Trust: Better the devil(s) you know, than the devil(s) you don’t?

By Kevin Bailey, Head of Market Strategy. 

IT Business Edge recently posted their prophecy for 2014: ‘The year ahead will require even stronger risk management, with an increased focus on leveraging social media to drive situational awareness. Organizations will need to focus more of their efforts on continuous monitoring, also leveraging security and risk analytics based on IT and security ‘Big Data’.’ But, as HackSurfer commented, “Hmm. Using social media to drive situational awareness? Leveraging risk based on IT and security Big Data? If only there was one place all these businesses could go, a place that had "social media with a purpose," a place where people could "learn, share and collaborate" that was backed by big cybercrime data. Man, I bet a community like that could do some amazing things in 2014”.

But how long will it be before one or more of the three devils turns nirvana into a nightmare?

So when was the last day you can remember when the various communication channels of TV, radio, press and online did not carry a significant story about how someone, something or a group had lost or stolen some type of information? Whether we are talking about state-sponsored actors, hacktivist groups, opportunist thieves or negligent individuals, we are now surrounded by a world of security breaches that make traditional crimes look like stealing from the candy store.

[Image: Three devils]

So where do individuals begin to ensure that they trust, or are at least aware of, the various devils laying siege to their information?

State Sponsored

In a democracy all citizens have the right to affect the appointment of their parliamentary representatives based on their manifesto of policies. But sometimes circumstances require amendments to those policies for the defence and stability of a country or region. One such change happened following worries that another 9/11 might occur, when the US administration decided to use the NSA to implement a program called ‘Prism’. Prism collects stored Internet communications based on demands made to Internet companies such as Google Inc. under Section 702 of the FISA Amendments Act 2008 and the Protect America Act 2007, and is described as "a circumscribed, narrow system directed at us being able to protect our people." (Obama, June 2013). But, as Edward Snowden revealed, it wasn’t only the US administration collecting this type of information: agencies such as the United Kingdom’s GCHQ also undertook mass interception and tracking of Internet and communications data.

National security is all well and good, but where is the line drawn when we hear that the National Security Agency is able to track the movements of individuals and map their relationships in ways that were "previously unimaginable"? It does so by gathering nearly 5 billion records a day on the location of cell phones around the world. "Analysts can find cell phones anywhere in the world, retrace their movements and expose hidden relationships among the people using them," wrote the Washington Post. “One of the key components of location data, and why it’s so sensitive, is that the laws of physics don’t let you keep it private,” said Chris Soghoian, principal technologist at the American Civil Liberties Union. People who value their privacy can encrypt their e-mails and disguise their online identities, but “the only way to hide your location is to disconnect from our modern communication system and live in a cave.”

Hacktivist

Many define a ‘White Hat’ hacker as a computer security expert, and computer criminals as ‘Black Hats’, also known as ‘Crackers’.
Many of the leading IT vendors make use of ‘White Hat’ hackers to help them in return for a reward. Microsoft recently paid James Forshaw one of its biggest bounties, $100,000, after he identified a new “exploitation technique” in Windows operating systems. Rival consumer computing brand Apple, as well as social networking website Facebook, both recognise white hat hackers with hall of fame pages on their websites.

Unfortunately we exist in a context where ‘Hacker’ carries the negative connotation of a bad person, which is reinforced by recent incidents such as:

  • Gediminas Simkus and Volodymyr Kurach, who were recently arrested by Scotland Yard on charges of stealing £1m from two banks via bogus emails carrying viruses.
  • Jens Kyllönen, an online poker player, had his laptop stolen from his hotel room – only for it to mysteriously reappear an hour later with a hidden Remote Access Trojan (RAT) installed that ‘gave the attackers (hackers) a view of whatever was happening on Kyllönen’s screen’. That’s inconvenient for most, but fatal for an online poker player. As soon as Kyllönen logged on, the attackers could see where he was playing and what his cards were.
  • Karen “Gary” Kazaryan, from Glendale, California, was sentenced to five years in prison for hacking into the online accounts of at least 350 women. The 27-year-old stole explicit or embarrassing photos from their accounts and used them to blackmail the victims.

Characterizations start to become blurred when you try to establish whether someone like Edward Snowden is a ‘Devil’ of the Black Hat or the White Hat fraternity.

