8 Apr

Near term future consumer risks from successful malicious online activities look to grow

Despite what looks like a daily increase in the number of successful attempts to maliciously disrupt legitimate online activities, end consumers look more exposed today, and for the near-term future, than ever before.

Two factors contribute to this assessment:

  1. Hacker tools now include a much richer supply of once-legitimate access credentials. At the same time, the set of organizations victimized by hacker successes is moving at too slow a pace towards safely pooling the kind of information critically important to the objective of better defending future victims from the next round of hacker activities.
  2. Risk management programs–electronic data insurance policies–exist (and are available for businesses to purchase), but are not funded to an appropriate level, given the extent of business exposure to hacker activities. There is little indication of the underwriters of these programs adding much more financial power to them anytime soon.

Both of these factors are worth further description: proven methods exist to render information specific to organizations anonymous. As written earlier in this blog, I have personal direct experience promoting content sets (Key Risk Indicators, or KRIs) produced by one of these methods by an ISV targeting operational risk management teams for banking institutions subject to the Basel II accord.

There is no reason why similar technology cannot be used to strip critically important information about compromised login credentials of the specifics required to directly identify the source of the data. In case readers are unfamiliar with the imperative for keeping organization-specific information absolutely private, there are a number of good reasons for this requirement. The two most prominent of these amount to:

  1. Protecting an institution from full revelation, to peers within its industry group, of the extent of the damages it suffered, and
  2. Protecting an institution from potentially damaging publicity

Certainly other reasons exist. Readers looking to explore these can contact me. I will be happy to discuss the topic further.
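As an added illustration of the anonymization described above (this is my own example code, not the blog's or any ISV's product), the following shows one way a consortium member could strip a compromised-credential record of the organization name, host name and exact timestamp before pooling it, while still letting other members recognize the credential in their own login streams. The shared consortium key, the record layout and the generalization buckets are assumptions of this example.

```python
"""
Added example: pseudonymizing compromised-credential records before pooling.

Design assumed here (not stated in the post): consortium members share one key
used to HMAC the normalized username.  A member can therefore check its own
login attempts against the pool, but a pooled record carries no organization,
host name or exact time that would identify which member contributed it.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample of a member's internal records (not real data).  The org,
# host and exact timestamp are exactly the fields that must not leave the
# organization.
RAW_RECORDS = [
    {"org": "Example Airline plc", "host": "login.example-airline.test",
     "username": "Alice.Smith@example.test",
     "observed": "2015-03-29T02:14:07Z", "attempts": 1283},
    {"org": "Example Hotels Inc", "host": "members.example-hotels.test",
     "username": "bob@example.test",
     "observed": "2015-03-02T11:00:00Z", "attempts": 42},
]

# Placeholder key for the demo; a real consortium would distribute and rotate it.
CONSORTIUM_KEY = b"constructed-demo-key-not-for-production"


@dataclass(frozen=True)
class PooledRecord:
    """The only fields that leave the organization."""
    credential_tag: str   # HMAC-SHA256 of the normalized username, hex
    observed_month: str   # timestamp coarsened to YYYY-MM
    attempts_bucket: str  # attempt count coarsened to a range


def credential_tag(username: str, key: bytes) -> str:
    """Keyed hash of the normalized username; same input -> same tag for all members."""
    normalized = username.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def attempts_bucket(n: int) -> str:
    """Generalize an exact count so it cannot single out a contributor."""
    if n < 10:
        return "<10"
    if n < 100:
        return "10-99"
    if n < 1000:
        return "100-999"
    return "1000+"


def anonymize(record: dict, key: bytes) -> PooledRecord:
    """Drop org/host/exact time; keep only generalized, keyed fields."""
    return PooledRecord(
        credential_tag=credential_tag(record["username"], key),
        observed_month=record["observed"][:7],
        attempts_bucket=attempts_bucket(record["attempts"]),
    )


def build_pool(records, key: bytes) -> dict:
    """Index pooled records by credential tag for fast lookup by any member."""
    pool = {}
    for rec in records:
        pooled = anonymize(rec, key)
        pool[pooled.credential_tag] = pooled
    return pool


def login_is_known_compromised(username: str, pool: dict, key: bytes) -> bool:
    """Another member's check: is this username in the shared pool?"""
    return credential_tag(username, key) in pool


if __name__ == "__main__":
    pool = build_pool(RAW_RECORDS, CONSORTIUM_KEY)
    for rec in pool.values():
        print(rec)
    print(login_is_known_compromised("alice.smith@example.test", pool, CONSORTIUM_KEY))
```

The pooled record is deliberately lossy: a member receiving it can act on it (step up authentication or force a reset when that credential appears in its own logs) without learning which peer was breached or how badly, which addresses both of the reasons listed above.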

But the lack of interest on the part of risk underwriters to “bulk up” on the financial resources they offer does not look to be as sanguine and easily correctable. On April 7, 2015, the Wall Street Journal published an article written by Rachel King titled Cyber Insurance Capacity is ‘Very Small’: AIG CEO. In my opinion Ms. King is on track to publish this piece, which includes excerpts from an interview Ms. King had with Mr. Peter D. Hancock, the CEO of AIG.

One of the quotes Ms. King includes from her conversation with Mr. Hancock should provide the data security ISV community with a very valuable insight: “I suspect, over time, the willingness of insurers and by others in the industry to provide greater capacity will increase with greater comfort in the maturity of the countermeasures.” Apparently Mr. Hancock, AIG, and, perhaps, a good chunk of the rest of the risk underwriting business community are not yet convinced about our ability to defeat the hackers. Makes sense to me, and it ought to provide ISVs with a reason to work harder at the hacker problem.

In the meantime, businesses, and the members of the general public affiliated with them, should plan on more pain.

Ira Michael Blonder

© IMB Enterprises, Inc. & Ira Michael Blonder, 2015 All Rights Reserved

2 Apr

Frequency and intensity of successful malicious exploits of online data call for a pooling of information between impacted parties

When hackers obtain otherwise legitimate credentials to online sites and the data repositories they contain, the likelihood of success for their efforts to depart with data they do not own is much greater — perhaps unstoppable. Therefore it makes sense for parties impacted by these attacks to pool their information so a new level of defense can be promptly implemented against further successful exploits with the same credentials.

Unfortunately this is the condition apparently in place in March 2015. On Sunday, March 29, 2015 the online edition of the Wall Street Journal ran a story written by the Associated Press titled Some British Airways Frequent-Flier Accounts Hacked. Notable in the article is mention of what appears to be the method the hackers used to access the data: “The breach apparently was the result of a third party using information obtained elsewhere on the Internet”.

Then, through what looks like a brute force method of simply trying credential set after credential set against the access control method at the perimeter of the British Airways web site, the hackers eventually succeeded in their effort. Tellingly, the writers from the Associated Press note this attack is, apparently, the fourth such recent attempt. The other attempts compromised data owned by the “Hilton and Starwood” hotel brands and “United and American airlines”.

It is very hard to defend a data repository against requests for access based on legitimate credentials. Sure, processes can be implemented to detect brute force access methods and to deny access — even to holders of legitimate credentials — when they are presented within the context of a brute force attack. But what if the “automated process” mentioned by the Associated Press amounted to a substantially more sophisticated tactic than a rapid, repeated completion of an online site access form? It would be much harder to detect a brute force attack should it transpire over days, or even weeks.
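To make the detection gap concrete, here is an added example (my own code, not the post's and not how British Airways or any of the named companies detect anything) that runs two detectors over a constructed login log. The first is the classic short-window failure counter; the second keeps a multi-day window and counts distinct usernames tried from one source, so pacing attempts over days does not hide them. The log format, thresholds and window lengths are assumptions of this example.

```python
"""
Added example: detecting credential testing that is paced over days.

Constructed log format (an assumption): "<ISO time> <src ip> <username> <OK|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries a different account roughly every day
# for a week and finally succeeds; the other sources are ordinary users.
SAMPLE_LOG = """\
2015-03-20T09:12:01Z 198.51.100.7 alice FAIL
2015-03-20T09:12:09Z 198.51.100.7 alice OK
2015-03-21T03:40:12Z 203.0.113.9 bob FAIL
2015-03-22T14:03:55Z 203.0.113.9 carol FAIL
2015-03-23T22:17:30Z 203.0.113.9 dave FAIL
2015-03-25T01:05:44Z 203.0.113.9 erin FAIL
2015-03-27T18:48:02Z 203.0.113.9 frank FAIL
2015-03-29T02:14:07Z 203.0.113.9 grace OK
2015-03-29T08:00:00Z 198.51.100.8 bob OK
"""


def parse(log_text: str) -> list:
    """Turn log lines into (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return sorted(events)


def fast_burst_sources(events, window=timedelta(minutes=1), max_failures=5) -> set:
    """Classic rate-limit view: more than max_failures failures from one source
    inside a short window.  Misses anything paced slower than the window."""
    flagged = set()
    failures_by_ip = defaultdict(list)
    for ts, ip, _user, ok in events:
        if not ok:
            failures_by_ip[ip].append(ts)
    for ip, times in failures_by_ip.items():
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_failures:
                flagged.add(ip)
    return flagged


def slow_spray_sources(events, window=timedelta(days=14),
                       min_distinct_users=5, min_fail_ratio=0.8) -> set:
    """Long-window view: one source trying many *distinct* usernames, mostly
    failing, within the window.  Spreading attempts over days does not help
    the attacker because the window is measured in days."""
    flagged = set()
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_events = evs[start:end + 1]
            users = {e[2] for e in window_events}
            fails = sum(1 for e in window_events if not e[3])
            if len(users) >= min_distinct_users and fails / len(window_events) >= min_fail_ratio:
                flagged.add(ip)
    return flagged


def accounts_to_reset(events, flagged_sources) -> set:
    """Defender follow-up: accounts that a flagged source logged into successfully."""
    return {user for _ts, ip, user, ok in events if ok and ip in flagged_sources}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("fast detector:", fast_burst_sources(evs))   # empty: nothing bursts
    print("slow detector:", slow_spray_sources(evs))   # {'203.0.113.9'}
    print("reset:", accounts_to_reset(evs, slow_spray_sources(evs)))
```

On the sample, the one-minute detector flags nothing because no source ever fails twice within a minute, while the fourteen-day detector flags the patient source and points at the one account it did get into, which is the signal that would be worth pooling with peers.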

Regardless of how one argues data owners should defend themselves against these types of attacks, the substantial value of implementing data consortiums — literally groups pooling data about attacks — as a defense method should pass muster. One can argue law enforcement agencies already provide this type of knowledge “beyond the wall” and should be able to play this role. But there is another aspect to the potential of a data consortium for online data security, a similar opportunity to the concept of Key Risk Indicators (KRIs) as it has been applied to efforts to implement Operational Risk Management (ORM) solutions for global financial businesses. This application of a data consortium will not fall within the purview of a decision to look to law enforcement for “environmentally relevant” data about similar data security breaches. I have some experience with ORM solutions including KRIs and would be interested to speak with readers with an interest in hearing further about this notion. Please contact me to discuss.

Ira Michael Blonder


26 Feb

Online businesses look to be on course for a negative event of even greater magnitude — stay tuned

It is one thing to lose something of great value while covered by a comprehensive insurance policy, and quite another to be in the same position, albeit without the coverage.

So adding the insurance policy looks to be a no-brainer, right? Not so fast. According to an article titled Cyber attack risk requires $1bn of insurance cover, companies warned, written by Gina Chon and published on Thursday, January 26, 2015 by the Financial Times, businesses are not only finding a lot of obstacles on their way towards securing the extent of insurance coverage they need to cover online commerce, but (and this is even more worrisome) are also exhibiting a lot of reluctance to even make the effort. If we are looking at a wave of complacency, then perhaps we are looking at a major negative event with enormous financial impact all around in the making.

Back on October 13, 2013 we published a post to this blog titled Online Security Problems are too Pressing for the Public to Continue to Ignore. The position I have always taken on topics like the one Chon treats in her article for the FT is as follows:

  • the “mono protocol” data communications world we have, perhaps inadvertently, created by vigorously pushing further expansion of markup language code at the application layer, with Ethernet over TCP/IP as the underlying pipe, is very, very dangerous. The old world of multiple data protocols running across wide area networks made a lot more sense and was, inherently, safer.

But my position, at present, is “so be it”. The internet, for better or worse, as it is presently technically constructed is here to stay. The question ought to be how do we get this “genie back in the bottle” and mitigate the risks associated with doing business online.

Apparently businesses are not willing to take the steps required to accomplish this critically important step. Underwriters seem not to want to handle the risk and the insured are not willing to pay the cost for coverage. This is a potentially dangerous condition. One would hope all of the parties involved will see their way through to a mutually satisfactory conclusion. The sooner the better.

Ira Michael Blonder
