Thursday, July 9, 2015

NYSE, & United Grounded; Information Security Stocks Take Off

NYSE, & United Grounded; Information Security Stocks Take Off

Technology blunders grounded or delayed over 800 flights, halted trading on the New York Stock Exchange (NYSE), and brought down the Wall Street Journal’s website all in the span of a few hours during the morning of Wednesday, July 8th, 2015.  The small window during which these three companies were impacted led many (including personnel at the FBI and Homeland Security) to speculate that cyber-attacks may have been the culprit. 
As morning turned to late afternoon, Director Jeh Johnson of Homeland Security took the reassuring yet somewhat unusual step to publicly deny that any of the day’s events were caused by cyber-attacks.  With this denial came the implied, albeit unintended confirmation that these companies had been severely impacted by some inevitable combination of poor technology planning, implementation, and/or maintenance.  To illustrate, the outage at the Wall Street Journal was conceivably due to an overload of people seeking more information on the NYSE outage.  Separately, United (the second-largest US airline) later admitted that a “network connectivity issue” impacted their systems.  Lastly, the NYSE outage was said by an internal spokesperson to be caused by a “configuration issue”.

Just a Bad Day in the Server Room

Days like “United/NYSE/WSJ Wednesday” remind us that while burgeoning cybersecurity threats and cyber attacks have been keeping Chief Information Security Officers (CISOs) up at night, companies and their Chief Information Officers (CIOs) still have other pain points to worry about.  Not all technology issues are caused by external, evil actors.  Sometimes, the root cause for really expensive days like this can be linked back to old-fashioned bad decisions in the server room.
While none of the day’s big three outages seem to have been caused by a cyber attack, news of the day was rife with speculation to the contrary.  Key stocks in the cyber security sector were undoubtedly thankful for the gains on a day when the DOW Jones industrial average dropped over 260 points by the closing bell.   These gains highlight how even the perception of a hacking attack can benefit cybersecurity technology companies - and instill fear in companies that (probably should) contract their services, buy their software, or train for their proper implementation. 
Information security specialists have long deplored that many companies do not take cyber security seriously until they themselves have been breached.  Target learned a valuable lesson in 2013 with a much-publicized breach that is projected to have cost the company nearly $200 million dollars.  This case was clearly an awareness ‘tipping point’ felt across all IT departments worldwide - Gartner Group predicts global IT security spending to reach $76.9 billion in 2015 (up 17% from 2013 levels). 
80% of outages impacting mission-critical services will be caused by people and process issues
Hopefully "United/NYSE/WSJ Wednesday" will keep companies focused on the more mundane "blocking and tackling" functions critical to network and application uptime.  A recent Gartner study projected that through this year, 80% of outages impacting mission-critical services will be caused by people and process issues, and more than 50% of those outages will be caused by change/configuration/release integration and hand-off issues.
Many of the most significant risks to an enterprise are also the most routine:
  • lack of management buy-in or poor funds allocation
  • insufficient training and retraining
  • mismanagement of system and application upgrades
  • inadequate documentation
  • poorly designed applications
  • inadequate testing
  • lack of redundancy in the architecture and infrastructure
While the threat of cyber attacks is more prevalent than ever, most organizations don’t need to be attacked by from external parties - they can implode from the inside and from the most insipid causes.
At Training Camp, our outcome-based information technology management and information security "boot camp" courses will prepare managers and practitioners alike to safeguard against internal and external threats.  Our most popular courses include:

Information Security

Information Technology Management

Information Technology Practitioner

Thursday, June 18, 2015

Hack Me Out To The Ballgame. Cyber Attacks a Game Changer.

