HIMSS Interview with Richard Staynings

During HIMSS 2016 in Las Vegas I was interviewed by the press for my thoughts on the cybersecurity risks now facing the healthcare industry, and how effective healthcare boards were in managing down these growing risks to their business. While some of the content was broadcast, the following is an edited transcript of the full interview:


Interviewer:
Welcome. I'm here with Richard Staynings, Security Principal and global leader of cybersecurity for the Healthcare Industry at Cisco. Richard is a respected thought-leader in healthcare security and is here at HIMSS with us today.


Richard, I know that you're on a journey talking with healthcare executives and their boards about cybersecurity risks, threats and security best practices, but how receptive, and how aware is the industry to your message? What level of awareness and understanding are you finding when meeting with healthcare leaders?

Richard:
I think healthcare executive and Board understanding of cybersecurity has evolved quite radically from where it was, say, as little as five years ago. Most of this evolution has occurred quite recently in fact.

I think there's been a late awakening amongst Boards of Directors of healthcare providers, payers, and pharmaceutical organizations; a realization of the cyber security threat, and the way that that impacts not only their current business, but also their future business. If we talk about intellectual property loss within the pharmaceutical industry for example, it's a huge concern. The next generation of genomics-based medications is already assumed to have been stolen, largely by foreign nation states, in order to bolster their own pharma sector. All this, largely because of ineffective security across the industry to protect its intellectual property.


At the same time, we're seeing a large amount of media attention generated with regard to cyber breaches of our healthcare systems - patient health information being stolen and exposed, or patient information being encrypted and held to ransom, as has been the case at several hospital systems over the past month. Or malware infestations on hospital networks that have resulted in the hospital having to revert to paper, or even worse, to unplug their network core so that they could deal with the outbreak.

Boards are now aware of some of these issues, and many of them have a good understanding of the enterprise risk and potential impact to their business of cyber security, which I think is something that historically wasn't the case. Security and the Board to a large degree speak different languages, and it's taken a new breed of security leadership to bridge that gap and to translate. By and large, that language barrier caused some historic rifts, and didn't go far in engendering trust towards what security leaders were telling their Boards and executive leaders.


I think there's been a growing realization that in order to communicate to boards, you need to use appropriate language. You need to talk in terms that board members will understand: profit and loss, balance sheets, the cost of action versus the cost of inaction, for example. I think there's a greater risk in healthcare however, because it's not just a question of fines, penalties, restitution costs, or even loss of reputation, it's the fact that there could be physical damage caused to patients, where cyber attacks could compromise patient safety. Protecting patient safety has been the holy grail of healthcare risk management for as long as I have been working in the industry, and now we are seeing a convergence of cyber risks and patient safety concerns.

Cyber attacks can now be leveled against the actual delivery of care to patients in hospitals. Many medical devices are easily compromised to the extent that it's not inconceivable that patients could soon be assassinated in our hospitals. It's relatively easy to compromise the medical devices that patients are attached to, and which may be keeping them alive, or surgical devices being used in an operating theater. This is something I think boards of directors are beginning to recognize, though from what I've seen, most have yet to fully comprehend the magnitude of the threat.


Interviewer:
Do you think that once they understand the risks, leaders have the ability to react quickly? Is it something that they have to go back to their foundation to fix, or is it something that they could put a task force on and get remediation fairly rapidly?

Richard:
The healthcare industry is a juggernaut. It's quite conservative. It takes a lot of effort to stop, and doesn't change direction quickly. Security has largely been an afterthought in the healthcare space. The focus has always been on patient care. Security across the healthcare industry has been massively underfunded and understaffed compared to other industries. Healthcare is probably 10 years behind financial services in most areas of security, and even more so in the formation of high caliber security teams for example. Healthcare is not seen as a glamorous destination for many security professionals. Most transfers into the industry recognize that they will be fighting an uphill battle just to play catch-up to where they were in their previous organizations.

With the right Board and executive sponsorship, reinforced by effective governance and security leadership, and of course funding, the security gap could be narrowed quickly, through more effective adoption of expert managed security services. This would allow the small number of experienced professionals that work in security to focus on higher value tasks.

More importantly, I think there are some more fundamental and structural problems in the way that security is viewed within most healthcare organizations today. Security needs to be elevated in terms of priority at the executive and board level. Security leaders need a seat at the table in Board meetings, so that Boards can effectively discuss, and be made aware of cyber risks and issues that may accompany new service offerings, new business ventures, mergers and acquisitions, etc. The Board needs to be fully informed to make the right decisions and that's not going to happen if the security message is being relayed through the CIO, or someone else with direct access to the Board.



Interviewer:
Given Board understanding of the risks, and the desire and funding to secure their organizations, what should security leaders focus on first?

Richard:
Healthcare security leaders would love an unlimited budget to go out and secure their environments. They have years of under-investment to catch up on, but we need to recognize that Rome wasn't built in a day, and healthcare doesn't have unlimited funds. If anything, funds are getting tighter, which means dollars allocated to security need to come from elsewhere: IT, charitable patient care, etc.

Realistically, and to answer your question, I think that comes down to fully understanding the risks that are being borne by the organization, and the potential impact to the organization's ability to function. That means understanding how the organization works, where there are opportunities to make significant improvements to the risk/reward balance, and how to target scarce resources most effectively.

One of the most effective ways of understanding risk is to conduct a risk assessment but then to prioritize the remediation of risks and control gaps based upon the reduction in enterprise risk. What level of risk can I reduce with the least amount of money? Can I tackle remediation of these really big risks over the course of many years? (Because hospitals have very limited budgets and that situation is not getting any better.) There's an increasing squeeze on healthcare provider budgets especially, because of reduced reimbursement rates from insurance companies and government, and that is really compounding the difficulty for CISOs to block gaps in their overall infrastructure, through the implementation of new more effective security controls.


I think there's also been a historic problem with what I call the "shiny object effect."
"There's a new tool out there that looks to be a panacea to many of the security problems that I have. It's very expensive; the cost to implement is not really fully understood; the time to implement is not really fully understood, and it may be many years before the new tool is able to effectively reduce risk from the time its purchased."
There's been a temptation by CISOs to go after that shiny object, rather than to look at what is the most effective use of the scarce resources at their disposal. There are many opportunities for CISOs to reduce risks very quickly without the outlay of large sums of money, however these opportunities are often missed because security leaders fail to look at security through the conceptual lens of enterprise risk management and risk reduction.


One particular concern in healthcare has to do with the growing security resource shortage. The whole of security is suffering from a massive shortage of qualified, experienced, security professionals and this was reflected in the 2015 Cisco Mid-Year Security Report which found that there's a 12x demand over supply for security professionals. Healthcare doesn't pay as well as financial services and many other industries, and therefore, it's lower down the stack, in terms of its ability to attract and retain top cyber security talent; skilled resources needed to help defend against the attacks that are being leveled at the industry.

I think there's a growing recognition across the healthcare industry of the need to look at optimizing the scarce security resources that it's able to attract and retain, and to focus the attention of those professionals on the areas of greatest need in healthcare security. Areas like security architecture and security awareness training, for example. Healthcare is a very labor-intensive industry, and users have largely disparate levels of computer literacy and security awareness. I think we do that by looking at what we can accomplish more effectively; by procuring services from service providers that can provide expert services that we could never justify staffing ourselves; and doing that cheaper, better, faster than if we were to build those capabilities internally.


Interviewer:
You've dealt with high-level executives and boards, can you compare and contrast the ones that 'get it' versus the ones that don't get it? What's contributing to that?

Richard:
I think there's been a change in the makeup of healthcare boards over the past few years. I've been presenting to boards of directors for probably 15 years or more. I think historically, healthcare boards were made up almost exclusively of clinicians or those sponsoring health services (nuns, for example, in the Catholic Health System), retired and active physicians, line of business owners, as well as the CEO and his team of direct reports.

More recently I've seen a diversification of typical board membership, and the skills and backgrounds of members. This is a big differentiator to those boards that 'get it' and those that have a hard time understanding cybersecurity. It's not universal across all organizations by any means, but there is a growing trend towards diversification.

I'm seeing expertise brought in from other industries, from banking and finance, and some retired military. Also, some people from government and defense backgrounds, that are on the boards of larger healthcare organizations, and are able to bring experience of how other industries 'do security', and an understanding of the cyber risks that they've seen during their active career, or in their full time jobs. They're able to share those experiences and contribute to a much richer board decision-making process.



Interviewer:
I hear a lot of times that the biggest risk factor for security is just workforces themselves. How do you believe companies are dealing with that issue - that the workforce may be the weakest link in security?

Richard:
Well, your people are your greatest asset, and also your biggest risk. This is particularly so in healthcare. You have at one extreme some of the brightest, smartest people on the planet: physicians. Very computer literate, many of these physicians are extremely capable at working their way around rudimentary security controls that IT may have put in place over the years. At the other end, you have scrub nurses, food services, and janitorial staff that may be almost computer illiterate. It creates an interesting challenge when it comes to the question of, "How do we take a security message out to our entire workforce?" Whether they're contractors (most physicians, for example), employees (nursing, admin and billing staff), or contract service providers for janitorial services, maintenance or food services.


How do we take a message out so that all of our people are working together towards a common goal of securing the network, securing the hospital, and protecting patients? I think we have to do that via a quite elaborate security awareness program, and it can't be just a one-off program where all users sit down in front of the same computer and answer a few questions at the end of a video. It also can't be something they do once a year, as part of a staff or contractor attestation that they will follow security and privacy policy.

It needs to be an ongoing process, and it needs to be differentiated and targeted to different types of users. Physicians should see one type of training program, executives see another type; those people who work in IT and may have elevated permissions see yet a different type of program, and those people that are on the cutting edge of delivery out at the nursing stations, should be provided a different type of awareness program that's more privacy focused, and more targeted towards the types of phishing attacks and social engineering that they may experience while fulfilling their jobs. They are in a very different situation to IT, admin or senior executives who, by and large, work most of their days behind closed doors, or at sites where they don't see the public at all.


On that note, where I've seen the most effective security awareness program is where there's a rich and diverse multimedia approach. Where there are a variety of web-based delivery systems, classroom-based lectures, and brown-bag seminars / group lunch discussions, and where users are required to participate. Most importantly, where there are constant reminders of awareness themes throughout the workplace, so it's not forgotten.

One particular health system I do a lot of work with has little cartoon characters on their elevators and at doorways. It's to remind the staff subtly not to talk about patients in public areas because they could be overheard. Most patients that walk through the hospital probably just think it's a cute little animal for the kids, and have no idea of the value it's also providing to staff privacy and security awareness. The value that these animals provide is immeasurable in terms of making the staff aware and making them think, "Hey, I'm in a public area. I can't discuss patient issues here".


Interviewer:
Healthcare rightly or wrongly is seen as an increasingly highly regulated industry. Have you found that these governing organizations are helping to advance security?

Richard:
I think compliance in the healthcare space was the initial spark that really led towards improved security and privacy across the industry. I don't think it's necessarily as effective as it could be however.

In the United States, we have the HIPAA regulations. They were written in 1996 when most of us didn't even have modems attached to our home computers, and many of us were running Windows 95. We didn't have web 2.0 social media technologies. We didn't post to Facebook, Instagram, or SnapChat every 10 minutes, as my kids tend to. We didn't have instant messaging, or many of the technologies many of us live on today – especially the younger ones!

Hospitals were largely paper-based back in 1996 when the HIPAA regulations were created. HIPAA was a political compromise in order to put something in place to protect the privacy, initially, and later security of healthcare. It's been enhanced with the HITECH Act and Omnibus changes, but it's still a high-level advisory type regulation, and is widely open to interpretation. It's not a prescriptive rule set in the way that we have in other industries, like PCI DSS that says, "You shall do this, this way, and this way only, and if you don't do it exactly as written, you're non-compliant."


HHS OCR, the Health and Human Services, Office of Civil Rights, has come in with its audit protocol and looked at HIPAA compliance from a very different paradigm. OCR looks at it from an audit compliance perspective, more so than the checkbox mentality that the healthcare industry itself has tended to follow. OCR assessors look for the effectiveness of controls in the same way that a financial auditor would, and they look for evidence that a control has been tested for its effectiveness and that this has been documented. That's beginning to change things across the industry.

In other jurisdictions, we have new regulations that are slowly being implemented or enhanced: Singapore Privacy Act, Caldicott, Australian Privacy Act, European Privacy Directive, etc. These tend to be more privacy focused, but increasingly cover many aspects of traditional security – cyber attack and breach notification for example, or use of patient data in research. And we've got other regulations in the process of being revised or expanded in other countries, as well.


I think compliance was the initial spark that led to awareness of the need for security in healthcare, but I think that's now minor compared to other risks, particularly around cyber attacks and breaches of PHI, which seem, almost every other week, to be all over the papers and TV news channels. We're seeing a growth in targeted attacks against healthcare; ransomware, for example, the encryption of medical records, and then holding them to ransom for tens of thousands of dollars, or even larger sums of money in some circumstances. That's just the beginning in my opinion. Where I see things going is towards not so much the ransom of information, or the theft of PHI, but towards open extortion and ransoming of patient lives, where hackers may have gained control of entire parts of our hospitals and be able to inflict real life-threatening damage.


I don't think we are far-off before we're going to see ransom attempts leveled at hospitals to say, "If you don't pay a thousand BitCoin, I'm going to start killing babies in NICU" or, "I'm going to start assassinating people on life support in your ICU, or undergoing surgery in your operating theaters."

One massive attack vector that very few hospitals have considered is their ICS, or Industrial Control Systems. Systems that manage HVAC, for example, which are critical in healthcare for disease control and for clean rooms like operating theaters. As a hacker, if I own your HVAC systems, I can mess with the airflow, temperature and humidity levels, and render whole parts of the hospital useless – and lock everyone else out of the system at the same time.

If I've gained control of your elevator systems, I can prevent you from transporting patients between floors – maybe on their way to or from the operating theater.

If I own your water management or electrical management systems, even for a short time, I can wreak havoc. Many of these ICS systems are totally automated in our hospitals today, and are remotely managed over the Internet by a service provider.

All of these are very feasible attack vectors against healthcare, and most of the people running these attacks live tens of thousands of miles away, in other countries, out of the reach of law enforcement. There's recent evidence to suggest that many of the perpetrators of some of the recent ransomware attacks against healthcare are in fact employees of state cyber espionage units, moonlighting after hours.

I think some more forward thinking boards of directors are slowly becoming aware of the real risks to their organizations and patients, and are beginning to look at ways that stronger controls can be put in place, to manage the very broad range of threats that could be leveled against healthcare.


Interviewer:
That's amazing stuff. It's almost like a controlled outbreak ...

Richard:
You imagine a man-made Hurricane Katrina. During Hurricane Katrina, the New Orleans hospitals were rendered useless because the water, sewer, power, air circulation, all eventually came to an end. Backup generators ran out of fuel. Fuel trucks couldn't get to those hospitals. Flooding rendered large parts of the hospitals inaccessible, and very quickly full of mold, such that patients could no longer stay inside for their own health and safety. Patients were carried out (where they could be carried out) and placed on flood debris in many cases, which was on dry ground, to get them out of the hospitals that were filling up with airborne mold spores. Many patients were too heavy to carry down flights of stairs. Elevators didn't work because there was no power, so they died in their beds.


Imagine if I were a rogue nation state or a well-organized and skilled terrorist group conducting a cyber war against the United States. I would most likely first go after power generation and distribution systems, water management and other critical infrastructure to disable the domestic systems the military and modern Americans have come to rely upon – running water, regular power, etc.

After critical infrastructure, I would attack hospital systems, because that's where the weakest and most vulnerable people in American society would be found – those unable to look after themselves. I could tie up thousands of National Guard troops forcing them to care for, or rescue, the most needy in society, divert them from defending against other attacks, and weaken a speedy counter-attack by the military. These are all feasible, albeit unpleasant, scenarios and many people have written and published in this area.


Interviewer:
Wow!

Richard:
Oh, it's scary alright!


Interviewer:
What's the biggest leap forward that you've seen within the last year with regard to security?

Richard:
Security is always developing and there are a lot of cool new capabilities every few months so it seems. However, given the kinds of attacks we are seeing against healthcare, I would have to say Real Time Threat Analytics. Understanding where threats are coming from, and recognizing an attack almost immediately; the ability we have now, to identify anomalous user and system behavior, and to light up our networks so we can use the network as a sensor and as an enforcer of the security policy that the board approves, and is enforced by the CISO or security leader.

Recognizing when an attack is underway is incredibly valuable so we can block it, and thwart the attack before data is stolen or compromised. Historically, we've looked at things forensically and 'after-the-fact', when damage has already been done. We bring in forensics teams to investigate the integrity of file systems that may have been compromised; we bring in forensic investigators to work with law enforcement and to preserve evidence for prosecution. But in healthcare a breach is a breach and I'm already in a world of hurt!

In most hospitals we're not being active in terms of saying,
"There's an attack coming in. There's some malware that's just been added to my network. I've got suspicious behavioral activities, and new communications out to the Internet, that are out of the ordinary. They don't fit the usual pattern of activity on my network. I'm under attack,"
and being able to pull the plug or to block that attack; to put defensive measures in place to thwart that attack before the damage is done; before my files are encrypted; before I need to notify patients that their records were compromised; before I need to contact the OCR and let them know that there's been a breach, and my reputation is tarnished, because I'm now on the HHS OCR 'Wall of Shame'.



Interviewer:
I like the predictive nature of that. What do you think differentiates successful attacks on some healthcare providers from those that fail?

Richard:
Let me start by saying that across healthcare delivery, the vast majority of attacks go totally unnoticed. Healthcare simply doesn't have the resources to monitor what's happening on all of its systems, and its rapidly expanding network of partners, suppliers and HIEs. There's no single regulatory body to identify a common point of information disclosure for identity theft, or medical insurance fraud, etc. like there is in the payment card industry for example. And information stolen from healthcare, by and large doesn't expire, in the way that a credit card number does after a certain period of time. I can use or sell that stolen information whenever I like.

With the exception of the very largest providers, most organizations lack a security operations center, or have staff viewing event management systems 24 by 7. Those that have invested in a SIEM have a hard time getting usable, high-fidelity information from alerts. 'False-positives' keep security operations staff chasing their tails, rather than quickly being able to identify real attacks and risks, and to remediate them. SIEM alerts need to be validated before the truth is known. This can be very time-intensive, and will ultimately delay response to an attack.

The critical differentiator between successful attacks and unsuccessful attacks is the ability of the organization to quickly recognize when an attack is underway, such that the attack can be blocked before damage is done. Before PII, PHI or IP can be exfiltrated from the healthcare network. Speed is key today. Attackers are in and out in a matter of a few hours in most cases.

Once you're looking at things forensically and after-the-fact, then the damage has already been done. You've already lost patient information, your IP is gone, and it's out on the Internet. Once an attack is underway against a patient, then that patient could have already been harmed.



Interviewer:
Is healthcare under attack more than other industries do you think?

Richard:
Healthcare by and large provides easy pickings for cyber criminals. They've been after banks and credit card companies for a number of years and that water fountain is drying up. What I see is a concerted attack against healthcare. Big payer breaches, big provider breaches, and pharma networks are largely owned by foreign states and their well-funded cyber espionage units. This is not going to stop anytime soon. We need to put in place effective security controls wherever possible, wherever feasible, and to do it quickly before more damage can be done, and we suffer a widespread loss of confidence from patients. Before hospitals are forced to close, because they can't afford to pay the fines, penalties, identity theft monitoring, and other standard restitution expenses. Before they get hit with a billion dollar class action suit from patients that is going to force them out of business!



Interviewer:
How has the digital era changed the way we're facing security?


Richard:
The digitalization of healthcare has brought about a large number of changes in healthcare delivery particularly. We now have the capability to provide all kinds of new services to patients, and most patients are very eager to consume those services, but they introduce new risks to our healthcare organizations. I refer particularly to the meaningful exchange of health information, to and from the proliferation of other service providers out there.

I'm no longer tied to a single service provider and can shop around to get the best deal. I no longer need to go to the hospital to get my X-Ray, and pay $1,000 for that X-Ray. Most of us are now on High Deductible Health Plans, which means we now pay for service rather than insurance. I can go to a simple imaging center and pay $300 for the exact same thing, with probably half the wait.

I can go to a web portal that my provider has put up that allows me to communicate with my physician or my specialist. I can look at my images from my X-Ray or my CAT scans, and I can read the diagnosis online, rather than have to book an appointment, drive across town, come in to see a specialist, consume his time and my time, to basically reiterate something that's already been written down, that I could read myself. In order to provide these types of services, we need security around them however.


I'm seeing a growth in a large number of opportunities for increased Digitalization, Telehealth, Telemedicine, all types of new services that are more cost effective in the delivery of healthcare services to patients, but again, we need security in order to facilitate that. I need to be able to authenticate legitimate users, and to communicate with them securely, I need to be able to store information securely, and I need effective security controls so that I don't introduce new risks as a result of the new services I am providing to patients.


I think payers and providers are now recognizing the fact that Connected Care, and increased Digitalization, will provide opportunities for huge cost savings and new avenues for revenue generation, while simplifying and improving patient experience with their care team. However there's a huge cost to this if it's not done right. You need to apply appropriate security controls before you can provide these services to patients.



Interviewer:
How is healthcare going to cope with this new reality?  What trends are you seeing?

Richard:
I'm seeing a consolidation within the healthcare delivery industry, particularly in the US where we've had a multitude of different standalone small hospitals and health systems. It's driven by cost pressures, the need to spread meaningful use costs, and the need for improved security over a greater number of beds and patients.

The same is true in the payer space. Organizations are coming together under one umbrella, and building shared services organizations to better leverage scarce resources, and this is saving healthcare money, and at the same time improving technology, security and other services.

I've seen a recent increase in the adoption of cloud-based services, and wider use of mobility as payers and providers become more comfortable with these things. This is all helping to drive growth. I've seen a syndication of technology services to smaller hospitals. Larger hospital systems that have the money to invest in new clinical technologies, in expensive, state of the art systems and applications, are able to recoup some of that investment by providing IT or application services for example, to smaller hospitals that can't afford the investment needed for those types of things. Of course wherever systems are being shared you need to segment and secure, to prevent a whole host of possible issues down the road. It's a decent revenue generator for a lot of health systems, and I see that trend continuing.



Interviewer:
Thank you very much Richard for your insights. I'm hoping that some of your predictions don't come true, but recognize that awareness across the industry may help to avert some of these security risks and threats.

Richard:
Let's hope so!



Take a Strategic Approach to Security Segmentation




You’ve read the stats: by the end of the decade, the Internet of Everything will result in 50 billion networked connections of people, process, data and things. You don’t need to look far to see it come to life in your own organization. With increased digitization comes an exploding number of devices and applications gaining access to your network, creating more data to secure and new attack vectors for malicious actors to exploit.

At the same time, you are increasingly required to demonstrate to organization stakeholders and board members what you’re doing to protect your organization from pervasive, innovative cyber threats. In this year’s Cisco Annual Security Report, 92% of the respondents agreed that regulators and investors will expect companies to provide more information on cybersecurity risk exposure in the future. Business leaders are also anticipating that investors and regulators will ask tougher questions about security processes, just as they ask questions about other business functions.

Already you may be required to meet audit requirements for protecting and isolating sensitive and personally identifiable information, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA). Or your organization may be pursuing a business strategy that requires an increased number of suppliers, partners and third parties to access your networks. What is your plan to ensure that only those with the right credentials and identity can have access to the right assets, and at the right time?

Cisco's Security Advisory Services experts have worked with many customers who have employed network segmentation approaches as a way to address these questions. But those approaches are inadequate because their security policies are flat: they expose their organizations to risk, for example when production and non-production systems, as well as sensitive and non-sensitive data, are mixed. Or they’ve created overly complex segmentation schemes that complicate audit and compliance processes. At the same time, data and systems need to be available to carry out the work of the organization. A different, more strategic approach is needed.

Fortunately, next-generation technologies such as Cisco Identity Services Engine (ISE), TrustSec and the new, fully integrated Cisco Firepower NGFW exist today to implement flexible security controls in your network. You can build a network segmentation strategy that isolates environments and critical systems from other areas of the network and makes it harder for threat actors to take advantage of weaknesses in the infrastructure. You can now combine the tools and technology with your processes and priorities to create a strategic segmentation framework that will support your business objectives.

To help you build out this strategic framework, Cisco has introduced a new Security Segmentation Service, an Advisory Service within the Cisco Security Services portfolio. This service provides a strategic infrastructure segmentation approach for clients that allows organizations to reduce risk, simplify their audit profile, protect data, and achieve a defensible position for board-level requirements in a hyper-connected and complex environment.

Security Segmentation Service:

  • Is customer specific. Cisco will work with you to develop a model that takes into consideration your specific privacy, security, and business needs.
  • Extends beyond the network. The service blends a top-down-driven information security management system with an adaptable, metrics-based framework. Cisco looks at your entire network architecture, plus much more: for instance, your application data flows, any cloud services you’re using, your HR policies for access to critical data and assets, and your intellectual property. We help you apply differentiated controls over different systems and data.
  • Incorporates reusable design patterns. Cisco develops a design you can reuse as your business changes, so you get sustainable and measurable results.

Even if you have policies in place that provide guidance and security around protecting critical assets and data, we often find that users who have changed job roles have increasingly greater access to systems and data than needed, and terminated users still have credentials for many systems. Inconsistency in classification of users, data, and systems results in pivot points where attackers can access data and systems with high business value.

The purpose of segmentation is to simplify the application of security by using a centralized management point. Once this process is in place, it reduces complexity and requires very little maintenance.

To learn more about how Cisco Security Services can help you uncover new ways to think about securing your business as you take advantage of an array of emerging business models, follow the above link.


Written by my good friend and colleague Pavan Reddy, Cisco Security Principal. First published at http://blogs.cisco.com/security/cisco-security-segmentation-service

Cisco 2016 ASR

Is Your Security Up to Date?

'All quiet on the western front' was the sit-rep I received from our SOC recently.

In case it might have escaped your attention, there's been a stunning lack of a major cyber breach thus far this year. This may have lulled some into a false sense of security, believing that the forces of good were finally winning the battle against the Dark Side; however, Cisco’s 2016 Annual Security Report (ASR) sheds a mixed light on the fight against cyber crime.

Vastly outnumbered, cyber defenders are fighting to keep up with rapid global digitization and increasingly bold adversaries, who seem intent on the theft and ransom of non-public information and the disruption of legitimate business activities.

Almost by the day, the report claims, attackers seem to grow more bold, adaptable, and resilient, setting up professional business organizations and technical infrastructures that mimic legitimate enterprises.

On the global front, the report sees fluctuations in Internet governance across regions, which inhibits collaboration and the ability to respond to attacks.

Despite these challenges, and despite a gloomy outlook, the ASR describes some of the successes against the Dark Side and the ‘take-down’ of a number of cyber-criminal groups.

This year’s ASR reveals that attackers increasingly use legitimate online resources to launch their malicious campaigns. Though the news might speak to zero-day attacks, hackers also continue to deploy age-old malware to take advantage of weak spots such as unpatched servers. Furthermore, aging infrastructure and uneven or inconsistent security practices remain a challenge for many businesses.

Other key insights from the 2016 ASR include a growing trend toward encryption (particularly HTTPS) for web traffic, which often provides a false sense of security to users; for companies it potentially cloaks suspicious activity. The report also notes the increased use of compromised WordPress servers to support ransomware, bank fraud, and phishing attacks.

The ASR portrays the latest installment of an ongoing epic battle between the forces of good and evil, with some attacks successful, some repelled, and some wicked counter-attacks that have sent the forces of evil running – (no doubt to regroup and ready themselves for another battle). A veritable source of information, it not only reports on the current state of cybersecurity but makes recommendations for the implementation of defensive measures, and how to prepare for the next wave of attacks.




Adversaries and defenders are both developing technologies and tactics that are growing in sophistication. For their part, bad actors are building strong back-end infrastructures with which to launch and support their campaigns. Watch Cisco CEO Chuck Robbins and Chief Security Officer John N. Stewart discuss these key findings and more from the Cisco 2016 Annual Security Report.

Security and the Board


Not long ago I was asked to attend a quarterly Board meeting of one of my healthcare clients and to present the recommendations of a Strategic Security Roadmap (SSR) exercise that my team and I had conducted for the organization. The meeting commenced sharply at 6am one weekday morning and I was allocated the last ten minutes of the meeting to explain our recommendations and proposed structure for a revised Cybersecurity Management Program (CMP).

The client Director of Security and I waited patiently outside the Board Room while the “real” business of the Board was conducted inside. As is the case with many organizations, Information Security was not really taken seriously there, and the security team reported into IT way down the food chain with no direct representation at the ‘C’ Suite or the Board level.

The organization’s CMP had “evolved” over the years from anti-virus, patching and firewall management into other domains of the ISO27002 framework, but was by no means complete or taken seriously by those at the top. Attempts to build out a comprehensive, holistic security program over the years had met with funding and staff resource constraints, and Directors of Security had come and gone with nothing really changing.



The current Security Director was enthusiastic, young and bright. He had memorized the magic quadrant leaders for each and every security tool that he felt he needed to round out security across the organization. His approach to security was a shopping list of “shiny objects”, each of which was a best-of-breed point solution. There was no strategy for integrating them and little understanding of the costs and efforts that would be involved. Proposed solutions were only loosely tied back to business objectives and drivers.

Right on time, an Executive Admin opened the double doors to the boardroom and we were ushered in to our seats; printed color copies of the Executive Brief I had prepared were uppermost on a stack of papers in front of each member.

Like many healthcare boards, the membership was a mix of active physicians dressed in their whites and greens ready for their day shift, the CEO and his Executive team, and a collection of what looked to be retired Generals and corporate chieftains from various industries including one notable banker.

The CIO introduced me and I spent the next eight minutes walking the Board through the recommendations of our report, leaving two minutes on the clock for questions. The Executive Team and most of the younger physicians nodded in agreement and understanding at each recommendation and the reason for it. Some of the older members required further explanation and a deeper understanding of the risk management context, which formed the basis of the suggested revisions.

All was going well and it looked at this point that funding would be approved for an update of the security program. Then one of the older physicians asked a question about a particular security application, and the Director of Security, who hadn’t said anything thus far, saw his opportunity to jump in and be heard. Unfortunately the language he used was full of technical security jargon that might just as well have been Double-Dutch for all the good it did in communicating his point. The physician looked on with an irritated stare and I had to rescue the meeting before it deteriorated quickly.

It was at this point that I realized why all previous attempts to build out a robust holistic information security management program had met with failure. Security and the Board spoke totally different and highly incompatible languages and it had taken a seasoned consultant to bridge the chasm and to act as arbiter.

The importance of establishing a formal Cybersecurity Management Program written in neutral language that both sides could understand, and that was structured so as to address underlying business objectives rather than the latest security fads would be absolutely critical at this customer if it was to secure its business.

Fortunately the CMP was approved, but this example is all too typical of the interaction between information security professionals and boards of directors, especially in organizations afflicted with low levels of security maturity. There is a difference in language and often a generational gap that hampers understanding on both sides. Each views cybersecurity through a completely different conceptual lens.

Security professionals all too often attempt to explain risks in language that senior executives may not fully comprehend, using alien concepts and terminology. They fail to translate and communicate cybersecurity threats and vulnerabilities in terms of business enterprise risks and the potential future impact to the business unless mitigated. This is compounded by a lack of trust and a long-standing historic pattern by security professionals of using Fear, Uncertainty and Doubt, otherwise known as ‘FUD’ in these conversations.

Instead of muscling decision makers into procuring desired security tools with FUD, security professionals should define the probable costs of inaction, in comparison to the costs and benefits of action. This should include objective conversations about operational risk, legal / regulatory compliance, protecting corporate brand image and potential penalties, cleanup and restitution / compensation costs of breaches, including loss of reputation and brand damage.

Boards need to view cybersecurity as a critical business function and a critical business-enabler in an increasingly inter-networked digital world. They need to educate themselves so as to be able to make informed decisions on security strategy and policy and spend. Security needs representation at the senior executive level and to make regular reports to the Board so that the Board can make informed enterprise risk management decisions.

There is a wide lack of quantitative risk assessment and reporting across the industry to enable executives and their boards to view and weigh cyber risks in the format of a more familiar looking balance sheet rather than in a subjective report with only limited business risk context.

Above all, organizations need a formal cybersecurity management program in which security purchasing decisions can be understood from the context of addressing enterprise risks while following a previously approved cybersecurity management plan.

A newly published Cisco whitepaper lists 10 key success factors to building a successful cybersecurity management plan. These apply not only to organizations constructing their very first formal CMP, but also to those looking to update or to maintain their existing program. When followed in order, these will position the organization well for success.

The introduction of a CMP affects virtually every individual or group in an organization, so it’s essential that the final cybersecurity management program best address everyone’s needs.


This blog was originally published at http://blogs.cisco.com/security/security-and-the-board and https://www.linkedin.com/pulse/security-board-richard-staynings


Health Insurers Under Attack




February set a new monthly record for the largest US healthcare breach to date in which the personal records of 80 million individuals were compromised. It also marked an apparent change in focus from attacks on delivery organizations to healthcare payers. A few weeks later, two additional health insurers reported that they too had been hacked, resulting in the possible compromise of a further 11.25 million personal records. In a period of less than 3 months, the US has seen over 91 million records and personal identities stolen from healthcare insurers alone.

The health insurers appear to have been the target of highly sophisticated cyber attacks thought to be perpetrated from China, which involved the use of advanced persistent threats (APTs) and spear phishing. This allowed them to gain administrative credentials that were used to exfiltrate stolen data via the use of common cloud data services.

Why the sudden focus on healthcare?

As a new Cisco Healthcare white paper shows, healthcare has been in the cross-hairs for several years. However, because of the relative lack of sophistication of healthcare information security to detect attacks, most have gone unreported. The theft of someone’s bank balance doesn’t go unnoticed for very long. The theft of a large number of credit card numbers triggers banks to look for a common point of purchase (CPP) in order to identify the compromised merchant(s). The theft of someone’s personal health information (PHI) or personally identifiable information (PII) takes much longer to be noticed. Unless the FBI is involved, there is no single body to correlate all the identity theft and medical insurance fraud cases in order to identify the source.

The second factor has more to do with the market valuation of stolen data. The wholesale value of stolen credit cards on the dark net has declined rapidly over the past nine months as markets became flooded with card numbers. At the same time cyber criminals have discovered lucrative new avenues for the disposal of stolen healthcare information by parsing the data into market categories such as personal identities, prescription information, or insurance information. Criminals are able to make much more money by selling these buckets of information to different groups, rather than selling the medical record as a whole.

Market values of stolen information vary greatly each day. The price of a medical record continues to increase, while the price of a credit card number continues to decrease. By some estimates, a stolen credit card has a value of less than one dollar, while a medical record can fetch in excess of $45.

What does this mean for the healthcare industry? This means that there is little question now that US healthcare organizations are being targeted by sophisticated and highly organized cyber-criminals. What’s more alarming is that based upon evidence gathered from recent attacks, these are not merely opportunistic thefts perpetrated by the usual collection of Eastern European gangs, but lengthy, costly, advanced persistent attacks that may have been orchestrated by state actors for reasons other than the monetization of stolen data. The investigations of all three attacks are not yet conclusive, but it is safe to assume no matter who the perpetrators are, that healthcare is now being targeted. This is especially true in the United States, where personal health records contain so much valuable information.

The targeting of healthcare is something that cybersecurity experts, including myself, have been warning against for several years. Healthcare is so poorly protected compared to other industries and ranks close to the bottom in information security spend. It is unsurprising that the information systems of payers, providers and bio-pharmaceutical organizations are considered low-hanging fruit by cyber-criminals.

What’s more alarming is the inability of the industry to respond to this now widely acknowledged threat. Healthcare simply does not have the people, processes or the technology to protect itself quickly against the onslaught. Furthermore it lacks the financial resources to hire the expertise needed to fix information security programs or to purchase the advanced security services and tools needed to protect its non-public data. According to ABI Research, healthcare cybersecurity spending will reach only $10 billion globally by 2020. That amounts to less than ten percent of global spending on critical infrastructure security today.

What is needed is a better understanding of the threats, vulnerabilities, and necessary transformations of the way healthcare is run and funded. This should include a much greater emphasis on cybersecurity and the protection of the information that individuals entrust to their doctors and healthcare insurance providers.

Read more on the changing threats to healthcare and the challenges facing the industry in Cisco’s white paper: Combating Cybercrime in the Healthcare Industry.

A shorter version of this blog was first published here. To view comments or join the discussion on this article or the questions it raises, please follow the link above.

Security World

Richard Staynings Keynote kicks off the Security World Conference in Hanoi

I had the honor of presenting the Keynote at "Security World" yesterday in Hanoi, Vietnam to a packed house of government Ministers, Generals and other military staff from Vietnamese and other ASEAN nations, corporate chieftains, and security and privacy professionals drawn from all over Asia, Australasia, the USA and Europe.

In fact I had the honor of presenting twice - the morning keynote on how the Internet of Everything will change security for the next 25 years, and a session in the afternoon on securing the next generation data center.

I would like to thank the organizers and the government Ministers and other officials who gave me such a warm and appreciative welcome, and all of the attendees whose well thought out questions showed great knowledge and insight, and who obviously paid very close attention to every word I had to say. I was glad to share my knowledge, experiences and opinions with each and all of you.

An English translation of the official Vietnamese website covering the event can be found here.

A gallery of the official photography can be found here.


Behind the Great (Fire) Wall

The Great Chinese Firewall.
June 20, 2014
For anyone who hasn’t been to China yet, the realization when you get there that the ‘Internet’ isn’t the ‘Internet’ can be slightly alarming. China blocks many of the most popular web sites and services that the Free World uses on a daily basis.

Forget updating your Facebook page, YouTube, or your personal blog to 'show and tell' your friends and family about your wonderful trip to the Great Wall, Forbidden City, or Summer Palace. Forget also about catching up on news from popular news sites. Most are blocked - especially if there's a story about China!

No other country censors the Internet quite like the People’s Republic of China does. It determines almost completely what it allows its 1.4 Billion citizens to read, write, listen to, watch, or post... No other country, that is, excluding the more than slightly isolated hermit kingdom of North Korea, where there’s often no electricity even if you are one of the few elites allowed to access a computer.

Twitter, Blogger, Gmail, Google Plus, even the Google Search Engine are all blocked at the present time. Major publications like The New York Times, The Wall Street Journal, BBC, The Times, and Bloomberg are blocked also. China doesn’t permit the free flow of information in or out of the country, so if you want your service to be accessible to China’s 618 million online users you have to abide by China’s rules, and that means you need to self-censor or be blacked out entirely. Some companies, like Google for example, refuse to censor the truth, re-write history, or compromise their charter to “do no evil” for the sake of doing business in China. Consequently, and at the present time, Google is, to put it lightly, not particularly liked by the China Net Police.

China effectively has its own 'national intranet', with its own providers and its own rules. So far, none of the big U.S. Internet firms has managed to make significant headway there, and the ones who try must play by the rules. LinkedIn, for instance, which entered the market this year, is drawing flak for blocking posts about political matters in China. Even sensitive pages in Wikipedia are blocked.

Bing and Yahoo search engines work, but forget searching for such heinous terms as ‘Tiananmen Square Massacre’, ‘Dalai Lama’, ‘Muslim ethnic riots', ‘protests in Tibet’ or ‘Chinese Official corruption’. These things don’t exist as far as China is concerned unless the government says so. They are mere ‘untruths’ fabricated by the West to make China look bad. It's not quite George Orwell’s '1984', but there are a lot of similarities. China allows just enough freedom to make its citizens believe that they have free access. It regards its filtering actions as being nothing more than paternalistic protection of its citizens.

There is no official warning or 'verboten' page for trying to access blocked content. Your request will just time out as if the web site is down rather than being blocked. Sometimes it's hard to know whether the site or service is purposely blocked, or whether the traffic-slowing 'Great Firewall' or the less than stellar China network is to blame. You just have to try later. The notion of things like 'Internet quality of service' (QoS) in China simply doesn’t exist. One day you can connect with decent bandwidth, the next, nothing seems to work properly. That is, however, as much the case for web sites hosted inside China as it is for ones hosted overseas.

There is no official censorship list either. Sites and services just get blocked - sometimes returning, sometimes not, depending upon relationships with the West, and internal political activities like self immolation in Beijing, or Lhasa, protesting of any kind, or the cause of ethnic Uighur separatists in Western China’s Xinjiang province much of which was once called 'East Turkestan' before China occupied it in 1949.

Pro Democracy Protests / Tiananmen Square Massacre
Of course the 25th anniversary this month of the Tiananmen Square Massacre, in which untold thousands of Chinese students and ordinary citizens, along with paramedics and doctors treating the injured, were gunned down, bayoneted, or purposely run over by tanks, has been an especially auspicious time for the censors. The mere thought that the Chinese population should find out about the events of 1989, when China's leaders mobilized complete battalions of the People's Liberation Army (PLA) and sent over 300,000 armed troops and tank regiments into Beijing to break up the peaceful democracy protest, sends shivers down their spines. This month, even shortwave radio is blocked, just in case the BBC World Service or Voice of America should mention the anniversary.

As for available services - unblocked web sites or email for example, forget the idea that your surfing or email messages are private. You should fully expect that someone, somewhere, in China is monitoring what you do, what you read and what you write. Even SSL/TLS email and web sites are often decrypted by the Great Firewall, examined and filtered before being sent on or dropped.

Don't expect western style privacy in China but something closer to Orwell's "1984"
Your only option for secure communications with the outside world is VPN and even then it can be touch and go, and you absolutely need to set this up before landing in China. Encryption keys need to be long and complex and set to the highest encryption strength supported by your provider or VPN termination device outside of China. The web sites of companies that offer VPN services are generally blocked in China, so if you don’t have a service agreement beforehand and your encryption keys along with your setup information with you when you arrive in China, tough luck!

PPTP is generally blocked. I’ve found it to work at major western branded hotels in big cities like Beijing, but blocked in the same hotel chain in other cities.

L2TP is a lot better and generally works in many upmarket western or Chinese hotels.

The fact is that things change all the time in China so come prepared.

Your best bet, however, is SSL VPN, which uses SSL rather than an IPsec tunnel to encapsulate traffic. Services and complexity of setup for both client and server can be more difficult, but it's worth the extra cost and effort to ensure connectivity. Most SSL VPN clients can be configured to attempt connection on a number of ports and protocols. Your best bet is to include TCP port 443 in your configuration. This is the port commonly used for secure HTTPS web communications, so if your connection on a higher custom port fails, you can normally still get out and obtain a secure tunnel on TCP 443.
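To illustrate the multi-port fallback described above, here is an added example of an OpenVPN client profile (the format used by SSL VPN clients such as Viscosity and Tunnelblick); it is not part of the original post, and the hostname vpn.example.net, the port numbers and the certificate file names are assumed placeholders for whatever your provider issues.

```text
# Added example (not from the original post): OpenVPN client profile that tries a
# custom port first and falls back to TCP 443, with TLS settings pinned to the
# strongest options the provider supports. Hostname, ports and file names are
# placeholders; substitute the values from your VPN provider BEFORE you travel.
client
dev tun
nobind
resolv-retry infinite
persist-key
persist-tun

# Remotes are tried in this order when remote-random is not set: the provider's
# usual UDP port, then a high TCP port, then TCP 443, which is the port ordinary
# HTTPS uses and so is the one most likely to be reachable from a filtered network.
remote vpn.example.net 1194 udp
remote vpn.example.net 8443 tcp
remote vpn.example.net 443 tcp
connect-retry 5
connect-timeout 15

# Credentials issued by the provider; they must already be on the device, since
# the provider's web site may not be reachable once you arrive.
ca ca.crt
cert client.crt
key client.key

# Pin the control channel to TLS 1.2 or newer and use a strong AEAD data cipher.
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

# Only accept a certificate that is marked as a server certificate and whose
# common name matches the endpoint, so a middlebox cannot stand in for the server.
remote-cert-tls server
verify-x509-name vpn.example.net name

# Send all traffic, not just selected routes, through the tunnel.
redirect-gateway def1

verb 3
```

If the UDP and high-port attempts time out, the client moves on to TCP 443 after the configured 15-second connect-timeout for each remote.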

OS X, Windows and most Linux distros already contain the software needed to support PPTP and L2TP VPN connections. Third-party applications such as Viscosity and Tunnelblick can be downloaded to support SSL VPNs, and software for iOS and Android devices can be found on the Apple Store and Google App Store.

Hotels in China usually provide both wired and wireless Internet access. Wireless is usually ‘open’, meaning that your communication to the WiFi access point is unencrypted and could easily be observed, intercepted or exploited by ‘man-in-the-middle’ attacks. You want to avoid connecting to any open wireless connection in China. Make sure that you bring an Ethernet cable and, if using a Mac or slim laptop, a dongle to allow you to use the RJ45 socket in your room. A wired Ethernet connection could still be intercepted, but there's less chance of your average China hacker doing so. Besides, you can employ extra layers in your cyber defense, as I'll explain.

Security in China is a MUST, so rather than rely upon directly connecting your laptop to the wired network, and to facilitate access for other devices that only have WiFi connection capabilities (iPads, iPhones, etc.), consider bringing a simple wireless router-firewall and loading it with the open source DD-WRT firmware. You then have this router open an SSL VPN out of China so that you can use one tunnel for everything, and you can set up a WPA2 WiFi network for your wireless devices in your hotel room so that they can connect securely too.

Builds of DD-WRT have been written and can be freely downloaded for most common consumer WiFi routers from Linksys, Netgear, D-Link, etc., but you need to load a larger 'FULL' or 'VPN' build to be able to use it as your SSL VPN termination point. Such a build usually requires more RAM and Flash memory to load and run than a 'light' or 'regular' build, more than the cheapest routers have. Check out the DD-WRT Router Database for supported hardware and the Wiki for how to flash and configure DD-WRT and how to set up your VPN. Interestingly, older versions of the same router may often contain more RAM and Flash storage than the latest version, in which case go check out eBay for the version you need.

OpenWRT is an alternative project to DD-WRT, though not as many devices are supported and it's a little tougher to configure. It has great support for Linksys hardware, however. There are a number of different projects within OpenWRT, including Tomato, which is one of the more popular distros, but an Internet search will tell you what hardware is supported on which distro.

Remember to build out, test and if needed, troubleshoot your DD-WRT / OpenWRT loaded router BEFORE your trip to China.

Before purchasing or re-imaging a router, ensure that it has sufficient RAM and Flash memory to support a 'Full' or 'VPN' build of DD-WRT / OpenWRT.

Secondly, make sure that its power adapter is multi-voltage, as China uses 220 to 240 volts.
A decent surge protector for all your electronic gear is probably a good investment also as the power in China is often quite dirty.

As to the privacy of your computer, tablet or smartphone, forget that too unless it never leaves your side. Web pages where you agree to the Internet access terms of service in the coffee shop or hotel, sometimes have malicious code that is automatically pushed without your knowledge to your system unless you have that system locked down WAY tighter than most users would. Creating a user account with minimal privileges is definitely a good precaution. The more concerned may consider taking a blank machine with nothing more than a locked hypervisor and a read-only virtual machine.

And forget leaving your device in your locked hotel room or safe while you go for breakfast too. You are not the only one with a key - even to a combination lock. The maid will have a forensic acquisition of your hard drive completed before you get to your second breakfast cup of coffee - even if that hard drive is full-disk-encrypted!

Big Brother is watching you

Of course, if you happen to be in China on business, then expect to be targeted. Chinese companies, most of which are owned by the Chinese State or the People's Liberation Army (PLA), have been issued 'five year plans' to catch up with and surpass their western counterparts using any and all means available, including outright theft of intellectual property and trade secrets. The paternalistic monitoring forces of China are eager to aid in this endeavor, even if only by acquiring your phone contacts, so don’t lose sight of your phone or anything else.

Watch out for hidden cameras too, especially if you may be targeted. Cover keyboards and be very careful when entering passwords into computers, phones or hotel safes. And be careful about what you do and who you bring back to your room. Just assume that you are always being watched and that anything you do can and usually will be used against you.
Big Brother IS watching you in China
That being said, China is a great place to visit, so come prepared and enjoy your stay! Just be aware of the risks you face and take the appropriate precautionary measures to protect yourself and the data you may have with you.

See also: Why is the Chinese Military so focussed on the theft of Intellectual Property


Post Script
Eric Jacksch recently published an interesting article on the use of Chromebooks for international travel in order to safeguard private information. If crossing an international border concerns you with information on your laptop that simply should not be disclosed then this might be an option for you. However the same concerns exist for unfiltered and un-monitored access to the Internet when in China. Read Eric's full article

Mricon.com also published a Linux / Chromebook setup guide for attending conferences or meetings in China.

MacWorld published a Data Security Guide while traveling with your Mac, iPad or iPhone.

Network World recently reported on a crackdown by the Communist Chinese Government on ISPs to block VPNs out of the country: China goes after unauthorized VPN access from local ISPs


Not Opting-Out doesn’t mean that I am Opting-In!



Does the fact that I didn't explicitly ‘opt-out’ of your email list mean that I agree implicitly to you sending me unsolicited spam email, or to any partners you may decide to sell my contact information to?

Does the fact that I missed or failed to uncheck the tiny radio button in your 17 page agreement mean that I agree to providing you access to datamine my contacts, my bookmarks, or my internet history?

Most users would say, “No!” However, Facebook announced recently that it intends to start targeted advertising to its users, by pulling their interests, passions and surfing habits from their Web browser histories.
The free content ad network said in a blog post that Facebookers who hate the idea of yet more intrusive advertising, can switch the feature off via the "industry-standard Digital Advertising Alliance opt out". In other words, all Facebook users in the US will have their browsing behavior tracked by default. The company would not be able to do the same stealth-ad-bomb exercise in the European Union, however, because consent for such a mechanism has to be granted first.
While one can appreciate the need for companies that offer free services to pay for those services via advertising, a principle that many a Web-based business relies on, the idea that a U.S. based user is deemed to have consented to the use of their personal and private information (as Web browsing history surely is) only because they haven’t yet opted out is ridiculous.

Are you sharing a computer between several people? You'd better hope that one of them doesn’t like to surf porn or your Facebook targeted advertising could be interesting!

Less than 1% of users ever read the small print of the absurdly long, unintelligible and usually highly legalese user agreements, let alone the constant changes of agreements as a company updates its policy. For a company to claim then that users have been informed and are fully cognizant, aware and agree with the company’s latest policies is delusional. Most users have no idea what they are agreeing with; they just want to get on to Facebook to see who has posted to them on their way home from work, school or the airport.

To claim further that, because a box agreeing to give up some aspects of a user’s privacy has been checked by default by the owner of that page, a user must uncheck that box or radio button to NOT grant such access before clicking the large bright button at the end of the agreement which states “I agree,” is insane to rational and intelligent users.

“I didn’t agree to that!” is what I often hear from common users – and quite rightly so.

Yet in the United States this assumed legitimacy of the corporations to pillage whatever private information they please goes largely unchecked. In Europe or Australia (other modern and arguably more advanced civil societies) such actions would land those corporations in court, having to cough up hefty fines and punitive damages while forcing them to leave court with a proverbial corporate tail between their legs!

As recently as June 1st, a UK Court ruled against a large retail store for spamming a prospective customer who inquired about home delivery of groceries and had to enter his home and email addresses in order to find out if they serviced his area. He failed to notice the hidden checkbox that the retailer had checked by default asking for permission to add him to the store’s email list. The court ruled against the retailer and awarded damages to the plaintiff.

The store argued that because the plaintiff had not opted out of receiving their emails, he had automatically opted in. The court, however, agreed with the plaintiff that:

"..an opportunity to opt-out that is not taken is simply that. It does not convert to automatic consent under the law and companies risk enforcement action if they use pre-ticked boxes.”

If the owner of a web page checks a box granting consent to itself, and the onus is on the individual to reverse that action, then the owner has not received permission for whatever agreement the checkbox referred to.
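As an added example (not part of the original post), here is a small Python audit that flags consent checkboxes a page has pre-ticked and that counts consent only when the user actively ticked an unticked box; the sample form, the `marketing_optin` and `newsletter` field names and the consent-term list are all constructed for illustration.

```python
"""Added example (not from the original post): flag pre-ticked consent boxes."""
from html.parser import HTMLParser

# Name fragments marking a consent control (assumption; use the site's own names).
CONSENT_TERMS = ("consent", "newsletter", "marketing", "optin", "opt_in")


class PreTickedConsentFinder(HTMLParser):
    """Collects consent-related checkboxes that carry a 'checked' attribute."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)  # a bare 'checked' attribute maps to None here
        if a.get("type", "").lower() != "checkbox":
            return
        name = (a.get("name") or a.get("id") or "").lower()
        if "checked" in a and any(t in name for t in CONSENT_TERMS):
            self.findings.append(name)


def find_preticked_consent(html):
    """Names of consent checkboxes the page ticked on the user's behalf."""
    parser = PreTickedConsentFinder()
    parser.feed(html)
    return parser.findings


def record_consent(form_html, submission, field):
    """True only if the box arrives ticked ('on') AND was not pre-ticked by the
    page: a browser sends nothing for an unticked box and 'on' for a ticked one,
    so a pre-ticked default looks identical to a deliberate tick at submit time."""
    if field in find_preticked_consent(form_html):
        return False  # the site consented to itself, not the user
    return submission.get(field) == "on"


# Constructed sample: a delivery-area check form with one pre-ticked marketing
# box (the pattern the UK court rejected) and one honest, unticked opt-in.
SAMPLE_FORM = """
<form method="post" action="/delivery-check">
  <label><input type="checkbox" name="marketing_optin" checked> Send me offers</label>
  <label><input type="checkbox" name="newsletter"> Weekly newsletter</label>
  <button type="submit">Check my area</button>
</form>
"""
```

Because the browser submission cannot reveal whether a tick was the user's or the page's default, the form markup itself is what has to be audited before any consent is recorded.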

Facebook said it planned to start offering ad preferences controls to US users over the next few weeks. The policies governing its new targeted advertising initiative however will not be released until later this year.

That’s akin to Congress passing a law and deciding what to put in that law at some point after the Bill has been passed and gone into law... and Americans sometimes wonder why the rest of the world doesn't take them seriously!

Why is the Chinese Military so focused on the theft of Intellectual Property?

PLA Cyber Troops

Yesterday’s indictment of five People's Liberation Army (PLA) cyber espionage officers on charges of hacking into US companies in order to steal trade secrets was no surprise to most of us in the cybersecurity business. Nor was it to China-watchers who have become used to seeing mainland China do whatever it takes to catch up with the rest of the world following its more than half-century of economic stagnation under communism.

The fact that the indictment handed down in the District Court of the Western District of Pennsylvania only named five mid-level officers says that this highly unusual activity by the US Department of Justice (DOJ) to prosecute the agents of a foreign government is very much a test case. It's also an open and very public wake-up call to Mainland China to cease and desist its rampant and prolific cyber espionage activities against western commercial businesses.

Despite years of protestations by the US and other law-abiding nations, and a very revealing Mandiant report last year detailing the activities of PLA Unit 61398, or ‘APT1’ as it is also known, regarded as the most prolific of over 20 PLA cyber warfare units, China has refused to acknowledge or stop its state-sponsored cyber theft activities, and has further demanded that the US prove its allegations. Perhaps then this is a water-tight test case in which the perpetrators can be proven guilty not only of cyber theft, but also of having acted on the orders of the Chinese State. What's more, this verdict can be handed down in a globally respected US court of law, something to which China, with its general lack of law or an independent judicial system, can only aspire.

Having spent a lot of time in the People's Republic of China since the early 90s, I’m sure that the Chinese leadership will continue to loudly profess its innocence and abhorrence at US accusations, for such is the game that is played in China whenever anyone is caught red-handed. I’m also sure that China will respond in a tit-for-tat manner accusing the US of cyber spying against the People's Republic in order to save the all-important ‘Chinese Face’. However in this case the Chinese leadership in Beijing may well be largely ignorant of the true activities of one of its PLA units located in an innocuous twelve story building on the outskirts of distant Shanghai.

China’s national leaders, in fact, hold very little power in the overall command-and-control structure of the world’s fastest growing economy and most populous nation. Instead China is really commanded and run by regional power players, as it has been right the way back to the Qin Dynasty in 221BC. It is these Warlords who hold the real economic and often grass-roots political power in China, a fact that Beijing and the Central Committee puts up with but doesn't necessarily like. All too often, when one of these regional barons or princelings gets too powerful and steps over the line, Beijing is forced to make an example of them with a high-profile execution or life imprisonment, as was the case with Bo Xilai 薄熙来 in September 2013.

This regional power model extends down as Marx would have put it to ‘the ownership of the means of production’. Most of China's private companies that emerged during the late 80s and early 90s were, in fact, owned and managed by the PLA, which expanded into manufacturing, hotels and other commercial activities. The revenue from these activities proved to be not only profitable, but also a vital means by which PLA units were able to expand their regional power and influence, and develop a near monopoly of local commerce. These PLA units were directly or indirectly run by local warlords. In fact, many of today’s modern Chinese mega-corporations, some of which are now publicly traded, are still controlled and run by the very same power barons.

And this perhaps explains best the close link in China between official military espionage and the commercial targeting of western companies for intellectual property theft. It's all about the pursuit of power and taking, by whatever means is available, competitive advantage over opponents, even if that involves the outright and very public theft of internationally recognized trade secrets.

Memories are short and China is banking that no one will care 10 or 20 years from now just how Chinese corporations became the biggest and richest in the world, or how everyone else went broke!

See also: Behind the Great (Fire) wall

PROVE IT!


In this age of commodity IT, cybersecurity (cyber) is no longer immune to the C-level challenge to “Prove it!”

Many industries are still making deep spending cuts, and plying customers with “Cyber is ROI” and “Think of it like insurance!” simply doesn’t resonate.

Executives hear “investment” as code for “long time plus big price tag”. Despite best efforts, there remains a major disconnect between cyber value and business value.

If you want to compete in the cyber market then the discussion is inevitably a hard dollars and business sense conversation: “Our time to market for mobile apps increased 50% after we deployed a secure app store solution.” Real stories, real metrics, real value.
The imperative today: products and services must work AND must deliver fast. CIOs and CSOs know they will have to have a conversation with their CFOs. As security professionals we need to help them. We must speak their language. The F&A floor is seldom impressed by products that are cool. Even less so if cool can’t demonstrably convey assurance, cost reduction or realized business enablement.

“But we just found a zero day APT!” Not surprised. Breaches are inevitable. This approach, however, is not convincing to the finance director. Anecdotes are good, but they lack tangibility. The new reality is that there are two kinds of companies: those that know they’re compromised and those that don’t.

“So, raise the cost in the kill chain?” Okay, but to what end? Threat identification is a good thing—it’s good to know who’s been living in your house and who’s eating that last slice of pie when all are asleep. There’s more value if you can estimate marginal benefit (and cost) so we know how much to spend. At some point, there are always diminishing returns for raising that bar. Finance folks understand that. If we want to make our case, we need to be on their page.

Here are a few leading questions to consider. Your ability to answer questions like these will help demonstrate your bona fides:
  1. Did the tool we bought measurably decrease our per incident mitigation costs?
  2. Did we lower our audit costs because we had evidence-based artifacts?
  3. Did we increase our up-time during core productivity hours?
The cost of doing business in the information age is cyber—’tis a fait accompli. But the language of business, even in government, is still finance. Numbers get people’s attention, especially executives whose success or failure rides on quarterly statements to their shareholders. Their proof is always in the numbers. As industry professionals, our job is to help make the business case. And if cyber as an industry wants to have a seat at the big table, then we must improve the language we speak.

Written by good friend and colleague Michael Lucero