Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

Adopting an industrial mindset: Cyber Safety

November 2, 2017 By Doug

We’ve always said that there are two kinds of organizations: those that have been hacked, and those that don’t know they’ve been hacked.  Yet security teams are still having problems getting resources and attention from our business stakeholders, particularly in industrial companies that consider IT and technology a back office problem.

Over my career I’ve worked in manufacturing, energy, utilities, oil and gas, and other similar industries.  One thing they all have in common is a focus on accident avoidance and safety – that is, how to fail gracefully.  That’s why they have a safety briefing before every meeting on where to evacuate to in case of a fire, or a safety minute with a thought of the day, or even those ubiquitous signs about ‘100 days since our last injury’.  The constant focus on safety has had amazing results:  business can now do dangerous things with much lower risk.  Yet many CISOs in those industries struggle to get cyber security treated as a high priority.

Often the OT folks won’t let IT touch the environment, which is unfortunate because it’s often riddled with insecure IoT devices, outdated and unpatched machines, and even modems still hanging off industrial equipment running pcAnywhere for dial-up maintenance by third-party providers.  Discussions of hacking and cyber risk just don’t resonate much with someone running an offshore platform, or a manufacturing line.  So how do we get their attention?  Change our vocabulary.

We need to talk not about cyber security, but rather cyber safety.  To speak in the industrial language and talk about risk, not as ransomware or data exfiltration, but as plant downtime, risk to life and safety, generator outages, line stoppages, and so forth.  It’s getting traction, and in the process, we’re learning from our peers.  For example, we were talking with a line operator about the risk of someone hacking in and changing the computer to speed up the line (theoretical risk) in an attempt to crash it.  He shared that there are multiple control points (aka defense in depth) against it, including a purely mechanical control that will rate govern the equipment to get an operator time to intervene manually.

Then he turned and asked me why we didn’t have a rate governor around our critical data (e.g. on the database itself), so if someone does hack in, they can’t get the information out all at once…to give the SOC time to intervene.

Hmmmm.  He’s on the cutting edge with that – there’s some early stage architecture work being done but it’s hardly widespread.  Yet to him, it’s pretty obvious.

Because a system isn’t safe unless it can fail gracefully.  That’s just one example of where the safety mindset can help our security programs, as much as we can help theirs.   We just need to start speaking the same language.  Cyber Safety has a nice ring to it.
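As an added illustration (not code from the post), here is one way the operator’s ‘rate governor around critical data’ could look in Python: record reads per principal are counted over a sliding window, a lower threshold raises an alert for the SOC, and a hard cap refuses further reads.  The class, thresholds and sample events are all assumptions made for the example.

```python
"""Added example: a sliding-window 'rate governor' for bulk data access.
Reads above alert_records raise a SOC alert; reads that would exceed
max_records in the window are refused. Names and thresholds are assumptions."""
from collections import defaultdict, deque


class DataRateGovernor:
    def __init__(self, window_seconds=60, alert_records=1_000, max_records=5_000):
        self.window = window_seconds
        self.alert_records = alert_records   # raise an alert above this many rows
        self.max_records = max_records       # refuse reads above this many rows
        self._reads = defaultdict(deque)     # principal -> deque of (timestamp, rows)
        self.alerts = []                     # what the SOC would receive

    def _count_in_window(self, principal, now):
        q = self._reads[principal]
        while q and q[0][0] <= now - self.window:
            q.popleft()                      # drop reads older than the window
        return sum(rows for _, rows in q)

    def check(self, principal, records, now):
        """Return 'allow', 'alert' or 'deny' for a read of `records` rows at time `now`."""
        seen = self._count_in_window(principal, now)
        if seen + records > self.max_records:
            self.alerts.append((now, principal, "denied", seen + records))
            return "deny"                    # refused reads are not counted
        self._reads[principal].append((now, records))
        if seen + records > self.alert_records:
            self.alerts.append((now, principal, "bulk-read", seen + records))
            return "alert"                   # allowed, but the SOC is told
        return "allow"


def replay(events, governor=None):
    """Run (principal, rows, timestamp) events through a governor; returns the verdicts."""
    governor = governor or DataRateGovernor()
    return [governor.check(p, n, t) for p, n, t in events]


# Constructed sample: a reporting job doing ordinary paged reads, then one
# account suddenly pulling the table in large chunks within a few seconds.
SAMPLE_EVENTS = [
    ("reporting-svc", 200, 0), ("reporting-svc", 200, 10), ("reporting-svc", 200, 20),
    ("svc-acct-7", 900, 30), ("svc-acct-7", 900, 31), ("svc-acct-7", 900, 32),
    ("svc-acct-7", 900, 33), ("svc-acct-7", 900, 34), ("svc-acct-7", 900, 35),
    ("reporting-svc", 200, 90),
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", verdict)
```

The governor doesn’t stop a slow, patient read; its point is the same as the mechanical one on the line, buying the SOC time when someone tries to pull everything at once.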

Filed Under: Security Tagged With: business, CISO, industrial, response, risk, safety, security

Are we losing the cybercrime war?

October 23, 2017 By Doug

I didn’t share a Friday photo last week because I’ve been working on this post in response to a question a friend asked:  “Are we losing the cybercrime war?”

It sure feels that way.  In the past couple of years, we’ve had three major data disclosures – Aetna, Equifax and Yahoo, not to mention the myriad of lower-level incidents.  While the data lost in each is different, all three have major implications for security and privacy.  I’ve written before that we should all assume that our data’s been stolen and take precautions, and that’s absolutely the case.  All the big breaches are failures of prevention (data retention, patching, privileged credential protection), detection (instrumentation, analytics), and response (both technical and public relations).  That sounds like a systemic failure to me.

I’m a fan of the Fifth Discipline by Peter Senge, and tend to look for system causes rather than blame people, but in each of the large breaches, people’s decisions played a major role – from failure to invest in prevention, to failure to operationalize detection, to tone-deaf responses to incidents.  But let’s take a step back and look at the larger system in which those people operate – not just within their companies, but the entire economic and legal environment, for that’s where the real systemic problems lie.

As one of my favorite authors and bloggers, Jerry Pournelle (he recently passed away) was fond of saying, unrestricted capitalism will result in human meat being sold in street stalls.  Don’t get me wrong – I’m a hard-core capitalist, and believe in the power of the free market, but in this particular case we don’t have one.  Crony capitalism has tilted the regulatory and legal environment in the favor of a handful of large corporate entities (concentrated interest) and away from citizens and consumers (diffuse interest).  Companies that make their living exploiting consumer information are among the worst offenders, but all to some degree use their size and scale to manipulate laws and regulations in their favor to the exclusion of new entrants.

In an environment where ‘two years of credit monitoring and an apology’ is the worst expense a company will endure, we’re going to continue to get more breaches.  That’s because the bean counters will calculate the security budget based on the probability of a breach * scope of the breach * the cost of a breach on an annual basis.  That’s resulting in underinvestment in cybersecurity because the cost factor is artificially low.  What we need to do is change the cost and responsibility piece of the equation – once we do that, we’ll see the companies change their behavior.  This is exactly what happened with the Ford Pinto back in the 70’s.  In that case, the damage to the Ford brand overall was significant, and their competitors immediately changed practices to avoid a similar situation.    None of the three I mentioned above are in any danger of dying because their customers weren’t impacted – Equifax sells reports to creditors, Anthem sells insurance to businesses, and Yahoo sells information about consumer activity.  Consumers can’t really choose to avoid them having their data, so we’re stuck.  And that’s the first thing we need to fix.

First, data about a consumer needs to belong to the consumer.  Companies then become data custodians instead of data owners, cannot share data with a third party unless there is opt-in consent, and are monetarily responsible for disclosure as the asset itself has been lost (rather than damages incurred).   That’s the lynchpin.  Note that this would break Google and Facebook’s business model.

Next, full disclosure, within 14 days of discovery of a data disclosure (no limit on records) should be mandatory.  An exception where there is an ongoing law enforcement investigation and no evidence of exploitation of the data would make sense.  But once there’s evidence of exploitation (even less than 14 days), individual notification must follow immediately.  By US Mail if possible (e.g. if they have your physical address), by email at least.  Social media, websites, and news reports are not sufficient.

Last, and most important, the cost borne by the company should reflect the risk to the consumer.  That means a statutory floor for damages – payable in cash direct to the consumers impacted.  Note that this would break the class-action attorneys’ business model.  This should be tiered based on the data lost.  For example, compromised credit card numbers have a minimal impact on consumers, so set a low bar of $25 to $50 per consumer for the inconvenience of having to get new cards and change all their monthly payments.  The issuers should be compensated both for the cost of fraud on those accounts and for the cost of issuing new cards.  Medical and credit records are much higher value, so perhaps $100-200 plus the cost of lifetime security freeze and credit monitoring services (at retail rates, by a company of the consumer’s choosing if they want it) would be the right benchmark.

You can be sure that would get companies to take notice (they will fight the last one tooth and nail – as will the plaintiff’s bar).  It would change the calculation on what information to retain (getting rid of risky data becomes the cost effective option, rather than retaining to exploit it), and how to protect it.  The credit agencies are the prototypical example here – they hold massive amounts of information on consumers (who are the product) and have an economic incentive to release it to any and all comers, as that’s how they get paid.    GDPR in Europe has penalties attached to it, but mostly for non-compliance, rather than for disclosure costs, and they’re not paid to consumers, rather to the EU itself.

So unfortunately my three points above might as well be “I wish I was younger, taller and thinner”.  We might be able to make some changes around the margins (the thinner), but the concentrated interests will likely prevent any real reform from happening (taller and younger).

Because it’s all about the money.  Cybercriminals attack where it’s stored, companies invest based on cost of loss, and consumers wonder where it went.  Put it another way: right now, the criminals are winning, the companies are wondering, and the consumers are spending.

Filed Under: Security Tagged With: consumer rights, cybercrime, data breach, data disclosure, liability, security

Don’t be fooled: A credit lock is not a security freeze

September 28, 2017 By Doug

There’s been a lot of interest in placing a security freeze on your credit reports.  Consumers are interested because it prevents credit theft.  Credit agencies are interested because it breaks their business model.  Remember, nothing is free, someone’s getting paid for it somehow, and if you aren’t paying, you’re the product, not the customer.

A true security freeze locks down your credit report completely – no one who doesn’t already have a credit relationship with you can get access to the report.  This means that if you have a credit card from a bank, the bank can periodically pull your credit report to make sure you still are a safe risk.  But no one else – including companies that want to sell you ‘pre-approved credit cards’, or sell you credit monitoring services, can get access.  The latter two are large revenue generators for credit agencies, so a freeze threatens their business model.

TransUnion and now Equifax both are offering ‘credit lock’ services.  These are not true credit freezes.  They allow the companies to continue to sell and market your credit information and contain liability limitation and arbitration clauses that may impinge on your rights in a future breach.  The net is that they preserve the agencies’ business models, and that’s why they’re free.  It’s also why they charge for a credit freeze – to replace revenue lost when customers remove themselves from the database (that’s also why the ‘opt out’ provisions usually have a time-limited expiration).

I’ll talk more about the fundamental problem in another post – data ownership versus data stewardship.  But for now, I still believe that we need legislation that mandates free, true, security freezes be made available by all four agencies, and that they each have a streamlined process to correct information on file that prevents the consumer from getting one.

Don’t be fooled – get a real freeze from the links below – and watch out for attempts to route you to the ‘free’ services.

TransUnion:  https://freeze.transunion.com/sf/securityFreeze/landingPage.jsp

Watch out for a push to ‘TrueIdentity’ which is not a freeze.

Experian: https://www.experian.com/freeze/center.html

So far, no non-freeze services from them.

Equifax: https://www.freeze.equifax.com/Freeze/jsp/SFF_PersonalIDInfo.jsp

Watch out for their new ‘lifetime credit lock’ service.

Innovis: https://www.innovis.com/personal/securityFreeze

So far, no non-freeze services from them.  Note – this is the one everyone misses when placing freezes.

Filed Under: Security Tagged With: credit freeze, credit lock, equifax, experian, innovis, security freeze, security, transunion, true identity

