Data Breach , Risk Management

The WikiLeaks release of 19,252 emails stolen by hackers from the Democratic National Committee's computer systems has lurched the party into crisis, showing just how deep an impact data breaches can have on an organization. A look at the emails gives insight into the organization's cybersecurity practices, as well its view of the threat landscape.

See Also: Vulnerability Management with Analytics and Intelligence

A hacker going by the nickname Guccifer 2.0 claimed to have stolen the emails and other material from the DNC's network (see Lone Hacker Claims to Have Breached DNC). But prior to his claim, the DNC's appointed cyber forensics firm, CrowdStrike, said two Russian hacking groups had access to the DNC's network for more than a year, through early June (see Report: Russia's 'Best' Hackers Access DNC's Trump Research).

Guccifer 2.0 published some of the stolen material on a WordPress site, and he said he'd passed it to WikiLeaks.

Hillary Clinton's campaign has charged that the information was released by Russia to cause discord in the Democratic Party, boosting Republican Donald Trump's electoral position, according to the Washington Post. It's unclear if Guccifer 2.0 was working with one of the Russian groups or represents a third intruder in the DNC's network.

The emails, some of which are alleged to show bias against candidate Bernie Sanders by committee officials, have already caused the resignation of Debbie Wasserman Schultz, the DNC's chairwoman, and more turmoil may be coming ahead of the party's convention, set to start July 25 in Philadelphia (see Analyzing Clinton's Positions on Cybersecurity, Privacy).

'We've Been Hacked! But It's OK'

WikiLeaks has made the correspondence of seven top DNC officials searchable by keywords. A search by Information Security Media Group finds many examples of personally identifiable information leaked, plus other emails that indicate a lack of basic knowledge about information security practices.

An attachment to one email contained a PDF of a letter from the IRS to a top DNC official notifying him of an overdue tax penalty. The notice includes the official's full Social Security number.

In another example, the DNC reminded participants scheduled to attend a June fundraising dinner with President Barack Obama that the Secret Service needed personal information ahead of the event. Participants were asked to send their full names, birth dates, occupations and current employers, addresses and Social Security numbers.

Many people replied by email. Ironically, recipients were advised by the DNC that they could supply their details over the phone if they "do not feel comfortable putting all of this information in an email."

Another email shows a general disregard for password security. It involves Factivists.democrats.org, a blog funded by the DNC that's designed to refute false campaign claims. Rachel Palermo, a press assistant with the DNC, sent an email on April 29 warning that Factivists had been hacked.

"We have been compromised!," she writes. "But it's all ok. Here is our new password: 'HHQTevgHQ@z&8b6'. It will now change every few weeks to prevent future issues. So as it is re-set, I will forward it along."

The DNC would get points for creating a strong, complex password. But a strong password is useless when it's sent to email accounts that have been compromised. Palermo sent the email to "This email address is being protected from spambots. You need JavaScript enabled to view it.," a group email address.

What's Wrong with USB Drives?

Other emails provide clues to how the DNC viewed cybersecurity. The organization's deputy communications director, Eric Walker, sent an email on May 5 to another group email address for the organization's press unit.

The email - subject line: "The dumbest thing I've ever read" - included the headline of a Buzzfeed story, "These Experts Think The DNC And RNC Are Both Horrible At Cybersecurity." Cybersecurity experts criticized the Democratic and Republican National Committees for giving out USB drives at events.

Walker disparaged the story. "The thesis: we hand out thumb drives at events, which could infect the reporters/attendees' computers," he writes. "So that means that we're bad at cybersecurity. Okay."

In fact, handing out USB drives is a terrible idea, especially in retrospect for the DNC. One Russian group nickname Cozy Bear was apprently inside the DNC's network since mid-2015, according to CrowdStrike, which believes that Cozy Bear may be linked to the FSB, Russia's state security service.

CrowdStrike says the other group in the DNC's network, called Fancy Bear, gained access in April and focused on collecting the DNC's research on its opposition, including Donald Trump. By rooting around in the DNC's network, either group would have likely been able to learn if the DNC was loading USB drives for events and possibly try to corrupt the process by implanting malware.

If successful, that kind of attack could have allowed the hackers to diversify their range of compromised targets with minimal effort.

