Silver Tail Systems Blog

Preventing Online Fraud Through Web Session Intelligence

Facebook IPO Setting Stage for Cyber Security Disclosures

Given the recent guidance from the SEC on how public companies should address cybersecurity risks and incidents in their disclosures, many have been waiting to see how these companies would interpret that guidance. Facebook's IPO filing gives some indication of what this is going to look like going forward.

While most of the discussion in Facebook's filing concerns data privacy, the filing does a good job of explaining why a privacy-related breach would be costly for the business. I'm not a regulator, but it seems like this is a good way to disclose this type of risk: put it in the context of the monetary impact of a problem occurring.

March 7, 2012 | Posted in: Detection, Social Networks

Security Pros Don Vieira and Demetrios ‘Laz’ Lazarikos Discuss SEC Guidance

Earlier this week we hosted a webinar that included commentary from two industry insiders: Don Vieira, Partner at Wilson, Sonsini, Goodrich and Rosati, and Demetrios 'Laz' Lazarikos, Director of Strategy at Silver Tail. Drawing on extensive experience in security and the federal government, Don began the discussion by talking about how the SEC guidance affects public businesses and what Washington's role is. He noted that this updated document could in a way be called the "Disclosure Guidance," as it clarifies exactly what information public companies need to share with stakeholders and investors. Don went on to note that Washington's role is broader than regulation, and that lawmakers must also set timeframes for specific pieces of legislation to pass.

As the former head of Information Security for the Sears Online Business, Laz discussed specific ways companies can flag cybersecurity incidents, and how web session intelligence can identify where malicious behavior is occurring on a website.

Overall, this latest SEC guidance is a step in the right direction for the cybersecurity industry, because it is fundamentally about becoming aware of, and gaining visibility into, the various types of attacks on websites. The proper monitoring tools need to be in place to ensure that websites and mobile devices are protected, and those tools give companies several benefits:

  • Helping to identify and address malicious activity before it becomes a major issue.
  • Helping to identify areas where vulnerabilities exist so they can be corrected quickly.
  • Should a breach occur, helping to measure the extent of the damage.

We look forward to having you participate in our upcoming webinars!

November 16, 2011 | Posted in: Detection, education

How will the SEC cybersecurity guidance change organizational structure moving forward?

With the October 13 announcement by the SEC stating that cybersecurity vulnerabilities, incidents, and risks should be part of corporate filings, I'm starting to hear some buzz about whether or not this will change the organizational structure of public (or private) companies.

Executive summary: This “change” (or lack thereof) will accelerate a shift in organizational structure that has been slowly gaining momentum before this SEC announcement.

The shift in organizational structure I am referring to is the combination of Information Security teams (which usually sit in the IT group) with Risk Management teams (which can sit in Legal, in business units, or elsewhere within an organization). The term "cybersecurity event" has a huge range of connotations, but I believe the SEC would consider both major security breaches and major fraud events to fall into the category of "cybersecurity event." Because these two teams will likely be impacted the most, it will become imperative for them to work more closely together.

As I mentioned earlier, this will not be a surprise to some organizations. Several industry-leading companies have already combined their Risk Management and Information Security teams.

Last week I spoke to a group of risk and fraud managers from various large financial institutions. They said that their organizations are starting to see how the attacks tracked by information security groups are often the precursors to the fraud attacks. Take for example the case of passwords stolen by phishers. In most organizations it is the job of the Information Security team to identify when the phishers are verifying the passwords they collected on the phishing site. If Information Security does not identify that activity, the stolen accounts will likely be used to perpetrate fraud – now falling into the purview of the Risk Management team. There are hundreds of examples that follow this exact trend.

In another conversation, last week I spoke with a very forward-thinking security executive. This executive told me that her organization is building a team to help identify the precursors of fraud to reduce the fraud impact on the back end. This will be a joint Information Security and Risk Management effort. I would be highly surprised if we don’t see more organizations going in this direction in the next 12-18 months.

There are other business changes that will likely result from the cybersecurity interpretation of the SEC guidance. Information Security, Risk Management, and the business will have to work together to understand the impact of various threats and the prioritization of addressing them. Having come from a Risk Management team, I can say that giving Risk Management and Information Security a little leverage when negotiating with marketing is not a bad thing.

While I can see why there is consternation around these guidelines (the increased process, paperwork, etc.), I see them as a good thing for organizations as a whole. They will create incentives to ensure that the cyber posture of organizations is sufficient given the valuable data and assets their infrastructure protects.

November 10, 2011 | Posted in: information security, Online Fraud

New SEC Guidance as it Relates to the Navigation Layer

The recent SEC disclosure guidance pertaining to cybersecurity includes very broad descriptions of the threats and associated impacts of cyber incidents, and for good reason. As the cybersecurity landscape continues to evolve, criminals are finding more and more ways to steal information, commit fraud, game website logic, and disrupt business operations. Central to the explosion of cybercrime in recent years is the continued evolution of rich internet applications and the exposure of critical business operations to the web. The more business operations, both internal and external facing, move to web-enabled platforms, the more opportunities criminals have to find loopholes, mine for valuable data, and exploit legitimate website functionality. The attack surface where these activities are conducted is what we call the Navigation Layer.

Simply put, the Navigation Layer is how users of web services access and interact with the resources and functionality of websites. Purchasing a digital camera on an e-commerce site, balancing your checkbook using online banking, and interacting with project plans on a company intranet are all examples of activity in the Navigation Layer. The reason this is such an attractive target for criminals is that the functionality that enables their criminal activity has, in large part, to be made available to legitimate users. As long as there are websites, criminals will be looking for ways to take advantage of the data and functionality made available through those sites. Although certainly not an exhaustive list, a significant portion of online criminal activity falls into three categories: Business Logic Abuse, Data Scraping, and Architecture Probing.

Business Logic Abuse involves using website functionality as designed, but for malicious or exploitative purposes. Specific exploits range from password guessing and email farming to abuse of loyalty point programs and coordination of pump-and-dump schemes. These activities rely on the fact that any functionality a website exposes to legitimate users is, by the same token, exposed to fraudsters. If a website has a login page, there will be an opportunity to guess passwords. If a company's marketing department runs a sweepstakes administered on the website, there will be chances to rig the outcome through mass registrations. The same dynamic governs every bit of functionality on every website across the globe.

Data Scraping is similar to Business Logic Abuse in that it typically leverages functionality built for legitimate users, but it focuses solely on the collection of data. The collected data can then be sold on the black market, used to gain a competitive advantage, used to further additional criminal activity, or put to a multitude of other uses. Scraping pricing and availability from online merchandise catalogs, collecting classified internal documents, and capturing customer data records are all examples of Data Scraping. It is important to realize that Data Scraping is conducted by both individuals and organizations, by both internal and external actors, and through both scripted/programmatic access and manual processes. If there is potentially valuable data accessible on a website, it is a target for Data Scraping.

Arguably the most dangerous of the three categories is Architecture Probing, which involves systematically sending requests to application or server resources with the intent of exposing vulnerabilities. Vulnerabilities may be exposed through bugs in the application or server code, weak validation of user input on web forms, poor site maintenance where deprecated pages and functionality are still present on the site, or a host of other circumstances. Architecture Probing typically requires a higher skill set than Business Logic Abuse or Data Scraping, but the impact of a successful Architecture Probing attack can be far more damaging. Depending on the vulnerability identified, the criminal may be able to access every user account in the system, extract the entire backend database, gain access to other systems not exposed to the web, or even install malicious code on the server that then infects every user who visits the website. Many of the large-scale data breaches made public over the past few years have resulted from vulnerabilities identified through Architecture Probing.

The cybersecurity challenge facing businesses and organizations is that it is notoriously difficult to detect and defend against Business Logic Abuse, Data Scraping, Architecture Probing, and other types of attacks executed through the Navigation Layer. Traditional approaches that rely on strong authentication of users, transaction risk modeling, link analysis, event correlation, and the like are still critical to have in place, but they are rendered largely ineffective when confronted with "low-and-slow" processes scraping site data, or with attacks carried out by networks of hundreds of PCs infected with criminal-controlled malware. Moreover, criminals are continually changing their attack strategies and developing new methods of exploiting website functionality. Keeping detection systems up to date with the latest attack vectors is incredibly challenging.

All of this may seem overwhelming and rightfully so.  However, there are a few aspects of this type of criminal activity that begin to level the playing field.

  • First, these attacks all take place through the Navigation Layer, and website owners control this layer. Although the functionality exploited by criminals is typically required by legitimate users, businesses and organizations can have visibility into every aspect of the traffic going through the Navigation Layer. The ability to monitor this wealth of traffic is invaluable for detecting attacks coming through the website and for performing forensic investigations of past events to better inform future detection and mitigation decisions.
  • The other area where businesses and organizations have an advantage is that criminals, in order to execute their attacks, have to behave differently than normal users of a website. Normal users do not try to log in using tens, hundreds, or thousands of different passwords. Nor do they crawl entire product catalogs on e-commerce sites or submit nonsensical chunks of data to web applications in the hope that something will break. By leveraging full visibility into the Navigation Layer, it is possible to perform behavioral analytics on every click on the website and rapidly identify the outliers: those web sessions that are not behaving like everyone else using the website.
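The three categories described above (password guessing, catalog scraping, probing for stale or injectable resources) and the per-session outlier detection this second point describes can be reduced to a small piece of log analysis. The Python below is an added example written for this page; it is not Silver Tail Systems' product code or algorithm. It assumes that each access-log line carries a `sess=` token identifying the web session (a real deployment would key on a session cookie), that the thresholds in `classify` are starting points to be tuned per site, and all log lines, IPs and paths in it are constructed.

```python
"""Per-session behavioural analytics over web access logs (added example).

Requests are grouped into web sessions by an assumed `sess=` token on each
line, per-session features are computed, the three attack categories are
labelled with assumed rule thresholds, and request rate is scored against the
whole population with a median/MAD robust z-score. All log lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" sess=(?P<sess>\S+)$')
CATALOG_RE = re.compile(r"^/catalog/\d+$")
# path fragments typical of probing: traversal, quote/NUL injection, stale or admin files
PROBE_RE = re.compile(r"(\.\./|%27|%00|<script|\.bak$|/phpmyadmin|/admin\.php)", re.I)
BASE = datetime(2011, 11, 10, 10, 0, 0, tzinfo=timezone.utc)

def mk(ip, sess, offset, method, path, status):
    """Build one constructed combined-log line with a trailing session id."""
    ts = (BASE + timedelta(seconds=offset)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 0 "-" "Mozilla/5.0" sess={sess}'

NORMAL = {  # ordinary shoppers: a few requests over one to three minutes (offset_s, method, path, status)
    "a": [(0, "GET", "/catalog/1", 200), (30, "GET", "/catalog/2", 200), (60, "POST", "/cart", 302)],
    "b": [(0, "GET", "/", 200), (40, "GET", "/catalog/7", 200), (70, "POST", "/cart", 302), (100, "GET", "/checkout", 200)],
    "c": [(0, "GET", "/login", 200), (50, "POST", "/login", 302), (90, "GET", "/account", 200), (120, "GET", "/catalog/3", 200), (150, "POST", "/cart", 302)],
    "d": [(0, "GET", "/", 200), (45, "GET", "/catalog/9", 200), (90, "GET", "/catalog/4", 200)],
    # one mistyped password followed by success is normal behaviour, not an attack
    "e": [(0, "POST", "/login", 401), (20, "POST", "/login", 302), (50, "GET", "/account", 200), (80, "GET", "/catalog/3", 200)],
    "f": [(0, "GET", "/", 200), (60, "GET", "/catalog/5", 200), (110, "GET", "/catalog/6", 200), (160, "POST", "/cart", 302), (200, "GET", "/checkout", 200)],
}
PROBES = ["/static/../../etc/passwd", "/catalog/1%27", "/backup.sql.bak", "/phpmyadmin/", "/admin.php", "/index.php?id=1%00"]
SAMPLE_LINES = [mk(f"10.0.0.{n}", s, *r) for n, (s, reqs) in enumerate(NORMAL.items(), 1) for r in reqs]
SAMPLE_LINES += [mk("198.51.100.7", "g", 2 * i, "POST", "/login", 401) for i in range(30)]  # password guessing
SAMPLE_LINES += [mk("198.51.100.8", "h", i, "GET", f"/catalog/{100 + i}", 200) for i in range(40)]  # scraping
SAMPLE_LINES += [mk("198.51.100.9", "i", 2 * i, "GET", PROBES[i % 6], 404) for i in range(12)]  # probing
SAMPLE_LINES.append("not a log line: skipped by the parser")

def parse_log(lines):
    """Parse matching lines into dicts with a datetime ts and int status; skip the rest."""
    out = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            r = m.groupdict()
            r["ts"] = datetime.strptime(r["ts"], TS_FMT)
            r["status"] = int(r["status"])
            out.append(r)
    return out

def session_features(records):
    """Aggregate requests into per-session behavioural features."""
    by_sess = defaultdict(list)
    for r in records:
        by_sess[r["sess"]].append(r)
    feats = {}
    for sess, rs in by_sess.items():
        rs.sort(key=lambda r: r["ts"])
        n = len(rs)
        span = (rs[-1]["ts"] - rs[0]["ts"]).total_seconds()
        feats[sess] = {
            "requests": n,
            "rate": n / max(span, 1.0),  # requests per second over the session
            "login_failures": sum(r["method"] == "POST" and r["path"] == "/login" and r["status"] == 401 for r in rs),
            "catalog_pages": len({r["path"] for r in rs if CATALOG_RE.match(r["path"])}),
            "probe_hits": sum(bool(PROBE_RE.search(r["path"])) for r in rs),
            # 404s and server errors (not auth failures) are what probing leaves behind
            "broken_ratio": sum(r["status"] == 404 or r["status"] >= 500 for r in rs) / n,
        }
    return feats

def classify(feats, max_login_failures=10, min_scrape_pages=20, min_scrape_rate=0.5, min_probe_hits=3):
    """Label sessions with the three categories; the thresholds are assumptions, tune per site."""
    labels = {}
    for sess, f in feats.items():
        tags = []
        if f["login_failures"] >= max_login_failures:
            tags.append("Business Logic Abuse")
        if f["catalog_pages"] >= min_scrape_pages and f["rate"] >= min_scrape_rate:
            tags.append("Data Scraping")
        if f["probe_hits"] >= min_probe_hits or (f["requests"] >= 10 and f["broken_ratio"] >= 0.5):
            tags.append("Architecture Probing")
        if tags:
            labels[sess] = tags
    return labels

def outliers(feats, feature="rate", cutoff=3.5):
    """Sessions far from the population on one feature: robust z = 0.6745*(x - median)/MAD."""
    vals = {s: f[feature] for s, f in feats.items()}
    med = statistics.median(vals.values())
    mad = statistics.median(abs(v - med) for v in vals.values())
    if mad == 0:  # more than half the population shares one value; anything else deviates
        return sorted(s for s, v in vals.items() if v != med)
    return sorted(s for s, v in vals.items() if abs(0.6745 * (v - med) / mad) > cutoff)

if __name__ == "__main__":
    feats = session_features(parse_log(SAMPLE_LINES))
    for sess, tags in classify(feats).items():
        print(sess, round(feats[sess]["rate"], 3), "req/s", tags)
    print("rate outliers:", outliers(feats))
```

Two design points matter in practice. The probing rule deliberately counts 404s and 5xx responses rather than all non-2xx statuses, so that a credential-stuffing session (all 401s) is labelled as Business Logic Abuse and not also as probing; and the outlier score uses the median and MAD rather than mean and standard deviation, because a single scraper at hundreds of requests per second would otherwise inflate the mean enough to hide slower attackers. Session `e`, which mistypes a password once and then succeeds, is neither labelled nor an outlier.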

As web applications and web-enabled devices continue to rapidly evolve, the attacks on the Navigation Layer will continue to keep pace – using the latest functionality for something other than what it was intended for.  But, by maintaining full visibility into the Navigation Layer and performing adaptive behavioral analytics on every click occurring on the website, these evolving threats can be detected and mitigated in near real-time, thus preventing the often dramatic impacts of attacks that have gone unnoticed until the damage has already been realized.

November 3, 2011 | Posted in: Data Loss, Detection, education

Point of Entry: A Website’s Navigation Layer is Susceptible to Attacks

Since the commercialization of the Internet, cyber criminals have steadily evolved how they conduct malicious activity on Web sites. They are becoming more creative and are automating the exploitation of vulnerabilities and business logic flaws at the Navigation Layer. The Navigation Layer of a Web site comprises all user behavior on that site and is often referred to as the clickstream.

Because of this evolution in malicious behavior, businesses will be required to plan how to protect the brand, stock price, revenue, and reputation of the organization. Unexpected costs associated with a malicious cyber event can range from a stock price dip to lost productivity when staff are pulled from revenue-generating projects to address the event. For example, if an organization is under a DDoS attack and dozens of internal staff are pulled away from their primary job responsibilities, the cost of addressing the security issue can spiral out of control. Additionally, when a well-orchestrated malicious security event is launched against an e-commerce site, that organization will lose revenue if the site becomes inaccessible or does not function properly. Brand erosion will follow as customers become concerned about the security of their information or purchases. If a company's Web site is compromised, what is the likelihood that a consumer will come back to the business and trust that their sensitive information is protected?

At a very high level, stock prices are determined by several factors, which include, but are not limited to, assets and revenues coupled with shareholder confidence. When a dozen security-related events expose a weakness within an organization, its stock price may dip because revenues are affected and/or shareholders lose confidence in the company. In one case this year, a large organization's stock price declined steadily over six months, at its lowest point representing a loss of roughly $10 a share. This case may become the first example of how cyber criminals can affect stock prices. Something else to consider when looking at recent online breaches and/or compromises is the potential for shareholder lawsuits against an organization over the lack of cyber security controls protecting critical assets.

Going forward it is going to be critical for organizations to take into account the various business expenses that arise from the diversity of cyber attacks now unfolding. From the corporate boardroom to the average consumer, Navigation Layer attacks are far from isolated, localized events.

November 2, 2011 | Posted in: Uncategorized

Large-scale Attacks Draw Attention – Is It Warranted?

Recent industry coverage has revealed that the same attack that RSA suffered earlier this year has also hit 760 other companies, a list of which has been published here. It is very important to note, however, that this is actually a list of IP registration records associated with victim IPs, which explains why so many telecoms and hosting companies appear on it.

The list itself may be quite misleading, but it still brings to light that many of the organizations (or users on their networks) were potentially at risk of attack. Of course companies don't want to admit that they've been compromised (the recent guidance from the SEC is looking to address the disclosure issue), though the fact that companies did not disclose these attacks earlier does not necessarily mean they withheld them purposefully.

Companies are often unaware that they have been at risk, or have been at risk over a long period during which criminals have been taking advantage unbeknownst to the organization. We refer to these types of threats as Advanced Persistent Threats (APTs). APTs are exceedingly difficult to detect and block, and many companies are not adequately prepared to defend against them.

Context for security alerts is critical when defending against APTs. Organizations need visibility into all activity of individual users and/or IP addresses; they cannot rely on analysis of isolated events. To understand what normal behavior looks like, you need an accurate profile of each user in order to pinpoint what can be deemed anomalous. That is why full web session intelligence is imperative to identifying and stopping cybercriminals today, and why it is a key component of defending organizations against APTs and avoiding the fallout after a public attack disclosure.

October 31, 2011 | Posted in: Detection, Investigation

SEC Guidance: The Business Impact

The recent SEC disclosure guidance reflects the increasing impact of cyber attacks on the day-to-day operations of business. Cyber criminals are well capitalized and continue to demonstrate high levels of innovation and the capacity to rapidly disseminate new and emerging techniques to thwart the defenses of companies around the world. The globalized nature of attacks coupled with the federated model of information sharing by cyber criminals highlights the truly global scale of the problem and points towards a likely increase in global regulations for how companies should address the issue.

Interpreting the guidance starts with visibility. Companies need to understand what is happening in their network, the scope of an attack, and its impact on the business. With more business being conducted online, the navigation layer of websites is an emerging target for attack. The navigation layer is the primary way users access assets and applications on the Internet. Historically it was used for legitimate purposes and was left largely unprotected. Cyber criminals are now exploiting this, and companies are struggling with how to respond. Traditional IT applications and log analysis tools are unequipped to provide the scale, monitoring, analysis, and real-time responsiveness needed for adequate protection.

Web Session Intelligence provides visibility to the teams responsible for protecting the navigation layer and enables a response to cyber attacks while they are occurring. It delivers a complete view of a user's web session as they navigate a website and leverages that view to distinguish legitimate users from criminals. This capability is key to real-time visibility and to giving key decision makers within an organization the information needed to interpret an attack through the lens of the guidance.

The impact of the guidance is likely to be felt beyond just technology. Complying with the guidance will likely lead to companies assessing their current operational models and processes for cyber defense. Business functions and InfoSec teams will need to be more closely aligned to share relevant information associated with the attacks and deliver a coordinated, rapid response.

Ultimately, though this guidance helps clarify the expectations on public companies, there is no silver bullet for stopping cyber attacks. It requires a well thought out approach that combines technology, people and processes. Our vision at Silver Tail Systems from day one has been to help restore integrity to the Internet via Web Session Intelligence. Web Session Intelligence should be incorporated into the decision making process of any organization thinking through how they respond to the recent guidance.

October 24, 2011 | Posted in: Uncategorized
