Doug Lhotka

Technical Storyteller


Opinions and commentary are mine, and do not reflect those of my employer.

(C) Copyright 2019-2023
Doug Lhotka.
All Rights Reserved.
Use of text, images, or other content on this website in generative AI or other machine learning is prohibited.

It’s 2019 and we know better

March 1, 2019 By Doug

(c) Depositphotos / MichalLudwiczak

Over the past few weeks I've run across, either personally or via the press, case after case of companies with poor security practices. These aren't small shops like Bob's Bait and eCommerce Site; they are big brand-name organizations with sophisticated security practices. So why do these things continue to happen?

Let me walk through some examples first. A fairly large regional credit union asked me to submit some paperwork for a mortgage loan...via email. I reached out to the security department, introduced myself, let them know of the request, and they had those instructions removed from the site that day. They took the situation very seriously, and I still would do business with them.

A major bank decided, without a request or authorization, to start sending email notifications of credit card payments being due, including the last four digits of the account, balance due, and credit limit, all of which are sensitive. This is the same company that continually does a soft pull of credit scores to put on the bills; again, it's opt-out instead of opt-in. I reached out through their public contact info, heard no response, and closed my account a week later.

Press reports this week talk about a large telco provider that uses a default PIN of 0000 to 'secure' accounts. They are 'working on it'. Fortunately that line of business has widespread competition, but in other areas they have monopoly control. I could probably cite dozens of reports of common default credentials.
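The fix for a shared default PIN is not a better default; it is no default at all, plus a policy that refuses the PINs everyone guesses first. The following is an added example (my own illustration, not code from the post or from any carrier) of such a policy: a validator that rejects all-same, sequential, repeated-pair and commonly chosen PINs, and a provisioning routine that assigns each new account a random PIN that passes the validator. The denylist contents and the 4-digit length are assumptions chosen for illustration.

```python
# Added example: per-account random PINs instead of a 0000 default,
# with a policy that rejects the PINs an attacker would try first.
# Denylist and length are assumptions for illustration, not any
# provider's real policy.
import secrets

PIN_LENGTH = 4

# Assumed denylist: the "default PIN" values from vendor support
# articles plus the handful that dominate leaked-PIN studies.
COMMON_PINS = {
    "0000", "1234", "1111", "1212", "7777", "1004", "2000", "4444",
    "2222", "6969", "9999", "3333", "5555", "6666", "1122", "1313",
    "8888", "4321", "2001", "1010", "2580",
}


def is_weak_pin(pin: str) -> bool:
    """Return True if the account system should refuse this PIN."""
    if len(pin) != PIN_LENGTH or not pin.isdigit():
        return True                      # wrong shape, reject outright
    if pin in COMMON_PINS:
        return True                      # on the denylist
    if len(set(pin)) == 1:
        return True                      # 0000, 9999, ... (any all-same PIN)
    digits = [int(c) for c in pin]
    steps = {b - a for a, b in zip(digits, digits[1:])}
    if steps in ({1}, {-1}):
        return True                      # ascending/descending run: 1234, 9876
    if pin[:2] == pin[2:]:
        return True                      # repeated pair: 1212, 4747
    return False


def provision_pin() -> str:
    """Generate a fresh random PIN for a new account; never a shared default."""
    while True:
        pin = "".join(secrets.choice("0123456789") for _ in range(PIN_LENGTH))
        if not is_weak_pin(pin):
            return pin


def change_pin(current_pin: str, supplied_current: str, new_pin: str) -> bool:
    """PIN change for an existing account: prove the old PIN, then apply policy.

    Uses a constant-time comparison so the check itself does not leak
    how many digits matched.
    """
    if not secrets.compare_digest(current_pin, supplied_current):
        return False
    if is_weak_pin(new_pin):
        return False
    return True


if __name__ == "__main__":
    first = provision_pin()
    print("provisioned PIN passes policy:", not is_weak_pin(first))
    for candidate in ("0000", "1234", "9876", "1212", "4937"):
        print(candidate, "weak" if is_weak_pin(candidate) else "ok")
```

The policy lives in one place, so the same `is_weak_pin` check runs at provisioning, at customer-initiated change and at call-center reset; the support path that motivated the 0000 default can still issue a PIN, it just cannot issue a predictable one.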

There was another report of a social media site exploiting user information for profit, via a free analytics kit embedded into third-party applications. Why anyone is surprised is beyond me. There's no such thing as a free puppy, or a free social media site.

A number of password management software vendors badly muffed the PR response to the recent report of credentials being harvested from the managers' own process memory. Technically they're right: the machine has to be compromised for the attack to work, but from a PR standpoint it's a bad situation. They build their company on trust, and customers feel as if that's been broken. I still use the software, but then again, I'd read the security paper, so this wasn't a surprise to me.

An ecommerce site reported a loss of credit card information when their shopping cart software, which was out of date, was hacked. There's a new Thunderbolt DMA attack that can dump memory from a running machine. Companies continue to put out public computers where people enter sensitive information (think hotel business centers and all those tablets in the airport). And there are dozens of companies, including some of the world's largest brokerage firms, still relying on mother's maiden name, last four of the SSN, or other easily discoverable or guessable alternate authentication schemes.

In many cases, to paraphrase Ian Malcolm from Jurassic Park, these companies are focused more on whether they 'could' rather than whether they 'should'. I'm sure that some marketing person thought it would be cool to proactively provide credit scores, balances, and credit limits, and didn't bother to ask anyone in the security or privacy departments if they should, or how to do it safely. The telco provider, I'm sure, left that decision to the support and account people, who were more worried about account recovery calls than about account takeover attacks. They are paid to minimize call center costs, so they optimized for their own interests over those of the customers.

Both of those tie back to previous articles: having the CISO report to the CEO or CRO instead of the CIO, so that they are a peer of the business rather than subordinate to a service organization, and pushing not just internal security awareness but also product security awareness throughout the business. But even when training occurs, without a formal multi-stakeholder risk management workflow, people will focus only on their immediate scope.

The most insidious reason, though, is inertia. They've asked for mother's maiden name since the beginning of time, and continue to do so because no one pushes for change. They don't patch critical vulnerabilities, because 'the system works'. They don't upgrade to the new OS because it requires a hardware refresh. In some cases, like hardware, that may be a valid business decision (though I'd argue it's often a reflection of poor prior planning; the Windows 7 end-of-support date was not a secret!), but most of the time no formal decision was made at all.

Changing the reporting structure is a major undertaking, and something for CEOs to consider. Building a risk management workflow across stakeholders would be a good initiative for COOs. CISOs can provide a conduit for 'bad behavior escalation'. CROs can expand the requirements for product security and privacy training. For everyone else, there is something we all can, and should, do, especially as security professionals.

Speak up.

If the company we work for is doing something legacy, dumb, risky, or thoughtless, we have a duty to escalate and try to effect change.  There’s no excuse for these bad practices to continue in 2019.  Better that it’s driven internally and proactively, than in response to new legislation or worse, to a breach.

Filed Under: Security Tagged With: 2019, breach, business alignment, inertia, privacy, risk, security

Commander’s Intent

October 10, 2018 By Doug

So all your preventative measures have failed. To be fair, they succeeded against the last few thousand attacks, but the bad guys got lucky once, and you now have a full-blown incident underway. Unfortunately you (the CEO) are at 23,000', knocking K2 off your bucket list. How does your company execute?

Let's expand the scenario a bit more. Turns out it's a bad one, with serious implications for business operations and significant customer impact. Decisions need to be made right now to mitigate and respond, both technically and to your customers. The security team has their runbooks, notification trees, and incident response plans in place (you do have all that, right?). They've notified PR, Legal, the CISO, and the on-deck line of business leadership. Each of those teams is assembling and starting to launch their own parts of the plan. So far, so good.

Now's where it usually breaks down. You have hundreds of angry customers calling on the phone, and they all want resolution. Response plans rarely extend to business operations, let alone to customer remediation; most organizations try to use existing day-to-day processes, which fail miserably. When there's a major disaster, hospitals change their workflow. They don't look for insurance cards; they treat the wounded. Does your call center?

This is not the time to parse expense authority through five layers of management with graduated approval limits, let alone try to run your day-to-day customer care plans. During a crisis, the goal has to be to resolve the customer's situation on the very first call. You might get away with one level of escalation, as long as hold times are short and calls don't drop, but as soon as you have to call them back, the customer will be fuming, and probably calling your competitors. And woe to the bottom line if they aren't called back as promised. Goodwill doesn't come back easily, if at all.

Avoiding this starts at the very top.  The commander’s intent has to be clear, concise and easy to understand.  During a recent ransomware outbreak, the CEO told the entire staff to ‘make it right for the customer, we’ll cover the cost’.  Full stop.

Now if you have a strong command-and-control culture, I've probably just caused a heart attack. But the point is clear: you need a different set of rules on deck when a disaster, cyber or otherwise, strikes. On declaration, the teams break glass on the case, crack the code books, and execute a streamlined workflow that includes escalated authority for the duration of the crisis.

The next time you do a cyber range drill or tabletop exercise, include an angry customer in the scenario.  See what happens.  I’ll bet that in most organizations your staff will either resort to daily procedures, platitudes, playing hot potato, or just wing it.  Very few teams have the modified workflow in place to handle a disaster when it strikes, let alone have a clear statement of their commander’s intent.

Do yours?

Filed Under: Security Tagged With: breach, commander's intent, crisis, customers, incident response, security

Data Breach Liability & Credit Monitoring

June 29, 2017 By Doug

(c) www.depositphotos.com / @ the_lightwriter

Apparently there's a proposed settlement for the Anthem breach. As a refresher, this was one of the largest data breaches on record, with roughly 80 million individuals' data compromised. The settlement breaks records, at $115M. But is it a good settlement?

What victims are going to get is two years of low-value credit monitoring, at a cost of about 66 cents per person, or about $50M in total (assuming everyone signs up). There's also a potential for folks to claim actual costs associated with the disclosure. The attorneys are getting about $39M; nice paycheck there. I'll leave comment on the fairness of the legal fees alone, and just focus on the first two, because 'two years of credit monitoring' seems to be the industry playbook for a data disclosure.

That playbook covers credit card data theft, medical records, and other financial information alike. Unfortunately, the risk and impact vary widely depending on what's stolen. When Target, Home Depot, or TJ Maxx lost credit cards, it was an annoyance: you have to get a new card, make maybe a couple of phone calls, and you're done. Debit cards carry much more liability and can be harder to recover from. As an aside, that's why I recommend against using, or even having, them, as they have a much lower level of legal protection than a credit card. In those cases, two years of credit monitoring might be fine.

Situations where your fundamental data is lost (SSN, birth date, medical history, banking information, and so forth) present life-long risks. These range from ongoing identity theft and criminal fraud to extortion, loss of employment or other opportunities, and so on. In those cases, as with Anthem, two years of monitoring is inadequate given the long-term impact. It'll take the bad guys longer than that to work through that number of records. This is a business for them, and they're likely to just be patient and wait to use most of them until after the free period expires.

And let me be clear, I'm right there with Brian Krebs' opinion of credit monitoring. It's overpriced, and at best will let you know that your identity was just stolen, not prevent it from happening. He recommends (and I wholeheartedly echo) that the best option is to place a credit freeze with all four agencies. Rather than recreate his good work, here's a link to instructions on how to do it. Even if you weren't part of this breach, it's worth doing as a preventative measure, as is creating your own accounts with the IRS and the Social Security Administration before someone else does. Oh, and if you freeze your accounts, monitoring services are useless, as third-party ones can't see anything, and the in-house ones can only see in-house data.

Take a few minutes and go do that (if you’re at a secure system), I’ll wait……

Ok, all done? Good. If you want to hedge your bets, getting coverage for identity restoration services might be worthwhile. State Farm and Allstate offer a rider for homeowner's policies that's affordable.

As far as documenting actual costs and getting them recovered, you might be able to get the cost of placing a freeze covered, but that's about it, and I doubt they'll cover the costs for the rest of your life. Similar to what I've written about how hard attribution of an attack to a particular actor is, attributing identity theft to a particular breach is essentially impossible. How aggressive will they be in demanding proof of a linkage? It'll be interesting to see.

So what would I like to see instead of this canned playbook?

  • A cash award option for the retail cost of the identity theft services offered. LifeLock's top-end plan runs about $650 for two years. That'd cover a big chunk of the freeze/unfreeze costs for many years.
  • Formal letter sent to each victim stating that they are at risk of identity theft. In many states, that triggers free freeze/unfreeze options.
  • Counselors available to help obtain freezes when there’s inaccurate information on credit reports that prevents the automated systems from working (I had that at one agency…extremely painful to resolve).

Tort reform, and caps on attorney fees are also on my list, but this is a security blog, not a political one.  But there is one political solution here – we need to reform data ownership laws.  If it’s our data, and these companies are just the custodians of it, and liable under law for abuse, misuse and disclosure, it’ll change behavior.

In the end we should all assume that our personal information either has been, or will be, captured by the bad guys, and take appropriate precautions. That means watching credit card and bank statements for suspicious activity; not answering any inbound phone call about personal information (call the company back from the number on your statement); getting a credit freeze and locking down other accounts; never, ever using a device other than your own for financial transactions; and buying, and using, a shredder.

Filed Under: Security Tagged With: breach, credit freeze, credit monitoring, data breach, disclosure, identity theft, IRS, Social Security
