Don’t let your company be the next grim headline . . .

Cybercrime is on the rise — and businesses large and small are at risk. For management, the question is not if you will be targeted, but when. Are you prepared? Is your enterprise actively monitoring networks, taking steps to understand and contain attacks, enabling continued operation during an incident? Do you have a recovery plan ready?

Few are prepared, explains cybersecurity expert Ray Rothrock, who lays bare tactics used by hackers, vulnerabilities lurking in networks, and strategies not just for surviving attacks, but thriving even while under assault. Fascinating and highly readable, Digital Resilience opens with the infamous 2013 Target attack, which compromised the credit card information of 40 million customers. In hindsight, the hack (like most today) was preventable.

This book helps businesses:
* Understand the threats they face
* Assess the resilience of their networks against attacks
* Identify and address weaknesses
* Respond to exploits swiftly and effectively

Data theft. Downed servers. Malware. Even human error can trigger cyber events anytime from anywhere around the globe. This powerful guide provides the resilience-building strategies you need to prevail — no matter what strikes.
Product dimensions: 6.00(w) x 9.10(h) x 1.00(d)
Age Range: 18 Years
About the Author
RAY A. ROTHROCK is CEO of RedSeal, a premier cyber security analytics platform. RedSeal's corporate customers span the finance, utility, technology, and retail sectors. Government clients include defense, intelligence, and civilian agencies.
Read an Excerpt
Why Resilience Is the Only Rational Cybersecurity Choice
November 30, 2013 — From offices in Bangalore, India, employees of the Silicon Valley security firm FireEye alerted Minneapolis-based Target that they had detected evidence of a security breach of Target's digital network. By this time the U.S. retailer, second only to Walmart in size, had been a FireEye client for about six months, having hired the company for $1.6 million to create a state-of-the-art network security system.
The 2013 attack against Target was one of more than three thousand that year. So, cyberattacks are far from unusual. In fact, in 2016, the Ponemon Institute, which conducts independent research on privacy, data protection, and information security policy, looked at the "likelihood of a company having one or more data breach occurrences in the next twenty-four months" and concluded that each of the 383 companies it surveyed had a "26 percent probability of a material data breach involving ten thousand lost or stolen records." Put another way, over the long term, the nature of the threat against the digital network of your business is defined by two facts.
* Number one, breaches are, by their nature, highly probable occurrences — so probable that, over the long term, they can be deemed inevitable. Breaches will happen. Breaches will happen to you.
* Number two, breaches are, by their nature, costly in time, worry, and reputation.
ANSWERING THE CALL TO ACTION
The call to action is clear: We must protect ourselves and our enterprises. The problem is that no means of protection is bulletproof. It is not enough to erect a "firewall" around the firm's digital infrastructure, issue antimalware software to all hands, pronounce your enterprise "secure," and walk away. Such passive, static security measures are necessary, but they are not sufficient. In Chapter 3, we will review the most effective and cost-effective strategies and devices for "securing" our networks. We must note now, however, and always bear in mind that security alone offers no silver bullet. All security approaches are inherently and inevitably flawed because the vulnerabilities of digital connection are inherent and inevitable. They are the price of opening ourselves to the opportunities of connection. Once we accept the risk-reward trade-off of digital connectivity, our next step is to survive — and even thrive — under attack. Digital security is an incomplete answer. Digital resilience completes the answer.
As a concept, digital resilience is relatively new — but only because digital technology is relatively new, and networked digital technology is even newer. The fact is that digital resilience is a subset of resilience, which is a characteristic of biological, ecological, social, national, and institutional systems that have survived and thrived, some of them since time immemorial. Whereas digital security is about security, digital resilience is about how you do business in today's intensively interconnected environment. It is not confined to the realm of IT specialists, but is a whole-business strategy.
THE TARGET ATTACK: WHAT A FAILURE OF RESILIENCE LOOKS LIKE
Only two things make the 2013 attack on Target unusual: its magnitude — 70 million customers became victims — and the amount and detail of insight we have gained from it. (While the Equifax data breach, which took place during May–July 2017 but was not reported until September 2017, affected at least twice as many victims — 145.5 million American consumers, close to half the U.S. population — we don't as yet have sufficient information to create a definitively illuminating narrative.) The Target attack reveals the severe limits of conventional digital security. More important, it is a call to move beyond these limits. The numbers make it clear that attack is virtually inevitable. We need something more than the current "state of the art" in digital security.
It is true that most private- and public-sector leaders agree on the necessity of making preparations for survival under cyberattack. All sophisticated businesses have active disaster recovery plans (DRP) and business continuity plans (BCP). They understand that having an emergency plan for a crisis is essential. But both DRPs and BCPs are very different from a cyber recovery plan. The purpose of this book is to persuade managers, C-suite executives, and boards of directors that the default environment in which their highly connected businesses, institutions, and government agencies operate is in crisis. Connectivity creates both frictionless business opportunity and frictionless vulnerability to attack. This is today's default situation. Mere survival is not a sufficiently ambitious objective. Intensively connected enterprises need to thrive in high-risk environments and even under attack.
Thriving under attack is not a radical proposal. It is a function of digital resilience. As defined very ably by Andrew Zolli and Ann Marie Healy, resilience is "the capacity of a system, enterprise, or a person to maintain its core purpose and integrity in the face of dramatically changed circumstances." The chapters that follow are about applying the concept and quality of resilience specifically to digital networks. Before we get to these chapters, however, let us take a close-up look at what happened to a network whose operators failed to make it resilient. The Target attack, breach, and data theft, one of about three thousand that year, is representative of today's digital business environment. It is also an event about which we have an abundance of information.
There is no bulletproof protection against cyberattack. Digital security is mandatory but not sufficient. In addition to digital security, understand, embrace, and implement digital resilience as a strategy for surviving and thriving in an inherently insecure digital environment.
On March 26, 2014, John Mulligan, executive vice president and chief financial officer of Target Corporation, testified before the Senate Committee on Commerce, Science, & Transportation. His unenviable task was to explain why and how the credit card data of 40 million of his company's customers had been stolen. "It appears that intruders entered our system on November 12[, 2013]," he testified. "With the benefit of hindsight and new information, we are now asking hard questions regarding the judgments that were made at that time and assessing whether different judgments may have led to different outcomes."
Without doubt, the first "hard question" is why, having been alerted by Bangalore on November 30, 2013, Target's Minneapolis-based Security Operations Center did exactly nothing. Nothing. The next question is, why, after a second alert was sent on December 2, they also did nothing. Target did not even begin an "internal investigation" until December 12, when the retailer was "notified by the Justice Department of suspicious activity involving payment cards used at Target stores." Target personnel met with the DOJ and the Secret Service on December 13, hired "an outside team of experts to lead a thorough forensic investigation" on December 14, and on December 15 "confirmed that criminals had infiltrated our system, installed malware on our point-of-sale network and potentially stolen guest payment card data. That same day, we removed the malware from virtually all registers in our U.S. stores."
By this time, records affecting 70 million customers had been stolen: data for 40 million debit and credit cards plus the personally identifiable information (PII) of those customers in addition to 30 million others whose credit card data was not stolen.
For 40 to 70 million Target customers, there were the ugly consequences of identity theft — unauthorized charges to sort out, inability to access credit, endless phone calls to credit reporting agencies, getting blindsided by fraudulent credit and loan applications, and no way to know when and where the ripples created by compromised PII would end.
For Target, the gross expense created by the breach during 2013–2014 was reported as $252 million. Insurance compensation reduced this to $162 million, and tax deductions brought it down to $105 million. Nevertheless, the company's profits fell 46 percent in its fourth fiscal quarter of 2013 and were down by more than a third for all of 2013. More than 140 lawsuits from customers and financial institutions rolled in. In March 2015, Target settled a class-action suit brought by customers for $10 million; in August, Target settled with Visa for $67 million; and in December, the company settled with several banks (whose credit cards were compromised) for $39 million in damages. Both Target CIO Beth Jacob and CEO Gregg Steinhafel resigned following the breach. Federal and state authorities have threatened fines and other penalties. Beyond all of this, there was the damage to the Target brand and reputation, a hit difficult to measure.
"We are asking hard questions about whether we could have taken different actions before the breach was discovered that would have resulted in different outcomes," Mulligan told the senators. "In particular, we are focused on what information we had that could have alerted us to the breach earlier...."
There is an answer to this. An earlier alert would have made no difference. Two reasons: First, Target made no response to the two alerts it did receive. There is no compelling reason to believe it would have responded to an alert received earlier. Second, the November 30 alert came after the network had been infiltrated but before data was being exfiltrated. The theft itself started on December 2, the date of the second alert. Nurtured on pop culture images of "wired-in" cyber prodigies gone over to the dark side, the uninformed picture "hackers" as superhuman geniuses and assume they move with infinite stealth and at great speed. Those who possess even basic knowledge of the complexity of large digital networks, however, know that infiltrating a network, finding what you want to take, and then exfiltrating that material — which typically amounts to huge quantities of data — takes time: days, weeks, sometimes months.
As far as can be determined, exfiltration from Target did not begin until December 2 and continued for nearly two weeks. The process was painstaking: The malware automatically sent data to three different U.S.-based staging points, servers located in Ashburn, Virginia, Provo, Utah, and Los Angeles, California, active only between 10:00 a.m. and 6:00 p.m. Central Standard Time, probably to reduce the chances that the outflow would be detected by burying it in the massive volume of normal workday traffic. From the U.S. staging points, the data was sent to vpsville.ru, a Moscow-based webhosting service, which operates openly. The company's spokesman, Alexander Kiva, later unapologetically explained that the company has far too many clients to effectively monitor.
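The staging pattern just described, with transfers confined to the workday so they blend into normal traffic volume, is exactly the kind of activity a defender can surface by aggregating outbound flows per destination across days rather than looking at any single hour. The following is an added example, not code from the book or from any of the companies it names: it runs over a handful of constructed flow records (the IP addresses, hosts, byte counts and the "POS segment" and "approved external" lists are all assumptions) and reports external destinations that received bulk data from point-of-sale hosts, how many days the transfers spanned, and whether every transfer fell inside the 10:00 to 18:00 window.

```python
"""Detection sketch (added example, constructed data, not Target's logs):
aggregate outbound bytes from POS hosts by external destination over
several days, so exfiltration timed to sit inside the workday still
stands out against a per-destination baseline."""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed flow records: (timestamp, src_ip, dst_ip, bytes_out).
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges used here
# as stand-ins for unknown external staging servers.
SAMPLE_FLOWS = [
    ("2013-12-02 10:15:00", "10.20.1.15", "10.50.0.8",    2_048),      # POS -> internal payment switch
    ("2013-12-02 10:20:00", "10.20.1.15", "192.0.2.10",   5_000_000),  # POS -> approved processor
    ("2013-12-02 11:40:00", "10.20.1.15", "203.0.113.7",  4_300_000),
    ("2013-12-02 15:05:00", "10.20.1.22", "203.0.113.7",  3_900_000),
    ("2013-12-03 10:30:00", "10.20.1.15", "203.0.113.7",  4_100_000),
    ("2013-12-03 14:10:00", "10.20.1.22", "198.51.100.9", 3_700_000),
    ("2013-12-03 23:50:00", "10.20.1.15", "10.50.0.8",    1_024),      # off-hours, internal
    ("2013-12-04 12:00:00", "10.30.5.3",  "203.0.113.7",  12_000),     # non-POS host, small
    ("2013-12-05 16:45:00", "10.20.1.15", "198.51.100.9", 4_000_000),
]

POS_SEGMENT = ip_network("10.20.0.0/16")          # assumed register/POS address space
INTERNAL_NETS = [ip_network("10.0.0.0/8")]        # assumed corporate address space
APPROVED_EXTERNAL = {ip_address("192.0.2.10")}    # assumed known payment processor
WORKDAY = (10, 18)                                # 10:00 <= hour < 18:00, local time


def summarize_pos_egress(flows, pos_segment, internal_nets, approved_external, threshold_bytes):
    """Return {dst_ip: {"bytes", "days", "workday_only"}} for external, unapproved
    destinations that received at least threshold_bytes from POS hosts.

    The explicit internal_nets list is used instead of ipaddress' is_private,
    because is_private also treats the documentation ranges as non-global."""
    totals = defaultdict(lambda: {"bytes": 0, "days": set(), "workday_only": True})
    for ts, src, dst, nbytes in flows:
        src_ip, dst_ip = ip_address(src), ip_address(dst)
        if src_ip not in pos_segment:
            continue                                  # only care about register traffic
        if any(dst_ip in net for net in internal_nets) or dst_ip in approved_external:
            continue                                  # internal or known-good destination
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        entry = totals[dst]
        entry["bytes"] += nbytes
        entry["days"].add(when.date())
        if not (WORKDAY[0] <= when.hour < WORKDAY[1]):
            entry["workday_only"] = False
    return {
        dst: {"bytes": e["bytes"], "days": len(e["days"]), "workday_only": e["workday_only"]}
        for dst, e in totals.items()
        if e["bytes"] >= threshold_bytes
    }


if __name__ == "__main__":
    report = summarize_pos_egress(SAMPLE_FLOWS, POS_SEGMENT, INTERNAL_NETS, APPROVED_EXTERNAL, 1_000_000)
    for dst, info in sorted(report.items()):
        print(f"{dst}: {info['bytes']:,} bytes over {info['days']} day(s), "
              f"workday-only={info['workday_only']}")
```

Two things the aggregate shows that a single flow does not: the multi-day span (the window in which the transfer could have been stopped) and the fact that every transfer to the unknown destinations landed inside business hours, which is itself a signal once it is visible per destination. In practice the threshold and allowlist come from a baseline of what POS hosts normally talk to, which is why knowing your own network, the point this excerpt keeps returning to, is the prerequisite for this check.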
ADVANCED PERSISTENT THREAT: THE ENEMY WITHIN
Far from being smash-and-grab affairs, most meaningful breaches take time. Indeed, an entire category of breach is categorized as an "Advanced Persistent Threat" (APT), a network attack in which the intruder not only gains access to the network but remains active in it for a long period of time. To date, the most spectacular documented APT was that of "APT1," which was exposed in a February 2013 report by the Mandiant security company. "APT1 is believed to be the 2nd Bureau of [China's] People's Liberation Army (PLA) General Staff Department's (GSD) 3rd Department...." Since 2006, APT1 compromised "141 companies spanning 20 major industries," most of them U.S.-based. It "maintained access to victim networks for an average of 356 days." The longest span was 1,764 days of continuous network access — four years and ten months.
Truly destructive network breaches are not smash-and-grab "attacks." A successful breach is better described and understood as a chronic infection rather than a transitory attack, as espionage and embezzlement rather than burglary, as an invasion and occupation rather than a hit-and-run raid. An intruder can live and operate in your network for hours, days, weeks, years. Detecting and neutralizing a breach begins by gaining complete and comprehensive knowledge of your networks and their connections. Take steps to get this knowledge.
On the one hand, the persistence of the Advanced Persistent Threat is truly appalling. On the other hand, the takeaway lesson of the APT is that the most serious and destructive attacks provide us with a great deal of time to discover them — if we pay attention and if we know our own networks both comprehensively and intimately.
But few enterprises pay enough attention, and even fewer know much of anything about the networks they operate.
APT1 was a highly crafted military operation backed by the resources of the government of the world's most populous nation. As for the level of skill required to pull off the Target breach, however, Jim Walter, director of threat intelligence operations at the McAfee security firm, called the malware that was used "absolutely unsophisticated and uninteresting." Two of its main moving parts were off-the-shelf malware, Citadel and Kaptoxa (pronounced kap-TOEsha), both available for purchase on underground (or under-groundish) websites well known to cybercriminals. The first was used to steal credentials enabling the attackers to enter the Target system. The second was used to steal credit card information of customers who swiped their cards at the stores' cash registers. Both APT1 and the Target breach were long present in the networks they attacked. The significance of this is that they were discoverable, if the operators of the networks under attack had possessed better, fuller knowledge of those networks.
ANATOMY OF A "RUN-OF-THE-MILL" EXPLOIT
Although spectacularly successful, the Target breach was a run-of-the-mill cyber exploit. That means two things. First, it was containable, if not stoppable — which is true of the vast majority of cyberattacks. Second, it was the kind of attack likely to hit anyone who runs any digitally connected business — in other words, anyone who runs just about any business today. Using research from Aorato Labs and the SANS Institute, we can actually trace the likely steps the attackers took. It is worth tracing because some variation of the Target attack has likely been, is being, or will be aimed at your business.
Casing the caper. Retail companies deal with retail customers, but they also interact with an array of B2B vendors. Often, these vendors are given privileged access to networks and data, especially for bidding and billing purposes. A simple Google search would have revealed to the attackers a wealth of information about Target's vendors. Among these was Fazio Mechanical, a Sharpsburg, Pennsylvania–based refrigeration systems contractor that frequently served Target. Additional research could also have turned up, on a Microsoft website, a case study describing how Target used Microsoft System Center Configuration Manager (SCCM) to automatically update and security-patch much of its software infrastructure, including the software for its POS (point-of-sale) system — the system communicating with its retail checkout counter card readers.
Without so much as having to glance away from their computer monitors or committing any crime, the attackers could have, first, found a means of hijacking the credentials that would get them into Target's network and, second, obtained a remarkably detailed picture of the retailer's POS system.
Phishing for an entrance. The attackers launched an email phishing attack against Target's vendors, such as Fazio Mechanical, which were likely to have privileged access to Target's network. A phishing email masquerades as a message from some trusted entity — a bank, for example — and may trick the recipient into revealing confidential information or clicking on a seemingly legitimate attachment that executes an invasion. In the Target case, someone at Fazio innocently clicked on an email attachment that opened a malware program, which infected Fazio's network and the computers on it. Against Fazio, it is thought that the Target attackers used Citadel, an off-the-shelf password-stealing bot developed by cybercriminals from an older item of malware called ZeuS. A Trojan horse used to invade a computer by duping the victim into opening an attachment, ZeuS surfaced in 2007. Both Citadel and ZeuS are available for sale on black market hacker websites.
Excerpted from "Digital Resilience"
Copyright © 2018 Ray A. Rothrock.
Excerpted by permission of AMACOM.
All rights reserved. No part of this excerpt may be reproduced or reprinted without permission in writing from the publisher.
Excerpts are provided by Dial-A-Book Inc. solely for the personal use of visitors to this web site.
Table of Contents
FOREWORD by Richard A. Clarke, v
1 INTENSIVELY NETWORKED: Why Resilience Is the Only Rational Cybersecurity Choice, 1
2 HARD TO BREAK: Resilience — A Winning Strategy in a Losing War, 27
3 THE NATURE OF NETWORKS: Knowledge — The First Step Toward Digital Resilience, 49
4 DIGITALLY BOUND: Getting the C-Suite and Board Up to Speed on Digital Resilience, 83
5 PORTRAIT AND LANDSCAPE: Achieving Resilience in Our Fragile Digital Environment, 109
6 THE MEASURE OF RESILIENCE: Assessing and Improving Your Digital Resilience, 137
7 RESILIENT RESPONSE: Making Resilience a Whole-Business, Whole-Nation, Whole-World Issue, 167
8 ACHIEVING DIGITAL RESILIENCE: A Top-Down Guide, 193
About the Author, 247
Free Sample from Driving Digital by Isaac Sacolick, 248
About AMACOM Books, 266