other questions must be asked and answered.  Industry-specific internal controls should include, for any entity with developers writing software or an I.T. department, a policy on Open Source Software (OSS), as I will further explain, below.

Legal and Regulatory Compliance:  Compliance is also very important.  If and when something goes wrong, it always helps to show that you did or were doing the right things, in accordance with law.  The hammer generally tends to fall harder on those who were lax in their compliance, as the weight of culpability becomes significantly harder to avoid.  This is especially important for entities that do not have any in-house legal personnel, which could mean that there is nobody keeping a regular eye on practices and policies that may well slip or dip from time to time, in the ordinary course of business.  The value of regular legal audits becomes that much greater, for a periodic “compliance fine-tuning”.  One area that requires careful scrutiny, tracking, and audits, is Open Source Software (OSS), which is far from being the “free software” that so many may think it is.  Incorporating someone else’s Intellectual Property in company products, or inadvertently contributing the employer’s Intellectual Property to an outside product, through off-time or online collaboration projects, could have dire results.  Some open source licenses will then require that you post all the source code for free and further use by all and sundry; damming a revenue stream and giving away valuable I.P. rights.  Employees and contractors whose contracts state that all they create belongs to the employer, should be made aware of this “significant risk area”, and have some restrictions placed on what they can and cannot do in terms of OSS, collaboration, and their skills as co-mingled with employer property.  The penalties for I.P. infringement, whether of copyright, patent, trademark, or trade secrets, can be severe.

SUMMARY:

This different, flexible approach to Cyberspace and its 15 e-Compartments should serve as a roadmap, in guiding your conceptual approach to the issues in a logical, and step-by-step or compartment by compartment strategy.  As the fields of e-Commerce, Cyberspace, and Cybersecurity grow by leaps and bounds and expand into, above and beyond the “Clouds” – at least until we are all hardwired to be and remain online, at the same time, and all the time – the above basic typologies should suffice and remain the same; and the 5 Domains of Cyberspace, as set out and identified so far, should hold fast, again absent any “category-killer-app” as a caveat.

Happy (belated) Cyber-Monday; and Merry Christmas, 2011!

Author:

Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice.  He is licensed to practice law in Ontario, Canada, as well as multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Ekundayo George, Cybersecurity (the Big Picture): Avoiding “Destabilizing Data Disaster” (D3).  Published on September 1, 2011.  Available at: https://ogalaws.wordpress.com/category/strategic-consulting/cybersecurity/

[2] Ekundayo George, “M”edia Effectiveness. (Blog Tab).  Available at https://ogalaws.wordpress.com/media-effectiveness/

Introduction.

Hurricane Irene of late August, 2011, has come and gone, devastating the Eastern seaboard of the United States of America – especially Vermont and the Carolinas, and also causing damage in Quebec and the Canadian Maritime Provinces (Eastern Canada).[1]  As Hurricane Irene came at the start of hurricane season and shortly after the 5.8 magnitude earthquake of Tuesday, August 23, 2011, centered some 40 miles to the Northwest of the City of Richmond, in the State of Virginia,[2] this is as good a time as any to discuss and promote a more comprehensive approach to our collective Cybersecurity.  I will cover the specific topic of portable data security in another post.

In addition, 2011 has witnessed successful Cyber-hacks on notable businesses, national governments, and government agencies and departments that were thought to be tech-savvy, very well protected, and up to date in their Cybersecurity practices.[3]  However, we should distinguish the “hacktivists”[4] from the “covert snoops”[5] and from the “news-related snoops”;[6] even though they may all look and sound and feel the same, to the hacked.  In essence, we must all realize and always remember that “Destabilizing Data Disaster” (D3) can actually touch anyone, anytime, and as a result of almost any cause or event.  Fortunately, destabilizing need not mean or equal debilitating, if adequate, reasoned, directed planning and preparation have been done; as do BIRDS for the BEES.

BEES & BIRDS.

BEES:

Destabilizing Data Disaster (D3), can be caused by 3 (“three”) main event groupings and 5 (“five”) specific elements, under a “BEES” typology.  These are: (i) Breach Entries; (ii) Environmental, or Economic, or Exported Strictures; and (iii) Engineering Social.

(i) Breach Entries, are intentional intrusions that may or may not be targeted at data retrieval.  The breach factor, refers to the intentional circumvention or disabling of security protocols and barriers to entry.  Examples include denial of service, defacing after gaining administrator privileges, and physical removal, alteration, or destruction of critical hardware, software, or information.  This category also covers the actions of disgruntled employees or contractors; the actions of whom exceed their authority, occur outside the law, or appear to be lawful and legitimate but are done with malicious intent.

