Monday, September 12, 2016

Cyber Crisis Management, Survival or Extinction?

INTRODUCTION

In today’s highly interconnected global economy, a major breach can quickly grow into an extinction-level event for a company. We operate in a 24/7, multi-platform news environment that presents organizations with an entirely novel communications challenge. In the past, a crisis might have played out in the media of one country and only later spread internationally; today a negative story travels around the world in minutes, and the cyber domain itself has no geographical boundaries. Organizations are therefore under even more pressure to plan for reputational crises and to respond quickly when problems arise.

A cyber crisis adds levels and challenges that general crisis management does not have: the technical dimension, the fact that a cyber crisis can be hard to detect in time, and the possible cascading effects across systems and business processes. To a much greater degree than in general crisis management, there is a vast amount of information that must be grasped and organized while the crisis is being managed.

Effective crisis management requires that managers understand both the sources of crisis events (i.e. cyber incidents) and the strategies and tactics needed to identify and plan for them.

A crisis event rarely occurs “out of the blue.” It usually follows one or more warning signs: a series of precipitating events precedes the “trigger event” that ultimately causes the crisis. In the cyber domain those precursors (failed logins, a newly created privileged account, an unfamiliar tool running on a server) are typically already visible as individual alerts in the SIEM (Security Information and Event Management) system; the challenge is to correlate them in time rather than discover the chain only after the trigger.
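To make the precursor/trigger idea concrete, here is an added example (not part of the original post, and not any SIEM's native rule syntax) of the correlation a SIEM rule or a small script would perform: it reads constructed sample events, tracks per-host warning signs, and only classifies a trigger event as a crisis when the full chain of precursors occurred on that host within a time window. The event types, host names and timestamps are hypothetical.

```python
"""Precursor-to-trigger correlation over sample SIEM events.

Constructed example: the log lines and event names are made up for this
illustration; they are not the original post's data or any SIEM's native schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical normalized event types. PRECURSORS are the warning signs;
# TRIGGER is the event that, on top of a complete chain, marks a crisis.
PRECURSORS = ("auth.bruteforce", "auth.new_admin", "proc.suspicious_tool")
TRIGGER = "net.bulk_egress"
WINDOW = timedelta(hours=24)   # precursors older than this are not counted

# Constructed sample events: "<ISO timestamp> <host> <event type>"
SAMPLE_LOG = """\
2016-09-12T01:02:00 web01 auth.bruteforce
2016-09-12T01:10:00 web01 auth.new_admin
2016-09-12T02:30:00 web01 proc.suspicious_tool
2016-09-12T03:45:00 web01 net.bulk_egress
2016-09-12T04:00:00 db02 auth.bruteforce
2016-09-12T05:00:00 db02 net.bulk_egress
2016-09-10T09:00:00 app03 auth.bruteforce
2016-09-10T09:30:00 app03 auth.new_admin
2016-09-10T10:00:00 app03 proc.suspicious_tool
2016-09-12T12:00:00 app03 net.bulk_egress
2016-09-12T06:00:00 mail04 auth.bruteforce
"""


def parse_event(line):
    """Split one log line into (timestamp, host, event_type)."""
    ts, host, event = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), host, event


def assess(lines):
    """Return {host: (verdict, precursor_stage)} for every host that raised TRIGGER.

    verdict is "crisis" when all PRECURSORS were seen on that host within WINDOW
    before the trigger, otherwise "investigate" (an isolated or partial chain).
    Hosts with only precursors and no trigger are left to normal alert handling.
    """
    events = sorted(parse_event(l) for l in lines if l.strip())
    precursors = defaultdict(list)   # host -> [(ts, event_type)]
    verdicts = {}
    for ts, host, event in events:
        if event in PRECURSORS:
            precursors[host].append((ts, event))
        elif event == TRIGGER:
            # Only precursors inside the window count towards the chain.
            recent = {e for t, e in precursors[host] if ts - t <= WINDOW}
            stage = sum(p in recent for p in PRECURSORS)
            verdict = "crisis" if stage == len(PRECURSORS) else "investigate"
            verdicts[host] = (verdict, stage)
    return verdicts


def hosts_to_escalate(verdicts):
    """Hosts whose verdict warrants convening the Crisis Management Team."""
    return sorted(h for h, (v, _) in verdicts.items() if v == "crisis")


if __name__ == "__main__":
    result = assess(SAMPLE_LOG.splitlines())
    for host, (verdict, stage) in sorted(result.items()):
        print(f"{host}: {verdict} ({stage}/{len(PRECURSORS)} precursors in window)")
    print("escalate to CMT:", hosts_to_escalate(result))
```

In the sample data web01 shows the complete chain and is the only host escalated; db02 raises the trigger with a single precursor and app03 raises it with a full chain that is two days old, so both are flagged for investigation rather than crisis. The window is the part practitioners most often get wrong: too short and a slow intrusion is split into unrelated alerts, too long and every bulk transfer inherits stale warning signs.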

Adequate Crisis Management planning goes through the five key tasks or challenges that are involved in resolving cyber crisis situations. The tasks are[1], in rough chronological order: sense-making, meaning-making, decision-making, termination, and learning. These tasks can be (unevenly) separated into a loose before–during–after categorization, where the bulk of the actual crisis management happens during the actual crisis. A well-planned and efficiently executed cyber crisis management plan can be the differentiator between cyber breach survival and extinction.


Before a Crisis
Because we are dealing with cyber crisis management, a significant portion of the preparation is focused on the systems that provide prevention and early warning. These include, but are certainly not limited to, a broad portfolio of technical capabilities: threat intelligence, a Security Operations Center (SOC), Incident Response (IR) and digital forensics capabilities, a Security Information and Event Management (SIEM) system, behavioral analysis, sandboxing, honeypots and more. All of these, together with ancillary security and risk management capabilities, should lead to the "situational awareness" that is your goal. In short, situational awareness is knowing what is going on around you at all times so that you can decide how best to react when conditions change.

Identify and anticipate the Cyber Crises
Through threat modelling or risk assessment the organization should identify potential cyber crises in advance. Threat scenarios should be examined; in addition to the threats you are already anticipating, it is advisable to identify the "known unknowns" (https://en.wikipedia.org/wiki/There_are_known_knowns) and at least discuss them. This step is an absolute must; otherwise the entire crisis management plan may completely miss the mark.

The Crisis Management Team (CMT) and the Crisis Management Plan (CMP) are the core of an organization’s crisis planning efforts. Once the CMT is in place, work can begin on the CMP. The CMP is a systematic way of thinking about organizational crises. Top management support is very important both in developing the CMP and in managing a crisis. Flexibility is favored over a rigid step-by-step procedure: when human, technical and other unknown elements interact, some degree of improvisation is required to read the situation correctly and act accordingly.

Brainstorming and drafting a plan
In addition to the senior representatives of all potentially impacted internal functions (IT, security, sales, marketing, finance, operations, etc.) identified in the previous stage, the CMT should bring in supporting functions such as HR, Legal and, most importantly, the Crisis Communications Team (PR) for intensive brainstorming sessions on all the potential crises that could occur at your organization. The exercise should include an analysis of the anticipated impact on the various organizational units, as well as the possible implications across legal, finance, operations, sales, marketing, customer care and other internal and external stakeholders.

The outcome of the brainstorming should be the basis for an integrated plan that addresses the potential crisis-causing threats identified in the threat modeling/risk assessment phase. It should also detail (with flexibility) what each function does at which stage for each of the scenarios identified, with special emphasis on coordination and acting in unison.

Identify and Train Spokespersons
The message and the person who delivers it are two critical components. Ensure, through an appropriate policy and training, that only authorized spokespersons speak publicly. This should not be "on the job" training!

Develop Holding Statements
In any cyber crisis your stakeholders have the right to know what has happened, and in some cases you also have a regulatory or legal mandate to make a full disclosure. A holding statement gives the media an initial statement that sets out the basic facts about the incident and lets people know that you are actively dealing with the situation. You will, of course, need to adjust it to the particular circumstances of the incident and to anticipate the implications of each scenario before you finalize it.

Assign Responsibility
A company needs a single person or function that oversees the technical and non-technical aspects of preparing for and responding to cyber crises. This person should understand how the technical aspects of a breach can affect the entire enterprise, including the follow-on risks it could pose, and should direct preparation and response in the context of mitigating enterprise risk. That person should also own the plan: be responsible for creating it, keeping it updated, exercising it and, most importantly, executing it on “D-day.” Any other arrangement risks difficulties in coordinating the different parties and poor (costly) execution during the cyber crisis.

Testing and Exercising
The CMT leads training in the area of crisis management. The best plans are worthless if they exist only on paper, so team training should occur at regular, scheduled intervals. The CMT needs an exercise that focuses on collaboration with different actors and on meaning-making towards the general public and investors. The security organization needs an exercise that focuses on incident response and on explaining to the CMT what the problem is. By far the best way to test the CMT and the CMP is war gaming. War games are about resilience: how well the organization responds to realistically simulated cyber incidents. They help the organization assess how suitable the CMP is and under which conditions it is most likely to fail.

During a Crisis – Show Time!
The Incident Response Team (IRT) has completed its triage and, congratulations, you have been breached. What now?

Time to gather the Crisis Management Team (CMT) –
The first step in the formal response to a crisis is to convene the CMT. The time managers have to react to a crisis depends on its impact on the organization and its stakeholders. Having a formalized Crisis Management Plan (CMP), or protocol, makes it possible to think and act expediently during the first few hours of a crisis. The CMP is a key strategic tool that initiates the crisis decision-making process by helping to frame the problem, determine the parties responsible for implementing the various actions, and develop justifications for the decisions that are made.

Assess the Crisis Situation (Meaning making)
The most important task for the CMT at this stage is to assess the situation so that decisions can be made to mitigate the crisis. Situational assessment refers to the information processing and knowledge creation aspects of crisis management. Some describe it as an awareness of knowing what is going on and then predicting how the crisis may evolve. Situational awareness is critical to understanding the crisis and identifying its dimensions and intensity.

The CMT should collect all relevant information: Learn as much as possible about the situation, including what happened, who was involved, where it took place, and the current status of the crisis. This step should not only occur during the situational assessment but also throughout the duration of the crisis, and should be repeated at set intervals.

Decision Making while continuing with Meaning Making
Assign tasks and continue fact finding. The crisis management team should delegate duties.

Damage Containment

It is important that the CMT does what is feasible to contain the damage inflicted on its internal & external stakeholders, the reputation of the organization, and its assets. This task is the bottom-line goal for all crisis managers.

Damage containment is the effort to keep the effects of a crisis from spreading and affecting other parts of the business. On the "technical side" crisis damage containment & eradication means to quickly stop the spread of the attack and prevent further damage. The CMT role is to allocate resources such as funds and human resources to help contain the damage.

Develop solution alternatives.
Identify possible solutions that can be implemented.

Mitigation Strategies

Once the situational analysis is completed, strategies for managing the crisis can be identified and implemented. Not all strategies will work initially, so care must be taken to reassess the situation on a regular basis. Flexibility must be maintained because a crisis situation can rapidly change. Care should be taken to address the crisis directly and restore confidence with the affected stakeholders.

Implement the chosen solution(s).
Implementation is often the most difficult part of the process. It requires competent people, time, and money. Allocation of sufficient resources is important.

Notification and Communication

Communicate with the media.
The organization should be proactive in meeting with the media and presenting its side of the story. If the organization does not communicate, the media will find the facts of the story elsewhere, a situation that takes control out of the hands of management.

With the pre-prepared statements as a starting point, the Crisis Communications Team must continue to develop the crisis-specific messages each situation requires. The team should already know, for each category of stakeholder, what information they are looking for and what information can be made available.

Notifying Customers
Customer notification should be made as soon as the ‘Meaning Making’ process has confirmed the scope and nature of the attack, including whether customer information was involved in the crisis.

Notifying Law Enforcement
Based on the circumstances established through investigation, the organization must determine whether and when to notify law enforcement.

Notifying Governing bodies and Regulators
A legal analysis should be made in the preparation to crisis stage and the organization should know at this point which governing body/regulators should be notified, how they should be notified, and in which circumstances. After such notifications, the organization must coordinate with regulators to manage the relationship and repercussions. Listed companies are also responsible for evaluating cybersecurity risks and disclosing these risks to investors as appropriate.

Monitoring Systems.

The CMT must recognize the importance of monitoring the opinions and behaviors of its key stakeholders during a crisis and exercising its own influence when possible. It may be necessary to adjust the message being communicated, the stakeholders being addressed, and the manner in which the leader is communicating.

Intelligence gathering is an essential component of both crisis prevention and crisis response. Knowing what is being said about you on social media, in traditional media, and by your employees, customers and other stakeholders often allows you to catch a negative “trend” that, if unchecked, can escalate the crisis.

Termination

The major goal at the beginning of a crisis is to minimize potential damage to the firm and its reputation. In some cases the objective may even be to turn any potential negatives associated with the crisis into positives for the organization.

The termination task is where decision makers decide that the crisis is finally over and that the CMT can be disbanded. This does not necessarily mean that every last detail of the crisis has been fully resolved, but rather that what remains can be handled using normal, non-crisis means and methods.

After a Crisis

Review what happened.

Evaluate the decisions that were made and the results that followed. What was learned, and how might such a crisis be handled differently in the future?

The evaluation process is not an activity that occurs only after the crisis ends. Evaluation is a process that begins when the crisis commences and continues throughout its duration. The more the CMT can understand what is and what is not working in the crisis response, the more easily they can adjust their plans in tackling the crisis. Because the evaluation process is so important, the following benchmark questions should be raised:

How has the crisis affected the behaviors and opinions of internal and external stakeholders?
To what extent have normal business operations been affected?
Which crisis response strategies and tactics were effective, and which were not?


Conclusion

To sum it up, adequate crisis management planning goes through the five key tasks or challenges involved in resolving cyber crisis situations. The tasks are[1], in rough chronological order: sense-making, meaning-making, decision-making, termination, and learning. These tasks can be (unevenly) separated into a loose before–during–after categorization, where the bulk of the actual crisis management happens during the crisis itself. A well-planned and efficiently executed cyber crisis management plan can be the differentiator between cyber breach survival and extinction.



REFERENCES

Sources:

http://www.itgovernance.co.uk/
Freshfields Bruckhaus Deringer LLP, Crisis Communications Professionals' Survey 2013
https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cyber-crisis-cooperation/nis-cooperation-plans/ccc-management



[1] As per definition by ENISA

A Review and Analysis of the World of Cyber Terrorism

Introduction

In order to discuss cyber terrorism, one first needs to differentiate terrorism from other kinds of threats in cyberspace, such as organized crime, espionage, cyber war and activism. Terrorism is characterized as an act intended to achieve political objectives by influencing the decision-making process of a nation state. Another characteristic is that it is intended to cause fear through violent means. Activism, for instance, also wants to affect political decisions, but does not intimidate the public to do so.

[Picture source: The Guardian]
The violent means used in cyber terrorism can physically harm people through the manipulation of information systems (IT and OT) that run physical systems [critical infrastructures]. They can also be used to disrupt the routine of modern life, which is based mostly on information systems [for example, attacks on the financial sector].
Another point to keep in mind when reading this review is that a cyber terrorist organization operates in a way very similar to a business organization. Both are goal-driven organizations; the difference is that where a business seeks financial gain, the terrorist organization acts for political gain. This means that many of the tools and methods used by business organizations in the cyber sphere for financial gain are used by terrorist organizations for political objectives. This dual use of technologies, tools and methods makes it difficult to identify and counter cyber terrorism.
Terrorism is an act of very high intensity in terms of the risks it entails and its possible impact, in addition to undermining the public’s sense of security. It is usually performed in the context of an organization, one that may be strong and secretive and that often benefits from a global network, the absence of physical boundaries, and the support of a local population.
Most definitions of a terrorist act are based on a number of premises:
  • The purpose of the act is to promote a political, ideological or religious purpose.
  • The goal of the act is to create an effect of extreme fear and panic in the general public or force a government/elected body to change its policy
  • The act is characterized as a grave and violent one that can endanger human life (also through the disruption of critical infrastructures [1]).
Professor Boaz Ganor of the International Policy Institute for Counter-Terrorism defines terrorism as “a violent struggle, in which violence is used intentionally (or threatened to be used) against civilians, for the purpose of achieving political goals”.

Cyber Terrorism

Cyber terrorism is no different in its objectives than physical terrorism: it uses the cyber sphere to spread fear and panic in the general public in order to achieve political goals. Unlike physical terrorism, cyber terrorism has yet to directly cause fatalities.
Terrorism uses cyberspace for more pragmatic purposes as well: fundraising, recruitment, acquiring knowledge, intelligence gathering, money transfer, arms procurement and the purchase of other goods. In fact, a terrorist organization uses the cyber sphere for every aspect of running its operations, just like any legitimate business.
Cyber terrorism is less expensive to execute than physical terrorism. One reason is awareness: terrorism in the physical sense is not a new phenomenon, and nations have established intelligence and defense organizations to detect and foil it, whereas terrorism in the cyber sphere is relatively new and the national or international mechanisms to counter it have yet to mature. In economic terms, therefore, the threshold for committing cyber terrorism is lower than for physical terrorism.
Cyber terrorism does not require a long, complex and expensive logistical tail. In theory, any lone wolf or hacker with reasonable resources can commit an act of cyber terrorism while drinking an espresso in a coffee shop. Hijacking the Twitter account of the president of the United States and posting a threatening message does not require prolonged intelligence gathering, explosives, weapons, a getaway car or safe houses.

Political objectives

Cyber terrorism is mostly employed by the same actors who perform terrorist acts in the physical world – terrorist organizations and nations who sponsor terrorism. Its main objective is to achieve political gain.
The main tool of cyber terrorism is spreading fear in the public. The main channels for doing so are media websites, social networks and the websites or blogs of opinion leaders. The terrorists will seek out the platform with the greatest reach for a threatening message. It is no coincidence that the Syrian Electronic Army, a terror group associated with the Assad regime in Syria, is known for hijacking the Twitter accounts of news channels [2].

Communication

One main use of the cyberspace in terms of terrorism is for communication purposes – for contact between operatives to execute an attack in the physical dimension, recruitment, planning a collective cyber-attacks, or passing messages for any other purpose.
The technologies used to this end are those based on electromagnetic transmission and those using the internet: landline, mobile and satellite phones, VoIP based on the SIP protocol, or any other medium. Internet communication tools include chat programs [WhatsApp, Viber, Telegram and others] [3], social media, mobile apps including games, and email.
One should remember that when it comes to communication there is no real difference between the operations of a terrorist organization and a business organization, the difference is in the objectives. While the former wants to spread fear in the public, the latter wants to sell a product to the public. In both cases this means selling an idea for the purpose of motivating the end consumer to act. Therefore, when thinking about the use terrorist organizations make of cyber, one should assume they will use similar tools to those of a business organization.
Thus we learn about one of the most basic problems of dealing with and foiling cyber terrorism – The dual use of technology. In other words: the same technology that is used for legitimate economic activities, can be used for terrorist activities.

Propaganda

Terrorists want to spread fear, so they direct their activities at news outlets that can mass-distribute messages to the public with little effort. To this end terrorist organizations target the websites of media outlets and companies, and individuals who are thought leaders on social media. Another way to reach the masses is the cell phone: there have been cases in which Hamas sent threatening text messages to the Israeli public.
Propaganda can also be achieved by creating a message in the physical dimension. For example, if a terrorist organization could gain control over a traffic light system and block the main roads, it would convey a powerful message. It could do the same by disrupting the information shown by a commonly used navigation system such as Waze. Demonstrating the capability to disrupt the daily routine can cause fear in the public and earn political capital.
In the age of the Internet of Things [IoT], terrorist organizations can use any technology that delivers messages and is connected to the internet, for example electronic billboards, smart TVs and others. In terms of propaganda, the advantage a terrorist organization has in cyberspace is the relative ease of disrupting messages conveyed to the public. Hijacking the Twitter account of a prime minister, for example, is not considered a very difficult task, but its results can be devastating.

Finances

The financial sector is used by terrorist organizations for two main purposes: managing the organization’s finances, and attacking the financial sector to disrupt normal life and cause fear. On the management side, the terror organization uses the banking system for money laundering, payments to operatives, arms procurement, payment for outsourced cyber-attacks and various other needs.
To cause fear, the terrorist organization will act to disrupt life’s routine: disrupting the stock exchange, altering the databases of a central bank, or manufacturing a bribery case against an elected official by injecting transactions into his bank account. Any of these can cause chaos in a country. The financial sector can be a means of spreading fear in the public because of its pivotal role in everyday life.
Another technology used in the financial sector is virtual currency. Terrorist organizations use this medium to make it harder for national and international security services to trace their sources of funding. Note that most such currencies, Bitcoin included, are pseudonymous rather than anonymous by design: every transaction is recorded on a public ledger, and what is hidden is the link between a wallet address and a real-world identity, not the transaction itself.

Fundraising

Like any other organization, a terrorist organization needs funding to carry out its ideology. Funding typically comes from a sponsoring nation (where there is one) and from donations by ideological supporters. Just as the web is ideal for fundraising on Kickstarter, it is ideal for funding terror operations: instead of sending representatives door to door, a terror group sends an email or a message through social media groups. The purpose is the same, reaching a supportive audience and raising funds. Digital currencies such as Bitcoin help the organization raise funds with less scrutiny from the banking system, although not truly anonymously, since transactions are publicly recorded.
Fundraising among supportive communities may be a legitimate act (depending on its purpose). However, knowing that it exists should lead to monitoring these activities in order to uncover the ways terrorism is funded. Furthermore, contacts made for fundraising can also be used for other purposes, such as recruitment, intelligence gathering, arms procurement and more.

Recruitment

Recruiting operatives is similar in essence to fundraising, except that the resource is operatives rather than funds. Examples are ISIS recruiting operatives through Twitter [4], or Anonymous recruiting participants for its DDoS attack on Israel on April 7th. Recruitment is done on online forums, mailing lists, and any other means that enable the terrorist organization to reach its loyal public.

Acquiring knowledge

Terrorists need to learn – whether it is knowledge for physical implementation of terrorism [building bombs, working with explosives] or knowledge for implementation in cyber terrorism [programing languages, coding malicious software]. The cyber sphere that is used as an infrastructure for knowledge sharing is also used by those engaged in terrorism to acquire information and knowledge.
Alongside tactical information, the internet allows terrorists to acquire academic knowledge in engineering, chemistry, physics and other fields. Higher education enables a terrorist organization to close the technological gap between its capabilities and those of a nation state. In the context of cyber, higher education in the sciences and computer science places terrorists at the forefront of knowledge, alongside white-hat hackers.

Arms procurement

The cyber sphere is used by terrorists to procure physical weapons and cyber malicious software. Whether through secret groups on social media, closed forums, IRC channels or the dark web, arms procurement is an industry serving anyone with money.
For a number of years criminal organizations have been commercializing malicious software. This is a huge industry that develops malware and sells it as a service [malware-as-a-service], complete with support and updates. Modern malware is composed of a collection of components assembled into an attack tool offered as a service. Each component is an entire professional field, with developers who do it for a living; this is a full economic ecosystem of professional service providers collaborating to sell malicious software [5][6]. This commercial infrastructure is used by cyber terrorists. Alongside the purchase of cyber-attack capabilities, there is also an infrastructure in the cyber sphere for buying and selling physical weapons of various kinds.

Intelligence gathering

The web is a powerful resource for intelligence gathering: terrorists acquire intelligence on their targets from third parties, collect OSINT and WebINT, map out targets, plan courses of action in preparation for an operation, and use the internet to coordinate operations.
In fact, there is no difference between a business organization that wants threat intelligence for defensive purposes and a terrorist organization that wants intelligence in order to perform a “cyber terrorist attack”. In both cases intelligence gathering can be performed with the same tools and methods.

Actors in the world of cyber terrorism

Russia

Russia is considered one of the countries with superior cyber capabilities. Russia first used cyber as a weapon during the war with Georgia in 2008, and subsequently started using cyber terrorism as a means of promoting its political objectives. One example is the attacks on critical infrastructure in Ukraine [7][8], executed by a group typically associated with cybercrime [9].
Russia also serves as a shelter for companies offering “bulletproof hosting” [10], many of which are used as infrastructure for cyber terrorist attacks alongside gambling and child pornography. Russia is home to some of the largest cyber-crime organizations in the world, and these criminal organizations are also used as part of the infrastructure for executing acts of cyber terrorism.

China

China is also considered one of the countries with superior cyber capabilities. China is estimated to employ nearly 200,000 people in the cyber field, about 30,000 of them in the Chinese army and the rest in the private sector [11].
Officially, China opposes any kind of cyber terrorism, but unofficially it has the ability to disrupt critical infrastructure, banking systems and the systems that relay information to the public [news media]. It therefore has great potential to use cyber terrorism for political purposes, and those capabilities might materialize if the United States were to threaten the stability of the ruling Communist Party.

Iran

Iran is known to employ terrorism for political purposes. For the most part, Iran’s cyber terrorist attacks correspond to the political maneuvers it is trying to promote, for example during the nuclear talks with the US and Europe. During the negotiations Iran employed a variety of cyber terrorist acts against the US [12].
Iran has developed very good cyber capabilities over the years, and these are displayed in its ability to apply cyber terrorism. One way to enhance these abilities is to disrupt or threaten critical infrastructure.
Cyber terrorist attacks that physically damage a country’s critical infrastructure can cause grave casualties and public panic. One example is the Iranian attempt to target a dam in the state of New York [13].
Iran is considered one of the strongest countries in terms of cyber capabilities, owing to a sound academic infrastructure, a well-developed military industry and a high motivation to use terrorism as a political tool [14]. Iran also uses terrorist organizations such as Hezbollah as proxies, and can therefore implement cyber terrorism through them without the trail leading back to Tehran. There is also an apparent connection in Iran between the government and private hacking groups that are used to execute the Iranian cyber strategy.

North Korea

North Korea employs terrorism for political purposes. The event that placed the country on the terrorist map and in the news was the 2014 hacking of Sony Pictures Entertainment [15], an attack that came in response to a movie Sony produced that mocked the ruler of North Korea. North Korea also uses cyber terrorism to cause fear in South Korea; among other incidents, it tried to attack train infrastructure [16] and nuclear power plants [17]. More about North Korea’s capabilities can be found in a report on the CSIS website [18].

Syria

The Assad regime uses cyber terrorism through a hacker group called the Syrian Electronic Army, which is estimated to receive funding from the Syrian government. One incident attributed to this organization is an attempt to poison the water system in Israel.
The Syrian Electronic Army is known for its specialty in attacking news organizations [19]. Its purpose is to broadcast messages through news outlets to promote the political goals of the Assad regime. The organization also engages in exposing classified information of various regimes in the Middle East [20]. There is no doubt that it is aware of the strength of the media as a medium for terrorism and specializes in exploiting it.

Hezbollah

Hezbollah is a terrorist organization employed as an Iranian extension, and it is therefore assumed that technical capabilities are transferred from Iran to Hezbollah. This transfer includes the training of human capital in cyber, the procurement of tools and systems, and the sharing of intelligence knowledge. Hezbollah’s cyber capabilities were exposed in 2006 when, during the Second Lebanon War with Israel, it was claimed that the organization was able to hack into the IDF’s encrypted mobile network, called “Vered Harim”.
In 2013 there were claims that Israel eliminated the organization’s head of technology. This exemplifies how, in the cyber sphere, technological capabilities that reach the hands of a terrorist organization can pose a threat to an official state.
In February 2016 the organization unveiled its hacker unit and its capabilities, claiming to have superior capabilities.

Islamic Jihad

The Islamic Jihad is a terrorist organization operating in Gaza that has adopted cyber capabilities. Mostly it is an infrastructure based on “talents”: a few individuals with high technical capabilities. This is not an organized infrastructure that develops human capital to perform cyber activities.
Not much is known about the organization’s cyber capabilities, but a case that was revealed in March 2016 shed light on them. In that case, a hacker named Majed Awida was accused of developing hacking software to infiltrate monitoring systems and sensitive systems of the military, the police and TLV Airport. According to the charges, Awida, a computer engineer by profession, developed hacking software through which one could watch the live video of traffic cameras and police cameras, and thus locate crowded places and assembly points of security forces and follow traffic in Israel. The indictment also attributes to Awida the development of software enabling the tracking of aircraft and passenger movements at TLV Airport. According to the indictment, Awida supplied the software to the Islamic Jihad and continued developing malicious software for the organization that would enable its high-ranking officers to track the IDF’s UAV transmissions in real time.

ISIS aka Daesh

Operating in Syria and Iraq, ISIS uses the cyber sphere mostly for the purpose of intimidating the world’s population and creating propaganda. The most prominent example is the posting of horrifying executions, carried out in various methods, on social media. The organization’s use of cyberspace for the purpose of publicizing its extreme visual messages is considered “pure” cyber terrorism, aimed at causing fear.
Alongside posting threatening messages and propaganda, the organization uses cyberspace for the routine operational activities of recruiting resources and people. In the context of terrorism the organization also uses other methods, such as publishing the names of American security personnel with a call to its operatives around the world to assassinate them[21].
There is no doubt ISIS is aware of the power of cyberspace for spreading propaganda and fear, and it works to this end on social media and the internet. The organization also publishes a monthly online magazine named Dabiq[22], uses chat services for communication with operatives and has even developed mobile software for encrypted communication.

Anonymous

Anonymous is a terrorist organization operating for political purposes in the cyber sphere. Unlike other terrorist organizations in the physical world that also use cyber capabilities, Anonymous operates exclusively in cyberspace. Anonymous operates on the border between activism and terrorism.
Well-known terrorist attacks by Anonymous are the attacks on Israel on April 7th in each of the past four years. These attacks were intended to spread fear in the Israeli public and affect the political decisions of the Israeli government. Anonymous operates in a similar manner towards other countries, through denial-of-service attacks on government systems or by stealing classified information and publishing it in order to intimidate and undermine the regime. Anonymous recently threatened to disrupt the Olympic Games in Rio[23].

Technological Trends in Cyber Terrorism

Similar to the physical dimension, terrorist organizations in cyberspace outsource assignments to criminal organizations for payment. It has been established that there is a link between terrorist organizations and organized crime, a link based on financial gain. One can also observe a connection between rogue states and terrorist organizations. Another link that has been observed is between terrorist organizations and hacking groups used as mercenaries.
When examining the technological trends in the world of cyber terrorism, it is important to note that these links exist and that technological trends flow from one group to the other.
Emphasis should be placed on the flow of technology from the world of organized crime and the world of state cyber capabilities to the world of cyber terrorism. One prominent example is the leak of the Stuxnet code from the world of state cyber operations to the internet[24]. This means that code created by a nation as a weapon to attack critical infrastructure is now in the hands of terrorist organizations and the rogue states supporting them. For those who do not believe software code can paralyze critical infrastructure, it is recommended they review the experiment the American DHS held in 2007[25].

Encryption

One of the trends we see in the world of cyber terrorism is a growing use of encryption, for the purpose of concealing the terrorists’ activities from the state’s security services. It is assumed that some of the cyber terrorism organizations have extremely high technological awareness, and therefore know that modern countries develop tools to monitor communications through electromagnetic transmissions and the internet. Voice, data, images, video or text – all are monitored. Therefore, terrorist organizations use encryption to hide their activities.
The use of encryption is not limited to a specific medium. From two-way radio devices, laptop and desktop computers, mobile phones, e-mail, chat software or file sharing software, the terrorist organization will try and maintain encrypted communications.
Encryption is not just AES. In the past the Israeli Mossad revealed[26] that terrorist organizations use well-known websites such as Reddit, eBay and porn sites to pass encrypted messages. In that case the technique is called steganography[27], and it enables hiding information in legitimate files.

Biometrics

The use of biometric technologies is expected to gain momentum in the future in the user verification process of technological services. This trend is also expected to come into use amongst cyber terrorist organizations. Much like encryption, biometric technologies can aid terrorists in concealing their activities from law enforcement.
Another aspect of biometric technology is the ability of terrorists to manipulate data for the purpose of intimidation. The main concern of law enforcement and data security professionals is a leak from a government’s biometric database. In theory, this scenario would enable the framing of innocent people. Whether they are thought leaders in the political, business or military world, framing them can undermine the general public’s sense of security in their government.
Biometric technologies are also expected to come into use as verification methods in the financial world. For terrorists, possessing such capabilities can give them an advantage in committing financial crimes for the funding of terrorism.

Malicious Software

Terrorists will continue to be part of the cyber ecosystem of malicious software, whether by developing malicious software, buying it or hiring hackers to attack targets on their behalf.
It is safe to assume that terrorists will increase their efforts to get their hands on capabilities that can disrupt the operations of critical infrastructure in order to conduct a mass casualty attack or disrupt day-to-day life. In the attack in Brussels in March 2016, one of the assumptions is that the terrorists planned to disrupt the operation of a nuclear power plant in Belgium[28].
In addition to damaging critical infrastructure, malicious software will remain in the terrorists’ toolbox for hacking websites, social media accounts and databases, and for financial crimes.

Command and Control

Sophisticated terrorist activities in the cyberspace or the physical world require coordination, and the way to achieve it is to use command and control technologies. Cyber terrorists have adopted such technologies for the purpose of coordinating operatives in preparation for an attack, joint intelligence gathering and operational planning.
In addition, command and control technologies can aid the terrorist organization in managing equipment stocks, money and knowledge. In the cyber sphere, a terrorist organization can use the Waze Rider service to coordinate a meeting between members of a sleeper cell, despite the fact that the service was originally designed to plan carpool rides to work. And this is just one example.

Big Data & Algotrading

A fascinating and very advanced technological field that can be very useful for terrorists is algotrading. Originally, it was intended for developing algorithms for automatic, fast stock trading. However, in recent years this field has also come into use in the military for improving real-time decision-making processes based on information collected by big data systems.
Similar to a military organization, a terrorist organization can also use these technologies for real-time decision making, whether for cyber terrorism or for the physical dimension. The ability to collect large amounts of data to be analysed by an algorithm for decision making is not foreign to terrorist organizations. In the same indictment of an Islamic Jihad operative in March 2016, it was revealed that the organization wanted to use the information from Israeli traffic cameras and a mobile app for monitoring airplane traffic in order to increase the damage caused by the rockets the organization launches at Israel.
Using algotrading technology, combined with big data, would provide terrorists with the ability to make better decisions in real time and enhance the impact of the damage caused by their activities, and the level of fear they spread in the public.

The Main Risks of Cyber Terrorism

To sum up the main risks of terrorism, I will choose to define them as disrupting the routine of life. The political and economic systems operate on the assumption that there is a defined routine which allows stability. If we examine countries that are subject to widespread terrorism, we can observe that these two systems lack stability.
From a business point of view, terrorism spreads fear among the consuming public. This fear causes behavioral changes that affect the economic system. That can materialize in effects on the stock market, on consumption habits and on long-term financial decisions [such as changes in real estate prices as a result of the frequency of terrorist incidents in a certain location].
From a political point of view, terrorism tries to disrupt the governability of a regime. Political instability also directly affects the economic system both in terms of local consumption, as well as global investments coming into the country.

Critical infrastructures

One of the main risks that cyber terrorism poses is a threat to a country’s critical infrastructures [electricity, water, food, medicine]. Damage to these infrastructures can paralyze a country’s economic system for an extended period of time.

The Financial Sector

Choosing to define the financial sector of a state as a critical infrastructure is a political choice. From the business owner’s point of view, however, the financial sector should be viewed as a critical infrastructure which, when damaged, can have a significant impact on businesses.

Communications

News outlets in various mediums, social media and publications by thought leaders in various fields should be considered potential targets for cyber terrorist attacks. Through the publication of true or false reports and propaganda in cyberspace, a terrorist organization can inflict extensive damage on a business in the physical world by causing a change in consumers’ behaviour.

EMP

Another threat I have chosen to add to the list is the electromagnetic pulse, or EMP. This is a threat that is not discussed much in the media, but it is relevant to the world of terrorism as well as to the cyber sphere. EMP destroys all electronic circuits in the attack zone and effectively destroys all computer systems in that area. It is a means of physical denial of service for computer systems.
Recovering from such an attack takes a long time, sometimes months or years. Even though this is a relatively controlled technology, EMP generators in various sizes and shapes can be acquired through organized crime or other terrorist channels. This is an extreme scenario, but one that shouldn’t be ignored.

Countering Cyber Terrorism

Coping with cyber terrorism can be divided into two parts: the first is at the nation state level and the second is the business sector level. Much like the physical dimension, threats at the state level cannot and shouldn’t be handled by the business sector. However, the business sector should be aware of the threats, especially those that can affect its business operations.
The business sector should assume it is a target for terrorism since it is part of a wider context, for example – businesses in the state of Israel. In this scenario, Anonymous has targeted Israeli business organizations to try and influence political decisions of the Israeli government.
Cyber terrorism prevention is almost impossible for a business. However, businesses should include cyber terrorism in their threat modelling and prepare for such attacks.

Conclusion

Cyber terrorism is in many ways similar to physical terrorism, and this conceptual similarity allows lessons to be drawn from one dimension to the other. However, there are a few main differences. One difference is that it is harder to deter a cyber terrorist organization. One of the reasons for this is the problem of assigning responsibility for an attack due to the lack of physical (and other) evidence: when you cannot assign responsibility for a cyber-attack to a specific entity, you cannot punish it, hence there is no deterrence.
A second difference stems from the fact that cyber terrorism targets the business sector directly. While in the physical dimension the government, through its security services, has the proper infrastructure to shield the business sector from terrorism, in the cyber sphere governmental security services are almost non-existent and the responsibility for handling cyber terrorism is left with the business owners. This reality forces the organization to be aware of the threats arising from cyber terrorism, and to take the necessary action to defend against and recover from it with very little support from the government.
There is no doubt cyber terrorism is a challenge for modern business organizations. The economic connectivity based on the World Wide Web forces businesses globally to deal with the “butterfly effect” – changes in one place in the world can quickly affect businesses on the other side of the globe, and terrorist organizations exploit this reality to the full.
If credit cards are stolen from a retailer in Europe, and the incident is publicized on the internet, that message goes out to all consumers around the world. This means the sense of security consumers around the world have when shopping online is diminished. This behavioral change leads to a drop in proceeds from online transactions thousands of kilometres from the origin of the incident. Cyberspace turns changes in consumer behaviour into global trends.
The responsibility for dealing with cyber terrorism rests on the shoulders of the business organization. The fact that the government is out of the equation forces the business organization’s executive team to prepare for and react to such events, which is an additional operational and managerial overhead cost added to the daily operation of the business, not to mention the potential impact of a cyber-attack on the public infrastructure of a nation state.
Ignoring the threat of cyber terrorism will not make it go away and would certainly not prevent it. Cyber terrorism is here to stay and will almost certainly take its toll on the business sector.

Friday, September 18, 2015

The Critical Role of Cyber Security in Law Firms

Cyber-attacks have escalated to the point where they threaten all businesses today. However, given the sensitivity and confidentiality of the information held at law firms, they have been and will remain one of the largest targets. Whether the firm serves as custodian of clients’ intellectual property or commercially sensitive information, or as investigator of possible M&A transactions, the desire to hack into these deals is and will continue to be a great risk.
I would go so far as to say that some law firms face an even greater risk than the typical mid-sized company, especially those who deal with Patents and Intellectual Property as they’re threatened not only by cyber criminals but also nation-state hackers that are after commercial secrets and patents.
Numerous studies in the last few years have indicated that a law firm’s security is often relatively poor. Anecdotally, through my personal conversations with managing partners, I’ve identified two likely causes for that. Firstly, they’re typically not threat informed, which includes a lack of understanding regarding the potential impacts of a cyber-breach to their business and, most importantly, to their customers. Secondly, they still perceive security as an expense while they should be viewing it as a future business opportunity.
Studies aside, let me point to a case I personally worked on. We’d been engaged by a prestigious law firm, one that was likely to have better security than most, to execute a red team exercise. In a red team exercise we mimic threat actor behavior with the purpose of obtaining the ‘crown jewels’ or disrupting the business operation. Long story short, in less than 48 hours we had full control of the network, all assets including servers and shares, and all of the users’ mail boxes. We managed to do this in three different ways or attack vectors: (1) we broke their WiFi encryption, (2) we used social engineering against the receptionist to run our malware, and (3) we used social engineering against one of the partners where he was convinced to open a malicious file sent via email.
Some of the ‘crown jewels’ in this case were all of the litigation documents related to the defense of a major car manufacturer. In a recall trial that was ongoing, that information by itself was potentially worth hundreds of millions of dollars. Mind you the effort required to get to that information wasn’t more than a few tens of thousands of dollars. With hackers for hire this was a worst-case scenario which could and does happen today.
I believe that it’s time for law firms to look at cyber security not only from an ethical perspective (ABA Model Rule 1.6(c) requires that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”) but also as a business opportunity, one that leads as a differentiator within the industry. Given the justified buzz around cyber security and the growing attention given to the topic by executive teams and boards, who often serve as law firms’ marquee clients, firms that are able to prove they’re taking security seriously are likely to win the meaningful business.

Thursday, September 17, 2015

Doing it all wrong . . .

We’ve been doing it wrong for a while now. Over the last 20 years or so we’ve kept the discussion regarding security highly technical. Unfortunately, our greatest achievement was to exclude the C-levels and the board of directors from the conversation, and in doing that we’ve lost hundreds of years of organizational memory in problem solving, overcoming challenges, and mitigating risk. I’m arguing that cybersecurity isn’t a technical issue; it’s a business issue with strong behavioral and cultural influencers. The flourishing of the cybersecurity scene alongside the rise in cyber-attacks lends a certain credence to this theory. Yes, yes… one can argue that the increase in cyber-attacks is derived both from the shift of conventional crime to cybercrime and from the active participation of nation-sponsored threat agents in countless cyber-attacks. I don’t!

To set the record straight, technology is crucial for solving the problem. Technologies involved in efforts such as sandboxing, deception, behavioral analysis, threat detection, cloud security, endpoint security, and many others are advancing by the day, BUT they’ll only get us so far. The unstoppable race continues through and beyond the next technology; additional resources and budgets are forever incapable of yielding the desired results. As long as we keep looking at cybersecurity as a technology issue we’ll keep falling short in solving it. By the way, I think that we’re just in the pre-game and we’ve seen nothing yet. I predict that in the next 24 months (by 17 September 2017) we’ll see the first mega cyber-attack, and I wouldn’t be too surprised if it is aimed at critical infrastructure.

Personally, I’m not fond of the term “governance” and what it has represented over the last two decades in the security field – lame auditors with little to absolutely no understanding of security, checking boxes. The same goes for “compliance”, which is just a means to enforce governance; but if the governance is missing its true essence, then what you get out of compliance is nearly worthless when it comes to actual security. I like the term “Management Oversight” much better.

If we want to yield better results we need to start addressing cybersecurity as a business issue; we need to deploy methods and disciplines used in other areas of business “doing” and problem solving (e.g. game theory, applied mathematics, risk management, etc.). The board has two primary roles: the first is to set strategy and the second is to oversee the executive team and the business operation. Hence, if you’re convinced that cybersecurity is indeed a business issue, then the first step is to provide accessibility to the C-level execs and the board of directors, and that will only happen after we transform the discussion into a business discussion, looking at and evaluating business parameters.

The approach I’m suggesting is conceptually simple and potentially quite complex in its implementation. Think of layers, and think of security-related technology (and products) as the first. Technology will continue to be fundamental in solving the problem, if only because humans are both slow and liable to demonstrate poor judgment. I would like to say that the next layer is simply an industry-standard security framework (e.g., NIST, ISO, etc.), but these have proven not to be enough, as they rely on old-school governance, which is only partially effective. Traditionally, these don’t provide real guidance pertaining to the effectiveness of security infrastructure and systems but instead focus mainly on the existence of a security management system. The third layer is the audit and testing layer. I’ve strong reservations about typical audit functions because, much like compliance, they tend to be too theoretical, too forgiving… too soft. That said, supplementing tradition with a strong testing function which leverages red teams and war gaming, and puts functions such as security operations, incident response, and crisis management to a real-life test, would provide a realistic view of the level of security.

The first three layers should be complemented by two additional layers: the one we explored earlier, management oversight, and a final component, quantitative risk management. These are bi-directional in that both receive inputs from the first three layers; they complement and feed each other and provide output in a meaningful way which supports decision making. So, why quantitative and not qualitative risk management? That’s easy. When using qualitative risk management the assessment evaluates critical factors using qualitative scales (e.g., high – low, 1 – 5), leaving it at the mercy of an assessor’s mood on the day. At best, experienced security practitioners may be able to arrive at similar scorecards when evaluating “high” and “low” probability scenarios. Experience and double-blind testing tell me not to count on it. Quantitative measurements and estimates flesh out the assumptions, and they can be reviewed for accuracy over time.

Back to “Management Oversight”: if we want to keep the executive team and the board of directors threat informed, and we aim to include them, the “Management Oversight” layer needs to address their concerns and their questions: What threats are we facing? Which of these threats are we better prepared for, and where should we make further investment? How resilient are we to a cyber-attack? What is the overall survivability of the organization through a major cyber-attack? How mature are our incident response and threat intelligence programs? Have we tested our crisis management function? Who do we inform? Do we have the right messaging? Who faces the media? How effective is our security framework, and how compatible is our risk management framework with cyber risk? Are we under-insured or are we over-paying?

To sum it up, cyber security has only been around for 25 years; in some areas of the discipline there is a great deal of maturity and in others… not so much. We’re going through an evolutionary process, and what we know about evolution is that whoever manages to adapt when the circumstances change has the better chance of surviving.

Thursday, January 21, 2010

Risk-informed decision-making

Today, in most organizations, information assets are fundamental, and companies therefore invest heavily in protecting these assets. However, management's decisions on the scope of resources to be invested in protecting information assets are currently based on partial information provided in a "foreign language": the language of information technology professionals. This might result in managers overinvesting in protecting certain assets of lesser business criticality, and underinvesting in the protection of critical assets. A possible solution to this problem lies in the ability to "translate" and match business priorities with the appropriate technological challenges.

Information risk management is a relatively new discipline, and often, decision making when managing information risk falls victim to one or two fundamental problems:

  1. The decisions are not made by the right people, due to a lack of clarity as to who is the proper authority for managing information risk in the company, their level of responsibility, and what is expected of them. This, in turn, often results in unmet goals and expectations, a lack of executive support and/or the determination of a faulty set of business priorities.

  2. Decisions are made based on partial information or understanding of the risk at hand, without viewing the organization as a whole. This is likely to result in monetary investments in the wrong places, insufficient investment, and a surplus of expenses without clear ROI.

Information provided from audits and security assessments often focuses heavily on control conditions and does not explicitly take into consideration stakeholders, asset value/liability, or threat conditions. The assessor may consider some informal "gut" inclusion of those factors, but unless inclusion is explicit, risk ratings tend to inflate -- sometimes significantly. This risk inflation and the tendency to protect assets rather than stakeholder interests contribute significantly to overall cost-ineffectiveness and to deficient risk management.

Information risks are only a part of the overall risks that management and the board of directors have to manage (market, credit, operational and legal risks, etc.). In complex business situations and with limited resources, it is very important to strike an appropriate balance in deploying resources to manage the entire risk portfolio in a coordinated way. This situation is also termed 'competition of risks', and the way to resolve it is by creating a set of priorities based on common denominators (preferably monetary).

In essence, most CISOs are technology oriented, and are not fundamentally part of a company's executive management. Normally, they are not privy to the overall risk portfolio, and many times lack the understanding of risk tolerance, the liability, and the overall business goals of the organization. On the other hand, few executives have a profound technical understanding of threats and technology controls. As a result, entrusting the CISO with the information risk management necessitates a thorough understanding of the business elements. Entrusting this responsibility with the business executives (as is mostly done today) necessitates that the tech professionals provide the business executives with information that is complete, clear, unbiased, and useful about the threats, their possible implications and the available controls. That would ensure decision making is risk informed, and not as a result of fear or current trends. Both cases require a common language and a clear understanding of roles and responsibilities.

As stated above, the missing link is often a common language which allows for translation of the information risk to monetary terms understood by all of the stakeholders. Looking for a solution to this problem, without reinventing the wheel, I researched various methodologies and one methodology stood out from all of the rest.

Factor Analysis of Information Risk (FAIR) is an easy-to-understand, effective methodology and toolset for risk analysis, risk management, root cause analysis and decision making. FAIR enables the organization to significantly improve its information risk management process by allowing risk reporting in a cost-effective manner (as is customary with business risks), budget optimization, and a foundation from which to develop a scientific approach to quantitative (i.e. monetary) information risk management.

FAIR sits on a solid foundation in statistics and actuarial science. Based upon the proven analytic utility of the normal (Gaussian) distribution, the practical value of Bayesian decision-making techniques, and the power and sophistication of Monte Carlo simulation, FAIR provides estimates that are documentable, reproducible, realistic, defensible and, most importantly, expressed in a language that business executives, risk managers and CISOs all understand.

FAIR's quantitative capabilities enable a real understanding of "how much": how much risk does X represent, how much less risk will we have if we do ABC, how much more (or less) effective is risk solution A than risk solution B?

Since FAIR provides quantitative (monetary) results, it is also useful for the following requirements:

  • A basis for creating a prioritized work plan and budget based on monetary values.
  • Demonstration of due care to the stakeholders.
  • A product which provides a clearer picture of liability and insurance needs, which can be used in negotiations with insurers.
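The "how much" questions above, and the case for quantitative over qualitative scales made in the "Doing it all wrong" post, are easier to see with numbers. The following Monte Carlo simulation is an added example, not code from the original posts or from any FAIR tool: it applies the FAIR factor structure (Loss Event Frequency = Threat Event Frequency × Vulnerability; annual loss = the loss magnitudes of that year's loss events) to compare a current-controls scenario against a proposed control, with every estimate and the phishing scenario itself constructed for illustration.

```python
"""Monte Carlo estimate of annualized loss exposure over the FAIR factor structure:
    Loss Event Frequency (LEF) = Threat Event Frequency (TEF) x Vulnerability
    Annual loss = sum of Loss Magnitude (LM) over that year's loss events
Factors are min / most-likely / max estimates rather than "high / medium / low" labels,
so the output is a loss distribution that can be compared between options."""
import math
import random
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List


@dataclass(frozen=True)
class Range:
    """Calibrated estimate (minimum, most likely, maximum), sampled as a triangular PDF."""
    low: float
    mode: float
    high: float

    def sample(self, rng: random.Random) -> float:
        return rng.triangular(self.low, self.high, self.mode)

    def expected(self) -> float:
        return (self.low + self.mode + self.high) / 3  # mean of a triangular PDF


@dataclass(frozen=True)
class Scenario:
    name: str
    tef: Range   # threat events per year
    vuln: Range  # probability (0..1) that a threat event becomes a loss event
    lm: Range    # loss magnitude per loss event, in currency units


def poisson(rng: random.Random, lam: float) -> int:
    """Knuth's Poisson sampler; adequate for the small yearly rates used here."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(sc: Scenario, trials: int, seed: int = 1) -> List[float]:
    """One trial is one simulated year: draw TEF and Vulnerability, turn the resulting
    loss-event rate into a count of events, then sum a magnitude drawn for each event.
    Zero-event years are kept; they are real outcomes, not missing data."""
    rng = random.Random(seed)
    losses = []
    for _ in range(trials):
        events = poisson(rng, sc.tef.sample(rng) * sc.vuln.sample(rng))
        losses.append(sum(sc.lm.sample(rng) for _ in range(events)))
    return losses


def percentile(values: List[float], pct: float) -> float:
    """Nearest-rank percentile of a sample."""
    ordered = sorted(values)
    return ordered[int(round(pct / 100 * (len(ordered) - 1)))]


def summarize(losses: List[float]) -> Dict[str, float]:
    return {"mean": mean(losses), "p10": percentile(losses, 10),
            "p50": percentile(losses, 50), "p90": percentile(losses, 90),
            "prob_any_loss": sum(1 for x in losses if x > 0) / len(losses)}


def analytic_mean(sc: Scenario) -> float:
    """Expected annual loss for independent factors; a sanity check on the simulation."""
    return sc.tef.expected() * sc.vuln.expected() * sc.lm.expected()


def compare(current: Scenario, proposed: Scenario, trials: int = 20_000) -> Dict[str, float]:
    """Answers "how much less risk will we have if we do ABC" in currency per year."""
    a = summarize(simulate_annual_loss(current, trials, seed=1))
    b = summarize(simulate_annual_loss(proposed, trials, seed=2))
    return {"current_mean": a["mean"], "proposed_mean": b["mean"],
            "annual_reduction": a["mean"] - b["mean"],
            "current_p90": a["p90"], "proposed_p90": b["p90"]}


# Constructed illustration: phishing-led mailbox compromise at a law firm. The
# estimates are invented for this example, not figures from the original posts.
CURRENT = Scenario("current controls", tef=Range(2, 6, 12),
                   vuln=Range(0.10, 0.30, 0.60), lm=Range(20_000, 80_000, 400_000))
# Same threat and loss magnitude; phishing-resistant MFA is assumed to lower only
# Vulnerability, which is where an authentication control acts in the FAIR model.
WITH_MFA = Scenario("phishing-resistant MFA", tef=CURRENT.tef,
                    vuln=Range(0.02, 0.10, 0.25), lm=CURRENT.lm)

if __name__ == "__main__":
    for sc in (CURRENT, WITH_MFA):
        s = summarize(simulate_annual_loss(sc, 20_000))
        print(f"{sc.name:24s} mean={s['mean']:>10,.0f} p50={s['p50']:>10,.0f} "
              f"p90={s['p90']:>10,.0f} P(any loss)={s['prob_any_loss']:.2f}")
    print(compare(CURRENT, WITH_MFA))
```

The simulated means should land close to the analytic expectation for each scenario, which is the kind of check on an estimate that a 1–5 scale never allows.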

Often, information security is perceived as a technological problem with technological ramifications. The truth is, the technical problems are not the real issue, but rather the level of risk. By using a quantitative risk assessment and management framework, organizations will have timely and dependable data to inform the tough decisions they have to make in order to gain and maintain competitive and strategic advantage.