Negligent

At what point do individuals and organizations transition from being naïve about the loss of information to being negligent or downright irresponsible? Naivety is the start of the learning process; as the South African-born poet Alison Croggon said, “We are all mistaken sometimes; sometimes we do wrong things, things that have bad consequences. But it does not mean we are evil, or that we cannot be trusted ever afterward.” This quote stares into the face of the world we live in today, where individuals and organizations need to be allowed to learn from their mistakes and rectify the situation: a genuine mistake [in the case of information loss] can be communicated, assessed, and actions put in place to minimize the opportunity for the same mistake to recur, whether by the same or a different individual or organization.

An example of naivety is outlined below. A burglary can never be anticipated, but the accessibility and security of protected health information (PHI) can be managed in a more responsible manner.

San Jose-based orthopaedic surgeon Stephen T. Imrie, M.D. notified 8,900 patients that a password-protected laptop stolen from his home on September 23 held their protected health information. Although the burglary was immediately reported to the police, the laptop has not been recovered. Patient information on the laptop included the patients’ names, dates of birth, telephone numbers, Social Security numbers, medical history (medications and diagnoses), and surgical information (if surgery was performed). So far, there have been no reports of any misuse of the information. Patients were offered free credit monitoring services through AllClearID.

Negligence and irresponsibility, by contrast, fall under the latter part of a quote from the Greek playwright Sophocles: “All men make mistakes, but a good man yields when he knows his course is wrong, and repairs the evil. The only crime is pride.” Many organizations that transition from naivety to negligence are not focused on the individuals their actions have affected, but rather on the repercussions for themselves, or the damage that disclosure and remediation would do to their organization. These are not intentional acts of malicious information loss and/or unauthorized distribution, but ineffective working practices or a lack of controls over the access, management and security of critical information.

In January 2013, the Information Commissioner’s Office (ICO) imposed a financial penalty of £250,000 on Sony Computer Entertainment Europe. The data breach penalty relates to the hacking of the Sony PlayStation Network Platform in April 2011, which compromised the personal information of millions of customers. An ICO investigation found the attack could have been prevented if the software had been up to date; technical developments meant passwords were not secure. “If you are responsible for so many payment card details and log-in details, then keeping that personal data secure has to be your priority,” said David Smith, deputy commissioner and director of data protection. The technology was one contributing factor to Sony’s negligence; the other was the lack of upfront information to its customers and the downplaying of its problems. In a report sent to Japan's Ministry of Economy, Trade and Industry, Sony confirmed that it knew much more about the security breach than it told the public. According to the report, Sony confirmed on April 25 (2011) that a "fairly large amount of data" was compromised, but it only told the public that it "cannot rule out the possibility" of a risk.

With the lack of transparency from many large organizations, changes will have to be made. The teeth of the ICO are becoming more visible, as in the case covered by SC Magazine in January 2014, where the Irish Data Protection Commissioner (DPC) - the equivalent of the ICO in the UK - began an investigation into the massive Adobe data breach in which hackers stole around 38 million customer records from the company's server. According to the DPC, the investigation has been ongoing since last October, when the company's Irish operation first notified the regulator of its problems. "This office immediately launched an investigation into the matter, which is still ongoing," said the DPC's press statement.

Despite initially claiming that the data breach only affected 2.9 million users, Adobe later revised that figure to 38 million following investigations by security researcher Brian Krebs, who revealed that the database included email addresses, passwords and password hints. Krebs added that the leaked source code had widened to include Adobe's Photoshop software. The final breach could reach over 100 million users.

Which Devil can you trust or change your attitude to minimize your exposure?

  • State Sponsored - Would you trust the state-sponsored ‘Devil’ who can crawl across your information for [assumed] legitimate reasons, or is Big Brother working on ways to block freedom of movement and speech?
  • Hacker – Do you assume the hacktivist ‘Devil’ is an innocent ‘White Hatter’ until proved guilty? That would mean allowing them to run with your information and hoping they would return it without turning to the dark side and joining the ‘Black Hat’ brigade.
  • Negligence – Can you trust the negligent ‘Devils’; yourself and other colleagues, friends, confidants and organizations, to remove negligence and errors from their interactions, to safeguard your information from prying and malicious eyes?