Tim Guerra of Defensicon Bank grinned as he watched the furious activity in his IT Conference Room. With the 2010 hack of Google, Adobe and 32 other companies and now the Chinese cyber-threat, Tim had decided to engage his IT Department in a scenario planning exercise. What was the most exotic, devilish, unprecedented hack that they could imagine hitting the company?
The white board was filled with wild ideas. One programmer suggested spy cameras hidden in office plants and ceiling tiles, secretly recording every keystroke. Another imagined twin teams of ninjas entering the building through a crawlspace near the garage. The first team would cut network cables and throw smoke bombs to create a diversion – while the second team would break into the server room and replace a rack of servers with an identical-looking server rack teeming with spyware.
The stories were like something out of the movie “Live Free or Die Hard”, or “Ocean’s Eleven”. The room convulsed with laughter when a hack was proposed that involved pigeons, parachutes and a parrot – but things turned grim when Liz DeMarco burst in.
“Somebody has unauthorized access to our online banking platform. We’re watching their activity and they seem to be able to gain entry into almost any account at will.”
“It’s China’s PLA Unit 61398!” somebody from the back of the room shouted. Tim nodded and said to the group, “What did I tell you guys?”
Defensicon Bank is a fictional company, but the issue of cybersecurity is real. How does something like this happen?
What Did Defensicon Bank Miss?
How did the unauthorized account access happen at Defensicon Bank?
Customers’ account numbers were entirely visible – right there in plain sight in the web address. Most people wouldn’t even notice, but to a hacker it was completely obvious. Accessing other accounts was as easy as changing the account numbers in the browser address bar.
There was no exotic foreign threat. No army of diabolical plotters. No hidden flaw in the system. It was simply attributable to a very, very visible oversight.
Like the true story of the British MI5 officer whose anti-terror computer was stolen from an open window in his house, most serious security incidents stem from a failure to take basic precautions.
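As an added illustration (not code from the newsletter or from Capsicum): the Defensicon flaw in miniature, a request handler that trusts the account number in the URL beside one that checks ownership first, plus the same ownership check applied to access-log lines as a detector. The account data, user names and log lines are constructed for the example.

```python
# Added example: a direct-object-reference lookup like Defensicon's, beside a
# hardened version. ACCOUNTS, users and log lines below are constructed.
from urllib.parse import urlparse, parse_qs

# Constructed sample data: which customer owns which account.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500.00},
    "1002": {"owner": "bob", "balance": 400.00},
}

class Forbidden(Exception):
    """Raised when the caller tries to read an account they do not own."""

def account_id_from_url(url):
    """Pull the account number straight out of the query string,
    which is what the vulnerable page exposed to every customer."""
    return parse_qs(urlparse(url).query)["account"][0]

def view_account_vulnerable(session_user, url):
    # Trusts the account number in the URL and never asks whether
    # session_user owns it: change the number, read someone else's balance.
    return ACCOUNTS[account_id_from_url(url)]["balance"]

def view_account_hardened(session_user, url):
    # Same URL shape, but the server verifies that the authenticated user
    # owns the requested account before returning anything.
    acct_id = account_id_from_url(url)
    acct = ACCOUNTS.get(acct_id)
    if acct is None or acct["owner"] != session_user:
        # One response for "no such account" and "not yours", so the
        # endpoint cannot be used to enumerate valid account numbers.
        raise Forbidden("account not accessible")
    return acct["balance"]

def detect_cross_account_reads(log_lines):
    """Flag constructed access-log lines ('user=<name> account=<id>')
    where the user requested an account they do not own."""
    hits = []
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        acct = ACCOUNTS.get(fields["account"])
        if acct is None or acct["owner"] != fields["user"]:
            hits.append(line)
    return hits
```

Running the detector over historical web-server logs is the quickest way to learn whether the gap was ever exploited before it was closed.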
The Chinese Threat
According to a recent report from Mandiant, a unit of the Chinese government – The Chinese People's Liberation Army Unit 61398 – has hacked 141 companies. And from a single company, they stole 6.5 terabytes of data!
With 115 of the companies affected being in the U.S., it’s only natural for companies and even the government to have deep concerns.
President Obama's Executive Order on Cybersecurity underscores how seriously the U.S. is taking this threat. Today, a great deal of America's critical infrastructure is at least partly online – and the fallout from a significant cyber-attack could inflict serious damage on the economy. The growth of “the internet of things” – where “smart” physical objects participate in information networks – only expands the potential impact.
Understandably, Defensicon’s first reaction was to try and protect itself from dedicated armies of hackers who might attempt exotic exploits. After all, they assumed their basic security was already quite good. Yet in reality, this is rarely the case. Companies are chock-full of human beings – and inevitably some of us will leave the window open when we shouldn’t. The appropriate first step is to focus on the ordinary and obvious.
The team at Defensicon was right to worry about safeguarding the bank’s data. But they were starting in the wrong place.
Getting Defensicon’s House in Order
When an organization is sufficiently large, evaluating the entire infrastructure at one time is unwise. There are simply too many things to cover and the process would take too long.
Hackers will prioritize; Defensicon should have done the same. The most effective approach is to begin with limited-scope assessments that focus on hardening high-value targets – like personal online banking -- first.
According to Capsicum Group CEO Sandy Goldstein, “At Capsicum, our process is to conduct face-to-face interviews with key staff members to learn which data is critical to your business and what steps you are taking to keep it safe. Our assessment verifies that the policies, procedures and controls you have in place are actually being followed and enforced. Through our interviews, as well as automated and manual checks, we determine your strengths and weaknesses. We analyze your risk levels and assess potential business impacts.”
It’s a thorough approach: covering a long list of everything from access control and physical premises security, to incident response readiness and disaster recovery readiness.
Many security gaps can be identified through this careful interviewing process. Others must be uncovered using more sophisticated penetration tests and other simulations.
Building a Stronger Defense
Once gaps are identified and remediated, it’s a good idea to review your security architecture. Strong security starts at the top of the company, with clear policies and procedures, layers of control and simple but effective security precautions.
Building a strong architecture takes time and is an ongoing investment. But only once this is in place should companies begin thinking about how to defend themselves against more exotic threats.
Even then, it’s important to recognize that all security is relative. Like a medieval castle, there’s only so long it can provide perfect protection against a dedicated, well-funded army. Bear in mind that one Chinese siege documented by Mandiant continued for nearly five years.
Carefully constructed defensive plans are also needed to address a breach when it happens. All companies should anticipate that it’s a matter of when, not if, and have appropriate contingency plans in place. Thoughtfully considered layers of security will help contain the damage.
It also makes sense to have access to resources that are experienced in handling crime scene data appropriately. At Capsicum, we have deep experience in handling evidence properly, finding and remediating malware, and analyzing the attack so it can be successfully prevented in the future.
A final word
“No institution can possibly survive if it needs geniuses or supermen to manage it. It must be organized in such a way as to be able to get along under a leadership composed of average human beings.”
- Peter Drucker
In the end, the best security is a system that is set up properly in the first place and rigorously maintained. Many security systems are created in an ad-hoc manner to deal with issues as they emerge – and all become lax over time if not occasionally challenged.
If you haven’t audited your security lately, you can be certain that a hacker will eventually put your system to the test. Call Capsicum to help you audit your set up and maintain a safe, well-managed operational environment that is customized to your unique business.
Meet Capsicum Consultant Jake Stone
Jake Stone joined Capsicum Group in March 2012 as a Senior Consultant in our Ft. Lauderdale, Florida office.
From his very American name, you might assume Jake's family has lived in Florida for the past 100 years.
But as Jake explains, “I grew up in Kishinev, in the former Soviet Union when the country was going through tremendous changes and at a time when entrepreneurial spirits ran high. Unlike when my father was my age, it was now possible for people to open businesses.” Which is exactly what Jake did.
With some friends, Jake opened an arcade that charged people to play computer games. As the business grew, he grew curious about how the games worked, and began studying computing. During this time Jake also studied at the State University in Russia, receiving a Bachelor’s of Science, Psychology and Methods of Education.
At 22, Jake left the business to his friends and moved to the U.S. He learned English and became a software developer. "I was very lucky," Jake says. "I met a lot of great people at just the right time and had the opportunity to work with a lot of diverse systems." During his career, Jake has developed software to do everything from tracking online registrations for more than 100,000 sporting events and activities nationwide, to designing and developing a web based application to track suspicious transactions for a currency exchange company with branches located in almost every major airport in the world.
When Jake joined Capsicum’s team in Florida, he quickly became an integral member of the group, doing custom application development, automated forms management, computer forensics and e-discovery. In fact, Jake recently created a custom web application to search and capture marketing information on the Internet for a Capsicum client that saved them significant time and money. According to Jake, “There are many EDD and Forensics products, but each one has certain capabilities and limitations. Capsicum’s specialists can offer a custom-tailored product that is more streamlined, robust, and cost effective. We always want to find a way to do what’s best for our clients, whatever it takes.”
Jake’s entrepreneurial spirit is a great asset as the firm expands its practice in Florida.
Jake is married and has three sons, the oldest of whom attends Arizona State University.
Capsicum Group, LLC, is a technology and consulting company devoted to helping businesses improve operations and successfully complete technology-related projects. Its practice is focused on various disciplines including: digital forensics and investigations, data and tape recovery, electronic and paper discovery and technology, security and compliance. Contact Capsicum today!