A variation of such an attack has been publicly described before. Kaspersky Lab discovered that CDs mailed to attendees of scientific conference in Houston containing conference material also contained two zero-day exploits and a rare type of malware back door. The plot came from the so-called Equation Group, a suspected NSA project.

Fraud , Payments Fraud

An investigative report from Reuters paints a disturbing picture of the Federal Reserve Bank of New York using antiquated security practices to handle interbank SWIFT payments. The report follows the February heist of $81 million heist from the central bank of Bangladesh's account at the New York Fed, via fraudulent SWIFT messages (see SWIFT Deduction: Assume You've Been Hacked ).

See Also: Achieving Advanced Threat Resilience: Best Practices for Protection, Detection and Correction

Brussels-based, bank-owned cooperative SWIFT, formally known as the Society for Worldwide Interbank Financial Telecommunication, maintains a messaging systems designed to guarantee that money-moving messages between banks are authentic. Some security experts believe the Fed relies too heavily on other institutions and organizations, such as SWIFT, to authenticate and verify interbank payments. But is it the Fed's responsibility to ensure the validity of interbank transactions it doesn't initiate?

No, says Avivah Litan, an analyst at consultancy Gartner.

"The liability is with the originating bank," she says. "So Bangladesh Bank should review its contract with SWIFT. If it plans to sue, I don't see the bank having a case."

But many experts say that U.S. banks have not paid enough attention to interbank transaction security. Some also argue that the Fed, in particular, needs to improve its related risk-management efforts.

Lessons from Account Takeovers of the Past

SWIFT is the interbank messaging system of choice for many banking institutions throughout the world to send back-end payment instructions to each other. Litan says most recipient banks don't re-authenticate or verify SWIFT transactions after they get received from the originating bank.

"There are a couple of recipient banks I know of that are now putting controls in, and then the originators are trying to strengthen their security, too," Litan says.

Litan likens the recent rash of fraudulent SWIFT payments - after attackers infected Bangladesh Bank and at least several other banks with malware - to the rash of corporate account takeover incidents that plagued small businesses seven to 10 years ago. Then, millions of dollars were fraudulently wired out of commercial accounts after online-banking login credentials were compromised via malware, such as Zeus, that included keylogging capabilities (see Banks, Regulators React to SWIFT Hack).

Those account takeover incidents spurred the Federal Financial Institutions Examination Council to update its authentication guidance for online payments and wire transfer verification, leading to stronger controls being put in place. Of course, the FFIEC could also issue new guidance in the wake of the SWIFT-enabled heists.

Heading to Courts

Related court cases may also set new precedents. Litan expects that heists linked to fraudulent SWIFT transactions will increase, thus leading to more cases involving banks going to court to attempt to recover funds from receiving banks or seeking related compensation. As the number of cases involving SWIFT and some of more of its 11,000 member banks increases, she predicts that the same types of legal arguments that cropped up in court in the wake of corporate account takeover cases will reappear.

Such cases often hinge on a seemingly simple question: "Is the security reasonable?" Litan asks. But in the Bangladesh Bank case at least, "based on the contracts, SWIFT and the Fed didn't do anything wrong," she says. "They may have been negligent. But what is the standard they're held by?"

Bank-to-Bank Security Boost Required

Cybersecurity attorney Chris Pierson, general counsel and CISO at invoicing and payments provider Viewpost, says U.S. banks have focused much more attention on ensuring the security of customer-to-bank payments rather than bank-to-bank payments.

"This needs to be re-examined," he says. "It is imperative for all banks to implement the same types of controls they have internally and externally with customers as they have between banks and the Fed."

But Al Pascual, head of fraud and security at Javelin Strategy & Research, says that relying on participating banks to prevent unauthorized transfers - given the many information security risks and attacks those banks face - is no longer a viable strategy. "This isn't lost on the Fed, and I'd expect them to implement more effective risk-management protocols throughout the system," he says. "Every point in the system is connected, and all of it will be tested."

