8 Apr

Near term future consumer risks from successful malicious online activities look to grow

With successful attempts to maliciously disrupt legitimate online activity apparently increasing by the day, end consumers look more exposed today, and for the near-term future, than ever before.

Two factors contribute to this assessment:

  1. Hacker tools now include a much richer supply of once-legitimate access credentials. At the same time, the organizations victimized by these attacks are moving too slowly towards safely pooling the information that matters most for defending the next round of victims against the next round of hacker activity.
  2. Risk management programs (electronic data insurance policies) exist and are available for businesses to purchase, but they are not funded at a level appropriate to the extent of business exposure to hacker activity. There is little indication that the underwriters of these programs will add much more financial capacity to them anytime soon.

Both factors deserve further description. On the first: proven methods exist to render organization-specific information anonymous. As written earlier in this blog, I have personal direct experience promoting content sets (Key Risk Indicators, or KRIs) produced by one of these methods by an ISV targeting operational risk management teams at banking institutions subject to the Basel II accord.

There is no reason why similar technology cannot be used to strip critically important information about compromised login credentials of the specifics that would directly identify the source of the data. In case readers are unfamiliar with the imperative for keeping organization-specific information absolutely private, there are a number of good reasons for this requirement. The two most prominent amount to:

  1. Protecting an institution from revealing to peers within its industry group the full extent of the damages it suffered, and
  2. Protecting an institution from potentially damaging publicity

Certainly other reasons exist. Readers looking to explore these can contact me. I will be happy to discuss the topic further.

On the second: the reluctance of risk underwriters to "bulk up" the financial capacity they offer does not look nearly as easily correctable. On April 7, 2015, the Wall Street Journal published an article written by Rachel King titled Cyber Insurance Capacity is 'Very Small': AIG CEO. In my opinion Ms. King is on the right track with this piece, which includes excerpts from an interview Ms. King had with Mr. Peter D. Hancock, the CEO of AIG.

One of the quotes Ms. King includes from her conversation with Mr. Hancock should provide the data security ISV community with a very valuable insight: "I suspect, over time, the willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures." Apparently Mr. Hancock, AIG, and, perhaps, a good chunk of the rest of the risk underwriting community are not yet convinced of our ability to defeat the hackers. That makes sense to me, and it ought to give ISVs a reason to work harder at the hacker problem.

In the meantime, businesses, and the members of the general public affiliated with them, should plan on more pain.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved

2 Apr

Frequency and intensity of successful malicious exploits of online data call for a pooling of information between impacted parties

When hackers obtain otherwise legitimate credentials to online sites and the data repositories behind them, their efforts to depart with data they do not own are much more likely to succeed, and may be all but unstoppable. It therefore makes sense for the parties impacted by these attacks to pool their information, so that a new layer of defense can be promptly implemented against further exploits using the same credentials.

Unfortunately, as of March 2015, reuse of stolen credentials appears to be exactly the condition in place. On Sunday, March 29, 2015 the online edition of the Wall Street Journal ran a story written by the Associated Press titled Some British Airways Frequent-Flier Accounts Hacked. Notable in the article is its mention of what appears to be the method the hackers used to access the data: "The breach apparently was the result of a third party using information obtained elsewhere on the Internet".

Then, through what looks like a brute-force method of simply trying one credential set after another against the access control at the perimeter of the British Airways web site, the hackers eventually succeeded. Tellingly, the Associated Press writers note this attack is, apparently, the fourth such recent attempt. The other attempts compromised data owned by the "Hilton and Starwood" hotel brands and "United and American airlines".

It is very hard to defend a data repository against access requests that carry legitimate credentials. Processes can certainly be implemented to detect brute-force access patterns and to deny access, even to holders of legitimate credentials, when those credentials are presented in the context of a brute-force attack. But what if the "automated process" mentioned by the Associated Press amounted to a substantially more sophisticated tactic than rapid, repeated submission of an online login form? A brute-force attack spread over days, or even weeks, would be much harder to detect.
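To make the detection point concrete, here is an added example (not code from the original post, and not British Airways' systems) that runs two detectors over constructed login events in a hypothetical log format of (timestamp, source IP, username, outcome). The first detector counts failures per source inside a five-minute window, which is the usual defense against rapid brute force. The second counts distinct accounts per source over a seven-day window and catches the slow attacker that the rate check misses. A final helper lists the accounts a flagged source actually entered, which is the information an impacted site would rotate and, stripped of site-identifying detail, share. The IP addresses, usernames and thresholds are all assumptions chosen for the illustration.

```python
"""Rate-based versus long-window detection of credential-based login attacks.
Events and thresholds are constructed for illustration."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _t(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_sample_events():
    """Constructed events: a legitimate user, a fast attacker, a slow attacker."""
    events = []
    # Legitimate user (192.0.2.10): one typo, then a successful login.
    events.append((_t("2015-03-20 09:00:00"), "192.0.2.10", "alice", "failure"))
    events.append((_t("2015-03-20 09:00:20"), "192.0.2.10", "alice", "success"))
    # Fast attacker (203.0.113.7): eight accounts in under two minutes, one hit.
    fast_start = _t("2015-03-21 03:00:00")
    for i, user in enumerate(["bob", "carol", "erin", "frank",
                              "grace", "heidi", "ivan", "judy"]):
        outcome = "success" if user == "carol" else "failure"
        events.append((fast_start + timedelta(seconds=15 * i),
                       "203.0.113.7", user, outcome))
    # Slow attacker (198.51.100.9): one account every twelve hours for
    # five and a half days, one hit at the end.
    slow_start = _t("2015-03-22 00:00:00")
    for i, user in enumerate(["kate", "leo", "mia", "noah", "olga", "pete",
                              "quinn", "rosa", "sam", "tina", "uma", "dave"]):
        outcome = "success" if user == "dave" else "failure"
        events.append((slow_start + timedelta(hours=12 * i),
                       "198.51.100.9", user, outcome))
    return sorted(events)


SAMPLE_EVENTS = build_sample_events()


def rate_based_alerts(events, window=timedelta(minutes=5), max_failures=5):
    """Flag a source once it exceeds max_failures failed logins inside a
    short sliding window. This catches rapid brute force only."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, _user, outcome in events:
        if outcome != "failure":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:   # drop failures outside the window
            q.popleft()
        if len(q) > max_failures:
            flagged.add(ip)
    return flagged


def distinct_account_alerts(events, window=timedelta(days=7), max_accounts=5):
    """Flag a source that touches more than max_accounts distinct usernames
    inside a long sliding window, however slowly it does so. A real user
    rarely needs more than a handful of accounts from one address in a week."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, ip, user, _outcome in events:
        q = recent[ip]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()
        if len({u for _, u in q}) > max_accounts:
            flagged.add(ip)
    return flagged


def compromised_logins(events, flagged_ips):
    """Accounts successfully entered from a flagged source: the credentials
    to force-reset and, with the site's identity stripped, to pool."""
    return {user for _ts, ip, user, outcome in events
            if ip in flagged_ips and outcome == "success"}


if __name__ == "__main__":
    fast = rate_based_alerts(SAMPLE_EVENTS)
    slow_aware = distinct_account_alerts(SAMPLE_EVENTS)
    print("rate-based detector flagged:", sorted(fast))
    print("distinct-account detector flagged:", sorted(slow_aware))
    print("accounts to reset and share:",
          sorted(compromised_logins(SAMPLE_EVENTS, slow_aware)))
```

Two caveats a practitioner would add. Per-source counting of either kind is weakened when the attacker spreads attempts across many addresses (proxies or a botnet), so account-side signals (a single account seeing logins from many sources, or a password known to appear in pooled breach data) are needed alongside it. And the long-window detector trades latency for coverage: the slow attacker is only flagged at the sixth distinct account, days after the campaign began.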

Regardless of how one argues data owners should defend themselves against these attacks, the substantial value of data consortiums (literally, groups pooling data about attacks) as a defense method should pass muster. One can argue that law enforcement agencies already provide this type of knowledge "beyond the wall" and should be able to play this role. But there is another aspect to the potential of a data consortium for online data security, an opportunity similar to the concept of Key Risk Indicators (KRIs) as applied to Operational Risk Management (ORM) solutions for global financial businesses. This application of a data consortium does not fall within the purview of a decision to look to law enforcement for "environmentally relevant" data about similar breaches. I have some experience with ORM solutions including KRIs and would be interested to speak with readers interested in hearing more about this notion. Please contact me to discuss.

Ira Michael Blonder