Another indication of the pervasiveness of data loss comes from several recent reports of nation-state activity aimed at extracting intellectual property from companies in the U.S. The security firm Mandiant published a report in February 2013 that presented evidence of Chinese military involvement in efforts to steal proprietary information from companies, including those that control critical infrastructure (CI) assets such as water, electrical power, and oil and gas pipelines.2 According to the Mandiant report, the group it calls “APT1” had infiltrated at least 150 companies across many industries and extracted terabytes of information, including 6.5 TB from a single organization.3
The vulnerability of the automated industrial control systems (ICS) used in these CI industries has attracted increasing concern over the past several years. Originally designed to collect and transmit data and commands over closed (point-to-point) communications links, many of these systems have since been connected to Internet Protocol networks, losing the isolation their designs assumed. The National Institute of Standards and Technology (NIST) released its guidelines on ICS security in June 2011 as NIST Special Publication 800-82. Ranking highly among the NIST recommendations are intrusion detection, audit trail analysis, monitoring for compliance gaps, enforcing the principle of least privilege, and managing credentials by user category.
Industries outside power and utilities, CI and non-CI alike, are also under attack. Storing work data in convenient consumer repositories such as Evernote, Google Docs, and Dropbox also creates data leakage channels. Evernote, for example, reported in early March 2013 that it had been hacked and forced a password reset for all of its roughly 50 million users after attackers accessed user names, email addresses, and hashed passwords.4
THREAT LANDSCAPE – EXPOSURE OF ORGANIZATIONS
Estimating the cost of data loss to organizations is challenging, in part because most organizations do not really have high confidence about the status of their data, even data categorized as sensitive, confidential, or otherwise protected. In an estimated 59 percent of the data breach incidents examined in the 2012 Data Breach Investigations Report (DBIR),5 it was law enforcement that notified the compromised organization of the problem. Equally disturbing, 92 percent of the incidents examined were initially detected by a third party; the organizations themselves had not identified the problem. The report further indicated that the use of stolen login credentials was the leading attack method, responsible for the majority of records compromised.6 It is one thing to have your house broken into. It is more disturbing when your house is broken into, your keys are stolen, and you remain oblivious to your vulnerable position.
The extent of the problem is striking. The 2012 DBIR reported the second-highest number of records exposed, 174 million, since the report’s data series began in 2004. Organizations holding large data sets are especially attractive targets for advanced persistent threat (APT) techniques. In his comments at the 2012 RSA Conference in San Francisco, Uri Rivner predicted that IP theft targets would include pharmaceutical, energy, and mining organizations.7 Critical infrastructure sectors should take heed.
Third Parties—Trust Assumptions
Third parties represent a multi-faceted liability to an organization. On the one hand, third parties may entrust their sensitive information to an organization on the explicit or implicit assumption that it will be protected. If that trust proves ill-founded because of the organization’s negligence, a security vulnerability, or bad luck, the affected third parties may pursue restitution or penalties. On the other hand, third parties themselves may be the source of an unmitigated weakness in the organization’s security architecture. In its 2013 survey of more than 120 technology, media, and telecommunications (TMT) companies in 38 countries, Deloitte & Touche identified third-party security risks and employee awareness as the top concerns.8 Its 2011 study observed that, in our hyper-linked world, multiple parties are connected, and therefore affected, meaning that organizations must not only assure the security of their own assets, but also those of their third parties who have access to their
Nearly 60 percent of the surveyed TMT organizations view third parties as an ‘average’ to ‘high’ threat for information security, versus only 30 percent who are very confident in the information security practices of third parties. This skepticism may be partly driven by the widely publicized problems recently experienced by major cloud service providers.9
The Open Security Foundation’s DataLossDB report expressed concern about third-party involvement in data extrusion, highlighting “a trend that indicates that data loss incidents involving third parties, on average, result in a greater number of records lost than incidents that do not involve third parties. This may be as a result of the type of data handled by third parties, the process of transferring the data between organizations, or other hypothesis.”10 And again, in the majority of cases it is third parties (often government agency representatives, foreign and domestic) who deliver the message that an organization’s systems have been compromised. Individuals and businesses that suspect their information has been exposed, for example among the 8 million Gamigo account holders whose data was compromised in March 2012, can check PwnedList’s database of stolen credentials, email addresses, and passwords <www.pwnedlist.com>.
Mobile devices figure prominently in reported data breach cases. Results from a 2011 Ponemon Institute survey of IT professionals show that mobile devices figured in 63 percent of data breach cases.11 According to a more recent survey report from the Ponemon Institute about practices to mitigate mobile device vulnerability:12
Many companies make significant investments in encryption and endpoint security to protect sensitive data, but they often don’t know how/what data is leaving through insecure mobile devices. Traditional static security solutions such as antivirus, firewalls, and passwords are not effective at stopping advanced malware and data theft threats from malicious or negligent insiders. To safely permit corporate use of mobile devices, organizations need data loss prevention technology that knows where critical data is saved, who is accessing it, how it’s attempting to leave, and where it’s going (Ponemon 2012a, p. 9).
This advice applies across all potential attack surfaces. Still, collecting data about network traffic, system changes, and user activity from a variety of widely dispersed logical and physical sensors is challenging. With sophisticated and patient attackers, including nation-state agents, deploying complex, multi-layer exploit strategies over extended periods, detection is difficult, especially for understaffed IT groups. Analytical tools that correlate log and system data from those sensors, and present the result in a form IT professionals can act on, are needed to give the organization situational awareness of where its information is and where it is going.
LOSS LANDSCAPE – BURDEN TO ORGANIZATIONS
Data leakage prevention (DLP) is a security objective that maps clearly to the confidentiality leg of the CIA triad, and less directly to availability and integrity (although integrity, the assurance that data has not been tampered with, also becomes suspect once the implicit chain of custody has been broken). Unlike a water leak, data leakage may not be readily apparent. In many cases the data is still available, and even still in its original, designated repository. The problem is that it is also in another repository, and not necessarily one managed by the organization. Possession and access are now shared. It is like having your cake and eating it, while another person is digesting it.
Calculating the cost of data loss to organizations involves multiple factors, categorized in a 2012 Ponemon Institute study as internal costs (detection, investigation, containment, recovery, ex-post response) and external costs (information loss or theft, business disruption, equipment damage, revenue loss).13 According to survey results from the 56 companies that participated in this study, almost half (44%) of the external cost of cyber crime could be attributed to information loss, in part because of legally required notification and restitution or victim compensation, including credit monitoring. Protecting the information asset itself, and knowing its status, thus addresses the single largest external cost category.14
The National Crime Prevention Council puts the estimated damage to the U.S. economy from intellectual property theft at $250 billion a year, also noting that “more than 45 percent of all U.S. businesses have reported losses due to intellectual property theft.”15 Dmitri Alperovitch, then McAfee’s Vice President for Threat Research, stated in his report on Operation Shady RAT: “I am convinced that every company in every conceivable industry with significant size and valuable intellectual property and trade secrets has been compromised (or will be shortly), with the great majority of the victims rarely discovering the intrusion or its impact. In fact, I divide the entire set of Fortune Global 2,000 firms into two categories: those that know they’ve been compromised and those that don’t yet know.”16
Brand piracy is one type of IP loss that affects an organization in several ways: (1) lost revenue, as when the pirating company benefits from the pirated company’s marketing efforts and sells a knock-off product; (2) warranty cost, as when the pirated company replaces or repairs faulty product that it did not produce; and (3) diminished product image and reputation as counterfeits proliferate (less exclusivity, hence less snob appeal, and buyer disappointment in the counterfeit’s quality, leading to future sales loss). Affected products range from high tech (software, electronics) to medium tech (pharmaceuticals, instrumentation) to consumer goods (music, movies, clothing, toys). Energy resource companies have also reported suspected IP theft. The consequences of IP theft can be deadly: a broken strap on a new Prada bag is merely an irritating wardrobe malfunction, but taking bogus medication to regulate your heartbeat can be fatal. The problem is not new; caveat emptor was first used as a term in the 16th century. The ability to copy designs without physically breaking into locked file cabinets and desk drawers is, however, very 21st century.
VICTIM LANDSCAPE – EXAMPLES OF VICTIMIZED ORGANIZATIONS
In 2010, McAfee identified a multi-layered attack against oil and gas companies that it dubbed “Night Dragon.” The documents exfiltrated from the companies as a result of the attacks, which had been under way for at least two years (perhaps as many as four), included financial records (on field exploration and bidding) and SCADA system data.17 Another disturbing, coordinated attack with nation-state involvement and U.S. national security implications was “Operation Aurora,” which targeted dozens of high-profile organizations including Google, Juniper Networks, Northrop Grumman, and Dow Chemical. In its Operation Shady RAT report, McAfee made this observation about the cumulative effect of Night Dragon, Aurora, and similar campaigns:
What we have witnessed over the past five to six years has been nothing short of a historically unprecedented transfer of wealth — closely guarded national secrets (including from classified government networks), source code, bug databases, email archives, negotiation plans and exploration details for new oil and gas field auctions, document stores, legal contracts, SCADA configurations, design schematics and much more has “fallen off the truck” of numerous, mostly Western companies and disappeared in the ever-growing electronic archives of dogged adversaries.18
A 2009 study from Purdue’s Center for Education and Research in Information Assurance and Security (CERIAS), based on a survey of 800 companies, estimated a combined cost of $4.6 billion in lost IP in 2008 alone, plus $600 million to repair damage caused by breaches.19 In addition to attacks against corporate data repositories, social networking sites are trawled for inadvertently shared information that is useful for economic espionage. Guiding employees in the judicious use of social media, perhaps even preventing them from posting sensitive content, can reduce opportunities for bad actors.20
Other high-profile data leakage incidents detected since 2010 include the U.S. Chamber of Commerce (trusted partner of some three million companies); Sony (PlayStation 3 signing keys released, and the 2011 PlayStation Network breach that gave hackers access to 101.6 million customer records, including roughly 12,700 card numbers from an outdated database); The New York Times and The Wall Street Journal (among other Chinese intrusions into U.S. media organizations aimed at controlling the flow of information); Cargill and Dow Chemical (more than $7 million of agribusiness and agrichemical trade secrets passed to a government-sponsored Chinese university); Motorola (1,000 sensitive documents intended for the Chinese military and a media company); and Ford (insider theft of at least $50 million worth of manufacturing trade secrets). Interestingly, U.S. Government actions have thus far centered on policy, training, and reporting mechanisms (such as databases), rather than on tools to detect and capture evidence of leakage.
TECHNOLOGY LANDSCAPE – TOOLS FOR ORGANIZATIONS
As much as sharing is valued and promoted among the nursery school set, accidental or intentional data sharing exposes an organization to specific collateral damage. The context of the data leakage determines the organization’s response and the business impact:
- Source – Where is the opening, membrane, or surface through which data left the organization?
- Channel – By what means is the data seeping out (e.g., personal media storage, ephemeral messages, mobile devices, trusted community members)?
- Data State – Was the compromised data at rest, in motion, or in use (being processed)?
- Sensitivity – How was the escaped data classified with respect to protection level?
- Scope of Responsibility – To what extent is the organization legally or ethically accountable for the protection of the data accidentally or intentionally shared?
- Restitution/Recourse – What kind of safety net (e.g., insurance) does the organization have in place to cover the cost of litigation, penalties, and remediation?
Many of us who watched prime time TV in the 1960s and 1970s remember the nightly ABC admonishment, “It’s 10 p.m. Do you know where your children are?” For organizations, knowing the whereabouts of their data was challenging even before cloud computing, BYOD, and ad hoc trading partner arrangements. In an ideal world, of course, organizations have complete informational awareness, enabled through a combination of responsible organizational data practices, consistently reinforced user training, audited control mechanisms, secure network architecture, and layered monitoring tools.
DO YOU KNOW WHERE YOUR DATA IS?
INTELLIGENT ID – BENEFIT TO ORGANIZATIONS
The pervasiveness of IP theft, data loss, and information misuse, combined with the growth of sensitive information stored and transmitted digitally, cloud computing, custody of third-party PII, and BYOD, creates a perfect storm of opportunity for leakage, whether malicious or accidental. While many may prefer an “ignorance is bliss” mindset toward the use of an organization’s data, expanding policy, compliance measures, and regulation, along with the prospect of unwelcome media exposure, demand that decision makers remain in the know and proactive regarding company data.
Adopting an in-the-know philosophy regarding data and its usage not only prevents negative consequences but produces positive outcomes as well, including cost reduction, efficient data flow, brand protection, and enhanced overall organizational security. According to the Ponemon Institute report, significant opportunities for cost reduction are available to organizations that invest in technologies that assist with and automate detection and recovery activities (p. 15).
Intelligent ID’s endpoint and user activity management system addresses the largest area of opportunity for organizational benefit, identified by Ponemon as “investigation and incident management”: capturing the source, channel, data state, and sensitivity of data in the event of a leakage, and preventing loss and theft through compliance monitoring, policy enforcement, user training, and intuitive data analysis and alerting. This area of opportunity showed a 40% reduction in cost for reporting companies that implemented an intelligent security solution compared with those that did not.21
Because its dashboard monitoring interface and customizable reporting are easy for IT and non-IT staff alike to use, Intelligent ID can reduce the asymmetry of informational situational awareness among an organization’s legal, HR, R&D, marketing/sales, and IT teams. It can thus alleviate the “shoot the messenger” response that often characterizes IT communications with other business areas, especially when the news is unwelcome. Bridging this information gap facilitates better teamwork for investigation and resolution. In addition to its utility as an investigative tool, Intelligent ID also helps ensure compliance with HR policies by promoting staff training and awareness, equally and consistently applied enforcement, and organizational protection against wrongful termination lawsuits. A recent issue of HR Magazine recommends the well-coordinated and preemptive use of technology, policy, and training controls, including collection of electronically stored information as a “just in case” measure.22
Such coordinated controls covering removable media and mobile devices were not in place at the Florida Department of Juvenile Justice when a mobile device was stolen in January 2013, even though organizational policy governing such usage had been disseminated as early as November 2008. The information on the device, at least 100,000 records concerning youths and department employees, was not encrypted, and neither the device nor the files were password-protected, in violation of that policy. Sadly, three computers that also contained unprotected but sensitive Department information had been stolen from an Orlando apartment in September 2012. Intelligent ID customers such as the Ohio Department of Developmental Disabilities (DODD) reduce their exposure to incidents of this kind, which stem from lax policy enforcement and user training. DODD chose to strengthen its data leakage prevention by using Intelligent ID features such as monitoring removable media, blocking unauthorized copies to USB drives, and encrypting files deemed sensitive before they are copied to removable media.
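The two capabilities this paper keeps returning to, correlating events from dispersed sensors into a picture of where data is going (the situational-awareness point made earlier) and enforcing a removable-media policy of the kind DODD adopted (blocking unauthorized USB copies, allowing sensitive files onto encrypted media only), can be sketched together in one short script. What follows is an added illustration, not Intelligent ID’s code or DODD’s configuration. It reads a handful of constructed endpoint-agent events (the event format, hostnames, user names, device serials, and share paths are all assumed), joins each USB mount event to the file copies that follow it on the same host so that every copy is attributed to a device serial and a user, and then applies an assumed rule: files from shares classified as sensitive may leave only on an approved hardware-encrypted device, and off-hours activity is noted in the finding. A real agent would hook the copy before it completes; here the same decision is made after the fact over the log, which is also how an analyst would backfill detection for endpoints the policy did not yet cover.

```python
"""Correlate endpoint events into removable-media DLP findings.

Added example (not Intelligent ID's code). Everything below, from the log
format to the classification map, is an assumption made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed endpoint-agent events: "timestamp key=value ...". The hosts,
# users, device serials and paths are invented for this example.
SAMPLE_EVENTS = [
    r"2013-03-12T22:41:07 host=ws-117 user=jdoe event=usb_mount dev=SN-8841A mount=E:",
    r"2013-03-12T22:42:15 host=ws-117 user=jdoe event=file_copy src=C:\Shares\HR\payroll_q1.xlsx dst=E:\payroll_q1.xlsx bytes=2310044",
    r"2013-03-12T22:42:20 host=ws-117 user=jdoe event=file_copy src=C:\Users\jdoe\notes.txt dst=E:\notes.txt bytes=1022",
    r"2013-03-12T09:03:11 host=ws-042 user=msmith event=usb_mount dev=SN-CORP01 mount=D:",
    r"2013-03-12T09:05:40 host=ws-042 user=msmith event=file_copy src=C:\Shares\RD\design_v3.pdf dst=D:\design_v3.pdf bytes=8816552",
    r"2013-03-12T10:10:00 host=ws-042 user=msmith event=file_copy src=C:\Shares\RD\design_v3.pdf dst=\\fileserver\backup\design_v3.pdf bytes=8816552",
]

# Assumed data classification: shares whose contents are deemed sensitive.
SENSITIVE_PREFIXES = ("c:\\shares\\hr\\", "c:\\shares\\rd\\")
# Assumed inventory of corporate-issued, hardware-encrypted USB devices.
APPROVED_ENCRYPTED_DEVICES = {"SN-CORP01"}
# Assumed policy window; copies outside it are noted in the finding.
BUSINESS_HOURS = range(7, 19)


@dataclass
class Finding:
    decision: str      # "block" or "allow-encrypted-device"
    user: str
    host: str
    src: str
    device: str
    reasons: tuple


def parse_event(line):
    """Split 'ts key=value ...' into a dict; 'ts' becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(tok.split("=", 1) for tok in rest.split(" "))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields


def is_sensitive(path):
    """Classification by location: anything under a sensitive share."""
    return path.lower().startswith(SENSITIVE_PREFIXES)


def policy_decision(src, device):
    """Removable-media rule: sensitive data leaves only on approved encrypted media."""
    if not is_sensitive(src):
        return "allow"
    if device in APPROVED_ENCRYPTED_DEVICES:
        return "allow-encrypted-device"
    return "block"


def correlate(lines):
    """Join usb_mount and file_copy events per host so each copy onto removable
    media is attributed to a device serial and a user, then apply the policy.
    Copies to anything not mounted as a USB device (e.g. a network share) are
    out of scope for this rule and are skipped."""
    mounts = {}        # (host, drive letter) -> device serial
    findings = []
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        key = (ev["host"], ev.get("mount") or ev.get("dst", "")[:2])
        if ev["event"] == "usb_mount":
            mounts[key] = ev["dev"]
            continue
        if ev["event"] != "file_copy" or key not in mounts:
            continue
        device = mounts[key]
        decision = policy_decision(ev["src"], device)
        if decision == "allow":
            continue   # non-sensitive data; nothing worth recording
        reasons = []
        if decision == "block":
            reasons.append("sensitive data to unapproved device")
        if ev["ts"].hour not in BUSINESS_HOURS:
            reasons.append("outside business hours")
        findings.append(Finding(decision, ev["user"], ev["host"],
                                ev["src"], device, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f.decision:<24} {f.user}@{f.host} {f.src} -> {f.device} "
              f"{'; '.join(f.reasons)}")
```

Run as a script, it reports one finding per sensitive copy to removable media: the audited copy onto the approved encrypted device, and the blocked off-hours copy of payroll data onto an unknown stick. The copy to the network share produces nothing because this rule is scoped to removable media; a network DLP rule would cover that channel separately, which is the point of listing source, channel, and data state as distinct dimensions above.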
Given the increasing number of data leakage reports, the rising cost of responding to such incidents, and significant evidence of incidents going underreported or unacknowledged, it is reasonable for companies to invest in electronic tools to aid in monitoring, detection, containment, investigation, and response. “Electronic discovery response planning is not just a matter of gathering responsive information but of working in advance to control what information is created and how it is stored. Electronic discovery best practices begin with making data management a part of daily business operations.”23 Intelligent ID’s monitoring capabilities are ideally suited to address these coverage areas. In addition, Intelligent ID is not an “IT Staff Eyes Only” tool. A scalable and customizable tool, it delivers easily comprehensible alerts and reports to the desktop of those who need to know, whether from IT, HR, R&D, accounting, or any other business area. Intelligent ID assembles and correlates the numerous data points needed to attain comprehensive informational situational awareness: to prevent defined data extrusion, intercept questionable activity, and consolidate digital evidence, protecting the organization against “death by a thousand cuts.”
1 Privacy Rights Clearinghouse, Data Breaches: A Year in Review (December 16, 2011). Retrieved from https://www.privacyrights.
2 Gonsalves, Antone, U.S. urged to take comprehensive action on Chinese cyberespionage (February 22, 2013). Retrieved from http://www.cio.com/article/729347/U.S._Urged_to_Take_Comprehensive_Action_on_Chinese_
3 Lambert, Patrick, What the Mandiant report reveals about the future of cyber espionage (February 25, 2013). Retrieved from http://www.techrepublic.com/blog/security/what-the-mandiant-report-reveals-about-the-future-of-cyberespionage/
4 Sumagaysay, Levi, (In)security: Evernote hacked, corporate data in the age of BYOD, banks as targets (March 5, 2013). Retrieved from http://bl169w.blu169.mail.live.com/default.aspx#n=125776487&fid=1&fav=1&mid=62e72741-8501-
5 The report analyzed the characteristics of 855 incidents that the partner organizations investigated in 2011. Thus, it reports on a subset of data breach incidents annually.
6 2012 Data Breach Investigations Report. Retrieved from http://www.verizonbusiness.com/resources/reports/rp_databreach-
7 Emigh, Jacqueline, RSA: Five Top Internet Security Threats in 2012 (March 6, 2012). Retrieved from http://www.
8 Deloitte & Touche, Blurring the Lines: 2013 TMT Global Security Study (January 2013). Retrieved from http://www.deloitte.
9 Deloitte & Touche, Raising the Bar: 2011 TMT Global Security Study—Key Findings (2011).
10 DataLossDB statistics. Retrieved from http://datalossdb.org/statistics on January 10, 2012.
11 Ponemon Institute, Perceptions about Network Security (June 2011).
12 Ponemon Institute, Global Study on Mobility Risks (February 2012). Sponsored by Websense.
13 Ponemon Institute, 2012 Cost of Cyber Crime Study: United States (October 2012), p. 23. Sponsored by HP Enterprise
14 The study participants estimated the remaining external cost factors for 2012 as follows: business disruption, 30%; revenue loss, 19%; equipment damages, 5% (down from 13% in 20102); and other costs, 2%. (Ponemon, 2012b, p. 14)
15 National Crime Prevention Council, Intellectual property theft: Get real. Retrieved from http://www.ncpc.org/topics/
16 Alperovitch, D. (August 2011). Revealed: Operation Shady RAT. Retrieved March 1, 2012, from www.mcafee.com/us/
17 McAfee Foundstone® Professional Services and McAfee Labs (February 2011). Global Energy Cyberattacks: “Night Dragon,” p. 19.
18 Alperovitch, p. 2.
19 LockLizard, Intellectual property theft (n.d.). Retrieved from http://www.locklizard.com/intellectual_property_theft.htm
20 Nairn, Geoff, Your Wall Has Ears (October 18, 2011). Wall Street Journal Online. Retrieved from http://www.online.wsj.com/article/SB10001424052970204226204576600531532461052.html#printMode
21 Ponemon Institute (October 2012), p. 17.
22 Jackson, Graham, Managing the risk of intellectual property theft in a highly connected business (July 25, 2012). HR Magazine Online. Retrieved from http://www.hrmagazine.co.uk/hro/features/1073968/managing-risk-intellectualproperty-
23 LexisNexis®, Electronic discovery best practices. Retrieved from http://www.lexisnexis.com/applieddiscovery/lawlibrary/