The Fed has already taken some steps to mitigate immediate risks, such as implementing a 24/7 hotline for central bank customers to contact if they suspect fraud. That's notable because when $81 million was stolen from the central bank of Bangladesh via a fraudulent SWIFT payment in February, the Fed's hotline was only open during U.S. business hours from Monday through Friday, Reuters reports, and when Bangladesh Bank tried to report suspicious activity to the Fed on a Saturday, it received no response until two days later, after business had resumed on Monday. By that point, the Fed had already approved five of the fraudulent requests, transferring $101 million out of Bangladesh Bank's account. While $20 million was quickly recovered, most of the rest of the money remains missing.

Additional Regulatory Action Possible

As with the historical flurry of account-takeover cases, SWIFT-enabled heists could also lead to closer regulatory scrutiny of public and private banks, for example via the Uniform Commercial Code, Litan says (see Will SWIFT-Related Heists Trigger More Regulatory Oversight?).

"Article 4A of the UCC was the basis in the courts in the account takeover cases," she says (see A New Legal Perspective on ACH Fraud ). "I'm not sure if 4A applies here, but the situations are very similar."

Article 4A, which all 50 states have adopted, is an attempt to allocate risk between banks and their commercial customers when electronic fraud occurs (see Reasonable Security: Changing the Rules).

Article 4A was created in the 1980s to offer fraud protection to commercial customers. But in account takeover suits, banks used Article 4A to support claims that the security measures they offered were reasonable, even when accounts did get taken over and fraud resulted.

Litan says that a standard or code similar to 4A, which outlines expectations for "reasonable security," could soon be applied to compromised SWIFT transactions. Indeed, if originating banks such as Bangladesh Bank start filing related lawsuits in U.S. court, Litan says she wouldn't be surprised to see Article 4A - the standard used to determine responsibility for fraud in account takeover cases - soon being applied as well to SWIFT transactions.

Seeking SWIFT Help

Litan says SWIFT should also be doing more to help its member banks block future heists or at least better contain any related fallout (see SWIFT Promises Security Overhaul, Fraud Detection).

"I do think SWIFT needs to put some security measures in place to provide to its member banks to help banks that don't have time to do this on their own," she says. "And the receiving banks should do more. These large financial institutions have not had any fraud detection against SWIFT payments because they never needed to. Many are reluctant to put much in, because these are transactions that move almost in real time. There is big urgency to get the money moved, and the more fraud controls you put in place, the more you slow the transactions down."

Cybersecurity , Encryption , Mobility

As Democrats gather in Philadelphia this week to nominate Hillary Clinton for president, it's a good time to look at the positions Clinton and the Democratic Party offer on cybersecurity and online privacy.

See Also: How to Illuminate Data Risk to Avoid Financial Shocks

The convention kicks off with an untimely leak, for Democrats, of nearly 20,000 emails, including some showing an alleged bias by top party officials against Clinton's primary challenger, Sen. Bernie Sanders (see Leaked DNC Emails Show Lax Cybersecurity).

Last week, I looked at the Republican platform, which took a hard line against Chinese and Russian hackers (see A Look at GOP Cybersecurity Platform). The GOP platform also seems to advocate using hack back - a form of online retaliation - as a way for enterprises to defend themselves (see GOP Platform Suggests 'Hack Back' a Suitable Cyber Defense).

The Democratic Party platform doesn't offer anything as daring as hack back. It promises to protect industry, infrastructure and government from cyberattacks as well as to seek to establish global norms in cyberspace and impose consequences on those who violate the rules. All this would be accomplished, the platform contends, while protecting American citizens' privacy and civil liberties.

"We will protect the privacy and civil liberties of the American people - standing firm against the type of warrantless surveillance of American citizens that flourished during the Bush administration," the platform states. "We support recent reforms to government bulk data collection programs so the government is not collecting and holding millions of files on innocent Americans."

The platform's position on cybersecurity and privacy parallel those found on the Clinton campaign website; Trump's campaign website is virtually silent on cybersecurity and online privacy matters.

"Overall, [Clinton's] published plans go further than the plans I've seen from other politicians for privacy and information security," says Rebecca Herold, a privacy expert who goes by the moniker the Privacy Professor. "Of course, there is still more that could be done. However, I was pleasantly surprised to see the breadth of topics she covered within it, and the stated goals for privacy and security."

Clinton's website says she "rejects the false choice between privacy interests and keeping America safe."

Encryption Bypass Dilemma

Though the Clinton campaign website and party platform itemize a number of positions, merely stating them doesn't necessarily mean the candidate and party offer detailed solutions (platforms rarely go into detail).