(ii)(a) Environmental Stricture, is defined as a compromised functionality due to an environmental event, be it flooding (such as with a swollen river), loss of power due to some weather-related incident (such as with a snowstorm that takes-down power lines), or extreme heat that compromises a power substation or transformer to the point of failure, where there is no backup power, or there is insufficient backup power, on hand.

(ii)(b) Economic Stricture, is defined as a compromised functionality due to an economic event, whether or not foreseeable, such as a bank foreclosure on one’s own premises and assets for non-payment of debt; a dispute with a critical vendor that has a delayed or immediate operational impact; being the subject of a legal injunction; or, being the target of any government action of a regulatory or enforcement nature, including but not limited to investigation or nationalization, with a delayed or immediate data operational impact.

(ii)(c) Exported Stricture, is defined as the impact suffered by the subject entity, when any or all of the other 4 (“four”) other BEES options here listed, befall a critical vendor, a critical customer, or a group of vendors or customers to the point of criticality, such that the stricture cascades in data impact and is exported one or more times along the chain.

(iii) Engineering Social, is defined as the tools and technologies that lure people into sharing or divulging critical access information, or otherwise personal or confidential information that can lead to access or identity theft, phishing, or data mining in the hands of a knowledgeable recipient with malicious intent.  The result can be a loss of secret, confidential, or otherwise proprietary information, which will certainly cause great embarrassment; which may bring legal action from aggrieved parties; and, which may ultimately need to be reported and publicly disclosed across multiple jurisdictions in accordance with then applicable data retention and protection laws.[7]

BIRDS.

As the BEES can occur and swarm in combination, the means to guard against them must be similarly flexible and comprehensive.  From my consultations with and work for corporations and executives in various jurisdictions, I have been able to use a variety of privacy impact assessments of events, reactions, advances in technique and technology, and adaptations, to devise a “BIRDS” Cybersecurity typology for dealing with the BEES.  Individual client circumstances will, however, vary, as the steps must be specifically tailored with additional, custom inputs.  In addition, a comprehensive Cybersecurity policy must be well-structured, well entrenched, well managed, and actively monitored with comprehensive follow-up, in order to have optimum results.  This general scheme, below, though, should get the appropriate Cybersecurity professionals, employees, and managers with budgetary authority, all on the right train of thought, and at the same time.

The 5 (“five”) below points must be taken and comprehensively assessed and addressed in the order that best fits the entity, in light of its then current position, its future plans, and other custom metrics and analyses beyond the scope of this basic introduction.  Presented here simply in the order that gives them their name, these points, are:

Point 1: “Backup and hardening”, means it is vital to ensure that any data farm always has an adequate system for emergency power and management, and offsite data backup.  Remote operation and re-boot, as well as using cloud technologies, may be considered.

Point 2: “Imperatives of full compliance with law”, should be paramount for the entity concerned.  There may be legal and regulatory requirements specific to the industry (such as data retention and protection laws), there may be industry or professional standards or best practices that have the force of law (such as with self-regulatory professional and licensing bodies), or, there may be specific requirements related to investigations or legal proceedings (such as for search warrants and document production in Discovery), or in relation to specific corporate events (as with due diligence on a merger or acquisition).

Point 3: “Rights of verification and correction”, for the data gathered, data held, and data that must or may be disclosed, should be specifically assigned and well-known across the entity.  To the extent prescribed by law in the applicable jurisdiction, the persons on whom and on behalf of whom the data is held, may also have a right to verify and correct.

Point 4: “Data integrity”, as a mandate, makes it similarly vital to follow industry best practices to the extent that they exist, and ensure that all employees know them and are trained to stay up to date (which may give some protection against legal claims, and perhaps, a reduction in premiums from insurers).[8]  This point also involves having, using, and maintaining reliable systems and protocols for input management regarding the data, intrusion prevention and detection, incident management, and then following-up to push through the requisite improvements in policies and procedures from lessons learned.

Point 5: “Site and System access protocols”, should, likewise be paramount for the entity.  Passwords became pass keys, then combinations and security tokens,[9] and now, the field is being populated by an ever-expanding array of biometric applications.  Here, again, it is important to know the local law of the applicable jurisdiction.  In Canada, for example, certain occupations and procedures can mandate a Certified Criminal Record Check.[10]  In all cases, it remains vitally important for an entity to control who has access to the data system and from where.  Staggered edit authorities and segregated levels of both physical area access and system and subsystem access, are and will ever remain, highly advisable.