There is little question that cyber security is more important than people ever imagined it would be. Just a few short years ago, having up-to-date firewalls and anti-virus software was considered more than enough protection for most companies and organizations. Today, however, C-Level Executives are faced with a new, more simplified information security-focused raison d'etre: "Keep us out of the news."
A recent report indicates that cyber-attacks increased by 48% in 2014 alone, and that number has rapidly increased through 2015. In addition, almost every major company (whether in retail, sports, entertainment or even the Federal government) has faced at least one cyber-attack in their past; if successful, those cyber-attacks yield damages in the millions to billions of dollars, as well as create public relations nightmares.  

Hack me out to the Ballgame

The most recent negative headlines involve America’s Pastime. The St. Louis Cardinals, with the best record in baseball this year and a perennial playoff contender, are under investigation by the FBI and Justice Department for hacking into the Houston Astros database (called Ground Control) to garner closely guarded information about the inner workings of the Astros front office, and specifically General Manager Jeffrey Luhnow.
The biggest question is: why would one of the most successful franchises over the past 20 years want to steal information from one of the worst teams over the past 10 years? The answer is Luhnow. He did not come from a baseball background when he joined the Cardinals back in 2003, but his use of analytics in drafting ballplayers figured prominently in the sustained excellence of the organization. After moving to the Astros in 2011, Luhnow built Ground Control to help revamp that struggling franchise. It was from Ground Control that information began to spill out for 10 months until June 2014 when the FBI was called in. While it is still an ongoing story, rumors swirl that the hackers were able to infiltrate by using passwords from the system Luhnow had used in St. Louis, and that the hack was not as much a theft of baseball operations data as it was more of a character assassination attempt on Luhnow.
The Cardinals officials who orchestrated the hack will certainly be prosecuted by the Justice Department, and the team itself will have fines levied and lose draft picks; never mind the public relations hit they will take being branded as cheaters. According to Luhnow, Ground Control’s security has been upgraded. Better training in security, including a greater password creation methodology, might have made this hack a big whiff.

Caveat Emptor

As the 2013 holiday shopping season began in late November, hackers installed malware on Target's Point of Sale (POS) registers that was designed to capture customer contact and credit card information used at their almost 2,000 retail store locations. By December 15th, Target confirmed the data breach had resulted in over 70 million stolen customers information (including name, address, email, phone, etc.) as well as 40 million compromised customer credit and debit cards.
Three days later, CEO Gregg Steinhafel sent the following letter detailing the breach to their customers:
In the weeks that followed, Target, once associated with "quality for less" and praised by Forbes in 2010 for "getting the simple things right (and a lot more)", incurred a constant and sustained barrage of media coverage that resulted in a public relations disaster that brought about a 46% drop in quarterly year over year profits.
On March 4th, Steinhafel, in an effort to restore the company's reputation among wary shoppers concerned about the security of their personal data, announced the resignation of CIO Beth Jacob.  By May 5th, Steinhafel himself was gone, having been forced to resign his positions as President, CEO and Chairman of the Board of Directors.
Steinhafel's ouster demonstrates that cyber-attacks and the damages they inflict place BOTH organizations and their executives (not just Chief Information and Chief Information Security Officers) at risk.
Ultimately, the Target breach was wholly avoidable, as a recent purchase of a $1.6 million dollar installation of FireEye (an advanced persistent threat anti-malware system) would have detected and deleted the malicious software. Unfortunately for Target, they had turned off the feature that would have stopped the attack. The great Target lesson is that company managers need to be armed with the knowledge required to understand the importance of preventing and combating cyber-attacks - as well as the requisite knowledge and training with which to contribute to security policy decision making. All C-Level Executives need to understand more in-depth technological concepts to collectively solve information-security challenges to ensure that their company does not fail both their consumers and shareholders.

