08 April 2012

Cyber Reality: Quest for the Digital Castle...

On this Easter Sunday the prayers are silent. For family, friends and also for the subject matter experts in business and the U.S. government. They have been waking us up again to the reality of the Operational Risks we now face, to our ubiquitous digital-based economic infrastructure. The message is clear to those insiders, who have been trying to defend our "Digital Castles" against tremendous odds of these seemingly invisible threats. Is it really, game over?

The short answer is yes. The current mindset should be, that every major business of valuable interest in the eyes of the enemy has already been compromised or soon to be. It is already too late. The stealth digital code is currently waiting in the shadows of your organizations hundreds or thousands of digital assets. Whether it is the aging Dell Tower Desk Tops still running on Windows XP somewhere or the latest Android PDA/Apple IOS devices tethered to the corporate network does not matter. Your adversary has control of when and where to begin the attack on you and your organization. To illustrate the point, Shawn Henry had this to say in a recent interview:

Q: So the cyber threat is truly global in scope?

Henry: Absolutely. In the physical world when somebody robs a bank, the pool of suspects is limited to the number of people in the general vicinity of that bank. When a bank is robbed virtually, even though it is very real for the victims—the money is actually gone—the pool of suspects is limited to the number of people on the face of the earth that have a laptop and an Internet connection, because anybody with an Internet connection can potentially attack any other computer that is tied to the network. You don’t have to be a computer scientist to launch these types of attacks.


So if this is the reality of the global state-of-play, in both the business world and also to government, what should the risk management strategy consist of going forward? How could we ever get to a point of advantage over those who seek to do us harm? That requires a longer answer. Here is what just happened this past week on the Apple beach head:

A strange thing happened earlier this week when Apple closed a security hole that allowed more than half a million Mac computers to get infected.

The infections, by and large, stopped spreading, according to Doctor Web, the Russian maker of antivirus software that researched and publicized the threat.

In the security world, that’s the opposite of what’s expected.

In a paradoxical way, fixing a well-known software bug can expose users to worse attacks. That’s because patching a security hole is the equivalent of planting a flashing neon sign on top of the hole alerting hackers to its presence.

Granted, the patch covers the hole and fixes the problem, but only for people who get the updates. And many people don’t get the updates.

They might use pirated software and thus can’t get patches. They might work in a corporation that tests all patches before pushing them out to all employees, which causes delays. They might have automatic updates turned off. Or their computer might already be infected and blocking security updates.

So internally, the prudent corporate business strategy should be for your General Counsel and the CIO of your organization to be already preparing themselves for the day that they will step before the press conference microphone to disclose the material breach of the companies intellectual capital or theft of assets. They should already know, that it is just a matter time and not a denial that it will ever happen on their watch. If you are a Board Director and you still have not had "The Talk" with management about this stark reality, then you too are complicit in the scheme to present your stockholders and stakeholders with a false sense of confidence that you are safe and secure.

The new normal for forward thinking organizations is already being implemented for adverse events. The Crisis Management Team has already exercised the "Data Breach" scenario numerous times. Your General Counsel and Chief Information Officer have rehearsed and practiced their testimony before opposing and adversarial questioning of your organizations information security processes. The company subject matter experts are more than prepared to submit evidence of their best practices, industry standards compliance and previous tests of due diligence. The stage is set for the court room battles ahead:

Global Payments Inc. (GPN), the bank-card processor whose shares were halted last week after reports of a data breach, said perpetrators may have obtained fewer than 1.5 million card numbers.

The impact is confined to North America, the Atlanta-based company said yesterday in a statement. So-called track 2 data, the information encoded on the back of payment cards, may have been stolen while cardholder names, addresses and Social Security numbers weren’t compromised, the firm said.

“These are fiends, these are bad guys, these are guys who are working day and night to hurt all of us,” Chairman and Chief Executive Officer Paul R. Garcia said today on a call with analysts. “How’d they get in in the first place? That’s not a good thing.”

Global Payments, a so-called merchant acquirer that sets up retailers to accept credit and debit cards, plunged as much as 14 percent on March 30 and was down 9 percent when trading in its stock was halted. The Wall Street Journal reported the same day that 50,000 cardholders may have been put at risk as the firm was hit by a security breach, and krebsonsecurity.com, which tracks cybercrimes, said more than 10 million accounts may have been affected by an incident in the payments industry.

The stock fell an additional 3.2 percent today to $46 at 9:51 a.m. in New York.

The quest for the "Digital Castle" has been going on for years. Are you awake now or still living in a dream of denial on your state of achieving a Defensible Standard of Care? Our Father who art in Heaven...

No comments:

Post a Comment