Summary.

The writing is on the wall, and everyone, as data consumer, handler, and producer, should take personal data security and the collective Cybersecurity, very seriously; especially as we see that top corporations and governments with access to significant technical talent and financing, have been and continue to be, hacked on an alarmingly frequent basis.  The above, however, are some steps and “BIRDS” that any entity may take in hand, alone, or a group of entities or industry may take in hand together, as a “flock”, in order to guard against “Destabilizing Data Disaster” (D3), and to hold off and discourage those troubling swarms of “BEES” gathering, ominously, on the horizon – at least for a time.

Author:

Ekundayo George is a Lawyer and Strategic Consultant.  He is a published author in Environmental Law and Policy; licensed to practice law in multiple states of the United States of America, as well as Ontario, Canada; and has over a decade of solid legal experience in business law and counseling, diverse litigation, and regulatory practice.

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[3] http://www.bbc.co.uk/news/technology-13686141 (“A Brief History of Hacking”).

[4] Id.

[5] http://www.upi.com/Top_News/World-News/2011/02/17/Canadian-government-computers-hacked/UPI-21551297945502/ (Government of Canada suffers major hack attack); http://www.bbc.co.uk/news/technology-13626104 (Top United States Government employees and private sector company executives suffer email hacks).

[6] http://www.bbc.co.uk/news/uk-14685622 (Public figures in the United Kingdom suffer from the intentional hacking of their voicemails).

[7] Many jurisdictions operate under highly complex webs of privacy and data retention laws and regulations covering such areas as: banking information, health information, law enforcement and national security, employment-related information, tax information, electoral rolls, and so forth.  It is important to know the laws of the jurisdiction or jurisdictions within which one operates, or more frequently nowadays – “is deemed to be operating”.  You should always consult competent local legal counsel for specific guidance that is pertinent to your situation, and the facts.

[8] Numerous industries in North America, Canada, and Europe, have specific industry groups – and lobbyists – that enable the meeting of stakeholders and governments on a regular basis to formulate best practices, establish limits on liability, and otherwise shape applicable legislation and regulations in a way that protects the consumer, provides a degree of legal certainty, and enables the industry to thrive by ensuring direct participants that a given level of risk-taking will not be unduly thwarted, and ensuring investors that their investments will be both protected and rewarded.

One example of a health and safety standard is the concept of ALARA (“As Low As Reasonably Achievable”), which received a detailed analysis at the United States Supreme Court, in the case of Silkwood v. Kerr-McGee, 464 U.S. 238 (1984), in reference to workplace radiation exposure in the nuclear energy field.  The concept has since been adopted across other industries using radioisotopes, such as the medical field (See, for example, the Health Canada Guidelines on using diagnostic ultrasound): http://www.hc-sc.gc.ca/ewh-semt/pubs/radiation/01hecs-secs255/rec-eng.php

The concept is also used, as modified, in the field of health and safety in the United Kingdom, where it is termed “As Low as Reasonably Practicable” (ALARP): http://www.hse.gov.uk/risk/theory/alarp.htm, or “So Far as Is Reasonably Practicable” (SFAIRP).  The two are often used interchangeably: http://www.hse.gov.uk/risk/theory/alarpglance.htm

Similarly, in a Report published on June 8, 2011, the Internet Policy Task Force of the United States Department of Commerce proposed best practices for the Internet, that, if followed, would reduce an entity’s Cybersecurity insurance premiums due.  That report is available at: http://www.nist.gov/itl/upload/Cybersecurity_GreenPaper_FinalVersion.pdf

Additional background on the thinking behind this initiative, can be found here http://www.darkreading.com/cloud-security/167901092/security/security-management/230500089/commerce-department-proposes-voluntary-security-best-practices-for-businesses.html

[9] Of note, is the embarrassing fact that a purveyor of security tokens used to protect banking and corporate network access, was recently hacked http://www.bbc.co.uk/news/technology-12784491 (“Hackers tackle secure ID tokens”).

[10] http://www.rcmp-grc.gc.ca/cr-cj/fing-empr2-eng.htm (Background information on the Certified Criminal Record Check procedure, from the Royal Canadian Mounted Police (RCMP)).
