The amount of daily "Cyber Intelligence" flowing into the organization is growing exponentially and there are few hours in the day to analyze it. You have invested hundreds of thousands if not millions on cyber security to keep your corporate systems protected and ready for any significant business disruptions. Electronic Stored Information (ESI) is continuously being discussed at the Board of Directors meetings. Data Breach Notification Laws are being amended and the congressional pipeline for privacy and cyber laws is in full swing in the United States.
AT&T vs. Apple is now gaining momentum in the news media. Exposing cyber security vulnerabilities without a prudent legal process is starting a healthy dialogue. Andrew Dowell at WSJ explains:
AT&T Inc., reaching out to iPad users Sunday to explain why their email addresses were released last week, blamed the incident on "computer hackers" who "maliciously exploited" an attempt by the carrier to speed the process of logging in to its website.
The comments were the harshest yet by the carrier, which apologized for the security lapse and said it would cooperate with any efforts to investigate or prosecute the breach.
"AT&T takes your privacy seriously and does not tolerate unauthorized access to its customers' information or company websites," the company said.
A group of computer experts calling itself Goatse Security uncovered the flaw and then turned the results over to Gawker Media LLC to be made public last week. Escher Auernheimer, a member of the group, said in a blog post overnight that it acted to protect users and chided AT&T for taking several days to inform customers after becoming aware of the security breach.
"If not for our firm talking about the exploit to third parties who subsequently notified them, they would have never fixed it," Mr. Auernheimer said. "We know what we did was right."
AT&T sent the comments in an email to the roughly 114,000 users of the iPad 3G it determined were affected by the incident. The carrier said only users' email addresses and numbers that identify their devices to AT&T's network were exposed, and that no other personal or account information was at risk.
What AT&T and the Fortune 500 are going to find out is that they are already paying for hackers to test their online and data security. The only way to continuously determine the effectiveness of risk management controls is to continuously test them in a lab or scenario environment. The "Red Cell" approach to attacking the corporate assets from the "inside out" or the "outside in" provides the intelligence necessary to close the gaps and vulnerabilities.
These penetration or vulnerability tests are necessary and the ecosystem of companies and source and methods is expansive. AT&T and Apple may currently subscribe to annual services that provide the intelligence that gives them an alert of a "Red Flag" in their security landscape. The company that provides the intelligence is paying a substantial fee to a network of sophisticated professionals to exploit the vulnerabilities in software coding. Namely, the design, configuration or implementation of a complex set of technologies to determine where and how these vulnerabilities may pose a threat to your assets.
It's possible that AT&T had the intelligence about it's vulnerability and was working on the patch when the whole thing went public in the media. There is a high likelihood that Microsoft, Adobe, Cisco, Juniper and hundreds of others are working on the updates and fixes to flaws that have been identified in the current versions of their software. The public and the consumer are becoming used to the fact that the challenge continues to be an iterative process and worthy of some levels of patience.
Operational Risk Management is not about eliminating all threats to the enterprise. It is about the speed and accuracy of understanding the current levels and threat vectors so you can effectively deter, detect, defend and document. This "4D" approach to risk management in the rapidly changing, digitally mobile organization of 2010 and beyond is a shift away from pure information security thinking that is housed within the Information Technology Department.
The model for Enterprise OPS Risk Management in the most savvy and enlightened critical infrastructure dependent organizations realize that cyber security is not a department or a unit at the company. It remains a horizontal platform on which all business units and the departments of the organization rest and it's pervasive mechanisms for the security and safety of people, processes, systems and external events must operate 24 X 7 X 365.
Just ask the team at CyberCom about the Cyber Holy Grail ahead:
U.S. Cyber Command, a subdivision of U.S. Strategic Command launched last month to help shield the Defense Department against cyberattacks, has a big job in the months ahead. The command has to protect the entirety of the military’s computer systems, which consists of more than 7 million machines, 15,000 networks, 21 satellite gateways and 20,000 commercial circuits. Unauthorized users probe these systems over 6 million times a day. And now Army Gen. Keith Alexander, CyberCom's chief and director of the National Security Agency, has admitted that the command has a long way to go before it can adequately defend against attacks on military networks.National Defense Magazine reports that CyberCom currently lacks the ability to view the DoD's digital domain in real time--a weakness that prevents the command from preventing attacks before they happen.