"Angelina Jolie is a minimally-talented spoiled brat - between you and I"

While it is an unfortunate reality that there are new stories of cyber-attacks coming out all the time, perhaps the most embarrassing in recent memory is the Sony Pictures breach from late 2014. During that attack, (which had been going on for possibly a year prior to being found out) hackers were able to access everything from how much Sony was paying actors in their movies (and private email correspondence between Sony executives about what they really thought of certain actors, such as Angelina Jolie), the raw video footage of upcoming movies (including The Interview, which was originally supposed to be a holiday tent pole for Sony), and countless documents about internal business operations. While experts still aren't sure exactly how much the Sony breach will ultimately cost, estimates have already exceeded $100 million (and counting). However, perhaps even more important than the monetary cost (or at least as important) is the damage that Sony's reputation has suffered.
Perhaps the biggest loser from the breach was Sony Pictures co-chairwoman Amy Pascal. The release of her private emails gave intimate behind-the-scenes access of Sony Pictures day to day operations but the back and forth emails between her and other high profile Sony and Hollywood players her which derided not only actors, but also President Obama. These emails subsequently led to her stepping down from her co-chairwoman position in May.
Again, the ultimate cost to their reputation has yet to be determined, but it isn't difficult to envision actors and actresses that are reluctant to trust Sony with salary and other sensitive information, at least until Sony can prove that they have completely revamped their cyber security protocols. 

Even the Feds aren’t secure

Large for-profit corporations aren't the only entities at risk of cyber-attacks. Just in the past few days, it was announced that servers of the United States Federal Government (specifically the Office of Personnel Management) were hacked over a 5 month period, with as many as 14 million former and current civilian employees' Social Security numbers, birth dates, job assignments, training records, and benefit selection decisions being stolen.
According to an assistant inspector general (Michael Esser) of the Office of Personnel Management testifying before the House Committee on Oversight and Government Reform, the agency has persistently failed to meet basic computer security standards- as Katherine Archuleta, the head of the OPM faces congressional pressure to step down. Esser stated that many of the people hired to run the agency’s IT department had no computer experience, and that the agency itself did not discipline its employees after it failed several security audits. Archuletta, according to lawmakers, was told by the inspector general on multiple occasions to shut down the hacked system, but ignored those warnings, exposing the information. Committee Chairman Jason Chaffetz, R-Utah, said that the OPM’s security strategy was on par with leaving its doors and windows unlocked and trusting nothing would be stolen, and called on Archuletta to step down.
As a response to the OPM hack, Federal Chief Information Officer Tony Scott ordered government agencies to beef up their network security by launching the “Cybersecurity Sprint”, a 30 day program to implement better cyber security protocols. The fallout from this hack remains to be seen; will this information be used as leverage to force OPM employees to spy for foreign services? Will better training shore up our porous cybersecurity defenses? Will anyone’s head roll?

How industry is reacting to the new realities of cyber security compared to how they SHOULD be reacting

It should come as no surprise that the cyber security industry has started to grow rapidly as a result of these new realities. While the global cyber security industry is expected to grow to an impressive $106.32 billion in 2015, that number will shoot up to an estimated $170.21 billion within the next 5 or so years. 
The most important thing that companies and government entities should do is ensure that they have talented individuals working on their cyber security. This either means hiring and developing experts directly, or contracting the work out to a reputable IT company that has a proven track record of being ahead of the curve with regards to cyber security. 
It is also important for companies to secure critical company data on proven enterprise-grade platforms. While "cloud" platforms are a viable option, these platforms require even stronger assurances that data is secure (since a hacker breach can result in a complete loss of secured data). 
To stay ahead of rapidly evolving threats, companies, contractors, and government agencies alike must move aggressively to recruit, educate and train a cyber-workforce for the future, with the skills we need to tackle this problem in the years ahead.  Industry certification programs like (ISC)2's Certified Information Systems Security Professional (CISSP) provide both a path to skills competency and a means to evaluate proficiency in this increasingly visible field.
Christopher D. Porter is the Chief Executive Officer of Training Camp, Inc.  (  Training Camp (TC) is a leading provider of information technology and security training courses. Founded in 1999, TC has successfully trained nearly 100,000 certification candidates worldwide.