Why Kill Chains Are Hitting the Boardroom
WHY YOU SHOULD CARE
Because none of our personal data will be safe until corporate boards of directors get the message.
By Steven Butler
The tech guys know exactly how it’s done, and they’ve even coined a cool name for it: the cyber attack kill chain. In fact, it could be the last (almost) plain-English description you’ll find in this murky world of cybersecurity. It starts with “recon” — sussing out personal info on a target employee — which is used for a custom-made “lure,” before eventually leading to a seventh and final stage of “data theft.” The remedies? Welcome to an alphabet soup of TICAPs (threat intelligence consolidation and analysis platforms) and CRITs (collaborative research into threats), not to mention SIEM (security information and event management).
No wonder company executives and board members would rather talk about stuff like product development or sales strategy. “How does a board member get engaged when they have no understanding of tech?” asks John Reed Stark, a consultant who previously ran the Securities and Exchange Commission’s Office of Internet Enforcement.
Well, they may have no choice but to face up to the biggest underestimated challenge facing corporate boards everywhere. Cyberattacks are increasing in frequency and getting costlier, escalating to an average of $6.53 million per incident once cleanup costs and lost business of this sometimes existential threat are factored in. Yet the message isn’t quite getting through to the people ultimately responsible — and sometime legally liable — for the health and safety of a company. One survey from the research firm Ponemon found a huge gap in perceptions between IT staff and board members, with board members ignorant of the technology and the scary level of potential losses. “I’m often pretty amazed at how little a typical board of directors understands about cybersecurity response,” says Stark.
Those days when the antidote featured anti-virus software and firewalls are long gone.
Perhaps it’s understandable. After all, who but a tech whiz can really grasp this stuff? “If I go to upper management and say we’re out of disk space, they get it,” says Victor Bonic, a Web app specialist at security provider Trustwave. But beyond that, the conversations can get difficult. Plus, those days when the antidote featured anti-virus software and firewalls are long gone. At the same time, the problem is only growing more widespread as risk points proliferate due to mobile devices, cloud storage, telecommuting and network access readily given to partners and vendors. All that’s needed is one failed software update, or a compromised password. “If you have someone who is determined, they will find it,” says Charisse Castagnoli, a strategist at security vendor Websense.
Of course, these cat-and-mouse dynamics have also created a business opportunity for the likes of Stark and Websense, both of which have penned papers outlining steps boards should take to get their houses in order. (In short: Protection will cost money.) Meanwhile, Cambridge, Massachusetts–based BitSight is growing quickly on the back of a scoring system that monitors and rates 28,000 companies on security standards much the way a credit rating agency looks at potential borrowers. It does this mainly by sniffing out Web traffic that pinpoints poor security practices — things like communicating with malicious sites or misconfigured security certificates. In just over a year, the company has garnered 150 clients, including insurance giants ACE and AIG, and some boards are using it to monitor their own companies, says Tom Turner, BitSight’s executive vice president of sales and marketing.
For some boards, it has struck home that cybersecurity is an ordinary risk-management issue, on par with proper accounting and protecting against employee fraud. The wake-up call? Many companies cite the huge hack of retailer Target, which has said 40 million credit and debit card accounts of its customers may have been accessed without authorization, plus 70 million customer details such as names, mailing addresses and phone numbers. Whatever the reason, attendance at the annual RSA security conference has ballooned from fewer than 60 companies in 2009 to more than 500 this year.
But the ugly truth is that the biggest threat to a company is its own employees. Upa Hazarika, senior director of marketing and strategy for cloud security provider Palerra, points out that 90 percent of successful hack attacks can be traced back to stolen passwords, often captured by simple tricks, like leading a person to a fake website. Privileged users — those with administrative credentials — are “the most dangerous insiders,” says Hazarika. As a result, companies like Palerra and Websense are automating the detection of behavioral anomalies among staffers, such as those who log on at odd hours, send strange files or check in from weird places around the globe.
Sure, all of this will cost money — but that’s probably better than the alternative. Last year, background-checker U.S. Investigations Services lost more than $2.5 billion in government contracts after its website was hacked, eventually forcing its parent company, Altegrity, into Chapter 11 bankruptcy proceedings. A company representative says Altegrity has since emerged from Chapter 11.