Take, for instance, Clinton's stand on whether law enforcement should be able to bypass security safeguards such as encryption to access data on suspected criminals smartphones. Clinton says she understands law enforcement's need to collect evidence from devices of suspected criminals. At the same time, she sees the benefits of encryption to ensure the privacy of individuals. "This is one of the most difficult dilemma's we're faced with," Clinton said at a town hall meeting earlier this years (see Presidential Candidates All But Ignore Cybersecurity). "I see both sides, and I think most citizens see both sides."

Clinton's solution, according to her website: Bring the public safety community and technology companies together to find a way to address the needs of law enforcement while protecting Americans' privacy and security to use technology. She supports a legislative proposal by Sen. Mark Warner, D-Va., and Rep. Michael McCaul, R-Texas, to establish such a commission (see House Committee Seeks Crypto Calm).

A Copout?

An overwhelming number of cybersecurity and encryption experts see creating an encryption bypass as a black-and-white issue, contending it's impossible to make exceptions for law enforcement to bypass safeguards without permitting others to do the same. "You can't have a world where the good guys can spy and the bad guys can't," says cryptographer Bruce Schneier (see Experts Blast Encryption 'Backdoor' Plan). "All we can get is where everyone can spy or nobody can spy."

Is Clinton's stand calling for a commission a copout? It seems to be a political stand, not one based on facts as described by Schneier and others.

"The stand of the U.S. president matters greatly," says Herold, who sees circumventing encryption as weakening individuals' privacy. "The leaders and citizens of other countries take notice. ... Encryption is not an enemy of homeland security, but instead a tool that is vital for protecting personal data from the exponentially increasing occurrences of privacy breaches."

Prioritizing Multifactor Authentication

The former secretary of state says, as president, she would prioritize the enforcement of well-known cybersecurity standards, such as multifactor authentication, as well as the mitigation of risks from known vulnerabilities. Clinton says she'd encourage government agencies to consider innovative tools, such as bug bounty programs. And, she says, she'd bolster the government's ability to test its own defenses by increasing the capacity of elite, cleared government red teams to help agencies find and fix vulnerabilities before hackers exploit them.

Martin Libicki, a cybersecurity scholar at the think tank Rand Corp., assesses Clinton's cybersecurity beliefs: "Multifactor authentication is important, but it only addresses one vector of attacks; it doesn't do much for attacks that insert malware into computers because someone has, as they inevitably do, despite training, opened a document or visited a web page. Bug bounties are really cost-effective, but that's largely because they are very inexpensive. Red teams are a better idea if agencies are funded to fix the problems such red teams encounter and assuming that the threat model used by the red teams conforms to the true threat model."

Affirming Strong Consumer Protections

Noting the rise of big data and the Internet of Things that will yield "transformative benefits to people" as well as raise important questions about privacy, Clinton's campaign site says her approach to privacy "will affirm strong consumer protection values through effective regulatory enforcement in an adaptive manner, encouraging high standards in industry without stifling innovation." But the statement doesn't provide details on what is effective regulatory enforcement in an adaptive manner or how to do so without stifling innovation.

Clinton's website says she supports expanded investment in cybersecurity technologies, as well as public-private collaboration on cybersecurity innovation, responsible information sharing on cyberthreats and accelerated adoption of best practices such as the National Institute of Standards and Technology cybersecurity framework. To ensure a coherent strategy across federal agencies, the campaign site says she'd build on the Obama administration's Cybersecurity National Action Plan, especially the empowerment of a federal Chief Information Security Officer, the modernization of federal IT and upgrades to governmentwide cybersecurity (see Obama Creating Federal CISO Post).

"What I saw was anodyne: information sharing, strengthening federal cybersecurity, balancing privacy with law enforcement, etc.," Libicki says of the Clinton cybersecurity plan. "There's nothing on bolstering the security of private enterprises, notably, no regulation to that effect."

Silence on Email Server Ruckus

Absent from the website statement and the platform is any mention of Clinton's use of private email servers as secretary of state, which FBI Director James Comey and the State Department inspector general contend exposed classified information to hackers, though no proof exists that her computers were breached (see Debating Hillary's Email Server: The Missing Element).

Clinton's actions in that matter demonstrated, at the very least, her ignorance of common cybersecurity practices. Let's hope Clinton learned a valuable lesson about IT security from the email server fiasco.

Cybersecurity , Governance , Incident Response

Security experts disagree about whether a new presidential policy directive on how to coordinate response to a large-scale cyber incident is well-designed.

See Also: Rethinking Endpoint Security

While some say its far too complex to work, others say it reflects current practices.

Richard Stiennon, chief strategy officer at Blancco Technology Group, a provider of mobile device diagnostics, sees the directive as being "overly complicated" with "too many moving parts. It calls on many new and relatively unvetted components of the federal government to work together in a quick and efficient manner."

But Phil Reitinger, chief executive of the Global Cyber Alliance, doesn't see the complexity getting in the way of executing the directive. "I don't think it's a huge lift for implementation; I suspect this is the way the government already works," says Reitinger, a former DHS deputy undersecretary for cybersecurity and onetime chief information security officer at Sony. "I think it's more a likely description of the way things now generally work and ought to work as opposed to a notional thing to work toward."

Assign Roles to Agencies

The new directive, announced July 26, gives specific roles to the FBI, Department of Homeland Security and the Office of the Director of National Intelligence to coordinate three lines of effort: threat response, asset response and intelligence support activities.

In terror-related cyber incidents, the FBI will take the lead to coordinate the response to an immediate threat, the policy states. The Department of Homeland Security will lead what the directive calls "asset response," in which the department provides technical assistance to help victims find the adversary on their systems, protect their assets and bring systems back online. The ODNI will integrate intelligence and analysis about the threat and identify opportunities to mitigate and disrupt it.

"Our new policy acknowledges that when businesses and federal agencies are the victim of or experience a significant cyber incident, one of the most important considerations is likely to be restoring operations and getting back online," Lisa Monaco, assistant to the president for homeland security and terrorism, told a cybersecurity conference on July 26, the day the White House issued the directive (see New White House Policy Defines Coordination of Cyber Response). "Our policy makes clear that we will coordinate with the victim to minimize any interference between their incident response and our own."

Homeland Security Secretary Jeh Johnson says the directive is another crucial step to improve national cybersecurity. "It not only clarifies the roles of the various government actors involved in cybersecurity, it re-enforces the reality that cybersecurity must be a partnership between the government and the private sector, and among the law enforcement, homeland security and intelligence components of the government."

Developing a Partnership

Although the administration promotes the idea of a government-private sector partnership, one industry leader contends the White House did little to get industry ideas in developing the new policy.

Larry Clinton, chief executive of the Internet Security Alliance, says he's delighted to see the government move to clarify its role and responsibilities regarding cyber events. "However, defining these roles and responsibilities on a government-only basis, as this appears to have done, is bad policy making and counter to the administration's own oft stated views on the need for government to work with the private sector," he says. "As far as I can tell, there has been little or no private sector involvement in the development of this new system.

"Every Cyber Storm [joint cyber exercises with industry and government] action report has stressed the need to increase coordination between the public and private sectors. This program seems to move in the opposite direction."

Elevating DHS Agency

Sam Visner, senior vice president for cybersecurity at the professional services firm ICF International, says the directive could be strengthened if the National Protection and Program Directorate at DHS, which is charged with overseeing asset response of the new policy, is elevated to an agency, on par with Immigration and Custom Enforcement, the Federal Emergency Management Agency and the Transportation Security Administration.

Legislation to do just that has passed a House committee, but must be approved by the full House, Senate and signed by the president to become law. Visner says he believes that could be done in the lame-duck session of Congress that will follow the November presidential election.

"This is a huge, powerful mission - cyber and infrastructure protection - and it would be stronger, it would compel more cooperation and support governmentwide if it had enhanced status, which giving it agency status would do," Visner says.

What Will Next President Do?

With only five months remaining in the Obama administration, the next president could rescind the directive. "How will the cumbersome series of Obama administration presidential policy directive fare after Jan. 20, 2017, when a new administration takes office?" Stiennon asks.

Stiennon says he suspects a Clinton administration would retain much of the same personnel and organization; a Trump administration would likely start from scratch. "Time will tell," he says.